Abstract
-
Concurrent signature, introduced by Chen, Kudla and Paterson, is known to just
fall short to solve the long standing fair exchange of signature problem without requiring any
trusted third party (TTP). The price for not requiring any TTP is that the initial signer is
always having some advantage over the matching signer in controlling whether the protocol
completes or not, and hence, whether the two ambiguous signatures will bind concurrently
to their true signers or not. In this paper, we examine the notion and classify the advantages
of the initial signer into three levels, some of which but not all of them may be known in
the literature.
– Advantage level 0 is the commonly acknowledged fact that concurrent signature is not
abuse-free since an initial signer who holds a keystone can always choose to complete or
abort a concurrent signature protocol run by deciding whether to release the keystone
or not.
– Advantage level 1 refers to the fact that the initial signer can convince a third party that
both ambiguous signatures are valid without actually making the signatures publicly
verifiable.
– Advantage level 2 allows the initial signer to convince a third party that the matching
signer agrees to commit to a specific message, and nothing else.We stress that advantage
level 2 is not about proving the possession of a keystone. Proving the knowledge of a
keystone would make the malicious initial signer accountable as this could only be done
by the initial signer.
We remark that the original security models for concurrent signature do not rule out the
aforementioned advantages of the initial signer. Indeed, we show that theoretically, the
initial signer always enjoys the above advantages for any concurrent signatures. Our work
demonstrates a clear gap between the notion of concurrent signature and optimistic fair
exchange (OFE) in which no party enjoys advantage level 1. Furthermore, in a variant
known as Ambiguous OFE, no party enjoys advantage level 1 and 2.