Breaking and Repairing Optimistic Fair Exchange from PODC 2003

by Yevgeniy Dodis and Leonid Reyzin

In PODC 2003, Park, Chong, Siegel and Ray [PCSR03] proposed an optimistic protocol for fair exchange, based on RSA signatures. We show that their protocol is totally breakable already in the registration phase: the honest-but-curious arbitrator can easily determine the signer's secret key. On a positive note, the authors of [PCSR03] informally introduced a connection between fair exchange and "sequential two-party multisignature schemes" (which we call two-signatures), but used an insecure two-signature scheme in their actual construction. Nonetheless, we show that this connection can be properly formalized to imply provably secure fair exchange protocols. By utilizing the state-of-the-art non-interactive two-signature of Boldyreva [Bol03], we obtain an efficient and provably secure (in the random oracle model) fair exchange protocol, which is based on GDH signatures [BLS01]. Of independent interest, we introduce a unified model for non-interactive fair exchange protocols, which results in a new primitive we call verifiably committed signatures. Verifiably committed signatures generalize (non-interactive) verifiably encrypted signatures [BGLS03] and two-signatures, both of which are sufficient for fair exchange.

This work appears in DRM 2003, Procedings of the Third ACM Workshop on Digital Rights Management, Moti Yung, editor, pages 47-54, ©ACM 2003. Posted by permission of ACM.