Similar literature
20 similar documents found (search time: 15 ms)
1.
A family of trusted third party based fair-exchange protocols   Total citations: 1, self-citations: 0, citations by others: 1
Fair exchange protocols play an important role in application areas such as e-commerce where protocol participants require mutual guarantees that a transaction involving exchange of items has taken place in a specific manner. A protocol is fair if no protocol participant can gain any advantage over an honest participant by misbehaving. In addition, such a protocol is fault-tolerant if the protocol can ensure that an honest participant does not suffer any loss of fairness despite any failures of the participant's node. This paper presents a family of fair exchange protocols for two participants which make use of the presence of a trusted third party, under a variety of assumptions concerning participant misbehavior, message delays, and node reliability. The development is systematic, beginning with the strongest set of the assumptions and gradually weakening the assumptions to the weakest set. The resulting protocol family exposes the impact of a given set of assumptions on solving the problem of fair exchange. Specifically, it highlights the relationships that exist between fairness and assumptions on the nature of participant misbehavior, communication delays, and node crashes. The paper also shows that the restrictions assumed on a dishonest participant's misbehavior can be realized through the use of smartcards and smartcard-based protocols.

2.
Many cryptographic protocols are intended to coordinate state changes among principals. Exchange protocols, for instance, coordinate delivery of new values to the participants, i.e. additions to the set of values they possess. An exchange protocol is fair if it ensures that delivery of new values is balanced: If one participant obtains a new possession via the protocol, then all other participants will, too. Understanding this balanced coordination of different principals in a distributed system requires relating (long-term) state to (short-term) protocol activities. Fair exchange also requires progress assumptions. In this paper we adapt the strand space framework to protocols, such as fair exchange, that coordinate state changes. We regard the state as a multiset of facts, and we allow protocol actions to cause local changes in this state via multiset rewriting. Second, progress assumptions stipulate that some channels are resilient—and guaranteed to deliver messages—and some principals will not stop at critical steps. Our proofs of correctness cleanly separate protocol properties, such as authentication and confidentiality, from properties about progress and state evolution. G. Wang’s recent fair exchange protocol illustrates the approach.

3.
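How to analyze and verify e-commerce protocols has long been a research focus. Based on ATL (alternating-time temporal logic), this work formally analyzes and verifies fair exchange protocols in e-commerce, and selects one electronic contract signing protocol for formal verification. Fair exchange protocols are described formally in the ATL language and modeled with ATS (Alternating Transition Systems); the formal verification tool MOCHA is then used to verify the fairness, timeliness and abuse-freeness of the fair exchange protocol. Analysis and discussion of the verification results show that the protocol satisfies neither fairness nor abuse-freeness and does not meet its design requirements.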

4.
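Fair exchange plays an increasingly important role in e-commerce, and contract signing protocols are a concrete instance of fair exchange. Based on the idea of convertible signatures and on non-interactive authentication techniques, a new contract signing protocol is proposed. Analysis shows that the new protocol not only has the advantages of being optimistic, fair, timely in termination, abuse-free and stateless for the TTP, but is also highly efficient.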

5.
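Based on the verifiably encrypted signature, provably secure in the standard model, recently proposed by Gorantla et al., an optimistic fair digital signature exchange scheme is proposed. The two parties first exchange their verifiably encrypted signatures and, once these have been verified, exchange their real signatures; if one party does not execute the protocol honestly, the other can turn to a trusted third party to achieve fair exchange. The proposed scheme has the advantages of short signatures and low computational cost, and can realize the exchange of digital signatures fairly and effectively.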

6.
Fairly exchanging digital content is an everyday problem. It has been shown that fair exchange cannot be achieved without a trusted third party (called the Arbiter). Yet, even with a trusted party, it is still non-trivial to come up with an efficient solution, especially one that can be used in a p2p file sharing system with a high volume of data exchanged. We provide an efficient optimistic fair exchange mechanism for bartering digital files, where receiving a payment in return for a file (buying) is also considered fair. The exchange is optimistic, removing the need for the Arbiter’s involvement unless a dispute occurs. While the previous solutions employ costly cryptographic primitives for every file or block exchanged, our protocol employs them only once per peer, therefore achieving an O(n) efficiency improvement when n blocks are exchanged between two peers. Our protocol uses very efficient cryptography, making it perfectly suitable for a p-2-p file sharing system where tens of peers exchange thousands of blocks and they do not know beforehand which ones they will end up exchanging. Therefore, our system yields up to one-to-two orders of magnitude improvement in terms of both computation and communication (40 s vs. 42 min, 1.6 MB vs. 200 MB). Thus, for the first time, a provably secure (and privacy-respecting when payments are made using e-cash) fair exchange protocol can be used in real bartering applications (e.g., BitTorrent) [14] without sacrificing performance.

7.
马昌社 《计算机工程》2007,33(15):13-14,48
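Fair exchange protocols are a cornerstone of secure e-commerce, and the RSA cryptosystem is widely used in e-commerce, so designing fair exchange protocols based on the RSA cryptosystem is of significant practical importance. This paper proposes a new, efficient, verifiably encrypted RSA signature scheme based on an extended integer ring, and on that basis designs an efficient, secure, simple, practical and fast optimistic fair exchange protocol for exchanging RSA signatures; its security and efficiency are analyzed and compared.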

8.
Optimistic Fair Exchange (OFE) of digital signatures allows two parties to exchange their signatures in a fair manner so that a third party, called the arbitrator, gets involved only when there is a dispute. Previous work on OFE considers the two parties as individuals and there is no formal study on the scenario where the two parties are two groups of users. In this paper, we formalize this new variant and call it a Group-oriented Optimistic Fair Exchange (GOFE). GOFE allows two users from two different groups to exchange signatures on behalf of their groups in a fair and anonymous manner. We formalize the notion by providing the first set of security models for GOFE, and show that it is closely related to Ambiguous OFE (AOFE) proposed by Huang et al. in Asiacrypt 2008. In particular, we propose a generic transformation which converts a GOFE to an AOFE. We also give an efficient and concrete GOFE construction and prove its security under the security models we defined. The security of the scheme relies on the decision linear assumption and strong Diffie-Hellman assumption in the random oracle model.

9.
A contract signing protocol lets two parties exchange digital signatures on a pre-agreed text. Optimistic contract signing protocols enable the signers to do so without invoking a trusted third party. However, an adjudicating third party remains available should one or both signers seek timely resolution. We analyze optimistic contract signing protocols using a game-theoretic approach and prove a fundamental impossibility result: in any fair, optimistic, timely protocol, an optimistic player yields an advantage to the opponent. The proof relies on a careful characterization of optimistic play that postpones communication to the third party.

10.
This paper presents a practical and efficient protocol to support a common Internet-based e-commerce activity—fair document exchange between two parties. This protocol incorporates a novel RSA-based method for the off-line recovery of a document decryption key of a party. The principal idea for such key recovery is based on a verifiable and recoverable encryption of the document decryption key. The verifiability of the encryption allows another party to verify the correctness of the encrypted key without actually knowing the original key, and the recoverability permits a designated third party to decrypt the encrypted key to recover the original key upon a legitimate request. Such verifiable and recoverable key encryption is essential for ensuring the fairness of the exchange. The protocol presented in this paper is more practical, cost-effective and efficient than other relevant protocols designed for fair document exchange.

11.
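Based on bivariate symmetric polynomials, a new (t, n) threshold secret sharing scheme without a trusted center is proposed. The scheme uses the symmetry of the polynomial to provide a verification private key for any pair of participants, which effectively prevents cheating by outside attackers; combined with the hardness of the discrete logarithm, the correctness of the secret is verified while ensuring that the secret is not leaked. Participants choose sub-secrets and, by constructing symmetric polynomials, encrypt them to obtain shadow secrets, which are published; participants can effectively verify the correctness of the published information. No dealer is required, which avoids cheating by a dealer. The analysis shows that the scheme is secure and effective.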

12.
In this paper we present an attack on a fair exchange protocol proposed by Wu and Varadharajan. We show that, after two executions of the protocol, a dishonest participant can collect enough information in order to obtain some secret information of the other participant. This precisely allows him to compute the final signature of the other participant in all subsequent executions of the protocol, without disclosing his own signature.

13.
张华  郭建  韩俊刚 《计算机工程》2007,33(14):216-218
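A verification method based on PSL assertions is used to verify the design of the broadband circuit-switching chip XYDXC160. A single chip supports the input/output of 64 channels of 2.488 Gb/s SDH streams with STM-16 frame structure, and implements non-blocking circuit switching of 1 024×1 024 STM-1 streams. The introduction of assertion techniques reduced the complexity of the verification work, improved its speed and efficiency, and ensured its quality.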

14.
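An optimistic fair exchange protocol based on RSA signatures   Total citations: 16, self-citations: 16, citations by others: 16
Fairness is a basic security requirement of e-commerce protocols. RSA is one of the most widely used public-key cryptosystems. A fair exchange protocol lets the two participating parties exchange information in a fair manner, so that either each party obtains the other's information or neither party does. The paper analyzes existing construction methods and architectures for fair exchange protocols and their problems in practicality and efficiency. On this basis, using publicly verifiable, encrypted RSA signatures in a carefully constructed extended ring, it proposes an optimistic fair exchange protocol based entirely on the RSA signature scheme, and proves and analyzes its security and efficiency. The analysis shows that the proposed scheme is concise, efficient and secure.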

15.
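Fair exchange protocols address the problem of real-time fairness in e-commerce. Unlike other security protocols, fairness verification for this class of protocols should focus mainly on possible dishonest behaviour by the transacting entities themselves. Dr. 周永彬 (Zhou Yongbin) et al. proposed a fair signature exchange protocol based entirely on the RSA algorithm. However, because the generation and verification of the zero-knowledge proof are incomplete, and because of the security risks that the extended-ring operations may introduce, the protocol has security vulnerabilities. For the protocol itself, an instance of an RSA extended-ring attack is given; for applications of the protocol, the possible security risks are pointed out.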

16.
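An abuse-free fair transaction protocol without a trusted third party   Total citations: 1, self-citations: 1, citations by others: 0
Based on improved perfect concurrent signatures, an abuse-free fair transaction protocol that needs no trusted third party is proposed; it avoids the flaw in existing schemes whereby the buyer can abuse transaction information to gain extra benefit. In the protocol, the buyer produces an ambiguous signature over the order, the payment voucher and the digital content; after confirming the content of the buyer's message, the seller produces an ambiguous signature over the hash of the digital content together with the buyer's order and payment voucher; once the buyer provides the keystone that makes the signatures publicly verifiable, the seller provides the decryption key for the digital content. The signed data of the buyer and the seller contain the digital content, the payment voucher and the order information, so that both parties' ambiguous signatures are uniquely bound to the transaction information, which prevents either party from abusing the signed data or the transaction information. The protocol requires no trusted third party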

17.
Most approaches to formal protocol verification rely on an operational model based on traces of atomic actions. Modulo CSP, CCS, state-exploration, Higher Order Logic or strand spaces frills, authentication or secrecy are analyzed by looking at the existence or the absence of traces with a suitable property. We introduced an alternative operational approach based on parallel actions and an explicit representation of time. Our approach consists in specifying protocols within a logic language (AL SP), and associating the existence of an attack to the protocol with the existence of a model for the specifications of both the protocol and the attack. In this paper we show that, for a large class of protocols such as authentication and key exchange protocols, modeling in AL SP is equivalent - as far as authentication and secrecy attacks are considered - to modeling in trace based models. We then consider fair exchange protocols introduced by N. Asokan et al. showing that parallel attacks may lead the trusted third party of the protocol into an inconsistent state. We show that the trace based model does not allow for the representation of this kind of attacks, whereas our approach can represent them.

18.
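Fair exchange protocols are a key technology of e-commerce. Based on the characteristics of fair exchange protocols and of strand spaces, this paper defines the notions of the greatest (maximal) node of a bundle and of a well-ordered bundle. Drawing on the message-driven nature of protocols, it establishes a recursive method for analyzing fair exchange protocols based on the labeling of strand-space nodes. The ZG protocol is analyzed and a flaw is found that many other analyses did not find; the result both confirms the usability of the method and gives a concrete application.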

19.
Azar  Boyar  Favrholdt  Larsen  Nielsen  Epstein 《Algorithmica》2008,34(2):181-196
Abstract. We consider the on-line Dual Bin Packing problem where we have n unit size bins and a sequence of items. The goal is to maximize the number of items that are packed in the bins by an on-line algorithm. We investigate unrestricted algorithms that have the power of performing admission control on the items, i.e., rejecting items while there is enough space to pack them, versus fair algorithms that reject an item only when there is not enough space to pack it. We show that by performing admission control on the items, we get better performance compared with the performance achieved on the fair version of the problem. Our main result shows that with an unfair variant of First-Fit, we can pack approximately two-thirds of the items for sequences for which an optimal off-line algorithm can pack all the items. This is in contrast to standard First-Fit where we show an asymptotically tight hardness result: if the number of bins can be chosen arbitrarily large, the fraction of the items packed by First-Fit comes arbitrarily close to five-eighths.

20.
In this paper, we introduce an efficient and multi-level conditional privacy preservation authentication protocol in vehicular ad hoc networks (VANETs) based on ring signature. The proposed protocol has three appealing characteristics: First, it offers conditional privacy preservation authentication: while every receiver can verify that a message issuer is an authorized participant in the system only a trusted authority can reveal the true identity of a message sender. Second, it is equipped with multi-level countermeasure: each vehicle can select the degree of privacy according to its own requirements. Third, it is efficient: our system outperforms previous proposals in message authentication and verification, cost-effective identity tracking in case of a dispute, and low storage requirements. We demonstrate the merits gained by the proposed protocol through extensive analysis.
