Digital Signature final project

The Fair Transaction Protocol
M953040038 阮鶴鳴
In order to solve the problem of fair transaction, I propose a simple scheme that achieves a fair transaction without keeping a trusted third party (TTP) on-line.
(The flow chart of the original report is not reproduced here.)
The notations:
M: the message that records:
1. the two parties involved in this transaction;
2. the time at which this transaction starts.
SA: the signature of A.
SB: the signature of B.
PA: the product (e-cash, or something else) that A wants to exchange with B.
PB: the product (e-cash, or something else) that B wants to exchange with A.
SCS: Simultaneous Contract Signing Protocol.
rA: a random number chosen by A (A's blinding factor).
rB: a random number chosen by B (B's blinding factor).
KA: a randomly chosen symmetric encryption key used for encrypting PA.
KB: a randomly chosen symmetric encryption key used for encrypting PB.
EA: public-key encryption under A's public key.
EB: public-key encryption under B's public key.
EKA: symmetric encryption under the key KA.
EKB: symmetric encryption under the key KB.
EXE(A, B, a, b): A exchanges a for b with B.
PSE(A, B, a, b): Partial Secret Exchange Protocol, in which A exchanges a for b with B; the protocol ensures that each party obtains the correct object from the other.
DCM(E): Digital Certified Mail, a protocol in which the receiver must sign and return a receipt to the sender before it can read the message.
In this protocol, A wants to exchange PA for PB with B. What is exchanged between A and B can be any kind of electronic product, such as an mp3 file or e-cash. The protocol can be used not only in e-commerce but also in more general situations, such as the exchange that follows winning an auction on eBay or Yahoo, or simply a secret exchange.
The two parties A and B, wanting to exchange PA and PB, take the following actions:
1. They simultaneously sign a message M, which records the two parties involved in this exchange, the time the exchange starts, and a description of the objects to be exchanged, via the Simultaneous Contract Signing Protocol.
2. After step 1 has completed, they exchange the encrypted objects.
3. After exchanging the encrypted objects, both parties send the blinded encryption key to each other via the Digital Certified Mail Protocol. Each party thereby obtains the other's receipt, which is evidence that the blinded encryption key was received.
4. Next, once a party has received both the receipt and the blinded encryption key, it publishes its blinding factor.
5. With the published blinding factor, each party un-blinds the blinded encryption key, decrypts the object, and obtains the content it wanted.
If either party, say A, wants to cheat B, the possibilities are summarized below:
1. A wants to obtain B's object without releasing the object in A's hands. B can ask the judge to force A to hand over the blinding factor or to pay proper compensation to B. Because of the Digital Certified Mail Protocol, a party that received the blinded encryption key cannot deny this fact, and a party that wants to frame the other cannot produce the signed receipt by itself, as long as the signature is unforgeable.
2. If one party exchanges a fake object with the other, then after the end of the transaction the victim of the fraud, say B, can use SA(SB(M)), the published blinding factor rA, the encrypted object EKA(SA(PA)), and the signed receipt returned by A as evidence of A's fraud. B can then use this evidence to ask the judge to force A to hand over the real object that should have been exchanged, or to pay proper compensation to B.
3. A might send a fake message in the first step, such as the wrong parties, the wrong time, or the wrong object for exchange. But B will notice the trick as soon as it checks the content of M while verifying A's signature on it.
4. In the exchange stage, a party must remain honest for the protocol to continue normally; otherwise it cannot obtain the decryption key for the exchanged object.
The SCS protocol (from reference I) runs as follows:
1. Both signers randomly select 2n DES keys, grouped in n pairs. (DES is the cipher of the 1985 paper; any modern block cipher serves the same purpose.)
2. Each signer divides its signature into n parts, splits each part into a left and a right half, and encrypts each of the resulting 2n halves with one of the 2n keys, using a symmetric algorithm (e.g., DES).
3. They send each other the 2n encrypted halves.
4. They use PSE to transfer the n key pairs, so that each party holds exactly one key of every pair.
5. Both decrypt the halves they now can and check that the decrypted halves are valid.
6. Both signers then send each other all 2n DES keys, one bit per transfer.
7. After both have decrypted the remaining halves of every pair, the contract is signed.
8. Finally, both signers exchange the private keys used in the oblivious transfers of the PSE above, and each verifies that the other did not cheat.
(The flow chart of the original report is not reproduced here.)
The security of this SCS:
1. In steps 3 and 4, A could disrupt the protocol by sending B nonsense bit strings. B would catch this in step 5.
2. A could send B random bit strings in step 6. B can check whether the bits released for the keys B already holds match those keys.
3. If A goes along with step 6 only until it has enough bits of B's keys to mount a brute-force attack and then stops transmitting its own keys, B can do the same thing: at every point both parties have received the same number of bits, so neither gains an advantage.
The PSE protocol is described below, where OT stands for Oblivious Transfer (pseudocode in the report's own notation):
PSE(A, B, {(ai, an+i) | i = 1..n}, {(bi, bn+i) | i = 1..n}) {
  // stage 1: each party gives away one half of every pair via 1-2 OT
  for (i = 1..n) {
    OT(A, B, ai, an+i);   // A sends ai and an+i to B via OT; B learns exactly one of them
    OT(B, A, bi, bn+i);   // B sends bi and bn+i to A via OT; A learns exactly one of them
  }
  // stage 2: release the remaining part one bit at a time, and use the halves
  // obtained in stage 1 to check that the other party sends the correct bits
  for (j = 1..m) {        // m is the bit length of each secret
    for (i = 1..n) {
      A transmits the j-th bit of ai and of an+i to B;
      B transmits the j-th bit of bi and of bn+i to A;
    }
  }
}
PSE uses OT first because, when A sends the two halves of a pair to B via OT, A cannot tell which half B received, and vice versa. In stage 2, each party can therefore check whether the partner is sending the correct bits by comparing them with the half it already received in stage 1; a lie on the half the partner happens to know is caught, and the sender cannot tell in advance which half that is.
The security theorems of PSE are summarized below from reference I. Although the original paper does give formal proofs, I think the proofs are beyond the scope of this document, so I skip them and only summarize the theorems:
Theorem 1. Suppose that X executes PSE properly and that step 1 has been concluded. If Y deviates from PSE in order to reach a situation in which Y T-knows one of X's pairs but X does not 4T-know Y's i-th pair, then X can detect this (cheating attempt) with probability at least one half.
Here a party "T-knows" a value if it can compute it in PSE-based expected time T; the PSE-based expected time of a computation, given an instance of PSE, is its average running time taken over all inputs that agree with the values disclosed in the sub-steps (of step 2 of PSE) that have already been executed.
Theorem 2. If X executes PSE properly and step 1 has been concluded, then:
(i) if Y deviates from PSE in order to reach a situation in which Y T-knows one of X's pairs but X does not 4T-know any of Y's pairs, then X can detect this (cheating attempt) with probability at least 1 - 2^(-n). Furthermore, if Y deviates from PSE in order to reach a situation in which Y T-knows one of X's pairs but, for at least half of the i ∈ {1, 2, ..., n}, X does not 4T-know Y's i-th pair, then X can detect this with probability at least 1 - 2^(-n/2).
(ii) If Y does not try to reach the latter situation described in part (i), then whenever Y T-knows one of X's pairs, X can compute one of Y's pairs in PSE-based expected time 16T. Furthermore, with probability at most 2^(-j), X will spend more than 8jT expected time computing one of Y's pairs.
The OT used here is 1-2 Oblivious Transfer; a brief introduction follows.
The basic idea is that the sender sends two messages to the receiver, who obtains exactly one of them, without the sender learning which one. The sender thus cannot tell which message was taken and cannot adapt its later behaviour to the receiver's choice; the mechanism does not, however, prevent the sender from sending dummy messages. In general, a dummy message can only be detected by testing the decrypted message (in SCS this is the check of step 5, where a decrypted signature half is validated). The steps of 1-2 oblivious transfer are as follows (the figure of the original report is not reproduced here):
1. S wants to send exactly one of M1 and M2 to R, and R does not want S to learn which message R chose.
2. S first chooses two public/private key pairs, and R chooses a symmetric encryption key KR.
3. R picks one of the two public keys from step 2 at random, encrypts KR with it, and sends the ciphertext T back to S.
4. S decrypts T with both private keys from step 2 and obtains two symmetric keys, K1 and K2. S does not know which of them is the real KR.
5. S encrypts M1 with K1 and M2 with K2 and sends both ciphertexts to R.
6. R can decrypt exactly one of the ciphertexts with KR; the other remains incomprehensible.
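The six steps above as running code, added here as an example; it is not code from the report or from the cited references. The report does not fix the public-key scheme or the symmetric cipher, so the example assumes textbook ElGamal over Z_p^* with the toy prime p = 2^127 - 1 for S's two key pairs and a SHA-256 keystream XOR as the symmetric cipher; the names `Sender`, `Receiver` and `run_ot` are the example's own. ElGamal keeps both possible ciphertexts of KR in the same group, so T itself does not reveal which public key R used (with two RSA moduli of different size, a ciphertext larger than the smaller modulus would leak the choice). A deployment would use a standard group of at least 2048 bits or an elliptic curve, and an authenticated cipher.

```python
"""1-2 oblivious transfer in the form described above.

Added example, not from the report.  Assumed primitives (the report fixes
none): textbook ElGamal over Z_p^* with a toy 127-bit prime for S's two key
pairs, and a SHA-256 keystream XOR as the symmetric cipher.  For illustration
only; use a >= 2048-bit MODP group or an elliptic curve in practice.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime 2^127 - 1 (toy size, not a deployment parameter)
G = 3


def rand_elem():
    """Uniform element of {1, ..., P-2}; used for private keys, KR and nonces."""
    return secrets.randbelow(P - 2) + 1


def keygen():
    s = rand_elem()
    return s, pow(G, s, P)            # (private key, public key)


def pk_encrypt(h, k_int):
    """ElGamal encryption of the integer k_int under public key h."""
    r = rand_elem()
    return pow(G, r, P), (k_int * pow(h, r, P)) % P


def pk_decrypt(s, ct):
    """ElGamal decryption; with the wrong s this yields a random-looking group element."""
    c1, c2 = ct
    return (c2 * pow(pow(c1, s, P), -1, P)) % P


def sym_xor(key_int, data):
    """Symmetric stream cipher: XOR data with SHA-256(key || counter) blocks."""
    key = key_int.to_bytes(16, "big")
    stream = b"".join(hashlib.sha256(key + blk.to_bytes(4, "big")).digest()
                      for blk in range((len(data) + 31) // 32))
    return bytes(d ^ k for d, k in zip(data, stream))


class Sender:
    def __init__(self, m1, m2):
        self.msgs = (m1, m2)
        self.keys = (keygen(), keygen())           # step 2: two key pairs

    def public_keys(self):
        return tuple(h for _, h in self.keys)

    def respond(self, t):
        # step 4: decrypt T under both private keys; one result is KR, the
        # other is garbage, and S cannot tell which is which
        k1, k2 = (pk_decrypt(s, t) for s, _ in self.keys)
        # step 5: M1 under K1, M2 under K2
        return sym_xor(k1, self.msgs[0]), sym_xor(k2, self.msgs[1])


class Receiver:
    def __init__(self, choice):
        self.b = choice                            # 0 -> wants M1, 1 -> wants M2
        self.kr = rand_elem()                      # step 2: symmetric key KR

    def request(self, pks):
        return pk_encrypt(pks[self.b], self.kr)    # step 3: T = E_pk_b(KR)

    def receive(self, cts):
        return sym_xor(self.kr, cts[self.b])       # step 6: only this one decrypts


def run_ot(m1, m2, choice):
    """Run the protocol; returns (message R obtained, what R gets from the other ciphertext)."""
    s, r = Sender(m1, m2), Receiver(choice)
    cts = s.respond(r.request(s.public_keys()))
    return r.receive(cts), sym_xor(r.kr, cts[1 - choice])


if __name__ == "__main__":
    got, other = run_ot(b"M1: left half key", b"M2: right half key", 1)
    print(got)     # the chosen message
    print(other)   # unreadable: encrypted under a key R cannot compute
```

The key R cannot compute is KR multiplied by g^(r(s_b - s_other)), which R could only strip with the private key it does not hold; S, on its side, sees a ciphertext whose distribution is the same for both choices because KR is uniform. Nothing here stops S from putting a dummy in either slot, which is the limitation noted above.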
The purpose of the Digital Certified Mail Protocol is to ensure that the receiver must sign and return a receipt before reading the received message. This problem is similar to the Simultaneous Contract Signing Protocol above: the desired objects here are the message and the signed receipt, while in SCS they are the signed documents, i.e., the DCM problem is how to exchange the symmetric encryption key of the message and the signed receipt fairly.
There is still an essential difference between them. If SCS were used to solve the DCM problem, the sender could verify that a half of the receipt is valid as soon as it arrives, but the receiver can only check that the symmetric encryption key is valid, by decrypting a dummy message with it, after receiving the whole key, i.e., after the sender already holds the whole receipt.
I found two DCM protocols, one that needs the TTP to participate only when a fraud occurs (reference II) and another that seems not to need the TTP on-line at all (reference I), but I cannot understand the second protocol very well, so I describe only the first protocol here:
A exchanges his message M in return for B's receipt.
1. A sends B the message M, A's identity information and B's identity information, all encrypted with the trusted third party's public key: Z = EKUTP(A, B, M). On receiving this message, B cannot read the contents, since B lacks the decryption key (the third party's private key KRTP).
2. B sends the receipt of the message, which is B's signature over the first message: SIGB(Z).
3. On receiving the second message, A checks the validity of B's signature; if it is valid, A sends the e-mail message M as the third message.
If both parties behave honestly, the protocol is complete after this step, since both parties have obtained the items they expected.
Notations:
TP: Trusted third party
KUTP: Public-Key of TP
KRTP: Private-Key of TP
M: Mailed Message
EKUTP(X): asymmetric encryption of X using the key KUTP
DKRTP(X): asymmetric decryption of X using the key KRTP
SIGB(X): B’s digital signature on X
The fairness of the protocol is analysed below:
1. If A sends different messages at step 1 and step 3:
The M contained in the first message must equal the M received in the third message. To check this, B recomputes EKUTP(A, B, M) from the M obtained in the third message and compares the result with the first message. (This comparison only works if the encryption is deterministic, or if A also discloses the randomness it used to form Z; with a randomized public-key scheme B would otherwise obtain a different ciphertext every time.) If the two values differ, B concludes that A has cheated and applies to the trusted third party for dispute resolution.
In the fourth message, B sends Z and the e-mail receipt SIGB(Z) to the trusted third party. The trusted third party checks the validity of B's signature. If it is valid, the third party resolves the dispute by sending the appropriate item to the appropriate entity: it sends the e-mail receipt SIGB(Z) to A and the e-mail message M to B. To do so, the trusted third party first has to recover the e-mail message from Z by performing the decryption DKRTP(Z) = (A, B, M).
2. If B sends a fake signature on Z back to A:
Then B simply does not get the message M.
Although I have mentioned the differences between SCS and DCM, the paper I refer to (reference I) uses the same method for SCS and DCM via PSE; this is the point I cannot understand well. Maybe that is because it is not simply a matter of generating a symmetric encryption key and transferring it.
The paper constructs the SCS and DCM protocols on a hard problem, the S-puzzle, which is the problem of permuting a metric until the metric is in the desired permutation. But the details of this paper are too complex for me to fully understand now. Still, this is a really interesting issue for me, and I will study the methods and proofs later.
References:
I. Shimon Even, Oded Goldreich, and Abraham Lempel, "A Randomized Protocol for Signing Contracts", Communications of the ACM, vol. 28, no. 6, June 1985.
II. Çağıl Can Öniz, "Design and Development of Cryptographic Fair Exchange Protocols", M.Sc. thesis, submitted to the Graduate School of Engineering and Natural Sciences in partial fulfillment of the requirements for the degree of Master of Science.
III. "Oblivious Transfer", Wikipedia, http://en.wikipedia.org/wiki/Oblivious_transfer