
Constructing Fair-Exchange Protocols for E-commerce

Via Distributed Computation of RSA Signatures


Jung Min Park
School of Electrical and
Computer Engineering
Purdue University
West Lafayette, IN
47907-1285
parkjm@ecn.purdue.edu
Edwin K. P. Chong
Dept. of Electrical and
Computer Engineering
Dept. of Mathematics
Colorado State University
Fort Collins, CO 80523-1373
echong@colostate.edu
Howard Jay Siegel
Dept. of Electrical and
Computer Engineering
Dept. of Computer Science
Colorado State University
Fort Collins, CO 80523-1373
hj@colostate.edu
ABSTRACT
Applications such as e-commerce payment protocols, electronic contract signing, and certified e-mail delivery require that fair exchange be assured. A fair-exchange protocol allows two parties to exchange items in a fair way so that either each party gets the other's item, or neither party does. We describe a novel method of constructing very efficient fair-exchange protocols by distributing the computation of RSA signatures. Specifically, we employ multisignatures based on the RSA-signature scheme. To date, the vast majority of fair-exchange protocols require the use of zero-knowledge proofs, which is the most computationally intensive part of the exchange protocol. Using the intrinsic features of our multisignature model, we construct protocols that require no zero-knowledge proofs in the exchange protocol. Use of zero-knowledge proofs is needed only in the protocol setup phase; this is a one-time cost. Furthermore, our scheme uses multisignatures that are compatible with the underlying standard (single-signer) signature scheme, which makes it possible to readily integrate the fair-exchange feature with existing e-commerce systems.
Categories and Subject Descriptors
K.6.5 [Management of Computing and Information Systems]: Security and Protection--authentication; C.2.2 [Computer-Communication Networks]: Network Protocols; K.4.4 [Computers and Society]: Electronic Commerce
General Terms
Algorithms, Security, Design
Keywords
Fair-exchange protocols, e-commerce, multisignatures, RSA signatures, zero-knowledge proofs.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that
copies bear this notice and the full citation on the first page. To copy
otherwise, or republish, to post on servers or to redistribute to lists,
requires prior specific permission and/or a fee.
PODC'03, July 13-16, 2003, Boston, Massachusetts, USA.
Copyright 2003 ACM 1-58113-708-7/03/0007...$5.00.
1. INTRODUCTION
Fueled by the exponential growth in the number of people with access to the Internet, e-commerce transactions via the Internet have become a major part of our economy. To date, the majority of e-commerce transactions involve exchanging the customer's credit-card number for the merchant's guarantee of merchandise delivery (i.e., an electronic receipt). In such transactions, items being exchanged have no intrinsic value, and thus the importance of ensuring a "fair exchange" has not received widespread recognition. In a fair exchange, either each player gets the other player's item, or neither player does. In the foreseeable future, data with significant intrinsic value, such as financial data, medical data, software, and electronic forms of money (e.g., electronic checks and electronic cash), will be exchanged regularly over the Internet. In such instances, ensuring fairness is critical if the participants are to be protected from fraud. Furthermore, future applications such as payment protocols via electronic money [13, 18], electronic contract signing [4, 21], and certified e-mail delivery [1, 6, 7] require that fair exchange be assured. As more business is conducted over the Internet, the fair-exchange problem is gaining greater importance.
Significant effort has been devoted to the study of the fair-exchange problem. For an overview of fair-exchange protocols, we refer the reader to [29]. Fair-exchange protocols can be broadly categorized into three types: (i) gradual exchange protocols, (ii) protocols requiring an online trusted third party (TTP), and (iii) protocols requiring an off-line TTP. There are some protocols [18, 31] (not included in the three categories above) that do not ensure fairness but provide a weaker form of protection: the gathering of evidence during execution so that if one party obtains the other's item without sending his, the dishonest party can be prosecuted using the evidence. These protocols are efficient, but, as mentioned above, do not guarantee fairness.
In gradual exchange protocols [10, 21], the probability of fair exchange is gradually increased over several rounds of message exchanges. These protocols are impractical because extensive amounts of communication are needed. Furthermore, proofs of their security rely on both parties having equal computational power, which is unrealistic for most applications.
In fair-exchange protocols with an on-line TTP [7, 18], a TTP is directly involved in every exchange, and must be available for the entire duration of the exchange. The protocol itself is relatively simple and computationally efficient. However, maintaining a TTP that needs to be on-line constantly can be expensive. Moreover, the TTP can become a bottleneck, and pose scalability problems.
Protocols with an off-line TTP provide a method for ensuring fair exchange while avoiding the problems faced by the two other types of protocols. In this type of protocol, the TTP is involved only if one of the parties behaves unfairly or aborts the protocol prematurely; otherwise the TTP is never involved in the protocol. Hence, these protocols are also known as "optimistic" fair-exchange protocols. In terms of practicality, optimistic protocols seem to be the most appealing, and hence we focus on this approach.
Most, if not all, previously proposed optimistic fair-exchange protocols in the literature are largely based on two different types of protocol frameworks: one is the framework proposed by Asokan et al. [3, 4], and the other is the framework used by Bao et al. [8]. However, each protocol employs a different technique for constructing the cryptographic primitive that ensures fairness; this primitive is the cornerstone of the fair-exchange protocol, and its design poses the greatest technical challenge. To clarify how such a fairness primitive is used in an exchange protocol, we present an example of a basic optimistic fair-exchange protocol. The protocol framework is essentially the same as what is proposed in [8], excluding the specific fairness primitive used in the protocol.
Let Alice and Bob be two players trying to exchange their respective digital signatures $\sigma_A$ and $\sigma_B$ on a message $M$ (known a priori to both parties), and let Charlie represent a TTP. In the first step of the protocol, one of the items that Alice sends to Bob is her "commitment" to the transaction, which we denote as $C_A$. This value $C_A$ has no intrinsic value, but serves as Alice's commitment to the exchange. Along with $C_A$, Alice has to send a "voucher" $V$ that provides proof of the following: (i) there exists a tamper-proof one-to-one link between $C_A$ and Alice's signature $\sigma_A$, and (ii) Charlie can compute $\sigma_A$ using $C_A$ if needed. We call $C_A$ and $V$ collectively the fairness primitive. The protocol is executed as follows:
EXCHANGE.
1. Alice sends Bob $C_A$ and its associated voucher $V$.
2. Bob verifies $V$ and $C_A$, and, if valid, sends his signature $\sigma_B$ to Alice. Otherwise, he stops the protocol.
3. If $\sigma_B$ is valid, Alice sends $\sigma_A$ to Bob; otherwise she stops the protocol.
4. If $\sigma_A$ is valid, Bob ends the exchange protocol. Otherwise, Bob initiates the dispute resolution protocol.
DISPUTE RESOLUTION.
1. If $\sigma_A$ is invalid (in Step 4), or if Bob fails to receive anything from Alice (in Step 3), he initiates a dispute resolution protocol with Charlie, and sends $C_A$, $V$, and $\sigma_B$ to him.
2. Charlie verifies whether $C_A$, $V$, and $\sigma_B$ are valid. If they are valid, Charlie computes $\sigma_A$ (which he computes using $C_A$), and sends it to Bob. He also forwards $\sigma_B$ to Alice.
Note that, in the last step of the dispute resolution protocol, Bob's signature $\sigma_B$ needs to be forwarded to Alice in case Bob is dishonest. This is necessary to prevent the scenario where Bob attempts to obtain $\sigma_A$ via the dispute resolution protocol after intentionally aborting the exchange protocol after Step 1.
Although the example illustrates a signature-exchange protocol, this basic model can readily be adapted to almost any exchange protocol for e-commerce. For instance, in an e-commerce payment protocol, the signature of Alice (acting as a customer) would correspond to her electronic check, and the signature of Bob (acting as a merchant) would be replaced by some digital merchandise (e.g., MP3 music files, MPEG-4 media files, or e-books). In such a scenario, message $M$ would include information such as Alice's unique identity, Bob's unique account number, price of merchandise, description of merchandise, and date of transaction.
Observe that the above protocol framework does not ensure timely termination, and, as a result, does not ensure fairness when time-sensitive items are exchanged. Consider the following scenario: after Step 1 of the exchange protocol, Bob aborts the exchange, and initiates a dispute resolution protocol after a long delay. Unaware of Bob's intentions, Charlie sends $\sigma_A$ to Bob, and forwards $\sigma_B$ to Alice. If the intentional delay (caused by Bob) is sufficiently long and $\sigma_B$ is time-sensitive, then Alice suffers a loss. For example, if $\sigma_B$ represents a digital airline ticket with an expiration date, the ticket is useless to Alice after that date. To prevent such cases, a timestamp can be attached to $C_A$ that specifies an expiration time. After this expiration time, Charlie would refuse to execute the dispute resolution protocol with Bob.
Unlike the protocol framework used by Bao et al. [8], the framework proposed by Asokan et al. [3, 4] ensures timely termination without the use of timestamps. However, it is more complicated and requires the TTP to store state information. Although our techniques can be applied to both frameworks, we choose the framework of Bao et al. to illustrate how our techniques (based on multisignatures) are applied to construct efficient optimistic protocols. We emphasize that our main contribution is the construction of a novel fairness primitive, and not the proposal of a new protocol framework.
In this paper, we present a novel approach for constructing fair-exchange protocols. We employ RSA-based multisignatures to construct efficient optimistic protocols. Note that our multisignature paradigm is quite different from the conventional model of multisignatures, and has distinctive features that are used to create the fairness primitive. Our approach ensures fairness by splitting an RSA private key into two parts: the signer holds both parts while the TTP holds just one of the parts. Similar key-splitting techniques can be used in a variety of applications. For instance, MacKenzie and Reiter [25] use key splitting to minimize the vulnerability of devices that perform networked private-key operations (i.e., signatures or decryptions) against attacks.
To date, all optimistic protocols require the use of zero-knowledge proofs (via zero-knowledge protocols) in the exchange protocol, with the exception of schemes based on one-time tokens (see Section 2). This technique, however, is not a truly optimistic protocol: it only supports a limited number of exchanges, and the TTP has to be involved intermittently to replenish the exhausted one-time tokens. Zero-knowledge protocols constitute the most computationally intensive part of the exchange protocol. In our approach, we do not use any zero-knowledge proofs in the exchange protocol, which significantly increases efficiency. To the best of our knowledge, our scheme is the only optimistic fair-exchange protocol to date that achieves this without suffering the drawbacks mentioned above (i.e., intermittent interactions with the TTP). In our approach, use of zero-knowledge proofs is needed, however, in the protocol setup phase (called the registration protocol), but this is only a one-time cost. This phase needs to be executed only once, after which it can support any number of exchanges. The end result is a fair-exchange protocol that is very efficient in terms of computation and communication overhead.
In the next section, we discuss some related work relevant to optimistic protocols. We discuss the technical background in Section 3: an overview of multisignatures, our multisignature model, the RSA signature algorithm [30], and our RSA-based multisignature scheme are given. In Section 4, we describe how our multisignature paradigm can be used to construct optimistic protocols. In Section 5, we compare the efficiency of our fair-exchange protocol with two other schemes in terms of computation and communication overhead. The concluding remarks are given in Section 6. In the Appendix, we discuss certain security issues involved in key splitting.
2. RELATED WORK
Optimistic fair-exchange protocols can be categorized into four types depending on how the commitment and voucher (see Section 1) are created: (i) protocols using verifiable escrows, (ii) protocols using verifiable encryptions, (iii) protocols using convertible undeniable signatures, and (iv) protocols using one-time tokens.
In [3, 4], Asokan et al. propose an optimistic protocol that uses cryptographic primitives called verifiable escrows to produce the fairness primitive. A verifiable escrow of a signature is created as follows: first, the signer reduces her signature to a particular homomorphic pre-image of the signature; then, a cut-and-choose interactive zero-knowledge proof, in combination with an ordinary escrow scheme, is used to verifiably escrow the homomorphic pre-image. This technique can be applied to almost any signature scheme as long as there is a way to reduce the signature into a homomorphic pre-image. Its drawback is that it requires Alice and Bob to execute considerable amounts of computation during the interactive zero-knowledge proof. Furthermore, communication overhead is relatively high: the amount of data transmitted (by both parties) is on the order of several thousand bytes. The approach of Asokan et al. was later generalized by Camenisch and Damgard [14], but the computational burden remains.
Fair-exchange protocols using verifiable encryption were proposed by Ateniese [5] and Bao et al. [8] independently. These protocols apply ad-hoc techniques to create an encryption of a signature that conforms to the signature type. For instance, a verifiable encryption of an RSA signature [30] is created by encrypting it via the ElGamal encryption scheme [20] using the TTP's public key. To prove that the verifiable encryption was correctly generated without revealing the signature itself, the signer uses a zero-knowledge proof. Note that the verifiable encryption corresponds to Alice's commitment, and the zero-knowledge proof corresponds to the voucher. The primary advantage of protocols based on verifiable encryption is their efficiency. Ateniese [5] shows that his schemes require considerably less computation and communication overhead than the approach of Asokan et al. However, because the verifiable encryption approach is based on ad-hoc techniques, it can be vulnerable to security flaws: the verifiable encryption of Guillou-Quisquater signatures proposed in [8] was shown to be insecure [5, 13].
In [13, 17], the authors show that fair-exchange protocols can be constructed efficiently using cryptographic primitives known as convertible undeniable signatures. Convertible undeniable signatures [11, 19, 28] require the signer's assistance for verification, but have a feature that allows the signatures to be converted into "universally verifiable" signatures. That is, the original signatures can be converted into signatures that can be verified by anyone without the assistance of the signer. Using this feature, fair-exchange protocols can be constructed. This approach also utilizes zero-knowledge proofs in the exchange protocol: in [13], a zero-knowledge proof is used to prove the validity of the signer's convertible undeniable signature. The problem with this approach is that most converted signatures are not compatible with standard signatures. That is, the converted signature does not have the same form as a standard signature, and hence needs a verification algorithm that is different from the algorithm used to verify standard signatures. The scheme used in [13] is an exception (i.e., it is compatible with standard RSA signatures), but their approach is limited to the RSA signature scheme.
Another method of constructing optimistic protocols is to use one-time verifiable encryptions constructed from one-time tokens (also called coupons) issued by the TTP [4, 5]. The drawback of this scheme is that the signer has to contact the TTP for new tokens once all the previously issued tokens are exhausted. Protocols based on one-time tokens require the use of zero-knowledge proofs for some (but not all) signature types (see Section IX of [4]).
It should be noted that the difference between the techniques categorized above is, in some cases, obscure, and certain schemes can belong to more than one category.
3. TECHNICAL BACKGROUND
3.1 Multisignatures
If multiple signers need to sign a single message, the naive approach would be to let the signers create their own signatures and concatenate the individual signatures. Obviously, this causes an expansion in the signature data. A multisignature scheme [12, 23, 27] allows multiple signers to sign a single message efficiently such that the resulting multisignature has little or no difference in size from an individual signature.
The players in a typical multisignature scheme are $n \geq 2$ signers and a verifier. For each signer $i$, there is a private key $sk_i$, which we call the signer's partial private key. Depending on the multisignature scheme, a partial public key $pk_i$ might also be assigned to each signer. After each signer creates its partial signature $\sigma_i$ using its partial private key, these are combined to form the multisignature $\sigma$, and given to the verifier. After receiving the multisignature, the verifier verifies its correctness using the joint public key $pk$ corresponding to the joint private key $sk$. The joint private key has an explicit algebraic relation with the partial private keys, that is,
$sk = sk_1 \oplus \cdots \oplus sk_n,$
where $\oplus$ denotes some binary operation (e.g., addition or multiplication). This relation depends on how the multisignature is constructed. If the partial and joint keys are created correctly, it should be infeasible to create a multisignature using only a proper subset of the partial private keys; more precisely, if the joint private key is $sk = sk_1 \oplus \cdots \oplus sk_n$, then it should be infeasible to create a multisignature with a proper subset of $\{sk_1, \ldots, sk_n\}$.
Unlike most convertible undeniable signatures, multisignatures are compatible with the underlying (single-signer) signature scheme. That is, the algorithm for verifying the multisignature is identical to the algorithm for verifying the underlying signature scheme.
3.2 Our Multisignature Paradigm
For our application, we use a modified version of the typical multisignature model. In our model, the players in a multisignature scheme include a primary signer, a cosigner, and a verifier; we fix the number of signers to two (Footnote 1). The cosigner has knowledge of his partial private key $sk_2$ only, while the primary signer has knowledge of her partial private key $sk_1$ as well as the cosigner's partial private key. The keys $sk_1$ and $sk_2$ are used to generate the primary signer's partial signature $\sigma_1$ and the cosigner's partial signature $\sigma_2$, respectively. Such assignment of keys enables the primary signer to compute the multisignature $\sigma$ without any cooperation from the cosigner, but prevents the cosigner from computing it on his own. (In contrast, in a typical multisignature scheme, each signer only has knowledge of his own partial private key so that every signer has to cooperate to compute a multisignature.) In addition, in our framework, there exists a partial public key $pk_1$ that is used to verify the primary signer's partial signature. However, there is no partial public key associated with the cosigner because the cosigner's signature does not need to be verified (in our model).
In our model, the cosigner acts as a sort of "arbitrator," who holds his partial private key so that he has the ability to settle disputes that might arise between the primary signer and the verifier. In contrast, the primary signer is the "owner" of the multisignature, that is, the multisignature provides non-repudiation of the message signed by the primary signer. Imagine a scenario where Alice (primary signer) and Bob (verifier) are trying to exchange signatures in a fair way. Alice wants to commit to the transaction by providing "a token of commitment" but not her signature itself. Alice wants to convince Bob that she has made an honest commitment and that he has the guarantee of receiving her signature if he carries out the protocol honestly. If Charlie (cosigner) is trusted by both parties, it is possible to construct a fair-exchange protocol using our multisignature paradigm: a multisignature can be used as Alice's signature, and a corresponding partial signature can be used as her token of commitment. By providing the partial signature, Alice can make a commitment without giving an advantage to Bob (assuming the partial signature is of no value to Bob). Moreover, Bob is protected from Alice's dishonest behavior once he receives her partial signature because Charlie has the ability to create the multisignature using his partial private key $sk_2$ and Alice's partial signature $\sigma_1$. Thus, after verifying the correctness of Alice's partial signature, Bob can safely send his signature to Alice.
Footnote 1: We associate the primary signer with the female gender, and associate the cosigner and verifier with the male gender. The notations associated with the primary signer and cosigner have subscripts of one and two, respectively.
Another important property of our model is that a trusted party (i.e., Charlie) guarantees the algebraic relation between the keys. The correct relationship between the keys ensures that Charlie can generate the multisignature using his partial private key and Alice's partial signature. In addition, it is assumed that only the joint public key $pk$ (and not the partial public key $pk_1$) is certified by the certification authority (CA). Because the partial public key $pk_1$ is not certified, the only role that the partial signature can play is as a commitment to the transaction in which it is used and not as a cryptographic primitive for providing non-repudiation. For a signature to provide non-repudiation, there has to be a tamper-proof link between the public key and the signer's identity, and this link is provided by the public key's certificate, issued by the CA. In contrast, the joint public key $pk$ is certified, and hence the multisignature provides non-repudiation of the message signed by the entity that holds all the partial private keys; in our model, this is the primary signer.
The above properties of our multisignature paradigm enable us to construct efficient optimistic fair-exchange protocols without relying on costly cryptographic techniques.
3.3 The RSA Signature Scheme
Before we discuss our RSA-based multisignature scheme, we review the RSA (single-signer) signature scheme [30]. We consider the standard "hash-then-decrypt" variety.
The signature space is the set of integers modulo $N$, denoted as $\mathbb{Z}_N$, where $N$ is a product of two distinct primes $p$ and $q$. The parameter $N$ is chosen such that $2^{k-1} \leq N < 2^k$ holds for some security parameter $k$. The public key (Footnote 2) is obtained by selecting a random integer $e$, $1 < e < \phi(N)$, such that $\gcd(e, \phi(N)) = 1$. Here, $\phi$ is the Euler totient function (Footnote 3). The private key is generated by finding the unique integer $d$, $1 < d < \phi(N)$, such that
$ed \equiv 1 \pmod{\phi(N)}.$
A signature $\sigma$ on message $M$ is created by computing
$H(M)^d \bmod N,$
where $H : \{0,1\}^* \to \mathbb{Z}_N$ is a public hash function. (Here, $\{0,1\}^*$ denotes a binary string of arbitrary finite length.) To thwart attacks, the hash function should have the preimage, second-preimage, and collision-resistance properties (see p. 323, [26]). The signing space (Footnote 4) is $\mathbb{Z}_N$. The signature $\sigma$ is considered to be a valid signature of $M$ if
$\sigma^e \bmod N = H(M).$
Footnote 2: In some literature, $(e, N)$ and $d$ are called the public and private keys, respectively.
Footnote 3: $\phi(N)$ denotes the number of integers in the interval $[1, N]$ that are relatively prime to $N$.
3.4 Our RSA-Based Multisignature Scheme
Boyd [12] proposed an RSA-based multisignature scheme that allows two signers to compute a multisignature efficiently. The core idea behind his scheme is to multiplicatively split the private key $d$ into two partial keys $d_1$ and $d_2$, each associated with a different signer. That is,
$d \equiv d_1 d_2 \pmod{\phi(N)}.$
The multisignature computation is then based on the equation
$H(M)^d \equiv H(M)^{d_1 d_2} \pmod{N}.$
In [9], Bellare and Sandhu give security analyses for a set of signature protocols based on Boyd's scheme.
In our fair-exchange protocol, we employ an RSA-based multisignature scheme that also splits $d$ into two partial keys, but the splitting is done additively instead of multiplicatively. Our multisignature scheme has the following features that set it apart from Boyd's scheme.
We restrict the modulus $N$ to be a product of safe primes $p$ and $q$, that is, $p$ and $q$ are primes such that $p = 2p' + 1$ and $q = 2q' + 1$ with $p'$ and $q'$ primes. Let $\mathbb{Z}_N^*$ denote the multiplicative group of integers modulo $N$. The signing space (Footnote 4) is the set of quadratic residues modulo $N$, denoted as $Q_N$. By definition, $Q_N \subset \mathbb{Z}_N^*$ is the set of elements $a \in \mathbb{Z}_N^*$ such that there exists an $x \in \mathbb{Z}_N^*$ with $x^2 \equiv a \pmod{N}$. Note that $Q_N$ is a cyclic subgroup of $\mathbb{Z}_N^*$, and that
$|Q_N| = \frac{|\mathbb{Z}_N^*|}{4} = p'q', \quad (1)$
where $|\cdot|$ denotes the order of a group. The private key $d$ is split additively. That is,
$d \equiv d_1 + d_2 \pmod{\lambda},$
where $\lambda = p'q'$. Observe that the modulus used above is $\lambda$ instead of $\phi(N)$ because the signing space is $Q_N$. The multisignature computation is then based on the congruence
$H(M)^d \equiv H(M)^{d_1} H(M)^{d_2} \pmod{N},$
where $H : \{0,1\}^* \to Q_N$ is a public hash function. In addition to splitting $d$, we need to create a partial public key $e_1$ associated with the partial private key $d_1$ that satisfies
$d_1 e_1 \equiv 1 \pmod{\lambda}.$
Footnote 4: The set of elements to which the signature transformation is applied.
The key $e_1$ is used by the verifier to verify the primary signer's partial signature, and is published information. For the following discussions, we use the results of the following lemma proven in [22].
LEMMA 1. Let $N = pq$, where $p = 2p' + 1$, $q = 2q' + 1$, and $p$, $q$, $p'$, and $q'$ are all prime numbers. We assume, without loss of generality, that $p < q$. Then,
1. The order of elements in $\mathbb{Z}_N^*$ is one of the integers in the set $\{1, 2, p', q', 2p', 2q', p'q', 2p'q'\}$.
2. Given an element $a \in \mathbb{Z}_N^* \setminus \{-1, 1\}$ such that $\mathrm{ord}(a) < p'q'$, then either $\gcd(a - 1, N)$ or $\gcd(a + 1, N)$ is a prime factor of $N$. ($\mathrm{ord}(\cdot)$ denotes the order of a group element.)
As a consequence of Lemma 1, any element $a \in \mathbb{Z}_N^* \setminus \{-1, 1\}$ selected by a party that does not know the factorization of $N$ satisfies $\mathrm{ord}(a) \geq p'q'$ with overwhelming probability. We can directly use the results of Lemma 1 to gain useful insight into the characteristics of the elements of $Q_N$. By Lagrange's Theorem (Footnote 5) and (1), the order of elements in $Q_N$ is one of the integers in the set $\{1, p', q', p'q'\}$. However, as a consequence of Lemma 1, any element $b \in Q_N$, $b \neq \pm 1$, such that $\gcd(b + 1, N)$ and $\gcd(b - 1, N)$ are not prime factors of $N$, satisfies
$\mathrm{ord}(b) = p'q'.$
This fact will play a vital role in the registration stage of our fair-exchange protocol. The details of the key and multisignature generation processes are given below.
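The structural facts about $Q_N$ used above (the size $p'q'$ from (1), the order set $\{1, p', q', p'q'\}$, and the consequence of Lemma 1 that a low-order element other than $\pm 1$ exposes a factor of $N$ through a gcd) can be checked exhaustively on a toy modulus. The following Python is an added example, not the paper's code; it constructs $N = 11 \cdot 23$ (both safe primes) so that all of $Q_N$ can be enumerated and every element's order computed by brute force.

```python
"""Exhaustive check, on a toy modulus, of the facts about Q_N used in Section 3.4:
eq. (1), the order set {1, p', q', p'q'} given by Lagrange's theorem, and the
consequence of Lemma 1 that b != +-1 with ord(b) < p'q' reveals a factor of N
through gcd(b - 1, N) or gcd(b + 1, N).  Added example; N = 11 * 23 is constructed."""
import math


def quadratic_residues(n):
    """Q_N: the squares of the units modulo n."""
    return sorted({x * x % n for x in range(1, n) if math.gcd(x, n) == 1})


def order(a, n):
    """Multiplicative order of the unit a modulo n (brute force, toy sizes only)."""
    k, x = 1, a % n
    while x != 1:
        x = x * a % n
        k += 1
    return k


def check_qn_structure(p, q):
    """p and q are assumed to be safe primes p = 2p'+1, q = 2q'+1.
    Returns the three checks plus a histogram of element orders in Q_N."""
    p1, q1 = (p - 1) // 2, (q - 1) // 2
    n = p * q
    qn = quadratic_residues(n)
    orders = {b: order(b, n) for b in qn}
    histogram = {}
    for o in orders.values():
        histogram[o] = histogram.get(o, 0) + 1
    # eq. (1): |Q_N| = |Z_N^*| / 4 = p'q'
    size_ok = len(qn) == (p - 1) * (q - 1) // 4 == p1 * q1
    # Lagrange's theorem with (1): every order in Q_N lies in {1, p', q', p'q'}
    orders_ok = set(orders.values()) <= {1, p1, q1, p1 * q1}
    # Consequence of Lemma 1: ord(b) < p'q' and b != +-1  ==>  gcd(b -+ 1, N) is p or q
    leak_ok = all(math.gcd(b - 1, n) in (p, q) or math.gcd(b + 1, n) in (p, q)
                  for b, o in orders.items() if o < p1 * q1 and b not in (1, n - 1))
    return {"size_ok": size_ok, "orders_ok": orders_ok,
            "low_order_leaks_factor": leak_ok, "histogram": histogram}


if __name__ == "__main__":
    print(check_qn_structure(11, 23))
```

For $N = 253$ the histogram comes out as one element of order 1, four of order $p' = 5$, ten of order $q' = 11$ and forty of order $p'q' = 55$, which is exactly what a cyclic group of order 55 must contain; every element of order 5 or 11 is congruent to 1 modulo $q$ or $p$ respectively, which is why the gcd test in Lemma 1 catches all of them.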
KEY GENERATION. Let $KG$ denote the key generation algorithm for the multisignature scheme. The algorithm $KG$, on input of some security parameter $k$, first selects two safe primes $p$ and $q$ such that their product $N$ satisfies $2^{k-1} \leq N < 2^k$. The joint public key is obtained by selecting a random integer $e$, $1 < e < \lambda$, such that $\gcd(e, \lambda) = 1$. The joint private key is generated by finding the unique integer $d$, $1 < d < \lambda$, such that
$ed \equiv 1 \pmod{\lambda}.$
Now, the partial public key $e_1$, $1 < e_1 < \lambda$, is chosen randomly such that $\gcd(e_1, \lambda) = 1$. The corresponding (primary signer's) partial private key is generated by finding the unique integer $d_1$, $1 < d_1 < \lambda$, such that
$e_1 d_1 \equiv 1 \pmod{\lambda}.$
Next, the (cosigner's) partial private key $d_2$ is computed as
$d_2 = d - d_1 \bmod \lambda.$
The keys satisfy the following relations:
$ed \equiv 1 \pmod{\lambda},$
$e_1 d_1 \equiv 1 \pmod{\lambda},$
$d_1 + d_2 \equiv d \pmod{\lambda}.$
Footnote 5: Lagrange's theorem states that if $G$ is a finite group and $H$ is a subgroup of $G$, then $|H|$ divides $|G|$. Thus, if $a \in G$, then $\mathrm{ord}(a)$ divides $|G|$.
SIGNATURE GENERATION. The primary signer and cosigner create their respective partial signatures,
$\sigma_i = H(M)^{d_i} \bmod N, \quad i = 1, 2,$
using their respective partial private keys $d_1$ and $d_2$. These are multiplied modulo $N$ to form the multisignature $\sigma$. That is,
$\sigma = H(M)^{d_1 + d_2} \bmod N.$
The partial signature $\sigma_1$ is considered valid if and only if
$\sigma_1^{e_1} \bmod N = H(M).$
The multisignature $\sigma$ is verified in the same way using the joint public key $e$ instead of $e_1$.
Remark 1. Recall that in Boyd's scheme, d was split multiplicatively, whereas in our scheme, we split d additively. It is necessary to take the latter approach to avoid compromising the security of our protocol. Specifically, if d is split multiplicatively, the cosigner is able to create multisignatures on his own without the help of the primary signer. The compromise in security is due to the fact that the cosigner can use the three keys available to him (partial private key d2, partial public key e1, and the joint public key e) to compute d1. In the Appendix, we give details on how this can occur. Note that, in the fair-exchange protocol of Boyd and Foo [13], an RSA-based convertible undeniable signature scheme, which splits d multiplicatively, is used. In this signature scheme, however, the partial public key e1 does not exist. Thus, although d is split multiplicatively, it does not cause any security problems there.
4. THE FAIR-EXCHANGE PROTOCOL
In the following protocol, Alice is the customer (or primary signer), Charlie is the TTP (or cosigner), and Bob is the merchant (or verifier). Using the following optimistic protocol, Alice purchases digital goods from Bob, and Bob receives her electronic check in return. We assume that the public keys of the CA and Charlie are known to all parties involved in the transaction.
The central theme of the registration protocol is Alice proving to Charlie that the following congruences hold without revealing d1 and λ (with the rest of the keys known to Charlie):
e1 d1 ≡ 1 (mod λ), (2)
(d1 + d2) e ≡ 1 (mod λ). (3)
This is done by using a reference message w and its corresponding reference signature β, and is described in the following steps. A similar approach is used to construct an undeniable signature scheme in [22].
REGISTRATION. The registration protocol needs to be performed only once, after which it can support any number of exchanges. Note that most optimistic fair-exchange protocols require a registration stage (e.g., [5, 13]). We assume that the registration protocol is performed via confidential and authenticated channels. In practice, such channels can be implemented by using message authentication codes (MACs) in conjunction with encryption schemes.
1. Alice first generates the parameters N, p, and q and the keys e, e1, d, d1, and d2. Alice then contacts the CA to get the joint public key e certified. At this stage, Alice has to prove to the CA that N is a product of safe primes (without revealing p and q). This can be done using the zero-knowledge protocol of Camenisch and Michels [15]. After verifying the construction of N, the CA issues a signed certificate C_CA. This certificate certifies the joint public key e and the modulus N. We assume that the values of e and N can be extracted from C_CA (footnote 6).
2. Alice sends C_CA, e1, and d2 to Charlie. Note that d2 is Charlie's partial private key, and e1 is the partial public key associated with Alice's partial private key d1.
3. Charlie checks the validity of C_CA.
4. Charlie randomly chooses an integer g ∈ Z_N^* \ {−1, 1}, and checks that gcd(g + 1, N) and gcd(g − 1, N) are not prime factors of N. He then computes w = g^2 mod N. Note that w is a generator of Q_N (see Section 3.4). Charlie sends the reference message w to Alice.
5. Alice computes the reference signature
β = w^{d1} mod N,
and sends this to Charlie.
6. Now, Alice proves to Charlie that β is a power of w without revealing d1. This can be done using the zero-knowledge protocol of Chaum et al. [16]. See [16] for details.
7. Charlie checks that β is constructed correctly by verifying the following congruence relations:
β^{e1} ≡ w (mod N),
β^{e} · w^{d2 e} ≡ w (mod N).
8. If the verifications (of Steps 3, 6, and 7) are passed, Charlie accepts Alice's claim that the congruence relations (2) and (3) hold. He then creates a voucher V_C by signing e1. We assume that e1 can be extracted from V_C. Charlie stores his partial private key d2, and sends V_C to Alice.
Remark 2. The certificate C_CA certifies e and N. It might also include descriptions of the group Q_N and the hash function H: {0, 1}* → Q_N.
Remark 3. After Step 6, Charlie can assume that β = w^α mod N for some integer α (at this point, he cannot be sure that α = d1). Because w is a generator (i.e., ord(w) = p'q'), the congruences in Step 7 imply that α e1 ≡ 1 (mod λ) and (α + d2) e ≡ 1 (mod λ), respectively. Thus, α = d1 must be true if the verifications of Steps 6 and 7 are passed.
Footnote 6: The plaintext of the certificate can be extracted from the certificate, either because the signature scheme (used for generating the certificate) is capable of message recovery, or because the plaintext is concatenated with the signature.
Remark 4. The voucher V_C is a signed statement from Charlie that assures the following: (i) e1 is Alice's valid partial public key, and (ii) the algebraic relations between the keys have been verified, and, as a result, Charlie can generate a multisignature from the corresponding partial signature. The first statement is explicitly shown by the content of the voucher, and the second statement is implicitly assumed to be true: Charlie will not create the voucher without verifying the relations of the keys. Therefore, the voucher implicitly conveys the following important semantics: Charlie can convert any signature on some arbitrary message M, which is verified using (e1, N), to a signature on M that is verified with (e, N).
Figure 1: The exchange protocol. (Message flow between Alice and Bob: Alice sends C_CA, V_C, σ1 to Bob; Bob sends E_γ(μ) to Alice; Alice sends σ to Bob.)
Remark 5. If the number of users is large, Charlie must securely store a correspondingly large number of partial private keys d2 (one for each primary signer). This can be avoided by using the following technique: Charlie concatenates d2 and Alice's unique identification, ID_A, to form d2 || ID_A, and then encrypts this value via some symmetric-key encryption algorithm E_s(·), where s denotes the secret key. Charlie then creates a signature on the concatenation of e1 and E_s(d2 || ID_A). That is,
Sig_C(e1 || E_s(d2 || ID_A)),
where Sig_C(·) denotes Charlie's signature algorithm. This value is used as the voucher V_C. Now, Charlie can extract d2 from V_C (using s), and only needs to securely store s.
EXCHANGE. Alice initiates the protocol with Bob. We assume that Alice and Bob have gone through a negotiation process to agree on the purchase information M (which might contain Alice's unique identity, Bob's unique account number, price of the merchandise, description of the merchandise, and date of transaction) prior to the start of the exchange protocol. This process may be as simple as Alice choosing fixed-price goods from Bob's website. Note that Alice's digital signature on M (which is her multisignature σ) acts as her digital check. In addition, Alice and Bob agree on a session key using some key-agreement protocol (e.g., Diffie-Hellman key agreement). The session key is used to encrypt the digital merchandise to deter eavesdropping. We use the basic optimistic protocol of Section 1 as the protocol framework. The following steps describe the exchange protocol.
1. Alice computes her partial signature σ1 (using d1), and sends Bob C_CA, V_C, and σ1.
2. Bob, using C_CA, verifies N and e. He then checks the validity of V_C, and verifies whether
σ1^{e1} mod N = H(M).
If everything is in order, Bob encrypts the digital merchandise μ with some symmetric encryption algorithm E_γ(·), where γ is the secret encryption key (i.e., the session key). The encrypted merchandise E_γ(μ) is sent to Alice. However, if any one of the items received from Alice is invalid, Bob does not send the merchandise, and stops the protocol.
3. Alice decrypts and verifies the merchandise. If Alice is satisfied with the merchandise, she computes the multisignature σ, and sends it to Bob. Otherwise, Alice stops the protocol.
4. Bob verifies σ, and if it is valid, ends the protocol. Otherwise, Bob initiates the dispute resolution protocol.
Figure 1 shows the messages exchanged between Alice and Bob in the exchange protocol when both parties act honestly.
Remark 6. Note that σ1 and V_C constitute the fairness primitive.
Remark 7. The exchange protocol above requires the use of timestamps and reliable channels (footnote 7; see [2]) to ensure timely termination. Note that the protocol framework of Asokan et al. [3, 4] does not require timestamps for timely termination, and only requires resilient channels (footnote 8). We can also apply our approach to their framework. Doing so is straightforward: replace their multistep verifiable escrow procedure with the transmission of a partial signature and its associated voucher (i.e., the fairness primitive). Of course, the primary signer and the TTP would have to go through a one-time registration protocol prior to the exchange protocol.
Remark 8. The above exchange protocol does not require confidential and authenticated channels. Observe that Alice's digital check (i.e., σ) is of no value to an eavesdropper because it specifies the intended recipient of the check. Moreover, the digital merchandise is encrypted before transmission, and hence it is useless to an eavesdropper.
DISPUTE RESOLUTION. If Bob does not receive the multisignature σ, or if σ is invalid, he initiates a dispute resolution protocol by contacting Charlie. We assume that reliable channels exist between the parties.
Footnote 7: A channel that is always operational with a known upper bound on the time delay. An attacker cannot delay any messages beyond the known upper bound.
Footnote 8: A channel that is normally operational, but an attacker can succeed in delaying messages by an arbitrary but finite amount of time.
1. Bob encrypts the session key γ as AE_pkC(γ), where pkC is Charlie's public key, and AE_pkC(·) is an asymmetric encryption algorithm. Bob then sends C_CA, V_C, σ1, M, E_γ(μ), and AE_pkC(γ) to Charlie.
2. Charlie decrypts AE_pkC(γ), and uses γ to recover μ. Next, he extracts all the system parameters and keys from C_CA and V_C, and then verifies σ1 using those values. If everything is in order, Charlie generates the multisignature σ using σ1 and his partial private key d2 via the relation
σ = σ1 · H(M)^{d2} mod N.
The multisignature is sent to Bob, and the (encrypted) merchandise is forwarded to Alice. If any of the items received from Bob is invalid, Charlie halts the dispute resolution protocol without sending anything to either party.
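The key and signature generation of Section 3 together with registration Steps 4, 5 and 7, exchange Steps 1 and 2, and dispute resolution Step 2 above, exercised end to end in Python as an added example; this is not code from the paper. It assumes toy 20-bit safe primes, a fixed seed, and SHA-256 squared modulo N as the hash H into Q_N (the paper fixes none of these). The zero-knowledge proofs of Steps 1 and 6 are not modelled, so the `registered` flag covers only the Step 7 algebra.

```python
import hashlib
import random
from math import gcd

# Toy sizes and a fixed seed so the run is reproducible (an assumption of this
# example); a deployment uses a CSPRNG and primes of at least 1024 bits.
rng = random.Random(2003)
PRIME_BITS = 20

def is_prime(n):
    """Trial division, adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def random_safe_prime(bits):
    """Return p = 2p' + 1 with both p and p' prime."""
    while True:
        pp = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(pp) and is_prime(2 * pp + 1):
            return 2 * pp + 1

def keygen():
    """KG of Section 3: safe primes, joint pair (e, d), partial pair (e1, d1)
    and the cosigner's share d2 = d - d1 mod lambda, with lambda = p'q'."""
    p, q = random_safe_prime(PRIME_BITS), random_safe_prime(PRIME_BITS)
    N, lam = p * q, ((p - 1) // 2) * ((q - 1) // 2)

    def coprime_exponent():
        while True:
            x = rng.randrange(2, lam)
            if gcd(x, lam) == 1:
                return x

    e, e1 = coprime_exponent(), coprime_exponent()
    d, d1 = pow(e, -1, lam), pow(e1, -1, lam)
    return {"N": N, "lam": lam, "e": e, "d": d,
            "e1": e1, "d1": d1, "d2": (d - d1) % lam}

def H(msg, N):
    """Hash into Q_N (assumed instantiation): square a SHA-256 digest mod N."""
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % N, 2, N)

def partial_sign(msg, d_i, N):
    """sigma_i = H(M)^{d_i} mod N."""
    return pow(H(msg, N), d_i, N)

def verify(msg, sig, exponent, N):
    """Valid iff sig^exponent mod N == H(M): exponent e1 for sigma_1, e for sigma."""
    return pow(sig, exponent, N) == H(msg, N)

def choose_reference_message(N):
    """Registration Step 4: w = g^2 mod N for g in Z_N^* \\ {-1, 1} such that
    gcd(g + 1, N) and gcd(g - 1, N) are both 1, so that w generates Q_N."""
    while True:
        g = rng.randrange(2, N - 1)
        if gcd(g + 1, N) == 1 and gcd(g - 1, N) == 1:
            return pow(g, 2, N)

def check_reference_signature(w, beta, e1, d2, e, N):
    """Registration Step 7: beta^e1 == w and beta^e * w^(d2 e) == w (mod N)."""
    return (pow(beta, e1, N) == w
            and pow(beta, e, N) * pow(w, d2 * e, N) % N == w)

def combine(sigma1, msg, d2, N):
    """Dispute resolution Step 2: sigma = sigma_1 * H(M)^{d2} mod N."""
    return sigma1 * pow(H(msg, N), d2, N) % N

def run_protocol(msg=b"constructed purchase record M"):
    """One registration, one exchange, and Charlie's recovery of sigma."""
    k = keygen()
    N = k["N"]
    # Registration Steps 4, 5 and 7 (the ZK proof of Step 6 is not modelled).
    w = choose_reference_message(N)
    beta = pow(w, k["d1"], N)
    registered = check_reference_signature(w, beta, k["e1"], k["d2"], k["e"], N)
    # Exchange Steps 1 and 2: Alice's partial signature, Bob's check under e1.
    sigma1 = partial_sign(msg, k["d1"], N)
    bob_accepts = verify(msg, sigma1, k["e1"], N)
    # Exchange Step 3 (Alice, exponent d1 + d2 = d mod lambda) and dispute
    # Step 2 (Charlie, from sigma_1 and d2) must yield the same sigma.
    sigma_alice = partial_sign(msg, k["d"], N)
    sigma_charlie = combine(sigma1, msg, k["d2"], N)
    return {"registered": registered,
            "bob_accepts": bob_accepts,
            "same_sigma": sigma_alice == sigma_charlie,
            "multisig_valid": verify(msg, sigma_charlie, k["e"], N),
            "tampered_rejected": not verify(b"tampered M", sigma_charlie, k["e"], N)}
```

Every flag returned by `run_protocol()` is True. Note that `registered` reflects Remark 3 only in part: the Step 7 congruences pin α = d1 solely once Step 6 has established that β is some power of w, so a verifier that skipped Step 6 would be accepting an unproved claim.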
5. EFFICIENCY EVALUATIONS
The most computationally expensive part of an optimistic exchange protocol is creating and verifying the fairness primitive, that is, the "commitment" C_A and its associated "voucher" V (see Section 1). Moreover, modular exponentiation is the most costly operation required to create and verify those items. Recall that in the exchange protocol of Section 4, σ1 corresponds to a commitment, and V_C corresponds to a voucher.
In this section, we evaluate the efficiency of our scheme in terms of two criteria: (i) the number of modular exponentiations required for creating/verifying the fairness primitive (i.e., σ1 and V_C) in the exchange protocol and (ii) the size of the fairness primitive (in bytes). In Table 1, we compare our scheme with the verifiable-escrow scheme of Asokan et al. [4] and the verifiable-encryption scheme of Ateniese [5]. For the comparison, we make the same assumptions made in [5]. Specifically, we exclude the overhead related to the CA's certificate, and assume a 1200-bit RSA modulus N and a 128-bit hash function. Specific to our fair-exchange protocol, we also assume that Charlie creates V_C using a signature scheme with the message recovery feature that requires one exponentiation modulo a 1280-bit number for verification (e.g., RSA).
Note that the numbers of Table 1 are approximate figures; the numbers can vary depending on the implementation. The numbers for the verifiable escrow and verifiable encryption schemes were taken from [5].
6. CONCLUSIONS
We presented a novel method for constructing efficient optimistic fair-exchange protocols using RSA-based multisignatures. We used a novel multisignature paradigm, which is quite different from the conventional model. The intrinsic features of the new paradigm enabled us to construct an exchange protocol that is very simple and efficient. Unlike the vast majority of previously proposed protocols, our approach does not use any zero-knowledge proofs in the exchange protocol, and thus avoids most of the costly computations. Use of zero-knowledge proofs is needed only in the registration phase; this is a one-time cost. As seen from Table 1, the resulting protocol is extremely efficient; in fact, it requires even less computation and space overhead than the verifiable-encryption scheme [5], which is one of the most efficient protocols. Our approach has other advantageous features: (i) unlike protocols using convertible undeniable signatures, our scheme uses multisignatures that are compatible with the underlying (single-signer) signature, which implies that implementing the fair-exchange feature on top of an existing e-commerce system is less complicated, (ii) our approach can be applied to constructing fair-exchange protocols via multisignatures based on signature algorithms other than RSA, and (iii) our technique is flexible enough that it can be used with the protocol framework of Asokan et al. [3, 4] as well as the framework of Bao et al. [8].

Table 1: Comparison of efficiency
criterion                          verifiable escrow   verifiable encryption   multisignature
number of exponentiations          75                  7.5                     3
fairness primitive size (bytes)    8000                400                     310
7. ACKNOWLEDGEMENTS
This research was supported in part by the Colorado State University George T. Abell Endowment, and by NSF under grants 0098089-ECS, 0099137-ANI, and ANI-0207892. The authors would like to thank the anonymous PODC reviewers for their insightful comments that improved the presentation of the paper.
8. ADDITIONAL AUTHORS
Additional authors: Indrajit Ray, Department of Computer Science, Colorado State University, 601 S Howes Street, Fort Collins, CO 80523, email: indrajit@colostate.edu.
REFERENCES
[1] M. Abadi, N. Glew, B. Horne, and B. Pinkas. Certified email with a light on-line trusted third party: design and implementation. In International World Wide Web Conference Proceedings, pages 387-395, May 1991.
[2] N. Asokan. Fairness in Electronic Commerce. Department of Computer Science, University of Waterloo, 1998.
[3] N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. In Advances in Cryptology: EUROCRYPT '98, pages 591-606, 1998.
[4] N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communications, 18(4):593-610, 2000.
[5] G. Ateniese. Efficient verifiable encryption (and fair exchange) of digital signatures. In Proceedings of ACM Conference on Computer and Communications Security, pages 138-146, November 1999.
[6] G. Ateniese and C. Nita-Rotaru. Stateless-recipient certified e-mail system based on verifiable encryption. In Proceedings of RSA 2002, February 2002.
[7] A. Bahreman and J. D. Tygar. Certified electronic mail. In Proceedings of Symposium on Network and Distributed Systems Security, pages 3-19, February 1994.
[8] F. Bao, R. Deng, and W. Mao. Efficient and practical fair exchange protocols with off-line TTP. In Proceedings of IEEE Symposium on Security and Privacy, pages 77-85, May 1998.
[9] M. Bellare and R. Sandhu. The security of practical two-party RSA signature schemes. Unpublished manuscript, 2001, available at http://www.cs.ucsd.edu/users/mihir/papers/splitkey.html.
[10] M. Blum. How to exchange (secret) keys. ACM Transactions on Computer Systems, 1(2):175-193, 1983.
[11] J. Boyar, D. Chaum, and I. Damgard. Convertible undeniable signatures. In Advances in Cryptology: CRYPTO '90, pages 189-205, 1990.
[12] C. Boyd. Digital multisignatures. Cryptography and Coding, pages 241-246, 1989.
[13] C. Boyd and E. Foo. Off-line fair payment protocols using convertible signatures. In Advances in Cryptology: ASIACRYPT '98, 1998.
[14] J. Camenisch and I. Damgard. Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes. In Advances in Cryptology: ASIACRYPT '00, pages 331-345, 2000.
[15] J. Camenisch and M. Michels. Proving in zero-knowledge that a number is the product of two safe primes. In Advances in Cryptology: EUROCRYPT '99, pages 106-121, 2000.
[16] D. Chaum, J. H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of a discrete logarithm and some generalizations. In Advances in Cryptology: EUROCRYPT '87, pages 127-141, 1987.
[17] L. Chen. Efficient fair exchange with verifiable confirmation of signatures. In Advances in Cryptology: ASIACRYPT '98, pages 286-299, 1998.
[18] B. Cox, J. D. Tygar, and M. Sirbu. NetBill security and transaction protocol. In Proceedings of 1st USENIX Workshop on Electronic Commerce, pages 77-88, July 1995.
[19] I. Damgard and T. Pedersen. New convertible undeniable signature schemes. In Advances in Cryptology: EUROCRYPT '96, pages 372-386, 1996.
[20] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469-472, 1985.
[21] S. Even, O. Goldreich, and A. Lempel. A randomized protocol for signing contracts. Communications of the ACM, 28(6):637-647, 1985.
[22] R. Gennaro, H. Krawczyk, and T. Rabin. RSA-based undeniable signatures. In Advances in Cryptology: CRYPTO '97, pages 132-149, 1997.
[23] L. Harn. Group-oriented (t, n) threshold digital signature scheme and digital multisignature. IEE Proceedings: Computers and Digital Techniques, 141(5):307-313, 1994.
[24] N. Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag, New York, New York, 1987.
[25] P. MacKenzie and M. K. Reiter. Networked cryptographic devices resilient to capture. In Proceedings of IEEE Symposium on Security and Privacy, pages 12-25, May 2001.
[26] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, Florida, 1996.
[27] S. Micali, K. Ohta, and L. Reyzin. Accountable-subgroup multisignatures. In Proceedings of ACM Conference on Computer and Communications Security, pages 245-254, November 2001.
[28] M. Michels and M. Stadler. Efficient convertible undeniable signature schemes. In Proceedings of Annual Workshop on Selected Areas in Cryptography (SAC '97), pages 231-243, August 1997.
[29] I. Ray and I. Ray. Fair exchange in e-commerce. ACM SIGecom Exchanges, 3(2):9-17, May 2002.
[30] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.
[31] J. Zhou and D. Gollmann. A fair non-repudiation protocol. In Proceedings of IEEE Symposium on Security and Privacy, pages 55-61, May 1996.
APPENDIX
A. INSECURITY OF SPLITTING THE PRIVATE KEY MULTIPLICATIVELY
We show that splitting the joint private key d multiplicatively renders our protocol insecure. Specifically, if d is split multiplicatively, the cosigner can create multisignatures on his own without the help of the primary signer. That is, the cosigner is able to use the three keys available to him (partial private key d2, partial public key e1, and the joint public key e) to compute d1. Although the cosigner is a trusted entity, it is important that he does not have the ability to forge multisignatures, so that the multisignature's non-repudiation property is preserved. If we split d multiplicatively, then the keys satisfy the following relations:
d ≡ d1 d2 (mod λ), (4)
e d ≡ 1 (mod λ), (5)
e1 d1 ≡ 1 (mod λ), (6)
where λ = p'q'. Using (4), we can insert d1 d2 in place of d in (5) to obtain
e d1 d2 ≡ 1 (mod λ).
Now, multiplying both sides of the above congruence relation by e1 and using (6), we obtain
e d2 ≡ e1 (mod λ).
The above congruence relation implies that e d2 − e1 is a multiple of λ.
Recall that the cosigner is given the values d2, e1, and e by the primary signer. This means that the cosigner can readily calculate the value of e d2 − e1, which is a multiple of λ. With this knowledge, the cosigner can factor N efficiently using Koblitz's probabilistic algorithm (see p. 91 of [24]). Once N is factored, the cosigner can readily compute d1 via the extended Euclidean algorithm, and thus compute the multisignature without the primary signer's help.
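The appendix argument carried through on constructed toy keys, as an added example that is not part of the paper: the safe primes p = 23 and q = 47 (so λ = 11 · 23 = 253), e = 3 and e1 = 5 are assumed values, and the factoring routine is the standard nontrivial-square-root-of-unity method the paper attributes to Koblitz [24]. The two splits are placed side by side so the design point of Remark 1 is visible: only the multiplicative split hands the cosigner a multiple of λ.

```python
import random
from math import gcd

# Constructed toy keys (not from the paper): p = 2*11 + 1, q = 2*23 + 1, so
# N = 1081 and lambda = p'q' = 253. Tiny on purpose; the algebra is the same
# at real sizes.
P, Q = 23, 47
N, LAM = P * Q, ((P - 1) // 2) * ((Q - 1) // 2)
E, E1 = 3, 5
D, D1 = pow(E, -1, LAM), pow(E1, -1, LAM)   # joint and partial private keys

def additive_d2():
    """The paper's split (Section 3): d2 = d - d1 mod lambda."""
    return (D - D1) % LAM

def multiplicative_d2():
    """Boyd-style split, relation (4): d = d1 d2 mod lambda."""
    return D * pow(D1, -1, LAM) % LAM

def cosigner_known_multiple(d2):
    """The quantity e*d2 - e1 the cosigner can form from e, e1 and his own d2.
    By (4)-(6) it is a multiple of lambda exactly when the split is
    multiplicative; under the additive split it carries no such structure."""
    return E * d2 - E1

def factor_from_lambda_multiple(m, n, rng=random.Random(7)):
    """Koblitz's probabilistic method: 2m is a multiple of the exponent of
    Z_n^*, so repeatedly squaring a^(odd part of 2m) reaches 1, and any
    nontrivial square root of 1 met on the way yields a factor via gcd."""
    k = 2 * abs(m)
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    while True:
        a = rng.randrange(2, n - 1)
        if gcd(a, n) > 1:          # lucky pick, already a factor
            return gcd(a, n)
        x = pow(a, t, n)
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                return gcd(x - 1, n)
            x = y
        # a^t was +-1 all the way (happens with probability about 1/2); retry

def recovered_d1(d2):
    """What a multiplicative split lets the cosigner do: factor N from the
    known multiple of lambda, rebuild lambda, and invert e1 to get d1."""
    p = factor_from_lambda_multiple(cosigner_known_multiple(d2), N)
    q = N // p
    lam = ((p - 1) // 2) * ((q - 1) // 2)
    return pow(E1, -1, lam)
```

With these constants the multiplicative split gives d2 = 86 and e·d2 − e1 = 253 = λ, after which `recovered_d1` returns d1 = 152; the additive split gives d2 = 17 and e·d2 − e1 = 46, which is not a multiple of λ, so the factoring step has nothing to work with (and `factor_from_lambda_multiple` must not be called on it, since its loop relies on the input being a multiple of λ).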