On a positive note, the authors of [PCSR03] informally introduced a connection between fair exchange and "sequential two-party multisignature schemes" (which we call two-signatures), but used an insecure two-signature scheme in their actual construction. Nonetheless, we show that this connection *can* be properly formalized to imply *provably secure* fair exchange protocols. By utilizing the state-of-the-art non-interactive two-signature of Boldyreva (PKC 2003), we obtain an efficient and provably secure (in the random oracle model) fair exchange protocol, which is based on GDH signatures of Boneh, Lynn and Shacham (Asiacrypt 2001).
Of independent interest, we introduce a unified model for non-interactive fair exchange protocols, which results in a new primitive we call *verifiably committed signatures*. Verifiably committed signatures generalize (non-interactive) verifiably encrypted signatures and two-signatures, both of which are sufficient for fair exchange.
Category / Keywords: cryptographic protocols / fair exchange, optimistic protocols, multi-signatures, verifiably encrypted signatures, contract signing, GDH signatures, committed signatures Publication Info: DRM 2003 Date: received 25 Jul 2003, last revised 2 Sep 2003 Contact author: dodis at cs nyu edu Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation Version: 20030903:013817 (All versions of this report) Short URL: ia.cr/2003/146 Discussion forum: Show discussion | Start new discussion