Private Contract Signatures
Private Contract Signatures are a cryptographic primitive which we need for the Secure Contract Signing Protocol.
They were introduced in Abuse-free optimistic contract signing by Garay, Jakobsson, MacKenzie (1999).
This page aims to give an outline of what they achieve, and how to implement them.
Specifications
$\textrm{SPCS}^T_S(m)$ denotes a Private Contract Signature by $P_i$ in $S$ on contract $m$ with Trusted Third Party $T$. The object is such that:
- It can be created by any of the $P_i$'s in $S$ and, in the eyes of an external party, faked by any other of the $P_j$'s in $S$;
- The creating $P_i$, or $T$, is able to convert it into $\textrm{SIG}^T_i(m)$, and other $P_j$'s can be convinced of this.
Some Cryptography
The following must be understood first. In particular, the description of PCS we give uses the notations introduced there.
- Outline of ElGamal, which covers the encryption and signature schemes.
- Outline of Sigma protocols, which are composable, interactive zero-knowledge proof schemes.
Standard scheme
A private contract signature $\textrm{PCS}_S(m,n)$ is
$\textrm{NI}\left(\bigvee_{i\in S}\left(\textrm{CCE}_T(i,n)\wedge\textrm{Schnorr}_i\right)\right)(m)$
Intuitively:
- It constitutes a proof that one of the $P_i$ has passed the Schnorr identification test on challenge $H(g_i^{s_i},m)$.
- This amounts to having signed $m$, just like in the Schnorr signature scheme.
- Except that we do not know, yet, which of the $P_i$ has signed.
- In order to convert this into a signature by $P_i$, one must prove that the cyphertext $n$ has content the integer $i$.
A private contract signature revealer $\textrm{RPCS}_i(n)$ is
$\textrm{NI}\left(\textrm{CCE}_T(i,n)\vee\textrm{CCD}_T(i,n)\right)(m)$
Intuitively:
- It constitutes a proof that the cyphertext $n$ has content the integer $i$.
- Either $P_i$ or $T$ can produce this.
A contract signature $\textrm{SIG}_i(m)$ is
$(\textrm{PCS}_S(m,n),\textrm{RPCS}_i(n))$
Intuitively:
- It constitutes a combined proof that $P_i$ has passed the Schnorr identification test on challenge $H(g_i^{s_i},m)$.
- This amounts to having signed $m$, just like in the Schnorr signature scheme.
Simplified scheme (Failed attempt)
An $\textrm{SPCS}^T_S(m)$ is
$\textrm{NI}\left(\bigvee_{i\in S}\textrm{CCE}_T\left(H(m),(\textrm{Pub}^{P_i},v)\right)\right)(g^s,H(g^s,m))$
with $s$ random. Intuitively:
- It constitutes a proof that $v=\{H(m)\}_{\textrm{Pub}^T}$ under ElGamal, with ephemeral key one of $\{\textrm{Priv}_{P_i}\}_{i\in S}$.
- In order to provide such a proof one needs to have the ephemeral key used.
- Thus, whoever has done it has admittedly signed $m$.
- But in order to know which of the $P_i$ has signed, one needs a proof of which of the private keys was used.
To unravel it means to convert $\textrm{SPCS}^T_S(m)$ into the final signature $\textrm{SIG}^T_{i\in S}(m)$:
$\textrm{NI}\left(\textrm{CCE}_T\left(H(m),(\textrm{Pub}^{P_i},v)\right)\vee\textrm{CCD}_T\left(H(m),(\textrm{Pub}^{P_i},v)\right)\right)(g^{s'},H(g^{s'},m))$
with $s'$ random. Intuitively:
- In order to accomplish the conversion one needs to either have $\textrm{Priv}_{P_i}$ used as ephemeral key, or to have $\textrm{Priv}_{T}$.
- It constitutes a proof that $v=\{H(m)\}_{\textrm{Pub}^T}$ under ElGamal with ephemeral key $\textrm{Priv}_{P_i}$, which amounts to $P_i$ signing $m$.
- No step discloses $\textrm{Priv}_{P_i}$.
This scheme is simpler than the original scheme. It has dangerous weaknesses, however:
- By requiring that $\textrm{Priv}_{P_i}$ be the ephemeral key for ElGamal encryption, we are imposing that the pairs $(\textrm{Priv}_{P_i},\textrm{Pub}^{P_i})$ and $(\textrm{Priv}_{T},\textrm{Pub}^{T})$ are based on the same Diffie-Hellman group. Altogether, this would mean that all pairs get generated with respect to the same group. This is non-traditional, and may weaken security. Nevertheless, notice that precise, fixed groups have been recommended for use, for instance in RFC 5114.
- The same ephemeral key $\textrm{Priv}_{P_i}$ is reused over and over, which means that the cyphertext is always $H(m)g^{\textrm{Priv}_{P_i}\textrm{Priv}_{T}}$, but since $H(m)$ is known, so is $g^{\textrm{Priv}_{P_i}\textrm{Priv}_{T}}$, and so the next time $P_i$ is immediately identified as the creator of the SPCS.
- Worse even, $P_i$'s signature, once it has been used once, can then be forged, since signing amounts to multiplying by $g^{\textrm{Priv}_{P_i}\textrm{Priv}_{T}}$ in this scheme.
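
The last two weaknesses above, as an added example (not code from the original page or from the Garay, Jakobsson, MacKenzie paper): a toy Python model of the simplified scheme's cyphertext $v$, showing that one observed pair $(m, v)$ yields the mask $g^{\textrm{Priv}_{P_i}\textrm{Priv}_{T}}$, which then both identifies $P_i$ and reproduces its cyphertext on any other contract. The group parameters, key values, hash-to-group encoding and all function names are assumptions constructed for illustration.

```python
import hashlib

# Toy group, constructed for illustration only (far too small for real use):
# P = 2*Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def H(m: bytes) -> int:
    """Hash a contract to a group element (assumed encoding, not from the page)."""
    return pow(G, int.from_bytes(hashlib.sha256(m).digest(), "big") % Q, P)

def simplified_v(m: bytes, priv_pi: int, pub_t: int) -> int:
    """v = H(m) * (Pub^T)^Priv_Pi: ElGamal with the long-term key as ephemeral key."""
    return H(m) * pow(pub_t, priv_pi, P) % P

def recover_mask(m: bytes, v: int) -> int:
    """Divide the public H(m) out of v; what is left is g^(Priv_Pi * Priv_T)."""
    return v * pow(H(m), -1, P) % P

def same_creator(m: bytes, v: int, known_mask: int) -> bool:
    """Link a new SPCS cyphertext to a signer whose mask was seen before."""
    return recover_mask(m, v) == known_mask

def forge_v(m_new: bytes, known_mask: int) -> int:
    """Rebuild the signer's cyphertext for another contract without any key."""
    return H(m_new) * known_mask % P

if __name__ == "__main__":
    priv_t, priv_p1, priv_p2 = 789, 123, 456   # constructed sample keys
    pub_t = pow(G, priv_t, P)
    # One observed (m, v) pair from P1 is enough to learn P1's mask.
    seen = recover_mask(b"contract A", simplified_v(b"contract A", priv_p1, pub_t))
    v_b1 = simplified_v(b"contract B", priv_p1, pub_t)
    v_b2 = simplified_v(b"contract B", priv_p2, pub_t)
    print("P1 linked:", same_creator(b"contract B", v_b1, seen))
    print("P2 linked:", same_creator(b"contract B", v_b2, seen))
    print("forgery matches:", forge_v(b"contract C", seen)
          == simplified_v(b"contract C", priv_p1, pub_t))
```

Neither `recover_mask` nor `forge_v` takes a private key as input, which is why the standard scheme above does not tie the signer's long-term key to the ElGamal ephemeral key.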