
With Non-connected Fair Multi-party Concurrent Signature Scheme

Posted on: 2011-06-22
Degree: Master
Type: Thesis
Country: China
Candidate: X Tan
Full Text: PDF
GTID: 2208360305492568
Subject: Computer software and theory

Abstract/Summary:
As a special variant of fair exchange protocols for digital signatures, the concurrent signature scheme has been extensively researched since it was first proposed by Chen et al. at Eurocrypt 2004. Executing this class of protocols ensures that either all users simultaneously obtain the digital signatures of the others, or none of them obtains anything, which guarantees the atomicity of the exchange. Compared with traditional fair exchange protocols for digital signatures, a concurrent signature scheme does not depend on any trusted third party, does not need to assume that the users have comparable computing power, has lower computation cost and enjoys higher communication efficiency. Until now, research on concurrent signatures has focused almost entirely on the two-party case, while the multi-party concurrent signature scheme has not been completely established, and some issues involving fairness and security still await better solutions.

The main work of this paper includes:

(1) We present a better solution to the balance of control over keystones and to the fairness problem. In a concurrent signature scheme, each user needs to generate an ambiguous signature corresponding to an extra secret called the keystone; after the keystone is released, all the ambiguous signatures bind to their original signers concurrently. However, in the traditional initial-matcher model, the keystone is generated and published by the initial user of the session, while the matcher has no power to control the keystone. We modified the traditional model so that the keystones are generated with the cooperation of all the users, which gives each user equal control over the keystones. To address the fairness issue that exists in Tonien et al.'s multi-party concurrent signature scheme, we ensure that the concurrent signature can only be verified after all the keystones have been released, which eliminates the possibility that the ambiguous signatures do not bind concurrently.

(2) For the first time, we construct an unlinkable multi-party concurrent signature scheme. All the known multi-party concurrent signatures contain information about the keystones, which increases the computation cost of the verification phase and reveals the traces of users in the session. Unlinkability converts the concurrent signatures into ordinary signatures without any information about the keystones, so that the signatures of each user can be verified independently, providing better privacy and anonymity for the signers.

(3) For the first time, we prove security in the standard model. The security of all the known concurrent signatures is proved in the random oracle model; however, as an ideal model, the random oracle has to be replaced in real applications by some cryptographic component (especially a collision-resistant hash function) with similar functionality. The security proof in the standard model ensures that the security of the protocol in real applications meets higher security requirements.
Keywords/Search Tags: concurrent signature scheme, keystone, fairness, unlinkability, standard model