Our Protocol. The main idea of our protocol is to generate own (private, public) key pair using both sets of bases. Then each user matches them with the opposite parameters of the other user and computes two common values, which are then combined in a commutative manner.
1. Randomly select nA ∈ Z4eA and nB ∈ Z4eB .
2. Compute K = P + [n ]Q . B
3. Compute KB = PB + [nB]QB.
Our Protocol. The main idea of our protocol is to generate own (private, public) key pair using both sets of bases. Then each user matches them with the opposite parameters of the other user and computes two common values, which are then combined in a commutative manner. ∈ ∈` `
1. Randomly select nA Z eA and nB Z eB .
2. Compute KA = PA + [nA]AQA. B
3. Compute KB = PB + [nB]QB.
4. Obtain EA using the kernel KA for the isogeny φA : E EA = E/ KA .
5. Obtain EB using the kernel KB for the isogeny φB : E EB = E/ KB .
6. Compute the images of the values PB and QB under φA, namely φA(PB) and φA(QB).
7. Compute the images of the values PA and QA under φB, namely φB(PA) and φB(QA). { } { } The private key is: nA, nB . The public key is: EA, EB, φA(PB), φA(QB), φB(PA), φB(QA) . The party either sends or publishes eathe public key. In practice, since we are in concentrating on the ephemeral version, we work in the context of sending public key.
Our Protocol. In this section, we use the proposed VECS to present an efficient abuse-free contract signing protocol. We first give some notations. Let H be a key expo- sure free chameleon hash function. Denote by Xxx(SKX, M ) the signature on message M with the secret key SKX of the party X ∈ {A, B, T }; Denote by OB(E, σA, PKT ) a verifiable encryption of A’s signature σA under T ’s public key PKT . Our abuse-free contract signing protocol has three sub-protocols: Ex- change, Abort, and Resolve. In the normal case, only the exchange protocol is executed. Suppose A and B have agreed on a message M = (m, rA, rB), where m is a common contract and (rA, rB) are two random integers. We do not describe this agreement in details here and it may require a number of rounds of com- munication between A and B through an authenticated channel. Moreover, this agreement should not achieve the non-repudiation property, i.e., neither party should generate any non-repudiation token on the agreed message. Exchange Protocol
1. A computes the chameleon hash value hA = H(m, rA, PKB) and the signa- ture σ∗ = Sig(SKA, hA||T ), where || denotes concatenation. A then com- ∗ putes the ciphertext C = OB(E, σA, PKT ) and sends it to B.
2. If C is invalid, B quits. Otherwise, B computes the signature σB= Sig(SKB, hB) on the chameleon hash value hB = H(m, rB, PKA) and then sends σB to A.
3. If σB is invalid, A runs the Abort protocol. Otherwise, A computes the signature σA = Sig(XXX, hA) and sends it to B. If σA is not valid, B runs the Resolve protocol. Abort Protocol
1. A computes the signature Sig(SKA, abort||C) on message “abort||C” and then sends (C, Sig(SKA, abort||C)) to T . If the signature is valid and B has not resolved, T issues an abort-token AT = Sig(SKT , Sig(SKA, abort||C)) to A and stores it. The abort token is not a proof that the exchange has been aborted, but a guarantee by T that it has not and will not execute the Resolve protocol.
2. If B has resolved, T sends A the stored value σˆB in the Resolve protocol. Resolve Protocol
1. B firstly sends T the triple (C, hA, σˆB), where σˆB = Sig(SKB, resolve||A||hA) denotes the resolved signature of B. Generally, it is no difference with an or- dinary signature Sig(SKB, resolve||A||hA) of B on message “resolve||A||hA”. Additionally, it also denotes Sig(SKB, m) on condition that only A can pro- vide a pair (m, rA) which satisfies hA = H(m, rA, PKB).
2. If A has aborted, T then sends the abort-token AT to B. Else, if C is a valid T -verifi...
Our Protocol. Before going into details in subsequent sections, we present here a high-level overview of our protocol. We start with an authentication sub-protocol Auth presented in [RW03] that achieves the following: using the secret w that is common to Xxxxx and Xxx, it allows Xxxxx to send to Bob an authentic (but nonse- cret) message M of length λM bit-by-bit in 2λM messages. Xxxxx and Xxx [RW03] can use this sub-protocol in order to agree on a key k as follows: they use Auth to get an extractor seed s from Xxxxx to Bob, and then extract k from w using s.1 We modify this protocol by using Auth to authenticate a MAC key instead of an extractor seed. The MAC key, in turn, is used to authenticate the extrac- tor seed s (which can be done very efficiently using simple information-theoretic MACs). This seems counterintuitive, because Xxxx reveals what is being authen- ticated, while MAC keys need to remain secret. The insight is to use the MAC key before Auth begins.2 Our modification is beneficial for three reasons. First, MAC keys can be made shorter than extractor keys, so Auth is used on a shorter string, thus reducing the number of rounds and the entropy loss. Second, this modification allows us to use the same MAC key to authenticate not only the extractor seed s, but also the error-correction information (the so-called “secure sketch” of w [DORS08]) in the case Bob’s w′ is different from Xxxxx’s w. Third, because there are MACs that are secure even against (limited) key modifica- tion [DKRS06, CDF+08], we can lower the security parameters in Auth, further increasing efficiency and reducing entropy loss. The rest of the paper is devoted to filling in the details of the above overview, including smaller improvements not discussed here, and proving the following theorem.
