# A Generic Framework for Accountable Optimistic Fair Exchange Protocol


## Abstract


## 1. Introduction

#### 1.1. Motivation

#### 1.2. Contribution

#### 1.3. Organisation of the Paper

## 2. Definitions and Security Models of Accountable Optimistic Fair Exchange Protocol

#### 2.1. Accountable OFE Protocol

- $\mathit{PMGen}$: On input a security parameter ${1}^{k}$, it outputs a public parameter $PM$.
- ${\mathit{Setup}}^{\mathit{A}}$: On input $PM$, it generates an arbitrator’s public and private key pair ($APK,ASK$).
- ${\mathit{Setup}}^{\mathit{U}}$: On input $PM$, it generates a user’s public and private key pair ($UP{K}_{i},US{K}_{i}$).
- $\mathit{PSign}$: On input a message $m$ and ($US{K}_{i},APK$), it generates a partial signature ${\sigma}_{p}$.
- $\mathit{PVer}$: On input ($m,{\sigma}_{p},UP{K}_{i},APK$), it validates ($m,{\sigma}_{p}$) and outputs $\text{“}1\text{”}$ if ${\sigma}_{p}$ is valid on $UP{K}_{i}$ or $\text{“}0\text{”}$ otherwise.
- $\mathit{Sign}$: On input ($m,{\sigma}_{p},US{K}_{i},APK$), it generates a full signature $\sigma $.
- $\mathit{Ver}$: On input ($m,\sigma ,UP{K}_{i},APK$), it validates ($m,\sigma $) under ($UP{K}_{i},APK$) and outputs $\text{“}1\text{”}$ if $\sigma $ is valid or $\text{“}0\text{”}$ otherwise.
- $\mathit{Res}$: On input ($m,{\sigma}_{p},ASK,UP{K}_{i}$), it resolves ${\sigma}_{p}$ by first checking its validity. If ${\sigma}_{p}$ is valid on $UP{K}_{i}$, it generates a full signature $\sigma $; otherwise, it outputs $\text{“}\perp \text{”}$.
- ${\mathit{Prove}}^{\mathit{A}}$: On input ($m,\sigma ,UP{K}_{i},APK,ASK$), it generates an arbitrator proof ${\pi}^{A}$ that can claim or deny whether $\sigma $ was generated by using $APK$.
- ${\mathit{Prove}}^{\mathit{U}}$: On input ($m,\sigma ,UP{K}_{i},APK,US{K}_{i}$), it generates a user proof ${\pi}^{U}$ that can claim or deny whether $\sigma $ was generated by using $UP{K}_{i}$.
- $\mathit{Open}$: On input ($m,\sigma ,UP{K}_{i},APK,\pi $), it first validates $(m,\sigma )$ under $(UP{K}_{i},APK)$. It then outputs $\text{“}UP{K}_{i}\text{”}$ if $\pi $ can prove $\sigma $ is generated by the algorithm $\mathit{Sign}$ or $\text{“}APK\text{”}$ if $\sigma $ is generated by the algorithm $\mathit{Res}$. Otherwise, it outputs $\text{“}\perp \text{”}$, which indicates that $\pi $ is invalid and it cannot be opened.

#### 2.2. Accessible Oracles

- Partial Sign Oracle ${\mathcal{O}}_{PSign}$: On input $(m,UP{K}_{i})$, it runs $\mathit{PSign}(m,US{K}_{i},APK)\to {\sigma}_{p}$ and returns ${\sigma}_{p}$ as a partial signature.
- Full Sign Oracle ${\mathcal{O}}_{Sign}$: On input $(m,{\sigma}_{p},UP{K}_{i})$, it runs $\mathit{Sign}(m,{\sigma}_{p},US{K}_{i},APK)\to \sigma $ and returns $\sigma $ as a full signature.
- Resolution Oracle ${\mathcal{O}}_{Res}$: On input $(m,{\sigma}_{p},UP{K}_{i})$, it runs $\mathit{Res}(m,{\sigma}_{p},ASK,UP{K}_{i})\to \sigma $ and returns $\sigma $ as a resolved signature.
- Arbitrator Prove Oracle ${\mathcal{O}}_{Prov{e}^{A}}$: On input $(m,\sigma )$ under $(UP{K}_{i},APK)$, it runs ${\mathit{Prove}}^{\mathit{A}}(m,\sigma ,UP{K}_{i},APK,ASK)\to {\pi}^{A}$ and returns ${\pi}^{A}$ as an arbitrator proof.
- User Prove Oracle ${\mathcal{O}}_{Prov{e}^{U}}$: On input $(m,\sigma )$ under $(UP{K}_{i},APK)$, it runs ${\mathit{Prove}}^{\mathit{U}}(m,\sigma ,UP{K}_{i},APK,US{K}_{i})\to {\pi}^{U}$ and returns ${\pi}^{U}$ as a user proof.

#### 2.3. Security Properties

#### 2.3.1. Resolution Ambiguity

- **Phase 1**: $\mathcal{C}$ runs $\mathit{PMGen}({1}^{k})\to PM$ and ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$. $\mathcal{C}$ then passes $APK$ to $\mathcal{A}$.
- **Phase 2**: $\mathcal{A}$ can make queries to all oracles defined in Section 2.2. At the end, $\mathcal{A}$ outputs a challenge message and partial signature pair $(\widehat{m},{\widehat{\sigma}}_{p})$ with the restriction that $\mathit{PVer}(\widehat{m},{\widehat{\sigma}}_{p},UP{K}_{i},APK)=1$.
- **Phase 3**: $\mathcal{C}$ picks a random bit $b\in \{0,1\}$ and generates a challenge signature $\widehat{\sigma}$. If $b=0$, $\widehat{\sigma}=\mathit{Sign}(\widehat{m},{\widehat{\sigma}}_{p},US{K}_{i},APK)$. Otherwise, $\widehat{\sigma}=\mathit{Res}(\widehat{m},{\widehat{\sigma}}_{p},ASK,UP{K}_{i})$.
- **Phase 4**: Once $\mathcal{A}$ receives $\widehat{\sigma}$, $\mathcal{A}$ can still continue to make queries to all oracles with the restriction that $(\widehat{m},\widehat{\sigma})$ has never been queried to ${\mathcal{O}}_{Prov{e}^{A}}$ or ${\mathcal{O}}_{Prov{e}^{U}}$. At the end, $\mathcal{A}$ outputs the guess ${b}^{\prime}$. $\mathcal{A}$ wins the game if ${b}^{\prime}=b$.

**Definition 1.**

#### 2.3.2. Accountability

**Type I**: It is impossible for a dishonest signer to produce a full signature $\sigma $ that can be proven as an output of the algorithm $\mathit{Res}$.

- **Phase 1**: $\mathcal{C}$ runs $\mathit{PMGen}({1}^{k})\to PM$ and ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$. $\mathcal{C}$ then passes $APK$ to $\mathcal{A}$.
- **Phase 2**: $\mathcal{A}$ can make queries to all oracles defined in Section 2.2. At the end, $\mathcal{A}$ chooses a challenge user’s public key $\widehat{UPK}$ and passes it to $\mathcal{C}$.
- **Phase 3**: $\mathcal{A}$ continues to make queries to ${\mathcal{O}}_{Res}$ and ${\mathcal{O}}_{Prov{e}^{A}}$ only as $\mathcal{C}$ does not know $\widehat{USK}$.
- **Phase 4**: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma})$ that is valid on $(\widehat{UPK},APK)$ and a proof $\widehat{\pi}$ with the restriction that $\widehat{\sigma}$ is not generated from ${\mathcal{O}}_{Res}$. $\mathcal{A}$ wins the game if $\mathit{Open}(\widehat{m},\widehat{\sigma},\widehat{UPK},APK,\widehat{\pi})=\text{“}APK\text{”}$.

**Definition 2.** An OFE protocol is $(t,{q}_{PSign},{q}_{Sign},{q}_{Res},{q}_{Prov{e}^{A}},{q}_{Prov{e}^{U}},\epsilon )$-type I accountable if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most ${q}_{PSign}$ queries to ${\mathcal{O}}_{PSign}$, ${q}_{Sign}$ queries to ${\mathcal{O}}_{Sign}$, ${q}_{Res}$ queries to ${\mathcal{O}}_{Res}$, ${q}_{Prov{e}^{A}}$ queries to ${\mathcal{O}}_{Prov{e}^{A}}$, and ${q}_{Prov{e}^{U}}$ queries to ${\mathcal{O}}_{Prov{e}^{U}}$ in time t.

**Type II**: It is impossible for a dishonest arbitrator to resolve a full signature $\sigma $ that can be proven as an output of the algorithm $\mathit{Sign}$.

- **Phase 1**: $\mathcal{A}$ chooses a challenge arbitrator’s public key $\widehat{APK}$ and passes it to $\mathcal{C}$.
- **Phase 2**: $\mathcal{A}$ can make queries to all oracles defined in Section 2.2 except ${\mathcal{O}}_{Res}$ and ${\mathcal{O}}_{Prov{e}^{A}}$, because $\mathcal{C}$ does not know $\widehat{ASK}$.
- **Phase 3**: $\mathcal{A}$ outputs a valid $(\widehat{m},\widehat{\sigma})$ on $(UP{K}_{i},\widehat{APK})$ and a proof $\widehat{\pi}$ with the restriction that $\widehat{\sigma}$ is not generated from ${\mathcal{O}}_{Sign}$. $\mathcal{A}$ wins the game if and only if $\mathit{Open}(\widehat{m},\widehat{\sigma},UP{K}_{i},\widehat{APK},\widehat{\pi})=\text{“}UP{K}_{i}\text{”}$.

**Definition 3.** An OFE protocol is $(t,{q}_{PSign},{q}_{Sign},{q}_{Prov{e}^{U}},\epsilon )$-type II accountable if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most ${q}_{PSign}$ queries to ${\mathcal{O}}_{PSign}$, ${q}_{Sign}$ queries to ${\mathcal{O}}_{Sign}$, and ${q}_{Prov{e}^{U}}$ queries to ${\mathcal{O}}_{Prov{e}^{U}}$ in time t.

**Type III**: It is impossible for the signer and the arbitrator to both claim or deny a valid full signature $\sigma $.

- **Phase 1**: $\mathcal{C}$ runs $\mathit{PMGen}({1}^{k})\to PM$. $\mathcal{A}$ is then given $PM$ to run both ${\mathit{Setup}}^{\mathit{U}}(PM)\to (\widehat{UPK},\widehat{USK})$ and ${\mathit{Setup}}^{\mathit{A}}(PM)\to (\widehat{APK},\widehat{ASK})$.
- **Phase 2**: $\mathcal{A}$ outputs a valid $(\widehat{m},\widehat{\sigma})$ on $(\widehat{UPK},\widehat{APK})$ and two proofs $({\widehat{\pi}}^{U},{\widehat{\pi}}^{A})$. $\mathcal{A}$ wins the game if and only if either one of the following statements holds:
  - $\widehat{\sigma}$ is claimed by both the signer and the arbitrator, such that $\mathit{Open}(\widehat{m},\widehat{\sigma},\widehat{UPK},\widehat{APK},{\widehat{\pi}}^{U})\to \widehat{UPK}\wedge \mathit{Open}(\widehat{m},\widehat{\sigma},\widehat{UPK},\widehat{APK},{\widehat{\pi}}^{A})\to \widehat{APK}$
  - $\widehat{\sigma}$ is denied by both the signer and the arbitrator, such that $\mathit{Open}(\widehat{m},\widehat{\sigma},\widehat{UPK},\widehat{APK},{\widehat{\pi}}^{U})\to \widehat{APK}\wedge \mathit{Open}(\widehat{m},\widehat{\sigma},\widehat{UPK},\widehat{APK},{\widehat{\pi}}^{A})\to \widehat{UPK}$

**Definition 4.** An OFE is $(t,\epsilon )$-type III accountable if no PPT $\mathcal{A}$ can have success probability more than ε in its game in time t.

#### 2.3.3. Security against Signers

- **Phase 1**: $\mathcal{C}$ runs ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$ and passes $APK$ to $\mathcal{A}$.
- **Phase 2**: $\mathcal{A}$ can make queries to ${\mathcal{O}}_{Res}$.
- **Phase 3**: $\mathcal{A}$ outputs a challenge message and partial signature pair $(\widehat{m},{\widehat{\sigma}}_{p})$ on $UP{K}_{i}$. $\mathcal{A}$ wins the game if $\mathit{PVer}(\widehat{m},{\widehat{\sigma}}_{p},\widehat{UPK},APK)=1\wedge \mathit{Ver}(\widehat{m},\mathit{Res}(\widehat{m},{\widehat{\sigma}}_{p},ASK,\widehat{UPK}),\widehat{UPK},APK)=0$.

**Definition 5.**

#### 2.3.4. Security against Verifiers

- **Phase 1**: $\mathcal{C}$ first runs $\mathit{PMGen}({1}^{k})\to PM$ and both ${\mathit{Setup}}^{\mathit{U}}(PM)\to (UP{K}_{i},US{K}_{i})$ and ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$. $\mathcal{A}$ is then given $(UP{K}_{i},APK)$.
- **Phase 2**: $\mathcal{A}$ can make queries to ${\mathcal{O}}_{PSign}$, ${\mathcal{O}}_{Sign}$, and ${\mathcal{O}}_{Res}$.
- **Phase 3**: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma})$ on $(UP{K}_{i},APK)$ with the restriction that $\widehat{\sigma}$ is not generated from ${\mathcal{O}}_{Sign}$ or ${\mathcal{O}}_{Res}$. $\mathcal{A}$ wins the game if $\mathit{Ver}(\widehat{m},\widehat{\sigma},UP{K}_{i},APK)=1$.

**Definition 6.**

#### 2.3.5. Security against Arbitrator

- **Phase 1**: $\mathcal{C}$ runs $\mathit{PMGen}({1}^{k})\to PM$ and passes $PM$ to $\mathcal{A}$.
- **Phase 2**: $\mathcal{A}$ runs ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$ and sends $APK$ to $\mathcal{C}$.
- **Phase 3**: $\mathcal{A}$ can make queries to ${\mathcal{O}}_{PSign}$.
- **Phase 4**: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma})$ on $(UP{K}_{i},APK)$ with the restriction that $(\widehat{m},UP{K}_{i})$ has not been a query to ${\mathcal{O}}_{PSign}$. $\mathcal{A}$ wins the game if $\mathit{Ver}(\widehat{m},\widehat{\sigma},UP{K}_{i},APK)=1$.

**Definition 7.**

#### 2.3.6. Security in the Multi-User Setting and Chosen-Key Model

**Definition 8.**

## 3. Preliminaries

#### 3.1. Bilinear Pairings

- Bilinearity: for all ${g}_{1}\in {\mathbb{G}}_{1}$, ${g}_{2}\in {\mathbb{G}}_{2}$, and $(a,b)\in {\mathbb{Z}}_{p}$, we have $\widehat{e}({g}_{1}^{a},{g}_{2}^{b})=\widehat{e}{({g}_{1},{g}_{2})}^{ab}$.
- Non-degeneracy: if ${g}_{1}$ and ${g}_{2}$ are generators of ${\mathbb{G}}_{1}$ and ${\mathbb{G}}_{2}$ respectively, then $\widehat{e}({g}_{1},{g}_{2})$ is a generator of ${\mathbb{G}}_{T}$, which also implies $\widehat{e}({g}_{1},{g}_{2})\ne 1$.
- Computability: there exists an efficient algorithm to compute $\widehat{e}({g}_{1},{g}_{2})$ for all ${g}_{1}\in {\mathbb{G}}_{1}$ and ${g}_{2}\in {\mathbb{G}}_{2}$.

#### 3.2. Ordinary Signature Scheme

- $\mathit{KeyGen}$: On input security parameter ${1}^{k}$, it outputs a public and private key pair $(pk,sk)$.
- $\mathit{Sign}$: On input a message and private key $(m,sk)$, it outputs an ordinary signature ${\sigma}^{os}$.
- $\mathit{Verify}$: On input $(m,{\sigma}^{os},pk)$, it outputs $\text{“}1\text{”}$ if ${\sigma}^{os}$ is valid and outputs $\text{“}0\text{”}$ otherwise.

**Correctness**. Every correctly generated ordinary signature is always accepted as a valid signature, such that $\mathit{Verify}(m,Sign(m,sk),pk)\to \text{“}1\text{”}$.

#### Unforgeability

- **Setup**: $\mathcal{C}$ runs $\mathit{KeyGen}({1}^{k})\to (pk,sk)$, then $\mathcal{A}$ is given $pk$.
- **Queries**: $\mathcal{A}$ can query the Sign Oracle ${\mathcal{O}}_{S}$: On input a message m, it outputs a signature ${\sigma}^{os}$ that is valid on $pk$.
- **Output**: At the end, $\mathcal{A}$ is required to output a challenge message and signature pair $(\widehat{m},{\widehat{\sigma}}^{os})$ that is valid on $pk$, with the restriction that $\widehat{m}$ has not been a query to ${\mathcal{O}}_{S}$ before.

**Definition 9.**

#### 3.3. Convertible Undeniable Signature

- $\mathit{KeyGen}$: On input a security parameter, ${1}^{k}$, outputs a signer public and private key pair ($pk,sk$).
- $\mathit{Sign}$: On input a message and a signer private key, $(m,sk)$, outputs an undeniable signature ${\sigma}^{us}$.
- $\mathit{Confirmation}/\mathit{Disavowal}\phantom{\rule{0.166667em}{0ex}}\mathit{Protocol}$: An interactive protocol that runs between the signer and the verifier on common input $(pk,m,{\sigma}^{us})$. The signer uses $sk$ to check the validity of ${\sigma}^{us}$; the output is a non-transferable proof $(\text{“}Accept\text{”}/\text{“}Deny\text{”})$ that shows ${\sigma}^{us}$ is valid/invalid on $(m,pk)$.
- $\mathit{SConvert}$: On input $(sk,m,{\sigma}^{us})$, it computes a selective token ${\pi}^{S}$ which can be used to publicly verify $(m,{\sigma}^{us})$ on $pk$.
- $\mathit{SVerify}$: On input $(pk,m,{\sigma}^{us},{\pi}^{S})$, it outputs $\text{“}\perp \text{”}$ if ${\pi}^{S}$ is an invalid token on $pk$. It outputs $\text{“}1\text{”}$ if $(m,{\sigma}^{us},pk)$ is a valid signature and outputs $\text{“}0\text{”}$ otherwise.

**Completeness and Soundness**. **Completeness** can be defined as a valid (invalid) signature that can always be proven valid (invalid) and **Soundness** can be defined as a valid (invalid) signature that cannot be proven as invalid (valid). The following two cases describe their definitions:

- If ${\sigma}^{us}$ is valid on $pk$, then
  - $\mathit{Confirmation}/\mathit{Disavowal}\phantom{\rule{0.166667em}{0ex}}\mathit{Protocol}(m,{\sigma}^{us},pk,sk)\to \text{“}Accept\text{”}$
  - $\mathit{SVerify}(m,{\sigma}^{us},pk,\mathit{SConvert}(m,{\sigma}^{us},sk))\to \text{“}1\text{”}$
  - $\mathit{UVerify}(m,{\sigma}^{us},pk,\mathit{UConvert}(sk))\to \text{“}1\text{”}$
- Or else, if ${\sigma}^{us}$ is invalid on $pk$, then
  - $\mathit{Confirmation}/\mathit{Disavowal}\phantom{\rule{0.166667em}{0ex}}\mathit{Protocol}(m,{\sigma}^{us},pk,sk)\to \text{“}Deny\text{”}$
  - $\mathit{SVerify}(m,{\sigma}^{us},pk,\mathit{SConvert}(m,{\sigma}^{us},sk))\to \text{“}0\text{”}$
  - $\mathit{UVerify}(m,{\sigma}^{us},pk,\mathit{UConvert}(sk))\to \text{“}0\text{”}$

#### 3.3.1. Unforgeability

- **Setup**: $\mathcal{C}$ runs $\mathit{KeyGen}({1}^{k})\to (pk,sk)$, then $\mathcal{A}$ is given $pk$.
- **Queries**: $\mathcal{A}$ is allowed to make queries to the following oracles:
  - Sign Oracle ${\mathcal{O}}_{S}$: On input a message m, it outputs an undeniable signature ${\sigma}^{us}$ that is valid on $pk$.
  - Confirmation/Disavowal Oracle ${\mathcal{O}}_{CD}$: On input any message and signature pair $(m,{\sigma}^{us})$, it runs the protocol with $\mathcal{A}$ and outputs a non-transferable proof to show the validity of ${\sigma}^{us}$.
  - (For convertible schemes only) SConvert Oracle ${\mathcal{O}}_{SC}$: On input a message and signature pair $(m,{\sigma}^{us})$, it outputs a selective token ${\pi}^{S}$.
- **Output**: At the end, $\mathcal{A}$ is required to output a challenge message and undeniable signature pair $(\widehat{m},{\widehat{\sigma}}^{us})$, with the restriction that $\widehat{m}$ has not been a query to ${\mathcal{O}}_{S}$. If the scheme is convertible, $pk$ must not have been queried to ${\mathcal{O}}_{UC}$. $\mathcal{A}$ wins the game if $(\widehat{m},{\widehat{\sigma}}^{us})$ is valid on $pk$.

**Definition 10.**

#### 3.3.2. Anonymity

- **Setup**: $\mathcal{C}$ first runs $\mathit{KeyGen}({1}^{k})\to (s{k}_{0},p{k}_{0})$ and $\mathit{KeyGen}({1}^{k})\to (s{k}_{1},p{k}_{1})$ and sends $(p{k}_{0},p{k}_{1})$ to $\mathcal{A}$.
- **Queries I**: Same as in Section 3.3.1.
- **Output I**: At some point, $\mathcal{A}$ outputs a challenge message $\widehat{m}$ to request a challenge signature ${\widehat{\sigma}}^{us}$. If the scheme is deterministic, $\widehat{m}$ must not have been submitted to ${\mathcal{O}}_{S}$ during **Queries I**. $\mathcal{C}$ responds by randomly choosing $b\in \{0,1\}$ and generates a challenge signature ${\widehat{\sigma}}^{us}={\mathit{Sign}}_{s{k}_{b}}(\widehat{m})$ that is valid on either $p{k}_{0}$ or $p{k}_{1}$.
- **Queries II**: Once $\mathcal{A}$ obtains ${\widehat{\sigma}}^{us}$, $\mathcal{A}$ can continue making queries to the accessible oracles as in **Queries I**. If the scheme is deterministic, $\widehat{m}$ may not be submitted to ${\mathcal{O}}_{S}$. An additional restriction is that no $(\widehat{m},\cdot )$ in the equivalence class of $(\widehat{m},{\widehat{\sigma}}^{us})$ may be submitted to ${\mathcal{O}}_{CD}$ (or to ${\mathcal{O}}_{SC}$ if the scheme is convertible).
- **Output II**: $\mathcal{A}$ outputs a guess ${b}^{\prime}$ and wins the game if ${b}^{\prime}=b$.

**Definition 11.**

#### 3.4. Ring Signature

- $\mathit{KeyGen}$: On input ${1}^{k}$, it outputs a public and private key pair $(pk,sk)$.
- $\mathit{Sign}$: On input a message, a private key, and a list of public keys $(m,sk,P{K}_{L})$ where $P{K}_{L}=(p{k}_{1},\dots ,p{k}_{n})$ with n members, it outputs a ring signature ${\sigma}^{rs}$.
- $\mathit{Verify}$: On input $(m,{\sigma}^{rs},P{K}_{L})$, it outputs $\text{“}1\text{”}$ if ${\sigma}^{rs}$ is valid and outputs $\text{“}0\text{”}$ otherwise.

**Correctness**. Every correctly generated ring signature is always accepted, that is, $\mathit{Verify}(m,\mathit{Sign}(m,sk,P{K}_{L}),P{K}_{L})=\text{“}1\text{”}$.

#### 3.4.1. Unforgeability

- **Setup**: $\mathcal{C}$ runs $KeyGen({1}^{k})$ n times to generate n public and private key pairs $((p{k}_{i},s{k}_{i}),\dots ,(p{k}_{n},s{k}_{n}))$, where n is the number of members. $\mathcal{A}$ is given $P{K}_{L}=(p{k}_{i},\dots ,p{k}_{n})$.
- **Queries**: $\mathcal{A}$ can query the Sign Oracle ${\mathcal{O}}_{Sign}$: On input $(m,P{K}_{L}^{*},e)$, where $P{K}_{L}^{*}\in P{K}_{L}$ is a sub list of members within $P{K}_{L}$ and e is a selected member, it runs $\mathit{Sign}(m,s{k}_{e},P{K}_{L}^{*})$ to produce a ring signature ${\sigma}^{rs}$ and returns it to $\mathcal{A}$.
- **Output**: At the end, $\mathcal{A}$ is required to output a challenge message and ring signature pair $(\widehat{m},{\widehat{\sigma}}^{rs})$ on a challenge sub list of members ${\widehat{PK}}_{L}$ with the restriction that $\widehat{m}$ has not been a query to ${\mathcal{O}}_{Sign}$ before. $\mathcal{A}$ wins the game if $\mathit{Verify}(\widehat{m},{\widehat{\sigma}}^{rs},{\widehat{PK}}_{L})=\text{“}1\text{”}$.

**Definition 12.**

#### 3.4.2. Anonymity

- **Setup**: Same as in Section 3.4.1.
- **Queries**: Same as in Section 3.4.1.
- **Output**: At the end, $\mathcal{A}$ is required to output a challenge message and a sub list of members $(\widehat{m},{\widehat{PK}}_{L})$ and two distinct indices $({e}_{0},{e}_{1})\in \{1,\dots ,n\}$ such that $(p{k}_{{e}_{0}},p{k}_{{e}_{1}})\in {\widehat{PK}}_{L}$. $\mathcal{C}$ then chooses $b\in \{0,1\}$ randomly and computes a challenge ring signature ${\widehat{\sigma}}^{rs}=\mathit{Sign}(\widehat{m},s{k}_{{e}_{b}},{\widehat{PK}}_{L})$. $\mathcal{A}$ is given ${\widehat{\sigma}}^{rs}$ and is required to output a guess ${b}^{\prime}$. $\mathcal{A}$ wins the game if ${b}^{\prime}=b$.

**Definition 13.**

## 4. Generic Transformation

#### 4.1. Generic Framework

- $\mathit{PMGen}$: On input the security parameter ${1}^{k}$, it generates the public parameters $PM$ needed for the ordinary signature, convertible undeniable signature, and ring signature scheme.
- ${\mathit{Setup}}^{\mathit{A}}$: On input $PM$, it runs $\mathrm{CUS}.\mathit{KeyGen}({1}^{k})\to (ap{k}^{us},as{k}^{us})$ and $\mathrm{RS}.\mathit{KeyGen}({1}^{k})\to (ap{k}^{rs},as{k}^{rs})$ to compute an arbitrator public and private key pair $(APK,ASK)=((ap{k}^{us},ap{k}^{rs}),(as{k}^{us},as{k}^{rs}))$.
- ${\mathit{Setup}}^{\mathit{U}}$: On input $PM$, it runs $\mathrm{OS}.\mathit{KeyGen}({1}^{k})\to (p{k}_{i}^{os},s{k}_{i}^{os})$, $\mathrm{CUS}.\mathit{KeyGen}({1}^{k})\to (p{k}_{i}^{us},s{k}_{i}^{us})$, and $\mathrm{RS}.\mathit{KeyGen}({1}^{k})\to (p{k}_{i}^{rs},s{k}_{i}^{rs})$ to compute a user public and private key pair $(UP{K}_{i},US{K}_{i})=((p{k}_{i}^{os},p{k}_{i}^{us},p{k}_{i}^{rs}),(s{k}_{i}^{os},s{k}_{i}^{us},s{k}_{i}^{rs}))$.
- $\mathit{PSign}$: On input a message and a signer private key $(m,US{K}_{i})$, it runs $\mathrm{OS}.Sign(m,s{k}_{i}^{os})\to {\sigma}^{os}$ and outputs a partial signature ${\sigma}_{p}={\sigma}^{os}$.
- $\mathit{PVer}$: On input $(m,{\sigma}_{p},UP{K}_{i})$, it can validate ${\sigma}_{p}$ by running $\mathrm{OS}.\mathit{Ver}(m,{\sigma}^{os},p{k}_{i}^{os})$. It outputs $\text{“}1\text{”}$ if ${\sigma}_{p}$ is valid and outputs $\text{“}0\text{”}$ otherwise.
- $\mathit{Sign}$: On input $(m,{\sigma}_{p},US{K}_{i},APK,UP{K}_{i})$. Let ${m}^{\prime}=H(m,{\sigma}_{p},UP{K}_{i})$. It runs $\mathrm{CUS}.\mathit{Sign}({m}^{\prime},s{k}_{i}^{us})\to {\sigma}^{us}$ and $\mathrm{RS}.\mathit{Sign}(H({\sigma}^{us}),s{k}_{i}^{rs},P{K}_{L})\to {\sigma}^{rs}$, where $P{K}_{L}=(p{k}_{i}^{rs},ap{k}^{rs})$ and outputs a full signature $\sigma =({\sigma}_{p},{\sigma}^{us},{\sigma}^{rs})$.
- $\mathit{Ver}$: On input $(m,\sigma ,UP{K}_{i},APK)$, it can verify $\sigma =({\sigma}_{p}={\sigma}^{os},{\sigma}^{us},{\sigma}^{rs})$ by running $\mathrm{OS}.\mathit{Verify}(m,{\sigma}^{os},p{k}_{i}^{os})$ and $\mathrm{RS}.\mathit{Verify}(H({\sigma}^{us}),{\sigma}^{rs},P{K}_{L})$, where $P{K}_{L}=(p{k}_{i}^{rs},ap{k}^{rs})$. If ${\sigma}_{p}$ and ${\sigma}^{rs}$ are valid, this algorithm outputs $\text{“}1\text{”}$; otherwise, it outputs $\text{“}0\text{”}$.
- $\mathit{Res}$: On input $(m,{\sigma}_{p},ASK,APK,UP{K}_{i})$, it first checks the validity of ${\sigma}_{p}$ by running $\mathrm{OS}.\mathit{Verify}(m,{\sigma}^{os},p{k}_{i}^{os})$. It outputs $\text{“}\perp \text{”}$ if ${\sigma}_{p}$ is invalid. Otherwise, it continues to compute ${m}^{\prime}=H(m,{\sigma}_{p},UP{K}_{i})$. It then runs $\mathrm{CUS}.\mathit{Sign}({m}^{\prime},as{k}^{us})\to {\sigma}^{us}$ and $\mathrm{RS}.\mathit{Sign}(H({\sigma}^{us}),as{k}_{i}^{rs},P{K}_{L})\to {\sigma}^{rs}$, where $P{K}_{L}=(p{k}_{i}^{rs},ap{k}^{rs})$ and outputs a full signature $\sigma =({\sigma}_{p},{\sigma}^{us},{\sigma}^{rs})$.
- ${\mathit{Prove}}^{\mathit{A}}$: On input $(m,\sigma ,ASK,APK,UP{K}_{i})$, it first runs $\mathit{Ver}(m,\sigma ,UP{K}_{i},APK)$ to check its validity and continues if and only if it is valid. Then it computes ${m}^{\prime}=H(m,{\sigma}_{p},UP{K}_{i})$ and runs $\mathrm{CUS}.\mathit{SConvert}({m}^{\prime},{\sigma}^{us},as{k}^{us})\to {\pi}^{A}$ and outputs a proof $\pi ={\pi}^{A}$. Otherwise, it outputs $\text{“}\perp \text{”}$.
- ${\mathit{Prove}}^{\mathit{U}}$: On input $(m,\sigma ,US{K}_{i},APK,UP{K}_{i})$, it first runs $\mathit{Ver}(m,\sigma ,UP{K}_{i},APK)$ to check its validity and continues if and only if it is valid. Then it computes ${m}^{\prime}=H(m,{\sigma}_{p},UP{K}_{i})$ and runs $\mathrm{CUS}.\mathit{SConvert}({m}^{\prime},{\sigma}^{us},s{k}_{i}^{us})\to {\pi}^{U}$ and outputs a proof $\pi ={\pi}^{U}$. Otherwise, it outputs $\text{“}\perp \text{”}$.
- $\mathit{Open}$: On input $(m,\sigma ,UP{K}_{i},APK,\pi )$, it first runs $\mathit{Ver}(m,\sigma ,UP{K}_{i},APK)$ to check its validity and continues if and only if it is valid. Otherwise, it outputs $\text{“}\perp \text{”}$. It computes ${m}^{\prime}=H(m,{\sigma}_{p},UP{K}_{i})$ and parses $\pi $ in the following cases:
  - If $\pi ={\pi}^{A}$, it runs $\mathrm{CUS}.\mathit{Verify}({m}^{\prime},{\sigma}^{us},{\pi}^{A},ap{k}^{us})\to b\in \{0,1\}$. If $b=1$, it outputs $\text{“}APK\text{”}$ which indicates ${\sigma}^{us}$ is originally generated by the arbitrator using $as{k}^{us}$. Otherwise, it outputs $\text{“}UP{K}_{i}\text{”}$. If the output is $\text{“}\perp \text{”}$, it means $\pi $ is invalid.
  - Else if $\pi ={\pi}^{U}$, it runs $\mathrm{CUS}.\mathit{Verify}({m}^{\prime},{\sigma}^{us},{\pi}^{U},p{k}_{i}^{us})\to b\in \{0,1\}$. If $b=1$, it outputs $\text{“}UP{K}_{i}\text{”}$ which indicates ${\sigma}^{us}$ is originally generated by the signer using $s{k}_{i}^{us}$. Otherwise, it outputs $\text{“}APK\text{”}$. If the output is $\text{“}\perp \text{”}$, it means $\pi $ is invalid.

**Correctness**. The correctness of our generic framework follows the correctness of the underlying ordinary signature, convertible undeniable signature, and ring signature scheme.

#### 4.2. Security Analysis

#### 4.2.1. Resolution Ambiguity

**Lemma 1.**

**Proof.**

#### 4.2.2. Type I Accountability

**Lemma 2.**

**Proof.**

- **Phase 1**: On input $(p{k}_{0}^{us},p{k}_{0}^{rs})$ to $\mathcal{D}$, $\mathcal{D}$ sets $APK=(p{k}_{0}^{us},p{k}_{0}^{rs})$ and passes it to $\mathcal{A}$.
- **Phase 2**: $\mathcal{A}$ can make queries to its accessible oracles defined in Section 2.2. At the end, $\mathcal{A}$ runs ${\mathit{Setup}}^{\mathit{U}}(PM)\to (UP{K}_{i},US{K}_{i})$ to generate users’ private and public key pairs. $\mathcal{A}$ then passes a challenge public key $\widehat{UPK}=(p{k}^{os},p{k}_{1}^{us},p{k}_{1}^{rs})$ to $\mathcal{D}$.
- **Phase 3**: $\mathcal{A}$ can make queries to the following oracles:
  - Resolution Oracle ${\mathcal{O}}_{Res}$: On input $(m,{\sigma}_{p},\widehat{UPK})$, $\mathcal{D}$ requests ${\sigma}^{us}$ from convertible undeniable signature scheme’s ${\mathcal{O}}_{S}$ on input $({m}^{\prime},p{k}_{0}^{us})$, where ${m}^{\prime}=H(m,{\sigma}_{p},\widehat{UPK})$. $\mathcal{D}$ then requests ${\sigma}^{rs}$ from ring signature scheme’s ${\mathcal{O}}_{S}$ on input $(H({\sigma}^{us}),P{K}_{L},e)$, where $P{K}_{L}=(p{k}_{0}^{rs},p{k}_{1}^{rs})$ and $e=1$ is the selected public key position in $P{K}_{L}$. Note that $({\sigma}^{us},{\sigma}^{rs})$ is generated with $(s{k}_{0}^{us},s{k}_{0}^{rs})$ respectively. Finally, $\mathcal{D}$ returns a signature $\sigma =({\sigma}_{p},{\sigma}^{us},{\sigma}^{rs})$ to $\mathcal{A}$.
  - Arbitrator Prove Oracle ${\mathcal{O}}_{Prov{e}^{A}}$: On input $(m,\sigma =({\sigma}_{p},{\sigma}^{us},{\sigma}^{rs}))$, $\mathcal{D}$ requests a selective token ${\pi}^{S}$ on $p{k}_{0}^{us}$ from convertible undeniable signature scheme’s ${\mathcal{O}}_{SC}$ on input $({m}^{\prime},{\sigma}^{us})$, where ${m}^{\prime}=H(m,{\sigma}_{p},\widehat{UPK})$. $\mathcal{D}$ then returns an arbitrator proof ${\pi}^{A}={\pi}^{S}$.
- **Phase 4**: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma})$ that is valid on $(\widehat{UPK},APK)$ and a proof $\widehat{\pi}$ with the restriction that $\widehat{\sigma}$ is not generated from ${\mathcal{O}}_{Res}$. Note that $\widehat{\pi}$ can be either ${\pi}^{A}$ by $p{k}_{0}^{us}$ or ${\pi}^{U}$ by $p{k}_{1}^{us}$.

- **Case 1**: ${\widehat{\sigma}}^{us}$ is generated by using $s{k}_{0}^{us}$, so $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},p{k}_{0}^{us},{\widehat{\pi}}^{A})=\text{“}1\text{”}$ and $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},p{k}_{1}^{us},{\widehat{\pi}}^{U})=\text{“}0\text{”}$ hold.
- **Case 2**: ${\widehat{\sigma}}^{us}$ is generated by using $s{k}_{1}^{us}$, but $\widehat{\pi}$ is not sound. Hence, $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},p{k}_{0}^{us},{\widehat{\pi}}^{A})=\text{“}1\text{”}$ and $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},p{k}_{1}^{us},{\widehat{\pi}}^{U})=\text{“}0\text{”}$.

**Case 1** and breaks the completeness and soundness of the underlying convertible undeniable signature scheme in **Case 2**. This shows that there exists a PPT $\mathcal{D}$ which can either $(t,{q}_{PSign},{q}_{Sign},{q}_{Res},{q}_{Prov{e}^{A}},{q}_{Prov{e}^{U}},\epsilon )$-break the EUF-CMA or the completeness and soundness of the underlying convertible undeniable signature scheme if there exists $\mathcal{A}$ which can $(t,{q}_{PSign},{q}_{Sign},{q}_{Res},{q}_{Prov{e}^{A}},{q}_{Prov{e}^{U}},\epsilon )$-break the type I accountability. This contradicts the EUF-CMA and the completeness and soundness of the underlying convertible undeniable signature scheme, hence our OFE protocol is type I accountable. □

#### 4.2.3. Type II Accountability

**Lemma 3.**

**Proof.**

- **Phase 1**: On input $PM$ to $\mathcal{D}$, $\mathcal{D}$ then passes $PM$ to $\mathcal{A}$ which then runs ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK=(p{k}_{0}^{us},p{k}_{0}^{rs}),ASK=(s{k}_{0}^{us},s{k}_{0}^{rs}))$ and passes $APK$ to $\mathcal{D}$.
- **Phase 2**: $\mathcal{A}$ can make queries to the following oracles for a selected $UP{K}_{i}=(p{k}_{i}^{os},p{k}_{i}^{us},p{k}_{i}^{rs})$:
  - Partial Sign Oracle ${\mathcal{O}}_{PSign}$: On input $(m,UP{K}_{i})$, $\mathcal{D}$ requests a signature ${\sigma}^{os}$ from ordinary signature scheme’s ${\mathcal{O}}_{S}$ on input $(m,p{k}_{i}^{os})$. $\mathcal{D}$ then returns a partial signature ${\sigma}_{p}={\sigma}^{os}$.
  - Full Sign Oracle ${\mathcal{O}}_{Sign}$: On input $(m,{\sigma}_{p},UP{K}_{i})$, $\mathcal{D}$ requests ${\sigma}^{us}$ from convertible undeniable signature scheme’s ${\mathcal{O}}_{S}$ on input $({m}^{\prime},p{k}_{i}^{us})$, where ${m}^{\prime}=H(m,{\sigma}_{p},UP{K}_{i})$. $\mathcal{D}$ then requests ${\sigma}^{rs}$ from ring signature scheme’s ${\mathcal{O}}_{S}$ on input $(H({\sigma}^{us}),P{K}_{L},e)$, where $P{K}_{L}=(p{k}_{0}^{rs},p{k}_{i}^{rs})$ and $e=2$ is the selected public key position in $P{K}_{L}$. Note that $({\sigma}^{us},{\sigma}^{rs})$ is generated with $(s{k}_{i}^{us},s{k}_{i}^{rs})$ respectively.
  - User Prove Oracle ${\mathcal{O}}_{Prov{e}^{U}}$: On input $(m,\sigma =({\sigma}_{p},{\sigma}^{us},{\sigma}^{rs}))$, $\mathcal{D}$ requests a selective token ${\pi}^{S}$ on $p{k}_{i}^{us}$ from convertible undeniable signature scheme’s ${\mathcal{O}}_{SC}$ on input $({m}^{\prime},{\sigma}^{us})$, where ${m}^{\prime}=H(m,{\sigma}_{p},UP{K}_{i})$. $\mathcal{D}$ then returns a user proof ${\pi}^{U}={\pi}^{S}$.
- **Phase 3**: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma})$ that is valid on $(UP{K}_{i},APK)$ and a proof $\widehat{\pi}$, with the restriction that $\widehat{\sigma}$ is not generated from ${\mathcal{O}}_{Sign}$. Note that $\widehat{\pi}$ can either be the ${\pi}^{A}$ by $p{k}_{0}^{us}$ or the ${\pi}^{U}$ by $p{k}_{1}^{us}$.

- **Case 1**: ${\widehat{\sigma}}^{us}$ is generated by using $s{k}_{i}^{us}$, so $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},p{k}_{0}^{us},{\widehat{\pi}}^{A})=\text{“}0\text{”}$ and $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},p{k}_{i}^{us},{\widehat{\pi}}^{U})=\text{“}1\text{”}$ hold.
- **Case 2**: ${\widehat{\sigma}}^{us}$ is generated by using $s{k}_{0}^{us}$, but $\widehat{\pi}$ is not sound. Therefore, $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},p{k}_{0}^{us},{\widehat{\pi}}^{A})=\text{“}0\text{”}$ and $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},p{k}_{i}^{us},{\widehat{\pi}}^{U})=\text{“}1\text{”}$.

**Case 1** and breaks the completeness and soundness of convertible undeniable signature scheme in **Case 2**. This shows that there exists a PPT $\mathcal{D}$ that can either $(t,{q}_{PSign},{q}_{Sign},{q}_{Prov{e}^{U}},\epsilon )$-break the EUF-CMA or the completeness and soundness of the underlying convertible undeniable signature scheme if there exists $\mathcal{A}$ which can $(t,{q}_{PSign},{q}_{Sign},{q}_{Prov{e}^{U}},\epsilon )$-break the type II accountability. This contradicts the EUF-CMA and the completeness and soundness of the underlying convertible undeniable signature scheme, hence our OFE protocol is type II accountable. □

#### 4.2.4. Type III Accountability

**Lemma 4.**

**Proof.**

**Phase 1**: On input $PM$, $\mathcal{D}$ passes $PM$ to $\mathcal{A}$, which then runs ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$ and ${\mathit{Setup}}^{\mathit{U}}(PM)\to (UP{K}_{i},US{K}_{i})$.

**Phase 2**: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma})$ that is valid on $(UP{K}_{i},APK)$ and two proofs $({\widehat{\pi}}^{U},{\widehat{\pi}}^{A})$.

- A valid $(\widehat{m},{\widehat{\sigma}}^{us})$ on $UP{K}_{i}$ but $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},APK,{\widehat{\pi}}^{A})=“1”\wedge \mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},UP{K}_{i},{\widehat{\pi}}^{U})=“0”$
- A valid $(\widehat{m},{\widehat{\sigma}}^{us})$ on $APK$ but $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},APK,{\widehat{\pi}}^{A})=“0”\wedge \mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma}}^{us},UP{K}_{i},{\widehat{\pi}}^{U})=“1”$

#### 4.2.5. Security against Signers

**Lemma 5.**

**Proof.**

#### 4.2.6. Security against Verifiers

**Lemma 6.**

**Proof.**

**Phase 1**: On input two challenge public key pairs $((p{k}_{0}^{us},p{k}_{0}^{rs}),(p{k}_{1}^{us},p{k}_{1}^{rs}))$ to $\mathcal{D}$, $\mathcal{D}$ first runs $\mathrm{OS}.\mathit{KeyGen}\to (p{k}^{os},s{k}^{os})$. $\mathcal{D}$ then chooses $b\in \{0,1\}$ and sets $APK=(p{k}_{b}^{us},p{k}_{b}^{rs})$ and $UPK=(p{k}^{os},p{k}_{1-b}^{us},p{k}_{1-b}^{rs})$. $\mathcal{A}$ is given $(APK,UPK)$.

**Phase 2**: $\mathcal{A}$ can make queries to the following oracles:

- Partial Sign Oracle ${\mathcal{O}}_{PSign}$: On input $(m,UPK)$, $\mathcal{D}$ returns $\mathrm{OS}.\mathit{Sign}(m,s{k}^{os})\to {\sigma}_{p}$ to $\mathcal{A}$.
- Full Sign Oracle ${\mathcal{O}}_{Sign}$: On input $(m,{\sigma}_{p},UPK)$, $\mathcal{D}$ requests ${\sigma}^{us}$ from convertible undeniable signature scheme’s ${\mathcal{O}}_{S}$ on input $({m}^{\prime},p{k}_{1-b}^{us})$, where ${m}^{\prime}=H(m,{\sigma}_{p},UPK)$. $\mathcal{D}$ then requests ${\sigma}^{rs}$ from ring signature scheme’s ${\mathcal{O}}_{S}$ on input $(H({\sigma}^{us}),P{K}_{L},e)$, where $P{K}_{L}=(p{k}_{1-b}^{rs},p{k}_{b}^{rs})$ and $e=1$ is the selected public key position in $P{K}_{L}$. Note that $({\sigma}^{us},{\sigma}^{rs})$ is generated with $(s{k}_{1-b}^{us},s{k}_{1-b}^{rs})$ respectively. Finally, $\mathcal{D}$ returns a signature $\sigma =({\sigma}_{p},{\sigma}^{us},{\sigma}^{rs})$ to $\mathcal{A}$.
- Resolution Oracle ${\mathcal{O}}_{Res}$: This oracle is similar to ${\mathcal{O}}_{Sign}$ above, but $({\sigma}^{us},{\sigma}^{rs})$ is generated with $(s{k}_{b}^{us},s{k}_{b}^{rs})$ respectively, where ${\sigma}^{us}$ is from convertible undeniable signature scheme’s ${\mathcal{O}}_{S}$ on input $({m}^{\prime},p{k}_{b}^{us})$ and ${\sigma}^{rs}$ is from ring signature scheme’s ${\mathcal{O}}_{S}$ on input $(H({\sigma}^{us}),P{K}_{L},e)$ where $P{K}_{L}=(p{k}_{1-b}^{rs},p{k}_{b}^{rs})$ and $e=2$ is the selected public key position in $P{K}_{L}$.

**Phase 3**: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma})$, where $\widehat{\sigma}=({\widehat{\sigma}}_{p},{\widehat{\sigma}}^{us},{\widehat{\sigma}}^{rs})$ with the restriction that $\widehat{\sigma}$ is not generated from ${\mathcal{O}}_{Sign}$ or ${\mathcal{O}}_{Res}$.

#### 4.2.7. Security against Arbitrator

**Lemma 7.**

**Proof.**

**Phase 1**: On input a challenge public key $p{k}^{os}$, $\mathcal{D}$ first generates public parameters $PM$ and passes them to $\mathcal{A}$.

**Phase 2**: $\mathcal{A}$ then runs ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$ and sends $APK$ to $\mathcal{D}$.

**Phase 3**: $\mathcal{A}$ can make queries to the Partial Sign Oracle ${\mathcal{O}}_{PSign}$: On input $(m,UPK)$, $\mathcal{D}$ requests a signature ${\sigma}^{os}$ from ordinary signature scheme’s ${\mathcal{O}}_{S}$ on input $(m,p{k}^{os})$. $\mathcal{D}$ returns a partial signature ${\sigma}_{p}={\sigma}^{os}$.

**Phase 4**: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma})$, where $\widehat{\sigma}=({\widehat{\sigma}}_{p},{\widehat{\sigma}}^{us},{\widehat{\sigma}}^{rs})$ with the restriction that $(\widehat{m},UPK)$ has not been queried to ${\mathcal{O}}_{PSign}$.

**Theorem 1.**

**Proof.**

## 5. An Instantiation of Accountable Optimistic Fair Exchange Protocol

#### 5.1. Boneh et al.’s Short Signature Scheme

- $\mathit{KeyGen}$: It randomly picks $x\in {\mathbb{Z}}_{q}$ and computes $X={g}_{2}^{x}$. It then returns a public and private key pair $(pk,sk)=(X,x)$.
- $\mathit{Sign}$: On input a message and a private key $(m,sk)$, it returns an ordinary signature ${\sigma}^{os}=H{(m)}^{x}$.
- $\mathit{Verify}$: On input $(m,{\sigma}^{os},pk)$, it checks whether $\widehat{e}(H(m),X)\stackrel{?}{=}\widehat{e}({\sigma}^{os},{g}_{2})$. It outputs $“1”$ if $\sigma $ is valid and $“0”$ otherwise.

#### 5.2. Li et al.’s Convertible Undeniable Signature Scheme

- $\mathit{KeyGen}$: It randomly picks $x,y\in {\mathbb{Z}}_{q}^{*}$ to compute $X={g}_{2}^{x}$ and $Y={g}_{2}^{y}$. It outputs a public and private key pair $(pk,sk)=((X,Y),(x,y))$.
- $\mathit{Sign}$: On input a message and private key $(m,sk)$, it computes an undeniable signature ${\sigma}^{us}=H{(m)}^{xy}$.
- $\mathit{Confirmation}/\mathit{Disavowal}\,\mathit{Protocol}$: Given a message and signature pair $(m,{\sigma}^{us})$, it can confirm or deny ${\sigma}^{us}$ with the following designated verifier non-interactive zero knowledge proof of knowledge $(DVPK)$: $DVPK(y:\widehat{e}({\sigma}^{us},{g}_{2})=\widehat{e}{(H(m),X)}^{y}\wedge Y={g}_{2}^{y})$ or $DVPK(y:\widehat{e}({\sigma}^{us},{g}_{2})\ne \widehat{e}{(H(m),X)}^{y}\wedge Y={g}_{2}^{y})$
- $\mathit{SConvert}$: On input $(m,{\sigma}^{us},sk)$, it computes a converter ${\pi}^{S}=H{(m)}^{y}\in {\mathbb{G}}_{1}$.
- $\mathit{SVerify}$: On input $(m,{\sigma}^{us},pk,{\pi}^{S})$, it first verifies ${\pi}^{S}$ by checking whether $\widehat{e}({\pi}^{S},{g}_{2})\stackrel{?}{=}\widehat{e}(H(m),Y)$ or not. If ${\pi}^{S}$ is valid, then it proceeds to validate ${\sigma}^{us}$ by checking whether $\widehat{e}({\sigma}^{us},{g}_{2})\stackrel{?}{=}\widehat{e}({\pi}^{S},X)$ holds or not.

#### 5.3. Shim’s Ring Signature Scheme

- $\mathit{KeyGen}$: For a user i, it randomly picks ${x}_{i}\in {\mathbb{Z}}_{q}^{*}$ to compute ${X}_{i}={g}_{2}^{{x}_{i}}$. It outputs a public and private key pair $(p{k}_{i},s{k}_{i})=({X}_{i},{x}_{i})$.
- $\mathit{Sign}$: Let $P{K}_{L}=\{p{k}_{1},\dots ,p{k}_{n}\}$ be a list of users’ public keys with n members. On input a signer’s public and private key pair $(p{k}_{s},s{k}_{s})$ and a message $m\in {\{0,1\}}^{*}$, it first randomly chooses ${Z}_{i}\in {\mathbb{G}}_{1}$ and computes ${z}_{i}=h({Z}_{i},m,P{K}_{L})$ for $i=1,\dots ,n$ and $i\ne s$. It then chooses a random salt $r\in {\mathbb{Z}}_{q}$ and computes $({Z}_{s},{z}_{s},V)$, where $${Z}_{s}={g}_{2}^{r}\prod _{i\ne s}^{n}p{k}_{i}{Z}_{i},\qquad {z}_{s}=h({Z}_{s},m,P{K}_{L}),\qquad V={g}_{1}^{r+{z}_{s}{x}_{s}}$$ Finally, it outputs a ring signature ${\sigma}^{rs}=({Z}_{i},\dots {Z}_{n},V)$.
- $\mathit{Verify}$: On input $(m,{\sigma}^{rs},P{K}_{L})$, where $P{K}_{L}=\{p{k}_{1},\dots ,p{k}_{n}\}$ is a list of users’ public keys with n members, it first computes ${z}_{i}=h({Z}_{i},m,P{K}_{L})$ for $i=1,\dots ,n$. It then checks whether $\widehat{e}(V,{g}_{2})\stackrel{?}{=}\widehat{e}({\prod}_{i=1}^{n}p{k}_{i}^{{z}_{i}}{Z}_{i},{g}_{2})$ holds or not. If it holds, it outputs $“1”$ and $“0”$ otherwise.

#### 5.4. The Derived Accountable Optimistic Fair Exchange Protocol

- $\mathit{PMGen}$: On input ${1}^{k}$, it generates $(q,{g}_{1},{g}_{2},{\mathbb{G}}_{1},{\mathbb{G}}_{2},{\mathbb{G}}_{T},\widehat{e})$, where ${\mathbb{G}}_{1}$,${\mathbb{G}}_{2}$,${\mathbb{G}}_{T}$ are cyclic groups of prime order q, ${g}_{1}\in {\mathbb{G}}_{1}$ and ${g}_{2}\in {\mathbb{G}}_{2}$ are two generators, and $\widehat{e}:{\mathbb{G}}_{1}\times {\mathbb{G}}_{2}\to {\mathbb{G}}_{T}$ is a bilinear map. Let ${H}_{1},{H}_{2}:{\{0,1\}}^{*}\to {\mathbb{G}}_{1}$, ${H}_{3}:{\{0,1\}}^{*}\to \mathcal{M}$, and ${h}_{1},{h}_{2}:{\{0,1\}}^{*}\to {\mathbb{Z}}_{p}^{*}$, where $\mathcal{M}$ is the message space. Finally, it outputs $PM=(q,{g}_{1},{g}_{2},{\mathbb{G}}_{1},{\mathbb{G}}_{2},{\mathbb{G}}_{T},\widehat{e},{H}_{1},{H}_{2},{H}_{3},{h}_{1},{h}_{2})$.
- ${\mathit{Setup}}^{\mathit{A}}$: On input $PM$, it runs $\mathrm{CUS}.\mathit{KeyGen}({1}^{k})\to (pk,sk)$, where $pk=({g}_{2}^{{x}_{a}},{g}_{2}^{{y}_{a}})=({X}_{a},{Y}_{a})$ and $sk=({x}_{a},{y}_{a})\in {\mathbb{Z}}_{q}^{*}$. Note that $({x}_{a},{X}_{a})$ will be used for ring signature later. Lastly, it returns an arbitrator public and private key pair $(APK,ASK)=(({X}_{a},{Y}_{a}),({x}_{a},{y}_{a}))$.
- ${\mathit{Setup}}^{\mathit{U}}$: On input $PM$, it runs $\mathrm{CUS}.\mathit{KeyGen}({1}^{k})\to (pk,sk)$, where $pk=({g}_{2}^{{x}_{i}},{g}_{2}^{{y}_{i}})=({X}_{i},{Y}_{i})$ and $sk=({x}_{i},{y}_{i})\in {\mathbb{Z}}_{q}^{*}$. Note that $({x}_{i},{X}_{i})$ will be used for ordinary signature and ring signature later. Lastly, it returns a user public and private key pair $(UP{K}_{i},US{K}_{i})=(({X}_{i},{Y}_{i}),({x}_{i},{y}_{i}))$.
- $\mathit{PSign}$: On input $(m,US{K}_{i})$, it runs $\mathrm{OS}.\mathit{Sign}$ to compute an ordinary signature, ${\sigma}^{os}={H}_{1}{(m)}^{{x}_{i}}$. It outputs a partial signature ${\sigma}_{p}={\sigma}^{os}$.
- $\mathit{PVer}$: On input $(m,{\sigma}_{p},UP{K}_{i})$, it runs $\mathrm{OS}.\mathit{Verify}$ to check the validity by comparing $\widehat{e}({H}_{1}(m),{X}_{i})\stackrel{?}{=}\widehat{e}({\sigma}_{p},{g}_{2})$. It returns $“1”$ if the equation holds and $“0”$ otherwise.
- $\mathit{Sign}$: On input $(m,{\sigma}_{p},US{K}_{i},UP{K}_{i},APK)$, it runs $\mathit{PVer}(m,{\sigma}_{p},UP{K}_{i})$ and continues if and only if ${\sigma}_{p}$ is valid. Let ${m}^{\prime}={H}_{3}(m,{\sigma}_{p},UP{K}_{i})$; it runs $\mathrm{CUS}.\mathit{Sign}$ to generate a convertible undeniable signature, ${\sigma}^{us}={H}_{2}{({m}^{\prime})}^{{x}_{i}{y}_{i}}$. It then runs $\mathrm{RS}.\mathit{Sign}$ to generate a ring signature, ${\sigma}^{rs}$. Let $P{K}_{L}=\{{X}_{a},{X}_{i}\}$; it randomly chooses ${Z}_{a}\in {\mathbb{G}}_{1}$ and computes ${z}_{a}=h({Z}_{a},{H}_{3}({\sigma}^{us}),P{K}_{L})$. It then chooses a random salt $r\in {\mathbb{Z}}_{q}$ and computes $({Z}_{i},{z}_{i},V)$: $${Z}_{i}={g}_{2}^{r}{X}_{a}{Z}_{a},\qquad {z}_{i}=h({Z}_{i},{H}_{3}({\sigma}^{us}),P{K}_{L}),\qquad V={g}_{1}^{r+{z}_{i}{x}_{i}}$$ Finally, it outputs a full signature $\sigma =({\sigma}_{p},{\sigma}^{us},{\sigma}^{rs})$ where ${\sigma}^{rs}=({Z}_{a},{Z}_{i},V)$.
- $\mathit{Ver}$: On input $(m,\sigma ,UP{K}_{i},APK)$, it first runs $\mathit{PVer}(m,{\sigma}_{p},UP{K}_{i})$ and continues if and only if ${\sigma}_{p}$ is valid. It then runs $\mathrm{RS}.\mathit{Verify}$ to verify ${\sigma}^{rs}$. Let $P{K}_{L}=\{{X}_{a},{X}_{i}\}$, it then computes ${z}_{a}=h({Z}_{a},{H}_{3}({\sigma}^{us}),P{K}_{L})$ and ${z}_{i}=h({Z}_{i},{H}_{3}({\sigma}^{us}),P{K}_{L})$. It then checks whether $\widehat{e}(V,{g}_{2})\stackrel{?}{=}\widehat{e}({X}_{a}^{{z}_{a}}{Z}_{a}\cdot {X}_{i}^{{z}_{i}}{Z}_{i},{g}_{2})$ holds or not. If it holds, it outputs $“1”$ and $“0”$ otherwise.
- $\mathit{Res}$: On input $(m,{\sigma}_{p},ASK,UP{K}_{i},APK)$, it runs $\mathit{PVer}(m,{\sigma}_{p},UP{K}_{i})$ and continues if and only if ${\sigma}_{p}$ is valid. Let ${m}^{\prime}={H}_{3}(m,{\sigma}_{p},UP{K}_{i})$, it runs $\mathrm{CUS}.\mathit{Sign}$ to compute a convertible undeniable signature, ${\sigma}^{us}={H}_{2}{({m}^{\prime})}^{{x}_{a}{y}_{a}}$. It then runs $\mathrm{RS}.\mathit{Sign}$ to generate a ring signature, ${\sigma}^{rs}$. Let $P{K}_{L}=\{{X}_{a},{X}_{i}\}$, it first randomly chooses ${Z}_{i}\in {\mathbb{G}}_{1}$ and computes ${z}_{i}=h({Z}_{i},{H}_{3}({\sigma}^{us}),P{K}_{L})$. It then chooses a random salt $r\in {\mathbb{Z}}_{q}$ and computes $({Z}_{a},{z}_{a},V)$: $${Z}_{a}={g}_{2}^{r}{X}_{i}{Z}_{i},\qquad {z}_{a}=h({Z}_{a},{H}_{3}({\sigma}^{us}),P{K}_{L}),\qquad V={g}_{1}^{r+{z}_{a}{x}_{a}}$$ Finally, it outputs a full signature $\sigma =({\sigma}_{p},{\sigma}^{us},{\sigma}^{rs})$ where ${\sigma}^{rs}=({Z}_{a},{Z}_{i},V)$.
- ${\mathit{Prove}}^{\mathit{A}}$: On input $(m,\sigma ,ASK,UP{K}_{i},APK)$, it first runs $\mathit{Ver}(m,\sigma ,UP{K}_{i},APK)$ and continues if and only if $\sigma $ is valid. Let ${m}^{\prime}={H}_{3}(m,{\sigma}_{p},UP{K}_{i})$, it runs $\mathrm{CUS}.\mathit{SConvert}$ to compute a proof ${\pi}^{A}={H}_{2}{({m}^{\prime})}^{{y}_{a}}$. Otherwise, it outputs $“\perp ”$.
- ${\mathit{Prove}}^{\mathit{U}}$: On input $(m,\sigma ,US{K}_{i},UP{K}_{i},APK)$, it first runs $\mathit{Ver}(m,\sigma ,UP{K}_{i},APK)$ and continues if and only if $\sigma $ is valid. Let ${m}^{\prime}={H}_{3}(m,{\sigma}_{p},UP{K}_{i})$, it runs $\mathrm{CUS}.\mathit{SConvert}$ to compute a proof ${\pi}^{U}={H}_{2}{({m}^{\prime})}^{{y}_{i}}$. Otherwise, it outputs $“\perp ”$.
- $\mathit{Open}$: On input $(m,\sigma ,\pi ,UP{K}_{i},APK)$, it runs $\mathit{Ver}(m,\sigma ,UP{K}_{i},APK)$ and continues if and only if $\sigma $ is valid. Let ${m}^{\prime}={H}_{3}(m,{\sigma}_{p},UP{K}_{i})$, it runs $\mathrm{CUS}.\mathit{SVerify}$ to verify ${\sigma}^{us}$, where
  - If $\pi ={\pi}^{A}$, it first checks the validity of ${\pi}^{A}$ by running $\widehat{e}({\pi}^{A},{g}_{2})\stackrel{?}{=}\widehat{e}({H}_{2}({m}^{\prime}),{Y}_{a})$ and outputs $“\perp ”$ if ${\pi}^{A}$ is invalid. Otherwise, it proceeds to validate ${\sigma}^{us}$ by running $\widehat{e}({\sigma}^{us},{g}_{2})\stackrel{?}{=}\widehat{e}({\pi}^{A},{X}_{a})$. If the equation holds, it means ${\sigma}^{us}$ was signed by the arbitrator and outputs $“APK”$, otherwise it outputs $“UP{K}_{i}”$.
  - If $\pi ={\pi}^{U}$, it first checks the validity of ${\pi}^{U}$ by running $\widehat{e}({\pi}^{U},{g}_{2})\stackrel{?}{=}\widehat{e}({H}_{2}({m}^{\prime}),{Y}_{i})$ and outputs $“\perp ”$ if ${\pi}^{U}$ is invalid. Otherwise, it proceeds to validate ${\sigma}^{us}$ by running $\widehat{e}({\sigma}^{us},{g}_{2})\stackrel{?}{=}\widehat{e}({\pi}^{U},{X}_{i})$. If the equation holds, it means ${\sigma}^{us}$ was signed by the signer and outputs $“UP{K}_{i}”$, otherwise it outputs $“APK”$.
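
The decision logic of $\mathit{Open}$ above can be exercised end to end with the following added example, which is not code from the paper. It assumes a toy bilinear map over $({\mathbb{Z}}_{q},+)$ that reproduces the pairing algebra but offers no security, hypothetical function names (`cus_sign`, `prove`, `open_sig`), and it models only the $\mathit{PVer}$ part of $\mathit{Ver}$, leaving the ring signature ${\sigma}^{rs}$ out.

```python
import hashlib
import secrets

# Toy bilinear group, constructed for this example and NOT secure:
# G1 = G2 = GT = (Z_q, +), so "g^k" is k*g mod q and e(a, b) = a*b mod q.
Q = 2**255 - 19   # a prime; any prime works for the algebra
G2 = 1            # generator g_2

def gexp(base, k):
    """base^k in the page's multiplicative notation."""
    return base * k % Q

def e(a, b):
    """Toy pairing: e(a^x, b^y) == e(a, b)^(x*y)."""
    return a * b % Q

def _digest(tag, *parts):
    data = tag + b"|" + b"|".join(repr(p).encode() for p in parts)
    return hashlib.sha256(data).digest()

def H1(m):
    return 1 + int.from_bytes(_digest(b"H1", m), "big") % (Q - 1)

def H2(m):
    return 1 + int.from_bytes(_digest(b"H2", m), "big") % (Q - 1)

def H3(*parts):
    return _digest(b"H3", *parts).hex()

def keygen():
    """CUS.KeyGen: returns ((X, Y), (x, y))."""
    x = 1 + secrets.randbelow(Q - 1)
    y = 1 + secrets.randbelow(Q - 1)
    return (gexp(G2, x), gexp(G2, y)), (x, y)

def psign(m, usk):
    return gexp(H1(m), usk[0])                 # sigma_p = H1(m)^{x_i}

def pver(m, sigma_p, upk):
    return e(H1(m), upk[0]) == e(sigma_p, G2)

def cus_sign(m, sigma_p, upk, sk):
    """sigma^us as in Sign (sk = USK_i) or Res (sk = ASK)."""
    if not pver(m, sigma_p, upk):
        return None
    return gexp(H2(H3(m, sigma_p, upk)), sk[0] * sk[1] % Q)

def prove(m, sigma_p, upk, sk):
    """pi = H2(m')^y: Prove^A with ASK, Prove^U with USK_i."""
    return gexp(H2(H3(m, sigma_p, upk)), sk[1])

def open_sig(m, sigma_p, sigma_us, pi, prover, upk, apk):
    """Open for prover 'A' (pi^A) or 'U' (pi^U); None stands for the bottom symbol."""
    if not pver(m, sigma_p, upk):      # only the PVer part of Ver is modelled
        return None
    X, Y = apk if prover == "A" else upk
    hm = H2(H3(m, sigma_p, upk))
    if e(pi, G2) != e(hm, Y):          # proof not formed with the prover's y
        return None
    match = e(sigma_us, G2) == e(pi, X)
    if prover == "A":
        return "APK" if match else "UPK_i"
    return "UPK_i" if match else "APK"

def demo():
    apk, ask = keygen()
    upk, usk = keygen()
    m = "constructed contract text"
    sp = psign(m, usk)
    by_user = cus_sign(m, sp, upk, usk)    # signer completed the exchange
    by_arb = cus_sign(m, sp, upk, ask)     # arbitrator resolved it
    pi_a = prove(m, sp, upk, ask)
    pi_u = prove(m, sp, upk, usk)
    return {
        "user_sig/pi_A": open_sig(m, sp, by_user, pi_a, "A", upk, apk),
        "user_sig/pi_U": open_sig(m, sp, by_user, pi_u, "U", upk, apk),
        "arb_sig/pi_A": open_sig(m, sp, by_arb, pi_a, "A", upk, apk),
        "arb_sig/pi_U": open_sig(m, sp, by_arb, pi_u, "U", upk, apk),
        "bad_proof": open_sig(m, sp, by_arb, (pi_a + 1) % Q, "A", upk, apk),
        "swapped_proof": open_sig(m, sp, by_arb, pi_u, "A", upk, apk),
        "junk_sigma_us": open_sig(m, sp, H2("junk"), pi_a, "A", upk, apk),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {verdict}")
```

The `junk_sigma_us` case is attributed to `UPK_i` only because the ring-signature check is not modelled here; in the protocol, $\mathit{Open}$ proceeds only after $\mathit{Ver}$ has accepted ${\sigma}^{rs}$, which is what ties ${\sigma}^{us}$ to one of the two keys in $P{K}_{L}$.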

#### Security Analysis

**Resolution Ambiguity**: This property requires that the underlying convertible undeniable signature and ring signature schemes satisfy anonymity. The derived protocol is resolution ambiguous, which follows from Lemma 1: the underlying Li et al.’s convertible undeniable signature scheme [31] is proven invisible based on the One-more Decisional Co-Tripartite-Diffie-Hellman (1m-DCTDH) assumption in the random oracle model, and invisibility and anonymity are equivalent, as proven by Galbraith and Mao [39]. Besides, the underlying Shim’s ring signature scheme is unconditionally anonymous, as shown by the author [32].

**Accountability**: This property requires that the underlying convertible undeniable signature scheme satisfies EUF-CMA and completeness and soundness. The derived protocol is accountable, which follows from Lemmas 2–4: the underlying Li et al.’s convertible undeniable signature scheme [31] achieves EUF-CMA based on Computational co-Diffie-Hellman (Co-CDH) in the random oracle model. The completeness and soundness of Li et al.’s scheme are unconditionally satisfied, as shown by the author.

**Security against Signers**: This property is unconditionally satisfied, which follows from Lemma 5, as the generic framework follows the same construction as in Huang et al. [19] and Ganjavi et al. [24], such that the arbitrator can always convert a partial signature into a full signature by generating a convertible undeniable signature and ring signature.

**Security against Verifiers**: This property requires that the underlying convertible undeniable signature and ring signature schemes satisfy EUF-CMA and EUF-CSA respectively. The derived protocol is secure against verifiers, which follows from Lemma 6: the underlying Li et al.’s convertible undeniable signature scheme [31] and Shim’s ring signature scheme [32] are proven EUF-CMA and EUF-CSA respectively based on Co-CDH in the random oracle model.

**Security against Arbitrator**: This property requires that the underlying ordinary signature scheme satisfies EUF-CMA. The derived protocol is secure against the arbitrator, which follows from Lemma 7: the underlying Boneh et al.’s ordinary signature [30] achieves EUF-CMA based on Co-CDH in the random oracle model.

## 6. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. Bao, F.; Wang, G.; Zhou, J.; Zhu, H. Analysis and Improvement of Micali’s Fair Contract Signing Protocol. In Information Security and Privacy; Wang, H., Pieprzyk, J., Varadharajan, V., Eds.; Springer: Berlin/Heidelberg, Germany, 2004; pp. 176–187.
2. Ben-Or, M.; Goldreich, O.; Micali, S.; Rivest, R.L. A fair protocol for signing contracts. IEEE Trans. Inf. Theory **1990**, 36, 40–46.
3. Park, J.M.; Chong, E.K.P.; Siegel, H.J. Constructing Fair-exchange Protocols for E-commerce via Distributed Computation of RSA Signatures. In Proceedings of the PODC ‘03 Twenty-Second Annual Symposium on Principles of Distributed Computing, Boston, MA, USA, 13–16 July 2003; ACM: New York, NY, USA, 2003; pp. 172–181.
4. Abadi, M.; Glew, N.; Horne, B.; Pinkas, B. Certified email with a light on-line trusted third party: Design and implementation. Int. World Wide Web Conf. **2002**, 2, 387–395.
5. Ateniese, G.; Nita-Rotaru, C. Stateless-Recipient Certified E-Mail System Based on Verifiable Encryption. In Topics in Cryptology—CT-RSA 2002; Preneel, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; pp. 182–199.
6. Imamoto, K.; Sakurai, K. A Certified E-mail System with Receiver’s Selective Usage of Delivery Authority. In Progress in Cryptology—INDOCRYPT 2002; Menezes, A., Sarkar, P., Eds.; Springer: Berlin/Heidelberg, Germany, 2002; pp. 326–338.
7. AlOtaibi, A.; Aldabbas, H. A review of fair exchange protocols. Int. J. Comput. Netw. Commun. **2012**, 4, 307.
8. Bahreman, A.; Tygar, J. Certified electronic mail. In Proceedings of the 1994 Network and Distributed System Security Symposium (NDSS 1994), New York, NY, USA, February 1994; pp. 3–19.
9. Coffey, T.; Saidha, P.; Burrows, P. Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt. In Proceedings of the ISICT ‘03 1st International Symposium on Information and Communication Technologies, Dublin, Ireland, 24–26 September 2003; Trinity College Dublin: Dublin, Ireland, 2003; pp. 351–356.
10. Cox, B.; Tygar, J.D.; Sirbu, M. NetBill Security and Transaction Protocol. In Proceedings of the USENIX Workshop on Electronic Commerce, New York, NY, USA, 11–12 July 1995; Volume 1.
11. Deng, R.H.; Gong, L.; Lazar, A.A.; Wang, W. Practical protocols for certified electronic mail. J. Netw. Syst. Manag. **1996**, 4, 279–297.
12. Asokan, N.; Schunter, M.; Waidner, M. Optimistic Protocols for Fair Exchange. In Proceedings of the CCS ‘97 4th ACM Conference on Computer and Communications Security, Zurich, Switzerland, 1–4 April 1997; ACM: New York, NY, USA, 1997; pp. 7–17.
13. Dodis, Y.; Reyzin, L. Breaking and Repairing Optimistic Fair Exchange from PODC 2003. In Proceedings of the DRM ‘03 3rd ACM Workshop on Digital Rights Management, Washington, DC, USA, 27 October 2003; ACM: New York, NY, USA, 2003; pp. 47–54.
14. Huang, Q.; Yang, G.; Wong, D.S.; Susilo, W. Efficient Optimistic Fair Exchange Secure in the Multi-user Setting and Chosen-Key Model without Random Oracles. In Topics in Cryptology—CT-RSA 2008; Malkin, T., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; pp. 106–120.
15. Huang, Q.; Yang, G.; Wong, D.S.; Susilo, W. Ambiguous Optimistic Fair Exchange. In Advances in Cryptology–ASIACRYPT 2008; Pieprzyk, J., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; pp. 74–89.
16. Wang, Y.; Au, M.H.; Susilo, W. Perfect Ambiguous Optimistic Fair Exchange. In Information and Communications Security; Chim, T.W., Yuen, T.H., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 142–153.
17. Huang, Q.; Wong, D.S.; Susilo, W. P2OFE: Privacy-Preserving Optimistic Fair Exchange of Digital Signatures. In Topics in Cryptology—CT-RSA 2014; Benaloh, J., Ed.; Springer: Cham, Switzerland, 2014; pp. 367–384.
18. Guo, Q.; Cui, Y.; Zou, X.; Huang, Q. Generic Construction of Privacy-Preserving Optimistic Fair Exchange Protocols. J. Internet Serv. Inf. Secur. **2017**, 7, 44–56.
19. Huang, X.; Mu, Y.; Susilo, W.; Wu, W.; Zhou, J.; Deng, R.H. Preserving Transparency and Accountability in Optimistic Fair Exchange of Digital Signatures. IEEE Trans. Inf. Forensics Secur. **2011**, 6, 498–512.
20. Bellare, M.; Rogaway, P. Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols. In Proceedings of the CCS ‘93 1st ACM Conference on Computer and Communications Security, Fairfax, VA, USA, 3–5 November 1993; ACM: New York, NY, USA, 1993; pp. 62–73.
21. Bellare, M.; Goldreich, O. On Defining Proofs of Knowledge. In Advances in Cryptology—CRYPTO’ 92; Brickell, E.F., Ed.; Springer: Berlin/Heidelberg, Germany, 1993; pp. 390–420.
22. Fiat, A.; Shamir, A. How To Prove Yourself: Practical Solutions to Identification and Signature Problems. In Advances in Cryptology—CRYPTO’ 86; Odlyzko, A.M., Ed.; Springer: Berlin/Heidelberg, Germany, 1987; pp. 186–194.
23. Cramer, R.; Damgård, I.; Schoenmakers, B. Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In Advances in Cryptology—CRYPTO ’94; Desmedt, Y.G., Ed.; Springer: Berlin/Heidelberg, Germany, 1994; pp. 174–187.
24. Ganjavi, R.; Asaar, M.R.; Salmasizadeh, M. A traceable optimistic fair exchange protocol. In Proceedings of the 2014 11th International ISC Conference on Information Security and Cryptology, Tehran, Iran, 3–4 September 2014; pp. 161–166.
25. Fujisaki, E.; Suzuki, K. Traceable Ring Signature. In Public Key Cryptography–PKC 2007; Okamoto, T., Wang, X., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; pp. 181–200.
26. Fujisaki, E. Sub-linear Size Traceable Ring Signatures without Random Oracles. In Topics in Cryptology—CT-RSA 2011; Kiayias, A., Ed.; Springer: Berlin/Heidelberg, Germany, 2011; pp. 393–415.
27. Gu, K.; Wu, N. Constant Size Traceable Ring Signature Scheme without Random Oracles. Cryptology ePrint Archive, Report 2018/288, 2018. Available online: https://eprint.iacr.org/2018/288 (accessed on 6 June 2018).
28. Hu, C.; Li, D. Forward-Secure Traceable Ring Signature. In Proceedings of the Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007), Qingdao, China, 30 July–1 August 2007; Volume 3, pp. 200–204.
29. Loh, J.C.; Heng, S.H.; Tan, S.Y. A Generic Framework for Accountable Optimistic Fair Exchange Protocol. In Lecture Notes in Computer Science, Proceeding of the 14th International Conference on Information Security Practice and Experience, Tokyo, Japan, 25–27 September 2018; Su, C., Kikuchi, H., Eds.; Springer: New York, NY, USA, 2018; Volume 11125, pp. 299–309.
30. Boneh, D.; Lynn, B.; Shacham, H. Short Signatures from the Weil Pairing. In Advances in Cryptology—ASIACRYPT 2001; Boyd, C., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; pp. 514–532.
31. Li, F.; Gao, W.; Wang, Y.; Wang, X. Short Convertible Undeniable Signature From Pairing. J. Softw. **2013**, 8, 2983–2990.
32. Shim, K.A. An efficient ring signature scheme from pairings. Inf. Sci. **2015**, 300, 63–69.
33. Dodis, Y.; Lee, P.J.; Yum, D.H. Optimistic Fair Exchange in a Multi-user Setting. In Public Key Cryptography—PKC 2007; Okamoto, T., Wang, X., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; pp. 118–133.
34. Zhu, H.; Susilo, W.; Mu, Y. Multi-party Stand-Alone and Setup-Free Verifiably Committed Signatures. In Public Key Cryptography—PKC 2007; Okamoto, T., Wang, X., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; pp. 134–149.
35. Boneh, D.; Franklin, M. Identity-Based Encryption from the Weil Pairing. In Advances in Cryptology—CRYPTO 2001; Kilian, J., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; pp. 213–229.
36. Goldwasser, S.; Micali, S.; Rivest, R.L. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput. **1988**, 17, 281–308.
37. Chaum, D.; van Antwerpen, H. Undeniable Signatures. In Advances in Cryptology—CRYPTO’ 89 Proceedings; Brassard, G., Ed.; Springer: New York, NY, USA, 1990; pp. 212–216.
38. Boyar, J.; Chaum, D.; Damgård, I.; Pedersen, T. Convertible Undeniable Signatures. In Advances in Cryptology-CRYPTO’ 90; Menezes, A.J., Vanstone, S.A., Eds.; Springer: Berlin/Heidelberg, Germany, 1991; pp. 189–205.
39. Galbraith, S.D.; Mao, W. Invisibility and Anonymity of Undeniable and Confirmer Signatures. In Topics in Cryptology—CT-RSA 2003; Joye, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; pp. 80–97.
40. Huang, X.; Mu, Y.; Susilo, W.; Wu, W. Provably Secure Pairing-Based Convertible Undeniable Signature with Short Signature Length. In Pairing-Based Cryptography—Pairing 2007; Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; pp. 367–391.
41. Rivest, R.L.; Shamir, A.; Tauman, Y. How to Leak a Secret. In Advances in Cryptology—ASIACRYPT 2001; Boyd, C., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; pp. 552–565.
42. Bender, A.; Katz, J.; Morselli, R. Ring Signatures: Stronger Definitions, and Constructions Without Random Oracles. In Theory of Cryptography; Halevi, S., Rabin, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2006; pp. 60–79.
43. Bender, A.; Katz, J.; Morselli, R. Ring Signatures: Stronger Definitions, and Constructions without Random Oracles. J. Cryptol. **2009**, 22, 114–138.

**Table 1.** A comparison of the Generic Frameworks for Accountable optimistic fair exchange (OFE) Protocol.

Generic Framework | Partial Signature ${\mathit{\sigma}}_{\mathit{p}}$ | Full Signature $\mathit{\sigma}$ | Proof $\mathit{\pi}$ | Standard Model | Random Oracle Model |
---|---|---|---|---|---|
Huang et al. [19] | OS | ${\sigma}_{p}$, US, r, $OR$-Signature | SPK | × | √ |
Ganjavi et al. [24] | OS | ${\sigma}_{p}$, TRS | TRS | √ | √ |
Proposed | OS | ${\sigma}_{p}$, CUS, RS | token | √ | √ |

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Loh, J.-C.; Heng, S.-H.; Tan, S.-Y.
A Generic Framework for Accountable Optimistic Fair Exchange Protocol. *Symmetry* **2019**, *11*, 285.
https://doi.org/10.3390/sym11020285
