A Generic Framework for Accountable Optimistic Fair Exchange Protocol ^†

Abstract

Optimistic Fair Exchange protocol was designed for two parties to exchange in a fair way where an arbitrator always remains offline and will be referred only if any dispute happens. There are various optimistic fair exchange protocols with different security properties in the literature. Most of the optimistic fair exchange protocols satisfy resolution ambiguity where a signature signed by the signer is computational indistinguishable from the one resolved by the arbitrator. Huang et al. proposed the first generic framework for accountable optimistic fair exchange protocol in the random oracle model where it possesses resolution ambiguity and is able to reveal the actual signer when needed. Ganjavi et al. later proposed the first generic framework in the standard model. In this paper, we propose a new generic framework for accountable optimistic fair exchange protocol in the standard model using ordinary signature, convertible undeniable signature, and ring signature scheme as the underlying building blocks. We also provide an instantiation using our proposed generic framework to obtain an efficient pairing-based accountable optimistic fair exchange protocol with short signature.

1. Introduction

A fair exchange protocol was first designed to overcome the issue of fairness during an exchange between two parties such as contract signing [1,2], digital exchange [3], certified mail [4,5,6], etc. It is widely accepted that at the end of the exchange protocol, both parties have either received their expected items or none of them have received anything. There are two types of fair exchange protocols, namely, protocols that involve the arbitrator and protocols that do not involve the arbitrator [7]. Protocol that involve an arbitrator can be further divided into three types, namely, inline arbitrator protocol [8,9], online arbitrator protocol [10,11], and offline arbitrator protocol [12,13,14]. In 1997, the offline arbitrator protocol, which is also known as optimistic fair exchange (OFE) protocol, was introduced by Asokan et al. [12] to overcome the disadvantage of the inline and online arbitrator protocols, where the arbitrator is required to always remain online. At the same time, both parties can never exchange a secret message in a fair manner without leaking some information to the arbitrator. In OFE protocol, the arbitrator always remains offline and is called for resolution if and only if any dispute happens (e.g., one of the parties is cheating or the communication channel is interrupted). Asokan et al.’s OFE protocol was later broken and formally redefined by Dodis and Reyzin [13].

For the rest of the paper, the notion of fair exchange protocol is generally referred to as fair exchange protocol for digital data. Figure 1 illustrates the OFE protocol. At first, the signer generates a message and partial signature pair $(m,{\sigma }_p^s)$ and sends to the verifier. The verifier then checks the validity of $(m,{\sigma }_p^s)$ and returns $(m,{\sigma }^v)$ to the signer. If everything goes well, the signer will reply $(m,{\sigma }^s)$ to the verifier, and the protocol ends. However, if a dispute happens where the verifier sent $(m,{\sigma }^v)$ to the signer, but the signer did not reply $(m,{\sigma }^s)$ back to the verifier, the verifier can contact the arbitrator to resolve the issue. Figure 2 illustrates the resolution protocol. During the resolution, the verifier first sends $(m,{\sigma }_p^s)$ and $(m,{\sigma }^v)$ to the arbitrator. Once the arbitrator verifies the validity, the arbitrator resolves $(m,{\sigma }_p^s)$ into $(m,{\sigma }^s)$ and returns back to the verifier.

As the partial signature ${\sigma }_p$ is publicly verifiable and non-repudiable, ${\sigma }_p$ may not be completely useless to the verifier as ${\sigma }_p$ evidently represents the signer’s commitment. In this case, an unfair situation may occur for the signer if the verifier does not send out the full signature $\sigma$. Suppose that Bob received Alice’s ${\sigma }_p$ as an offer, Bob may show ${\sigma }_p$ to Alice’s competitor, and ask for a better offer. If there is a better offer, then Bob may stop running the protocol with Alice which indicates that he is not willing to negotiate, and instead Bob carries out a new run with a better dealer. Bob can repeat the same steps until the best dealer is found. This is undesirable since a fair negotiation is expected. Therefore, the notion of ambiguous optimistic fair exchange (AOFE) was proposed by Huang et al. [15] to solve the unfair situation above. In AOFE protocol, ${\sigma }_p$ is non-transferable. More precisely, Bob has the ability to issue partial signatures that are computationally indistinguishable from those issued by Alice. Hence, the verifier will not be able to use the signer’s ${\sigma }_p$ as evidence of the signer being involved in the exchange protocol.

Although AOFE protocol has managed to solve the issue of the verifier in getting a better offer, in some cases, the parties involved in the exchange should remain anonymous before the exchange has been done. For example, in the event that Apple engages Intel to sign a contract that terminates their agreement. This information can be very valuable to third parties such as stockbrokers or other companies.

In order to overcome the above issue, the notion of perfect ambiguous optimistic fair exchange (PAOFE) was proposed by Wang et al. [16]. PAOFE was constructed by combining AOFE and public key encryption (PKE). It guarantees that ${\sigma }_p$ leaks no information about the signer nor the verifier. Although the privacy of the involved parties is protected in a normal run of the PAOFE protocol, the arbitrator can actually gain knowledge while the dispute occurs, when the arbitrator is requested to resolve it. It is very undesirable that in some sensitive applications such as contract signing, where information leakage is not desired at all, the arbitrator is requested to resolve the dispute. Hence, the notion of privacy-preserving optimistic fair exchange ($P^2$OFE) was proposed by Huang et al. [17] where ${\sigma }_p$ does not leak any information about the signer and the verifier even after the resolution has been executed by the arbitrator. Later, a generic framework for $P^2$OFE protocols was proposed by Guo et al. [18] using tag-based public key encryption, ordinary signature, and one-time signature scheme.

Based on the above reviews from the notion of ordinary OFE to $P^2$OFE, it shows that $\sigma$ can be classified into two types, namely, the actual signature generated by the signer and the resolved signature generated by the arbitrator. An OFE protocol should possess the resolution ambiguity where the actual signature and resolved signature are both computational indistinguishable. However, there is actually a threat that the arbitrator can perform resolution without having any valid proof checking, or the arbitrator might be corrupted by the verifier. Hence, the notion of accountable OFE was proposed by Huang et al. [19] to identify who is the one responsible for $\sigma$, and thus it forces the arbitrator and the signer to behave honestly in generating $\sigma$.

1.1. Motivation

In cryptography, a scheme is said to be provably secure if breaking the scheme is as hard as breaking the polynomial time hard problem. If the scheme is provably secure using only mathematical hard problems, it is said to be provably secure in the standard model. As the standard model is hard to be achieved, the random oracle model was later introduced by Bellare and Rogaway [20]. An idealistic hash function is used in the random oracle model where the hash function can return any uniformly random value for any input. However, the random oracle model is not preferable during the security proof of a scheme due to the nature of the random oracle being a black-box function.

The first generic framework for accountable OFE protocol in the random oracle model was introduced by Huang et al. [19] where the partial signature is an ordinary signature, and the full signature consists of a partial signature, a random salt, and an undeniable signature along with an $OR$-signature. It possesses resolution ambiguity due to the anonymity of undeniable signature scheme and the witness indistinguishability of $OR$-signature. In order to construct the $OR$-signature in their generic framework, one must use the private key of undeniable signature scheme to generate a signature based on proofs of knowledge (SPK) [21]. Due to the property of SPK, one can generate a proof to either claim or deny an undeniable signature during the stage of revealing the original signer in an accountable OFE protocol. A SPK can be constructed by applying the Fiat-Shamir heuristic [22] to a proof of knowledge where it is a zero-knowledge protocol that allows the signer to convince the verifier that he knows a secret without leaking it [23]. It is known that a SPK that transformed by applying Fiat-Shamir heuristic is secure in the random oracle model [22].

Ganjavi et al. [24] then proposed the first provably secure generic framework for accountable OFE protocol in the standard model. In their generic framework, the partial signature is also an ordinary signature, and the full signature consists of a partial signature and a traceable ring signature. The notion of traceable ring signature was proposed by Fujisaki and Suzuki [25]. It is a variant of ring signature having the additional property to restrict the anonymity of the signer. It possesses two additional security properties, namely, traceability and exculpability. Traceability ensures that the identity of the signer can be traced as long as the signer signs two different messages with respect to the same tag, whereas exculpability ensures that the signer cannot be accused of signing twice with respect to the same tag. However, to the best of our knowledge, there are very few traceable ring signature schemes [25,26,27,28] which can be adopted in the construction of accountable OFE protocol following Ganjavi et al.’s proposed generic framework. Hence, it is desirable if there exists another generic framework which is provably secure in the standard model.

1.2. Contribution

In this paper, we present a full version of our recent work [29], proposing another generic framework for accountable OFE protocol. As shown in

Table 1. A comparison of the Generic Frameworks for Accountable optimistic fair exchange (OFE) Protocol.

Generic Framework	Partial Signature ${\mathit{\sigma }}_{\mathit{p}}$	Full Signature $\mathit{\sigma }$	Proof $\mathit{\pi }$	Standard Model	Random Oracle Model
Huang et al. [19]	OS	${\sigma }_p$,US,	SPK	×	√
		r, $OR$-Signature
Ganjavi et al. [24]	OS	${\sigma }_p$, TRS	TRS	√	√
Proposed	OS	${\sigma }_p$, CUS, RS	token	√	√

r: Random salt; OS: Ordinary signature; US: Undeniable signature; RS: Ring signature; CUS: Convertible undeniable signature; TRS: Traceable ring signature; SPK: Signature based on proofs of knowledge.

, the partial signature in our newly proposed generic framework is also an ordinary signature, and the full signature is an intermediate solution between Huang et al. and Ganjavi et al.’s generic frameworks, where it consists of a partial signature, a convertible undeniable signature, and a ring signature. There are two types of convertible undeniable signature scheme, namely, selectively convertible and universally convertible. Our generic framework requires the former which allows the signer to convert only a specific undeniable signature into a universally verifiable one. We show that the proposed generic framework is secure in the standard model under multi-user setting and chosen-key model as long as the underlying schemes satisfy certain security properties. We then exhibit an efficient pairing-based accountable OFE protocol with short signature as a concrete example following our proposed generic framework. Similar to Ganjavi et al.’s approach, we aim to construct an efficient accountable OFE protocol. We select the short signature scheme proposed by Boneh et al. [30] as the ordinary signature scheme with the combination of convertible undeniable signature scheme proposed by Li et al. [31] and ring signature scheme proposed by Shim [32], we manage to obtain an efficient pairing-based accountable OFE protocol with short signature. More specifically, the public and private key pair from Li et al.’s convertible undeniable signature scheme can be shared with Boneh et al.’s short signature scheme and Shim’s ring signature scheme, though the derived protocol is only provably secure in the random oracle model.

1.3. Organisation of the Paper

The organisation of the paper is as follows. In Section 2, we recall the formal definitions and security models of accountable OFE protocol in the multi-user setting and chosen-key model. In Section 3, we provide a brief review on the notion of bilinear pairings. We also recall the definitions and security models of ordinary signature, convertible undeniable signature, and ring signature scheme which are served as the underlying building blocks for the proposed generic framework. In Section 4, we propose a new generic framework for accountable OFE protocol and provide its security analysis in the standard model. In Section 5, we provide an instantiation of an efficient pairing-based accountable OFE protocol with short signature. Finally, we conclude this paper in Section 6.

2. Definitions and Security Models of Accountable Optimistic Fair Exchange Protocol

In this section, we recall the formal definitions and security models of accountable OFE protocol in the muilti-user setting and chosen-key model which formalised by Huang et al. [19]. The security model of OFE protocol is setup-driven if the initial key registration needs to be done between the signer and the arbitrator, and the model is setup-free if that is not required. Since most of the existing exchange protocols consider more than one signer in the system, an OFE protocol should be applicable to multi-user setting, but items are exchanged between one signer and one verifier. More precisely, a multi-user setting OFE protocol consists of many signers and many verifiers along with only one arbitrator [33]. As previous works only considered the certified-key model, Huang et al. [14] then proposed a secure OFE protocol in the multi-user setting and chosen-key model. In contrast to the certified-key model, the adversary in chosen-key model is able to make queries with respect to the public key even without showing the knowledge of the private key.

2.1. Accountable OFE Protocol

An accountable OFE protocol consists of the following algorithms:

• $\mathit{PMGen}$: On input a security parameter $1^k$, it outputs a public parameter $PM$.
• ${\mathit{Setup}}^{\mathit{A}}$: On input $PM$, it generates an arbitrator’s public and private key pair ($APK,ASK$).
• ${\mathit{Setup}}^{\mathit{U}}$: On input $PM$, it generates a user’s public and private key pair ($UP{K}_i,US{K}_i$).
• $\mathit{PSign}$: On input a message m and $(US{K}_i,APK$), it generates a partial signature ${\sigma }_p$.
• $\mathit{PVer}$: On input ($m,{\sigma }_p,UP{K}_i,APK$), it validates ($m,{\sigma }_p$) and outputs $“1”$ if ${\sigma }_p$ is valid on $UP{K}_i$ or $“0”$ otherwise.
• $\mathit{Sign}$: On input ($m,{\sigma }_p,US{K}_i,APK$), it generates a full signature $\sigma$.
• $\mathit{Ver}$: On input ($m,\sigma ,UP{K}_i,APK$), it validates ($m,\sigma$) under ($UP{K}_i,APK$) and outputs $“1”$ if $\sigma$ is valid or $“0”$ otherwise.
• $\mathit{Res}$: On input ($m,{\sigma }_p,ASK,UP{K}_i$), it resolves ${\sigma }_p$ by first checking its validity. If ${\sigma }_p$ is valid on $UP{K}_i$, it generates a full signature $\sigma$ or outputs $“\perp ”$ otherwise.
• ${\mathit{Prove}}^{\mathit{A}}$: On input ($m,\sigma ,UP{K}_i,APK,ASK$), it generates an arbitrator proof ${\pi }^A$ that can claim or deny whether $\sigma$ was generated by using $APK$.
• ${\mathit{Prove}}^{\mathit{U}}$: On input ($m,\sigma ,UP{K}_i,APK,US{K}_i$), it generates a user proof ${\pi }^U$ that can claim or deny whether $\sigma$ was generated by using $UP{K}_i$.
• $\mathit{Open}$: On input ($m,\sigma ,UP{K}_i,APK,\pi$), it first validates $(m,\sigma )$ under $(UP{K}_i,APK)$. It then outputs $“UP{K}_i”$ if $\pi$ can prove $\sigma$ is generated by the algorithm $\mathit{Sign}$ or $“APK”$ if $\sigma$ is generated by the algorithm $\mathit{Res}$. Otherwise, it outputs $“\perp ”$ which indicates $\pi$ is invalid and it cannot be opened.

Correctness: The following algorithms will always output “1" if $\sigma$ is generated correctly. If $\sigma$ is a valid on $(UP{K}_i,APK)$ and $\pi$ is generated correctly, the algorithm $Open$ will always output either $“UP{K}_i”$ or $“APK”$.

$$\begin{array}{cc}\hfill -& \mathit{PVer}(m,\mathit{PSign}(m,US{K}_i,APK),UP{K}_i,APK)=“1”\hfill \\ \hfill -& \mathit{Ver}(m,\mathit{Sign}(m,\mathit{PSign}(m,US{K}_i,APK),US{K}_i,APK),UP{K}_i,APK)=“1”\hfill \\ \hfill -& \mathit{Ver}(m,\mathit{Res}(m,PSign(m,US{K}_i,APK),UP{K}_i,ASK),UP{K}_i,APK)=“1”\hfill \\ \hfill -& \mathit{Open}(m,\sigma ,UP{K}_i,APK,{\mathit{Prove}}^{\mathit{A}}(m,\sigma ,UP{K}_i,APK,ASK))=“UP{K}_i”or“APK”\hfill \\ \hfill -& \mathit{Open}(m,\sigma ,UP{K}_i,APK,{\mathit{Prove}}^{\mathit{U}}(m,\sigma ,UP{K}_i,APK,US{K}_i))=“UP{K}_i”or“APK”\hfill \end{array}$$

2.2. Accessible Oracles

The following oracles are all the accessible oracles that define for an adversary $\mathcal{A}$ in the accountable OFE protocol.

• Partial Sign Oracle ${\mathcal{O}}_{PSign}$: On input $(m,UP{K}_i)$, it runs $\mathit{PSign}(m,US{K}_i,APK)\to {\sigma }_p$ and returns ${\sigma }_p$ as a partial signature.
• Full Sign Oracle ${\mathcal{O}}_{Sign}$: On input $(m,{\sigma }_p,UP{K}_i)$, it runs $\mathit{Sign}(m,{\sigma }_p,US{K}_i,APK)\to \sigma$ and returns $\sigma$ as a full signature.
• Resolution Oracle ${\mathcal{O}}_{Res}$: On input $(m,{\sigma }_p,UP{K}_i)$, it runs $\mathit{Res}(m,{\sigma }_p,ASK,UP{K}_i)\to \sigma$ and returns $\sigma$ as a resolved signature.
• Arbitrator Prove Oracle ${\mathcal{O}}_{Prov{e}^A}$: On input $(m,\sigma )$ under $(UP{K}_i,APK)$, it runs ${\mathit{Prove}}^{\mathit{A}}(m,\sigma ,UP{K}_i,APK,ASK)\to {\pi }^A$ and returns ${\pi }^A$ as an arbitrator proof.
• User Prove Oracle ${\mathcal{O}}_{Prov{e}^U}$: On input $(m,\sigma )$ under $(UP{K}_i,APK)$, it runs ${\mathit{Prove}}^{\mathit{U}}(m,\sigma ,UP{K}_i,APK,US{K}_i)\to {\pi }^U$ and returns ${\pi }^U$ as a user proof.

2.3. Security Properties

An accountable OFE protocol possesses resolution ambiguity, accountability, security against signers, security against verifiers, and security against arbitrator. Its security models in the multi-user setting and chosen-key model are defined as the game between a probabilistic polynomial time (PPT) adversary $\mathcal{A}$ and a challenger $\mathcal{C}$.

2.3.1. Resolution Ambiguity

A full signature $\sigma$ generated by the signer or resolved by the arbitrator should be computationally indistinguishable. Note that this security model is referred from the transparent third party property as defined by [19].

• Phase 1: $\mathcal{C}$ runs $\mathit{PMGen}(1^k)\to PM$ and ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$. $\mathcal{C}$ then passes $APK$ to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ can make queries to all oracles defined in Section 2.2. At the end, $\mathcal{A}$ outputs a challenge message and partial signature pair $(\widehat{m},{\widehat{\sigma }}_p)$ with the restriction that $\mathit{PVer}(\widehat{m},{\widehat{\sigma }}_p,UP{K}_i,APK)=1$.
• Phase 3: $\mathcal{C}$ picks a random bit $b\in \{0,1\}$ and generates a challenge signature $\widehat{\sigma }$. If $b=0$, $\widehat{\sigma }=\mathit{Sign}(\widehat{m},{\widehat{\sigma }}_p,US{K}_i,APK)$. Otherwise, $\widehat{\sigma }=\mathit{Res}(\widehat{m},{\widehat{\sigma }}_p,ASK,UP{K}_i)$.
• Phase 4: Once $\mathcal{A}$ receives $\widehat{\sigma }$, $\mathcal{A}$ can still continue to make queries to all oracles with the restriction that $(\widehat{m},\widehat{\sigma })$ has never been queries to ${\mathcal{O}}_{Prov{e}^A}$ or ${\mathcal{O}}_{Prov{e}^U}$. At the end, $\mathcal{A}$ outputs the guess $b^{\prime }$. $\mathcal{A}$ wins the game if $b^{\prime }=b$.

Definition 1.

An OFE protocol is $(t,q_{PSign},q_{Sign},q_{Res},q_{Prov{e}^A},q_{Prov{e}^U},\epsilon )$-resolution ambiguous if no PPT $\mathcal{A}$ can have success probability more than $\epsilon +\frac{1}{2}$ in its game with at most $q_{PSign}$ queries to ${\mathcal{O}}_{PSign}$, $q_{Sign}$ queries to ${\mathcal{O}}_{Sign}$, $q_{Res}$ queries to ${\mathcal{O}}_{Res}$, $q_{Prov{e}^A}$ queries to ${\mathcal{O}}_{Prov{e}^A}$, and $q_{Prov{e}^U}$ queries to ${\mathcal{O}}_{Prov{e}^U}$ in time t.

2.3.2. Accountability

An OFE protocol possesses accountability if it satisfies three types of accountability as follows [19]:

• Type I: It is impossible for a dishonest signer to produce a full signature $\sigma$ that can be proven as an output of the algorithm $\mathit{Res}$.

  -

  Phase 1: $\mathcal{C}$ runs $\mathit{PMGen}(1^k)\to PM$ and ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$. $\mathcal{C}$ then passes $APK$ to $\mathcal{A}$.

  -

  Phase 2: $\mathcal{A}$ can make queries to all oracles defined in Section 2.2. At the end, $\mathcal{A}$ chooses a challenge user’s public key $\widehat{UPK}$ and passes it to $\mathcal{C}$.

  -

  Phase 3: $\mathcal{A}$ continues to make queries to ${\mathcal{O}}_{Res}$ and ${\mathcal{O}}_{Prov{e}^A}$ only as $\mathcal{C}$ does not know $\widehat{USK}$.

  -

  Phase 4: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma })$ that is valid on $(\widehat{UPK},APK)$ and a proof $\widehat{\pi }$ with the restriction that $\widehat{\sigma }$ is not generated from ${\mathcal{O}}_{Res}$. $\mathcal{A}$ wins the game if $\mathit{Open}(\widehat{m},\widehat{\sigma },\widehat{UPK},APK,\widehat{\pi })=“APK”.$

  Definition 2.

  An OFE protocol is $(t,q_{PSign},q_{Sign},q_{Res},q_{Prov{e}^A},q_{Prov{e}^U},\epsilon )$-type I accountable if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most $q_{PSign}$ queries to ${\mathcal{O}}_{PSign}$, $q_{Sign}$ queries to ${\mathcal{O}}_{Sign}$, $q_{Res}$ queries to ${\mathcal{O}}_{Res}$, $q_{Prov{e}^A}$ queries to ${\mathcal{O}}_{Prov{e}^A}$, and $q_{Prov{e}^U}$ queries to ${\mathcal{O}}_{Prov{e}^U}$ in time t.
• Type II: It is impossible for a dishonest arbitrator to resolve a full signature $\sigma$ that can be proven as an output of the algorithm $\mathit{Sign}$.

  -

  Phase 1: $\mathcal{A}$ chooses a challenge arbitrator’s public key $\widehat{APK}$ and passes it to $\mathcal{C}$.

  -

  Phase 2: $\mathcal{A}$ can make queries to all oracles defined in Section 2.2 except ${\mathcal{O}}_{Res}$ and ${\mathcal{O}}_{Prov{e}^A}$ due to $\mathcal{C}$ does not have the knowledge of $\widehat{ASK}$.

  -

  Phase 3: $\mathcal{A}$ outputs a valid $(\widehat{m},\widehat{\sigma })$ on $(UP{K}_i,\widehat{APK})$ and a proof $\widehat{\pi }$ with the restriction that $\widehat{\sigma }$ is not generated from ${\mathcal{O}}_{Sign}$. $\mathcal{A}$ wins the game if and only if $\mathit{Open}(\widehat{m},\widehat{\sigma },UP{K}_i,\widehat{APK},\widehat{\pi })=“UP{K}_i”.$

  Definition 3.

  An OFE protocol is $(t,q_{PSign},q_{Sign},q_{Prov{e}^U},\epsilon )$-type II accountable if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most $q_{PSign}$ queries to ${\mathcal{O}}_{PSign}$, $q_{Sign}$ queries to ${\mathcal{O}}_{Sign}$, and $q_{Prov{e}^U}$ queries to ${\mathcal{O}}_{Prov{e}^U}$ in time t.
• Type III: It is impossible for the signer and the arbitrator to both claim or deny a valid full signature $\sigma$.

  -

  Phase 1: $\mathcal{C}$ runs $\mathit{PMGen}(1^k)\to PM$. $\mathcal{A}$ is then given $PM$ to run both ${\mathit{Setup}}^{\mathit{U}}(PM)\to (\widehat{UPK},\widehat{USK})$ and ${\mathit{Setup}}^{\mathit{A}}(PM)\to (\widehat{APK},\widehat{ASK})$.

  -

  Phase 2: $\mathcal{A}$ outputs a valid $(\widehat{m},\widehat{\sigma })$ on $(\widehat{UPK},\widehat{APK})$ and two proofs $({\widehat{\pi }}^U,{\widehat{\pi }}^A)$. $\mathcal{A}$ wins the game if and only if either one of the following statements holds:

  • $\widehat{\sigma }$ is both claimed by the signer and the arbitrator. Such that
    $\mathit{Open}(\widehat{m},\widehat{\sigma },\widehat{UPK},\widehat{APK},{\widehat{\pi }}^U)\to \widehat{UPK}\wedge$
    $\mathit{Open}(\widehat{m},\widehat{\sigma },\widehat{UPK},\widehat{APK},{\widehat{\pi }}^A)\to \widehat{APK}$
  • $\widehat{\sigma }$ is both denied by the signer and the arbitrator. Such that
    $\mathit{Open}(\widehat{m},\widehat{\sigma },\widehat{UPK},\widehat{APK},{\widehat{\pi }}^U)\to \widehat{APK}\wedge$
    $\mathit{Open}(\widehat{m},\widehat{\sigma },\widehat{UPK},\widehat{APK},{\widehat{\pi }}^A)\to \widehat{UPK}$

  Definition 4.

  An OFE is $(t,\epsilon )$-type III accountable if no PPT $\mathcal{A}$ can have success probability more than ε in its game in time t.

2.3.3. Security against Signers

It is impossible for a dishonest signer to produce a valid partial signature ${\sigma }_p$ which cannot be resolved by the arbitrator using $\mathit{Res}$ [24].

• Phase 1: $\mathcal{C}$ runs ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$ and passes $APK$ to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ can make queries to ${\mathcal{O}}_{Res}$.
• Phase 3: $\mathcal{A}$ outputs a challenge message and partial signature pair $(\widehat{m},{\widehat{\sigma }}_p)$ on $UP{K}_i$. $\mathcal{A}$ wins the game if $\mathit{PVer}(\widehat{m},{\widehat{\sigma }}_p,\widehat{UPK},APK)=1 \wedge$ $\mathit{Ver}(\widehat{m},\mathit{Res}(\widehat{m},{\widehat{\sigma }}_p,ASK,\widehat{UPK}),\widehat{UPK},APK)=0$.

Definition 5.

An OFE protocol is $(t,q_{Res},\epsilon )$-secure against signers if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most $q_{Res}$ queries to ${\mathcal{O}}_{Res}$ in time t.

2.3.4. Security against Verifiers

It is impossible for a dishonest verifier to produce a valid full signature $\sigma$ without the assistance from the signer or the arbitrator. The security model is referred from [24]. Note that we allow $\mathcal{A}$ to access ${\mathcal{O}}_{Sign}$ as we want to simulate the scenario that a dishonest verifier can forge a full signature on either the signer or the arbitrator.

• Phase 1: $\mathcal{C}$ first runs $\mathit{PMGen}(1^k)\to PM$ and both ${\mathit{Setup}}^{\mathit{U}}(PM)\to (UP{K}_i,US{K}_i)$ and ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$. $\mathcal{A}$ is then given $(UP{K}_i,APK)$.
• Phase 2: $\mathcal{A}$ can make queries to ${\mathcal{O}}_{PSign}$, ${\mathcal{O}}_{Sign}$, and ${\mathcal{O}}_{Res}$.
• Phase 3: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma })$ on $(UP{K}_i,APK)$ with the restriction that $\widehat{\sigma }$ is not generated from ${\mathcal{O}}_{Sign}$ or ${\mathcal{O}}_{Res}$. $\mathcal{A}$ wins the game if $\mathit{Ver}(\widehat{m},\widehat{\sigma },UP{K}_i,APK)=1$.

Definition 6.

An OFE protocol is $(t,q_{PSign},q_{Sign},q_{Res},\epsilon )$-secure against verifiers if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most $q_{PSign}$ queries to ${\mathcal{O}}_{PSign}$, $q_{Sign}$ queries to ${\mathcal{O}}_{Sign}$, and $q_{Res}$ queries to ${\mathcal{O}}_{Res}$ in time t.

2.3.5. Security against Arbitrator

It is impossible for a dishonest arbitrator to produce a valid $\sigma$ without having the corresponding ${\sigma }_p$ from the signer [24].

• Phase 1: $\mathcal{C}$ runs $\mathit{PMGen}(1^k)\to PM$ and passes to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ runs ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$ and sends $APK$ to $\mathcal{C}$.
• Phase 3: $\mathcal{A}$ can make queries to ${\mathcal{O}}_{PSign}$.
• Phase 4: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma })$ on $(UP{K}_i,APK)$ with the restriction that $(\widehat{m},UP{K}_i)$ has not been a query to ${\mathcal{O}}_{PSign}$. $\mathcal{A}$ wins the game if $\mathit{Ver}(\widehat{m},\widehat{\sigma },UP{K}_i,APK)=1$.

Definition 7.

An OFE protocol is $(t,q_{PSign},\epsilon )$-secure against arbitrator if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most $q_{PSign}$ queries to ${\mathcal{O}}_{PSign}$ in time t.

2.3.6. Security in the Multi-User Setting and Chosen-Key Model

A secure OFE protocol in the multi-user setting and chosen-key model should satisfy the following properties, namely, security against signers, security against verifiers, and security against arbitrator as defined in Section 2.3.3, Section 2.3.4 and Section 2.3.5 respectively [33,34].

Definition 8.

An accountable OFE protocol is secure in the multi-user setting and chosen-key model if it is accountable, secure against signers, secure against verifiers, and secure against arbitrator.

3. Preliminaries

In this section, we first provide a brief review on the notion of bilinear pairings. We then review some variants of digital signature scheme such as ordinary signature, convertible undeniable signature, and ring signature scheme. We also review their respective security models.

3.1. Bilinear Pairings

Let ${\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T$ be cyclic groups of prime order p and two generators $g_1\in {\mathbb{G}}_1$ and $g_2\in {\mathbb{G}}_2$. The map $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ is a bilinear map which satisfies the following properties [35]:

• Bilinearity: for all $g_1\in {\mathbb{G}}_1$, $g_2\in {\mathbb{G}}_2$, and $(a,b)\in {\mathbb{Z}}_p$, we have $\widehat{e}(g_1^a,g_2^b)=\widehat{e}{(g_1,g_2)}^{ab}$.
• Non-degeneracy: if $(g_1,g_2)$ is a generator of ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$, then $\widehat{e}(g_1,g_2)$ is a generator of ${\mathbb{G}}_T$, which also implies $\widehat{e}(g_1,g_2)\ne 1$.
• Computability: there exists an efficient algorithm to compute $\widehat{e}(g_1,g_2)$ for all $g_1\in {\mathbb{G}}_1$ and $g_2\in {\mathbb{G}}_2$.

3.2. Ordinary Signature Scheme

Ordinary signature is a publicly verifiable digital signature. The message and signature pair can be verified as long as the signer’s public key is known. It was formalised by Goldwasser et al. [36] with the following three algorithms:

• $\mathit{KeyGen}$: On input security parameter $1^k$, it outputs a public and private key pair $(pk,sk)$.
• $\mathit{Sign}$: On input a message and private key $(m,sk)$, it outputs an ordinary signature ${\sigma }^{os}$.
• $\mathit{Verify}$: On input $(m,{\sigma }^{os},pk)$, it outputs $“1”$ if ${\sigma }^{os}$ is valid and outputs $“0”$ otherwise.

Correctness. Every ordinary signature generated in a correct way is always accepted to be a valid signature, such that $\mathit{Verify}(m,Sign(m,sk),pk)\to “1”$.

Unforgeability

Unforgeability ensures that there is no computational way to forge a valid ordinary signature on the public key $pk$. Its security model is defined as the following game between a probabilistic polynomial time (PPT) adversary $\mathcal{A}$ and a challenge $\mathcal{C}$ [36].

• Setup: $\mathcal{C}$ runs $\mathit{KeyGen}(1^k)\to (pk,sk)$, then $\mathcal{A}$ is given $pk$.
• Queries: $\mathcal{A}$ can query the Sign Oracle ${\mathcal{O}}_S$: On input a message m, it outputs a signature ${\sigma }^{os}$ that is valid on $pk$.
• Output: At the end, $\mathcal{A}$ is required to output a challenge message and signature pair $(\widehat{m},{\widehat{\sigma }}^{os})$ that is valid on $pk$, with the restriction that $\widehat{m}$ has not been a query to ${\mathcal{O}}_S$ before.

Definition 9.

An ordinary signature scheme is $(t,q_S,\epsilon )$-existential unforgeable against chosen message attack (EUF-CMA) if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most $q_S$ queries to ${\mathcal{O}}_S$ in time t.

3.3. Convertible Undeniable Signature

An undeniable signature is a special featured digital signature proposed by Chaum and van Antwerpen [37] which is only verifiable with the help of the signer. Unlike ordinary digital signature, undeniable signature has a distinctive feature, i.e., without the help of the signer, the verifier will not be able to verify the validity of the undeniable signature. The notion of convertible undeniable signature was proposed by Boyar et al. [38] which is an extension of undeniable signature that allows the signer to transform an undeniable signature into a universally verifiable ordinary digital signature. There are two types of convertible undeniable signature, namely, selectively convertible and universally convertible. The selectively convertible undeniable signature allows the signer to convert only a specific undeniable signature into a universally verifiable one by releasing a token, and the universally convertible undeniable signature allows the signer to release a universal token that can publicly verify every undeniable signature. A convertible undeniable signature scheme has the following algorithms:

• $\mathit{KeyGen}$: On input a security parameter, $1^k$, outputs a signer public and private key pair ($pk,sk$).
• $\mathit{Sign}$: On input a message and a signer private key, $(m,sk)$, outputs an undeniable signature ${\sigma }^{us}$.
• $\mathit{Confirmation}/\mathit{Disavowal}\mathit{Protocol}$: An interactive protocol that runs between the signer and the verifier on common input $(pk,m,{\sigma }^{us})$. The signer uses $sk$ to check the validity of ${\sigma }^{us}$, the output is a non-transferable proof $(“Accept”/“Deny”)$ that shows ${\sigma }^{us}$ is valid/invalid on $(m,pk)$.
• $\mathit{SConvert}$: On input $(sk,m,{\sigma }^{us})$, it computes a selective token ${\pi }^S$ which can be used to publicly verify $(m,{\sigma }^{us})$ on $pk$.
• $\mathit{SVerify}$: On input $(pk,m,{\sigma }^{us},{\pi }^S)$, it outputs $“\perp ”$ if ${\pi }^S$ is an invalid token on $pk$. It outputs $“1”$ if $(m,{\sigma }^{us},pk)$ is a valid signature and outputs $“0”$ otherwise.

Completeness and Soundness. Completeness can be defined as a valid (invalid) signature that can always be proven valid (invalid) and Soundness can be defined as a valid (invalid) signature that cannot be proven as invalid (valid). The following two cases describe their definitions:

• If ${\sigma }^{us}$ is valid on $pk$, then
  • $\mathit{Confirmation}/\mathit{Disavowal}\mathit{Protocol}(m,{\sigma }^{us},pk,sk)\to “Accept”$
  • $\mathit{SVerify}(m,{\sigma }^{us},pk,\mathit{SConvert}(m,{\sigma }^{us},sk))\to “1”$
  • $\mathit{UVerify}(m,{\sigma }^{us},pk,\mathit{UConvert}(sk))\to “1”$
• Or else, if ${\sigma }^{us}$ is invalid on $pk$, then
  • $\mathit{Confirmation}/\mathit{Disavowal}\mathit{Protocol}(m,{\sigma }^{us},pk,sk)\to “Deny”$
  • $\mathit{SVerify}(m,{\sigma }^{us},pk,\mathit{SConvert}(m,{\sigma }^{us},sk))\to “0”$
  • $\mathit{UVerify}(m,{\sigma }^{us},pk,\mathit{UConvert}(sk))\to “0”$

3.3.1. Unforgeability

The same as in Section 3.2, it implies the inability to forge an undeniable signature. Its security model is defined as the following game between a PPT $\mathcal{A}$ and $\mathcal{C}$ in the undeniable signature setting.

• Setup: $\mathcal{C}$ runs $\mathit{KeyGen}(1^k)\to (pk,sk)$, then $\mathcal{A}$ is given $pk$.
• Queries: $\mathcal{A}$ is allowed to make queries to the following oracles:

  -

  Sign Oracle ${\mathcal{O}}_S$: On input a message m, it outputs an undeniable signature ${\sigma }^{us}$ that is valid on $pk$.

  -

  Confirmation/Disavowal Oracle ${\mathcal{O}}_{CD}$: On input any message and signature pair $(m,{\sigma }^{us})$, it runs the protocol with $\mathcal{A}$ and outputs a non-transferable proof to show the validity of ${\sigma }^{us}$.

  -

  (For convertible schemes only) SConvert Oracle ${\mathcal{O}}_{SC}$: On input a message and signature pair $(m,{\sigma }^{us})$, it outputs a selective token ${\pi }^S$.

• Output: At the end, $\mathcal{A}$ is required to output a challenge message and undeniable signature pair $(\widehat{m},{\widehat{\sigma }}^{us})$, with the restriction that $\widehat{m}$ has not been a query to ${\mathcal{O}}_S$. If the scheme is convertible, $pk$ must not have been queried to ${\mathcal{O}}_{UC}$. $\mathcal{A}$ wins the game if $(\widehat{m},{\widehat{\sigma }}^{us})$ is valid on $pk$.

Definition 10.

An undeniable signature, convertible undeniable signature, or designated confirmer signature scheme is $(t,q_S,q_{CD},q_{SC},q_{UC},\epsilon )$-EUF-CMA if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most $q_S$ queries to ${\mathcal{O}}_S$, $q_{CD}$ queries to ${\mathcal{O}}_{CD}$, $q_{SC}$ queries to ${\mathcal{O}}_{SC}$, and $q_{UC}$ queries to ${\mathcal{O}}_{UC}$ in time t.

3.3.2. Anonymity

The notion of anonymity was proposed by Galbraith and Mao [39]. This security property requires that given a valid message and signature pair and two possible signers’ public keys ($p{k}_0,p{k}_1$), there is no computational way to decide who the real signer is. Huang et al. [40] later further studied the anonymity in order to cover the convertible schemes. Its security model is defined as the following game between a PPT $\mathcal{A}$ and $\mathcal{C}$.

• Setup:$\mathcal{C}$ first runs $\mathit{KeyGen}(1^k)\to (s{k}_0,p{k}_0)$ and $\mathit{KeyGen}(1^k)\to (s{k}_1,p{k}_1)$ and sends $(p{k}_0,p{k}_1)$ to $\mathcal{A}$.
• Queries I: Same as in Section 3.3.1.
• Output I: At some point, $\mathcal{A}$ outputs a challenge message $\widehat{m}$ to request a challenge signature ${\widehat{\sigma }}^{us}$. If the scheme is deterministic, $\widehat{m}$ is restricted where it has not been submitted to ${\mathcal{O}}_S$ during Queries I. $\mathcal{C}$ responds by randomly choosing $b\in \{0,1\}$ and generates a challenge signature ${\widehat{\sigma }}^{us}={\mathit{Sign}}_{s{k}_b}(\widehat{m})$ that is valid on either $p{k}_0$ or $p{k}_1$.
• Queries II: Once $\mathcal{A}$ obtains ${\widehat{\sigma }}^{us}$, $\mathcal{A}$ can continue making queries to the accessible oracles as in Queries I. If the scheme is deterministic, $\widehat{m}$ is restricted to be submitted to ${\mathcal{O}}_S$. An additional restriction is added where any $(\widehat{m},·)$ in the equivalence class of $(\widehat{m},{\widehat{\sigma }}^{us})$ is not allowed to submit to ${\mathcal{O}}_{CD}$ (and ${\mathcal{O}}_{SC}$ if the scheme is convertible).
• Output II:$\mathcal{A}$ outputs a guess $b^{\prime }$ and wins the game if $b^{\prime }=b$.

Definition 11.

An undeniable signature, convertible undeniable signature, or designated confirmer signature scheme is $(t,q_S,q_{CD},q_{SC},q_{UC},\epsilon )$-anonymous if no PPT $\mathcal{A}$ can have success probability more than $\epsilon +\frac{1}{2}$ in its game with at most $q_S$ queries to ${\mathcal{O}}_S$, $q_{CD}$ queries to ${\mathcal{O}}_{CD}$, $q_{SC}$ queries to ${\mathcal{O}}_{SC}$, and $q_{UC}$ queries to ${\mathcal{O}}_{UC}$ in time t.

3.4. Ring Signature

Ring signature was introduced by Rivest et al. [41]. It is a group-oriented signature with the anonymity property where the signer can sign on behalf of a group of members, and the ring signature is publicly verifiable without revealing the actual signer. A ring signature scheme consists of the following three algorithms:

• $\mathit{KeyGen}$: On input $1^k$, it outputs a public and private key pair $(pk,sk)$.
• $\mathit{Sign}$: On input a message, a private key, and a list of public keys $(m,sk,P{K}_L)$ where $P{K}_L=(p{k}_1,\dots ,p{k}_n)$ with n members, it outputs a ring signature ${\sigma }^{rs}$.
• $\mathit{Verify}$: On input $(m,{\sigma }^{rs},P{K}_L)$, it outputs $“1”$ if ${\sigma }^{rs}$ is valid and output $“0”$ otherwise.

Correctness. Every ring signature that generated in a correct way can always be accepted with the equation $\mathit{Verify}(m,\mathit{Sign}(m,sk,P{K}_L),P{K}_L)=“1”$.

3.4.1. Unforgeability

This security property ensures that there is no computational way to forge a ring signature with only the knowledge of a list of public keys $P{K}_L=(p{k}_i,\dots ,p{k}_n)$ of n members. Its security model is defined as the following game between a PPT $\mathcal{A}$ and $\mathcal{C}$ [42].

• Setup: $\mathcal{C}$ runs $KeyGen(1^k)$ for n times to generate n public and private key pair $((p{k}_i,s{k}_i),\dots ,(p{k}_n,s{k}_n))$, where n is the number of members. $\mathcal{A}$ is given $P{K}_L=(p{k}_i,\dots ,p{k}_n)$.
• Queries: $\mathcal{A}$ can query the Sign Oracle ${\mathcal{O}}_{Sign}$: On input $(m,P{K}_L^{*},e)$, where $P{K}_L^{*}\in P{K}_L$ is a sub list of members within $P{K}_L$ and e is a selected member. It then runs $\mathit{Sign}(m,s{k}_e,P{K}_L^{*})$ to produce a ring signature ${\sigma }^{rs}$ to $\mathcal{A}$.
• Output: At the end, $\mathcal{A}$ is required to output a challenge message and ring signature pair $(\widehat{m},{\widehat{\sigma }}^{rs})$ on a challenge sub list of members ${\widehat{PK}}_L$ with the restriction that $\widehat{m}$ has not been a query to ${\mathcal{O}}_{Sign}$ before. $\mathcal{A}$ wins the game if $\mathit{Verify}(\widehat{m},{\widehat{\sigma }}^{rs},{\widehat{PK}}_L)=“1”$

Definition 12.

A ring signature scheme is $(t,q_S,\epsilon )$-existential unforgeable against chosen subring attack (EUF-CSA) if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most $q_S$ queries to ${\mathcal{O}}_S$ in time t.

3.4.2. Anonymity

The definition of anonymity for ring signature scheme can be phrased in either a computational or an unconditional sense [43]. This security property requires that given a valid $(m,{\sigma }^{rs})$ and two possible signers’ public keys ($p{k}_0,p{k}_1$), there is no computational way to decide who the real signer is.

• Setup: Same as in Section 3.4.1.
• Queries: Same as in Section 3.4.1.
• Output: At the end, $\mathcal{A}$ is required to output a challenge message and a sub list of members $(\widehat{m},{\widehat{PK}}_L)$ and two distinct indices $(e_0,e_1)\in \{1,\dots ,n\}$ such that $(p{k}_{e_0},p{k}_{e_1})\in {\widehat{PK}}_L$. $\mathcal{C}$ then chooses $b\in \{0,1\}$ randomly and computes a challenge ring signature ${\widehat{\sigma }}^{rs}=\mathit{Sign}(\widehat{m},s{k}_{e_b},{\widehat{PK}}_L)$. $\mathcal{A}$ is given ${\widehat{\sigma }}^{rs}$ and is required to output a guess $b^{\prime }$. $\mathcal{A}$ wins the game if $b^{\prime }=b$.

Definition 13.

A ring signature scheme is $(t,q_S,\epsilon )$-anonymous with respect to adversarially chosen keys if no PPT $\mathcal{A}$ can have success probability more than ε in its game with at most $q_S$ queries to ${\mathcal{O}}_S$ in time t.

4. Generic Transformation

4.1. Generic Framework

We propose a generic framework for accountable OFE protocol using ordinary signature, convertible undeniable signature, and ring signature scheme as the underlying building blocks. The partial signature is an ordinary signature, ${\sigma }_p={\sigma }^{os}$, and the full signature consists of a partial signature, a convertible undeniable signature, and a ring signature, $\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs})$. Let $\mathrm{OS}=(\mathit{KeyGen},\mathit{Sign},\mathit{Verify})$ be an ordinary signature scheme, $\mathrm{CUS}=(\mathit{KeyGen},\mathit{Sign},\mathit{Confirmation}/\mathit{Disavowal}\mathit{Protocol},\mathit{SConvert},\mathit{SVerify})$ be a convertible undeniable signature scheme, and $\mathrm{RS}=(\mathit{KeyGen},\mathit{Sign},\mathit{Verify})$ be a ring signature scheme. We need a hash function $H:{\{0,1\}}^{*}\to \mathcal{M}$, where $\mathcal{M}$ is the message space. An accountable OFE protocol consists of the following algorithms:

• $\mathit{PMGen}$: On input the security parameter $1^k$, it generates the public parameters $PM$ needed for the ordinary signature, convertible undeniable signature, and ring signature scheme.
• ${\mathit{Setup}}^{\mathit{A}}$: On input $PM$, it runs $\mathrm{CUS}.\mathit{KeyGen}(1^k)\to (ap{k}^{us},as{k}^{us})$ and $\mathrm{RS}.\mathit{KeyGen}(1^k)\to (ap{k}^{rs},as{k}^{rs})$ to compute an arbitrator public and private key pair $(APK,ASK)=((ap{k}^{us},ap{k}^{rs}),(as{k}^{us},as{k}^{rs}))$.
• ${\mathit{Setup}}^{\mathit{U}}$: On input $PM$, it runs $\mathrm{OS}.\mathit{KeyGen}(1^k)\to (p{k}_i^{os},s{k}_i^{os})$, $\mathrm{CUS}.\mathit{KeyGen}(1^k)\to (p{k}_i^{us},s{k}_i^{us})$, and $\mathrm{RS}.\mathit{KeyGen}(1^k)\to (p{k}_i^{rs},s{k}_i^{rs})$ to compute a user public and private key pair $(UP{K}_i,US{K}_i)=((p{k}_i^{os},p{k}_i^{us},p{k}_i^{rs}),(s{k}_i^{os},s{k}_i^{us},s{k}_i^{rs}))$.
• $\mathit{PSign}$: On input a message and a signer private key $(m,US{K}_i)$, it runs $\mathrm{OS}.Sign(m,s{k}_i^{os})\to {\sigma }^{os}$ and outputs a partial signature ${\sigma }_p={\sigma }^{os}$.
• $\mathit{PVer}$: On input $(m,{\sigma }_p,UP{K}_i)$, it can validate ${\sigma }_p$ by running $\mathrm{OS}.\mathit{Ver}(m,{\sigma }^{os},p{k}_i^{os})$. It outputs $“1”$ if ${\sigma }_p$ is valid and outputs $“0”$ otherwise.
• $\mathit{Sign}$: On input $(m,{\sigma }_p,US{K}_i,APK,UP{K}_i)$. Let $m^{\prime }=H(m,{\sigma }_p,UP{K}_i)$. It runs $\mathrm{CUS}.\mathit{Sign}(m^{\prime },s{k}_i^{us})\to {\sigma }^{us}$ and $\mathrm{RS}.\mathit{Sign}(H({\sigma }^{us}),s{k}_i^{rs},P{K}_L)\to {\sigma }^{rs}$, where $P{K}_L=(p{k}_i^{rs},ap{k}^{rs})$ and outputs a full signature $\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs})$.
• $\mathit{Ver}$: On input $(m,\sigma ,UP{K}_i,APK)$, it can verify $\sigma =({\sigma }_p={\sigma }^{os},{\sigma }^{us},{\sigma }^{rs})$ by running $\mathrm{OS}.\mathit{Verify}(m,{\sigma }^{os},p{k}_i^{os})$ and $\mathrm{RS}.\mathit{Verify}(H({\sigma }^{us}),{\sigma }^{rs},P{K}_L)$, where $P{K}_L=(p{k}_i^{rs},ap{k}^{rs})$. Therefore, if ${\sigma }_p$ and ${\sigma }^{rs}$ are valid, this algorithm outputs $“1”$ and $“0”$ otherwise.
• $\mathit{Res}$: On input $(m,{\sigma }_p,ASK,APK,UP{K}_i)$, it first checks the validity of ${\sigma }_p$ by running $\mathrm{OS}.\mathit{Verify}(m,{\sigma }^{os},p{k}_i^{os})$. It outputs $“\perp ”$ if ${\sigma }_p$ is invalid. Otherwise, it continues to compute $m^{\prime }=H(m,{\sigma }_p,UP{K}_i)$. It then runs $\mathrm{CUS}.\mathit{Sign}(m^{\prime },as{k}^{us})\to {\sigma }^{us}$ and $\mathrm{RS}.\mathit{Sign}(H({\sigma }^{us}),as{k}_i^{rs},P{K}_L)\to {\sigma }^{rs}$, where $P{K}_L=(p{k}_i^{rs},ap{k}^{rs})$ and outputs a full signature $\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs})$
• ${\mathit{Prove}}^{\mathit{A}}$: On input $(m,\sigma ,ASK,APK,UP{K}_i)$, it first runs $\mathit{Ver}(m,\sigma ,UP{K}_i,APK)$ to check its validity and continue if and only if it is valid. Then it computes $m^{\prime }=H(m,{\sigma }_p,UP{K}_i)$ and runs $\mathrm{CUS}.\mathit{SConvert}(m^{\prime },{\sigma }^{us},as{k}^{us})\to {\pi }^A$ and outputs a proof $\pi ={\pi }^A$. Otherwise, it outputs $“\perp ”$.
• ${\mathit{Prove}}^{\mathit{U}}$: On input $(m,\sigma ,US{K}_i,APK,UP{K}_i)$, it first runs $\mathit{Ver}(m,\sigma ,UP{K}_i,APK)$ to check its validity and continue if and only if it is valid. Then it computes $m^{\prime }=H(m,{\sigma }_p,UP{K}_i)$ and runs $\mathrm{CUS}.\mathit{SConvert}(m^{\prime },{\sigma }^{us},s{k}_i^{us})\to {\pi }^U$ and outputs a proof $\pi ={\pi }^U$. Otherwise, it outputs $“\perp ”$.
• $\mathit{Open}$: On input $(m,\sigma ,UP{K}_i,APK,\pi )$, it first runs $\mathit{Ver}(m,\sigma ,UP{K}_i,APK)$ to check its validity and continue if and only if it is valid. Otherwise, it outputs $“\perp ”$. It computes $m^{\prime }=H(m,{\sigma }_p,UP{K}_i)$ and parses $\pi$ in the following cases:

  -

  If $\pi ={\pi }^A$, it runs $\mathrm{CUS}.\mathit{Verify}(m^{\prime },{\sigma }^{us},{\pi }^A,ap{k}^{us})\to b\in \{0,1\}$. If $b=1$, it outputs $“APK”$ which indicates ${\sigma }^{us}$ is originally generated by the arbitrator using $as{k}^{us}$. Otherwise, it outputs $“UP{K}_i”$. If the output is $“\perp ”$, it means $\pi$ is invalid.

  -

  Else if $\pi ={\pi }^U$, it runs $\mathrm{CUS}.\mathit{Verify}(m^{\prime },{\sigma }^{us},{\pi }^U,p{k}_i^{us})\to b\in \{0,1\}$. If $b=1$, it outputs $“UP{K}_i”$ which indicates ${\sigma }^{us}$ is originally generated by the signer using $s{k}_i^{us}$. Otherwise, it outputs $“APK”$. If the output is $“\perp ”$, it means $\pi$ is invalid.

Correctness. The correctness of our generic framework follows the correctness of the underlying ordinary signature, convertible undeniable signature, and ring signature scheme.

4.2. Security Analysis

In this subsection, we provide the security analysis on our proposed framework. The proof approach for resolution ambiguity and accountability are inspired by Huang et al. [19], and the proof approach for security against signers, security against verifiers, and security against arbitrator are inspired by Ganjavi et al. [24].

4.2.1. Resolution Ambiguity

Lemma 1.

Our proposed generic framework is resolution ambiguity if the underlying convertible undeniable signature scheme and ring signature scheme satisfy anonymity.

Proof. 

As the full signature contains a partial signature, a convertible undeniable signature, and a ring signature $\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs})$, the resolution ambiguity follows the anonymity of the underlying convertible undeniable signature scheme and ring signature scheme. □

4.2.2. Type I Accountability

Lemma 2.

Our proposed generic framework is $(t,q_{PSign},q_{Sign},q_{Res},q_{Prov{e}^A},q_{Prov{e}^U},\epsilon )$-type I accountable if the underlying convertible undeniable signature scheme is $(t,q_{PSign},q_{Sign},q_{Res},q_{Prov{e}^A},q_{Prov{e}^U},\epsilon )$-EUF-CMA and complete and sound.

Proof. 

Let $\mathcal{A}$ be the PPT adversary which $(t,q_{PSign},q_{Sign},q_{Res},q_{Prov{e}^A},q_{Prov{e}^U},\epsilon )$-breaks the type I accountability, we build a PPT algorithm $\mathcal{D}$ which runs $\mathcal{A}$ as a subroutine and $(t,q_{PSign},q_{Sign},q_{Res},q_{Prov{e}^A},q_{Prov{e}^U},\epsilon )$-breaks the EUF-CMA and the completeness and soundness of the underlying convertible undeniable signature scheme with the success probability more than $\epsilon$ in its game with at most $q_{PSign}$ queries to ${\mathcal{O}}_{PSign}$, $q_{Sign}$ queries to ${\mathcal{O}}_{Sign}$, $q_{Res}$ queries to ${\mathcal{O}}_{Res}$, $q_{Prov{e}^A}$ queries to ${\mathcal{O}}_{Prov{e}^A}$, and $q_{Prov{e}^U}$ queries to ${\mathcal{O}}_{Prov{e}^U}$ in time t.

• Phase 1: On input $(p{k}_0^{us},p{k}_0^{rs})$ to $\mathcal{D}$, $\mathcal{D}$ sets $APK=(p{k}_0^{us},p{k}_0^{rs})$ and passes to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ can make queries to its accessible oracles defined in Section 2.2. At the end, $\mathcal{A}$ runs ${\mathit{Setup}}^{\mathit{U}}(PM)\to (UP{K}_i,US{K}_i)$ to generate users’ private and public key pairs. $\mathcal{A}$ then passes a challenge public key $\widehat{UPK}=(p{k}^{os},p{k}_1^{us},p{k}_1^{rs})$ to $\mathcal{D}$.
• Phase 3: $\mathcal{A}$ can make queries to the following oracles:

  -

  Resolution Oracle ${\mathcal{O}}_{Res}$: On input $(m,{\sigma }_p,\widehat{UPK})$, $\mathcal{D}$ requests ${\sigma }^{us}$ from convertible undeniable signature scheme’s ${\mathcal{O}}_S$ on input $(m^{\prime },p{k}_0^{us})$, where $m^{\prime }=H(m,{\sigma }_p,\widehat{UPK})$. $\mathcal{D}$ then requests ${\sigma }^{rs}$ from ring signature scheme’s ${\mathcal{O}}_S$ on input $(H({\sigma }^{us}),P{K}_L,e)$, where $P{K}_L=(p{k}_0^{rs},p{k}_1^{rs})$ and $e=1$ is the selected public key position in $P{K}_L$. Note that $({\sigma }^{us},{\sigma }^{rs})$ is generated with $(s{k}_0^{us},s{k}_0^{rs})$ respectively. Finally, $\mathcal{D}$ returns a signature $\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs})$ to $\mathcal{A}$.

  -

  Arbitrator Prove Oracle ${\mathcal{O}}_{Prov{e}^A}$: On input $(m,\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs}))$, $\mathcal{D}$ requests a selective token ${\pi }^S$ on $p{k}_0^{us}$ from convertible undeniable signature scheme’s ${\mathcal{O}}_{SC}$ on input $(m^{\prime },{\sigma }^{us})$, where $m^{\prime }=H(m,{\sigma }_p,\widehat{UPK})$. $\mathcal{D}$ then returns an arbitrator proof ${\pi }^A={\pi }^S$.

• Phase 4: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma })$ that is valid on $(\widehat{UPK},APK)$ and a proof $\widehat{\pi }$ with the restriction that $\widehat{\sigma }$ is not generated from ${\mathcal{O}}_{Res}$. Note that $\widehat{\pi }$ be can either ${\pi }^A$ by $p{k}_0^{us}$ or ${\pi }^U$ by $p{k}_1^{us}$.

Assume that $\mathcal{A}$ wins the game because $\mathit{Open}(\widehat{m},\widehat{\sigma },\widehat{UPK},APK,\pi )=“APK”$ and $\widehat{\sigma }$ is not generated from $\mathit{Res}$, there exist two possible cases:

• Case 1: ${\widehat{\sigma }}^{us}$ is generated by using $s{k}_0^{us}$, so $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},p{k}_0^{us},{\widehat{\pi }}^A)=“1”$ and $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},p{k}_1^{us},{\widehat{\pi }}^U)=“0”$ hold.
• Case 2: ${\widehat{\sigma }}^{us}$ is generated by using $s{k}_1^{us}$, but $\widehat{\pi }$ is not sound. Hence, $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},p{k}_0^{us},{\widehat{\pi }}^A)=“1”$ and $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},p{k}_1^{us},{\widehat{\pi }}^U)=“0”$.

Hence, if $\mathcal{D}$ takes $(\widehat{m},{\widehat{\sigma }}^{us},\widehat{\pi })$ as the output, $\mathcal{D}$ breaks the EUF-CMA of convertible undeniable signature scheme in Case 1 and breaks the completeness and soundness of the underlying convertible undeniable signature scheme in Case 2. This shows that there exists a PPT $\mathcal{D}$ which can either $(t,q_{PSign},q_{Sign},q_{Res},q_{Prov{e}^A},q_{Prov{e}^U},\epsilon )$-break the EUF-CMA or the completeness and soundness of the underlying convertible undeniable signature scheme if there exists $\mathcal{A}$ which can $(t,q_{PSign},q_{Sign},q_{Res},q_{Prov{e}^A},q_{Prov{e}^U},\epsilon )$-break the type I accountability. This contradicts the EUF-CMA and the completeness and soundness of the underlying convertible undeniable signature scheme, hence our OFE protocol is type I accountable. □

4.2.3. Type II Accountability

Lemma 3.

Our generic framework is $(t,q_{PSign},q_{Sign},q_{Prov{e}^U},\epsilon )$-type II accountable if the underlying convertible undeniable signature scheme is $(t,q_{PSign},q_{Sign},q_{Prov{e}^U},\epsilon )$-EUF-CMA and complete and sound.

Proof. 

Let $\mathcal{A}$ be the PPT adversary which $(t,q_{PSign},q_{Sign},q_{Prov{e}^U},\epsilon )$-breaks the type II accountability, we build a PPT algorithm $\mathcal{D}$ which runs $\mathcal{A}$ as a subroutine and $(t,q_{PSign},q_{Sign},q_{Prov{e}^U},\epsilon )$-breaks the EUF-CMA and the completeness and soundness of the underlying convertible undeniable signature scheme with the success probability more than $\epsilon$ in its game with at most $q_{PSign}$ queries to ${\mathcal{O}}_{PSign}$, $q_{Sign}$ queries to ${\mathcal{O}}_{Sign}$, and $q_{Prov{e}^U}$ queries to ${\mathcal{O}}_{Prov{e}^U}$ in time t.

• Phase 1: On input $PM$ to $\mathcal{D}$, $\mathcal{D}$ then passes $PM$ to $\mathcal{A}$ which then runs ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK=(p{k}_0^{us},p{k}_0^{rs}),ASK=(s{k}_0^{us},s{k}_0^{rs}))$ and passes $APK$ to $\mathcal{D}$.
• Phase 2: $\mathcal{A}$ can make queries to the following oracles for a selected $UP{K}_i=(p{k}_i^{os},p{k}_i^{us},p{k}_i^{rs})$:

  -

  Partial Sign Oracle ${\mathcal{O}}_{PSign}$: On input $(m,UP{K}_i)$, $\mathcal{D}$ requests a signature ${\sigma }^{os}$ from ordinary signature scheme’s ${\mathcal{O}}_S$ on input $(m,p{k}_i^{os})$. $\mathcal{D}$ then returns a partial signature ${\sigma }_p={\sigma }^{os}$.

  -

  Full Sign Oracle ${\mathcal{O}}_{Sign}$: On input $(m,{\sigma }_p,UP{K}_i)$, $\mathcal{D}$ requests ${\sigma }^{us}$ from convertible undeniable signature scheme’s ${\mathcal{O}}_S$ on input $(m^{\prime },p{k}_i^{us})$, where $m^{\prime }=H(m,{\sigma }_p,UP{K}_i)$. $\mathcal{D}$ then requests ${\sigma }^{rs}$ from ring signature scheme’s ${\mathcal{O}}_S$ on input $(H({\sigma }^{us}),P{K}_L,e)$, where $P{K}_L=(p{k}_0^{rs},p{k}_i^{rs})$ and $e=2$ is the selected public key position in $P{K}_L$. Note that $({\sigma }^{us},{\sigma }^{rs})$ is generated with $(s{k}_i^{us},s{k}_i^{rs})$ respectively.

  -

  User Prove Oracle ${\mathcal{O}}_{Prov{e}^U}$: On input $(m,\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs}))$, $\mathcal{D}$ requests a selective token ${\pi }^S$ on $p{k}_i^{us}$ from convertible undeniable signature scheme’s ${\mathcal{O}}_{SC}$ on input $(m^{\prime },{\sigma }^{us})$, where $m^{\prime }=H(m,{\sigma }_p,UP{K}_i)$. $\mathcal{D}$ then returns a user proof ${\pi }^U={\pi }^S$.

• Phase 3: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma })$ that is valid on $(UP{K}_i,APK)$ and a proof $\widehat{\pi }$, with the restriction that $\widehat{\sigma }$ is not generated from ${\mathcal{O}}_{Sign}$. Note that $\widehat{\pi }$ can either be the ${\pi }^A$ by $p{k}_0^{us}$ or the ${\pi }^U$ by $p{k}_1^{us}$.

Assume that $\mathcal{A}$ wins the game because $\mathit{Open}(\widehat{m},\widehat{\sigma },UP{K}_i,APK,\pi )=“UP{K}_i”$ and $\widehat{\sigma }$ is not generated from $\mathit{Sign}$, there exist two possible cases:

• Case 1: ${\widehat{\sigma }}^{us}$ is generated by using $s{k}_i^{us}$, so $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},p{k}_0^{us},{\widehat{\pi }}^A)=“0”$ and $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},p{k}_i^{us},{\widehat{\pi }}^U)=“1”$ hold.
• Case 2: ${\widehat{\sigma }}^{us}$ is generated by using $s{k}_0^{us}$, but $\widehat{\pi }$ is not sound. Therefore, $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},p{k}_0^{us},{\widehat{\pi }}^A)=“0”$ and $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},p{k}_i^{us},{\widehat{\pi }}^U)=“1”$.

Hence, if $\mathcal{D}$ takes $(\widehat{m},{\widehat{\sigma }}^{us},\widehat{\pi })$ as the output, $\mathcal{D}$ breaks the EUF-CMA of convertible undeniable signature scheme in Case 1 and breaks the completeness and soundness of convertible undeniable signature scheme in Case 2. This shows that there exists a PPT $\mathcal{D}$ that can either $(t,q_{PSign},q_{Sign},q_{Prov{e}^U},\epsilon )$-break the EUF-CMA or the completeness and soundness of the underlying convertible undeniable signature scheme if there exists $\mathcal{A}$ which can $(t,q_{PSign},q_{Sign},q_{Prov{e}^U},\epsilon )$-break the type II accountability. This contradicts the EUF-CMA and the completeness and soundness of the underlying convertible undeniable signature scheme, hence our OFE protocol is type II accountable. □

4.2.4. Type III Accountability

Lemma 4.

Our proposed generic framework is $(t,\epsilon )$-type III accountable if the underlying convertible undeniable signature scheme is $(t,\epsilon )$-complete and sound.

Proof. 

Let $\mathcal{A}$ be the PPT adversary which $(t,\epsilon )$-breaks the type III accountability, we build a PPT algorithm $\mathcal{D}$ which runs $\mathcal{A}$ as a subroutine and $(t,\epsilon )$-breaks the completeness and soundness of the underlying convertible undeniable signature scheme with the success probability more than $\epsilon$ in its game in time t.

• Phase 1: On input $PM$ to $\mathcal{D}$, $\mathcal{D}$ then passes $PM$ to $\mathcal{A}$ which then runs ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$ and ${\mathit{Setup}}^{\mathit{U}}(PM)\to (UP{K}_i,US{K}_i)$.
• Phase 2: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma })$ that is valid on $(UP{K}_i,APK)$ and two proofs $({\widehat{\pi }}^U,{\widehat{\pi }}^A)$.

At the end of the game, $\mathcal{D}$ takes $(\widehat{m},{\widehat{\sigma }}^{us},{\widehat{\pi }}^U,{\widehat{\pi }}^A)$ as the output. $\mathcal{D}$ breaks the completeness and soundness of the underlying convertible undeniable signature scheme if either one of the following statements holds:

• A valid $(\widehat{m},{\widehat{\sigma }}^{us})$ on $UP{K}_i$ but $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},APK,{\widehat{\pi }}^A)=“1”\wedge \mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},UP{K}_i,{\widehat{\pi }}^U)=“0”$
• A valid $(\widehat{m},{\widehat{\sigma }}^{us})$ on $APK$ but $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},APK,{\widehat{\pi }}^A)=“0”$ ∧ $\mathrm{CUS}.\mathit{SVerify}(\widehat{m},{\widehat{\sigma }}^{us},UP{K}_i,{\widehat{\pi }}^U)=“1”$

This shows that there exists a PPT $\mathcal{D}$ which can $(t,\epsilon )$-break the completeness and soundness of the underlying convertible undeniable signature if there exists $\mathcal{A}$ which can $(t,\epsilon )$-break the type III accountability with the success probability more than $\epsilon$ in its game in time t. This contradicts the completeness and soundness of the convertible undeniable signature scheme, hence our OFE protocol is type III accountable. □

4.2.5. Security against Signers

Lemma 5.

Our proposed generic framework is unconditionally secure against signers.

Proof. 

The security against signers in our generic framework follows unconditionally as a full signature contains a partial signature, a convertible undeniable signature, and a ring signature, $\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs})$, the arbitrator can always convert ${\sigma }_p$ to $\sigma$, by generating ${\sigma }^{us}$ on $m^{\prime }=H(m,{\sigma }_p,UP{K}_i)$ and ${\sigma }^{rs}$. □

4.2.6. Security against Verifiers

Lemma 6.

Our proposed generic framework is $(t,q_{PSign},q_{Sign},q_{Res},\epsilon )$-secure against verifiers if the underlying convertible undeniable signature scheme is $(t+t_1{q}_{PSign},q_{Sign},q_{Res},\epsilon )$-EUF-CMA and ring signature scheme is $(t+t_1{q}_{PSign},q_{Sign},q_{Res},\epsilon )$-EUF-CSA.

Proof. 

Let $\mathcal{A}$ be the PPT adversary which $(t,q_{PSign},q_{Sign},q_{Res},\epsilon )$-break the security against verifiers, we build a PPT algorithm $\mathcal{D}$ which runs $\mathcal{A}$ as a subroutine and $(t+t_1{q}_{PSign},q_{Sign},q_{Res},\epsilon )$-breaks the EUF-CMA of the underlying convertible undeniable signature scheme and the EUF-CSA of the underlying ring signature scheme with the success probability more than $\epsilon$ in its game with at most $q_{Sign}$ queries to ${\mathcal{O}}_{Sign}$ and $q_{Res}$ queries to ${\mathcal{O}}_{Res}$ in time $t+t_1{q}_{PSign}$, where $t_1{q}_{PSign}$ is the time cost to generate a partial signature.

• Phase 1: On input two challenge public key pairs $((p{k}_0^{us},p{k}_0^{rs}),(p{k}_1^{us},p{k}_1^{rs}))$ to $\mathcal{D}$, $\mathcal{D}$ first runs $\mathrm{OS}.\mathit{KeyGen}\to (p{k}^{os},s{k}^{os})$. $\mathcal{D}$ then chooses $b\in \{0,1\}$ and sets $APK=(p{k}_b^{us},p{k}_b^{rs})$ and $UPK=(p{k}^{os},p{k}_{1-b}^{us},p{k}_{1-b}^{rs})$. $\mathcal{A}$ is given $(APK,UPK)$.
• Phase 2: $\mathcal{A}$ can make queries to the following oracles:

  -

  Partial Sign Oracle ${\mathcal{O}}_{PSign}$: On input $(m,UPK)$, $\mathcal{D}$ returns $\mathrm{OS}.\mathit{Sign}(m,s{k}^{os})\to {\sigma }_p$ to $\mathcal{A}$.

  -

  Full Sign Oracle ${\mathcal{O}}_{Sign}$: On input $(m,{\sigma }_p,UPK)$, $\mathcal{D}$ requests ${\sigma }^{us}$ from convertible undeniable signature scheme’s ${\mathcal{O}}_S$ on input $(m^{\prime },p{k}_{1-b}^{us})$, where $m^{\prime }=H(m,{\sigma }_p,UPK)$. $\mathcal{D}$ then requests ${\sigma }^{rs}$ from ring signature scheme’s ${\mathcal{O}}_S$ on input $(H({\sigma }^{us}),P{K}_L,e)$, where $P{K}_L=(p{k}_{1-b}^{rs},p{k}_b^{rs})$ and $e=1$ is the selected public key position in $P{K}_L$. Note that $({\sigma }^{us},{\sigma }^{rs})$ is generated with $(s{k}_{1-b}^{us},s{k}_{1-b}^{rs})$ respectively. Finally, $\mathcal{D}$ returns a signature $\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs})$ to $\mathcal{A}$.

  -

  Resolution Oracle ${\mathcal{O}}_{Res}$: This oracle is similar to ${\mathcal{O}}_{Sign}$ above, but $({\sigma }^{us},{\sigma }^{rs})$ is generated with $(s{k}_b^{us},s{k}_b^{rs})$ respectively, where ${\sigma }^{us}$ is from convertible undeniable signature scheme’s ${\mathcal{O}}_S$ on input $(m^{\prime },p{k}_b^{us})$ and ${\sigma }^{rs}$ is from ring signature scheme’s ${\mathcal{O}}_S$ on input $(H({\sigma }^{us}),P{K}_L,e)$ where $P{K}_L=(p{k}_{1-b}^{rs},p{k}_b^{rs})$ and $e=2$ is the selected public key position in $P{K}_L$.

• Phase 3: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma })$, where $\widehat{\sigma }=({\widehat{\sigma }}_p,{\widehat{\sigma }}^{us},{\widehat{\sigma }}^{rs})$ with the restriction that $\widehat{\sigma }$ is not generated from ${\mathcal{O}}_{Sign}$ or ${\mathcal{O}}_{Res}$.

At the end of the game, $\mathcal{D}$ takes $({\widehat{m}}^{\prime },{\widehat{\sigma }}^{us},{\widehat{\sigma }}^{rs})$ as the output where ${\widehat{m}}^{\prime }=H(\widehat{m},{\widehat{\sigma }}_p,UPK)$. $\mathcal{D}$ breaks the EUF-CMA of the underlying convertible undeniable signature scheme if $({\widehat{m}}^{\prime },{\widehat{\sigma }}^{us})$ is valid on either $p{k}_0^{us}$ or $p{k}_1^{us}$. $\mathcal{D}$ also breaks the EUF-CSA of the underlying ring signature scheme if ${\widehat{\sigma }}^{rs}$ is valid on either $p{k}_0^{rs}$ or $p{k}_1^{rs}$. Therefore, this shows that there exists a PPT $\mathcal{D}$ which can $(t+t_1{q}_{PSign},q_{Sign},q_{Res},\epsilon )$-break the EUF-CMA of the underlying convertible undeniable signature scheme and EUF-CSA of the underlying ring signature scheme if there exists $\mathcal{A}$ which can $(t,q_{PSign},q_{Sign},q_{Res},\epsilon )$-break the security against verifiers with the success probability more than $\epsilon$ in its game with at most $q_{Sign}$ queries to ${\mathcal{O}}_{Sign}$ and $q_{Res}$ queries to ${\mathcal{O}}_{Res}$ in time $t+t_1{q}_{PSign}$. This contradicts the EUF-CMA of the underlying convertible undeniable signature scheme and the EUF-CSA of the underlying ring signature scheme, hence our OFE protocol is secure against verifiers. □

4.2.7. Security against Arbitrator

Lemma 7.

Our proposed generic framework is $(t,q_{PSign},\epsilon )$-secure against the arbitrator if the underlying ordinary signature scheme is $(t,q_{PSign},\epsilon )$-EUF-CMA.

Proof. 

Let $\mathcal{A}$ be the PPT adversary which $(t,q_{PSign},\epsilon )$-breaks the security against the arbitrator, we build a PPT algorithm $\mathcal{D}$ which runs $\mathcal{A}$ as a subroutine and $(t,q_{PSign},\epsilon )$-breaks the EUF-CMA of the underlying ordinary signature scheme with the success probability more than $\epsilon$ in its game with at most $q_{PSign}$ queries to ${\mathcal{O}}_{PSign}$ in time t.

• Phase 1: On input a challenge public key $p{k}^{os}$ to $\mathcal{D}$. $\mathcal{D}$ first generates public parameters $PM$ and passes to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ then runs ${\mathit{Setup}}^{\mathit{A}}(PM)\to (APK,ASK)$ and sends $APK$ to $\mathcal{D}$.
• Phase 3: $\mathcal{A}$ can make queries to Partial Sign Oracle ${\mathcal{O}}_{PSign}$: On input $(m,UPK)$, where $\mathcal{D}$ requests a signature ${\sigma }^{os}$ from ordinary signature scheme’s ${\mathcal{O}}_S$ on input $(m,p{k}^{os})$. $\mathcal{D}$ returns a partial signature ${\sigma }_p={\sigma }^{os}$.
• Phase 4: $\mathcal{A}$ outputs a challenge message and signature pair $(\widehat{m},\widehat{\sigma })$, where $\widehat{\sigma }=({\widehat{\sigma }}_p,{\widehat{\sigma }}^{us},{\widehat{\sigma }}^{rs})$ with the restriction that $(\widehat{m},UPK)$ has not been queried to ${\mathcal{O}}_{PSign}$.

At the end of the game, $\mathcal{D}$ takes $(\widehat{m},{\widehat{\sigma }}_p)$ as the output. $\mathcal{D}$ breaks the EUF-CMA of the underlying ordinary signature scheme if $\mathrm{OS}.\mathit{Verify}(\widehat{m},{\widehat{\sigma }}_p,p{k}^{os})=1$. This shows that there exists a PPT $\mathcal{D}$ which can $(t,q_{PSign},\epsilon )$-break the EUF-CMA of the underlying ordinary signature scheme if there exists $\mathcal{A}$ which can $(t,q_{PSign},\epsilon )$-break the security against arbitrator with the success probability more than $\epsilon$ in its game with at most $q_{PSign}$ queries to ${\mathcal{O}}_{PSign}$ in time t. This contradicts the EUF-CMA of the underlying ordinary signature scheme, hence our OFE protocol is secure against arbitrator. □

Theorem 1.

Our proposed generic framework is secure in the multi-user setting and chosen-key model.

Proof. 

The proof follows directly from Lemmas 1–7. □

5. An Instantiation of Accountable Optimisitc Fair Exchange Protocol

The derived protocol is built from Boneh et al.’s short signature scheme [30], Li et al.’s convertible undeniable signature scheme [31], and Shim’s ring signature scheme [32], following our proposed generic framework. We first review the respective underlying schemes.

5.1. Boneh et al.’s Short Signature Scheme

The same public parameters $PM=(q,g_1,g_2,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,\widehat{e},H)$ is used following the definition as in Section 3.1, and $H:{\{0,1\}}^{*}\to {\mathbb{G}}_1$ is a hash function. The scheme consists of the following algorithms [30]:

• $\mathit{KeyGen}$: It randomly picks $x\in {\mathbb{Z}}_q$ and computes $X=g_2^x$. It then returns a public and private key pair $(pk,sk)=(X,x)$.
• $\mathit{Sign}$: On input a message and a private key $(m,sk)$, it returns an ordinary signature ${\sigma }^{os}=H{(m)}^x$.
• $\mathit{Verify}$: On input $(m,{\sigma }^{os},pk)$, it checks whether $\widehat{e}(H(m),X)\stackrel{?}{=}\widehat{e}({\sigma }^{os},g_2)$. It outputs $“1”$ if $\sigma$ is valid and $“0”$ otherwise.

5.2. Li et al.’s Convertible Undeniable Signature Scheme

The same public parameters $PM$ as in Boneh et al.’s short signature scheme is used in this scheme with the following algorithms [31]:

• $\mathit{KeyGen}$: It randomly picks $x,y\in {\mathbb{Z}}_q^{*}$ to compute $X=g_2^x$ and $Y=g_2^y$. It outputs a public and private key pair $(pk,sk)=((X,Y),(x,y))$.
• $\mathit{Sign}$: On input a message and private key $(m,sk)$, it computes an undeniable signature ${\sigma }^{us}=H{(m)}^{xy}$.
• $\mathit{Confirmation}/\mathit{Disavowal}\mathit{Protocol}$: Given a message and signature pair $(m,{\sigma }^{us})$, it can confirm or deny ${\sigma }^{us}$ with the following designated verifier non-interactive zero knowledge proof of knowledge $(DVPK)$:
  $DVPK(y:\widehat{e}({\sigma }^{us},g_2)=\widehat{e}{(H(m),X)}^y\wedge Y=g_2^y)$ or $DVPK(y:\widehat{e}({\sigma }^{us},g_2)\ne \widehat{e}{(H(m),X)}^y\wedge Y=g_2^y)$
• $\mathit{SConvert}$: On input $(m,{\sigma }^{us},sk)$, it computes a converter ${\pi }^S=H{(m)}^y\in {\mathbb{G}}_1$.
• $\mathit{SVerify}$: On input $(m,{\sigma }^{us},pk,{\pi }^S)$, it first verifies ${\pi }^S$ by checking whether $\widehat{e}({\pi }^S,g_2)\stackrel{?}{=}\widehat{e}(H(m),Y)$ or not. If ${\pi }^S$ is valid, then it proceeds to validate ${\sigma }^{us}$ by checking whether $\widehat{e}({\sigma }^{us},g_2)\stackrel{?}{=}\widehat{e}({\pi }^S,X)$ holds or not.

5.3. Shim’s Ring Signature Scheme

The same public parameters $PM$ as in Boneh et al.’s short signature are used in this scheme with the following algorithms [32]:

• $\mathit{KeyGen}$: For a user i, it randomly picks $x_i\in {\mathbb{Z}}_q^{*}$ to compute $X_i=g_2^{x_i}$. It outputs a public and private key pair $(p{k}_i,s{k}_i)=(X_i,x_i)$.
• $\mathit{Sign}$: Let $P{K}_L=\{p{k}_1,\dots ,p{k}_n\}$ be a list of users’ public keys with n members. On input a signer’s public and private key pair $(p{k}_s,s{k}_s)$ and a message $m\in {\{0,1\}}^{*}$, it first randomly chooses $Z_i\in {\mathbb{G}}_1$ and computes $z_i=h(Z_i,m,P{K}_L)$ for $i=1,\dots ,n$ and $i\ne s$. It then chooses a random salt $r\in {\mathbb{Z}}_q$ and computes $(Z_s,z_s,V)$, where

  $$\begin{array}{ccc}{Z}_s=g_2^r\prod _{i\ne s}^{n}p{k}_i{Z}_i\hfill & z_s=h(Z_s,m,P{K}_L)\hfill & V=g_1^{r+z_s{x}_s}\hfill \end{array}$$
  Finally, it outputs a ring signature ${\sigma }^{rs}=(Z_i,\dots Z_n,V)$.
• $\mathit{Verify}$: On input $(m,{\sigma }^{rs},P{K}_L)$, where $P{K}_L=\{p{k}_1,\dots ,p{k}_n\}$ is a list of users’ public keys with n members. It first computes $z_i=h(Z_i,m,P{K}_L)$ for $i=1,\dots ,n$. It then checks whether $\widehat{e}(V,g_2)\stackrel{?}{=}\widehat{e}({\prod }_{i=1}^{n}p{k}_i^{z_i}{Z}_i,g_2)$ holds or not. If it holds, it outputs $“1”$ and $“0”$ otherwise.

5.4. The Derived Accountable Optimistic Fair Exchange Protocol

In order to reduce the key pair needed, we use the same approach as in the concrete protocol proposed by [19], where we utilise the public and private key pair from Li et al.’s convertible undeniable signature scheme to construct the ordinary signature and the ring signature. The signature in our protocol is short and it is more efficient in generating signature and proof as compared to Huang et al. and Ganjavi et al.’s concrete protocols. However, it takes longer to verify a signature due to the pairing-based setting, and this results in the derived protocol to be secure in the random oracle model only.

Let $\mathrm{OS}=(\mathit{KeyGen},\mathit{Sign},\mathit{Verify})$ be Boneh et al.’s signature scheme, $\mathrm{CUS}=(\mathit{KeyGen},\mathit{Sign},\mathit{Confirmation}/\mathit{Disavowal}\mathit{Protocol},\mathit{SConvert},\mathit{SVerify})$ be Li et al.’s convertible undeniable signature scheme, and $\mathrm{RS}=(\mathit{KeyGen},\mathit{Sign},\mathit{Verify})$ be Shim’s ring signature scheme. The derived accountable OFE protocol consists of the following algorithms:

• $\mathit{PMGen}$: On input $1^k$, it generates $(q,g_1,g_2,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,\widehat{e})$, where ${\mathbb{G}}_1$,${\mathbb{G}}_2$,${\mathbb{G}}_T$ are cyclic groups of prime order q, $g_1\in {\mathbb{G}}_1$ and $g_2\in {\mathbb{G}}_2$ are two generators, and $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ is a bilinear map. Let $H_1,H_2:{\{0,1\}}^{*}\to {\mathbb{G}}_1$, $H_3:{\{0,1\}}^{*}\to \mathcal{M}$, and $h_1,h_2:{\{0,1\}}^{*}\to {\mathbb{Z}}_p^{*}$, where $\mathcal{M}$ is the message space. Finally, it outputs $PM=(q,g_1,g_2,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,\widehat{e},H_1,H_2,H_3,h_1,h_2)$.
• ${\mathit{Setup}}^{\mathit{A}}$: On input $PM$, it runs $\mathrm{CUS}.\mathit{KeyGen}(1^k)\to (pk,sk)$, where $pk=(g_2^{x_a},g_2^{y_a})=(X_a,Y_a)$ and $sk=(x_a,y_a)\in {\mathbb{Z}}_q^{*}$. Note that $(x_a,X_a)$ will be used for ring signature later. Lastly, it returns an arbitrator public and private key pair $(APK,ASK)=((X_a,Y_a),(x_a,y_a))$.
• ${\mathit{Setup}}^{\mathit{U}}$: On input $PM$, it runs $\mathrm{CUS}.\mathit{KeyGen}(1^k)\to (pk,sk)$, where $pk=(g_2^{x_i},g_2^{y_i})=(X_i,Y_i)$ and $sk=(x_i,y_i)\in {\mathbb{Z}}_q^{*}$. Note that $(x_i,X_i)$ will be used for ordinary signature and ring signature later. Lastly, it returns a user public and private key pair $(UP{K}_i,US{K}_i)=((X_i,Y_i),(x_i,y_i))$.
• $\mathit{PSign}$: On input $(m,US{K}_i)$, it runs $\mathrm{OS}.\mathit{Sign}$ to compute an ordinary signature, ${\sigma }^{os}=H_1{(m)}^{x_i}$. It outputs a partial signature ${\sigma }_p={\sigma }^{os}$.
• $\mathit{PVer}$: On input $(m,{\sigma }_p,UP{K}_i)$, it runs $\mathrm{OS}.\mathit{Verify}$ to check the validity by comparing $\widehat{e}(H_1(m),X_i)\stackrel{?}{=}\widehat{e}({\sigma }_p,g_2)$. It returns $“1”$ if the equation holds and $“0”$ otherwise.
• $\mathit{Sign}$: On input $(m,{\sigma }_p,US{K}_i,UP{K}_i,APK)$, it runs $\mathit{PSig}(m,{\sigma }_p,UP{K}_i)$ and continues if and only if ${\sigma }_p$ is valid. Let $m^{\prime }=H_3(m,{\sigma }_p,UP{K}_i)$, it runs $\mathrm{CUS}.Sign$ to generate a convertible undeniable signature, ${\sigma }^{us}=H_2{(m^{\prime })}^{x_i{y}_i}$. It then runs $\mathrm{RS}.\mathit{Sign}$ to generate a ring signature, ${\sigma }^{rs}$. Let $P{K}_L=\{X_a,X_i\}$, it randomly chooses $Z_a\in {\mathbb{G}}_1$ and computes $z_a=h(Z_a,H_3({\sigma }^{us}),P{K}_L)$. It then chooses a random salt $r\in {\mathbb{Z}}_q$ and computes $(Z_i,z_i,V)$:

  $$\begin{array}{ccc}{Z}_i=g_2^r{X}_a{Z}_a\hfill & z_i=h(Z_i,H_3({\sigma }^{us}),P{K}_L)\hfill & V=g_1^{r+z_i{x}_i}\hfill \end{array}$$
  Finally, it outputs a full signature $\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs})$ where ${\sigma }^{rs}=(Z_a,Z_i,V)$.
• $\mathit{Ver}$: On input $(m,\sigma ,UP{K}_i,APK)$, it first runs $\mathit{PVer}(m,{\sigma }_p,UP{K}_i)$ and continues if and only if ${\sigma }_p$ is valid. It then runs $\mathrm{RS}.\mathit{Verify}$ to verify ${\sigma }^{rs}$. Let $P{K}_L=\{X_a,X_i\}$, it then computes $z_a=h(Z_a,H_3({\sigma }^{us}),P{K}_L)$ and $z_i=h(Z_i,H_3({\sigma }^{us}),P{K}_L)$. It then checks whether $\widehat{e}(V,g_2)\stackrel{?}{=}\widehat{e}(X_a^{z_a}{Z}_a·X_i^{z_i}{Z}_i,g_2)$ holds or not. If it holds, it outputs $“1”$ and $“0”$ otherwise.
• $\mathit{Res}$: On input $(m,{\sigma }_p,ASK,UP{K}_i,APK)$, it runs $\mathit{PVer}(m,{\sigma }_p,UP{K}_i)$ and continues if and only if ${\sigma }_p$ is valid. Let $m^{\prime }=H_3(m,{\sigma }_p,UP{K}_i)$, it runs $\mathrm{CUS}.\mathit{Sign}$ to compute a convertible undeniable signature, ${\sigma }^{us}=H_2{(m^{\prime })}^{x_a{y}_a}$. It then runs $\mathrm{RS}.\mathit{Sign}$ to generate a ring signature, ${\sigma }^{rs}$. Let $P{K}_L=\{X_a,X_i\}$, it first randomly chooses $Z_i\in {\mathbb{G}}_1$ and computes $z_i=h(Z_i,H_3({\sigma }^{us}),P{K}_L)$. It then chooses a random salt $r\in {\mathbb{Z}}_q$ and computes $(Z_a,z_a,V)$:

  $$\begin{array}{ccc}{Z}_a=g_2^r{X}_i{Z}_i\hfill & z_a=h(Z_a,H_3({\sigma }^{us}),P{K}_L)\hfill & V=g_1^{r+z_a{x}_a}\hfill \end{array}$$
  Finally, it outputs a full signature $\sigma =({\sigma }_p,{\sigma }^{us},{\sigma }^{rs})$ where ${\sigma }^{rs}=(Z_a,Z_i,V)$.
• ${\mathit{Prove}}^{\mathit{A}}$: On input $(m,\sigma ,ASK,UP{K}_i,APK)$, it first runs $\mathit{Ver}(m,\sigma ,UP{K}_i,APK)$ and continues if and only if $\sigma$ is valid. Let $m^{\prime }=H_3(m,{\sigma }_p,UP{K}_i)$, it runs $\mathrm{CUS}.\mathit{SConvert}$ to compute a proof ${\pi }^A=H_2{(m^{\prime })}^{y_a}$. Otherwise, it outputs $“\perp ”$
• ${\mathit{Prove}}^{\mathit{U}}$: On input $(m,\sigma ,US{K}_i,UP{K}_i,APK)$, it first runs $\mathit{Ver}(m,\sigma ,UP{K}_i,APK)$ and continues if and only if $\sigma$ is valid. Let $m^{\prime }=H_3(m,{\sigma }_p,UP{K}_i)$, it runs $\mathrm{CUS}.\mathit{SConvert}$ to compute a proof ${\pi }^U=H_2{(m^{\prime })}^{y_i}$. Otherwise, it outputs $“\perp ”$
• $\mathit{Open}$: On input $(m,\sigma ,\pi ,UP{K}_i,APK)$, it runs $\mathit{Ver}(m,\sigma ,UP{K}_i,APK)$ and continues if and only if $\sigma$ is valid. Let $m^{\prime }=H_3(m,{\sigma }_p,UP{K}_i)$, it runs $\mathrm{CUS}.\mathit{SVerify}$ to verify ${\sigma }^{us}$, where

  -

  If $\pi ={\pi }^A$, it first checks the validity of ${\pi }^A$ by running $\widehat{e}({\pi }^A,g_2)\stackrel{?}{=}\widehat{e}(H_2(m^{\prime }),Y_a)$ and outputs $“\perp ”$ if ${\pi }^A$ is invalid. Otherwise, it proceeds to validate ${\sigma }^{us}$ by running $\widehat{e}({\sigma }^{us},g_2)\stackrel{?}{=}\widehat{e}({\pi }^A,X_a)$. If the equation holds, it means ${\sigma }^{us}$ was signed by the arbitrator and outputs $“APK”$, otherwise it outputs $“UP{K}_i”$.

  -

  If $\pi ={\pi }^U$, it first checks the validity of ${\pi }^U$ by running $\widehat{e}({\pi }^U,g_2)\stackrel{?}{=}\widehat{e}(H_2(m^{\prime }),Y_i)$ and outputs $“\perp ”$ if ${\pi }^U$ is invalid. Otherwise, it proceeds to validate ${\sigma }^{us}$ by running $\widehat{e}({\sigma }^{us},g_2)\stackrel{?}{=}\widehat{e}({\pi }^U,X_i)$. If the equation holds, it means ${\sigma }^{us}$ was signed by the signer and outputs $“UP{K}_i”$, otherwise it outputs $“APK”$.

Security Analysis

In this section, we show the derived protocol is secure in the multi-user setting and chosen-key model which follows from Theorem 1.

• Resolution Ambiguity: This property requires that the underlying convertible undeniable signature and ring signature scheme satisfy anonymous. The derived protocol is resolution ambiguous which follows Lemma 1, such that the underlying Li et al.’s convertible undeniable signature scheme [31] is proven invisible based on One-more Decisional Co-Tripartite-Diffie-Hellman (1m-DCTDH) in the random oracle model, where it is also well known that the invisibility and anonymity are equivalent as proven by Galbraith and Mao [39]. Besides, the underlying Shim’s ring signature scheme is unconditionally anonymous as shown by the author [32].
• Accountability: This property requires that the underlying convertible undeniable signature scheme satisfies EUF-CMA and completeness and soundness. The derived protocol is accountable which follows Lemmas 2–4, such that the underlying Li et al.’s convertible undeniable signature scheme [31] achieves EUF-CMA based on Computational co-Diffie-Hellman (Co-CDH) in the random oracle model. The completeness and soundness of Li et al.’s scheme is unconditionally satisfied as shown by the author.
• Security against Signers: This property is unconditionally satisfied which follows Lemma 5 as the generic framework follows the same construction as in Huang et al. [19] and Ganjavi et al. [24], such that the arbitrator can always convert a partial signature into a full signature by generating a convertible undeniable signature and ring signature.
• Security against Verifiers: This property requires that the underlying convertible undeniable signature and ring signature scheme satisfy EUF-CMA and EUF-CSA respectively. The derived protocol is secure against verifiers which follows Lemma 6, such that the underlying Li et al.’s convertible undeniable signature scheme [31] and Shim’s ring signature scheme [32] are both proven EUF-CMA and EUF-CSA respectively based on Co-CDH in the random oracle model.
• Security against Arbitrator: This property requires that the underlying ordinary signature scheme satisfies EUF-CMA. The derived protocol is secure against arbitrator which follows Lemma 7, such that the underlying Boneh et al.’s ordinary signature [30] acheives EUF-CMA based on Co-CDH in the random oracle model.

6. Conclusions

We proposed a generic framework to construct accountable OFE protocol in the multi-user setting and chosen-key model which is proven secure in the standard model by using the ordinary signature, convertible undeniable signature, and ring signature scheme as the underlying building blocks. We also provided a concrete instantiation of accountable OFE protocol based our proposed generic framework in the random oracle model.