We propose a new protocol allowing the exchange of an item against a signature while assuring fairness. The proposed protocol, based on the Girault-Poupard-Stern signature scheme (a variation of the Schnorr scheme), assumes the existence of a trusted third party that, except in the setup phase, is involved in the protocol only when one of the parties does not follow the designated protocol or some technical problem occures during the execution of the protocol. The interesting feature of the protocol is the low communication and computational charges required by the parties. Moreover, in case of problems during the main protocol, the trusted third party can derive the same digital signature as the one transmitted in a faultless case, rather than an adavit or an official certificate.

Applications such as e-commerce payment protocols, elec-tronic contract signing, and certified e-mail delivery require that fair exchange be assured. A fair-exchange protocol al-lows two parties to exchange items in a fair way so that either each party gets the other's item, or neither party does. We describe a novel method of constructing very ef-ficient fair-exchange protocols by distributing the computa-tion of RSA signatures. Specifically, we employ multisig-natures based on the RSA-signature scheme. To date, the vast majority of fair-exchange protocols require the use of zero-knowledge proofs, which is the most computationally intensive part of the exchange protocol. Using the intrinsic features of our multisignature model, we construct protocols that require no zero-knowledge proofs in the exchange proto-col. Use of zero-knowledge proofs is needed only in the pro-tocol setup phase--this is a one-time cost. Furthermore, our scheme uses multisignatures that are compatible with the underlying standard (single-signer) signature scheme, which makes it possible to readily integrate the fair-exchange fea-ture with existing e-commerce systems.

In this paper we consider a new and efficient optimistic nonrepudiation protocol. In a non-repudiation protocol, during which Alice wants to transmit a message to Bob, Alice has to send a non-repudiation of origin evidence to Bob (attesting that Alice is at the origin of the transmitted message), and Bob has to send a non-repudiation of receipt evidence to Alice (attesting Bob's receipt of the message). Classical solutions propose to use a trusted third party to help realizing the exchange without giving any significant advantage to one of the two parties. In an optimistic protocol, the trusted third party intervenes only in case of problems during the communication between Alice and Bob. Classically, in a situation where an error occurs, evidences that have been digitally signed by the TTP are issued. Although these evidences are distinct from those produced by Alice and Bob in a faultless case, they have the same value in case of a dispute. In this paper we propose a protocol where the TTP produces the same evidences that Alice and Bob should have produced in a faultless protocol execution (this prevents, after a succesful protocol execution, to determine whether the TTP was involved or not).

Abstract. An untraceable fair network payment protocol is proposed by Wang in Asiacrypt’03, which employs the existent techniques of the offline untraceable cash and a new technique called restrictive confirmation signature scheme (RCSS). It is claimed that the fair payment protocol has both the fairness such that the buyer obtains the digital goods if and only if the merchant gains the digital cash and the untraceability and unlinkability such that no one can tell who is the original owner of the money. In this paper we show that the fairness is breached under a simple colluding attack, by which a dishonest merchant can obtain the digital money without the buyer obtaining the goods. We also apply the attack to some of the schemes of fair exchange of digital signatures proposed by Ateniese in ACM CCS’99. Our study shows that two of them are subjected to the attack. A countermeasure against the attack is proposed for the fair exchange of digital signatures. However, we are unable to fix the fair payment protocol if the untraceability and unlinkability are the required features. 1

This paper reports on the on-going Fair Integrated Data Exchange Services (FIDES) project aimed at developing a security middleware solution to support e-commerce transactions and the provision of the important fair exchange and nonrepudiation security services. Fair exchange ensures that either both business parties participating in a transaction receive the exchanged valuable items or neither party receives anything useful. Non-repudiation ensures that neither party involved in the exchange can falsely deny sending or receiving a particular item and therefore taking part in the transaction. Keywords: E-commerce, Security, Fair exchange, Non-repudiation. 1

The growing importance of electronic commerce...

This paper presents an efficient security protocol for certified e-goods delivery with the following features: (1) ensures strong fairness, (2) ensures nonrepudiation of origin and non-repudiation of receipt, (3) allows the receiver of an e-goods to verify, during the protocol execution, that the e-goods he is about to receive is the one he is signing the receipt for, (4) does not require the active involvement of a fully trusted third party, but rather an off-line and transparent semi-trusted third party (STTP) only in cases of unfair behaviour by any party, and (5) provides confidentiality protection for the exchanged items from the STTP. 1.

Abstract: Delivering electronic goods over the Internet is one of the e-commerce applications that will proliferate in the coming years. Certified e-goods delivery is a process where valuable e-goods are exchanged for an acknowledgement of their reception. This paper proposes an efficient security protocol for certified e-goods delivery with the following features: (1) it ensures strong fairness for the exchange of e-goods and proof of reception, (2) it ensures nonrepudiation of origin and non-repudiation of receipt for the delivered e-goods, (3) it allows the receiver of e-goods to verify, during the exchange process, that the e-goods to be received are the one he is signing the receipt for, (4) it uses an off-line and transparent semi-trusted third party (STTP) only in cases when disputes arise, (5) it provides the confidentiality protection for the exchanged items from the STTP, and (6) achieves these features with less computational and communicational overheads than related protocols.

Abstract. A fair network payment protocol plays an important role in electronic commerce. The fairness concept in payments can be illustrated as that two parties (e.g. customers and merchants) exchange the electronic items (e.g. electronic money and goods) with each other in a fair manner that no one can gain advantage over the other even if there are malicious actions during exchanging process. In the previous works of fair payments, the buyer is usually required to sign a purchase message which can be traced by everyone. The information about where the buyer spent the money and what he purchased would easily be revealed by this way. This paper employs two techniques of off-line untraceable cash and designated confirmer signatures to construct a new fair payment protocol, in which the untraceability (or privacy) property can be achieved. A Restrictive Confirmation Signature Scheme (RCSS) will be introduced and used in our protocol to prevent the interested persons except the off-line TTP (Trusted Third Party) from tracing the buyer’s spending behavior.

Abstract. For controlling the public verifiability of ordinary digital signatures, designated confirmer signature (DCS) schemes were introduced by Chaum at Eurocrypt 1994. In such schemes, a signature can be verified only with the help of a semi-trusted third party, called the designated confirmer. The confirmer can further selectively convert individual designated confirmer signatures into ordinary signatures so that anybody can check their validity. In the last decade, a number of DCS schemes have been proposed. However, most of those schemes are either inefficient or insecure. At Asiacrypt 2005, Gentry, Molnar and Ramzan presented a generic transformation to convert any signature scheme into a DCS scheme, and proved the scheme is secure in their security model. Their DCS scheme not only has efficient instantiations but also gets rid of both random oracles and general zero-knowledge proofs. In this paper, we first show that their DCS transformation does not meet the desired security requirements by identifying two security flaws. Then, we point out the reasons that cause those flaws and further propose a secure improvement to fix the flaws. Finally, we present a new generic and efficient DCS scheme without using any public key encryption and prove its security. To the best of our knowledge, this is the first secure DCS scheme that does not require public key encryption.