Abstract. We present a new protocol that allows two players to ex-change digital signatures over the Internet in a fair way, so that either each player gets the other’s signature, or neither player does. The ob-vious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is “optimistic, ” in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player. 1

The optimistic approach of involving a third party only in the case of exceptions is a useful technique to build secure, yet practical fair exchange protocols. Previous solutions using this approach implicitly assumed that players had reliable communication channels to the third party. In this paper, we present a set of optimistic fair exchange protocols which tolerate temporary failures in the communication channels to the third party. A central feature of the protocols is that either player can asynchronously and unilaterally bring a protocol run to completion.

An increasing number of web-sites require users to establish an account before they can access the information stored on that site ("personalized web browsing"). Typically, the user is required to provide at least a unique username, a secret password and an e-mail address. Establishing accounts at multiple web-sites is a tedious task. A securityand privacy-aware user may have toinvent a distinct username and a secure password, both unrelated to his/her identity, for each web-site. The user may also desire mechanisms for anonymous e-mail. Besides the information that the user supplies voluntarily to the web-site, additional information about the user may flow (involuntarily) from the user's site to the web-site, due to the nature of the HTTP protocol and the cookie mechanism. This paper describes the Janus Personalized Web Anonymizer, which makes personalized web browsing simple, secure and anonymous by providing convenient solutions to each of the above problems. Janus serves as an intermediary entity between a user and a web-site. Given a user and a web-site, Janus automatically generates an alias -- typically a username, a password and an e-mail address -- that can be used to establish an anonymous account at the web-site. Different aliases are generated for each user, web-site pair � however the same alias is presented whenever a particular user visits a particular web-site. Janus frees the user from the burden of inventing and memorizing distinct usernames and secure passwords for each web-site, and guarantees that an alias (including an e-mail address) does not reveal the true identity of the user. Janus also provides mechanisms to complete an anonymous e-mail exchange from a web-site to a user, and filters the information-flow of the HTTP protocol to preserve user privacy. Thus Janus provides simultaneous user identification and user privacy, as required for anonymous personalized web browsing.

Abstract. We develop an approach in which we model communication protocols via commitment machines. Commitment machines supply a content to protocol states and actions in terms of the social commitments of the participants. The content can be reasoned about by the agents thereby enabling flexible execution of the given protocol. We provide reasoning rules to capture the evolution of commitments through the agents ’ actions. Because of its representation of content and its operational rules, a commitment machine effectively encodes a systematically enhanced version of the original protocol, which allows the original sequences of actions as well as other legal moves to accommodate exceptions and opportunities. We show how a commitment machine can be compiled into a finite state machine for efficient execution, and prove soundness and completeness of our compilation procedure. 1

There is tremendous demand for the ability to be able to electronically buy and sell goods over networks. This field is called electronic commerce, and it has inspired a large variety of work. Unfortunately, much of that work ignores traditional transaction processing concerns — chiefly atomicity. This paper discusses the role of atomicity in electronic commerce. It then briefly surveys some major types of electronic commerce pointing out flaws in atomicity. We pay special attention to the atomicity problems of proposals for digital cash. The paper present two examples of highly atomic

With the phenomenal growth of the Internet and open networks in general, security services, such as non-repudiation, become crucial to many applications. Nonrepudiation services must ensure that when Alice sends some information to Bob over a network, neither Alice nor Bob can deny having participated in a part or the whole of this communication. Therefore a fair non-repudiation protocol has to generate non-repudiation of origin evidences intended to Bob, and non-repudiation of receipt evidences destined to Alice. In this paper, we clearly define the properties a fair non-repudiation protocol must respect, and give a survey of the most important non-repudiation protocols without and with trusted third party (TTP). For the later ones we discuss the evolution of the TTP's involvement and, between others, describe the most recent protocol using a transparent TTP. We also discuss some ad-hoc problems related to the management of non-repudiation evidences.

Optimistic contract signing protocols allow two parties to commit to a previously agreed upon contract, relying on a third party to abort or confirm the contract if needed. These protocols are relatively subtle, since there may be interactions between the subprotocols used for normal signing without the third party, aborting the protocol through the third party, or requesting confirmation from the third party. With the help of Mur', a finite-state verification tool, we analyze two related contract signing protocols: the optimistic contract signing protocol of Asokan, Shoup, and Waidner, and the abuse-free contract signing protocol of Garay, Jakobsson, and MacKenzie. For the first protocol, we discover that a malicious participant can produce inconsistent versions of the contract or mount a replay attack. For the second protocol, we discover that negligence or corruption of the trusted third party may allow abuse or unfairness. In this case, contrary to the intent of the protocol, the cheated party is not able to hold the third party accountable. We present and analyze modifications to the protocols that avoid these problems and discuss the basic challenges involved in formal analysis of fair exchange protocols.

Micro-payments are payments too small in amount to warrant the overhead costs of current financial clearing networks. Furthermore one can expect that content servers for the global information infrastructure (GII) will have to process so many of these low value transactions that computationally complex and costly cryptographic protocols will be impractical. This report proposes a micro-payment scheme that can be bootstrapped with the already well-known payment protocols for larger amounts, but does not depend on them for each micro-transaction. Special attention is given to its integration into IBM's Internet Keyed Payment Systems (iKP). 1 Introduction Micro-payments have a broad application area in the marketing of information distributed in an electronic form. Modern network information browsing tools (WWW [1]) enable users/clients to wander arbitrarily through the global networks and obtain such documents. We assume that a specific client normally is consuming enough low-value docu...

Fairness may be a desirable property of a nonrepudiation service. Protocols can achieve fairness through the involvement of a trusted third party but the extent of the trusted third party's involvement can vary between protocols. Hence, one of the goals of designing an efficient non-repudiation protocol is to reduce the work load of the trusted third party. In this paper we present a variant of our fair non-repudiation protocol [15], where the trusted third party will be involved only in case that one party cannot obtain the expected non-repudiation evidence from the other party. This variant is efficient in an environment where the two parties are likely to resolve communications problems between themselves.

The ultimate purpose of a non-repudiation service is to resolve disputes about the occurrence or non-occurrence of a claimed event or action. Dispute resolution relies on the evidence held by the participants. This paper discusses types of non-repudiation evidence, elements of non-repudiation evidence and validity of non-repudiation evidence. We also investigate and compare a number of protocols aiming at fair exchange of non-repudiation evidence.