## Efficient and Practical Fair Exchange Protocols with Off-line TTP (1998)

Citations: 104 (6 self)

### BibTeX

@INPROCEEDINGS{Bao98efficientand,
author = {Feng Bao and Robert H. Deng and Wenbo Mao},
title = {Efficient and Practical Fair Exchange Protocols with Off-line TTP},
booktitle = {},
year = {1998},
pages = {77--85}
}

### Abstract

We present new protocols for fair exchange of electronic data (digital signatures, payment and confidential data) between two parties A and B. Novel properties of the proposed protocols include: 1) off-line trusted third party (TTP), i.e., TTP does not take part in the exchange unless one of the parties behaves improperly; 2) only three message exchanges are required in the normal situation; 3) true fair exchange, i.e., either A and B obtain each other's data or no party receives anything useful; no loss can be incurred to a party no matter how maliciously the other party behaves during the exchange. This last property is in contrast to previously proposed protocols with off-line TTP ([1] and [21]), where a misbehaving party may get other party's data while refuse to send his document to the other party, and the TTP can provide affidavits attesting to what happened during the exchange. To our knowledge, the protocols presented here are the first exchange protocols which use off-line TTP and at the same time guarantee true fair-exchange of digital messages. We introduce...

### Citations

622 | Efficient signature generation by smart cards
- Schnorr
- 1991
Citation Context ...n M is Ssign(sk,M) = (d,D) where d = h(M IIDvJa). 6.3 PEDL Certificate Before we proceed to describe CEMBS for the above system, we first review the Proof of Equivalence of Discrete Logarithms (PEDL) [3, 5, 17, 19]. In PEDL, a prover wants to prove to a verifier that Y = X^a and y = x^a for some a while not revealing a. Here x, y, X, Y ∈ G with G being a group, x and X having order q and a ∈ Z. Certificate Generation...

503 | A Randomized Protocol for Signing Contracts
- Even, Goldreich, et al.
- 1985
Citation Context ...emes is that the exchange requires many rounds of interactions between the two parties. In addition, such schemes have always one bit unfairness; therefore, they do not guarantee perfect fairness. In [2] by Ben-Or, Goldreich, Micali and Rivest and [15] by Rabin, probabilistic methods were used in exchanging signatures on a contract, where A and B alternatively increase their probabilities of commitme...

315 | Wallet databases with observers
- Chaum, Pedersen
- 1993
Citation Context ...n M is Ssign(sk,M) = (d,D) where d = h(M IIDvJa). 6.3 PEDL Certificate Before we proceed to describe CEMBS for the above system, we first review the Proof of Equivalence of Discrete Logarithms (PEDL) [3, 5, 17, 19]. In PEDL, a prover wants to prove to a verifier that Y = X^a and y = x^a for some a while not revealing a. Here x, y, X, Y ∈ G with G being a group, x and X having order q and a ∈ Z. Certificate Generation...

287 | Efficient group signature schemes for large groups (extended abstract)
- Camenisch, Stadler

235 | PayWord and MicroMint–Two Simple Micropayment Schemes
- Rivest, Shamir
Citation Context ...es a known output, already validated as part of the protocol or application, from a one-way function. Examples include the S/KEY user authentication system [11], the PayWord electronic payment scheme [16], and applications of digital timestamping [12]. Protocol 3 1. Party A computes her signature signA = Ssign(sk,h(M)) on the one-way hash of the desired message and the ciphertext CT = Pencr(PKT, signA...

224 | How to Time-Stamp a Digital Document
- Haber, Stornetta
Citation Context ... the protocol or application, from a one-way function. Examples include the S/KEY user authentication system [11], the PayWord electronic payment scheme [16], and applications of digital timestamping [12]. Protocol 3 1. Party A computes her signature signA = Ssign(sk,h(M)) on the one-way hash of the desired message and the ciphertext CT = Pencr(PKT, signA). A then generates CEMBS Cert which is used to...

171 | Optimistic protocols for fair exchange
- Asokan, Schunter, et al.
- 1997
Citation Context ...useful; no loss can be incurred to a party no matter how maliciously the other party behaves during the exchange. This last property is in contrast to previously proposed protocols with off-line TTP ([1] and [21]), where a misbehaving party may get other party's data while refuse to send his document to the other party, and the TTP can provide affidavits attesting to what happened during the exchange. To...

155 | A Fair Non-repudiation Protocol
- Zhou, Gollmann
- 1996
Citation Context ...l advantage in probability of commitment than the other one and it also requires many rounds of communications. Another well known approach to fair exchange is using an on-line TTP, see for examples, [20] by Zhou and Gollmann, [6] by Deng, Gong, Lazar, and Wang, and [9] by Franklin and Reiter. In on-line TTP based protocols, the TTP acts as a mediator between A and B: A and B forward their data to the ...

143 | An Efficient Off-Line Electronic Cash System Based on the Representation Problem
- Brands
- 1993
Citation Context ...n M is Ssign(sk,M) = (d,D) where d = h(M IIDvJa). 6.3 PEDL Certificate Before we proceed to describe CEMBS for the above system, we first review the Proof of Equivalence of Discrete Logarithms (PEDL) [3, 5, 17, 19]. In PEDL, a prover wants to prove to a verifier that Y = X^a and y = x^a for some a while not revealing a. Here x, y, X, Y ∈ G with G being a group, x and X having order q and a ∈ Z. Certificate Generation...

123 | Publicly Verifiable Secret Sharing
- Stadler
- 1996
Citation Context ...nt of the ElGamal signature scheme. It is easy to see that this scheme is at least as secure as DSA. 5.2 Description of CEMBS CEMBS in the system described above can be realized through Stadler's (in [18]) PEDLDLL (Proof of Equivalence of Discrete Logarithm to Discrete LogLogarithm) which is stated as follows: Let p and q be as defined above. Let x, y, z ∈ Z and X, Y ∈ Z; where ord(X) = q. There exist...

110 | A "paradoxical" identity-based signature scheme resulting from zero-knowledge
- Guillou, Quisquater
- 1989
Citation Context ...ystem [8] and S = DSA-like signature scheme, as we will demonstrate in Section 5. It can also be realized on systems with P = ElGamal public key cryptosystem and S = Guillou-Quisquater signature scheme [10], as will be shown in Section 6. 4 Description and Analysis of New Protocols In this section, we present three fair exchange protocols with off-line TTP. Let A and B be the two parties involved in the...

92 | Fair exchange with a semi-trusted third party
- Franklin, Reiter
- 1997
Citation Context ...also requires many rounds of communications. Another well known approach to fair exchange is using an on-line TTP, see for examples, [20] by Zhou and Gollmann, [6] by Deng, Gong, Lazar, and Wang, and [9] by Franklin and Reiter. In on-line TTP based protocols, the TTP acts as a mediator between A and B: A and B forward their data to the TTP which first checks the validity of the received data and then ...

64 | Practical protocols for certified electronic mail
- Deng, Gong, et al.
- 1996
Citation Context ...of commitment than the other one and it also requires many rounds of communications. Another well known approach to fair exchange is using an on-line TTP, see for examples, [20] by Zhou and Gollmann, [6] by Deng, Gong, Lazar, and Wang, and [9] by Franklin and Reiter. In on-line TTP based protocols, the TTP acts as a mediator between A and B: A and B forward their data to the TTP which first checks the...

7 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context ...rt such that Veri(Cert, C, M, PK, pk) = yes without C = Pencr(PK, m) and Sveri(pk, m, M) = yes holding true for some m. The CEMBS can be realized on systems with P = ElGamal public key cryptosystem [8] and S = DSA-like signature scheme, as we will demonstrate in Section 5. It can also be realized on systems with P = ElGamal public key cryptosystem and S = Guillou-Quisquater signature scheme [10], as ...

3 | The S/KEY one-time password system
- Haller
- 1994
Citation Context ...ponsible for revealing the input that produces a known output, already validated as part of the protocol or application, from a one-way function. Examples include the S/KEY user authentication system [11], the PayWord electronic payment scheme [16], and applications of digital timestamping [12]. Protocol 3 1. Party A computes her signature signA = Ssign(sk,h(M)) on the one-way hash of the desired mess...

3 | Verifiable Escrowed Signature
- Mao
- 1997

1 | How to simultaneously exchange secrets by general assumption
- Okamoto, Ohta
- 1994
Citation Context ... as the Internet. Fair exchange has been studied for some time in the context of "simultaneous secret exchange" or "gradual secret releasing", see for examples, [7] by Even, Goldreich, and Lempel and [14] by Okamoto and Ohta. In simultaneous secret exchange schemes, it is assumed that two parties A (Alice) and B (Bob) each possess a secret a and b, respectively, where a and b are n bit strings. Furthe...

1 | Transaction protection by beacons, Aiken Computation Lab
- Rabin
- 1981
Citation Context ...f interactions between the two parties. In addition, such schemes have always one bit unfairness; therefore, they do not guarantee perfect fairness. In [2] by Ben-Or, Goldreich, Micali and Rivest and [15] by Rabin, probabilistic methods were used in exchanging signatures on a contract, where A and B alternatively increase their probabilities of commitment to the contract. This approach removes the dra...

1 | Binding ElGamal: a fraud-detectable alternative to key escrow proposals
- Verheul, Tilborg
- 1997