We present new protocols for fair exchange of electronic data (digital signatures, payment and confidential data) between two parties A and B. Novel properties of the proposed protocols include: 1) off-line trusted third party (TTP), i.e., TTP does not take part in the exchange unless one of the parties behaves improperly; 2) only three message exchanges are required in the normal situation; 3) true fair exchange, i.e., either A and B obtain each other's data or no party receives anything useful; no loss can be incurred to a party no matter how maliciously the other party behaves during the exchange. This last property is in contrast to previously proposed protocols with off-line TTP ([1] and [21]), where a misbehaving party may get other party's data while reuse to send his document to the other party, and the TTP can provide affidavits attesting to what happened during the exchange. To our knowledge, the protocols presented here are the first exchange protocols which use off-line TTP and at the same time guarantee true fair-exchange of digital messages. We introduce...

Applications such as e-commerce payment protocols, elec-tronic contract signing, and certified e-mail delivery require that fair exchange be assured. A fair-exchange protocol al-lows two parties to exchange items in a fair way so that either each party gets the other's item, or neither party does. We describe a novel method of constructing very ef-ficient fair-exchange protocols by distributing the computa-tion of RSA signatures. Specifically, we employ multisig-natures based on the RSA-signature scheme. To date, the vast majority of fair-exchange protocols require the use of zero-knowledge proofs, which is the most computationally intensive part of the exchange protocol. Using the intrinsic features of our multisignature model, we construct protocols that require no zero-knowledge proofs in the exchange proto-col. Use of zero-knowledge proofs is needed only in the pro-tocol setup phase--this is a one-time cost. Furthermore, our scheme uses multisignatures that are compatible with the underlying standard (single-signer) signature scheme, which makes it possible to readily integrate the fair-exchange fea-ture with existing e-commerce systems.

Abstract. We propose a micro-cash technique based on a one-time sig-nature scheme: signing a message more than once leads to disclosure of the signer's private key. In addition to usual cash properties such as off-fine bank for payment and spender's anonymity, the technique also provides a number of useful features. These include: identifying double spender with strong proof, cash revocable for identified double spender, independent of using tamper-resistant devices, coin sub-divisible to smal-ler denominations, and system simplicity in terms of small-sized data for cash representation as well as simple protocols for cash withdrawal, pay-ment and deposit. We reason that these features support a lightweight cash system suitable for handling very low value payment transactions, such as information purchases on the Internet.

Many variants of the ElGamal signature scheme have been proposed. The most famous is the DSA standard. If computing discrete logarithms is hard, then some of these schemes have been proven secure in an idealized model, either the random oracle or the generic group. We propose a generic but simple presentation of signature schemes with security based on the discrete logarithm. We show how they can be proven secure in idealized model, under which conditions. We conclude that none of the previously proposed digital signature schemes has optimal properties and we propose a scheme named PECDSA.