Theory of Cryptography Library: Record 97-15


Optimistic Fair Exchange of Digital Signatures

N. Asokan, V. Shoup, M. Waidner

Abstract: We present a new protocol that allows two players to exchange digital signatures (including RSA and DSS) over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. One obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket; the protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is "optimistic," in that the third party is only needed in cases where one player attempts to cheat or simply crashes. This is an important property, as it greatly reduces the load on the third party, which in particular facilitates a more robust and secure implementation of the third party.

Our protocol enjoys two novel properties. First, unlike previously known optimistic protocols, our protocol guarantees *strong* fairness: the players get the signatures themselves, not affidavits that can be used in an external dispute mechanism or some other type of substitute. Second, either player can always force a timely and fair termination, without the cooperation of the other player, and without reliance on synchronized clocks or any kind of "time-out" mechanism. This makes our protocol much more secure than previous fair exchange protocols (optimistic or not), as previous protocols either leave one player "hanging" for a long time (if the time-out is too long), or expose one player to an unreasonable risk of being cheated (if the time-out is too short).

A specialization of our protocol can be used for contract signing; this specialization is not only more efficient, but also has the important property that the third party can be held *accountable* for its actions: if it ever cheats, this can be detected and proven. All of the protocols are quite practical and provably secure in a reasonable formal model of security.

Keywords: fair exchange protocol, contract signing

comment: received December 5th, 1997. (This paper is IBM Research Report RZ 2973, dated Nov. 17, 1997.)

contact author: sho@zurich.ibm.com



