Optimistic fair exchange of digital signatures

Extended abstract
  • N. Asokan
  • Victor Shoup
  • Michael Waidner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1403)


We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is “optimistic,” in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player.



Copyright information

© Springer-Verlag 1998

Authors and Affiliations

  • N. Asokan (1)
  • Victor Shoup (1)
  • Michael Waidner (1)
  1. IBM Zürich Research Laboratory, Rüschlikon, Switzerland
