A unified approach to a fair document exchange system
Introduction
One of the principal activities in e-commerce is concerned with fair document exchange among a group of parties (e.g. companies, organisations or individuals). Such exchange is required when the documents to be exchanged contain valuable information. For example, a vendor exchanges valuable electronic goods for a payment from a customer, a group of companies or individuals exchange valuable electronic goods, and an individual or a company exchanges an important email or document for acknowledgements from a number of recipients. The valuable nature of the documents dictates that the exchange must be secure and fair to prevent a dishonest party from misbehaving and to avoid the situation where a party Pa can obtain an expected document from another party Pb, while Pb cannot get its expected document from Pa.
So far a number of approaches have been proposed to achieve fair exchange (Asokan et al., 1996; Asokan et al., 1997, Asokan et al., 1998, Asokan et al., 2000; Ateniese, 1999; Bao et al., 1998; Bao et al., 1999; Bao and Deng, 1999; Chen, 1998; Franklin and Reiter, 1997; Franklin and Tsudik, 1998; Khill et al., 2001; Okamoto and Ohta, 1994; Rabin, 1983; Ray et al., 2000; Ray and Ray, 2000, Ray and Ray, 2001; Vogt et al., 1999; Zhang et al., 1999). The main methods used by these approaches can be divided into three categories:
- (1)
Online trusted neutral (or third) party (TNP) based approaches: An online TNP acts as an intermediary to assist other parties in a document exchange. It is online because it takes part in the exchange process to perform tasks such as collecting, verifying and forwarding data items related to keys for document decryption (Franklin and Reiter, 1997). The neutral party could also be semi-trusted in the sense that it may misbehave but does not conspire with any party involved in the exchange (Franklin and Reiter, 1997). The use of a semi-trusted neutral party (STNP) makes its implementation easier.
- (2)
Offline TNP based approaches: An offline TNP does not participate in an exchange in normal cases. In other words, the parties involved in the exchange can fairly complete the exchange process without any involvement of the TNP if the exchange process is operated properly. The TNP is invoked to recover necessary information, e.g. a signature on a file or a message (Bao et al., 1998), so as to ensure a fair completion of the exchange only in abnormal cases where the exchange is not operated properly due to system faults or a party's misbehaviour. This type of approach becomes preferable as it offers the more cost-effective use of a TNP. As with the online TNP based approaches, the neutral party could be semi-trusted as well (Bao and Deng, 1999).
- (3)
Approaches without use of any TNP: Most of them are based on gradual secret releasing, e.g. (Okamoto and Ohta, 1994), and probabilistic methods, e.g. (Rabin, 1983), which are not considered as cost-effective (Bao et al., 1998), e.g. they require many rounds of exchanges. There is another approach (Zhang et al., 1999) which relies on the honest behaviours of over half of multiple parties involved in an exchange to achieve fairness.
Fairness can be divided into strong fairness and weak fairness (Asokan et al., 1997). Strong fairness means that at the end of an exchange among a group of parties, either each party can obtain every expected document from the others, or no party can obtain any expected document from any other party. Weak fairness refers to that at the end of an exchange, either it achieves strong fairness, or any party Pa which cannot obtain an expected document from another party Pb can prove to an arbiter that Pb has received (or can receive) its document. In the latter case, an external dispute resolution system such as a court of law is needed to resolve the dispute, which may not guarantee that Pa will receive the expected document from Pb. Thus strong fairness is more desirable, which is the main issue to be addressed in the rest of this paper.
There are a number of fair exchange approaches such as those given in Asokan et al. (2000), Ateniese (1999), Bao et al., 1998, Bao et al., 1999, Chen (1998), which belong to category (2) mentioned above and can achieve strong fairness. These approaches are concerned mainly with exchanges involving signatures. The principal idea used by the approaches is based on a verifiable and recoverable encryption of a signature. The verifiability means that any party can verify the correctness of the encrypted signature without actually viewing the signature. The recoverability implies that only a designated offline TNP (or STNP) can decrypt the encrypted signature when the TNP is invoked for the legitimate recovery of the signature. This verifiable and recoverable signature encryption is essential for the approaches to achieve strong fairness based on an offline TNP.
However, existing approaches offering strong fairness suffer from two main weaknesses. First, in an exchange of documents, the parties involved normally first exchange their documents encrypted with symmetric (or conventional) keys, and then exchange the keys for the decryption of the documents. The main issue for this exchange is about how to exchange the keys fairly. It would be desirable to apply the concept of verifiable and recoverable signature encryption to keys so as to achieve strong fairness for key exchange. As the verification of a key is different from that of a signature, appropriate methods for verifiable and recoverable key encryption are needed. To the best of our knowledge, no published approach to fair document exchange has applied the concept of such key encryption to achieve strong fairness based on an offline TNP/STNP.
Secondly, no current work has unified the above three categories of approaches to handle exchanges in various situations in a flexible, consistent and cost-effective manner, while guaranteeing strong fairness. Currently, most exiting approaches fall in one of the three categories. This restricts their applicability as different situations may require the use of different categories of approaches, e.g. only an approach of category (3) is applicable if no TNP/STNP can be agreed by all the parties involved in an exchange. Consequently, a document exchange system has to incorporate the different categories of approaches, and little consistency between them hinders a cost-effective implementation of the system. Though the approach given in Zhang et al. (1999) belongs to both of categories (1) and (3), it can only provide weak fairness. Additionally the approach presented in Vogt et al. (1999) falls in categories (1) and (2), but it does not really offer strong fairness when it operates with an offline TNP.
The aim of this paper is to rectify the above weaknesses. Specifically, we will present a simple but efficient approach to verifiable and recoverable key encryption for each of the three categories (1)–(3) above. We will then combine these approaches to propose a flexible, general and unified approach for the development of a fair document exchange system, which can offer strong fairness. The unified approach can operate in any one of the following modes for a document exchange among any number of parties:
- (a)
Use of an online STNP if half, or fewer than half, of the parties are honest, or
- (b)
Use of an offline STNP if half, or fewer than half, of the parties are honest, or
- (c)
Without use of any TNP/STNP if over half of the parties are honest.
These three modes are similar to the three categories (1)–(3) of approaches to fair document exchange described earlier, respectively, but the first two modes make use of STNPs instead of TNPs. Modes (a) and (b) have some advantages and weaknesses in comparison with each other. Mode (a) offers an easy implementation of a STNP as it can operate just like an ordinary party, but the STNP needs to participate in the exchange process online. Mode (b) provides a more cost-effective use of a STNP because it is invoked only under abnormal cases, but the STNP needs to perform different operations from ordinary parties so that special care must be given to its management and protection. These advantages and weaknesses should be taken into account in conjunction with application environments to determine which mode is more suitable.
The major novel contribution of this paper is twofold. First, it presents the first unified fair document exchange solution that applies the concept of verifiable and recoverable key encryption to achieve strong fairness under various application circumstances. Secondly, the mode (b) of the unified solution is more efficient than other related work, and there is no existing approach offering the mode (c) of the unified solution for document exchange with strong fairness.
The rest of the paper is organised as follows. Section 2 states the notation, assumptions and strong fairness requirement to be used in the subsequent sections. In Section 3, we present an approach to fair document exchange without use of any TNP/STNP, i.e. mode (c) above. Section 4 demonstrates how mode (a) can be handled as a special instance of the approach by employing an online STNP. In Section 5, we extend the approach to incorporate an offline STNP, i.e. mode (b). Section 6 proposes a unified solution to fair document exchange based on the approaches developed. In Section 7 we analyse the fairness of this unified solution with regard to the strong fairness requirement stated. Section 8 compares the unified solution with related work. Finally our conclusions and future work are outlined in Section 9.
Section snippets
Notation
The notation to be used throughout this paper is summarised as follows:
- •
Ek(x) expresses the ciphertext of a data item x encrypted with a key k. Ek(x) is computed using a public-key cryptosystem (e.g. RSA) if the corresponding decryption key is different from k, and using a conventional cryptosystem (e.g. triple DES) otherwise. Here we assume that the cryptosystems used are secure.
- •
pki and ski represent public and private keys of a party Pi, respectively.
- •
with x<q is used as a one-way
Key exchange without any STNP/TNP
Suppose that at most out of the n parties might be dishonest or not trustful, e.g. they may intend to obtain other parties' document keys without allowing the others to get their keys. The remaining n−m parties are honest. Note that if m=0, i.e. all the parties are honest, there is no need to use any fair exchange approach for the document exchange. The upper bound of m ensures that over half of the parties wish to honestly exchange their documents. In this case, there is no
Key exchange with an online STNP
The approach for the mode (c) of exchange presented in Section 3 can also be applied to deal with the case of m⩾⌊(n+1)/2⌋ (i.e. no less than half of the parties may be dishonest) by employing online STNP Pon (=Pn+1, as assumed in Section 2.2) agreed by all the parties, i.e. the mode (a) of exchange stated in Section 1. The role of Pon is to assist the parties in the fair exchange of their document keys. In the following, we will only outline the differences of mode (a) from mode (c) in relation
Key exchange with an offline STNP
Alternatively, in the case of m⩾⌊(n+1)/2⌋, offline STNP , as assumed in Section 2.2) agreed by all the n parties can be employed to assist them in the exchange of their document keys, i.e. the mode (b) of exchange stated in Section 1. The main difference from the mode (a) of exchange described in Section 4 is that Poff does not participate in the normal exchange process, i.e. stages 1–3 presented in Section 3, and it is invoked only when the recovery of a key is required, i.e. stage 4.
A unified approach to fair document exchange
We now combine the three approaches given in 3 Key exchange without any STNP/TNP, 4 Key exchange with an online STNP, 5 Key exchange with an offline STNP to produce a unified approach to fair document exchange among the n parties. This unified approach will be presented using two protocols. The first protocol corresponds to the first three stages of the exchange process described in Section 3, namely normal cases of exchange without key recovery. The second protocol is for key recovery, i.e.
Fairness analysis
We now analyse the fairness of the unified solution for document exchange defined in Table 1, Table 2. The analysis is presented in terms of the three modes of the protocols, respectively.
- •
Mode (c) of the protocols (i.e. no STNP is used): The fairness of this mode (i.e. the approach described in Section 3) is demonstrated by the following points:
- (1)
Once a party Pi has got all the n correct acknowledgements in its possession, Pi can obtain any other party Pj's key kj either directly from another
- (1)
Comparison with related work
In this section we compare the three modes of the unified approach described in Section 6 with related work, respectively.
- •
Mode (a) of the approach (i.e. when Pon is used): Existing fair exchange approaches relevant to the method presented in Section 4 (and 3) are those given in Franklin and Reiter (1997) and Franklin and Tsudik (1998). These approaches allow an online STNP to verify the correctness of document keys without actually seeing them, and to forward the verified keys to the
Conclusions and future work
We have presented approaches to fair document exchange with the support of no STNP, an online STNP, or an offline STNP, respectively, in a unified manner. These approaches adopt the concept of verifiable and recoverable key encryption to achieve strong fairness. We have then combined the approaches to produce the first unified solution for fair document exchange involving any number of parties, which can operate under various situations while guaranteeing strong fairness. This unified solution
Acknowledgements
This research is supported in part by the FIDES (Fair Integrated Data Exchange Services) project funded jointly by the UK Engineering and Physical Sciences Research Council (EPSRC) and Department of Trade and Industry (DTI). The project reference is LINK, GR/R55177.
We would like to thank the anonymous referees for their most constructive comments and suggestions.
Ning Zhang is a Lecturer in Computer and Communication Networks in the Department of Computer Science at the University of Manchester in the UK. She received her PhD from the University of Kent at Canterbury in the UK in 1991. Between 1991 and 2000, she first worked for the University of York and then Manchester Metropolitan University in the UK before she joined the University of Manchester in 2000. Her main research interests include the design of protocols and architectures for secure
References (22)
- et al.
Multi-party fair exchange protocol using ring architecture model
Computers & Security
(2001) Transaction protection by beacons
Journal of Computer and System Science
(1983)- Asokan, N., Schunter, M., Waidner, M., 1996. Optimistic protocols for multi-party fair exchange. IBM Research Report...
- Asokan, N., Schunter, M., Waidner, M., 1997. Optimistic protocols for fair exchange. In: Proceedings of ACM Conference...
- Asokan, N., Shoup, V., Waidner, M., 1998. Asynchronous protocols for optimistic fair exchange. In: Proceedings of IEEE...
- et al.
Optimistic fair exchange of digital signatures
IEEE Journal on Selected Areas in Communications
(2000) - Ateniese, G., 1999. Efficient verifiable encryption (and fair exchange) of digital signatures. In: Proceedings of ACM...
- Bao, F., Deng, R., Mao, W., 1998. Efficient and practical fair exchange protocols with off-line TTP. In: Proceedings of...
- Bao, F., Deng, R., 1999. An efficient fair exchange protocol with an off-line semi-trusted third party. In: Proceedings...
- Bao, F., Deng, R., Nguyen, K.Q., Varadharajan, V., 1999. Multi-party fair exchange with an off-line trusted neutral...
Efficient fair exchange with verifiable confirmation of signatures
Cited by (6)
Chained Transaction Protocol Automated Verification Using Cl-AtSe
2021, Communications in Computer and Information ScienceFair exchange E-commerce protocol for multi-chained complex transactions
2020, ICETE 2020 - Proceedings of the 17th International Joint Conference on e-Business and TelecommunicationsAn optimistic fair exchange protocol with active intermediaries
2013, International Journal of Information SecurityAn agent-mediated fair exchange protocol
2010, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)Secure and anonymous electronic commerce protocol over a public network
2008, IMSAA'08 - 2nd International Conference on Internet Multimedia Services Architecture and ApplicationStrategic aspects of electronic document encryption
2007, International Journal of Services and Standards
Ning Zhang is a Lecturer in Computer and Communication Networks in the Department of Computer Science at the University of Manchester in the UK. She received her PhD from the University of Kent at Canterbury in the UK in 1991. Between 1991 and 2000, she first worked for the University of York and then Manchester Metropolitan University in the UK before she joined the University of Manchester in 2000. Her main research interests include the design of protocols and architectures for secure communications, networks, and e-commerce. She is currently leading a research team working on a number of research projects on security, which are funded by various sources including the Engineering and Physical Sciences Research Council (EPSRC) that is the largest of the seven UK Research Councils.
Qi Shi is a Reader in the School of Computing and Mathematical Sciences at Liverpool John Moores University in the UK. He received his PhD in Computing from Dalian University of Technology, Dalian, People's Republic of China, in 1989. Between 1990 and 1994 he worked on a research project for the Department of Computer Science at the University of York in the UK. In 1994 he joined the School of Computing and Mathematical Sciences at Liverpool John Moores University. His current research interests include the development of formal security models, composable security theory, security protocols, mobile communication security, and network intrusion detection. He is currently supervising several research projects on network security, which are funded by various sources.
Madjid Merabti is a Professor, Director, and the Head of Research, School of Computing and Mathematical Sciences, Liverpool John Moores University, Liverpool, UK. He is a graduate of Lancaster University in the UK. He has over 10 years experience in conducting research and teaching in the areas of Distributed Multimedia Systems (Computer Networks, Operating Systems, and Computer Security). Prof. Merabti has over 50 publications in these areas, and he leads the Distributed Multimedia Systems Group which has a number of Government and Industry supported research projects in the areas of: Multimedia Networking, IP telephony, Differential Services Networks, Interactive TV, Multimedia Retrieval and Presentation, Mobile Networks Security, Intrusion Detection, and Security Architectures. He is collaborating with a number of international colleagues in the above areas.