Usable Optimistic Fair Exchange

  • Alptekin Küpçü
  • Anna Lysyanskaya
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5985)


Fairly exchanging digital content is an everyday problem. It has been shown that fair exchange cannot be done without a trusted third party (called the Arbiter). Yet, even with a trusted party, it is still non-trivial to come up with an efficient solution, especially one that can be used in a p2p file sharing system with a high volume of data exchanged.

We provide an efficient optimistic fair exchange mechanism for bartering digital files, where receiving a payment in return to a file (buying) is also considered fair. The exchange is optimistic, removing the need for the Arbiter’s involvement unless a dispute occurs. While the previous solutions employ costly cryptographic primitives for every file or block exchanged, our protocol employs them only once per peer, therefore achieving O(n) efficiency improvement when n blocks are exchanged between two peers. The rest of our protocol uses very efficient cryptography, making it perfectly suitable for a p2p file sharing system where tens of peers exchange thousands of blocks and they do not know beforehand which ones they will end up exchanging. Therefore, our system yields to one-two orders of magnitude improvement in terms of both computation and communication (80 seconds vs. 84 minutes, 1.6MB vs. 100MB). Thus, for the first time, a provably secure (and privacy respecting when payments are made using e-cash) fair exchange protocol is being used in real bartering applications (e.g., BitTorrent) [14] without sacrificing performance.


Hash Function Encryption Scheme Signature Scheme Trust Third Party Setup Phase 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Asokan, N., Janson, P.A., Steiner, M., Waidner, M.: The state of the art in electronic payment systems. IEEE Computer 30, 28–35 (1997)Google Scholar
  2. 2.
    Asokan, N., Schunter, M., Waidner, M.: Optimistic Protocols for Fair Exchange. In: CCS (1997)Google Scholar
  3. 3.
    Asokan, N., Shoup, V., Waidner, M.: Asynchronous protocols for optimistic fair exchange. In: IEEE Security and Privacy (1998)Google Scholar
  4. 4.
    Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communications 18(4), 591–610 (2000)CrossRefGoogle Scholar
  5. 5.
    Ateniese, G.: Efficient verifiable encryption (and fair exchange) of digital signatures. In: CCS (1999)Google Scholar
  6. 6.
    Avoine, G., Vaudenay, S.: Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 74–85. Springer, Heidelberg (2004)Google Scholar
  7. 7.
    Backes, M., Datta, A., Derek, A., Mitchell, J.C., Turuani, M.: Compositional analysis of contract-signing protocols. Theoretical Computer Science 367(1-2), 33–56 (2006)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Belenkiy, M., Chase, M., Erway, C.C., Jannotti, J., Küpçü, A., Lysyanskaya, A., Rachlin, E.: Making P2P Accountable without Losing Privacy. In: WPES (2007)Google Scholar
  9. 9.
    Belenkiy, M., Chase, M., Erway, C.C., Jannotti, J., Küpçü, A., Lysyanskaya, A.: Incentivizing Outsourced Computation. In: NetEcon (2008)Google Scholar
  10. 10.
    Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  11. 11.
    Ben-Or, M., Goldreich, O., Micali, S., Rivest, R.L.: A fair protocol for signing contracts. IEEE Transactions on Information Theory 36(1), 40–46 (1990)CrossRefGoogle Scholar
  12. 12.
    Blakley, G.R.: Safeguarding cryptographic keys. In: National Computer Conference (1979)Google Scholar
  13. 13.
    Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 236. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  14. 14.
  15. 15.
    Camenisch, J., Damgård, I.: Verifiable Encryption, Group Encryption, and Their Applications to Group Signatures and Signature Sharing Schemes. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 331. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  16. 16.
    Camenisch, J., Hohenberger, S., Kohlweiss, M., Lysyanskaya, A., Meyerovich, M.: How to Win the Clonewars: Efficient Periodic N-times Anonymous Authentication. In: CCS (2006)Google Scholar
  17. 17.
    Camenisch, J.L., Hohenberger, S., Lysyanskaya, A.: Compact e-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005)Google Scholar
  18. 18.
    Camenisch, J., Lysyanskaya, A., Meyerovich, M.: Endorsed e-cash. IEEE Security and Privacy (2007)Google Scholar
  19. 19.
    Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)Google Scholar
  20. 20.
    Chaum, D.: Bling signatures for untraceable payments. In: CRYPTO (1982)Google Scholar
  21. 21.
    Chaum, D., den Boer, B., van Heyst, E., Mjolsnes, S., Steenbeek, A.: Efficient offline electronic checks. In: EUROCRYPT (1990)Google Scholar
  22. 22.
    Cohen, B.: Incentives build robustness in bittorrent. In: Kaashoek, M.F., Stoica, I. (eds.) IPTPS 2003. LNCS, vol. 2735, Springer, Heidelberg (2003)Google Scholar
  23. 23.
    Cohen, L.: Testimony of Larry Cohen, President of Communications Workers of America (May 2007)Google Scholar
  24. 24.
    Cramer, R., Shoup, V.: A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 13. Springer, Heidelberg (1998)Google Scholar
  25. 25.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES–the Advanced Encryption Standard. Springer books (2002)Google Scholar
  26. 26.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: The second-generation onion router. In: USENIX Security (2004)Google Scholar
  27. 27.
    Dodis, Y., Lee, P.J., Yum, D.H.: Optimistic Fair Exchange in a Multi-user Setting. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 118–133. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  28. 28.
    Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM Journal on Computing (2000)Google Scholar
  29. 29.
    Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP Is Secure under the RSA Assumption. Journal of Cryptology 17(2), 81–104 (2004)zbMATHCrossRefMathSciNetGoogle Scholar
  30. 30.
    Garay, J., Jakobsson, M., MacKenzie, P.: Abuse-free optimistic contract signing. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 449. Springer, Heidelberg (1999)Google Scholar
  31. 31.
    Goldwasser, S., Micali, S., Rivest, R.: A Digital Signature Scheme Secure Against Adaptive Chosen Message Attack. SIAM Journal on Computing (1988)Google Scholar
  32. 32.
    Iosup, A., Garbacki, P., Pouwelse, J., Epema, D.H.J.: Correlating Topology and Path Characteristics of Overlay Networks and the Internet. In: GP2PC (2006)Google Scholar
  33. 33.
    Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman and Hall/CRC Press, Boca Raton (2007)Google Scholar
  34. 34.
    Küpçü, A., Lysyanskaya, A.: Optimistic Fair Exchange with Multiple Arbiters. Cryptology ePrint Archive, Report 2009/069 (2009),
  35. 35.
    Küpçü, A., Lysyanskaya, A.: Usable Optimistic Fair Exchange. Cryptology ePrint Archive, Report 2008/431 (2008),
  36. 36.
    Lindell, Y.: Legally Enforceable Fairness in Secure Two-Party Computation. In: Malkin, T.G. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 121–137. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  37. 37.
    Markowitch, O., Saeednia, S.: Optimistic fair exchange with transparent signature recovery. In: Syverson, P.F. (ed.) FC 2001. LNCS, vol. 2339, p. 329. Springer, Heidelberg (2002)Google Scholar
  38. 38.
    Merkle, R.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988)Google Scholar
  39. 39.
    Micali, S.: Simultaneous Electronic Transactions. U.S. Patent, No. 5,666,420 (1997)Google Scholar
  40. 40.
    Micali, S.: Simple and fast optimistic protocols for fair electronic exchange. In: PODC (2003)Google Scholar
  41. 41.
    Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: STOC (1989)Google Scholar
  42. 42.
    NIST. Digital Signature Standard (DSS). FIPS, PUB 186-2 (2000)Google Scholar
  43. 43.
    Pagnia, H., Gärtner, F.C.: On the impossibility of fair exchange without a trusted third party. Technical Report, TUD-BS-1999-02 (1999)Google Scholar
  44. 44.
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 223. Springer, Heidelberg (1999)Google Scholar
  45. 45.
    Shamir, A.: How to Share a Secret. ACM Communications (1979)Google Scholar
  46. 46.
    Shmatikov, V., Mitchell, J.C.: Finite-state analysis of two contract signing protocols. Theoretical Computer Science 283(2), 419–450 (2002)zbMATHCrossRefMathSciNetGoogle Scholar
  47. 47.
    Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 1–16. Springer, Heidelberg (1998)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Alptekin Küpçü
    • 1
  • Anna Lysyanskaya
    • 1
  1. 1.Brown UniversityProvidenceUSA

Personalised recommendations