(Im)possibility of Safe Exchange Mechanism Design

Tuomas Sandholm, Computer Science Department, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213, sandholm@cs.cmu.edu
XiaoFeng Wang, Department of Electrical and Computer Engineering, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213, xiaofeng@andrew.cmu.edu

Abstract

Safe exchange is a key issue in multiagent systems, especially in electronic transactions where nondelivery is a major problem. In this paper we present a unified framework for modeling safe exchange mechanisms. It captures the disparate earlier approaches as well as new safe exchange mechanisms (e.g., reputation locking). Being an overarching framework, it also allows us to study what is inherently possible and impossible in safe exchange. We study this under different game-theoretic solution concepts, with and without a trusted third party, and with an offline third party that only gets involved if the exchange fails. The results vary based on the generality of the exchange setting, the existence (or creative construction) of special types of items to be exchanged, and the magnitude of transfer costs, defection costs and escrow fees. Finally, we present an incentive-compatible negotiation protocol for selecting the best safe exchange mechanism when the agents do not know each other's costs for the different alternatives.

1. Introduction

Safe exchange is a key issue in multiagent systems, especially in electronic transactions. The rapid growth of Internet commerce has intensified this due to anonymous exchange parties, cheap pseudonyms, globality (different laws in different countries), etc. A recent study showed that 6% of people with online buying experience have reported nondelivery (NCL 1999). Software agents further exacerbate the problem due to their ability to vanish by killing their own processes. Without effective solutions, the safe exchange problem is one of the greatest obstacles to the further development of electronic commerce.

AI research has studied the problem using game-theoretic mechanism design. A safe exchange mechanism proposed in (Sandholm and Lesser 1995; Sandholm 1996) splits the exchange into small portions so that each agent benefits more by continuing the exchange than by vanishing.
This idea has been operationalized in a safe exchange planner (Sandholm and Ferrandon 2000). The problem of cheap pseudonyms has been tackled by forcing new traders to pay an entry fee (Friedman and Resnick 1998), and schemes have been proposed for minimizing the needed entry fee (Matsubara and Yokoo 2000). Safe exchange was recently modeled as a dynamic game (Buttyán and Hubaux 2001).

Copyright 2002, American Association for Artificial Intelligence (www.aaai.org). All rights reserved.

Safe exchange has also been studied in computer security. These techniques include the coin ripping protocol (Jakobsson 1995) and zero-knowledge proofs for exchanging signatures (Bao et al. 1998), which we will discuss later in this paper. Some of the techniques rely on a trusted third party (Deng et al. 1996).

This paper presents a unified exchange model that captures the previous disparate approaches (Section 2). We also present new safe exchange protocols. Most importantly, our model allows us to study what is inherently possible and impossible to achieve in safe exchange. We study this in the context of no trusted third party (Section 3), with a trusted third party (Section 4), and with an offline trusted third party that only gets involved if the exchange fails (Section 5). We ask whether safe exchange is possible under different game-theoretic solution concepts. We study this in the general case, with special types of items to be exchanged, and with various transfer costs, defection costs and escrow fees. Finally, we present a negotiation mechanism for selecting among multiple safe exchange mechanisms (Section 6). To our knowledge, this is the first work to systematically investigate general exchange problems from the perspective of mechanism design.

2. Our exchange model

Our exchange setting has three parties: two strategic agents $N = \{1, 2\}$, that exchange items (for example, goods and payment), and a trusted third party (TTP) which facilitates the exchange. The TTP is not a strategic agent, and faithfully follows the exchange protocol. At any stage of the exchange, each party is in some state. The space of states of party $i$ is denoted by $S_i$. $S = S_1 \times S_2 \times S_{TTP}$ is the space of exchange states.
The state $s_i = \langle P_i, A_i, \alpha_i, c_i \rangle \in S_i$ of agent $i$ includes the following components:

A possession set $P_i$, which is the set of the items that the agent possesses. These items count toward the agent's utility. Intuitively, the agent can allocate these items to others (see footnote 1). However, we make the following key generalization which allows us to capture safe exchange mechanisms from the literature and new ones that would not fit a model based solely on possession sets. Specifically, sometimes a party may have the right to allocate an item even if it does not possess the item. For example, one can rip a $1 bill into two halves and give one of the halves to another party. Hence, neither party owns the money but it can give it to the other. In order to describe an agent's control of such items that do not contribute to the agent's utility, we introduce the notion of an allocation set.

An allocation set $A_i$, which is the set of items that an agent does not possess but can allocate to others (not to itself).

An activity flag $\alpha_i \in \{ACTIVE, INACTIVE\}$, which defines whether the party is still active. This is technically needed in order to have a well-defined setting (which requires that an outcome state is defined). An outcome state is an exchange state where no party is active anymore (it does not necessarily mean that the exchange is complete). An active party can take actions while an inactive one cannot. For example, an agent that vanishes in the middle of an exchange becomes inactive. Once an agent becomes inactive, it cannot become active again.

A cost $c_i$, which is the cumulative cost that the agent has incurred in the exchange so far (cost of sending items, defection penalties, etc.).

Footnote 1. The model also captures duplicable items such as software. The duplication is considered to occur before the exchange, so at the start all copies are in the possession sets.

Because the TTP can control some items during the exchange, it has an allocation set, but because it is not a strategic player and thus does not have a utility function, it has no possession set. The TTP itself does not have a cost, but again, in order to have well-defined outcomes, the TTP does have an activity flag. Put together, the state of the TTP is $s_{TTP} = \langle A_{TTP}, \alpha_{TTP} \rangle \in S_{TTP}$.

The set of outcome states is $O$. We say that in any outcome state, all allocation sets become empty because the parties are inactive and cannot allocate items anymore. An exchange starts from an initial state $s_0$, where the possession sets $P_i$ contain the items that are to be exchanged, and the allocation sets $A_i$ are empty. In any complete state $s_{complete} \in O$, the exchange is successfully completed: each agent possesses the items it was supposed to receive and lost only the items it was supposed to lose.

Each party can take actions. $M = M_1 \times M_2 \times M_{TTP}$ is the action space of the exchange. All three exchange parties have the following types of actions:

1. Wait: A party can wait for others to take actions.
2. Transfer: A party can transfer items from a source set (possession set or allocation set) to a set of destination sets. Each party $i$ has a Boolean function $T_i(src, item, DES)$ to determine whether the agent can transfer $item$ from set $src$ to all sets in $DES$ (this does not imply the possibility of transferring to a subset of the sets in $DES$). For example, if $item \in P_1$, then $T_1(P_1, item, \{P_1\}) = 1$. Some items (e.g., a $1 bill) can be moved into allocation sets.
3. Exit: Agent $i$ can deactivate itself by exiting at any state. Both agents and the TTP automatically exit if any complete state $s_{complete}$ is reached (see footnote 2).

Each action taken by an agent may incur a cost for that agent. The TTP also has an extra action type: it can punish an agent by adding to the agent's cumulative cost.

We assume that each agent $i \in N$ has quasi-linear preferences over states, so its utility function can be written as $u_i(s) = v_i(\lambda_1, \lambda_2, \dots, \lambda_k) - c_i$, where $v_i$ is agent $i$'s valuation, $\lambda_j$ is the quantity of item $j$ the agent possesses, and $c_i$ is the cumulative cost defined above.

The tuple $E = \langle N, TTP, S, M, u_1, u_2 \rangle$ is called an exchange environment. An instance of the environment is an exchange. The mechanism designer operates in $E$ to design an exchange mechanism $EM = \langle S', \rho, M', F, o \rangle$, where $S' \subseteq S$ and $M' \subseteq M$. The player function $\rho: S' \setminus O \to N \cup \{TTP\}$ determines which party takes actions in a state. The space of strategy profiles is $F = F_1 \times F_2 \times F_{TTP}$. Agent $i$'s strategy $f_i: S' \setminus O \to M'_i$ specifies the action agent $i$ will take in a state. The outcome function $o(s, f_1, f_2, f_{TTP}) \in O$ denotes the resulting outcome if the parties follow strategies $f_1, f_2, f_{TTP}$ starting from state $s$. Since the TTP is not a strategic player, we omit its static strategy from this function. We denote an agent by $i$, and the other agent by $-i$.

An exchange mechanism $EM$ has a dominant strategy equilibrium (DSE) if and only if each agent $i \in N$ has a strategy $f_i$ that is its best strategy no matter what strategy the other agent chooses. Formally, $u_i(o(s, f_i, f_{-i})) \ge u_i(o(s, f'_i, f_{-i}))$ for all $f'_i \in F_i$, all $f_{-i} \in F_{-i}$ (the other agent's strategy) and all $s \in S'$. The mechanism has a subgame perfect Nash equilibrium (SPNE) $(f_i, f_{-i})$ if and only if $u_i(o(s, f_i, f_{-i})) \ge u_i(o(s, f'_i, f_{-i}))$ for all $f'_i \in F_i$ and all $s \in S'$. In either equilibrium concept, if the inequality is strict, the equilibrium is strict. Otherwise it is weak.
An exchange can be represented as an exchange graph (Sandholm and Ferrandon 2000), where states are represented as vertices and actions as directed edges between states. Each edge has a weight indicating the cost of the move. An exchange mechanism is presented as a subgraph (see all figures, and footnote 3). A path from $s_0$ to any $s_{complete}$ is called a completion path. An exchange mechanism is a safe exchange mechanism (SEM) for an exchange in environment $E$ if the mechanism has at least one equilibrium $(f_1, f_2)$ in which the path of play is a complete completion path, that is, $o(s_0, f_1, f_2) = s_{complete}$. Such a path is called a safe exchange path. If the equilibrium is a (strict/weak) DSE, we say the safe exchange is implemented in (strict/weak) DSE. If the equilibrium is a (strict/weak) SPNE, we say the safe exchange is implemented in (strict/weak) SPNE.

Footnote 2. One concern is that an agent could postpone (indefinitely) without declaring exit. However, since we study exchanges for which we design well-defined exchange protocols, the parties can treat others' out-of-protocol actions as exit actions.

Footnote 3. When we illustrate mechanisms in this paper, for simplicity of drawing, we draw one vertex to represent all the states that have the same item allocation (but which may have different cumulated costs).

We make the following assumptions:
1. Sequentiality. For any given state of the exchange, the SEM specifies exactly one agent that is supposed to make transfers. We make this sequentiality assumption for convenience only. Allowing for parallel actions does not affect safety because if an agent is safe in a parallel action, it would have to be safe even if the other party did not complete its portion of the parallel action.
2. Possessions closed. If an agent possesses an item, the other agent has no possession of that item. There is no exogenous subsidy to the exchange. Formally, $item \in P_i$ at state $s$ only if $(item \in P_i \cup P_{-i}$ at $s_0) \wedge (item \notin P_{-i}$ at $s)$.
3. Exit rules. Both agents can exit at any state. Exiting is costless in any complete state $s_{complete}$. Exiting in any other state may subject the exiting agent to a cost (reputation loss, some chance of getting caught and financially penalized, etc.).
4. Nondecreasing utility. An agent's utility will not decrease from possessing additional items. Formally, if $P'_i \supseteq P_i$, then $u_i(s') \ge u_i(s)$ given the same costs.

An immediate result, which we will use in several places, is that during any exchange, no agent can take an action to improve its own immediate utility:

Lemma 2.1. It is impossible to have two states $s_t, s_{t+1}$ of the exchange such that $(\exists i \in N)\,((s_t \to s_{t+1}) \in M_i) \wedge (u_i(s_t) < u_i(s_{t+1}))$.

3. SEM design without a TTP

In this section, we study the possibility of SEM design in an exchange environment with no TTP.

3.1. Results for unrestricted items and costs

Here we derive general results for safe exchange without a TTP (see footnote 4). The results are general in that the exchange may contain any types of items, and exit costs can be arbitrary.

Proposition 3.1. Without a TTP, there exist exchanges that cannot be implemented safely in (even weak) DSE.

Proof. Consider an exchange of an item $k$. Without loss of generality, let agent $i$ make the first move from the initial state $s_0$. Denote the resulting state by $s_1$. Let (1) $v_i(\lambda_k) < v_i(\lambda'_k)$ if $\lambda_k < \lambda'_k$, and (2) say item $k$ cannot be transferred to any allocation set. The only possible move is to transfer some amount of item $k$ to the other agent's possession set. Thus, from (1) above and Assumption 2, we get $u_i(s_0) > u_i(s_1)$. Let $f_i$ be any strategy containing the above first move. Let there be free exit at the initial state $s_0$, and let $f'_i$ and $f_{-i}$ be strategies that prescribe exit at $s_0$.
Without a TTP, agent $i$ becomes the only player once the other agent exits. According to Lemma 2.1, $u_i(o(s_0, f_i, f_{-i})) \le u_i(s_1) < u_i(s_0) = u_i(o(s_0, f'_i, f_{-i}))$. Thus $f_i$ is not a dominant strategy. Since any safe exchange path has to contain the first move, it is impossible to implement the safe exchange in DSE.

In fact, we can prove a stronger claim which would imply Proposition 3.1 (we nevertheless presented the proof of 3.1 because it is based on a different principle):

Footnote 4. The impossibility of a similar notion, fair exchange, has been studied in a non-game-theoretic framework (Pagnia and Gärtner 1999).

Proposition 3.2. Without a TTP, there exist exchanges that cannot be implemented safely in (even weak) SPNE.

Proof. Consider an exchange where properties (1) and (2) from the previous proof hold (at least for the last item to be delivered), and exit costs are zero. Consider any particular state $s_t$ that precedes a complete state $s_{complete}$. Without loss of generality, let $i \in N$ make the last action to get to $s_{complete}$. By properties (1) and (2), $u_i(s_t) > u_i(s_{complete})$. Let $f_i \in F_i$, $f_{-i} \in F_{-i}$ be any strategy profile which forms a path from $s_0$ to $s_{complete}$ and includes the last move. Let $f'_i$ be a strategy identical to $f_i$ except that exit is played at $s_t$. Since there is no defection cost, $u_i(o(s_t, f_i, f_{-i})) = u_i(s_{complete}) < u_i(s_t) \le u_i(o(s_t, f'_i, f_{-i}))$. Thus any strategy profile containing the last move is not a SPNE. However, a completion path has to include the last move. Therefore, it is impossible to implement the safe exchange in SPNE.

3.2. Results for exchanges including one-way items

The results above show that there are exchange settings where safe exchange is impossible without a TTP. In this section we study in more detail the conditions under which the impossibility holds. It turns out that the existence of one-way items to be exchanged plays a key role. A one-way item is an item that can be moved into allocation set(s). Recall that an agent that has an item in its allocation set cannot transfer the item to its own possession set. The following results highlight the importance of our introduction of allocation sets into the exchange model.

Definition 3.1. An item $k$ is a one-way item if there exists an agent $i$ such that $(\exists j \in N)\,(\exists A_j \in Y)\,(T_i(P_i, \lambda_k, Y) = 1)$ (see footnote 5).
Footnote 5. An item may be in several agents' allocation sets simultaneously, and in some other agent's possession set.

An item is a one-way item also if it is worthless to some agent (this is because the possession of such an item does not bring its owner any value, while allocating it to others may increase her utility). The next two protocols enable safe exchange without a TTP by constructing one-way items in different ways.

Protocol 3.1. Coin ripping (Jakobsson 1995). This protocol uses a cryptographic digital coin which can be ripped into two halves. A single half has no value, and once a half coin has been spent, it cannot be spent again (see footnote 6). The exchange proceeds as follows: 1) agent 1 rips a coin $p$ and gives the first half coin to agent 2; 2) agent 2 delivers the good $g$ to agent 1; 3) agent 1 gives the other half of the coin to agent 2. In this protocol, the coin serves as a one-way item.

Figure (Protocol 3.1): the states along the safe exchange path, with an exit edge leaving each of the three non-final states, are $P_1 = \{p\}, A_1 = \{\}, P_2 = \{g\}, A_2 = \{\}$ (initial) $\to$ $P_1 = \{\}, A_1 = \{p\}, P_2 = \{g\}, A_2 = \{p\}$ $\to$ $P_1 = \{g\}, A_1 = \{p\}, P_2 = \{\}, A_2 = \{p\}$ $\to$ $P_1 = \{g\}, A_1 = \{\}, P_2 = \{p\}, A_2 = \{\}$ (complete).

Footnote 6. (Jakobsson 1995) proposed a scheme which allows a buyer to give a seller the hash value of a digital coin verifiable to a bank. The original coin cannot be spent (again) after the seller has given the hash value to the bank.
A weakness here is that agent 1 is indifferent between delivering the second half of the coin and not. Hence, the safe exchange is only a weak SPNE. The coin ripping protocol requires a special cryptographic digital coin. Here, we introduce a new protocol which is applicable more broadly because it enables safe exchange even if money is not one of the items to be exchanged.

Protocol 3.2. Reputation locking. This protocol uses reputation as a one-way item. Suppose there is a public online reputation database. In our protocol, an agent's reputation record can be encrypted by other agents with the agent's permission, and only the agent that encrypted it can read/decrypt it. We call this reputation locking because the agent does not have an observable reputation while it is encrypted. The protocol proceeds as follows: 1) agent 2 permits agent 1 to lock its reputation $R$; 2) agent 1 gives agent 2 a payment $p \le v_2(R)$; 3) agent 2 sends good $g$ to agent 1; 4) agent 1 unlocks the reputation. The reputation $R$ is a one-way item which can be moved into agent 1's allocation set. This protocol implements the safe exchange in SPNE. However, as in coin ripping, it is only a weak implementation because agent 1 is indifferent between cooperation and exit at step 4.

Figure (Protocol 3.2): the states along the safe exchange path, with an exit edge leaving each of the four non-final states, are $P_1 = \{p\}, A_1 = \{\}, P_2 = \{g, R\}, A_2 = \{\}$ (initial) $\to$ $P_1 = \{p\}, A_1 = \{R\}, P_2 = \{g\}, A_2 = \{\}$ $\to$ $P_1 = \{\}, A_1 = \{R\}, P_2 = \{p, g\}, A_2 = \{\}$ $\to$ $P_1 = \{g\}, A_1 = \{R\}, P_2 = \{p\}, A_2 = \{\}$ $\to$ $P_1 = \{g\}, A_1 = \{\}, P_2 = \{p, R\}, A_2 = \{\}$ (complete).

The two protocols above show that one can enable safe exchange by creatively constructing one-way items. (This is not always the case, for example if the one-way items are too minor compared to the other items.) Interestingly, creation of one-way items is the only approach that works in anonymous commerce where there is no trusted third party and no cost to premature exit from the exchange:

Proposition 3.3. With zero exit costs and no TTP, an exchange can be implemented in weak SPNE only if there exists a one-way item.

Proof. Suppose there exists an SEM for an exchange including no one-way items. By the definition of a one-way item, if an item is not a one-way item, it satisfies properties (1) and (2) from the proof of Proposition 3.1. Therefore, the proof of Proposition 3.2 applies.
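The following is an added example, not part of the paper. It encodes a two-item exchange of the kind analyzed in this section as a completion path of possession sets and cumulative costs, and checks, for an arbitrary exit-cost function $d_i(s_t)$, the SPNE and DSE criteria that Proposition 3.5 (Section 3.3) states: $u_i(s_T) \ge u_i(s_t) - d_i(s_t)$ for SPNE, and $\min_{q \ge t} u_i(s_q) \ge u_i(s_t) - d_i(s_t)$ for DSE. With zero exit costs it reproduces the impossibility of Propositions 3.2 and 3.3 for an ordinary good, and it also shows that splitting the payment into instalments (the idea of Sandholm and Lesser 1995) lowers the exit cost needed. The function names, the additive valuations and the sample exchange are assumptions made here.

```python
# Added example (not from the paper): a completion path of a two-item exchange,
# encoded as states with possession sets and cumulative costs, and checks of the
# exit-cost criteria of Proposition 3.5 (Section 3.3). Function names, the
# additive valuations and the sample exchange are assumptions made here.

def utility(valuations, state, agent):
    """Quasi-linear utility u_i(s) = v_i(lambda_1, ..., lambda_k) - c_i, with v_i
    taken to be additive: a fixed value per unit of each item possessed."""
    possession, cost = state
    v = valuations[agent]
    return sum(v.get(item, 0.0) * qty for item, qty in possession[agent].items()) - cost[agent]


def apply_transfer(state, src, dst, item, qty, transfer_cost=0.0):
    """Move qty of item from src's possession set into dst's (Assumption 2:
    possessions are closed, so it leaves src) and charge src the transfer cost."""
    possession, cost = state
    if possession[src].get(item, 0) < qty:
        raise ValueError(f"agent {src} does not possess {qty} of {item}")
    new_pos = {a: dict(p) for a, p in possession.items()}
    new_pos[src][item] -= qty
    if new_pos[src][item] == 0:
        del new_pos[src][item]
    new_pos[dst][item] = new_pos[dst].get(item, 0) + qty
    new_cost = dict(cost)
    new_cost[src] += transfer_cost
    return new_pos, new_cost


def run_path(initial, moves, transfer_cost=0.0):
    """Apply (src, dst, item, qty) transfers in order, returning s_0, ..., s_T."""
    path = [initial]
    for src, dst, item, qty in moves:
        path.append(apply_transfer(path[-1], src, dst, item, qty, transfer_cost))
    return path


def spne_condition(valuations, path, exit_cost):
    """Proposition 3.5, SPNE: u_i(s_T) >= u_i(s_t) - d_i(s_t) for every agent i and
    every t. exit_cost(i, t) plays the role of d_i(s_t). Exit at s_T is free and
    the inequality there is an equality, so strictness is judged over t < T.
    Returns (holds, strict)."""
    T = len(path) - 1
    holds = strict = True
    for i in valuations:
        u_T = utility(valuations, path[T], i)
        for t in range(T):
            outside = utility(valuations, path[t], i) - exit_cost(i, t)
            holds &= u_T >= outside
            strict &= u_T > outside
    return holds, holds and strict


def dse_condition(valuations, path, exit_cost):
    """Proposition 3.5, DSE: min_{q = t..T} u_i(s_q) >= u_i(s_t) - d_i(s_t), i.e.
    following the path beats exiting now even if the other agent defects at any
    later state. Returns (holds, strict)."""
    T = len(path) - 1
    holds = strict = True
    for i in valuations:
        u = [utility(valuations, s, i) for s in path]
        for t in range(T):
            outside = u[t] - exit_cost(i, t)
            holds &= min(u[t:]) >= outside
            strict &= min(u[t:]) > outside
    return holds, holds and strict


def min_uniform_exit_cost_spne(valuations, path):
    """Smallest d such that d_i(s_t) = d for all t < T meets the SPNE condition:
    the largest u_i(s_t) - u_i(s_T) over agents and t < T, floored at zero."""
    T = len(path) - 1
    return max(0.0, max(utility(valuations, path[t], i) - utility(valuations, path[T], i)
                        for i in valuations for t in range(T)))


# Constructed sample: agent 1 buys good g from agent 2 for 8 units of money (usd).
VALUATIONS = {1: {"usd": 1.0, "g": 10.0}, 2: {"usd": 1.0, "g": 6.0}}
INITIAL = ({1: {"usd": 8}, 2: {"g": 1}}, {1: 0.0, 2: 0.0})
LUMP_SUM = [(1, 2, "usd", 8), (2, 1, "g", 1)]
INSTALMENTS = [(1, 2, "usd", 4), (2, 1, "g", 1), (1, 2, "usd", 4)]
FREE_EXIT = lambda i, t: 0.0

if __name__ == "__main__":
    for name, moves in (("lump sum", LUMP_SUM), ("instalments", INSTALMENTS)):
        path = run_path(INITIAL, moves)
        print(name, "zero exit cost -> SPNE holds:", spne_condition(VALUATIONS, path, FREE_EXIT)[0],
              "| uniform exit cost needed:", min_uniform_exit_cost_spne(VALUATIONS, path))
    path = run_path(INITIAL, INSTALMENTS)
    voluntary = lambda i, t: 0.0 if t == 0 else 5.0     # free exit at s_0, d = 5 afterwards
    print("d=5 (free at s_0): SPNE", spne_condition(VALUATIONS, path, voluntary),
          "DSE", dse_condition(VALUATIONS, path, voluntary))
    print("d=7 everywhere: DSE", dse_condition(VALUATIONS, path, lambda i, t: 7.0))
```

With zero exit costs both paths fail the SPNE condition, as Proposition 3.3 requires for an exchange without one-way items. A uniform exit cost of 6 makes the lump-sum path a weak SPNE, while the instalment path needs only 4. Free exit at $s_0$ (voluntary participation) is compatible with a strict SPNE but not with DSE, since the agent who pays first cannot be protected against the other vanishing right after; a uniform exit cost of 7 satisfies the DSE condition strictly.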
It turns out that the weakness of the coin ripping and reputation locking protocols is inevitable:

Proposition 3.4. With zero exit costs and no TTP, no exchange can be implemented in strict SPNE (even with one-way items).

Proof. If agent $i$ exits at state $s_t$ (any particular state before a complete state) without a TTP, the other agent (say $-i$) becomes the only player. According to Lemma 2.1, it cannot improve its own utility, so exiting becomes one of its best response actions. In that case, agent $i$ obtains its final utility already at $s_t$. Therefore, exiting at $s_t$ becomes one of $i$'s best response actions. Therefore, there exists a continuation equilibrium at $s_t$ where both exit, and the exchange does not complete.

3.3. Defection cost (cost of premature exit)

Proposition 3.4 showed that with free exit and no TTP, weak SPNE is the best one can achieve. Proposition 3.3 showed that even weak implementation requires the existence of one-way items. However, if there are costs to premature exit (defection costs) such as loss of reputation, chance of getting caught and punished, loss of future business, etc., then safe exchange can be achieved more broadly (Sandholm and Lesser 1995; Sandholm 1996; Sandholm and Ferrandon 2000). We model this by an exit cost $d_i(s)$ that may depend on the agent $i$ and the exchange state $s$. We allow for the possibility that the exit cost is zero in some states (for example in the initial state in cases where participation in the exchange is voluntary).

Proposition 3.5. Without a TTP, an exchange can be implemented safely in SPNE if and only if there exists a path $s_0 \to s_1 \to \dots \to s_T$ (where $s_T$ is a complete state) such that $u_i(s_T) \ge u_i(s_t) - d_i(s_t)$ for all $t \in [0, T]$ and both agents $i$. The exchange can be implemented safely in DSE if and only if $\min_{q = t, t+1, \dots, T} u_i(s_q) \ge u_i(s_t) - d_i(s_t)$ for all $t \in [0, T]$ and both agents $i$ on such a path. In either case, if each inequality is strict, the equilibrium is strict. Otherwise the equilibrium is weak.

Proof. If part for SPNE: Construct an exchange mechanism as follows. The players should follow the completion path. If either agent deviates from the path, both agents exit, and the deviator has to pay the exit cost $d_i(s_t)$. For any agent $i$, let $f_i$ be a strategy that follows the path and $f'_i$ be a strategy that defects at $s_t$. So, $u_i(o(s_t, f_i, f_{-i})) = u_i(s_{complete}) \ge u_i(s_t) - d_i(s_t) = u_i(o(s_t, f'_i, f_{-i}))$. Thus $(f_i, f_{-i})$ is a SPNE.

Only if part for SPNE: Let $s_0 \to s_1 \to \dots \to s_t \to \dots \to s_{complete}$ be any particular safe exchange path for an SPNE. Thus $u_i(s_{complete}) = u_i(o(s_t, f_i, f_{-i})) \ge u_i(o(s_t, f'_i, f_{-i})) = u_i(s_t) - d_i(s_t)$ for all states on the path and for both agents.

If part for DSE: If $\min_{q = t, \dots, T} u_i(s_q) \ge u_i(s_t) - d_i(s_t)$ for all $t \in [0, T]$, then agent $i$ is better off by following the exchange no matter what the other agent does.

Only if part for DSE: If there exists a state $s_t$ where the inequality does not hold for agent $i$, then if the other agent's strategy is to defect at a state $s_m$ satisfying $u_i(s_t) - d_i(s_t) > u_i(s_m)$, agent $i$ is better off by exiting at $s_t$. Thus following the completion path is not a dominant strategy for $i$.

4. SEM design with an online TTP

A simple way of achieving safe exchange is to use a TTP. A TTP facilitates exchange by helping agents allocate items and by punishing a defector. We assume that any item from either agent's possession set can be moved to the TTP's allocation set and vice versa. We also assume that the TTP can observe the state of the exchange. TTP-based safe exchange mechanisms have been explored in computer security (Buttyán and Hubaux 2001). Two types of TTPs have been proposed: online TTPs (Deng et al. 1996) and offline TTPs (Bai et al. 2000; Bao et al. 1998; Asokan et al. 1997). An online TTP is always involved in the exchange, while an offline TTP only gets involved if a defection has occurred. We discuss online TTPs first (see footnote 7).

The existence of an online TTP makes the safe exchange implementable in DSE:

Protocol 4.1. Online TTP-based SE. Each agent gives its items to be exchanged to the TTP. If both agents do this, the TTP swaps the items. Else the TTP returns the items.

Figure (Protocol 4.1): the states along the safe exchange path are $P_1 = \{1\}, A_{TTP} = \{\}, P_2 = \{2\}$ (initial) $\to$ $P_1 = \{\}, A_{TTP} = \{1\}, P_2 = \{2\}$ $\to$ $P_1 = \{\}, A_{TTP} = \{1, 2\}, P_2 = \{\}$ $\to$ $P_1 = \{2\}, A_{TTP} = \{\}, P_2 = \{1\}$ (complete); an exit from either intermediate state leads to $P_1 = \{1\}, A_{TTP} = \{\}, P_2 = \{2\}$, the TTP having returned the items.

If the online TTP requires an escrow fee (as most of the current ones do), we say that the escrow fee is paid before the exchange begins. With this understanding we have:

Proposition 4.1. With an online TTP, if (1) each agent's utility of the complete state is greater than that of the initial state, and (2) for each state on the exchange path and for each agent, the agent's sum of action costs (for transfer actions and wait actions) from that state to the complete state is less than the agent's exit cost at that state, then Protocol 4.1 implements the exchange safely in strict DSE.

The proof is not hard, and we omit it due to limited space.

5. SEM design with an offline TTP

With no TTP, the safety of the exchange can usually be assured only in weak SPNE. With an online TTP, dominant strategy implementation is achievable, but the TTP is closely involved, incurs operating expenses and thus usually charges an escrow fee even if the exchange completes without problems. A tradeoff between these two extremes is to use an offline TTP, which does not participate in the exchange as long as it executes correctly, but gets involved if either agent exits prematurely. Offline TTPs have been practically implemented (such as eBay's feedback system) and theoretically investigated (Matsubara and Yokoo 2000; Asokan et al. 1997).

5.1. General results

Here we investigate what can be achieved with an offline TTP when there are no limits on item types and exit costs.
If the TTP does not have (and cannot obtain) allocation rights on the defector's items after defection, the TTP can do no more than punish the defector. This is equivalent to imposing an exit cost, so Proposition 3.5 suffices to characterize what is (im)possible in this case. So, what can be achieved with an offline TTP depends on how much penalty the TTP can impose on a defector. Punishing under different forms of information asymmetry is difficult (Friedman and Resnick 1998; Matsubara and Yokoo 2000), for example due to cheap pseudonyms on the Internet, different laws in different countries, etc. Therefore, it is important to study what can be achieved when the TTP has too little power to punish defectors. That is what we address in the rest of this section.

Footnote 7. (Ketchpel and Garcia-Molina 1996) studied, in a non-game-theoretic way, how different parts of an exchange should be sequenced when there are several online TTPs but each TTP is only trusted by some subset of the parties.

5.2. Revocable and relinquishable items

When there is no reliable penalty for premature exit (the defection cost is difficult to estimate or the TTP has inadequate power to punish), a TTP that has the ability to reallocate the defector's possessions could facilitate safe exchange. Unfortunately, an offline TTP only gets involved after the defection, at which time it has no control over any items (its allocation set is empty). In this case, the active agent (the defector is inactive) is the only one that can give the TTP such reallocation rights on (some of) the defector's items. This further requires that the active agent have control of the items. In the language of our exchange model, such items are in one agent's allocation set and the other agent's possession/allocation set at the same time. We now analyze such special items that an offline TTP can use to facilitate safe exchange (see footnote 8).

We call an item revocable if its possessor can transfer it to the other agent's allocation or possession set while transferring it into its own allocation set (thus keeping the right to transfer the item from the other agent to the TTP). We call an item relinquishable if its possessor can keep it in the possession set while transferring it into the other agent's allocation set (thus giving the other agent the right to transfer the item from the former agent to the TTP).
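These distinctions are easier to see on an executable version of the model. The following added example (not from the paper) represents possession and allocation sets explicitly, derives from an item's transfer-right table whether it is one-way (Definition 3.1), revocable or relinquishable (as just defined informally, and formalized in Definition 5.1 below), and replays the defection branch of the two instances this section goes on to present: a credit-card payment (the offline TTP revokes the payment) and an escrowed signature (the offline TTP decrypts it). The class, the rule table and the item names are assumptions made here, not the paper's notation; the table is constructed to give each item the transfer rights the corresponding protocol relies on.

```python
# Added example (not from the paper): an executable version of the possession /
# allocation-set model, used to classify items as one-way (Definition 3.1),
# revocable or relinquishable (Definition 5.1) from their transfer rights, and to
# replay the defection branches of the credit-card and escrowed-signature
# protocols. The class, the rule table and the item names are assumptions.

AGENTS = (1, 2)
TTP = "TTP"


class Exchange:
    """Possession sets P[i] for the agents, allocation sets A[x] for agents and TTP,
    and the transfer rights T_x(src, item, DES) as a table mapping
    (actor, source set, item) -> allowed frozensets of destination sets.
    A set is written as ("P", owner) or ("A", owner)."""

    def __init__(self, possession, rules):
        self.P = {i: set(possession.get(i, ())) for i in AGENTS}
        self.A = {x: set() for x in AGENTS + (TTP,)}
        self.rules = rules
        self.active = {x: True for x in AGENTS + (TTP,)}

    def _set(self, kind, owner):
        return self.P[owner] if kind == "P" else self.A[owner]

    def transfer(self, actor, src, item, dests):
        """T_actor(src, item, dests) = 1: remove item from src, add it to every set in
        dests. Entering an agent's possession set removes it from the other agent's
        possession set (Assumption 2, possessions are closed)."""
        if not self.active[actor]:
            raise RuntimeError(f"{actor} is inactive and cannot act")
        if frozenset(dests) not in self.rules.get((actor, src, item), set()):
            raise PermissionError(f"{actor} may not move {item} from {src} to {dests}")
        if item not in self._set(*src):
            raise ValueError(f"{item} is not in {src}")
        self._set(*src).discard(item)
        for kind, owner in dests:
            self._set(kind, owner).add(item)
            if kind == "P":
                self.P[3 - owner].discard(item)

    def exit(self, party):
        self.active[party] = False


def classify(rules, item):
    """'one-way': some agent i can move item from P_i into a destination set that
    contains an agent's allocation set A_j. 'revocable': the possessor i keeps A_i
    while giving the other agent j one of its sets x_j. 'relinquishable': i keeps
    one of its own sets x_i while giving A_j."""
    kinds = set()
    for (actor, src, it), dest_sets in rules.items():
        if it != item or actor not in AGENTS or src != ("P", actor):
            continue
        j = 3 - actor
        for dests in dest_sets:
            if any(("A", a) in dests for a in AGENTS):
                kinds.add("one-way")
            if ("A", actor) in dests and (("P", j) in dests or ("A", j) in dests):
                kinds.add("revocable")
            if ("A", j) in dests and (("P", actor) in dests or ("A", actor) in dests):
                kinds.add("relinquishable")
    return kinds


# Constructed transfer-right table for the items used below.
RULES = {
    (2, ("P", 2), "g"): {frozenset({("P", 1)})},              # ordinary good: plain hand-over
    (2, ("P", 2), "R"): {frozenset({("A", 1)})},              # reputation locked by agent 1
    (1, ("A", 1), "R"): {frozenset({("P", 2)})},              # ... and unlocked again
    (1, ("P", 1), "p"): {frozenset({("A", 1), ("P", 2)})},    # card payment: payer keeps A_1
    (1, ("A", 1), "p"): {frozenset({("A", TTP)})},            # chargeback request
    (TTP, ("A", TTP), "p"): {frozenset({("P", 1)})},          # card company revokes p
    (1, ("P", 1), "s1"): {frozenset({("P", 1), ("A", 2)}),    # escrowed signature + ZK proof
                          frozenset({("P", 2)})},             # or the plain signature
    (2, ("A", 2), "s1"): {frozenset({("A", TTP)})},           # ask the TTP to decrypt
    (TTP, ("A", TTP), "s1"): {frozenset({("P", 2)})},         # TTP hands decrypted s1 over
    (2, ("P", 2), "s2"): {frozenset({("P", 1)})},
}


def credit_card_defection():
    """Agent 2 takes the card payment and vanishes; agent 1 turns to the TTP."""
    ex = Exchange({1: {"p"}, 2: {"g"}}, RULES)
    ex.transfer(1, ("P", 1), "p", {("A", 1), ("P", 2)})
    ex.exit(2)
    ex.transfer(1, ("A", 1), "p", {("A", TTP)})
    ex.transfer(TTP, ("A", TTP), "p", {("P", 1)})
    return ex


def escrowed_signature_defection():
    """Agent 1 withholds its signature after receiving agent 2's; the TTP decrypts."""
    ex = Exchange({1: {"s1"}, 2: {"s2"}}, RULES)
    ex.transfer(1, ("P", 1), "s1", {("P", 1), ("A", 2)})
    ex.transfer(2, ("P", 2), "s2", {("P", 1)})
    ex.exit(1)
    ex.transfer(2, ("A", 2), "s1", {("A", TTP)})
    ex.transfer(TTP, ("A", TTP), "s1", {("P", 2)})
    return ex


if __name__ == "__main__":
    for item in ("g", "R", "p", "s1"):
        print(item, sorted(classify(RULES, item)))
    print("credit card:", credit_card_defection().P, "escrow:", escrowed_signature_defection().P)
```

The plain good is none of the three kinds, the locked reputation is one-way only, the card payment is one-way and revocable, and the escrowed signature is one-way and relinquishable. In both replays the defector ends the exchange holding nothing it was not entitled to, which is what makes the offline TTP useful without any punishment power. The rule table also enforces the two restrictions the model imposes: an inactive party cannot act, and an agent cannot move an item from its allocation set into its own possession set.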
Footnote 8. Similar concepts have been discussed in the context of a particular exchange protocol for exchanging two items (Asokan et al. 1997).

Definition 5.1. Denote by $x_i$ the possession set or allocation set of agent $i$, and denote the other agent by $j$. An item $k$ is revocable to agent $i$ if $T_i(P_i, \lambda_k, \{A_i, x_j\}) = 1$ (see footnote 9). (To handle the trivial case where an item is not of strictly positive value to its original possessor, we also call such items revocable.) An item $k$ is relinquishable if there exists an agent $i$ such that $T_i(P_i, \lambda_k, \{x_i, A_j\}) = 1$. (Recall that, by the definition of an allocation set, the other agent can then transfer the item to the TTP's allocation set or the former agent's allocation set, but not into its own possession set.)

Footnote 9. Recall that agent $i$ cannot give items that are in its allocation set into its possession set, and that agent $i$ can give items in its allocation set to other parties, particularly to the TTP's allocation set. Then the TTP can transfer the item to agent $i$'s possession set.

The following protocols use these types of special items.

Protocol 5.1. Credit card payment. A credit card payment can be viewed as a revocable item. Agent 1 pays agent 2 a payment $p$ for good $g$ with a credit card. At that point, $p \in A_1 \cap P_2$. If agent 2 does not deliver $g$, agent 1 sends a request to the offline TTP (the credit card company). This corresponds to transferring $p$ from $A_1$ to $A_{TTP}$. The company then revokes the payment (transfers $p$ from $A_{TTP}$ and from $P_2$ to $P_1$). With zero action costs, the safe exchange path is followed in DSE.

Figure (Protocol 5.1): the safe exchange path is $P_1 = \{p\}, A_1 = \{\}, P_2 = \{g\}$ (initial) $\to$ $P_1 = \{\}, A_1 = \{p\}, P_2 = \{g, p\}$ $\to$ $P_1 = \{g\}, A_1 = \{\}, P_2 = \{p\}$ (complete). An exit from the initial state leaves it unchanged ($A_{TTP} = \{\}$). If agent 2 exits after the payment, agent 1 moves $p$ to the TTP, giving $P_1 = \{\}, A_1 = \{\}, A_{TTP} = \{p\}, P_2 = \{g, p\}$, and the TTP revokes it, giving $P_1 = \{p\}, A_1 = \{\}, A_{TTP} = \{\}, P_2 = \{g\}$.

Protocol 5.2. Escrowed signature (Bao et al. 1998). The protocol is for exchanging signatures on a contract. A digital signature can be converted into a relinquishable item. The protocol proceeds as follows: 1) agent 1 encrypts its digital signature ($\sigma_1$) with the public key of an offline TTP and then sends it along with a zero-knowledge proof (Bao et al. 1998) to agent 2; 2) agent 2 checks that the data is an encrypted version of agent 1's signature, and gives its signature ($\sigma_2$) to agent 1; 3) agent 1 sends agent 2 $\sigma_1$. If agent 1 instead exits at step 3, agent 2 sends the escrowed data it checked in step 2 to the TTP for decryption, and the TTP will give the decrypted signature of agent 1 to agent 2. With zero action costs, the safe exchange path is followed in DSE (see footnote 10).

Figure (Protocol 5.2): the safe exchange path is $P_1 = \{\sigma_1\}, P_2 = \{\sigma_2\}, A_2 = \{\}$ (initial) $\to$ $P_1 = \{\sigma_1\}, P_2 = \{\sigma_2\}, A_2 = \{\sigma_1\}$ $\to$ $P_1 = \{\sigma_1, \sigma_2\}, P_2 = \{\}, A_2 = \{\sigma_1\}$ $\to$ $P_1 = \{\sigma_2\}, P_2 = \{\sigma_1\}, A_2 = \{\}$ (complete). Exits from the first two states leave the allocation unchanged. If agent 1 exits after step 2, agent 2 moves $\sigma_1$ to the TTP, giving $P_1 = \{\sigma_1, \sigma_2\}, A_{TTP} = \{\sigma_1\}, P_2 = \{\}, A_2 = \{\}$, and the TTP decrypts it for agent 2, giving the same complete state $P_1 = \{\sigma_2\}, P_2 = \{\sigma_1\}, A_2 = \{\}$.

It turns out that revocable or relinquishable items are in a sense necessary for safe exchange:

Proposition 5.1. Let there be only an offline TTP and zero action costs (for transfer, wait, and exit actions). Let the items to be exchanged include no revocable or relinquishable items. Now, the exchange cannot be implemented in strict SPNE or even in weak DSE (see footnote 11).

Proof. Strict SPNE: After a defection, the defector is inactive, and the offline TTP's allocation set is empty. So, the only way the TTP can affect a defector's possession set is if the active agent can put items that are in the defector's possession set into the TTP's allocation set (this requires the items to be in the active agent's allocation set; see footnote 12). By the definitions of revocable/relinquishable items, such a state can be reached only if revocable or relinquishable items exist. If, on the other hand, the TTP cannot affect the defector's possession set, then Proposition 3.4 applies.

Weak DSE: Suppose there exists a completion path implemented in weak DSE. By the assumption of sequential actions and the fact that eventually all items are exchanged, there has to be some state where one agent (say A) has transferred an item I into the other agent's (say B) possession set before receiving any items into its own possession set. At that state, because there are no revocable or relinquishable items, I cannot be in anyone's allocation set. If B now defects, A will have received nothing, and will have lost I, which is of value to A. Therefore, A would have been strictly better off exiting in the initial state. Thus A's strategy of following the safe exchange is not a weak dominant strategy. Contradiction.

Footnote 10. Recall we assume that the TTP can observe states, so that an agent cannot get the signature decrypted without giving its own signature to the other. The protocol works even if the TTP does not observe states: in this case, each agent needs to give its own signature to the TTP (which will pass it to the other agent) to get the other's signature decrypted.

Footnote 11. As shown earlier in the paper, a weak SPNE can exist if there exists a one-way item.

Footnote 12. Recall that possessions are closed, so the items in the defector's possession set cannot be in the active agent's possession set. Also, by the definition of an allocation set, the active agent cannot move items from its allocation set to its own possession set.

5.3. Transfer costs and the offline TTP's escrow fee

In many settings, especially when exchanging physical goods, there is a cost associated with each transfer action. Another type of cost that is associated with a transfer action is the fee that an agent has to pay an offline TTP when the agent asks the offline TTP to carry out a transfer action against a defector. (In the case of an online TTP, the escrow fee had no strategic effects because it had to be paid anyway, but in the offline TTP case it has strategic effects because it has to be paid only if the TTP's help is used.)

Proposition 5.2. With an offline TTP and no relinquishable items, no exchange can be safely implemented in weak DSE if the completion path contains any positive transfer cost.

Proof. Suppose there exists a completion path implemented in weak DSE.
By the assumption of sequential actions and the fact that eventually all items are exchanged, there has to be some state where one agent (say A) has transferred an item into the other agent's (say B) possession set before receiving any items into its own possession set. At that state (say $s$), because there are no relinquishable items, A cannot control any of B's original items, but may be able to take back some of the items it gave to B. However, because there was a positive transfer cost, A would have been strictly better off exiting in the initial state. Thus A's strategy of following the safe exchange is not a weak dominant strategy. Contradiction.

Proposition 5.3. With a positive offline TTP fee and no relinquishable items, no exchange can be safely implemented in weak DSE.

Proof. The proof is analogous to that of Proposition 5.2.

Proposition 5.4. With no revocable items, an exchange can be safely implemented in weak DSE only if for each agent $i$, the offline TTP's escrow fee plus $i$'s sum of transfer costs on the completion path is at most $u_i(s_{complete}) - u_i(s_0)$.

The proof is not hard, and we omit it due to limited space.

6. Selecting a safe exchange mechanism

In the real world, different types of SEMs co-exist. For example, on the Internet, online TTPs such as TradeSafe exist, offline TTPs such as the Better Business Bureau exist, and obviously direct exchange is possible (and safe exchange planners for that exist (Sandholm and Ferrandon 2000)). Now, which SEM should the agents select?

For a given exchange, different SEMs have different costs. Online TTPs have an escrow fee. Direct exchange and offline TTPs may have various costs: some require agents to expose their fixed identities (e.g., credit-based exchange), thus incurring privacy costs; some need intensive computation (e.g., escrowed signatures); almost all of them expose the agents to risks (irrational play by the other party, accidents, etc.). Furthermore, agents may have different costs for a given SEM, and the agents' costs are generally only privately known by the agent.

We present a mechanism that will select the best SEM and motivates the agents to truthfully report their costs. We present it as choosing between an online TTP based SEM (TSEM) and another SEM (ASEM). We assume that 1) the online TTP's escrow fee $c$ is commonly known and the agents have an agreement to share it in proportions $d_1$ and $d_2$ (where $d_1 + d_2 = 1$), and 2) agents prefer exchange through either SEM to no exchange at all.

Protocol 6.1. SEM selection. Each agent reveals to the other which SEM it prefers. If both agents prefer the same SEM, that SEM is chosen. Otherwise, the agents resolve the conflict as follows: 1) each agent transfers a payment $c$ (the total amount of the escrow fee) and reveals its ASEM cost $\hat{c}_i$ to the online TTP. (If the other agent does not submit its payment and cost information, the TTP returns the former agent's payment.) 2a) If $\hat{c}_1 + \hat{c}_2 < c$, ASEM is chosen; the TTP returns a payment $c - \hat{c}_{-i} + d_{-i} c$ to the agent $i$ who preferred ASEM, and returns the entire amount $c$ to the other agent $-i$ (who preferred TSEM). So, the TTP ends up keeping a nonnegative amount (namely $\hat{c}_{-i} - d_{-i} c \ge 0$, since agent $-i$ preferred TSEM), which we consider its fee for resolving the SEM selection conflict. 2b) If $\hat{c}_1 + \hat{c}_2 \ge c$, TSEM is chosen; the TTP returns a payment $\hat{c}_{-i}$ to the agent $i$ that preferred TSEM, and returns $d_i c$ to the other agent $-i$. At this point, the TTP has gotten paid the escrow fee $c$ plus a nonnegative conflict resolution fee (namely $d_{-i} c - \hat{c}_{-i} \ge 0$, since agent $-i$ preferred ASEM).

Proposition 6.1. Protocol 6.1 is ex post individually rational, weak DSE incentive compatible, and efficient (that is, the cheapest SEM is chosen).

Proof. Sketch. The mechanism is an application of the Clarke tax voting scheme (Clarke 1971), which has these properties.

7. Conclusions and future research

Safe exchange is a key problem in multiagent systems, especially in electronic transactions.
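Protocol 6.1 of Section 6 as executable settlement logic, added here as an example that is not part of the paper: it computes the refunds of steps 2a and 2b from the reported costs, and then brute-forces the properties of Proposition 6.1 over a grid of true costs (efficiency, a nonnegative TTP fee, ex post individual rationality, and weak dominant-strategy incentive compatibility against every misreport on the grid). The escrow fee, the shares and the cost grid are constructed sample values; the individual-rationality check relies on the section's assumption that either SEM is preferred to no exchange, so an agent is counted as rational to participate whenever it pays no more than the dearer of the two SEMs it could face.

```python
# Added example (not from the paper): Protocol 6.1 as executable settlement logic,
# plus a brute-force check of the properties Proposition 6.1 claims for it.
# Function names and the sample fee, shares and cost grid are assumptions;
# amounts are exact Fractions so the comparisons are not muddied by rounding.
from fractions import Fraction as F
from itertools import product

AGENTS = (1, 2)


def select_sem(c, shares, reports):
    """Protocol 6.1. c: the online TTP's escrow fee; shares: {1: d_1, 2: d_2} with
    d_1 + d_2 = 1; reports: the ASEM costs c_hat_i the agents reveal. Returns
    (chosen, paid) where paid[i] is agent i's net payment to the TTP: its share
    of the escrow fee if TSEM is used, plus any conflict-resolution fee."""
    pref = {i: "ASEM" if reports[i] < shares[i] * c else "TSEM" for i in AGENTS}
    if pref[1] == pref[2]:                      # both prefer the same SEM: no conflict
        chosen = pref[1]
        return chosen, {i: shares[i] * c if chosen == "TSEM" else F(0) for i in AGENTS}
    a = 1 if pref[1] == "ASEM" else 2           # the agent preferring ASEM
    t = 3 - a                                   # the agent preferring TSEM
    # step 1: both deposit c; steps 2a/2b refund part of it
    if reports[1] + reports[2] < c:             # 2a: ASEM chosen, a is pivotal
        chosen, refund = "ASEM", {a: c - reports[t] + shares[t] * c, t: c}
    else:                                       # 2b: TSEM chosen, t is pivotal
        chosen, refund = "TSEM", {t: reports[a], a: shares[t] * c}
    return chosen, {i: c - refund[i] for i in AGENTS}


def outlay(c, shares, true_costs, reports):
    """What each agent ends up paying in total: its true ASEM cost if ASEM is
    chosen, plus its net payment to the TTP."""
    chosen, paid = select_sem(c, shares, reports)
    return {i: paid[i] + (true_costs[i] if chosen == "ASEM" else F(0)) for i in AGENTS}


def check_proposition_6_1(c, shares, grid):
    """Brute-force over true costs drawn from grid: efficiency (the cheaper SEM is
    chosen), nonnegative TTP fee, ex post individual rationality (no agent pays
    more than the dearer of the two SEMs it could face) and weak DSE incentive
    compatibility (no misreport from grid lowers an agent's outlay, whatever the
    other agent reports). Returns 'ok' or the name of the first failing property."""
    for c1, c2 in product(grid, repeat=2):
        true = {1: c1, 2: c2}
        chosen, paid = select_sem(c, shares, true)
        if chosen != ("ASEM" if c1 + c2 < c else "TSEM"):
            return "efficiency"
        if paid[1] + paid[2] < 0:
            return "TTP fee"
        truthful = outlay(c, shares, true, true)
        for i in AGENTS:
            if truthful[i] > max(true[i], shares[i] * c):
                return "individual rationality"
            for lie in grid:
                if outlay(c, shares, true, {i: lie, 3 - i: true[3 - i]})[i] < truthful[i]:
                    return "incentive compatibility"
    return "ok"


# Constructed sample: escrow fee 10 split 60/40, ASEM costs on a half-unit grid.
C = F(10)
SHARES = {1: F(3, 5), 2: F(2, 5)}
GRID = [F(k, 2) for k in range(21)]

if __name__ == "__main__":
    print(select_sem(C, SHARES, {1: F(2), 2: F(5)}))   # conflict, resolved in favour of ASEM
    print(select_sem(C, SHARES, {1: F(5), 2: F(5)}))   # conflict, resolved in favour of TSEM
    print(check_proposition_6_1(C, SHARES, GRID))
```

In the first sample call agent 1 (share 6) prefers ASEM at cost 2 and agent 2 (share 4) prefers TSEM at cost 5; the sum 7 is below the fee, so ASEM is chosen and agent 1 pays the Clarke tax of 1, the loss it imposes on agent 2. In the second call the sum reaches the fee, TSEM is chosen, and the pivotal agent 2 pays 5, its share plus a tax of 1. Sweeping the grid confirms that no misreport ever reduces an agent's outlay, that the TTP never loses money, and that the cheaper SEM is always the one selected.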
A large number of different approaches have been proposed for safe exchange. In this paper we presented a unified framework for modeling safe exchange mechanisms. Our framework captures the disparate earlier approaches, as well as new SEMs (e.g., reputation locking). Being an overarching framework, it also allowed us to study what is inherently possible and impossible in safe exchange. We showed what role special types of items play, and derived quantitative conditions on defection costs. The following table summarizes the qualitative results at a high level.

No TTP:
  General results: no weak SPNE in general (Propositions 3.1 and 3.2).
  Special items: no strict SPNE (Proposition 3.4); weak SPNE requires a one-way item (Proposition 3.3).
  With costs: sufficient exit costs give weak/strict SPNE/DSE (Proposition 3.5).
Offline TTP:
  General results: sufficient punishment gives weak/strict SPNE/DSE (via Proposition 3.5).
  Special items: strict SPNE requires a revocable or relinquishable item (Proposition 5.1).
  With costs: with no relinquishable item, a positive transfer cost or escrow fee rules out weak DSE (Propositions 5.2 and 5.3); with no revocable item, weak DSE requires a low escrow fee and low transfer costs (Proposition 5.4).
Online TTP:
  Sufficient exit costs and low transfer costs give strict DSE (Proposition 4.1).

Finally, we presented an incentive-compatible mechanism for selecting the best SEM when the agents do not know each other's costs for the different SEMs. Future work includes extending the results to exchanges with more than 2 agents, and to settings where the agents and/or the TTP are uncertain about the exchange state.

Acknowledgements

We thank Kartik Hosanagar for illuminating discussions at the early stage of this work. We also thank Ramayya Krishnan and Pradeep Khosla for their encouragement. Sandholm is supported by NSF CAREER Award IRI-9703122, and NSF grants IIS-9800994, ITR IIS-0081246, and ITR IIS-0121678. Wang is supported by NSF grant IIS-0118767, the DARPA OASIS program, and the PASIS project at CMU.

References

Asokan, N.; Schunter, M.; and Waidner, M. 1997. Optimistic protocols for fair exchange. ACM Conference on Computer and Communications Security, pp. 7-17.
Bai, S.; Whinston, A. B.; and Zhang, H. 2000. The dynamics of the electronic market: an evolutionary game approach. Information Systems Frontiers 2(1): 31-40.
Bao, F.; Deng, R.; and Mao, W. 1998. Efficient and practical fair exchange protocols with off-line TTP. IEEE Symposium on Security and Privacy, pp. 77-85.
Buttyán, L.; and Hubaux, J.-P. 2000. Toward a formal model of fair exchange: a game theoretic approach. International Workshop on eCommerce.
Clarke, E. 1971. Multipart pricing of public goods. Public Choice 11: 17-33.
Deng, R.; Gong, L.; Lazar, A.; and Wang, W. 1996. Practical protocols for certified electronic mail. Journal of Network and Systems Management 4(3): 279-297.
Friedman, E.; and Resnick, P. 1998. The social cost of cheap pseudonyms. Journal of Economics and Management Strategy 10(2): 173-199.
Jakobsson, M. 1995. Ripping coins for a fair exchange. EUROCRYPT, pp. 220-230.
Ketchpel, S. P.; and Garcia-Molina, H. 1996. Making trust explicit in distributed commerce transactions. International Conference on Distributed Computing Systems, pp. 270-281.
Matsubara, S.; and Yokoo, M. 2000. Defection-free exchange mechanism for information goods. ICMAS, pp. 183-190.
National Consumers League. 1999. New NCL survey shows consumers are both excited and confused about shopping online. www.natconsumersleague.org/beewisepr.html.
Pagnia, H.; and Gärtner, F. 1999. On the impossibility of fair exchange without a trusted third party. Darmstadt University of Technology, Department of Computer Science, Technical Report TUD-1999-02.
Sandholm, T. 1996. Negotiation among Self-Interested Computationally Limited Agents. PhD thesis, University of Massachusetts at Amherst, Computer Science Department.
Sandholm, T.; and Lesser, V. 1995. Equilibrium analysis of the possibilities of unenforced exchange in multiagent systems. IJCAI, pp. 694-701.
Sandholm, T.; and Ferrandon, V. 2000. Safe exchange planner. ICMAS, pp. 255-262.