Agora A Minimal Distributed Proto col for Electronic Commerce Eran Gabb er and Abraham Silb erschatz Bell Lab oratories Mountain Ave Murray Hill NJ feran avigresearchbel llabscom not aord to communicate with the bank for ev Abstract ery transaction High transactions volume implies Agora is a Web proto col for electronic commerce distributed proto cols since anycentralized resource whichisintended to supp ort highvolume of trans will b ecome a b ottleneck actions each with low incurred cost Agora has the In our terminology banks are nancial insti following novel prop erties tutes that manage customer and merchant accounts Banks provide transaction pro cessing capabilities Minimal The incurred cost of Agora transac similar to current credit card companies Merchants tions is close to free Web browsing where cost are vendors that would like to sell go o ds electron is determined by the numb er of messages ically Customers are users p eople rob ots etc that would like to purchase go o ds electronicallyIn Distributed Agora is fully distributed Mer our scheme we assume that banks are trusted en chants can authenticate customers without ac tities while customers and merchants are assumed cess to a central authority Customers with to b e nontrusted entities In case of a dispute a valid accounts can purchase from anymerchant fourth typ e of entity arbiters are used to settle the without any preparations such as prior regis dispute b etween customers and merchants Arbiters tration at the merchant or at a broker are assumed to b e trusted Online arbitration An online arbiter can set The World Wide Web requires a new class of tle certain customermerchant disputes proto cols Web commerce proto cols that are op timized for purchase of page like merchandise eg Fraud control Agora can limit the degree of Web pages and information that can b e represented fraud to a predetermined low level as Web pages A Web commerce proto col should b e comparable to free Web browsing in terms of Agora is authenticated secure and can not b e repu message overhead in order to achievelow incurred diated It can use regular insecure communication transaction cost channels We assume that the numb er of messages rather than message length determines the o verhead and Intro duction cost of a proto col In other words the optimiza tion criteria should b e numb er of messages and not The wide spread use of electronic commerce on the message length provided that message length re World Wide Web will require mechanisms for deal mains within some reasonable b ounds For example ing with high volume of lowpriced transactions By in TCP or UDP proto cols the overhead of a short lowpriced transactions we mean transactions of low message is similar to a longer message that ts into monetary value which is close to or lower than the the same numberofIPpackets cost incurred in communicating with a bank Thus Agora is a fully distributed commerce proto col lowpriced transactions implies that merchants can that requires a total of four messages to complete a transaction including transfer of go o ds without Agora is an ancient Greek marketplace It is also the name of the Israeli coin of the lowest denomination any access to a central authority When Agora is namely purchasing a scrip from a broker These employed as a Web commerce proto col its messages preparations can involve as many as messages An can b e piggybacked on existing HTTP messages other complication is handling of change Normally without any additional messages Hence Agora is the value of the scrip is higher than the price of the minimal since it generates the same numb er of mes go o ds Thus the merchant returns the change to the sage as free Web browsing user in the form of another scrip Since this scrip is Agora is a credit based proto col that is a trans honored only by issuing merchant the customer is action involves transfer of an account identier and forced to redeem it by the broker not the actual funds Merchants use accountidenti NetBill is a robust electronic commerce pro ers in order to get the funds from the bank to col that provides atomicity customer pays for Fully distributed credit based proto cols are sus delivered merchandise only and anonymityvia ceptible to certain typ es of fraud since the bank is pseudonyms However NetBill requires messages not contacted during the execution of every trans to complete a transaction of whichtwo are tofrom action For example customers may exceed their the bank Thus NetBill is not applicable for low credit limit and since the bank is not involved in priced transactions that are less exp ensiv e then the every transaction the transaction will b e approved cost of contacting the bank As another example if a thief gets hold of the iden The Secure Electronic Transaction SET proto col tication string and the private key of a legitimate of Visa and MasterCard is a credit based proto customer the thief can go on an unrestricted elec col like Agora However SET requires communica tronic shopping spree Toovercome this inherent tion with the bank for every transaction That is aw we present in Section the enhanced Agora SET is not distributed and its incurred cost pro proto col that uses a probabilistic algorithm to limit hibits lowpriced transactions the amount of fraud to a predetermined low level The overhead of the enhanced Agora proto col is sim Digital cash proto cols such as DigiCash pro ilar to the basic Agora proto col vide total anonymityHowever these proto cols were not designed for Web commerce and lackproperar We implemented a prototyp e of Agora using stan bitration eg customer sent digital cash and didnt dard Web to ols a Netscap e browser and an NCSA receive the merchandise server The customer side was implemented bya Java applet and the merchantsidewas implemented The chrghttp proto col isarecentWeb com by a set of CGI scripts and a small database merce proto col for lowpriced transactions It was implemented with standard Web to ols Mosaic The reminder of the pap er is organized as fol browser and CERN server However it ignores lows Section describ es work on related electronic the complexity of real world digital cash and credit commerce proto cols Section discusses the basic transactions Instead chrghttp assumes that mer Agora proto col while Section discusses its prop er chants will bill customers at regular intervals Cus ties Section describ es the enhanced Agora proto tomers must register with merchants b efore anypur wn low level col which can limit fraud to a kno chase Section discusses the online arbitration proto Since Agora uses digital signatures to authenti col which can settle certain customermerchant dis putes In Section we discuss several limitations of cate messages its do es not require a secure commu the Agora proto col Section discusses scalability is nication channel such as Netscap es Secure So ckets sues The pap er concludes with a description of the Layer SSL implementation The App endix describ es the em Agora implements an application layer securityon b edding of the Agora proto col in HTTP Messages top of HTTP In this asp ect it is similar to Secure HTTP SHTTP Related Work Basic Proto col Millicent is a distributed lowoverhead digital The Agora proto col as describ ed in the intro duc cash proto col Its prop erties are similar to Agora tion involves four entities banks merchants cus Millicentintro duces a scrip which is a digital money tomers and arbiters Agora supp orts multiple that is honored by a single vendor Millicentisde banks Each bank has a unique identier Bida signed to supp ort high volume of lowpriced transac p s private secret key K andapublickey K tions Millicents overhead is similar to Agora when b b used for Web commerce However Millicent requires Customers and merchants must have an account preparation b efore a purchase from a new vendor with some bank b efore any sale or purchase can b e name description format p Cid Customer ID Bid k expir ation date k Cacct k K c SC id Signed customer ID Cid k S H Cid b p date k M name k M acct k K Mid MerchantID Bid k expir ation m SM id Signed merchantID Mid k S H Mid b Table Customer and Merchant Identication Accounts initiated Customer account name is denoted by C acct and merchant account name is denoted by All customers and merchants must have an account M acctMerchants are also identied by a unique with a bank The bank uses a bil ling perioddur public name Mname which can b e their IP ad ing which customer and merchant IDs are valid dress or their domain name Customers and mer The bank generates new IDs for customers and mer s s chants haveprivate keys K and K resp ectively c m chants every billing p erio d The IDs expire bythe p p and public keys K and K respectively Cus c m end of the current billing p erio d or bytheendofthe tomers and merchants identify themselves bypre next p erio d a grace p erio d In this w ay the bank senting signed IDs whichwere obtained from the can force customers to pay their bills on time bank SC id is a customers signed ID and SM id is The proto col assumes that all participants change a merchants signed ID their private and public keys every billing p erio d in Arbiters are trusted entities not necessarily the order to prevent brute force attacks The bank de bank that are resp onsible for settling certain dis livers its new public key to customers and merchants een customers and merchants Arbiters putes b etw together with their new IDs have the authority to repudiate committed transac Table depicts the generation