In commercial transactions, fairness needs to be guaranteed in any acceptable model. This is difficult in an electronic world because receiving the goods from a merchant and getting the payment in exchange cannot occur simultaneously in a distributed system; any protocol used in a network is asynchronous by nature.
This leads to a number of attacks, which have been well researched, and generally conclude that a trusted third party is required to achieve fairness. Simple fair exchange protocols need an active trusted third party (trusted third party) which gets involved in every message exchange. More sophisticated types of protocols are referred to as optimistic protocols, in which a trusted third party is not involved unless there is a dispute, which occurs infrequently. In the above optimistic protocols, a buyer exchanges his signature instead of virtual money. After the exchange, the merchant can use the signature to get money from a bank. As a result of the trusted third party only being occasionally involved, that is, when there is a dispute, optimistic protocols are more efficient. However, note that such optimistic protocols do not protect the buyer's privacy.
In order to solve this problem, there is described the use of e-coins for payment instead of a buyer's signature, where e-coins comprise an untraceable fair payment protocol with an off-line trusted third party. The protocol uses an untraceable offline e-coin and a new primitive referred to as a restrictive confirmation signature scheme (RCSS), in which a signature is confirmed by a designated confirmer, and can be verified only by some specified verifiers.
However, a dishonest merchant may collude with a conspirator to obtain the digital money without delivering the goods to a buyer, essentially taking advantage of the lack of a link between the RCSS-signed order agreement and the buyer's e-coins. To this end, the merchant can send his conspirator's RCSS-signed order agreement and the buyer's pseudo-e-coins in the dispute stage, whereby the trusted third party sends the e-goods to the conspirator, and the real e-coins to the merchant, but nothing to the buyer.
Although there is a proposed solution to the above collusion attack, that improved solution as well as the original solution suffer from a new type of attack, referred to herein as an unconscious double-spending (UDS) attack. More particularly, by exploiting the fact that e-coins can be duplicated unlimited times but are allowed to be spent only once, an unconscious double-spending attack can make an innocent buyer unconsciously spend the same money twice.