In this section, we first give a high-level overview of our anonymous atomic transaction system design, and then describe our abstract protocols.
Critical to our system is the use of a blind signature in the withdrawal protocol. Here, the consumer obtains a blinded token from the bank as a result of withdrawing money from the consumer's account.
Unlike previous works where the blind-signed data is a token which represents value, in our protocol the public key of a newly generated public/private key pair is signed; this certifies a trapdoor function rather than data to be disclosed in the purchase protocol. This effectively provides a temporary, anonymous certificate of ownership of the withdrawn amount. The private key of the key pair is known only to the consumer, and it is used with the certificate to anonymously authorize transfers of the withdrawn amount to a merchant's account. Authorization messages signed with this key are used in our transactions to signal readiness to commit to a purchase transaction, and to serve as part of the "paper trail" to prove that the token has been expended.
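The following sketch, added here and not taken from the paper, shows a bank blind-signing a consumer's public key and the consumer then using the matching private key to sign an authorization that the bank can check against the certificate. It assumes Chaum-style RSA blinding with textbook RSA signatures over toy constructed keys, since the abstract protocol does not fix a scheme; all function names are hypothetical.

```python
# Added illustration: textbook RSA with toy constructed keys, NOT secure.
# The RSA blinding scheme and all names here are assumptions, not the paper's.
import hashlib, secrets
from math import gcd

E = 65537

def keypair(p, q):
    """Textbook RSA from two primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(h(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == h(data, n)

# Constructed bank key from two Mersenne primes (toy size).
BANK_N, BANK_D = keypair(2**89 - 1, 2**107 - 1)

def consumer_blind(pub):
    """Hide H(pub) under a random factor r before it goes to the bank."""
    while True:
        r = secrets.randbelow(BANK_N - 2) + 2
        if gcd(r, BANK_N) == 1:
            return h(pub, BANK_N) * pow(r, E, BANK_N) % BANK_N, r

def bank_withdraw(blinded):
    """Bank debits the account and signs; it sees neither pub nor H(pub)."""
    return pow(blinded, BANK_D, BANK_N)

def consumer_unblind(blind_sig, r):
    return blind_sig * pow(r, -1, BANK_N) % BANK_N

def bank_accepts(pub_n, cert, auth, auth_sig):
    """Certificate must verify under the bank key, authorization under pub."""
    pub = pub_n.to_bytes(32, "big")
    return verify(pub, cert, BANK_N) and verify(auth, auth_sig, pub_n)

def demo():
    n, d = keypair(2**61 - 1, 2**127 - 1)  # consumer's key pair (constructed)
    blinded, r = consumer_blind(n.to_bytes(32, "big"))
    cert = consumer_unblind(bank_withdraw(blinded), r)
    auth = b"constructed: transfer withdrawn amount to merchant M"
    sig = sign(auth, n, d)
    return bank_accepts(n, cert, auth, sig), bank_accepts(n, cert, b"altered", sig)
```

`demo()` returns a pair: whether the genuine authorization is accepted, and whether the same signature is accepted on an altered message.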
In the purchase phase, the merchant delivers encrypted goods along with a signed contract providing the goods description and the price. If the consumer finds the contract acceptable, the consumer signals readiness to commit by sending the bank a message signed with the above blind-certified key, which authorizes the transfer of funds if the transaction commits. The bank then similarly signals its readiness to the merchant with a message promising an anonymous deposit into the merchant's account when the transaction commits. The transaction commits when the transaction log records a message from the merchant which contains the merchandise key.
Timely delivery of the merchant's message to the transaction log results in the transaction committing, thereby crediting the merchant's account and releasing the merchandise key to the consumer. If the merchant's message does not arrive before the expiration time, the transaction aborts.
Note that unlike standard two-phase commit, there is no central transaction coordinator; instead, the various parties' readiness to commit is determined using non-repudiable messages in a distributed, cascading fashion as explained in section 4.
Next, we give a detailed description of the withdrawal and purchase protocols.