Feedback on paper of Zhang et al.

HYPOTHESES AND THEIR EVALUATION

The claims of this paper are clearly stated in the last sentence of the abstract: "The new protocol treats both fairness and anonymity as essential properties, employs an efficient method for off-line key recovery, and places weak requirements on the security of the third party." These claims are then elaborated in the penultimate paragraph of section 1 on p20. To address the evaluation of these claims we will separate them into three parts.

Fairness and Anonymity: The evaluation of these two claims is dealt with together and at length in section 6. The type of evaluation is theoretical, but is more a reasoned argument based on the logic of the protocol than a mathematical proof as usually understood. It seems to be thorough and convincing, but a word of warning here. Security protocols have proved notoriously difficult to get right. For instance, the 7-line Needham–Schroeder protocol was published in 1978 and a flaw in it lay undetected until 1995, when Lowe published an attack. There are many similar examples. Many attacks are now found by exhaustive machine analysis, so one should not be entirely convinced until such an analysis has been performed. I would not expect you to know about the need for such analysis, since it requires expert knowledge of the field.

Efficient Method for Off-Line Key Recovery: The analysis of the protocol does not cover efficiency. In fact, the only places in the paper where this is discussed, and then only implicitly, are at the end of the first paragraph on p20: "Fair exchange protocols based on an off-line trusted third party are preferable as they offer a more cost-effective use of a trusted third party." which is presented as a background assumption of the work.
In the next paragraph this point is essentially repeated in the extended list of claims: "Secondly, it provides a simpler and more efficient off-line recovery method for handling abnormal cases of exchange than other existing methods." The argument is that since an off-line trusted party is only involved in the event of a problem, this is a more efficient use of their time than involving them on-line in every transaction. This seems a pretty dubious argument to me:

* The work of the trusted party might be more onerous after a problem has occurred than it would have been if they were involved from the outset.
* Why only take into account the role of the trusted party when estimating the efficiency of key recovery?
* Why only consider off-line key recovery when considering efficiency?
* Since the protocols are short and involve fairly trivial automated processing, why is efficiency an issue anyway?

Weak Requirements on the Security of the Third Party: The evaluation of this claim is summarised by a sentence in the Conclusion on p27: "Also the key recovery conducted by Pt does not require any information about the identities, locations, exchanged documents and keys of Pa and Pb, so the impact of Pt's security on the protocol is weakened." and this is also mentioned in the 2nd paragraph on p23. Again, the discussion is a theoretical, reasoned argument based on the logic of the protocol.

RELATED WORK

There is no explicit related work section, but references to related work are scattered throughout the paper. We are interested, in particular, in the establishment of the originality of this work. The first sentence of the last paragraph of p19 establishes that the originality does not lie with fairness: "So far a number of protocols have been proposed to achieve fair exchange [1–6,8,10–14,16]." but with anonymity: "However, the existing fair exchange protocols either do not consider anonymity [5] or have partial or inappropriate considerations of anonymity [3,11,14]."
which is taken from the second paragraph of p20. This raises the question of what the authors mean when they contrast "partial or inappropriate considerations of anonymity" with their own claim to provide "true" anonymity. Unfortunately, no further details are given. Similarly, no further comparisons are given between their way of dealing with fairness and those in the citations [1–6,8,10–14,16]. We can, therefore, conclude that the related work discussion is inadequate.

YOUR REVIEWS

The overall quality of reviews was good. This review was perhaps a little more challenging than the previous two in that the faults in the paper were less obvious.

* Several people focused only on the hypotheses on fairness and anonymity and either overlooked or downplayed those on efficiency and weak security requirements. This meant they also omitted any criticism of the poor evidence presented to support these two hypotheses. Note that 'efficient' was in the title, so this was clearly intended to be a major factor.
* Several people still classified the paper as exploratory research trying to identify hypotheses, whereas it seemed clear from the presentation that the hypotheses were anticipated from the start and then evaluated. Moreover, there was no implementation, so no experimentation of either an exploratory or confirmatory kind.
* Several people classified the paper as combining several techniques, without specifying what these techniques were. Others claimed the techniques were fairness and anonymity, but these are properties of techniques, not techniques in their own right.
* Several people classified the paper as a new application of a technique. However, as is clear from the very limited related work discussions, using protocols for document exchange is not a new application, but a fairly well explored field.
* Several people criticised the paper because there was no implementation. It is, however, legitimate to publish a purely theoretical paper without an implementation.
* A couple of people spotted that a similar paper by the same authors had been published in: Zhang, N.; Shi, Q.; Merabti, M., "Anonymous public-key certificates for anonymous and fair document exchange," Communications, IEE Proceedings, vol. 147, no. 6, pp. 345-350, Dec 2000. This older paper is different in several respects, e.g., the security requirements of the trusted third party are not weak in that they can establish the identities of the other parties. However, there is also significant overlap and it is 'surprising' that this 2000 paper is not cited in the current one. BTW -- it is standard practice for updated and more detailed versions of short conference papers to be subsequently published as journal papers, but this does not seem to explain this case.