[Cryptography] Proposal of a fair contract signing protocol

mok-kong shen mok-kong.shen at t-online.de
Sun Jun 12 14:13:25 EDT 2016

Am 12.06.2016 um 05:34 schrieb Ron Garret:
> On Jun 11, 2016, at 1:45 AM, mok-kong shen <mok-kong.shen at t-online.de> wrote:

>> [Addendum:] Remark: The message sent by Alice in step (1) looks like
>> the following and is as a whole piece encrypted with Bob's public key
>> and signed by Alice.
>> ...... some text ...... Here is the X-part of VC signed by me:
>> signed(Alice,X) ......Here is the Y-part of VC: Y ......
>> some text ……
> This doesn’t work because:
>> Note that after step (2) Alice cannot innocently refuse to perform step
>> (3), since the pair (X,Y) stems from her.
> Alice can refuse by (falsely) claiming that she sent (S(X), Z) instead of (S(X), Y).  If this were not the case (i.e. if Alice could not plausibly make this false claim), then Alice would already be committed after sending (S(X), Y), and the protocol would cease to be fair.

But her message to Bob was sent with signcryption, i.e. with her
signature ensuring the correctness of its content (which includes Y).

M. K. Shen

> My hunch is that it’s a theorem that the sort of fair commitment protocol that you’re describing is not possible without a trusted third party, and that the proof would look something like the proof of the impossibility of establishing common knowledge with unreliable point-to-point communications.
> rg

More information about the cryptography mailing list