[Cryptography] Proposal of a fair contract signing protocol

mok-kong shen mok-kong.shen at t-online.de
Sun Jun 12 14:21:32 EDT 2016


On 12.06.2016 at 20:13, mok-kong shen wrote:
> On 12.06.2016 at 05:34, Ron Garret wrote:
>>
>> On Jun 11, 2016, at 1:45 AM, mok-kong shen <mok-kong.shen at t-online.de>
>> wrote:
>>
> [snip]
>
>>> [Addendum:] Remark: The message sent by Alice in step (1) looks like
>>> the following and is as a whole piece encrypted with Bob's public key
>>> and signed by Alice.
>>>
>>> ...... some text ...... Here is the X-part of VC signed by me:
>>> signed(Alice,X) ......Here is the Y-part of VC: Y ......
>>> some text ……
>>
>> This doesn’t work because:
>>
>>> Note that after step (2) Alice cannot innocently refuse to perform step
>>> (3), since the pair (X,Y) stems from her.
>>
>> Alice can refuse by (falsely) claiming that she sent (S(X), Z) instead
>> of (S(X), Y).  If this were not the case (i.e. if Alice could not
>> plausibly make this false claim), then Alice would already be
>> committed after sending (S(X), Y), and the protocol would cease to be
>> fair.
>>
>
> But her message to Bob was sent with signcryption, i.e. with her
> signature ensuring the correctness of its content (which includes Y).

[Addendum:] Sorry I forgot to write:

To your 2nd point, one could explicitly have the convention that only 
signed(A, U) means A commits to U, nothing else.

M. K. Shen


