[Cryptography] Proposal of a fair contract signing protocol

mok-kong shen mok-kong.shen at t-online.de
Sun Jun 12 14:21:32 EDT 2016

Am 12.06.2016 um 20:13 schrieb mok-kong shen:
> Am 12.06.2016 um 05:34 schrieb Ron Garret:
>> On Jun 11, 2016, at 1:45 AM, mok-kong shen <mok-kong.shen at t-online.de>
>> wrote:
> [snip]
>>> [Addendum:] Remark: The message sent by Alice in step (1) looks like
>>> the following and is as a whole piece encrypted with Bob's public key
>>> and signed by Alice.
>>> ...... some text ...... Here is the X-part of VC signed by me:
>>> signed(Alice,X) ......Here is the Y-part of VC: Y ......
>>> some text ……
>> This doesn’t work because:
>>> Note that after step (2) Alice cannot innocently refuse to perform step
>>> (3), since the pair (X,Y) stems from her.
>> Alice can refuse by (falsely) claiming that she sent (S(X), Z) instead
>> of (S(X), Y).  If this were not the case (i.e. if Alice could not
>> plausibly make this false claim), then Alice would already be
>> committed after sending (S(X), Y), and the protocol would cease to be
>> fair.
> But her message to Bob was sent with signcryption, i.e. with her
> signature ensuring the correctness of its content (which includes Y).

[Addendum:] Sorry I forgot to write:

To your 2nd point, one could explicitly have the convention that only 
signed(A, U) means A commits to U, nothing else.

M. K. Shen

More information about the cryptography mailing list