[Cryptography] Proposal of a fair contract signing protocol

Ray Dillinger bear at sonic.net
Mon Jun 27 01:39:59 EDT 2016



Hmmm.  There's this weird property of error-correction codes based on
CRC redundancy checks that the error-correction code identifies the
location of the bit errors in both the document *AND* the error-
correction code itself.

The Diffie-Hellman protocol allows two parties to communicate
non-secret information pertaining to secret nonces, and derive from
it a shared secret.

And then there's public-key/private-key transformations, some of
which are commutative and therefore useful in blind signatures, as
in unpadded RSA where Da(Db(Ea(Eb(Plaintext)))) == Plaintext and it
doesn't matter whether you decrypt in the reverse of the key sequence
used to encrypt.

And then there's secret splitting, where you have 1-N of the required
set revealing nothing about a secret but any N of the required set
allowing it to be fully determined...

All of these things seem to have properties relevant to or involved
with a hypothetical signature type that violates the assumptions which
the proof of impossibility is based on.

If you do deeper math than I do, figuring out a solution would be a
short trip to at least as much fame (and as much value contributed
to the world) as Diffie and Hellman got out of their key agreement
protocol.

So here's the conundrum: is it possible for Bob and Alice to pick secret
nonces, and then communicate in a protocol creating a shared
secret, that allows Alice to produce a signature on [Document plus
Bob's signature] while Bob produces a signature on [Document plus
Alice's signature], before either learns the exact bits of the other's
signature?

The idea being that neither signature can be checked or verified by
anyone else as relating to a document lacking the other signature.
Alice would be able to check her own signature knowing the secret
nonce she picked (obviously - since she can derive it) but she'd
never have to publish the nonce.  Bob likewise would be able to
check his own signature knowing the secret nonce he picked, but
he'd never have to publish that nonce.  And either of them could
immediately check the other's signature when they receive
it.  But nobody else could check either signature without the other,
and absolutely anybody could check them both given both signatures
and the document plus Alice and Bob's public keys.

If that particular math problem has a solution, then it doesn't matter
what order they're revealed in or who communicates their signature
first.  Revealing enough to show the other's commitment would require
revealing enough to show one's own commitment, and vice versa.

				Bear
