A fair protocol for signing contracts

  • Michael Ben-Or
  • Oded Goldreich
  • Silvio Micali
  • Ronald L. Rivest
Conference paper
First Online:
Part of the Lecture Notes in Computer Science book series (LNCS, volume 194)

Abstract

Assume that two parties, A and B, want to sign a contract over a communication network, i.e. they want to exchange their “commitments“ to the contract. We consider a contract signing protocol to be fair if, at any stage in its execution, the following hold: the conditional probability that party A obtains B's signature to the contract given that B has obtained A's signature to the contract, is close to 1. (Symmetrically, when switching the roles of A and B).

Contract signing protocols cannot be fair without relying on a trusted third party. We present a fair, cryptographic protocol for signing contracts that makes use of the weakest possible form of a trusted third party (judge). If both A and B are honest, the judge will never be called upon. Otherwise, the judge rules by performing a simple computation, without referring to previous verdicts. Thus, no bookkeeping is required from the judge. Our protocol is fair even if A and B have very different computing powers. Its fairness is proved under the very general cryptographic assumption that functions that are one-way in a weak sense exist. Our protocol is also optimal with respect to the number of messages exchanged.

Keywords

Signature Scheme Contract CONT Digital Signature Scheme Initial Declaration Fairness Requirement 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, log in to check access.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [B]
    Blum, M., “How to Exchange (Secret) Keys”, ACM Trans. on Comp. Sys., Vol. 1, No. 2, 1983, pp. 175–193. Also in the Proc. of the 15th ACM Symp. on Theory of Computation, 1983, pp. 440–447.CrossRefGoogle Scholar
  2. [BM]
    M. Blum and S. Micali, “How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits”, SIAM Jour. on Computing, Vol. 13, Nov. 1984, pp 850–864 (Preliminary version: Proc. 23rd IEEE Symp. on Foundations of Computer Science, 1982, pp 112–117.)CrossRefGoogle Scholar
  3. [BR]
    Blum, M., and Rabin, M.O., “Mail Certification by Randomization”, in preparation.Google Scholar
  4. [DH]
    Diffie, W., and Hellman, M.E., “New Directions in Cryptography”, IEEE Trans. on Inform. Theory, Vol. IT-22, No. 6, November 1976, pp. 644–654.CrossRefGoogle Scholar
  5. [E]
    Even, S., “A Protocol for Signing Contracts”, TR No. 231, Computer Science Dept., Technion, Haifa, Israel, 1982. Presented in Crypto81.Google Scholar
  6. [EGL]
    Even, S., Goldreich, O., and Lempel, A., “A Randomized Protocol for Signing Contracts”, Advances in Cryptology: Proceedings of Crypto82, (Chaum D. et al. eds.), Plenum Press, 1983, pp. 205–210. A better version will apear in the Comm. of the ACM.Google Scholar
  7. [EY]
    Even, S., and Yacobi, Y., “Relations Among Public Key Signature Systems”, TR No. 175, Computer Science Dept., Technion, Haifa, Israel, 1980.Google Scholar
  8. [G]
    Goldreich, O., “A Simple Protocol for Signing Contracts”, in Advances in Cryptology: Proceedings of Crypto83, (Chaum D., ed.), Plenum Press, pp. 133–136, 1984.Google Scholar
  9. [GGM]
    Goldreich, O., Goldwasser, S., and Micali, S., “How to Construct Random Functions”, Proc. of the 25th IEEE Symp. on Foundation of Computer Science, 1984, pp. 464–479. To appear, Journal of ACM Google Scholar
  10. [GMR]
    Goldwasser, S., Micali, S., and Rivest, R.L., “A Paradoxical Solution to the Signature Problem”, Proc. of the 25th IEEE Symp. on Foundation of Computer Science, 1984, pp. 441–448.Google Scholar
  11. [HS]
    Hastad, J., and Shamir, A., “The Cryptographic Security of Truncated Linearly Related Variables”, to appear in the proceedings of the 17th STOC, 1985.Google Scholar
  12. [L]
    Levin, L.A., “One-way Functions and Oseudorandom Generators”, to appear in the proceedings of the 17th STOC, 1985.Google Scholar
  13. [R]
    Rabin, M.O., “Transaction Protection by Beacons”, TR-29-81, Aiken Computation Laboratory, Harvard University, 1981.Google Scholar
  14. [RSA]
    Rivest, R.L., Shamir, A., and Adleman, L., “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Comm. of the ACM, Feb. 1978, pp. 120–126.Google Scholar
  15. [Y]
    Yao, A.C., “Theory and Application of Trapdoor Functions”, Proc. of the 23rd IEEE Symp. on Foundation of Computer Science, 1982, pp. 80–91.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1985

Authors and Affiliations

  • Michael Ben-Or
    • 1
  • Oded Goldreich
    • 2
  • Silvio Micali
    • 3
  • Ronald L. Rivest
    • 3
  1. 1.Institute of Mathematics and Computer ScienceHebrew UniversityJerusalemIsrael
  2. 2.Computer Science Dept., TechnionHaifaIsrael
  3. 3.Laboratory for Computer Science, MITCambridgeUSA

Personalised recommendations