
non-transferable & designated verifier signatures





Monty Cantsin writes:
> Anonymous wrote:
> >[non-transferable signatures]
> >
> >[these sigs] guarantee the message came from another person, but
> >aren't binding.  [...]
> >
> >In paper business correspondence, there is no such distinction.  A
> >signed letter is transferable.  Go beyond this and business will be
> >scratching its heads.  It's a solution looking for a problem.
> 
> How about arbitration?  Two parties may wish to make an agreement to
> be judged by an arbitrator of their choosing.  In certain cases, the
> State can be expected to intervene.  If only the arbitrator knows the
> signatures to be valid, the State has no fair basis on which to make
> an intervention.

Wow.  Don't go away will you Monty?  That was an excellent point.

The application you describe could be catered for very well by a third
type of signature called a designated verifier signature.  With this
type of signature you can designate when you create the signature who
can verify it.  DV signatures are different than non-transferable
signatures in that in addition to being not transferable to
non-verifiers, you can't transfer them without revealing your private
key.  The other difference being that you can construct them for other
verifiers (the arbitration service).

Non-transferable signatures on the other hand work by being made
forgeable by the recipient.  That way it is essentially the recipient's
word against the sender's.  However there is some transferable proof
there: there is proof that _one_ of you wrote it.

So DV signatures are probably the best of the two.  Merely being able
to demonstrate enough proof to cause an argument about which of you
wrote the document costs you the compromise of your private key.

Also you could clearly cope with the arbitrator situation without
resorting to DV signatures; non-transferable signatures would be
enough, if you sent a signed message to Alice, and a detached
signature to your arbitrator.  If you want to later use the arbitrator,
you send the body of the message to the arbitrator.  He calculates the
hash of the message, and is then able to use the detached
non-transferable signature to verify your claim.  But he can't
demonstrate this to other people.  One disadvantage is that the
arbitrator could team up with you and make that two people's words
against one.  You might see that as an advantage, but Alice won't.  An
arbitrator which indulged in this kind of behaviour may lose
reputation.


Lastly, some comments along the lines of `smart contracts' as
discussed by Nick Szabo in the past.  It would be nicer if you didn't
need the arbitrator.

One way to do this for some kinds of situations is for each party to
set up an atomic transfer where they give each other the ability to
cause a penalty to be extracted from both of them.

Say they are engaging in some business worth $100.  Alice is
performing some programming task for Bob.

If Bob is satisfied with the software he gives Alice the $100.  If he
is not he incurs a $50 loss himself which goes to charity, and Alice
does also.  In doing this he doesn't get the software.  But Alice is
penalised, and it is better than losing $100.

Problem with that example is that you still need an arbitrator
probably.  Unless perhaps Bob is able to determine quality without
source code, or with part of source code.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
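
The "forgeable by the recipient" property described in the message above, as an added example that is not part of the original post or its author's code: a two-key Schnorr-style ring signature is one construction with that property (the post does not name a construction). The modulus `P`, base `G`, all function names and the sample message are assumptions made for illustration, and the parameters are toy-sized.

```python
# Added illustration: toy parameters, not secure for real use.
import hashlib
import secrets

P = 2**127 - 1  # Mersenne prime used as a toy modulus (assumption)
G = 3           # base element (assumption)
N = P - 1       # exponents reduce mod P-1 by Fermat's little theorem

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def _challenge(msg, ring, commit):
    h = hashlib.sha256(hashlib.sha256(msg).digest())
    for v in (*ring, commit):
        h.update(v.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % N

def sign(msg, ring, i, x):
    """Sign as ring member i (0 = sender, 1 = recipient) with private key x."""
    j = 1 - i
    c, s = [0, 0], [0, 0]
    k = secrets.randbelow(N)
    c[j] = _challenge(msg, ring, pow(G, k, P))
    s[j] = secrets.randbelow(N)  # simulated response for the other key
    c[i] = _challenge(msg, ring, pow(G, s[j], P) * pow(ring[j], c[j], P) % P)
    s[i] = (k - c[i] * x) % N    # real response closes the ring
    return c[0], s[0], s[1]

def verify(msg, ring, sig):
    c0, s0, s1 = sig
    c1 = _challenge(msg, ring, pow(G, s0, P) * pow(ring[0], c0, P) % P)
    return c0 == _challenge(msg, ring, pow(G, s1, P) * pow(ring[1], c1, P) % P)

def demo():
    sender_x, sender_y = keygen()
    recip_x, recip_y = keygen()
    ring = (sender_y, recip_y)
    msg = b"I agree to deliver the software for $100"  # constructed sample
    real = sign(msg, ring, 0, sender_x)     # what the sender sends
    forged = sign(msg, ring, 1, recip_x)    # what the recipient could make alone
    outsider_x, _ = keygen()
    bogus = sign(msg, ring, 0, outsider_x)  # third party holding neither key
    return (verify(msg, ring, real), verify(msg, ring, forged),
            verify(msg, ring, bogus), verify(b"altered", ring, real))

if __name__ == "__main__":
    print(demo())
```

The sender's signature and the recipient's forgery both verify and have the same form, so a third party shown either one learns only that one of the two key holders produced it.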