[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

non-transferable & designated verifier signatures




Adam Back:

> The application you describe could be catered for very well by a third
> type of signature called a designated verifier signature.

AKA patent number 5373558 : Desinated-confirmer signature systems 
INVENTORS: Chaum; David, Sherman Oaks, CA 91403

> Non-transferable signatures on the other hand work by being made
> forgeable by the recipient.  That way it is essentially the recipients
> word against the senders.  However there is some transferable proof
> there: there is proof that _one_ of you wrote it.

Not clear how much privacy this buys you.  If one party sues the other,
it's some protection.  But if both parties are hauled into court and
accused of some crime, it's going to be clear enough which party sent
the mail.  Yes, technically it could have been forged by the other party,
but people have been convicted on evidence a lot shakier than this.

> Also you could clearly cope with the arbitrator situation without
> resorting to DV signatures; non-transferable signatures would be
> enough, if you sent a signed message to Alice, and a detached
> signature to your abitrator.  If you want to later use the abitrator,
> you send the body of the message to the arbitrator.  He calculates the
> hash of the message, and is then able to use the detatched
> non-transferable signature to verify your claim.  But he can't
> demonstrate this to other people.  One disadvantage is that the
> arbitrator could team up with you and make that two peoples words
> against one.  You might see that as an advantage, but Alice won't.  An
> arbitrator which indulged in this kind of behaviour may lose
> reputation.

Sounds complicated.  It will be years before the legal system is able
to handle these subtleties.  Ordinary digital signatures are challenging
enough.

> One way to do this for some kinds of situations is for each party to
> setup a atomic transfer where they give each other the ability to
> cause a penalty to be extracted from both of them.

Torn ecash?

> Say they are engaging in some business worth $100.  Alice is
> performing some programming task for Bob.

> If Bob is satisfied with the software he gives Alice the $100.  If he
> is not he incurs a $50 loss himself which goes to charity, and Alice
> does also.  In doing this he doesn't get the software.  But Alice is
> penalised, and it is better than losing $100.

With torn ecash, Bob withdraws $100 from his account, but in such a way
that Alice has some crucial information needed to unblind it.  If they
can't come to a meeting of the minds, Bob is out the $100 and Alice is
out the time she spent on the project.  This removes much of the incentive
each has to cheat the other, and gives them an incentive to cooperate.