From: Anonymous <nobody@REPLAY.COM>
To: cypherpunks@cyberpass.net
Message Hash: 4d5d282cab0788d9a3724fd0a9e98030383c608a68cb94332291c3f1f1e6684d
Message ID: <199710110505.HAA15711@basement.replay.com>
Reply To: N/A
UTC Datetime: 1997-10-11 05:20:08 UTC
Raw Date: Sat, 11 Oct 1997 13:20:08 +0800
From: Anonymous <nobody@REPLAY.COM>
Date: Sat, 11 Oct 1997 13:20:08 +0800
To: cypherpunks@cyberpass.net
Subject: non-transferable & designated verifier signatures
Message-ID: <199710110505.HAA15711@basement.replay.com>
MIME-Version: 1.0
Content-Type: text/plain
Adam Back:
> The application you describe could be catered for very well by a third
> type of signature called a designated verifier signature.
AKA patent number 5373558 : Desinated-confirmer signature systems
INVENTORS: Chaum; David, Sherman Oaks, CA 91403
> Non-transferable signatures on the other hand work by being made
> forgeable by the recipient. That way it is essentially the recipients
> word against the senders. However there is some transferable proof
> there: there is proof that _one_ of you wrote it.
Not clear how much privacy this buys you. If one party sues the other,
it's some protection. But if both parties are hauled into court and
accused of some crime, it's going to be clear enough which party sent
the mail. Yes, technically it could have been forged by the other party,
but people have been convicted on evidence a lot shakier than this.
> Also you could clearly cope with the arbitrator situation without
> resorting to DV signatures; non-transferable signatures would be
> enough, if you sent a signed message to Alice, and a detached
> signature to your abitrator. If you want to later use the abitrator,
> you send the body of the message to the arbitrator. He calculates the
> hash of the message, and is then able to use the detatched
> non-transferable signature to verify your claim. But he can't
> demonstrate this to other people. One disadvantage is that the
> arbitrator could team up with you and make that two peoples words
> against one. You might see that as an advantage, but Alice won't. An
> arbitrator which indulged in this kind of behaviour may lose
> reputation.
Sounds complicated. It will be years before the legal system is able
to handle these subtleties. Ordinary digital signatures are challenging
enough.
> One way to do this for some kinds of situations is for each party to
> setup a atomic transfer where they give each other the ability to
> cause a penalty to be extracted from both of them.
Torn ecash?
> Say they are engaging in some business worth $100. Alice is
> performing some programming task for Bob.
> If Bob is satisfied with the software he gives Alice the $100. If he
> is not he incurs a $50 loss himself which goes to charity, and Alice
> does also. In doing this he doesn't get the software. But Alice is
> penalised, and it is better than losing $100.
With torn ecash, Bob withdraws $100 from his account, but in such a way
that Alice has some crucial information needed to unblind it. If they
can't come to a meeting of the minds, Bob is out the $100 and Alice is
out the time she spent on the project. This removes much of the incentive
each has to cheat the other, and gives them an incentive to cooperate.
Return to October 1997
Return to “Anonymous <nobody@REPLAY.COM>”
1997-10-11 (Sat, 11 Oct 1997 13:20:08 +0800) - non-transferable & designated verifier signatures - Anonymous <nobody@REPLAY.COM>