Nonrepudiation protocols without a trusted party

Abstract

A nonrepudiation protocol from party S to party R performs two tasks. First, the protocol enables party S to send to party R some text x along with sufficient evidence (that can convince a judge) that x was indeed sent by S. Second, the protocol enables party R to receive text x from S and to send to S sufficient evidence (that can convince a judge) that x was indeed received by R. Almost every published nonrepudiation protocol from party S to party R involves three parties: the two original parties S and R, and a third party that is often called a trusted party. A well-known nonrepudiation protocol that does not involve a third party is based on an assumption that party S knows an upper bound on the computing power of party R. This assumption does not seem reasonable especially since by violating this assumption, party R can manipulate the nonrepudiation protocol so that R obtains all its needed evidence without supplying party S with all its needed evidence. In this paper, we show that nonrepudiation protocols that do not involve a third party can be designed under reasonable assumptions. Moreover, we identify necessary and sufficient (reasonable) assumptions under which these protocols can be designed. Finally, we present the first ever l-nonrepudiation protocol that involves l parties (none of which is trusted), where l ≥ 2.