Nonrepudiation Protocols Without a Trusted Party

A nonrepudiation protocol from party S to party R performs two tasks. First, the protocol enables party S to send to party R some text x along with sufficient evidence (that can convince a judge) that x was indeed sent by S. Second, the protocol enables party R to receive text x from S and to send to S sufficient evidence (that can convince a judge) that x was indeed received by R. Almost every published nonrepudiation protocol from party S to party R involves three parties: the two original parties S and R, and a third party that is often called a trusted party. A well-known nonrepudiation protocol that does not involve a third party is based on an assumption that party S knows an upper bound on the computing power of party R. This assumption does not seem reasonable especially since by violating this assumption, party R can manipulate the nonrepudiation protocol so that R obtains all its needed evidence without supplying party S with all its needed evidence. In this paper, we show that nonrepudiation protocols that do not involve a third party can be designed under reasonable assumptions. Moreover, we identify necessary and sufficient (reasonable) assumptions under which these protocols can be designed. Finally, we present the first ever \(\ell \)-nonrepudiation protocol that involves \(\ell \) parties (none of which is trusted), where \(\ell \) \(\ge \) 2.