@InProceedings{BOGMR85, replaced-by = { BOGMR90 }, author = { Michael Ben-Or and Oded Goldreich and Silvio Micali and Ronald L. Rivest }, title = { A Fair Protocol for Signing Contracts (Extended Abstract) }, pages = { 43--52 }, OPTurl = { http://dx.doi.org/10.1007/BFb0015729 }, doi = { 10.1007/BFb0015729 }, booktitle = { Proceedings 1985 International Colloquium on Automata, Languages, and Programming }, publisher = { Springer }, organization = { EATCS }, editor = { Wilfried Brauer }, date = { 1985 }, series = { Lecture Notes in Computer Science }, volume = { 194 }, OPTyear = { 1985 }, OPTmonth = { July 15--19, }, eventdate = { 1985-07-15/1985-07-19 }, eventtitle = { ICALP '85 }, venue = { Nafplion, Greece }, abstract = { Assume that two parties, A and B , want to sign a contract over a communication network, i.e. they want to exchange their ``commitments'' to the contract. We consider a contract signing protocol to be fair if, at any stage in its execution, the following hold: the conditional probability that party A obtains B's signature to the contract given that B has obtained A's signature to the contract, is close to 1. (Symmetrically, when switching the roles of A and B ). \par Contract signing protocols cannot be fair without relying on a trusted third party. We present a fair, cryptographic protocol for signing contracts that makes use of the \emph{weakest possible form of a trusted third party (judge)}. If both A and B are honest, the judge will never be called upon. Otherwise, the judge rules by performing a simple computation, without referring to previous verdicts. Thus, no bookkeeping is required from the judge. Our protocol is fair even if A and B have very different computing powers. Its fairness is proved under the very general cryptographic assumption that functions that are one-way in a weak sense exist. Our protocol is also optimal with respect to the number of messages exchanged. }, }