A significant number of transactions occur electronically and remotely where the participants exchange electronic data to facilitate the transaction but nonetheless never meet. In some cases, it is desirable to be able to bind a participant to an electronic transaction in a way that in non-repudiatable by the participant. For example, if a customer instructs a stockbroker to purchase a particular stock that subsequently goes down, it is important for the broker that the customer not be able to repudiate the transaction and try to claim that he never is the broker to purchase the stock.
In the case of asymmetric encryption, non-repudiation is provided by digitally signing data using a secret key known only to one of the participants (and perhaps an issuer of the key, who is trusted not to misuse the key). In such an arrangement, it is possible to verify that particular data (i.e., instructions for a particular transaction) were signed by a specific entity that was in possession of the secret key. This verification is possible without knowing the secret key. Thus, assuming that the secret key has not been compromised, the entity that uses the secret key for digitally signing instructions for a transaction cannot later repudiate the transaction.
However, it is a different situation in the case of symmetric encryption, where multiple participants in an electronic transaction use the same secret key. In such a case, a sender of an encrypted electronic message (i.e., transaction instructions) could repudiate the message by claiming that the message was fraudulently constructed by the receiver. In addition, in some systems, the sender bears the burden of proving that a transaction is fraudulent. However, in the case of symmetric encryption using a shared secret key, the sender cannot meet this burden since a legitimate message signed by the sender using the shared secret key is identical to a fraudulent message constructed by the receiver using the same shared secret key.
Accordingly, it is desirable to provide a mechanism that allows a sender to repudiate an electronic message when the sender and the recipient use the same shared secret key.