Abstract. Verifiably encrypted signature (VES) schemes allow a signer to encrypt a signature under the public key of a trusted party, the adjudicator, while maintaining public signature verifiability without interactive proofs. A popular application for this concept is fair online contract signing. This paper answers the question of whether it is possible to implement a VES without pairings and zero-knowledge proofs. Our construction is based on RSA signatures and a Merkle hash tree. Hence, the scheme is stateful but relies on relatively mild assumptions in the random oracle model. Thus, we provide an alternative that does not rely on pairingbased assumptions. The advantage of our approach over previous schemes is that widespread efficient hard-and software implementations of hash functions and RSA signatures can be easily reused for VES, i.e., we can avoid costly redevelopment. Furthermore, in contrast to using non-interactive zeroknowledge proofs, we only need a constant, small number of modular exponentiations.