[Cryptography] Proposal of a fair contract signing protocol

Ray Dillinger bear at sonic.net
Fri Jul 1 00:33:52 EDT 2016



Okay, let's put it in a simpler way.

Stop your protocol right before the last message is sent by Bob.

At this point, Alice has nothing more to do to complete the
protocol.  Bob has the choice between sending his final message
and completing the protocol (putting in the hands of Alice a
contract that binds him) or just composing that final message
and never sending it.

Now, if the contract turns out to be beneficial to Bob, Bob can
later go to court and show the final contract (whether he did, or
did not, actually transmit it to Alice) and claim that Alice
is bound.

Contrariwise, if it turns out not to be to his benefit to have made
such a contract, and Alice never received the final message, then
Alice cannot show the final message to the judge and claim that
Bob is bound.

In court, Alice will claim she isn't bound because she never
received that final message completing the protocol.  There is
no way for the judge to know whether or not she's telling the
truth about receiving it, nor whether Bob is telling the truth
about having sent it.

With the channel being unreliable, there is even the possibility
that both of them are telling the truth.  Maybe Bob really DID
send the message and Alice really DIDN'T receive it.

Unless there is some way to irreversibly publish the completed
contract in an archive where it remains 'on display' in a way
that either participant could have checked at any time since
(and where later someone can show that it has been present since
a particular time), and such publication is required as a step
to complete the contract, it comes down to Bob's word against
Alice's.

				Bear

PS.  This is a very silly argument under "reasonable man"
provisions as real courts use -- A contract with signatures
from both, and acknowledging signatures of the document plus
both signatures from both, will stand up in any court.
Requiring an infinite regress of acknowledgements of the
acknowledgements of the acknowledgements of the signatures
is, well, childish and silly and would get you laughed at.
So, yes, in some technical "pure" sense it's impossible under
the proposed conditions, but it doesn't matter.

Also, public archives from which neither can delete something
and which either could publish in or check at any time, and where
either could later prove that something was or wasn't published
before a particular time, are easily available.  So the fair
contract problem is easy to solve because the assumptions on
which this impossibility theorem rests don't even apply.
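
Added example, not part of the original message: a minimal Python model of the rule described above, in which a contract counts as completed only once it sits in an append-only archive that either party or a judge can check. The Archive class, its hash chaining, the caller-supplied times and the sample data are assumptions made for illustration, and signature verification is left out.

```python
import copy
import hashlib

GENESIS = "0" * 64

def _link(prev: str, time: int, doc_hash: str) -> str:
    # Each head commits to everything published before it.
    return hashlib.sha256(f"{prev}|{time}|{doc_hash}".encode()).hexdigest()

class Archive:
    """Hypothetical append-only public archive (hash-chained log)."""
    def __init__(self):
        self.entries = []

    def publish(self, document: bytes, time: int) -> None:
        prev = self.entries[-1]["head"] if self.entries else GENESIS
        doc_hash = hashlib.sha256(document).hexdigest()
        self.entries.append({"time": time, "doc": doc_hash,
                             "head": _link(prev, time, doc_hash)})

def chain_is_intact(entries) -> bool:
    # Recompute every head; any edited or inserted entry breaks the chain.
    prev = GENESIS
    for e in entries:
        if e["head"] != _link(prev, e["time"], e["doc"]):
            return False
        prev = e["head"]
    return True

def published_since(entries, contract: bytes):
    """Time the contract entered an intact archive, or None (not completed)."""
    if not chain_is_intact(entries):
        return None
    doc_hash = hashlib.sha256(contract).hexdigest()
    return next((e["time"] for e in entries if e["doc"] == doc_hash), None)

def demo():
    archive = Archive()
    archive.publish(b"unrelated notice", time=100)          # constructed sample data
    contract = b"contract text || sig_Alice || sig_Bob"     # constructed placeholder
    # Bob composes the completed contract but never publishes it:
    withheld = published_since(archive.entries, contract)   # no entry: not completed
    # Bob publishes; Alice or a judge can check the same archive at any time:
    archive.publish(contract, time=200)
    completed = published_since(archive.entries, contract)
    # Rewriting the recorded time afterwards breaks the chain:
    forged = copy.deepcopy(archive.entries)
    forged[1]["time"] = 50
    return withheld, completed, chain_is_intact(forged)
```

The judge's question changes from "did Bob send it and did Alice receive it" to "is it in the archive, and since when", which both parties can answer from the same data.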



