[Cryptography] Proposal of a fair contract signing protocol

Jonathan Katz jkatz at cs.umd.edu
Fri Jul 1 18:27:32 EDT 2016


On Fri, Jul 1, 2016 at 5:27 PM, mok-kong shen <mok-kong.shen at t-online.de> wrote:
> On 01.07.2016 at 06:33, Ray Dillinger wrote:
>>
>>
>>
>> Okay, let's put it in a simpler way.
>>
>> Stop your protocol right before the last message is sent by Bob.
>>
>> At this point, Alice has nothing more to do to complete the
>> protocol.  Bob has the choice between sending his final message
>> and completing the protocol (putting in the hands of Alice a
>> contract that binds him) or just composing that final message
>> and never sending it.
>
>
> If Bob chooses to go the first way, the protocol completes and the
> fairness definition applies. If Bob chooses to go the second way,
> the protocol never completes and, since the fairness definition
> only deals with a completed protocol, it has no chance of being
> considered at all.
>
> M. K. Shen

The discussion is going in circles; it just illustrates the futility
of discussing such things without formal definitions in place.

Here is another "fair" contract signing protocol that is simpler and
seems to achieve the same things you claim:
0. Let C be the contract to sign. Let C' be the contract plus the
statement "this contract is valid only if signed by Alice and Bob."
1. Alice signs C' and sends the signature to Bob.
2. Bob signs C' and sends the signature to Alice.

Note that if Bob does not follow step 2, then he does not have a valid
contract. (Since it is valid only if signed by Alice and Bob.) On the
other hand, once Bob follows step 2, both parties are bound to the
contract.

Don't bother telling me why this protocol is bad; I will agree with you.

Please move this discussion off list.
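
Added example, not part of the original message: the two-step protocol
above run in Python, with Lamport one-time signatures built from hashlib
standing in for the parties' signature scheme (an assumption, as are the
contract text and all function names). It checks who can exhibit a contract
carrying both signatures when Bob composes his step 2 message and never
sends it, the situation described in the quoted text.

```python
import hashlib
import os

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; public key is their hashes.
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk

def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. Each key must sign only once.
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg, sig):
    if sig is None or len(sig) != 256:
        return False
    return all(H(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))

def is_binding(c_prime, pk_a, pk_b, sig_a, sig_b):
    # C' is "valid only if signed by Alice and Bob".
    return verify(pk_a, c_prime, sig_a) and verify(pk_b, c_prime, sig_b)

def run(bob_sends_step2):
    """Return (alice_can_show_contract, bob_can_show_contract)."""
    c = b"Alice sells Bob 100 widgets."  # constructed sample contract
    c_prime = c + b" This contract is valid only if signed by Alice and Bob."
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    sig_a = sign(sk_a, c_prime)  # step 1: Alice -> Bob
    sig_b = sign(sk_b, c_prime)  # step 2 message, composed by Bob locally
    alice_holds = (sig_a, sig_b if bob_sends_step2 else None)
    bob_holds = (sig_a, sig_b)   # Bob always has both after step 1
    return (is_binding(c_prime, pk_a, pk_b, *alice_holds),
            is_binding(c_prime, pk_a, pk_b, *bob_holds))

if __name__ == "__main__":
    print("Bob sends step 2:    ", run(True))
    print("Bob withholds step 2:", run(False))
```
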

