[Cryptography] Proposal of a fair contract signing protocol

Ron Garret ron at flownet.com
Sat Jun 11 23:34:30 EDT 2016 

On Jun 11, 2016, at 1:45 AM, mok-kong shen <mok-kong.shen at t-online.de> wrote:

> Am 11.06.2016 um 02:28 schrieb Ray Dillinger:
>> 
>> 
>> On 06/10/2016 01:59 PM, mok-kong shen wrote:
>>> 
>>> When a contract in digital from is to be signed online by Alice and
>>> Bob, an issue concerning the fairness of the signing process crops up
>>> as follows: If Alice first signs the document and sends it to Bob, it
>>> means she has committed to something (e.g. ready to purchase an article
>>> from Bob at a certain price). Bob can however, if he desires, at least
>>> to some extent arbitrarily delay giving his digital signature, i.e.
>>> having a period during which he has no corresponding commitment. This
>>> is obviously unfair and thus to be avoided, if possible.
>>> 
>> 
>> Contracts as legal commitments are not operative until signed
>> by all parties.  Software commitments, when competently implemented,
>> are the same.
>> 
>> The fairness issue arises, to some extent, if there is a period
>> of time during which Bob may have the *option* of signing or not,
>> after Alice has already signed.
>> 
>> But this is easily prevented - by incremental signing, as you
>> suggested, but secret splits, including visual-cryptography
>> splits, are not appropriate, because for any such split one can
>> fabricate a corresponding split that combines with it to make
>> a different contract.  Thus the commitment fails, because
>> Alice has signed a split of contract A, and Bob provides a
>> specially constructed split that combines with it to form
>> contract B and claims Alice agreed to contract B when she
>> signed.
> [snip]
> 
> No. If in step (2) Bob employs a Z so that (X,Z) gives a document
> D different from C and sends signed(Bob,X) and signed(Bob,Z) to Alice,
> then this manipulation will be detected by Alice as I wrote in
> step (3) and the protocol fails to complete.
> 
> M. K. Shen
> -------------------------------------------------
> 
> P.S. I like to take this opportunity to post an addendum to my OP
> to avoid an eventual possible misunderstanding of the readers.
> 
> [Addendum:] Remark: The message sent by Alice in step (1) looks like
> the following and is as a whole piece encrypted with Bob's public key
> and signed by Alice.
> 
> ...... some text ...... Here is the X-part of VC signed by me:
> signed(Alice,X) ......Here is the Y-part of VC: Y ......
> some text ……

This doesn’t work because:

> Note that after step (2) Alice cannot innocently refuse to perform step
> (3), since the pair (X,Y) stems from her.

Alice can refuse by (falsely) claiming that she sent (S(X), Z) instead of (S(X), Y).  If this were not the case (i.e. if Alice could not plausibly make this false claim), then Alice would already be committed after sending (S(X), Y), and the protocol would cease to be fair.

My hunch is that it’s a theorem that the sort of fair commitment protocol that you’re describing is not possible without a trusted third party, and that the proof would look something like the proof of the impossibility of establishing common knowledge with unreliable point-to-point communications.

rg

More information about the cryptography mailing list