[Cryptography] Proposal of a fair contract signing protocol

Ron Garret ron at flownet.com
Mon Jun 13 18:38:50 EDT 2016

On Jun 13, 2016, at 2:50 PM, mok-kong shen <mok-kong.shen at t-online.de> wrote:

> On 12.06.2016 at 21:43, Ron Garret wrote:
>> On Jun 12, 2016, at 11:21 AM, mok-kong shen <mok-kong.shen at t-online.de> wrote:
>>> On 12.06.2016 at 20:13, mok-kong shen wrote:
>>>> On 12.06.2016 at 05:34, Ron Garret wrote:
>>>>> On Jun 11, 2016, at 1:45 AM, mok-kong shen <mok-kong.shen at t-online.de>
>>>>> wrote:
>>>> [snip]
>>>>>> [Addendum:] Remark: The message sent by Alice in step (1) looks like
>>>>>> the following and is as a whole piece encrypted with Bob's public key
>>>>>> and signed by Alice.
>>>>>> ...... some text ...... Here is the X-part of VC signed by me:
>>>>>> signed(Alice,X) ......Here is the Y-part of VC: Y ......
>>>>>> some text ……
>>>>> This doesn’t work because:
>>>>>> Note that after step (2) Alice cannot innocently refuse to perform step
>>>>>> (3), since the pair (X,Y) stems from her.
>>>>> Alice can refuse by (falsely) claiming that she sent (S(X), Z) instead
>>>>> of (S(X), Y).  If this were not the case (i.e. if Alice could not
>>>>> plausibly make this false claim), then Alice would already be
>>>>> committed after sending (S(X), Y), and the protocol would cease to be
>>>>> fair.
>>>> But her message to Bob was sent with signcryption, i.e. with her
>>>> signature ensuring the correctness of its content (which includes Y).
>>> [Addendum:] Sorry I forgot to write:
>>> To your 2nd point, one could explicitly have the convention that only signed(A, U) means A commits to U, nothing else.
>> In that case, Alice is not committed after Bob signs (but Bob is) and again, the protocol is unfair.
> Sorry, I don't yet see your point. Bob has the freedom to commit or
> not commit. If he chooses to commit, then Alice is immediately obliged
> to commit. Isn't that good enough?

Not according to the fairness criterion that you originally stated:

> When a contract in digital form is to be signed online by Alice and
> Bob, an issue concerning the fairness of the signing process crops up
> as follows: If Alice first signs the document and sends it to Bob, it
> means she has committed to something (e.g. ready to purchase an article
> from Bob at a certain price). Bob can however, if he desires, at least
> to some extent arbitrarily delay giving his digital signature, i.e.
> having a period during which he has no corresponding commitment. This
> is obviously unfair and thus to be avoided, if possible.

Your stated goal was to remove the asymmetry, i.e. the period of time where Bob has the option to commit or not while Alice no longer has that option.  Your protocol does not achieve that goal.  No protocol that does not use a trusted third party can accomplish that.  As I suspected and danimoth confirmed, it’s a theorem.
