[Cryptography] Proposal of a fair contract signing protocol

Ron Garret ron at flownet.com
Mon Jun 13 18:52:26 EDT 2016

On Jun 13, 2016, at 1:01 PM, Ray Dillinger <bear at sonic.net> wrote:

> On 06/13/2016 10:26 AM, Allen wrote:
>> I believe the original poster is proposing a technical solution that
>> provides hard-to-refute proof, i.e., something more than just
>> he-said-she-said or "this is the record of all communications" vs "no it's
>> not, that is forged, here's the true record".
> I do not understand how that is an issue.
> Surely, if each message contains the hash of messages received so far,
> then the last message (at any time) contains the root of a Merkle tree
> demonstrating the complete correspondence record.  There is no way for
> Bob or Alice to continue correspondence while keeping the other ignorant
> of what is and isn't on the official record of their correspondence, and
> either can prove the existence and receipt of any message ever responded
> to "on the record" by the other.
> At any moment, both correspondents have a complete record of everything
> the other has acknowledged "on the record", and anything not
> acknowledged is inoperative as part of the record anyway because the
> other party might not have even received it. It can be resent, and any
> further messages originating from the sender will include its hash, or
> else the correspondence can just plain stop until it's acknowledged.

This is actually much more subtle than you might imagine.

Suppose Alice extends an offer to Bob.  Bob accepts the offer within the deadline and sends his acceptance to Alice.  Everything is properly hashed and signed.  Are they committed?

Not necessarily.  Suppose that Alice decides she wants to rescind her offer.  She’s not actually allowed to do that, but she can claim that she never received Bob’s acceptance, and Bob can’t prove otherwise.

So we add another step to the protocol: Alice has to acknowledge to Bob that she received his acceptance in order to complete the protocol, which she does.  Are they committed now?  No, because now Bob can decide to rescind his acceptance by claiming (falsely but plausibly) that he never received Alice’s acknowledgement.

This is a general problem (no pun intended — see below).  It is provably unsolvable in the face of unreliable point-to-point communications.  See:



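Added example, not part of the original message: a small model of the hash-chained, signed correspondence described in the quoted text, showing that however many acknowledgement rounds are appended, the sender of the last message can never prove it was received. Assumptions: HMAC with constructed keys stands in for real digital signatures, and the names `build_transcript`, `verify_chain` and `deniable` are hypothetical.

```python
import hashlib
import hmac

# Constructed demo keys; HMAC is only a stand-in for a real signature scheme.
KEYS = {"Alice": b"constructed-key-A", "Bob": b"constructed-key-B"}
GENESIS = b"\x00" * 32

def sign(sender, body, prev):
    return hmac.new(KEYS[sender], prev + body.encode(), hashlib.sha256).digest()

def build_transcript(bodies, first="Alice"):
    """Alternate senders; every message signs the hash of all earlier ones."""
    other = {"Alice": "Bob", "Bob": "Alice"}
    log, prev, sender = [], GENESIS, first
    for body in bodies:
        sig = sign(sender, body, prev)
        log.append({"from": sender, "body": body, "prev": prev, "sig": sig})
        prev = hashlib.sha256(prev + body.encode() + sig).digest()
        sender = other[sender]
    return log

def verify_chain(log):
    """Check every chain link and signature; any edit to the record fails."""
    prev = GENESIS
    for m in log:
        expected = sign(m["from"], m["body"], prev)
        if m["prev"] != prev or not hmac.compare_digest(m["sig"], expected):
            return False
        prev = hashlib.sha256(prev + m["body"].encode() + m["sig"]).digest()
    return True

def deniable(log):
    """Messages whose receipt the sender cannot prove.

    Receipt of message i is provable only if the other party later signed
    a message, because that signature covers a hash chaining over i.
    """
    if not verify_chain(log):
        raise ValueError("transcript does not verify")
    return [(m["from"], m["body"]) for i, m in enumerate(log)
            if not any(later["from"] != m["from"] for later in log[i + 1:])]

if __name__ == "__main__":
    steps = ["offer", "accept", "ack of accept", "ack of ack"]
    for n in range(1, len(steps) + 1):
        # Adding a round only moves the unprovable message to the new tail.
        print(n, "messages ->", deniable(build_transcript(steps[:n])))
```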