[Cryptography] Proposal of a fair contract signing protocol

Tue Jun 14 03:03:52 EDT 2016

On Jun 13, 2016, at 11:24 PM, Ray Dillinger <bear at sonic.net> wrote:

> 
> 
> On 06/13/2016 03:52 PM, Ron Garret wrote:
> 
> Suppose that Alice decides she wants to rescind her offer.  She’s not
> actually allowed to do that, but she can claim that she never received
> Bob’s acceptance, and Bob can’t prove otherwise.
>> 
>> So we add another step to the protocol: Alice has to acknowledge to Bob that she received his acceptance in order to complete the protocol, which she does.  Are they committed now?  No, because now Bob can decide to rescind his acceptance by claiming (falsely but plausibly) that he never received Alice’s acknowledgement.
> 
> It doesn't work.  Both of them know within an hour that they either do,
> or don't, have the other's acknowledgement of the contract (or the
> signed contract).  Alice who made the offer and does not have Bob's
> ack on the offer is not bound.  Bob who signed the offer but received
> no acknowledgement of the receipt of his signature, is not bound.
> Expiration of an hour without those conditions being met, means the
> contract is not operative.

You are assuming the communications channel between Alice and Bob is reliable.  If it’s not, then the participants cannot reach a reliable conclusion about whether or not they have actually reached an agreement.  In the real world this rarely matters because modern communications channels are reliable and for most negotiations the stakes are low.  But you and I actually experienced a real-world failure of exactly this sort recently where the result was that I showed up for a meeting and you didn’t (twice!).  And this happened because during a critical period we did not have a reliable communications channel.  So this sort of thing really does matter even in the real world on occasion.

> I have the impression that your proof that this is insoluble relies on
> preconditions which would be laughed at in any court of law - such as
> the notion that correspondents are not aware of the passage of time or
> can consider time to be a meaningful part of the protocol.  Or on the
> parties playing ridiculous mathematical games like a child asking "why"
> iteratively forever, insisting on an infinite regress of acknowledging
> the acknowledgements.
> 
> Such antics and requirements for absolute mathematical purity do not
> impress judges and juries, any more than a child's demand to know the
> ultimate cause of the universe.

Yes, I know that.  But this is not a discussion about the law, it’s a discussion about a proposed cryptographic protocol.

But this actually is a problem in the real world too.  Disputes over the content of signed documents are rare, but when they happen they can be hard to sort out because there is often no binding of signature to content.  This is why for important documents you often have to sign (or at least initial) every page separately.

rg