[Cryptography] Proposal of a fair contract signing protocol

Ron Garret ron at flownet.com
Tue Jun 14 18:28:03 EDT 2016


On Jun 14, 2016, at 8:59 AM, Ray Dillinger <bear at sonic.net> wrote:

> On 06/14/2016 12:03 AM, Ron Garret wrote:
>> 
>> On Jun 13, 2016, at 11:24 PM, Ray Dillinger <bear at sonic.net> wrote:
> 
>>> Such antics and requirements for absolute mathematical purity do not
>>> impress judges and juries, any more than a child's demand to know the
>>> ultimate cause of the universe.
> 
>> Yes, I know that.  But this is not a discussion about the law, it’s a discussion about a proposed cryptographic protocol.
> 
> But protocols insofar as anyone cares about them are used for reasons
> that people care about.  If the problem is signing a contract, the legal
> binding that people are asking about is decided by a court.

Yes, I know that.  But again, this is not about what “people” care about, this is about a particular problem and proposed solution advanced by the OP.  (Re-read the subject line of this thread.)

> If communications are unreliable, obviously there's a bottom case in
> which communications don't exist at all and you can't make a contract no
> matter what.  So what even was there to prove?  That missed messages
> such as happen when communications don't exist at all can cause a
> protocol to fail?  Was that a surprise to anyone?

It’s not quite that simple.  The OP’s protocol fails even in the face of perfectly reliable communications.  Understanding why might be interesting to some people on this list.  It certainly should be interesting to the OP.  It might even be interesting to you if you give it a chance.

Just for the record, the OP’s problem had to do with fair commitment while the well-known two-generals problem has to do with achieving consensus/common knowledge.  These problems are related, but they are not identical.  Understanding how they are related is not entirely trivial.  Indeed, the academic results on fair commitment cited by danimoth post-date the results on two-party consensus by 10-25 years.

> Anyway, there are plenty of public, irrefutably timestamped venues where
> neither participant controls the timestamp and neither participant can
> rescind a message.  Usenet, bitcoin blockchain, etc.  Commitment or lack
> thereof can be based on what appears on those channels within a time
> limit, and there's no way either party can claim it's there when it's
> not, or that it's not there when it is.

Yes, I know that too.  There are plenty of ways to solve the problem that the OP posed as a practical matter using a TTP or some variation on that theme.  But again, that’s not really what this is about.  Just because a problem is well understood in academia doesn’t mean all discussion about it on this mailing list should be shut down.  Look at how much time is spent talking about generating secure random numbers here even though this too is a very well understood problem with a wide variety of easy-to-implement real-world solutions.

rg


