[Cryptography] Proposal of a fair contract signing protocol

Ron Garret ron at flownet.com
Wed Jun 22 21:42:54 EDT 2016


On Jun 22, 2016, at 5:52 PM, mok-kong shen <mok-kong.shen at t-online.de> wrote:

> Am 22.06.2016 um 22:54 schrieb Ron Garret:
>> 
>> On Jun 22, 2016, at 12:06 PM, Jon Callas <jon at callas.org> wrote:
>> 
>>> Signed PGP part
>>> I apologize in advance if I'm being clueless on some piece of this, because I have *not* spent enough time to thoroughly understand Mok-Kong's protocol. (Furthermore, I have picky questions that I don't know if they're relevant about parts the protocol, like what properties should "signcryption" have?)
>>> 
>>> But anyway...
>>> 
>>> There are plenty of unsolvable problems that you can solve is useful ways. Yeah, they're "limited" but they're often limited to the real world and often because the full problem is unsolvable.
>>> 
>>> For example, it's often completely reasonable to solve the halting problem by setting a timeout. Split-brain problems are solved all the time with a quorum system. You can solve the Generals/Agreement problems either by allowing it to go a wait state or declaring an exit condition, etc. In short, these unsolvable problems are solvable when you put in an escape valve that says that when you get into the unsolvable state, you declare a solution.
>>> 
>>> Mok-Kong has this note at the end of the protocol:
>>> 
>>>   Note that after step (2) Alice cannot innocently refuse to perform
>>>   step (3), since the pair (X,Y) stems from her. In other words, after
>>>   step (2) the contract is de facto completed.
>>> 
>>> To me, it appears that "de facto completed" means there's an escape valve. If the protocol says that Alice does X, Bob does Y, and Alice is supposed to do Z, but if she doesn't, tough -- then the protocol terminates.
>>> 
>>> Of course, this might be unsatisfactory on some level and there may need to be software duct tape and chicken wire to make it work. But it sounds to me like there's the escape clause here.
>>> 
>>> Am I right or not?
>> 
>> Not.
>> 
>> Here is Mok-Kong’s problem statement:
>> 
>>> When a contract in digital from is to be signed online by Alice and
>>> Bob, an issue concerning the fairness of the signing process crops up
>>> as follows: If Alice first signs the document and sends it to Bob, it
>>> means she has committed to something (e.g. ready to purchase an article
>>> from Bob at a certain price), Bob can however, if he desires, to some
>>> extent delay giving his digital signature and thus have a certain
>>> finite time interval during which he has no corresponding commitment.
>>> This is obviously unfair and hence to be avoided, if possible.
>> 
>> Mok-Kong’s claim is that his protocol is *fair* in the sense that there is never a time when Alice is committed and Bob isn’t, or vice-versa.  But this cannot possibly be the case if Alice and Bob’s actions are interleaved in time and there is no trusted third party.
>> 
>> This is not quite the same as the two-generals problem.  The 2G problem is solvable if you have reliable communications.  The fair commitment problem is not solvable even with reliable communications.
>> 
>> Proof by reductio: assume that the problem is solvable, i.e. there is some sequence of interleaved actions taken by A and B that results in fair commitment, i.e. at some point there is some key action K where neither A or B are committed before the action but both are committed after.  Since actions are interleaved, K must be performed either by A or by B.  Let us assume WOLOG that K is performed by A.  A, by assumption, is uncommitted before performing K, and so can choose to perform K or not.  But B can no longer make this choice.  B’s commitment (or lack thereof) hinges entirely on a choice made by A.  Therefore the protocol cannot be fair.
> 
> Allow me anyway an attempt to counter-argue. Would you please point
> out what's defective in my thought below?

You are playing fast and loose with the definition of the word “commit”.

> If the contract C is as such directly to be signed and Alice and Bob
> are to sign it online, then it is naturally the case that both
> signatures couldn't be done at the same moment and consequently the
> unfairness occurs. What the virtual cryptography does is to split C
> into two pieces X and Y to be signed. Alice initiates the signing
> process through first signing only X, but promises to sign Y in case
> Bob signs both X and Y. As long as Bob's action is not done, Alice has
> not signed C. That's trivial. After Bob signs X and Y, Alice must sign
> Y within a time period TP, for otherwise she would have broken her
> promise.

If Alice “must” do something then she is committed to doing it.  That’s what being committed means.

> Thus either C never comes into being, or C becomes valid in
> step 3 but there is no time point in the entire processing where one
> party is commited to C while the other party has the freedom to commit
> to C or not. Isn't this sufficient to consider the protocol to be fair?

No.  It doesn’t matter whether “C has come into being” or not.  What matters is whether there is simultaneous commitment, and there isn’t, because there can’t be.  Alice is effectively committed as soon as she signs the first time because she has promised (a.k.a. committed) to sign the second time.

rg



More information about the cryptography mailing list