[Cryptography] Proposal of a fair contract signing protocol

mok-kong shen mok-kong.shen at t-online.de
Thu Jun 23 03:13:49 EDT 2016

Am 23.06.2016 um 08:50 schrieb Ron Garret:
> On Jun 22, 2016, at 11:41 PM, mok-kong shen <mok-kong.shen at t-online.de> wrote:
>> Am 23.06.2016 um 03:42 schrieb Ron Garret:
>>> On Jun 22, 2016, at 5:52 PM, mok-kong shen <mok-kong.shen at t-online.de> wrote:
>>>> Am 22.06.2016 um 22:54 schrieb Ron Garret:
>>>>> Here is Mok-Kong’s problem statement:
>>>>>> When a contract in digital from is to be signed online by Alice and
>>>>>> Bob, an issue concerning the fairness of the signing process crops up
>>>>>> as follows: If Alice first signs the document and sends it to Bob, it
>>>>>> means she has committed to something (e.g. ready to purchase an article
>>>>>> from Bob at a certain price), Bob can however, if he desires, to some
>>>>>> extent delay giving his digital signature and thus have a certain
>>>>>> finite time interval during which he has no corresponding commitment.
>>>>>> This is obviously unfair and hence to be avoided, if possible.
>>>>> Mok-Kong’s claim is that his protocol is *fair* in the sense that there is never a time when Alice is committed and Bob isn’t, or vice-versa.  But this cannot possibly be the case if Alice and Bob’s actions are interleaved in time and there is no trusted third party.
>>>>> This is not quite the same as the two-generals problem.  The 2G problem is solvable if you have reliable communications.  The fair commitment problem is not solvable even with reliable communications.
>>>>> Proof by reductio: assume that the problem is solvable, i.e. there is some sequence of interleaved actions taken by A and B that results in fair commitment, i.e. at some point there is some key action K where neither A or B are committed before the action but both are committed after.  Since actions are interleaved, K must be performed either by A or by B.  Let us assume WOLOG that K is performed by A.  A, by assumption, is uncommitted before performing K, and so can choose to perform K or not.  But B can no longer make this choice.  B’s commitment (or lack thereof) hinges entirely on a choice made by A.  Therefore the protocol cannot be fair.
>>>> Allow me anyway an attempt to counter-argue. Would you please point
>>>> out what's defective in my thought below?
>>> You are playing fast and loose with the definition of the word “commit”.
>>>> If the contract C is as such directly to be signed and Alice and Bob
>>>> are to sign it online, then it is naturally the case that both
>>>> signatures couldn't be done at the same moment and consequently the
>>>> unfairness occurs. What the virtual cryptography does is to split C
>>>> into two pieces X and Y to be signed. Alice initiates the signing
>>>> process through first signing only X, but promises to sign Y in case
>>>> Bob signs both X and Y. As long as Bob's action is not done, Alice has
>>>> not signed C. That's trivial. After Bob signs X and Y, Alice must sign
>>>> Y within a time period TP, for otherwise she would have broken her
>>>> promise.
>>> If Alice “must” do something then she is committed to doing it.  That’s what being committed means.
>>>> Thus either C never comes into being, or C becomes valid in
>>>> step 3 but there is no time point in the entire processing where one
>>>> party is commited to C while the other party has the freedom to commit
>>>> to C or not. Isn't this sufficient to consider the protocol to be fair?
>>> No.  It doesn’t matter whether “C has come into being” or not.  What matters is whether there is simultaneous commitment, and there isn’t, because there can’t be.  Alice is effectively committed as soon as she signs the first time because she has promised (a.k.a. committed) to sign the second time.
>> I don't think so. In step 1 Alice only commits to X
> No.  She also "promises to sign Y”.  Whether you call it a “promise” or a “commitment” is irrelevant.  Alice is still bound by Bob’s decision to sign.

Sorry, I don't yet understand you. That promise (or commitment) is
"conditioned" on Bob's commitment on C (his acceptance of Alice's
proposal, he may refuse that). To see this point of mine: If I promise
to give as present $10000 to someone if tomorrow the sun rises on the
west, would that even be a promise or commitment at all?

M. K. Shen

More information about the cryptography mailing list