[Cryptography] Proposal of a fair contract signing protocol

mok-kong shen mok-kong.shen at t-online.de
Thu Jun 23 03:35:38 EDT 2016

Am 23.06.2016 um 09:13 schrieb mok-kong shen:
> Am 23.06.2016 um 08:50 schrieb Ron Garret:
>> On Jun 22, 2016, at 11:41 PM, mok-kong shen
>> <mok-kong.shen at t-online.de> wrote:
>>> Am 23.06.2016 um 03:42 schrieb Ron Garret:
>>>> On Jun 22, 2016, at 5:52 PM, mok-kong shen
>>>> <mok-kong.shen at t-online.de> wrote:
>>>>> Am 22.06.2016 um 22:54 schrieb Ron Garret:
> [snip]
>>>>>> Here is Mok-Kong’s problem statement:
>>>>>>> When a contract in digital form is to be signed online by Alice and
>>>>>>> Bob, an issue concerning the fairness of the signing process
>>>>>>> crops up
>>>>>>> as follows: If Alice first signs the document and sends it to
>>>>>>> Bob, it
>>>>>>> means she has committed to something (e.g. ready to purchase an
>>>>>>> article
>>>>>>> from Bob at a certain price), Bob can however, if he desires, to
>>>>>>> some
>>>>>>> extent delay giving his digital signature and thus have a certain
>>>>>>> finite time interval during which he has no corresponding
>>>>>>> commitment.
>>>>>>> This is obviously unfair and hence to be avoided, if possible.
>>>>>> Mok-Kong’s claim is that his protocol is *fair* in the sense that
>>>>>> there is never a time when Alice is committed and Bob isn’t, or
>>>>>> vice-versa.  But this cannot possibly be the case if Alice and
>>>>>> Bob’s actions are interleaved in time and there is no trusted
>>>>>> third party.
>>>>>> This is not quite the same as the two-generals problem.  The 2G
>>>>>> problem is solvable if you have reliable communications.  The fair
>>>>>> commitment problem is not solvable even with reliable communications.
>>>>>> Proof by reductio: assume that the problem is solvable, i.e. there
>>>>>> is some sequence of interleaved actions taken by A and B that
>>>>>> results in fair commitment, i.e. at some point there is some key
>>>>>> action K where neither A nor B is committed before the action but
>>>>>> both are committed after.  Since actions are interleaved, K must
>>>>>> be performed either by A or by B.  Let us assume WOLOG that K is
>>>>>> performed by A.  A, by assumption, is uncommitted before
>>>>>> performing K, and so can choose to perform K or not.  But B can no
>>>>>> longer make this choice.  B’s commitment (or lack thereof) hinges
>>>>>> entirely on a choice made by A.  Therefore the protocol cannot be
>>>>>> fair.
>>>>> Allow me anyway an attempt to counter-argue. Would you please point
>>>>> out what's defective in my thought below?
>>>> You are playing fast and loose with the definition of the word
>>>> “commit”.
>>>>> If the contract C is as such directly to be signed and Alice and Bob
>>>>> are to sign it online, then it is naturally the case that both
>>>>> signatures couldn't be done at the same moment and consequently the
>>>>> unfairness occurs. What the virtual cryptography does is to split C
>>>>> into two pieces X and Y to be signed. Alice initiates the signing
>>>>> process through first signing only X, but promises to sign Y in case
>>>>> Bob signs both X and Y. As long as Bob's action is not done, Alice has
>>>>> not signed C. That's trivial. After Bob signs X and Y, Alice must sign
>>>>> Y within a time period TP, for otherwise she would have broken her
>>>>> promise.
>>>> If Alice “must” do something then she is committed to doing it.
>>>> That’s what being committed means.
>>>>> Thus either C never comes into being, or C becomes valid in
>>>>> step 3 but there is no time point in the entire processing where one
>>>>> party is committed to C while the other party has the freedom to commit
>>>>> to C or not. Isn't this sufficient to consider the protocol to be
>>>>> fair?
>>>> No.  It doesn’t matter whether “C has come into being” or not.  What
>>>> matters is whether there is simultaneous commitment, and there
>>>> isn’t, because there can’t be.  Alice is effectively committed as
>>>> soon as she signs the first time because she has promised (a.k.a.
>>>> committed) to sign the second time.
>>> I don't think so. In step 1 Alice only commits to X
>> No.  She also "promises to sign Y”.  Whether you call it a “promise”
>> or a “commitment” is irrelevant.  Alice is still bound by Bob’s
>> decision to sign.
> Sorry, I don't yet understand you. That promise (or commitment) is
> "conditioned" on Bob's commitment on C (his acceptance of Alice's
> proposal, he may refuse that). To see this point of mine: If I promise
> to give as present $10000 to someone if tomorrow the sun rises on the
> west, would that even be a promise or commitment at all?

[Addendum:] Each contract proposal by Alice must be of the nature that
if Bob agrees within a short period then everything runs as stated (i.e.
Alice is bound). Otherwise the proposal is nothing. Alice could
actually also add a sentence reserving her right to cancel the proposal
at any time before getting Bob's acceptance in T. (This could be useful
e.g. for one selling a rare book of which he has only a single copy.)

M. K. Shen
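Added example, not part of the thread: a toy model of the X/Y split-signing protocol as described above (step 1 Alice signs X and promises Y, step 2 Bob signs X and Y, step 3 Alice signs Y within TP), optionally with the addendum's cancellation right. It takes "free" to mean "can still prevent C by an honest move" (not acting, refusing, or cancelling where allowed) and reports the steps at which only one party is free; the names and the sequential step ordering are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass
class State:
    """Signing state of the split contract C = (X, Y). Modelling assumption:
    moves happen strictly one after another (no messages in flight)."""
    can_cancel: bool = False        # addendum: Alice reserved a cancel right
    alice_signed_x: bool = False    # step 1 (also carries the promise on Y)
    alice_cancelled: bool = False   # Alice withdrew the proposal
    bob_signed_xy: bool = False     # step 2
    alice_signed_y: bool = False    # step 3, due within TP


def contract_valid(s: State) -> bool:
    """C exists once X and Y carry both signatures."""
    return s.alice_signed_x and s.bob_signed_xy and s.alice_signed_y


def free_parties(s: State) -> set:
    """Parties that can still prevent C by an honest move."""
    if s.alice_cancelled or contract_valid(s):
        return set()                 # outcome already decided
    free = set()
    # Alice is free before step 1, or, with the cancel right, until Bob accepts.
    if not s.alice_signed_x or (s.can_cancel and not s.bob_signed_xy):
        free.add("Alice")
    if not s.bob_signed_xy:          # Bob may still refuse the proposal
        free.add("Bob")
    return free


def run(can_cancel: bool) -> list:
    """Play the three steps; return (step, free parties) after each one."""
    s = State(can_cancel=can_cancel)
    trace = [(0, free_parties(s))]
    s.alice_signed_x = True          # step 1: Alice signs X, promises Y
    trace.append((1, free_parties(s)))
    s.bob_signed_xy = True           # step 2: Bob signs X and Y
    trace.append((2, free_parties(s)))
    s.alice_signed_y = True          # step 3: Alice signs Y within TP
    trace.append((3, free_parties(s)))
    return trace


def one_sided_steps(trace: list) -> list:
    """Steps at which exactly one party is still free (the asymmetry at issue)."""
    return [step for step, free in trace if len(free) == 1]


if __name__ == "__main__":
    for flag in (False, True):
        print("cancel right:", flag, run(flag), "one-sided:", one_sided_steps(run(flag)))
```

Without the cancel right the model reports step 1 as one-sided (only Bob can still prevent C); with it, no step is one-sided, but the model does not capture a cancellation and an acceptance crossing in transit, which is where the two-generals-style ordering question would reappear.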
