[Cryptography] Proposal of a fair contract signing protocol

Jon Callas jon at callas.org
Thu Jun 23 14:11:17 EDT 2016

Hash: SHA256

> On Jun 22, 2016, at 1:54 PM, Ron Garret <ron at flownet.com> wrote:
> Here is Mok-Kong’s problem statement:
>> When a contract in digital from is to be signed online by Alice and
>> Bob, an issue concerning the fairness of the signing process crops up
>> as follows: If Alice first signs the document and sends it to Bob, it
>> means she has committed to something (e.g. ready to purchase an article
>> from Bob at a certain price), Bob can however, if he desires, to some
>> extent delay giving his digital signature and thus have a certain
>> finite time interval during which he has no corresponding commitment.
>> This is obviously unfair and hence to be avoided, if possible.
> Mok-Kong’s claim is that his protocol is *fair* in the sense that there is never a time when Alice is committed and Bob isn’t, or vice-versa.  But this cannot possibly be the case if Alice and Bob’s actions are interleaved in time and there is no trusted third party.
> This is not quite the same as the two-generals problem.  The 2G problem is solvable if you have reliable communications.  The fair commitment problem is not solvable even with reliable communications.

Well, it sounds to me like you and I agree, but we're agreeing with me saying yes and you saying no.

I was observing that the protocol does not appear to be bound by Generals-class unsolvability because it has a property that is a termination condition.

You're observing that it isn't bound by Generals issues, but that it isn't fair. 

The property you're calling unfairness is the same property I'm calling a termination condition without further affect. So we agree.

But beyond that, it appears that he's been clear and explicit that this termination property isn't "fair" (that's the paragraph I quoted) because when the protocol enters a certain state, an outcome is presumed to be true, even if the rest of the protocol falls on the floor. 

So it really sounds like we have squishy language about what things like "fair" and "commit" or "promise" mean and there's a lot of imprecision in it (I noted that as well -- there are a bunch of terms that I don't know what they mean in the protocol), but it's *not* subject to Generals-style failures.

But yeah, it sounds like we don't have an agreed-upon definiton of what "fair" means, and it's hard to judge a fair signing protocol without knowing what fair means.


Version: PGP Universal 3.3.0 (Build 9060)
Charset: windows-1252


More information about the cryptography mailing list