[Cryptography] Proposal of a fair contract signing protocol
ron at flownet.com
Thu Jun 23 14:34:03 EDT 2016
On Jun 23, 2016, at 11:11 AM, Jon Callas <jon at callas.org> wrote:
>> On Jun 22, 2016, at 1:54 PM, Ron Garret <ron at flownet.com> wrote:
>> Here is Mok-Kong’s problem statement:
>>> When a contract in digital from is to be signed online by Alice and
>>> Bob, an issue concerning the fairness of the signing process crops up
>>> as follows: If Alice first signs the document and sends it to Bob, it
>>> means she has committed to something (e.g. ready to purchase an article
>>> from Bob at a certain price), Bob can however, if he desires, to some
>>> extent delay giving his digital signature and thus have a certain
>>> finite time interval during which he has no corresponding commitment.
>>> This is obviously unfair and hence to be avoided, if possible.
>> Mok-Kong’s claim is that his protocol is *fair* in the sense that there is never a time when Alice is committed and Bob isn’t, or vice-versa. But this cannot possibly be the case if Alice and Bob’s actions are interleaved in time and there is no trusted third party.
>> This is not quite the same as the two-generals problem. The 2G problem is solvable if you have reliable communications. The fair commitment problem is not solvable even with reliable communications.
> Well, it sounds to me like you and I agree, but we're agreeing with me saying yes and you saying no.
> I was observing that the protocol does not appear to be bound by Generals-class unsolvability because it has a property that is a termination condition.
> You're observing that it isn't bound by Generals issues, but that it isn't fair.
> The property you're calling unfairness is the same property I'm calling a termination condition without further affect. So we agree.
> But beyond that, it appears that he's been clear and explicit that this termination property isn't "fair" (that's the paragraph I quoted) because when the protocol enters a certain state, an outcome is presumed to be true, even if the rest of the protocol falls on the floor.
> So it really sounds like we have squishy language about what things like "fair" and "commit" or "promise" mean and there's a lot of imprecision in it (I noted that as well -- there are a bunch of terms that I don't know what they mean in the protocol), but it's *not* subject to Generals-style failures.
> But yeah, it sounds like we don't have an agreed-upon definiton of what "fair" means, and it's hard to judge a fair signing protocol without knowing what fair means.
Yes, that is the root of the problem, that Mok-Kong’s doesn’t have a precise definition of “commit” and “fair”. But there is an implicit definition contained in his problem statement:
> When a contract in digital from is to be signed online by Alice and
> Bob, an issue concerning the fairness of the signing process crops up
> as follows: If Alice first signs the document and sends it to Bob, it
> means she has committed to something (e.g. ready to purchase an article
> from Bob at a certain price). Bob can however, if he desires, at least
> to some extent arbitrarily delay giving his digital signature, i.e.
> having a period during which he has no corresponding commitment. This
> is obviously unfair and thus to be avoided, if possible.
From this I think it is reasonable to infer that “unfair” means that there exists a period of time where one party is “committed” during which the other party "has no corresponding commitment”, i.e. for a protocol to be fair it has to produce simultaneous commitment. And that not possible with interleaved actions by the participants and no TTP.
AFAICT, MK’s argument hinges on trying to draw a distinction between actually being committed and merely having made a promise to commit, or something like that. But this seems to me like a distinction without a difference, mere wordplay, like being engaged to be engaged. To me, being “committed to X” means that you are in a state where there will be some negative consequence if you do not do X. Whether you call that “committed” or “promised” or “frabnobulated” is irrelevant.
More information about the cryptography