[Cryptography] Proposal of a fair contract signing protocol

mok-kong shen mok-kong.shen at t-online.de
Fri Jun 24 18:56:03 EDT 2016

On 25.06.2016 at 00:39, Allen wrote:
> On Sun, Jun 19, 2016 at 12:51 PM, mok-kong shen
> <mok-kong.shen at t-online.de> wrote:
>     Step 1: Alice formulates a contract document C, generates with visual
>     cryptography a pair (X, Y), sends a message containing signed(Alice,X)
>     and Y to Bob and asks him to accept C before a certain day T in the
>     future and promises to complete the contract formality within a certain
>     time period TP in case Bob commits to C in step 2.
>     Step 2: Bob obtains C from (X, Y). If he can't accept C, he informs
>     Alice and the protocol begins again at step 1. Otherwise he sends a
>     message containing signed(Bob,X) and signed(Bob,Y) to Alice and asks
>     her to release C. (If Bob does nothing before T is reached, the
>     protocol begins again at step 1.)
>     Step 3: Alice examines whether Bob has signed the correct stuff, i.e.
>     whether he hadn't e.g. by mistake sent signed(Bob,Z) in place of
>     signed(Bob,X) with Z != X. If Bob had signed the wrong stuff, she
>     informs Bob and the protocol begins again at step 1. Otherwise she
>     releases C, signed(Alice,X), signed(Alice,Y), signed(Bob,X) and
>     signed(Bob,Y) to the public. (Alice is responsible to complete step 3
>     within TP.)
> On Fri, Jun 24, 2016 at 5:51 PM, mok-kong shen
> <mok-kong.shen at t-online.de> wrote:
>     Under a valid contract I meant what Alice in step 3 produces, which
>     includes the text of the contract C and the pair of visual cryptography
>     (X, Y) signed by both Alice and Bob, with (X, Y) exactly reproducing C.
>     Does that sufficiently cover your "how to test for it"? Or do you mean
>     anything in connection with the digital signatures of Alice and Bob?
>     (I assume that the signatures are properly done by them.)
> Using this definition of validity "what Alice in step 3 produces", the
> protocol is pretty obviously "unfair".  In Step 3, Alice creates and
> publishes signed(Alice,Y).  She can create and publish this at her
> option--if she does, a valid contract suddenly comes into existence, and
> if she does not, there is no valid contract.  Therefore, the creation of
> the valid contract is completely under Alice's control at this point,
> and completely out of Bob's control.

Did you read what in step 1 Alice promises to do if Bob commits? If Bob
commits in step 2 and Alice doesn't do step 3 then she breaks her
promise and Bob could sue her. Note once again that if a contract
doesn't come into being for technical or human reasons, my definition
of unfairness is never touched upon, for the definition assumes a
valid document, i.e. step 3 is completed.

M. K. Shen
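
The step 3 validity test discussed in this thread, as an added example that is not part of any poster's message: it checks that (X, Y) reproduces C and that all four signatures verify, and evaluates the bundle as it exists after step 2, after step 3, and when Bob signed Z in place of X. Assumptions: a Naor-Shamir (2,2) scheme over the bits of C stands in for the visual cryptography, Lamport one-time signatures stand in for the unspecified signature scheme, and every function name is hypothetical.

```python
import hashlib, secrets

# Assumed stand-ins: Naor-Shamir (2,2) visual cryptography over the bits of C;
# Lamport one-time signatures, one key pair per (signer, share). Names are hypothetical.
H = lambda b: hashlib.sha256(b).digest()
enc = lambda share: bytes(v for cell in share for v in cell)  # serialise a share for signing
SLOTS = [("Alice", "X"), ("Alice", "Y"), ("Bob", "X"), ("Bob", "Y")]

def vc_split(doc):
    # Each bit becomes a 2-subpixel cell per share: equal cells for 0, complementary for 1.
    x, y = [], []
    for bit in (byte >> (7 - i) & 1 for byte in doc for i in range(8)):
        p = secrets.choice([(1, 0), (0, 1)])
        x.append(p)
        y.append((1 - p[0], 1 - p[1]) if bit else p)
    return x, y

def vc_stack(x, y):
    # Overlaying the shares is a pixel-wise OR; a fully black cell decodes to bit 1.
    bits = [(a[0] | b[0]) & (a[1] | b[1]) for a, b in zip(x, y)]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def digest_bits(msg):
    d = H(msg)
    return [d[i // 8] >> (7 - i % 8) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))

def is_valid_contract(c, x, y, sigs, pks):
    # Validity as defined for step 3: (X, Y) reproduces C and all four signatures verify.
    share = {"X": enc(x), "Y": enc(y)}
    return vc_stack(x, y) == c and all(k in sigs and verify(pks[k], share[k[1]], sigs[k]) for k in SLOTS)

def demo():
    c = b"Constructed sample contract C"
    x, y = vc_split(c)
    keys = {k: keygen() for k in SLOTS}
    pks = {k: pk for k, (_, pk) in keys.items()}
    full = {k: sign(keys[k][0], enc(x if k[1] == "X" else y)) for k in SLOTS}  # step 3 bundle
    step2 = {k: v for k, v in full.items() if k != ("Alice", "Y")}     # what exists after step 2
    wrong = {**full, ("Bob", "X"): sign(keys[("Bob", "X")][0], b"Z")}  # Bob signed Z != X
    return [is_valid_contract(c, x, y, s, pks) for s in (step2, full, wrong)]
```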
