[Cryptography] Proposal of a fair contract signing protocol

mok-kong shen mok-kong.shen at t-online.de
Fri Jun 24 23:47:56 EDT 2016

Am 25.06.2016 um 04:28 schrieb Donald Eastlake:
> On Fri, Jun 24, 2016 at 6:56 PM, mok-kong shen
> <mok-kong.shen at t-online.de <mailto:mok-kong.shen at t-online.de>> wrote:
>     Am 25.06.2016 um 00:39 schrieb Allen:
>         On Sun, Jun 19, 2016 at 12:51 PM, mok-kong shen
>         <mok-kong.shen at t-online.de <mailto:mok-kong.shen at t-online.de>
>         <mailto:mok-kong.shen at t-online.de
>         <mailto:mok-kong.shen at t-online.de>>> wrote:
>             Step 1: Alice formulates a contract document C, generates
>         with visual
>             cryptography a pair (X, Y), sends a message containing
>         signed(Alice,X)
>             and Y to Bob and asks him to accept C before a certain day T
>         in the
>             future and promises to complete the contract formality
>         within a certain
>             time period TP in case Bob commits to C in step 2.
>             Step 2: Bob obtains C from (X, Y). If he can't accept C, he
>         informs
>             Alice and the protocol begins again at step 1. Otherwise he
>         sends a
>             message containing signed(Bob,X) and signed(Bob,Y) to Alice
>         and asks
>             her to release C. (If Bob does nothing before T is reached, the
>             protocol begins again at step 1.)
>             Step 3: Alice examines whether Bob has signed the correct
>         stuff, i.e.
>             whether he hadn't e.g. by mistake sent signed(Bob,Z) in place of
>             signed(Bob,X) with Z != X. If Bob had signed the wrong
>         stuff, she
>             informs Bob and the protocol begins again at step 1.
>         Otherwise she
>             releases C, signed(Alice,X), signed(Alice,Y), signed(Bob,X) and
>             signed(Bob,Y) to the public. (Alice is responsible to
>         complete step 3
>             within TP.)
> So Bob signs and returns believing/saying he has done so within T but
> Alice believes/says that he sent it late and she isn't bound. Could be
> due to a slow channel or Alice is lying or Bob is lying or speed of
> light delay or...

(1) If due to technical problems Bob's message is arrived too late,
i.e. after T, then the condition set up by Alice in step 1 is not
fulfilled, so the protocol as specified fails, i.e. no contract C can/is
established according to the protocol. (I wrote in my original version
of OP for that case that "the protocol begins again at step 1" but
didn't consider it absolutely necessary to say that.) (2) If Bob signs
X and Y and Alice gets that within T, Bob has evidently no way of lying.
(3) If Alice could somehow trick. i.e. manages to claim to see no
message of Bob within T, then the condition of step 1 is not fulfilled,
hence Alice's trick would work but then again no contract C can/is
estalished according to the protocol. So what's the problem with the
fairness of my definition which applies "only" after step 3 is done?
(BTW C is Alice's own proposal, she should normally have no motivation
to trick so that the proposal fails, but this is only an aside here
and doesn't belong to my counter-argument to your comment.)

M. K. Shen

M. K. Shen
> You just can't do it without third party. In this case, looks like a
> trusted time stamping service would do.
> (This seems very reminiscent of the impossibility of physically
> realizing a bounded synchronizer or arbiter.)
> Thanks,
> Donald
> ===============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  155 Beaver Street, Milford, MA 01757 USA
>  d3e3e3 at gmail.com <mailto:d3e3e3 at gmail.com>

More information about the cryptography mailing list