[Cryptography] Proposal of a fair contract signing protocol

Sidney Markowitz sidney at sidney.com
Wed Jun 29 10:40:29 EDT 2016

mok-kong shen wrote on 29/06/16 11:53 PM:
> [I hope that the following more carefully/clearly formulated revised
> version of my OP should render the underlying idea of mine
> understandable and more easily seen to be correct.]

Well, at least you have made it clear that it is different than the Two
Generals problem, so we can't simply say that what you are trying to do has
been proven impossible that way. The Two Generals problem says (roughly) that
it is impossible for two parties to unequivocally come to an agreement over an
unreliable channel. Your protocol is allowed to time out without any contract
coming into effect if it takes too long, so that is not an issue.

> If Alice first signs the document and sends it to Bob, it
> means she has committed to something (e.g. ready to purchase an article
> from Bob at a certain price), Bob can however, if he desires, to some
> extent delay giving his digital signature and thus have a certain
> finite time interval during which he has no corresponding commitment.
> This is obviously unfair and hence to be avoided, if possible.

No, this is not obvious. Someone always has to be first to sign a contract,
but a contract does not come into effect before both parties agree to it.

If signing is what makes commitment then whoever signs first is committed
first. In your protocol Alice first signs the promise. She is committed to
contract P (the promise) which requires her to do certain things in exchange
for Bob providing his signature on C. Bob has no corresponding commitment.
That is unfair by your definition, but does not seem particularly unfair to
me. When someone proposes a contract C, at some point they need to commit to
something so that the other party has a reason to commit to something else.
All you have done is make the promise that first stage of commitment and then
called it "fair" because it is conditional on Bob's act of commitment.

If signed conditional promises make it fair by your definition then there is
no need for your protocol: Alice writes C to include the clause "This contract
comes into effect as soon as it is signed by both Alice and Bob as long as
both signatures are done and the signed document is published by time T." Then
it can be signed in any order and it is still fair by your definition.

At this point I don't see that you are clarifying any more, only repeating
your initial statement of the protocol. You have not explained why Alice
signing the promise is any different than an "unfair" signing of C, or why
signing a C that says that it is conditional on Bob's signature is not just as
fair as signing a conditional promise to sign C. If you simply repeat a
description of your protocol without answering those questions I don't see any
further purpose in discussion.

