[Cryptography] Proposal of a fair contract signing protocol

Judson Lester nyarly at gmail.com
Thu Jun 30 19:14:23 EDT 2016

On Thu, Jun 30, 2016 at 10:30 AM mok-kong shen <mok-kong.shen at t-online.de>

> > As you stated previously, Alice's "promise" is enforceable in court by
> > Bob, so as soon as Alice sends her promise, she is bound while Bob is
> > not, and therefore the protocol fails any reasonable definition of
> > "fairness".
> You clearly have misunderstood me. In step 1 Alice is bound to
> something but Bob to nothing. But that doesn't matter "at all" to
> my definition of fairness, which deals merely with (1) the (if
> exists, then clearly bad) hypothetical situation where a contract
> already comes into being (i.e. after step 3) "but" there is a (for
> argumentaton purposes temporarily "assumed" possible) finite time
> period in the contract processing during which one partner is fully
> committed while the other partner is not fully committed and (2)
> the consequential corresponding question of whether such an "assumed"
> case could "ever" happen in my scheme. I claim that such a hypothetical
> case clearly can't logically exist, which means that my protocol
> satisfies my definition. If you don't agree, then please point out
> at which location or locations of my protocol there is something
> wrong/impossible and therefore my scheme couldn't satisfy my definition.
> M. K. Shen

It appears that your "fairness" is either vacuous or paradoxical.

In the execution of your protocol, after step 1, Alice is committed to sign
the executed contract when Bob completes step 2. Either this is equivalent
to Alice being committed when Bob is not, or it is not equivalent.

If the commitment to sign is equivalent to signing, the protocol isn't fair
precisely because the scenario without this protocol isn't fair: Alice is
committed where Bob isn't.

After step 2, Bob is committed to the contract. If Alice's commitment to
sign is not equivalent to signing the contract, then Bob is committed and
Alice is not, which is a violation of the fairness you've defined, with
Alice and Bob's roles reversed.

I conclude: either "commitment to sign" is equivalent to signing, in which
case your protocol is unfair to Alice, or it is not and it is unfair to
Bob. Any other interpretation is of a property of the transaction so vague
as to be meaningless.

This isn't a novel formulation - I quite liked the general impossibility
result, which this is merely a specialization of to your protocol.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160630/963ac08b/attachment.html>

More information about the cryptography mailing list