1. Introduction
Quantum cryptography traces back to the late 1960s and early 1970s work on quantum money by Stephen Wiesner. While this work was published only a decade later, in 1983 [1], it had a significant impact on what usually is considered the birth of quantum cryptography, the seminal BB84 paper on quantum key distribution (QKD) [2]. Secure quantum communication offers higher, unconditional (i.e., information theoretic) security levels, as opposed to the computational security of classical cryptography. As a consequence, it became among the most prominent of the emerging quantum technologies, and QKD systems are currently available on the market from vendors such as ID Quantique, QuintessenceLabs, etc. Other related protocols, such as quantum secure direct communication [3], have also been developed. Nevertheless, there is much beyond key distribution that quantum cryptography can offer, such as quantum secret sharing [4], quantum private query [5,6], and quantum secure distributed learning [7]. Secure multiparty computation (SMC) [8] presents another class of cryptographic protocols in which the privacy of users’ data and inputs is protected. Instances of such schemes include private data mining and e-voting, to name a few. Recently, quantum solutions for bit commitment and oblivious transfer, cryptographic primitives that allow for execution of SMC, have been proposed [9]. In the current work, we present a quantum solution to the contract signing problem.
Contract signing [10] is a security protocol that falls within the group of the so-called commitment protocols [11,12,13]. In general, the protocol can be defined for an arbitrary number of parties (clients engaged in the protocol). For simplicity, we discuss the case of a two-party protocol, which can be straightforwardly generalized to an arbitrary number of participants.
The participants, usually referred to as Alice and Bob, have a common contract upon which they decide to commit, or not. The commitments are traditionally done by simple signatures: having a text of the contract with Bob’s signature stamped on it, Alice can appeal to the authorities (the Judge), which in turn declares the document valid (i.e., binds the contract). In other words, having Bob’s signature gives Alice the power to enforce the terms of the contract. Consequently, signing his name on a copy of the contract means that Bob commits to the contract. The aim of a contract signing protocol is that either both clients obtain each others’ commitments or none of them do (the protocol is said to be fair). Further, if both clients follow the protocol correctly, both of them can obtain each others’ commitments with certainty (the protocol is then said to be viable).
If only Alice has a copy with Bob’s signature (i.e., only Bob is committed), she can later in time choose to either enforce, or not, the terms of the contract. Bob, however, has no power whatsoever: his future behavior is determined solely by Alice’s decisions. For example, Alice may have a document with Bob’s signature on it, declaring that he would buy a car from her, for a fixed amount of money. Knowing that only she has such a document, Alice can continue to negotiate the price of her car with other potential customers: in case she obtains a better offer, she is free to discard Bob’s offer and thus is able to earn more money. Bob does not have such an option: if Alice does not obtain a better offer, she can always force Bob to buy the car from her, by showing to the authorities the contract signed by Bob. Having no proven commitment (signature) from Alice, Bob cannot enforce the contract himself and is thus unable to prevent Alice from such behavior, which puts him in an unfair situation.
Achieving fairness is trivial when clients meet up and simultaneously sign copies of the contract, thus both obtaining each others’ commitments. Unfortunately, doing so when the clients are far apart, e.g., over the Internet, is difficult: indeed, sending his signed copy to Alice gives Bob no guarantee that he will obtain one from Alice; on the other hand, obtaining a signature from Alice before actually sending his gives Bob the advantage of having Alice’s commitment without committing himself.
It has been shown [10,14] that the fairness of a contract signing protocol with spatially-distant clients can be achieved only by introducing a trusted third party, usually referred to as Trent, during the phase of exchanging clients’ commitments. Trent’s role is to receive clients’ commitments and perform the exchange only upon obtaining signed copies of the contract from both clients. However simple and straightforward this solution may seem, it has a drawback, as Trent (in practice, a trusted agency accredited by the State that offers its time and resources for the exchange of money, e.g., public notaries) may be expensive. Therefore, the need for protocols using third parties as little as possible arises. Some contract signing protocols [15,16,17] do not require a trusted third party, but use a number of transmissions to send the pieces of signatures, or the partial information required to obtain the complete signature, in each message. Another possible way out is to design optimistic and/or probabilistic protocols.
In optimistic contract signing protocols [18], the exchange of commitments is, unless something goes wrong, executed solely by Alice and Bob. Only in case communication between the clients is interrupted (malfunction of the network, etc.), a trusted third party is involved [19]. In probabilistic protocols [20,21], by exchanging messages between each other, clients increase their probabilities to bind the contract. To be (probabilistically) fair, such protocols have to ensure that at each stage of the information exchange, the probabilities to bind the contract of both clients can be made arbitrarily close to each other (no client is significantly privileged). One such protocol is [21], for which the symmetry between the clients’ positions is strengthened by the requirement that the joint probability that one client can bind the contract, while the other cannot, can be made smaller than any given
. Finally, there is both a probabilistically fair and optimistic solution, with an optimal number of exchanged messages [20] for which even a stronger fairness condition is satisfied: the conditional probability that a client cannot bind the contract, when the other has already done so, can be made arbitrarily low.
Recently, a probabilistically fair and optimistic quantum protocol was presented in [22] (see a version using the simultaneous dense coding scheme in [23]). There, the trusted third party, Trent, was required to initiate the protocol and was contacted later only in case something went wrong. The protocol in [22] was also abuse-free [24], i.e., the clients cannot provide proofs of being involved in a contract signing procedure. Nevertheless, it has three important disadvantages: (i) Alice and Bob have to share the content of the contract with Trent; (ii) both clients have to be present in order to bind the contract, in case something goes wrong and Trent’s services are required; and (iii) they have to agree upon the content of the contract before the protocol initialization. In this paper, we propose an improved version of the contract signing protocol where (i) the clients never disclose the content of the contract to Trent, (ii) only one client is needed to bind the contract, and (iii) the clients can decide upon the contract after they initially contact Trent.
Regarding Point (iii) from the previous paragraph, note that often, when parties initiate business negotiations, this does not result in making a deal formalized by a contract. Thus, involving Trent, who charges for his services, might often result in the waste of clients’ resources, and Point (iii) might seem not to present a real advantage. Nevertheless, waiting for the last moment and contacting Trent only upon successful agreement and contract formulation might result in the system’s failure due to possible communication bottlenecks. Imagine the following situation. Alice and Bob negotiate buying/selling a certain product, say a security system, knowing that on a given date in the future, a big company will announce a new model with its novel performances. Obviously, the price of the model used will highly depend on the information about the new one, and Alice and Bob will only upon learning the new piece of information decide upon the final contract. The problem is, many other users may choose to make similar business contracts in the same period of time, and if they all have to only then contact Trent, this might cause a communication bottleneck and the failure of the system. Thus, being able to contact Trent in advance and then, only later, “offline” (without contacting the trusted agency) exchange the commitments might be useful, especially in “more serious” business deals including larger amounts of money.
In Section 2, we begin with the description of the contract signing protocol with all the different phases explained in detail. In Section 3, we provide the security analysis of the protocol, together with relevant numerical results. Finally, in Section 5, we present the conclusions and discuss the contributions to the area.
2. The Proposed Protocol
In the quantum contract signing proposal [22], Trent sends two strings of qubits, one to Alice and another to Bob, such that each qubit is randomly prepared in one of the four BB84 states. The commitments are done by measuring one of the two observables on all qubits given to a client: in case of accepting the contract, measurement in the computational basis is performed, while choosing to reject it, one measures in the diagonal basis. Since the two bases are mutually unbiased, as a consequence of the Heisenberg uncertainty principle, it is impossible to learn both properties simultaneously. Thus, measurement outcomes of each client serve as certificates of the commitments. In order to achieve the fairness criterion (the two commitment choices have to be the same), the measurements are done in rounds, such that only one qubit per client is measured in each round and the outcomes are exchanged. Since, in addition to qubit strings, Trent also informs Alice of Bob’s states (and vice versa), exchanging the outcomes allows clients to check each other’s honesty. In our current proposal, instead of accompanying qubits with the classical information about the other client’s states, Trent exchanges entangled pairs. As a consequence of this change, in the current protocol, the choice of which of the two observables the clients measure in each round is different, as described below.
Consider two orthonormal qubit states
and
of the computational basis
. The diagonal basis
is given by
. We also define two measurement observables:
Let the bit string M be the contract upon which Alice and Bob agree. Let h be a publicly known hash function that they also agree to use. The value
will be the only information they provide to Trent about the contract M, when and if they contact him.
The protocol is described below in three parts: (i) initialization phase, Stage I: Alice and Bob contact the trusted party, Trent, who provides each of them with different secret classical information, to be used in the later phases of the protocol; Stage II: Trent prepares and distributes the states among the clients, to be used to sign the contract; (ii) exchange phase: the clients, using the states and the information provided by Trent, ping-pong the information needed to sign the contract; and (iii) binding phase: in this phase of the protocol, any one of the clients can contact Trent with his/her results in order to obtain an authorized document declaring the hash value valid, which then validates the contract M.
Note that the exchange of classical information between Trent and the clients, in Stage I of the initialization phase, occurs over a private channel. During the rest of the protocol, the exchange of both quantum and classical information between Trent and the clients only needs to be authenticated. Classical authentication can be dealt with in a similar manner as in QKD, that is by assuming that a secret key is shared between Trent and the clients. How this key is exchanged depends on the level of security that we want to achieve: either an initial key is pre-shared (using a private channel), and then, it is enlarged using QKD (information-theoretical security); or a public key infrastructure is used (computational security). It is relatively easy to authenticate quantum information upon having classical authentication. It reduces to applying the cut-and-choose technique to verify the authenticity of quantum states exchanged, i.e., some random states are used by the clients and Trent to check whether the quantum channel was tampered with. This way, Trent discloses the description of the states over the authenticated classical channel, and the clients check if what they received is according to what was expected.
Below, we present the detailed description of the protocol.
Initialization phase: Stage I:
Parties involved: Alice, Bob, and Trent.
Input: Bit strings and of length each and randomly chosen indices from the set of indices of the rounds of the protocol, .
Communication channel: Private classical channel between Trent and the clients.
Stage I of the initialization phase consists of the following steps:
Alice and Bob contact Trent for his services and inform him about the future time, at which Trent will begin Stage II of the initialization phase.
Trent provides Alice and Bob with randomly-generated bit strings
and
, respectively, of length
each. Alice and Bob prepare the strings
and
(bit-wise XOR), respectively. Note that in order to exchange the commitments to the whole string, we have
. We define the honest observables
and
for Alice and Bob, respectively, to be measured at each step
i of the protocol (
) as:
where
is the
i-th bit of the string
and analogously for Bob’s string
. Note that the secret keys
and
are used by the clients to hide their respective honest observables from each other. As it will be clear later on, the introduction of these keys prevents the scenario of a dishonest client, say, Bob, attacking the quantum channel between Trent and Alice by measuring the correct honest observables on Alice’s qubits to obtain perfect correlations.
Trent provides Alice with a set of 2N randomly-chosen indices from the total 4N indices, . Analogously, he randomly chooses 2N indices and sends them to Bob.
Trent provides Alice with 2N bits of Bob’s secret string , corresponding to the above-mentioned 2N indices from . Analogously, he sends the bits to Bob from Alice’s secret string .
The initialization phase: Stage I ends with the following:
Alice has a -long secret bit string and a set of randomly-chosen indices from . Alice also has for all indices .
Bob has a -long secret bit string and a set of randomly-chosen indices from . Bob also has for all indices
Initialization phase: Stage II:
Parties involved: Alice, Bob, and Trent.
Input: number of entangled pairs.
Communication channel: Authenticated classical and quantum channels between Trent and the clients.
The initialization phase: Stage II consists of the following steps (see Figure 1):
- 5. Trent produces two ordered sets, each consisting of
entangled pairs (
pairs in total). Each pair of particles is in the state
. He sends one particle from each pair of the first set to Alice, and from the second set to Bob, keeping the order of the pairs preserved. Let us denote the ordered set of
particles given to Alice by
and those given to Bob by
. The two ordered sets kept by Trent, each consisting of
particles entangled with particles sent to Alice and Bob, are denoted by
and
, respectively. We would like to note that the use of ordered sets was previously proposed in [3], later called the block transmission technique, crucial to quantum secure direct communication.
- 6. According to the set of indices sent to Bob, , Trent divides into two ordered subsets of particles each: and , with the indices corresponding to the particles . Note that the original positions in of each particle from and are preserved. In other words, for each particle from and , Trent knows its position in and, hence, with which particle in it is entangled. The same is done with particles from , entangled with those in , obtaining and .
- 7. Trent sends the ordered subsets and to Bob and Alice, respectively, each consisting of 2N particles. The particles in and are entangled with the corresponding particles ( of them) in the sets and , given to Alice and Bob, respectively. Note that knowing the indices , Alice knows which particle from is entangled with of the particles in ; and analogously for Bob. Trent keeps the subsets and to himself, to be used during the binding phase.
The initialization phase: Stage II ends with the following:
Alice has an ordered set of particles, entangled with particles kept by Trent, , and additional particles that are given to Bob, . She has another ordered set of particles, entangled with particles given to Bob, chosen from according to .
Bob has an ordered set of particles, entangled with particles kept by Trent, , and additional particles that are given to Alice, . He has another ordered set of particles, entangled with particles given to Alice, chosen from according to .
Trent keeps two ordered sets of particles each, and , entangled with particles from and , respectively.
Exchange phase:
Parties involved: Alice and Bob.
Input:
The particles and indices Alice and Bob obtained at the end of the initialization phase.
, the hash value of the contract M to be signed, obtained using publicly known function h.
and for Alice and Bob, respectively.
Communication channel: Unauthenticated classical channel between the clients.
The exchange phase (see Figure 2) consists of
rounds. In each round, a client, say Alice, has a particle from
, on which she measures
, with
, and sends the results to Bob. In addition to this, in
rounds labeled by
, Alice measures
on the corresponding particles from
. Note that Alice knows
, and therefore, she knows
. Since Alice knows that those particles are entangled with Bob, she uses her measurement outcomes to compare them with the results received from Bob, thus checking his behavior. Bob performs his measurements analogously. These two kinds of measurements are shown in Figure 3.
- 8. At the beginning of the exchange phase, Alice and Bob are in possession of
particles each. Alice has
particles denoted by
and
particles by
, and analogously for Bob. On the
particles from
, Alice measures her honest observable
, with
. Bob measures
on his corresponding particles from
. Their measurement outcomes form ordered sets of binary results
and
respectively, where:
We use
to denote Alice’s measurement results on the particles from
(
of them) that are entangled with
(kept by Trent) and
to denote her measurement results on the rest of the particles from
(
of them) entangled with
(given to Bob); and analogously for Bob’s results,
and
. They send these results to each other, one-by-one: if Alice starts first: in the i-th step of the exchange, she sends to Bob her result
, then Bob sends to Alice his result
, and so on.
- 9. For each round
for which there exists
, such that
, Alice measures
on the corresponding particle from
, to obtain
(see Figure 3). If Bob indeed measured his honest observable
, then his measurement outcome will match Alice’s,
. In the presence of noise, Alice applies a statistical test to verify if Bob provided enough consistent results (see Appendix A.1.2). In case
, Alice uses Bob’s result
for the optional binding phase, when Trent confronts Alice’s information about
with his own measurement outcomes. The same is done by Bob upon receiving
from Alice. Then: (i) if all measurement outcomes,
(
of them for each client), are found to be consistent by the end of the communication at step
, both clients will, during the binding phase, obtain with certainty the certified document from Trent that allows them to acquire a signed contract from the authorities (see the description below of the binding phase); (ii) if one of the clients suspects dishonest behavior, the communication is stopped, and they measure their honest observables on all remaining qubits and proceed to the binding phase.
The exchange phase ends with the following: If no cheating occurred, Alice and Bob both obtain their own, as well as each others’ results, and . In case the communication was interrupted at step m, a client, say, Alice, ends up with all of her own results and those received from Bob by the step m (note that those do not necessarily need to be obtained by actually performing measurements on qubits).
Binding phase:
Parties involved: Trent and a client, say, Alice.
Input:
The sets and of particles kept by Trent.
The sets of Alice’s measurement results, , and those sent to Alice by Bob, . Note that in the case of Bob’s cheating, might contain the wrong values, and in case the communication was interrupted at step m, it is only a partial set of results. For simplicity, we use the same symbol for both sets of “honest”, as well as “dishonest” results.
, the hash value of the contract M to be signed, obtained using publicly-known function h.
A publicly-known distribution to choose the acceptance rate .
Communication channel: Private classical channel or in person.
The binding phase (see Figure 4) consists of the following step:
- 10. During the binding phase, a single client, say Alice, presents her results to Trent in order to bind the contract, to receive a certified document, signed by Trent’s public key, declaring valid the hash value . Having such a certificate, Alice can appeal to the authorities to enforce the terms of the contract M: she presents the contract M and the signed document declaring the value valid, so that the authorities can verify that indeed (note that the function h is publicly known). As pointed out in the Introduction, Trent is an agency accredited by the State (e.g., public notaries). To bind the contract, Alice provides the string to Trent and presents her results , as well as those obtained from Bob, (if the protocol was interrupted before its completion, Alice will guess the rest of Bob’s outcomes; see Appendix for details). Knowing , Trent computes and . Trent thus measures the honest observables on N randomly-chosen qubits from the subset and on another N randomly-chosen qubits from (the other particles are kept for binding the contract for Bob, if requested). He also chooses independently at random , according to some publicly-known distribution . Trent will give to Alice a certified document declaring the hash value valid (“bind the contract for Alice”) if the results and satisfy the following two conditions:
- 10a. at least a fraction of N Alice’s results from is equal to Trent’s results on the corresponding entangled N particles from , and
- 10b. at least a fraction of N Bob’s results from is equal to Trent’s results on the corresponding entangled N particles from .
The binding phase ends with the following: In case Trent finds Alice’s results consistent with his, she receives an authorized document from him declaring the hash value valid, which then allows her to obtain the certified copy of the contract M, for which .
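The binding test of steps 10a and 10b can be simulated at the level of measurement statistics; the following is an added example, not code from the paper. It assumes SHA-256 in counter mode as h, that a bit value of 0 or 1 selects the computational or diagonal basis, that same-basis outcomes on a pair coincide, a noiseless channel, and a fixed acceptance rate of 0.9; all names are hypothetical.

```python
import hashlib
import random


def hash_bits(contract, n_bits):
    """h(M) as n_bits bits: SHA-256 in counter mode (assumed instance of h)."""
    bits, counter = [], 0
    while len(bits) < n_bits:
        digest = hashlib.sha256(counter.to_bytes(4, "big") + contract).digest()
        bits.extend((byte >> k) & 1 for byte in digest for k in range(8))
        counter += 1
    return bits[:n_bits]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


class Setup:
    """Initialization plus honest measurements, seen from Trent's side."""

    def __init__(self, n, contract, seed):
        self.n, self.rng = n, random.Random(seed)
        rounds = 4 * n
        h = hash_bits(contract, rounds)
        self.key, self.basis, self.result, self.trent_pos = {}, {}, {}, {}
        for c in "AB":
            # Stage I: Trent's secret string for client c.
            self.key[c] = [self.rng.randrange(2) for _ in range(rounds)]
            # Honest observable per round (assumed mapping: bit 0 selects the
            # computational basis, bit 1 the diagonal basis).
            self.basis[c] = xor(h, self.key[c])
            # One half of a maximally entangled pair gives a uniform outcome.
            self.result[c] = [self.rng.randrange(2) for _ in range(rounds)]
            # Stage II: 2N of c's particles pair with Trent; N are reserved
            # for binding for Alice, the other N for binding for Bob.
            pos = self.rng.sample(range(rounds), 2 * n)
            self.trent_pos[c] = {"A": pos[:n], "B": pos[n:]}

    def trent_measure(self, owner, i, trent_basis_bit):
        """Same basis: Trent's outcome equals the client's (assumed labelling
        of the pair state). Different basis: an independent fair coin."""
        if trent_basis_bit == self.basis[owner][i]:
            return self.result[owner][i]
        return self.rng.randrange(2)


def received_until(setup, sender, m):
    """sender's results as held by the other client when the exchange stops
    at step m: true values for rounds before m, guesses afterwards."""
    true = setup.result[sender]
    return true[:m] + [setup.rng.randrange(2) for _ in range(len(true) - m)]


def bind(setup, claimant, claimed_contract, own, other_results, alpha):
    """Tests 10a and 10b: agreement fractions on the N reserved particles."""
    other = "B" if claimant == "A" else "A"
    h = hash_bits(claimed_contract, 4 * setup.n)
    fractions = []
    for owner, reported in ((claimant, own), (other, other_results)):
        trent_basis = xor(h, setup.key[owner])
        hits = sum(
            setup.trent_measure(owner, i, trent_basis[i]) == reported[i]
            for i in setup.trent_pos[owner][claimant]
        )
        fractions.append(hits / setup.n)
    return all(f >= alpha for f in fractions), fractions


# Constructed sample contract text.
CONTRACT = b"constructed sample contract: Bob buys Alice's car"


def scenario(m, claimed=CONTRACT, n=400, alpha=0.9, seed=7):
    """Alice asks Trent to bind after the exchange stopped at step m."""
    s = Setup(n, CONTRACT, seed)
    bob_seen = received_until(s, "B", m)
    return bind(s, "A", claimed, s.result["A"], bob_seen, alpha)


if __name__ == "__main__":
    for m in (0, 800, 1400, 1600):
        print("stopped at step", m, scenario(m))
    print("different contract claimed", scenario(1600, b"constructed other text"))
```

Stopping the exchange early leaves Alice guessing Bob's remaining results, so her agreement fraction on Bob's particles falls towards one half and the bind is refused; claiming a hash other than the one measured against lowers both fractions.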
3. Security Analysis
In our protocol, a cryptographic hash function h is used to map contract M to a bit string of fixed size
. Had Trent possessed an infinite computational power, he would be able to find the collisions, among which one message would be the contract M. Nevertheless, the problem of finding collisions for existing cryptographic hash functions (such as SHA256 and others) is not based on any mathematical or number theoretical conjecture, such as the hardness of factoring, but on the fact that the hashing function is highly irregular and non-linear. Its security is at the same level as that of symmetric cryptography (such as AES), which is assumed to be beyond the capacity of quantum technologies to attack, and moreover, AES is actually used in current commercial QKD services. Furthermore, note that at the time this paper was written, not a single collision had yet been found for SHA256, even between two meaningless texts, and so, finding collisions for a given fixed text is not foreseeable. Google used more than
hashes to find a meaningless collision of SHA1 [25], and SHA256 is considerably harder than SHA1. Finally, it is worthwhile noticing that the assumption that there exists an unbreakable hash function, the so-called random oracle model, is quite common, even when quantum information and computation is available [26]. In addition, having such computational power would also allow a cheating client (say, Bob) to find collisions as well, thus potentially giving him the opportunity to bind a different contract
, for which
. Nevertheless, given a particular hash function h, the probability is negligible that other collisions different from the contract M would still represent meaningful contracts, let alone contracts that would be favorable to Bob.
Let us define the following probabilities for Alice to pass the above tests (a) and (b), in case the communication was interrupted at step m,
and
can be analogously defined as Alice’s probabilities to pass Tests (a) and (b). Additionally, we define Bob’s probability to pass Alice’s verification test on the results
(see Step (5) of Section 2) received from Alice by step m, as:
and analogously
for Alice.
It is easy to verify that, in the noiseless scenario, the protocol is optimistic. If both clients follow the protocol honestly till the end, both of them are able to enforce the contract: Alice will have all the consistent results for her own, as well as Bob’s qubits, allowing her to bind the contract with probability one (the same happens for Bob).
To analyze the probabilistic fairness quantitatively, we introduce the so-called probability to cheat, along the lines of the similar quantity analyzed in [22]. By
, we denote the probability that Bob passes Trent’s tests and can thus bind the contract, if the communication is interrupted at step
m of the protocol, for a given choice of
; and analogously for Alice. To reach step
m, both clients have to pass each others’ verification, which is given by the probability
. Bob’s probability to cheat at step
m, for a given
, is defined as the probability that he can bind the contract, while Alice cannot, multiplied by the probability to reach step
m:
Note that the above probabilities also depend on the particular distribution of entangled pairs, denoted as “configuration ”, given by probability , and in the case of a dishonest client, the cheating strategy. Furthermore, both the above, as well as any probability evaluated (with the exception of ) depend on N; therefore, we omit writing it, as it is implicitly assumed. Nevertheless, the dependence on configuration is relevant in calculations, and below, we analyze it in detail.
As prescribed by the protocol, Trent gives
qubits to Alice:
qubits from
and
from
(see Figure 5), together with their relative positions. Analogously, Bob receives
qubits from
and
. We assume that all the classical communications between Trent and clients are private and authenticated, based on, say, pre-shared symmetric key schemes. After the communication has stopped at step
m, out of the
qubits to measure from
and
, Alice and Bob will be left with
and
unmeasured qubits, respectively, with
. Note that, among the
and
qubits, not all will be used by Trent to bind the contract for Alice and Bob. In fact, the qubits that are entangled between Alice and Bob are irrelevant for their binding probabilities. They are used by the parties to check each others’ honesty. Let then
be decomposed into
and
, the qubits entangled with those held by Trent and by Bob, respectively. Analogously, let
be decomposed into
and
. Therefore:
In order to bind the contract, a client, say Bob, has to present his own measurement results, as well as those obtained from Alice. Then, Trent checks if they are correlated with those obtained on qubits in his possession. Unlike the previous proposal [22], in which both clients had to be present and show their results to Trent in order to both obtain signed contracts during the binding phase, in the current protocol, Bob does not need Alice to be summoned in order to bind the contract (and vice versa). Since the protocol should be symmetric to both clients, it should allow that they both, separately, are able to bind the contract. For this reason, when binding the contract to, say Bob, Trent does not check all of his results from
and
for qubits entangled with
and
, respectively. Note that to check Bob’s results, Trent has to measure the honest observables
and
on his qubits, he obtains using the
provided by Bob. Therefore, if both clients were using the same sets of qubits (entangled with those in Trent’s possession) to bind the contract separately, a dishonest Bob would have a trivial successful cheating strategy. He measures his honest observables given by the mutually-agreed contract
M, which allows him to bind that contract. Nevertheless, in case he later decides not to comply with it, he simply provides Trent with a random
. As a consequence, Trent’s results will be uncorrelated with both Bob’s, as well as Alice’s results, i.e., neither client would be able to bind the contract
M. This is precisely the reason for checking only
N out of
qubits from
and
, each.
Thus, Trent’s qubits are each divided into two equal subsets of the same size,
and
: the sets with the
subscript are used for binding the contract to Alice, while those with
for Bob. Consequently, we have
and
(see Figure 5).
The overall configuration
of the entangled pairs distributed between Alice, Bob, and Trent is given by six numbers,
Therefore, Bob’s probability to cheat, given by Equation (5), now written with the explicit dependence on the configuration
, is:
Averaging the “constituent” probabilities from the above equation over their respective configurations from
gives:
where
represents the expectation value of
over the values of
ℓ. To simplify notation, in the following, we will use
and
, and analogously for the other four probabilities from the right-hand sides of the above three equations.
Hence, with Bob’s probability to cheat, averaged over all configurations
,
we have the expected probability to cheat as:
For honest clients that follow the protocol, the above probability is determined by the steps prescribed by the protocol (the “honest strategy”). In case a client, say Bob, does not follow the protocol, the above probability depends on the “cheating strategy” of a dishonest client. It turns out (see Appendix A.2) that the quantum part of the honest and the optimal cheating strategies is the same, i.e., the (quantum) measurements performed by a cheating Bob are the same as that of an honest one, given by his honest observables
. In other words, the best a cheating Bob can do is to send to Alice the wrong results determined by a frequency f. This is a consequence of the fact that Bob does not know which of the qubits given to him are used to bind the contract by Trent and which to check his honesty by Alice (for details, see Appendix A.2).
In Appendix A.1, we derive the explicit expressions for the expected probability to cheat (11) for honest clients that follow the protocol, in the ideal noiseless case (Appendix A.1.1), as well as for noisy environments (Appendix A.1.2), thus showing the soundness of the protocol. In Figure 6a,b,d,e, we present the values of the maximal expected probability to cheat as a function of the total number of photons for the values of
up to 6000. In both cases (as well as for the case of a cheating client discussed below), the results are obtained for the uniform
on the intervals
,
, and
, and with a noise parameter
. The observed dependence
is confirmed by the proof of the asymptotic behavior,
(see Theorem A1 from Appendix A.1.1).
In Appendix A.2, we evaluated the corresponding probabilities for the case of a cheating client who deviates from the protocol, in the presence of noise. In Figure 6c,f, we plot the values of the maximal expected probability to cheat against
, for the optimal cheating strategy, showing the same dependence
. Further, in Appendix A.1 and Appendix A.2, we analyze the decrease of the expected probabilities to cheat in case the cheating strategy deviates from the optimal values of m or f.
The results presented in Figure 6 are obtained for a fixed value of the noise parameter
. By increasing the noise, more and more “wrong” results are going to be obtained, such that even honest participants will either interrupt the communication during the exchange phase or will not be able to bind the contract with Trent. The figure of merit here is the final average probability to bind obtained for
, given by Equations (A26)–(A28) from Appendix A.1.2 (note that, if upon exchanging all the messages, clients have high enough probability to bind the contract, then they would also be able to pass each others’ tests during the whole exchange phase with equally high probability).
Thus, for a fixed number of rounds, , range of , and its probability distribution , one can straightforwardly obtain the threshold values for the noise parameter , both for the honest noisy, as well as for dishonest noisy cases (note that such threshold values depend on predetermined security level, i.e., the lower bound for the binding probability set by the users).
While such quantitative numbers can straightforwardly be obtained using the analysis presented in the paper, they would not be very informative. Namely, what one should do is to, given the noise level (given ), determined by the actual implementation setup, optimize the rest of the relevant parameters ( and its range). While conceptually, this is possible to do, it is clearly exceptionally demanding regarding the computational resources (note that in our analysis, we probed only three ranges and only the simplest uniform distribution). Our paper is more of a proof of a concept, rather than the final analysis, which, as mentioned, is strongly implementation dependent.
Therefore, considering our limited computational power and the fact that the presented threshold values for would probably differ from the ones to be obtained by optimizing the parameters of actual implementations, we decided to omit such numerical analysis. Note that the above discussion also applies for the cheating probability: to obtain the optimized cheating probability levels, one should vary all the relevant parameters. Nevertheless, while it is obvious that the binding probability will decrease as the noise increases, it was not at all obvious that it is even possible to establish upper bounds for the cheating probability, such that it can be made arbitrarily low.
The techniques presented in our paper use the “brute force” numerical approach in obtaining the final quantitative results (with the exception of our analytic proof of the asymptotic behavior given in Theorem A1 from Appendix A.1.1), which do not allow for drawing qualitative insights. Developing more closed analytic expressions for the final binding and cheating probabilities that can be analyzed beyond the final numerical values would be an interesting topic of future research.