“Smart contracts” are a form of code, in the context of cryptocurrency and blockchain platforms, that is used to enforce security properties of multi-agent protocols. Often these protocols are for processes for which trust amongst the agents would typically have been provided through the use of legal contracts. The emergence of the area of “smart contracts” has given renewed motivation to study the formal representation of legal reasoning and legal processes. In the present paper, we consider questions of knowledge representation pertinent to a particular legal process: contract signature.
In formation of legal contracts between two or more parties, all parties to the contract are required to sign in order for the contract to be considered valid. In some sensitive situations, this requires a physical meeting of the parties so that copies of the contract can be signed and immediately exchanged for co-signature. An example of such a sensitive situation is where one party may gain advantage in a negotiation with a third party by presentation of a partially signed contract. It is also frequently desirable to establish a state of common knowledge amongst the parties that the contract has been signed and that the signers were authenticated: a physical signing ceremony achieves this goal.
However, physical meetings present the difficulties of scheduling of the participants and travel costs. In practice, therefore, the parties frequently allow the contract to be considered valid when each of the parties has signed a distinct copy. This is referred to as the document being signed “in counterparts”, and is considered legally valid in many jurisdictions. In some cases there is the additional requirement that the contract is not valid until the signed copies have been delivered to the parties.
The question we address in this paper is the following: when a party signs its copy of a contract that may be signed in counterparts, just what, logically, is the commitment that they are making in doing so? They are not assenting that they are bound by the terms of the contract, since that depends on the other party or parties to the contract also signing. A better characterization would seem to be the conditional assertion “I assent to be bound by the terms of this contract provided that the others do also”. We show that a naive way to capture this conditional logically does not suffice to validate the contract. We argue that a better understanding can be obtained by treating the contract as making a self-referential statement: “This contract may be signed in counterparts”, that one does indeed find in the natural language text of many actual contracts.
The problem that then arises is how to make logical sense of such self-reference, given that attempts to introduce self-reference into logic are fraught with paradox. We solve this problem by developing a logical treatment that allows self-reference without falling into inconsistency. We give a number of axioms and a model theoretic semantics that validates these axioms. We then proceed to show that the axioms allow a formal account of the reasoning by which a contract signed in counterparts becomes valid. We go on to study some further properties of the semantics, arguing that it supports the conclusion that our account of signing in counterparts does not just lead the parties to agreement that the contract is valid, but in fact to a common knowledge-like state of mutual agreement. This is a much stronger conclusion, which may be questionable in the context of asynchronous or unreliable communication. However, we argue that the conclusion is justifiable under some interpretations of the logic that involve use of trusted third parties or a blockchain to register the signatures.
2 A Logic
The logic is based on a sort of terms in some term algebra . We write for a generic term. A subset of atomic terms (i.e., nullary operators) , with generic elements , is used to represent agents. The term algebra has a sub-algebra of formulas with generic element . Terms not in this subalgebra, constructed using some set of operators in addition to the operators used for formulas (given below) , represent application specific content that is not purely logical, but may still be signed and may contain logical content. Formulas are defined inductively, with basis a set of atomic terms, representing atomic propositions, with generic element . Formulas are closed under boolean operations: if , and are formulas, and is a term, then (using infix operators), , and are also formulas, representing the usual boolean constructs of negation and conjunction. Other boolean constructs such as and can be treated as abbreviations for formulas in the language in the usual way. Furthermore, there is also a set of operators constructing modal formulas: and and .
Intuitively, expresses that term “entails” formula . In general, terms may represent both logical and non-logical content. For example, a term representing a contract may contain non-logical information such as a date of creation, the names of the parties, as well as logical content in the form of clauses that capture the consequences of the contract. The latter would correspond to the formulas such that .
The formula expresses that agent has “signed” term . Intuitively, this means that has applied one of its private signature keys to (a serialisation of) the term , and that other parties who know that the corresponding public verification key is associated to can verify that the signature is valid. Authentication of here might be simply because identity is semantically represented as identical to the public key, or because the association of to the public verification key is attested by a trusted certification authority. In the present paper, we assume that the logic abstracts from such details. Note that we permit an arbitrary term to be signed, not just a formula.
Finally, expresses that agent “says” formula . Intuitively, this means that is committed to and its logical consequences, from a moral or legal perspective, and that there exists evidence in the form of cryptographically signed messages, using which, such commitment can be proved.
The logic has the following axiom schemas and rules of inference. In the following, are formulas, is a term and are agents. We write to mean that is derivable from axioms using the rules of inference given.
All substitution instances of tautologies of propositional logic
Rules of Inference:
and implies .
Note that axiom 3 and rule 2 together state that “” is a normal modal operator for each term . Similarly axiom 5 and rule 3 together state that “” is a normal modal operator for each agent . Axiom 2 says that a formula (as a term) entails itself. (Entailments of non-formula terms are application specific and are not constrained by the logic.) Axiom 6 can be understood as stating that signed messages are indisputable, in the sense that if agent has signed then agent must say that signed — agent is unable to deny that the signature exists.
The logic can be given a Kripke style semantics as follows. We assume a signature in the form is given, where is the term algebra, is the set of atomic terms that are agent names, is the (disjoint) subset of atomic terms that are atomic propositions, and is the sub-algebra of formulas. A model for signature is a tuple , where
is a set, whose elements are called worlds,
is a relation, such that represents that agent has signed term ,
is a relation, such that represents that world is consistent with the information entailed by term ,
is a relation, such that represents that world is consistent with the information said by agent ,
is an interpretation that associates each world with the set of atomic propositions holding at the world.
We assume that for formulas , we have implies . We do not assume that the set of for which is non-empty. Intuitively, we allow that an agent says an inconsistency, in which case no worlds are consistent. We do require the following technical constraint, which essentially expresses axiom 4 semantically: if then implies . Intuitively, if agent has signed then any world consistent with what says must be consistent with the entailments of term .
The semantics of the logic is given by a relation of satisfaction , where is a model, is a world of and is a formula. This relation is defined recursively by
, for , when ,
if not ,
if and ,
if for all such that ,
if for all such that .
The axiom schemas and rules of inference are sound.
Proof: Axiom 1 and rule 1 are immediate from the fact that the boolean operators in formulas have their usual semantics. Axiom 2 is direct from the assumption that implies . Axioms 3, 5 and rules 2 and 3 follow in the usual way from the fact that the operators and have been given a standard Kripke semantics using relations and .
Axiom 4 follows from the constraint that if then implies . For, suppose . From we have that . Let be any world such that . By the constraint, . Thus, from , we get . We have shown that for all with , we have . Thus, .
For axiom 6, suppose that . Then . Let be any world with . Then , by . Thus, for all with , which is equivalent to .
We discuss some further axioms that are sound with respect to the semantics in Section 7, but we make no attempt in this paper at completeness: our principal concern is to develop a minimal set of axioms that support our main focus of reasoning about counterpart signatures.
4 Representing Counterpart Signatures
Suppose that and wish to sign an agreement whose meaning is captured by the formula .
An approach that does not work is for and to independently sign , i.e., and . By axiom 2 we have , and by 4, we have, for all agents , that . Taking , we can then derive and , so that both and are committed to the contract. The problem with this is that once obtains the signed message supporting , party has evidence proving , without themselves being committed to the contract. We do not wish to have committed to the contract until also has committed.
We could try to make the version of the document that signs conditional on having signed, and vice versa:
The problem with this is that it does not allow us to derive and . By 4, we can derive
However, this is too weak: these assertions have a model in which neither nor .
Suppose is the atomic proposition , and let , be a model with ,
, , and defined by and
. We take to be an arbitrary relation satisfying the necessary constraints, since it does not play a role in any of the formulas we consider.
Note that for all worlds , we have , and . Moreover,
we have and , since and .
It follows that and , since the antecedent of the implications in these “says” formulas is false.
Hence all the assumptions of the proposed approach to counterpart signatures hold, but the desired conclusion that does not.
As an alternative to relying on the statements made by the parties, our resolution of the problem is to make the contract itself assert that it is valid if signed by both parties. This requires allowing the contract to be self-referential. We develop the solution first in the abstract, and propose a specific concrete syntax and semantics for self-reference in the next section. For our abstract presentation, it suffices to capture self-reference by means of an assumption about the entailment relation . Let a term representing the contract itself, and let be a formula capturing the logical content of the contract once it is valid. We assume that the following holds:
Intuitively, this says that the contract entails that, once both and have signed it, holds.
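The following is an added example, not part of the paper: a small model checker for the Kripke-style semantics of Sections 2 and 3, used to replay the two halves of the Section 4 argument. The first constructed model is a one-world countermodel for the naive approach (each party signs an implication whose antecedent is the other party's signature on the bare contract content); the second is a model in which a non-logical contract term `c` entails "both signed c implies p" and both parties sign `c`. Formula encodings, world names and the choice of relations are my own assumptions; the entailment and says relations are taken as sets of worlds, as the prose of Section 7 indicates they are world-independent.

```python
# Added example (not from the paper): a model checker for the semantics of
# Sections 2-3.  Formula syntax (tuples): ('atom', p) ('not', f) ('and', f, g)
# ('signed', a, t) ('entails', t, f) ('says', a, f).  Terms are formulas or
# plain strings naming application-specific content such as a contract.
from dataclasses import dataclass


def imp(f, g):
    """f -> g as the usual abbreviation not(f and not g)."""
    return ('not', ('and', f, ('not', g)))


@dataclass
class Model:
    worlds: set
    signed: set      # pairs (agent, term): the signature relation
    entails: dict    # term -> set of worlds consistent with the term's content
    says: dict       # agent -> set of worlds consistent with what the agent says
    val: dict        # world -> set of atomic propositions true at that world

    def worlds_for_term(self, t):
        # A formula used as a term defaults to the worlds where it holds, the
        # largest choice allowed by the 'a formula entails itself' constraint.
        if t in self.entails:
            return self.entails[t]
        if isinstance(t, tuple):
            return {w for w in self.worlds if sat(self, w, t)}
        raise KeyError(f"no entailment relation given for term {t!r}")


def sat(m, w, f):
    """Satisfaction M, w |= f, following the clauses of Section 3."""
    kind = f[0]
    if kind == 'atom':
        return f[1] in m.val[w]
    if kind == 'not':
        return not sat(m, w, f[1])
    if kind == 'and':
        return sat(m, w, f[1]) and sat(m, w, f[2])
    if kind == 'signed':          # world-independent, hence a 'global' formula
        return (f[1], f[2]) in m.signed
    if kind == 'entails':
        return all(sat(m, u, f[2]) for u in m.worlds_for_term(f[1]))
    if kind == 'says':
        return all(sat(m, u, f[2]) for u in m.says[f[1]])
    raise ValueError(f"unknown connective {kind!r}")


def valid(m, f):
    """f is valid in the model when it holds at every world."""
    return all(sat(m, w, f) for w in m.worlds)


def well_formed(m):
    """The two semantic constraints of Section 3: an explicitly given formula
    term entails itself, and a signed term bounds what its signer says."""
    for t, ws in m.entails.items():
        if isinstance(t, tuple) and not all(sat(m, u, t) for u in ws):
            return False
    return all(m.says[a] <= m.worlds_for_term(t) for a, t in m.signed)


P = ('atom', 'p')      # the logical content of the contract (constructed)
A, B = 'A', 'B'


def naive_countermodel():
    # Constructed countermodel in the spirit of Section 4: A signs
    # "B signed p -> p", B signs "A signed p -> p", one world where p is false.
    tA, tB = imp(('signed', B, P), P), imp(('signed', A, P), P)
    m = Model(worlds={'w0'}, signed={(A, tA), (B, tB)},
              entails={tA: {'w0'}, tB: {'w0'}},
              says={A: {'w0'}, B: {'w0'}}, val={'w0': set()})
    assumptions = all(valid(m, ('signed', a, t)) for a, t in m.signed)
    return (well_formed(m), assumptions,
            valid(m, ('says', A, P)), valid(m, ('says', B, P)))


def counterpart_model():
    # Constructed model for the resolution: contract term 'c' entails
    # "(A signed c and B signed c) -> p", and both parties sign c.
    clause = imp(('and', ('signed', A, 'c'), ('signed', B, 'c')), P)
    m = Model(worlds={'w0', 'w1'}, signed={(A, 'c'), (B, 'c')},
              entails={'c': {'w0'}}, says={A: {'w0'}, B: {'w0'}},
              val={'w0': {'p'}, 'w1': set()})
    both_say_p = ('and', ('says', A, P), ('says', B, P))
    return (well_formed(m), valid(m, ('entails', 'c', clause)),
            valid(m, both_say_p), valid(m, ('says', A, ('says', B, P))))
```

In the first model the signature assumptions hold but neither party says p; in the second, the self-referential entailment forces both to say p, and A even says that B says p, the first step of the mutual-agreement reasoning of Section 7.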
5 A syntax and semantics for self-reference
We now develop a specific syntax and semantics for self-referential terms. We extend the term algebra so that terms contain a set of atomic terms called variables, with generic element . There is also a binary operator , which when applied to a variable and a term produces a term written . Intuitively, says that in the context of , the term may be referred to as . For technical reasons, explained below, the variable may appear only inside “syntactic contexts”. These are defined to be subterms in subterms of of the forms for some agent , or for some formula . Intuitively, these contexts are syntactic in the sense that they do not require semantic interpretation as formulas.
An occurrence of a variable in a term is said to be free if it is not inside any term of the form . A term is ground if it contains no free occurrences of any variable. We restrict the term algebra to ground terms.
If is a formula, we treat also as a formula. The semantics is extended by
That is, holds if holds, with the term substituted for free occurrences of in . In effect, this makes such occurrences equivalent to a reference to the formula .
This semantics may appear to be viciously recursive, making the interpretation of depend on the semantics of a formula that may itself contain the subformula . However, we note that the syntactic restrictions adopted prevent this from arising. Recall that the variable may occur only in terms appearing in subformulas of of the forms for some agent , or for some formula . The semantic clauses for these cases refer to the relations and in a way that treats syntactically, without further decomposition that would result in a reinvocation of the semantic clause for . The recursion is therefore not vicious.
A more serious problem would occur if we were to allow to occur more generally. For example, is essentially the famous “Liar Paradox” [BGR19], since it effectively states “This formula is false”. Applying the above semantics would yield iff iff not , making the semantics itself inconsistent!
In an effort to give the most general possible solution to the Liar, for languages containing a truth predicate, a variety of approaches have been proposed, including hierarchies of languages and meta-languages [TAR56], fixed point semantics [KRI75], or use of non-standard set theories [BE87]. The scope of these approaches is significantly beyond our needs, since our logic has no truth operator. One could attempt to follow the -calculus [KOZ83] and require that occurrences of inside must be in positive position for to be well-formed. We have not pursued such approaches here because we deliberately wish to treat semantically as a term, i.e., a piece of syntax, rather than as a property, as in the -calculus.
Having introduced the new self-reference construct with the above semantics, we get a new axiom for the logic:
8 is valid.
Direct from the semantics.
6 Application of self-reference to counterpart signatures
In Section 4, we already gave the structure of the argument that individually signed copies of a contract serve to commit the agents to the logical content of the contract. That argument assumed that satisfies the formula . We now show that the syntax and semantics for self-reference developed above enables us to display a particular contract for which this formula is indeed a validity of the logic.
Let be the formula
Then is valid.
Proof: We have the following instance of axiom 8:
It follows that we can use the particular formula to implement signature by counterpart of a contract with logical content .
Let be the formula
Then is valid.
Thus, we have the concrete self-referential formula as one example that supports signature in counterparts in our logic. Other examples are easily generated. For example, it is clear that for contracts involving a larger number of parties , the formula
7 Common Commitment
We have not attempted to prove a completeness result for our logic, but have merely developed a semantics that validates the axioms we have chosen to work with. This suffices to show that the logic is consistent, and was useful in Section 4 to show that a particular entailment does not hold. We now note one interesting property that follows from the semantics, but which might be considered controversial or undesirable for some applications. We first note some further validities with respect to our semantics.
A formula is valid in a model , written , if for all worlds of .
Say that a formula is global if for all models , either or . Intuitively, global formulas express properties of the model as a whole rather than properties that can vary from world to world of at least some models. The following states some useful technical facts concerning global formulas.
If are global, then and are also global.
is global for all .
If is global, then is valid.
Proof: For (1), it is obvious from the definition that is global if is. If are global then, in each model, these formulas take the same truth value at all worlds, so also takes the same truth value at all worlds.
For (2), note that the semantics of at a world depends only on the relation , and not on the world itself. There are two cases. If for some world , we have , then for all worlds with . It follows from this that for all worlds , i.e., . Otherwise, we have , for all worlds , so we have .
For (3) suppose is global and . By globality, in fact we must have for all
. In particular, we have for all with , i.e., .
We can now discuss some additional axioms validated by our semantics for the relation . (We remark that similar axioms apply to the relation , we do not develop these since they are less relevant to the issues we discuss below, and leave them as an exercise for the reader.)
The following axioms are valid:
These axioms can be understood as more general versions of the S5 Positive and Negative Introspection axioms familiar from epistemic logic, in the cases and . However, they are significantly stronger in that they apply to not just what an agent says about what it says itself, but also about what other agents say! Intuitively, this means that agents cannot disagree on what has been said!
Whether this is desirable is application dependent, and we do not propose that the semantics considered in the present paper is adequate for all applications. However, it can be viewed as reasonable in situations where has the interpretation that agent has committed itself to by placing its non-repudiable and publicly verifiable (cryptographic) signature on content that entails . This means that no agent can be positioned to reasonably dispute that . This provides some basis on which validity of can be considered reasonable. A similar argument might be made for implying that no agent is able to assert , since the evidence by way of signed documentation supporting this fact does not exist. Thus, it is also reasonable that is valid on this understanding. However, this is weaker than 10. That there do not exist any facts substantiating does not mean that agent knows that there exist no such facts. If what says is based on ’s incomplete view of the world, then we would assume that there are statements about what other agents have said to which is agnostic.
A stronger argument for the axioms can be made on the assumption that all signed statements that count for the purposes of the meaning of are available to all agents. One scenario where this might be the case is a setting where a central trusted agent, such as a law firm or official registry, collects and stores all signed statements, and provides any such evidence relevant to an agent upon request. Indeed, signature of contracts in counterparts often makes use of law firms for this purpose (see the discussion section below). In this event, not just positive evidence for what says, but also negative evidence, can be verified by an agent, and we have much better grounds for acceptance of the axiom .
A more secure way to realise such a scenario, particularly if there are questions about the trustworthiness or reliability of a trusted third party, would be to eliminate the use of a third party by using a blockchain to record the signed statements. (Blockchains use a variety of byzantine consensus protocols to implement an immutable ledger [NAK08, ACC+17].) In such an application could be taken to have the semantics that not only has cryptographically signed , but that the signed copy of has been recorded on the blockchain. Similarly can be interpreted as meaning that cryptographic evidence entailing that is committed to
is present on the blockchain. (There are subtleties about finality and the stability of the record that depend on the details of the consensus protocol in use by the blockchain. Some blockchains have the property that facts may be unstable, though only with negligible probability. For our purposes here we treat this as equivalent to actual stability for practical purposes.) In such an interpretation, there is a strong case for the validity of axioms 9 and 10, since a secure public record is available to all agents.
Subject to desirability of the axiom 9, we can derive some further conclusions. When is a group (set) of agents, write for the conjunction , and inductively define , where is a natural number, by and . Define the semantics of by
if for all natural numbers .
Intuitively, states that the group is in mutual agreement concerning . Not only is everyone in the group committed to (since ), but everyone agrees that everyone is committed, i.e., , and they furthermore agree that everyone agrees that everyone is committed, i.e., , and so on. This notion is very similar to the well-known notion of common knowledge from the literature on epistemic logic [FHM+95] with the exception that we do not have valid.
The following is valid:
We assume that and show by induction that for all ,
(1) is global and (2) .
The base case of follows from the assumption and the above paragraph.
Suppose that the claim holds for . For (1), note first that is , which is
global by the argument of the first paragraph. Next, for (2), by globality of , we have, for all agents , that
using Proposition 5(3).
In particular, we have this for all agents , so from
we can derive ,
Thus, when a group says , it is doing more than just the individual members agreeing to , indeed, the group is mutually agreeing to that agreement.
The conclusion of our characterization of signature in counterparts was that , where and is the logical content of the contract. Hence, according to the semantics we have adopted, it follows that , i.e., the parties to the contract are in mutual agreement about the content of the contract and the fact that they have agreed to that content. Certainly this is a desirable conclusion: problems could arise if were to accept that it is possible that the parties have agreed to the contract but they are in disagreement about whether they have agreed; one could envisage one of the agents litigating on the question of whether a valid contract has in fact been formed, in order to escape the contract. The desirability of mutual agreement may in fact underlie the historical process of gathering all parties in a single location for a signature ceremony, since such a setting, with all parties observing each other signing the contract, establishes common knowledge concerning the parties’ commitment to the contract.
Indeed, we can draw a further conclusion from . Since is global, so is , by a simple induction. Again by induction, and Proposition 5(3), we conclude from that for any group . In particular, if the group has formed a mutual agreement about , then not just the group , but in fact all of society is in mutual agreement that group has this mutual agreement! This again could be considered desirable, from the point of view of societal enforcement of contracts! On the other hand, it is reasonable that agents might be entitled to privacy concerning their contracts until and unless these come into dispute, which would argue against the reasonableness of this conclusion. However, if we interpret conditionally, as asserting that would agree to were to be presented with all the relevant (cryptographic) signature evidence in existence, then we do not have that implies knows that , and the conclusion is more reasonable.
For some applications, e.g., settings where agents do not have access to a trustworthy common source of truth about what has been signed, the conclusions of Section 7 may be considered to be too strong, and it may be desirable to move to a weaker semantics that relativizes the relations and to a world. We leave for future work the question of what, from the point of view of intuitive acceptability and the needs of applications, are the appropriate axioms beyond the ones we have used, as well as the question of what more liberal semantics supports the required axioms.
We note that these questions about the right axioms and semantics do not affect the main conclusions of the paper in Section 4 and Section 6. We have established these conclusions proof-theoretically, using only the minimal set of rules and axioms in Section 2, so these conclusions should be acceptable to anyone who accepts the correctness of these rules and axioms.
The operator is similar to the operator “says” from access control and authentication logics, which have been surveyed by Abadi [ABA08]. We note that these logics generally have our distinction (critical to keeping the semantics of self-reference simple) between and .
There exists a body of work in the cryptography literature on “contract signing protocols” [PVG03, KMZ02]. A primary goal in this area of literature is to ensure that the parties receive fully signed copies of the contract atomically, i.e., neither party has a fully signed copy until it is guaranteed that the other will also obtain a copy. Some general impossibility theorems in distributed computing imply that it is often not possible to achieve this goal without use of a trusted third party [EY80], but protocols may attempt to minimize the use of this third party in various ways, e.g., using them as a fallback in case one party attempts to cheat the other [ASW00].
This problem is different from the one we have addressed in the present paper. Agent ’s signature on the self-referential formula we have developed could very well be sufficient evidence for a third party of ’s willingness to engage in the contract. Moreover, we have assumed it is sufficient for validity of the contract simply that and , without considering the issue of who possesses the cryptographic evidence. In Section 7 we argued that the use of a trusted third party or blockchain best justifies some aspects of our semantics for . Thus, we have merely circumvented rather than solved the main problems being addressed in the cryptographic protocol literature.
In the present paper, we have been primarily concerned with developing a logical understanding of signature by counterparts. Beyond this issue, there are several concerns that affect the legal standing of the contract. Contracts often need to be not just signed but also given official standing as a contract by being ‘sealed’ (a term that derives from the historical use of wax seals for this purpose; nowadays a signature may serve the same purpose). Legislation affecting particular types of contracts may place additional requirements, e.g., use of witnesses, and registration of the contract with a registrar, who may impose particular physical forms on the contract, such as original signed copies or specific types and sizes of paper.
A report [AAH+16] by Australia’s major law firms develops general principles and three distinct protocols for remote signing of financial documents. Generally, these require signers to print and sign a paper copy of the contract and/or signature page, but allow scanned copies of these to be returned. All the protocols assume a coordinating law firm, so they use a centralised trusted third party. Statements made by the signatories in the emails by which the scanned copies are delivered address the questions of sealing and validity date of the contract. The report does not go into the general legal principles or security requirements underlying the design of these protocols, or elucidate how the protocols meet the requirements for the particular types of contract for which they are recommended. It may be interesting to pursue these questions in future work, using a formal methodology similar to that of the present paper.
- [ABA08] (2008) Variations in access control logic. In Deontic Logic in Computer Science, 9th International Conference, DEON 2008, Luxembourg, Luxembourg, July 15-18, 2008. Proceedings, pp. 96–109.
- [AAH+16] (2016-06) Remote signing protocols for financing transactions. Online: https://www.liv.asn.au/getattachment/7483f56b-ff5d-4ea9-bbf3-cf2e6cbd1864/Remote-signing-protocols---June-2016-(2).pdf.aspx
- [ACC+17] (2017) Permissioned blockchains and hyperledger fabric. ERCIM News 2017 (110).
- [ASW00] (2000) Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communications 18 (4), pp. 593–610.
- [BE87] (1987) The liar, an essay on truth and circularity. Oxford University Press, New York, Oxford.
- [BGR19] (2019) Liar paradox. In The Stanford Encyclopedia of Philosophy, E. N. Zalta (Ed.). https://plato.stanford.edu/archives/win2019/entries/liar-paradox/
- [EY80] (1980) Relations among public key signature schemes. Technical Report 175, Computer Science Dept., Technion, Haifa, Israel.
- [FHM+95] (1995) Reasoning about knowledge. The MIT Press.
- [KOZ83] (1983) Results on the propositional mu-calculus. Theor. Comput. Sci. 27, pp. 333–354.
- [KMZ02] (2002) An intensive survey of fair non-repudiation protocols. Computer Communications 25 (17), pp. 1606–1621.
- [KRI75] (1975) Outline of a theory of truth. Journal of Philosophy 72 (19), pp. 690–716.
- [NAK08] (2008-11) Bitcoin: a peer-to-peer electronic cash system. Available at https://bitcoin.org/bitcoin.pdf
- [PVG03] (2003) Fair exchange. Comput. J. 46 (1), pp. 55–75.
- [TAR56] (1956) The concept of truth in formalised languages. In Logic, Semantics, Metamathematics, pp. 152–277.