Quantum Contract Signing with Entangled Pairs

We present a quantum scheme for signing contracts between two clients (Alice and Bob) using entangled states and the services of a third trusted party (Trent). The trusted party is only contacted for the initialization of the protocol, and possibly at the end, to verify clients’ honesty and deliver signed certificates. The protocol is fair, i.e., the probability that a client, say Bob, can obtain a signed copy of the contract, while Alice cannot, can be made arbitrarily small, and scales as N−1/2, where 4N is the total number of rounds (communications between the two clients) of the protocol. Thus, the protocol is optimistic, as cheating is not successful, and the clients rarely have to contact Trent to confirm their honesty by delivering the actual signed certificates of the contract. Unlike the previous protocol (Paunković et al., Phys. Rev. A 84, 062331 (2011)), in the present proposal, a single client can obtain the signed contract alone, without the need for the other client’s presence. When first contacting Trent, the clients do not have to agree upon a definitive contract. Moreover, even upon terminating the protocol, the clients do not reveal the actual contract to Trent. Finally, the protocol is based on the laws of physics, rather than on mathematical conjectures and the exchange of a large number of signed authenticated messages during the actual contract signing process. Therefore, it is abuse-free, as Alice and Bob cannot prove they are involved in the contract signing process.


I. INTRODUCTION
Contract signing [9] is a security protocol that falls within a group of the so-called commitment protocols [1,15,16]. In general, the protocol can be defined for arbitrary number of parties (clients engaged in the protocol). For simplicity, we discuss the case of a two-party protocol, which can be straightforwardly generalized to an arbitrary number of participants.
The participants, usually referred to as Alice and Bob, have a common contract to which they decide to commit upon, or not. The commitments are usually done by simple signatures: having a text of the contract with Bob's signature stamped on it, Alice can appeal to the authorities (the Judge), that in turn declares the document valid (i.e., bind the contract). In other words, having Bob's signature gives Alice the power to enforce the terms of the contract. Consequently, signing his name on a copy of the contract means that Bob commits to the contract. The aim of a contract signing protocol is that either both clients obtain each other's commitments, or none of them does (the protocol is said to be fair).
If only Alice has a copy with Bob's signature (i.e., only Bob is committed) she can later in time choose to either enforce, or not, the terms of the contract. Bob, however, has no power whatsoever -his future behavior is determined solely by Alice's decisions. For example, Alice may have a document with Bob's signature on it, declaring that he would buy a car from her, for a fixed amount of money. Knowing that only she has such a document, Alice can continue to negotiate the price of her car with other potential costumers: in case she obtains a better offer, she is free to discard Bob's offer and thus able to earn more money. Bob does not have such an option: if Alice does not obtain a better offer, she can always force Bob to buy the car from her, by showing to the authorities the contract signed by Bob. Having no proven commitment (signature) from Alice, Bob cannot enforce the contract himself and is thus unable to prevent Alice from such behavior, which puts him in an unfair situation.
Achieving fairness is trivial in cases when clients meet up and simultaneously sign copies of the contract, thus both obtaining each other's commitments. Unfortunately, doing so when the clients are far apart, e.g., over the internet, is difficult: indeed, sending his signed copy to Alice gives Bob no guarantee that he will obtain one from Alice; on the other hand, obtaining a signature from Alice before actually sending his, gives Bob an advantage of having Alice's commitment without committing himself.
It has been shown [9,11] that the fairness of a contract signing protocol with spatially distant clients can be achieved only by introducing a trusted third party, usually referred to as Trent, during the phase of exchanging clients' commitments. Trent's role is to receive clients' commitments and perform the exchange only upon obtaining signed copies of the contract from both clients. However simple and straightforward this solution may seem, it has a drawback, as Trent (in practice, a trusted agency accredited by the State that offers its time and resources for exchange of money, e.g., public notaries) may be expensive. Therefore, the need for protocols using third parties as little as possible arises. Some contract signing protocols [7,8,13] do not require a trusted third party, but use a number of transmissions to send the pieces of signatures, or the partial information required to obtain the complete signature, in each message. Another possible way out is to design optimistic and/or probabilistic protocols.
In optimistic contract signing protocols [2], the exchange of commitments is, unless something goes wrong, executed solely by Alice and Bob. Only in case communication between the clients is interrupted (malfunction of the network, etc.), a trusted third party is involved [3]. In probabilistic protocols [5,18], by exchanging messages between each other, clients increase their probabilities to bind the contract. In order to be (probabilistically) fair, such protocols have to ensure that at each stage of the information exchange, the probabilities to bind the contract of both clients can be made arbitrarily close to each other (no client is significantly privileged). One such protocol is [18], for which the symmetry between the clients' positions is strengthened by the requirement that the joint probability that one client can bind the contract, while the other cannot, can be made smaller than any given ε < 1. Finally, there is both probabilistically fair and optimistic solution, with an optimal number of exchanged messages [5] for which even stronger fairness condition is satisfied: the conditional probability that a client cannot bind the contract, when the other has already done so, can be made arbitrary low.
Recently, a probabilistically fair and optimistic quantum protocol was presented in [17] (see a version using the simultaneous dense coding scheme in [19]). There, the trusted third party, Trent, is required to initiate the protocol and is contacted later only in case something goes wrong. The protocol in [17] is also abuse-free [12], i.e., the clients cannot provide proofs of being involved in a contract signing procedure. Nevertheless, it has three important disadvantages: (i) Alice and Bob have to share the content of the contract with Trent, (ii) both clients have to be present in order to bind the contract, in case something goes wrong and Trent's services are required, and (iii) they have to agree upon the content of the contract before the protocol initialization. Moreover, it relies on long-term stable quantum memories, making it infeasible with current technology. In this paper we propose an improved version of the contract signing protocol where (i) the clients never disclose the content of the contract to Trent, (ii) only one client is needed to bind the contract, and (iii) the clients can decide upon the contract after they initially contact Trent. Further, we propose an experimental realization of a version of the protocol that does not require quantum memories.
Regarding point (iii) from the previous paragraph, note that often, when parties initiate business contact, this does not result in making a deal formalized by a contract. Thus, involving Trent, who charges his services, might often result in the waste of clients' resources, and point (iii) does not really present an advantage. Nevertheless, waiting for the last moment, and contacting Trent only upon successful agreement and contract formulation, might result in the system failure due to possible communication bottlenecks. Imagine the following situation. Alice and Bob negotiate in buying/selling a certain product, say a security system, knowing that on a given date in the future a big company will announce a new model with its novel performances. Obviously, the price of the used model will highly depend on the information on the new one, and Alice and Bob will only upon learning the new piece of information decide upon the final contract. The problem is, many other users may decide to make similar business contracts at the same period of time, and if they all will have to only then contact Trent, this might cause communication bottleneck and the failure of the system. Thus, being able to contact Trent in advance, and then only later, "offline" (without contacting the trusted agency) exchange the commitments, might be of use, especially in "more serious" business deals including bigger amounts of money.

II. THE PROTOCOL
Consider two orthonormal states |0 and |1 of the computational basis B + . The diagonal basis B × = {|− , |+ } is given by |± = 1 √ 2 (|1 ± |0 ). We also define the measurement observables,Ô + andÔ × , aŝ Let the bit-string M be the contract that Alice and Bob agree upon. Let h be a known hash function that they also agree to use. The value h * = h(M ) will be the only information they provide to Trent, when and if they contact him. Consider the Honest observables,Ĥ i , that both honest clients, Alice and Bob, should measure at each step i of the protocol (i = 1, . . . |h(M )|), defined asĤ  where h i (M ) is the i-th bit of the string h(M ). The protocol is described below in three parts: (i) Initialization phase -in this stage of the protocol, the trusted party, Trent, prepares and distributes the states among the clients, Alice and Bob, to be used to sign the contract; (ii) Exchange phase -in this stage of the protocol, the clients, using the states and the information provided by Trent, ping-pong the information needed to sign the contract; and (iii) Binding phase -in this stage of the protocol, any one of the parties can contact Trent with his/her results in order to obtain an authorized document declaring the hash value h * = h(M ) valid, which then validates the contract M .

Initialization phase:
Parties involved: Alice, Bob and Trent. Input: 8N number of entangled pairs. The Initialization phase (see Fig. 1), consists of the following steps: 1) Trent produces two ordered sets, each consisting of 4N entangled pairs (8N pairs in total). Each pair of particles is in the state |φ + = 1 √ 2 (|0 |0 + |1 |1 ). He gives one particle from each pair of the first set to Alice, and from the second set to Bob, keeping the order of the pairs preserved. Let us denote the ordered set of 4N particles given to Alice by A, and those given to Bob by B. The two ordered sets kept by Trent, each consisting of 4N particles entangled with particles sent to Alice and Bob, are denoted by T (A) and T (B) , respectively.
2) Trent randomly divides T (A) into two ordered subsets of 2N particles each: T 1. Alice measures on the i-th particle from to obtain . 2. Alice sends to Bob.
3. Bob receives from Alice. 4. If i is an index corresponding to an index j of a particle from , then Bob measures on the j-th particle from to obtain and checks if , otherwise does nothing. 5. Bob measures on the i-th particle from to obtain . 6. Bob sends to Alice.
Alice receives from Bob. 8. If i is an index corresponding to an index j of a particle from , then Alice measures on the j-th particle from to obtain , and checks if , otherwise does nothing. The Initialization phase ends with the following: • Alice has an ordered set A of 4N particles, entangled with 2N particles kept by Trent, T Exchange phase: Parties involved: Alice and Bob. Input: • The particles and indices Alice and Bob obtained at the end of the Initialization phase.
• h * = h(M ), the hash value of the contract M to be signed, obtained using publicly known function h.
The Exchange phase (see Fig. 2), consists of 4N rounds. In 2N (randomly distributed) of them, a client, say Alice, performs a single measurement per round, on a particle (from A) that is entangled with a particle kept with Trent,

Alice Bob
At the i-th step: FIG. 3: The two kinds of measurements a client, say, Alice, performs at a step i.
or with Bob (unknown by Alice). In the other 2N rounds, she performs two measurements, one again on a particle (from A) entangled with a particle kept with Trent or Bob, and on another one (from T

(B)
A ), that Alice knows is entangled with a particle with Bob, and whose outcome she uses to compare it with the result received from Bob, and thus check his behavior. These two kinds of measurements are shown in Fig. 3.
We use R , (2N of them for each client) are found to be consistent by the end of the communication at step 4N , both clients will, during the Binding phase, obtain with certainty the certified document from Trent that allows them to acquire a signed contract from the authorities (see below the description of the Binding phase), (ii) if one of the clients suspects dishonest behavior, the communication is stopped, they measure the Honest observables on all remaining qubits and proceed to the Binding phase.
The Exchange phase ends with the following: If no cheating occurred, Alice and Bob both obtain their own as well as each other's results, R (A) and R (B) . In case the communication interrupted at step m, a client, say, Alice, ends up with all of her own results R (A) and those received from Bob by the step m (note that those do not necessarily need to be obtained by actually performing measurements on qubits).
Compares the results using a publicly known distribution , and decides whether to provide Alice with a certified document declaring the hash value valid.
FIG. 4: Binding phase: the thick arrows represent the transfer of measurement outcomes from Alice to Trent. The steps for the binding phase are described.
Binding phase: Parties involved: Trent and one of the parties, say, Alice. Input: • The sets T • The sets of Alice's measurement results, R (A) , and those sent to Alice by Bob, R (B) . Note that in the case of Bob's cheating, R (B) might contain wrong values and, in case the communication interrupted at step m, it is only a partial set of results. For simplicity, we use the same symbol R (B) for both sets of "honest", as well as "dishonest", results.
• h * = h(M ), the hash value of the contract M to be signed, obtained using publicly known function h.
• A public distribution p(α) to choose the acceptance rate α.
The Binding phase (see Fig. 4), consists of the following steps: 6) During the Binding phase, a single client, say Alice, presents her results to Trent, in order to bind the contract: she receives a certified document, signed by Trent's public key, declaring valid the hash value h * = h(M ). Having such a certificate, Alice can appeal to the authorities to enforce the terms of the contract M : she presents the contract M and the signed document declaring the value h * valid, so that the authorities can verify that indeed h * = h(M ) (note that the function h is publicly known). As pointed out in the Introduction, Trent is an agency accredited by the State (e.g., public notaries). To bind the contract, Alice provides the string h * = h(M ) to Trent and presents her results R (A) , as well as those obtained from Bob, R (B) (if the protocol was interrupted before its completion, Alice will guess the rest of Bob's outcomes; see Appendix for details). Trent measures 2N of the 4N particles in his possession -N randomly chosen from the subset T , in the bases given by h * = h(M ) (the other 2N particles are kept for binding the contract for Bob, if requested). He also chooses independently at random α > 1/2, according to some publicly known distribution p(α). Trent will give to Alice a certified document declaring the hash value h * valid ("bind the contract for Alice") if the results R (A) and R (B) satisfy the following two conditions: The Binding phase ends with the following: In case Trent finds Alice's results consistent with his, she receives an authorized document from Trent declaring the hash value h * valid, which then allows her to obtain the certified copy of the contract M , for which h * = h(M ).

III. SECURITY DESCRIPTION
Let us define the following probabilities for Alice to pass the above tests (a) and (b), in case the communication was interrupted at step m, It is easy to verify that, in the noiseless scenario, the protocol is optimistic. If both clients follow the protocol honestly till the end, both of them are able to enforce the contract: Alice will have all the outcomes of Bob's measurements in the Honest basis, allowing her to bind the contract with probability 1 (the same happens for Bob).
To analyze the probabilistic fairness quantitatively, we introduce the so-called probability to cheat, along the lines of the similar quantity analyzed in [17]. By P B bind (m; α) = P BT H (m; α) · P BT A (m; α), we denote the probability that Bob passes Trent's tests and can thus bind the contract, if the communication is interrupted at step m of the protocol, for a given choice of α; and analogously for Alice. To reach step m, both clients have to pass each other's verification, which is given by the probability P (m) = P BAS (m) · P ABS (m). Bob's probability to cheat at step m, for a given α, is defined as the probability that he can bind the contract, while Alice cannot, multiplied by the probability to reach step m: Note that the above probabilities also depend on the particular distribution of entangled pairs, denoted as "configuration L", given by probability q(L), and in case of a dishonest client, the cheating strategy. Also, both the above, as well as any probability evaluated (with the exception of p(α)) depend of N ; therefore, we omit to write it, as it is implicitly assumed. Nevertheless, the dependence on configuration L is relevant in calculations, and below we analyze it in detail.
As prescribed by the protocol, Trent gives 6N qubits to Alice -4N qubits from A and 2N from T In order to bind the contract, a client, say Bob, has to present his own measurement results, as well as those obtained from Alice. Then, Trent checks if they are correlated with those obtained on qubits in his possession. Unlike the previous proposal [17], in which both clients had to be present and show their results to Trent in order to both obtain signed contracts during the Binding phase, in the current protocol Bob does not need Alice to be summoned in order to bind the contract (and vice versa). Since the protocol should be symmetric to both clients, it should allow that they both, separately, are able to bind the contract. For this reason, when binding the contract to, say Bob, Trent does not check all of his results from T for qubits entangled with A and B, respectively. Note that to check Bob's results, Trent has to measure his qubits in the bases given by h * = h(M ) which is provided by Bob. Therefore, if both clients were using the same sets of qubits (entangled with those in Trent's possession) to separately bind the contract, a dishonest Bob would have a trivial successful cheating strategy. He measures the Honest observables given by the mutually agreed contract M , which allows him to bind that contract. Nevertheless, in case he later decides not to comply to it, he simply provides Trent with a random h = h(M ). As a consequence, Trent's results will be uncorrelated to both Bob's, as well as Alice's results, i.e., neither client would be able to bind the contract M . This is precisely the reason for checking only N out of 2N qubits from T T 2 (see Fig. 5). The overall configuration L of the entangled pairs distributed between Alice, Bob and Trent is given by six independent numbers, A , T 2 ). Therefore, Bob's probability to cheat, given by equation (4), now written with the explicit dependence on the configuration L, is T 2 ) T 1 ) .
Averaging the "constituent" probabilities from the above equation over their respective configurations from L gives where A represents the expectation value of A( ) over the values of . To simplify notation, in the following we will use P ABS (m) = P ABS (m| , and analogously for the other four probabilities from the right hand sides of the above three equations.
Hence, with Bob's probability to cheat, averaged over all configurations L, we have the expected probability to cheat as For honest clients that follow the protocol, the above probability is determined by the steps prescribed by the protocol (the "honest strategy"). In case a client, say Bob, does not follow the protocol, the above probability depends on the "cheating strategy" of a dishonest client. It turns out (see Appendix B), that the quantum part of the honest and the optimal cheating strategies are the same, i.e., the (quantum) measurements performed by a cheating Bob are the same as that of an honest one, given by the Honest observablesĤ i . In other words, the best a cheating Bob can do is to send to Alice wrong results determined by a frequency f . This is a consequence of the fact that Bob does not know which of the qubits given to him are used to bind the contract by Trent, and which to check his honesty by Alice (for details, see Appendix B).
In Appendix A, we derive the explicit expressions for the expected probability to cheat (10) for honest clients that follow the protocol, in the ideal noiseless case (Appendix A 1), as well as for noisy environments (Appendix A 2), thus showing the soundness of the protocol. In Figs. 6 (a) In Appendix B we evaluated the corresponding probabilities for the case of a cheating client who deviates from the protocol, in the presence of noise. On Figs. 6 (c) and (f), we plot the values of the maximal expected probability to cheat against 4N , for the optimal cheating strategy, showing the same dependence ∝ N −1/2 . Further, in Appendices A and B, we have analyzed the decrease of the expected probabilities to cheat in case the cheating strategy deviates from the optimal values of m or f .

IV. PRACTICAL IMPLEMENTATION WITH CURRENT TECHNOLOGY
The protocol introduced in Section II assumes that the clients keep their part of entangled pairs for a long time. With current technology, this assumption is quite limiting, as long-term stable quantum memories do not exist. Thus, both Trent, as well as Alice and Bob, are forced to perform the measurements on their respective states as they are produced/arrive. Since Trent is honest, his measurement collapses the respective photons sent to Alice an Bob in one of the four BB84 pure states. Note that, not knowing the message M , Trent measures his particles either in the computational, or the diagonal basis, chosen uniformly at random. The same applies to the honest Alice and Bob.
Thus, the practical problem of long-term stable quantum memories can be overcome by a simple modification: instead of EPR pairs, Trent sends two ordered sets of photons in pure BB84 states, |ψ ∈ {|0 , |1 , |+ , |− }, one for Alice and the other for Bob. As soon as the clients receive their particles, they measure on them the Honest observables according to h(M ). Thus, all the information kept by the parties is classical. Trent keeps with him a record of the classical information of the states sent to Alice and Bob, respectively, to use it to check their honesty in the Binding phase. However, the practical implementation of the protocol requires twice as many photons to be sent to the clients, 8N to each, instead of previous 4N , as now Trent's choices of the preparation bases are not given by h(M ), but are random. As such, during the Binding phase they will coincide with a client's measurement choices on about half of the runs only. Thus, in this practical implementation the length of the hash function is |h(M )| = 8N . From the set of 8N particles sent to a client, say Alice, Trent randomly chooses 4N particles, and sends to Bob the classical information about their states and the indices. Bob uses this information to check Alice's honesty during the Exchange phase. Note that, similarly as when comparing Trent's with a client's results (during the Binding phase), here as well only on about half of the 4N cases the preparation bases will coincide with Alice's measurement bases given by h(M ), and only those Bob can effectively use for verification. Trent sends the analogous information to Alice about the particles sent to Bob.
Once the clients contact Trent and the Initialization phase begins, Trent starts continuously broadcasting photons in BB84 states. After Alice and Bob agree on some contract M , they also agree on the moment when they execute the Exchange phase. However, they need not inform Trent until the final, Binding phase. Trent has to store the classical records of the transmitted BB84 states to Alice and Bob each in a large, but finite, buffer, erasing older values and replacing them with new ones. Therefore, when the clients first contact Trent to use his services, they are informed about the time interval between the Exchange and the Binding phases, after which Trent starts reseting the records. Assuming Trent produces photons at a clock rate of the order of GHz [6], with about 1000 terabyte of classical information storage per contract, he can keep the measurement results for around one week before erasing previous ones. Note that the feature of being able to postpone exchanging the commitments arises only in specific cases, when major investments are involved, and the possibility of a bottleneck scenario arises. It is natural to assume that in such cases both the clients, as well as the agency providing Trent's assistance, would be willing to spend significant amounts of funds for such services, and invest considerable resources in equipping the premises, respectively. With the projected decrease in the storage memory prices, the estimated times will only increase in the future.
Although the cheating probability asymptotic behavior P ch (m; α) ∈ O(N −1/2 ) shows that arbitrarily high levels of security can be achieved, it would be interesting to compare the protocol's efficiency with today's technology. Requiring a security level of the order of, say 10 −6 , it would need N ≈ 10 12 photons. A single-photon source with rates of the order of GHz [6] would achieve this number in about 15 minutes. While it is indeed not highly efficient, it can still be considered useful, and the future advances in technology will only enhance the protocol's efficiency. Note though that such high security levels, that would correspond to a 6-digit PIN (Personal Identification Number), are applied only for the most sensitive cases. In the majority of everyday applications, security levels of the order of 10 −4 would suffice (indeed, many of the credit cards have 4 digits long PINs), resulting in much shorter execution times of the order of a second.
Finally, regarding lossy channels, they will only affect the number of received photons, and not the probabilities to cheat. In other words, given certain number of received photons, N R , the security of the protocol would stay the same as in the ideal case of N = N R emitted photons. Given that the losses are of the form N R = 10 −αL/10 N , where L is the the distance travelled by photons, requiring the same order of the number of received and emitted photons, say N R = N/2, for α = 0.2 km −1 , one gets the maximal length between the clients of the order of L max = 15 km. This is already enough to cover the size of medium to large cities, and will only increase in the future. In particular, drastic changes are to be expected with the development of the satellite-based quantum communications [20], which are likely to allow covering large parts of the Earth.
Concerning security, having to measure the photons immediately after receiving them from Trent, makes it harder to cheat, as a dishonest client cannot adjust his/her cheating strategy according to the honest client's results. Along the lines of the theoretical version, the security analysis of this practical version of the protocol can be, for both noiseless and realistic noisy scenarios, conducted straightforwardly.

V. DISCUSSION AND CONCLUSIONS
We presented a quantum protocol for signing contracts. We showed that, under the realistic assumptions of noise and measurement errors, the protocol is fair, and consequently optimistic as well. Unlike the classical counterparts, the protocol is based on the laws of physics, and the clients do not need to exchange huge number of signed authenticated messages during the actual contract signing process (the Exchange phase). Thus, the protocol is abuse-free: a client cannot prove to be involved in the actual act of signing the contract. In the classical counterparts, having the signed and authenticated messages received during the Exchange phase, a client could show them to other interested clients to negotiate better terms of a financial transaction. In other words, classically a dishonest client can abuse the signing process by falsely presenting his/her interest in the deal, while actually using the protocol to achieve different goal(s). Unlike generic quantum security protocols (say, quantum key distribution), preforming quantum measurements different from those prescribed by the protocol cannot help a cheating client (see Appendix B for details). The security mechanism of our protocol is somewhat different from that in standard quantum cryptographic protocols, as learning the states/measurement outcomes of the other client does not help a dishonest client. In the current proposal, each client can independently obtain the signed contract, without the other client being present, which was not possible in [17]. Thus, the probability to cheat is assigned to a real event (whereas in [17], it is just a formal figure of merit). Unlike the classical counterparts (and the previous quantum proposal [17]), when first contacting Trent, the clients do not need to agree upon a definitive contract. Moreover, Trent never learns the actual content of the protocol, as the clients provide Trent its hash value, h * = h(M ), given by publicly known hash function h. Finally, we present a version of the protocol that does not rely on stable quantum memories, making it possible to achieve with the current technology. from Trent to Alice and Bob, respectively. The big boxes represent shielded private laboratories of Alice, Bob and Trent.

APPENDIX
In this Appendix, we analyze protocol's security in case the communication is interrupted at step m. To proceed to the Binding phase, the two clients measure the Honest observable on the rest of their qubits, thus increasing their probability to pass Trent's test (a) on qubits shared with him. For the qubits shared between Trent and the other client, used in test (b), the best they can do is to guess their outcomes. Note that this strategy is optimal for both the case of honest clients, studied in Appendix A, as well as for a dishonest client, discussed in Appendix B.
Before discussing protocol's correctness for the case of honest, and security for dishonest clients, we present the overall set-up: the "configuration" L and the details of the structure of the figure of merit, the expected probability to cheat for Bob and Alice. We assume the scenario in which the communication is interrupted upon both clients received m measurement outcomes from the other. The biased case of one client having m, while the other m − 1, results is described analogously. A simplified protocol description is given in Fig. 7

Noiseless channel
In the absence of any noise, both honest Alice and Bob obtain perfect correlations on their respective qubits shared (entangled) with Trent and among themselves. Hence, both clients will, with certainty, pass each other verification tests, P ABS (m) = P BAS (m) = 1, and thus P (m) = P ABS (m) · P BAS (m) = 1 (i.e., the reason for communication interruption is the failure of the network). Then, the probability to cheat, say, for Bob (9), is given by Moreover, the probabilities for the clients to pass Trent's test on their own qubits, P AT H (m; α) and P BT H (m; α), are also 1. Thus, Bob's probability to bind (8) is also simplified, giving and analogously for Alice. Out of the m correct results that Bob received from Alice (note that we assume ideal noiseless scenario), N − T 2 results to convince Trent to bind the contract for him. Hence, his probability to bind the contract is given by Here, T 2 = 0 , . . . , N range. By replacing m with m − 1 in equation (A5), one obtains Alice's probability to bind the contract P A bind (m; α) (note that, having one less measurement results than Bob, she therefore has a small disadvantage).
Bob's probability to cheat (A1), when the communication is interrupted at step m, and for a fixed α, is given by . Using (A4) and its counterpart for Alice one can evaluate the expected probability to cheatP B ch (m) = p(α) P B ch (m; α) dα for every m. In Fig. 8, we plot the expected probability to cheat,P B ch (m), against the step of communication interruption m (running from 1 to 4N ), for the simplest case of the uniform distribution p(α) on the interval [0.9, 0.99]. Since Alice starts first, and Bob is thus privileged, we have thatP A ch (m) ≤P B ch (m) =P ch (m). The maximal value shows the behavior max mPch (m) ∝ N −1/2 , as presented in Figs. 6(a) and 6(d), from the main text.
In addition to the quantitative results for up to 4N = 6000, below we present an analytic proof of the asymptotic behavior for the maximal expected probability to cheat, showing that as N → ∞ we have P ch (m; α) ∝ N −1/2 . The proof for the case of a noisy channel follows analogously (see [14] for the analysis for the contract signing presented in [17]). Theorem 1. In the honest noiseless case, for uniformly chosen α ∈ (1/2, 1), we have that Proof. We are going to show that for all 1 < m < 4N and α ∈ (1/2, 1) we have that P ch (m; α) ∈ O(N −1/2 ) and therefore, the statement follows straightforwardly.
Recall that a Binomial distribution B(k, p), with k sufficiently large and p bounded away from 0 and 1 (that is, does not tend to 0 or 1 as N grows to infinity), can be approximated by a Normal distribution with mean, kp, and variance, kp(1 − p) as N (kp, kp(1 − p)). In our case (with k = Therefore where erfc(β) is the complementary error function, defined as For the case αN > N − where it has the value 1/2, to obtain We also obtain the limits for T 2 where this function becomes 1 and 0, denoted by inf and sup , respectively.
We know that with the probability distribution for (A12) By Feller's result [10] on the approximation of hypergeometric distribution, one can approximate (A12) for N → ∞, N 4N → t ∈ (0, 1) to a Normal distribution as q( T 2 = inf and using the approximation (A10) from inf to sup ) by To obtain the expression for Alice's probability to bind, P A bind (m; α), we have Making the same approximations, we get P 2 (B) T 1 similar to (A13), with m replaced by m − 1. Hence where the bounds in Eq. (A18) was obtained with the help of the Mathematica software package. Since we are computing the lower bound, one can drop A 2 and it suffices to show that the integral of A 1 computed between N (1 − α) (as P A bind (m; α| T 1 ) is 1 upto N (1 − α)) and inf vanishes when N → ∞. Since (1 − P A bind (m; α| T 1 )) < 1, we can drop this and compute the limit of the integral of P 2 ( (B) T 1 ), which also provides the bound. If the communication was interrupted at step m, for all choices of α ∈ (1/2, 1) by Trent, we want to compute, say for Bob, the probability to cheat, given by where the O(N −1/2 ) in Eq. (A21) was again obtained by computing a limit with the Mathematica software package.

Noisy channel
For the case of a noisy channel, a binomial test could be used by both parties for the permitted number of wrong results from the other party. Consider white noise in the channel that decreases the degree of correlation between the honest clients' results. The depolarizing channel, modeling the effects of white noise on a two-qubit mixed state ρ, is given by (I is the identity matrix for dimension 4, and κ ∈ [0, 1]): Hence, both Alice and Bob receive some inevitable number of incorrect results, due to the noise considered, in spite of both of them measuring their respective qubits in the Honest basis. Let us denote by p(xy) the probability of Alice and Bob obtaining the results x and y, respectively, corresponding to measurements of E d (ρ) in either computational or diagonal basis, for the case of the entangled two-qubit state ρ = |ψ + ψ + |. Given both Alice and Bob measure the correct observable, that is,Ĥ i , we have the following probabilities of obtaining different results For a given probability of the favorable event (in our case, p(00) + p(11), of obtaining consistent results), and the total number of such events (say, m r ), the probability of obtaining exactly r correct results is given by the binomial distribution P r||ψ + ; m r , κ = m r r p(00) + p(11) r p(01) + p(10) with mean and variance given by Suppose that each party applies a 3-sigma "acceptance criterion", then a client will continues as long as he/she has at least µ − 3σ consistent results from the other. From (8), Bob's probability to bind the contract is P B bind (m; α) = P BT H (m; α| While Bob's probability to pass the test on his qubits, P BT H , does not depend on step m nor on T 2 (he measures all of his qubits), the probability to pass the test on Alice's qubits, P BT A , depends on m, as well as on (A) T 2 (for simplicity, we omit the implicit dependence on the noise parameter κ). Thus, we have where P = = p(00) + p(11) and P = = p(10) + p(01). Analogously, we define P A bind (m; α) = P AT H (α) · P AT B (m; α| To obtain Bob's probability to cheat (9), P B ch (m; α) = P (m)P B bind (m; α) 1 − P A bind (m; α) , we now estimate P (m) = P ABS (m) · P BAS (m). P BAS (m), the probability that Bob passes Alice's tests on their Shared qubits (from the m − 1 results sent by him to Alice). Note that, in order to reach at step m, Bob has to pass the test at all the steps 2, ...., m − 2, m − 1. Thus, we can bound P BAS (m) from above by the probability to pass Alice's test at step m − 1 only probability for Alice to obtain at least µ − 3σ correct results on the 2N − P ABS (m), the probability that Alice passes Bob's test on their Shared qubits (from the m results she sends to Bob), as well as its bound P ABS (m), are defined analogously. Thus, the overall probability to reach at step m is given by P ABS (m) · P BAS (m) ≤ P ABS (m) · P BAS (m). Hence, the average probability for Bob to cheat, with both Alice and Bob having reached the step m by passing each other's tests, isP In Fig. 9 we present the expected probability to cheat,P ch (m), plotted against the total number of communications between Alice and Bob, 4N , for the 3-sigma acceptance criterion of both Alice and Bob (as before, p(α) is uniform on the interval [0.9, 0.99]). The maximal value again shows the behavior max mPch (m) ∝ N −1/2 , as presented in Figs. 6(b) and 6(e), from the main text.
Appendix B: Security analysis (probabilistic fairness) against a dishonest client In order to cheat, a dishonest client, say Bob, would want to obtain a signed copy of the contract for message M that Alice and Bob initially agreed upon, without letting Alice obtain a signed copy for herself, so that he can use it later on, if he wants to.
The qubits from T (A) B are used to verify Alice's honesty, and therefore Bob measures them according to the protocol (note that he knows which qubits from A are entangled with T (A) B ). Regarding qubits from B, unlike the standard quantum cryptographic protocols, where the task of an adversary (say Eve, in key distribution schemes) is to distinguish between mutually non-orthogonal states, in this protocol a cheating Bob knows the pure states of his qubits: he knows which observables Trent and an honest Alice measure, and thus by measuring that observable can check which of the two mutually orthogonal states they (will) collapse his system to. Note that Bob cannot take advantage of measuring observables different from those prescribed by the protocol. Since Alice's and Bob's measurements are local, they commute and thus their time order is irrelevant. Thus, by deviating from the protocol, a dishonest Bob can only spoil the correlations between his and Alice's outcomes, a task he can achieve by any random source. Regarding Trent, the time ordering matters, as it is Bob who tells Trent which single-qubit observables to measure. Nevertheless, since Bob's aim is to have his results as correlated as possible with Trent's, without spoiling the correlations established with Alice's results, Bob should measure all the qubits from B according to the protocol.
As argued above, for a cheating client Bob, even knowing to which states the particles sent to him are collapsed to (due to Alice's and Trent's measurements), does not help. This is because he still does not know which of those particles are entangled with Alice and which ones are with Trent. Bob's cheating strategy should allow him to bind the contract, such that Alice is unable to bind the contract even with Trent's help. In order to bind the contract for himself, Bob must pass the test by providing to Trent at least a fraction α of correct measurement results on the qubits entangled with T T 2 entangled with Trent. While these incorrect results will spoil Alice's chances to bind the contract, they will equally decrease Bob's chances too. Hence, the best strategy is to measure all his qubits in Honest basis to pass the test on all T (B) T 2 qubits, and send random bits to Alice, by choosing a random probability f to decide whether or not to flip the result that he sends to Alice (the frequency of sending wrong results). Therefore, the probability for Alice to obtain correct results on these qubits will beP where P = = p(00) + p(11) and P = = p(10) + p(01). The communication is interrupted at step m, after Alice stops sending the measurement outcomes to Bob upon suspecting a dishonest behavior. Recall that we are considering the case where Alice is the first one to start the communication, and therefore, in the worst case scenario after the m-th step Alice and Bob each have m measurement results from each other.
With m measurement results each, the probability for Alice and Bob to pass Trent's test on her/his own qubits, P AT H (α) and P BT H (α) respectively, remains the same as in the honest noisy case. Since Bob decides to flip the results randomly, based on f , he is bound to send wrong results on some of the qubits. Hence, Alice receives more incorrect results from Bob as compared to the honest noisy case. Bob on the other hand receives the same number of correct results as in the honest noisy case. Therefore, P ABS (m) and P BT A (m; α) remain the same, while P AT B (m; α) and P BAS (m) are modified by replacing P = and P = byP = andP = = 1 −P = (B1).
The expected probability to cheat,P ch (m, f ), is plotted in Fig. 10. The same behavior (as in the case of honest clients), max m,fPch (m, f ) ∝ N −1/2 , is observed, as in Figs. 6(c) and 6(f) from the main text.