[Cryptography] Proposal of a fair contract signing protocol

mok-kong shen mok-kong.shen at t-online.de
Fri Jun 10 16:59:04 EDT 2016

When a contract in digital from is to be signed online by Alice and
Bob, an issue concerning the fairness of the signing process crops up
as follows: If Alice first signs the document and sends it to Bob, it
means she has committed to something (e.g. ready to purchase an article
from Bob at a certain price). Bob can however, if he desires, at least
to some extent arbitrarily delay giving his digital signature, i.e.
having a period during which he has no corresponding commitment. This
is obviously unfair and thus to be avoided, if possible.

Noting that with visual cryptography a document can be separated into
two pieces such that they jointly can reproduce the original but
neither piece alone provides any information of the document, the
following protocol appears to well fulfill the requirements of fairness
in the present context.

(1) Alice formulates the contract document C and generates from it with
visual cryptography a pair (X, Y), signs X and with signcryption
(signed encryption) sends a message containing signed(Alice,X) and Y to
Bob. (We assume that signcryption of a message is authenticated, i.e.
it has integrity check. signed(Alice,X) denotes an X in the message
that is digitally signed by Alice.)

(2) Bob obtains C from (X, Y). If he finds C acceptable, he gives his
consent through signing X and Y and sending with signcryption
signed(Bob,X) and signed(Bob,Y) to Alice. Otherwise he asks Alice to
revise the docment and the protocol begins again from step (1).

(3) Alice checks that Bob has signed X and Y (i.e. not other values),
signs Y and releases C, signed(Alice,X), signed(Alice Y), signed(Bob,X)
and signed(Bob,Y) to the public.

Note that after step (2) Alice cannot innocently refuse to perform step
(3), since the pair (X,Y) stems from her. In other words, after step
(2) the contract is de facto completed.

Thus there is no time period during which one partner has full
commitment to C while the other has none and, if C is released to the
public, it is signed by both partners.

For comments and critiques I should be very grateful.

M. K. Shen

More information about the cryptography mailing list