[Cryptography] Proposal of a fair contract signing protocol

mok-kong shen mok-kong.shen at t-online.de
Mon Jun 13 20:49:06 EDT 2016


[I noticed that my OP of 10.06.2016 was not sufficiently well
formulated and may thus lead to misunderstandings. Allow me to present
a revised version in the following, which IMHO also answered some of
the critiques received.]

When a contract in digital form is to be signed online by Alice and
Bob, an issue concerning the fairness of the signing process crops up
as follows: If Alice first signs the document and sends it to Bob, it
means she has committed to something (e.g. ready to purchase an article
from Bob at a certain price), Bob can however, if he desires, at least
to some extent arbitrarily delay giving his digital signature, i.e.
having a period during which he has no corresponding commitment. This
is obviously unfair and thus to be avoided, if possible.

Noting that with visual cryptography a document can be separated into
two pieces such that they jointly can reproduce the original but
neither piece alone provides any information of the document, the
following protocol appears to well fulfill the requirements of fairness
in the present context.

In the following the convention is that signed(A, U) denotes U (as a
single piece) digitally signed by A and that A thereby commits to U and
that nothing else, e.g. simply a V in a message which as a whole is
signed, has the meaning of a commitment.

Step 1: Alice formulates a contract document C, generates with visual
cryptography a pair (X, Y), sends a message containing signed(Alice,X)
and Y to Bob and asks him to accept C within a certain reasonable time
period T1 and promises to complete the contract formality within a
reasonable time period T2 in case Bob commits to C.

Step 2: In time period T1: Bob obtains C from (X, Y). If he can't
accept C, he informs Alice and the protocol begins again at step 1.
Otherwise he sends a message containing signed(Bob,X) and signed(Bob,Y)
to Alice and asks her to release C. (If Bob does nothing in T1, the
protocol begins again at step 1.)

Step 3: In time period T2: Alice examines whether Bob has signed the
correct stuff, i.e. whether he hadn't e.g. by mistake sent
signed(Bob,Z) in place of signed(Bob,X) with Z != X. If Bob had signed
the wrong stuff, she informs Bob and the protocol begins again at
step 1. Otherwise she releases C, signed(Alice,X), signed(Alice,Y),
signed(Bob,X) and signed(Bob,Y) to the public. (Alice is responsible
to complete step 3 in T2.)

The messages of step 1 and 2 are to be sent with signcryption, i.e.
encrypted with receiver's public key and signed by the sender, and with
authentication (integrity check).

Note that:

(a) In step 1 Alice has not committed to C. Since she proposes C in the
hope that Bob would accept it, it is natural that she must allow a time
period T1 during which Bob makes his decision. This is familiar also in
all other human transactions where one party takes the initiative to
suggest something to be done together and the other party agrees or
refuses. Thus there is no unfairness here.

(b) If Bob commits to C in step 2, then Alice is immediately obliged
(responsible) to commit to C as well, since the pair (X, Y) stems from
herself. That is, C is virtually already valid. That the formality may
take a time period T2 is familiar also in all other human transactions.

M. K. Shen
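The three steps above, as an added runnable model (not part of Shen's post, nor anyone's implementation of it), written so that each check the post calls for sits at the step where it belongs. The model makes several assumptions of its own: the visual-cryptography split is replaced by XOR 2-of-2 secret sharing over bytes (X uniformly random, Y = X xor C), which has the property the post relies on, namely that either share alone carries no information about C; signed(A, U) is modelled as an HMAC tag under a per-party key held in a registry, a stand-in for a public-key signature and not one; signcryption and transport are not modelled; and the periods T1 and T2 are reduced to a "responded in time" flag. The names `step1`, `step2`, `step3`, `run` and `audit_release` are mine, and the release in step 3 is followed by the check a third party could run on the published material.

```python
"""
Added example, not part of M. K. Shen's post: a runnable model of the
three-step protocol described above.
Assumptions made here (none of them are in the post):
  * visual cryptography is replaced by XOR 2-of-2 secret sharing over bytes
    (X is uniformly random, Y = X xor C), so either share alone carries no
    information about C;
  * signed(A, U) is modelled as an HMAC tag under a per-party key taken from
    a registry; this is a stand-in for a public-key signature, not one;
  * signcryption/transport is not modelled; T1 and T2 are a boolean flag.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in for each party's signing key (assumption; see module docstring).
KEYS = {"Alice": secrets.token_bytes(32), "Bob": secrets.token_bytes(32)}


@dataclass(frozen=True)
class Signed:
    """signed(signer, piece): the signer commits to exactly this piece."""
    signer: str
    piece: bytes
    tag: bytes


def sign(party, piece):
    return Signed(party, piece, hmac.new(KEYS[party], piece, hashlib.sha256).digest())


def verify(s):
    expected = hmac.new(KEYS[s.signer], s.piece, hashlib.sha256).digest()
    return hmac.compare_digest(expected, s.tag)


def split(c):
    """Stand-in for the visual-cryptography split: (X, Y) with X xor Y = C."""
    x = secrets.token_bytes(len(c))
    y = bytes(a ^ b for a, b in zip(x, c))
    return x, y


def reconstruct(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def step1(c):
    """Alice: split C, sign X only (no commitment to C yet), send Y in clear."""
    x, y = split(c)
    return {"C": c, "X": x, "Y": y}, {"signed_X": sign("Alice", x), "Y": y}


def step2(msg1, bob_accepts, responds_in_T1=True, sign_wrong_piece=False):
    """Bob: recover C; if acceptable, commit by signing X and Y. None = restart."""
    if not responds_in_T1:
        return None                      # silence in T1: protocol restarts
    sx = msg1["signed_X"]
    if sx.signer != "Alice" or not verify(sx):
        return None
    c = reconstruct(sx.piece, msg1["Y"])
    if not bob_accepts(c):
        return None                      # Bob rejects C: protocol restarts
    x_piece = sx.piece
    if sign_wrong_piece:                 # models signed(Bob, Z) with Z != X
        x_piece = bytes([x_piece[0] ^ 0xFF]) + x_piece[1:]
    return {"signed_X": sign("Bob", x_piece), "signed_Y": sign("Bob", msg1["Y"])}


def step3(state, msg2):
    """Alice: check Bob signed exactly her X and Y, then release everything."""
    if msg2 is None:
        return None
    sx, sy = msg2["signed_X"], msg2["signed_Y"]
    if not (sx.signer == sy.signer == "Bob" and verify(sx) and verify(sy)):
        return None
    if sx.piece != state["X"] or sy.piece != state["Y"]:
        return None                      # wrong piece signed: restart at step 1
    return {"C": state["C"],
            "signatures": [sign("Alice", state["X"]), sign("Alice", state["Y"]), sx, sy]}


def audit_release(rel):
    """What any third party can check on the public release of step 3."""
    sigs = rel["signatures"]
    if not all(verify(s) for s in sigs):
        return False
    by_party = {p: {s.piece for s in sigs if s.signer == p} for p in ("Alice", "Bob")}
    if by_party["Alice"] != by_party["Bob"] or len(by_party["Alice"]) != 2:
        return False
    x, y = sorted(by_party["Alice"])     # xor is commutative, order is irrelevant
    return reconstruct(x, y) == rel["C"]


def run(c, bob_accepts=lambda _c: True, responds_in_T1=True, sign_wrong_piece=False):
    """Drive one round; returns ("released", release) or ("restart", None)."""
    state, m1 = step1(c)
    rel = step3(state, step2(m1, bob_accepts, responds_in_T1, sign_wrong_piece))
    return ("released", rel) if rel else ("restart", None)


if __name__ == "__main__":
    contract = b"Alice sells Bob one widget for 10 EUR"  # constructed sample
    status, release = run(contract)
    print(status, audit_release(release))
```

The step 3 equality check is where the "signed(Bob, Z) in place of signed(Bob, X)" case is caught: a valid signature over the wrong piece is treated the same as no response, and the round restarts rather than releasing a mismatched bundle.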
