[Cryptography] Proposal of a fair contract signing protocol

mok-kong shen mok-kong.shen at t-online.de
Wed Jun 29 07:53:20 EDT 2016

[I hope that the following more carefully/clearly formulated revised
version of my OP should render the underlying idea of mine
understandable and more easily seen to be correct.]

Proposal of a fair contract signing protocol (without a trusted third

When a contract in digital form is to be signed online by Alice and
Bob, an issue concerning the fairness of the signing process crops up
as follows: If Alice first signs the document and sends it to Bob, it
means she has committed to something (e.g. ready to purchase an article
from Bob at a certain price), Bob can however, if he desires, to some
extent delay giving his digital signature and thus have a certain
finite time interval during which he has no corresponding commitment.
This is obviously unfair and hence to be avoided, if possible.

Noting that with visual cryptography a document can be separated into
two pieces such that they jointly can reproduce the original but
neither piece alone provides any information of the document, we
propose the following protocol which well fulfills the requirements of
fairness in the present context.

In the following the convention is that signed(A, U) denotes U
digitally signed by A and that A thereby commits to U and that nothing
else, e.g. simply a V in a message (which as a whole piece can be
signed by A) has the meaning of a commitment. All messages are to be
sent with signcryption, i.e. encrypted with receiver's public key and
signed by the sender with his/her private key, and with authentication
(integrity check). All messages are to be sent with request for
acknowledgement of receipt.

Step 1: Alice formulates a contract document C, assigns to it a unique
identifier, generates with visual cryptography a pair (X, Y), signs X
and sends a message containing signed(Alice, X) and Y and a promise
(a conditioned commitment) that she will sign Y in case Bob signs X and
Y, to Bob.

Step 2: Bob obtains C from (X, Y). If he can't accept C, he informs
Alice and the protocol begins again at step 1. Otherwise he signs X and
Y and sends a message containing signed(Bob, X) and signed(Bob, Y) to

Step 3: Alice examines whether Bob has signed the correct stuff, e.g.
whether he had e.g. by mistake sent signed(Bob, Z) in place of
signed(Bob, X) with Z != X. If Bob had signed the wrong stuff, she
informs Bob and the protocol begins again at step 1. Otherwise she
signs Y and releases C, signed(Alice, X), signed(Alice, Y),
signed(Bob, X) and signed(Bob, Y) to the public.

Note that:

(a) In step 1 Alice has only signed X but not Y, thus has not yet
committed to C.

(b) In step 3 Alice is bound to sign Y because of her earlier promise
to do that in the message sent and signed by her to Bob in step 1.

(c) Our definition is: A valid contract C, i.e. one signed by both
partners, is unfair in its signing processing, if there existed a
certain finite time interval in which one partner had already committed
to C while the other partner had yet the freedom to commit to C or not.
It is evident that, when our protocol completes, fairness, thus
defined, is fulfilled.

(d) Our protocol doesn't involve/need any trusted third party, which is
an advantage.

(e) There are literatures which claim (if I have not misinterpreted)
that protocols of our genre are impossible. My humble knowledge is
unfortunately insufficient to study them in detail so as to resolve
the apparent contradiction between our result and the impossibility
claims. I guess that this could be a consequence of these literatures'
employment of a different (maybe more demanding) definition of fairness
than ours or there could eventually be errors in them. Readers
interested in probing the causes of that contradiction may eventually
desire to read a paper of H. Pagnia and F. C. Gaertner of 1999 entitled
"On the Impossibility of Fair Exchange without a Trusted Third Party"
which is however currently not online accessible from the institution
where the paper was originally published. In that case I could send
over a copy. (My address: mok-kong.shen at t-online.de)

For comments and critiques I should be very grateful.

(For signcryption, see e.g. Example 3S in 

M. K. Shen
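
Added example, not part of the original post: a Python walk-through of steps 1 to 3 that records which shares each party has validly signed after every step. It assumes an XOR 2-of-2 split in place of visual cryptography and Lamport one-time signatures (the post names no signature scheme), and it omits signcryption and acknowledgements; all function names are hypothetical.

```python
import hashlib, secrets

H = lambda b: hashlib.sha256(b).digest()

def keygen():  # Lamport one-time key pair (assumed scheme, one key per signed share)
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def split(c):  # XOR 2-of-2 split, standing in for visual cryptography
    x = secrets.token_bytes(len(c))
    return x, bytes(p ^ q for p, q in zip(c, x))

def join(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def signed_shares(pks, shares, sigs):
    # For each party, the shares carrying a signature that verifies on that share.
    return {p: "".join(s for s in "XY" if (p, s) in sigs
                       and verify(pks[p, s], shares[s], sigs[p, s]))
            for p in ("Alice", "Bob")}

def run(contract, bob_signs=None):
    keys = {(p, s): keygen() for p in ("Alice", "Bob") for s in "XY"}
    pks = {k: v[1] for k, v in keys.items()}
    shares = dict(zip("XY", split(contract)))
    sigs, trace = {}, []
    # Step 1: Alice signs X only and sends signed(Alice, X) together with Y.
    sigs["Alice", "X"] = sign(keys["Alice", "X"][0], shares["X"])
    trace.append(signed_shares(pks, shares, sigs))
    # Step 2: Bob rebuilds C, then signs X and Y (bob_signs models signing Z != X).
    assert join(shares["X"], shares["Y"]) == contract
    sigs["Bob", "X"] = sign(keys["Bob", "X"][0], bob_signs or shares["X"])
    sigs["Bob", "Y"] = sign(keys["Bob", "Y"][0], shares["Y"])
    trace.append(signed_shares(pks, shares, sigs))
    # Step 3: Alice checks that Bob signed the correct shares before she signs Y.
    if trace[-1]["Bob"] != "XY":
        return "restart", trace
    sigs["Alice", "Y"] = sign(keys["Alice", "Y"][0], shares["Y"])
    trace.append(signed_shares(pks, shares, sigs))
    return "complete", trace
```

`run(b"...")` returns the outcome and a per-step trace of signed shares, which is the information the definition in note (c) is stated over; passing `bob_signs=b"Z"` exercises the step 3 restart.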
