Pardon a naive question, but shouldn't the signing algorithm allow the signer to add two nonces before and after the thing to be signed, and make the nonces part of the signature? That would eliminate the risk of ever signing something exactly chosen by an attacker, or at least so it would seem.
Most (secure) signature schemes actually include the randomization as part of their process, so adding nonces to the text before signing is not necessary. OTOH, I don't see any problem in defining between the parties (in the `meta-contract` defining their use of public key signatures) that the signed documents are structured with a random field before and after the `actual contract`, as long as the fields are well defined.
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & security)
Mirror site: http://www.mfn.org/~herzbea/
begin:vcard fn:Amir Herzberg n:Herzberg;Amir org:Bar Ilan University;Computer Science adr:;;;Ramat Gan ;;52900;Israel email;internet:[EMAIL PROTECTED] title:Associate Professor tel;work:+972-3-531-8863 tel;fax:+972-3-531-8863 x-mozilla-html:FALSE url:http://AmirHerzberg.com , mirror: http://www.mfn.org/~herzbea/ version:2.1 end:vcard