
  1. TECS Week 2005
     Contract-Signing Protocols
     John Mitchell, Stanford

     Contract Signing
     • Two parties want to sign a contract
       • Multi-party signing is more complicated
     • The contract is known to both parties
       • The protocols we will look at are not for contract negotiation (e.g., auctions)
     • The attacker could be
       • Another party on the network
       • The “person” you think you want to sign a contract with

     Example
     [Figure: immunity deal]
     • Both parties want to sign the contract
     • Neither wants to commit first

     Another example: stock trading
     [Figure: stock broker and customer. "Willing to sell stock at price X" / "Ok, willing to buy at price X"]
     • Why signed contract?
       • Suppose market price changes
       • Buyer or seller may want proof of agreement

     Network is Asynchronous
     • Physical solution
       • Two parties sit at table
       • Write their signatures simultaneously
       • Exchange copies
     • Problem
       • How to sign a contract on a network?
     Fair exchange: general problem of exchanging information so both succeed or both fail

     Fundamental limitation
     • Impossibility of consensus
       • Very weak consensus is not solvable if one or more processes can be faulty
     • Asynchronous setting
       • Process has initial 0 or 1, and eventually decides 0 or 1
       • Weak termination: some correct process decides
       • Agreement: no two processes decide on different values
       • Very weak validity: there is a run in which the decision is 0 and a run in which the decision is 1
     • Reference
       • M. J. Fischer, N. A. Lynch and M. S. Paterson, Impossibility of Distributed Consensus with One Faulty Process. J ACM 32(2):374-382 (April 1985).

  2. FLP Partial Intuition
     • Quote from paper:
       • The asynchronous commit protocols in current use all seem to have a “window of vulnerability” - an interval of time during the execution of the algorithm in which the delay or inaccessibility of a single process can cause the entire algorithm to wait indefinitely. It follows from our impossibility result that every commit protocol has such a “window,” confirming a widely believed tenet in the folklore.

     Implication for fair exchange
     • Need a trusted third party (TTP)
       • It is impossible to solve strong fair exchange without a trusted third party. The proof is by relating strong fair exchange to the problem of consensus and adapting the impossibility result of Fischer, Lynch and Paterson.
     • Reference
       • H. Pagnia and F. C. Gärtner, On the impossibility of fair exchange without a trusted third party. Technical Report TUD-BS-1999-02, Darmstadt University of Technology, March 1999

     Two forms of contract signing
     • Gradual-release protocols
       • Alice and Bob sign contract
       • Exchange signatures a few bits at a time
       • Issues
         – Signatures are verifiable
         – Work required to guess remaining signature decreases
         – Alice, Bob must be able to verify that what they have received so far is part of a valid signature
     • Add trusted third party

     Easy TTP contract signing
     [Diagram: A, B and TTP, with arrows labelled signature, signature, contract, contract]
     • Problem
       • TTP is bottleneck
       • Can we do better?

     Optimistic contract signing
     • Use TTP only if needed
       • Can complete contract signing without TTP
       • TTP will make decisions if asked
     • Goals
       • Fair: no one can cheat the other
       • Timely: no one has to wait indefinitely (assuming that TTP is available)
       • Other properties …

     General protocol outline
     Messages between A and B:
       I am going to sign the contract
       I am going to sign the contract
       Here is my signature
       Here is my signature
     • Trusted third party can force contract
       • Third party can declare contract binding if presented with first two messages.

  3. Commitment (idea from crypto)
     • Cryptographic hash function
       • Easy to compute function f
       • Given f(x), hard to find y with f(y)=f(x)
       • Hard to find pairs x, y with f(y)=f(x)
     • Commit
       • Send f(x) for randomly chosen x
     • Complete
       • Reveal x

     Refined protocol outline
     Messages between A and B:
       sign(A, 〈contract, hash(rand_A)〉)
       sign(B, 〈contract, hash(rand_B)〉)
       rand_A
       rand_B
     • Trusted third party can force contract
       • Third party can declare contract binding by signing first two messages.

     Optimistic Protocol [Asokan, Shoup, Waidner]
     Input (M): PK_K, T, text
     Input (K): PK_M, T, text
       m1 = sig_M(PK_M, PK_K, T, text, hash(R_M))
       m2 = sig_K(m1, hash(R_K))
       m3 = R_M
       m4 = R_K
     Result held by M and by K: m1, R_M, m2, R_K

     Asokan-Shoup-Waidner Outcomes
     • Contract from normal execution
       m1, R_M, m2, R_K
     • Contract issued by third party
       sig_T(m1, m2)
     • Abort token issued by third party
       sig_T(abort, a1)

     Resolve Subprotocol
     Parties: M, Net, K, T
       m1 = sig_M(… hash(R_M))
       m2 = sig_K(… hash(R_K))
       m3 = ???
       m4 = ???
       r1 = m1, m2
     T: aborted?
       Yes: r2 = sig_T(abort, a1)
       No: resolved := true
           r2 = sig_T(m1, m2)
     r2 is sig_T(m1, m2) OR sig_T(abort, a1)

     Role of Trusted Third Party
     • T can issue a replacement contract
       • Proof that both parties are committed
     • T can issue an abort token
       • Proof that T will not issue contract
     • T acts only when requested
       • decides whether to abort or resolve on the first-come-first-serve basis
       • only gets involved if requested by M or K

  4. Abort Subprotocol
     Parties: M, Network, K, T
       m1 = sig_M(… hash(R_M))
       m2 = ???
       a1 = sig_M(abort, m1)
     T: resolved?
       Yes: a2 = sig_T(m1, m2)
       No: aborted := true
           a2 = sig_T(abort, a1)
     a2 is sig_T(m1, m2) OR sig_T(abort, a1)

     Fairness and Timeliness
     Fairness
       If A cannot obtain B’s signature, then B should not be able to obtain A’s signature, and vice versa
     Timeliness
       “One player cannot force the other to wait -- a fair and timely termination can always be forced by contacting TTP”
     [Asokan, Shoup, Waidner Eurocrypt ‘98]

     Asokan-Shoup-Waidner protocol
     Agree (A, B):
       m1 = sign(A, 〈c, hash(r_A)〉)
       sign(B, 〈m1, hash(r_B)〉)
       r_A
       r_B
     Abort (A, B, Network, T):
       Network ???
       a1
       If not already resolved: sig_T(a1, abort)
     Resolve (A, B, Net, T):
       m1
       m2
       Net ???
       sig_T(m1, m2)
     Attack?

     Attack
     Parties: M, Network, K, T
       m1 = sig_M(... hash(R_M))
       m2 = sig_K(m1, hash(R_K))
       secret Q_K, m2
       ???
       m3 = R_M
       r1 = m1, m2
       r2 = sig_T(m1, m2)
     Final holdings: m1, R_M, m2, Q_K and sig_T(m1, m2)
     contracts are inconsistent!

     Replay Attack
     Between M and K:
       sig_M(… hash(R_M))
       sig_K(... hash(R_K))
       R_M
       R_K
     Intruder causes K to commit to old contract with M
     Later ... (with K):
       sig_M(PK_M, PK_K, T, text, hash(R_M))
       sig_K(m1, hash(Q_K))
       R_M
       Q_K

     Fixing the Protocol
     Input (M): PK_K, T, text
     Input (K): PK_M, T, text
       m1 = sig_M(PK_M, PK_K, T, text, hash(R_M))
       m2 = sig_K(m1, hash(R_K))
       m3 = R_M   sig_M( , hash(R_K))
       m4 = R_K
     Result held by M and by K: m1, R_M, m2, R_K
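The trusted third party's first-come-first-served abort/resolve decision and the hash-commitment contract check from the Asokan-Shoup-Waidner slides above, as an added example that is not part of the original slides. HMAC-SHA256 stands in for the public-key signatures sig_M, sig_K and sig_T (an assumption made so the sketch runs with the standard library only), and the function names, class name, keys and contract text are constructed for illustration.

```python
import hashlib, hmac, os

def H(x: bytes) -> bytes:
    """Commitment: publish H(r) inside a signed message, reveal r to complete."""
    return hashlib.sha256(x).digest()

def sign(key: bytes, *parts: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA256 stands in for public-key signatures sig_M, sig_K, sig_T.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def verify(key: bytes, signed: bytes) -> bool:
    msg, tag = signed[:-32], signed[-32:]
    return hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest())

def committed(k_m, k_k, m1, m2) -> bool:
    # Both signatures check out and m2 = sig_K(m1, hash(R_K)) embeds exactly this m1.
    return verify(k_m, m1) and verify(k_k, m2) and m2[4:4 + len(m1)] == m1

def valid_contract(k_m, k_k, m1, r_m, m2, r_k) -> bool:
    # Contract from normal execution: m1, R_M, m2, R_K with both commitments opened.
    return (committed(k_m, k_k, m1, m2)
            and m1[-64:-32] == H(r_m) and m2[-64:-32] == H(r_k))

class TTP:
    """Decides abort or resolve once per m1, first come, first served."""
    def __init__(self, k_t, k_m, k_k):
        self.k_t, self.k_m, self.k_k = k_t, k_m, k_k
        self.decided = {}  # m1 -> first token issued for that exchange

    def abort(self, m1, a1):  # a1 = sig_M(abort, m1)
        expected = sign(self.k_m, b"abort", m1)
        if not (verify(self.k_m, m1) and hmac.compare_digest(a1, expected)):
            raise ValueError("invalid abort request")
        return self.decided.setdefault(m1, sign(self.k_t, b"abort", a1))

    def resolve(self, m1, m2):  # r1 = m1, m2
        if not committed(self.k_m, self.k_k, m1, m2):
            raise ValueError("invalid resolve request")
        return self.decided.setdefault(m1, sign(self.k_t, m1, m2))

def demo():
    k_m, k_k, k_t = (os.urandom(32) for _ in range(3))  # constructed keys
    r_m, r_k = os.urandom(16), os.urandom(16)
    m1 = sign(k_m, b"PK_M", b"PK_K", b"T", b"constructed contract text", H(r_m))
    m2 = sign(k_k, m1, H(r_k))
    ttp = TTP(k_t, k_m, k_k)
    r2 = ttp.resolve(m1, m2)                     # K resolves first
    a2 = ttp.abort(m1, sign(k_m, b"abort", m1))  # M's late abort gets the same token
    return r2 == a2, valid_contract(k_m, k_k, m1, r_m, m2, r_k)
```

Because the decision is keyed on m1 and stored once, a party that asks second receives the token issued to the first requester, which is the property the fairness argument relies on.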

  5. Desirable properties
     • Fair
       • If one can get contract, so can other
     • Accountability
       • If someone cheats, message trace shows who cheated
     • Abuse free
       • No party can show that they can determine outcome of the protocol

     Abuse-Free Contract Signing [Garay, Jakobsson, MacKenzie]
     Messages between A and B:
       PCS_A(text,B,T)
       PCS_B(text,A,T)
       sig_A(text)
       sig_B(text)
     • Private Contract Signature
       • Special cryptographic primitive
       • B cannot take msg from A and show to C
       • T converts signatures, does not use own

     Role of Trusted Third Party
     • T can convert PCS to regular signature
       • Resolve the protocol if necessary
     • T can issue an abort token
       • Promise not to resolve protocol in future
     • T acts only when requested
       • decides whether to abort or resolve on a first-come-first-served basis
       • only gets involved if requested by A or B

     Resolve Subprotocol
     Parties: A, Net, B, T
       PCS_A(text,B,T)
       PCS_B(text,A,T)
       ???
       r1 = PCS_A(text,B,T), sig_B(text)
     T: aborted?
       Yes: r2 = sig_T(a1)
       No: resolved := true
           r2 = sig_A(text)
           store sig_B(text)
     r2 is sig_T(a1) OR sig_A(text)

     Abort Subprotocol
     Parties: A, Network, B, T
       m1 = PCS_A(text,B,T)
       ???
       a1 = sig_A(m1, abort)
     T: resolved?
       Yes: a2 = sig_B(text)
       No: aborted := true
           a2 = sig_T(a1)
     a2 is sig_B(text) OR sig_T(a1)

     Garay, Jakobsson, MacKenzie
     Agree (A, B):
       PCS_A(text,B,T)
       PCS_B(text,A,T)
       sig_A(text)
       sig_B(text)
     Abort (A, B, Network, T):
       m1 = PCS_A(text,B,T)
       Network ???
       sig_T(abort)
     Resolve (A, B, Net, T):
       PCS_A(text,B,T)
       PCS_B(text,A,T)
       Net ???
       sig_B(text)
     Attack (B, T):
       Leaked by T: PCS_A(text,B,T)
       abort AND sig_B(text)
       abort
