Analysis of optimistic multi-party contract signing
Rohit Chadha (1,2), Steve Kremer (3), Andre Scedrov (1)
(1) University of Pennsylvania, (2) University of Sussex, (3) Université Libre de Bruxelles

Digital Contract signing
• Use digital signatures to sign a contract over a network
• Special instance of fair exchange protocols
• Important issue for secure electronic commerce
• Naive 2-party example:
    A → B : Sig_A(contract)
    B → A : Sig_B(contract)

Digital Contract signing
• Use digital signatures to sign a contract over a network
• Special instance of fair exchange protocols
• Important issue for secure electronic commerce
• Naive 2-party example:
    A → B : Sig_A(contract)
    B → A : ?
• Bob may be malicious and not send his signature
• Asymmetry: someone must be the first to send his signature

Properties of Contract Signing
• Fairness
  – If A can get B's signature, then B can get A's signature and vice versa
• Timeliness
  – Avoids that a participant gets stuck
• Advantage
  – A participant has an advantage if
    • he has a strategy to complete the exchange
    • and he has a strategy to abort the exchange
• Abuse-freeness (provable advantage)
  – Avoids that a participant can prove to an external party that he has the power to choose the outcome of the protocol

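The fairness and advantage definitions above can be checked mechanically on the naive 2-party exchange. The following is an added example, not part of the original slides: the game graph, state names and helper functions are constructed for illustration, and "abort" is modelled as any outcome in which the other party ends without the player's signature.

```python
# Constructed game graph for the naive exchange (A signs first, then B).
# state -> (player to move, successors); terminal states have no successors.
GAME = {
    "start": ("A", ["a_sent", "nobody_signed"]),
    "a_sent": ("B", ["both_signed", "b_withheld"]),
    "both_signed": (None, []), "b_withheld": (None, []), "nobody_signed": (None, []),
}
# HOLDS[s][X]: does X hold the other party's signature in terminal state s?
HOLDS = {
    "both_signed": {"A": True, "B": True},
    "b_withheld": {"A": False, "B": True},
    "nobody_signed": {"A": False, "B": False},
}
HONEST = {"start": "a_sent", "a_sent": "both_signed"}  # the protocol's prescribed move

def other(p):
    return "B" if p == "A" else "A"

def can_force(player, goal):
    """States from which `player` has a strategy to reach `goal` (attractor set)."""
    win, changed = set(goal), True
    while changed:
        changed = False
        for s, (owner, succ) in GAME.items():
            if s in win or not succ:
                continue
            pick = any if owner == player else all  # own move: one option suffices
            if pick(t in win for t in succ):
                win.add(s)
                changed = True
    return win

def has_advantage(player, state):
    """Slide definition: a strategy to complete AND a strategy to abort."""
    complete = {s for s, h in HOLDS.items() if h["A"] and h["B"]}
    abort = {s for s, h in HOLDS.items() if not h[other(player)]}
    return state in can_force(player, complete) and state in can_force(player, abort)

def unfair_outcomes(honest):
    """Terminal states reachable when `honest` follows the protocol and the other
    party moves freely, in which only the other party holds a signature."""
    seen, todo, bad = set(), ["start"], []
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        owner, succ = GAME[s]
        if not succ and HOLDS[s][other(honest)] and not HOLDS[s][honest]:
            bad.append(s)
        todo += [HONEST[s]] if owner == honest and succ else succ
    return bad
```

Once A has sent Sig_A, B alone decides the outcome, so B has an advantage in state `a_sent` and an honest A can end in `b_withheld`; an honest B, who signs second, has no unfair outcome.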
Evolution of contract signing
In 1980, Even & Yacobi showed that no fair deterministic contract signing protocol exists without the participation of a trusted party.
• Randomized protocols
• Trusted Party intervenes
  – Use trusted party as a delivery authority
  – May cause a bottleneck …
• Trusted Party intervenes only in case of problem (optimistic approach)
  – More complex, and more error-prone …

Formal methods & contract signing
• [Shmatikov, Mitchell, 2000]
  – Model-checker Murphi
  – invariant checking
• [Chadha, Kanovich, Scedrov, 2001]
  – Specification in MSR
  – inductive proofs
• [Kremer, Raskin, 2002]
  – Model-checker Mocha
  – ATL (temporal logic with game semantics)
• [Chadha, Mitchell, Scedrov, Shmatikov 2003]
  – general results (protocol independent) on advantage
⇒ Only 2-party contract signing protocols have been studied

Topologies
• Unlike for 2-party protocols, the different instances of fair exchange protocols differ significantly in the multi-party case
[Figure: three topologies over participants 1, 2, 3, ..., n. 1-to-many: non-repudiation and certified e-mail. Ring topology: barter. Full graph: contract signing.]
• Contract signing requires the most complicated protocols

Multi-party contract signing
• n participants want to sign a contract
• Properties for an honest participant must hold against any coalition of dishonest participants, i.e., against up to n-1 dishonest participants
• Every participant must receive the signature of all other participants (topology is a full graph)

Multi-party protocols
• Astonishingly few so far
• [Asokan, Baum-Waidner, Schunter, Waidner, T.R. 1998]
  Optimistic synchronous multi-party contract signing
• [Baum-Waidner, Waidner, T.R. 1998 & ICALP 2000]
  Optimistic asynchronous multi-party contract signing
• [Garay, MacKenzie, DISC 1999]
  Optimistic asynchronous multi-party contract signing
• [Baum-Waidner, Waidner, ICALP 2001]
  Optimistic asynchronous multi-party contract signing with reduced number of rounds

Protocol model
• All participants are players
• 2 versions of each player described using guarded commands
  – honest: follow the protocol
  – dishonest: may send messages out of order and continue the main protocol after contacting the trusted party
• Messages are immediately available for reading
• Only structural flaws are considered
  – no modelling of the cryptographic primitives
• Mocha cannot handle parametric specifications
  – Small C++ programs for the GM protocol and the BW protocol, that generate the Mocha specification for a given number of participants

The model-checker Mocha
[Diagram labels: C++ program; guarded commands describing the protocol; ATL formula; Mocha; ATS; Mocha model-checking; YES / NO]

The BW protocol [Baum, Waidner, ICALP 2000]
• Rather simple protocol, with symmetric behaviour of each participant
• T can overturn aborts
• We used Mocha to verify fairness for n=2,…,5, but no flaw was found
• The basic protocol does not aim to provide abuse-freeness
• Non-standard definition of contract
  – a special protocol for verifying the validity of a contract is defined

GM protocol [Garay, MacKenzie, DISC 1999]
• Recursive description of the protocol
• The protocol is divided into n levels
  – In each protocol level specific promises are used
  – Promises are implemented using private contract signatures (convertible designated verifier signatures)
• The i-level protocol is triggered when P_i receives i-level promises from P_{i+1} through P_n
• In i-level protocol participants P_i through P_1 exchange i-level promises
  – They agree on the contract with promises (not signatures)
• P_i through P_1 close higher level protocols
• After the n-level protocol actual signatures are exchanged

GM main protocol for P_i
[Diagram over P_i, P_{i-1}, ..., P_1 with the steps: Distribute 1-level promises; (i-1) level protocol; Collect (i-1) level promises; Exchange i-level promises.]

GM main prot. (4 participants)
[Message sequence diagram over P4, P3, P2, P1. Arrow labels: 1-level promise. Timeout branches: otherwise stop.]

GM main prot. (4 participants)
[Message sequence diagram over P4, P3, P2, P1. Arrow labels: 1-level promise, 2-level promise. Timeout branches: otherwise abort, otherwise recover.]

GM main prot. (4 participants)
[Message sequence diagram over P4, P3, P2, P1. Arrow labels: 3-level promise. Timeout branches: otherwise recover.]

GM main prot. (4 participants)
[Message sequence diagram over P4, P3, P2, P1. Arrow labels: 4-level promise. Timeout branches: otherwise recover.]

GM main prot. (4 participants)
[Message sequence diagram over P4, P3, P2, P1. Arrow labels: Signature. Timeout branches: otherwise recover.]

GM abort and resolve for P_i
• To abort, P_i sends to T
    $S_{P_i}(m, P_i, (P_1, \ldots, P_n), \mathit{abort})$
• To resolve, P_i sends to T
    $S_{P_i}(\{PCS_{P_j}((m,k_j), P_i, T)\}_{j \in \{1 \ldots n\} \setminus \{i\}}, S_{P_i}(m,1))$
  where
  – if j>i, k_j is the maximum level of a promise received from P_j on m
  – if j<i, k_j is the maximum level of promises received from each of the participants P_j', with j'<i

GM protocol for T
• Each participant may contact T only once
• T replies with a resolved contract or an abort token
• T may overturn an abort, but never a resolve
• T maintains the following information for each contract to decide when to overturn an abort
  – validated: a boolean indicating whether the contract has been validated or not
  – S: the set of indices of parties that have aborted
  – F: set of indices of parties which help T to decide when to overturn an abort

An attack on abuse-freeness
• Note that P_1 cannot abort
• Abort responses include the participants that have aborted
• If P_1 receives an abort from T he must have sent a resolve request
• Use T as an oracle:
  – When T receives a resolve request T verifies all promises and, by answering to P_1, provides evidence that all participants have started the protocol