Analysis of optimistic multi-party contract signing Rohit Chadha 1,2 - - PowerPoint PPT Presentation

analysis of optimistic multi party contract signing
SMART_READER_LITE
LIVE PREVIEW

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2 - - PowerPoint PPT Presentation

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2 , Steve Kremer 3 , Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex 3 Universit Libre de Bruxelles Digital Contract signing Use dig ita l sig na ture s


slide-1
SLIDE 1

Analysis of optimistic multi-party contract signing

Rohit Chadha1,2, Steve Kremer3, Andre Scedrov1

1University of Pennsylvania 2University of Sussex 3Université Libre de Bruxelles

slide-2
SLIDE 2

Digital Contract signing

Use dig ita l sig na ture s to sig n a c o ntra c t o ve r a

ne two rk

Spe c ia l insta nc e o f fa ir e xc ha ng e pro to c o ls I

mpo rta nt issue fo r se c ure e le c tro nic c o mme rc e

Na ive 2-pa rty e xa mple :

A → B : SigA (contract) B → A : SigB (contract)

slide-3
SLIDE 3

Digital Contract signing

Use dig ita l sig na ture s to sig n a c o ntra c t o ve r a

ne two rk

Spe c ia l insta nc e o f fa ir e xc ha ng e pro to c o ls I

mpo rta nt issue fo r se c ure e le c tro nic c o mme rc e

Na ive 2-pa rty e xa mple :

A → B : SigA (contract) B → A :

Bo b ma y b e ma lic io us a nd no t se nd his sig na ture Asymme try : so me o ne must b e the first to se nd

his sig na ture

slide-4
SLIDE 4

Properties of Contract Signing

F

a irne ss

– I f A c a n g e t B’ s sig na ture , the n B c a n g e t A’ s sig na ture a nd vic e -ve rsa T

ime line ss

– Avo ids tha t a pa rtic ipa nt g e ts stuc k Ad va nta g e – A pa rtic ipa nt ha s a n a dva nta g e if

  • he ha s a stra te g y to c o mple te the e xc ha ng e
  • a nd he ha s a stra te g y to a b o rt the e xc ha ng e

Abuse -fre e ne ss (pro va b le a dva nta g e ) – Avo ids tha t a pa rtic ipa nt c a n pro ve to a n e xte rna l pa rty tha t he ha s the po we r to c ho o se the o utc o me o f the pro to c o l

slide-5
SLIDE 5

Evolution of contract signing

Ra ndo mize d pro to c o ls T

ruste d Pa rty inte rve ne s

  • Use truste d pa rty a s a de live ry a utho rity
  • Ma y c a use a b o ttle ne c k …

T

ruste d Pa rty inte rve ne s o nly in c a se o f pro b le m (o ptimistic a ppro a c h)

  • Mo re c o mple x, a nd mo re e rro r
  • pro ne …

I n 1980, E ve n & Ya c o b i sho we d tha t no fa ir de te rministic c o ntra c t sig ning pro to c o l e xists witho ut the pa rtic ipa tio n o f a truste d pa rty.

slide-6
SLIDE 6

Formal methods & contract signing

[Shmatikov, Mitchell, 2000] – Mo de l-c he c ke r Murphi – inva ria nt c he c king [Chadha, Kanovich, Scedrov, 2001] – Spe c ific a tio n in MSR – induc tive pro o fs [Kremer, Raskin, 2002] – Mo de l-c he c ke r Mo c ha – AT L (te mpo ra l lo g ic with g a me se ma ntic s) [Chadha, Mitchell, Scedrov, Shmatikov 2003] – g e ne ra l re sults (pro to c o l inde pe nde nt) o n a dva nta g e

⇒ Only 2-pa rty c o ntra c t sig ning pro to c o ls ha ve b e e n studie d

slide-7
SLIDE 7

Topologies

Unlike fo r 2-pa rty pro to c o ls, the diffe re nt insta nc e s o f fa ir

e xc ha ng e pro to c o ls diffe r sig nific a ntly in the multi-pa rty c ase

1-to -ma ny no n-re pud ia tio n a nd c e rtifie d e -ma il ring to po lo g y b a rte r full g ra ph c o ntra c t sig ning

1 n 3 2 ... 1 n 3 2 ... 1 n 3 2 ...

Co ntra c t sig ning re q uire s the mo st c o mplic a te d pro to c o ls

slide-8
SLIDE 8

Multi-party contract signing

n pa rtic ipa nts wa nt to sig n a c o ntra c t Pro pe rtie s fo r a ho ne st pa rtic ipa nt must

ho ld a g a inst a ny c o a litio n o f d isho ne st pa rtic ipa nts, i.e ., a g a inst up to n-1 disho ne st pa rtic ipa nts

E

ve ry pa rtic ipa nt must re c e ive the sig na ture o f a ll o the r pa rtic ipa nts (to p o lo g y is a full g ra ph)

slide-9
SLIDE 9

Multi-party protocols

Asto nishing ly fe w so fa r [Asokan, Baum-Waidner, Schunter, Waidner, T.R. 1998] Optimistic sync hro no us multi-pa rty c o ntra c t sig ning [Baum-Waidner, Waidner, T.R. 1998 & ICALP 2000] Optimistic a sync hro no us multi-pa rty c o ntra c t sig ning [Garay, MacKenzie, DISC 1999] Optimistic a sync hro no us multi-pa rty c o ntra c t sig ning [Baum-Waidner, Waidner, ICALP 2001] Optimistic a sync hro no us multi-pa rty c o ntra c t sig ning with re duc e d numb e r o f ro unds

slide-10
SLIDE 10

Protocol model

All pa rtic ipa nts a re pla ye rs 2 ve rsio ns o f e a c h pla ye r de sc rib e d using

g ua rde d c o mma nds

– ho ne st : fo llo w the pro to c o l – disho ne st : ma y se nd me ssa g e s o ut o f o rde r a nd c o ntinue the ma in pro to c o l a fte r c o nta c ting the truste d pa rty Me ssa g e s a re imme dia te ly a va ila b le fo r re a ding Only struc tura l fla ws a re c o nside re d – no mo de lling o f the c rypto g ra phic primitive s Mo c ha c a nno t ha ndle pa ra me tric spe c ific a tio ns – Sma ll C++ pro g ra ms fo r the GM pro to c o l a nd the BW pro to c o l, tha t g e ne ra te the Mo c ha spe c ific a tio n fo r a g ive n numb e r o f pa rtic ipa nts

slide-11
SLIDE 11

The model-checker Mocha

Gua rde d c omma nds de sc r ibing the pr

  • toc ol

AT L fo rmula

Moc ha Moc ha

AT S Mo d e l-Che c king

YES NO

C++ pro g ra m

slide-12
SLIDE 12

The BW protocol [Baum, Waidner, ICALP 2000]

Ra the r simple pro to c o l, with symme tric

b e ha vio ur o f e a c h p a rtic ip a nt

T

c a n o ve rturn a b o rts

We use d Mo c ha to ve rify fa irne ss fo r

n=2,…,5, b ut no fla w wa s fo und

T

he b a sic pro to c o l d o e s no t a im to pro vide a b use -fre e ne ss

No n-sta nd a rd d e finitio n o f c o ntra c t

– a spe c ia l pro to c o l fo r ve rifying the va lidity o f a c o ntra c t is de fine d

slide-13
SLIDE 13

GM protocol [Garay, MacKenzie, DISC 1999]

Re c ursive de sc riptio n o f the pro to c o l T

he pro to c o l is divide d into n le ve ls

– I n e a c h pro to c o l le ve l spe c ific pro mise s a re use d – Pro mise s a re imple me nte d using priva te c o ntra c t sig na ture s (c o nve rtib le de sig na te d ve rifie r sig na ture s) T

he i-le ve l pro to c o l is trig g e re d whe n Pi re c e ive s i-le ve l pro mise s fro m Pi

+1 thro ug h Pn

I

n i-le ve l pro to c o l pa rtic ipa nts Pi thro ug h P1 e xc ha ng e i-le ve l pro mise s

– T he y a g re e o n the c o ntra c t with pro mise s (no t sig na ture s) Pi thro ug h P1 c lo se hig he r le ve l pro to c o ls Afte r the n-le ve l pro to c o l a c tua l sig na ture s a re

e xc ha ng e d

slide-14
SLIDE 14

GM main protocol for Pi

Pi Pi

  • 1

... P1

Distrib ute 1-le ve l pro mise s (i-1) le ve l pro to c o l Co lle c t (i-1) le ve l pro mise s E xc ha ng e i-le ve l p ro mise s

slide-15
SLIDE 15

GM main prot. (4 participants)

P4 P3 P2 P1

  • the r

wise stop

  • the r

wise stop

  • the rwise

stop 1-le ve l promise 1-le ve l promise 1-le ve l promise 1-le ve l promise 1-le ve l promise 1-le ve l promise

slide-16
SLIDE 16

GM main prot. (4 participants)

P4 P3 P2 P1

  • the r

wise a bort

1-le ve l promise 2-le ve l promise 2-le ve l promise 2-le ve l promise 2-le ve l promise

  • the r

wise r e c ove r

  • the r

wise r e c ove r

  • the r

wise r e c ove r

slide-17
SLIDE 17

GM main prot. (4 participants)

P4 P3 P2 P1

3-le ve l promise

  • the r

wise r e c ove r

  • the r

wise r e c ove r

3-le ve l promise 3-le ve l promise

  • the r

wise r e c ove r

3-le ve l promise

  • the r

wise r e c ove r

  • the r

wise r e c ove r

3-le ve l promise 3-le ve l promise 3-le ve l promise 3-le ve l promise 3-le ve l promise

slide-18
SLIDE 18

GM main prot. (4 participants)

P4 P3 P2 P1

  • the r

wise r e c ove r

  • the r

wise r e c ove r

4-le ve l promise 4-le ve l promise 4-le ve l promise 4-le ve l promise 4-le ve l promise 4-le ve l promise othe r

wise r e c ove r

  • the r

wise r e c ove r

4-le ve l promise 4-le ve l promise 4-le ve l promise

  • the r

wise r e c ove r

4-le ve l promise 4-le ve l promise 4-le ve l promise

  • the r

wise r e c ove r

slide-19
SLIDE 19

GM main prot. (4 participants)

P4 P3 P2 P1

  • the r

wise r e c ove r

  • the r

wise r e c ove r

Sig na ture Sig na ture Sig na ture

  • the r

wise r e c ove r

  • the r

wise r e c ove r

  • the r

wise r e c ove r

Sig na ture Sig na ture Sig na ture

  • the r

wise r e c ove r

Sig na ture Sig na ture Sig na ture Sig na ture Sig na ture Sig na ture

slide-20
SLIDE 20

GM abort and resolve for Pi

T

  • a b o rt, Pi se nd s to T

S

Pi(m,Pi,(P1, ... ,Pn), a b o rt)

T

  • re so lve , Pi se nd s to T

S

Pi ({PCS Pj(m,kj), Pi, T

} (j ∈ {1... n}\{i}),S

Pi(m,1)

whe re – if j>i, kj is the ma ximum le ve l o f a pro mise re c e ive d fro m Pj o n m – if j<i, kj is the ma ximum le ve l o f pro mise s re c e ive d fro m e a c h o f the pa rtic ipa nts Pj' , with j'< i

slide-21
SLIDE 21

GM protocol for T

E

a c h pa rtic ipa nt ma y c o nta c t T

  • nly o nc e

T

re plie s with a re so lve d c o ntra c t o r a n a b o rt to ke n

T

ma y o ve rturn a n a b o rt, b ut ne ve r a re so lve

T

ma inta ins the fo llo wing info rma tio n fo r e a c h c o ntra c t to de c ide whe n to o ve rturn a n a b o rt

– va lida te d: a b o o le a n indic a ting whe the r the c o ntra c t ha s b e e n va lida te d o r no t – S: the se t o f indic e s o f pa rtie s that ha ve a b o rte d – F : se t o f indic e s o f pa rtie swhic h he lp T to de c ide whe n to o ve rturn a n a b o rt

slide-22
SLIDE 22

An attack on abuse-freeness

No te tha t P1 c a nno t a b o rt Ab o rt re spo nse s inc lud e the pa rtic ipa nts

tha t ha ve a b o rte d

I

f P1 re c e ive s a n a b o rt fro m T he must ha ve se nd a re so lve re q ue st

Use T

a s a n o ra c le :

– Whe n T re c e ive s a re so lve re q ue st T ve rifie s a ll pro mise s a nd, b y a nswe ring to P1, pro vide s e vide nc e tha t a ll pa rtic ipa nts ha ve sta rte d the pro to c o l

slide-23
SLIDE 23

An attack on abuse-freeness (2)

Co nsid e r the pro to c o l insta nc e whe re

n=3

Using Mo c ha , we sho w tha t a b use -

fre e ne ss d o e s no t ho ld fo r a ho ne st P3

P1 and P2 have a strate g y to re ac h a state whe re

– P1 has an ab o rt re ply and – P1 and P2 have a strate g y to o b tain P3’s sig nature – ho ne st P3 do e s no t have a strate g y to o b tain P1’s and P2’s sig nature

slide-24
SLIDE 24

An attack on abuse-freeness (3)

At the b e g inning P2 a b o rts P1 trie s to re so lve , b ut g e ts a n a b o rt re ply

fro m T , whic h he c a n sho w to Cha rlie

At tha t po int P1 a nd P2 c a n c ho o se the

  • utc o me

– sto p the pro to c o l : P3 is no t a b le to o ve rturn the a b o rt – c o mple te the pro to c o l in a n o ptimistic wa y

E

a sy fix: ma ke a b o rt re plie s to d iffe re nt pa rtic ipa nts ind isting uisha b le

slide-25
SLIDE 25

An attack on fairness

T

he first a tta c k wa s disc o ve re d whe n no tic ing a n e rro r in the pro o f

Co nside r the pro to c o l insta nc e whe re n=4 Using Mo c ha , we sho w tha t fa irne ss do e s no t

ho ld fo r a ho ne st P2 T he re e xists a path suc h that

– P1, P3 and P4 have P2’s sig nature – the re e xists a path suc h that P2 do e s no t o b tain all

  • the r sig nature s

Simila r a tta c ks c a n b e sho wn a g a inst P1 a nd P3 Using Mo c ha we did no t disc o ve r a ny a tta c k o n

fa irne ss ho lds fo r n=3

slide-26
SLIDE 26

An attack on fairness (2)

P1, P3 a nd P4 c o llud e a g a inst P2 P3 a b o rts a t the b e g inning

– T a dds P3 to S

P1 re so lve s, b ut T

re spo nd s with a n a b o rt

– T a dds P1 to S a nd P2 to F

P2 trie s to re c o ve r, b ut a s P2 is in F

, T re spo nd s with a n a b o rt

P4 re so lve s a nd T

  • ve rturns the a b o rt
slide-27
SLIDE 27

An attack on fairness (3)

Mo re g e ne ra lly the a tta c k sc e na rio s a re a s

fo llo ws – disho ne st Pk1 a b o rts b ut c o ntinue s the pro to c o l – disho ne st Pk2 trie s to re c o ve r b ut do e s no t suc c e e d

  • a s a side-e ffe c t he a dds o ne o r se ve ra l pa rtic ipa nts

to the se t F

– ho ne st Pk3 trie s to re c o ve r b ut do e s no t suc c e e d – disho ne st Pk4 re c o ve rs a nd o ve rturns the a b o rt

slide-28
SLIDE 28

Conclusion

F

irst fo rma l a na lysis o f multi-pa rty c o ntra c t sig ning p ro to c o ls

Using the mo de l-c he c ke r Mo c ha a nd the

lo g ic AT L insta nc e s o f two pro to c o ls ha ve b e e n ve rifie d

T

wo ne w a tta c ks ha ve b e e n d isc o ve re d in the GM pro to c o l

– Abuse -fre e ne ss c a n b e b ro ke n using side info rma tio n g ive n b y T : e a sy to fix – F a irne ss c a n b e b ro ke n whe n n > 3: re q uire s ma jo r c ha ng e s to b e fixe d

slide-29
SLIDE 29

Future work

E

xte nd stra nd spa c e fo rma lism to mo de l fa ir e xc ha ng e pro to c o ls

– de rive Mo c ha spe c ific a tio ns dire c tly fro m stra nds – c o rre c tne ss pro o fs whe n no a tta c k is fo und E

xte nd the a na lysis to a mo re c o mple te mo de l

– Do le v-Yao -like intrude r – Pa ra me tric ve rific a tio n Study diffe re nt to po lo g ie s, e .g . ring to po lo g ie s in

fa ir e xc ha ng e

Mo de l o ptimistic pla ye rs in multi-pa rty pro to c o ls E

xte nd g e ne ra l re sults o n a dva nta g e , pre se nte d in [Chadha, Mitchell, Scedrov, Shmatikov 2003] to multi- pa rty pro to c o ls

slide-30
SLIDE 30

GM main prot. (4 participants)

P4 P3 P2 P1

1- le ve l pr

  • mise

1- le ve l pr

  • mise

3- le ve l pr

  • mise

1- le ve l pr

  • mise

2- le ve l pr

  • mise

2- le ve l pr

  • mise

2- le ve l pr

  • mise

3- le ve l pr

  • mise

3- le ve l pr

  • mise

3- le ve l pr

  • mise

3- le ve l pr

  • mise

4- le ve l pr

  • mise

4- le ve l pr

  • mise

4- le ve l pr

  • mise

4- le ve l pr

  • mise

4- le ve l pr

  • mise

Signatur e Signatur e Signatur e

slide-31
SLIDE 31

GM main protocol for Pi (detailed)

Pi

1-le ve l p ro mise fro m j (n ≤ j < i) Othe rwise , sto p 1-le ve l pro mise to j (i < j ≤ 1)

a g re e me nt o f Pi...P1

i

  • 1-le ve l pro mise to j (i < j ≤ 1)

i

  • le ve l pro mise to j (i < j ≤ 1)

i

  • le ve l pro mise fro m j (i < j ≤ 1)

i

  • le ve l pro mise to i+1

Othe rwise , a b o rt Othe rwise , re so lve i

  • le ve l p ro mise fro m i+1

Othe rwise , re so lve i+1-le ve l pro mise to j (i < j ≤ 1) i+1-le ve l pro mise fro m j (i < j ≤ 1) Othe rwise , re so lve i+1-le ve l pro mise to j (i < j ≤ i+2) i+2-le ve l p ro mise fro m j (i+2 ≤ j < i) Othe rwise , re so lve

...

Othe rwise , re so lve n+1-le ve l p ro mise fro m j (n ≤ j < i) a nd sig na ture s n+1-le ve l pro mise to j ( j ≠ i) a nd sig na ture s