Advantage and abuse-freeness in contract-signing protocols
Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov
To appear in CONCUR 2003
Contract-signing protocols
Two parties want to exchange signatures on pre-agreed texts over the internet
Signers adversarial Both signers want to exchange signatures Neither wants to sign first Fairness
• Each signer gets the other’s signature or neither does Timeliness:
• No signer gets stuck Abuse-freeness:
• No party can prove to an outside party that it can control the outcome
Optimism
Two categories of contract-signing protocols:• Gradual release protocols• Fixed-round protocols
Fairness requires a third party, T • Even 81, FLP
Trivial protocol• Send signatures to T which then completes the exchange
Optimistic 3-party protocols• T contacted only for error recovery• Avoids communication bottlenecks
Optimistic signer• Prefers not to go to T
General protocol outline
Trusted third party can force or abort the exchnage• Third party can declare exchange binding if presented with first two messages.
B C
Willing to sell stock at this price
OK, willing to buy stock at this price
Here is my signature
Here is my signature
Optimism and advantage
Once customer commits to the purchase, he cannot use the committed funds for other purposes
Customer likely to wait for some time for broker to respond: contacting T to force the exchange is costly and can cause delays
Since broker can abort the exchange, this waiting period may give broker a way to profit: see if shares are available at a lower price
The longer the customer is willing to wait, the greater chance the broker has to pair trades at a profit
Broker has an advantage: she can control the outcome of the protocol
Related work
Need for trusted third party• Even 81
Mitchell and Shmatikov (Financial Crypto 2000) used Mur, a finite-state model checker, to analyze two signature-exchange protocols• Asokan-Shoup-Waidner (IEEE Symposium on Security and
Privacy, 98)• Garay-Jakobsson-Mackenzie Protocol(GJM) (Crypto 1999)
Chadha, Kanovich and Scedrov used MSR to analyze GJM protocol • Proved fairness• Defined and proved balance for honest participants
Kremer and Raskin used model-checkers to study a version of abuse-freeness (CSFW 2002)
Fairness, optimism, and timeliness
Model and fairness
We consider only single runs of the protocol Call the two participants P and Q Definitions lead to game-theoretic notions
• If P follows strategy, then Q cannot achieve win over P• Or, P follows strategy from some class …
A strategy of P is Q-silent if it succeeds whenever Q does nothing
Need timeouts in the model “waiting”• The signers use timeouts to decide when to contact T
Fairness for P• If Q has P’s contract, then P has a strategy to get Q’s
contract
Timeliness
A protocol is timely for P if• For all reachable states, S, P has a (Q -silent)
strategy to drive the protocol to a state S’ such that
either P gets Q’s signatureor Q cannot obtain P’s signature by talking to T
• Protocol is timely if it is timely for both signers
Optimism
Protocol is optimistic for Q if, assuming P controls the timeouts of both Q and P, then and honest Q has a strategy to get honest P’s contract without any messages to/from T• The signers use timeouts to decide when to contact T
• If P is willing to wait “long enough” for Q, then Q may exchange signatures with P without T getting involved
Protocol is optimistic if it is optimistic for both signers
Optimistic participant
A participant P is honest if it follows the protocol
Honest P is said to be optimistic if• Whenever P can choose between
– waiting for a message from Q– contacting T for any purpose
P waits and allows Q to move next• Modeled by giving the control of timeouts to Q
Advantage
Q is said to have the power to abort against an optimistic P in S• if Q has a strategy to prevent P from getting
Q’s signature Q is said to have the power to resolve
against an optimistic P in S• if Q has a strategy to get P’s signature
Q has advantage against an optimistic P if Q has both the power to abort and the power to resolve
Hierarchy
Advantage against honest P H-adv
Advantage against optimistic P O-adv
Exchange subprotocol in GJM
O R
I am willing to sign
I am willing to sign
Here is my signature
Here is my signaturemay resolve
may abort
may quit
may resolve
Advantage flow in GJM
O R
I am willing to sign
I am willing to sign
Here is my signature
Here is my signature
O-adv
O-adv
Impossibility theorems
GJM is balanced for honest participants• No participant has an advantage
In any optimistic and fair protocol• Some potentially dishonest participant has an
advantage over its optimistic counterparty
In any optimistic, fair, and timely protocol• Any potentially dishonest participant has an
advantage at some non-initial point over its optimistic counterparty
Abuse-freeness
No evidence of advantage
If • Q can provide evidence of P’s participation to
an outside observer X,
then • Q does not have advantage against an
optimistic P • The protocol is said to be abuse-free
Evidence: what does X know X knows fact in state
• is true in any state consistent with X’s observations in
Advantage flow in GJM
O R
I am willing to sign
I am willing to sign
Here is my signature
Here is my signature
O-adv
O-adv
Exchange subprotocol in Boyd-Foo
O R
I am willing to sign
may resolve
Here is my signature
Here is my signature
R may request T to enforce the exchange
Advantage flow in BF
O R
I am willing to sign
Here is my signature
Here is my signature
H-adv
A non abuse-free protocol
O T R
My signature
My signature
Release sigs?
Yes
R’s signature O’s signature
O can present message from T to C as proof of R’s participation
Relationship between various properties
Fair
Abuse-FreeSecure for
honest signer
Secure for optimistic signer
Weak abuse-freeness
The only proof of participation of P is P’s contract
A protocol is weakly abuse-free for P if in any reachable state S where Q has received P’s contract, Q does not have advantage over P
If a protocol is fair for P , then it is weakly abuse-free for P
Conclusions
A model to study contract signing protocols• Use multiset rewriting framework • Used timers to reflect natural bias• Formal definitions of fairness and effectiveness given• Natural bias: optimistic signers defined• Give game-theoretic definitions of advantage and balance• Advantage flows in GJM and BF
Show that the addition of the third party does not guarantee balance
Use epistemic logic to formalize abuse-freeness
Further work
Multiparty signature exchange protocols to be investigated
Other properties like trusted-third party accountability to be investigated
Use of automated theorem provers based on rewriting techniques• Maude developed by Denker, Lincoln, Meseguer, Eker,
Clavel, etc.
Explore solutions other than abuse-freeness to address lack of balance• Estimate cost of asymmetry
Interested participant
Honest P is said to be interested if• Whenever P can choose between
– waiting for a message from Q – quitting or contacting T to abort
P waits and allows Q to move next
Modeled by giving the control of abort timeouts to Q
Hierarchy
Advantage against honest A H-adv
Advantage against interested A I-adv
Advantage against optimistic A O-adv
Top Related