
Advantage and abuse-freeness in contract-signing protocols


Presentation Transcript


  1. Advantage and abuse-freeness in contract-signing protocols
  Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov
  To appear in CONCUR 2003

  2. Contract-signing protocols
  • Two parties want to exchange signatures on pre-agreed texts over the internet
  • Signers are adversarial
    • Both signers want to exchange signatures
    • Neither wants to sign first
  • Fairness: each signer gets the other's signature or neither does
  • Timeliness: no signer gets stuck
  • Abuse-freeness: no party can prove to an outside party that it can control the outcome

  3. Optimism
  • Two categories of contract-signing protocols:
    • Gradual release protocols
    • Fixed-round protocols
  • Fairness requires a third party, T (Even 81, FLP)
  • Trivial protocol: send signatures to T, which then completes the exchange
  • Optimistic 3-party protocols
    • T contacted only for error recovery
    • Avoids communication bottlenecks
  • Optimistic signer: prefers not to go to T

  4. General protocol outline
  [Diagram: message flow between B and C: "Willing to sell stock at this price"; "OK, willing to buy stock at this price"; "Here is my signature"; "Here is my signature"]
  • Trusted third party can force or abort the exchange
  • Third party can declare the exchange binding if presented with the first two messages

  5. Optimism and advantage
  • Once the customer commits to the purchase, he cannot use the committed funds for other purposes
  • The customer is likely to wait for some time for the broker to respond: contacting T to force the exchange is costly and can cause delays
  • Since the broker can abort the exchange, this waiting period may give the broker a way to profit: see if shares are available at a lower price
  • The longer the customer is willing to wait, the greater the chance the broker has to pair trades at a profit
  • The broker has an advantage: she can control the outcome of the protocol

  6. Related work
  • Need for a trusted third party: Even 81
  • Mitchell and Shmatikov (Financial Crypto 2000) used Murφ, a finite-state model checker, to analyze two signature-exchange protocols
    • Asokan-Shoup-Waidner (IEEE Symposium on Security and Privacy, 98)
    • Garay-Jakobsson-MacKenzie protocol (GJM) (Crypto 1999)
  • Chadha, Kanovich and Scedrov used MSR to analyze the GJM protocol
    • Proved fairness
    • Defined and proved balance for honest participants
  • Kremer and Raskin used model checkers to study a version of abuse-freeness (CSFW 2002)

  7. Fairness, optimism, and timeliness

  8. Model and fairness
  • We consider only single runs of the protocol
  • Call the two participants P and Q
  • Definitions lead to game-theoretic notions
    • If P follows a strategy, then Q cannot achieve a win over P
    • Or, P follows a strategy from some class …
  • A strategy of P is Q-silent if it succeeds whenever Q does nothing
  • Need timeouts in the model to capture "waiting"
    • The signers use timeouts to decide when to contact T
  • Fairness for P: if Q has P's contract, then P has a strategy to get Q's contract

  9. Timeliness
  • A protocol is timely for P if, for all reachable states S, P has a (Q-silent) strategy to drive the protocol to a state S' such that either P gets Q's signature or Q cannot obtain P's signature by talking to T
  • A protocol is timely if it is timely for both signers

  10. Optimism
  • A protocol is optimistic for Q if, assuming P controls the timeouts of both Q and P, an honest Q has a strategy to get honest P's contract without any messages to/from T
    • The signers use timeouts to decide when to contact T
    • If P is willing to wait "long enough" for Q, then Q may exchange signatures with P without T getting involved
  • A protocol is optimistic if it is optimistic for both signers

  11. Optimistic participant
  • A participant P is honest if it follows the protocol
  • Honest P is said to be optimistic if, whenever P can choose between
    • waiting for a message from Q, and
    • contacting T for any purpose,
    P waits and allows Q to move next
  • Modeled by giving the control of timeouts to Q

  12. Advantage
  • Q is said to have the power to abort against an optimistic P in state S if Q has a strategy to prevent P from getting Q's signature
  • Q is said to have the power to resolve against an optimistic P in state S if Q has a strategy to get P's signature
  • Q has advantage against an optimistic P if Q has both the power to abort and the power to resolve

  13. Hierarchy
  • Advantage against honest P (H-adv) implies advantage against optimistic P (O-adv)

  14. Exchange subprotocol in GJM
  [Diagram: four messages between O and R: "I am willing to sign"; "I am willing to sign"; "Here is my signature"; "Here is my signature". Annotations along the flow: may quit; may abort; may resolve; may resolve]

  15. Advantage flow in GJM
  [Diagram: the same four messages between O and R as on slide 14, with two points along the flow marked O-adv]

  16. Impossibility theorems
  • GJM is balanced for honest participants: no participant has an advantage
  • In any optimistic and fair protocol, some potentially dishonest participant has an advantage over its optimistic counterparty
  • In any optimistic, fair, and timely protocol, any potentially dishonest participant has an advantage at some non-initial point over its optimistic counterparty

  17. Abuse-freeness

  18. No evidence of advantage
  • If Q can provide evidence of P's participation to an outside observer X, then Q does not have advantage against an optimistic P
  • The protocol is then said to be abuse-free
  • Evidence: what does X know?
    • X knows a fact in state S if the fact is true in any state consistent with X's observations in S

  19. Advantage flow in GJM
  [Diagram: repeat of slide 15, the four messages between O and R with two points marked O-adv]

  20. Exchange subprotocol in Boyd-Foo
  [Diagram: three messages between O and R: "I am willing to sign"; "Here is my signature"; "Here is my signature". Annotations: may resolve; R may request T to enforce the exchange]

  21. Advantage flow in BF
  [Diagram: the three messages between O and R as on slide 20, with one point along the flow marked H-adv]

  22. A non abuse-free protocol
  [Diagram: O and R each send "My signature" to T; T asks "Release sigs?", receives "Yes", and sends R's signature to O and O's signature to R]
  • O can present the message from T to C as proof of R's participation

  23. Relationship between various properties
  [Diagram relating the properties: secure for optimistic signer; secure for honest signer; abuse-free; fair]

  24. Weak abuse-freeness
  • The only proof of participation of P is P's contract
  • A protocol is weakly abuse-free for P if in any reachable state S where Q has received P's contract, Q does not have advantage over P
  • If a protocol is fair for P, then it is weakly abuse-free for P

  25. Conclusions
  • A model to study contract-signing protocols
    • Uses the multiset rewriting framework
    • Uses timers to reflect natural bias
  • Formal definitions of fairness and effectiveness given
  • Natural bias: optimistic signers defined
  • Game-theoretic definitions of advantage and balance given
  • Advantage flows in GJM and BF
    • Show that the addition of the third party does not guarantee balance
  • Epistemic logic used to formalize abuse-freeness

  26. Further work
  • Multiparty signature exchange protocols to be investigated
  • Other properties, like trusted-third-party accountability, to be investigated
  • Use of automated theorem provers based on rewriting techniques
    • Maude, developed by Denker, Lincoln, Meseguer, Eker, Clavel, etc.
  • Explore solutions other than abuse-freeness to address lack of balance
  • Estimate the cost of asymmetry

  27. Interested participant
  • Honest P is said to be interested if, whenever P can choose between
    • waiting for a message from Q, and
    • quitting or contacting T to abort,
    P waits and allows Q to move next
  • Modeled by giving the control of abort timeouts to Q

  28. Hierarchy
  • Advantage against honest A (H-adv) implies advantage against interested A (I-adv), which implies advantage against optimistic A (O-adv)
