Presentation is loading. Please wait.

Presentation is loading. Please wait.

Probabilistic Contract Signing CS 395T. Probabilistic Fair Exchange uTwo parties exchange items of value Signed commitments (contract signing) Signed.

Published byLeonard Watson Modified over 8 years ago

Similar presentations

Presentation on theme: "Probabilistic Contract Signing CS 395T. Probabilistic Fair Exchange uTwo parties exchange items of value Signed commitments (contract signing) Signed."— Presentation transcript:

1 Probabilistic Contract Signing CS 395T

2 Probabilistic Fair Exchange uTwo parties exchange items of value Signed commitments (contract signing) Signed receipt for an email message (certified email) Digital cash for digital goods (e-commerce) uImportant if parties don’t trust each other Need assurance that if one does not get what it wants, the other doesn’t get what it wants either uFairness is hard to achieve Gradual release of verifiable commitments Convertible, verifiable signature commitments Probabilistic notions of fairness

3 Properties of Fair Exchange Protocols Fairness At each step, the parties have approximately equal probabilities of obtaining what they want Optimism If both parties are honest, then exchange succeeds without involving a judge or trusted third party Timeliness If something goes wrong, the honest party does not have to wait for a long time to find out whether exchange succeeded or not

4 Rabin’s Beacon uA “beacon” is a trusted party that publicly broadcasts a randomly chosen number between 1 and N every day Michael Rabin. “Transaction protection by beacons”. Journal of Computer and System Sciences, Dec 1983. Jan 27Jan 28Jan 29Jan 30Jan 31Feb 1 … 15 28 22 11 25

5 Contract CONTRACT(A, B, future date D, contract terms) Exchange of commitments must be concluded by this date

6 CONTRACT(A, B, future date D, contract terms) Rabin’s Contract Signing Protocol sig B ”I am committed if 1 is broadcast on day D” sig A ”I am committed if 1 is broadcast on day D” sig A ”I am committed if i is broadcast on day D” sig B ”I am committed if i is broadcast on day D” … sig A ”I am committed if N is broadcast on day D” sig B ”I am committed if N is broadcast on day D” 2N messages are exchanged if both parties are honest

7 Probabilistic Fairness uSuppose B stops after receiving A’s i th message B has sig A ”committed if 1 is broadcast”, sig A ”committed if 2 is broadcast”, … sig A ”committed if i is broadcast” A has sig B ”committed if 1 is broadcast”,... sig B ”committed if i-1 is broadcast” u… and beacon broadcasts number b on day D If b <i, then both A and B are committed If b >i, then neither A, nor B is committed If b =i, then only A is committed This happens only with probability 1/N

8 Properties of Rabin’s Protocol Fair The difference between A’s probability to obtain B’s commitment and B’s probability to obtain A’s commitment is at most 1/N –But communication overhead is 2N messages Not optimistic Need input from third party in every transaction –Same input for all transactions on a given day sent out as a one-way broadcast. Maybe this is not so bad! Not timely If one of the parties stops communicating, the other does not learn the outcome until day D

9 BGMR Probabilistic Contract Signing [Ben-Or, Goldreich, Micali, Rivest ’85-90] uDoesn’t need beacon input in every transaction uUses sig A ”I am committed with probability p A ” instead of sig A ”I am committed if i is broadcast on day D” uEach party decides how much to increase the probability at each step A receives sig B ”I am committed with probability p B ” from B Sets p A =min(1,p B   ) Sends sig A ”I am committed with probability p A ” to B … the algorithm for B is symmetric  is a parameter chosen by A

10 CONTRACT(A, B, future date D, contract terms) BGMR Message Flow sig B ”I am committed with probability “ 0.12 sig A ”I am committed with probability “ 0.100.20 sig A ”I am committed with probability “ sig B ”I am committed with probability “ 0.23 … sig A ”I am committed with probability “ 1.00 sig B ”I am committed with probability “ 1.00

11 Conflict Resolution sig A ”I am committed with probability “ pA 1 pA 2 sig A ”I am committed with probability “ ??? sig B ”I am committed with probability “ pB 1 sig B ”I am committed with probability “ pB 1 judge “Binding” or “Canceled” (same verdict for both parties) “Binding” or “Canceled” (same verdict for both parties) 01 Waits until date D If   pB 1, contract is binding, else contract is canceled

12 Judge uWaits until date D to decide uAnnounces verdict to both parties uTosses coin once for each contract uRemembers previous coin tosses Constant memory: use pseudo-random functions with a secret input to produce repeatable coin tosses for each contract uDoes not remember previous verdicts Same coin toss combined with different evidence (signed message with a different probability value) may result in a different verdict

13 Privilege and Fairness At any step where Prob(B is privileged) > v, Prob(A is not privileged | B is privileged) <  Intuition: at each step, the parties should have comparable probabilities of causing the judge to declare contract binding (privilege must be symmetric) Fairness A party is privileged if it has the evidence to cause the judge to declare contract binding Privilege Intuition: the contract binds either both parties, or neither; what matters is the ability to make the contract binding

14 Properties of BGMR Protocol Fair Privilege is almost symmetric at each step: if Prob(B is privileged) > p A 0, then Prob(A is not privileged | B is privileged) < 1-1/  Optimistic Two honest parties don’t need to invoke a judge Not timely Judge waits until day D to toss the coin What if the judge tosses the coin and announces the verdict as soon as he is invoked?

15 Formal Model uProtocol should ensure fairness given any possible behavior by a dishonest participant Contact judge although communication hasn’t stopped Contact judge more than once Delay messages from judge to honest participant uNeed nondeterminism To model dishonest participant’s choice of actions uNeed probability To model judge’s coin tosses uThe model is a Markov decision process

16 Constructing the Model uDiscretize probability space of coin tosses The coin takes any of N values with equal probability uFix each party’s “probability step” Rate of increases in the probability value contained in the party’s messages determines how many messages are exchanged uA state is unfair if privilege is asymmetric Difference in evidence, not difference in commitments uCompute probability of reaching an unfair state for different values of the parties’ probability steps Use PRISM Defines state space

17 Attack Strategy uDishonest B’s probability of driving the protocol to an unfair state is maximized by this strategy: 1.Contact judge as soon as first message from A arrives 2.Judge tries to send verdict to A (the verdict is probably negative, since A’s message contains a low probability value) 3.B delays judge’s verdicts sent to A 4.B contacts judge again with each new message from A until a positive verdict is obtained uThis strategy only works in the timely protocol In the original protocol, coin is not tossed and verdict is not announced until day D uConflict between optimism and timeliness

18 Analysis Results For a higher probability of winning, dishonest B must exchange more messages with honest A Probability of reaching a state where B is privileged and A is not Increase in B’s probability value at each step (lower increase means more messages must be exchanged)

19 Attacker’s Tradeoff uLinear tradeoff for dishonest B between probability of winning and ability to delay judge’s messages to A uWithout complete control of the communication network, B may settle for a lower probability of winning Expected number of messages before unfair state is reached Probability of reaching a state where B is privileged and A is not

20 Summary uProbabilistic contract signing is a good testbed for probabilistic model checking techniques Standard formal analysis techniques not applicable Combination of nondeterminism and probability Good for quantifying tradeoffs uProbabilistic contract signing is subtle Unfairness as asymmetric privilege Optimism cannot be combined with timeliness, at least not in the obvious way

Download ppt "Probabilistic Contract Signing CS 395T. Probabilistic Fair Exchange uTwo parties exchange items of value Signed commitments (contract signing) Signed."

Similar presentations

Contract-Signing Protocols John Mitchell Stanford TECS Week2005.

Contract-Signing Protocols John Mitchell Stanford TECS Week2005.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
1 CS 194: Elections, Exclusion and Transactions Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer.

1 CS 194: Elections, Exclusion and Transactions Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Probabilistic Contract Signing CS 259 Vitaly Shmatikov.

Probabilistic Contract Signing CS 259 Vitaly Shmatikov.
Probabilistic Model Checking CS 395T. Overview uCrowds redux uProbabilistic model checking PRISM model checker PCTL logic Analyzing Crowds with PRISM.

Probabilistic Model Checking CS 395T. Overview uCrowds redux uProbabilistic model checking PRISM model checker PCTL logic Analyzing Crowds with PRISM.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Non-blocking Atomic Commitment Aaron Kaminsky Presenting Chapter 6 of Distributed Systems, 2nd edition, 1993, ed. Mullender.

Non-blocking Atomic Commitment Aaron Kaminsky Presenting Chapter 6 of Distributed Systems, 2nd edition, 1993, ed. Mullender.
Randomized and Quantum Protocols in Distributed Computation Michael Ben-Or The Hebrew University Michael Rabin’s Birthday Celebration.

Randomized and Quantum Protocols in Distributed Computation Michael Ben-Or The Hebrew University Michael Rabin’s Birthday Celebration.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Incomplete Contracts Renegotiation, Communications and Theory December 10, 2007.

Incomplete Contracts Renegotiation, Communications and Theory December 10, 2007.

Similar presentations

Ads by Google