Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex."— Presentation transcript:

1 Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex 3 Université Libre de Bruxelles

2 Digital Contract signing Use digital signatures to sign a contract over a network Special instance of fair exchange protocols Important issue for secure electronic commerce Naive 2-party example : A  B : Sig A (contract) B  A : Sig B (contract)

3 Digital Contract signing Use digital signatures to sign a contract over a network Special instance of fair exchange protocols Important issue for secure electronic commerce Naive 2-party example : A  B : Sig A (contract) B  A :  Bob may be malicious and not send his signature Assymmetry : someone must be the first to send his signature

4 Properties of Contract Signing Fairness –If A can gat B’s signature, then B can gat A’s signature and vice-versa Timeliness –Avoids that a participant gets stuck Advantage –A participant has an advantage if he has a strategy to complete the exchange and he has a strategy to abort the exchange Abuse-freeness (provable advantage) –Avoids that a participant can prove to an external party that he has the power to choose the outcome of the protocol

5 Evolution of contract signing Randomized protocols Trusted Party intervenes Use trusted party as a delivery authority May cause a bottleneck … Trusted Party intervenes only in case of problem (optimistic approach) More complex, and more error-prone … In 1980, Even & Yacobi showed that no fair deterministic contract signing protocol exists without the participation of a trusted party.

6 Formal methods & contract signing [Shmatikov, Mitchell, 2000] –Model-checker Murphi –invariant checking [Chadha, Kanovich, Scedrov, 2001] –Specification in MSR –inductive proofs [Kremer, Raskin, 2002] –Model-checker Mocha –ATL (temporal logic with game semantics) [Chadha, Mitchell, Scedrov, Shmatikov 2003] –general results (protocol independent) on advantage  Only 2-party contract signing protocols have been studied

7 Topologies Unlike for 2-party protocols, the different instances of fair exchange protocols differ significantly in the multi-party case 1-to-many non-repudiation and certified e-mail ring topology barter full graph contract signing 1 n 3 2... 1 n 3 2 1 n 32 Contract signing requires the most complicated protocols

8 Multi-party contract signing n participants want to sign a contract Properties for a honest participant must hold against any coalition of dishonest participants, i.e. against up to n-1 dishonest participants Every participant must receive the signature of all other participants (topology is a full graph)

9 Multi-party protocols Astonishingly few so far [Asokan, Baum-Waidner, Schunter, Waidner, T.R. 1998] Optimistic synchronous multi-party contract signing [Baum-Waidner, Waidner, T.R. 1998 & ICALP 2000] Optimistic asynchronous multi-party contract signing [Garay, MacKenzie, DISC 1999] Optimistic asynchronous multi-party contract signing [Baum-Waidner, Waidner, ICALP 2001] Optimistic asynchronous multi-party contract signing with reduced number of rounds

10 Protocol model All participants are players 2 versions of each player described using guarded commands –honest : follow the protocol –dishonest : may send messages out of order and continue the main protocol after contacting the trusted party Messages are immediately available for reading Only structural flaws are considered –no modelling of the cryptographic primitives Mocha cannot handle parametric specifications –Small C++ programs for the GM protocol and the BW protocol, that generate the Mocha specification for a given number of participants

11 The model-checker Mocha Guarded commands describing the protocol ATL formula Mocha ATSModel-Checking YESNO C++ program

12 The BW protocol [Baum, Waidner, ICALP 2000] Rather simple protocol, with symmetric behaviour of each participant T can overturn aborts We used Mocha to verify fairness for n=2..5, but no flaw was found The basic protocol does not aim to provide abuse-freeness Non-standard definition of contract –a special protocol for verifying the validity of a contract is defined

13 GM protocol [Garay, MacKenzie, DISC 1999] Recursive description of the protocol The protocol is divided into n levels –In each protocol level specific promises are used –Promises are implemented using private contract signatures (convertible designated verifier signatures) The i-level protocol is triggered when P i receives i-level promises from P i+1 through P n In i-level protocol participants P i through P 1 exchange i-level promises –They agree on the contract with promises (not signatures) P i through P 1 close higher level protocols After the n-level protocol actual signatures are exchanged

14 GM main protocol for P i P i P i-1...P 1 Distribute 1-level promises (i-1) level protocol Collect (i-1) level promises Exchange i-level promises

15 GM main prot. (4 participants) P4P3P2P1 otherwise stop otherwise stop 1-level promise

16 GM main prot. (4 participants) P4P3P2P1 otherwise abort 1-level promise 2-level promise otherwise recover otherwise recover otherwise recover

17 GM main prot. (4 participants) P4P3P2P1 3-level promise otherwise recover otherwise recover 3-level promise otherwise recover 3-level promise otherwise recover otherwise recover 3-level promise

18 GM main prot. (4 participants) P4P3P2P1 otherwise recover otherwise recover 4-level promise otherwise recover otherwise recover 4-level promise otherwise recover 4-level promise otherwise recover

19 GM main prot. (4 participants) P4P3P2P1 otherwise recover otherwise recover Signature otherwise recover otherwise recover otherwise recover Signature otherwise recover Signature

20 GM abort and resolve for P i To abort, P i sends to T S Pi (m,P i,(P 1,...,P n ), abort) To resolve, Pi sends to T S Pi ({PCS Pj (m,k j ), P i, T} (j  {1... n}\{i}),S Pi (m,1) where – if j>i, k j is the maximum level of a promise received from P j on m –if j<i, k j is the maximum level of promises received from each of the participants P j', with j'< i

21 GM protocol for T Each participant may contact T only once T replies with a resolved contract or an abort request T may overturn an abort, but never a resolve T maintains the following information for each contract to decide when to overturn an abort –validated: a boolean indicating whether the contract has been validated or not –S: the set of indices of parties that have aborted –F: set of indices of parties which help T to decide when to overturn an abort

22 An attack on abuse-freeness Note that P 1 cannot abort Abort responses include the participants that have aborted If P 1 receives an abort from T he must have send a resolve request Use T as an oracle : –When T receives a resolve request T verifies all promises and, by answering to P 1, provides evidence that all participants have started the protocol

23 An attack on abuse-freeness (2) Consider the protocol instance where n=3 Using Mocha, we show that abuse- freeness does not hold for a honest P 3 P1 and P2 have a strategy to reach a state where –P1 has an abort reply and –P1 and P2 have a strategy to obtain P3’s signature –honest P3 does not have a strategy to obtain P1’s and P2’s signature

24 An attack on abuse-freeness (3) At the beginning P2 aborts P1 tries to resolve, but gets an abort reply from T, which he can show to Charlie At that point P1 and P3 can choose the outcome –stop the protocol : P3 is not able to overturn the abort –complete the protocol in an optimistic way Easy fix: make abort replies to different participants indistinguishable

25 An attack on fairness The first attack was discovered when noticing an error in the proof Consider the protocol instance where n=4 Using Mocha, we show that fairness does not hold for a honest P 2 There exists a path such that –P1, P3 and P4 have P2’s signature –there exists a path such that P2 does not obtain all other signatures Similar attacks can be shown against P 1 and P 3 Using Mocha we did not discover any attack on fairness holds for n=3

26 An attack on fairness (2) P 1, P 3 and P 4 collude against P 2 P 3 aborts at the beginning – T adds P 3 to S P 1 resolves, but T responds with an abort –T adds P 1 to S and P 2 to F P 2 tries to recover, but as P 2 is in F, T responds with an abort P 4 resolves and T overturns the abort

27 An attack on fairness (3) More generally the attack scenarios are as follows –dishonest P k1 aborts but continues the protocol –dishonest P k2 tries to recover but does not succeed as a side-effect he adds one or several participants to the set F –honest P k3 tries to recover but does not succeed –dishonest P k4 recovers and overturns the abort

28 Conclusion First formal analysis of multi-party contract signing protocols Using the model-checker Mocha and the logic ATL instances of two protocols have been verified Two new attacks have been discovered in the GM protocol –Abuse-freeness can be broken using side information given by T: easy to fix –Fairness can be broken when n > 3: requires major changes to be fixed

29 Future work Extend strand space formalism to model fair exchange protocols –derive Mocha specifications directly from strands –correctness proofs when no attack is found Extend the analysis to a more complete model –Dolev-Yao-like intruder –Parametric verification Study different topologies, e.g. ring topologies in fair exchange Model optimistic players in multi-party protocols Extend general results on advantage, presented in [Chadha, Mitchell, Scedrov, Shmatikov 2003] to multi- party protocols

30 GM main prot. (4 participants) P4P3P2P1 1-level promise 3-level promise 1-level promise 2-level promise 3-level promise 4-level promise Signature

31 GM main protocol for P i (detailed) PiPi 1-level promise from j (n  j < i) Otherwise, stop 1-level promise to j (i < j  1) agreement of P i...P 1 i-1-level promise to j (i < j  1) i-level promise to j (i < j  1) i-level promise from j (i < j  1) i-level promise to i+1 Otherwise, abort Otherwise, resolve i-level promise from i+1 Otherwise, resolve i+1-level promise to j (i < j  1) i+1-level promise from j (i < j  1) Otherwise, resolve i+1-level promise to j (i < j  i+2) i+2-level promise from j (i+2  j < i) Otherwise, resolve... Otherwise, resolve n+1-level promise from j (n  j < i) and signatures n+1-level promise to j ( j  i) and signatures

Download ppt "Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex."

Similar presentations

Contract-Signing Protocols John Mitchell Stanford TECS Week2005.

Contract-Signing Protocols John Mitchell Stanford TECS Week2005.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.

Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.
Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.

Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.

A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.
Probabilistic Contract Signing CS 259 Vitaly Shmatikov.

Probabilistic Contract Signing CS 259 Vitaly Shmatikov.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.

A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.
1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

Similar presentations

Ads by Google