Presentation is loading. Please wait.

Presentation is loading. Please wait.

Probabilistic Contract Signing CS 259 Vitaly Shmatikov.

Published byHoratio Webb Modified over 9 years ago

Similar presentations

Presentation on theme: "Probabilistic Contract Signing CS 259 Vitaly Shmatikov."— Presentation transcript:

1 Probabilistic Contract Signing CS 259 Vitaly Shmatikov

2 Rabin’s Beacon uA “beacon” is a trusted party that publicly broadcasts a randomly chosen number between 1 and N every day Michael Rabin. “Transaction protection by beacons”. Journal of Computer and System Sciences, Dec 1983. Jan 27Jan 28Jan 29Jan 30Jan 31Feb 1 … 15 28 22 11 25

3 CONTRACT(A, B, future date D, contract terms) Rabin’s Contract Signing Protocol sig B ”I am committed if 1 is broadcast on day D” sig A ”I am committed if 1 is broadcast on day D” sig A ”I am committed if i is broadcast on day D” sig B ”I am committed if i is broadcast on day D” … sig A ”I am committed if N is broadcast on day D” sig B ”I am committed if N is broadcast on day D” 2N messages are exchanged if both parties are honest

4 Probabilistic Fairness uSuppose B stops after receiving A’s i th message B has sig A ”committed if 1 is broadcast”, sig A ”committed if 2 is broadcast”, … sig A ”committed if i is broadcast” A has sig B ”committed if 1 is broadcast”,... sig B ”committed if i-1 is broadcast” u… and beacon broadcasts number b on day D If b <i, then both A and B are committed If b >i, then neither A, nor B is committed If b =i, then only A is committed This happens only with probability 1/N

5 Properties of Rabin’s Protocol Fair The difference between A’s probability to obtain B’s commitment and B’s probability to obtain A’s commitment is at most 1/N –But communication overhead is 2N messages Not optimistic Need input from third party in every transaction –Same input for all transactions on a given day sent out as a one-way broadcast. Maybe this is not so bad! Not timely If one of the parties stops communicating, the other does not learn the outcome until day D

6 BGMR Probabilistic Contract Signing [Ben-Or, Goldreich, Micali, Rivest ’85-90] uDoesn’t need beacon input in every transaction uUses sig A ”I am committed with probability p A ” instead of sig A ”I am committed if i is broadcast on day D” uEach party decides how much to increase the probability at each step A receives sig B ”I am committed with probability p B ” from B Sets p A =min(1,p B   ) Sends sig A ”I am committed with probability p A ” to B … the algorithm for B is symmetric  is a parameter chosen by A

7 CONTRACT(A, B, future date D, contract terms) BGMR Message Flow sig B ”I am committed with probability “ 0.12 sig A ”I am committed with probability “ 0.100.20 sig A ”I am committed with probability “ sig B ”I am committed with probability “ 0.23 … sig A ”I am committed with probability “ 1.00 sig B ”I am committed with probability “ 1.00

8 Conflict Resolution sig A ”I am committed with probability “ pA 1 pA 2 sig A ”I am committed with probability “ ??? sig B ”I am committed with probability “ pB 1 sig B ”I am committed with probability “ pB 1 judge “Binding” or “Canceled” (same verdict for both parties) “Binding” or “Canceled” (same verdict for both parties) 01 Waits until date D If   pB 1, contract is binding, else contract is canceled

9 Judge uWaits until date D to decide uAnnounces verdict to both parties uTosses coin once for each contract uRemembers previous coin tosses Constant memory: use pseudo-random functions with a secret input to produce repeatable coin tosses for each contract uDoes not remember previous verdicts Same coin toss combined with different evidence (signed message with a different probability value) may result in a different verdict

10 Privilege and Fairness At any step where Prob(B is privileged) > v, Prob(A is not privileged | B is privileged) <  Intuition: at each step, the parties should have comparable probabilities of causing the judge to declare contract binding (privilege must be symmetric) Fairness A party is privileged if it has the evidence to cause the judge to declare contract binding Privilege Intuition: the contract binds either both parties, or neither; what matters is the ability to make the contract binding

11 Properties of BGMR Protocol Fair Privilege is almost symmetric at each step: if Prob(B is privileged) > p A 0, then Prob(A is not privileged | B is privileged) < 1-1/  Optimistic Two honest parties don’t need to invoke a judge Not timely Judge waits until day D to toss the coin What if the judge tosses the coin and announces the verdict as soon as he is invoked?

12 Formal Model uProtocol should ensure fairness given any possible behavior by a dishonest participant Contact judge although communication hasn’t stopped Contact judge more than once Delay messages from judge to honest participant uNeed nondeterminism To model dishonest participant’s choice of actions uNeed probability To model judge’s coin tosses uThe model is a Markov decision process

13 Constructing the Model uDiscretize probability space of coin tosses The coin takes any of N values with equal probability uFix each party’s “probability step” Rate of increases in the probability value contained in the party’s messages determines how many messages are exchanged uA state is unfair if privilege is asymmetric Difference in evidence, not difference in commitments uCompute probability of reaching an unfair state for different values of the parties’ probability steps Use PRISM Defines state space

14 Attack Strategy uDishonest B’s probability of driving the protocol to an unfair state is maximized by this strategy: 1.Contact judge as soon as first message from A arrives 2.Judge tries to send verdict to A (the verdict is probably negative, since A’s message contains a low probability value) 3.B delays judge’s verdicts sent to A 4.B contacts judge again with each new message from A until a positive verdict is obtained uThis strategy only works in the timely protocol In the original protocol, coin is not tossed and verdict is not announced until day D uConflict between optimism and timeliness

15 Analysis Results For a higher probability of winning, dishonest B must exchange more messages with honest A Probability of reaching a state where B is privileged and A is not Increase in B’s probability value at each step (lower increase means more messages must be exchanged)

16 Attacker’s Tradeoff uLinear tradeoff for dishonest B between probability of winning and ability to delay judge’s messages to A uWithout complete control of the communication network, B may settle for a lower probability of winning Expected number of messages before unfair state is reached Probability of reaching a state where B is privileged and A is not

17 Summary uProbabilistic contract signing is a good testbed for probabilistic model checking techniques Standard formal analysis techniques not applicable Combination of nondeterminism and probability Good for quantifying tradeoffs uProbabilistic contract signing is subtle Unfairness as asymmetric privilege Optimism cannot be combined with timeliness, at least not in the obvious way

Download ppt "Probabilistic Contract Signing CS 259 Vitaly Shmatikov."

Similar presentations

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Reaching Agreements II. 2 What utility does a deal give an agent? Given encounter  T 1,T 2  in task domain  T,{1,2},c  We define the utility of a.

Reaching Agreements II. 2 What utility does a deal give an agent? Given encounter  T 1,T 2  in task domain  T,{1,2},c  We define the utility of a.
Distributed Markov Chains P S Thiagarajan School of Computing, National University of Singapore Joint work with Madhavan Mukund, Sumit K Jha and Ratul.

Distributed Markov Chains P S Thiagarajan School of Computing, National University of Singapore Joint work with Madhavan Mukund, Sumit K Jha and Ratul.
1 CS 194: Elections, Exclusion and Transactions Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer.

1 CS 194: Elections, Exclusion and Transactions Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.
Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.

Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Probabilistic Model Checking CS 395T. Overview uCrowds redux uProbabilistic model checking PRISM model checker PCTL logic Analyzing Crowds with PRISM.

Probabilistic Model Checking CS 395T. Overview uCrowds redux uProbabilistic model checking PRISM model checker PCTL logic Analyzing Crowds with PRISM.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.

Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Teknik Routing Pertemuan 20 Matakuliah: H0484/Jaringan Komputer Tahun: 2007.

Teknik Routing Pertemuan 20 Matakuliah: H0484/Jaringan Komputer Tahun: 2007.
Randomized and Quantum Protocols in Distributed Computation Michael Ben-Or The Hebrew University Michael Rabin’s Birthday Celebration.

Randomized and Quantum Protocols in Distributed Computation Michael Ben-Or The Hebrew University Michael Rabin’s Birthday Celebration.

Similar presentations

Ads by Google