Multi-Party Contract Signing Sam Hasinoff April 9, 2001

References Round-optimal and Abuse-free Optimistic Multi-Party Contract Signing (Waidner and Waidner, ICALP 2000) Abuse-free Multi-party Contract Signing (Garay and MacKenzie, DISC 1999)

Overview Contract signing Lower bound on number of rounds Contract signing protocol Abuse-freeness

Contract Signing Contract – formal agreement on a text between two or more parties –Example: landlord, tenant, sublessor If terms of a contract are broken and need to be enforced, a contract verifier must be able determine the validity of the contract Fairness – either all honest participants obtain a valid contract or no one does

Every party decides signed or failed Using a trusted party (T), the problem is easy to solve: –T collects signatures from the parties –If all signatures arrive, it redistributes them, otherwise it aborts the contract T is a bottleneck for trust and performance Optimistic protocol – uses T only if something goes wrong

Security Requirements (Fairness) Correctness – if all parties are honest and patient, they all decide signed Verifiability – if an honest party decided signed and the verifier is patient, he will decide signed Unforgeability – if an honest party didnt sign the contract, no verifier decides signed No invalid contracts – if an honest party decided failed, no verifier decides signed Termination – the protocol eventually terminates

Model There are n signing parties – P 1,…,P n Up to t < n parties are Byzantine Network is asynchronous and scheduled by the adversary –Messages are reliably delivered, eventually, but with no guarantee on order Signatures are unforgeable –Assumption based on the cryptography

Lower bound There must exist a final round in which some party (say P 1 ) sends a message that can be combined with all previous messages to complete the contract Theorem 1 [Garay, MacKenzie, DISC 1999]. Any fair optimistic contract signing protocol for n parties requires at least n rounds (in a run where T is not used).

At this point, P 1 must have received messages from the others in previous rounds s.t. it could send a message to T to obtain a complete contract Otherwise, the other parties could use the message from P 1 to complete their contracts, but decide to send nothing further. This would leave P 1 with no contract and violate fairness – a contradiction Specifically, there must be a previous round in which some party (say P 2 ) sends a message to P 1 allowing this

This argument generalizes easily Given that a set of participants P 1,…,P i have received messages s.t. any of them could send a message to T and obtain a complete contract regardless of the actions of P i+1,…,P n, there must be a previous round in which some party (say P i+1 ), sends a message to P i that allows this So by a backwards induction, the number of rounds needed is at least n

Contract signing protocol Protocol proceeds in t+2 rounds In round 1, each party signs a promise to sign the contract and broadcasts that promise In subsequent rounds, each party collects signatures from the previous round, countersigns this set of n signatures, and broadcasts it The result of the (t+2)-nd round is the real contract

Any party who gets tired of waiting can contact T and send it all the messages received so far It then stops sending any messages, and simply waits for an answer from T If T receives its first message in round 1, it must abort and respond with failed If T receives its first message in some later round, it will respond with signed T will only ever change its response (from failed to signed ) if all messages it previously answered with failed came from dishonest parties

Detecting dishonesty Since s > 0, we have r > 2, and therefore the message from P i includes the complete set of round-(r-2) messages, countersigned by everybody Thus P k must have participated in round r-1, in order to have countersigned the round-(r-2) messages and sent this as a message to P i So P k was active after having sent its message to T, and hence is dishonest Lemma 1. If T receives a message from P i in round r, and previously answered failed to some other P k in round s < r-1, then P k is dishonest

Verification protocol P i shows a signed contract to the verifier V V outputs signed if either the contract consists of either of the following: –(T was contacted and responded signed ) the complete set of n round-(r-1) messages signed by some P j and countersigned by T in round r > 1 –(optimistic termination) the complete set of n round-(t+2) messages Otherwise V outputs failed

Security of the protocol Correctness and verifiability are clearly satisfied Unforgeability is true because all variants of a valid contract contain pieces signed by all parties, and we assume the signatures are unforgeable Theorem 2 [Waidner and Waidner, ICALP 2000]. The protocol described is a fair asynchronous multi-party contract signing scheme with a trusted third party T for any t < n. It is optimistic and terminates in t+4 rounds in the worst case.

Termination –Each of the t+2 rounds terminates either because all responses from the other parties are received, or T is contacted and eventually answers. In the worst case, T is contacted in the last round, giving t+4 rounds No invalid contracts is shown by contradiction. Assume an honest P i decided failed and an honest verifier V decides signed –Case 1: V has all n round-(r-1) messages signed by some P j and countersigned by T in round r > 1 P j decided signed based on the response received from T in round r, and so for P i to decide failed, it must has received an abort from T in round s <= r But T could not have changed its decision from failed to signed, because it could only do that if all aborted parties (P i is a counterexample) are dishonest – a contradiction

No invalid contracts (continued) –Case 2: V has all n round-(t+2) messages To decide failed, P i must have participated in round t+2 but then contacted T and received an abort From the rules of T, and by induction, for all rounds {1,…,t+1}, some party received an abort Then by Lemma 1, those parties who received an abort in rounds {1,…,t} must be dishonest Since there are at most t dishonest parties, the party who received an abort in round t+1 must be honest That party could not have participated in round t+2, so the set n of round-(t+2) messages could not have been complete – a contradiction

Round optimality Corollary 1. The number of rounds for the contract signing scheme is O(n).

Abuse-freeness Abuse-freeness – at no point can a party prove to an outsider that he has the power to control whether the contract will be signed Example of abuse: –Alice signs a contract (to supply widgets for $10) and faxes it to Bob for him to sign –Bob (abusive) uses his potentially signed contract with Alice to coerce Charlie into offering him a new contract (for $9 widgets) –Bob never signs the contract with Alice

Is the protocol abuse-free? The contract signing protocol is not abuse-free! Example (n = 2, P 2 abusive): –both parties send their round-1 messages, but only P 1 sends his round-2 message –P 2 could either ignore the messages from P 1 and send a (round-1) message to T and get the response failed, or use the messages from P 1 and send a (round-3) message to T and get the response signed –the round-3 message that P 2 could send to T will convince an outsider of the power that P 2 has to decide the contract

Adding abuse-freeness The basic idea remains the same, but each party generates a fresh, new signature for the execution of the protocol –This is in contrast to their mutually agreed upon, permanent digital signatures The result of an execution of the old protocol with the fresh signatures is called the pre-contract Since an adversary cannot prove that a fresh signature belongs to a certain party, an outsider would not be convinced of the status of the protocol, and hence the protocol is abuse-free

However, the pre-contract is also made to contain the contract signed with the parties permanent signatures, but encrypted (with Ts public key) so that only T can decrypt To convert the pre-contract into a real contract, the parties then exchange the original contract signed with the parties permanent signatures, and check that the pre-contract was indeed valid Failing that, T can try to recover by decrypting all the encrypted messages in the pre-contract

Final result Theorem 3 [Waidner and Waidner, ICALP 2000]. There is a protocol (as outlined) for asynchronous abuse-free multi-party contract signing with a trusted third party T for any t < n. It is optimistic and terminates in t+6 rounds in the worst case.