Contract signing
Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov


Contract signing (fair exchange)
- Two parties want to exchange signatures on an already agreed-upon contract text
- The parties are adversarial: both want to sign the contract, but neither wants to sign first
- Fairness: each party gets the other's signature, or neither does
- Timeliness: no player gets stuck
- Abuse-freeness: no party can prove to an outside party that it can control the outcome

Optimism
- Fairness requires a third party, T [Even 81; Fischer-Lynch-Paterson]
- Trivial protocol: both parties send their signatures to T, which then completes the exchange
- Optimistic 3-party protocols: T is contacted only for error recovery, which avoids a communication bottleneck at T
- Optimistic player: prefers not to go to T

General protocol outline
- The trusted third party can force or abort the contract: it can declare the contract binding if presented with the first two messages
- Message flow between broker B and customer C:
  B -> C: Willing to sell stock at this price
  C -> B: OK, willing to buy stock at this price
  B -> C: Here is my signature

Optimism and advantage
- Once the customer commits to the purchase, he cannot use the committed funds for other purposes
- The customer is likely to wait for some time for the broker to respond, since contacting T to force the contract is costly and can cause delays
- Since the broker can abort the exchange, this waiting period gives the broker a way to profit: see whether shares are available at a lower price
- The longer the customer is willing to wait, the greater the broker's chance to pair trades at a profit
- The broker has an advantage: it can control the outcome of the protocol

Fairness, optimism, and timeliness

Model and fairness
- Call the two participants P and Q
- The definitions lead to game-theoretic notions: "if P follows strategy s, then Q cannot achieve a win over P", or "P follows a strategy from some class ..."
- Timeouts are needed in the model to express "waiting"
- Fairness for P: if Q has P's contract, then P has a strategy to get Q's contract

Optimistic protocols
- A protocol is optimistic for Q if, assuming Q controls the timeouts of both Q and P, an honest Q has a strategy to get honest P's contract without any messages to or from T

Silent strategies
- A strategy of Q is P-silent if it succeeds whenever P does nothing
- Define two values, rslv_P and rslv_Q, on reachable states S:
  rslv_P(S) = 2 if P has a strategy to get honest Q's signature
            = 1 if P has a Q-silent strategy to get Q's signature
            = 0 otherwise
  (rslv_Q is defined symmetrically)

Timeliness
- Q has a (P-silent) abort strategy at S if Q has a (P-silent) strategy to drive the protocol to a state S' such that rslv_P(S') = 0
- Q has a (P-silent) resolve strategy at S if Q has a (P-silent) strategy to drive the protocol to a state S' such that rslv_Q(S') = 2
- A protocol is timely for Q if, for every reachable state S, Q has either a P-silent abort strategy at S or a P-silent resolve strategy at S
- A protocol is timely if it is timely for both P and Q

Advantage
- Advantage: the power to abort and the power to complete
- Balance: a potentially dishonest Q never has an advantage against an honest P
- Reflect the natural bias of an honest P: P is interested in completing the contract, so P is likely to wait before asking T for an abort or a resolve
- This motivates properties stronger than balance

Optimistic participant
- An honest P is optimistic if, whenever P can choose between waiting for a message from Q and contacting the TTP for any purpose, P waits and allows Q to move next
- Modeled by giving control of the timeouts to Q [Chadha, Mitchell, Scedrov, Shmatikov]

Advantage
- Q has the power to abort the protocol at S against an optimistic P if Q has an abort strategy at S (with P optimistic, i.e. Q controlling P's timeouts)
- Q has the power to resolve the protocol at S against an optimistic P if Q has a resolve strategy at S
- Q has an advantage against an optimistic P at S if Q has both the power to abort and the power to resolve (complete)

Hierarchy
- Advantage against an honest P (H-adv) implies advantage against an optimistic P (O-adv)

Advantage flow
  B -> C: I am willing to sell at this price
  C -> B: I am willing to buy at this price
  [O-adv: B, now holding C's commitment, can either abort or complete]
  B -> C: Here is my signature
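The definitions from the model, silent-strategy, timeliness and advantage slides applied to the broker/customer flow, as an added example that is not part of the slides or of the authors' formal model. The state space, the rule that a winning strategy never waits on the opponent (the opponent may always stay silent), the three opponent move sets, and the restriction that only the initiator B may ask T to abort are this example's own simplifying assumptions:

```python
"""Toy game model of the broker (B) / customer (C) flow from the slides:
B sends commitment m1, C answers with commitment m2, B sends its signature,
C sends its signature; T can abort, or resolve when shown m1 and m2.
Added illustration with its own simplifications, not the authors' model."""

# State: (m1, m2, sigB, sigC, t) with t in {"none", "aborted", "resolved"}.
INIT = (False, False, False, False, "none")

def moves(s):
    """Enabled moves as (actor, name, successor); names prefixed 'T:' contact T."""
    m1, m2, sigB, sigC, t = s
    if t != "none":
        return []                                 # T's decision is final
    out = []
    if not m1:
        out.append(("B", "send m1", (True, m2, sigB, sigC, t)))
    if m1 and not m2:
        out.append(("C", "send m2", (m1, True, sigB, sigC, t)))
    if m2 and not sigB:
        out.append(("B", "send sigB", (m1, m2, True, sigC, t)))
    if sigB and not sigC:
        out.append(("C", "send sigC", (m1, m2, sigB, True, t)))
    if m1 and not sigB:   # assumption: only the initiator B may abort, and not once it has signed
        out.append(("B", "T:abort", (m1, m2, sigB, sigC, "aborted")))
    if m2:                # T resolves for whoever presents m1 and m2
        out.append(("B", "T:resolve", (m1, m2, sigB, sigC, "resolved")))
        out.append(("C", "T:resolve", (m1, m2, sigB, sigC, "resolved")))
    return out

def reachable():
    seen, todo = set(), [INIT]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(s2 for _, _, s2 in moves(s))
    return seen

STATES = reachable()

def other(p):
    return "C" if p == "B" else "B"

def has(p, s):
    """p holds the other party's contract: its signature, or T's resolution."""
    _, _, sigB, sigC, t = s
    return t == "resolved" or (sigC if p == "B" else sigB)

# Opponent behaviours a strategy must beat.  The opponent may always also stay
# silent, so a winning strategy never relies on waiting for it to move.
def silent(name):      return False
def optimistic(name):  return not name.startswith("T:")   # never goes to T while it can wait
def honest(name):      return True

def wins(q, target, opp):
    """States from which q has a strategy reaching a target state against every
    opponent behaviour allowed by opp (least fixpoint of controllable predecessors)."""
    W = {s for s in STATES if target(s)}
    while True:
        new = {s for s in STATES - W
               if any(s2 in W for a, _, s2 in moves(s) if a == q)
               and all(s2 in W for a, n, s2 in moves(s) if a != q and opp(n))}
        if not new:
            return W
        W |= new

def rslv(p, s):
    """Three-valued resolve function from the slides."""
    if s in wins(p, lambda x: has(p, x), honest):
        return 2
    if s in wins(p, lambda x: has(p, x), silent):
        return 1
    return 0

def can_abort(q, s, opp):     # drive to a state where the other party can no longer win
    return s in wins(q, lambda x: rslv(other(q), x) == 0, opp)

def can_resolve(q, s, opp):   # drive to a state where q is sure of the other's signature
    return s in wins(q, lambda x: rslv(q, x) == 2, opp)

def timely(q):
    return all(can_abort(q, s, silent) or can_resolve(q, s, silent) for s in STATES)

def fair(p):
    return all(rslv(p, s) > 0 for s in STATES if has(other(p), s))

def advantage_states(q):
    """States where q can both abort and resolve against an optimistic opponent."""
    return {s for s in STATES
            if can_abort(q, s, optimistic) and can_resolve(q, s, optimistic)}

def label(s):
    flags = (("m1", s[0]), ("m2", s[1]), ("sigB", s[2]), ("sigC", s[3]))
    return ("+".join(n for n, f in flags if f) or "init") + ("/" + s[4] if s[4] != "none" else "")

if __name__ == "__main__":
    print("fair:", fair("B") and fair("C"), " timely:", timely("B") and timely("C"))
    for q in "BC":
        print(f"{q} has advantage against optimistic {other(q)} at:",
              sorted(label(s) for s in advantage_states(q)))
```

Running it reports the toy protocol as fair and timely, with C holding advantage against an optimistic B in the state after m1 (C can stay silent or commit and then force via T) and B holding advantage against an optimistic C in the state after m2 (B can abort or resolve at T). Neither party has advantage in the initial state, which is the pattern the impossibility theorem below predicts: the advantage flows from one participant to the other and appears at a non-initial point.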

Impossibility theorem
- In any optimistic, fair, and timely contract-signing protocol, any potentially dishonest participant has an advantage at some non-initial point if the other participant is optimistic
- A 3-valued version of Even's impossibility of deterministic two-party contract signing and of the Fischer-Lynch-Paterson impossibility of consensus in distributed systems [Chadha, Mitchell, Scedrov, Shmatikov]

Proof outline
- Pick an optimistic flow S_0, ..., S_n
- Recall rslv_Q: rslv_Q(S) = 2 if Q has a strategy to get P's signature, = 1 if Q has a P-silent strategy to get P's signature, = 0 otherwise
- Assume rslv_Q(S_0) = 0 (a cryptographic assumption: Q cannot forge P's signature)
- Clearly rslv_Q(S_n) = 2
- Pick i such that rslv_Q(S_i) = 0 and rslv_Q(S_{i+1}) > 0
- The transition from S_i to S_{i+1} is a transition of P

Proof outline (continued)
- The protocol is timely for Q, and Q has no P-silent resolve strategy at S_i (since rslv_Q(S_i) = 0), so Q has a P-silent abort strategy at S_i
- Lemma: let S, S' be reachable states such that Q has a P-silent abort strategy at S and S' is obtained from S by a transition of P that sends no messages to T. Then Q has a P-silent abort strategy at S'
- The flow is optimistic, so P's transition from S_i to S_{i+1} sends nothing to T; hence Q has a P-silent abort strategy at S_{i+1}

Proof outline (continued)
- Lemma: if Q has a P-silent abort strategy at a reachable state S, then Q also has an abort strategy at S provided P sends no messages to T
- So Q has an abort strategy at S_{i+1} if P sends no messages to T, i.e. Q has the power to abort against an optimistic P at S_{i+1}
- Since rslv_Q(S_{i+1}) > 0, Q has a P-silent resolve strategy at S_{i+1}, and hence a resolve strategy at S_{i+1} if P sends no messages to T
- Therefore Q has an advantage against an optimistic P at S_{i+1}

No evidence of advantage
- If Q can provide evidence of P's participation to an outside observer X, then Q does not have an advantage against an optimistic P: the protocol is said to be abuse-free
- Evidence: what does X know?
- X knows a fact φ in state σ if φ is true in every state consistent with X's observations in σ

Conclusions
- Considered several signature exchange protocols: Garay, Jakobsson and MacKenzie; Boyd and Foo; Asokan, Shoup and Waidner
- Used timers to reflect real-world behaviour
- Gave formal, game-theoretic definitions of fairness, optimism, timeliness and advantage
- Reflected the natural bias of participants by defining optimistic participants

Conclusions (continued)
- Described the advantage flows in several signature protocols
- Impossibility result: any fair, timely and optimistic protocol necessarily gives advantage
- Defined abuse-freeness precisely using epistemic logic
- Gave an example of a non-abuse-free, non-optimistic protocol

Further work
- Other properties, such as trusted-third-party accountability, to be investigated
- Multiparty contract-signing protocols to be investigated
- Use of automated theorem provers based on rewriting techniques