Analysis of a Fair Exchange Protocol Vitaly Shmatikov John Mitchell Stanford University

Agreement in Hostile Environment l Cannot trust the communication channel l Cannot trust the other party in the protocol l Trusted third party may exist n Last resort: use only if something goes wrong

Contract Signing l Both parties want to sign the contract l Neither wants to commit first Immunity deal

Fairness If A cannot obtain a contract, then B should not be able to obtain a contract, either (and vice versa) Example (Alice buys a house from Bob) If Alice cannot obtain a deed for the property, Bob should not be able to collect Alice’s money

Accountability If trusted party T misbehaves, then honest party should be able to prove T’s misbehavior Example (Alice buys a house from Bob) If escrow service gives Bob Alice’s money without giving Alice the deed, Alice should be able to prove to a judge that escrow service is cheating

Formal Protocol Analysis Intruder Model Analysis Tool Formal Protocol Informal Protocol Description Gee whiz. Looks OK to me.

Mur  [Dill et al.] l Describe finite-state system n State variables with initial values n Transition rules n Communication by shared variables n Scalable: choose system size parameters l Specify correctness condition l Automatic exhaustive state enumeration n Hash table to avoid repeating states Success with research, industrial protocol verification

Optimistic Contract Signing A B m 1 = sig A (PK A, PK B, T, text, hash(R A )) m 2 = sig B (m 1, hash(R B )) m 3 = R A m 4 = R B [Asokan, Shoup, Waidner] m 1, R A, m 2, R B

l Contract from normal execution l Contract issued by third party l Abort token issued by third party Several Forms of Contract m 1, R A, m 2, R B sig T (m 1, m 2 ) sig T (abort, a 1 )

Role of Trusted Third Party l T can issue an abort token Promise not to resolve the protocol in the future l T can issue a replacement contract Proof that both parties are committed l T decides whether to abort or resolve on the first-come-first-serve basis l T only gets involved if requested by A or B

Abort Subprotocol A ??? B Network T a 1 =sig A (abort,m 1 ) a2a2 resolved? Yes: a 2 = sig T (m 1, m 2 ) No: aborted := true a 2 = sig T (abort, a 1 ) m 1 = sig A (… hash(R A )) sig T (m 1, m 2 ) sig T (abort, a 1 ) OR

Resolve Subprotocol B A Net T r 1 = m 1, m 2 aborted? Yes: r 2 = sig T (abort, a 1 ) No: resolved := true r 2 = sig T (m 1, m 2 ) r2r2 m 1 = sig A (… hash(R A )) m 3 = R A m 2 = sig B (… hash(R B )) sig T (m 1, m 2 ) sig T (abort, a 1 ) OR ???

Race Condition B A m 1 = sig A (PK A, PK B, T, text, hash(R B )) m 2 = sig B (m 1, hash(R B )) T a 1 = sig A (abort, m 1 ) r 1 = m 1, m 2

Attack A r 2 = sig T (m 1, m 2 ) m 1 = sig A (... hash(R A )) m 2 = sig B (m 1, hash(R B )) m 3 = R A T r 1 = m 1, m 2 secret Q B, m 2 sig T (m 1, m 2 ) m 1, R A, m 2, Q B contracts are inconsistent!

Later... sig A (PK A, PK A, T, text, hash(R A )) B Replay Attack Intruder causes B to commit to old contract with A sig B (m 1, hash(Q B )) RARA QBQB A B RARA sig A (… hash(R A )) RBRB sig B (... hash(R B ))

sig A (, hash(R B )) Repairing the Protocol A B m 1 = sig A (PK A, PK B, T, text, hash(R A )) m 2 = sig B (m 1, hash(R B )) m 3 = R A m 4 = R B m 1, R A, m 2, R B

Another Property: Abuse-Freeness No party should be able to prove that it can solely determine the outcome of the protocol Example (Alice buys a house from Bob) Bob should not be able to show Alice’s offer to Cynthia so that he can convince Cynthia to pay more

Conclusions l Fair exchange protocols are subtle n Correctness conditions are hard to formalize n Unusual constraints on communication channels l Several interdependent subprotocols n Many cases and interleavings l Finite-state tools are useful for case analysis