Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advantage and abuse-freeness in contract-signing protocols Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov To appear in CONCUR 2003.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Advantage and abuse-freeness in contract-signing protocols Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov To appear in CONCUR 2003."— Presentation transcript:

1 Advantage and abuse-freeness in contract-signing protocols Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov To appear in CONCUR 2003

2 Contract-signing protocols uTwo parties want to exchange signatures on pre- agreed texts over the internet uSigners adversarial uBoth signers want to exchange signatures uNeither wants to sign first uFairness Each signer gets the other’s signature or neither does uTimeliness: No signer gets stuck uAbuse-freeness: No party can prove to an outside party that it can control the outcome

3 Optimism uTwo categories of contract-signing protocols: Gradual release protocols Fixed-round protocols uFairness requires a third party, T Even 81, FLP uTrivial protocol Send signatures to T which then completes the exchange uOptimistic 3-party protocols T contacted only for error recovery Avoids communication bottlenecks uOptimistic signer Prefers not to go to T

4 General protocol outline uTrusted third party can force or abort the exchnage Third party can declare exchange binding if presented with first two messages. BC Willing to sell stock at this price OK, willing to buy stock at this price Here is my signature

5 Optimism and advantage uOnce customer commits to the purchase, he cannot use the committed funds for other purposes uCustomer likely to wait for some time for broker to respond: contacting T to force the exchange is costly and can cause delays uSince broker can abort the exchange, this waiting period may give broker a way to profit: see if shares are available at a lower price uThe longer the customer is willing to wait, the greater chance the broker has to pair trades at a profit uBroker has an advantage: she can control the outcome of the protocol

6 Related work uNeed for trusted third party Even 81 uMitchell and Shmatikov (Financial Crypto 2000) used Mur , a finite-state model checker, to analyze two signature- exchange protocols Asokan-Shoup-Waidner (IEEE Symposium on Security and Privacy, 98) Garay-Jakobsson-Mackenzie Protocol(GJM) (Crypto 1999) uChadha, Kanovich and Scedrov used MSR to analyze GJM protocol Proved fairness Defined and proved balance for honest participants uKremer and Raskin used model-checkers to study a version of abuse-freeness (CSFW 2002)

7 Fairness, optimism, and timeliness

8 Model and fairness uWe consider only single runs of the protocol uCall the two participants P and Q uDefinitions lead to game-theoretic notions If P follows strategy, then Q cannot achieve win over P Or, P follows strategy from some class … uA strategy of P is Q-silent if it succeeds whenever Q does nothing uNeed timeouts in the model “waiting” The signers use timeouts to decide when to contact T uFairness for P If Q has P’s contract, then P has a strategy to get Q’s contract

9 Timeliness uA protocol is timely for P if For all reachable states, S, P has a ( Q -silent) strategy to drive the protocol to a state S’ such that either P gets Q’s signature or Q cannot obtain P’s signature by talking to T Protocol is timely if it is timely for both signers

10 Optimism uProtocol is optimistic for Q if, assuming P controls the timeouts of both Q and P, then and honest Q has a strategy to get honest P’s contract without any messages to/from T The signers use timeouts to decide when to contact T If P is willing to wait “long enough” for Q, then Q may exchange signatures with P without T getting involved uProtocol is optimistic if it is optimistic for both signers

11 Optimistic participant uA participant P is honest if it follows the protocol uHonest P is said to be optimistic if Whenever P can choose between –waiting for a message from Q –contacting T for any purpose P waits and allows Q to move next Modeled by giving the control of timeouts to Q

12 Advantage uQ is said to have the power to abort against an optimistic P in S if Q has a strategy to prevent P from getting Q’s signature uQ is said to have the power to resolve against an optimistic P in S if Q has a strategy to get P’s signature uQ has advantage against an optimistic P if Q has both the power to abort and the power to resolve

13 Hierarchy Advantage against honest P H-adv  Advantage against optimistic P O-adv

14 Exchange subprotocol in GJM O R I am willing to sign Here is my signature may resolve may abort may quit may resolve

15 Advantage flow in GJM O R I am willing to sign Here is my signature O-adv

16 Impossibility theorems uGJM is balanced for honest participants No participant has an advantage uIn any optimistic and fair protocol Some potentially dishonest participant has an advantage over its optimistic counterparty uIn any optimistic, fair, and timely protocol Any potentially dishonest participant has an advantage at some non-initial point over its optimistic counterparty

17 Abuse-freeness

18 No evidence of advantage uIf Q can provide evidence of P’s participation to an outside observer X, then Q does not have advantage against an optimistic P The protocol is said to be abuse-free u Evidence: what does X know u X knows fact  in state   is true in any state consistent with X’s observations in 

19 Abuse-freeness and impossibilty theorem uIf P is an optimistic signer in an optimistic, fair, timely, and abuse-free protocol then there is trace tr leading to a non-initial state S such that the counterparty Q has an advantage over optimistic P at S C does not know in the state S that P is participating in the protocol –There is a trace tr’ leading to a state S’ such that the observations collected by C in S and S’ are computationally indistinguishable and P is not participating in tr’

20 Advantage flow in GJM O R I am willing to sign Here is my signature O-adv

21 Exchange subprotocol in Boyd-Foo O R I am willing to sign may resolve Here is my signature R may request T to enforce the exchange

22 Advantage flow in BF O R I am willing to sign Here is my signature H-adv

23 A non abuse-free protocol O T R My signature Release sigs? Yes R’s signature O’s signature O can present message from T to C as proof of R’s participation

24 Relationship between various properties Fair Abuse-Free Secure for honest signer Secure for optimistic signer

25 Weak abuse-freeness uThe only proof of participation of P is P’s contract uA protocol is weakly abuse-free for P if in any reachable state S where Q has received P’s contract, Q does not have advantage over P uIf a protocol is fair for P, then it is weakly abuse-free for P

26 Conclusions uA model to study contract signing protocols Use multiset rewriting framework Used timers to reflect natural bias Formal definitions of fairness and effectiveness given Natural bias: optimistic signers defined Give game-theoretic definitions of advantage and balance Advantage flows in GJM and BF uShow that the addition of the third party does not guarantee balance uUse epistemic logic to formalize abuse-freeness

27 Further work uMultiparty signature exchange protocols to be investigated uOther properties like trusted-third party accountability to be investigated uUse of automated theorem provers based on rewriting techniques Maude developed by Denker, Lincoln, Meseguer, Eker, Clavel, etc. uExplore solutions other than abuse-freeness to address lack of balance Estimate cost of asymmetry

28 Interested participant uHonest P is said to be interested if Whenever P can choose between –waiting for a message from Q –quitting or contacting T to abort P waits and allows Q to move next uModeled by giving the control of abort timeouts to Q

29 Hierarchy Advantage against honest A H-adv  Advantage against interested A I-adv  Advantage against optimistic A O-adv

Download ppt "Advantage and abuse-freeness in contract-signing protocols Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov To appear in CONCUR 2003."

Similar presentations

Dov Gordon & Jonathan Katz University of Maryland.

Dov Gordon & Jonathan Katz University of Maryland.
Funding of Deposit Insurance Systems: Comments Jean Roy Professor of finance HEC-Montreal, Canada.

Funding of Deposit Insurance Systems: Comments Jean Roy Professor of finance HEC-Montreal, Canada.
Contract-Signing Protocols John Mitchell Stanford TECS Week2005.

Contract-Signing Protocols John Mitchell Stanford TECS Week2005.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Brewer’s Conjecture and the Feasibility of Consistent, Available, Partition-Tolerant Web Services Authored by: Seth Gilbert and Nancy Lynch Presented by:

Brewer’s Conjecture and the Feasibility of Consistent, Available, Partition-Tolerant Web Services Authored by: Seth Gilbert and Nancy Lynch Presented by:
Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.
CS 603 Handling Failure in Commit February 20, 2002.

CS 603 Handling Failure in Commit February 20, 2002.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.

© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Probabilistic Contract Signing CS 259 Vitaly Shmatikov.

Probabilistic Contract Signing CS 259 Vitaly Shmatikov.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.

Similar presentations

Ads by Google