Presentation is loading. Please wait.

Presentation is loading. Please wait.

C ontract signing Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "C ontract signing Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov."— Presentation transcript:

1 C ontract signing Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov

2 Contract signing (fair exchange) uTwo parties want to exchange signatures on an already agreed upon contract text uParties adversarial uBoth parties want to sign a contract uNeither wants to sign first uFairness: each party gets the other’s signature or neither does uTimeliness: No player gets stuck uAbuse-freeness: No party can prove to an outside party that it can control the outcome

3 Optimism uFairness requires a third party, T Even 81 FLP uTrivial protocol Send signatures to T which then completes the exchange uOptimistic 3-party protocols T contacted only for error recovery Avoids communication bottlenecks uOptimistic player Prefers not to go to T

4 General protocol outline uTrusted third party can force or abort contract Third party can declare contract binding if presented with first two messages. BC Willing to sell stock at this price OK, willing to buy stock at this price Here is my signature

5 Optimism and advantage uOnce customer commits to the purchase, he cannot use the committed funds for other purposes uCustomer likely to wait for some time for broker to respond, since contacting T to force the contract is costly and can cause delays uSince broker can abort the exchange, this waiting period may give broker a way to profit: see if shares are available at a lower price uThe longer the customer is willing to wait, the greater chance the broker has to pair trades at a profit uBroker has an advantage: it can control the outcome of the protocol

6 Fairness, optimism, and timeliness

7 Model and fairness uCall the two participants P and Q uDefinitions lead to game-theoretic notions If P follows strategy, then Q cannot achieve win over P Or, P follows strategy from some class … uNeed timeouts in the model “waiting” uFairness for P If Q has P’s contract, then P has a strategy to get Q’s contract

8 Optimistic protocols uProtocol is optimistic for Q if, assuming Q controls the timeouts of both Q and P, then and honest Q has a strategy to get honest P’s contract without any messages to/from T

9 Silent strategies uA strategy of Q is P-silent if it succeeds whenever P does nothing uDefine two values, rslv P and rslv Q on reachable states S: rslv P (S ) = 2 if P has a strategy to get honest Q’s signature, = 1 if P has a Q-silent strategy to get Q’s signature, = 0 otherwise

10 Timeliness uQ is said to have a (P-silent) abort strategy at S if Q has a (P-silent) strategy to drive the protocol to a state S’ such that rslv P (S’)=0 uQ is said to have a (P-silent) resolve strategy at S if Q has a (P-silent) strategy to drive the protocol to a state S’ such that rslv Q (S’)=2 uA protocol is said to be timely for Q if For all reachable states, S, Q has either a P-silent abort strategy at S or a P-silent resolve strategy at S uA protocol is timely if it is timely for both Q and P

11 Advantage

12 uAdvantage Power to abort and power to complete uBalance Potentially dishonest Q never has an advantage against an honest P uReflect natural bias of honest P P is interested in completing a contract, so P is likely to wait before asking T for an abort or for a resolve Formulate properties stronger than balance

13 Optimistic participant uHonest P is said to be optimistic if Whenever P can choose between –waiting for a message from Q –contacting TTP for any purpose P waits and allows Q to move next uModeled by giving the control of timeouts to Q [Chadha, Mitchell, Scedrov, Shmatikov]

14 Advantage uQ is said to have the power to abort against an optimistic P the protocol in S if Q has an abort strategy uQ is said to have the power to resolve against an optimistic P the protocol in S if Q has a resolve strategy uQ has advantage against an optimistic P if Q has both the power to abort and the power to complete

15 Hierarchy Advantage against honest P H-adv  Advantage against optimistic P O-adv

16 Advantage flow B C I am willing to sell at this price I am willing to buy at this price Here is my signature O-adv

17 Impossibility Theorem

18 uIn any optimistic, fair, and timely contract-signing protocol, any potentially dishonest participant will have an advantage at some non-initial point if the other participant is optimistic u3-valued version of: Even’s impossibility of deterministic two-party contract signing Fischer-Lynch-Paterson impossibility of consensus in distributed systems [Chadha, Mitchell, Scedrov, Shmatikov]

19 Proof Outline uPick an optimistic flow: S 0, …., S n uRecall rslv Q rslv Q (S) = 2 if Q has a strategy to get P’s signature, = 1 if Q has a P-silent strategy to get P’s signature, = 0 otherwise uWe shall assume that rslv Q (S 0 )=0 A cryptographic assumption uClearly, rslv Q (S n )=2 uPick i such that rslv Q (S i )=0 and rslv Q (S i+1 ) >0 uThe transition from S i to S i+1 is a transition of P

20 Proof outline contd.. uProtocol is timely for Q Q does not have a P-silent resolve strategy at S i ( rslv Q (S i )=0) Q has a P-silent abort strategy at S i uLet S, S’ be reachable states such that Q has an P-silent abort strategy at S S' is obtained from S using a transition of P that does not send any messages to T Then Q has an P-silent abort strategy at S'. u Q has a P -silent abort strategy at S i+1

21 Proof outline contd… uLet S be a reachable state such that Q has an P- silent abort strategy at S Then Q also an abort strategy if P does not send any messages to T uQ also an abort strategy at S i+1 if P does not send any messages to T uQ has power to abort against an optimistic P at S i+1 uSince rslv Q (S i+1 )>0, Q has a P-silent resolve strategy at S i+1 Q also an resolve strategy at S i+1 if P does not send any messages to T uQ has an advantage against optimistic P uJim Gray

22 No evidence of advantage uIf Q can provide evidence of P’s participation to an outside observer X, then Q does not have advantage against an optimistic P The protocol is said to be abuse-free u Evidence: what does X know u X knows fact  in state   is true in any state consistent with X’s observations in 

23 Conclusions uConsider several signature exchange protocols Garay Jakobsson and Mackenzie Boyd Foo Asokan Shoup and Waidner uUsed timers to reflect real-world behavior uFormal definitions of fairness, optimism, timeliness and advantage were given uReflect natural bias: optimistic participants defined uGive game-theoretic definitions of protocol properties

24 Conclusions uDescribe the advantage flows in several signature protocol uImpossibility result any fair, timely and optimistic protocol necessary gives advantage uDefine abuse-freeness precisely using epistemic logic uGive an example of a non abuse-free non- optimistic protocol

25 Further Work uOther properties like trusted-third party accountability to be investigated uMultiparty contract signing protocols to be investigated uUse of automated theorem provers based on rewriting techniques

Download ppt "C ontract signing Rohit Chadha, John Mitchell, Andre Scedrov, Vitaly Shmatikov."

Similar presentations

The 4 P’s of Marketing consumer The Marketing Mix.

The 4 P’s of Marketing consumer The Marketing Mix.
Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.

Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland.
Contract-Signing Protocols John Mitchell Stanford TECS Week2005.

Contract-Signing Protocols John Mitchell Stanford TECS Week2005.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Auction Theory Class 5 – single-parameter implementation and risk aversion 1.

Auction Theory Class 5 – single-parameter implementation and risk aversion 1.
Non myopic strategy Truth or Lie?. Scoring Rules One important feature of market scoring rules is that they are myopic strategy proof. That means that.

Non myopic strategy Truth or Lie?. Scoring Rules One important feature of market scoring rules is that they are myopic strategy proof. That means that.
Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 3.3: Fair Exchange.
CS 603 Handling Failure in Commit February 20, 2002.

CS 603 Handling Failure in Commit February 20, 2002.
Distributed Algorithms – 2g1513 Lecture 10 – by Ali Ghodsi Fault-Tolerance in Asynchronous Networks.

Distributed Algorithms – 2g1513 Lecture 10 – by Ali Ghodsi Fault-Tolerance in Asynchronous Networks.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.

© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.
Probabilistic Contract Signing CS 259 Vitaly Shmatikov.

Probabilistic Contract Signing CS 259 Vitaly Shmatikov.
Lecture 4 on Individual Optimization Risk Aversion

Lecture 4 on Individual Optimization Risk Aversion
Normal Forms for CFG’s Eliminating Useless Variables Removing Epsilon

Normal Forms for CFG’s Eliminating Useless Variables Removing Epsilon
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 16 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 16 Wenbing Zhao Department of Electrical and Computer Engineering.
Synchronization Clock Synchronization Logical Clocks Global State Election Algorithms Mutual Exclusion.

Synchronization Clock Synchronization Logical Clocks Global State Election Algorithms Mutual Exclusion.
Incomplete Contracts Renegotiation, Communications and Theory December 10, 2007.

Incomplete Contracts Renegotiation, Communications and Theory December 10, 2007.

Similar presentations

Ads by Google