
1 Information Security Conference (ISC 2015) On the Efficiency of Multi-Party Contract Signing Protocols Gerard Draper-Gil, Josep-Lluis Ferrer Gomila, M. Francisca Hinarejos, Jianying Zhou September 9-11, 2015 | Trondheim, Norway

2 Table of Contents
  Introduction to Multi-Party Contract Signing (MPCS)
  MPCS Requirements
  Efficiency and Topologies
  Overview of Our Proposal
  Example: MPCS with Ring Topology N=3 and PCS
  Summary of Optimistic MPCS and Topologies
  Conclusions

3 Introduction to Multi-Party Contract Signing (MPCS)
The objective of Multi-Party Contract Signing (MPCS) protocols is to allow a set of N participants Pi (1 ≤ i ≤ N) to exchange a valid signature on a contract C.
Existing problems:
  Different criteria to define requirements and terms like round or step → difficult validation of results.
  What is the influence of protocol topology?
Our contribution:
  Clear definition of efficiency parameters.
  Assessment of the influence of topology.
  Method to design optimal efficient MPCS.

4 MPCS Requirements
Multi-Party Fair Exchange Requirements:
  Effectiveness
  Fairness (Strong and Weak)
  Non-repudiation
  Timeliness
Requirement for Contract Signing Protocols:
  Abuse-Freeness: After Pi receives a partial signature from another participant Pj, the recipient Pi cannot convince others but himself that the partial signature is from the sender Pj.

5 Efficiency and Topologies I
Transmission: The action of transmitting one or more messages from an originator A to a recipient B.
Message: A “logical” set of information sent from an originator A to B, where B can be a set of recipients {B1,..., BN}.
The definition of the term “Round” will depend on the topology.

6 Efficiency and Topologies II
Ring Topology: A complete round requires N transmissions.
Ring-Round: A round begins when P1 executes a transmission to P2, then P2 transmits to P3,..., and ends when P1 receives the transmission from PN, closing the ring.

7 Efficiency and Topologies III
Sequential Topology: A complete round requires 2(N-1) transmissions.
Sequential-Round: A round starts from P1, transmitting one or more messages to P2. The transmissions continue through all the participants in a certain order (e.g., incrementing the subindex i: Pi, P(i+1),..), until it reaches PN, who reverses the order transmitting to P(N−1), who executes a transmission to P(N−2), etc. The round ends when P1 receives a transmission from P2.

8 Efficiency and Topologies IV
Star Topology: A complete round requires 2(N-1) transmissions.
Star-Round: A round begins when the initiator P1 transmits some message or messages to all Pj (j ∈ [2..N]), and ends when P1 has received the corresponding transmission from each Pj. Alternatively, the round can be initiated by all Pj (j ∈ [2..N]) transmitting to P1, and finish when each Pj has received P1's transmission.

9 Efficiency and Topologies V
Mesh Topology: A complete round requires N(N-1) transmissions.
Mesh-Round: A round begins when Pi, with 1 ≤ i ≤ N, executes a transmission to each Pj, with j ∈ [1..N], j ≠ i. The round will end when every participant has received a transmission from the other N − 1 participants.

10 Overview of Our Proposal: MPCS Protocols
Methodology to design MPCS protocols:
  All MPCS protocols are optimistic.
  Each protocol is composed of an exchange and a resolution sub-protocol.
  All protocols follow the same principle: the participants exchange a series of commitments in turn, until they gather enough evidence to consider the contract as signed, while maintaining fairness.
  All protocols meet the necessary MPCS security requirements: effectiveness, fairness, non-repudiation, timeliness, and abuse-freeness.

11 Overview of Our Proposal: Trusted Third Party Rules I
Common rules to design resolution sub-protocol:
  Rule 0: The TTP only accepts one request per participant.
  Rule 1: During the 1st round, authorized participants can cancel the protocol execution, if it has not been previously finished. (If it has been finished, the TTP will answer with the corresponding affidavit.)
“Authorized participants” are those who have not received the commitment from the other N-1 participants. Examples:
  Ring: {P1,…,P(N-1)}
  Star: {P2,…,PN}

12 Overview of Our Proposal: Trusted Third Party Rules II
  Rule 2: After the 1st round, the TTP can finalize the protocol execution, generating the corresponding affidavit, if it has not been previously cancelled.
  Rule 3: The decision to finish the protocol is final.
  Rule 4: If the TTP receives a request to finish (sign) the protocol after the 1st round, and the protocol has been previously cancelled, it will review all the evidence received. If the TTP can prove all the previous requests were dishonest, it will change the protocol status to finished, and it will generate the corresponding affidavit. Otherwise it will answer with a cancellation evidence to maintain fairness.
The rules to prove dishonest participants will depend on the topology.

13 Overview of Our Proposal: Trusted Third Party Rules III
Examples of Rule 4:
  [Figure: Ring Topology; legend: Pi, Malicious, Honest]
  [Figure: Star Topology; legend: Pi, Malicious, Honest]

14 Example: MPCS with Ring Topology
MPCS with Private Contract Signatures (PCS*):
  Every turn, each participant generates a commitment message, with an index k, for each of the other participants.
  The index k is decremented by the first participant to receive the k-commitments from the other participants.
  When k reaches -1, the participants will release the complete signature.
* Garay, J.A., Jakobsson, M., MacKenzie, P.D.: “Abuse-free Optimistic Contract Signing”. CRYPTO'99.

15 Example: MPCS with Ring Topology N=3
Round r = 1
  T1  P1 → P2: PCS1((C,1),P2,TTP), PCS1((C,1),P3,TTP)
  T2  P2 → P3: PCS2((C,1),P3,TTP), PCS2((C,1),P1,TTP), PCS1((C,1),P3,TTP)
  T3  P3 → P1: PCS3(C,P1,TTP), PCS3(C,P2,TTP), PCS2((C,1),P1,TTP)
Round r = 2
  T4  P1 → P2: PCS1(C,P2,TTP), PCS1(C,P3,TTP), PCS3(C,P2,TTP)
  T5  P2 → P3: SIG2(C), PCS1(C,P3,TTP)
  T6  P3 → P1: SIG3(C), SIG2(C)
Round r = 3
  T7  P1 → P2: SIG1(C), SIG3(C)
  T8  P2 → P3: SIG1(C)
Message labels in the figure: M1(P1), M2(P1), M3(P1), M4(P1), M5(P1), M1(P3), M2(P3), M3(P3), M1(P2), M3(P2)
TOTAL (N=3)
  Transmissions: (N+1)(N-1) = 8
  Messages/user: (N-1)² + 1 = 5 (Pi = P1)
                 (N-2)(N-1) + 1 = 3 (Pi ≠ P1)

16 Summary of optimistic MPCS and topologies

| Topology | Transmissions (1) | Messages/user (2) |
|---|---|---|
| Ring | (N+1)(N-1) | (N-1)² + 1 when Pi = P1; (N-2)(N-1) + 1 when Pi ≠ P1 |
| Sequential | (N+1)(N-1) | (N-1)/2 (N-1) + 1 when N is odd; (N-1)/2 (N-1) – i + 2 when N is even |
| Star | (2N+1)(N-1) | (N-2)(N-1) + 1 |
| Mesh | N²(N-1) | (N-1)² + 1 |

(1) Optimistic case, the TTP does not intervene and (N-1) malicious participants assumed.
(2) Number of messages (signatures) generated by each user i, 1 ≤ i ≤ N
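The round definitions and the transmission totals in the summary table can be checked mechanically. The Python sketch below is an added example, not code from the presentation or its authors: it enumerates the (sender, recipient) pairs of one round per topology, derives how many rounds each optimistic protocol spans, and rebuilds the T1..T8 order of the N=3 ring example. All function names are hypothetical, and walking the ring for N other than 3 assumes the same pattern as the N=3 slide.

```python
from fractions import Fraction

def round_transmissions(topology, n):
    """Ordered (sender, recipient) pairs that make up one complete round."""
    parties = range(1, n + 1)
    if topology == "ring":        # P1 -> P2 -> ... -> PN -> P1
        return [(i, i % n + 1) for i in parties]
    if topology == "sequential":  # P1 up to PN, then back down to P1
        up = [(i, i + 1) for i in range(1, n)]
        down = [(i, i - 1) for i in range(n, 1, -1)]
        return up + down
    if topology == "star":        # P1 to every Pj, then every Pj back to P1
        out = [(1, j) for j in range(2, n + 1)]
        back = [(j, 1) for j in range(2, n + 1)]
        return out + back
    if topology == "mesh":        # every Pi to every other Pj
        return [(i, j) for i in parties for j in parties if i != j]
    raise ValueError(f"unknown topology: {topology}")

# Optimistic-case totals, as read from the summary table.
TOTAL = {
    "ring": lambda n: (n + 1) * (n - 1),
    "sequential": lambda n: (n + 1) * (n - 1),
    "star": lambda n: (2 * n + 1) * (n - 1),
    "mesh": lambda n: n * n * (n - 1),
}

def rounds_needed(topology, n):
    """Total transmissions divided by transmissions per round (may be fractional)."""
    per_round = len(round_transmissions(topology, n))
    return Fraction(TOTAL[topology](n), per_round)

def ring_schedule(n):
    """Transmissions T1..Tk of the ring protocol: walk the ring until the total is reached.
    Assumption: the N=3 pattern from the slide generalises to other N."""
    pattern = round_transmissions("ring", n)
    return [pattern[t % n] for t in range(TOTAL["ring"](n))]

if __name__ == "__main__":
    for n in (3, 4, 5):
        for topo in TOTAL:
            print(n, topo, TOTAL[topo](n), "transmissions,",
                  rounds_needed(topo, n), "rounds")
    # Last entry is T8 = P2 -> P3: P3 is the last participant to be served.
    print(ring_schedule(3))
```

For N=3 the ring schedule ends with P2 → P3, so the final round is incomplete and P3 is the last participant to obtain all signatures.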

17 Conclusions
  We presented a methodology to design optimistic MPCS protocols for ring, sequential, star and mesh topologies.
  All protocols meet fair exchange requirements for optimistic MPCS protocols: efficiency, fairness, non-repudiation, timeliness and abuse-freeness.
  Minimum number of transmissions needed for each protocol proposal: new lower-bound.
  Future Work: extend the study to hybrid topologies.

18 Abort Chaining: Proving Lower Bound (Ring Topology N=3)
Round r = 1
  P2 → TTP: Cancel Request.
  TTP → P2: Cancel Token (Rule 1).
  P2, dishonest, continues the protocol.
Round r = 2
  P1 → TTP: Finish Request. P1 has sent his signature but has not received the others.
  TTP → P1: Cancel Token (Rule 3). TTP cannot prove P2 is cheating.
  P3: Receives proof of signature from other participants.
P3, honest, has proof of signature. P1, honest, has proof of cancellation. → Fairness is broken!

19 Abort Chaining: Proving Lower Bound (Ring Topology N=3)
Round r = 1
  P2 → TTP: Cancel Request.
  TTP → P2: Cancel Token (Rule 1).
  P2, dishonest, continues the protocol.
Round r = 2
  P1 → TTP: Finalize Request. P1 has sent his signature but has not received the others.
  TTP → P1: Cancel Token (Rule 3). TTP cannot prove P2 is cheating.
Round r = 3 (if P1 is honest)
  P3 → TTP: Finish Request. P1 is honest, therefore it will stop the protocol execution.
  TTP → P3: Cancel Token (Rule 4). TTP will recognize P2 as dishonest, but cannot prove P1 is dishonest. Therefore, to maintain fairness, TTP will send a Cancel Token.
  Fairness is maintained.
Round r = 3 (if P1 is dishonest, it will continue the protocol execution)
  P1 → P2: If P2 continues the protocol, P3 will receive the signature from all participants (T8), otherwise P3 will contact TTP (in previous example).
  Fairness is maintained.

