
Multi-Party Contract Signing



Presentation Transcript


  1. Multi-Party Contract Signing
  Sam Hasinoff
  April 9, 2001

  2. References
  • Round-optimal and Abuse-free Optimistic Multi-Party Contract Signing (Waidner and Waidner, ICALP 2000)
  • Abuse-free Multi-party Contract Signing (Garay and MacKenzie, DISC 1999)

  3. Overview
  • Contract signing
  • Lower bound on number of rounds
  • Contract signing protocol
  • Abuse-freeness

  4. Contract Signing
  • Contract – formal agreement on a text between two or more parties
  • Example: landlord, tenant, sublessor
  • If the terms of a contract are broken and need to be enforced, a contract verifier must be able to determine the validity of the contract
  • Fairness – either all honest participants obtain a valid contract or no one does

  5. Every party decides signed or failed
  • Using a trusted party (T), the problem is easy to solve:
  • T collects signatures from the parties
  • If all signatures arrive, it redistributes them, otherwise it aborts the contract
  • T is a bottleneck for trust and performance
  • Optimistic protocol – uses T only if something goes wrong

  6. Security Requirements (Fairness)
  • Correctness – if all parties are honest and patient, they all decide signed
  • Verifiability – if an honest party decided signed and the verifier is patient, he will decide signed
  • Unforgeability – if an honest party didn’t sign the contract, no verifier decides signed
  • No invalid contracts – if an honest party decided failed, no verifier decides signed
  • Termination – the protocol eventually terminates

  7. Model
  • There are n signing parties – P1,…,Pn
  • Up to t < n parties are Byzantine
  • Network is asynchronous and scheduled by the adversary
  • Messages are reliably delivered, eventually, but with no guarantee on order
  • Signatures are unforgeable – an assumption based on the cryptography

  8. Lower bound
  Theorem 1 [Garay, MacKenzie, DISC 1999]. Any fair optimistic contract signing protocol for n parties requires at least n rounds (in a run where T is not used).
  • There must exist a final round in which some party (say P1) sends a message that can be combined with all previous messages to complete the contract

  9. At this point, P1 must have received messages from the others in previous rounds s.t. it could send a message to T to obtain a complete contract
  • Otherwise, the other parties could use the message from P1 to complete their contracts, but decide to send nothing further. This would leave P1 with no contract and violate fairness – a contradiction
  • Specifically, there must be a previous round in which some party (say P2) sends a message to P1 allowing this

  10. This argument generalizes easily
  • Given that a set of participants P1,…,Pi have received messages s.t. any of them could send a message to T and obtain a complete contract regardless of the actions of Pi+1,…,Pn, there must be a previous round in which some party (say Pi+1) sends a message to Pi that allows this
  • So by a backwards induction, the number of rounds needed is at least n

  11. Contract signing protocol
  • Protocol proceeds in t+2 rounds
  • In round 1, each party signs a promise to sign the contract and broadcasts that promise
  • In subsequent rounds, each party collects signatures from the previous round, countersigns this set of n signatures, and broadcasts it
  • The result of the (t+2)-nd round is the real contract

  12. Any party who gets tired of waiting can contact T and send it all the messages received so far
  • It then stops sending any messages, and simply waits for an answer from T
  • If T receives its first message in round 1, it must abort and respond with failed
  • If T receives its first message in some later round, it will respond with signed
  • T will only ever change its response (from failed to signed) if all messages it previously answered with failed came from dishonest parties

  13. Detecting dishonesty
  Lemma 1. If T receives a message from Pi in round r, and previously answered failed to some other Pk in round s < r-1, then Pk is dishonest
  • Since s > 0, we have r > 2, and therefore the message from Pi includes the complete set of round-(r-2) messages, countersigned by everybody
  • Thus Pk must have participated in round r-1, in order to have countersigned the round-(r-2) messages and sent this as a message to Pi
  • So Pk was active after having sent its message to T, and hence is dishonest

  14. Verification protocol
  • Pi shows a signed contract to the verifier V
  • V outputs signed if the contract consists of either of the following:
  • (T was contacted and responded signed) the complete set of n round-(r-1) messages signed by some Pj and countersigned by T in round r > 1
  • (optimistic termination) the complete set of n round-(t+2) messages
  • Otherwise V outputs failed
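The round structure of slides 11 to 14 (the t+2 rounds, T's rules, the Lemma 1 dishonesty check, and V's decision), as an added Python simulation that is not part of the slides or of either paper. Signatures are modelled by an ideal oracle rather than a real scheme, the party names P1..P3 and the contract text are constructed, and the `simulate` driver's assumption that a party contacting T does so at the start of a round with the complete previous-round set it holds is mine, not the papers'.

```python
# Added example (not from the slides or the papers): simulation of the
# optimistic t+2 round protocol, T's rules, Lemma 1, and the verifier V.
from dataclasses import dataclass

@dataclass(frozen=True)
class Sig:
    signer: str
    payload: tuple   # (kind, contract, round, body)

_ISSUED = set()      # ideal-signature oracle: every Sig that was genuinely issued

def sign(signer, payload):
    """Stand-in for an unforgeable signature: only sign() can add to _ISSUED."""
    s = Sig(signer, payload)
    _ISSUED.add(s)
    return s

def verify(s):
    return isinstance(s, Sig) and s in _ISSUED

def round_message(party, contract, r, prev):
    """Round 1: a signed promise to sign.  Round r > 1: a countersignature
    over the complete set of n round-(r-1) messages (slide 11)."""
    body = None if r == 1 else frozenset(prev)
    return sign(party, ("promise" if r == 1 else "round", contract, r, body))

def complete_round(msgs, parties, contract, r):
    """True iff msgs is the complete set of n genuine round-r messages."""
    if msgs is None or len(msgs) != len(parties):
        return False
    genuine = all(verify(m) and m.payload[1:3] == (contract, r) for m in msgs)
    return genuine and {m.signer for m in msgs} == set(parties)

class TrustedParty:
    """T's rules from slide 12; Lemma 1 (slide 13) decides when a failed
    decision may be changed to signed."""

    def __init__(self, parties, contract):
        self.parties, self.contract = parties, contract
        self.decision = None      # None, "failed" or "signed"
        self.aborted = []         # (party, round) pairs that were answered failed
        self.dishonest = set()    # parties proven dishonest by Lemma 1

    def contact(self, party, r, prev):
        """party sends T everything it received; for r > 1 that is the
        complete round-(r-1) set, which T countersigns if it answers signed."""
        if r > 1 and not complete_round(prev, self.parties, self.contract, r - 1):
            raise ValueError("round-%d request lacks the full round-%d set" % (r, r - 1))
        request = sign(party, ("to-T", self.contract, r, None if r == 1 else frozenset(prev)))
        if self.decision is None:                        # T's first message decides
            self.decision = "failed" if r == 1 else "signed"
        if self.decision == "failed" and self.aborted:
            # Lemma 1: a party answered failed in round s < r-1 must have sent a
            # round-(r-1) message (it is countersigned inside prev), so it stayed
            # active after contacting T and is dishonest.
            self.dishonest |= {pk for pk, s in self.aborted if s < r - 1}
            if all(pk in self.dishonest for pk, _ in self.aborted):
                self.decision = "signed"
        if self.decision == "failed":
            self.aborted.append((party, r))
            return "failed"
        return sign("T", ("T", self.contract, r, request))   # evidence for the verifier

def verifier(evidence, parties, contract, t):
    """V's rule from slide 14: accept T's countersignature over a complete
    round-(r-1) set with r > 1, or the complete round-(t+2) set."""
    if isinstance(evidence, Sig):
        if not (verify(evidence) and evidence.signer == "T"):
            return "failed"
        kind, c, r, request = evidence.payload
        if kind != "T" or c != contract or r <= 1 or not verify(request):
            return "failed"
        ok = complete_round(request.payload[3], parties, contract, r - 1)
        return "signed" if ok else "failed"
    return "signed" if complete_round(evidence, parties, contract, t + 2) else "failed"

def simulate(parties, contract, t, contacts, dishonest=()):
    """Run the t+2 rounds.  contacts = {party: round}: that party contacts T at
    the start of that round with the complete set it holds (an assumption of
    this driver).  An honest party then sends nothing further; a party listed
    in dishonest keeps sending after contacting T."""
    T = TrustedParty(parties, contract)
    answers, prev = {}, None
    for r in range(1, t + 3):
        for p in parties:
            if contacts.get(p) == r:
                answers[p] = T.contact(p, r, prev)
        senders = [p for p in parties if contacts.get(p, t + 3) > r or p in dishonest]
        if len(senders) < len(parties):   # an honest party stopped: round cannot complete
            return T, answers, None
        prev = [round_message(p, contract, r, prev) for p in senders]
    return T, answers, prev               # prev is the complete round-(t+2) set
```

With n = 3 and t = 1, `simulate(P, C, 1, {})` ends with the complete round-3 set and `verifier` answers signed. `simulate(P, C, 1, {"P1": 1})` has P1 abort honestly in round 1, so T answers failed and no round can complete. `simulate(P, C, 1, {"P1": 1, "P2": 2}, dishonest={"P1"})` shows T staying at failed, because P1's round-1 abort is not yet provably dishonest when P2 arrives in round 2 (s = 1 is not below r-1 = 1). `simulate(P, C, 1, {"P1": 1, "P2": 3}, dishonest={"P1"})` shows the switch: P2's complete round-2 set contains P1's round-2 message, Lemma 1 marks P1 dishonest, and T countersigns evidence that the verifier accepts.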

  15. Security of the protocol
  Theorem 2 [Waidner and Waidner, ICALP 2000]. The protocol described is a fair asynchronous multi-party contract signing scheme with a trusted third party T for any t < n. It is optimistic and terminates in t+4 rounds in the worst case.
  • Correctness and verifiability are clearly satisfied
  • Unforgeability is true because all variants of a valid contract contain pieces signed by all parties, and we assume the signatures are unforgeable

  16. Termination
  • Each of the t+2 rounds terminates either because all responses from the other parties are received, or T is contacted and eventually answers. In the worst case, T is contacted in the last round, giving t+4 rounds
  • No invalid contracts is shown by contradiction. Assume an honest Pi decided failed and an honest verifier V decides signed
  • Case 1: V has all n round-(r-1) messages signed by some Pj and countersigned by T in round r > 1
  • Pj decided signed based on the response received from T in round r, and so for Pi to decide failed, it must have received an abort from T in round s <= r
  • But T could not have changed its decision from failed to signed, because it could only do that if all aborted parties (Pi is a counterexample) are dishonest – a contradiction

  17. No invalid contracts (continued)
  • Case 2: V has all n round-(t+2) messages
  • To decide failed, Pi must have participated in round t+2 but then contacted T and received an abort
  • From the rules of T, and by induction, for all rounds {1,…,t+1}, some party received an abort
  • Then by Lemma 1, those parties who received an abort in rounds {1,…,t} must be dishonest
  • Since there are at most t dishonest parties, the party who received an abort in round t+1 must be honest
  • That party could not have participated in round t+2, so the set of n round-(t+2) messages could not have been complete – a contradiction

  18. Round optimality
  Corollary 1. The number of rounds for the contract signing scheme is O(n).

  19. Abuse-freeness
  • Abuse-freeness – at no point can a party prove to an outsider that he has the power to control whether the contract will be signed
  • Example of abuse:
  • Alice signs a contract (to supply widgets for $10) and faxes it to Bob for him to sign
  • Bob (abusive) uses his potentially signed contract with Alice to coerce Charlie into offering him a new contract (for $9 widgets)
  • Bob never signs the contract with Alice

  20. Is the protocol abuse-free?
  • The contract signing protocol is not abuse-free!
  • Example (n = 2, P2 abusive):
  • both parties send their round-1 messages, but only P1 sends his round-2 message
  • P2 could either
  • ignore the messages from P1 and send a (round-1) message to T and get the response failed, or
  • use the messages from P1 and send a (round-3) message to T and get the response signed
  • the round-3 message that P2 could send to T will convince an outsider of the power that P2 has to decide the contract

  21. Adding abuse-freeness
  • The basic idea remains the same, but each party generates a fresh, new signature for the execution of the protocol
  • This is in contrast to their mutually agreed upon, permanent digital signatures
  • The result of an execution of the old protocol with the fresh signatures is called the pre-contract
  • Since an adversary cannot prove that a fresh signature belongs to a certain party, an outsider would not be convinced of the status of the protocol, and hence the protocol is abuse-free

  22. However, the pre-contract is also made to contain the contract signed with the parties’ permanent signatures, but encrypted (with T’s public key) so that only T can decrypt
  • To convert the pre-contract into a real contract, the parties then exchange the original contract signed with the parties’ permanent signatures, and check that the pre-contract was indeed valid
  • Failing that, T can try to recover by decrypting all the encrypted messages in the pre-contract
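Slides 21 and 22, as an added Python example that is not the slides' or the papers' code: it shows why a signature under a fresh per-execution key tells an outsider nothing about who produced it, and how the permanent signature still reaches T inside the pre-contract. The assumptions are labelled in the code: Lamport one-time signatures stand in for the signature scheme (the slides fix none), encryption under T's public key is modelled as an opaque envelope that only T can open, and the party names and contract text are constructed.

```python
# Added example (not from the slides or the papers): fresh per-execution
# signatures and the sealed permanent signature of the pre-contract.
import hashlib
import os

# Lamport one-time signatures over SHA-256: an assumption standing in for the
# signature scheme, which the slides do not fix. A key is cheap to generate,
# which suits the "fresh signature per execution" idea of slide 21.
def _h(b):
    return hashlib.sha256(b).digest()

def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk

def _bits(msg):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lsign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lverify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(_h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

DIRECTORY = {}   # public: party name -> permanent verification key

def register(party):
    """Issue a party's permanent key and publish its verification key.
    (A Lamport key is one-time, so each "permanent" key here signs one contract.)"""
    sk, pk = keygen()
    DIRECTORY[party] = pk
    return sk

def attribute(msg, sig):
    """All an outsider can conclude from a signature on msg: the registered
    parties whose published key verifies it."""
    return [p for p, pk in DIRECTORY.items() if lverify(pk, msg, sig)]

class TrustedParty:
    """Encryption under T's public key, modelled ideally (stdlib Python has no
    public-key encryption): seal() is callable by anyone and returns an opaque
    handle; only T's open() yields the plaintext."""
    def __init__(self):
        self._vault = {}
    def seal(self, plaintext):
        handle = os.urandom(16).hex()
        self._vault[handle] = plaintext
        return handle
    def open(self, handle):
        return self._vault[handle]

def make_precontract(party, perm_sk, contract, T):
    """Slides 21-22: sign with a fresh key for this execution; the permanent
    signature travels only inside an envelope that T alone can open."""
    fresh_sk, fresh_pk = keygen()
    return {"party": party, "contract": contract, "fresh_pk": fresh_pk,
            "fresh_sig": lsign(fresh_sk, contract),
            "sealed_perm_sig": T.seal(lsign(perm_sk, contract))}

def precontract_valid(pre):
    return lverify(pre["fresh_pk"], pre["contract"], pre["fresh_sig"])

def convert(pre, perm_sig):
    """Optimistic conversion: the party reveals its permanent signature and
    the real contract is accepted only if the pre-contract was valid too."""
    return precontract_valid(pre) and lverify(DIRECTORY[pre["party"]], pre["contract"], perm_sig)

def recover(pre, T):
    """T's recovery step: open the envelope and release the permanent signature."""
    perm_sig = T.open(pre["sealed_perm_sig"])
    return perm_sig if convert(pre, perm_sig) else None

def demo():
    """One execution: Alice's pre-contract is unattributable to an outsider, yet
    converts normally and is recoverable by T."""
    T = TrustedParty()
    alice_sk = register("Alice")
    register("Bob")
    contract = b"Alice supplies widgets to Bob for $10"   # constructed sample
    pre = make_precontract("Alice", alice_sk, contract, T)
    recovered = recover(pre, T)
    return {"precontract_valid": precontract_valid(pre),
            "outsider_attributes": attribute(contract, pre["fresh_sig"]),
            "converted": convert(pre, lsign(alice_sk, contract)),
            "t_recovers": attribute(contract, recovered) if recovered else []}
```

In `demo()`, `attribute` on the fresh signature names nobody, which is the abuse-freeness property of slide 21, while `convert` (the optimistic exchange of slide 22) and `recover` (T opening the envelope) both succeed and T's recovered signature attributes to Alice. Lamport keys are one-time, so the permanent keys in this model cannot sign a second contract; the fresh-key idea itself does not depend on that choice.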

  23. Final result
  Theorem 3 [Waidner and Waidner, ICALP 2000]. There is a protocol (as outlined) for asynchronous abuse-free multi-party contract signing with a trusted third party T for any t < n. It is optimistic and terminates in t+6 rounds in the worst case.
