Next few lectures. Contract-Signing Protocols. Contract Signing. Example. Network is Asynchronous. Another example: stock trading. Today.

Transcription

1 CS 259 Next few lectures Contract-Signing Protocols J. itchell V. Shmatikov oday Contract-signing protocols hursday ore about contract signing, probability Next ues Probabilistic model checking Next hurs Homework due; think about projects fter this week, cover tools and protocol examples together Contract Signing wo parties want to sign a contract ulti-party signing is more complicated he contract is known to both parties he protocols we will look at are not for contract negotiation (e.g., auctions) he attacker could be nother party on the network he person you think you want to sign a contract with Example Immunity deal oth parties want to sign the contract Neither wants to commit first nother example: stock trading work is synchronous stock broker Willing to sell stock at price X Ok, willing to buy at price X Why signed contract? Suppose market price changes uyer or seller may want proof of agreement customer Physical solution wo parties sit at table Write their signatures simultaneously Exchange copies Problem How to sign a contract on a network? Fair exchange: general problem of exchanging information so both succeed or both fail 1

2 Fundamental limitation Impossibility of consensus Very weak consensus is not solvable if one or more processes can be faulty synchronous setting Process has initial 0 or 1, and eventually decides 0 or 1 Weak termination: some correct process decides greement: no two processes decide on different values Very weak validity: there is a run in which the decision is 0 and a run in which the decision is 1 Reference. J. Fischer, N.. Lynch and. S. Paterson, Impossibility of Distributed Consensus with One Faulty Process. J C 32(2): (pril 1985). FLP Partial Intuition Quote from paper: he asynchronous commit protocols in current use all seem to have a window of vulnerability - an interval of time during the execution of the algorithm in which the delay or inaccessibility of a single process can cause the entire algorithm to wait indefinitely. It follows from our impossibility result that every commit protocol has such a window, confirming a widely believed tenet in the folklore. Implication for fair exchange Need a trusted third party (P) It is impossible to solve strong fair exchange without a trusted third party. he proof is by relating strong fair exchange to the problem of consensus and adapting the impossibility result of Fischer, Lynch and Paterson. Reference H. Pagnia and F. C. Gärtner, On the impossibility of fair exchange without a trusted third party. echnical Report UD-S , Darmstadt University of echnology, arch 1999 wo forms of contract signing Gradual-release protocols lice and ob sign contract Exchange signatures a few bits at a time Issues Signatures are verifiable Work required to guess remaining signature decreases lice, ob must be able to verify that what they have received so far is part of a valid signature dd trusted third party Easy P contract signing Optimistic contract signing signature contract Problem P is bottleneck Can we do better? P signature contract Use P only if needed Can complete contract signing without P P will make decisions if asked Goals Fair: no one can cheat the other imely: no one has to wait indefinitely (assuming that P is available) Other properties 2

3 General protocol outline Commitment (idea from crypto) I am going to sign the contract I am going to sign the contract Here is my signature Here is my signature rusted third party can force contract hird party can declare contract binding if presented with first two messages. Cryptographic hash function Easy to compute function f Given f(x), hard to find y with f(y)=f(x) Hard to find pairs x, y with f(y)=f(x) Commit Send f(x) for randomly chosen x Complete Reveal x Refined protocol outline Optimistic Protocol [sokan, Shoup, Waidner] sign(, contract, hash(rand_) ) sign(, contract, hash(rand_) ) rand_ rand_ Input: P,, text m 1 = sig (P, P,, text, hash(r )) m 2 = sig (m 1, hash(r )) m 3 = R Input: P,, text m 4 = R rusted third party can force contract hird party can declare contract binding by signing first two messages. m 1, R, m 2, R sokan-shoup-waidner Outcomes Contract from normal execution m 1, R, m 2, R Contract issued by third party sig (m 1, m 2 ) bort token issued by third party sig (abort, a 1 ) Role of rusted hird Party can issue a replacement contract Proof that both parties are committed can issue an abort token Proof that will not issue contract acts only when requested decides whether to abort or resolve on the first-come-first-serve basis only gets involved if requested by or 3

4 Resolve Subprotocol bort Subprotocol m 1 = sig ( hash(r )) m 2 = sig ( hash(r )) m 3 = m 4 = m 1 = sig ( hash(r )) work m 2 = a 1 = sig (abort, m 1 ) r2 sig (m 1, m 2 ) OR sig (abort, a 1 ) r 1 = m 1, m 2 r 2 aborted? Yes: r 2 = sig (abort, a 1 ) No: resolved := true r 2 = sig (m 1, m 2 ) a 2 sig (m 1, m 2 ) OR sig (abort, a 1 ) resolved? Yes: a 2 = sig (m 1, m 2 ) No: aborted := true a 2 = sig (abort, a 1 ) Fairness and imeliness sokan-shoup-waidner protocol Fairness If cannot obtain s signature, then should not be able to obtain s signature imeliness One player cannot force the other to wait -- a fair and timely termination can always be forced by contacting P and vice versa [sokan, Shoup, Waidner Eurocrypt 98] gree m1= sign(, c, hash(r_) ) sign(, m1, hash(r_) ) r_ r_ Resolve m 1 m 2 sig (m 1, m 2 ) a 1 sig (a 1,abort) bort ttack? work If not already resolved ttack Replay ttack r 2 = sig (m 1, m 2 ) m 1 = sig (... hash(r )) m 2 = sig (m 1, hash(r )) r 1 = m 1, m 2 m 3 = R secret Q, m 2 contracts are inconsistent! sig ( hash(r )) sig (... hash(r )) R R Later... sig (P, P,, text, hash(r )) sig (m 1, hash(q )) R Intruder causes to commit to old contract with sig (m 1, m 2 ) m 1, R, m 2, Q Q 4

5 Fixing the Protocol Input: P,, text m 1 = sig (P, P,, text, hash(r )) m 2 = sig (m 1, hash(r )) m 3 = sig ( R, hash(r )) m 4 = R Input: P,, text Desirable properties Fair If one can get contract, so can other ccountability If someone cheats, message trace shows who cheated buse free No party can show that they can determine outcome of the protocol m 1, R, m 2, R buse-free Contract Signing Preventing abuse [Garay, Jakobsson, acenzie] PCS (text,,) PCS (text,,) sig (text) sig (text) [Garay, Jakobsson, acenzie] Private Contract Signature Special cryptographic primitive cannot take msg from and show to C converts signatures, does not use own Role of rusted hird Party can convert PCS to regular signature Resolve the protocol if necessary can issue an abort token Promise not to resolve protocol in future acts only when requested decides whether to abort or resolve on a first-come-first-served basis only gets involved if requested by or Resolve Subprotocol r 1 = PCS (text,,), sig (text) sig (a 1 ) OR sig (text) PCS (text,,) PCS (text,,) r 2 aborted? Yes: r 2 = sig (a 1 ) No: resolved := true r 2 = sig (text) store sig (text) 5

6 bort Subprotocol Garay, Jakobsson, acenzie m 1 = PCS (text,,) gree bort work a 1 =sig (m 1,abort) PCS (text,,) PCS (text,,) sig (text) sig (text) m 1 = PCS (text,,) work a 2 sig (text) OR sig (a 1 ) resolved? Yes: a 2 = sig (text) No: aborted := true a 2 = sig (a 1 ) Resolve PCS (text,,) PCS (text,,) PCS (text,,) sig (text) abort ND sig (text) ttack sig (abort) Leaked by abort ttack Repairing the Protocol PCS (text,,) PCS (text,,) sig PCS (text,,), (abort) sig (text) Leaked by sig sig (abort) (abort) If converts PCS into a conventional signature, can be held accountable PCS (text,,) PCS (text,,) PCS (text,,), PCS (text,,) abort ND sig (text) only abort alance dvantage No party should be able to unilaterally determine the outcome of the protocol Willing to sell stock at price X Ok, willing to buy at price X alance may be violated even if basic fairness is satisfied! stock broker ust be able to ask P to cancel this instance of protocol, or will be stuck indefinitely if customer does not respond customer Stock sale example: there is a point in the protocol where the broker can unilaterally choose whether the sale happens or not Can a timely, optimistic protocol be fair ND balanced? Can go ahead and complete the sale, OR Optimistically waits for broker to respond can still ask P to cancel (P doesn t know customer has responded) Chooses whether deal will happen: does not have to commit stock for sale, can cancel if sale looks unprofitable Cannot back out of the deal: must commit money for stock 6

7 buse free : as good as it gets Specifically: One signer always has an advantage over the other, no matter what the protocol is heorem In any fair, optimistic, timely contract-signing protocol, if one player is optimistic*, the other player has an advantage. est case: signer with advantage cannot prove it has the advantage to an outside observer * optimistic player: waits a little before going to the third party buse-freeness alance impossible No party should be able to unilaterally determine the outcome of the protocol buse-freeness No party should be able to prove that it can unilaterally determine the outcome of the protocol How to prove something like this? Define protocol Program for lice, ob, P Each move depends on Local State (what s happened so far) essage from network imeout Consider possible optimistic runs Show someone gets advantage [Garay, Jakobsson, acenzie Crypto 99] ey idea (omitting many subtleties) dvantage (intuition for main argument) Define power of a signer ( or ) in a state s Power (s) = if can get contract by reading a message already in network, doing internal computation if can get contract by communicating with, assuming does nothing otherwise Look at optimistic transition s s where Power (s) =1 > Power (s) = 0. If Power (s) = 0 Power (s ) =1 then his is result of some move by Power (s) = 0 means cannot get contract without s help he move by is not a message to P he proof is for an optimistic protocol, so we are thinking about a run without msg to could abort in state s We assume protocol is timely and fair: must be able to do something, cannot get contract can still abort in s, so has advantage! 7

8 Conclusions Online contract signing is subtle Fair buse-free ccountability Several interdependent subprotocols any cases and interleavings Finite-state tools great for case analysis! Find bugs in protocols proved correct Proving properties of all protocols is harder Understand what is possible and what is not 8