Contract Signing. Contract-Signing Protocols. Another example: stock trading. Example. Network is Asynchronous. Fundamental limitation

Transcription

1 ECS Week 2005 Contract-Signing Protocols John itchell Stanford Contract Signing wo parties want to sign a contract ulti-party signing is more complicated he contract is known to both parties he protocols we will look at are not for contract negotiation (e.g., auctions) he attacker could be nother party on the network he person you think you want to sign a contract with Example nother example: stock trading Immunity deal stock broker Willing to sell stock at price X Ok, willing to buy at price X customer oth parties want to sign the contract Neither wants to commit first Why signed contract? Suppose market price changes uyer or seller may want proof of agreement work is synchronous Physical solution wo parties sit at table Write their signatures simultaneously Exchange copies Problem How to sign a contract on a network? Fair exchange: general problem of exchanging information so both succeed or both fail Fundamental limitation Impossibility of consensus Very weak consensus is not solvable if one or more processes can be faulty synchronous setting Process has initial 0 or 1, and eventually decides 0 or 1 Weak termination: some correct process decides greement: no two processes decide on different values Very weak validity: there is a run in which the decision is 0 and a run in which the decision is 1 Reference. J. Fischer, N.. Lynch and. S. Paterson, Impossibility of Distributed Consensus with One Faulty Process. J C 32(2): (pril 1985).

2 FLP Partial Intuition Quote from paper: he asynchronous commit protocols in current use all seem to have a window of vulnerability - an interval of time during the execution of the algorithm in which the delay or inaccessibility of a single process can cause the entire algorithm to wait indefinitely. It follows from our impossibility result that every commit protocol has such a window, confirming a widely believed tenet in the folklore. Implication for fair exchange Need a trusted third party (P) It is impossible to solve strong fair exchange without a trusted third party. he proof is by relating strong fair exchange to the problem of consensus and adapting the impossibility result of Fischer, Lynch and Paterson. Reference H. Pagnia and F. C. Gärtner, On the impossibility of fair exchange without a trusted third party. echnical Report UD-S , Darmstadt University of echnology, arch 1999 wo forms of contract signing Easy P contract signing Gradual-release protocols lice and ob sign contract Exchange signatures a few bits at a time Issues Signatures are verifiable Work required to guess remaining signature decreases lice, ob must be able to verify that what they have received so far is part of a valid signature dd trusted third party signature contract Problem P is bottleneck Can we do better? P signature contract Optimistic contract signing Use P only if needed Can complete contract signing without P P will make decisions if asked Goals Fair: no one can cheat the other imely: no one has to wait indefinitely (assuming that P is available) Other properties General protocol outline I am going to sign the contract I am going to sign the contract Here is my signature Here is my signature rusted third party can force contract hird party can declare contract binding if presented with first two messages.

3 Commitment (idea from crypto) Refined protocol outline Cryptographic hash function Easy to compute function f Given f(x), hard to find y with f(y)=f(x) Hard to find pairs x, y with f(y)=f(x) Commit Send f(x) for randomly chosen x Complete Reveal x sign(, contract, hash(rand_) ) sign(, contract, hash(rand_) ) rand_ rand_ rusted third party can force contract hird party can declare contract binding by signing first two messages. Optimistic Protocol [sokan, Shoup, Waidner] P,, text m 1 = sig (P, P,, text, hash(r )) P,, text sokan-shoup-waidner Outcomes Contract from normal execution m 1, R, m 2, R m 2 = sig (m 1, hash(r )) m 3 = R Contract issued by third party sig (m 1, m 2 ) m 4 = R bort token issued by third party sig (abort, a 1 ) m 1, R, m 2, R Role of rusted hird Party Resolve Subprotocol can issue a replacement contract Proof that both parties are committed can issue an abort token Proof that will not issue contract acts only when requested decides whether to abort or resolve on the first-come-first-serve basis only gets involved if requested by or r2 sig (m 1, m 2 ) sig (abort, a 1 ) m 1 = sig ( hash(r )) m 2 = sig ( hash(r )) m 3 = m 4 = r 1 = m 1, m 2 r 2 aborted? Yes: r 2 = sig (abort, a 1 ) No: resolved := true r 2 = sig (m 1, m 2 )

4 bort Subprotocol Fairness and imeliness m 1 = sig ( hash(r )) work m 2 = a 1 = sig (abort, m 1 ) Fairness If cannot obtain s signature, then should not be able to obtain s signature a 2 sig (m 1, m 2 ) sig (abort, a 1 ) resolved? Yes: a 2 = sig (m 1, m 2 ) No: aborted := true a 2 = sig (abort, a 1 ) imeliness One player cannot force the other to wait -- a fair and timely termination can always be forced by contacting P and vice versa [sokan, Shoup, Waidner Eurocrypt 98] sokan-shoup-waidner protocol ttack gree m1= sign(, c, hash(r_) ) sign(, m1, hash(r_) ) r_ r_ bort a 1 sig (a 1,abort) work If not already resolved m 1 = sig (... hash(r )) m 2 = sig (m 1, hash(r )) secret Q, m 2 m 3 = R r 1 = m 1, m 2 Resolve m 1 m 2 sig (m 1, m 2 ) ttack? r 2 = sig (m 1, m 2 ) sig (m 1, m 2 ) contracts are inconsistent! m 1, R, m 2, Q Replay ttack Fixing the Protocol sig ( hash(r )) sig (... hash(r )) R R Later... sig (P, P,, text, hash(r )) sig (m 1, hash(q )) R Q Intruder causes to commit to old contract with P,, text m 1 = sig (P, P,, text, hash(r )) m 2 = sig (m 1, hash(r )) m 3 = sig ( R, hash(r )) m 4 = R m 1, R, m 2, R P,, text

5 Desirable properties [Garay, Jakobsson, acenzie] buse-free Contract Signing Fair If one can get contract, so can other ccountability If someone cheats, message trace shows who cheated buse free No party can show that they can determine outcome of the protocol PCS (text,,) PCS (text,,) sig (text) sig (text) Private Contract Signature Special cryptographic primitive cannot take msg from and show to C converts signatures, does not use own Role of rusted hird Party Resolve Subprotocol can convert PCS to regular signature Resolve the protocol if necessary can issue an abort token Promise not to resolve protocol in future acts only when requested decides whether to abort or resolve on a first-come-first-served basis only gets involved if requested by or PCS (text,,) PCS (text,,) r 1 = PCS (text,,), sig (text) sig (a 1 ) sig (text) r 2 aborted? Yes: r 2 = sig (a 1 ) No: resolved := true r 2 = sig (text) store sig (text) bort Subprotocol Garay, Jakobsson, acenzie m 1 = PCS (text,,) gree bort work a 1 =sig (m 1,abort) PCS (text,,) PCS (text,,) sig (text) sig (text) m 1 = PCS (text,,) work a 2 sig (text) sig (a 1 ) resolved? Yes: a 2 = sig (text) No: aborted := true a 2 = sig (a 1 ) Resolve PCS (text,,) PCS (text,,) PCS (text,,) sig (text) abort ND sig (text) ttack sig (abort) Leaked by abort

6 ttack Repairing the Protocol PCS (text,,) PCS (text,,) sig PCS (text,,), (abort) sig (text) Leaked by sig sig (abort) (abort) If converts PCS into a conventional signature, can be held accountable PCS (text,,) PCS (text,,) PCS (text,,), PCS (text,,) abort ND sig (text) only abort alance dvantage No party should be able to unilaterally determine the outcome of the protocol alance may be violated even if basic fairness is satisfied! Stock sale example: there is a point in the protocol where the broker can unilaterally choose whether the sale happens or not Can a timely, optimistic protocol be fair ND balanced? stock broker Willing to sell stock at price X Ok, willing to buy at price X ust be able to ask P to cancel this instance of protocol, or will be stuck indefinitely if customer does not respond customer Can go ahead and complete the sale, Optimistically waits for broker to respond can still ask P to cancel (P doesn t know customer has responded) Chooses whether deal will happen: does not have to commit stock for sale, can cancel if sale looks unprofitable Cannot back out of the deal: must commit money for stock buse free : as good as it gets Specifically: One signer always has an advantage over the other, no matter what the protocol is heorem In any fair, optimistic, timely contract-signing protocol, if one player is optimistic*, the other player has an advantage. est case: signer with advantage cannot prove it has the advantage to an outside observer * optimistic player: waits a little before going to the third party

7 buse-freeness alance impossible No party should be able to unilaterally determine the outcome of the protocol buse-freeness No party should be able to prove that it can unilaterally determine the outcome of the protocol How to prove something like this? Define protocol Program for lice, ob, P Each move depends on Local State (what s happened so far) essage from network imeout Consider possible optimistic runs Show someone gets advantage [Garay, Jakobsson, acenzie Crypto 99] ey idea (omitting many subtleties) dvantage (intuition for main argument) Define power of a signer ( or ) in a state s Power (s) = if can get contract by reading a message already in network, doing internal computation if can get contract by communicating with, assuming does nothing otherwise Look at optimistic transition s s where Power (s) =1 > Power (s) = 0. If Power (s) = 0 Power (s ) =1 then his is result of some move by Power (s) = 0 means cannot get contract without s help he move by is not a message to P he proof is for an optimistic protocol, so we are thinking about a run without msg to could abort in state s We assume protocol is timely and fair: must be able to do something, cannot get contract can still abort in s, so has advantage! Conclusions Online contract signing is subtle Fair buse-free ccountability Several interdependent subprotocols any cases and interleavings Finite-state tools great for case analysis! Find bugs in protocols proved correct Proving properties of all protocols is harder Understand what is possible and what is not