Inductive Methods and ContractSigning Protocols - PowerPoint PPT Presentation

1
Inductive Methods and Contract-Signing Protocols
  • Rohit Chadha, Max Kanovich, Andre Scedrov
  • University Of Pennsylvania

2
Contract-signing protocols: purpose
  • Two parties want to sign a contract over the
    internet
  • Traditionally, they meet and sign their copies
    together
  • On the internet, somebody has to go first
  • The parties are adversarial, i.e., they may
    collaborate actively with the intruder

3
Desired properties
  • Want to ensure fairness
    • If nothing goes wrong, each party gets a valid
      contract
    • At the end either both parties have a contract or
      neither has
  • Balanced
    • No party controls the outcome at any stage
  • Optimistic
    • Bother the trusted third party only if something
      goes wrong

4
Related work
  • Multiset-rewriting formalism (MSR) designed by Lincoln,
    Mitchell, Scedrov, Durgin, Cervesato
    • Use MSR to specify the protocol
  • Mitchell and Shmatikov used Murφ, a finite-state
    model checker, to analyze two contract-signing
    protocols
    • Asokan-Shoup-Waidner
    • GJM protocol
    • Mitchell and Shmatikov found several bugs and
      suggested fixes
  • Das and Dill use model checking and abstraction
    to give automated proofs of fairness

5
What we achieved
  • Studied the Garay-Jakobsson-MacKenzie protocol
  • Found another anomaly and proposed a fix
  • Give formal definitions and proofs of fairness
    and balance
  • Study strongly dishonest participants
    • Their private keys are known to the Dolev-Yao
      intruder
  • Study connections with linear logic

6
GJM protocol

7
Assumptions
  • Two parties, Originator O and Responder R,
    exchange signatures on a previously agreed upon
    contract text, m
  • Exchange signatures with the help of a
    Trusted Third Party, T
    • Maintains a database of the protocol instances it
      has seen before
    • Never misbehaves
    • Identity of T agreed upon before the protocol
      begins
  • A globally unique protocol identifier, n, agreed
    upon before the protocol begins

8
The protocol
  • The protocol consists of three different
    subprotocols
    • Exchange subprotocol
    • Abort subprotocol
    • Resolve subprotocol
  • Abbreviate pd = <m,n,O,R,T>; pd identifies the
    protocol instance uniquely
  • A participant is said to have a valid contract if
    • it has either sigO(pd) or TP-sigO(pd), and
    • it has either sigR(pd) or TP-sigR(pd)

9
Exchange subprotocol
(Diagram of the message flow between O and R: O may quit, may abort, or may resolve; R may resolve. T can arbitrate if anything goes wrong.)
10
Abort subprotocol
  • O requests T to abort pd
  • The channel to T is write-protected and
    transparent, i.e., the intruder can observe the
    traffic but cannot block, delay, or insert
    messages
  • If T has not answered a request from O before:
    • if it has a resolution, it sends the resolution
    • if it has an abort, it sends the abort token
    • if neither, it sends an abort token and stores it

11
Resolve subprotocol
  • O requests T to resolve pd
  • If T has not answered a request from O before:
    • if it has a resolution, it sends the resolution
    • if it has an abort, it sends the abort token
    • if neither, it sends the resolution and stores
      it

12
Without the unique identifier
O → T: sigO(O,m,R,T,abort)        <T aborts>
O → R: PCS(O,m,R,T)               <Intruder intercepts>
O and R start again
O → R: PCS(O,m,R,T)
R → O: PCS(R,m,O,T)
O → R: sigO(m,O,T)
R → O: sigR(m,R,T)                <Intruder intercepts>
O → T: PCS(O,m,R,T), PCS(R,m,O,T)
T aborts
13
Fairness

14
Optimistic
  • There exists a reachable configuration, reachable
    without the use of rules of T, in which O has
    finished the protocol and has a valid contract

T need not always be bothered
15
Effectiveness
  • Effectiveness for honest O
    • For each reachable configuration S, there is a
      configuration S′ reachable from S, reachable by
      rules of O and T, such that honest O has
      completed the protocol instance and has either an
      abort token or a valid contract

An honest participant can always get an abort
token or a valid contract
16
Fairness
  • Fairness for honest O
    • If R has a valid contract in a reachable
      configuration S, then there exists S′ reachable
      from S such that an honest O has a valid contract
    • If an honest O has an abort token in
      configuration S then for all configurations S′
      reachable from S, R does not have a valid contract

A strongly dishonest participant gets a valid
contract if and only if the honest one does
17
Database properties
  • Database Persistence: If T has an abort for pd
    in S then it still has an abort for all
    configurations reachable from S. The same holds
    for a resolution and a valid contract
  • Database Consistency: T does not have conflicting
    entries for pd in any reachable configuration.

Key to fairness lies in these properties
18
Balance

19
Abuse-free contract signing GJM
  • Wish to avoid the following scenario
    • Suppose R tries to sell a house to O and they
      agree on a price
    • Now R gets another bidder, say O′
    • Suppose R can convince O′ that O is committed to
      the sale, whereas R is not yet
    • If O′ offers a better price then R may forgo the
      previous sale

20
Approximation: balance
  • Assume effectiveness and fairness
  • Abuse-freeness (GJM)
    • It is impossible for any participant at any point
      in the protocol to be able to prove to an outside
      party that he (the participant) has the power to
      abort or complete the contract
  • Balance
    • No participant has the ability at any point in
      the protocol to determine the outcome of the
      protocol, i.e., to have both the power to abort and
      the power to successfully complete the contract

21
Transparent channels and balance
  • Steve Kremer and Olivier Markowitch
  • If the condition on channels to T is relaxed and
    the intruder may delay messages on these
    channels, the following scenario arises
    • O sends its PCS to R, R does not respond
    • O asks T for abort, R asks T for resolution
    • In order to achieve an abort, R delays its
      resolve request until T issues an abort
    • In order to achieve a valid contract, R delays
      O's abort request until T issues a resolution

22
Continuation tree
  • O is honest and R is strongly dishonest
    • Strongly dishonest R is in coalition with the
      intruder
  • Assume that the intruder takes finitely many
    steps
  • Continuation tree at S, tr, is the full tree of
    traces after S

23
Strategy
  • A removable edge in tr is an edge labeled by
    • a rule of R,
    • an intruder rule, or
    • a rule that indicates a message read from the network
  • If E is a set of removable edges,
    • tr\E is the tree obtained by deleting all the
      edges in E along with their descendants
    • tr\E is a strategy of R

24
Strategy example
25
Strategy example
26
Power to abort
  • tr\E is an abort tree if every leaf node is
    labeled by a state in which O has an abort token
  • R has the power to abort at S if there is an E
    such that tr\E is an abort tree
  • Power to resolve can be defined similarly

27
Balance
  • Balance for honest O: For any reachable
    configuration S, and for all bounds on the number
    of steps the intruder can take, at S, R does
    not have both the power to abort and the power to
    complete

28
Main lemma
  • R has the power to abort in S iff
    • O has the abort token in S, or
    • there is a subset X of rules that label removable
      edges such that
      • whenever S goes to S′ by an application of a
        rule that labels a non-removable edge or by an
        application of a rule in X, then R has the power
        to abort in S′

Recursive characterization allows us to prove
balance
29
Conclusions
  • The globally unique identifier is important to
    guarantee fairness
  • Use multiset-rewriting formalism with existential
    quantification to express the protocols
  • Formal definitions of basic fairness properties
    of contract-signing protocols
  • Formal definition of a natural game-based
    non-trace property, a version of abuse-freeness

30
Conclusions
  • Consider strongly dishonest participants and a
    Dolev-Yao intruder
  • Formal inductive proofs of fairness and balance
  • Extension with the additive connectives of linear
    logic allows formalization of the non-trace-based
    property balance

31
Further Work
  • Other properties such as Trusted Third party
    accountability to be investigated
  • Other possible forms of abuse-freeness to be
    considered
  • Multiparty contract signing protocols to be
    investigated

34
Inductive Methods and Contract-Signing Protocols
  • Rohit Chadha, Max Kanovich, Andre Scedrov

35
Contract-signing protocols: purpose
  • Two parties want to sign a contract over the
    internet
  • Traditionally, they meet and sign their copies
    together
  • On the internet, somebody has to go first
  • Want to ensure fairness
    • If nothing goes wrong, each party gets a valid
      contract
    • At the end either both parties have a contract or
      neither has
  • Optimistic
    • Bother the trusted third party only if something
      goes wrong
  • Balanced
    • No party controls the outcome at any stage

36
Goals of this work
  • Study contract-signing protocols
  • State and formally prove basic fairness
    properties of contract-signing protocols, e.g.,
    • Every participant is guaranteed to complete
    • Honest party does not get cheated
    • A potentially dishonest participant cannot
      control the outcome of the protocol
  • Study logical connections

37
Outline
  • Garay-Jakobsson-MacKenzie two-party
    contract-signing protocol
    • Definition in multiset-rewriting formalism
  • Definition and proof of fairness
    • Proof by inductive methods
  • Definition and proof of balance
    • Definition in terms of game-like strategies
  • Expressing balance in linear logic

38
Related work
  • Mitchell and Shmatikov used Murφ,
    a finite-state model checker, to analyze two
    contract-signing protocols
    • Asokan-Shoup-Waidner
    • GJM protocol
    • Mitchell and Shmatikov found several bugs and
      suggested fixes
  • Das and Dill use model checking and abstraction
    to give automated proofs of fairness

39
GJM Protocol

40
Assumptions
  • Two parties, Originator O and Responder R,
    exchange signatures on a previously agreed upon
    contract text, m
  • Exchange signatures with the help of a
    Trusted Third Party, T
    • Identity of T agreed upon before the protocol
      begins
  • A globally unique protocol identifier, n, agreed
    upon before the protocol begins

41
Cryptographic assumptions
  • Each participant is identified with a private
    signing/public verification key pair
  • Perfect cryptography
  • Protocol uses a new cryptographic primitive:
    Private Contract Signature, PCS
    • The private contract signature of O on m intended
      for R with respect to T is denoted by PCS(O,m,R,T)
      and its properties are

42
PCS
  • PCS(O,m,R,T) can be computed by O
  • There is an algorithm PCS-Ver such that
    PCS-Ver(O,m,R,T,S) = true if S = PCS(O,m,R,T)
  • R can compute S = FakeSign(O,m,R,T) such that
    PCS-Ver(O,m,R,T,S) = true
  • Only O and R can compute S such that
    PCS-Ver(O,m,R,T,S) = true, and only O, R, and T can
    tell who computed such an S
  • O can convert PCS(O,m,R,T) into a conventional
    universally verifiable signature sigO(m)

43
PCS (contd.)
  • T can convert PCS(O,m,R,T) into a conventional
    universally verifiable signature TP-SigO(m)
  • Nobody other than O or T can convert PCS(O,m,R,T)
    into a universally verifiable signature

44
Channels
  • The channel between O and R is in complete control
    of the Dolev-Yao intruder
    • Intruder can intercept messages
    • It can copy messages
    • It can decompose and compose messages
    • It can insert messages
  • The channel between a participant and T is
    write-protected and transparent, i.e., the
    intruder can observe the traffic but cannot
    block, delay, or insert messages

45
Trusted third party
  • T maintains a database of all the protocol
    instances it has acted upon
  • T does not misbehave
  • T is separate from all participants

46
Participants
  • Honest participants follow the protocol
  • Weakly dishonest participants accept messages
    from the intruder and take no further part in the
    protocol
  • Strongly dishonest participants: their signing
    keys are known to the intruder

47
The protocol
  • The protocol consists of three different
    subprotocols
    • Exchange subprotocol
    • Abort subprotocol
    • Resolve subprotocol
  • Protocol instance identified by
    • Identity of O, R, T
    • Contract text, m
    • Globally unique identifier, n
  • Abbreviate pd = <m,n,O,R,T>

48
Exchange subprotocol
(Diagram of the message flow between O and R: O may quit, may abort, or may resolve; R may resolve.)
49
Abort subprotocol
  • O requests T to abort by sending ma1 =
    sigO(pd,abort)
  • T checks if it has answered a request for pd
    before on the O-T channel. If not:
    • if it has a resolution, it sends the resolution,
      <TP-sigO(pd), TP-sigR(pd)>, on the O-T channel
    • if it has an abort, it sends the abort token
      sigT(ma1)
    • if neither resolution nor abort, it sends the
      abort token, sigT(ma1), stores it and raises its
      abort flag

50
Resolve subprotocol
  • O requests T to resolve by sending PCS(O,m,R,T),
    PCS(R,m,O,T)
  • T checks if it has answered a request for pd
    before on the O-T channel. If not:
    • if it has a resolution, it sends the resolution,
      <TP-sigO(pd), TP-sigR(pd)>
    • if it has an abort, it sends the abort token
    • if neither resolution nor abort, it sends the
      resolution, <TP-sigO(pd), TP-sigR(pd)>, stores
      it and raises its abort flag
  • R's resolve subprotocol is similar

51
Without the unique identifier
O → R: PCS(O,m,R,T)               <Intruder intercepts>
O → T: sigO(O,m,R,T,abort)        <T aborts>
O and R start again
O → R: PCS(O,m,R,T)
R → O: PCS(R,m,O,T)
O → R: sigO(m,O,T)
R → O: sigR(m,R,T)                <Intruder intercepts>
O → T: PCS(O,m,R,T), PCS(R,m,O,T)
T aborts
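As an added worked example (not code from the original slides or from the GJM authors), the following Python model implements T's abort and resolve subprotocols from slides 49 and 50 and replays the trace above twice: once with pd = <m,O,R,T> (no unique identifier) and once with pd = <m,n,O,R,T>. Signatures, PCS values and the contract text are constructed tagged tuples, not cryptography; the one assumption beyond the slides is that on a channel T has already answered it simply re-sends its stored answer.

```python
# Added example: T's abort/resolve database and the slide-51 trace, with and without n.
# Tagged tuples stand in for signatures; this is a protocol model, not cryptography.

def sig(signer, payload):
    """Conventional signature sig_signer(payload)."""
    return ("sig", signer, payload)

def tp_sig(signer, pd):
    """T's converted signature TP-sig_signer(pd)."""
    return ("TP-sig", signer, pd)

def pcs(signer, pd):
    """Private contract signature of `signer` on instance pd."""
    return ("PCS", signer, pd)

def has_valid_contract(holdings, pd, O, R):
    """Slide 52: (sigO or TP-sigO) and (sigR or TP-sigR), both on pd."""
    have = lambda kind, who: (kind, who, pd) in holdings
    return (have("sig", O) or have("TP-sig", O)) and (have("sig", R) or have("TP-sig", R))

class TrustedThirdParty:
    def __init__(self, name="T"):
        self.name = name
        self.db = {}           # pd -> ("abort", token) | ("resolved", (TP-sigO, TP-sigR))
        self.answered = set()  # (pd, requester): channels T has already answered

    def _answer(self, pd, requester, fresh):
        """Database discipline shared by slides 49-50: look up, else create, never overwrite."""
        if (pd, requester) not in self.answered:
            self.answered.add((pd, requester))
            if pd not in self.db:        # neither resolution nor abort stored yet
                self.db[pd] = fresh()    # store it; persistence: the entry is never replaced
        # Assumption: on a channel already answered, T re-sends its stored answer.
        return self.db[pd]

    def abort(self, requester, ma1):
        """Abort subprotocol: ma1 = sig_requester(pd, abort)."""
        kind, signer, (pd, flag) = ma1
        assert kind == "sig" and signer == requester and flag == "abort"
        return self._answer(pd, requester, lambda: ("abort", sig(self.name, ma1)))

    def resolve(self, requester, pcs_o, pcs_r):
        """Resolve subprotocol: the requester presents both PCS values for the same pd."""
        (_, O, pd), (_, R, pd2) = pcs_o, pcs_r
        assert pd == pd2 and requester in (O, R)
        return self._answer(pd, requester,
                            lambda: ("resolved", (tp_sig(O, pd), tp_sig(R, pd))))

def run_trace(unique_id):
    """Replay slide 51: abort in run 1, exchange in run 2, R's last signature intercepted."""
    T, O, R, m = TrustedThirdParty(), "O", "R", "house-sale-terms"   # constructed sample
    def make_pd(n):
        return (m, n, O, R, T.name) if unique_id else (m, O, R, T.name)
    # Run 1: O's PCS is intercepted, so O asks T to abort; T stores an abort for pd1.
    pd1 = make_pd("n1")
    first_kind, _ = T.abort(O, sig(O, (pd1, "abort")))
    # Run 2: O and R start again. Everything is delivered except sig_R(pd2).
    pd2 = make_pd("n2")
    o_holds = {pcs(R, pd2), sig(O, pd2)}                # O still lacks any signature of R
    r_holds = {pcs(O, pd2), sig(O, pd2), sig(R, pd2)}   # R already holds sig_O(pd2)
    second_kind, value = T.resolve(O, pcs(O, pd2), pcs(R, pd2))
    if second_kind == "resolved":
        o_holds |= set(value)
    # A later abort request by R on pd2 must be answered from T's database.
    r_late_kind, _ = T.abort(R, sig(R, (pd2, "abort")))
    return {
        "first_answer": first_kind,
        "second_answer": second_kind,
        "R_late_abort": r_late_kind,
        "O_has_contract": has_valid_contract(o_holds, pd2, O, R),
        "R_has_contract": has_valid_contract(r_holds, pd2, O, R),
        "db_entries": len(T.db),
    }

if __name__ == "__main__":
    for flag in (False, True):
        print("unique identifier:", flag, run_trace(flag))
```

Without n the second run's resolve request hits the abort stored for the first run, so O ends with no signature of R while R already holds sigO(pd): fairness fails. With n the two runs are distinct database entries, and database persistence is visible in R's late abort request, which T answers with the stored resolution.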
52
Valid contract
  • A participant is said to have a valid contract if
    • it has either sigO(pd) or TP-sigO(pd), and
    • it has either sigR(pd) or TP-sigR(pd)

53
Protocol definition in MSR

54
Multiset-rewriting formalism
  • Choose a first-order signature, fix it
  • Facts
    • F ::= P(t1, …, tn)
    • t ::= x | c | f(t1, …, tn)
  • States F1, ..., Fn
    • Multiset of facts
    • Includes network messages, private state
    • Intruder will see messages, not private state
    • Multiset allows duplicated messages, states

Multi-sorted first-order atomic formulas
55
State transitions
  • Transition rule
    • F1, …, Fk → ∃x1 … ∃xm. G1, …, Gn
  • What this means
    • If F1, …, Fk are in state S, then a next state S′ has
      • facts F1, …, Fk removed
      • G1, …, Gn added, with x1 … xm replaced by new
        symbols
      • other facts in state S carry over to S′
  • Free variables in rule universally quantified
  • Pattern matching in F1, …, Fk can invert
    functions
  • Linear logic: F1 ⊗ … ⊗ Fk ⊸ ∃x1 … ∃xm (G1 ⊗ … ⊗ Gn)

56
Initial facts
  • Finite set of initial facts
  • Contains KP(ks, kv) predicates
    • HonestGuy(ks, kv)
    • WDishonestGuy(ks, kv)
    • BadKey(ks, kv)
    • TTP(ks, kv)
    • Both the keys in the BadKey predicate are known
      to the intruder (models a strongly dishonest
      participant)
  • Contract(m) predicates

57
Role generation
KP(kos,ko), KP(krs,ko), TTP(kts,kt), contract(m)
→
∃n. O0(pd), R0(pd), T0(pd), KP(kos,ko),
KP(krs,ko), TTP(kts,kt),
contract(m), M(n)

58
Rules for O
O1:   O0(pd) → O1(pd, me1), N1(me1)
Oab?: O1(pd, me1) → Oab?(pd, me1, ma1), Rn1(kt, ko, ma1)
O2:   O1(pd, me1), N2(me2) → O2(pd, me1, me2)
O3:   O2(pd, me1, me2) → O3(pd, me1, me2, me3), N3(me3)
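The following added Python engine (example code, not from the original slides) implements the transition-rule semantics of slide 55 and applies it to the role generation rule of slide 57 and rule O1 of slide 58. The encoding is an assumption: facts are tuples, variables are strings beginning with "?", pd is modelled as <m,n,ko,kr,kt> with participants named by their verification keys, me1 is taken to be PCS(ko,m,kr,kt), and the second key pair is written KP(krs,kr).

```python
# Added example: a minimal multiset-rewriting engine in the style of slides 54-58.
# Facts are tuples ("Pred", arg, ...); terms may nest; variables are strings starting with "?".
from collections import Counter
from itertools import count

_fresh = count(1)   # supplies the "new symbols" that existential variables are replaced by

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def match(pattern, term, env):
    """Match a pattern against a ground term, extending env; nested tuples invert constructors."""
    if is_var(pattern):
        if pattern in env:
            return env[pattern] == term
        env[pattern] = term
        return True
    if isinstance(pattern, tuple):
        return (isinstance(term, tuple) and len(pattern) == len(term)
                and all(match(p, t, env) for p, t in zip(pattern, term)))
    return pattern == term

def subst(term, env):
    """Instantiate a pattern under a complete binding."""
    if is_var(term):
        return env[term]
    if isinstance(term, tuple):
        return tuple(subst(t, env) for t in term)
    return term

class Rule:
    """F1, ..., Fk -> exists x1 ... xm. G1, ..., Gn  (free variables universally quantified)."""
    def __init__(self, name, lhs, exists, rhs):
        self.name, self.lhs, self.exists, self.rhs = name, lhs, exists, rhs

def _matches(lhs, avail, env):
    """Yield every binding that consumes one distinct state fact per LHS pattern (multiset)."""
    if not lhs:
        yield dict(env)
        return
    head, rest = lhs[0], lhs[1:]
    for fact in list(avail):
        if avail[fact] == 0:
            continue
        e = dict(env)
        if match(head, fact, e):
            avail[fact] -= 1
            yield from _matches(rest, avail, e)
            avail[fact] += 1

def step(state, rule):
    """All next states: LHS facts removed, RHS facts added, fresh symbols for the existentials."""
    successors = []
    for env in _matches(rule.lhs, Counter(state), {}):
        for x in rule.exists:
            env[x] = f"{x[1:]}#{next(_fresh)}"     # a symbol never used before
        nxt = Counter(state)
        nxt.subtract(subst(f, env) for f in rule.lhs)
        nxt.update(subst(g, env) for g in rule.rhs)
        successors.append(+nxt)                     # unary '+' drops zero-count facts
    return successors

# pd = <m, n, ko, kr, kt>: participants are named by their verification keys (assumption).
PD = ("pd", "?m", "?n", "?ko", "?kr", "?kt")
ME1 = ("PCS", "?ko", "?m", "?kr", "?kt")          # O's first message, taken to be PCS(O,m,R,T)

# Role generation (slide 57); the second key pair is written KP(krs, kr) here.
ROLE_GEN = Rule("RoleGen",
    lhs=[("KP", "?kos", "?ko"), ("KP", "?krs", "?kr"), ("TTP", "?kts", "?kt"), ("contract", "?m")],
    exists=["?n"],
    rhs=[("O0", PD), ("R0", PD), ("T0", PD),
         ("KP", "?kos", "?ko"), ("KP", "?krs", "?kr"), ("TTP", "?kts", "?kt"),
         ("contract", "?m"), ("M", "?n")])

# Rule O1 (slide 58): O0(pd) -> O1(pd, me1), N1(me1); me1 is built from pd's components.
O1 = Rule("O1", lhs=[("O0", PD)], exists=[], rhs=[("O1", PD, ME1), ("N1", ME1)])

INITIAL = Counter([("KP", "kos", "ko"), ("KP", "krs", "kr"), ("TTP", "kts", "kt"),
                   ("contract", "m")])              # constructed initial facts

def o_message_on_network(state):
    """Return the N1(...) fact O put on the network, or None if there is none."""
    return next((f for f in state if f[0] == "N1"), None)

if __name__ == "__main__":
    for s in step(INITIAL, ROLE_GEN):       # two matches: either key pair may play O
        print(sorted(s))
        print(o_message_on_network(step(s, O1)[0]))
```

Because a state is a multiset, the matcher consumes a distinct fact per left-hand pattern, so the two KP facts yield two role assignments; each firing of the rule binds the existential n to a symbol that no earlier state contains, which is exactly what makes the identifier globally unique in the model.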
59
Rules for O
60
Rules for weakly dishonest O
O<4,i,j>: WDishonestGuy(kos,ko), Oi(pd,-), Nj(x) →
O<4,i,j>(pd, -, x), WDishonestGuy(kos,ko)
61
Strongly dishonest participants
  • Modeled by BadKey predicates
  • Both the keys in the BadKey predicate are known
    to the intruder
  • Because the signing key is known to the intruder,
    the intruder can sign messages, send messages on
    the channels to T

62
Common intruder model
  • Derived from Dolev-Yao assumptions
  • Intruder is a nondeterministic process
  • Intruder can
    • block network traffic except on the channels to T
    • read any message, decompose into parts
    • sign if key is known to intruder
    • insert new message from data it has observed
      except on channels to T
  • Adversary cannot
    • gain partial knowledge
    • guess part of a key
    • perform statistical tests

63
Rules of the intruder
I/O rules
REC:   Ni(x) → D(x)
SND:   C(x) → Ni(x)
RECR:  Rni(k1, k2, x) → D(x), Rni(k1, k2, x)
64
Rules of the intruder
Decomposition rules
DCMP:     D(<x,y>) → D(x), D(y)
LRN:      D(x) → M(x)
ReadPCS:  D(PCS(ko,x,kr,kt)) → D(x)
ReadSg:   D(sg(ko,x)) → D(x)
ReadFSg:  D(FSn(ko,x,kr,kt)) → D(x)
ReadTSg:  D(tsg(ko,x)) → D(x)
65
Rules of the intruder
Composition rules
COMP:  C(x), C(y) → C(<x,y>)
USE:   M(x) → C(x), M(x)
PCS:   M(kos), C(x), KP(kos,ko) → M(kos), C(PCS(ko,x,kr,kt)), KP(kos,ko)
FSn:   M(krs), C(x), KP(krs,kr) → M(krs), C(FSn(ko,x,kr,kt)), KP(krs,kr)
Sg:    M(kos), C(PCS(ko,x,kr,kt)), KP(kos,ko) → M(kos), C(sg(ko,x)), KP(kos,ko)
TSg:   M(kts), C(PCS(ko,x,kr,kt)), KP(kts,kt) → M(kos), C(tsg(ko,x)), KP(kts,kt)
GEN:   → ∃x. M(x)
66
Fairness

67
Assumptions
  • Assume we start in a configuration S0
  • Two principals O and R agree to sign a contract
    with pd = <m,n,O,R,T> by using the role generation
    rule and the resulting configuration is S1
  • Any configuration reachable from S1 will be
    called a reachable configuration
  • O is honest and R is strongly dishonest. The
    other cases can be similarly treated
  • We use induction on number of steps required to
    reach a configuration

68
Desired properties
  • There is a protocol run that does not involve TTP
    or the intruder, and results in both participants
    getting a valid contract
  • Every honest participant is guaranteed to finish
    the protocol
  • Once an honest participant gets an abort token
    from T, it is impossible for the other
    participant to get a valid contract
  • It is impossible for a strongly dishonest
    participant to get a valid contract without
    allowing the other participant to get a valid
    contract

69
View of the intruder
  • For each reachable configuration S, the view of
    the intruder is defined to be the set of messages
    the intruder can compose using the information
    available on the network, the channels to T and
    the intruder's memory.
  • Henceforth S is a reachable configuration
  • A strongly dishonest participant is said to have
    a valid contract if it is in the view of the
    intruder

70
Definition of effectiveness
  • Effectiveness for honest O
    • There exists a reachable configuration in which O
      has finished the protocol and has a valid
      contract
    • For each reachable configuration S, there is a
      configuration S′ reachable from S such that
      honest O has completed the protocol instance and
      has either an abort token or a valid contract

71
Definition of fairness
  • Fairness for honest O
    • If R has a valid contract in a reachable
      configuration S, then there exists S′ reachable
      from S such that an honest O has a valid
      contract.
    • If an honest O has an abort token in
      configuration S then for all configurations S′
      reachable from S, R does not have a valid
      contract.

72
Database properties
  • Database Persistence: If T has an abort for pd
    in S then it still has an abort for all
    configurations reachable from S. The same holds
    for a resolution and a valid contract
  • Database Consistency: T does not have conflicting
    entries for pd in any reachable configuration.

73
Effectiveness proof outline
  • If O is in a state in which it has requested an
    abort or a resolution then either an abort
    token or a valid contract is on the O-T channel
    or T has yet to answer a request from O.
  • Effectiveness for honest O holds

74
Fairness proof outline
  • An abort token or a resolution for pd is in the
    view of the intruder only if it is in T's
    database.
  • If O has an abort token for pd in S then for all
    configurations S′ reachable from S, the resolution is
    not in the view of the intruder.
  • If O is in one of the states Oi, for i ∈
    {0,1,2,3,res?}, and an abort request or an abort
    token is not in the view of the intruder then for
    all configurations reachable from S, an abort
    token is not in the view of the intruder
  • Oab2 is not reachable

75
Fairness proof outline (contd.)
  • If O has an abort token then me3 is not in the
    view of the intruder for all configurations
    reachable from S.
  • If an honest O has an abort token in
    configuration S then for all configurations S′
    reachable from S, R does not have a valid
    contract.
  • The other fairness conditions can be similarly
    stated and proved

76
Balance

77
Abuse-free contract signing GJM
  • Wish to avoid the following scenario
    • Suppose R tries to sell a house to O and they
      agree on a price
    • Now R gets another bidder, say O′
    • Suppose R can convince O′ that O is committed to
      the sale, whereas R is not yet
    • If O′ offers a better price then R may forgo the
      previous sale

78
Approximation: balance
  • Assume effectiveness and fairness
  • Abuse-freeness (GJM)
    • It is impossible for any participant at any point
      in the protocol to be able to prove to an outside
      party that he (the participant) has the power to
      abort or complete the contract
  • Balance
    • No participant has the ability at any point in
      the protocol to determine the outcome of the
      protocol, i.e., to have both the power to abort and
      the power to successfully complete the contract

79
Transparent channels and balance
  • Steve Kremer and Olivier Markowitch
  • If the condition on channels to T is relaxed and
    the intruder may delay messages on these
    channels, the following scenario arises
    • O sends its PCS to R, R does not respond
    • O asks T for abort, R asks T for resolution
    • In order to achieve an abort, R delays its
      resolve request until T issues an abort
    • In order to achieve a valid contract, R delays
      O's abort request until T issues a resolution

80
Assumptions
  • Consider the set of initial facts
  • Now let O and R agree to sign a contract by use
    of the role generation rule and let the resulting
    configuration be S1
  • O is honest and R is strongly dishonest
  • By reachable configuration we mean any
    configuration reachable from S1 without the use
    of the role generation rule

81
Continuation tree
  • Assume the intruder takes only a bounded number
    of steps
  • Continuation tree at S: the full tree of traces
    after S
  • Because of fairness for honest O, the leaves are
    labeled by states in which O has either a valid
    contract or an abort token
    • Protocol is successfully completed if O has a
      valid contract
    • Protocol is aborted if O has an abort token

82
Strategy definition
  • Let tr be the continuation tree at S
  • A removable edge is an edge labeled by a rule
    of R, or by a rule of the intruder theory, or
    by a rule in which a Ni predicate occurs on the
    left of the rule
  • Let E be a set of removable edges in tr
  • Let tr\E be the tree obtained from tr by deleting
    all the edges in E along with their descendants
  • Think of tr\E as a strategy of R

83
Strategy example
84
Strategy example
85
Power to abort
  • tr\E is an abort tree if every leaf node is
    labeled by a state in which O has an abort token
  • R has the power to abort at S if there is an E
    such that tr\E is an abort tree

86
Power to complete
  • tr\E is a contract tree if every leaf node is
    labeled by a state in which O has a valid
    contract
  • R has the power to complete at S if there is an E
    such that tr\E is a contract tree

87
Balance for honest O
  • For any reachable configuration S, and for all
    bounds on the number of steps the intruder can
    take, at S, R does not have both the power to
    abort and the power to complete
  • Note: for the protocol not to be balanced there
    need only exist one bound where R has both the
    power to abort and the power to complete. So R
    gets to choose the bound on the number of steps

88
Main lemma
  • R has the power to abort in S iff
    • O has the abort token in S, or
    • there is a subset X of rules that label removable
      edges such that
      • whenever S goes to S′ by an application of a
        rule that labels a non-removable edge or by an
        application of a rule in X, then R has the power
        to abort in S′

89
Recursive characterization
  • Suppose that the intruder takes only a bounded
    number of steps
  • Let tr be the continuation tree at S
  • Let N be a node in tr and X be a set of removable
    edges coming out of N
  • Let NX be the set of all children of N such that
    each edge from N to this set is either in X or a
    non-removable edge

90
Recursive characterization
  • N is said to be an abort-power node if it is
    labeled by a state in which O has an abort token,
    or
  • there is an X such that NX is nonempty and every node
    in NX is an abort-power node
  • Define contract-power node similarly

91
Recursive characterization
  • At S, R has the power to abort iff S (i.e., the
    root node of tr ) is an abort-power node
  • Ditto for power to complete

92
Proof outline
  • Assume the main lemma
  • Let N be a node in the continuation tree labeled
    by S
  • If at S, O is in a state in which it has
    requested an abort token from T, then either
    N is not an abort-power node or N is not a
    complete-power node
  • Similarly if in S, O has requested a resolution
  • R does not have both the power to abort and the
    power to resolve; hence the protocol is balanced
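As an added Python example (not the authors' code), the recursive characterization of slides 89 to 91 and the direct strategy definition of slides 82 to 86 are both implemented and cross-checked on two constructed continuation trees: one for the transparent channels of the model, and one for the delayable channels of slide 79. The trees are finite, which plays the role of the bound on intruder steps, and each tree is cut at the first state where O holds an abort token or a valid contract; the edge owners R, intruder and network are the removable labels. Checking that both definitions agree goes beyond what the slides state.

```python
# Added example: continuation trees, R's strategies tr\E, and the recursive
# abort-power / contract-power characterization of slides 82-92.
from dataclasses import dataclass, field
from itertools import combinations

# Edges labeled by R, by the intruder, or by a network read are the removable ones (slide 82).
REMOVABLE = {"R", "intruder", "network"}

@dataclass
class Node:
    token: str = None                            # "abort" / "contract" once O holds it
    edges: list = field(default_factory=list)    # (owner of the rule, child node)

def _children(node, removable_only):
    return [c for o, c in node.edges if (o in REMOVABLE) == removable_only]

def power_node(node, goal):
    """Slides 89-91: N is a goal-power node if O holds the goal token, or some set X of
    removable edges makes NX non-empty with every child in NX again a goal-power node."""
    if node.token is not None:
        return node.token == goal
    forced = _children(node, removable_only=False)
    if forced:                    # X = empty set leaves exactly the forced children
        return all(power_node(c, goal) for c in forced)
    return any(power_node(c, goal) for c in _children(node, removable_only=True))

def strategy_exists(root, goal):
    """Slides 82-86 by brute force: some set E of removable edges makes every leaf of tr\\E
    a state holding the goal token (a node whose edges are all deleted becomes a leaf)."""
    removable = []
    def collect(n):
        for i, (o, c) in enumerate(n.edges):
            if o in REMOVABLE:
                removable.append((id(n), i))
            collect(c)
    collect(root)
    def goal_tree(n, deleted):
        if n.token is not None:
            return n.token == goal
        kept = [c for i, (_, c) in enumerate(n.edges) if (id(n), i) not in deleted]
        return bool(kept) and all(goal_tree(c, deleted) for c in kept)
    return any(goal_tree(root, set(E))
               for k in range(len(removable) + 1) for E in combinations(removable, k))

def balanced(root):
    """Slide 87 for one fixed intruder bound: R must not hold both powers at the root."""
    return not (power_node(root, "abort") and power_node(root, "contract"))

ABORT, CONTRACT = Node("abort"), Node("contract")

def transparent_channels():
    """Constructed tree after O sent PCS(O,m,R,T): T answers O's own requests directly."""
    resolved = Node(edges=[("T", CONTRACT)])                  # O asked T to resolve
    aborted = Node(edges=[("T", ABORT)])                      # O asked T to abort
    sent_me3 = Node(edges=[("R", CONTRACT), ("O", resolved)])
    got_me2 = Node(edges=[("O", sent_me3), ("O", resolved)])
    r_resolved = Node(edges=[("T", Node(edges=[("O", Node(edges=[("T", CONTRACT)]))]))])
    return Node(edges=[("O", aborted), ("R", got_me2), ("R", r_resolved)])

def delayable_channels():
    """Constructed tree for slide 79: the intruder decides which request reaches T first."""
    abort_first = Node(edges=[("T", ABORT)])
    resolve_first = Node(edges=[("T", CONTRACT)])
    both_pending = Node(edges=[("intruder", abort_first), ("intruder", resolve_first)])
    abort_sent = Node(edges=[("R", both_pending), ("intruder", abort_first)])
    return Node(edges=[("O", abort_sent)])

if __name__ == "__main__":
    for name, tree in (("transparent", transparent_channels()),
                       ("delayable", delayable_channels())):
        print(name, "abort:", power_node(tree, "abort"),
              "complete:", power_node(tree, "contract"), "balanced:", balanced(tree))
```

In the transparent tree the edge on which O asks T to abort is labeled by an O rule, so no strategy of R can prune it and R never has the power to complete; in the delayable tree the delivery order of the two requests is an intruder choice, so R can prune whichever order it dislikes and holds both powers at once.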

93
Balance and concurrent runs
  • For the construction of the continuation tree
    • Bound the number of runs
    • Each edge labeled by the rule being used and the
      key of the principal involved
    • Any edge labeled by R's key or a key known to the
      intruder is also a removable edge
  • Protocol is balanced if for all large enough
    bounds on number of runs and for all bounds on
    the intruder steps, R does not have both the
    power to abort and the power to complete

94
Linear Logic and Balance

95
Linear logic
  • Let the removable rules be labeled as P1, P2, …,
    Pm
  • For each removable rule introduce control
    variables q1,1, q1,2, …, q1,m
  • Now for each rule Pi: X ⊸ Y, introduce a new
    guarded rule, Pi: q1,i ⊗ X ⊸ q ⊗ Y. Also
    introduce a rule idle: 1 ⊸ q
  • Let the non-removable rules be labeled as O1, O2, …, On
  • For each of these add a control variable qi, and
    guard the rule Oi: X ⊸ Y; introduce the guarded
    rule, Oi: qi ⊗ X ⊸ q ⊗ Y

96
Power to Abort
  • Also add a rule, C: q ⊸ (q1,1 & q1,2 & … & q1,m & 1) ⊗ q1 ⊗ q2 ⊗ … ⊗ qn
  • Now, at S, R has the power to abort if there
    exists a derivation
    • !C ⊗ !P1 ⊗ … ⊗ !Pm ⊗ !O1 ⊗ … ⊗ !On ⊗ S ⊗ q
      ⊢ S1 & S2 & … & Sk
    • such that for each Si, either
      • in Si, O has the abort token, or
      • there is no S′ s.t. !C ⊗ !P1 ⊗ … ⊗ !Pm ⊗ !O1 ⊗ … ⊗ !On ⊗ Si ⊗ q ⊢ S′
  • Power to resolve can be similarly defined

97
Conclusions
  • The globally unique identifier is important to
    guarantee fairness
  • Use multiset-rewriting formalism with existential
    quantification to express the protocols
  • Formal definitions of basic fairness properties
    of contract-signing protocols
  • Formal definition of a natural game-based
    property, a version of abuse-freeness

98
Conclusions
  • Consider weakly corrupt participants and a
    Dolev-Yao intruder
  • Formal inductive proofs of fairness and balance
  • Extension with the additive connectives of linear
    logic allows formalization of the non-trace-based
    property balance

99
Further Work
  • Other properties such as Trusted Third party
    accountability to be investigated
  • Other possible forms of abuse-freeness to be
    considered
  • Multiparty contract signing protocols to be
    investigated