Multi-Party Contract Signing - PowerPoint PPT Presentation

1 / 23
About This Presentation
Title:

Multi-Party Contract Signing

Description:

Multi-Party Contract Signing Sam Hasinoff April 9, 2001 References Round-optimal and Abuse-free Optimistic Multi-Party Contract Signing (Waidner and Waidner, ICALP ... – PowerPoint PPT presentation

Number of Views:27
Avg rating:3.0/5.0
Slides: 24
Provided by: SamHas4
Category:

less

Transcript and Presenter's Notes

Title: Multi-Party Contract Signing


1
Multi-Party Contract Signing
  • Sam Hasinoff
  • April 9, 2001

2
References
  • Round-optimal and Abuse-free Optimistic
    Multi-Party Contract Signing (Waidner and
    Waidner, ICALP 2000)
  • Abuse-free Multi-party Contract Signing (Garay
    and MacKenzie, DISC 1999)

3
Overview
  • Contract signing
  • Lower bound on number of rounds
  • Contract signing protocol
  • Abuse-freeness

4
Contract Signing
  • Contract formal agreement on a text between two
    or more parties
  • Example landlord, tenant, sublessor
  • If terms of a contract are broken and need to be
    enforced, a contract verifier must be able
    determine the validity of the contract
  • Fairness either all honest participants obtain
    a valid contract or no one does

5
  • Every party decides signed or failed
  • Using a trusted party (T), the problem is easy to
    solve
  • T collects signatures from the parties
  • If all signatures arrive, it redistributes them,
    otherwise it aborts the contract
  • T is a bottleneck for trust and performance
  • Optimistic protocol uses T only if something
    goes wrong

6
Security Requirements (Fairness)
  • Correctness if all parties are honest and
    patient, they all decide signed
  • Verifiability if an honest party decided signed
    and the verifier is patient, he will decide
    signed
  • Unforgeability if an honest party didnt sign
    the contract, no verifier decides signed
  • No invalid contracts if an honest party decided
    failed, no verifier decides signed
  • Termination the protocol eventually terminates

7
Model
  • There are n signing parties P1,,Pn
  • Up to t lt n parties are Byzantine
  • Network is asynchronous and scheduled by the
    adversary
  • Messages are reliably delivered, eventually, but
    with no guarantee on order
  • Signatures are unforgeable
  • Assumption based on the cryptography

8
Lower bound
Theorem 1 Garay, MacKenzie, DISC 1999. Any fair
optimistic contract signing protocol for n
parties requires at least n rounds (in a run
where T is not used).
  • There must exist a final round in which some
    party (say P1) sends a message that can be
    combined with all previous messages to complete
    the contract

9
  • At this point, P1 must have received messages
    from the others in previous rounds s.t. it could
    send a message to T to obtain a complete contract
  • Otherwise, the other parties could use the
    message from P1 to complete their contracts, but
    decide to send nothing further. This would leave
    P1 with no contract and violate fairness a
    contradiction
  • Specifically, there must be a previous round in
    which some party (say P2) sends a message to P1
    allowing this

10
  • This argument generalizes easily
  • Given that a set of participants P1,,Pi have
    received messages s.t. any of them could send a
    message to T and obtain a complete contract
    regardless of the actions of Pi1,,Pn, there
    must be a previous round in which some party (say
    Pi1), sends a message to Pi that allows this
  • So by a backwards induction, the number of rounds
    needed is at least n

11
Contract signing protocol
  • Protocol proceeds in t2 rounds
  • In round 1, each party signs a promise to sign
    the contract and broadcasts that promise
  • In subsequent rounds, each party collects
    signatures from the previous round, countersigns
    this set of n signatures, and broadcasts it
  • The result of the (t2)-nd round is the real
    contract

12
  • Any party who gets tired of waiting can contact T
    and send it all the messages received so far
  • It then stops sending any messages, and simply
    waits for an answer from T
  • If T receives its first message in round 1, it
    must abort and respond with failed
  • If T receives its first message in some later
    round, it will respond with signed
  • T will only ever change its response (from failed
    to signed) if all messages it previously answered
    with failed came from dishonest parties

13
Detecting dishonesty
Lemma 1. If T receives a message from Pi in round
r, and previously answered failed to some other
Pk in round s lt r-1, then Pk is dishonest
  • Since s gt 0, we have r gt 2, and therefore the
    message from Pi includes the complete set of
    round-(r-2) messages, countersigned by everybody
  • Thus Pk must have participated in round r-1, in
    order to have countersigned the round-(r-2)
    messages and sent this as a message to Pi
  • So Pk was active after having sent its message to
    T, and hence is dishonest

14
Verification protocol
  • Pi shows a signed contract to the verifier V
  • V outputs signed if either the contract consists
    of either of the following
  • (T was contacted and responded signed) the
    complete set of n round-(r-1) messages signed by
    some Pj and countersigned by T in round r gt 1
  • (optimistic termination) the complete set of n
    round-(t2) messages
  • Otherwise V outputs failed

15
Security of the protocol
Theorem 2 Waidner and Waidner, ICALP 2000. The
protocol described is a fair asynchronous
multi-party contract signing scheme with a
trusted third party T for any t lt n. It is
optimistic and terminates in t4 rounds in the
worst case.
  • Correctness and verifiability are clearly
    satisfied
  • Unforgeability is true because all variants of a
    valid contract contain pieces signed by all
    parties, and we assume the signatures are
    unforgeable

16
  • Termination
  • Each of the t2 rounds terminates either because
    all responses from the other parties are
    received, or T is contacted and eventually
    answers. In the worst case, T is contacted in the
    last round, giving t4 rounds
  • No invalid contracts is shown by contradiction.
    Assume an honest Pi decided failed and an honest
    verifier V decides signed
  • Case 1 V has all n round-(r-1) messages signed
    by some Pj and countersigned by T in round r gt 1
  • Pj decided signed based on the response received
    from T in round r, and so for Pi to decide
    failed, it must has received an abort from T in
    round s lt r
  • But T could not have changed its decision from
    failed to signed, because it could only do that
    if all aborted parties (Pi is a counterexample)
    are dishonest a contradiction

17
  • No invalid contracts (continued)
  • Case 2 V has all n round-(t2) messages
  • To decide failed, Pi must have participated in
    round t2 but then contacted T and received an
    abort
  • From the rules of T, and by induction, for all
    rounds 1,,t1, some party received an abort
  • Then by Lemma 1, those parties who received an
    abort in rounds 1,,t must be dishonest
  • Since there are at most t dishonest parties, the
    party who received an abort in round t1 must be
    honest
  • That party could not have participated in round
    t2, so the set n of round-(t2) messages could
    not have been complete a contradiction

18
Round optimality
Corollary 1. The number of rounds for the
contract signing scheme is O(n).
19
Abuse-freeness
  • Abuse-freeness at no point can a party prove to
    an outsider that he has the power to control
    whether the contract will be signed
  • Example of abuse
  • Alice signs a contract (to supply widgets for
    10) and faxes it to Bob for him to sign
  • Bob (abusive) uses his potentially signed
    contract with Alice to coerce Charlie into
    offering him a new contract (for 9 widgets)
  • Bob never signs the contract with Alice

20
Is the protocol abuse-free?
  • The contract signing protocol is not abuse-free!
  • Example (n 2, P2 abusive)
  • both parties send their round-1 messages, but
    only P1 sends his round-2 message
  • P2 could either
  • ignore the messages from P1 and send a (round-1)
    message to T and get the response failed, or
  • use the messages from P1 and send a (round-3)
    message to T and get the response signed
  • the round-3 message that P2 could send to T will
    convince an outsider of the power that P2 has to
    decide the contract

21
Adding abuse-freeness
  • The basic idea remains the same, but each party
    generates a fresh, new signature for the
    execution of the protocol
  • This is in contrast to their mutually agreed
    upon, permanent digital signatures
  • The result of an execution of the old protocol
    with the fresh signatures is called the
    pre-contract
  • Since an adversary cannot prove that a fresh
    signature belongs to a certain party, an outsider
    would not be convinced of the status of the
    protocol, and hence the protocol is abuse-free

22
  • However, the pre-contract is also made to contain
    the contract signed with the parties permanent
    signatures, but encrypted (with Ts public key)
    so that only T can decrypt
  • To convert the pre-contract into a real contract,
    the parties then exchange the original contract
    signed with the parties permanent signatures,
    and check that the pre-contract was indeed valid
  • Failing that, T can try to recover by decrypting
    all the encrypted messages in the pre-contract

23
Final result
Theorem 3 Waidner and Waidner, ICALP 2000.
There is a protocol (as outlined) for
asynchronous abuse-free multi-party contract
signing with a trusted third party T for any t lt
n. It is optimistic and terminates in t6 rounds
in the worst case.
Write a Comment
User Comments (0)
About PowerShow.com