Multi-Party Contract Signing

1
Multi-Party Contract Signing

• Sam Hasinoff
• April 9, 2001

2
References

• Round-optimal and Abuse-free Optimistic
  Multi-Party Contract Signing (Waidner and
  Waidner, ICALP 2000)
• Abuse-free Multi-party Contract Signing (Garay
  and MacKenzie, DISC 1999)

3
Overview

• Contract signing
• Lower bound on number of rounds
• Contract signing protocol
• Abuse-freeness

4
Contract Signing

• Contract formal agreement on a text between two
  or more parties
• Example landlord, tenant, sublessor
• If terms of a contract are broken and need to be
  enforced, a contract verifier must be able
  determine the validity of the contract
• Fairness either all honest participants obtain
  a valid contract or no one does

5

• Every party decides signed or failed
• Using a trusted party (T), the problem is easy to
  solve
• T collects signatures from the parties
• If all signatures arrive, it redistributes them,
  otherwise it aborts the contract
• T is a bottleneck for trust and performance
• Optimistic protocol uses T only if something
  goes wrong

6
Security Requirements (Fairness)

• Correctness if all parties are honest and
  patient, they all decide signed
• Verifiability if an honest party decided signed
  and the verifier is patient, he will decide
  signed
• Unforgeability if an honest party didnt sign
  the contract, no verifier decides signed
• No invalid contracts if an honest party decided
  failed, no verifier decides signed
• Termination the protocol eventually terminates

7
Model

• There are n signing parties P1,,Pn
• Up to t lt n parties are Byzantine
• Network is asynchronous and scheduled by the
  adversary
• Messages are reliably delivered, eventually, but
  with no guarantee on order
• Signatures are unforgeable
• Assumption based on the cryptography

8
Lower bound
Theorem 1 Garay, MacKenzie, DISC 1999. Any fair
optimistic contract signing protocol for n
parties requires at least n rounds (in a run
where T is not used).

• There must exist a final round in which some
  party (say P1) sends a message that can be
  combined with all previous messages to complete
  the contract

9

• At this point, P1 must have received messages
  from the others in previous rounds s.t. it could
  send a message to T to obtain a complete contract
• Otherwise, the other parties could use the
  message from P1 to complete their contracts, but
  decide to send nothing further. This would leave
  P1 with no contract and violate fairness a
  contradiction
• Specifically, there must be a previous round in
  which some party (say P2) sends a message to P1
  allowing this

10

• This argument generalizes easily
• Given that a set of participants P1,,Pi have
  received messages s.t. any of them could send a
  message to T and obtain a complete contract
  regardless of the actions of Pi1,,Pn, there
  must be a previous round in which some party (say
  Pi1), sends a message to Pi that allows this
• So by a backwards induction, the number of rounds
  needed is at least n

11
Contract signing protocol

• Protocol proceeds in t2 rounds
• In round 1, each party signs a promise to sign
  the contract and broadcasts that promise
• In subsequent rounds, each party collects
  signatures from the previous round, countersigns
  this set of n signatures, and broadcasts it
• The result of the (t2)-nd round is the real
  contract

12

• Any party who gets tired of waiting can contact T
  and send it all the messages received so far
• It then stops sending any messages, and simply
  waits for an answer from T
• If T receives its first message in round 1, it
  must abort and respond with failed
• If T receives its first message in some later
  round, it will respond with signed
• T will only ever change its response (from failed
  to signed) if all messages it previously answered
  with failed came from dishonest parties

13
Detecting dishonesty
Lemma 1. If T receives a message from Pi in round
r, and previously answered failed to some other
Pk in round s lt r-1, then Pk is dishonest

• Since s gt 0, we have r gt 2, and therefore the
  message from Pi includes the complete set of
  round-(r-2) messages, countersigned by everybody
• Thus Pk must have participated in round r-1, in
  order to have countersigned the round-(r-2)
  messages and sent this as a message to Pi
• So Pk was active after having sent its message to
  T, and hence is dishonest

14
Verification protocol

• Pi shows a signed contract to the verifier V
• V outputs signed if either the contract consists
  of either of the following
• (T was contacted and responded signed) the
  complete set of n round-(r-1) messages signed by
  some Pj and countersigned by T in round r gt 1
• (optimistic termination) the complete set of n
  round-(t2) messages
• Otherwise V outputs failed

15
Security of the protocol
Theorem 2 Waidner and Waidner, ICALP 2000. The
protocol described is a fair asynchronous
multi-party contract signing scheme with a
trusted third party T for any t lt n. It is
optimistic and terminates in t4 rounds in the
worst case.

• Correctness and verifiability are clearly
  satisfied
• Unforgeability is true because all variants of a
  valid contract contain pieces signed by all
  parties, and we assume the signatures are
  unforgeable

16

• Termination
• Each of the t2 rounds terminates either because
  all responses from the other parties are
  received, or T is contacted and eventually
  answers. In the worst case, T is contacted in the
  last round, giving t4 rounds
• No invalid contracts is shown by contradiction.
  Assume an honest Pi decided failed and an honest
  verifier V decides signed
• Case 1 V has all n round-(r-1) messages signed
  by some Pj and countersigned by T in round r gt 1
• Pj decided signed based on the response received
  from T in round r, and so for Pi to decide
  failed, it must has received an abort from T in
  round s lt r
• But T could not have changed its decision from
  failed to signed, because it could only do that
  if all aborted parties (Pi is a counterexample)
  are dishonest a contradiction

17

• No invalid contracts (continued)
• Case 2 V has all n round-(t2) messages
• To decide failed, Pi must have participated in
  round t2 but then contacted T and received an
  abort
• From the rules of T, and by induction, for all
  rounds 1,,t1, some party received an abort
• Then by Lemma 1, those parties who received an
  abort in rounds 1,,t must be dishonest
• Since there are at most t dishonest parties, the
  party who received an abort in round t1 must be
  honest
• That party could not have participated in round
  t2, so the set n of round-(t2) messages could
  not have been complete a contradiction

18
Round optimality
Corollary 1. The number of rounds for the
contract signing scheme is O(n).
19
Abuse-freeness

• Abuse-freeness at no point can a party prove to
  an outsider that he has the power to control
  whether the contract will be signed
• Example of abuse
• Alice signs a contract (to supply widgets for
  10) and faxes it to Bob for him to sign
• Bob (abusive) uses his potentially signed
  contract with Alice to coerce Charlie into
  offering him a new contract (for 9 widgets)
• Bob never signs the contract with Alice

20
Is the protocol abuse-free?

• The contract signing protocol is not abuse-free!
• Example (n 2, P2 abusive)
• both parties send their round-1 messages, but
  only P1 sends his round-2 message
• P2 could either
• ignore the messages from P1 and send a (round-1)
  message to T and get the response failed, or
• use the messages from P1 and send a (round-3)
  message to T and get the response signed
• the round-3 message that P2 could send to T will
  convince an outsider of the power that P2 has to
  decide the contract

21
Adding abuse-freeness

• The basic idea remains the same, but each party
  generates a fresh, new signature for the
  execution of the protocol
• This is in contrast to their mutually agreed
  upon, permanent digital signatures
• The result of an execution of the old protocol
  with the fresh signatures is called the
  pre-contract
• Since an adversary cannot prove that a fresh
  signature belongs to a certain party, an outsider
  would not be convinced of the status of the
  protocol, and hence the protocol is abuse-free

22

• However, the pre-contract is also made to contain
  the contract signed with the parties permanent
  signatures, but encrypted (with Ts public key)
  so that only T can decrypt
• To convert the pre-contract into a real contract,
  the parties then exchange the original contract
  signed with the parties permanent signatures,
  and check that the pre-contract was indeed valid
• Failing that, T can try to recover by decrypting
  all the encrypted messages in the pre-contract

23
Final result
Theorem 3 Waidner and Waidner, ICALP 2000.
There is a protocol (as outlined) for
asynchronous abuse-free multi-party contract
signing with a trusted third party T for any t lt
n. It is optimistic and terminates in t6 rounds
in the worst case.