Multi-Party Contract Signing Sam Hasinoff April 9, 2001

Dec 11, 2015

Page 1: Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing

Sam Hasinoff

April 9, 2001

Page 2:

References

• Round-optimal and Abuse-free Optimistic Multi-Party Contract Signing (Baum-Waidner and Waidner, ICALP 2000)

• Abuse-free Multi-party Contract Signing (Garay and MacKenzie, DISC 1999)

Page 3:

Overview

• Contract signing

• Lower bound on number of rounds

• Contract signing protocol

• Abuse-freeness

Page 4:

Contract Signing

• Contract – formal agreement on a text between two or more parties

– Example: landlord, tenant, sublessor

• If the terms of a contract are broken and need to be enforced, a contract verifier must be able to determine the validity of the contract

• Fairness – either all honest participants obtain a valid contract or no one does

Page 5:

• Every party decides signed or failed

• Using a trusted party (T), the problem is easy to solve:

– T collects signatures from the parties

– If all signatures arrive, it redistributes them, otherwise it aborts the contract

• T is a bottleneck for trust and performance

• Optimistic protocol – uses T only if something goes wrong

Page 6:

Security Requirements (Fairness)

• Correctness – if all parties are honest and patient, they all decide signed

• Verifiability – if an honest party decided signed and the verifier is patient, the verifier will decide signed

• Unforgeability – if an honest party didn’t sign the contract, no verifier decides signed

• No invalid contracts – if an honest party decided failed, no verifier decides signed

• Termination – the protocol eventually terminates

Page 7:

Model

• There are n signing parties – P1,…,Pn

• Up to t < n parties are Byzantine

• Network is asynchronous and scheduled by the adversary

– Messages are reliably delivered, eventually, but with no guarantee on order

• Signatures are unforgeable

– Assumption based on the cryptography

Page 8:

Lower bound

• There must exist a final round in which some party (say P1) sends a message that can be combined with all previous messages to complete the contract

Theorem 1 [Garay, MacKenzie, DISC 1999]. Any fair optimistic contract signing protocol for n parties requires at least n rounds (in a run where T is not used).

Page 9:

• At this point, P1 must have received messages from the others in previous rounds s.t. it could send a message to T to obtain a complete contract

• Otherwise, the other parties could use the message from P1 to complete their contracts, but decide to send nothing further. This would leave P1 with no contract and violate fairness – a contradiction

• Specifically, there must be a previous round in which some party (say P2) sends a message to P1 allowing this

Page 10:

• This argument generalizes easily

• Given that a set of participants P1,…,Pi have received messages s.t. any of them could send a message to T and obtain a complete contract regardless of the actions of Pi+1,…,Pn, there must be a previous round in which some party (say Pi+1), sends a message to Pi that allows this

• So by a backwards induction, the number of rounds needed is at least n

Page 11:

Contract signing protocol

• Protocol proceeds in t+2 rounds

• In round 1, each party signs a promise to sign the contract and broadcasts that promise

• In subsequent rounds, each party collects signatures from the previous round, countersigns this set of n signatures, and broadcasts it

• The result of the (t+2)-nd round is the real contract

Page 12:

• Any party who gets tired of waiting can contact T and send it all the messages received so far

• That party then stops sending any messages, and simply waits for an answer from T

• If T receives its first message in round 1, it must abort and respond with failed

• If T receives its first message in some later round, it will respond with signed

• T will only ever change its response (from failed to signed) if all messages it previously answered with failed came from dishonest parties

Page 13:

Detecting dishonesty

Lemma 1. If T receives a message from Pi in round r, and previously answered failed to some other Pk in round s < r-1, then Pk is dishonest

• Since s > 0, we have r > 2, and therefore the message from Pi includes the complete set of round-(r-2) messages, countersigned by everybody

• Thus Pk must have participated in round r-1, in order to have countersigned the round-(r-2) messages and sent this as a message to Pi

• So Pk was active after having sent its message to T, and hence is dishonest

Page 14:

Verification protocol

• Pi shows a signed contract to the verifier V

• V outputs signed if the contract consists of either of the following:

– (T was contacted and responded signed) the complete set of n round-(r-1) messages, as sent to T by some Pj and countersigned by T in round r > 1

– (optimistic termination) the complete set of n round-(t+2) messages

• Otherwise V outputs failed
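The following simulation is an added example, not code from these slides or from the cited paper. It runs the t+2-round protocol of pages 11 and 12, T's rules (including the Lemma 1 dishonesty test of page 13) and V's two acceptance cases above, for n = 3 parties with a constructed contract text and constructed secret keys. Real digital signatures are replaced by a keyed hash, so every checker in the simulation is assumed to hold the signers' keys; a round-r message is the signer's countersignature over the digest of the complete round-(r-1) set, and a round-1 message is the signed promise.

```python
import hashlib

# Constructed sample: three parties, a contract text, and per-party secret keys.
CONTRACT = "P1, P2 and P3 split the rent on 12 Example Street three ways"
KEYS = {1: "p1-secret", 2: "p2-secret", 3: "p3-secret"}
T_KEY = "trusted-party-secret"

def sign(secret, *fields):
    """Toy signature: a keyed hash standing in for an unforgeable signature (simulation only)."""
    return hashlib.sha256("|".join(map(str, (secret,) + fields)).encode()).hexdigest()

def digest(msgs):
    """Canonical digest of a complete set of round messages {sender: signature}."""
    return hashlib.sha256(repr(sorted(msgs.items())).encode()).hexdigest()

def round_msg(i, r, transcript):
    """Round 1: Pi's signed promise. Round r > 1: Pi's countersignature over all n round-(r-1) messages."""
    prev = "promise" if r == 1 else digest(transcript[r - 1])
    return sign(KEYS[i], CONTRACT, r, prev)

def complete(transcript, r):
    """True iff the transcript holds a valid message from every party for each of rounds 1..r."""
    return all(set(transcript.get(rr, {})) == set(KEYS)
               and all(sig == round_msg(i, rr, transcript) for i, sig in transcript[rr].items())
               for rr in range(1, r + 1))

class TrustedParty:
    """T's rules: a first contact in round 1 aborts, any later first contact resolves to signed,
    and failed flips to signed only once every earlier aborter is provably dishonest
    (Lemma 1: answered failed in round s < r-1, yet its round-(r-1) message is in the transcript)."""

    def __init__(self):
        self.decision = None   # None, "failed" or "signed"
        self.aborted = {}      # party -> round in which T answered it failed
        self.contract = None

    def contact(self, i, r, transcript):
        # Pi is in round r: it must show complete, valid sets for rounds 1..r-1.
        if not complete(transcript, r - 1):
            raise ValueError(f"P{i} sent an incomplete transcript for round {r}")
        if self.decision == "failed" and all(s < r - 1 for s in self.aborted.values()):
            self.decision = None   # every earlier aborter is dishonest, so T may resolve afresh
        if self.decision is None:
            if r == 1:
                self.decision = "failed"
            else:
                self.decision = "signed"
                self.contract = {"kind": "resolved", "by": i, "round": r,
                                 "transcript": {rr: dict(transcript[rr]) for rr in range(1, r)},
                                 "t_sig": sign(T_KEY, CONTRACT, r, digest(transcript[r - 1]))}
        if self.decision == "failed":
            self.aborted[i] = r
            return "failed", None
        return "signed", self.contract

def verify(contract, rounds):
    """V's rule: accept T's countersigned round-(r-1) set for some r > 1, or a complete round-(t+2) set."""
    tr = contract["transcript"]
    if contract["kind"] == "resolved":
        r = contract["round"]
        return (r > 1 and complete(tr, r - 1)
                and contract["t_sig"] == sign(T_KEY, CONTRACT, r, digest(tr[r - 1])))
    return contract["kind"] == "optimistic" and complete(tr, rounds)

def optimistic_run(t):
    """All parties honest and patient: every party broadcasts in each of the t+2 rounds."""
    transcript = {}
    for r in range(1, t + 3):
        transcript[r] = {i: round_msg(i, r, transcript) for i in KEYS}
    return {"kind": "optimistic", "transcript": transcript}

def lemma1_run():
    """n = 3, t = 1 (three rounds). P3 has T abort in round 1, then keeps participating anyway.
    When P1 contacts T in round 3, the transcript carries P3's round-2 countersignature:
    P3 was active after aborting in round 1 < 3-1, so T flips to signed."""
    T = TrustedParty()
    p3_answer, _ = T.contact(3, 1, {})
    transcript = {1: {i: round_msg(i, 1, {}) for i in KEYS}}
    transcript[2] = {i: round_msg(i, 2, transcript) for i in KEYS}   # includes dishonest P3
    p1_answer, contract = T.contact(1, 3, transcript)
    return p3_answer, p1_answer, contract

def abort_sticks_run():
    """P3 aborts in round 1 and P2 (holding all three promises) contacts T in round 2.
    Here s = 1 = r-1: P3 may honestly have broadcast its promise and then stopped, so T stays failed."""
    T = TrustedParty()
    T.contact(3, 1, {})
    return T.contact(2, 2, {1: {i: round_msg(i, 1, {}) for i in KEYS}})[0]

if __name__ == "__main__":
    print("optimistic run verifies:", verify(optimistic_run(1), 3))
    p3, p1, c = lemma1_run()
    print(f"P3 got {p3}, P1 got {p1}, T's contract verifies: {verify(c, 3)}")
    print("abort with s = r-1 sticks:", abort_sticks_run())
```

Two points the slides state only in prose become visible here: T validates the whole transcript before deciding, because "all the messages received so far" is the only evidence of which round the caller is really in; and the Lemma 1 test is strictly s < r-1, so an aborter from the immediately preceding round (abort_sticks_run) is never treated as dishonest.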

Page 15:

Security of the protocol

• Correctness and verifiability are clearly satisfied

• Unforgeability is true because all variants of a valid contract contain pieces signed by all parties, and we assume the signatures are unforgeable

Theorem 2 [Baum-Waidner and Waidner, ICALP 2000]. The protocol described is a fair asynchronous multi-party contract signing scheme with a trusted third party T for any t < n. It is optimistic and terminates in t+4 rounds in the worst case.

Page 16:

• Termination

– Each of the t+2 rounds terminates either because all responses from the other parties are received, or T is contacted and eventually answers. In the worst case, T is contacted in the last round, giving t+4 rounds

• No invalid contracts is shown by contradiction. Assume an honest Pi decided failed and an honest verifier V decides signed

– Case 1: V has all n round-(r-1) messages sent to T by some Pj and countersigned by T in round r > 1

• Pj decided signed based on the response received from T in round r, so for Pi to decide failed, it must have received an abort from T in round s <= r

• But T could not have changed its decision from failed to signed, because it could only do that if all aborted parties (Pi is a counterexample) are dishonest – a contradiction

Page 17:

• No invalid contracts (continued)

– Case 2: V has all n round-(t+2) messages

• To decide failed, Pi must have participated in round t+2 but then contacted T and received an abort

• From the rules of T, and by induction, for all rounds {1,…,t+1}, some party received an abort

• Then by Lemma 1, those parties who received an abort in rounds {1,…,t} must be dishonest

• Since there are at most t dishonest parties, the party who received an abort in round t+1 must be honest

• That party could not have participated in round t+2, so the set of n round-(t+2) messages could not have been complete – a contradiction

Page 18:

Round optimality

Corollary 1. Since t < n, the contract signing scheme needs at most t+4 <= n+3 rounds, i.e. O(n) rounds, matching the lower bound of Theorem 1 up to a constant.

Page 19:

Abuse-freeness

• Abuse-freeness – at no point can a party prove to an outsider that he has the power to control whether the contract will be signed

• Example of abuse:

– Alice signs a contract (to supply widgets for $10) and faxes it to Bob for him to sign

– Bob (abusive) uses his potentially signed contract with Alice to coerce Charlie into offering him a new contract (for $9 widgets)

– Bob never signs the contract with Alice

Page 20:

Is the protocol abuse-free?

• The contract signing protocol is not abuse-free!

• Example (n = 2, P2 abusive):

– both parties send their round-1 messages, but only P1 sends his round-2 message

– P2 could either

• ignore the messages from P1 and send a (round-1) message to T and get the response failed, or

• use the messages from P1 and send a (round-3) message to T and get the response signed

– the round-3 message that P2 could send to T will convince an outsider of the power that P2 has to decide the contract

Page 21:

Adding abuse-freeness

• The basic idea remains the same, but each party generates a fresh, new signature for the execution of the protocol

– This is in contrast to their mutually agreed upon, permanent digital signatures

• The result of an execution of the old protocol with the fresh signatures is called the pre-contract

• Since an adversary cannot prove that a fresh signature belongs to a certain party, an outsider would not be convinced of the status of the protocol, and hence the protocol is abuse-free
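The n = 2 abuse of page 20 and the fresh-signature fix above, as an added example that is not from the slides or the cited papers. P2 holds P1's round-2 countersignature (the piece it would forward to T in its round-3 message) and shows it to Charlie, who accepts "P1 is committed and P2 decides the outcome" only if the signature verifies under the key his PKI binds to P1. Keys are toy textbook RSA over random four-digit primes, chosen only so that an outsider can verify with a public key; the contract text, party names and the PKI dictionary are constructed, and the `fresh_signatures` switch is this example's own device for comparing the two variants.

```python
import hashlib
import random

CONTRACT = "Alice (P1) supplies widgets to Bob (P2) at $10 each"   # constructed sample text

# Toy textbook RSA so an outsider can check signatures with a public key.
# Demo only: four-digit primes and no padding, so this is not a secure signature scheme.
def random_prime(rng, lo=1000, hi=10000):
    """Trial-division search for a small prime (demo-sized keys only)."""
    while True:
        c = rng.randrange(lo, hi)
        if all(c % k for k in range(2, int(c ** 0.5) + 1)):
            return c

def keygen(rng):
    """Return (public, private) = ((n, e), (n, d)) from two distinct random small primes."""
    p = random_prime(rng)
    q = random_prime(rng)
    while q == p:
        q = random_prime(rng)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537   # e is prime and exceeds p-1 and q-1, so gcd(e, phi) = 1
    return (n, e), (n, pow(e, -1, phi))

def _hash_mod(n, fields):
    return int.from_bytes(hashlib.sha256("|".join(map(str, fields)).encode()).digest(), "big") % n

def sign(private, *fields):
    n, d = private
    return pow(_hash_mod(n, fields), d, n)

def verify(public, sig, *fields):
    n, e = public
    return pow(sig, e, n) == _hash_mod(n, fields)

def digest(msgs):
    """Canonical digest of a set of round messages {party: signature}."""
    return hashlib.sha256(repr(sorted(msgs.items())).encode()).hexdigest()

def round_message(private, r, prev_digest="promise"):
    """Round 1: signed promise to sign. Round r > 1: countersignature over the round-(r-1) set."""
    return sign(private, CONTRACT, r, prev_digest)

def outsider_convinced(pki, claimed_signer, key_shown, sig, r, prev_digest):
    """Charlie's check: the signature must verify under the key the PKI binds to the claimed
    signer. A valid signature under any other key proves nothing, since P2 could have
    generated that key itself."""
    return pki.get(claimed_signer) == key_shown and verify(key_shown, sig, CONTRACT, r, prev_digest)

def abuse_scenario(fresh_signatures, rng):
    """n = 2, P2 abusive. Both parties send round-1 promises; only P1 sends its round-2
    countersignature. P2 now holds both a round-1 abort request and a round-3 resolve request
    for T, takes neither, and shows P1's round-2 message to Charlie."""
    pki, permanent = {}, {}
    for name in ("P1", "P2"):
        pki[name], permanent[name] = keygen(rng)          # long-term keys, registered with the PKI
    if fresh_signatures:                                  # abuse-free variant: one-off keys per execution
        keys = {name: keygen(rng) for name in ("P1", "P2")}
    else:
        keys = {name: (pki[name], permanent[name]) for name in ("P1", "P2")}
    round1 = {name: round_message(keys[name][1], 1) for name in ("P1", "P2")}
    p1_round2 = round_message(keys["P1"][1], 2, digest(round1))
    shown_key = keys["P1"][0]                             # the verification key P2 hands to Charlie
    return {
        "valid_under_key_shown": verify(shown_key, p1_round2, CONTRACT, 2, digest(round1)),
        "attributable_to_P1": outsider_convinced(pki, "P1", shown_key, p1_round2, 2, digest(round1)),
    }

if __name__ == "__main__":
    rng = random.SystemRandom()
    print("permanent signatures:", abuse_scenario(False, rng))
    print("fresh signatures:    ", abuse_scenario(True, rng))
```

With permanent keys both flags are true: the message P2 would send T in round 3 is itself the proof of P2's power. With fresh keys the signature still verifies under the key shown, but that key is bound to nobody, which is exactly the gap page 22 closes by letting T, and only T, link the fresh execution back to the permanent signatures.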

Page 22:

• However, the pre-contract is also made to contain the contract signed with the parties’ permanent signatures, but encrypted (with T’s public key) so that only T can decrypt

• To convert the pre-contract into a real contract, the parties then exchange the original contract signed with the parties’ permanent signatures, and check that the pre-contract was indeed valid

• Failing that, T can try to recover by decrypting all the encrypted messages in the pre-contract

Page 23:

Final result

Theorem 3 [Baum-Waidner and Waidner, ICALP 2000]. There is a protocol (as outlined) for asynchronous abuse-free multi-party contract signing with a trusted third party T for any t < n. It is optimistic and terminates in t+6 rounds in the worst case.