Download ppt

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
Document related concepts
no text concepts found
Transcript 
Advantage and abuse-freeness
in contract-signing protocols
Rohit Chadha, John Mitchell, Andre Scedrov,
Vitaly Shmatikov
To appear in CONCUR 2003
Contract-signing protocols
 Two parties want to exchange signatures on preagreed texts over the internet
 Signers adversarial
 Both signers want to exchange signatures
 Neither wants to sign first
 Fairness
• Each signer gets the other’s signature or neither does
 Timeliness:
• No signer gets stuck
 Abuse-freeness:
• No party can prove to an outside party that it can control
the outcome
Optimism
 Two categories of contract-signing protocols:
• Gradual release protocols
• Fixed-round protocols
 Fairness requires a third party, T
• Even 81, FLP
 Trivial protocol
• Send signatures to T which then completes the exchange
 Optimistic 3-party protocols
• T contacted only for error recovery
• Avoids communication bottlenecks
 Optimistic signer
• Prefers not to go to T
General protocol outline
Willing to sell stock at this price
OK, willing to buy stock at this price
B
Here is my signature
C
Here is my signature
 Trusted third party can force or abort the exchnage
• Third party can declare exchange binding if presented
with first two messages.
Optimism and advantage
 Once customer commits to the purchase, he cannot use
the committed funds for other purposes
 Customer likely to wait for some time for broker to
respond: contacting T to force the exchange is costly
and can cause delays
 Since broker can abort the exchange, this waiting
period may give broker a way to profit: see if shares
are available at a lower price
 The longer the customer is willing to wait, the greater
chance the broker has to pair trades at a profit
 Broker has an advantage: she can control the outcome
of the protocol
Related work
 Need for trusted third party
• Even 81
 Mitchell and Shmatikov (Financial Crypto 2000) used Mur, a
finite-state model checker, to analyze two signatureexchange protocols
• Asokan-Shoup-Waidner (IEEE Symposium on Security and Privacy,
98)
• Garay-Jakobsson-Mackenzie Protocol(GJM) (Crypto 1999)
 Chadha, Kanovich and Scedrov used MSR to analyze GJM
protocol
• Proved fairness
• Defined and proved balance for honest participants
 Kremer and Raskin used model-checkers to study a version of
abuse-freeness (CSFW 2002)
Fairness, optimism, and
timeliness
Model and fairness
 We consider only single runs of the protocol
 Call the two participants P and Q
 Definitions lead to game-theoretic notions
• If P follows strategy, then Q cannot achieve win over P
• Or, P follows strategy from some class …
 A strategy of P is Q-silent if it succeeds whenever Q
does nothing
 Need timeouts in the model “waiting”
• The signers use timeouts to decide when to contact T
 Fairness for P
• If Q has P’s contract, then P has a strategy to get Q’s
contract
Timeliness
A protocol is timely for P if
• For all reachable states, S, P has a (Q -silent)
strategy to drive the protocol to a state S’ such
that
either P gets Q’s signature
or Q cannot obtain P’s signature by talking to T
• Protocol is timely if it is timely for both
signers
Optimism
Protocol is optimistic for Q if, assuming P
controls the timeouts of both Q and P, then
and honest Q has a strategy to get honest
P’s contract without any messages to/from T
• The signers use timeouts to decide when to contact T
• If P is willing to wait “long enough” for Q, then Q
may exchange signatures with P without T getting
involved
Protocol is optimistic if it is optimistic for
both signers
Optimistic participant
A participant P is honest if it follows the
protocol
Honest P is said to be optimistic if
• Whenever P can choose between
– waiting for a message from Q
– contacting T for any purpose
P waits and allows Q to move next
• Modeled by giving the control of timeouts to Q
Advantage
Q is said to have the power to abort against
an optimistic P in S
• if Q has a strategy to prevent P from getting Q’s
signature
Q is said to have the power to resolve
against an optimistic P in S
• if Q has a strategy to get P’s signature
Q has advantage against an optimistic P if Q
has both the power to abort and the power to
resolve
Hierarchy
Advantage against honest P
H-adv

Advantage against optimistic P
O-adv
Exchange subprotocol in GJM
O
R
I am willing to sign
may abort
I am willing to sign
Here is my signature
may resolve
may quit
Here is my signature
may resolve
Advantage flow in GJM
O
R
I am willing to sign
O-adv
O-adv
I am willing to sign
Here is my signature
Here is my signature
Impossibility theorems
GJM is balanced for honest participants
• No participant has an advantage
In any optimistic and fair protocol
• Some potentially dishonest participant has an
advantage over its optimistic counterparty
In any optimistic, fair, and timely protocol
• Any potentially dishonest participant has an
advantage at some non-initial point over its
optimistic counterparty
Abuse-freeness
No evidence of advantage
If
• Q can provide evidence of P’s participation to an
outside observer X,
then
• Q does not have advantage against an optimistic P
• The protocol is said to be abuse-free
 Evidence: what does X know
 X knows fact  in state 
•  is true in any state consistent with X’s
observations in 
Advantage flow in GJM
O
R
I am willing to sign
O-adv
O-adv
I am willing to sign
Here is my signature
Here is my signature
Exchange subprotocol in Boyd-Foo
O
R
I am willing to sign
Here is my signature
may resolve
Here is my signature
R may request T to enforce the exchange
Advantage flow in BF
O
R
I am willing to sign
H-adv
Here is my signature
Here is my signature
A non abuse-free protocol
O
T
My signature
R
My signature
Release sigs?
Yes
R’s signature
O’s signature
O can present message from T to C as
proof of R’s participation
Relationship between various properties
Secure for optimistic
signer
Secure for
honest signer
Abuse-Free
Fair
Weak abuse-freeness
The only proof of participation of P is P’s
contract
A protocol is weakly abuse-free for P if in any
reachable state S where Q has received P’s
contract, Q does not have advantage over P
If a protocol is fair for P , then it is weakly
abuse-free for P
Conclusions
 A model to study contract signing protocols
•
•
•
•
•
•
Use multiset rewriting framework
Used timers to reflect natural bias
Formal definitions of fairness and effectiveness given
Natural bias: optimistic signers defined
Give game-theoretic definitions of advantage and balance
Advantage flows in GJM and BF
 Show that the addition of the third party does not
guarantee balance
 Use epistemic logic to formalize abuse-freeness
Further work
 Multiparty signature exchange protocols to be
investigated
 Other properties like trusted-third party
accountability to be investigated
 Use of automated theorem provers based on
rewriting techniques
• Maude developed by Denker, Lincoln, Meseguer, Eker,
Clavel, etc.
 Explore solutions other than abuse-freeness to
address lack of balance
• Estimate cost of asymmetry
Interested participant
Honest P is said to be interested if
• Whenever P can choose between
– waiting for a message from Q
– quitting or contacting T to abort
P waits and allows Q to move next
Modeled by giving the control of abort
timeouts to Q
Hierarchy
Advantage against honest A
H-adv

Advantage against interested A
I-adv

Advantage against optimistic A
O-adv
Related documents
Print This Product - Check Endorser Store
Print This Product - Check Endorser Store
PATIENTS` RIGHTS AND RESPONSIBILITIES STATEMENT
PATIENTS` RIGHTS AND RESPONSIBILITIES STATEMENT
amino acids, peptides and proteins
amino acids, peptides and proteins
HEALTH HISTORY AIDS/HIV Yes Yes Lazy Eye Yes Yes Arthritis
HEALTH HISTORY AIDS/HIV Yes Yes Lazy Eye Yes Yes Arthritis
Release of Information
Release of Information
ppt
ppt
I understand that the information that I have given today is correct to
I understand that the information that I have given today is correct to
Honors World History - Ottawa Township High School
Honors World History - Ottawa Township High School
personal finance syllabus - Anderson School District One
personal finance syllabus - Anderson School District One
system no yes ? no yes
system no yes ? no yes
AUTHORITY TO SIGN A UNIVERSITY CONTRACT Rule of Law:
AUTHORITY TO SIGN A UNIVERSITY CONTRACT Rule of Law: