information security conference (isc 2015) on the efficiency of multi-party contract signing...

Information Security Conference (ISC 2015)

On the Efficiency of Multi-Party Contract Signing Protocols

Gerard Draper-Gil, Josep-Lluis Ferrer Gomila, M. Francisca Hinarejos,Jianying Zhou

September 9-11, 2015 | Trondheim, Norway

On The Efficiency of Multi-Party Contract Signing Protocols

Table of Contents


• Introduction to Multi-Party Contract Signing (MPCS)

• MPCS Requirements

• Efficiency and Topologies

• Overview of Our Proposal

• Example: MPCS with Ring Topology N=3 and PCS

• Summary of Optimistic MPCS and Topologies

• Conclusions


Introduction to Multi-Party Contract Signing (MPCS)


The objective of Multi-Party Contract Signing (MPCS) protocols is to allow a set of N participants Pi (1 ≤ i ≤ N) to exchange a valid signature on a contract C.

Existing problems:• Different criteria to define requirements and terms like

round or step Difficult validation of results.• What is the influence of protocol topology?

Our Contribution:• Clear definition of efficiency parameters.• Assessment on the influence of topology.• Method to design optimal efficient MPCS.


MPCS Requirements


• Effectiveness• Fairness (Strong and Weak)• Non-repudiation• Timeliness

• Abuse-Freeness: After Pi receives a partial signature from another participant Pj, the recipient Pi cannot convince others but himself that the partial signature is from the sender Pj.

• Multi-Party Fair Exchange Requirements:

• Requirement for Contract Signing Protocols:


Efficiency and Topologies I


The action of transmitting one or more messages from an originator A to a recipient B.

Transmission

A “logical” set of information sent from an originator A to B,where B can be a set of recipients {B1, ..., BN}

Message

The definition of the term “Round” will depend on the topology.


Efficiency and Topologies II


Ring Topology:

A complete round requiresN transmissions.

A round begins when P1 executes a transmission to P2, then P2 transmits to P3, ..., and ends when P1 receives the transmission from PN, closing the ring.

Ring-Round


Efficiency and Topologies III


Sequential Topology:

A complete round requires2(N-1) transmissions.

A round starts from P1, transmitting one or more messages to P2. The transmissions continue through all the participants in a certain order (e.g., incrementing the subindex i: Pi, P(i+1),..), until it reaches PN, who reverses the order transmitting to P(N−1), who executes a transmission to P(N−2), etc. The round ends when P1 receives a transmission from P2.

Sequential-Round


Efficiency and Topologies IV


Star Topology:

A complete round requires2(N-1) transmissions.

A round begins when the initiator P1 transmits some message or messages to all Pj (j [2..N]), and ends when P1 has ∈received the corresponding transmission from each Pj. Alternatively, the round can be initiated by all Pj (j [2..N]) ∈transmitting to P1, and finish when each Pj has received P1's transmission.

Star-Round


Efficiency and Topologies V


Mesh Topology:

A complete round requiresN(N-1) transmissions.

A round begins when Pi, with 1 ≤ i ≤ N executes a transmission to each Pj , with j [1..N], j != i. The round will end when every ∈participant has received a transmission from the other N − 1 participants.

Mesh-Round

• All MPCS protocols are optimistic.

• Each protocol is composed of an exchange and a resolution sub-protocol.

• All protocols follow the same principle: the participants exchange a series of commitments in turn, until they gather enough evidence to consider the contract as signed, while maintaining the fairness.

• All protocols meet the MPCS necessary security requirements: effectiveness, fairness, non-repudiation timeliness, and abuse-freeness.


Overview of Our Proposal : MPCS Protocols


• Methodology to design MPCS protocols:


Overview of Our Proposal : Trusted Third Party Rules I


Rule 0: The TTP only accepts one request per participant.

Rule 1: During the 1st round, authorized participants can cancel the protocol execution, if it has not been previously finished. (If it has been finished, the TTP will answer with the corresponding affidavit.)

“Authorized participants” are those who have not received the commitment from the other N-1 participants, examples:

• Ring: {P1,…,P(N-1)} • Star: {P2,…,PN}

• Common rules to design resolution sub-protocol:


Overview of Our Proposal : Trusted Third Party Rules II


Rule 2: After the 1st round, the TTP can finalize the protocol execution, generating the corresponding affidavit, if it has not been previously cancelled.

Rule 3: The decision to finish the protocol is final.

Rule 4: If the TTP receives a request to finish (sign) the protocol after the 1st round, and the protocol has been previously cancelled, it will review all the evidence received.

• If the TTP can prove all the previous requests were dishonest, it will change the protocol status to finished, and it will generate the corresponding affidavit.

• Otherwise it will answer with a cancellation evidence to maintain fairness.

• The rules to prove dishonest participants will depend on the topology.


Overview of Our Proposal : Trusted Third Party Rules III


• Ring Topology:

• Examples of Rule 4:

Pi Malicious !

Pi Malicious !

Honest

• Star Topology:

Pi Malicious !

Honest

𝑇𝑥 (𝑟 ,𝑖 )𝑖𝑠 h𝑡 𝑒𝑟𝑒𝑞𝑢𝑒𝑠𝑡 h𝑤𝑖𝑡 𝑟𝑜𝑢𝑛𝑑=𝑟 𝑓𝑟𝑜𝑚𝑝𝑎𝑟𝑡𝑖𝑐𝑖𝑝𝑎𝑛𝑡 𝑃𝑖

𝑇𝑥𝑅𝑖𝑠 h𝑡 𝑒𝑠𝑒𝑡 𝑜𝑓 𝑎𝑙𝑙𝑟𝑒𝑞𝑢𝑒𝑠𝑡𝑠𝑇𝑥𝑟𝑒𝑐𝑒𝑖𝑣𝑒𝑑𝑏𝑦 h𝑡 𝑒𝑇𝑇𝑃h𝑒𝑟𝑒 ,𝑟 𝑎𝑛𝑑𝑖𝑎𝑟𝑒𝑒𝑥𝑡𝑟𝑎𝑐𝑡𝑒𝑑 𝑓𝑟𝑜𝑚 h𝑡 𝑒𝑟𝑒𝑞𝑢𝑒𝑠𝑡𝑇𝑥𝑒𝑣𝑎𝑙𝑢𝑎𝑡𝑒𝑑

𝑖𝑓 ∀𝑇𝑥(𝑟 ′ , 𝑖′ )∈𝑇𝑥𝑅 / (𝑟 ′=𝑟 )𝑜𝑟 (𝑟 ′=𝑟−1𝑎𝑛𝑑𝑖′> 𝑖)

<

𝑖𝑓 ∃𝑇𝑥 (𝑟 ′ ,𝑖′ )∈𝑇𝑥𝑅 /(𝑟 ′=𝑟 −1𝑎𝑛𝑑𝑖′<𝑖)

𝑖𝑓 ∀𝑇𝑥(𝑟 ′ , 𝑖′ )∈𝑇𝑥𝑅 /(𝑟 ′ ≥ 𝑟−1)

<


Example: MPCS with Ring Topology


• Every turn, each participant generates a commitment message, with an index k, for each of the other participants.

• The index k is decremented by the first participant to receive the k-commitments from the other participants.

• When k reaches -1, the participants will release the complete signature.

• MPCS with Private Contract Signatures (PCS*):

* Garay, J.A., Jakobsson, M., MacKenzie, P.D.: “Abuse-free Optimistic Contract Signing”. CRYPTO'99.


Example: MPCS with Ring Topology N=3


Round r = 1

P1 P

2 PCS

1((C,1),P

2,TTP), PCS

1((C,1),P

3,TTP)

P2 P

3 PCS

2((C,1),P

3,TTP), PCS

2((C,1),P

1,TTP)

PCS1((C,1),P

3,TTP)

P3 P

1 PCS

3(C, P

1,TTP), PCS

3(C,P

2,TTP)

PCS2((C,1),P

1,TTP)

Round r = 2

P1 P

2 PCS

1(C,P

2,TTP), PCS

1(C,P

3,TTP)

PCS3(C,P

2,TTP)

P2 P

3 SIG

2(C)

PCS1(C,P

3,TTP)

P3 P

1 SIG

3(C)

SIG2(C)

Round r = 3

P1 P

2 SIG

1(C)

SIG3(C)

P2 P

3 SIG

1(C)

TOTAL (N=3)

Transmissions: (N+1)(N-1) = 8

Messages/user: (N-1)2+1 = 5 (Pi = P

1)

(N-2)(N-1) + 1 = 3 (Pi != P

1)

T1

T2

T3

T4

T5

T6

T7

T8

M1(P1) M2(P1)

M3(P1) M4(P1)

M5(P1)

M1(P3) M2(P3)

M3(P3)

M1(P2) M1(P2)

M3(P2)


Summary of optimistic MPCS and topologies


Topology Transmissions (1) Messages/user (2)

Ring (N+1)(N-1) (N-1)2+1 when Pi=P

1

(N-2)(N-1)+1 when Pi!=P

1

Sequential (N+1)(N-1) (N-1)/2 (N-1) +1 when N is odd

(N-1)/2 (N-1) – i +2 when N is even

Star (2N+1)(N-1) (N-2)(N-1)+1

Mesh N2(N-1) (N-1)2+1

(1) Optimistic case, the TTP does not intervene and (N-1) malicious participants assumed.

(2) Number of messages (signatures) generated by each user i, 1 ≤ i ≤ N


Conclusions


• We presented a methodology to design optimistic MPCS protocols for a ring, sequential, star and mesh topologies.

• All protocols meet fair exchange requirements for optimistic MPCS protocols: efficiency, fairness, non-repudiation, timeliness and abuse-freeness.

• Minimum number of transmissions needed for each protocol proposal: new lower-bound.

• Future Work: extend the study to hybrid topologies.


Abort Chaining: Proving Lower Bound (Ring Topology N=3)


Round r = 1

P2 TTP Cancel Request.

TTP P2

Cancel Token (Rule 1). P2 dishonest, continues the protocol.

Round r = 2

P1 TTP Finish Request. P

1 has sent his signature but has not received the others.

TTP P1

Cancel Token (Rule 3). TTP cannot prove P2 is cheating.

P3 Receives proof of signature from other participants.

P3, honest, has proof of signature.

P1, honest, has proof of cancellation. Fairness is broken!


Abort Chaining: Proving Lower Bound (Ring Topology N=3)


Round r = 1

P2 TTP Cancel Request.

TTP P2

Cancel Token (Rule 1). P2 dishonest, continues the protocol.

Round r = 2

P1 TTP Finalize Request. P

1 has sent his signature but has not received the others.

TTP P1

Cancel Token (Rule 3). TTP cannot prove P2 is cheating.

Round r = 3 (if P1 is honest)

P3 TTP Finish Request. P

1 is honest, therefore it will stop the protocol execution.

TTP P3

Cancel Token (Rule 4). TTP will recognize P2 as dishonest, but cannot

prove P1 is dishonest. Therefore to maintain fairness, TTP will send a cancel

Token. Fairness is maintained.

Round r = 3 (if P1 is dishonest, it will continue the protocol execution)

P1 P

2 If P

2 continues the protocol, P

3 will receive the signature from all participants (T8),

otherwise P3 will contact TTP (in previous example). Fairness is maintained.

information security conference (isc 2015) on the efficiency of multi-party contract signing...

Documents