Finite-state analysis of two contract signing protocols

Vitaly Shmatikov, John C. Mitchell
2002 Theoretical Computer Science  
Optimistic contract signing protocols allow two parties to commit to a previously agreed upon contract, relying on a third party to abort or confirm the contract if needed. These protocols are relatively subtle, since there may be interactions between the subprotocols used for normal signing without the third party, aborting the protocol through the third party, or requesting confirmation from the third party. With the help of Murφ, a finite-state verification tool, we analyze two related contract signing protocols: the optimistic contract signing protocol of Asokan, Shoup, and Waidner, and the abuse-free contract signing protocol of Garay, Jakobsson, and MacKenzie. For the first protocol, we discover that a malicious participant can produce inconsistent versions of the contract or mount a replay attack. For the second protocol, we discover that negligence or corruption of the trusted third party may allow abuse or unfairness. In this case, contrary to the intent of the protocol, the cheated party is not able to hold the third party accountable. We present and analyze modifications to the protocols that avoid these problems and discuss the basic challenges involved in formal analysis of fair exchange protocols.
doi:10.1016/s0304-3975(01)00141-4 fatcat:vau2mq2surcnfczmgc6fbpqhhu