##
###
Multiparty Contract Signing Over a Reliable Network

Simona Orzan, Erik de Vink

2006
*
Electronical Notes in Theoretical Computer Science
*

Most contract signing protocols make use of a trusted third party (TTP) to ensure fairness. It has been shown that in the crash network model, this is inevitable. However, for stronger networks, where misbehavior is allowed but failure excluded, the necessity of a TTP has not yet been debated. We consider a strong network model, that includes reliable broadcast, bounded delays and timestamps and use it to describe a simple multiparty contract signing protocol that does not rely on a TTP. This
## more »

... ows that by strengthening the assumptions on the network, the transfer of trust from one dedicated server to the network is feasible. The result is commented in a more general setting of multiparty protocols and problems. The correctness of the proposed protocol for any number of participants is proven using process algebra techniques. 1 Also affiliated to CWI, Amsterdam. 2 Also affiliated to LIACS, Leiden University. protocols usually rely on such a TTP, which can be contacted offline or online. However, a TTP is clearly a bottleneck, both in performance and trust, and constitutes a single point of failure. Solutions without a TTP include protocols with gradual information exchange, randomized and probabilistic protocols, all with a non-zero failure probability. It has also been proved that in the so-called crash network model, where connections are faulty and parties possibly misbehaving, the problem is impossible to solve without a TTP [15] . In other, more reliable network models, the contract signing problem has not been studied, basically because reliable networks are not considered realistic. But in the context of fault-tolerant software architectures and coordination middleware platforms [14, 18, 17] , a reliable communication medium is plausible. Therefore the question arises whether these generic models can take over the functionality of the dedicated TTP, and if so, which communication primitives are necessary/sufficient. The second issue concerns the formal analysis of multiparty contract signing protocols and fair exchange protocols in general. We want to formally prove security properties of multiparty contract signing protocols parametric in the number of participants. Referring to the well-known quote of Roger Needham about three-line security protocols [1], it comes without saying that formal verification is important in this field. Even more so for multiparty protocols that come with the burden of non-intuitive scheduling and state explosion. Although these two questions don't seem related at first, they are subtly linked. Namely, the protocols without a TTP exhibit more symmetry, and are therefore more likely in reach of recent parametrized verification techniques. We seek to answer our two-fold question by strengthening the network to the point where the network itself can provide the functionality of a trusted party. So, conceptually, trust is transferred from the TTP to the communication structure. Identifying the precise point where this transfer is complete remains an open challenge, but we give a partial solution here. The proposed network model includes (i) reliable broadcast with bounded delay, (ii) timestamps, and (iii) a proof-of-send mechanism. The latter mechanism provides the sender of a message with an unforgeable proof of delivery of the message to the network. Admittedly, the resulting protocol is of limited practical value; the assumptions on the network are strong. However, it shows that a TTP-free solution for the multiparty contract signing problem exists and is, moreover, not dependent on the number of misbehaving parties. The proposed protocol is also simple enough to be in reach of algebraic verification techniques. We manage to prove its fairness for any number of participants. The proof is of an inductive flavor, having equivalences checked automatically for the base case, and using axioms of the process algebra µCRL to lift the equivalences to the general case. As far as we know, no protocol similar to the one presented here exists in the literature. The closest related work is reported in [7] . In the context

doi:10.1016/j.entcs.2005.09.042
fatcat:fjxaz54ebjacbcyvl2jt2aq2uu