Analysis of a Fair Exchange Protocol - PowerPoint PPT Presentation

Provided by: theoryS

Transcript and Presenter's Notes


1
Analysis of a Fair Exchange Protocol
  • Vitaly Shmatikov
  • Stanford University

2
Protocols in Hostile Environment
  • Cannot trust the communication channel
  • Cannot trust the other party in the protocol
  • There may exist a trusted third party

3
Contract Signing
Ceasefire agreement
  • Both parties want to sign the contract
  • Neither wants to commit first
  • If both are honest, then trusted third party need not be involved

4
Fairness
  • Each party receives the item it expects
  • OR
  • Neither party learns anything about the other's item
  • OR
  • Cheated party obtains proof of cheating
  • Other properties may be required
  • Evidence to resolve future disputes
  • Non-repudiability

5
Optimistic Contract Signing
Asokan et al
[Diagram: parties M and K]
  • Input: PK_K, T, text
  • Input: PK_M, T, text
  • m1, R_M, m2, R_K

6
Role of Trusted Third Party
  • T can issue an abort token
  • Proof that exchange has been canceled
  • T can issue a replacement contract
  • Proof that both parties are committed
  • T decides whether to abort or resolve on the
    first-come-first-serve basis
  • T only gets involved if requested by M or K

7
Resolve Subprotocol
[Diagram labels: K, Net, Net, M]

8
Attack
[Diagram labels: M, secret QK]
  • contracts are inconsistent!

9
Fixing the Protocol
[Diagram: parties M and K]
  • Input: PK_K, T, text
  • Input: PK_M, T, text
  • m1 = sig_M(PK_M, PK_K, T, text, hash(R_M))
  • m2 = sig_K(m1, hash(R_K))
  • m3 = sig_M(R_M, hash(R_K))
  • m4 = R_K
  • m1, R_M, m2, R_K
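
The four messages listed on this slide, and a check that the resulting contract (m1, R_M, m2, R_K) opens both hash commitments, as an added example that is not from the original slides. Assumptions: HMAC-SHA256 with one key per party stands in for sig_M and sig_K, the byte strings PK_M, PK_K and T are placeholder identities, and all function names are hypothetical.

```python
import hashlib, hmac, os

def h(b):
    return hashlib.sha256(b).digest()

def enc(*fields):
    # Length-prefix every field so a signed tuple has exactly one parse.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def dec(body):
    out, i = [], 0
    while i < len(body):
        n = int.from_bytes(body[i:i + 4], "big")
        out.append(body[i + 4:i + 4 + n])
        i += 4 + n
    return out

def sign(key, *fields):
    # ASSUMPTION: HMAC stands in for sig_X; a real run uses public-key signatures.
    body = enc(*fields)
    return enc(body, hmac.new(key, body, hashlib.sha256).digest())

def opened(key, signed):
    # Return the signed fields, or None if the tag does not verify.
    body, tag = dec(signed)
    good = hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())
    return dec(body) if good else None

def valid_contract(contract, key_m, key_k):
    # Contract is (m1, R_M, m2, R_K): m2 must wrap m1, and both hashes must open.
    m1, r_m, m2, r_k = contract
    f1, f2 = opened(key_m, m1), opened(key_k, m2)
    return bool(f1 and f2 and f2[0] == m1 and f1[-1] == h(r_m) and f2[-1] == h(r_k))

def exchange(key_m, key_k, text):
    r_m, r_k = os.urandom(16), os.urandom(16)                # each party's secret
    m1 = sign(key_m, b"PK_M", b"PK_K", b"T", text, h(r_m))   # M -> K
    assert opened(key_m, m1)
    m2 = sign(key_k, m1, h(r_k))                             # K -> M
    assert opened(key_k, m2)[0] == m1
    m3 = sign(key_m, r_m, h(r_k))                            # M -> K
    got_r_m, bound = opened(key_m, m3)
    # K releases R_K only if m3 opens m1's commitment and names K's own hash(R_K).
    assert h(got_r_m) == opened(key_m, m1)[-1] and bound == h(r_k)
    m4 = r_k                                                 # K -> M
    return (m1, got_r_m, m2, m4)
```
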

10
Conclusions
  • Fair exchange protocols are subtle
  • Cannot trust the other party in the protocol
  • Correctness conditions are hard to formalize
  • Unusual constraints on communication channels
  • Multiple interdependent subprotocols
  • Murφ can be successfully used for analysis
  • Find non-obvious attacks
  • Better understand the protocols