Intelligent Modeling and Verification 2014View this Special Issue
Research Article | Open Access
Formal Analysis of Fairness for Optimistic Multiparty Contract Signing Protocol
Optimistic multiparty contract signing (OMPCS) protocols are proposed for exchanging multiparty digital signatures in a contract. Compared with general two-party exchanging protocols, such protocols are more complicated, because the number of protocol messages and states increases considerably when signatories increase. Moreover, fairness property in such protocols requires protection from each signatory rather than from an external hostile agent. It thus presents a challenge for formal verification. In our analysis, we employ and combine the strength of extended modeling language CSP# and linear temporal logic (LTL) to verify the fairness of OMPCS protocols. Furthermore, for solving or mitigating the state space explosion problem, we set a state reduction algorithm which can decrease the redundant states properly and reduce the time and space complexity greatly. Finally, this paper illustrates the feasibility of our approach by analyzing the GM and CKS protocols, and several fairness flaws have been found in certain computation times.
The first optimistic multiparty contract signing protocol (OMPCS) was designed by Asokan et al. in 1997 . The goal of this protocol is for all signatories to send signatures on a preagreed-upon contract text to all others and for every signatory to obtain all other signatories’ signatures on this contract. With the asymmetric structure, one partner must first send out his signature to the others; thus the fairness of such protocols is hard to guarantee. One method to solve the problem is to use a Trust Third Party (TTP) as an intermediary , but this method is not efficient and the TTP becomes a bottleneck as all signatories have to communicate with it. The other method is to design the so-called optimistic multiparty contract signing protocol which has the idea that only when an unfairness problem arises the TTP intervenes . In 2009, Mauw et al. proposed the notion abort-chaining attacks and analyzed the message complexity of OMPCS protocols . Resolve-impossibility which means that it is impossible to define a trusted party protocol for a special OMPCS protocol was presented .
Some specific properties such as fairness, timeliness, and abuse-freeness should be satisfied in OMPCS protocols. Asokan defines a fairness system as that if a player behaves correctly, the other players will not gain any advantage over the correctly behaving player, and he divides fairness into strong fairness and weak fairness. Strong fairness means that, when the protocol has completed, has ’s item, or has gained no additional information about ’s item, and vice versa. Here, the assumed “item” means the signed contract, and “additional information” means information which can be obtained from the signed contract. However, weak fairness means that either strong fairness is achieved or a correctly behaving node can prove to an arbiter that an unfair situation has occurred .
Although not so much attention has been paid to optimistic multiparty contract signing protocols, there have been several researchers who did certain remarkable work in the weak fairness verification field and got some achievements. The pioneer work can be traced to Chadha et al. . Based on the alternation transition system (ATS) and symbolic tool Mocha, GM protocol was verified to be unfair when the number of signatories is four. Those authors also presented a CKS protocol and verified that the fairness can be guaranteed in the case of four. Then such method was used in  to analyze the fairness of MRT  and MR  protocols. The MRT protocol failed to satisfy fairness when the number of participators is three, and no flaw has been revealed in the MR protocol.
As an analyzing method, the strand space model has lots of magnificent qualities such as intuitiveness and strictness. In , Mukhamedov et al. used a strand space model to describe the GM protocol and found a flaw. Theorem proving method uses formulae to verify the correctness of protocols. The CKS protocol was shown to have flaws in  by using the Isabelle/HOL theorem proving machine.
This paper describes a precise and nature formulation of the desired weak fairness and universal OMPCS protocol models that includes multisignatories and contract texts promises simultaneously, formalizes protocol arithmetic, and considers composite attackers of the dishonest signatory. Besides, to mitigate the state explosion problem, a state reduction algorithm is proposed, and conversions between processes are supported, all of such actions can help our analysis to reach cases of more signatories. Furthermore, a visual attacking trace will be given when there exist error traces.
The paper is structured as follows. Section 2 defines the notion of OMPCS protocols and weak fairness. The CSP# language and the LTL logic are briefly introduced in Section 3. This section also explains how to build models for OMPCS protocols and how to express the weak fairness property. In the next section, we apply our novel method to the analysis of two typical OMPCS protocols GM and CKS. Finally, conclusions and future work are summarized.
Definition 1 (optimistic multiparty contract signing). A protocol for at least signatories to sign a contract over a Trust Third Party is called a multiparty contract signing (MPCS) protocol. If all signatories are honest, the protocol terminates without ever sending or receiving any messages; it is called an optimistic multiparty contract signing (OMPCS) protocol. An OMPCS protocol consists of three subprotocols: main subprotocol, recovery subprotocol, and abort subprotocol. The main subprotocol for n signers is divided into -levels, which can be described recursively. The recovery and abort subprotocols are used to contact when something goes wrong.
In an OMPCS protocol, every signer has a public and private key pair and can make a digital signature with the private key. ( is short for TTP) denotes the promise signed by and sent to , and (a) is generated by ;(b) can forge but can be distinguished by , , and ;(c)only and can transfer into a digital signature which can be universally verified.
Definition 2 (weak fairness). For a protocol , a contract , and signers and with each one’s signed contract and , we call the protocol which satisfies weak fairness if and only if we get one of the following conditions:(a)when the protocol is terminated, both and have not received and from each other(b)or when the protocol is terminated, both and have received and from each other.
3. Formal Method
Unlike classical security protocols, besides the security property, the OMPCS protocols also need to guarantee fairness between participants. For verifying such property, this paper described an innovative method and Figure 1 shows the structure of it.
Considering the general conditions of OMPCS protocol, assumptions for our fairness analyzing method are as follows.(a)Channel assumption (lower-case): channels between participants are not trusty; that is to say, the transmitting messages may be delayed and lost. However, channels between participants and the TTP are really reliable; that is, although the transmitting messages may be delayed, they will reach the destination in the limited time.(b)Participants of protocols: participants may not be honest, but there is at least one honest among a number of participants. The TTP is always honest, and the honest one will follow protocols. A dishonest one can be legal user, possessing his/her own public and private keys.(c)Attacker: the cryptography is assumed to be perfect, and external hostile agent is assumed not existing for fairness property in OMPCS protocols requires protection from each signatory rather than from external attackers. All of the assumption can let us only concentrate on the structure of the protocols.
3.2. System Variables
CSP# was proposed as an extension of CSP; it combines high-level modeling operators with shared variables and low-level programming constructs. The idea is to treat sequential terminating programs as atomic events .
The CSP# model of an OMPCS protocol consists of participants (honest or dishonest), TTP and the communication channel. CSP# mathematical signals were applied to describe the protocols’ participants and the components which combine participants together. The syntax of basic operators is listed in Table 1. Where , are processes, e is a name representing an event with an optional sequential program prog, cond is a boolean formula, X is a set of events names, ch is a channel, is an expression, and is a variable.
Under the modeling language CSP#, the system variables of protocol model are defined in Table 2. Each sending message between signers is modeled using a variable, initialized to 0 and set as when the successfully sent message level is . Each sending message between signers and TTP is modeled using a boolean variable, initialized to false and set true when message was sent.
3.3. Modeling Protocol
The semantic model is based on the labeled transition system (LTS). An LTS is a three-tuple .(i) is set of states. A state can be described by giving value for all valuations in the CSP# model.(ii) is the set of initial states.(iii) is the transition relation, is a set of all events, is a set of all traces, and a trace is a sequence of events. For every state , there is a state such that . is process expressions in our CSP# protocol model.
A CSP# model configuration is composited of two components , where is a function mapping a variable name to its value and is a process expression. Then we can get the , →), where is the set of reachable system configurations, is the initial configuration , and → is a transition relation.
For every signer in protocol, we use a process to describe , which describes how honest signer behaves and the dishonest has a corresponding process . is defined to model which represents the processes of recovery and abort subprotocols. The protocol is then described as formula (1); is the set of signatories:
3.4. Modeling Weak Fairness
In order to reason protocol model, fairness assertion is described by LTL (linear temporal logic). LTL was proposed by Pnueli in 1977  and is used to verify computer program logic language.
LTL is defined by assuming that the atomic formulae are state predicates. Formulae are built up in the usual way according to the following grammar. AP is a collection of atomic propositions of LTL:(a)for all the atomic propositions , is a LTL formula;(b)the constants “true” and “false” are both LTL formulae;(c)if , are two LTL formulae, then , , , , and are all LTL formulae;(d)every LTL formula can be built up by using finite times of the above formation rules.
Here and are two formulae, reads as “global” (also can be written as ), and means that event has to hold on the entire subsequent path. reads as “finally” (also can be written as <>), means that event eventually has to hold (somewhere on the subsequent path).
According to the fairness definition and LTL logic, we assume that only signer is honest, and the description of fairness of signer is given in formula (2). It means that, when the protocol is terminated, if there is a reachable trace in which a signer in can receive ’s digital signature , then there must exist which is reachable from and can make receive the digital signature of :
3.5. State Reduction Algorithm
The model checking method has many advantages, such as, high level automation and exact description ability. But the idea of this method is based on exhausted state space searching. When we use it to verify some concurrent systems, the state space may be increased exponentially. That is the space explosion problem. Towards the space explosion problem, a detailed state reduction algorithm is demonstrated below and the algorithm is shown in Algorithm 1.(a)Deleting states that system cannot reach to decrease the searching time.(b)Deleting states that will absolutely lead to fairness which can make the track of attack trace more conveniently.(c)Combing transition relations which reach the same next states to compress the state space, that is, and , we can combine the two transition relations into . Here , , and are states and is transition function. The proof can be found in “Hoare Logic,” rules of consequence.(d)Letting the dishonest signers send the highest promises to each other, for the transaction between dishonest signers will not influence the fairness of the honest one. Such behaviors can cut down the number of messages between the dishonest signers and then can reduce the state space.
is an array which stores the transition relations in the OMPCS model, and every transition relation in contains two states as well as a variable; state 1 is the current state, state 2 is the next state, and . is the weight of states. If a state in a protocol model has been reached for times, the value of mark for such state is . The variable is a function to judge whether, after contacting T, there also exists an honest signer who has no contract . means that the transition relation contracted , and sent a recovery message to reply to it; otherwise, sent an abort message.
Line 1 to line 2 are corresponding to (a) and (b), according to the recovery subprotocols in OMPCS; if and the honest signer have not contracted TTP before, this protocol will be fair. Lines 4 to 7 mean (c); if and have the same next state (state2), will be combined with , and will be deleted.
From lines 8 to 11, is the number of signers, , here are the unique ID for signatories, and are the sets for the dishonest signatories. In line 10, if and are dishonest signatories, then they will send the highest promise to each other and it is the pseudocode of (d).
4. Case Study
As an OMPCS protocol, the GM protocol was proposed by Garay and Mackenzie in ; then in  Asokan modified it and proposed the CKS protocol. In this section, the two protocols are modeled and analyzed on the platform PAT  and fairness flaws have been discovered.
4.1. GM and CKS
Each of the GM and CKS protocols has three subprotocols: main subprotocol, recovery subprotocol, and abort subprotocol. Such protocols use zero-knowledge primitives, private contract signatures . The main subprotocol of the two protocols is the same, and major changes are in the recovery and abort subprotocols.
The main subprotocol for n signers is divided into -level recursions with -level promises. sends -level promise to which can be denoted as . The third party is ; if there is nothing wrong in the execution of main subprotocol, will not be invoked. Conversely, requirement messages will be sent by signers to to guarantee fairness. For to abort, it will send the abort message to ; for to recover, it will send the corresponding recovery message. The messages are designed so that can infer the promises that an honest signer would have sent when it launched the recovery subprotocol. For lack of space, we will not describe the two protocols and the details can be found in [6, 14].
4.2. Modeling GM Protocol
We have modeled and analyzed the GM protocol for three cases, and here we take the case of four parties for example. Figure 2 describes the communications between signers, third party, and channels. We assume that the honest signer is , , , and are dishonest, and , , and can collude to cheat . H_process() was defined as the behavior of and _process(), _process(), _process(), and as the behaviors of , , , and . After doing that, the GM protocol was modeled as a parallel system called “sys1H.”
4.2.1. Modeling GM Main Subprotocol
Main subprotocol is executed when signers exchange their promises. When , the main subprotocol has 4 levels (see the OMPCS definition in Section 2) recursions. We use integer variables to describe promises between signers, and boolean variables represent messages between signers and . The details of the main subprotocol model are shown in Algorithm 2.
The honest mainly performs two kinds of actions in the main subprotocol, which includes sending promises to other signers and sending requirement to . They are described in step and step . Step models the action of sending 1-level promise, in which we use boolean variables, such as , to represent the promises exchanging. Setting means has successfully sent 1-level promise to . Step says that if has not received the correct promises, he can set _Recovery_1_1_1 as true, which represents the action of sending out recovery requirement. Step and Step describe the malicious behaviors of dishonest . Step models that can send 1-level promise to and Step specifies that can send recovery requirement to at a relatively relaxing condition.
4.2.2. Modeling GM Abort and Recovery Subprotocol
Algorithm 3 models the actions of the , that is, the abort and recovery subprotocols. is a special player that has to be modeled in a particular way. The definition and grammar are the same as the main subprotocol. _process() maintains two sets, and , which are initialized as empty. When sends abort message to , is set to be . Elements inside are those signers who have not sent abort message to . Based on the values of and , the recovery or abort decision will be made by .
The actions of can be divided into two parts, the first part describes how deals with abort request from . sends out abort token to if the status is that is false and is true. However, if is true, this means the recovery message has already been sent. Then the abort request is to be refused. Part two models the behaviors of dealing with recovery requests from ; if is true, the recovery message will be sent. However, conversely, will make decisions based on the current conditions.
4.3. Modeling GM Fairness
The fairness of can be divided into two parts. The first is that when GM protocol is finished, if has not received the contract signed by other signers, then every other signer also will not receive the contract signed by . The remainder is that if any other signers have received the contract signed by , then must have received the contract signed by other signers as well. So the LTL modeling of ’s fairness is illustrated in Algorithm 4.
Goal 1 means that at least one signer in , , and has received the contract signed by . Meanwhile, goal 2 means that has received the contract signed by , , and . The fairness of can be described as sys1, which means that, for all the traces of GM modeling system, if there is one trace to make one of , , and receive the signed contract from , there must exist another trace that can guarantee that receives the signed contract from , , and .
4.4. Modeling CKS Protocol
The model of CKS main subprotocol and the description of fairness remain the same with the GM protocol, so this section will concentrate on the abort and recovery part. The main difference is that , when presented with a recovery request, overturns its abort decision if and only if can infer dishonesty on the part of each of the signers that contracted in the past. Compared with GM, in CKS also maintains two integer variables, but the difference is that the variables have different meanings than that in GM.
We modeled cases of four and five signers of the CKS protocol and a fairness flaw was found in the case of five. For the sake of contrastive analysis, specifics of abort request and _Recovery_1_1_3_3 recovery requirements are shown in Algorithm 5.
4.5. State Reduction
When modeling GM and CKS protocol, we mitigate the state space explosion problem based on the algorithm proposed in Section 3.5. The detailed examples are given as below.(a)Deleting states which cannot be reached: for instance, in the GM protocol, when is dealing with the requirement _Recovery_1_3_2 from , there is a state which requires that and two elements in set should be true. Then a conclusion can be reached that this state is unreachable, for the state constraint must be , which is contradictory. Therefore, we can delete this state.(b)Deleting states which will absolutely lead to fairness: when modeling the GM protocol, if sends a recovery requirement _Recovery_3_3_3 in the condition that no one has contacted before, will absolutely agree with ’s requirement, setting . It is obvious to ensure that the fairness can be guaranteed for, in the recovery subprotocol, cannot overturn the recovery decision. Therefore, this state can be ignored when we are searching for attacking trace.(c)Combining transition relations which have the same next states: in the GM protocol, when deals with the requirement _Recovery_4_4_4 from , there are two transition relations: one of the current states is and the other is . However, those two states can reach the same next state; thus, they can be combined into one state .(d)Letting the dishonest signers send the highest promises to each other: when we model the dishonest signers and in the CKS protocol, some of the intermediate states such as and can be deleted, letting and send the highest promise to each other directly, and .
One feature of the OMPCS protocol is that the number of participants can be varied and the structure is not symmetric. That is why the specification of is different from that of . A number of CSP# models have been written in PAT for different signers for the GM and CKS protocols. We found that GM protocol cannot satisfy fairness for the case of , because we can verify that the protocol is not fair in case of four, and, in more signatories cases, if there is only one honest, then the dishonest can collaborate to cheat just as they do in the case of 4. The CKS protocol is not fair for the number of signers , the reason is the same for GM.
Table 3 shows one possible error trace for the GM protocol ( is the honest one and ). State 0 is the initialized state. In state 1, contacts T by sending an abort requirement. According to , T agrees with this requirement and sends abort message, setting . But the dishonest continues to execute the main subprotocol. Then contract T with a recovery requirement. T refuses ’s requirement based on the abort subprotocol with , . However, the dishonest continues to execute the main subprotocol. In the next state launches a resolve request to T, however is true and it indicates that T will refuse ’s requirement and update . Then the honest signer quits the main subprotocol. At last, sends a recovery requirement. For is false, overturns the previous decision and agrees with ’s requirement. Hence the fairness of are violated. We also found unfairness trace when or is the dishonest signer.
Table 4 shows one possible unfairness trace for the CKS protocol ( is the honest one and ). State 0 is also the initialized state. In step 1, sends an abort requirement to T. T agrees with this requirement and sends back an abort message with , . But the dishonest continues to execute the protocol. In state 2, contract T with a recovery requirement. refuses ’s requirement and sets , , the dishonest continues to execute the main subprotocol. Then launches a recovery request to . refuses ’s requirement with an abort message, setting , . In the following states, send recovery messages to T and T will refuse it and update , . sends its signed contract to and , but the dishonest and quits the protocol and contracts T with recovery requirement.
However, according to  and the recovery subprotocol, T computes the value of and and finds , and then it makes a decision that it will not overturn the previous decision. Finally, T sends an abort message to ; thus, the fairness of is not guaranteed. The similar error traces can also be found when , , or is the dishonest one.
4.7. Experiment Comparison
In this paper, the fairness for four-party GM protocol and five-party CKS protocol has been verified. There are certain advantages of our method, such as less time and space complexity, more precise semantic, higher degree of automation, and more detailed results. The time and space consuming comparison between our method and the method in  is showed in Table 5; the unit for time is second and for memory is KB.
We use a common environment for all the tests discussed in this section; the hardware environment for the two methods is the same. For , the model checking platform is cmocha and the operating system is Ubuntu. For our method, the model checking platform is PAT3, and the operating system is Windows 7.
As Table 5 demonstrated, although the problem of protocol fairness verification is a NP problem and the states and time are expected to increase exponentially in theory, our method can get the verification result in certain times in the three and four participants cases of the CKS protocol. Therefore, we can get a conclusion that the reduction algorithm did a good performance as no error trace was found in such cases, and every state in the state space was visited. On the contrary, the method in  consumed more time and memory. Specifically, in the four-party occasion, in our experiment environment, this method cannot get verification result in certain hours (we had waited for more than 12 hours). Moreover, this method cannot give explicitly a number of visited states and fairness counterexamples. The main reason is that our method has less system states, higher states compression ratio, and the trace back-track algorithm.
5. Conclusion and Future Work
Based on modeling language CSP# and linear temporal logic, an efficient method which aims to analyze the fairness of optimistic multiparty contract signing protocols is presented in this paper. In order to demonstrate the feasibility of our method, two examples of the GM and CKS protocol have been described and several fairness attacking traces have been found. Comparisons also have been made in this paper between our method and other traditional methods. And the result shows that our method has certain strengths such as higher automation, less time and space complexity, visualized attacking trace, and better utility.
There is no explicit model for any cryptographic primitives in this paper and the attack model is weaker than the original paper. The main challenge is to verify the OMPCS protocols fairness in a more general condition which accounts for cryptographic and a more relaxed communication model. In our next work, we plan to extend the automatic cryptographic protocol verifier ProVerif  to suit our fairness verification method.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
This work was supported in part by the National Science Foundation of China (nos. 91118003, 61272106, and 61003080).
- N. Asokan, M. Schunter, and M. Waidner, “Optimistic protocols for fair exchange,” in Proceedings of the 4th ACM Conference on Computer and Communications Security, pp. 6–17, New York, NY, USA, April 1997.
- S. Even and Y. Yacobi, “Relations among public key signatures systems,” Tech. Rep. 175, Technion, Haifa, Israel, 1980.
- S. Mauw, S. Radomirović, and M. T. Dashti, “Minimal message complexity of asynchronous multi-party contract signing,” in Proceedings of the 22nd IEEE Computer Security Foundations Symposium (CSF '09), pp. 13–25, IEEE Computer Society Press, July 2009.
- A. Mukhamedov and M. D. Ryan, “Resolve-impossibility for a contract-signing protocol,” in Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW '06), pp. 167–173, July 2006.
- N. Asokan, Fairness in electronic commerce [Ph.D. thesis], University of Waterloo, 1998.
- R. Chadha, S. Kremer, and A. Scedrov, “Formal analysis of multi-party contract signing,” in Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW '04), pp. 266–279, IEEE Computer Society Press, Washington, DC, USA, June 2004.
- Y. Zhang, C. Zhang, J. Pang, and S. Mauw, “Game-based verification of contract signing protocols with minimal messages,” Innovations in Systems and Software Engineering, vol. 8, no. 2, pp. 111–124, 2012.
- A. Mukhamedov and M. D. Ryan, “Fair multi-party contract signing using private contract signatures,” Information and Computation, vol. 206, no. 2–4, pp. 272–290, 2008.
- S. Mauw, S. Radomirović, and M. T. Dashti, “Minimal message complexity of asynchronous multi-party contract signing,” in Proceedings of the 22nd IEEE Computer Security Foundations Symposium (CSF '09), pp. 13–25, IEEE CS, July 2009.
- A. Mukhamedov, S. Kremer, and E. Ritter, “Analysis of a multi-party fair exchange protocol and formal proof of correctness in the strand space model,” in Financial Cryptography and Data Security, vol. 3570 of Lecture Notes in Computer Science, pp. 255–269, 2005.
- N. Zhang, X. Zhang, and Y. Wang, “Formal analysis of GM multi-party contract signing protocol,” in Proceedings of the 2nd International Conference on Convergent Information Technology (ICCIT '07), pp. 1316–1321, IEEE Computer Society Press, November 2007.
- J. Sun, Y. Liu, S. D. Jin, and C. Chen, “Integrating specification and programs for system modeling and verification,” in Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE '09), pp. 127–135, July 2009.
- A. Pnueli, “The temporal logic of programs,” in Proceedings of the 18th Annual Symposium on Foundations of Computer Science (FOCS '77), pp. 46–57, 1977.
- J. A. Garay and P. Mackenzie, “Abuse-free multi-party contract signing,” in Distributed Computing, vol. 1693 of Lecture Notes in Computer Science, pp. 151–165, 1999.
- Y. Liu, J. Sun, and J. S. Dong, “PAT 3: an extensible architecture for building multi-domain model checkers,” in Proceedings of the 22nd IEEE International Symposium on Software Reliability Engineering (ISSRE '11), pp. 190–199, Hiroshima, Japan, December 2011.
- V. Cheval and B. Blanchet, “Proving more observational equivalences with ProVerif,” in Principles of Security and Trust, vol. 7796 of Lecture Notes in Computer Science, pp. 226–246, Springer, 2013.
Copyright © 2014 Xiaoru Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.