Formal Aspects of Computing

, Volume 26, Issue 4, pp 825–859 | Cite as

Assume-guarantee synthesis for digital contract signing

  • Krishnendu Chatterjee
  • Vishwanath RamanEmail author
Original Paper


We study the automatic synthesis of fair non-repudiation protocols, a class of fair exchange protocols, used for digital contract signing. First, we show how to specify the objectives of the participating agents and the trusted third party as path formulas in linear temporal logic and prove that the satisfaction of these objectives imply fairness; a property required of fair exchange protocols. We then show that weak (co-operative) co-synthesis and classical (strictly competitive) co-synthesis fail, whereas assume-guarantee synthesis (AGS) succeeds. We demonstrate the success of AGS as follows: (a) any solution of AGS is attack-free; no subset of participants can violate the objectives of the other participants; (b) the Asokan–Shoup–Waidner certified mail protocol that has known vulnerabilities is not a solution of AGS; (c) the Kremer–Markowitch non-repudiation protocol is a solution of AGS; and (d) AGS presents a new and symmetric fair non-repudiation protocol that is attack-free. To our knowledge this is the first application of synthesis to fair non-repudiation protocols, and our results show how synthesis can both automatically discover vulnerabilities in protocols and generate correct protocols. The solution to AGS can be computed efficiently as the secure equilibrium solution of three-player graph games.


Graph games Model checking and synthesis Assume-guarantee reasoning Assume-guarantee synthesis Fair exchange protocols Digital contract signing 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. ACC07.
    Armando A, Carbone R, Compagna L (2007) LTL model checking for security protocols. In: CSF, pp 385–396Google Scholar
  2. AHM+98.
    Alur R, Henzinger TA, Mang FYC, Qadeer S, Rajamani SK, Tasiran S (1998) Mocha: modularity in model checking. In: CAV, pp 521–525Google Scholar
  3. ASW98.
    Asokan N, Shoup V, Waidner M (1998) Asynchronous protocols for optimistic fair exchange. In: IEEE S&P, pp 86–99Google Scholar
  4. ATHCR08.
    Alcaide A, Tapiador JM, Hernandez-Castro JC, Ribagorda A (2008) Nature—inspired synthesis of rational protocols. In: Proceedings of the 10th international conference on parallel problem solving from nature: PPSN X. Springer, Berlin, pp 981–990Google Scholar
  5. BAN90.
    Burrows M, Abadi M, Needham RM (1990) A logic of authentication. ACM Trans Comput Syst 8(1): 18–36CrossRefGoogle Scholar
  6. CE82.
    Clarke EM, Emerson EA (1982) Design and synthesis of synchronization skeletons using branching-time temporal logic. In: Logic of programs, workshop. Springer, Berlin, pp 52–71Google Scholar
  7. CH07.
    Chatterjee K, Henzinger TA (2007) Assume-guarantee synthesis. In: TACAS, pp 261–275Google Scholar
  8. CH12.
    Chatterjee K, Henzinger M (2012) An o(n 2) time algorithm for alternating Büchi games. In: SODA, pp 1386–1399Google Scholar
  9. CHJ06.
    Chatterjee K, Henzinger TA, Jurdzinski M (2006) Games with secure equilibria. Theor Comput Sci 365(1–2): 67–82CrossRefzbMATHMathSciNetGoogle Scholar
  10. CKS01.
    Chadha R, Kanovich MI, Scedrov A (2001) Inductive methods and contract-signing protocols. In: CCS. ACM, New York, pp 176–185Google Scholar
  11. CKS06.
    Chadha R, Kremer S, Scedrov A (2006) Formal analysis of multiparty contract signing. J Autom Reason 36(1–2): 39–83CrossRefzbMATHMathSciNetGoogle Scholar
  12. CMSS03.
    Chadha R, Mitchell JC, Scedrov A, Shmatikov V (2003) Contract signing, optimism, and advantage. In: CONCUR, pp 361–377Google Scholar
  13. CMSS03.
    de Alfaro L, Henzinger TA (2001) Interface automata. In: Proceedings of the 8th European software engineering conference and the 9th ACM SIGSOFT symposium on the foundations of software engineering (ESEC/FSE). ACM Press, New York, pp 109–120Google Scholar
  14. EY80.
    Even S, Yacobi Y (1980) Relations among public key signature systems, technical report 175. Technical report, Technion, Haifa, IsraelGoogle Scholar
  15. GJM99.
    Garay JA, Jakobsson M, MacKenzie PD (1999) Abuse-free optimistic contract signing. In: CRYPTO, pp 449–466Google Scholar
  16. KMZ02.
    Kremer S, Markowitch O, Zhou J (2002) An intensive survey of fair non-repudiation protocols. CC 25(17): 1606–1621Google Scholar
  17. KMZ02.
    Kremer S, Raskin J-F (2002) Game analysis of abuse-free contract signing. In: CSFW. IEEE, New York, pp 206–220Google Scholar
  18. KMZ03.
    Kremer S, Raskin J-F (2003) A game-based verification of non-repudiation and fair exchange protocols. J Comput Secur 11(3): 399–430Google Scholar
  19. Lou00.
    Louridas P (2000) Some guidelines for non-repudiation protocols. SIGCOMM CC 30(5): 29–38CrossRefGoogle Scholar
  20. MGK02.
    Markowitch O, Gollmann D, Kremer S (2002) On fairness in exchange protocols. In: ICISC, pp 451–464Google Scholar
  21. MK01.
    Markowitch O, Kremer S (2001) An optimistic non-repudiation protocol with transparent trusted third party. In: ISC, pp 363–378Google Scholar
  22. MP91.
    Manna Z, Pnueli A (1991) The temporal logic of reactive and concurrent systems: specification. Springer, New YorkzbMATHGoogle Scholar
  23. PG99.
    Pagnia H, Gärtner FC (1999) On the impossibility of fair exchange without a trusted third party. Technical report, DarmstadtGoogle Scholar
  24. Pnu77.
    Pnueli A (1977) The temporal logic of programs. In: Proceedings of the 18th IEEE symposium on foundations of computer science. IEEE Computer Society Press, New York, pp 46–57Google Scholar
  25. PR89.
    Pnueli A, Rosner R (1989) On the synthesis of a reactive module. In: POPL. ACM Press, New York, pp 179–190Google Scholar
  26. PS00.
    Perrig A, Song DX (2000) A first step towards the automatic generation of security protocols. In: NDSSGoogle Scholar
  27. RW87.
    Ramadge P, Wonham W (1987) Supervisory control of a class of discrete event processes. Siam J Control Optim 25(1): 206–230CrossRefzbMATHMathSciNetGoogle Scholar
  28. Sai02.
    Saidi H (2002) Toward automatic synthesis of security protocols. AAAI Technical Report, SS-02-05Google Scholar
  29. SBP01.
    Song D, Berezin S, Perrig A (2001) Athena: a novel approach to efficient automatic security protocol analysis. J Comput Secur 9:2001Google Scholar
  30. SM02.
    Shmatikov V, Mitchell JC (2002) Finite-state analysis of two contract signing protocols. Theor Comput Sci 283(2): 419–450CrossRefzbMATHMathSciNetGoogle Scholar
  31. THG99.
    Thayer FJ, Herzog JC, Guttman JD (1999) Strand spaces: proving security protocols correct. J Comput Secur 7(1): 191–230Google Scholar
  32. Tho97.
    Thomas W (1997) Languages, automata, and logic. Handbook of formal languages: beyond words, vol 3, pp 389–455Google Scholar
  33. ZDB00.
    Zhou J, Deng RH, Bao F (2000) Some remarks on a fair exchange protocol. In: Public key cryptography, pp 46–57Google Scholar
  34. ZG97.
    Zhou J, Gollmann D (1997) An efficient non-repudiation protocol. In: PCSFW. IEEE Computer Society Press, New York, pp 126–132Google Scholar
  35. ZG98.
    Zhou J, Gollmann D (1998) Towards verification of non-repudiation protocols. In: Proceedings of 1998 international refinement workshop and formal methods Pacific. Springer, Berlin, pp 370–380Google Scholar

Copyright information

© British Computer Society 2013

Authors and Affiliations

  1. 1.IST Austria (Institute of Science and Technology Austria)KlosterneuburgAustria
  2. 2.Carnegie Mellon UniversityMoffett FieldUSA

Personalised recommendations