Contract Signing, Optimism, and Advantage

  • Rohit Chadha
  • John C. Mitchell
  • Andre Scedrov
  • Vitaly Shmatikov
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2761)


A contract signing protocol lets two parties exchange digital signatures on a pre-agreed text. Optimistic contract signing protocols enable the signers to do so without invoking a trusted third party. However, an adjudicating third party remains available should one or both signers seek timely resolution. We analyze optimistic contract signing protocols using a game-theoretic approach and prove a fundamental impossibility result: in any fair, optimistic, timely protocol, an optimistic player yields an advantage to the opponent. The proof relies on a careful characterization of optimistic play that postpones communication to the third party. Since advantage cannot be completely eliminated from optimistic protocols, we argue that the strongest property attainable is the absence of provable advantage, i.e., abuse-freeness in the sense of Garay-Jakobsson-MacKenzie.




References

  1. Abadi, M., Gordon, A.: A calculus for cryptographic protocols: the spi-calculus. Information and Computation 143, 1–70 (1999)
  2. Asokan, N., Schunter, M., Waidner, M.: Optimistic protocols for fair exchange. In: Proc. 4th ACM Conf. on Computer and Communications Security, pp. 7–17 (1997)
  3. Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communications 18(4), 593–610 (2000)
  4. Banatre, J., Le Metayer, D.: Computing by multiset transformation. Communications of the ACM (CACM) 36(1), 98–111 (1993)
  5. Ben-Or, M., Goldreich, O., Micali, S., Rivest, R.L.: A fair protocol for signing contracts. IEEE Transactions on Information Theory 36(1), 40–46 (1990)
  6. Berry, G., Boudol, D.: The chemical abstract machine. Theoretical Computer Science 96(1), 217–248 (1992)
  7. Boneh, D., Naor, M.: Timed commitments and applications. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 236–254. Springer, Heidelberg (2000)
  8. Boyd, C., Foo, E.: Off-line fair payment protocols using convertible signatures. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 271–285. Springer, Heidelberg (1998)
  9. Buttyán, L., Hubaux, J.-P.: Toward a formal model of fair exchange — a game theoretic approach. Technical Report SSC/1999/39, Swiss Federal Institute of Technology (EPFL), Lausanne, Switzerland (December 1999)
  10. Cervesato, I., Durgin, N., Lincoln, P.D., Mitchell, J.C., Scedrov, A.: A meta-notation for protocol analysis. In: Proc. 12th IEEE Computer Security Foundations Workshop, pp. 55–69 (1999)
  11. Chadha, R., Kanovich, M., Scedrov, A.: Inductive methods and contract signing protocols. In: Proc. 8th ACM Conf. on Computer and Communications Security, pp. 176–185 (2001)
  12. Damgård, I.B.: Practical and provably secure release of a secret and exchange of signatures. J. Cryptology 8(4), 201–222 (1995)
  13. Dolev, D., Yao, A.: On the security of public-key protocols. In: Proc. 22nd Annual IEEE Symposium on Foundations of Computer Science, pp. 350–357 (1981)
  14. Even, S., Yacobi, Y.: Relations among public key signature schemes. Technical Report 175, Computer Science Dept. Technion, Israel (March 1980)
  15. Thayer Fábrega, F.J., Herzog, J., Guttman, J.: Strand spaces: Why is a security protocol correct? In: Proc. IEEE Symposium on Security and Privacy, pp. 160–171 (1998)
  16. Fagin, R., Halpern, J., Moses, Y., Vardi, M.: Reasoning about Knowledge. MIT Press, Cambridge (1995)
  17. Fischer, M., Lynch, N., Patterson, M.: Impossibility of distributed consensus with one faulty process. JACM 32(2), 374–382 (1985)
  18. Garay, J., Jakobsson, M., MacKenzie, P.: Abuse-free optimistic contract signing. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 449–466. Springer, Heidelberg (1999)
  19. Hintikka, J.: Knowledge and Belief. Cornell University Press (1962)
  20. Kremer, S., Raskin, J.-F.: A game-based verification of non-repudiation and fair exchange protocols. In: Larsen, K.G., Nielsen, M. (eds.) CONCUR 2001. LNCS, vol. 2154, pp. 551–565. Springer, Heidelberg (2001)
  21. Kremer, S., Raskin, J.-F.: Game analysis of abuse-free contract signing. In: Proc. 15th IEEE Computer Security Foundations Workshop, pp. 206–220 (2002)
  22. Pucella, R., Halpern, J.: Modeling adversaries in a logic for security protocol analysis. In: Abdallah, A.E., Ryan, P.Y.A., Schneider, S. (eds.) FASec 2002. LNCS, vol. 2629. Springer, Heidelberg (2003)
  23. Markowitch, O., Saeednia, S.: Optimistic fair exchange with transparent signature recovery. In: Proc. 5th International Conf. on Financial Cryptography, pp. 339–350 (2001)
  24. Pagnia, H., Gaertner, F.: On the impossibility of fair exchange without a trusted third party. Technical Report TUD-BS-1999-02, Department of Computer Science, Darmstadt University of Technology, Germany (March 1999)
  25. Woo, T.Y.C., Lam, S.S.: A semantic model for authentication protocols. In: Proc. IEEE Symposium on Security and Privacy, pp. 178–194 (1993)
  26. Zhou, J., Gollmann, D.: A fair non-repudiation protocol. In: Proc. IEEE Symposium on Security and Privacy, pp. 55–61 (1996)
  27. Zhou, J., Gollmann, D.: Towards verification of non-repudiation protocols. In: Proc. International Refinement Workshop and Formal Methods Pacific, pp. 370–380 (1998)

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Rohit Chadha (1, 4)
  • John C. Mitchell (2)
  • Andre Scedrov (1)
  • Vitaly Shmatikov (3)

  1. University of Pennsylvania
  2. Stanford University
  3. SRI International
  4. University of Sussex
