Formal Analysis of Fairness for Optimistic Multiparty Contract Signing Protocol

Optimistic multiparty contract signing (OMPCS) protocols are proposed for exchangingmultiparty digital signatures in a contract. Compared with general two-party exchanging protocols, such protocols are more complicated, because the number of protocol messages and states increases considerably when signatories increase. Moreover, fairness property in such protocols requires protection from each signatory rather than from an external hostile agent. It thus presents a challenge for formal verification. In our analysis, we employ and combine the strength of extended modeling language CSP# and linear temporal logic (LTL) to verify the fairness of OMPCS protocols. Furthermore, for solving or mitigating the state space explosion problem, we set a state reduction algorithm which can decrease the redundant states properly and reduce the time and space complexity greatly. Finally, this paper illustrates the feasibility of our approach by analyzing the GM and CKS protocols, and several fairness flaws have been found in certain computation times.


Introduction
The first optimistic multiparty contract signing protocol (OMPCS) was designed by Asokan et al. in 1997 [1].The goal of this protocol is for all signatories to send signatures on a preagreed-upon contract text to all others and for every signatory to obtain all other signatories' signatures on this contract.With the asymmetric structure, one partner must first send out his signature to the others; thus the fairness of such protocols is hard to guarantee.One method to solve the problem is to use a Trust Third Party (TTP) as an intermediary [2], but this method is not efficient and the TTP becomes a bottleneck as all signatories have to communicate with it.The other method is to design the socalled optimistic multiparty contract signing protocol which has the idea that only when an unfairness problem arises the TTP intervenes [1].In 2009, Mauw et al. proposed the notion abort-chaining attacks and analyzed the message complexity of OMPCS protocols [3].Resolve-impossibility which means that it is impossible to define a trusted party protocol for a special OMPCS protocol was presented [4].Some specific properties such as fairness, timeliness, and abuse-freeness should be satisfied in OMPCS protocols.Asokan defines a fairness system as that if a player behaves correctly, the other players will not gain any advantage over the correctly behaving player, and he divides fairness into strong fairness and weak fairness.Strong fairness means that, when the protocol has completed,  has 's item, or  has gained no additional information about 's item, and vice versa.Here, the assumed "item" means the signed contract, and "additional information" means information which can be obtained from the signed contract.However, weak fairness means that either strong fairness is achieved or a correctly behaving node can prove to an arbiter that an unfair situation has occurred [5].
Although not so much attention has been paid to optimistic multiparty contract signing protocols, there have been several researchers who did certain remarkable work in the weak fairness verification field and got some achievements.The pioneer work can be traced to Chadha et al. [6].Based on the alternation transition system (ATS) and symbolic tool Mocha, GM protocol was verified to be unfair when the number of signatories is four.Those authors also presented a

Definitions
Definition 1 (optimistic multiparty contract signing).A protocol for at least  ( ≥ 2) signatories  1 , . . .,   , . . .  , . . .  to sign a contract  over a Trust Third Party is called a multiparty contract signing (MPCS) protocol.If all signatories are honest, the protocol terminates without  ever sending or receiving any messages; it is called an optimistic multiparty contract signing (OMPCS) protocol.An OMPCS protocol consists of three subprotocols: main subprotocol, recovery subprotocol, and abort subprotocol.The main subprotocol for n signers is divided into -levels, which can be described recursively.The recovery and abort subprotocols are used to contact  when something goes wrong.
In an OMPCS protocol, every signer has a public and private key pair and can make a digital signature with the private key.PCS  1 (,  2 , ) ( is short for TTP) denotes the promise signed by  1 and sent to  2 , and [10] (a) PCS  1 (,

Formal Method
Unlike classical security protocols, besides the security property, the OMPCS protocols also need to guarantee fairness between participants.For verifying such property, this paper described an innovative method and Figure 1 shows the structure of it.

Assumption.
Considering the general conditions of OMPCS protocol, assumptions for our fairness analyzing method are as follows.
(a) Channel assumption (lower-case): channels between participants are not trusty; that is to say, the transmitting messages may be delayed and lost.However, channels between participants and the TTP are really reliable; that is, although the transmitting messages may be delayed, they will reach the destination in the limited time.
(b) Participants of protocols: participants may not be honest, but there is at least one honest among a number of participants.The TTP is always honest, and the honest one will follow protocols.A dishonest one can be legal user, possessing his/her own public and private keys.
(c) Attacker: the cryptography is assumed to be perfect, and external hostile agent is assumed not existing for fairness property in OMPCS protocols requires protection from each signatory rather than from external attackers.All of the assumption can let us only concentrate on the structure of the protocols.

System
Variables.CSP# was proposed as an extension of CSP; it combines high-level modeling operators with shared variables and low-level programming constructs.The idea is to treat sequential terminating programs as atomic events [12].The CSP# model of an OMPCS protocol consists of participants (honest or dishonest), TTP and the communication channel.CSP# mathematical signals were applied to describe the protocols' participants and the components which combine participants together.The syntax of basic operators is listed in Table 1.Where ,  are processes, e is a name representing an event with an optional sequential program prog, cond is a boolean formula, X is a set of events names, ch is a channel, exp is an expression, and  is a variable.Under the modeling language CSP#, the system variables of protocol model are defined in Table 2.Each sending message between signers is modeled using a variable, initialized to 0 and set as  when the successfully sent message level is .Each sending message between signers and TTP is modeled using a boolean variable, initialized to false and set true when message was sent.

Modeling Protocol.
The semantic model is based on the labeled transition system (LTS).An LTS is a three-tuple  = (,  0 , ).
(i)  is set of states.A state can be described by giving value for all valuations in the CSP# model.
(ii)  0 ∈  is the set of initial states.
(iii)  :  × ∑  ×  is the transition relation, ∑  is a set of all events, ∑ * is a set of all traces, and a trace is a sequence of events.For every state  ∈ , there is a state   ∈  such that (,   ) ∈ . is process expressions in our CSP# protocol model.
A CSP# model configuration is composited of two components (, ), where  is a function mapping a variable name to its value and  is a process expression.Then we can get the LTS = (, init, → ), where  is the set of reachable system configurations, init is the initial configuration (, ), and → is a transition relation.
For every signer in protocol, we use a process to describe    process, which describes how honest signer   behaves and the dishonest   has a corresponding process   process. process is defined to model  which represents the processes of recovery and abort subprotocols.The protocol is then described as formula (1);  is the set of signatories: sys =    Process |||   process (,  ∈ ) . (1)

Modeling Weak Fairness.
In order to reason protocol model, fairness assertion is described by LTL (linear temporal logic).LTL was proposed by Pnueli in 1977 [13] and is used to verify computer program logic language.LTL is defined by assuming that the atomic formulae are state predicates.Formulae are built up in the usual way according to the following grammar.AP is a collection of atomic propositions of LTL: (a) for all the atomic propositions  ∈ AP,  is a LTL formula; (b) the constants "true" and "false" are both LTL formulae; (c) if ,  are two LTL formulae, then ¬,  ∨ ,  ∧ , , and   are all LTL formulae; (d) every LTL formula can be built up by using finite times of the above formation rules.
Here  and  are two formulae,  reads as "global" (also can be written as []), and  means that event  has to hold on the entire subsequent path. reads as "finally" (also can be written as <>),  means that event  eventually has to hold (somewhere on the subsequent path).
According to the fairness definition and LTL logic, we assume that only signer   is honest, and the description of fairness of signer   is given in formula (2).It means that, when the protocol is terminated, if there is a reachable trace  in which a signer in  1 , . . .,  −1 ,  +1 , . . .,   can receive   's digital signature    (), then there must exist   which is reachable from  and can make   receive the digital signature of  1 , . . .,  −1 ,  +1 , . . .,   : (2)

State Reduction Algorithm.
The model checking method has many advantages, such as, high level automation and exact description ability.But the idea of this method is based on exhausted state space searching.When we use it to verify some concurrent systems, the state space may be increased exponentially.That is the space explosion problem.Towards the space explosion problem, a detailed state reduction algorithm is demonstrated below and the algorithm is shown in Algorithm 1.
(a) Deleting states that system cannot reach to decrease the searching time.
(b) Deleting states that will absolutely lead to fairness which can make the track of attack trace more conveniently.
(c) Combing transition relations which reach the same next states to compress the state space, that is, {} and {}, we can combine the two transition relations into ( ∨ ){}.Here , , and  are states and  is transition function.The proof can be found in "Hoare Logic, " rules of consequence.
(d) Letting the dishonest signers send the highest promises to each other, for the transaction between dishonest signers will not influence the fairness of the honest one.Such behaviors can cut down the number of messages between the dishonest signers and then can reduce the state space.
trans is an array which stores the transition relations in the OMPCS model, and every transition relation in trans contains two states as well as a variable; state 1 is the current state, state 2 is the next state, and trans.mark is the weight of states.If a state in a protocol model has been reached for  times, the value of mark for such state is .The variable exishon() is a function to judge whether, after   contacting T, there also exists an honest signer who has no contract .From lines 8 to 11,  is the number of signers, ,  here are the unique ID for signatories, and  are the sets for the dishonest signatories.In line 10, if   and   are dishonest signatories, then they will send the highest promise to each other and it is the pseudocode of (d).

Case Study
As an OMPCS protocol, the GM protocol was proposed by Garay and Mackenzie in [14]; then in [5] Asokan modified it and proposed the CKS protocol.In this section, the two protocols are modeled and analyzed on the platform PAT [15] and fairness flaws have been discovered.

GM and CKS.
Each of the GM and CKS protocols has three subprotocols: main subprotocol, recovery subprotocol, and abort subprotocol.Such protocols use zero-knowledge primitives, private contract signatures [14].The main subprotocol of the two protocols is the same, and major changes are in the recovery and abort subprotocols.
The main subprotocol for n signers is divided into -level recursions with -level promises. 1 sends -level promise to  2 which can be denoted as PCS  1 ((, ),  2 , ).The third party is ; if there is nothing wrong in the execution of main subprotocol,  will not be invoked.Conversely, requirement messages will be sent by signers to  to guarantee fairness.For   to abort, it will send the abort message to ; for   to recover, it will send the corresponding recovery message.The messages are designed so that  can infer the promises that an honest signer would have sent when it launched the recovery subprotocol.For lack of space, we will not describe the two protocols and the details can be found in [6,14].

Modeling GM Protocol.
We have modeled and analyzed the GM protocol for three cases, and here we take the case of four parties for example.Figure 2 describes the communications between signers, third party, and channels.We assume that the honest signer is  1 ,  2 ,  3 , and  4 are dishonest, and  2 ,  3 , and  4 can collude to cheat  1 . 1 H process() was defined as the behavior of  1 and  2 process(),  3 process(),  4 process(), and  process() as the behaviors of  2 ,  3 ,  4 , and .After doing that, the GM protocol was modeled as a parallel system called "sys1H."

Modeling GM Main Subprotocol.
Main subprotocol is executed when signers exchange their promises.When  = 4, the main subprotocol has 4 levels (see the OMPCS definition in Section 2) recursions.We use integer variables to describe promises between signers, and boolean variables represent messages between signers and .The details of the main subprotocol model are shown in Algorithm 2.
The honest  1 mainly performs two kinds of actions in the main subprotocol, which includes sending promises to other signers and sending requirement to .They are described in step (1) and step (2).
Step (1) models the action of sending 1-level promise, in which we use boolean variables, The third party (TTP)

Modeling GM Abort and Recovery Subprotocol.
Algorithm 3 models the actions of the , that is, the abort and recovery subprotocols. is a special player that has to be modeled in a particular way.The definition and grammar are the same as the main subprotocol. process() maintains two sets, () and (), which are initialized as empty.When   sends abort message to , () is set to be () = () ∪ {}.
Elements inside () are those signers who have not sent abort message to .Based on the values of () and (), the recovery or abort decision will be made by .
The actions of  can be divided into two parts, the first part describes how  deals with abort request from  2 . sends out abort token to  2 if the status is that  Validated is false and ( 4 ||  3) is true.However, if  Validated is true, this means the recovery message has already been sent.Then the abort request is to be refused.Part two models the behaviors of dealing with recovery requests from  3 ; if  Validated is true, the recovery message will be sent.However, conversely,  will make decisions based on the current conditions.

Modeling GM Fairness.
The fairness of  1 can be divided into two parts.The first is that when GM protocol is finished, if  1 has not received the contract signed by other signers, then every other signer also will not receive the contract signed by  1 .The remainder is that if any other signers have received the contract signed by  1 , then  1 must have received the contract signed by other signers as well.So the LTL modeling of  1 's fairness is illustrated in Algorithm 4.
Goal 1 means that at least one signer in  2 ,  3 , and  4 has received the contract signed by  1 .Meanwhile, goal 2 means that  1 has received the contract signed by  2 ,  3 , and  4 .The fairness of  1 can be described as sys1| = ((goals 1) → (goals 2)), which means that, for all the traces of GM modeling system, if there is one trace to make one of  2 ,  3 , and  4 receive the signed contract from  1 , there must exist another trace that can guarantee that  1 receives the signed contract from  2 ,  3 , and  4 .

4.4.
Modeling CKS Protocol.The model of CKS main subprotocol and the description of fairness remain the same with the GM protocol, so this section will concentrate on the abort and recovery part.The main difference is that , when presented with a recovery request, overturns its abort decision if and only if  can infer dishonesty on the part of each of the signers that contracted  in the past.Compared with GM,  in CKS also maintains two integer variables, but the difference is that the variables have different meanings than that in GM.
We modeled cases of four and five signers of the CKS protocol and a fairness flaw was found in the case of five.For the sake of contrastive analysis, specifics of  2 abort request and  3 Recovery 1 1 3 3 recovery requirements are shown in Algorithm 5.However, according to [5] and the recovery subprotocol, T computes the value of  ℎ and   and finds ( 2) ∧ ( 2 ≤  ℎ2), and then it makes a decision that it will not overturn the previous decision.Finally, T sends an abort message to  3 ; thus, the fairness of  3 is not guaranteed.The similar error traces can also be found when  4 ,  2 , or  1 is the dishonest one.

Experiment Comparison.
In this paper, the fairness for four-party GM protocol and five-party CKS protocol has been verified.There are certain advantages of our method, such as less time and space complexity, more precise semantic, higher degree of automation, and more detailed results.The time and space consuming comparison between our method and the method in [5] is showed in Table 5; the unit for time is second and for memory is KB.
We use a common environment for all the tests discussed in this section; the hardware environment for the two methods is the same.For [5], the model checking platform is cmocha and the operating system is Ubuntu.For our method, the model checking platform is PAT3, and the operating system is Windows 7.
As Table 5 demonstrated, although the problem of protocol fairness verification is a NP problem and the states and time are expected to increase exponentially in theory, our method can get the verification result in certain times in the three and four participants cases of the CKS protocol.Therefore, we can get a conclusion that the reduction algorithm did a good performance as no error trace was found in such cases, and every state in the state space was visited.On the contrary, the method in [5] consumed more time and memory.Specifically, in the four-party occasion, in our experiment environment, this method cannot get verification result in certain hours (we had waited for more than 12 hours).Moreover, this method cannot give explicitly a number of visited states and fairness counterexamples.The main reason is that our method has less system states, higher states compression ratio, and the trace back-track algorithm.

Conclusion and Future Work
Based on modeling language CSP# and linear temporal logic, an efficient method which aims to analyze the fairness of optimistic multiparty contract signing protocols is presented in this paper.In order to demonstrate the feasibility of our method, two examples of the GM and CKS protocol have been described and several fairness attacking traces have been found.Comparisons also have been made in this paper between our method and other traditional methods.And the result shows that our method has certain strengths such as higher automation, less time and space complexity, visualized attacking trace, and better utility.
There is no explicit model for any cryptographic primitives in this paper and the attack model is weaker than the original paper.The main challenge is to verify the OMPCS protocols fairness in a more general condition which accounts for cryptographic and a more relaxed communication model.In our next work, we plan to extend the automatic cryptographic protocol verifier ProVerif [16] to suit our fairness verification method.

Figure 1 :
Figure 1: Structure of the method.
Definition 2 (weak fairness).For a protocol Γ, a contract , and signers   and   with each one's signed contract    () and    (), we call the protocol Γ which satisfies weak fairness if and only if we get one of the following conditions: (a) when the protocol is terminated, both   and   have not received    () and    () from each other (b) or when the protocol is terminated, both   and   have received    () and    () from each other.

Table 1 :
Syntax of the CSP#.

Table 2 :
System variables.        = , if   has successfully sent the  level promise to     V    V     V      sends recovery requirement message to TTP,  is the max level of message   has sent to   ,  is the max level of message   has sent to   , and m is the max level of message   has sent to   , and so on      quits the protocol       has sent recovery or abort requirement messages to TTP      has successfully received the   signed contract      sends abort requirement message to TTP   TTP has responded to the requirement of    V    TTP sends recovery message to        TTP sends abort message to       has not sent abort message and TTP will force him/her to abort in certain situation     has sent abort message  ℎ The highest level   has sent to higher signer before it contacts TTP   The lowest level   has sent to lower signer before it contacts TTP The highest level   has received from   ( < )The highest level   has received from all signers , (,  < ) as Pr 1 3 , to represent the promises exchanging.Setting Pr 1 2  = 1 means  1 has successfully sent 1-level promise to  2 .Step (2) says that if  1 has not received the correct promises, he can set  2 Recovery 1 1 1 as true, which represents the action of sending out recovery requirement.Step (3) and Step (4) describe the malicious behaviors of dishonest  2 .Step (3) models that  2 can send 1-level promise to  1 and Step (4) specifies that  2 can send recovery requirement to  at a relatively relaxing condition. such Reduction.When modeling GM and CKS protocol, we mitigate the state space explosion problem based on the algorithm proposed in Section 3.5.The detailed examples are given as below.Deleting states which will absolutely lead to fairness: when modeling the GM protocol, if  4 sends  a recovery requirement  4 Recovery 3 3 3 in the condition that no one has contacted  before,  will absolutely agree with  4 's requirement, setting  Validated = 1.It is obvious to ensure that the fairness can be guaranteed for, in the recovery subprotocol,  cannot overturn the recovery decision.
(d) Letting the dishonest signers send the highest promises to each other: when we model the dishonest signers  2 and  3 in the CKS protocol, some of

Table 5 :
Experiment comparison. 2 send recovery messages to T and T will refuse it and update  2 =  ℎ2 = 5,  2 = true. 3 sends its signed contract to  4 and  5 , but the dishonest  4 and  5 quits the protocol and  3 contracts T with recovery requirement.