An Optimistic Non-repudiation Protocol with Transparent Trusted Third Party

Markowitch, Olivier; Kremer, Steve

doi:10.1007/3-540-45439-x_25

Cited by 74 publications

(117 citation statements)

References 9 publications

Supporting

Mentioning

114

Contrasting

Unclassified

Order By: Relevance

“…The reason is that, in the infrastructureless case, the existence of a trusted third party simply cannot be assumed, while in the other case, even if a trusted third party is present, there is no guarantee that the nodes can access it in a timely manner due to frequent and unpredictable disconnections from the fixed infrastructure. Although fair exchange protocols that do not rely on a trusted third party do exist (e.g., gradual secret release schemes [11] and probabilistic protocols [20]), they are highly inefficient in the sense that they require a high number of messages to be exchanged in order to achieve an acceptable level of fairness. As a consequence, they are not suitable for applications in wireless ad hoc networks, where the number of transmissions should be minimized due to the limited available bandwidth and in order to reduce the energy consumption (i.e., save battery power and reduce interference) of the nodes.…”

Section: Introductionmentioning

confidence: 99%

A formal model of rational exchange and its application to the analysis of Syverson's protocol

Buttyán

Hubaux

Čapkun

2004

JCS

View full text Add to dashboard Cite

We propose a formal model of rational exchange and exchange protocols in general, which is based on game theory. In this model, an exchange protocol is represented as a set of strategies in a game that is played by the protocol parties and the network that they use to communicate with each other. Within this model, we give a formal definition for rational exchange and various other properties of exchange protocols, including fairness. In particular, rational exchange is defined in terms of a Nash equilibrium in the protocol game. We also study the relationship between rational and fair exchange, and prove that fairness implies rationality, but not vice versa. Finally, we illustrate the usage of our formal model for the analysis of existing rational exchange protocols by analyzing a protocol proposed by Syverson. We show that the protocol is rational only under the assumption that the network is reliable.

show abstract

Section: Introductionmentioning

confidence: 99%

A formal model of rational exchange and its application to the analysis of Syverson's protocol

Buttyán

Hubaux

Čapkun

2004

JCS

View full text Add to dashboard Cite

show abstract

“…However this simultaneous secret exchange is troublesome for actual implementations because fairness is based on the assumption of equal computational power for both parties, which is very unlikely in a real world scenario. A possible solution to this problem is the use of a trusted third party (TTP), and in fact it has been shown that this is impossible to achieve fair exchange without a TTP [18,20]. The TTP can be used as a delivery agent to provide simultaneous share of evidences.…”

Section: Introductionmentioning

confidence: 99%

“…One of these recent protocols is the optimistic Cederquist-Corin-Dashti (CCD) non-repudiation protocol [6]. The CCD protocol has the advantage of not using session labels, unlike many others in the literature [14,17,30,25]. A session label typically consists of a hash of all message components.…”

Section: Introductionmentioning

confidence: 99%

Automatic Methods for Analyzing Non-repudiation Protocols with an Active Intruder

Klay

Vigneron

2009

Formal Aspects in Security and Trust

View full text Add to dashboard Cite

Abstract. Non-repudiation protocols have an important role in many areas where secured transactions with proofs of participation are necessary. Formal methods are clever and without error, therefore using them for verifying such protocols is crucial. In this purpose, we show how to partially represent non-repudiation as a combination of authentications on the Fair Zhou-Gollmann protocol. After discussing the limitations of this method, we define a new one, based on the handling of the knowledge of protocol participants. This second method is general and of natural use, as it consists in adding simple annotations in the protocol specification. It is very easy to implement in tools able to handle participants knowledge. We have implemented it in the AVISPA Tool and analyzed the Fair Zhou-Gollmann protocol and the optimistic Cederquist-Corin-Dashti protocol, discovering attacks in each. This extension of the AVISPA Tool for handling non-repudiation opens a highway to the specification of many other properties, without any more change in the tool itself.

show abstract

“…This is a novel line of research, and very few results have been published. For non-repudiation (a restricted case of contract signing), Aldini and Gorrieri [1] used a probabilistic process algebra to analyse the fairness guarantees of the probabilistic non-repudiation protocol of Markowitch and Roggeman [26] Even for non-fairness properties such as secrecy, authentication, anonymity, etc., formal techniques for the analysis of security protocols have focused almost exclusively on nondeterministic attacker models. Attempts to incorporate prob-ability into formal models have been limited to probabilistic characterization of non-interference [20,33,34], and process formalisms that aim to represent probabilistic properties of cryptographic primitives [25].…”

Section: Introductionmentioning

confidence: 99%

Analysis of Probabilistic Contract Signing

Norman

Shmatikov

2003

Formal Aspects of Security

View full text Add to dashboard Cite

We present three case studies, investigating the use of probabilistic model checking to automatically analyse properties of probabilistic contract signing protocols. We use the probabilistic model checker PRISM to analyse three protocols: Rabin's probabilistic protocol for fair commitment exchange; the probabilistic contract signing protocol of Ben-Or, Goldreich, Micali, and Rivest; and a randomised protocol for signing contracts of Even, Goldreich, and Lempel. These case studies illustrate the general methodology for applying probabilistic model checking to formal verification of probabilistic security protocols.For the Ben-Or et al. protocol, we demonstrate the difficulty of combining fairness with timeliness. If, as required by timeliness, the judge responds to participants' messages immediately upon receiving them, then there exists a strategy for a misbehaving participant that brings the protocol to an unfair state with arbitrarily high probability, unless unusually strong assumptions are made about the quality of the communication channels between the judge and honest participants. We quantify the tradeoffs involved in the attack strategy, and discuss possible modifications of the protocol that ensure both fairness and timeliness.For the Even et al. protocol, we demonstrate that the responder enjoys a distinct advantage. With probability 1, the protocol reaches a state in which the responder possesses the initiator's commitment, but the initiator does not possess the responder's commitment. We then analyse several variants of the protocol, exploring the tradeoff between fairness and the number of messages that must be exchanged between participants.

show abstract

An Optimistic Non-repudiation Protocol with Transparent Trusted Third Party

Cited by 74 publications

References 9 publications

A formal model of rational exchange and its application to the analysis of Syverson's protocol

A formal model of rational exchange and its application to the analysis of Syverson's protocol

Automatic Methods for Analyzing Non-repudiation Protocols with an Active Intruder

Analysis of Probabilistic Contract Signing

Contact Info

Product

Resources

About