Fair multi-party contract signing using private contract signatures

A multi-party contract signing protocol allows a set of participants to exchange messages with each other with a view to arriving in a state in which each of them has a pre-agreed contract text signed by all the others. Garay and Mackenzie (GM) proposed such protocol based on private contract signatures, but it was later shown to be flawed by Chadha, Kremer and Scedrov (CKS); the authors CKS also provided a fix to the GM protocol by revising one of its sub-protocols. We show an attack on the revised GM protocol for any number (n > 4) of signers. Furthermore, we argue that our attack shows that the message exchange structure of GM's main protocol is flawed: whatever the trusted party does will result in unfairness for some signer. This means that it is impossible to define a trusted party protocol for Garay and MacKenzie's main protocol; we call this "resolve-impossibility". We propose a new optimistic multi-party contract signing protocol, also based on private contract signatures. We present a proof that our protocol satisfies fairness as well as its formal analysis in NuSMV model checker for the case of five signers. The protocol requires n(n - 1)([n/2] + 1) messages to be sent in the optimistic execution, which is about half the number of messages required by the state-of-the-art Baum-Waidner and Waidner protocol, and in contrast with. Baum-Waidner and Waidner, it does not use a non-standard notion of a signed contract. (C) 2007 Elsevier Inc. All rights reserved.