Finite-state analysis of two contract signing protocols

Optimistic contract signing protocols allow two parties to commit to a previously agreed upon contract, relying on a third party to abort or connrm the contract if needed. These protocols are relatively subtle, since there may be interactions between the subprotocols used for normal signing without the third party, aborting the protocol through the third party, or requesting connrmation from the third party. With the help of Mur', a nite-state veriication tool, we analyze two related contract signing protocols: the optimistic contract signing protocol of Asokan, Shoup, and Waidner, and the abuse-free contract signing protocol of Garay, Jakobsson, and MacKenzie. For the rst protocol, we discover that a malicious participant can produce inconsistent versions of the contract or mount a replay attack. For the second protocol, we discover that negligence or corruption of the trusted third party may allow abuse or unfairness. In this case, contrary to the intent of the protocol, the cheated party is not able to hold the third party accountable. We present and analyze modiications to the protocols that avoid these problems and discuss the basic challenges involved in formal analysis of fair exchange protocols.