A Game Approach to the Verification of Exchange Protocols Application to Non-repudiation Protocols
Author
Abstract
Non-repudiation Protocols. During the last decade open networks, above all the Internet, have known an impressive growth. As a consequence, new security issues, like non-repudiation, have to be considered. Repudiation is defined as the denial by an entity of having participated in all or part of a communication. Consider for instance the following scenario: Alice wants to send a message to Bob; after having sent the message, Alice may deny having sent it (repudiation of origin), or Bob may deny having received it (repudiation of receipt). Therefore, specific protocols have been designed in order to generate evidences for non-repudiation of origin (NRO) (for Bob), and non-repudiation of receipt (NRR) (for Alice). In case of a dispute Alice or Bob will present their evidences to an adjudicator, who will take a decision in favor of one of the two entities without ambiguity. One solution consists in using a trusted third party (TTP) as an intermediary to ensure delivery. The major problem of this approach is the network bottleneck represented by the TTP. To avoid the decrease of performance created by this bottleneck, Asokan et al. introduced the optimistic approach for fair exchange [ASW97]. In an optimistic protocol one supposes that in general the involved entities are honest and that the network is well functioning. The rationale is that the TTP only intervenes in case of a problem. Afterwards, Zhou et al. applied the optimistic approach to non-repudiation protocols [ZG97]. A non-repudiation protocol has to respect several properties. The most important one is fairness: fairness must ensure that if at least one entity is honest, either both receive the expected non-repudiation evidence or none of them receives it. Another property we require is timeliness: we want the protocol to finish for each honest player after a finite amount of time. A third property that is desirable but not necessary is viability.
A protocol is viable if two honest players always succeed in exchanging the expected evidences. We consider three classes of channels: unreliable channels, resilient channels and operational channels. No assumptions can be made about unreliable channels: data may be lost. A resilient channel delivers data after a finite, but unknown amount of time. Data may be
Similar resources
A Game-Based Verification of Non-repudiation and Fair Exchange Protocols
In this paper, we report on a recent work for the verification of non-repudiation protocols. We propose a verification method based on the idea that non-repudiation protocols are best modeled as games. To formalize this idea, we use alternating transition systems, a game based model, to model protocols and alternating temporal logic, a game based logic, to express requirements that the protocol...
Teaching Secure Data Communications Using a Game Representation
The Security Protocol Game is a highly visual and interactive game for teaching secure data communication protocols. Students use the game to simulate protocols and explore possible attacks against them. The power of the game lies in the representation of secret and public key cryptography. Specifically, the game provides representations for plain text and encrypted messages, message digests, d...
Specification and Verification of High-Speed Transfer Protocols
Composition of high-speed protocols from basic protocol mechanisms can help to realize the flexible application-specific selection of protocols. For the purpose of formal specification, functional modelling, analysis, and verification of composed protocols we apply L. Lamport's Temporal Logic of Actions (TLA). We propose a modular and compositional style of specification, which supports the analysis ...
An efficient non-repudiation billing protocol in heterogeneous 3G-WLAN networks
The wireless communication with delivering variety of services to users is growing rapidly in recent years. The third generation of cellular networks (3G), and local wireless networks (WLAN) are the two widely used technologies in wireless networks. 3G networks have the capability of covering a vast area; while, WLAN networks provide higher transmission rates with less coverage. Since the two n...
Classification of Dependable Real-time Protocols: A Formal-Methods Perspective for Validation
Computers used for critical applications utilize dependable and real-time protocols to deliver reliable and timely services. The inherently large state-space covered by these protocols limits the effectiveness of the conventional verification and validation (V&V) techniques. A commonly used validation technique is that of fault injection (FI). Although a wide variety of techniques and tools exist...