| A fair signature exchange protocol lets two parties exchange digital signatures on a specified text. In optimistic protocols, it is possible for two signers to do so without invoking a trusted third party. However, an adjudicating third party remains available should one or both signers seek timely resolution. Each signer may have one or more objectives, ranging from “optimistically” trying to put the exchange in place as quickly as possible to maliciously manipulating the other party to gain an advantage. We study in detail the optimistic two-party signature exchange protocol of Garay, Jakobsson and MacKenzie [28] using a game-theoretic framework and show that no signer enjoys an advantage over an honest counterparty. In this setting, we employ the formal inductive proof methods previously used in the formal analysis of simpler, trace-based properties of authentication protocols. We extend this game-theoretic framework to include concepts of preferred behavior and analyze a class of signature exchange protocols. In the process of establishing relationships amongst various protocol properties obtained in the literature, we obtain a fundamental impossibility result: in any fair, optimistic protocol there is a point at which one signer realizes an advantage over an optimistic opponent. |
