Generalizing Multi-party Contract Signing

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Multi-party contract signing (MPCS) protocols allow a group of signers to exchange signatures on a predefined contract. Previous approaches considered either completely linear protocols or fully parallel broadcasting protocols. We introduce the new class of DAG MPCS protocols which combines parallel and linear execution and allows for parallelism even within a signer role. This generalization is useful in practical applications where the set of signers has a hierarchical structure, such as chaining of service level agreements and subcontracting. Our novel DAG MPCS protocols are represented by directed acyclic graphs and equipped with a labeled transition system semantics. We define the notion of abort-chaining sequences and prove that a DAG MPCS protocol satisfies fairness if and only if it does not have an abort-chaining sequence. We exhibit several examples of optimistic fair DAG MPCS protocols. The fairness of these protocols follows from our theory and has additionally been verified with our automated tool. We define two complexity measures for DAG MPCS protocols, related to execution time and total number of messages exchanged. We prove lower bounds for fair DAG MPCS protocols in terms of these measures.


💡 Research Summary

The paper addresses the problem of multi‑party contract signing (MPCS) in asynchronous networks where a group of parties must obtain each other’s signatures on a common digital contract. Existing optimistic MPCS protocols fall into two extreme categories: linear protocols, in which at any moment only one participant can advance, and broadcast protocols, in which all participants exchange messages in synchronized rounds. Both categories are ill‑suited for realistic scenarios such as service‑level agreements or supply‑chain contracting, where the set of signers has a hierarchical structure and direct communication between all parties (or between all sub‑contractors) is either impossible or highly inefficient.

To overcome these limitations the authors introduce DAG MPCS protocols, a new class whose execution flow is described by a directed acyclic graph (DAG). Vertices represent local states of a signer, while edges are either (i) ε‑edges that model internal causal dependencies within the same role, (ii) message edges that carry a labeled message from one role to another, or (iii) exit edges that allow a role to contact a trusted third party (TTP). The graph may contain parallel outgoing edges from a vertex, thus permitting true parallelism both across different signers and within a single signer’s multiple threads. The TTP’s behavior is captured by a function δ that maps the sequence of received messages to a response, modelling the resolve sub‑protocol.

A central contribution is the definition of abort‑chaining sequences (ACS), a generalized form of abort‑chaining attacks. An ACS is a chain of abort requests that, once initiated by a dishonest participant, forces other honest participants to be unable to obtain the missing signatures. The authors prove a necessary‑and‑sufficient condition for fairness: a DAG MPCS protocol is fair if and only if its execution graph contains no ACS. This result extends earlier fairness criteria that were limited to linear or broadcast settings.

The paper also introduces two quantitative complexity measures for DAG MPCS protocols:

  1. Parallel complexity – the length of the longest causal path (i.e., the number of “rounds” required for completion). This generalises the classic round‑complexity used for broadcast protocols.
  2. Message complexity – the total number of message edges in the DAG, reflecting the overall communication load.

Using these measures, the authors derive lower bounds for any fair DAG MPCS protocol. They show that linear protocols achieve the minimal message complexity but suffer from maximal parallel complexity, whereas broadcast protocols achieve the opposite. DAG protocols can simultaneously approach both lower bounds, offering a better trade‑off.
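As an added illustration of the two complexity measures (example code, not from the paper or its verification tool): a toy Python model of a DAG MPCS protocol with the three edge kinds, computing message complexity and parallel complexity for constructed linear, broadcast and hierarchical topologies. The topologies, the vertex naming and the rule that only message edges cost a round are assumptions of this example.

```python
from collections import defaultdict
EPS, MSG, EXIT = "eps", "msg", "exit"   # the three edge kinds described above
class DagProtocol:
    """Toy DAG MPCS model: vertices are local signer states; edges are
    eps (internal), msg (one role to another) or exit (to the TTP)."""
    def __init__(self):
        self.out = defaultdict(list)        # src -> [(dst, kind)]
    def add_edge(self, src, dst, kind):
        self.out[src].append((dst, kind))
    def message_complexity(self):
        return sum(k == MSG for es in self.out.values() for _, k in es)
    def parallel_complexity(self):
        # Longest causal path; assumption: only msg edges cost a round
        memo = {}
        def longest(v):
            if v not in memo:
                memo[v] = max((longest(d) + (k == MSG)
                               for d, k in self.out.get(v, ())), default=0)
            return memo[v]
        return max((longest(v) for v in list(self.out)), default=0)

def linear(n, passes=1):
    """Constructed linear topology: one token walks P1..Pn, then back again."""
    p, seq = DagProtocol(), list(range(1, n + 1))
    for k in range(1, passes):             # reverse direction on each later pass
        seq += (seq[:n][::-1] if k % 2 else seq[:n])[1:]
    for i in range(len(seq) - 1):          # every visit is a fresh local state
        p.add_edge((seq[i], i), (seq[i + 1], i + 1), MSG)
    return p

def broadcast(n, rounds=1):
    """Constructed broadcast topology: each signer messages all others per round."""
    p = DagProtocol()
    for r in range(rounds):
        for s in range(1, n + 1):
            for t in range(1, n + 1):
                if t != s:
                    p.add_edge((s, r), (t, r + 1), MSG)
    return p

def hierarchical():
    """Constructed contractor DAG: P1 forks one thread per subcontractor."""
    p = DagProtocol()
    for s, d, k in [("P1.start", "P1.t2", EPS), ("P1.start", "P1.t3", EPS),
                    ("P1.t2", "P2.got", MSG), ("P1.t3", "P3.got", MSG),
                    ("P2.got", "P1.ack2", MSG), ("P3.got", "P1.ack3", MSG),
                    ("P1.ack2", "P1.end", EPS), ("P1.ack3", "P1.end", EPS),
                    ("P1.end", "TTP", EXIT)]:
        p.add_edge(s, d, k)
    return p
```

For three signers, the linear chain costs as many rounds as messages, one broadcast round costs six messages for a single round, and the hierarchical DAG completes in two rounds with four messages while P2 and P3 never communicate directly.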

To demonstrate practicality, three novel optimistic DAG MPCS protocols are constructed:

  • A protocol that exploits in‑role parallelism, allowing a signer to run two independent threads concurrently while preserving fairness.
  • A hierarchical protocol that mirrors the structure of SLA chains or subcontracting relationships, avoiding direct communication between unrelated subcontractors.
  • A mixed protocol that interleaves linear and parallel segments to minimise both round count and message count.

For each protocol the authors apply their ACS‑free criterion and prove fairness analytically. Additionally, they built an automated verification tool (described in Appendix A) that takes a DAG specification as input, explores its state space, encodes the ACS condition into a SAT/SMT problem, and decides fairness automatically. The tool successfully verified the three example protocols and confirmed that they meet the derived lower bounds.

Related work is surveyed comprehensively: early optimistic MPCS protocols by Baum‑Waidner & Waidner, abuse‑free contract signing, abort‑chaining attacks by Mukhamedov & Ryan, and recent model‑checking efforts using Mocha and NuSMV. The authors argue that none of the prior approaches support the combination of linear and parallel behaviour within a single role, nor provide a general fairness condition applicable to arbitrary DAGs.

In conclusion, the paper establishes a robust theoretical framework for designing fair, efficient multi‑party contract signing protocols that can accommodate complex, hierarchical business relationships. By modelling protocols as DAGs, defining abort‑chaining sequences, proving tight complexity lower bounds, and providing an automatic verification tool, the work paves the way for practical deployment of MPCS in modern distributed systems where both scalability and fairness are paramount.
