
CIMPA School on Security Specification and verification of randomized security protocols Lecture 2

Date post: 30-Dec-2015
Upload: ira-levy

Bangalore, 2 Feb 2005 Probabilistic security protocols 1

CIMPA School on Security

Specification and verification of randomized security protocols

Lecture 2

Catuscia Palamidessi, INRIA & LIX

[email protected]

www.lix.polytechnique.fr/~catuscia

Page of the course:

www.lix.polytechnique.fr/~catuscia/teaching/CIMPA_School_05/


Plan of the course

• Overview of the basic notions of Probability theory and Measure theory

• Probabilistic automata

• Probabilistic π-calculus

• Applications to the specification and verification of randomized security protocols

– Anonymity

– Fair exchange


Randomized security protocols

• A certain number of security protocols use randomized primitives

– Anonymity:

• Crowds [Reiter and Rubin, 1998]

– anonymous communication (anonymity of the sender)

• Onion Routing [Syverson, Goldschlag and Reed, 1997]

– anonymous communication

• Freenet [Clarke et al. 2001]

– anonymous information storage and retrieval

– Fairness

• Probabilistic Contract Signing protocol [Ben-Or et al., 1990]

• Probabilistic non-repudiation protocol [Markowitch and Roggeman, 1999]

• Partial Secrets Exchange protocol [Even, Goldreich and Lempel, 1985]


The probabilistic π-calculus

References:

• O.M. Herescu, C. Palamidessi. Probabilistic asynchronous π-calculus. In J. Tiuryn, ed., Proc. of FOSSACS 2000 (Part of ETAPS 2000), vol. 1784 of LNCS, pages 146-160. Springer-Verlag, 2000. www.lix.polytechnique.fr/~catuscia/papers/Prob_asy_pi/report.ps

• C. Palamidessi, O.M. Herescu. A Randomized Distributed Encoding of the π-Calculus with Mixed Choice. To appear in Theoretical Computer Science (short version in Proc. of IFIP-TCS 2002, pages 537-549, Kluwer, 2002). www.lix.polytechnique.fr/~catuscia/papers/prob_enc/report.ps


The probabilistic π-calculus

• Originally developed as an intermediate language for the fully distributed implementation of the π-calculus

– The mixed choice mechanism of the π-calculus cannot be implemented deterministically in a fully distributed way, but it can be implemented in a randomized way. Correctness is achieved with probability 1.

• Presently, we use it as a framework to model the correctness of security protocols:

– to specify security properties which require a probabilistic formulation,

– to represent randomized security protocols,

– to prove their correctness, i.e. to verify that they satisfy the intended properties


The probabilistic π-calculus: syntax

Similar to the asynchronous π-calculus of Amadio, Castellani and Sangiorgi; the only difference is that the input-guarded choice is probabilistic.

[Grammar figure. Prefixes: input | silent action. Processes: inaction, probabilistic choice, output, parallel, new name, replication]


The probabilistic π-calculus: operational semantics

• Based on the probabilistic automata of Segala and Lynch

• nondeterministic and probabilistic behavior

• nondeterminism associated to a scheduler (adversary)

• probabilistic behavior associated to the choice of the process

– groups, probabilistic distributions, steps
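
The split between nondeterminism (resolved by the scheduler) and probability (resolved by the process) can be made concrete with a small calculation. The following Python code is an added example, not part of the original slides: the automaton, its state names and the functions `validate`, `expected`, `reach` and `under_scheduler` are constructed for illustration, and the automaton is assumed to be acyclic.

```python
from fractions import Fraction as F

# Constructed example (not from the slides). Each state maps to its list of
# steps; a step is a probability distribution {successor: probability}.
# Which step is taken is nondeterministic (scheduler); which successor is
# reached inside the chosen step is probabilistic (process).
AUTOMATON = {
    "s0": [{"s1": F(1, 2), "s2": F(1, 2)},
           {"s1": F(1, 3), "s2": F(1, 3), "s3": F(1, 3)}],
    "s1": [{"goal": F(1, 3), "fail": F(2, 3)},
           {"goal": F(1, 2), "fail": F(1, 2)}],
    "s2": [{"goal": F(1)}],
    "s3": [{"fail": F(1)}],
    "goal": [], "fail": [],
}

def validate(automaton):
    """Every step must be a probability distribution over known states."""
    for state, steps in automaton.items():
        for dist in steps:
            if sum(dist.values()) != 1 or any(p <= 0 for p in dist.values()):
                raise ValueError(f"step of {state} is not a distribution")
            if not set(dist) <= set(automaton):
                raise ValueError(f"step of {state} has an unknown successor")
    return True

def expected(dist, value):
    """Probability-weighted value of one step."""
    return sum((p * value(nxt) for nxt, p in dist.items()), F(0))

def reach(automaton, state, target, pick):
    """Highest (pick=max) or lowest (pick=min) probability, over all
    schedulers, of reaching target from state. Assumes no cycles."""
    if state == target:
        return F(1)
    if not automaton[state]:          # terminal state other than the target
        return F(0)
    rec = lambda s: reach(automaton, s, target, pick)
    return pick(expected(d, rec) for d in automaton[state])

def under_scheduler(automaton, state, target, choice):
    """Same probability for one fixed memoryless scheduler:
    choice[state] is the index of the step selected in that state."""
    if state == target:
        return F(1)
    if not automaton[state]:
        return F(0)
    rec = lambda s: under_scheduler(automaton, s, target, choice)
    return expected(automaton[state][choice.get(state, 0)], rec)
```

For this automaton the probability of reaching `goal` from `s0` ranges from 4/9 to 3/4 depending on the scheduler. Because the scheduler plays the adversary, a property has to be checked against the bound that is worst for it, not against one particular resolution.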

[Figure: example probabilistic automaton, with transition probabilities 1/2, 1/3 and 2/3, illustrating steps]


The probabilistic π-calculus: operational semantics

[Figure: a step with branches 1, 2, …, n, taken with probabilities p1, p2, …, pn]
