Model Checking Dining Cryptographers with VerICS

Date post: 13-Nov-2023

Model Checking Dining Cryptographers with VerICS⋆

A. Niewiadomski², W. Penczek¹,², M. Szreter¹, M. Kacprzak³

¹ Institute of Computer Science, PAS, 01-237 Warsaw, ul. Ordona 21, Poland, {penczek,szreter}@ipipan.waw.pl

² Institute of Computer Science, University of Podlasie, ul. Sienkiewicza 51, 08-110 Siedlce, Poland, [email protected]

³ Białystok University of Technology, Institute of Mathematics and Physics, 15-351 Białystok, ul. Wiejska 45A, Poland, [email protected]

Abstract. We show how to verify the protocol Dining Cryptographers (DC) with VerICS. To this aim we present a new model of DC in terms of a network of communicating automata extended with green and red states for representing correct and incorrect behaviours. The language CTLKD (an extension of the standard CTL enriched with deontic operators and standard epistemic operators) is used for the representation of the temporal evolution of epistemic states of the agents, as well as their correct and incorrect functioning behaviour. The verification is based on an application of the technique of bounded model checking (BMC), a mainstream approach in verification of reactive systems, implemented as a module of VerICS. We verify several formulas in CTLKD showing the efficiency of both our modelling of DC as well as our implementation of BMC for ECTLKD - the existential fragment of CTLKD.

1 Introduction

The main problem in designing software systems is checking whether a program meets its specification conditions. However, in distributed systems (such as multi-agent systems) different entities can be created by different designers. Thereby, it is very difficult to ensure that all cooperating processes follow given rules and work in a desirable way. This problem often appears in electronic commerce, e.g., when carrying out an automatic auction or purchase, where participants are not sure how their co-workers behave. Therefore, in multi-agent systems it is crucial to establish whether agents act according to established protocols. Questions about the consequences of wrong functioning of agents are also very important. Properties of systems which concern these issues can be expressed in deontic logic.

⋆ The authors acknowledge support from the Polish grants 3T11C01128 and W/IMF/2/04.

Deontic logic is a modal logic which explores two modalities: O - “obligatory”, P - “permitted”. In the context of multi-agent systems these modalities are used in order to deal with correct and incorrect behaviour of agents. Two kinds of formulas, $O_i\alpha$ and $P_i\alpha$, can be built. Their intuitive meaning is the following: “$\alpha$ is obligatory always when agent i behaves correctly” and “$\alpha$ is permitted when agent i behaves correctly”, respectively. Formally, suitable and unsuitable functioning of agents is described by means of green and red states, of which the sets of local states of agents are composed.

In the paper, we consider the well known Dining Cryptographers (DC) protocol. It is used in cryptography for anonymous broadcasting of messages. However, we assume that some of the cryptographers can be faulty. So, we are interested not only in testing the correctness of this protocol but also in checking what agents are aware of if they know that some of them can cheat.

Validation of computer protocols is currently conducted by means of three main techniques: testing, theorem proving, and model checking. Testing involves searching the state-space of the possible inputs of a protocol looking for potentially problematic outputs. Theorem proving techniques are based on the representation of a protocol by means of a system of formal logic; in its simplest instance, checking whether a property is satisfied amounts to checking whether a formula is a theorem of the logic that represents the protocol. Model checking [2] involves representing all possible computational traces of the protocol by means of a temporal model and checking whether or not a modal formula, representing the property to be verified, holds in this model.

Protocol validation has in other words an intrinsic “deontic connotation”. It amounts to checking whether the system under consideration behaves as it is prescribed by its specification. But it should be noted that, in this approach, this is a property that is external from the logical system. One could say, the correct functioning behaviour of the system is a metalogical property of the logic system representing the program. Differently from what happens in deontic logic, deontic concepts here are not explicitly used in the logic to represent the system, but they are built into the procedures that operate on the logic used to check the system. The interested reader is referred to [13] for more details.

In this paper we show how to model the protocol of Dining Cryptographers in terms of a network of communicating automata. Then, we discuss the implementation of BMC for ECTLKD of VerICS, and conduct several experiments for verifying correctness properties of DC. Since all the paths in the model of Dining Cryptographers are finite, we can exploit this fact for proving several universal properties by showing that their negations do not hold in the whole model.

The paper is organized as follows. The next section discusses existing approaches to verifying the protocol Dining Cryptographers. In Section 2, we introduce basic notions for modelling protocols. In Section 3 we discuss the protocol DC and its model in terms of a network of communicating automata. The language of CTLKD, an extension of CTLK, representing correct/incorrect functioning behaviour of the agents is given in Section 4. In Section 5 we present a bounded semantics definition for satisfaction that we use in implementation of the algorithm of bounded model checking. In Section 6 we show the experimental results of verifying several properties of DC, whereas Section 7 provides conclusions and plans for future work.

1.1 Related Work

R. van der Meyden and K. Su in [12] discuss a BDD-based approach to verifying Dining Cryptographers. They assume the perfect recall of the agents and verify the formula that says that if the cryptographer 1 did not pay, then he knows either that no cryptographer paid, or knows that one of the others paid, but does not know which one. They can verify this formula in a reasonable time (i.e., less than 10 hours) for five cryptographers.

Wiebe van der Hoek et al. in [11] show a translation from CTLn to LTL in order to verify Dining Cryptographers using SPIN.

Finally, F. Raimondi and A. Lomuscio in [10] verify Dining Cryptographers using a BDD-based model checker mcmas for CTLKD. They show experimental results for the three cryptographers.

2 Modelling protocols

For modelling different kinds of systems, including communication protocols, a wide range of description techniques can be applied: from high level description languages to detailed description in the form of a transition-based system. The choice of one of them usually depends on the complexity of the modelling problem and the availability of tools that can handle it. One possible representation of protocols is a network of communicating automata, where each automaton represents one component of a system.

Definition 1 (Deontic automaton). A deontic automaton is a four-tuple $A = (Act, L, s^0, T)$, where

– $Act$ is a finite set of actions,
– $L$ is a finite set of states, which is divided into two disjoint sets of green $L^G$ and red $L^R$ states,
– $s^0 \in L$ is the initial state,
– $T \subseteq L \times Act \times L$ is a transition relation.

The automata of a network can be composed into the product automaton by a standard multi-synchronization approach: the transitions that do not correspond to a shared action are interleaved, whereas the transitions labelled with a shared action are synchronized. A synchronized transition is enabled if it is enabled in all synchronizing automata.

Definition 2 (A product automaton). Given a network $\{A_1, \ldots, A_n\}$ of deontic automata, where $A_i = (Act_i, L_i, s^0_i, T_i)$ for $1 \le i \le n$, the product automaton is a four-tuple $A = (Act, G, s^0, T)$, where

– $Act = \bigcup_{i=1}^{n} Act_i$ is a finite set of actions,
– $G = L_1 \times \ldots \times L_n$ is a finite set of global states,
– $s^0 = (s^0_1, \ldots, s^0_n) \in G$ is the initial state,
– $T \subseteq G \times Act \times G$ is a transition relation such that $((l_1, \ldots, l_n), a, (l'_1, \ldots, l'_n)) \in T$ iff $(\forall i \in A(a))\ (l_i, a, l'_i) \in T_i$ and $(\forall i \in \{1, \ldots, n\} \setminus A(a))\ l_i = l'_i$, where $A(a) = \{i \mid 1 \le i \le n \text{ and } a \in Act_i\}$.

Intuitively, the global state $(l'_1, \ldots, l'_n)$ is the result of executing the action $a$ at a global state $(l_1, \ldots, l_n)$ iff for every automaton $A_i$ whose set of actions contains $a$, we have $(l_i, a, l'_i) \in T_i$, and for the remaining $A_j$ we take $l'_j = l_j$.

The product automaton extended with a labelling function is used as a model for interpreting our specification language, but we do not build it explicitly for verification purposes as we use a symbolic approach.

In the context of multi-agent systems, the automata are called agents and their states are called local states. Let $loc_i : G \to L_i$ be a function which returns the local state of an agent $A_i$ ($i = 1, \ldots, n$) from a global state. A notion of a model is defined below.

Definition 3 (Model). Let $A = (Act, G, s^0, T)$ be a product automaton. By the (deontic) model we mean a tuple $M = (W, s^0, TR, \sim, \sim^O, V)$, where

– $W$ is a set of reachable global states from $s^0$, i.e., $W = \{s \in G \mid (s^0, s) \in TR^*\}$ ⁴,
– $TR \subseteq W \times W$ is a binary relation on $W$ such that $(s, s') \in TR$ iff there exists $a \in Act$ such that $(s, a, s') \in T$ or if for every $a \in Act$, $(s, a, s') \notin T$, then $s = s'$,
– $\sim\ = \{\sim_i\}_{i=1,\ldots,n}$, where $\sim_i \subseteq G \times G$ is an epistemic accessibility relation for each agent $A_i$ ($1 \le i \le n$) defined by: $s \sim_i s'$ iff $loc_i(s') = loc_i(s)$,
– $\sim^O = \{\sim^O_i\}_{1 \le i \le n}$, where $\sim^O_i \subseteq G \times G$ is a deontic accessibility relation for each agent $A_i$ ($1 \le i \le n$) defined by: $s \sim^O_i s'$ iff $loc_i(s') \in L^G_i$ ⁵,
– $V : G \to 2^{PV}$ is a valuation function for a set of propositional variables $PV$ such that $true \in V(s)$ for all $s \in G$. $V$ assigns to each state a set of propositional variables that are assumed to be true at that state.

Observe that according to this model, every agent can perform its local action as soon as it is allowed. However, as we mentioned before, some of the local actions are synchronized and must be executed together. The synchronization of automata and thereby communication between agents is done via shared labels of transitions. Moreover, two or more unsynchronized actions cannot be realized at the same time. So, we explore the interleaving model of computation.

⁴ $TR^*$ denotes the reflexive and transitive closure of $TR$.

⁵ Since each $\sim^O_i$ only depends on the target state, for what pertains this component we could have equally defined a model by means of green local states for agent i.

Computation paths. A computation in $M$ is a possibly infinite sequence $\pi = (s_0, s_1, \ldots)$ of states such that $(s_i, s_{i+1}) \in TR$ for each $i \in \mathbb{N}$. A k-computation is a sequence of length k. For a computation $\pi = (s_0, s_1, \ldots)$, let $\pi(k) = s_k$, and $\pi_k = (s_0, \ldots, s_k)$, for each $k \in \mathbb{N}$. By $\Pi(s)$ we denote a set of all the infinite computations starting at $s$ in $M$, whereas by $\Pi_k(s)$ a set of all the k-computations starting at $s$. Moreover, let $\mathbb{N}_+ = \mathbb{N} \setminus \{0\}$.

3 Dining Cryptographers

The anonymous broadcasting of information is one of the main problems discussed in cryptography. The Dining Cryptographers (DC) protocol provides one of the cryptographically secure solutions. It allows for keeping confidential who sends which message and can be adapted to a wide variety of practical considerations. The DC protocol has been introduced by Chaum. The original wording from [1] is included below.

“Three cryptographers are sitting down to dinner at their favorite three-star restaurant. Their waiter informs them that arrangements have been made with the maitre d’hotel for the bill to be paid anonymously. One of the cryptographers might be paying for dinner, or it might have been NSA (U.S. National Security Agency). The three cryptographers respect each other’s right to make an anonymous payment, but they wonder if NSA is paying. They resolve their uncertainty fairly by carrying out the following protocol:

Each cryptographer flips an unbiased coin behind his menu, between him and the cryptographer on his right, so that only the two of them can see the outcome. Each cryptographer then states aloud whether the two coins he can see–the one he flipped and the one his left-hand neighbor flipped–fell on the same side or on different sides. If one of the cryptographers is the payer, he states the opposite of what he sees. An odd number of differences uttered at the table indicates that a cryptographer is paying; an even number indicates that NSA is paying (assuming that dinner was paid for only once). Yet if a cryptographer is paying, neither of the other two learns anything from the utterances about which cryptographer it is.”

The same protocol can be run also for a number of cryptographers greater than three (see [1]). For the purposes of this paper, we consider a variation of the protocol in which we assume that some cryptographers may be faulty. In particular, we allow them to say the opposite of what they are supposed to say, i.e., they can choose to behave correctly or to cheat when announcing the values of the coins they see.

The Cheating Dining Cryptographers protocol (CDC) is modelled with a network of communicating automata. In the general case, there are $n_1$ automata modelling the cheating cryptographers and $n_2$ automata modelling the honest ones. The automaton for the honest cryptographer $A_{HC_i}$ ($i = n_1 + 1, \ldots, n_1 + n_2$) consists of 5 states with the clear meaning: 0 (the initial state), $seeEqual_i$, $seeDifferent_i$, $saidEqual_i$, and $saidDifferent_i$. If the cryptographer can cheat, then the automaton $A_{CC_i}$ ($i = 1, \ldots, n_1$) contains two additional states: $lieEqual_i$ and $lieDifferent_i$. The cryptographers start with the state 0, and then perform actions affirming what they can see and what they said in turn.

Moreover, there are $n = n_1 + n_2$ automata $A_{P_i}$ ($i = 1, \ldots, n$) determining who is paying for dinner. Each of them contains three states: 0 (the initial state), $paid_i$, and $notPaid_i$. These automata synchronize in such a way that at most one of them can execute an action that results in the state $paid_i$, whereas the remaining automata reach the state $notPaid_j$. In particular, if the NSA is paying, all automata $A_{P_i}$ ($i = 1, \ldots, n$) reach the state $notPaid_i$. After this, all of their actions synchronize with actions of cryptographers determining what they said.

Furthermore, we have n automata $A_{O_i}$ ($i = 1, \ldots, n$) that model flipping coins. Each of them consists of three states: 0 (the initial state), $head_i$, and $tail_i$. First, they behave independently of other automata and perform actions determining the result of the flipping. Next, they synchronize with the automata for the cryptographers who can see appropriate coins, influencing the states they reach, either seeEqual or seeDifferent.

Finally, we have one automaton $A_R$ which models the counter of differences in the utterances. This automaton also starts with the initial state 0, and then registers what the cryptographers said in turn as well as how many differences there are. So, it synchronizes with the automata of the cryptographers and finishes either with the state even or with the state odd.

We assume that all states of automata are green with the exception of the states $lieEqual_i$ and $lieDifferent_i$ ($i = 1, \ldots, n_2$) of the cheating cryptographers. It is easy to notice that the total number of the automata is equal to $3n + 1$.

For simplicity, an instance of the protocol with two honest and one cheating cryptographer is visualised below. In this case we obtain a network of the 10 automata: three representing the cryptographers (Fig. 3 and 4), three determining who pays for dinner (Fig. 1), three modelling the toss-ups (Fig. 2), and one playing a role of the counter of differences in utterances (Fig. 5).

The above automata are composed into the product automaton $A$ with the initial state $s^0 = \langle 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 \rangle$. The global actions, global states and a transition relation are built according to Definition 2. The automaton $A$ is turned into the model $M$ with a valuation function $V$ defined over a set of propositions $PV = \{paid_1, paid_2, paid_3, even, odd\}$ as follows:

– $paid_i \in V((l_1, \ldots, l_{10}))$ iff $l_i = paid_i$, for $i = 1, 2, 3$,
– $even \in V((l_1, \ldots, l_{10}))$ iff $l_{10} = even$,
– $odd \in V((l_1, \ldots, l_{10}))$ iff $l_{10} = odd$.

Fig. 1. The automata $A_{P_1}$, $A_{P_2}$, $A_{P_3}$ determining who pays for dinner.

Fig. 2. The automata $A_{O_1}$, $A_{O_2}$, $A_{O_3}$ modelling toss-ups.

Fig. 3. The automata $A_{HC_2}$, $A_{HC_3}$ modelling the honest cryptographers.

Fig. 4. The automaton $A_{CC_1}$ modelling the cheating cryptographer.

Fig. 5. The automaton $A_R$ modelling the counter of differences in the utterances.

Now, we present an example of a computation, but note that some other sequences of states are also possible. At the beginning, the automata modelling toss-up execute the actions $h_1, h_2, h_3$ in turn. These actions select the random results of coin tosses. Therefore, after three steps the global state $s_3 = \langle 0, 0, 0, 0, 0, 0, head_1, head_2, head_3, 0 \rangle$ is reached. Next, the automata determining who pays for dinner execute the synchronized action $s_0$, which indicates that the agency is a payer. So, the global state of the model is $s_4 = \langle 0, 0, 0, notPaid_1, notPaid_2, notPaid_3, head_1, head_2, head_3, 0 \rangle$. Next, the cryptographers can see the results of coin tosses and say whether they see equal or different sides of coins. Then, the counter counts the number of differences. All of these actions are realized through firing appropriate shared transitions. Assuming that the cheating cryptographer does not cheat at this time, the final state of this scenario is: $s_{13} = \langle saidEqual_1, saidEqual_2, saidEqual_3, notPaid_1, notPaid_2, notPaid_3, head_1, head_2, head_3, even \rangle$. It is reached after executing 13 transitions. In the general case, if the system consists of n cryptographers, the maximal number of fired transitions is equal to $4n + 1$. This number is called the maximal depth of the model.
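The composition rule of Definition 2 and the reachable set $W$ with the relation $TR$ of Definition 3 can be computed explicitly for a small fragment of this network. The following Python sketch is an added example, not code from the paper or from VerICS. It assumes a fragment made of the coins 1 and 2 and the honest cryptographer 2, hypothetical action names t1, t2 and see_* (only h1 and h2 appear in the text), and reads the second clause of $TR$ as a self-loop on states with no enabled action.

```python
from collections import deque
from itertools import product

def automaton(transitions):
    """Build (Act_i, T_i) from (source, action, target) triples."""
    acts = {a for _, a, _ in transitions}
    trans = {}
    for src, act, dst in transitions:
        trans.setdefault((src, act), set()).add(dst)
    return acts, trans

def successors(network, state, action):
    """Global successors of `state` under `action`, following Definition 2."""
    choices = []
    for (acts, trans), local in zip(network, state):
        if action not in acts:
            choices.append([local])      # i not in A(a): local state is unchanged
            continue
        targets = trans.get((local, action))
        if not targets:
            return []                    # an automaton in A(a) cannot fire the action
        choices.append(sorted(targets))
    return [tuple(c) for c in product(*choices)]

def reachable(network, initial):
    """Return (W, TR) in the sense of Definition 3."""
    actions = sorted(set().union(*(acts for acts, _ in network)))
    W, TR, queue = {initial}, set(), deque([initial])
    while queue:
        s = queue.popleft()
        nexts = {t for a in actions for t in successors(network, s, a)}
        for t in nexts or {s}:           # assumed reading: deadlocked states loop
            TR.add((s, t))
            if t not in W:
                W.add(t)
                queue.append(t)
    return W, TR

# Constructed fragment of the DC network (action names other than h1, h2 are assumed).
SIDES = ("hh", "ht", "th", "tt")         # first letter: coin 1, second letter: coin 2

def coin(i, pos):
    head, tail = f"head{i}", f"tail{i}"
    t = [("0", f"h{i}", head), ("0", f"t{i}", tail)]
    for sides in SIDES:
        here = head if sides[pos] == "h" else tail
        t.append((here, f"see_{sides}", here))   # the coin keeps its side when observed
    return automaton(t)

def honest_cryptographer_2():
    return automaton([("0", f"see_{s}", "seeEqual2" if s[0] == s[1] else "seeDifferent2")
                      for s in SIDES])

def build_fragment():
    return [coin(1, 0), coin(2, 1), honest_cryptographer_2()], ("0", "0", "0")

if __name__ == "__main__":
    network, s0 = build_fragment()
    W, TR = reachable(network, s0)
    print(len(W), "reachable global states,", len(TR), "pairs in TR")
```

The coin actions interleave, while each see_* action fires only when both coin automata and the cryptographer enable it, so the cryptographer can reach seeEqual2 only from global states in which the two coins agree.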

4 The Logic CTLKD

The specification of the protocol Dining Cryptographers can be expressed in the language of CTLKD. This logic is an extension of Computational Tree Logic (CTL) [4], introduced by Emerson and Clarke, enriched with standard epistemic operators ⁶ [5] as well as deontic operators.

Deontic logic is a modal logic in which the modal operator O is used to express that something is obligatory. In particular, in multi-agent scenario all states of agents can be divided into two disjoint sets of red and green states. Green states describe correct behaviour of agents, while red states characterize errors. As a result, the deontic formula $O_i\alpha$ expresses that $\alpha$ is true always when agent i behaves correctly, i.e., reaches its green states. The dual deontic formula $P_i\alpha$ states that it is possible to reach a green state in which $\alpha$ holds.

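Definition 4 (Syntax of CTLKD). The set of CTLKD formulas FORM is defined as follows: $\alpha ::= p \mid \neg\alpha \mid \alpha \lor \alpha \mid EX\alpha \mid EG\alpha \mid E(\alpha U \alpha) \mid \overline{K}_i\alpha \mid P_i\alpha$, where $p \in PV$ and $i \in \{1, \ldots, n\}$.

The basic modalities are defined by derivation as follows: $EF\alpha \stackrel{def}{=} E(true\,U\alpha)$, $AF\alpha \stackrel{def}{=} \neg EG\neg\alpha$, $A(\alpha R \beta) \stackrel{def}{=} \neg E(\neg\alpha U \neg\beta)$, $AX\alpha \stackrel{def}{=} \neg EX\neg\alpha$, $O_i\alpha \stackrel{def}{=} \neg P_i\neg\alpha$, $K_i\alpha \stackrel{def}{=} \neg\overline{K}_i\neg\alpha$. Other boolean connectives are defined in the standard way. Moreover, $false \stackrel{def}{=} \neg true$. The formula $P_i\alpha$ stands for “there exists a state where agent i is functioning correctly and $\alpha$ holds”. As customary X, G stand for “at the next step”, and “forever in the future” respectively. The Until operator U, precisely $\alpha U \beta$, expresses that $\beta$ occurs eventually and $\alpha$ holds continuously until then. The operators $K_i$ denote knowledge of the agent i.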

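Definition 5 (Interpretation of CTLKD). Let $M = (W, s^0, TR, \sim, \sim^O, V)$ be a model, $s \in W$ a state, $\pi$ a computation, and $\alpha, \beta$ formulas of CTLKD. $M, s \models \alpha$ denotes that $\alpha$ is true at the state $s$ in the model $M$. $M$ is omitted, if it is implicitly understood. The relation $\models$ is defined inductively as follows:

$s \models EX\alpha$ iff $\exists \pi \in \Pi(s)\ \pi(1) \models \alpha$,
$s \models EG\alpha$ iff $\exists \pi \in \Pi(s)\ \forall m \ge 0\ \pi(m) \models \alpha$,
$s \models E(\alpha U \beta)$ iff $\exists \pi \in \Pi(s)\ (\exists m \ge 0\ [\pi(m) \models \beta \text{ and } \forall j < m\ \pi(j) \models \alpha])$,
$s \models P_i\alpha$ iff $\exists s' \in W\ (s \sim^O_i s' \text{ and } s' \models \alpha)$,
$s \models \overline{K}_i\alpha$ iff $\exists s' \in W\ (s \sim_i s' \text{ and } s' \models \alpha)$.

For propositions and boolean connectives the relation $\models$ is defined in the standard manner.

⁶ Here we restrict our formalism to the knowledge operator only.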

Definition 6 (Validity). A CTLKD formula $\varphi$ is valid in $M$ (denoted $M \models \varphi$) iff $M, s^0 \models \varphi$, i.e., $\varphi$ is true at the initial state of the model $M$.

The logic ECTLKD is the existential restriction of CTLKD such that the negation can be applied only to elements of $PV$, i.e., $\neg\alpha$ is replaced by $\neg p$ in the Definition 4. The logic ACTLKD is the universal restriction of CTLKD such that its language is defined as $\{\neg\varphi \mid \varphi \in \text{ECTLKD}\}$.

5 Bounded Model Checking

For testing which properties the protocol Dining Cryptographers meets, we use Bounded Model Checking (BMC) [8]. This method was originally introduced for verification of the existential fragment of the logic CTL, and then was extended for ECTLK [7] and ECTLKD [13]. BMC is based on an observation that some properties of systems can be checked without the need of searching the whole state space. In the simplest case of reachability analysis, the approach consists in an iterative encoding of a symbolic path. The satisfiability of the resulting propositional formula is then checked using an external SAT-solver.

The main idea is that we can check $\varphi$ over $M_k$ (a k-model for $M$ that consists of all k-computations of $M$) by checking the satisfiability of a propositional formula $[M, \varphi]_k = [M^{\varphi,s^0}]_k \land [\varphi]_{M_k}$, where the first conjunct represents (part of) the model under consideration and the second a number of constraints that must be satisfied on $M_k$ for $\varphi$ to be satisfied.

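Definition 7. Define a function $f_k : \text{ECTLKD} \to \mathbb{N}$ as follows:

• $f_k(p) = f_k(\neg p) = 0$, for $p \in PV$,
• $f_k(\alpha \lor \beta) = \max\{f_k(\alpha), f_k(\beta)\}$,
• $f_k(\alpha \land \beta) = f_k(\alpha) + f_k(\beta)$,
• $f_k(EG\alpha) = (k + 1) \cdot f_k(\alpha) + 1$,
• $f_k(E(\alpha U \beta)) = k \cdot f_k(\alpha) + f_k(\beta) + 1$,
• $f_k(Z\alpha) = f_k(\alpha) + 1$, for $Z \in \{EX, \overline{K}_i, P_i\}$.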

Each deontic global state $s = (s[1], \ldots, s[m])$ ⁷ can be represented by $w = (w[1], \ldots, w[m])$ (which we shall call a global state variable), where each $w[i]$ for $i = 1, \ldots, m$ is a propositional variable. (Notice that we distinguish between global states being sequences of binary digits and their representations in terms of propositional variables $w[i]$). A finite sequence $(w_0, \ldots, w_k)$ of global state variables is called a symbolic k-path. In general we shall need to consider not just one but a number of symbolic k-paths. This number depends on the formula $\varphi$ under investigation, and it is returned as the value $f_k(\varphi)$ of the function $f_k$. We refer to [8] for more details.

⁷ The number m depends on the number of local states.

The propositional formula $[M^{\varphi,s^0}]_k$ is defined as follows:

$$[M^{\varphi,s^0}]_k := I_{s^0}(w_{0,0}) \land \bigwedge_{j=1}^{f_k(\varphi)} \bigwedge_{i=0}^{k-1} T(w_{i,j}, w_{i+1,j}),$$

where $I_{s^0}(w_{0,0})$ is a propositional formula that encodes the initial state $s^0$, $T(w_{i,j}, w_{i+1,j})$ is a propositional formula that encodes the transition relation $TR$, and $f_k(\varphi)$ is the function defined above.

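The translation of the selected formulas is given below:

$$[E(\alpha U \beta)]^{[m,n]}_k := \bigvee_{i=1}^{f_k(\varphi)} \Big( H(w_{m,n}, w_{0,i}) \land \bigvee_{j=0}^{k} \Big( [\beta]^{[j,i]}_k \land \bigwedge_{t=0}^{j-1} [\alpha]^{[t,i]}_k \Big) \Big),$$

$$[P_l\alpha]^{[m,n]}_k := \bigvee_{i=1}^{f_k(\varphi)} \Big( I_{s^0}(w_{0,i}) \land \bigvee_{j=0}^{k} \Big( [\alpha]^{[j,i]}_k \land HP_l(w_{j,i}) \Big) \Big),$$

$$[\overline{K}_l\alpha]^{[m,n]}_k := \bigvee_{i=1}^{f_k(\varphi)} \Big( I_{s^0}(w_{0,i}) \land \bigvee_{j=0}^{k} \Big( [\alpha]^{[j,i]}_k \land HK_l(w_{m,n}, w_{j,i}) \Big) \Big),$$

where $H(w_{m,n}, w_{0,i})$ encodes that global states represented by the global state variables $w_{m,n}$ and $w_{0,i}$ are the same, $HP_l(w_{j,i})$ encodes that in a global state represented by the global state variable $w_{j,i}$ agent l is running correctly, $HK_l(w_{m,n}, w_{j,i})$ encodes that local states of agent l in global states represented by variables $w_{m,n}$ and $w_{j,i}$ are the same.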

Intuitively, the formula $[P_l\alpha]^{[m,n]}_k$ expresses the condition that there exists a state represented by $w_{j,i}$, such that its l-local state is green, which is accessible from the initial state by some computation, and satisfies $\alpha$. The formula $[\overline{K}_l\alpha]^{[m,n]}_k$ expresses the fact that there exists a state represented by $w_{j,i}$, which has the same local state for the agent l as that represented by $w_{m,n}$, it is accessible from the initial state by some computation, and it satisfies $\alpha$. For more details see [13].

6 Experimental results

In this section we present the results of verification of several properties of the protocol Dining Cryptographers. The formulas have been tested on the model of DC protocol parameterized with the number of agents (n), denoted by $M_{DC_n}$, and for the model of the CDC protocol with only one cheating cryptographer, denoted by $M^1_{CDC_n}$. The verification system VerICS has been used to perform all the experiments.

VerICS is a verification tool for real-time and multi-agent systems. It offers three complementary methods of model checking: SAT-based Bounded Model Checking (BMC), SAT-based Unbounded Model Checking (UMC), and an on-the-fly verification while constructing abstract models of systems. The theoretical background for its implementation has been presented in several papers [3, 9, 14]. In this work only the BMC module is exploited.

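Name                 Formula                                                                                  Result
$\varphi_1(n)$       $AG(K_n(O_1(odd \land \neg paid_n \Rightarrow \bigvee_{i=1}^{n-1} paid_i)))$             $M^1_{CDC_n} \models \varphi_1(n)$
$\neg\varphi_1(n)$   $EF(\overline{K}_n(P_1(odd \land \bigwedge_{i=1}^{n} \neg paid_i)))$                     $M^1_{CDC_n} \not\models \neg\varphi_1(n)$
$\varphi_2(n)$       $AG(K_1(odd \land \neg paid_1 \Rightarrow \bigvee_{i=2}^{n} paid_i))$                    $M_{DC_n} \models \varphi_2(n)$
$\neg\varphi_2(n)$   $EF(\overline{K}_1(odd \land \bigwedge_{i=1}^{n} \neg paid_i))$                          $M_{DC_n} \not\models \neg\varphi_2(n)$
$\varphi_3(n)$       $AG(K_1(even \land \neg paid_1 \Rightarrow \bigvee_{i=2}^{n} paid_i))$                   $M_{DC_n} \not\models \varphi_3(n)$
$\neg\varphi_3(n)$   $EF(\overline{K}_1(even \land \bigwedge_{i=1}^{n} \neg paid_i))$                         $M_{DC_n} \models \neg\varphi_3(n)$
$\varphi_4(n)$       $AG(K_1(\neg paid_1 \Rightarrow \bigvee_{i=2}^{n} paid_i))$                              $M_{DC_n} \not\models \varphi_4(n)$
$\neg\varphi_4(n)$   $EF(\overline{K}_1(\bigwedge_{i=1}^{n} \neg paid_i))$                                    $M_{DC_n} \models \neg\varphi_4(n)$

Table 1. The formulas tested for Dining Cryptographers protocol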

The tests presented below have been performed on a workstation equipped with the AMD Athlon XP+ 2400 MHz processor and 2 GB RAM running under Fedora Linux. For checking satisfiability of propositional formulas obtained during verification of Dining Cryptographers protocol, BerkMin SAT-solver [6] has been used. The examples have been scaled until the total computation time has exceeded 8 hours for unsatisfiable formulas and 30 minutes for satisfiable formulas. It is worth noticing that it does not exhaust the ability of our tool and DC protocol with bigger number of cryptographers can be verified.

n    Depth  BMC[s]  BMC[MB]  BerkMin[s]  Vars    Clauses
3    13     7.46    7.77     72.34       25619   76144
4    17     19.96   11.05    984.65      45400   134903
5    21     41.53   14.86    9511.62     70739   210367
6    25     79.49   20.26    > 30000     102645  305436

Table 2. The results of verification for the formula $\neg\varphi_1(n)$.

The tested formulas are given in Table 1. In order to give a better intuition, they are presented in the universal form. However, BMC cannot handle universal formulas directly. Therefore, their negations (i.e. the existential formulas) are explored.

The formula $\varphi_1(n)$ is tested on the model in which the first cryptographer is faulty. Since one of the cryptographers can cheat it is not true that always when the number of differences is odd, then NSA did not pay for the dinner. However, agents know that if the cheating cryptographer follows the given protocol, then the above property holds. This is expressed by the formula $\varphi_1(n)$: The n-th cryptographer always knows that if the first cryptographer behaves correctly, the n-th cryptographer does not pay for dinner and the number of differences in the utterances is odd, then some other cryptographer paid for dinner.

Because the propositional variable odd can be true only in the last state of an execution of Dining Cryptographers protocol, the formula $\varphi_1(n)$ must be tested at symbolic paths of full depth. Observe that if the deontic operator is not used, this formula will not be correct anymore for the system with a cheating cryptographer. The results for verification of $\varphi_1(n)$ are given in Table 2. The formula $\varphi_2(n)$ has similar meaning to $\varphi_1(n)$, but is tested for a system without cheating cryptographers (see Table 3). Thereby, the behaviour of all agents is correct and there is no need for using the deontic operator. In both the cases above, we have checked that the existential formula does not hold in the model.

n    Depth  BMC[s]  BMC[MB]  BerkMin[s]  Vars    Clauses
3    13     0.64    6.58     85.40       15363   45019
4    17     1.24    8.50     1013.62     27621   81017
5    21     2.07    10.34    9359.97     43393   127482
6    25     3.13    12.92    > 30000     63351   186345

Table 3. The results of verification for the formula $\neg\varphi_2(n)$.

Obviously, it is more effective to verify that a formula holds in the model (see Table 4). To this aim we consider the formula $\varphi_3(n)$, which specifies: The first cryptographer always knows that when it does not pay for dinner and the number of differences in utterances is even, then another cryptographer paid. Clearly it is not true, because one of the elementary rules of the Dining Cryptographers protocol is: If the number of differences is even then the agency paid for dinner. Therefore, the formula $\neg\varphi_3(n)$ obtained by negating $\varphi_3(n)$ holds in the model $M_{DC_n}$ with no cheating cryptographers.

n    Depth  BMC[s]  BMC[MB]  BerkMin[s]  Vars    Clauses
3    13     0.64    5.80     4.01        15361   45013
5    21     2.03    10.44    65.11       43391   127476
7    29     4.55    17.62    308.70      8705    258536
8    33     6.50    22.38    408.67      118495  349070
10   41     11.2    34.04    1928.47     193041  569518

Table 4. The results of verification of the formula $\neg\varphi_3(n)$.

The interpretation of the formula $\varphi_4(n)$, also tested on the $M_{DC_n}$ model, is the following: The first cryptographer always knows that when it does not pay for dinner, then another cryptographer paid. This property is not true since it is possible that the agency paid for dinner. The main reason for the high efficiency of verification in this case (see Table 5) is a very small depth of the model at which the formula holds. This makes the BMC method very powerful in such cases.
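The verdicts of Table 1, including the remark that $\varphi_1(n)$ fails once the deontic operator is dropped, can be reproduced by brute force for small n. The following Python sketch is an added example and is neither BMC nor VerICS code: it enumerates the initial state and every completed run, and evaluates $K_i$, $O_i$ and AG directly from the accessibility relations of Definition 3. It assumes that intermediate states can be left out (odd and even hold only in final states, so the four verdicts are unaffected), that a lying cheater ends in lieEqual or lieDifferent, that cryptographer i compares coin i with coin i-1, and all function names are hypothetical.

```python
from itertools import product

def reachable_states(n, cheater=None):
    """Initial state plus every completed run; payer 0 stands for the NSA."""
    states = [{"loc": {i: "0" for i in range(1, n + 1)}, "props": frozenset()}]
    lie_choices = (False, True) if cheater else (False,)
    for payer, coins, lies in product(range(n + 1), product((0, 1), repeat=n), lie_choices):
        loc, differences = {}, 0
        for i in range(1, n + 1):
            sees_diff = coins[i - 1] != coins[i - 2]   # own coin vs. left neighbour's
            lying = lies and i == cheater
            says_diff = sees_diff ^ (payer == i) ^ lying
            differences += says_diff
            loc[i] = ("lie" if lying else "said") + ("Different" if says_diff else "Equal")
        props = {"odd" if differences % 2 else "even"}
        if payer:
            props.add(f"paid{payer}")
        states.append({"loc": loc, "props": frozenset(props)})
    return states

def K(i, psi, W):
    """K_i psi: psi holds in every state with the same local state of agent i."""
    return lambda s: all(psi(t) for t in W if t["loc"][i] == s["loc"][i])

def O(i, psi, W):
    """O_i psi: psi holds in every state where agent i is in a green local state."""
    return lambda s: all(psi(t) for t in W if not t["loc"][i].startswith("lie"))

def AG(psi, W):
    """W is the reachable set, so AG psi is valid iff psi holds in every state of W."""
    return all(psi(s) for s in W)

def body(n, agent, parity=None):
    """(parity and not paid_agent) implies that some other cryptographer paid."""
    def psi(s):
        p = s["props"]
        antecedent = f"paid{agent}" not in p and (parity is None or parity in p)
        other_paid = any(f"paid{j}" in p for j in range(1, n + 1) if j != agent)
        return not antecedent or other_paid
    return psi

def phi1(n, W, deontic=True):
    inner = body(n, n, "odd")
    if deontic:
        inner = O(1, inner, W)           # only runs where cryptographer 1 is honest
    return AG(K(n, inner, W), W)

def phi2(n, W):
    return AG(K(1, body(n, 1, "odd"), W), W)

def phi3(n, W):
    return AG(K(1, body(n, 1, "even"), W), W)

def phi4(n, W):
    return AG(K(1, body(n, 1), W), W)

if __name__ == "__main__":
    n = 3
    honest, cheating = reachable_states(n), reachable_states(n, cheater=1)
    print("phi1 with O_1:", phi1(n, cheating), "without:", phi1(n, cheating, deontic=False))
    print("phi2:", phi2(n, honest), "phi3:", phi3(n, honest), "phi4:", phi4(n, honest))
```

In the cheating model a lie flips the parity of the announcements, so a run in which the NSA pays can end in odd; restricting to green states of cryptographer 1 removes exactly those runs.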

n     Depth   BMC[s]   BMC[MB]   BerkMin[s]   Vars      Clauses
10    1       0.21     4.09      < 0.01       4915      13740
30    1       1.19     7.17      0.05         22239     63799
100   1       12.77    37.18     0.24         194565    574101
200   1       54.7     128       1.17         709005    2107908
300   1       125.31   265       2.95         1544469   4604787
400   1       231.60   607       5.65         2697869   8055487
500   1       368.63   1003      9.50         4171269   12466187

Table 5. The results of verification of the formula ¬ϕ4(n).

7 Conclusions and future work

In the paper we have shown verification of the well-known protocol Dining Cryptographers applied for anonymous broadcasting of messages. Its variation, in which faulty cryptographers can appear, has also been considered. We have presented an original way of modelling the protocol. It allows for testing selected properties of protocols that consist of as many as 500 cryptographers.

For expressing properties, the temporal logic CTL enriched with epistemic as well as deontic operators is used. For verification, the Bounded Model Checking (BMC) technique is adapted. BMC is usually used for checking validity of existential formulas. However, in this case, since all computations of the DC model are finite, checking validity of universal formulas is also possible. Thereby, validity of formulas expressing properties that are true when agents behave in a correct way can be proved effectively.

Unfortunately, some important properties of Dining Cryptographers cannot be expressed as either existential or universal formulas of CTLKD logic. Therefore, our future work will focus on applying Unbounded Model Checking for the verification of this protocol.

References

1. D. Chaum. The dining cryptographers problem: Unconditional sender and recipientuntraceability. Journal of Cryptology, 1(1):65–75, 1988.

2. E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.3. A. Doros, A. Janowska, and P. Janowski. From specification languages to timed au-

tomata. In Proc. of the Int. Workshop on Concurrency, Specification and Program-ming (CS&P’02), volume 161(1) of Informatik-Berichte, pages 117–128. HumboldtUniversity, 2002.

4. E. A. Emerson and E. M. Clarke. Using branching-time temporal logic to synthesizesynchronization skeletons. Science of Computer Programming, 2(3):241–266, 1982.

5. R. Fagin, J. Y. Halpern, Y. Moses, and M. Y. Vardi. Reasoning about Knowledge.MIT Press, Cambridge, 1995.

6. E. Goldberg and Y. Novikov. BerkMin: A fast and robust SAT-solver. In Proc.of the Int. Conf. on Design, Automation and Test in Europe (DATE’02), pages142–149. IEEE Computer Society, 2002.

7. W. Penczek and A. Lomuscio. Verifying epistemic properties of multi-agent systemsvia bounded model checking. In Proc. of the 2nd Int. Conf. on Autonomous Agentsand Multi-Agent Systems (AAMAS’03), pages 209–216. ACM, July 2003.

8. W. Penczek, B. Wozna, and A. Zbrzezny. Bounded model checking for the universalfragment of CTL. Fundamenta Informaticae, 51(1-2):135–156, 2002.

9. W. Penczek, B. Wozna, and A. Zbrzezny. SAT-based bounded model checkingfor the universal fragment of TCTL. Technical Report 947, ICS PAS, Ordona 21,01-237 Warsaw, August 2002.

10. F. Raimondi and A. Lomuscio. Symbolic model checking of multiagent systems viaobdd’s: an algorithm and its implementation. In Proceedings of AAMAS04, NewYork, 2004.

11. Wiebe van der Hoek, Mike Wooldridge, and Sieuwert van Otterloo. Model checkingknowledge and time via local propositions: Cooperative and adversarial systems.2004. submitted.

12. R. van der Meyden and K. Su. Symbolic model checking the knowledge of thedining cryptographers. In 17th IEEE Computer Security Foundations Workshop,pages 280–291, 2004.

13. B. Wozna, A. Lomuscio, and W. Penczek. Bounded model checking for deonticinterpreted systems. In Proc. of the 2nd Workshop on Logic and Communication inMulti-Agent Systems (LCMAS’04), volume 126 of ENTCS, pages 93–114. Elsevier.

14. B. Wozna, W. Penczek, and A. Zbrzezny. Reachability for timed systems basedon SAT-solvers. In Proc. of the Int. Workshop on Concurrency, Specification andProgramming (CS&P’02), volume 161(2) of Informatik-Berichte, pages 380–395.Humboldt University, 2002.


Recommended