Title: CIMPA School on Security Specification and verification of randomized security protocols Lecture 2
1CIMPA School on Security Specification and
verification of randomized security protocols
Lecture 2
- Catuscia Palamidessi, INRIA LIX
- catuscia_at_lix.polytechnique.fr
- www.lix.polytechnique.fr/catuscia
- Page of the course
- www.lix.polytechnique.fr/catuscia/teaching/CIMPA_
School_05/
2Plan of the course
- Overview of the basic notions of Probability
theory and Measure theory - Probabilistic automata
- Probabilistic p-calculus
- Applications to the specification and
verification of randomized security protocols - Anonymity
- Fair exchange
3Randomized security protocols
- A certain number of security protocols use
randomized primitives - Anonymity
- Crowds Reiter and Rubin,1998,
- anonymous communication (anonymity of the sender)
- Onion Routing Syverson, Goldschlag and Reed,
1997 - anonymous communication
- Freenet Clarke et al. 2001
- anonymous information storage and retrieval
- Fairness
- Probabilistic Contract Signing protocol Ben-Or
et al., 1990 - Probabilistic non-repudiation protocol
Markowitch and Roggeman, 1999 - Partial Secrets Exchange protocol Even,
Goldreich and Lempel, 1985
4The probabilistic p-calculus
- References
- O.M. Herescu, C. Palamidessi. Probabilistic
asynchronous p-calculus. In J. Tiuryn, ed., Proc.
of FOSSACS 2000 (Part of ETAPS 2000), vol. 1784
of LNCS, pages 146--160. Springer-Verlag, 2000.
www.lix.polytechnique.fr/catuscia/papers/Prob_asy
_pi/report.ps - C. Palamidessi, O.M. Herescu. A Randomized
Distributed Encoding of the p-Calculus with Mixed
Choice. To appear in Theoretical Computer Science
(short version in Proc. of IFIP-TCS 2002, pages
537-549, Kluwer, 2002.) - www.lix.polytechnique.fr/catuscia/papers/prob_en
c/report.ps
5The probabilistic p-calculus
- Originally developed as an intermediate language
for the fully distributed implementation of the
p-calculus - The mixed choice mechanism of the p-calculus
cannot be implemented in a fully distributed way
deterministically, but can be done in a
randomized way. Correctness is achieved with
probability 1. - Presently, we use it as a framework to model the
correctness of security protocols - to specify security properties which require a
probabilistic formulation, - to represent randomized security protocols
- to prove their correctness, i.e. t verify that
they satisfy the intended properties
6The probabilistic p-calculus syntax
Similar to the asynchronous p-calculus of
Amadio,Castellani and Sangiorgi, the only
difference is that the input-guarded choice is
probabilistic
7The probabilistic p-calculus operational sem
- Based on the probabilistic automata of Segala and
Lynch - nondeterministic and probabilistic behavior
- nondeterminism associated to a scheduler
(adversary) - probabilistic behavior associated to the choice
of the process - groups, probabilistic distributions, steps
steps
8The probabilistic p-calculus operational sem
9The probabilistic p-calculus operational sem
10The probabilistic p-calculus operational sem
11The probabilistic p-calculus operational sem
12The probabilistic p-calculus operational sem