Abstract
This paper presents the time-bounded task-PIOA modeling framework, an extension of the probabilistic input/output automata (PIOA) framework that can be used for modeling and verifying security protocols. Time-bounded task-PIOAs can describe probabilistic and nondeterministic behavior, as well as time-bounded computation. Together, these features support modeling of important aspects of security protocols, including secrecy requirements and limitations on the computational power of adversarial parties. They also support security protocol verification using methods that are compatible with less formal approaches used in the computational cryptography research community. We illustrate the use of our framework by outlining a proof of functional correctness and security properties for a well-known oblivious transfer protocol.
Similar content being viewed by others
References
Abadi M, Rogaway P (2002) Reconciling two views of cryptography (the computational soundness of formal encryption). J. Cryptol 15(2):103–127
Barthe G, Cerderquist J, Tarento, S (2004) A machine-checked formalization of the generic model and the random oracle model. In: Automated reasoning: second international joint conference (IJCAR). LNCS, vol 3097, pp 385–399
Blanchet B (2005) A computationally sound mechanized prover for security protocols. Cryptology ePrint Archive, Report 2005/401. http://eprint.iacr.org/
Blanchet B (2006) A computationally sound mechanized prover for security protocols. In: IEEE symposium on security and privacy. Oakland, California, May, pp 140–154
Backes M, Pfitzmann B, Waidner, M (2003) A composable cryptographic library with nested operations. In: Proceedings of the 10th ACM conference on computer and communications security (CCS)
Backes M, Pfitzmann B, Waidner M (2004a) A general composition theorem for secure reactive systems. In: First theory of cryptography conference (TCC 2004). LNCS, vol 2951, pp 336–354
Backes M, Pfitzmann B, Waidner M (2004b) Secure asynchronous reactive systems. Cryptology ePrint Archive, Report 2004/082. http://eprint.iacr.org/
Bellare M, Rogaway P (2004) The game-playing technique and its application to triple encryption. Cryptology ePrint Archive, Report 2004/331. http://eprint.iacr.org/
Cachin C, Maurer UM (1997) Unconditional security against memory-bounded adversaries. In: Kaliski B (ed) Advances in cryptology—crypto ’97. Lecture Notes in Computer Science, vol 1294. Berlin, Springer-Verlag, pp 292–306
Canetti R (2001) Universally composable security: A new paradigm for cryptographic protocols. In: Proceedings of the 42nd Annual Conference on Foundations of Computer Science (FOCS). Full version available at http://eprint.iacr.org/2000/067
Canetti R, Herzog J (2006) Universally composable symbolic analysis of mutual authentication and key exchange protocols. In: Halevi S, Rabin T (eds) Proceedings, theory of cryptography conference (TCC). LNCS, Springer, vol 3876, pp 380–403 March. Full version available on http://eprint.iacr.org/2004/334
Canetti R, Lindell Y, Ostrovsky R, Sahai A (2002) Universally composable two-party and multi-party secure computation. In: Proceedings on 34th annual ACM symposium on theory of computing, AMCM, pp 494–503
Canetti R, Cheung L, Kaynar D, Liskov M, Lynch N, Pereira O, Segala R (2005) Using probabilistic i/o automata to analyze an oblivious transfer protocol. Cryptology ePrint Archive, Report 2005/452. http://eprint.iacr.org/. Version of February 16, 2007
Canetti R, Cheung L, Kaynar D, Liskov M, Lynch N, Pereira O, Segala R (2006a) Task-structured probabilistic I/O automata. In: Proceedings of the 8th international workshop on discrete event systems (WODES), Ann Arbor, Michigan, July
Canetti R, Cheung L, Kaynar D, Liskov M, Lynch N, Pereira O, Segala R (2006b) Task-structured probabilistic I/O automata. Technical Report MIT-CSAIL-TR-2006-060, CSAIL, MIT, Cambridge, MA. Submitted for journal publication. Most current version available at http://theory.csail.mit.edu/~lcheung/papers/task-PIOA-TR.pdf
Canetti R, Cheung L, Kaynar D, Liskov M, Lynch N, Pereira O, Segala R (2006c) Using probabilistic I/O automata to analyze an oblivious transfer protocol. Technical Report MIT-CSAIL-TR-2006-046, CSAIL, MIT. This is the revised version of Technical Reports MIT-LCS-TR-1001a and MIT-LCS-TR-1001.
Canetti R, Cheung L, Kaynar D, Lynch N, Pereira O (2007a) Compositional security for Task-PIOAs. In: Proceedings of the 20th IEEE computer security foundations symposium (CSF-20), pp 125–139
Canetti R, Cheung L, Lynch N, Pereira O (2007b) On the role of scheduling in simulation-based security. In: Proceedings of the 7th international workshop on issues in the theory of security (WITS’07), pp 22–37
Dolev D, Yao AC (1983) On the security of public-key protocols. IEEE Trans Inf Theory 2(29):198–208
Even S, Goldreich O, Lempel A (1985) A randomized protocol for signing contracts. CACM 28(6):637–647
Goldreich O (2001) Foundations of cryptography volume I basic tools. Cambridge Univ. Press
Goldreich O (2004) Foundations of cryptography, volume II basic applications. Cambridge Univ. Press
Goldreich O, Micali S, Wigderson A (1987) How to play any mental game. In: Proceedings of the 19th symposium on theory of computing (STOC), pp 218–229
Goldwasser S, Micali S, Rackoff C (1989) The knowledge complexity of interactive proof systems. SIAM J Comput 18(1):186–208
Halevi S (2005) A plausible approach to computer-aided cryptographic proofs. Cryptology ePrint Archive, Report 2005/181. http://eprint.iacr.org/
Küsters R (2006) Simulation-based security with inexhaustible interactive Turing machines. In: Proceedings of the 19th IEEE computer security foundations workshop (CSFW-19 2006). IEEE Computer Society, pp 309–320
Lincoln PD, Mitchell JC, Mitchell M, Scedrov A (1998) A probabilistic poly-time framework for protocol analysis. In: Proceedings of the 5th ACM conference on computer and communications security (CCS-5), pp 112–121
Lynch N, Segala R, Vaandrager F (2007) Observing branching structure through probabilistic contexts. SIAM J Comput 37(4):977–1013
Mateus P, Mitchell JC, Scedrov A (2003) Composition of cryptographic protocols in a probabilistic polynomial-time calculus. In: Proceedings of the 14th International Conference on Concurrency Theory (CONCUR). LNCS, vol 2761, pp 327–349
Micciancio D, Warinschi B (2004) Soundness of formal encryption in the presence of active adversaries. In: Proceedings of the first theory of cryptography conference, LNCS, vol 2951, Springer, Cambridge, MA, USA, pp 133–151
Müller-Quade J, Unruh D (2007) Long-term security and universal composability. In: Theory of cryptography, proceedings of TCC 2007. Lecture Notes in Computer Science. Springer-Verlag, March. Preprint on IACR ePrint 2006/422
Pfitzmann B, Waidner M (2000) Composition and integrity preservation of secure reactive systems. In: 7th ACM conference on computer and communications security, pp 245–254
Pfitzmann B, Waidner M (2001) A model for asynchronous reactive systems and its application to secure message transmission. In: IEEE symposium on security and privacy, pp 184–200
Pogosyants A, Segala R, Lynch N (2000) Verification of the randomized consensus algorithm of Aspnes and Herlihy: a case study. Distrib Comput 13(3):155–186
Ramanathan A, Mitchell JC, Scedrov A, Teague V (2004) Probabilistic bisimulation and equivalence for security analysis of network protocols. In: Proceedings of foundations of sotware science and computation structires (FOSSACS). LNCS, vol 2987, pp 468–483
Shoup V (2004) Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332. http://eprint.iacr.org/
Segala R (1995) Modeling and verification of randomized distributed real-time systems. PhD Thesis, Department of Electrical Engineering and Computer Science, MIT, May 1995. Also, MIT/LCS/TR-676
Segala R, Lynch N (1995) Probabilistic simulations for probabilistic processes. Nord J Comput 2(2):250–273, August
Stoelinga MIA, Vaandrager FW (1999) Root contention in IEEE 1394. In: Proc. 5th International AMAST workshop on formal methods for real-time and probabilistic systems. LNCS, vol 1601, Springer, pp 53–74
Author information
Authors and Affiliations
Corresponding author
Additional information
Canetti’s work on this project was supported by NSF CyberTrust Grant #0430450. Cheung was supported by DFG/NWO bilateral cooperation project 600.050.011.01 Validation of Stochastic Systems (VOSS) and by NSF Award #CCR-0326227. Kaynar and Lynch were supported by DARPA/AFOSR MURI Award #F49620-02-1-0325, MURI AFOSR Award #SA2796PO 1-0000243658, NSF Awards #CCR-0326277 and #CCR-0121277, and USAF, AFRL Award #FA9550-04-1-0121, and Kaynar was supported by US Army Research Office grant #DAAD19-01-1-0485. Pereira was supported by the Belgian National Fund for Scientific Research (F.R.S.-FNRS), and Segala by MIUR project AIDA and by INRIA ARC project ProNoBiS.
Rights and permissions
About this article
Cite this article
Canetti, R., Cheung, L., Kaynar, D. et al. Analyzing Security Protocols Using Time-Bounded Task-PIOAs. Discrete Event Dyn Syst 18, 111–159 (2008). https://doi.org/10.1007/s10626-007-0032-1
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10626-007-0032-1