## A probabilistic polynomial-time calculus for analysis of cryptographic protocols (2001)

Venue: Electronic Notes in Theoretical Computer Science

Citations: 44 (8 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Mitchell01aprobabilistic,
  author    = {John C. Mitchell and Ajith Ramanathan and Andre Scedrov and Vanessa Teague},
  title     = {A probabilistic polynomial-time calculus for analysis of cryptographic protocols},
  booktitle = {Electronic Notes in Theoretical Computer Science},
  year      = {2001},
  publisher = {}
}
```

### Abstract

We prove properties of a process calculus that is designed for analyzing security protocols. Our long-term goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomial-time protocol steps, a specification method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence. The process calculus is a variant of CCS, with bounded replication and probabilistic polynomial-time expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and define a form of asymptotic protocol equivalence that allows security properties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formal derivation of the assertion, well-known in cryptography, that ElGamal encryption’s semantic security is equivalent to the (computational) Decision Diffie-Hellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.

### Citations

Each entry gives the citing-article count, the cited work, and, where available, the context in which this paper cites it.

- 3204 citations: Communication and Concurrency - Milner - 1989
- 2714 citations: New directions in cryptography - Diffie, Hellman
  Citation context: "...es uniform-complexity. Before we provide a definition of semantic security, we need to define an encryption scheme. The ideas behind public-key cryptosystems were first proposed by Diffie and Hellman [24]. Our presentation of public-key cryptosystems is drawn from Goldreich [32] as well as Goldwasser and Bellare [33]. Definition 5.12. [24, 32, 33] A public-key encryption scheme or, more simply, an enc..."
- 1178 citations: Probabilistic encryption - Goldwasser, Micali - 1984
  Citation context: "... cryptography. In particular, the characterization of “secure” encryption function, for use in protocols, does not appear to have been completely settled. While the definition of semantic security in [18] appears to have been accepted, there are stronger notions such as non-malleability [11] that are more appropriate to protocol analysis. In a sense, the difference is that semantic security is natural..."
- 1138 citations: A Logic of Authentication - Burrows, Abadi, et al. - 1989
  Citation context: "...manathan, Scedrov, and Teague A variety of methods are used for analyzing and reasoning about security protocols. The main systematic or formal approaches include specialized logics such as BAN logic [8,13], special-purpose tools designed for cryptographic protocol analysis [20], and theorem proving [32,31] and model-checking methods using several general purpose tools described in [24,26,29,34,35]. Alt..."
- 1113 citations: A public key cryptosystem and a signature scheme based on discrete logarithms - ElGamal - 1985
  Citation context: "...we can analyze probabilistic as well as deterministic encryption functions and protocols. Without a probabilistic framework, it would not be possible to analyze an encryption function such as ElGamal [14], for which a single plaintext may have more than one 1 Partially supported by DoD MURI “Semantic Consistency in Information Exchange” through ONR Grant N00014-97-1-0505. 2 Additional support by OSD/O..."
- 1047 citations: On the security of public-key protocols - Dolev, Yao - 1983
  Citation context: "... ways, all reflect the same basic assumptions about the way an adversary may interact with the protocol or attempt to decrypt encrypted messages. This common model, largely derived from Dolev and Yao [26] and suggestions due to Needham and Schroeder [54], allows a protocol adversary to nondeterministically choose among Date: December 14, 2003, and, in revised form, March 8 2004. Key words and phrases...."
- 864 citations: Using encryption for authentication in large networks of computers - Needham, Schroeder
  Citation context: "... the same basic assumptions about the way an adversary may interact with the protocol or attempt to decrypt encrypted messages. In the common model, largely derived from [12] and suggestions found in [30] (see, e.g., [10]), a protocol adversary is allowed to nondeterministically choose among possible actions. This is a convenient idealization, intended to give the adversary a chance to find an attack ..."
- 785 citations: A calculus for cryptographic protocols: The spi calculus - Abadi, Gordon - 1997
  Citation context: "...e presented in [51] and further example protocols considered in [42]. Much of this paper is based on a preliminary report in [53]. The closest technical precursor is the Abadi and Gordon spi-calculus [2, 3] which uses observational equivalence and channel abstraction but does not involve probability or computational complexity bounds; subsequent related work is cited in [1], for example. Prior work on C..."
- 617 citations: Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067, 2005. Revised version of [8 - Canetti
- 613 citations: Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR - Lowe - 1996
  Citation context: "...h as BAN logic [8,13], special-purpose tools designed for cryptographic protocol analysis [20], and theorem proving [32,31] and model-checking methods using several general purpose tools described in [24,26,29,34,35]. Although these approaches differ in significant ways, all reflect the same basic assumptions about the way an adversary may interact with the protocol or attempt to decrypt encrypted messages. In th..."
- 516 citations: Theory and applications of trapdoor functions - Yao - 1982
  Citation context: "... processes coincides with the traditional notion of indistinguishability by polynomial-time statistical tests, a standard way of characterizing cryptographically strong pseudorandom number generators [37,17,16,25,15]. 6.0.1 Pseudorandom Number Generators We begin by recalling several standard notions from cryptographic literature [37,17,16,25,15]. Definition 6.1 [function ensemble] A function ensemble f is an ind..."
- 461 citations: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack - Cramer, Shoup - 1998
  Citation context: "...ffie-Hellman Assumption. We start by defining the Decision Diffie-Hellman assumption [24]. Our version is drawn from Boneh [12] and Tsiounis and Yung [64]. Goldreich [32], as well as Cramer and Shoup [20] also offer helpful discussions. A group family G is a set of finite cyclic groups {G_p} where the index p ranges over an infinite set. An instance generator IG(n) takes security parameter n, runs in t..."
- 450 citations: Relations among notions of security for public-key encryption schemes - Bellare, Desai, et al. - 1998
  Citation context: "...ty is an important cryptographic property due to Goldwasser and Micali [34]. Our definition of semantic security, though, is adapted from presentations by Goldreich [32] and by Goldwasser and Bellare [10, 33]. The definition of semantic security we work with assumes uniform-complexity. Before we provide a definition of semantic security, we need to define an encryption scheme. The ideas behind public-key ..."
- 403 citations: Bisimulation through probabilistic testing - Larsen, Skou - 1991
- 391 citations: Security and composition of multi-party cryptographic protocols - Canetti
- 334 citations: Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) - Abadi, Rogaway - 2002
- 314 citations: A Public-Key Cryptosystem and Signature Scheme Based on Discrete Logarithms - Gamal - 1985
  Citation context: "...we can analyze probabilistic as well as deterministic encryption functions and protocols. Without a probabilistic framework, it would not be possible to analyze an encryption function such as ElGamal [28], for which a single plaintext may have more than one ciphertext. A probabilistic setting is important also because the combination of nondeterminism and bit-level representation of encryption keys re..."
- 273 citations: Mobile values, new names, and secure communication - Abadi, Fournet - 2001
  Citation context: "...di and Gordon spi-calculus [2, 3] which uses observational equivalence and channel abstraction but does not involve probability or computational complexity bounds; subsequent related work is cited in [1], for example. Prior work on CSP and security protocols, e.g., [61,63], also uses process calculus and security specifications in the form of equivalence or related approximation orderings on processe..."
- 262 citations: U.: Automated analysis of cryptographic protocols using Murϕ - Mitchell, Mitchell, et al. - 1997
  Citation context: "...h as BAN logic [8,13], special-purpose tools designed for cryptographic protocol analysis [20], and theorem proving [32,31] and model-checking methods using several general purpose tools described in [24,26,29,34,35]. Although these approaches differ in significant ways, all reflect the same basic assumptions about the way an adversary may interact with the protocol or attempt to decrypt encrypted messages. In th..."
- 196 citations: The decision Diffie-Hellman problem - Boneh - 1998
  Citation context: "...ndistinguishably secure iff it is semantically secure. □ 5.4. The Decision Diffie-Hellman Assumption. We start by defining the Decision Diffie-Hellman assumption [24]. Our version is drawn from Boneh [12] and Tsiounis and Yung [64]. Goldreich [32], as well as Cramer and Shoup [20] also offer helpful discussions. A group family G is a set of finite cyclic groups {G_p} where the index p ranges over an in..."
- 152 citations: Reactive, generative, and stratified models of probabilistic processes - Glabbeek, Smolka, et al. - 1995
- 150 citations: Proving properties of security protocols by induction - Paulson - 1997
  Citation context: "...y protocols. The main systematic or formal approaches include specialized logics such as BAN logic [8,13], special-purpose tools designed for cryptographic protocol analysis [20], and theorem proving [32,31] and model-checking methods using several general purpose tools described in [24,26,29,34,35]. Although these approaches differ in significant ways, all reflect the same basic assumptions about the wa..."
- 149 citations: Pseudorandomness and Cryptographic Applications - Luby - 1996
  Citation context: "... processes coincides with the traditional notion of indistinguishability by polynomial-time statistical tests, a standard way of characterizing cryptographically strong pseudorandom number generators [37,17,16,25,15]. 6.0.1 Pseudorandom Number Generators We begin by recalling several standard notions from cryptographic literature [37,17,16,25,15]. Definition 6.1 [function ensemble] A function ensemble f is an ind..."
- 147 citations: Time and probability in formal design of distributed systems - Hansson - 1994
- 143 citations: A meta-notation for protocol analysis - Cervesato, Durgin, et al. - 1999
  Citation context: "...for protocol security. 1. Introduction There are a variety of methods used in the analysis of security protocols. The main systematic or formal approaches include specialized logics such as BAN logic [13, 19, 27], special-purpose tools designed for cryptographic protocol analysis [39], and theorem proving [55, 56] and model-checking techniques using several general purpose tools [43, 46, 52, 61, 63]. Although..."
- 140 citations: Composition and integrity preservation of secure reactive systems - Pfitzmann, Waidner - 2000
- 135 citations: Labelled Markov processes - Desharnais - 1999
  Citation context: "...5]. However, asymptotic equivalence as used in security does not appear in any of these references. There are studies of asymptotic equivalence in the context of bisimulations though, including e.g., [22, 23]. In this paper, security properties are specified as observational equivalences. Specifically, P ≅ Q means that for any context C[ ], the behavior of process C[P] is asymptotically computationally ..."
- 135 citations: Three systems for cryptographic protocol analysis - Kemmerer, Meadows, et al. - 1994
  Citation context: "...nd reasoning about security protocols. The main systematic or formal approaches include specialized logics such as BAN logic [8,13], special-purpose tools designed for cryptographic protocol analysis [20], and theorem proving [32,31] and model-checking methods using several general purpose tools described in [24,26,29,34,35]. Although these approaches differ in significant ways, all reflect the same b..."
- 127 citations: Modern cryptography, probabilistic proofs and pseudorandomness, volume 17 of Algorithms and Combinatorics - Goldreich - 1999
- 115 citations: Security properties and CSP - Schneider - 1996
  Citation context: "...h as BAN logic [8,13], special-purpose tools designed for cryptographic protocol analysis [20], and theorem proving [32,31] and model-checking methods using several general purpose tools described in [24,26,29,34,35]. Although these approaches differ in significant ways, all reflect the same basic assumptions about the way an adversary may interact with the protocol or attempt to decrypt encrypted messages. In th..."
- 112 citations: A Probabilistic Poly-time Framework for Protocol Analysis - Lincoln, Mitchell, et al. - 1998
  Citation context: "...er we describe some general concepts in security protocol analysis, mention some of the competing approaches, and describe some technical properties of a process calculus that was proposed earlier in [23,22] as the basis for a form of protocol analysis that is formal, yet closer in foundations to the mathematical setting of modern cryptography. The framework relies on a language for defining communicatin..."
- 101 citations: Universally composable notions of key exchange and secure channels - Canetti - 2002b
- 98 citations: Formal eavesdropping and its computational interpretation - Abadi, Jurjens - 2001
- 96 citations: Modelling and Verifying Key-Exchange Protocols Using - Roscoe - 1995
- 95 citations: R.: A tutorial on EMPA: A theory of concurrent processes with nondeterminism, priorities, probabilities and time - Bernardo, Gorrieri - 1998
  Citation context: "...ith probabilistic bisimulation or the proof rules for our calculus. Another one based on I/O automata can be found in [7,8,57,58]. Previous literature on probabilistic process calculi includes, e.g., [11, 40, 65]. However, asymptotic equivalence as used in security does not appear in any of these references. There are studies of asymptotic equivalence in the context of bisimulations though, including e.g., [2..."
- 79 citations: A.D.: A bisimulation method for cryptographic protocols - Abadi, Gordon - 1998
- 68 citations: A general composition theorem for secure reactive systems - Backes, Pfitzmann, et al. - 2004
  Citation context: "...work and its compositionality is discussed in [45]. The paper [45] does not deal with probabilistic bisimulation or the proof rules for our calculus. Another one based on I/O automata can be found in [7,8,57,58]. Previous literature on probabilistic process calculi includes, e.g., [11, 40, 65]. However, asymptotic equivalence as used in security does not appear in any of these references. There are studies o..."
- 62 citations: Universal composition with joint state - Canetti, Rabin - 2003
- 62 citations: Mechanized proofs for a recursive authentication protocol - Paulson - 1997
  Citation context: "...y protocols. The main systematic or formal approaches include specialized logics such as BAN logic [8,13], special-purpose tools designed for cryptographic protocol analysis [20], and theorem proving [32,31] and model-checking methods using several general purpose tools described in [24,26,29,34,35]. Although these approaches differ in significant ways, all reflect the same basic assumptions about the wa..."
- 61 citations: Analyzing the Needham-Schroeder public key protocol: A comparison of two approaches - Meadows - 1996
- 61 citations: Quantitative analysis and model checking - Huth, Kwiatkowska - 1997
- 60 citations: Breaking and the Needham-Schroeder public-key protocol using FDR - Lowe - 1998
- 52 citations: Probabilistic Polynomial-time equivalence and security analysis. Formal Methods Workshop - Lincoln, Mitchell, et al. - 1999
  Citation context: "...er we describe some general concepts in security protocol analysis, mention some of the competing approaches, and describe some technical properties of a process calculus that was proposed earlier in [23,22] as the basis for a form of protocol analysis that is formal, yet closer in foundations to the mathematical setting of modern cryptography. The framework relies on a language for defining communicatin..."
- 45 citations: Predicative Recursion and Computational Complexity - Bellantoni - 1992
  Citation context: "...pressed by some basic term. One example of such a set of terms is based on a term calculus called OSLR studied in Mitchell, Mitchell, and Scedrov [51] (based in turn on work by Bellantoni and Hofmann [9,37]). The closed OSLR terms of type N^m → N satisfy properties 1 and 2. For our purposes, we simply identify the probabilistic poly-time functions and basic terms. Thus, if f is a probabilistic poly-time..."
- 34 citations: Algorithms and Theory of Computation Handbook - Atallah - 1998
  Citation context: "... as in the multiset A. The set of equivalence classes of A induced by R, written A/R, is the set {[x]_R | x ∈ A}. 2.3. Probabilistic Turing Machines. The following definitions are standard (see e.g., [6]). Definition 2.6. An oracle Turing machine is a Turing machine with an extra oracle tape and three extra states q_query, q_yes, and q_no. When the machine enters state q_query control passes to the state..."
- 34 citations: Temporal logics for the specification of performance and reliability - Alfaro - 1997
  Citation context: "...ormal proofs of properties of more complex security protocols. It may also be possible to develop model-checking procedures along the lines of these already explored for probabilistic temporal logics [21, 35, 36, 38]. In fact, we hope to be able to develop automated reasoning procedures for use in a network security setting using techniques developed in our study of the properties of our process calculus. Acknowl..."
- 33 citations: A compositional logic for protocol correctness - Durgin, Mitchell, et al. - 2001
  Citation context: "...for protocol security. 1. Introduction There are a variety of methods used in the analysis of security protocols. The main systematic or formal approaches include specialized logics such as BAN logic [13, 19, 27], special-purpose tools designed for cryptographic protocol analysis [39], and theorem proving [55, 56] and model-checking techniques using several general purpose tools [43, 46, 52, 61, 63]. Although..."
- 28 citations: An improved pseudo-random generator based on the discrete logarithm problem - Gennaro - 2008
- 27 citations: A Unified Framework for Analyzing Security of Protocols - Canetti
- 26 citations: A.: A linguistic characterization of bounded oracle computation and probabilistic polynomial time - Mitchell, Mitchell, et al. - 1998
  Citation context: "...protocol analysis that is formal, yet closer in foundations to the mathematical setting of modern cryptography. The framework relies on a language for defining communicating polynomial-time processes [28]. The reason we restrict processes to probabilistic polynomial time is so that we can reason about the security of protocols by quantifying over all “adversarial” processes definable in the language. ..."