## A probabilistic polynomial-time calculus for analysis of cryptographic protocols (2001)

### Cached

### Download Links

Venue: | Electronic Notes in Theoretical Computer Science |

Citations: | 44 - 8 self |

### BibTeX

@INPROCEEDINGS{Mitchell01aprobabilistic,

author = {John C. Mitchell and Ajith Ramanathan and Andre Scedrov and Vanessa Teague},

title = {A probabilistic polynomial-time calculus for analysis of cryptographic protocols },

booktitle = {Electronic Notes in Theoretical Computer Science},

year = {2001},

publisher = {}

}

### Years of Citing Articles

### OpenURL

### Abstract

We prove properties of a process calculus that is designed for analyzing security protocols. Our long-term goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomial-time protocol steps, a specification method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence. The process calculus is a variant of CCS, with bounded replication and probabilistic polynomial-time expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and define a form of asymptotic protocol equivalence that allows security properties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formation derivation of the assertion, well-known in cryptography, that ElGamal encryption’s semantic security is equivalent to the (computational) Decision Diffie-Hellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.