## Probabilistic Polynomial-Time Process Calculus and Security Protocol Analysis (2006)

### Download Links

- [theory.stanford.edu]
- [www.stanford.edu]
- [crypto.stanford.edu]
- DBLP

### Other Repositories/Bibliography

Venue: Theoretical Computer Science

Citations: 36 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Mitchell06probabilisticpolynomial-time,
  author    = {John C. Mitchell and Ajith Ramanathan and Andre Scedrov and Vanessa Teague},
  title     = {Probabilistic Polynomial-Time Process Calculus and Security Protocol Analysis},
  booktitle = {Theoretical Computer Science},
  year      = {2006},
  pages     = {23--29},
  publisher = {Springer-Verlag}
}
```

### Abstract

We prove properties of a process calculus that is designed for analysing security protocols. Our long-term goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomial-time protocol steps, a specification method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence. The process calculus is a variant of CCS, with bounded replication and probabilistic polynomial-time expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and define a form of asymptotic protocol equivalence that allows security properties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over all possible environments that might interact with the protocol. We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formal derivation of the assertion, well-known in cryptography, that El Gamal encryption's semantic security is equivalent to the (computational) Decision Diffie-Hellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.

### Citations

2716 | New directions in cryptography - Diffie, Hellman - 1976
Citation Context: ...es uniform-complexity. Before we provide a definition of semantic security, we need to define an encryption scheme. The ideas behind public-key cryptosystems were first proposed by Diffie and Hellman [24]. Our presentation of public-key cryptosystems is drawn from Goldreich [32] as well as Goldwasser and Bellare [33]. Definition 44. [24, 32, 33] A public-key encryption scheme or, more simply, an encry...

1048 | On the security of public key protocols - Dolev, Yao - 1983
Citation Context: ... ways, all reflect the same basic assumptions about the way an adversary may interact with the protocol or attempt to decrypt encrypted messages. This common model, largely derived from Dolev and Yao [26] and suggestions due to Needham and ...
Key words and phrases: Process Algebra, Observational Equivalence, Probabilistic Bisimulation, Security Protocol Analysis. The authors were supported by DoD MURI “S...

785 | A calculus for cryptographic protocols: The spi calculus - Abadi, Gordon - 1997
Citation Context: ...he proof system given in [59] were found to be false. Fortunately, none of our major results were found to be untrue. The closest, independent technical precursor is the Abadi and Gordon spi-calculus [2, 3] which uses observational equivalence and channel abstraction but does not involve probability or computational complexity bounds; subsequent related work is cited in [1], for example. Prior work on C...

619 | Universally composable security: A new paradigm for cryptographic protocols - Canetti - 2001

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack - Cramer, Shoup - 1998
Citation Context: ... Our presentation is drawn from Boneh [12] and Tsiounis and Yung [64]. Goldreich [32] offers helpful discussions, as does Cramer and Shoup [20]. A group family G is a set of finite cyclic groups {G_p} where the index p ranges over an infinite set. An instance generator IG(n) takes security parameter n, runs in time polynomial in n and returns...

450 | Relations among notions of security for public-key encryption schemes - Bellare, Desai, et al. - 1998
Citation Context: ...ty is an important cryptographic property due to Goldwasser and Micali [34]. Our definition of semantic security, though, is adapted from presentations by Goldreich [32] and by Goldwasser and Bellare [10, 33]. The definition of semantic security we work with assumes uniform-complexity. Before we provide a definition of semantic security, we need to define an encryption scheme. The ideas behind public-key ...

391 | Security and composition of multi-party cryptographic protocols - Canetti

334 | Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) - Abadi, Rogaway - 2002

314 | A Public-Key Cryptosystem and Signature Scheme Based on Discrete Logarithms - ElGamal - 1985
Citation Context: ...we can analyse probabilistic as well as deterministic encryption functions and protocols. Without a probabilistic framework, it would not be possible to analyse an encryption function such as ElGamal [28], for which a single plaintext may have more than one ciphertext. A probabilistic setting is important also because the combination of nondeterminism and bit-level representation of encryption keys re...

273 | Mobile values, new names, and secure communication - Abadi, Fournet - 2001
Citation Context: ...di and Gordon spi-calculus [2, 3] which uses observational equivalence and channel abstraction but does not involve probability or computational complexity bounds; subsequent related work is cited in [1], for example. Prior work on CSP and security protocols, e.g., [61, 63], also uses process calculus and security specifications in the form of equivalence or related approximation orderings on process...

196 | The decision Diffie-Hellman problem - Boneh - 1998
Citation Context: ...〈G, E, D〉 is semantically secure iff LSS ≅ RSS. ∎ 7.4. The Decision Diffie-Hellman Assumption. We start by defining the Decision Diffie-Hellman assumption [24]. Our presentation is drawn from Boneh [12] and Tsiounis and Yung [64]. Goldreich [32] offers helpful discussions, as does Cramer and Shoup [20]. A group family G is a set of finite ...

143 | A meta-notation for protocol analysis - Cervesato, Durgin, et al. - 1999
Citation Context: ... reasoning for protocol security. Introduction There are many methods used in the analysis of security protocols. The main systematic or formal approaches include specialised logics such as BAN logic [13, 19, 27], special-purpose tools designed for cryptographic protocol analysis [39], and theorem proving [55, 56] and model-checking techniques using several general purpose tools [43, 46, 51, 61, 63]. Although...

135 | Labelled Markov processes - Desharnais - 1999
Citation Context: ...5]. However, asymptotic equivalence as used in security does not appear in any of these references. There are studies of asymptotic equivalence in the context of bisimulations though, including e.g., [22, 23]. This is an orthogonal approach since in this work, expressions represent non-terminating entities. So, when two expressions are said to be...

101 | Universally composable notions of key exchange and secure channels - Canetti - 2002b

98 | Formal eavesdropping and its computational interpretation - Abadi, Jurjens - 2001

95 | A tutorial on EMPA: A theory of concurrent processes with nondeterminism, priorities, probabilities and time - Bernardo, Gorrieri - 1998
Citation Context: ... probabilistic bisimulation or the proof rules for our calculus. Another one based on I/O automata can be found in [7, 8, 57, 58]. Previous literature on probabilistic process calculi includes, e.g., [11, 40, 65]. However, asymptotic equivalence as used in security does not appear in any of these references. There are studies of asymptotic equivalence in the context of bisimulations though, including e.g., [2...

79 | A bisimulation method for cryptographic protocols - Abadi, Gordon - 1998

68 | A general composition theorem for secure reactive systems - Backes, Pfitzmann, et al. - 2004
Citation Context: ...work and its compositionality is discussed in [45]. The paper [45] does not deal with probabilistic bisimulation or the proof rules for our calculus. Another one based on I/O automata can be found in [7, 8, 57, 58]. Previous literature on probabilistic process calculi includes, e.g., [11, 40, 65]. However, asymptotic equivalence as used in security does not appear in any of these references. There are studies o...

62 | Universal composition with joint state - Canetti, Rabin - 2003

45 | Predicative Recursion and Computational Complexity - Bellantoni - 1992
Citation Context: ...guarantees that any probabilistic poly-time function of type N^k → N can be expressed by some basic term. One example of such class of terms is the term calculus OSLR studied in [50] (based in turn on [9, 37]). As a consequence of these two conditions, we will, henceforth, freely move between terms and functions. Whenever we need to explicitly specify a basic term, we will use a notation styled on λ-calcu...

34 | Algorithms and Theory of Computation Handbook - Atallah - 1998
Citation Context: ...tion g ◦ f: X × Z → [0, 1] of two probabilistic functions f: X → Y and g: Y → Z is a probabilistic function. Probabilistic Turing Machines. Our presentation follows standard treatments (see e.g., [6, 54]). A random Turing machine (RTM) is a Turing machine with an extra random-tape and three extra states q_rand, q_one and q_zero. Initially, the machine starts with the input on the working tape and an inf...

34 | Temporal logics for the specification of performance and reliability - Alfaro - 1997
Citation Context: ...ormal proofs of properties of more complex security protocols. It may also be possible to develop model-checking procedures along the lines of those already explored for probabilistic temporal logics [21, 35, 36, 38]. In fact, we hope to be able to develop automated reasoning procedures for use in a network security setting using techniques developed in our study of the properties of our process calculus. Acknowl...

33 | A compositional logic for protocol correctness - Durgin, Mitchell, et al. - 2001
Citation Context: ... reasoning for protocol security. Introduction There are many methods used in the analysis of security protocols. The main systematic or formal approaches include specialised logics such as BAN logic [13, 19, 27], special-purpose tools designed for cryptographic protocol analysis [39], and theorem proving [55, 56] and model-checking techniques using several general purpose tools [43, 46, 51, 61, 63]. Although...

28 | An improved pseudo-random generator based on the discrete logarithm problem - Gennaro - 2008

18 | Non-Malleable Cryptography (Extended Abstract) - Dolev, Dwork, et al. - 1991
Citation Context: ...or use in protocols, does not appear to have been completely settled. While the definition of semantic security [34] appears to have been accepted, there are stronger notions such as non-malleability [25] that are more appropriate to protocol analysis. In a sense, the difference is that semantic security is natural for the single transmission of an encrypted message, while non-malleability accounts fo...

13 | Reactively Secure Signature Schemes - Backes, Pfitzmann, et al. - 2003
Citation Context: ...work and its compositionality is discussed in [45]. The paper [45] does not deal with probabilistic bisimulation or the proof rules for our calculus. Another one based on I/O automata can be found in [7, 8, 57, 58]. Previous literature on probabilistic process calculi includes, e.g., [11, 40, 65]. However, asymptotic equivalence as used in security does not appear in any of these references. There are studies o...

10 | A logic of authentication. Proceedings of the Royal Society of London A, 426:233–271 - Burrows, Abadi, et al. - 1989
Citation Context: ... reasoning for protocol security. Introduction There are many methods used in the analysis of security protocols. The main systematic or formal approaches include specialised logics such as BAN logic [13, 19, 27], special-purpose tools designed for cryptographic protocol analysis [39], and theorem proving [55, 56] and model-checking techniques using several general purpose tools [43, 46, 51, 61, 63]. Although...

10 | Universal composition with joint state. Cryptology ePrint Archive, report 2002/47 - Canetti, Rabin - 2003