A probabilistic polynomial-time process calculus for the analysis of cryptographic protocols

Theoretical Computer Science

Volumn 353, Issue 1-3, 2006, Pages 118-164

  Mitchell, John C ^a   Ramanathan, Ajith ^a   Scedrov, Andre ^b   Teague, Vanessa ^a  

^a Stanford University   (United States)

^b UNIVERSITY OF PENNSYLVANIA   (United States)

Author keywords

Observational equivalence; Probabilistic bisimulation; Process Algebra; Security protocol analysis

Indexed keywords

CRYPTOGRAPHY; NETWORK PROTOCOLS; POLYNOMIALS;

OBSERVATIONAL EQUIVALENCE; PROBABILISTIC BISIMULATION; PROCESS ALGEBRA; SECURITY PROTOCOL ANALYSIS;

DIFFERENTIATION (CALCULUS);

EID: 33244491452     PISSN: 03043975     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.tcs.2005.10.044     Document Type: Article

References (64)

1. M. Abadi, and C. Fournet Mobile values, new names, and secure communication 28th ACM Symp. Principles of Programming Languages 2001 104 115
2. M. Abadi, A.D. Gordon, A bisimulation method for cryptographic protocol, in: Proc. ESOP 98, Lecture Notes in Computer Science, Springer, Berlin, 1998.
3. M. Abadi, and A.D. Gordon A calculus for cryptographic protocols: the spi calculus Inform. and Comput. 143 1999 1 70 expanded version available as SRC Research Report 149 (January 1998)
4. M.J. Atallah (Ed.), Algorithms and Theory of Computation Handbook, CRC Press LLC, 1999, pp. 19-28 (Chapter 24).
5. M. Backes, B. Pfitzmann, M. Waidner, Reactively secure signature schemes, in: Proc. Sixth Information Security Conf., Lecture Notes in Computer Science, Vol. 2851, Springer, Berlin, 2003, pp. 84-95.
6. M. Backes, B. Pfitzmann, M. Waidner, A general composition theorem for secure reactive systems, in: Proc. First Theory of Cryptography Conference, Lecture Notes in Computer Science, Vol. 2951, Springer, Berlin, 2004.
7. S. Bellantoni, Predicative recursion and computational complexity, Ph.D. Thesis, University of Toronto, 1992.
8. M. Bellare, A. Desai, D. Pointcheval, P. Rogaway, Relations among notions of security for public-key encryption schemes, in: H. Krawczyk (Ed.), Proc. CRYPTO 1998, Santa Barbara, CA, Lecture Notes in Computer Science, Vol. 1462, Springer, Berlin, 1998, pp. 26-45.
9. M. Bernardo, and R. Gorrieri A tutorial on EMPA: a theory of concurrent processes with nondeterminism, priorities, probabilities and time Theoret. Comput. Sci. 202 1998 1 54
10. D. Boneh The decision Diffie-Hellman problem Proc. Third Algorithmic Number Theory Symp. Vol. 1423 1998 48 63
11. M. Burrows, M. Abadi, and R. Needham A logic of authentication Proc. Roy. Soc. Ser. A 426 1871 1989 233 271 (also appeared as SRC Research Report 39 and, in a shortened form, in ACM Trans. Comput. Systems 8(1) (1990) 18-36)
12. R. Canetti Security and composition of multiparty cryptographic protocols J. Cryptology 13 1 2000 143 202
13. R. Canetti Universally composable security: a new paradigm for cryptographic protocols Proc. 42nd IEEE Symp. Foundations of Computer Science IEEE 2001 (Full version available at 〈 http://eprint.iacr.org/2000/067/ 〉 )
14. R. Canetti, H. Krawczyk, Universally composable notions of key exchange and secure channels, Cryptology ePrint Archive, Report 2002/059, 2002, 〈 http://eprint.iacr.org/ 〉.
15. R. Canetti, T. Rabin, Universal composition with joint state, Cryptology ePrint Archive, Report 2002/047, 2002, 〈 http://eprint.iacr.org/〉.
16. R. Canetti, T. Rabin, Universal composition with joint state, in: D. Boneh (Ed.), Proc. CRYPTO 2003, Santa Barbara, CA, Lecture Notes in Computer Science, Vol. 2729, Springer, Berlin, 2003, pp. 265-281.
17. I. Cervesato, N.A. Durgin, P.D. Lincoln, J.C. Mitchell, and A. Scedrov A meta-notation for protocol analysis 12th IEEE Computer Security Foundations Workshop IEEE Computer Society Press 1999
18. R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, Lecture Notes in Computer Science, Vol. 1462, Springer, Berlin, 1998, pp. 13-25.
19. L. de Alfaro, Temporal logics for the specification of performance and reliability, in: STACS '97, Lecture Notes in Computer Science, Vol. 1200, Springer, Berlin, 1997, pp. 165-176.
20. J. Desharnais, A. Edalat, and P. Panangaden Bisimulation for labelled Markov processes Inform. and Comput. 179 2 2002 163 193
21. J. Desharnais, V. Gupta, R. Jagadeesan, and P. Panangaden Approximating labeled Markov processes Logic in Computer Science 2000 95 106
22. W. Diffie, and M.E. Hellman New directions in cryptography IEEE Trans. Inform. Theory 22 1976 644 654
23. D. Dolev, C. Dwork, and M. Naor Non-malleable cryptography (extended abstract) Proc. 23rd Annu. ACM Symp. Theory of Computing 1991 542 552
24. D. Dolev, and A.C.-C. Yao On the security of public-key protocols Proc. 22nd Annu. IEEE Symp. Foundations of Computer Science 1981 350 357
25. N.A. Durgin, J.C. Mitchell, D. Pavlovic, A compositional logic for protocol correctness, in: 14th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, June 2001.
26. T. El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms IEEE Trans. Inform. Theory 31 1985 469 472
27. R. Gennaro, An improved pseudo-random generator based on discrete log, in: Proc. CRYPTO 2000, Santa Barbara, CA, Lecture Notes in Computer Science, Vol. 1880, Springer, Berlin, 2000, pp. 469-481 (Revised version available at 〈 http://www.research.ibm.com/people/r/rosario/ 〉 ).
28. O. Goldreich Modern Cryptography, Probabilistic Proofs and Pseudorandomness 1999 Springer Berlin
29. O. Goldreich, The Foundations of Cryptography, Vol. 1, Cambridge University Press, Cambridge, June 2001.
30. O. Goldreich, The Foundations of Cryptography, Vol. 2, Cambridge University Press, Cambridge, May 2004.
31. S. Goldwasser, M. Bellare, Lecture Notes on Cryptography, 2003. Lecture notes for a class taught by the authors at the MIT (1996-2001); available online at 〈 http://www.cs.nyu.edu/courses/fall01/G22.3033-003/〉.
32. S. Goldwasser, and S. Micali Probabilistic encryption J. Comput. System Sci. 28 2 1984 270 299 Previous version in STOC 1982
33. H. Hansson Time and probabilities in formal design of distributed systems, Real-Time Safety Critical Systems 1994 Elsevier Amsterdam
34. H. Hansson, and B. Jonsson A framework for reasoning about time and reliability Proc. Real Time Systems Symp. IEEE 1989 102 111
35. M. Hofmann, Type systems for Polynomial-Time Computation, Habilitation Thesis, Darmstadt; see 〈 http://www.dcs.ed.ac.uk/home/mxh/papers.html 〉, 1999.
36. M. Huth, and M.Z. Kwiatkowska Quantitative analysis and model checking Lecture Notes in Computer Science 1997 Springer Berlin 111 122
37. R.A. Kemmerer, C. Meadows, and J.K. Millen Three systems for cryptographic protocol analysis J. Cryptology 7 2 1994 79 130
38. K.G. Larsen, and A. Skou Bisimulation through probabilistic testing Inform. and Comput. 94 1 1991 1 28
39. P.D. Lincoln, J.C. Mitchell, M. Mitchell, and A. Scedrov A probabilistic poly-time framework for protocol analysis M.K. Reiter Proc. Fifth ACM Conf. Computer and Communications Security San Francisco, CA 1998 ACM Press New York 112 121
40. P.D. Lincoln, J.C. Mitchell, M. Mitchell, A. Scedrov, Probabilistic polynomial-time equivalence and security protocols, in: J.M. Wing, J. Woodcock, J. Davies (Eds.), Formal Methods World Congress, Vol. I, Toulouse, France, Lecture Notes in Computer Science, Vol. 1708, Springer, Berlin, 1999, pp. 776-793.
41. G. Lowe, Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR, in: T. Margaria, B. Steffen (Eds.), Second Internat. Workshop on Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science, Vol. 1055, Springer, Berlin, 1996, pp. 147-166.
42. M. Luby Pseudorandomness and Cryptographic Applications, Princeton Computer Science Notes 1996 Princeton University Press
43. P. Mateus, J.C. Mitchell, A. Scedrov, Composition of cryptographic protocols in a probabilistic polynomial-time process calculus, in: R.M. Amadio, D. Lugiez (Eds.), 14th Internat. Conf. Concurrency Theory, Marseille, France, Lecture Notes in Computer Science, Vol. 2761, Springer, Berlin, 2003, pp. 327-349.
44. C. Meadows Analyzing the Needham-Schroeder public-key protocol: a comparison of two approaches Proc. European Symp. Research in Computer Security 1996 Springer Berlin 351 364
45. A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone Handbook of Applied Cryptography 2001 CRC Press Boca Raton, FL
46. S. Micali, C. Rackoff, and B. Sloan The notion of security for probabilistic cryptosystems SIAM J. Computing 17 1988 412 426
47. R. Milner Communication and Concurrency, International Series in Computer Science 1989 Prentice-Hall Englewoods Cliffs, NJ
48. J.C. Mitchell, M. Mitchell, and A. Scedrov A linguistic characterization of bounded oracle computation and probabilistic polynomial time Proc. 39th Annu. IEEE Symp. Foundations of Computer Science Palo Alto, CA 1998 IEEE 725 733
49. J.C. Mitchell, M. Mitchell, and U. Stern Automated analysis of cryptographic protocols using Mur φ Proc. IEEE Symp. Security and Privacy 1997 141 151
50. J.C. Mitchell, A. Ramanathan, A. Scedrov, V. Teague, A probabilistic polynomial-time calculus for the analysis of cryptographic protocols (preliminary report), in: S. Brookes, M. Mislove (Eds.), 17th Annu. Conf. Mathematical Foundations of Programming Semantics, Arhus, Denmark, Vol. 45, May 2001 (electronic notes in Theoretical Computer Science).
51. R. Needham, and M. Schroeder Using encryption for authentication in large networks of computers Commun. ACM 21 12 1978 993 999
52. C.H. Papadimitriou Computational Complexity 1994 Addison-Wesley Reading, MA
53. L.C. Paulson Mechanized proofs for a recursive authentication protocol 10th IEEE Computer Security Foundations Workshop 1997 84 95
54. L.C. Paulson Proving properties of security protocols by induction 10th IEEE Computer Security Foundations Workshop 1997 70 83
55. B. Pfitzmann, and M. Waidner Composition and integrity preservation of secure reactive systems Seventh ACM Conf. Computer and Communications Security Athens November 2000 ACM New York 245 254 (preliminary version: IBM Research Report RZ 3234 (# 93280) 06/12/00, IBM Research Division, Zürich, June 2000)
56. B. Pfitzmann, and M. Waidner A model for asynchronous reactive systems and its application to secure message transmission IEEE Symp. Security and Privacy Washington 2001 184 200
57. A. Ramanathan, J.C. Mitchell, A. Scedrov, V. Teague, Probabilistic bisimulation and equivalence for security analysis of network protocols, in: I. Walukiewicz (Ed.), Foundations of Software Science and Computation Structures, Seventh Internat. Conf., FOSSACS 2004, Barcelona, Spain, Lecture Notes in Computer Science, Vol. 2987, Springer, Berlin, 2004, pp. 468-483 (summarizes results of [60]).
58. A. Ramanathan, J.C. Mitchell, A. Scedrov, V. Teague, Probabilistic Bisimulation and Equivalence for Security Analysis of Network Protocols, Technical Report, 2004 (see 〈 http://www-cs-students.stanford.edu/ ∼ ajith/〉).
59. A.W. Roscoe Modeling and verifying key-exchange protocols using CSP and FDR CSFW 8 1995 IEEE Computer Society Press 98 99
60. P.Y.A. Ryan, and S.A. Schneider An attack on a recursive authentication protocol - A cautionary tale Inform. Process. Lett. 65 1 1998 7 10
61. S. Schneider Security properties and CSP IEEE Symp. Security and Privacy Oakland, CA 1996
62. Y. Tsiounis, M. Yung, On the security of El Gamal-based encryption, Lecture Notes in Computer Science, Vol. 1431, Springer, Berlin, 1998, pp. 117-134.
63. R.J. van Glabbeek, S.A. Smolka, and B. Steffen Reactive, generative, and stratified models of probabilistic processes Internat. J. Inform. and Comput. 121 1 1995
64. A.C.-C. Yao Theory and applications of trapdoor functions IEEE Foundations of Computer Science 1982 80 91