Discrete Event Dynamic Systems, Volume 18, Issue 1, pp 111–159

Analyzing Security Protocols Using Time-Bounded Task-PIOAs

  • Ran Canetti
  • Ling Cheung
  • Dilsun Kaynar (corresponding author)
  • Moses Liskov
  • Nancy Lynch
  • Olivier Pereira
  • Roberto Segala


This paper presents the time-bounded task-PIOA modeling framework, an extension of the probabilistic input/output automata (PIOA) framework that can be used for modeling and verifying security protocols. Time-bounded task-PIOAs can describe probabilistic and nondeterministic behavior, as well as time-bounded computation. Together, these features support modeling of important aspects of security protocols, including secrecy requirements and limitations on the computational power of adversarial parties. They also support security protocol verification using methods that are compatible with less formal approaches used in the computational cryptography research community. We illustrate the use of our framework by outlining a proof of functional correctness and security properties for a well-known oblivious transfer protocol.


Keywords: Security protocols; Time-bounded task-PIOAs; Probabilistic input/output automata; Oblivious transfer





Copyright information

© Springer Science+Business Media, LLC 2007

Authors and Affiliations

  • Ran Canetti: IBM T.J. Watson Center, Hawthorne, USA; Massachusetts Institute of Technology, Cambridge, USA
  • Ling Cheung: Massachusetts Institute of Technology, Cambridge, USA
  • Dilsun Kaynar (corresponding author): Carnegie Mellon University, Pittsburgh, USA
  • Moses Liskov: The College of William and Mary, Williamsburg, USA
  • Nancy Lynch: Massachusetts Institute of Technology, Cambridge, USA
  • Olivier Pereira: Université catholique de Louvain, Louvain-la-Neuve, Belgium
  • Roberto Segala: Università di Verona, Verona, Italy
