Sums and Lovers: Case Studies in Security, Compositionality and Refinement

  • Annabelle K. McIver
  • Carroll C. Morgan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5850)


A truly secure protocol is one which never violates its security requirements, no matter how bizarre the circumstances, provided those circumstances are within its terms of reference. Such cast-iron guarantees, as far as they are possible, require formal techniques: proof or model-checking. Informally, they are difficult or impossible to achieve.

Our technique is refinement, until recently not much applied to security. We argue its benefits by giving rigorous formal developments, in refinement-based program algebra, of several security case studies.

A conspicuous feature of our studies is their layers of abstraction and, for the main study in particular, that the protocol is unbounded in state, placing its verification beyond the reach of model checkers.

Correctness in all contexts is crucial for our goal of layered, refinement-based developments. This is ensured by our semantics in which the program constructors are monotonic with respect to “security-aware” refinement, which is in turn a generalisation of compositionality.


Refinement of security; formalised secrecy; hierarchical security reasoning; compositional semantics





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Annabelle K. McIver (1)
  • Carroll C. Morgan (2)
  1. Dept. Computer Science, Macquarie University, Australia
  2. School of Comp. Sci. and Eng., Univ. New South Wales, Australia
