Modular Verification of Protocol Equivalence in the Presence of Randomness

  • Matthew S. Bauer
  • Rohit Chadha
  • Mahesh Viswanathan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


Security protocols that provide privacy and anonymity guarantees are growing increasingly prevalent in the online world. The highly intricate nature of these protocols makes them vulnerable to subtle design flaws. Formal methods have been successfully deployed to detect these errors, where protocol correctness is formulated as a notion of equivalence (indistinguishability). The high overhead of verifying such equivalence properties, in conjunction with the fact that protocols are never run in isolation, has created a need for modular verification techniques. Existing approaches to formal modeling and (compositional) verification of protocols for privacy have abstracted away a fundamental ingredient in the effectiveness of these protocols: randomness. We present the first composition results for equivalence properties of protocols that are explicitly able to toss coins. Our results hold even when protocols share data (such as long-term keys), provided that protocol messages are tagged with the information of which protocol they belong to.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Matthew S. Bauer (1)
  • Rohit Chadha (2)
  • Mahesh Viswanathan (1)

  1. University of Illinois at Urbana-Champaign, Champaign, USA
  2. University of Missouri, Columbia, USA
