Task-Structured Probabilistic I/O Automata




Ran Canetti, Ling Cheung, Dilsun Kaynar, Moses Liskov, Nancy Lynch, Olivier Pereira, Roberto Segala

IBM T.J. Watson Research Center, USA; Radboud University of Nijmegen, the Netherlands; MIT CSAIL, USA; The College of William and Mary, USA; Université Catholique de Louvain, Belgium; Università di Verona, Italy

Abstract

Modeling frameworks such as Probabilistic I/O Automata (PIOA) and Markov Decision Processes permit both probabilistic and nondeterministic choices. In order to use such frameworks to express claims about probabilities of events, one needs mechanisms for resolving the nondeterministic choices. For PIOAs, nondeterministic choices have traditionally been resolved by schedulers that have perfect information about the past execution. However, such schedulers are too powerful for certain settings, such as cryptographic protocol analysis, where information must sometimes be hidden. Here, we propose a new, less powerful nondeterminism-resolution mechanism for PIOAs, consisting of tasks and local schedulers. Tasks are equivalence classes of system actions that are scheduled by oblivious global task sequences. Local schedulers resolve nondeterminism within system components, based on local information only. The resulting task-PIOA framework yields simple notions of external behavior and implementation, and supports simple compositionality results. We also define a new kind of simulation relation, and show it to be sound for proving implementation. We illustrate the potential of the task-PIOA framework by outlining its use in verifying an Oblivious Transfer protocol.

Support: Canetti is supported by NSF CyberTrust Grant 430450; Cheung by DFG/NWO bilateral cooperation project 60005001101, Validation of Stochastic Systems (VOSS); Kaynar and Lynch by DARPA/AFOSR MURI Award F49620-02-1-0325, MURI AFOSR Award SA2796PO 1-0000243658, NSF Awards CCR-0326277 and CCR-0121277, and USAF, AFRL Award FA9550-04-1-0121; Pereira by the Belgian National Fund for Scientific Research (FNRS); and Segala by MURST project Constraint-based Verification of reactive systems (CoVer).

I. INTRODUCTION

The Probabilistic I/O Automata (PIOA) modeling framework [Seg95], [SL95] is a simple combination of I/O Automata [LT89] and Markov Decision Processes (MDP) [Put94]. As demonstrated in [LSS94], [SV99], [PSL00], PIOAs are well suited for modeling and analyzing distributed algorithms that use randomness as a computational primitive. In this setting, distributed processes use random choices to break symmetry, in solving problems such as choice coordination [R82] and consensus [BO83], [AH90]. Each process is modeled as an automaton with random transitions, and an entire protocol is modeled as the parallel composition of process automata and automata representing communication channels.

This modeling paradigm combines nondeterministic and probabilistic choices in a natural way. Nondeterminism is used here for modeling uncertainties in the timing of events in highly unpredictable distributed environments. It is also used for modeling distributed algorithms at high levels of abstraction, leaving many details unspecified. This in turn facilitates algorithm verification, because results proved about nondeterministic algorithms apply automatically to an entire family of algorithms, obtained by resolving the nondeterministic choices in particular ways.

In order to formulate and prove probabilistic properties of distributed algorithms, one needs mechanisms for resolving the nondeterministic choices. In the randomized distributed setting, the most common mechanism is a perfect-information event scheduler, which has access to local state and history of all system components and has unlimited computation power. Thus, probabilistic properties of distributed algorithms are typically asserted with respect to worst-case, adversarial schedulers, who can choose the next event based on complete knowledge of the past (e.g., [PSL00]).

One would expect that a similar modeling paradigm, including both probabilistic and nondeterministic choices, would be similarly useful for modeling cryptographic protocols. These are special kinds of distributed algorithms designed to protect sensitive data when it is transmitted over unreliable channels. Their correctness typically relies on computational assumptions, which say that certain problems cannot be solved by an adversarial entity with bounded computation resources [Gol01]. However, a major problem with this extension is that the perfect-information scheduler mechanism used for distributed algorithms is too powerful for use in the cryptographic setting. A scheduler that could see all information about the past would, in particular, see secret information hidden in the states of non-corrupted protocol participants, and be able to divulge this information to corrupted participants, e.g., by encoding it in the order in which it schedules events.

In this paper, we present task-PIOAs, an adaptation of PIOAs that has new, less powerful mechanisms for resolving nondeterminism. Task-PIOAs are suitable for modeling and analyzing cryptographic protocols; they may also be useful for other kinds of distributed systems in which the perfect information assumption is unrealistically strong.

Task-PIOAs: A task-PIOA is simply a PIOA augmented with a partition of non-input actions into equivalence classes called tasks. A task is typically a set of related actions, for example, all the actions of a cryptographic protocol that send a round 1 message. Tasks are units of scheduling; they are scheduled by simple oblivious global task schedule sequences. We define notions of external behavior and implementation for task-PIOAs based on the trace distribution semantics proposed by Segala [Seg95]. We define parallel composition in the obvious way, and show that our implementation relation is compositional.

We also define a new type of simulation relation, which incorporates tasks, and prove that it is sound for proving implementation relationships between task-PIOAs. This new relation differs from simulation relations studied earlier [SL95], [LSV03] in that it relates probability measures rather than states. In many cases, including our work on cryptographic protocols (see below), tasks alone suffice for resolving nondeterminism. However, for extra expressive power, we define a second mechanism, local schedulers, which can be used to resolve nondeterminism within system components, based on local information only. This mechanism is based on earlier work in [CLSV04].

Cryptographic protocols: In [CC 06a], we applied the task-PIOA framework to analyze an Oblivious Transfer (OT) protocol of Goldreich et al. [GMW87]. That analysis required defining extra structure for task-PIOAs, in order to express issues involving computational limitations. Thus, we defined notions such as time-bounded task-PIOAs and approximate implementation with respect to time-bounded environments. Details are beyond the scope of this paper, but we outline our approach in Section IV.

Adversarial scheduling: The standard scheduling mechanism in the cryptographic community is an adversarial scheduler, namely, a resource-bounded algorithmic entity that determines the next move adaptively, based on its own view of the computation so far. This is weaker than the perfect-information scheduler used for distributed algorithms, which has access to local state and history of all components and has unlimited computation power. Our task schedule sequences are essentially oblivious schedulers, which fix the entire schedule of tasks nondeterministically in advance. This formulation does not directly capture the adaptivity of adversarial schedulers. Our solution is to separate scheduling concerns into two parts. We model the adaptive adversarial scheduler as a system component, for example, a message delivery service that can eavesdrop on the communications and control the order of message delivery. Such a system component has access to partial information about the execution: it sees information that other components communicate to it during execution, but not secret information that these components hide. On the other hand, basic scheduling choices are resolved by a task schedule sequence chosen nondeterministically in advance. These tasks are equivalence classes of actions, independent of actual choices that are determined during the execution. We believe this separation is conceptually meaningful: the high-level adversarial scheduler is responsible for choices that are essential in security analysis, such as the ordering of message deliveries. The low-level schedule of tasks resolves inessential choices. For example, in the OT protocol, both the transmitter and receiver make random choices, but it is inconsequential which does so first.

Related work: The literature contains numerous models that combine nondeterministic and probabilistic choices (see [SdV04] for a survey). However, few tackle the issue of partial-information scheduling as we do. Exceptions include [CH05], which models local-oblivious scheduling, and [da99], which uses partitions on the state space to obtain partial-information schedules. The latter is essentially within the framework of partially observable MDPs (POMDPs), originally studied in the context of reinforcement learning [KLA98]. All of these accounts neglect partial information aspects of (parameterized) actions, and therefore are not suitable in a cryptographic setting. A version of local schedulers was introduced in [CLSV04].

Our general approach to cryptographic protocol verification was directly inspired by the Interactive Turing Machine (ITM) framework of [Can01]. There, participants in a protocol are modeled as ITMs, and messages as bit strings written on input and output tapes. ITMs are purely probabilistic, and scheduling nondeterminism is resolved using predefined rules. In principle, this framework could be used to analyze cryptographic protocols rigorously, including computational complexity issues. However, complete analysis of protocols in terms of Turing machines is impractical, because it involves too many low-level machine details. Indeed, in the computational cryptography community, protocols are typically described using an informal high-level language, and proof sketches are given in terms of the informal protocol descriptions. We aim to provide a framework in which proofs in the ITM style can be carried out formally, at a high level of abstraction. Also, we aim to exploit the benefits of nondeterminism to a greater extent than the ITM approach.

Several other researchers have added features for computational cryptographic analysis to conventional abstract concurrency modeling frameworks such as process algebras and restricted forms of PIOAs [LMMS98], [PW00], [PW01], [MMS03]. These approaches again use less nondeterminism than we do: individual system components are purely probabilistic, and scheduling is determined by predefined rules. For example, in [LMMS98], a uniform distribution is imposed on the set of possible reductions for each term. In [MMS03], internal reductions are prioritized over external communications, and several independence properties are assumed. In [PW01], scheduling is based on a distributed scheme wherein each system component schedules the next one, based on its own local information. None of the prior work separates high-level and low-level nondeterminism resolution as we do.

Roadmap: Section II defines task-PIOAs, task schedules, composition, and implementation, and presents a compositionality result. Section III presents our simulation relation and its soundness theorem. Section IV summarizes our OT protocol case study. Section V discusses local schedulers, and concluding discussions follow in Section VI. Further details appear in [CC 06b].

II. TASK-PIOAS

A. Basic PIOAs

We assume our reader is comfortable with basic notions of probability theory, such as σ-fields and (discrete) probability measures. A summary is provided in [CC 06b].

A probabilistic I/O automaton (PIOA) is a tuple where: (i) is a countable set of states, with start state ; (ii) , and are countable and pairwise disjoint sets of actions, referred to as input, output and internal actions, respectively; and (iii) is a transition relation, where is the set of discrete probability measures on . An action is enabled in a state if for some . The set is called the action alphabet of . If , then is closed. The set of external actions of is , and the set of locally controlled actions is . We assume that satisfies:

Input enabling: For every state and input action , is enabled in .

Transition determinism: For every and , there is at most one such that . If there is exactly one such , it is denoted by , and we write for the transition .

An execution fragment of is a finite or infinite sequence of alternating states and actions, such that (i) if it is finite, then it ends with a state; and (ii) for every non-final index, there is a transition with the next state in its support, where denotes the support of . We write for the first state of an execution fragment and, if it is finite, for its last state. We use (resp. ) to denote the set of all (resp. all finite) execution fragments of . An execution of is an execution fragment beginning from the start state. (resp. ) denotes the set of all (resp. finite) executions of . The trace of an execution fragment , written , is the restriction of to the set of external actions of . The symbol denotes the prefix relation on sequences, which applies in particular to execution fragments and traces.

Nondeterministic choices in are resolved using a scheduler, which is a function from finite execution fragments to sub-probability measures on transitions, such that every transition in the support of the scheduler's choice after a finite execution fragment starts from the last state of that fragment. Here denotes the set of discrete sub-probability measures on , that is, the measure of the entire space is required to be at most 1. Thus, decides (probabilistically) which transition (if any) to take after each finite execution fragment .

A scheduler and a finite execution fragment generate a measure on the σ-field generated by cones of execution fragments, where each cone is the set of execution fragments that have as a prefix. The measure of a cone is defined recursively as: 1) 0, if neither of and is a prefix of the other; 2) 1, if is a prefix of ; 3) the measure of the cone of times the probability of the last step, if is of the form with , and is a prefix of . Here the probability of the last step is defined to be the probability that chooses a transition labeled by and that the new state is . Standard measure theoretic arguments ensure that is well-defined. We call the state the first state of and denote it by . If consists of the start state only, we call a probabilistic execution of .

Let be a discrete probability measure over . We denote by the measure , and we say that is generated by , and we call the measure a generalized probabilistic execution fragment of . If every execution fragment in consists of a single state, then we call a probabilistic execution fragment of .

We note that the trace function is a measurable function from to the σ-field generated by cones of traces. Thus, given a probability measure on , we define the trace distribution of , denoted , to be the image measure of under the trace function. We denote by the set of trace distributions of (probabilistic executions of) .

Definition 2.1: Two PIOAs , , are said to be compatible if whenever . In that case, we define their composition to be the PIOA , where is the set of triples such that (i) is enabled in some , and (ii) for every , if , then ; otherwise . This definition can be extended to any finite number of PIOAs rather than just two.

B. Task-PIOAs

We now augment the PIOA framework with task partitions, our main mechanism for resolving nondeterminism.

Definition 2.2: A task-PIOA is a pair where (i) is a PIOA (satisfying transition determinism), and (ii) is an equivalence relation on the locally-controlled actions. The equivalence classes of are called tasks. A task is enabled in a state if some is enabled in .

Unless otherwise stated, technical notions for task-PIOAs are inherited from those for PIOAs. Exceptions include the notions of probabilistic executions and trace distributions. For now, we impose the following action-determinism assumption, which implies that tasks alone are enough to resolve all nondeterministic choices. We will remove this assumption when we introduce local schedulers in Section V.

Action determinism: For every state and task , at most one action is enabled in .

A task schedule for is any finite or infinite sequence of tasks in . A task schedule is static (or oblivious), in the sense that it does not depend on dynamic information generated during execution. Under the action-determinism assumption, a task schedule can be used to generate a unique probabilistic execution, and hence a unique trace distribution, of the underlying PIOA. One can do this by repeatedly scheduling tasks, each of which determines at most one transition of . Formally, we define an operation that applies a task schedule to a task-PIOA:

Definition 2.3: Let be an action-deterministic task-PIOA where . Given a probability measure on and a task schedule , is the probability measure on defined recursively by:
1) Applying the empty sequence to yields (where denotes the empty sequence).
2) For a single task , the result is defined as follows. For every finite execution fragment , its probability is the sum of two terms, where: the first term is the probability of times the probability of the last step, if is of the form , where and ; and 0 otherwise. The second term is the probability of if is not enabled in the last state of ; and 0 otherwise.
3) For a schedule of the form (a task followed by a schedule), the result is obtained by applying the task first and then the remaining schedule.
4) For an infinite schedule, the result is the limit of the results for its finite prefixes, where denotes the length- prefix of .

In Case (2) above, the first term represents the probability that is executed when applying task at the end of . Because of transition-determinism and action-determinism, the transition taken from the last state of is unique, and so the first term is well-defined. The second term represents the original probability of , which is relevant if is not enabled after . It is routine to check that the limit in Case (4) is well-defined. The other two cases are straightforward.

Next, we show that the measure obtained by applying a task schedule is a generalized probabilistic execution fragment generated by and a scheduler for in the usual sense. Thus, a task schedule for a task-PIOA is a special case of a scheduler for the underlying PIOA.

Theorem 2.4: Let be an action-deterministic task-PIOA. For each measure on and task schedule , there is a scheduler for such that the measure obtained by applying to is the generalized probabilistic execution fragment . Any such measure is said to be a generalized probabilistic execution fragment of . Probabilistic execution fragments and probabilistic executions are then defined by making the same restrictions as for basic PIOAs.

We write as shorthand for the trace distribution obtained by applying task schedule starting from the measure on execution fragments. We write for the trace distribution obtained by applying from the unique start state. (Recall that the Dirac measure for an element is the discrete probability measure that assigns probability 1 to .) A trace distribution of is any such trace distribution. We use to denote the set of trace distributions of over all task schedules for .

Finally, we define composition of task-PIOAs:

Definition 2.5: Two task-PIOAs , , are said to be compatible provided the underlying PIOAs are compatible. In this case, we define their composition to be the task-PIOA whose underlying PIOA is the composition of the underlying PIOAs and whose task relation is the union of the two task relations. It is easy to see that this is in fact a task-PIOA. In particular, since compatibility ensures disjoint sets of locally-controlled actions, the union is an equivalence relation on the locally-controlled actions of the composition. It is also easy to see that action determinism is preserved under composition. Note that when two task-PIOAs are composed, no new mechanisms are required to schedule actions of the two components: the tasks alone are enough.

C. Implementation

We now define the notion of external behavior for a task-PIOA, and the induced implementation relation between task-PIOAs. Unlike previous definitions of external behavior, the one we use here is not simply a set of trace distributions. Rather, it is a mapping that specifies, for every possible environment for the given task-PIOA , the set of trace distributions that can arise when is composed with .

Definition 2.6: Let be any task-PIOA and be an action-deterministic task-PIOA. We say that is an environment for if (i) is compatible with and (ii) the composition is closed. Note that may have output actions that are not in the signature of .

Definition 2.7: The external behavior of , denoted by , is the total function that maps each environment to the set of trace distributions of the composition of and . Thus, for each environment , we consider the set of trace distributions that arise from all task schedules. Note that these traces may include new output actions of , in addition to the external actions already present in .

Our definition of implementation is influenced by common notions in the security literature (e.g., [LMMS98], [Can01], [PW01]). Namely, the implementation must look like the specification from the perspective of every possible environment. The precise notion of implementation is formulated in terms of inclusion of sets of trace distributions, for each environment automaton. An advantage of this style of definition is that it yields simple compositionality results (Theorem 2.9).

Definition 2.8: Let and be comparable action-deterministic task-PIOAs, that is, they have the same input actions and the same output actions. We say that implements , written , if the external behavior of is included in that of for every environment for both and . In other words, we require that the set of trace distributions of composed with be included in the set of trace distributions of composed with , for every . The subscript 0 in the relation symbol refers to the requirement that every trace distribution of the implementation must have an identical match in the specification. For security analysis, we also define another relation, which allows negligible discrepancies between matching trace distributions [CC 06a].

D. Compositionality

Because external behavior and implementation are defined in terms of mappings from environments to sets of trace distributions, a compositionality result for follows easily:

Theorem 2.9: Let , be comparable action-deterministic task-PIOAs such that implements , and let be an action-deterministic task-PIOA compatible with each of and . Then the composition of with implements the composition of with .

Proof: Let be any environment (action-deterministic) task-PIOA for both compositions. Fix any task schedule for the implementation side composed with . Let be the trace distribution it generates. It suffices to show that is also generated by some task schedule for the specification side composed with . Note that is also a task schedule for composed with the composition of and , and that generates the same trace distribution in that regrouped task-PIOA. Now the composition of and is an (action-deterministic) environment task-PIOA for each of and . Since by assumption implements , we infer the existence of a task schedule for composed with that environment such that generates trace distribution there. Since is also a task schedule for the specification side composed with and generates , this suffices.

III. SIMULATION RELATIONS

We define a new simulation relation notion for closed, action-deterministic task-PIOAs, and show that it is sound for proving the implementation relation. Our definition is based on three operations involving probability measures: flattening, lifting, and expansion. These have been previously defined, e.g., in [LSV03].

A. Flattening, lifting, and expansion

The flattening operation takes a discrete probability measure over probability measures and flattens it into a single probability measure. Formally, let be a discrete probability measure on the set of discrete probability measures over . Then the flattening of , denoted by , is the discrete probability measure on defined as the weighted sum of the measures in the support of , each weighted by the probability assigns to it.

The lifting operation takes a relation between two domains and and lifts it to a relation between discrete

measures over and . Informally speaking, a measure on is related to a measure on if can be obtained by redistributing the probability masses assigned by in such a way that the relation is respected. Formally, the lifting of , denoted by , is a relation from discrete measures on to discrete measures on defined by: two measures are related iff there exists a weighting function such that 1) for each pair of elements, a non-zero weight implies that the pair is in the relation; 2) for each element of , the weights assigned to it sum to its probability under the first measure; 3) for each element of , the weights assigned to it sum to its probability under the second measure.

Finally, the expansion operation takes a relation between discrete measures on two domains and returns a relation of the same kind, that relates two measures whenever they can be decomposed into two related measures. Formally, let be a relation from discrete measures on to discrete measures on . The expansion of , written , is a relation from discrete measures on to discrete measures on defined by: two measures are related iff there exist two discrete measures on measures, respectively, such that the flattening of each yields the corresponding measure, and the two measures on measures are related by the lifting of .

We use expansions directly in our definition of simulation. Informally, two measures being related by means that it is possible to simulate from the second anything that can happen from the first. Furthermore, two measures being related by the expansion means that we can decompose them into pieces that can simulate each other, and so we can say that it is also possible to simulate from the second anything that can happen from the first. This intuition is at the base of the proof of our soundness result (cf. Theorem 3.5).

B. Simulation relation definition

We need two more auxiliary definitions. The first expresses consistency between a probability measure over finite executions and a task schedule: informally, a measure over finite executions is said to be consistent with a task schedule if it assigns non-zero probability only to those executions that are possible under the task schedule. We use this condition in order to avoid useless proof obligations in our definition of simulation relation.

Definition 3.1: Let be a closed, action-deterministic task-PIOA, a discrete probability measure over finite executions of , and a finite task schedule for . Then is consistent with provided that the support of is included in the support of the measure obtained by applying to the start state of .

For the second definition, suppose we have a mapping that, given a finite task schedule and a task of a task-PIOA , yields a task schedule of another task-PIOA . The idea is that this mapping describes how matches the task, given that it has already matched the task schedule. Using it, we define a new function that, given a task schedule , iterates on all the elements of , thus producing a full task schedule of that matches all of .

Definition 3.2: Let and be two task-PIOAs, and let be a function that assigns a finite task schedule of to each finite task schedule of and task of . Define the iterated function recursively as follows: on the empty schedule it yields the empty schedule, and on a schedule extended by one task it yields the iterated result for the schedule, followed by the schedule assigned to the task (the concatenation of the two).

We can now define our new notion of simulation for task-PIOAs, and establish its soundness with respect to the implementation relation. Note that our simulation relations do not just relate states to states, but rather probability measures on executions to probability measures on executions.¹ The use of measures on executions here, rather than just executions, is motivated by certain cases that arise in our OT protocol proof, e.g., cases where related random choices are made at different points in the low-level and high-level models (see Section III-D).

Definition 3.3: Let and be two comparable closed, action-deterministic task-PIOAs. Let be a relation from discrete probability measures over finite executions of to discrete probability measures over finite executions of , such that related measures have the same trace distribution. Then is a simulation from to if there exists a task-correspondence function as in Definition 3.2 such that the following properties hold:
1) Start condition: the Dirac measures on the start executions of and are related.
2) Step condition: If two measures are related, the first is consistent with a finite task schedule of and the second is consistent with the iterated corresponding schedule of , then, for each task of , the measure obtained by applying that task to the first is related by the expansion of to the measure obtained by applying the corresponding task schedule to the second.

C. Soundness

Lemma 3.4: Let and be comparable closed, action-deterministic task-PIOAs, and a simulation from to . Let and be discrete probability measures over finite executions of and , respectively, such that they are related by the expansion of . Then they have the same trace distribution.

The following theorem says that, for closed task-PIOAs, the existence of a simulation relation implies inclusion of sets of trace distributions. Our main soundness result for (not necessarily closed) task-PIOAs then follows as a corollary.

Theorem 3.5: Let and be comparable closed, action-deterministic task-PIOAs. If there exists a simulation relation from to , then the set of trace distributions of is included in that of .

Proof: Let be the assumed simulation relation from to . Let be the probabilistic execution of generated by and a (finite or infinite) task schedule . For each , define to be the task schedule of corresponding to the length- prefix of under the iterated correspondence function. Let be the probabilistic execution generated by and the limit of these schedules. We claim that the two probabilistic executions have the same trace distribution, which suffices.

For each , let and be the measures obtained by applying the length- prefix of and the corresponding schedule, respectively. Then, for each , these are consistent with the respective schedules and are prefixes of the respective probabilistic executions; moreover, the probabilistic executions are the limits of these sequences. Also, for every , applying the next task (resp. the corresponding schedule) to the measure at stage yields the measure at stage . Observe that the measures at stage 0 are the Dirac measures on the start states. The start condition for a simulation relation and a trivial expansion imply that the stage-0 measures are related by the expansion of . Then, by induction, using the definition of a simulation relation in proving the inductive step (this uses a series of lemmas; see [CC 06b] for details), we show that for each , the stage- measures are related by the expansion of . Then, by Lemma 3.4, for each , the stage- measures have the same trace distribution. Now the trace distribution of each probabilistic execution is the limit of the trace distributions of its stage- measures. Since for each these agree, we conclude that the two probabilistic executions have the same trace distribution, as needed.

Corollary 3.6: Let and be two comparable action-deterministic task-PIOAs. Suppose that, for every environment for both and , there exists a simulation relation from composed with to composed with . Then implements .

¹ It would be nice to simplify this definition so that it involves measures on states instead of measures on executions, but we don't yet know how to do this.

D. Example: Trapdoor vs. Rand

The following example from our OT proof was a key motivation for generalizing prior notions of simulation relations. We consider two closed task-PIOAs, Trapdoor and Rand. Rand chooses a number randomly and outputs it. Trapdoor, on the other hand, first chooses a random number, then applies a known permutation to the chosen number, and then outputs the result. (The name Trapdoor refers to the type of permutation that is used in the OT protocol.)

More precisely, Rand has output actions $\mathit{report}(i)$, $i \in \{1, \ldots, n\}$, and internal action $\mathit{choose}$. It has tasks $\{\mathit{report}(i) : i \in \{1, \ldots, n\}\}$ and $\{\mathit{choose}\}$. Its state contains one variable $z$, which assumes values in $\{1, \ldots, n\} \cup \{\bot\}$, initially $\bot$. The $\mathit{choose}$ action is enabled when $z = \bot$ and has the effect of setting $z$ to a number in $\{1, \ldots, n\}$ chosen uniformly at random. The $\mathit{report}(i)$ action is enabled when $z = i$ and has no effect on the state (so it may happen repeatedly). See Figure 1.

[Fig. 1: Task-PIOA Rand. From the initial state, $\mathit{choose}$ leads to the states $z = 1, \ldots, z = n$; in the state $z = i$, $\mathit{report}(i)$ loops.]

Trapdoor has the same actions as Rand plus internal action $\mathit{compute}$. It has the same tasks as Rand plus the task $\{\mathit{compute}\}$. Trapdoor's state contains two variables, $y$ and $z$, each of which takes on values in $\{1, \ldots, n\} \cup \{\bot\}$, initially $\bot$. The $\mathit{choose}$ action is enabled when $y = \bot$ and sets $y$ to a number in $\{1, \ldots, n\}$ chosen uniformly at random. The $\mathit{compute}$ action is enabled when $y \neq \bot$ and $z = \bot$, and sets $z := f(y)$. The $\mathit{report}(i)$ action behaves exactly as in Rand. See Figure 2.

[Fig. 2: Task-PIOA Trapdoor. $\mathit{choose}$ leads to the states $y = 1, \ldots, y = n$; from each, $\mathit{compute}$ leads to $z = f(y)$; there $\mathit{report}(f(y))$ loops.]

We wanted to use a simulation relation to prove that $\mathrm{tdists}(\mathit{Trapdoor}) \subseteq \mathrm{tdists}(\mathit{Rand})$. In doing so, we decided that the steps that define $z$ should correspond in the two automata, which meant that the steps of Trapdoor which define $y$ should map to no steps of Rand. Then, between the $\mathit{choose}$ and $\mathit{compute}$ in Trapdoor, a randomly-chosen value would appear in the $y$ component of Trapdoor's state, but no such value would appear in the corresponding state of Rand. Therefore the simulation relation would have to relate a probability measure on states of Trapdoor to a single state of Rand. We were able to express this correspondence using a simulation relation of our new kind: if $\varepsilon_1$ and $\varepsilon_2$ are discrete measures over finite execution fragments of Trapdoor and Rand, respectively, then we defined $\varepsilon_1 \mathrel{R} \varepsilon_2$ exactly when the following conditions hold:
(i) For every $s \in \mathrm{supp}(\mathrm{lstate}(\varepsilon_1))$ and $u \in \mathrm{supp}(\mathrm{lstate}(\varepsilon_2))$, $s.z = u.z$.
(ii) For every $u \in \mathrm{supp}(\mathrm{lstate}(\varepsilon_2))$, if $u.z = \bot$ then the distribution of the $y$ component under $\mathrm{lstate}(\varepsilon_1)$ is either everywhere undefined or else the uniform distribution on $\{1, \ldots, n\}$.
The task correspondence mapping $c$ is defined by: $c(\rho, \{\mathit{choose}\}) = \lambda$, $c(\rho, \{\mathit{compute}\}) = \{\mathit{choose}\}$, and $c(\rho, \{\mathit{report}(i) : i\}) = \{\mathit{report}(i) : i\}$.

IV. APPLICATION TO SECURITY PROTOCOLS

In [CC+06a] we use the task-PIOAs of this paper to model and analyze the Oblivious Transfer (OT) protocol of Goldreich et al. [GMW87]. In the OT problem, two input bits $(x_0, x_1)$ are submitted to a Transmitter Trans and a single input bit $i$ to a Receiver Rec. After engaging in an OT protocol, Rec should output only the single bit $x_i$; Rec should not learn the other bit $x_{1-i}$, and Trans should not learn $i$; moreover, an eavesdropping adversary should not, by observing the protocol messages, be able to learn anything about the inputs or the progress of the protocol. OT has been shown to be complete for multiparty secure computation, in the sense that, using OT as the only cryptographic primitive, one can construct protocols for securely realizing any functionality.

The protocol of [GMW87] uses trap-door permutations (and hard-core predicates) as an underlying cryptographic primitive. It uses three rounds of communication: First, Trans chooses a random trap-door permutation $f$ and sends it to Rec. Second, Rec chooses two random numbers $(y_0, y_1)$ and sends $(z_0, z_1)$ to Trans, where $z_i$, for the input index $i$, is $f(y_i)$, and $z_{1-i} = y_{1-i}$. Third, Trans applies the same transformation to each of $z_0$ and $z_1$, masking $x_j$ with the hard-core bit of the preimage, $b_j = x_j \oplus B(f^{-1}(z_j))$, and sends the results back as $(b_0, b_1)$. Finally, Rec decodes $x_i = b_i \oplus B(y_i)$ and outputs the correct bit. Rec knows the preimage of $z_i$ only, and Trans sees two uniformly distributed values whatever $i$ is.

The protocol uses cryptographic primitives and computational hardness in an essential way. Its security is inherently only computational, so its analysis requires modeling computational assumptions. Our analysis follows the trusted party paradigm of [GMW87], with a formalization that is close in spirit to [PW00], [Can01]. We first define task-PIOAs representing the real system RS (the OT protocol) and the ideal system IS (the requirements). Typical tasks in RS include "choose random $(y_0, y_1)$", "send round 1 message", and "deliver round 1 message", as well as arbitrary tasks of incompletely-specified environment and adversary automata. Note that these tasks do not specify exactly what transition occurs; e.g., the send task does not specify the message contents; these are chosen by Trans based on its own internal state.

Then we prove that RS implements IS. The proof consists of four cases, depending on which parties are corrupted.² In the two cases where Trans is corrupted, we can show that RS implements IS unconditionally, using $\leq_0$. In the cases where Trans is not corrupted, we can show implementation only in a computational sense, namely, (i) for resource-bounded adversaries, (ii) up to negligible differences, and (iii) under computational hardness assumptions. Modeling these aspects requires additions to the task-PIOA framework of this paper, namely, defining a time-bounded version of task-PIOAs and defining a variation $\leq_{\mathrm{neg,pt}}$ on the $\leq_0$ relation, which describes approximate implementation with respect to polynomial-time-bounded environments. Similar relations were defined in [LMMS98], [PW01]. Our simulation relations are also sound with respect to $\leq_{\mathrm{neg,pt}}$. We also provide models for the cryptographic primitives (trap-door functions and hard-core predicates). Part of the specification for such primitives is that their behavior should look approximately random to outside observers; we formalize this in terms of $\leq_{\mathrm{neg,pt}}$.

² Actually, in [CC+06a] we prove only one case, when only Rec is corrupted; we prove all four cases in [CC+05], but using a less general definition of task-PIOAs than the one used here and in [CC+06a], and with non-branching adversaries.

The correctness proofs proceed by levels of abstraction, relating each pair of models at successive levels using $\leq_{\mathrm{neg,pt}}$. In the case where only Rec is corrupted, all but one of the relationships between levels are proved using simulation relations as defined in this paper (and so they guarantee $\leq_0$). The only exception relates a level in which the cryptographic primitive is used with a higher level in which the use of the primitive is replaced by a random choice. Showing this correspondence relies on our $\leq_{\mathrm{neg,pt}}$-based definitions of the cryptographic primitive and on composition results for time-bounded task-PIOAs. Since this type of reasoning is isolated to one correspondence, the methods of this paper in fact suffice to accomplish most of the work of verifying OT.

Each of our system models at each level includes an explicit adversary component automaton, which acts as a message delivery service that can eavesdrop on communications and control the order of message delivery. The behavior of this adversary is arbitrary, subject to general constraints on its capabilities. In our models the adversary is the same at all levels, so our simulation relations relate the adversary states at consecutive levels directly, using the identity function. This treatment allows us to consider arbitrary adversaries without examining their structure in detail (they can do anything, but must do the same thing at all levels).

Certain patterns that arise in our simulation relation proofs led us to extend earlier definitions of simulation relations [SL95], [LSV03] by adding the expansion capability and by corresponding measures to measures:
(i) We often correspond random choices at two levels of abstraction; for instance, when the adversary makes a random choice from the same state at both levels, we would like our simulation relation to relate the individual outcomes of the choices at the two levels, matching up the states in which the same result is obtained. Modeling this correspondence uses the expansion feature.
(ii) The Trapdoor vs. Rand example described in Section III occurs in our OT proof. Here the low-level system chooses a random $y$ and then computes $z$ using a trap-door permutation. The higher-level system simply chooses the value of $z$ randomly, without using the $y$ value or the permutation. This correspondence relates measures to measures and uses expansion.
(iii) In another case, a lower-level system chooses a random value and then computes a new value by XORing it with an input value. The higher-level system just chooses a random value. However, XORing any fixed value with a uniformly random value yields a uniformly random result, the same as just choosing a random value. This correspondence relates measures to measures and uses expansion.

V. LOCAL SCHEDULERS

With the action-determinism assumption, our task mechanism is enough to resolve all nondeterminism. However, action determinism limits expressive power. Now we remove this assumption and add a second mechanism for resolving the resulting additional nondeterminism, namely, a local scheduler for each component task-PIOA. A local scheduler for a given component can be used to resolve nondeterministic choices among actions in the same task, using only information about the past history of that component. Here we define one type of local scheduler, which uses only the current state, and indicate how our results for the action-deterministic case carry over to this setting.

Our notion of local scheduler is simply a sub-automaton: we say that task-PIOA $\mathcal{T}' = (\mathcal{P}', R')$ is a sub-task-PIOA of task-PIOA $\mathcal{T} = (\mathcal{P}, R)$ provided that all components are identical except that $D' \subseteq D$, where $D$ and $D'$ are the sets of discrete transitions of $\mathcal{P}$ and $\mathcal{P}'$, respectively. Thus, the only difference is that $\mathcal{T}'$ may have a smaller set of transitions. A local scheduler for a task-PIOA $\mathcal{T}$ is any action-deterministic sub-task-PIOA of $\mathcal{T}$.

A probabilistic system is a pair $\mathcal{M} = (\mathcal{T}, \mathcal{S})$, where $\mathcal{T}$ is a task-PIOA and $\mathcal{S}$ is a set of local schedulers for $\mathcal{T}$. A probabilistic execution of a probabilistic system $\mathcal{M}$ is defined to be any probabilistic execution of any task-PIOA $S \in \mathcal{S}$. If $\mathcal{M}_1 = (\mathcal{T}_1, \mathcal{S}_1)$ and $\mathcal{M}_2 = (\mathcal{T}_2, \mathcal{S}_2)$ are two probabilistic systems and $\mathcal{T}_1$ and $\mathcal{T}_2$ are compatible, then their composition $\mathcal{M}_1 \| \mathcal{M}_2$ is the probabilistic system $(\mathcal{T}_1 \| \mathcal{T}_2, \mathcal{S})$, where $\mathcal{S}$ is the set of local schedulers for $\mathcal{T}_1 \| \mathcal{T}_2$ of the form $S_1 \| S_2$ for some $S_1 \in \mathcal{S}_1$ and $S_2 \in \mathcal{S}_2$. If $\mathcal{M} = (\mathcal{T}, \mathcal{S})$ is a probabilistic system, then an environment for $\mathcal{M}$ is any environment (action-deterministic task-PIOA) for $\mathcal{T}$. If $\mathcal{M}$ is a probabilistic system, then the external behavior of $\mathcal{M}$, $\mathrm{extbeh}(\mathcal{M})$, is the total function that maps each environment task-PIOA $\mathcal{E}$ for $\mathcal{M}$ to the set $\bigcup_{S \in \mathcal{S}} \mathrm{tdists}(S \| \mathcal{E})$. Thus, for each environment, we consider the set of trace distributions that arise from two choices: of a local scheduler of $\mathcal{M}$ and of a global task schedule. If $\mathcal{M}_1$ and $\mathcal{M}_2$ are comparable probabilistic systems (i.e., $\mathcal{T}_1$ and $\mathcal{T}_2$ are comparable), then $\mathcal{M}_1$ implements $\mathcal{M}_2$, written $\mathcal{M}_1 \leq_0 \mathcal{M}_2$, provided that $\mathrm{extbeh}(\mathcal{M}_1)(\mathcal{E}) \subseteq \mathrm{extbeh}(\mathcal{M}_2)(\mathcal{E})$ for every environment (action-deterministic) task-PIOA $\mathcal{E}$ for both $\mathcal{M}_1$ and $\mathcal{M}_2$.

We obtain a sufficient condition for implementation of probabilistic systems, in which each local scheduler for the low-level system always corresponds to the same local scheduler of the high-level system.

Theorem 5.1: Let $\mathcal{M}_1 = (\mathcal{T}_1, \mathcal{S}_1)$ and $\mathcal{M}_2 = (\mathcal{T}_2, \mathcal{S}_2)$ be two comparable probabilistic systems. Suppose that $g$ is a total function from $\mathcal{S}_1$ to $\mathcal{S}_2$ such that, for every $S \in \mathcal{S}_1$, $S \leq_0 g(S)$. Then $\mathcal{M}_1 \leq_0 \mathcal{M}_2$.

We also obtain a compositionality result for probabilistic systems. The proof is similar to that of Theorem 2.9 for the action-deterministic case.

Theorem 5.2: Let $\mathcal{M}_1, \mathcal{M}_2$ be comparable probabilistic systems such that $\mathcal{M}_1 \leq_0 \mathcal{M}_2$, and let $\mathcal{M}_3$ be a probabilistic system compatible with each of $\mathcal{M}_1$ and $\mathcal{M}_2$. Then $\mathcal{M}_1 \| \mathcal{M}_3 \leq_0 \mathcal{M}_2 \| \mathcal{M}_3$.
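The three-round OT exchange described in Section IV, as an added Python example written for this page (not code from [GMW87], [CC+06a] or the paper). The "trapdoor permutation" is a toy: a random permutation table over a 16-element domain is the public f and its inverse table is Trans's trapdoor; the hard-core predicate B is the low bit of the preimage. Both are assumed stand-ins chosen so the exchange runs offline, not secure primitives. Besides running the protocol and checking that Rec outputs x_i, the example checks the two security facts the section relies on: Trans's view (z0, z1) has the same distribution for i = 0 and i = 1 (the unconditional, Trans-corrupted cases), and a Rec that can invert f recovers the other bit, which on this toy domain it can do by exhaustive search (the reason the Rec-corrupted case holds only computationally).

```python
import random
from collections import Counter
from itertools import product

# Added example: toy instance of the [GMW87] OT protocol of Section IV.
# The primitives below are stand-ins: a 16-element permutation table is not a
# trapdoor permutation (anyone can invert it by search) and the low bit of the
# preimage is not a hard-core predicate for it. They only let the exchange run.
DOMAIN = list(range(16))

def hardcore(v):
    return v & 1                       # assumed stand-in for the hard-core predicate B

def trans_round1(rng):
    """Round 1: Trans samples f, keeps f^{-1} as its trapdoor and sends f to Rec."""
    image = DOMAIN[:]
    rng.shuffle(image)
    f = dict(zip(DOMAIN, image))
    f_inv = {v: k for k, v in f.items()}
    return f, f_inv

def rec_round2(f, i, rng):
    """Round 2: Rec picks y0, y1 and sends (z0, z1) with z_i = f(y_i), z_{1-i} = y_{1-i}."""
    y = [rng.choice(DOMAIN), rng.choice(DOMAIN)]
    z = y[:]
    z[i] = f[y[i]]
    return y, z

def trans_round3(f_inv, x, z):
    """Round 3: Trans sends b_j = x_j xor B(f^{-1}(z_j)) for j = 0, 1."""
    return [x[j] ^ hardcore(f_inv[z[j]]) for j in (0, 1)]

def rec_decode(i, y, b):
    """Rec knows y_i = f^{-1}(z_i), so it recovers x_i = b_i xor B(y_i)."""
    return b[i] ^ hardcore(y[i])

def run_ot(x, i, seed=0):
    """Full exchange with a seeded RNG; returns Rec's output, which must equal x[i]."""
    rng = random.Random(seed)
    f, f_inv = trans_round1(rng)
    y, z = rec_round2(f, i, rng)
    b = trans_round3(f_inv, x, z)
    return rec_decode(i, y, b)

def trans_view_distribution(f, i):
    """Distribution of the round-2 message over all of Rec's coins, for input index i.
    Because f is a permutation, (z0, z1) is uniform on DOMAIN x DOMAIN for either i."""
    counts = Counter()
    for y0, y1 in product(DOMAIN, DOMAIN):
        z = [y0, y1]
        z[i] = f[z[i]]
        counts[tuple(z)] += 1
    return counts

def trans_view_independent_of_i(seed=0):
    f, _ = trans_round1(random.Random(seed))
    return trans_view_distribution(f, 0) == trans_view_distribution(f, 1)

def other_bit_by_inverting_f(f, z_other, b_other):
    """What a corrupted Rec needs for x_{1-i}: B(f^{-1}(z_{1-i})). Here f is inverted by
    exhaustive search; for a real trapdoor permutation that is the hard step."""
    y_other = next(y for y in DOMAIN if f[y] == z_other)
    return b_other ^ hardcore(y_other)

def toy_domain_leaks_other_bit(x, i, seed=0):
    """Runs the exchange and checks that search over the toy domain yields x_{1-i}."""
    rng = random.Random(seed)
    f, f_inv = trans_round1(rng)
    y, z = rec_round2(f, i, rng)
    b = trans_round3(f_inv, x, z)
    return other_bit_by_inverting_f(f, z[1 - i], b[1 - i]) == x[1 - i]
```

`trans_view_independent_of_i()` returning True is the distribution-level fact behind the Trapdoor vs. Rand correspondence: f(y) for uniform y is itself uniform, so Trans cannot tell which of z0, z1 went through f. `toy_domain_leaks_other_bit()` returning True is the caveat: the protocol hides x_{1-i} only as long as inverting f without the trapdoor is infeasible, which is the one correspondence in Section IV that needs the computational relation rather than a simulation relation.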

VI. CONCLUSIONS

We have extended the traditional PIOA model with a task mechanism, which provides a systematic way of resolving nondeterministic scheduling choices without using information about past history. We have provided basic machinery for using the resulting task-PIOA framework for verification, including a compositional trace-based semantics and a new kind of simulation relation. We have proposed extending the framework to allow additional nondeterminism, resolved by schedulers that use only local information. We have illustrated the utility of these tools with a case study involving analysis of an Oblivious Transfer cryptographic protocol.

Although our development was motivated by concerns of cryptographic protocol analysis, partial-information scheduling is interesting in other settings. For example, some distributed algorithms work with partial-information adversarial schedulers, although the problems they solve are provably unsolvable with perfect-information adversaries [Cha96], [Asp03]. Also, partial-information scheduling is realistic for modeling large distributed systems in which basic scheduling decisions are made locally and not by any centralized mechanism.

Many questions remain in our study of task-PIOAs: Our notion of implementation $\leq_0$ is defined by considering all environments; can we characterize $\leq_0$ using a small subclass of environments? Can our simulation relation notion be simplified without sacrificing soundness or applicability? Also, our notion of local schedulers needs further development. It remains to consider more applications of task-PIOAs, for cryptographic protocol analysis and for other applications. A next step in cryptographic protocol analysis is to formulate and prove protocol composition results like those of [PW00], [Can01] in terms of task-PIOAs. Finally, we would like to model perfect-information schedulers, as used for analyzing randomized distributed algorithms, using task-PIOAs.

Acknowledgments: We thank Frits Vaandrager for collaboration in early stages of this project, and Michael Backes, Anupam Datta, Ralf Küsters, John Mitchell, Birgit Pfitzmann, and Andre Scedrov for technical discussions that helped us in clarifying our ideas and their connections to other work in analysis of cryptographic protocols. We thank Silvio Micali for impressing upon us the importance of adaptive adversarial schedulers in the cryptographic setting. We thank Sayan Mitra, both for technical discussions and for help in producing the paper.

REFERENCES

[Asp03] J. Aspnes. Randomized protocols for asynchronous consensus. Distributed Computing, 16(2-3):165-175, 2003.
[AH90] J. Aspnes and M. Herlihy. Fast randomized consensus using shared memory. Journal of Algorithms, 11(2):441-461, September 1990.
[BO83] M. Ben-Or. Another advantage of free choice: Completely asynchronous agreement protocols. Proc. 2nd ACM Symposium on Principles of Distributed Computing, pages 27-30, Montreal, Quebec, Canada, August 1983.
[Can01] R. Canetti. Universally composable security: a new paradigm for cryptographic protocols. Proc. 42nd IEEE Symposium on Foundations of Computing, pages 136-145, 2001.
[CC+05] R. Canetti, L. Cheung, D. Kaynar, M. Liskov, N. Lynch, O. Pereira, and R. Segala. Using probabilistic I/O automata to analyze an oblivious transfer protocol. Technical Report MIT-LCS-TR-1001a, MIT CSAIL, 2005.
[CC+06a] R. Canetti, L. Cheung, D. Kaynar, M. Liskov, N. Lynch, O. Pereira, and R. Segala. Using task-structured probabilistic I/O automata to analyze an oblivious transfer protocol. Technical Report MIT-CSAIL-TR-2006-019, MIT CSAIL, 2006. Available at http://hdl.handle.net/1721.1/31310
[CC+06b] R. Canetti, L. Cheung, D. Kaynar, M. Liskov, N. Lynch, O. Pereira, and R. Segala. Task-structured probabilistic I/O automata. Technical Report MIT-CSAIL-TR-2006-023, 2006.
[CLSV04] L. Cheung, N. Lynch, R. Segala, and F. Vaandrager. Switched PIOA: Parallel composition via distributed scheduling. To appear in TCS Special Issue on FMCO 2004.
[CH05] L. Cheung and M. Hendriks. Causal dependencies in parallel composition of stochastic processes. Technical Report ICIS-R05020, Institute for Computing and Information Sciences, University of Nijmegen, 2005.
[Cha96] T.D. Chandra. Polylog randomized wait-free consensus. Proc. 15th ACM Symposium on Principles of Distributed Computing, pages 166-175, 1996.
[da99] L. de Alfaro. The verification of probabilistic systems under memoryless partial-information policies is hard. Proc. PROBMIV 99, pages 19-32, 1999.
[GMW87] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game. Proc. 19th Symposium on Theory of Computing (STOC), pages 218-229, ACM, 1987.
[Gol01] O. Goldreich. Foundations of Cryptography: Basic Tools, volume I. Cambridge University Press, 2001.
[KLA98] L.P. Kaelbling, M.L. Littman, and A.R. Cassandra. Planning and acting in partially observable stochastic domains. Artificial Intelligence, 101:99-134, 1998.
[LMMS98] P. Lincoln, J.C. Mitchell, M. Mitchell, and A. Scedrov. A probabilistic poly-time framework for protocol analysis. In ACM Conference on Computer and Communications Security, pages 112-121, 1998.
[LSS94] N.A. Lynch, I. Saias, and R. Segala. Proving time bounds for randomized distributed algorithms. Proc. 13th ACM Symposium on Principles of Distributed Computing, pages 314-323, 1994.
[LSV03] N.A. Lynch, R. Segala, and F. Vaandrager. Compositionality for probabilistic automata. Proc. 14th International Conference on Concurrency Theory (CONCUR 2003), volume 2761 of LNCS, pages 208-221, Springer-Verlag, 2003.
[LT89] N.A. Lynch and M.R. Tuttle. An introduction to input/output automata. CWI Quarterly, 2(3):219-246, September 1989.
[MMS03] P. Mateus, J.C. Mitchell, and A. Scedrov. Composition of cryptographic protocols in a probabilistic polynomial-time process calculus. Proc. CONCUR 2003, pages 323-345, 2003.
[PSL00] A. Pogosyants, R. Segala, and N.A. Lynch. Verification of the randomized consensus algorithm of Aspnes and Herlihy: a case study. Distributed Computing, 13(3):155-186, 2000.
[Put94] M.L. Puterman. Markov Decision Processes: Discrete Stochastic Dynamic Programming. John Wiley & Sons, Inc., New York, NY, 1994.
[PW00] B. Pfitzmann and M. Waidner. Composition and integrity preservation of secure reactive systems. Proc. CCS 2000, 2000.
[PW01] B. Pfitzmann and M. Waidner. A model for asynchronous reactive systems and its application to secure message transmission. Proc. IEEE Symposium on Research in Security and Privacy, pages 184-200, 2001.
[R82] M. Rabin. The choice coordination problem. Acta Informatica, 17:121-134, 1982.
[RMST04] A. Ramanathan, J.C. Mitchell, A. Scedrov, and V. Teague. Probabilistic bisimulation and equivalence for security analysis of network protocols. Proc. FOSSACS 2004, 2004.
[SdV04] A. Sokolova and E.P. de Vink. Probabilistic automata: system types, parallel composition and comparison. In Validation of Stochastic Systems, volume 2925 of LNCS, pages 1-43, Springer-Verlag, 2004.
[Seg95] R. Segala. Modeling and Verification of Randomized Distributed Real-Time Systems. PhD thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, June 1995. Available as Technical Report MIT/LCS/TR-676.
[SL95] R. Segala and N.A. Lynch. Probabilistic simulations for probabilistic processes. Nordic Journal of Computing, 2(2):250-273, 1995.
[SV99] M.I.A. Stoelinga and F. Vaandrager. Root contention in IEEE 1394. Proc. 5th International AMAST Workshop on Formal Methods for Real-Time and Probabilistic Systems, volume 1601 of LNCS, pages 53-74, Springer-Verlag, 1999.