
Page 1: CIMPA School on Security Specification and verification of randomized security protocols Lecture 1

CIMPA School on Security
Specification and verification of randomized security protocols
Lecture 1

Catuscia Palamidessi, INRIA & LIX
[email protected]
www.lix.polytechnique.fr/~catuscia

Page of the course: www.lix.polytechnique.fr/~catuscia/teaching/CIMPA_School_05/

Page 2

Bangalore, 1 Feb 2005 Randomized security protocols 2

Plan of the course

• Overview of the basic notions of probability theory and measure theory
• Probabilistic automata
• Probabilistic π-calculus
• Applications to the specification and verification of randomized security protocols
  – Anonymity
  – Fair exchange

Page 3

Probability and measure theory

References

• Prakash Panangaden. Measure and probability for concurrency theorists. Theoretical Computer Science 253(2):287-309. www.lix.polytechnique.fr/~catuscia/teaching/papers_and_books/panangaden.ps
• Prakash Panangaden. Stochastic techniques in concurrency. Lecture notes. www.lix.polytechnique.fr/~catuscia/teaching/papers_and_books/notes.ps

Page 4

Introduction 1/4

• Probability in the finite case
  – An experiment with a finite set S of possible results
  – Event: a subset A of S
  – Assuming that all outcomes are equally likely, the probability of event A is defined by pb(A) = |A| / |S|

• Example: rolling a fair die
  – Set of possible results S = { 1,2,3,4,5,6 }
  – Event "the result is even": A = { 2,4,6 }, pb(A) = |A| / |S| = 3/6 = 1/2
  – Event "the result is at least 5": B = { 5,6 }, pb(B) = 2/6 = 1/3

Page 5

Introduction 2/4

• Example: tossing a fair coin three times
• Possible outcomes (sequences of H/T): 2^3 = 8, all equally likely
  – Event "all coins are H":
    • pb(HHH) = pb(H--) x pb(-H-) x pb(--H)   (the three tosses are independent)
      = 1/2 x 1/2 x 1/2 = 1/8
  – Event "all coins are H or all coins are T":
    • pb(HHH or TTT) = pb(HHH) + pb(TTT) = 1/8 + 1/8 = 1/4   (the two events are disjoint, so probabilities add)
  – Event "at least one coin is H":
    • pb(not TTT) = 1 – pb(TTT) = 1 – 1/8 = 7/8
  – Event "at least one coin is H and at least one coin is T":
    • pb(not TTT and not HHH) = 6/8   (the two events are not independent: 7/8 x 7/8 = 49/64 ≠ 6/8, so the product rule does not apply; count the 6 mixed sequences instead)
  – Event "at least one coin is H or at least one coin is T":
    • pb(not TTT or not HHH)   (the two events are not disjoint, so the intersection must be subtracted)
      = pb(not TTT) + pb(not HHH) – pb(not TTT and not HHH)
      = 7/8 + 7/8 – 6/8 = 1

Page 6

Introduction 3/4

• The need for measure theory
  – Some "experiments" have an infinitary nature
  – Example: tossing a fair coin infinitely many times
    • The set S of all infinite sequences of H/T is infinite (in fact uncountable)
    • The probability of each single sequence is 0, so we cannot expect the single results to serve as "building blocks" (i.e. we cannot expect to define the probability of every event by summing up the probabilities of the singletons)
    • When S is uncountable, we cannot expect to be able to define the probability of every set of results

Page 7

Introduction 4/4

[Figure: a sample space S with three events A, B, C drawn as subsets of S]

Page 8

Measure theory 1/7

Page 9

Measure theory 2/7

Page 10

Measure theory 3/7

Page 11

Measure theory 4/7

Page 12

Measure theory 5/7

Page 13

Measure theory 6/7

Example: S = the set of all infinite sequences of tosses of a fair coin

• From elementary finite probability theory: each finite sequence of H/T x0,x1,…,xn-1 (xi = H or xi = T) has probability 1/2^n (independence of the tosses)
• Each infinite sequence has probability 0 (it lies inside a set of probability 1/2^n for every n)
• Cone: given a finite sequence s = x0,x1,…,xn-1, the set A of all infinite sequences which have s as prefix is called the cone of s
  – We assign to A the probability of its prefix: pb(A) = 1/2^n
• Define B (base) as the set of all cones. Note that two cones are either disjoint or nested (one contains the other, when one prefix extends the other); the cones of all prefixes of the same length n are pairwise disjoint and together cover S

Page 14

Measure theory 7/7

• Consider the measurable space (S,B) generated by S and the set B of all cones, with the probability measure induced by the probabilities assigned to the cones
• What is the probability that a sequence has infinitely many H?
  – Probability of exactly one H, in any position: 0 (countable disjoint union of singletons, each of measure 0)
  – Probability of exactly n H, in any positions: 0 (same reason: there are countably many choices of the n positions)
  – Probability of finitely many H: 0 (countable union, over n, of sets of measure 0)
  – Probability of infinitely many H:
    1 – pb(finitely many H) = 1 – 0 = 1 (complementation property)

Page 15

Some relevant definitions

• We say that A, B are independent if
  pb(A ∩ B) = pb(A) x pb(B)

• Conditional probability:
  pb(A | B) is the probability of A given B (defined when pb(B) > 0)
  pb(A | B) = pb(A ∩ B) / pb(B)

Example: 3-sequences of coin tossing
  – What is the probability of having all H given that the first is H?
  – pb(HHH | H--) = pb(HHH ∩ H--) / pb(H--) = pb(HHH) / pb(H--)   (HHH ⊆ H--)
    = (1/8) / (1/2) = 1/4

Page 16

A puzzle about conditional probability

– A king invites a guest to pick one of three closed boxes. One contains a diamond, the other two are empty
– After the guest has picked a box, the king opens one of the other two boxes and shows that it is empty
– Then the king offers the guest to exchange the box he picked with the other (closed) one
– Question: should the guest exchange?

Page 17

A puzzle about conditional probability

• Answer: it depends on whether the king intentionally opens an empty box (knowing where the diamond is), or opens one of the other two boxes at random and it merely happens to be empty
• In the first case, the guest should switch: the other closed box now has probability 2/3 of containing the diamond
• In the second case, it does not matter: both remaining closed boxes now have probability 1/2 of containing the diamond

Page 18

A puzzle about conditional probability

Let us consider again the puzzle in Case 2 (the king opens a box at random)

• Bi = Box i contains the diamond
• Initially: pb(B1) = pb(B2) = pb(B3) = 1/3
• Suppose the king opens one of the boxes the guest did not pick, say Box 1, and it turns out to be empty. Since the king's choice of which box to open does not depend on where the diamond is, the only information gained is "not B1", and the updated probability of B2 is:

  pb(B2 | not B1)
    = pb(B2 and not B1) / pb(not B1)
    = pb(B2) / pb(not B1)        (B2 implies not B1)
    = (1/3) / (2/3)
    = 1/2
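The finite-case computations of the coin-toss slide (Introduction 2/4), the conditional-probability example pb(HHH | H--), and both cases of the king's boxes puzzle, carried out by exact enumeration of the sample space. This is an added example, not code from the lecture: the class FiniteSpace and the functions coin_results and monty_hall are names chosen here, and the way the king's choice is weighted (uniform among the boxes he is allowed to open) is an assumption that matches the slides' "intentional" and "random" cases.

```python
from fractions import Fraction
from itertools import product


class FiniteSpace:
    """A finite probability space: outcomes with exact weights summing to 1.
    Events are predicates on outcomes (the slides' subsets A of S)."""

    def __init__(self, weighted_outcomes):
        self.outcomes = list(weighted_outcomes)
        total = sum(w for _, w in self.outcomes)
        if total != 1:
            raise ValueError(f"weights sum to {total}, not 1")

    @classmethod
    def uniform(cls, outcomes):
        """Equally likely outcomes: pb(A) = |A| / |S| (Introduction 1/4)."""
        outcomes = list(outcomes)
        return cls((o, Fraction(1, len(outcomes))) for o in outcomes)

    def pb(self, event):
        return sum(w for o, w in self.outcomes if event(o))

    def cond(self, event, given):
        """pb(event | given) = pb(event and given) / pb(given)."""
        denom = self.pb(given)
        if denom == 0:
            raise ZeroDivisionError("conditioning on an event of probability 0")
        return self.pb(lambda o: event(o) and given(o)) / denom

    def disjoint(self, a, b):
        return self.pb(lambda o: a(o) and b(o)) == 0

    def independent(self, a, b):
        return self.pb(lambda o: a(o) and b(o)) == self.pb(a) * self.pb(b)


# Three tosses of a fair coin: 2^3 equally likely sequences (constructed input).
coins = FiniteSpace.uniform(product("HT", repeat=3))


def all_h(s):
    return s == ("H", "H", "H")


def all_t(s):
    return s == ("T", "T", "T")


def some_h(s):
    return "H" in s


def some_t(s):
    return "T" in s


def coin_results():
    """The probabilities from the coin-toss slides, obtained by enumeration."""
    return {
        "HHH": coins.pb(all_h),
        "HHH or TTT": coins.pb(lambda s: all_h(s) or all_t(s)),
        "some H": coins.pb(some_h),
        "some H and some T": coins.pb(lambda s: some_h(s) and some_t(s)),
        "some H or some T": coins.pb(lambda s: some_h(s) or some_t(s)),
        "HHH | first is H": coins.cond(all_h, lambda s: s[0] == "H"),
        "HHH, TTT disjoint": coins.disjoint(all_h, all_t),
        "some H, some T independent": coins.independent(some_h, some_t),
    }


def monty_hall(king_knows):
    """Joint distribution over (diamond, pick, opened) for the boxes puzzle.

    king_knows=True:  the king deliberately opens an empty unpicked box
                      (uniformly among the empty ones).
    king_knows=False: the king opens an unpicked box uniformly at random,
                      possibly revealing the diamond.
    Returns (pb(diamond in the other closed box | opened box is empty),
             pb(diamond in the picked box | opened box is empty)).
    """
    boxes = (1, 2, 3)
    weighted = []
    for diamond in boxes:            # placed uniformly
        for pick in boxes:           # guest picks uniformly, independently
            unpicked = [b for b in boxes if b != pick]
            candidates = [b for b in unpicked if b != diamond] if king_knows else unpicked
            for opened in candidates:
                w = Fraction(1, 3) * Fraction(1, 3) * Fraction(1, len(candidates))
                weighted.append(((diamond, pick, opened), w))
    space = FiniteSpace(weighted)

    def opened_empty(o):
        return o[2] != o[0]

    def diamond_in_other(o):
        return o[0] not in (o[1], o[2])

    def diamond_in_pick(o):
        return o[0] == o[1]

    return space.cond(diamond_in_other, opened_empty), space.cond(diamond_in_pick, opened_empty)


if __name__ == "__main__":
    for name, value in coin_results().items():
        print(f"{name}: {value}")
    print("king knows:", monty_hall(True))
    print("king guesses:", monty_hall(False))
```

Using Fraction rather than floats keeps every probability exact, so the independence and disjointness checks are genuine equalities and not floating-point near-misses. In the random case the conditioning event "opened box is empty" has probability 2/3 rather than 1, which is exactly where the two puzzle variants part ways.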

Page 19

Application: Probabilistic Automata

• Nondeterministic choice and probabilistic choice
• Definition of probabilistic automata
• Concept of adversary (aka scheduler)
• Concept of execution
• The measurable space and the probability measure associated to the executions
• Some examples

References

• Roberto Segala. Modeling and Verification of Randomized Distributed Real-Time Systems. PhD thesis, Laboratory for Computer Science, Massachusetts Institute of Technology, June 1995. Available as Technical Report MIT/LCS/TR-676.
• Roberto Segala and Nancy Lynch. Probabilistic simulations for probabilistic processes. Nordic Journal of Computing, 2(2):250-273, 1995. An extended abstract appeared in the Proceedings of CONCUR '94, LNCS 836: 22-25.

Both references above are available on Segala's web site

Page 20

Probabilistic Automata

Distinction between
  – nondeterministic behavior (choice of the scheduler)
  and
  – probabilistic behavior (choice of the process)

Scheduling policy: the scheduler chooses the group of transitions
Execution: the process chooses probabilistically the transition within the group

[Figure: example probabilistic automaton, built up step by step in the slide animation; the probabilities labelling its transitions are 1/2, 1/2, 1/3, 1/3, 1/3, 1/3, 2/3]
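A small probabilistic automaton with the scheduler/process split described above, as an added example that is not part of the lecture or of Segala's work. The automaton PA is constructed here and is not the one drawn on the slide; the state names and the functions check_automaton, reach_prob, memoryless_schedulers and extremal_reach are names chosen for this example. It assumes the automaton is acyclic, so every execution is finite and the reachability probability can be computed by plain recursion.

```python
from fractions import Fraction
from itertools import product

# Constructed example automaton (not the one on the slide). Each state maps to
# a list of transition groups; each group is a probability distribution over
# successor states. The scheduler (adversary) picks the group, then the process
# picks the successor at random within it. States with no groups are terminal.
PA = {
    "s0": [
        [(Fraction(1, 2), "s1"), (Fraction(1, 2), "s2")],                          # group 0
        [(Fraction(1, 3), "s1"), (Fraction(1, 3), "s2"), (Fraction(1, 3), "s3")],  # group 1
    ],
    "s1": [[(Fraction(1, 3), "ok"), (Fraction(2, 3), "bad")]],
    "s2": [
        [(Fraction(1), "ok")],                                # group 0
        [(Fraction(1, 2), "ok"), (Fraction(1, 2), "bad")],    # group 1
    ],
    "s3": [[(Fraction(1), "bad")]],
    "ok": [],
    "bad": [],
}


def check_automaton(pa):
    """Every group is a distribution over known states, and there is no cycle
    (reach_prob recurses along executions, so they must all be finite)."""
    for state, groups in pa.items():
        for group in groups:
            if sum(p for p, _ in group) != 1:
                raise ValueError(f"a group of {state} is not a distribution")
            for _, nxt in group:
                if nxt not in pa:
                    raise ValueError(f"unknown successor {nxt} of {state}")
    WHITE, GREY, BLACK = 0, 1, 2
    colour = dict.fromkeys(pa, WHITE)

    def visit(s):
        colour[s] = GREY
        for group in pa[s]:
            for _, nxt in group:
                if colour[nxt] == GREY:
                    raise ValueError(f"cycle through {nxt}")
                if colour[nxt] == WHITE:
                    visit(nxt)
        colour[s] = BLACK

    for s in pa:
        if colour[s] == WHITE:
            visit(s)
    return True


def reach_prob(pa, state, target, scheduler, history=()):
    """Probability of reaching `target` from `state` when every nondeterministic
    choice is resolved by scheduler(history, state) -> group index. The
    scheduler may inspect the whole sequence of states visited so far."""
    if state == target:
        return Fraction(1)
    groups = pa[state]
    if not groups:
        return Fraction(0)
    group = groups[scheduler(history, state)]
    return sum(p * reach_prob(pa, nxt, target, scheduler, history + (state,))
               for p, nxt in group)


def memoryless_schedulers(pa):
    """All schedulers that decide from the current state alone; yields
    (decision table, scheduler function) pairs."""
    choice_states = [s for s, groups in pa.items() if len(groups) > 1]
    for choice in product(*(range(len(pa[s])) for s in choice_states)):
        table = dict(zip(choice_states, choice))
        yield table, lambda history, s, t=table: t.get(s, 0)


def extremal_reach(pa, start, target):
    """Best and worst case over memoryless schedulers, each returned as
    (probability, decision table). For a security property the worst case
    (maximum probability of reaching a bad state) is the one that matters,
    because the scheduler is the adversary."""
    results = [(reach_prob(pa, start, target, sched), table)
               for table, sched in memoryless_schedulers(pa)]
    return min(results, key=lambda r: r[0]), max(results, key=lambda r: r[0])


if __name__ == "__main__":
    check_automaton(PA)
    lo, hi = extremal_reach(PA, "s0", "bad")
    print("min pb(reach bad):", lo)
    print("max pb(reach bad):", hi)
```

The decision table of the worst-case scheduler is returned together with the probability, since for a protocol that table is the attack: it says which branch the adversary must favour at each point. Enumerating memoryless schedulers is enough for the extreme reachability probabilities of a finite automaton, but it is exponential in the number of choice states; model checkers compute the same values by value iteration or linear programming instead.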