Keeping Fairness Alive: Design and formal verification of optimistic fair exchange protocols

The work in this thesis has been carried out at the centre for mathematics and computer science (CWI), under the auspices of the research school IPA (Institute for Programming research and Algorithmics). The research has been funded by the Dutch organisation for scientific research (NWO) in the context of the ACCOUNT project on accountability in electronic commerce protocols.

Acknowledgements

This thesis is the result of my research in the last four years at CWI. In the following, I mention some of those who helped me in doing this research. First comes Wan Fokkink, my supervisor and promotor. The liberty Wan gave me to follow my research interests and his constant encouragement were of great importance to me, both personally and professionally. A large part of the results that I report in the thesis has been produced jointly with Jan Cederquist. Jan has been the first critic of my work, besides being a very supportive friend.

I would like to thank the members of the reading committee of my thesis, Bruno Crispo, Sandro Etalle, Joshua Guttman and Sjouke Mauw. Their feedback in many ways improved the quality of the thesis. I am also grateful to Jan Cederquist and Felix Freiling for participating in my promotion committee as opponent members. Among other colleagues, my promotor Jaco van de Pol and Michael Weber answered a lot of my questions and commented on my raw ideas. I very much appreciate their enthusiasm.

I attended several herfstdagen and lentedagen schools organised by IPA, in which I was a member of the PhD council for the last three years. I also participated in two courses at the Vrije Universiteit, one on type theory taught by Freek Wiedijk and one on distributed algorithms taught by Wan Fokkink. It was very kind of them to let me participate in these courses. I sincerely thank Paul Klint, the current head of our team, for his support in facilitating my stay at CWI in the last few months.

I co-wrote a few papers, some of which are presented in this thesis. I enjoyed the time we spent together discussing "work" at CWI and elsewhere. A special gratitude goes to my parents, my brother Hesam and my sister Sanaz, with whom I shared my up and down times. I could not have led any kind of productive life in these four years without the huge amount of support that I …


[288]  Olivier Markowitch,et al.  A Multi-Party Non-Repudiation Protocol , 2000, SEC.

[289]  Moti Yung,et al.  An Overview of Secure Distributed Computing , 1992 .

[290]  Cas J. F. Cremers,et al.  Checking Secrecy by Means of Partial Order Reduction , 2004, SAM.

[291]  Peter Verbaan,et al.  The Computational Complexity of Evolving Systems , 2006 .

[292]  Somesh Jha,et al.  Using state space exploration and a natural deduction style message derivation engine to verify security protocols , 1998, PROCOMET.

[293]  Wan Fokkink Modelling Distributed Systems (Texts in Theoretical Computer Science. An EATCS Series) , 2007 .

[294]  Anton Wijs,et al.  Silent steps in transition systems and Markov chains , 2007 .

[295]  Mikhail J. Atallah,et al.  Achieving Fairness in Private Contract Negotiation , 2005, Financial Cryptography.

[296]  Jianying Zhou,et al.  On the Security of a Certified E-Mail Scheme with Temporal Authentication , 2005, ICCSA.

[297]  Shlomo Moran,et al.  Extended Impossibility Results for Asynchronous Complete Networks , 1987, Inf. Process. Lett..

[298]  RJ Roy Willemen,et al.  School timetable construction : algorithms and complexity , 2002 .

[299]  Ansgar Fehnker,et al.  Citius, Vilius, Melius : guiding and cost-optimality in model checking of timed and hybrid systems , 2002 .

[300]  Tuomas Sandholm,et al.  (Im)possibility of safe exchange mechanism design , 2002, AAAI/IAAI.

[301]  Sebastian Mödersheim,et al.  Constraint differentiation: A new reduction technique for constraint-based analysis of security protocols , 2003 .

[302]  Susan Pancho-Festin Paradigm shifts in protocol analysis , 1999, NSPW.

[303]  Yannick Chevalier,et al.  Extending the Dolev-Yao Intruder for Analyzing an Unbounded Number of Sessions , 2003, CSL.

[304]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[305]  Jianying Zhou,et al.  On the Security of a Multi-party Certified Email Protocol , 2004, ICICS.

[306]  Paul F. Syverson,et al.  A different look at secure distributed computation , 1997, Proceedings 10th Computer Security Foundations Workshop.

[307]  Danny Dolev,et al.  Distributed computing meets game theory: robust mechanisms for rational secret sharing and multiparty computation , 2006, PODC '06.

[308]  Riccardo Pucella,et al.  A logic for reasoning about digital rights , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[309]  Kenneth G. Paterson,et al.  Concurrent Signatures , 2004, EUROCRYPT.

[310]  Lawrence C. Paulson,et al.  The Inductive Approach to Verifying Cryptographic Protocols , 2021, J. Comput. Secur..

[311]  John B. Shoven,et al.  I , Edinburgh Medical and Surgical Journal.

[312]  Martijn Warnier,et al.  Language based security for Java and JML , 2006 .

[313]  N. Asokan,et al.  Asynchronous protocols for optimistic fair exchange , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[314]  Vitaly Shmatikov,et al.  Constraint solving for bounded-process cryptographic protocol analysis , 2001, CCS '01.

[315]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[316]  Jun Sekine,et al.  Digital-Ticket-Controlled Digital Ticket Circulation , 1999, USENIX Security Symposium.

[317]  Colin Stirling,et al.  Modal Logics and mu-Calculi: An Introduction , 2001, Handbook of Process Algebra.

[318]  Ncwm Niels Braspenning Model-based integration and testing of high-tech multi-disciplinary systems , 2008 .

[319]  Yahiko Kambayashi,et al.  Fair Exchange under Limited Trust , 2002, TES.

[320]  John Ulrich,et al.  Automated Analysis of Cryptographic Protocols Using Mur ' , 1997 .

[321]  Lawrence C. Paulson,et al.  Accountability protocols: Formalized and verified , 2006, TSEC.

[322]  Felix C. Freiling,et al.  TrustedPals: Secure Multiparty Computation Implemented with Smart Cards , 2006, ESORICS.

[323]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[324]  Thomas Wolle,et al.  Computational aspects of treewidth : Lower bounds and network reliability , 2005 .

[325]  Jianying Zhou,et al.  Some common attacks against certified email protocols and the countermeasures , 2006, Comput. Commun..

[326]  Benjamin Cox,et al.  NetBill Security and Transaction Protocol , 1995, USENIX Workshop on Electronic Commerce.

[327]  H. A. deJong Flexible Heterogeneous Software Systems , 2007 .

[328]  Peter Y. A. Ryan,et al.  An Attack on a Recursive Authentication Protocol. A Cautionary Tale , 1998, Inf. Process. Lett..

[329]  Josep Lluís Ferrer-Gomila,et al.  Optimality in Asynchronous Contract Signing Protocols , 2004, TrustBus.

[330]  Jaco van de Pol,et al.  Modal Abstractions in µCRL , 2004, AMAST.

[331]  H. Rice Classes of recursively enumerable sets and their decision problems , 1953 .

[332]  Nancy A. Lynch,et al.  Cryptographic protocols , 1982, STOC '82.

[333]  F. Bartels,et al.  On Generalised Coinduction and Probabilistic Specification Formats , 2004 .

[334]  Mohammad Ali Abam New data structures and algorithms for mobile data , 2007 .

[335]  Jaco van de Pol,et al.  Just-in-time: On Strategy Annotations , 2001, WRS.

[336]  Colin Boyd,et al.  Exploring Fair Exchange Protocols Using Specification Animation , 2000, ISW.

[337]  Jan A. Bergstra,et al.  Algebra of Communicating Processes with Abstraction , 1985, Theor. Comput. Sci..

[338]  R. Boumen,et al.  Integration and test plans for complex manufacturing systems , 2007 .

[339]  Martijn van Veelen,et al.  Considerations on modeling for early detection of abnormalities in locally autonomous distributed systems , 2007 .

[340]  Mihir Bellare,et al.  Incremental Cryptography: The Case of Hashing and Signing , 1994, CRYPTO.

[341]  Roberto Gorrieri,et al.  Classification of Security Properties (Part I: Information Flow) , 2000, FOSAD.

[342]  Olivier Markowitch,et al.  An Optimistic Non-repudiation Protocol with Transparent Trusted Third Party , 2001, ISC.

[343]  Eelco Dolstra,et al.  The purely functional software deployment model , 2006 .

[344]  Susan Pancho-Festin,et al.  On the Formal Analyses of the Zhou-Gollmann Non-repudiation Protocol , 2005, Formal Aspects in Security and Trust.

[345]  Mihaela Sighireanu,et al.  Efficient on-the-fly model-checking for regular alternation-free mu-calculus , 2003, Sci. Comput. Program..

[346]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[347]  Kim G. Larsen,et al.  To Store or Not to Store , 2003, CAV.

[348]  Sebastian Mödersheim,et al.  The ASW Protocol Revisited: A Unified View , 2005, Electron. Notes Theor. Comput. Sci..

[349]  Muhammad Torabi Dashti,et al.  Nuovo DRM paradiso: towards a verified fair DRM scheme , 2007, FSEN'07.

[350]  Dongvu Tonien,et al.  Multi-party Concurrent Signatures , 2006, ISC.

[351]  Maurice H. ter Beek,et al.  Team Automata: A Formal Approach to the Modeling of Collaboration Between System Components , 2003 .

[352]  Edwin K. P. Chong,et al.  Constructing fair-exchange protocols for E-commerce via distributed computation of RSA signatures , 2003, PODC '03.

[353]  Jean-François Raskin,et al.  A Game-based Verification of Non-repudiation and Fair Exchange Protocols , 2001, J. Comput. Secur..

[354]  Mohammad Reza Mousavi,et al.  Structuring structural operational semantics , 2005 .

[355]  Kensaku Mori,et al.  An Optimistic NBAC-Based Fair Exchange Method for Arbitrary Items , 2006, CARDIS.

[356]  Stephan Merz,et al.  Model Checking , 2000 .

[357]  Somesh Jha,et al.  Partial Order Reductions for Security Protocol Verification , 2000, TACAS.

[358]  Somesh Jha,et al.  Verifying security protocols with Brutus , 2000, TSEM.

[359]  Somesh Jha,et al.  Efficient verification of security protocols using partial-order reductions , 2003, International Journal on Software Tools for Technology Transfer.

[360]  Richard Cleve,et al.  Controlled Gradual Disclosure Schemes for Random Bits and Their Applications , 1989, CRYPTO.

[361]  Cheun Ngen Chong Experiments in rights control : expression and enforcement , 2005 .

[362]  Ulf Carlsen,et al.  Cryptographic Protocols Flaws , 1994, CSFW.

[363]  Erika Ábrahám,et al.  An Assertional Proof System for Multithreaded Java - Theory and Tool Support , 2005 .

[364]  Pierre Wolper,et al.  An Automata-Theoretic Approach to Automatic Program Verification (Preliminary Report) , 1986, LICS.

[365]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[366]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[367]  Steve A. Schneider,et al.  Using a PVS Embedding of CSP to Verify Authentication Protocols , 1997, TPHOLs.

[368]  A. J. Markvoort Towards hybrid molecular simulations , 2006 .

[369]  Sorin M. Iacob,et al.  License Transfer in OMA-DRM , 2006, ESORICS.

[370]  Tuomas Sandholm,et al.  Unenforced E-Commerce Transactions , 1997, IEEE Internet Comput..

[371]  Tomas Krilavicius,et al.  Hybrid Techniques for Hybrid Systems , 2006 .

[372]  M. T. Ionita,et al.  Scenario-based system architecting : a systematic approach to developing future-proof system architectures , 2005 .