We present three case studies, investigating the use of probabilistic model checking to automatically analyse properties of probabilistic contract signing protocols. We use the probabilistic model checker PRISM to analyse three protocols: Rabin's probabilistic protocol for fair commitment exchange; the probabilistic contract signing protocol of Ben-Or, Goldreich, Micali, and Rivest; and a randomised protocol for signing contracts of Even, Goldreich, and Lempel. These case studies illustrate the general methodology for applying probabilistic model checking to formal verification of probabilistic security protocols. For the Ben-Or et al. protocol, we demonstrate the difficulty of combining fairness with timeliness. If, as required by timeliness, the judge responds to participants' messages immediately upon receiving them, then there exists a strategy for a misbehaving participant that brings the protocol to an unfair state with arbitrarily high probability, unless unusually strong assumptions are made about the quality of the communication channels between the judge and honest participants. We quantify the tradeoffs involved in the attack strategy, and discuss possible modifications of the protocol that ensure both fairness and timeliness. For the Even et al. protocol, we demonstrate that the responder enjoys a distinct advantage. With probability 1, the protocol reaches a state in which the responder possesses the initiator's commitment, but the initiator does not possess the responder's commitment. We then analyse several variants of the protocol, exploring the tradeoff between fairness and the number of messages that must be exchanged between participants.