200 likes | 326 Views
CIMPA School on Security Specification and verification of randomized security protocols Lecture 1. Catuscia Palamidessi, INRIA & LIX catuscia@lix.polytechnique.fr www.lix.polytechnique.fr/~catuscia Page of the course: www.lix.polytechnique.fr/~catuscia/teaching/CIMPA_School_05/.
E N D
CIMPA School on SecuritySpecification and verification of randomized security protocolsLecture 1 Catuscia Palamidessi, INRIA & LIX catuscia@lix.polytechnique.fr www.lix.polytechnique.fr/~catuscia Page of the course: www.lix.polytechnique.fr/~catuscia/teaching/CIMPA_School_05/
Plan of the course • Overview of the basic notions of Probability theory and Measure theory • Probabilistic automata • Probabilistic p-calculus • Applications to the specification and verification of randomized security protocols • Anonymity • Fair exchange Randomized security protocols
Probability and measure theory References • Prakash Panangaden, Measure and probability for Concurrency Theorists.TCS. 253(2): 287-309. www.lix.polytechnique.fr/~catuscia/teaching/papers_and_books/panangaden.ps • Prakash Panangaden, Stochastic techniques in Concurrency. Lecture notes. www.lix.polytechnique.fr/~catuscia/teaching/papers_and_books/notes.ps Randomized security protocols
Introduction 1/4 Probability in the finite case • An experiment with a finite set S of possible results • Event: a subset A of S • Assuming that all outcomes are equally likely, the probability of event A is defined by pb(A) = |A| / |S| Example: tossing a fair dice • Set of possible results S = { 1,2,3,4,5,6 } • Event “the result is even”: A = { 2,4,6 } , pb(A) = 1/2 • Event “the result is at least 5” : B = { 5,6 } , pb(B) = 1/3 Randomized security protocols
Introduction 2/4 • Example: tossing 3 three times a fair coin • Possible outcomes (sequences H/T): 23 = 8 • Event “all coins are H”: • pb(HHH) = p(H--) x pb(-H-) x pb(--H) independent = 1/2 x 1/2 x 1/2 = 1/8 • “all coins are H or all coins are T” : • pb(HHH or TTT) = pb(HHH) + pb(TTT) = 1/4 disjoint • “at least one coin is H”: • pb(not TTT) = 1 – pb(TTT) = 7/8 • “at least one coin is H and at least one coin is T” • pb(not TTT and not HHH) = 6/8 not independent • “at least one coin is H or at least one coin is T” • pb(not TTT or not HHH) not disjoint = pb(not TTT) + pb(not HHH) – pb(not TTT and not HHH) = 7/8 + 7/8 – 6/8 = 1 Randomized security protocols
Introduction 3/4 • The need for measure theory • Some “experiments” have infinititary nature • Example: tossing infinitely many time a fair coin • The set S of all infinite sequences of H/T is infinite (uncountable) • The probability of each sequence is 0, so we cannot expect that the single result will be enough as “building blocks” (i.e. we cannot expect to be able to define the probability of every event by summing up the probability of the singletones) • When S is uncountable, we cannot expect of being able to define the probability of every set of results. Randomized security protocols
Introduction 4/4 S A B C Randomized security protocols
Measure theory 1/7 Randomized security protocols
Measure theory 2/7 Randomized security protocols
Measure theory 3/7 Randomized security protocols
Measure theory 4/7 Randomized security protocols
Measure theory 5/7 Randomized security protocols
Measure theory 6/7 Example S = the set of all infinite sequences of a fair coin tossing • From elementary finite probability theory: Each finite sequence of H/T x0,x1,…,xn-1 (xi=H or xi=T) has probability 1/2n (independence) • Each infinite sequence has probability 0 • Cone: given a sequence s = x0,x1,…,xn-1 [,…], the set A of all sequences which have s as prefix is called cone • We assign to A the probability measure of its prefix: m(A) = 1/2n • Define B (base) as the set of all cones. Note that they are All disjoint Randomized security protocols
Measure theory 7/7 • Consider the space (S,SB) generated by S and the set B of all cones, with probability measure induced by m • What is the probability that a sequence has infinitely many H? • Probability of exactly one H in any position: 0 (countable disjoint union of sets with measure 0) • Probability of exactly n H in any position: 0 (same reason) • Probability of finitely many H in any position: 0 (same reason) • Probability of infinitely many H: 1 – pb(finitely many H) = 1 – 0 (complementation property) Randomized security protocols
Some relevant definitions • We say that A, B are independent if pb(A ∩ B) = pb(A) x pb(B) • Conditional probability: pb(A | B) is the probability of A given B pb(A | B) = pb(A ∩ B) / pb(B) Example: 3-sequences of coin-tossing • What is the probability of having all H given that the first is H? • Pb(HHH | H--) = pb(HHH ∩ H--) / pb(H--) = pb(HHH) / pb(H--) = (1/8) / (1/2) = 1/4 Randomized security protocols
A puzzle about conditional probability • A king offers to a guest to pick one of three closed boxes. One contains a diamond, the other two are empty • After the guest has picked a box, the king opens one of the other two boxes and shows that it is empty • Then the king offers to the guest to exchange the box he picked with the other (closed) one • Question: should the guest exchange? Randomized security protocols
A puzzle about conditional probability • Answer: it depends on whether the king opens intentionally an empty box, or not. • In the first case, the guest should better change his choice since the other box has now probability 2/3 to contain the ring • In the second case, it does not matter. Both the remaining closed boxes have now probability ½ to contain the ring Randomized security protocols
A puzzle about conditional probability Let us consider again the puzzle in Case 2 • Bi = Box i contains the ring • Initially: pb(B1) = pb(B2) = pb(B3) = 1/3 • After opening one box, say Box 1, if it turns out to be empty, we have: pb(B2) = pb(B2 | not B1) = pb(B2 and not B1) / pb(not B1) = pb(B2) / pb(not B1) = (1/3) / (2/3) = 1 / 2 Randomized security protocols
Application: Probabilistic Automata • Nondeterministic choice and probabilistic choice • Definition of probabilistic automata • Concept of adversary (aka scheduler) • Concept of execution • The measurable space and the probability measure associated to the executions • Some examples • Roberto Segala. Modeling and Verification of Randomized Distributed Real Time Systems . PhD thesis, Laboratory for Computer Science, Massachusetts Institute of Technology, June 1995. Available as Technical Report MIT/LCS/TR-676. • Roberto Segala and Nancy Lynch. Probabilistic simulations for probabilistic processes. Nordic Journal of Computing, 2(2):250--273, 1995. An extended abstract appeared in the Proceedings of CONCUR '94, LNCS 836: 22--25. Both references above are available on Segala’s web site Randomized security protocols
1/2 1/3 1/2 1/3 1/2 1/3 1/3 1/3 1/2 1/3 1/2 1/2 1/2 1/3 1/3 1/3 1/2 1/2 1/2 1/3 1/3 1/3 1/3 1/3 1/3 1/2 1/2 1/2 1/3 1/3 1/3 1/2 1/2 1/2 2/3 1/3 1/3 1/3 1/3 1/3 1/3 1/3 2/3 1/3 2/3 2/3 2/3 2/3 2/3 2/3 1/3 1/3 1/3 1/3 1/3 1/3 1/2 1/3 1/3 1/2 1/3 2/3 1/3 Probabilistic Automata Distinction between • nondeterministic behavior (choice of the scheduler) and • probabilistic behavior (choice of the process) Scheduling Policy: The scheduler chooses the group of transitions Execution: The process choosesprobabilistically the transition within the group Randomized security protocols