1 / 20

CIMPA School on Security Specification and verification of randomized security protocols Lecture 1

Learn about probability and measure theory, probabilistic automata, p-calculus, and applications to security protocol specification and verification. Understand anonymity and fair exchange in random security protocols.

nhudgins
Download Presentation

CIMPA School on Security Specification and verification of randomized security protocols Lecture 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CIMPA School on SecuritySpecification and verification of randomized security protocolsLecture 1 Catuscia Palamidessi, INRIA & LIX catuscia@lix.polytechnique.fr www.lix.polytechnique.fr/~catuscia Page of the course: www.lix.polytechnique.fr/~catuscia/teaching/CIMPA_School_05/

  2. Plan of the course • Overview of the basic notions of Probability theory and Measure theory • Probabilistic automata • Probabilistic p-calculus • Applications to the specification and verification of randomized security protocols • Anonymity • Fair exchange Randomized security protocols

  3. Probability and measure theory References • Prakash Panangaden, Measure and probability for Concurrency Theorists.TCS. 253(2): 287-309. www.lix.polytechnique.fr/~catuscia/teaching/papers_and_books/panangaden.ps • Prakash Panangaden, Stochastic techniques in Concurrency. Lecture notes. www.lix.polytechnique.fr/~catuscia/teaching/papers_and_books/notes.ps Randomized security protocols

  4. Introduction 1/4 Probability in the finite case • An experiment with a finite set S of possible results • Event: a subset A of S • Assuming that all outcomes are equally likely, the probability of event A is defined by pb(A) = |A| / |S| Example: tossing a fair dice • Set of possible results S = { 1,2,3,4,5,6 } • Event “the result is even”: A = { 2,4,6 } , pb(A) = 1/2 • Event “the result is at least 5” : B = { 5,6 } , pb(B) = 1/3 Randomized security protocols

  5. Introduction 2/4 • Example: tossing 3 three times a fair coin • Possible outcomes (sequences H/T): 23 = 8 • Event “all coins are H”: • pb(HHH) = p(H--) x pb(-H-) x pb(--H) independent = 1/2 x 1/2 x 1/2 = 1/8 • “all coins are H or all coins are T” : • pb(HHH or TTT) = pb(HHH) + pb(TTT) = 1/4 disjoint • “at least one coin is H”: • pb(not TTT) = 1 – pb(TTT) = 7/8 • “at least one coin is H and at least one coin is T” • pb(not TTT and not HHH) = 6/8 not independent • “at least one coin is H or at least one coin is T” • pb(not TTT or not HHH) not disjoint = pb(not TTT) + pb(not HHH) – pb(not TTT and not HHH) = 7/8 + 7/8 – 6/8 = 1 Randomized security protocols

  6. Introduction 3/4 • The need for measure theory • Some “experiments” have infinititary nature • Example: tossing infinitely many time a fair coin • The set S of all infinite sequences of H/T is infinite (uncountable) • The probability of each sequence is 0, so we cannot expect that the single result will be enough as “building blocks” (i.e. we cannot expect to be able to define the probability of every event by summing up the probability of the singletones) • When S is uncountable, we cannot expect of being able to define the probability of every set of results. Randomized security protocols

  7. Introduction 4/4 S A B C Randomized security protocols

  8. Measure theory 1/7 Randomized security protocols

  9. Measure theory 2/7 Randomized security protocols

  10. Measure theory 3/7 Randomized security protocols

  11. Measure theory 4/7 Randomized security protocols

  12. Measure theory 5/7 Randomized security protocols

  13. Measure theory 6/7 Example S = the set of all infinite sequences of a fair coin tossing • From elementary finite probability theory: Each finite sequence of H/T x0,x1,…,xn-1 (xi=H or xi=T) has probability 1/2n (independence) • Each infinite sequence has probability 0 • Cone: given a sequence s = x0,x1,…,xn-1 [,…], the set A of all sequences which have s as prefix is called cone • We assign to A the probability measure of its prefix: m(A) = 1/2n • Define B (base) as the set of all cones. Note that they are All disjoint Randomized security protocols

  14. Measure theory 7/7 • Consider the space (S,SB) generated by S and the set B of all cones, with probability measure induced by m • What is the probability that a sequence has infinitely many H? • Probability of exactly one H in any position: 0 (countable disjoint union of sets with measure 0) • Probability of exactly n H in any position: 0 (same reason) • Probability of finitely many H in any position: 0 (same reason) • Probability of infinitely many H: 1 – pb(finitely many H) = 1 – 0 (complementation property) Randomized security protocols

  15. Some relevant definitions • We say that A, B are independent if pb(A ∩ B) = pb(A) x pb(B) • Conditional probability: pb(A | B) is the probability of A given B pb(A | B) = pb(A ∩ B) / pb(B) Example: 3-sequences of coin-tossing • What is the probability of having all H given that the first is H? • Pb(HHH | H--) = pb(HHH ∩ H--) / pb(H--) = pb(HHH) / pb(H--) = (1/8) / (1/2) = 1/4 Randomized security protocols

  16. A puzzle about conditional probability • A king offers to a guest to pick one of three closed boxes. One contains a diamond, the other two are empty • After the guest has picked a box, the king opens one of the other two boxes and shows that it is empty • Then the king offers to the guest to exchange the box he picked with the other (closed) one • Question: should the guest exchange? Randomized security protocols

  17. A puzzle about conditional probability • Answer: it depends on whether the king opens intentionally an empty box, or not. • In the first case, the guest should better change his choice since the other box has now probability 2/3 to contain the ring • In the second case, it does not matter. Both the remaining closed boxes have now probability ½ to contain the ring Randomized security protocols

  18. A puzzle about conditional probability Let us consider again the puzzle in Case 2 • Bi = Box i contains the ring • Initially: pb(B1) = pb(B2) = pb(B3) = 1/3 • After opening one box, say Box 1, if it turns out to be empty, we have: pb(B2) = pb(B2 | not B1) = pb(B2 and not B1) / pb(not B1) = pb(B2) / pb(not B1) = (1/3) / (2/3) = 1 / 2 Randomized security protocols

  19. Application: Probabilistic Automata • Nondeterministic choice and probabilistic choice • Definition of probabilistic automata • Concept of adversary (aka scheduler) • Concept of execution • The measurable space and the probability measure associated to the executions • Some examples • Roberto Segala. Modeling and Verification of Randomized Distributed Real Time Systems . PhD thesis, Laboratory for Computer Science, Massachusetts Institute of Technology, June 1995. Available as Technical Report MIT/LCS/TR-676. • Roberto Segala and Nancy Lynch. Probabilistic simulations for probabilistic processes. Nordic Journal of Computing, 2(2):250--273, 1995. An extended abstract appeared in the Proceedings of CONCUR '94, LNCS 836: 22--25. Both references above are available on Segala’s web site Randomized security protocols

  20. 1/2 1/3 1/2 1/3 1/2 1/3 1/3 1/3 1/2 1/3 1/2 1/2 1/2 1/3 1/3 1/3 1/2 1/2 1/2 1/3 1/3 1/3 1/3 1/3 1/3 1/2 1/2 1/2 1/3 1/3 1/3 1/2 1/2 1/2 2/3 1/3 1/3 1/3 1/3 1/3 1/3 1/3 2/3 1/3 2/3 2/3 2/3 2/3 2/3 2/3 1/3 1/3 1/3 1/3 1/3 1/3 1/2 1/3 1/3 1/2 1/3 2/3 1/3 Probabilistic Automata Distinction between • nondeterministic behavior (choice of the scheduler) and • probabilistic behavior (choice of the process) Scheduling Policy: The scheduler chooses the group of transitions Execution: The process choosesprobabilistically the transition within the group Randomized security protocols

More Related