Notes:
Further information and verification results are available from the
PRISM web page.
|
Links:
[Google]
[Google Scholar]
|
Abstract.
We present three case studies, investigating the use of probabilistic
model checking to automatically analyse properties of probabilistic
contract signing protocols. We use the probabilistic model checker
PRISM to analyse three protocols: Rabin's probabilistic protocol for
fair commitment exchange; the probabilistic contract signing protocol of
Ben-Or, Goldreich, Micali, and Rivest; and a randomised protocol for
signing contracts of Even, Goldreich, and Lempel. These case studies
illustrate the general methodology for applying probabilistic model
checking to formal verification of probabilistic security protocols.
For the Ben-Or et al. protocol, we demonstrate the difficulty of combining fairness with timeliness. If, as required by timeliness, the judge responds to participants' messages immediately upon receiving them, then there exists a strategy for a misbehaving participant that brings the protocol to an unfair state with arbitrarily high probability, unless unusually strong assumptions are made about the quality of the communication channels between the judge and honest participants. We quantify the tradeoffs involved in the attack strategy, and discuss possible modifications of the protocol that ensure both fairness and timeliness. For the Even et al. protocol, we demonstrate that the responder enjoys a distinct advantage. With probability 1, the protocol reaches a state in which the responder possesses the initiator's commitment, but the initiator does not possess the responder's commitment. We then analyse several variants of the protocol, exploring the tradeoff between fairness and the number of messages that must be exchanged between participants. |