Universally composable security: A new paradigm for cryptographic protocols
, 2013
Cited by 842 (43 self)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Stochastic Hybrid Systems: Application to Communication Networks
 in Hybrid Systems: Computation and Control, ser. Lect. Notes in Comput. Science
, 2004
Cited by 67 (14 self)
Abstract. We propose a model for Stochastic Hybrid Systems (SHSs) where transitions between discrete modes are triggered by stochastic events, much like transitions between states of a continuous-time Markov chain. However, the rate at which transitions occur is allowed to depend both on the continuous and the discrete states of the SHS. Based on results available for Piecewise-Deterministic Markov Processes (PDPs), we provide a formula for the extended generator of the SHS, which can be used to compute expectations and the overall distribution of the state. As an application, we construct a stochastic model for on-off TCP flows that considers both the congestion-avoidance and slow-start modes and takes directly into account the distribution of the number of bytes transmitted. Using the tools derived for SHSs, we model the dynamics of the moments of the sending rate by an infinite system of ODEs, which can be truncated to obtain an approximate finite-dimensional model. This model shows that, for transfer-size distributions reported in the literature, the standard deviation of the sending rate is much larger than its average. Moreover, the latter seems to vary little with the probability of packet drop. This has significant implications for the design of congestion control mechanisms.
Characterising testing preorders for finite probabilistic processes
 In LICS’07: Proceedings of the 22nd Annual IEEE Symposium on Logic in Computer Science. IEEE Computer Society Press, Los Alamitos, CA
Cited by 28 (10 self)
In 1992 Wang & Larsen extended the may and must preorders of De Nicola and Hennessy to processes featuring probabilistic as well as nondeterministic choice. They concluded with two problems that have remained open throughout the years, namely to find complete axiomatisations and alternative characterisations for these preorders. This paper solves both problems for finite processes with silent moves. It characterises the may preorder in terms of simulation, and the must preorder in terms of failure simulation. It also gives a characterisation of both preorders using a modal logic. Finally it axiomatises both preorders over a probabilistic version of CSP.
Observing Branching Structure through Probabilistic Contexts
 SIAM J. Comput
Cited by 27 (2 self)
Abstract. Probabilistic automata (PAs) constitute a general framework for modeling and analyzing discrete event systems that exhibit both nondeterministic and probabilistic behavior, such as distributed algorithms and network protocols. The behavior of PAs is commonly defined using schedulers (also called adversaries or strategies), which resolve all nondeterministic choices based on past history. From the resulting purely probabilistic structures, trace distributions can be extracted, whose intent is to capture the observable behavior of a PA. However, when PAs are composed via an (asynchronous) parallel composition operator, a global scheduler may establish strong correlations between the behavior of system components and, for example, resolve nondeterministic choices in one PA based on the outcome of probabilistic choices in the other. It is well known that, as a result of this, the (linear-time) trace distribution precongruence is not compositional for PAs. In his 1995 Ph.D. thesis, Segala has shown that the (branching-time) probabilistic simulation preorder is compositional for PAs. In this paper, we establish that the simulation preorder is, in fact, the coarsest refinement of the trace distribution preorder that is compositional. We prove our characterization result by providing (1) a context of a given PA A, called the tester, which may announce the state of A to the outside world, and (2) a specific global scheduler, called the observer, which ensures that the state information that is announced is actually correct. Now when another PA B is composed with the tester, it may generate the same external behavior as the observer only when it is able to simulate A in the sense that whenever A goes to some state s, B can go to a corresponding state u, from which it may generate the same external behavior. Our result shows that probabilistic contexts together with global schedulers are able to exhibit the branching structure of PAs.
Task-structured probabilistic I/O automata
, 2006
Cited by 24 (13 self)
Modeling frameworks such as Probabilistic I/O Automata (PIOA) and Markov Decision Processes permit both probabilistic and nondeterministic choices. In order to use such frameworks to express claims about probabilities of events, one needs mechanisms for resolving nondeterministic choices. For PIOAs, nondeterministic choices have traditionally been resolved by schedulers that have perfect information about the past execution. However, such schedulers are too powerful for certain settings, such as cryptographic protocol analysis, where information must sometimes be hidden. Here, we propose a new, less powerful nondeterminism-resolution mechanism for PIOAs, consisting of tasks and local schedulers. Tasks are equivalence classes of system actions that are scheduled by oblivious, global task sequences. Local schedulers resolve nondeterminism within system components, based on local information only. The resulting task-PIOA framework yields simple notions of external behavior and implementation, and supports simple compositionality results. We also define a new kind of simulation relation, and show it to be sound for proving implementation. We illustrate the potential of the task-PIOA framework by outlining its use in verifying an Oblivious Transfer protocol.
Testing Finitary Probabilistic Processes (Extended Abstract)
Cited by 22 (15 self)
Abstract. This paper provides modal and relational characterisations of may- and must-testing preorders for recursive CSP processes with divergence, featuring probabilistic as well as nondeterministic choice. May testing is characterised in terms of simulation, and must testing in terms of failure simulation. To this end we develop weak transitions between probabilistic processes, elaborate their topological properties, and capture divergence in terms of partial distributions.
Logical Characterizations of Bisimulations for Discrete Probabilistic Systems
, 2007
Cited by 21 (0 self)
We give logical characterizations of bisimulation relations for the probabilistic automata of Segala in terms of three Hennessy-Milner style logics. The three logics characterize strong, strong probabilistic and weak probabilistic bisimulation, and differ only in the kind of diamond operator used. Compared to the Larsen and Skou logic for reactive systems, these logics introduce a new operator that measures the probability of the set of states that satisfy a formula. Moreover, the satisfaction relation is defined on measures rather than single states. We rederive previous results of Desharnais et al. by defining sublogics for Reactive and Alternating Models viewed as restrictions of probabilistic automata. Finally, we identify restrictions on probabilistic automata, weaker than those imposed by the Alternating Models, that preserve the logical characterization of Desharnais et al. These restrictions require that each state either enables several ordinary transitions or enables a single probabilistic transition.
On the Semantics of Markov Automata
Cited by 20 (5 self)
Abstract. Markov automata describe systems in terms of events which may be nondeterministic, may occur probabilistically, or may be subject to time delays. We define a novel notion of weak bisimulation for such systems and prove that this provides both a sound and complete proof methodology for a natural extensional behavioural equivalence between such systems, a generalisation of reduction barbed congruence, the well-known touchstone equivalence for a large variety of process description languages.
Scalar outcomes suffice for finitary probabilistic testing
 of Lecture Notes in Computer Science
, 2007
Cited by 18 (11 self)
Abstract. The question of equivalence has long vexed research in concurrency, leading to many different denotational and bisimulation-based approaches; a breakthrough occurred with the insight that tests expressed within the concurrent framework itself, based on a special “success action”, yield equivalences that make only inarguable distinctions. When probability was added, however, it seemed necessary to extend the testing framework beyond a direct probabilistic generalisation in order to remain useful. An attractive possibility was the extension to multiple success actions that yielded vectors of real-valued outcomes. Here we prove that such vectors are unnecessary when processes are finitary, that is finitely branching and finite-state: single scalar outcomes are just as powerful. Thus for finitary processes we can retain the original, simpler testing approach and its direct connections to other naturally scalar-valued phenomena.