Results 1 - 10 of 13
A logic of authentication
- ACM TRANSACTIONS ON COMPUTER SYSTEMS, 1990
Cited by 1040 (26 self)
Questions of belief are essential in analyzing protocols for the authentication of principals in distributed computing systems. In this paper we motivate, set out, and exemplify a logic specifically designed for this analysis; we show how various protocols differ subtly with respect to the required initial assumptions of the participants and their final beliefs. Our formalism has enabled us to isolate and express these differences with a precision that was not previously possible. It has drawn attention to features of protocols of which we and their authors were previously unaware, and allowed us to suggest improvements to the protocols. The reasoning about some protocols has been mechanically verified. This paper starts with an informal account of the problem, goes on to explain the formalism to be used, and gives examples of its application to protocols from the literature, both with shared-key cryptography and with public-key cryptography. Some of the examples are chosen because of their practical importance, while others serve to illustrate subtle points of the logic and to explain how we use it. We discuss extensions of the logic motivated by actual practice -- for example, in order to account for the use of hash functions in signatures. The final sections contain a formal semantics of the logic and some conclusions.
On the Decision Problem for Two-Variable First-Order Logic
- 1997
Cited by 41 (0 self)
We identify the computational complexity of the satisfiability problem for FO², the fragment of first-order logic consisting of all relational first-order sentences with at most two distinct variables. Although this fragment was shown to be decidable a long time ago, the computational complexity of its decision problem has not been pinpointed so far. In 1975 Mortimer proved that FO² has the finite-model property, which means that if an FO²-sentence is satisfiable, then it has a finite model. Moreover, Mortimer showed that every satisfiable FO²-sentence has a model whose size is at most doubly exponential in the size of the sentence. In this paper, we improve Mortimer's bound by one exponential and show that every satisfiable FO²-sentence has a model whose size is at most exponential in the size of the sentence. As a consequence, we establish that the satisfiability problem for FO² is NEXPTIME-complete.
The Logic of Authentication Protocols
- Foundations of Security Analysis and Design, LNCS 2171, 2001
Cited by 27 (0 self)
This paper is based on a course Syverson taught at the 1st International School on Foundations of Security Analysis and Design (FOSAD'00) in Bertinoro, Italy in September 2000. Cervesato was a student there. The work of the first author was supported by ONR. The work of the second author was supported by NSF grant INT98-15731 "Logical Methods for Formal Verification of Software" and by NRL under contract N00173-00-C-2086
Complexity and Security of Distributed Protocols
- 1993
Cited by 18 (0 self)
This thesis addresses the topic of secure distributed computation, a general and powerful tool for balancing cooperation and mistrust among independent agents. We study many related models, which differ as to the allowable communication among agents, the ways in which agents may misbehave, and the complexity (cryptographic) assumptions that are made. We present new protocols, both for general secure computation (i.e., of any function over a finite domain) and for specific tasks (e.g., electronic money). We investigate fundamental relationships among security needs and various resource requirements, with an emphasis on communication complexity. A number of mathematical methods are employed for our investigations, including algebraic, graph-theoretic, and cryptographic techniques.
BDD-Based Decision Procedures for the Modal Logic K
- Journal of Applied Non-classical Logics, 2005
Cited by 15 (1 self)
We describe BDD-based decision procedures for the modal logic K. Our approach is inspired by the automata-theoretic approach, but we avoid explicit automata construction. Instead, we compute certain fixpoints of a set of types---which can be viewed as an on-the-fly emptiness of the automaton. We use BDDs to represent and manipulate such type sets, and investigate different kinds of representations as well as a "level-based" representation scheme. The latter turns out to speed up construction and reduce memory consumption considerably. We also study the effect of formula simplification on our decision procedures. To prove the viability of our approach, we compare our approach with a representative selection of other approaches, including a translation of to QBF. Our results indicate that the BDD-based approach dominates for modally heavy formulae, while search-based approaches dominate for propositionally heavy formulae.
Open Questions, Talk Abstracts, and Summary of Discussions
- 1991
Cited by 13 (0 self)
Joan Feigenbaum and Michael Merritt, AT&T Bell Laboratories, Murray Hill, NJ 07974. The DIMACS Workshop on Distributed Computing and Cryptography was held at the Nassau Inn in Princeton, New Jersey, on October 4, 5, and 6, 1989. Participants took a critical look at the results, choice of problems, guiding philosophies, research methodology, and engineering projects that currently absorb much of the effort of people working in "cryptography" and "computer system security." This report summarizes both the formal presentations and the informal discussions that took place. Section 1 contains our account of the group discussions and statements of open questions, both general and specific, that we think are important. This report on the workshop is based on our recollections, our notes, and notes taken by the graduate-student participants; we assume responsibility for any inaccuracies in our account. Section 2 contains abstracts of the talks presented at the worksh...
Varieties of Secure Distributed Computing
- In Proceedings of Sequences II, Methods in Communications, Security and Computer Science, 1996
Cited by 6 (0 self)
this paper, we will see solutions to the Fortune 500 problem (or any other computational problem) that assume nothing more than that each company trusts that there are at least 333 other companies that will not betray it (plus secure phone lines). Other solutions show that if conference-calling is also allowed, then each company need only assume that 250 other companies are honest. Still other solutions need only assume that the Chief Number Theorist of each company certifies that certain problems (such as quadratic residuosity) will remain intractable for as long as its financial information remains sensitive. Results in the field can be divided into two main categories: protocols and complexity results. Protocols can be divided into two main categories: cryptographic and non-cryptographic. Cryptographic protocols can be divided into two main categories: two-party protocols and multi-party protocols. These are the lines along which the bulk of this paper is organized.
Using Weakest Preconditions To Evaluate Cryptographic Protocols
- 1996
Cited by 4 (1 self)
Because Cryptographic Protocols (CPs) are similar to computer programs, techniques for program verification are applicable to verifying CPs. We show how a CP evaluation system [YW96] utilizing weakest precondition reasoning [DIJK76] can be used to analyze protocols and their goals. We also demonstrate how this method complements BAN Logic [BAN89] by combining the method with BAN Logic to evaluate CPs. Section 1. Introduction. In this paper we illustrate the Cryptographic Protocol Analysis Language Evaluation System (CPAL-ES) [YW96]. CPAL-ES is based on a technique from program verification called Weakest Precondition reasoning [DIJK76]. CPAL-ES allows an analyst to give a definitive meaning to the actions of all principals in a protocol run, including intruders. The foundation on predicate calculus with uninterpreted function symbols allows this methodology to complement logics used to evaluate cryptographic protocols. This method is like BAN Logic [BAN89] in that it does not discover a...
Secure Group Communication Protocol for Distributed Systems
- Proc. of IEEE COMPSAC'93, 1993
Cited by 2 (2 self)
Group communication among multiple entities is required in distributed applications like groupware systems. In addition to conventional wide-area networks, local area networks (LANs) and radio networks are available to realize the applications. The LANs and radio networks provide broadcast communication at the media access control (MAC) layer, that is, every communication entity, i.e. station can receive every protocol data unit (PDU) transmitted in the network. The group communication can be easily realized by these networks. One problem in the broadcast network is how to provide the secure communication for the group. In this paper, we discuss how to provide secure broadcast communication among multiple entities in the presence of attacks by malicious entities. The protocol is based on the distributed control scheme by using reliable but unsecure broadcast networks.
Knowledge Representation and Classical Logic
Cited by 2 (2 self)
Mathematical logicians had developed the art of formalizing declarative knowledge long before the advent of the computer age. But they were interested primarily in formalizing mathematics. Because of the important role of nonmathematical knowledge in AI, their emphasis was too narrow from the perspective of knowledge representation, their formal languages were not sufficiently expressive. On the other hand, most logicians were not concerned about the possibility of automated reasoning; from the perspective of knowledge representation, they were often too generous in the choice of syntactic constructs. In spite of these differences, classical mathematical logic has exerted significant influence on knowledge representation research, and it is appropriate to begin this handbook with a discussion of the relationship between these fields. The language of classical logic that is most widely used in the theory of knowledge representation is the language of first-order (predicate) formulas. These are the formulas that John McCarthy proposed to use for representing declarative knowledge in his advice taker paper [176], and Alan Robinson proposed to prove automatically using resolution [236]. Propositional logic is, of course, the most important subset of first-order logic; recent

