
The Thousand-and-One Cryptographers

Chapter in: Reflections on the Work of C.A.R. Hoare

Abstract

Chaum’s Dining Cryptographers protocol crystallises the essentials of security just as other famous diners once demonstrated deadlock and livelock: it is a benchmark for security models and their associated verification methods. Here we give a correctness proof of the Cryptographers in a new style, one in which stepwise refinement plays a prominent role. Furthermore, our proof applies to arbitrarily many diners: that is unusually general. The proof is based on the Shadow Security Model, which integrates non-interference and program refinement: with it, we try to make a case that stepwise development of security protocols is not only possible but also actually to be recommended. It benefits from more than 3 decades of experience of how layers of abstraction can both simplify the design process and make its outcomes more likely to be correct.


Notes

  1. Some researchers [2] do not consider the final h here: for our purposes that would make our program operators non-monotonic for refinement (thus a failure of compositionality). That is, if for hidden h the assignments h := 0 and h := 1 are the same, then for visible v the compositions h := 0; v := h and h := 1; v := h should not be different.

  2. This is the Smyth Order [33] on sets of outcomes that is induced by the order on individual outcomes given by (v, h, H₁) ⊑ (v, h, H₂) iff H₁ H₂.

  3. We use upper case for modal formulae, and lower case for classical.

  4. This is the title of the presentation on which the current paper is based [26].

  5. While based on Chaum’s Dining Cryptographers [6], the story for this tiny example has been especially invented to illustrate piecewise construction of a protocol that ultimately will be quite complex. This is the smallest portion, the first step.

  6. The original story ends differently. Without a protocol, the two diners do engage in “after you” protestations, each believing that the one who eventually chooses first will out of politeness have to take the small cracker; but in fact one diner finally chooses the cake. Outraged, the other diner protests “If I had chosen first, I’d have taken the cracker!” “Well,” replies the first, “That’s exactly what you’ve got.”

  7. We formalise this observation by observing that with the altered declarations hid a; vis b, that is B’s point of view, we have the equality \((\mathbf{reveal}\ a\equiv b) = (\mathbf{reveal}\ a\equiv b; \mathbf{reveal}\ a)\) from (12.6) and b’s being visible.

  8. Three diners is Chaum’s example exactly.

  9. This Arthurian concept is one of Formal Methods’ great contributions to computing.

  10. Think of A’s secret in Section 12.5 being la and B’s secret being br, and re-instantiate the derivation on that basis, replacing \(\equiv \) by ⊕.

  11. This is in the Arabian sense: “as many as you like.”
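As an added illustration, not code from the chapter or its authors, here is the n-diner protocol in the ⊕ form that note 10 alludes to, with Chaum's arrangement of one secret coin shared by each adjacent pair around the table. The function names and the exhaustive observer-view check are my own; the check makes concrete the claim that the protocol works for arbitrarily many diners.

```python
import secrets
from collections import Counter
from itertools import product
from typing import Dict, List, Optional, Tuple

def announce(coins: List[int], payer: Optional[int]) -> List[int]:
    """One round of the n-diner protocol (XOR form).

    coins[i] is the secret coin shared by diner i and diner (i + 1) % n,
    so each diner sees exactly two coins: coins[i - 1] and coins[i].
    A diner announces the XOR of its two coins; the payer (if any) flips
    its announcement. payer=None means no diner paid.
    """
    n = len(coins)
    out = []
    for i in range(n):
        bit = coins[(i - 1) % n] ^ coins[i]
        if i == payer:
            bit ^= 1
        out.append(bit)
    return out

def someone_at_table_paid(announced: List[int]) -> bool:
    """Each coin occurs in exactly two announcements, so XOR-ing them all
    cancels every coin and leaves only the payer's flip (if there was one)."""
    parity = 0
    for b in announced:
        parity ^= b
    return parity == 1

def run_round(n: int, payer: Optional[int]) -> List[int]:
    """Run one round with fresh coins drawn from OS randomness."""
    return announce([secrets.randbits(1) for _ in range(n)], payer)

def observer_view(n: int, payer: Optional[int]) -> Dict[Tuple[int, ...], int]:
    """Distribution of what an outside observer sees, over all 2**n coin
    choices (constructed exhaustively here rather than sampled)."""
    return Counter(tuple(announce(list(c), payer))
                   for c in product((0, 1), repeat=n))

def is_anonymous(n: int) -> bool:
    """True when every choice of payer induces the same observer distribution:
    the announcements reveal *whether* a diner paid, not *which* one."""
    views = [observer_view(n, p) for p in range(n)]
    return all(v == views[0] for v in views)
```

The same enumeration shows why the announcements are uniform over the odd-parity vectors whatever the payer: the map from coins to XOR-pairs has exactly two preimages for every even-parity vector, and the payer's flip shifts all of them by one bit.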

References

  1. Abrial, J.-R.: The B Book: Assigning Programs to Meanings. Cambridge University Press (1996)

  2. Alur, R., Černý, P., Zdancewic, S.: Preserving secrecy under refinement. In: ICALP ’06: Proceedings (Part II) of the 33rd International Colloquium on Automata, Languages and Programming, pp. 107–118. Springer (2006)

  3. Back, R.-J.R.: On the correctness of refinement steps in program development. Report A-1978-4, Dept Comp Sci, Univ Helsinki (1978)

  4. Back, R.-J.R.: A calculus of refinements for program derivations. Acta Inf. 25, 593–624 (1988)

  5. Broadfoot, P.J., Roscoe, A.W.: Tutorial on FDR and its applications. In: Havelund, K., Penix, J., Visser, W. (eds.), SPIN, volume 1885 of Lecture Notes in Computer Science, pp. 322. Springer (2000)

  6. Chaum, D.: The dining cryptographers problem: unconditional sender and recipient untraceability. J. Cryptol. 1(1), 65–75 (1988)

  7. Chong, S., Myers, A.C.: Security policies for downgrading. In: CCS ’04: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 198–209, New York, USA (2004). ACM

  8. Dijkstra, E.W.: A Discipline of Programming. Prentice-Hall (1976)

  9. Engelhardt, K., Moses, Y., van der Meyden, R.: Unpublished report, Univ NSW (2005)

  10. Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)

  11. Fagin, R., Halpern, J., Moses, Y., Vardi, M.: Reasoning about Knowledge. MIT Press (1995)

  12. Goguen, J.A., Meseguer, J.: Unwinding and inference control. In: Proc IEEE Symp on Security and Privacy, pp. 75–86 (1984)

  13. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen message attacks. SIAM J. Comput. 17, 281–308 (1988)

  14. Probabilistic Systems Group: Collected publications. www.cse.unsw.edu.au/~carrollm/probs

  15. Halpern, J.Y., O’Neill, K.R.: Anonymity and information hiding in multiagent systems. In: Proc 16th IEEE Computer Security Foundations Workshop, pp. 75–88 (2003)

  16. Hoare, C.A.R.: An axiomatic basis for computer programming. Comm. ACM 12(10), 576–80, 583 (October 1969)

  17. Hoare, C.A.R.: Communicating Sequential Processes. Prentice Hall (1985)

  18. Jacob, J.: Security specifications. In: IEEE Symposium on Security and Privacy, pp. 14–23 (1988)

  19. Leino, K.R.M., Joshi, R.: A semantic approach to secure information flow. Science Comput. Program. 37(1–3), 113–38 (2000)

  20. Li, P., Zdancewic, S.: Downgrading policies and relaxed noninterference. In: POPL ’05: Proc. 32nd ACM SIGPLAN-SIGACT Symp. on Princ. of Prog. Lang., pp. 158–170, New York, USA (2005). ACM

  21. Mantel, H.: Preserving information flow properties under refinement. In: Proc IEEE Symp Security and Privacy, pp. 78–91 (2001)

  22. McIver, A.K., Morgan, C.C.: The thousand-and-one cryptographers. At [14, McIver:10web]; includes appendices (April 2009)

  23. Morgan, C.C.: Programming from Specifications, 2nd edn. Prentice-Hall (1994). web.comlab.ox.ac.uk/oucl/publications/books/PfS/

  24. Morgan, C.C.: Of probabilistic wp and CSP. In: Abdallah, A., Jones, C.B., Sanders, J.W. (eds.), Communicating Sequential Processes: The First 25 Years. Springer (2005)

  25. Morgan, C.C.: The Shadow Knows: Refinement of ignorance in sequential programs. In: Uustalu, T. (ed.), Math Prog. Construction, volume 4014 of Lecture Notes in Computer Science, pp. 359–78. Springer (2006). Treats Dining Cryptographers

  26. Morgan, C.C.: A calculus of revelations (2008). Presented at VSTTE ’08, Toronto. http://www.cs.stevens.edu/~naumann/vstte-theory-2008/

  27. Morgan, C.C.: The Shadow Knows: refinement of ignorance in sequential programs. Sci. Comput. Program. 74(8) (2009). Treats Oblivious Transfer

  28. Morgan, C.C., McIver, A.K.: Unifying wp and wlp. Inf. Proc. Lett. 20(3), 159–164 (1996). Available at [14, key MM95]

  29. Rabin, M.O.: How to exchange secrets by oblivious transfer. Technical Report TR-81, Harvard University (1981). Available at eprint.iacr.org/2005/187

  30. Rivest, R.: Unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initialiser. Technical report, MIT (1999). theory.lcs.mit.edu/~rivest/Rivest-commitment.pdf

  31. Roscoe, A.W., Woodcock, J.C.P., Wulf, L.: Non-interference through determinism. Journal of Computer Security 4(1), 27–54 (1996)

  32. Sabelfeld, A., Sands, D.: A PER model of secure information flow. Higher-Order Symb. Comput. 14(1), 59–91 (2001)

  33. Smyth, M.B.: Power domains. Jnl. Comp. Sys. Sci. 16, 23–36 (1978)

  34. Wirth, N.: Program development by stepwise refinement. Comm. ACM 14(4), 221–7 (1971)

  35. Wirth, N., Hoare, C.A.R.: A contribution to the development of ALGOL. Commun. ACM 9(6), 413–432 (June 1966)


Correspondence to C. C. Morgan .


Copyright information

© 2010 Springer London

Cite this chapter

McIver, A.K., Morgan, C.C. (2010). The Thousand-and-One Cryptographers. In: Roscoe, A., Jones, C., Wood, K. (eds) Reflections on the Work of C.A.R. Hoare. Springer, London. https://doi.org/10.1007/978-1-84882-912-1_12

  • DOI: https://doi.org/10.1007/978-1-84882-912-1_12

  • Publisher Name: Springer, London

  • Print ISBN: 978-1-84882-911-4

  • Online ISBN: 978-1-84882-912-1
