Abstract
Chaum’s Dining Cryptographers protocol crystallises the essentials of security just as other famous diners once demonstrated deadlock and livelock: it is a benchmark for security models and their associated verification methods. Here we give a correctness proof of the Cryptographers in a new style, one in which stepwise refinement plays a prominent role. Furthermore, our proof applies to arbitrarily many diners: that is unusually general. The proof is based on the Shadow Security Model, which integrates non-interference and program refinement: with it, we try to make a case that stepwise development of security protocols is not only possible but also actually to be recommended. It benefits from more than 3 decades of experience of how layers of abstraction can both simplify the design process and make its outcomes more likely to be correct.
Notes
1. Some researchers [2] do not consider the final h here: for our purposes that would make our program operators non-monotonic for refinement (thus a failure of compositionality). That is, if for hidden h the assignments h := 0 and h := 1 are the same, then for visible v the compositions h := 0; v := h and h := 1; v := h should not be different.
2. This is the Smyth Order [33] on sets of outcomes that is induced by the order on individual outcomes given by \((v, h, H_1) \sqsubseteq (v, h, H_2)\) iff \(H_1 \subseteq H_2\).
3. We use upper case for modal formulae, and lower case for classical.
4. This is the title of the presentation on which the current paper is based [26].
5. While based on Chaum’s Dining Cryptographers [6], the story for this tiny example has been especially invented to illustrate piecewise construction of a protocol that ultimately will be quite complex. This is the smallest portion, the first step.
6. The original story ends differently. Without a protocol, the two diners do engage in “after you” protestations, each believing that the one who eventually chooses first will out of politeness have to take the small cracker; but in fact one diner finally chooses the cake. Outraged, the other diner protests “If I had chosen first, I’d have taken the cracker!” “Well,” replies the first, “That’s exactly what you’ve got.”
7. We formalise this observation by observing that with the altered declarations hid a; vis b, that is B’s point of view, we have the equality \((\mathbf{reveal}\ a\equiv b) = (\mathbf{reveal}\ a\equiv b; \mathbf{reveal}\ a)\) from (12.6) and b’s being visible.
8. Three diners is Chaum’s example exactly.
9. This Arthurian concept is one of Formal Methods’ great contributions to computing.
10. Think of A’s secret in Section 12.5 being l ⊕ a and B’s secret being b ⊕ r, and re-instantiate the derivation on that basis, replacing \(\equiv\) by ⊕.
11. This is in the Arabian sense: “as many as you like.”
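Notes 8, 10 and 11 above concern the ⊕-based form of Chaum's protocol for an arbitrary number of diners. The following Python is an added example, not code from the chapter or its authors; it assumes Chaum's standard construction in which each pair of ring-neighbours shares one private coin bit, each diner announces the XOR of the two coins it can see (flipped if it paid), and the public XOR of all announcements reveals only whether some diner paid. The `observer_view` function checks the anonymity claim directly by enumerating every coin outcome and confirming that the distribution of public announcements is the same whichever diner paid.

```python
"""Dining Cryptographers for arbitrarily many diners (added example, not the chapter's code)."""
import secrets
from collections import Counter
from itertools import product
from typing import Counter as CounterT, List, Optional, Tuple


def announcements(coins: List[int], payer: Optional[int]) -> List[int]:
    """coins[i] is the private bit shared by diners i and (i + 1) mod n.

    Diner i sees coins[i - 1] and coins[i] and announces their XOR,
    flipping the result if diner i is the one who paid (payer == i).
    """
    n = len(coins)
    out = []
    for i in range(n):
        bit = coins[i - 1] ^ coins[i]   # index -1 wraps to n - 1 for diner 0
        if payer == i:
            bit ^= 1                    # the secret enters only through this flip
        out.append(bit)
    return out


def someone_paid(announced: List[int]) -> bool:
    """Public verdict: every shared coin appears in exactly two announcements and
    cancels under XOR, so the overall parity is 1 iff some diner flipped."""
    parity = 0
    for b in announced:
        parity ^= b
    return parity == 1


def run_round(n: int, payer: Optional[int]) -> bool:
    """One live round with fresh random coins; payer=None means nobody paid."""
    coins = [secrets.randbits(1) for _ in range(n)]
    return someone_paid(announcements(coins, payer))


def observer_view(n: int, payer: Optional[int]) -> CounterT[Tuple[int, ...]]:
    """What an outside observer can learn: the distribution of the public
    announcement vector over all 2^n equally likely coin outcomes."""
    return Counter(
        tuple(announcements(list(c), payer)) for c in product((0, 1), repeat=n)
    )


def payer_is_hidden(n: int) -> bool:
    """Anonymity check: the observer's distribution is identical for every
    choice of payer, so the announcements carry no information about who paid."""
    views = [observer_view(n, p) for p in range(n)]
    return all(v == views[0] for v in views)


if __name__ == "__main__":
    # Constructed sample run for five diners, diner 2 paying.
    print("someone paid:", run_round(5, 2))
    print("nobody paid:", run_round(5, None))
    print("payer hidden (n=5):", payer_is_hidden(5))
```

Only the parity of the announcements is public, which is exactly the refinement target: the visible outcome is "some diner paid" while the identity of the payer stays in the hidden part of the state. The enumeration in `payer_is_hidden` is exponential in `n` and is meant for small instances; the protocol itself is linear.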
References
1. Abrial, J.-R.: The B Book: Assigning Programs to Meanings. Cambridge University Press (1996)
2. Alur, R., Černý, P., Zdancewic, S.: Preserving secrecy under refinement. In: ICALP ’06: Proceedings (Part II) of the 33rd International Colloquium on Automata, Languages and Programming, pp. 107–118. Springer (2006)
3. Back, R.-J.R.: On the correctness of refinement steps in program development. Report A-1978-4, Dept Comp Sci, Univ Helsinki (1978)
4. Back, R.-J.R.: A calculus of refinements for program derivations. Acta Inf. 25, 593–624 (1988)
5. Broadfoot, P.J., Roscoe, A.W.: Tutorial on FDR and its applications. In: Havelund, K., Penix, J., Visser, W. (eds.), SPIN, volume 1885 of Lecture Notes in Computer Science, p. 322. Springer (2000)
6. Chaum, D.: The dining cryptographers problem: unconditional sender and recipient untraceability. J. Cryptol. 1(1), 65–75 (1988)
7. Chong, S., Myers, A.C.: Security policies for downgrading. In: CCS ’04: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 198–209. ACM, New York, USA (2004)
8. Dijkstra, E.W.: A Discipline of Programming. Prentice-Hall (1976)
9. Engelhardt, K., Moses, Y., van der Meyden, R.: Unpublished report, Univ NSW (2005)
10. Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)
11. Fagin, R., Halpern, J., Moses, Y., Vardi, M.: Reasoning about Knowledge. MIT Press (1995)
12. Goguen, J.A., Meseguer, J.: Unwinding and inference control. In: Proc IEEE Symp on Security and Privacy, pp. 75–86 (1984)
13. Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen message attacks. SIAM J. Comput. 17, 281–308 (1988)
14. Probabilistic Systems Group: Collected publications. www.cse.unsw.edu.au/~carrollm/probs
15. Halpern, J.Y., O’Neill, K.R.: Anonymity and information hiding in multiagent systems. In: Proc 16th IEEE Computer Security Foundations Workshop, pp. 75–88 (2003)
16. Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 12(10), 576–580, 583 (October 1969)
17. Hoare, C.A.R.: Communicating Sequential Processes. Prentice Hall (1985)
18. Jacob, J.: Security specifications. In: IEEE Symposium on Security and Privacy, pp. 14–23 (1988)
19. Leino, K.R.M., Joshi, R.: A semantic approach to secure information flow. Sci. Comput. Program. 37(1–3), 113–138 (2000)
20. Li, P., Zdancewic, S.: Downgrading policies and relaxed noninterference. In: POPL ’05: Proc. 32nd ACM SIGPLAN-SIGACT Symp. on Princ. of Prog. Lang., pp. 158–170. ACM, New York, USA (2005)
21. Mantel, H.: Preserving information flow properties under refinement. In: Proc IEEE Symp Security and Privacy, pp. 78–91 (2001)
22. McIver, A.K., Morgan, C.C.: The thousand-and-one cryptographers. At [14, McIver:10web]; includes appendices (April 2009)
23. Morgan, C.C.: Programming from Specifications, 2nd edn. Prentice-Hall (1994). web.comlab.ox.ac.uk/oucl/publications/books/PfS/
24. Morgan, C.C.: Of probabilistic wp and CSP. In: Abdallah, A., Jones, C.B., Sanders, J.W. (eds.), Communicating Sequential Processes: The First 25 Years. Springer (2005)
25. Morgan, C.C.: The Shadow Knows: Refinement of ignorance in sequential programs. In: Uustalu, T. (ed.), Math Prog. Construction, volume 4014 of Lecture Notes in Computer Science, pp. 359–378. Springer (2006). Treats Dining Cryptographers
26. Morgan, C.C.: A calculus of revelations (2008). Presented at VSTTE ’08, Toronto. http://www.cs.stevens.edu/~naumann/vstte-theory-2008/
27. Morgan, C.C.: The Shadow Knows: refinement of ignorance in sequential programs. Sci. Comput. Program. 74(8) (2009). Treats Oblivious Transfer
28. Morgan, C.C., McIver, A.K.: Unifying wp and wlp. Inf. Proc. Lett. 20(3), 159–164 (1996). Available at [14, key MM95]
29. Rabin, M.O.: How to exchange secrets by oblivious transfer. Technical Report TR-81, Harvard University (1981). Available at eprint.iacr.org/2005/187
30. Rivest, R.: Unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initialiser. Technical report, MIT (1999). theory.lcs.mit.edu/~rivest/Rivest-commitment.pdf
31. Roscoe, A.W., Woodcock, J.C.P., Wulf, L.: Non-interference through determinism. Journal of Computer Security 4(1), 27–54 (1996)
32. Sabelfeld, A., Sands, D.: A PER model of secure information flow. Higher-Order Symb. Comput. 14(1), 59–91 (2001)
33. Smyth, M.B.: Power domains. Jnl. Comp. Sys. Sci. 16, 23–36 (1978)
34. Wirth, N.: Program development by stepwise refinement. Commun. ACM 14(4), 221–227 (1971)
35. Wirth, N., Hoare, C.A.R.: A contribution to the development of ALGOL. Commun. ACM 9(6), 413–432 (June 1966)
© 2010 Springer London
Cite this chapter
McIver, A.K., Morgan, C.C. (2010). The Thousand-and-One Cryptographers. In: Roscoe, A., Jones, C., Wood, K. (eds) Reflections on the Work of C.A.R. Hoare. Springer, London. https://doi.org/10.1007/978-1-84882-912-1_12
DOI: https://doi.org/10.1007/978-1-84882-912-1_12
Publisher Name: Springer, London
Print ISBN: 978-1-84882-911-4
Online ISBN: 978-1-84882-912-1