An Extension of CryptoPAi to the Formal Analysis of E-voting Protocols

(1)

Journal of Computing and Security

An Extension of

CryptoPAi

to the Formal Analysis of E-voting

Protocols

Hamid Reza Mahrooghi

a,∗

, Rasool Jalili

b

a_{Department of Computer Engineering, Imamreza International University, Mashhad, Iran.} b_{Department of Computer Engineering, Sharif University of Technology, Tehran, Iran.}

A R T I C L E I N F O.

Article history:

Received:16 October 2018

Revised:4 August 2019

Accepted:9 October 2019

Published Online:2 December 2019 Keywords:

Process Algebra, E-Voting Protocols, Formal Specification and Verification, CryptoPAi.

A B S T R A C T

CryptoPAi is a hybrid operational-epistemic framework for specification and analysis of security protocols with genuine support for cryptographic constructs. This framework includes a process algebraic formalism for the operational specification and an epistemic extension of modal µ-calculus with past for the property specification. In this paper, we extend CryptoPAi framework with more cryptographic constructs. The main practical motivation for this work came from the domain of e-voting protocols and then we investigate the applicability of the extended framework in this domain. The framework provides explicit support for cryptographic constructs, which is among the most essential ingredients of security and e-voting protocols. We apply our extended framework to the FOO e-voting protocol. We also promote the prototype model-checker of the framework in the Maude rewriting logic tool and apply it to model-check some specified properties on their corresponding models.

c

1 Introduction

Operational specifications provide an intuitive representation of security protocols (see [1], [2], [3], [4], [5]). Unfortunately, these standard and successful verification schemes use temporal-logics that are not well-suited for expressing knowledge-based propertie.

Also, epistemic (i.e., knowledge-related) spec-ifications [6–8] provide inherent support for cor-rectness requirements: most security properties (e.g., secrecy and anonymity) concern

impossi-∗ _{Corresponding author.}

bility of gaining knowledge about certain facts, or correspondence between a notion of belief and what is actually the case (e.g., authenti-cation). Therefore, many approaches based on epistemic logics have been developed for the analysis of such protocols.

(2)

e.g., [9–13]).

An approach combining the best of the two worlds is highly desirable, i.e., an approach allowing for protocol specification in the op-erational style and property specification and verification in the epistemic style. This has al-ready been noted by several authors and there already exists some literature on such combi-national frameworks [14–16] (cf. related work section below). The approach proposed in [17] allows one to specify the behavior of a proto-col in a process language and verify properties expressed in a logic with both temporal and epistemic operators.

This paper extends and promotes the

CryptoPAi model checking application based on some essential issues that we have to con-sider. As defined in [18] and [19], using Rnd

is one of these issues that we need in order to keep track of different invocations of the en-cryption primitive (representing probabilistic operations). We reason under the assumption of perfect cryptography and assume that the results of two invocations of encryption will be different, even with the same arguments, as opposed to two copies of the same invocation of the encryption operation, which are in fact the same terms. Another issue is related to the definition of pattern that is a parameter to our theory. An alternative definition would be possible, with some complications. Based on this approach, our pattern-definition have to be refined using a type-preserving bijective renaming function of keys, nonces, and random-numbers. This reflects the intuition that two different randomly chosen keys (,nonces, or random-numbers) are indistinguishable [20]. Although they have different names, they both represent samples from the same distribution and we can replace one of them with the other. These parametericity are further demonstrated by our extension to the term structure and the definition of pattern in Section 2.

We provide some more advanced crypto-graphic constructs to allow specifying the be-havior of more protocols in our process lan-guage and then verifying properties expressed in our logic with both temporal and epistemic operators. The domain of e-voting protocols is the main practical motivation for current work. We investigate the applicability of our frame-work in this domain by applying it to the FOO

e-voting protocol. Using our tool, we model-check some specified properties of this protocol on their corresponding models.

Related Work

Using epistemic logic for the specification and verification of security protocols has been the subject of numerous papers and a comprehen-sive survey of all these pieces of work goes be-yond the scope of this paper. We refer to two doctoral theses [13, 21], which provide an ex-tensive survey of the state of the art. Opera-tional techniques and behavioral verification have been the primary focus of protocols de-signers and hence providing a survey of oper-ational and behavioral approaches is virtually impossible. Hence, we only focus on approaches that combine the behavioral and epistemic ap-proaches to protocol specification and verifica-tion.

The fact that the two verification approaches, process algebraic and epistemic, are comple-mentary and that they should ideally be com-bined has already been recognized in [7], where the aim is, just as here, to provide a frame-work in which both protocol specification and correctness criteria can be specified succinctly and intuitively (and the authors indeed put the two approaches in sharp contrast). However, [7] takes a totally different path towards its goals and develops a domain-theoretic notion of function views to define security protocols and their properties.

Thus, combining the best of the two opera-tional and epistemic styles is highly desirable, i.e., an approach allowing for protocol specifica-tion in the operaspecifica-tional style and property spec-ification and verspec-ification in the epistemic style.

CryptoPAi is our earlier combinational frame-work with a genuine support for some crypto-graphic constructs [17]. In the framework, a process-algebraic syntax (with parameterized actions) has been introduced for expressing the operational specification of the security proto-cols and an epistemic extension of the modal

µ-calculus with past [22] for property specifi-cation.

(3)

sys-tems. Our key improvement is the introduction of a process specification language with a for-mal semantics, which enables the modelling of systems at a reasonable abstraction level.

In [16] an extension of a dynamic spatial logic with knowledge-related constructs is presented. There are a number of essential differences between the approach of [16] and that of [17] such as: the notion of knowledge captured in [16] captures only an explicit notion of local knowledge through the content of the received messages; the notion of symbolic crypto-term used in [16] is coarser than the notion used in [20] and adopted in [17].

In [14] an epistemic logic for the appliedπ -calculus [25] is presented. We improved upon the approach of [14] in some essential ways such as: The notion of knowledge captured in [17] allows for different views of the events by different principals and introduces a more expressive logic with fixed points. A prototype model-checker for our framework is provided in the Maude rewriting logic tool (see [17]) while [14] does not introduce a tool.

There is still ongoing research in finding a generic and compositional approach to protocol specification in the operational style and prop-erty specification in the epistemic style. We re-fer to [17],[13],[7],[26] for a more detailed com-parison of epistemic-based vs. process-based protocol verification. As in [17], the concept of indistinguishability used here bears resem-blances to the data independence technique in [27]. In fact, runs of a protocol are indistin-guishable if they appear equal to a principal (as defined by the visibility range of actions and their public appearance).

We further extend the framework of

CryptoPAiwith more advanced constructs and it can be extended for forming a very rich frame-work with support for epistemic, probabilistic and cryptographic constructs as a future work. A part of the framework proposed in [28] has been extended with probabilities in [15].

Structure of the Paper

In Section 2.1, we recall our basic cryptographic terms using symmetric encryption and then this basic setting is extended with various con-structs such as asymmetric keys, blinding and signing show the modularity of our approach by

plugging the new term structure into the ear-lier setting. In sections 2.3 and 2.4, the syntax and the semantics ofCryptoPAiis recalled. In Section 3, we present the syntax and semantics ofEµ(as our property specification language), which is an epistemic extension of the modal

µ-calculus with past. We have completed the implementation of our earlier prototype (to mechanize reasoning about our specifications), which we report in Section 5 and further show specifying and reasoning about FOO e-voting protocol as a case study. Section 6 concludes the paper and presents some directions for further research. Some semantic results and details of the implementation are left out and we refer to [17] for complete details of the techniques used in this implementation and the results.

2 The

CryptoPAi

Calculus

CryptoPAicalculus extended the syntax of CCS with two essential ingredients: identities and cryptographic terms. In the remainder of this section, we first define our new notion of cryp-tographic terms. Subsequently, we recall the syntax of theCryptoPAi calculus and its oper-ational semantics.

2.1 Cryptographic Terms

Our original signature for cryptographic terms features basic constructs such as plain text, nonces, symmetric keys, and encryption, given in the following definition. This signature can be easily extended, as demonstrated in the following definition, with more constructs, such as asymmetric keys, signing, and blinding.

Definition 1 (Symbolic Terms). We as-sume a syntactic classKeyof symmetric and asymmetric keys, typically denoted by k,

ki,. . .,pkid,skid,. . . (k and ki represent

sym-metric keys, the publicpkidandskidrepresent

the public and private keys of a principal with identity idrespectively); a syntactic class Id

ofprincipal identities, typically represented by

A,B, 1, 2,. . .; a classVar ofvariables, typi-cally denoted byx,xA,xk,. . .; a classNonce

of nonces, denoted by n, nI, . . .; and a class Msg of plain-text messages, denoted by m,

mI,. . .. Plain text messages, keys and nonces

(4)

The set of crypto-terms, denoted byTerm, is defined by the following grammar:

M, N ::=k|id|m|x|n|r|

{M}k,r|(M, N)|pkid |skid | {M}apkid,r

| {M}s

skid,r | {M}

b r

where k, pkid, skid,r ∈ Key, id ∈ Id, m ∈ Msg, x ∈ Var, id ∈ Id, m ∈ Msg, and

n∈ Nonce. The term{M}k,r is the result of encrypting M with the symmetric keyk and random-number r ∈ Rnd. The term (M,N)

represents pairing ofM andN.

The set of crypto-terms, is extended by asymmetrically encrypted term {M}a

pkid,r,

signed term {M}s

skid,r, and blinded term

{M}b

r. {M}br denotes the term M blinded

using the random numberr∈ Rnd(as blind-ing factor). Usblind-ing the blind signature scheme enables a principal to strip the signed term off from the signed blinded term. Another important and relevant detail is that the de-cryption, unsigning, and unblinding of terms can be operated using the relevant inverted key, respectively.

Since some of the cryptographic construc-tors (such as encryption) represent probabilis-tic operations, we need to useRndin order to keep track of different invocations of the en-cryption primitive. Under the assumption of perfect cryptography, we assume that the re-sults of two invocations of encryption will be different, even with the same arguments, as op-posed to two copies of the same invocation of the encryption operation, which are in fact the same terms. As the label r is the invocation identifier of the encryption primitive, when-ever we consider two expressions{m}k,r and

{m0}k0_,r with the same labelr, then it should

also hold thatm=m0_and_k₌_k0_.

To avoid cluttering the notation, we assume that pairing associates to the right and thus, we denote nested pairs of the form (M0,(M1, , . . . ,(Mn−1, Mn))) by

(M0, M1, . . . , Mn−1, Mn). Informally, we may

just write {M}k, {M}a

pkid, and {M}

s skid

in-stead of {M}k,r, {M}a

pkid,r, and {M}

a skid,r,

whenris irrelevant or clear from the context. Plain text messages may be of different types (e.g., strings and integers), each equipped with

an algebraic structure (e.g., concatenation and arithmetic operators, respectively). We do not elaborate further on this aspect of term speci-fication and allow for its tacit use in protocol specifications.

2.2 Term Deduction.

Terms can be derived (i.e., (de)constructed) from others due to using cryptographic opera-tions. This concept has been captured by the deduction rules in Figure 1. A judgement of the formT `M readstermM is derivable from the setTof terms. The deduction rules are self-explanatory; we only note that in these rules

M is an arbitrary crypto-term, whilekis a key. To apply the extension mentioned in Section 1, we need to extend our term deduction rules by the relevant rules, depicted in Figure 2, which are also relevant to the public-key encryption system.

The rules (blind), (unblind), and (blindsign), show that a principal who has the keyk, can blind or unblind a term, and also obtain{M}s

ski

from the term{{M}b

r}sskiblindly signed by the

principal i (i.e., {{M}s skid}

b

r ≡ {{M}br}sskid).

The term{M}a

pki means that the termM has

been encrypted using the public-keypki (enca

rule).ski denotes the relevant private-key of

pki and is used to extract the termM from {M}a

pki (deca rule). The term{M}

s

ski

repre-sents the messageM signed by the private-key

ski(signrule). The signed term{M}sskican be

unsigned (and indeed check the sign) using the corresponding public-key pki (unsign rule).

However, depending on the signature schseme, theunsignrule may be used to retrieve the messageM from the signature. i.e.,

(unsign) T ` {M}

s ski

T `M

2.3 CryptoPAi Syntax

(5)

(∈T)

T `MM∈T

(pair) T `M T `N

T `(M, N) (fst)

T `(M, N)

T `M (snd)

T `(M, N)

T `N

(dec) T ` {M}k T `k

T `M (enc)

T `k T `M T ` {M}k

Figure 1. Term Deduction Rules.

(blind) T `M T `r

T ` {M}b r

(unblind) T` {M}

b

r T `r

T `M (blindsign) {{M}b

r}sski ≡ {{M}

s ski}

b r

(deca)

T ` {M}a

pki T `ski

T `M (enca)

T `pki T `M

T ` {M}a pki

(sign) T`ski T `M

T ` {M}a ski

(unsign) T ` {M}

s

ski T `pki

T `M

Figure 2. Extended Term Deduction Rules.

actions, respectively. Actions that result from a synchronization as well as internal actions are denoted without any annotation. (Note that this is a slight deviation from Milner’s CCS, where the result of a synchronization is nec-essarily denoted by an internal action. In our calculus, agents may be able to observe and de-rive useful information from synchronizations.) Actionτ∈ Actdenotes the silent action which also represents a message that offers no new information to any observer.

P, Q::= P rocesses

0 inaction

D;P action pref ixing P+P nondeterministic choice P ||P parallel composition

∂(P) encapsulation

D::= (J)α(−M→)

Constant 0 denotes inaction (termination). Action prefixing is denoted byd;P, for each

d ∈ D; an action may contain zero or more

crypto-terms as parameters. Nondeterministic choice amongPandQis denoted byP+Qand means that the first action taken by either of the two processes determines the choice.P||Q

denotes parallel composition; it allows for in-terleaving of internal actions and the results of earlier communications as well as hand-shaking synchronization between input and output ac-tions. Hand-shaking synchronization results in a value-passing by replacing the variables of the receiving party with closed terms from the sending party. Our language also includes an encapsulation operator,∂, which prevents un-successful communication attempts and turns them into deadlock.

d= (J)α(−M→)∈D denotes a parametric dec-orated action, which has the following intu-ition: actionα∈ Actwith parameters−M→is vis-ible to principali∈J⊆ Id. Other principals (j /∈J) observe ρ(α(−M→)) being taken, where

(6)

princi-pals. The combination of identity decoration on actions, action renaming (public appearance), and action parameters provides different views on the behavior of protocols, according to dif-ferent (participating or observing) principals.

To avoid cluttering the syntax, we assume that action prefixing binds stronger than non-deterministic choice and non-non-deterministic choice binds stronger than parallel composi-tion. Also, we omit the trailing 0 and write, for example,dford; 0.

2.4 CryptoPAi Semantics: Indistin-guishability

The operational state ofCryptoPAiis typically denoted by (P,Γ), which comprises two compo-nents: a processP and a computation Γ. The first component of the operational semantics determines the possible future behavior of the specified system, while the second component records the history of its past behavior, i.e., which processes executed which decorated ac-tions leading to the current state. The process

P has the syntax described in the previous section. The computation Γ, formally defined below, is a sequence of pairs of processes and decorated actions.

Definition 2 (Computation). A computa-tion Γ∈ History is a sequence of pairs (p, d), where pis process in the syntax given in the syntax section ofCryptoPAianddis a param-eterized decorated action with term parameter (of the form (J)α(−M→), see the same section). By (p, d)__{Γ, we denote concatenating a pair}

(p, d) with a computation Γ. The empty com-putation is denoted byε.

The operational semantics defines two types of relations among states: a transition relation, defining how a state may evolve by perform-ing actions, and an indistperform-inguishability relation (labeled by principal identities), defining all states that are deemed possible, given the cur-rent computation observed by each principal. This combination, called an Epistemic Labeled Transition System (ELTS). In order to define the indistinguishability, a number of auxiliary definitions are necessary, presented in the re-mainder of this section.

Patterns. The followingPatternfunction (as in [20]) is defined to reduce a given termM

to a pattern using a set of keys deduced from the term itself. This function provides an ab-stract view of encryption, capturing the fact encrypted terms are indistinguishable if their respective keys are not available (denoted by

2).

Definition 3 (Patterns). A pattern is a crypto-term with (possibly multiple) occur-rences of a specific constant 2r _{(indexed by}

random-numbers), capturing those encrypted messages that cannot be decrypted. Hence, the setPT ermof patterns is defined with the following grammar.

MP, NP ::=k|pk |sk|r|id|m| {MP}k,r | {MP}apk,r | {MP}ssk,r | {MP}br|(MP, NP)|2r

The function Pattern : Term → PT erm

is redefined below using the auxiliary function

pat : Term× Key → PT erm which defines the pattern of a message given a set of keys.

P attern(M) =pat(M,{k∈ Key|M `k}).

Intuitively, pattern of term maps the observed term to what can be learned and understood from the viewpoint of a principal.

pat(id, K) =id (id∈ Id), pat(k, K) =k (k∈ Key), pat(m, K) =m (m∈ Msg),

pat(n, K) =n (n∈ Nonce), pat((M, N), K) = (pat(M, K), pat(N, K)),

pat({M}r k, K) =

    

   

{pat(M, K)}r

k if k∈K,

2r _otherwise.

(7)

pat(pkid, T) =

pkid (pkid∈ Key),

pat(skid, T) =

skid (skid∈ Key),

pat(r, T) =

r (r∈ Rnd),

pat({M}a

pkid,r, T) =                     

{pat(M, T)}a pkid,r

if T `skid

or (T `pkid and T `M)

2r

otherwise.

pat({M}s

skid,r, T) =                     

{pat(M, T)}s skid,r

if T `pkid

or (T `skid and T `M)

2r

otherwise.

pat({M}b r, T) =

 



{pat(M, T)}b

r if T `r,

2r _otherwise.

We re-use the same notation and write

pat(M) for pat(M, K), where K is the set of all keysksuch thatM `k.

Using this notion of patterns and incorpo-rating the randomness of keys and nonces, we define the following notion of pattern equiva-lence, denoted by≡P.

Definition 4 (Pattern Equivalence). Two terms m and m0 ∈ Term are pattern equiv-alent, denoted by m ≡p m0, if and only if there exist a type preserving bijection σ of

Key ∪ Nonce ∪

;rndset, such thatpat(m) =pat(m0σ), where

m0σdenotes the application ofσtom0.

Example 1. The following examples illus-trate the notion of pattern:

pat({{(kAB, B)}rkBS}

r0

kAS,∅) = 2

r0

pat({{(kAB, B)}rkBS}

r0

kAS,{kAS, kBS}) = {{(kAB, B)}

r kBS}

r0 kAS

pat({B}r k,{B}

r0

k) = (2

r_,₂r0₎

Example 2. The following examples illus-trate the notion of pattern equivalence:

k ≡p k0

(k0, k0) 6≡p (k0, k1) ifk06=k1 ({A}r

k, k) 6≡p ({B} r0

k0, k0) ifA6=B

({B}r k,{B}

r

k) 6≡p ({B} r k,{B}

r0

k) ifr6=r0

The following lemma illustrates that the in-formation abstracted away by the notion of pattern, can always be recovered by putting terms into context.

Lemma 1. Consider two termsmandm0such thatm ≡p m0_{; if it holds that for each term}

m00_,₍_m00_{, m}₎_≡p₍_m00_{, m}0₎_{, then}_m_and_m0_are syntactically equal.

Proof. See [17].

In order to lift the notion of pattern equiva-lence to computations, we need the notions of appearance for actions and visible terms, de-fined below.

Definition 5 (Appearance of Actions).

Given a decorated action d and an iden-tity i, the appearance of d to i, denoted by

Appeari(d), is defined as follows.

Appeari((J)a(−M→)) =         

a(−M→) if i∈J,

b(−→M0) if i /∈J andρ(a(−M→)) =b(−→M0)

In the above definition, it is assumed that−M→

and−→M0can be empty vectors of terms, denoting actions with no parameter (includingτ).

Definition 6 (Visible Terms). Given a computation Γ and an identity i, the set of visible terms in Γ according toiis denoted by

T ermSeti(Γ), and is defined below (ε and ∅

(8)

T ermSeti_{(Γ) =}                                 

∅ if Γ =ε,

{−M→} ∪T ermSeti(Γ0) if Γ = (p, d)

__Γ0_and _Appeari₍_d_{) =}_a₍−_M→₎_,

T ermSeti_(Γ0₎ _{if Γ = (}_{p, d}₎ __Γ0_and _Appeari₍_d_{) =}_a₍₎_.

Definition 7 (Indistinguishability of Computations). Let Γ be a computation, then the pattern of computation Γ from the viewpoint of the principal i is denoted by

HP atterni(Γ), as defined below.

HP atterni(Γ) =                                                                                  ε

if Γ =ε,

HP atterni(Γ0)

if Γ = (P, D)_Γ0 andAppeari₍_D_{) =}_τ,

a(pat(M, Ti₎₎__{HP attern}i_(Γ0₎

if Γ = (p, d)__Γ0

andAppeari₍_d_{) =}_a₍_M₎_,

a()__{HP attern}i_(Γ0₎

if Γ = (p, d)_Γ0 andAppeari(d) =a()

anda6=τ,

where Ti ₌_{_t_|_t_{∈ T}_erm _∧ _{T ermSet}i_(Γ)_`

t}.

Next, we define the indistinguishability rela-tion, denoted by=, of histories as follows.i

Γ= Γi 0 if and only if

HP atterni(Γ) =HP atterni(Γ0σσ0σ00),

for some bijections

σ:Key→ Key, σ0_:_N_once_{→ N}_{once, and σ}00_:_R_nd_{→ R}_nd

Some extensions and issues such as com-posed/related keys, randomness, and cycles (encrypting a key under itself) are useful in modeling realistic protocols, but would compli-cate our definitions and theorems. So, we leave them for further work.

2.5 CryptoPAi Semantics: Deduction Rules

Plotkin-style deduction rules for the structural operational semantics [29] of CryptoPAi are given in Figure 3.

The transition relation → has exactly the same role and meaning as in the standard no-tion of Labeled Transino-tion system (LTS). The formulas_Xshows the possibility of termination in states. The indistinguishability betweens0 ands1 according to principaliis denoted by expressions0

i

· · ·s1. Observing of actions de-pends on the visibility range of actions. The relation ⇒ ⊆d St×St has been defined for each parametric decorated actiond∈Dwhere

Stis the set of operational states. The deduc-tion rules for ⇒d are mostly self-explanatory and standard to most process algebras. One peculiar deduction rule is (p3) which uses the premiseσ=match(−M ,→ −→M0) in order to match the open term at the receiving process with the (closed) term at the sending side. The matching (unifying) substitution is then applied to the continuation of the receiving process, thereby replacing its variables with the received val-ues. In the deduction rule (strip), the extra information on the labels (concerning the visi-bility range) are stripped off, i.e., we block in-dividual send and receive actions and thereby obtain the transition relation →. Deduction rule (IC) move the indistinguishability

(9)

(0)

(0,Γ)_X (d) ₍_d_;_P,_Γ) d

⇒(P,Γ_₍_d_;_{P, d}₎₎

(n0) (p0,Γ)

d

⇒(q0,Γ_(p0, d)) (p0+p1,Γ)

d

⇒(q0,Γ_(p0+p1, d))

(n2) (p0,Γ)X

(p0+p1,Γ0)X

(p0) (p0,Γ)

d

⇒(q0,Γ_(p0, d)) (p0||p1,Γ)

d

⇒(q0||p1,Γ_(p0||p1, d))

(p2) (p0,Γ)X (p1,Γ

0₎

X (p0||p1,Γ00)X

(p3) (p0,Γ)

(J)?a(−M→)

⇒ (q0,Γ0) (p1,Γ)

(J0)!a(−→M0)

⇒ (q1,Γ00) σ=match(

−→

M ,−→M0₎

(p0||p1,Γ)

(J∪J0)a(−→M0)

⇒ (σ(q0)||q1,Γ_(p0||p1,(J∪J0)a(

−→

M0)))

(strip) (p,Γ)

(J)a(−M→)

⇒ (q,Γ0) (p,Γ)a(

−→ M)

→ (q,Γ0)

(IC)

Γ0

i

= Γ1 (p0,Γ0)

i

· · ·(p1,Γ1)

Figure 3. SOS Rules ofCryptoPAi.

the premises and the conclusion of rules (n2) and (p2). The transition relation ⇒ and in-distinguishability equivalence relation· · ·are the sets of all closed statements provable us-ing the deduction rules (plus their symmetric versions) from Figure 3. These define an Epis-temic Labeled Transition System (ELTS) for each processp, as defined below.

Definition 8 (Semantics of Processes).

Given the sets Act and Term, an ELTS is a 5-tuple hSt,→,_X, IC, s0i, where → ⊆

St × Act × Term∗ × St is the transition relation, _X ⊆ St is the termination pred-icate, IC ⊆ St × Id×St is the

histories-indistinguishability relation, and s0 is the initial state.

The semantics of processphas been defined by the ELTS with pairs of processes and trace histories as states, → as transition relation,_X as termination relation, · · ·as indistinguisha-bility equivalence relation, and (p, ε) as the ini-tial state, whereεdenotes the empty compu-tation.

An operational state is a pair (p,Γ), where

p ∈ Proc is a CryptoPAi process and Γ is a finite computation recording the history of the

process executed so far.

3 Eµ: An Epistemic Mu-Calculus

Eµis the modalµ-calculus extended with past and two epistemic constructs:HasandK, rep-resenting local and epistemic knowledge [17]. The semantics of Eµ has been given on the ELTS [17], thereby connecting the protocol specification and the logical reasoning domain. Epistemic knowledge refers to all facts that a principal can deduce from the particular run of the protocol, set aside all possible runs (also including facts of the form “principaliknows that principalj knows the key k”). Now we recall our logic in the following section.

3.1 Syntax

(10)

φ::=> |X | ^ j∈J

φj | ¬φ

| ha(−M→)i

φ| ha(−M→)i

φ|Kiφ|Hasi(M)|νX.φ(X) (ifX occurs only positively inφ),

wherei∈ Id,M ∈ Term, and a(−M→) is a pa-rameterized action.ha(−M→)iφmeans that “after somea(−M→) transitionφholds”;ha(−M→)iφhas the same meaning asha(−M→)iφ, except that it refers to thepast; it intuitively means that there is a state in whichφholds and from which it is possible to take ana(−M→)-step to the current state. Kiφ indicates that “principal i knows

thatφholds”.Hasi(M) means that the term

M can be deduced (trough our term deduction rules) in the current state by the principal i. Recursive concepts can be defined using the greatest fixed point operatorνX.φ(X), i.e., the current state is in the largest set X of states that satisfyφ(X).

For convenience, the abbreviations, defined in Figure 4, are used for commonly used logical formulae: The common knowledge property is a very powerful construction, particularly for protocols where trust is an issue. It has posed a real challenge for specification and verification with the standard operational techniques so far. We have modeled this property by theCJφ

operator, expresses that agents inJ not only know that φ holds, but also all agents in J

know thatφholds, and all agents in J know that all agents inJ know thatφholds, and so on.Eµ-forms denotes the set ofEµformulas. In the following definition, the satisfaction of a formula φ ∈ Eµ-forms in the ELTS E is interpreted.

Definition 9 (Satisfaction). Let E be an ELTS as E =hS,→,_X, IC, s0iands∈S be a state of E. The satisfaction relation |= for formulasφ∈ Eµ-forms is defined inductively in Figure 5: E satisfies a formulaφ, denoted E|=φ, ifs0|=φ.

For example, the knowledge operator Kiφ

indicates thatiknows thatφifφholds in all states reachable from sthrough the · · ·i rela-tion. The definition of this relation is based on whatiis allowed to observe and relating it

to all computations (trace-histories) that are indistinguishable toi.

4 Case Study

In the following example, we specify the FOO’92 e-voting protocol [30], which uses the cryptographic constructs introduced earlier in this section. FOO’92 is a well-known e-voting protocol, satisfying some security properties such as eligibility and privacy.

Example 3. It is due to compare the new combined framework with using exclusively the operational approach or the epistemic one. The FOO’92 protocol has already been ana-lyzed using both operational [31],[32] and epis-temic approaches [33]. Anonymous channels are assumed in the protocol for communica-tion between voters and the collector author-ity. The protocol comprises voter principals who cast their vote, administrator authority, who identifies eligible voters, and the counter authority, who collects and counts votes and finally publishes the result. To describe the protocol, the following notations are used.

Vi: identity of the voteri,

A: identity of the administrator authority,

C: identity of the counter authority,

ξ(v, k): bit-commitment scheme for messagev

using keyk,

σi(m):Vi’s signature scheme,

σA(m):A’s signature scheme,

e=χ(m, r): blinding messagemusing random numberr, and

vi: vote of voterVi.

Public and private keys are distributed during a pre-stage, calledregistration. Subsequently, the protocol consists these main stages ex-ecuted by the voter(s), administrator, and counter [30]:

(11)

W

j∈Jφj stands for disjunction defined by¬

V

j∈J¬φj.

[a(−M→)]φ intuitively means that afteralla(M−→)-transitions,φholds. i.e.,¬ha(−M→)i¬φ.

µX.φ(X) (withX occurring positively inφ) is the least fixed point operator, which is defined by¬νX.¬φ(¬X) (X also occurs positively in¬φ). The current state is in the smallest set of states satisfyingφ(X).

hiφ stands forW_a_∈A_ct,M_∈T_ermha(−M→)iφ, which is by itself an abbreviation for a number of disjunctions (similarly,hiφstands forW_a_∈A_ct,M_∈T_ermha(−→M)iφ). Intuitively, it means that after (before)sometransitionφholds.

[]φ ¬hi¬φ, after all transitionsπ holds

_a₍−_M→₎ _(similarly, _a₍−_M→₎₎ _is _an _abbreviation _for _µX._h_a₍−_M→₎_{i> ∨ h}_x_i_.X _(or

µX.ha(−M→)i> ∨ hxi.X). So, it is possible to reach a state in the future where ana(−M→)-transition is possible (go back to a state in the past that results from ana(−M→)-transition).

[∗]φ (similarly, [∗_]_φ_{) is an abbreviation for} _µX.φ_∨_[_]_X _(or_µX.φ_∨_[_]_φ_{). The}

intuition behind this abbreviation is that all future paths will (paths in the past) lead to a state, in which there is a state satisfyingφ. (h∗iφandh∗_i_φ

are defined accordingly.)

CJφ stands forνX.(V_i_∈_JKi(X∧φ)), meaning: “it is common knowledge among the principals in the setJthatφholds” [6].

Figure 4. Abbreviations Used for Logical Formulae.

E, s |=> iff true

−→

M)

→ s0_{and E}_{, s}0_|₌_φ

E, s |=ha(−M→)iφ iff there is ans0∈Ss.t.s0a(

−→

M)

→ sand E, s0|=φ

E, s |=Hasi(M) iff T ermSeti(Γ)`M such thats= (q,Γ) E, s |=Kiφ iff for all reachables0∈Ssuch thats

i

· · ·s0: E, s0|=φ

E, s |=νX.φ(X) iff s∈S_{

S0⊆S|∀s0∈S0.E, s0|=φ(X:=S0)}

Figure 5. Satisfaction Relation of Our Logic.

the voter. The blind-signature is used to guarantee the voter privacy; the admin-istrator signs the message in which the vote is hidden.

• Voting andCollecting: at this stage, the voter anonymously sends her ballot signed by administrator to the counter. At the end of this stage, the counter publishes the list of received ballots.

• Opening andCounting: finally, the voter has to reveal her random keyrto the col-lector in order to open the votes and

pub-lish the result.

(12)

1. Vi−→A : (Vi, si, ei)

2. A−→Vi : Vi, di

3. Vi−→C : (xi, yi)

4. C−→ ∗ : (l, xi, yi)

5. Vi−→C : (l, ki)

6. C−→ ∗ : (l, vi)

Model

In the specification of the protocol given in Figure 6, we assume that m ∈ M, n ∈ N,

i ∈I,j ∈J, andr∈R for some finite (non-empty and non-singleton) setsM,N,I,J, and

R.pkA,mandskA,mrepresent, respectively,A’s

public and private keys, and similarly,pkVi,n

and skVi,n represent Vi’s public and private

keys;cj ∈ Candindicates thejth candidate of

candidates list; lr ∈Lindicates the index of

result-list made by the authorityCounter.

Key={pkVi,n, skVi,n,

pkA,m, skA,m, kV, rV

|m∈M, n∈N},

Id={A, C, E, Vi},

Var={xpkV, xskV,

xpkA, xskA, xsc, xl, xV,

xsvbc, xvbc, xc, xkV},

Cand={cj |j∈J}, L={lr|r∈R},

We first define the process RegAuthority, which initializes the protocol with keys distri-bution. Then we specify the behavior of the

Administrator andCounter, as well as that ofV oter. The principal with identityEplays the role of the eavesdropper (passive intruder) in our model. The set Id used in the speci-fication denotes the set of all identities, i.e.,

{A, C, Vi, E}.

Regarding the public appearance of actions, we define for all of the identities andm∈M,

RegAuthority= P

m∈M

P

n∈N

(Id)!DistV iP ubK((pkVi,n, pkA,m)); ({Vi})!DistV iP rivK(skVi,n); (Id)!DistAdP ubK((pkA,m, pkVi,n)); ({A})!DistAdP rivK(skA,m); (Id)!DistCoP ubK(pkA,m)

V oter=

(Id)?DistV iP ubK((xpkV, xpkA)); ({Vi})?DistV iP rivK(xskV); P

vi∈Cand(Id)!V iReqAdSign((Vi,

{{{vi}kV} b rV}

s

x_skV,{{vi}kV}rV)); (Id)?AdAckSign((Vi,{xsc}brV)); ({})!V iV oting((xsc,{vi}kV)); (Id)?CoV oteList((xl, xsc,{vi}kV)); ({})!V iRevealKey((xl, kV))) (Id)?P ublishResult

Administrator=

(Id)?DistAdP ubK((xpkA, xpkV)); ({A})?DistAdP rivK(xsk_A);

(Id)?V iReqAdSign((xV, xsvbc, xvbc)); (Id)!AdAckSign((xV,{xvbc}x_skA))

Counter= (Id)?DistCoP ubK(xpkA); ({})?V iV oting((xsc, xc));

P

lr∈L(Id)!CoV oteList((lr, xsc, xc)); ({})?V iRevealKey((lr, xkV)); (Id)!P ublishResult

Figure 6. Our Model of the FOO’92 E-Voting Proto-col.

n∈N,vi ∈ Cand, andlr∈L,

ρ(DistV iP rivK(skVi,n)) =τ

ρ(DistAdP rivK(skA,m)) =τ

ρ(V iV oting({{vi}k_V}s

skA,m,{vi}kV)) =τ

ρ(V iRevealKey(lr, kV)) =τ

(13)

F OO=RegAuthority||Administrator||Counter||V oter

Analysis

Next, we specify some security properties of the FOO protocol; for sake of brevity, we leave out key secrecy properties that have the same structure as in the Needham-Schroeder proto-col.

The following formula is relevant to the el-igibility of a voter. It states when a voter try to cast her vote, she must have already been authenticated by the authorityA.

[.∗]V

vi∈Cand V

m∈M

[V iV oting(({{vi}k_V}s

skA,m,{vi}kV))]

AdAckSign(Vi,{{{vi}kV}

b rV}

s skA,m)

.

The fairness property is another security re-quirements for the e-voting protocols and refers to impossibility of affecting the remaining vot-ers by revealing the intermediate results. In other words, it means that the votes cannot be opened before and while they are being col-lected. Fairness can be expressed by the follow-ing formula.

[.∗]V

lr∈L

V

vi∈Cand V

m∈M

[CoV oteList((lr,{{vi}kV}

s

skA,m,{vi}kV))] V

id∈{A,C,E}¬(h∗iHasid(vi)).

5 Implementation

In [17], we have formalized the semantics of

CryptoPAiand a subset of ourEµlogic (includ-ing the basic temporal and epistemic operators) in the rewriting logic of Maude and mechanized the model-checking process in its toolset [34]. Next, we extend our earlier implementation based on our extension in current paper.

5.1 CryptoPAiin Maude

Let Act, TAct, TDAct andProc are sorts for

basic actions, parametric actions, decorated parametric-actions and processes, respectively. The attributectordesignates constructors of

each sort.rcv,sndandsyncdefine decorated parametric-actions for send, receive and syn-chronization (or just non-communicating ac-tions), denoted in the original syntax by “?”, “!” and without any preceding mark, respectively).

tauis the invisible internal action. The syn-tax of our actions, crypto-terms, and process language are as follows.

op tau : -> TDAct [ctor] .

op _ ( _ ) : Act PAiTerm -> TAct [ctor] .

op rcv ( _ ) _ ( _ ) : IdSet Act PAiTerm -> TDAct [ctor] . op snd ( _ ) _ ( _ ) : IdSet Act PAiTerm ->

TDAct [ctor] . op sync ( _ ) _ ( _ ) : IdSet Act PAiTerm ->

TBDAct [ctor] .

op rho ( _ ) : TAct -> TAct .

op ( _ , _ ) : PAiTerm PAiTerm ->

PAiTerm [ctor] . op enc { _ }_ _ : PAiTerm PAiTerm PAiTerm ->

PAiTerm [ctor] . op enca { _ }_ _ : PAiTerm PAiTerm PAiTerm ->

PAiTerm [ctor] . op sign { _ }_ _ : PAiTerm PAiTerm PAiTerm ->

PAiTerm [ctor] .

op blind { _ }_ : PAiTerm PAiTerm ->

PAiTerm [ctor] .

subsort TDAct TBDAct < Proc.

op NIL : -> Proc [ctor].

op _ ; _ : TDAct Proc -> Proc [ctor prec 21]. op _ ; _ : Proc Proc -> Proc [ctor prec 22]. op _ + _ : Proc Proc -> Proc [ctor prec 23]. op _ || _ : Proc Proc -> Proc [ctor prec 24].

The operational semantics (given in Figure 3) has been implemented trough translation of the deduction rules. A set of Maude’s condi-tional rewrite rules have been used to model transitions in the formalization. For example deduction rules (0), (d) and (n0) have been im-plemented as follows. The auxiliary symbol$*

used at the left-hand side of the rewrite rules designates the transition ⇒.

var td : TDAct.

vars p0 p1 pp1 : Proc.

vars ga gap : Hist.

...

***(0) and other terminating rules eq (tick NIL) = true.

eq (tick d) = false.

(14)

eq (tick (p0 ; p1)) = ((tick p0) and (tick p1)). eq (tick (p0 || p1)) = ((tick p0) and (tick p1)). *** (d)

rl $* (td,ga) => ({td} R (NIL,ga^(td:td))). *** (n0)

crl $* (p0 ; p1 ,ga) => ({td} R (pp1,gap)) if (tick p0) /\ $* (p1,ga)=>

({td} R (pp1,gap)). ...

Finally, the following equalities, represent deduction rules (=refl) and (=pat) in Fig-ure 3. In fact, they formalize the introduced indistinguishability concept in Maude. ded

operator has been defined to check the de-ducibility of a term from a given term-set.

pat, iCP attern, and iT erm implement the introduced functions pat (in Section 2.1),

CP atterni_and_{T erm}i _{(in Section 2.4),}

respec-tively. Regarding Definition 4, the function

Sigma implements type-preserving bijection

σ of Key ∪ Nonce∪ Rnd (i.e., σ : Key → Key,Nonce→ Nonce,Rnd→ Rnd).

vars P Pp Ppp : PAiPair .

op Box(_) :

PAiTerm -> Pattern [ctor].

op _ ded _ :

PAiTerm PAiTerm -> Bool .

op pat ( _ , _ ) :

PAiTerm PAiTerm -> Pattern [ctor].

op iTerm(_,_) :

Id TDAct -> PAiPair [ctor].

op iTermSet(_,_) :

Id History -> PAiPair [ctor].

op iAppear (_,_,_) :

Id TDAct -> TAct [ctor].

op iCPattern(_,_,_) :

Id History History -> PHistory [ctor]. ...

*** Term^i and TermSet^i Functions *** eq iTerm(i, snd (I) ac (Emp) ) = empty .

ceq iTerm(i, snd (I) ac (P) ) =

empty if not (i in I) .

ceq iTerm(i, snd (I) ac (P) ) = P if ( i in I ) . ...

*** pat Function *** ceq pat((Pp,Ppp),P) =

((pat(Pp , P)) , (pat(Ppp , P)))

if (Pp =/= empty) and (Ppp =/= empty) . ceq pat((enc{Pp}k r) , P) =

(enc{(pat(Pp,P))}k r) if (P ded k) .

eq pat((enc{Pp}k r) , P) = Box(r) [owise]. ...

*** Appear^i Function ***

ceq iAppear(i, snd (I) ac (P)) = bc (Pp) if (not (i in I) and rho(ac(P))==bc(Pp) . ceq iAppear(i, snd (I) ac (P)) =

ac (P) if ( i in I ). ...

*** CPattern^i Function ***

ceq iCPattern(i,h,((prc : tda) ^ hp)) = (ac (pat(P,iTermSet(i,h))))

~ iCPattern(i,h,hp)

if iAppear(i,tda) == ac (P) . ...

*** Indistinguishability Rel. *** op _ obseq ( _ ) _ :

History Id History -> Bool. eq (ga obseq (i) ga ) = true. ceq (ga obseq (i) gap) =

true if (iCPattern(i,ga,ga) ==

iCPattern(i,Sigma(gap),Sigma(gap))). ...

5.2 Eµin Maude

The formalization defined in [17] for the syntax of the logic defined in Section 3 is used without any changes in this paper.

5.3 Modeling the FOO Protocol in Maude

In this section we briefly present the model-ing of Example 4 in the Maude implementa-tion. We use the following commands in the Maude command-line in order to simulate the protocols and verify them against the specified formulae:

• rew+(p,niks): calculates a trace of a

CryptoPAi process p, whereniksstands for the empty computation,

• rew s0 (p,niks)|= phi: is used to verify

an Emu formulaphion a processp(with the empty computation), in a state space reachable from the initial states0. In the following specification,FOOProtocol

andFOOState0stand for the specification of

the protocol and its initial state, respectively.

mod FOO_Protocol is include CryptoPAi. include EmuBasic . ...

eq FOOProtocol =

( Reg || ( Voteri || ( Admin || Counter ) ) ) .

(15)

eq Reg = Sum ( ((pki,ski) : ((pki1,ski1),(pki2,ski2))) ( Sum ( ((pkA,skA) :

((pkA1,skA1),(pkA2,skA2))) ( (((((snd ( Vi;A;C;E )

TakeViPubK ((pki,pkA))); (snd ( Vi ) TakeViPrivK (ski))); (snd ( Vi;A;C;E )

TakeAdPubK ((pkA , pki)))); (snd ( A ) TakeAdPrivK (skA))); (snd ( Vi;A;C;E )

TakeCoPubK (pkA))) )) )).

eq Admin = ((((rcv ( Vi;A;C;E ) TakeAdPubK ((xpkA,xpki))); (rcv ( A ) TakeAdPrivK ( xskA ))); (rcv ( Vi;A;C;E )

ViReqAdSign ((xVi,(xsvbc , xvbc))))); (snd ( Vi;A;C;E ) AdAckSign

((xVi,(sign{xvbc}xskA))))).

eq Voteri = Sum ( (vi : (vi1 , vi2)) ( ((((((((rcv ( Vi;A;C;E )

TakeViPubK ((xpki , xpkA))); (rcv ( Vi ) TakeViPrivK (xski))) ; (snd ( Vi;A;C;E )

ViReqAdSign ((Vi ,(sign{(blind{ (enc{vi}ki)}ri)}xski),

(blind{(enc{vi}ki)}ri))))) ; (rcv ( Vi;A;C;E )

AdAckSign ((Vi,(blind{xsc}ri))))); (snd ( Vi )

ViVoting ((xsc , (enc{vi}ki))))); (rcv ( Vi;A;C;E )

CoVoteList ((xl,(xsc,(enc{vi}ki)))))); (snd ( Vi ) ViRevealKey ((xl , ki)))); (rcv ( Vi;A;C;E ) PublishResult (empty))))).

eq Counter = Sum ( (l : (l1 , l2)) ( (((((rcv ( Vi;A;C;E )

TakeCoPubK (xpkA));

(rcv ( Vi ) ViVoting ((xsc , xc)))); (snd ( Vi;A;C;E )

CoVoteList ((l , (xsc , xc))))); (rcv ( Vi ) ViRevealKey ((l , xki)))); (snd ( Vi;A;C;E )

PublishResult (empty))))). endm

Some of the properties of the protocol have been verified on the above specification and their result are reported below.

- rew FOOState0 (FOOProtocol , niks) |= [.*] ([TakeViPrivK(ski1)](emnot

(E Has ski1))) . rewrite in EmuBasic :

FOOState0 FOOProtocol,niks |= [.*]([TakeViPrivK(ski1)]emnot (E Has ski1)) .

rewrites: 915479 in

1628036047000ms cpu (55030ms real) (0 rewrites/second)

result Satform: * true

- rew FOOState0 (FOOProtocol , niks) |= [.*] ([TakeViPrivK(ski1)](emnot (K{E} (TakeViPrivK(ski1) <-|)))) .

rewrite in EmuBasic :

FOOState0 FOOProtocol,niks |= [.*]([TakeViPrivK(ski1)]emnot (K{E}(TakeViPrivK(ski1)) <-|)) . rewrites: 5276064119 in

1628036047000ms cpu (61563115ms real) (3 rewrites/second)

- rew FOOState0 (FOOProtocol , niks) |= [.*] ([TakeViPrivK(ski1)]((K{Vi} (TakeViPrivK(ski1) <-|)))) . rewrite in EmuBasic :

FOOState0 FOOProtocol,niks |= [.*]([TakeViPrivK(ski1)]K{Vi} (TakeViPrivK(ski1)) <-|) . rewrites: 13857468327

in 1628036047000ms cpu (56267527ms real) (8 rewrites/second)

- rew FOOState0 (FOOProtocol , niks) |= [.*]([ViRevealKey(l1,ki)] ((Vi Has vi1) emor (Vi Has vi2))) .

FOOState0 FOOProtocol,niks |= [.*]([ViRevealKey(l1,ki)] (Vi Has vi1 emor Vi Has vi2)) . rewrites: 6929255

- rew FOOState0 (FOOProtocol , niks) |= [.*]([ViRevealKey(l1,ki)]((Vi Has ski1) emor (Vi Has ski2)))) .

FOOState0 FOOProtocol,niks |= [.*]([ViRevealKey(l1,ki)] (Vi Has ski1 emor Vi Has ski2)) . rewrites: 6887015

(16)

- rew FOOState0 (FOOProtocol , niks) |= [.*]([ViRevealKey(l1,ki)]((E Has vi1) emor (E Has vi2))) .

rewrite in

EmuBasic : FOOState0 FOOProtocol,niks |= [.*]([ViRevealKey(l1,ki)]

(E Has vi1 emor E Has vi2)) . rewrites: 6891623

- rew FOOState0 (FOOProtocol , niks) |= [.*]([ViRevealKey(l1,ki)]((E Has ski1) emor (E Has ski2)))) .

rewrite in

EmuBasic : FOOState0 FOOProtocol,niks |= [.*]([ViRevealKey(l1,ki)]

((E Has ski1 emor E Has ski2)) . rewrites: 518997

result Satform: * false

- rew FOOState0 (FOOProtocol , niks) |= [.*] ([ViVoting(sign{enc{vi1}ki}skA1, enc{vi1}ki)]

(AdAckSign(Vi,sign

{blind{enc{vi1}ki}ri}skA1)) <-| ) . rewrite in

EmuBasic : FOOState0 FOOProtocol,niks |= [.*]([ViVoting(sign{

enc{vi1}ki}skA1,enc{vi1}ki)] (AdAckSign(Vi,sign

{blind{enc{vi1}ki}ri}skA1)) <-|) . rewrites: 888839

- rew FOOState0 (FOOProtocol , niks) |= [.*] ( [ViVoting(sign{enc{vi2}ki}skA2, enc{vi2}ki)]

( (AdAckSign(Vi, sign

{blind{enc{vi2}ki}ri}skA2) ) <-| ) ) . rewrite in

EmuBasic : FOOState0 FOOProtocol,niks |= [.*]([ViVoting(sign{

enc{vi2}ki}skA2,enc{vi2}ki)] (AdAckSign(Vi,sign

{blind{enc{vi2}ki}ri}skA2)) <-|) . rewrites: 888839

6 Conclusions

In this paper, we presented an extension of our hybrid operational-epistemic framework, intro-duced in [17], for specification and analysis of security protocols with genuine support for cryptographic constructs. The framework in-cludes a process algebraic formalism for the op-erational specification and an epistemic exten-sion of modalµ-calculus with past for the prop-erty specification. The extended framework has been further re-formalized and re-implemented in the rewriting logic of Maude.

The main practical motivation for this paper came from the domain of e-voting protocols. In fact, we extendedCryptoPAi framework with more cryptographic constructs and then inves-tigated its applicability in this domain through analysis of the FOO e-voting protocol as a case study. We plan to further investigate the ap-plicability of our framework in this domain by applying it to more case studies (see [35] for some ideas in this direction). Extending our framework with probabilities, along the lines of [15], is another avenue for future research.

References

[1] Gavin Lowe. Casper: A compiler for the analysis of security protocols. Journal of Computer Security, 6(1-2):53–84, 1998. doi:10.3233/JCS-1998-61-204.

[2] C. Caleiroa, L. Vigan`o , and D. Basin. On the semantics of Alice & Bob specifi-cations of security protocols. Theoretical Computer Science, 367(1-2):88–122, 2006. doi:10.1016/j.tcs.2006.08.041.

[3] S. D. Brookes, C. A. R. Hoare, and A. W. Roscoe. A theory of communi-cating sequential processes. Journal of the ACM (JACM), 31(3):560–599, 1984. doi:10.1145/828.833.

[4] Robin Milner. A Calculus of Communi-cating Systems. Springer-Verlag, 1980. [5] M. Abadi and A. D.Gordon. A calculus for

cryptographic protocols: The spi calculus.

Information and computation, 148(1):1– 70, 1999. doi:10.1006/inco.1998.2740. [6] R. Fagin, J. Y. Halpern, Y. Moses, and

(17)

MIT Press, 1995.

[7] D. Hughes and V. Shmatikov. Information hiding, anonymity and privacy: A modular approach. Journal of Computer Security, 12(1):3–36, 2004. doi:10.3233/JCS-2004-12102.

[8] F. Dechesne and Y. Wang. To know or not to know: epistemic approaches to security protocol verification. Syn-these, 177(1):51–76, 2010. ISSN 0039-7857. doi:10.1007/s11229-010-9765-8.

[9] A. Hommersom, J.-J. Meyer, and E.P. de Vink. Update semantics of security protocols. Synthese, 142(2):229–267, 2004. ISSN 0039-7857. doi:10.1007/s11229-004-2247-0.

[10] A. Baltag and M. Sadrzadeh. The al-gebra of multi-agent dynamic belief re-vision. Electronic Notes in Theoretical Computer Science, 157(4):37 – 56, 2006.

doi:10.1016/j.entcs.2006.02.012.

[11] Simon Kramer. Cryptographic protocol logic: Satisfaction for (timed) dolev-yao cryptography.The Journal of Logic and Al-gebraic Programming, 77(1-2):60–91, 2008. doi:10.1016/j.jlap.2008.05.005.

[12] S. Richards and M. Sadrzadeh. Aximo: Automated axiomatic reasoning for infor-mation update. Electronic Notes in The-oretical Computer Science, 231:211–225, 2009. doi:10.1016/j.entcs.2009.02.037. [13] Yanjing Wang. Epistemic Modeling and

Protocol Dynamics. PhD thesis, University of Amsterdam, 2010.

[14] R. Chadha, S. Delaune, and S. Kremer. Epistemic logic for the applied pi calcu-lus. InInternational Conference on For-mal Methods for Open Object-Based Dis-tributed Systems, pages 182–197. Springer, Berlin, Heidelberg, 2009. ISBN 978-3-642-02137-4. doi:10.1007/978-3-642-02138-1 doi:10.1007/978-3-642-02138-12.

[15] S. Kramer, C. Palamidessi, R. Segala, A. Turrini, and C. Braun. A quantita-tive doxastic logic for probabilistic pro-cesses and applications to information-hiding. The Journal of Applied Non-Classical Logic, 19(4):489–516, 2009.

doi:10.3166/jancl.19.489-516.

[16] R. Milner. A spatial-epistemic logic for reasoning about security protocols. In International Workshop on Security Issues in Concurrency (SecCo), 2010. doi:10.4204/EPTCS.51.

[17] H. R. Mahrooghi and M. R.Mousavi. Rec-onciling operational and epistemic ap-proaches to the formal analysis of crypto-based security protocols. InProceedings of the 9th International Workshop on Se-curity Issues in Concurrency, 2011. [18] M. Abadi and J. J ˜A1₄rjens. Formal

eaves-dropping and its computational inter-pretation. In International Symposium on Theoretical Aspects of Computer Soft-ware, pages 82–94. Springer, Berlin, Hei-delberg, 2001. ISBN 978-3-540-42736-0. doi:10.1007/3-540-45500-0 4.

[19] L. Peeter and R. Corin. Sound compu-tational interpretation of formal encryp-tion with composed keys. InInternational Conference on Information Security and Cryptology, pages 55–66. Springer, Berlin, Heidelberg, 2003. ISBN 978-3-540-21376-5. doi:10.1007/978-3-540-24691-6 978-3-540-21376-5. [20] M. Abadi and P. Rogaway.

Recon-ciling two views of cryptography (the computational soundness of formal en-cryption). Journal of cryptology, 15 (12):103–127, 2002. ISSN 0933-2790. doi:10.1007/s00145-001-0014-7.

[21] Tomohiro Hoshi. Epistemic Modeling and Protocol Information. PhD thesis, Stan-ford University, 2009.

[22] M. Hennessy and R. Milner. Algebraic laws for nondeterminism and concurrency.

Journal of the ACM, 32(1):137–161, 1985. doi:10.1145/2455.2460.

[23] F. Raimondi and A. Lomuscio. Automatic verification of deontic interpreted systems by model checking via OBDD’s. Jour-nal of Applied Logic, 5(2):235–251, 2006. doi:10.1016/j.jal.2005.12.010.

[24] J. Y. Halpern and K. R. O’Neill. Anonymity and information hiding in multiagent systems. Journal of Com-puter Security, 13(3):483–514, 2005. doi:10.3233/JCS-2005-13305.

[25] M. Abadi and C. Fournet. Mobile val-ues, new names, and secure communi-cation. In The 28th ACM SIGPLAN-SIGACT Symposium on Principles of Pro-gramming Languages (POPL 2001), pages 104–115. ACM, 2001. ISBN 1-58113-336-7. doi:10.1145/373243.360213.

[26] J. v. Eijck and S. Orzan. Epistemic ver-ification of anonymity. In Proceedings VODCA’06, 2006.

(18)

Model Checking of Security Protocols. PhD thesis, Oxford University, 2001.

[28] F. Dechesne, M. R. Mousavi, and S. Orzan. Operational and epistemic approaches to protocol analysis: bridging the gap. In In-ternational Conference on Logic for Pro-gramming Artificial Intelligence and Rea-soning, pages 226–241. Springer, Berlin, Heidelberg, 2007. ISBN 978-3-540-75558-6. doi:10.1007/978-3-540-75560-9 18. [29] G. D. Plotkin. A structural approach to

operational semantics. Journal of Logic and Algebraic Progamming, pages 17–139, 2004. doi:10.1016/j.jlap.2004.05.001. [30] A. Fujioka, T. Okamoto, and K. Ohta. A

practical secret voting scheme for large scale elections. In International Work-shop on the Theory and Application of Cryptographic Techniques, pages 244–251.

Springer, Berlin, Heidelberg, 1992. ISBN 978-3-540-57220-6. doi:10.1007/3-540-57220-1 66.

[31] S. Delaune, S. Kremer, and M. Ryan. Veri-fying privacy-type properties of electronic voting protocols. Journal of Computer Security, 17(4):435–487, 2009. ISSN 0039-7857. doi:10.3233/JCS-2009-0340. [32] H. R. Mahrooghi, M. H. Haghighat,

and R. Jalili. Formal verification of authentication-type properties of an electronic voting protocol using mcrl2. In Proceedings of the Fourth international conference on Verifica-tion and EvaluaVerifica-tion of Computer and Communication Systems. eWiC, 2010.

doi:10.14236/ewic/VECOS2010.10. [33] J. v. Eijck and S. Orzan. Epistemic

verifica-tion of anonymity.Electronic Notes in The-oretical Computer Science, 168:159–174, 2007. doi:10.1016/j.entcs.2006.08.026. [34] M. Clavel, F. Dur´an, S. Eker, P.

Lin-coln, N. Mart´ı-Oliet, J. Meseguer, and C. Talcott. All About Maude - A High-Performance Logical Framework, How to Specify, Program and Verify Systems in Rewriting Logic. Springer, 2007.

[35] A. Baskar, R. Ramanujam, and S. P. Suresh. Knowledge-based modelling of voting protocols. In Proceedings of the 11th Conference on Theoretical Aspects of Rationality and Knowledge (TARK-2007), pages 62–71. ACM, 2007.

doi:10.1145/1324249.1324261.

Hamid Reza Mahrooghireceived his bachelor’s degree in Computer En-gineering from Isfahan University of Technology in 1993, and his master’s degree in Computer Engineering from Sharif University of Technology in 1996. He received his Ph.D. in Com-puter Engineering from Sharif Univer-sity of Technology, in 2013. He joined the Group of Computer Engineering, Imamreza Uni-versity, Mashhad, Iran, in 2004. His research interests include electronic-voting, mobile & network security, block-chain-which he conducts at his network security laboratory in Imamreza University.