Secure Process Algebra — Yong Wang — arXiv:2101.05140v5 [cs.LO] 25 Oct 2021

arXiv:2101.05140v1 [cs.LO] 13 Jan 2021


Contents

1 Introduction
2 Truly Concurrent Process Algebra
  2.1 Operational Semantics
  2.2 Proof Techniques
  2.3 Basic Algebra for True Concurrency
  2.4 Algebra for Parallelism in True Concurrency
  2.5 Recursion
  2.6 Abstraction
  2.7 Placeholder
  2.8 Axiomatization for Hhp-Bisimilarity
    2.8.1 APTC with Left Parallel Composition
    2.8.2 Recursion
    2.8.3 Abstraction
  2.9 Applications
3 Data Manipulation in APTC
  3.1 Operational Semantics
  3.2 BATC with Guards
  3.3 APTC with Guards
  3.4 Recursion
  3.5 Abstraction
4 Secure APTC
  4.1 Symmetric Encryption
  4.2 Asymmetric Encryption
  4.3 Hash
  4.4 Digital Signatures
  4.5 Message Authentication Codes
  4.6 Random Sequence Generation
  4.7 Blind Signatures
  4.8 XOR
  4.9 Extended Communications
  4.10 Analyses of Security Protocols
    4.10.1 A Protocol Using Private Channels
    4.10.2 Secure Communication Protocols Using Symmetric Keys
    4.10.3 Discussion
5 Analyses of Key Exchange Protocols
  5.1 Key Exchange with Symmetric Cryptography
  5.2 Key Exchange with Public-Key Cryptography
  5.3 Interlock Protocol
  5.4 Key Exchange with Digital Signatures
  5.5 Key and Message Transmission
  5.6 Key and Message Broadcast
6 Analyses of Authentication Protocols
  6.1 Mutual Authentication Using the Interlock Protocol
  6.2 SKID
7 Analyses of Practical Protocols
  7.1 Wide-Mouth Frog Protocol
  7.2 Yahalom Protocol
  7.3 Needham-Schroeder Protocol
  7.4 Otway-Rees Protocol
  7.5 Kerberos Protocol
  7.6 Neuman-Stubblebine Protocol
  7.7 Denning-Sacco Protocol
  7.8 DASS Protocol
  7.9 Woo-Lam Protocol
8 Analyses of Other Protocols
  8.1 Analyses of Secret Splitting Protocols
  8.2 Analyses of Bit Commitment Protocols
    8.2.1 Bit Commitment Protocol 1
    8.2.2 Bit Commitment Protocol 2
  8.3 Analyses of Anonymous Key Distribution Protocols
9 Analyses of Digital Cash Protocols
  9.1 Digital Cash Protocol 1
  9.2 Digital Cash Protocol 2
  9.3 Digital Cash Protocol 3
  9.4 Digital Cash Protocol 4
10 Analyses of Secure Elections Protocols
  10.1 Secure Elections Protocol 1
  10.2 Secure Elections Protocol 2
  10.3 Secure Elections Protocol 3
  10.4 Secure Elections Protocol 4
  10.5 Secure Elections Protocol 5
  10.6 Secure Elections Protocol 6


1 Introduction

A security protocol [1] includes some computational operations, some cryptographic operations (for example, symmetric encryption/decryption, asymmetric encryption/decryption, hash functions, digital signatures, message authentication codes, random sequence generation, XOR operations, etc.), some communication operations for exchanging data, and also the computational logic among these operations.

Designing a perfectly practical security protocol is quite a complex task, because of the open network environments and the complex security requirements against various known and unknown attacks. How to design a security protocol usually depends heavily on experience in security engineering. Beyond experience, formal verification can be used in the design of security protocols to satisfy the main goal of the security protocol.

There are many formal verification tools that support the verification of security protocols, such as BAN logic [2] and work based on process algebra. Among the work based on process algebra, there is work based on the pi-calculus, such as the spi-calculus [7] and the applied pi-calculus [8]. The work based on process algebra has some advantages: it describes security protocols in a programming style, and it has firm theoretical foundations.

Based on our previous work on the truly concurrent process algebra APTC [3], we use it to verify security protocols. This work (called Secure APTC, abbreviated SAPTC) has the following advantages in verifying security protocols:

1. It has firm theoretical foundations, including equational logics, structured operational semantics, and axiomatizations between them;

2. It has rich expressive power to describe security protocols. Cryptographic operations are modeled as atomic actions and can be extended; explicit parallelism and communication mechanisms model communication operations and principals; and rich computational properties describe the computational logic in security protocols, including conditional guards, alternative composition, sequential composition, parallelism and communication, encapsulation and deadlock, recursion, and abstraction;

3. Especially through abstraction, it is convenient and obvious to observe the relations between the inputs and outputs of a security protocol, including the relations without any attack, the relations under each known attack, and the relations under unknown attacks if the unknown attacks can be described.

This manuscript is organized as follows. In chapters 2 and 3, we briefly introduce the truly concurrent process algebra APTC and data manipulation in APTC. We extend APTC to SAPTC to describe cryptographic properties in chapter 4. Then we introduce the cases of verifying security protocols, including key exchange related protocols in chapter 5, authentication protocols in chapter 6, key exchange and authentication mixed protocols in chapter 7, other protocols in chapter 8, digital cash protocols in chapter 9, and secure elections protocols in chapter 10.

2 Truly Concurrent Process Algebra

In this chapter, we introduce the preliminaries on truly concurrent process algebra [3], which is based on truly concurrent operational semantics.

APTC eliminates the differences between the structures of transition systems, event structures, etc., and discusses their behavioral equivalences. It considers that there are two kinds of causality relations: the chronological order modeled by sequential composition, and the causal order between different parallel branches modeled by the communication merge. It also considers that there exist two kinds of conflict relations: the structural conflict modeled by alternative composition, and the conflicts in different parallel branches, which should be eliminated. Based on conservative extension, there are four modules in APTC: BATC (Basic Algebra for True Concurrency), APTC (Algebra for Parallelism in True Concurrency), recursion and abstraction.

2.1 Operational Semantics

The semantics of ACP is based on bisimulation/rooted branching bisimulation equivalences, and the modularity of ACP relies on the concept of conservative extension. For convenience, we introduce some concepts and conclusions about them.

Definition 2.1 (Bisimulation). A bisimulation relation $R$ is a binary relation on processes such that: (1) if $p R q$ and $p \xrightarrow{a} p'$ then $q \xrightarrow{a} q'$ with $p' R q'$; (2) if $p R q$ and $q \xrightarrow{a} q'$ then $p \xrightarrow{a} p'$ with $p' R q'$; (3) if $p R q$ and $pP$, then $qP$; (4) if $p R q$ and $qP$, then $pP$. Two processes $p$ and $q$ are bisimilar, denoted by $p \sim_{HM} q$, if there is a bisimulation relation $R$ such that $p R q$.

Definition 2.2 (Congruence). Let $\Sigma$ be a signature. An equivalence relation $R$ on $T(\Sigma)$ is a congruence if for each $f \in \Sigma$, if $s_i R t_i$ for $i \in \{1, \cdots, ar(f)\}$, then $f(s_1, \cdots, s_{ar(f)}) R f(t_1, \cdots, t_{ar(f)})$.

Definition 2.3 (Branching bisimulation). A branching bisimulation relation $R$ is a binary relation on the collection of processes such that: (1) if $p R q$ and $p \xrightarrow{a} p'$ then either $a \equiv \tau$ and $p' R q$ or there is a sequence of (zero or more) $\tau$-transitions $q \xrightarrow{\tau} \cdots \xrightarrow{\tau} q_0$ such that $p R q_0$ and $q_0 \xrightarrow{a} q'$ with $p' R q'$; (2) if $p R q$ and $q \xrightarrow{a} q'$ then either $a \equiv \tau$ and $p R q'$ or there is a sequence of (zero or more) $\tau$-transitions $p \xrightarrow{\tau} \cdots \xrightarrow{\tau} p_0$ such that $p_0 R q$ and $p_0 \xrightarrow{a} p'$ with $p' R q'$; (3) if $p R q$ and $pP$, then there is a sequence of (zero or more) $\tau$-transitions $q \xrightarrow{\tau} \cdots \xrightarrow{\tau} q_0$ such that $p R q_0$ and $q_0 P$; (4) if $p R q$ and $qP$, then there is a sequence of (zero or more) $\tau$-transitions $p \xrightarrow{\tau} \cdots \xrightarrow{\tau} p_0$ such that $p_0 R q$ and $p_0 P$. Two processes $p$ and $q$ are branching bisimilar, denoted by $p \approx_{bHM} q$, if there is a branching bisimulation relation $R$ such that $p R q$.

Definition 2.4 (Rooted branching bisimulation). A rooted branching bisimulation relation $R$ is a binary relation on processes such that: (1) if $p R q$ and $p \xrightarrow{a} p'$ then $q \xrightarrow{a} q'$ with $p' \approx_{bHM} q'$; (2) if $p R q$ and $q \xrightarrow{a} q'$ then $p \xrightarrow{a} p'$ with $p' \approx_{bHM} q'$; (3) if $p R q$ and $pP$, then $qP$; (4) if $p R q$ and $qP$, then $pP$. Two processes $p$ and $q$ are rooted branching bisimilar, denoted by $p \approx_{rbHM} q$, if there is a rooted branching bisimulation relation $R$ such that $p R q$.

Definition 2.5 (Conservative extension). Let $T_0$ and $T_1$ be TSSs (transition system specifications) over signatures $\Sigma_0$ and $\Sigma_1$, respectively. The TSS $T_0 \oplus T_1$ is a conservative extension of $T_0$ if the LTSs (labeled transition systems) generated by $T_0$ and $T_0 \oplus T_1$ contain exactly the same transitions $t \xrightarrow{a} t'$ and $tP$ with $t \in T(\Sigma_0)$.

Definition 2.6 (Source-dependency). The source-dependent variables in a transition rule $\rho$ are defined inductively as follows: (1) all variables in the source of $\rho$ are source-dependent; (2) if $t \xrightarrow{a} t'$ is a premise of $\rho$ and all variables in $t$ are source-dependent, then all variables in $t'$ are source-dependent. A transition rule is source-dependent if all its variables are. A TSS is source-dependent if all its rules are.

Definition 2.7 (Freshness). Let $T_0$ and $T_1$ be TSSs over signatures $\Sigma_0$ and $\Sigma_1$, respectively. A term in $T(T_0 \oplus T_1)$ is said to be fresh if it contains a function symbol from $\Sigma_1 \setminus \Sigma_0$. Similarly, a transition label or predicate symbol in $T_1$ is fresh if it does not occur in $T_0$.

Theorem 2.8 (Conservative extension). Let $T_0$ and $T_1$ be TSSs over signatures $\Sigma_0$ and $\Sigma_1$, respectively, where $T_0$ and $T_0 \oplus T_1$ are positive after reduction. Under the following conditions, $T_0 \oplus T_1$ is a conservative extension of $T_0$. (1) $T_0$ is source-dependent. (2) For each $\rho \in T_1$, either the source of $\rho$ is fresh, or $\rho$ has a premise of the form $t \xrightarrow{a} t'$ or $tP$, where $t \in T(\Sigma_0)$, all variables in $t$ occur in the source of $\rho$ and $t'$, $a$ or $P$ is fresh.

2.2 Proof Techniques

In this subsection, we introduce the concepts and conclusions about elimination, which is very important in the proof of the completeness theorem.

Definition 2.9 (Elimination property). Consider a process algebra with a defined set of basic terms that is a subset of the set of closed terms over the process algebra. Then the process algebra has the elimination to basic terms property if for every closed term $s$ of the algebra, there exists a basic term $t$ of the algebra such that the algebra $\vdash s = t$.

Definition 2.10 (Strongly normalizing). A term $s_0$ is called strongly normalizing if there does not exist an infinite series of reductions beginning in $s_0$.

Definition 2.11. We write $s >_{lpo} t$ if $s \to^{+} t$ where $\to^{+}$ is the transitive closure of the reduction relation defined by the transition rules of an algebra.

Theorem 2.12 (Strong normalization). Consider a term rewriting system (TRS) with finitely many rewriting rules, and let $>$ be a well-founded ordering on the signature of the corresponding algebra. If $s >_{lpo} t$ for each rewriting rule $s \to t$ in the TRS, then the term rewriting system is strongly normalizing.

2.3 Basic Algebra for True Concurrency

BATC has sequential composition $\cdot$ and alternative composition $+$ to capture the chronologically ordered causality and the structural conflict. The constants range over $A$, the set of atomic actions. The algebraic laws on $\cdot$ and $+$ are sound and complete modulo truly concurrent bisimulation equivalences (including pomset bisimulation, step bisimulation, hp-bisimulation and hhp-bisimulation).

Definition 2.13 (Prime event structure with silent event). Let $\Lambda$ be a fixed set of labels, ranged over $a, b, c, \cdots$ and $\tau$. A ($\Lambda$-labelled) prime event structure with silent event $\tau$ is a tuple $E = \langle E, \leq, \sharp, \lambda \rangle$, where $E$ is a denumerable set of events, including the silent event $\tau$. Let $E = E / \{\tau\}$, exactly excluding $\tau$, it is obvious that $\tau^* = \epsilon$, where $\epsilon$ is the empty event. Let $\lambda : E \to \Lambda$ be a labelling function and let $\lambda(\tau) = \tau$. And $\leq$, $\sharp$ are binary relations on $E$, called causality and conflict respectively, such that:

1. $\leq$ is a partial order and $\lceil e \rceil = \{e' \in E \mid e' \leq e\}$ is finite for all $e \in E$. It is easy to see that $e \leq \tau^* \leq e' = e \leq \tau \leq \cdots \leq \tau \leq e'$, then $e \leq e'$.

2. $\sharp$ is irreflexive, symmetric and hereditary with respect to $\leq$, that is, for all $e, e', e'' \in E$, if $e \sharp e' \leq e''$, then $e \sharp e''$.

Then, the concepts of consistency and concurrency can be drawn from the above definition:

1. $e, e' \in E$ are consistent, denoted as $e \frown e'$, if $\neg(e \sharp e')$. A subset $X \subseteq E$ is called consistent, if $e \frown e'$ for all $e, e' \in X$.

2. $e, e' \in E$ are concurrent, denoted as $e \parallel e'$, if $\neg(e \leq e')$, $\neg(e' \leq e)$, and $\neg(e \sharp e')$.

Definition 2.14 (Configuration). Let $E$ be a PES. A (finite) configuration in $E$ is a (finite) consistent subset of events $C \subseteq E$, closed with respect to causality (i.e. $\lceil C \rceil = C$). The set of finite configurations of $E$ is denoted by $C(E)$. We let $C = C / \{\tau\}$.

A consistent subset $X \subseteq E$ of events can be seen as a pomset. Given $X, Y \subseteq E$, $X \sim Y$ if $X$ and $Y$ are isomorphic as pomsets. In the following of the paper, we say $C_1 \sim C_2$, we mean $C_1 \sim C_2$.

Definition 2.15 (Pomset transitions and step). Let $E$ be a PES and let $C \in C(E)$, and $\emptyset \neq X \subseteq E$, if $C \cap X = \emptyset$ and $C' = C \cup X \in C(E)$, then $C \xrightarrow{X} C'$ is called a pomset transition from $C$ to $C'$. When the events in $X$ are pairwise concurrent, we say that $C \xrightarrow{X} C'$ is a step.

Definition 2.16 (Pomset, step bisimulation). Let $E_1$, $E_2$ be PESs. A pomset bisimulation is a relation $R \subseteq C(E_1) \times C(E_2)$, such that if $(C_1, C_2) \in R$, and $C_1 \xrightarrow{X_1} C_1'$ then $C_2 \xrightarrow{X_2} C_2'$, with $X_1 \subseteq E_1$, $X_2 \subseteq E_2$, $X_1 \sim X_2$ and $(C_1', C_2') \in R$, and vice-versa. We say that $E_1$, $E_2$ are pomset bisimilar, written $E_1 \sim_p E_2$, if there exists a pomset bisimulation $R$, such that $(\emptyset, \emptyset) \in R$. By replacing pomset transitions with steps, we can get the definition of step bisimulation. When PESs $E_1$ and $E_2$ are step bisimilar, we write $E_1 \sim_s E_2$.
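The definitions above can be executed directly on small examples. The following Python code is an added example, not code from the paper: it enumerates configurations (Definition 2.14) and steps (Definition 2.15) of a finite PES and compares step bisimilarity (Definition 2.16) with the interleaving bisimilarity of Definition 2.1 on a ∥ b versus a·b + b·a. The class and function names, the encoding of the two processes, and the omission of silent events and termination predicates are assumptions of the example.

```python
from itertools import combinations


class PES:
    """Finite prime event structure (Definition 2.13) without silent events."""

    def __init__(self, labels, causes=(), conflicts=()):
        self.labels = dict(labels)                  # event -> label
        self.events = frozenset(self.labels)
        # Causality: reflexive-transitive closure of the given pairs (e <= e').
        self.le = {(e, e) for e in self.events} | set(causes)
        grew = True
        while grew:
            new = {(a, d) for (a, b) in self.le for (c, d) in self.le if b == c}
            grew = not new <= self.le
            self.le |= new
        # Conflict: symmetric and hereditary (e # e' <= e'' implies e # e'').
        self.conflict = set()
        for a, b in conflicts:
            for x in self.events:
                for y in self.events:
                    if (a, x) in self.le and (b, y) in self.le:
                        self.conflict |= {(x, y), (y, x)}
        self.configs = self._configurations()

    def _configurations(self):
        """All consistent, causally closed subsets of events (Definition 2.14)."""
        found = set()
        for size in range(len(self.events) + 1):
            for subset in combinations(sorted(self.events), size):
                c = frozenset(subset)
                closed = all(a in c for (a, b) in self.le if b in c)
                consistent = all((a, b) not in self.conflict for a in c for b in c)
                if closed and consistent:
                    found.add(c)
        return found

    def concurrent(self, a, b):
        return ((a, b) not in self.le and (b, a) not in self.le
                and (a, b) not in self.conflict)

    def steps(self, c, max_size=None):
        """Steps C --X--> C' (Definition 2.15) as (labels of X, C') pairs.

        X must be non-empty, disjoint from C and pairwise concurrent, and
        C u X must be a configuration. max_size=1 gives interleaving moves.
        """
        rest = sorted(self.events - c)
        limit = len(rest) if max_size is None else min(max_size, len(rest))
        moves = set()
        for size in range(1, limit + 1):
            for x in combinations(rest, size):
                target = c | frozenset(x)
                if target in self.configs and all(
                        self.concurrent(a, b) for a, b in combinations(x, 2)):
                    moves.add((tuple(sorted(self.labels[e] for e in x)), target))
        return moves


def bisimilar(p1, p2, max_size=None):
    """Step bisimilarity (Definition 2.16); interleaving when max_size=1.

    Starts from all pairs of configurations and removes pairs that cannot
    match each other's moves until nothing changes (greatest fixpoint).
    """
    t1 = {c: p1.steps(c, max_size) for c in p1.configs}
    t2 = {c: p2.steps(c, max_size) for c in p2.configs}
    rel = {(c1, c2) for c1 in t1 for c2 in t2}

    def ok(c1, c2):
        fwd = all(any(l == m and (d1, d2) in rel for (m, d2) in t2[c2])
                  for (l, d1) in t1[c1])
        bwd = all(any(l == m and (d1, d2) in rel for (l, d1) in t1[c1])
                  for (m, d2) in t2[c2])
        return fwd and bwd

    changed = True
    while changed:
        bad = {pair for pair in rel if not ok(*pair)}
        rel -= bad
        changed = bool(bad)
    return (frozenset(), frozenset()) in rel


# Constructed examples: a || b, and a.b + b.a encoded with four events.
PARALLEL = PES({1: "a", 2: "b"})
INTERLEAVED = PES({1: "a", 2: "b", 3: "b", 4: "a"},
                  causes=[(1, 2), (3, 4)], conflicts=[(1, 3)])

if __name__ == "__main__":
    print("interleaving bisimilar:", bisimilar(PARALLEL, INTERLEAVED, max_size=1))
    print("step bisimilar:        ", bisimilar(PARALLEL, INTERLEAVED))
```

Two principals that act independently are thereby distinguished from any sequential schedule of their actions, which the interleaving view cannot do.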

Definition 2.17 (Posetal product). Given two PESs $E_1$, $E_2$, the posetal product of their configurations, denoted $C(E_1) \times C(E_2)$, is defined as

$$\{(C_1, f, C_2) \mid C_1 \in C(E_1), C_2 \in C(E_2), f : C_1 \to C_2 \text{ isomorphism}\}.$$

A subset $R \subseteq C(E_1) \times C(E_2)$ is called a posetal relation. We say that $R$ is downward closed when for any $(C_1, f, C_2), (C_1', f', C_2') \in C(E_1) \times C(E_2)$, if $(C_1, f, C_2) \subseteq (C_1', f', C_2')$ pointwise and $(C_1', f', C_2') \in R$, then $(C_1, f, C_2) \in R$.

For $f : X_1 \to X_2$, we define $f[x_1 \mapsto x_2] : X_1 \cup \{x_1\} \to X_2 \cup \{x_2\}$, $z \in X_1 \cup \{x_1\}$, (1) $f[x_1 \mapsto x_2](z) = x_2$, if $z = x_1$; (2) $f[x_1 \mapsto x_2](z) = f(z)$, otherwise. Where $X_1 \subseteq E_1$, $X_2 \subseteq E_2$, $x_1 \in E_1$, $x_2 \in E_2$.

Definition 2.18 ((Hereditary) history-preserving bisimulation). A history-preserving (hp-) bisimulation is a posetal relation $R \subseteq C(E_1) \times C(E_2)$ such that if $(C_1, f, C_2) \in R$, and $C_1 \xrightarrow{e_1} C_1'$, then $C_2 \xrightarrow{e_2} C_2'$, with $(C_1', f[e_1 \mapsto e_2], C_2') \in R$, and vice-versa. $E_1, E_2$ are history-preserving (hp-)bisimilar and are written $E_1 \sim_{hp} E_2$ if there exists a hp-bisimulation $R$ such that $(\emptyset, \emptyset, \emptyset) \in R$.

A hereditary history-preserving (hhp-)bisimulation is a downward closed hp-bisimulation. $E_1, E_2$ are hereditary history-preserving (hhp-)bisimilar and are written $E_1 \sim_{hhp} E_2$.

No.   Axiom
A1    $x + y = y + x$
A2    $(x + y) + z = x + (y + z)$
A3    $x + x = x$
A4    $(x + y) \cdot z = x \cdot z + y \cdot z$
A5    $(x \cdot y) \cdot z = x \cdot (y \cdot z)$

Table 1: Axioms of BATC

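$$\frac{}{e \xrightarrow{e} \surd}$$

$$\frac{x \xrightarrow{e} \surd}{x + y \xrightarrow{e} \surd} \qquad \frac{x \xrightarrow{e} x'}{x + y \xrightarrow{e} x'} \qquad \frac{y \xrightarrow{e} \surd}{x + y \xrightarrow{e} \surd} \qquad \frac{y \xrightarrow{e} y'}{x + y \xrightarrow{e} y'}$$

$$\frac{x \xrightarrow{e} \surd}{x \cdot y \xrightarrow{e} y} \qquad \frac{x \xrightarrow{e} x'}{x \cdot y \xrightarrow{e} x' \cdot y}$$

Table 2: Transition rules of BATC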

In the following, let $e_1, e_2, e_1', e_2' \in E$, let variables $x, y, z$ range over the set of terms for true concurrency, and let $p, q, s$ range over the set of closed terms. The set of axioms of BATC consists of the laws given in Table 1.

We give the operational transition rules of the operators $\cdot$ and $+$ in Table 2. The predicate $\xrightarrow{e} \surd$ represents successful termination after execution of the event $e$.

Theorem 2.19 (Soundness of BATC modulo truly concurrent bisimulation equivalences). The axiomatization of BATC is sound modulo truly concurrent bisimulation equivalences $\sim_p$, $\sim_s$, $\sim_{hp}$ and $\sim_{hhp}$. That is,

1. let $x$ and $y$ be BATC terms. If BATC $\vdash x = y$, then $x \sim_p y$;

2. let $x$ and $y$ be BATC terms. If BATC $\vdash x = y$, then $x \sim_s y$;

3. let $x$ and $y$ be BATC terms. If BATC $\vdash x = y$, then $x \sim_{hp} y$;

4. let $x$ and $y$ be BATC terms. If BATC $\vdash x = y$, then $x \sim_{hhp} y$.

Theorem 2.20 (Completeness of BATC modulo truly concurrent bisimulation equivalences). The axiomatization of BATC is complete modulo truly concurrent bisimulation equivalences $\sim_p$, $\sim_s$, $\sim_{hp}$ and $\sim_{hhp}$. That is,

1. let $p$ and $q$ be closed BATC terms, if $p \sim_p q$ then $p = q$;

2. let $p$ and $q$ be closed BATC terms, if $p \sim_s q$ then $p = q$;

3. let $p$ and $q$ be closed BATC terms, if $p \sim_{hp} q$ then $p = q$;

4. let $p$ and $q$ be closed BATC terms, if $p \sim_{hhp} q$ then $p = q$.

2.4 Algebra for Parallelism in True Concurrency

APTC uses the whole parallel operator $\between$ and the auxiliary binary parallel operator $\parallel$ to model parallelism, and the communication merge $\mid$ to model communications among different parallel branches, and also the unary conflict elimination operator $\Theta$ and the binary unless operator $\triangleleft$ to eliminate conflicts among different parallel branches. Since a communication may be blocked, a new constant called deadlock $\delta$ is added to $A$, and a new unary encapsulation operator $\partial_H$ is introduced to eliminate $\delta$, which may exist in the processes. The algebraic laws on these operators are also sound and complete modulo truly concurrent bisimulation equivalences (including pomset bisimulation, step bisimulation, hp-bisimulation, but not hhp-bisimulation). Note that the parallel operator $\parallel$ in a process cannot be eliminated by deductions on the process using the axioms of APTC, but other operators can eventually be steadied by $\cdot$, $+$ and $\parallel$; this is also why truly concurrent bisimulations are called a truly concurrent semantics.

We design the axioms of APTC in Table 3, including algebraic laws of the parallel operator $\parallel$, the communication operator $\mid$, the conflict elimination operator $\Theta$ and the unless operator $\triangleleft$, the encapsulation operator $\partial_H$, the deadlock constant $\delta$, and also the whole parallel operator $\between$.

We give the transition rules of APTC in Table 4; they are suitable for all truly concurrent behavioral equivalences, including pomset bisimulation, step bisimulation, hp-bisimulation and hhp-bisimulation.

Theorem 2.21 (Soundness of APTC modulo truly concurrent bisimulation equivalences). The axiomatization of APTC is sound modulo truly concurrent bisimulation equivalences $\sim_p$, $\sim_s$, and $\sim_{hp}$. That is,

1. let $x$ and $y$ be APTC terms. If APTC $\vdash x = y$, then $x \sim_p y$;

2. let $x$ and $y$ be APTC terms. If APTC $\vdash x = y$, then $x \sim_s y$;

3. let $x$ and $y$ be APTC terms. If APTC $\vdash x = y$, then $x \sim_{hp} y$.

Theorem 2.22 (Completeness of APTC modulo truly concurrent bisimulation equivalences). The axiomatization of APTC is complete modulo truly concurrent bisimulation equivalences $\sim_p$, $\sim_s$, and $\sim_{hp}$. That is,

1. let $p$ and $q$ be closed APTC terms, if $p \sim_p q$ then $p = q$;

2. let $p$ and $q$ be closed APTC terms, if $p \sim_s q$ then $p = q$;

3. let $p$ and $q$ be closed APTC terms, if $p \sim_{hp} q$ then $p = q$.

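No.   Axiom
A6    $x + \delta = x$
A7    $\delta \cdot x = \delta$
P1    $x \between y = x \parallel y + x \mid y$
P2    $x \parallel y = y \parallel x$
P3    $(x \parallel y) \parallel z = x \parallel (y \parallel z)$
P4    $e_1 \parallel (e_2 \cdot y) = (e_1 \parallel e_2) \cdot y$
P5    $(e_1 \cdot x) \parallel e_2 = (e_1 \parallel e_2) \cdot x$
P6    $(e_1 \cdot x) \parallel (e_2 \cdot y) = (e_1 \parallel e_2) \cdot (x \between y)$
P7    $(x + y) \parallel z = (x \parallel z) + (y \parallel z)$
P8    $x \parallel (y + z) = (x \parallel y) + (x \parallel z)$
P9    $\delta \parallel x = \delta$
P10   $x \parallel \delta = \delta$
C11   $e_1 \mid e_2 = \gamma(e_1, e_2)$
C12   $e_1 \mid (e_2 \cdot y) = \gamma(e_1, e_2) \cdot y$
C13   $(e_1 \cdot x) \mid e_2 = \gamma(e_1, e_2) \cdot x$
C14   $(e_1 \cdot x) \mid (e_2 \cdot y) = \gamma(e_1, e_2) \cdot (x \between y)$
C15   $(x + y) \mid z = (x \mid z) + (y \mid z)$
C16   $x \mid (y + z) = (x \mid y) + (x \mid z)$
C17   $\delta \mid x = \delta$
C18   $x \mid \delta = \delta$
CE19  $\Theta(e) = e$
CE20  $\Theta(\delta) = \delta$
CE21  $\Theta(x + y) = \Theta(x) \triangleleft y + \Theta(y) \triangleleft x$
CE22  $\Theta(x \cdot y) = \Theta(x) \cdot \Theta(y)$
CE23  $\Theta(x \parallel y) = ((\Theta(x) \triangleleft y) \parallel y) + ((\Theta(y) \triangleleft x) \parallel x)$
CE24  $\Theta(x \mid y) = ((\Theta(x) \triangleleft y) \mid y) + ((\Theta(y) \triangleleft x) \mid x)$
U25   $(\sharp(e_1, e_2))$   $e_1 \triangleleft e_2 = \tau$
U26   $(\sharp(e_1, e_2), e_2 \leq e_3)$   $e_1 \triangleleft e_3 = e_1$
U27   $(\sharp(e_1, e_2), e_2 \leq e_3)$   $e_3 \triangleleft e_1 = \tau$
U28   $e \triangleleft \delta = e$
U29   $\delta \triangleleft e = \delta$
U30   $(x + y) \triangleleft z = (x \triangleleft z) + (y \triangleleft z)$
U31   $(x \cdot y) \triangleleft z = (x \triangleleft z) \cdot (y \triangleleft z)$
U32   $(x \parallel y) \triangleleft z = (x \triangleleft z) \parallel (y \triangleleft z)$
U33   $(x \mid y) \triangleleft z = (x \triangleleft z) \mid (y \triangleleft z)$
U34   $x \triangleleft (y + z) = (x \triangleleft y) \triangleleft z$
U35   $x \triangleleft (y \cdot z) = (x \triangleleft y) \triangleleft z$
U36   $x \triangleleft (y \parallel z) = (x \triangleleft y) \triangleleft z$
U37   $x \triangleleft (y \mid z) = (x \triangleleft y) \triangleleft z$
D1    $e \notin H$   $\partial_H(e) = e$
D2    $e \in H$   $\partial_H(e) = \delta$
D3    $\partial_H(\delta) = \delta$
D4    $\partial_H(x + y) = \partial_H(x) + \partial_H(y)$
D5    $\partial_H(x \cdot y) = \partial_H(x) \cdot \partial_H(y)$
D6    $\partial_H(x \parallel y) = \partial_H(x) \parallel \partial_H(y)$

Table 3: Axioms of APTC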
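
A worked derivation with the axioms of Tables 1 and 3, added here as an example and not taken from the original paper: it shows how encapsulation forces a send and a receive to synchronize, which is how a channel between two protocol principals is modeled. The atomic actions $s$ and $r$, the communication $\gamma(s, r) = c$, and the set $H = \{s, r\}$ with $c \notin H$ are assumptions of the example; $x$ and $y$ are arbitrary continuations.

\begin{align*}
\partial_H((s \cdot x) \between (r \cdot y))
&= \partial_H((s \cdot x) \parallel (r \cdot y) + (s \cdot x) \mid (r \cdot y)) && \text{(P1)} \\
&= \partial_H((s \parallel r) \cdot (x \between y) + \gamma(s, r) \cdot (x \between y)) && \text{(P6, C14)} \\
&= \partial_H(s \parallel r) \cdot \partial_H(x \between y) + \partial_H(c) \cdot \partial_H(x \between y) && \text{(D4, D5, } \gamma(s, r) = c\text{)} \\
&= (\partial_H(s) \parallel \partial_H(r)) \cdot \partial_H(x \between y) + c \cdot \partial_H(x \between y) && \text{(D6, D1)} \\
&= (\delta \parallel \delta) \cdot \partial_H(x \between y) + c \cdot \partial_H(x \between y) && \text{(D2)} \\
&= \delta \cdot \partial_H(x \between y) + c \cdot \partial_H(x \between y) && \text{(P9)} \\
&= \delta + c \cdot \partial_H(x \between y) && \text{(A7)} \\
&= c \cdot \partial_H(x \between y) && \text{(A1, A6)}
\end{align*}

The unsynchronized branch $s \parallel r$ collapses to deadlock and disappears, so the only observable behavior is the communication $c$ followed by the encapsulated continuations.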


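$$\frac{x \xrightarrow{e_1} \surd \quad y \xrightarrow{e_2} \surd}{x \parallel y \xrightarrow{\{e_1, e_2\}} \surd} \qquad \frac{x \xrightarrow{e_1} x' \quad y \xrightarrow{e_2} \surd}{x \parallel y \xrightarrow{\{e_1, e_2\}} x'}$$

$$\frac{x \xrightarrow{e_1} \surd \quad y \xrightarrow{e_2} y'}{x \parallel y \xrightarrow{\{e_1, e_2\}} y'} \qquad \frac{x \xrightarrow{e_1} x' \quad y \xrightarrow{e_2} y'}{x \parallel y \xrightarrow{\{e_1, e_2\}} x' \between y'}$$

$$\frac{x \xrightarrow{e_1} \surd \quad y \xrightarrow{e_2} \surd}{x \mid y \xrightarrow{\gamma(e_1, e_2)} \surd} \qquad \frac{x \xrightarrow{e_1} x' \quad y \xrightarrow{e_2} \surd}{x \mid y \xrightarrow{\gamma(e_1, e_2)} x'}$$

$$\frac{x \xrightarrow{e_1} \surd \quad y \xrightarrow{e_2} y'}{x \mid y \xrightarrow{\gamma(e_1, e_2)} y'} \qquad \frac{x \xrightarrow{e_1} x' \quad y \xrightarrow{e_2} y'}{x \mid y \xrightarrow{\gamma(e_1, e_2)} x' \between y'}$$

$$\frac{x \xrightarrow{e_1} \surd \quad (\sharp(e_1, e_2))}{\Theta(x) \xrightarrow{e_1} \surd} \qquad \frac{x \xrightarrow{e_2} \surd \quad (\sharp(e_1, e_2))}{\Theta(x) \xrightarrow{e_2} \surd}$$

$$\frac{x \xrightarrow{e_1} x' \quad (\sharp(e_1, e_2))}{\Theta(x) \xrightarrow{e_1} \Theta(x')} \qquad \frac{x \xrightarrow{e_2} x' \quad (\sharp(e_1, e_2))}{\Theta(x) \xrightarrow{e_2} \Theta(x')}$$

$$\frac{x \xrightarrow{e_1} \surd \quad y \nrightarrow^{e_2} \quad (\sharp(e_1, e_2))}{x \triangleleft y \xrightarrow{\tau} \surd} \qquad \frac{x \xrightarrow{e_1} x' \quad y \nrightarrow^{e_2} \quad (\sharp(e_1, e_2))}{x \triangleleft y \xrightarrow{\tau} x'}$$

$$\frac{x \xrightarrow{e_1} \surd \quad y \nrightarrow^{e_3} \quad (\sharp(e_1, e_2), e_2 \leq e_3)}{x \triangleleft y \xrightarrow{e_1} \surd} \qquad \frac{x \xrightarrow{e_1} x' \quad y \nrightarrow^{e_3} \quad (\sharp(e_1, e_2), e_2 \leq e_3)}{x \triangleleft y \xrightarrow{e_1} x'}$$

$$\frac{x \xrightarrow{e_3} \surd \quad y \nrightarrow^{e_2} \quad (\sharp(e_1, e_2), e_1 \leq e_3)}{x \triangleleft y \xrightarrow{\tau} \surd} \qquad \frac{x \xrightarrow{e_3} x' \quad y \nrightarrow^{e_2} \quad (\sharp(e_1, e_2), e_1 \leq e_3)}{x \triangleleft y \xrightarrow{\tau} x'}$$

$$\frac{x \xrightarrow{e} \surd}{\partial_H(x) \xrightarrow{e} \surd} \; (e \notin H) \qquad \frac{x \xrightarrow{e} x'}{\partial_H(x) \xrightarrow{e} \partial_H(x')} \; (e \notin H)$$

Table 4: Transition rules of APTC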

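$$\frac{t_i(\langle X_1 | E \rangle, \cdots, \langle X_n | E \rangle) \xrightarrow{\{e_1, \cdots, e_k\}} \surd}{\langle X_i | E \rangle \xrightarrow{\{e_1, \cdots, e_k\}} \surd}$$

$$\frac{t_i(\langle X_1 | E \rangle, \cdots, \langle X_n | E \rangle) \xrightarrow{\{e_1, \cdots, e_k\}} y}{\langle X_i | E \rangle \xrightarrow{\{e_1, \cdots, e_k\}} y}$$

Table 5: Transition rules of guarded recursion

No.   Axiom
RDP   $\langle X_i | E \rangle = t_i(\langle X_1 | E, \cdots, X_n | E \rangle)$   $(i \in \{1, \cdots, n\})$
RSP   if $y_i = t_i(y_1, \cdots, y_n)$ for $i \in \{1, \cdots, n\}$, then $y_i = \langle X_i | E \rangle$   $(i \in \{1, \cdots, n\})$

Table 6: Recursive definition and specification principle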

2.5 Recursion

To model infinite computation, recursion is introduced into APTC. In order to obtain a sound and complete theory, guarded recursion and linear recursion are needed. The corresponding axioms are RSP (Recursive Specification Principle) and RDP (Recursive Definition Principle). RDP says that the solutions of a recursive specification can represent the behaviors of the specification, while RSP says that a guarded recursive specification has only one solution. They are sound with respect to APTC with guarded recursion modulo several truly concurrent bisimulation equivalences (including pomset bisimulation, step bisimulation and hp-bisimulation), and they are complete with respect to APTC with linear recursion modulo several truly concurrent bisimulation equivalences (including pomset bisimulation, step bisimulation and hp-bisimulation). In the following, $E, F, G$ are recursive specifications, and $X, Y, Z$ are recursive variables.

For a guarded recursive specification $E$ of the form

$$X_1 = t_1(X_1, \cdots, X_n)$$

$$X_n = t_n(X_1, \cdots, X_n)$$

the behavior of the solution $\langle X_i | E \rangle$ for the recursion variable $X_i$ in $E$, where $i \in \{1, \cdots, n\}$, is exactly the behavior of their right-hand sides $t_i(X_1, \cdots, X_n)$, which is captured by the two transition rules in Table 5.

The RDP (Recursive Definition Principle) and the RSP (Recursive Specification Principle) are shown in Table 6.

Theorem 2.23 (Soundness of APTC with guarded recursion). Let $x$ and $y$ be APTC with guarded recursion terms. If APTC with guarded recursion $\vdash x = y$, then

1. $x \sim_s y$;

2. $x \sim_p y$;

3. $x \sim_{hp} y$.

Theorem 2.24 (Completeness of APTC with linear recursion). Let $p$ and $q$ be closed APTC with linear recursion terms, then,

1. if $p \sim_s q$ then $p = q$;

2. if $p \sim_p q$ then $p = q$;

3. if $p \sim_{hp} q$ then $p = q$.

2.6 Abstraction

To abstract away internal implementations from the external behaviors, a new constant $\tau$ called the silent step is added to $A$, and a new unary abstraction operator $\tau_I$ is used to rename actions in $I$ into $\tau$ (the resulting APTC with silent step and abstraction operator is called APTC$_\tau$). The recursive specification is adapted to guarded linear recursion, specifically to prevent infinite $\tau$-loops. The axioms of $\tau$ and $\tau_I$ are sound modulo rooted branching truly concurrent bisimulation equivalences (several kinds of weakly truly concurrent bisimulation equivalences, including rooted branching pomset bisimulation, rooted branching step bisimulation and rooted branching hp-bisimulation). To eliminate infinite $\tau$-loops caused by $\tau_I$ and obtain completeness, CFAR (Cluster Fair Abstraction Rule) is used to prevent infinite $\tau$-loops in a constructible way.

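Definition 2.25 (Weak pomset transitions and weak step). Let $E$ be a PES and let $C \in C(E)$, and $\emptyset \neq X \subseteq E$, if $C \cap X = \emptyset$ and $C' = C \cup X \in C(E)$, then $C \xRightarrow{X} C'$ is called a weak pomset transition from $C$ to $C'$, where we define $\xRightarrow{e} \triangleq \xrightarrow{\tau^*} \xrightarrow{e} \xrightarrow{\tau^*}$. And $\xRightarrow{X} \triangleq \xrightarrow{\tau^*} \xrightarrow{e} \xrightarrow{\tau^*}$, for every $e \in X$. When the events in $X$ are pairwise concurrent, we say that $C \xRightarrow{X} C'$ is a weak step.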

Definition 2.26 (Branching pomset, step bisimulation). Assume a special termination predicate $\downarrow$, and let $\surd$ represent a state with $\surd \downarrow$. Let $E_1$, $E_2$ be PESs. A branching pomset bisimulation is a relation $R \subseteq C(E_1) \times C(E_2)$, such that:

1. if $(C_1, C_2) \in R$, and $C_1 \xrightarrow{X} C_1'$ then
   • either $X \equiv \tau^*$, and $(C_1', C_2) \in R$;
   • or there is a sequence of (zero or more) $\tau$-transitions $C_2 \xrightarrow{\tau^*} C_2^0$, such that $(C_1, C_2^0) \in R$ and $C_2^0 \xRightarrow{X} C_2'$ with $(C_1', C_2') \in R$;

2. if $(C_1, C_2) \in R$, and $C_2 \xrightarrow{X} C_2'$ then
   • either $X \equiv \tau^*$, and $(C_1, C_2') \in R$;
   • or there is a sequence of (zero or more) $\tau$-transitions $C_1 \xrightarrow{\tau^*} C_1^0$, such that $(C_1^0, C_2) \in R$ and $C_1^0 \xRightarrow{X} C_1'$ with $(C_1', C_2') \in R$;

3. if $(C_1, C_2) \in R$ and $C_1 \downarrow$, then there is a sequence of (zero or more) $\tau$-transitions $C_2 \xrightarrow{\tau^*} C_2^0$ such that $(C_1, C_2^0) \in R$ and $C_2^0 \downarrow$;

4. if $(C_1, C_2) \in R$ and $C_2 \downarrow$, then there is a sequence of (zero or more) $\tau$-transitions $C_1 \xrightarrow{\tau^*} C_1^0$ such that $(C_1^0, C_2) \in R$ and $C_1^0 \downarrow$.

We say that $E_1$, $E_2$ are branching pomset bisimilar, written $E_1 \approx_{bp} E_2$, if there exists a branching pomset bisimulation $R$, such that $(\emptyset, \emptyset) \in R$.

By replacing pomset transitions with steps, we can get the definition of branching step bisimulation. When PESs $E_1$ and $E_2$ are branching step bisimilar, we write $E_1 \approx_{bs} E_2$.

Definition 2.27 (Rooted branching pomset, step bisimulation). Assume a special termination predicate $\downarrow$, and let $\surd$ represent a state with $\surd \downarrow$. Let $E_1$, $E_2$ be PESs. A branching pomset bisimulation is a relation $R \subseteq C(E_1) \times C(E_2)$, such that:

1. if $(C_1, C_2) \in R$, and $C_1 \xrightarrow{X} C_1'$ then $C_2 \xrightarrow{X} C_2'$ with $C_1' \approx_{bp} C_2'$;

2. if $(C_1, C_2) \in R$, and $C_2 \xrightarrow{X} C_2'$ then $C_1 \xrightarrow{X} C_1'$ with $C_1' \approx_{bp} C_2'$;

3. if $(C_1, C_2) \in R$ and $C_1 \downarrow$, then $C_2 \downarrow$;

4. if $(C_1, C_2) \in R$ and $C_2 \downarrow$, then $C_1 \downarrow$.

We say that $E_1$, $E_2$ are rooted branching pomset bisimilar, written $E_1 \approx_{rbp} E_2$, if there exists a rooted branching pomset bisimulation $R$, such that $(\emptyset, \emptyset) \in R$.

By replacing pomset transitions with steps, we can get the definition of rooted branching step bisimulation. When PESs $E_1$ and $E_2$ are rooted branching step bisimilar, we write $E_1 \approx_{rbs} E_2$.

Definition 2.28 (Branching (hereditary) history-preserving bisimulation). Assume a special termination predicate $\downarrow$, and let $\surd$ represent a state with $\surd \downarrow$. A branching history-preserving (hp-) bisimulation is a weakly posetal relation $R \subseteq \mathcal{C}(\mathcal{E}_1) \times \mathcal{C}(\mathcal{E}_2)$ such that:

1. if $(C_1, f, C_2) \in R$, and $C_1 \xrightarrow{e_1} C_1'$ then

• either $e_1 \equiv \tau$, and $(C_1', f[e_1 \mapsto \tau], C_2) \in R$;

• or there is a sequence of (zero or more) $\tau$-transitions $C_2 \xrightarrow{\tau^*} C_2^0$, such that $(C_1, f, C_2^0) \in R$ and $C_2^0 \xrightarrow{e_2} C_2'$ with $(C_1', f[e_1 \mapsto e_2], C_2') \in R$;

2. if $(C_1, f, C_2) \in R$, and $C_2 \xrightarrow{e_2} C_2'$ then

• either $X \equiv \tau$, and $(C_1, f[e_2 \mapsto \tau], C_2') \in R$;

• or there is a sequence of (zero or more) $\tau$-transitions $C_1 \xrightarrow{\tau^*} C_1^0$, such that $(C_1^0, f, C_2) \in R$ and $C_1^0 \xrightarrow{e_1} C_1'$ with $(C_1', f[e_2 \mapsto e_1], C_2') \in R$;

3. if $(C_1, f, C_2) \in R$ and $C_1 \downarrow$, then there is a sequence of (zero or more) $\tau$-transitions $C_2 \xrightarrow{\tau^*} C_2^0$ such that $(C_1, f, C_2^0) \in R$ and $C_2^0 \downarrow$;


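No.    Axiom
B1     $e \cdot \tau = e$
B2     $e \cdot (\tau \cdot (x + y) + x) = e \cdot (x + y)$
B3     $x \parallel \tau = x$
TI1    $e \notin I \quad \tau_I(e) = e$
TI2    $e \in I \quad \tau_I(e) = \tau$
TI3    $\tau_I(\delta) = \delta$
TI4    $\tau_I(x + y) = \tau_I(x) + \tau_I(y)$
TI5    $\tau_I(x \cdot y) = \tau_I(x) \cdot \tau_I(y)$
TI6    $\tau_I(x \parallel y) = \tau_I(x) \parallel \tau_I(y)$
CFAR   If $X$ is in a cluster for $I$ with exits
       $\{(a_{11} \parallel \cdots \parallel a_{1i})Y_1, \cdots, (a_{m1} \parallel \cdots \parallel a_{mi})Y_m, b_{11} \parallel \cdots \parallel b_{1j}, \cdots, b_{n1} \parallel \cdots \parallel b_{nj}\}$,
       then $\tau \cdot \tau_I(\langle X|E\rangle) = \tau \cdot \tau_I((a_{11} \parallel \cdots \parallel a_{1i})\langle Y_1|E\rangle + \cdots + (a_{m1} \parallel \cdots \parallel a_{mi})\langle Y_m|E\rangle + b_{11} \parallel \cdots \parallel b_{1j} + \cdots + b_{n1} \parallel \cdots \parallel b_{nj})$

Table 7: Axioms of APTCτ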

4. if $(C_1, f, C_2) \in R$ and $C_2 \downarrow$, then there is a sequence of (zero or more) $\tau$-transitions $C_1 \xrightarrow{\tau^*} C_1^0$ such that $(C_1^0, f, C_2) \in R$ and $C_1^0 \downarrow$.

$\mathcal{E}_1$, $\mathcal{E}_2$ are branching history-preserving (hp-)bisimilar and are written $\mathcal{E}_1 \approx_{bhp} \mathcal{E}_2$ if there exists a branching hp-bisimulation $R$ such that $(\emptyset, \emptyset, \emptyset) \in R$.

A branching hereditary history-preserving (hhp-)bisimulation is a downward closed branching hhp-bisimulation. $\mathcal{E}_1$, $\mathcal{E}_2$ are branching hereditary history-preserving (hhp-)bisimilar and are written $\mathcal{E}_1 \approx_{bhhp} \mathcal{E}_2$.

Definition 2.29 (Rooted branching (hereditary) history-preserving bisimulation). Assume a special termination predicate $\downarrow$, and let $\surd$ represent a state with $\surd \downarrow$. A rooted branching history-preserving (hp-) bisimulation is a weakly posetal relation $R \subseteq \mathcal{C}(\mathcal{E}_1) \times \mathcal{C}(\mathcal{E}_2)$ such that:

1. if $(C_1, f, C_2) \in R$, and $C_1 \xrightarrow{e_1} C_1'$, then $C_2 \xrightarrow{e_2} C_2'$ with $C_1' \approx_{bhp} C_2'$;

2. if $(C_1, f, C_2) \in R$, and $C_2 \xrightarrow{e_2} C_1'$, then $C_1 \xrightarrow{e_1} C_2'$ with $C_1' \approx_{bhp} C_2'$;

3. if $(C_1, f, C_2) \in R$ and $C_1 \downarrow$, then $C_2 \downarrow$;

4. if $(C_1, f, C_2) \in R$ and $C_2 \downarrow$, then $C_1 \downarrow$.

$\mathcal{E}_1$, $\mathcal{E}_2$ are rooted branching history-preserving (hp-)bisimilar and are written $\mathcal{E}_1 \approx_{rbhp} \mathcal{E}_2$ if there exists a rooted branching hp-bisimulation $R$ such that $(\emptyset, \emptyset, \emptyset) \in R$.

A rooted branching hereditary history-preserving (hhp-)bisimulation is a downward closed rooted branching hhp-bisimulation. $\mathcal{E}_1$, $\mathcal{E}_2$ are rooted branching hereditary history-preserving (hhp-)bisimilar and are written $\mathcal{E}_1 \approx_{rbhhp} \mathcal{E}_2$.

The axioms and transition rules of APTCτ are shown in Table 7 and Table 8.


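$$\frac{}{\tau \xrightarrow{\tau} \surd}$$

$$\frac{x \xrightarrow{e} \surd}{\tau_I(x) \xrightarrow{e} \surd}\ \ e \notin I \qquad \frac{x \xrightarrow{e} x'}{\tau_I(x) \xrightarrow{e} \tau_I(x')}\ \ e \notin I$$

$$\frac{x \xrightarrow{e} \surd}{\tau_I(x) \xrightarrow{\tau} \surd}\ \ e \in I \qquad \frac{x \xrightarrow{e} x'}{\tau_I(x) \xrightarrow{\tau} \tau_I(x')}\ \ e \in I$$

Table 8: Transition rule of APTCτ

$$\frac{}{\circledS \rightarrow \surd}$$

Table 9: Transition rule of the shadow constant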

Theorem 2.30 (Soundness of APTCτ with guarded linear recursion). Let x and y be APTCτ with guarded linear recursion terms. If APTCτ with guarded linear recursion ⊢ x = y, then

1. x ≈rbs y;

2. x ≈rbp y;

3. x ≈rbhp y.

Theorem 2.31 (Soundness of CFAR). CFAR is sound modulo rooted branching truly concurrent bisimulation equivalences ≈rbs, ≈rbp and ≈rbhp.

Theorem 2.32 (Completeness of APTCτ with guarded linear recursion and CFAR). Let p and q be closed APTCτ with guarded linear recursion and CFAR terms, then,

1. if p ≈rbs q then p = q;

2. if p ≈rbp q then p = q;

3. if p ≈rbhp q then p = q.

2.7 Placeholder

We introduce a constant called the shadow constant $\circledS$ to act as the placeholder that we previously used to deal with entanglement in quantum process algebra. The transition rule of the shadow constant $\circledS$ is shown in Table 9. The rule says that $\circledS$ can terminate successfully without executing any action.

We need to adjust the definition of guarded linear recursive specification to the following one.


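No.    Axiom
SC1    $\circledS \cdot x = x$
SC2    $x \cdot \circledS = x$
SC3    $\circledS^{e} \parallel e = e$
SC4    $e \parallel (\circledS^{e} \cdot y) = e \cdot y$
SC5    $\circledS^{e} \parallel (e \cdot y) = e \cdot y$
SC6    $(e \cdot x) \parallel \circledS^{e} = e \cdot x$
SC7    $(\circledS^{e} \cdot x) \parallel e = e \cdot x$
SC8    $(e \cdot x) \parallel (\circledS^{e} \cdot y) = e \cdot (x \between y)$
SC9    $(\circledS^{e} \cdot x) \parallel (e \cdot y) = e \cdot (x \between y)$

Table 10: Axioms of shadow constant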

Definition 2.33 (Guarded linear recursive specification). A linear recursive specification $E$ is guarded if there does not exist an infinite sequence of $\tau$-transitions $\langle X|E\rangle \xrightarrow{\tau} \langle X'|E\rangle \xrightarrow{\tau} \langle X''|E\rangle \xrightarrow{\tau} \cdots$, and there does not exist an infinite sequence of $\circledS$-transitions $\langle X|E\rangle \rightarrow \langle X'|E\rangle \rightarrow \langle X''|E\rangle \rightarrow \cdots$.

Theorem 2.34 (Conservativity of APTC with respect to the shadow constant). APTCτ with guarded linear recursion and shadow constant is a conservative extension of APTCτ with guarded linear recursion.

We design the axioms for the shadow constant $\circledS$ in Table 10. For $\circledS^{e}_{i}$, the superscript $e$ denotes that $\circledS$ belongs to $e$, and the subscript $i$ denotes that it is the $i$-th shadow of $e$. We extend the set $\mathbb{E}$ to the set $\mathbb{E} \cup \{\tau\} \cup \{\delta\} \cup \{\circledS^{e}_{i}\}$.

A mismatch between an action and its shadows in parallelism causes deadlock, that is, $e \parallel \circledS^{e'} = \delta$ with $e \neq e'$. All shadows $\circledS^{e}_{i}$ must be distinct, to ensure that $f$ in hp-bisimulation is an isomorphism.

Theorem 2.35 (Soundness of the shadow constant). Let x and y be APTCτ with guarded

linear recursion and the shadow constant terms. If APTCτ with guarded linear recursion and

the shadow constant ⊢ x = y, then

1. x ≈rbs y;

2. x ≈rbp y;

3. x ≈rbhp y.

Theorem 2.36 (Completeness of the shadow constant). Let p and q be closed APTCτ with

guarded linear recursion and CFAR and the shadow constant terms, then,

1. if p ≈rbs q then p = q;

2. if p ≈rbp q then p = q;

3. if p ≈rbhp q then p = q.


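With the shadow constant, we have

$$\partial_H((a \cdot r_b) \between w_b) = \partial_H((a \cdot r_b) \between (\circledS^{a}_{1} \cdot w_b)) = a \cdot c_b$$

with $H = \{r_b, w_b\}$ and $\gamma(r_b, w_b) \triangleq c_b$.

And we see the following example:

$$a \between b = a \parallel b + a \mid b$$

$$= a \parallel b + a \parallel b + a \parallel b + a \mid b$$

$$= a \parallel (\circledS^{a}_{1} \cdot b) + (\circledS^{b}_{1} \cdot a) \parallel b + a \parallel b + a \mid b$$

$$= (a \parallel \circledS^{a}_{1}) \cdot b + (\circledS^{b}_{1} \parallel b) \cdot a + a \parallel b + a \mid b$$

$$= a \cdot b + b \cdot a + a \parallel b + a \mid b$$

What do we see? Yes. The parallelism contains both interleaving and true concurrency. This may be why true concurrency is called true concurrency.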

2.8 Axiomatization for Hhp-Bisimilarity

Hhp-bisimilarity is a downward closed hp-bisimilarity and can be downward closed to a single atomic event, which implies bisimilarity. As Moller [6] proved, there is no finite sound and complete axiomatization for parallelism $\parallel$ modulo bisimulation equivalence, so there is no finite sound and complete axiomatization for parallelism $\parallel$ modulo hhp-bisimulation equivalence either. Inspired by the way the left merge is used to model the full merge for bisimilarity, we introduce a left parallel composition $\leftmerge$ to model the full parallelism $\parallel$ for hhp-bisimilarity.

In the following subsection, we add left parallel composition $\leftmerge$ to the whole theory. Because the resulting theory is similar to the former, we only list the significant differences, and all proofs of the conclusions are left to the reader.

2.8.1 APTC with Left Parallel Composition

The transition rules of left parallel composition $\leftmerge$ are shown in Table 11. With a little abuse of notation, we extend the causal order relation $\leq$ on $\mathbb{E}$ to include the original partial order (denoted by $<$) and concurrency (denoted by $=$).

The new axioms for parallelism are listed in Table 12.


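$$\frac{x \xrightarrow{e_1} \surd \quad y \xrightarrow{e_2} \surd \quad (e_1 \leq e_2)}{x \leftmerge y \xrightarrow{\{e_1, e_2\}} \surd} \qquad \frac{x \xrightarrow{e_1} x' \quad y \xrightarrow{e_2} \surd \quad (e_1 \leq e_2)}{x \leftmerge y \xrightarrow{\{e_1, e_2\}} x'}$$

$$\frac{x \xrightarrow{e_1} \surd \quad y \xrightarrow{e_2} y' \quad (e_1 \leq e_2)}{x \leftmerge y \xrightarrow{\{e_1, e_2\}} y'} \qquad \frac{x \xrightarrow{e_1} x' \quad y \xrightarrow{e_2} y' \quad (e_1 \leq e_2)}{x \leftmerge y \xrightarrow{\{e_1, e_2\}} x' \between y'}$$

Table 11: Transition rules of left parallel operator $\leftmerge$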

Definition 2.37 (Basic terms of APTC with left parallel composition). The set of basic terms

of APTC, B(APTC), is inductively defined as follows:

1. E ⊂ B(APTC);

2. if e ∈ E, t ∈ B(APTC) then e ⋅ t ∈ B(APTC);

3. if t, s ∈ B(APTC) then t + s ∈ B(APTC);

4. if t, s ∈ B(APTC) then $t \leftmerge s$ ∈ B(APTC).

Theorem 2.38 (Generalization of the algebra for left parallelism with respect to BATC). The

algebra for left parallelism is a generalization of BATC.

Theorem 2.39 (Congruence theorem of APTC with left parallel composition). Truly concurrent bisimulation equivalences ∼p, ∼s, ∼hp and ∼hhp are all congruences with respect to APTC with left parallel composition.

Theorem 2.40 (Elimination theorem of parallelism with left parallel composition). Let p be a

closed APTC with left parallel composition term. Then there is a basic APTC term q such that

APTC ⊢ p = q.

Theorem 2.41 (Soundness of parallelism with left parallel composition modulo truly concurrent bisimulation equivalences). Let x and y be APTC with left parallel composition terms. If APTC ⊢ x = y, then

1. x ∼s y;

2. x ∼p y;

3. x ∼hp y;

4. x ∼hhp y.

Theorem 2.42 (Completeness of parallelism with left parallel composition modulo truly concurrent bisimulation equivalences). Let x and y be APTC terms.

1. If x ∼s y, then APTC ⊢ x = y;

2. if x ∼p y, then APTC ⊢ x = y;

3. if x ∼hp y, then APTC ⊢ x = y;


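No.    Axiom
A6     $x + \delta = x$
A7     $\delta \cdot x = \delta$
P1     $x \between y = x \parallel y + x \mid y$
P2     $x \parallel y = y \parallel x$
P3     $(x \parallel y) \parallel z = x \parallel (y \parallel z)$
P4     $x \parallel y = x \leftmerge y + y \leftmerge x$
P5     $(e_1 \leq e_2) \quad e_1 \leftmerge (e_2 \cdot y) = (e_1 \leftmerge e_2) \cdot y$
P6     $(e_1 \leq e_2) \quad (e_1 \cdot x) \leftmerge e_2 = (e_1 \leftmerge e_2) \cdot x$
P7     $(e_1 \leq e_2) \quad (e_1 \cdot x) \leftmerge (e_2 \cdot y) = (e_1 \leftmerge e_2) \cdot (x \between y)$
P8     $(x + y) \leftmerge z = (x \leftmerge z) + (y \leftmerge z)$
P9     $\delta \leftmerge x = \delta$
C10    $e_1 \mid e_2 = \gamma(e_1, e_2)$
C11    $e_1 \mid (e_2 \cdot y) = \gamma(e_1, e_2) \cdot y$
C12    $(e_1 \cdot x) \mid e_2 = \gamma(e_1, e_2) \cdot x$
C13    $(e_1 \cdot x) \mid (e_2 \cdot y) = \gamma(e_1, e_2) \cdot (x \between y)$
C14    $(x + y) \mid z = (x \mid z) + (y \mid z)$
C15    $x \mid (y + z) = (x \mid y) + (x \mid z)$
C16    $\delta \mid x = \delta$
C17    $x \mid \delta = \delta$
CE18   $\Theta(e) = e$
CE19   $\Theta(\delta) = \delta$
CE20   $\Theta(x + y) = \Theta(x) \triangleleft y + \Theta(y) \triangleleft x$
CE21   $\Theta(x \cdot y) = \Theta(x) \cdot \Theta(y)$
CE22   $\Theta(x \leftmerge y) = ((\Theta(x) \triangleleft y) \leftmerge y) + ((\Theta(y) \triangleleft x) \leftmerge x)$
CE23   $\Theta(x \mid y) = ((\Theta(x) \triangleleft y) \mid y) + ((\Theta(y) \triangleleft x) \mid x)$
U24    $(\sharp(e_1, e_2)) \quad e_1 \triangleleft e_2 = \tau$
U25    $(\sharp(e_1, e_2), e_2 \leq e_3) \quad e_1 \triangleleft e_3 = e_1$
U26    $(\sharp(e_1, e_2), e_2 \leq e_3) \quad e_3 \triangleleft e_1 = \tau$
U27    $e \triangleleft \delta = e$
U28    $\delta \triangleleft e = \delta$
U29    $(x + y) \triangleleft z = (x \triangleleft z) + (y \triangleleft z)$
U30    $(x \cdot y) \triangleleft z = (x \triangleleft z) \cdot (y \triangleleft z)$
U31    $(x \leftmerge y) \triangleleft z = (x \triangleleft z) \leftmerge (y \triangleleft z)$
U32    $(x \mid y) \triangleleft z = (x \triangleleft z) \mid (y \triangleleft z)$
U33    $x \triangleleft (y + z) = (x \triangleleft y) \triangleleft z$
U34    $x \triangleleft (y \cdot z) = (x \triangleleft y) \triangleleft z$
U35    $x \triangleleft (y \leftmerge z) = (x \triangleleft y) \triangleleft z$
U36    $x \triangleleft (y \mid z) = (x \triangleleft y) \triangleleft z$

Table 12: Axioms of parallelism with left parallel composition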


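No.    Axiom
D1     $e \notin H \quad \partial_H(e) = e$
D2     $e \in H \quad \partial_H(e) = \delta$
D3     $\partial_H(\delta) = \delta$
D4     $\partial_H(x + y) = \partial_H(x) + \partial_H(y)$
D5     $\partial_H(x \cdot y) = \partial_H(x) \cdot \partial_H(y)$
D6     $\partial_H(x \leftmerge y) = \partial_H(x) \leftmerge \partial_H(y)$

Table 13: Axioms of encapsulation operator with left parallel composition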

4. if x ∼hhp y, then APTC ⊢ x = y.

The transition rules of the encapsulation operator are the same, and its axioms are shown in Table 13.

Theorem 2.43 (Conservativity of APTC with respect to the algebra for parallelism with left

parallel composition). APTC is a conservative extension of the algebra for parallelism with left

parallel composition.

Theorem 2.44 (Congruence theorem of encapsulation operator ∂H). Truly concurrent bisimulation equivalences ∼p, ∼s, ∼hp and ∼hhp are all congruences with respect to encapsulation operator ∂H.

Theorem 2.45 (Elimination theorem of APTC). Let p be a closed APTC term including the

encapsulation operator ∂H . Then there is a basic APTC term q such that APTC ⊢ p = q.

Theorem 2.46 (Soundness of APTC modulo truly concurrent bisimulation equivalences). Let

x and y be APTC terms including encapsulation operator ∂H . If APTC ⊢ x = y, then

1. x ∼s y;

2. x ∼p y;

3. x ∼hp y;

4. x ∼hhp y.

Theorem 2.47 (Completeness of APTC modulo truly concurrent bisimulation equivalences).

Let p and q be closed APTC terms including encapsulation operator ∂H ,

1. if p ∼s q then p = q;

2. if p ∼p q then p = q;

3. if p ∼hp q then p = q;

4. if p ∼hhp q then p = q.


2.8.2 Recursion

Definition 2.48 (Recursive specification). A recursive specification is a finite set of recursive equations

$$X_1 = t_1(X_1, \cdots, X_n)$$

$$\vdots$$

$$X_n = t_n(X_1, \cdots, X_n)$$

where the left-hand sides of $X_i$ are called recursion variables, and the right-hand sides $t_i(X_1, \cdots, X_n)$ are process terms in APTC with possible occurrences of the recursion variables $X_1, \cdots, X_n$.

Definition 2.49 (Solution). Processes $p_1, \cdots, p_n$ are a solution for a recursive specification $\{X_i = t_i(X_1, \cdots, X_n) \mid i \in \{1, \cdots, n\}\}$ (with respect to truly concurrent bisimulation equivalences $\sim_s$ ($\sim_p$, $\sim_{hp}$, $\sim_{hhp}$)) if $p_i \sim_s (\sim_p, \sim_{hp}, \sim_{hhp})\, t_i(p_1, \cdots, p_n)$ for $i \in \{1, \cdots, n\}$.

Definition 2.50 (Guarded recursive specification). A recursive specification

$$X_1 = t_1(X_1, \cdots, X_n)$$

$$\vdots$$

$$X_n = t_n(X_1, \cdots, X_n)$$

is guarded if the right-hand sides of its recursive equations can be adapted to the form by applications of the axioms in APTC and replacing recursion variables by the right-hand sides of their recursive equations,

$$(a_{11} \leftmerge \cdots \leftmerge a_{1i_1}) \cdot s_1(X_1, \cdots, X_n) + \cdots + (a_{k1} \leftmerge \cdots \leftmerge a_{ki_k}) \cdot s_k(X_1, \cdots, X_n) + (b_{11} \leftmerge \cdots \leftmerge b_{1j_1}) + \cdots + (b_{1j_1} \leftmerge \cdots \leftmerge b_{lj_l})$$

where $a_{11}, \cdots, a_{1i_1}, a_{k1}, \cdots, a_{ki_k}, b_{11}, \cdots, b_{1j_1}, b_{1j_1}, \cdots, b_{lj_l} \in \mathbb{E}$, and the sum above is allowed to be empty, in which case it represents the deadlock $\delta$.

Definition 2.51 (Linear recursive specification). A recursive specification is linear if its recursive equations are of the form

$$(a_{11} \leftmerge \cdots \leftmerge a_{1i_1})X_1 + \cdots + (a_{k1} \leftmerge \cdots \leftmerge a_{ki_k})X_k + (b_{11} \leftmerge \cdots \leftmerge b_{1j_1}) + \cdots + (b_{1j_1} \leftmerge \cdots \leftmerge b_{lj_l})$$

where $a_{11}, \cdots, a_{1i_1}, a_{k1}, \cdots, a_{ki_k}, b_{11}, \cdots, b_{1j_1}, b_{1j_1}, \cdots, b_{lj_l} \in \mathbb{E}$, and the sum above is allowed to be empty, in which case it represents the deadlock $\delta$.

Theorem 2.52 (Conservativity of APTC with guarded recursion). APTC with guarded recursion is a conservative extension of APTC.

Theorem 2.53 (Congruence theorem of APTC with guarded recursion). Truly concurrent bisimulation equivalences ∼p, ∼s, ∼hp, ∼hhp are all congruences with respect to APTC with guarded recursion.


Theorem 2.54 (Elimination theorem of APTC with linear recursion). Each process term in APTC with linear recursion is equal to a process term ⟨X1∣E⟩ with E a linear recursive specification.

Theorem 2.55 (Soundness of APTC with guarded recursion). Let x and y be APTC with

guarded recursion terms. If APTC with guarded recursion ⊢ x = y, then

1. x ∼s y;

2. x ∼p y;

3. x ∼hp y;

4. x ∼hhp y.

Theorem 2.56 (Completeness of APTC with linear recursion). Let p and q be closed APTC

with linear recursion terms, then,

1. if p ∼s q then p = q;

2. if p ∼p q then p = q;

3. if p ∼hp q then p = q;

4. if p ∼hhp q then p = q.

2.8.3 Abstraction

Definition 2.57 (Guarded linear recursive specification). A recursive specification is linear if its recursive equations are of the form

$$(a_{11} \leftmerge \cdots \leftmerge a_{1i_1})X_1 + \cdots + (a_{k1} \leftmerge \cdots \leftmerge a_{ki_k})X_k + (b_{11} \leftmerge \cdots \leftmerge b_{1j_1}) + \cdots + (b_{1j_1} \leftmerge \cdots \leftmerge b_{lj_l})$$

where $a_{11}, \cdots, a_{1i_1}, a_{k1}, \cdots, a_{ki_k}, b_{11}, \cdots, b_{1j_1}, b_{1j_1}, \cdots, b_{lj_l} \in \mathbb{E} \cup \{\tau\}$, and the sum above is allowed to be empty, in which case it represents the deadlock $\delta$.

A linear recursive specification $E$ is guarded if there does not exist an infinite sequence of $\tau$-transitions $\langle X|E\rangle \xrightarrow{\tau} \langle X'|E\rangle \xrightarrow{\tau} \langle X''|E\rangle \xrightarrow{\tau} \cdots$.

The transition rules of $\tau$ are the same, and the axioms of $\tau$ are shown in Table 14.

Theorem 2.58 (Conservativity of APTC with silent step and guarded linear recursion). APTC with silent step and guarded linear recursion is a conservative extension of APTC with linear recursion.

Theorem 2.59 (Congruence theorem of APTC with silent step and guarded linear recursion). Rooted branching truly concurrent bisimulation equivalences ≈rbp, ≈rbs, ≈rbhp, and ≈rbhhp are all congruences with respect to APTC with silent step and guarded linear recursion.


No.    Axiom
B1     $e \cdot \tau = e$
B2     $e \cdot (\tau \cdot (x + y) + x) = e \cdot (x + y)$
B3     $x \leftmerge \tau = x$

Table 14: Axioms of silent step

Theorem 2.60 (Elimination theorem of APTC with silent step and guarded linear recursion).

Each process term in APTC with silent step and guarded linear recursion is equal to a process

term ⟨X1∣E⟩ with E a guarded linear recursive specification.

Theorem 2.61 (Soundness of APTC with silent step and guarded linear recursion). Let x and

y be APTC with silent step and guarded linear recursion terms. If APTC with silent step and

guarded linear recursion ⊢ x = y, then

1. x ≈rbs y;

2. x ≈rbp y;

3. x ≈rbhp y;

4. x ≈rbhhp y.

Theorem 2.62 (Completeness of APTC with silent step and guarded linear recursion). Let p

and q be closed APTC with silent step and guarded linear recursion terms, then,

1. if p ≈rbs q then p = q;

2. if p ≈rbp q then p = q;

3. if p ≈rbhp q then p = q;

4. if p ≈rbhhp q then p = q.

The transition rules of τI are the same, and the axioms are shown in Table 15.

Theorem 2.63 (Conservativity of APTCτ with guarded linear recursion). APTCτ with guarded linear recursion is a conservative extension of APTC with silent step and guarded linear recursion.

Theorem 2.64 (Congruence theorem of APTCτ with guarded linear recursion). Rooted branching truly concurrent bisimulation equivalences ≈rbp, ≈rbs, ≈rbhp and ≈rbhhp are all congruences with respect to APTCτ with guarded linear recursion.

Theorem 2.65 (Soundness of APTCτ with guarded linear recursion). Let x and y be APTCτ with guarded linear recursion terms. If APTCτ with guarded linear recursion ⊢ x = y, then

1. x ≈rbs y;


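No.    Axiom
TI1    $e \notin I \quad \tau_I(e) = e$
TI2    $e \in I \quad \tau_I(e) = \tau$
TI3    $\tau_I(\delta) = \delta$
TI4    $\tau_I(x + y) = \tau_I(x) + \tau_I(y)$
TI5    $\tau_I(x \cdot y) = \tau_I(x) \cdot \tau_I(y)$
TI6    $\tau_I(x \leftmerge y) = \tau_I(x) \leftmerge \tau_I(y)$

Table 15: Axioms of abstraction operator

No.    Axiom
CFAR   If $X$ is in a cluster for $I$ with exits
       $\{(a_{11} \leftmerge \cdots \leftmerge a_{1i})Y_1, \cdots, (a_{m1} \leftmerge \cdots \leftmerge a_{mi})Y_m, b_{11} \leftmerge \cdots \leftmerge b_{1j}, \cdots, b_{n1} \leftmerge \cdots \leftmerge b_{nj}\}$,
       then $\tau \cdot \tau_I(\langle X|E\rangle) = \tau \cdot \tau_I((a_{11} \leftmerge \cdots \leftmerge a_{1i})\langle Y_1|E\rangle + \cdots + (a_{m1} \leftmerge \cdots \leftmerge a_{mi})\langle Y_m|E\rangle + b_{11} \leftmerge \cdots \leftmerge b_{1j} + \cdots + b_{n1} \leftmerge \cdots \leftmerge b_{nj})$

Table 16: Cluster fair abstraction rule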

2. x ≈rbp y;

3. x ≈rbhp y;

4. x ≈rbhhp y.

Definition 2.66 (Cluster). Let $E$ be a guarded linear recursive specification, and $I \subseteq \mathbb{E}$. Two recursion variables $X$ and $Y$ in $E$ are in the same cluster for $I$ iff there exist sequences of transitions $\langle X|E\rangle \xrightarrow{\{b_{11}, \cdots, b_{1i}\}} \cdots \xrightarrow{\{b_{m1}, \cdots, b_{mi}\}} \langle Y|E\rangle$ and $\langle Y|E\rangle \xrightarrow{\{c_{11}, \cdots, c_{1j}\}} \cdots \xrightarrow{\{c_{n1}, \cdots, c_{nj}\}} \langle X|E\rangle$, where $b_{11}, \cdots, b_{mi}, c_{11}, \cdots, c_{nj} \in I \cup \{\tau\}$.

$a_1 \leftmerge \cdots \leftmerge a_k$ or $(a_1 \leftmerge \cdots \leftmerge a_k)X$ is an exit for the cluster $C$ iff: (1) $a_1 \leftmerge \cdots \leftmerge a_k$ or $(a_1 \leftmerge \cdots \leftmerge a_k)X$ is a summand at the right-hand side of the recursive equation for a recursion variable in $C$, and (2) in the case of $(a_1 \leftmerge \cdots \leftmerge a_k)X$, either $a_l \notin I \cup \{\tau\}$ $(l \in \{1, 2, \cdots, k\})$ or $X \notin C$.

Theorem 2.67 (Soundness of CFAR). CFAR is sound modulo rooted branching truly concurrent bisimulation equivalences ≈rbs, ≈rbp, ≈rbhp and ≈rbhhp.

Theorem 2.68 (Completeness of APTCτ with guarded linear recursion and CFAR). Let p and q be closed APTCτ with guarded linear recursion and CFAR terms, then,

1. if p ≈rbs q then p = q;

2. if p ≈rbp q then p = q;

3. if p ≈rbhp q then p = q;

4. if p ≈rbhhp q then p = q.


2.9 Applications

APTC provides a formal framework based on truly concurrent behavioral semantics, which can be used to verify the correctness of system behaviors. In this subsection, we choose the alternating bit protocol (ABP) [9].

The ABP protocol is used to ensure successful transmission of data through a corrupted channel. This success is based on the assumption that data can be resent an unlimited number of times. The protocol is illustrated in Figure 1; we alter it into the true concurrency situation.

1. Data elements $d_1, d_2, d_3, \cdots$ from a finite set $\Delta$ are communicated between a Sender and a Receiver.

2. If the Sender reads a datum from channel $A_1$, then this datum is sent to the Receiver in parallel through channel $A_2$.

3. The Sender processes the data in $\Delta$, forms new data, and sends them to the Receiver through channel $B$.

4. And the Receiver sends the datum into channel $C_2$.

5. If channel $B$ is corrupted, the message communicated through $B$ can be turned into an error message $\bot$.

6. Every time the Receiver receives a message via channel $B$, it sends an acknowledgement to the Sender via channel $D$, which is also corrupted.

7. Finally, the Sender and the Receiver send out their outputs in parallel through channels $C_1$ and $C_2$.

In the truly concurrent ABP, the Sender sends its data to the Receiver, and the Receiver can also send its data to the Sender. For simplicity and without loss of generality, we assume that only the Sender sends its data and the Receiver only receives the data from the Sender. The Sender attaches a bit 0 to data elements $d_{2k-1}$ and a bit 1 to data elements $d_{2k}$, when they are sent into channel $B$. When the Receiver reads a datum, it sends back the attached bit via channel $D$. If the Receiver receives a corrupted message, then it sends back the previous acknowledgement to the Sender.

Then the state transition of the Sender can be described by APTC as follows.

$$S_b = \sum_{d \in \Delta} r_{A_1}(d) \cdot T_{db}$$

$$T_{db} = \Big(\sum_{d' \in \Delta} (s_B(d', b) \cdot s_{C_1}(d')) + s_B(\bot)\Big) \cdot U_{db}$$

$$U_{db} = r_D(b) \cdot S_{1-b} + (r_D(1 - b) + r_D(\bot)) \cdot T_{db}$$

where $s_B$ denotes sending data through channel $B$, $r_D$ denotes receiving data through channel $D$, similarly, $r_{A_1}$ means receiving data via channel $A_1$, $s_{C_1}$ denotes sending data via channel $C_1$, and $b \in \{0, 1\}$.

[Figure 1: Alternating bit protocol. The diagram shows the Sender and the Receiver with channels A1, B, D, A2, C1 and C2.]

And the state transition of the Receiver can be described by APTC as follows.

$$R_b = \sum_{d \in \Delta} r_{A_2}(d) \cdot R_b'$$

$$R_b' = \sum_{d' \in \Delta} \{r_B(d', b) \cdot s_{C_2}(d') \cdot Q_b + r_B(d', 1 - b) \cdot Q_{1-b}\} + r_B(\bot) \cdot Q_{1-b}$$

$$Q_b = (s_D(b) + s_D(\bot)) \cdot R_{1-b}$$

where $r_{A_2}$ denotes receiving data via channel $A_2$, $r_B$ denotes receiving data via channel $B$, $s_{C_2}$ denotes sending data via channel $C_2$, $s_D$ denotes sending data via channel $D$, and $b \in \{0, 1\}$.

The send action and receive action of the same data through the same channel can communicate with each other; otherwise, a deadlock $\delta$ will be caused. We define the following communication functions.

$$\gamma(s_B(d', b), r_B(d', b)) \triangleq c_B(d', b)$$

$$\gamma(s_B(\bot), r_B(\bot)) \triangleq c_B(\bot)$$

$$\gamma(s_D(b), r_D(b)) \triangleq c_D(b)$$

$$\gamma(s_D(\bot), r_D(\bot)) \triangleq c_D(\bot)$$

Let $R_0$ and $S_0$ be in parallel, then the system $R_0 S_0$ can be represented by the following process term.


$$\tau_I(\partial_H(\Theta(R_0 \between S_0))) = \tau_I(\partial_H(R_0 \between S_0))$$

where $H = \{s_B(d', b), r_B(d', b), s_D(b), r_D(b) \mid d' \in \Delta, b \in \{0, 1\}\} \cup \{s_B(\bot), r_B(\bot), s_D(\bot), r_D(\bot)\}$ and $I = \{c_B(d', b), c_D(b) \mid d' \in \Delta, b \in \{0, 1\}\} \cup \{c_B(\bot), c_D(\bot)\}$.

Then we get the following conclusion.

Theorem 2.69 (Correctness of the ABP protocol). The ABP protocol $\tau_I(\partial_H(R_0 \between S_0))$ can exhibit desired external behaviors.

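Proof. By use of the algebraic laws of APTC, we have the following expansions.

$$R_0 \between S_0 \overset{\text{P1}}{=} R_0 \parallel S_0 + R_0 \mid S_0$$

$$\overset{\text{RDP}}{=} \Big(\sum_{d \in \Delta} r_{A_2}(d) \cdot R_0'\Big) \parallel \Big(\sum_{d \in \Delta} r_{A_1}(d) T_{d0}\Big) + \Big(\sum_{d \in \Delta} r_{A_2}(d) \cdot R_0'\Big) \mid \Big(\sum_{d \in \Delta} r_{A_1}(d) T_{d0}\Big)$$

$$\overset{\text{P6,C14}}{=} \sum_{d \in \Delta} (r_{A_2}(d) \parallel r_{A_1}(d)) R_0' \between T_{d0} + \delta \cdot R_0' \between T_{d0}$$

$$\overset{\text{A6,A7}}{=} \sum_{d \in \Delta} (r_{A_2}(d) \parallel r_{A_1}(d)) R_0' \between T_{d0}$$

$$\partial_H(R_0 \between S_0) = \partial_H\Big(\sum_{d \in \Delta} (r_{A_2}(d) \parallel r_{A_1}(d)) R_0' \between T_{d0}\Big) = \sum_{d \in \Delta} (r_{A_2}(d) \parallel r_{A_1}(d)) \partial_H(R_0' \between T_{d0})$$

Similarly, we can get the following equations.

$$\partial_H(R_0 \between S_0) = \sum_{d \in \Delta} (r_{A_2}(d) \parallel r_{A_1}(d)) \cdot \partial_H(T_{d0} \between R_0')$$

$$\partial_H(T_{d0} \between R_0') = c_B(d', 0) \cdot (s_{C_1}(d') \parallel s_{C_2}(d')) \cdot \partial_H(U_{d0} \between Q_0) + c_B(\bot) \cdot \partial_H(U_{d0} \between Q_1)$$

$$\partial_H(U_{d0} \between Q_1) = (c_D(1) + c_D(\bot)) \cdot \partial_H(T_{d0} \between R_0')$$

$$\partial_H(Q_0 \between U_{d0}) = c_D(0) \cdot \partial_H(R_1 \between S_1) + c_D(\bot) \cdot \partial_H(R_1' \between T_{d0})$$

$$\partial_H(R_1' \between T_{d0}) = (c_B(d', 0) + c_B(\bot)) \cdot \partial_H(Q_0 \between U_{d0})$$

$$\partial_H(R_1 \between S_1) = \sum_{d \in \Delta} (r_{A_2}(d) \parallel r_{A_1}(d)) \cdot \partial_H(T_{d1} \between R_1')$$

$$\partial_H(T_{d1} \between R_1') = c_B(d', 1) \cdot (s_{C_1}(d') \parallel s_{C_2}(d')) \cdot \partial_H(U_{d1} \between Q_1) + c_B(\bot) \cdot \partial_H(U_{d1} \between Q_0')$$

$$\partial_H(U_{d1} \between Q_0') = (c_D(0) + c_D(\bot)) \cdot \partial_H(T_{d1} \between R_1')$$

$$\partial_H(Q_1 \between U_{d1}) = c_D(1) \cdot \partial_H(R_0 \between S_0) + c_D(\bot) \cdot \partial_H(R_0' \between T_{d1})$$

$$\partial_H(R_0' \between T_{d1}) = (c_B(d', 1) + c_B(\bot)) \cdot \partial_H(Q_1 \between U_{d1})$$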


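Let $\partial_H(R_0 \between S_0) = \langle X_1|E\rangle$, where $E$ is the following guarded linear recursion specification:

$$\{X_1 = \sum_{d \in \Delta} (r_{A_2}(d) \parallel r_{A_1}(d)) \cdot X_{2d}, \quad Y_1 = \sum_{d \in \Delta} (r_{A_2}(d) \parallel r_{A_1}(d)) \cdot Y_{2d},$$

$$X_{2d} = c_B(d', 0) \cdot X_{4d} + c_B(\bot) \cdot X_{3d}, \quad Y_{2d} = c_B(d', 1) \cdot Y_{4d} + c_B(\bot) \cdot Y_{3d},$$

$$X_{3d} = (c_D(1) + c_D(\bot)) \cdot X_{2d}, \quad Y_{3d} = (c_D(0) + c_D(\bot)) \cdot Y_{2d},$$

$$X_{4d} = (s_{C_1}(d') \parallel s_{C_2}(d')) \cdot X_{5d}, \quad Y_{4d} = (s_{C_1}(d') \parallel s_{C_2}(d')) \cdot Y_{5d},$$

$$X_{5d} = c_D(0) \cdot Y_1 + c_D(\bot) \cdot X_{6d}, \quad Y_{5d} = c_D(1) \cdot X_1 + c_D(\bot) \cdot Y_{6d},$$

$$X_{6d} = (c_B(d, 0) + c_B(\bot)) \cdot X_{5d}, \quad Y_{6d} = (c_B(d, 1) + c_B(\bot)) \cdot Y_{5d}$$

$$\mid d, d' \in \Delta\}$$

Then we apply the abstraction operator $\tau_I$ to $\langle X_1|E\rangle$.

$$\tau_I(\langle X_1|E\rangle) = \sum_{d \in \Delta} (r_{A_1}(d) \parallel r_{A_2}(d)) \cdot \tau_I(\langle X_{2d}|E\rangle)$$

$$= \sum_{d \in \Delta} (r_{A_1}(d) \parallel r_{A_2}(d)) \cdot \tau_I(\langle X_{4d}|E\rangle)$$

$$= \sum_{d, d' \in \Delta} (r_{A_1}(d) \parallel r_{A_2}(d)) \cdot (s_{C_1}(d') \parallel s_{C_2}(d')) \cdot \tau_I(\langle X_{5d}|E\rangle)$$

$$= \sum_{d, d' \in \Delta} (r_{A_1}(d) \parallel r_{A_2}(d)) \cdot (s_{C_1}(d') \parallel s_{C_2}(d')) \cdot \tau_I(\langle Y_1|E\rangle)$$

Similarly, we can get $\tau_I(\langle Y_1|E\rangle) = \sum_{d, d' \in \Delta} (r_{A_1}(d) \parallel r_{A_2}(d)) \cdot (s_{C_1}(d') \parallel s_{C_2}(d')) \cdot \tau_I(\langle X_1|E\rangle)$.

We get $\tau_I(\partial_H(R_0 \between S_0)) = \sum_{d, d' \in \Delta} (r_{A_1}(d) \parallel r_{A_2}(d)) \cdot (s_{C_1}(d') \parallel s_{C_2}(d')) \cdot \tau_I(\partial_H(R_0 \between S_0))$. So, the ABP protocol $\tau_I(\partial_H(R_0 \between S_0))$ can exhibit desired external behaviors.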
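The cluster and exit conditions of Definition 2.66, computed for the specification E used in this proof, as an added example that is not code from the paper. It assumes a one-element data set Δ = {d} (so d′ = d), writes the error message as `err`, and the names `abp_spec`, `hidden_set`, `clusters`, `exits` and `first_visible` are this example's own.

```python
# Added illustration: clusters and exits (Definition 2.66) for the ABP
# specification E. Constructed input: Delta = {d}, so d' = d.
D, ERR = "d", "err"   # ERR stands in for the paper's error-message symbol


def abp_spec():
    """E as {variable: [(step, next_variable), ...]}.
    A step is a frozenset of actions that are executed concurrently."""
    E = {}
    for x, y, b in (("X", "Y", 0), ("Y", "X", 1)):
        read = frozenset({f"rA1({D})", f"rA2({D})"})
        out = frozenset({f"sC1({D})", f"sC2({D})"})
        cb_ok, cb_err = frozenset({f"cB({D},{b})"}), frozenset({f"cB({ERR})"})
        cd_ok, cd_old = frozenset({f"cD({b})"}), frozenset({f"cD({1 - b})"})
        cd_err = frozenset({f"cD({ERR})"})
        E[x + "1"] = [(read, x + "2")]
        E[x + "2"] = [(cb_ok, x + "4"), (cb_err, x + "3")]
        E[x + "3"] = [(cd_old, x + "2"), (cd_err, x + "2")]
        E[x + "4"] = [(out, x + "5")]
        E[x + "5"] = [(cd_ok, y + "1"), (cd_err, x + "6")]
        E[x + "6"] = [(cb_ok, x + "5"), (cb_err, x + "5")]
    return E


def hidden_set():
    """The abstraction set I of the ABP: all communications over B and D."""
    I = {f"cB({ERR})", f"cD({ERR})"}
    for b in (0, 1):
        I |= {f"cB({D},{b})", f"cD({b})"}
    return I


def internal(step, I):
    """True when every action of the step lies in I ∪ {tau}."""
    return all(a in I or a == "tau" for a in step)


def reach(E, I, start):
    """Variables reachable from start using internal steps only."""
    seen, todo = {start}, [start]
    while todo:
        for step, nxt in E[todo.pop()]:
            if nxt is not None and nxt not in seen and internal(step, I):
                seen.add(nxt)
                todo.append(nxt)
    return seen


def clusters(E, I):
    """Sets of variables that reach each other through internal steps.
    Singletons without an internal self-loop are left out."""
    r = {v: reach(E, I, v) for v in E}
    found = set()
    for v in E:
        c = frozenset(w for w in r[v] if v in r[w])
        loop = any(n == v and internal(s, I) for s, n in E[v])
        if len(c) > 1 or loop:
            found.add(c)
    return found


def exits(E, I, cluster):
    """Summands of cluster variables that satisfy conditions (1) and (2)."""
    return {(step, nxt) for v in cluster for step, nxt in E[v]
            if nxt is None or not internal(step, I) or nxt not in cluster}


def first_visible(E, I, var):
    """Visible steps var can perform after internal steps, with their targets."""
    return {(step, nxt) for w in reach(E, I, var) for step, nxt in E[w]
            if not internal(step, I)}


if __name__ == "__main__":
    E, I = abp_spec(), hidden_set()
    for c in sorted(clusters(E, I), key=sorted):
        print(sorted(c), "exits:", [(sorted(s), n) for s, n in exits(E, I, c)])
    for v in ("X1", "X2", "X5"):
        print(v, "->", [(sorted(s), n) for s, n in first_visible(E, I, v)])
```

Each retransmission loop forms a cluster with a single exit, which is the summand CFAR keeps, and `first_visible` shows the read step and the output step alternating once the communications over B and D are hidden.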

With the help of the shadow constant, we can now verify the traditional alternating bit protocol (ABP) [9].

The ABP protocol is used to ensure successful transmission of data through a corrupted channel. This success is based on the assumption that data can be resent an unlimited number of times. The protocol is illustrated in Figure 2; we alter it into the true concurrency situation.

1. Data elements $d_1, d_2, d_3, \cdots$ from a finite set $\Delta$ are communicated between a Sender and a Receiver.

2. If the Sender reads a datum from channel $A$.

3. The Sender processes the data in $\Delta$, forms new data, and sends them to the Receiver through channel $B$.

4. And the Receiver sends the datum into channel $C$.

5. If channel $B$ is corrupted, the message communicated through $B$ can be turned into an error message $\bot$.

[Figure 2: Alternating bit protocol. The diagram shows the Sender and the Receiver with channels A, B, D and C.]

6. Every time the Receiver receives a message via channel B, it sends an acknowledgement

to the Sender via channel D, which is also corrupted.

The Sender attaches a bit 0 to data elements d2k−1 and a bit 1 to data elements d2k, when

they are sent into channel B. When the Receiver reads a datum, it sends back the attached bit

via channel D. If the Receiver receives a corrupted message, then it sends back the previous

acknowledgement to the Sender.

Then the state transition of the Sender can be described by APTC as follows.

$$S_b = \sum_{d \in \Delta} r_A(d) \cdot T_{db}$$

$$T_{db} = \Big(\sum_{d' \in \Delta} (s_B(d', b) \cdot \circledS^{s_C(d')}) + s_B(\bot)\Big) \cdot U_{db}$$

$$U_{db} = r_D(b) \cdot S_{1-b} + (r_D(1 - b) + r_D(\bot)) \cdot T_{db}$$

where $s_B$ denotes sending data through channel $B$, $r_D$ denotes receiving data through channel $D$, similarly, $r_A$ means receiving data via channel $A$, $\circledS^{s_C(d')}$ denotes the shadow of $s_C(d')$.

And the state transition of the Receiver can be described by APTC as follows.

$$R_b = \sum_{d \in \Delta} \circledS^{r_A(d)} \cdot R_b'$$

$$R_b' = \sum_{d' \in \Delta} \{r_B(d', b) \cdot s_C(d') \cdot Q_b + r_B(d', 1 - b) \cdot Q_{1-b}\} + r_B(\bot) \cdot Q_{1-b}$$

$$Q_b = (s_D(b) + s_D(\bot)) \cdot R_{1-b}$$


where $\circledS^{r_A(d)}$ denotes the shadow of $r_A(d)$, $r_B$ denotes receiving data via channel $B$, $s_C$ denotes sending data via channel $C$, $s_D$ denotes sending data via channel $D$, and $b \in \{0, 1\}$.

The send action and receive action of the same data through the same channel can communicate with each other; otherwise, a deadlock $\delta$ will be caused. We define the following communication functions.

$$\gamma(s_B(d', b), r_B(d', b)) \triangleq c_B(d', b)$$

$$\gamma(s_B(\bot), r_B(\bot)) \triangleq c_B(\bot)$$

$$\gamma(s_D(b), r_D(b)) \triangleq c_D(b)$$

$$\gamma(s_D(\bot), r_D(\bot)) \triangleq c_D(\bot)$$

Let $R_0$ and $S_0$ be in parallel, then the system $R_0 S_0$ can be represented by the following process term.

$$\tau_I(\partial_H(\Theta(R_0 \between S_0))) = \tau_I(\partial_H(R_0 \between S_0))$$

where $H = \{s_B(d', b), r_B(d', b), s_D(b), r_D(b) \mid d' \in \Delta, b \in \{0, 1\}\} \cup \{s_B(\bot), r_B(\bot), s_D(\bot), r_D(\bot)\}$ and $I = \{c_B(d', b), c_D(b) \mid d' \in \Delta, b \in \{0, 1\}\} \cup \{c_B(\bot), c_D(\bot)\}$.

Then we get the following conclusion.

Theorem 2.70 (Correctness of the ABP protocol). The ABP protocol $\tau_I(\partial_H(R_0 \between S_0))$ can exhibit desired external behaviors.

Proof. Similarly, we can get $\tau_I(\langle X_1|E\rangle) = \sum_{d, d' \in \Delta} r_A(d) \cdot s_C(d') \cdot \tau_I(\langle Y_1|E\rangle)$ and $\tau_I(\langle Y_1|E\rangle) = \sum_{d, d' \in \Delta} r_A(d) \cdot s_C(d') \cdot \tau_I(\langle X_1|E\rangle)$.

So, the ABP protocol $\tau_I(\partial_H(R_0 \between S_0))$ can exhibit desired external behaviors.


3 Data Manipulation in APTC

This chapter is organized as follows. We introduce the operational semantics of guards in section 3.1, BATC with Guards in section 3.2, APTC with Guards in section 3.3, recursion in section 3.4, and abstraction in section 3.5.

3.1 Operational Semantics

In this section, we extend truly concurrent bisimilarities to the ones containing data states.

Definition 3.1 (Prime event structure with silent event and empty event). Let Λ be a fixed set

of labels, ranged over a, b, c,⋯ and τ, ε. A (Λ-labelled) prime event structure with silent event τ

and empty event ε is a tuple E = ⟨E,≤, ♯, λ⟩, where E is a denumerable set of events, including

the silent event τ and empty event ε. Let E = E/{τ, ε}, exactly excluding τ and ε, it is obvious

that τ∗ = ε. Let λ ∶ E → Λ be a labelling function and let λ(τ) = τ and λ(ε) = ε. And ≤, ♯ are

binary relations on E, called causality and conflict respectively, such that:

1. ≤ is a partial order and ⌈e⌉ = {e′ ∈ E∣e′ ≤ e} is finite for all e ∈ E. It is easy to see that

e ≤ τ∗ ≤ e′ = e ≤ τ ≤ ⋯ ≤ τ ≤ e′, then e ≤ e′.

2. ♯ is irreflexive, symmetric and hereditary with respect to ≤, that is, for all e, e′, e′′ ∈ E, if

e ♯ e′ ≤ e′′, then e ♯ e′′.

Then, the concepts of consistency and concurrency can be drawn from the above definition:

1. e, e′ ∈ E are consistent, denoted as e ⌢ e′, if ¬(e ♯ e′). A subset X ⊆ E is called consistent,

if e ⌢ e′ for all e, e′ ∈X.

2. e, e′ ∈ E are concurrent, denoted as e ∥ e′, if ¬(e ≤ e′), ¬(e′ ≤ e), and ¬(e ♯ e′).

Definition 3.2 (Configuration). Let E be a PES. A (finite) configuration in E is a (finite) consistent subset of events C ⊆ E, closed with respect to causality (i.e. ⌈C⌉ = C), and a data state s ∈ S with S the set of all data states, denoted ⟨C, s⟩. The set of finite configurations of E is denoted by ⟨C(E), S⟩. We let C = C/{τ} ∪ {ε}.

A consistent subset of X ⊆ E of events can be seen as a pomset. Given X,Y ⊆ E, X ∼ Y if X and

Y are isomorphic as pomsets. In the following of the paper, we say C1 ∼ C2, we mean C1 ∼ C2.

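Definition 3.3 (Pomset transitions and step). Let $\mathcal{E}$ be a PES and let $C \in \mathcal{C}(\mathcal{E})$, and $\emptyset \neq X \subseteq \mathbb{E}$, if $C \cap X = \emptyset$ and $C' = C \cup X \in \mathcal{C}(\mathcal{E})$, then $\langle C, s\rangle \xrightarrow{X} \langle C', s'\rangle$ is called a pomset transition from $\langle C, s\rangle$ to $\langle C', s'\rangle$. When the events in $X$ are pairwise concurrent, we say that $\langle C, s\rangle \xrightarrow{X} \langle C', s'\rangle$ is a step. It is obvious that $\rightarrow^* \xrightarrow{X} \rightarrow^* = \xrightarrow{X}$ and $\rightarrow^* \xrightarrow{e} \rightarrow^* = \xrightarrow{e}$ for any $e \in \mathbb{E}$ and $X \subseteq \mathbb{E}$.

Definition 3.4 (Weak pomset transitions and weak step). Let $\mathcal{E}$ be a PES and let $C \in \mathcal{C}(\mathcal{E})$, and $\emptyset \neq X \subseteq \mathbb{E}$, if $C \cap X = \emptyset$ and $C' = C \cup X \in \mathcal{C}(\mathcal{E})$, then $\langle C, s\rangle \xRightarrow{X} \langle C', s'\rangle$ is called a weak pomset transition from $\langle C, s\rangle$ to $\langle C', s'\rangle$, where we define $\xRightarrow{e} \triangleq \xrightarrow{\tau} \xrightarrow{e} \xrightarrow{\tau^*}$. And $\xRightarrow{X} \triangleq \xrightarrow{\tau} \xrightarrow{e} \xrightarrow{\tau^*}$, for every $e \in X$. When the events in $X$ are pairwise concurrent, we say that $\langle C, s\rangle \xRightarrow{X} \langle C', s'\rangle$ is a weak step.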


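We will also suppose that all the PESs in this paper are image finite, that is, for any PES $\mathcal{E}$ and $C \in \mathcal{C}(\mathcal{E})$ and $a \in \Lambda$, $\{e \in \mathbb{E} \mid \langle C, s\rangle \xrightarrow{e} \langle C', s'\rangle \wedge \lambda(e) = a\}$ and $\{e \in \mathbb{E} \mid \langle C, s\rangle \xRightarrow{e} \langle C', s'\rangle \wedge \lambda(e) = a\}$ is finite.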

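Definition 3.5 (Pomset, step bisimulation). Let $\mathcal{E}_1$, $\mathcal{E}_2$ be PESs. A pomset bisimulation is a relation $R \subseteq \langle\mathcal{C}(\mathcal{E}_1), S\rangle \times \langle\mathcal{C}(\mathcal{E}_2), S\rangle$, such that if $(\langle C_1, s\rangle, \langle C_2, s\rangle) \in R$, and $\langle C_1, s\rangle \xrightarrow{X_1} \langle C_1', s'\rangle$ then $\langle C_2, s\rangle \xrightarrow{X_2} \langle C_2', s'\rangle$, with $X_1 \subseteq \mathbb{E}_1$, $X_2 \subseteq \mathbb{E}_2$, $X_1 \sim X_2$ and $(\langle C_1', s'\rangle, \langle C_2', s'\rangle) \in R$ for all $s, s' \in S$, and vice-versa. We say that $\mathcal{E}_1$, $\mathcal{E}_2$ are pomset bisimilar, written $\mathcal{E}_1 \sim_p \mathcal{E}_2$, if there exists a pomset bisimulation $R$, such that $(\langle\emptyset, \emptyset\rangle, \langle\emptyset, \emptyset\rangle) \in R$. By replacing pomset transitions with steps, we can get the definition of step bisimulation. When PESs $\mathcal{E}_1$ and $\mathcal{E}_2$ are step bisimilar, we write $\mathcal{E}_1 \sim_s \mathcal{E}_2$.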

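Definition 3.6 (Weak pomset, step bisimulation). Let $\mathcal{E}_1$, $\mathcal{E}_2$ be PESs. A weak pomset bisimulation is a relation $R \subseteq \langle\mathcal{C}(\mathcal{E}_1), S\rangle \times \langle\mathcal{C}(\mathcal{E}_2), S\rangle$, such that if $(\langle C_1, s\rangle, \langle C_2, s\rangle) \in R$, and $\langle C_1, s\rangle \xRightarrow{X_1} \langle C_1', s'\rangle$ then $\langle C_2, s\rangle \xRightarrow{X_2} \langle C_2', s'\rangle$, with $X_1 \subseteq \mathbb{E}_1$, $X_2 \subseteq \mathbb{E}_2$, $X_1 \sim X_2$ and $(\langle C_1', s'\rangle, \langle C_2', s'\rangle) \in R$ for all $s, s' \in S$, and vice-versa. We say that $\mathcal{E}_1$, $\mathcal{E}_2$ are weak pomset bisimilar, written $\mathcal{E}_1 \approx_p \mathcal{E}_2$, if there exists a weak pomset bisimulation $R$, such that $(\langle\emptyset, \emptyset\rangle, \langle\emptyset, \emptyset\rangle) \in R$. By replacing weak pomset transitions with weak steps, we can get the definition of weak step bisimulation. When PESs $\mathcal{E}_1$ and $\mathcal{E}_2$ are weak step bisimilar, we write $\mathcal{E}_1 \approx_s \mathcal{E}_2$.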

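Definition 3.7 (Posetal product). Given two PESs $E_1$, $E_2$, the posetal product of their configurations, denoted $\langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$, is defined as

$$\{(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \mid C_1 \in C(E_1), C_2 \in C(E_2), f: C_1 \rightarrow C_2 \text{ isomorphism}\}.$$

A subset $R \subseteq \langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$ is called a posetal relation. We say that $R$ is downward closed when for any $(\langle C_1, s\rangle, f, \langle C_2, s\rangle), (\langle C_1', s'\rangle, f', \langle C_2', s'\rangle) \in \langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$, if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \subseteq (\langle C_1', s'\rangle, f', \langle C_2', s'\rangle)$ pointwise and $(\langle C_1', s'\rangle, f', \langle C_2', s'\rangle) \in R$, then $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$.

For $f: X_1 \rightarrow X_2$, we define $f[x_1 \mapsto x_2]: X_1 \cup \{x_1\} \rightarrow X_2 \cup \{x_2\}$, $z \in X_1 \cup \{x_1\}$, (1) $f[x_1 \mapsto x_2](z) = x_2$, if $z = x_1$; (2) $f[x_1 \mapsto x_2](z) = f(z)$, otherwise. Where $X_1 \subseteq E_1$, $X_2 \subseteq E_2$, $x_1 \in E_1$, $x_2 \in E_2$.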

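Definition 3.8 (Weakly posetal product). Given two PESs $E_1$, $E_2$, the weakly posetal product of their configurations, denoted $\langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$, is defined as

$$\{(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \mid C_1 \in C(E_1), C_2 \in C(E_2), f: C_1 \rightarrow C_2 \text{ isomorphism}\}.$$

A subset $R \subseteq \langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$ is called a weakly posetal relation. We say that $R$ is downward closed when for any $(\langle C_1, s\rangle, f, \langle C_2, s\rangle), (\langle C_1', s'\rangle, f', \langle C_2', s'\rangle) \in \langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$, if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \subseteq (\langle C_1', s'\rangle, f', \langle C_2', s'\rangle)$ pointwise and $(\langle C_1', s'\rangle, f', \langle C_2', s'\rangle) \in R$, then $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$.

For $f: X_1 \rightarrow X_2$, we define $f[x_1 \mapsto x_2]: X_1 \cup \{x_1\} \rightarrow X_2 \cup \{x_2\}$, $z \in X_1 \cup \{x_1\}$, (1) $f[x_1 \mapsto x_2](z) = x_2$, if $z = x_1$; (2) $f[x_1 \mapsto x_2](z) = f(z)$, otherwise. Where $X_1 \subseteq E_1$, $X_2 \subseteq E_2$, $x_1 \in E_1$, $x_2 \in E_2$.

Also, we define $f(\tau^{*}) = f(\tau^{*})$.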

Definition 3.9 ((Hereditary) history-preserving bisimulation). A history-preserving (hp-) bisimulation is a posetal relation $R \subseteq \langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$ such that if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$, and $\langle C_1, s\rangle \xrightarrow{e_1} \langle C_1', s'\rangle$, then $\langle C_2, s\rangle \xrightarrow{e_2} \langle C_2', s'\rangle$, with $(\langle C_1', s'\rangle, f[e_1 \mapsto e_2], \langle C_2', s'\rangle) \in R$ for all $s, s' \in S$, and vice-versa. $E_1, E_2$ are history-preserving (hp-)bisimilar and are written $E_1 \sim_{hp} E_2$ if there exists a hp-bisimulation $R$ such that $(\langle\emptyset,\emptyset\rangle, \emptyset, \langle\emptyset,\emptyset\rangle) \in R$.

A hereditary history-preserving (hhp-)bisimulation is a downward closed hp-bisimulation. $E_1, E_2$ are hereditary history-preserving (hhp-)bisimilar and are written $E_1 \sim_{hhp} E_2$.

Definition 3.10 (Weak (hereditary) history-preserving bisimulation). A weak history-preserving (hp-) bisimulation is a weakly posetal relation $R \subseteq \langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$ such that if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$, and $\langle C_1, s\rangle \xRightarrow{e_1} \langle C_1', s'\rangle$, then $\langle C_2, s\rangle \xRightarrow{e_2} \langle C_2', s'\rangle$, with $(\langle C_1', s'\rangle, f[e_1 \mapsto e_2], \langle C_2', s'\rangle) \in R$ for all $s, s' \in S$, and vice-versa. $E_1, E_2$ are weak history-preserving (hp-)bisimilar and are written $E_1 \approx_{hp} E_2$ if there exists a weak hp-bisimulation $R$ such that $(\langle\emptyset,\emptyset\rangle, \emptyset, \langle\emptyset,\emptyset\rangle) \in R$.

A weakly hereditary history-preserving (hhp-)bisimulation is a downward closed weak hp-bisimulation. $E_1, E_2$ are weakly hereditary history-preserving (hhp-)bisimilar and are written $E_1 \approx_{hhp} E_2$.

3.2 BATC with Guards

In this subsection, we discuss guards for BATC; the resulting algebra is denoted BATCG. Let E be the set of atomic events (actions). We assume that there is a data set ∆ with data D1,⋯,Dn ∈ ∆; the data variables d1,⋯, dn range over ∆, and di has the same data type as Di and can have a substitution Di/di. For a process x, x[Di/di] denotes that all occurrences of di in x are replaced by Di. An atomic action e may also manipulate data, and then has the form e(d1,⋯, dn) or e(D1,⋯,Dn). Let Gat be the set of atomic guards, δ be the deadlock constant, and ε be the empty event. We extend Gat to the set of basic guards G with elements φ,ψ,⋯, which is generated by the following formation rules:

φ ∶∶= δ∣ε∣¬φ∣ψ ∈ Gat∣φ + ψ∣φ ⋅ ψ

In the following, let $e_1, e_2, e_1', e_2' \in E$, $\phi, \psi \in G$ and let variables $x, y, z$ range over the set of terms for true concurrency, $p, q, s$ range over the set of closed terms. The predicate $test(\phi, s)$ represents that $\phi$ holds in the state $s$, and $test(\varepsilon, s)$ holds and $test(\delta, s)$ does not hold. $effect(e, s) \in S$ denotes $s'$ in $s \xrightarrow{e} s'$. The predicate weakest precondition $wp(e, \phi)$ denotes that $\forall s \in S$, $test(\phi, effect(e, s))$ holds.

The set of axioms of BATCG consists of the laws given in Table 17.

Note that, by eliminating atomic event from the process terms, the axioms in Table 17 will lead

to a Boolean Algebra. And G9 is a precondition of e and φ, G10 is the weakest precondition of

e and φ. A data environment with effect function is sufficiently deterministic, and it is obvious

that if the weakest precondition is expressible and G9, G10 are sound, then the related data

environment is sufficiently deterministic.

Definition 3.11 (Basic terms of BATCG). The set of basic terms of BATCG, B(BATCG), is inductively defined as follows:

1. E ⊂ B(BATCG);

2. G ⊂ B(BATCG);

3. if e ∈ E, t ∈ B(BATCG) then e ⋅ t ∈ B(BATCG);

4. if φ ∈ G, t ∈ B(BATCG) then φ ⋅ t ∈ B(BATCG);

5. if t, s ∈ B(BATCG) then t + s ∈ B(BATCG).

No.   Axiom
A1    x + y = y + x
A2    (x + y) + z = x + (y + z)
A3    x + x = x
A4    (x + y) ⋅ z = x ⋅ z + y ⋅ z
A5    (x ⋅ y) ⋅ z = x ⋅ (y ⋅ z)
A6    x + δ = x
A7    δ ⋅ x = δ
A8    ε ⋅ x = x
A9    x ⋅ ε = x
G1    φ ⋅ ¬φ = δ
G2    φ + ¬φ = ε
G3    φδ = δ
G4    φ(x + y) = φx + φy
G5    φ(x ⋅ y) = φx ⋅ y
G6    (φ + ψ)x = φx + ψx
G7    (φ ⋅ ψ) ⋅ x = φ ⋅ (ψ ⋅ x)
G8    φ = ε if ∀s ∈ S.test(φ, s)
G9    φ0 ⋅ ⋯ ⋅ φn = δ if ∀s ∈ S,∃i ≤ n.test(¬φi, s)
G10   wp(e, φ)eφ = wp(e, φ)e
G11   ¬wp(e, φ)e¬φ = ¬wp(e, φ)e

Table 17: Axioms of BATCG

Theorem 3.12 (Elimination theorem of BATCG). Let p be a closed BATCG term. Then there

is a basic BATCG term q such that BATCG ⊢ p = q.

We will define a term-deduction system which gives the operational semantics of BATCG. We give the operational transition rules for ε, atomic guard φ ∈ Gat, atomic event e ∈ E, and operators ⋅ and + as Table 18 shows. The predicate $\xrightarrow{e} \surd$ represents successful termination after execution of the event e.

Note that if we replace the single atomic event e ∈ E by X ⊆ E, we obtain the pomset transition rules of BATCG, which we omit.

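Theorem 3.13 (Congruence of BATCG with respect to truly concurrent bisimulation equivalences). (1) Pomset bisimulation equivalence ∼p is a congruence with respect to BATCG.

(2) Step bisimulation equivalence ∼s is a congruence with respect to BATCG.

(3) Hp-bisimulation equivalence ∼hp is a congruence with respect to BATCG.

(4) Hhp-bisimulation equivalence ∼hhp is a congruence with respect to BATCG.

$$\langle \varepsilon, s\rangle \rightarrow \langle \surd, s\rangle$$

$$\langle e, s\rangle \xrightarrow{e} \langle \surd, s'\rangle \quad \text{if } s' \in effect(e, s)$$

$$\langle \phi, s\rangle \rightarrow \langle \surd, s\rangle \quad \text{if } test(\phi, s)$$

$$\frac{\langle x, s\rangle \xrightarrow{e} \langle \surd, s'\rangle}{\langle x + y, s\rangle \xrightarrow{e} \langle \surd, s'\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e} \langle x', s'\rangle}{\langle x + y, s\rangle \xrightarrow{e} \langle x', s'\rangle}$$

$$\frac{\langle y, s\rangle \xrightarrow{e} \langle \surd, s'\rangle}{\langle x + y, s\rangle \xrightarrow{e} \langle \surd, s'\rangle} \qquad \frac{\langle y, s\rangle \xrightarrow{e} \langle y', s'\rangle}{\langle x + y, s\rangle \xrightarrow{e} \langle y', s'\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e} \langle \surd, s'\rangle}{\langle x \cdot y, s\rangle \xrightarrow{e} \langle y, s'\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e} \langle x', s'\rangle}{\langle x \cdot y, s\rangle \xrightarrow{e} \langle x' \cdot y, s'\rangle}$$

Table 18: Single event transition rules of BATCG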

Theorem 3.14 (Soundness of BATCG modulo truly concurrent bisimulation equivalences). (1)

Let x and y be BATCG terms. If BATC ⊢ x = y, then x ∼p y.

(2) Let x and y be BATCG terms. If BATC ⊢ x = y, then x ∼s y.

(3) Let x and y be BATCG terms. If BATC ⊢ x = y, then x ∼hp y.

(4) Let x and y be BATCG terms. If BATC ⊢ x = y, then x ∼hhp y.

Theorem 3.15 (Completeness of BATCG modulo truly concurrent bisimulation equivalences).

(1) Let p and q be closed BATCG terms, if p ∼p q then p = q.

(2) Let p and q be closed BATCG terms, if p ∼s q then p = q.

(3) Let p and q be closed BATCG terms, if p ∼hp q then p = q.

(4) Let p and q be closed BATCG terms, if p ∼hhp q then p = q.

Theorem 3.16 (Sufficient determinacy). All related data environments with respect to BATCG can be sufficiently deterministic.
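The following is an added example, not code from the paper: a small interpreter for the single event rules of Table 18 that checks axioms G1, G2, G10 and G11 of Table 17 over a constructed data environment. All names (`Env`, `steps`, `equiv`, the `inc` event and `pos` guard) are assumptions; `effect` is modelled as a function, and unlabelled guard and ε steps are absorbed into the next event, following the identity →∗ e→ →∗ = e→ stated in Definition 3.3.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Eps:      # empty event ε; also stands for the terminated state √
    pass

@dataclass(frozen=True)
class Delta:    # deadlock δ
    pass

@dataclass(frozen=True)
class Ev:       # atomic event e
    name: str

@dataclass(frozen=True)
class G:        # atomic guard from Gat
    name: str

@dataclass(frozen=True)
class Not:      # ¬φ
    g: object

@dataclass(frozen=True)
class Alt:      # x + y
    l: object
    r: object

@dataclass(frozen=True)
class Seq:      # x ⋅ y
    l: object
    r: object

class Env:
    """Data environment: effect(e, s) and test(φ, s) as Python functions."""
    def __init__(self, effects, tests):
        self.effects, self.tests = dict(effects), dict(tests)

    def wp(self, e, phi):
        """Register the guard wp(e, φ), true in s iff test(φ, effect(e, s))."""
        name = f"wp({e},{phi})"
        self.tests[name] = lambda s: self.tests[phi](self.effects[e](s))
        return G(name)

def terminates(t, s, env):
    """Unlabelled termination ⟨t, s⟩ → ⟨√, s⟩ (rules for ε and guards)."""
    if isinstance(t, Eps):
        return True
    if isinstance(t, G):
        return env.tests[t.name](s)
    if isinstance(t, Not):
        return not terminates(t.g, s, env)
    if isinstance(t, Alt):
        return terminates(t.l, s, env) or terminates(t.r, s, env)
    if isinstance(t, Seq):
        return terminates(t.l, s, env) and terminates(t.r, s, env)
    return False  # δ and atomic events never terminate silently

def steps(t, s, env):
    """All single event transitions (e, residual term, s') of ⟨t, s⟩."""
    if isinstance(t, Ev):
        return {(t.name, Eps(), env.effects[t.name](s))}
    if isinstance(t, Alt):
        return steps(t.l, s, env) | steps(t.r, s, env)
    if isinstance(t, Seq):
        out = set()
        for e, l2, s2 in steps(t.l, s, env):
            out.add((e, t.r if isinstance(l2, Eps) else Seq(l2, t.r), s2))
        if terminates(t.l, s, env):  # a passing guard or ε prefix is absorbed
            out |= steps(t.r, s, env)
        return out
    return set()  # ε, δ and guards perform no event

def equiv(p, q, s, env):
    """Bisimilarity of the finite terms p and q, both started in state s."""
    if terminates(p, s, env) != terminates(q, s, env):
        return False
    ps, qs = steps(p, s, env), steps(q, s, env)
    def matched(xs, ys):
        return all(any(e == f and s1 == s2 and equiv(x, y, s1, env)
                       for f, y, s2 in ys) for e, x, s1 in xs)
    return matched(ps, qs) and matched(qs, ps)

# Constructed sample environment: the state is a single integer counter.
STATES = range(-3, 4)
ENV = Env(effects={"inc": lambda s: s + 1}, tests={"pos": lambda s: s > 0})
INC, POS = Ev("inc"), G("pos")
WP = ENV.wp("inc", "pos")  # holds exactly when s + 1 > 0

def same(p, q):
    """True when p and q are equivalent from every sample state."""
    return all(equiv(p, q, s, ENV) for s in STATES)

if __name__ == "__main__":
    print("G1 ", same(Seq(POS, Not(POS)), Delta()))
    print("G2 ", same(Alt(POS, Not(POS)), Eps()))
    print("G10", same(Seq(WP, Seq(INC, POS)), Seq(WP, INC)))
    print("G11", same(Seq(Not(WP), Seq(INC, Not(POS))), Seq(Not(WP), INC)))
    print("e⋅φ = e without the wp guard:", same(Seq(INC, POS), INC))
```

Without the `wp` prefix the last comparison fails: from state -1 the event leads to state 0, where the guard `pos` blocks termination.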

3.3 APTC with Guards

In this subsection, we will extend APTC with guards, which is abbreviated APTCG. The set of basic guards G, with elements φ,ψ,⋯, is extended by the following formation rules:

φ ∶∶= δ∣ε∣¬φ∣ψ ∈ Gat∣φ + ψ∣φ ⋅ ψ∣φ ∥ ψ

The set of axioms of APTCG includes the axioms of BATCG in Table 17 and the axioms shown in Table 19 and Table 20.


No.   Axiom
P1    x ≬ y = x ∥ y + x ∣ y
P2    e1 ∥ (e2 ⋅ y) = (e1 ∥ e2) ⋅ y
P3    (e1 ⋅ x) ∥ e2 = (e1 ∥ e2) ⋅ x
P4    (e1 ⋅ x) ∥ (e2 ⋅ y) = (e1 ∥ e2) ⋅ (x ≬ y)
P5    (x + y) ∥ z = (x ∥ z) + (y ∥ z)
P6    x ∥ (y + z) = (x ∥ y) + (x ∥ z)
P7    δ ∥ x = δ
P8    x ∥ δ = δ
P9    ε ∥ x = x
P10   x ∥ ε = x
C1    e1 ∣ e2 = γ(e1, e2)
C2    e1 ∣ (e2 ⋅ y) = γ(e1, e2) ⋅ y
C3    (e1 ⋅ x) ∣ e2 = γ(e1, e2) ⋅ x
C4    (e1 ⋅ x) ∣ (e2 ⋅ y) = γ(e1, e2) ⋅ (x ≬ y)
C5    (x + y) ∣ z = (x ∣ z) + (y ∣ z)
C6    x ∣ (y + z) = (x ∣ y) + (x ∣ z)
C7    δ ∣ x = δ
C8    x ∣ δ = δ
C9    ε ∣ x = δ
C10   x ∣ ε = δ
CE1   Θ(e) = e
CE2   Θ(δ) = δ
CE3   Θ(ε) = ε
CE4   Θ(x + y) = Θ(x) ◁ y + Θ(y) ◁ x
CE5   Θ(x ⋅ y) = Θ(x) ⋅ Θ(y)
CE6   Θ(x ∥ y) = ((Θ(x) ◁ y) ∥ y) + ((Θ(y) ◁ x) ∥ x)
CE7   Θ(x ∣ y) = ((Θ(x) ◁ y) ∣ y) + ((Θ(y) ◁ x) ∣ x)
U1    (♯(e1, e2)) e1 ◁ e2 = τ
U2    (♯(e1, e2), e2 ≤ e3) e1 ◁ e3 = e1
U3    (♯(e1, e2), e2 ≤ e3) e3 ◁ e1 = τ
U4    e ◁ δ = e
U5    δ ◁ e = δ
U6    e ◁ ε = e
U7    ε ◁ e = e
U8    (x + y) ◁ z = (x ◁ z) + (y ◁ z)
U9    (x ⋅ y) ◁ z = (x ◁ z) ⋅ (y ◁ z)
U10   (x ∥ y) ◁ z = (x ◁ z) ∥ (y ◁ z)
U11   (x ∣ y) ◁ z = (x ◁ z) ∣ (y ◁ z)
U12   x ◁ (y + z) = (x ◁ y) ◁ z
U13   x ◁ (y ⋅ z) = (x ◁ y) ◁ z
U14   x ◁ (y ∥ z) = (x ◁ y) ◁ z
U15   x ◁ (y ∣ z) = (x ◁ y) ◁ z

Table 19: Axioms of APTCG

No.   Axiom
D1    e ∉ H  ∂H(e) = e
D2    e ∈ H  ∂H(e) = δ
D3    ∂H(δ) = δ
D4    ∂H(x + y) = ∂H(x) + ∂H(y)
D5    ∂H(x ⋅ y) = ∂H(x) ⋅ ∂H(y)
D6    ∂H(x ∥ y) = ∂H(x) ∥ ∂H(y)
G12   φ(x ∥ y) = φx ∥ φy
G13   φ(x ∣ y) = φx ∣ φy
G14   φ ∥ δ = δ
G15   δ ∥ φ = δ
G16   φ ∣ δ = δ
G17   δ ∣ φ = δ
G18   φ ∥ ε = φ
G19   ε ∥ φ = φ
G20   φ ∣ ε = δ
G21   ε ∣ φ = δ
G22   φ ∥ ¬φ = δ
G23   Θ(φ) = φ
G24   ∂H(φ) = φ
G25   φ0 ∥ ⋯ ∥ φn = δ if ∀s0,⋯, sn ∈ S,∃i ≤ n.test(¬φi, s0 ∪⋯ ∪ sn)

Table 20: Axioms of APTCG (continuing)

Definition 3.17 (Basic terms of APTCG). The set of basic terms of APTCG, B(APTCG), is

inductively defined as follows:

1. E ⊂ B(APTCG);

2. G ⊂ B(APTCG);

3. if e ∈ E, t ∈ B(APTCG) then e ⋅ t ∈ B(APTCG);

4. if φ ∈ G, t ∈ B(APTCG) then φ ⋅ t ∈ B(APTCG);

5. if t, s ∈ B(APTCG) then t + s ∈ B(APTCG).

6. if t, s ∈ B(APTCG) then t ∥ s ∈ B(APTCG).

Based on the definition of basic terms for APTCG (see Definition 3.17) and axioms of APTCG,

we can prove the elimination theorem of APTCG.

Theorem 3.18 (Elimination theorem of APTCG). Let p be a closed APTCG term. Then there

is a basic APTCG term q such that APTCG ⊢ p = q.


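$$\langle e_1 \parallel \cdots \parallel e_n, s\rangle \xrightarrow{\{e_1,\cdots,e_n\}} \langle \surd, s'\rangle \quad \text{if } s' \in effect(e_1, s) \cup \cdots \cup effect(e_n, s)$$

$$\langle \phi_1 \parallel \cdots \parallel \phi_n, s\rangle \rightarrow \langle \surd, s\rangle \quad \text{if } test(\phi_1, s), \cdots, test(\phi_n, s)$$

$$\frac{\langle x, s\rangle \xrightarrow{e_1} \langle \surd, s'\rangle \quad \langle y, s\rangle \xrightarrow{e_2} \langle \surd, s''\rangle}{\langle x \parallel y, s\rangle \xrightarrow{\{e_1,e_2\}} \langle \surd, s' \cup s''\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e_1} \langle x', s'\rangle \quad \langle y, s\rangle \xrightarrow{e_2} \langle \surd, s''\rangle}{\langle x \parallel y, s\rangle \xrightarrow{\{e_1,e_2\}} \langle x', s' \cup s''\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e_1} \langle \surd, s'\rangle \quad \langle y, s\rangle \xrightarrow{e_2} \langle y', s''\rangle}{\langle x \parallel y, s\rangle \xrightarrow{\{e_1,e_2\}} \langle y', s' \cup s''\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e_1} \langle x', s'\rangle \quad \langle y, s\rangle \xrightarrow{e_2} \langle y', s''\rangle}{\langle x \parallel y, s\rangle \xrightarrow{\{e_1,e_2\}} \langle x' \between y', s' \cup s''\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e_1} \langle \surd, s'\rangle \quad \langle y, s\rangle \stackrel{e_2}{\nrightarrow} \quad (e_1 \% e_2)}{\langle x \parallel y, s\rangle \xrightarrow{e_1} \langle y, s'\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e_1} \langle x', s'\rangle \quad \langle y, s\rangle \stackrel{e_2}{\nrightarrow} \quad (e_1 \% e_2)}{\langle x \parallel y, s\rangle \xrightarrow{e_1} \langle x' \between y, s'\rangle}$$

$$\frac{\langle x, s\rangle \stackrel{e_1}{\nrightarrow} \quad \langle y, s\rangle \xrightarrow{e_2} \langle \surd, s''\rangle \quad (e_1 \% e_2)}{\langle x \parallel y, s\rangle \xrightarrow{e_2} \langle x, s''\rangle} \qquad \frac{\langle x, s\rangle \stackrel{e_1}{\nrightarrow} \quad \langle y, s\rangle \xrightarrow{e_2} \langle y', s''\rangle \quad (e_1 \% e_2)}{\langle x \parallel y, s\rangle \xrightarrow{e_2} \langle x \between y', s''\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e_1} \langle \surd, s'\rangle \quad \langle y, s\rangle \xrightarrow{e_2} \langle \surd, s''\rangle}{\langle x \mid y, s\rangle \xrightarrow{\gamma(e_1,e_2)} \langle \surd, effect(\gamma(e_1, e_2), s)\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e_1} \langle x', s'\rangle \quad \langle y, s\rangle \xrightarrow{e_2} \langle \surd, s''\rangle}{\langle x \mid y, s\rangle \xrightarrow{\gamma(e_1,e_2)} \langle x', effect(\gamma(e_1, e_2), s)\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e_1} \langle \surd, s'\rangle \quad \langle y, s\rangle \xrightarrow{e_2} \langle y', s''\rangle}{\langle x \mid y, s\rangle \xrightarrow{\gamma(e_1,e_2)} \langle y', effect(\gamma(e_1, e_2), s)\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e_1} \langle x', s'\rangle \quad \langle y, s\rangle \xrightarrow{e_2} \langle y', s''\rangle}{\langle x \mid y, s\rangle \xrightarrow{\gamma(e_1,e_2)} \langle x' \between y', effect(\gamma(e_1, e_2), s)\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e_1} \langle \surd, s'\rangle \quad (\sharp(e_1, e_2))}{\langle \Theta(x), s\rangle \xrightarrow{e_1} \langle \surd, s'\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e_2} \langle \surd, s''\rangle \quad (\sharp(e_1, e_2))}{\langle \Theta(x), s\rangle \xrightarrow{e_2} \langle \surd, s''\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e_1} \langle x', s'\rangle \quad (\sharp(e_1, e_2))}{\langle \Theta(x), s\rangle \xrightarrow{e_1} \langle \Theta(x'), s'\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e_2} \langle x'', s''\rangle \quad (\sharp(e_1, e_2))}{\langle \Theta(x), s\rangle \xrightarrow{e_2} \langle \Theta(x''), s''\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e_1} \langle \surd, s'\rangle \quad \langle y, s\rangle \nrightarrow^{e_2} \quad (\sharp(e_1, e_2))}{\langle x \triangleleft y, s\rangle \xrightarrow{\tau} \langle \surd, s'\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e_1} \langle x', s'\rangle \quad \langle y, s\rangle \nrightarrow^{e_2} \quad (\sharp(e_1, e_2))}{\langle x \triangleleft y, s\rangle \xrightarrow{\tau} \langle x', s'\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e_1} \langle \surd, s\rangle \quad \langle y, s\rangle \nrightarrow^{e_3} \quad (\sharp(e_1, e_2), e_2 \leq e_3)}{\langle x \triangleleft y, s\rangle \xrightarrow{e_1} \langle \surd, s'\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e_1} \langle x', s'\rangle \quad \langle y, s\rangle \nrightarrow^{e_3} \quad (\sharp(e_1, e_2), e_2 \leq e_3)}{\langle x \triangleleft y, s\rangle \xrightarrow{e_1} \langle x', s'\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e_3} \langle \surd, s'\rangle \quad \langle y, s\rangle \nrightarrow^{e_2} \quad (\sharp(e_1, e_2), e_1 \leq e_3)}{\langle x \triangleleft y, s\rangle \xrightarrow{\tau} \langle \surd, s'\rangle} \qquad \frac{\langle x, s\rangle \xrightarrow{e_3} \langle x', s'\rangle \quad \langle y, s\rangle \nrightarrow^{e_2} \quad (\sharp(e_1, e_2), e_1 \leq e_3)}{\langle x \triangleleft y, s\rangle \xrightarrow{\tau} \langle x', s'\rangle}$$

$$\frac{\langle x, s\rangle \xrightarrow{e} \langle \surd, s'\rangle}{\langle \partial_H(x), s\rangle \xrightarrow{e} \langle \surd, s'\rangle} \quad (e \notin H) \qquad \frac{\langle x, s\rangle \xrightarrow{e} \langle x', s'\rangle}{\langle \partial_H(x), s\rangle \xrightarrow{e} \langle \partial_H(x'), s'\rangle} \quad (e \notin H)$$

Table 21: Transition rules of APTCG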


We will define a term-deduction system which gives the operational semantics of APTCG. Two atomic events e1 and e2 that are in race condition are denoted e1%e2.

Theorem 3.19 (Generalization of APTCG with respect to BATCG). APTCG is a generaliza-

tion of BATCG.

Theorem 3.20 (Congruence of APTCG with respect to truly concurrent bisimulation equiva-

lences). (1) Pomset bisimulation equivalence ∼p is a congruence with respect to APTCG.

(2) Step bisimulation equivalence ∼s is a congruence with respect to APTCG.

(3) Hp-bisimulation equivalence ∼hp is a congruence with respect to APTCG.

(4) Hhp-bisimulation equivalence ∼hhp is a congruence with respect to APTCG.

Theorem 3.21 (Soundness of APTCG modulo truly concurrent bisimulation equivalences). (1)

Let x and y be APTCG terms. If APTC ⊢ x = y, then x ∼p y.

(2) Let x and y be APTCG terms. If APTC ⊢ x = y, then x ∼s y.

(3) Let x and y be APTCG terms. If APTC ⊢ x = y, then x ∼hp y.

Theorem 3.22 (Completeness of APTCG modulo truly concurrent bisimulation equivalences).

(1) Let p and q be closed APTCG terms, if p ∼p q then p = q.

(2) Let p and q be closed APTCG terms, if p ∼s q then p = q.

(3) Let p and q be closed APTCG terms, if p ∼hp q then p = q.

Theorem 3.23 (Sufficient determinacy). All related data environments with respect to APTCG can be sufficiently deterministic.

3.4 Recursion

In this subsection, we introduce recursion to capture infinite processes based on APTCG. In

the following, E,F,G are recursion specifications, X,Y,Z are recursive variables.

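Definition 3.24 (Guarded recursive specification). A recursive specification

$$X_1 = t_1(X_1,\cdots,X_n)$$

$$\cdots$$

$$X_n = t_n(X_1,\cdots,X_n)$$

is guarded if the right-hand sides of its recursive equations can be adapted to the form by applications of the axioms in APTC and replacing recursion variables by the right-hand sides of their recursive equations,

$$(a_{11} \parallel \cdots \parallel a_{1i_1}) \cdot s_1(X_1,\cdots,X_n) + \cdots + (a_{k1} \parallel \cdots \parallel a_{ki_k}) \cdot s_k(X_1,\cdots,X_n) + (b_{11} \parallel \cdots \parallel b_{1j_1}) + \cdots + (b_{1j_1} \parallel \cdots \parallel b_{lj_l})$$

where $a_{11},\cdots,a_{1i_1}, a_{k1},\cdots,a_{ki_k}, b_{11},\cdots,b_{1j_1}, b_{1j_1},\cdots,b_{lj_l} \in E$, and the sum above is allowed to be empty, in which case it represents the deadlock $\delta$. And there does not exist an infinite sequence of $\varepsilon$-transitions $\langle X|E\rangle \rightarrow \langle X'|E\rangle \rightarrow \langle X''|E\rangle \rightarrow \cdots$.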


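$$\frac{\langle t_i(\langle X_1|E\rangle,\cdots,\langle X_n|E\rangle), s\rangle \xrightarrow{\{e_1,\cdots,e_k\}} \langle \surd, s'\rangle}{\langle\langle X_i|E\rangle, s\rangle \xrightarrow{\{e_1,\cdots,e_k\}} \langle \surd, s'\rangle}$$

$$\frac{\langle t_i(\langle X_1|E\rangle,\cdots,\langle X_n|E\rangle), s\rangle \xrightarrow{\{e_1,\cdots,e_k\}} \langle y, s'\rangle}{\langle\langle X_i|E\rangle, s\rangle \xrightarrow{\{e_1,\cdots,e_k\}} \langle y, s'\rangle}$$

Table 22: Transition rules of guarded recursion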

Theorem 3.25 (Conservativity of APTCG with guarded recursion). APTCG with guarded recursion is a conservative extension of APTCG.

Theorem 3.26 (Congruence theorem of APTCG with guarded recursion). Truly concurrent

bisimulation equivalences ∼p, ∼s and ∼hp are all congruences with respect to APTCG with guarded

recursion.

Theorem 3.27 (Elimination theorem of APTCG with linear recursion). Each process term

in APTCG with linear recursion is equal to a process term ⟨X1∣E⟩ with E a linear recursive

specification.

Theorem 3.28 (Soundness of APTCG with guarded recursion). Let x and y be APTCG with

guarded recursion terms. If APTCG with guarded recursion ⊢ x = y, then

(1) x ∼s y.

(2) x ∼p y.

(3) x ∼hp y.

Theorem 3.29 (Completeness of APTCG with linear recursion). Let p and q be closed APTCG with linear recursion terms, then,

(1) if p ∼s q then p = q.

(2) if p ∼p q then p = q.

(3) if p ∼hp q then p = q.

3.5 Abstraction

To abstract away from the internal implementations of a program, and verify that the program exhibits the desired external behaviors, the silent step τ and abstraction operator τI are introduced, where I ⊆ E∪Gat denotes the internal events or guards. The silent step τ represents the internal events or guards; when we consider the external behaviors of a process, τ steps can be removed, that is, τ steps must keep silent. The transition rule of τ is shown in Table 23. In the following, let the atomic event e range over E∪{ε}∪{δ}∪{τ}, and φ range over G∪{τ}, and let the communication function γ ∶ E ∪ {τ} × E ∪ {τ} → E ∪ {δ}, with each communication involving τ resulting in δ. We use τ(s) to denote effect(τ, s), since τ only changes the state of the internal data environment, that is, for the external data environments, s = τ(s).


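$$\langle \tau, s\rangle \rightarrow \langle \surd, s\rangle \quad \text{if } test(\tau, s)$$

$$\langle \tau, s\rangle \xrightarrow{\tau} \langle \surd, \tau(s)\rangle$$

Table 23: Transition rule of the silent step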

In section 3.1, we introduced τ into event structures and gave the concept of weakly true concurrency. In this subsection, we give the concepts of rooted branching truly concurrent bisimulation equivalences; based on these concepts, we can design the axiom system of the silent step τ and the abstraction operator τI.

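Definition 3.30 (Branching pomset, step bisimulation). Assume a special termination predicate $\downarrow$, and let $\surd$ represent a state with $\surd\downarrow$. Let $E_1$, $E_2$ be PESs. A branching pomset bisimulation is a relation $R \subseteq \langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$, such that:

1. if $(\langle C_1, s\rangle, \langle C_2, s\rangle) \in R$, and $\langle C_1, s\rangle \xrightarrow{X} \langle C_1', s'\rangle$ then

• either $X \equiv \tau^{*}$, and $(\langle C_1', s'\rangle, \langle C_2, s\rangle) \in R$ with $s' \in \tau(s)$;

• or there is a sequence of (zero or more) $\tau$-transitions $\langle C_2, s\rangle \xrightarrow{\tau^{*}} \langle C_2^0, s^0\rangle$, such that $(\langle C_1, s\rangle, \langle C_2^0, s^0\rangle) \in R$ and $\langle C_2^0, s^0\rangle \xRightarrow{X} \langle C_2', s'\rangle$ with $(\langle C_1', s'\rangle, \langle C_2', s'\rangle) \in R$;

2. if $(\langle C_1, s\rangle, \langle C_2, s\rangle) \in R$, and $\langle C_2, s\rangle \xrightarrow{X} \langle C_2', s'\rangle$ then

• either $X \equiv \tau^{*}$, and $(\langle C_1, s\rangle, \langle C_2', s'\rangle) \in R$;

• or there is a sequence of (zero or more) $\tau$-transitions $\langle C_1, s\rangle \xrightarrow{\tau^{*}} \langle C_1^0, s^0\rangle$, such that $(\langle C_1^0, s^0\rangle, \langle C_2, s\rangle) \in R$ and $\langle C_1^0, s^0\rangle \xRightarrow{X} \langle C_1', s'\rangle$ with $(\langle C_1', s'\rangle, \langle C_2', s'\rangle) \in R$;

3. if $(\langle C_1, s\rangle, \langle C_2, s\rangle) \in R$ and $\langle C_1, s\rangle\downarrow$, then there is a sequence of (zero or more) $\tau$-transitions $\langle C_2, s\rangle \xrightarrow{\tau^{*}} \langle C_2^0, s^0\rangle$ such that $(\langle C_1, s\rangle, \langle C_2^0, s^0\rangle) \in R$ and $\langle C_2^0, s^0\rangle\downarrow$;

4. if $(\langle C_1, s\rangle, \langle C_2, s\rangle) \in R$ and $\langle C_2, s\rangle\downarrow$, then there is a sequence of (zero or more) $\tau$-transitions $\langle C_1, s\rangle \xrightarrow{\tau^{*}} \langle C_1^0, s^0\rangle$ such that $(\langle C_1^0, s^0\rangle, \langle C_2, s\rangle) \in R$ and $\langle C_1^0, s^0\rangle\downarrow$.

We say that $E_1$, $E_2$ are branching pomset bisimilar, written $E_1 \approx_{bp} E_2$, if there exists a branching pomset bisimulation $R$, such that $(\langle\emptyset,\emptyset\rangle, \langle\emptyset,\emptyset\rangle) \in R$.

By replacing pomset transitions with steps, we can get the definition of branching step bisimulation. When PESs $E_1$ and $E_2$ are branching step bisimilar, we write $E_1 \approx_{bs} E_2$.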

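Definition 3.31 (Rooted branching pomset, step bisimulation). Assume a special termination predicate $\downarrow$, and let $\surd$ represent a state with $\surd\downarrow$. Let $E_1$, $E_2$ be PESs. A rooted branching pomset bisimulation is a relation $R \subseteq \langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$, such that:

1. if $(\langle C_1, s\rangle, \langle C_2, s\rangle) \in R$, and $\langle C_1, s\rangle \xrightarrow{X} \langle C_1', s'\rangle$ then $\langle C_2, s\rangle \xrightarrow{X} \langle C_2', s'\rangle$ with $\langle C_1', s'\rangle \approx_{bp} \langle C_2', s'\rangle$;

2. if $(\langle C_1, s\rangle, \langle C_2, s\rangle) \in R$, and $\langle C_2, s\rangle \xrightarrow{X} \langle C_2', s'\rangle$ then $\langle C_1, s\rangle \xrightarrow{X} \langle C_1', s'\rangle$ with $\langle C_1', s'\rangle \approx_{bp} \langle C_2', s'\rangle$;

3. if $(\langle C_1, s\rangle, \langle C_2, s\rangle) \in R$ and $\langle C_1, s\rangle\downarrow$, then $\langle C_2, s\rangle\downarrow$;

4. if $(\langle C_1, s\rangle, \langle C_2, s\rangle) \in R$ and $\langle C_2, s\rangle\downarrow$, then $\langle C_1, s\rangle\downarrow$.

We say that $E_1$, $E_2$ are rooted branching pomset bisimilar, written $E_1 \approx_{rbp} E_2$, if there exists a rooted branching pomset bisimulation $R$, such that $(\langle\emptyset,\emptyset\rangle, \langle\emptyset,\emptyset\rangle) \in R$.

By replacing pomset transitions with steps, we can get the definition of rooted branching step bisimulation. When PESs $E_1$ and $E_2$ are rooted branching step bisimilar, we write $E_1 \approx_{rbs} E_2$.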

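Definition 3.32 (Branching (hereditary) history-preserving bisimulation). Assume a special termination predicate $\downarrow$, and let $\surd$ represent a state with $\surd\downarrow$. A branching history-preserving (hp-) bisimulation is a weakly posetal relation $R \subseteq \langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$ such that:

1. if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$, and $\langle C_1, s\rangle \xrightarrow{e_1} \langle C_1', s'\rangle$ then

• either $e_1 \equiv \tau$, and $(\langle C_1', s'\rangle, f[e_1 \mapsto \tau], \langle C_2, s\rangle) \in R$;

• or there is a sequence of (zero or more) $\tau$-transitions $\langle C_2, s\rangle \xrightarrow{\tau^{*}} \langle C_2^0, s^0\rangle$, such that $(\langle C_1, s\rangle, f, \langle C_2^0, s^0\rangle) \in R$ and $\langle C_2^0, s^0\rangle \xrightarrow{e_2} \langle C_2', s'\rangle$ with $(\langle C_1', s'\rangle, f[e_1 \mapsto e_2], \langle C_2', s'\rangle) \in R$;

2. if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$, and $\langle C_2, s\rangle \xrightarrow{e_2} \langle C_2', s'\rangle$ then

• either $e_2 \equiv \tau$, and $(\langle C_1, s\rangle, f[e_2 \mapsto \tau], \langle C_2', s'\rangle) \in R$;

• or there is a sequence of (zero or more) $\tau$-transitions $\langle C_1, s\rangle \xrightarrow{\tau^{*}} \langle C_1^0, s^0\rangle$, such that $(\langle C_1^0, s^0\rangle, f, \langle C_2, s\rangle) \in R$ and $\langle C_1^0, s^0\rangle \xrightarrow{e_1} \langle C_1', s'\rangle$ with $(\langle C_1', s'\rangle, f[e_2 \mapsto e_1], \langle C_2', s'\rangle) \in R$;

3. if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$ and $\langle C_1, s\rangle\downarrow$, then there is a sequence of (zero or more) $\tau$-transitions $\langle C_2, s\rangle \xrightarrow{\tau^{*}} \langle C_2^0, s^0\rangle$ such that $(\langle C_1, s\rangle, f, \langle C_2^0, s^0\rangle) \in R$ and $\langle C_2^0, s^0\rangle\downarrow$;

4. if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$ and $\langle C_2, s\rangle\downarrow$, then there is a sequence of (zero or more) $\tau$-transitions $\langle C_1, s\rangle \xrightarrow{\tau^{*}} \langle C_1^0, s^0\rangle$ such that $(\langle C_1^0, s^0\rangle, f, \langle C_2, s\rangle) \in R$ and $\langle C_1^0, s^0\rangle\downarrow$.

$E_1, E_2$ are branching history-preserving (hp-)bisimilar and are written $E_1 \approx_{bhp} E_2$ if there exists a branching hp-bisimulation $R$ such that $(\langle\emptyset,\emptyset\rangle, \emptyset, \langle\emptyset,\emptyset\rangle) \in R$.

A branching hereditary history-preserving (hhp-)bisimulation is a downward closed branching hp-bisimulation. $E_1, E_2$ are branching hereditary history-preserving (hhp-)bisimilar and are written $E_1 \approx_{bhhp} E_2$.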

Definition 3.33 (Rooted branching (hereditary) history-preserving bisimulation). Assume a special termination predicate $\downarrow$, and let $\surd$ represent a state with $\surd\downarrow$. A rooted branching history-preserving (hp-) bisimulation is a weakly posetal relation $R \subseteq \langle C(E_1), S\rangle \times \langle C(E_2), S\rangle$ such that:

1. if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$, and $\langle C_1, s\rangle \xrightarrow{e_1} \langle C_1', s'\rangle$, then $\langle C_2, s\rangle \xrightarrow{e_2} \langle C_2', s'\rangle$ with $\langle C_1', s'\rangle \approx_{bhp} \langle C_2', s'\rangle$;

2. if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$, and $\langle C_2, s\rangle \xrightarrow{e_2} \langle C_2', s'\rangle$, then $\langle C_1, s\rangle \xrightarrow{e_1} \langle C_1', s'\rangle$ with $\langle C_1', s'\rangle \approx_{bhp} \langle C_2', s'\rangle$;

3. if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$ and $\langle C_1, s\rangle\downarrow$, then $\langle C_2, s\rangle\downarrow$;

4. if $(\langle C_1, s\rangle, f, \langle C_2, s\rangle) \in R$ and $\langle C_2, s\rangle\downarrow$, then $\langle C_1, s\rangle\downarrow$.

$E_1, E_2$ are rooted branching history-preserving (hp-)bisimilar and are written $E_1 \approx_{rbhp} E_2$ if there exists a rooted branching hp-bisimulation $R$ such that $(\langle\emptyset,\emptyset\rangle, \emptyset, \langle\emptyset,\emptyset\rangle) \in R$.

A rooted branching hereditary history-preserving (hhp-)bisimulation is a downward closed rooted branching hp-bisimulation. $E_1, E_2$ are rooted branching hereditary history-preserving (hhp-)bisimilar and are written $E_1 \approx_{rbhhp} E_2$.

No.   Axiom
B1    e ⋅ τ = e
B2    e ⋅ (τ ⋅ (x + y) + x) = e ⋅ (x + y)
B3    x ∥ τ = x
G26   φ ⋅ τ = φ
G27   φ ⋅ (τ ⋅ (x + y) + x) = φ ⋅ (x + y)

Table 24: Axioms of silent step

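Definition 3.34 (Guarded linear recursive specification). A linear recursive specification $E$ is guarded if there does not exist an infinite sequence of $\tau$-transitions $\langle X|E\rangle \xrightarrow{\tau} \langle X'|E\rangle \xrightarrow{\tau} \langle X''|E\rangle \xrightarrow{\tau} \cdots$, and there does not exist an infinite sequence of $\varepsilon$-transitions $\langle X|E\rangle \rightarrow \langle X'|E\rangle \rightarrow \langle X''|E\rangle \rightarrow \cdots$.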

Theorem 3.35 (Conservativity of APTCG with silent step and guarded linear recursion). APTCG with silent step and guarded linear recursion is a conservative extension of APTCG with linear recursion.

Theorem 3.36 (Congruence theorem of APTCG with silent step and guarded linear recur-

sion). Rooted branching truly concurrent bisimulation equivalences ≈rbp, ≈rbs and ≈rbhp are all

congruences with respect to APTCG with silent step and guarded linear recursion.

We design the axioms for the silent step τ in Table 24.

Theorem 3.37 (Elimination theorem of APTCG with silent step and guarded linear recursion).

Each process term in APTCG with silent step and guarded linear recursion is equal to a process

term ⟨X1∣E⟩ with E a guarded linear recursive specification.

Theorem 3.38 (Soundness of APTCG with silent step and guarded linear recursion). Let x

and y be APTCG with silent step and guarded linear recursion terms. If APTCG with silent

step and guarded linear recursion ⊢ x = y, then

(1) x ≈rbs y.

(2) x ≈rbp y.

(3) x ≈rbhp y.


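$$\frac{\langle x, s\rangle \xrightarrow{e} \langle \surd, s'\rangle}{\langle \tau_I(x), s\rangle \xrightarrow{e} \langle \surd, s'\rangle} \quad e \notin I \qquad \frac{\langle x, s\rangle \xrightarrow{e} \langle x', s'\rangle}{\langle \tau_I(x), s\rangle \xrightarrow{e} \langle \tau_I(x'), s'\rangle} \quad e \notin I$$

$$\frac{\langle x, s\rangle \xrightarrow{e} \langle \surd, s'\rangle}{\langle \tau_I(x), s\rangle \xrightarrow{\tau} \langle \surd, \tau(s)\rangle} \quad e \in I \qquad \frac{\langle x, s\rangle \xrightarrow{e} \langle x', s'\rangle}{\langle \tau_I(x), s\rangle \xrightarrow{\tau} \langle \tau_I(x'), \tau(s)\rangle} \quad e \in I$$

Table 25: Transition rule of the abstraction operator

No.   Axiom
TI1   e ∉ I  τI(e) = e
TI2   e ∈ I  τI(e) = τ
TI3   τI(δ) = δ
TI4   τI(x + y) = τI(x) + τI(y)
TI5   τI(x ⋅ y) = τI(x) ⋅ τI(y)
TI6   τI(x ∥ y) = τI(x) ∥ τI(y)
G28   φ ∉ I  τI(φ) = φ
G29   φ ∈ I  τI(φ) = τ

Table 26: Axioms of abstraction operator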

Theorem 3.39 (Completeness of APTCG with silent step and guarded linear recursion). Let

p and q be closed APTCG with silent step and guarded linear recursion terms, then,

(1) if p ≈rbs q then p = q.

(2) if p ≈rbp q then p = q.

(3) if p ≈rbhp q then p = q.

The unary abstraction operator τI (I ⊆ E ∪Gat) renames all atomic events or atomic guards in

I into τ . APTCG with silent step and abstraction operator is called APTCGτ . The transition

rules of operator τI are shown in Table 25.

Theorem 3.40 (Conservativity of APTCGτ with guarded linear recursion). APTCGτ with guarded linear recursion is a conservative extension of APTCG with silent step and guarded linear recursion.

Theorem 3.41 (Congruence theorem of APTCGτ with guarded linear recursion). Rooted branch-

ing truly concurrent bisimulation equivalences ≈rbp, ≈rbs and ≈rbhp are all congruences with re-

spect to APTCGτ with guarded linear recursion.

We design the axioms for the abstraction operator τI in Table 26.

Theorem 3.42 (Soundness of APTCGτ with guarded linear recursion). Let x and y be APTCGτ with guarded linear recursion terms. If APTCGτ with guarded linear recursion ⊢ x = y, then

(1) x ≈rbs y.

(2) x ≈rbp y.

(3) x ≈rbhp y.

Though τ -loops are prohibited in guarded linear recursive specifications (see Definition 3.34) in

a specifiable way, they can be constructed using the abstraction operator, for example, there

exist τ -loops in the process term τ{a}(⟨X ∣X = aX⟩). To avoid τ -loops caused by τI and ensure

fairness, the concept of cluster and CFAR (Cluster Fair Abstraction Rule) [4] are still needed.

Theorem 3.43 (Completeness of APTCGτ with guarded linear recursion and CFAR). Let p

and q be closed APTCGτ with guarded linear recursion and CFAR terms, then,

(1) if p ≈rbs q then p = q.

(2) if p ≈rbp q then p = q.

(3) if p ≈rbhp q then p = q.


4 Secure APTC

Cryptography mainly includes two aspects: the cryptographic operations and security protocols.

The former includes symmetric and asymmetric encryption/decryption, hash, digital signatures,

message authentication codes, random sequence generation, and XOR, etc. The latter includes

the computational logic driven by the security application logics among the cryptographic op-

erations.

In this chapter, we model the above two cryptographic properties by APTC (APTCG). In section 4.1, we model symmetric encryption/decryption by APTC. We model asymmetric encryption/decryption, hash, digital signatures, message authentication codes, random sequence generation, blind signatures, and XOR in sections 4.2, 4.3, 4.4, 4.5, 4.6, 4.7 and 4.8. In section 4.9, we extend the communication merge to support data substitution. Finally, in section 4.10, we show how to analyze security protocols by use of APTC (APTCG).

4.1 Symmetric Encryption

In symmetric encryption and decryption, only one key $k$ is used. The inputs of symmetric encryption are the key $k$ and the plaintext $D$, and the output is the ciphertext, so we treat symmetric encryption as an atomic action denoted $enc_k(D)$. We also use $ENC_k(D)$ to denote the ciphertext output. The inputs of symmetric decryption are the same key $k$ and the ciphertext $ENC_k(D)$, and the output is the plaintext $D$; we also treat symmetric decryption as an atomic action $dec_k(ENC_k(D))$, and we use $DEC_k(ENC_k(D))$ to denote the output of the corresponding decryption.

When $D$ is plaintext, it is obvious that $DEC_k(ENC_k(D)) = D$ and $enc_k(D) \leq dec_k(ENC_k(D))$, where $\leq$ is the causal relation; and when $D$ is the ciphertext, $ENC_k(DEC_k(D)) = D$ and $dec_k(D) \leq enc_k(DEC_k(D))$ hold.

4.2 Asymmetric Encryption

In asymmetric encryption and decryption, two keys are used: the public key $pk_s$ and the private key $sk_s$, generated from the same seed $s$. The inputs of asymmetric encryption are the key $pk_s$ or $sk_s$ and the plaintext $D$, and the output is the ciphertext, so we treat asymmetric encryption as an atomic action denoted $enc_{pk_s}(D)$ or $enc_{sk_s}(D)$. We also use $ENC_{pk_s}(D)$ and $ENC_{sk_s}(D)$ to denote the ciphertext outputs. The inputs of asymmetric decryption are the corresponding key $sk_s$ or $pk_s$ and the ciphertext $ENC_{pk_s}(D)$ or $ENC_{sk_s}(D)$, and the output is the plaintext $D$; we also treat asymmetric decryption as an atomic action $dec_{sk_s}(ENC_{pk_s}(D))$ and $dec_{pk_s}(ENC_{sk_s}(D))$, and we use $DEC_{sk_s}(ENC_{pk_s}(D))$ and $DEC_{pk_s}(ENC_{sk_s}(D))$ to denote the corresponding decryption outputs.

When $D$ is plaintext, it is obvious that $DEC_{sk_s}(ENC_{pk_s}(D)) = D$ and $DEC_{pk_s}(ENC_{sk_s}(D)) = D$, and $enc_{pk_s}(D) \leq dec_{sk_s}(ENC_{pk_s}(D))$ and $enc_{sk_s}(D) \leq dec_{pk_s}(ENC_{sk_s}(D))$, where $\leq$ is the causal relation; and when $D$ is the ciphertext, $ENC_{sk_s}(DEC_{pk_s}(D)) = D$ and $ENC_{pk_s}(DEC_{sk_s}(D)) = D$, and $dec_{pk_s}(D) \leq enc_{sk_s}(DEC_{pk_s}(D))$ and $dec_{sk_s}(D) \leq enc_{pk_s}(DEC_{sk_s}(D))$.


4.3 Hash

The hash function is used to generate the digest of the data. The input of the hash function

hash is the data D and the output is the digest of the data. We treat the hash function as an

atomic action denoted hash(D), and we also use HASH(D) to denote the output digest.

For D1 =D2, it is obvious that HASH(D1) =HASH(D2).

4.4 Digital Signatures

Digital signature uses the private key $sk_s$ to encrypt some data and the public key $pk_s$ to decrypt the encrypted data, to implement the so-called non-repudiation. The inputs of the sign function are some data $D$ and the private key $sk_s$, and the output is the signature. We treat the signing function as an atomic action $sign_{sk_s}(D)$, and also use $SIGN_{sk_s}(D)$ to denote the signature. The inputs of the de-sign function are the public key $pk_s$ and the signature $SIGN_{sk_s}(D)$, and the output is the original data $D$. We also treat the de-sign function as an atomic action $\textit{de-sign}_{pk_s}(SIGN_{sk_s}(D))$, and we use $\textit{DE-SIGN}_{pk_s}(SIGN_{sk_s}(D))$ to denote the output of the de-sign action.

It is obvious that $\textit{DE-SIGN}_{pk_s}(SIGN_{sk_s}(D)) = D$.

4.5 Message Authentication Codes

MAC (Message Authentication Code) is used to authenticate data by symmetric keys $k$, and it is often assumed that $k$ is privately shared only between two principals A and B. The inputs of the MAC function are the key $k$ and some data $D$, and the output is the MACs. We treat the MAC function as an atomic action $mac_k(D)$, and use $MAC_k(D)$ to denote the output MACs.

The MACs $MAC_k(D)$ are generated by one principal A and sent together with $D$ to the other principal B. The other principal B regenerates the MACs $MAC_k(D)'$; if $MAC_k(D) = MAC_k(D)'$, then the data $D$ are from A.

4.6 Random Sequence Generation

Random sequence generation is used to generate a random sequence, which may be a symmetric key $k$, a pair of public key $pk_s$ and $sk_s$, or a nonce $nonce$ (usually used to resist replay attacks). We treat the random sequence generation function as an atomic action $rsg_k$ for symmetric key generation, $rsg_{pk_s,sk_s}$ for asymmetric key pair generation, and $rsg_N$ for nonce generation, and the corresponding outputs are $k$, $pk_s$ and $sk_s$, $N$ respectively.

4.7 Blind Signatures

Blind signatures use only one key k. The inputs of the blind function are the key k and the plaintext D, and the output is the ciphertext, so we treat the blind function as an atomic action denoted blindk(D). We also use BLINDk(D) to denote the ciphertext output. The inputs of the unblind function are the same key k and the ciphertext BLINDk(D), and the output is the plaintext D; we also treat the unblind function as an atomic action unblindk(BLINDk(D)).


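No.  Axiom

C1   $e_1(D_1,\cdots,D_n) \mid e_2(d_1,\cdots,d_n) = \gamma(e_1(D_1,\cdots,D_n), e_2(d_1,\cdots,d_n))$

C2   $e_1(D_1,\cdots,D_n) \mid (e_2(d_1,\cdots,d_n)\cdot y) = \gamma(e_1(D_1,\cdots,D_n), e_2(d_1,\cdots,d_n))\cdot y[D_1/d_1,\cdots,D_n/d_n]$

C3   $(e_1(D_1,\cdots,D_n)\cdot x) \mid e_2(d_1,\cdots,d_n) = \gamma(e_1(D_1,\cdots,D_n), e_2(d_1,\cdots,d_n))\cdot x$

C4   $(e_1(D_1,\cdots,D_n)\cdot x) \mid (e_2(d_1,\cdots,d_n)\cdot y) = \gamma(e_1(D_1,\cdots,D_n), e_2(d_1,\cdots,d_n))\cdot (x \between y[D_1/d_1,\cdots,D_n/d_n])$

Table 27: Axioms of the Extended Communication Merge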

And we also use UNBLINDk(BLINDk(D)) to denote the output of the corresponding unblind

function.

For D is plaintext, it is obvious that UNBLINDk(BLINDk(D)) =D and

blindk(D) ≤ unblindk(BLINDk(D)), where ≤ is the causal relation; and for D is the ciphertext.

And also UNBLINDk(SIGNsk(BLINDk(D))) = SIGNsk(D).
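The identity UNBLINDk(SIGNsk(BLINDk(D))) = SIGNsk(D) can be checked concretely. The following is an added example, not part of the original paper: it uses textbook RSA blinding as a stand-in for the abstract blind/unblind actions, with the blinding factor r in the role of k. The RSA construction, the toy key and all function names are assumptions of this example.

```python
"""Added example: textbook RSA blind signature with a constructed toy key."""
from math import gcd

# Constructed toy signer key (assumption; far too small for real use, no padding).
P, Q = 61, 53
N = P * Q            # modulus, 3233
E = 17               # public exponent (plays the role of pk)
D_PRIV = 2753        # private exponent (plays the role of sk): 17 * 2753 = 1 mod 3120


def sign(m: int) -> int:
    """SIGN_sk(m): the signer raises the message to the private exponent."""
    return pow(m, D_PRIV, N)


def verify(m: int, s: int) -> bool:
    """Anyone holding the public exponent can check a signature."""
    return pow(s, E, N) == m % N


def blind(m: int, r: int) -> int:
    """BLIND_r(m): hide m from the signer by multiplying with r^E."""
    if gcd(r, N) != 1:
        raise ValueError("blinding factor must be invertible modulo N")
    return (m * pow(r, E, N)) % N


def unblind(s_blinded: int, r: int) -> int:
    """UNBLIND_r applied to a signature: divide out the blinding factor r."""
    return (s_blinded * pow(r, -1, N)) % N


def blind_signature(m: int, r: int) -> int:
    """Requester blinds, signer signs without seeing m, requester unblinds."""
    return unblind(sign(blind(m, r)), r)
```

In this RSA instantiation the signer only ever sees blind(m, r), yet the unblinded value verifies as an ordinary signature on m.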

4.8 XOR

The inputs of the XOR function are two data D1 and D2, and the output is the XOR result.

We treat the XOR function as an atomic action xor(D1,D2), and we also use XOR(D1,D2) to denote the XOR result.

It is obvious that the following equations hold:

1. XOR(XOR(D1,D2),D3) =XOR(D1,XOR(D2,D3)).

2. XOR(D1,D2) =XOR(D2,D1).

3. XOR(D,0) =D.

4. XOR(D,D) = 0.

5. XOR(D2,XOR(D1,D2)) =D1

4.9 Extended Communications

In APTC (APTCG), the communication between two parallel processes is modeled as the com-

munication merge of two communicating actions. One communicating action is the sending

data (D1,⋯,Dn ∈ ∆) action through certain channel A which is denoted sA(D1,⋯,Dn), the

other communicating action is the receiving data (d1,⋯, dn range over ∆) action through the

corresponding channel A which is denoted rA(d1,⋯, dn), note that di and Di for 1 ≤ i ≤ n have

the same data type.

We extend communication merge to this situation. The axioms of the extended communication

merge are shown in Table 27, and the transition rules are shown in Table 28.

Obviously, the conclusions of the theories of APTC and APTCG still hold without any alteration.


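$$\frac{\langle x,s\rangle \xrightarrow{e_1(D_1,\cdots,D_n)} \langle\surd,s'\rangle \quad \langle y,s\rangle \xrightarrow{e_2(d_1,\cdots,d_n)} \langle\surd,s''\rangle}{\langle x\mid y,s\rangle \xrightarrow{\gamma(e_1(D_1,\cdots,D_n),e_2(d_1,\cdots,d_n))} \langle\surd,\mathit{effect}(\gamma(e_1(D_1,\cdots,D_n),e_2(d_1,\cdots,d_n)),s)\rangle}$$

$$\frac{\langle x,s\rangle \xrightarrow{e_1(D_1,\cdots,D_n)} \langle x',s'\rangle \quad \langle y,s\rangle \xrightarrow{e_2(d_1,\cdots,d_n)} \langle\surd,s''\rangle}{\langle x\mid y,s\rangle \xrightarrow{\gamma(e_1(D_1,\cdots,D_n),e_2(d_1,\cdots,d_n))} \langle x',\mathit{effect}(\gamma(e_1(D_1,\cdots,D_n),e_2(d_1,\cdots,d_n)),s)\rangle}$$

$$\frac{\langle x,s\rangle \xrightarrow{e_1(D_1,\cdots,D_n)} \langle\surd,s'\rangle \quad \langle y,s\rangle \xrightarrow{e_2(d_1,\cdots,d_n)} \langle y',s''\rangle}{\langle x\mid y,s\rangle \xrightarrow{\gamma(e_1(D_1,\cdots,D_n),e_2(d_1,\cdots,d_n))} \langle y'[D_1/d_1,\cdots,D_n/d_n],\mathit{effect}(\gamma(e_1(D_1,\cdots,D_n),e_2(d_1,\cdots,d_n)),s)\rangle}$$

$$\frac{\langle x,s\rangle \xrightarrow{e_1(D_1,\cdots,D_n)} \langle x',s'\rangle \quad \langle y,s\rangle \xrightarrow{e_2(d_1,\cdots,d_n)} \langle y',s''\rangle}{\langle x\mid y,s\rangle \xrightarrow{\gamma(e_1(D_1,\cdots,D_n),e_2(d_1,\cdots,d_n))} \langle x'\between y'[D_1/d_1,\cdots,D_n/d_n],\mathit{effect}(\gamma(e_1(D_1,\cdots,D_n),e_2(d_1,\cdots,d_n)),s)\rangle}$$

Table 28: Transition Rules of the Extended Communication Merge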

[Diagram: Alice, Bob; channels CA, CAB, CB]

Figure 3: A protocol using private channels

4.10 Analyses of Security Protocols

In this section, we will show the application of analyzing security protocols by APTC (APTCG)

via several examples.

4.10.1 A Protocol Using Private Channels

The protocol shown in Figure 3 uses private channels, that is, the channel CAB between Alice and Bob is private to Alice and Bob, and no one else can use this channel.

The process of the protocol is as follows.

1. Alice receives some messages D from the outside through the channel CA (the correspond-

ing reading action is denoted rCA(D)), after an internal processing af , she sends D to Bob

through the private channel CAB (the corresponding sending action is denoted sCAB(D));

2. Bob receives the message D through the private channel CAB (the corresponding reading action is denoted rCAB(D)), after an internal processing bf, he sends D to the outside through the channel CB (the corresponding sending action is denoted sCB(D)).


Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

$A = \sum_{D\in\Delta} r_{C_A}(D)\cdot A_2$

$A_2 = af\cdot A_3$

$A_3 = s_{C_{AB}}(D)\cdot A$

Bob’s state transitions described by APTCG are as follows.

$B = r_{C_{AB}}(D)\cdot B_2$

$B_2 = bf\cdot B_3$

$B_3 = s_{C_B}(D)\cdot B$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AB}}(D), s_{C_{AB}}(D)) \triangleq c_{C_{AB}}(D)$

Let all modules be in parallel, then the protocol A B can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A\between B))) = \tau_I(\partial_H(A\between B))$

where $H = \{r_{C_{AB}}(D), s_{C_{AB}}(D)\mid D\in\Delta\}$, $I = \{c_{C_{AB}}(D), af, bf\mid D\in\Delta\}$.

Then we get the following conclusion on the protocol.

Theorem 4.1. The protocol using private channels in Figure 3 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A\between B)) = \sum_{D\in\Delta}(r_{C_A}(D)\cdot s_{C_B}(D))\cdot\tau_I(\partial_H(A\between B))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 3, $\tau_I(\partial_H(A\between B))$, can exhibit the desired external behaviors, and because the channel CAB is private, there is no attack.

So, the protocol using private channels in Figure 3 is secure.

4.10.2 Secure Communication Protocols Using Symmetric Keys

The protocol shown in Figure 4 uses symmetric keys for secure communication, that is, the key kAB between Alice and Bob is privately shared between Alice and Bob, and no one else can use this key. For secure communication, the main challenge is information leakage against confidentiality. Since all channels in Figure 4 are public, there may be an Eve who intercepts the messages sent from Alice to Bob and tries to crack the secrets.

The process of the protocol is as follows.


[Diagram: Alice, Bob, Eve; channels CA, CAB, CB, CE]

Figure 4: Secure communication protocol using symmetric keys

1. Alice receives some messages D from the outside through the channel CA (the correspond-

ing reading action is denoted rCA(D)), after an encryption processing enckAB(D), she

sends ENCkAB(D) to Bob through the channel CAB (the corresponding sending action is

denoted sCAB(ENCkAB(D))). She also sends ENCkAB(D) to Eve through the channel

CAE (the corresponding sending action is denoted sCAE(ENCkAB(D)));

2. Bob receives the message ENCkAB(D) through the channel CAB (the corresponding reading action is denoted rCAB(ENCkAB(D))), after a decryption processing deckAB(ENCkAB(D)), he sends D to the outside through the channel CB (the corresponding sending action is denoted sCB(D));

3. Eve receives the message ENCkAB(D) through the channel CAE (the corresponding reading action is denoted rCAE(ENCkAB(D))), after a decryption processing deckE(ENCkAB(D)), he sends DECkE(ENCkAB(D)) to the outside through the channel CE (the corresponding sending action is denoted sCE(DECkE(ENCkAB(D)))).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

$A = \sum_{D\in\Delta} r_{C_A}(D)\cdot A_2$

$A_2 = enc_{k_{AB}}(D)\cdot A_3$

$A_3 = (s_{C_{AB}}(ENC_{k_{AB}}(D)) \parallel s_{C_{AE}}(ENC_{k_{AB}}(D)))\cdot A$

Bob’s state transitions described by APTCG are as follows.

$B = r_{C_{AB}}(ENC_{k_{AB}}(D))\cdot B_2$

$B_2 = dec_{k_{AB}}(ENC_{k_{AB}}(D))\cdot B_3$

$B_3 = s_{C_B}(D)\cdot B$

Eve’s state transitions described by APTCG are as follows.

$E = r_{C_{AE}}(ENC_{k_{AB}}(D))\cdot E_2$

$E_2 = dec_{k_E}(ENC_{k_{AB}}(D))\cdot E_3$

$E_3 = (\{k_E \neq k_{AB}\}\cdot s_{C_E}(DEC_{k_E}(ENC_{k_{AB}}(D))) + \{k_E = k_{AB}\}\cdot s_{C_E}(D))\cdot E$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AB}}(ENC_{k_{AB}}(D)), s_{C_{AB}}(ENC_{k_{AB}}(D))) \triangleq c_{C_{AB}}(ENC_{k_{AB}}(D))$

$\gamma(r_{C_{AE}}(ENC_{k_{AB}}(D)), s_{C_{AE}}(ENC_{k_{AB}}(D))) \triangleq c_{C_{AE}}(ENC_{k_{AB}}(D))$

Let all modules be in parallel, then the protocol A B E can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A\between B\between E))) = \tau_I(\partial_H(A\between B\between E))$

where $H = \{r_{C_{AB}}(ENC_{k_{AB}}(D)), s_{C_{AB}}(ENC_{k_{AB}}(D)), r_{C_{AE}}(ENC_{k_{AB}}(D)), s_{C_{AE}}(ENC_{k_{AB}}(D))\mid D\in\Delta\}$,

$I = \{c_{C_{AB}}(ENC_{k_{AB}}(D)), c_{C_{AE}}(ENC_{k_{AB}}(D)), enc_{k_{AB}}(D), dec_{k_{AB}}(ENC_{k_{AB}}(D)), dec_{k_E}(ENC_{k_{AB}}(D)), \{k_E \neq k_{AB}\}, \{k_E = k_{AB}\}\mid D\in\Delta\}$.

Then we get the following conclusion on the protocol.

Theorem 4.2. The protocol using symmetric keys for secure communication in Figure 4 is

confidential.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A\between B\between E)) = \sum_{D\in\Delta}(r_{C_A}(D)\cdot(s_{C_B}(D)\parallel s_{C_E}(DEC_{k_E}(ENC_{k_{AB}}(D)))))\cdot\tau_I(\partial_H(A\between B\between E))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 4, $\tau_I(\partial_H(A\between B\between E))$, can exhibit the desired external behaviors, and because the key $k_{AB}$ is private, $DEC_{k_E}(ENC_{k_{AB}}(D)) \neq D$ (for $k_E \neq k_{AB}$).

So, the protocol using symmetric keys in Figure 4 is confidential.

4.10.3 Discussion

Through the above subsections, we can see the process of analyzing security protocols: by abstracting away the internal series of cryptographic operations, we can see the relation between the inputs and the outputs of the whole protocol, and then we can conclude whether or not the protocol is secure.


[Diagram: Alice, Bob, Eve; channels CA, CAB, CB]

Figure 5: Secure communication protocol using symmetric keys with Replay Attack

A security protocol is designed for one or several goals. For example, the secure communication

protocol using symmetric keys in Figure 4 is designed for the confidentiality of the communica-

tion. So, we only verify if the protocol is confidential. In fact, the protocol in Figure 4 can not

resist other attacks, for example, the replay attack, as Figure 5 shows.

The process of the protocol is as follows.

1. Alice receives some messages D from the outside through the channel CA (the correspond-

ing reading action is denoted rCA(D)), after an encryption processing enckAB(D), she

sends ENCkAB(D) to Bob through the channel CAB (the corresponding sending action is

denoted sCAB(ENCkAB(D))). She also sends ENCkAB(D) to Eve through the channel

CAE (the corresponding sending action is denoted sCAE(ENCkAB(D)));

2. Eve receives the message ENCkAB(D) through the channel CAE (the corresponding reading action is denoted rCAE(ENCkAB(D))), without an internal processing, he sends ENCkAB(D) to the outside through the channel CEB (the corresponding sending action is denoted sCEB(ENCkAB(D)));

3. Bob receives the message ENCkAB(D) through the channel CAB (the corresponding reading action is denoted rCAB(ENCkAB(D))), after a decryption processing deckAB(ENCkAB(D)), he sends D to the outside through the channel CB (the corresponding sending action is denoted sCB(D)); Bob receives the message ENCkAB(D) through the channel CEB (the corresponding reading action is denoted rCEB(ENCkAB(D))), after a decryption processing deckAB(ENCkAB(D)), he sends D to the outside through the channel CB (the corresponding sending action is denoted sCB(D)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

$A = \sum_{D\in\Delta} r_{C_A}(D)\cdot A_2$

$A_2 = enc_{k_{AB}}(D)\cdot A_3$

$A_3 = (s_{C_{AB}}(ENC_{k_{AB}}(D)) \parallel s_{C_{AE}}(ENC_{k_{AB}}(D)))\cdot A$

Bob’s state transitions described by APTCG are as follows.

$B = (r_{C_{AB}}(ENC_{k_{AB}}(D)) \parallel r_{C_{AB}}(ENC_{k_{EB}}(D)))\cdot B_2$

$B_2 = (dec_{k_{AB}}(ENC_{k_{AB}}(D)) \parallel dec_{k_{AB}}(ENC_{k_{AB}}(D)))\cdot B_3$

$B_3 = (s_{C_B}(D) \parallel s_{C_B}(D))\cdot B$

Eve’s state transitions described by APTCG are as follows.

$E = r_{C_{AE}}(ENC_{k_{AB}}(D))\cdot E_2$

$E_2 = dec_{k_E}(ENC_{k_{AB}}(D))\cdot E_3$

$E_3 = s_{C_{EB}}(ENC_{k_{AB}}(D))\cdot E$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AB}}(ENC_{k_{AB}}(D)), s_{C_{AB}}(ENC_{k_{AB}}(D))) \triangleq c_{C_{AB}}(ENC_{k_{AB}}(D))$

$\gamma(r_{C_{AE}}(ENC_{k_{AB}}(D)), s_{C_{AE}}(ENC_{k_{AB}}(D))) \triangleq c_{C_{AE}}(ENC_{k_{AB}}(D))$

$\gamma(r_{C_{BE}}(ENC_{k_{AB}}(D)), s_{C_{BE}}(ENC_{k_{AB}}(D))) \triangleq c_{C_{BE}}(ENC_{k_{AB}}(D))$

Let all modules be in parallel, then the protocol A B E can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A\between B\between E))) = \tau_I(\partial_H(A\between B\between E))$

where $H = \{r_{C_{AB}}(ENC_{k_{AB}}(D)), s_{C_{AB}}(ENC_{k_{AB}}(D)), r_{C_{AE}}(ENC_{k_{AB}}(D)), s_{C_{AE}}(ENC_{k_{AB}}(D)), r_{C_{BE}}(ENC_{k_{AB}}(D)), s_{C_{BE}}(ENC_{k_{AB}}(D))\mid D\in\Delta\}$,

$I = \{c_{C_{AB}}(ENC_{k_{AB}}(D)), c_{C_{AE}}(ENC_{k_{AB}}(D)), c_{C_{BE}}(ENC_{k_{AB}}(D)), enc_{k_{AB}}(D), dec_{k_{AB}}(ENC_{k_{AB}}(D))\mid D\in\Delta\}$.

Then we get the following conclusion on the protocol.

Theorem 4.3. The protocol using symmetric keys for secure communication in Figure 4 is not

secure for replay attack.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A\between B\between E)) = \sum_{D\in\Delta}(r_{C_A}(D)\cdot(s_{C_B}(D)\parallel s_{C_B}(D)))\cdot\tau_I(\partial_H(A\between B\between E))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 4, $\tau_I(\partial_H(A\between B\between E))$, can exhibit undesired external behaviors (D is output twice).

So, the protocol using symmetric keys in Figure 4 is not secure against the replay attack.

Generally, in the following chapters, when we introduce the analysis of a security protocol, we

will mainly analyze the secure properties related to its design goal.
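The replay result of Theorem 4.3 can be reproduced with concrete messages. The following is an added example, not code from the paper: Bob as modelled in Figure 5 outputs D twice, while a Bob that tracks the nonce generated per message (the rsgN action of section 4.6) outputs it once. The toy SHA-256 stream cipher, the message layout and all class and function names are assumptions of this example.

```python
"""Added example: replay of ENC_kAB(D) against a naive and a nonce-checking receiver."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from k_AB (toy derivation).
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode. Illustration only.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, data: bytes) -> bytes:
    """Alice: fresh nonce N, encrypt D, authenticate nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes):
    """Bob: verify the MAC, then decrypt. Returns (nonce, D)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return nonce, bytes(a ^ b for a, b in zip(ct, stream))


class NaiveBob:
    """Bob as in Figure 5: every valid ciphertext is decrypted and output on C_B."""

    def __init__(self, key: bytes):
        self.key = key
        self.outputs = []          # the observable s_CB(...) actions

    def receive(self, blob: bytes) -> bool:
        _, data = open_sealed(self.key, blob)
        self.outputs.append(data)
        return True


class ReplayAwareBob(NaiveBob):
    """Bob that remembers nonces and drops a message whose nonce was already seen."""

    def __init__(self, key: bytes):
        super().__init__(key)
        self.seen = set()

    def receive(self, blob: bytes) -> bool:
        nonce, data = open_sealed(self.key, blob)
        if nonce in self.seen:
            return False           # replayed copy: no second s_CB(D)
        self.seen.add(nonce)
        self.outputs.append(data)
        return True


def run_figure5(bob_cls, data: bytes = b"pay 100"):
    """One round of Figure 5 with constructed data; returns what Bob outputs on C_B."""
    key = os.urandom(32)           # k_AB, shared by Alice and Bob only
    bob = bob_cls(key)
    blob = seal(key, data)         # Alice sends the same bytes on C_AB and C_AE
    eve_copy = blob                # Eve cannot read it, but can store and resend it
    bob.receive(blob)              # delivery on C_AB
    bob.receive(eve_copy)          # replay on C_EB
    return bob.outputs
```

A production receiver would bound the nonce cache, for example with counters or timestamps, rather than keep every nonce forever.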


[Diagram: Alice, Bob, Trent; channels CA, CAB, CB]

Figure 6: Key exchange protocol with symmetric cryptography

5 Analyses of Key Exchange Protocols

In this chapter, we will introduce several key exchange protocols, including key exchange pro-

tocols with symmetric cryptography in section 5.1 and public key cryptography in section 5.2,

interlock protocol against man-in-the-middle attack in section 5.3, key exchange protocol with

digital signature in section 5.4, key and message transmission protocol in section 5.5, and key

and message broadcast protocol in section 5.6.

5.1 Key Exchange with Symmetric Cryptography

The protocol shown in Figure 6 uses symmetric keys for secure communication, that is, the key kAB between Alice and Bob is privately shared between Alice and Bob, and kAB is generated by Trent. Alice and Bob already have the shared keys kAT and kBT. For secure communication, the main challenge is information leakage against confidentiality.

The process of the protocol is as follows.

1. Alice receives some messages D from the outside through the channel CA (the correspond-

ing reading action is denoted rCA(D)), if kAB is not established, she sends a key request

message M to Trent through the channel CAT (the corresponding sending action is denoted

sCAT (M));

2. Trent receives the message M through the channel CAT (the corresponding reading action is denoted rCAT(M)), generates a session key kAB through an action rsgkAB, and encrypts it for Alice and Bob through an action enckAT(kAB) and action enckBT(kAB) respectively, he sends ENCkAT(kAB), ENCkBT(kAB) to Alice through the channel CTA (the corresponding sending action is denoted sCTA(ENCkAT(kAB), ENCkBT(kAB)));

3. Alice receives ENCkAT(kAB), ENCkBT(kAB) from Trent through the channel CTA (the corresponding reading action is denoted rCTA(ENCkAT(kAB), ENCkBT(kAB))), she decrypts ENCkAT(kAB) through an action deckAT(ENCkAT(kAB)) and gets kAB, and sends ENCkBT(kAB) to Bob through the channel CAB (the corresponding sending action is denoted sCAB(ENCkBT(kAB)));

4. Bob receives ENCkBT(kAB) from Alice through the channel CAB (the corresponding reading action is denoted rCAB(ENCkBT(kAB))), he decrypts ENCkAT(kAB) through an action deckAT(ENCkAT(kAB)) and gets kAB, then kAB is established;

5. If kAB is established, after an encryption processing enckAB(D), Alice sends ENCkAB(D) to Bob through the channel CAB (the corresponding sending action is denoted sCAB(ENCkAB(D)));

6. Bob receives the message ENCkAB(D) through the channel CAB (the corresponding reading action is denoted rCAB(ENCkAB(D))), after a decryption processing deckAB(ENCkAB(D)), he sends D to the outside through the channel CB (the corresponding sending action is denoted sCB(D)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

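$A = \sum_{D\in\Delta} r_{C_A}(D)\cdot A_2$

$A_2 = \{k_{AB} = NULL\}\cdot s_{C_{AT}}(M)\cdot A_3 + \{k_{AB} \neq NULL\}\cdot A_6$

$A_3 = r_{C_{TA}}(ENC_{k_{AT}}(k_{AB}), ENC_{k_{BT}}(k_{AB}))\cdot A_4$

$A_4 = dec_{k_{AT}}(ENC_{k_{AT}}(k_{AB}))\cdot A_5$

$A_5 = s_{C_{AB}}(ENC_{k_{BT}}(k_{AB}))\cdot A_6$

$A_6 = enc_{k_{AB}}(D)\cdot A_7$

$A_7 = s_{C_{AB}}(ENC_{k_{AB}}(D))\cdot A$

Bob’s state transitions described by APTCG are as follows.

$B = \{k_{AB} = NULL\}\cdot B_1 + \{k_{AB} \neq NULL\}\cdot B_3$

$B_1 = r_{C_{AB}}(ENC_{k_{BT}}(k_{AB}))\cdot B_2$

$B_2 = dec_{k_{BT}}(ENC_{k_{AB}}(k_{AB}))\cdot B_3$

$B_3 = r_{C_{AB}}(ENC_{k_{AB}}(D))\cdot B_4$

$B_4 = dec_{k_{AB}}(ENC_{k_{AB}}(D))\cdot B_5$

$B_5 = s_{C_B}(D)\cdot B$

Trent’s state transitions described by APTCG are as follows.

$T = r_{C_{AT}}(M)\cdot T_2$

$T_2 = rsg_{k_{AB}}\cdot T_3$

$T_3 = (enc_{k_{AT}}(k_{AB}) \parallel enc_{k_{BT}}(k_{AB}))\cdot T_4$

$T_4 = s_{C_{TA}}(ENC_{k_{AT}}(k_{AB}), ENC_{k_{BT}}(k_{AB}))\cdot T$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AT}}(M), s_{C_{AT}}(M)) \triangleq c_{C_{AT}}(M)$

$\gamma(r_{C_{TA}}(ENC_{k_{AT}}(k_{AB}), ENC_{k_{BT}}(k_{AB})), s_{C_{TA}}(ENC_{k_{AT}}(k_{AB}), ENC_{k_{BT}}(k_{AB}))) \triangleq c_{C_{TA}}(ENC_{k_{AT}}(k_{AB}), ENC_{k_{BT}}(k_{AB}))$

$\gamma(r_{C_{AB}}(ENC_{k_{BT}}(k_{AB})), s_{C_{AB}}(ENC_{k_{BT}}(k_{AB}))) \triangleq c_{C_{AB}}(ENC_{k_{BT}}(k_{AB}))$

$\gamma(r_{C_{AB}}(ENC_{k_{AB}}(D)), s_{C_{AB}}(ENC_{k_{AB}}(D))) \triangleq c_{C_{AB}}(ENC_{k_{AB}}(D))$

Let all modules be in parallel, then the protocol A B T can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A\between B\between T))) = \tau_I(\partial_H(A\between B\between T))$

where $H = \{r_{C_{AT}}(M), s_{C_{AT}}(M), r_{C_{TA}}(ENC_{k_{AT}}(k_{AB}), ENC_{k_{BT}}(k_{AB})), s_{C_{TA}}(ENC_{k_{AT}}(k_{AB}), ENC_{k_{BT}}(k_{AB})), r_{C_{AB}}(ENC_{k_{BT}}(k_{AB})), s_{C_{AB}}(ENC_{k_{BT}}(k_{AB})), r_{C_{AB}}(ENC_{k_{AB}}(D)), s_{C_{AB}}(ENC_{k_{AB}}(D))\mid D\in\Delta\}$,

$I = \{c_{C_{AT}}(M), c_{C_{TA}}(ENC_{k_{AT}}(k_{AB}), ENC_{k_{BT}}(k_{AB})), c_{C_{AB}}(ENC_{k_{BT}}(k_{AB})), c_{C_{AB}}(ENC_{k_{AB}}(D)), \{k_{AB} = NULL\}, \{k_{AB} \neq NULL\}, dec_{k_{AT}}(ENC_{k_{AT}}(k_{AB})), enc_{k_{AB}}(D), dec_{k_{BT}}(ENC_{k_{AB}}(k_{AB})), dec_{k_{AB}}(ENC_{k_{AB}}(D)), rsg_{k_{AB}}, enc_{k_{AT}}(k_{AB}), enc_{k_{BT}}(k_{AB})\mid D\in\Delta\}$.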

Then we get the following conclusion on the protocol.

Theorem 5.1. The key exchange protocol with symmetric cryptography in Figure 6 is confidential.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A\between B\between T)) = \sum_{D\in\Delta}(r_{C_A}(D)\cdot(s_{C_B}(D)\parallel s_{C_E}(DEC_{k_E}(ENC_{k_{AB}}(D)))))\cdot\tau_I(\partial_H(A\between B\between T))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 6, $\tau_I(\partial_H(A\between B\between T))$, can exhibit the desired external behaviors, and because the key $k_{AB}$ is private, the protocol using symmetric keys in Figure 6 is confidential, similarly to the protocol in section 4.10.2; we do not model the information leakage attack.

5.2 Key Exchange with Public-Key Cryptography

The protocol shown in Figure 7 uses public keys for secure communication with man-in-the-middle attack, that is, Alice and Bob have already shared their public keys pkA and pkB. For secure communication, the main challenge is information leakage against confidentiality.

The process of key exchange protocol with public-key cryptography is:

1. Alice gets Bob’s public key from Trent;


[Diagram: Alice, Bob, Mallory; channel CM]

Figure 7: Key exchange protocol with public-key cryptography and man-in-the-middle attack

2. Alice generates a random session key, encrypts it using Bob’s public key, and sends it to Bob;

3. Bob receives the encrypted session key, decrypts it with his private key, and gets the session key;

4. Alice and Bob can communicate by use of the session key.

We do not verify the above protocol itself; instead we verify it under the man-in-the-middle attack that Figure 7 shows.

The process of the protocol with man-in-the-middle attack is as follows, and we only consider

the message in one direction: from Alice to Bob.

1. Alice receives some messages D from the outside through the channel CAI (the correspond-

ing reading action is denoted rCAI (D)), she sends a key request message Me to Mallory

through the channel CAM (the corresponding sending action is denoted sCAM (Me));

2. Mallory receives the message Me through the channel CAM (the corresponding reading

action is denoted rCAM (Me)), he sends Me to the Bob through the channel CMB (the

corresponding sending action is denoted sCMB(Me));

3. Bob receives the message Me from Mallory through the channel CMB (the corresponding

reading action is denoted rCMB(Me)), and sends his public key pkB to Mallory through

the channel CBM (the corresponding sending action is denoted sCBM (pkB));

4. Mallory receives pkB from Bob through the channel CBM (the corresponding reading action

is denoted rCBM (pkB)), then he stores pkB, and sends his public key pkM to Alice through

the channel CMA (the corresponding sending action is denoted sCMA(pkM));


5. Alice receives pkM from Mallory through the channel CMA (the corresponding reading

action is denoted rCMA(pkM)), she encrypts the message D with Mallory’s public key

pkM through the action encpkM (D), then Alice sends ENCpkM (D) to Mallory through

the channel CAM (the corresponding sending action is denoted sCAM (ENCpkM (D)));

6. Mallory receives ENCpkM (D) from Alice through the channel CAM (the corresponding

reading action is denoted rCAM (ENCpkM (D))), he decrypts the message with his pri-

vate key skM through the action decskM (ENCpkM (D)) to get the message D, and sends

D to the outside through the channel CM (the corresponding sending action is denoted

sCM (D)), then he encrypts D with Bob’s public key pkB through the action encpkB(D) and

sends ENCpkB(D) to Bob through the channel CMB (the corresponding sending action is

denoted sCMB(ENCpkB(D)));

7. Bob receives the message ENCpkB(D) through the channel CMB (the corresponding read-

ing action is denoted rCMB(ENCpkB(D))), after a decryption processing decskB(ENCpkB(D))

to get the message D, then he sends D to the outside through the channel CBO (the cor-

responding sending action is denoted sCBO(D)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

$A = \sum_{D\in\Delta} r_{C_{AI}}(D)\cdot A_2$

$A_2 = s_{C_{AM}}(Me)\cdot A_3$

$A_3 = r_{C_{MA}}(pk_M)\cdot A_4$

$A_4 = enc_{pk_M}(D)\cdot A_5$

$A_5 = s_{C_{AM}}(ENC_{pk_M}(D))\cdot A$

Bob’s state transitions described by APTCG are as follows.

$B = r_{C_{MB}}(Me)\cdot B_2$

$B_2 = s_{C_{BM}}(pk_B)\cdot B_3$

$B_3 = r_{C_{MB}}(ENC_{pk_B}(D))\cdot B_4$

$B_4 = dec_{sk_B}(ENC_{pk_B}(D))\cdot B_5$

$B_5 = s_{C_{BO}}(D)\cdot B$

Mallory’s state transitions described by APTCG are as follows.

$Ma = r_{C_{AM}}(Me)\cdot Ma_2$

$Ma_2 = s_{C_{MB}}(Me)\cdot Ma_3$

$Ma_3 = r_{C_{BM}}(pk_B)\cdot Ma_4$

$Ma_4 = s_{C_{MA}}(pk_M)\cdot Ma_5$

$Ma_5 = r_{C_{AM}}(ENC_{pk_M}(D))\cdot Ma_6$

$Ma_6 = dec_{sk_M}(ENC_{pk_M}(D))\cdot Ma_7$

$Ma_7 = s_{C_M}(D)\cdot Ma_8$

$Ma_8 = enc_{pk_B}(D)\cdot Ma_9$

$Ma_9 = s_{C_{MB}}(ENC_{pk_B}(D))\cdot Ma$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AM}}(Me), s_{C_{AM}}(Me)) \triangleq c_{C_{AM}}(Me)$

$\gamma(r_{C_{MB}}(Me), s_{C_{MB}}(Me)) \triangleq c_{C_{MB}}(Me)$

$\gamma(r_{C_{BM}}(pk_B), s_{C_{BM}}(pk_B)) \triangleq c_{C_{BM}}(pk_B)$

$\gamma(r_{C_{MA}}(pk_M), s_{C_{MA}}(pk_M)) \triangleq c_{C_{MA}}(pk_M)$

$\gamma(r_{C_{AM}}(ENC_{pk_M}(D)), s_{C_{AM}}(ENC_{pk_M}(D))) \triangleq c_{C_{AM}}(ENC_{pk_M}(D))$

$\gamma(r_{C_{MB}}(ENC_{pk_B}(D)), s_{C_{MB}}(ENC_{pk_B}(D))) \triangleq c_{C_{MB}}(ENC_{pk_B}(D))$

Let all modules be in parallel, then the protocol A B Ma can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A\between B\between Ma))) = \tau_I(\partial_H(A\between B\between Ma))$

where $H = \{r_{C_{AM}}(Me), s_{C_{AM}}(Me), r_{C_{MB}}(Me), s_{C_{MB}}(Me), r_{C_{BM}}(pk_B), s_{C_{BM}}(pk_B), r_{C_{MA}}(pk_M), s_{C_{MA}}(pk_M), r_{C_{AM}}(ENC_{pk_M}(D)), s_{C_{AM}}(ENC_{pk_M}(D)), r_{C_{MB}}(ENC_{pk_B}(D)), s_{C_{MB}}(ENC_{pk_B}(D))\mid D\in\Delta\}$,

$I = \{c_{C_{AM}}(Me), c_{C_{MB}}(Me), c_{C_{BM}}(pk_B), c_{C_{MA}}(pk_M), c_{C_{AM}}(ENC_{pk_M}(D)), c_{C_{MB}}(ENC_{pk_B}(D)), enc_{pk_M}(D), dec_{sk_B}(ENC_{pk_B}(D)), dec_{sk_M}(ENC_{pk_M}(D)), enc_{pk_B}(D)\mid D\in\Delta\}$.

Then we get the following conclusion on the protocol.

Theorem 5.2. The key exchange protocol with public key cryptography in Figure 7 is insecure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A\between B\between Ma)) = \sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot s_{C_M}(D)\cdot s_{C_{BO}}(D))\cdot\tau_I(\partial_H(A\between B\between Ma))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 7, $\tau_I(\partial_H(A\between B\between Ma))$, can exhibit undesired external behaviors, that is, there is an external action $s_{C_M}(D)$ of which Alice and Bob are not aware.
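The external behavior stated in Theorem 5.2 can be recomputed by executing the three processes symbolically. The following is an added example, not the paper's own tooling: it runs A, B and Ma with synchronous channel communication, hides every communication and internal step, and returns only the external actions. The tuple encoding of terms, the interleaving scheduler and all function names are assumptions of this example, and encryption is treated as perfect, as in the paper's abstraction.

```python
"""Added example: symbolic run of the Figure 7 processes, external actions only."""


def pk(owner):
    return ("pk", owner)


def sk(owner):
    return ("sk", owner)


def enc(pub, data):
    return ("ENC", pub, data)


def dec(priv, term):
    """DEC_sk(ENC_pk(D)) = D only when sk and pk belong to the same owner."""
    if isinstance(term, tuple) and term[0] == "ENC" and term[1] == pk(priv[1]):
        return term[2]
    return ("DEC", priv, term)        # wrong key: an opaque term, not D


def alice(D):
    yield ("ext", "r_CAI", D)                       # A
    yield ("send", "C_AM", "Me")                    # A2
    key = yield ("recv", "C_MA")                    # A3: believes this is Bob's key
    yield ("send", "C_AM", enc(key, D))             # A4, A5


def bob():
    yield ("recv", "C_MB")                          # B: key request
    yield ("send", "C_BM", pk("B"))                 # B2
    c = yield ("recv", "C_MB")                      # B3
    yield ("ext", "s_CBO", dec(sk("B"), c))         # B4, B5


def mallory():
    me = yield ("recv", "C_AM")                     # Ma
    yield ("send", "C_MB", me)                      # Ma2
    pk_b = yield ("recv", "C_BM")                   # Ma3
    yield ("send", "C_MA", pk("M"))                 # Ma4: substitutes his own key
    c = yield ("recv", "C_AM")                      # Ma5
    d = dec(sk("M"), c)                             # Ma6
    yield ("ext", "s_CM", d)                        # Ma7
    yield ("send", "C_MB", enc(pk_b, d))            # Ma8, Ma9


def run(procs):
    """Interleaving scheduler: external actions fire; send/recv pairs synchronise."""
    pending = {name: next(gen) for name, gen in procs.items()}
    trace = []

    def advance(name, value=None):
        try:
            pending[name] = procs[name].send(value)
        except StopIteration:
            del pending[name]

    while pending:
        ext = next((n for n, a in pending.items() if a[0] == "ext"), None)
        if ext is not None:
            trace.append(pending[ext][1:])
            advance(ext)
            continue
        pair = next(((s, r) for s, a in pending.items() if a[0] == "send"
                     for r, b in pending.items()
                     if b[0] == "recv" and b[1] == a[1]), None)
        if pair is None:
            raise RuntimeError("deadlock: no matching send/receive")
        sender, receiver = pair
        value = pending[sender][2]
        advance(sender)
        advance(receiver, value)      # the communication itself stays hidden
    return trace


def external_trace(D="D"):
    return run({"A": alice(D), "B": bob(), "Ma": mallory()})


def leaked_on(trace, D, allowed=("r_CAI", "s_CBO")):
    """External actions that expose D outside the intended input and output."""
    return [label for label, value in trace if value == D and label not in allowed]
```

The scheduler interleaves actions rather than modelling true concurrency, which is sufficient here because the Figure 7 processes are purely sequential.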

5.3 Interlock Protocol

The interlock protocol shown in Figure 8 also uses public keys for secure communication with man-in-the-middle attack, that is, Alice and Bob have already shared their public keys pkA and pkB. But the interlock protocol can resist the man-in-the-middle attack, that is, Alice and Bob can become aware of the existence of the man in the middle.

The process of the interlock protocol with man-in-the-middle attack is as follows. We assume that Alice has "Bob’s" public key pkM, Bob has "Alice’s" public key pkM, and Mallory has Alice’s public key pkA and Bob’s public key pkB.


[Diagram: Alice, Bob, Mallory]

Figure 8: Interlock protocol with man-in-the-middle attack

1. Alice receives some messages DA from the outside through the channel CAI (the corresponding reading action is denoted rCAI(DA)), she encrypts the message DA with Mallory’s public key pkM through the action encpkM(DA), then Alice sends the half of ENCpkM(DA) to Mallory through the channel CAM (the corresponding sending action is denoted sCAM(ENCpkM(DA)/2));

2. Mallory receives ENCpkM(DA)/2 from Alice through the channel CAM (the corresponding reading action is denoted rCAM(ENCpkM(DA)/2)), he can not decrypt the message with his private key skM, and has to make another message D′A and encrypt D′A with Bob’s public key pkB through the action encpkB(D′A), and sends the half of ENCpkB(D′A) to Bob through the channel CMB (the corresponding sending action is denoted sCMB(ENCpkB(D′A)/2));

3. Bob receives the message ENCpkB(D′A)/2 through the channel CMB (the corresponding reading action is denoted rCMB(ENCpkB(D′A)/2)), and receives some message DB from the outside through the channel CBI (the corresponding reading action is denoted rBI(DB)), after an encryption processing encpkM(DB) to get the message ENCpkM(DB), then he sends the half of ENCpkM(DB) to Mallory through the channel CBM (the corresponding sending action is denoted sCBM(ENCpkM(DB)/2));

4. Mallory receives ENCpkM(DB)/2 from Bob through the channel CBM (the corresponding reading action is denoted rCBM(ENCpkM(DB)/2)), he can not decrypt the message with his private key skM, and has to make another message D′B and encrypt D′B with Alice’s public key pkA through the action encpkA(D′B), and sends the half of ENCpkA(D′B) to Alice through the channel CMA (the corresponding sending action is denoted sCMA(ENCpkA(D′B)/2));

5. Alice receives the message ENCpkA(D′B)/2 through the channel CMA (the corresponding reading action is denoted rCMA(ENCpkA(D′B)/2)), and sends the other half of ENCpkM(DA) to Mallory through the channel CAM (the corresponding sending action is denoted sCAM(ENCpkM(DA)/2));

6. Mallory receives ENCpkM(DA)/2 from Alice through the channel CAM (the corresponding reading action is denoted rCAM(ENCpkM(DA)/2)), he can combine the two halves of ENCpkM(DA)/2 and decrypt the message with his private key skM, but he has to send the other half of ENCpkB(D′A) to Bob through the channel CMB (the corresponding sending action is denoted sCMB(ENCpkB(D′A)/2));

7. Bob receives the message ENCpkB(D′A)/2 through the channel CMB (the corresponding reading action is denoted rCMB(ENCpkB(D′A)/2)), after a combination of the two halves of ENCpkB(D′A) and a decryption processing decskB(ENCpkB(D′A)) to get the message D′A, then he sends it to the outside through the channel CBO (the corresponding sending action is denoted sCBO(D′A)). Then he sends the other half of ENCpkM(DB) to Mallory through the channel CBM (the corresponding sending action is denoted sCBM(ENCpkM(DB)/2));

8. Mallory receives ENCpkM(DB)/2 from Bob through the channel CBM (the corresponding reading action is denoted rCBM(ENCpkM(DB)/2)), he can combine the two halves of ENCpkM(DB)/2 and decrypt the message with his private key skM, but he has to send the other half of ENCpkA(D′B) to Alice through the channel CMA (the corresponding sending action is denoted sCMA(ENCpkA(D′B)/2));

9. Alice receives the message ENCpkA(D′B)/2 through the channel CMA (the corresponding reading action is denoted rCMA(ENCpkA(D′B)/2)), after a combination of the two halves of ENCpkA(D′B) and a decryption processing decskA(ENCpkA(D′B)) to get the message D′B, then she sends it to the outside through the channel CAO (the corresponding sending action is denoted sCAO(D′B)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

$A = \sum_{D_A\in\Delta} r_{C_{AI}}(D_A)\cdot A_2$

$A_2 = enc_{pk_M}(D_A)\cdot A_3$

$A_3 = s_{C_{AM}}(ENC_{pk_M}(D_A)/2)\cdot A_4$

$A_4 = r_{C_{MA}}(ENC_{pk_A}(D'_B)/2)\cdot A_5$

$A_5 = s_{C_{AM}}(ENC_{pk_M}(D_A)/2)\cdot A_6$

$A_6 = r_{C_{MA}}(ENC_{pk_A}(D'_B)/2)\cdot A_7$

$A_7 = dec_{sk_A}(ENC_{pk_A}(D'_B))\cdot A_8$

$A_8 = s_{C_{AO}}(D'_B)\cdot A$

Bob’s state transitions described by APTCG are as follows.

$B = r_{C_{MB}}(ENC_{pk_B}(D'_A)/2)\cdot B_2$

$B_2 = \sum_{D_B\in\Delta} r_{BI}(D_B)\cdot B_3$

$B_3 = enc_{pk_M}(D_B)\cdot B_4$

$B_4 = s_{C_{BM}}(ENC_{pk_M}(D_B)/2)\cdot B_5$

$B_5 = r_{C_{MB}}(ENC_{pk_B}(D'_A)/2)\cdot B_6$

$B_6 = dec_{sk_B}(ENC_{pk_B}(D'_A))\cdot B_7$

$B_7 = s_{C_{BO}}(D'_A)\cdot B_8$

$B_8 = s_{C_{BM}}(ENC_{pk_M}(D_B)/2)\cdot B$

Mallory’s state transitions described by APTCG are as follows.

$Ma = r_{C_{AM}}(ENC_{pk_M}(D_A)/2)\cdot Ma_2$

$Ma_2 = enc_{pk_B}(D'_A)\cdot Ma_3$

$Ma_3 = s_{C_{MB}}(ENC_{pk_B}(D'_A)/2)\cdot Ma_4$

$Ma_4 = r_{C_{BM}}(ENC_{pk_M}(D_B)/2)\cdot Ma_5$

$Ma_5 = enc_{pk_A}(D'_B)\cdot Ma_6$

$Ma_6 = s_{C_{MA}}(ENC_{pk_A}(D'_B)/2)\cdot Ma_7$

$Ma_7 = r_{C_{AM}}(ENC_{pk_M}(D_A)/2)\cdot Ma_8$

$Ma_8 = s_{C_{MB}}(ENC_{pk_B}(D'_A)/2)\cdot Ma_9$

$Ma_9 = r_{C_{BM}}(ENC_{pk_M}(D_B)/2)\cdot Ma_{10}$

$Ma_{10} = s_{C_{MA}}(ENC_{pk_A}(D'_B)/2)\cdot Ma$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AM}}(ENC_{pk_M}(D_A)/2), s_{C_{AM}}(ENC_{pk_M}(D_A)/2)) \triangleq c_{C_{AM}}(ENC_{pk_M}(D_A)/2)$

$\gamma(r_{C_{MB}}(ENC_{pk_B}(D'_A)/2), s_{C_{MB}}(ENC_{pk_B}(D'_A)/2)) \triangleq c_{C_{MB}}(ENC_{pk_B}(D'_A)/2)$

$\gamma(r_{C_{BM}}(ENC_{pk_M}(D_B)/2), s_{C_{BM}}(ENC_{pk_M}(D_B)/2)) \triangleq c_{C_{BM}}(ENC_{pk_M}(D_B)/2)$

$\gamma(r_{C_{MA}}(ENC_{pk_A}(D'_B)/2), s_{C_{MA}}(ENC_{pk_A}(D'_B)/2)) \triangleq c_{C_{MA}}(ENC_{pk_A}(D'_B)/2)$

$\gamma(r_{C_{AM}}(ENC_{pk_M}(D_A)/2), s_{C_{AM}}(ENC_{pk_M}(D_A)/2)) \triangleq c_{C_{AM}}(ENC_{pk_M}(D_A)/2)$

$\gamma(r_{C_{MB}}(ENC_{pk_B}(D'_A)/2), s_{C_{MB}}(ENC_{pk_B}(D'_A)/2)) \triangleq c_{C_{MB}}(ENC_{pk_B}(D'_A)/2)$

$\gamma(r_{C_{BM}}(ENC_{pk_M}(D_B)/2), s_{C_{BM}}(ENC_{pk_M}(D_B)/2)) \triangleq c_{C_{BM}}(ENC_{pk_M}(D_B)/2)$

$\gamma(r_{C_{MA}}(ENC_{pk_A}(D'_B)/2), s_{C_{MA}}(ENC_{pk_A}(D'_B)/2)) \triangleq c_{C_{MA}}(ENC_{pk_A}(D'_B)/2)$

Let all modules be in parallel, then the protocol A B Ma can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A\between B\between Ma))) = \tau_I(\partial_H(A\between B\between Ma))$

where $H = \{r_{C_{AM}}(ENC_{pk_M}(D_A)/2), s_{C_{AM}}(ENC_{pk_M}(D_A)/2), r_{C_{MB}}(ENC_{pk_B}(D'_A)/2), s_{C_{MB}}(ENC_{pk_B}(D'_A)/2), r_{C_{BM}}(ENC_{pk_M}(D_B)/2), s_{C_{BM}}(ENC_{pk_M}(D_B)/2), r_{C_{MA}}(ENC_{pk_A}(D'_B)/2), s_{C_{MA}}(ENC_{pk_A}(D'_B)/2), r_{C_{AM}}(ENC_{pk_M}(D_A)/2), s_{C_{AM}}(ENC_{pk_M}(D_A)/2), r_{C_{MB}}(ENC_{pk_B}(D'_A)/2), s_{C_{MB}}(ENC_{pk_B}(D'_A)/2), r_{C_{BM}}(ENC_{pk_M}(D_B)/2), s_{C_{BM}}(ENC_{pk_M}(D_B)/2), r_{C_{MA}}(ENC_{pk_A}(D'_B)/2), s_{C_{MA}}(ENC_{pk_A}(D'_B)/2)\mid D_A, D_B, D'_A, D'_B\in\Delta\}$,

$I = \{c_{C_{AM}}(ENC_{pk_M}(D_A)/2), c_{C_{MB}}(ENC_{pk_B}(D'_A)/2), c_{C_{BM}}(ENC_{pk_M}(D_B)/2), c_{C_{MA}}(ENC_{pk_A}(D'_B)/2), c_{C_{AM}}(ENC_{pk_M}(D_A)/2), c_{C_{MB}}(ENC_{pk_B}(D'_A)/2), c_{C_{BM}}(ENC_{pk_M}(D_B)/2), c_{C_{MA}}(ENC_{pk_A}(D'_B)/2), enc_{pk_M}(D_A), dec_{sk_A}(ENC_{pk_A}(D'_B)), enc_{pk_M}(D_B), dec_{sk_B}(ENC_{pk_B}(D'_A)), enc_{pk_B}(D'_A), enc_{pk_A}(D'_B)\mid D_A, D_B, D'_A, D'_B\in\Delta\}$.


[Diagram: Alice, Bob, Mallory; channel CM]

Figure 9: Key exchange protocol with digital signature and man-in-the-middle attack

Then we get the following conclusion on the protocol.

Theorem 5.3. The interlock protocol with public key cryptography in Figure 8 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A \between B \between Ma)) = \sum_{D_A, D_B, D'_A, D'_B \in \Delta}(r_{C_{AI}}(D_A) \cdot r_{C_{BI}}(D_B) \cdot s_{C_{BO}}(D'_A) \cdot s_{C_{AO}}(D'_B)) \cdot \tau_I(\partial_H(A \between B \between Ma))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the interlock protocol in Figure 8, $\tau_I(\partial_H(A \between B \between Ma))$, can exhibit the desired external behaviors, that is, Alice and Bob can become aware of the existence of the man in the middle.

5.4 Key Exchange with Digital Signatures

The protocol shown in Figure 9 uses digital signatures for secure communication under a man-in-the-middle attack, that is, Alice and Bob have shared their public keys $pk_A$ and $pk_B$, and the public keys are signed by Trent: $SIGN_{sk_T}(A, pk_A)$, $SIGN_{sk_T}(B, pk_B)$ and $SIGN_{sk_T}(M, pk_M)$. Note that Trent's public key $pk_T$ is well-known. The key exchange protocol with digital signatures can resist the man-in-the-middle attack, that is, Alice and Bob can become aware of the existence of the man in the middle.

The process of the protocol with man-in-the-middle attack is as follows, and we only consider

the message in one direction: from Alice to Bob.


1. Alice receives some messages $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$), she sends a key request message $Me$ to Mallory through the channel $C_{AM}$ (the corresponding sending action is denoted $s_{C_{AM}}(Me)$);

2. Mallory receives the message $Me$ through the channel $C_{AM}$ (the corresponding reading action is denoted $r_{C_{AM}}(Me)$), he sends $Me$ to Bob through the channel $C_{MB}$ (the corresponding sending action is denoted $s_{C_{MB}}(Me)$);

3. Bob receives the message $Me$ from Mallory through the channel $C_{MB}$ (the corresponding reading action is denoted $r_{C_{MB}}(Me)$), and sends his signed public key $SIGN_{sk_T}(B, pk_B)$ to Mallory through the channel $C_{BM}$ (the corresponding sending action is denoted $s_{C_{BM}}(SIGN_{sk_T}(B, pk_B))$);

4. Mallory receives $SIGN_{sk_T}(B, pk_B)$ from Bob through the channel $C_{BM}$ (the corresponding reading action is denoted $r_{C_{BM}}(SIGN_{sk_T}(B, pk_B))$), he can get $pk_B$, then he sends his signed public key $SIGN_{sk_T}(M, pk_M)$ or $SIGN_{sk_T}(B, pk_B)$ to Alice through the channel $C_{MA}$ (the corresponding sending action is denoted $s_{C_{MA}}(SIGN_{sk_T}(M, pk_M))$);

5. Alice receives $SIGN_{sk_T}(M, pk_M)$ or $SIGN_{sk_T}(B, pk_B)$ from Mallory through the channel $C_{MA}$ (the corresponding reading action is denoted $r_{C_{MA}}(SIGN_{sk_T}(d_1, d_2))$), she de-signs this message using Trent's public key $pk_T$ through the action $\text{de-sign}_{pk_T}(SIGN_{sk_T}(d_1, d_2))$; if $d_1 = B$, she encrypts the message $D$ with Bob's public key $pk_B$ through the action $enc_{pk_B}(D)$, then Alice sends $ENC_{pk_B}(D)$ to Mallory through the channel $C_{AM}$ (the corresponding sending action is denoted $s_{C_{AM}}(ENC_{pk_B}(D))$); if $d_1 \neq B$, she encrypts the message $\bot$ (a special meaningless message) with Mallory's public key $pk_M$ through the action $enc_{pk_M}(\bot)$, then Alice sends $ENC_{pk_M}(\bot)$ to Mallory through the channel $C_{AM}$ (the corresponding sending action is denoted $s_{C_{AM}}(ENC_{pk_M}(\bot))$);

6. Mallory receives $ENC_{pk_M}(d_3)$ from Alice through the channel $C_{AM}$ (the corresponding reading action is denoted $r_{C_{AM}}(ENC_{pk_M}(d_3))$), he decrypts the message with his private key $sk_M$ through the action $dec_{sk_M}(ENC_{pk_M}(d_3))$ to get the message $d_3$ (maybe $\bot$ or another meaningless data, all denoted $\bot$), and sends $\bot$ to the outside through the channel $C_M$ (the corresponding sending action is denoted $s_{C_M}(\bot)$), then he encrypts $\bot$ with Bob's public key $pk_B$ through the action $enc_{pk_B}(\bot)$ and sends $ENC_{pk_B}(\bot)$ to Bob through the channel $C_{MB}$ (the corresponding sending action is denoted $s_{C_{MB}}(ENC_{pk_B}(\bot))$);

7. Bob receives the message $ENC_{pk_B}(\bot)$ through the channel $C_{MB}$ (the corresponding reading action is denoted $r_{C_{MB}}(ENC_{pk_B}(\bot))$), after a decryption processing $dec_{sk_B}(ENC_{pk_B}(\bot))$ to get the message $\bot$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

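$A = \sum_{D \in \Delta} r_{C_{AI}}(D) \cdot A_2$

$A_2 = s_{C_{AM}}(Me) \cdot A_3$

$A_3 = r_{C_{MA}}(SIGN_{sk_T}(d_1, d_2)) \cdot A_4$

$A_4 = \text{de-sign}_{pk_T}(SIGN_{sk_T}(d_1, d_2)) \cdot A_5$

$A_5 = (\{d_1 = B\} \cdot enc_{pk_B}(D) \cdot s_{C_{AM}}(ENC_{pk_B}(D)) + \{d_1 \neq B\} \cdot enc_{pk_M}(\bot) \cdot s_{C_{AM}}(ENC_{pk_M}(\bot))) \cdot A$

Bob's state transitions described by APTCG are as follows.

$B = r_{C_{MB}}(Me) \cdot B_2$

$B_2 = s_{C_{BM}}(SIGN_{sk_T}(B, pk_B)) \cdot B_3$

$B_3 = r_{C_{MB}}(ENC_{pk_B}(\bot)) \cdot B_4$

$B_4 = dec_{sk_B}(ENC_{pk_B}(\bot)) \cdot B_5$

$B_5 = s_{C_{BO}}(\bot) \cdot B$

Mallory's state transitions described by APTCG are as follows.

$Ma = r_{C_{AM}}(Me) \cdot Ma_2$

$Ma_2 = s_{C_{MB}}(Me) \cdot Ma_3$

$Ma_3 = r_{C_{BM}}(SIGN_{sk_T}(B, pk_B)) \cdot Ma_4$

$Ma_4 = s_{C_{MA}}(SIGN_{sk_T}(M, pk_M)) \cdot Ma_5$

$Ma_5 = r_{C_{AM}}(ENC_{pk_M}(d_3)) \cdot Ma_6$

$Ma_6 = dec_{sk_M}(ENC_{pk_M}(d_3)) \cdot Ma_7$

$Ma_7 = s_{C_M}(\bot) \cdot Ma_8$

$Ma_8 = enc_{pk_B}(\bot) \cdot Ma_9$

$Ma_9 = s_{C_{MB}}(ENC_{pk_B}(\bot)) \cdot Ma$

A sending action and a reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AM}}(Me), s_{C_{AM}}(Me)) \triangleq c_{C_{AM}}(Me)$

$\gamma(r_{C_{MB}}(Me), s_{C_{MB}}(Me)) \triangleq c_{C_{MB}}(Me)$

$\gamma(r_{C_{BM}}(SIGN_{sk_T}(B, pk_B)), s_{C_{BM}}(SIGN_{sk_T}(B, pk_B))) \triangleq c_{C_{BM}}(SIGN_{sk_T}(B, pk_B))$

$\gamma(r_{C_{MA}}(SIGN_{sk_T}(M, pk_M)), s_{C_{MA}}(SIGN_{sk_T}(M, pk_M))) \triangleq c_{C_{MA}}(SIGN_{sk_T}(M, pk_M))$

$\gamma(r_{C_{AM}}(ENC_{pk_M}(d_3)), s_{C_{AM}}(ENC_{pk_M}(d_3))) \triangleq c_{C_{AM}}(ENC_{pk_M}(d_3))$

$\gamma(r_{C_{MB}}(ENC_{pk_B}(\bot)), s_{C_{MB}}(ENC_{pk_B}(\bot))) \triangleq c_{C_{MB}}(ENC_{pk_B}(\bot))$

Let all modules be in parallel, then the protocol $A \between B \between Ma$ can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A \between B \between Ma))) = \tau_I(\partial_H(A \between B \between Ma))$

where $H = \{r_{C_{AM}}(Me), s_{C_{AM}}(Me), r_{C_{MB}}(Me), s_{C_{MB}}(Me), r_{C_{BM}}(SIGN_{sk_T}(B, pk_B)), s_{C_{BM}}(SIGN_{sk_T}(B, pk_B)), r_{C_{MA}}(SIGN_{sk_T}(M, pk_M)), s_{C_{MA}}(SIGN_{sk_T}(M, pk_M)), r_{C_{AM}}(ENC_{pk_M}(d_3)), s_{C_{AM}}(ENC_{pk_M}(d_3)), r_{C_{MB}}(ENC_{pk_B}(\bot)), s_{C_{MB}}(ENC_{pk_B}(\bot)) \mid D \in \Delta\}$,

$I = \{c_{C_{AM}}(Me), c_{C_{MB}}(Me), c_{C_{BM}}(SIGN_{sk_T}(B, pk_B)), c_{C_{MA}}(SIGN_{sk_T}(M, pk_M)), c_{C_{AM}}(ENC_{pk_M}(d_3)), c_{C_{MB}}(ENC_{pk_B}(\bot)), \text{de-sign}_{pk_T}(SIGN_{sk_T}(d_1, d_2)), \{d_1 = B\}, ENC_{pk_B}(D), \{d_1 \neq B\}, enc_{pk_M}(\bot), dec_{sk_B}(ENC_{pk_B}(\bot)), dec_{sk_M}(ENC_{pk_M}(d_3)), enc_{pk_B}(\bot) \mid D \in \Delta\}$.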

Then we get the following conclusion on the protocol.

Figure 10: Key and message transmission protocol (diagram not reproduced; principals Alice and Bob)

Theorem 5.4. The key exchange protocol with digital signature in Figure 9 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A \between B \between Ma)) = \sum_{D \in \Delta}(r_{C_{AI}}(D) \cdot s_{C_M}(\bot) \cdot s_{C_{BO}}(\bot)) \cdot \tau_I(\partial_H(A \between B \between Ma))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 9, $\tau_I(\partial_H(A \between B \between Ma))$, can exhibit the desired external behaviors, that is, Alice and Bob can become aware of the existence of the man in the middle.
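Alice's guarded choice on d1 = B is what produces the external behavior stated in Theorem 5.4. The Python model below is an added illustration, not code from the paper: it runs the three processes of this section as coroutines over symbolic messages, synchronizes matching send/read pairs on the internal channels, and returns only the actions on the external channels. The symbolic `enc`/`dec`/`de_sign` helpers, the `check_identity` switch and the certificate not signed by Trent are assumptions introduced for the example.

```python
BOT = "⊥"                        # the "special meaningless message" of step 5
EXTERNAL = {"CAI", "CM", "CBO"}  # channels to the outside; the rest are internal

def sign_T(name, pk):            # symbolic SIGN_skT(name, pk)
    return ("SIGN", "T", name, pk)

def de_sign(cert):               # de-sign_pkT: only a certificate signed by T opens
    tag, signer, name, pk = cert
    return (name, pk) if (tag, signer) == ("SIGN", "T") else (BOT, BOT)

def enc(pk, m):                  # symbolic ENC_pk(m); the key pair of X is "X"
    return ("ENC", pk, m)

def dec(sk, c):                  # decryption with the wrong key yields ⊥
    return c[2] if c[0] == "ENC" and c[1] == sk else BOT

def alice(check_identity):
    d = yield ("r", "CAI")
    yield ("s", "CAM", "Me")
    d1, d2 = de_sign((yield ("r", "CMA")))
    if d1 == "B" or not check_identity:      # guard {d1 = B}
        yield ("s", "CAM", enc(d2, d))
    else:                                    # guard {d1 ≠ B}
        yield ("s", "CAM", enc(d2, BOT))

def bob():
    yield ("r", "CMB")                       # key request Me
    yield ("s", "CBM", sign_T("B", "B"))
    c = yield ("r", "CMB")
    yield ("s", "CBO", dec("B", c))

def mallory(cert_for_alice):
    me = yield ("r", "CAM")
    yield ("s", "CMB", me)
    yield ("r", "CBM")                       # Bob's certificate, which reveals pkB
    yield ("s", "CMA", cert_for_alice)
    d3 = dec("M", (yield ("r", "CAM")))
    yield ("s", "CM", d3)                    # what Mallory can pass to the outside
    yield ("s", "CMB", enc("B", d3))

def run_round(cert_for_alice, check_identity=True, data="D"):
    """External trace of one round of A ≬ B ≬ Ma (internal communications hidden)."""
    procs = {"A": alice(check_identity), "B": bob(), "Ma": mallory(cert_for_alice)}
    pending = {name: next(p) for name, p in procs.items()}
    trace = []

    def advance(name, value=None):
        try:
            pending[name] = procs[name].send(value)
        except StopIteration:
            del pending[name]

    while pending:
        ext = next((n for n, a in pending.items() if a[1] in EXTERNAL), None)
        if ext is not None:                  # action visible to the outside
            kind, chan = pending[ext][:2]
            value = data if kind == "r" else pending[ext][2]
            trace.append((kind, chan, value))
            advance(ext, value if kind == "r" else None)
            continue
        pair = next(((s, r) for s, sa in pending.items() if sa[0] == "s"
                     for r, ra in pending.items()
                     if ra[0] == "r" and ra[1] == sa[1]), None)
        if pair is None:                     # unmatched send/read: deadlock δ
            trace.append("δ")
            break
        sender, reader = pair
        message = pending[sender][2]
        advance(reader, message)             # the communication itself is hidden
        advance(sender)
    return trace

if __name__ == "__main__":
    for cert in (sign_T("M", "M"), sign_T("B", "B"), ("SIGN", "M", "B", "M")):
        print(cert, run_round(cert))
    print("no identity check:", run_round(sign_T("M", "M"), check_identity=False))
```

With the check in place every run yields the trace r_CAI(D), s_CM(⊥), s_CBO(⊥), the behavior of Theorem 5.4; with `check_identity=False` the same Mallory outputs D on CM.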

5.5 Key and Message Transmission

The protocol shown in Figure 10 uses digital signatures for secure communication, that is, Alice and Bob have shared their public keys $pk_A$ and $pk_B$, and the public keys are signed by Trent: $SIGN_{sk_T}(A, pk_A)$, $SIGN_{sk_T}(B, pk_B)$. Note that Trent's public key $pk_T$ is well-known. There is no session key exchange process before the message is transferred.

The process of the protocol is as follows, and we only consider the message in one direction:

from Alice to Bob.

1. Alice receives some messages $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$), she has $SIGN_{sk_T}(B, pk_B)$, she applies $\text{de-sign}_{pk_T}(SIGN_{sk_T}(B, pk_B))$ and gets $pk_B$, then generates a session key $k_{AB}$ through an action $rsg_{k_{AB}}$, and she encrypts the message $D$ with $k_{AB}$ through an action $enc_{k_{AB}}(D)$ and encrypts $k_{AB}$ with Bob's public key $pk_B$ through the action $enc_{pk_B}(k_{AB})$, then Alice sends $ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D))$);

2. Bob receives the message $ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D)$ through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D))$), after a decryption processing $dec_{sk_B}(ENC_{pk_B}(k_{AB}))$ to get the message $k_{AB}$ and a decryption processing $dec_{k_{AB}}(ENC_{k_{AB}}(D))$ to get $D$, he sends $D$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(D)$).

Where D ∈ ∆, ∆ is the set of data.


Alice’s state transitions described by APTCG are as follows.

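$A = \sum_{D \in \Delta} r_{C_{AI}}(D) \cdot A_2$

$A_2 = \text{de-sign}_{pk_T}(SIGN_{sk_T}(B, pk_B)) \cdot A_3$

$A_3 = rsg_{k_{AB}} \cdot A_4$

$A_4 = enc_{k_{AB}}(D) \cdot A_5$

$A_5 = enc_{pk_B}(k_{AB}) \cdot A_6$

$A_6 = s_{C_{AB}}(ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D)) \cdot A$

Bob's state transitions described by APTCG are as follows.

$B = r_{C_{AB}}(ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D)) \cdot B_2$

$B_2 = dec_{sk_B}(ENC_{pk_B}(k_{AB})) \cdot B_3$

$B_3 = dec_{k_{AB}}(ENC_{k_{AB}}(D)) \cdot B_4$

$B_4 = s_{C_{BO}}(D) \cdot B$

A sending action and a reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AB}}(ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D)), s_{C_{AB}}(ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D))) \triangleq c_{C_{AB}}(ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D))$

Let all modules be in parallel, then the protocol $A \between B$ can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A \between B))) = \tau_I(\partial_H(A \between B))$

where $H = \{r_{C_{AB}}(ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D)), s_{C_{AB}}(ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D)) \mid D \in \Delta\}$,

$I = \{c_{C_{AB}}(ENC_{pk_B}(k_{AB}), ENC_{k_{AB}}(D)), \text{de-sign}_{pk_T}(SIGN_{sk_T}(B, pk_B)), rsg_{k_{AB}}, enc_{k_{AB}}(D), enc_{pk_B}(k_{AB}), dec_{sk_B}(ENC_{pk_B}(k_{AB})), dec_{k_{AB}}(ENC_{k_{AB}}(D)) \mid D \in \Delta\}$.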

Then we get the following conclusion on the protocol.

Theorem 5.5. The key and message transmission protocol with digital signature in Figure 10

is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A \between B)) = \sum_{D \in \Delta}(r_{C_{AI}}(D) \cdot s_{C_{BO}}(D)) \cdot \tau_I(\partial_H(A \between B))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 10, $\tau_I(\partial_H(A \between B))$, can exhibit the desired external behaviors, and similarly to the protocol in subsection 5.4, this protocol can resist the man-in-the-middle attack.

Figure 11: Key and message broadcast protocol (diagram not reproduced; principals Alice, Bob, Carol and Dave)

5.6 Key and Message Broadcast

The protocol shown in Figure 11 uses digital signatures for secure broadcast communication, that is, Alice, Bob, Carol, and Dave have shared their public keys $pk_A$, $pk_B$, $pk_C$ and $pk_{Da}$, and the public keys are signed by Trent: $SIGN_{sk_T}(A, pk_A)$, $SIGN_{sk_T}(B, pk_B)$, $SIGN_{sk_T}(C, pk_C)$ and $SIGN_{sk_T}(Da, pk_{Da})$. Note that Trent's public key $pk_T$ is well-known. There is no session key exchange process before the message is transferred.

The process of the protocol is as follows, and we only consider the message in one direction:

from Alice to Bob, Carol and Dave.

1. Alice receives some messages $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$), she has $SIGN_{sk_T}(B, pk_B)$, $SIGN_{sk_T}(C, pk_C)$, and $SIGN_{sk_T}(Da, pk_{Da})$, she applies $\text{de-sign}_{pk_T}(SIGN_{sk_T}(B, pk_B))$ and gets $pk_B$, $\text{de-sign}_{pk_T}(SIGN_{sk_T}(C, pk_C))$ and gets $pk_C$, $\text{de-sign}_{pk_T}(SIGN_{sk_T}(Da, pk_{Da}))$ and gets $pk_{Da}$, then generates a session key $k$ through an action $rsg_k$, and she encrypts the message $D$ with $k$ through an action $enc_k(D)$ and encrypts $k$ with Bob's public key $pk_B$ through the action $enc_{pk_B}(k_{AB})$, Carol's public key $pk_C$ through the action $enc_{pk_C}(k)$, Dave's public key $pk_{Da}$ through the action $enc_{pk_{Da}}(k)$, then Alice sends $ENC_{pk_B}(k), ENC_k(D)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{pk_B}(k), ENC_k(D))$), sends $ENC_{pk_C}(k), ENC_k(D)$ to Bob through the channel $C_{AC}$ (the corresponding sending action is denoted $s_{C_{AC}}(ENC_{pk_C}(k), ENC_k(D))$), sends $ENC_{pk_{Da}}(k), ENC_k(D)$ to Bob through the channel $C_{AD}$ (the corresponding sending action is denoted $s_{C_{AD}}(ENC_{pk_{Da}}(k), ENC_k(D))$);

2. Bob receives the message $ENC_{pk_B}(k), ENC_k(D)$ through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(ENC_{pk_B}(k), ENC_k(D))$), after a decryption processing $dec_{sk_B}(ENC_{pk_B}(k))$ to get the key $k$ and a decryption processing $dec_k(ENC_k(D))$ to get $D$, he sends $D$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(D)$);

3. Carol receives the message $ENC_{pk_C}(k), ENC_k(D)$ through the channel $C_{AC}$ (the corresponding reading action is denoted $r_{C_{AC}}(ENC_{pk_C}(k), ENC_k(D))$), after a decryption processing $dec_{sk_C}(ENC_{pk_C}(k))$ to get the message $k$ and a decryption processing $dec_k(ENC_k(D))$ to get $D$, he sends $D$ to the outside through the channel $C_{CO}$ (the corresponding sending action is denoted $s_{C_{CO}}(D)$);

4. Dave receives the message $ENC_{pk_{Da}}(k), ENC_k(D)$ through the channel $C_{AD}$ (the corresponding reading action is denoted $r_{C_{AD}}(ENC_{pk_{Da}}(k), ENC_k(D))$), after a decryption processing $dec_{sk_{Da}}(ENC_{pk_{Da}}(k))$ to get the message $k$ and a decryption processing $dec_k(ENC_k(D))$ to get $D$, he sends $D$ to the outside through the channel $C_{DO}$ (the corresponding sending action is denoted $s_{C_{DO}}(D)$).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

$A = \sum_{D \in \Delta} r_{C_{AI}}(D) \cdot A_2$

$A_2 = (\text{de-sign}_{pk_T}(SIGN_{sk_T}(B, pk_B)) \parallel \text{de-sign}_{pk_T}(SIGN_{sk_T}(C, pk_C)) \parallel \text{de-sign}_{pk_T}(SIGN_{sk_T}(D, pk_D))) \cdot A_3$

$A_3 = rsg_k \cdot A_4$

$A_4 = enc_k(D) \cdot A_5$

$A_5 = (enc_{pk_B}(k) \parallel enc_{pk_C}(k) \parallel enc_{pk_D}(k)) \cdot A_6$

$A_6 = (s_{C_{AB}}(ENC_{pk_B}(k), ENC_k(D)) \parallel s_{C_{AC}}(ENC_{pk_C}(k), ENC_k(D)) \parallel s_{C_{AD}}(ENC_{pk_D}(k), ENC_k(D))) \cdot A$

Bob's state transitions described by APTCG are as follows.

$B = r_{C_{AB}}(ENC_{pk_B}(k), ENC_k(D)) \cdot B_2$

$B_2 = dec_{sk_B}(ENC_{pk_B}(k)) \cdot B_3$

$B_3 = dec_k(ENC_k(D)) \cdot B_4$

$B_4 = s_{C_{BO}}(D) \cdot B$

Carol's state transitions described by APTCG are as follows.

$C = r_{C_{AC}}(ENC_{pk_C}(k), ENC_k(D)) \cdot C_2$

$C_2 = dec_{sk_C}(ENC_{pk_C}(k)) \cdot C_3$

$C_3 = dec_k(ENC_k(D)) \cdot C_4$

$C_4 = s_{C_{CO}}(D) \cdot C$

Dave's state transitions described by APTCG are as follows.

$Da = r_{C_{AD}}(ENC_{pk_{Da}}(k), ENC_k(D)) \cdot Da_2$

$Da_2 = dec_{sk_{Da}}(ENC_{pk_{Da}}(k)) \cdot Da_3$

$Da_3 = dec_k(ENC_k(D)) \cdot Da_4$

$Da_4 = s_{C_{DO}}(D) \cdot Da$

A sending action and a reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AB}}(ENC_{pk_B}(k), ENC_k(D)), s_{C_{AB}}(ENC_{pk_B}(k), ENC_k(D))) \triangleq c_{C_{AB}}(ENC_{pk_B}(k), ENC_k(D))$

$\gamma(r_{C_{AC}}(ENC_{pk_C}(k), ENC_k(D)), s_{C_{AC}}(ENC_{pk_C}(k), ENC_k(D))) \triangleq c_{C_{AC}}(ENC_{pk_C}(k), ENC_k(D))$

$\gamma(r_{C_{AD}}(ENC_{pk_{Da}}(k), ENC_k(D)), s_{C_{AD}}(ENC_{pk_{Da}}(k), ENC_k(D))) \triangleq c_{C_{AD}}(ENC_{pk_{Da}}(k), ENC_k(D))$

Let all modules be in parallel, then the protocol $A \between B \between C \between Da$ can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A \between B \between C \between Da))) = \tau_I(\partial_H(A \between B \between C \between Da))$

where $H = \{r_{C_{AB}}(ENC_{pk_B}(k), ENC_k(D)), s_{C_{AB}}(ENC_{pk_B}(k), ENC_k(D)), r_{C_{AC}}(ENC_{pk_C}(k), ENC_k(D)), s_{C_{AC}}(ENC_{pk_C}(k), ENC_k(D)), r_{C_{AD}}(ENC_{pk_{Da}}(k), ENC_k(D)), s_{C_{AD}}(ENC_{pk_{Da}}(k), ENC_k(D)) \mid D \in \Delta\}$,

$I = \{c_{C_{AB}}(ENC_{pk_B}(k), ENC_k(D)), c_{C_{AC}}(ENC_{pk_C}(k), ENC_k(D)), c_{C_{AD}}(ENC_{pk_{Da}}(k), ENC_k(D)), \text{de-sign}_{pk_T}(SIGN_{sk_T}(C, pk_C)), \text{de-sign}_{pk_T}(SIGN_{sk_T}(Da, pk_{Da})), \text{de-sign}_{pk_T}(SIGN_{sk_T}(B, pk_B)), rsg_k, enc_k(D), enc_{pk_B}(k), enc_{pk_C}(k), enc_{pk_{Da}}(k), dec_k(ENC_k(D)), dec_{sk_B}(ENC_{pk_B}(k)), dec_{sk_C}(ENC_{pk_C}(k)), dec_{sk_{Da}}(ENC_{pk_{Da}}(k)) \mid D \in \Delta\}$.

Then we get the following conclusion on the protocol.

Theorem 5.6. The key and message broadcast protocol with digital signature in Figure 11 is

secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A \between B \between C \between Da)) = \sum_{D \in \Delta}(r_{C_{AI}}(D) \cdot (s_{C_{BO}}(D) \parallel s_{C_{CO}}(D) \parallel s_{C_{DO}}(D))) \cdot \tau_I(\partial_H(A \between B \between C \between Da))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 11, $\tau_I(\partial_H(A \between B \between C \between Da))$, can exhibit the desired external behaviors, and similarly to the protocol in subsection 5.4, this protocol can resist the man-in-the-middle attack.

Figure 12: Mutual authentication using the interlock protocol with man-in-the-middle attack (diagram not reproduced; principals Alice, Bob and Mallory)

6 Analyses of Authentication Protocols

An authentication protocol is used to verify a principal's identity, including verification of one principal's identity and mutual verification of the identities of two or more principals. We omit some quite simple authentication protocols, including authentication using one-way functions, etc. We will analyze mutual authentication using the interlock protocol against the man-in-the-middle attack in section 6.1, and SKID in section 6.2.

6.1 Mutual Authentication Using the Interlock Protocol

The mutual authentication using the interlock protocol shown in Figure 12 also uses public keys for secure communication under a man-in-the-middle attack, that is, Alice and Bob have already shared their public keys $pk_A$ and $pk_B$. The interlock protocol can resist the man-in-the-middle attack, that is, Alice and Bob can become aware of the existence of the man in the middle.

The process of the mutual authentication using the interlock protocol with the man-in-the-middle attack is as follows; we assume that Alice has "Bob's" public key $pk_M$, Bob has "Alice's" public key $pk_M$, and Mallory has Alice's public key $pk_A$ and Bob's public key $pk_B$.

1. Alice receives some password $P_A$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(P_A)$), she encrypts the password $P_A$ with Mallory's public key $pk_M$ through the action $enc_{pk_M}(P_A)$, then Alice sends the half of $ENC_{pk_M}(P_A)$ to Mallory through the channel $C_{AM}$ (the corresponding sending action is denoted $s_{C_{AM}}(ENC_{pk_M}(P_A)/2)$);

2. Mallory receives $ENC_{pk_M}(P_A)/2$ from Alice through the channel $C_{AM}$ (the corresponding reading action is denoted $r_{C_{AM}}(ENC_{pk_M}(P_A)/2)$), he cannot decrypt the password with his private key $sk_M$, and has to make another password $P'_A$ and encrypt $P'_A$ with Bob's public key $pk_B$ through the action $enc_{pk_B}(P'_A)$, and sends the half of $ENC_{pk_B}(P'_A)$ to Bob through the channel $C_{MB}$ (the corresponding sending action is denoted $s_{C_{MB}}(ENC_{pk_B}(P'_A)/2)$);

3. Bob receives the password $ENC_{pk_B}(P'_A)/2$ through the channel $C_{MB}$ (the corresponding reading action is denoted $r_{C_{MB}}(ENC_{pk_B}(P'_A)/2)$), and receives some password $P_B$ from the outside through the channel $C_{BI}$ (the corresponding reading action is denoted $r_{BI}(P_B)$), after an encryption processing $enc_{pk_M}(P_B)$ to get the password $ENC_{pk_M}(P_B)$, he sends the half of $ENC_{pk_M}(P_B)$ to Mallory through the channel $C_{BM}$ (the corresponding sending action is denoted $s_{C_{BM}}(ENC_{pk_M}(P_B)/2)$);

4. Mallory receives $ENC_{pk_M}(P_B)/2$ from Bob through the channel $C_{BM}$ (the corresponding reading action is denoted $r_{C_{BM}}(ENC_{pk_M}(P_B)/2)$), he cannot decrypt the password with his private key $sk_M$, and has to make another password $P'_B$ and encrypt $P'_B$ with Alice's public key $pk_A$ through the action $enc_{pk_A}(P'_B)$, and sends the half of $ENC_{pk_A}(P'_B)$ to Alice through the channel $C_{MA}$ (the corresponding sending action is denoted $s_{C_{MA}}(ENC_{pk_A}(P'_B)/2)$);

5. Alice receives the password $ENC_{pk_A}(P'_B)/2$ through the channel $C_{MA}$ (the corresponding reading action is denoted $r_{C_{MA}}(ENC_{pk_A}(P'_B)/2)$), and sends the other half of $ENC_{pk_M}(P_A)$ to Mallory through the channel $C_{AM}$ (the corresponding sending action is denoted $s_{C_{AM}}(ENC_{pk_M}(P_A)/2)$);

6. Mallory receives $ENC_{pk_M}(P_A)/2$ from Alice through the channel $C_{AM}$ (the corresponding reading action is denoted $r_{C_{AM}}(ENC_{pk_M}(P_A)/2)$), he can combine the two halves of $ENC_{pk_M}(P_A)/2$ and decrypt the password with his private key $sk_M$, but he has to send the other half of $ENC_{pk_B}(P'_A)$ to Bob through the channel $C_{MB}$ (the corresponding sending action is denoted $s_{C_{MB}}(ENC_{pk_B}(P'_A)/2)$);

7. Bob receives the password $ENC_{pk_B}(P'_A)/2$ through the channel $C_{MB}$ (the corresponding reading action is denoted $r_{C_{MB}}(ENC_{pk_B}(P'_A)/2)$), after a combination of the two halves of $ENC_{pk_B}(P'_A)$ and a decryption processing $dec_{sk_B}(ENC_{pk_B}(P'_A))$ to get the password $P'_A$, he sends it to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(P'_A)$). Then he sends the other half of $ENC_{pk_M}(P_B)$ to Mallory through the channel $C_{BM}$ (the corresponding sending action is denoted $s_{C_{BM}}(ENC_{pk_M}(P_B)/2)$);

8. Mallory receives $ENC_{pk_M}(P_B)/2$ from Bob through the channel $C_{BM}$ (the corresponding reading action is denoted $r_{C_{BM}}(ENC_{pk_M}(P_B)/2)$), he can combine the two halves of $ENC_{pk_M}(P_B)/2$ and decrypt the password with his private key $sk_M$, but he has to send the other half of $ENC_{pk_A}(P'_B)$ to Alice through the channel $C_{MA}$ (the corresponding sending action is denoted $s_{C_{MA}}(ENC_{pk_A}(P'_B)/2)$);

9. Alice receives the password $ENC_{pk_A}(P'_B)/2$ through the channel $C_{MA}$ (the corresponding reading action is denoted $r_{C_{MA}}(ENC_{pk_A}(P'_B)/2)$), after a combination of the two halves of $ENC_{pk_A}(P'_B)$ and a decryption processing $dec_{sk_A}(ENC_{pk_A}(P'_B))$ to get the password $P'_B$, she sends it to the outside through the channel $C_{AO}$ (the corresponding sending action is denoted $s_{C_{AO}}(P'_B)$).

Where $P_A, P_B, P'_A, P'_B \in \Delta$, $\Delta$ is the set of data.


Alice’s state transitions described by APTCG are as follows.

$A = \sum_{P_A \in \Delta} r_{C_{AI}}(P_A) \cdot A_2$

$A_2 = enc_{pk_M}(P_A) \cdot A_3$

$A_3 = s_{C_{AM}}(ENC_{pk_M}(P_A)/2) \cdot A_4$

$A_4 = r_{C_{MA}}(ENC_{pk_A}(P'_B)/2) \cdot A_5$

$A_5 = s_{C_{AM}}(ENC_{pk_M}(P_A)/2) \cdot A_6$

$A_6 = r_{C_{MA}}(ENC_{pk_A}(P'_B)/2) \cdot A_7$

$A_7 = dec_{sk_A}(ENC_{pk_A}(P'_B)) \cdot A_8$

$A_8 = s_{C_{AO}}(P'_B) \cdot A$

Bob's state transitions described by APTCG are as follows.

$B = r_{C_{MB}}(ENC_{pk_B}(P'_A)/2) \cdot B_2$

$B_2 = \sum_{P_B \in \Delta} r_{BI}(P_B) \cdot B_3$

$B_3 = enc_{pk_M}(P_B) \cdot B_4$

$B_4 = s_{C_{BM}}(ENC_{pk_M}(P_B)/2) \cdot B_5$

$B_5 = r_{C_{MB}}(ENC_{pk_B}(P'_A)/2) \cdot B_6$

$B_6 = dec_{sk_B}(ENC_{pk_B}(P'_A)) \cdot B_7$

$B_7 = s_{C_{BO}}(P'_A) \cdot B_8$

$B_8 = s_{C_{BM}}(ENC_{pk_M}(P_B)/2) \cdot B$

Mallory's state transitions described by APTCG are as follows.

$Ma = r_{C_{AM}}(ENC_{pk_M}(P_A)/2) \cdot Ma_2$

$Ma_2 = enc_{pk_B}(P'_A) \cdot Ma_3$

$Ma_3 = s_{C_{MB}}(ENC_{pk_B}(P'_A)/2) \cdot Ma_4$

$Ma_4 = r_{C_{BM}}(ENC_{pk_M}(P_B)/2) \cdot Ma_5$

$Ma_5 = enc_{pk_A}(P'_B) \cdot Ma_6$

$Ma_6 = s_{C_{MA}}(ENC_{pk_A}(P'_B)/2) \cdot Ma_7$

$Ma_7 = r_{C_{AM}}(ENC_{pk_M}(P_A)/2) \cdot Ma_8$

$Ma_8 = s_{C_{MB}}(ENC_{pk_B}(P'_A)/2) \cdot Ma_9$

$Ma_9 = r_{C_{BM}}(ENC_{pk_M}(P_B)/2) \cdot Ma_{10}$

$Ma_{10} = s_{C_{MA}}(ENC_{pk_A}(P'_B)/2) \cdot Ma$

A sending action and a reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AM}}(ENC_{pk_M}(P_A)/2), s_{C_{AM}}(ENC_{pk_M}(P_A)/2)) \triangleq c_{C_{AM}}(ENC_{pk_M}(P_A)/2)$

$\gamma(r_{C_{MB}}(ENC_{pk_B}(P'_A)/2), s_{C_{MB}}(ENC_{pk_B}(P'_A)/2)) \triangleq c_{C_{MB}}(ENC_{pk_B}(P'_A)/2)$

$\gamma(r_{C_{BM}}(ENC_{pk_M}(P_B)/2), s_{C_{BM}}(ENC_{pk_M}(P_B)/2)) \triangleq c_{C_{BM}}(ENC_{pk_M}(P_B)/2)$

$\gamma(r_{C_{MA}}(ENC_{pk_A}(P'_B)/2), s_{C_{MA}}(ENC_{pk_A}(P'_B)/2)) \triangleq c_{C_{MA}}(ENC_{pk_A}(P'_B)/2)$

$\gamma(r_{C_{AM}}(ENC_{pk_M}(P_A)/2), s_{C_{AM}}(ENC_{pk_M}(P_A)/2)) \triangleq c_{C_{AM}}(ENC_{pk_M}(P_A)/2)$

$\gamma(r_{C_{MB}}(ENC_{pk_B}(P'_A)/2), s_{C_{MB}}(ENC_{pk_B}(P'_A)/2)) \triangleq c_{C_{MB}}(ENC_{pk_B}(P'_A)/2)$

$\gamma(r_{C_{BM}}(ENC_{pk_M}(P_B)/2), s_{C_{BM}}(ENC_{pk_M}(P_B)/2)) \triangleq c_{C_{BM}}(ENC_{pk_M}(P_B)/2)$

$\gamma(r_{C_{MA}}(ENC_{pk_A}(P'_B)/2), s_{C_{MA}}(ENC_{pk_A}(P'_B)/2)) \triangleq c_{C_{MA}}(ENC_{pk_A}(P'_B)/2)$

Let all modules be in parallel, then the protocol $A \between B \between Ma$ can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A \between B \between Ma))) = \tau_I(\partial_H(A \between B \between Ma))$

where $H = \{r_{C_{AM}}(ENC_{pk_M}(P_A)/2), s_{C_{AM}}(ENC_{pk_M}(P_A)/2), r_{C_{MB}}(ENC_{pk_B}(P'_A)/2), s_{C_{MB}}(ENC_{pk_B}(P'_A)/2), r_{C_{BM}}(ENC_{pk_M}(P_B)/2), s_{C_{BM}}(ENC_{pk_M}(P_B)/2), r_{C_{MA}}(ENC_{pk_A}(P'_B)/2), s_{C_{MA}}(ENC_{pk_A}(P'_B)/2), r_{C_{AM}}(ENC_{pk_M}(P_A)/2), s_{C_{AM}}(ENC_{pk_M}(P_A)/2), r_{C_{MB}}(ENC_{pk_B}(P'_A)/2), s_{C_{MB}}(ENC_{pk_B}(P'_A)/2), r_{C_{BM}}(ENC_{pk_M}(P_B)/2), s_{C_{BM}}(ENC_{pk_M}(P_B)/2), r_{C_{MA}}(ENC_{pk_A}(P'_B)/2), s_{C_{MA}}(ENC_{pk_A}(P'_B)/2) \mid P_A, P_B, P'_A, P'_B \in \Delta\}$,

$I = \{c_{C_{AM}}(ENC_{pk_M}(P_A)/2), c_{C_{MB}}(ENC_{pk_B}(P'_A)/2), c_{C_{BM}}(ENC_{pk_M}(P_B)/2), c_{C_{MA}}(ENC_{pk_A}(P'_B)/2), c_{C_{AM}}(ENC_{pk_M}(P_A)/2), c_{C_{MB}}(ENC_{pk_B}(P'_A)/2), c_{C_{BM}}(ENC_{pk_M}(P_B)/2), c_{C_{MA}}(ENC_{pk_A}(P'_B)/2), enc_{pk_M}(P_A), dec_{sk_A}(ENC_{pk_A}(P'_B)), enc_{pk_M}(P_B), dec_{sk_B}(ENC_{pk_B}(P'_A)), enc_{pk_B}(P'_A), enc_{pk_A}(P'_B) \mid P_A, P_B, P'_A, P'_B \in \Delta\}$.

Then we get the following conclusion on the protocol.

Theorem 6.1. The mutual authentication using the interlock protocol in Figure 12 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A \between B \between Ma)) = \sum_{P_A, P_B, P'_A, P'_B \in \Delta}(r_{C_{AI}}(P_A) \cdot r_{C_{BI}}(P_B) \cdot s_{C_{BO}}(P'_A) \cdot s_{C_{AO}}(P'_B)) \cdot \tau_I(\partial_H(A \between B \between Ma))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the mutual authentication using the interlock protocol in Figure 12, $\tau_I(\partial_H(A \between B \between Ma))$, can exhibit the desired external behaviors, that is, Alice and Bob can become aware of the existence of the man in the middle.

6.2 SKID

The SKID protocol shown in Figure 13 uses symmetric cryptography to authenticate each other,

that is, Alice, Bob have shared their key kAB.

The process of the protocol is as follows, and we only consider the message in one direction:

from Alice to Bob.

1. Alice receives some messages $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$), she generates a random number $R_A$ through an action $rsg_{R_A}$, she sends $R_A$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(R_A)$);

Figure 13: SKID protocol (diagram not reproduced; principals Alice and Bob)

2. Bob receives the number $R_A$ through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(R_A)$), he generates a random number $R_B$ through an action $rsg_{R_B}$, and generates a MAC (Message Authentication Code) through an action $mac_{k_{AB}}(R_A, R_B, B)$, then he sends $B, R_B, MAC_{k_{AB}}(R_A, R_B, B)$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(B, R_B, MAC_{k_{AB}}(R_A, R_B, B))$);

3. Alice receives $d_B, d_{R_B}, d_{MAC_{k_{AB}}(R_A, R_B, B)}$ from Bob through the channel $C_{BA}$ (the corresponding reading action is denoted $r_{C_{BA}}(d_B, d_{R_B}, d_{MAC_{k_{AB}}(R_A, R_B, B)})$), she generates a MAC through an action $mac_{k_{AB}}(R_A, d_{R_B}, d_B)$, if $MAC_{k_{AB}}(R_A, d_{R_B}, d_B) = d_{MAC_{k_{AB}}(R_A, R_B, B)}$, she generates a MAC through an action $mac_{k_{AB}}(R_B, A)$ and encrypts $D$ by $k_{AB}$ through an action $enc_{k_{AB}}(D)$, then she sends $A, MAC_{k_{AB}}(R_B, A), ENC_{k_{AB}}(D)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(A, MAC_{k_{AB}}(R_B, A), ENC_{k_{AB}}(D))$);

4. Bob receives the data $d_A, d_{MAC_{k_{AB}}(R_B, A)}, ENC_{k_{AB}}(D)$ from Alice through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(d_A, d_{MAC_{k_{AB}}(R_B, A)}, ENC_{k_{AB}}(D))$), he generates a MAC through an action $mac_{k_{AB}}(R_B, d_A)$, if $MAC_{k_{AB}}(R_B, d_A) = d_{MAC_{k_{AB}}(R_B, A)}$, he decrypts $ENC_{k_{AB}}(D)$ by $k_{AB}$ through an action $dec_{k_{AB}}(ENC_{k_{AB}}(D))$ to get $D$, then he sends $D$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(D)$).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

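$A = \sum_{D \in \Delta} r_{C_{AI}}(D) \cdot A_2$

$A_2 = rsg_{R_A} \cdot A_3$

$A_3 = s_{C_{AB}}(R_A) \cdot A_4$

$A_4 = r_{C_{BA}}(d_B, d_{R_B}, d_{MAC_{k_{AB}}(R_A, R_B, B)}) \cdot A_5$

$A_5 = mac_{k_{AB}}(R_A, d_{R_B}, d_B) \cdot A_6$

$A_6 = \{MAC_{k_{AB}}(R_A, d_{R_B}, d_B) = d_{MAC_{k_{AB}}(R_A, R_B, B)}\} \cdot mac_{k_{AB}}(R_B, A) \cdot enc_{k_{AB}}(D) \cdot s_{C_{AB}}(A, MAC_{k_{AB}}(R_B, A), ENC_{k_{AB}}(D)) \cdot A$

Bob's state transitions described by APTCG are as follows.

$B = r_{C_{AB}}(R_A) \cdot B_2$

$B_2 = rsg_{R_B} \cdot B_3$

$B_3 = mac_{k_{AB}}(R_A, R_B, B) \cdot B_4$

$B_4 = s_{C_{BA}}(B, R_B, MAC_{k_{AB}}(R_A, R_B, B)) \cdot B_5$

$B_5 = r_{C_{AB}}(d_A, d_{MAC_{k_{AB}}(R_B, A)}, ENC_{k_{AB}}(D)) \cdot B_6$

$B_6 = mac_{k_{AB}}(R_B, d_A) \cdot B_7$

$B_7 = \{MAC_{k_{AB}}(R_B, d_A) = d_{MAC_{k_{AB}}(R_B, A)}\} \cdot dec_{k_{AB}}(ENC_{k_{AB}}(D)) \cdot s_{C_{BO}}(D) \cdot B$

A sending action and a reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

$\gamma(r_{C_{AB}}(R_A), s_{C_{AB}}(R_A)) \triangleq c_{C_{AB}}(R_A)$

$\gamma(r_{C_{BA}}(B, R_B, MAC_{k_{AB}}(R_A, R_B, B)), s_{C_{BA}}(B, R_B, MAC_{k_{AB}}(R_A, R_B, B))) \triangleq c_{C_{BA}}(B, R_B, MAC_{k_{AB}}(R_A, R_B, B))$

$\gamma(r_{C_{AB}}(d_A, d_{MAC_{k_{AB}}(R_B, A)}, ENC_{k_{AB}}(D)), s_{C_{AB}}(d_A, d_{MAC_{k_{AB}}(R_B, A)}, ENC_{k_{AB}}(D))) \triangleq c_{C_{AB}}(d_A, d_{MAC_{k_{AB}}(R_B, A)}, ENC_{k_{AB}}(D))$

Let all modules be in parallel, then the protocol $A \between B$ can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A \between B))) = \tau_I(\partial_H(A \between B))$

where $H = \{r_{C_{AB}}(R_A), s_{C_{AB}}(R_A), r_{C_{BA}}(B, R_B, MAC_{k_{AB}}(R_A, R_B, B)), s_{C_{BA}}(B, R_B, MAC_{k_{AB}}(R_A, R_B, B)), r_{C_{AB}}(d_A, d_{MAC_{k_{AB}}(R_B, A)}, ENC_{k_{AB}}(D)), s_{C_{AB}}(d_A, d_{MAC_{k_{AB}}(R_B, A)}, ENC_{k_{AB}}(D)) \mid D \in \Delta\}$,

$I = \{c_{C_{AB}}(R_A), c_{C_{BA}}(B, R_B, MAC_{k_{AB}}(R_A, R_B, B)), c_{C_{AB}}(d_A, d_{MAC_{k_{AB}}(R_B, A)}, ENC_{k_{AB}}(D)), rsg_{R_A}, mac_{k_{AB}}(R_A, d_{R_B}, d_B), \{MAC_{k_{AB}}(R_A, d_{R_B}, d_B) = d_{MAC_{k_{AB}}(R_A, R_B, B)}\}, mac_{k_{AB}}(R_B, A), enc_{k_{AB}}(D), rsg_{R_B}, mac_{k_{AB}}(R_A, R_B, B), mac_{k_{AB}}(R_B, d_A), \{MAC_{k_{AB}}(R_B, d_A) = d_{MAC_{k_{AB}}(R_B, A)}\}, dec_{k_{AB}}(ENC_{k_{AB}}(D)) \mid D \in \Delta\}$.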

Then we get the following conclusion on the protocol.

Theorem 6.2. The key and message transmission protocol with digital signature in Figure 13

is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

$\tau_I(\partial_H(A \between B)) = \sum_{D \in \Delta}(r_{C_{AI}}(D) \cdot s_{C_{BO}}(D)) \cdot \tau_I(\partial_H(A \between B))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 13, $\tau_I(\partial_H(A \between B))$, can exhibit the desired external behaviors, and similarly to the protocol in subsection 5.4, without leaking $k_{AB}$, this protocol can resist the man-in-the-middle attack.
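The two MAC comparisons in steps 3 and 4 are the whole authentication check in SKID. The Python below is an added example, not code from the paper: it instantiates MAC_kAB with HMAC-SHA256 over length-prefixed fields (both assumptions), leaves out the ENC_kAB(D) payload because the checks do not depend on it, and shows a responder without kAB and a replayed reply both failing Alice's guard.

```python
import hashlib
import hmac
import secrets

def encode(*fields):
    """Length-prefix every field so (RA, RB, B) cannot be re-split differently."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def mac(key, *fields):
    """MAC_kAB(...) instantiated with HMAC-SHA256 (an assumption of this example)."""
    return hmac.new(key, encode(*fields), hashlib.sha256).digest()

class Bob:
    name = b"B"

    def __init__(self, k_ab):
        self.k = k_ab

    def respond(self, r_a):                       # step 2: B, RB, MAC(RA, RB, B)
        self.r_b = secrets.token_bytes(16)
        return self.name, self.r_b, mac(self.k, r_a, self.r_b, self.name)

    def accept(self, d_a, d_mac):                 # guard of step 4
        return hmac.compare_digest(mac(self.k, self.r_b, d_a), d_mac)

class Alice:
    name = b"A"

    def __init__(self, k_ab):
        self.k = k_ab

    def challenge(self):                          # step 1: fresh RA
        self.r_a = secrets.token_bytes(16)
        return self.r_a

    def answer(self, d_b, d_rb, d_mac):           # guard of step 3
        if not hmac.compare_digest(mac(self.k, self.r_a, d_rb, d_b), d_mac):
            return None                           # guard fails: nothing is sent
        return self.name, mac(self.k, d_rb, self.name)

def run_skid(k_alice, k_bob, replayed_reply=None):
    """Return (Alice accepts Bob, Bob accepts Alice) for one session."""
    alice, bob = Alice(k_alice), Bob(k_bob)
    r_a = alice.challenge()
    reply = bob.respond(r_a)
    answer = alice.answer(*(replayed_reply or reply))
    if answer is None:
        return (False, False)
    return (True, bob.accept(*answer))

if __name__ == "__main__":
    k = secrets.token_bytes(32)                   # constructed shared key kAB
    print("honest run:        ", run_skid(k, k))
    print("responder w/o kAB: ", run_skid(k, secrets.token_bytes(32)))
    old = Bob(k).respond(secrets.token_bytes(16)) # reply bound to an earlier RA
    print("replayed reply:    ", run_skid(k, k, replayed_reply=old))
```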

Figure 14: Wide-Mouth Frog protocol (diagram not reproduced; principals Alice, Bob and Trent)

7 Analyses of Practical Protocols

In this chapter, we introduce analyses of some practical authentication and key exchange protocols. A perfectly practical security protocol should resist any kind of attack. There are many kinds of attacks and it is difficult to model all known attacks; for simplicity, we only analyze the protocols under several main kinds of attacks.

We introduce analyses of Wide-Mouth Frog protocol in section 7.1, Yahalom protocol in section

7.2, Needham-Schroeder protocol in section 7.3, Otway-Rees protocol in section 7.4, Kerberos

protocol in section 7.5, Neuman-Stubblebine protocol in section 7.6, Denning-Sacco protocol in

section 7.7, DASS protocol in section 7.8 and Woo-Lam protocol in section 7.9.

7.1 Wide-Mouth Frog Protocol

The Wide-Mouth Frog protocol shown in Figure 14 uses symmetric keys for secure communication, that is, the key $k_{AB}$ between Alice and Bob is privately shared between Alice and Bob, and Alice and Bob already share the keys $k_{AT}$ and $k_{BT}$ with Trent.

The process of the protocol is as follows.

1. Alice receives some messages $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$), if $k_{AB}$ is not established, she generates a random session key $k_{AB}$ through an action $rsg_{k_{AB}}$, encrypts the key request message $T_A, B, k_{AB}$ with $k_{AT}$ through an action $enc_{k_{AT}}(T_A, B, k_{AB})$ where $T_A$ is Alice's time stamp, and sends $A, ENC_{k_{AT}}(T_A, B, k_{AB})$ to Trent through the channel $C_{AT}$ (the corresponding sending action is denoted $s_{C_{AT}}(A, ENC_{k_{AT}}(T_A, B, k_{AB}))$);

2. Trent receives the message $A, ENC_{k_{AT}}(T_A, B, k_{AB})$ through the channel $C_{AT}$ (the corresponding reading action is denoted $r_{C_{AT}}(A, ENC_{k_{AT}}(T_A, B, k_{AB}))$), he decrypts the message through an action $dec_{k_{AT}}(ENC_{k_{AT}}(T_A, B, k_{AB}))$. If $isFresh(T_A) = TRUE$, where $isFresh$ is a function deciding whether a time stamp is fresh, he encrypts $T_B, A, K_{AB}$ with $k_{BT}$ through an action $enc_{k_{BT}}(T_B, A, K_{AB})$, sends $\top$ to Alice through the channel $C_{TA}$ (the corresponding sending action is denoted $s_{C_{TA}}(\top)$) and $ENC_{k_{BT}}(T_B, A, K_{AB})$ to Bob through the channel $C_{TB}$ (the corresponding sending action is denoted $s_{C_{TB}}(ENC_{k_{BT}}(T_B, A, K_{AB}))$); else if $isFresh(T_A) = FALSE$, he sends $\bot$ to Alice and Bob (the corresponding sending actions are denoted $s_{C_{TA}}(\bot)$ and $s_{C_{TB}}(\bot)$ respectively);

3. Bob receives $d_{TB}$ from Trent through the channel $C_{TB}$ (the corresponding reading action is denoted $r_{C_{TB}}(d_{TB})$). If $d_{TB} = \bot$, he sends $\bot$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(\bot)$); if $d_{TB} \neq \bot$, he decrypts $ENC_{k_{BT}}(T_B, A, K_{AB})$ through an action $dec_{k_{BT}}(ENC_{k_{BT}}(T_B, A, K_{AB}))$. If $isFresh(T_B) = TRUE$, he gets $k_{AB}$, and sends $\top$ to Alice (the corresponding sending action is denoted $s_{C_{BA}}(\top)$); if $isFresh(T_B) = FALSE$, he sends $\bot$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(\bot)$);

4. Alice receives $d_{TA}$ from Trent through the channel $C_{TA}$ (the corresponding reading action is denoted $r_{C_{TA}}(d_{TA})$), receives $d_{BA}$ from Bob through the channel $C_{BA}$ (the corresponding reading action is denoted $r_{C_{BA}}(d_{BA})$). If $d_{TA} = \top \cdot d_{BA} = \top$, after an encryption processing $enc_{k_{AB}}(T_{A_D}, D)$, Alice sends $ENC_{k_{AB}}(T_{A_D}, D)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(T_{A_D}, ENC_{k_{AB}}(D))$); else if $d_{TA} = \bot + d_{BA} = \bot$, Alice sends $\bot$ to the outside through the channel $C_{AO}$ (the corresponding sending action is denoted $s_{C_{AO}}(\bot)$);

5. Bob receives the message $ENC_{k_{AB}}(T_{A_D}, D)$ through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(T_{A_D}, ENC_{k_{AB}}(D))$), after a decryption processing $dec_{k_{AB}}(ENC_{k_{AB}}(T_{A_D}, D))$, if $isFresh(T_{A_D}) = TRUE$, he sends $D$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(D)$), if $isFresh(T_{A_D}) = FALSE$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑D∈∆ rCAI (D) ⋅A2

A2 = {kAB = NULL} ⋅ rsgkAB ⋅A3 + {kAB ≠ NULL} ⋅A7

A3 = enckAT (TA,B, kAB) ⋅A4

A4 = sCAT (A,ENCkAT (TA,B, kAB)) ⋅A5

A5 = (rCTA(dTA) ∥ rCBA(dBA)) ⋅A6

A6 = {dTA = ⊺ ⋅ dBA = ⊺} ⋅A7 + {dTA = ⊥ + dBA = ⊥} ⋅A9

A7 = enckAB(TAD ,D) ⋅A8

A8 = sCAB(TAD ,ENCkAB(D)) ⋅A

A9 = sCAO(⊥) ⋅A

Bob’s state transitions described by APTCG are as follows.

B = {kAB = NULL} ⋅B1 + {kAB ≠ NULL} ⋅B5

B1 = rCTB(dTB) ⋅B2

B2 = {dTB ≠ ⊥} ⋅B3 + {dTB = ⊥} ⋅ sCBA(⊥) ⋅B

B3 = deckBT (ENCkBT (TB,A,KAB)) ⋅B4

B4 = {isFresh(TB) = TRUE} ⋅ sCBA(⊺) ⋅B5 + {isFresh(TB) = FALSE} ⋅ sCBA(⊥) ⋅B

B5 = rCAB(TAD ,ENCkAB(D)) ⋅B6

B6 = deckAB(ENCkAB(TAD ,D)) ⋅B7

B7 = {isFresh(TAD) = TRUE} ⋅ sCBO(D) ⋅B + {isFresh(TAD) = FALSE} ⋅ sCBO(⊥) ⋅B

Trent’s state transitions described by APTCG are as follows.

T = rCAT (A,ENCkAT (TA,B, kAB)) ⋅ T2

T2 = deckAT (ENCkAT (TA,B, kAB)) ⋅ T3

T3 = {isFresh(TA) = TRUE} ⋅ enckBT (TB,A,KAB) ⋅ (sCTA(⊺) ∥ sCTB(ENCkBT (TB,A,KAB))) ⋅ T + {isFresh(TA) = FALSE} ⋅ (sCTA(⊥) ∥ sCTB(⊥)) ⋅ T

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

γ(rCAT (A,ENCkAT (TA,B, kAB)), sCAT (A,ENCkAT (TA,B, kAB))) ≜ cCAT (A,ENCkAT (TA,B, kAB))

γ(rCTA(dTA), sCTA(dTA)) ≜ cCTA(dTA)

γ(rCBA(dBA), sCBA(dBA)) ≜ cCBA(dBA)

γ(rCAB(TAD ,ENCkAB(D)), sCAB(TAD ,ENCkAB(D))) ≜ cCAB(TAD ,ENCkAB(D))

γ(rCTB(dTB), sCTB(dTB)) ≜ cCTB(dTB)

Let all modules be in parallel, then the protocol A B T can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ T ))) = τI(∂H(A ≬ B ≬ T ))

where H = {rCAT (A,ENCkAT (TA,B, kAB)), sCAT (A,ENCkAT (TA,B, kAB)), rCTA(dTA), sCTA(dTA), rCBA(dBA), sCBA(dBA), rCAB(TAD ,ENCkAB(D)), sCAB(TAD ,ENCkAB(D)), rCTB(dTB), sCTB(dTB)∣D ∈ ∆},

I = {cCAT (A,ENCkAT (TA,B, kAB)), cCTA(dTA), cCBA(dBA), cCAB(TAD ,ENCkAB(D)), cCTB(dTB), {kAB = NULL}, rsgkAB, {kAB ≠ NULL}, enckAT (TA,B, kAB), {dTA = ⊺ ⋅ dBA = ⊺}, {dTA = ⊥ + dBA = ⊥}, enckAB(TAD ,D), {dTB ≠ ⊥}, {dTB = ⊥}, deckBT (ENCkBT (TB,A,KAB)), {isFresh(TB) = TRUE}, {isFresh(TB) = FALSE}, deckAB(ENCkAB(TAD ,D)), {isFresh(TAD) = TRUE}, {isFresh(TAD) = FALSE}, deckAT (ENCkAT (TA,B, kAB)), {isFresh(TA) = TRUE}, enckBT (TB,A,KAB), {isFresh(TA) = FALSE}∣D ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 7.1. The Wide-Mouth Frog protocol in Figure 14 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws

of APTCG, we can prove that

τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ ((sCAO(⊥) ∥ sCBO(⊥)) + sCBO(D))) ⋅ τI(∂H(A ≬ B ≬ T )).

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the Wide-Mouth Frog protocol in Figure 14, τI(∂H(A ≬ B ≬ T )), can exhibit the desired external behaviors:

1. For information leakage: kAT is privately shared only between Alice and Trent, kBT is privately shared only between Bob and Trent, and kAB is privately shared only among Trent, Alice and Bob. The modeling of confidentiality is similar to that of the protocol in section 4.10.2; the Wide-Mouth Frog protocol is confidential;

2. For the replay attack: the use of the time stamps TA, TB and TAD makes τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ (sCAO(⊥) ∥ sCBO(⊥))) ⋅ τI(∂H(A ≬ B ≬ T )), which is desired;

3. Without a replay attack, the protocol would be τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ sCBO(D)) ⋅ τI(∂H(A ≬ B ≬ T )), which is desired;

4. For the man-in-the-middle attack: kAT is privately shared only between Alice and Trent, kBT is privately shared only between Bob and Trent, and kAB is privately shared only among Trent, Alice and Bob. The modeling of the man-in-the-middle attack is similar to that of the protocol in section 5.4; the Wide-Mouth Frog protocol can resist the man-in-the-middle attack;

5. The unexpected and non-technical leaking of kAT, kBT or kAB, their not being strong enough, or Trent being dishonest are out of the scope of analyses of security protocols;

6. Malicious tampering and transmission errors are out of the scope of analyses of security protocols.

7.2 Yahalom Protocol

The Yahalom protocol shown in Figure 15 uses symmetric keys for secure communication: the key kAB is privately shared between Alice and Bob, and Alice and Bob already share the keys kAT and kBT with Trent, respectively.

Figure 15: Yahalom protocol (diagram: Alice, Bob, Trent; channels CAI, CAB, CBO, CAO, CBA, CBI)

The process of the protocol is as follows.

1. Alice receives some messages D from the outside through the channel CAI (the corresponding reading action is denoted rCAI (D)), if kAB is not established, she generates a random number RA through an action rsgRA, and sends A,RA to Bob through the channel CAB (the corresponding sending action is denoted sCAB(A,RA));

2. Bob receives A,RA from Alice through the channel CAB (the corresponding reading action is denoted rCAB(A,RA)), he generates a random number RB through an action rsgRB, encrypts A,RA,RB by kBT through an action enckBT (A,RA,RB), and sends ENCkBT (A,RA,RB) to Trent through the channel CBT (the corresponding sending action is denoted sCBT (ENCkBT (A,RA,RB)));

3. Trent receives ENCkBT (A,RA,RB) through the channel CBT (the corresponding reading action is denoted rCBT (ENCkBT (A,RA,RB))), he decrypts the message through an action deckBT (ENCkBT (A,RA,RB)), generates a random session key kAB through an action rsgkAB, then he encrypts B,kAB,RA,RB by kAT through an action enckAT (B,kAB,RA,RB), encrypts A,kAB by kBT through an action enckBT (A,kAB), and sends them to Alice through the channel CTA (the corresponding sending action is denoted sCTA(ENCkAT (B,kAB,RA,RB),ENCkBT (A,kAB)));

4. Alice receives the message from Trent through the channel CTA (the corresponding reading action is denoted rCTA(ENCkAT (B,kAB, dRA ,RB),ENCkBT (A,kAB))), she decrypts ENCkAT (B,kAB, dRA ,RB) by kAT through an action deckAT (ENCkAT (B,kAB, dRA ,RB)), if dRA = RA, she encrypts RB,D by kAB through an action enckAB(RB,D), and sends ENCkBT (A,kAB),ENCkAB(RB,D) to Bob through the channel CAB (the corresponding sending action is denoted sCAB(ENCkBT (A,kAB),ENCkAB(RB,D))); else if dRA ≠ RA, she sends ⊥ to Bob through the channel CAB (the corresponding sending action is denoted sCAB(⊥));

5. Bob receives dAB from Alice (the corresponding reading action is denoted rCAB(dAB)), if dAB = ⊥, he sends ⊥ to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥)); else if dAB ≠ ⊥, dAB must be of the form ENCkBT (A,kAB),ENCkAB(dRB ,D) (without considering the malicious tampering and transmission errors), he decrypts ENCkBT (A,kAB) by kBT through an action deckBT (ENCkBT (A,kAB)) to ensure the message is from Alice and get kAB, then he decrypts ENCkAB(dRB ,D) by kAB through an action deckAB(ENCkAB(dRB ,D)), if dRB = RB, he sends D to the outside through the channel CBO (the corresponding sending action is denoted sCBO(D)), else if dRB ≠ RB, he sends ⊥ to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑D∈∆ rCAI (D) ⋅A2

A2 = {kAB = NULL} ⋅ rsgRA ⋅A3 + {kAB ≠ NULL} ⋅A7

A3 = sCAB(A,RA) ⋅A4

A4 = rCTA(ENCkAT (B,kAB, dRA ,RB),ENCkBT (A,kAB)) ⋅A5

A5 = deckAT (ENCkAT (B,kAB, dRA ,RB)) ⋅A6

A6 = {dRA = RA} ⋅A7 + {dRA ≠ RA} ⋅A9

A7 = enckAB(RB,D) ⋅A8

A8 = sCAB(ENCkBT (A,kAB),ENCkAB(RB,D)) ⋅A

A9 = sCAB(⊥) ⋅A

Bob’s state transitions described by APTCG are as follows.

B = {kAB = NULL} ⋅B1 + {kAB ≠ NULL} ⋅B5

B1 = rCAB(A,RA) ⋅B2

B2 = rsgRB ⋅B3

B3 = enckBT (A,RA,RB) ⋅B4

B4 = sCBT (ENCkBT (A,RA,RB)) ⋅B5

B5 = rCAB(dAB) ⋅B6

B6 = {dAB = ⊥} ⋅ sCBO(⊥) ⋅B + {dAB ≠ ⊥} ⋅B7

B7 = deckBT (ENCkBT (A,kAB)) ⋅B8

B8 = deckAB(ENCkAB(dRB ,D)) ⋅B9

B9 = {dRB = RB} ⋅ sCBO(D) ⋅B + {dRB ≠ RB} ⋅ sCBO(⊥) ⋅B

Trent’s state transitions described by APTCG are as follows.

T = rCBT (ENCkBT (A,RA,RB)) ⋅ T2

T2 = deckBT (ENCkBT (A,RA,RB)) ⋅ T3

T3 = rsgkAB ⋅ T4

T4 = enckAT (B,kAB,RA,RB) ⋅ T5

T5 = enckBT (A,kAB) ⋅ T6

T6 = sCTA(ENCkAT (B,kAB,RA,RB),ENCkBT (A,kAB)) ⋅ T

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

γ(rCAB(A,RA), sCAB(A,RA)) ≜ cCAB(A,RA)

γ(rCTA(ENCkAT (B,kAB, dRA ,RB),ENCkBT (A,kAB)), sCTA(ENCkAT (B,kAB, dRA ,RB),ENCkBT (A,kAB))) ≜ cCTA(ENCkAT (B,kAB, dRA ,RB),ENCkBT (A,kAB))

γ(rCBT (ENCkBT (A,RA,RB)), sCBT (ENCkBT (A,RA,RB))) ≜ cCBT (ENCkBT (A,RA,RB))

γ(rCAB(dAB), sCAB(dAB)) ≜ cCAB(dAB)

Let all modules be in parallel, then the protocol A B T can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ T ))) = τI(∂H(A ≬ B ≬ T ))

where H = {rCAB(A,RA), sCAB(A,RA), rCAB(dAB), sCAB(dAB), rCTA(ENCkAT (B,kAB, dRA ,RB),ENCkBT (A,kAB)), sCTA(ENCkAT (B,kAB, dRA ,RB),ENCkBT (A,kAB)), rCBT (ENCkBT (A,RA,RB)), sCBT (ENCkBT (A,RA,RB))∣D ∈ ∆},

I = {cCAB(A,RA), cCTA(ENCkAT (B,kAB, dRA ,RB),ENCkBT (A,kAB)), cCBT (ENCkBT (A,RA,RB)), cCAB(dAB), {kAB = NULL}, rsgRA, {kAB ≠ NULL}, deckAT (ENCkAT (B,kAB, dRA ,RB)), {dRA = RA}, {dRA ≠ RA}, enckAB(RB,D), rsgRB, enckBT (A,RA,RB), {dAB = ⊥}, {dAB ≠ ⊥}, deckBT (ENCkBT (A,kAB)), deckAB(ENCkAB(dRB ,D)), {dRB = RB}, {dRB ≠ RB}, deckBT (ENCkBT (A,RA,RB)), rsgkAB, enckAT (B,kAB,RA,RB), enckBT (A,kAB)∣D ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 7.2. The Yahalom protocol in Figure 15 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws

of APTCG, we can prove that

τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ (sCBO(⊥) + sCBO(D))) ⋅ τI(∂H(A ≬ B ≬ T )).

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the Yahalom protocol in Figure 15, τI(∂H(A ≬ B ≬ T )), can exhibit the desired external behaviors:

1. For information leakage: kAT is privately shared only between Alice and Trent, kBT is privately shared only between Bob and Trent, and kAB is privately shared only among Trent, Alice and Bob. The modeling of confidentiality is similar to that of the protocol in section 4.10.2; the Yahalom protocol is confidential;

2. For the man-in-the-middle attack: because kAT is privately shared only between Alice and Trent, kBT is privately shared only between Bob and Trent, kAB is privately shared only among Trent, Alice and Bob, and because of the use of the random numbers RA and RB, the protocol would be τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ sCBO(⊥)) ⋅ τI(∂H(A ≬ B ≬ T )), which is desired; the Yahalom protocol can resist the man-in-the-middle attack;

3. Without a man-in-the-middle attack, the protocol would be τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ sCBO(D)) ⋅ τI(∂H(A ≬ B ≬ T )), which is desired;

Figure 16: Needham-Schroeder protocol (diagram: Alice, Bob, Trent; channels CAI, CAB, CBO, CAO, CBA, CBI)

4. The unexpected and non-technical leaking of kAT, kBT or kAB, their not being strong enough, or Trent being dishonest are out of the scope of analyses of security protocols;

5. Malicious tampering and transmission errors are out of the scope of analyses of security protocols.
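The five Yahalom steps and the two external outcomes of Theorem 7.2, sCBO(D) and sCBO(⊥), as an added Python sketch that is not part of the paper. Encryption is modeled symbolically (a ciphertext opens only under the key that produced it, with tampering out of scope as the text assumes); the class names, the session function and its replay parameter are assumptions of this example.

```python
import secrets
from dataclasses import dataclass

BOTTOM = "⊥"  # the failure value the text sends on C_AB and C_BO


@dataclass(frozen=True)
class Enc:
    """Symbolic ENC_k(fields): opens only under the key that made it."""
    key: bytes
    fields: tuple


def enc(key, *fields):
    return Enc(key, fields)


def dec(key, ciphertext):
    if not isinstance(ciphertext, Enc) or ciphertext.key != key:
        raise ValueError("not a ciphertext under this key")
    return ciphertext.fields


class Alice:
    def __init__(self, k_at):
        self.k_at = k_at

    def step1(self):
        self.r_a = secrets.token_bytes(8)              # rsg_RA
        return ("A", self.r_a)                         # s_CAB(A, RA)

    def step4(self, from_trent, data):
        for_alice, ticket = from_trent                 # r_CTA(...)
        _b, k_ab, d_ra, r_b = dec(self.k_at, for_alice)
        if d_ra != self.r_a:                           # guard {dRA ≠ RA}
            return BOTTOM                              # s_CAB(⊥)
        return (ticket, enc(k_ab, r_b, data))          # guard {dRA = RA}


class Bob:
    def __init__(self, k_bt):
        self.k_bt = k_bt

    def step2(self, from_alice):
        a, r_a = from_alice                            # r_CAB(A, RA)
        self.r_b = secrets.token_bytes(8)              # rsg_RB
        return enc(self.k_bt, a, r_a, self.r_b)        # s_CBT(ENC_kBT(A, RA, RB))

    def step5(self, d_ab):
        if d_ab == BOTTOM:                             # guard {dAB = ⊥}
            return BOTTOM
        ticket, payload = d_ab
        _a, k_ab = dec(self.k_bt, ticket)              # recover kAB from ENC_kBT(A, kAB)
        d_rb, data = dec(k_ab, payload)
        return data if d_rb == self.r_b else BOTTOM    # s_CBO(D) or s_CBO(⊥)


class Trent:
    def __init__(self, keys):
        self.keys = keys                               # {"A": kAT, "B": kBT}

    def step3(self, from_bob):
        a, r_a, r_b = dec(self.keys["B"], from_bob)
        k_ab = secrets.token_bytes(16)                 # rsg_kAB
        return (enc(self.keys[a], "B", k_ab, r_a, r_b),
                enc(self.keys["B"], a, k_ab))          # s_CTA(...)


def session(alice, bob, trent, data, replay=None):
    """One protocol run. `replay` maps a channel name to a recorded message
    that replaces the genuine one on that channel (constructed scenario)."""
    replay = replay or {}
    m_cab1 = alice.step1()
    m_cbt = bob.step2(m_cab1)
    m_cta = replay.get("CTA", trent.step3(m_cbt))
    m_cab2 = replay.get("CAB", alice.step4(m_cta, data))
    return bob.step5(m_cab2), {"CTA": m_cta, "CAB": m_cab2}


def demo():
    """Honest run, then two runs fed a message recorded from the first run."""
    k_at, k_bt = secrets.token_bytes(16), secrets.token_bytes(16)
    a, b, t = Alice(k_at), Bob(k_bt), Trent({"A": k_at, "B": k_bt})
    honest, log = session(a, b, t, b"D1")
    stale_cta, _ = session(a, b, t, b"D2", replay={"CTA": log["CTA"]})
    stale_cab, _ = session(a, b, t, b"D3", replay={"CAB": log["CAB"]})
    return honest, stale_cta, stale_cab


if __name__ == "__main__":
    print(demo())
```

A stale message on CTA fails Alice's {dRA = RA} guard and a stale message on CAB fails Bob's {dRB = RB} guard, so both runs end in sCBO(⊥), while the honest run ends in sCBO(D).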

7.3 Needham-Schroeder Protocol

The Needham-Schroeder protocol shown in Figure 16 uses symmetric keys for secure communication: the key kAB is privately shared between Alice and Bob, and Alice and Bob already share the keys kAT and kBT with Trent, respectively.

The process of the protocol is as follows.

1. Alice receives some messages D from the outside through the channel CAI (the corresponding reading action is denoted rCAI (D)), if kAB is not established, she generates a random number RA through an action rsgRA, and sends A,B,RA to Trent through the channel CAT (the corresponding sending action is denoted sCAT (A,B,RA));

2. Trent receives A,B,RA from Alice through the channel CAT (the corresponding reading action is denoted rCAT (A,B,RA)), he generates a random session key kAB through an action rsgkAB, then he encrypts A,kAB by kBT through an action enckBT (A,kAB), encrypts RA,B, kAB,ENCkBT (A,kAB) by kAT through an action enckAT (RA,B, kAB,ENCkBT (A,kAB)), and sends them to Alice through the channel CTA (the corresponding sending action is denoted sCTA(ENCkAT (RA,B, kAB,ENCkBT (A,kAB))));

3. Alice receives the message from Trent through the channel CTA (the corresponding reading action is denoted rCTA(ENCkAT (dRA ,B, kAB,ENCkBT (A,kAB)))), she decrypts ENCkAT (dRA ,B, kAB,ENCkBT (A,kAB)) by kAT through an action deckAT (ENCkAT (dRA ,B, kAB,ENCkBT (A,kAB))), if dRA = RA, she sends ENCkBT (A,kAB) to Bob through the channel CAB (the corresponding sending action is denoted sCAB(ENCkBT (A,kAB))); else if dRA ≠ RA, she sends ⊥ to Bob through the channel CAB (the corresponding sending action is denoted sCAB(⊥));

4. Bob receives dAB from Alice (the corresponding reading action is denoted rCAB(dAB)), if dAB = ⊥, he sends ⊥ to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥)), and sends ⊥ to Alice through the channel CAB (the corresponding sending action is denoted sCAB(⊥)); else if dAB ≠ ⊥, dAB must be of the form ENCkBT (A,kAB) (without considering the malicious tampering and transmission errors), he decrypts ENCkBT (A,kAB) by kBT through an action deckBT (ENCkBT (A,kAB)) to ensure the message is from Alice and get kAB, then he generates a random number RB through an action rsgRB, encrypts RB by kAB through an action enckAB(RB), and sends ENCkAB(RB) to Alice through the channel CBA (the corresponding sending action is denoted sCBA(ENCkAB(RB)));

5. Alice receives dBA from Bob through the channel CBA (the corresponding reading action is denoted rCBA(dBA)), if dBA ≠ ⊥, she decrypts ENCkAB(RB) to get RB by kAB through an action deckAB(ENCkAB(RB)), encrypts RB − 1,D through an action enckAB(RB − 1,D), and sends ENCkAB(RB − 1,D) to Bob through the channel CAB (the corresponding sending action is denoted sCAB(ENCkAB(RB − 1,D))); else if dBA = ⊥, she sends ⊥ to Bob through the channel CAB (the corresponding sending action is denoted sCAB(⊥));

6. Bob receives d′AB from Alice through the channel CAB (the corresponding reading action is denoted rCAB(d′AB)), if d′AB ≠ ⊥, he decrypts ENCkAB(dRB−1,D) by kAB through an action deckAB(ENCkAB(dRB−1,D)), if dRB−1 = RB − 1, he sends D to the outside through the channel CBO (the corresponding sending action is denoted sCBO(D)), else if dRB−1 ≠ RB − 1, he sends ⊥ to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥)); else if d′AB = ⊥, he sends ⊥ to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑D∈∆ rCAI (D) ⋅A2

A2 = {kAB = NULL} ⋅ rsgRA ⋅A3 + {kAB ≠ NULL} ⋅A11

A3 = sCAT (A,B,RA) ⋅A4

A4 = rCTA(ENCkAT (dRA ,B, kAB,ENCkBT (A,kAB))) ⋅A5

A5 = deckAT (enckAT (dRA ,B, kAB,ENCkBT (A,kAB))) ⋅A6

A6 = {dRA = RA} ⋅A7 + {dRA ≠ RA} ⋅ sCAB(�) ⋅A8

A7 = sCAB(ENCkBT (A,kAB)) ⋅A8

A8 = rCBA(dBA) ⋅A9

A9 = {dBA ≠ ⊥} ⋅A10 + {dBA = ⊥} ⋅A13

A10 = deckAB(ENCkAB(RB)) ⋅A11

A11 = enckAB(RB − 1,D) ⋅A12

A12 = sCAB(ENCkAB(RB − 1,D)) ⋅A

A13 = sCAB(⊥) ⋅A

Bob’s state transitions described by APTCG are as follows.

B = {kAB = NULL} ⋅B1 + {kAB ≠ NULL} ⋅B7

B1 = rCAB(dAB) ⋅B2

B2 = {dAB = ⊥} ⋅ (sCBO(⊥) ∥ sCAB(⊥)) ⋅B7 + {dAB ≠ ⊥} ⋅B3

B3 = deckBT (ENCkBT (A,kAB)) ⋅B4

B4 = rsgRB ⋅B5

B5 = enckAB(RB) ⋅B6

B6 = sCBA(ENCkAB(RB)) ⋅B7

B7 = rCAB(d′AB) ⋅B8

B8 = {d′AB ≠ ⊥} ⋅B9 + {d′AB = ⊥} ⋅ sCBO(⊥) ⋅B

B9 = deckAB(ENCkAB(dRB−1,D)) ⋅B10

B10 = {dRB−1 = RB − 1} ⋅ sCBO(D) ⋅B + {dRB−1 ≠ RB − 1} ⋅ sCBO(⊥) ⋅B

Trent’s state transitions described by APTCG are as follows.

T = rCAT (A,B,RA) ⋅ T2

T2 = rsgkAB ⋅ T3

T3 = enckBT (A,kAB) ⋅ T4

T4 = enckAT (RA,B, kAB,ENCkBT (A,kAB)) ⋅ T5

T5 = sCTA(ENCkAT (RA,B, kAB,ENCkBT (A,kAB))) ⋅ T

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

γ(rCAT (A,B,RA), sCAT (A,B,RA)) ≜ cCAT (A,B,RA)

γ(rCTA(ENCkAT (dRA ,B, kAB,ENCkBT (A,kAB))), sCTA(ENCkAT (dRA ,B, kAB,ENCkBT (A,kAB)))) ≜ cCTA(ENCkAT (dRA ,B, kAB,ENCkBT (A,kAB)))

γ(rCAB(dAB), sCAB(dAB)) ≜ cCAB(dAB)

γ(rCBA(dBA), sCBA(dBA)) ≜ cCBA(dBA)

γ(rCAB(d′AB), sCAB(d′AB)) ≜ cCAB(d′AB)

Let all modules be in parallel, then the protocol A B T can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ T ))) = τI(∂H(A ≬ B ≬ T ))

where H = {rCAT (A,B,RA), sCAT (A,B,RA), rCAB(dAB), sCAB(dAB), rCBA(dBA), sCBA(dBA), rCAB(d′AB), sCAB(d′AB), rCTA(ENCkAT (dRA ,B, kAB,ENCkBT (A,kAB))), sCTA(ENCkAT (dRA ,B, kAB,ENCkBT (A,kAB)))∣D ∈ ∆},

I = {cCAT (A,B,RA), cCAB(dAB), cCBA(dBA), cCAB(d′AB), cCTA(ENCkAT (dRA ,B, kAB,ENCkBT (A,kAB))), {kAB = NULL}, rsgRA, {kAB ≠ NULL}, deckAT (enckAT (dRA ,B, kAB,ENCkBT (A,kAB))), {dRA = RA}, {dRA ≠ RA}, {dBA ≠ ⊥}, {dBA = ⊥}, deckAB(ENCkAB(RB)), enckAB(RB − 1,D), {dAB = ⊥}, {dAB ≠ ⊥}, deckBT (ENCkBT (A,kAB)), rsgRB, enckAB(RB), {d′AB = ⊥}, {d′AB ≠ ⊥}, deckAB(ENCkAB(dRB−1,D)), {dRB−1 = RB − 1}, {dRB−1 ≠ RB − 1}, rsgkAB, enckBT (A,kAB), enckAT (RA,B, kAB,ENCkBT (A,kAB))∣D ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 7.3. The Needham-Schroeder protocol in Figure 16 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws

of APTCG, we can prove that

τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ (sCBO(⊥) + sCBO(D))) ⋅ τI(∂H(A ≬ B ≬ T )).

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the Needham-Schroeder protocol in Figure 16, τI(∂H(A ≬ B ≬ T )), can exhibit the desired external behaviors:

1. For information leakage: kAT is privately shared only between Alice and Trent, kBT is privately shared only between Bob and Trent, and kAB is privately shared only among Trent, Alice and Bob. The modeling of confidentiality is similar to that of the protocol in section 4.10.2; the Needham-Schroeder protocol is confidential;

2. For the replay attack: the use of the random numbers RA and RB makes τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ sCBO(⊥)) ⋅ τI(∂H(A ≬ B ≬ T )), which is desired;

3. Without a replay attack, the protocol would be τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ sCBO(D)) ⋅ τI(∂H(A ≬ B ≬ T )), which is desired;

4. For the man-in-the-middle attack: kAT is privately shared only between Alice and Trent, kBT is privately shared only between Bob and Trent, and kAB is privately shared only among Trent, Alice and Bob. The modeling of the man-in-the-middle attack is similar to that of the protocol in section 5.4; the Needham-Schroeder protocol can resist the man-in-the-middle attack;

5. The unexpected and non-technical leaking of kAT, kBT or kAB, their not being strong enough, or Trent being dishonest are out of the scope of analyses of security protocols;

6. Malicious tampering and transmission errors are out of the scope of analyses of security protocols.

Figure 17: Otway-Rees protocol (diagram: Alice, Bob, Trent; channels CAI, CAB, CBO, CAO, CBA, CBI)

7.4 Otway-Rees Protocol

The Otway-Rees protocol shown in Figure 17 uses symmetric keys for secure communication: the key kAB is privately shared between Alice and Bob, and Alice and Bob already share the keys kAT and kBT with Trent, respectively.

The process of the protocol is as follows.

1. Alice receives some messages D from the outside through the channel CAI (the corresponding reading action is denoted rCAI (D)), if kAB is not established, she generates the random numbers I, RA through the actions rsgI and rsgRA, encrypts RA, I,A,B by kAT through an action enckAT (RA, I,A,B), and sends I,A,B,ENCkAT (RA, I,A,B) to Bob through the channel CAB (the corresponding sending action is denoted sCAB(I,A,B,ENCkAT (RA, I,A,B)));

2. Bob receives I,A,B,ENCkAT (RA, I,A,B) from Alice through the channel CAB (the corresponding reading action is denoted rCAB(I,A,B,ENCkAT (RA, I,A,B))), he generates a random number RB through an action rsgRB, encrypts RB, I,A,B by kBT through an action enckBT (RB, I,A,B), and sends I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B) to Trent through the channel CBT (the corresponding sending action is denoted sCBT (I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B)));

3. Trent receives I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B) through the channel CBT (the corresponding reading action is denoted rCBT (I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B))), he decrypts the message ENCkAT (RA, I,A,B) through an action deckAT (ENCkAT (RA, I,A,B)) and the message ENCkBT (RB, I,A,B) through an action deckBT (ENCkBT (RB, I,A,B)), generates a random session key kAB through an action rsgkAB, then he encrypts RA, kAB by kAT through an action enckAT (RA, kAB), encrypts RB, kAB by kBT through an action enckBT (RB, kAB), and sends them to Bob through the channel CTB (the corresponding sending action is denoted sCTB(I,ENCkAT (RA, kAB),ENCkBT (RB, kAB)));

4. Bob receives the message from Trent through the channel CTB (the corresponding reading action is denoted rCTB(dI ,ENCkAT (RA, kAB),ENCkBT (dRB , kAB))), he decrypts ENCkBT (dRB , kAB) by kBT through an action deckBT (ENCkBT (dRB , kAB)), if dRB = RB and dI = I, he sends I,ENCkAT (RA, kAB) to Alice through the channel CBA (the corresponding sending action is denoted sCBA(I,ENCkAB(RA, kAB))); else if dRB ≠ RB or dI ≠ I, he sends ⊥ to Alice through the channel CBA (the corresponding sending action is denoted sCBA(⊥));

5. Alice receives dBA from Bob (the corresponding reading action is denoted rCBA(dBA)), if dBA = ⊥, she sends ⊥ to Bob through the channel CAB (the corresponding sending action is denoted sCAB(⊥)); else if dBA ≠ ⊥, she decrypts ENCkAT (RA, kAB) by kAT through an action deckAT (ENCkAT (RA, kAB)), if dRA = RA and dI = I, she generates a random number RD through an action rsgRD, encrypts RD,D by kAB through an action enckAB(RD,D), and sends it to Bob through the channel CAB (the corresponding sending action is denoted sCAB(ENCkAB(RD,D))), else if dRA ≠ RA or dI ≠ I, she sends ⊥ to Bob through the channel CAB (the corresponding sending action is denoted sCAB(⊥));

6. Bob receives dAB from Alice (the corresponding reading action is denoted rCAB(dAB)), if dAB = ⊥, he sends ⊥ to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥)); else if dAB ≠ ⊥, he decrypts ENCkAB(RD,D) by kAB through an action deckAB(ENCkAB(RD,D)), if isFresh(RD) = TRUE, he sends D to the outside through the channel CBO (the corresponding sending action is denoted sCBO(D)), else if isFresh(dRD) = FALSE, he sends ⊥ to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑D∈∆ rCAI (D) ⋅A2

A2 = {kAB = NULL} ⋅ rsgI ⋅ rsgRA ⋅A3 + {kAB ≠ NULL} ⋅A9

A3 = enckAT (RA, I,A,B) ⋅A4

A4 = sCAB(I,A,B,ENCkAT (RA, I,A,B)) ⋅A5

A5 = rCBA(dBA) ⋅A6

A6 = {dBA ≠ ⊥} ⋅A7 + {dBA = ⊥} ⋅ sCAB(⊥) ⋅A

A7 = deckAT (ENCkAT (RA, kAB)) ⋅A8

A8 = {dRA = RA ⋅ dI = I} ⋅A9 + {dRA ≠ RA + dI ≠ I} ⋅A12

A9 = rsgRD ⋅A10

A10 = enckAB(RD,D) ⋅A11

A11 = sCAB(ENCkAB(RD,D)) ⋅A

A12 = sCAB(⊥) ⋅A

Bob’s state transitions described by APTCG are as follows.

B = {kAB = NULL} ⋅B1 + {kAB ≠ NULL} ⋅B8

B1 = rCAB(I,A,B,ENCkAT (RA, I,A,B)) ⋅B2

B2 = rsgRB ⋅B3

B3 = enckBT (RB, I,A,B) ⋅B4

B4 = sCBT (I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B)) ⋅B5

B5 = rCTB(dI ,ENCkAT (RA, kAB),ENCkBT (dRB , kAB)) ⋅B6

B6 = deckBT (ENCkBT (dRB , kAB)) ⋅B7

B7 = {dRB = RB ⋅ dI = I} ⋅ sCBA(I,ENCkAB(RA, kAB)) ⋅B8 + {dRB ≠ RB + dI ≠ I} ⋅ sCAB(⊥) ⋅B8

B8 = rCAB(dAB) ⋅B9

B9 = {dAB = ⊥} ⋅ sCBO(⊥) ⋅B + {dAB ≠ ⊥} ⋅B10

B10 = deckAB(ENCkAB(RD,D)) ⋅B11

B11 = {isFresh(RD) = TRUE} ⋅B12 + {isFresh(RD) = FALSE} ⋅ sCBO(⊥) ⋅B

B12 = sCBO(D) ⋅B

Trent’s state transitions described by APTCG are as follows.

T = rCBT (I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B)) ⋅ T2

T2 = deckAT (ENCkAT (RA, I,A,B)) ⋅ T3

T3 = deckBT (ENCkBT (RB, I,A,B)) ⋅ T4

T4 = rsgkAB ⋅ T5

T5 = enckAT (RA, kAB) ⋅ T6

T6 = enckBT (RB, kAB) ⋅ T7

T7 = sCTB(I,ENCkAT (RA, kAB),ENCkBT (RB, kAB)) ⋅ T

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ is caused. We define the following communication functions.

γ(rCAB(I,A,B,ENCkAT (RA, I,A,B)), sCAB(I,A,B,ENCkAT (RA, I,A,B))) ≜ cCAB(I,A,B,ENCkAT (RA, I,A,B))

γ(rCBA(dBA), sCBA(dBA)) ≜ cCBA(dBA)

γ(rCBT (I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B)), sCBT (I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B))) ≜ cCBT (I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B))

γ(rCTB(dI ,ENCkAT (RA, kAB),ENCkBT (dRB , kAB)), sCTB(dI ,ENCkAT (RA, kAB),ENCkBT (dRB , kAB))) ≜ cCTB(dI ,ENCkAT (RA, kAB),ENCkBT (dRB , kAB))

γ(rCAB(dAB), sCAB(dAB)) ≜ cCAB(dAB)

Let all modules be in parallel, then the protocol A B T can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ T ))) = τI(∂H(A ≬ B ≬ T ))

where H = {rCAB(I,A,B,ENCkAT (RA, I,A,B)), sCAB(I,A,B,ENCkAT (RA, I,A,B)), rCBA(dBA), sCBA(dBA), rCAB(dAB), sCAB(dAB), rCBT (I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B)), sCBT (I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B)), rCTB(dI ,ENCkAT (RA, kAB),ENCkBT (dRB , kAB)), sCTB(dI ,ENCkAT (RA, kAB),ENCkBT (dRB , kAB))∣D ∈ ∆},

I = {cCAB(I,A,B,ENCkAT (RA, I,A,B)), cCBA(dBA), cCAB(dAB), cCBT (I,A,B,ENCkAT (RA, I,A,B),ENCkBT (RB, I,A,B)), cCTB(dI ,ENCkAT (RA, kAB),ENCkBT (dRB , kAB)), {kAB = NULL}, rsgI, rsgRA, {kAB ≠ NULL}, enckAT (RA, I,A,B), {dBA ≠ ⊥}, {dBA = ⊥}, deckAT (ENCkAT (RA, kAB)), {dRA = RA ⋅ dI = I}, {dRA ≠ RA + dI ≠ I}, rsgRD, enckAB(RD,D), rsgRB, enckBT (RB, I,A,B), deckBT (ENCkBT (dRB , kAB)), {dRB = RB ⋅ dI = I}, {dRB ≠ RB + dI ≠ I}, {dAB = ⊥}, {dAB ≠ ⊥}, deckAB(ENCkAB(RD,D)), {isFresh(RD) = TRUE}, {isFresh(RD) = FALSE}, deckAT (ENCkAT (RA, I,A,B)), deckBT (ENCkBT (RB, I,A,B)), rsgkAB, enckAT (RA, kAB), enckBT (RB, kAB)∣D ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 7.4. The Otway-Rees protocol in Figure 17 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws

of APTCG, we can prove that

τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ (sCBO(⊥) + sCBO(D))) ⋅ τI(∂H(A ≬ B ≬ T )).

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the Otway-Rees protocol in Figure 17, τI(∂H(A ≬ B ≬ T )), can exhibit the desired external behaviors:

1. For information leakage: kAT is privately shared only between Alice and Trent, kBT is privately shared only between Bob and Trent, and kAB is privately shared only among Trent, Alice and Bob. The modeling of confidentiality is similar to that of the protocol in section 4.10.2; the Otway-Rees protocol is confidential;

2. For the man-in-the-middle attack: because kAT is privately shared only between Alice and Trent, kBT is privately shared only between Bob and Trent, kAB is privately shared only among Trent, Alice and Bob, and because of the use of the random numbers I, RA and RB, the protocol would be τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ sCBO(⊥)) ⋅ τI(∂H(A ≬ B ≬ T )), which is desired; the Otway-Rees protocol can resist the man-in-the-middle attack;

3. For the replay attack: the use of the random numbers I, RA and RB makes τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ sCBO(⊥)) ⋅ τI(∂H(A ≬ B ≬ T )), which is desired;

Figure 18: Kerberos protocol (diagram: Alice, Bob, Trent; channels CAI, CAB, CBO, CAO, CBA, CBI)

4. Without man-in-the-middle and replay attacks, the protocol would be τI(∂H(A ≬ B ≬ T )) = ∑D∈∆(rCAI (D) ⋅ sCBO(D)) ⋅ τI(∂H(A ≬ B ≬ T )), which is desired;

5. The unexpected and non-technical leaking of kAT, kBT or kAB, their not being strong enough, or Trent being dishonest are out of the scope of analyses of security protocols;

6. Malicious tampering and transmission errors are out of the scope of analyses of security protocols.

7.5 Kerberos Protocol

The Kerberos protocol shown in Figure 18 uses symmetric keys for secure communication: the key kAB is privately shared between Alice and Bob, and Alice and Bob already share the keys kAT and kBT with Trent, respectively.

The process of the protocol is as follows.

1. Alice receives some messages D from the outside through the channel CAI (the corresponding reading action is denoted rCAI (D)), if kAB is not established, she sends A,B to Trent through the channel CAT (the corresponding sending action is denoted sCAT (A,B));

2. Trent receives A,B from Alice through the channel CAT (the corresponding reading action is denoted rCAT (A,B)), he generates a random session key kAB through an action rsgkAB, gets time stamp T and lifetime L, then he encrypts T,L, kAB,B by kAT through an action enckAT (T,L, kAB,B), encrypts T,L, kAB,A by kBT through an action enckBT (T,L, kAB,A), and sends them to Alice through the channel CTA (the corresponding sending action is denoted sCTA(ENCkAT (T,L, kAB,B),ENCkBT (K,L, kAB,A)));

3. Alice receives the message from Trent through the channel CTA (the corresponding reading action is denoted rCTA(ENCkAT (T,L, kAB,B),ENCkBT (K,L, kAB,A))), she decrypts ENCkAT (T,L, kAB,B) by kAT through an action deckAT (ENCkAT (T,L, kAB,B)), encrypts A,T by kAB through an action enckAB(A,T ), she sends ENCkAB(A,T ),ENCkBT (T,L, kAB,A) to Bob through the channel CAB (the corresponding sending action is denoted sCAB(ENCkAB(A,T ),ENCkBT (T,L, kAB,A)));

4. Bob receives ENCkAB(A,T ),ENCkBT (T,L, kAB,A) from Alice (the corresponding reading action is denoted rCAB(ENCkAB(A,T ),ENCkBT (T,L, kAB,A))), he decrypts ENCkBT (T,L, kAB,A) by kBT through an action deckBT (ENCkBT (T,L, kAB,A)) to ensure the message is from Alice and get kAB, and decrypts ENCkAB(A,T ) by kAB through an action deckAB(ENCkAB(A,T )) to get A and T , then he encrypts T + 1 by kAB through an action enckAB(T + 1), and sends ENCkAB(T + 1) to Alice through the channel CBA (the corresponding sending action is denoted sCBA(ENCkAB(T + 1)));

5. Alice receives ENCkAB(dT+1) from Bob through the channel CBA (the corresponding reading action is denoted rCBA(ENCkAB(dT+1))), she decrypts ENCkAB(dT+1) by kAB through an action deckAB(ENCkAB(dT+1)), if dT+1 = T + 1, she encrypts T + 2,D through an action enckAB(T + 2,D), and sends ENCkAB(T + 2,D) to Bob through the channel CAB (the corresponding sending action is denoted sCAB(ENCkAB(T + 2,D))); else if dT+1 ≠ T + 1, she sends ⊥ to Bob through the channel CAB (the corresponding sending action is denoted sCAB(⊥));

6. Bob receives dAB from Alice through the channel CAB (the corresponding reading action is denoted rCAB(dAB)), if dAB ≠ ⊥, he decrypts ENCkAB(dT+2,D) by kAB through an action deckAB(ENCkAB(dT+2,D)), if dT+2 = T + 2, he sends D to the outside through the channel CBO (the corresponding sending action is denoted sCBO(D)), else if dT+2 ≠ T + 2, he sends ⊥ to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥)); else if dAB = ⊥, he sends ⊥ to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by $APTC_G$ are as follows.

$$
\begin{aligned}
A &= \sum_{D\in\Delta} r_{C_{AI}}(D)\cdot A_2\\
A_2 &= \{k_{AB}=NULL\}\cdot A_3+\{k_{AB}\neq NULL\}\cdot A_{12}\\
A_3 &= s_{C_{AT}}(A,B)\cdot A_4\\
A_4 &= r_{C_{TA}}(ENC_{k_{AT}}(T,L,k_{AB},B),ENC_{k_{BT}}(K,L,k_{AB},A))\cdot A_5\\
A_5 &= dec_{k_{AT}}(ENC_{k_{AT}}(T,L,k_{AB},B))\cdot A_6\\
A_6 &= enc_{k_{AB}}(A,T)\cdot A_7\\
A_7 &= s_{C_{AB}}(ENC_{k_{AB}}(A,T),ENC_{k_{BT}}(T,L,k_{AB},A))\cdot A_8\\
A_8 &= r_{C_{BA}}(ENC_{k_{AB}}(d_{T+1}))\cdot A_9\\
A_9 &= dec_{k_{AB}}(ENC_{k_{AB}}(d_{T+1}))\cdot A_{10}\\
A_{10} &= dec_{k_{AB}}(ENC_{k_{AB}}(R_B))\cdot A_{11}\\
A_{11} &= \{d_{T+1}=T+1\}\cdot A_{12}+\{d_{T+1}\neq T+1\}\cdot A_{14}\\
A_{12} &= enc_{k_{AB}}(T+2,D)\cdot A_{13}\\
A_{13} &= s_{C_{AB}}(ENC_{k_{AB}}(R_B-1,D))\cdot A\\
A_{14} &= s_{C_{AB}}(\bot)\cdot A
\end{aligned}
$$

Bob’s state transitions described by $APTC_G$ are as follows.

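$$
\begin{aligned}
B &= \{k_{AB}=NULL\}\cdot B_1+\{k_{AB}\neq NULL\}\cdot B_6\\
B_1 &= r_{C_{AB}}(ENC_{k_{AB}}(A,T),ENC_{k_{BT}}(T,L,k_{AB},A))\cdot B_2\\
B_2 &= dec_{k_{BT}}(ENC_{k_{BT}}(T,L,k_{AB},A))\cdot B_3\\
B_3 &= dec_{k_{AB}}(ENC_{k_{AB}}(A,T))\cdot B_4\\
B_4 &= enc_{k_{AB}}(T+1)\cdot B_5\\
B_5 &= s_{C_{BA}}(ENC_{k_{AB}}(T+1))\cdot B_6\\
B_6 &= r_{C_{AB}}(d_{AB})\cdot B_7\\
B_7 &= \{d_{AB}\neq\bot\}\cdot B_8+\{d_{AB}=\bot\}\cdot s_{C_{BO}}(\bot)\cdot B\\
B_8 &= dec_{k_{AB}}(ENC_{k_{AB}}(d_{T+2},D))\cdot B_9\\
B_9 &= \{d_{T+2}=T+2\}\cdot B_{10}+\{d_{T+2}\neq T+2\}\cdot s_{C_{BO}}(\bot)\cdot B\\
B_{10} &= s_{C_{BO}}(D)\cdot B
\end{aligned}
$$

Trent’s state transitions described by $APTC_G$ are as follows.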

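$$
\begin{aligned}
T &= r_{C_{AT}}(A,B)\cdot T_2\\
T_2 &= rsg_{k_{AB}}\cdot T_3\\
T_3 &= enc_{k_{AT}}(T,L,k_{AB},B)\cdot T_4\\
T_4 &= enc_{k_{BT}}(T,L,k_{AB},A)\cdot T_5\\
T_5 &= s_{C_{TA}}(ENC_{k_{AT}}(T,L,k_{AB},B),ENC_{k_{BT}}(K,L,k_{AB},A))\cdot T
\end{aligned}
$$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock $\delta$ is caused. We define the following communication functions.

$$
\begin{aligned}
&\gamma(r_{C_{AT}}(A,B),s_{C_{AT}}(A,B))\triangleq c_{C_{AT}}(A,B)\\
&\gamma(r_{C_{TA}}(ENC_{k_{AT}}(T,L,k_{AB},B),ENC_{k_{BT}}(K,L,k_{AB},A)),s_{C_{TA}}(ENC_{k_{AT}}(T,L,k_{AB},B),ENC_{k_{BT}}(K,L,k_{AB},A)))\\
&\qquad\triangleq c_{C_{TA}}(ENC_{k_{AT}}(T,L,k_{AB},B),ENC_{k_{BT}}(K,L,k_{AB},A))\\
&\gamma(r_{C_{AB}}(ENC_{k_{AB}}(A,T),ENC_{k_{BT}}(T,L,k_{AB},A)),s_{C_{AB}}(ENC_{k_{AB}}(A,T),ENC_{k_{BT}}(T,L,k_{AB},A)))\\
&\qquad\triangleq c_{C_{AB}}(ENC_{k_{AB}}(A,T),ENC_{k_{BT}}(T,L,k_{AB},A))\\
&\gamma(r_{C_{BA}}(ENC_{k_{AB}}(d_{T+1})),s_{C_{BA}}(ENC_{k_{AB}}(d_{T+1})))\triangleq c_{C_{BA}}(ENC_{k_{AB}}(d_{T+1}))\\
&\gamma(r_{C_{AB}}(d_{AB}),s_{C_{AB}}(d_{AB}))\triangleq c_{C_{AB}}(d_{AB})
\end{aligned}
$$

Let all modules be in parallel, then the protocol A B T can be presented by the following process term.

$$\tau_I(\partial_H(\Theta(A\between B\between T)))=\tau_I(\partial_H(A\between B\between T))$$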


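where

$$
\begin{aligned}
H=\{&r_{C_{AT}}(A,B),s_{C_{AT}}(A,B),r_{C_{AB}}(d_{AB}),s_{C_{AB}}(d_{AB}),\\
&r_{C_{TA}}(ENC_{k_{AT}}(T,L,k_{AB},B),ENC_{k_{BT}}(K,L,k_{AB},A)),\\
&s_{C_{TA}}(ENC_{k_{AT}}(T,L,k_{AB},B),ENC_{k_{BT}}(K,L,k_{AB},A)),\\
&r_{C_{AB}}(ENC_{k_{AB}}(A,T),ENC_{k_{BT}}(T,L,k_{AB},A)),\\
&s_{C_{AB}}(ENC_{k_{AB}}(A,T),ENC_{k_{BT}}(T,L,k_{AB},A)),\\
&r_{C_{BA}}(ENC_{k_{AB}}(d_{T+1})),s_{C_{BA}}(ENC_{k_{AB}}(d_{T+1}))\mid D\in\Delta\},
\end{aligned}
$$

$$
\begin{aligned}
I=\{&c_{C_{AT}}(A,B),c_{C_{BA}}(ENC_{k_{AB}}(d_{T+1})),c_{C_{AB}}(d_{AB}),\\
&c_{C_{TA}}(ENC_{k_{AT}}(T,L,k_{AB},B),ENC_{k_{BT}}(K,L,k_{AB},A)),\\
&c_{C_{AB}}(ENC_{k_{AB}}(A,T),ENC_{k_{BT}}(T,L,k_{AB},A)),\\
&\{k_{AB}=NULL\},\{k_{AB}\neq NULL\},dec_{k_{AT}}(ENC_{k_{AT}}(T,L,k_{AB},B)),\\
&enc_{k_{AB}}(A,T),dec_{k_{AB}}(ENC_{k_{AB}}(d_{T+1})),dec_{k_{AB}}(ENC_{k_{AB}}(R_B)),\\
&\{d_{T+1}=T+1\},\{d_{T+1}\neq T+1\},enc_{k_{AB}}(T+2,D),\\
&dec_{k_{BT}}(ENC_{k_{BT}}(T,L,k_{AB},A)),dec_{k_{AB}}(ENC_{k_{AB}}(A,T)),\\
&enc_{k_{AB}}(T+1),\{d_{AB}\neq\bot\},\{d_{AB}=\bot\},dec_{k_{AB}}(ENC_{k_{AB}}(d_{T+2},D)),\\
&\{d_{T+2}=T+2\},\{d_{T+2}\neq T+2\},rsg_{k_{AB}},enc_{k_{AT}}(T,L,k_{AB},B),\\
&enc_{k_{BT}}(T,L,k_{AB},A)\mid D\in\Delta\}.
\end{aligned}
$$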

Then we get the following conclusion on the protocol.

Theorem 7.5. The Kerberos protocol in Figure 18 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of $APTC_G$, we can prove that

$$\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot(s_{C_{BO}}(\bot)+s_{C_{BO}}(D)))\cdot\tau_I(\partial_H(A\between B\between T)).$$

For the details of proof, please refer to section 2.9, and we omit it.

That is, the Kerberos protocol in Figure 18, $\tau_I(\partial_H(A\between B\between T))$, can exhibit desired external behaviors:

1. For information leakage, $k_{AT}$ is privately shared only between Alice and Trent, $k_{BT}$ is privately shared only between Bob and Trent, and $k_{AB}$ is privately shared only among Trent, Alice and Bob. The modeling of confidentiality is similar to the protocol in section 4.10.2, and the Kerberos protocol is confidential;

2. For replay attack, the use of the time stamp $T$ makes that $\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot s_{C_{BO}}(\bot))\cdot\tau_I(\partial_H(A\between B\between T))$, as desired;

3. Without replay attack, the protocol would be $\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot s_{C_{BO}}(D))\cdot\tau_I(\partial_H(A\between B\between T))$, as desired;

4. For the man-in-the-middle attack, $k_{AT}$ is privately shared only between Alice and Trent, $k_{BT}$ is privately shared only between Bob and Trent, and $k_{AB}$ is privately shared only among Trent, Alice and Bob. The modeling of the man-in-the-middle attack is similar to the protocol in section 5.4, and the Kerberos protocol can resist the man-in-the-middle attack;

5. The unexpected and non-technical leaking of $k_{AT}$, $k_{BT}$, $k_{AB}$, or their not being strong enough, or Trent being dishonest, are out of the scope of analyses of security protocols;

6. Malicious tampering and transmission errors are out of the scope of analyses of security protocols.

Figure 19: Neuman-Stubblebine protocol
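The timestamp guards $\{d_{T+1}=T+1\}$ and $\{d_{T+2}=T+2\}$ of the Kerberos model in section 7.5 can be exercised on a symbolic run. The following Python model is an added example, not code from the paper: encryption is symbolic, and the key names, the session key held fixed across sessions, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

BOTTOM = "⊥"  # the failure message of the model


@dataclass(frozen=True)
class Enc:
    """Symbolic ciphertext ENC_key(payload); opaque unless the key matches."""
    key: str
    payload: tuple


def dec(key, msg):
    """Symbolic decryption: the payload, or None on a wrong key or a non-ciphertext."""
    if isinstance(msg, Enc) and msg.key == key:
        return msg.payload
    return None


# Constructed key names. The session key is held fixed across sessions
# (an assumption) so that the timestamp alone decides the outcome.
K_AT, K_BT, K_AB, LIFETIME = "kAT", "kBT", "kAB", 60


def trent(a, b, t):
    """Step 2: Trent answers (A, B) with the two ciphertexts sent on C_TA."""
    return Enc(K_AT, (t, LIFETIME, K_AB, b)), Enc(K_BT, (t, LIFETIME, K_AB, a))


def alice_forward(reply):
    """Step 3: Alice opens her part and sends ENC_kAB(A, T) plus Bob's part on C_AB."""
    for_alice, for_bob = reply
    t, _lifetime, k_ab, _b = dec(K_AT, for_alice)
    return (Enc(k_ab, ("A", t)), for_bob), k_ab, t


def bob_respond(msg):
    """Step 4: Bob recovers kAB and T, then answers ENC_kAB(T+1) on C_BA."""
    enc_a_t, for_bob = msg
    t, _lifetime, k_ab, _a = dec(K_BT, for_bob)
    _name, _t = dec(k_ab, enc_a_t)
    return Enc(k_ab, (t + 1,)), k_ab, t


def alice_send_data(d_ba, k_ab, t, data):
    """Step 5: guard {d_{T+1} = T+1}; send ENC_kAB(T+2, D) or ⊥ on C_AB."""
    if dec(k_ab, d_ba) == (t + 1,):
        return Enc(k_ab, (t + 2, data))
    return BOTTOM


def bob_deliver(d_ab, k_ab, t):
    """Step 6: guards {d_AB ≠ ⊥} and {d_{T+2} = T+2}; output D or ⊥ on C_BO."""
    opened = None if d_ab == BOTTOM else dec(k_ab, d_ab)
    if opened is not None and opened[0] == t + 2:
        return opened[1]
    return BOTTOM


def run(data, t, sub_c_ba=None, sub_c_ab=None, tap=None):
    """One session with time stamp t. sub_c_ba / sub_c_ab replace the message
    carried on that channel; tap records what Alice really sent on C_AB."""
    fwd, a_key, a_t = alice_forward(trent("A", "B", t))
    d_ba, b_key, b_t = bob_respond(fwd)
    if sub_c_ba is not None:
        d_ba = sub_c_ba
    d_ab = alice_send_data(d_ba, a_key, a_t, data)
    if tap is not None:
        tap.append(d_ab)
    if sub_c_ab is not None:
        d_ab = sub_c_ab
    return bob_deliver(d_ab, b_key, b_t)


def demo():
    """External output on C_BO for an honest run and two runs fed stale messages."""
    tap = []
    honest = run("D1", t=100, tap=tap)                          # s_CBO(D)
    stale_data = run("D2", t=200, sub_c_ab=tap[0])              # old ENC_kAB(102, D1)
    stale_reply = run("D2", t=200, sub_c_ba=Enc(K_AB, (101,)))  # old ENC_kAB(T+1)
    return honest, stale_data, stale_reply


if __name__ == "__main__":
    print(demo())
```

The three results correspond to the two summands of the external behavior $r_{C_{AI}}(D)\cdot(s_{C_{BO}}(\bot)+s_{C_{BO}}(D))$: the data is delivered only when both timestamp guards hold.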

7.6 Neuman-Stubblebine Protocol

The Neuman-Stubblebine protocol shown in Figure 19 uses symmetric keys for secure communication, that is, the key $k_{AB}$ between Alice and Bob is privately shared between Alice and Bob, and Alice and Bob already have the shared keys $k_{AT}$ and $k_{BT}$ with Trent.

The process of the protocol is as follows.

1. Alice receives some messages $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$), if $k_{AB}$ is not established, she generates a random number $R_A$ through the action $rsg_{R_A}$, and sends $R_A,A$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(R_A,A)$);

2. Bob receives $R_A,A$ from Alice through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(R_A,A)$), he generates a random number $R_B$ through an action $rsg_{R_B}$, encrypts $R_A,A,T_B$ by $k_{BT}$ through an action $enc_{k_{BT}}(R_A,A,T_B)$, and sends $R_B,B,ENC_{k_{BT}}(R_A,A,T_B)$ to Trent through the channel $C_{BT}$ (the corresponding sending action is denoted $s_{C_{BT}}(R_B,B,ENC_{k_{BT}}(R_A,A,T_B))$);

3. Trent receives $R_B,B,ENC_{k_{BT}}(R_A,A,T_B)$ through the channel $C_{BT}$ (the corresponding reading action is denoted $r_{C_{BT}}(R_B,B,ENC_{k_{BT}}(R_A,A,T_B))$), he decrypts the message $ENC_{k_{BT}}(R_A,A,T_B)$ through an action $dec_{k_{BT}}(ENC_{k_{BT}}(R_A,A,T_B))$, generates a random session key $k_{AB}$ through an action $rsg_{k_{AB}}$, then he encrypts $B,R_A,k_{AB},T_B$ by $k_{AT}$ through an action $enc_{k_{AT}}(B,R_A,k_{AB},T_B)$, encrypts $A,k_{AB},T_B$ by $k_{BT}$ through an action $enc_{k_{BT}}(A,k_{AB},T_B)$, and sends them to Alice through the channel $C_{TA}$ (the corresponding sending action is denoted $s_{C_{TA}}(ENC_{k_{AT}}(B,R_A,k_{AB},T_B),ENC_{k_{BT}}(A,k_{AB},T_B),R_B)$);

4. Alice receives the message from Trent through the channel $C_{TA}$ (the corresponding reading action is denoted $r_{C_{TA}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B),ENC_{k_{BT}}(A,k_{AB},T_B),R_B)$), she decrypts $ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B)$ by $k_{AT}$ through an action $dec_{k_{AT}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B))$, if $d_{R_A}=R_A$, she encrypts $R_B$ by $k_{AB}$ through an action $enc_{k_{AB}}(R_B)$, and sends $ENC_{k_{BT}}(A,k_{AB},T_B),ENC_{k_{AB}}(R_B)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{BT}}(A,k_{AB},T_B),ENC_{k_{AB}}(R_B))$); else if $d_{R_A}\neq R_A$, she sends $\bot$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(\bot)$);

5. Bob receives $d_{AB}$ from Alice (the corresponding reading action is denoted $r_{C_{AB}}(d_{AB})$), if $d_{AB}=\bot$, he sends $\bot$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(\bot)$); else if $d_{AB}\neq\bot$, he decrypts $ENC_{k_{BT}}(A,k_{AB},T_B)$ by $k_{BT}$ through an action $dec_{k_{BT}}(ENC_{k_{BT}}(A,k_{AB},T_B))$, decrypts $ENC_{k_{AB}}(d_{R_B})$ by $k_{AB}$ through an action $dec_{k_{AB}}(ENC_{k_{AB}}(d_{R_B}))$, if $d_{R_B}=R_B$, he generates a random number $R_D$ through an action $rsg_{R_D}$, encrypts $R_D$ by $k_{AB}$ through an action $enc_{k_{AB}}(R_D)$, and sends it to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(ENC_{k_{AB}}(R_D))$), else if $d_{R_B}\neq R_B$, he sends $\bot$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(\bot)$);

6. Alice receives $d_{BA}$ from Bob (the corresponding reading action is denoted $r_{C_{BA}}(d_{BA})$), if $d_{BA}=\bot$, she sends $\bot$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(\bot)$); else if $d_{BA}\neq\bot$, she decrypts $ENC_{k_{AB}}(R_D)$ by $k_{AB}$ through an action $dec_{k_{AB}}(ENC_{k_{AB}}(R_D))$, if $isFresh(R_D)=TRUE$, she generates a random number $R'_D$ through an action $rsg_{R'_D}$, encrypts $R'_D,D$ by $k_{AB}$ through an action $enc_{k_{AB}}(R'_D,D)$, and sends it to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{AB}}(R'_D,D))$), else if $isFresh(R_D)=FALSE$, she sends $\bot$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(\bot)$);

7. Bob receives $d'_{AB}$ from Alice (the corresponding reading action is denoted $r_{C_{AB}}(d'_{AB})$), if $d'_{AB}=\bot$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$); else if $d'_{AB}\neq\bot$, he decrypts $ENC_{k_{AB}}(R'_D,D)$ by $k_{AB}$ through an action $dec_{k_{AB}}(ENC_{k_{AB}}(R'_D,D))$, if $isFresh(d_{R'_D})=TRUE$, he sends $D$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(D)$), else if $isFresh(d'_{R_D})=FALSE$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$).

Where $D\in\Delta$, $\Delta$ is the set of data.

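Alice’s state transitions described by $APTC_G$ are as follows.

$$
\begin{aligned}
A &= \sum_{D\in\Delta} r_{C_{AI}}(D)\cdot A_2\\
A_2 &= \{k_{AB}=NULL\}\cdot rsg_{R_A}\cdot A_3+\{k_{AB}\neq NULL\}\cdot A_{13}\\
A_3 &= s_{C_{AB}}(R_A,A)\cdot A_4\\
A_4 &= r_{C_{TA}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B),ENC_{k_{BT}}(A,k_{AB},T_B),R_B)\cdot A_5\\
A_5 &= dec_{k_{AT}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B))\cdot A_6\\
A_6 &= \{d_{R_A}=R_A\}\cdot A_7+\{d_{R_A}\neq R_A\}\cdot s_{C_{AB}}(\bot)\cdot A_9\\
A_7 &= enc_{k_{AB}}(R_B)\cdot A_8\\
A_8 &= s_{C_{AB}}(ENC_{k_{BT}}(A,k_{AB},T_B),ENC_{k_{AB}}(R_B))\cdot A_9\\
A_9 &= r_{C_{BA}}(d_{BA})\cdot A_{10}\\
A_{10} &= \{d_{BA}\neq\bot\}\cdot A_{11}+\{d_{BA}=\bot\}\cdot s_{C_{AB}}(\bot)\cdot A\\
A_{11} &= dec_{k_{AB}}(ENC_{k_{AB}}(R_D))\cdot A_{12}\\
A_{12} &= \{isFresh(d_{R_D})=TRUE\}\cdot A_{13}+\{isFresh(d_{R_D})=FALSE\}\cdot s_{C_{AB}}(\bot)\cdot A\\
A_{13} &= rsg_{R'_D}\cdot A_{14}\\
A_{14} &= enc_{k_{AB}}(R'_D,D)\cdot A_{15}\\
A_{15} &= s_{C_{AB}}(ENC_{k_{AB}}(R'_D,D))\cdot A
\end{aligned}
$$

Bob’s state transitions described by $APTC_G$ are as follows.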

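$$
\begin{aligned}
B &= \{k_{AB}=NULL\}\cdot B_1+\{k_{AB}\neq NULL\}\cdot B_{13}\\
B_1 &= r_{C_{AB}}(R_A,A)\cdot B_2\\
B_2 &= rsg_{R_B}\cdot B_3\\
B_3 &= enc_{k_{BT}}(R_A,A,T_B)\cdot B_4\\
B_4 &= s_{C_{BT}}(R_B,B,ENC_{k_{BT}}(R_A,A,T_B))\cdot B_5\\
B_5 &= r_{C_{AB}}(d_{AB})\cdot B_6\\
B_6 &= \{d_{AB}\neq\bot\}\cdot B_7+\{d_{AB}=\bot\}\cdot s_{C_{BA}}(\bot)\cdot B_{13}\\
B_7 &= dec_{k_{BT}}(ENC_{k_{BT}}(A,k_{AB},T_B))\cdot B_8\\
B_8 &= dec_{k_{AB}}(ENC_{k_{AB}}(d_{R_B}))\cdot B_9\\
B_9 &= \{d_{R_B}\neq R_B\}\cdot s_{C_{BO}}(\bot)\cdot B_{13}+\{d_{R_B}=R_B\}\cdot B_{10}\\
B_{10} &= rsg_{R_D}\cdot B_{11}\\
B_{11} &= enc_{k_{AB}}(R_D)\cdot B_{12}\\
B_{12} &= s_{C_{BA}}(ENC_{k_{AB}}(R_D))\cdot B_{13}\\
B_{13} &= r_{C_{AB}}(d'_{AB})\cdot B_{14}\\
B_{14} &= \{d'_{AB}=\bot\}\cdot s_{C_{BO}}(\bot)\cdot B+\{d'_{AB}\neq\bot\}\cdot B_{15}\\
B_{15} &= dec_{k_{AB}}(ENC_{k_{AB}}(R'_D,D))\cdot B_{16}\\
B_{16} &= \{isFresh(R'_D)=FALSE\}\cdot s_{C_{BO}}(\bot)\cdot B+\{isFresh(R'_D)=TRUE\}\cdot B_{17}\\
B_{17} &= s_{C_{BO}}(D)\cdot B
\end{aligned}
$$

Trent’s state transitions described by $APTC_G$ are as follows.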

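$$
\begin{aligned}
T &= r_{C_{BT}}(R_B,B,ENC_{k_{BT}}(R_A,A,T_B))\cdot T_2\\
T_2 &= dec_{k_{BT}}(ENC_{k_{BT}}(R_A,A,T_B))\cdot T_3\\
T_3 &= rsg_{k_{AB}}\cdot T_4\\
T_4 &= enc_{k_{AT}}(B,R_A,k_{AB},T_B)\cdot T_5\\
T_5 &= enc_{k_{BT}}(A,k_{AB},T_B)\cdot T_6\\
T_6 &= s_{C_{TA}}(ENC_{k_{AT}}(B,R_A,k_{AB},T_B),ENC_{k_{BT}}(A,k_{AB},T_B),R_B)\cdot T
\end{aligned}
$$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock $\delta$ is caused. We define the following communication functions.

$$
\begin{aligned}
&\gamma(r_{C_{AB}}(R_A,A),s_{C_{AB}}(R_A,A))\triangleq c_{C_{AB}}(R_A,A)\\
&\gamma(r_{C_{BT}}(R_B,B,ENC_{k_{BT}}(R_A,A,T_B)),s_{C_{BT}}(R_B,B,ENC_{k_{BT}}(R_A,A,T_B)))\\
&\qquad\triangleq c_{C_{BT}}(R_B,B,ENC_{k_{BT}}(R_A,A,T_B))\\
&\gamma(r_{C_{TA}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B),ENC_{k_{BT}}(A,k_{AB},T_B),R_B),\\
&\qquad s_{C_{TA}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B),ENC_{k_{BT}}(A,k_{AB},T_B),R_B))\\
&\qquad\triangleq c_{C_{TA}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B),ENC_{k_{BT}}(A,k_{AB},T_B),R_B)\\
&\gamma(r_{C_{AB}}(d_{AB}),s_{C_{AB}}(d_{AB}))\triangleq c_{C_{AB}}(d_{AB})\\
&\gamma(r_{C_{BA}}(d_{BA}),s_{C_{BA}}(d_{BA}))\triangleq c_{C_{BA}}(d_{BA})\\
&\gamma(r_{C_{AB}}(d'_{AB}),s_{C_{AB}}(d'_{AB}))\triangleq c_{C_{AB}}(d'_{AB})
\end{aligned}
$$

Let all modules be in parallel, then the protocol A B T can be presented by the following process term.

$$\tau_I(\partial_H(\Theta(A\between B\between T)))=\tau_I(\partial_H(A\between B\between T))$$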

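where

$$
\begin{aligned}
H=\{&r_{C_{AB}}(R_A,A),s_{C_{AB}}(R_A,A),r_{C_{AB}}(d_{AB}),s_{C_{AB}}(d_{AB}),\\
&r_{C_{BA}}(d_{BA}),s_{C_{BA}}(d_{BA}),r_{C_{AB}}(d'_{AB}),s_{C_{AB}}(d'_{AB}),\\
&r_{C_{BT}}(R_B,B,ENC_{k_{BT}}(R_A,A,T_B)),s_{C_{BT}}(R_B,B,ENC_{k_{BT}}(R_A,A,T_B)),\\
&r_{C_{TA}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B),ENC_{k_{BT}}(A,k_{AB},T_B),R_B),\\
&s_{C_{TA}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B),ENC_{k_{BT}}(A,k_{AB},T_B),R_B)\mid D\in\Delta\},
\end{aligned}
$$

$$
\begin{aligned}
I=\{&c_{C_{AB}}(R_A,A),c_{C_{BT}}(R_B,B,ENC_{k_{BT}}(R_A,A,T_B)),\\
&c_{C_{TA}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B),ENC_{k_{BT}}(A,k_{AB},T_B),R_B),\\
&c_{C_{AB}}(d_{AB}),c_{C_{BA}}(d_{BA}),c_{C_{AB}}(d'_{AB}),\\
&\{k_{AB}=NULL\},rsg_{R_A},\{k_{AB}\neq NULL\},dec_{k_{AT}}(ENC_{k_{AT}}(B,d_{R_A},k_{AB},T_B)),\\
&\{d_{R_A}=R_A\},\{d_{R_A}\neq R_A\},enc_{k_{AB}}(R_B),\{d_{BA}=\bot\},\{d_{BA}\neq\bot\},\\
&dec_{k_{AB}}(ENC_{k_{AB}}(R_D)),\{isFresh(R_D)=TRUE\},\{isFresh(R_D)=FALSE\},\\
&rsg_{R'_D},enc_{k_{AB}}(R'_D,D),rsg_{R_B},enc_{k_{BT}}(R_A,A,T_B),\\
&\{d_{AB}\neq\bot\},\{d_{AB}=\bot\},dec_{k_{BT}}(ENC_{k_{BT}}(A,k_{AB},T_B)),dec_{k_{AB}}(ENC_{k_{AB}}(d_{R_B})),\\
&\{d_{R_B}\neq R_B\},\{d_{R_B}=R_B\},rsg_{R_D},enc_{k_{AB}}(R_D),\{d'_{AB}=\bot\},\{d'_{AB}\neq\bot\},\\
&dec_{k_{AB}}(ENC_{k_{AB}}(R'_D,D)),\{isFresh(d_{R'_D})=FALSE\},\{isFresh(d_{R'_D})=TRUE\},\\
&dec_{k_{BT}}(ENC_{k_{BT}}(R_A,A,T_B)),rsg_{k_{AB}},enc_{k_{AT}}(B,R_A,k_{AB},T_B),\\
&enc_{k_{BT}}(A,k_{AB},T_B)\mid D\in\Delta\}.
\end{aligned}
$$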

Then we get the following conclusion on the protocol.

Theorem 7.6. The Neuman-Stubblebine protocol in Figure 19 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of $APTC_G$, we can prove that

$$\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot(s_{C_{BO}}(\bot)+s_{C_{BO}}(D)))\cdot\tau_I(\partial_H(A\between B\between T)).$$

For the details of proof, please refer to section 2.9, and we omit it.

That is, the Neuman-Stubblebine protocol in Figure 19, $\tau_I(\partial_H(A\between B\between T))$, can exhibit desired external behaviors:

1. For information leakage, $k_{AT}$ is privately shared only between Alice and Trent, $k_{BT}$ is privately shared only between Bob and Trent, and $k_{AB}$ is privately shared only among Trent, Alice and Bob. The modeling of confidentiality is similar to the protocol in section 4.10.2, and the Neuman-Stubblebine protocol is confidential;

2. For the man-in-the-middle attack, because $k_{AT}$ is privately shared only between Alice and Trent, $k_{BT}$ is privately shared only between Bob and Trent, $k_{AB}$ is privately shared only among Trent, Alice and Bob, and because of the use of the random numbers $R_A$, $R_B$, $R_D$ and $R'_D$, the protocol would be $\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot s_{C_{BO}}(\bot))\cdot\tau_I(\partial_H(A\between B\between T))$, as desired, and the Neuman-Stubblebine protocol can resist the man-in-the-middle attack;

3. For replay attack, the use of the random numbers $T$, $R_A$, $R_B$, $R_D$ and $R'_D$ makes that $\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot s_{C_{BO}}(\bot))\cdot\tau_I(\partial_H(A\between B\between T))$, as desired;

4. Without man-in-the-middle and replay attack, the protocol would be $\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot s_{C_{BO}}(D))\cdot\tau_I(\partial_H(A\between B\between T))$, as desired;

5. The unexpected and non-technical leaking of $k_{AT}$, $k_{BT}$, $k_{AB}$, or their not being strong enough, or Trent being dishonest, are out of the scope of analyses of security protocols;

6. Malicious tampering and transmission errors are out of the scope of analyses of security protocols.
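The roles of the communication function $\gamma$, the encapsulated set $H$ and the abstracted set $I$ in section 7.6 can be seen by executing the three modules side by side. The following Python interpreter is an added example, not code from the paper: it runs one interleaved execution of the path on which every guard holds (a simplification of the truly concurrent semantics), message contents are constructed labels, and the function names and the `trent_channel` parameter are assumptions made for illustration.

```python
EXTERNAL = {"CAI", "CBO"}  # channels to the outside; reads/sends on all others are in H

# Constructed labels for the six messages of the honest Neuman-Stubblebine run.
M1 = "RA,A"
M2 = "RB,B,ENC_kBT(RA,A,TB)"
M3 = "ENC_kAT(B,RA,kAB,TB),ENC_kBT(A,kAB,TB),RB"
M4 = "ENC_kBT(A,kAB,TB),ENC_kAB(RB)"
M5 = "ENC_kAB(RD)"
M6 = "ENC_kAB(R'D,D)"


def i(name):
    """Internal action (enc, dec, rsg or a guard); it is in I, so tau_I hides it."""
    return ("i", name)


def gamma(x, y):
    """gamma(r_C(d), s_C(d)) = c_C(d); None if direction, channel or data do not match."""
    if {x[0], y[0]} == {"r", "s"} and x[1:] == y[1:]:
        return ("c",) + x[1:]
    return None


def step(procs, visible):
    """Fire one enabled action; return False when nothing is enabled."""
    for name, p in procs.items():
        if not p:
            continue
        head = p[0]
        if head[0] == "i":                 # in I: executed but hidden
            p.pop(0)
            return True
        if head[1] in EXTERNAL:            # not in H: stays observable
            visible.append(p.pop(0))
            return True
        for other, q in procs.items():     # in H: only proceeds through gamma
            if other != name and q and gamma(head, q[0]):
                p.pop(0)
                q.pop(0)                   # the resulting c_C(d) is in I, hidden
                return True
    return False


def external_behaviour(procs):
    """Run the parallel composition; return (observable actions, deadlocked)."""
    procs = {name: list(p) for name, p in procs.items()}
    visible = []
    while any(procs.values()):
        if not step(procs, visible):
            return visible, True           # deadlock (delta)
    return visible, False


def neuman_stubblebine(trent_channel="CTA"):
    """Action sequences of A, B and T along the path where all guards hold."""
    alice = [("r", "CAI", "D"), i("kAB=NULL"), i("rsg_RA"), ("s", "CAB", M1),
             ("r", "CTA", M3), i("dec_kAT"), i("dRA=RA"), i("enc_kAB"),
             ("s", "CAB", M4), ("r", "CBA", M5), i("dBA!=bot"), i("dec_kAB"),
             i("isFresh"), i("rsg_R'D"), i("enc_kAB"), ("s", "CAB", M6)]
    bob = [i("kAB=NULL"), ("r", "CAB", M1), i("rsg_RB"), i("enc_kBT"),
           ("s", "CBT", M2), ("r", "CAB", M4), i("dAB!=bot"), i("dec_kBT"),
           i("dec_kAB"), i("dRB=RB"), i("rsg_RD"), i("enc_kAB"),
           ("s", "CBA", M5), ("r", "CAB", M6), i("d'AB!=bot"), i("dec_kAB"),
           i("isFresh"), ("s", "CBO", "D")]
    trent = [("r", "CBT", M2), i("dec_kBT"), i("rsg_kAB"), i("enc_kAT"),
             i("enc_kBT"), ("s", trent_channel, M3)]
    return {"A": alice, "B": bob, "T": trent}


if __name__ == "__main__":
    print(external_behaviour(neuman_stubblebine()))
    print(external_behaviour(neuman_stubblebine(trent_channel="CTB")))
```

With matching channels only $r_{C_{AI}}(D)$ and $s_{C_{BO}}(D)$ remain observable; when a send and its read name different channels, the encapsulated actions can never synchronize and the run stops in $\delta$ after $r_{C_{AI}}(D)$.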

7.7 Denning-Sacco Protocol

The Denning-Sacco protocol shown in Figure 20 uses asymmetric keys and symmetric keys for secure communication, that is, the key $k_{AB}$ between Alice and Bob is privately shared between Alice and Bob, and Alice’s, Bob’s and Trent’s public keys $pk_A$, $pk_B$ and $pk_T$ can be publicly obtained.

Figure 20: Denning-Sacco protocol

The process of the protocol is as follows.

1. Alice receives some messages $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$), if $k_{AB}$ is not established, she sends $A,B$ to Trent through the channel $C_{AT}$ (the corresponding sending action is denoted $s_{C_{AT}}(A,B)$);

2. Trent receives $A,B$ through the channel $C_{AT}$ (the corresponding reading action is denoted $r_{C_{AT}}(A,B)$), he signs Alice’s and Bob’s public keys $pk_A$ and $pk_B$ through the actions $sign_{sk_T}(A,pk_A)$ and $sign_{sk_T}(B,pk_B)$, and sends the signatures to Alice through the channel $C_{TA}$ (the corresponding sending action is denoted $s_{C_{TA}}(SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))$);

3. Alice receives the message from Trent through the channel $C_{TA}$ (the corresponding reading action is denoted $r_{C_{TA}}(SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))$), she de-signs $SIGN_{sk_T}(B,pk_B)$ through an action $\text{de-sign}_{pk_T}(SIGN_{sk_T}(B,pk_B))$ to get $pk_B$, generates a random session key $k_{AB}$ through an action $rsg_{k_{AB}}$, signs $A,B,k_{AB},T_A$ through an action $sign_{sk_A}(A,B,k_{AB},T_A)$, and encrypts the signature by $pk_B$ through an action $enc_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A))$, then sends $ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))$);

4. Bob receives $ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)$ from Alice (the corresponding reading action is denoted $r_{C_{AB}}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))$), he de-signs $SIGN_{sk_T}(A,pk_A)$ through an action $\text{de-sign}_{pk_T}(SIGN_{sk_T}(A,pk_A))$ to get $pk_A$, decrypts $ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A))$ through an action $dec_{sk_B}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)))$ and de-signs $SIGN_{sk_A}(A,B,k_{AB},T_A)$ through an action $\text{de-sign}_{pk_A}(SIGN_{sk_A}(A,B,k_{AB},T_A))$ to get $k_{AB}$ and $T_A$, if $isValid(T_A)=TRUE$, he generates a random number $R_D$ through an action $rsg_{R_D}$, encrypts $R_D$ by $k_{AB}$ through an action $enc_{k_{AB}}(R_D)$, and sends it to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(ENC_{k_{AB}}(R_D))$), else if $isValid(T_A)=FALSE$, he sends $ENC_{k_{AB}}(\bot)$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(ENC_{k_{AB}}(\bot))$);

5. Alice receives $ENC_{k_{AB}}(d_{BA})$ from Bob (the corresponding reading action is denoted $r_{C_{BA}}(ENC_{k_{AB}}(d_{BA}))$), if $d_{BA}=\bot$, she sends $ENC_{k_{AB}}(\bot)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{AB}}(\bot))$); else if $d_{BA}\neq\bot$, if $isFresh(d_{BA})=TRUE$, she generates a random number $R'_D$ through an action $rsg_{R'_D}$, encrypts $R'_D,D$ by $k_{AB}$ through an action $enc_{k_{AB}}(R'_D,D)$, and sends it to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{AB}}(R'_D,D))$), else if $isFresh(d_{BA})=FALSE$, she sends $ENC_{k_{AB}}(\bot)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{AB}}(\bot))$);

6. Bob receives $ENC_{k_{AB}}(d'_{AB})$ from Alice (the corresponding reading action is denoted $r_{C_{AB}}(ENC_{k_{AB}}(d'_{AB}))$), if $d'_{AB}=\bot$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$); else if $d'_{AB}\neq\bot$, if $isFresh(d_{R'_D})=TRUE$, he sends $D$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(D)$), else if $isFresh(d'_{R_D})=FALSE$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$).

Where $D\in\Delta$, $\Delta$ is the set of data.

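Alice’s state transitions described by $APTC_G$ are as follows.

$$
\begin{aligned}
A &= \sum_{D\in\Delta} r_{C_{AI}}(D)\cdot A_2\\
A_2 &= \{k_{AB}=NULL\}\cdot A_3+\{k_{AB}\neq NULL\}\cdot A_{13}\\
A_3 &= s_{C_{AT}}(A,B)\cdot A_4\\
A_4 &= r_{C_{TA}}(SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))\cdot A_5\\
A_5 &= \text{de-sign}_{pk_T}(SIGN_{sk_T}(B,pk_B))\cdot A_6\\
A_6 &= rsg_{k_{AB}}\cdot A_7\\
A_7 &= sign_{sk_A}(A,B,k_{AB},T_A)\cdot A_8\\
A_8 &= enc_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A))\cdot A_9\\
A_9 &= s_{C_{AB}}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))\cdot A_{10}\\
A_{10} &= r_{C_{BA}}(ENC_{k_{AB}}(d_{BA}))\cdot A_{11}\\
A_{11} &= \{d_{BA}\neq\bot\}\cdot A_{12}+\{d_{BA}=\bot\}\cdot s_{C_{AB}}(ENC_{k_{AB}}(\bot))\cdot A\\
A_{12} &= \{isFresh(d_{BA})=TRUE\}\cdot A_{13}+\{isFresh(d_{BA})=FALSE\}\cdot s_{C_{AB}}(ENC_{k_{AB}}(\bot))\cdot A\\
A_{13} &= rsg_{R'_D}\cdot A_{14}\\
A_{14} &= enc_{k_{AB}}(R'_D,D)\cdot A_{15}\\
A_{15} &= s_{C_{AB}}(ENC_{k_{AB}}(R'_D,D))\cdot A
\end{aligned}
$$

Bob’s state transitions described by $APTC_G$ are as follows.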

$$
\begin{aligned}
B &= \{k_{AB}=NULL\}\cdot B_1+\{k_{AB}\neq NULL\}\cdot B_9\\
B_1 &= r_{C_{AB}}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))\cdot B_2\\
B_2 &= \text{de-sign}_{pk_T}(SIGN_{sk_T}(A,pk_A))\cdot B_3\\
B_3 &= dec_{sk_B}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)))\cdot B_4\\
B_4 &= \text{de-sign}_{pk_A}(SIGN_{sk_A}(A,B,k_{AB},T_A))\cdot B_5\\
B_5 &= \{isValid(T_A)=TRUE\}\cdot B_6+\{isValid(T_A)=FALSE\}\cdot s_{C_{BA}}(ENC_{k_{AB}}(\bot))\cdot B_9\\
B_6 &= rsg_{R_D}\cdot B_7\\
B_7 &= enc_{k_{AB}}(R_D)\cdot B_8\\
B_8 &= s_{C_{BA}}(ENC_{k_{AB}}(d_{BA}))\cdot B_9\\
B_9 &= r_{C_{AB}}(ENC_{k_{AB}}(d'_{AB}))\cdot B_{10}\\
B_{10} &= dec_{k_{AB}}(ENC_{k_{AB}}(d'_{AB}))\cdot B_{11}\\
B_{11} &= \{d'_{AB}=\bot\}\cdot s_{C_{BO}}(\bot)\cdot B+\{d'_{AB}\neq\bot\}\cdot B_{12}\\
B_{12} &= \{isFresh(d_{R'_D})=FALSE\}\cdot s_{C_{BO}}(\bot)\cdot B+\{isFresh(d_{R'_D})=TRUE\}\cdot B_{13}\\
B_{13} &= s_{C_{BO}}(D)\cdot B
\end{aligned}
$$

Trent’s state transitions described by $APTC_G$ are as follows.

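$$
\begin{aligned}
T &= r_{C_{AT}}(A,B)\cdot T_2\\
T_2 &= sign_{sk_T}(A,pk_A)\cdot T_3\\
T_3 &= sign_{sk_T}(B,pk_B)\cdot T_4\\
T_4 &= s_{C_{TA}}(SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))\cdot T
\end{aligned}
$$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock $\delta$ is caused. We define the following communication functions.

$$
\begin{aligned}
&\gamma(r_{C_{AT}}(A,B),s_{C_{AT}}(A,B))\triangleq c_{C_{AT}}(A,B)\\
&\gamma(r_{C_{TA}}(SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)),s_{C_{TA}}(SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)))\\
&\qquad\triangleq c_{C_{TA}}(SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))\\
&\gamma(r_{C_{AB}}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)),\\
&\qquad s_{C_{AB}}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)))\\
&\qquad\triangleq c_{C_{AB}}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))\\
&\gamma(r_{C_{BA}}(ENC_{k_{AB}}(d_{BA})),s_{C_{BA}}(ENC_{k_{AB}}(d_{BA})))\triangleq c_{C_{BA}}(ENC_{k_{AB}}(d_{BA}))\\
&\gamma(r_{C_{AB}}(ENC_{k_{AB}}(d'_{AB})),s_{C_{AB}}(ENC_{k_{AB}}(d'_{AB})))\triangleq c_{C_{AB}}(ENC_{k_{AB}}(d'_{AB}))
\end{aligned}
$$

Let all modules be in parallel, then the protocol A B T can be presented by the following process term.

$$\tau_I(\partial_H(\Theta(A\between B\between T)))=\tau_I(\partial_H(A\between B\between T))$$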

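where

$$
\begin{aligned}
H=\{&r_{C_{AT}}(A,B),s_{C_{AT}}(A,B),r_{C_{BA}}(ENC_{k_{AB}}(d_{BA})),s_{C_{BA}}(ENC_{k_{AB}}(d_{BA})),\\
&r_{C_{AB}}(ENC_{k_{AB}}(d'_{AB})),s_{C_{AB}}(ENC_{k_{AB}}(d'_{AB})),\\
&r_{C_{TA}}(SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)),s_{C_{TA}}(SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)),\\
&r_{C_{AB}}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)),\\
&s_{C_{AB}}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B))\mid D\in\Delta\},
\end{aligned}
$$

$$
\begin{aligned}
I=\{&c_{C_{AT}}(A,B),c_{C_{BA}}(ENC_{k_{AB}}(d_{BA})),c_{C_{AB}}(ENC_{k_{AB}}(d'_{AB})),\\
&c_{C_{TA}}(SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)),\\
&c_{C_{AB}}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),SIGN_{sk_T}(A,pk_A),SIGN_{sk_T}(B,pk_B)),\\
&\{k_{AB}=NULL\},\{k_{AB}\neq NULL\},\text{de-sign}_{pk_T}(SIGN_{sk_T}(B,pk_B)),\\
&rsg_{k_{AB}},sign_{sk_A}(A,B,k_{AB},T_A),enc_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A)),\\
&\{isFresh(d_{BA})=TRUE\},\{isFresh(d_{BA})=FALSE\},\{d_{BA}\neq\bot\},\{d_{BA}=\bot\},\\
&rsg_{R'_D},enc_{k_{AB}}(R'_D,D),\text{de-sign}_{pk_T}(SIGN_{sk_T}(A,pk_A)),\\
&dec_{sk_B}(ENC_{pk_B}(SIGN_{sk_A}(A,B,k_{AB},T_A))),\text{de-sign}_{pk_A}(SIGN_{sk_A}(A,B,k_{AB},T_A)),\\
&\{isValid(T_A)=TRUE\},\{isValid(T_A)=FALSE\},rsg_{R_D},enc_{k_{AB}}(R_D),\\
&dec_{k_{AB}}(ENC_{k_{AB}}(d'_{AB})),\{d'_{AB}=\bot\},\{d'_{AB}\neq\bot\},\{isFresh(d_{R'_D})=TRUE\},\\
&\{isFresh(d_{R'_D})=FALSE\},sign_{sk_T}(A,pk_A),sign_{sk_T}(B,pk_B)\mid D\in\Delta\}.
\end{aligned}
$$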

Then we get the following conclusion on the protocol.


Theorem 7.7. The Denning-Sacco protocol in Figure 20 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of $APTC_G$, we can prove that

$$\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot(s_{C_{BO}}(\bot)+s_{C_{BO}}(D)))\cdot\tau_I(\partial_H(A\between B\between T)).$$

For the details of proof, please refer to section 2.9, and we omit it.

That is, the Denning-Sacco protocol in Figure 20, $\tau_I(\partial_H(A\between B\between T))$, can exhibit desired external behaviors:

1. The modeling of confidentiality is similar to the protocol in section 4.10.2, and the Denning-Sacco protocol is confidential;

2. For the man-in-the-middle attack, because $pk_A$ and $pk_B$ are signed by Trent, the protocol would be $\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot s_{C_{BO}}(\bot))\cdot\tau_I(\partial_H(A\between B\between T))$, as desired, and the Denning-Sacco protocol can resist the man-in-the-middle attack;

3. For replay attack, the use of the time stamp $T_A$ and the random numbers $R_D$ and $R'_D$ makes that $\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot s_{C_{BO}}(\bot))\cdot\tau_I(\partial_H(A\between B\between T))$, as desired;

4. Without man-in-the-middle and replay attack, the protocol would be $\tau_I(\partial_H(A\between B\between T))=\sum_{D\in\Delta}(r_{C_{AI}}(D)\cdot s_{C_{BO}}(D))\cdot\tau_I(\partial_H(A\between B\between T))$, as desired;

5. The unexpected and non-technical leaking of $sk_A$, $sk_B$, $k_{AB}$, or their not being strong enough, or Trent being dishonest, are out of the scope of analyses of security protocols;

6. Malicious tampering and transmission errors are out of the scope of analyses of security protocols.

7.8 DASS Protocol

The DASS (Distributed Authentication Security Service) protocol shown in Figure 21 uses asymmetric keys and symmetric keys for secure communication, that is, the key $k_{AB}$ between Alice and Bob is privately shared between Alice and Bob, and Alice’s, Bob’s and Trent’s public keys $pk_A$, $pk_B$ and $pk_T$ can be publicly obtained.

Figure 21: DASS protocol

The process of the protocol is as follows.

1. Alice receives some messages $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$), if $k_{AB}$ is not established, she sends $B$ to Trent through the channel $C_{AT}$ (the corresponding sending action is denoted $s_{C_{AT}}(B)$);

2. Trent receives $B$ through the channel $C_{AT}$ (the corresponding reading action is denoted $r_{C_{AT}}(B)$), he signs Bob’s public key $pk_B$ through the action $sign_{sk_T}(B,pk_B)$, and sends the signature to Alice through the channel $C_{TA}$ (the corresponding sending action is denoted $s_{C_{TA}}(SIGN_{sk_T}(B,pk_B))$);

3. Alice receives the message from Trent through the channel $C_{TA}$ (the corresponding reading action is denoted $r_{C_{TA}}(SIGN_{sk_T}(B,pk_B))$), she de-signs $SIGN_{sk_T}(B,pk_B)$ through an action $\text{de-sign}_{pk_T}(SIGN_{sk_T}(B,pk_B))$ to get $pk_B$, generates a random session key $k_{AB}$ through an action $rsg_{k_{AB}}$, generates a public key $pk_P$ through an action $rsg_{pk_P}$ and generates a private key $sk_P$ through an action $rsg_{sk_P}$, signs $L,A,k_{AB},sk_P,pk_P$ through an action $sign_{sk_A}(L,A,k_{AB},sk_P,pk_P)$ where $L$ is the life cycle of $k_{AB}$, and encrypts the time stamp $T_A$ by $k_{AB}$ through an action $enc_{k_{AB}}(T_A)$, encrypts $k_{AB}$ by $pk_B$ through an action $enc_{pk_B}(k_{AB})$ and then re-encrypts it by $sk_P$ through an action $enc_{sk_P}(ENC_{pk_B}(k_{AB}))$, then sends $ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB}))$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB})))$);

4. Bob receives $ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB}))$ from Alice (the corresponding reading action is denoted $r_{C_{AB}}(ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB})))$), he sends the name of Alice $A$ to Trent through the channel $C_{BT}$ (the corresponding sending action is denoted $s_{C_{BT}}(A)$);

5. Trent receives the name of Alice $A$ from Bob through the channel $C_{BT}$ (the corresponding reading action is denoted $r_{C_{BT}}(A)$), signs $A$ and $pk_A$ through an action $sign_{sk_T}(A,pk_A)$, and sends the signature $SIGN_{sk_T}(A,pk_A)$ to Bob through the channel $C_{TB}$ (the corresponding sending action is denoted $s_{C_{TB}}(SIGN_{sk_T}(A,pk_A))$);

6. Bob receives the signature from Trent through the channel $C_{TB}$ (the corresponding reading action is denoted $r_{C_{TB}}(SIGN_{sk_T}(A,pk_A))$), he de-signs $SIGN_{sk_T}(A,pk_A)$ through an action $\text{de-sign}_{pk_T}(SIGN_{sk_T}(A,pk_A))$ to get $pk_A$, de-signs $SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P)$ through an action $\text{de-sign}_{pk_A}(SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P))$ and decrypts $ENC_{sk_P}(ENC_{pk_B}(k_{AB}))$ and $ENC_{k_{AB}}(T_A)$ through an action $dec_{pk_P}(ENC_{sk_P}(ENC_{pk_B}(k_{AB})))$ and an action $dec_{sk_B}(ENC_{pk_B}(k_{AB}))$ and an action $dec_{k_{AB}}(T_A)$ to get $k_{AB}$ and $T_A$, if $isValid(T_A)=TRUE$, he encrypts the time stamp $T_B$ by $k_{AB}$ through an action $enc_{k_{AB}}(T_B)$, and sends it to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(ENC_{k_{AB}}(T_B))$), else if $isValid(T_A)=FALSE$, he sends $ENC_{k_{AB}}(\bot)$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(ENC_{k_{AB}}(\bot))$);

7. Alice receives $ENC_{k_{AB}}(d_{BA})$ from Bob (the corresponding reading action is denoted $r_{C_{BA}}(ENC_{k_{AB}}(d_{BA}))$), if $d_{BA}=\bot$, she sends $ENC_{k_{AB}}(\bot)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{AB}}(\bot))$); else if $d_{BA}\neq\bot$, if $isFresh(d_{BA})=TRUE$, she generates a random number $R_D$ through an action $rsg_{R_D}$, encrypts $R_D,D$ by $k_{AB}$ through an action $enc_{k_{AB}}(R_D,D)$, and sends it to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{AB}}(R_D,D))$), else if $isFresh(d_{BA})=FALSE$, she sends $ENC_{k_{AB}}(\bot)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{AB}}(\bot))$);

8. Bob receives $ENC_{k_{AB}}(d_{AB})$ from Alice (the corresponding reading action is denoted $r_{C_{AB}}(ENC_{k_{AB}}(d_{AB}))$), if $d_{AB}=\bot$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$); else if $d_{AB}\neq\bot$, if $isFresh(d_{R_D})=TRUE$, he sends $D$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(D)$), else if $isFresh(d_{R_D})=FALSE$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$).

Where $D\in\Delta$, $\Delta$ is the set of data.

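Alice’s state transitions described by $APTC_G$ are as follows.

$$
\begin{aligned}
A &= \sum_{D\in\Delta} r_{C_{AI}}(D)\cdot A_2\\
A_2 &= \{k_{AB}=NULL\}\cdot A_3+\{k_{AB}\neq NULL\}\cdot A_{13}\\
A_3 &= s_{C_{AT}}(B)\cdot A_4\\
A_4 &= r_{C_{TA}}(SIGN_{sk_T}(B,pk_B))\cdot A_5\\
A_5 &= \text{de-sign}_{pk_T}(SIGN_{sk_T}(B,pk_B))\cdot A_6\\
A_6 &= (rsg_{k_{AB}}\parallel rsg_{pk_P}\parallel rsg_{sk_P})\cdot A_7\\
A_7 &= sign_{sk_A}(L,A,k_{AB},sk_P,pk_P)\cdot A_8\\
A_8 &= (enc_{sk_P}(ENC_{pk_B}(k_{AB}))\parallel enc_{k_{AB}}(T_A))\cdot A_9\\
A_9 &= s_{C_{AB}}(ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB})))\cdot A_{10}\\
A_{10} &= r_{C_{BA}}(ENC_{k_{AB}}(d_{BA}))\cdot A_{11}\\
A_{11} &= \{d_{BA}\neq\bot\}\cdot A_{12}+\{d_{BA}=\bot\}\cdot s_{C_{AB}}(ENC_{k_{AB}}(\bot))\cdot A\\
A_{12} &= \{isFresh(d_{BA})=TRUE\}\cdot A_{13}+\{isFresh(d_{BA})=FALSE\}\cdot s_{C_{AB}}(ENC_{k_{AB}}(\bot))\cdot A\\
A_{13} &= rsg_{R_D}\cdot A_{14}\\
A_{14} &= enc_{k_{AB}}(R_D,D)\cdot A_{15}\\
A_{15} &= s_{C_{AB}}(ENC_{k_{AB}}(R_D,D))\cdot A
\end{aligned}
$$

Bob’s state transitions described by $APTC_G$ are as follows.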

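$$
\begin{aligned}
B &= \{k_{AB}=NULL\}\cdot B_1+\{k_{AB}\neq NULL\}\cdot B_{11}\\
B_1 &= r_{C_{AB}}(ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB})))\cdot B_2\\
B_2 &= s_{C_{BT}}(A)\cdot B_3\\
B_3 &= r_{C_{TB}}(SIGN_{sk_T}(A,pk_A))\cdot B_4\\
B_4 &= \text{de-sign}_{pk_T}(SIGN_{sk_T}(A,pk_A))\cdot B_5\\
B_5 &= \text{de-sign}_{pk_A}(SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P))\cdot B_6\\
B_6 &= (dec_{pk_P}(ENC_{sk_P}(ENC_{pk_B}(k_{AB})))\parallel dec_{sk_B}(ENC_{pk_B}(k_{AB}))\parallel dec_{k_{AB}}(T_A))\cdot B_7\\
B_7 &= \{isValid(T_A)=TRUE\}\cdot B_8+\{isValid(T_A)=FALSE\}\cdot s_{C_{BA}}(ENC_{k_{AB}}(\bot))\cdot B_{11}\\
B_8 &= rsg_{T_B}\cdot B_9\\
B_9 &= enc_{k_{AB}}(T_B)\cdot B_{10}\\
B_{10} &= s_{C_{BA}}(ENC_{k_{AB}}(d_{BA}))\cdot B_{11}\\
B_{11} &= r_{C_{AB}}(ENC_{k_{AB}}(d_{AB}))\cdot B_{12}\\
B_{12} &= dec_{k_{AB}}(ENC_{k_{AB}}(d_{AB}))\cdot B_{13}\\
B_{13} &= \{d_{AB}=\bot\}\cdot s_{C_{BO}}(\bot)\cdot B+\{d_{AB}\neq\bot\}\cdot B_{14}\\
B_{14} &= \{isFresh(d_{R_D})=FALSE\}\cdot s_{C_{BO}}(\bot)\cdot B+\{isFresh(d_{R_D})=TRUE\}\cdot B_{15}\\
B_{15} &= s_{C_{BO}}(D)\cdot B
\end{aligned}
$$

Trent’s state transitions described by $APTC_G$ are as follows.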

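$$
\begin{aligned}
T &= r_{C_{AT}}(B)\cdot T_2\\
T_2 &= sign_{sk_T}(B,pk_B)\cdot T_3\\
T_3 &= s_{C_{TA}}(SIGN_{sk_T}(B,pk_B))\cdot T_4\\
T_4 &= r_{C_{BT}}(A)\cdot T_5\\
T_5 &= sign_{sk_T}(A,pk_A)\cdot T_6\\
T_6 &= s_{C_{TA}}(SIGN_{sk_T}(A,pk_A))\cdot T
\end{aligned}
$$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock $\delta$ is caused. We define the following communication functions.

$$
\begin{aligned}
&\gamma(r_{C_{AT}}(B),s_{C_{AT}}(B))\triangleq c_{C_{AT}}(B)\\
&\gamma(r_{C_{BT}}(A),s_{C_{AT}}(A))\triangleq c_{C_{AT}}(A)\\
&\gamma(r_{C_{TA}}(SIGN_{sk_T}(B,pk_B)),s_{C_{TA}}(SIGN_{sk_T}(B,pk_B)))\triangleq c_{C_{TA}}(SIGN_{sk_T}(B,pk_B))\\
&\gamma(r_{C_{TB}}(SIGN_{sk_T}(A,pk_A)),s_{C_{TB}}(SIGN_{sk_T}(A,pk_A)))\triangleq c_{C_{TB}}(SIGN_{sk_T}(A,pk_A))\\
&\gamma(r_{C_{AB}}(ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB}))),\\
&\qquad s_{C_{AB}}(ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB}))))\\
&\qquad\triangleq c_{C_{AB}}(ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB})))\\
&\gamma(r_{C_{BA}}(ENC_{k_{AB}}(d_{BA})),s_{C_{BA}}(ENC_{k_{AB}}(d_{BA})))\triangleq c_{C_{BA}}(ENC_{k_{AB}}(d_{BA}))\\
&\gamma(r_{C_{AB}}(ENC_{k_{AB}}(d_{AB})),s_{C_{AB}}(ENC_{k_{AB}}(d_{AB})))\triangleq c_{C_{AB}}(ENC_{k_{AB}}(d_{AB}))
\end{aligned}
$$

Let all modules be in parallel, then the protocol A B T can be presented by the following process term.

$$\tau_I(\partial_H(\Theta(A\between B\between T)))=\tau_I(\partial_H(A\between B\between T))$$

where

$$
\begin{aligned}
H=\{&r_{C_{AT}}(B),s_{C_{AT}}(B),r_{C_{BT}}(A),s_{C_{BT}}(A),r_{C_{BA}}(ENC_{k_{AB}}(d_{BA})),s_{C_{BA}}(ENC_{k_{AB}}(d_{BA})),\\
&r_{C_{AB}}(ENC_{k_{AB}}(d_{AB})),s_{C_{AB}}(ENC_{k_{AB}}(d_{AB})),\\
&r_{C_{TA}}(SIGN_{sk_T}(B,pk_B)),s_{C_{TA}}(SIGN_{sk_T}(B,pk_B)),\\
&r_{C_{TB}}(SIGN_{sk_T}(A,pk_A)),s_{C_{TB}}(SIGN_{sk_T}(A,pk_A)),\\
&r_{C_{AB}}(ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB}))),\\
&s_{C_{AB}}(ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB})))\mid D\in\Delta\},
\end{aligned}
$$

$$
\begin{aligned}
I=\{&c_{C_{AT}}(B),c_{C_{BT}}(A),c_{C_{BA}}(ENC_{k_{AB}}(d_{BA})),c_{C_{AB}}(ENC_{k_{AB}}(d_{AB})),\\
&c_{C_{TA}}(SIGN_{sk_T}(B,pk_B)),c_{C_{TB}}(SIGN_{sk_T}(A,pk_A)),\\
&c_{C_{AB}}(ENC_{k_{AB}}(T_A),SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P),ENC_{sk_P}(ENC_{pk_B}(k_{AB}))),\\
&\{k_{AB}=NULL\},\{k_{AB}\neq NULL\},\text{de-sign}_{pk_T}(SIGN_{sk_T}(B,pk_B)),\\
&rsg_{k_{AB}},rsg_{pk_P},rsg_{sk_P},sign_{sk_A}(L,A,k_{AB},sk_P,pk_P),enc_{sk_P}(ENC_{pk_B}(k_{AB})),enc_{k_{AB}}(T_A),\\
&\{isFresh(d_{BA})=TRUE\},\{isFresh(d_{BA})=FALSE\},\{d_{BA}\neq\bot\},\{d_{BA}=\bot\},\\
&rsg_{R_D},enc_{k_{AB}}(R_D,D),\text{de-sign}_{pk_T}(SIGN_{sk_T}(A,pk_A)),\\
&dec_{sk_B}(ENC_{pk_B}(SIGN_{sk_A}(L,A,k_{AB},sk_P,pk_P))),dec_{pk_P}(ENC_{sk_P}(ENC_{pk_B}(k_{AB}))),\\
&dec_{sk_B}(ENC_{pk_B}(k_{AB})),dec_{k_{AB}}(T_A),\\
&\{isValid(T_A)=TRUE\},\{isValid(T_A)=FALSE\},rsg_{R_D},enc_{k_{AB}}(R_D),\\
&dec_{k_{AB}}(ENC_{k_{AB}}(d_{AB})),\{d'_{AB}=\bot\},\{d_{AB}\neq\bot\},\{isFresh(d_{R_D})=TRUE\},\\
&\{isFresh(d_{R_D})=FALSE\},sign_{sk_T}(A,pk_A),sign_{sk_T}(B,pk_B)\mid D\in\Delta\}.
\end{aligned}
$$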

Then we get the following conclusion on the protocol.

Theorem 7.8. The DASS protocol in Figure 21 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of $APTC_G$, we can prove that

$\tau_I(\partial_H(A \between B \between T)) = \sum_{D\in\Delta}(r_{C_{AI}}(D) \cdot (s_{C_{BO}}(\bot) + s_{C_{BO}}(D))) \cdot \tau_I(\partial_H(A \between B \between T))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the DASS protocol in Figure 21, $\tau_I(\partial_H(A \between B \between T))$, can exhibit the desired external behaviors:

1. For the modeling of confidentiality, it is similar to the protocol in section 4.10.2; the DASS protocol is confidential;

2. For the man-in-the-middle attack, because $pk_A$ and $pk_B$ are signed by Trent, the protocol would be $\tau_I(\partial_H(A \between B \between T)) = \sum_{D\in\Delta}(r_{C_{AI}}(D) \cdot s_{C_{BO}}(\bot)) \cdot \tau_I(\partial_H(A \between B \between T))$, which is desired; the DASS protocol resists the man-in-the-middle attack;

3. For the replay attack, the use of the time stamps $T_A$, $T_B$ and the random number $R_D$ makes $\tau_I(\partial_H(A \between B \between T)) = \sum_{D\in\Delta}(r_{C_{AI}}(D) \cdot s_{C_{BO}}(\bot)) \cdot \tau_I(\partial_H(A \between B \between T))$, which is desired;

4. Without man-in-the-middle and replay attacks, the protocol would be $\tau_I(\partial_H(A \between B \between T)) = \sum_{D\in\Delta}(r_{C_{AI}}(D) \cdot s_{C_{BO}}(D)) \cdot \tau_I(\partial_H(A \between B \between T))$, which is desired;

5. The unexpected and non-technical leaking of $sk_A$, $sk_B$, $k_{AB}$, their not being strong enough, or Trent being dishonest are out of the scope of analyses of security protocols;

6. Malicious tampering and transmission errors are out of the scope of analyses of security protocols.

Figure 22: Woo-Lam protocol

7.9 Woo-Lam Protocol

The Woo-Lam protocol shown in Figure 22 uses asymmetric keys and symmetric keys for secure communication, that is, the key $k_{AB}$ between Alice and Bob is privately shared by Alice and Bob, while Alice's, Bob's and Trent's public keys $pk_A$, $pk_B$ and $pk_T$ can be obtained publicly.

The process of the protocol is as follows.

1. Alice receives some messages $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$); if $k_{AB}$ is not established, she sends $A,B$ to Trent through the channel $C_{AT}$ (the corresponding sending action is denoted $s_{C_{AT}}(A,B)$);

2. Trent receives $A,B$ through the channel $C_{AT}$ (the corresponding reading action is denoted $r_{C_{AT}}(A,B)$), he signs Bob's public key $pk_B$ through the action $sign_{sk_T}(pk_B)$, and sends the signature to Alice through the channel $C_{TA}$ (the corresponding sending action is denoted $s_{C_{TA}}(SIGN_{sk_T}(pk_B))$);

3. Alice receives the message from Trent through the channel $C_{TA}$ (the corresponding reading action is denoted $r_{C_{TA}}(SIGN_{sk_T}(pk_B))$), she de-signs $SIGN_{sk_T}(pk_B)$ through an action $de\text{-}sign_{pk_T}(SIGN_{sk_T}(pk_B))$ to get $pk_B$, generates a random number $R_A$ through an action $rsg_{R_A}$ and encrypts $A,R_A$ by $pk_B$ through an action $enc_{pk_B}(A,R_A)$, and sends $ENC_{pk_B}(A,R_A)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{pk_B}(A,R_A))$);

4. Bob receives $ENC_{pk_B}(A,R_A)$ from Alice (the corresponding reading action is denoted $r_{C_{AB}}(ENC_{pk_B}(A,R_A))$), he decrypts $ENC_{pk_B}(A,R_A)$ through an action $dec_{sk_B}(ENC_{pk_B}(A,R_A))$ to get $A$ and $R_A$, encrypts $R_A$ by $pk_T$ through an action $enc_{pk_T}(R_A)$, then sends $A,B,ENC_{pk_T}(R_A)$ to Trent through the channel $C_{BT}$ (the corresponding sending action is denoted $s_{C_{BT}}(A,B,ENC_{pk_T}(R_A))$);

5. Trent receives $A,B,ENC_{pk_T}(R_A)$ from Bob through the channel $C_{BT}$ (the corresponding reading action is denoted $r_{C_{BT}}(A,B,ENC_{pk_T}(R_A))$), he decrypts the message through an action $dec_{sk_T}(ENC_{pk_T}(R_A))$, signs $pk_A$ through an action $sign_{sk_T}(pk_A)$, generates a random session key $k_{AB}$ through an action $rsg_{k_{AB}}$ and signs $R_A,k_{AB},A,B$ through an action $sign_{sk_T}(R_A,k_{AB},A,B)$, encrypts $SIGN_{sk_T}(R_A,k_{AB},A,B)$ through an action $enc_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B))$ and sends them to Bob through the channel $C_{TB}$ (the corresponding sending action is denoted $s_{C_{TB}}(SIGN_{sk_T}(pk_A),ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B)))$);

6. Bob receives the signatures from Trent through the channel $C_{TB}$ (the corresponding reading action is denoted $r_{C_{TB}}(SIGN_{sk_T}(pk_A),ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B)))$), he de-signs $SIGN_{sk_T}(pk_A)$ through an action $de\text{-}sign_{pk_T}(SIGN_{sk_T}(pk_A))$ to get $pk_A$, decrypts $ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B))$ through an action $dec_{sk_B}(ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B)))$, generates a random number $R_B$ through an action $rsg_{R_B}$, encrypts them through an action $enc_{pk_A}(SIGN_{sk_T}(R_A,k_{AB},A,B),R_B)$ and sends $ENC_{pk_A}(SIGN_{sk_T}(R_A,k_{AB},A,B),R_B)$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(ENC_{pk_A}(SIGN_{sk_T}(R_A,k_{AB},A,B),R_B))$);

7. Alice receives $ENC_{pk_A}(SIGN_{sk_T}(d_{R_A},k_{AB},A,B),R_B)$ from Bob (the corresponding reading action is denoted $r_{C_{BA}}(ENC_{pk_A}(SIGN_{sk_T}(d_{R_A},k_{AB},A,B),R_B))$), she decrypts the message through an action $dec_{sk_A}(ENC_{pk_A}(SIGN_{sk_T}(R_A,k_{AB},A,B),R_B))$, de-signs $SIGN_{sk_T}(R_A,k_{AB},A,B)$ through an action $de\text{-}sign_{pk_T}(SIGN_{sk_T}(R_A,k_{AB},A,B))$; if $d_{R_A} \neq R_A$, she sends $ENC_{k_{AB}}(\bot)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{AB}}(\bot))$); else if $d_{R_A} = R_A$, she encrypts $R_B,D$ by $k_{AB}$ through an action $enc_{k_{AB}}(R_B,D)$, and sends it to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{k_{AB}}(R_B,D))$);

8. Bob receives $ENC_{k_{AB}}(d_{AB})$ from Alice (the corresponding reading action is denoted $r_{C_{AB}}(ENC_{k_{AB}}(d_{AB}))$); if $d_{AB} = \bot$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$); else if $d_{AB} \neq \bot$, if $d_{R_B} = R_B$, he sends $D$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(D)$), else if $d_{R_B} \neq R_B$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$).

Where $D \in \Delta$, $\Delta$ is the set of data.

Alice's state transitions described by $APTC_G$ are as follows.

$A = \sum_{D\in\Delta} r_{C_{AI}}(D) \cdot A_2$

$A_2 = \{k_{AB} = NULL\} \cdot A_3 + \{k_{AB} \neq NULL\} \cdot A_9$

$A_3 = s_{C_{AT}}(A,B) \cdot A_4$

$A_4 = r_{C_{TA}}(SIGN_{sk_T}(pk_B)) \cdot A_5$

$A_5 = de\text{-}sign_{pk_T}(SIGN_{sk_T}(pk_B)) \cdot A_6$

$A_6 = rsg_{R_A} \cdot A_7$

$A_7 = enc_{sk_P}(A,R_A) \cdot A_8$

$A_8 = s_{C_{AB}}(ENC_{sk_P}(A,R_A)) \cdot A_9$

$A_9 = r_{C_{BA}}(ENC_{pk_A}(SIGN_{sk_T}(d_{R_A},k_{AB},A,B),R_B)) \cdot A_{10}$

$A_{10} = \{d_{R_A} = R_A\} \cdot A_{11} + \{d_{R_A} \neq R_A\} \cdot s_{C_{AB}}(ENC_{k_{AB}}(\bot)) \cdot A$

$A_{11} = enc_{k_{AB}}(R_B,D) \cdot A_{12}$

$A_{12} = s_{C_{AB}}(ENC_{k_{AB}}(R_B,D)) \cdot A$

Bob's state transitions described by $APTC_G$ are as follows.

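$B = \{k_{AB} = NULL\} \cdot B_1 + \{k_{AB} \neq NULL\} \cdot B_{10}$

$B_1 = r_{C_{AB}}(ENC_{sk_P}(A,R_A)) \cdot B_2$

$B_2 = dec_{sk_B}(ENC_{pk_B}(A,R_A)) \cdot B_3$

$B_3 = s_{C_{BT}}(A,B,ENC_{pk_T}(R_A)) \cdot B_4$

$B_4 = r_{C_{TB}}(SIGN_{sk_T}(pk_A),ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B))) \cdot B_5$

$B_5 = de\text{-}sign_{pk_T}(SIGN_{sk_T}(pk_A)) \cdot B_6$

$B_6 = dec_{sk_B}(ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B))) \cdot B_7$

$B_7 = rsg_{R_B} \cdot B_8$

$B_8 = enc_{pk_A}(SIGN_{sk_T}(R_A,k_{AB},A,B),R_B) \cdot B_9$

$B_9 = s_{C_{BA}}(ENC_{pk_A}(SIGN_{sk_T}(R_A,k_{AB},A,B),R_B)) \cdot B_{10}$

$B_{10} = r_{C_{AB}}(ENC_{k_{AB}}(d_{AB})) \cdot B_{11}$

$B_{11} = dec_{k_{AB}}(ENC_{k_{AB}}(d_{AB})) \cdot B_{12}$

$B_{12} = \{d_{AB} = \bot\} \cdot s_{C_{BO}}(\bot) \cdot B + \{d_{AB} \neq \bot\} \cdot B_{13}$

$B_{13} = \{d_{R_B} \neq R_B\} \cdot s_{C_{BO}}(\bot) \cdot B + \{d_{R_B} = R_B\} \cdot B_{14}$

$B_{14} = s_{C_{BO}}(D) \cdot B$

Trent's state transitions described by $APTC_G$ are as follows.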

$T = r_{C_{AT}}(A,B) \cdot T_2$

$T_2 = sign_{sk_T}(pk_B) \cdot T_3$

$T_3 = s_{C_{TA}}(SIGN_{sk_T}(pk_B)) \cdot T_4$

$T_4 = r_{C_{BT}}(A,B,ENC_{pk_T}(R_A)) \cdot T_5$

$T_5 = dec_{sk_T}(ENC_{pk_T}(R_A)) \cdot T_6$

$T_6 = sign_{sk_T}(pk_A) \cdot T_7$

$T_7 = rsg_{k_{AB}} \cdot T_8$

$T_8 = sign_{sk_T}(R_A,k_{AB},A,B) \cdot T_9$

$T_9 = enc_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B)) \cdot T_{10}$

$T_{10} = s_{C_{TB}}(SIGN_{sk_T}(pk_A),ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B))) \cdot T$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, they cause a deadlock $\delta$. We define the following communication functions.

$\gamma(r_{C_{AT}}(A,B), s_{C_{AT}}(A,B)) \triangleq c_{C_{AT}}(A,B)$

$\gamma(r_{C_{BT}}(A,B,ENC_{pk_T}(R_A)), s_{C_{AT}}(A,B,ENC_{pk_T}(R_A))) \triangleq c_{C_{AT}}(A,B,ENC_{pk_T}(R_A))$

$\gamma(r_{C_{TA}}(SIGN_{sk_T}(pk_B)), s_{C_{TA}}(SIGN_{sk_T}(pk_B))) \triangleq c_{C_{TA}}(SIGN_{sk_T}(pk_B))$

$\gamma(r_{C_{TB}}(SIGN_{sk_T}(pk_A),ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B))), s_{C_{TB}}(SIGN_{sk_T}(pk_A),ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B)))) \triangleq c_{C_{TB}}(SIGN_{sk_T}(A,pk_A))$

$\gamma(r_{C_{AB}}(ENC_{sk_P}(A,R_A)), s_{C_{AB}}(ENC_{sk_P}(A,R_A))) \triangleq c_{C_{AB}}(ENC_{sk_P}(A,R_A))$

$\gamma(r_{C_{BA}}(ENC_{pk_A}(SIGN_{sk_T}(d_{R_A},k_{AB},A,B),R_B)), s_{C_{BA}}(ENC_{pk_A}(SIGN_{sk_T}(d_{R_A},k_{AB},A,B),R_B))) \triangleq c_{C_{BA}}(ENC_{pk_A}(SIGN_{sk_T}(d_{R_A},k_{AB},A,B),R_B))$

$\gamma(r_{C_{AB}}(ENC_{k_{AB}}(R_B,D)), s_{C_{AB}}(ENC_{k_{AB}}(R_B,D))) \triangleq c_{C_{AB}}(ENC_{k_{AB}}(R_B,D))$

Let all modules be in parallel, then the protocol A B T can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A \between B \between T))) = \tau_I(\partial_H(A \between B \between T))$

where $H = \{r_{C_{AT}}(A,B), s_{C_{AT}}(A,B), r_{C_{BT}}(A,B,ENC_{pk_T}(R_A)), s_{C_{AT}}(A,B,ENC_{pk_T}(R_A)), r_{C_{TA}}(SIGN_{sk_T}(pk_B)), s_{C_{TA}}(SIGN_{sk_T}(pk_B)), r_{C_{TB}}(SIGN_{sk_T}(pk_A),ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B))), s_{C_{TB}}(SIGN_{sk_T}(pk_A),ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B))), r_{C_{AB}}(ENC_{sk_P}(A,R_A)), s_{C_{AB}}(ENC_{sk_P}(A,R_A)), r_{C_{BA}}(ENC_{pk_A}(SIGN_{sk_T}(d_{R_A},k_{AB},A,B),R_B)), s_{C_{BA}}(ENC_{pk_A}(SIGN_{sk_T}(d_{R_A},k_{AB},A,B),R_B)), r_{C_{AB}}(ENC_{k_{AB}}(R_B,D)), s_{C_{AB}}(ENC_{k_{AB}}(R_B,D)) \mid D \in \Delta\}$,

$I = \{c_{C_{AT}}(A,B), c_{C_{AT}}(A,B,ENC_{pk_T}(R_A)), c_{C_{TA}}(SIGN_{sk_T}(pk_B)), c_{C_{TB}}(SIGN_{sk_T}(A,pk_A)), c_{C_{AB}}(ENC_{sk_P}(A,R_A)), c_{C_{BA}}(ENC_{pk_A}(SIGN_{sk_T}(d_{R_A},k_{AB},A,B),R_B)), c_{C_{AB}}(ENC_{k_{AB}}(R_B,D)), \{k_{AB} = NULL\}, \{k_{AB} \neq NULL\}, de\text{-}sign_{pk_T}(SIGN_{sk_T}(pk_B)), rsg_{R_A}, enc_{sk_P}(A,R_A), \{d_{R_A} = R_A\}, \{d_{R_A} \neq R_A\}, enc_{k_{AB}}(R_B,D), dec_{sk_B}(ENC_{pk_B}(A,R_A)), dec_{sk_B}(ENC_{pk_B}(A,R_A)), de\text{-}sign_{pk_T}(SIGN_{sk_T}(pk_A)), dec_{sk_B}(ENC_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B))), rsg_{R_B}, enc_{pk_A}(SIGN_{sk_T}(R_A,k_{AB},A,B),R_B), dec_{k_{AB}}(ENC_{k_{AB}}(d_{AB})), \{d_{AB} = \bot\}, \{d_{AB} \neq \bot\}, \{d_{R_B} = R_B\}, \{d_{R_B} \neq R_B\}, sign_{sk_T}(pk_B), dec_{sk_T}(ENC_{pk_T}(R_A)), sign_{sk_T}(pk_A), rsg_{k_{AB}}, sign_{sk_T}(R_A,k_{AB},A,B), enc_{pk_B}(SIGN_{sk_T}(R_A,k_{AB},A,B)) \mid D \in \Delta\}$.

Then we get the following conclusion on the protocol.


Theorem 7.9. The Woo-Lam protocol in Figure 22 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of $APTC_G$, we can prove that

$\tau_I(\partial_H(A \between B \between T)) = \sum_{D\in\Delta}(r_{C_{AI}}(D) \cdot (s_{C_{BO}}(\bot) + s_{C_{BO}}(D))) \cdot \tau_I(\partial_H(A \between B \between T))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the Woo-Lam protocol in Figure 22, $\tau_I(\partial_H(A \between B \between T))$, can exhibit the desired external behaviors:

1. For the modeling of confidentiality, it is similar to the protocol in section 4.10.2; the Woo-Lam protocol is confidential;

2. For the man-in-the-middle attack, because $pk_A$ and $pk_B$ are signed by Trent, the protocol would be $\tau_I(\partial_H(A \between B \between T)) = \sum_{D\in\Delta}(r_{C_{AI}}(D) \cdot s_{C_{BO}}(\bot)) \cdot \tau_I(\partial_H(A \between B \between T))$, which is desired; the Woo-Lam protocol resists the man-in-the-middle attack;

3. For the replay attack, the use of the random numbers $R_A$, $R_B$ makes $\tau_I(\partial_H(A \between B \between T)) = \sum_{D\in\Delta}(r_{C_{AI}}(D) \cdot s_{C_{BO}}(\bot)) \cdot \tau_I(\partial_H(A \between B \between T))$, which is desired;

4. Without man-in-the-middle and replay attacks, the protocol would be $\tau_I(\partial_H(A \between B \between T)) = \sum_{D\in\Delta}(r_{C_{AI}}(D) \cdot s_{C_{BO}}(D)) \cdot \tau_I(\partial_H(A \between B \between T))$, which is desired;

5. The unexpected and non-technical leaking of $sk_A$, $sk_B$, $k_{AB}$, their not being strong enough, or Trent being dishonest are out of the scope of analyses of security protocols;

6. Malicious tampering and transmission errors are out of the scope of analyses of security protocols.

Figure 23: Secret splitting protocol

8 Analyses of Other Protocols

In this chapter, we will introduce some other useful security protocols, including secret splitting protocols in section 8.1, bit commitment protocols in section 8.2, and anonymous key distribution protocols in section 8.3.

8.1 Analyses of Secret Splitting Protocols

The hypothetical secret splitting protocol is shown in Figure 23. Trent receives a message and splits it into four parts, and the parts are sent to Alice, Bob, Carol and Dave, one each. Then Trent gathers the four parts from Alice, Bob, Carol and Dave and combines them into a message. If the combined message is the original message, he sends out the message.

The process of the protocol is as follows.

1. Trent receives some messages $D$ from the outside through the channel $C_{TI}$ (the corresponding reading action is denoted $r_{C_{TI}}(D)$), he generates three random numbers $R_1,R_2,R_3$ of equal length to $D$ through three actions $rsg_{R_1}$, $rsg_{R_2}$ and $rsg_{R_3}$ respectively. Then he does an XOR operation on the data $D$, $R_1$, $R_2$ and $R_3$ through an XOR action $xor(R_1,R_2,R_3,D)$ to get $R_4 = XOR(R_1,R_2,R_3,D)$, and he sends $R_1$, $R_2$, $R_3$, $R_4$ to Alice, Bob, Carol, and Dave through the channels $C_{TA}$, $C_{TB}$, $C_{TC}$ and $C_{TD}$ respectively (the corresponding sending actions are denoted $s_{C_{TA}}(R_1)$, $s_{C_{TB}}(R_2)$, $s_{C_{TC}}(R_3)$, $s_{C_{TD}}(R_4)$);

2. Alice receives $R_1$ from Trent through the channel $C_{TA}$ (the corresponding reading action is denoted $r_{C_{TA}}(R_1)$), she may store $R_1$; we assume that she sends $R_1$ to Trent immediately through the channel $C_{AT}$ (the corresponding sending action is denoted $s_{C_{AT}}(R_1)$);

3. Bob receives $R_2$ from Trent through the channel $C_{TB}$ (the corresponding reading action is denoted $r_{C_{TB}}(R_2)$), he may store $R_2$; we assume that he sends $R_2$ to Trent immediately through the channel $C_{BT}$ (the corresponding sending action is denoted $s_{C_{BT}}(R_2)$);

4. Carol receives $R_3$ from Trent through the channel $C_{TC}$ (the corresponding reading action is denoted $r_{C_{TC}}(R_3)$), she may store $R_3$; we assume that she sends $R_3$ to Trent immediately through the channel $C_{CT}$ (the corresponding sending action is denoted $s_{C_{CT}}(R_3)$);

5. Dave receives $R_4$ from Trent through the channel $C_{TD}$ (the corresponding reading action is denoted $r_{C_{TD}}(R_4)$), he may store $R_4$; we assume that he sends $R_4$ to Trent immediately through the channel $C_{DT}$ (the corresponding sending action is denoted $s_{C_{DT}}(R_4)$);

6. Trent receives $d_{R_1}$, $d_{R_2}$, $d_{R_3}$, and $d_{R_4}$ from Alice, Bob, Carol and Dave through the channels $C_{AT}$, $C_{BT}$, $C_{CT}$, and $C_{DT}$ respectively (the corresponding reading actions are denoted $r_{C_{AT}}(d_{R_1})$, $r_{C_{BT}}(d_{R_2})$, $r_{C_{CT}}(d_{R_3})$, $r_{C_{DT}}(d_{R_4})$), he does an XOR operation on the data $d_{R_1}$, $d_{R_2}$, $d_{R_3}$ and $d_{R_4}$ through an XOR action $xor(d_{R_1},d_{R_2},d_{R_3},d_{R_4})$ to get $D' = XOR(d_{R_1},d_{R_2},d_{R_3},d_{R_4})$; if $D = D'$, he sends $D$ to the outside through the channel $C_{TO}$ (the corresponding sending action is denoted $s_{C_{TO}}(D)$).

Where $D \in \Delta$, $\Delta$ is the set of data.

Trent's state transitions described by $APTC_G$ are as follows.

$T = \sum_{D\in\Delta} r_{C_{TI}}(D) \cdot T_2$

$T_2 = (rsg_{R_1} \parallel rsg_{R_2} \parallel rsg_{R_3}) \cdot T_3$

$T_3 = xor(R_1,R_2,R_3,D) \cdot T_4$

$T_4 = (s_{C_{TA}}(R_1) \parallel s_{C_{TB}}(R_2) \parallel s_{C_{TC}}(R_3) \parallel s_{C_{TD}}(R_4)) \cdot T_5$

$T_5 = (r_{C_{AT}}(d_{R_1}) \parallel r_{C_{BT}}(d_{R_2}) \parallel r_{C_{CT}}(d_{R_3}) \parallel r_{C_{DT}}(d_{R_4})) \cdot T_6$

$T_6 = xor(d_{R_1},d_{R_2},d_{R_3},d_{R_4}) \cdot T_7$

$T_7 = \{D = D'\} \cdot s_{C_{TO}}(D) \cdot T$

Alice's state transitions described by $APTC_G$ are as follows.

$A = r_{C_{TB}}(R_2) \cdot A_2$

$A_2 = s_{C_{BT}}(R_2) \cdot A$

Bob's state transitions described by $APTC_G$ are as follows.

$B = r_{C_{TB}}(R_2) \cdot B_2$

$B_2 = s_{C_{BT}}(R_2) \cdot B$

Carol's state transitions described by $APTC_G$ are as follows.

$C = r_{C_{TB}}(R_2) \cdot C_2$

$C_2 = s_{C_{BT}}(R_2) \cdot C$

Dave's state transitions described by $APTC_G$ are as follows.

$Da = r_{C_{TB}}(R_2) \cdot Da_2$

$Da_2 = s_{C_{BT}}(R_2) \cdot Da$

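The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, they cause a deadlock $\delta$. We define the following communication functions.

$\gamma(r_{C_{TA}}(R_1), s_{C_{TA}}(R_1)) \triangleq c_{C_{TA}}(R_1)$

$\gamma(r_{C_{TB}}(R_2), s_{C_{TB}}(R_2)) \triangleq c_{C_{TB}}(R_2)$

$\gamma(r_{C_{TC}}(R_3), s_{C_{TC}}(R_3)) \triangleq c_{C_{TC}}(R_3)$

$\gamma(r_{C_{TD}}(R_4), s_{C_{TD}}(R_4)) \triangleq c_{C_{TD}}(R_4)$

$\gamma(r_{C_{AT}}(d_{R_1}), s_{C_{AT}}(d_{R_1})) \triangleq c_{C_{AT}}(d_{R_1})$

$\gamma(r_{C_{BT}}(d_{R_2}), s_{C_{BT}}(d_{R_2})) \triangleq c_{C_{BT}}(d_{R_2})$

$\gamma(r_{C_{CT}}(d_{R_3}), s_{C_{CT}}(d_{R_3})) \triangleq c_{C_{CT}}(d_{R_3})$

$\gamma(r_{C_{DT}}(d_{R_4}), s_{C_{DT}}(d_{R_4})) \triangleq c_{C_{DT}}(d_{R_4})$

Let all modules be in parallel, then the protocol A B C Da T can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A \between B \between C \between Da \between T))) = \tau_I(\partial_H(A \between B \between C \between Da \between T))$

where $H = \{r_{C_{TA}}(R_1), s_{C_{TA}}(R_1), r_{C_{TB}}(R_2), s_{C_{TB}}(R_2), r_{C_{TC}}(R_3), s_{C_{TC}}(R_3), r_{C_{TD}}(R_4), s_{C_{TD}}(R_4), r_{C_{AT}}(d_{R_1}), s_{C_{AT}}(d_{R_1}), r_{C_{BT}}(d_{R_2}), s_{C_{BT}}(d_{R_2}), r_{C_{CT}}(d_{R_3}), s_{C_{CT}}(d_{R_3}), r_{C_{DT}}(d_{R_4}), s_{C_{DT}}(d_{R_4}) \mid D \in \Delta\}$,

$I = \{c_{C_{TA}}(R_1), c_{C_{TB}}(R_2), c_{C_{TC}}(R_3), c_{C_{TD}}(R_4), c_{C_{AT}}(d_{R_1}), c_{C_{BT}}(d_{R_2}), c_{C_{CT}}(d_{R_3}), c_{C_{DT}}(d_{R_4}), rsg_{R_1}, rsg_{R_2}, rsg_{R_3}, xor(R_1,R_2,R_3,D), xor(d_{R_1},d_{R_2},d_{R_3},d_{R_4}), \{D = D'\} \mid D \in \Delta\}$.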

Then we get the following conclusion on the protocol.

Theorem 8.1. The secret splitting protocol in Figure 23 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of $APTC_G$, we can prove that

$\tau_I(\partial_H(A \between B \between C \between Da \between T)) = \sum_{D\in\Delta}(r_{C_{TI}}(D) \cdot s_{C_{TO}}(D)) \cdot \tau_I(\partial_H(A \between B \between C \between Da \between T))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 23, $\tau_I(\partial_H(A \between B \between C \between Da \between T))$, can exhibit the desired external behaviors, and satisfies the main goal of secret splitting. It must be noted that the distribution and gathering of $R_1,R_2,R_3,R_4$ have no cryptographic assurance, so they can leak information.
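The XOR splitting and the guard $\{D = D'\}$ of section 8.1 can be run directly. The following Python sketch is an added example, not code from the paper; it generalizes the four-party case to any number of share holders, and the function names and the sample secret are assumptions made for the illustration.

```python
import hmac
import secrets
from functools import reduce


def xor_bytes(*blocks: bytes) -> bytes:
    """The xor(...) action: XOR equal-length byte strings together."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("need at least one block, all of equal length")
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def split(secret: bytes, parties: int = 4) -> list:
    """Steps T2-T4: draw parties-1 random pads, derive the last share by XOR."""
    if parties < 2:
        raise ValueError("need at least two share holders")
    pads = [secrets.token_bytes(len(secret)) for _ in range(parties - 1)]
    return pads + [xor_bytes(secret, *pads)]


def combine_and_release(secret: bytes, returned: list):
    """Steps T5-T7: recombine the returned shares and apply the guard {D = D'}.

    Returns D when the guard holds. The process term has no branch for
    D != D', so nothing is sent on C_TO in that case (None here).
    """
    candidate = xor_bytes(*returned)
    return candidate if hmac.compare_digest(candidate, secret) else None


def share_explaining(known: list, guess: bytes) -> bytes:
    """Given all shares but one, build the missing share that would make the
    XOR equal `guess`. One exists for every guess of the right length, so
    parties-1 shares rule out no candidate secret."""
    return xor_bytes(guess, *known)


def demo():
    secret = b"constructed demo secret"        # constructed sample input D
    r1, r2, r3, r4 = split(secret)
    honest = combine_and_release(secret, [r1, r2, r3, r4])
    # One holder returns a share with a single flipped bit.
    bad_r3 = bytes([r3[0] ^ 1]) + r3[1:]
    rejected = combine_and_release(secret, [r1, r2, bad_r3, r4])
    # Three holders pooling R1..R3 cannot exclude any other secret.
    guess = secret[::-1]
    fake_r4 = share_explaining([r1, r2, r3], guess)
    return honest, rejected, xor_bytes(r1, r2, r3, fake_r4) == guess


if __name__ == "__main__":
    print(demo())
```

The comparison in `combine_and_release` only detects a changed share; as the text notes, the channels themselves carry the shares without any cryptographic protection.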

8.2 Analyses of Bit Commitment Protocols

In this section, we will introduce analyses of bit commitment protocols. We introduce analyses of the bit commitment protocol based on symmetric cryptography in section 8.2.1, and of the bit commitment protocol based on a one-way function in section 8.2.2.

Figure 24: Bit commitment protocol 1

8.2.1 Bit Commitment Protocol 1

The protocol shown in Figure 24 uses symmetric cryptography to implement bit commitment.

The process of the protocol is as follows.

1. Bob receives some requests $D$ from the outside through the channel $C_{BI}$ (the corresponding reading action is denoted $r_{C_{BI}}(D)$), he generates a random sequence $R$ through an action $rsg_R$, then Bob sends $R$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(R)$);

2. Alice receives $R$ from Bob through the channel $C_{BA}$ (the corresponding reading action is denoted $r_{C_{BA}}(R)$), she generates the commitment $b$ through an action $rsg_b$ and generates a random key $k$ through an action $rsg_k$, encrypts $b$ and $R$ by $k$ through an action $enc_k(R,b)$, and sends $ENC_k(R,b)$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_k(R,b))$);

3. Bob receives the message $ENC_k(R,b)$ from Alice through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(ENC_k(R,b))$), he cannot decrypt the message for the absence of $k$; after some time, he sends a commitment release request $r$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(r)$);

4. Alice receives $r$ from Bob through the channel $C_{BA}$ (the corresponding reading action is denoted $r_{C_{BA}}(r)$), she sends $k$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(k)$);

5. Bob receives $k$ from Alice through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(k)$), he decrypts $ENC_k(d_R,b)$ through an action $dec_k(ENC_k(d_R,b))$; if $d_R = R$, he sends $b$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(b)$); else if $d_R \neq R$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$).

Where $D \in \Delta$, $\Delta$ is the set of data.

Alice's state transitions described by $APTC_G$ are as follows.

$A = r_{C_{BA}}(R) \cdot A_2$

$A_2 = rsg_b \cdot A_3$

$A_3 = rsg_k \cdot A_4$

$A_4 = s_{C_{AB}}(ENC_k(R,b)) \cdot A_5$

$A_5 = r_{C_{BA}}(r) \cdot A_6$

$A_6 = s_{C_{AB}}(k) \cdot A$

Bob's state transitions described by $APTC_G$ are as follows.

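$B = \sum_{D\in\Delta} r_{C_{BI}}(D) \cdot B_2$

$B_2 = rsg_R \cdot B_3$

$B_3 = s_{C_{BA}}(R) \cdot B_4$

$B_4 = r_{C_{AB}}(ENC_k(R,b)) \cdot B_5$

$B_5 = s_{C_{BA}}(r) \cdot B_6$

$B_6 = r_{C_{AB}}(k) \cdot B_7$

$B_7 = dec_k(ENC_k(d_R,b)) \cdot B_8$

$B_8 = \{d_R = R\} \cdot B_9 + \{d_R \neq R\} \cdot B_{10}$

$B_9 = s_{C_{BO}}(b) \cdot B$

$B_{10} = s_{C_{BO}}(\bot) \cdot B$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, they cause a deadlock $\delta$. We define the following communication functions.

$\gamma(r_{C_{BA}}(R), s_{C_{BA}}(R)) \triangleq c_{C_{BA}}(R)$

$\gamma(r_{C_{AB}}(ENC_k(R,b)), s_{C_{AB}}(ENC_k(R,b))) \triangleq c_{C_{AB}}(ENC_k(R,b))$

$\gamma(r_{C_{BA}}(r), s_{C_{BA}}(r)) \triangleq c_{C_{BA}}(r)$

$\gamma(r_{C_{AB}}(k), s_{C_{AB}}(k)) \triangleq c_{C_{AB}}(k)$

Let all modules be in parallel, then the protocol A B can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A \between B))) = \tau_I(\partial_H(A \between B))$

where $H = \{r_{C_{BA}}(R), s_{C_{BA}}(R), r_{C_{AB}}(ENC_k(R,b)), s_{C_{AB}}(ENC_k(R,b)), r_{C_{BA}}(r), s_{C_{BA}}(r), r_{C_{AB}}(k), s_{C_{AB}}(k) \mid D \in \Delta\}$,

$I = \{c_{C_{BA}}(R), c_{C_{AB}}(ENC_k(R,b)), c_{C_{BA}}(r), c_{C_{AB}}(k), rsg_b, rsg_k, rsg_R, dec_k(ENC_k(d_R,b)), \{d_R = R\}, \{d_R \neq R\} \mid D \in \Delta\}$.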

Then we get the following conclusion on the protocol.

Theorem 8.2. The bit commitment protocol 1 in Figure 24 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of $APTC_G$, we can prove that

$\tau_I(\partial_H(A \between B)) = \sum_{D\in\Delta}(r_{C_{BI}}(D) \cdot (s_{C_{BO}}(b) + s_{C_{BO}}(\bot))) \cdot \tau_I(\partial_H(A \between B))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 24, $\tau_I(\partial_H(A \between B))$, can exhibit the desired external behaviors, that is, if the bits are committed, the system would be $\tau_I(\partial_H(A \between B)) = \sum_{D\in\Delta}(r_{C_{BI}}(D) \cdot s_{C_{BO}}(b)) \cdot \tau_I(\partial_H(A \between B))$; otherwise, the system would be $\tau_I(\partial_H(A \between B)) = \sum_{D\in\Delta}(r_{C_{BI}}(D) \cdot s_{C_{BO}}(\bot)) \cdot \tau_I(\partial_H(A \between B))$.

Note that the main security goal is bit commitment; the protocol in Figure 24 cannot satisfy other security goals, such as confidentiality.

Figure 25: Bit commitment protocol 2

8.2.2 Bit Commitment Protocol 2

The protocol shown in Figure 25 uses one-way function to implement bit commitment.

The process of the protocol is as follows.

1. Alice receives some requests $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$), she generates a random sequence $R_1$ through an action $rsg_{R_1}$, and a random sequence $R_2$ through an action $rsg_{R_2}$, generates the commitment $b$ through an action $rsg_b$, computes the hash of $R_1,R_2,b$ through an action $hash(R_1,R_2,b)$, and sends $HASH(R_1,R_2,b),R_1$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(HASH(R_1,R_2,b),R_1)$);

2. Bob receives the message $HASH(R_1,R_2,b),R_1$ from Alice through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(HASH(R_1,R_2,b),R_1)$); after some time, he sends a commitment release request $r$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(r)$);

3. Alice receives $r$ from Bob through the channel $C_{BA}$ (the corresponding reading action is denoted $r_{C_{BA}}(r)$), she sends $R_1,R_2,b$ to Bob through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(R_1,R_2,b)$);

4. Bob receives $d_{R_1},R_2,b$ from Alice through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(d_{R_1},R_2,b)$); if $d_{R_1} = R_1$ and $HASH(R_1,R_2,b) = HASH(d_{R_1},R_2,b)$, he sends $b$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(b)$); else if $d_{R_1} \neq R_1$ or $HASH(R_1,R_2,b) \neq HASH(d_{R_1},R_2,b)$, he sends $\bot$ to the outside through the channel $C_{BO}$ (the corresponding sending action is denoted $s_{C_{BO}}(\bot)$).

Where $D \in \Delta$, $\Delta$ is the set of data.

Alice's state transitions described by $APTC_G$ are as follows.

$A = \sum_{D\in\Delta} r_{C_{BI}}(D) \cdot A_2$

$A_2 = rsg_{R_1} \cdot A_3$

$A_3 = rsg_{R_2} \cdot A_4$

$A_4 = rsg_b \cdot A_5$

$A_5 = hash(R_1,R_2,b) \cdot A_6$

$A_6 = s_{C_{AB}}(HASH(R_1,R_2,b),R_1) \cdot A_7$

$A_7 = r_{C_{BA}}(r) \cdot A_8$

$A_8 = s_{C_{AB}}(R_1,R_2,b) \cdot A$

Bob's state transitions described by $APTC_G$ are as follows.

$B = r_{C_{AB}}(HASH(R_1,R_2,b),R_1) \cdot B_2$

$B_2 = s_{C_{BA}}(r) \cdot B_3$

$B_3 = r_{C_{AB}}(d_{R_1},R_2,b) \cdot B_4$

$B_4 = \{d_{R_1} = R_1\} \cdot \{HASH(R_1,R_2,b) = HASH(d_{R_1},R_2,b)\} \cdot B_5 + (\{d_{R_1} \neq R_1\} + \{HASH(R_1,R_2,b) \neq HASH(d_{R_1},R_2,b)\}) \cdot B_6$

$B_5 = s_{C_{BO}}(b) \cdot B$

$B_6 = s_{C_{BO}}(\bot) \cdot B$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, they cause a deadlock $\delta$. We define the following communication functions.

$\gamma(r_{C_{AB}}(HASH(R_1,R_2,b),R_1), s_{C_{AB}}(HASH(R_1,R_2,b),R_1)) \triangleq c_{C_{AB}}(HASH(R_1,R_2,b),R_1)$

$\gamma(r_{C_{BA}}(r), s_{C_{BA}}(r)) \triangleq c_{C_{BA}}(r)$

$\gamma(r_{C_{AB}}(d_{R_1},R_2,b), s_{C_{AB}}(d_{R_1},R_2,b)) \triangleq c_{C_{AB}}(d_{R_1},R_2,b)$

Let all modules be in parallel, then the protocol A B can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A \between B))) = \tau_I(\partial_H(A \between B))$

where $H = \{r_{C_{AB}}(HASH(R_1,R_2,b),R_1), s_{C_{AB}}(HASH(R_1,R_2,b),R_1), r_{C_{BA}}(r), s_{C_{BA}}(r), r_{C_{AB}}(d_{R_1},R_2,b), s_{C_{AB}}(d_{R_1},R_2,b) \mid D \in \Delta\}$,

$I = \{c_{C_{AB}}(HASH(R_1,R_2,b),R_1), c_{C_{BA}}(r), c_{C_{AB}}(d_{R_1},R_2,b), rsg_{R_1}, rsg_{R_2}, rsg_b, hash(R_1,R_2,b), \{d_{R_1} = R_1\}, \{HASH(R_1,R_2,b) = HASH(d_{R_1},R_2,b)\}, \{d_{R_1} \neq R_1\}, \{HASH(R_1,R_2,b) \neq HASH(d_{R_1},R_2,b)\} \mid D \in \Delta\}$.

Then we get the following conclusion on the protocol.

Theorem 8.3. The bit commitment protocol 2 in Figure 25 is secure.

Figure 26: Anonymous key distribution protocol

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of $APTC_G$, we can prove that

$\tau_I(\partial_H(A \between B)) = \sum_{D\in\Delta}(r_{C_{AI}}(D) \cdot (s_{C_{BO}}(b) + s_{C_{BO}}(\bot))) \cdot \tau_I(\partial_H(A \between B))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 25, $\tau_I(\partial_H(A \between B))$, can exhibit the desired external behaviors, that is, if the bits are committed, the system would be $\tau_I(\partial_H(A \between B)) = \sum_{D\in\Delta}(r_{C_{BI}}(D) \cdot s_{C_{BO}}(b)) \cdot \tau_I(\partial_H(A \between B))$; otherwise, the system would be $\tau_I(\partial_H(A \between B)) = \sum_{D\in\Delta}(r_{C_{BI}}(D) \cdot s_{C_{BO}}(\bot)) \cdot \tau_I(\partial_H(A \between B))$.

Note that the main security goal is bit commitment; the protocol in Figure 25 cannot satisfy other security goals, such as confidentiality.
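The commit and release steps of bit commitment protocol 2, with Bob's two guards from $B_4$, look as follows in Python. This is an added example, not code from the paper; it assumes SHA-256 as the one-way function HASH and a length-prefixed encoding of $(R_1,R_2,b)$, neither of which the paper specifies.

```python
import hashlib
import hmac
import secrets


def encode(*fields: bytes) -> bytes:
    """Length-prefix every field so that (R1, R2, b) has exactly one encoding."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def commit(bit: int, nonce_len: int = 16):
    """Alice, step 1: returns (message for Bob, opening Alice keeps)."""
    if bit not in (0, 1):
        raise ValueError("b must be a single bit")
    r1 = secrets.token_bytes(nonce_len)          # rsg_{R1}
    r2 = secrets.token_bytes(nonce_len)          # rsg_{R2}
    digest = hashlib.sha256(encode(r1, r2, bytes([bit]))).digest()
    return (digest, r1), (r1, r2, bit)


def verify(first_message, opening):
    """Bob, step 4: both guards of B4 must hold; otherwise the result is
    None, standing for the bottom value sent on C_BO."""
    digest, r1 = first_message
    d_r1, r2, bit = opening
    if bit not in (0, 1):
        return None
    same_r1 = hmac.compare_digest(d_r1, r1)
    recomputed = hashlib.sha256(encode(d_r1, r2, bytes([bit]))).digest()
    same_hash = hmac.compare_digest(recomputed, digest)
    return bit if (same_r1 and same_hash) else None


def demo():
    first_message, (r1, r2, bit) = commit(1)
    honest = verify(first_message, (r1, r2, bit))
    # Alice tries to open the same commitment to the other bit.
    flipped = verify(first_message, (r1, r2, 1 - bit))
    # The released R1 differs from the R1 sent with the hash.
    new_r1 = verify(first_message, (secrets.token_bytes(16), r2, bit))
    # Plain concatenation is ambiguous; the length prefix is not.
    ambiguous = b"ab" + b"c" == b"a" + b"bc"
    distinct = encode(b"ab", b"c") != encode(b"a", b"bc")
    return honest, flipped, new_r1, ambiguous, distinct


if __name__ == "__main__":
    print(demo())
```

Without an unambiguous encoding, two different triples could hash to the same value by shifting bytes between fields, which would undermine the binding that the guard on HASH is meant to check.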

8.3 Analyses of Anonymous Key Distribution Protocols

The protocol shown in Figure 26 uses asymmetric cryptography to implement anonymous key distribution.

The process of the protocol is as follows.

1. Alice receives some requests $D$ from the outside through the channel $C_{BI}$ (the corresponding reading action is denoted $r_{C_{BI}}(D)$), she generates a public/private key pair through an action $rsg_{pk_A,sk_A}$, and sends the key request $r$ to the KDC through the channel $C_{AK}$ (the corresponding sending action is denoted $s_{C_{AK}}(r)$);

2. The KDC receives the key request $r$ from Alice through the channel $C_{AK}$ (the corresponding reading action is denoted $r_{C_{AK}}(r)$), he generates a series of keys $k_i$ through actions $rsg_{k_i}$ for $1 \leq i \leq n$, and encrypts these keys by his public key $pk_K$ through actions $enc_{pk_K}(k_i)$ for $1 \leq i \leq n$, then sends these encrypted keys to Alice through the channel $C_{KA}$ (the corresponding sending action is denoted $s_{C_{KA}}(ENC_{pk_K}(k_1),\cdots,ENC_{pk_K}(k_n))$);

3. Alice receives the encrypted keys from the KDC through the channel $C_{KA}$ (the corresponding reading action is denoted $r_{C_{KA}}(ENC_{pk_K}(k_1),\cdots,ENC_{pk_K}(k_n))$), she randomly selects one $ENC_{pk_K}(k_j)$ for $1 \leq j \leq n$, encrypts it by her public key $pk_A$ through an action $enc_{pk_A}(ENC_{pk_K}(k_j))$, and sends the doubly encrypted key $ENC_{pk_A}(ENC_{pk_K}(k_j))$ to the KDC through the channel $C_{AK}$ (the corresponding sending action is denoted $s_{C_{AK}}(ENC_{pk_A}(ENC_{pk_K}(k_j)))$);

4. The KDC receives the doubly encrypted key from Alice through the channel $C_{AK}$ (the corresponding reading action is denoted $r_{C_{AK}}(ENC_{pk_A}(ENC_{pk_K}(k_j)))$), he decrypts it by his private key $sk_K$ through an action $dec_{sk_K}(ENC_{pk_A}(ENC_{pk_K}(k_j)))$ to get $ENC_{pk_A}(k_j)$, and sends $ENC_{pk_A}(k_j)$ to Alice through the channel $C_{KA}$ (the corresponding sending action is denoted $s_{C_{KA}}(ENC_{pk_A}(k_j))$);

5. Alice receives $ENC_{pk_A}(k_j)$ from the KDC through the channel $C_{KA}$ (the corresponding reading action is denoted $r_{C_{KA}}(ENC_{pk_A}(k_j))$), she decrypts it by her private key $sk_A$ through an action $dec_{sk_A}(ENC_{pk_A}(k_j))$ to get $k_j$, and sends $k_j$ to the outside through the channel $C_{AO}$ (the corresponding sending action is denoted $s_{C_{AO}}(k_j)$).

Where $D \in \Delta$, $\Delta$ is the set of data.

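Alice's state transitions described by $APTC_G$ are as follows.

$A = \sum_{D\in\Delta} r_{C_{AI}}(D) \cdot A_2$

$A_2 = rsg_{pk_A,sk_A} \cdot A_3$

$A_3 = s_{C_{AK}}(r) \cdot A_4$

$A_4 = r_{C_{KA}}(ENC_{pk_K}(k_1),\cdots,ENC_{pk_K}(k_n)) \cdot A_5$

$A_5 = enc_{pk_A}(ENC_{pk_K}(k_j)) \cdot A_6$

$A_6 = s_{C_{AK}}(ENC_{pk_A}(ENC_{pk_K}(k_j))) \cdot A_7$

$A_7 = r_{C_{KA}}(ENC_{pk_A}(k_j)) \cdot A_8$

$A_8 = dec_{sk_A}(ENC_{pk_A}(k_j)) \cdot A_9$

$A_9 = s_{C_{AO}}(k_j) \cdot A$

The KDC's state transitions described by $APTC_G$ are as follows.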

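$K = r_{C_{AK}}(r) \cdot K_2$

$K_2 = rsg_{k_1} \parallel \cdots \parallel rsg_{k_n} \cdot K_3$

$K_3 = enc_{pk_K}(k_1) \parallel \cdots \parallel enc_{pk_K}(k_n) \cdot K_4$

$K_4 = s_{C_{KA}}(ENC_{pk_K}(k_1),\cdots,ENC_{pk_K}(k_n)) \cdot K_5$

$K_5 = r_{C_{AK}}(ENC_{pk_A}(ENC_{pk_K}(k_j))) \cdot K_6$

$K_6 = dec_{sk_K}(ENC_{pk_A}(ENC_{pk_K}(k_j))) \cdot K_7$

$K_7 = s_{C_{KA}}(ENC_{pk_A}(k_j)) \cdot K$

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, they cause a deadlock $\delta$. We define the following communication functions.

$\gamma(r_{C_{AK}}(r), s_{C_{AK}}(r)) \triangleq c_{C_{AK}}(r)$

$\gamma(r_{C_{KA}}(ENC_{pk_K}(k_1),\cdots,ENC_{pk_K}(k_n)), s_{C_{KA}}(ENC_{pk_K}(k_1),\cdots,ENC_{pk_K}(k_n))) \triangleq c_{C_{KA}}(ENC_{pk_K}(k_1),\cdots,ENC_{pk_K}(k_n))$

$\gamma(r_{C_{AK}}(ENC_{pk_A}(ENC_{pk_K}(k_j))), s_{C_{AK}}(ENC_{pk_A}(ENC_{pk_K}(k_j)))) \triangleq c_{C_{AK}}(ENC_{pk_A}(ENC_{pk_K}(k_j)))$

$\gamma(r_{C_{KA}}(ENC_{pk_A}(k_j)), s_{C_{KA}}(ENC_{pk_A}(k_j))) \triangleq c_{C_{KA}}(ENC_{pk_A}(k_j))$

Let all modules be in parallel, then the protocol A K can be presented by the following process term.

$\tau_I(\partial_H(\Theta(A \between K))) = \tau_I(\partial_H(A \between K))$

where $H = \{r_{C_{AK}}(r), s_{C_{AK}}(r), r_{C_{KA}}(ENC_{pk_A}(k_j)), s_{C_{KA}}(ENC_{pk_A}(k_j)), r_{C_{KA}}(ENC_{pk_K}(k_1),\cdots,ENC_{pk_K}(k_n)), s_{C_{KA}}(ENC_{pk_K}(k_1),\cdots,ENC_{pk_K}(k_n)), r_{C_{AK}}(ENC_{pk_A}(ENC_{pk_K}(k_j))), s_{C_{AK}}(ENC_{pk_A}(ENC_{pk_K}(k_j))) \mid D \in \Delta\}$,

$I = \{c_{C_{AK}}(r), c_{C_{KA}}(ENC_{pk_A}(k_j)), c_{C_{AK}}(ENC_{pk_A}(ENC_{pk_K}(k_j))), c_{C_{KA}}(ENC_{pk_K}(k_1),\cdots,ENC_{pk_K}(k_n)), rsg_{pk_A,sk_A}, enc_{pk_A}(ENC_{pk_K}(k_j)), dec_{sk_A}(ENC_{pk_A}(k_j)), rsg_{k_1},\cdots,rsg_{k_n}, enc_{pk_K}(k_1),\cdots,enc_{pk_K}(k_n), dec_{sk_K}(ENC_{pk_A}(ENC_{pk_K}(k_j))) \mid D \in \Delta\}$.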

Then we get the following conclusion on the protocol.

Theorem 8.4. The anonymous key distribution protocol in Figure 26 is secure.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of $APTC_G$, we can prove that

$\tau_I(\partial_H(A \between K)) = \sum_{D\in\Delta}(r_{C_{AI}}(D) \cdot s_{C_{AO}}(k_j)) \cdot \tau_I(\partial_H(A \between K))$.

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 26, $\tau_I(\partial_H(A \between K))$, can exhibit the desired external behaviors, and is secure.
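Step 4 of the anonymous key distribution protocol only works if the two encryptions commute, so that removing the KDC's layer from $ENC_{pk_A}(ENC_{pk_K}(k_j))$ leaves $ENC_{pk_A}(k_j)$. The Python sketch below is an added example, not code from the paper; it swaps in exponentiation modulo a prime as a commutative cipher (the paper does not name a scheme), uses a toy-sized modulus, and assumes both of Alice's exponents stay private.

```python
import math
import secrets

P = 2**127 - 1   # a Mersenne prime; toy-sized modulus for the demonstration


def keygen():
    """Return (e, d) with e*d = 1 mod (P-1), so x -> x^e mod P is invertible."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)


def enc(e: int, x: int) -> int:
    return pow(x, e, P)


def dec(d: int, y: int) -> int:
    return pow(y, d, P)


def run_protocol(n: int = 5) -> dict:
    e_k, d_k = keygen()                                      # the KDC's pair
    keys = [secrets.randbelow(P - 3) + 2 for _ in range(n)]  # rsg_{k_i}
    offer = [enc(e_k, k) for k in keys]                      # ENC_pkK(k_i)
    e_a, d_a = keygen()                                      # Alice: rsg_{pkA,skA}
    j = secrets.randbelow(n)                                 # Alice's secret choice
    doubly = enc(e_a, offer[j])                              # ENC_pkA(ENC_pkK(k_j))
    returned = dec(d_k, doubly)                              # KDC strips its layer
    k_j = dec(d_a, returned)                                 # Alice recovers k_j
    return {"keys": keys, "offer": offer, "j": j, "e_a": e_a,
            "doubly": doubly, "returned": returned, "k_j": k_j}


def direct_match(view: dict) -> bool:
    """True if a value the KDC handled in steps 4-5 equals one it generated
    or sent earlier, which would link Alice's reply to an index."""
    return (view["doubly"] in view["offer"]
            or view["returned"] in view["offer"]
            or view["returned"] in view["keys"])


def identify_with_exponent(keys: list, returned: int, e_a: int):
    """If Alice's encryption exponent were known to the KDC, deterministic
    encryption lets it re-encrypt every k_i and find the chosen index."""
    matches = [i for i, k in enumerate(keys) if enc(e_a, k) == returned]
    return matches[0] if matches else None


if __name__ == "__main__":
    v = run_protocol()
    print(v["k_j"] == v["keys"][v["j"]], direct_match(v),
          identify_with_exponent(v["keys"], v["returned"], v["e_a"]) == v["j"])
```

The last function shows why the freshly generated pair in step 1 must not be published: with a deterministic cipher, anyone who can encrypt under Alice's key can test each $k_i$ against $ENC_{pk_A}(k_j)$.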

Figure 27: Digital Cash Protocol 1

9 Analyses of Digital Cash Protocols

Digital cash makes it possible to use cash digitally. Digital cash may have the following six properties:

1. Independence. The digital cash is independent of the location, and can be used through the network;

2. Security. The digital cash cannot be copied and reused;

3. Privacy. The privacy of the owner of the digital cash is protected;

4. Off-line payment. The digital cash can be used off line;

5. Transferability. The digital cash can be transferred to the other users;

6. Divisibility. The digital cash can be divided into small pieces of digital cashes.

In this chapter, we will introduce four digital cash protocols in the following sections. In the

analyses of these four protocols, we will mainly analyze the security and privacy properties.

9.1 Digital Cash Protocol 1

The Digital Cash Protocol 1 shown in Figure 27 is the basic digital cash protocol to ensure anonymity.

The process of the protocol is as follows.

1. Alice receives some requests $D$ from the outside through the channel $C_{AI}$ (the corresponding reading action is denoted $r_{C_{AI}}(D)$), she generates $n$ $\$m_i$ orders with each order encrypted by the bank's public key $pk_B$ through actions $enc_{pk_B}(m_i)$ for $1 \leq i \leq n$, and sends them to the bank through the channel $C_{AB}$ (the corresponding sending action is denoted $s_{C_{AB}}(ENC_{pk_B}(m_1),\cdots,ENC_{pk_B}(m_n))$);

2. The bank receives these orders from Alice through the channel $C_{AB}$ (the corresponding reading action is denoted $r_{C_{AB}}(ENC_{pk_B}(m_1),\cdots,ENC_{pk_B}(m_n))$), he randomly selects $n-1$ orders and decrypts them through actions $dec_{sk_B}(ENC_{pk_B}(m_j))$ for $1 \leq j \leq n-1$ to ensure that each $m_j = m$. Then he signs the remaining $ENC_{pk_B}(m_k)$ through an action $sign_{sk_B}(ENC_{pk_B}(m_k))$, checks the identity of Alice and deducts $\$m$ from Alice's account through an action $s_{C_{BO}}(-m)$, then sends $SIGN_{sk_B}(ENC_{pk_B}(m_k))$ to Alice through the channel $C_{BA}$ (the corresponding sending action is denoted $s_{C_{BA}}(SIGN_{sk_B}(ENC_{pk_B}(m_k)))$);

3. Alice receives the signed order $SIGN_{sk_B}(ENC_{pk_B}(m_k))$ from the bank through the channel $C_{BA}$ (the corresponding reading action is denoted $r_{C_{BA}}(SIGN_{sk_B}(ENC_{pk_B}(m_k)))$), she may send the signed order to some merchant through the channel $C_{AM}$ (the corresponding sending action is denoted $s_{C_{AM}}(SIGN_{sk_B}(ENC_{pk_B}(m_k)))$);

4. The merchant receives the signed cash from Alice through the channel $C_{AM}$ (the corresponding reading action is denoted $r_{C_{AM}}(SIGN_{sk_B}(ENC_{pk_B}(m_k)))$), he sends it to the bank through the channel $C_{MB}$ (the corresponding sending action is denoted $s_{C_{MB}}(SIGN_{sk_B}(ENC_{pk_B}(m_k)))$);

5. The bank receives the signed cash from the merchant through the channel $C_{MB}$ (the corresponding reading action is denoted $r_{C_{MB}}(SIGN_{sk_B}(ENC_{pk_B}(m_k)))$), he de-signs the cash through an action $de\text{-}sign(SIGN_{sk_B}(ENC_{pk_B}(m_k)))$, then decrypts it through an action $dec_{sk_B}(ENC_{pk_B}(m_k))$, checks the identity of the merchant and credits $\$m$ to the merchant's account through an action $s_{C_{BO}}(+m)$.

Where $D \in \Delta$, $\Delta$ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑D∈∆ rCAI(D) ⋅ A2

A2 = encpkB(m1) ∥ ⋯ ∥ encpkB(mn) ⋅ A3

A3 = sCAB(ENCpkB(m1),⋯,ENCpkB(mn)) ⋅ A4

A4 = rCBA(SIGNskB(ENCpkB(mk))) ⋅ A5

A5 = sCAM(SIGNskB(ENCpkB(mk))) ⋅ A

The bank’s state transitions described by APTCG are as follows.

B = rCAB(ENCpkB(m1),⋯,ENCpkB(mn)) ⋅ B2

B2 = decskB(ENCpkB(m1)) ∥ ⋯ ∥ decskB(ENCpkB(mn−1)) ⋅ B3

B3 = signskB(ENCpkB(mk)) ⋅ B4

B4 = sCBO(−m) ⋅ B5

B5 = sCBA(SIGNskB(ENCpkB(mk))) ⋅ B6

B6 = rCMB(SIGNskB(ENCpkB(mk))) ⋅ B7

B7 = de-sign(SIGNskB(ENCpkB(mk))) ⋅ B8

B8 = sCBO(+m) ⋅ B

The merchant’s state transitions described by APTCG are as follows.

M = rCAM(SIGNskB(ENCpkB(mk))) ⋅ M2

M2 = sCMB(SIGNskB(ENCpkB(mk))) ⋅ M

The sending action and the reading action of the same type data through the same channel can communicate with each other; otherwise, a deadlock δ will be caused. We define the following communication functions.

γ(rCAB(ENCpkB(m1),⋯,ENCpkB(mn)), sCAB(ENCpkB(m1),⋯,ENCpkB(mn))) ≜ cCAB(ENCpkB(m1),⋯,ENCpkB(mn))

γ(rCBA(SIGNskB(ENCpkB(mk))), sCBA(SIGNskB(ENCpkB(mk)))) ≜ cCBA(SIGNskB(ENCpkB(mk)))

γ(rCMB(SIGNskB(ENCpkB(mk))), sCMB(SIGNskB(ENCpkB(mk)))) ≜ cCMB(SIGNskB(ENCpkB(mk)))

γ(rCAM(SIGNskB(ENCpkB(mk))), sCAM(SIGNskB(ENCpkB(mk)))) ≜ cCAM(SIGNskB(ENCpkB(mk)))

Let all modules be in parallel, then the protocol A ≬ B ≬ M can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ M))) = τI(∂H(A ≬ B ≬ M))

where H = {rCAB(ENCpkB(m1),⋯,ENCpkB(mn)), sCAB(ENCpkB(m1),⋯,ENCpkB(mn)), rCBA(SIGNskB(ENCpkB(mk))), sCBA(SIGNskB(ENCpkB(mk))), rCMB(SIGNskB(ENCpkB(mk))), sCMB(SIGNskB(ENCpkB(mk))), rCAM(SIGNskB(ENCpkB(mk))), sCAM(SIGNskB(ENCpkB(mk))) ∣ D ∈ ∆},

I = {cCAB(ENCpkB(m1),⋯,ENCpkB(mn)), cCBA(SIGNskB(ENCpkB(mk))), cCMB(SIGNskB(ENCpkB(mk))), cCAM(SIGNskB(ENCpkB(mk))), encpkB(m1),⋯, encpkB(mn), decskB(ENCpkB(m1)),⋯, decskB(ENCpkB(mn−1)), signskB(ENCpkB(mk)), de-sign(SIGNskB(ENCpkB(mk))) ∣ D ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 9.1. The Digital Cash Protocol 1 in Figure 27 is anonymous.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

τI(∂H(A ≬ B ≬ M)) = ∑D∈∆(rCAI(D) ⋅ sCBO(−m) ⋅ sCBO(+m)) ⋅ τI(∂H(A ≬ B ≬ M)).

For the details of proof, please refer to section 2.9, and we omit it.

That is, the Digital Cash Protocol 1 in Figure 27 τI(∂H(A ≬ B ≬ M)) can exhibit desired external behaviors:

1. The digital cash of Alice SIGNskB(ENCpkB(mk)) is anonymous for the merchant and the bank;

2. The protocol cannot resist replay attacks; for digital cash, this is the so-called double spending problem, either for Alice or the merchant. The system would be τI(∂H(A ≬ B ≬ M)) = ∑D∈∆(rCAI(D) ⋅ sCBO(−m) ⋅ sCBO(+m) ⋅ sCBO(+m)) ⋅ τI(∂H(A ≬ B ≬ M)).

Figure 28: Digital Cash Protocol 2

9.2 Digital Cash Protocol 2

Digital Cash Protocol 2, shown in Figure 28, is the basic digital cash protocol to ensure anonymity and resist replay attacks.

The process of the protocol is as follows.

1. Alice receives some requests D from the outside through the channel CAI (the corresponding reading action is denoted rCAI(D)), she generates n $mi orders containing a random number Ri with each order encrypted by the bank’s public key pkB through actions encpkB(mi,Ri) for 1 ≤ i ≤ n, and sends them to the bank through the channel CAB (the corresponding sending action is denoted sCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)));

2. The bank receives these orders from Alice through the channel CAB (the corresponding reading action is denoted rCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn))), he randomly selects n − 1 orders and decrypts them through actions decskB(ENCpkB(mj,Rj)) for 1 ≤ j ≤ n − 1 to ensure that each mj = m and Rj is fresh. Then he signs the remaining ENCpkB(mk,Rk) through an action signskB(ENCpkB(mk,Rk)), checks the identity of Alice and deducts $m from Alice’s account through an action sCBO(−m), then sends SIGNskB(ENCpkB(mk,Rk)) to Alice through the channel CBA (the corresponding sending action is denoted sCBA(SIGNskB(ENCpkB(mk,Rk))));

3. Alice receives the signed order SIGNskB(ENCpkB(mk,Rk)) from the bank through the channel CBA (the corresponding reading action is denoted rCBA(SIGNskB(ENCpkB(mk,Rk)))), she may send the signed order to some merchant through the channel CAM (the corresponding sending action is denoted sCAM(SIGNskB(ENCpkB(mk,Rk))));

4. The merchant receives the signed cash from Alice through the channel CAM (the corresponding reading action is denoted rCAM(SIGNskB(ENCpkB(mk,Rk)))), he sends it to the bank through the channel CMB (the corresponding sending action is denoted sCMB(SIGNskB(ENCpkB(mk,Rk))));

5. The bank receives the signed cash from the merchant through the channel CMB (the corresponding reading action is denoted rCMB(SIGNskB(ENCpkB(mk,Rk)))), he de-signs the cash through an action de-sign(SIGNskB(ENCpkB(mk,Rk))), then decrypts it through an action decskB(ENCpkB(mk,Rk)), if isFresh(Rk) = TRUE, he checks the identity of the merchant and credits $m to the merchant’s account through an action sCBO(+m); else if isFresh(Rk) = FALSE, he sends ⊥ to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑D∈∆ rCAI(D) ⋅ A2

A2 = encpkB(m1,R1) ∥ ⋯ ∥ encpkB(mn,Rn) ⋅ A3

A3 = sCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)) ⋅ A4

A4 = rCBA(SIGNskB(ENCpkB(mk,Rk))) ⋅ A5

A5 = sCAM(SIGNskB(ENCpkB(mk,Rk))) ⋅ A

The bank’s state transitions described by APTCG are as follows.

B = rCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)) ⋅ B2

B2 = decskB(ENCpkB(m1,R1)) ∥ ⋯ ∥ decskB(ENCpkB(mn−1,Rn−1)) ⋅ B3

B3 = signskB(ENCpkB(mk,Rk)) ⋅ B4

B4 = sCBO(−m) ⋅ B5

B5 = sCBA(SIGNskB(ENCpkB(mk,Rk))) ⋅ B6

B6 = rCMB(SIGNskB(ENCpkB(mk,Rk))) ⋅ B7

B7 = de-sign(SIGNskB(ENCpkB(mk,Rk))) ⋅ B8

B8 = {isFresh(Rk) = TRUE} ⋅ sCBO(+m) ⋅ B + {isFresh(Rk) = FALSE} ⋅ sCBO(⊥) ⋅ B

The merchant’s state transitions described by APTCG are as follows.

M = rCAM(SIGNskB(ENCpkB(mk,Rk))) ⋅ M2

M2 = sCMB(SIGNskB(ENCpkB(mk,Rk))) ⋅ M

The sending action and the reading action of the same type data through the same channel can communicate with each other; otherwise, a deadlock δ will be caused. We define the following communication functions.

γ(rCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)), sCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn))) ≜ cCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn))

γ(rCBA(SIGNskB(ENCpkB(mk,Rk))), sCBA(SIGNskB(ENCpkB(mk,Rk)))) ≜ cCBA(SIGNskB(ENCpkB(mk,Rk)))

γ(rCMB(SIGNskB(ENCpkB(mk,Rk))), sCMB(SIGNskB(ENCpkB(mk,Rk)))) ≜ cCMB(SIGNskB(ENCpkB(mk,Rk)))

γ(rCAM(SIGNskB(ENCpkB(mk,Rk))), sCAM(SIGNskB(ENCpkB(mk,Rk)))) ≜ cCAM(SIGNskB(ENCpkB(mk,Rk)))

Let all modules be in parallel, then the protocol A ≬ B ≬ M can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ M))) = τI(∂H(A ≬ B ≬ M))

where H = {rCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)), sCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)), rCBA(SIGNskB(ENCpkB(mk,Rk))), sCBA(SIGNskB(ENCpkB(mk,Rk))), rCMB(SIGNskB(ENCpkB(mk,Rk))), sCMB(SIGNskB(ENCpkB(mk,Rk))), rCAM(SIGNskB(ENCpkB(mk,Rk))), sCAM(SIGNskB(ENCpkB(mk,Rk))) ∣ D ∈ ∆},

I = {cCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)), cCBA(SIGNskB(ENCpkB(mk,Rk))), cCMB(SIGNskB(ENCpkB(mk,Rk))), cCAM(SIGNskB(ENCpkB(mk,Rk))), encpkB(m1,R1),⋯, encpkB(mn,Rn), decskB(ENCpkB(m1,R1)),⋯, decskB(ENCpkB(mn−1,Rn−1)), signskB(ENCpkB(mk,Rk)), de-sign(SIGNskB(ENCpkB(mk,Rk))), {isFresh(Rk) = TRUE}, {isFresh(Rk) = FALSE} ∣ D ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 9.2. The Digital Cash Protocol 2 in Figure 28 is anonymous and resists replaying.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

τI(∂H(A ≬ B ≬ M)) = ∑D∈∆(rCAI(D) ⋅ sCBO(−m) ⋅ (sCBO(+m) + sCBO(⊥))) ⋅ τI(∂H(A ≬ B ≬ M)).

For the details of proof, please refer to section 2.9, and we omit it.

That is, the Digital Cash Protocol 2 in Figure 28 τI(∂H(A ≬ B ≬ M)) can exhibit desired external behaviors:

1. The digital cash of Alice SIGNskB(ENCpkB(mk)) is anonymous for the merchant and the bank;

2. The protocol can resist replay attacks, because of the use of the random number in each digital cash;

3. The bank does not know who cheats him when the double spending problem occurs, either the owner of the cash or the merchant.

Figure 29: Digital Cash Protocol 3

9.3 Digital Cash Protocol 3

Digital Cash Protocol 3, shown in Figure 29, is the basic digital cash protocol to ensure anonymity, resist replay attacks and partly identify who cheats.

The process of the protocol is as follows.

1. Alice receives some requests D from the outside through the channel CAI (the corresponding reading action is denoted rCAI(D)), she generates n $mi orders containing a random number Ri with each order encrypted by the bank’s public key pkB through actions encpkB(mi,Ri) for 1 ≤ i ≤ n, and sends them to the bank through the channel CAB (the corresponding sending action is denoted sCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)));

2. The bank receives these orders from Alice through the channel CAB (the corresponding reading action is denoted rCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn))), he randomly selects n − 1 orders and decrypts them through actions decskB(ENCpkB(mj,Rj)) for 1 ≤ j ≤ n − 1 to ensure that each mj = m and Rj is fresh. Then he signs the remaining ENCpkB(mk,Rk) through an action signskB(ENCpkB(mk,Rk)), checks the identity of Alice and deducts $m from Alice’s account through an action sCBO(−m), then sends SIGNskB(ENCpkB(mk,Rk)) to Alice through the channel CBA (the corresponding sending action is denoted sCBA(SIGNskB(ENCpkB(mk,Rk))));

3. Alice receives the signed order SIGNskB(ENCpkB(mk,Rk)) from the bank through the channel CBA (the corresponding reading action is denoted rCBA(SIGNskB(ENCpkB(mk,Rk)))), she generates a random string R and encrypts it through an action encpkB(R), she may send the signed order to some merchant through the channel CAM (the corresponding sending action is denoted sCAM(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)));

4. The merchant receives the signed cash from Alice through the channel CAM (the corresponding reading action is denoted rCAM(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R))), he sends it to the bank through the channel CMB (the corresponding sending action is denoted sCMB(SIGNskB(ENCpkB(mk,Rk))));

5. The bank receives the signed cash from the merchant through the channel CMB (the corresponding reading action is denoted rCMB(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R))), he de-signs the cash through an action de-sign(SIGNskB(ENCpkB(mk,Rk))), then decrypts it through an action decskB(ENCpkB(mk,Rk)) and decskB(ENCpkB(R)), if isFresh(Rk) = TRUE, he checks the identity of the merchant and credits $m to the merchant’s account through an action sCBO(+m); else if isFresh(Rk) = FALSE and isFresh(R) = TRUE, he sends ⊥A to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥A)); else if isFresh(Rk) = FALSE and isFresh(R) = FALSE, he sends ⊥M to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥M)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑D∈∆ rCAI(D) ⋅ A2

A2 = encpkB(m1,R1) ∥ ⋯ ∥ encpkB(mn,Rn) ⋅ A3

A3 = sCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)) ⋅ A4

A4 = rCBA(SIGNskB(ENCpkB(mk,Rk))) ⋅ A5

A5 = encpkB(R) ⋅ A6

A6 = sCAM(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)) ⋅ A

The bank’s state transitions described by APTCG are as follows.

B = rCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)) ⋅ B2

B2 = decskB(ENCpkB(m1,R1)) ∥ ⋯ ∥ decskB(ENCpkB(mn−1,Rn−1)) ⋅ B3

B3 = signskB(ENCpkB(mk,Rk)) ⋅ B4

B4 = sCBO(−m) ⋅ B5

B5 = sCBA(SIGNskB(ENCpkB(mk,Rk))) ⋅ B6

B6 = rCMB(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)) ⋅ B7

B7 = de-sign(SIGNskB(ENCpkB(mk,Rk))) ⋅ B8

B8 = decskB(ENCpkB(R)) ⋅ B9

B9 = {isFresh(Rk) = TRUE} ⋅ sCBO(+m) ⋅ B + {isFresh(Rk) = FALSE} ⋅ {isFresh(R) = TRUE} ⋅ sCBO(⊥A) ⋅ B + {isFresh(Rk) = FALSE} ⋅ {isFresh(R) = FALSE} ⋅ sCBO(⊥M) ⋅ B

The merchant’s state transitions described by APTCG are as follows.

M = rCAM(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)) ⋅ M2

M2 = sCMB(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)) ⋅ M

The sending action and the reading action of the same type data through the same channel can communicate with each other; otherwise, a deadlock δ will be caused. We define the following communication functions.

γ(rCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)), sCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn))) ≜ cCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn))

γ(rCBA(SIGNskB(ENCpkB(mk,Rk))), sCBA(SIGNskB(ENCpkB(mk,Rk)))) ≜ cCBA(SIGNskB(ENCpkB(mk,Rk)))

γ(rCMB(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)), sCMB(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R))) ≜ cCMB(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R))

γ(rCAM(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)), sCAM(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R))) ≜ cCAM(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R))

Let all modules be in parallel, then the protocol A ≬ B ≬ M can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ M))) = τI(∂H(A ≬ B ≬ M))

where H = {rCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)), sCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)), rCBA(SIGNskB(ENCpkB(mk,Rk))), sCBA(SIGNskB(ENCpkB(mk,Rk))), rCMB(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)), sCMB(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)), rCAM(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)), sCAM(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)) ∣ D ∈ ∆},

I = {cCAB(ENCpkB(m1,R1),⋯,ENCpkB(mn,Rn)), cCBA(SIGNskB(ENCpkB(mk,Rk))), cCMB(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)), cCAM(SIGNskB(ENCpkB(mk,Rk)),ENCpkB(R)), encpkB(m1,R1),⋯, encpkB(mn,Rn), decskB(ENCpkB(m1,R1)),⋯, decskB(ENCpkB(mn−1,Rn−1)), signskB(ENCpkB(mk,Rk)), de-sign(SIGNskB(ENCpkB(mk,Rk))), encpkB(R), decskB(ENCpkB(R)), {isFresh(Rk) = TRUE}, {isFresh(Rk) = FALSE}, {isFresh(R) = TRUE}, {isFresh(R) = FALSE} ∣ D ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 9.3. The Digital Cash Protocol 3 in Figure 29 is anonymous, and resists replaying

and knowing who partly.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

τI(∂H(A ≬ B ≬ M)) = ∑D∈∆(rCAI(D) ⋅ sCBO(−m) ⋅ (sCBO(+m) + sCBO(⊥A) + sCBO(⊥M))) ⋅ τI(∂H(A ≬ B ≬ M)).

For the details of proof, please refer to section 2.9, and we omit it.

That is, the Digital Cash Protocol 3 in Figure 29 τI(∂H(A ≬ B ≬ M)) can exhibit desired external behaviors:

1. The digital cash of Alice SIGNskB(ENCpkB(mk)) is anonymous for the merchant and the bank;

2. The protocol can resist replay attacks, because of the use of the random number in each digital cash;

3. The bank knows who cheats him when the double spending problem occurs, either the owner of the cash or the merchant. But he does not know exactly the identity of the person.

Figure 30: Digital Cash Protocol 4
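The bank's deposit guard from step 5 of Protocols 1 to 3, as an added example that is not code from the paper: it replays one piece of cash and returns the external trace on channel CBO, matching the right-hand sides proved above. Assumptions: an HMAC under a bank-held key stands in for signskB/de-sign, encryption under pkB is omitted, and the names Bank and run are hypothetical.

```python
"""Added illustration (not from the paper): the bank's deposit decision in
step 5 of Digital Cash Protocols 1-3 and the resulting trace on channel CBO."""
import hashlib
import hmac
import secrets

BOTTOM, BOTTOM_A, BOTTOM_M = "⊥", "⊥A", "⊥M"


class Bank:
    def __init__(self, protocol: int, m: int):
        self.protocol = protocol            # 1, 2 or 3
        self.m = m
        self._sk = secrets.token_bytes(32)  # assumption: HMAC key stands in for skB
        self.seen_rk = set()                # every Rk already deposited
        self.seen_r = set()                 # every payment string R already deposited
        self.trace = []                     # external actions sent on CBO

    def _sign(self, order: bytes) -> bytes:
        return hmac.new(self._sk, order, hashlib.sha256).digest()

    def withdraw(self, order: bytes):
        """Step 2: sign the remaining order and deduct m, i.e. sCBO(-m)."""
        self.trace.append(-self.m)
        return order, self._sign(order)

    def deposit(self, cash, r=None):
        """Step 5: de-sign the cash, then apply the protocol's freshness guards."""
        order, sig = cash
        if not hmac.compare_digest(sig, self._sign(order)):
            raise ValueError("cash was not signed by the bank")
        if self.protocol == 1:
            out = self.m                    # no guard: a replayed deposit is credited again
        else:
            rk = order.split(b"|", 1)[1]    # constructed order format: m|Rk
            fresh_rk = rk not in self.seen_rk
            fresh_r = r not in self.seen_r
            self.seen_rk.add(rk)
            self.seen_r.add(r)
            if fresh_rk:
                out = self.m                # {isFresh(Rk) = TRUE} . sCBO(+m)
            elif self.protocol == 2:
                out = BOTTOM                # replay seen, culprit unknown
            elif fresh_r:
                out = BOTTOM_A              # same cash, new R: the owner spent it twice
            else:
                out = BOTTOM_M              # same cash, same R: the merchant replayed it
        self.trace.append(out)
        return out


def run(protocol: int, cheater: str, m: int = 5):
    """Withdraw one piece of cash, deposit it, then deposit it a second time.

    cheater='alice': the owner spends the cash again (with a new R in Protocol 3).
    cheater='merchant': the merchant re-sends the identical deposit message.
    """
    bank = Bank(protocol, m)
    rk = secrets.token_hex(16)
    order = str(m).encode() if protocol == 1 else f"{m}|{rk}".encode()
    cash = bank.withdraw(order)
    r1 = secrets.token_hex(16) if protocol == 3 else None
    bank.deposit(cash, r1)
    r2 = secrets.token_hex(16) if (protocol == 3 and cheater == "alice") else r1
    bank.deposit(cash, r2)
    return bank.trace


if __name__ == "__main__":
    for proto, who in [(1, "merchant"), (2, "alice"), (3, "alice"), (3, "merchant")]:
        print(proto, who, run(proto, who))
```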

9.4 Digital Cash Protocol 4

Digital Cash Protocol 4, shown in Figure 30, is the basic digital cash protocol to ensure anonymity, resist replay attacks and identify exactly who cheats.

The process of the protocol is as follows.

1. Alice receives some requests D from the outside through the channel CAI (the corresponding reading action is denoted rCAI(D)), she generates n $mi orders containing m, a random number Ri, and n pairs of strings Ii1L, Ii1R,⋯, IinL, IinR, with each order blinded through actions blindk1(mi,Ri, Ii1L, Ii1R,⋯, IinL, IinR) for 1 ≤ i ≤ n, and sends them to the bank through the channel CAB (the corresponding sending action is denoted sCAB(BLINDk1(m1,R1, I1L, I1R),⋯,BLINDk1(mn,Rn, InL, InR)));

2. The bank receives these orders from Alice through the channel CAB (the corresponding reading action is denoted rCAB(BLINDk1(m1,R1, I11L, I11R,⋯, I1nL, I1nR),⋯,BLINDk1(mn,Rn, I1nL, I1nR,⋯, InnL, InnR))), he randomly selects n − 1 orders and asks Alice to unblind them through actions unblindk1(BLINDk1(mj,Rj, Ij1L, Ij1R,⋯, IjnL, IjnR)) and to reveal Ij1L, Ij1R,⋯, IjnL, IjnR (see section 8.2) for 1 ≤ j ≤ n − 1 to ensure that each mj = m and Rj is fresh. Then he signs the remaining BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR) through an action signskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)), checks the identity of Alice and deducts $m from Alice’s account through an action sCBO(−m), then sends SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)) to Alice through the channel CBA (the corresponding sending action is denoted sCBA(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))));

3. Alice receives the signed order SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)) from the bank through the channel CBA (the corresponding reading action is denoted rCBA(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)))), she unblinds the signed order through an action unblindk1(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))) to get SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), she may send the signed order to some merchant through the channel CAM (the corresponding sending action is denoted sCAM(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)));

4. The merchant receives the signed cash from Alice through the channel CAM (the corresponding reading action is denoted rCAM(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))), he asks Alice to reveal half of Ij1L, Ij1R,⋯, IjnL, IjnR (see section 8.2), and sends it to the bank through the channel CMB (the corresponding sending action is denoted sCMB(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), I′k1L, I′k1R,⋯, I′knL, I′knR));

5. The bank receives the signed cash from the merchant through the channel CMB (the corresponding reading action is denoted rCMB(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), I′k1L, I′k1R,⋯, I′knL, I′knR)), he de-signs the cash through an action de-sign(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)), if isFresh(Rk) = TRUE, he checks the identity of the merchant and credits $m to the merchant’s account through an action sCBO(+m); else if isFresh(Rk) = FALSE and isFresh(I′k1L, I′k1R,⋯, I′knL, I′knR) = TRUE, he gets the identity of Alice and sends ⊥A to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥A)); else if isFresh(Rk) = FALSE and isFresh(I′k1L, I′k1R,⋯, I′knL, I′knR) = FALSE, he sends ⊥M to the outside through the channel CBO (the corresponding sending action is denoted sCBO(⊥M)).

Where D ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑D∈∆ rCAI(D) ⋅ A2

A2 = blindk1(m1,Ri, I11L, I11R,⋯, I1nL, I1nR) ∥ ⋯ ∥ blindk1(mn,Rn, In1L, In1R,⋯, InnL, InnR) ⋅ A3

A3 = sCAB(BLINDk1(m1,R1, I1L, I1R),⋯,BLINDk1(mn,Rn, InL, InR)) ⋅ A4

A4 = rCBA(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))) ⋅ A5

A5 = unblindk1(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))) ⋅ A6

A6 = sCAM(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)) ⋅ A

The bank’s state transitions described by APTCG are as follows.

B = rCAB(BLINDk1(m1,R1, I11L, I11R,⋯, I1nL, I1nR),⋯,BLINDk1(mn,Rn, I1nL, I1nR,⋯, InnL, InnR)) ⋅ B2

B2 = unblindk1(BLINDk1(m1,R1, I11L, I11R,⋯, I1nL, I1nR)) ∥ ⋯ ∥ unblindk1(BLINDk1(mn−1,Rn−1, In−11L, In−11R,⋯, In−1nL, In−1nR)) ⋅ B3

B3 = signskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)) ⋅ B4

B4 = sCBO(−m) ⋅ B5

B5 = sCBA(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))) ⋅ B6

B6 = rCMB(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), I′k1L, I′k1R,⋯, I′knL, I′knR) ⋅ B7

B7 = de-sign(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)) ⋅ B8

B8 = {isFresh(Rk) = TRUE} ⋅ sCBO(+m) ⋅ B + {isFresh(Rk) = FALSE} ⋅ {isFresh(I′k1L, I′k1R,⋯, I′knL, I′knR) = TRUE} ⋅ sCBO(⊥A) ⋅ B + {isFresh(Rk) = FALSE} ⋅ {isFresh(I′k1L, I′k1R,⋯, I′knL, I′knR) = FALSE} ⋅ sCBO(⊥M) ⋅ B

The merchant’s state transitions described by APTCG are as follows.

M = rCAM(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)) ⋅ M2

M2 = sCMB(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), I′k1L, I′k1R,⋯, I′knL, I′knR) ⋅ M

The sending action and the reading action of the same type data through the same channel can communicate with each other; otherwise, a deadlock δ will be caused. We define the following communication functions.

γ(rCAB(BLINDk1(m1,R1, I11L, I11R,⋯, I1nL, I1nR),⋯,BLINDk1(mn,Rn, I1nL, I1nR,⋯, InnL, InnR)), sCAB(BLINDk1(m1,R1, I11L, I11R,⋯, I1nL, I1nR),⋯,BLINDk1(mn,Rn, I1nL, I1nR,⋯, InnL, InnR))) ≜ cCAB(BLINDk1(m1,R1, I11L, I11R,⋯, I1nL, I1nR),⋯,BLINDk1(mn,Rn, I1nL, I1nR,⋯, InnL, InnR))

γ(rCBA(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))), sCBA(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)))) ≜ cCBA(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)))

γ(rCMB(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), I′k1L, I′k1R,⋯, I′knL, I′knR), sCMB(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), I′k1L, I′k1R,⋯, I′knL, I′knR)) ≜ cCMB(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), I′k1L, I′k1R,⋯, I′knL, I′knR)

γ(rCAM(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)), sCAM(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))) ≜ cCAM(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))

Let all modules be in parallel, then the protocol A ≬ B ≬ M can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ M))) = τI(∂H(A ≬ B ≬ M))

where H = {rCAB(BLINDk1(m1,R1, I11L, I11R,⋯, I1nL, I1nR),⋯,BLINDk1(mn,Rn, I1nL, I1nR,⋯, InnL, InnR)), sCAB(BLINDk1(m1,R1, I11L, I11R,⋯, I1nL, I1nR),⋯,BLINDk1(mn,Rn, I1nL, I1nR,⋯, InnL, InnR)), rCBA(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))), sCBA(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))), rCMB(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), I′k1L, I′k1R,⋯, I′knL, I′knR), sCMB(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), I′k1L, I′k1R,⋯, I′knL, I′knR), rCAM(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)), sCAM(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)) ∣ D ∈ ∆},

I = {cCAB(BLINDk1(m1,R1, I11L, I11R,⋯, I1nL, I1nR),⋯,BLINDk1(mn,Rn, I1nL, I1nR,⋯, InnL, InnR)), cCBA(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))), cCMB(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR), I′k1L, I′k1R,⋯, I′knL, I′knR), cCAM(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)), blindk1(m1,Ri, I11L, I11R,⋯, I1nL, I1nR),⋯, blindk1(mn,Rn, In1L, In1R,⋯, InnL, InnR), unblindk1(SIGNskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR))), unblindk1(BLINDk1(m1,R1, I11L, I11R,⋯, I1nL, I1nR)),⋯, unblindk1(BLINDk1(mn−1,Rn−1, In−11L, In−11R,⋯, In−1nL, In−1nR)), signskB(BLINDk1(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)), de-sign(SIGNskB(mk,Rk, Ik1L, Ik1R,⋯, IknL, IknR)), {isFresh(Rk) = TRUE}, {isFresh(Rk) = FALSE}, {isFresh(I′k1L, I′k1R,⋯, I′knL, I′knR) = TRUE}, {isFresh(I′k1L, I′k1R,⋯, I′knL, I′knR) = FALSE} ∣ D ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 9.4. The Digital Cash Protocol 4 in Figure 30 is anonymous, resists replaying, and

knowing who exactly.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

τI(∂H(A ≬ B ≬ M)) = ∑D∈∆(rCAI(D) ⋅ sCBO(−m) ⋅ (sCBO(+m) + sCBO(⊥A) + sCBO(⊥M))) ⋅ τI(∂H(A ≬ B ≬ M)).

For the details of proof, please refer to section 2.9, and we omit it.

That is, the Digital Cash Protocol 4 in Figure 30 τI(∂H(A ≬ B ≬ M)) can exhibit desired external behaviors:

1. The digital cash of Alice SIGNskB(ENCpkB(mk)) is anonymous for the merchant and the bank;

2. The protocol can resist replay attacks, because of the use of the random number in each digital cash;

3. The bank knows who cheats him when the double spending problem occurs, either the owner of the cash or the merchant. And he knows exactly the identity of the person.
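How the half-revealed identity pairs of steps 4 and 5 let the bank name the double spender, as an added example that is not code from the paper. Assumptions: each pair is an XOR split of Alice's identity (the paper defers the construction to section 8.2), the merchant's choice of halves is a 0/1 selector, blinding and signatures are omitted, and all names are hypothetical.

```python
"""Added illustration (not from the paper): how the revealed identity halves in
Digital Cash Protocol 4 let the bank tell who double-spent."""
import secrets


def split_identity(identity: bytes, n: int):
    """Build n pairs (I_L, I_R). Assumption: XOR splitting, I_L xor I_R = identity."""
    pairs = []
    for _ in range(n):
        left = secrets.token_bytes(len(identity))
        right = bytes(a ^ b for a, b in zip(left, identity))
        pairs.append((left, right))
    return pairs


def reveal_half(pairs, selector):
    """Step 4: for each pair Alice opens the half the merchant asks for.

    selector is the merchant's list of bits: 0 = left half, 1 = right half.
    """
    return tuple((bit, pair[bit]) for pair, bit in zip(pairs, selector))


class Bank:
    def __init__(self):
        self.deposits = {}  # Rk -> halves revealed with the first deposit

    def deposit(self, rk, halves):
        """Step 5 guards. Returns (action on CBO, recovered identity or None)."""
        if rk not in self.deposits:          # isFresh(Rk) = TRUE
            self.deposits[rk] = halves
            return "+m", None
        first = self.deposits[rk]
        if halves == first:                  # isFresh(I') = FALSE: same message replayed
            return "⊥M", None
        # isFresh(I') = TRUE: the cash was spent twice under different selectors,
        # so for some pair both halves are now on file and recombine to the identity.
        for (bit1, half1), (bit2, half2) in zip(first, halves):
            if bit1 != bit2:
                return "⊥A", bytes(a ^ b for a, b in zip(half1, half2))
        raise ValueError("halves differ but no complementary pair: malformed deposit")


def demo():
    identity = b"alice-account-0001"        # constructed sample value
    pairs = split_identity(identity, n=8)
    rk = secrets.token_hex(16)               # the cash's random number Rk
    bank = Bank()
    shop1 = reveal_half(pairs, [0, 1, 0, 1, 0, 1, 0, 1])  # first merchant's selector
    shop2 = reveal_half(pairs, [0, 1, 1, 1, 0, 1, 0, 1])  # second merchant's selector
    return [
        bank.deposit(rk, shop1),  # honest first deposit
        bank.deposit(rk, shop2),  # Alice spent the same cash at a second merchant
        bank.deposit(rk, shop1),  # first merchant replays his own deposit
    ]


if __name__ == "__main__":
    for action, who in demo():
        print(action, who)
```

In this model a second spend made under an identical selector is indistinguishable from a merchant replay, so the ⊥A verdict depends on the two selectors differing in at least one position.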


10 Analyses of Secure Elections Protocols

Secure elections protocols should be able to prevent cheating and maintain the voter’s privacy.

An ideal secure election protocol should have the following properties:

1. Legitimacy: only authorized voters can vote;

2. Oneness: no one can vote more than once;

3. Privacy: no one can determine for whom anyone else voted;

4. Non-replicability: no one can duplicate anyone else’s vote;

5. Non-changeability: no one can change anyone else’s vote;

6. Validness: every voter can make sure that his vote has been taken into account in the final

tabulation.

In this chapter, we will introduce seven secure elections protocols in the following sections. In

the analyses of these seven protocols, we will mainly analyze the security and privacy properties.

10.1 Secure Elections Protocol 1

Secure elections protocol 1, shown in Figure 31, is a basic protocol that implements the basic voting function. In this protocol, there is a CTF (Central Tabulating Facility), which collects the votes, and four voters: Alice, Bob, Carol and Dave.

The process of the protocol is as follows.

1. Alice receives some voting request DA from the outside through the channel CAI (the corresponding reading action is denoted rCAI(DA)), she generates the votes vA, encrypts vA by CTF’s public key pkT through an action encpkT(vA), and sends it to CTF through the channel CAT (the corresponding sending action is denoted sCAT(ENCpkT(vA)));

2. Bob receives some voting request DB from the outside through the channel CBI (the corresponding reading action is denoted rCBI(DB)), he generates the votes vB, encrypts vB by CTF’s public key pkT through an action encpkT(vB), and sends it to CTF through the channel CBT (the corresponding sending action is denoted sCBT(ENCpkT(vB)));

3. Carol receives some voting request DC from the outside through the channel CCI (the corresponding reading action is denoted rCCI(DC)), he generates the votes vC, encrypts vC by CTF’s public key pkT through an action encpkT(vC), and sends it to CTF through the channel CCT (the corresponding sending action is denoted sCCT(ENCpkT(vC)));

4. Dave receives some voting request DD from the outside through the channel CDI (the corresponding reading action is denoted rCDI(DD)), he generates the votes vD, encrypts vD by CTF’s public key pkT through an action encpkT(vD), and sends it to CTF through the channel CDT (the corresponding sending action is denoted sCDT(ENCpkT(vD)));

5. CTF receives encrypted votes from Alice, Bob, Carol and Dave through the channels CAT, CBT, CCT and CDT (the corresponding reading actions are denoted rCAT(ENCpkT(vA)), rCBT(ENCpkT(vB)), rCCT(ENCpkT(vC)) and rCDT(ENCpkT(vD)) respectively), decrypts the encrypted votes through actions decskT(ENCpkT(vA)), decskT(ENCpkT(vB)), decskT(ENCpkT(vC)), and decskT(ENCpkT(vD)) to get vA, vB, vC and vD, then sends vA + vB + vC + vD to the outside through the channel CTO (the corresponding sending action is denoted sCTO(vA + vB + vC + vD)).

Figure 31: Secure elections protocol 1

Where DA,DB,DC ,DD ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑DA∈∆ rCAI(DA) ⋅ A2

A2 = encpkT(vA) ⋅ A3

A3 = sCAT(ENCpkT(vA)) ⋅ A

Bob’s state transitions described by APTCG are as follows.

B = ∑DB∈∆ rCBI(DB) ⋅ B2

B2 = encpkT(vB) ⋅ B3

B3 = sCBT(ENCpkT(vB)) ⋅ B

Carol’s state transitions described by APTCG are as follows.

C = ∑DC∈∆ rCCI(DC) ⋅ C2

C2 = encpkT(vC) ⋅ C3

C3 = sCCT(ENCpkT(vC)) ⋅ C

Dave’s state transitions described by APTCG are as follows.

D = ∑DD∈∆ rCDI(DD) ⋅ D2

D2 = encpkT(vD) ⋅ D3

D3 = sCDT(ENCpkT(vD)) ⋅ D

CTF’s state transitions described by APTCG are as follows.

T = rCAT(ENCpkT(vA)) ∥ rCBT(ENCpkT(vB)) ∥ rCCT(ENCpkT(vC)) ∥ rCDT(ENCpkT(vD)) ⋅ T2

T2 = decskT(ENCpkT(vA)) ∥ decskT(ENCpkT(vB)) ∥ decskT(ENCpkT(vC)) ∥ decskT(ENCpkT(vD)) ⋅ T3

T3 = sCTO(vA + vB + vC + vD) ⋅ T

The sending action and the reading action of the same type data through the same channel can communicate with each other; otherwise, a deadlock δ will be caused. We define the following communication functions.

γ(rCAT(ENCpkT(vA)), sCAT(ENCpkT(vA))) ≜ cCAT(ENCpkT(vA))

γ(rCBT(ENCpkT(vB)), sCBT(ENCpkT(vB))) ≜ cCBT(ENCpkT(vB))

γ(rCCT(ENCpkT(vC)), sCCT(ENCpkT(vC))) ≜ cCCT(ENCpkT(vC))

γ(rCDT(ENCpkT(vD)), sCDT(ENCpkT(vD))) ≜ cCDT(ENCpkT(vD))

Let all modules be in parallel, then the protocol A ≬ B ≬ C ≬ D ≬ T can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ C ≬ D ≬ T))) = τI(∂H(A ≬ B ≬ C ≬ D ≬ T))

where H = {rCAT(ENCpkT(vA)), sCAT(ENCpkT(vA)), rCBT(ENCpkT(vB)), sCBT(ENCpkT(vB)), rCCT(ENCpkT(vC)), sCCT(ENCpkT(vC)), rCDT(ENCpkT(vD)), sCDT(ENCpkT(vD)) ∣ DA,DB,DC,DD ∈ ∆},

I = {cCAT(ENCpkT(vA)), cCBT(ENCpkT(vB)), cCCT(ENCpkT(vC)), cCDT(ENCpkT(vD)), encpkT(vA), encpkT(vB), encpkT(vC), encpkT(vD), decskT(ENCpkT(vA)), decskT(ENCpkT(vB)), decskT(ENCpkT(vC)), decskT(ENCpkT(vD)) ∣ DA,DB,DC,DD ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 10.1. The secure elections protocol 1 in Figure 31 is secure, but basic.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

τI(∂H(A ≬ B ≬ C ≬ D ≬ T)) = ∑DA,DB,DC,DD∈∆(rCAI(DA) ∥ rCBI(DB) ∥ rCCI(DC) ∥ rCDI(DD) ⋅ sCTO(vA + vB + vC + vD)) ⋅ τI(∂H(A ≬ B ≬ C ≬ D ≬ T)).

For the details of proof, please refer to section 2.9, and we omit it.

Figure 32: Secure elections protocol 2

That is, the protocol in Figure 31 τI(∂H(A ≬ B ≬ C ≬ D ≬ T)) can exhibit desired external behaviors, and is secure. But, for the properties of secure elections protocols:

1. Legitimacy: all voters can vote;

2. Oneness: anyone can vote more than once;

3. Privacy: no one can determine for whom anyone else voted;

4. Non-replicability: CTF can duplicate anyone else’s vote;

5. Non-changeability: CTF can change anyone else’s vote;

6. Validness: every voter cannot make sure that his vote has been taken into account in the

final tabulation.

10.2 Secure Elections Protocol 2

Secure elections protocol 2, shown in Figure 32, is an improved protocol based on the secure elections protocol 1 in section 10.1. In this protocol, there is a CTF (Central Tabulating Facility), which checks the identity of voters and collects the votes, and four voters: Alice, Bob, Carol and Dave.

The process of the protocol is as follows.


1. Alice receives some voting request DA from the outside through the channel CAI (the corresponding reading action is denoted rCAI(DA)), she generates the votes vA, signs vA by her private key skA through an action signskA(vA), then encrypts it by CTF’s public key pkT through an action encpkT(SIGNskA(vA)), and sends it to CTF through the channel CAT (the corresponding sending action is denoted sCAT(ENCpkT(SIGNskA(vA))));

2. Bob receives some voting request DB from the outside through the channel CBI (the corresponding reading action is denoted rCBI(DB)), he generates the votes vB, signs vB by his private key skB through an action signskB(vB), then encrypts it by CTF’s public key pkT through an action encpkT(SIGNskB(vB)), and sends it to CTF through the channel CBT (the corresponding sending action is denoted sCBT(ENCpkT(SIGNskB(vB))));

3. Carol receives some voting request DC from the outside through the channel CCI (the corresponding reading action is denoted rCCI(DC)), he generates the votes vC, signs vC by his private key skC through an action signskC(vC), then encrypts it by CTF’s public key pkT through an action encpkT(SIGNskC(vC)), and sends it to CTF through the channel CCT (the corresponding sending action is denoted sCCT(ENCpkT(SIGNskC(vC))));

4. Dave receives some voting request DD from the outside through the channel CDI (the corresponding reading action is denoted rCDI(DD)), he generates the votes vD, signs vD by his private key skD through an action signskD(vD), then encrypts it by CTF’s public key pkT through an action encpkT(SIGNskD(vD)), and sends it to CTF through the channel CDT (the corresponding sending action is denoted sCDT(ENCpkT(SIGNskD(vD))));

5. CTF receives encrypted votes from Alice, Bob, Carol and Dave through the channels CAT, CBT, CCT and CDT (the corresponding reading actions are denoted rCAT(ENCpkT(SIGNskA(vA))), rCBT(ENCpkT(SIGNskB(vB))), rCCT(ENCpkT(SIGNskC(vC))) and rCDT(ENCpkT(SIGNskD(vD))) respectively), decrypts the encrypted votes through actions decskT(ENCpkT(SIGNskA(vA))), decskT(ENCpkT(SIGNskB(vB))), decskT(ENCpkT(SIGNskC(vC))), and decskT(ENCpkT(SIGNskD(vD))), then de-signs them through actions de-signpkA(SIGNskA(vA)), de-signpkB(SIGNskB(vB)), de-signpkC(SIGNskC(vC)), and de-signpkD(SIGNskD(vD)) to get vA, vB, vC and vD, then sends vA + vB + vC + vD,A,B,C,D to the outside through the channel CTO (the corresponding sending action is denoted sCTO(vA + vB + vC + vD,A,B,C,D)).

Where DA,DB,DC ,DD ∈ ∆, ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑DA∈∆ rCAI(DA) ⋅ A2
A2 = signskA(vA) ⋅ A3
A3 = encpkT(SIGNskA(vA)) ⋅ A4
A4 = sCAT(ENCpkT(SIGNskA(vA))) ⋅ A

Bob’s state transitions described by APTCG are as follows.

B = ∑DB∈∆ rCBI(DB) ⋅ B2
B2 = signskB(vB) ⋅ B3
B3 = encpkT(SIGNskB(vB)) ⋅ B4
B4 = sCBT(ENCpkT(SIGNskB(vB))) ⋅ B

Carol’s state transitions described by APTCG are as follows.

C = ∑DC∈∆ rCCI(DC) ⋅ C2
C2 = signskC(vC) ⋅ C3
C3 = encpkT(SIGNskC(vC)) ⋅ C4
C4 = sCCT(ENCpkT(SIGNskC(vC))) ⋅ C

Dave’s state transitions described by APTCG are as follows.

D = ∑DD∈∆ rCDI(DD) ⋅ D2
D2 = signskD(vD) ⋅ D3
D3 = encpkT(SIGNskD(vD)) ⋅ D4
D4 = sCDT(ENCpkT(SIGNskD(vD))) ⋅ D

CTF’s state transitions described by APTCG are as follows.

T = rCAT(ENCpkT(SIGNskA(vA))) ∥ rCBT(ENCpkT(SIGNskB(vB))) ∥ rCCT(ENCpkT(SIGNskC(vC))) ∥ rCDT(ENCpkT(SIGNskD(vD))) ⋅ T2
T2 = decskT(ENCpkT(SIGNskA(vA))) ∥ decskT(ENCpkT(SIGNskB(vB))) ∥ decskT(ENCpkT(SIGNskC(vC))) ∥ decskT(ENCpkT(SIGNskD(vD))) ⋅ T3
T3 = de-signpkA(SIGNskA(vA)) ∥ de-signpkB(SIGNskB(vB)) ∥ de-signpkC(SIGNskC(vC)) ∥ de-signpkD(SIGNskD(vD)) ⋅ T4
T4 = sCTO(vA + vB + vC + vD, A, B, C, D) ⋅ T

The sending action and the reading action of the same type data through the same channel can communicate with each other, otherwise, will cause a deadlock δ. We define the following communication functions.

γ(rCAT(ENCpkT(SIGNskA(vA))), sCAT(ENCpkT(SIGNskA(vA)))) ≜ cCAT(ENCpkT(SIGNskA(vA)))
γ(rCBT(ENCpkT(SIGNskB(vB))), sCBT(ENCpkT(SIGNskB(vB)))) ≜ cCBT(ENCpkT(SIGNskB(vB)))
γ(rCCT(ENCpkT(SIGNskC(vC))), sCCT(ENCpkT(SIGNskC(vC)))) ≜ cCCT(ENCpkT(SIGNskC(vC)))
γ(rCDT(ENCpkT(SIGNskD(vD))), sCDT(ENCpkT(SIGNskD(vD)))) ≜ cCDT(ENCpkT(SIGNskD(vD)))

Let all modules be in parallel, then the protocol A B C D T can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ C ≬ D ≬ T))) = τI(∂H(A ≬ B ≬ C ≬ D ≬ T))

where H = {rCAT(ENCpkT(SIGNskA(vA))), sCAT(ENCpkT(SIGNskA(vA))),
rCBT(ENCpkT(SIGNskB(vB))), sCBT(ENCpkT(SIGNskB(vB))),
rCCT(ENCpkT(SIGNskC(vC))), sCCT(ENCpkT(SIGNskC(vC))),
rCDT(ENCpkT(SIGNskD(vD))), sCDT(ENCpkT(SIGNskD(vD))) ∣ DA, DB, DC, DD ∈ ∆},

I = {cCAT(ENCpkT(SIGNskA(vA))), cCBT(ENCpkT(SIGNskB(vB))), cCCT(ENCpkT(SIGNskC(vC))), cCDT(ENCpkT(SIGNskD(vD))),
signskA(vA), signskB(vB), signskC(vC), signskD(vD),
encpkT(SIGNskA(vA)), encpkT(SIGNskB(vB)), encpkT(SIGNskC(vC)), encpkT(SIGNskD(vD)),
decskT(ENCpkT(SIGNskA(vA))), decskT(ENCpkT(SIGNskB(vB))), decskT(ENCpkT(SIGNskC(vC))), decskT(ENCpkT(SIGNskD(vD))),
de-signpkA(SIGNskA(vA)), de-signpkB(SIGNskB(vB)), de-signpkC(SIGNskC(vC)), de-signpkD(SIGNskD(vD)) ∣ DA, DB, DC, DD ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 10.2. The secure elections protocol 2 in Figure 32 is an improvement on the secure elections protocol 1.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

τI(∂H(A ≬ B ≬ C ≬ D ≬ T)) = ∑DA,DB,DC,DD∈∆ (rCAI(DA) ∥ rCBI(DB) ∥ rCCI(DC) ∥ rCDI(DD) ⋅ sCTO(vA + vB + vC + vD, A, B, C, D)) ⋅ τI(∂H(A ≬ B ≬ C ≬ D ≬ T)).

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 32, τI(∂H(A ≬ B ≬ C ≬ D ≬ T)), can exhibit desired external behaviors, and is secure. But, for the properties of secure elections protocols:

1. Legitimacy: only authorized voters can vote;

2. Oneness: no one can vote more than once;

3. Privacy: CTF can determine for whom anyone else voted;

4. Non-replicability: CTF can duplicate anyone else’s vote;

5. Non-changeability: CTF can change anyone else’s vote;

6. Validness: every voter cannot make sure that his vote has been taken into account in the

final tabulation.
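
As an added illustration (not part of the paper), the following Python sketch replays one round of protocol 2 under random interleavings: γ merges matching s/r pairs on the channels CAT to CDT, ∂H blocks unmatched ones, and τI hides everything except the external reads and the final send on CTO. It simulates single schedules rather than the truly concurrent semantics or the proof; the tuple encoding of actions and the `mismatched` parameter are assumptions of the example.

```python
import random

VOTERS = "ABCD"
H_CHANNELS = {f"C{x}T" for x in VOTERS}   # lone s/r actions on these channels are in H


def voter(x, payload=None):
    """X, X2, X3, X4 of voter x as sequential stages with one action each."""
    signed = f"SIGN_sk{x}(v{x})"
    enc = payload or f"ENC_pkT({signed})"
    return [[("r", f"C{x}I", f"D{x}")],
            [("int", f"sign_sk{x}", f"v{x}")],
            [("int", "enc_pkT", signed)],
            [("s", f"C{x}T", enc)]]


def ctf():
    """T, T2, T3, T4: the actions inside one stage are parallel (any order)."""
    signed = {x: f"SIGN_sk{x}(v{x})" for x in VOTERS}
    return [[("r", f"C{x}T", f"ENC_pkT({signed[x]})") for x in VOTERS],
            [("int", "dec_skT", f"ENC_pkT({signed[x]})") for x in VOTERS],
            [("int", f"de-sign_pk{x}", signed[x]) for x in VOTERS],
            [("s", "CTO", "vA+vB+vC+vD,A,B,C,D")]]


def run_round(procs, seed):
    """Execute one round under a seeded random schedule and return the full trace."""
    rng = random.Random(seed)
    pending = [[list(stage) for stage in p] for p in procs]
    trace = []
    while any(pending):
        heads = [(i, a) for i, p in enumerate(pending) if p for a in p[0]]
        moves = []
        for i, (kind, chan, data) in heads:
            if kind == "int" or chan not in H_CHANNELS:
                moves.append([(i, (kind, chan, data))])          # free action
            elif kind == "s":                                    # gamma: s needs its r
                moves += [[(i, (kind, chan, data)), (j, b)] for j, b in heads
                          if j != i and b == ("r", chan, data)]
        if not moves:                                            # encapsulation: deadlock
            return trace + [("delta",)]
        move = rng.choice(moves)
        for i, a in move:
            pending[i][0].remove(a)
            if not pending[i][0]:
                pending[i].pop(0)
        first = move[0][1]
        trace.append(("c",) + first[1:] if len(move) == 2 else first)
    return trace


def observable(trace):
    """tau_I: hide communications and internal actions, keep external r/s and delta."""
    return [a for a in trace if a[0] in ("r", "s", "delta")]


def external_behaviour(seed, mismatched=None):
    """Observable trace of A, B, C, D and T in parallel for one schedule.

    mismatched names a voter whose message differs from what T reads (constructed case).
    """
    procs = [voter(x, "ENC_pkT(other)" if x == mismatched else None) for x in VOTERS]
    return observable(run_round(procs + [ctf()], seed))
```

Every schedule yields the four external reads in some order followed by the single send on CTO; a send whose data does not match the read that T offers leaves the round in δ with no output on CTO.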

10.3 Secure Elections Protocol 3

The secure elections protocol 3 is shown in Figure 33; it is an improved version of the secure elections protocol 2 in section 10.2. In this protocol, there are a CTF (Central Tabulating Facility), which checks the identity of voters and collects the votes, and four voters: Alice, Bob, Carol and Dave.

The process of the protocol is as follows.


Figure 33: Secure elections protocol 3

1. Alice receives some voting request DA from the outside through the channel CAI (the corresponding reading action is denoted rCAI(DA)), she generates a message containing all possible voting results VA and a random number RA, blinds this message through an action blindkA(VA, RA); 10 such messages are generated in total, then she sends these 10 messages to CTF through the channel CAT (the corresponding sending action is denoted sCAT(10 × BLINDkA(VA, RA), kA, A));

2. Bob receives some voting request DB from the outside through the channel CBI (the corresponding reading action is denoted rCBI(DB)), he generates a message containing all possible voting results VB and a random number RB, blinds this message through an action blindkB(VB, RB); 10 such messages are generated in total, then he sends these 10 messages to CTF through the channel CBT (the corresponding sending action is denoted sCBT(10 × BLINDkB(VB, RB), kB, B));

3. Carol receives some voting request DC from the outside through the channel CCI (the corresponding reading action is denoted rCCI(DC)), she generates a message containing all possible voting results VC and a random number RC, blinds this message through an action blindkC(VC, RC); 10 such messages are generated in total, then she sends these 10 messages to CTF through the channel CCT (the corresponding sending action is denoted sCCT(10 × BLINDkC(VC, RC), kC, C));

4. Dave receives some voting request DD from the outside through the channel CDI (the corresponding reading action is denoted rCDI(DD)), he generates a message containing all possible voting results VD and a random number RD, blinds this message through an action blindkD(VD, RD); 10 such messages are generated in total, then he sends these 10 messages to CTF through the channel CDT (the corresponding sending action is denoted sCDT(10 × BLINDkD(VD, RD), kD, D));

5. CTF receives the messages from Alice, Bob, Carol and Dave through the channels CAT, CBT, CCT and CDT (the corresponding reading actions are denoted rCAT(10 × BLINDkA(VA, RA), kA, A), sCBT(10 × BLINDkB(VB, RB), kB, B), sCCT(10 × BLINDkC(VC, RC), kC, C), and sCDT(10 × BLINDkD(VD, RD), kD, D) respectively), he checks the names of Alice, Bob, Carol and Dave to make sure that they submit the blinded messages for the first time and stores their names through the actions check(A), check(B), check(C) and check(D), then he randomly unblinds 9 of their sets of messages to make sure that they are formed correctly through the actions 9 × unblindkA(BLINDkA(VA, RA)), 9 × unblindkB(BLINDkB(VB, RB)), 9 × unblindkC(BLINDkC(VC, RC)), and 9 × unblindkD(BLINDkD(VD, RD)). Then he signs their remaining message through the actions signskT(BLINDkA(VA, RA)), signskT(BLINDkB(VB, RB)), signskT(BLINDkC(VC, RC)), and signskT(BLINDkD(VD, RD)), and sends them to Alice, Bob, Carol and Dave through the channels CTA, CTB, CTC and CTD (the corresponding sending actions are denoted sCTA(SIGNskT(BLINDkA(VA, RA))), sCTB(SIGNskT(BLINDkB(VB, RB))), sCTC(SIGNskT(BLINDkC(VC, RC))), and sCTD(SIGNskT(BLINDkD(VD, RD))));

6. Alice receives the signed message from CTF through the channel CTA (the corresponding reading action is denoted rCTA(SIGNskT(BLINDkA(VA, RA)))), she unblinds the message through the action unblindkA(SIGNskT(BLINDkA(VA, RA))), selects her vote vA from VA, encrypts the vote through an action encpkT(SIGNskT(vA, RA)), and sends her encrypted vote to CTF through the channel CAT (the corresponding sending action is denoted sCAT(ENCpkT(SIGNskT(vA, RA))));

7. Bob receives the signed message from CTF through the channel CTB (the corresponding reading action is denoted rCTB(SIGNskT(BLINDkB(VB, RB)))), he unblinds the message through the action unblindkB(SIGNskT(BLINDkB(VB, RB))), selects his vote vB from VB, encrypts the vote through an action encpkT(SIGNskT(vB, RB)), and sends his encrypted vote to CTF through the channel CBT (the corresponding sending action is denoted sCBT(ENCpkT(SIGNskT(vB, RB))));

8. Carol receives the signed message from CTF through the channel CTC (the corresponding reading action is denoted rCTC(SIGNskT(BLINDkC(VC, RC)))), she unblinds the message through the action unblindkC(SIGNskT(BLINDkC(VC, RC))), selects her vote vC from VC, encrypts the vote through an action encpkT(SIGNskT(vC, RC)), and sends her encrypted vote to CTF through the channel CCT (the corresponding sending action is denoted sCCT(ENCpkT(SIGNskT(vC, RC))));

9. Dave receives the signed message from CTF through the channel CTD (the corresponding reading action is denoted rCTD(SIGNskT(BLINDkD(VD, RD)))), he unblinds the message through the action unblindkD(SIGNskT(BLINDkD(VD, RD))), selects his vote vD from VD, encrypts the vote through an action encpkT(SIGNskT(vD, RD)), and sends his encrypted vote to CTF through the channel CDT (the corresponding sending action is denoted sCDT(ENCpkT(SIGNskT(vD, RD))));

10. CTF receives the votes from Alice, Bob, Carol and Dave through the channels CAT, CBT, CCT and CDT (the corresponding reading actions are denoted rCAT(ENCpkT(SIGNskT(vA, RA))), rCBT(ENCpkT(SIGNskT(vB, RB))), rCCT(ENCpkT(SIGNskT(vC, RC))), and rCDT(ENCpkT(SIGNskT(vD, RD))) respectively), he decrypts and de-signs these votes through the actions decskT(ENCpkT(SIGNskT(vA, RA))), decskT(ENCpkT(SIGNskT(vB, RB))), decskT(ENCpkT(SIGNskT(vC, RC))), decskT(ENCpkT(SIGNskT(vD, RD))) and de-signpkT(SIGNskT(vA, RA)), de-signpkT(SIGNskT(vB, RB)), de-signpkT(SIGNskT(vC, RC)), de-signpkT(SIGNskT(vD, RD)). If isFresh(RA) = TRUE, he tabulates vA through an action tab(vA), else tab(0); if isFresh(RB) = TRUE, he tabulates vB through an action tab(vB), else tab(0); if isFresh(RC) = TRUE, he tabulates vC through an action tab(vC), else tab(0); if isFresh(RD) = TRUE, he tabulates vD through an action tab(vD), else tab(0). Finally, he sends the voting results TAB to the outside through the channel CTO (the corresponding sending action is denoted sCTO(TAB)).

Where DA,DB,DC ,DD ∈ ∆, ∆ is the set of data.
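
The blind-signature exchange of steps 1 to 10 can be made concrete as follows. This is an added example, not code from the paper: textbook RSA blinding with a toy key stands in for the abstract blind, unblind and sign actions, a message set holds one blinded message per candidate, the voter reveals (R, k) only for the 9 sets the CTF opens, and the ENCpkT transport step is left out. All names in the code are assumptions of the example.

```python
import hashlib
import math
import random

# Toy RSA key of the CTF (constructed for this example, far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
CANDIDATES = ("yes", "no")                 # V: all possible voting results


def h(vote, r_id):
    """Encode the pair (v, R) as an integer modulo N."""
    digest = hashlib.sha256(f"{vote}|{r_id}".encode()).digest()
    return int.from_bytes(digest, "big") % N


def blind(m, k):
    return m * pow(k, E, N) % N


def unblind(s, k):
    return s * pow(k, -1, N) % N


def verify(vote, r_id, sig):               # de-sign with pkT
    return pow(sig, E, N) == h(vote, r_id)


class Voter:
    def __init__(self, name, rng):
        self.name, self.secrets = name, []
        while len(self.secrets) < 10:      # 10 message sets, each with its own R and k
            k = rng.randrange(2, N)
            if math.gcd(k, N) == 1:
                self.secrets.append((rng.getrandbits(64), k))

    def blinded_sets(self):
        return [[blind(h(c, r), k) for c in CANDIDATES] for r, k in self.secrets]

    def open_set(self, j):                 # reveal (R, k) of a set the CTF inspects
        return self.secrets[j]

    def ballot(self, keep, blind_sigs, vote):
        r_id, k = self.secrets[keep]
        return vote, r_id, unblind(blind_sigs[CANDIDATES.index(vote)], k)


class CTF:
    def __init__(self, rng):
        self.rng, self.names, self.used = rng, set(), set()
        self.tab = {c: 0 for c in CANDIDATES}

    def sign_one_set(self, name, sets, open_set):
        if name in self.names or len(sets) != 10:           # check(X)
            return None
        self.names.add(name)
        keep = self.rng.randrange(10)
        for j in range(10):                                 # open 9 of the 10 sets
            if j != keep:
                r_id, k = open_set(j)
                if sets[j] != [blind(h(c, r_id), k) for c in CANDIDATES]:
                    return None                             # malformed set: refuse
        return keep, [pow(b, D, N) for b in sets[keep]]     # sign_skT on blinded data

    def tabulate(self, vote, r_id, sig):
        if vote not in self.tab or not verify(vote, r_id, sig) or r_id in self.used:
            return False                                    # tab(0)
        self.used.add(r_id)                                 # isFresh(R) = TRUE
        self.tab[vote] += 1
        return True


def run_election(seed=1):
    """One election with constructed votes; returns the CTF and the ballots cast."""
    rng = random.Random(seed)
    ctf, ballots = CTF(rng), {}
    for name, vote in [("Alice", "yes"), ("Bob", "no"), ("Carol", "yes"), ("Dave", "yes")]:
        v = Voter(name, rng)
        keep, sigs = ctf.sign_one_set(name, v.blinded_sets(), v.open_set)
        ballots[name] = v.ballot(keep, sigs, vote)
        assert ctf.tabulate(*ballots[name])
    return ctf, ballots
```

The CTF never sees the R of the set it signs, so the ballot it later tabulates cannot be linked to a name, while a replayed R, an altered vote or a second request under the same name is rejected.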

Alice’s state transitions described by APTCG are as follows.

A = ∑DA∈∆ rCAI(DA) ⋅ A2
A2 = blindkA(VA, RA) ⋅ A3
A3 = sCAT(10 × BLINDkA(VA, RA), kA, A) ⋅ A4
A4 = rCTA(SIGNskT(BLINDkA(VA, RA))) ⋅ A5
A5 = unblindkA(SIGNskT(BLINDkA(VA, RA))) ⋅ A6
A6 = encpkT(SIGNskT(vA, RA)) ⋅ A7
A7 = sCAT(ENCpkT(SIGNskT(vA, RA))) ⋅ A

Bob’s state transitions described by APTCG are as follows.

B = ∑DB∈∆ rCBI(DB) ⋅ B2
B2 = blindkB(VB, RB) ⋅ B3
B3 = sCBT(10 × BLINDkB(VB, RB), kB, B) ⋅ B4
B4 = rCTB(SIGNskT(BLINDkB(VB, RB))) ⋅ B5
B5 = unblindkB(SIGNskT(BLINDkB(VB, RB))) ⋅ B6
B6 = encpkT(SIGNskT(vB, RB)) ⋅ B7
B7 = sCBT(ENCpkT(SIGNskT(vB, RB))) ⋅ B

Carol’s state transitions described by APTCG are as follows.

C = ∑DC∈∆ rCCI(DC) ⋅ C2
C2 = blindkC(VC, RC) ⋅ C3
C3 = sCCT(10 × BLINDkC(VC, RC), kC, C) ⋅ C4
C4 = rCTC(SIGNskT(BLINDkC(VC, RC))) ⋅ C5
C5 = unblindkC(SIGNskT(BLINDkC(VC, RC))) ⋅ C6
C6 = encpkT(SIGNskT(vC, RC)) ⋅ C7
C7 = sCCT(ENCpkT(SIGNskT(vC, RC))) ⋅ C

Dave’s state transitions described by APTCG are as follows.

D = ∑DD∈∆ rCDI(DD) ⋅ D2
D2 = blindkD(VD, RD) ⋅ D3
D3 = sCDT(10 × BLINDkD(VD, RD), kD, D) ⋅ D4
D4 = rCTD(SIGNskT(BLINDkD(VD, RD))) ⋅ D5
D5 = unblindkD(SIGNskT(BLINDkD(VD, RD))) ⋅ D6
D6 = encpkT(SIGNskT(vD, RD)) ⋅ D7
D7 = sCDT(ENCpkT(SIGNskT(vD, RD))) ⋅ D

CTF’s state transitions described by APTCG are as follows.

T = rCAT(10 × BLINDkA(VA, RA), kA, A) ∥ sCBT(10 × BLINDkB(VB, RB), kB, B) ∥ sCCT(10 × BLINDkC(VC, RC), kC, C) ∥ sCDT(10 × BLINDkD(VD, RD), kD, D) ⋅ T2
T2 = check(A) ∥ check(B) ∥ check(C) ∥ check(D) ⋅ T3
T3 = 9 × unblindkA(BLINDkA(VA, RA)) ∥ 9 × unblindkB(BLINDkB(VB, RB)) ∥ 9 × unblindkC(BLINDkC(VC, RC)) ∥ 9 × unblindkD(BLINDkD(VD, RD)) ⋅ T4
T4 = signskT(BLINDkA(VA, RA)) ∥ signskT(BLINDkB(VB, RB)) ∥ signskT(BLINDkC(VC, RC)) ∥ signskT(BLINDkD(VD, RD)) ⋅ T5
T5 = sCTA(SIGNskT(BLINDkA(VA, RA))) ∥ sCTB(SIGNskT(BLINDkB(VB, RB))) ∥ sCTC(SIGNskT(BLINDkC(VC, RC))) ∥ sCTD(SIGNskT(BLINDkD(VD, RD))) ⋅ T6
T6 = rCAT(ENCpkT(SIGNskT(vA, RA))) ∥ rCBT(ENCpkT(SIGNskT(vB, RB))) ∥ rCCT(ENCpkT(SIGNskT(vC, RC))) ∥ rCDT(ENCpkT(SIGNskT(vD, RD))) ⋅ T7
T7 = decskT(ENCpkT(SIGNskT(vA, RA))) ∥ decskT(ENCpkT(SIGNskT(vB, RB))) ∥ decskT(ENCpkT(SIGNskT(vC, RC))) ∥ decskT(ENCpkT(SIGNskT(vD, RD))) ⋅ T8
T8 = de-signpkT(SIGNskT(vA, RA)) ∥ de-signpkT(SIGNskT(vB, RB)) ∥ de-signpkT(SIGNskT(vC, RC)) ∥ de-signpkT(SIGNskT(vD, RD)) ⋅ T9
T9 = (({isFresh(RA) = TRUE} ⋅ tab(vA) + {isFresh(RA) = FALSE} ⋅ tab(0)) ∥ ({isFresh(RB) = TRUE} ⋅ tab(vB) + {isFresh(RB) = FALSE} ⋅ tab(0)) ∥ ({isFresh(RC) = TRUE} ⋅ tab(vC) + {isFresh(RC) = FALSE} ⋅ tab(0)) ∥ ({isFresh(RD) = TRUE} ⋅ tab(vD) + {isFresh(RD) = FALSE} ⋅ tab(0))) ⋅ T10
T10 = sCTO(TAB) ⋅ T

The sending action and the reading action of the same type data through the same channel can communicate with each other, otherwise, will cause a deadlock δ. We define the following communication functions.

γ(rCAT(10 × BLINDkA(VA, RA), kA, A), sCAT(10 × BLINDkA(VA, RA), kA, A)) ≜ cCAT(10 × BLINDkA(VA, RA), kA, A)
γ(rCTA(SIGNskT(BLINDkA(VA, RA))), sCTA(SIGNskT(BLINDkA(VA, RA)))) ≜ cCTA(SIGNskT(BLINDkA(VA, RA)))
γ(rCAT(ENCpkT(SIGNskT(vA, RA))), sCAT(ENCpkT(SIGNskT(vA, RA)))) ≜ cCAT(ENCpkT(SIGNskT(vA, RA)))
γ(rCBT(10 × BLINDkB(VB, RB), kB, B), sCBT(10 × BLINDkB(VB, RB), kB, B)) ≜ cCBT(10 × BLINDkB(VB, RB), kB, B)
γ(rCTB(SIGNskT(BLINDkB(VB, RB))), sCTB(SIGNskT(BLINDkB(VB, RB)))) ≜ cCTB(SIGNskT(BLINDkB(VB, RB)))
γ(rCBT(ENCpkT(SIGNskT(vB, RB))), sCBT(ENCpkT(SIGNskT(vB, RB)))) ≜ cCBT(ENCpkT(SIGNskT(vB, RB)))
γ(rCCT(10 × BLINDkC(VC, RC), kC, C), sCCT(10 × BLINDkC(VC, RC), kC, C)) ≜ cCCT(10 × BLINDkC(VC, RC), kC, C)
γ(rCTC(SIGNskT(BLINDkC(VC, RC))), sCTC(SIGNskT(BLINDkC(VC, RC)))) ≜ cCTC(SIGNskT(BLINDkC(VC, RC)))
γ(rCCT(ENCpkT(SIGNskT(vC, RC))), sCCT(ENCpkT(SIGNskT(vC, RC)))) ≜ cCCT(ENCpkT(SIGNskT(vC, RC)))
γ(rCDT(10 × BLINDkD(VD, RD), kD, D), sCDT(10 × BLINDkD(VD, RD), kD, D)) ≜ cCDT(10 × BLINDkD(VD, RD), kD, D)
γ(rCTD(SIGNskT(BLINDkD(VD, RD))), sCTD(SIGNskT(BLINDkD(VD, RD)))) ≜ cCTD(SIGNskT(BLINDkD(VD, RD)))
γ(rCDT(ENCpkT(SIGNskT(vD, RD))), sCDT(ENCpkT(SIGNskT(vD, RD)))) ≜ cCDT(ENCpkT(SIGNskT(vD, RD)))

Let all modules be in parallel, then the protocol A B C D T can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ C ≬ D ≬ T))) = τI(∂H(A ≬ B ≬ C ≬ D ≬ T))

where H = {rCAT(10 × BLINDkA(VA, RA), kA, A), sCAT(10 × BLINDkA(VA, RA), kA, A),
rCTA(SIGNskT(BLINDkA(VA, RA))), sCTA(SIGNskT(BLINDkA(VA, RA))),
rCAT(ENCpkT(SIGNskT(vA, RA))), sCAT(ENCpkT(SIGNskT(vA, RA))),
rCBT(10 × BLINDkB(VB, RB), kB, B), sCBT(10 × BLINDkB(VB, RB), kB, B),
rCTB(SIGNskT(BLINDkB(VB, RB))), sCTB(SIGNskT(BLINDkB(VB, RB))),
rCBT(ENCpkT(SIGNskT(vB, RB))), sCBT(ENCpkT(SIGNskT(vB, RB))),
rCCT(10 × BLINDkC(VC, RC), kC, C), sCCT(10 × BLINDkC(VC, RC), kC, C),
rCTC(SIGNskT(BLINDkC(VC, RC))), sCTC(SIGNskT(BLINDkC(VC, RC))),
rCCT(ENCpkT(SIGNskT(vC, RC))), sCCT(ENCpkT(SIGNskT(vC, RC))),
rCDT(10 × BLINDkD(VD, RD), kD, D), sCDT(10 × BLINDkD(VD, RD), kD, D),
rCTD(SIGNskT(BLINDkD(VD, RD))), sCTD(SIGNskT(BLINDkD(VD, RD))),
rCDT(ENCpkT(SIGNskT(vD, RD))), sCDT(ENCpkT(SIGNskT(vD, RD))) ∣ DA, DB, DC, DD ∈ ∆},

I = {cCAT(10 × BLINDkA(VA, RA), kA, A), cCTA(SIGNskT(BLINDkA(VA, RA))), cCAT(ENCpkT(SIGNskT(vA, RA))),
cCBT(10 × BLINDkB(VB, RB), kB, B), cCTB(SIGNskT(BLINDkB(VB, RB))), cCBT(ENCpkT(SIGNskT(vB, RB))),
cCCT(10 × BLINDkC(VC, RC), kC, C), cCTC(SIGNskT(BLINDkC(VC, RC))), cCCT(ENCpkT(SIGNskT(vC, RC))),
cCDT(10 × BLINDkD(VD, RD), kD, D), cCTD(SIGNskT(BLINDkD(VD, RD))), cCDT(ENCpkT(SIGNskT(vD, RD))),
blindkA(VA, RA), blindkB(VB, RB), blindkC(VC, RC), blindkD(VD, RD),
unblindkA(SIGNskT(BLINDkA(VA, RA))), unblindkB(SIGNskT(BLINDkB(VB, RB))), unblindkC(SIGNskT(BLINDkC(VC, RC))), unblindkD(SIGNskT(BLINDkD(VD, RD))),
encpkT(SIGNskT(vA, RA)), encpkT(SIGNskT(vB, RB)), encpkT(SIGNskT(vC, RC)), encpkT(SIGNskT(vD, RD)),
check(A), check(B), check(C), check(D),
9 × unblindkA(BLINDkA(VA, RA)), 9 × unblindkB(BLINDkB(VB, RB)), 9 × unblindkC(BLINDkC(VC, RC)), 9 × unblindkD(BLINDkD(VD, RD)),
signskT(BLINDkA(VA, RA)), signskT(BLINDkB(VB, RB)), signskT(BLINDkC(VC, RC)), signskT(BLINDkD(VD, RD)),
decskT(ENCpkT(SIGNskT(vA, RA))), decskT(ENCpkT(SIGNskT(vB, RB))), decskT(ENCpkT(SIGNskT(vC, RC))), decskT(ENCpkT(SIGNskT(vD, RD))),
de-signpkT(SIGNskT(vA, RA)), de-signpkT(SIGNskT(vB, RB)), de-signpkT(SIGNskT(vC, RC)), de-signpkT(SIGNskT(vD, RD)),
{isFresh(RA) = TRUE}, tab(vA), {isFresh(RA) = FALSE}, tab(0),
{isFresh(RB) = TRUE}, tab(vB), {isFresh(RB) = FALSE},
{isFresh(RC) = TRUE}, tab(vC), {isFresh(RC) = FALSE},
{isFresh(RD) = TRUE}, tab(vD), {isFresh(RD) = FALSE} ∣ DA, DB, DC, DD ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 10.3. The secure elections protocol 3 in Figure 33 is an improvement on the secure elections protocol 2.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws of APTCG, we can prove that

τI(∂H(A ≬ B ≬ C ≬ D ≬ T)) = ∑DA,DB,DC,DD∈∆ (rCAI(DA) ∥ rCBI(DB) ∥ rCCI(DC) ∥ rCDI(DD) ⋅ sCTO(TAB)) ⋅ τI(∂H(A ≬ B ≬ C ≬ D ≬ T)).

For the details of the proof, please refer to section 2.9; we omit them here.

That is, the protocol in Figure 33, τI(∂H(A ≬ B ≬ C ≬ D ≬ T)), can exhibit desired external behaviors, and is secure. But, for the properties of secure elections protocols:

1. Legitimacy: only authorized voters can vote;

2. Oneness: no one can vote more than once;

3. Privacy: no one can determine for whom anyone else voted;

4. Non-replicability: no one can duplicate anyone else’s vote;

5. Non-changeability: no one can change anyone else’s vote;

6. Validness: every voter can make sure that his vote has been taken into account in the final

tabulation, if CTF is trustworthy.

But, CTF still can make valid signatures to cheat.

10.4 Secure Elections Protocol 4

The secure elections protocol 4 is shown in Figure 34; it is an improved version of the secure elections protocol 3 in section 10.3. In this protocol, there are a CLA (Central Legitimization Agency) to check the identity of voters and a CTF (Central Tabulating Facility) to collect the votes, and four voters: Alice, Bob, Carol and Dave.

Figure 34: Secure elections protocol 4

The process of the protocol is as follows.

1. Alice receives some voting request DA from the outside through the channel CAI (the corresponding reading action is denoted rCAI(DA)), she generates a request rA, encrypts it with CLA’s public key through an action encpkL(rA), and sends it to CLA through the channel CAL (the corresponding sending action is denoted sCAL(ENCpkL(rA)));

2. Bob receives some voting request DB from the outside through the channel CBI (the corresponding reading action is denoted rCBI(DB)), he generates a request rB, encrypts it with CLA’s public key through an action encpkL(rB), and sends it to CLA through the channel CBL (the corresponding sending action is denoted sCBL(ENCpkL(rB)));

3. Carol receives some voting request DC from the outside through the channel CCI (the corresponding reading action is denoted rCCI(DC)), she generates a request rC, encrypts it with CLA’s public key through an action encpkL(rC), and sends it to CLA through the channel CCL (the corresponding sending action is denoted sCCL(ENCpkL(rC)));

4. Dave receives some voting request DD from the outside through the channel CDI (the corresponding reading action is denoted rCDI(DD)), he generates a request rD, encrypts it with CLA’s public key through an action encpkL(rD), and sends it to CLA through the channel CDL (the corresponding sending action is denoted sCDL(ENCpkL(rD)));

5. CLA receives the requests from Alice, Bob, Carol and Dave through the channels CAL, CBL, CCL and CDL (the corresponding reading actions are denoted sCAL(ENCpkL(rA)), sCBL(ENCpkL(rB)), sCCL(ENCpkL(rC)), and sCDL(ENCpkL(rD)) respectively), he decrypts these encrypted requests through the actions decskL(ENCpkL(rA)), decskL(ENCpkL(rB)), decskL(ENCpkL(rC)), and decskL(ENCpkL(rD)) to get rA, rB, rC and rD, records the names of Alice, Bob, Carol and Dave through actions rec(A), rec(B), rec(C) and rec(D); both CLA and CTF maintain a table of valid numbers, and the table of CTF is obtained from that of CLA; then CLA randomly selects numbers RA, RB, RC and RD, encrypts them through actions encpkA(RA), encpkB(RB), encpkC(RC) and encpkD(RD) and sends them to Alice, Bob, Carol and Dave through the channels CLA, CLB, CLC and CLD respectively (the corresponding sending actions are denoted sCLA(ENCpkA(RA)), sCLB(ENCpkB(RB)), sCLC(ENCpkC(RC)), and sCLD(ENCpkD(RD)));

6. Alice receives the encrypted number from CLA through the channel CLA (the corresponding reading action is denoted rCLA(ENCpkA(RA))), she decrypts the encrypted number through an action decskA(ENCpkA(RA)) to get RA, generates a random identity number IA through an action rsgIA and her vote vA, encrypts IA, RA, vA with CTF’s public key through an action encpkT(IA, RA, vA) and sends the encrypted message to CTF through the channel CAT (the corresponding sending action is denoted sCAT(ENCpkT(IA, RA, vA)));

7. Bob receives the encrypted number from CLA through the channel CLB (the corresponding reading action is denoted rCLB(ENCpkB(RB))), he decrypts the encrypted number through an action decskB(ENCpkB(RB)) to get RB, generates a random identity number IB through an action rsgIB and his vote vB, encrypts IB, RB, vB with CTF’s public key through an action encpkT(IB, RB, vB) and sends the encrypted message to CTF through the channel CBT (the corresponding sending action is denoted sCBT(ENCpkT(IB, RB, vB)));

8. Carol receives the encrypted number from CLA through the channel CLC (the corresponding reading action is denoted rCLC(ENCpkC(RC))), she decrypts the encrypted number through an action decskC(ENCpkC(RC)) to get RC, generates a random identity number IC through an action rsgIC and her vote vC, encrypts IC, RC, vC with CTF’s public key through an action encpkT(IC, RC, vC) and sends the encrypted message to CTF through the channel CCT (the corresponding sending action is denoted sCCT(ENCpkT(IC, RC, vC)));

9. Dave receives the encrypted number from CLA through the channel CLD (the corresponding reading action is denoted rCLD(ENCpkD(RD))), he decrypts the encrypted number through an action decskD(ENCpkD(RD)) to get RD, generates a random identity number ID through an action rsgID and his vote vD, encrypts ID, RD, vD with CTF’s public key through an action encpkT(ID, RD, vD) and sends the encrypted message to CTF through the channel CDT (the corresponding sending action is denoted sCDT(ENCpkT(ID, RD, vD)));

10. CTF receives the encrypted messages from Alice, Bob, Carol and Dave through the channels CAT, CBT, CCT and CDT (the corresponding reading actions are denoted rCAT(ENCpkT(IA, RA, vA)), rCBT(ENCpkT(IB, RB, vB)), rCCT(ENCpkT(IC, RC, vC)), and rCDT(ENCpkT(ID, RD, vD)) respectively), he decrypts these encrypted messages through actions decskT(ENCpkT(IA, RA, vA)), decskT(ENCpkT(IB, RB, vB)), decskT(ENCpkT(IC, RC, vC)), and decskT(ENCpkT(ID, RD, vD)). If isExisted(RA) = TRUE, he removes RA from its table through an action remove(RA), records the vote vA and the pair of IA and vA into the voting results TAB through an action rec(IA, vA), else he does nothing; if isExisted(RB) = TRUE, he removes RB from its table through an action remove(RB), records the vote vB and the pair of IB and vB into the voting results TAB through an action rec(IB, vB), else he does nothing; if isExisted(RC) = TRUE, he removes RC from its table through an action remove(RC), records the vote vC and the pair of IC and vC into the voting results TAB through an action rec(IC, vC), else he does nothing; if isExisted(RD) = TRUE, he removes RD from its table through an action remove(RD), records the vote vD and the pair of ID and vD into the voting results TAB through an action rec(ID, vD), else he does nothing. Finally, he sends the voting results TAB to the outside through the channel CTO (the corresponding sending action is denoted sCTO(TAB)).

Where DA,DB,DC ,DD ∈ ∆, ∆ is the set of data.
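
The bookkeeping behind steps 5 and 10 (rec(X) at the CLA, then isExisted(R), remove(R) and rec(I, v) at the CTF) is sketched below as an added example; it is not code from the paper. The encryption steps are abstracted away, the class and method names are assumptions, and `audit` is an extra consistency check that presumes an auditor can compare the CLA's recorded names with the size of the table handed to the CTF.

```python
import random
from collections import Counter


class CLA:
    def __init__(self, roll, rng):
        self.roll, self.rng = set(roll), rng
        self.issued = {}                      # rec(X): voter name -> validation number R

    def request(self, name):
        """Hand out one validation number per authorised voter."""
        if name not in self.roll or name in self.issued:
            return None
        r = self.rng.getrandbits(64)
        while r in self.issued.values():      # numbers must be distinct
            r = self.rng.getrandbits(64)
        self.issued[name] = r
        return r

    def table_for_ctf(self):
        return set(self.issued.values())      # numbers only, no names


class CTF:
    def __init__(self, valid_numbers):
        self.table = set(valid_numbers)
        self.initial_size = len(self.table)
        self.tab = []                         # published TAB: list of (I, v)

    def submit(self, ident, r, vote):
        if r not in self.table:               # {isExisted(R) = FALSE}: do nothing
            return False
        self.table.remove(r)                  # remove(R)
        self.tab.append((ident, vote))        # rec(I, v)
        return True

    def tally(self):
        return Counter(v for _, v in self.tab)


def audit(cla, ctf):
    """Added check: valid numbers in circulation must match the names the CLA recorded."""
    return ctf.initial_size == len(cla.issued) and len(ctf.tab) <= len(cla.issued)


def run_election(seed=4):
    """One election with constructed voters and votes."""
    rng = random.Random(seed)
    names = ["Alice", "Bob", "Carol", "Dave"]
    cla = CLA(names, rng)
    numbers = {n: cla.request(n) for n in names}
    ctf = CTF(cla.table_for_ctf())
    idents = {n: rng.getrandbits(64) for n in names}    # rsg_I: random identity number
    votes = {"Alice": "yes", "Bob": "no", "Carol": "yes", "Dave": "yes"}
    for n in names:
        ctf.submit(idents[n], numbers[n], votes[n])
    return cla, ctf, numbers, idents
```

Each voter can find the pair (I, v) in the published TAB, a reused or unknown R changes nothing, and the audit fails as soon as the CTF's table holds more numbers than the CLA has recorded names.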

Alice’s state transitions described by APTCG are as follows.

A = ∑DA∈∆ rCAI(DA) ⋅ A2
A2 = encpkL(rA) ⋅ A3
A3 = sCAL(ENCpkL(rA)) ⋅ A4
A4 = rCLA(ENCpkA(RA)) ⋅ A5
A5 = decskA(ENCpkA(RA)) ⋅ A6
A6 = rsgIA ⋅ A7
A7 = encpkT(IA, RA, vA) ⋅ A8
A8 = sCAT(ENCpkT(IA, RA, vA)) ⋅ A

Bob’s state transitions described by APTCG are as follows.

B = ∑DB∈∆ rCBI(DB) ⋅ B2
B2 = encpkL(rB) ⋅ B3
B3 = sCBL(ENCpkL(rB)) ⋅ B4
B4 = rCLB(ENCpkB(RB)) ⋅ B5
B5 = decskB(ENCpkB(RB)) ⋅ B6
B6 = rsgIB ⋅ B7
B7 = encpkT(IB, RB, vB) ⋅ B8
B8 = sCBT(ENCpkT(IB, RB, vB)) ⋅ B

Carol’s state transitions described by APTCG are as follows.

C = ∑DC∈∆ rCCI(DC) ⋅ C2
C2 = encpkL(rC) ⋅ C3
C3 = sCCL(ENCpkL(rC)) ⋅ C4
C4 = rCLC(ENCpkC(RC)) ⋅ C5
C5 = decskC(ENCpkC(RC)) ⋅ C6
C6 = rsgIC ⋅ C7
C7 = encpkT(IC, RC, vC) ⋅ C8
C8 = sCCT(ENCpkT(IC, RC, vC)) ⋅ C

Dave’s state transitions described by APTCG are as follows.

D = ∑DD∈∆ rCDI(DD) ⋅ D2
D2 = encpkL(rD) ⋅ D3
D3 = sCDL(ENCpkL(rD)) ⋅ D4
D4 = rCLD(ENCpkD(RD)) ⋅ D5
D5 = decskD(ENCpkD(RD)) ⋅ D6
D6 = rsgID ⋅ D7
D7 = encpkT(ID, RD, vD) ⋅ D8
D8 = sCDT(ENCpkT(ID, RD, vD)) ⋅ D

CLA’s state transitions described by APTCG are as follows.

L = sCAL(ENCpkL(rA)) ∥ sCBL(ENCpkL(rB)) ∥ sCCL(ENCpkL(rC)) ∥ sCDL(ENCpkL(rD)) ⋅ L2
L2 = decskL(ENCpkL(rA)) ∥ decskL(ENCpkL(rB)) ∥ decskL(ENCpkL(rC)) ∥ decskL(ENCpkL(rD)) ⋅ L3
L3 = rec(A) ∥ rec(B) ∥ rec(C) ∥ rec(D) ⋅ L4
L4 = encpkA(RA) ∥ encpkB(RB) ∥ encpkC(RC) ∥ encpkD(RD) ⋅ L5
L5 = sCLA(ENCpkA(RA)) ∥ sCLB(ENCpkB(RB)) ∥ sCLC(ENCpkC(RC)) ∥ sCLD(ENCpkD(RD)) ⋅ L

CTF’s state transitions described by APTCG are as follows.

T = rCAT(ENCpkT(IA, RA, vA)) ∥ rCBT(ENCpkT(IB, RB, vB)) ∥ rCCT(ENCpkT(IC, RC, vC)) ∥ rCDT(ENCpkT(ID, RD, vD)) ⋅ T2
T2 = decskT(ENCpkT(IA, RA, vA)) ∥ decskT(ENCpkT(IB, RB, vB)) ∥ decskT(ENCpkT(IC, RC, vC)) ∥ decskT(ENCpkT(ID, RD, vD)) ⋅ T3
T3 = (({isExisted(RA) = TRUE} ⋅ remove(RA) ⋅ rec(IA, vA) + {isExisted(RA) = FALSE}) ∥ ({isExisted(RB) = TRUE} ⋅ remove(RB) ⋅ rec(IB, vB) + {isExisted(RB) = FALSE}) ∥ ({isExisted(RC) = TRUE} ⋅ remove(RC) ⋅ rec(IC, vC) + {isExisted(RC) = FALSE}) ∥ ({isExisted(RD) = TRUE} ⋅ remove(RD) ⋅ rec(ID, vD) + {isExisted(RD) = FALSE})) ⋅ T4
T4 = sCTO(TAB) ⋅ T

The sending action and the reading action of the same type data through the same channel can communicate with each other, otherwise, will cause a deadlock δ. We define the following communication functions.

γ(rCAL(ENCpkL(rA)), sCAL(ENCpkL(rA))) ≜ cCAL(ENCpkL(rA))
γ(rCLA(ENCpkA(RA)), sCLA(ENCpkA(RA))) ≜ cCLA(ENCpkA(RA))
γ(rCAT(ENCpkT(IA, RA, vA)), sCAT(ENCpkT(IA, RA, vA))) ≜ cCAT(ENCpkT(IA, RA, vA))
γ(rCBL(ENCpkL(rB)), sCBL(ENCpkL(rB))) ≜ cCBL(ENCpkL(rB))
γ(rCLB(ENCpkB(RB)), sCLB(ENCpkB(RB))) ≜ cCLB(ENCpkB(RB))
γ(rCBT(ENCpkT(IB, RB, vB)), sCBT(ENCpkT(IB, RB, vB))) ≜ cCBT(ENCpkT(IB, RB, vB))
γ(rCCL(ENCpkL(rC)), sCCL(ENCpkL(rC))) ≜ cCCL(ENCpkL(rC))
γ(rCLC(ENCpkC(RC)), sCLC(ENCpkC(RC))) ≜ cCLC(ENCpkC(RC))
γ(rCCT(ENCpkT(IC, RC, vC)), sCCT(ENCpkT(IC, RC, vC))) ≜ cCCT(ENCpkT(IC, RC, vC))
γ(rCDL(ENCpkL(rD)), sCDL(ENCpkL(rD))) ≜ cCDL(ENCpkL(rD))
γ(rCLD(ENCpkD(RD)), sCLD(ENCpkD(RD))) ≜ cCLD(ENCpkD(RD))
γ(rCDT(ENCpkT(ID, RD, vD)), sCDT(ENCpkT(ID, RD, vD))) ≜ cCDT(ENCpkT(ID, RD, vD))

Let all modules be in parallel, then the protocol A B C D L T can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ C ≬ D ≬ L ≬ T))) = τI(∂H(A ≬ B ≬ C ≬ D ≬ L ≬ T))

where H = {rCAL(ENCpkL(rA)), sCAL(ENCpkL(rA)), rCLA(ENCpkA(RA)), sCLA(ENCpkA(RA)),
rCAT(ENCpkT(IA, RA, vA)), sCAT(ENCpkT(IA, RA, vA)),
rCBL(ENCpkL(rB)), sCBL(ENCpkL(rB)), rCLB(ENCpkB(RB)), sCLB(ENCpkB(RB)),
rCBT(ENCpkT(IB, RB, vB)), sCBT(ENCpkT(IB, RB, vB)),
rCCL(ENCpkL(rC)), sCCL(ENCpkL(rC)), rCLC(ENCpkC(RC)), sCLC(ENCpkC(RC)),
rCCT(ENCpkT(IC, RC, vC)), sCCT(ENCpkT(IC, RC, vC)),
rCDL(ENCpkL(rD)), sCDL(ENCpkL(rD)), rCLD(ENCpkD(RD)), sCLD(ENCpkD(RD)),
rCDT(ENCpkT(ID, RD, vD)), sCDT(ENCpkT(ID, RD, vD)) ∣ DA, DB, DC, DD ∈ ∆},

I = {cCAL(ENCpkL(rA)), cCLA(ENCpkA(RA)), cCAT(ENCpkT(IA, RA, vA)),
cCBL(ENCpkL(rB)), cCLB(ENCpkB(RB)), cCBT(ENCpkT(IB, RB, vB)),
cCCL(ENCpkL(rC)), cCLC(ENCpkC(RC)), cCCT(ENCpkT(IC, RC, vC)),
cCDL(ENCpkL(rD)), cCLD(ENCpkD(RD)), cCDT(ENCpkT(ID, RD, vD)),
encpkL(rA), encpkL(rB), encpkL(rC), encpkL(rD),
decskA(ENCpkA(RA)), decskB(ENCpkB(RB)), decskC(ENCpkC(RC)), decskD(ENCpkD(RD)),
rsgIA, rsgIB, rsgIC, rsgID,
encpkT(IA, RA, vA), encpkT(IB, RB, vB), encpkT(IC, RC, vC), encpkT(ID, RD, vD),
decskL(ENCpkL(rA)), decskL(ENCpkL(rB)), decskL(ENCpkL(rC)), decskL(ENCpkL(rD)),
rec(A), rec(B), rec(C), rec(D),
encpkA(RA), encpkB(RB), encpkC(RC), encpkD(RD),
decskT(ENCpkT(IA, RA, vA)), decskT(ENCpkT(IB, RB, vB)), decskT(ENCpkT(IC, RC, vC)), decskT(ENCpkT(ID, RD, vD)),
{isExisted(RA) = TRUE}, remove(RA), rec(IA, vA), {isExisted(RA) = FALSE},
{isExisted(RB) = TRUE}, remove(RB), rec(IB, vB), {isExisted(RB) = FALSE},
{isExisted(RC) = TRUE}, remove(RC), rec(IC, vC), {isExisted(RC) = FALSE},
{isExisted(RD) = TRUE}, remove(RD), rec(ID, vD), {isExisted(RD) = FALSE} ∣ DA, DB, DC, DD ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 10.4. The secure elections protocol 4 in Figure 34 is improved based on the secure

elections protocol 3.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws

of APTCG, we can prove that

τI(∂H(A ≬ B ≬ C ≬ D ≬ L ≬ T)) = ∑DA,DB,DC,DD∈∆ (rCAI(DA) ∥ rCBI(DB) ∥ rCCI(DC) ∥ rCDI(DD) ⋅ sCTO(TAB)) ⋅ τI(∂H(A ≬ B ≬ C ≬ D ≬ L ≬ T)).

For the details of the proof, please refer to Section 2.9; we omit them here.

That is, the protocol in Figure 34, τI(∂H(A ≬ B ≬ C ≬ D ≬ L ≬ T)), can exhibit the desired external behaviors and is secure. For the properties of secure elections protocols:

1. Legitimacy: only authorized voters can vote;

2. Oneness: no one can vote more than once;

3. Privacy: no one can determine for whom anyone else voted;

4. Non-replicability: no one can duplicate anyone else’s vote;

5. Non-changeability: no one can change anyone else’s vote;

6. Validness: every voter can make sure that his vote has been taken into account in the final

tabulation, if CLA and CTF are trustworthy.

However, CLA and CTF can still conspire to distribute valid numbers to illegal voters.

10.5 Secure Elections Protocol 5

The secure elections protocol 5 is shown in Figure 35; it improves on the secure elections protocol 4 in Section 10.4. In this protocol, there is a CTF (Central Tabulating Facility), which checks the identity of voters and collects the votes, and there are four voters: Alice, Bob, Carol and Dave.

The process of the protocol is as follows.

1. Alice receives some voting request DA from the outside through the channel CAI (the

corresponding reading action is denoted rCAI (DA)), she generates a request rA, encrypts

it by CTF’s public key through an action encpkT (rA), and sends it to CTF through the

channel CAT (the corresponding sending action is denoted sCAT (ENCpkT (rA)));

2. Bob receives some voting request DB from the outside through the channel CBI (the

corresponding reading action is denoted rCBI (DB)), he generates a request rB, encrypts

it by CTF’s public key through an action encpkT (rB), and sends it to CTF through the

channel CBT (the corresponding sending action is denoted sCBT (ENCpkT (rB)));

Figure 35: Secure elections protocol 5 (diagram with the nodes Alice, Bob, Carol, Dave and CTF, and the channel labels CAI, CAO, CBI, CBO, CCI, CCO, CDI, CDO, CTI, CTO)

3. Carol receives some voting request DC from the outside through the channel CCI (the

corresponding reading action is denoted rCCI (DC)), he generates a request rC , encrypts

it by CTF’s public key through an action encpkT (rC), and sends it to CTF through the

channel CCT (the corresponding sending action is denoted sCCT (ENCpkT (rC)));

4. Dave receives some voting request DD from the outside through the channel CDI (the

corresponding reading action is denoted rCDI (DD)), he generates a request rD, encrypts

it by CTF’s public key through an action encpkT (rD), and sends it to CTF through the

channel CDT (the corresponding sending action is denoted sCDT (ENCpkT (rD)));

5. CTF receives the requests from Alice, Bob, Carol and Dave through the channels CAT, CBT, CCT and CDT (the corresponding reading actions are denoted sCAT(ENCpkT(rA)), sCBT(ENCpkT(rB)), sCCT(ENCpkT(rC)), and sCDT(ENCpkT(rD)) respectively), he decrypts these encrypted requests through the actions decskT(ENCpkT(rA)), decskT(ENCpkT(rB)), decskT(ENCpkT(rC)), and decskT(ENCpkT(rD)) to get rA, rB, rC and rD, and records the names of Alice, Bob, Carol and Dave through actions rec(A), rec(B), rec(C) and rec(D); CTF maintains a table of valid numbers; then CTF encrypts all numbers R through actions encpkA(R), encpkB(R), encpkC(R) and encpkD(R) and sends them to Alice, Bob, Carol and Dave through the channels CTA, CTB, CTC and CTD respectively (the corresponding sending actions are denoted sCTA(ENCpkA(R)), sCTB(ENCpkB(R)), sCTC(ENCpkC(R)), and sCTD(ENCpkD(R)));

6. Alice receives the encrypted number from CTF through the channel CTA (the corresponding reading action is denoted rCTA(ENCpkA(R))), she decrypts the encrypted number through an action decskA(ENCpkA(R)) to randomly select one RA, generates a random identity number IA through an action rsgIA and her vote vA, encrypts IA, RA, vA with CTF’s public key through an action encpkT(IA, RA, vA) and sends the encrypted message to CTF through the channel CAT (the corresponding sending action is denoted sCAT(ENCpkT(IA, RA, vA)));

7. Bob receives the encrypted number from CTF through the channel CTB (the corresponding reading action is denoted rCTB(ENCpkB(R))), he decrypts the encrypted number through an action decskB(ENCpkB(R)) to randomly select one RB, generates a random identity number IB through an action rsgIB and his vote vB, encrypts IB, RB, vB with CTF’s public key through an action encpkT(IB, RB, vB) and sends the encrypted message to CTF through the channel CBT (the corresponding sending action is denoted sCBT(ENCpkT(IB, RB, vB)));

8. Carol receives the encrypted number from CTF through the channel CTC (the corresponding reading action is denoted rCTC(ENCpkC(R))), he decrypts the encrypted number through an action decskC(ENCpkC(R)) to randomly select one RC, generates a random identity number IC through an action rsgIC and his vote vC, encrypts IC, RC, vC with CTF’s public key through an action encpkT(IC, RC, vC) and sends the encrypted message to CTF through the channel CCT (the corresponding sending action is denoted sCCT(ENCpkT(IC, RC, vC)));

9. Dave receives the encrypted number from CTF through the channel CTD (the corresponding reading action is denoted rCTD(ENCpkD(R))), he decrypts the encrypted number through an action decskD(ENCpkD(R)) to randomly select one RD, generates a random identity number ID through an action rsgID and his vote vD, encrypts ID, RD, vD with CTF’s public key through an action encpkT(ID, RD, vD) and sends the encrypted message to CTF through the channel CDT (the corresponding sending action is denoted sCDT(ENCpkT(ID, RD, vD)));

10. CTF receives the encrypted messages from Alice, Bob, Carol and Dave through the channels CAT, CBT, CCT and CDT (the corresponding reading actions are denoted rCAT(ENCpkT(IA, RA, vA)), rCBT(ENCpkT(IB, RB, vB)), rCCT(ENCpkT(IC, RC, vC)), and rCDT(ENCpkT(ID, RD, vD)) respectively), he decrypts these encrypted messages through actions decskT(ENCpkT(IA, RA, vA)), decskT(ENCpkT(IB, RB, vB)), decskT(ENCpkT(IC, RC, vC)), and decskT(ENCpkT(ID, RD, vD)). If isExisted(RA) = TRUE, he removes RA from its table through an action remove(RA), records the vote vA and the pair of IA and vA into the voting results TAB through an action rec(IA, vA), else he does nothing; if isExisted(RB) = TRUE, he removes RB from its table through an action remove(RB), records the vote vB and the pair of IB and vB into the voting results TAB through an action rec(IB, vB), else he does nothing; if isExisted(RC) = TRUE, he removes RC from its table through an action remove(RC), records the vote vC and the pair of IC and vC into the voting results TAB through an action rec(IC, vC), else he does nothing; if isExisted(RD) = TRUE, he removes RD from its table through an action remove(RD), records the vote vD and the pair of ID and vD into the voting results TAB through an action rec(ID, vD), else he does nothing. Finally, he sends the voting results TAB to the outside through the channel CTO (the corresponding sending action is denoted sCTO(TAB)).

Here DA, DB, DC, DD ∈ ∆, and ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑DA∈∆ rCAI (DA) ⋅A2

A2 = encpkT (rA) ⋅A3

A3 = sCAT (ENCpkT (rA)) ⋅A4

A4 = rCTA(ENCpkA(R)) ⋅A5

A5 = decskA(ENCpkA(R)) ⋅A6

A6 = rsgIA ⋅A7

A7 = encpkT (IA,RA, vA) ⋅A8

A8 = sCAT (ENCpkT (IA,RA, vA)) ⋅A

Bob’s state transitions described by APTCG are as follows.

B = ∑DB∈∆ rCBI (DB) ⋅B2

B2 = encpkT (rB) ⋅B3

B3 = sCBT (ENCpkT (rB)) ⋅B4

B4 = rCTB(ENCpkB(R)) ⋅B5

B5 = decskB(ENCpkB(R)) ⋅B6

B6 = rsgIB ⋅B7

B7 = encpkT (IB,RB, vB) ⋅B8

B8 = sCBT (ENCpkT (IB,RB, vB)) ⋅B

Carol’s state transitions described by APTCG are as follows.

C = ∑DC∈∆ rCCI (DC) ⋅C2

C2 = encpkT (rC) ⋅C3

C3 = sCCT (ENCpkT (rC)) ⋅C4

C4 = rCTC(ENCpkC(R)) ⋅C5

C5 = decskC(ENCpkC(R)) ⋅C6

C6 = rsgIC ⋅C7

C7 = encpkT (IC ,RC , vC) ⋅C8

C8 = sCCT (ENCpkT (IC ,RC , vC)) ⋅C

Dave’s state transitions described by APTCG are as follows.

D = ∑DD∈∆ rCDI (DD) ⋅D2

D2 = encpkT (rD) ⋅D3

D3 = sCDT (ENCpkT (rD)) ⋅D4

D4 = rCTD(ENCpkD(R)) ⋅D5

D5 = decskD(ENCpkD(R)) ⋅D6

D6 = rsgID ⋅D7

D7 = encpkT (ID,RD, vD) ⋅D8

D8 = sCDT (ENCpkT (ID,RD, vD)) ⋅D

CTF’s state transitions described by APTCG are as follows.

T = sCAT (ENCpkT (rA)) ∥ sCBT (ENCpkT (rB)) ∥ sCCT (ENCpkT (rC)) ∥ sCDT (ENCpkT (rD)) ⋅ T2

T2 = decskT (ENCpkT (rA)) ∥ decskT (ENCpkT (rB)) ∥ decskT (ENCpkT (rC)) ∥ decskT (ENCpkT (rD)) ⋅ T3

T3 = rec(A) ∥ rec(B) ∥ rec(C) ∥ rec(D) ⋅ T4

T4 = encpkA(R) ∥ encpkB(R) ∥ encpkC(R) ∥ encpkD(R) ⋅ T5

T5 = sCTA(ENCpkA(R)) ∥ sCTB(ENCpkB(R)) ∥ sCTC(ENCpkC(R)) ∥ sCTD(ENCpkD(R)) ⋅ T6

T6 = rCAT (ENCpkT (IA,RA, vA)) ∥ rCBT (ENCpkT (IB,RB, vB)) ∥ rCCT (ENCpkT (IC ,RC , vC)) ∥ rCDT (ENCpkT (ID,RD, vD)) ⋅ T7

T7 = decskT (ENCpkT (IA,RA, vA)) ∥ decskT (ENCpkT (IB,RB, vB)) ∥ decskT (ENCpkT (IC ,RC , vC)) ∥ decskT (ENCpkT (ID,RD, vD)) ⋅ T8

T8 = (({isExisted(RA) = TRUE} ⋅ remove(RA) ⋅ rec(IA, vA) + {isExisted(RA) = FALSE})
∥ ({isExisted(RB) = TRUE} ⋅ remove(RB) ⋅ rec(IB, vB) + {isExisted(RB) = FALSE})
∥ ({isExisted(RC) = TRUE} ⋅ remove(RC) ⋅ rec(IC , vC) + {isExisted(RC) = FALSE})
∥ ({isExisted(RD) = TRUE} ⋅ remove(RD) ⋅ rec(ID, vD) + {isExisted(RD) = FALSE})) ⋅ T9

T9 = sCTO(TAB) ⋅ T

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ will be caused. We define the following communication functions.

γ(rCAT(ENCpkT(rA)), sCAT(ENCpkT(rA))) ≜ cCAT(ENCpkT(rA))
γ(rCTA(ENCpkA(R)), sCTA(ENCpkA(R))) ≜ cCTA(ENCpkA(R))
γ(rCAT(ENCpkT(IA, RA, vA)), sCAT(ENCpkT(IA, RA, vA))) ≜ cCAT(ENCpkT(IA, RA, vA))
γ(rCBT(ENCpkT(rB)), sCBT(ENCpkT(rB))) ≜ cCBT(ENCpkT(rB))
γ(rCTB(ENCpkB(R)), sCTB(ENCpkB(R))) ≜ cCTB(ENCpkB(R))
γ(rCBT(ENCpkT(IB, RB, vB)), sCBT(ENCpkT(IB, RB, vB))) ≜ cCBT(ENCpkT(IB, RB, vB))
γ(rCCT(ENCpkT(rC)), sCCT(ENCpkT(rC))) ≜ cCCT(ENCpkT(rC))
γ(rCTC(ENCpkC(R)), sCTC(ENCpkC(R))) ≜ cCTC(ENCpkC(R))
γ(rCCT(ENCpkT(IC, RC, vC)), sCCT(ENCpkT(IC, RC, vC))) ≜ cCCT(ENCpkT(IC, RC, vC))
γ(rCDT(ENCpkT(rD)), sCDT(ENCpkT(rD))) ≜ cCDT(ENCpkT(rD))
γ(rCTD(ENCpkD(R)), sCTD(ENCpkD(R))) ≜ cCTD(ENCpkD(R))
γ(rCDT(ENCpkT(ID, RD, vD)), sCDT(ENCpkT(ID, RD, vD))) ≜ cCDT(ENCpkT(ID, RD, vD))

Let all modules be in parallel; then the protocol A ≬ B ≬ C ≬ D ≬ T can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ C ≬ D ≬ T))) = τI(∂H(A ≬ B ≬ C ≬ D ≬ T))

where H = {rCAT(ENCpkT(rA)), sCAT(ENCpkT(rA)), rCTA(ENCpkA(R)), sCTA(ENCpkA(R)),
rCAT(ENCpkT(IA, RA, vA)), sCAT(ENCpkT(IA, RA, vA)),
rCBT(ENCpkT(rB)), sCBT(ENCpkT(rB)), rCTB(ENCpkB(R)), sCTB(ENCpkB(R)),
rCBT(ENCpkT(IB, RB, vB)), sCBT(ENCpkT(IB, RB, vB)),
rCCT(ENCpkT(rC)), sCCT(ENCpkT(rC)), rCTC(ENCpkC(R)), sCTC(ENCpkC(R)),
rCCT(ENCpkT(IC, RC, vC)), sCCT(ENCpkT(IC, RC, vC)),
rCDT(ENCpkT(rD)), sCDT(ENCpkT(rD)), rCTD(ENCpkD(R)), sCTD(ENCpkD(R)),
rCDT(ENCpkT(ID, RD, vD)), sCDT(ENCpkT(ID, RD, vD)) ∣ DA, DB, DC, DD ∈ ∆},

I = {cCAT(ENCpkT(rA)), cCTA(ENCpkA(R)), cCAT(ENCpkT(IA, RA, vA)),
cCBT(ENCpkT(rB)), cCTB(ENCpkB(R)), cCBT(ENCpkT(IB, RB, vB)),
cCCT(ENCpkT(rC)), cCTC(ENCpkC(R)), cCCT(ENCpkT(IC, RC, vC)),
cCDT(ENCpkT(rD)), cCTD(ENCpkD(R)), cCDT(ENCpkT(ID, RD, vD)),
encpkT(rA), encpkT(rB), encpkT(rC), encpkT(rD),
decskA(ENCpkA(R)), decskB(ENCpkB(R)), decskC(ENCpkC(R)), decskD(ENCpkD(R)),
rsgIA, rsgIB, rsgIC, rsgID,
encpkT(IA, RA, vA), encpkT(IB, RB, vB), encpkT(IC, RC, vC), encpkT(ID, RD, vD),
decskT(ENCpkT(rA)), decskT(ENCpkT(rB)), decskT(ENCpkT(rC)), decskT(ENCpkT(rD)),
rec(A), rec(B), rec(C), rec(D),
encpkA(R), encpkB(R), encpkC(R), encpkD(R),
decskT(ENCpkT(IA, RA, vA)), decskT(ENCpkT(IB, RB, vB)), decskT(ENCpkT(IC, RC, vC)), decskT(ENCpkT(ID, RD, vD)),
{isExisted(RA) = TRUE}, remove(RA), rec(IA, vA), {isExisted(RA) = FALSE},
{isExisted(RB) = TRUE}, remove(RB), rec(IB, vB), {isExisted(RB) = FALSE},
{isExisted(RC) = TRUE}, remove(RC), rec(IC, vC), {isExisted(RC) = FALSE},
{isExisted(RD) = TRUE}, remove(RD), rec(ID, vD), {isExisted(RD) = FALSE} ∣ DA, DB, DC, DD ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 10.5. The secure elections protocol 5 in Figure 35 is improved based on the secure

elections protocol 4.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws

of APTCG, we can prove that

τI(∂H(A ≬ B ≬ C ≬ D ≬ T)) = ∑DA,DB,DC,DD∈∆ (rCAI(DA) ∥ rCBI(DB) ∥ rCCI(DC) ∥ rCDI(DD) ⋅ sCTO(TAB)) ⋅ τI(∂H(A ≬ B ≬ C ≬ D ≬ T)).

For the details of the proof, please refer to Section 2.9; we omit them here.

That is, the protocol in Figure 35, τI(∂H(A ≬ B ≬ C ≬ D ≬ T)), can exhibit the desired external behaviors and is secure. For the properties of secure elections protocols:

1. Legitimacy: only authorized voters can vote;

2. Oneness: no one can vote more than once;

3. Privacy: no one can determine for whom anyone else voted;

4. Non-replicability: no one can duplicate anyone else’s vote;

5. Non-changeability: no one can change anyone else’s vote;

6. Validness: every voter can make sure that his vote has been taken into account in the final

tabulation, if CTF is trustworthy.

The anonymous distribution of valid numbers can avoid the distribution of valid numbers to illegal voters.

10.6 Secure Elections Protocol 6

The secure elections protocol 6 is shown in Figure 36; it improves on the secure elections protocol 5 in Section 10.5. In this protocol, there is a CTF (Central Tabulating Facility), which checks the identity of voters and collects the votes, and there are four voters: Alice, Bob, Carol and Dave.

The process of the protocol is as follows.

1. Alice receives some voting request DA from the outside through the channel CAI (the

corresponding reading action is denoted rCAI (DA)), she generates a request rA, encrypts

it by CTF’s public key through an action encpkT (rA), and sends it to CTF through the

channel CAT (the corresponding sending action is denoted sCAT (ENCpkT (rA)));

2. Bob receives some voting request DB from the outside through the channel CBI (the

corresponding reading action is denoted rCBI (DB)), he generates a request rB, encrypts

it by CTF’s public key through an action encpkT (rB), and sends it to CTF through the

channel CBT (the corresponding sending action is denoted sCBT (ENCpkT (rB)));

3. Carol receives some voting request DC from the outside through the channel CCI (the

corresponding reading action is denoted rCCI (DC)), he generates a request rC , encrypts

it by CTF’s public key through an action encpkT (rC), and sends it to CTF through the

channel CCT (the corresponding sending action is denoted sCCT (ENCpkT (rC)));

4. Dave receives some voting request DD from the outside through the channel CDI (the

corresponding reading action is denoted rCDI (DD)), he generates a request rD, encrypts

it by CTF’s public key through an action encpkT (rD), and sends it to CTF through the

channel CDT (the corresponding sending action is denoted sCDT (ENCpkT (rD)));

Figure 36: Secure elections protocol 6 (diagram with the nodes Alice, Bob, Carol, Dave and CTF, and the channel labels CAI, CAO, CBI, CBO, CCI, CCO, CDI, CDO, CTI, CTO)

5. CTF receives the requests from Alice, Bob, Carol and Dave through the channels CAT, CBT, CCT and CDT (the corresponding reading actions are denoted sCAT(ENCpkT(rA)), sCBT(ENCpkT(rB)), sCCT(ENCpkT(rC)), and sCDT(ENCpkT(rD)) respectively), he decrypts these encrypted requests through the actions decskT(ENCpkT(rA)), decskT(ENCpkT(rB)), decskT(ENCpkT(rC)), and decskT(ENCpkT(rD)) to get rA, rB, rC and rD, and records the names of Alice, Bob, Carol and Dave through actions rec(A), rec(B), rec(C) and rec(D); CTF maintains a table of valid numbers; then CTF encrypts all numbers R through actions encpkA(R), encpkB(R), encpkC(R) and encpkD(R) and sends them to Alice, Bob, Carol and Dave through the channels CTA, CTB, CTC and CTD respectively (the corresponding sending actions are denoted sCTA(ENCpkA(R)), sCTB(ENCpkB(R)), sCTC(ENCpkC(R)), and sCTD(ENCpkD(R)));

6. Alice receives the encrypted number from CTF through the channel CTA (the corresponding reading action is denoted rCTA(ENCpkA(R))), she decrypts the encrypted number through an action decskA(ENCpkA(R)) to randomly select one RA, generates a random identity number IA through an action rsgIA and her vote vA, generates a pair of public/private keys through an action rsgpk′A,sk′A, encrypts IA, RA, vA through an action encpk′A(IA, RA, vA) and sends the encrypted message to CTF through the channel CAT (the corresponding sending action is denoted sCAT(ENCpk′A(IA, RA, vA)));

7. Bob receives the encrypted number from CTF through the channel CTB (the corresponding reading action is denoted rCTB(ENCpkB(R))), he decrypts the encrypted number through an action decskB(ENCpkB(R)) to randomly select one RB, generates a random identity number IB through an action rsgIB and his vote vB, generates a pair of public/private keys through an action rsgpk′B,sk′B, encrypts IB, RB, vB through an action encpk′B(IB, RB, vB) and sends the encrypted message to CTF through the channel CBT (the corresponding sending action is denoted sCBT(ENCpk′B(IB, RB, vB)));

8. Carol receives the encrypted number from CTF through the channel CTC (the corresponding reading action is denoted rCTC(ENCpkC(R))), he decrypts the encrypted number through an action decskC(ENCpkC(R)) to randomly select one RC, generates a random identity number IC through an action rsgIC and his vote vC, generates a pair of public/private keys through an action rsgpk′C,sk′C, encrypts IC, RC, vC through an action encpk′C(IC, RC, vC) and sends the encrypted message to CTF through the channel CCT (the corresponding sending action is denoted sCCT(ENCpk′C(IC, RC, vC)));

9. Dave receives the encrypted number from CTF through the channel CTD (the corresponding reading action is denoted rCTD(ENCpkD(R))), he decrypts the encrypted number through an action decskD(ENCpkD(R)) to randomly select one RD, generates a random identity number ID through an action rsgID and his vote vD, generates a pair of public/private keys through an action rsgpk′D,sk′D, encrypts ID, RD, vD through an action encpk′D(ID, RD, vD) and sends the encrypted message to CTF through the channel CDT (the corresponding sending action is denoted sCDT(ENCpk′D(ID, RD, vD)));

10. CTF receives the encrypted messages from Alice, Bob, Carol and Dave through the channels CAT, CBT, CCT and CDT (the corresponding reading actions are denoted rCAT(ENCpk′A(IA, RA, vA)), rCBT(ENCpk′B(IB, RB, vB)), rCCT(ENCpk′C(IC, RC, vC)), and rCDT(ENCpk′D(ID, RD, vD)) respectively), he sends them to the outside through the channel CTO (the corresponding sending actions are denoted sCTO(ENCpk′A(IA, RA, vA)), sCTO(ENCpk′B(IB, RB, vB)), sCTO(ENCpk′C(IC, RC, vC)), and sCTO(ENCpk′D(ID, RD, vD)) respectively); then he sends the request rT to request the voters to reveal their votes through the channels CTA, CTB, CTC and CTD (the corresponding sending actions are denoted sCTA(rT), sCTB(rT), sCTC(rT), and sCTD(rT));

11. Alice receives the request rT from CTF through the channel CTA (the corresponding reading action is denoted rCTA(rT)), she sends RA, IA, sk′A to CTF through the channel CAT (the corresponding sending action is denoted sCAT(RA, IA, sk′A));

12. Bob receives the request rT from CTF through the channel CTB (the corresponding reading action is denoted rCTB(rT)), he sends RB, IB, sk′B to CTF through the channel CBT (the corresponding sending action is denoted sCBT(RB, IB, sk′B));

13. Carol receives the request rT from CTF through the channel CTC (the corresponding reading action is denoted rCTC(rT)), he sends RC, IC, sk′C to CTF through the channel CCT (the corresponding sending action is denoted sCCT(RC, IC, sk′C));

14. Dave receives the request rT from CTF through the channel CTD (the corresponding reading action is denoted rCTD(rT)), he sends RD, ID, sk′D to CTF through the channel CDT (the corresponding sending action is denoted sCDT(RD, ID, sk′D));

15. CTF receives the messages from Alice, Bob, Carol and Dave through the channels CAT, CBT, CCT and CDT (the corresponding reading actions are denoted rCAT(RA, IA, sk′A), rCBT(RB, IB, sk′B), rCCT(RC, IC, sk′C), and rCDT(RD, ID, sk′D) respectively), he decrypts the above encrypted messages through actions decsk′A(ENCpk′A(IA, RA, vA)), decsk′B(ENCpk′B(IB, RB, vB)), decsk′C(ENCpk′C(IC, RC, vC)), and decsk′D(ENCpk′D(ID, RD, vD)). If isExisted(RA) = TRUE, he removes RA from its table through an action remove(RA), records the vote vA and the pair of IA and vA into the voting results TAB through an action rec(IA, vA), else he does nothing; if isExisted(RB) = TRUE, he removes RB from its table through an action remove(RB), records the vote vB and the pair of IB and vB into the voting results TAB through an action rec(IB, vB), else he does nothing; if isExisted(RC) = TRUE, he removes RC from its table through an action remove(RC), records the vote vC and the pair of IC and vC into the voting results TAB through an action rec(IC, vC), else he does nothing; if isExisted(RD) = TRUE, he removes RD from its table through an action remove(RD), records the vote vD and the pair of ID and vD into the voting results TAB through an action rec(ID, vD), else he does nothing. Finally, he sends the voting results TAB to the outside through the channel CTO (the corresponding sending action is denoted sCTO(TAB)).

Here DA, DB, DC, DD ∈ ∆, and ∆ is the set of data.

Alice’s state transitions described by APTCG are as follows.

A = ∑DA∈∆ rCAI (DA) ⋅A2

A2 = encpkT (rA) ⋅A3

A3 = sCAT (ENCpkT (rA)) ⋅A4

A4 = rCTA(ENCpkA(R)) ⋅A5

A5 = decskA(ENCpkA(R)) ⋅A6

A6 = rsgIA ⋅A7

A7 = rsgpk′A,sk′A ⋅A8

A8 = encpk′A(IA,RA, vA) ⋅A9

A9 = sCAT (ENCpk′A(IA,RA, vA)) ⋅A10

A10 = rCTA(rT ) ⋅A11

A11 = sCAT (RA, IA, sk′A) ⋅A

Bob’s state transitions described by APTCG are as follows.

B = ∑DB∈∆ rCBI (DB) ⋅B2

B2 = encpkT (rB) ⋅B3

B3 = sCBT (ENCpkT (rB)) ⋅B4

B4 = rCTB(ENCpkB(R)) ⋅B5

B5 = decskB(ENCpkB(R)) ⋅B6

B6 = rsgIB ⋅B7

B7 = rsgpk′B ,sk′B ⋅B8

B8 = encpk′B(IB,RB, vB) ⋅B9

B9 = sCBT (ENCpk′B(IB,RB, vB)) ⋅B10

B10 = rCTB(rT ) ⋅B11

B11 = sCBT (RB, IB, sk′B) ⋅B

Carol’s state transitions described by APTCG are as follows.

C = ∑DC∈∆ rCCI (DC) ⋅C2

C2 = encpkT (rC) ⋅C3

C3 = sCCT (ENCpkT (rC)) ⋅C4

C4 = rCTC(ENCpkC(R)) ⋅C5

C5 = decskC(ENCpkC(R)) ⋅C6

C6 = rsgIC ⋅C7

C7 = rsgpk′C ,sk′C ⋅C8

C8 = encpk′C(IC ,RC , vC) ⋅C9

C9 = sCCT (ENCpk′C(IC ,RC , vC)) ⋅C10

C10 = rCTC(rT ) ⋅C11

C11 = sCCT (RC , IC , sk′C) ⋅C

Dave’s state transitions described by APTCG are as follows.

D = ∑DD∈∆ rCDI (DD) ⋅D2

D2 = encpkT (rD) ⋅D3

D3 = sCDT (ENCpkT (rD)) ⋅D4

D4 = rCTD(ENCpkD(R)) ⋅D5

D5 = decskD(ENCpkD(R)) ⋅D6

D6 = rsgID ⋅D7

D7 = rsgpk′D,sk′D ⋅D8

D8 = encpk′D(ID,RD, vD) ⋅D9

D9 = sCDT (ENCpk′D(ID,RD, vD)) ⋅D10

D10 = rCTD(rT ) ⋅D11

D11 = sCDT (RD, ID, sk′D) ⋅D

CTF’s state transitions described by APTCG are as follows.

T = sCAT (ENCpkT (rA)) ∥ sCBT (ENCpkT (rB)) ∥ sCCT (ENCpkT (rC)) ∥ sCDT (ENCpkT (rD)) ⋅ T2

T2 = decskT (ENCpkT (rA)) ∥ decskT (ENCpkT (rB)) ∥ decskT (ENCpkT (rC)) ∥ decskT (ENCpkT (rD)) ⋅ T3

T3 = rec(A) ∥ rec(B) ∥ rec(C) ∥ rec(D) ⋅ T4

T4 = encpkA(R) ∥ encpkB(R) ∥ encpkC(R) ∥ encpkD(R) ⋅ T5

T5 = sCTA(ENCpkA(R)) ∥ sCTB(ENCpkB(R)) ∥ sCTC(ENCpkC(R)) ∥ sCTD(ENCpkD(R)) ⋅ T6

T6 = rCAT (ENCpk′A(IA,RA, vA)) ∥ rCBT (ENCpk′B(IB,RB, vB)) ∥ rCCT (ENCpk′C(IC ,RC , vC)) ∥ rCDT (ENCpk′D(ID,RD, vD)) ⋅ T7

T7 = sCTO(ENCpk′A(IA,RA, vA)) ∥ sCTO(ENCpk′B(IB,RB, vB)) ∥ sCTO(ENCpk′C(IC ,RC , vC)) ∥ sCTO(ENCpk′D(ID,RD, vD)) ⋅ T8

T8 = sCTA(rT ) ∥ sCTB(rT ) ∥ sCTC(rT ) ∥ sCTD(rT ) ⋅ T9

T9 = rCAT (RA, IA, sk′A) ∥ rCBT (RB, IB, sk′B) ∥ rCCT (RC , IC , sk′C) ∥ rCDT (RD, ID, sk′D) ⋅ T10

T10 = decsk′A(ENCpk′A(IA,RA, vA)) ∥ decsk′B(ENCpk′B(IB,RB, vB)) ∥ decsk′C(ENCpk′C(IC ,RC , vC)) ∥ decsk′D(ENCpk′D(ID,RD, vD)) ⋅ T11

T11 = (({isExisted(RA) = TRUE} ⋅ remove(RA) ⋅ rec(IA, vA) + {isExisted(RA) = FALSE})
∥ ({isExisted(RB) = TRUE} ⋅ remove(RB) ⋅ rec(IB, vB) + {isExisted(RB) = FALSE})
∥ ({isExisted(RC) = TRUE} ⋅ remove(RC) ⋅ rec(IC , vC) + {isExisted(RC) = FALSE})
∥ ({isExisted(RD) = TRUE} ⋅ remove(RD) ⋅ rec(ID, vD) + {isExisted(RD) = FALSE})) ⋅ T12

T12 = sCTO(TAB) ⋅ T

The sending action and the reading action of the same type of data through the same channel can communicate with each other; otherwise, a deadlock δ will be caused. We define the following communication functions.

γ(rCAT(ENCpkT(rA)), sCAT(ENCpkT(rA))) ≜ cCAT(ENCpkT(rA))
γ(rCTA(ENCpkA(R)), sCTA(ENCpkA(R))) ≜ cCTA(ENCpkA(R))
γ(rCAT(ENCpk′A(IA, RA, vA)), sCAT(ENCpk′A(IA, RA, vA))) ≜ cCAT(ENCpk′A(IA, RA, vA))
γ(rCTA(rT), sCTA(rT)) ≜ cCTA(rT)
γ(rCAT(RA, IA, sk′A), sCAT(RA, IA, sk′A)) ≜ cCAT(RA, IA, sk′A)
γ(rCBT(ENCpkT(rB)), sCBT(ENCpkT(rB))) ≜ cCBT(ENCpkT(rB))
γ(rCTB(ENCpkB(R)), sCTB(ENCpkB(R))) ≜ cCTB(ENCpkB(R))
γ(rCBT(ENCpk′B(IB, RB, vB)), sCBT(ENCpk′B(IB, RB, vB))) ≜ cCBT(ENCpk′B(IB, RB, vB))
γ(rCTB(rT), sCTB(rT)) ≜ cCTB(rT)
γ(rCBT(RB, IB, sk′B), sCBT(RB, IB, sk′B)) ≜ cCBT(RB, IB, sk′B)
γ(rCCT(ENCpkT(rC)), sCCT(ENCpkT(rC))) ≜ cCCT(ENCpkT(rC))
γ(rCTC(ENCpkC(R)), sCTC(ENCpkC(R))) ≜ cCTC(ENCpkC(R))
γ(rCCT(ENCpk′C(IC, RC, vC)), sCCT(ENCpk′C(IC, RC, vC))) ≜ cCCT(ENCpk′C(IC, RC, vC))
γ(rCTC(rT), sCTC(rT)) ≜ cCTC(rT)
γ(rCCT(RC, IC, sk′C), sCCT(RC, IC, sk′C)) ≜ cCCT(RC, IC, sk′C)
γ(rCDT(ENCpkT(rD)), sCDT(ENCpkT(rD))) ≜ cCDT(ENCpkT(rD))
γ(rCTD(ENCpkD(R)), sCTD(ENCpkD(R))) ≜ cCTD(ENCpkD(R))
γ(rCDT(ENCpk′D(ID, RD, vD)), sCDT(ENCpk′D(ID, RD, vD))) ≜ cCDT(ENCpk′D(ID, RD, vD))
γ(rCTD(rT), sCTD(rT)) ≜ cCTD(rT)
γ(rCDT(RD, ID, sk′D), sCDT(RD, ID, sk′D)) ≜ cCDT(RD, ID, sk′D)

Let all modules be in parallel; then the protocol A ≬ B ≬ C ≬ D ≬ T can be presented by the following process term.

τI(∂H(Θ(A ≬ B ≬ C ≬ D ≬ T))) = τI(∂H(A ≬ B ≬ C ≬ D ≬ T))

where H = {rCAT(ENCpkT(rA)), sCAT(ENCpkT(rA)), rCTA(ENCpkA(R)), sCTA(ENCpkA(R)),
rCAT(ENCpk′A(IA, RA, vA)), sCAT(ENCpk′A(IA, RA, vA)),
rCTA(rT), sCTA(rT), rCAT(RA, IA, sk′A), sCAT(RA, IA, sk′A),
rCBT(ENCpkT(rB)), sCBT(ENCpkT(rB)), rCTB(ENCpkB(R)), sCTB(ENCpkB(R)),
rCBT(ENCpk′B(IB, RB, vB)), sCBT(ENCpk′B(IB, RB, vB)),
rCTB(rT), sCTB(rT), rCBT(RB, IB, sk′B), sCBT(RB, IB, sk′B),
rCCT(ENCpkT(rC)), sCCT(ENCpkT(rC)), rCTC(ENCpkC(R)), sCTC(ENCpkC(R)),
rCCT(ENCpk′C(IC, RC, vC)), sCCT(ENCpk′C(IC, RC, vC)),
rCTC(rT), sCTC(rT), rCCT(RC, IC, sk′C), sCCT(RC, IC, sk′C),
rCDT(ENCpkT(rD)), sCDT(ENCpkT(rD)), rCTD(ENCpkD(R)), sCTD(ENCpkD(R)),
rCDT(ENCpk′D(ID, RD, vD)), sCDT(ENCpk′D(ID, RD, vD)),
rCTD(rT), sCTD(rT), rCDT(RD, ID, sk′D), sCDT(RD, ID, sk′D) ∣ DA, DB, DC, DD ∈ ∆},

I = {cCAT(ENCpkT(rA)), cCTA(ENCpkA(R)), cCAT(ENCpk′A(IA, RA, vA)),
cCBT(ENCpkT(rB)), cCTB(ENCpkB(R)), cCBT(ENCpk′B(IB, RB, vB)),
cCCT(ENCpkT(rC)), cCTC(ENCpkC(R)), cCCT(ENCpk′C(IC, RC, vC)),
cCDT(ENCpkT(rD)), cCTD(ENCpkD(R)), cCDT(ENCpk′D(ID, RD, vD)),
cCTA(rT), cCAT(RA, IA, sk′A), cCTB(rT), cCBT(RB, IB, sk′B),
cCTC(rT), cCCT(RC, IC, sk′C), cCTD(rT), cCDT(RD, ID, sk′D),
encpkT(rA), encpkT(rB), encpkT(rC), encpkT(rD),
decskA(ENCpkA(R)), decskB(ENCpkB(R)), decskC(ENCpkC(R)), decskD(ENCpkD(R)),
rsgIA, rsgIB, rsgIC, rsgID,
rsgpk′A,sk′A, rsgpk′B,sk′B, rsgpk′C,sk′C, rsgpk′D,sk′D,
encpk′A(IA, RA, vA), encpk′B(IB, RB, vB), encpk′C(IC, RC, vC), encpk′D(ID, RD, vD),
decskT(ENCpkT(rA)), decskT(ENCpkT(rB)), decskT(ENCpkT(rC)), decskT(ENCpkT(rD)),
rec(A), rec(B), rec(C), rec(D),
encpkA(R), encpkB(R), encpkC(R), encpkD(R),
decsk′A(ENCpk′A(IA, RA, vA)), decsk′B(ENCpk′B(IB, RB, vB)), decsk′C(ENCpk′C(IC, RC, vC)), decsk′D(ENCpk′D(ID, RD, vD)),
{isExisted(RA) = TRUE}, remove(RA), rec(IA, vA), {isExisted(RA) = FALSE},
{isExisted(RB) = TRUE}, remove(RB), rec(IB, vB), {isExisted(RB) = FALSE},
{isExisted(RC) = TRUE}, remove(RC), rec(IC, vC), {isExisted(RC) = FALSE},
{isExisted(RD) = TRUE}, remove(RD), rec(ID, vD), {isExisted(RD) = FALSE} ∣ DA, DB, DC, DD ∈ ∆}.

Then we get the following conclusion on the protocol.

Theorem 10.6. The secure elections protocol 6 in Figure 36 is improved based on the secure

elections protocol 5.

Proof. Based on the above state transitions of the above modules, by use of the algebraic laws

of APTCG, we can prove that

τI(∂H(A ≬ B ≬ C ≬ D ≬ T)) = ∑DA,DB,DC,DD∈∆ ((rCAI(DA) ∥ rCBI(DB) ∥ rCCI(DC) ∥ rCDI(DD)) ⋅ (sCTO(ENCpk′A(IA, RA, vA)) ∥ sCTO(ENCpk′B(IB, RB, vB)) ∥ sCTO(ENCpk′C(IC, RC, vC)) ∥ sCTO(ENCpk′D(ID, RD, vD))) ⋅ sCTO(TAB)) ⋅ τI(∂H(A ≬ B ≬ C ≬ D ≬ T)).

For the details of the proof, please refer to Section 2.9; we omit them here.

That is, the protocol in Figure 36, τI(∂H(A ≬ B ≬ C ≬ D ≬ T)), can exhibit the desired external behaviors and is secure. For the properties of secure elections protocols:

1. Legitimacy: only authorized voters can vote;

2. Oneness: no one can vote more than once;

3. Privacy: no one can determine for whom anyone else voted;

4. Non-replicability: no one can duplicate anyone else’s vote;

5. Non-changeability: no one can change anyone else’s vote;

6. Validness: every voter can make sure that his vote has been taken into account in the final

tabulation, if CTF is trustworthy.

Additionally, (1) if a voter observes that his vote is not properly counted, he can protest; (2) a voter can change his vote later.
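Added example, not from the paper: a symbolic Python model of the CTF in protocol 6, in which ENC is an opaque term that opens only with the matching secret key, as in the process terms above. It runs steps 5, 10 and 15 for four voters and shows the isExisted/remove/rec guard rejecting a second ballot that carries an already-used number. The class and function names, the fixed `pick` indices, the one-at-a-time processing of reveals and the (I, R) consistency check are assumptions of this example.

```python
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Enc:
    """Symbolic ciphertext ENC_pk(payload): opaque without the matching sk."""
    pk: str
    payload: tuple


def rsg_keypair(owner):
    """rsg_{pk',sk'}: fresh symbolic key pair whose halves share a random tag."""
    tag = secrets.token_hex(8)
    return f"pk:{owner}:{tag}", f"sk:{owner}:{tag}"


def dec(sk, ciphertext):
    """dec_sk(ENC_pk(m)) yields m only when sk belongs to pk, else None."""
    if "pk:" + sk[3:] != ciphertext.pk:
        return None
    return ciphertext.payload


class CTF:
    def __init__(self, n_numbers):
        self.valid = {secrets.token_hex(8) for _ in range(n_numbers)}  # table of R
        self.names = set()   # rec(A), rec(B), ...
        self.board = []      # ciphertexts forwarded on C_TO (step 10)
        self.tab = {}        # TAB: identity number I -> vote v

    def numbers_for(self, name):           # step 5: record name, send all R
        self.names.add(name)
        return sorted(self.valid)

    def submit(self, ciphertext):          # step 10: publish the sealed ballot
        self.board.append(ciphertext)
        return len(self.board) - 1

    def reveal(self, slot, r, i, sk):      # step 15: decrypt, then guard
        payload = dec(sk, self.board[slot])
        if payload is None or payload[:2] != (i, r):
            return "unopened"              # assumption: consistency check
        if r not in self.valid:            # guard {isExisted(R) = FALSE}
            return "rejected"
        self.valid.remove(r)               # remove(R)
        self.tab[i] = payload[2]           # rec(I, v)
        return "counted"


class Voter:
    def __init__(self, name, vote):
        self.name, self.vote = name, vote

    def cast(self, ctf, pick):             # steps 1-9
        numbers = ctf.numbers_for(self.name)
        self.r = numbers[pick]             # selection index fixed for a repeatable run
        self.i = secrets.token_hex(8)      # rsg_I
        pk, self.sk = rsg_keypair(self.name)
        self.slot = ctf.submit(Enc(pk, (self.i, self.r, self.vote)))

    def reveal(self, ctf):                 # steps 11-14: send R, I, sk'
        return ctf.reveal(self.slot, self.r, self.i, self.sk)

    def counted(self, ctf):                # voter's own check against TAB
        return ctf.tab.get(self.i) == self.vote


def run_election():
    ctf = CTF(n_numbers=8)
    voters = [Voter("Alice", "yes"), Voter("Bob", "no"),
              Voter("Carol", "yes"), Voter("Dave", "no")]
    # Constructed scenario: Dave's selection collides with Alice's number.
    for voter, pick in zip(voters, [0, 1, 2, 0]):
        voter.cast(ctf, pick)
    # Before the reveal, a key that is not the voter's opens nothing.
    _, other_sk = rsg_keypair("CTF")
    sealed = all(dec(other_sk, c) is None for c in ctf.board)
    outcomes = {v.name: v.reveal(ctf) for v in voters}
    replay = voters[0].reveal(ctf)         # Alice's number was already removed
    checks = {v.name: v.counted(ctf) for v in voters}
    return {"sealed": sealed, "outcomes": outcomes, "replay": replay,
            "checks": checks, "tab": dict(ctf.tab), "left": len(ctf.valid)}


if __name__ == "__main__":
    for key, value in run_election().items():
        print(key, value)
```

A voter whose `counted` check fails can point to his ciphertext on the published board, which is the basis for the protest mentioned in point (1) above.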
