Discrete Dynamics in Nature and Society

Volume 2014 (2014), Article ID 904717, 7 pages

http://dx.doi.org/10.1155/2014/904717

## Fairness Analysis for Multiparty Nonrepudiation Protocols Based on Improved Strand Space

^{1}School of Information Engineering, Zhengzhou University, Zhengzhou 450001, China^{2}Shanghai Key Lab of Modern Optical System, Department of Control Science and Engineering, University of Shanghai for Science and Technology, Shanghai 200093, China

Received 5 November 2013; Revised 21 November 2013; Accepted 21 November 2013; Published 2 January 2014

Academic Editor: Guoliang Wei

Copyright © 2014 Lei Li et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Aimed at the problem of the fairness analysis for multiparty nonrepudiation protocols, a new formal analysis method based on improved strand space is presented. Based on the strand space theory, signature operation is added; the set of terms, the subterm relation and the set of penetrator traces are redefined and the assumption of free encryption is extended in the new method. The formal definition of fairness in multi-party non-repudiation protocols is given and the guideline to verify it based on improved strand space is presented. Finally, the fairness of multi-party non-repudiation protocols is verified with an example of Kremer-Markowitch protocol, which indicates that the new method is suitable for analyzing the fairness of multiparty nonrepudiation protocols.

#### 1. Introduction

As a crucial foundation of the realization of electronic commerce, nonrepudiation protocols provide the nonrepudiation services for the interbehavior between the network entities. Generally speaking, some security properties of the nonrepudiation protocols should be equipped with such as nonrepudiation, fairness, and timeliness, among which the fairness acts as the most important one. The nonrepudiation protocols are usually the ones being of one sender and multireceptors.

Formal methods, theory, and supporting tools paly an important role in the design, analysis, and verification of the security-related and cryptographic protocols [1]. There are numbers of approaches for analyzing the security protocol; however, it turns out to be that each one is subjected to its own limitations since it can only analyze a certain class of protocols or security properties. During the period of designing the security protocols, it is required to guarantee the security properties of security protocol as much as possible by applying multikinds of formal analysis methods. Currently, the formal analysis methods based on nonrepudiation protocols can be divided into two classes.(1)Belief logic method: in [2], Kailar firstly extended the BAN logic and applied it to the analysis of fairness of the nonrepudiation protocols; the authors in [3, 4] analyzed the fairness and timeliness of the nonrepudiation protocols by using belief logic, respectively. In [5, 6], the authors introduced the alternating-time temporal logic analyzing the fairness of the nonrepudiation protocols. However, the formal analysis based on the belief logic method only works under a lot of assumptions.(2)State space method: the automatic analysis method with a protocol checker adopted in [7] and Petri net method proposed in [8] both need to search the state space; while analyzing the complex space, human intervention is indispensable to both the two methods in case of the blast of state space.

In the recent years, some formal methods have been developed which are suitable for the analysis of nonrepudiation protocols; see, for example, [9–11]. However, fairness analysis for multi-party nonrepudiation protocols seems to be more complex, and only nonformal analysis for fairness, and so on, has been done by utilizing various typical kinds of nonrepudiation protocols in [12–14].

The theory of strand space is a proof technique which is based on induction and free encryption assumption; furthermore, this theorem can analyze any protocol for any size neither constrained from the amounts of participative entities nor dependent on the state space searching. Nevertheless, in the strand space theory, some cryptographic primitives are lack of definition, such as signature; therefore, it is not suitable for the analysis of the fairness for multi-party nonrepudiation protocols.

In this paper, the operation for signature in the strand space theorem is added and the set of terms, subterm relation, and the set of penetrator traces are redefined. The assumption of free encryption is extended in the new method. The formal definition of fairness in multi-party nonrepudiation protocols is given and the guideline to verify it based on improved strand space is presented. Finally, the fairness of multi-party nonrepudiation protocols is verified with an example of Kremer-Markowitch protocol, which indicates that the new method is suitable for analyzing the fairness of multi-party nonrepudiation protocols.

#### 2. The Basic Notions of Strand Space [15]

A strand is a sequence of events that a single principal may engage in. Each individual strand is a sequence of message transmissions and receptions, with specific values of all data such as keys and nonces. One may think of a strand space as containing all the legitimate executions of the protocol expected within its useful lifetime, together with all the actions that a penetrator might apply to the messages contained in those executions, together with penetrator part strands. The basic notions of a strand space, as follows.

Consider a set , the elements of which are the possible messages that can be exchanged between principals in a protocol, and we will refer to the elements of as terms.

A strand space is a pair with a trace mapping , in which is the set of a strand; here, the strand can represent any sequences and be denoted by .

Subterm: means that is a subterm of .

*Definition 1. *A signed term is a pair with and one of the symbols . One will write a signed term as or ; is the set of finite sequences of signed terms.

*Definition 2. *A strand space is a set with a trace mapping .

*Definition 3. *Fix a strand space with the following steps.(1)A node is a pair , with and an integer satisfying . The set of nodes is denoted by . One will say that the node belongs to the strand . Clearly, every node belongs to a unique strand.(2)If , means that term and term . It means that node sends the message , which is received by , creating a causal link between their strands.(3)If , then means that occur on the same strand. It expresses that is an immediate causal predecessor of in the strand.(4)An unsigned term occurs in if and only if term .(5) is an unsigned term set, node is an entry point of , if and only if , and whenever precedes on the same strand, term .(6)An unsigned term originates on if and only if .(7)An unsigned term is uniquely originating if and only if originates on a unique .

A bundle is a portion of a strand space. It consists of a number of strands legitimate or otherwise hooked together where one strand sends a message and another strand receives that same message. Typically, for a protocol to be correct, each such bundle must contain one strand for each of the legitimate principals apparently participating in this session, all agreeing on the principals, nonces, and session keys. Penetrator strands or stray legitimate strands may also be entangled in a bundle, even in a correct protocol, but they should not prevent the legitimate parties from agreeing on the data values or from maintaining the secrecy of the values chosen.

*Definition 4. *If ; ; and is the subgraph of , then is a bundle if and only if(1) is a finite acyclic graph;(2) and term is negative; thus, there exists a unique node , so that ;(3) and , then .

#### 3. The Improved Strand Space

In the basic theorem of strand space, only encryption and connection operation are defined for term set; however, neither the symmetric and asymmetric keys are distinguished nor the signature operation is defined. Nonrepudiation protocols are dependent on the cryptographic primitives of encryption and signature. Therefore, the basic strand space theorem is not suitable for analyzing the fairness of multi-party nonrepudiation protocols. In this paper, we redefine the term set as follows.

*Definition 5. *The term set satisfies the following conditions.(1) is a set of atomic messages.(2) is the set of identifiers, are used to denote origination party, receiving party and the trusted third party in our following discussions.(3) is the set of keys; and are nonintersect and is a monadic operator mapping one key of the key pair in the asymmetric cryptosystem to another and mapping the symmetric key to itself.(4), is the set of asymmetric keys; one denotes the private key set as and public key as .(5) is the set of symmetric keys; and are nonintersect and also nonintersect with .(6)Three binary operators ; ; and .

In this paper, we use the notation , , and to denote the encryption of message by key , connection between and , and the signature of message by private key , respectively.

Due to the addition of the operation signature, relations of subterms are redefined as follows.

*Definition 6. *The recursion of subterm relations is defined as the minimum relation which satisfies the following relations:(1);(2) if ;(3) if ;(4) if .

The stand space theorem builds the model of actions by a penetrator and gives some formal descriptions about the basic penetrations of a penetrator; the penetrator’s powers are mainly depicted by two ingredients, namely, a set of keys known initially to the penetrator and the capabilities to generate new messages from messages he receives.

The basic actions of the penetrator are characterized by a set of penetrator traces which are composed of the available atomic actions. Owing to the additions of operations such as signature, the penetrator traces are required to consist of some atomic operations including signature and verification. The penetrator traces are redefined with the following forms.

*Definition 7. *The penetrator traces include(1)text message: , ;(2)*key*: , ;(3)concatenation: ;(4)separation into components: ;(5)encryption: ;(6)decryption: ;(7)signature: , ;(8)verification: .

In the assumption of free encryption, it stipulates that a ciphertext can be regarded as a ciphertext in just one way. After and , the assumption of free encryption has been fully applied to different kinds of formal analysis methods.

In the basic strand space theorem, is the algebra freely generated from and by the two operators’ encryption and join. The following are some extensions of the assumption of free encryption due to the addition of signature operation.

*Axiom.* For , , , ,(1);(2);(3).

The improved strand space method is a formal analysis method consisting of some key concepts, for example, the redefined term set, relations between subterms, penetrator traces, extended assumption of free encryption, and the bundles in the basic strand space, and also combining with protocol traces and theorem proof.

#### 4. Definition of Fairness and Proof Line

Among numbers’ properties of the nonrepudiation protocols possess, fairness is the most important one which includes two aspects; first, when the protocols are completed, the origination party received the evidence of nonrepudiation protocols from receiving party and denoted by was well as receiving party received the evidence of nonrepudiation protocols from origination party and is denoted by ; second, when the protocols are terminated abruptly, it should have the capability to keep both sides of communication equal and neither sides in a dominant position. Hence, we make a formal definition as the following form about fairness.

*Definition 8. *If the origination party receives if and only if the receiving party receives , then we say that the nonrepudiation protocols satisfy the fairness.

In the multi-party nonrepudiation protocols, there exists one origination party and multireceiving parties, and in the process of protocol running, it is allowable that some receiving parties complete the protocols and the others terminate the protocols. If we denote the th receiver as , the th nonrepudiation evidence of receiving party as , and the th nonrepudiation evidence of origination party as , then the fairness is defined as follows.

*Definition 9. *If the origination party receives if and only if the receiving party receives , then one says that the nonrepudiation protocols satisfy the fairness.

We can consider the proof of fairness from two aspects: firstly, when origination party receives , it is sure that the receiving party receives ; secondly, when origination party receives , then the receiving party certainly receives . Hence, the conditions in Definition 9 are satisfied and the protocols are guaranteed to meet the fairness.

The proof steps of the fairness of multi-party nonrepudiation protocols by using the improved strand model are listed as follows.(1)Build the strand model for multi-party nonrepudiation protocols.(2)Prove that if there exists originator strand in bundle and the nodes in the stand contain term , then there must exist receiver strand as well as the nodes in this strand contain term .(3)Prove that if there exists receiver strand in bundle and the nodes in the strand contain term , then there must exist originator strand as well as the nodes in this stand contain term .

#### 5. Prove the Fairness of Protocol Based on Extended strand Method

##### 5.1. Protocol

protocol is a typical multi-party nonrepudiation protocol, and we denote the notation in the protocol as follows:(1), denotes origination party and the trusted third party TTP of protocols;(2) is the subset of and represents the receiver set which returns the valid evidence to , ;(3) represents the unique identifier of the current running protocol;(4): message from to ;(5): a symmetric secret key used when encrypts ;(6): cryptograph of message from to ;(7): customer sends a message to customer ;(8): customer broadcasts a message to customer ;(9): the obtained operations of to , namely, can always get messages from ;(10) encrypts secret key by utilizing the group encryption mechanism, and only can decrypt and obtain ;(11): the evidence of signatured cryptograph from originator to ;(12): signatured cryptograph from originator to receives evidence;(13): a secret key is sent to from the signatured by TTP and the evidence received by from secret key .

The protocol can be described as follows:(1);(2);(3);(4);(5).

Firstly, originator broadcasts and evidence to the receiver set , and responses by evidence when it receives the messages, and then submits to the trusted third party with group encryption form ; finally, and can obtain and evidence from by obtaining operations.

Nonrepudiation evidence ; for all . If there exists any argument, can submit to arbitration agency for arbitration.

##### 5.2. Strand Space

The obtained operations in protocol can be regarded as the message can be always received by and from . Denote as the sign term of node and as the unsigned parts of . The obtained operation can be defined as follows in the improved strand space.

*Definition 10. *If entity obtains message from by obtained operation, then strand satisfies . Denoting bundle as an arbitrary bundle satisfying , there always exists satisfying and .

strand space can be depicted with the following form.

*Definition 11. *Assuming that is a penetrator strand space, if is comprised of the following four kinds of strands, then one says that is a strand space. (1)The penetrator strand: .(2)The originator strand , whose traces are , ; , and ; . Here, is a trace set whose elements are the traces discussed above and the corresponding entity is originator .(3)The receiver strand , whose traces are , ; and ; . Here, is a trace set whose elements are the traces discussed above and the corresponding entity is receiver .(4)The trusted third strand , whose traces are . Here, is a trace set whose elements are the traces discussed above and the corresponding entity is the trusted third part .

We say that the originator strand, receiver strand, and trusted third strand are all regular strands whose nodes are called regular nodes. Given a strand in the , we can confirm that whether it belongs to penetrator strand, originator strand, receiver strand, or the trusted third part strand uniquely form its formal. Therefore, there is no confusion for omitting of the strand space .

##### 5.3. Analysis of Fairness of the Protocol

In order to prove protocol that satisfies the fairness, we need to prove the following two propositions.

Proposition 12. * Assume the following conditions are true:*(1)

*is a*

*strand space,*

*is a bundle in the*

*, and*

*is an originator strand in*

*which includes the compositions*

*and*

*of*

*;*(2)

*;*

*;*

*(*

*,*

*,*

*represent the private key of originator party, receiver party, and*

*, respectively, and*

*represents a private space known well by penetrator);*(3)

*;*

*,*

*,*

*are the only original terms in*

*;*

*then the bundle consists of a receiver strand as well as consists of the compositions and of .**Proposition 13. Assume the following conditions are true:(1) is a strand space, is a bundle in the , and is a receiver strand in which includes the compositions and of ;(2); ; (, , represents the private key of originator party, receiver party, and , respectively, and represents a private space known well by penetrator);(3), , are the only original terms in ;*

then the bundle consists of an originator strand as well as consists of the compositions and of .

*In the following section, we focus our attention on the proof of Proposition 12 in terms of a series of lemmas. Choose , , , , , , , , arbitrarily which satisfy the assumptions in Proposition 12. It is obvious that terms and are included in . The output value of node is denoted by whose term is denoted by .*

*Lemma 14. Term originates from regular node .*

*Proof. *As , we assume that term originates from regular node , and then we investigate the probability of positive node in the penetrator traces, respectively:(1), ; it follows from the assumption of free encryption that thus, is not its positive node;(2), ; it follows from the assumption of free encryption that ; thus, is not its positive node;(3); if is its positive node, then and we can confirm that . Therefore, there obviously exists positive node to make sure that , which is in contradiction with that is the original node;(4); if is its positive node, then and we can confirm that . Therefore, there obviously exists positive node to make sure that , which is in contradiction with that is the original node;(5); if is its positive node, we can confirm that since . Therefore, there obviously exsits positive node to make sure that , which is in contradiction with that is the original node;(6); if is its positive node, then and we can confirm that . Therefore, there obviously exists positive node to make sure that , which is in contradiction with that is the original node;(7); since , . Hence, if is its positive node, then and we can confirm that . Therefore, there obviously exists positive node to make sure that , which is in contradiction with that is the original node;(8); if is its positive node, then and we can confirm that . Therefore, there obviously exists positive node to make sure that , which is in contradiction with that is the original node.

Summing up the above discussions, it is impossible that is in only one penetrator strand. Therefore, is a regular node.

*Lemma 15. Assume that is on the regular strand ; then is a trusted third party of .*

*Proof. *Node is a positive regular node containing terms with the form of . Among the whole regular nodes, only the second and third nodes of the trusted third strand consist of such terms; furthermore, is the original node of ; hence, is the second node of the trusted third party strand. It follows from the creditability of the trusted third party that there must exist the third strand of this strand; therefore, is the trusted third party strand of bundle .

*Lemma 16. Term originates from regular node .*

*Proof. *As . Assuming that term originates from , we investigate the penetrator traces successively. With the similar proof of Lemma 14, we can conclude that is the regular node.

*Lemma 17. originates from regular node .*

*Proof. *As . It follows from the assumption that and is positive. Since there is no predecessor in the strand which locates, we can derive that originates from .

*Lemma 18. It is assumed that is on the regular strand ; then there exists predecessor of in the and .*

*Proof. *Because , , we have . It can be seen that originates from ; together with condition of Proposition 12, we have only original in the ; hence, does not originate from . Furthermore, , then there must exist predecessor of in the strand to guarantee .

*Lemma 19. Regular strand consisting of and is a receiver strand in the bundle of .*

*Proof. *Nodes and in the regular strand satisfy the following properties: is a positive regular node; consists of a subterm with form of ; and are predecessors in the strand ; and . Investigating the whole regular strands in the bundle of , we found that only the first and the second nodes of the receiver strand satisfy the conditions listed above. Regular strand consisting of and is a receiver strand in the bundle of . In addition, from Lemma 15 we can see that there exists a trusted third party to guarantee . According to Definition 10, there must exist a node in the receiver strand to make sure that , which is the third node in the receiver strand while investigating the receiver in bundle .

*Lemma 20. Receiver strand consists of terms and .*

*Proof. *According to the definition of receiver strand in the strand space, obviously contains and .

*Summing up the lemmas discussed above, we can derive that Proposition 12 is true.*

*In order to prove that Proposition 13 along the similar proof line, we can firstly prove there exists a trusted third party in the bundle in terms of the original of , and then prove that there exists originator strand in bundle by using the original of .*

*6. Conclusions*

*6. Conclusions*

*It can be seen that some operations have not been defined in the basic strand space theorem such as signature. In this paper, we add the signature operation and redefine the term set, relations between subterms, and penetrator traces as well as extend the assumption of free encryption. Furthermore, the formal definition of fairness of multiparty nonrepudiation protocols is put forward. Idea and method of fairness analysis for multi-party nonrepudiation protocols based on improved strand space have been discussed in detail. Analyzing the fairness of protocol by using the analysis method based on improved strand space, we can conclude that protocol satisfies the fairness property, which shows that our improved strand space method is suitable for fairness analysis for multi-party nonrepudiation protocols. Kim’s work [16] has revealed that protocol in [17] cannot meet the timeliness. Our further research topic would be to investigate the corresponding other properties for multi-party nonrepudiation protocols, such as nonrepudiation and/or timeliness. Consequently, it is an extension of our results and seems to be much more interesting and challenging.*

*Conflict of Interests*

*Conflict of Interests*

*The authors declare that there is no conflict of interests regarding the publication of this paper.*

*Acknowledgments*

*Acknowledgments*

*This work is supported by the 863 Program of China under Grant 2011AA01A201, Technological Brainstorm Project of Henan Province of China under Grant 12B520054, the National Natural Science Foundation of China under Grant 61074016, the Program for Professor of Special Appointment (Eastern Scholar) at Shanghai Institutions of Higher Learning, the Program for New Century Excellent Talents in University under Grant NCET-11-1051, the Leverhulme Trust of the UK, and the Alexander von Humboldt Foundation of Germany.*

*References*

*References*

- S. Gritzalis, D. Spinellis, and P. Georgiadis, “Security protocols over open networks and distributed systems: formal methods for their analysis, design, and verification,”
*Computer Communications*, vol. 22, no. 8, pp. 697–709, 1999. View at Publisher · View at Google Scholar · View at Scopus - R. Kailar, “Accountability in electronic commerce protocols,”
*IEEE Transactions on Software Engineering*, vol. 22, no. 5, pp. 313–328, 1996. View at Publisher · View at Google Scholar · View at Scopus - L. Botao and L. Junzhou, “On timeliness of a fair non-repudiation protocol,” in
*Proceedings of the 3rd International Conference on Information Security (InfoSecu '04)*, pp. 99–106, Shanghai, China, November 2004. View at Publisher · View at Google Scholar · View at Scopus - Y. Xu and X. Xie, “Analysis of electronic commerce protocols based on extended rubin logic,” in
*Proceedings of the 9th International Conference for Young Computer Scientists (ICYCS '08)*, pp. 2079–2084, Hunan, China, November 2008. View at Publisher · View at Google Scholar · View at Scopus - W. Jamroga, S. Mauw, and M. Melissen, “Fairness in non-repudiation protocols,” in
*Proceedings of the 7th International workshop on security and trust management*, pp. 122–139, Copenhagen, Denmark, June 2011. - S. Kremer and J. F. Raskin, “A game-based verification of non-repudiation and fair exchange protocols,” in
*CONCUR, 2001—Concurrency Theory*, pp. 551–565, Springer, Berlin, Heidelberg, 2001. View at Publisher · View at Google Scholar - R. Lanotte, A. Maggiolo-Schettini, and A. Troina, “Automatic analysis of a non-repudiation protocol,”
*Electronic Notes in Theoretical Computer Science*, vol. 112, pp. 113–129, 2005. View at Publisher · View at Google Scholar · View at Scopus - Y. Guo, C. Lin, and H. Yin, “Formal proof of the IDOP-SP protocol based on the Petri Net,” in
*Proceedings of the IEEE International Conference on Networking, Architecture, and Storage (IEEE NAS '08)*, pp. 161–162, Chongqing, June 2008. View at Publisher · View at Google Scholar · View at Scopus - L. Chen and X. Li, “Cryptographic protocol logic for analyzing a variety of security properties and its formal semantics,”
*International Journal of Advancements in Computing Technology*, vol. 4, no. 9, pp. 283–293, 2012. View at Google Scholar - J. Dreier, P. Lafourcade, and Y. Lakhnech, “Formal verification of e-Auction protocols,” in
*Proceedings of the 2nd International Conference on Principles of Security and Trust*, pp. 247–266, Rome, Italy, 2013. - H. Zhang, “Analysis on authentication secrecy of non-repudiation protocols,” in
*Proceedings of the International Conference on Electrical and Electronics Engineering*, pp. 705–711, Wuhan, China, 2011. - G. Draper-Gil, J. Zhou, J. L. Ferrer-Gomila, and M. F. Hinarejos, “An optimistic fair exchange protocol with active intermediaries,”
*International Journal of Information Security*, vol. 12, no. 4, pp. 299–318, 2013. View at Google Scholar - S. Kremer and O. A. Markowitch, “Multi-party non-repudiation protocol,” in
*Proceedings of the 15th International Conference on Information Security*, pp. 271–280, Beijing, China, 2000. - J. Zhou, J. Onieva, and J. Lopez, “Optimized multi-party certified email protocols,”
*Information Management and Computer Security*, vol. 13, no. 5, pp. 350–366, 2005. View at Publisher · View at Google Scholar · View at Scopus - F. J. T. Fabrega, J. C. Herzog, and J. D. Guttman, “Strand spaces: Why is a security protocol correct,” in
*Proceedings of the IEEE Symposium on Security and Privacy*, pp. 160–171, Oakland, Calif, USA, 1998. - K. Kim, S. Park, and J. Baek, “Improving fairness and privacy of Zhou-Gollmanns fair non-repudiation protocol,” in
*Proceedings of the International Workshops on Parallel Processing*, pp. 140–145, IEEE Computer Society Press, 1999. View at Publisher · View at Google Scholar - J. Zhou and D. Gollmann, “Fair non-repudiation protocol,” in
*Proceedings of the 17th IEEE Symposium on Security and Privacy*, pp. 55–61, May 1996. View at Scopus

*
*