Fairness Analysis for Multiparty Nonrepudiation Protocols Based on Improved Strand Space

To address the problem of fairness analysis for multiparty nonrepudiation protocols, a new formal analysis method based on an improved strand space is presented. Building on strand space theory, the new method adds a signature operation, redefines the set of terms, the subterm relation, and the set of penetrator traces, and extends the assumption of free encryption. A formal definition of fairness in multiparty nonrepudiation protocols is given, together with a guideline for verifying it in the improved strand space. Finally, the fairness of the Kremer-Markowitch protocol is verified as an example, which indicates that the new method is suitable for analyzing the fairness of multiparty nonrepudiation protocols.


Introduction
As a crucial foundation for electronic commerce, nonrepudiation protocols provide nonrepudiation services for the interactions between network entities. Generally speaking, nonrepudiation protocols should provide security properties such as nonrepudiation, fairness, and timeliness, among which fairness is the most important. Nonrepudiation protocols usually involve one sender and multiple receivers.
Formal methods, theory, and supporting tools play an important role in the design, analysis, and verification of security-related and cryptographic protocols [1]. There are a number of approaches for analyzing security protocols; however, each one has its own limitations, since it can only analyze a certain class of protocols or security properties. When designing a security protocol, its security properties should be guaranteed as far as possible by applying several kinds of formal analysis methods. Currently, the formal analysis methods for nonrepudiation protocols can be divided into two classes.
(1) Belief logic method: in [2], Kailar first extended the BAN logic and applied it to the analysis of fairness of nonrepudiation protocols; the authors in [3,4] analyzed the fairness and timeliness of nonrepudiation protocols by using belief logic, respectively. In [5,6], the authors introduced alternating-time temporal logic for analyzing the fairness of nonrepudiation protocols. However, formal analysis based on the belief logic method only works under a lot of assumptions.
(2) State space method: the automatic analysis method with a protocol checker adopted in [7] and the Petri net method proposed in [8] both need to search the state space; when analyzing a complex space, human intervention is indispensable to both methods in case of state space explosion.
In recent years, some formal methods have been developed which are suitable for the analysis of nonrepudiation protocols; see, for example, [9][10][11]. However, fairness analysis for multi-party nonrepudiation protocols seems to be more complex, and only nonformal analysis for fairness, and so on, has been done by utilizing various typical kinds of nonrepudiation protocols in [12][13][14].
The theory of strand space is a proof technique based on induction and the free encryption assumption; furthermore, it can analyze a protocol of any size, neither constrained by the number of participating entities nor dependent on state space searching. Nevertheless, in the strand space theory, some cryptographic primitives, such as signature, lack a definition; therefore, it is not suitable for the analysis of the fairness of multi-party nonrepudiation protocols.
In this paper, the operation for signature in the strand space theorem is added and the set of terms, subterm relation, and the set of penetrator traces are redefined. The assumption of free encryption is extended in the new method. The formal definition of fairness in multi-party nonrepudiation protocols is given and the guideline to verify it based on improved strand space is presented. Finally, the fairness of multi-party nonrepudiation protocols is verified with an example of Kremer-Markowitch protocol, which indicates that the new method is suitable for analyzing the fairness of multi-party nonrepudiation protocols.

The Basic Notions of Strand Space [15]
A strand is a sequence of events that a single principal may engage in. Each individual strand is a sequence of message transmissions and receptions, with specific values of all data such as keys and nonces. One may think of a strand space as containing all the legitimate executions of the protocol expected within its useful lifetime, together with all the actions that a penetrator might apply to the messages contained in those executions, together with penetrator part strands. The basic notions of a strand space are as follows.
Consider a set , the elements of which are the possible messages that can be exchanged between principals in a protocol, and we will refer to the elements of as terms.
A strand space is a pair (Σ, tr) with a trace mapping tr: Σ → , in which Σ is the set of a strand; here, the strand can represent any sequences and be denoted by .

Definition 1.
A signed term is a pair ⟨ , ⟩ with ∈ and one of the symbols +, −. One will write a signed term as + or − ; (± ) is the set of finite sequences of signed terms.

Definition 2.
A strand space is a set Σ with a trace mapping tr: Σ → (± ).
Definition 3. Fix a strand space with the following steps.
(1) A node is a pair ⟨ , ⟩, with ∈ Σ and an integer satisfying 1 ≤ ≤ length (tr( )). The set of nodes is denoted by . One will say that the node ⟨ , ⟩ belongs to the strand . Clearly, every node belongs to a unique strand.
(3) If 1 , 2 ∈ , then 1 ⇒ 2 means that 1 , 2 occur on the same strand. It expresses that 1 is an immediate causal predecessor of 2 in the strand.
(4) An unsigned term occurs in ∈ if and only if ⫅ term ( ).
(5) is an unsigned term set, node ∈ is an entry point of , if and only if ( ) = + , and whenever precedes on the same strand, ⫅ term ( ).

A bundle is a portion of a strand space. It consists of a number of strands, legitimate or otherwise, hooked together where one strand sends a message and another strand receives that same message. Typically, for a protocol to be correct, each such bundle must contain one strand for each of the legitimate principals apparently participating in this session, all agreeing on the principals, nonces, and session keys. Penetrator strands or stray legitimate strands may also be entangled in a bundle, even in a correct protocol, but they should not prevent the legitimate parties from agreeing on the data values or from maintaining the secrecy of the values chosen.

(2) 2 ∈ Ω and term 2 is negative; thus, there exists a unique node 1 , so that 1 → Ω 2 ;
(3) 2 ∈ Ω and 1 ⇒ 1 , then 1 ⇒ Ω 2 .

The Improved Strand Space
In the basic theorem of strand space, only encryption and connection operation are defined for term set; however, neither the symmetric and asymmetric keys are distinguished nor the signature operation is defined. Nonrepudiation protocols are dependent on the cryptographic primitives of encryption and signature. Therefore, the basic strand space theorem is not suitable for analyzing the fairness of multiparty nonrepudiation protocols. In this paper, we redefine the term set as follows.
Definition 5. The term set satisfies the following conditions.
(1) ⊆ is a set of atomic messages.
(2) name ⊆ is the set of identifiers, ORT are used to denote origination party, receiving party and the trusted third party in our following discussions.
(3) ⊆ is the set of keys; and are nonintersect and inv: → is a monadic operator mapping one key of the key pair in the asymmetric cryptosystem to another and mapping the symmetric key to itself.
(4) is the set of asymmetric keys; one denotes the private key set as and public key as −1 .
(5) ⊂ is the set of symmetric keys; and are nonintersect and also nonintersect with −1 .
In this paper, we use the notation ( ), ℎ, and ( ) to denote the encryption of message by key , connection between and ℎ, and the signature of message by private key , respectively.
Due to the addition of the operation signature, relations of subterms are redefined as follows.
Definition 6. The recursion of subterm relations is defined as the minimum relation which satisfies the following relations:

The strand space theory builds a model of the actions of a penetrator and gives formal descriptions of the penetrator's basic operations; the penetrator's powers are mainly depicted by two ingredients, namely, a set of keys known initially to the penetrator and the capabilities to generate new messages from messages he receives.
The basic actions of the penetrator are characterized by a set of penetrator traces which are composed of the available atomic actions. Owing to the addition of operations such as signature, the penetrator traces are required to include atomic operations for signature and verification. The penetrator traces are redefined with the following forms.
(2) key: ⟨+ ⟩, ∈ ;
(3) concatenation: ⟨− , −ℎ, + ℎ⟩;
(4) separation into components: ⟨− ℎ, + , + ℎ⟩;

The assumption of free encryption stipulates that a ciphertext can be regarded as a ciphertext in just one way. After V and , the assumption of free encryption has been fully applied to different kinds of formal analysis methods.
In the basic strand space theory, is the algebra freely generated from and by the two operators, encryption and join. The following are some extensions of the assumption of free encryption due to the addition of the signature operation.

Definition of Fairness and Proof Line
Among the properties that nonrepudiation protocols possess, fairness is the most important one, and it includes two aspects: first, when the protocol is completed, the origination party has received the evidence of nonrepudiation from the receiving party, denoted by nrr , and the receiving party has received the evidence of nonrepudiation from the origination party, denoted by nro ; second, when the protocol is terminated abruptly, it should keep both sides of the communication equal, with neither side in a dominant position. Hence, we make the following formal definition of fairness.
Definition 8. If the origination party receives nrr if and only if the receiving party receives nro , then we say that the nonrepudiation protocols satisfy the fairness.
In the multi-party nonrepudiation protocols, there exist one origination party and multiple receiving parties, and in the process of protocol running, it is allowable that some receiving parties complete the protocols and the others terminate the protocols. If we denote the th receiver as , the th nonrepudiation evidence of receiving party as nrr , and the th nonrepudiation evidence of origination party as nro , then the fairness is defined as follows.
Definition 9. If the origination party receives nrr if and only if the receiving party receives nro , then one says that the nonrepudiation protocols satisfy the fairness.
We can consider the proof of fairness from two aspects: firstly, when origination party receives nrr , it is sure that the receiving party receives nro ; secondly, when origination party receives nro , then the receiving party certainly receives nrr . Hence, the conditions in Definition 9 are satisfied and the protocols are guaranteed to meet the fairness.
The proof steps of the fairness of multi-party nonrepudiation protocols by using the improved strand model are listed as follows.
(1) Build the strand model for multi-party nonrepudiation protocols.
(2) Prove that if there exists an originator strand in bundle Ω and the nodes in the strand contain term nrr , then there must exist a receiver strand whose nodes contain term nro .
(3) Prove that if there exists a receiver strand in bundle Ω and the nodes in the strand contain term nro , then there must exist an originator strand whose nodes contain term nrr .
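The following is an added illustration, not code from the paper: it models terms with the signature operation, a subterm test, and the Definition 9 condition checked over one finite bundle (a check of a single bundle, not the inductive proof). The class and function names, the subterm rule for signatures (keys are not subterms), and the two-receiver exchange are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class Cat:            # concatenation g h
    left: object
    right: object

@dataclass(frozen=True)
class Enc:            # encryption of body under key
    body: object
    key: str

@dataclass(frozen=True)
class Sig:            # signature of body under a private key (the added operation)
    body: object
    key: str

@dataclass(frozen=True)
class Strand:
    role: str         # "originator" or "receiver"
    party: str
    trace: tuple      # sequence of (sign, term); "+" is send, "-" is receive

def subterm(a, t):
    # Assumption: keys are not subterms, the classic strand-space convention,
    # applied here to Sig in the same way as to Enc.
    if a == t:
        return True
    if isinstance(t, Cat):
        return subterm(a, t.left) or subterm(a, t.right)
    if isinstance(t, (Enc, Sig)):
        return subterm(a, t.body)
    return False

def receives(strand, evidence):
    # Some negative node of the strand carries the evidence as a subterm.
    return any(s == "-" and subterm(evidence, t) for s, t in strand.trace)

def closed(bundle):
    # Bundle condition: every received term is sent by some positive node.
    sent = {t for st in bundle for s, t in st.trace if s == "+"}
    return all(t in sent for st in bundle for s, t in st.trace if s == "-")

def unfair_receivers(bundle, nro, nrr):
    # Definition 9, per receiver i: O receives nrr_i iff R_i receives nro_i.
    bad = []
    for i in sorted(nro):
        o_has = any(receives(st, nrr[i]) for st in bundle if st.role == "originator")
        r_has = any(receives(st, nro[i]) for st in bundle
                    if st.role == "receiver" and st.party == i)
        if o_has != r_has:
            bad.append(i)
    return bad

# Constructed toy exchange (no TTP), not the message formats of the paper's protocol.
c = Enc(Atom("m"), "k")
nro = {i: Sig(Cat(Atom(i), c), "sk_O") for i in ("R1", "R2")}
nrr = {i: Sig(Cat(Atom("O"), c), "sk_" + i) for i in ("R1", "R2")}
O = Strand("originator", "O", (("+", nro["R1"]), ("+", nro["R2"]), ("-", nrr["R1"])))
R1 = Strand("receiver", "R1", (("-", nro["R1"]), ("+", nrr["R1"])))
R2_abort = Strand("receiver", "R2", (("-", nro["R2"]),))  # takes nro_2, never replies
fair_bundle = [O, R1]                  # R2 never receives anything
unfair_bundle = [O, R1, R2_abort]
```

The second bundle shows the case the definition is meant to exclude: a receiver that holds the originator's evidence while the originator holds nothing in return.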

5.1. Protocol. protocol is a typical multi-party nonrepudiation protocol, and we denote the notation in the protocol as follows:
(1) , denotes origination party and the trusted third party TTP of protocols;
(2) = 1 ( 1 ), 2 ( 1 ), . . . : is the subset of and represents the receiver set which returns the valid evidence to , ∈ ;
(3) represents the unique identifier of the current running protocol;
(4) : message from to ;
(10) ( ) encrypts secret key by utilizing the group encryption mechanism, and only ∈ can decrypt and obtain ;
(11) = ( , , ): the evidence of signatured cryptograph from originator to ;
(12) = ( , , ): signatured cryptograph from originator to receives evidence; : a secret key is sent to from the signatured by TTP and the evidence received by from secret key .
Firstly, originator broadcasts and evidence 0 to the receiver set , and ∈ responds with evidence when it receives the messages, and then submits to the trusted third party with group encryption form ( ); finally, and can obtain ( ) and evidence from by obtaining operations.

5.2. Strand Space. The obtained operations in protocol can be regarded as the message can be always received by and from . Denote ( ) as the sign term of node and ( ) as the unsigned parts of ( ). The obtained operation can be defined as follows in the improved strand space.
strand space can be depicted with the following form.
Definition 11. Assuming that (Σ, ) is a penetrator strand space, if Σ is comprised of the following four kinds of strands, then one says that Σ is a strand space.
We say that the originator strand, receiver strand, and trusted third party strand are all regular strands, whose nodes are called regular nodes. Given a strand in Σ, we can determine uniquely from its form whether it is a penetrator strand, originator strand, receiver strand, or trusted third party strand. Therefore, there is no confusion in omitting of the strand space (Σ, ).

Analysis of Fairness of the Protocol. In order to prove that the protocol satisfies fairness, we need to prove the following two propositions.
Proposition 12. Assume the following conditions are true: (1) Σ is a strand space, Ω is a bundle in the Σ, and is an originator strand in 0 [ , , , , , , ] which includes the compositions and of ; (2) ∉ ; ∉ ; ∉ ( , , represent the private key of originator party, receiver party, and , respectively, and represents a private space known well by penetrator);
In the following section, we focus our attention on the proof of Proposition 12 in terms of a series of lemmas. Choose Σ, Ω, , , , , , , arbitrarily which satisfy the assumptions in Proposition 12. It is obvious that terms and are included in . The output value ( ) of node ⟨ , 1⟩ is denoted by 0 whose term is denoted by V 0 .
Summing up the above discussions, it is impossible that 3 is in only one penetrator strand. Therefore, 3 is a regular node.

Lemma 15.
Assume that 3 is on the regular strand ; then is a trusted third party of Ω.
Proof. Node 3 is a positive regular node containing terms with the form of ( , , , ). Among the whole regular nodes, only the second and third nodes of the trusted third strand consist of such terms; furthermore, 3 is the original node of ; hence, 3 is the second node of the trusted third party strand. It follows from the creditability of the trusted third party that there must exist the third strand of this strand; therefore, is the trusted third party strand of bundle Ω.
Proof. As = ( , , ( )). Assuming that term originates from 2 , we investigate the penetrator traces successively. With the similar proof of Lemma 14, we can conclude that 2 is the regular node.
Lemma 17. originates from regular node 0 .
Proof. As = ( , , ( )). It follows from the assumption that ⫅ 0 and 0 is positive. Since there is no predecessor in the strand which 0 locates, we can derive that originates from 0 .
Lemma 18. It is assumed that 2 is on the regular strand ; then there exists predecessor 1 of 2 in the and ⫅ ( 1 ).
Proof. Because ⫅ 2 , ¡ ¡ ⫅ 0 , we have 2 ̸ = 0 . It can be seen that originates from 0 ; together with condition (3) of Proposition 12, we have only original in the Σ; hence, does not originate from 2 . Furthermore, ⫅ ⫅ ( 2 ), then there must exist predecessor 1 of 2 in the strand to guarantee ⫅ ( 1 ).
Lemma 19. Regular strand consisting of 1 and 2 is a receiver strand in the bundle of Ω.
Proof. Nodes 1 and 2 in the regular strand satisfy the following properties: (1) 2 is a positive regular node; (2) 2 consists of a subterm with form of ( , , ( )); (3) 1 and 2 are predecessors in the strand ; and (4) ⫅ ( 1 ). Investigating the whole regular strands in the bundle of Ω, we found that only the first and the second nodes of the receiver strand satisfy the conditions listed above. Regular strand consisting of 1 and 2 is a receiver strand in the bundle of Ω. In addition, from Lemma 15 we can see that there exists a trusted third party to guarantee (⟨ , 3⟩) = + ( ) . According to Definition 10, there must exist a node in the receiver strand to make sure that ( ) = − ( ) , which is the third node in the receiver strand while investigating the receiver in bundle Ω.

Lemma 20. Receiver strand consists of terms and .
Proof. According to the definition of receiver strand in the strand space, obviously contains and .
Summing up the lemmas discussed above, we can derive that Proposition 12 is true.
To prove Proposition 13 along a similar proof line, we can first prove that there exists a trusted third party in the bundle Ω in terms of the original of , and then prove that there exists an originator strand in bundle Ω by using the original of , , .

Conclusions
It can be seen that some operations have not been defined in the basic strand space theorem such as signature. In this paper, we add the signature operation and redefine the term set, relations between subterms, and penetrator traces as well as extend the assumption of free encryption. Furthermore, the formal definition of fairness of multiparty nonrepudiation protocols is put forward. Idea and method of fairness analysis for multi-party nonrepudiation protocols based on improved strand space have been discussed in detail. Analyzing the fairness of protocol by using the analysis method based on improved strand space, we can conclude that protocol satisfies the fairness property, which shows that our improved strand space method is suitable for fairness analysis for multiparty nonrepudiation protocols. Kim's work [16] has revealed that protocol in [17] cannot meet the timeliness. Our further research topic would be to investigate the corresponding other properties for multi-party nonrepudiation protocols, such as nonrepudiation and/or timeliness. Consequently, it is an extension of our results and seems to be much more interesting and challenging.