Building and verifying a quasi-certification entity over - - PowerPoint PPT Presentation

• F. Kordon - Université P. & M. Curie - CC2016

Fabrice.Kordon@lip6.fr

Building and verifying a quasi-certification entity

• ver Distributed Hash Tables

Join work with X. Bonnaire, R. Cortes & O. Marin UPMC (France), UFSM (Chile), NYUS (China)

• F. Kordon - Université P. & M. Curie - CC2016

Certification, why?

Motivations

Digital filling for tax purpose

• Certify that somebody did it before a given deadline

Certified emails

• Use emails for legal purposes

Online game refereeing e-voting, etc.

2

• F. Kordon - Université P. & M. Curie - CC2016

Certification, why?

Motivations

Digital filling for tax purpose

• Certify that somebody did it before a given deadline

Certified emails

• Use emails for legal purposes

Online game refereeing e-voting, etc.

Existing Solutions

Centralized

• Public Key Infrastructures (traditional PKI)
• Scaling problem/prone to faults/implementation (atomic multicast)

Decentralized

• Certification on top of Distributed Hash Tables (DHT)
• Rapidly brings Byzantine consensus (for a 100.0% guarantee)

2

• F. Kordon - Université P. & M. Curie - CC2016

Certification, why?

Motivations

Digital filling for tax purpose

• Certify that somebody did it before a given deadline

Certified emails

• Use emails for legal purposes

Online game refereeing e-voting, etc.

Existing Solutions

Centralized

• Public Key Infrastructures (traditional PKI)
• Scaling problem/prone to faults/implementation (atomic multicast)

Decentralized

• Certification on top of Distributed Hash Tables (DHT)
• Rapidly brings Byzantine consensus (for a 100.0% guarantee)

2

Objective

( q u a s i )

• c

e r t i f y t h a t a g i v e n a c t i

• n

h a s b e e n p e r f

• r

m e d a t a c e r t a i n t i m e D i s t r i b u t e d c

• n

t e x t ( D H T )

• F. Kordon - Université P. & M. Curie - CC2016

DHT in a nutshell

Retrieve data (key + value)

put (v,k) get(k) → v

3

Figure 3.6.

• F. Kordon - Université P. & M. Curie - CC2016

DHT in a nutshell

Retrieve data (key + value)

put (v,k) get(k) → v

3

Figure 3.6.

a c c e s s i n l

• g

( n )

Totally decentralized + built)in redundancy for fault tolerance

• F. Kordon - Université P. & M. Curie - CC2016

DHT in a nutshell

Retrieve data (key + value)

put (v,k) get(k) → v

3

R

• t

n

• d

e

• F. Kordon - Université P. & M. Curie - CC2016

DHT in a nutshell

Retrieve data (key + value)

put (v,k) get(k) → v

3

R

• t

n

• d

e L e a f s e t

L c l

• s

e n

• d

e s ( + r

• t

)

• F. Kordon - Université P. & M. Curie - CC2016

DHT in a nutshell

Retrieve data (key + value)

put (v,k) get(k) → v

3

R

• t

n

• d

e L e a f s e t

L c l

• s

e n

• d

e s ( + r

• t

)

C l a s s i c a l v a l u e s f

• r

L

8 , 1 6 , 3 2 ( b e s t )

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — entities

A → an actor performing a service

4

A

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — entities

A → an actor performing a service S → leafset hash(service) offering the service

4

A S

1 - request init answers

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — entities

A → an actor performing a service S → leafset hash(service) offering the service

4

A S

1 - request init answers 2 - transaction End ack

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — entities

A → an actor performing a service S → leafset hash(service) offering the service C → certification authority leafset hash(A/service)

4

A S

1 - request init answers 2 - transaction End ack

C

3 - transaction ack

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — entities

A → an actor performing a service S → leafset hash(service) offering the service C → certification authority leafset hash(A/service)

4

A S

1 - request init answers 2 - transaction End ack

C

3 - transaction ack Certificate Log Entry 4 - certificate generation

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — protocol structure

5

A S C

5

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — protocol structure

5

A S C

A requests cert. service ack cert. service A requests leaf set receive leaf set

5

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — protocol structure

5

A S C

A requests cert. service ack cert. service A requests leaf set receive leaf set

the service

5

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — protocol structure

5

A S C

A requests cert. service ack cert. service A requests leaf set receive leaf set

the service

nodes ack transaction nodes request leaf set nodes receive leaf set

5

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — protocol structure

5

A S C

A requests cert. service ack cert. service A requests leaf set receive leaf set

the service

nodes ack transaction nodes request leaf set nodes receive leaf set

}

1: A & S secure exchanges

}3: S get trustset from C }

2: exchanges to perform the service

}

4: C elaborates the side certificate

5

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — protocol structure

5

A S C

A requests cert. service ack cert. service A requests leaf set receive leaf set

the service

nodes ack transaction nodes request leaf set nodes receive leaf set

}

1: A & S secure exchanges

}3: S get trustset from C }

2: exchanges to perform the service

}

4: C elaborates the side certificate

5

M a j

• r

i t y

⇒ L/2+1 answers

• F. Kordon - Université P. & M. Curie - CC2016

Quasi-certification — protocol structure

5

A S C

A requests cert. service ack cert. service A requests leaf set receive leaf set

the service

nodes ack transaction nodes request leaf set nodes receive leaf set

}

1: A & S secure exchanges

}3: S get trustset from C }

2: exchanges to perform the service

}

4: C elaborates the side certificate

5

D i v e r s i t y r

• u

t i n g

To serre the leafset

M a j

• r

i t y

⇒ L/2+1 answers

• F. Kordon - Université P. & M. Curie - CC2016

The verification process

Proof (by any method?)

Proven to be undecidable [FLP 85]

6

• F. Kordon - Université P. & M. Curie - CC2016

The verification process

Proof (by any method?)

Proven to be undecidable [FLP 85]

So what?

Being pragmatic Going for «quasi»

6

• F. Kordon - Université P. & M. Curie - CC2016

The verification process

Proof (by any method?)

Proven to be undecidable [FLP 85]

So what?

Being pragmatic Going for «quasi»

Two steps

• 1. modeling the protocol in a perfect world (no error)

Use of Petri nets

• 2. Probabilistic analysis to evaluate the failure rate

Use of a classical fault model, building a formula + numeric evaluation

6

• F. Kordon - Université P. & M. Curie - CC2016

Hypotheses

H1: perfect world H2: service reduced to 1 interaction H3: L+1 answer requested instead of L/2+1

• Symmetric net with Bags?

Modeling the protocol (step 1)

7

• F. Kordon - Université P. & M. Curie - CC2016

Modeling the protocol (step 1)

7

T y p e s a n d v a r i a b l e s

t y p e t s i d i s . . L ; t y p e t s i d x t s i d i s < t s i d , t s i d > ; v a r i i n t s i d ;

• F. Kordon - Université P. & M. Curie - CC2016

Modeling the protocol (step 1)

7

Types and variables

type tsid is 0..L; type tsidxtsid is <tsid, tsid>; var i in tsid;

<i> <i> <i> <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS3 malS2 malS1 malA3 malA4 malA2 malA1 n4 n3 n2 n1 Sstart s2 s3 SsendTS SackCS AackCS AreqCS AgetTS AreqTS a4 a3 a2 a1 Astart

• F. Kordon - Université P. & M. Curie - CC2016

Modeling the protocol (step 1)

7

Types and variables

type tsid is 0..L; type tsidxtsid is <tsid, tsid>; var i in tsid;

<i> <i> <i> <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS3 malS2 malS1 malA3 malA4 malA2 malA1 n4 n3 n2 n1 Sstart s2 s3 SsendTS SackCS AackCS AreqCS AgetTS AreqTS a4 a3 a2 a1 Astart <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS4 malS3 malA5 malA4 SstopAbort AstopAbort n6 n5 s3 s4 Sperform AendCS AstartCS a5 a4 AstopOK

• F. Kordon - Université P. & M. Curie - CC2016

Modeling the protocol (step 1)

7

Types and variables

type tsid is 0..L; type tsidxtsid is <tsid, tsid>; var i in tsid;

<i> <i> <i> <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS3 malS2 malS1 malA3 malA4 malA2 malA1 n4 n3 n2 n1 Sstart s2 s3 SsendTS SackCS AackCS AreqCS AgetTS AreqTS a4 a3 a2 a1 Astart <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS4 malS3 malA5 malA4 SstopAbort AstopAbort n6 n5 s3 s4 Sperform AendCS AstartCS a5 a4 AstopOK <i> <i> <tsid.all, i> <i> <i> <i> <i> <tsid.all, i> <i, tsid.all> <i, tsid.all> <tsid.all, i> <i, tsid.all> <i> <i> <i> <i> <i> <i> <i> <i> malicious_reservoir malC1 malS6 malS5 malS4 CstopAbort SstopAbort n9 n8 n7 CgenCertif CsendTS1 c1 Cstart s4 s5 s6 SstopOK SreqTS SgetTS ScertCS CstopOK

• F. Kordon - Université P. & M. Curie - CC2016

Modeling the protocol (step 1)

7

Types and variables

type tsid is 0..L; type tsidxtsid is <tsid, tsid>; var i in tsid;

<i> <i> <i> <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS3 malS2 malS1 malA3 malA4 malA2 malA1 n4 n3 n2 n1 Sstart s2 s3 SsendTS SackCS AackCS AreqCS AgetTS AreqTS a4 a3 a2 a1 Astart <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS4 malS3 malA5 malA4 SstopAbort AstopAbort n6 n5 s3 s4 Sperform AendCS AstartCS a5 a4 AstopOK <i> <i> <tsid.all, i> <i> <i> <i> <i> <tsid.all, i> <i, tsid.all> <i, tsid.all> <tsid.all, i> <i, tsid.all> <i> <i> <i> <i> <i> <i> <i> <i> malicious_reservoir malC1 malS6 malS5 malS4 CstopAbort SstopAbort n9 n8 n7 CgenCertif CsendTS1 c1 Cstart s4 s5 s6 SstopOK SreqTS SgetTS ScertCS CstopOK

• F. Kordon - Université P. & M. Curie - CC2016

Modeling the protocol (step 1)

7

Types and variables

type tsid is 0..L; type tsidxtsid is <tsid, tsid>; var i in tsid;

<i> <i> <i> <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS3 malS2 malS1 malA3 malA4 malA2 malA1 n4 n3 n2 n1 Sstart s2 s3 SsendTS SackCS AackCS AreqCS AgetTS AreqTS a4 a3 a2 a1 Astart <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS4 malS3 malA5 malA4 SstopAbort AstopAbort n6 n5 s3 s4 Sperform AendCS AstartCS a5 a4 AstopOK <i> <i> <tsid.all, i> <i> <i> <i> <i> <tsid.all, i> <i, tsid.all> <i, tsid.all> <tsid.all, i> <i, tsid.all> <i> <i> <i> <i> <i> <i> <i> <i> malicious_reservoir malC1 malS6 malS5 malS4 CstopAbort SstopAbort n9 n8 n7 CgenCertif CsendTS1 c1 Cstart s4 s5 s6 SstopOK SreqTS SgetTS ScertCS CstopOK

• <tsid.all>

• F. Kordon - Université P. & M. Curie - CC2016

Modeling the protocol (step 1)

7

Types and variables

type tsid is 0..L; type tsidxtsid is <tsid, tsid>; var i in tsid;

<i> <i> <i> <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS3 malS2 malS1 malA3 malA4 malA2 malA1 n4 n3 n2 n1 Sstart s2 s3 SsendTS SackCS AackCS AreqCS AgetTS AreqTS a4 a3 a2 a1 Astart <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS4 malS3 malA5 malA4 SstopAbort AstopAbort n6 n5 s3 s4 Sperform AendCS AstartCS a5 a4 AstopOK <i> <i> <tsid.all, i> <i> <i> <i> <i> <tsid.all, i> <i, tsid.all> <i, tsid.all> <tsid.all, i> <i, tsid.all> <i> <i> <i> <i> <i> <i> <i> <i> malicious_reservoir malC1 malS6 malS5 malS4 CstopAbort SstopAbort n9 n8 n7 CgenCertif CsendTS1 c1 Cstart s4 s5 s6 SstopOK SreqTS SgetTS ScertCS CstopOK

• <tsid.all>

Px ●

• F. Kordon - Université P. & M. Curie - CC2016

Modeling the protocol (step 1)

7

<i> <i> <i> <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS3 malS2 malS1 malA3 malA4 malA2 malA1 n4 n3 n2 n1 Sstart s2 s3 SsendTS SackCS AackCS AreqCS AgetTS AreqTS a4 a3 a2 a1 Astart <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS4 malS3 malA5 malA4 SstopAbort AstopAbort n6 n5 s3 s4 Sperform AendCS AstartCS a5 a4 AstopOK <i> <i> <tsid.all, i> <i> <i> <i> <i> <tsid.all, i> <i, tsid.all> <i, tsid.all> <tsid.all, i> <i, tsid.all> <i> <i> <i> <i> <i> <i> <i> <i> malicious_reservoir malC1 malS6 malS5 malS4 CstopAbort SstopAbort n9 n8 n7 CgenCertif CsendTS1 c1 Cstart s4 s5 s6 SstopOK SreqTS SgetTS ScertCS CstopOK

Fok = |SstopOK| = L + 1 ∧ |CstopOK| = L + 1

Fok = |SstopOK| > L 2 ∧ |CstopOK| > L 2

• F. Kordon - Université P. & M. Curie - CC2016

Modeling the protocol (step 1)

7

<i> <i> <i> <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS3 malS2 malS1 malA3 malA4 malA2 malA1 n4 n3 n2 n1 Sstart s2 s3 SsendTS SackCS AackCS AreqCS AgetTS AreqTS a4 a3 a2 a1 Astart <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS4 malS3 malA5 malA4 SstopAbort AstopAbort n6 n5 s3 s4 Sperform AendCS AstartCS a5 a4 AstopOK <i> <i> <tsid.all, i> <i> <i> <i> <i> <tsid.all, i> <i, tsid.all> <i, tsid.all> <tsid.all, i> <i, tsid.all> <i> <i> <i> <i> <i> <i> <i> <i> malicious_reservoir malC1 malS6 malS5 malS4 CstopAbort SstopAbort n9 n8 n7 CgenCertif CsendTS1 c1 Cstart s4 s5 s6 SstopOK SreqTS SgetTS ScertCS CstopOK

Fok = |SstopOK| = L + 1 ∧ |CstopOK| = L + 1 Fabort = |SstopAbort| > 0 ∨ |CstopAbort| > 0

Fabort = |SstopAbort| > L 2 ∨ |CstopAbort| > L 2

• F. Kordon - Université P. & M. Curie - CC2016

Modeling the protocol (step 1)

7

<i> <i> <i> <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS3 malS2 malS1 malA3 malA4 malA2 malA1 n4 n3 n2 n1 Sstart s2 s3 SsendTS SackCS AackCS AreqCS AgetTS AreqTS a4 a3 a2 a1 Astart <i> <i> <i> <i> <tsid.all> <i> <tsid.all> <i> <i> malicious_reservoir malS4 malS3 malA5 malA4 SstopAbort AstopAbort n6 n5 s3 s4 Sperform AendCS AstartCS a5 a4 AstopOK <i> <i> <tsid.all, i> <i> <i> <i> <i> <tsid.all, i> <i, tsid.all> <i, tsid.all> <tsid.all, i> <i, tsid.all> <i> <i> <i> <i> <i> <i> <i> <i> malicious_reservoir malC1 malS6 malS5 malS4 CstopAbort SstopAbort n9 n8 n7 CgenCertif CsendTS1 c1 Cstart s4 s5 s6 SstopOK SreqTS SgetTS ScertCS CstopOK

Fabort Fok AF( ∨ ))

Fok = |SstopOK| = L + 1 ∧ |CstopOK| = L + 1 Fabort = |SstopAbort| > 0 ∨ |CstopAbort| > 0

• F. Kordon - Université P. & M. Curie - CC2016

Verifying the perfect world

About the complexity of the state space

Roughly 10L states 1 state= 13 int + 17 multistep ⇒ memory problem to check for L=32

8

1 E + 2 1 E + 4 1 E + 6 1 E + 8 1 E + 1 1 E + 1 2 1 E + 1 4 1 E + 1 6 1 E + 1 8 1 E + 2 1 E + 2 2 2 4 6 8 1 1 2 1 4 1 6 1 8 2 2 2 N u m b e r

• f

s t a t e s L e a f s e t s i z e

Size of the state space Reachability graph

• Symb. reach. graph

• F. Kordon - Université P. & M. Curie - CC2016

Verifying the perfect world

About the complexity of the state space

Roughly 10L states 1 state= 13 int + 17 multistep ⇒ memory problem to check for L=32

GreatSPN (use of symmetries)

L=24 fails after 11h45mn of CPU (costly canonisation function)

• Implementation limit = size of a hash table

8

1 E + 2 1 E + 4 1 E + 6 1 E + 8 1 E + 1 1 E + 1 2 1 E + 1 4 1 E + 1 6 1 E + 1 8 1 E + 2 1 E + 2 2 2 4 6 8 1 1 2 1 4 1 6 1 8 2 2 2 N u m b e r

• f

s t a t e s L e a f s e t s i z e

Size of the state space Reachability graph

• Symb. reach. graph

• F. Kordon - Université P. & M. Curie - CC2016

Verifying the perfect world

About the complexity of the state space

Roughly 10L states 1 state= 13 int + 17 multistep ⇒ memory problem to check for L=32

GreatSPN (use of symmetries)

L=24 fails after 11h45mn of CPU (costly canonisation function)

• Implementation limit = size of a hash table

PNXDD (decision diagrams + variable ordering)

Unfolding to P/T nets L=10 fails after 3h20mn (memory overflow > 16GB)

8

• F. Kordon - Université P. & M. Curie - CC2016

Verifying the perfect world

About the complexity of the state space

Roughly 10L states 1 state= 13 int + 17 multistep ⇒ memory problem to check for L=32

GreatSPN (use of symmetries)

L=24 fails after 11h45mn of CPU (costly canonisation function)

• Implementation limit = size of a hash table

PNXDD (decision diagrams + variable ordering)

Unfolding to P/T nets L=10 fails after 3h20mn (memory overflow > 16GB)

ITS-Tools (hierarchical decision diagrams)

Completed for L=32 in less than one minute

• Handling of symmetries in the system by means of a dedicated encoding

8

• F. Kordon - Université P. & M. Curie - CC2016

Verifying the perfect world

8

http://cosyverif.org

• F. Kordon - Université P. & M. Curie - CC2016

Probabilistic analysis (step 2)

Classical approach of the domain

Based on p, probability of node failure

• Hypotheses required
• Diversity routing to avoid coalitions

9

• F. Kordon - Université P. & M. Curie - CC2016

Probabilistic analysis (step 2)

Classical approach of the domain

Based on p, probability of node failure

• Hypotheses required
• Diversity routing to avoid coalitions

Origin of problems

Source 1 → failure of the protocol

• No answer to A + no ack to A
• Interactions between A, S (leafset)

Source 2 → inappropriate certificate

• Lost of a certificate (inconsistency)
• Interactions between S (leafset) and C (leafset)

9

• F. Kordon - Université P. & M. Curie - CC2016

Probabilistic analysis (step 2)

Classical approach of the domain

Based on p, probability of node failure

• Hypotheses required
• Diversity routing to avoid coalitions

Origin of problems

Source 1 → failure of the protocol

• No answer to A + no ack to A
• Interactions between A, S (leafset)

Source 2 → inappropriate certificate

• Lost of a certificate (inconsistency)
• Interactions between S (leafset) and C (leafset)

9

N u m e r i c a l a p p l i c a t i

• n

s

p = . 3 ( « u n t r u s t e d » ) 
 P = . 5 ( « t r u s t e d » )

• F. Kordon - Université P. & M. Curie - CC2016

Formulas and experimental values

Protocol failure

More that L/2 nodes are malicious The formula:

10

PL+1

i=1

L+1

i

• pi(1 − p)L+1−i − P L

2 i=1

L+1

i

• pi(1 − p)L+1−i

at most L+1 malicious nodes at most L/2 malicious nodes

⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠ ⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠

• F. Kordon - Université P. & M. Curie - CC2016

Formulas and experimental values

Protocol failure

More that L/2 nodes are malicious The formula:

10

PL+1

i=1

L+1

i

• pi(1 − p)L+1−i − P L

2 i=1

L+1

i

• pi(1 − p)L+1−i

at most L+1 malicious nodes at most L/2 malicious nodes

⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠ ⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠

L DHT - p = 0.3 CORPS - p = 0.05 8 0.188 6.64 × 10−5 16 0.079 6.57 × 10−8 32 0.016 8.24 × 10−14 TABLE 3. Probability o

• F. Kordon - Université P. & M. Curie - CC2016

Formulas and experimental values

Protocol failure

More that L/2 nodes are malicious The formula:

Inappropriate certificate generation

Two parts

• Existence of more L/2 malicious nodes
• Unable to retrieve at least L/2 + 1 identical answers

The formula (combines problems between S and C)

10

PL+1

i=1

L+1

i

• pi(1 − p)L+1−i − P L

2 i=1

L+1

i

• pi(1 − p)L+1−i

at most L+1 malicious nodes at most L/2 malicious nodes

⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠ ⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠

L DHT - p = 0.3 CORPS - p = 0.05 8 0.188 6.64 × 10−5 16 0.079 6.57 × 10−8 32 0.016 8.24 × 10−14 TABLE 3. Probability o

1 − (1 − P> L

2 )2

• F. Kordon - Université P. & M. Curie - CC2016

Formulas and experimental values

Protocol failure

More that L/2 nodes are malicious The formula:

Inappropriate certificate generation

Two parts

• Existence of more L/2 malicious nodes
• Unable to retrieve at least L/2 + 1 identical answers

The formula (combines problems between S and C)

10

PL+1

i=1

L+1

i

• pi(1 − p)L+1−i − P L

2 i=1

L+1

i

• pi(1 − p)L+1−i

at most L+1 malicious nodes at most L/2 malicious nodes

⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠ ⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠

L DHT - p = 0.3 CORPS - p = 0.05 8 0.188 6.64 × 10−5 16 0.079 6.57 × 10−8 32 0.016 8.24 × 10−14 TABLE 3. Probability o

1 − ⇣ 1 − PL+1

i=1

L+1

i

• pi(1 − p)L+1−i + P L

2

i=1

L+1

i

• pi(1 − p)L+1−i⌘2

1 − (1 − P> L

2 )2

• F. Kordon - Université P. & M. Curie - CC2016

Formulas and experimental values

Protocol failure

More that L/2 nodes are malicious The formula:

Inappropriate certificate generation

Two parts

• Existence of more L/2 malicious nodes
• Unable to retrieve at least L/2 + 1 identical answers

The formula (combines problems between S and C)

10

PL+1

i=1

L+1

i

• pi(1 − p)L+1−i − P L

2 i=1

L+1

i

• pi(1 − p)L+1−i

at most L+1 malicious nodes at most L/2 malicious nodes

⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠ ⎞ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎠

L DHT - p = 0.3 CORPS - p = 0.05 8 0.188 6.64 × 10−5 16 0.079 6.57 × 10−8 32 0.016 8.24 × 10−14 TABLE 3. Probability o

1 − ⇣ 1 − PL+1

i=1

L+1

i

• pi(1 − p)L+1−i + P L

2

i=1

L+1

i

• pi(1 − p)L+1−i⌘2

1 − (1 − P> L

2 )2

L DHT - p = 0.3 CORPS - p = 0.05 8 0.216 4.97 × 10−4 16 0.075 3.50 × 10−8 32 0.014 4.24 × 10−13

• F. Kordon - Université P. & M. Curie - CC2016

Conclusion

Quasi-certification entity (elaboration + verification)

Low probability of failure + Good message complexity (not discussed)

11

• F. Kordon - Université P. & M. Curie - CC2016

Conclusion

Quasi-certification entity (elaboration + verification)

Low probability of failure + Good message complexity (not discussed)

11

Application to digital tax filling in France

• 36.5 M revenues declarations (in 2012)
• a wrong tax certificate every 5132 years
• lost of a tax certificate every 997 years

• F. Kordon - Université P. & M. Curie - CC2016

Conclusion

Quasi-certification entity (elaboration + verification)

Low probability of failure + Good message complexity (not discussed)

3 years of work (details recently fixed)

• Work partially published in TrustCom’2013
• Without formal proof (there was yet glitches details with hypotheses)

11

Application to digital tax filling in France

• 36.5 M revenues declarations (in 2012)
• a wrong tax certificate every 5132 years
• lost of a tax certificate every 997 years

• F. Kordon - Université P. & M. Curie - CC2016

Conclusion

Quasi-certification entity (elaboration + verification)

Low probability of failure + Good message complexity (not discussed)

3 years of work (details recently fixed)

• Work partially published in TrustCom’2013
• Without formal proof (there was yet glitches details with hypotheses)

Realistic problem with applicability to e-government

Probably numerous applications in the future The model is now a metric for the Model Checking Contest Potential applicability for Symmetric Nets with Bags

• Excellent playground for this type of problems

11

Application to digital tax filling in France

• 36.5 M revenues declarations (in 2012)
• a wrong tax certificate every 5132 years
• lost of a tax certificate every 997 years