The spi calculus
This presentation is the property of its rightful owner.
Sponsored Links
1 / 21

The Spi Calculus PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

The Spi Calculus. A Calculus for Cryptographic Protocols Presented By Ramesh Yechangunja. Introduction.

Download Presentation

The Spi Calculus

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

The spi calculus

The Spi Calculus

A Calculus for Cryptographic Protocols

Presented By

Ramesh Yechangunja



Developed by Martin Abadi and Andrew D.Gordon at the Systems Research Center, it is an extension of the Pi Calculus with cryptographic primitives designed for describing and analyzing cryptographic protocols.



  • Reliance on the powerful scoping constructs of the pi calculus

  • Radical definition of the environment as an arbitrary spi calculus process

  • Representation of security properties, both integrity and secrecy, as equivalences



  • Channels may be restricted, so that only certain processes may communicate on them. (Similar to CSP)

  • The scope of the restriction may change during computation. This is termed scope extrusion. (Different from the earlier process calculi)

The spi calculus

  • An output process ā‹N›.P is ready to output on channel a. If an interaction occurs, term N is communicated on a and then process P runs.

  • An input processa(x).P is ready to input from channel a. If an interaction occurs in which N is communicated on a, then process P[N/x] runs.

The spi calculus

  • A compositionP|Q behaves as processes P and Q running in parallel.

  • A restriction (vn)P is a process that makes a new, private name n, and then behaves as P.

  • A pair splitting process let (x,y) = M in P behaves as P[N/x][L/y] if term M is the pair (N,L). Otherwise, the process is stuck.

In addition spi calculus introduces primitives for shared key cryptography

In addition spi calculus introduces primitives for shared-key cryptography

  • The term {M}N represents the ciphertext obtained by encrypting M under the key N.

  • The process case L of {x}N in P attempts to decrypt the term L with the key N. If L is a ciphertext of the form {M}N, then the process behaves as P[M/x]. Otherwise, the process is stuck.

A first cryptographic example

A first cryptographic example

Consider two principals A and B that share a key KAB with a public channel cAB. The protocol is simply that A sends a message M under KAB to B, on cAB.

Message 1 A→B: {M}KABon cAB

In the spi calculus, we write

A(M) ≜ cAB‹{M}KAB ›

The spi calculus


B ≜ cAB(x).case x of {y}KAB in F(y)

Inst(M) ≜ (vK)(A(M)|B)

Security properties are expressed as equivalences. We use the following specification:

A(M) ≜ cAB‹{M}KAB ›

Bspec(M) ≜ cAB(x).case x of {y}KAB in F(M)

Instspec(M) ≜ (vKAB)(A(M)|Bspec(M))

The spi calculus


We obtain the properties:

Authenticity: Inst(M) ≃ Instspec(M), for all M

Secrecy: Inst(M) ≃ Inst(M’) if F(M) ≃ F(M’),

for all M,M’

An example with key establishment

An example with key establishment

We consider the Wide Mouthed Frog protocol.

1. New key KAB under KAS 2. New key KAB under KSB under new key KAB




The protocol is

The protocol is

Message 1 A→S: {KAB}KASon cAS

Message 2 S→B: {KAB}KSBon cSB

Message 3 A→B: {M}KABon cAB

In the spi calculus, we can express it as:

A(M) ≜ (vKAB)( cAS‹{KAB}KAS ›. cAB ‹{M}KAB ›)

S ≜ cAS(x).case x of {y}KAS in cSB ‹{y}KSB ›

B ≜ cSB(x).case x of {y}KSB in

cAB(z).case z of {w}y in F(w)

Inst(M) ≜ (vKAS) (vKSB)( A(M)|S|B)

A complete authentication example with a flaw

A complete authentication example ( with a flaw)

Consider a system with a server and n other principals. Each principal has an input channel which is public, namely, C1, C2,…,Cn and Cs. The server shares a pair of keys with each other principal, Ksi and Kis.

We extend the previous example to this n+1 principals:

Message 1 A→S: A,{B,KAB}KASon cS

Message 2 S→B: {A,KAB}KSBon cB

Message 3 A→B: A,{M}KABon cB

The spi calculus


An instance of the protocol is determined by a choice of parties and by the message sent i.e. an instance I is the triple (i,j,M).

i – source address

j - destination address

Given an instance (i,j,M), the following process corresponds to role of A:

Send(i,j,M) ≜ (vK)(cS‹(i,{j,K}KiS )›| cj‹(i,{M}K)›)

The following process corresponds to the role of B:

Recv(j) ≜ cj(ycipher).case ycipher of {xA,xkey}KSj in

cj(zA,zcipher).[xA, zA]

case zcipher of {zplain }xkeyin F(xA,j, zplain)

The spi calculus


The server S is the same for all instances:

S ≜ cj(xA,xcipher).

i1..n[xA is i] case xcipher of {xB,xkey}KiSin

j1..n[xB is j] cj ‹{xA,xkey}KS j ›

where i1..k Pi is the k-way composition

P1 |…|Pk

Finally we define a whole system, parameterized on a list of instances of the protocol:

Sys(I1,…, Im) ≜ (vKsi)(vKis)

(Send(I1) |…| Send(Im) |


!Recv(1) |…| !Recv(n) )

The spi calculus


Unfortunately, the protocol is vulnerable to a replay attack that invalidates the authenticity. An attacker can replay messages of one instance and get them mistaken for messages of the other instance.

A complete authentication example repaired

A complete authentication example (repaired)

The previous protocol is improved by adding nonce handshakes as protection against replay attacks.

The new protocol is:

Message 1 A→S: A on cS

Message 2 S→A: NSon cA

Message 3 A→S: A,{A,A,B,KAB, NS }KASon cS

Message 4 S→B: * on cB

Message 5 B→S: NBon cS

Message 6 S→B: {S,A,B,KAB, NB }KS Bon cB

Message 7 A→B: A,{M }KAB on cB

The spi calculus


In spi calculus, nonces are represented as newly created names.

Send(i,j,M) ≜ cS‹i›|

ci (xnonce).

(vK)(cS‹(i,{i,i,j,K,xnonce}KiS )›| cj‹(i,{M}K)›)

S ≜ cS(xA). i1..n[xA is i] (vNS) (ci‹NS›|

cS(x’A,xcipher).[x’A is i]

case xcipher of {yA,zA, xB, xkey, xnonce}KiSin

j1..n[yAis i][zA is i][xB is j][xnonce is NS]

(cj‹*›| cS (ynonce). cj‹{S,i,j, xkey,ynonce}KS j ›))

The spi calculus


Recv(j) ≜ cj(w). (vNB) (cS‹NB›|


case ycipher of {xS, xA, xB, xkey,ynonce} KS j in

j1..n[xSis S][xA is i][xB is j][ynonce is NB]

cj(zA,zcipher).[zA is xA]

case zcipher of {zplain }xkeyin F(i,j, zplain))

Sys(I1,…, Im) ≜ (vKsi)(vKis)

(Send(I1) |…| Send(Im) |


!Recv(1) |…| !Recv(n) )

The spi calculus


The authenticity property is obtained:

Sys(I1,…, Im) ≃ Sysspec(I1,…, Im)

for any instances I1,…, Im

This holds good because of the nonces.

Secrecy: Sys(I1,…, Im) ≃ Sysspec(J1,…, Jm)

if each pair (I1, J1 ),… (Im, Jm) is




  • Harder to write protocols but very detailed.

  • Main advantage is its formal precision

  • May not be a good tool for finding flaws but yields more convincing proofs of correctness

  • Protocols prone to attacks are developed without explicit specifications for an attacker. Such precise treatments have not been done before.

  • Login