ProNoBiS Activities in Verona
Roberto Segala, University of Verona
with Augusto Parma and Andrea Turrini
ProNoBiS meeting, Paris, May 21 2006

List of Activities
• Comparative semantics
  – Alternating and non-alternating models
  – Simulation and bisimulation relations
• Logical characterizations
  – Extensions of HM logic
• Non-discrete measures
  – Stochastic Transition Systems
• Verification of crypto protocols
  – Task-based PIOAs
    • Oblivious transfer
  – Approximate simulations
    • Authentication, matching conversations

Probabilistic Automata (NA)
NA = (Q, q0, E, H, D)
• States: Q
• Initial state: q0 ∈ Q
• External actions: E, with E ∩ H = ∅
• Internal (hidden) actions: H
• Transition relation: D ⊆ Q × (E ∪ H) × Disc(Q)

Alternating vs. non-alternating
[Figure: one example drawn in each of the three models NA, A and SA, with actions flip and beep, probabilistic branches .2/.8 and .7/.3, and outcomes h and t.]

Relations between models
• Embeddings (E)
  – SA as an instance of A and of NA
  – A as an instance of NA
  – Embeddings as structure restrictions
• Transformations (T)
  – Folkloristic ways to represent the same object within the three models

Strong Bisimulation of NA
Strong bisimulation between A1 and A2 [LS89]
Relation R ⊆ Q × Q, Q = Q1 ∪ Q2, such that
• q0 R s0
• ∀ q, s, a, µ ∃ µ′: if q R s and q –a→ µ, then s –a→ µ′ and µ R µ′
where µ R µ′ ⇔ ∀ C ∈ Q/R . µ(C) = µ′(C)
[Figure: example automata over states q0 to q4 and s0, s1, s3 with actions a and b.]

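The definition above can be checked mechanically on finite automata. The following is an added example, not taken from the slides: a partition-refinement computation of the coarsest strong bisimulation, run on constructed automata; the function names and the sample states q*, s*, t* are assumptions.

```python
from fractions import Fraction as F

# Constructed sample: three automata sharing one transition list.
# Each entry is (state, action, distribution over target states).
STATES = ["q0", "q1", "q2", "q3", "q4", "s0", "s1", "s3", "t0", "t1", "t2", "t3"]
TRANS = [
    ("q0", "a", {"q1": F(1, 2), "q2": F(1, 2)}),
    ("q1", "b", {"q3": F(1)}),
    ("q2", "b", {"q4": F(1)}),
    ("s0", "a", {"s1": F(1)}),
    ("s1", "b", {"s3": F(1)}),
    ("t0", "a", {"t1": F(1, 2), "t2": F(1, 2)}),  # t2 cannot do b
    ("t1", "b", {"t3": F(1)}),
]

def coarsest_strong_bisimulation(states, trans):
    """Return {state: block id} for the coarsest R with the transfer property."""
    block = {q: 0 for q in states}  # start with every pair of states related
    while True:
        def lifted(mu):
            # mu seen on Q/R: the mass mu(C) of every block C it touches
            mass = {}
            for q, p in mu.items():
                mass[block[q]] = mass.get(block[q], 0) + p
            return frozenset(mass.items())
        # Two states stay related only if they were related before and
        # offer the same set of (action, lifted distribution) pairs.
        sig = {q: (block[q],
                   frozenset((a, lifted(mu)) for s, a, mu in trans if s == q))
               for q in states}
        ids = {}
        refined = {q: ids.setdefault(sig[q], len(ids)) for q in states}
        if len(ids) == len(set(block.values())):
            return refined  # no block was split: fixed point reached
        block = refined

def bisimilar(q0, s0, states=STATES, trans=TRANS):
    """Start states are bisimilar iff they end up in the same block."""
    blocks = coarsest_strong_bisimulation(states, trans)
    return blocks[q0] == blocks[s0]
```

Probabilities are exact fractions so that the test µ(C) = µ′(C) is not affected by floating-point rounding.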
Bisimulation Literature
In the literature there are also
• Strong bisimulation of Hansson on SA
  – Relates only nondeterministic states
• Strong bisimulation of Philippou on A
  – Relates all states
  – Probabilistic states are a technicality
• Weak bisimulation of Philippou on A
  – Relates all states
  – Probabilistic states are meaningful
  – Uses conditional probabilities on self loops

Taxonomy: Nondeterministic typology N
• Based on Transformations
• Check bisimilarity of images in NA
[Figure: A1 and A2, taken from SA or A, are mapped by T to T(A1) and T(A2) in NA; the question A1 ~N A2 is answered by checking T(A1) ~ T(A2).]

Taxonomy: Mixed typology M
• Based on Embeddings
• Check bisimilarity of images in NA
[Figure: A1 and A2, taken from SA or A, are mapped by E to E(A1) and E(A2) in NA; the question A1 ~M A2 is answered by checking E(A1) ~ E(A2).]

Taxonomy and Literature [Segala, Turrini]
[Table, layout lost in extraction: Equivalences SA A N ~ N Strong ~ M ~ ~ Weak ≈ ≈ p M]

Logical Characterizations [Parma, Segala]
• Logic: true | ¬φ | φ∧φ | ◊a φ | [φ]p
• Semantics: µ satisfies a formula
  – ◊a φ: for each q in the support of µ there is a transition (q, a, µ′) such that µ′ |= φ
  – [φ]p: µ({q | q |= φ}) ≥ p
• Observation: ◊ p a φ corresponds to ◊a [φ]p

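The semantics above can be run directly on a finite automaton. This evaluator is an added example, not code from the slides; it assumes that a state q satisfies φ exactly when the point distribution on q does, and the tuple encoding of formulas, the name sat and the coin automaton COIN are constructed for illustration.

```python
from fractions import Fraction as F

# Constructed automaton: (state, action, distribution) triples.
# State u offers two nondeterministic flip transitions; only h can beep.
COIN = [
    ("u", "flip", {"h": F(2, 10), "t": F(8, 10)}),
    ("u", "flip", {"h": F(7, 10), "t": F(3, 10)}),
    ("h", "beep", {"done": F(1)}),
]
TRUE = ("true",)

def sat(mu, phi, trans=COIN):
    """Does the distribution mu (dict state -> probability) satisfy phi?"""
    op = phi[0]
    if op == "true":
        return True
    if op == "not":
        return not sat(mu, phi[1], trans)
    if op == "and":
        return sat(mu, phi[1], trans) and sat(mu, phi[2], trans)
    if op == "dia":
        # every state in the support needs some a-transition whose
        # target distribution satisfies the subformula
        _, a, sub = phi
        return all(
            any(sat(m2, sub, trans) for s, b, m2 in trans if s == q and b == a)
            for q, p in mu.items() if p > 0)
    if op == "prob":
        # mass of the states satisfying the subformula must reach the bound;
        # a state is tested through its point distribution (assumption)
        _, sub, bound = phi
        return sum(p for q, p in mu.items()
                   if sat({q: F(1)}, sub, trans)) >= bound
    raise ValueError("unknown operator: %r" % (op,))

def flip_then_beep(bound):
    """Formula of the shape 'dia a [phi]p' from the observation on the slide."""
    return ("dia", "flip", ("prob", ("dia", "beep", TRUE), bound))
```

Starting from the point distribution on u, the formula holds for bound 1/2 through the second flip transition (mass 7/10 on h) and fails for bound 4/5, since no flip transition puts that much mass on a state that can beep.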
Stochastic Transition Systems [Cattani, Segala, Kwiatkowska, Norman]
ST = (Q, q0, E, H, F_Q, F_A, D)
• States: Q
• Initial state: q0 ∈ Q
• External actions: E, with E ∩ H = ∅
• Internal (hidden) actions: H
• σ-field on states: F_Q
• σ-field on actions: F_A
• Transition relation: D ⊆ Q × (E ∪ H) × P(Q, F_Q)

STS: Problems
• Not all schedulers lead to measurability
  – Let X ⊆ [0,1] be non-measurable
  – Choose x uniformly in [0,1]
  – Schedule a only if x ∈ X
  – What is the probability of ◊a?
• Define measurable schedulers
  – From F_EXEC to F_A × Q
  – Then we obtain Markov kernels
• Markov kernels preserved by projection
  – Important for modular reasoning
• How about bisimulation?

UC-Security [Canetti]
[Figure: an Environment (∀) compares (?) the Real protocol with an Adversary (∀) against the Ideal functionality with a Simulator (∃).]

UC-Security with PIOAs [Canetti, Cheung, Kaynar, Liskov, Lynch, Pereira, Segala]
[Figure: the UC-Security diagram again, with boxes Environment (∀), Adversary (∀), Real protocol, Simulator, Ideal functionality and an additional Adversary box on the ideal side; quantifiers ∃ and ∀, comparison marked "?".]

Oblivious Transfer [Canetti, Cheung, Kaynar, Liskov, Lynch, Pereira, Segala]
[Figure: boxes labelled Real protocol, Adversary, Protocol, Random bit, Hard core predicate, Simulator and Ideal functionality.]

Approximate Simulations [Segala, Turrini]
Given {A_k} and {B_k}, consider {R_k}, R ⊆ Q_Ak × Q_Ak
For each c ∈ N, p ∈ Poly, exists k̄ ∈ N, for each k > k̄, ε > 0, µ1, µ2
If
• µ1 reached in at most p(k) steps
• µ1 L(R_k, ε) µ2
• µ1 → µ1′
Then
• µ2 → µ2′
• µ1′ L(R_k, ε + k^-c) µ2′
where µ1 L(R, ε) µ2 means
• µ1 = (1-ε) µ1′ + ε µ1″
• µ2 = (1-ε) µ2′ + ε µ2″
• µ1′ L(R) µ2′

Implications on executions
Let {R_k} be an approximate simulation from {A_k} to {B_k}
For each c ∈ N, p ∈ Poly, exists k̄ ∈ N, for each k > k̄, µ1
If
• µ1 is reachable in A_k in p(k) steps
Then exists µ2
• µ2 reachable in B_k in p(k) steps
• µ1 L(R, p(k) k^-c) µ2

Application to Authentication: Matching Conversation
• Specification
  – Actual protocol
  – States keep history
  – Adversary does almost everything
  – All invalid transitions removed
• Implementation
  – Actual protocol
  – States keep history
  – Adversary is a PPT algorithm
• Simulation
  – Identity on states
• Properties
  – All executions of specification satisfy matching conversations
  – Failure of simulation implies breaking a signature protocol

Open problems
• Logics
  – Complete the picture with simulations
• Stochastic Transition Systems
  – Understand bisimulation
  – Get soundness results
  – Understand restrictions to the model
• Verification
  – Refine the methods
  – Test on more complex case studies
  – Compare with soundness proofs for symbolic methods