the applied pi calculus with proofs
play

The Applied Pi Calculus. . . with Proofs Bruno Blanchet INRIA - PowerPoint PPT Presentation

Aug 22, 2023 •279 likes •799 views

Introduction The language Main theorem Proof Conclusion The Applied Pi Calculus. . . with Proofs Bruno Blanchet INRIA Paris-Rocquencourt joint work with Mart n Abadi and C edric Fournet April 2015 Bruno Blanchet (INRIA) Applied

  1. Introduction The language Main theorem Proof Conclusion The Applied Pi Calculus. . . with Proofs Bruno Blanchet INRIA Paris-Rocquencourt joint work with Mart´ ın Abadi and C´ edric Fournet April 2015 Bruno Blanchet (INRIA) Applied pi calculus April 2015 1 / 47

  2. Introduction The language Main theorem Proof Conclusion The applied pi calculus Designed by Abadi and Fournet ( Mobile Values, New Names, and Secure Communication , POPL’01). Extension of the pi calculus with terms instead of names for messages. Language for modeling security protocols: Terms represent protocol messages. Function symbols represent cryptographic primitives. The properties of these primitives are modeled by equations. The input language of ProVerif is a dialect of the applied pi calculus. The applied pi calculus and ProVerif are widely used. Interesting to make them converge, with a solid theoretical foundation. Bruno Blanchet (INRIA) Applied pi calculus April 2015 2 / 47

  3. Introduction The language Main theorem Proof Conclusion Our contribution Minor changes to the language Closer to ProVerif Detailed proofs of all results Minor fixes; some side-conditions were not explicit 74 pages of proofs. . . Revised examples New example on indifferentiability Bruno Blanchet (INRIA) Applied pi calculus April 2015 3 / 47

  4. Introduction The language Main theorem Proof Conclusion Related work Avik Chaudhuri (private communication, 2007) found a counter-example to “observational equivalence equals labelled bisimilarity”, due to a missing side-condition. Bengtson et al, LICS’09 mentioned a similar counter-example; proposed a framework for defining various extensions of the pi calculus (psi-calculi), with machine-checked proofs. Jia Liu ( http://lcs.ios.ac.cn/~jliu/papers/LiuJia0608.pdf ) made the missing side-condition explicit, and gave a proof of “observational equivalence equals labelled bisimilarity”; closer to the original applied pi calculus paper; extension to a stateful variant (POST’14, with Arapinis, Ritter, and Ryan). Bruno Blanchet (INRIA) Applied pi calculus April 2015 4 / 47

  5. Introduction The language Main theorem Proof Conclusion Syntax: processes L , M , N , T , U , V ::= terms a , b , c , . . . , k , . . . , m , n , . . . , s name x , y , z variable f ( M 1 , . . . , M l ) function application P , Q , R ::= processes (or plain processes) null process 0 P | Q parallel composition ! P replication ν n . P name restriction (“new”) if M = N then P else Q conditional u ( x ) . P message input u � M � . P message output Bruno Blanchet (INRIA) Applied pi calculus April 2015 5 / 47

  6. Introduction The language Main theorem Proof Conclusion Syntax: processes L , M , N , T , U , V ::= terms a , b , c , . . . , k , . . . , m , n , . . . , s name x , y , z variable f ( M 1 , . . . , M l ) function application P , Q , R ::= processes (or plain processes) null process 0 P | Q parallel composition ! P replication ν n . P name restriction (“new”) if M = N then P else Q conditional N ( x ) . P message input N � M � . P message output Bruno Blanchet (INRIA) Applied pi calculus April 2015 5 / 47

  7. Introduction The language Main theorem Proof Conclusion Syntax: extended processes A , B , C ::= extended processes P plain process A | B parallel composition ν n . A name restriction ν x . A variable restriction { M / x } active substitution Active substitutions model the knowledge of the adversary. { M 1 / x 1 , . . . , M l / x l } for { M 1 / x 1 } | . . . |{ M l / x l } . Substitutions are cycle-free. At most one substitution for each variable. Exactly one when the variable is restricted. Bruno Blanchet (INRIA) Applied pi calculus April 2015 6 / 47

  8. Introduction The language Main theorem Proof Conclusion Sorts Variables, names, and functions come with sorts: u : τ means that u has sort τ . Examples of sorts: Integer, Key, Data, . . . There are infinite numbers of variables and names of each sort. f : τ 1 × · · · × τ l → τ means that f has arguments of sorts τ 1 , . . . , τ l and a result of sort τ . Bruno Blanchet (INRIA) Applied pi calculus April 2015 7 / 47

  9. Introduction The language Main theorem Proof Conclusion Sorts Special sort Channel � τ � for channels. Bruno Blanchet (INRIA) Applied pi calculus April 2015 8 / 47

  10. Introduction The language Main theorem Proof Conclusion Sorts Special sort Channel for channels. The unsorted applied pi is a particular case of the sorted applied pi, using the single sort Channel. The sort system enforces that: Functional applications are well-sorted. M and N are of the same sort in the conditional expression. N has sort Channel in the input and output expressions. The sort system can enforce that channels are names or variables: choose types of functions so that no function returns sort Channel. Active substitutions preserve sorts. Bruno Blanchet (INRIA) Applied pi calculus April 2015 8 / 47

  11. Introduction The language Main theorem Proof Conclusion Semantics: equations The signature Σ is equipped with an equational theory closed under substitutions of terms for variables and names; intuitively, defined from equations that do not contain names; respects the sort system; non-trivial, that is, there exist two different terms in each sort. Example fst(( x , y )) = x snd(( x , y )) = y dec(enc( x , y ) , y ) = x check( x , sign( x , sk( y )) , pk( y )) = ok Equality modulo the equational theory: Σ ⊢ M = N . Bruno Blanchet (INRIA) Applied pi calculus April 2015 9 / 47

  12. Introduction The language Main theorem Proof Conclusion Semantics: preliminary definitions Processes are considered equal modulo renaming of bound names and variables. Needed to define P { M / x } . A context is a (possibly extended) process with a hole. An evaluation context is a context whose hole is not under a replication, a conditional, an input, or an output. E ::= evaluation context hole A | E parallel composition E | A parallel composition ν n . E name restriction ν x . E variable restriction Bruno Blanchet (INRIA) Applied pi calculus April 2015 10 / 47

  13. Introduction The language Main theorem Proof Conclusion Semantics: structural equivalence Structural equivalence ≡ equivalence relation closed by application of evaluation contexts ≡ A | 0 Par- 0 A A | ( B | C ) ≡ ( A | B ) | C Par-A Par-C A | B ≡ B | A ! P ≡ P | ! P Repl ν n . 0 ≡ New- 0 0 New-C ν u .ν v . A ≡ ν v .ν u . A A | ν u . B ≡ ν u . ( A | B ) New-Par when u �∈ fv ( A ) ∪ fn ( A ) ν x . { M / Alias x } ≡ 0 { M / { M / x } | A { M / x } | A ≡ x } Subst { M / { N / Rewrite x } ≡ x } when Σ ⊢ M = N Bruno Blanchet (INRIA) Applied pi calculus April 2015 11 / 47

  14. Introduction The language Main theorem Proof Conclusion Semantics: internal reduction Internal reduction → closed by structural equivalence closed by application of evaluation contexts N � x � . P | N ( x ) . Q → P | Q Comm if M = M then P else Q → Then P if M = N then P else Q → Else Q for any ground terms M and N such that Σ �⊢ M = N Using structural equivalence: ν x . ( { M / N � M � . P | N ( x ) . Q ≡ x } | N � x � . P | N ( x ) . Q ) ν x . ( { M / → x } | P | Q ) by Comm P | Q { M / ≡ x } Bruno Blanchet (INRIA) Applied pi calculus April 2015 12 / 47

  15. Introduction The language Main theorem Proof Conclusion Preliminary definitions dom ( A ): domain, set of variables that A exports. fv ( A ): free variables A is closed when its free variables are all defined by an active substitution, that is, dom ( A ) = fv ( A ). E [ ] closes A when E [ A ] is closed. A ⇓ a when A → ∗ ≡ E [ a � M � . P ] for some evaluation context E [ ] that does not bind a . A can send a message on channel a . Bruno Blanchet (INRIA) Applied pi calculus April 2015 13 / 47

  16. Introduction The language Main theorem Proof Conclusion Observational equivalence Definition An observational bisimulation is a symmetric relation R between closed extended processes with the same domain such that A R B implies: 1 if A ⇓ a , then B ⇓ a ; 2 if A → ∗ A ′ and A ′ is closed, then B → ∗ B ′ and A ′ R B ′ for some B ′ ; 3 E [ A ] R E [ B ] for all closing evaluation contexts E [ ]. Observational equivalence ( ≈ ) is the largest such relation. Intuitively, A ≈ B when an adversary (evaluation context) cannot distinguish A from B . Hard to prove because of the universal quantification over all contexts. Use a labeled bisimulation. Bruno Blanchet (INRIA) Applied pi calculus April 2015 14 / 47

  17. Introduction The language Main theorem Proof Conclusion Equality in a frame A frame ϕ is an extended process built up from 0 and active substitutions { M / x } by parallel composition and restriction. The frame of A , ϕ ( A ), is obtained replacing every plain process in A with 0 . Definition Two terms M and N are equal in the frame ϕ , written ( M = N ) ϕ , if and only if fv ( M ) ∪ fv ( N ) ⊆ dom ( ϕ ), ϕ ≡ ν � n .σ , M σ = N σ , and { � n } ∩ ( fn ( M ) ∪ fn ( N )) = ∅ for some names � n and substitution σ . Independent of the representative ν � n .σ . Bruno Blanchet (INRIA) Applied pi calculus April 2015 15 / 47

Recommend

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic

413 views • 39 slides
Proofs, upside down A functional correspondence between natural deduction and the sequent calculus

Proofs, upside down A functional correspondence between natural deduction and the sequent calculus

Proofs, upside down A functional correspondence between natural deduction and the sequent calculus Matthias Puech APLAS13 Melbourne, December 11, 2013 1 / 19 An intuition Natural deductions are reversed sequent calculus proofs 2 / 19

955 views • 66 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
APMA Calculus Options Which Course Should I Take? School of Engineering & Applied Science

APMA Calculus Options Which Course Should I Take? School of Engineering & Applied Science

APMA Calculus Options Which Course Should I Take? School of Engineering & Applied Science University of Virginia July 3, 2018 APMA Calculus Sequences Originally, there was a single 3-semester sequence with 3 different starting points,

334 views • 15 slides
Linear lower bound on degrees of Positivstellensatz calculus proofs for the parity (Dima

Linear lower bound on degrees of Positivstellensatz calculus proofs for the parity (Dima

Linear lower bound on degrees of Positivstellensatz calculus proofs for the parity (Dima Grigoriev) talk by Anastasia Sofronova Seminar Modern Methods in CS April 21, 2020 1 / 17 Proof systems an unsatisfiable formula in CNF.

597 views • 23 slides
Section 7.3 Formal Proofs in Predicate Calculus All proof rules for propositional calculus extend

Section 7.3 Formal Proofs in Predicate Calculus All proof rules for propositional calculus extend

Section 7.3 Formal Proofs in Predicate Calculus All proof rules for propositional calculus extend to predicate calculus. Example . k . x p ( x ) P k +1. x p ( x ) x p ( x ) P k +2. x p ( x ) 1, 2, MP But we need

321 views • 8 slides
MAT137 - Calculus with proofs Assignment #2 due on Thursday. Practice Test: Friday 3pm to

MAT137 - Calculus with proofs Assignment #2 due on Thursday. Practice Test: Friday 3pm to

MAT137 - Calculus with proofs Assignment #2 due on Thursday. Practice Test: Friday 3pm to Saturday 3pm TODAY: More continuity FRIDAY: Limit computations! (Videos 2.19, 2.20) What can we conclude? Let c R . Let f and g be functions. Assume f

192 views • 6 slides
Lecture 2.5: Proofs in propositional calculus Matthew Macauley Department of Mathematical

Lecture 2.5: Proofs in propositional calculus Matthew Macauley Department of Mathematical

Lecture 2.5: Proofs in propositional calculus Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4190, Discrete Mathematical Structures M. Macauley (Clemson) Lecture 2.5: Proofs

576 views • 9 slides
MAT137 - Calculus with proofs Assignment #1 due on THURSDAY. TODAY: Limits geometrically WED:

MAT137 - Calculus with proofs Assignment #1 due on THURSDAY. TODAY: Limits geometrically WED:

MAT137 - Calculus with proofs Assignment #1 due on THURSDAY. TODAY: Limits geometrically WED: The definition of limit (Videos 2.5, 2.6) Limits from a graph Find the value of 1. lim x 2 f ( x ) 2. lim x 0 f ( f ( x )) Floor Given a

376 views • 4 slides
Calculus 3 Chapter 15. Multiple Integrals 15.3. Area by Double IntegrationExamples and Proofs

Calculus 3 Chapter 15. Multiple Integrals 15.3. Area by Double IntegrationExamples and Proofs

Calculus 3 Chapter 15. Multiple Integrals 15.3. Area by Double IntegrationExamples and Proofs of Theorems February 2, 2020 () Calculus 3 February 2, 2020 1 / 9 Table of contents Exercise 15.3.8 1 Exercise 15.3.14 2 Exercise 15.3.20

509 views • 16 slides
The Simply Typed Lambda Calculus Jonathan Prieto-Cubides Master in Applied Mathematics Logic and

The Simply Typed Lambda Calculus Jonathan Prieto-Cubides Master in Applied Mathematics Logic and

The Simply Typed Lambda Calculus Jonathan Prieto-Cubides Master in Applied Mathematics Logic and Computation Group Universidad EAFIT Medelln, Colombia 1th June 2017 (In Agda ) Contents Lambda Calculus Typed Lambda Calculus Syntax

1.05k views • 24 slides
MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26

MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26

MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26 TODAY: Functions and inverse functions FRIDAY: Exponentials and logarithms Watch videos 4.5, 4.7, 4.8, 4.9 Supplementary videos: 4.6, 4.10, 4.11

396 views • 5 slides
MAT137 - Calculus with proofs Test 1 opens on Friday, October 23. See details on course website.

MAT137 - Calculus with proofs Test 1 opens on Friday, October 23. See details on course website.

MAT137 - Calculus with proofs Test 1 opens on Friday, October 23. See details on course website. TODAY: Squeeze theorem and more proof with limits FRIDAY: Continuity ( Watch videos 2.14, 2.15 ) Limits involving sin(1 / x ) The limit lim x

257 views • 9 slides
MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26

MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26

MAT137 - Calculus with proofs Assignment #3 due on November 5 Assignment #4 due on November 26 TODAY: Functions and inverse functions Watch videos 4.3, 4.3 by Wednesday Worm up A worm is crawling across a table. The path of the worm looks

399 views • 6 slides
Analysis of electronic voting protocols in applied pi calculus Mark Ryan University of

Analysis of electronic voting protocols in applied pi calculus Mark Ryan University of

Analysis of electronic voting protocols in applied pi calculus Mark Ryan University of Birmingham based on joint work with Ben Smyth Steve Kremer Mounira Kourjieh IFIP WG 1.3, Udine, Italy September 2009 Outline Electronic voting Applied

695 views • 30 slides
MAT137 - Calculus with proofs TODAY: Continuity MONDAY is a holiday (no class) WEDNESDAY: More

MAT137 - Calculus with proofs TODAY: Continuity MONDAY is a holiday (no class) WEDNESDAY: More

MAT137 - Calculus with proofs TODAY: Continuity MONDAY is a holiday (no class) WEDNESDAY: More Continuity Required videos 2.16, 2.17 Supplementary video: 2.18 Undefined function Let a R and let f be a function. Assume f ( a ) is undefined.

190 views • 7 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of

Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of

Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of Birmingham joint work with St ephanie Delaune and Steve Kremer LSV Cachan, France SoCS Seminar November 2007 Outline Electronic voting Electronic

763 views • 33 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
VIRTUAL CONFERENCE ictcm.com | #ICTCM Designing a Technology-Rich Applied Calculus Course

VIRTUAL CONFERENCE ictcm.com | #ICTCM Designing a Technology-Rich Applied Calculus Course

32 nd International Conference on Technology in Collegiate Mathematics VIRTUAL CONFERENCE ictcm.com | #ICTCM Designing a Technology-Rich Applied Calculus Course Katharine Fisher Senior Lecturer The University of Toledo

854 views • 43 slides
Work MCV4U: Calculus & Vectors Work is when a force is applied to an object, causing it to

Work MCV4U: Calculus & Vectors Work is when a force is applied to an object, causing it to

a l g e b r a i c v e c t o r s a l g e b r a i c v e c t o r s Work MCV4U: Calculus & Vectors Work is when a force is applied to an object, causing it to move. It is defined as the the product of the objects displacement and the

810 views • 3 slides
Calculus 3 Chapter 15. Multiple Integrals 15.1. Double and Iterated Integrals over

Calculus 3 Chapter 15. Multiple Integrals 15.1. Double and Iterated Integrals over

Calculus 3 Chapter 15. Multiple Integrals 15.1. Double and Iterated Integrals over RectanglesExamples and Proofs of Theorems December 13, 2019 () Calculus 3 December 13, 2019 1 / 6 Table of contents Exercise 15.1.6 1 Exercise 15.1.16

221 views • 11 slides
Lecture 1 : Lambda Calculus CS6202 Introduction 1 Lambda Calculus Lambda Calculus

Lecture 1 : Lambda Calculus CS6202 Introduction 1 Lambda Calculus Lambda Calculus

CS6202: Advanced Topics in Programming Languages and Systems Lecture 1 : Lambda Calculus CS6202 Introduction 1 Lambda Calculus Lambda Calculus Untyped Lambda Calculus Evaluation Strategy Techniques - encoding, extensions,

791 views • 56 slides

More recommend