Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic
Koji Hasebe
Mitsuhiro Okada
(Dept. of Philosophy, Keio University)
Purposes
Make more explicit compositionality of the original compositional logic
(Durgin-Mitchell-Pavlovic 2001, Datta-Derek-Mitchell-Pavlovic 2003)
Divide an honest principal's role into primitive actions
Simplify the inferences of compositional logic
Do not use ¬, ∨, temporal operators
Give a semantics which is sound for our system
Distinguish the monotonic properties and the non-monotonic ones
Review of Compositional logic Durgin-Mitchell-Pavlovic (2001), Datta-Derek-Mitchell-Pavlovic (2003)
Inference system based on Floyd-Hoare style logical framework to prove a protocol correctness
$[\alpha^P]\,\phi$ : "after a protocol action $\alpha^P$, $\phi$ holds from P 's view"
An advantageous point:
For proving correctness of a compound protocol, we can reuse properties of its components.
New idea of ours
Divide an honest principal's role into primitive actions (sending, receiving, etc.)
Formalize honesty assumptions with explicit reference to a role-component
$\mathit{Honest}(\alpha^Q) \supset \phi$ : "if Q honestly follows his/her role-component $\alpha^Q$, then $\phi$ holds".
(cf.) $\mathit{Honest}(Q) \supset \phi$ : "a principal Q is honest, then $\phi$ holds."
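The language (1): formulas
Atomic formulas:
atomic action formulas (denoted by $\alpha, \beta, \gamma, \ldots, \alpha_1, \alpha_2, \ldots$):
$P\ \mathit{generates}\ m$, $P\ \mathit{receives}\ m$, $P\ \mathit{sends}\ m$
atomic non-action formulas:
$\mathit{fresh}(m)$, $s = t$, $\mathit{PublicKey}(P, k)$, $P \stackrel{k}{\leftrightarrow} Q$
$P\ \mathit{firstly\_sends}\ (m, n)$ (with n m)
A sequence of actions:
$\vec{\alpha} = \alpha_1; \ldots; \alpha_n$
(described by a non-commutative conjunct of atomic action formulas)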
The language (2): basic form of assertion
$\mathit{Honest}(\vec{\alpha}_1), \ldots, \mathit{Honest}(\vec{\alpha}_n), \Delta \vdash [\vec{\beta}]\,\phi$
$\vec{\alpha}_i$ : Q 's role-component
$\vec{\beta}$ : a sequence of actions performed by P
$\mathit{Honest}(\vec{\alpha}_i)$ : Q honestly follows a role-component $\vec{\alpha}_i$
$\phi$ : a property (a sequence of atomic action formulas or a non-action formula)
$\Delta$ : a set of properties
If Q honestly follows his/her role-components $\vec{\alpha}_1, \ldots, \vec{\alpha}_n$, and if $\Delta$ holds, after P performs a sequence of action $\vec{\beta}$, $\phi$ holds from P 's view.
Weakening rule and monotonicity
$\phi$ is a monotonic property if we can freely apply the weakening rule.
e.g.
$$\frac{\mathit{Honest}(\vec{\alpha}_1; \vec{\alpha}_2), \Delta \vdash [\vec{\beta}_1; \vec{\beta}_2]\,\phi}{\mathit{Honest}(\vec{\alpha}_1; \vec{\alpha}_3; \vec{\alpha}_2), \Delta \vdash [\vec{\beta}_1; \vec{\beta}_3; \vec{\beta}_2]\,\phi}\ \text{weakening}$$
Receives, Fresh : monotonic properties
Firstly Sends : non-monotonic properties
To include non-monotonic properties
Require some restrictions on the weakening rule
However, provide us more powerful derivations
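The difference between the two kinds of property under the weakening step $[\vec{\beta}_1; \vec{\beta}_2] \to [\vec{\beta}_1; \vec{\beta}_3; \vec{\beta}_2]$, as an added example that is not part of the original slides. It assumes that "P firstly_sends (m, n)" means "m is the first message sent by P that contains n"; the tuple encoding of actions and all sample values are constructed for illustration.

```python
# Added illustration (not from the slides). Assumed reading of the atoms:
#   "P receives m"           - the action occurs somewhere in the sequence
#   "P firstly_sends (m, n)" - m is the first message P sends that contains n
# Actions are (principal, kind, message); messages are tuples of atoms.

def contains(msg, atom):
    """True if atom occurs in msg (messages may be nested tuples)."""
    if msg == atom:
        return True
    return isinstance(msg, tuple) and any(contains(part, atom) for part in msg)

def receives(actions, principal, msg):
    return (principal, "receives", msg) in actions

def firstly_sends(actions, principal, msg, nonce):
    for who, kind, sent in actions:
        if who == principal and kind == "sends" and contains(sent, nonce):
            return sent == msg  # decided by the earliest send containing nonce
    return False

def weaken(beta1, beta3, beta2):
    """[beta1; beta2] -> [beta1; beta3; beta2], as in the weakening rule."""
    return beta1 + beta3 + beta2

def survives_weakening(prop, beta1, beta3, beta2):
    """Does a property true on [beta1; beta2] stay true on [beta1; beta3; beta2]?"""
    assert prop(beta1 + beta2), "property must hold before weakening"
    return prop(weaken(beta1, beta3, beta2))

# Constructed sample sequences (names and values are illustrative).
BETA1 = [("P", "generates", "n1")]
BETA2 = [("P", "sends", ("n1", "p")), ("P", "receives", ("n1", "n2"))]
BETA3 = [("P", "sends", ("n1", "q"))]  # an extra, earlier send containing n1

def demo():
    recv = lambda a: receives(a, "P", ("n1", "n2"))
    first = lambda a: firstly_sends(a, "P", ("n1", "p"), "n1")
    return (survives_weakening(recv, BETA1, BETA3, BETA2),
            survives_weakening(first, BETA1, BETA3, BETA2))
```

`demo()` returns `(True, False)`: the receive survives the inserted actions, while the "firstly sends" claim is invalidated by them, which is why the weakening rule needs restrictions for such properties.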
Axioms and inference rules
1. Logical inferences with equality
2. Action properties axioms
   axiom about actions
   axioms for relationship between properties
3. Honesty inferences
4. Weakening rule
1. Examples of Logical inference rules
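Cut:
$$\frac{\Gamma \vdash [\vec{\alpha}]\,\phi \qquad \phi, \Delta \vdash [\vec{\alpha}]\,\psi}{\Gamma, \Delta \vdash [\vec{\alpha}]\,\psi}$$
Equality:
$$\frac{\Gamma \vdash [\vec{\alpha}]\ x = t \qquad \Delta \vdash [\vec{\alpha}]\,\phi}{\Gamma, \Delta \vdash [\vec{\alpha}]\,\phi[t/x]}$$
Inference rules for non-commutative conjunction ( ; )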
2. Action properties axioms (1)
Axiom about actions:
$\vdash [\alpha_1; \ldots; \alpha_n]\ \alpha_i$ (for each i=1,...,n)
Examples of axioms relationship between properties:
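Nonce verification 1:
$(\mathit{PK}(k, Q)), (\mathit{fresh}(m)), (P\ \mathit{receives}\ m'(\{m\}^{*}_{k^{-1}})) \vdash (Q\ \mathit{sends}\ m''); (P\ \mathit{receives}\ m'(\{m\}^{*}_{k^{-1}}))$
Freshness 1:
$P\ \mathit{generates}\ n \vdash \mathit{fresh}(n)$
2. Action properties axioms (2) (related to the non-monotonic property "firstly sends")
Firstly Sends:
$\mathit{Honest}(\vec{\alpha}^{Q}), \Delta \vdash [\vec{\beta}]\ Q\ \mathit{sends}\ m$
$\mathit{Honest}(\vec{\alpha}'^{Q}), \Delta \vdash [\vec{\beta}']\ Q\ \mathit{fsends}\ (m, n)$
Ordering of actions:
$(P\ \mathit{generates}\ n), (P\ \mathit{fsends}\ (m, n)), \alpha \vdash (P\ \mathit{fsends}\ (m, n); \alpha)$
(Here $\alpha$ is an action including $n$.)
These are useful to derive ordering of actions.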
Idea of the Honesty Inference
But, this is not enough. We need some inferences using assumptions about a principal's honesty.
One can derive some performance of actions by a principal different from the viewer.
(e.g.) P receives a message $\{m\}_{K^{-1}}$. $K^{-1}$ is a secret part of Q's public key. $m$ contains a fresh value.
Therefore, P knows that Q sends $\{m\}_{K^{-1}}$.
We introduce the following three types of honesty inferences.
from P's view:
3. Honesty inferences (1)
Substitution (sending):
$$\frac{\Gamma \vdash [\vec{\alpha}]\ Q\ \mathit{sends}\ m[t/x]}{\mathit{Honest}(Q\ \mathit{sends}\ m), \Gamma \vdash [\vec{\alpha}]\ x = t}$$
receiving
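3. Honesty inferences (2)
Matching:
$$\frac{\Gamma \vdash [\vec{\alpha}]\ Q\ \mathit{sends}\ m}{\mathit{Honest}(Q\ \mathit{sends}\ m', m), \Gamma \vdash [\vec{\alpha}]\ Q\ \mathit{sends}\ m'}$$
(where m m')
$\mathit{Honest}(Q\ \mathit{sends}\ m', m)$ : Q honestly follows Q sends m'. Q does not follow Q sends m'' with m m'', m'' ≠ m'.
Condition: $\mathit{Honest}(Q\ \mathit{sends}\ m'')$ does not appear below this inference.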
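3. Honesty inferences (3)
Deriving another action (receiving):
$$\frac{\Gamma \vdash [\vec{\alpha}]\ Q\ \mathit{sends}\ m}{\mathit{Honest}(Q\ \mathit{receives}\ m'; Q\ \mathit{sends}\ m), \Gamma \vdash [\vec{\alpha}]\ Q\ \mathit{receives}\ m'}$$
sending generating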
A composing process of honesty assumptions
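$\mathit{Hon}(\alpha_1; \alpha_2), \Gamma \vdash [\beta_1; \beta_2]\,\phi$ and $\phi, \mathit{Hon}(\alpha_3; \alpha_4), \Delta \vdash [\beta_3]\,\psi$
NMO, NMO:
$\mathit{Hon}(\alpha_1; \alpha_2), \Gamma \vdash [\beta_1; \beta_2; \beta_3]\,\phi$ and $\phi, \mathit{Hon}(\alpha_3; \alpha_4), \Delta \vdash [\beta_1; \beta_2; \beta_3]\,\psi$
$\mathit{Hon}(\alpha_1; \alpha_2), \mathit{Hon}(\alpha_3; \alpha_4), \Gamma, \Delta \vdash [\beta_1; \beta_2; \beta_3]\,\psi$
$\mathit{Hon}(\alpha_1; \alpha_2; \alpha_3; \alpha_4), \mathit{Hon}(\alpha_1; \alpha_2; \alpha_3; \alpha_4), \Gamma, \Delta \vdash [\beta_1; \beta_2; \beta_3]\,\psi$
$\mathit{Hon}(\alpha_1; \alpha_2; \alpha_3; \alpha_4), \Gamma, \Delta \vdash [\beta_1; \beta_2; \beta_3]\,\psi$
Other possibilities of combination:
$\alpha_1; \alpha_3; \alpha_2; \alpha_4$
$\alpha_3; \alpha_4; \alpha_1; \alpha_2$
$\alpha_3; \alpha_1; \alpha_4; \alpha_2$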
4132 ;;; αααα
Examples of correctness proofs
Proof of the agreement property for the Needham-Schroeder public key protocol.
1. $P \to Q : \{n_1, p\}_{K_Q}$
2. $Q \to P : \{n_1, n_2\}_{K_P}$
3. $P \to Q : \{n_2\}_{K_Q}$
Proof of the matching conversations for the Challenge Response protocol:
1. $P \to Q : p, q, n_1$
2. $Q \to P : q, p, n_2, \{n_2, n_1, p\}_{K_Q^{-1}}$
3. $P \to Q : p, q, \{n_1, n_2, q\}_{K_P^{-1}}$
Example 1: Needham-Schroeder protocol (1)
(Needham-Schroeder, 1978)
If the initiator (say, A) communicates with the responder (say, B) using the concrete values of nonces $N_1$ and $N_2$, then there exists B actually performing the responder's role with the same nonces $N_1$ and $N_2$.
initiator's concrete actions $\vec{\alpha}[A, B, N_1, N_2]$
$\alpha_1$ : generates $N_1$
$\alpha_2$ : sends $\{N_1, a\}_{K_B}$
$\alpha_3$ : receives $\{N_1, N_2\}_{K_A}$
$\alpha_4$ : sends $\{N_2\}_{K_B}$
responder's role $\vec{\beta}[P, Q, n_1, n_2]$
$\beta_1$ : receives $\{n_1, p\}_{K_Q}$
$\beta_2$ : generate $n_2$
$\beta_3$ : send $\{n_1, n_2\}_{K_P}$
$\beta_4$ : receives $\{n_2\}_{K_Q}$
Agreement Property from A’s view:
$\mathit{Honest}(\beta_1; \beta_2; \beta_3), Q = B \vdash [\alpha_1; \alpha_2; \alpha_3]\ B\ \mathit{rec}\ \{N_1, a\}_{K_B}; B\ \mathit{gen}\ N_2; B\ \mathit{sends}\ \{N_1, N_2\}_{K_A}$
Example 1: Needham-Schroeder protocol (2)
A's view: by the information about key $K_A$ and nonce $N_1$,
$Q = B \vdash [\alpha_1; \alpha_2; \alpha_3]\ B\ \mathit{sends}\ m$ (with $N_1$ m)
by an equality inference,
$n_1 = N_1, Q = B \vdash [\alpha_1; \alpha_2; \alpha_3]\ B\ \mathit{sends}\ m$ (with $n_1$ m)
by the honesty inference (matching),
$\mathit{Honest}(Q\ \mathit{sends}\ \{n_1, n_2\}_{K_P}), n_1 = N_1, Q = B \vdash [\alpha_1; \alpha_2; \alpha_3]\ B\ \mathit{sends}\ \{N_1, n_2\}_{K_A}$ (1)
A’s role
1 : generate $N_1$
2 : send $\{N_1, a\}_{K_B}$
3 : receive $\{N_1, N_2\}_{K_A}$
4 : send $\{N_2\}_{K_B}$
Q’s role
1 : receive $\{n_1, p\}_{K_Q}$
2 : generate $n_2$
3 : send $\{n_1, n_2\}_{K_P}$
4 : receive $\{n_2\}_{K_Q}$
Example 1: Needham-Schroeder protocol (3)
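On the other hand, by the information about key $K_B$ and nonce $N_1$,
$\vdash [\alpha_1; \alpha_2; \alpha_3]\ B\ \mathit{receives}\ \{N_1, a\}_{K_B}$
$Q = B \vdash [\alpha_1; \alpha_2; \alpha_3]\ B\ \mathit{receives}\ \{N_1, a\}_{K_B}$
by the honesty inference (substitution),
$\mathit{Honest}(Q\ \mathit{receives}\ \{n_1, p\}_{K_Q}), Q = B \vdash [\alpha_1; \alpha_2; \alpha_3]\ n_1 = N_1$ (2)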
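Example 1: Needham-Schroeder protocol (4)
(Here $\vec{\alpha} = \alpha_1; \alpha_2; \alpha_3$.)
Then by composition of honesty assumptions,
(2) $\mathit{Hon}(\beta_1) \vdash [\vec{\alpha}]\ n_1 = N_1$
(1) $n_1 = N_1, \mathit{Hon}(\beta_3) \vdash [\vec{\alpha}]\ B\ \mathit{sends}\ \{N_1, n_2\}_{K_B}$
Cut: $\mathit{Hon}(\beta_1), \mathit{Hon}(\beta_3) \vdash [\vec{\alpha}]\ B\ \mathit{sends}\ \{N_1, n_2\}_{K_B}$
Comp(Hon): $\mathit{Hon}(\beta_1; \beta_3) \vdash [\vec{\alpha}]\ B\ \mathit{sends}\ \{N_1, n_2\}_{K_B}$
$\mathit{Hon}(\beta_1; \beta_3) \vdash [\vec{\alpha}]\ B\ \mathit{sends}\ \{N_1, N_2\}_{K_A}$
$\mathit{Hon}(\beta_1; \beta_3), \mathit{Hon}(\beta_2; \beta_3) \vdash [\vec{\alpha}]\ B\ \mathit{generates}\ N_2$
Comp(Hon): $\mathit{Hon}(\beta_1; \beta_2; \beta_3) \vdash [\vec{\alpha}]\ B\ \mathit{generates}\ N_2$
Honest(Role)
Finally,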
Example 2: CR protocol
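1. Following sequents are provable:
$\vdash [A^{CR}]\ A\ \mathit{sends}\ m_1; A\ \mathit{receives}\ m_2$
$\mathit{fresh}(N_1), \mathit{Honest}(\mathit{Resp}^{CR}) \vdash [A^{CR}]\ B\ \mathit{receives}\ m_1; B\ \mathit{sends}\ m_2$
2. By “firstly sends”
$\vdash [A^{CR}]\ A\ \mathit{fsends}\ (m_1, N_1); A\ \mathit{receives}\ m_2$
$\mathit{fresh}(N_1), \mathit{Honest}(\mathit{Resp}^{CR}) \vdash [A^{CR}]\ B\ \mathit{receives}\ m_1; B\ \mathit{fsends}\ (m_2, N_2)$
3. Finally, we get
$\mathit{fresh}(N_1), \mathit{Honest}(\mathit{Resp}^{CR}) \vdash [A^{CR}]\ A\ \mathit{fsends}\ (m_1, N_1); B\ \mathit{receives}\ m_1; B\ \mathit{fsends}\ (m_2, N_2); A\ \mathit{receives}\ m_2$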
order
Soundness theorem
Trace Semantics
Primitive state:
   P has information m: $P(m)$
   Message m is transmitted through the network: $\mathit{Net}(m, P)$
State: a multiset of primitive states
Trace: a finite sequence of states
Theorem. If a sequent S is provable in our system, then S is true for any trace s which includes no duplicated atomic actions.