the applied pi calculus with proofs · introductionthe languagemain theoremproofconclusion the...

Introduction The language Main theorem Proof Conclusion

The Applied Pi Calculus. . .with Proofs

Bruno Blanchet

INRIA Paris-Rocquencourt

joint work with Martın Abadi and Cedric Fournet

April 2015

Bruno Blanchet (INRIA) Applied pi calculus April 2015 1 / 47


The applied pi calculus

Designed by Abadi and Fournet (Mobile Values, New Names, andSecure Communication, POPL’01).

Extension of the pi calculus with terms instead of names for messages.

Language for modeling security protocols:

Terms represent protocol messages.Function symbols represent cryptographic primitives.The properties of these primitives are modeled by equations.The input language of ProVerif is a dialect of the applied pi calculus.

The applied pi calculus and ProVerif are widely used.

Interesting to make them converge, with a solid theoretical foundation.



Our contribution

Minor changes to the language

Closer to ProVerif

Detailed proofs of all results

Minor fixes; some side-conditions were not explicit74 pages of proofs. . .

Revised examples

New example on indifferentiability



Related work

Avik Chaudhuri (private communication, 2007)

found a counter-example to “observational equivalence equals labelledbisimilarity”, due to a missing side-condition.

Bengtson et al, LICS’09

mentioned a similar counter-example;proposed a framework for defining various extensions of the pi calculus(psi-calculi), with machine-checked proofs.

Jia Liu (http://lcs.ios.ac.cn/~jliu/papers/LiuJia0608.pdf)

made the missing side-condition explicit, and gave a proof of“observational equivalence equals labelled bisimilarity”;closer to the original applied pi calculus paper;extension to a stateful variant (POST’14, with Arapinis, Ritter, andRyan).


http://lcs.ios.ac.cn/~jliu/papers/LiuJia0608.pdf


Syntax: processes

L,M,N,T ,U,V ::= termsa, b, c , . . . , k , . . . ,m, n, . . . , s namex , y , z variablef (M1, . . . ,Ml) function application

P,Q,R ::= processes (or plain processes)0 null processP |Q parallel composition!P replicationνn.P name restriction (“new”)if M = N then P else Q conditionalu(x).P message inputu〈M〉.P message output



Syntax: processes

L,M,N,T ,U,V ::= termsa, b, c , . . . , k , . . . ,m, n, . . . , s namex , y , z variablef (M1, . . . ,Ml) function application

P,Q,R ::= processes (or plain processes)0 null processP |Q parallel composition!P replicationνn.P name restriction (“new”)if M = N then P else Q conditionalN(x).P message input

N〈M〉.P message output



Syntax: extended processes

A,B,C ::= extended processesP plain processA |B parallel compositionνn.A name restrictionνx .A variable restriction{M/x} active substitution

Active substitutions model the knowledge of the adversary.

{M1/x1 , . . . ,Ml/xl} for {M1/x1} | . . . |{Ml/xl}.

Substitutions are cycle-free.

At most one substitution for each variable.

Exactly one when the variable is restricted.



Sorts

Variables, names, and functions come with sorts:

u : τ means that u has sort τ .

Examples of sorts: Integer, Key, Data, . . .There are infinite numbers of variables and names of each sort.

f : τ1 × · · · × τl → τ means that f has arguments of sorts τ1, . . . , τland a result of sort τ .



Sorts

Special sort Channel〈τ〉 for channels.

The unsorted applied pi is a particular case of the sorted applied pi,using the single sort Channel.

The sort system enforces that:

Functional applications are well-sorted.

M and N are of the same sort in the conditional expression.

N has sort Channel in the input and output expressions.

The sort system can enforce that channels are names or variables:choose types of functions so that no function returns sort Channel.

Active substitutions preserve sorts.



Sorts

Special sort Channel for channels.

The unsorted applied pi is a particular case of the sorted applied pi,using the single sort Channel.

The sort system enforces that:

Functional applications are well-sorted.

M and N are of the same sort in the conditional expression.

N has sort Channel in the input and output expressions.

The sort system can enforce that channels are names or variables:choose types of functions so that no function returns sort Channel.

Active substitutions preserve sorts.



Semantics: equations

The signature Σ is equipped with an equational theory

closed under substitutions of terms for variables and names;

intuitively, defined from equations that do not contain names;

respects the sort system;

non-trivial, that is, there exist two different terms in each sort.

Example

fst((x , y)) = x

snd((x , y)) = y

dec(enc(x , y), y) = x

check(x , sign(x , sk(y)), pk(y)) = ok

Equality modulo the equational theory: Σ ` M = N.



Semantics: preliminary definitions

Processes are considered equal modulo renaming of bound names andvariables.

Needed to define P{M/x}.A context is a (possibly extended) process with a hole.An evaluation context is a context whose hole is not under a replication, aconditional, an input, or an output.

E ::= evaluation contexthole

A |E parallel compositionE |A parallel compositionνn.E name restrictionνx .E variable restriction



Semantics: structural equivalence

Structural equivalence ≡equivalence relation

closed by application of evaluation contexts

Par-0 A ≡ A | 0Par-A A |(B |C ) ≡ (A |B) |CPar-C A |B ≡ B |ARepl !P ≡ P | !P

New-0 νn.0 ≡ 0New-C νu.νv .A ≡ νv .νu.ANew-Par A | νu.B ≡ νu.(A |B)

when u 6∈ fv(A) ∪ fn(A)

Alias νx .{M/x} ≡ 0Subst {M/x} |A ≡ {M/x} |A{M/x}Rewrite {M/x} ≡ {N/x} when Σ ` M = N



Semantics: internal reduction

Internal reduction →closed by structural equivalence


Comm N〈x〉.P |N(x).Q → P |Q

Then if M = M then P else Q → P

Else if M = N then P else Q → Qfor any ground terms M and Nsuch that Σ 6` M = N

Using structural equivalence:

N〈M〉.P |N(x).Q ≡ νx .({M/x} |N〈x〉.P |N(x).Q)

→ νx .({M/x} |P |Q) by Comm

≡ P |Q{M/x}



Preliminary definitions

dom(A): domain, set of variables that A exports.

fv(A): free variables

A is closed when its free variables are all defined by an activesubstitution, that is, dom(A) = fv(A).

E [ ] closes A when E [A] is closed.

A ⇓a when A→∗≡ E [a〈M〉.P] for some evaluation context E [ ] thatdoes not bind a.

A can send a message on channel a.



Observational equivalence

Definition

An observational bisimulation is a symmetric relation R between closedextended processes with the same domain such that A R B implies:

1 if A ⇓a, then B ⇓a;

2 if A→∗ A′ and A′ is closed, then B →∗ B ′ and A′ R B ′ for some B ′;

3 E [A] R E [B] for all closing evaluation contexts E [ ].

Observational equivalence (≈) is the largest such relation.

Intuitively, A ≈ B when an adversary (evaluation context) cannotdistinguish A from B.

Hard to prove because of the universal quantification over allcontexts.

Use a labeled bisimulation.



Equality in a frame

A frame ϕ is an extended process built up from 0 and active substitutions{M/x} by parallel composition and restriction.

The frame of A, ϕ(A), is obtained replacing every plain process in Awith 0.

Definition

Two terms M and N are equal in the frame ϕ, written (M = N)ϕ, if andonly if

fv(M) ∪ fv(N) ⊆ dom(ϕ),

ϕ ≡ νn.σ, Mσ = Nσ, and {n} ∩ (fn(M) ∪ fn(N)) = ∅for some names n and substitution σ.

Independent of the representative νn.σ.



Static equivalence

Definition

Two closed frames ϕ and ψ are statically equivalent, written ϕ ≈s ψ,when

dom(ϕ) = dom(ψ) and

for all terms M and N, (M = N)ϕ if and only if (M = N)ψ.

Two closed extended processes are statically equivalent, written A ≈s B,when their frames are statically equivalent.

Static equivalence ϕ ≈s ψ expresses that the frames cannot bedistinguished by performing equality tests.

A ≈s B expresses that the current knowledge of the adversary in theprocesses A and B does not allow it to distinguish A from B.The dynamic behavior of A and B is ignored.



Labels

The labelled semantics defines Aα−→ A′ where α is a label:

N(M): input of M on channel N;

νx .N〈x〉: output of x on channel N.x must not occur in N.

bv(N(M))def= ∅ and bv(νx .N〈x〉) def

= {x}.fv(N(M))

def= fv(N) ∪ fv(M) and fv(νx .N〈x〉) def

= fv(N).

The conference paper has labels a〈u〉 and νu.a〈u〉 for outputs.

We simplify the semantics by having a single output label.

One always needs to create a fresh variable for the output message.

A refined semantics allows νu.N〈M〉 as label.



Labeled semantics

In N(x).PN(M)−−−→ P{M/x}

Out-Varx /∈ fv(N〈M〉.P)

N〈M〉.P νx .N〈x〉−−−−−→ P |{M/x}

ScopeA

α−→ A′ u does not occur in α

νu.Aα−→ νu.A′

ParA

α−→ A′ bv(α) ∩ fv(B) = ∅A |B α−→ A′ |B

StructA ≡ B B

α−→ B ′ B ′ ≡ A′

Aα−→ A′



Labeled bisimilarity

Definition

A labelled bisimulation is a symmetric relation R on closed extendedprocesses such that A R B implies:

1 A ≈s B;

2 if A→ A′ and A′ is closed, then B →∗ B ′ and A′ R B ′ for some B ′;

3 if Aα−→ A′, A′ is closed, and fv(α) ⊆ dom(A), then B →∗ α−→→∗ B ′

and A′ R B ′ for some B ′.

Labelled bisimilarity (≈l) is the largest such relation.

Item 1 guarantees that the adversary cannot distinguish A from Busing its current knowledge.

Items 2 and 3 guarantee that this property is preserved by reduction.



Main theorem

Theorem

Observational equivalence is labelled bisimilarity: ≈ = ≈l .



Bengtson et al’s counter example

A = νa.({a/x} | x(y).b〈M〉.0) B = νa.({a/x} | 0)

A and B are not observationally equivalent

The context x〈N〉 distinguishes them.

According to the POPL’01 paper:

A and B have the same frame and no transitions,so they are labelled bisimilar.

A possible fix is to require that exported variables must not be ofchannel type.

In our semantics,

A has a labelled transition x(N),so A and B are not labelled bisimilar.



Motivation

Structural equivalence complicates the analysis of possible reductionsin a process.

In a process A |B,

substitutions in A may influence the possible reductions in B,and conversely, substitutions in B may influence reductions in A.



Partial normal forms

Partial formal form of an extended process A:

pnf(A) = νn.({M/x} |P)

with (fv(P) ∪ fv(M)) ∩ {x} = ∅.

Formally defined by induction on A.

Lemma

A ≡ pnf(A).



Structural equivalence on plain processes

Structural equivalence�≡ on plain processes

equivalence relation


Par-0′ P | 0 �≡ PPar-A′ P |(Q |R)

�≡ (P |Q) |RPar-C′ P |Q �≡ Q |PRepl′ !P

�≡ P | !PNew-0′ νn.0

�≡ 0New-C′ νn.νn′.P

�≡ νn′.νn.PNew-Par′ P | νn.Q �≡ νn.(P |Q) when n 6∈ fn(P)Rewrite′ P{M/x}

�≡ P{N/x} when Σ ` M = N



Structural equivalence on partial normal forms

Structural equivalence◦≡ on extended processes in partial normal form

equivalence relation

P�≡ P ′ (fv(P) ∪ fv(P ′)) ∩ dom(σ) = ∅

νn.(σ |P)◦≡ νn.(σ |P ′)

n′ is a reordering of n

νn.(σ |P)◦≡ νn′.(σ |P)

n′ /∈ fn(σ)

νn.(σ | νn′.P)◦≡ νn, n′.(σ |P)

dom(σ) = dom(σ′) Σ ` xσ = xσ′ for all x ∈ dom(σ)(fv(xσ) ∪ fv(xσ′)) ∩ dom(σ) = ∅ for all x ∈ dom(σ)

νn.(σ |P)◦≡ νn.(σ′ |P)



Links between structural equivalences

Lemma

If A ≡ B, then pnf(A)◦≡ pnf(B).

If P�≡ Q, then P ≡ Q.

If A◦≡ B, then A ≡ B.

By induction on the derivations.



Internal reduction

Internal reduction →� on plain processes

closed by�≡


Comm′ N〈M〉.P |N(x).Q →� P |Q{M/x}

Then′ if M = M then P else Q →� P

Else′ if M = N then P else Q →� Qfor any ground terms M and Nsuch that Σ 6` M = N

Internal reduction →◦ on extended processes in partial normal form

closed by◦≡

P →� P ′

νn.(σ |P)→◦ νn.(σ |P ′)



Link between internal reductions

Lemma

If A→ B, then pnf(A)→◦ pnf(B).

If P →� Q, then P → Q.

If A→◦ B, then A→ B.

By induction on the derivations.



Labelled reduction on plain processes

Labelled reduction Pα−→� A on plain processes

In′ N(x).PN(M)−−−→� P{M/x}

Out-Var′x /∈ fv(N〈M〉.P)

N〈M〉.P νx .N〈x〉−−−−−→� P |{M/x}

Scope′P

α−→� A n does not occur in α

νn.Pα−→� νn.A

Par′P

α−→� A bv(α) ∩ fv(Q) = ∅P |Q α−→� A |Q

Struct′P�≡ Q Q

α−→� B B ≡ A

Pα−→� A



Labelled reduction on partial normal forms

Labelled reduction Aα−→◦ B, where

A is an extended process in partial normal form and

B is an extended process

A◦≡ νn.(σ |P) P

α′−→� B ′ B ≡ νn.(σ |B ′)

fv(σ) ∩ bv(α′) = ∅ Σ ` ασ = α′

the elements of n do not occur in α

Aα−→◦ B



Links between labelled reductions

Lemma (Characterization of labelled reductions)

Pα−→� A if and only if for some n, P1, P2, A1, N, M, P ′, x,

P�≡ νn.(P1 |P2), A ≡ νn.(A1 |P2), {n} ∩ fn(α) = ∅,

bv(α) ∩ fv(P1 |P2) = ∅, and one of the following two cases holds:

1 α = N(M), P1 = N(x).P ′, and A1 = P ′{M/x}; or2 α = νx .N〈x〉, P1 = N〈M〉.P ′, and A1 = P ′ |{M/x}.

Lemma

If Aα−→ B, then pnf(A)

α−→◦ B.If P

α−→� A, then Pα−→ A.

If Aα−→◦ B, then A

α−→ B.



Decomposition of labelled reductions: plain processes

Lemma

Suppose that P0 is closed, α is νx .N ′〈x〉 or N ′(M ′) for some ground termN ′, and P0

α−→� A. Then one of the following cases holds:

1 P0 = P |Q and either Pα−→� A′ and A ≡ A′ |Q, or Q

α−→� A′ andA ≡ P |A′, for some P, Q, and A′;

2 P0 = νn.P, Pα−→� A′, and A ≡ νn.A′ for some P, A′, and n that does

not occur in α;

3 P0 = !P, Pα−→� A′, and A ≡ A′ | !P for some P and A′;

4 P0 = N(x).P, α = N ′(M ′), Σ ` N = N ′, and A ≡ P{M′/x} for some

N, x, P, N ′, and M ′;

5 P0 = N〈M〉.P, α = νx .N ′〈x〉, Σ ` N = N ′, x /∈ fv(P0), andA ≡ P |{M/x} for some N, M, P, x, and N ′.



Decomposition of labelled reductions: partial normal forms

Lemma

If

νn.(σ |P) is a closed extended process in partial normal form,

νn.(σ |P)α−→◦ A,

fv(α) ⊆ dom(σ), and

the elements of n do not occur in α,

then Pασ−−→� A′, A ≡ νn.(σ |A′), and bv(α) ∩ dom(σ) = ∅ for some A′.



Composition of labelled reductions

Lemma

If

P and Q are closed processes, N is a ground term,

PN(x)−−−→� A, and

Qνx .N〈x〉−−−−−→� B,

then P |Q →� R and R ≡ νx .(A |B) for some R.



Decomposition of internal reductions: plain processes

Lemma

Suppose that P0 is a closed process and P0 →� R. Then one of thefollowing cases holds:

1 P0 = P |Q for some P and Q, and one of the following cases holds:1 P →� P ′ and R ≡ P ′ |Q for some closed process P ′,

2 PN(x)−−−→� A, Q

νx.N〈x〉−−−−−→� B, and R ≡ νx .(A |B) for some A, B, x, andground term N,

and two symmetric cases obtained by swapping P and Q;

2 P0 = νn.P, P →� Q ′, and R ≡ νn.Q ′ for some n and some closedprocesses P and Q ′;

3 P0 = !P, P |P →� Q ′, and R ≡ Q ′ | !P for some closed processes Pand Q ′.

4 P0 = if M = N then P else Q and either Σ ` M = N and R ≡ P, orΣ ` M 6= N and R ≡ Q, for some M, N, P, and Q.



Decomposition of internal reductions: partial normal forms

Lemma

If

νn.(σ |P) is a closed extended process in partial normal form and

νn.(σ |P)→◦ A,then P →� P ′ and A ≡ νn.(σ |P ′) for some closed process P ′.



Proof technique

Induction on the derivations.

Strenghten the inductive invariant, to be able to apply the currentlemma to a derivation built as a result of applying the inductivehypothesis.



Static equivalence

Lemma

Static equivalence is

invariant by structural equivalence and reduction, and

closed by application of closing evaluation contexts.

For the second point,

show that we can restrict ourselves to contexts E = νu.( |C ) suchthat all subcontexts of E are closing.

proceed by structural induction on E .



Context closure

Lemma

≈l is closed by application of closing evaluation contexts.

Restrict attention to contexts of the form νu.( |C ).

To every relation R on closed extended processes, we associate R′={(νu.(A |C ), νu.(B |C )) | A R B, νu.( |C ) closing for A and B}.We prove that, if R is a labelled bisimulation, then R′ is a labelledbisimulation up to ≡, hence R ⊆ R′ ⊆ ≈l .

For R = ≈l , this property entails that ≈l is closed by application ofevaluation contexts νu.( |C ).



Context closure

To every relation R on closed extended processes, we associate R′={(νu.(A |C ), νu.(B |C )) | A R B, νu.( |C ) closing for A and B}.We prove that, if R is a labelled bisimulation, then R′ is a labelledbisimulation up to ≡.

Definition

A relation R on closed extended processes is a labelled bisimulation up to≡ if and only if R is symmetric and A R B implies:

1 A ≈s B;

2 if A→ A′ and A′ is closed, then B →∗ B ′ and A′ ≡R≡ B ′ for some closedB ′;

3 if Aα−→ A′, A′ is closed, and fv(α) ⊆ dom(A), then B →∗ α−→→∗ B ′ and

A′ ≡R≡ B ′ for some closed B ′.



Context closure

To every relation R on closed extended processes, we associate R′={(νu.(A |C ), νu.(B |C )) | A R B, νu.( |C ) closing for A and B}.We prove that, if R is a labelled bisimulation, then R′ is a labelledbisimulation up to ≡.Assume S R′ T , with S = νu.(A |C ), T = νu.(B |C ), and A R B.

S ≈s T follows from A ≈s B by a previous lemma.For reductions, consider the partial normal forms of A, B, C :pnf(A) = νn.(σ |P), pnf(B) = νn′.(σ′ |P ′), pnf(C ) = νn′′.(σ′′ |P ′′).

A reduction on S = νu.(A |C ) implies a reduction on P |P ′′σ, so areduction on P and/or P ′′σ (by the decomposition lemmas).

A reduction on P implies a reduction A, so the same reduction on Bsince R is a labelled bisimulation, so a reduction on P ′.

A reduction on P ′′σ implies a reduction on P ′′σ′ by static equivalenceA ≈s B.

Hence we obtain a reduction on P ′ |P ′′σ′, hence on T = νu.(B |C ).



Characterizing barbs

Lemma

Let A be a closed extended process.

A ⇓a if and only if A→∗ νx .a〈x〉−−−−→ A′ for some fresh variable x and some A′.

A ≡ E [a〈M〉.P] for some evaluation context E [ ] that does not bind aif and only if

Aνx .a〈x〉−−−−→ A′ for some fresh variable x and some A′.



Labelled bisimilarity implies observational equivalence

Lemma≈l ⊆ ≈.

≈l satisfies the three properties of observational bisimulations:

1 ≈l preserves barbs, by characterization of barbs and Properties 2and 3 of a labelled bisimilation.

2 Suppose that A ≈l B, A→∗ A′, and A′ is closed. Close allintermediate processes in A→∗ A′, then conclude that B →∗ B ′ andA′ ≈l B

′ for some B ′ by Property 2 of a labelled bisimilation.

3 ≈l is closed by application of closing evaluation contexts, as shownpreviously.

Moreover, ≈l is symmetric. Since ≈ is the largest observationalbisimulation, we obtain ≈l ⊆ ≈.



Observational equivalence implies static equivalence

Lemma≈ ⊆ ≈s .

If A and B are observationally equivalent, then A |C and B |C have thesame barb ⇓a for every C = if M = N then a〈s〉, where a does not occurin A or B and fv(M) ∪ fv(N) ⊆ dom(A).

Assuming that A is closed, fv(M) ∪ fv(N) ⊆ dom(A), and a does notoccur in A, we have(M = N)ϕ(A) if and only if A | if M = N then a〈s〉 ⇓a.

(Shown using partial normal forms.)



Characterizing inputs

Let T pN(M)

def= p〈p〉 |N〈M〉.p(x).

Lemma

Let A be a closed extended process. Let N and M be terms such thatfv(N〈M〉) ⊆ dom(A) and p does not occur in A, M, and N.

If AN(M)−−−→ A′ and p does not occur in A′,

then A |T pN(M) →→ A′ and A′ 6⇓p.

If A |T pN(M) →

∗ A′ and A′ 6⇓p, then A→∗ N(M)−−−→→∗ A′.

Shown using partial normal forms.



Characterizing outputs

Let T p,q

νx .N〈x〉def= p〈p〉 |N(x).p(y).q〈x〉.

Lemma

Let A be a closed extended process and N such that fv(N) ⊆ dom(A).

If Aνx .N〈x〉−−−−−→ A′ and p and q do not occur in A, A′, and N,

then A |T p,q

νx .N〈x〉 →→ νx .(A′ | q〈x〉), νx .(A′ | q〈x〉) 6⇓p, andx /∈ dom(A).

If A |T p,q

νx .N〈x〉 →∗ A′′, A′′ 6⇓p, x /∈ dom(A), and p and q do not occur

in A and N,

then A→∗ νx .N〈x〉−−−−−→→∗ A′ and A′′ ≡ νx .(A′ | q〈x〉) for some A′.

Shown using partial normal forms.



Extrusion

Lemma (Extrusion)

Let A and B two closed extended processes with a same domain that

contains x . Let Ex [ ]def= νx .(

∏x∈x nx〈x〉 | ) using names nx that do not

occur in A or B. If Ex [A] ≈ Ex [B], then A ≈ B.

If A is a closed extended process with {x} ⊆ dom(A) and Ex [A]→ C ′,then A→ A′ and C ′ ≡ Ex [A′] for some closed extended process A′.(Proved using partial normal forms.)

Let A R B if and only if {x} ⊆ dom(A) = dom(B) and Ex [A] ≈ Ex [B], forsome x and some names nx that do not occur in A or B.

We show that R is an observational bisimulation.



Observational equivalence implies labelled bisimilarity

Lemma≈ ⊆ ≈l .

The relation ≈ is symmetric. It satisfies the three properties of labelledbisimulations:

1 If A ≈ B, then A ≈s B, shown previously.

2 If A ≈ B, A→ A′, and A′ is closed, then B →∗ B ′ and A′ ≈ B ′ forsome B ′, by Property 2 of the definition of observational bisimulation.

3 If A ≈ B, Aα−→ A′, A′ is closed, and fv(α) ⊆ dom(A), then

B →∗ α−→→∗ B ′ and A′ ≈ B ′ for some B ′. To prove this property, werely on characteristic parallel contexts Tα, shown in previous lemmas.In the output case, we obtain a pair νx .(A′ | q〈x〉) ≈ νx .(B ′ | q〈x〉),and conclude by the extrusion lemma.

Hence ≈ is a labelled bisimulation, and ≈ ⊆ ≈l , since ≈l is the largestlabelled bisimulation.



Conclusion

Importance of detailed proofs.

Could be interesting to formalize in a theorem prover, e.g. Coq.

Partial normal forms are likely to be useful for proving many otherresults about the applied pi calculus.

With the minor changes we made, one should be able to show that

The plain processes of the applied pi calculus are a subset of theProVerif input language.The semantics and the notions of observational equivalence match.

Does anybody want to read the draft?


the applied pi calculus with proofs · introductionthe languagemain theoremproofconclusion the...

Documents