A formalization of the spi calculus in Coq

Extension of the pi calculus that incorporates cryptographic messages [AG98]. To model and study cryptographic protocols. Sébastien Briais (ENS Lyon).
A formalization of the spi calculus in Coq Sébastien Briais École Normale Supérieure de Lyon

INRIA-Microsoft Research 2007, November 29th Orsay, FRANCE


Plan

1. The spi calculus
2. ... in Coq
3. Proofs


The spi calculus

Syntax and labelled semantics

An extension of the pi calculus that incorporates cryptographic messages [AG98], used to model and study cryptographic protocols.

Syntax

Countably infinite set of names $\mathcal{N}$: communication channels, nonces, atomic data, ...

Messages: $M, N ::= x \mid (M\,.\,N) \mid \mathrm{Enc}^{s}_{N}\,M$

Expressions: $E, F ::= x \mid (E\,.\,F) \mid \mathrm{Enc}^{s}_{F}\,E \mid \pi_1(E) \mid \pi_2(E) \mid \mathrm{Dec}^{s}_{F}\,E$

Guards: $\phi ::= [\,E = F\,] \mid [\,E : \mathcal{N}\,]$

Syntax (continued)

Processes: $P, Q ::= \mathbf{0} \mid E(x).P \mid E\langle F\rangle.P \mid \phi P \mid (\nu x)\,P \mid P \mathbin{|} Q \mid P + Q \mid\, !P$

Evaluation of expressions and guards

Expressions:

$$
\begin{array}{lcll}
e_c(a) & := & a & \\
e_c(\mathrm{Enc}^{s}_{F}\,E) & := & \mathrm{Enc}^{s}_{N}\,M & \text{if } e_c(E) = M \in \mathcal{M} \text{ and } e_c(F) = N \in \mathcal{M} \\
e_c((E_1\,.\,E_2)) & := & (M_1\,.\,M_2) & \text{if } e_c(E_1) = M_1 \in \mathcal{M} \text{ and } e_c(E_2) = M_2 \in \mathcal{M} \\
e_c(\mathrm{Dec}^{s}_{F}\,E) & := & M & \text{if } e_c(E) = \mathrm{Enc}^{s}_{N}\,M \in \mathcal{M} \text{ and } e_c(F) = N \in \mathcal{M} \\
e_c(\pi_1(E)) & := & M_1 & \text{if } e_c(E) = (M_1\,.\,M_2) \in \mathcal{M} \\
e_c(\pi_2(E)) & := & M_2 & \text{if } e_c(E) = (M_1\,.\,M_2) \in \mathcal{M} \\
e_c(E) & := & \bot & \text{otherwise}
\end{array}
$$

Syntax (continued)

Agents: $A ::= P \mid (x)P \mid (\nu\tilde{z})\,\langle M\rangle P$ where $\{\tilde{z}\} \subseteq n(M)$

Operations on agents

Pseudo-application: if $F = (x)P$ is an abstraction and $C = (\nu\tilde{z})\,\langle M\rangle Q$ is a concretion (with $\{\tilde{z}\} \cap \mathrm{fn}(P) = \emptyset$), then

$$F \bullet C := (\nu\tilde{z})\,(P\{M/x\} \mathbin{|} Q)$$

Evaluation of expressions and guards

Guards:

$$
\begin{array}{lcll}
e([\,E = F\,]) & := & \mathrm{true} & \text{if } e_c(E) = e_c(F) = M \in \mathcal{M} \\
e([\,E : \mathcal{N}\,]) & := & \mathrm{true} & \text{if } e_c(E) = a \in \mathcal{N} \\
e(\phi) & := & \mathrm{false} & \text{otherwise}
\end{array}
$$

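Late LTS

$$
\text{INPUT}\quad \frac{e_c(E) = a \in \mathcal{N}}{E(x).P \xrightarrow{a} (x)P}
\qquad
\text{OUTPUT}\quad \frac{e_c(E) = a \in \mathcal{N} \quad e_c(F) = M \in \mathcal{M}}{E\langle F\rangle.P \xrightarrow{a} \langle M\rangle P}
$$

$$
\text{CLOSE-L}\quad \frac{P \xrightarrow{a} F \quad Q \xrightarrow{a} C}{P \mathbin{|} Q \xrightarrow{\tau} F \bullet C}
\qquad
\text{IFTHEN}\quad \frac{P \xrightarrow{\mu} P' \quad e(\phi) = \mathrm{true}}{\phi P \xrightarrow{\mu} P'}
$$

$$
\text{RES}\quad \frac{P \xrightarrow{\mu} A \quad z \notin n(\mu)}{(\nu z)\,P \xrightarrow{\mu} (\boldsymbol{\nu} z)\,A}
\qquad
\text{PAR-L}\quad \frac{P \xrightarrow{\mu} A}{P \mathbin{|} Q \xrightarrow{\mu} A \mathbin{|} Q}
$$

+ SUM, REP- and ALPHA.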

Hedged bisimulation


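Bisimulations

Two processes are bisimilar if they can play the same transitions, i.e. they obey the game

$$
\begin{array}{ccc}
P & \mathcal{R} & Q \\
\downarrow{\scriptstyle\mu} & & \downarrow{\scriptstyle\mu} \\
P' & \mathcal{R} & Q'
\end{array}
\qquad\text{and}\qquad
\begin{array}{ccc}
Q & \mathcal{R} & P \\
\downarrow{\scriptstyle\mu} & & \downarrow{\scriptstyle\mu} \\
Q' & \mathcal{R} & P'
\end{array}
$$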

Bisimulations in the spi calculus

Bisimulations of the pi calculus are too fine-grained. Indeed, let

$$P(c, M) := (\nu k)\, c\langle \mathrm{Enc}^{s}_{k}\,M\rangle.\mathbf{0} \qquad (\text{where } k \notin \{c\} \cup n(M))$$

Requiring an exact match between actions distinguishes $P(c, M)$ from $P(c, N)$, whereas these two processes should be considered equivalent (since the encryption key is not disclosed to the environment).

Environment-sensitive bisimulations: extend the notion of bisimulation with a data structure that encodes the environment's knowledge. Framed bisimulation (Abadi, Gordon), alley bisimulation (Boreale et al.), hedged bisimulation (Borgström, Nestmann), ...

The attacker knowledge represented as hedges

A hedge $h \in \mathcal{H}$ is a finite set of pairs of messages. Intuitively, $(M, N) \in h$ means that $M$ and $N$ are indistinguishable.

Hedged relations

A hedged relation $\mathcal{R}$ is a subset of $\mathcal{H} \times \mathcal{P} \times \mathcal{P}$ such that whenever $(h, P, Q) \in \mathcal{R}$, we have $\mathrm{fn}(P) \subseteq n(\pi_1(h))$ and $\mathrm{fn}(Q) \subseteq n(\pi_2(h))$.

A hedged relation $\mathcal{R}$ is symmetric if whenever $(h, P, Q) \in \mathcal{R}$ we have $(h^{-1}, Q, P) \in \mathcal{R}$.


Late hedged bisimulation

A symmetric hedged relation $\mathcal{R}$ is a (strong) late hedged bisimulation if whenever $(h, P, Q) \in \mathcal{R}$, we have that

1. if $P \xrightarrow{\tau} P'$ then there exists $Q'$ such that $Q \xrightarrow{\tau} Q'$ and $(h, P', Q') \in \mathcal{R}$
2. if $P \xrightarrow{a} (x)P'$ (with $x \notin n(\pi_1(h))$) and $(a, b) \in h$ then there exist $y$ and $Q'$ such that $Q \xrightarrow{b} (y)Q'$ (with $y \notin n(\pi_2(h))$) and for all $M$ we have $(h, P'\{M/x\}, Q'\{M/y\}) \in \mathcal{R}$.

The attacker knowledge represented as hedges

The synthesis $\mathcal{S}(h)$ of a hedge $h$:

$$
\text{SYN-INC}\quad \frac{(M, N) \in h}{(M, N) \in \mathcal{S}(h)}
$$

$$
\text{SYN-ENC-S}\quad \frac{(M_1, N_1) \in \mathcal{S}(h) \quad (M_2, N_2) \in \mathcal{S}(h)}{(\mathrm{Enc}^{s}_{M_2}\,M_1,\ \mathrm{Enc}^{s}_{N_2}\,N_1) \in \mathcal{S}(h)}
$$

$$
\text{SYN-PAIR}\quad \frac{(M_1, N_1) \in \mathcal{S}(h) \quad (M_2, N_2) \in \mathcal{S}(h)}{((M_1\,.\,M_2),\ (N_1\,.\,N_2)) \in \mathcal{S}(h)}
$$

Late hedged bisimulation

With the synthesis, the end of clause 2 becomes: for all $(M, N) \in \mathcal{S}(h)$ we have $(h, P'\{M/x\}, Q'\{N/y\}) \in \mathcal{R}$.


Late hedged bisimulation

A symmetric hedged relation $\mathcal{R}$ is a (strong) late hedged bisimulation if whenever $(h, P, Q) \in \mathcal{R}$, we have that

1. if $P \xrightarrow{\tau} P'$ then there exists $Q'$ such that $Q \xrightarrow{\tau} Q'$ and $(h, P', Q') \in \mathcal{R}$
2. if $P \xrightarrow{a} (x)P'$ (with $x \notin n(\pi_1(h))$) and $(a, b) \in h$ then there exist $y$ and $Q'$ such that $Q \xrightarrow{b} (y)Q'$ (with $y \notin n(\pi_2(h))$) and for all $B$ and $(M, N)$ such that $h \vdash_B (M, N)$ we have $(h \cup B, P'\{M/x\}, Q'\{N/y\}) \in \mathcal{R}$.
3. if $P \xrightarrow{a} (\nu\tilde{c})\,\langle M\rangle P'$ (with $\{\tilde{c}\} \cap n(\pi_1(h)) = \emptyset$) and $(a, b) \in h$ then there exist $\tilde{d}$, $Q'$ and $N$ such that $Q \xrightarrow{b} (\nu\tilde{d})\,\langle N\rangle Q'$ (with $\{\tilde{d}\} \cap n(\pi_2(h)) = \emptyset$) and $(h \cup \{(M, N)\}, P', Q') \in \mathcal{R}$.

Analysis of a hedge

The analysis $\mathcal{A}(h)$ is the smallest hedge that is closed by $\mathrm{analz}(\cdot)$.

$$
\text{ANA-INC}\quad \frac{(M, N) \in h}{(M, N) \in \mathrm{analz}(h)}
\qquad
\text{ANA-DEC-S}\quad \frac{(\mathrm{Enc}^{s}_{M_2}\,M_1,\ \mathrm{Enc}^{s}_{N_2}\,N_1) \in \mathrm{analz}(h) \quad (M_2, N_2) \in \mathcal{S}(h)}{(M_1, N_1) \in \mathrm{analz}(h)}
$$

$$
\text{ANA-FST}\quad \frac{((M_1\,.\,M_2),\ (N_1\,.\,N_2)) \in \mathrm{analz}(h)}{(M_1, N_1) \in \mathrm{analz}(h)}
\qquad
\text{ANA-SND}\quad \frac{((M_1\,.\,M_2),\ (N_1\,.\,N_2)) \in \mathrm{analz}(h)}{(M_2, N_2) \in \mathrm{analz}(h)}
$$

Late hedged bisimulation

With the analysis, the end of clause 3 becomes: $(\mathcal{A}(h \cup \{(M, N)\}), P', Q') \in \mathcal{R}$.

Irreducibles

$\mathcal{I}(h)$ is the smallest hedge such that $\mathcal{S}(\mathcal{I}(h)) = \mathcal{S}(\mathcal{A}(h))$.

A hedge $h$ is irreducible iff $\mathcal{I}(h) = h$.

Late hedged bisimulation

With irreducibles, the end of clause 3 becomes: $(\mathcal{I}(h \cup \{(M, N)\}), P', Q') \in \mathcal{R}$.

Irreducibles, consistency

A hedge $h$ is consistent iff, whenever $(M, N) \in h$:

- $M \in \mathcal{N} \iff N \in \mathcal{N}$
- whenever $(M', N') \in h$: $M = M' \iff N = N'$
- $M \neq (M_1\,.\,M_2)$ and $N \neq (N_1\,.\,N_2)$
- if $M = \mathrm{Enc}^{s}_{M_2}\,M_1$ then $(M_2, N_2) \notin \mathcal{S}(h)$
- if $N = \mathrm{Enc}^{s}_{N_2}\,N_1$ then $(M_2, N_2) \notin \mathcal{S}(h)$

A consistent hedge is irreducible.

Hedged relations

A hedged relation $\mathcal{R}$ is consistent if whenever $(h, P, Q) \in \mathcal{R}$, we have that $h$ is a consistent hedge.

Late hedged bisimulation

A symmetric consistent hedged relation $\mathcal{R}$ is a (strong) late hedged bisimulation if whenever $(h, P, Q) \in \mathcal{R}$, we have that

1. if $P \xrightarrow{\tau} P'$ then there exists $Q'$ such that $Q \xrightarrow{\tau} Q'$ and $(h, P', Q') \in \mathcal{R}$
2. if $P \xrightarrow{a} (x)P'$ (with $x \notin n(\pi_1(h))$) and $(a, b) \in h$ then there exist $y$ and $Q'$ such that $Q \xrightarrow{b} (y)Q'$ (with $y \notin n(\pi_2(h))$) and for all $B$ and $(M, N)$ such that $h \vdash_B (M, N)$ we have $(h \cup B, P'\{M/x\}, Q'\{N/y\}) \in \mathcal{R}$.
3. if $P \xrightarrow{a} (\nu\tilde{c})\,\langle M\rangle P'$ (with $\{\tilde{c}\} \cap n(\pi_1(h)) = \emptyset$) and $(a, b) \in h$ then there exist $\tilde{d}$, $Q'$ and $N$ such that $Q \xrightarrow{b} (\nu\tilde{d})\,\langle N\rangle Q'$ (with $\{\tilde{d}\} \cap n(\pi_2(h)) = \emptyset$) and $(\mathcal{I}(h \cup \{(M, N)\}), P', Q') \in \mathcal{R}$.

Other LTS

A word on open hedged bisimulation

We have defined an open variant of late hedged bisimulation, following Sangiorgi’s idea of open bisimulation in the pi calculus. The idea is to move the instantiation of input names before the transitions take place. For instance, the input clause roughly becomes:

[Diagram: for substitutions $(\sigma, \rho)$, the transition $P\sigma \xrightarrow{a} (x)P'$ is matched by $Q\rho \xrightarrow{b} (y)Q'$.]

A symbolic LTS

Idea: record, without checking them, the conditions needed to enable transitions.

Abstract (or symbolic) evaluation of expressions:

$$
\begin{array}{lcll}
e_a(a) & := & a & \text{if } a \in \mathcal{N} \\
e_a(\mathrm{Enc}^{s}_{F}\,E) & := & \mathrm{Enc}^{s}_{e_a(F)}\,e_a(E) & \\
e_a((E\,.\,F)) & := & (e_a(E)\,.\,e_a(F)) & \\
e_a(\mathrm{Dec}^{s}_{F}\,E) & := & E_1 & \text{if } e_a(E) = \mathrm{Enc}^{s}_{E_2}\,E_1 \\
 & & \mathrm{Dec}^{s}_{e_a(F)}\,e_a(E) & \text{otherwise} \\
e_a(\pi_1(E)) & := & E_1 & \text{if } e_a(E) = (E_1\,.\,E_2) \\
 & & \pi_1(e_a(E)) & \text{otherwise} \\
e_a(\pi_2(E)) & := & E_2 & \text{if } e_a(E) = (E_1\,.\,E_2) \\
 & & \pi_2(e_a(E)) & \text{otherwise}
\end{array}
$$

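$$
\text{S-INPUT}\quad E(x).P \xmapsto[\{[\,E : \mathcal{N}\,]\}]{e_a(E)} (x)P
\qquad
\text{S-OUTPUT}\quad E\langle F\rangle.P \xmapsto[\{[\,E : \mathcal{N}\,],\,[\,F : \mathcal{M}\,]\}]{e_a(E)} \langle e_a(F)\rangle P
$$

$$
\text{S-GUARD}\quad \frac{P \xmapsto[c]{\mu} A}{\phi P \xmapsto[c \,\&\, \{\phi\}]{\mu} A}
\qquad
\text{S-CLOSE-L}\quad \frac{P \xmapsto[c_1]{E} F \quad Q \xmapsto[c_2]{E'} C}{P \mathbin{|} Q \xmapsto[\{[\,E = E'\,]\} \,\&\, c_1 \,\&\, c_2]{\tau} F \bullet C}
$$

$$
\text{S-RES}\quad \frac{P \xmapsto[c]{\mu} A \quad z \notin n(\mu)}{(\nu z)\,P \xmapsto[\nu^{+}(z, c)]{\mu} (\boldsymbol{\nu} z)\,A}
$$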

... in Coq


Motivations

Why formalize in Coq?

- Dream: extract a certified (correct by construction) bisimulation checker.
- Validate hand-written proofs.
- Provide an interactive framework to reason formally about cryptographic protocols within the spi calculus model.
- It’s fun!

Binders

Representation of binders

There exist several techniques to encode binders:

- de Bruijn indices
- locally nameless
- higher-order abstract syntax
- nominal

We have chosen de Bruijn representation.

de Bruijn representation

Representation of $a(x).[\,\mathrm{Dec}^{s}_{k}\,x : \mathcal{M}\,]\,(\nu l)\, b\langle l\rangle.\mathbf{0}$:

[Diagram: name stack ... z y x ... l k j ... c b a]

$$0\lambda.\,[\,\mathrm{Dec}^{s}_{11}\,0 : \mathcal{M}\,]\;\nu\;3\langle 0\rangle.\mathbf{0}$$

Operations on de Bruijn indices

Parametrised by the binding depth $d$:

- $\mathrm{mem}_d(i, t)$ returns true iff $i$ is free in $t$
- $\mathrm{lift}_d(k, t)$ makes room for $k$ new binders in $t$

Used in parallel composition of an agent and a process:

$$
\begin{array}{lcl}
(\lambda.P) \mathbin{|} Q & := & \lambda.(P \mathbin{|} \mathrm{lift}_0(1, Q)) \\
(\nu^{k}\langle F\rangle P) \mathbin{|} Q & := & \nu^{k}\langle F\rangle (P \mathbin{|} \mathrm{lift}_0(k, Q))
\end{array}
$$

For instance (name stack ... z y x ... c b a), composing $\lambda.1\langle 0\rangle.\mathbf{0}$ with $0\lambda.0\langle 24\rangle.\mathbf{0}$ yields

$$\lambda.(\,1\langle 0\rangle.\mathbf{0} \mathbin{|} 1\lambda.0\langle 25\rangle.\mathbf{0}\,)$$

$\mathrm{swap}_d(k, t)$ makes a circular permutation of the $k$ first indices in $t$.

$\mathrm{low}_d(t)$ removes the first index.

Used in restriction of an agent:

$$
\begin{array}{lcll}
\nu\,(\lambda.P) & := & \lambda.\nu\,\mathrm{swap}_0(1, P) & \\
\nu\,(\nu^{k}\langle F\rangle P) & := & \nu^{k+1}\langle F\rangle P & \text{if } \mathrm{mem}_k(0, F) = \mathrm{true} \\
 & := & \nu^{k}\langle \mathrm{low}_k(F)\rangle\,\nu\,\mathrm{swap}_0(k, P) & \text{otherwise}
\end{array}
$$

$\mathrm{lsubst}_d(k, E, t)$ substitutes the $|E|$ first indices with the corresponding expression of $E$ in $t$. The $k$ first indices are bound in $E$.

$$(\lambda.P) \bullet (\nu^{k}\langle F\rangle Q) := \nu^{k}\,(\mathrm{lsubst}_0(k, F, P) \mathbin{|} Q)$$

Concretely in Coq

We have several types: names, messages, expressions, guards, processes, agents. These “de Bruijn” operations should be defined for each of these types, i.e.:

    Definition name_lift (d:nat) (k:nat) (x:name) : name := ...
    Definition message_lift ...
    Definition expression_lift ...
    Definition formula_lift ...
    Definition process_lift ...
    Definition agent_lift ...

and similarly for the other operations. Moreover, several (about 60) facts hold for these operations. For instance, we have:

$$\forall d, d', k, k', x :\ \mathrm{swap}_{d+k+d'}(k', \mathrm{lift}_d(k, x)) = \mathrm{lift}_d(k, \mathrm{swap}_{d+d'}(k', x))$$

Abstracting de Bruijn indices

This is not scalable and tedious. Instead, define and specify all these operations on names and lift them to other types thanks to “good” iterators.

In practice:

[Diagram: deBruijnNat, deBruijnType; definitions of de Bruijn operations, proofs of technical results; specifications of de Bruijn operations, definitions of “lifters”; name, message, expression, formulae, process, agents.]
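The lifting idea above, as an added example in Python (not the Coq development described in the talk): lift and mem are written once on names and carried to processes by a single iterator, and the slide's composition instance is recomputed next to a variant that forgets the lift. The tuple encoding, the restriction of expressions to plain names, and the helper names `map_names`, `par_agent`, `naive_par_agent` and `q_keeps_name` are assumptions of the example.

```python
# Processes over de Bruijn indices (names are natural numbers):
#   ("nil",)            0
#   ("in", e, p)        e λ.p    input; binds index 0 in p
#   ("out", e, f, p)    e<f>.p   output
#   ("par", p, q)       p | q
#   ("nu", p)           ν p      restriction; binds index 0 in p
# Agents: ("abs", p) is λ.p and ("conc", k, f, p) is ν^k <f> p.
# Expressions are restricted to plain names (assumption of this example).
NIL = ("nil",)


def map_names(f, d, t):
    """Iterator: rebuild t with f(depth, i) at every index i, where depth is
    d plus the number of binders crossed to reach i."""
    tag = t[0]
    if tag == "nil":
        return t
    if tag == "in":
        return ("in", f(d, t[1]), map_names(f, d + 1, t[2]))
    if tag == "out":
        return ("out", f(d, t[1]), f(d, t[2]), map_names(f, d, t[3]))
    if tag == "par":
        return ("par", map_names(f, d, t[1]), map_names(f, d, t[2]))
    if tag == "nu":
        return ("nu", map_names(f, d + 1, t[1]))
    raise ValueError(f"unknown constructor {tag!r}")


def name_lift(d, k, x):
    """lift_d(k, x) on a name: indices below d are bound and stay put."""
    return x + k if x >= d else x


def process_lift(d, k, p):
    """lift_d(k, p), obtained from name_lift through the iterator."""
    return map_names(lambda depth, x: name_lift(depth, k, x), d, p)


def process_mem(d, i, p):
    """mem_d(i, p): does the free index i occur in p (d indices are bound)?"""
    hits = []

    def visit(depth, x):
        hits.append(x - depth == i)
        return x

    map_names(visit, d, p)
    return any(hits)


def par_agent(agent, q):
    """Parallel composition of an agent and a process, as on the slide."""
    if agent[0] == "abs":
        return ("abs", ("par", agent[1], process_lift(0, 1, q)))
    if agent[0] == "conc":
        _, k, f, p = agent
        return ("conc", k, f, ("par", p, process_lift(0, k, q)))
    raise ValueError("not an agent")


def naive_par_agent(agent, q):
    """Deliberately wrong variant for abstractions: q is moved under the
    binder without lifting, so its free index 0 is captured."""
    return ("abs", ("par", agent[1], q))


# The slide's instance: (λ.1<0>.0) | (0λ.0<24>.0)
ABSTRACTION = ("abs", ("out", 1, 0, NIL))
Q = ("in", 0, ("out", 0, 24, NIL))


def q_keeps_name(composed, i):
    """q now sits under one binder: is its free name i still free there?"""
    return process_mem(1, i, composed[1][2])


if __name__ == "__main__":
    print(par_agent(ABSTRACTION, Q))
    print(q_keeps_name(par_agent(ABSTRACTION, Q), 0))
    print(q_keeps_name(naive_par_agent(ABSTRACTION, Q), 0))
```

Without the lift, the channel of Q silently becomes the variable bound by the abstraction, which is the kind of capture error the specified operations are meant to rule out.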

Semantics

Abstracting the LTS

There are several LTS to define. Some properties are shared (for instance, structural congruence preserves the semantics). These LTS all follow the same pattern. Instead of defining each LTS separately, we make a functor and thus defer the definition of the semantics to the definitions of the semantics of actions.

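Actions

We rely on a set of actions $\mathcal{A}$ and several functions to manipulate them:

$$
\begin{array}{lll}
\mathrm{mkSil} : \mathcal{A} & & \text{(silent)} \\
\mathrm{mkInp} : \mathcal{E} \to \mathcal{A} \cup \{\bot\} & & \text{(input)} \\
\mathrm{mkOutp} : \mathcal{E} \times \mathcal{E} \to (\mathcal{A} \times \mathcal{E}) \cup \{\bot\} & & \text{(output)} \\
\mathrm{mkRes} : \mathcal{A} \to \mathcal{A} \cup \{\bot\} & & \text{(restriction)} \\
\mathrm{mkIf} : \mathcal{F} \times \mathcal{A} \to \mathcal{A} \cup \{\bot\} & & \text{(guard)} \\
\mathrm{mkInt} : \mathcal{A} \times \mathcal{A} \to \mathcal{A} \cup \{\bot\} & & \text{(interact)}
\end{array}
$$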

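The functor that defines an LTS

$$
\text{SILENT}\quad \tau.P \xrightarrow{\mathrm{mkSil}} P
\qquad
\text{INPUT}\quad \frac{\mathrm{mkInp}(E) = \alpha \in \mathcal{A}}{E\lambda.P \xrightarrow{\alpha} \lambda.P}
\qquad
\text{OUTPUT}\quad \frac{\mathrm{mkOutp}(E, F) = (\alpha, M) \in \mathcal{A} \times \mathcal{E}}{E\langle F\rangle.P \xrightarrow{\alpha} \langle M\rangle P}
$$

$$
\text{CLOSE-L}\quad \frac{P \xrightarrow{\alpha} F \quad Q \xrightarrow{\beta} C \quad \mathrm{mkInt}(\alpha, \beta) = \gamma \in \mathcal{A}}{P \mathbin{|} Q \xrightarrow{\gamma} F \bullet C}
\qquad
\text{RES}\quad \frac{P \xrightarrow{\alpha} A \quad \mathrm{mkRes}(\alpha) = \beta \in \mathcal{A}}{\nu P \xrightarrow{\beta} \nu A}
$$

$$
\text{IFTHEN}\quad \frac{P \xrightarrow{\alpha} P' \quad \mathrm{mkIf}(\phi, \alpha) = \beta \in \mathcal{A}}{\phi P \xrightarrow{\beta} P'}
\qquad
\text{PAR-L}\quad \frac{P \xrightarrow{\alpha} A}{P \mathbin{|} Q \xrightarrow{\alpha} A \mathbin{|} Q}
\qquad
\text{SUM-L}\quad \frac{P \xrightarrow{\alpha} A}{P + Q \xrightarrow{\alpha} A}
$$

$$
\text{REP-ACT}\quad \frac{P \xrightarrow{\alpha} A}{!P \xrightarrow{\alpha} A \mathbin{|} !P}
\qquad
\text{REP-CLOSE}\quad \frac{P \xrightarrow{\alpha} F \quad P \xrightarrow{\beta} C \quad \mathrm{mkInt}(\alpha, \beta) = \gamma \in \mathcal{A}}{!P \xrightarrow{\gamma} (F \bullet C) \mathbin{|} !P}
$$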

Proofs


Structural congruence

Structural congruence preserves the semantics

$P \equiv Q$ iff $P$ and $Q$ intuitively represent the same process. For instance, $(\mathcal{P}, +, \mathbf{0})$ and $(\mathcal{P}, \mathbin{|}, \mathbf{0})$ are monoids. We extend this definition to agents. A classical result is

Theorem. If $P \equiv Q$ and $P \xrightarrow{\mu} A$ then there exists $B$ such that $A \equiv B$ and $Q \xrightarrow{\mu} B$.


This theorem constitutes a good crash test for our formalization. With our definitions, we show

Theorem. If the set of actions $\mathcal{A}$ and the functions mkSil, mkInp, ... satisfy some conditions, then if $P \equiv Q$ and $P \xrightarrow{\alpha} A$ then there exist $\beta$ and $B$ such that $A \equiv B$, $Q \xrightarrow{\beta} B$ and $\alpha = \beta$.

Thanks to our formalization, we have noticed that this result does not hold for the symbolic LTS! Indeed, let $P := (\nu x)\, x(z).\mathbf{0}$ and $Q := y\langle k\rangle.\mathbf{0}$. We have $P \mathbin{|} Q \equiv (\nu x)\,(x(z).\mathbf{0} \mathbin{|} y\langle k\rangle.\mathbf{0})$. $P \mathbin{|} Q$ cannot perform any internal transition whereas

$$(\nu x)\,(x(z).\mathbf{0} \mathbin{|} y\langle k\rangle.\mathbf{0}) \xmapsto[(\nu x)\,\{[\,x : \mathcal{N}\,],\,[\,y : \mathcal{N}\,],\,[\,x = y\,],\,[\,k : \mathcal{M}\,]\}]{\tau} (\nu x)\,(\mathbf{0} \mathbin{|} \mathbf{0})$$

Hedges

Back to the analysis

We defined the analysis $\mathcal{A}(h)$ as being the smallest hedge that is closed by $\mathrm{analz}(\cdot)$. In Coq, this requires some work to show that this definition makes sense. To show the existence, we exhibit a multiset that strictly decreases. Fortunately, the CoLoR library shows that multiset ordering is well-founded.

Examples of bisimulation

A small example of bisimulation

Define $P(c, M) := (\nu k)\, c\langle \mathrm{Enc}^{s}_{k}\,M\rangle.\mathbf{0}$ where $k \notin \{c\} \cup n(M)$. We show that for any $c$, $M$ and $N$ we have $P(c, M) \mathrel{\dot\sim^{h}_{LH}} P(c, N)$ where $h = \mathcal{I}(\{(c, c), (M, M), (N, N)\})$.

In Coq: $P(c, M) := \nu\, \mathrm{lift}_0(1, c)\langle \mathrm{Enc}^{s}_{0}\, \mathrm{lift}_0(1, M)\rangle.\mathbf{0}$.

We exhibit a late hedged bisimulation:

$$
\begin{array}{rcl}
\mathcal{R} & := & \{(h_0(c, M, N),\ P(c, M),\ P(c, N))\} \\
 & \cup & \{(h_1(c, M, N, k, k),\ \mathbf{0},\ \mathbf{0}) \mid k \notin n(h_0(c, M, N))\} \\
 & \cup & \{(h_0(c, N, M),\ P(c, N),\ P(c, M))\} \\
 & \cup & \{(h_1(c, N, M, k, k),\ \mathbf{0},\ \mathbf{0}) \mid k \notin n(h_0(c, N, M))\}
\end{array}
$$

where

$$
\begin{array}{rcl}
h_0(c, M, N) & := & \mathcal{I}(\{(c, c), (M, M), (N, N)\}) \\
h_1(c, M, N, k, l) & := & h_0 \cup \{(\mathrm{Enc}^{s}_{k}\,M,\ \mathrm{Enc}^{s}_{k}\,N)\}
\end{array}
$$

A variant

Define $Q(c, M, M') = (\nu k)\, c\langle \mathrm{Enc}^{s}_{k}\,M\rangle.c\langle \mathrm{Enc}^{s}_{k}\,M'\rangle.\mathbf{0}$ where $k \notin \{c\} \cup n(M, M')$. We show that for any $c$, $M$, $N$ and $N'$, if $N \neq N'$ then there is no hedge $h$ such that $(c, c) \in h$ (i.e. the channel $c$ is known by the attacker) and $Q(c, M, M) \mathrel{\dot\sim^{h}_{LH}} Q(c, N, N')$.

The proof proceeds by contradiction.

$$
\begin{array}{rcl}
h' & := & \mathcal{I}(h \cup \{(\mathrm{Enc}^{s}_{k}\,M,\ \mathrm{Enc}^{s}_{l}\,N)\}) \\
h'' & := & \mathcal{I}(h' \cup \{(\mathrm{Enc}^{s}_{k}\,M,\ \mathrm{Enc}^{s}_{l}\,N')\})
\end{array}
$$

At some point, we have that $h''$ is consistent. This necessarily implies that $N = N'$.
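The consistency argument of the variant above, as an added example in Python (not part of the slides or of the Coq development): it implements synthesis, analysis, irreducibles and the consistency conditions for hedges, then builds the hedge reached after the two outputs. Assumptions of the example: the tuple encoding of messages, the way I(h) is computed, the reading of the key side conditions stated in the comments, and the constructed names c, k, l, m, n, n2.

```python
# Messages: a name is a str; ("pair", M1, M2) is (M1 . M2);
# ("enc", M, K) is Enc^s_K M. A hedge is a set of (M, N) pairs.
# This tuple encoding is an assumption of the example.

def pair(m1, m2):
    return ("pair", m1, m2)


def enc(body, key):
    return ("enc", body, key)


def is_name(m):
    return isinstance(m, str)


def synth(h, m, n):
    """(m, n) in S(h), by SYN-INC, SYN-ENC-S and SYN-PAIR."""
    if (m, n) in h:
        return True
    if is_name(m) or is_name(n) or m[0] != n[0]:
        return False
    return synth(h, m[1], n[1]) and synth(h, m[2], n[2])


def analysis(h):
    """A(h): least hedge containing h, closed under ANA-FST/SND/DEC-S."""
    h = set(h)
    changed = True
    while changed:
        changed = False
        for m, n in list(h):
            if is_name(m) or is_name(n) or m[0] != n[0]:
                continue
            if m[0] == "pair":
                new = {(m[1], n[1]), (m[2], n[2])}
            elif synth(h, m[2], n[2]):      # ANA-DEC-S: both keys synthesizable
                new = {(m[1], n[1])}
            else:
                new = set()
            if not new <= h:
                h |= new
                changed = True
    return h


def irreducibles(h):
    """I(h), computed here by dropping from A(h) every pair that synthesis can
    rebuild from the remaining ones (implementation choice of this example)."""
    a = analysis(h)
    return {p for p in a if not synth(a - {p}, *p)}


def known(h, m):
    """True iff some (m, _) is in S(h). Assumption: the key side conditions of
    consistency are read as 'the key is not the left part of a pair of S(h)'."""
    if any(m == a for a, _ in h):
        return True
    return not is_name(m) and known(h, m[1]) and known(h, m[2])


def consistent(h):
    inverse = {(n, m) for m, n in h}
    for m, n in h:
        if is_name(m) != is_name(n):                      # M name <=> N name
            return False
        if any((m == m2) != (n == n2) for m2, n2 in h):   # M = M' <=> N = N'
            return False
        if is_name(m):
            continue
        if m[0] == "pair" or n[0] == "pair":              # no pair is left
            return False
        if known(h, m[2]) or known(inverse, n[2]):        # keys stay unknown
            return False
    return True


def after_outputs(h, outputs):
    """Output clause of the bisimulation: h := I(h ∪ {(M, N)}) per output."""
    for mn in outputs:
        h = irreducibles(set(h) | {mn})
    return h


def variant(n1, n2):
    """Hedge reached after Q(c, m, m) and Q(c, n1, n2) each emit their two
    ciphertexts, under fresh keys k and l (constructed names)."""
    first = (enc("m", "k"), enc(n1, "l"))
    second = (enc("m", "k"), enc(n2, "l"))
    return after_outputs({("c", "c")}, [first, second])


if __name__ == "__main__":
    print(consistent(variant("n", "n")))     # both sides repeat a ciphertext
    print(consistent(variant("n", "n2")))    # only the left side repeats
    leaked = after_outputs({("c", "c")},
                           [(enc("m", "k"), enc("n", "l")), ("k", "l")])
    print(sorted(leaked))                    # ciphertext pair replaced by (m, n)
```

The second hedge is rejected by the condition M = M' iff N = N': the attacker sees the same ciphertext twice on one side and two different ciphertexts on the other.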

Conclusion

We have formalized an “abstract” pi calculus

$$P, Q ::= \mathbf{0} \mid P + Q \mid P \mathbin{|} Q \mid\, !P \mid (\nu x)\,P \mid \tau.P \mid E(x).P \mid E\langle F\rangle.P \mid \phi P$$

and have made two instantiations of this calculus: monadic pi calculus and spi calculus.

We have shown a general theorem about structural congruence.

We have defined 3 LTS for the spi calculus and studied their properties. We have thus fixed several errors in the handwritten proofs.

We have formalized the hedges and then defined late hedged bisimulation in Coq.

Future work

- Continue the formalization until realizing our dream of having a correct-by-construction bisimulation checker.
- Test our de Bruijn “library” on other formalisms (POPLMark?)
- Develop tactics to ease reasoning in Coq with our framework.

Thanks! Questions?

Bibliography

- D. Sangiorgi. A Theory of Bisimulation for the π-calculus.
- M. Abadi and A. Gordon. A Calculus for Cryptographic Protocols: The Spi Calculus.
- J. Borgström, S. Briais and U. Nestmann. Symbolic Bisimulations in the Spi Calculus.
- S. Briais and U. Nestmann. Open Bisimulation, Revisited.

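Operations on agents

Pseudo-application: if $F = (x)P$ is an abstraction and $C = (\nu\tilde{z})\,\langle M\rangle Q$ is a concretion (with $\{\tilde{z}\} \cap \mathrm{fn}(P) = \emptyset$), then

$$F \bullet C := (\nu\tilde{z})\,(P\{M/x\} \mathbin{|} Q)$$

Restriction:

$$
\begin{array}{lcll}
(\boldsymbol{\nu} x)\,P & := & (\nu x)\,P & \\
(\boldsymbol{\nu} x)\,((y)P) & := & (y)(\nu x)\,P & \text{if } y \neq x \\
(\boldsymbol{\nu} x)\,((\nu\tilde{z})\,\langle M\rangle P) & := & (\nu\tilde{z})\,\langle M\rangle (\nu x)\,P & \text{if } y \notin \{\tilde{z}\} \text{ and } x \notin n(M) \\
(\boldsymbol{\nu} x)\,((\nu\tilde{z})\,\langle M\rangle P) & := & (\nu x\tilde{z})\,\langle M\rangle P & \text{if } y \notin \{\tilde{z}\} \text{ and } x \in n(M)
\end{array}
$$

Parallel composition:

$$
\begin{array}{lcll}
((x)P) \mathbin{|} Q & := & (x)(P \mathbin{|} Q) & \text{if } x \notin \mathrm{fn}(Q) \\
((\nu\tilde{z})\,\langle M\rangle P) \mathbin{|} Q & := & (\nu\tilde{z})\,\langle M\rangle (P \mathbin{|} Q) & \text{if } \{\tilde{z}\} \cap \mathrm{fn}(Q) = \emptyset
\end{array}
$$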

Possible inputs

Let $h \in \mathcal{H}$ and $(M, N) \in \mathcal{M} \times \mathcal{M}$.

Let $B \subseteq \mathcal{N} \times \mathcal{N}$ be a consistent hedge such that

$$\pi_1(B) \cap n(\pi_1(h)) = \emptyset \qquad \pi_2(B) \cap n(\pi_2(h)) = \emptyset$$

i.e. the names of $B$ are fresh component-wise w.r.t. those of $h$.

We write $h \vdash_B (M, N)$ if

- $\forall (b_1, b_2) \in B :\ b_1 \in n(M) \lor b_2 \in n(N)$
- $(M, N) \in \mathcal{S}(h \cup B)$

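A LTS that collects type constraints

$$
\text{NC-SILENT}\quad \tau.P \xhookrightarrow{\tau} P
\qquad
\text{NC-INPUT}\quad \frac{e_c(E) = a \in \mathcal{N}}{E(x).P \xhookrightarrow[\{a\}]{a} (x)P}
$$

$$
\text{NC-OUTPUT}\quad \frac{e_c(E) = a \in \mathcal{N} \quad e_c(F) = M \in \mathcal{M}}{E\langle F\rangle.P \xhookrightarrow[\{a\}]{a} \langle M\rangle P}
\qquad
\text{NC-IFTHEN}\quad \frac{P \xhookrightarrow[S]{\mu} A \quad e(\phi) = \mathrm{true}}{\phi P \xhookrightarrow[S \cup \mathrm{nc}(\phi)]{\mu} A}
$$

where $\mathrm{nc}([\,E : \mathcal{N}\,]) := \{e_c(E)\}$ and $\mathrm{nc}([\,E = F\,]) := \emptyset$.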

Theorem. The two semantics are equivalent:

1. If $P \xrightarrow{\mu} A$ there exists $S \subseteq \mathcal{N}$ such that $P \xhookrightarrow[S]{\mu} A$.
2. If $P \xhookrightarrow[S]{\mu} A$ then $P \xrightarrow{\mu} A$.

Lemma. If $P \xhookrightarrow[S]{\mu} A$ and $\sigma : \mathcal{N} \to \mathcal{M}$ is a substitution such that $S\sigma \subseteq \mathcal{N}$ then $P\sigma \xhookrightarrow[S\sigma]{\mu\sigma} A\sigma$.

A symbolic LTS

Idea: record, without checking them, the conditions needed to enable transitions.

A transition constraint has the form $(\nu\tilde{z})\,\Phi$ where $\Phi$ is a finite set of guards and $\tilde{z}$ is a finite set of names that occur in $\Phi$, i.e. $\{\tilde{z}\} \subseteq n(\Phi)$.

Composition of constraints:

- Conjunction of $c_1 = (\nu\tilde{z}_1)\,\Phi_1$ and $c_2 = (\nu\tilde{z}_2)\,\Phi_2$: $c_1 \,\&\, c_2 := (\Phi_1 \cup \Phi_2)$
- Restriction of name $x$. If $c = (\nu\tilde{z})\,\Phi$ and $x \notin \{\tilde{z}\}$: $\nu^{+}(x, c) := (\nu x\tilde{z})\,\Phi$ if $x \in \mathrm{fn}(c)$, and $\nu^{+}(x, c) := c$ otherwise

Define $>_o$ as being the smallest precongruence on expressions that satisfies:

$$
\begin{array}{ll}
\pi_1((E_1\,.\,E_2)) >_o E_1 & \text{if } e_c(E_2) \neq \bot \\
\pi_2((E_1\,.\,E_2)) >_o E_2 & \text{if } e_c(E_1) \neq \bot \\
\mathrm{Dec}^{s}_{E_2}\,\mathrm{Enc}^{s}_{E_2}\,E_1 >_o E_1 & \text{if } e_c(E_2) \neq \bot
\end{array}
$$

Extend this relation to agents in:

- $A >^{=}_{o} B$ ($A$, $B$ are concrete agents)
- $A >^{e}_{o} B$ ($A$ is symbolic, $B$ is concrete)

(two ways to handle concretions)

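Theorem. Let $P, Q \in \mathcal{P}$ and assume that $P >_o Q$.

1. If $P \xhookrightarrow[S]{\mu} A$ then $Q \xhookrightarrow[S]{\mu} B$ and $A >^{=}_{o} B$
2. If $Q \xhookrightarrow[S]{\mu} B$ then $P \xhookrightarrow[S]{\mu} A$ and $A >^{=}_{o} B$

Theorem. Let $P, Q \in \mathcal{P}$ and $\sigma : \mathcal{N} \to \mathcal{M}$ a substitution.

1. If $P \xmapsto[c]{\mu_s} A$ and $e(c\sigma) = \mathrm{true}$ then $P\sigma \xhookrightarrow[\mathrm{nc}(c\sigma)]{e_c(\mu_s\sigma)} B$ with $A\sigma >^{e}_{o} B$
2. If $P\sigma \xhookrightarrow[S]{\mu} B$ then $P \xmapsto[c]{\mu_s} A$ with $e(c\sigma) = \mathrm{true}$, $\mathrm{nc}(c\sigma) = S$, $e_c(\mu_s\sigma) = \mu$ and $A\sigma >^{e}_{o} B$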