The Cpi-calculus: a Model for Confidential Name Passing
Ivan Proki\'c (Faculty of Technical Sciences, University of Novi Sad,, Serbia)

TL;DR
The paper introduces the Cpi-calculus, a formal model extending pi-calculus to enforce confidentiality by preventing channels from being forwarded, thus controlling information dissemination in distributed systems.
Contribution
It presents a subcalculus of pi-calculus where channels are confidential and cannot be forwarded, enabling formal reasoning about privacy without extra language constructs.
Findings
Channels cannot be forwarded once received
Encoding of pi-calculus into Cpi-calculus demonstrated
Representation of privacy notions like group creation and name hiding
Abstract
Sharing confidential information in distributed systems is a necessity in many applications, however, it opens the problem of controlling information sharing even among trusted parties. In this paper, we present a formal model in which dissemination of information is disabled at the level of the syntax in a direct way. We introduce a subcalculus of the pi-calculus in which channels are considered as confidential information. The only difference with respect to the pi-calculus is that channels once received cannot be forwarded later on. By means of examples, we give an initial idea of how some privacy notions already studied in the past, such as group creation and name hiding, can be represented without any additional language constructs. We also present an encoding of the (sum-free) pi-calculus in our calculus.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
The -calculus: a Model for Confidential Name Passing
Ivan Prokić Faculty of Technical Sciences, University of Novi Sad, Serbia
Abstract
Sharing confidential information in distributed systems is a necessity in many applications, however, it opens the problem of controlling information sharing even among trusted parties. In this paper, we present a formal model in which dissemination of information is disabled at the level of the syntax in a direct way. We introduce a subcalculus of the -calculus in which channels are considered as confidential information. The only difference with respect to the -calculus is that channels once received cannot be forwarded later on. By means of examples, we give an initial idea of how some privacy notions already studied in the past, such as group creation and name hiding, can be represented without any additional language constructs. We also present an encoding of the (sum-free) -calculus in our calculus.
1 Introduction
Sharing sensitive information over the internet has become an everyday routine: sending personal data and/or credit card number for online shopping is just one of the examples where the sensitive information can be disposed to other parties. Such cases open the problem of controlling information sharing even among trusted parties. The problem of privacy can (and must) be perceived both from a legal and technological point of view. One of the first who explored privacy in the information age, a legal scholar, Alan Westin had recognized that “Building privacy controls into emerging technologies will require strong effort…” [21]. On the other hand, new technologies can also provide new ways to deal with privacy problems [18]. According to Solove [17], there are four types of privacy violation: invasions, information collection, information processing, and information dissemination (see also [11]). The focus of this paper will be on presenting the techniques for controlling information dissemination in distributed systems.
Although there is a further taxonomy for information dissemination violation by Solove, all these sub-types roughly speak about harms of revealing the personal data or threats of spreading information. In distributed systems where communication of entities is central, controlling the flow of confidential information poses some obstacles. The capability of forwarding, that makes it possible to disseminate received information, may be recognized as one problem in controlling such systems.
Even in the examples of well-structured communications between two parties, such as the ones respecting the protocols specified by session types [10], it can be permissible for any party to forward (i.e., delegate) its session end-point. The session delegation is crucial for establishing sessions between the two parties [5, 19], such as in
[TABLE]
where creates a fresh channel and sends one end-point along to . However, it is also possible that the receiving party forwards the channel (cf. session delegation), as we may specify . Such forwarding capability may be appealing to have in some cases (e.g., forwarding tasks from a master to a slave process), but considering is a channel created by , pointing to some private data and shared exclusively with , one might argue that should not gain the capability of session delegation just by receiving . Hence, if we consider the name of channel to be confidential, should be the one who decides whether to let a third party knows about the channel. In addition, we may argue that in some cases there is no predefined set of parties that may receive in any future. Indeed, should be able to send end-point to any other party she decides. Therefore, we may conclude that confidential information can also be shared in open-ended systems, where the set of users of the information cannot be statically predefined.
In this paper, we present a formal model in which dissemination of information is disabled at the level of the syntax in a direct way. We build on the -calculus [16], a process model tailored for communication-centric systems, by introducing a subcalculus which we call Confidential -calculus, abbreviated . The only information shared in our calculus are names of channels, so channels are the confidential information. This is the only difference of our model with respect to the -calculus, names of channels are confidential and hence once received cannot be forwarded later on. By means of examples, the paper gives an initial idea of how some privacy notions already studied in the past, such as group creation and name hiding, can be represented without any additional language constructs. We also define the non-forwarding property and show that, naturally, all processes satisfy this property. This result is then reused to differentiate the -calculus processes that never forward received channels: if a process is bisimilar to a process then the process satisfies the non-forwarding property. We also propose an encoding from -calculus into -calculus and show its completeness. The paper presents initial results of the investigation of the model, formalization of some of the results are left for an extended version of the paper.
The paper is organized as follows. In Section 2, we start by presenting the syntax and semantics of -calculus, and we state some properties of the labeled transition system. In Section 3 we define a behavioral equivalence relation, called strong bisimilarity. Using the definition of strong bisimilarity we state and prove that the closed domains for channels are directly representable in . Another consequence of this result is the possibility of creating channels with similar behavior to channels [13]. Using the strong bisimilarity relation and non-forwarding of processes, we also propose a method for differentiating -calculus processes that never forward received channels. In addition Section 4 presents some further informal insights on and several interesting scenarios which are naturally represented in our model. Even though non-forwarding property restricts the syntax of the -calculus, in Section 5 we show the is expressive enough to model the -calculus. The base idea of the encoding is to create dedicated processes for each channel that handle sending the respective channels. In Section 6 we conclude and point to the related work.
2 Process Model
In this section, we present the syntax and semantics of . The main difference with respect to the -calculus processes is that in names received in an input cannot be later used as an object of an output, hence disallowing forwarding. Apart from this difference, the remainder of this section should come as no surprise to a reader familiar with the -calculus. To make a clear distinction between names of variables bound in input and names of channels, we introduce two disjoint countable sets and , where is the set of variables, ranged over by , and is the set of channel names, ranged over by . We denote with the union of sets and , and we let range over .
Syntax.
Table 1 presents the syntax of the language. An inactive process is represented with [math]. The prefixed process comprehends process , which on name sends channel and then proceeds as , process which on name receives a channel and substitutes the received channel for in , and the last prefix which exhibits only if and are the same name. Notice that in our language, differently from the -calculus, there is a syntactic restriction of the objects in prefixes: only a channel () can be sent and only a variable () can be used as a placeholder for a channel to be received. For example, -calculus process is not part of the syntax. There is no restriction on subjects of prefixes and names to be matched, these can be either variables or channels (). Parallel composition stands for two processes simultaneously active, that may interact. Channel restriction expresses that a new channel , known only to process , is created. Replicated process introduces an infinite behavior. Intuitively, consider stands for an infinite parallel composition of copies of process (i.e., ). Here, we do not consider the choice operator (i.e., the sum) since we believe it is not fundamental to our approach, but we remark choice can be added in expected lines.
In and , the channel and the variable are binding with scope . The set of bound names , for any process , is defined as the union of bound channels and bound variables in . The set of free names and the set of names , for any , are defined analogously. In addition, we use to denote the set of all free channels appearing as objects of output prefixes in process .
Semantics.
We present an operational semantics for our model in terms of the labeled transition system, which build on observable labeled actions , defined as
[TABLE]
Action sends the channel on the channel , while receives the channel on channel . In action the sent channel is bound, and stands for internal action. Notice that, as in the -calculus, names bound in the input (variables) cannot appear in labels of observable actions. To retain the same notation as for processes, we denote by , and , the sets of free, bound and all names of observable , respectively. As we noted above, these sets contain only channels, and not variables.
The transition relation is defined inductively by the rules given in Table 2. Notice that the action labels and transition rules are defined exactly as in the -calculus [16]. The symmetric rules for (par-l), (comm-l) and (close-l) are elided from the table. Rules (out), (in) and (match) are consistent with the explanations of the corresponding syntactic constructs. Rule (res) ensures that the action of the process is the action of the process scoped over by channel restriction if the channel specified in restriction is not mentioned in the action. Rule (open) opens the scope of the restricted channel, enabling the extrusion of its scope while ensuring that subject and the object of the action are different channels. Rule (par-l) lifts the action of one of the branches, and the side condition ensures that the channel bound in the action is not specified as free in the other branch. In rule (comm-l) two processes performing dual actions, one sending and other receiving along , synchronize their actions in the respective parallel composition. In rule (close-l) the channel sent () by the left process is bound and after the synchronization with the right process (performing the dual action), the scope of is closed while avoiding unintended name capture. Rules (rep-act), (rep-comm) and (rep-close) describe the actions of a replicated process. The first rule lifts the action of a single copy of the replicated process and activates in parallel. The second and the third rules show cases when two copies of replicated process synchronize their actions, either through communicating a free or bound channel, where, again, in both cases a copy of is activated in parallel. As usual, we identify -convertible processes, and thus, we use our transition rules up to -conversion when needed.
We now present some specific results of the transition relation in the -calculus. Our first result shows the relation between the set of free channels appearing as objects of output prefixes in the process and the process redexes: this set can be (possibly) enlarged only by opening the scope of a bound channel. Even more, the input actions do not affect the set of free channels appearing as objects of output prefixes in the process.
Lemma 1
Let .
If then . 2. 2.
If then and . 3. 3.
If then and . 4. 4.
If then .
Proof 2.1**.**
The proof is by induction on the derivation . We only discuss the base case of , when rule (open) is applied. Then, and is derived from . By of this Lemma, we get and . Since , we conclude .
As a direct consequence of Lemma 1 we get the next corollary.
Corollary 2.2**.**
If and then . 2. 2.
If then there is no process and channel such that .
What we can conclude from Corollary 2.2 combining its two statements is that a process cannot send a channel that it previously has received if the channel was not specified as an object of an output prefix in the first place. To show that this property is preserved also by all possible redexes of the process let us first relate the set of free channels appearing in output prefixes of the set and any its execution trace. The result is a direct consequence of Lemma 1.
Corollary 2.3**.**
If then .
The next theorem states that if the channel received by a process was not previously specified as an object of an output prefix, it will not be sent in any of the process possible evolutions. Hence, for the processes forwarding a channel, in a sense that a process can send a channel he learns through receiving, is not possible. Before the theorem, we present the precise definition of non-forwarding.
Definition 2.4** (Non-forwarding Property).**
A process satisfies the non-forwarding property if whenever
[TABLE]
then if and , for some , then , for all .
Notice that in the last definition we could also add the condition , for all . But, since without loss of generality we can assume all bound outputs are fresh, we can omit such condition. The next theorem attests that all processes respect the non-forwarding property, but in a more rigorous way, where the only restriction for the channel is not to be specified as the free object of any output prefix.
Theorem 2.5** (The Processes Respect the Non-Forwarding Property).**
Let
[TABLE]
Then, if and , for some , then , for all .
Proof 2.6**.**
*Since without loss of generality we can assume all bound outputs are fresh and , using Corollary 2.3 we get , for . Hence, by Corollary 2.2 we get , for . *
The result of Theorem 2.5 should come as no surprise, processes are designed to respect the non-forwarding property. However, considering the -calculus, it appears to be nontrivial to differentiate processes that respect the non-forwarding property. To attack this goal, we will see in the next section that Theorem 2.5 can be reused in Proposition 3.10.
3 Behavioral equivalence
Based on the notion of observable actions, introduced in Section 2, we investigate some specific behavioral identities of our model. To this end, we introduce a behavioral equivalence, called strong bisimulation, which, colloquially speaking, relates two processes if one can play a symmetric game over them: each action of one process can be mimicked by the other (and with the order reversed), leading to two processes that are again related. The relation that we are interested in is the largest such relation, called strong bisimilarity.
Definition 3.7** (Strong bisimilarity).**
The largest symmetric binary relation over processes , satisfying
[TABLE]
for some process , is called strong bisimilarity.
Notice that, since our transition rules match those of the -calculus, our strong bisimilarity relation is precisely one of the -calculus [16], restricted to the processes. One consequence of the non-forwarding property of our calculus is the possibility of the creation of closed domains for channels. A property, resembling the creation of a secure channel, which scope is statically determined, can be formally stated using the definition of strong bisimilarity.
Proposition 3.8** (Closed Domains for Channels).**
For any process , channel and prefix , the following equality holds
[TABLE]
Proof 3.9**.**
The proof follows by coinduction on the definition of the strong bisimulation (see Appendix A).
In both processes in Proposition 3.8 the left thread creates a new channel and sends it over a (private) channel to the right thread. The equality states that then the channel cannot be received afterward in the left thread. This is due to the fact that the right thread cannot forward received channels. We may notice that both processes in the proposition define the final scope for channel , hence, determining a closed domain for the channel. The interpretation of this proposition can be twofold. On one hand, the right thread after receiving a fresh channel () cannot send the received channel, since it respects the non-forwarding property. On the other hand, the left thread sends the channel (to the right thread) only once and the channel afterward behaves “statically”, since then it cannot be exchanged even between any two sub-processes of process . Further explanations are given in the next section.
The -calculus processes that do not forward names.
The processes satisfy our non-forwarding property (Definition 2.4): if the received channel is new to the process it will not be sent later on. Generally, the -calculus processes do not meet the non-forwarding property. However, we may notice that there are some -calculus processes which are not part of the syntax but still respect this property. For example, consider the -calculus process
[TABLE]
where any received channel along is then sent on , but since is restricted, the process will not output the received channel. But the condition that the channel along which the forwarding is performed (here ) is restricted is not enough. For example, the -calculus process does not satisfy the non-forwarding property.
This hints that differentiating -calculus processes that do not forward received channels, in any of their possible evolutions, may not be a simple task. As one solution to the problem we propose the next result which states that a -calculus process , and any of its possible evolutions, do not forward received channels if one can find a process , such that and are bisimilar. In the theorem, we refer to the non-forwarding property of Definition 2.4, extended to consider all -calculus processes. Naturally, the result of the next theorem refers to sum-free -calculus processes, since in this paper we are not considering the sum operator in the .
Proposition 3.10** (The -calculus Processes That do not Forward Names).**
Let be a -calculus process. If there is a process , such that , then satisfies the non-forwarding property.
Proof 3.11**.**
The proof is derived to Appendix A.
Although the result of Proposition 3.10 is only of the existential nature, we believe it is a step towards more practical results. One such result might be proving that for a given -calculus process one can derive a process such that if then respect the non-forwarding property. There we can also use a relaxed definition of the non-forwarding property, in which processes do not forward names received along some predefined set of channels. We leave such investigations for future work.
4 Examples
In this section, we further investigate some interesting scenarios representable in . Since a process in our calculus can learn new names but cannot gain the capability to send such names, we may distinguish two levels of channel ownership of a process that are invariant to the process evolution:
administrator: the process that creates the channel, it has all capabilities over the channel;
- -
user: the process that learns the channel name through communication (scope extrusion) and can communicate along the channel but cannot send it.
Hence, all administrators are also users but the conversely is not true. Also, notice that any process that receives a channel can become a user for that channel (but not administrator), and, hence, all processes may be considered as potential users for any channel. If we consider modelling our opening example in calculus
[TABLE]
is the administrator for and becomes a user after the reception. In it is not possible for afterward to send to a third party (e.g., to ). If wants to get the access to channel he can only tell and let her decide whether she wants to send to or not. Therefore, we can have
- •
, where sends to channel , and then terminates;
- •
, where receives the channel from and decides to send along the received channel, and
- •
, where can finally receive along channel .
We remark this simple example relies on the purely concurrent setting, here can be held by three or more parties at the same time. The correlation of the and the linearity of session types would need further investigation.
4.1 Authentication
In the -calculus specifying means is the administrator for channel . Process can extrude the scope of by sending, but none of the receiving processes will ever become administrators for the received channel , since they will never gain the capability for sending . Since sending capability cannot be transferred to other processes, we may conclude the administrator property over some channel can be used as an authentication over processes. For example, a process that previously has received may check at any point if the other party with whom he is communicating at the moment over is actually an administrator or only a user for channel . This can be done by specifying
[TABLE]
where first the private session with other party listening on is established by sending a fresh channel , and then along a channel is expected to be received. If the channel received is , then the other party has proved to be an administrator for . Notice that itself does not have to be an administrator for in this example.
As another example, consider that the above process has two threads running in parallel
[TABLE]
where, before activating and and their possible interactions, both threads test whether the other one is an administrator for channel . Namely, after the first synchronization, the left thread matches the received channel with , i.e., we obtain configuration . If the channel received is , then the right thread concludes that the left thread is an administrator for and sends the same channel back. Then, the left thread also matches the received channel with and continues only if the two names match, leading to . After that, both threads have proved to be administrators for , meaning that both have proved that they originate from process .
4.2 Modelling groups and name hiding
Controlling name sharing in the -calculus has been investigated in past and several process models are proposed to this end. In [2], on the -calculus syntax, an additional construct is introduced, called group creation, and a typing discipline is developed. The intention of the group construct is to restrict communications: channels specified to be in a group cannot be communicated outside the scope of the corresponding group construct. Hence, the group creation closes the domain for channels specified in the construct. In [6], on the -calculus syntax, an additional construct hide is introduced. Construct hide has similar properties to channel restriction, but it is more static since it forbids the channel extrusion for the channel specified to be hidden. Again, roughly speaking, hide construct closes the domain for a channel specified in the construct. In what follows, we try to represent similar behaviors without any additional language constructs, but directly in the calculus (and hence, directly in the -calculus). Formalization of the relationship between the mentioned models and the is left for future work.
As one way to represent closed domain for a channel in the we may consider process
[TABLE]
resembling the one from Proposition 3.8, where the left thread creates the channel , sends it to the right thread and then terminates. The right thread receives the channel, after which the two actions synchronize and the starting process silently evolves to . As we have shown in Proposition 3.8, process (and any its subprocess) cannot perform output with object since channel was not originally created by process . For this property we can state that name will never leak out of the scope of , hence that all communications along channel are private to process . Also, we may observe that channel in process has a static behavior, similar to channels [13].
This constellation indeed resembles the group creation of the -calculus with groups and name hiding. The similarity is that in the -calculus with groups, a channel declared as a member of a group cannot be acquired as a result of communication by the process outside the scope of the group. The major difference is that in our example the channel behaves as a -like channel, i.e., the channel cannot be acquired as a result of communication by any process. This brings us to our next example, that combines channel declaration and authentication, presented in Section 4.1. Consider that for a given channel, we want to statically determine a boundary for the possible channel extrusion, the part of the process we shall call a group. In that case, we may conclude that only members of the group should be able to receive the given channel. As a concrete example consider process
[TABLE]
where by we denote that the scope of channel determines the group for channel . Now, to make sure that channel , whose administrator is process , is sent only to processes scoped over with , before each sending of channel , we must make sure that the receiver is an administrator for channel . Hence, instead of construct in , we would use
[TABLE]
where first a private session with the process willing to receive is established through channel , and then the channel received on is matched with . Only if the name received on is , i.e., after the other process has proved that he is a member of the group, channel is sent. Notice that if the other process can send this means the process originates either from or from .
4.3 Open-ended groups
Groups described in the previous example provide an interesting framework to investigate sharing protected resources in distributed environments but has the limitation that a group, once created, always has a fixed scope, which sometimes might be considered too restrictive. In open-ended groups are directly modeled, since sending a resource in does not transmit the capability for its further dissemination. For example, in the administrator of , that is the process that creates the group, can send the name of the group to other processes, while the receiving process only becomes a user of the group and does not gain the capability to invite new members to the group.
5 Encoding Uncontrolled Name Passing
In this section, we show how to model forwarding in , as in the standard -calculus. We start by presenting the basic idea, which we later formalize by means of an encoding.
Throughout this section, we use the polyadic version of our calculus. This enables us to formalize our ideas in a more crisp way, but, as in the -calculus, each polyadic communication can be represented by a sequence of monadic ones. Furthermore, we will use poliadicity in a controlled way, so that we do not introduce a non-well sorted communications [14].
In the -calculus, there is no syntactic restriction on names that can appear as objects of output prefixes, hence a process like may be specified. One way to represent this process in is to:
- •
create a special process dedicated for (repeatedly) sending channel , called handler of the channel,
- •
while sending channel also send a channel dedicated for communicating with the handler, and
- •
bypass sending of the received channel to the handler process.
Hence, we may try to represent the -calculus process introduced above as
[TABLE]
where the process in the middle now sends together with channel dedicated for communicating with the handler process (the rightmost one), and the leftmost process receives both channels and instead of sending along it sends to the handler along . The handler process receives and sends (again, together with ) along the received channel, in such way mimicking forwarding. Such representation does not work in the case when the leftmost process is not an administrator for channel (e.g., assume process is derived from ), since then the process cannot send to the handler process. To this end, we must refine our representation of forwarding to support situations when processes are potentially not administrators for any given channel. Thus, we introduce another type of handler processes which are in charge of forwarding channels that are subjects of output actions. For example, the starting -calculus process would be represented as
[TABLE]
where we added the rightmost thread, which is the handler process of channel , used to bypass sending of channel in the leftmost thread. Now the communication in this process goes as follows: first, the two leftmost threads synchronize on channel (as in previous examples), leading to
[TABLE]
where the name is instantiated with handler name (eliding from the substitution in process ). Then, instead of sending on , the new channel is created and sent to the handlers of and
[TABLE]
enabling handler of channel to send to the handler of channel , leading to where sending (together with the handling name ) along channel is finally activated.
Notice that we need a few generalizations of this approach:
- •
each name can be sent infinitely many times, hence, each handling process must be repeatedly available for communication;
- •
each channel can be used either as a subject or as an object of output action, and, hence, for each channel we need both types of handler processes (one as for and the other as for in the last example). For the rest of this section we will call the handler of a channel a process that comprehends both types of handlers mentioned above for that channel;
- •
in the source language, processes synchronize their dual (i.e., input/output) actions directly, while in the target language output process first synchronize with the handler process, and only after that handler process synchronize with the input process. In the example above, process may proceed even though the channel has not been received by any process. Hence, we need a mechanism to allow processes in the target language to synchronize their actions directly.
We formalize these ideas by introducing an encoding as a pair , where is a translation function and is a renaming policy [7]. The translation maps each -calculus (source) term into the (target) term , and while doing so it uses the renaming policy, that maps each name of the source term into a tuple of names , where and are not names of any source term, and for each name different names and are used. Also, the translation uses some additional names, which we assume to be from a reserved set of names, disjoint from all names of the source language and all names introduced by the renaming policy. All these definitions follow the idea of [7].
The translation function is defined in Table 3. The first rule in the table translates a process scoped with the channel restriction. The source process is encoded as scoped with the original channel name and the two names associated to by the renaming policy, i.e. and , and it introduces the handler process for the channel in parallel with . We use to abbreviate . The handler process has two threads in parallel. The left thread is repeatedly available to be invoked on (see the rule of output) and it sends channel along the received channel. The use of this process will be only to send to the right thread of any other handler process (as in the example above). The right thread of the handler is repeatedly available to be invoked on and it receives a pair of names (see the rule for output). Along the left received name () it receives a channel (from the left thread of some handler process) and outputs the channel together with “addresses” of the handler, and , and, in addition, a new channel . By sending and , we make possible for the process that receives (see the rule for input) to be able afterward to directly invoke the handler for . By sending a new channel to the receiving process and also (in the continuation of the right thread of the handler) to the sending process we establish a private connection between the two processes, which then can directly synchronize and activate their continuations at the same time.
The encoding of the output process creates two fresh channels and , and sends one end of to the left thread handler process of name (the subject of the output) and the other end of , together with and , to the right thread of the handler process for name (the object of the output). In the continuation, before activating the image of , along a channel is received and used for the output (to synchronize directly with the input process). We remark that in this rule names and are taken to be from the reserved set of names, and hence cannot appear as free in . The same assumption is made for names and in the rule for input, hence there also and are not free in . In the rule for input four channels are received, the channel together with addresses of his handler and a fresh channel (see the right thread of a handler process). The received fresh channel is only used, as we noted, to synchronize with the sending process (same as the channel received in this synchronization). The rest of the rules shows that the encoding is homomorphism elsewhere.
Notice the encoding does not interfere with our notion of ownership described in Section 4. The role of channel administrator is still present, i.e., handlers are included in that domain. Hence, controlling such domain can still be done, in contrast to the regular -calculus processes where one cannot statically identify a domain where the sending the channel capability is confined to.
We may also notice that in the rule for output (Table 3) the two channels (the addresses) of the two handler processes are used, one for the object and the other for the subject of the prefix. This reflects the fact that in order to be capable to mimic all the actions of the source term, we need to introduce handler processes for all free names of the input and output prefixes of the source term. Since the handler processes are introduced directly in the rule for restricted channels (Table 3), we give our main result for the correctness of the encoding only for the -calculus processes that contain only bound names. A -calculus process that has no free names is called closed.
As closed -calculus processes can only exhibit transitions, and those match the reduction semantic [16], for the simplicity we chose to deal with the reduction semantics of the -calculus. Therefore, our operational correspondence result relates the set of closed -calculus processes, with the reduction semantics (using the reduction relation , as defined in [16]), and -processes with the labeled transition system. Notice that the reduction relation of the -calculus relies on the structural congruence relation [16], which, by rule , may introduce free names. These newly introduced names are not of our interest, as they do not require handlers. To this end, for a -calculus process we define , a subset of that is invariant with respect to the structural congruence relation. Hence, we define , and otherwise coincides with . Notice that this means , if .
We use to denote the transitive closure of . We are now ready to present our result, showing that if the source term reduces to then the encoding of reduces in a number of steps to the process bisimilar to the encoding of the process . Again, we assume that the -calculus processes are sum-free. First, we present an auxiliary result.
Lemma 5.12**.**
If then where
- •
if then
[TABLE]
- •
if then .
Proof 5.13**.**
The proof is derived to Appendix B.
The above result can already be seen as a form of non-standard completeness as it uses the top-level handlers. This hints that the completeness result can also be stated for -calculus processes that are not closed, with the encoding that is not compositional, but weakly compositional, such as the encoding from the join-calculus into the -calculus [4]. We leave such investigations for future work.
Our main result, given in the next theorem, is a direct consequence of Lemma 5.12.
Theorem 5.14** (Operational Correspondence: Completeness).**
Let be a closed (sum-free) -calculus process. If then .
We also believe that our encoding satisfies the soundness property [7]. This claim relies on the fact that the encoding manipulates the source names in a controlled way. Each name of a source term is translated into a triple of names, and a renaming policy ensures that for different source names different triples of names are used. Other names introduced by the encoding are bound. Using this fact and the fact that each source prefix is translated into a sequence of prefixes of always the same length, we may notice that different post-processing steps might get interleaved, but post-processing steps of different reduction steps in a source term cannot interfere with each other. We also leave formalization of this claim for future work.
6 Conclusions and related work
The notion of secrecy has been studied intensively in process calculi in the past and the variety of techniques have been proposed. The most related to our work are process models building on the -calculus, such as [2, 6, 3, 11, 8, 20].
Cardelli et al. [2] introduce a language construct for group creation and a typing discipline, where a group is a type for a channel. The group creation construct blocks communications of channels that are declared as members of the group outside the initial scope of the group, hence preventing the leakage of protected channels. Kouzapas and Philippou [11] extend the model of -calculus with groups by constructs that allow reasoning about the private data in information systems. The work of Giunti et. al. [6] introduces an operator called hide which binds a name and has a similar behavior as a name restriction, but in contrast to name restriction it blocks a name extrusion, for which the scope of the hide operator forms a kind of a group that the “hidden” name cannot exit. The paper by Vivas and Yoshida [20] introduces an operator called filter that is statically associated to a process and blocks all actions of the process along names that are not contained in the (polarized) filter. We also mention [8, 3] where the types associate the security levels to channels, where, in the latter work downgrading the security level of a channel is admissible and it is achieved by introducing special, so-called, declassified input and output prefix constructs. All the above approaches share the property that, when building on the -calculus model, additional language construct and/or a typing discipline is introduced in order to represent some specific aspect of secrecy in a dedicated way. We believe that -calculus appears to be more suitable as an underlying model when studying secrecy, and as such that many aspects of secrecy can be represented in a more canonical way. As a first step, we plan to make a precise representation of group creation [2] in the -calculus, following the intuition provided in Section 4.2.
Several fragments of the -calculus have been used in different ways and for different purposes. The asynchronous -calculus [9], proposed by Honda and Takoro, constrains the syntax by allowing only an inactive process to be the continuation of the output prefix, in this way modelling asynchronous communications. The Localised -calculus [12], proposed by Merro and Sangiorgi, disallows the input capability for the received names and does not consider the matching operator. There, the syntactic restriction is that input placeholder cannot appear as a subject of an input, but, in contrast to our work, the forwarding of names is allowed. The Private -calculus [15], proposed by Sangiorgi, makes the restriction that objects of output prefixes are always considered as bound, making the symmetry with the input prefixes. Although in Private -calculus the forwarding of names is not possible, it differs significantly from our work in the restriction that one name can be sent only once. All these calculi share our goal to investigate specific notions in a dedicated way, without requiring the introduction of specialized primitives, instead by considering a suitable fragment of the -calculus.
In this paper, we have presented Confidential -calculus, a fragment of the -calculus [16] in which the forwarding of received names is disabled at the syntax level. To the best of our knowledge, this is the first process model based on the -calculus that represents the controlled name passing by constraining and not extending the original syntax. Some specific properties of our labeled transition system are given and the non-forwarding property is defined. All processes satisfy this property and the method to differentiate the -calculus process that never forward received names is proposed, relying on the strong bisimilarity relation of processes and processes. The strong bisimilarity relation is also used to show that the creation of closed domains for channels is directly representable in the . Examples presented in the paper already give some intuition on scenarios directly representable in , such as authentication and group modelling, and a complete formalization of these ideas is left for future work. The encoding presented here shows that our model is as expressive as the -calculus, and the formal verification of the correctness of the encoding is given in the form of the completeness of operational correspondence. The soundness of the encoding is left for future work.
Acknowledgments. The author would like to thank Hugo Torres Vieira and Jovanka Pantović for supervising the work presented here and a great help, to Daniel Hirschkoff for valuable email discussions, and to anonymous reviewers for useful remarks and suggestions. This work has been partially supported by the Ministry of Education and Science of the Republic of Serbia, project ON174026.
Appendix A Proofs from Section 3
Proposition 1**.**
3.8* For any process , channel and prefix , next equality holds*
[TABLE]
Proof A.15**.**
The proof follows by coinduction, by showing that the relation
[TABLE]
where , is contained in the strong bisimilarity, i.e., .
We show that each action of one process can be mimicked by the other process in the pair in , leading to processes that are again in relation . Let the process in the first pair
[TABLE]
Then, since actions of the starting process can only be actions of its two branches, we conclude that either or or it is the synchronization of these two actions, in which case . We reject the first two options, since the subject of the action is bound in the starting process and by rule (res) it cannot be observed outside of the process. Hence, we conclude and . Then, by applying (out), (open), (in), (close-l) and (res), respectively, we get
[TABLE]
and since and cannot appear as an object in the prefixes in we conclude . Hence, we have \big{(}(\nu k)(\nu l)(m?y.[y=l]\pi.0\;|\;P\{l/x\}),(\nu k)(\nu l)(m?y.0\;|\;P\{l/x\})\big{)}\in{\cal R}. The symmetric case is analogous.
Now let us consider processes in the second pair of . If
[TABLE]
then observable can originate from both of the branches or from their synchronization.
—Left branch:* If the observable originate from the left branch, then , and by (in), (par-l) and (res) we get*
[TABLE]
where, by the side condition of (res) we conclude . In the same way we get
[TABLE]
and \big{(}(\nu k)(\nu l)([n=l]\pi.0\;|\;Q),(\nu k)(\nu l)(0\;|\;Q)\big{)}\in{\cal R} holds.
—Right branch:* If the action originates from the right branch, i.e., from , we distinguish two cases:*
- (i)
if by rules (par-r) and (res) is derived
[TABLE]
where we conclude that , hence . Then by the same rules we get
[TABLE]
and \big{(}(\nu k)(\nu l)(m?y.[n=l]\pi.0\;|\;Q^{\prime}),(\nu k)(\nu l)(m?y.0\;|\;Q^{\prime})\big{)}\in{\cal R} holds.
- (ii)
if by rules (par-r), (res) and (open) is derived
[TABLE]
then . Notice that the scope of channel cannot be extruded this way since . Hence, process cannot perform output action with object . Then by the same rules we get
[TABLE]
and, again, \big{(}(\nu l)(m?y.[n=l]\pi.0\;|\;Q^{\prime}),(\nu l)(m?y.0\;|\;Q^{\prime})\big{)}\in{\cal R} holds.
—Synchronization of branches:* We again distinguish two cases:*
- (i)
if from
[TABLE]
where we can make the same observation on as before to conclude that , by rules (comm-r) and (res) is derived
[TABLE]
Then, using , and the same rules as above we get
[TABLE]
and we get \big{(}(\nu k)(\nu l)([n=l]\pi.0\;|\;Q^{\prime}),(\nu k)(\nu l)(0\;|\;Q^{\prime})\big{)}\in{\cal R}.
- (ii)
if from
[TABLE]
where as before we can assume , by rules (close-r) and (res) is derived
[TABLE]
then using , we may observe
[TABLE]
and \big{(}(\nu k)(\nu l)(\nu n)([n=l]\pi.0\;|\;Q^{\prime}),(\nu k)(\nu l)(\nu n)(0\;|\;Q^{\prime})\big{)}\in{\cal R}.
The symmetric cases and the rest of the pairs from are analogous. For the rest of the pairs note that in all left branch of the first components we have , where , and hence, its observational power is equivalent to the observational power of inactive process [math] appearing as the left branch in the right components.
Proposition 2**.**
3.10* Let be a (sum-free) -calculus process. If there is a process , such that , then satisfies the non-forwarding property.*
Proof A.16**.**
Let be a be a (sum-free) -calculus process and let Let us fix , and assume and . Since without loss of generality we can assume all bound outputs are fresh, we get , for all , directly. In addition to the first assumption, let us assume there is such that . Since (where ), we conclude there are processes such that
[TABLE]
and , for all , where and . We now distinguish two cases.
If then we get a direct contradiction with Theorem 2.5. 2. 2.
If , we choose a fresh channel and a substitution that is defined only on channel and maps it to . Then, from , by consequitive application of Lemma of **[16]**, we conclude , for all . Since we get . Now from
[TABLE]
and , we again conclude there are processes such that
[TABLE]
where , for all and , for all . Since has been chosen to be a fresh channel, we get , and since and , we fall into the first case, and hence, we again get contradiction with Theorem 2.5.
Appendix B Proofs from Section 5
Abbreviations.
For the sake of readability, use the abbreviation
[TABLE]
assuming that , and we omit writing trailing [math]’s whenever possible.
We may notice that the encoding defined in Table 3 does not introduce any free names by itself, except in the rule for output (and matching prefixed output), where names and are introduced. We may also notice also that these introduced names are the ones specified in the renaming policy of names and , respectively. Hence, the following result is straightforward.
Lemma B.17** (Name invariance).**
Let be a -calculus process and let substitutions and be such that , for all . Then .
For the operational correspondence, we will need only one case of the name invariance result, and we state it in the next corollary.
Corollary B.18**.**
If and then
[TABLE]
For the operational correspondence we will need definition of strong bisimilarity of polyadic -calculus. Such definition is exactly the same as Definition 3.7, except that labels of the LTS (where rules in Table 2 are adapted for polyadic calculus following expected lines) are carrying a tuple of channels, i.e.,
[TABLE]
For such strong bisimilarity relation we may show to obey some standard properties stated in the next proposition.
Proposition B.19**.**
* is an equivalence relation and a non-input congruence;* 2. 2.
; 3. 3.
; 4. 4.
; 5. 5.
; 6. 6.
; 7. 7.
; 8. 8.
, if ; 9. 9.
; 10. 10.
; 11. 11.
.
We take the structural congruence relation as it is defined for the -calculus processes in [16].
Lemma B.20**.**
If then .
Proof B.21**.**
The proof is by case analysis on the structural congruence rule applied.
.
We distinguish two cases for prefix .
- (a)
If , then by definition of the encoding and Proposition B.19 we get
[TABLE] 2. (b)
If , then, again, by definition of the encoding and Proposition B.19 we get
[TABLE] 2. 2.
. By the definition of the encoding and Proposition B.19 we get
[TABLE] 3. 3.
. By the definition of the encoding and Proposition B.19 we get
[TABLE] 4. 4.
, if . By the definition of the encoding and Proposition B.19 we get
[TABLE] 5. 5.
The rest of the cases are analogous.
Lemma B.22**.**
Let and be -calculus processes.
If then . 2. 2.
If then there exist a -calculus process such that and . 3. 3.
if and then .
Proof B.23**.**
The only structural congruence rule affecting free names is , and by the definition . 2. 2.
Assume . If then the proof is finished. Now assume . Then can appear only in in a sub-process of the form . In this case we may show, by induction on the structure of , that using the structural congruence rule , we can get rid of all such matchings that mention name . 3. 3.
Follows by an easy induction on derivation.
- Lemma 5.12
If then where
- –
if , then
[TABLE]
- –
if then .
Proof B.24**.**
The proof is by induction on derivation.
Base case*: . Since and are free in the starting process, we can encode it as*
[TABLE]
where if then If then . Then,
[TABLE]
where the output process synchronize with the left thread of the handler of name and with the right thread of the handler of name . At this point, the two handlers can synchronize and the last process evolves to
[TABLE]
where, after the synchronization of the two handlers, name (together with , and ) is finally received in the input process, after which channel is also received in the left-hand side process, making the encoding of processes an only unlocked in the synchronization:
[TABLE]
By Corollary B.18 we get
[TABLE]
Hence, we conclude the last derived process in equation (1) is equal to
[TABLE]
Since , by Proposition B.19 we have that the last derived process is strongly bisimilar to
[TABLE] 2. 2.
* is derived from . By induction hypothesis*
[TABLE]
where and if then
[TABLE]
*and if then . Now, if , let us take *
[TABLE]
If let us take . Then, by (par-l) we can derive
[TABLE]
By Lemma B.19 we get then
[TABLE]
where , by the definition of strong bisimilarity. We can now conclude
[TABLE] 3. 3.
* is derived from . Again, by induction hypothesis*
[TABLE]
where and if then
[TABLE]
while if then . Since,
[TABLE]
we distinguish two cases:
- (a)
if then . Since , by Proposition B.19 we get
[TABLE]
where transition(s) follows by the induction hypothesis and rule (res). By Proposition B.19
[TABLE]
and by definition and transitivity of strong bisimilarity we get
[TABLE] 2. (b)
if , then . By Lemma B.22 there exist such that and . Since is a congruence and by Lemma B.20 we get and . Then, by definition of the encoding and Proposition B.19 we have
[TABLE]
Since and , by Lemma B.22 we get . By the same lemma we conclude there exist such that and . Hence, again
[TABLE]
*By definition and transitivity of strong bisimilarity we get *
[TABLE] 4. 4.
* is derived from , where and . By induction hypothesis*
[TABLE]
where , and if then
[TABLE]
while if then . By Lemma B.20 and Lemma B.22, implies and ), and implies . Then, by Proposition B.19 we get , hence, by definition of strong bisimilarity
[TABLE]
where , which completes the proof.
As a direct consequence of Lemma 5.12, we get the operational correspondence result for the encoding of closed -calculus processes.
- Theorem 5.14
Let be a closed (sum-free) -calculus process. If then .
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1]
- 2[2] Luca Cardelli, Giorgio Ghelli & Andrew D. Gordon (2005): Secrecy and group creation . Inf. Comput. 196(2), pp. 127–155, 10.1016/j.ic.2004.08.003 . · doi ↗
- 3[3] Silvia Crafa & Sabina Rossi (2007): Controlling information release in the pi-calculus . Inf. Comput. 205(8), pp. 1235–1273, 10.1016/j.ic.2007.01.001 . · doi ↗
- 4[4] Cédric Fournet & Georges Gonthier (1996): The Reflexive CHAM and the Join-Calculus . In Hans-Juergen Boehm & Guy L. Steele Jr., editors: Conference Record of POPL’96: The 23rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Papers Presented at the Symposium, St. Petersburg Beach, Florida, USA, January 21-24, 1996 , ACM Press, pp. 372–385, 10.1145/237721.237805 . · doi ↗
- 5[5] Simon J. Gay & Malcolm Hole (2005): Subtyping for session types in the pi calculus . Acta Inf. 42(2-3), pp. 191–225, 10.1007/s 00236-005-0177-z . · doi ↗
- 6[6] Marco Giunti, Catuscia Palamidessi & Frank D. Valencia (2012): Hide and New in the Pi-Calculus . In Bas Luttik & Michel A. Reniers, editors: Proceedings Combined 19th International Workshop on Expressiveness in Concurrency and 9th Workshop on Structured Operational Semantics, EXPRESS/SOS 2012, Newcastle upon Tyne, UK, September 3, 2012. , EPTCS 89, pp. 65–79, 10.4204/EPTCS.89.6 . · doi ↗
- 7[7] Daniele Gorla (2010): Towards a unified approach to encodability and separation results for process calculi . Inf. Comput. 208(9), pp. 1031–1053, 10.1016/j.ic.2010.05.002 . · doi ↗
- 8[8] Matthew Hennessy (2005): The security pi-calculus and non-interference . J. Log. Algebr. Program. 63(1), pp. 3–34, 10.1016/j.jlap.2004.01.003 . · doi ↗
