This paper explores the use of trace equivalence and epistemic logic within process algebras to accurately formalize and verify security properties, bridging the gap between intuitive security notions and formal methods.
Contribution
It demonstrates that trace equivalence is congruent and aligns with logical equivalence in epistemic logic, providing a formal foundation for security verification.
Findings
01
Trace equivalence is congruent.
02
Logical equivalence matches trace equivalence.
03
Trace equivalence is relevant with non-adaptive attackers.
Abstract
In process algebras, security properties are expressed as equivalences between processes, but which equivalence is suitable is not clear. This means that there is a gap between an intuitive security notion and the formulation. Appropriate formalization is essential for verification, and our purpose is bridging this gap. By chasing scope extrusions, we prove that trace equivalence is congruent. Moreover, we construct an epistemic logic for the applied pi calculus and show that its logical equivalence agrees with the trace equivalence. We use the epistemic logic to show that trace equivalence is pertinent in the presence of a non-adaptive attacker.
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsSecurity and Verification in Computing · User Authentication and Security Systems · Advanced Authentication Protocols Security
Full text
Trace Equivalence and Epistemic Logic to Express Security Properties
Kiraku Minami
Abstract
In process algebras, security properties are expressed as equivalences between processes, but which equivalence is suitable is not clear. This means that there is a gap between an intuitive security notion and the formulation. Appropriate formalization is essential for verification, and our purpose is bridging this gap. By chasing scope extrusions, we prove that trace equivalence is congruent. Moreover, we construct an epistemic logic for the applied pi calculus and show that its logical equivalence agrees with the trace equivalence. We use the epistemic logic to show that trace equivalence is pertinent in the presence of a non-adaptive attacker.
Acknowledgements
I am sincerely appreciative of Professor Masahito Hasegawa who provided helpful comments and suggestions. I would also like to convey a sense of gratitude to my family for their moral support and warm encouragements.
In modern society, information and communications technology is indispensable to our daily lives, and a number of communication protocols are proposed to securely transmit information using a network. Verification of safety of these protocols is also essential, but it is not easy.
In the first place, how to define security notions is not clear. As a matter of fact, various different definitions of the same security property have been proposed. In addition, how to model communication is also not clear; many such models have been developed. In this work, we focus on process algebras because it allows us to handle composition easily. In process algebras, typical security properties such as secrecy are represented by an equivalence between processes.
For instance, secrecy of a message M is expressed as equivalence between a process sending M and a process sending M′.
Many process equivalences exist in the literature, but which is the most suitable for capturing security properties is not always clear. For instance, Delaune, Kremer and Ryan [10] proposed the definition of privacy in electronic voting in terms of the applied pi calculus [1] as follows.
A voting protocol respects vote-privacy (or just privacy) if
[TABLE]
for all possible votes a and b.
Intuitively, this definition states that an attacker cannot distinguish two situations where votings are swapped.
Note that indistinguishability is expressed by labelled bisimilarity ≈l in this definition. Is it the most suitable? This is a nontrivial question. Chadha, Delaune and Kremer [7] claim that trace equivalence is more suitable regarding privacy.
In fact, an outputted message is not explicitly expressed in the applied pi calculus. It is represented via an alias variable. This feature enables us to handle cryptographic protocols and suggests that trace equivalence means an attacker’s indistinguishability. This is because an attacker can observe only labelled transition. We recall the syntax and semantics of the calculus in Chapter 2.
Bisimilarity and traced equivalences are both well-studied equivalence relations on labelled transition systems.
However, trace equivalence in the applied pi calculus (and
other variants of the pi calculus [19, 20, 18]) has not drawn much attention.
This is probably because trace equivalence is the coarsest among major equivalences. However, security properties sometimes require that actually different processes are regarded as the same. Thereby, a fine equivalence such as bisimilarity does not have to be always adequate.
Epistemic logic is often used to capture security notions (e.g. [7, 15, 22]). It enables us to directly express security properties. For example, when a message M sent by an agent a is anonymous, we can say that an adversary cannot know who sent M. In an epistemic logic, we can express it with a formula such like ¬KSend(a,M). This logical formulation is close to our intuition. Nevertheless, research about an epistemic logic for the applied pi calculus is few.
1.2 Contributions
We prove that trace equivalence for the applied pi calculus is a congruence in Chapter 3. Secondly, we give an epistemic logic that characterizes trace equivalence in Chapter 4. In addition, we define security properties such as secrecy and role-interchangeability [15, 22] using trace equivalence and our epistemic logic. Moreover, we show that secrecy and openness generally are not preserved by parallel composition.
On the other hand, total secrecy is characterized by trace equivalence, so it is preserved by an application of a context.
The same partly holds for role-interchangeability.
Finally, we prove that the satisfaction problem for the epistemic logic is undecidable.
Our results suggest that trace equivalence is more suitable to express security notions than labelled bisimilarity.
Chapter 2 The Applied Pi Calculus
2.1 Syntax
The applied pi calculus [1] is an extension of the pi calculus [19, 20, 18] and can handle cryptographic protocols.
Let Σ be a signature equipped with an equational theory. Σ consists of a finite set of function symbols with their arity.
Names, variables, and terms are defined on Σ by the following grammar:
[TABLE]
The above f is a function symbol with arity n on Σ.
We say that a term is ground when it contains no variables. Meta-variables u,v are used to represent over both names and variables. We describe a sequence of terms M1,...,Mn as M. We denote by n(M) and v(M) the set of names and variables in M.
The grammar for processes is given below:
[TABLE]
0 cannot do anything. M⟨N⟩.P sends N on a channel M and then behaves as P. M(x).P waits for input from a channel M and then behaves as P with the variable x replaced by the received message. In both cases, we omit P if it is 0. The process νn.P creates a new restricted name n and then behaves as P. A restricted name is often regarded as a nonce, a key and so on. The conditional branch ifM=NthenPelseQ behaves as P when M=N and as Q otherwise. Note that M=N means equality on Σ. We omit Q if Q is 0. P+Q nondeterministically behaves P or Q. P∣Q is the parallel composition of P and Q; the replication !P behaves as unbounded copies of P running concurrently.
We call processes defined above plain processes. Moreover, we define extended processes:
[TABLE]
We consider that {M/x} is floating around processes. If it touches other processes, a substituion happens. We will describe in detail later. If we want to impose reins on this effect, we restrict variables. {M/x} often represents messages outputted to an environment. Moreover, it is sometimes interpreted as attacker’s knowledge in view of security because an active substitution {M/x} appears when a process sends a message M to an environment. When M~=M1,…,Mn and x~=x1,…,xn,{M~/x~} expresses {M1/x1}∣…∣{Mn/xn}. In particular, if n=0, it is a null process 0.
Let u=u1,...,un. Then νu.A=νu1....νun.A.
Let σ={M/x}, then Mσ is a term obtained by replacing all xi with Mi. We denote by fn(A) and fv(A) the sets of free names and variables respectively. These are inductively defined below.
[TABLE]
[TABLE]
Furthermore, We denote by bn(A) and rv(A) the sets of bound names and restricted variables respectively. Note that νx. appears only in an extended process.
[TABLE]
[TABLE]
We also define n(A)=fn(A)∪bn(A) and v(A)=fv(A)∪rv(A).
The domain dom(A) of an extended process A is also inductively defined below. If variables in other concurrently running processes are in dom(A), A affects them.
[TABLE]
We basically identify an extended process with an α-equivalent process, but we carefully handle α-equivalent processes in Chapter 3, 4.
Hereafter, we assume three restrictions. First, suppose that substitutions are cycle-free with respect to variables.
Definition 2.1**.**
An active substitution σ is cycle-free ⇔defσ is written as {M1/x1,...,Mn/xn} by reordering so that each Mi does not contain x1,...,xi by reordering.
Secondly, we can compose A and B in parallel only if dom(A)∩dom(B)=∅. Lastly, we can restrict only variables in a domain. We say that A is closed if fv(A)=dom(A).
Note the proposition below.
Proposition 2.2**.**
Consider an active substitution σ={M1/x1,...,Mn/xn} where each Mi does not contain x1,...,xi. Then, there exists an active substitution ρ≡σ such that each xiρ contains no variables other than ones in fv(σ)∖dom(σ).
Proof.
We prove by induction on n. The base case is trivial. We consider the induction case.
Let σ′={Mn/xn} and σ′′={M1σ′/x1,...,Mn−1σ′/xn−1}. Each Miσ′ does not contain xn, so there exists ρ′≡σ′′ such that each xiρ′ contains no variables other than ones in fv(σ′′)∖dom(σ′′) by induction hypothesis. Then,
[TABLE]
ρ′∣σ′ meets the condition against n. Note that fv(σ′′)∖dom(σ′′)⊆fv(σ)∖dom(σ).
∎
2.2 Semantics
2.2.1 Internal Reduction
Internal communication, conditional branch and nondeterministic choice are unobservable actions.
A context is an expression containing one hole. The hole is represented by [_]. An evaluation context is a context whose hole is neither under a replication, a conditional, nor an action prefix.
Structural equivalence ≡ is the smallest equivalence relation between extended processes which is closed under an application of an evaluation context and α-conversion, such that:
[TABLE]
That is, ∣ beheves like a commutative monoid, and + behaves like a commutative magma. Restriction is also commutative.
Note that {M/x} in A{M/x} is not an active substitution, it is an ordinal substitution. A{M/x} is the same as A expect that all free occurences of x is replaced with M, and it is a capture-avoiding substitution. The last rule depends on Σ.
We omit redundant parentheses when distinction between structural equivalent processes is not necessary.
Definition 2.3**.**
Internal reduction → is the smallest relation between extended processes closed under structural equivalence and application of evaluation contexts such that:
[TABLE]
The second rule requires that M and N are ground, and it is essential. If this condition is not satisfied, unreasonable reduction happens when an active substituion concurrently exists. For example, consider ifx=athenPelseQ∣{a/x}.
An internal reduction is often called silent action.
2.2.2 Labelled Transition
Labelled semantics enables us to express unsafe communication.
We denote by α a labelled action. The labelled semantics gives a ternary relation A⟶αA′ on two processes and a label. A label is an input form or an output form. In the former case, α is written as M(N). It means that a message N is received on a channel M. In the latter case, α is written as νx.M⟨x⟩, where x is a variable which is fresh. It means that a message is sent on channel M via an alias variable x. It is a notable feature that a sent message does not explicitly appear in a label.
We define n(α), fv(α) and rv(α) as with a process.
[TABLE]
Additionally, we regard that a silent action contains no variables and names.
We recall structural operational semantics for the applied pi calculus.
M(x).P⟶M(N)P{N/x}
x∈/fv(M⟨N⟩.P)
M⟨N⟩.P⟶νx.M⟨x⟩P∣{N/x}
A⟶αA′∧u∈/n(α)∪v(α)
νu.A⟶ανu.A′
A⟶αA′∧rv(α)∩fv(B)=∅
A∣B⟶αA′∣B
A≡A′∧A′⟶αB′∧B′≡B
A⟶αB
We denote by μ a silent action and a labelled action. We define ⟹ as the transitive reflective closure of ⟶, and ⟹α as ⟹⟶α⟹. ⟹μ is the former when μ is silent and is the latter when μ=α.
2.3 Equivalence
2.3.1 Labelled Bisimulation
If fn(A)∩bn(A)=∅ and any bound name is not restricted twice, we say that A is name-distinct [7]. If fv(A)∩rv(A)=∅ and any restricted variable is not restricted twice, we say that A is variable-distinct.
When A and B are name-variable-distinct and fn(A)∩bn(B)=bn(A)∩fn(B)=bn(A)∩bn(B)=∅, we say that A and B are bind-exclusive.
A frame is an extended process made from 0 and active substitutions by restriction and parallel composition. φ and ψ are used to represent frames.
We define a map fr from an extended process to a frame below.
[TABLE]
From now, we identify a frame with a structural equivalent frame.
Definition 2.4**.**
(M=N)φ⇔defv(M)∪v(N)⊆dom(φ)∧Mσ=Nσ* where φ≡νn.σ∧n∩(n(M)∪n(N))=∅ for some names n and active substituions σ.*
It follows from [1, Lemma D.1] that this definition is well-defined.
Definition 2.5**.**
The static equivalence ≈s on closed frames is given by
[TABLE]
for closed frames φ and ψ.
The static equivalence on closed processes is given by
[TABLE]
for closed processes A and B.
We say that φ and ψ are statically equivalent when φ≈sψ. In addition, we say that A and B are static equivalent when A≈sB.
It is proved in [1, Lemma 4.1] that a static equivalence is closed by an application of an evaluation context.
We recall labelled bisimulation. It intuitively means that two processes operate in the same manner.
Definition 2.6**.**
A binary relation R between closed extended processes is called a labelled simulation if and only if whenever ARB,
A≈sB**
2. 2.
A⟶μA′∧A′:closed∧fv(μ)⊆dom(A)⇒∃B′s.t.B⟹μB′∧ARB**
If both R and R−1 are labelled simulations, we say that R is a labelled bisimulation.
We call the largest labelled bisimulation a labelled bisimilarity.
It is proved in [1, Theorem 4.1] the labelled bisimilarity is closed by an application of an evaluation context.
Note that structural equivalence is stronger than labelled bisimilarity.
Lemma 2.7**.**
Let σ and ρ be active substitutions. We assume that their images of variables contain no variables in domains. Then, σ≡ρ⇒[dom(σ)=dom(ρ)∧∀x∈dom(σ);xσ=xρ].
Proof.
We assume that σ≡ρ. It immediately follows that dom(σ)=dom(ρ). We arbitrarily take x∈dom(σ).
Because structural equivalence is preserved by a parallel composition,
[TABLE]
Because xσ does not contain variables in dom(σ),
[TABLE]
The left-hand side can act as below:
[TABLE]
Hence, the right-hand side must act as below:
[TABLE]
In other words, it must hold that xρ=xσ.
∎
2.3.2 Trace Equivalence
At first, we define a trace. It can be regarded as a history of observable actions.
Definition 2.8**.**
A trace tr is a finite derivation tr=A0⟹μ1...⟹μnAn such that every Ai is closed and fv(μi)⊆dom(Ai−1) for all i. If An can perform no actions, the trace tr is said to be complete or maximal.
Given a trace tr, let tr[i] be its i-th process Ai and tr[i,j] be the subderivation Ai⟹μi+1...⟹μjAj where 0≤i≤j≤n. The length of a trace tr is denoted by ∣tr∣=n.
If each ⟹μi accord with ⟶μi, we say that tr is full.
Definition 2.9**.**
Let tr be a trace A0⟹μ1...⟹μnAn and tr′ be a trace B0⟹μ1′...⟹μm′Bm.
tr∼ttr′⇔defn=m∧μi=μi′∧Ai≈sBiforalli.
When tr∼ttr′**, we say that they are statically equivalent.
Definition 2.10**.**
Let tr be a trace A0⟹μ1...⟹μnAn.
We arbitrarily take processes A01,...,A0m0,...,An−1,1,...,An−1,mn−1 such that
[TABLE]
and each transition is derived without α-conversion. If μi is silent, mi can be 0. The above derivation is denoted by unfold(tr).
Note that unfold(tr) is not always unique.
Definition 2.11**.**
A trace tr is safe with respect to A.
⇔def Every action in tr contains no elements in bn(A)∪rv(A) and each transition is derived without α-conversion.
If tr is a trace of A, we merely say that tr is safe or tr is a safe trace.
Definition 2.12**.**
Let A and B be two closed name-variable-distinct extended processes. A⊆tB if and only if we can always complete the procedure below.
We α-convert A and B such that A and B are bind-exclusive.
2. 2.
We arbitrarily choose a trace tr of A which is safe with respect to A and B.
3. 3.
We take a safe trace of B which is static equivalent to tr.
When A⊆tB∧B⊆tA, we say that they are trace equivalent and denote by A≈tB.
Let A and B be two name-variable-distinct extended processes. We α-convert A and B such that A and B are bind-exclusive. Let σ be a map that maps a variable in (fv(A)∖dom(A))∪(fv(B)∖dom(B)) to a ground term. When Aσ≈tBσ for all σ and capture-avoiding, we also say that they are trace equivalent and denote as A≈tB.
Note that σ causes capture-avoiding substitution.
This definition may look strange, but this is equivalent to the standard definition.
Proposition 2.13**.**
Let A and B be two closed name-variable-distinct extended processes.
A⊆tB⇔* For any trace tr of A, there exists a trace tr′ of B such that tr∼ttr′.*
Proof.
⇒) We arbitrarily take a trace tr of A.
First, we α-convert A and B to A′ and B′ respectively such that A′ and B′ are bind-exclusive and they bind no names in actions that are in tr. We replace A with A′ in tr.
Secondly, we convert processes in tr to structural equivalent processes such that
[TABLE]
Thirdly, we α-convert processes in tr such that every transition is derived without α-conversion.
Now, we got a safe trace tr′′ of A′, so we can obtain a safe trace tr′ of B′ such that tr′′∼ttr′ because of A⊆tB.
Then, we α-convert B′ in tr′′ to B and obtain a trace of B that is statically equivalent to tr.
⇐) We α-convert A and B to A′ and B′ respectively such that A′ and B′ are bind-exclusive.
Next, we arbitrarily choose a trace tr of A′ which is safe with respect to A′ and B′.
We α-convert A′ in tr to A.
By assumption, we obtain a trace tr′ of B that is statically equivalent to tr.
We replace B with B′ in tr′.
Moreover, we convert processes in tr′ to structural equivalent processes such that
[TABLE]
In addition, we α-convert processes in tr′ such that every transition is derived without α-conversion.
Now, we got a safe trace of B′ that is statically equivalent to tr.
∎
Definition 2.14**.**
[TABLE]
Derivations are closed under structural equivalence, so structural equivalence is finer than trace equivalence. In addition, labelled bisimilarity is also finer than trace equivalence.
Example 2.15**.**
We consider
[TABLE]
They have the same traces, so they are trace equivalent. However, they are not bisimilar. In fact, P⟶a⟨s⟩.b⟨s⟩ is not simulated by Q.
We later show that a non-adaptive active attacker cannot distinguish trace equivalent processes.
Problem 2.16**.**
Input: Closed extended processes A,B and a trace tr∈tr(B).
Question: Does there exist a trace tr′∈tr(A) such that tr∼ttr′?
Proposition 2.17**.**
There are signatures for which Problem 2.16 is undecidable, even though the input processes are restricted to plain processes.
Proof.
It is proved in [2, Proposition 5] that static equivalence is undecidable in general.
We reduce the decision problem for static equivalence to Problem 2.16.
Let φ and ψ be traces. We assume that dom(φ)=dom(ψ).
Let \varphi=\nu\widetilde{n}.\{\raisebox{1.72218pt}{\smallM_{1}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{1}},...,\raisebox{1.72218pt}{\smallM_{l}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{l}}\},\psi=\nu\widetilde{m}.\{\raisebox{1.72218pt}{\smallN_{1}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{1}},...,\raisebox{1.72218pt}{\smallN_{l}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{l}}\}.
Let P=νn.a⟨M1⟩...a⟨Ml⟩,Q=νm.a⟨N1⟩...a⟨Nl⟩, where a∈/n∪m.
Let tr be P\overset{\nu x_{1}.\overline{a}\langle x_{1}\rangle}{\longrightarrow}\nu\widetilde{n}.(\overline{a}\langle M_{2}\rangle...\overline{a}\langle M_{l}\rangle|\{\raisebox{1.72218pt}{\smallM_{1}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{1}}\})\overset{\nu x_{2}.\overline{a}\langle x_{2}\rangle}{\longrightarrow}...\overset{\nu x_{l}.\overline{a}\langle x_{l}\rangle}{\longrightarrow}\nu\widetilde{n}.\{\raisebox{1.72218pt}{\smallM_{1}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{1}},...,\raisebox{1.72218pt}{\smallM_{l}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{l}}\}.
We prove that φ≈sψ⇔ there exists a trace tr′∈tr(A) such that tr∼ttr′.
A trace tr′∈tr(Q) whose actions correspond to tr is the only below:
[TABLE]
We assume that tr∼ttr′. Then, \nu\widetilde{n}.\{\raisebox{1.72218pt}{\smallM_{1}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{1}},...,\raisebox{1.72218pt}{\smallM_{l}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{l}}\}\approx_{s}\nu\widetilde{m}.\{\raisebox{1.72218pt}{\smallN_{1}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{1}},...,\raisebox{1.72218pt}{\smallN_{l}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{l}}\}, so ⇐ holds.
Next, we assume that φ≈sψ. Then,
[TABLE]
Therefore, it follows that tr∼ttr′. Namely, ⇒ also holds.
∎
Proposition 2.18**.**
If the static equivalence on a signature Σ is decidable, Problem 2.16 is decidable.
Proof.
The number of traces in tr(A) whose actions correspond to ones in tr is finite because every action yields finite processes.
This is why we only have to check whether each process is statically equivalent to the correspondent process in tr.
∎
Definition 2.19**.**
A convergent subterm theory is an equational theory defined by finite equations whose each right-hand side is a proper subterm of the left-hand side.
For example, if Σ={dec,enc} and an equational theory on Σ is defined by
[TABLE]
this theory is convergent subterm.
It is proved in [2, Theorem 1] that static equivalence on a convergent subterm theory is decidable, so the corollary below immediately follows.
Corollary 2.20**.**
If the equational theory on Σ is a convergent subterm theory , then Problem 2.16 is decidable.
2.4 Examples
We express Diffie-Hellman key exchange and the man-in-the-middle attack by the applied pi calculus.
The fundamental Diffie-Hellman protocol enables two parties to make a shared secret key by exchanging messages on public channels.
We consider the binary function symbol f and the unary function symbol g. They satisfy f(x,g(y))=f(y,g(x)). We intend that f(x,y)=yxmodp and g(x)=αxmodp where p is a prime, α is a generator of (Z/pZ)∗, and x and y are elements in (Z/pZ)∗.
However, such a specific definition is not necessary for the discussion below.
Diffie-Hellman protocol is expressed in the applied pi calculus as below. Note that kA and kB are variables. Alice behaves as νa,kA.c⟨g(a)⟩.d(x).(PA∣{f(a,x)/kA}) and Bob behaves as νb,kB.c(y).d⟨g(b)⟩.(PB∣{f(b,y)/kB}). We suppose that PA does not contain x for simplicity. PB is similar.
[TABLE]
In the first transition, Alice sent g(a) on a channel c, and Bob received it. In the second transition, Bob sent g(b) on a channel d, and Alice received it.
Then, Alice makes a shared key using g(b). That is, she calculates f(a,g(b)). Similarly, Bob calculates f(b,g(a)). They coincide by the equation above.
The transitions above represent a good case. If someone eavesdrops, it is expressed as below.
[TABLE]
Unlike the first example, sending and receiving are observable. Note that the domain of the last process contains z and w. The environment —now it is an eavesdropper— can use them freely. In other words, the eavesdropper gets the value of g(a) and g(b). On the other hand, she cannot directly use a and b because they are restricted. Moreover, she cannot calculate a and b from g(a) and g(b) because such equations do not exist. This corresponds to the complexity of discrete logarithm problems.
If an active attacker exists, this protocol is no longer safe.
[TABLE]
The attacker sent g(r) to Bob and sent g(s) to Alice.
Then, Alice calculates f(a,g(s)) and use it as a secret key. The value is same with f(s,z) in this situation, so the attacker can read secret messages encrypted by the key. Bob is similar. This man-in-the-middle attack is well known. This is why Diffie-Hellman protocol needs authentication.
Chapter 3 Congruency of Trace Equivalence
This chapter proves the theorem below by case analysis, and this is our main result.
Theorem 3.1**.**
≈t* is a congruence.*
In this chapter and the next chapter, we assume that every process is bind-exclusive. Otherwise, we α-convert so that it is satisfied.
This chapter and the appendix use many results in [1]
At first, we summarize lemmas for this chapter. We omit all proofs here. See Appendix. We will define the notion of normal processes later (Definition 3.12, 3.13 and the remark before them).
3.1 The Case of Applying a Context without Composition
This case is straightforward, and the proof is simple, but some propositions rely on Proposition 3.19.
Proposition 3.7**.**
P≈tQ⇒M⟨N⟩.P≈tM⟨N⟩.Q**
Proof.
Assume that P≈tQ.
For all assignments σ, it is sufficient to prove that Mσ⟨Nσ⟩.Pσ≈tMσ⟨Nσ⟩.Qσ. Thus, we can suppose that P,Q,M and N are closed without loss of generality.
We arbitrarily take a safe trace tr of M⟨N⟩.P.
Here, unfold(tr) is M⟨N⟩.P⟶νx.M⟨x⟩A⟶μ … and A≡P∣{N/x} for some x.
By Proposition 3.19, P∣{N/x}≈tQ∣{N/x}, so there exists a trace of Q∣{N/x} which is statically equivalent to the part A⟶μ … of unfold(tr). We add M⟨N⟩.Q⟶νx.M⟨x⟩ to it and we get a trace of M⟨N⟩.Q that is statically equivalent to unfold(tr). We omit some silent actions and get the desired trace. Hence, M⟨N⟩.P⊆tM⟨N⟩.Q and vice versa.
∎
Proposition 3.8**.**
P≈tQ⇒M(x).P≈tM(x).Q**
Proof.
Assume that P≈tQ.
For all assignments σ, it is sufficient to prove that Mσ(x).Pσ≈tMσ(x).Qσ. Thus, we can suppose that M is closed and fv(P)∪fv(Q)⊆{x} without loss of generality. Note that x is not mapped by σ because it is not free in M(x).P and M(x).Q.
We arbitrarily take a safe trace tr of M(x).P.
Here, unfold(tr) is M(x).P⟶M(N)P′⟶μ … and P′≡P{N/x} for some ground N.
By P≈sQ, there exists a trace of Q{N/x} which is statically equivalent to the part P′⟶μ … of unfold(tr). We add M(x).Q⟶M(N) to it and we get the desired trace of M(x).Q that is statically equivalent to unfold(tr). We omit some silent actions and get the desired trace. Hence, M(x).P⊆tM(x).Q and vice versa.
∎
Proposition 3.9**.**
A≈tB⇒νu.A≈tνu.B* (When u is a variable, u∈dom(A).)*
Proof.
Assume that A≈tB.
For all assignments σ, it is sufficient to prove that (νu.A)σ≈t(νu.B)σ. Thus, we can suppose that A and B are closed without loss of generality.
We arbitrarily take a safe trace tr of νu.A.
Here, unfold(tr) is νu.A⟶μ1C1⟶μ2....
By Lemma 3.3, there exists C1′ such that
A⟶μ1C1′∧C1≡νu.C1′.
Moreover, we use Lemma 3.3 repeatedly, and we get
[TABLE]
We take a trace of B which is statically equivalent to the second line and add νu. to each process. This is possible because tr is safe. Recall that every action in a safe trace contains no bound names and restricted variables. Hence, μi does not contain u.
[TABLE]
The last line is statically equivalent to unfold(tr). Note that restriction preserves static equivalence. We omit some internal reductions and get the desired trace. Hence, νu.A⊆tνu.B and vice versa.
∎
Proposition 3.10**.**
P≈tQ⇒ifM=NthenPelseR≈tifM=NthenQelseR.
Proof.
Assume that P≈tQ. For all assignments σ, it is sufficient to prove that
[TABLE]
Thus, we can suppose that P,Q,R,M and N are closed without loss of generality.
We arbitrarily take a safe trace tr of ifM=NthenPelseR.
Here, unfold(tr) is
[TABLE]
We know that A≡P∨A≡R, so we can regard A⟶μ... as a trace of P or R.
In the former case, there exists a trace of Q which is statically equivalent to it.
We add ifM=NthenQelseR⟶ to it and get a trace of ifM=NthenQelseR which is statically equivalent to unfold(tr).
In the latter case, we add ifM=NthenQelseR⟶ to A⟶μ... and get a trace of ifM=NthenQelseR which is statically equivalent to unfold(tr).
We omit some internal reductions and get the desired trace. Hence,
[TABLE]
and vice versa.
∎
Proposition 3.11**.**
P≈tQ⇒P+R≈tQ+R.
Proof.
Assume that P≈tQ. For all assignments σ, it is sufficient to prove that
[TABLE]
Thus, we can suppose that P,Q and R are closed without loss of generality.
We arbitrarily take a safe trace tr of P+R.
Here, unfold(tr) is P+R⟶A⟶μ....
We know that A≡P∨A≡R, so we can regard A⟶μ... as a trace of P or R.
In the former case, there exists a trace of Q which is statically equivalent to it.
We add Q+R⟶ to it and get a trace of Q+R which is statically equivalent to unfold(tr).
In the latter case, we add Q+R⟶ to A⟶μ... and get a trace of Q+R which is statically equivalent to unfold(tr).
We omit some internal reductions and get the desired trace. Hence, P+R⊆tQ+R and vice versa.
∎
Hereafter, we often use partial normal forms [1]. pnf(A) is the partial normal form of A. We call a process which is partial normal form a normal process.
Definition 3.12**.**
Let σ and ρ be active substitutions.
We assume that σ∣ρ≡{M1/x1,...,Mn/xn} where each Mi does not contain x1,...,xi by reordering.
We define σ0=0 and σi+1=σi{Mi+1/xi+1}∣{Mi+1/xi+1}. Then, we also define σ⊎ρ=σn.
Definition 3.13**.**
We suppose that pnf(A)=νn.(σ∣P) and pnf(B)=νm.(ρ∣Q).
[TABLE]
Note that A≡pnf(A).
Lemma 3.14**.**
If A and P are closed and A∣!P⟶B, it holds one of the following:
∃A′s.t.A⟶A′∧B≡A′∣!P.
2. 2.
∃P′′s.t.P∣P⟶P′′∧B≡A∣P′′∣!P.
3. 3.
∃Es.t.A∣P⟶E∧B≡E∣!P.
Proof.
Let pnf(A)=νn.(σ∣Q).
Then, pnf(A∣!P)=νn.(σ∣Q∣!P). Note that n(P)∩n=∅.
By [1, Lemma B.23], Q∣!P⟶R∧B≡νn.(σ∣R) for some closed R.
By [1, Lemma B.24], we consider the following four cases:
Q⟶Q′∧R≡Q′∣!P for some closed Q′.
A≡νn.(σ∣Q)⟶νn.(σ∣Q′) and νn.(σ∣Q′)∣!P≡νn.(σ∣Q′∣!P)≡B.
Then, A′=νn.(σ∣Q′) satisfies case 1 of this lemma.
2. 2.
!P⟶P′∧R≡Q∣P′ for some closed P′.
By [1, Lemma B.24], P∣P⟶P′′∧P′≡P′′∣!P for some closed P′′.
B≡νn.(σ∣R)≡νn.(σ∣Q)∣P′′∣!P≡A∣P′′∣!P, so case 1 of this lemma is satisfied.
3. 3.
Q⟶N(x)B′∧!P⟶νx.N⟨x⟩C∧R≡νx.(B′∣C) for some B′,C,x and ground N.
By [1, Lemma B.18], P⟶νx.N⟨x⟩D∧C≡D∣!P for some D.
Then,
[TABLE]
Thus, E=νn.(σ∣νx.(B′∣D)) satisfies case 3 of this lemma.
4. 4.
!P⟶N(x)B′∧Q⟶νx.N⟨x⟩C∧R≡νx.(B′∣C) for some B′,C,x and ground N.
In addition, νn.(σ∣Q∣E)∣!P≡νn.(σ∣Q∣E∣!P)≡B, so F=νn.(σ∣Q∣E) satisfies case 2 of this lemma.
∎
Corollary 3.17**.**
If A and P are closed and A∣!P⟶αB and fv(α)⊆dom(A) and n(α)∩bn(A∣!P)=∅, then A∣P⟶αC∧B≡C∣!P for some C.
Proposition 3.18**.**
P≈tQ⇒!P≈t!Q.
Proof.
Assume that P≈tQ.
For all assignments σ, it is sufficient to prove that !Pσ≈t!Qσ. Thus, we can suppose that P and Q are closed without loss of generality.
We arbitrarily take a safe trace tr of !P. By corollary 3.15, 3.17, we obtain a trace which is of the form Pn∣!P⟶μ1A1∣!P⟶μ2A2∣!P⟶μ3... and statically equivalent to unfold(tr). We also obtain Pn⟶μ1A1⟶μ2A2⟶μ3... to convert each process in unfold(tr). Here, n depends on tr and Pn is n concurrent processes. Strictly speaking, processes in Pn are not same when bn(P)=∅. In this case, we α-convert P and make processes in Pn bind-exclusive.
By Proposition 3.19, Pn≈tQn, so there exists a trace of Qn which is statically equivalent to Pn⟶μ1A1⟶μ2A2⟶μ3....
We add ∣!Q to each process in the trace, omit some internal reductions and get the desired trace. Hence, !P⊆t!Q and vice versa.
∎
3.2 The Case of Parallel Composition
Proposition 3.19**.**
A≈tB⇒A∣C≈tB∣C.
This proof is very long and complex, so we present an outline at first. We suppose that A,B and C are closed as before.
First, we define a concurrent normal form. This is a special form of a trace of a process which is of the form A∣C. A concurrent normal trace completely captures the change of scope of bound names.
Secondly, we prove that every safe trace of A∣C can be transformed into a concurrent normal form. This proof is constructive.
Thirdly, we constitute a correspondent trace from the concurrent normal trace by division into cases.
Finally, we convert the extracted traces, combine them and prove that the result is statically equivalent to the given trace.
In this section, we always assume that structural equivalent processes are constructed without α-conversion.
3.2.1 A Definition of a Concurrent Normal Trace
Definition 3.20**.**
[σρ]=(σ⊎ρ)∣dom(σ).
Lemma 3.21**.**
σρ≡[σρ].
Proof.
See Appendix.
∎
Lemma 3.22**.**
ρσ≡ρ[σρ].
Proof.
See Appendix.
∎
Lemma 3.23**.**
(σ∣P)ρ≡[σρ]∣P[ρσ].
Proof.
See Appendix.
∎
Concurrent normal form completely records communication.
Definition 3.24**.**
A concurrent normal trace tr of A∣C is a trace which satisfies the following conditions.
tr* is full and safe.*
2. 2.
Each process in tr is of the form νrmsm.(νxm.Amρm∣νym.Cmσm).
for some N1,N2,M and x, and the other parts of Dm+1 are same as counterparts in Dm.
4. (d)
•
Cmσm⟶N2(x)Cm+1σm,
•
Amρm⟶νx.N1⟨x⟩νm.Am+1ρm,
•
sm+1=smm,
•
σm+1=σm⊎{M/x},
•
m=n(M)∩bn(Am),
•
N1[σmρm]=N2[ρmσm]: ground,
•
sm∩n(N2)=∅,
•
rm∩n(N1)=∅.,
•
M[ρmσm]: ground,
•
xm+1=xmx,
•
n(M)∩rm=∅,
for some N1,N2,M and x, and the other parts of Dm+1 are same as counterparts in Dm.
4. 4.
For every Dm⟶N(M)Dm+1 in tr, it holds one of the following:
(a)
Amρm⟶N(M)[ρmσm]Am+1ρm* and elements in Dm+1 except for Am+1 are same as counterparts in Dm.*
2. (b)
Cmσm⟶N(M)[σmρm]Cm+1σm* and elements in Dm+1 except for Cm+1 are same as counterparts in Dm.*
5. 5.
For every Dm⟶νx.N⟨x⟩Dm+1 in tr, it holds one of the following:
(a)
•
Amρm⟶νx.N⟨x⟩[ρmσm]νm.Am+1ρm,
•
σm+1=σm⊎{M/x},
•
sm+1=smm,
•
m=n(M)∩bn(Am)**
•
M[ρmσm]: ground,
•
n(M)∩rm=∅,
and the other parts of Dm+1 are same as counterparts in Dm.
2. (b)
•
Cmσm⟶νx.N⟨x⟩[σmρm]νm.Cm+1σm,
•
ρm+1=ρm⊎{M/x},
•
rm+1=rmm,
•
m=n(M)∩bn(Cm),
•
M[σmρm]: ground,
•
n(M)∩sm=∅,
and the other parts of Dm+1 are same as counterparts in Dm.
6. 6.
(a)
At 3a, let Am′ be a process obtained by applying ρm to only for the part related to the transition from Am. Then, Am′⟶Am+1, and 3b is similar.
2. (b)
At 3c, let Am′ be a process obtained by substituting only for the part related to the transition from Am. Then, Am′⟶N1[σmρm](x)Am+1. Cm is similar, and 3d is similar.
3. (c)
At 4a, let Am′ be a process obtained by substituting only for the part related to the transition from Am. Then, Am′⟶N(ρm⊎σm)(M)Am+1, and 4b is similar.
4. (d)
At 5a, let Am′ be a process obtained by substituting only for the part related to the transition from Am. Then, Am′⟶νx.N(ρm⊎σm)⟨x⟩Am+1, and 5b is similar.
3.2.2 A Transformation into a Concurrent Normal Form
We can transform all full safe traces of a parallel composed process into a concurrent normal form.
Lemma 3.25**.**
For any full safe trace of A∣C, there exists a concurrent normal trace of A∣C such that they are statically equivalent.
Proof.
We transform the given trace in order from the top. Assuming that we transformed the first m-th process.
Let Am=σ∣P∧Cm=ρ∣Q. Note that Amρ≡[σρ]∣P[ρσ] and Cmσ≡[ρσ]∣Q[σρ].
Then, νxy.σ⊎ρ∣P[ρσ]∣Q[σρ]⟶μD′. That is, (σ⊎ρ)∣dom(σ⊎ρ)∖xy∣P[ρσ]∣Q[σρ]⟶μD′.
First, we consider when μ is silent.
By [1, Lemma B.23], P[ρσ]∣Q[σρ]⟶R∧D′≡(σ⊎ρ)∣dom(σ⊎ρ)∖xy∣R for some closed R.
We consider four cases.
P[ρσ]⟶P′[ρσ]∧R≡P′[ρσ]∣Q[σρ] for some P′ where fv(P′)⊆dom(ρ).
Furthermore, let P′′ be a process obtained by applying [ρσ] to only for the part related to the transition from P. Then, P′′⟶P′.
Amρ⟶[σρ]∣P′[ρσ]≡(σ∣P′)ρ.
Hence,
[TABLE]
This is the desired form.
2. 2.
Q[σρ]⟶Q′[σρ]∧R≡P[ρσ]∣Q′[σρ] for some Q′ where fv(Q′)⊆dom(σ).
Furthermore, let Q′′ be a process obtained by applying [σρ] to only for the part related to the transition from Q. Then, Q′′⟶Q′.
There exists m,t,M,Q′ and Q2 such that Q[σρ]≡(νmt.(N1⟨M⟩.Q′∣Q2))[σρ] and F≡(νm.({M/x}∣νt.(Q′∣Q2)))[ρσ] where m⊆n(M)∧t∩n(M)=∅∧n(M)∩s=∅ and M[σρ] is ground.
3.2.3 Extracting a Trace of a Component Process from Concurrent Normal Form
Given a concurrent normal trace of A∣C, we construct traces of A and C which are each process in them is of the form νsm.Amρm or νrm.Cmσm. Assuming that we transformed the first m-th process.
We omit many subscripts and symmetric cases.
In case 3a in Definition 3.24, we get νsm.Amρm⟶νsm+1.Am+1ρm+1.
By Lemma 3.4, [σρ]∣P[ρσ]⟶N(M)ρAm+1ρ. Note that (N(M)[ρσ])[σρ]=(N(M)ρ)[σρ].
Amρ⟶N(M)ρAm+1ρ.
We get νsm.Amρm⟶N(M)ρmνsm+1.Am+1ρm+1.
Case 5a is similar to case 4a. We get νsm.Amρm⟶νx.N⟨x⟩ρmνsm+1.Am+1ρm+1.
3.2.4 Composition of Traces
Given trace-equivalent processes A,B, an arbitrary process C, and a trace of A∣C, we construct a statically equivalent trace of B∣C. By subsection 3.2.2, we can suppose that a given trace tr of A∣C is a concurrent normal form without loss of generality. We extract traces tr′ and tr′′′ of A and C as mentioned in subsection 3.2.3. There exists a safe trace tr′′ of B such that it satisfies the conditions below:
Each transition νsm.Amρm⟶μνsm+1.Am+1ρm+1 in tr′ corresponds to the transition νsm′.Bm⟹μνsm+1′.Bm+1 in tr′′. Moreover, Bm is of the form ζm∣Sm, it is normal and dom(ζm)=dom(σm). Especially, Sm is closed.
Each process in a constructed trace is of the form νrmsm′.(νxm.Bm∣νym.Cmζm).
We again omit many subscripts. Note that an internal reduction and a receive action do not change a frame. In addition, sm′ contains no names in other processes because of bind-exclusiveness. Let z=dom(σ).
(3.20) is in tr′ and corresponds to (3.19). Recall subsection 3.2.3. (3.21) is in tr′′ and corresponds to (3.20). (3.22) is deriverd from (3.21). Note that x does not appear in Cm.
(3.22) contains an output, so it changes a frame. We have to check that static equivalence is preserved.
νs.[σρ]≈sνs′.ζ because νs.Amρ≈sνs′.Bm.
νsm.[(σ⊎{M/x})ρ]≈sνs′m′.(ζ⊎{M′/x}) because νsm.Am+1ρ≈sνs′m′.Bm+1.
In addition, νrs.(νx.[σρ]∣νy.[ρσ])≈sνrs′.(νx.ζ∣νy.ρζ).
This is because νrs.(νx.Amρ∣νy.Cmσ)≈sνrs′.(νx.Bm∣νy.Cmζ).
P[ρσ]⟶νx.(Nρ)[σρ]⟨x⟩D∧νm.Am+1ρ≡[σρ]∣D for some D. By Lemma 3.6. Recall Definition 3.24.
Let P[ρσ]≡(νml.(N⟨M⟩.P′∣P2))[ρσ]∧D≡(νm.({M/x}∣νl.(P′∣P2)))[ρσ].
Thus we have finished the proof of Lemma 3.19 and Theorem 3.1.
Chapter 4 An Epistemic Logic for the Applied Pi Calculus
From now, we suppose that all processes are name-variable-distinct. We redefine trace equivalence as below.
Definition 4.1**.**
[TABLE]
Definition 4.2**.**
Let A and B be closed processes.
[TABLE]
Let A and B be two processes. Let σ be a map that maps a variable in (fv(A)∖dom(A))∪(fv(B)∖dom(B)) to a ground term. When Aσ≈tBσ for all σ and capture-avoidings, we also denote as A≈tB.
Please note that this definition is equivalent to the previous definition because of Proposition 2.13.
4.1 Syntax
We adopt equality of terms as a primitive proposition. We give syntax of formulas.
[TABLE]
where M1,M2 and M are terms, and μ is an action.
4.2 Semantics
Our logic is an LTL-like logic with an epistemic operator.
Let A be a name-variable-distinct extended process that fv(A)∖dom(A)=x, ρ be an assignment from x to ground terms, tr be a trace of Aρ and 0≤i≤∣tr∣,M1 and M2 be terms.
We suppose that δ and φ contain no variables other than x∪dom(tr[i]).
[TABLE]
We also define validity of formulas containing free variables.
Let dom(tr[i])=y. We suppose that φ contains no variables other than x,y and z.
[TABLE]
Definition 4.3**.**
A⊨φ* if and only if ∀ρ∀tr∈tr(Aρ);A,ρ,tr,0⊨φ.*
Definition 4.4**.**
A⊑sB* if and only if ∀δ∀ρ;A,ρ,Aρ,0⊨δ⇒B,ρ,Bρ,0⊨δ.*
A≡sB* if and only if A⊑sB∧B⊑sA.*
Definition 4.5**.**
A⊑LB⇔def∀ρ∀tr∈tr(Aρ)∃tr′∈tr(Bρ)**
s.t.∀i∀φ;[A,ρ,tr,i⊨φ⇔B,ρ,tr′,i⊨φ].
A≡LB* if and only if A⊑LB∧B⊑LA.
*
Proposition 4.6**.**
We assume that A⊑LB. Then B⊨φ⇒A⊨φ.
Proof.
Assuming that B⊨φ, we arbitrarily take ρ and tr∈tr(Aρ).
By arbitrariness of ρ and tr, it holds that A⊨φ.
∎
4.3 Correspondence with Trace Equivalence
We prove that trace equivalent processes satisfy the same formulas and vice versa.
Lemma 4.7**.**
[∀ρ;Aρ≈sBρ]* ⇔A≡sB*
Proof.
⇒) We prove A⊑sB by induction on the syntax of static formulas.
Let x=(fv(A)∖dom(A))∪(fv(B)∖dom(B)).
We arbitrarily take an assignment ρ from x to terms. We suppose A,ρ,Aρ,0⊨δ and δ contains no variables other than free variables of A. Here, we omitted restriction of a domain.
⊤.
Trivially, B,ρ,Bρ,0⊨⊤.
2. 2.
M1=M2.
By assumption, (M1ρ=M2ρ)fr(Aρ).
By Aρ≈sBρ, (M1ρ=M2ρ)fr(Bρ).
This means that B,ρ,Bρ,0⊨M1=M2.
3. 3.
M∈dom.
M must be a variable x.
By definition, x∈dom(Aρ).
By Aρ≈sBρ, x∈dom(Bρ).
This means that B,ρ,Bρ,0⊨x∈dom.
4. 4.
δ1∨δ2
By assumption, A,ρ,Aρ,0⊨δ1∨δ2.
By definition, A,ρ,Aρ,0⊨δ1 or A,ρ,Aρ,0⊨δ2.
By induction hypothesis, B,ρ,Bρ,0⊨δ1 or B,ρ,Bρ,0⊨δ2.
This means that B,ρ,Bρ,0⊨δ1∨δ2.
5. 5.
¬δ.
By assumption, A,ρ,Aρ,0⊨δ.
By induction hypothesis, B,ρ,Bρ,0⊨δ.
This means that B,ρ,Bρ,0⊨¬δ.
Thus, A⊑sB and vice versa.
⇐) We arbitrarily take an assignment ρ from x to terms.
We arbitrarily take x∈dom(Aρ). Then, A,ρ,Aρ,0⊨x∈dom.
By assumption, B,ρ,Bρ,0⊨x∈dom. That is, x∈dom(Bρ).
Thus, dom(Aρ)⊆dom(Bρ). The converse is similar.
We suppose that (M=N)fr(Aρ). This means that A,ρ,Aρ,0⊨M=N. By assumption, B,ρ,Bρ,0⊨M=N. In other words, (M=N)fr(Bρ). Similarly, (M=N)fr(Bρ)⇒(M=N)fr(Aρ). Therefore, Aρ≈sBρ.
∎
by induction on the syntax of modal formulas. Here, we omitted restriction of a domain.
We take arbitrarily an assignment ρ from x to terms. We also arbitrarily take traces tr and tr′ of Aρ and Bρ. We arbitrarily take i.
δ.
We suppose that A,ρ,tr,i⊨δ.
This means that tr[i],0,tr[i],0⊨δ. Here, the first 0 expresses an empty map.
By tr∼ttr′, tr[i]≈str′[i]. By Lemma 4.7, tr[i]≡str′[i].
Thus, tr′[i],0,tr′[i],0⊨δ. This implies that B,ρ,tr′,i⊨δ
The converse is similar.
2. 2.
φ1∨φ2.
By induction hypothesis,
A,ρ,tr,i⊨φ1⇔B,ρ,tr′,i⊨φ1,
and A,ρ,tr,i⊨φ2⇔B,ρ,tr′,i⊨φ2
Thus, A,ρ,tr,i⊨φ1∨φ2⇔B,ρ,tr′,i⊨φ1∨φ2.
3. 3.
¬φ.
By induction hypothesis, A,ρ,tr,i⊨φ⇔B,ρ,tr′,i⊨φ.
Thus, A,ρ,tr,i⊨¬φ⇔B,ρ,tr′,i⊨¬φ.
4. 4.
⟨μ⟩−φ.
We suppose that A,ρ,tr,i⊨⟨μ⟩−φ.
By definition, tr[i−1]⟹μtr[i]intr∧A,ρ,tr,i−1⊨φ.
tr′[i−1]⟹μtr′[i]intr′ because tr∼ttr′.
By induction hypothesis, B,ρ,tr,i−1⊨φ.
Thus, B,ρ,tr′,i⊨⟨μ⟩−φ.
The converse is similar.
5. 5.
Fφ.
We suppose that A,ρ,tr,i⊨Fφ.
By definition, ∃j≥is.t.A,ρ,tr,j⊨φ.
By induction hypothesis, B,ρ,tr′,j⊨φ.
Thus, B,ρ,tr′,i⊨Fφ.
The converse is similar.
6. 6.
Kφ.
We suppose that A,ρ,tr,i⊨Kφ.
By definition, ∀ρ′∀tr′′∈tr(Aρ′);tr[0,i]∼ttr′′[0,i]⇒A,ρ′,tr′′,i⊨φ.
We arbitrarily take ρ′ and tr′′′∈tr(Bρ′) such as tr′[0,i]∼ttr′′′[0,i]
By assumption, there exists a trace tr′′ of Aρ′ such as tr′′′∼ttr′′.
Now, tr[0,i]∼ttr′[0,i]∼ttr′′′[0,i]∼ttr′′[0,i], so A,ρ′,tr′′,i⊨φ.
By induction hypothesis, B,ρ′,tr′′′,i⊨φ.
By arbitrariness of ρ′ and tr′′′, it follows that B,ρ,tr′,i⊨Kφ.
The converse is similar.
We complete to prove (4.2), and it immediately follows that A≈tB⇒A⊑LB.
2) We take arbitrarily an assignment ρ from x to terms. We also take arbitrarily a trace tr of Aρ.
By assumption, ∃tr′∈tr(Bρ)s.t.∀i∀φ;[A,ρ,tr,i⊨φ⇔B,ρ,tr′,i⊨φ].
We prove tr∼ttr′.
Let tr=A0:=Aρ⟹μ1A1⟹μ2,...,⟹μnAn. It holds that A,ρ,tr,0⊨F⟨μn⟩...⟨μ1⟩⊤, so it also holds that B,ρ,tr′,0⊨F⟨μn⟩...⟨μ1⟩⊤.
Moreover, ∀μ;A,ρ,tr,0⊨F⟨μ⟩⟨μn⟩...⟨μ1⟩⊤ and ∀μ;A,ρ,tr,0⊨F⟨μn⟩...⟨μ1⟩⟨μ⟩⊤. Thus, ∀μ;B,ρ,tr′,0⊨F⟨μ⟩⟨μn⟩...⟨μ1⟩⊤ and ∀μ;B,ρ,tr′,0⊨F⟨μn⟩...⟨μ1⟩⟨μ⟩⊤.
Therefore, tr′ is of the form B0:=Bρ⟹μ1B1⟹μ2,...,⟹μnBn.
We arbitrarily take i. We suppose that (M=N)fr(Ai).
Now, A,ρ,tr,i⊨M=N. Hence, B,ρ,tr′,i⊨M=N.
That is, (M=N)fr(Bi). Thus (M=N)fr(Ai)⇒(M=N)fr(Bi) and the converse similarly holds.
It follows that Ai≈sBi. Therefore, tr∼ttr′.
By arbitrariness of tr, it immediately follows that A⊑LB⇒A⊆tB.
∎
We can immediately conclude that the next theorem holds.
Theorem 4.9**.**
A≈tB⇔A≡LB.
4.4 Applications
In this section, we abbreviate ¬F¬φ to Gφ ,¬K¬φ to Pφ, ¬(¬φ1∨¬φ2) to φ1∧φ2, ¬φ1∨φ2 to φ1→φ2 and ¬(M1=M2) to M1=M2.
At first, we define minimal secrecy. This can be regarded as a generalization of minimal anonymity [15, Definition 2.3].
Definition 4.10**.**
x* is minimally secret with respect to δ in A iff A⊨G(δ(x)→P(¬δ(x))).*
As a matter of fact, this is a very weak property. For instance, although A and B satisfy it, A∣B does not always satisfy. In addition, although x is minimally secret with respect to nontrivial δ, x is not always minimally secret with respect to ¬δ.
Example 4.11**.**
Let δ(z):z=a∧z=b. Let
[TABLE]
Then
[TABLE]
In fact, when ρ=[x↦a], we can take the trace below:
[TABLE]
However, when x is assigned to a term other than a and b, there exist no traces whose actions correspond to the above.
When ρ=[x↦c], we can take the trace below:
[TABLE]
However, when x is assigned to a or b, there exist no traces whose actions correspond to the above.
Besides, although x is minimally secret with respect to δ in A, x is not always secret in A2.
Example 4.12**.**
Let δ(z):z=a. Let
[TABLE]
Then
[TABLE]
In fact, when ρ=[x↦a], we can take the trace below:
[TABLE]
However, when x is assigned to a term other than a, there exist no traces whose actions correspond to the above.
What is more, minimal secrecy is not preserved by restriction. Even though δ does not contain the restricted name, preservation does not hold in general.
Example 4.13**.**
Let δ(z):z=a. Let
[TABLE]
Then
[TABLE]
In fact, when ρ=[x↦a], we can take the trace below:
[TABLE]
However, when x is assigned to a term other than a, there exist no traces whose actions correspond to the above. Note that (νn.Q)σ can do nothing for any assignment σ because of capture-avoiding.
Moreover, although x is minimally secret with respect to δ1 and δ2 in A, x is not always minimally secret with respect to δ1∨δ2. δ2=¬δ1 is a counterexample.
On the other hand, ∧ preserves minimal secrecy.
Proposition 4.14**.**
If x is minimally secret with respect to δ1 and δ2 in A, then x is minimally secret with respect to δ1∧δ2 in A.
Proof.
We arbitrarily take ρ, tr∈tr(Aρ) and i. We suppose that A,ρ,tr,i⊨δ1∧δ2.
By definition, A,ρ,tr,i⊨δ1.
By assumption, A,ρ,tr,i⊨P(¬δ1).
It immediately follows that A,ρ,tr,i⊨P(¬δ1∨¬δ2).
By arbitrariness of ρ,tr and i, we conclude that A⊨G(δ1∧δ2→P(¬δ1∨¬δ2)).
∎
We define total secrecy. This can also be regarded as a generalization of total anonimity [15, Definition 2.4].
Definition 4.15**.**
x* is totally secret in A(x,y) iff*
[TABLE]
where δ contains no variables other than ones in {z}∪z∪w and satisfies that ∀N∀ψ∃M:grounds.t.ψ⊨¬δ(M,N,w). Besieds, ∣y∣=∣z∣ and w∩({x}∪y)=∅.
Proposition 4.16**.**
x* is totally secret in A(x,y)⇔A(x,y)≈tA(x′,y).*
Proof.
⇒) We suppose for the sake of contradiction that A(x,y)≈tA(x′,y)
Then, there exist M1,M2 and N which are closed and whose every name is not in bn(A) such that A(M1,N)≈tA(M2,N).
We suppose that A(M1,N)⊆tA(M2,N) without loss of generality. That is, there exists tr∈tr(A(M1,N)) such that any trace of A(M2,N) is not statically equivalent to tr.
Let δ(z,z) be z=M2∨z=N.
[TABLE]
The below follows because of how to take tr.
[TABLE]
This contradicts total secrecy.
⇐) We arbitrarily take δ,ρ,tr and i, where δ meets the demand of Definition 4.15.
We suppose that A(x,y),ρ,tr,i⊨δ(x,y,w).
We take M such that fr(tr[i])⊨¬δ(M,ρ(y),w).
Let ρ′ be
[TABLE]
By assumption, A(ρ(x),ρ(y))≈tA(M,ρ(y)).
Hence, there exists tr′∈tr(A(M,ρ(y))) such that tr∼ttr′.
By Lemma 4.7, tr[i]≡str′[i] and tr′[i],0,tr′[i],0⊨¬δ(M,ρ(y),w).
Thus, A(x,y),ρ′,tr′,i⊨¬δ(M,ρ(y),w).
Therefore, A(x,y),ρ,tr,i⊨P(¬δ(x,ρ(y),w)).
That is, A(x,y)⊨G(δ(x,y,w)→P(¬δ(x,ρ(y),w))).
∎
Theorem 4.17**.**
If x is totally secret in A(x,y), then x is also totally secret in E[A(x,y)] for all contexts E[_].
Proof.
It immediately follows from Proposition 4.16 and Theorem 3.1.
∎
Our framework can also introduce role interchangeability [22, Subsection 2.2.3] to the applied pi calculus.
Definition 4.18**.**
Let fv(A)∖dom(A)⊆{x1,...,xp}, J be a finite set and I={1,...,p}.
(xi,δk)* is role interchangeable with respect to {δj(zj,yj)}j∈J in A iff*
⇒(xi,δk)* is role interchangeable with respect to {δj}j∈J in A for all {δj}j∈J and k.*
When p=2, the converse holds. It immediately follows from Proposition 4.19.
Proposition 4.21**.**
A(x1,x2)≈tA(x2,x1)**
⇔(x1,δk)* is role interchangeable with respect to {δj}j∈J in A for all {δj}j∈J and k.*
We define openness. This can be regarded as a generalization of identity [22, Subsection 2.2.5].
Definition 4.22**.**
x* is open with respect to δ in A iff*
[TABLE]
This is also very weak. As a matter of fact, openness is neither preserved by restriction nor parallel composition.
Example 4.23**.**
Let δ(z):z=m. Let
[TABLE]
Then ∀ρ∀tr∈trmax(Pρ);
[TABLE]
However,
[TABLE]
Example 4.24**.**
Let δ(z):z=m. Let
[TABLE]
We arbitrarily take ρ,tr∈tr(Pρ) and tr′∈tr(Qρ). Then
[TABLE]
where σ=[x↦m] and tr0 is
[TABLE]
In fact, when σ′=σ, we can take the trace below:
[TABLE]
Then, tr0∼ttr1. That is, x is not open with respect to δ in P∣Q.
Problem 4.25**.**
Input: An extended process A, an assignment ρ, a trace tr∈tr(A), a non-negative number i≤∣tr∣ and a formula φ.
Question: Does A,ρ,tr,i⊨φ hold?
This problem is trivially undecidable in general because word problem is undecidable in general.
Proposition 4.26**.**
Problem 4.25 is undecidable in general, even when the word problem in Σ is decidable.
Proof.
We again reduce the decision problem for static equivalence to Problem 4.25.
Let φ and ψ be frames. We assume that dom(φ)=dom(ψ).
Let \varphi=\nu\widetilde{n}.\{\raisebox{1.72218pt}{\smallM_{1}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{1}},...,\raisebox{1.72218pt}{\smallM_{l}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{l}}\},\psi=\nu\widetilde{m}.\{\raisebox{1.72218pt}{\smallN_{1}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{1}},...,\raisebox{1.72218pt}{\smallN_{l}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{l}}\}.
Let P=νn.a⟨M1⟩...a⟨Ml⟩,Q=νm.a⟨N1⟩...a⟨Nl⟩, where a∈/n∪m.
Let A=ifx=bthenPelseQ and ρ:x↦b.
Let tr be A\rho\overset{\nu x_{1}.\overline{a}\langle x_{1}\rangle}{\longrightarrow}\nu\widetilde{n}.(\overline{a}\langle M_{2}\rangle...\overline{a}\langle M_{l}\rangle|\{\raisebox{1.72218pt}{\smallM_{1}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{1}}\})\overset{\nu x_{2}.\overline{a}\langle x_{2}\rangle}{\longrightarrow}...\overset{\nu x_{l}.\overline{a}\langle x_{l}\rangle}{\longrightarrow}\nu\widetilde{n}.\{\raisebox{1.72218pt}{\smallM_{1}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{1}},...,\raisebox{1.72218pt}{\smallM_{l}}\raisebox{0.0pt}{\large/}\raisebox{-0.86108pt}{\smallx_{l}}\}.
We prove that φ≈sψ⇔A,ρ,tr,i⊨P(x=b).
tr is the only trace of A which is statically equivalent to tr.
We arbitrarily take an assignment ρ′ which does not map x to b.
A trace tr′∈tr(Aρ′) whose actions correspond to tr is the only below:
[TABLE]
Because A,ρ′,tr′,i⊨x=b, it holds that A,ρ,tr,i⊨P(x=b)⇒φ≈sψ.
On the other hand, it holds that tr∼ttr′ if φ≈sψ. This is similar to the proof of Proposition 2.17.
Hence, it follows that φ≈sψ⇒A,ρ,tr,i⊨P(x=b).
∎
Lemma 4.27**.**
Let A be an extended process and B a closed extended process.
Consider a modal formula φ, assignments ρ,ρ′ and an arbitrary tr∈tr(B), together with a permutation π which does not alter names in A, tr[0,i] and φ for some i≤∣tr∣.
We assume that ρ′ is obtained by π from ρ.
Let Xi={tr′∈tr(Aρ)∣tr′[0,i]∼ttr[0,i]} and Yi={tr′∈tr(Aρ′)∣tr′[0,i]∼ttr[0,i]}.
Then there exists a bijection fi:Xi→Yi such that
[TABLE]
Proof.
We define fi as fi(tr′)=π(tr′).
By assumption, ρ′=π(ρ).
[TABLE]
∎
Lemma 4.28**.**
Let T be a finite set of variables. Let S be a finite set of names.
We define an equivalence relation ≍S between assignments which is a map from T to names.
[TABLE]
Then the quotient space by ≍S is finite.
Proof.
Let T={x1,...,xl,y1,...,ymn} and
[TABLE]
where a1,...,al are names in S and b1,...,bn are names which is not in S. In addition, i=j⇒bi=bj, but we do not assume that i=j⇒ai=aj.
Then ρ≍Sρ′⇔[ρ(xi)=ρ′(xi) and ρ′(yi)=π(ρ(yi)) for some π].
Each equivalence class is determined by a division of variables such as described above. The number of such divisions is finite, so the quotient space is finite.
∎
We a bit change semantics of Kφ.
[TABLE]
where ρ′ is an assignment to names.
Proposition 4.29**.**
If static equivalence and word problem in Σ are decidable and ρ is restricted to an assignment to names, then Problem 4.25 is decidable.
Proof.
We prove by induction on φ.
⊤.
A,ρ,tr,i⊨⊤ always holds, so this is decidable.
2. 2.
M1=M2.
By assumption, this is decidable.
3. 3.
M∈dom.
This is trivially decidable.
4. 4.
δ1∨δ2.
By induction hypothesis, δ1 and δ2 are decidable, so δ1∨δ2 is so.
Moreover, ¬δ,φ1∨φ2 and ¬φ are similar.
5. 5.
⟨μ⟩−φ.
Whether tr[i−1]⟶μtr[i] holds in tr is clearly decidable.
By induction hypothesis, A,ρ,tr,i−1⊨φ is decidable, so ⟨μ⟩−φ is so.
6. 6.
Fφ.
By induction hypothesis, A,ρ,tr,i⊨φ,...,A,ρ,tr,∣tr∣⊨φ are decidable, so Fφ is so.
7. 7.
Kφ.
We consider a quotient space by ≍n(tr[0,i])∪n(A)∪n(φ). By Lemma 4.28, this space is finite. Here, n(tr[0,i]) is a set of names which appear in tr[0,i].
Each equivalence class is determined by a division of variables, so this is computable.
We arbitrarily take a representative ρ′ of each equivalence class.
By Proposition 2.18, whether there exists tr′∈tr(Aρ′) such that tr[0,i]∼ttr′[0,i] is decidable.
If such traces exist, the number of them is finite.
We arbitrarily take tr′∈tr(Aρ′) such as tr′[0,i]∼ttr[0,i].
By induction hypothesis, A,ρ′,tr′,i⊨φ is decidable.
for some π such that ρ′′=π(ρ′). Moreover, tr′[0,i]∼tfi(tr′)[0,i]. This is because fi(tr′[0,i])∼ttr[0,i].
This is why we only have to check whether a representative ρ′ of each equivalence class satisfies that A,ρ′,tr′,i⊨φ.
This procedure can always be completed because of the finiteness of the quotient space.
In other words, A,ρ,tr,i⊨Kφ is decidable.
∎
It is proved in [2, Theorem 1] that static equivalence on a convergent subterm theory is decidable, so the corollary below immediately follows.
Corollary 4.30**.**
If the equational theory on Σ is a convergent subterm theory and ρ is restricted to an assignment to names, then Problem 4.25 is decidable.
We again change semantics.
[TABLE]
where ρ′ is an assignment to names and inputted messages in tr are only variables.
Problem 4.31**.**
Input: An extended process A and a formula φ.
Question: Does A⊨φ hold?
Corollary 4.32**.**
If the equational theory on Σ is a convergent subterm theory and A contains no replications, Problem 4.31 is decidable.
Chapter 5 Related Work
5.1 Process Algebras
Process algebras are special labelled transition systems. Many kinds of them are proposed. Calculus of Communicating Systems (CCS) [17] is one of the origins. In CCS, a process can do interaction and silent action. This is a difference between an automaton and a process. However, communication topology cannot change because a process cannot exchange messages.
The pi calculus [19, 20, 18] is an extension of CCS. The pi calculus processes can pass and create names, so this model handles mobility, that is, change of topology of process connection. The pi calculus is simple, but it is powerful enough to simulate the lambda calculus.
The spi calculus [3] is an extension of the pi calculus. It enables us to handle symmetric key encryption based on the Dolev-Yao model [11]. In the spi calculus, two cyphertexts obtained by encrypting different plaintexts are indistinguishable unless an observer gets a secret key. Abadi and Gordon proved authenticity and secrecy of Wide Mouthed Frog protocol to use the spi calculus.
We focused on the applied pi calculus [1]. It is also an extension of the pi calculus. It can handle an arbitrary algebra, so in particular, it can handle public key encryption. Proverif [5] is a tool to check bisimilarity and it is used for formal methods. In this calculus, a process can send not only names but also terms via an alias variable. We can handle not only merely secrecy but also stricter properties such as non-malleability because of these features.
5.2 Logics
Combining logic and a labelled transition system is well investigated.
Hennessy-Milner logic [13] is an origin of logic about the behaviour of labelled transition systems. It is a modal logic characterizing observational congruence on labelled transition systems. Namely, systems satisfying the same modal formulas are observational equivalent when these labelled transition systems are image-finite.
Logical characterizations of strong static equivalence and labelled bisimulation in the applied pi calculus are provided in [21]. This logic resembles Hennessy-Milner logic, but it also states relations between terms. Strong static equivalence demands that two frames enable a term to reduce same times and it is strictly stronger than ordinal static equivalence. In the report, only convergent subterm theories are considered.
An epistemic logic for the applied pi calculus was already developed by Chadha, Delaune and Kremer [7]. They defined formulas Has and evt. Has directly represents an attacker’s knowledge, and evt means that a particular event had occurred. They also suggested that trace equivalence is more suitable than labelled bisimilarity when we handle privacy. On the other hand, a correspondent relation between logic and behaviour of processes was not provided. As a matter of fact, α-equivalent processes do not always satisfy the same formulas.
Knight, Mardare and Panangaden [14] provided an epistemic logic for a labelled transition system. This framework is based on Hennessy-Milner logic, and it handles multiple agent’s knowledge. Knowledge is based on a sequence of transitions, which is called a history. They also proved weak completeness to construct Fischer-Ladner closure. However, compositionality was not discussed.
5.3 Formal Approaches
Formal methods enable us to prove that a security protocol satisfies desired properties. Many methods were developed.
Nowadays, multiple cryptographic protocols are often composed (e.g. electronic voting). Universally composability [6] ensures that security properties are preserved by embedding in other protocols. In this framework, a program is expressed as a probabilistic polynomial time interactive Turing machine. In addition, security properties are represented as indistinguishability between an actual protocol and an ideal protocol.
Dolev-Yao model assumes that it is impossible to break a cypher without a key, but of course, real encryption algorithms are not perfect. That is, soundness of Dolev-Yao model is not trivial. However, it was proved in [16] that Dolev-Yao model is sound if encryption is IND-CCA secure.
Hoare logic is used to prove the correctness of a program. Variants of Hoare logic are often used to prove safeness of a security protocol.
The safeness of encryption is often proved using games. Namely, it is proved that the probability is almost 21 that a probabilistic polynomial time attacker decodes a cryptogram of 1 bit. In this regard, the game is transformed into a trivial game. Probabilistic Hoare logic ensures that transformation of games is reasonable. For instance, the security of ElGamal cryptosystem was proved by this logic in [8], but the proof was not perfectly formal.
Protocol composition logic [9] is also a variant of Hoare logic. It enables us to modularize a proof for a protocol because it is possible sequentially to compose Hoare triples. In the paper, ISO-9798-3 protocol was divided into two parts, and it was proved that the protocol is safe composing proofs that each part is safe.
Privacy and anonymity are also well studied and formulated.
Three privacy-type properties, vote-privacy, receipt-freeness and coercion-resistance, of electronic voting were formulated in [10] using the applied pi calculus. It is noteworthy that indistinguishability is represented by labelled bisimilarity. Three voting protocols are considered in the paper. For instance, it was proved that FOO92 [12] satisfies privacy and does not satisfy receipt-free.
(Strong) Unlinkability and (strong) anonymity were formulated by the applied pi calculus in [4]. These are defined for special forms of processes called well-formed p-party protocols. Unlinkability was formulated using traces, while strong unlinkability was formulated using labelled bisimilarity. Anonymity was similar. It is proved that unlinkability is not stronger than anonymity and vice versa. Namely, they are independent notions.
Tsukada, Sakurada, Mano and Manabe [22] studied sequential and parallel compositionality of security notions to use an epistemic logic for a multiagent system. They proved that neither anonymity nor privacy is generally preserved by composition. They also provided a sufficient condition for preservation. In addition, role interchangeability implies privacy and anonymity under the suitable assumption. Privacy of FOO92 was also proved in the multi-agent system. However, this word “parallel” merely means that the same agent acts two actions. In other words, concurrency was not considered.
Chapter 6 Conclusion
6.1 Summary
In this thesis, we proved that trace equivalence is a congruence and provided an epistemic logic for the applied pi calculus to handle secrecy. We defined concurrent normal traces to use partial normal forms for analyzing transitions of parallel composed processes. In addition, we formulated secrecy, role-interchangeability, and openness to generalize privacy, role-interchangeability, and onymity regarding multiagent systems. Moreover, we associated trace equivalence with total secrecy.
Minimal secrecy is not preserved by an application of context, but total secrecy is preserved because of congruency of trace equivalence. We also give a sufficient condition for role-interchangeability.
The definition of concurrent normal traces is very complex. This is caused by difficulty in handling bound names.
We conclude that trace equivalence is a suitable notion to express indistinguishability in the view of security in the presence of a non-adaptive active adversary.
6.2 Future Work
In this thesis, we focused on trace equivalence. Many interesting problems remain.
It is proved in [2, Proposition 5] that even static equivalence is not decidable. On the other hand, [2, Theorem 1] proves that static equivalence is decidable in polynomial time for convergent subterm theories. We intend to study conditions to make trace equivalence decidable.
Secondly, our epistemic logic states only an adversary’s knowledge. We intend to construct a logic for a process’s knowledge. It will bridge a gap between multiagent systems and process calculi.
Thirdly, formalizations of other security properties such as non-malleability and unlinkability are also next topics.
Finally, what logic is suitable for security in the presence of an adaptive attacker is still open.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
1[1] Martín Abadi, Bruno Blanchet, and Cédric Fournet. The applied pi calculus: Mobile values, new names, and secure communication. ar Xiv preprint ar Xiv:1609.03003 , 2016.
2[2] Martín Abadi and Véronique Cortier. Deciding knowledge in security protocols under equational theories. Theoretical Computer Science , 367(1-2):2–32, 2006.
3[3] Martín Abadi and Andrew D Gordon. A calculus for cryptographic protocols: The spi calculus. Information and computation , 148(1):1–70, 1999.
4[4] Myrto Arapinis, Tom Chothia, Eike Ritter, and Mark Ryan. Analysing unlinkability and anonymity using the applied pi calculus. In Computer Security Foundations Symposium (CSF), 2010 23rd IEEE , pages 107–121. IEEE, 2010.
5[5] Bruno Blanchet, V Cheval, X Allamigeon, and B Smyth. Proverif: Cryptographic protocol verifier in the formal model. URL http://prosecco. gforge. inria. fr/personal/bblanche/proverif , 2010.
6[6] Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In Foundations of Computer Science, 2001. Proceedings. 42nd IEEE Symposium on , pages 136–145. IEEE, 2001.
7[7] Rohit Chadha, Stéphanie Delaune, and Steve Kremer. Epistemic logic for the applied pi calculus. In Formal Techniques for Distributed Systems , pages 182–197. Springer, 2009.
8[8] Ricardo Corin and Jerry den Hartog. A probabilistic hoare-style logic for game-based cryptographic proofs (extended version). IACR Cryptology e Print Archive , 2005:467, 2005.