Introduction The language Main theorem Proof Conclusion
The Applied Pi Calculus. . . with Proofs
Bruno Blanchet
INRIA Paris-Rocquencourt
joint work with Mart´ın Abadi and C´edricFournet
April 2015
Bruno Blanchet (INRIA) Applied pi calculus April 2015 1 / 47 Introduction The language Main theorem Proof Conclusion The applied pi calculus
Designed by Abadi and Fournet (Mobile Values, New Names, and Secure Communication, POPL’01). Extension of the pi calculus with terms instead of names for messages. Language for modeling security protocols: Terms represent protocol messages. Function symbols represent cryptographic primitives. The properties of these primitives are modeled by equations. The input language of ProVerif is a dialect of the applied pi calculus. The applied pi calculus and ProVerif are widely used. Interesting to make them converge, with a solid theoretical foundation.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 2 / 47 Introduction The language Main theorem Proof Conclusion Our contribution
Minor changes to the language Closer to ProVerif Detailed proofs of all results Minor fixes; some side-conditions were not explicit 74 pages of proofs. . . Revised examples New example on indifferentiability
Bruno Blanchet (INRIA) Applied pi calculus April 2015 3 / 47 Introduction The language Main theorem Proof Conclusion Related work
Avik Chaudhuri (private communication, 2007) found a counter-example to “observational equivalence equals labelled bisimilarity”, due to a missing side-condition. Bengtson et al, LICS’09 mentioned a similar counter-example; proposed a framework for defining various extensions of the pi calculus (psi-calculi), with machine-checked proofs. Jia Liu (http://lcs.ios.ac.cn/~jliu/papers/LiuJia0608.pdf) made the missing side-condition explicit, and gave a proof of “observational equivalence equals labelled bisimilarity”; closer to the original applied pi calculus paper; extension to a stateful variant (POST’14, with Arapinis, Ritter, and Ryan).
Bruno Blanchet (INRIA) Applied pi calculus April 2015 4 / 47 Introduction The language Main theorem Proof Conclusion Syntax: processes
L, M, N, T , U, V ::= terms a, b, c,..., k,..., m, n,..., s name x, y, z variable f (M1,..., Ml ) function application
P, Q, R ::= processes (or plain processes) 0 null process P | Q parallel composition !P replication νn.P name restriction (“new”) if M = N then P else Q conditional u(x).P message input uhMi.P message output
Bruno Blanchet (INRIA) Applied pi calculus April 2015 5 / 47 Introduction The language Main theorem Proof Conclusion Syntax: processes
L, M, N, T , U, V ::= terms a, b, c,..., k,..., m, n,..., s name x, y, z variable f (M1,..., Ml ) function application
P, Q, R ::= processes (or plain processes) 0 null process P | Q parallel composition !P replication νn.P name restriction (“new”) if M = N then P else Q conditional N(x).P message input NhMi.P message output
Bruno Blanchet (INRIA) Applied pi calculus April 2015 5 / 47 Introduction The language Main theorem Proof Conclusion Syntax: extended processes
A, B, C ::= extended processes P plain process A | B parallel composition νn.A name restriction νx.A variable restriction M { /x } active substitution
Active substitutions model the knowledge of the adversary.
M1 Ml M1 Ml { /x1 ,..., /xl } for { /x1 } | ... |{ /xl }. Substitutions are cycle-free. At most one substitution for each variable. Exactly one when the variable is restricted.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 6 / 47 Introduction The language Main theorem Proof Conclusion Sorts
Variables, names, and functions come with sorts: u : τ means that u has sort τ. Examples of sorts: Integer, Key, Data, . . . There are infinite numbers of variables and names of each sort.
f : τ1 × · · · × τl → τ means that f has arguments of sorts τ1, . . . , τl and a result of sort τ.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 7 / 47 The unsorted applied pi is a particular case of the sorted applied pi, using the single sort Channel. The sort system enforces that: Functional applications are well-sorted. M and N are of the same sort in the conditional expression. N has sort Channel in the input and output expressions. The sort system can enforce that channels are names or variables: choose types of functions so that no function returns sort Channel. Active substitutions preserve sorts.
Introduction The language Main theorem Proof Conclusion Sorts
Special sort Channelhτi for channels.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 8 / 47 Introduction The language Main theorem Proof Conclusion Sorts
Special sort Channel for channels. The unsorted applied pi is a particular case of the sorted applied pi, using the single sort Channel. The sort system enforces that: Functional applications are well-sorted. M and N are of the same sort in the conditional expression. N has sort Channel in the input and output expressions. The sort system can enforce that channels are names or variables: choose types of functions so that no function returns sort Channel. Active substitutions preserve sorts.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 8 / 47 Introduction The language Main theorem Proof Conclusion Semantics: equations
The signature Σ is equipped with an equational theory closed under substitutions of terms for variables and names; intuitively, defined from equations that do not contain names; respects the sort system; non-trivial, that is, there exist two different terms in each sort. Example fst((x, y)) = x snd((x, y)) = y dec(enc(x, y), y) = x check(x, sign(x, sk(y)), pk(y)) = ok
Equality modulo the equational theory: Σ ` M = N.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 9 / 47 Introduction The language Main theorem Proof Conclusion Semantics: preliminary definitions
Processes are considered equal modulo renaming of bound names and variables. M Needed to define P{ /x }. A context is a (possibly extended) process with a hole. An evaluation context is a context whose hole is not under a replication, a conditional, an input, or an output.
E ::= evaluation context hole A | E parallel composition E | A parallel composition νn.E name restriction νx.E variable restriction
Bruno Blanchet (INRIA) Applied pi calculus April 2015 10 / 47 Introduction The language Main theorem Proof Conclusion Semantics: structural equivalence
Structural equivalence ≡ equivalence relation closed by application of evaluation contexts Par-0 A ≡ A | 0 Par-A A |(B | C) ≡ (A | B) | C Par-C A | B ≡ B | A Repl !P ≡ P | !P New-0 νn.0 ≡ 0 New-C νu.νv.A ≡ νv.νu.A New-Par A | νu.B ≡ νu.(A | B) when u 6∈ fv(A) ∪ fn(A) M Alias νx.{ /x } ≡ 0 M M M Subst { /x } | A ≡ { /x } | A{ /x } M N Rewrite { /x } ≡ { /x } when Σ ` M = N
Bruno Blanchet (INRIA) Applied pi calculus April 2015 11 / 47 Introduction The language Main theorem Proof Conclusion Semantics: internal reduction
Internal reduction → closed by structural equivalence closed by application of evaluation contexts Comm Nhxi.P | N(x).Q → P | Q Then if M = M then P else Q → P Else if M = N then P else Q → Q for any ground terms M and N such that Σ 6` M = N Using structural equivalence:
M NhMi.P | N(x).Q ≡ νx.({ /x } | Nhxi.P | N(x).Q) M → νx.({ /x } | P | Q) by Comm M ≡ P | Q{ /x }
Bruno Blanchet (INRIA) Applied pi calculus April 2015 12 / 47 Introduction The language Main theorem Proof Conclusion Preliminary definitions
dom(A): domain, set of variables that A exports. fv(A): free variables A is closed when its free variables are all defined by an active substitution, that is, dom(A) = fv(A). E[ ] closes A when E[A] is closed. A ⇓a when A →∗≡ E[ahMi.P] for some evaluation context E[ ] that does not bind a. A can send a message on channel a.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 13 / 47 Introduction The language Main theorem Proof Conclusion Observational equivalence
Definition An observational bisimulation is a symmetric relation R between closed extended processes with the same domain such that A R B implies:
1 if A ⇓a, then B ⇓a;
2 if A →∗ A0 and A0 is closed, then B →∗ B0 and A0 R B0 for some B0;
3 E[A] R E[B] for all closing evaluation contexts E[ ]. Observational equivalence( ≈) is the largest such relation.
Intuitively, A ≈ B when an adversary (evaluation context) cannot distinguish A from B. Hard to prove because of the universal quantification over all contexts. Use a labeled bisimulation.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 14 / 47 Introduction The language Main theorem Proof Conclusion Equality in a frame
A frame ϕ is an extended process built up from 0 and active substitutions M { /x } by parallel composition and restriction. The frame of A, ϕ(A), is obtained replacing every plain process in A with 0. Definition Two terms M and N are equal in the frame ϕ, written (M = N)ϕ, if and only if fv(M) ∪ fv(N) ⊆ dom(ϕ), ϕ ≡ νen.σ, Mσ = Nσ, and {en} ∩ (fn(M) ∪ fn(N)) = ∅ for some names en and substitution σ. Independent of the representative νen.σ.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 15 / 47 Introduction The language Main theorem Proof Conclusion Static equivalence
Definition
Two closed frames ϕ and ψ are statically equivalent, written ϕ ≈s ψ, when dom(ϕ) = dom(ψ) and for all terms M and N,(M = N)ϕ if and only if (M = N)ψ.
Two closed extended processes are statically equivalent, written A ≈s B, when their frames are statically equivalent.
Static equivalence ϕ ≈s ψ expresses that the frames cannot be distinguished by performing equality tests.
A ≈s B expresses that the current knowledge of the adversary in the processes A and B does not allow it to distinguish A from B. The dynamic behavior of A and B is ignored.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 16 / 47 Introduction The language Main theorem Proof Conclusion Labels
The labelled semantics defines A −→α A0 where α is a label: N(M): input of M on channel N; νx.Nhxi: output of x on channel N. x must not occur in N.
bv(N(M)) =def ∅ and bv(νx.Nhxi) =def {x}. fv(N(M)) =def fv(N) ∪ fv(M) and fv(νx.Nhxi) =def fv(N).
The conference paper has labels ahui and νu.ahui for outputs. We simplify the semantics by having a single output label. One always needs to create a fresh variable for the output message. A refined semantics allows νue.NhMi as label.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 17 / 47 Introduction The language Main theorem Proof Conclusion Labeled semantics
N(M) M In N(x).P −−−→ P{ /x }
x ∈/ fv(NhMi.P) Out-Var νx.Nhxi M NhMi.P −−−−−→ P |{ /x } A −→α A0 u does not occur in α Scope νu.A −→α νu.A0 A −→α A0 bv(α) ∩ fv(B) = ∅ Par A | B −→α A0 | B A ≡ BB −→α B0 B0 ≡ A0 Struct A −→α A0
Bruno Blanchet (INRIA) Applied pi calculus April 2015 18 / 47 Introduction The language Main theorem Proof Conclusion Labeled bisimilarity
Definition A labelled bisimulation is a symmetric relation R on closed extended processes such that A R B implies:
1 A ≈s B; 2 if A → A0 and A0 is closed, then B →∗ B0 and A0 R B0 for some B0; α α 3 if A −→ A0, A0 is closed, and fv(α) ⊆ dom(A), then B →∗−→→∗ B0 and A0 R B0 for some B0.
Labelled bisimilarity( ≈l ) is the largest such relation.
Item 1 guarantees that the adversary cannot distinguish A from B using its current knowledge. Items 2 and 3 guarantee that this property is preserved by reduction.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 19 / 47 Introduction The language Main theorem Proof Conclusion Main theorem
Theorem
Observational equivalence is labelled bisimilarity: ≈ = ≈l .
Bruno Blanchet (INRIA) Applied pi calculus April 2015 20 / 47 Introduction The language Main theorem Proof Conclusion Bengtson et al’s counter example
a a A = νa.({ /x } | x(y).bhMi.0) B = νa.({ /x } | 0)
A and B are not observationally equivalent The context xhNi distinguishes them. According to the POPL’01 paper: A and B have the same frame and no transitions, so they are labelled bisimilar. A possible fix is to require that exported variables must not be of channel type. In our semantics, A has a labelled transition x(N), so A and B are not labelled bisimilar.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 21 / 47 Introduction The language Main theorem Proof Conclusion Motivation
Structural equivalence complicates the analysis of possible reductions in a process. In a process A | B, substitutions in A may influence the possible reductions in B, and conversely, substitutions in B may influence reductions in A.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 22 / 47 Introduction The language Main theorem Proof Conclusion Partial normal forms
Partial formal form of an extended process A:
pnf(A) = νn.({Me/ } | P) e ex
with (fv(P) ∪ fv(Me )) ∩ {ex} = ∅. Formally defined by induction on A. Lemma A ≡ pnf(A).
Bruno Blanchet (INRIA) Applied pi calculus April 2015 23 / 47 Introduction The language Main theorem Proof Conclusion Structural equivalence on plain processes
Structural equivalence ≡ on plain processes equivalence relation closed by application of evaluation contexts Par-00 P | 0 ≡ P Par-A0 P |(Q | R) ≡ (P | Q) | R Par-C0 P | Q ≡ Q | P Repl0 !P ≡ P | !P New-00 νn.0 ≡ 0 New-C0 νn.νn0.P ≡ νn0.νn.P New-Par0 P | νn.Q ≡ νn.(P | Q) when n 6∈ fn(P) 0 M N Rewrite P{ /x } ≡ P{ /x } when Σ ` M = N
Bruno Blanchet (INRIA) Applied pi calculus April 2015 24 / 47 Introduction The language Main theorem Proof Conclusion Structural equivalence on partial normal forms ◦ Structural equivalence ≡ on extended processes in partial normal form equivalence relation P ≡ P0 (fv(P) ∪ fv(P0)) ∩ dom(σ) = ∅ ◦ 0 νen.(σ | P) ≡ νen.(σ | P ) 0 en is a reordering of en ◦ 0 νen.(σ | P) ≡ νen .(σ | P) n0 ∈/ fn(σ) 0 ◦ 0 νen.(σ | νn .P) ≡ νen, n .(σ | P) dom(σ) = dom(σ0)Σ ` xσ = xσ0 for all x ∈ dom(σ) (fv(xσ) ∪ fv(xσ0)) ∩ dom(σ) = ∅ for all x ∈ dom(σ) ◦ 0 νen.(σ | P) ≡ νen.(σ | P)
Bruno Blanchet (INRIA) Applied pi calculus April 2015 25 / 47 Introduction The language Main theorem Proof Conclusion Links between structural equivalences
Lemma ◦ If A ≡ B, then pnf(A) ≡ pnf(B). If P ≡ Q, then P ≡ Q. ◦ If A ≡ B, then A ≡ B.
By induction on the derivations.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 26 / 47 Introduction The language Main theorem Proof Conclusion Internal reduction
Internal reduction → on plain processes closed by ≡ closed by application of evaluation contexts 0 M Comm NhMi.P | N(x).Q → P | Q{ /x } 0 Then if M = M then P else Q → P 0 Else if M = N then P else Q → Q for any ground terms M and N such that Σ 6` M = N
Internal reduction →◦ on extended processes in partial normal form ◦ closed by ≡ 0 P → P 0 νen.(σ | P) →◦ νen.(σ | P )
Bruno Blanchet (INRIA) Applied pi calculus April 2015 27 / 47 Introduction The language Main theorem Proof Conclusion Link between internal reductions
Lemma
If A → B, then pnf(A) →◦ pnf(B).
If P → Q, then P → Q.
If A →◦ B, then A → B. By induction on the derivations.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 28 / 47 Introduction The language Main theorem Proof Conclusion Labelled reduction on plain processes
α Labelled reduction P −→ A on plain processes
0 N(M) M In N(x).P −−−→ P{ /x }
x ∈/ fv(NhMi.P) Out-Var0 νx.Nhxi M NhMi.P −−−−−→ P |{ /x } α 0 P −→ A n does not occur in α Scope α νn.P −→ νn.A α 0 P −→ A bv(α) ∩ fv(Q) = ∅ Par α P | Q −→ A | Q α 0 P ≡ QQ −→ BB ≡ A Struct α P −→ A
Bruno Blanchet (INRIA) Applied pi calculus April 2015 29 / 47 Introduction The language Main theorem Proof Conclusion Labelled reduction on partial normal forms
α Labelled reduction A −→◦ B, where A is an extended process in partial normal form and B is an extended process 0 ◦ α 0 0 A ≡ νen.(σ | P) P −→ B B ≡ νen.(σ | B ) fv(σ) ∩ bv(α0) = ∅ Σ ` ασ = α0 the elements of en do not occur in α α A −→◦ B
Bruno Blanchet (INRIA) Applied pi calculus April 2015 30 / 47 Introduction The language Main theorem Proof Conclusion Links between labelled reductions
Lemma (Characterization of labelled reductions) α 0 P −→ A if and only if for some n, P1,P2,A1,N,M,P , x, e P ≡ νen.(P1 | P2),A ≡ νen.(A1 | P2), {en} ∩ fn(α) = ∅, bv(α) ∩ fv(P1 | P2) = ∅, and one of the following two cases holds: 0 0 M 1 α = N(M),P1 = N(x).P , and A1 = P { /x }; or 0 0 M 2 α = νx.Nhxi,P1 = NhMi.P , and A1 = P |{ /x }.
Lemma α α If A −→ B, then pnf(A) −→◦ B. α α If P −→ A, then P −→ A. α α If A −→◦ B, then A −→ B.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 31 / 47 Introduction The language Main theorem Proof Conclusion Decomposition of labelled reductions: plain processes
Lemma 0 0 0 Suppose that P0 is closed, α is νx.N hxi or N (M ) for some ground term 0 α N , and P0 −→ A. Then one of the following cases holds: α 0 0 α 0 1 P0 = P | Q and either P −→ A and A ≡ A | Q, or Q −→ A and A ≡ P | A0, for some P, Q, and A0; α 0 0 0 2 P0 = νn.P,P −→ A , and A ≡ νn.A for some P, A , and n that does not occur in α; α 0 0 0 3 P0 = !P,P −→ A , and A ≡ A | !P for some P and A ; 0 0 0 M0 4 P0 = N(x).P, α = N (M ), Σ ` N = N , and A ≡ P{ /x } for some N, x, P, N0, and M0; 0 0 5 P0 = NhMi.P, α = νx.N hxi, Σ ` N = N , x ∈/ fv(P0), and M 0 A ≡ P |{ /x } for some N, M, P, x, and N .
Bruno Blanchet (INRIA) Applied pi calculus April 2015 32 / 47 Introduction The language Main theorem Proof Conclusion Decomposition of labelled reductions: partial normal forms
Lemma If νen.(σ | P) is a closed extended process in partial normal form, α νen.(σ | P) −→◦ A, fv(α) ⊆ dom(σ), and the elements of en do not occur in α, ασ 0 0 0 then P −−→ A ,A ≡ νen.(σ | A ), and bv(α) ∩ dom(σ) = ∅ for some A .
Bruno Blanchet (INRIA) Applied pi calculus April 2015 33 / 47 Introduction The language Main theorem Proof Conclusion Composition of labelled reductions
Lemma If P and Q are closed processes, N is a ground term, N(x) P −−−→ A, and νx.Nhxi Q −−−−−→ B,
then P | Q → R and R ≡ νx.(A | B) for some R.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 34 / 47 Introduction The language Main theorem Proof Conclusion Decomposition of internal reductions: plain processes
Lemma
Suppose that P0 is a closed process and P0 → R. Then one of the following cases holds:
1 P0 = P | Q for some P and Q, and one of the following cases holds: 0 0 0 1 P → P and R ≡ P | Q for some closed process P , N(x) νx.Nhxi 2 P −−−→ A, Q −−−−−→ B, and R ≡ νx.(A | B) for some A, B, x, and ground term N, and two symmetric cases obtained by swapping P and Q; 0 0 2 P0 = νn.P,P → Q , and R ≡ νn.Q for some n and some closed processes P and Q0; 0 0 3 P0 = !P,P | P → Q , and R ≡ Q | !P for some closed processes P and Q0.
4 P0 = if M = N then P else Q and either Σ ` M = N and R ≡ P, or Σ ` M 6= N and R ≡ Q, for some M, N, P, and Q.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 35 / 47 Introduction The language Main theorem Proof Conclusion Decomposition of internal reductions: partial normal forms
Lemma If νen.(σ | P) is a closed extended process in partial normal form and νen.(σ | P) →◦ A, 0 0 0 then P → P and A ≡ νen.(σ | P ) for some closed process P .
Bruno Blanchet (INRIA) Applied pi calculus April 2015 36 / 47 Introduction The language Main theorem Proof Conclusion Proof technique
Induction on the derivations. Strenghten the inductive invariant, to be able to apply the current lemma to a derivation built as a result of applying the inductive hypothesis.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 37 / 47 Introduction The language Main theorem Proof Conclusion Static equivalence
Lemma Static equivalence is invariant by structural equivalence and reduction, and closed by application of closing evaluation contexts.
For the second point, show that we can restrict ourselves to contexts E = νue.( | C) such that all subcontexts of E are closing. proceed by structural induction on E.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 38 / 47 Introduction The language Main theorem Proof Conclusion Context closure
Lemma
≈l is closed by application of closing evaluation contexts.
Restrict attention to contexts of the form νue.( | C). To every relation R on closed extended processes, we associate R0= {(νue.(A | C), νue.(B | C)) | A R B, νue.( | C) closing for A and B}. We prove that, if R is a labelled bisimulation, then R0 is a labelled 0 bisimulation up to ≡, hence R ⊆ R ⊆ ≈l .
For R = ≈l , this property entails that ≈l is closed by application of evaluation contexts νue.( | C).
Bruno Blanchet (INRIA) Applied pi calculus April 2015 39 / 47 Introduction The language Main theorem Proof Conclusion Context closure
To every relation R on closed extended processes, we associate R0= {(νue.(A | C), νue.(B | C)) | A R B, νue.( | C) closing for A and B}. We prove that, if R is a labelled bisimulation, then R0 is a labelled bisimulation up to ≡. Definition A relation R on closed extended processes is a labelled bisimulation up to ≡ if and only if R is symmetric and A R B implies:
1 A ≈s B;
2 if A → A0 and A0 is closed, then B →∗ B0 and A0 ≡R≡ B0 for some closed B0; α α 3 if A −→ A0, A0 is closed, and fv(α) ⊆ dom(A), then B →∗−→→∗ B0 and A0 ≡R≡ B0 for some closed B0.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 39 / 47 Introduction The language Main theorem Proof Conclusion Context closure
To every relation R on closed extended processes, we associate R0= {(νue.(A | C), νue.(B | C)) | A R B, νue.( | C) closing for A and B}. We prove that, if R is a labelled bisimulation, then R0 is a labelled bisimulation up to ≡. 0 Assume S R T , with S = νue.(A | C), T = νue.(B | C), and A R B. S ≈s T follows from A ≈s B by a previous lemma. For reductions, consider the partial normal forms of A, B, C: 0 0 0 00 00 00 pnf(A) = νen.(σ | P), pnf(B) = νen .(σ | P ), pnf(C) = νen .(σ | P ). 00 A reduction on S = νue.(A | C) implies a reduction on P | P σ, so a reduction on P and/or P00σ (by the decomposition lemmas). A reduction on P implies a reduction A, so the same reduction on B since R is a labelled bisimulation, so a reduction on P0. A reduction on P00σ implies a reduction on P00σ0 by static equivalence A ≈s B. 0 00 0 Hence we obtain a reduction on P | P σ , hence on T = νue.(B | C).
Bruno Blanchet (INRIA) Applied pi calculus April 2015 39 / 47 Introduction The language Main theorem Proof Conclusion Characterizing barbs
Lemma Let A be a closed extended process. νx.ahxi A ⇓a if and only if A →∗−−−−→ A0 for some fresh variable x and some A0.
A ≡ E[ahMi.P] for some evaluation context E[ ] that does not bind a if and only if νx.ahxi A −−−−→ A0 for some fresh variable x and some A0.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 40 / 47 Introduction The language Main theorem Proof Conclusion Labelled bisimilarity implies observational equivalence
Lemma ≈l ⊆ ≈.
≈l satisfies the three properties of observational bisimulations:
1 ≈l preserves barbs, by characterization of barbs and Properties 2 and 3 of a labelled bisimilation. ∗ 0 0 2 Suppose that A ≈l B, A → A , and A is closed. Close all intermediate processes in A →∗ A0, then conclude that B →∗ B0 and 0 0 0 A ≈l B for some B by Property 2 of a labelled bisimilation.
3 ≈l is closed by application of closing evaluation contexts, as shown previously.
Moreover, ≈l is symmetric. Since ≈ is the largest observational bisimulation, we obtain ≈l ⊆ ≈.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 41 / 47 Introduction The language Main theorem Proof Conclusion Observational equivalence implies static equivalence
Lemma ≈ ⊆ ≈s . If A and B are observationally equivalent, then A | C and B | C have the same barb ⇓a for every C = if M = N then ahsi, where a does not occur in A or B and fv(M) ∪ fv(N) ⊆ dom(A). Assuming that A is closed, fv(M) ∪ fv(N) ⊆ dom(A), and a does not occur in A, we have (M = N)ϕ(A) if and only if A | if M = N then ahsi ⇓a. (Shown using partial normal forms.)
Bruno Blanchet (INRIA) Applied pi calculus April 2015 42 / 47 Introduction The language Main theorem Proof Conclusion Characterizing inputs
p def Let TN(M) = phpi | NhMi.p(x). Lemma Let A be a closed extended process. Let N and M be terms such that fv(NhMi) ⊆ dom(A) and p does not occur in A, M, and N.
N(M) If A −−−→ A0 and p does not occur in A0, p 0 0 then A | TN(M) →→ A and A 6⇓p.
p ∗ 0 0 ∗ N(M) ∗ 0 If A | TN(M) → A and A 6⇓p, then A → −−−→→ A .
Shown using partial normal forms.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 43 / 47 Introduction The language Main theorem Proof Conclusion Characterizing outputs
Let T p,q =def phpi | N(x).p(y).qhxi. νx.Nhxi Lemma Let A be a closed extended process and N such that fv(N) ⊆ dom(A). νx.Nhxi If A −−−−−→ A0 and p and q do not occur in A, A0, and N, then A | T p,q →→ νx.(A0 | qhxi), νx.(A0 | qhxi) 6⇓p, and νx.Nhxi x ∈/ dom(A). If A | T p,q →∗ A00,A00 6⇓p, x ∈/ dom(A), and p and q do not occur νx.Nhxi in A and N, νx.Nhxi then A →∗−−−−−→→∗ A0 and A00 ≡ νx.(A0 | qhxi) for some A0.
Shown using partial normal forms.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 44 / 47 Introduction The language Main theorem Proof Conclusion Extrusion
Lemma (Extrusion) Let A and B two closed extended processes with a same domain that def Q contains x. Let Ex [ ] = νx.( nx hxi | ) using names nx that do not e e e x∈ex occur in A or B. If E [A] ≈ E [B], then A ≈ B. ex ex If A is a closed extended process with {x} ⊆ dom(A) and E [A] → C 0, e ex then A → A0 and C 0 ≡ E [A0] for some closed extended process A0. ex (Proved using partial normal forms.) Let A R B if and only if {x} ⊆ dom(A) = dom(B) and E [A] ≈ E [B], for e ex ex some ex and some names enx that do not occur in A or B. We show that R is an observational bisimulation.
Bruno Blanchet (INRIA) Applied pi calculus April 2015 45 / 47 Introduction The language Main theorem Proof Conclusion Observational equivalence implies labelled bisimilarity
Lemma ≈ ⊆ ≈l . The relation ≈ is symmetric. It satisfies the three properties of labelled bisimulations:
1 If A ≈ B, then A ≈s B, shown previously. 2 If A ≈ B, A → A0, and A0 is closed, then B →∗ B0 and A0 ≈ B0 for some B0, by Property 2 of the definition of observational bisimulation. α 3 If A ≈ B, A −→ A0, A0 is closed, and fv(α) ⊆ dom(A), then B →∗−→→α ∗ B0 and A0 ≈ B0 for some B0. To prove this property, we rely on characteristic parallel contexts Tα, shown in previous lemmas. In the output case, we obtain a pair νx.(A0 | qhxi) ≈ νx.(B0 | qhxi), and conclude by the extrusion lemma.
Hence ≈ is a labelled bisimulation, and ≈ ⊆ ≈l , since ≈l is the largest labelled bisimulation. Bruno Blanchet (INRIA) Applied pi calculus April 2015 46 / 47 Introduction The language Main theorem Proof Conclusion Conclusion
Importance of detailed proofs. Could be interesting to formalize in a theorem prover, e.g. Coq. Partial normal forms are likely to be useful for proving many other results about the applied pi calculus. With the minor changes we made, one should be able to show that The plain processes of the applied pi calculus are a subset of the ProVerif input language. The semantics and the notions of observational equivalence match. Does anybody want to read the draft?
Bruno Blanchet (INRIA) Applied pi calculus April 2015 47 / 47