A Bisimulation for Dynamic Sealing
Eijiro Sumii Benjamin C. Pierce University of Pennsylvania University of Pennsylvania [email protected] [email protected]
Abstract Originally, sealing was a dynamic mechanism. Morris also pro- posed a static variant [19], in which the creation and use of seals at We define λseal, an untyped call-by-value λ-calculus with primi- module boundaries follow a restricted pattern that can be verified by tives for protecting abstract data by sealing, and develop a bisim- the compiler, removing the need for run-time sealing and unsealing. ulation proof method that is sound and complete with respect to Other researchers found that a similar effect could be obtained by contextual equivalence. This provides a formal basis for reason- enriching a static type system with mechanisms for type abstraction ing about data abstraction in open, dynamic settings where static (see CLU [13], for example). Type abstraction became the primary techniques such as type abstraction and logical relations are not ap- method for achieving data abstraction in languages from CLU to the plicable. present day. It is also well understood via the theory of existential types [16]. Categories and Subject Descriptors Recently, however, as programming languages and the environ- ments in which they operate become more and more open—e.g., D.3.3 [Programming Languages]: Language Constructs and Fea- addressing issues of persistence and distribution—dynamic sealing tures—abstract data types; D.3.1 [Programming Languages]: is being rediscovered. For example, Rossberg [26] proposes to use Formal Definitions and Theory; F.3 [Theory of Computation]: a form of dynamic sealing to allow type abstraction to coexist with Logics and Meanings of Programs; E.3 [Data]: Data Encryption; dynamic typing; Leifer et al. [12] use hashes of implementations C.2.2 [Computer-Communication Networks]: Network Proto- of abstract types to protect abstractions among different programs cols—protocol verification running on different sites; Dreyer et al. [7] use a variant of sealing (somewhere between static and dynamic) to give a type-theoretic General Terms account of ML-like modules and functors; finally, we [21] have proposed a translation (conjectured to be fully abstract) of System- Theory, Languages, Security F-style type abstraction into dynamic sealing. 1 Introduction Another reason for the renewal of interest in sealing is that it hap- pens to coincide with perfect encryption (under shared-key cryp- Dynamic sealing: Birth, death, and rebirth tography), that is, with an ideal encryption scheme where a cipher- text can be decrypted only if the key under which it was encrypted Sealing is a linguistic mechanism for protecting abstract data. As is known explicitly. Perfect encryption is a common abstraction originally proposed by Morris [18, 19], it consists of three con- in current research on both systems security and programming lan- structs: seal creation, sealing, and unsealing. A fresh seal is created guages, for example in modeling and reasoning about cryptographic for each module that defines abstract data. Data is sealed when it is protocols (e.g., the spi-calculus [3]). passed out of the module, so that it cannot be inspected or modified by outsiders who do not know the seal; the data is unsealed again Problem when it comes back into the module, so that it can be manipulated concretely. Data abstraction is preserved as long as the seal is kept Although interest in dynamic sealing is reviving, there remains a local to the module. significant obstacle to its extensive study: the lack of sufficiently powerful methods for reasoning about sealing. First, to the best of our knowledge, there has been no work at all on proof techniques for sealing in untyped sequential languages. (There are several ver- sions of bisimulation for the spi-calculus, but encoding other lan- guages such as λ-calculus into spi-calculus raises the question of what abstraction properties are preserved by the encoding itself.) Second, even in statically typed settings, the published techniques Permission to make digital or hard copies of all or part of this work for personal or for obtaining abstraction properties are in general very weak. For classroom use is granted without fee provided that copies are not made or distributed instance, the first two [12, 26] of the works cited above use (variants for profit or commercial advantage and that copies bear this notice and the full citation of) the colored brackets of Zdancewic et al. [8, 32] but only prove on the first page. To copy otherwise, to republish, to post on servers or to redistribute (or even state) abstraction properties for cases where abstract data is to lists, requires prior specific permission and/or a fee. POPL’04, January 14Ð16, 2004, Venice, Italy. published by itself with no interface functions provided (i.e., once Copyright 2004 ACM 1-58113-729-X/04/0001 ...$5.00 sealed, data is never unsealed).
161
Abstraction as equivalence however, it is difficult to directly prove contextual equivalence be- cause it demands that we consider an infinite number of contexts. We aim to establish a method for proving abstraction of programs using dynamic sealing in an untyped setting. To this end, let us first consider how to state the property of abstraction in the first place. Equivalence by bisimulation Take, for example, the following module implementing complex numbers in an imaginary ML-like language. To overcome this difficulty, we define a notion of bisimulation for our language (by extending applicative bisimulation [4]) and module PolarComplex = use it as a tool for proving contextual equivalence. Essentially, a abstype t = real * real bisimulation records a set of pairs of “corresponding values” of let from_re_and_im : real * real -> t = two different programs. In the example of PolarComplex and fun (x, y) -> CartesianComplex, the bisimulation is (roughly): (sqrt(x * x+y*y),atan2(y, x)) let to_re_and_im : t -> real * real = {(PolarComplex,CartesianComplex)}∪ fun (r, t) -> {(PolarComplex.from_re_and_im, (r * cos(t), r * sin(t)) CartesianComplex.from_re_and_im), let multiply :t*t->t= (PolarComplex.to_re_and_im, fun ((r1, t1), (r2, t2)) -> CartesianComplex.to_re_and_im), (r1 * r2, t1 + t2) (PolarComplex.multiply, end CartesianComplex.multiply)}∪ {((x,y),(x,y)) | x,y real numbers}∪ Using dynamic sealing instead of type abstraction, this module can {({(r,θ)}k,{(r cos θ,r sinθ)}k ) | r ≥ 0} be written as follows for some secret seal k. The first part is the modules themselves. The second part is the module PolarComplex = individual elements of the modules. The third is arguments of let from_re_and_im = from_re_and_im as well as results of to_re_and_im. The last is fun (x, y) -> the representations of complex numbers sealed under k or k, where let z = (sqrt(x * x+y*y),atan2(y, x)) in {}denotes sealing.
162
d,e ::= term 4.56]] = 5.79. For simplicity, we adopt the left-to-right evaluation x variable order. As usual, substitutions [e/x] avoid capturing free variables λx.e function by implicit α-conversion. The meaning of freshness is formalized e1 e2 application by requiring k ∈ s in (E-New). We write s e ⇓ if s e ⇓ t v for c constant some t and v. op(e1,...,en) primitive if e1 then e2 else e3 conditional branch Because of fresh seal generation, our evaluation is not quite de- / (e1,...,en) tupling terministic. For instance, we have both 0 νx.x ⇓ {k1} k1 and / #i(e) projection 0 νx.x ⇓ {k2} k2 for k1 = k2. Nevertheless, we have the follow- k seal ing property: νx.e fresh seal generation { } e1 e2 sealing Property 2.1. Evaluation is deterministic modulo the names of let { } = in else ⇓ ⇓ x e1 e2 e3 e4 unsealing freshly generated seals. That is, for any s e t v and s e , , = u v w :: value t v , we have v =[k/x]e0 and v =[k /x]e0 for some e0 with λx.e function Seals(e ) ⊆ s, some k with {k}⊆t \s, and some k with {k }⊆t \s. c constant 0 (v ,...,v ) tuple 1 n PROOF. Straightforward induction on the derivation of s e ⇓ k seal t v. {v}k sealed value
Figure 1. Syntax of λseal In what follows, we implicitly use the following properties of eval- uation without explicitly referring to them.
Property 2.2. Every value evaluates only to itself. That is, for any Notation s and v with s ⊇ Seals(v), we have s v ⇓ s v. Furthermore, if s v ⇓ t w, then t = s and w = v. Throughout the paper, we use overbars as shorthands for ( , ) ,..., sequences—e.g., we write x and v v instead of x1 xn and PROOF. Straightforward induction on the syntax of values. ( , ),...,( , ) ≥ { } v1 v1 vn vn where n 0. Similarly, k is a shorthand for the set {k1,...,kn} where ki = k j for any i and j. When s and t are Property 2.3. Evaluation never decreases the seal set. That is, for sets, s t is defined to be s ∪t if s ∩t = 0/, and undefined otherwise. any s e ⇓ t v, we have s ⊆ t.
2 Syntax and Semantics PROOF. Straightforward induction on the derivation of s e ⇓ t v. λseal is the standard untyped, call-by-value λ-calculus extended with sealing. Its syntax is given in Figure 1. Seal k is an element 3 Contextual Equivalence of the countably infinite set K of all seals. We use meta-variables s and t for finite subsets of K . Fresh seal generation νx.e generates a In standard untyped λ-calculus, contextual equivalence for closed fresh seal k, binds it to x and evaluates e. The meaning of freshness values1 can be defined by saying that v and v are contextually { } will soon be clarified below. Sealing e1 e2 evaluates e1 to value equivalent if [v/x]e ⇓⇐⇒[v /x]e ⇓ for any term e.Inλseal, let { } = v and e2 to seal k, and seals v under k. Unsealing x e1 however, contextual equivalence cannot be defined for two values in else e2 e3 e4 evaluates e1 to seal k1 and e2 to sealed value in isolation. For instance, consider λ{x}k.x + 1 and λ{x}k .x + 2. {v}k .Ifk1 = k2, the unsealing succeeds and e3 is evaluated with x Whether these values are equivalent or not depends on what val- 2 bound to v. Otherwise, the unsealing fails and e4 is evaluated. ues sealed under k or k are known to the context. If the origi- nal terms which created k and k were νz.({2}z,λ{x}z.x + 1) and The calculus is also parametrized by first-order constants and prim- νz.({1}z,λ{x}z.x+2), for example, then the only values sealed un- itives such as real numbers and their arithmetics. We use infix no- der k or k are 2 and 1, respectively. Thus, the equivalence above tations for binary primitives like e1 + e2. We assume that constants does hold. On the other hand, it does not hold if the terms were, true false include booleans and . We also assume that op includes say, νz.({3}z,λ{x}z.x + 1) and νz.({4}z,λ{x}z.x + 2). This ob- the equality = for constants. servation that we have to consider multiple pairs of values at once leads to the following definition of contextual equivalence. We adopt the standard notion of variable binding and write FV(e) for the set of free variables in e. We also write Seals(e) for the set Definition 3.1. A value relation R is a set of pairs of values. of seals that appear in term e. Definition 3.2. The contextual equivalence ≡ is the largest rela- let = in (λ . ) ⊥ We write x e1 e2 for x e2 e1. We also write for tion among seal sets s and s and value relations R , such that for (λ . )(λ . ) λ{ } . λ .let { } = in else ⊥ x xx x xx and x k e for y x k y e any (s,s ,R ) ∈≡and for any (v,v ) ∈ R , we have the following where y ∈ FV(e). Furthermore, we write λ(x,y).e for λz.let x = properties. # (z) in let y = # (z) in e where z ∈ FV(e). We use similar no- 1 2 tations of pattern matching throughout the paper. 1. Seals(v) ⊆ s and Seals(v ) ⊆ s .
The semantics of λseal is given in Figure 2 by big-step evaluation 1For the sake of simplicity, we focus on equivalence of closed s e ⇓ t v annotated with the set s of seals before the evaluation values (as opposed to open expressions) in this paper. For open and the set t of seals after the evaluation. It is parametrized by expressions e and e with free variables x1,...,xn, it suffices to con- the meaning [[op(c1,...,cn)]] of primitives. For example, [[1.23 + sider the equivalence of λx1....λxn.e and λx1....λxn.e instead.
163
Seals(e) ⊆ s s e ⇓ s λx.e s e ⇓ s v s [v/x]e ⇓ t w (E-Lam) 1 1 1 2 2 2 (E-App) s λx.e ⇓ s λx.e s e1 e2 ⇓ t w
s e ⇓ s c ... s − e ⇓ s c [[op(c ,...,c )]] = c (E-Const) 1 1 1 n 1 n n n 1 n (E-Prim) s c ⇓ s c s op(e1,...,en) ⇓ sn c
s e ⇓ s true s e ⇓ t v s e ⇓ s false s e ⇓ t v 1 1 1 2 (E-Cond-True) 1 1 1 3 (E-Cond-False) s if e1 then e2 else e3 ⇓ t v s if e1 then e2 else e3 ⇓ t v
s e ⇓ s v ... s − e ⇓ s v s e ⇓ t (v ,...,v ) 1 ≤ i ≤ n 1 1 1 n 1 n n n (E-Tuple) 1 n (E-Proj) s (e1,...,en) ⇓ sn (v1,...,vn) s #i(e) ⇓ t vi
k ∈ s s {k} [k/x]e ⇓ t v s e1 ⇓ s1 v s1 e2 ⇓ s2 k ⇓ (E-Seal) ν . ⇓ (E-New) { } ⇓ { } (E-Do-Seal) s k s k s x e t v s e1 e2 s2 v k
s e1 ⇓ s1 k s1 e2 ⇓ s2 {v}k s2 [v/x]e3 ⇓ t w let { } = in else ⇓ (E-Unseal-Succ) s x e1 e2 e3 e4 t w ⇓ ⇓ { } = ⇓ s e1 s1 k1 s1 e2 s2 v k2 k1 k2 s2 e4 t w let { } = in else ⇓ (E-Unseal-Fail) s x e1 e2 e3 e4 t w Figure 2. Semantics of λseal
2. s [v/x]e ⇓⇐⇒ s [v/x]e ⇓ for any e with Seals(e)=0/. that we should not confuse two worlds where the uses of seals are different. This is the reason why we defined ≡ as a set of triples ,..., ≡ ,..., ( , ,{( , ),..., ( , , ) ( , ) We write s v1 vn s v1 vn for s s v1 v1 s s R rather than just a function that takes a pair s s of seal ( , )}) ∈≡ vn vn . In order to lighten the notation, we do not en- sets and returns the “largest” set R of pairs of equivalent values. ,..., ,..., close these v1 vn and v1 vn in parentheses. We also write ≡ ( , ) ∈ ( , , ) ∈≡ s v R s v when v v R and s s R . Intuitively, it Conversely, again as the examples above suggest, there are cases can be read as “value v with seal set s and value v with seal set s where (s,s ,R1) ∈≡and (s,s ,R2) ∈≡for R1 ⊆ R2. This im- are contextually equivalent under contexts’ knowledge R .” plies that there is a partial order among the value relations R in contextual equivalence. We could alternatively define contextual Note that no generality is lost by requiring Seals(e)=0/ in the def- equivalence only with such value relations that are maximal in this inition above: if e needs its own seals, it can freshly generate an ordering, but this would just complicate the technicalities that fol- arbitrary number of them by using ν;ife knows some of the seals k low. in s and k in s, it suffices to require (k,k ) ∈ R . Thus, our contex- tual equivalence subsumes standard contextual equivalence where We will use the following lemmas about contextual equivalence in a context knows none, all, or part of the seals (or, more generally, what follows. values involving the seals). Lemma 3.4. Application, projection, fresh seal generation, and unsealing preserve contextual equivalence. That is: Example 3.3. Let s = {k} and s = {k }. We have s {2}k ≡ s {1}k since the context has no means to unseal the values sealed 1. For any (u,u ) ∈ R and (v,v ) ∈ R with (s,s ,R ) ∈≡,if under k or k . (A formal proof of this claim based on bisimulation s uv ⇓ t w and s u v ⇓ t w , then (t,t ,R ∪{(w,w )}) ∈ will be given later.) We also have s λ{x} .x+1 ≡ s λ{x} .x+2 k k ≡. since the context cannot make up any values sealed under k or k. (( ,..., ),( ,..., )) ∈ ( , , ) ∈≡ 2. For any v1 vn v1 vn R with s s R ,we Furthermore, we have ( , , ∪{( , )}) ∈≡ ≤ ≤ have s s R vi vi for any 1 i n. s {2}k,λ{x}k.x + 1 ≡ s {1}k ,λ{x}k .x + 2 3. For any (s,s,R ) ∈≡, we have (s {k},s {k},R because applications of the functions to the sealed values yield the {(k,k)}) ∈≡for any k ∈ s and k ∈ s. same integer 3. Similarly, 4. For any ({v} ,{v } ) ∈ and (k,k ) ∈ with (s,s , ) ∈≡, s {4} ,λ{x} .x + 1 ≡ s {5} ,λ{x} .x k k R R R k k k k we have (s,s,R ∪{(v,v)}) ∈≡. holds. However, PROOF. Take e as let z = xy in e0, let y = #i(x) in e0, νx.e0, s {2}k,λ{x}k.x + 1,{4}k,λ{x}k.x + 1 and let {z}x = y in e0, respectively, in the definition of (s,s ,R ) ∈ ≡ { } ,λ{ } . + ,{ } ,λ{ } . s 1 k x k x 2 5 k x k x ≡. does not hold, because applications of the last functions to the first sealed values yield different integers 3 and 1. Lemma 3.5. Contextually equivalent values put in the same value context yield contextually equivalent values. That is, for any ( , , ) ∈≡ ( , ) ∈ =[ / ] = As the last example shows, even if (s,s ,R1) ∈≡and (s,s ,R2) ∈≡, s s R and v v R , and for any w v x e0 and w [ / ] ( )=0/ ( , , ∪{( , )}) ∈≡ we do not always have (s,s ,R1 ∪ R2) ∈≡. Intuitively, this means v x e0 with Seals e0 ,wehave s s R w w .
164
PROOF. Immediate from the definition of contextual equivalence, seal both of two sealed values whose contents are distinguishable, using the property of substitution that [[v/x]e0/x]e =[v/x]([e0/x]e) or (ii) the context can unseal only one of the two sealed values. when {x}∩FV(e)=0/. Condition 7, the most interesting one, is about what a context can Lemma 3.6. Any subset of contextually equivalent values are con- do to distinguish two functions. Obviously, this will involve ap- textually equivalent. That is, for any (s,s,R ) ∈≡, we have plying them to some arguments—but what arguments? Certainly (s,s,S) ∈≡for any S ⊆ R . not arbitrary terms, because in general a context has only a par- tial knowledge of (values involving) the seals in s and s. All that PROOF. Immediate from the definition of contextual equiva- a context can do for making up the arguments is to carry out some lence. computation d using values u and u from its knowledge. Therefore, the arguments have forms [u/x]d and [u/x]d.
4 Bisimulation An important and perhaps surprising point here is that it actually suffices to consider cases where these arguments are values. This Giving a direct proof of contextual equivalence is generally diffi- restriction is useful and even crucial for proving bisimulation of cult, because the definition involves universal quantification over functions: if the arguments [u/x]d and [u/x]d were not values, we an infinite number of contexts. Thus, we want a more convenient should evaluate them before applying the functions; in particular, if tool for proving contextual equivalence. For this purpose, we define evaluation of one argument converges, then evaluation of the other the notion of bisimulation as follows. argument must converge as well; proving this property amounts to proving the contextual equivalence of u and u, which was the whole Definition 4.1. A bisimulation X is a relation among seal sets s and purpose of our bisimulation! s and value relations R such that every (s,s,R ) ∈ X satisfies the following conditions. Fortunately, our restriction of the arguments to values can be jus- tified by the “fundamental property” proved in the next section, 1. For each (v,v ) ∈ R , we have Seals(v) ⊆ s and Seals(v ) ⊆ s . which says that the special forms [u/x]d and [u /x]d are preserved by evaluation. The only change required as a result of this restric- 2. For each (v,v ) ∈ R , v and v are of the same kind. That is, both are functions, both are constants, both are tuples, both tion is the addition of {(k,k )} to knowledge R in Condition 7: it are seals, or both are sealed values. compensates for the fact that d can no longer be a fresh seal gen- eration, while the context can still generate its own fresh seals k 3. For each (c,c ) ∈ R , we have c = c . and k when making up the arguments. Without such a change, our bisimulation would indeed be unsound: a counter-example would (( ,..., ),( ,..., )) ∈ = (0/,0/,{(λ .{true} ,λ .{false} )}) 4. For each v1 vn v1 vn R , we have n n and be x x x x , for which contexts like ( , , ∪{( , )}) ∈ ≤ ≤ ν .let { } =[] in if then () else ⊥ s s R vi vi X for every 1 i n. y z y y z can distinguish the two functions. ( , ) ∈ ( , ) ∈ = ⇐⇒ 5. For each k1 k1 R and k2 k2 R ,wehavek1 k2 = k1 k2. The rest of Condition 7 is straightforward: the results w and w of function application should also be bisimilar. 6. For each ({v}k,{v }k ) ∈ R , we have either (k,k ) ∈ R and (s,s , ∪{(v,v )}) ∈ X, or else (k,k ) ∈ and (k ,k ) ∈ Example 4.2. Let s = {k}, s = {k }, and = {({2} ,{1} )}. R R R R k k for every k. Then {(s,s ,R )} is a bisimulation, as can be seen by a straightfor- ward check of the conditions above. (λ . ,λ . ) ∈ ∩ 7. Take any x e x e R . Take also any k and k with s Example 4.3. Let s = {k ,k }, s = {k }, and {k} = s ∩{k } = 0/. Moreover, let v =[u/x]d and v =[u /x]d 1 2 ( , ) ∈ {( , )} ( )=0/ for any u u R k k and Seals d . Then, we R = {(({2}k ,{4}k ),({1}k ,{5}k )), 1 2 ({ } ,{ } ), have s{k} (λx.e)v ⇓⇐⇒ s {k } (λx.e )v ⇓. Further- 2 k1 1 k ({4} ,{5} )}. more, if s {k} (λx.e)v ⇓ t w and s {k } (λx.e )v ⇓ k2 k t w , then (t,t ,R {(k,k )}∪{(w,w )}) ∈ X. Then {(s,s,R )} is a bisimulation. This example illustrates the fact that the number of seals may differ in the left-hand side and ( , ) ∈ For any bisimulation X, we write s vXR s v when v v R in the right-hand side of bisimulation. Note that the closure con- and (s,s,R ) ∈ X. This can be read “values v and v with seal sets s dition (Condition 4) in the definition of bisimulation demands that and s are bisimilar under contexts’ knowledge R .” we include not only the original pairs, but also their corresponding components. The intuitions behind the definition of bisimulation are as follows. Each of the conditions excludes pairs of values that are distin- Example 4.4. Suppose we want to show that the pair guishable by a context (except for Condition 1, which just re- ({2}k, λ{x}k.x + 1) is bisimilar to ({1}k , λ{x}k .x + 2)), as- stricts the scoping of seals). Condition 2 excludes pairs of val- suming that seals k and k are not known to the context. Again, ues of different kinds, e.g., 123 and λx.x. Condition 3 excludes the closure conditions in the definition force us to include the pairs of different constants. Condition 4 excludes pairs of tuples corresponding components of the pairs (Condition 4), as well as with distinguishable elements. Condition 5 excludes cases such the results of evaluating the second components applied to the first as (k,k) ∈ R and (k,k) ∈ R with k = k, for which contexts components (Condition 7); moreover, since Condition 7 allows the like let {x}y = {()}z in x else ⊥ can distinguish the left-hand context to enrich the set of seals with arbitrary seals of its own, our side (setting y = z = k) and the right-hand side (setting y = k and bisimulation will consist of an infinite collection of similar sets, z = k). Condition 6 excludes cases where (i) the context can un- differing in the context’s choice of seals.
165
Formally, let G be the following function on sets of pairs of seals: The construction of the bisimulation follows the same pattern as Example 4.4, except that the operator G is more interesting: {( , )} = {(({ } , λ{ } . + ), G k0 k0 2 k x k x 1 ({1}k , λ{x}k .x + 2)), G{(k0,k )} = ({2} , {1} ), 0 k k {(v,v )} (λ{x} .x + 1, λ{x} .x + 2), k k ∪{(λ(x,y).{(x + 0.0,y + 0.0)} , (3, 3)} k λ(x,y).{(sqrt(x × x + y × y),atan2(y,x))}k ), ∪{(k , k )} 0 0 (λ{(x,y)}k.(x,y), λ{( ,θ)} .( × cos θ, × sin θ)), Then r k r r (λ({(x1,y1)}k,{(x2,y2)}k). = {({ , }, { , }, {( , )}) | ∈{ }∧ ∈{ }} X k k0 k k0 G k0 k0 k k0 k k0 {(x1 × x2 − y1 × y2,x1 × y2 + y1 × x2)}k, λ({( ,θ )} ,{( ,θ )} ).{( × ,θ + θ )} )} is a bisimulation. The only non-trivial work required to show this r1 1 k r2 2 k r1 r2 1 2 k ∪{((x,y),(x,y)) | x and y are arbitrary real numbers} is checking Condition 7 for the pair (λ{x}k.x + 1, λ{x}k .x + 2) ∈ ∪{({( θ, θ)} ,{( ,θ)} ) | ≥ } {( , )} ∈{ } ∈{ } r cos r sin k r k r 0 G k0 k0 , for each k0 and k0 with k k0 and k k0 . ∪{( , )} k0 k0 Consider any v =[u/x]d and v =[u/x]d with (u,u) ∈ {( , )}{( , )} ( )={ , }∩{ } = { , }∩ Example 4.6 (Applicative vs. Generative Functors). In this ex- G k0 k0 k1 k1 and Seals d k k0 k1 k k0 ample, we use bisimulation to show the equivalence of two instan- { } = 0/ (λ{ } . + ) (λ{ } . + ) k1 . If the evaluations of x k x 1 v and x k x 2 v tiations of a generative functor, where generativity is modeled by diverge, then the condition holds. fresh seal generation and the equivalence really depends on the gen- erativity. Let us focus on cases where the evaluation of (λ{x}k.x + 1)v con- verges (without loss of generality, thanks to symmetry), that is, A functor is a parameterized module—a function from modules to { } { } where v is of the form w k. Then, either d is of the form d0 xi and modules. For example, a module implementing sets by binary trees = = { } ui k, or else d is a variable xi and ui w k. However, the former can be parameterized by the type of elements and their comparison {( , )} case is impossible: k is not in the first projection of G k0 k0 or function. In the same imaginary ML-like language as in Section 1, {( , )} such a functor might be written as follows: k1 k1 by their definitions. So we must be in the latter case. functor Set(module Element : sig Since the only element of the form {w}k in the first projection of type t {(k0,k )}{(k1,k )} is {2} where the corresponding element G 0 1 k val less_than : t -> t -> bool in its second projection is {1} , we have v = {2} and v = {1} . k k k end) = (λ{ } . + ) (λ{ } . + ) Then, the only evaluations of x k x 1 v and x k x 2 v type elt = Element.t are abstype set = Element.t tree let empty : set = Leaf {k,k0}{k1} (λ{x}k.x + 1)v ⇓ {k,k0,k1} 3 let rec add : elt -> set -> set = and fun x -> 166 Set(module Element = following function g, which generates a fresh seal for each applica- type t = int tion instead of using the same seal k for all instantiations. let less_than : t -> t -> bool = λlt.νz. funx->funy->(x 167 S = {(U,U),(V,V ),(W,W ), — corresponding keys and constants known to the attacker (k,k ),(A,A),(B,B),(E,E), (λ .{ } ,λ .{ } ),(λ .{ } ,λ .{ } ),( , ), x x kA x x k x x kB x x k kE kE A B (w,w ),({w} ,{w } ),({w} ,{w } ), kA kA kB kB — corresponding components from principal B at Step 1 (λ{( , )} .assert( = ) ν .({( , , )} ,λ{ } .assert( = ) { } ), x y kB y A ; z x z B kA z0 kB z0 z ; i z λ{(x,y)} .assert(y = A);νz.({(x,z,B)} ,λ{z } .assert(z = z);{ j} )), kB kA 0 kB 0 z — corresponding components from principal A at Step 2, communicating with B (({(kAB,A)}k ,λ{(y0,z,x0)}k .assert(y0 = kAB);assert(x0 = B);{z}k ), B A B ({( , )} ,λ{( , , )} .assert( = ) assert( = ) { } )), kAB A k y0 z x0 k y0 kAB ; x0 B ; z k B A B ({(k ,A)} ,{(k ,A)} ), AB kB AB kB (λ{(y0,z,x0)}k .assert(y0 = kAB);assert(x0 = B);{z}k , A B λ{(y ,z,x )} .assert(y = k );assert(x = B);{z} ), 0 0 kA 0 AB 0 kB — corresponding components from principal B at step 3, communicating with A (({(kAB,kB,B)}k ,λ{z0}k .assert(z0 = kAB);{i} ), A B kB ({(k ,k ,B)} ,λ{z } .assert(z = k );{ j} )), AB B kA 0 kB 0 AB k B ({(k ,k ,B)} ,{(k ,k ,B)} ), AB B kA AB B kA (λ{z0}k .assert(z0 = kAB);{i} , B kB λ{ } .assert( = ) { } ), z0 k z0 kAB ; j B kB — corresponding components from principal A at step 4, communicating with B ({k } ,{k } ), B kB B kB — corresponding components from principal B at step 5, communicating with A ({i} ,{ j} ), kB kB — corresponding components from principal A at Step 2, communicating with E (({(kAE ,A)}k ,λ{(y0,z,x0)}k .assert(y0 = kAE );assert(x0 = E);{z}k ), E A E ({( , )} ,λ{( , , )} .assert( = ) assert( = ) { } )), kAE A k y0 z x0 k y0 kAE ; x0 E ; z k E A E ({(k ,A)} ,{(k ,A)} ), AE kE AE kE (λ{(y0,z,x0)}k .assert(y0 = kAE );assert(x0 = E);{z}k , A E λ{(y ,z,x )} .assert(y = k );assert(x = E);{z} ), 0 0 kA 0 AE 0 kE (( , ),( , )), kAE A kAE A ( , ), kAE kAE — corresponding components from principal B at Step 3, communicating with E (({(w,k ,B)} ,λ{z } .assert(z = k );{i} ), B kA 0 kB 0 B kB ({( , , )} ,λ{ } .assert( = ) { } )), w kB B k z0 k z0 kB ; j A B kB ({(w,k ,B)} ,{(w ,k ,B)} ), B kA B kA (λ{z0}k .assert(z0 = kB);{i} , B kB λ{ } .assert( = ) { } )), z0 k z0 kB ; j B kB — corresponding components from principal A at Step 4, communicating with E ({w} ,{w } )} kE kE Figure 3. Bisimulation for the Needham-Schroeder-Lowe protocol 168 The idea of the encoding is as follows. We use sealing, unsealing Since we would have and fresh seal generation as (perfect) encryption, decryption, and ({(w,k )} ,{(w ,k )} ) ∈ fresh key generation. The whole system is expressed as a tuple of B kA B kA S (functions representing) keys known to the attacker and terms U instead of and V representing principals B and A. ({( , , )} ,{( , , )} ) ∈ w kB B k w k B k S =(λ .{ } ,λ .{ } , , , ) A B A W x x kA x x kB kE U V ( , ) ∈ ({( , )} , along with kAE kAE S, we would have kAE kB kA Each principal is encoded as a pair of the last value it sent (if {(k ,k )} ) ∈ by taking w = k and w = k in the defi- any) and a continuation function waiting to receive a next mes- AE B kA S AE AE sage. When the message is received, the function returns the next nition of X above. Since we would have state of the principal. Communication occurs by a context apply- (λ{(y0,z)}k .assert(y0 = kAE );{z}k , ing these functions in an appropriate order (when the environment A E λ{(y0,z)} .assert(y0 = k );{z} ) ∈ S is behaving normally) or perhaps in some strange, arbitrary order kA AE kE (when the environment is under the control of a malicious attacker). as well instead of Thus, contexts play the role of the network, scheduler, and attack- (λ{(y0,z,x0)}k .assert(y0 = kAE );assert(x0 = E);{z}k , ers. More details about the encoding—including a more detailed A E justification of the claim that it is a reasonable encoding of the λ{(y ,z,x )} .assert(y = k );assert(x = E);{z} ) ∈ 0 0 kA 0 AE 0 kE S protocol above—can be found in previous work [30]. We write assert(e1);e2 as syntactic sugar for if e1 then e2 else ⊥. we should also have ({k } ,{k } ) ∈ by applying these func- B kE B kE S tions to the previous ciphertexts, according the condition of bisim- U =(B,λ{(x,y)} .assert(y = A); kB ulation for functions (Condition 7). Furthermore, since (kE ,k ) ∈ νz.({(x,z,B)} , E kA ( , ) ∈ λ{z } .assert(z = z); S, we would need kB kB S as well, according to the condi- 0 kB 0 tion of bisimulation for sealed values (Condition 6). Then, since {i}z)) = λ .let =(if = then else ({i} ,{ j} ) ∈ S, we should require (i, j) ∈ S. This contradicts V x kx x B kB kB kB if x = E then kE else ⊥) in with the condition of bisimulation for constants (Condition 3) if ν .({( , )} , i = j. Observe how the same attack is prevented in the fixed ver- y y A kx λ{( , , )} .assert( = ) sion of this protocol: the assertion assert(x = E) fails since x is y0 z x0 kA y0 y ; 0 0 assert(x0 = x); bound to B. { } )) z kx 5 Soundness and Completeness Now, take any integers i and j. We prove that the system W above Bisimilarity, written ∼, is the largest bisimulation. It exists because (where the secret value sent from B to A is i) and the system W the union of two bisimulations is always a bisimulation. We will below (where the secret is j) are bisimilar, which means that the need several simple lemmas about bisimulation in the development protocol keeps i and j secret against attackers. that follows. U =(B,λ{(x,y)} .assert(y = A); kB Lemma 5.1 (Monotonicity). Take any bisimulation X. For any νz.({(x,z,B)} , kA ( , , ) ∈ ( , , ) ∈ ⊆ s s R X and t t S X with R S,if s vXR s v , then λ{z } .assert(z = z); 0 kB 0 t vXS t v . { j}z)) = λ .let =(if = then else V x kx x B kB if = then else ⊥) in PROOF. Immediate from the definitions of s vXR s v and x E kE ν .({( , )} , t vXS t v . y y A kx λ{( , , )} .assert( = ) y0 z x0 k y0 y ; A assert( = ) Lemma 5.2 (Addition of Constants). Take any bisimulation X x0 x ; and (s,s,R ) ∈ X. Then, X ∪{(s,s,R ∪{(c,c)})} is a bisimula- {z}k )) x tion for any constant c. W =(λx.{x} ,λx.{x} ,k ,U ,V ) kA kB E PROOF. Straightforward by checking the conditions of bisimula- The construction of the bisimulation X is by induction, following tion. the same basic pattern as Example 4.7. The base case is (0/,0/,0/) ∈ X. The induction rule is as follows. Take any (s,s,R ) ∈ X. Take Lemma 5.3 (Addition of Fresh Seals). Take any bisimulation X any w =[v/x]e and w =[v /x]e with (v,v ) ∈ R and Seals(e)=0/. and (s,s,R ) ∈ X. Then, X ∪{(s {k},s {k},R {(k,k)})} Take any t ⊇ s and t ⊇ s of the forms {kA,kB,kE ,kAB,kAE ,kB,k} is a bisimulation for any k ∈ s and k ∈ s . { , , , , , , } ( , , ) ∈ and kA kB kE kAB kAE kB k . Then, t t T X for any subset T of the set S given in Figure 3. It is routine to check the conditions PROOF. Straightforward by checking the conditions of bisimula- of bisimulation for this X. tion. It is well known that the secrecy property does not hold for the We want to show that the bisimilarity ∼ coincides with the contex- original version of this protocol (i.e., without Lowe’s fix), in which tual equivalence ≡. Since we defined ∼ by co-induction, the easy { , } { , , } direction is showing that contextual equivalence implies bisimilar- the third message is NA NB kA instead of NA NB B kA (i.e., the B is missing). This flaw is mirrored in our setting as well: if we ity. tried to construct a bisimulation for this version in the same way as above, it would fail to be a bisimulation for the following reason. Lemma 5.4 (Completeness of Bisimilarity). ≡⊆∼. 169 PROOF. Since ∼ is the greatest bisimulation, it suffices to check to prove the soundness and completeness of bisimilarity under this ∼ that ≡ is a bisimulation, which is routine using the lemmas about extension, with an additional lemma that = respects =1 (which can contextual equivalence. be proved by induction on the syntax of values being compared). Next, we need to prove soundness, i.e., that bisimilarity implies Of course, the more observations we allow, the more difficult it be- contextual equivalence. For this purpose, we define the following comes to establish the equivalence of two given modules. For ex- relation. ample, the two implementations of complex numbers given in the introduction are no longer equivalent (or bisimilar) under the exten- ∼ Definition 5.5 (Bisimilarity in Context). We define = as sion above, because there are many polar representations of 0 + 0i {( , , ,[ / ] ,[ / ] ) | ∼ ∧ ( )=0/} while there is only one cartesian representation. So, for example, a s s R v x e0 v x e0 s v R s v Seals e0 context like ∼ ∼ ∧ ...∧ [] = [] where s v R s v is a shorthand for s v1 R s v1 C let x = .from_re_and_im(0.0, 0.0) in ∼ [] s vn R s vn. let y = .from_re_and_im(-1.0, 0.0) in x =1 [].multiply x y ∼ ( , , , , ) ∈ ∼ We write s e =R s e for s s R e e =. The intuition of ∼ would distinguish CartesianComplex and PolarComplex. To re- this definition is: = relates bisimilar values v and v put in context cover the equivalence, the polar representation of 0 + 0i must be e0. standarized and checks inserted wherever it can be created: The two lemmas below are the key properties of our bisimulation. let from_re_and_im = The first states that evaluation preserves =∼, the second that =∼ im- fun (x, y) -> plies observational equivalence (i.e., if evaluation of one expression let z = converges, then evaluation of the other expression also converges). if x = 0.0 && y = 0.0 then (0.0, 0.0) else (sqrt(x * x+y*y),atan2(y, x)) in Lemma 5.6 (Fundamental Property, Part I). Suppose 170 + place, which cuts down the intermediate terms and reduces the size Eρ (x,bool)=x + of a bisimulation. Eρ (x,τ1 × ...× τn)=let (y1,...,yn)=x in ( +(y ,τ ),..., +(y ,τ )) λ Eρ 1 1 Eρ n n Abramsky [4] studied applicative bisimulation for the -calculus. +( ,τ → σ)=λ .let = −( ,τ) in +( ,σ) λ . λ . (λ . ) Eρ x y z xEρ y Eρ z For functions x e and x e to be bisimilar, it requires that x e d +( ,∀α.τ)=λ .let = () in +( ,τ) and (λx.e)d are observationally equivalent for any closed d, and Eρ x y z x Eρ z +( ,∃α.τ)=ν . + ( ,τ) Eρ x z Eρ,α →z x that they evaluate to bisimilar values if the evaluations converge. + Thus, it requires the two arguments to be the same, which actually Eρ (x,α)={x}ρ(α) + makes the soundness proof harder [9]. We avoided this problem Eρ (x,α)=x if α ∈ Dom(ρ) by allowing some difference between the arguments of functions in − our bisimulation. Eρ (x,bool)=if x then true else false − Eρ (x,τ1 × ...× τn)=let (y1,...,yn)=x in Jeffrey and Rathke [10] defined bisimulation for λ-calculus with − − (Eρ (y1,τ1),...,Eρ (yn,τn)) name generation, of which our seal generation is an instance. Al- − + − Eρ (x,τ → σ)=λy.let z = xEρ (y,τ) in Eρ (z,σ) though their theory does distinguish private and public names, it − − Eρ (x,∀α.τ)=λy.νz.Eρ,α →z(x,τ) lacks a proper mechanism to keep track of contexts’ knowledge − − Eρ (x,∃α.τ)=Eρ (x,τ) of name-involving values in general, such as functions containing − names inside the bodies. As a result, they had to introduce addi- Eρ (x,α)=let {y}ρ(α) = x in y else ⊥ − tional language constructs—such as global references [10] or com- Eρ (x,α)=x if α ∈ Dom(ρ) munication channels [11]—for the bisimulation to be sound. We solved this problem by using a set of relations (rather than a sin- Figure 4. Translation of type abstraction into dynamic sealing gle relation) between values as a bisimulation, i.e., by considering multiple pairs of values at once. it would be possible to define bisimulation for type abstraction in A well-known method of proving the abstraction obtained by type a similar manner to the definition of our bisimulation for dynamic abstraction is logical relations [15, 25]. Although they are tradi- sealing. This is interesting because such bisimulation may be com- tionally defined on denotational models, they have recently been plete with respect to contextual equivalence as in this work, while it studied in the syntactic setting of term models as well [22, 23]. In is difficult to obtain complete logical relations for type abstraction previous work [30], we have defined syntactic logical relations for [22, 23]. perfect encryption and used them to prove secrecy properties of se- curity protocols. Although logical relations are analogous to bisim- Mechanical support for bisimulation proofs is also of natural inter- ulations in that both relate corresponding values between two dif- est. Full automation is hopeless, since general cases subsume the ferent programs, logical relations are defined by induction on types halting problem (i.e., whether the evaluation of a λ-expression con- and cannot be applied in untyped settings. Moreover, logical rela- verges or diverges), but many of the conditions of bisimulation are tions in more sophisticated settings (such as recursive functions and easy to check or satisfy by adding elements to the bisimulation. One recursive types) than simply typed λ-calculus tend to become rather challenging point would be the case analysis on function arguments complicated. Indeed, “keys encrypting keys” (as in security proto- [u/x]d and [u /x]d in Condition 7, shown in detail in Example 4.4. cols) required non-trivial extension in the logical relations above, while they imposed no difficulty to our bisimulation in this paper. Acknowledgements 8 Conclusions We would like to thank Mart«õn Abadi, Andre Scedrov, Naoki λ Kobayashi, and the members of Programming Language Club at the We have defined a bisimulation for seal and proved its soundness University of Pennsylvania for suggestions and support throughout and completeness with respect to contextual equivalence. the development of this work. There are several directions for future work. One is to apply our bisimulation to more examples, e.g., to prove the full abstraction of 9 References our translation of type abstraction into dynamic sealing—indeed, this was actually the original motivation for the present work. When [1] Mart«õn Abadi and C«edric Fournet. Mobile values, new names, the target language is untyped, the translation of source term M : τ and secure communication. In Proceedings of the 28th ACM let = ( ) in +( ,τ) + can be given as x erase M E0/ x , where E is defined SIGPLAN-SIGACT Symposium on Principles of Program- − like Figure 4 along with its dual E in a type-directed manner. In- ming Languages, pages 104Ð115, 2001. tuitively, E+ is a “firewall” that protects terms from contexts, where − [2] Mart«õn Abadi and Andrew D. Gordon. A bisimulation method is a “sandbox” that protects contexts from terms. Bisimulation E for cryptographic protocols. Nordic Journal of Computing, would help proving properties of this translation. We may also be 5:267Ð303, 1998. Preliminary version appeared in Program- able to use such an interpretation of type abstraction by dynamic ming Languages and Systems Ð ESOP’98, 7th European Sym- sealing as a (both formal and informal) basis for reasoning about type abstraction in broader settings. posium on Programming, Lecture Notes in Computer Science, Springer-Verlag, vol. 1381, pages 12Ð26, 1998. Another possibility is to define and use bisimulation for other forms [3] Mart«õn Abadi and Andrew D. Gordon. A calculus for cryp- of information hiding, such as type abstraction. Our treatment of tographic protocols: The spi calculus. Information and Com- seals are analogous to the treatment of generative names in general putation, 148(1):1Ð70, 1999. Preliminary version appeared [24, 29], of which abstract types are an instance as soon as they es- in Proceedings of the 4th ACM Conference on Computer and cape from their scope (by communication [28], for example). Thus, Communications Security, pp. 36Ð47, 1997. 171 [4] Samson Abramsky. The lazy lambda calculus. In David A. [19] James H. Morris Jr. Types are not sets. In Proceedings of Turner, editor, Research Topics in Functional Programming, the 1st Annual ACM SIGACT-SIGPLAN Symposium on Prin- pages 65Ð117. Addison Wesley, 1990. ciples of Programming Languages, pages 120Ð124, 1973. [5] Michele Boreale, Rocco De Nicola, and Rosario Pugliese. [20] Roger Needham and Michael Schroeder. Using encryption for Proof techniques for cryptographic processes. SIAM Jour- authentication in large networks of computers. Communica- nal on Computing, 31(3):947Ð986, 2002. Preliminary version tions of the ACM, 21(12):993Ð999, 1978. appeared in 14th Annual IEEE Symposium on Logic in Com- [21] Benjamin Pierce and Eijiro Sumii. Relating cryptography and puter Science, pp. 157Ð166, 1999. polymorphism, 2000. Manuscript. http://www.yl.is.s. [6] Johannes Borgstr¬om and Uwe Nestmann. On bisimulations u-tokyo.ac.jp/˜sumii/pub/. for the spi calculus. In 9th International Conference on Alge- [22] Andrew M. Pitts. Existential types: Logical relations and braic Methodology and Software Technology, volume 2422 of operational equivalence. In Proceedings of the 25th Inter- Lecture Notes in Computer Science, pages 287Ð303. Springer- national Colloquium on Automata, Languages and Program- Verlag, 2002. ming, volume 1443 of Lecture Notes in Computer Science, [7] Derek Dreyer, Karl Crary, and Robert Harper. A type sys- pages 309Ð326. Springer-Verlag, 1998. tem for higher-order modules. In Proceedings of the 30th [23] Andrew M. Pitts. Parametric polymorphism and operational ACM SIGPLAN-SIGACT Symposium on Principles of Pro- equivalence. Mathematical Structures in Computer Science, gramming Languages, pages 236Ð249, 2003. 10:321Ð359, 2000. Preliminary version appeared in HOOTS [8] Dan Grossman, Greg Morrisett, and Steve Zdancewic. Syn- II Second Workshop on Higher-Order Operational Techniques tactic type abstraction. ACM Transactions on Programming in Semantics, Electronic Notes in Theoretical Computer Sci- Languages and Systems, 22(6):1037Ð1080, 2000. ence, vol. 10, 1998. [9] Douglas J. Howe. Proving congruence of bisimulation in [24] Andrew M. Pitts and Ian Stark. Observable properties of functional programming languages. Information and Com- higher order functions that dynamically create local names, putation, 124(2), 1996. or: what’s new? In Mathematical Foundations of Computer Science, volume 711 of Lecture Notes in Computer Science, [10] Alan Jeffrey and Julian Rathke. Towards a theory of bisimu- pages 122Ð141. Springer-Verlag, 1993. lation for local names. In 14th Annual IEEE Symposium on Logic in Computer Science, pages 56Ð66, 1999. [25] John C. Reynolds. Types, abstraction and parametric poly- [11] Alan Jeffrey and Julian Rathke. A theory of bisimulation for morphism. In Information Processing 83, Proceedings of the a fragment of concurrent ML with local names. Theoretical IFIP 9th World Computer Congres, pages 513Ð523, 1983. Computer Science, 2003. To appear. An extended abstract [26] Andreas Rossberg. Generativity and dynamic opacity for ab- appeared in 15th Annual IEEE Symposium on Logic in Com- stract types. In Proceedings of the 5th International ACM puter Science, pp. 311Ð321, 2000. SIGPLAN Conference on Principles and Practice of Declara- tive Programming, pages 241Ð252, 2003. [12] James J. Leifer, Gilles Peskine, Peter Sewell, and Keith Wans- brough. Global abstraction-safe marshalling with hash types. [27] Davide Sangiorgi and Robin Milner. The problem of “weak In Proceedings of the Eighth ACM SIGPLAN International bisimulation up to”. In CONCUR ’92, Third International Conference on Functional Programming, pages 87Ð98, 2003. Conference on Concurrency Theory, volume 630 of Lecture [13] Barbara Liskov. A history of CLU. In The Second ACM SIG- Notes in Computer Science, pages 32Ð46. Springer-Verlag, PLAN Conference on History of Programming Languages, 1992. pages 133Ð147, 1993. [28] Peter Sewell. Modules, abstract types, and distributed ver- [14] Gavin Lowe. An attack on the Needham-Schroeder public- sioning. In Proceedings of the 28th ACM SIGPLAN-SIGACT key authentication protocol. Information Processing Letters, Symposium on Principles of Programming Languages, pages 56(3):131Ð133, 1995. 236Ð247, 2001. [15] John C. Mitchell. On the equivalence of data representations. [29] Ian Stark. Names and Higher-Order Functions. PhD thesis, http://www.dcs.ed.ac. In Artificial Intelligence and Mathematical Theory of Compu- University of Cambridge, 1994. uk/home/stark/publications/thesis.html tation: Papers in Honor of John McCarthy, pages 305Ð330. . Academic Press, 1991. [30] Eijiro Sumii and Benjamin C. Pierce. Logical relations for en- [16] John C. Mitchell and Gordon D. Plotkin. Abstract types cryption. In 14th IEEE Computer Security Foundations Work- have existential types. ACM Transactions on Programming shop, pages 256Ð269, 2001. Long version to appear in the Languages and Systems, 10(3):470Ð502, 1988. Preliminary Journal of Computer Security. version appeared in Proceedings of the 12th ACM SIGACT- [31] Eijiro Sumii and Benjamin C. Pierce. A bisimulation for SIGPLAN Symposium on Principles of Programming Lan- dynamic sealing. http://www.cis.upenn.edu/˜sumii/, guages, pages 37Ð51, 1985. 2003. [17] James H. Morris Jr. Lambda-Calculus Models of Program- [32] Steve Zdancewic, Dan Grossman, and Greg Morrisett. Prin- ming Languages. PhD thesis, Massachusetts Institute of Tech- cipals in programming languages: A syntactic proof tech- nology, 1968. nique. In Proceedings of the Fourth ACM SIGPLAN Interna- [18] James H. Morris Jr. Protection in programming languages. tional Conference on Functional Programming, pages 197Ð Communications of the ACM, 16(1):15Ð21, 1973. 207, 1999. 172