Introduction The language Main theorem Proof Conclusion The Applied Pi Calculus. with Proofs Bruno Blanchet INRIA Paris-Rocquencourt joint work with Mart´ın Abadi and C´edricFournet April 2015 Bruno Blanchet (INRIA) Applied pi calculus April 2015 1 / 47 Introduction The language Main theorem Proof Conclusion The applied pi calculus Designed by Abadi and Fournet (Mobile Values, New Names, and Secure Communication, POPL'01). Extension of the pi calculus with terms instead of names for messages. Language for modeling security protocols: Terms represent protocol messages. Function symbols represent cryptographic primitives. The properties of these primitives are modeled by equations. The input language of ProVerif is a dialect of the applied pi calculus. The applied pi calculus and ProVerif are widely used. Interesting to make them converge, with a solid theoretical foundation. Bruno Blanchet (INRIA) Applied pi calculus April 2015 2 / 47 Introduction The language Main theorem Proof Conclusion Our contribution Minor changes to the language Closer to ProVerif Detailed proofs of all results Minor fixes; some side-conditions were not explicit 74 pages of proofs. Revised examples New example on indifferentiability Bruno Blanchet (INRIA) Applied pi calculus April 2015 3 / 47 Introduction The language Main theorem Proof Conclusion Related work Avik Chaudhuri (private communication, 2007) found a counter-example to \observational equivalence equals labelled bisimilarity", due to a missing side-condition. Bengtson et al, LICS'09 mentioned a similar counter-example; proposed a framework for defining various extensions of the pi calculus (psi-calculi), with machine-checked proofs. Jia Liu (http://lcs.ios.ac.cn/~jliu/papers/LiuJia0608.pdf) made the missing side-condition explicit, and gave a proof of \observational equivalence equals labelled bisimilarity"; closer to the original applied pi calculus paper; extension to a stateful variant (POST'14, with Arapinis, Ritter, and Ryan). Bruno Blanchet (INRIA) Applied pi calculus April 2015 4 / 47 Introduction The language Main theorem Proof Conclusion Syntax: processes L; M; N; T ; U; V ::= terms a; b; c;:::; k;:::; m; n;:::; s name x; y; z variable f (M1;:::; Ml ) function application P; Q; R ::= processes (or plain processes) 0 null process P j Q parallel composition !P replication νn:P name restriction (\new") if M = N then P else Q conditional u(x):P message input uhMi:P message output Bruno Blanchet (INRIA) Applied pi calculus April 2015 5 / 47 Introduction The language Main theorem Proof Conclusion Syntax: processes L; M; N; T ; U; V ::= terms a; b; c;:::; k;:::; m; n;:::; s name x; y; z variable f (M1;:::; Ml ) function application P; Q; R ::= processes (or plain processes) 0 null process P j Q parallel composition !P replication νn:P name restriction (\new") if M = N then P else Q conditional N(x):P message input NhMi:P message output Bruno Blanchet (INRIA) Applied pi calculus April 2015 5 / 47 Introduction The language Main theorem Proof Conclusion Syntax: extended processes A; B; C ::= extended processes P plain process A j B parallel composition νn:A name restriction νx:A variable restriction M f =x g active substitution Active substitutions model the knowledge of the adversary. M1 Ml M1 Ml f =x1 ;:::; =xl g for f =x1 g j ::: jf =xl g. Substitutions are cycle-free. At most one substitution for each variable. Exactly one when the variable is restricted. Bruno Blanchet (INRIA) Applied pi calculus April 2015 6 / 47 Introduction The language Main theorem Proof Conclusion Sorts Variables, names, and functions come with sorts: u : τ means that u has sort τ. Examples of sorts: Integer, Key, Data, . There are infinite numbers of variables and names of each sort. f : τ1 × · · · × τl ! τ means that f has arguments of sorts τ1; : : : ; τl and a result of sort τ. Bruno Blanchet (INRIA) Applied pi calculus April 2015 7 / 47 The unsorted applied pi is a particular case of the sorted applied pi, using the single sort Channel. The sort system enforces that: Functional applications are well-sorted. M and N are of the same sort in the conditional expression. N has sort Channel in the input and output expressions. The sort system can enforce that channels are names or variables: choose types of functions so that no function returns sort Channel. Active substitutions preserve sorts. Introduction The language Main theorem Proof Conclusion Sorts Special sort Channelhτi for channels. Bruno Blanchet (INRIA) Applied pi calculus April 2015 8 / 47 Introduction The language Main theorem Proof Conclusion Sorts Special sort Channel for channels. The unsorted applied pi is a particular case of the sorted applied pi, using the single sort Channel. The sort system enforces that: Functional applications are well-sorted. M and N are of the same sort in the conditional expression. N has sort Channel in the input and output expressions. The sort system can enforce that channels are names or variables: choose types of functions so that no function returns sort Channel. Active substitutions preserve sorts. Bruno Blanchet (INRIA) Applied pi calculus April 2015 8 / 47 Introduction The language Main theorem Proof Conclusion Semantics: equations The signature Σ is equipped with an equational theory closed under substitutions of terms for variables and names; intuitively, defined from equations that do not contain names; respects the sort system; non-trivial, that is, there exist two different terms in each sort. Example fst((x; y)) = x snd((x; y)) = y dec(enc(x; y); y) = x check(x; sign(x; sk(y)); pk(y)) = ok Equality modulo the equational theory: Σ ` M = N. Bruno Blanchet (INRIA) Applied pi calculus April 2015 9 / 47 Introduction The language Main theorem Proof Conclusion Semantics: preliminary definitions Processes are considered equal modulo renaming of bound names and variables. M Needed to define Pf =x g. A context is a (possibly extended) process with a hole. An evaluation context is a context whose hole is not under a replication, a conditional, an input, or an output. E ::= evaluation context hole A j E parallel composition E j A parallel composition νn:E name restriction νx:E variable restriction Bruno Blanchet (INRIA) Applied pi calculus April 2015 10 / 47 Introduction The language Main theorem Proof Conclusion Semantics: structural equivalence Structural equivalence ≡ equivalence relation closed by application of evaluation contexts Par-0 A ≡ A j 0 Par-A A j(B j C) ≡ (A j B) j C Par-C A j B ≡ B j A Repl !P ≡ P j !P New-0 νn:0 ≡ 0 New-C νu.νv:A ≡ νv.νu:A New-Par A j νu:B ≡ νu:(A j B) when u 62 fv(A) [ fn(A) M Alias νx:f =x g ≡ 0 M M M Subst f =x g j A ≡ f =x g j Af =x g M N Rewrite f =x g ≡ f =x g when Σ ` M = N Bruno Blanchet (INRIA) Applied pi calculus April 2015 11 / 47 Introduction The language Main theorem Proof Conclusion Semantics: internal reduction Internal reduction ! closed by structural equivalence closed by application of evaluation contexts Comm Nhxi:P j N(x):Q ! P j Q Then if M = M then P else Q ! P Else if M = N then P else Q ! Q for any ground terms M and N such that Σ 6` M = N Using structural equivalence: M NhMi:P j N(x):Q ≡ νx:(f =x g j Nhxi:P j N(x):Q) M ! νx:(f =x g j P j Q) by Comm M ≡ P j Qf =x g Bruno Blanchet (INRIA) Applied pi calculus April 2015 12 / 47 Introduction The language Main theorem Proof Conclusion Preliminary definitions dom(A): domain, set of variables that A exports. fv(A): free variables A is closed when its free variables are all defined by an active substitution, that is, dom(A) = fv(A). E[ ] closes A when E[A] is closed. A +a when A !∗≡ E[ahMi:P] for some evaluation context E[ ] that does not bind a. A can send a message on channel a. Bruno Blanchet (INRIA) Applied pi calculus April 2015 13 / 47 Introduction The language Main theorem Proof Conclusion Observational equivalence Definition An observational bisimulation is a symmetric relation R between closed extended processes with the same domain such that A R B implies: 1 if A +a, then B +a; 2 if A !∗ A0 and A0 is closed, then B !∗ B0 and A0 R B0 for some B0; 3 E[A] R E[B] for all closing evaluation contexts E[ ]. Observational equivalence( ≈) is the largest such relation. Intuitively, A ≈ B when an adversary (evaluation context) cannot distinguish A from B. Hard to prove because of the universal quantification over all contexts. Use a labeled bisimulation. Bruno Blanchet (INRIA) Applied pi calculus April 2015 14 / 47 Introduction The language Main theorem Proof Conclusion Equality in a frame A frame ' is an extended process built up from 0 and active substitutions M f =x g by parallel composition and restriction. The frame of A, '(A), is obtained replacing every plain process in A with 0. Definition Two terms M and N are equal in the frame ', written (M = N)', if and only if fv(M) [ fv(N) ⊆ dom('), ' ≡ νen.σ, Mσ = Nσ, and feng \ (fn(M) [ fn(N)) = ; for some names en and substitution σ. Independent of the representative νen.σ. Bruno Blanchet (INRIA) Applied pi calculus April 2015 15 / 47 Introduction The language Main theorem Proof Conclusion Static equivalence Definition Two closed frames ' and are statically equivalent, written ' ≈s , when dom(') = dom( ) and for all terms M and N,(M = N)' if and only if (M = N) . Two closed extended processes are statically equivalent, written A ≈s B, when their frames are statically equivalent.