The Logical Meeting Point of Multiset Rewriting and Process Algebra

Transcription

1 MFPS MU May 25, 2004 The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano ervesato iliano@itd.nrl.navy.mil ITT Industries, NRL Washington, D

2 Motivations Security protocol specifications Transition-based Process-based Different languages and techniques Ad-hoc translations Attempt at a unified approach Rewriting re-interpretation of logic Open derivations Left rule semantics Foundation of multiset rewriting Bridge to process algebra Effective protocol specification language I.ervesato: The Logical Meeting Point of MSR and PA 1/26

3 Linear Logic Formulas A, B ::= a 1 A B A ο B! A T A & B x. A x. A -system ω LV sequents Γ ; Δ --> Σ onstructor:, Empty: Unrestricted context Linear context Signature Goal formula I.ervesato: The Logical Meeting Point of MSR and PA 2/26

4 -system ω Some LV Rules Left rules Γ; Δ, A, B --> Σ Γ; Δ, A B --> Σ Γ; Δ --> Σ A Γ; Δ, B --> Σ Γ; Δ, Δ, A οb --> Σ Σ - t Γ; Δ, [t/x]a --> Σ Γ; Δ, x.a --> Σ Γ; Δ, A --> Σ,x Γ; Δ, x.a --> Σ Structural rules Γ; A --> Σ A Γ, A; Δ, A --> Σ Γ, A; Δ --> Σ ut rules Γ; Δ --> Σ A Γ; Δ, A --> Σ Γ; Δ,Δ --> Σ Γ; --> Σ A Γ, A; Δ --> Σ Γ; Δ --> Σ Γ, A; Δ--> Σ Γ; Δ,!A --> Σ Right rules I.ervesato: The Logical Meeting Point of MSR and PA 3/26

5 Logical Derivations Γ ; --> Σ Γ ; Δ --> Σ Γ ; Δ --> Σ Proof of from Δ and Γ Emphasis on is input Finite losed -system ω Γ; Δ --> Σ Rules shown Major premise Preserves Minor premise Starts subderivation I.ervesato: The Logical Meeting Point of MSR and PA 4/26

6 A Rewriting Re-Interpretation Γ ; --> Σ Γ ; Δ --> Σ Γ ; Δ --> Σ Γ; Δ --> Σ Transition From conclusion To major premise Emphasis on Γ, Δ and Σ is output, at best Does not change Possibly infinite Open Minor premise Auxiliary rewrite chain Finite Topped with axiom I.ervesato: The Logical Meeting Point of MSR and PA 5/26

7 State and Transitions States Σ is a list Σ ; Γ ; Δ Γ and Δ are commutative monoids No Does not change Transitions Σ; Γ; Δ Σ ; Γ ; Δ * for reflexive and transitive closure onstructor:, Empty: I.ervesato: The Logical Meeting Point of MSR and PA 6/26

8 Interpreting Unary Rules Γ; Δ, A, B --> Σ Γ; Δ, A B --> Σ Σ; Γ; (Δ, A B ) Σ; Γ; (Δ, A, B) Σ - t Γ; Δ, [t/x]a--> Σ Γ; Δ, x.a --> Σ Σ; Γ; (Δ, x. A) Σ; Γ; (Δ, [t/x]a) if Σ - t Γ; Δ, A --> Σ,x Γ; Δ, x.a --> Σ Γ, A; Δ --> Σ Γ; Δ,!A --> Σ Σ; Γ; (Δ, x. A) (Σ, x); Γ; (Δ, A) Σ; Γ; (Δ,!A) Σ; (Γ, A); Δ I.ervesato: The Logical Meeting Point of MSR and PA 7/26

9 Binary Rules and Axiom Γ ; A --> Σ A Γ; Δ --> Σ A Γ; Δ, B --> Σ Γ; Δ, Δ, A οb --> Σ Minor premise Auxiliary rewrite chain Top of tree Focus shifts to RHS Axiom rule Observation I.ervesato: The Logical Meeting Point of MSR and PA 8/26

10 Observations Γ,Γ ; A --> Σ,Σ A Observation states Σ ; Δ In Δ, we identify, with with 1 ategorical semantics Identified with For Σ = x 1,, x n De Bruijn s telescopes x 1. x n. Δ Γ; Δ --> Σ Σ. A A Δ = Δ Σ; Δ = Σ. Δ Observation transitions Σ; Γ; Δ * Σ ; Δ I.ervesato: The Logical Meeting Point of MSR and PA 9/26

11 Interpreting Binary Rules Γ; A --> Σ A Σ; Γ; Δ * Σ; Δ Σ; Γ; Δ * Σ ; Δ if Σ; Γ; Δ Σ ; Γ ; Δ and Σ ; Γ ; Δ * Σ ; Δ Γ; Δ --> Σ A Γ; Δ, B --> Σ Γ; Δ, Δ, A οb --> Σ Γ; Δ --> Σ A Γ; Δ, A --> Σ Γ; Δ, Δ --> Σ Σ; Γ; (Δ, Δ, A ο B) Σ; Γ; (Δ, B) if Σ; Γ; Δ * Σ; A Σ; Γ; Δ, Δ Σ; Γ; (A, Δ) if Σ; Γ; Δ * Σ; A I.ervesato: The Logical Meeting Point of MSR and PA 10/26

12 Formal orrespondence Soundness If Σ ; Γ ; Δ * Σ,Σ ; Δ then Γ ; Δ --> Σ Σ. Δ ompleteness? No! We have only crippled right rules ; ; a ο b, b ο c * ; a ο c I.ervesato: The Logical Meeting Point of MSR and PA 11/26

13 System ω With cut, rule for ο can be simplified to Σ; Γ; (Δ, A, A ο B) Σ; Γ; (Δ, B) ut elimination holds = in-lining of auxiliary rewrite chains But areful with extra signature symbols areful with extra persistent objects No rule for needs a premise does not depend on * I.ervesato: The Logical Meeting Point of MSR and PA 12/26

14 Multiset Rewriting Multiset: set with repetitions allowed a ::= a, a ommutative monoid Multiset rewriting (a.k.a. Petri nets) Rewriting within the monoid Fundamental model of distributed computing Alternative: Process Algebras Basis for security protocol spec. languages MSR family several others Many extensions, more or less ad hoc I.ervesato: The Logical Meeting Point of MSR and PA 13/26

15 First-Order Multiset Rewriting Multiset elements are F0 atomic formulas Rules have the form Semantics x 1 x n. a(x) y 1 y k. b(x,y) Σ ; a(t), s R, (a(x) y. b(x,y)) Σ,y ; b(t,y), s Several encodings into linear logic [Martí-Oliet, Meseguer, 91] if Σ - t I.ervesato: The Logical Meeting Point of MSR and PA 14/26

16 ω-multisets vs. Multiset Rewriting MSR 1 is an instance of ω-multisets Uses only, 1,,, and ο ο never nested, always persistent Σ ; s R Σ ; s iff Σ ; R ; s * Σ ; s Interpretation of MSR as linear logic Logical explanation of multiset rewriting MSR is logic Guideline to design rewrite systems I.ervesato: The Logical Meeting Point of MSR and PA 15/26

17 The Asynchronous π-alculus Another fundamental model of distributed computing Language P ::= 0 P Q ν x. P!P x(y).p x<y> Semantics Structural equivalence omm. monoidal congruence of and 0 Binder mobility congruence of ν ν x. ν y. P ν y. ν x. P 0 ν x. 0 P ν x. Q ν x. (P Q) if x FN(P)!P!P P Reaction law x<y> x(z). P Q => [y/z]p Q I.ervesato: The Logical Meeting Point of MSR and PA 16/26

18 Properties If P =>* Q then ; ; P * Σ; Γ; Δ where Q = Σ.!Γ Δ mod!a =!A A Note: with!p!p P as a transition If P =>* Q then ; ; P * Σ; Γ; Δ where Q = Σ.!Γ Δ I.ervesato: The Logical Meeting Point of MSR and PA 17/26

19 ω-multisets vs. Process Algebra Simple encoding of asynchronous π-calculus into ω-multisets Doesn t show that π-calculus is logic Uses only a fraction of ω-multiset syntax Inverse encoding? As hard as going from multiset rewriting to π-calculus Other languages Join calculus Strand spaces To do: Synchronous π-calculus I.ervesato: The Logical Meeting Point of MSR and PA 18/26

20 MSR 3 Instance of ω-multisets for cryptographic protocol specification Security-relevant signature Typing infrastructure Modules, equations, - security 3 rd generation MSR 1: First-order multiset rewriting with Undecidability of protocol analysis MSR 2: MSR 1 + typing Actual specification language More theoretical results Implementation underway I.ervesato: The Logical Meeting Point of MSR and PA 19/26

21 Example - security Needham-Schroeder public-key protocol 1. A B: {n A, A} kb 2. B A: {n A, n B } ka 3. A B: {n B } kb an be expressed in several ways State-based Explicit local state As in MSR 2 Process-based: embedded ontinuation-passing style As in process algebra (Intermediate approaches) I.ervesato: The Logical Meeting Point of MSR and PA 20/26

22 A B: {n A, A} kb State-Based B A: {n A, n B } ka A B: {n B } kb - security MSR 2 spec. A: princ. { L: princ B:princ.pubK B nonce mset. } B: princ. k B : pubk B. n A : nonce. net ({n A, A} kb ), L (A, B, k B, n A ) B: princ. k B : pubk B. k A : pubk A. k A ': prvk k A. n A : nonce. n B : nonce. net ({n A, n B } ka ), L (A, B, k B, n A ) net ({n B } kb ) Interpretation of L Rule invocation Implementation detail ontrol flow Local state of role Explicit view Important for DOS I.ervesato: The Logical Meeting Point of MSR and PA 21/26

23 A B: {n A, A} kb Process-Based B A: {n A, n B } ka A B: {n B } kb A:princ. B: princ. k B : pubk B. n A : nonce. net ({n A, A} kb ), ( k A : pubk A. k A ': prvk k A. n B : nonce. - security net ({n A, n B } ka ) net ({n B } kb )) Succinct ontinuation-passing style Rule asserts what to do next Lexical control flow State is implicit Abstract I.ervesato: The Logical Meeting Point of MSR and PA 22/26

24 A B: {n A, A} kb NSPK in Process Algebra B A: {n A, n B } ka A B: {n B } kb - security A:princ. B: princ. k B : pubk B. k A : pubk A. k A ': prvk k A. n B : nonce. νn A : nonce. net ({n A, A} kb ). net <{n A, n B } ka >. net ({n B } kb ). 0 Same structure! Not a coincidence MSR 3 very close to Process Algebra ω-multiset encodings of π-calculus and Join alculus MSR 3 is promising middle-ground for relating State-based Process-based representations of a problem I.ervesato: The Logical Meeting Point of MSR and PA 23/26

25 State-Based vs. Process-Based State-based languages Multiset Rewriting NRL Prot. Analyzer, APSL/IL, Paulson s approach, State transition semantics - security Process-based languages Process Algebra Strand spaces, spi-calculus, Independent communicating threads I.ervesato: The Logical Meeting Point of MSR and PA 24/26

26 MSR 3 Bridges the Gap Difficult to go from one to the other Different paradigms PB PB - security State vs. process distance Other distance SB MSR 3 SB State Process translation done once and for all in MSR 3 I.ervesato: The Logical Meeting Point of MSR and PA 25/26

27 onclusions ω-multisets Logical foundation of multiset rewriting Relationship with process algebras Unified logical view Better understanding of where we are Hint about where to go next MSR 3.0 Language for security protocol specification Succinct representations Simpler specifications Economy of reasoning Bridge between State-based representation Process-based representation I.ervesato: The Logical Meeting Point of MSR and PA 26/26