Complexity of automatic verification of cryptographic protocols

Similar documents
A process algebraic analysis of privacy-type properties in cryptographic protocols

Analysing privacy-type properties in cryptographic protocols

Automated Verification of Privacy in Security Protocols:

A method for proving observational equivalence

Verification of Security Protocols in presence of Equational Theories with Homomorphism

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

Communication security: Formal models and proofs

Group Diffie Hellman Protocols and ProVerif

A Computationally Complete Symbolic Attacker for Equivalence Properties

Cryptographic Protocols Notes 2

Lengths may break privacy or how to check for equivalences with length

Introduction to Cryptography Lecture 13

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

CS 395T. Probabilistic Polynomial-Time Calculus

No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability

Automata-based analysis of recursive cryptographic protocols

CSCI3390-Lecture 14: The class NP

POLYNOMIAL SPACE QSAT. Games. Polynomial space cont d

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

Lecture 26. Daniel Apon

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Computer Science and Logic A Match Made in Heaven

Interactive Proofs. Merlin-Arthur games (MA) [Babai] Decision problem: D;

Entity Authentication

Extending ProVerif s Resolution Algorithm for Verifying Group Protocols

CSCI 1590 Intro to Computational Complexity

Umans Complexity Theory Lectures

NSL Verification and Attacks Agents Playing Both Roles

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

conp, Oracles, Space Complexity

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013

Formalising security properties in electronic voting protocols

Probabilistically Checkable Arguments

Introduction to Advanced Results

Complexity of domain-independent planning. José Luis Ambite

Deciding the Security of Protocols with Commuting Public Key Encryption

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Verification of the TLS Handshake protocol

NP Complete Problems. COMP 215 Lecture 20

Deducibility constraints, equational theory and electronic money

Notes on Complexity Theory Last updated: October, Lecture 6

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Notes on Zero Knowledge

Automated verification of equivalence properties of cryptographic protocols

Proving More Observational Equivalences with ProVerif

George Danezis Microsoft Research, Cambridge, UK

Analysing Layered Security Protocols

Computability and Complexity Theory: An Introduction

Provable security. Michel Abdalla

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

P = k T IME(n k ) Now, do all decidable languages belong to P? Let s consider a couple of languages:

Chapter 10 Elliptic Curves in Cryptography

A simple procedure for finding guessing attacks (Extended Abstract)

Modeling and Verifying Ad Hoc Routing Protocols

Dr George Danezis University College London, UK

Computability and Complexity CISC462, Fall 2018, Space complexity 1

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Circuits. Lecture 11 Uniform Circuit Complexity

1 Number Theory Basics

MPRI Course on Concurrency. Lecture 14. Application of probabilistic process calculi to security

Definition: conp = { L L NP } What does a conp computation look like?

Identifying an Honest EXP NP Oracle Among Many

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

NP-completeness was introduced by Stephen Cook in 1971 in a foundational paper.

Katz, Lindell Introduction to Modern Cryptrography

Security Protocols and Application Final Exam

Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007

Sums of Products. Pasi Rastas November 15, 2005

A Theory of Dictionary Attacks and its Complexity

Umans Complexity Theory Lectures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Review of unsolvability

ECash and Anonymous Credentials

Anonymous Proxy Signature with Restricted Traceability

AUTOMATED VERIFICATION OF ASYMMETRIC ENCRYPTION. Van Chan NGO

CS154, Lecture 17: conp, Oracles again, Space Complexity

Lecture 8: Complete Problems for Other Complexity Classes

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

6-1 Computational Complexity

The Sizes of Skeletons: Security Goals are Decidable

Introduction to Interactive Proofs & The Sumcheck Protocol

Randomized Complexity Classes; RP

Lecture 9 - Symmetric Encryption

Coordination. Failures and Consensus. Consensus. Consensus. Overview. Properties for Correct Consensus. Variant I: Consensus (C) P 1. v 1.

Algebraic Dynamic Programming. Solving Satisfiability with ADP

Lecture 20: conp and Friends, Oracles in Complexity Theory

Definition: Alternating time and space Game Semantics: State of machine determines who

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures

Lecture 3: Interactive Proofs and Zero-Knowledge

Detecting Wormhole Attacks in Wireless Networks Using Local Neighborhood Information

COMPLEXITY THEORY. Lecture 17: The Polynomial Hierarchy. TU Dresden, 19th Dec Markus Krötzsch Knowledge-Based Systems

LOGIC PROPOSITIONAL REASONING

Monotonic Set-Extended Prefix Rewriting and Verification of Recursive Ping-Pong Protocols

Transcription:

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1

Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs designed to secure communications Rely on cryptographic primitives 2 / 29

Context The protocol: Honest participants 3 / 29

Context The protocol: Honest participants Controls the network Intruder 3 / 29

Context The protocol: Honest participants Controls the network Security properties Intruder 3 / 29

On the web Protocol HTTPS Password based authentication Confidentiality of personal data 4 / 29

Payment with credit card Authorization through PIN code Wireless payment Confidentiality of the transaction Authenticity of the bank card 5 / 29

Electronic passport RFID chip inside the passport Secret key printed on the passport Confidentiality of personal data Anonymity Untraceability 6 / 29

Electronic voting Vote from personal computer Vote from dedicated machines Verifiability of the votes Confidentiality of the vote No partial results One vote per voter Anonymity of the voter Coercition resistance 7 / 29

Attacks Designing a secure protocol is hard! Concrete attacks on: authentication used by Google Apps unlinkability of french passports authentication of credit card (Yes-Card) vote privacy on the Helios e-voting system anonymity of routing protocols These attacks are the consequence of a bad design and not of a: implementation bug weak cryptographic primitives usage of magical hacking techniques 8 / 29

Existing models Cryptographic model Symbolic model 9 / 29

Existing models Cryptographic model Symbolic model Bitstring Messages 9 / 29

Existing models Cryptographic model Symbolic model Bitstring Messages Real algorithms Cryptographic primitives 9 / 29

Existing models Cryptographic model Symbolic model Bitstring Messages Real algorithms Cryptographic primitives Function symbols 9 / 29

Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols 9 / 29

Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols PPT Attacker Idealized 9 / 29

Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols PPT Attacker Idealized Difficult and by hand Proofs "Easier" and mechanized 9 / 29

Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols PPT Attacker Idealized Difficult and by hand Proofs "Easier" and mechanized Strong and clear Security guarantees Unclear 9 / 29

Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y 10 / 29

Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y Rewrite rules dec(enc(x, y),y)! x proj 1 (hx, yi)! x 10 / 29

Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y Rewrite rules dec(enc(x, y),y)! x proj 1 (hx, yi)! x Example: dec(enc(hm 1,m 2 i,k),k)!hm 1,m 2 i 10 / 29

Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y Subterm convergent Rewrite rules dec(enc(x, y),y)! x proj 1 (hx, yi)! x Monadic convergent Example: dec(enc(hm 1,m 2 i,k),k)!hm 1,m 2 i unblind(sign(blind(x, y),z),y)! sign(x, z) 10 / 29

Symbolic models Example : Electronic passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader 11 / 29

Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader 11 / 29

Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader Reader expects a nonce and returns it 11 / 29

Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader Reader expects a nonce and returns it Freshly generated by Reader 11 / 29

Symbolic models Example : Electronic passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader Knowledge of intruder: nonces he can generate + 1: n T 2: enc(hn R,n T,k R i,k e ) 3: enc(hn T,n R,k T i,k e ) 11 / 29

Symbolic models Another trace of the Electronic passport Knows k e Knows k e n T KO Passeport enc(hn R, KO,k R i,k e ) Error Reader Knowledge of intruder: nonces he can generate (e.g. KO) + 1: n T 2: enc(hn R, KO,k R i,k e ) 3: Error 12 / 29

Applied pi calculus 0 Nil P + Q Non deterministic choice P Q Parallel if u = v then P else Q Test in(c, x).p Input out(c, u).p Output k.p Name restriction!p Replication 13 / 29

Applied pi calculus Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport P (k e )= Reader n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) Main process:! k e!p (k e ) R(k e ) 14 / 29

Trace A trace = one execution of the process P (k e )= n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) Initial configuration: Set of private names (;, k e.p (k e ),id) The process Substitution representing the knowledge of the attacker 15 / 29

Trace P (k e )= n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) w 1 16 / 29

Trace P (k e )= n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) w 1 16 / 29

Trace P 1 = out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) w 1 16 / 29

Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) ({k e,n T }, P 2, { n T / w1 }) w 1 16 / 29

Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) w 1 16 / 29

Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names w 1 16 / 29

Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 16 / 29

Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 Ex: M = hn I,w 1 i 16 / 29

Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 Ex: M = hn I,w 1 i x!hn I,n T i 16 / 29

Trace P 3 = if proj 3 (dec(hn I,n T i,k e )) = n T then k T.out(c, hn T, proj 1 (dec(hn I,n T i,k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) ({k e,n T }, P 3, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 Ex: M = hn I,w 1 i x!hn I,n T i 16 / 29

Trace P 3 = if proj 3 (dec(hn I,n T i,k e )) = n T then k T.out(c, hn T, proj 1 (dec(hn I,n T i,k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) out(c, w 1 ) in(c, M) ({k e },P(k e ),id) ({k e,n T }, P 1,id) ({k e,n T }, P 2, { n T / }) w1 ({k e,n T }, P 3, { n T / }) w1 out(c, w 1 ).in(c, M) {k e,n T } { n T / w1 } The sequence of label with the set and the frame represents a trace. w 1 16 / 29

Internal communication Communication can happen internally on private channels ({d}, in(d, x).p out(d, a).q, ) ({d},p{ a / x } Q, ) 17 / 29

Security properties What we verify well : Confidentiality, authenticity Trace properties Tools : Avispa, ProVerif, Scyther, CSP/FdR What we don t verify well : Anonymity, privacy, traceability, properties for electronic voting Equivalence properties Tools : ProVerif, AkiSs, SPEC, APTE 18 / 29

Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 19 / 29

Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 19 / 29

Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 Two protocols are in equivalence if for all traces of one of the protocol, we can find an equivalent trace in the other protocol 19 / 29

Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 Two protocols are in equivalence if for all traces of one of the protocol, we can find an equivalent trace in the other protocol M 1,M 2,...,M k Knowledges of the attacker obtain in two traces with similar actions N 1,N 2,...,N k 19 / 29

Decision procedure How to automatically decide equivalence? General problem: Undecidable Usual restrictions: Bounded number of sessions, stronger notion of equivalence, simple algebraic properties for the cryptographic properties, Technics used : Saturation of Horn Clauses, Constraint solving, Equivalence of constraint systems 20 / 29

Decision procedure How difficult is it to automatically decide equivalence? P : Decidable by a deterministic Turing machine in polynomial time EXP : Decidable by a deterministic Turing machine in exponential time NP : Decidable by a non-deterministic Turing machine in polynomial time NEXP : Decidable by a non-deterministic Turing machine in exponential time PSPACE : Decidable by a deterministic Turing machine in polynomial space Σ0 = P and Σi = NP Σ i-1 Σ1 = NP 21 / 29

Complexity Applied Pi Calculus Static equivalence Trace equivalence Observational equivalence Diff equivalence Positive, finite, subterm convergent Finite, subterm convergent P complete [AC 04] P complete [AC 04] Decidable? CoNP complete Decidable?? Finite, monadic convergent P hard??? 22 / 29

Complexity Results Applied Pi Calculus Static equivalence Trace equivalence Observational equivalence Diff equivalence Positive, finite, subterm convergent P complete [AC 04] Decidable [CK 17] conexp hard CoNP complete Finite, subterm convergent P complete [AC 04] Decidable [CK 17] conexp hard conexp hard? Finite, monadic convergent P hard conexp hard conexp hard? Pure Pi Calculus Static equivalence Trace equivalence Positive, finite LOGSPACE coσ2 complete Finite LOGSPACE coσ2 complete Observational equivalence PSPACE easy coσ4 hard PSPACE easy coσ4 hard 23 / 29

Complexity Results Applied Pi Calculus Static equivalence Trace equivalence Observational equivalence Diff equivalence Positive, finite, subterm convergent PTIME complete [AC 04] Decidable [CK 17] conexp easy? conexp hard conexp complete? CoNP complete Finite, subterm convergent PTIME complete [AC 04] Decidable [CK 17] conexp hard conexp complete? conexp hard conexp complete? conp complete? Finite, monadic convergent PTIME hard conexp hard conexp hard? Pure Pi Calculus Static equivalence Trace equivalence Positive, finite LOGSPACE coσ2 complete Finite LOGSPACE coσ2 complete Observational equivalence PSPACE easy coσ4 hard PSPACE easy coσ4 hard 24 / 29

Trace equivalence in pi-calculus Reduction from QSAT2 No else branche, no cryptographic primitive A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 9~x = 9x 1 9x 2...9x n 8~y = 8y 1 8y 2...8y m 25 / 29

Boolean formula in pi-calculus c 1 c 2 ^ c3 26 / 29

Boolean formula in pi-calculus c 1 c 2 ^ c3 in(c 1,x).in(c 2,y).( if x =1then if y =1then out(c 3, 1) if x =1then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) ) 26 / 29

Boolean formula in pi-calculus c 1 c 2 ^ c3 in(c 1,x).in(c 2,y).( if x =1then if y =1then out(c 3, 1) if x =1then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) ) Enforces that inputs are booleans! 26 / 29

Boolean formula in pi-calculus c 1 c 2 ^ c3 in(c 1,x).in(c 2,y).( if x =1then if y =1then out(c 3, 1) if x =1then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) ) in(c 1,x) out(c 3,x^ y) in(c 2,y) 26 / 29

Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 27 / 29

Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 out(c 2,b 2 ) out(c 1,b 1 ) in(c 1,x) inp out(c 3,b 3 ) in(c 2,y) out(c 4,x^ y) in(c 3,x) out(c 5, x) in(c 4,x) P (x) in(c 5,y) 27 / 29 out(c 6,x_ y) in(c 6,x)

Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 Enforces that inputs are booleans! out(c 2,b 2 ) out(c 1,b 1 ) in(c 1,x) inp out(c 3,b 3 ) in(c 2,y) out(c 4,x^ y) in(c 3,x) out(c 5, x) in(c 4,x) P (x) in(c 5,y) 27 / 29 out(c 6,x_ y) in(c 6,x)

Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 Enforces that inputs are booleans! x '(b 1,b 2,b 3 ).P (x) out(c 2,b 2 ) out(c 1,b 1 ) in(c 1,x) inp out(c 3,b 3 ) in(c 2,y) out(c 4,x^ y) in(c 3,x) out(c 5, x) in(c 4,x) P (x) in(c 5,y) 27 / 29 out(c 6,x_ y) in(c 6,x)

Universal quantification A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 How to express universality in pi-calculus? 28 / 29

Universal quantification A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 How to express universality in pi-calculus? Guess(y).P def = d.((out(d, 0)+out(d, 1) in(d, y).p ) 28 / 29

Universal quantification A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 How to express universality in pi-calculus? Guess(y).P def = d.((out(d, 0)+out(d, 1) in(d, y).p ) Can reduce in either P { 0 / y } or P { 1 / y } 28 / 29

Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) 29 / 29

Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) The processes can only output if the inputs are booleans 29 / 29

Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) The processes can only output if the inputs are booleans Whatever the boolean input, the process B can always output 0 or 1 29 / 29

Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) The processes can only output if the inputs are booleans Whatever the boolean input, the process B can always output 0 or 1 If 8~y. ' (~x 0,~y)=1 holds then A can never output 0 when ~x 0 is input 29 / 29

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback