
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic. Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University). Purposes. Make more explicit compositionality of the original compositional logic


Presentation Transcript


  1. Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

  2. Purposes • Make more explicit compositionality of the original compositional logic (Durgin-Mitchell-Pavlovic 2001, Datta-Derek-Mitchell-Pavlovic 2003) • Divide an honest principal's role into primitive actions • Simplify the inferences of compositional logic • Do not use , , temporal operators • Distinguish the monotonic properties and the non-monotonic ones • Give a semantics which is sound for our system

  3. Review of Compositional logic Durgin-Mitchell-Pavlovic (2001), Datta-Derek-Mitchell-Pavlovic (2003) • Inference system based on Floyd-Hoare style logical framework to prove protocol correctness : "after a protocol action , holds from P's view" • An advantageous point: For proving correctness of a compound protocol, we can reuse properties of its components.

  4. New idea of ours • Divide an honest principal's role into primitive actions (sending, receiving, etc.) • Formalize honesty assumptions with explicit reference to a role-component : "if Q honestly follows his/her role-component , then holds". (cf.) : "if a principal Q is honest, then holds."

  5. The language (1): formulas • Atomic formulas: • atomic action formulas: (denoted by ) (with n m) • atomic non-action formulas: • A sequence of actions: (described by a non-commutative conjunct of atomic action formulas)

  6. The language (2): basic form of assertion • : Q's role-component • : a sequence of actions performed by P • : Q honestly follows a role-component • : a property (a sequence of atomic action formulas or a non-action formula) • : a set of properties If Q honestly follows his/her role-components , and if holds, after P performs a sequence of action holds from P's view.

  7. Weakening rule and monotonicity • is a monotonic property if we can freely apply the weakening rule. weakening e.g. • Receives, Fresh : monotonic properties • Firstly Sends : non-monotonic properties • To include non-monotonic properties • Require some restrictions on the weakening rule • However, this provides us with more powerful derivations

  8. Axioms and inference rules • Logical inferences with equality • Action properties axioms • axiom about actions • axioms for relationship between properties • Honesty inferences • Weakening rule

  9. 1. Examples of Logical inference rules • Cut • Equality • Inference rules for non-commutative conjunction ( ; )

  10. 2. Action properties axioms (1) • Nonce verification 1: • Axiom about actions: (for each i=1,...,n) • Examples of axioms for relationship between properties: • Freshness 1:

  11. 2. Action properties axioms (2) (related to the non-monotonic property "firstly sends") • Firstly Sends: • Ordering of actions: (Here is an action including .) These are useful to derive ordering of actions.

  12. Idea of the Honesty Inference One can derive some performance of actions by a principal different from the viewer. (e.g.) from P's view: • P receives a message . • is a secret part of Q's public key. • contains a fresh value. Therefore, P knows that Q sends . But, this is not enough. We need some inferences using assumptions about a principal's honesty. We introduce the following three types of honesty inferences.

  13. 3. Honesty inferences (1) • Substitution (sending): • receiving

  14. 3. Honesty inferences (2) • Matching: (where m m') • Q honestly follows Q sends m'. • Q does not follow Q sends m'' with m m'', m'' m'. Condition: does not appear below this inference.

  15. 3. Honesty inferences (3) • Deriving another action (receiving): • sending • generating

  16. Other possibilities of combination: A composing process of honesty assumptions

  17. Examples of correctness proofs • Proof of the agreement property for the Needham-Schroeder public key protocol. • Proof of the matching conversations for the Challenge Response protocol:

  18. Example 1: Needham-Schroeder protocol (1) (Needham-Schroeder, 1978) If the initiator (say, A) communicates with the responder (say, B) using the concrete values of nonces and , then there exists B actually performing the responder's role with the same nonces and . initiator's concrete actions responder's role Agreement Property from A’s view:

  19. Example 1: Needham-Schroeder protocol (2) A’s role Q’s role A's view: by the information about key and nonce , with by an equality inference, with by the honesty inference (matching),

  20. Example 1: Needham-Schroeder protocol (3) A’s role Q’s role On the other hand, by the information about key and nonce , by the honesty inference (substitution),

  21. Example 1: Needham-Schroeder protocol (4) A’s role Q’s role A’s role Q’s role Then by composition of honesty assumptions, Cut Comp(Hon) (Here .) Finally, Honest(Role) Comp(Hon)

  22. Example 2: CR protocol 1. The following sequents are provable: 2. By “firstly sends” order 3. Finally, we get

  23. Soundness theorem Trace Semantics • Primitive state: • P has information m: • Message m is transmitted through the network: • State: a multiset of primitive states • Trace: a finite sequence of states Theorem. If a sequent S is provable in our system, then S is true for any trace s which includes no duplicated atomic actions.

  24. Conclusions and future work • Made more explicit the compositionality of compositional logic • Simplified the inference rules • Gave a trace semantics • Extend by adding , , temporal operators for more powerful derivations
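The following is an added example, not taken from the slides, illustrating slide 7's point that "Receives" tolerates free weakening while "Firstly Sends" does not. The action encoding, the reading of "firstly sends" as "the first send of any message containing the nonce", and the side condition in `restricted` are assumptions made for illustration; all sample values are constructed.

```python
from itertools import product

# An atomic action is (principal, kind, message); a message is an atom or a
# tuple of messages. Names and sample values are constructed for illustration.

def contains(msg, atom):
    """True if atom occurs anywhere in the (possibly nested) message."""
    return msg == atom or (isinstance(msg, tuple) and any(contains(x, atom) for x in msg))

def receives(seq, p, m):
    """Monotonic: once (p receives m) is in the sequence, extra actions cannot remove it."""
    return (p, "receives", m) in seq

def firstly_sends(seq, p, m, n):
    """Assumed reading: the first send of any message containing n is p sending m."""
    for principal, kind, msg in seq:
        if kind == "sends" and contains(msg, n):
            return (principal, msg) == (p, m)
    return False

def weakenings(seq, extra):
    """Every sequence obtained by inserting one extra action at any position
    (the conjunction of actions is non-commutative, so position matters)."""
    for action, i in product(extra, range(len(seq) + 1)):
        yield seq[:i] + [action] + seq[i:]

def survives_weakening(prop, seq, extra):
    """True if prop holds on seq and on every one-step weakening of seq."""
    return prop(seq) and all(prop(w) for w in weakenings(seq, extra))

def restricted(extra, n):
    """Assumed side condition: only add actions that do not send n."""
    return [a for a in extra if not (a[1] == "sends" and contains(a[2], n))]

# Constructed sample: A generates nonce na, sends it, then receives a reply.
SEQ = [("A", "generates", "na"),
       ("A", "sends", ("na", "A")),
       ("A", "receives", ("na", "nb"))]
EXTRA = [("A", "sends", ("na", "B")),   # another send containing na
         ("A", "receives", ("nb",))]    # unrelated receive

def demo():
    recv = lambda s: receives(s, "A", ("na", "nb"))
    first = lambda s: firstly_sends(s, "A", ("na", "A"), "na")
    return (survives_weakening(recv, SEQ, EXTRA),                    # free weakening
            survives_weakening(first, SEQ, EXTRA),                   # free weakening
            survives_weakening(first, SEQ, restricted(EXTRA, "na"))) # restricted

if __name__ == "__main__":
    print(demo())
```

The middle result is false because inserting the extra send before A's original send makes a different message the first one to carry the nonce.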
