The Logical Meeting Point of Multiset Rewriting and Process Algebra

1
The Logical Meeting Pointof Multiset
Rewritingand Process Algebra

• Iliano Cervesato iliano_at_itd.nrl.navy.mil
• ITT Industries, inc _at_ NRL Washington, DC
• http//theory.stanford.edu/iliano

MFPS 20 _at_ CMU
May 25, 2004
2
Motivations

• Security protocol specifications
• Transition-based
• Process-based
• Different languages and techniques
• Ad-hoc translations
• Attempt at a unified approach
• Rewriting re-interpretation of logic
• Open derivations
• Left rule semantics
• Foundation of multiset rewriting
• Bridge to process algebra
• Effective protocol specification language

3
Linear Logic

• Formulas
• A, B a 1 A ? B A ?? B ! A
• T A B ?x. A ?x. A
• LV sequents
• G D --gtS C

• Constructor ,
• Empty ?

- logic- system w- rewriting - processes-
security
Goalformula
Unrestrictedcontext
Linearcontext
Signature
4
Some LV Rules
Structural rules
G A --gtS A
Left rules
G D, A, B --gtS C G D, A?B --gtS C
G, A D , A --gtS C G, A D --gtS C
G D --gtS A G D, B --gtS C G D, D , A??B
--gtS C
Cut rules
G D --gtS A G D, A --gtS C G D,D --gtS C
S - t G D, t/xA --gtS C G D, ?x.A --gtS C
- logic- system w- rewriting - processes-
security
G ? --gtS A G, A D --gtS C G D --gtS C
G D, A --gtS,x C G D, x.A --gtS C
G, A D--gtS C G D , !A --gtS C
Right rules


5
Logical Derivations
G C --gtS C

• Proof of C from D and G
• Emphasis on C
• C is input
• Finite
• Closed
• Rules shown
• Major premise
• Preserves C
• Minor premise
• Starts subderivation

G D --gtS CG D --gtS C
- logic- system w- rewriting - processes-
security
G D --gtS C
6
A Rewriting Re-Interpretation

• Transition
• From conclusion
• To major premise
• Emphasis on G, D and S
• C is output, at best
• Does not change
• Possibly infinite
• Open
• Minor premise
• Auxiliary rewrite chain
• Finite
• Topped with axiom

G C --gtS C
G D --gtS CG D --gtS C
- logic- system w- rewriting - processes-
security
G D --gtS C
7
State and Transitions

• States
• S G D
• S is a list
• G and D are commutative monoids
• No C
• Does not change
• Transitions
• S G D ? S G D
• ? for reflexive and transitive closure

• Constructor ,
• Empty ?

- logic- system w- rewriting - processes-
security
8
Interpreting Unary Rules
G D, A, B --gtS C G D, A?B --gtS C
S G (D, A?B ) ? S G (D, A, B)
G D, A --gtS,x C G D, x.A --gtS C
S G (D, ?x. A) ? (S, x) G (D, A)
- logic- system w- rewriting - processes-
security
G, A D --gtS C G D , !A --gtS C

• S G (D, !A) ? S (G, A) D

9
Binary Rules and Axiom
G A --gtS A

• Minor premise
• Auxiliary rewrite chain
• Top of tree
• Focus shifts to RHS
• Axiom rule
• Observation

G D --gtS A G D, B --gtS C G D, D , A??B
--gtS C
- logic- system w- rewriting - processes-
security
10
Observations
G,G A --gtS,S A
G D --gtS ?S. A

• Observation states
• S D
• In D, we identify
• , with ?
• ? with 1
• Categorical semantics
• Identified with ?x1. ?xn. D
• For S x1, , xn
• De Bruijns telescopes
• Observation transitions
• S G D ? S D

A
D ?D
- logic- system w- rewriting - processes-
security
S D ?S. ?D
11
Interpreting Binary Rules
G A --gtS A
S G D ? S D S G D ? S Dif S G
D ? S G Dand S G D ? S D

• S G (D, D, A ?? B) ? S G (D, B)if S G D
  ? S A

- logic- system w- rewriting - processes-
security
S G D, D ? S G (A, D) if S G D ? S A


12
Formal Correspondence

• Soundness
• If S G D ? S,S Dthen G D --gtS ?S.
  ? D
• Completeness?
• No! We have only crippled right rules
• ? ? a ?? b, b ?? c ? ? a ?? c

- logic- system w- rewriting - processes-
security
13
System w

• With cut, rule for ?? can be simplified to
• S G (D, A, A ?? B) ? S G (D, B)
• Cut elimination holds
• in-lining of auxiliary rewrite chains
• But
• Careful with extra signature symbols
• Careful with extra persistent objects
• No rule for ? needs a premise
• ? does not depend on ?

- logic- system w- rewriting - processes-
security
14
Multiset Rewriting

• Multiset set with repetitions allowed
• a ? a, a
• Commutative monoid
• Multiset rewriting (a.k.a. Petri nets)
• Rewriting within the monoid
• Fundamental model of distributed computing
• Alternative Process Algebras
• Basis for security protocol spec. languages
• MSR family
• several others
• Many extensions, more or less ad hoc

- logic- system w- rewriting - processes-
security
15
First-Order Multiset Rewriting

• Multiset elements are F0 atomic formulas
• Rules have the form
• ?x1xn. a(x) ? ?y1yk. b(x,y)
• Semantics
• Several encodings into linear logic
• Martí-Oliet, Meseguer, 91

- logic- system w- rewriting - processes-
security
S a(t), s ?R, (a(x) ? ?y. b(x,y)) S,y
b(t,y), s
if S - t
16
w-Multisets vs. Multiset Rewriting

• MSR 1 is an instance of w-multisets
• Uses only ?, 1, ?, ?, and ??
• ?? never nested, always persistent
• S s ?R S siff S R s ? S
  s
• Interpretation of MSR as linear logic
• Logical explanation of multiset rewriting
• MSR is logic
• Guideline to design rewrite systems

- logic- system w- rewriting - processes-
security
17
The Asynchronous p-Calculus

• Another fundamental model of distributed
  computing
• Language
• P 0 PQ n x. P !P x(y).P
  xltygt
• Semantics
• Structural equivalence
• Comm. monoidal congruence of and 0
• Binder mobility congruence of n
• n x. n y. P ? n y. n x. P
• 0 ? n x. 0
• P n x. Q ? n x. (P Q) if x ? FN(P)
• !P ? !P P
• Reaction law
• xltygt x(z). P Q ?? y/zP Q

- logic- system w- rewriting - processes-
security
18
Properties

• If P ?? Q
• then ? ? P ? S G D
• where Q ?S. !G ? D mod !A !A?A
• Note with !P ? !P P as a transition
• If P ?? Q
• then ? ? P ? S G D
• where Q ?S. !G ? D

- logic- system w- rewriting - processes-
security
19
w-Multisets vs. Process Algebra

• Simple encoding of asynchronous p-calculus into
  w-multisets
• Doesnt show that p-calculus is logic
• Uses only a fraction of w-multiset syntax
• Inverse encoding?
• As hard as going from multiset rewriting to
  p-calculus
• Other languages
• Join calculus
• Strand spaces
• To do Synchronous p-calculus

- logic- system w- rewriting - processes-
security
20
MSR 3

• Instance of w-multisets for cryptographic
  protocol specification
• Security-relevant signature
• Typing infrastructure
• Modules, equations,
• 3rd generation
• MSR 1 First-order multiset rewriting with ?
• Undecidability of protocol analysis
• MSR 2 MSR 1 typing
• Actual specification language
• More theoretical results
• Implementation underway

- logic- system w- rewriting - processes-
security
21
Example

• Needham-Schroeder public-key protocol
• A ? B nA, AkB
• B ? A nA, nBkA
• A ? B nBkB
• Can be expressed in several ways
• State-based
• Explicit local state
• As in MSR 2
• Process-based embedded ?
• Continuation-passing style
• As in process algebra
• (Intermediate approaches)

- logic- system w- rewriting - processes-
security
22
State-Based
A ? B nA, AkB B ? A nA, nBkA A ? B nBkB
MSR 2 spec.

• ?A princ.
• ?L princ ? ?Bprinc.pubK B ? nonce ? mset.
• ?B princ. ?kB pubK B.
• ?
• ? ?nA nonce.
• net (nA, AkB), L (A, B, kB, nA)
• ?B princ. ?kB pubK B.
• ?kA pubK A. ?kA' prvK kA.
• ?nA nonce. ?nB nonce.
• net (nA, nBkA), L (A, B, kB, nA)
• ? net (nBkB)

• Interpretation of L
• Rule invocation
• Implementation detail
• Control flow
• Local state of role
• Explicit view
• Important for DOS

- logic- system w- rewriting - processes-
security
23
Process-Based
A ? B nA, AkB B ? A nA, nBkA A ? B nBkB

• ?Aprinc.
• ?B princ. ?kB pubK B.
• ? ? ?nA nonce.
• net (nA, AkB),
• (?kA pubK A. ?kA' prvK kA. ?nB
  nonce.
• net (nA, nBkA) ? net (nBkB))

- logic- system w- rewriting - processes-
security

• Succinct
• Continuation-passing style
• Rule asserts what to do next
• Lexical control flow

• State is implicit
• Abstract

24
NSPK in Process Algebra
A ? B nA, AkB B ? A nA, nBkA A ? B nBkB

• ?Aprinc.
• ?B princ. ?kB pubK B.
• ?kA pubK A. ?kA' prvK kA. ?nB nonce.
• nnA nonce.
• net (nA, AkB) .
• net ltnA, nBkAgt .
• net (nBkB) . 0

• Same structure !
• Not a coincidence
• MSR 3 very close to Process Algebra
• w-multiset encodings of p-calculus
• and Join Calculus

- logic- system w- rewriting - processes-
security

• MSR 3 is promising middle-ground for relating
• State-based
• Process-based
• representations of a problem

25
State-Based vs. Process-Based

• State-based languages
• Multiset Rewriting
• NRL Prot. Analyzer, CAPSL/CIL, Paulsons
  approach,
• Statetransitionsemantics
• Process-based languages
• Process Algebra
• Strand spaces, spi-calculus,
• Independentcommunicatingthreads

- logic- system w- rewriting - processes-
security
26
MSR 3 Bridges the Gap

• Difficult to go from one to the other
• Different paradigms

- logic- system w- rewriting - processes-
security
State ? Process translation done once and for all
in MSR 3
27
Conclusions

• w-multisets
• Logical foundation of multiset rewriting
• Relationship with process algebras
• Unified logical view
• Better understanding of where we are
• Hint about where to go next
• MSR 3.0
• Language for security protocol specification
• Succinct representations
• Simpler specifications
• Economy of reasoning
• Bridge between
• State-based representation
• Process-based representation