Title: The Logical Meeting Point of Multiset Rewriting and Process Algebra
1 The Logical Meeting Point of Multiset Rewriting and Process Algebra
- Iliano Cervesato iliano@itd.nrl.navy.mil
- ITT Industries, Inc. @ NRL Washington, DC
- http://theory.stanford.edu/iliano
MFPS 20 @ CMU
May 25, 2004
2 Motivations
- Security protocol specifications
- Transition-based
- Process-based
- Different languages and techniques
- Ad-hoc translations
- Attempt at a unified approach
- Rewriting re-interpretation of logic
- Open derivations
- Left rule semantics
- Foundation of multiset rewriting
- Bridge to process algebra
- Effective protocol specification language
3 Linear Logic
- Formulas
- A, B a 1 A ? B A ?? B ! A
- T A B ?x. A ?x. A
- LV sequents
- Γ Δ -->Σ C
- logic- system w- rewriting - processes-
security
Goal formula
Unrestricted context
Linear context
Signature
4 Some LV Rules
Structural rules
Γ A -->Σ A
Left rules
Γ Δ, A, B -->Σ C Γ Δ, A?B -->Σ C
Γ, A Δ, A -->Σ C Γ, A Δ -->Σ C
Γ Δ -->Σ A Γ Δ, B -->Σ C Γ Δ, Δ, A??B -->Σ C
Cut rules
Γ Δ -->Σ A Γ Δ, A -->Σ C Γ Δ,Δ -->Σ C
Σ - t Γ Δ, t/xA -->Σ C Γ Δ, ?x.A -->Σ C
Γ ? -->Σ A Γ, A Δ -->Σ C Γ Δ -->Σ C
Γ Δ, A -->Σ,x C Γ Δ, x.A -->Σ C
Γ, A Δ -->Σ C Γ Δ, !A -->Σ C
Right rules
5 Logical Derivations
Γ C -->Σ C
- Proof of C from Δ and Γ
- Emphasis on C
- C is input
- Finite
- Closed
- Rules shown
- Major premise
- Preserves C
- Minor premise
- Starts subderivation
Γ Δ -->Σ C Γ Δ -->Σ C
Γ Δ -->Σ C
6 A Rewriting Re-Interpretation
- Transition
- From conclusion
- To major premise
- Emphasis on Γ, Δ and Σ
- C is output, at best
- Does not change
- Possibly infinite
- Open
- Minor premise
- Auxiliary rewrite chain
- Finite
- Topped with axiom
Γ C -->Σ C
Γ Δ -->Σ C Γ Δ -->Σ C
Γ Δ -->Σ C
7 State and Transitions
- States
- Σ Γ Δ
- Σ is a list
- Γ and Δ are commutative monoids
- No C
- Does not change
- Transitions
- Σ Γ Δ ? Σ Γ Δ
- ? for reflexive and transitive closure
8 Interpreting Unary Rules
Γ Δ, A, B -->Σ C Γ Δ, A?B -->Σ C
Σ Γ (Δ, A?B) ? Σ Γ (Δ, A, B)
Γ Δ, A -->Σ,x C Γ Δ, x.A -->Σ C
Σ Γ (Δ, ?x. A) ? (Σ, x) Γ (Δ, A)
Γ, A Δ -->Σ C Γ Δ, !A -->Σ C
9 Binary Rules and Axiom
Γ A -->Σ A
- Minor premise
- Auxiliary rewrite chain
- Top of tree
- Focus shifts to RHS
- Axiom rule
- Observation
Γ Δ -->Σ A Γ Δ, B -->Σ C Γ Δ, Δ, A??B -->Σ C
10 Observations
Γ,Γ A -->Σ,Σ A
Γ Δ -->Σ ?Σ. A
- Observation states
- Σ Δ
- In Δ, we identify
- , with ?
- ? with 1
- Categorical semantics
- Identified with ?x1. ?xn. Δ
- For Σ x1, , xn
- De Bruijn's telescopes
- Observation transitions
- Σ Γ Δ ? Σ Δ
A
Δ ?Δ
Σ Δ ?Σ. ?Δ
11 Interpreting Binary Rules
Γ A -->Σ A
Σ Γ Δ ? Σ Δ Σ Γ Δ ? Σ Δ if Σ Γ Δ ? Σ Γ Δ and Σ Γ Δ ? Σ Δ
- Σ Γ (Δ, Δ, A ?? B) ? Σ Γ (Δ, B) if Σ Γ Δ ? Σ A
Σ Γ Δ, Δ ? Σ Γ (A, Δ) if Σ Γ Δ ? Σ A
12 Formal Correspondence
- Soundness
- If Σ Γ Δ ? Σ,Σ Δ then Γ Δ -->Σ ?Σ. ?Δ
- Completeness?
- No! We have only crippled right rules
- ? ? a ?? b, b ?? c ? ? a ?? c
13 System ω
- With cut, rule for ?? can be simplified to
- Σ Γ (Δ, A, A ?? B) ? Σ Γ (Δ, B)
- Cut elimination holds
- in-lining of auxiliary rewrite chains
- But
- Careful with extra signature symbols
- Careful with extra persistent objects
- No rule for ? needs a premise
- ? does not depend on ?
14 Multiset Rewriting
- Multiset: set with repetitions allowed
- a ? a, a
- Commutative monoid
- Multiset rewriting (a.k.a. Petri nets)
- Rewriting within the monoid
- Fundamental model of distributed computing
- Alternative: Process Algebras
- Basis for security protocol spec. languages
- MSR family
- several others
- Many extensions, more or less ad hoc
15 First-Order Multiset Rewriting
- Multiset elements are F0 atomic formulas
- Rules have the form
- ?x1xn. a(x) ? ?y1yk. b(x,y)
- Semantics
- Several encodings into linear logic
- Martí-Oliet, Meseguer, 91
Σ a(t), s ?R, (a(x) ? ?y. b(x,y)) Σ,y b(t,y), s if Σ - t
16 ω-Multisets vs. Multiset Rewriting
- MSR 1 is an instance of ω-multisets
- Uses only ?, 1, ?, ?, and ??
- ?? never nested, always persistent
- Σ s ?R Σ s iff Σ R s ? Σ s
- Interpretation of MSR as linear logic
- Logical explanation of multiset rewriting
- MSR is logic
- Guideline to design rewrite systems
17 The Asynchronous π-Calculus
- Another fundamental model of distributed computing
- Language
- P 0 PQ ν x. P !P x(y).P x<y>
- Semantics
- Structural equivalence
- Comm. monoidal congruence of and 0
- Binder mobility congruence of ν
- ν x. ν y. P ? ν y. ν x. P
- 0 ? ν x. 0
- P ν x. Q ? ν x. (P Q) if x ? FN(P)
- !P ? !P P
- Reaction law
- x<y> x(z). P Q ?? y/zP Q
18 Properties
- If P ?? Q
- then ? ? P ? Σ Γ Δ
- where Q ?Σ. !Γ ? Δ mod !A !A?A
- Note with !P ? !P P as a transition
- If P ?? Q
- then ? ? P ? Σ Γ Δ
- where Q ?Σ. !Γ ? Δ
19 ω-Multisets vs. Process Algebra
- Simple encoding of asynchronous π-calculus into ω-multisets
- Doesn't show that π-calculus is logic
- Uses only a fraction of w-multiset syntax
- Inverse encoding?
- As hard as going from multiset rewriting to π-calculus
- Other languages
- Join calculus
- Strand spaces
- To do: Synchronous π-calculus
20 MSR 3
- Instance of ω-multisets for cryptographic protocol specification
- Security-relevant signature
- Typing infrastructure
- Modules, equations,
- 3rd generation
- MSR 1 First-order multiset rewriting with ?
- Undecidability of protocol analysis
- MSR 2 MSR 1 typing
- Actual specification language
- More theoretical results
- Implementation underway
21 Example
- Needham-Schroeder public-key protocol
- A ? B nA, AkB
- B ? A nA, nBkA
- A ? B nBkB
- Can be expressed in several ways
- State-based
- Explicit local state
- As in MSR 2
- Process-based embedded ?
- Continuation-passing style
- As in process algebra
- (Intermediate approaches)
22 State-Based
A ? B nA, AkB B ? A nA, nBkA A ? B nBkB
MSR 2 spec.
- ?A princ.
- ?L princ ? ?Bprinc.pubK B ? nonce ? mset.
- ?B princ. ?kB pubK B.
- ?
- ? ?nA nonce.
- net (nA, AkB), L (A, B, kB, nA)
- ?B princ. ?kB pubK B.
- ?kA pubK A. ?kA' prvK kA.
- ?nA nonce. ?nB nonce.
- net (nA, nBkA), L (A, B, kB, nA)
- ? net (nBkB)
- Interpretation of L
- Rule invocation
- Implementation detail
- Control flow
- Local state of role
- Explicit view
- Important for DOS
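An added example, not part of the original slides: a small first-order multiset rewriting interpreter in Python that runs the three NSPK messages in the state-based style, instantiating existential variables with fresh names appended to the signature. The rules are an untyped simplification; the predicate names `start`, `resp`, `l_a`, `l_b`, `done` and the `pk`/`enc` term constructors are assumptions made here, with `l_a` standing in for the slide's `L`.

```python
from collections import Counter

def subst(t, env):                   # apply a substitution to a term
    return tuple(subst(a, env) for a in t) if isinstance(t, tuple) else env.get(t, t)

def match(pat, fact, env):           # extend env so pat[env] == fact, else None
    if isinstance(pat, str) and pat[:1].isupper():   # Capitalised = variable (assumed)
        return {**env, pat: fact} if env.get(pat, fact) == fact else None
    if isinstance(pat, tuple) and isinstance(fact, tuple) and len(pat) == len(fact):
        for p, f in zip(pat, fact):
            env = match(p, f, env)
            if env is None:
                return None
        return env
    return env if pat == fact else None

def match_all(pats, state, env):     # every pattern consumes a distinct fact
    if not pats:
        yield env, state
        return
    for fact in list(state):
        e = match(pats[0], fact, env)
        if e is not None:
            yield from match_all(pats[1:], state - Counter([fact]), e)

def step(sig, state, rule):          # one transition, or None if the rule is not enabled
    lhs, fresh, rhs = rule
    for env, rest in match_all(lhs, state, {}):
        new = {y: f"{y.lower()}{len(sig) + i + 1}" for i, y in enumerate(fresh)}
        env = {**env, **new}         # existential variables get names not yet in sig
        return sig + list(new.values()), rest + Counter(subst(r, env) for r in rhs)
    return None

def run(state, rules):               # rewrite until no rule is enabled
    sig, state = [], Counter(state)
    while any((nxt := step(sig, state, r)) for r in rules):
        sig, state = nxt
    return sig, state

def enc(to, *body):                  # body encrypted under the public key of `to`
    return ("enc", ("pk", to), body)

NSPK = [  # constructed rules (lhs, fresh names, rhs); l_a / l_b hold each role's local state
    ([("start", "A", "B")], ["NA"], [("net", enc("B", "NA", "A")), ("l_a", "A", "B", "NA")]),
    ([("net", enc("B", "NA", "A")), ("resp", "B")], ["NB"],
     [("net", enc("A", "NA", "NB")), ("l_b", "B", "A", "NB")]),
    ([("net", enc("A", "NA", "NB")), ("l_a", "A", "B", "NA")], [], [("net", enc("B", "NB"))]),
    ([("net", enc("B", "NB")), ("l_b", "B", "A", "NB")], [], [("done", "B", "A")]),
]
print(run([("start", "a", "b"), ("resp", "b")], NSPK))
```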
23 Process-Based
A ? B nA, AkB B ? A nA, nBkA A ? B nBkB
- ?Aprinc.
- ?B princ. ?kB pubK B.
- ? ? ?nA nonce.
- net (nA, AkB),
- (?kA pubK A. ?kA' prvK kA. ?nB nonce.
- net (nA, nBkA) ? net (nBkB))
- Succinct
- Continuation-passing style
- Rule asserts what to do next
- Lexical control flow
- State is implicit
- Abstract
24 NSPK in Process Algebra
A ? B nA, AkB B ? A nA, nBkA A ? B nBkB
- ?Aprinc.
- ?B princ. ?kB pubK B.
- ?kA pubK A. ?kA' prvK kA. ?nB nonce.
- νnA nonce.
- net (nA, AkB) .
- net <nA, nBkA> .
- net (nBkB) . 0
- Same structure !
- Not a coincidence
- MSR 3 very close to Process Algebra
- ω-multiset encodings of π-calculus
- and Join Calculus
- MSR 3 is promising middle-ground for relating
- State-based
- Process-based
- representations of a problem
25 State-Based vs. Process-Based
- State-based languages
- Multiset Rewriting
- NRL Prot. Analyzer, CAPSL/CIL, Paulson's approach,
- State transition semantics
- Process-based languages
- Process Algebra
- Strand spaces, spi-calculus,
- Independent communicating threads
26 MSR 3 Bridges the Gap
- Difficult to go from one to the other
- Different paradigms
State ? Process translation done once and for all in MSR 3
27 Conclusions
- ω-multisets
- Logical foundation of multiset rewriting
- Relationship with process algebras
- Unified logical view
- Better understanding of where we are
- Hint about where to go next
- MSR 3.0
- Language for security protocol specification
- Succinct representations
- Simpler specifications
- Economy of reasoning
- Bridge between
- State-based representation
- Process-based representation