A Bisimilarity Congruence for the Applied pi-Calculus Sufficiently Coarse to Verify Privacy Properties

This paper is the first thorough investigation into the coarsest notion of bisimilarity for the applied pi-calculus that is a congruence relation: open barbed bisimilarity. An open variant of labelled bisimilarity (quasi-open bisimilarity), better suited to constructing bisimulations, is proven to coincide with open barbed bisimilarity. These bisimilary congruences are shown to be characterised by an intuitionistic modal logic that can be used, for example, to describe an attack on privacy whenever a privacy property is violated. Open barbed bisimilarity provides a compositional approach to verifying cryptographic protocols, since properties proven can be reused in any context, including under input prefix. Furthermore, open barbed bisimilarity is sufficiently coarse for reasoning about security and privacy properties of cryptographic protocols; in constrast to the finer bisimilarity congruence, open bisimilarity, which cannot verify certain privacy properties.

[1]  Lars-Henrik Eriksson,et al.  Weak Nominal Modal Logic , 2017, FORTE.

[2]  Vincent Cheval,et al.  A procedure for deciding symbolic equivalence between sets of constraint systems , 2017, Inf. Comput..

[3]  Maribel Fernández,et al.  Intruder deduction problem for locally stable theories with normal forms and inverses , 2017, Theor. Comput. Sci..

[4]  Stéphanie Delaune,et al.  Deducibility constraints and blind signatures , 2014, Inf. Comput..

[5]  Mark Ryan,et al.  Analysing Unlinkability and Anonymity Using the Applied Pi Calculus , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[6]  Martín Abadi,et al.  Private authentication , 2004, Theor. Comput. Sci..

[7]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[8]  Davide Sangiorgi,et al.  On Barbed Equivalences in pi-Calculus , 2001, CONCUR.

[9]  Martín Abadi,et al.  Automated verification of selected equivalences for security protocols , 2005, 20th Annual IEEE Symposium on Logic in Computer Science (LICS' 05).

[10]  Ross Horne,et al.  SPEC: An Equivalence Checker for Security Protocols , 2016, APLAS.

[11]  Mark Ryan,et al.  Symbolic bisimulation for the applied pi calculus , 2007, J. Comput. Secur..

[12]  Davide Sangiorgi,et al.  A theory of bisimulation for the π-calculus , 2009, Acta Informatica.

[13]  Martín Abadi,et al.  A Bisimulation Method for Cryptographic Protocols , 1998, Nord. J. Comput..

[14]  Martín Abadi,et al.  The Applied Pi Calculus , 2016, J. ACM.

[15]  David Baelde,et al.  Partial Order Reduction for Security Protocols , 2015, CONCUR.

[16]  Robert E. Tarjan,et al.  Three Partition Refinement Algorithms , 1987, SIAM J. Comput..

[17]  Martín Abadi,et al.  Deciding knowledge in security protocols under equational theories , 2006, Theor. Comput. Sci..

[18]  Ugo Montanari,et al.  Dynamic congruence vs. progressing bisimulation for CCS , 1992, Fundam. Informaticae.

[19]  Robin Milner,et al.  The Polyadic π-Calculus: a Tutorial , 1993 .

[20]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[21]  Ross Horne,et al.  A Characterisation of Open Bisimilarity using an Intuitionistic Modal Logic , 2017, CONCUR.

[22]  Uwe Nestmann,et al.  Symbolic Bisimulation in the Spi Calculus , 2004, CONCUR.

[23]  Hans Hüttel,et al.  A Logical Characterisation of Static Equivalence , 2007, MFPS.

[24]  Johannes Borgström,et al.  A Complete Symbolic Bisimilarity for an Extended Spi Calculus , 2009, SecCo@CONCUR.

[25]  Robin Milner,et al.  Barbed Bisimulation , 1992, ICALP.

[26]  Shang-Wei Lin,et al.  Quasi-Open Bisimilarity with Mismatch is Intuitionistic , 2018, LICS.

[27]  Uwe Nestmann,et al.  On Bisimulations for the Spi Calculus , 2002, AMAST.

[28]  Jia Liu,et al.  A complete symbolic bisimulation for full applied pi calculus , 2009, Theor. Comput. Sci..

[29]  Robin Milner,et al.  Algebraic laws for nondeterminism and concurrency , 1985, JACM.

[30]  Vincent Cheval,et al.  The DEEPSEC Prover , 2018, CAV.

[31]  Vincent Cheval,et al.  Proving More Observational Equivalences with ProVerif , 2013, POST.

[32]  Alwen Tiu,et al.  Automating Open Bisimulation Checking for the Spi Calculus , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[33]  Björn Victor,et al.  Computing strong and weak bisimulations for psi-calculi , 2012, J. Log. Algebraic Methods Program..

[34]  Robin Milner,et al.  A Calculus of Mobile Processes, II , 1992, Inf. Comput..

[35]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[36]  Alwen Tiu A Trace Based Bisimulation for the Spi Calculus: An Extended Abstract , 2007, APLAS.

[37]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[38]  Véronique Cortier,et al.  SAT-Equiv: An Efficient Tool for Equivalence Properties , 2017, 2017 IEEE 30th Computer Security Foundations Symposium (CSF).

[39]  Rocco De Nicola,et al.  Proof techniques for cryptographic processes , 1999, Proceedings. 14th Symposium on Logic in Computer Science (Cat. No. PR00158).

[40]  Marco Pistore,et al.  A Partition Refinement Algorithm for the -Calculus , 2001, Inf. Comput..

[41]  Martín Abadi,et al.  Mobile values, new names, and secure communication , 2001, POPL '01.

[42]  Uwe Nestmann,et al.  Open Bisimulation, Revisited , 2005, EXPRESS.

[43]  Björn Victor,et al.  Psi-calculi: a framework for mobile processes with nominal data and logic , 2011, Log. Methods Comput. Sci..

[44]  Björn Victor,et al.  Weak Equivalences in Psi-Calculi , 2010, 2010 25th Annual IEEE Symposium on Logic in Computer Science.

[45]  Faron Mollerz,et al.  The Mobility Workbench | a Tool for the -calculus | , 1994 .