The Applied Pi Calculus

We study the interaction of the programming construct “new,” which generates statically scoped names, with communication via messages on channels. This interaction is crucial in security protocols, which are the main motivating examples for our work; it also appears in other programming-language contexts. We define the applied pi calculus, a simple, general extension of the pi calculus in which values can be formed from names via the application of built-in functions, subject to equations, and be sent as messages. (In contrast, the pure pi calculus lacks built-in functions; its only messages are atomic names.) We develop semantics and proof techniques for this extended language and apply them in reasoning about security protocols. This article essentially subsumes the conference paper that introduced the applied pi calculus in 2001. It fills gaps, incorporates improvements, and further explains and studies the applied pi calculus. Since 2001, the applied pi calculus has been the basis for much further work, described in many research publications and sometimes embodied in useful software, such as the tool ProVerif, which relies on the applied pi calculus to support the specification and automatic analysis of security protocols. Although this article does not aim to be a complete review of the subject, it benefits from that further work and provides better foundations for some of it. In particular, the applied pi calculus has evolved through its implementation in ProVerif, and the present definition reflects that evolution.
