Computationally Sound Verification of Source Code

Mihael Bakes

SaarlandUniversity,MPI-SWS

Matteo Maei

SaarlandUniversity

Dominique Unruh

SaarlandUniversity

July 26,2010

Abstrat

Inreasing attention has reently been given to the formal veriation of the soure ode of

ryptographi protools. The standard approah is to use symboli abstrations of ryptography

that makethe analysisamenabletoautomation. Thisleavesthe possibility ofattaksthat exploit

the mathematial properties of the ryptographi algorithms themselves. In this paper, we show

howtoonduttheprotoolanalysisonthesoureodelevel(F#inourase)inaomputationally

soundway,i.e.,takingintoaountryptographiseuritydenitions.

We build upon the prominent F7 veriation framework (Bengtson et al., CSF 2008) whih

omprisesaseuritytype-hekerforF#protoolimplementationsusingsymboliidealizationsand

theonurrentlambdaalulusRCFtomodelaorefragmentofF#.

Toleverage thispriorwork, wegiveonditionsunderwhihsymboliseurityofRCFprograms

usingryptographiidealizationsimpliesomputationalseurityofthesameprogramsusing

rypto-graphialgorithms. CombinedwithF7,thisyieldsaomputationallysound,automatedveriation

ofF#odeontainingpubli-keyenryptionsandsignatures.

For the atualomputationalsoundness proof, we use theCoSP framework(Bakes, Hofheinz,

andUnruh,CCS2009). WethusinheritthemodularityofCoSP,whihallowsfor easilyextending

ourprooftootherryptographiprimitives.

Contents

1 Introdution 2

1.1 Ourtehniques . . . 3

1.2 Relatedwork . . . 6

1.3 Notation. . . 6

2 RCF (review) 6

2.1 Syntaxandsemantis . . . 7

3 CoSPFramework (review) 9

4 TheDolev-Yao library 12

4.1 Thelibrary . . . 12

4.2 Dolev-Yaotransitionrelation . . . 13

5 Computationalsoundness 15

5.1 Denitions. . . 15

5.2 Symb.vs.omputationalexeution 17

5.3 Comp.soundnessoftheDY-library 24

5.4 Enryptionandsignatures . . . 25

6 The sealing-based library 29

6.1 DynamiSealing . . . 29

6.2 MappingDY-termsintoSB-terms 32

6.3 Preservationofsafety . . . 34

6.4 Computationalsoundness . . . 40

7 Conlusions 41

Proofs ofseurity protools are known to beerror-proneand, owing to thedistributed-system aspets

ofmultipleinterleavedprotoolruns,diultforhumanstogenerate. Hene,worktowardsthe

automa-tion of suh proofs started soon after the rst protools were developed. From the start, the atual

ryptographi operations in suh proofs were idealized into so-alled symboli or Dolev-Yao models,

following[DY83, EG83, Mer83℄(see,e.g.,[KMM94,Sh96,AG97,Low96,Pau98,BMV04℄). This

ideal-izationsimplies proofs byfreeingthem from ryptographidetails suh asomputationalrestritions,

probabilistibehavior,anderrorprobabilities. Unfortunately,theseidealizationsalsoabstratawayfrom

thealgebraipropertiesaryptographialgorithmmayexhibit. Thereforeasymbolianalysismay

over-lookattaksbasedontheseproperties. Inotherwords,symboliseuritydoesnotimplyomputational

seurity. Inordertoremovethislimitation,[AR02℄introduedtheoneptofomputationalsoundness.

We all a symboli abstration omputationally sound when symboli seurity implies omputational

seurity. Aomputationalsoundnessresultallowsustogetthebestoftwoworlds: Theanalysisanbe

performed(possibly automatially)using symboliabstrations,but thenal resultshold withrespet

totherealistiseuritymodelsusedbyryptographers.

Adrawbakommontotheexistingomputationalsoundnessresults,is,however,thattheyworkon

abstrat protool representations(e.g., the applied

π

-alulus[AF01℄). That is, although the analysis takesintoaounttheatualryptographialgorithms,itstillabstratsawayfromtheatualprotool

im-plementation. Thus,evenifweprovetheprotoolseure,theimplementationthatislaterdeployedmay

ontainimplementation errorsthat introduenewvulnerabilities. Toavoidthis issue, reentworkhas

takledtheproblemofverifyingseuritydiretlyonthesoureode,e.g.,[GLP05a,BFGT06,BBF

+

08℄.

Yet,thisveriationisagainbasedonsymboliidealizations.

Thus,weareleftwiththehoiebetweenveriationtehniquesthatabstratawayfromthe

rypto-graphialgorithms,andveriationtehniquesthatabstratfromtheprotoolimplementation. Tolose

thisgap,weneedaomputationalsoundnessresultthat appliesdiretly toprotoolimplementations.

Our result. We present a omputational soundness result for F# ode. For this, we use the RCF

alulus proposed by [BBF

+

08℄ as semantis for (a ore fragment of) F#. RCF allows for enoding

implementation in F# by oering a lambda-abstration onstrutor that allows for reasoning about

higher-order languages. Moreover,it supports onurrenyprimitives, indutive datastrutures,

reur-sion, and an expressive treatment of symboli ryptography using sealing mehanisms. Furthermore,

RCFsupportsverygeneraltrae-based seurityproperties thatare expressedin rst-orderlogi, using

assumptionsandassertions. (Previous omputationalsoundnessresultsarerestritedtoalulilikethe

applied

π

-alulus whih lak these features.) We speify aryptographi librarythat internally uses symboliabstrations,andprovethat ifaprotoolissymboliallyseurewhenlinkedtothat library,it

is omputationally seure when using atual ryptographialgorithms. Ourapproah enablesthe use

of existing symboli veriationtools,suh asthetype-hekerF7 [BBF

+

08℄. Therequirementto use

thesetoolsinpartiularruledoutpotentialhangestotheRCFsemantisthatwouldhavesimpliedto

establishaomputationalsoundnessresult. Westress,however,thatourresultdoesnotdependonany

partiularsymboliveriationtehnique.

Wehavederivedomputationalsoundnessforenryptions anddigitalsignatures. Ourresultis,

how-ever, extensible: most of our theorems are parametri in the set of ryptographiprimitives and the

remainingtheorems anbeeasily extended. Furthermore,bybasingon theso-alledCoSP framework

[BHU09℄, our proof solely onerns the semantis of RCFprograms and does not involve any

rypto-graphi arguments; thus extending our proofs to additional ryptographi abstrations supported by

CoSPdoesnotrequireadeepknowledgeofryptography,whihmakessuh anextensionaessibleto

CoSP (Setion 3). Themain ideaofourworkistoredue omputationalsoundnessofRCFto

om-putational soundness in the CoSP framework [BHU09℄. Thus, we rst give an overview of the ideas

underlying CoSP. All denitions in CoSP are relative to asymboli model that speies a set of

on-strutors and destrutors that symbolially represent omputational operations, and a omputational

implementation thatspeiesryptographialgorithmsfortheseonstrutorsanddestrutors. InCoSP,

aprotool is representedbyan innitetree that desribestheprotool asalabeled transition system.

SuhaCoSPprotoolontainsationsforperformingabstratomputations(applyingonstrutorsand

destrutorstomessages)andforommuniatingwithanadversary. ACoSPprotoolisendowedwithtwo

semantis,asymboliexeutionandaomputationalexeution. Inthesymboliexeution,messagesare

representedbyterms. Inthe omputationalexeution, messagesare bitstrings,and theomputational

implementationisusedinsteadofapplyingonstrutorsanddestrutors. A omputational

implementa-tionis omputationally sound ifanysymbolially seureCoSP protool is alsoomputationally seure.

The advantage of expressing omputational soundness results in CoSP is that the protool model in

CoSPis verygeneral. Hene the semantisofother alulianbeembeddedtherein, thus transferring

theomputationalsoundnessresultsfromCoSPtothesealuli.

DY library (Setions 4,5). Toapply CoSPtoRCF,werstdene alibrary

σ

M

DY

that enodesan arbitrary symboli model. This library internally represents all messages as terms in some datatype.

Manipulationofthese termsispossibleonlythroughthelibrary,neithertheprogramnortheadversary

andiretlymanipulatemessages.

σ

M

DY

alsoprovidesfuntionsforsendingandreeivingmessages. Given thelibrary

σ

M

DY

, weandene anotionof symboliseurity. A program

A

ontainsertaineventsand seuritypoliiesspeiedin rst-orderlogi. Weall

A

robustly

→

-

σ

M

DY

-safe iftheseuritypoliiesare satisedineverystepoftheexeutionwhen

A

runsin parallelwithanarbitraryopponentandislinked tothelibrary

σ

M

DY

.

Next,wespeifyaprobabilistiomputationalsemantisforRCFprograms

A

. Inthesesemantis,we speifyanalgorithm(theomputationalRCF-exeution)thatexeutes

A

. Ineahstepoftheexeution, theadversaryisaskedwhat redutionruleto applyto

A

. Lettingtheadversarymakethesesheduling deisionsresolvesthenon-determinismintheRCFprogramandsimultaneouslymakesourresultstronger

by making the worst-ase assumption that the adversary has total ontrol over the sheduling. All

messages are represented as bitstrings, and any invoation of

σ

M

DY

is replaed by the orresponding omputationfromtheomputationalimplementation. NotiethatintheomputationalRCF-exeution,

theadversaryisnotlimitedtoinvokinglibraryroutines;sinemessagesarebitstrings,theadversaryan

performarbitrarypolynomial-timeoperationsonthem. Ifallseuritypoliiesaresatisedin eahstep

oftheomputationalRCF-exeution,weall

A

robustlyomputationallysafe. Ourgoalis to showthat, ifan RCFprogram is robustly

→

-

σ

M

DY

-safe,then it is robustly omputa-tionallysafe. Toprovethis,weintroduetwointermediatesemantis.

•

Theredutionrelation : ThissemantisisverysimilartotheoriginalsemantisofRCF,exept

that all invoations of

σ

M

DY

are internalized, i.e., symboli ryptographi operations are atomi operationswithrespetto . Thisleadstothenotionofrobust -

σ

M

DY

-safety.

•

The symboli RCF-exeution

SExec

: This semantis is dened by taking the denition of the

omputationalRCF-exeution,andbyreplaingallomputationaloperationsbytheorresponding

symbolioperations. That is, thesymboliandthe omputationalRCF-exeution are essentially

the samealgorithm, oneoperatingon terms, the other doingthe orresponding operations from

theomputationalimplementation. This leadstothenotionofrobust

SExec

-safety. In therst step (f. Figure1), we show that robust

→

-

σ

M

DY

-safetyimplies robust -

σ

M

DY

-safety. This proofisfairlystraightforward,beause justinternalizesthedenition of

σ

M

DY

. Intheseondstep,weshowthatrobust -

σ

M

DY

-safetyimpliesrobust

SExec

-safety. Thersttehnial diulty herelies in thefat that robust -

σ

M

rob.

→

-

σ

M

DY

-safety rob. -

σ

M

DY

-safety

rob.omputationalsafety rob.

SExec

-safety 1.

2.

3.

Figure1: Mainstepsoftheomputationalsoundnessproof

SExec

-adversary,wehavetoonstrutanRCF-program

Q

thatperformsthesameationswhenrunning

in parallelwith

A

. Theseond diultyliesin thefatthat thelogifordesribingseurityproperties isquitegeneral. Inpartiular,itallowsforexpressingfatsabouttheatualodeof

σ

M

DY

(e.g.,theode ofonefuntionisasubtermoftheodeofanother). Sinethelibrary

σ

M

DY

isnotpresentinthesymboli RCF-exeution,weneed to identify riteriathat ensurethat the poliies do notdepend on theatual

odeof

σ

M

DY

.

In the third step, we use the fat that the symboli and the omputational RCF-exeution of

A

have essentially the same denition, exept that one performs symboli and the other omputational

operations. Thus,ifweexpresstheseexeutionsbyalabeledtransitionsystemthattreatsoperationson

messagesasatomisteps, weget thesametransitionsystem forbothexeutions, onlywithadierent

interpretation of these atomisteps. This transition systemis aCoSPprotool

Π

A

, andthe symboli

andtheomputationalexeutionofthatprotoolareequivalenttothesymboli andtheomputational

RCF-exeution of

A

. Thus, assuming a omputational soundness result in CoSP, we get that robust

SExec

-safetyimpliesrobustomputationalsafety. Combiningthiswiththeprevioussteps,wehavethat

robust

→

-

σ

M

DY

-safetyimpliesrobustomputationalsafety(Theorem1).

Notethat thisargumentationis fullygeneri, itdoesnotdepend onanypartiularsymbolimodel.

One we haveanew omputationalsoundness result in CoSP, this diretly translates into aresultfor

RCF.Note further that no atual ryptographiproofs need to be done; allryptographi details are

outsouredtoCoSP.Thelibrary

σ

M

DY

isverysimilarinspirittotheoneusedin[BFG10℄,webelievethat theveriationtehniquesusedtherean beappliedto robust

→

-

σ

M

DY

-safetyaswell.

Enryptionand signatures(Setion 5.4). Ourresultssofararefullygeneri. IntheCoSP

frame-work,aomputationalsoundnessresultexistsforpubli-keyenryption andsignatures. Combiningthis

result with our generi result, weget aself-ontainedomputational soundness result for enryptions

andsignaturesinRCF(Theorem2). TheresultintheCoSPframework imposesertainrestritionson

theuseoftheryptographiprimitives(e.g.,oneisnotallowedto sendseretkeysaround). Toensure

thatthese restritionsaremet, weintrodueawrapper-library

σ

Highlevel

for

σ

M

DY

. Aprogramthat only invokesfuntionsfrom

σ

Highlevel

isguaranteedtosatisfytheserestritions.

Sealing-based library (Setion 6). In the library

σ

M

DY

, we have internally represented symboli ryptographyastermsinsomedatatype. AnalternativeapproahisusedintheF7veriationframework

[BBF

+

08℄ foranalyzing RCF/F#-ode. Inthis approah, alibrarybased onseals isused. Roughly,a

seal onsistsofamutablerefereneandaessorfuntions. An enryption keypair, e.g.,ismodeledas

a sealed map. The enryption keyis a funtion that insertsthe plaintext into that map and returns

theindexoftheplaintext. Thederyptionkeyisafuntion thatretrievestheplaintextgiventheindex.

Seals haveproven well-suited for seurityanalysis by type-heking, sine they allow for polymorphi

types. Wepresentasealing-basedlibrary

σS

modelingenryptionsandsignatures. Weshowthatrobust safetywithrespetto

σS

impliesrobust -

σ

M

DY

-safetybyprovingtheexisteneofasimulationbetween exeutions with respet to the two libraries. Combined with Theorem2, this immediately returns a

omputationalsoundnessresultforthesealing-basedlibrary(Theorem4). Theadvantageofthis result

is that programs using

σS

an be analyzed using the F7 type-heker, sine the library itself is type-hekedwithpolymorphitypingannotations

1

.

Note that this part of our paper is spei to the ase of enryptions and signatures. Webelieve,

however,thattheproofanbeeasilyextended tootherprimitivesonaase-by-asebasis. Furthermore

1

tosealstoseuritywithrespettoaterm-basedabstrationthatisonsiderablysimplerbeauseitdoes

notrelyonasharedstate.

Restritions. Webrieydisussthelimitationsofourresultandexplainwhytheyarepresent.

Seurity properties. We only onsider safety properties (desribed by authorization poliies) that

are eiently deidable (in the sense that for any given trae, it is eiently deidable whether the

safetypropertyis fullled). Both therestritionto safetyproperties(as opposed tolivenessproperties)

and the restritionto eientlydeidable properties 2

are stateof the art in omputational soundness

results. Computationalsoundnessresultsforpropertiesbasedonobservationalequivaleneexist[CLC08℄;

applyingtheseto RCFwouldonstituteaninterestingextension toourwork.

Protool onditions. We impose ertain onditionson our protools. Most prominently, weforbid

to enrypt orsend seret keys. (As a side eet, this also avoids so-alled key-yles.) Again, these

onditionsarestateoftheartin omputationalsoundnessresults,and, ifremovedthere,theyanalso

beremovedfromourresult.

Authorization poliies. Construtors that representryptographioperations (suh as enryptions)

maynotourin theformulaeusedto express authorizationproperties. This isdue to thefat thata

statementsuh as

∃xyz.c

=

enc

(x, y, z)

doesnothaveasensibleomputational interpretation(there is noeientwaytohekit). Sine ourtreatmentisgeneri,alsoonstrutors thatrepresentharmless

primitivessuhaspairsareexludedfrom authorizationpoliies; allowingthemshould bepossiblebut

wouldonsiderably ompliateourtreatment. Webelieve,however,thatdisallowingtheseonstrutors

in authorization poliies doesnot onstitute a big restrition. In most ases, an authorization poliy

will dene high-levelrules (suh asif

P

haspaid for

x

, then

P

maydownload

x

). Statements about theatualformatof messages(e.g.,

m

isapair)will onlybe usedduring thesymboli veriationof thehigh-level properties, e.g.,aspart ofarenement type. We donotimpose any restritionsonthe

symboliveriationtehniques;arbitraryformulaeanbeusedthere aslongastheydonotappearin

thenalauthorizationpoliy.

Networkhannels. Weassumethat thereis onlyasinglepublinetworkhannel (i.e.,onlyasingle

hannel to the adversary). This is donefor simpliity only, our resultsould be easily extended to a

settingwithmorehannels. Or,onemightemulate severalhannelsbyaddingaheaderto allmessages

sentoverthepublihannel.

Assumptionsandassertionsin libraries. Oneisnotallowedtoaddassumptionsandassertions(i.e.,

authorization poliies) in the ode of thesymbolilibraries themselves. This is, however, notreally a

restritionsineonemayuseawrapperlibrarythat addstheseassumptionsandassertions.

Alternativeapproahes. Webrieydisussseveralpossiblealternativestoourapproahandexplain

theirdiulties.

Using CryptoVerif. Insteadof doinga symboliseurity veriation andthen applying a

omputa-tional soundness result, one ould perform the analysis diretly in the omputational setting using a

toolsuhasCryptoVerif [Bla06℄. CryptoVerifisatoolthat performsaseurityanalysis diretlyin the

omputational model. Tofollowthis approahin our setting, onewould haveto desribeanenoding

of RCF into CryptoVerif's alulus. Although this an easily be done for a fragment of RCF, many

featuresofRCFsuhasreursion,authorizationpoliiesin rst-orderlogi,andonurreny 3

are

prob-ablybeyond what CryptoVerif an handle. Also,CryptoVerif's approah probablydoesnotsale well

toomplexprograms. Finally,oneneedsto provethat theenodingof RCFintoCryptoVerif preserves

allrequiredseurityproperties; suh aproofmightbe notmuhsimplerthantheproofs inthepresent

paper. [BCFZ08℄pursue thisapproah;theydonot,however,provetheirenodingsound.

2

Byeiently deidableproperties,wedonotmeanthatit anbeeientlydeided whetheraprotool guarantees

thatthepropertyissatised,weonlymeanthatitanbeeientlydeidedwhether inagivenexeution,the property

wassatised.

3

CryptoVerifdoessupportonurrenynatively,butitsmodelofonurrenyassumesauniformrandomhoieineah

Reduingtotheapplied

π

-alulus. Analternativeapproahtoobtainomputationalsoundnesswould betoembedF#into theapplied pi-alulusandto exploit theomputationalsoundnessresultforthe

applied pi-alulus established in [BHU09℄. However,establishing this embedding would arguably not

beeasierthanourapproah: itrequirestoenodedatastrutures,reursion,thesealingmehanism,and

assertions/assumptions into the applied pi-alulus, inluding the whole FOL/F logi. Moreover, the

orretnessoftheenodinghastobeproventwieonesymbolially(theproofwouldfollowthesame

linesastheproofin [BFGT06℄)andonewithrespetto theomputationalsemantis.

Removingequalitytestsonlambda-expressions. Alargepartofthetehnialdiultiesinourproofs

stem from the fat that RCF allows to do syntati equality tests on lambda-abstrations. It is not,

however,easily possibletoremovethese tests: Ifwehange thesemantisofRCF,ourresultsbeome

inompatiblewithexistingtoolsliketheF7framework.Asyntatirestritionthatdisallowsomparisons

oflambda-abstrationsdoesnotseemtobepossibleeither;whihvariablesareinstantiatedwith

lambda-abstrationsonlybeomeslearatruntime.

1.2 Related work

TheproblemofomputationalsoundnesswasrstaddressedbyAbadiandRogawayin[AR02℄forpassive

adversaries and symmetri enryption. The protool language and seurity properties handled there

were extendedin [AJ01, Lau01, HLM03, BCK05, ABW06℄, but still apply onlyto passiveadversaries.

Subsequentworksstudied omputational soundnessagainstativeattaks(e.g., f. [BPW07,BPW03a,

BPW03b,BP04,SBB

+

06,Lau04,MW04,JLM05,BHU09℄). Reentworksalsofousedonomputational

soundnessinthesenseofobservationalequivaleneofryptographirealizationsofproesses(e.g.,[AF06,

CLC08,CL08℄). Alltheseworksdonottakletheomputationalsoundnessofprotoolimplementations.

Conurrentlywiththeannounementofthis work atFCC2009,[Fou09℄reported independentworkin

progressonatypesystemforRCFthatentailsomputationalsoundness.

The analysis of thesoure ode of protool implementationshasreently reeived inreasing

atten-tion. Goubault-LarreqandParrennesdevelopedastatianalysistehnique[GLP05b℄basedonpointer

analysis andlauseresolution forryptographiprotoolsimplementedin C.Theanalysisis limitedto

serey properties. Chaki and Datta reentlyproposed atehnique[CD09℄ basedon software model

heking for the automated veriation of serey and authentiation properties of protools

imple-mentedin C.Theanalysisprovidesseurityproofsforaboundednumberofsessionsandis eetivein

disoveringattaks. ItwasusedtoheksereyandauthentiationpropertiesoftheSSLhandshake

pro-toolforongurationsof uptothree serversand threelients. Bhargavanet al.proposed atehnique

[BFGT06, BCFZ08℄ for the veriation of F# protool implementations by automatially extrating

ProVerifmodels[Bla01℄. Theanalysisprovidesseurityproofsand,despiteitsnon-ompositionalnature,

salesremarkablywelland was suessfullyused to verify implementations ofreal-worldryptographi

protools suh as TLS [BCFZ08℄. None of these analysis tehniques enjoys omputational soundness

guarantees. [BCFZ08℄also proposesanembedding ofF#into thealulusof CryptoVerif. The

embed-dingisnot,however,proventobesound;also,aordingto[BCFZ08℄,itisdiulttoanalyzereursive

funtionswithCryptoVerif.

1.3 Notation

Givenaterm

t

,wewrite

t{t

′

_/x}

fortheresultofsubstitutingallfreeourrenesof

x

by

t

′

. Weassume

thatsubstitutionsareaptureavoiding,i.e.,boundnamesarerenamedwhenneessary. Wewrite

t

fora list

t1, . . . , t

n

wherethelength

n

ofthelistisleftimpliit. Givensets

P, C

oflogialformulae,wewrite

P

⊢

C

iforall

F

∈

C

,

F

isentailedby

P

.

2 RCF (review)

ThissetionoutlinestheRenedConurrentFPC[BBF

+

08℄,asimpleorealulusextendingtheFixed

a, b, c

name

h

onstrutor

M, N

::=

value

x, y, z

variable

()

unit

λx.A

funtion

(M, N)

pair

h M

onstrutorappliation

A, B

::=

expression

M

value

M N

funtion appliation

M

=

N

syntatiequality

let

x

=

A

in

B

let

let

(x, y) =

M

in

A

pairsplit

match

M

with

h x

then

A

else

B

onstrutormath

νa.A

restrition

A

_B

fork

a!M

transmissionof

M

onhannel

a

a?

reeivemessageohannel

assume

F

assumptionofformula

F

assert

F

assertionofformula

F

Figure2: Syntaxof RCFvaluesandexpressions

Strut Refl

A

≡

A

Strut Trans

A

≡

A

′′

_,

if

A

≡

A

′

and

A

′

_≡

_A

′′

Strut Let

let

x

=

A

in

B

≡

let

x

=

A

′

in

B,

if

A

≡

A

′

Strut Res

νa.A

≡

νa.A

′

_,

if

A

≡

A

′

Strut Fork 1

A

B

≡

A

′

_B,

if

A

≡

A

′

Strut Fork 2

B

A

≡

B

A

′

_,

if

A

≡

A

′

Strut Fork ()

()

A

≡

A

Strut Msg ()

a!M

≡

a!M

()

Strut Assume()

assume

C

≡

assume

C

()

Strut Res Fork1

A

′

(νa.A)

≡

νa.A

′

A,

if

a

6∈

fn

(A

′

)

Strut Res Fork2

νa.A

A

′

_≡

νa.A

_A

′

,

if

a

6∈

fn

(A

′

)

Strut Res Let

let

x

=

νa.A

in

B

≡

νa.

let

x

=

A

in

B,

if

a

6∈

fn

(B)

Strut Fork Asso

(A

A

′

₎

_A

′′

_≡

_A

_(A

′

_A

′′

₎

Strut Fork Comm

(A

A

′

₎

_A

′′

_≡

_(A

′

_A)

_A

′′

Strut Fork Let

let

x

= (A

A

′

₎

in

B

≡

A

(

let

x

=

A

′

in

B)

Figure3: Struturalequivalenerelation

A

≡

A

′

expressiveenoughtoenodealargepartofF#[BBF

+

08℄.

2.1 Syntax and semantis

The set of values is omposed of names, variables, unit, funtions, pairs, and type onstrutors (f.

Figure2). Namesaregeneratedatrun-timeandareonlyusedashannelidentiers,whilevariablesare

plae-holders for values. Unit, funtions, and pairsare standard. WhileRCForiginally inludes only

threetypeonstrutors(namely,introdutionformsforunionandreursivetypes),weextendthesyntax

ofthealulusto anarbitrarysetofonstrutors.

Conditionalsareenodedusingthefollowingsyntatisugar:

true

:=

inl

()

,

false

:=

inr

()

,and

if

M

=

N

then

A

else

B

abbreviates

let

y

= (M

=

N)

in match

y

with inl

x

then

A

else

B

forsomefresh

x, y

.

Anexpression representsaonurrentomputationthatmayreduetoavalue,ormaydiverge. The

semantisofexpressions is dened by astrutural equivalene relation

≡

4

and aredution relation

→

. 4

Theequivalenerelation

≡

onsideredinthispaperistheextensionoftheheatingrelation

A

⇛

B

proposedin[BBF

+

08 ℄

whereallheatingrulesaremadesymmetri. InAppendixA,weprovethatmakingtheheatingrelationsymmetriissound,

RedFun

(λx.A)

N

→

A

{

N/x

}

RedSplit

let

(x

1

, x

2

) = (N

1

, N

2

)

in

A

→

A

{

N

1

/x

1}{

N

2

/x

2}

RedMath

match

M

with

h x

then

A

else

B

→

A

{

N/x

}

if

M

=

h N

B

otherwise

RedEq

M

=

N

→

true

if

M

=

N

false

otherwise

RedComm

a!M

a?

→

M

RedAssert

assert

C

→

()

RedLetVal

let

x

=

M

in

A

→

A

{

M/x

}

RedLet

let

x

=

A

in

B

→

let

x

=

A

′

_in

_B,

if

A

→

A

′

RedRes

νa.A

→

νa.A

′

_,

if

A

→

A

′

RedFork 1

A

B

→

A

′

_B,

if

A

→

A

′

RedFork 2

B

A

→

B

A

′

_,

if

A

→

A

′

RedStrut

A

→

A

′

_,

if

A

≡

B, B

→

B

′

_{, B}

′

_≡

_A

′

Figure4: Redutionrelation

A

→

A

′

Theformerenablesonvenientrearrangementsofexpressions,whilethelatterdesribesthesemantisof

RCFommands.

Valuesareirreduible. Thesemantisoffuntionappliations,onditionals,letommands,pairsplits,

andonstrutormathesisstandard. Intuitively,therestrition

νa.A

generatesagloballyfreshhannel

a

that anonly beused in

A

and thename

a

is bound in

A

. Theexpression

A

B

evaluates

A

and

B

in parallel, and returnsthe resultof

B

(the result of

A

is disarded). Theexpression

a!M

outputs

M

onhannel

a

andreduesto theunitvalue

()

. Theevaluationof

a?

bloksuntilsomemessage

M

is

availableonhannel

a

,removes

M

fromthehannel,andthenreturns

M

.

The expressions

assume

F

and

assert

F

represent logial assumptions and assertionsfor modeling seuritypoliies. Theintendedmeaningisthatatanypointoftheexeution,theassertionsareentailed

bytheassumptions. Theformulae

F

arespeiedin FOL/F[BBF

+

08℄,avariantof rst-orderlogi.

Morepreisely, theformulae

F

ourring in an RCF-expressionsare formulaein the logi FOL/F, a variant of rst order logi extended with the onept of syntati funtion symbols. For syntati

funtion symbols

f

6=

f

′

, we have the additional axioms

⊢

(f

(x) =

f

(x

′

))

⇒

x

=

x

′

(F Injetive)

and

⊢

f

(x)

6=

f

′

(x

′

)

(F Distint). All syntatielements of RCF exept for variables (e.g.,

lambda-abstrations,names,onstrutors)areenodedas(possiblynullary)syntatifuntionsymbolsin

FOL/F-formulae. RCF-variablesareidentiedwithFOL/F-variables. Fordetails,see[BBF

+

08℄.

Theequivalenerelation

≡

introdueanormalformforRCF-expressions,astruture. Astrutureis anexpressionoftheform

S

:=

νa.

Π

i

∈

[1

,m

]

assume

F

i

Π

j

∈

[1

,n

]c

j

!M

j

Π

k

∈

[1

,o

]L

k

{e

k

}

where

e

k

is any expression apart from a let, restrition, fork, message send, or an assumption and

L

:=

{} |

let

x

=

L

in

B

. Notiethat anyexpressionisstruturallyequivalenttoastruture.

The FOL/F-formulae

F

i

in Sweall theative assumptions, andanyFOL/F-formula

F

with

e

i

=

assert

F

forsome

i

wealltheativeassertionsofS. Weannowformalizethefatthattheassumptions

followfromtheassertionsintheexeutionofanRCFexpression:

RCFexpressions an be transformedby strutural equivaleneinto anormalform, whih is alled

astruture andonsistsof asequeneofrestritionsfollowedbyaparallel omposition ofassumptions,

outputs,andlets. Theseassumptionsandtheassertionsreadytobereduedarealledative. Intuitively,

anexpressionissafeifallativeassertionsareentailedbytheativeassumptions.

An expression

A

is

→

-safeiffor allstruturesSsuhthat

A

→

∗

S,wehave thatSisstatiallysafe.

⋄

When reasoning about implementations of ryptographi protools, we are interested in the safety of

programsexeutedinparallelwithanarbitraryattaker. Thispropertyisalled robustsafety.

Denition2(Opponentsand robust

→

-safety) An expression

O

isan opponentif and onlyif

O

is losed and

O

ontains no assertions. A losed expression

A

is robustly

→

-safe if and only if the

appliation

O A

is

→

-safe forall opponents

O

.

⋄

Thenotionofrobust

→

-safetyisthesameastherobustsafetydenedin[BBF

+

08℄. Robust

→

-safety anbeautomatiallyveriedusingtheF7typeheker.

Inthefollowing,wewillsometimesneedtorestritourattentiontoprogramsthatonlyuseaertain

subsetofthesetofallonstrutors. Forthis,weassumethattheset ofRCFonstrutorsispartitioned

intopubli onstrutors andprivate onstrutors. Privateonstrutorsareusuallyusedinside alibrary.

Notehowever,thatthesemantisofRCFtreatsprivateandpublionstrutorsinthesameway. AnRCF

expressionthatdoesnotontainprivateonstrutors(neitherinonstrutorappliationsnorin

pattern-mathes)isalled p-free. WeallanRCF-expression

A

mp-free (formath-private-onstrutor-free) i

A

=

C[h1t1, . . . , h

n

t

n

]

where

h

i

are private onstrutors and

C

is aontext that doesnot ontain subterms of the form

match

·

with

h

·

then

·

else

for private onstrutors

h

. (That is, amp-free expressionmayhavepattern mathesusingprivateonstrutorsonlybelowprivateonstrutors.) We

allanRCF-expressionpureifitdoesnotontainassumptions,assertions,outputs(

M

!N

),inputs(

M

?

), orforks(

M

N

).

Furthermore,weallaFOL/F-funtionsymbolforbidden ifitisthefuntion symbolrepresentingan

RCF-lambda-abstration 5

oraprivateRCF-onstrutor.

3 CoSP Framework (review)

TheomputationalsoundnessproofdevelopedinthispaperfollowsCoSP[BHU09℄,ageneralframework

forondutingomputationalsoundnessproofsofsymboliryptographyandforembeddingtheseproofs

into proessaluli. CoSPenablesprovingomputationalsoundness resultsin aoneptuallymodular

andgeneriway: everyomputationalsoundnessproofforaryptographiabstrationphrasedinCoSP

automatiallyholdsforallembeddedaluli,andtheproessofembeddingproessaluliisoneptually

deoupledfromomputationalsoundnessproofs.

CoSPprovidesageneralsymbolimodelforexpressingryptographiabstrations.Werstintrodue

someentraloneptssuhasonstrutors,destrutors,anddedutionrelations.

Denition3 (CoSPterms) Aonstrutor

f

isasymbolwitha(possiblyzero)arity. Wewrite

f

/n

∈

C

todenote that

C

ontainsaonstrutor

f

witharity

n

. Anone

n

isasymbolwith zeroarity. Amessage type

T

over

C

and

N

is a set of terms over onstrutors

C

and nones

N

. A destrutor

d

of arity

n

, written

d

/n

, overamessage type

T

isa partial map

T

n

_→

_T

. If

d

isundenedon

t

1, . . . ,

tn

, wewrite

d

(

t

1, . . . ,

tn

) =

⊥

.

⋄

Tounifythenotationsforonstrutors,destrutors,andnones,wedenethepartialfuntion

eval

f

:

T

n

_→

_T

asfollows: If

f

isaonstrutorornone,

eval

f

(

t

1, . . . ,

tn

) :=

f

(

t

1, . . . ,

tn

)

if

f

(

t

1, . . . ,

tn

)

∈

T

and

eval

f

(

t

1, . . . ,

tn

) :=

⊥

otherwise. If

f

isadestrutor,

eval

f

(

t

1, . . . ,

tn

) :=

f

(

t

1, . . . ,

tn

)

if

f

(

t

1, . . . ,

tn

)

6=

⊥

and

eval

f

(

t

1, . . . ,

tn

) :=

⊥

otherwise. A dedution relation

⊢

CoSP

between

2

T

and

T

formalizes whih terms an be dedued from other

terms. The intuition of

S

⊢

CoSP

m

for

S

⊆

T

and

m

∈

T

is that theterm

m

anbededued from the termsin

S

.

5

InRCF,every onstrut fromthe language (inludinglambda-abstrations) isrepresented inFOL/Fformulaebya

speialfuntionsymbol;seethefullversionof[BBF

+

Denition4(Dedution relation) A dedution relation

⊢

CoSP

over a message type

T

isa relation between

2

T

and

T

.

⋄

Theonstrutors,destrutors,andnones,togetherwiththemessagetypeandthededutionrelation

formasymboli model. SuhasymbolimodeldesribesapartiularDolev-Yao-styletheory.

Denition5 (Symbolimodel) A symboli model

M

= (

C

,

N

,

T

,

D

,

⊢

CoSP

)

onsists of a set of on-strutors

C

,aset of nones

N

,amessagetype

T

over

C

and

N

with

N

⊆

T

,a setof destrutors

D

over

T

,andadedution relation

⊢

CoSP

over

T

.

⋄

ACoSP protool

Π

isdened asatreewith labellednodesandedges. Wedistinguishomputation

nodes,whihdesribeonstrutorappliations,destrutorsappliations,andnonereations,output and

inputnodes,whihdesribeommuniation,andontrolnodes,whihallowtheadversarytoinuenethe

ontrolowoftheprotool. Computationandoutputnodesrefertoearlieromputationandinputnodes;

themessagesomputedattheseearliernodesarethentakenasargumentsbytheonstrutor/destrutor

appliationsorsenttotheadversary.

For CoSP protools, both a symboli and a omputational exeution are dened by traversing

the tree. In the symboliexeution, the omputation nodes operate on terms, and the input/output

nodesreeive/send termsto the(symboli) adversary. Thesuessorsofontrol nodes arehosen

non-deterministially. In the omputational exeution, the omputation nodes operate on bitstrings

(us-ing aomputationalimplementation

Impl

), and theinput/output nodesreeive/send bitstringsto the (polynomial-time)adversary. Theadversaryhoosesthesuessorsofontrolnodes.

Denition6 (CoSPprotool) A CoSPprotool

Π

is a tree with a distinguished rootand labels on

both edges andnodes. Eah node hasaunique identier

ν

andoneof the following types: 6

•

Computation nodes areannotatedwith aonstrutor, destrutors, ornone

f

/n

together withthe

identiers of

n

(not neessarily distint) nodes. Computation nodes have exatly two suessors; the orresponding edgesarelabeledwith

yes

and

no

,respetively.

•

Output nodes are annotated with the identier of one node. An output node has exatly one

suessor.

•

Inputnodeshaveno furtherannotation. An inputnode has exatlyone suessor.

•

Controlnodesareannotatedwithabitstring

l

. Aontrolnodehasatleastoneanduptoountably

many suessorsannotatedwith distintbitstrings

l

′

∈ {0,

1}

∗

. (Weall

l

the out-metadataand

l

′

the in-metadata.)

If a node

ν

ontains an identier

ν

′

in its annotation, then

ν

′

has to be on the path from the root to

ν

(inluding the root, exluding

ν

), and

ν

′

mustbe a omputationnode or input node. In ase

ν

′

isa

omputationnode,the pathfrom

ν

′

to

ν

has toadditionally go throughthe outgoingedgeof

ν

′

withlabel

yes

.

⋄

Denition7(Symboliexeution) Leta symboli model

(

C

,

N

,

T

,

D

,

⊢

CoSP

)

and aCoSP protool

Π

begiven. A fulltraeisa(nite)listof tuples

(S

i

, ν

i

, f

i

)

suhthatthe followingonditionshold:

•

Corretstart:

S1

=

∅

,

ν1

isthe rootof

Π

,

f1

isatotallyundenedpartialfuntion mappingnode

identierstoterms.

•

Valid transition: For every two onseutive tuples

(S, ν, f

)

and

(S

′

_{, ν}

′

_{, f}

′

₎

in the list, let

ν

˜

bethe node identiersinthe annotationof

ν

anddene

˜

t

through

t

˜

j

:=

f

(˜

ν

j

)

. Wehave:

If

ν

is a omputation node with onstrutor, destrutor or none

f

, then

S

′

=

S

. If

m

:=

eval

f

(˜

t)

6=

⊥

,

ν

′

isthe

yes

-suessorof

ν

in

Π

,and

f

′

=

f

(ν

:=

m)

. If

m

=

⊥

,then

ν

′

isthe

no

-suessorof

ν

and

f

′

=

f

.

If

ν

is an input node, then

S

′

=

S

and

ν

′

isthe suessor of

ν

in

Π

and there exists an

m

with

S

⊢

CoSP

m

and

f

′

=

f

(ν

:=

m)

.

If

ν

isanoutput node,then

S

′

=

S

∪ {

˜

t1}

,

ν

′

isthe suessor of

ν

in

Π

and

f

′

=

f

.

6

Note in [BHU09℄, there is an additional type of node, the non-deterministi node. We have omitted the

Alist of node identiers

(ν

i

)

isa nodetraeif thereisafulltraewiththese node identiers.

⋄

Denition8(Computational implementation) Let a symboli model

M

= (

C

,

N

,

T

,

D

,

⊢

CoSP

)

be given. A omputational implementation of

M

is a family of funtions

Impl = (Impl

x

)

x

∈

C

∪

D

∪

N

suh that

Impl

f

for

f

/n

∈

C

∪

D

is apartial deterministi funtion N

×

({0,

1}

∗

)

n

_{→ {0,}

_1}

∗

, and

Impl

n

for

n

∈

N

isatotalprobabilistifuntion withdomainNandrange

{0,

1}

∗

(i.e.,itspeiesaprobability

dis-tribution onbitstringsthat depends onitsargument). The rstargumentof

Impl

f

and

Impl

n

represents the seurityparameter.

Allfuntions

Impl

f

havetobeomputablein deterministipolynomial-time, andall

Impl

n

havetobe

omputableinprobabilisti polynomial-time.

⋄

Denition9(Computational exeution) Letasymbolimodel

M

= (

C

,

N

,

T

,

D

,

⊢

CoSP

)

, a omputa-tional implementation

Impl

of

M

,anda CoSPprotool

Π

begiven. Let aprobabilisti polynomial-time

interative mahine

E

(theadversary) be given (polynomial-time in the sense that the number of steps in all ativations are bounded in the length of the rst input of

E

),and let

p

be a polynomial. We de-neaprobability distribution

Nodes

p

M

,

Impl

,

Π

,E

(k)

,the omputationalnodetrae, on(nite)listsofnode identiers (

ν

i

) aording tothe following probabilisti algorithm (both the algorithm and

E

are run on input

k

):

•

Initial state:

ν1

:=

ν

is the root of

Π

. Let

f

be an initially empty partial funtion from node

identierstobitstrings, andlet

n

beaninitially emptypartialfuntion from

N

tobitstrings.

•

For

i

= 2,

3, . . .

do the following:

Let

ν

˜

bethe node identiersinthe annotation of

ν

.

m

˜

j

:=

f

(˜

ν

j

)

. Proeeddepending onthe typeof node

ν

:

∗

If

ν

is aomputation node with none

n

∈

N

: Let

m

′

_:=

_n(N

₎

if

n(N

)

6=

⊥

and sample

m

′

aording to

Impl

n

(k)

otherwise. Let

ν

′

be the yes-suessor of

ν

,

f

′

_:=

_f

_(ν

_:=

_m

′

₎

,

and

n

′

_:=

_n(N

_:=

_m

′

₎

. Let

ν

:=

ν

′

,

f

:=

f

′

and

n

:=

n

′

.

∗

If

ν

isa omputation node with onstrutor or destrutor

f

, then

m

′

_{:= Impl}

f

(k,

m)

˜

. If

m

′

₆₌

_⊥

, then

ν

′

is the

yes

-suessor of

ν

, if

m

′

₌

_⊥

, then

ν

′

isthe

no

-suessor of

ν

. Let

f

′

:=

f

(ν

:=

m

′

)

. Let

ν

:=

ν

′

and

f

:=

f

′

.

∗

If

ν

isan inputnode,ask for abitstring

m

from

E

. Abortthe loop if

E

halts. Let

ν

′

be

the suessor of

ν

. Let

f

:=

f

(ν

:=

m)

and

ν

:=

ν

′

.

∗

If

ν

is anoutput node,send

m1

˜

to

E

. Abort the loop if

E

halts. Let

ν

′

bethe suessor

of

ν

. Let

ν

:=

ν

′

.

∗

If

ν

is aontrol node, annotated with out-metadata

l

, send

l

to

E

. Abort the loop if

E

halts. Upon reeiving an answer

l

′

,let

ν

′

be the suessor of

ν

along the edge labeled

l

′

(orthe lexiographially smallest edgeif thereisno edgewith label

l

′

). Let

ν

:=

ν

′

.

Let

ν

i

:=

ν

.

Let

len

bethe number ofnodes fromthe rootto

ν

plusthe total lengthofall bitstringsinthe rangeof

f

. If

len

> p(k)

,stop.

⋄

Denition10 (Trae property) A trae property

℘

is an eiently deidable and prex-losed set of (nite)listsof node identiers.

Let

M

= (

C

,

N

,

T

,

D

,

⊢

CoSP

)

beasymbolimodeland

Π

aCoSPprotool. Then

Π

symboliallysatises atrae property

℘

ieverynode traeof

Π

isin

℘

.

Let

Impl

be a omputational implementation of

M

and let

Π

be a CoSP protool. Then

(Π,

Impl)

omputationallysatisesatraeproperty

℘

ifor allprobabilistipolynomial-timeinterativemahines

E

andall polynomials

p

,

Nodes

p

M

,

Impl

,

Π

,E

(k)

∈

℘

withoverwhelmingprobability.

⋄

Denition11 (Computational soundness) A omputational implementation

Impl

of a symboli

model

M

= (

C

,

N

,

T

,

D

,

⊢

CoSP

)

is omputationally sound for a lass

P

of CoSP protools i for every trae property

℘

andfor every eient CoSPprotool

Π

,we have that

(Π,

Impl)

omputationally

In this paper, we do not restrit our attention to a spei symboli library. We instead provide a

omputational soundness result for any symboli library fullling ertain onditions that we detailin

thissetion.

4.1 The library

WerstdeneageneralDolev-Yaomodel,whihisasymboli modelsubjettoertainnatural

restri-tions.

Denition12 (DY Model) We say that a symboli model

M

= (

C

,

D

,

N

,

T

,

⊢

CoSP

)

is a DY model if

N

=

N

E

⊎

N

P

forountablyinnite

N

E,

N

P

,and

equals

/2

∈

D

where

equals

(x, x) :=

x

and

equals

(x, y) :=

⊥

for

x

6=

y

, and

⊢

CoSP

is the smallest relation suh that

m

∈

S

⇒

S

⊢

CoSP

m

,

n

∈

NE

⇒

S

⊢

CoSP

n

, and suh that for any onstrutor or destrutor

f

/n

∈

C

∪

D

and for any

t

1, . . . ,

tn

∈

T

satisfying

∀i

∈

[1, n].S

⊢

CoSP

ti

and

⊥ 6=

eval

f

(

t

1, . . . ,

tn

)

∈

T

,wehave

S

⊢

CoSP

f

(

t

1, . . . ,

tn

)

.

⋄

Inthefollowing,wewillonlyreasonaboutDYmodels. Intuitively,inaDYlibraryeahCoSPtermmis

representedby

message

M

,where

message

isaprivateonstrutorthattagsallvalueswhihthelibrary operateson and

M

is anenodingof m. CoSPonstrutors arerepresentedbyRCFonstrutors and nonesarerepresentedbyRCFnames. Foreahonstrutoranddestrutor

f

,thelibraryexportsa

fun-tion

lib

f

suhthat

σ

M

DY

(

lib

f

) (

message

M1, . . . ,

message

M

n

)

returns

some message

M

if

eval

f

(

m

1, . . . ,

mn

)

returns

m

,or

none

if

eval

f(

m

1, . . . ,

m

n

)

returns

⊥

. Inaddition,thelibraryexportsafuntion

nonce

that piksafreshname(tobeusedasanone)andfuntions

send

and

recv

forsendingandreeivingterms

oftheform

message

M

overapublihannel.

For example, if we have a symboli model ontaining enryptions and deryptions (suh as the

one presented in Setion5.4), we would represent a iphertext with key

ek

(k)

and randomness

r

as

message

(

enc

(

ek

(k), m, r))

. Thederyptionfuntioninthelibrarywouldthenbedenedby

σ

M

DY

(

lib

dec) :=

λx.

match

x

with

(

message

(

dk

(y)),

message

(

enc

(

ek

(y), z, w)))

then some

(

message

(z))

else none

. A none

wouldberepresentedas

message

(

nonce

(λx.a!x))

forsomefreshname

a

. 7

InsteadofgivingadenitionthatisspeitoapartiularDYmodel,wewillgiveageneraldenition

ofaDYlibraryforaDYmodel. Inthefollowing,weassumeanarbitraryembedding

ι

ofterms

T

into the set of losed RCF values. We further assume a xed name

a

chan

used internally by the library for ommuniation and we assume that there is a value-ontext

C

ι

[]

(a value with a hole) suh that

{C

ι

[a] :

a

6=

a

chan

isaname

}

=

ι(

N

)

.

Denition13 (DY Library) A DY library for

M

= (

C

,

D

,

N

,

T

,

⊢

CoSP

)

is a substitution

σ

M

DY

from variables toRCFfuntionssatisfying the following onditions:

•

Let

message

beaprivateonstrutor.

•

dom

σ

M

DY

=

{

lib

f

|

f

∈

C

∪

D

} ∪ {

nonce

,

send

,

recv

}

.

•

σ

M

DY

(

lib

f

)

is a pure funtion suh that the following holds for all

m

1, . . . ,

m

n

∈

T

: If

m

:=

eval

f

(

m

1, . . . ,

m

n

)

6=

⊥

,then

σ

M

DY

(

lib

f

) (

message

ι(

m

1), . . . ,

message

ι(

m

n

))

→

∗

some message

ι(

m

)

.

If

m

=

⊥

, then

σ

M

DY

(

lib

f

) (

message

ι(

m

1), . . . ,

message

ι(

m

n

))

→

∗

none

. In all other ases,

σ

M

DY

(

lib

f

) (. . .)

isstuk.

•

σ

M

DY

(

nonce

) =

fun

_

→

νa.

message

C

ι

[a]

.

•

σ

M

DY

(

send

) = (

fun

x

→

(

match

x

with message

_

then

a

chan

!

message

x

else

stuck

))

. Here

stuck

isa puredivergingRCF expression.

•

σ

M

DY

(

recv

) =

fun

_

→

a

chan

?

•

fv

(range(σ

M

DY

)) =

∅

and

fn

(range(σ

M

DY

)) =

achan

.

•

For any variable

x

∈

dom

σ

M

DY

, andany mp-free value

M

6=

x

, we have

σ

M

DY

(x)

6=

M σ

DY

M

. (We allasubstitutionsatisfying thisonditionondition equality-friendly.)

⋄

7

Therequirement that

σ

M

DY

is equality-friendlyis a tehnial ondition to ensure that the outome of equality-testsin aprogram exeution doesnotdepend onthe internal ode of thelibraryfuntions.

Forexample,ifwehadthat

σ

M

DY

(

lib

f

1

) = (λx.σ

M

DY

(

lib

f

2

)x)

,the test

lib

f

1

= (λx.

lib

f

2

x)

wouldsueedin aprogramlinkedto

σ

M

DY

. Toavoidsuhdependeniesontheinternalodeofthelibrary,weintrodue equality-friendliness. Note that equality-friendliness is only neessary beause RCF allows syntati

equalitytestsonlambda-abstrations.

Equality-friendliness an be enfored, e.g., by requiring that all

σ(f

)

are expressions of the form

λx.(

magic

;

A)

forsomeRCFexpression

A

where

magic

:= (λz.

match

z

with message

y

then

()

else

())

.

Tointerfaeanexpression

A

withalibrary

σ

M

DY

,weusetheexpression

Aσ

M

DY

. Wewillonlyonsider programs

A

suh that

fn

(A) =

∅

and

fv

(A)

⊆

dom

σ

M

DY

. In

σ

M

DY

,allmessages

M

are protetedby theprivateonstrutor

message

. However,ifanopponent wouldbeallowedtoperformapatternmathon

message

,heouldgettheinternalrepresentationof

M

andthus, e.g.,extrattheplaintextfromanenryption. Similarly,anadversaryapplying

message

ould

produe invalid messages. Thus, when using

σ

M

DY

, wehave to restrit ourselvesto p-free opponents. Thefollowingvariantofrobust

→

-safetymodelsthis.

Denition14 (Robust

→

-

σ

-safety) Let

σ

beasubstitution. WeallanRCFexpressiona

σ

-opponent i

fv

(O)

⊆

dom

σ

and

O

isp-freeandontainsneitherassertionsnorassumptions and

a

chan

∈

/

fn

(O)

. An RCF expression

A

with

fv

(A)

⊆

dom

σ

is robustly

→

-

σ

-safeitheappliation

(O A)σ

is

→

-safe

for all

σ

-opponents

O

.

⋄

Notethatin ontrasttoDenition 2,weexpliitlyapplythesubstitution

σ

representingthelibrary totheopponent. Thisis beauseap-freeopponenthasto invokelibraryfuntions inordertoperform

enryptions,outputs,et. Furthermore,wewillalsoneedthattheprogramsweanalyzeoperateonterms

tagged by

message

onlythroughthelibrary. Inorderto enfore this(andother invariantsthat willbe

usedinvarious loationsin theproofs)weintroduethefollowingwell-formednessondition:

Denition15 Let

A

be an RCF expression and

M

= (

C

,

N

,

T

,

D

,

⊢)

a DY model. We say

M

⊢

A

i

fv

(A)

⊆ {

lib

f

:

f

∈

C

∪

D

} ∪ {

nonce

,

send

,

recv

}

and

a

chan

∈

/

fn

(A)

and

A

is p-free and the

FOL/F-formulaein

A

do notontainforbidden funtion symbols.

⋄

4.2 Dolev-Yao transition relation

The COSP framework assumesthe atomiity of ryptographioperations. In general,however,

Dolev-Yao libraries may dene these operationsby a sequeneof ommands, whih may lead to non-atomi

omputations. For this reason, a onvenient tool for the embedding of a language in COSP is the

denition of a symboli semantis where ryptographi operations are exeuted atomially. This is

ahieved by dening anew redutionrelation

A

B

(f. Figure5), whih diersfrom the standard redutionrelation

A

→

B

inthat ryptographioperationsareatomiallyperformed.

Usingthe denition of , we anreformulate thenotion ofsafety. Our formulationis justied by

Lemma1below.

Denition16 ( -

σ

-Safety) A struture S is statially

σ

-safe i

P σ

⊢

Cσ

where

P

are the ative assumptions and

C

the ativeassertionsofS.

An expression

A

is -

σ

-safeiffor allSsuhthat

A

∗

Swe havethatSisstatially

σ

-safe.

⋄

InontrasttoDenition14,whendeningrobustsafetywithrespetto ,wetonotapply

σ

tothe opponentortheprogram,beause

σ

ishard-odedinto :

Denition17 (Robust -

σ

-safety) AnRCF expression

A

with

fv

(A)

⊆

dom

σ

is robustly -

σ

-safe ithe appliation

O A

is -

σ

-safe for all

σ

-opponents

O

.

⋄

Aneessaryingredientfortheomputationalsoundnessresultistheproofthatifaprogramis

→

-safe thenitisalso -

σ

(λx.A)N

A

{

N/x

}

let

(x

1

, x

2

) = (N

1

, N

2

)

in

A

A

{

N

1

/x

1

, N

2

/x

2

}

match

M

with

h x

then

A

else

B

(

A

{

N/x

}

if

M

=

h N

forsome

N

B

otherwise

M

=

N

(

true

if

M

=

N

false

otherwise

a!M

a?

M

assert

C

()

let

x

=

M

in

A

A

{

M/x

}

A

A

′

_⇒

_let

_x

₌

_A

_in

_B

_let

_x

₌

_A

′

_in

_B

A

A

′

_⇒

_νa.A

_νa.A

′

A

A

′

_⇒

_(A

_B)

_(A

′

_B)

A

A

′

_⇒

_(B

_A)

_(B

_A

′

₎

A

≡

B

B

′

_≡

_A

′

₌

_⇒

_A

_A

′

send

₍

_message

_M

₎

_a

_chan

_!

_message

_M

recv

_N

_a

_chan

_?

nonce

_M

_νa.

_message

_C

_ι

_[a]

σ

DY

M

(

lib

f

)

M

→

∗

N

=

⇒

lib

f

M

N

(

lib

f

∈

dom

σ

M

DY\{

send

,

recv

,

nonce

}

)

Figure5: Redutionrelation

A

B

Lemma1 Let

A

be p-free. If

Aσ

M

DY

is

→

-safe then

A

is -

σ

M

DY

-safe.

Proof. Bydenitionof

→

-safetyand -

σ

M

DY

-safety,weonlyhavetoshowthat

A

∗

_B

implies

Aσ

M

DY

→

∗

Bσ

M

DY

. The proof is by strutural indution on the derivation of

A

∗

_B

. The base ase is when

A

=

B

andno redutionstepisapplied, andtheproofis straightforward. Theindution asesarealso

straightforward,exeptfortheequality,math,andlibraryfuntionappliationrules.

Equality. Sine

→

tests

M σ

M

DY

=

N σ

M

DY

while tests

M

=

N

, we have to prove that

M σ

M

DY

=

N σ

M

DY

⇔

M

=

N

. The

⇐

diretion isstraightforward. Forprovingthe

⇒

diretion,weatually prove that

M

6=

N

⇒

M σ

M

DY

6=

N σ

M

DY

.

Sine

A

is p-free,weaneasilysee that

B

is mp-free andtherefore

M

and

N

are mp-free. Now weproeedbystrutural indutionon

M

. Werstreasononthebase ases:

M

=

a

Theonlyinterestingaseiswhen

N

=

x

. ByDenition 13,

range

σ

M

DY

isasetoffuntions,hene

σ

M

DY

(x)

6=

a

.

M

= ()

Analogoustothepreviousitem.

M

=

x

Theprooffollowsbyobservingthat

σ

M

DY

isequality-friendly.

Wenowreasonontheindution ases:

M

=

h M

′

_&

_N

₌

_h

′

_N

′

_&

_h

₆₌

_h

′

Welearlyhave

M σ

M

DY

6=

N σ

M

DY

.

M

=

h M

′

_&

_N

₌

_{h N}

′

If

h

isapublionstrutor, thentheproof followsdiretly from theindution hypothesis. If

h

isaprivateonstrutor, then we donotknowwhether

M

′

and

N

′

aremp-free

ornot. Wedo know,however,that theyare losed(byan inspetionof the -semantisand by

Denition 13). Therefore

M σ

M

DY

=

M

and

N σ