# Encoding cryptographic primitives in a calculus with polyadic synchronization.

**ABSTRACT** We thoroughly study the behavioral theory of epi, a π-calculus extended with polyadic synchronization. We show that the natural contextual equivalence, barbed congruence, coincides with early bisimilarity, which is thus its co-inductive characterization. Moreover, we relate early bisimilarity with the other usual notions, ground, late and open, obtaining a lattice of equivalence relations that clarifies the relationship among the "standard" bisimilarities. Furthermore, we apply the theory developed to obtain an expressiveness result: epi extended with (symmetrical) key encryption primitives may be fully abstractly encoded in the original epi calculus. The proposed encoding is sound and complete with respect to barbed congruence. Therefore, cryptographic epi (crypto-epi) gets behavioral theory for free, which contrasts with other process languages with cryptographic constructs that usually require a big effort to develop such theory. It is thus possible to use crypto-epi to analyze and to verify properties of security protocols using equational reasoning. To illustrate this claim, we prove the correctness of a protocol of secure message exchange.


Journal version: Journal of Automated Reasoning 01/2011; 46:293-323.

Joana Martinho∗
Dep. of Mathematics, Instituto Superior Técnico, Technical University of Lisbon.
Av. Rovisco Pais, 1. 1049-001 Lisboa, Portugal
E-mail: joana dk@portugalmail.pt

António Ravara†
Security and Quantum Information Group, Instituto de Telecomunicações, and
Dep. of Mathematics, Instituto Superior Técnico, Technical University of Lisbon.
Av. Rovisco Pais, 1. 1049-001 Lisboa, Portugal
E-mail: aravara@ist.utl.pt


Categories and Subject Descriptors: D.2.4 [Program Verification]: Correctness Proofs; F.1.1 [Models of Computation]: Process Algebra; F.1.3 [Specification, Verification, and Reasoning about Programs]: Logics and Meanings of Programs; F.3.3 [Program constructs]: Control Primitives

General Terms: Behavioral Theory, Cryptographic Mobile Calculus

Keywords: Barbed Congruence, (Early) Bisimulation, Cryptographic Primitives, Fully Abstract Encoding, π-calculus, Polyadic Synchronization

∗ Affiliation when developing a preliminary version of this work, until October 2004.

† Corresponding author.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

International Conference on Theoretical and Mathematical Foundations of Computer Science (TMFCS-08) July 7-10 2008, Orlando, FL, USA

Copyright © 2008 International Society for Research in Science and Technology (ISRST)

## 1. Introduction

We study herein the behavioral theory of a π-calculus where, instead of on simple names, processes synchronize on vectors of names (epi, an acronym standing for extended π-calculus). To illustrate the expressive power of the calculus and a possible application area, we show that some cryptographic primitives are derivable in epi. Therefore, if one extends the calculus with such primitives, the resulting process language enjoys the same theory as the original language, and thus one may use it to prove properties of security protocols.

Extended π-calculus. The π-calculus with polyadic synchronization (epi), proposed by Carbone and Maffeis [CM03], is an extension of the π-calculus of Milner, Parrow, and Walker [MPW92, SW01] that generalizes the synchronization mechanism, based on handshaking, i.e., the simultaneous execution of input/output actions, by allowing channel names to be composite.

The fact that in epi communication is only established if the channel vectors match element-wise enhances its expressive power with respect to the π-calculus. In particular, Carbone and Maffeis show that the matching construct¹ can be encoded in the π-calculus with polyadic synchronisation but not in the π-calculus. In addition, they also prove that the higher the degree of synchronization (i.e., the maximum length of the channel vectors), the higher the expressive power of the calculus.

Carbone and Maffeis did not fully develop the behavioral theory of the process language they proposed. Defining a grammar and an operational semantics yields a description language and a rigorous definition of its computational behavior, but a calculus (in the logical sense) requires a theory to equate terms. A process calculus is achieved either by axiomatically, inductively, or co-inductively defining a behavioral equivalence (ideally a congruence).

¹ The matching construct is a process like if x = y then P which compares names x and y and, if they coincide, behaves like process P; otherwise it does nothing.

Goals and contributions. The aim of this paper is twofold: to develop the behavioral theory of epi, defining a contextual equivalence and looking for its co-inductive characterization; and to use this theory to show how to define cryptographic primitives preserving it, thus allowing the calculus extended with such primitives to be used to analyze and to verify security protocols.

The first goal is hence to study in detail the behavioral semantics of epi: (1) defining an operational semantics (a late labeled transition system semantics); (2) defining the usual equivalence notions (in the context of mobile calculi): contextual and co-inductive (ground, late, early and open bisimilarities); and (3) extending results from the π-calculus to epi, namely obtaining congruence results, finding which (if any) bisimilarity coincides with the contextual equivalence, and establishing a lattice of inter-relations between the various equivalence relations.² We find that, in epi, as in π, barbed congruence coincides with early congruence (early bisimilarity closed for all substitutions), and thus we have a co-inductive characterization of the "natural" contextual equivalence of the calculus. Moreover, we relate all these "standard" notions of co-inductive equivalences, ground, late, early, and open bisimilarities and congruences, obtaining a lattice of equivalence relations that clarifies the relationship among them. To our knowledge, this is original work, and it provides to epi the basic behavioral theory of a mobile calculus.

² The result is a lattice similar to that of the π-calculus.

The second goal is to use the theory developed to show that epi extended with nondeterministic, symmetrical, key encryption primitives may be used to analyze and to verify security protocols. To explore this possible application area, and to further show the expressive power of epi, we define a new calculus, the cryptographic π-calculus with polyadic synchronisation (crypto-epi), an extension of epi with the referred cryptographic primitives (in the spirit of the spi-calculus of Abadi and Gordon [AG97], itself an extension of the π-calculus with constructs that allow for encryption and decryption of messages, or of the applied π-calculus of Abadi and Fournet [AF01], another extension of the π-calculus with a term algebra). These two primitives are suggested by Carbone and Maffeis in the introduction of their paper [CM03] as another argument to support the expressiveness of the calculus they propose, epi. However, they neither defined nor studied its extension with such primitives. Herein, we formally define crypto-epi: (1) adding to the grammar of epi primitives for (symmetrically) encoding and decoding names; (2) providing transition rules to deal with these constructs, enriching the labeled transition system of epi; (3) extending results from epi to crypto-epi, namely showing that the new constructs preserve early bisimilarity. Then we show that crypto-epi is fully abstractly encoded, with respect to barbed congruence, in the original π-calculus with polyadic synchronisation, thus reflecting the behavioral theory of epi back to crypto-epi, and allowing the usual reasoning principles using behavioral equivalences to be used in the latter.

The encoding is also proposed by Carbone and Maffeis in the introduction of their paper, but they do not study its properties. To our knowledge, our result is original: not only does it show that these cryptographic primitives may be defined in epi as programming constructs and do not need to be primitive, reinforcing the expressive power of epi, but it also provides standard behavioral theory to a cryptographic mobile process calculus. Moreover, since the results closely follow those of the π-calculus, it should be straightforward to adapt tools like the Mobility Workbench [Vic94, VM94] to epi and crypto-epi, achieving a powerful tool to prove properties of security protocols by equational reasoning. Note that other cryptographic calculi like the spi-calculus or the applied π-calculus have a more evolved and sometimes cumbersome behavioral theory. The extra structure for data handling severely complicates equational reasoning: naïve adaptations of bisimulation are not adequate; the new notions developed are "heavy", and difficult to automate [AF01, AG97, BAF07, BNP02, BN05]. To illustrate the use of the theory developed, we prove the correctness of a protocol of secure message exchange.

Structure of the paper. We structure the presentation of our work in the following manner:

• In Section 2 we introduce the syntax and a late labeled transition semantics of the π-calculus with polyadic synchronisation, as first proposed by Carbone and Maffeis.

• In Section 3 we define the four usual co-inductive notions of equivalence (ground, late, early and open bisimilarity), and compare these notions, concluding that they relate to each other just as in the π-calculus. We further introduce the notions of barbed bisimilarity, equivalence and congruence, and conclude that the latter coincides with early congruence. Although relying on a similar result obtained for the π-calculus [San92], the proof of the coincidence of the notions in epi requires several adjustments.

• In Section 4 we extend the π-calculus with polyadic synchronisation with the cryptographic primitives proposed by Carbone and Maffeis in the introduction of their paper [CM03]. In addition to their work, we give an operational semantics to the new calculus, adding new rules to the original labeled transition system, and moreover, we analyze in detail a simple cryptographic protocol, proving it correct. Furthermore, we prove fully abstract (with respect to barbed congruence) the encoding they propose of the cryptographic constructs in epi.

• Section 5 concludes the paper, listing our contributions and giving directions for future research.

Due to the lack of space, we do not present herein the proofs of the results obtained. These may be found in a technical report [MR07].

Figure 1. crypto-epi syntax.

    P ::= 0                     inaction                (processes)
        | π.P                   prefix
        | !P                    replication
        | (νx)P                 restriction
        | (P | P)               parallel composition
        | (P + P)               choice

    π ::= τ                     internal                (prefixes)
        | x1 · ... · xk(y)      input
        | x̄1 · ... · x̄k⟨y⟩      output

## 2. epi: π-calculus with Polyadic Synchronization

The π-calculus with polyadic synchronization, epi, is a variant of the π-calculus where the channels can consist of sequences of names and communication is established if and only if the channel vectors match element-wise.³

³ We call π-calculus with biadic synchronization the particular case of the π-calculus with polyadic synchronization where the composite channels have at most two names.

### 2.1 Syntax

We introduce the syntax of the calculus in detail and also mention some of the main differences between this and the π-calculus. These differences will be explained in further detail in subsequent parts throughout this section.

DEFINITION 2.1. Processes

Let N be a countable set of names and x, x1, ..., xk, y range over N for some k ∈ ℕ. The grammar in Figure 1 defines the class of processes PS, ranged over by P, Q.

The decreasing order of precedence of operators follows that of the definition, where the prefix operator has the highest precedence. In what follows we use the notation π for π.0, and (νz,w)P for (νz)(νw)P.

All operators used here are also present in the π-calculus and their behavior is as expected. Nonetheless, note that restriction is made on names as in the π-calculus and not on composite channels: this allows for partial restriction.

One should also note that in the π-calculus with polyadic synchronization it is not necessary to include the match operator since it can be encoded in the calculus. This is not possible in a 'sensible' manner using the original π-calculus that, therefore, takes the match operator as a primitive. This important separation result between the two calculi was obtained by Carbone and Maffeis [CM03], and it is the central expressiveness result about epi.

Consider u = x1 · ... · xk and ū = x̄1 · ... · x̄k, where k ∈ ℕ, which represent respectively the input and output channel vectors. Then, nm(u) = nm(ū) = {x1, ..., xk}. As in the π-calculus, there are four possible kinds of actions α in the present calculus, as seen in Table 1. Let bn(α) denote the set of bound names in α, fn(α) the set of free names in α and nm(α) the set of all names in α (the union of the previous two sets). The respective notions for prefixes, i.e., fn(π), bn(π), and nm(π), are defined similarly. Furthermore, the notions of bound and free names in a process P, denoted by bn(P) and fn(P) respectively, follow from those of the π-calculus. Table 2 presents the rigorous definition of these notions, where nm(P) denotes the names in the process P. Let fn(P1, P2) = fn(P1) ∪ fn(P2), and consider similar definitions for bn(P1, P2) and nm(P1, P2).

| Action | Description  | fn(α)       | bn(α) |
|--------|--------------|-------------|-------|
| τ      | internal     | ∅           | ∅     |
| ū⟨y⟩   | free output  | nm(u) ∪ {y} | ∅     |
| ū(y)   | bound output | nm(u)       | {y}   |
| u(y)   | input        | nm(u)       | {y}   |

Table 1. Actions.

| P        | fn(P)                   | bn(P)         |
|----------|-------------------------|---------------|
| 0        | ∅                       | ∅             |
| π.Q      | fn(π) ∪ (fn(Q) \ bn(π)) | bn(π) ∪ bn(Q) |
| !Q       | fn(Q)                   | bn(Q)         |
| (νy)Q    | fn(Q) \ {y}             | {y} ∪ bn(Q)   |
| (Q \| R) | fn(Q, R)                | bn(Q, R)      |
| (Q + R)  | fn(Q, R)                | bn(Q, R)      |

Table 2. Names in Processes.

Note that we sometimes use polyadic CCS-like prefixes ā·w̄ and a·y where no item is being sent or expected to be received. We do this to highlight the fact that what could be transmitted is irrelevant; the problem lies in the synchronization of the composite channels. In general, ū.P will be used as shorthand for ū⟨y⟩.P for some y, and u.P will be used as shorthand for u(y).P where y ∉ fn(P).

Substitution and α-convertibility are defined as in the π-calculus [SW01], though we now require that the latter takes into account the possibility of composite channels. Note that given a substitution σ = {w/z} we denote the result of applying σ to z as σ(z). In this case, we then have that σ(z) = w. Moreover, substitution may imply the renaming via α-conversion of bound actions to avoid unwanted captures of free names.

### 2.2 Late Labeled Transition Semantics

We define herein a late labeled transition semantics of the π-calculus with polyadic synchronization. In addition, we provide examples that reflect the differences between this calculus and the π-calculus.

(PREFIX) $\dfrac{}{\alpha.P \xrightarrow{\alpha} P}$

(CH1) $\dfrac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'}$

(PAR1) $\dfrac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q}$ where bn(α) ∩ fn(Q) = ∅

(RES) $\dfrac{P \xrightarrow{\alpha} P'}{(\nu x)P \xrightarrow{\alpha} (\nu x)P'}$ where x ∉ nm(α)

(REP-ACT) $\dfrac{P \xrightarrow{\alpha} P'}{!P \xrightarrow{\alpha} P' \mid {!P}}$

(REP-COMM) $\dfrac{P \xrightarrow{\bar{u}\langle x\rangle} P' \qquad P \xrightarrow{u(z)} P''}{!P \xrightarrow{\tau} (P' \mid P''\{x/z\}) \mid {!P}}$

(REP-CLOSE) $\dfrac{P \xrightarrow{\bar{u}(x)} P' \qquad P \xrightarrow{u(x)} P''}{!P \xrightarrow{\tau} (\nu x)(P' \mid P'') \mid {!P}}$ where x ∉ fn(P)

(OPEN) $\dfrac{P \xrightarrow{\bar{u}\langle x\rangle} P'}{(\nu x)P \xrightarrow{\bar{u}(x)} P'}$ where x ∉ nm(u)

(CLOSE1) $\dfrac{P \xrightarrow{\bar{u}(x)} P' \qquad Q \xrightarrow{u(x)} Q'}{P \mid Q \xrightarrow{\tau} (\nu x)(P' \mid Q')}$

(COMM1) $\dfrac{P \xrightarrow{\bar{u}\langle x\rangle} P' \qquad Q \xrightarrow{u(z)} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'\{x/z\}}$

(CONV) $\dfrac{P \xrightarrow{\alpha} P'}{Q \xrightarrow{\alpha} P'}$ if Q =α P

Figure 2. Late transition rules.

DEFINITION 2.2. Late labeled transition relation

Let u = x1 · ... · xk, where k ∈ ℕ. The late labeled transition relation $\xrightarrow{\alpha} \subseteq PS \times PS$, where α is an action, is the smallest relation generated by the set of rules in Figure 2.⁴

⁴ Note that four rules are not included in the figure: the symmetric form CH2 of CH1, which has Q + P instead of P + Q, and the symmetric forms PAR2, COMM2 and CLOSE2 of PAR1, COMM1, CLOSE1, in which the roles of the left and right components are swapped.

The rules follow in a straightforward manner those of the π-calculus, considering now vectors of names as channels. Note once again that the restriction rule, RES, considers single and not composite names, i.e., restriction is partial. Nevertheless, we enforce an all-or-nothing behavior, that is, we require the match of all the names in the channel vector to allow synchronization. The following example reflects the consequences of this type of restriction.

EXAMPLE 2.3. Let P = (νx1) x̄1·x̄2⟨y⟩ and Q = x̄1·x̄2⟨y⟩. Then, P cannot perform its action on the composite channel, because of the restriction on one of its channel names, while Q can. Consider now P = x(y).ȳ·z̄⟨v⟩ | x̄⟨w⟩. Its reduction performs a substitution in (only) one of the channel names, yielding w̄·z̄⟨v⟩.

## 3. Observational Semantics

In this section we develop the behavioral theory of epi. In short, we define a contextual equivalence for epi, barbed congruence, and find its co-inductive characterization. Following the literature for the π-calculus [MPW92, San96], with the necessary adjustments we introduce the "standard" notions of bisimilarity: ground, late, early, and open. We then study their preservation by the operators of epi and inter-relate these notions, getting a lattice of discriminating power. Finally, we show that early congruence (early bisimilarity closed for all substitutions) coincides with barbed congruence, being thus its co-inductive characterization.

Although not surprising, these results are technically difficult, and some proofs deviate from those in the π-calculus. This work is necessary to provide epi with a behavioral theory.

### 3.1 A Contextual Equivalence

In this part we prove that a "natural" contextual equivalence coincides with early bisimilarity, which is thus its co-inductive characterization. We rely on a similar result obtained for the π-calculus by Sangiorgi [San92].

DEFINITION 3.1. Barbs

The predicate 'P exhibits barb β', written P ↓β, is defined by:

- P ↓u if P can perform an input action on channel u
- P ↓ū if P can perform an output action on channel u

A barb is an input or output channel identifier. Note that the predicate just defined concerns only visible and immediate possible actions. We now introduce the notion of barbed bisimilarity as proposed by Milner and Sangiorgi [MS92].

DEFINITION 3.2. Barbed bisimilarity

1. A binary symmetric relation S is a barbed bisimulation if P S Q implies:
   - if P ↓β then Q ↓β for each barb β
   - if $P \xrightarrow{\tau} P'$ then there exists a Q′ such that $Q \xrightarrow{\tau} Q'$ and P′ S Q′
2. Processes P and Q are barbed bisimilar if P S Q for some barbed bisimulation S.
3. Barbed bisimilarity, written ∼b, is the greatest barbed bisimulation.

Barbed bisimilarity is a much coarser relation than the ones introduced so far. The following example illustrates the difference between barbed bisimilarity and those notions of bisimilarity.

EXAMPLE 3.3. Let P = m̄⟨n⟩.m̄⟨n⟩ and Q = m̄⟨n⟩. Then, P and Q are barbed bisimilar since their only barb is m̄. However, P and Q are not ground, nor late, nor early, nor open bisimilar since $P \xrightarrow{\bar{m}\langle n\rangle} \bar{m}\langle n\rangle$ and $Q \xrightarrow{\bar{m}\langle n\rangle} 0$, which are obviously not bisimilar.

Note that barbed bisimilarity is not a congruence since it is not preserved by parallel composition, nor by replication, nor by substitution. Nonetheless, barbed bisimilarity is preserved by the remaining operators.

PROPOSITION 3.4. The relation ∼b is preserved by the prefixing, restriction and choice operators.
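To make Definitions 3.1 and 3.2 concrete, here is an added Python example (not code from the paper) that computes the largest barbed bisimulation, and the largest ground bisimulation of Definition 3.8 below, as greatest fixed points over small labelled transition systems written out by hand from the rules of Figure 2. It reproduces Example 3.3 and then shows the non-preservation by parallel composition just stated, by composing both processes with a constructed context m(z).m(z).r̄⟨ok⟩: the barbed relation holds for P and Q on their own but not once the context is added. The state names, the context and the `compose` helper are the example's own assumptions.

```python
TAU = ('tau',)

def greatest_bisim(lts, clause):
    """Largest symmetric relation on the states of `lts` closed under `clause`.
    Start from all pairs and discard the ones violating the clause until nothing
    changes: the greatest fixed point that 'largest bisimulation' refers to."""
    R = {(p, q) for p in lts for q in lts}
    changed = True
    while changed:
        changed = False
        for p, q in list(R):
            if not (clause(lts, p, q, R) and clause(lts, q, p, R)):
                R.discard((p, q))
                changed = True
    return R

def ground_clause(lts, p, q, R):
    """Definition 3.8: every move of p is matched by a move of q with the same label."""
    return all(any(b == a and (p1, q1) in R for b, q1 in lts[q]) for a, p1 in lts[p])

def barbs(lts, p):
    """Definition 3.1: the channels on which p can immediately input or output."""
    return {('out' if a[0] == 'bout' else a[0], a[1]) for a, _ in lts[p] if a != TAU}

def barbed_clause(lts, p, q, R):
    """Definition 3.2: same barbs, and every tau move of p matched by a tau move of q."""
    return barbs(lts, p) == barbs(lts, q) and all(
        any(b == TAU and (p1, q1) in R for b, q1 in lts[q])
        for a, p1 in lts[p] if a == TAU)

def bisimilar(lts, p, q, clause):
    return (p, q) in greatest_bisim(lts, clause)

def compose(l1, l2):
    """P | Q on the LTS level: interleaving (PAR) plus one tau move for each
    matching output/input pair (COMM). The inputs used below do not use the
    received name in their continuation, so no substitution is needed."""
    prod = {}
    for p in l1:
        for q in l2:
            moves = [(a, (p1, q)) for a, p1 in l1[p]] + [(b, (p, q1)) for b, q1 in l2[q]]
            for a, p1 in l1[p]:
                for b, q1 in l2[q]:
                    if {a[0], b[0]} == {'in', 'out'} and a[1] == b[1]:
                        moves.append((TAU, (p1, q1)))
            prod[(p, q)] = moves
    return prod

# Example 3.3, written out by hand: P = m<n>.m<n> and Q = m<n>.
OUT_MN = ('out', 'm', 'n')
EX33 = {'m<n>.m<n>': [(OUT_MN, 'm<n>')], 'm<n>': [(OUT_MN, '0')], '0': []}

# Constructed context C = m(z).m(z).r<ok>: a second input on m is what tells P from Q.
CTX = {'m(z).m(z).r<ok>': [(('in', 'm', 'z'), 'm(z).r<ok>')],
       'm(z).r<ok>': [(('in', 'm', 'z'), 'r<ok>')],
       'r<ok>': [(('out', 'r', 'ok'), '0')],
       '0': []}
PROD = compose(EX33, CTX)
P_C, Q_C = ('m<n>.m<n>', 'm(z).m(z).r<ok>'), ('m<n>', 'm(z).m(z).r<ok>')

if __name__ == '__main__':
    print(bisimilar(EX33, 'm<n>.m<n>', 'm<n>', barbed_clause))   # True
    print(bisimilar(EX33, 'm<n>.m<n>', 'm<n>', ground_clause))   # False
    print(bisimilar(PROD, P_C, Q_C, barbed_clause))              # False: not preserved by |
```

Barbed bisimulation looks only at immediate barbs and internal moves, which is why P and Q are related on their own; after the context consumes one output from each, P still offers m̄ while Q does not, so the barbs of the derivatives differ and the pair is dropped. The greatest-fixed-point loop is quadratic in the number of states per iteration, which is fine for hand-written examples but not a replacement for partition refinement on real systems.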

Closing barbed bisimilarity under parallel composition yields an equivalence notion.

DEFINITION 3.5. Barbed equivalence

Two processes P and Q are barbed equivalent, written ∼beq, if P | R ∼b Q | R for every process R.

In order to define barbed congruence we must first introduce the notion of context. Contexts are processes with a "hole".

DEFINITION 3.6. Barbed congruence

1. A context is obtained when a 'hole' [·] replaces a process in P ∈ PS.
2. The process obtained by replacing the [·] in C by P, where C is a context and P a process, is denoted by C[P].
3. Two processes P and Q are barbed congruent, written ≃b, if C[P] ∼b C[Q] for every context C[·].

We now extend to epi the result that establishes an alternative definition of barbed congruence in the π-calculus, as done by Sangiorgi and Walker [SW01].

LEMMA 3.7. P ≃b Q if and only if Pσ ∼beq Qσ for any substitution σ.

The notion of barbed congruence was proposed by Milner and Sangiorgi [MS92], while the less demanding notion of barbed equivalence was later proposed by Sangiorgi [San92]. Note that barbed equivalence and barbed congruence do not coincide, as there are processes barbed equivalent but not barbed congruent (see Example 3.34 in the long version of this paper [MR07]).

### 3.2 Four Notions of Bisimilarity

Seeking a co-inductive characterization of barbed congruence, we define the usual notions of bisimilarity, and inter-relate them. The first notion we will consider is that of ground bisimilarity, where there is no name instantiation.

DEFINITION 3.8. Ground bisimilarity

1. A binary symmetric relation S is a ground bisimulation if P S Q implies: if $P \xrightarrow{\alpha} P'$ where bn(α) ∩ fn(P, Q) = ∅ then there is a Q′ such that $Q \xrightarrow{\alpha} Q'$ and P′ S Q′.
2. Processes P and Q are ground bisimilar if P S Q for some ground bisimulation S.
3. Ground bisimilarity, written ∼g, is the largest ground bisimulation.⁵

⁵ The existence and uniqueness of a largest bisimulation is a direct consequence of the Knaster-Tarski Fixed Point Theorem.

The notion of ground bisimilarity is very simple since a process merely has to imitate the other in its possible transitions and vice versa, without considering name instantiation. Unfortunately, as in the π-calculus, a consequence of this is that ground bisimilarity is not preserved by the parallel composition operator, as seen in the following example.

EXAMPLE 3.9. Let P = (νa)(z(w).ā·w̄⟨c⟩ | a·y(b)) and Q = z(w). Then P and Q are ground bisimilar since after performing the input action they both become inactive. Conversely, P′ = P | z̄⟨y⟩ $\xrightarrow{\tau}$ (νa)(ā·ȳ⟨c⟩ | a·y(b)), which can also perform an internal action, while Q′ = Q | z̄⟨y⟩ can only perform one internal action and then becomes inactive. We can then conclude that although P and Q are ground bisimilar, P′ and Q′ are not ground bisimilar.

Ground bisimilarity is not preserved by replication either. A counter-example may be found in the long version of this paper.⁶

⁶ Several propositions in the remainder of this section present results with strict inclusions. The counter-examples may be found in the long version of this paper.

Nonetheless, ground bisimilarity is preserved, just like in the π-calculus, by the remaining operators.

LEMMA 3.10. The relation ∼g is preserved by the restriction, the prefixing and the choice operators.

We now introduce the notions of late and early bisimilarity, which differ in their treatment of name instantiation for input actions. The definitions of these notions are standard. In late bisimilarity we require that the derivative of a process simulates the derivative of the other process (and vice versa) for all possible instantiations of the bound parameter. It is called late because the choice of the name instantiation is made after the choice of the derivative.

DEFINITION 3.11. Late bisimilarity

Let u = x1 · ... · xk where k ∈ ℕ.

1. A binary symmetric relation S is a late bisimulation if P S Q implies:
   - if $P \xrightarrow{\alpha} P'$ where α = ū⟨y⟩, ū(y) or τ and bn(α) ∩ fn(P, Q) = ∅ then there is a Q′ such that $Q \xrightarrow{\alpha} Q'$ and P′ S Q′.
   - if $P \xrightarrow{u(y)} P'$ where y ∉ fn(P, Q) then there is a Q′ such that $Q \xrightarrow{u(y)} Q'$ and for each w, P′{w/y} S Q′{w/y}.
2. Two processes P and Q are late bisimilar if P S Q for some late bisimulation S.
3. Late bisimilarity, written ∼l, is the largest late bisimulation.

In early bisimilarity we require that under the same possible name instantiation there is a derivative of each of the processes that simulates the other and vice versa. It is named early because the choice of the name instantiation is made before the choice of the derivative.

DEFINITION 3.12. Early bisimilarity

Let u = x1 · ... · xk where k ∈ ℕ.

1. A binary symmetric relation S is an early bisimulation if P S Q implies:
   - if $P \xrightarrow{\alpha} P'$ where α = ū⟨y⟩, ū(y) or τ and bn(α) ∩ fn(P, Q) = ∅ then there is a Q′ such that $Q \xrightarrow{\alpha} Q'$ and P′ S Q′.
   - if $P \xrightarrow{u(y)} P'$ where y ∉ fn(P, Q) then for each w there is a Q′ such that $Q \xrightarrow{u(y)} Q'$ and P′{w/y} S Q′{w/y}.
2. Two processes P and Q are early bisimilar if P S Q for some early bisimulation S.
3. Early bisimilarity, written ∼e, is the largest early bisimulation.

Similarly to what happens in the π-calculus, in the π-calculus with polyadic synchronization both late and early bisimilarity are not preserved by input prefixing, but are preserved by all other operators.

PROPOSITION 3.13. The relations ∼l and ∼e are preserved by all operators except input prefixing.

Moreover, as in the original π-calculus, congruences for late and early bisimilarity, ≃l and ≃e, are achieved by closing the equivalences over all name substitutions [MPW92]. The relations between the notions of late bisimilarity and late congruence, and of early bisimilarity and early congruence, are shown in the following proposition.

PROPOSITION 3.14. ≃l ⊂ ∼l and ≃e ⊂ ∼e.

The notion of open bisimilarity was introduced by Sangiorgi and proved to be a congruence relation in the π-calculus [San96]. That is also the case here: in epi, open bisimilarity is a congruence.

DEFINITION 3.15. Open bisimilarity

1. A binary symmetric relation S is an open bisimulation if P S Q implies, for every substitution σ: if $P\sigma \xrightarrow{\alpha} P'$ where bn(α) ∩ fn(Pσ, Qσ) = ∅ then there is a Q′ such that $Q\sigma \xrightarrow{\alpha} Q'$ and P′ S Q′.
2. Two processes P and Q are open bisimilar if P S Q for some open bisimulation S.
3. Open bisimilarity, written ∼o, is the largest open bisimulation.

As expected, open bisimilarity is a congruence.

PROPOSITION 3.16. The relation ∼o is preserved by all operators.

Thus the congruence properties appear to stem directly from those of the π-calculus. However, ground bisimilarity is a full congruence in the asynchronous π-calculus without match [San00] (and a similar result holds for late and for early bisimilarity [HHK95]), but this result does not hold if we consider the asynchronous π-calculus with polyadic synchronization, as seen in Example 3.9. Matching does not need to be considered as a primitive in the π-calculus with polyadic synchronization (synchronous or asynchronous) since it can be derived. Therefore, ground, late and early bisimilarities are not congruences in the asynchronous π-calculus with polyadic synchronisation (without match).

We now analyze the relationships between the bisimilarity relations previously defined and present a general diagram that summarizes these results in Corollary 3.20. The results and proofs are similar to those presented for the π-calculus [MPW92, Qua99]. The largest open bisimulation is itself a late bisimulation, and it is also included in late congruence.

PROPOSITION 3.17. ∼o ⊂ ∼l and ∼o ⊂ ≃l.

Late bisimilarity is itself an early bisimulation, although the reverse does not hold. The same result holds if we consider the notions of late and early congruences instead of late and early bisimilarity.

PROPOSITION 3.18. ∼l ⊂ ∼e and ≃l ⊂ ≃e.

Our last result shows that if two processes are early bisimilar then they are also ground bisimilar, although the reverse does not hold.

PROPOSITION 3.19. ∼e ⊂ ∼g.

We now summarize the results presented in the following diagram, where → stands for strict inclusion ⊂.

COROLLARY 3.20.

$$\begin{array}{ccccccc}
\sim_o & \to & \sim_l & \to & \sim_e & \to & \sim_g \\
 & \searrow & \uparrow & & \uparrow & & \\
 & & \simeq_l & \to & \simeq_e & &
\end{array}$$

Sangiorgi obtained an alternative characterization of barbed equivalence by proving it coincided with early bisimilarity [San92]. We extend that result to the π-calculus with polyadic synchronisation, completing the behavioral theory.

THEOREM 3.21. ∼e = ∼beq

COROLLARY 3.22. ≃e = ≃b

## 4. Encoding Cryptographic Primitives

To our knowledge, the first mention of a possible encoding of a calculus with cryptographic primitives into a calculus with polyadic synchron­ization was put forth by Abadi and Gordon [AG97]. The idea can be summarized in the following way: the sending of a message m encrypted under a key k over a channel a can be seen as ā·k̄⟨m⟩.P. In order to receive this message, the other party needs to know the channel where the message is being transmitted and the key, which could be represented as a·k(m).P.

An encoding of symmetrical key encryption primitives into the π-calculus with polyadic synchronisation is proposed by Carbone and Maffeis in the introduction of their paper to further illustrate its expressive power [CM03]:

[| encrypt m ?k x in P |]  def=  (νx)( !x̄·k̄⟨m⟩ | [| P |] )

[| decrypt x ?k m in P |]  def=  x·k(m).[| P |]

However, Carbone and Maffeis do not define the semantics of the primitives, and thus do not study the properties of the encoding (moreover, they have not developed the behavioral theory of epi). Herein we do all that work: we first add to epi two nondeterministic, symmetrical, key encryption primitives, encrypt and decrypt, defining the cryptographic π-calculus with polyadic synchronization (crypto-epi), and extend the epi labeled transition system with rules dealing with these new constructs. Then we show that the new constructors preserve the bisimilarity relations defined for epi, and finally, we prove that these cryptographic primitives are derivable constructs: crypto-epi can be fully abstractly encoded in epi; thus we prove that the original calculus does not need to be extended with those primitives, at least from the point of view of expressiveness. Moreover, since the encoding is fully abstract, crypto-epi enjoys all the behavioral theory of epi.

The main achievement here is thus a mobile calculus with cryptographic primitives enjoying the "standard" behavioral theory. Adapting analysis tools like the Mobility Workbench [Vic94, VM94] should be straightforward.

4.1

Syntax.

Definition 2.1): encryptm ?kxinP and decryptx ?kminP.

The first construct nondeterministically encrypts the cipher text m

under key k and returns the encrypted message as the fresh name x,

to be used in the scope of P, where it occurs bound. The decryption

of message x through the key k (used to encrypt the message) binds

the name m in the continuation P to the original message. Notice

that one, when encrypting, does not expect free occurrences of m

and k in P; and when decrypting, does not expect free occurrences

of x and k in P.

Labeled Transition Semantics.

(page 3), together with the rules in Figure 3 inductively define

the transition semantics of crypto-epi.

The behavioral theory of epi extends naturally to this new set-

ting.Thenotionsofbisimilarity,introducedinSection3,enjoysim-

ilar properties when consider the new constructs. Notice that the

decrypt primitive behaves like an input prefix, thus it does not pre-

serve ground, early or late bisimilarity, but naturally, it preserves

open bisimilarity. The notion of early congruence in crypto-epi

is obtained in the same manner, and the results in Corollary 3.22

also extend straightforwardly to this new setting. Therefore, the

theory developed can be used to analyze and (equationally) prove

properties of security protocols. To present the examples below

we need to introduce some results. First, notice that syntactical

equality is an early bisimilarity, and that any strong bisimilarity is

strictly included in the corresponding weak version. In particular,

=⊂?e⊂≈e.

Cryptographic epi

Consider two extra productions in the syntax of epi (cf.

The rules of epi in Figure 2

(ENC)

P

α

−→ P?

α

−→ encryptm ?kxinP?

encryptm ?kxinP

where α ?= u?x? and if α ∈ {u?y?,u(y),u(y)} then x ?∈ nm(u)

(ENC-OPEN)

P

u?x?

−→ P?

encryptm ?kxinP

u(x)

−→ !x · k?m? | P?

where x ?∈ nm(u)

(DEC)

−−

decryptx ?ky inP

x·k(y)

−→ P

Figure 3. Late transition rules for the cryptographic constructs.

Second, the usual structural congruence laws of the π-calculus

[MPW92, SW01] also hold in any bisimilarity. Therefore, we use

below instances of the following laws.7

LEMMA 4.1 (Structural Laws).

1. (PS,|,0) is a commutative mono¨ ıd with respect to ?e.

2. (νx)0 ?e 0 and (νx)!x · k?m? ?e 0

3. (νx)(P | Q) ?e (P | (νx)Q), if x / ∈ fn(P)

LEMMA 4.2.

1. encryptm ?kxinP ?e (νx)(!x · k?m? | P)

2. decryptx ?kminP ?e x · k(m).P

PROOF. Construct the respective bisimulations containing the pair

in question and, in the two last cases, the identity relation on

processes.

2

4.2 A secure message exchange

Sending a value on a free (i.e. public) channel is insecure, as any context (i.e. observer) can have access to it. Bound (i.e. private) channels are, in this framework, considered secure. Since one often needs to send sensitive data on public channels, we would like to show two basic properties: (1) decrypting an encrypted value with the correct key gives back the original value, and no other key produces it; and (2) sending encrypted values on public channels is secure, as observers without the right keys cannot decrypt them.

To illustrate the use of these properties (and their correctness), consider a cryptographic protocol for secure message exchange, proposed by Carbone and Maffeis [CM03], defined as (νsec)(P | Q) where P and Q are the following processes.

    P  def=  (νk) sec⟨k⟩.public(y).decrypt y ?k w in R
    Q  def=  (νm) sec(z).encrypt m ?z x in public⟨x⟩.S

Assume that sec occurs free neither in R nor in S, m does not occur free in R, and k and z do not occur free in S. We show the correctness of the protocol (with respect to weak bisimilarity, to ignore silent moves): an external observer can get neither the key k nor the clear text message m during the execution of the protocol, since the transfer of the knowledge of the key is done on a secure, because private, channel (sec). Moreover, decrypting the encrypted value x with the key k (and with it only) gives back the original value m.

⁷ Instead of proving each of these laws one may prove the "Harmony Lemma", which establishes that structural congruence is a bisimulation.

The following equation captures the correctness of the protocol.

    (νsec)(P | Q) ≈e (νk,m)(R{m/w} | encrypt m ?k x in S)

The analysis below proves the equation. Note that the protocol is deterministic.

1. Consider the following processes: P′ def= public(y).decrypt y ?k w in R, and Q′ def= (νm) encrypt m ?k x in public⟨x⟩.S{k/z}. The first step is the transmission of the key on channel sec:

    (νsec)(P | Q) −τ→ (νsec,k)(P′ | Q′).

2. Consider now the following processes: P″ def= decrypt x ?k w in R{x/y}, and Q″ def= (νm)(!x·k⟨m⟩ | S{k/z}). The next step is the transmission of the encrypted message:

    (νsec,k)(P′ | Q′) −τ→ (νsec,k,x)(P″ | Q″).

3. Finally, the encrypted message is decrypted:

    (νsec,k,x)(P″ | Q″) −τ→ (νsec,k,x,m)(R{x/y}{m/w} | (!x·k⟨m⟩ | S{k/z}))

Since x ∉ fn(R) and k,m ∉ fn(S), then R{x/y} = R and S{k/z} = S. Moreover, sec ∉ fn(R) ∪ fn(S). Thus, using the laws presented above, one concludes the proof by transitivity.

    (νsec,k,x,m)(R{x/y}{m/w} | (!x·k⟨m⟩ | S{k/z}))
    = (νsec,k,x,m)(R{m/w} | (!x·k⟨m⟩ | S))
    ?e (νk,m)(R{m/w} | (νx)(!x·k⟨m⟩ | S))
    ?e (νk,m)(R{m/w} | encrypt m ?k x in S)
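As an added illustration (not code from the paper, nor from Carbone and Maffeis), the Python below implements a small reducer for the encoding of Lemma 4.2 and replays the three τ-steps of the exchange above under polyadic synchronisation: a receiver can consume !x·k⟨m⟩ only by presenting the whole composite channel x·k. The names k, m, x, sec, public and the marker channel r are constructed; R is taken to be r⟨w⟩ and S to be 0, and restriction is left implicit because all constructed names are distinct.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Out:   # chan⟨msg⟩.cont; chan is a tuple of names, ('x', 'k') being the composite x·k
    chan: tuple; msg: str; cont: object = None; repl: bool = False   # repl marks !chan⟨msg⟩
@dataclass(frozen=True)
class In:    # chan(var).cont
    chan: tuple; var: str; cont: object = None

def flat(p):
    """Parallel composition is a Python list and 0 is None; flatten into threads."""
    return [] if p is None else [t for q in p for t in flat(q)] if isinstance(p, list) else [p]

def subst(p, var, name):
    """p{name/var}. All constructed names are distinct, so no capture can occur."""
    ren = lambda c: tuple(name if n == var else n for n in c)
    if isinstance(p, list):
        return [subst(q, var, name) for q in p]
    if isinstance(p, Out):
        return Out(ren(p.chan), name if p.msg == var else p.msg, subst(p.cont, var, name), p.repl)
    if isinstance(p, In):   # the subject is free; stop at the binder if it rebinds var
        return In(ren(p.chan), p.var, p.cont if p.var == var else subst(p.cont, var, name))
    return p

def encrypt(m, k, x, cont):
    """Lemma 4.2(1): encrypt m under k as x in P  is  (νx)(!x·k⟨m⟩ | P), x fresh."""
    return [Out((x, k), m, repl=True), cont]

def decrypt(x, k, m, cont):
    """Lemma 4.2(2): decrypt x with k as m in P  is  x·k(m).P"""
    return In((x, k), m, cont)

def step(soup):
    """One τ-step: an output and an input synchronise only on an identical composite
    channel, so a receiver must know both x and k to consume x·k⟨m⟩."""
    for i, out in enumerate(soup):
        for j, inp in enumerate(soup):
            if isinstance(out, Out) and isinstance(inp, In) and inp.chan == out.chan:
                rest = [t for n, t in enumerate(soup) if n not in (i, j)]
                keep = [out] if out.repl else []   # a replicated output persists
                return rest + keep + flat(out.cont) + flat(subst(inp.cont, inp.var, out.msg))
    return None

def run(soup):
    """Reduce until no τ-step applies and return the residual threads."""
    soup = flat(soup)
    while (nxt := step(soup)) is not None:
        soup = nxt
    return soup
# What the continuation R reported on the constructed marker channel r.
delivered = lambda soup: [t.msg for t in soup if isinstance(t, Out) and t.chan == ('r',)]
R = Out(('r',), 'w')   # R simply publishes whatever w was bound to; S is taken to be 0
# Section 4.2: P = (νk) sec⟨k⟩.public(y).decrypt y with k as w in R, Q = (νm) sec(z).encrypt m under z as x in public⟨x⟩.0
P = Out(('sec',), 'k', In(('public',), 'y', decrypt('y', 'k', 'w', R)))
Q = In(('sec',), 'z', encrypt('m', 'z', 'x', Out(('public',), 'x')))

def protocol():
    return delivered(run([P, Q]))   # after the three τ-steps R holds the clear text m

def decrypt_with(key):   # property (1): only the encrypting key k opens x·k⟨m⟩
    return delivered(run(encrypt('m', 'k', 'x', decrypt('x', key, 'w', R))))
```

Beyond the derivation on the page, decrypt_with also shows that a receiver holding x together with any other key, or x alone, is simply stuck: no τ-step exists because the composite channels differ.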

4.3 A Fully Abstract Encoding

In order to prove the soundness and completeness of the encoding with respect to barbed congruence, which we proved in Corollary 3.22 to coincide with early congruence, we build on successive auxiliary results.

Note that we will consider as a target language a sub-calculus of epi without summation (as we just saw, cryptographic protocols do not necessarily make use of this construct). We consider this calculus both with and without cryptographic primitives (encoding the first, crypto-epi, in the second, epi) because the proof is lighter. Henceforth, whenever we write P we refer to a process of the cryptographic π-calculus with polyadic synchronization.

LEMMA 4.3 (Substitution Lemma). [|Pσ|] = [|P|]σ, for any substitution σ.

The following lemma shows a strong operational correspondence between the actions of a process and the actions of its encoding.

LEMMA 4.4 (Operational Correspondence).
1. If [|P|] −α→ Q then there is a P′ such that P −α→ P′ and [|P′|] = Q.
2. If P −α→ P′ then [|P|] −α→ [|P′|].

The following lemma prepares the ground for proving the soundness and the completeness of the encoding.

LEMMA 4.5.
1. If [|P|] ∼e [|Q|] then P ∼e Q.
2. If [|P|] ∼beq [|Q|] then P ∼beq Q.

PROOF.
1. We prove that R = {(P,Q) : [|P|] ∼e [|Q|]} is an early bisimulation (cf. Definition 3.12 on page 5). Case P −α→ P′ (the case Q −α→ Q′ is similar, and we omit its analysis). Then, by Lemma 4.4.2 we have that [|P|] −α→ [|P′|]. Since by hypothesis [|P|] ∼e [|Q|], there is a Q′ such that [|Q|] −α→ Q′, and by Lemma 4.4.1 we have that there is a Q″ such that Q −α→ Q″, where [|Q″|] = Q′. We split the proof according to the possible transitions of [|P|].
   Case α ∈ {τ, u⟨y⟩, ū(y)}, where bn(α) ∩ fn(P,Q) = ∅. By definition of ∼e we have that [|P′|] ∼e [|Q″|] and therefore P′ R Q″.
   Case α = u(y) where y ∉ fn(P,Q). The reasoning is similar to the one above. By definition of ∼e we have [|P′|]{w/y} ∼e [|Q″|]{w/y}, and by application of Lemma 4.3 we know that [|P′{w/y}|] ∼e [|Q″{w/y}|] holds as well. Therefore, we conclude that P′{w/y} R Q″{w/y}.
2. Follows directly from Lemma 4.5.1 and Theorem 3.21, where it was proved that early bisimulation coincides with barbed equivalence. □

We are now in a position to prove a main result: there is a fully abstract encoding of the cryptographic primitives in epi.

THEOREM 4.6 (Soundness). If [|P|] ?b [|Q|] then P ?b Q.

PROOF. If [|P|] ?b [|Q|] then for any substitution σ we have that [|P|]σ ∼beq [|Q|]σ. By Lemma 4.3 we then know that [|Pσ|] ∼beq [|Qσ|], and by Lemma 4.5.2 we have, as required, Pσ ∼beq Qσ. □

LEMMA 4.7.
1. If P ∼e Q then [|P|] ∼e [|Q|].
2. If P ∼beq Q then [|P|] ∼beq [|Q|].

PROOF. Similar to the one of the previous lemma. □

THEOREM 4.8 (Completeness). If P ?b Q then [|P|] ?b [|Q|].

PROOF. If P ?b Q then for any substitution σ we have that Pσ ∼beq Qσ. By Lemma 4.7.2 then [|Pσ|] ∼beq [|Qσ|] and by Lemma 4.3 we know that [|Pσ|] = [|P|]σ, thus we conclude that [|P|]σ ∼beq [|Q|]σ, i.e., [|P|] ?b [|Q|]. □

5. Conclusions and Future Work

The various variants of the π-calculus possess a very rich behavioral theory, with contextual equivalences characterized by bisimulations, and with axiomatic laws for reasoning about programs. However, the extra structure for data handling in cryptographic calculi like the Applied π-calculus or Spi severely complicates equational reasoning: naïve adaptations of bisimulations are not adequate; the new notions developed are "heavy", and difficult to automate [AF01, AG97, BAF07, BNP02, BN05].

Our contribution is this: we provide standard behavioral theory for a mobile calculus with nondeterministic, symmetrical key encryption primitives. This work may be used not only to directly analyze security protocols (possibly defining other cryptographic primitives), but also to study the relationship with the other calculi, comparing the observational equivalences and trying to define encodings. Moreover, adapting analysis tools like the Mobility Workbench [Vic94, VM94] should be straightforward.

Aim and achievements. One aim of this work is to show that the π-calculus with polyadic synchronization, epi, is expressive enough to provide behavioral theory for the study of cryptographic protocols. In particular, we show that, in epi, explicit encryption and decryption primitives (handy for specifying protocols, but a burden when developing behavioral theory) are not needed because they may be fully abstractly encoded. Thus, they may simply be defined as programming constructs, which simplifies the development of the behavioral theory and of analysis tools.

To attain this aim, we study in detail the behavioral semantics of epi. We first define a contextual equivalence, barbed congruence, and look for a co-inductive congruence relation which characterizes it. To obtain such a result, we define in epi the usual notions of bisimilarity proposed for the π-calculus, and compare them, establishing a lattice of inter-relations (similar to that of the π-calculus). We establish that, in epi, barbed congruence, the "natural" contextual equivalence, coincides with early bisimilarity. Moreover, we extend epi with nondeterministic, symmetrical, cryptographic primitives, defining the syntax and operational semantics of this new calculus. The behavioral theory also extends naturally to this setting. Following Carbone and Maffeis [CM03] we define an encoding of the new constructs for encryption and decryption of messages into the original epi. Furthermore, we prove that such an encoding is sound and complete with respect to barbed congruence. This fully abstract encoding allows importing into crypto-epi all the behavioral theory of epi. We therefore conclude that the π-calculus with polyadic synchronization (epi) is potentially expressive enough to provide behavioral theory for analyzing and verifying security protocols. To illustrate the use of the theory developed, we prove the correctness of a protocol of secure message exchange. This work strengthens the hypothesis that a fully abstract encoding of a crypto calculus like the Spi-calculus into epi is possible. Notice that Baldamus et al. already proposed an encoding of Spi into the pi-calculus, but only preserving may testing [BPV04].

Future work. We plan to study if and how epi can express properties of cryptographic protocols such as authenticity and secrecy. In particular, we shall address the following issues: (1) adapt the Mobility Workbench to work with this setting; (2) deal with other crypto primitives; (3) develop equational (axiomatic) theory; (4) test with larger examples / known protocols; (5) look for a more general encoding (the one presented is ad-hoc); and (6) study an encoding of Spi and/or of Applied Pi into epi.

Acknowledgements

This research has initially been carried out in the context of Joana Martinho's Master in Software Systems Engineering at Aalborg University, supervised by Luca Aceto and António Ravara. Special thanks to Luca for all the support and guidance on this research. We also thank Michele Boreale, Marco Carbone, Sergio Maffeis, and the anonymous referees for useful comments on some of the matters discussed herein. António Ravara was partially supported by the EU FEDER and FCT, via the Center for Logic and Computation, and the EU IST proactive initiative FET-Global Computing (project Sensoria, IST–2005–16004).

References

[AF01] Martín Abadi and Cédric Fournet. Mobile values, new names, and secure communication. In Proceedings of the 28th ACM Symposium on Principles of Programming Languages (POPL'01), pages 104–115. ACM Press, 2001.

[AG97] Martín Abadi and Andrew D. Gordon. A calculus for cryptographic protocols: The spi calculus. In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 36–47. ACM Press, 1997.

[BAF07] Bruno Blanchet, Martín Abadi, and Cédric Fournet. Automated verification of selected equivalences for security protocols. Journal of Logic and Algebraic Programming, 2007. To appear.

[BN05] Johannes Borgström and Uwe Nestmann. On bisimulations for the spi calculus. Mathematical Structures in Computer Science, 15(3):487–552, 2005.

[BNP02] Michele Boreale, Rocco De Nicola, and Rosario Pugliese. Proof techniques for cryptographic processes. SIAM Journal on Computing, 31(3):947–986, 2002.

[BPV04] Michael Baldamus, Joachim Parrow, and Björn Victor. Spi calculus translated to π-calculus preserving may-testing. In Proceedings of the 19th Annual IEEE Symposium on Logic in Computer Science (LICS '04), pages 21–31. IEEE Computer Society, 2004.

[CM03] Marco Carbone and Sergio Maffeis. On the expressive power of polyadic synchronization in π-calculus. Nordic Journal of Computing, 10(2):70–98, 2003.

[HHK95] Martin Hansen, Hans Hüttel, and Josva Kleist. Bisimulations for asynchronous mobile processes. In Proceedings of the Tbilisi Symposium on Language, Logic, and Computation. Research paper HCRC/RP-72, Human Communication Research Centre, University of Edinburgh, 1995.

[MPW92] Robin Milner, Joachim Parrow, and David Walker. A calculus of mobile processes, part I/II. Journal of Information and Computation, 100:1–77, 1992.

[MR07] Joana Martinho and António Ravara. Encoding cryptographic primitives in a calculus with polyadic synchronisation. Technical report, Department of Mathematics, Instituto Superior Técnico, Technical University of Lisbon, Portugal, 2007. URL: www.math.ist.utl.pt/~amar/papers/cepi-long.pdf.

[MS92] Robin Milner and Davide Sangiorgi. Barbed bisimulation. In Proceedings of the 19th International Colloquium on Automata, Languages and Programming (ICALP '92), volume 623 of Lecture Notes in Computer Science, pages 685–695. Springer-Verlag, 1992.

[Qua99] Paola Quaglia. The pi-calculus: Notes on labelled semantics. Bulletin of the European Association for Theoretical Computer Science (EATCS), 68:104–114, 1999.

[San92] Davide Sangiorgi. Expressing Mobility in Process Algebras: First-Order and Higher-Order Paradigms. PhD thesis CST–99–93, Department of Computer Science, University of Edinburgh, U. K., 1992.

[San96] Davide Sangiorgi. A theory of bisimulation for the π-calculus. Acta Informatica, 33:69–97, 1996. An extract appeared in Proceedings of the 4th International Conference on Concurrency Theory (CONCUR '93), Lecture Notes in Computer Science 715, Springer-Verlag.

[San00] Davide Sangiorgi. Lazy functions and mobile processes. In Gordon Plotkin, Colin Stirling, and Mads Tofte, editors, Proof, Language and Interaction: Essays in Honour of Robin Milner. M. I. T. Press, 2000.

[SW01] Davide Sangiorgi and David Walker. The π-calculus: a Theory of Mobile Processes. Cambridge University Press, 2001.

[Vic94] Björn Victor. A Verification Tool for the Polyadic π-Calculus. Licentiate thesis, Department of Computer Systems, Uppsala University, Sweden, 1994. Available as report DoCS 94/50.

[VM94] Björn Victor and Faron Moller. The Mobility Workbench — a tool for the π-calculus. In Proceedings of the 6th International Conference on Computer Aided Verification (CAV '94), volume 818 of Lecture Notes in Computer Science, pages 428–440. Springer-Verlag, 1994.
