Polynomial-time logic and livenessvarmo/tday-nelijarve/laud-slides.pdf · Polynomial-time logic and liveness (work in progress) Peeter Laud Cybernetica AS & Tartu University (joint

Polynomial-time logic and liveness(work in progress)

Peeter Laud

Cybernetica AS & Tartu University(joint work with Dominique Unruh)

February 5th, 2011

Peeter Laud (Cybernetica AS & Tartu University (joint work with Dominique Unruh))Polynomial-time logic and liveness February 5th, 2011 1 / 24

Propositional Logic

Let Varb be a set of propositional variables

Let b range over Varb

Let B = {true, false}

Propositional formulas F

F ::= true | b | ¬F | F1 ∨ F2

Aliases

false ≡ ¬true

F1 ∧ F2 ≡ ¬(¬F1 ∨ ¬F2)

F1 ⊃ F2 ≡ ¬F1 ∨ F2


Classical semantics of propositional formulas

Worlds

A world is a map W : Varb → B.

A formula being true in a world

W � true

W � b if W (b) = true

W � ¬F if W 6� F

W � F1 ∨ F2 if W � F1 or W � F2

A formula is valid if it is true in all worlds


First-order logic

Let F and P be finite sets of functional and predicate symbols.I With fixed aritiesI Ranged over by f and P, respectively

Let Vari be a set of first-order variables.I Ranged over by x

Terms t

t ::= x | f (t1, . . . , tn)

First-order formulas F

F ::= . . . | P(t1, . . . , tn) | ∃x .F

Aliases

∀x .F ≡ ¬∃x .¬F


Classical semantics of first-order formulas

Frames

A frame is F = (S, ιF , ιP), where

S ⊆ {0, 1}∗ is a set

ιF (f ) is a mapping Sarity(f ) → S

ιP(P) is a mapping Sarity(P) → B.

Worlds

A world in frame F is a pair (Wi ,Wb), where

Wi : Vari → S

Wb : Varb → B


Classical semantics of first-order formulas

Let F = (S, ιF , ιP) be fixed.

Evaluating terms

Let Wi : Vari → S

Define Wi (f (t1, . . . , tn)) = ιF (f )(Wi (t1), . . . ,Wi (tn))

A formula being true in a world

W � true

W � b if Wb(b) = true

W � ¬F if W 6� F

W � F1 ∨ F2 if W � F1 or W � F2

W � P(t1, . . . , tn) if ιP(P)(Wi (t1), . . . ,Wi (tn)) = true

W � ∃x .F if exists v ∈ S, such that(Wi [x 7→ v ],Wb) � F


First-order linear temporal logic

FO LT formulas F

F ::= . . . | ©F | F1 U F2

Aliases

♦F ≡ true U F

�F ≡ ¬♦¬FF1W F2 ≡ (F1 U F2) ∨�F1

Used to argue about traces produced by systems


Classical semantics of FO LT formulas

Traces

A trace T is a sequence T0, T1, T2, . . . of worlds

A formula being true in point i of trace T

(T , i) � ∃x .F if exists v ∈ S, such that(T [x 7→ v ], i) � F

(T , i) �©F if (T , i + 1) � F

(T , i) � F1 U F2 if exists j ≥ i , such that

(T , j) � F2(T , k) � F1 for all k ∈ {i , i + 1, . . . , j − 1}

where T [x 7→ v ] is (T0,i [x 7→ v ], T0,b), (T1,i [x 7→ v ], T1,b), . . .


Two views of cryptography

Formal (“Dolev-Yao”) view

Messages — elements of a term algebra.

Possible operations on messages are enumerated.

Choices in semantics — non-deterministic.I Protocol and the adversary are easily represented in some process

calculus.

Simpler to analyse.

Computational view

Messages — bit strings.

Possible operations on messages — everything in PPT.

Choices in semantics — probabilistic.I Protocol and adversary — a set of probabilistic interactive Turing

machines.

Closer to the real world.


LT logic and protocol properties

A run of a protocol produces a trace.

A trace may or may not satisfy a LT formula.

Many important protocol properties can be stated as trace properties:

I In formal model: all traces satisfy the formula.I In computational model: the probability that a trace does not satisfy

the formula is negligible in the security parameter.

Safety properties state that bad things never occurI Extensively studied

Liveness properties state that something good eventually occursI Much less studiedI Especially in the computational model


Games

Two players, E (proponent) and A (opponent).

A game is determined by its tree.I Each node labeled by E or A.I Each edge labeled by the name of the move.I The label of a non-leaf node denotes the party on the move.I The label of a leaf node denotes the winner.

A game tree may be infinite both in width and in depth.I Not really in this talk.


Game-based semantics for propositional formulas

Let W : Varb → B.

Game trees for formulas

The game tree [[true]] of true has a single node labeled E .

The game tree [[b]] of b ∈ Varb has a single node labeled with E isW (b) = true.

The game tree [[¬F ]] is the same as [[F ]], with node labels swapped.

The game tree [[F0 ∨ F1]] consists ofI the root node v , labeled with E ;I the trees [[F0]] and [[F1]];I Edges labeled z ∈ {0, 1} from the node v to the root nodes of [[Fz ]].

Semantics

W � F if E has winning strategy in [[F ]].


Example

A ∧ (B ∨ C )⊃ (A ∧ B) ∨ (A ∧ C )

If A and (B or C ) then pick (A ∧ B) ∨ (A ∧ C )I If B then pick A ∧ BI Otherwise (if C then) pick A ∧ C

otherwise pick A ∧ (B ∨ C ) to be attackedI If A then pick B ∨ CI Otherwise pick A


Semantics is not good enough

F ∨ ¬FGive a winning strategy for E .

I Without deeply examining F .

Do you pick F or ¬F???

We’d like to make A play against itself. . .

Let A attack both F and ¬F .

E causes A to play against itself, winning one game and losing one.

E wins because it wins when A loses.

Need to change semantics of disjunction


Semantics is not good enough

F ∨ ¬FGive a winning strategy for E .

I Without deeply examining F .

Do you pick F or ¬F???

We’d like to make A play against itself. . .

Let A attack both F and ¬F .

E causes A to play against itself, winning one game and losing one.

E wins because it wins when A loses.

Need to change semantics of disjunction


Game-based semantics of disjunction

Some notation

For game tree T and available move m, let Tm be the subtree afterthe move m.

For game trees T0, T1,. . .Tn, let T0|T1| · · · |Tn denote the followingtree:

I Root node v is labeled with E , has children w0, w1, . . . , wn.F Edge from v to wz is labeled with z .

I The node wz has the same label and possible moves as the root nodeof Tz .

I The tree following the move m from wi isT0| · · · |Ti−1|Tm

i |Ti+1| · · · |Tn.

Game corresponding to F0 ∨ F1

[[F0 ∨ F1]] = [[F0]]|[[F1]].


Game-based semantics for FO and LT formulasLet the frame F and the world W / trace T be fixed.

Game tree for ∃

[[∃x .F ]] =∣∣∣v∈S

[[F [v/x ]]]

Another formula constructor

@tF is a formula for a FO LT formula F and a term t.

(T , i) � @tF if (T , i + |t|) � F

In game-based setting, shift the trace.

Introduce the predicate | · | < | · | with obvious interpretation.

Syntactic sugar

©F ≡ @1F

F1 U F2 ≡ ∃x .(@xF2 ∧ ∀y .(|y | < |x | ⊃ @yF1))


Game-based semantics for FO and LT formulasLet the frame F and the world W / trace T be fixed.

Game tree for ∃

[[∃x .F ]] =∣∣∣v∈S

[[F [v/x ]]]

Another formula constructor

@tF is a formula for a FO LT formula F and a term t.

(T , i) � @tF if (T , i + |t|) � F

In game-based setting, shift the trace.

Introduce the predicate | · | < | · | with obvious interpretation.

Syntactic sugar

©F ≡ @1F

F1 U F2 ≡ ∃x .(@xF2 ∧ ∀y .(|y | < |x | ⊃ @yF1))


Example∀1x .(P2(x)⊃3 Q4(x))⊃5 (∀6x .P7(x)⊃8 ∀9x .Q10(x))

1 Pick ∀6x .P7(x)⊃8 ∀9x .Q10(x), then pick ∀9x .Q10(x).2 Get t9 from A.3 If Q(t), then we’re done.4 Otherwise check P(t).

I If P(t), then back up, select ∀1x .(P2(x)⊃3 Q4(x)) to attack, put t asx1.

I If ¬P(t), then back up, select ∀6x .P7(x) to attack, put t as x6.5 If A backs up and chooses a new t, then repeat from 3.

Stopping?

The game may be infinite.

We require that when first considering an ∃-node in the AST of theformula, the player must state how many descendants of the tree itwill consider.

I A must state it in step 2.I E states “1” in both branches of step 4.


Example∀1x .(P2(x)⊃3 Q4(x))⊃5 (∀6x .P7(x)⊃8 ∀9x .Q10(x))

1 Pick ∀6x .P7(x)⊃8 ∀9x .Q10(x), then pick ∀9x .Q10(x).2 Get t9 from A.3 If Q(t), then we’re done.4 Otherwise check P(t).

I If P(t), then back up, select ∀1x .(P2(x)⊃3 Q4(x)) to attack, put t asx1.

I If ¬P(t), then back up, select ∀6x .P7(x) to attack, put t as x6.5 If A backs up and chooses a new t, then repeat from 3.

Stopping?

The game may be infinite.

We require that when first considering an ∃-node in the AST of theformula, the player must state how many descendants of the tree itwill consider.

I A must state it in step 2.I E states “1” in both branches of step 4.


What if E and A were PPT?

What it means to be “polynomial-time”

Each execution step in time polynomial in the security parameter.

Care necessary with one player “outspending” the other one.

The number of attempts on quantifiers must be bounded, too.I The stated number may not be more that the previous largest number

plus p(η).

What does it give us?

Liveness properties in the computational setting.I Precise meanings for ♦F and �♦F .

Deductive power

All axioms and inference rules of FO and LT logic are still valid.


Contract-signing protocols

Two parties A and B, and a message M (the contract).I Signature verification keys pkA and pkB known to all.

As a result of the protocolI A obtains a “signature” of B on M and B obtains a “signature” of A

on M;I or, neither A nor B obtain each others signature.

Requires a trusted third party.

A contract signing protocol is optimistic if the TTP has to becontacted only if one of the parties misbehaves.


Asokan-Shoup-Waidner fair contract signing protocol

Let [{M}]A denote A’s signature on M.

Main protocol

A→ B : [{M,A,B,T}]A.B → A : [{M,A,B,T}]B . If time-out, A invokes Abort protocolA→ B : [{M,A,B}]A. If time-out, B invokes Resolve protocolB → A : [{M,A,B}]B . If time-out, A invokes Resolve protocol

Abort protocol

A→ T : [{M,A,B, abort}]AT → A :{

[{[{M,A,B,T}]A, [{M,A,B,T}]B}]T[{[{M,A,B, abort}]A}]T

Resolve protocol

A→ T :[{M,A,B,T}]A, [{M,A,B,T}]BT → A :[{[{M,A,B,T}]A, [{M,A,B,T}]B}]T

A signed contract is either ([{M,A,B}]A, [{M,A,B}]B) or[{[{M,A,B,T}]A, [{M,A,B,T}]B}]T .


Modeling the ASW protocol

The property we consider

If A obtains a signed contract for message M then B eventually also has asigned contract on M.

A

T

B

Crypto

Some variables

pkA, pkB , pkT — public keys outA, outB — output of A and Bmsg−→

XY— outgoing messages from X to Y

msg←−XY

— messages incoming to X from YtsB , tsT — messages B and T want to get signedfsB , fsT — signatures to messages from previous stepLB , LT — all messages ever signed by B / T



Behaviour of the network

�(∀x .(x ∈ msg−→BT⊃ ♦x ∈ msg←−

TB))

I Same for communication T → B.

�(∀x .(x ∈ msg−→AT⊃©x ∈ msg←−

TA))

I Same for other communication with A.

∀x .(x 6∈ msg←−YXW x ∈ msg−→

XY)

I for all X ,Y ∈ {A,B,T}

The signing machine

�(next(LX ) = LX ∪ tsX ) LX = ∅I Actually �(∃x .(x = LX ∪ tsX ∧©(x = Lx)))

�(all (\(m, s)->Vfy(pkX ,m, s)) (zip tsX next(fsX )))



Behaviour of the network

�(∀x .(x ∈ msg−→BT⊃ ♦x ∈ msg←−

TB))

I Same for communication T → B.

�(∀x .(x ∈ msg−→AT⊃©x ∈ msg←−

TA))

I Same for other communication with A.

∀x .(x 6∈ msg←−YXW x ∈ msg−→

XY)

I for all X ,Y ∈ {A,B,T}

The signing machine

�(next(LX ) = LX ∪ tsX ) LX = ∅I Actually �(∃x .(x = LX ∪ tsX ∧©(x = Lx)))

�(all (\(m, s)->Vfy(pkX ,m, s)) (zip tsX next(fsX )))



State of B and T

Formula relating SX , next(SX ), msg←−XY

, next(msg−→XY

), fsX ,

next(tsX ).I SX — the internal state of X

Timeouts will happen: �♦¬wait state(SB)

Security of signatures

�(∀(m, s).(Vfy(pkX ,m, s)⊃ ♦m ∈ LX ))

Otherwise A,B,T ,A, E together have broken the EF-CMA security ofsignatures.


�(∀x .(contract(x ,A,B) ∈ outA ⊃ ♦contract(x ,A,B) ∈ outB))



State of B and T


, next(msg−→XY

), fsX ,




�(∀(m, s).(Vfy(pkX ,m, s)⊃ ♦m ∈ LX ))






State of B and T


, next(msg−→XY

), fsX ,




�(∀(m, s).(Vfy(pkX ,m, s)⊃ ♦m ∈ LX ))





Conclusions

Semantics for first-order linear temporal logic, giving meaning topolynomial-time FO and LT effects.

Analysis of the liveness properties of the ASW protocol in thecomputational model.

Open question

How to model that the adversary does not know a certain value?I In computational model, this is not a trace property.


Documents

Polynomial-time logic and livenessvarmo/tday-nelijarve/laud-slides.pdf · Polynomial-time logic and liveness (work in progress) Peeter Laud Cybernetica AS & Tartu University (joint