ProNoBiS Activities in Verona, Roberto Segala, University of Verona


SLIDE 1

ProNoBiS meeting Paris, May 21 2006 Roberto Segala University of Verona 1

ProNoBiS Activities in Verona

Roberto Segala University of Verona

with Augusto Parma and Andrea Turrini

SLIDE 2

List of Activities

  • Comparative semantics
      – Alternating and non-alternating models
      – Simulation and bisimulation relations
  • Logical characterizations
      – Extensions of HM logic
  • Non-discrete measures
      – Stochastic Transition Systems
  • Verification of crypto protocols
      – Task-based PIOAs
  • Oblivious transfer
      – Approximate simulations
  • Authentication, matching conversations

SLIDE 3

Probabilistic Automata (NA)

NA = (Q, q0, E, H, D)

  • Q: states
  • q0 ∈ Q: initial state
  • E: external actions, E∩H = ∅
  • H: internal (hidden) actions
  • D ⊆ Q × (E∪H) × Disc(Q): transition relation

SLIDE 4

Alternating vs. non-alternating

[Figure: one example with actions flip and beep and outcomes h and t (probabilities .7/.3 and .2/.8), drawn in the three models NA, A and SA.]

SLIDE 5

Relations between models

  • Embeddings (E)
      – SA as an instance of A and of NA
      – A as an instance of NA
      – Embeddings as structure restrictions
  • Transformations (T)
      – Folkloristic ways to represent the same object within the three models

SLIDE 6

Strong Bisimulation of NA

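Strong bisimulation between A1 and A2: a relation R ⊆ Q × Q, Q = Q1∪Q2, such that

∀ q, s, a, µ ∃ µ′ : q R s and q –a→ µ give s –a→ µ′ with µ R µ′

µ R µ′ ⇔ ∀C ∈ Q/R . µ(C) = µ′(C)

[Figure: example automata with states q0, q1, q2, q3, q4 and s0, s1, s3, transitions labelled a and b, probabilities 1.]

[LS89]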

SLIDE 7

Bisimulation Literature

In the literature there are also

  • Strong bisimulation of Hansson on SA
      – Relates only nondeterministic states
  • Strong bisimulation of Philippou on A
      – Relates all states
      – Probabilistic states are a technicality
  • Weak bisimulation of Philippou on A
      – Relates all states
      – Probabilistic states are meaningful
      – Uses conditional probabilities on self loop

SLIDE 8

Taxonomy

Nondeterministic typology N

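  • Based on Transformations
  • Check bisimilarity of images in NA

[Diagram: A1 and A2 are mapped by T to T(A1) and T(A2); the question A1 ~N A2 ? is answered by checking T(A1) ~ T(A2) ?. Models shown: SA, A, NA.]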

SLIDE 9

Taxonomy

Mixed typology M

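  • Based on Embeddings
  • Check bisimilarity of images in NA

[Diagram: A1 and A2 are mapped by E to E(A1) and E(A2); the question A1 ~M A2 ? is answered by checking E(A1) ~ E(A2) ?. Models shown: SA, A, NA.]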

SLIDE 10

Taxonomy and Literature [Segala, Turrini]

[Figure: taxonomy of strong (~) and weak (≈) equivalences on A and SA, with entries labelled N, M and pM.]

SLIDE 11

Logical Characterizations [Parma, Segala]

  • Logic: true | ¬φ | φ∧φ | ◊aφ | [φ]p
  • Semantics: µ satisfies a formula
      – ◊aφ : for each q in support of µ there is a transition (q,a,µ′) such that µ′ |= φ
      – [φ]p : µ({q | q |= φ}) ≥ p
  • Observation: ◊paφ corresponds to ◊a[φ]p
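The semantics above translates directly into a recursive evaluator over distributions. This is an added example, not code from the slides; the tuple encoding of formulas, the function names and the sample automaton (constructed, reusing the action names flip and beep) are assumptions, and q |= φ is read as "the Dirac distribution on q satisfies φ".

```python
from fractions import Fraction as F

def dirac(q):
    return {q: F(1)}

def sat(mu, phi, trans):
    """Does distribution mu satisfy phi? trans is a list of (q, a, mu')."""
    op = phi[0]
    if op == "true":
        return True
    if op == "not":
        return not sat(mu, phi[1], trans)
    if op == "and":
        return sat(mu, phi[1], trans) and sat(mu, phi[2], trans)
    if op == "dia":   # ("dia", a, psi): every support state has a matching a-step
        _, a, psi = phi
        return all(any(s == q and b == a and sat(nu, psi, trans)
                       for s, b, nu in trans)
                   for q, w in mu.items() if w > 0)
    if op == "prob":  # ("prob", psi, p): mu({q | q |= psi}) >= p
        _, psi, p = phi
        return sum(w for q, w in mu.items()
                   if sat(dirac(q), psi, trans)) >= p
    raise ValueError(f"unknown operator {op!r}")

# Constructed sample: two nondeterministic flips from u; only h can beep.
TRANS = [
    ("u", "flip", {"h": F(7, 10), "t": F(3, 10)}),
    ("u", "flip", {"h": F(2, 10), "t": F(8, 10)}),
    ("h", "beep", {"pb": F(1)}),
]
CAN_BEEP = ("dia", "beep", ("true",))

def flip_then_beep_with(p):
    # The slide's observation: "flip, then beep with probability >= p"
    # is written as dia_flip [ dia_beep true ]_p.
    return sat(dirac("u"), ("dia", "flip", ("prob", CAN_BEEP, p)), TRANS)
```

With the constructed automaton the formula holds for p = 7/10 (the first flip is a witness) and fails for p = 8/10, since neither flip puts that much mass on h.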

SLIDE 12

Stochastic Transition Systems [Cattani, Segala, Kwiatkowska, Norman]

ST = (Q, q0, E, H, FQ, FA, D)

  • Q: states
  • q0 ∈ Q: initial state
  • E: external actions, E∩H = ∅
  • H: internal (hidden) actions
  • FQ: σ-field on states
  • FA: σ-field on actions
  • D ⊆ Q × (E∪H) × P(Q,FQ): transition relation

SLIDE 13

STS: Problems

  • Not all schedulers lead to measurability
      – Let X ⊆ [0,1] be non-measurable
      – Choose x uniformly in [0,1]
      – Schedule a only if x ∈ X
      – What is the probability of ◊a?
  • Define measurable schedulers
      – From FEXEC to FA×Q
      – Then we obtain Markov kernels
  • Markov kernels preserved by projection
      – Important for modular reasoning
  • How about bisimulation?

SLIDE 14

UC-Security [Canetti]

[Diagram: Environment, Real protocol with Adversary, Ideal functionality with Simulator; quantifiers ∀ ∃; "?" marks the comparison between the two sides.]

SLIDE 15

UC-Security with PIOAs

[Canetti, Cheung, Kaynar, Liskov, Lynch, Pereira, Segala]

[Diagram: Environment, Real protocol with Adversary, Ideal functionality with Simulator and Adversary; quantifiers ∀ ∃; "?" marks the comparison between the two sides.]

SLIDE 16

Oblivious Transfer

[Canetti, Cheung, Kaynar, Liskov, Lynch, Pereira, Segala]

[Diagram: chain of systems from Real protocol with Adversary to Ideal functionality with Simulator and Adversary; the intermediate steps pair Protocol and Adversary first with a Hard core predicate and then with a Random bit.]

SLIDE 17

Approximate Simulations [Segala, Turrini]

Given {Ak} and {Bk} consider {Rk}. R ⊆ QAk × QAk

For each c∈N, p∈Poly, exists k̄∈N, for each k>k̄, ε>0, µ1, µ2

If
  • µ1 reached in at most p(k) steps
  • µ1 L(Rk,ε) µ2
  • µ1 → µ1′

Then
  • µ2 → µ2′
  • µ1′ L(Rk, ε+k^-c) µ2′

µ1 L(R,ε) µ2:
  • µ1 = (1-ε)µ1′ + εµ1″
  • µ2 = (1-ε)µ2′ + εµ2″
  • µ1′ L(R) µ2′

SLIDE 18

Implications on executions

Let {Rk} be an approximate simulation from {Ak} to {Bk}

For each c∈N, p∈Poly, exists k̄∈N, for each k>k̄, µ1

If
  • µ1 is reachable in Ak in p(k) steps

Then exists µ2
  • µ2 reachable in Bk in p(k) steps
  • µ1 L(R, p(k)k^-c) µ2

SLIDE 19

Application to Authentication Matching Conversation

  • Specification:
      – Actual protocol
      – States keep history
      – Adversary does almost everything
      – All invalid transitions removed
  • Implementation
      – Actual protocol
      – States keep history
      – Adversary is a PPT algorithm
  • Simulation
      – Identity on states
  • Properties
      – All executions of specification satisfy matching conversations
      – Failure of simulation implies breaking a signature protocol

SLIDE 20

Open problems

  • Logics
      – Complete the picture with simulations
  • Stochastic Transition Systems
      – Understand bisimulation
      – Get soundness results
      – Understand restrictions to the model
  • Verification
      – Refine the methods
      – Test on more complex case studies
      – Compare with soundness proofs for symbolic methods