Download
1 / 20
200 likes | 325 Vues
ProNoBiS Activities in Verona. Roberto Segala University of Verona with Augusto Parma and Andrea Turrini. List of Activities. Comparative semantics Alternating and non-alternating models Simulation and bisimulation relations Logical characterizations Extensions of HM logic
E N D
ProNoBiSActivities in Verona Roberto Segala University of Verona with Augusto Parma and Andrea Turrini Roberto Segala University of Verona
List of Activities • Comparative semantics • Alternating and non-alternating models • Simulation and bisimulation relations • Logical characterizations • Extensions of HM logic • Non-discrete measures • Stochastic Transition Systems • Verification of crypto protocols • Task-based PIOAs • Oblivious transfer • Aproximate simulations • Authentication, matching conversations Roberto Segala University of Verona
Probabilistic Automata (NA) NA = (Q , q0 , E , H , D) Transition relation DÍ Q´ (EÈH) ´ Disc(Q) Internal (hidden) actions External actions:EÇH = Æ Initial state:q0Î Q States Roberto Segala University of Verona
Alternating vs. non-alternating NA A SA u u u flip flip flip flip flip flip p2 p3 p2 p3 .2 .8 .7 .3 .2 .8 .7 .3 .2 .8 .7 .3 h t h t h t h t h t h t beep beep beep beep beep beep pb pb 1 1 1 1 Roberto Segala University of Verona
Relations between models • Embeddings (E ) • SA as an instance of Aand of NA • A as an instance of NA • Embeddings as structure restrictions • Transformations (T ) • Folkloristic ways to represent the same object within the three models Roberto Segala University of Verona
Strong Bisimulation of NA Strong bisimulation between A1 and A2 Relation R Q x Q, Q=Q1ÈQ2, such that " q,s, a, $¢ q a + R R q0 s0 a s ¢ a a 1 s1 q1 q2 [LS89] R¢ b b b 1 1 1 q3 q4 s3 C Q/R . (C ) = ¢ (C ) Roberto Segala University of Verona
Bisimulation Literature In literature there are also • Strong bisimulation of Hansson on SA • Relates only nondeterministic states • Strong bisimulation of Philippou on A • Relates all states • Probabilistic states are a technicality • Weak bisimulation of Philippou on A • Relates all states • Probabilistic states are meaningful • Uses conditional probabilities on self loop Roberto Segala University of Verona
Taxonomy Nondeterministic typologyN • Based on T ransformations • Check bisimilarity of images in NA T A1 T (A1) SA A ~N ? T ~? NA A2 T (A2 ) Roberto Segala University of Verona
Taxonomy Mixed typologyM • Based on E mbeddings • Check bisimilarity of images in NA E A1 E (A1) SA A ~M? E ~? NA A2 E (A2 ) Roberto Segala University of Verona
Taxonomy and Literature[Segala, Turrini] Roberto Segala University of Verona
Logical Characterizations[Parma, Segala] • Logic: true | Øf| fÙf | àaf | [f]p • Semantics: m satisfies a formula • àaf : for each q in support of m there is a transition (q,a,m¢) such that m¢|= f • [f]p : m({q|q|=f}) ³ p • Observation: àpaf corresponds to àa[f]p Roberto Segala University of Verona
Stochastic Transition Systems[Cattani, Segala, Kwiatkowska, Norman] ST = (Q , q0 , E , H , FQ, FA, D) Transition relation DÍ Q´ (EÈH) ´ P(Q,FQ) s-field on actions s-field on states Internal (hidden) actions External actions:EÇH = Æ Initial state:q0Î Q States Roberto Segala University of Verona
STS: Problems • Not all schedulers lead to measurability • Let X Í [0,1] be non measurable • Choose x uniformly in [0,1] • Schedule a only if x Î X • What is the probability of àa? • Define measurable schedulers • From FEXEC to FA´Q • Then we obtain Markov Kernels • Markow kernels preserved by projection • Important for modular reasoning • How about bisimulation? Roberto Segala University of Verona
UC-Security [Canetti] Simulator Ideal functionality $ ? Environment " Adversary Real protocol " Roberto Segala University of Verona
UC-Security with PIOAs [Canetti, Cheung, Kaynar, Liskov, Lynch, Pereira, Segala] Adversary Simulator Ideal functionality $ " ? Environment " Adversary Real protocol " Roberto Segala University of Verona
Oblivious Transfer [Canetti, Cheung, Kaynar, Liskov, Lynch, Pereira, Segala] Hard core predicate Ideal functionality Simulator Adversary Hard core predicate Protocol Adversary Random bit Protocol Adversary Random bit Real protocol Adversary Roberto Segala University of Verona
Aproximate Simulations[Segala, Turrini] Given {Ak} and {Bk} consider {Rk}. R QAkx QAk For each cÎN, pÎPoly, exists kÎN, for each k>k, e>0, m1, m2 If • m1 reached in at most p(k) steps • m1 L(Rk,e) m2 • m1¾ñm1’ Then • m2¾ñm2’ • m1’ L(Rk,e+k-c) m2’ + • m1 L(R,e) m2 • m1= (1-e)m1’+em1’’ • m2= (1-e)m2’+em2’’ • m1’ L(R) m2’ Roberto Segala University of Verona
Implications on executions Let {Rk} be an aprox sim from {Ak} to {Bk} For each cÎN, pÎPoly, exists kÎN, for each k>k, m1 If • m1 is reachable in Ak in p(k) steps Then exists m2 • m2 reachable in Bk in p(k) steps • m1 L(R,p(k)k-c) m2 Roberto Segala University of Verona
Application to AuthenticationMatching Conversation • Specification: • Actual protocol • States keep history • Adversary does almost everything • All invalid transitions removed • Implementation • Actual protocol • States keep history • Adversary is a PPT algorithm • Simulation • Identity on states • Properties • All executions of specification satisfy matching conversations • Failure of simulation imply breaking a signature protocol Roberto Segala University of Verona
Open problems • Logics • Complete the picuture with simulations • Stochastic Transition Systems • Understand bisimulation • Get soundness results • Understand restrictions to the model • Verification • Refine the methods • Test on more complex case studies • Compare with soundness proofs for symbolic methods Roberto Segala University of Verona
