
A Complete Axiomatization of Knowledge and Cryptographic Equality

A Complete Axiomatization of Knowledge and Cryptographic Equality. Mads Dam, School of Computer Science and Communication, KTH, Stockholm, Sweden. Joint work with Mika Cohen. Schloss Dagstuhl seminar: Specification, verification and test of open systems, Oct. 2006.


Presentation Transcript


  1. A Complete Axiomatization of Knowledge and Cryptographic Equality
     Mads Dam, School of Computer Science and Communication, KTH, Stockholm, Sweden
     Joint work with Mika Cohen
     Schloss Dagstuhl seminar: Specification, verification and test of open systems, Oct. 2006

  2. Knowledge and Cryptography
     Important but slippery combination
     • Many security-related concepts are naturally phrased in terms of knowledge
     • How should we think of knowledge in the presence of cryptographic operations?
     In cryptography proper:
     • Knowledge of some bit
     • Likelihood of a polytime probabilistic TM computing the bit is a negligible function in some security parameter k

  3. In Multi-Agent Semantics
     Multi-agent semantics (FHMV):
     • Global states s
     • Local states s|A
     • A knows F in state s if F is forced from s|A
     Problem: logical omniscience
     • A knows all mathematical facts
     • enc(x,k) "contains" x
     • So A knows enc(x,k) contains x, for all x and k

  4. One approach
     Knowledge extraction:
     • A knows predicate F
     • A can compute F from data in A's possession
     Computing F:
     • By classes of TMs (Moses '88)
     • By explicitly given algorithms (HMV '94)
     • By Dolev-Yao type extraction/synthesis (most FM-type work)

  5. Another approach
     Abstract computational models:
     • Knowledge characterized by the environment's ability to tell systems apart
     • P passes test t, not(Q passes test t): P and Q have different information content for an external observer, and that difference is knowledge
     Examples:
     • Trace, failures, testing models (CSP, SPI, Applied pi)
     • Static equivalence (Abadi, Fournet, Cortier, ...): two "epistemic states of affairs" are the same if they validate the same equations

  6. Contribution
     First-order epistemic logic of abstract one-way computable functions
     • Akin to applied pi equational theories
     Computationally justified multi-agent semantics
     • Uses frame theories in the style of framed bisimulation (Abadi-Gordon '99)
     • Characterization of static equivalence
     Sound and relatively complete axiomatization
     • Up to the underlying algebraic theory (+ some more)

  7. Terms
     • t ::= c | x | m | f(t1,...,tn)
     • c ∈ Const ⊇ Pub
       – Could use pi-like notation for private constants
     • x: variable
       – de re reference: the "bit string" x
     • m: place holder
       – de dicto reference: the "value" m
       – Needed for technical reasons (see later)
       – Appears only bound
     • M ∈ Mes: terms with neither free variables nor place holders

  8. Variables and Place Holders
     Examples:
     • ∀x.(x = M → □_A(x = M)): invalid; x might have the value M without A knowing this
     • ∀m.(m = M → □_A(m = M)): valid
     • Quantification expresses infinite conjunction: F[M0/m] ∧ F[M1/m] ∧ ... ∧ F[Mi/m] ∧ ...

  9. Language
     Formulas: F ::= t = t' | p(t1,...,tn) | ∀x.F | ∀m.F | □_A F | F ∧ F | ¬F
     • No free place holders allowed
     • p: state-dependent predicate
     • ∀x: de re quantification
     • ∀m: de dicto quantification
     • Only bound occurrences of place holders allowed

  10. Models
     Static multi-agent system:
     • Locations: l ∈ Loc
     • State: s ∈ Loc → Mes
     • Agent projection:
       – Loc|A ⊆ Loc: set of locations observed by A
       – s|A = s ↾ (Loc|A)
     • ≡: underlying message congruence
     • I(p,s) ⊆ Mes × ... × Mes
       – Predicate denoted by p
       – Must preserve ≡

  11. Semantics
     Valuations and the semantics of the non-epistemic connectives are straightforward; in particular:
     • s,V ⊨ ∀m.F(m) iff for all M ∈ Mes: s,V ⊨ F(M)
     • s,V ⊨ ∀x.F iff for all M ∈ Mes: s,V[x ↦ M] ⊨ F
     Epistemic accessibility:
     • s,V ~_A s',V'
       – s',V' is an epistemic counterpart of s,V
       – V(x) at s might, for A, be V'(x) at s'
     • s,V ⊨ □_A F iff whenever s',V' ~_A s,V then s',V' ⊨ F
     • ~_A is a variant of Abadi-Gordon framed theories

  12. Message Extraction
     Infers(A,s): messages seen by A in global state s
     • If M ∈ Range(s|A) then M ∈ Infers(A,s)
     • If M ∈ Infers(A,s) and M ≡ M' then M' ∈ Infers(A,s)
     • If c ∈ Pub then c ∈ Infers(A,s)
     • If M1,...,Mn ∈ Infers(A,s) then f(M1,...,Mn) ∈ Infers(A,s)
     In general it does not follow from f(M1,...,Mn) ∈ Infers(A,s) that Mi ∈ Infers(A,s), but there may be a g such that g(f(M1,...,Mn)) ≡ Mi

  13. Theory connecting s and s'
     Th_A(s,s'): the correspondence between messages that must hold if s and s' are to be related
     Th_A(s,s') ⊢ ok if Th_A(s,s') is injective:
     • Th_A(s,s') ⊢ M → N and Th_A(s,s') ⊢ M' → N' with M ≡ M' implies N ≡ N'
     Rules for Th_A(s,s'):
     • s|A(l) = M and s'|A(l) = M'  ⟹  Th_A(s,s') ⊢ M → M'
     • c ∈ Pub  ⟹  Th_A(s,s') ⊢ c → c
     • Th_A(s,s') ⊢ Mi → Mi' for all i  ⟹  Th_A(s,s') ⊢ f(M1,...,Mn) → f(M1',...,Mn')
     • Th_A(s,s') ⊢ M → M', M ≡ N and M' ≡ N'  ⟹  Th_A(s,s') ⊢ N → N'

  14. Epistemic Accessibility
     Corollary: if Th_A(s,s') ⊢ ok then Th_A(s,s') is an isomorphism from Infers(A,s) to Infers(A,s')
     Th_A*(s,s'): extension to non-inferred terms
     • If M ∉ Infers(A,s) and M' ∉ Infers(A,s') then Th_A*(s,s') ⊢ M → M'
     • If Th_A*(s,s') ⊢ V(x) → V'(x) for all x then Th_A*(s,s') ⊢ V → V'
     s,V ~_A s',V' iff Th_A(s,s') ⊢ ok and Th_A*(s,s') ⊢ V → V'
     Lemma: ~_A is an equivalence

  15. Message extraction, again
     Suppose h ("hashing") satisfies:
     • h(M) ≡ h(M') implies M ≡ M' (injectivity)
     • h(M) ≢ M for all M
     Define the possession predicate: ⊡_A x := ∃y. □_A(y = h(x))
     Proposition: the following are equivalent:
     • V(x) ∈ Infers(A,s)
     • s,V ⊨ ⊡_A x

  16. Relation to Static Equivalence
     Let Loc = Var, so states are also valuations
     A-term: t ::= x | c | f(t1,...,tn) where x ∈ Loc|A and c ∈ Pub
     Static equivalence (Abadi-Fournet):
     • s|A ≈ s'|A iff for all A-terms t, t': s(t) ≡ s(t') iff s'(t) ≡ s'(t')
     Corollary: the following are equivalent:
     • Th_A(s,s') ⊢ ok
     • s|A ≈ s'|A
     • For all A-terms t, t': s ⊨ □_A(t = t') iff s' ⊨ □_A(t = t')
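The three definitions above (message extraction on slide 12, the frame theory Th_A(s,s') and its ok-check on slides 13 and 14, and static equivalence on slide 16) can be run on a small term algebra. The following is an added example, not code from the talk or its authors: it assumes a symmetric-encryption/pairing theory (dec(enc(m,k),k) = m, fst(pair(a,b)) = a, snd(pair(a,b)) = b), a single public constant c0, and two constructed states S and S2 that differ only in the nonce inside a ciphertext. Infers(A,s) and Th_A(s,s') are infinite sets, so the code computes depth-bounded approximations; the function names are assumptions made here.

```python
"""Added example (not part of the slides): bounded message extraction
Infers(A,s) (slide 12), the frame theory Th_A(s,s') with its 'ok' check
(slides 13-14) and Abadi-Fournet static equivalence (slide 16), over a
toy term algebra with symmetric encryption and pairing.  The equational
theory, the function names and the sample states are all assumptions."""
from itertools import product

# Terms: atoms are strings, applications are tuples ('f', arg1, ...).
# Assumed theory: dec(enc(m,k),k) = m, fst(pair(a,b)) = a, snd(pair(a,b)) = b.
ARITY = {"enc": 2, "dec": 2, "pair": 2, "fst": 1, "snd": 1}
PUB = {"c0"}  # public constants (Pub), available to every agent


def is_app(t, f):
    return isinstance(t, tuple) and t[0] == f


def nf(t):
    """Normal form under the theory; M ≡ M' iff nf(M) == nf(M')."""
    if isinstance(t, str):
        return t
    f, *args = t
    args = [nf(a) for a in args]
    if f == "dec" and is_app(args[0], "enc") and args[0][2] == args[1]:
        return args[0][1]
    if f == "fst" and is_app(args[0], "pair"):
        return args[0][1]
    if f == "snd" and is_app(args[0], "pair"):
        return args[0][2]
    return (f, *args)


def evaluate(s, t):
    """s(t): replace each location in the A-term t by the message stored
    there (Loc = Var, so a state doubles as a valuation)."""
    if isinstance(t, str):
        return s.get(t, t)
    return (t[0], *(evaluate(s, a) for a in t[1:]))


def a_terms(obs, depth):
    """A-terms t ::= x | c | f(t1,...,tn), x in Loc|A, c in Pub, up to `depth`."""
    terms = set(obs) | PUB
    for _ in range(depth):
        terms |= {(f, *args) for f, n in ARITY.items()
                  for args in product(terms, repeat=n)}
    return terms


def infers(s, obs, M, depth=2):
    """Bounded test for M ∈ Infers(A,s): some A-term over what A observes
    (plus Pub) evaluates, modulo ≡, to M."""
    return any(nf(evaluate(s, t)) == nf(M) for t in a_terms(obs, depth))


def frame_theory(s, s2, obs, depth=2):
    """Pairs M -> M' derivable in Th_A(s,s') (slide 13), bounded by `depth`:
    s|A(l) -> s'|A(l) for observed l, c -> c for public c, closure under the
    function symbols; closure under ≡ is obtained by keeping normal forms."""
    pairs = {(nf(s[l]), nf(s2[l])) for l in obs} | {(c, c) for c in PUB}
    for _ in range(depth):
        pairs |= {(nf((f, *(p[0] for p in combo))), nf((f, *(p[1] for p in combo))))
                  for f, n in ARITY.items() for combo in product(pairs, repeat=n)}
    return pairs


def frame_ok(pairs):
    """Th_A(s,s') ⊢ ok: the derived pairs are functional and injective on
    ≡-classes, i.e. an isomorphism as in the corollary on slide 14."""
    fwd, bwd = {}, {}
    for m, m2 in pairs:
        if fwd.setdefault(m, m2) != m2 or bwd.setdefault(m2, m) != m:
            return False
    return True


def static_equivalent(s, s2, obs, depth=1):
    """s|A ≈ s'|A (slide 16), bounded: each equation t = t' between A-terms
    holds in s iff it holds in s'."""
    ts = list(a_terms(obs, depth))
    v = {t: nf(evaluate(s, t)) for t in ts}
    v2 = {t: nf(evaluate(s2, t)) for t in ts}
    return all((v[t] == v[u]) == (v2[t] == v2[u]) for t in ts for u in ts)


# Constructed states: ciphertext at x, key at y, plaintext nonce at z.
# n0, n1 and k are private constants (in Const but not in Pub).
S = {"x": ("enc", "n0", "k"), "y": "k", "z": "n0"}
S2 = {"x": ("enc", "n1", "k"), "y": "k", "z": "n0"}


def demo():
    return {
        # A holds the ciphertext but not the key: the nonce is not inferable ...
        "nonce_without_key": infers(S, {"x"}, "n0"),
        # ... with the key, dec(x,y) ≡ n0: the g with g(f(M1,M2)) ≡ M1 of slide 12
        "nonce_with_key": infers(S, {"x", "y"}, "n0"),
        # with the key the states are told apart (dec(x,y) = z holds only in S)
        "ok_with_key": frame_ok(frame_theory(S, S2, {"x", "y", "z"})),
        "se_with_key": static_equivalent(S, S2, {"x", "y", "z"}),
        # without the key they are not, and both characterisations agree
        "ok_without_key": frame_ok(frame_theory(S, S2, {"x", "z"})),
        "se_without_key": static_equivalent(S, S2, {"x", "z"}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On these states the frame-theory check and the static-equivalence check give the same verdict in both configurations, which is the first two items of the corollary on slide 16 at the chosen depth. Note the failure mode when A holds the key: the base pair n0 → n0 (from location z) and the derived pair dec(enc(n0,k),k) → dec(enc(n1,k),k), i.e. n0 → n1, break functionality, so Th_A(S,S2) ⊬ ok.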

  17. Axiomatization
     Expected stuff:
     • Propositional tautologies, modus ponens, modal K, T, 4, 5, Nec
     • Term congruence: M = M' if M ≡ M'; M ≠ M' if M ≢ M'
     • Leibniz (if F has no modality): t = t' ∧ F[t/x] → F[t'/x]
     • Generalization for ∀x: from F infer ∀x.F
     • Instantiation for ∀m: (∀m.F[m/x]) → F[M/x]

  18. Axiomatization, 2
     More interesting stuff:
     • y = f(x1,...,xn) ∧ ⊡_A x1 ∧ ... ∧ ⊡_A xn → □_A(y = f(x1,...,xn))
     • x = y ∧ ⊡_A x → □_A(x = y)
     • If c ∈ Pub: x = c → □_A(x = c)
     • □_A F(x) ∧ ¬⊡_A x ∧ ¬⊡_A x' → □_A F(x')
     • ∃m. x = m (NB: this is why we need ∀m!)
     • ∃x,y. x ≠ y ∧ ¬⊡_A x ∧ ¬⊡_A y
     • Instantiation for ∀x: (∀x.F) → F[y/x]
     • ω-rule for ∀m: from F[M/x] for all M ∈ Mes infer ∀m.F[m/x]

  19. Results
     Theorem (Soundness and Relative Completeness): ⊢ F iff ⊨ F
     Proof: canonical model construction
     A complete finitary axiomatization is not possible

  20. Relation to earlier work
     Counterpart semantics introduced for BAN in [FCS'05]
     Completeness proof for (propositional) BAN in [M4M'05]
     Main differences:
     • Propositional
     • Finite message space
     • Slightly different setup: s ⊨ □_A F iff s →_A^r s' implies s' ⊨ r(F), where r is a "renaming function" akin to a frame theory
       – This makes the rule of normality fail; not so here

  21. Directions
     Still some quirks to sort out:
     • Grounding of variables without ∀m?
     • Minimality of the axiomatization
     Applications: Chaum mix, voting, payment protocols
     • Use knowledge of cryptographically inaccessible content in interesting ways (blinding, dual signatures)
     Issues:
     • Finite model property (for the propositional fragment?)
     • Decidability and model checking (ditto)
     • Extensions to fixed points (BAN) and dynamics
