the power of simulation relations sixty and beyond toronto, august 20, 2008 roberto segala -...
Post on 21-Dec-2015
223 views
TRANSCRIPT
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 1
The Power ofSimulation Relations
Roberto SegalaUniversity of Verona
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 2
Hierarchical Verification
I11 I12 I2 I3
S
S1 S2 S3
Some properties
verified here
Modules verified
separately
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 3
Implementation
• Some form of behavioral inclusion– Traces, Failures, Tests, …
• Features– Preserves properties of interest– Transitive– Compositional– Affine with logical implication
• … when properties are sets of behaviors
• Hard to check– Often Pspace-complete– But simulation relations help
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 4
Automata
A = (Q , q0 , E , H , D)
coffee
q0 q2
q1
q4
q3 q5
d
n
n
n
choc
ch
Execution: q0 n q1 n q2 ch q3 coffee q5
Trace: n n coffee
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 5
Forward Simulations
Forward simulation from A1 to A2 (A1 FA2) Relation R Q1 x Q2 such that
q q
s sa
aR R
q, s, a, q s
q0
q1
q3
q2
q4
s0
s1
s3 s4
a a
cb
a
b c
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 6
Simulation Implies Trace Inclusion
• The step condition can be applied repeatedly
q q
s sa
a q
sb
b q
sc
c q
sd
d …
…
• Thus existence of simulation implies trace inclusion– Even more it implies a close correspondence between
executions
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 7
Application of Simulation Relations
• Distributed Systems– Automata, I/O Automata
• Real-Time Systems– Add time component to states– Add time-passage actions or trajectories
• Time-passage modifies only time component
• Hybrid Systems– Time passage modifies entire state
• Randomized Systems– Transitions lead to probability measures
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 8
Example: Probabilistic Automata
q0
qh
qt
qpflip
flip
1/2
1/2
2/3
1/3
beep
qz
buzz
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 9
Example: Probabilistic Automata
q0
q1
q2
q3
q4
q5fair
unfair
flip
flip
1/2
1/2
2/3
1/3
beep
What is the probability of beeping?
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 10
Probabilistic Executions
q0 q1 q3
q4
q5
1/2
1/2
q0 q2
q3
q4
q5
unfair flip
2/3
1/3
beep(beep) = 2/3
(beep) = 1/2
fair beepflip 1/2
2/3
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 11
Example: Probabilistic Executions
q0
q1
q2
q3
q4
q3
q4
q5
q5
fair
unfair
flip
flip
beep
beep
1/21/2
2/3
1/3
1/2
1/2
1/4
2/6
7/12
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 12
Forward Simulations
Forward simulation from A1 to A2 (A1 FA2) Relation R Q1 x Q2 such that
q
s a
aR R
q, s, a,
q1
q2
s1
s2
s3
1/2
1/2
1/3
1/3
1/3
1/3
1/6
1/6
1/3
Lifting of R
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 13
Lifting and Transfer of Masses
q1 q2 s1 s2 s3
q1
q2
s1
s2
s3
1/2
1/2
1/3
1/3
1/3
1/3
1/6
1/6
1/3
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 14
Simulation Implies Behavioral Inclusion
• The step condition can be applied repeatedly
q
s
…
…
q
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 15
A Potential Area of ApplicationSecurity
• With simulations– Global properties validated via local properties– … almost as proving a property by induction
• Can we use simulations for security?– Properties are typically global– There is randomization
• Challenges– Specifications do not fail– Implementations fail with negligible probability– Some approximations appear to be necessary– Need for computational assumptions
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 16
Bellare and Rogaway MAP1 Protocol
• Nonces are generated randomly• The key s is the secret for a Message Authentication
Code– Specifically, MAC based on pseudo-random functions
A BRA
[B.A.RA.RB]s
[A.RB]s
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 17
Nonces
• Number ONCE– Typically drawn randomly
• Claim– For each constant c and polynomial p– There exists k such that for each k k
– If n1,n2,…,np(k) are random nonces from {0,1}k
– Then Pr[ijninj]<k-c
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 18
Message Authentication Code
• Triple (G,A,V)– G on input 1k generates s {0,1}k
– For each s and each a• Pr[V(s,a,A(s,a))=1]=1
• Forger– On input 1k obtains MAC of strings of its choice– Outputs a pair (a,b)– Successful if V(s,a,b)=1 and a different from previous
queries
• Secure MAC– Every feasible forger succeeds with negligible probability
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 19
MAP1: Matching Conversations
• Matching conversation between A and B– Every message from A to B delivered
unchanged• Possibly last message lost• Response from B returned to A
– Every message received by A generated by B• Messages generated by B delivered to A• Possibly last message lost
• Correctness condition– Matching conversation implies acceptance– Negligible probability of acceptance without
matching conversation
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 20
MAP1: Correctness Proof• Let A be a PPT machine that interacts with the agents
• Show that A induces “no-match” with negligible probability– Argue that repeated nonces occur with negligible probability– Argue that A is an attack against a message authentication code
• Features– Relies on underlying pseudo-random functions– Proves correctness assuming truly random functions– Builds a distinguisher for PRFs if an attack exists
• Criticism– The arguments are semi-formal and not immediate– Three different concepts intermixed
• Nonces • Message authentication codes• Matching conversations
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 21
MAP1: Hierarchical Analysis
• Agents indexed by X, Y, t
AdversaryKeeps history
(PPT function f)
A1 A2 A3 A4
Keygenerator
Noncegenerator(coin flip)
A5
AdversaryKeeps history
(PPT function f)
A1 A2 A3 A4
Keygenerator
Noncegenerator
(ideal)
A5
AdversaryKeep history
(no forged signatures)
A1 A2 A3 A4
Keygenerator
Noncegenerator
(ideal)
A5
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 22
Nonce Generators• State
– valueX,Y,t initially – FreshNonces initially {0,1}k
• Transitions– Input NonceRequestX,Y,t
– Effect• Let v R {0,1}k
• valueX,Y,t = v• FreshNonces = FreshNonces-{v}
– Output NonceResponseX,Y,t(n)– Precondition
• n = valueX,Y,t
– Effect• valueX,Y,t =
• Let v R FreshNonces
IdealCoin flip
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 23
Adversary
• Keeps a variable history– Holds all previous messages
• Real adversary– Runs a cycle where
• Computes the next message to send using a PPT function f• Sends the message• Waits for the answer if expected
• Ideal adversary– Highly nondeterministic– Stores all input– Sends messages that do not contain forged
authentications
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 24
Problems with Simulations
– Consider a transition of the real nonce generator– With some probability there is a repeated nonce– The ideal nonce generator does not repeat nonces– Thus, we cannot match the step
AdversaryKeeps history
(PPT function f)
A1 A2 A3 A4
Keygenerator
Noncegenerator(coin flip)
A5
AdversaryKeeps history
(PPT function f)
A1 A2 A3 A4
Keygenerator
Noncegenerator
(ideal)
A5
AdversaryKeep history
(no forged signatures)
A1 A2 A3 A4
Keygenerator
Noncegenerator
(ideal)
A5
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 25
Approximated Simulations [ST07]
• Change lifting on measures
– 1 2 iff• 1 = (1-)1’ + 1’’• 2 = (1-)2’ + 2’’• 1’ 2’
1’ 1’’
2’ 2’’
(1-)
1
2
{2/3 q1, 1/3 q2} = 2/3 {1/2 q1, 1/2 q2} + 1/3{1
q1}
{1/3 s1, 1/3 s2, 1/3 s3} = 2/3 {1/2 s1, 1/2 s2} + 1/3{1 s3}
? = 1/3
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 26
Approximated Simulations
{Ak} {Rk} {Bk}
• For each constant c and polynomial p• There exists k such that for each k k• Whenever
– 1 reached within p(k) steps in Ak
– 1 L(Rk,) 2
– 1 1’
• There exists 2’ such that– 2 2’– 1’ L(Rk,+k-c) 2’ 1 1
2 2’
+k-c
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 27
Approximated SimulationsStep Condition
(1-)
1
2
(1--k-c) 2’
1’ (1--k-c)
k-c
k-c
(1-)
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 28
p(k)
p(k)
Simulation Implies Behavioral Inclusion
• The step condition can be applied repeatedly
q
s
…
…0 k-c 2k-c 3k-c p(k)k-c
• Observation– pkk-c can be smaller than any k-c’ by choosing
c=c’+degree(p)
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 29
Example: Approximate SimulationsBellare-Rogaway MAP1 Protocol
• Negation of the step condition– 1: Two random nonces are equal with high probability– 2: Function f defines a forger for a signature scheme
AdversaryKeep history
(no forged signatures)
A1 A2 A3 A4
Keygenerator
Noncegenerator
(ideal)
A5
AdversaryKeeps history
(PPT function f)
A1 A2 A3 A4
Keygenerator
Noncegenerator
(ideal)
A5
AdversaryKeeps history
(PPT function f)
A1 A2 A3 A4
Keygenerator
Noncegenerator(coin flip)
A5
1 2
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 30
Step Condition
{Ak} {Rk} {Bk}
• For each constant c and polynomial p• There exists k for each k k• Whenever
– 1 reached within p(k) steps in Ak
– 1 L(Rk,) 2
– 1 1’• There exists 2’ such that
– 2 2’– 1’ L(Rk,+k-c) 2’
1 1
2 2’
+k-c
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 31
Negation of Step Condition
{Ak} {Rk} {Bk}
• There exists constant c and polynomial p• For each k there exists k k• There exists
– 1 reached within p(k) steps in Ak
– 1 L(Rk,) 2
– 1 1’• There is no 2’ such that
– 2 2’– 1’ L(Rk,+k-c) 2’
1 1
2 2’
+k-c• Signature forged in
1’– Probability at least k-c
• Nonce replicated in 1’– Probability at least k-c
(1-)
1
2
(1--k-c) 2’
1’(1--k-c)
k-c
k-c
(1-)
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 32
Nonces
• Number ONCE– Typically drawn randomly
• Claim– For each constant c and polynomial p– There exists k such that for each k k
– If n1,n2,…,np(k) are random nonces from {0,1}k
– Then Pr[ijninj]<k-c
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 33
Example: Approximate SimulationsBellare-Rogaway MAP1 Protocol
• Proof Completed
AdversaryKeep history
(no forged signatures)
A1 A2 A3 A4
Keygenerator
Noncegenerator
(ideal)
A5
AdversaryKeeps history
(PPT function f)
A1 A2 A3 A4
Keygenerator
Noncegenerator
(ideal)
A5
AdversaryKeeps history
(PPT function f)
A1 A2 A3 A4
Keygenerator
Noncegenerator(coin flip)
A5
1 2
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 34
Problems with NondeterminismMAP1 Protocol [BR93]
• Potential problems– Let s be the shared key– Adversary queries k agents– Agent i replies if ith bit of s is 1– The adversary knows the shared key
• Solution– One query at a time– Wait for the answer (agents as oracles)
AdversaryKeeps history
(PPT function f)
A1 A2 A3 A4
Keygenerator
Noncegenerator(coin flip)
A5
We Are Not Alone• Mitchell, Ramanathan, Scedrov, Teague
– Probabilistic polynomial time calculus
• Canetti, Cheung, Kaynar, Liskov, Lynch, Pereira, Segala– Task Probabilistic I/O Automata
• Chatzikokolakis, Palamidessi– Syntactic restrictions for schedulers
• Canetti– UC framework
• Backes, Pfitzmann, Waidner– Reactive simulatability Framework
• Van Breugel, Worrel– Metrics and approximation
• Desharnais, Gupta, Jagadeesan, Panangaden– Metrics and approximation
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 35
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 36
Work in Progress
• Applications– Soundness of Dolev-Yao model– Analysis of the Crypto-Library
• Approximated simulations versus– Approximated language inclusion (Task PIOAs)– Restricted schedulers– Metrics
• Flexibility on restrictions– Many ways to restrict– Are we restricting too much?
The Power of Simulation Relations Sixty and BeyondToronto, August 20, 2008 Roberto Segala - University of Verona 37
Summing Up
• Simulation relations are powerful– Interact well with hierarchical verification– Global properties verified via local arguments– Apply to several frameworks
• Security is a new interesting area – We have interesting case studies– We have still many open questions
• We are having a lot of fun