Observational Equivalence

14,000,000 Leading Edge Experts on the ideXlab platform

Scan Science and Technology

Contact Leading Edge Experts & Companies

Scan Science and Technology

Contact Leading Edge Experts & Companies

The Experts below are selected from a list of 5067 Experts worldwide ranked by ideXlab platform

Ugo Montanari - One of the best experts on this subject based on the ideXlab platform.

  • CONCUR - A First Order Coalgebraic Model of pi-Calculus Early Observational Equivalence
    CONCUR 2002 — Concurrency Theory, 2002
    Co-Authors: Maria Grazia Buscemi, Ugo Montanari
    Abstract:

    In this paper, we propose a compositional coalgebraic semantics of the ?-calculus based on a novel approach for lifting calculi with structural axioms to coalgebraic models. We equip the transition system of the calculus with permutations, parallel composition and restriction operations, thus obtaining a bialgebra. No prefix operation is introduced, relying instead on a clause format defining the transitions of recursively defined processes. The unique morphism to the final bialgebra induces a bisimilarity relation which coincides with Observational Equivalence and which is a congruence with respect to the operations. The permutation algebra is enriched with a name extrusion operator ? a la De Brujin, that shifts any name to the successor and generates a new name in the first variable x0. As a consequence, in the axioms and in the SOS rules there is no need to refer to the support, i.e., the set of significant names, and, thus, the model turns out to be first order.

  • a first order coalgebraic model of pi calculus early Observational Equivalence
    International Conference on Concurrency Theory, 2002
    Co-Authors: Maria Grazia Buscemi, Ugo Montanari
    Abstract:

    In this paper, we propose a compositional coalgebraic semantics of the ?-calculus based on a novel approach for lifting calculi with structural axioms to coalgebraic models. We equip the transition system of the calculus with permutations, parallel composition and restriction operations, thus obtaining a bialgebra. No prefix operation is introduced, relying instead on a clause format defining the transitions of recursively defined processes. The unique morphism to the final bialgebra induces a bisimilarity relation which coincides with Observational Equivalence and which is a congruence with respect to the operations. The permutation algebra is enriched with a name extrusion operator ? a la De Brujin, that shifts any name to the successor and generates a new name in the first variable x0. As a consequence, in the axioms and in the SOS rules there is no need to refer to the support, i.e., the set of significant names, and, thus, the model turns out to be first order.

  • Pi-Calculus Early Observational Equivalence: A First Order Coalgebraic Model
    2002
    Co-Authors: Maria Grazia Buscemi, Ugo Montanari
    Abstract:

    In this paper, we propose a compositional coalgebraic semantics of the pi-calculus based on a novel approach for lifting calculi with structural axioms to coalgebraic models. We equip the transition system of the calculus with permutations, parallel composition and restriction operations, thus obtaining a bialgebra. No prefix operation is introduced, relying instead on a clause format defining the transitions of recursively defined processes. The unique morphism to the final bialgebra induces a bisimilarity relation which coincides with Observational Equivalence and which is a congruence with respect to the operations. The permutation algebra is enriched with a name extrusion operator delta a' la De Brujin, that shifts any name to the successor and generates a new name in the first variable. As a consequence, in the axioms and in the SOS rules there is no need to refer to the support, i.e., the set of significant names, and, thus, the model turns out to be first order.

  • A first order coalgebraic model of π-calculus early Observational Equivalence
    Lecture Notes in Computer Science, 2002
    Co-Authors: Maria Grazia Buscemi, Ugo Montanari
    Abstract:

    In this paper, we propose a compositional coalgebraic semantics of the π-calculus based on a novel approach for lifting calculi with structural axioms to coalgebraic models. We equip the transition system of the calculus with permutations, parallel composition and restriction operations, thus obtaining a bialgebra. No prefix operation is introduced, relying instead on a clause format defining the transitions of recursively defined processes. The unique morphism to the final bialgebra induces a bisimilarity relation which coincides with Observational Equivalence and which is a congruence with respect to the operations. The permutation algebra is enriched with a name extrusion operator 6 a la De Brujin, that shifts any name to the successor and generates a new name in the first variable x 0 . As a consequence, in the axioms and in the SOS rules there is no need to refer to the support, i.e., the set of significant names, and, thus, the model turns out to be first order.

  • Observational Equivalence for synchronized graph rewriting with mobility
    International Symposium on Theoretical Aspects of Computer Software, 2001
    Co-Authors: Barbara Konig, Ugo Montanari
    Abstract:

    We introduce a notion of bisimulation for graph rewriting systems, allowing us to prove Observational Equivalence for dynamically evolving graphs and networks.We use the framework of synchronized graph rewriting with mobility which we describe in two different, but operationally equivalent ways: on graphs defined as syntactic judgements and by using tile logic. One of the main results of the paper says that bisimilarity for synchronized graph rewriting is a congruence whenever the rewriting rules satisfy the basic source property. Furthermore we introduce an up-to technique simplifying bisimilarity proofs and use it in an example to show the Equivalence of a communication network and its specification.

Barbara Konig - One of the best experts on this subject based on the ideXlab platform.

  • Observational Equivalence for synchronized graph rewriting with mobility
    International Symposium on Theoretical Aspects of Computer Software, 2001
    Co-Authors: Barbara Konig, Ugo Montanari
    Abstract:

    We introduce a notion of bisimulation for graph rewriting systems, allowing us to prove Observational Equivalence for dynamically evolving graphs and networks.We use the framework of synchronized graph rewriting with mobility which we describe in two different, but operationally equivalent ways: on graphs defined as syntactic judgements and by using tile logic. One of the main results of the paper says that bisimilarity for synchronized graph rewriting is a congruence whenever the rewriting rules satisfy the basic source property. Furthermore we introduce an up-to technique simplifying bisimilarity proofs and use it in an example to show the Equivalence of a communication network and its specification.

  • TACS - Observational Equivalence for Synchronized Graph Rewriting with Mobility
    Lecture Notes in Computer Science, 2001
    Co-Authors: Barbara Konig, Ugo Montanari
    Abstract:

    We introduce a notion of bisimulation for graph rewriting systems, allowing us to prove Observational Equivalence for dynamically evolving graphs and networks.We use the framework of synchronized graph rewriting with mobility which we describe in two different, but operationally equivalent ways: on graphs defined as syntactic judgements and by using tile logic. One of the main results of the paper says that bisimilarity for synchronized graph rewriting is a congruence whenever the rewriting rules satisfy the basic source property. Furthermore we introduce an up-to technique simplifying bisimilarity proofs and use it in an example to show the Equivalence of a communication network and its specification.

Nicolas Oury - One of the best experts on this subject based on the ideXlab platform.

  • TLCA - Observational Equivalence and program extraction in the Coq proof assistant
    Lecture Notes in Computer Science, 2003
    Co-Authors: Nicolas Oury
    Abstract:

    The Coq proof assistant allows one to specify and certify programs. Then, code can be extracted from proofs to different programming languages. The goal of this article is to substitute, at extraction time, some complex and fast data structures for the structures used for specification and proof. This is made under two principal constraints: (1) this substitution must be correct: the optimized data structures in the extracted program must have the same properties as the original ones, (2) on the proof side, the structure must keep a computable nature. If the framework described here is general, we focus on the case of functional arrays. This work leads us to formalize the notion of Observational Equivalence in the Coq system. We conclude with benchmarks.

  • Observational Equivalence and program extraction in the Coq proof assistant
    Lecture Notes in Computer Science, 2003
    Co-Authors: Nicolas Oury
    Abstract:

    The Coq proof assistant allows one to specify and certify programs. Then, code can be extracted from proofs to different programming languages. The goal of this article is to substitute, at extraction time, some complex and fast data structures for the structures used for specification and proof. This is made under two principal constraints: (1) this substitution must be correct: the optimized data structures in the extracted program must have the same properties as the original ones, (2) on the proof side, the structure must keep a computable nature. If the framework described here is general, we focus on the case of functional arrays. This work leads us to formalize the notion of Observational Equivalence in the Coq system. We conclude with benchmarks.

Ralf Sasse - One of the best experts on this subject based on the ideXlab platform.

  • Automated Symbolic Proofs of Observational Equivalence
    2015
    Co-Authors: David Basin, Jannik Dreier, Ralf Sasse
    Abstract:

    Many cryptographic security definitions can be naturally formulated as Observational Equivalence properties. However, existing automated tools for verifying the Observational Equivalence of cryptographic protocols are limited: they do not handle protocols with mutable state and an unbounded number of sessions. We propose a novel definition of Observational Equivalence for multiset rewriting systems. We then extend the Tamarin prover, based on multiset rewriting, to prove the Observational Equivalence of protocols with mutable state, an unbounded number of sessions, and equational theories such as Diffie-Hellman exponentiation. We demonstrate its effectiveness on case studies, including a stateful TPM protocol.

  • ACM Conference on Computer and Communications Security - Automated Symbolic Proofs of Observational Equivalence
    Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015
    Co-Authors: David Basin, Jannik Dreier, Ralf Sasse
    Abstract:

    Many cryptographic security definitions can be naturally formulated as Observational Equivalence properties. However, existing automated tools for verifying the Observational Equivalence of cryptographic protocols are limited: they do not handle protocols with mutable state and an unbounded number of sessions. We propose a novel definition of Observational Equivalence for multiset rewriting systems. We then extend the Tamarin prover, based on multiset rewriting, to prove the Observational Equivalence of protocols with mutable state, an unbounded number of sessions, and equational theories such as Diffie-Hellman exponentiation. We demonstrate its effectiveness on case studies, including a stateful TPM protocol.

Véronique Cortier - One of the best experts on this subject based on the ideXlab platform.

  • Deciding Equivalence-based properties using constraint solving
    Theoretical Computer Science, 2013
    Co-Authors: Vincent Cheval, Véronique Cortier, Stéphanie Delaune
    Abstract:

    Formal methods have proved their usefulness for analyzing the security of protocols. Most existing results focus on trace properties like secrecy or authentication. There are however several security properties, which cannot be defined (or cannot be naturally defined) as trace properties and require a notion of behavioral Equivalence. Typical examples are anonymity, privacy related properties or statements closer to security properties used in cryptography. In this paper, we consider three notions of Equivalence defined in the applied pi calculus: Observational Equivalence, may-testing Equivalence, and trace Equivalence. First, we study the relationship between these three notions. We show that for determinate processes, Observational Equivalence actually coincides with trace Equivalence, a notion simpler to reason with. We exhibit a large class of determinate processes, called simple processes, that capture most existing protocols and cryptographic primitives. While trace Equivalence and may-testing Equivalence seem very similar, we show that may-testing Equivalence is actually strictly stronger than trace Equivalence. We prove that the two notions coincide for image-finite processes, such as processes without replication. Second, we reduce the decidability of trace Equivalence (for finite processes) to deciding symbolic Equivalence between sets of constraint systems. For simple processes without replication and with trivial else branches, it turns out that it is actually sufficient to decide symbolic Equivalence between pairs of positive constraint systems. Thanks to this reduction and relying on a result first proved by M. Baudet, this yields the first decidability result of Observational Equivalence for a general class of equational theories (for processes without else branch nor replication). Moreover, based on another decidability result for deciding Equivalence between sets of constraint systems, we get decidability of trace Equivalence for processes with else branch for standard primitives.

  • A method for proving Observational Equivalence
    2009
    Co-Authors: Véronique Cortier, Stéphanie Delaune
    Abstract:

    Formal methods have proved their usefulness for analyzing the security of protocols. Most existing results focus on trace properties like secrecy (expressed as a reachability property) or authentication. There are however several security properties, which cannot be defined (or cannot be naturally defined) as trace properties and require the notion of Observational Equivalence. Typical examples are anonymity, privacy related properties or statements closer to security properties used in cryptography. In this paper, we consider the applied pi calculus and we show that for determinate processes, Observational Equivalence actually coincides with trace Equivalence, a notion simpler to reason with. We exhibit a large class of determinate processes, called simple processes, that capture most existing protocols and cryptographic primitives. Then, for simple processes without replication nor else branch, we reduce the decidability of trace Equivalence to deciding an Equivalence relation introduced by M. Baudet. Altogether, this yields the first decidability result of Observational Equivalence for a general class of equational theories.

  • CSF - A Method for Proving Observational Equivalence
    2009 22nd IEEE Computer Security Foundations Symposium, 2009
    Co-Authors: Véronique Cortier, Stéphanie Delaune
    Abstract:

    Formal methods have proved their usefulness for analyzing the security of protocols. Most existing results focus on trace properties like secrecy (expressed as a reachability property) or authentication. There are however several security properties, which cannot be defined (or cannot be naturally defined) as trace properties and require the notion of Observational Equivalence. Typical examples are anonymity, privacy related properties or statements closer to security properties used in cryptography.In this paper, we consider the applied pi calculus and we show that for determinate processes, Observational Equivalence actually coincides with trace Equivalence, a notion simpler to reason with.We exhibit a large class of determinate processes, called simple processes, that capture most existing protocols and cryptographic primitives. Then, for simple processes without replication nor else branch,we reduce the decidability of trace Equivalence to deciding an Equivalence relation introduced by M. Baudet. Altogether, this yields the first decidability result of Observational Equivalence for a general class of equational theories.

  • computational soundness of Observational Equivalence
    Computer and Communications Security, 2008
    Co-Authors: Hubert Comonlundh, Véronique Cortier
    Abstract:

    Many security properties are naturally expressed as indistinguishability between two versions of a protocol. In this paper, we show that computational proofs of indistinguishability can be considerably simplified, for a class of processes that covers most existing protocols. More precisely, we show a soundness theorem, following the line of research launched by Abadi and Rogaway in 2000: computational indistinguishability in presence of an active attacker is implied by the Observational Equivalence of the corresponding symbolic processes. We prove our result for symmetric encryption, but the same techniques can be applied to other security primitives such as signatures and public-key encryption. The proof requires the introduction of new concepts, which are general and can be reused in other settings.

  • Computational soundness of Observational Equivalence
    2008
    Co-Authors: Hubert Comon-lundh, Véronique Cortier
    Abstract:

    Many security properties are naturally expressed as indistinguishability between two versions of a protocol. In this paper, we show that computational proofs of indistinguishability can be considerably simplified, for a class of processes that covers most existing protocols. More precisely, we show a soundness theorem, following the line of research launched by Abadi and Rogaway in 2000: computational indistinguishability in presence of an active attacker is implied by the Observational Equivalence of the corresponding symbolic processes. Up to our knowledge, the only result of this kind is Adao and Fournet, in which, however, cryptographic primitives are not part of the syntax. Otherwise, previous works either considered a passive attacker, or, in case of active attackers, proved a soundness result for properties that can be defined on execution traces of the protocol. Anonymity for instance does not fall in the latter category. We prove our result for symmetric encryption, but the same techniques can be applied to other security primitives such as signatures and public-key encryption. The proof requires the introduction of new concepts, which are general and can be reused in other settings.

Observational Equivalence - 15 days free trial to Access Experts & Abstracts