Theory Days at Andup.1 Proving the Correctness of Dependency Graph Transformation Ilja Tšahhirov (joint work with Peeter Laud and Keiko Nakata)

Theory Days at Andup.2 Talk plan Dependency graphs: some background Execution semantics formalization First step – graph fragments equivalence Next steps

Theory Days at Andup.3 A Security Protocol A  B: { secret } K AB B  : OK

Theory Days at Andup.4 Dependency Graph E K M Λ V ?? D ok? 1 ?? ?

Theory Days at Andup.5 Dependency Graph Execution Initialize the graph node values with ┴ / false, Repeat{ Adversary sets the and -nodes Graph is evaluated Adversary is made aware of the values of -nodes } until the Adversary indicates to stop Adversary’s goal in the game is to produce different output depending on the secret message ??

Theory Days at Andup.6 Transforming Dependency Graph The game does not change if a graph is replaced with another graph, having the same semantics, for example: Can be replaced with Λ ΛΛ

Theory Days at Andup.7 GUI for executing transformations

Theory Days at Andup.8 The Goal of this Work One has to be sure that the transformation preserves the semantics, before applying it The analyzer already has tens of transformations encoded; some of them are quite complex (in terms of amount of nodes involved) Need to have a way of formally ensuring that: –Two fragments are equivalent, –Procedure for applying the transformation preserves graph semantics when exchanging one fragment with another, equivalent, fragment

Theory Days at Andup.9 Talk plan Dependency graphs: some background Execution semantics formalization First step – graph fragments equivalence Next steps

Theory Days at Andup.10 Graph A Graph is a set of nodes, each representing a computation A Node is identified by –Its identity (label) –Its operation. An operation is either bitstring-valued or boolean- valued. The operation dictates which input ports the node has Operations: RS, Nonce, Const, Keypair, Pubkey, SigVer, VerKey, SymKey, PubEnc, SymEnc, PubEncZ, SymEncZ, Signature, SignedMsg, Tuple, Proj, PubDec, SymDec, Send, Begin, End, Receive, Secret, Merge, Id, Error, And, Or, Req, True, False, IsOK, IsEq, IsNeq, TestSig, TestSigP, InputB, InputS, OutputB, OutputS A Graph is a set of nodes, each representing a computation A Node is identified by –Its identity (label) –Its operation. An operation is either bitstring-valued or boolean- valued. The operation dictates which input ports the node has Operations: RS, Nonce, Const, Keypair, Pubkey, SigVer, VerKey, SymKey, PubEnc, SymEnc, PubEncZ, SymEncZ, Signature, SignedMsg, Tuple, Proj, PubDec, SymDec, Send, Begin, End, Receive, Secret, Merge, Id, Error, And, Or, Req, True, False, IsOK, IsEq, IsNeq, TestSig, TestSigP InputB, InputS, OutputB, OutputS

Theory Days at Andup.11 Configuration During the graph evaluation a value is computed for each node Graph itself is not changed during evaluation – the evaluation result is stored in the configuration: –Environment: Label  Value –Input environment: Label*  Value Label: set of label of all nodes Label*: set of label of InputB-nodes

Theory Days at Andup.12 Graph Evaluation Informally, the graph evaluation proceeds as following: Initialize: –Initialize the input environment with external inputs –Initialize the environment to map every node to false Repeat { for each node { Compute operation result (the values of operation inputs are taken from the environment or input environment) Store the computed value in the environment } } until no more changes are observed (for each node the computed value is equal to what is stored in the environment)

Theory Days at Andup.13 Graph Evaluation - Example 3:And 4:OutputB 1:InputB 2:True ρ 1 = false φ 1 = true ρ 3 = false ρ 4 = false ρ 2 = false ρ 1 = true ρ 2 = true ρ 3 = true ρ 4 = true

Theory Days at Andup.14 Graph: Theorem Prover Encoding Definition label := nat. Inductive operation : Type := | andop (ll: list label) | trueop | falseop | inputop | outputop (l: label). Inductive node : Type := boolnode (l: label)(o: operation). Definition graph := list node. Definition g3' : graph := ( (boolnode 1 inputop) ::(boolnode 3 (andop (1::nil))) ::(boolnode 4 (outputop 3)) ::nil). 3:And 1:InputB 4: OutputB

Theory Days at Andup.15 Environment: Theorem Prover Encoding (*Definition – both for environment and input environment *) label := nat value := bool env := list (label * value) (* Access and update functions *) lookup (r:env)(l:label) : option bool uf (r:env)(l:nat)(v:bool) : option env

Theory Days at Andup.16 Operation Semantics Fixpoint bf (rho:env) (phi:env) (n:node) : option bool := match n with boolnode l o  match o with | trueop  Some true | falseop  Some false | andop ll  andbn rho ll | inputop  lookup phi l | outputop l1  lookup rho l1 end end.

Theory Days at Andup.17 Graph Evaluation Step Fixpoint evalstep (g:graph)(rho:env)(phi:env) {struct g} : option env := match g with | nil  Some rho | (boolnode l o ) :: tl  let v := lookup rho l in match v with | None  None | Some b  let v':= bf rho phi (boolnode l o) in match v' with | None  None | Some b'  if (bool_dec b b') then evalstep tl rho phi else uf rho l b' end end.

Theory Days at Andup.18 Graph Evaluation Fixpoint eval (g:graph)(rho phi:env)(n:nat): option env := match n with | 0  Some rho | S n'  match (evalstep g rho phi) with | None  None | Some rho'  let n'' := ‌rho'‌ in if (beq_nat n n'') then Some rho else eval g rho' phi n' end end.

Theory Days at Andup.19 Talk plan Dependency graphs: some background Execution semantics formalization First step – graph fragments equivalence Next steps

Theory Days at Andup.20 Equivalence Definition – Example 1:input 4:output 3:and 4:output 1:input 2:true g1g1 g2g2 phi := (1,v)::nil rho init1 := (1,false)::(4:false)::nil rho init2 := (1,false)::(2,false)::(3, false)::(4:false)::nil rho final1 := eval g 1 rho init1 phi 2 rho final2 := eval g 2 rho init2 phi 4 Equivalence means that lookup rho final1 4 = lookup rho final2 4

Theory Days at Andup.21 Equivalence Definition Given the graphs g 1, g 2, satisfying the following requirements: Each node must have unique label Both graphs must have same set of input and output nodes The equivalence of g 1 and g 2 holds if for every output node with label l on g 1, lookup (eval g 1 rho 1 phi ‌rho 1 ‌) l = lookup (eval g 2 rho 2 phi ‌rho 2 ‌) l

Theory Days at Andup.22 Proving Equivalence Key Lemmas about Semantics Lemma eval_is_evalstep_fixpoint: forall g rho rho' phi, eval g rho phi ‌rho‌ = rho'  evalstep g rho' phi = rho'. Lemma evalstep_fixpoint_is_correct: forall g rho phi, evalstep g rho phi = Some rho  forall l op, node_in_graph (boolnode l op) g  lookup rho l = bf rho phi (boolnode l op).

Theory Days at Andup.23 Equivalence Proof Plan for two particular fragments Given the graph definitions, limit the output equality to particular output nodes For each of the two graphs: –Show that evaluation result is a fixed point of evalstep (using eval_is_evalstep_fixpoint ) –Show that the environment ( rho ) holds for all the nodes their “final” value at evaluation result (using evalstep_fixpoint_is_correct ) –For each node present its value as a function from input environment ( phi ) For each of the output nodes: –Show that on the first and the second graphs the functional dependency of the node from the input environment is the same

Theory Days at Andup.24 Talk plan Dependency graphs: some background Execution semantics formalization First step – graph fragments equivalence Next steps

Theory Days at Andup.25 Next Steps Graph equivalence definition and proof framework was the first significant step towards integration with automated analyzer tool The remaining steps are: –Formally define exchanging the (sub-)graph on another graph –Show that if two sub-graphs, g 1 and g 2, are equivalent, then exchanging g 1 with g 2 on a graph, containing g 1, results in the equivalent graph –Bring back the complete operations set –Bring in the support for the infinite fragments / graphs

Theory Days at Andup.26 Thank you!