A Process Calculus for Universal Concurrent Constraint Programming

We introduce the Universal Timed Concurrent Constraint Programming (utcc) process calculus; a generalisation of Timed Concurrent Constraint Programming. The utcc calculus allows for the specification of mobile behaviours in the sense of Milner's $\pi$ -calculus: Generation and communication of private links. We first endow utcc with an operational semantics and then with a symbolic semantics to deal with problematic operational aspects involving infinitely many substitutions and divergent internal computations. The novelty of the symbolic semantics is to use temporal constraints to represent finitely infinitely-many substitutions. We also show that utcc has a strong connection with Pnueli's Temporal Logic. This connection can be used to prove reachability properties of processes. As a compelling example, we use utcc to exhibit the secrecy flaw of the Needham-Schroeder security protocol.

Introduction

Process calculi treat concurrent processes much like the $\lambda$ -calculus treat computable functions. They provide a language in which the structure of terms represents the structure of processes together with an operational semantics to represent computational steps. Concurrent Constraint Programming (CCP) [17] is a process calculus which combines the traditional operational view of process calculi with a declarative one based upon logic. This combination allows CCP to benefit from the large body of techniques of both process calculi and logic. In fact, CCP has successfully been used in the modelling of several concurrent scenarios: E.g., Biological, Timed, Reactive and Stochastic systems [19].

Nevertheless, the basic CCP lacks a mechanism to specify generation and communication of private links; i.e. mobility as usually understood in concurrency theory. Such mechanism is fundamental for the specification of systems where agents change their communication structure (mobile systems) as well as protocols where nonces (i.e, randomly-generated unguessable items) are transmitted. In fact, generation and communication of private links are the central operations of one of the main representative formalisms for mobility in concurrency theory, namely the $\pi$ -calculus [11].

We aim at extending CCP to specify mobility. The extension ought to comply with two criteria that distinguish basic CCP from other formalisms: (1) Logic correspondence which provides CCP with a unique declarative view of processes and (2) determinism which is the source of CCP's elegant and simple characterisations (e.g., the clousure operator semantics [17]). Another general criterion for our extension is (3) to be applicable to meaningful concurrent scenarios, in particular those not yet explored using CCP calculi.

Agents in CCP interact with each other by telling and asking information represented as constraints in a global store. The process tell(c) adds the constraint

to the store and the ask process when c do P executes

if c is entailed by the store. The process $\localp{x;c}{P}$ declares a private variable

for

constrained by

and $P\parallel Q$ stands for the parallel execution of P and Q. The computations of processes are deterministic in that the final store is always the same regardless of the execution order of parallel components.

Mobility can be modelled by adding linear parametric ask processes to CCP as done in Linear CCP [6]. A parametric ask A(x) can be viewed as a process when c do P with a variable x declared as a formal parameter. Intuitively, A(x) may evolve into P[y/x], i.e.

with x replaced by y, if c[y/x] is entailed by the store. Mobility is exhibited when y is a private variable (link) from some other process. This extension, however, does not adhere to Criterion (2), i.e. it is non-deterministic: If both c[y/x] and c[z/x] are entailed by the store, A(x) may evolve to either P[y/x] or P[z/x].

The above kind of non-determinism can be avoided by extending CCP only with persistent parametric asks following the semantics of the persistent $\pi$ -calculus in [14]. The idea is that if both

and

are entailed by the store, a persistent

evolves into $A(x) \parallel P[y/x] \parallel P[z/x]$ . Forcing every ask to be persistent, however, makes the extension not suitable for modelling typical scenarios where a process stops after performing its query (e.g., web-services requests).

Our strategy is therefore to extend CCP with temporary parametric ask operations. Intuitively, these operations behave as persistent parametric asks during a time-interval but may disappear afterwards. We do this by generalising the timed CCP model in [16]. We call this extension Universal Timed CCP (utcc). As explained below, we shall show that complies with previously-mentioned criteria (1-3).

Contributions. We first give utcc an operational semantics. However, parametric ask operations pose technical problems: They may generate infinitely many substitutions thus causing divergent (i.e., infinite) internal computations. We resolve this problem by endowing utcc with a novel symbolic semantics that uses temporal constraints to represent finitely a possible infinite number substitutions. We then show that allows for mobility and it is deterministic (Criterion 2). We shall show a strong correspondence with Linear-Time Temporal Logic (LTL) by providing a compositional encoding of utcc processes into LTL formulae (Criterion 1). This correspondence with the standard logic for the verification of concurrent systems allows for reachability analysis central to security protocols: If there is a way to reach a state where an intruder knows a secret, then there is a secrecy breach. To illustrate the applicability of (Criterion 3), we use it to model and predict the secrecy flaw in the well-known Needham-Schroeder Protocol [9].

To the our knowledge this is the first symbolic semantics for a CCP calculus as well as the first one in concurrency theory using temporal constraints as finite representations of substitutions. Furthermore, we are not aware of any other work applying a CCP calculus to model security protocols.

Preliminaries

CCP calculi are parametric in a constraint system (). A cs can be represented as a pair $(\Sigma ,\Delta )$ where $\Sigma$ is a signature of function and predicate symbols, and $\Delta$ is a first-order theory over $\Sigma$ . Given a $(\Sigma ,\Delta )$ , let $\cL$ be its underlying first-order language with variables x,y,..., and logic symbols ${\neg}, {\wedge}, {\vee}, {\imply}, {\Leftrightarrow}, {\exists}, \forall, \true $ and $ \false$ . Constraints c,d,... are formulae over $\cL.$ We say that c entails d in $\Delta$ , written $c\entails_{\Delta} d$ , iff $(c {\imply} d) \in \Delta$ (i.e., iff $c {\imply} d$ is true in all models of $\Delta$ ). We shall omit " $\Delta$ " in $\entails_{\Delta}$ when no confusion arises. For operational reasons $\entails$ is often required to be decidable.

We use $\vec{t}$ for a sequence of terms $t_1,\ldots,t_n$ with length $\vert \vec{t} \vert=n.$ If $\vert\vec{t} \vert= 0$ then $\vec{t}$ is written as $\epsilon$ . We use $c[\vec{t}/\vec{x}]$ , where $\vert\vec{t}\vert=\vert\vec{x}\vert$ and

's are pairwise distinct, to denote c with the free occurrences of x_i replaced with t_i. The substitution [t/x] will be similarly applied to other syntactic entities.

The calculus extends for timed systems [16]. Time is conceptually divided into time intervals (or time units). In a particular time interval, a process P gets an input c from the environment, it executes with this input as the initial store, and when it reaches its resting point, it outputs the resulting store d to the environment. The resting point determines a residual process Q which is then executed in the next time interval. The resulting store d is not automatically transferred to the next time interval.

Definition 1: Processes P, Q, ... in tcc are built from constraints in the underlying cs by the following syntax:

with the variables in x being pairwise distinct.

The process skip does nothing and tell(c) adds c to the store in the current time interval. If in the current time interval c can eventually be derived from the store, when c do P evolves into P within the same time interval. Otherwise when c do P evolves into skip. P||Q denotes P and Q running in parallel during the current time interval and (local x; c)P binds x in P by declaring it private to P under a constraint c. The bound variables bv(Q) (free variables fv(Q)) are those with a bound (a not bound) occurrence in Q. We write (local x)P as short for (local x; true)P

The unit-delay $\nextp{P}$ executes

in the next time interval. The time-out $\unlessp{c}{P}$ is also an unit-delay, but $P$ is executed in the next time unit iff $c$ is not entailed by the final store at the current time interval. We use $\mathbf{next}^{n}P$ as short for $\mathbf{next} \dots \mathbf{next} P$ , with $\mathbf{next}$ repeated

times. Finally, the replication $! P$ means $P\parallel \mathbf{next} P\parallel \mathbf{next}^{2}P\parallel \dots$ , i.e., unboundly many copies of $P$ but one at a time.

Universal Timed cc

In [16] it is shown that processes are finite-state. This means it cannot be used to describe infinite-state behaviours like those arising from mobility which is one of the main concerns in this paper. Mobility is understood in the sense of the $\pi$ -calculus, i.e, communication of private variables (or links). In this section we introduce an extension to which by following a logic approach it provides for mobile behaviour. We call this extension Universal tcc (utcc).

Abstractions

From a logic perspective we shall show that the new binder has a pleasant duality with the local operator: The processes $\localp{\vec{x};c}{P}$ and $\absp{\vec{x}}{c}{P}$ correspond, resp., to the existential and universal formulae $\exists \vec{x} (c \wedge F_P)$ and $\forall \vec{x} (c \imply F_P)$ where

corresponds to

Definition 2 (utcc Processes). The utcc processes result from replacing in the syntax in Definition 1 the expression when c do P with (abs x; c)P with the variables in x being pairwise distinct.

Intuitively, $Q=\absp{\vec{x}}{c}{P}$ performs $P[\vec{t}/\vec{x}]$ in the current time interval for all the terms $\vec{t}$ $c[\vec{t}/\vec{x}]$ is entailed by the store.

binds the variables $\vec{x}$ in

and

. Sets (.) and (.), are extended accordingly. Furthermore

evolves into $\skipp$ at the end of the time unit. We shall use $\whenp{c}{P}$ for the "empty" abstraction $\absp{\epsilon}{c}{P}.$

Mobile links. We conclude this section with a little example illustrating how mobility is obtained from the interplay between abstractions and local processes.

$\begin{example}[Mobility] Let $\Sigma$ be a signature with the unary predicates... ...hat $P \parallel Q$ produces $\outp_2(0)$ in the next time unit. \end{example}$

Operational Semantics (SOS)

The SOS transitions are given by the relations $\redi$ and $\Longrightarrow$ in Table 1. The internal transition $\left\langle P,d\right\rangle \redi \left\langle P',d' \right\rangle$ should be read as `` $P$ with store $d$ reduces, in one internal step, to $P'$ with store $d'$ ''. The observable transition $P\rede{(c,d)} R$ should be read as `` $P$ on input $c$ , reduces in one time unit to $R$ and outputs $d$ ''. The observable transitions are obtained from finite sequences of internal transitions.

Table 1: Internal and observable reductions. $\equiv$ and

are given in Definitions 3 and 4. In $\rAbs$ , $\vec{x} \neq \vec{t}$ denotes $\bigvee_{1\leq i \leq \vert\vec{x}\vert}x_i\neq t_i$ . If $\vert\vec{x}\vert=0$ , $\vec{x} \neq \vec{t}$ is defined as $\false$ .

$\begin{array}{l} \rightinfer[\rTell]{\left\langle \tellp{c},d\right\rangle \:... ...} \left\langle Q,d\right\rangle \: \notredi_{{}} {} } \\ \\ \end{array}$

We dwell a little upon the description of Rule $\rLocal$ as it may seem somewhat complex. Consider $Q = \localp{x;c}{P}$ in Rule $\rLocal$ . The global store is

and the local store is

. We distinguish between the external (corresponding to

) and the internal point of view (corresponding to

). From the internal point of view, the information about $x$ , possibly appearing in the ``global'' store $d$ , cannot be observed. Thus, before reducing

we first hide the information about $x$ that $Q$ may have in

by existentially quantifying $x$ in $d$ . Similarly, from the external point of view, the observable information about

that the reduction of internal agent

may produce (i.e., $c'$ ) cannot be observed. Thus we hide it by existentially quantifying

before adding it to the global store. Additionally, we make

the new private store of the evolution of the internal process.

Rule ${\rAbs}$ describes the behaviour of $\absp{\vec{x}}{c}{P}$ . If the store entails $c[\vec{t}/\vec{x}]$ then $P[\vec{t}/\vec{x}]$ is executed. Additionally, the abstraction persists in the current time interval to allow other potential replacements of $\vec{x}$ in

but

is augmented with $x_i \neq t_i$ to avoid executing $P[\vec{t}/\vec{x}]$ again.

Rule $\rObserv$ says that an observable transition from $P$ labelled with

is obtained from a terminating sequence of internal transitions from $\left\langle P, c\right\rangle$ to a $\left\langle Q,d\right\rangle$ . The process

to be executed in the next time interval is equivalent to $F(Q)$ (the ``future'' of

is obtained by removing from $Q$ abstractions and any local information which has been stored in

, and by ``unfolding'' the sub-terms within ``next'' and ``unless'' expressions.

$\begin{definition} Let $F$ be a partial function defined as: \begin{displaymat... ...P=\unlessp{c}{Q} $} \end{array} \right. \end{displaymath}\par \end{definition}$

We can now illustrate the observable transition showing the expected behaviour in our mobility example.

$\begin{example} % latex2html id marker 329 [Mobile Observable Transition] Let $P... ...$P \parallel Q \rede{(c,d)}R$ with $R \equiv \tellp{\outp_2(0)}.$ \end{example}$

Infinite behaviour within time-units

Due to abstractions the SOS may induce an infinite sequence of internal transitions within a time interval thus never producing an observable transition.

Abstraction Loops. One source of infinite internal behaviour involves looping (recursion) in abstractions. E.g. let $R=\absp{x}{\outp_1(x)}{ \localp{z}{\tellp{\outp_1(z)}})}$ . Each time

gets a link on $\outp_1$ , it generates a new link

on $\outp_1$ thus causing infinite internal behaviour. (A similar problem involves several abstractions producing mutual recursive behaviour.) This kind of looping problems can be avoided by requiring for each $\absp{x}{c}{P}$ that

must be a ``next'' expression. This restriction, however, may also disallow behaviour which will not cause infinite internal computations.

Infinitely Many Substitutions. Another source of infinite internal behaviour involves the cs under consideration. Let $R=\absp{x}{c}{P}.$ If the current store

entails

for infinitely many

's, then

will have to produce

for each such

. This kind of infinite internal behaviour can be avoided by allowing only guards

so that for any

the set $\{ t \vert d \entails c[t/x] \}$ modulo logic equivalence is finite. This seems inconvenient for the modelling of cryptographic knowledge as typically is done in process calculi: The presence of some messages entails the presence of arbitrary compositions among them. We discuss this at length in our security application in Section 6.

Symbolic Semantics

In this section we define a symbolic semantics for utcc whose basic idea is to use temporal constraints to represent in a finite way a possibly infinite number of substitutions as well as the information that an infinite loop may provide. It turns out that without appealing to the syntactic restrictions mentioned above, this semantics guarantees that every sequence of internal transitions is finite.

Symbolic Intuitions

A. Substitutions as Constraints. Take $R=\absp{x}{c}{P}.$ The operational semantics performs

for every

is entailed by the store

Instead, the symbolic semantics dictates that

should produce $e= d \wedge \forall x (c \imply d')$ where, similarly,

should be produced according to the symbolic semantics by

. Let

be an arbitrary term $d \entails c[t/x].$ The idea is that if

is operationally produced by

then

should be entailed by

. Since $d\entails c[t/x]$ then $e \entails d'[t/x] \entails e'.$ Therefore

entails the constraint that any arbitrary

produces.

B. Timed Dependencies in Substitutions. The symbolic semantics represents as temporal constraints dependencies between substitutions from one time interval to another. E.g., suppose that for

above, $P=\nextp{\tellp{e}}$ . Operationally, once we move to the next time unit, the constraints produced are of the form

for those

's the final store

in the previous time unit entails

. The symbolic semantics captures this as $e'=(\past d) \wedge \forall x ((\past c) \imply e)$ where $\past$ is the "previous" modality in temporal logic. Intuitively, $\past c'$ means that

holds in the previous time interval.

Temporal Formulae and Constraints

We shall use (a fragment of) the standard Linear-Time Temporal Logic (LTL) in [10] for our symbolic semantics.

$\begin{definition} Given a cs with a first-order language $\cL$, the \emph{LTL f... ...is a constraint in $\cL$, from now called \emph{state formula.} \end{definition}$

The modalities $\past F,\nextt F$ and $\always F$ state, resp., that

holds previously, next and always. We use $\forall x F$ for $\neg \exists x \neg F$ , and the eventual modality $\sometime F$ as an abbreviation of $\neg \always \neg F$ .

We presuppose the reader is familiar with the basic concepts of Model Theory. The non-logical symbols of $\cL$ are given meaning in an underlying $\cL$ -structure, or $\cL$ -model, $\cM(\cL)=(\cI,\cD).$ (They are interpreted via $\cI$ as relations over a domain $\cD$ of the corresponding arity.) A state

is a mapping assigning to each variable

in $\cL$ a value

in $\cD$ . This interpretation is extended to $\cL$ -expressions in the usual way ( $s[f(x)]=\cI(f)(s[x])$ ). We write $s \models_{\cM(\cL)} c$ iff

is true

in $\cM(\cL)$ . The state

is an

-variant of

iff

for each $y\neq x.$ We use $\sigma$ to range over infinite sequences of states. Furthermore, $\sigma$ is an

-variant of $\sigma'$ iff $\sigma(i)$ is an

-variant of $\sigma'(i)$ for each $i\geq0$ .

$\begin{definition} We say that $\sigma$ \emph{satisfies} $F$ in an $\cL$-struc... ...d} in $\cM(\cL)$ iff for all $\sigma,$ $\sigma \modelsltl F.$ \end{definition}$

LTL Theories. Given a cs $(\Delta, \Sigma)$ with first-order language $\cL$ , the LTL theory induced by $\Delta$ , $T(\Delta)$ is the set of LTL sentences that are LTL valid in all the $\cL$ -structures (or $\cL$ -models) of $\Delta.$ We write $F \entails_{T(\Delta)} G$ iff $(F \imply G) \in T(\Delta)$ . We omit " $\Delta$ " in $\entails_{T(\Delta)}$ when no confusion arises.

Future-free constraints. For the symbolic semantics we take the liberty of assuming that the constraints in processes and configurations are replaced with certain LTL formulae. Namely, future-free formulae: Those which do not contain occurrences of $\always$ and $\nextt.$ So, for example a process-store configuration of the form $\tuple{\absp{y}{\past c}{P}}{\past d}$ may appear in the transitions of the symbolic semantics. We shall abuse the notation by assuming that, in the context of the symbolic semantics, $c,d,c',d',\ldots$ range over future-free formulae. In the context of the SOS, however, $c,d,c',d',\ldots$ range over state formulae only.

$\begin{proposition}Let $(\Delta, \Sigma)$ be a \csystem with decidable entailm... ...ils_T G$ is decidable if $F,G$ are future-free LTL formulae. \end{proposition}$

Symbolic Reductions.

The internal and observable symbolic transitions $\redi_s, \Longrightarrow_s$ are defined as in Table 1 with $\entails$ replaced by $\entails_T$ and with $\rAbs$ and $\rObserv$ replaced, resp., by $\rAbsSym$ and $\rObservSym$ in Table 2 (with

and

representing future-free formulae rather than just state-formulae).

The rule $\rAbsSym$ represents with the temporal constraint $\forall \vec{x} (c \imply d')$ the substitutions that its operational counterpart $\rAbs$ would induce as intuitively explained in Section 4.1(A). Notice that in the reduction of

the variables $\vec{x}$ in

are hidden, via existential quantification, to avoid clashes with those in

The function

in $\rObservSym$ is similar to its operational counterpart

. However,

records the final global and local stores as well as abstraction guards as past information. As explained in Section 4.1(B) this past information is needed in next time unit.

Table 2: Symbolic Rules for Internal and Observable Transitions. The function

is given in Definition 7.

$\begin{array}{l} \rightinfer[\rAbsSym]{ \begin{array}{l} \tuple{ \absp{\vec{x}... ...e Q,d\right\rangle \: \not \hspace{-.1cm}\redisym {} } \\ \\ \end{array}$

$\begin{definition} Let ${F_s}$ a partial function from configurations to proces... ...isplaymath}where $c$ and $d$ represent future-free formulae. \end{definition}$

Finally, it is easy to verify that no infinite sequence $\gamma_1 \redisym \gamma_2 \redisym \ldots$ can be generated by the symbolic semantics. Thus we avoid the problems discussed in Section 3.2.

Semantic Results

$\begin{theorem}[Determinism]For every $P,c$ if $P\rede{(c,d)}Q$ and $P \rede{(... ...)}_s Q'$ then $Q\equiv Q'$ and $\entails_T d\Leftrightarrow d'$. \end{theorem}$

Operational Correspondence. The correspondence between the two semantics is given below. It states that the (untimed) constraints entailed by the outputs of any arbitrary long sequence of observable reductions coincide with those of the corresponding one in the symbolic semantics.

We say that

is abstracted-unless free iff it has no occurrences of processes of the form $\unlessp{c}{Q}$ under the scope of an abstraction.

$\begin{theorem}[Semantic Correspondence] Let $P$ be an abstracted-unless free p... ...formula $d$ and $i>0$, $d_i \entails d$ iff $d_i' \entails_T d.$ \end{theorem}$

We confined ourselves to abstracted-unless free processes due to the problem of representing the negation of entailment as logic formulae. Take $P=\absp{x}{\true}{Q}$ where $Q=\unlessp{e}{\tellp{e'}}.$ Let

be the final store in the first time unit when running

. Operationally, $\tellp{e'}[t/x]$ is executed in the second time unit for those

's $d \not\entails e[t/x].$ Following Section 4.1 one may try to capture this in the symbolic semantics with $\past d \wedge \forall x (\past (\neg e) \imply e')$ as if we had $Q=\whenp{\neg e}{\nextp{\tellp{e'}}}.$ This wrongly assumes, however, that in general $d \not \entails e[t/x]$ is equivalent to $d \entails \neg e[t/x].$

Abstract-unless free processes represent a meaningful and practical fragment of utcc They are sufficient to express all the examples and intended applications of this paper. Furthermore, we have proven they are able to model Turing Machines which bears witness to their universal expressiveness.

LTL Correspondence. The compositional encoding in Definition 8 gives a pleasant correspondence between $\utcc$ processes and LTL formulae. It shows the duality between local and abstraction operators, represented resp. as existential and universal quantified formulae.

$\begin{definition} Let $\os \cdot \cs$ a map from $\utcc$ processes to LTL for... ...\bangp{P}\cs &=& \Box \os P \cs \\ \end{array}\end{displaymath}\end{definition}$

$\begin{notation}Suppose that $P_1\rede{(\true,c_1)}_sP_2\rede{(\true,c_2)}_s\ldo... ...itten $P\Uparrow^c,$ iff for some $i>0,$ $c_i \entails_{T} c$. \end{notation}$

$\begin{theorem} % latex2html id marker 531 [Logic Correspondence] Let $\os \cdo... ... \os P \cs \entails_{T} \sometime c \mbox{ iff } P\Uparrow^c $. \end{theorem}$

A key aspect of Theorem 3 is that it allows using well-established techniques from LTL for reachability analysis of utcc processes: E.g., to verify if a given security protocol modelled in utcc can reach a state where secrecy is violated.

Applications

This section illustrates the use of in the analysis of security protocols. In particular, we shall exhibit the secrecy flaw of the Needham-Schroeder protocol (NS) [9].

**Figure 1:** Needham-Schroeder Protocol
$\begin{figure}\begin{center} \begin{tabular}{cc} $\begin{array}{lll} A\to B & : ... ...C & : & \{n\}_C \end{array}$\\ (a) & (b) \end{tabular}\end{center} \end{figure}$

Modelling NS in utcc. As typically done we follow the Dolev and Yao thread model [7] which presupposes an attacker that can eavesdrop, disassemble, compose, encrypt and decrypt messages with available keys. It also presupposes that cryptography is unbreakable. We begin by defining a cs based on [7] which follows the Dolev and Yao model.

$\begin{definition} % latex2html id marker 563Let $\Sigma_s$ be a signature wi... ...\csystem is the pair $(\Sigma_\texttt{s},\Delta_\texttt{s}).$ \end{definition}$

Intuitively, $\cP$ and $\cK$ represent the principal identifiers $A,B,\ldots$ and keys $k,k',\ldots$ . We use $\{m\}_k$ , $\{m_1,m_2\}$ , $k^{-1}$ , resp., for $\encp(m,k)$ (encryption), $\pairp(m_1,m_2)$ (composition) and $\invp(k)$ (inverse key). Furthermore, $\keypp(x)$ represents the public key of

. From [7] one can show that $\entailsec$ is decidable. The rule $\rEnc$ says that if one can infer that the message

as well as a key

are output on the global channel $\outp$ , then one may as well infer that $\{m\}_k$ is also output on $\outp$ . The other rules can be explained similarly.

Table: Security entailment relation.

$\begin{array}{cc} \rightinfer[\rPrj]{F \entailsec \outp(m_{i}) }{F \entailsec ... ...(m)}{F \entailsec \outp(k^{-1}) F\entailsec \outp(\{m\}_k)} \end{array}$

We now specify the principals. The NS model uses $\mathbf{Init}$ and $\mathbf{Resp}$ describing the role of the initiator and the responder

and

in Figure 1(a). Posting messages, nonce generation, message reception are modelled, resp., using tell, local and wait processes.

Notice that since Responder's nonce cannot be known by an attacker, $\mathbf{Resp}(t)$ states that

is secret.

We also define an observer $\cO$ telling $\failp$ whenever a secret appears unprotected on the global channel $\outp.$ Additionally the observer remembers every message that was ever on $\outp$ by transferring them across the time intervals.

We can use the symbolic semantics to show that $\mathcal{NS}$ eventually outputs $\failp:$

Alternatively, the above proposition can be proved using Theorem 3 and LTL deduction.

Notice that we cannot use the SOS to exhibit an output of $\failp$ since the secure will generate infinite substitutions within a time interval (see Section 3.2). E.g., If $F\entails \outp(m)$ then $F\entails \outp(\{ m,m \})$ and $F\entails \outp(\{m,m,m\})$ and so on. This illustrates the relevance of the symbolic semantics and the correspondence in Theorem 3.

Related and Concluding Remarks

Mobility has been introduced in other CCP-related formalisms. In particular LMNtal [18] and Atomic CCP [8] where logical variables also represent links. LMNtal has emerged as an unifying model of concurrency, as such it is not restricted to be deterministic. Similarly, Atomic CCP is non-deterministic. To our knowledge no correspondence between these languages and logic has been given.

Several process calculi have been specifically designed for the analysis of security protocols, e.g., [7,3,5]. Although can be used to reason about certain aspects of security protocols (e.g., secrecy), it was not designed exclusively for this domain of application. Nevertheless, its LTL characterisation offers a reasoning technique for reachability, to our knowledge not provided by the above calculi.

The rather successful logic programming approach to security protocols in [2] is closely related to ours in . The basic difference is that the underlying logic in [2] is Horn clauses while ours is LTL. Also our approach benefits from the operational view of process calculi. Finally, in [1] soft constraints are used to give an interesting quantitative approach to analysing integrity, confidentiality and authentication in security protocols. This approach is, however, more related to constraint satisfaction than to CCP.

Since preserves the basic properties of , we believe it allows for a smooth extension of the elegant clousure operator semantics in [16]. From a practical point of view, we have implemented in Oz [15] an interpreter executing programs written in . Following the SOS, the interpreter computes the final stores given the input sequences and the process to be executed. To avoid problems with infinitely many substitutions, we restricted

and

in Rules $\rEnc$ and $\rPair$ to have less than a fix number of applications of $\encp$ and $\pairp$ . In this way we have automatically verified Proposition 2.

Abstract: