Logical Analysis and Verification of Cryptographic Protocols - Loria

7.2. APPLIED PI CALCULUS 183
COMM c〈x〉.P | c(x).Q −→ P | Q
THEN if ψ then P else Q −→ P if ψ
ELSE if ψ then P else Q −→ Q if ¬ψ
Example 26 Consider the process ν a.(ν k.a〈k〉 | a(x).P ) which models the distribution
of key k using private channel a. We have ν a.(ν k.a〈k〉 | a(x).P ) ≡ ν x.({k/x} |
ν a.ν k.(a〈x〉 | a(x).P )). We can now model the communication using the COMM rule
ν x.({k/x} | ν a.ν k.(a〈x〉 | a(x).P )) −→ ν x.({k/x} | ν a.ν k.(0 | P )) ≡ ν k.P {k/x}
(where a �∈ fn(P )).
The labelled semantics ( α −→) extends internal reduction by the following rules.
We suppose that u is either a channel name or a variable of base type.
IN c(x).P c(M)
−−→ P {M/x}
OUT-ATOM c〈u〉.P c〈u〉
−−→ P
OPEN-ATOM
SCOPE
PAR
STRUCT
A c〈u〉
−−→ A ′ u �= c
ν u.c〈u〉
ν u.A −−−−→ A ′
A α −→ A ′ u does not occur in α
ν u.A α −→ ν u.A ′
A α −→ A ′ bv(α) ∩ fv(B) = bn(α) ∩ fn(B) = ∅
A | B α −→ A ′ | B
A ≡ B B α −→ B ′ B ′ ≡ A ′
A α −→ A ′
Example 27 Continuing example 26, and let us consider the process ν a.(ν k.a〈k〉 |
a(x).c〈sign(m, k)〉) i.e. we have added the output of a signed message using the key
distributed. Since internal reduction is closed by structural equivalence and by our
previous reasoning we have ν a.(ν k.a〈k〉 | a(x).c〈sign(m, k)〉) −→ ν k.c〈sign(m, k)〉.
We model the output of sign(m, k) to the environment using labelled semantics:
ν x.c〈x〉
ν k.c〈sign(m, k)〉 −−−−→ ν k.{sign(m, k)/x}.
An extended process A is said to be irreducible if there does not exist B, α
such that A −→ B or A α −→ B.
Remark. We will abbreviate (M1, . . . , Mn) as ˜ M and occasionally we write
˜xf for (xf(1), . . . , xf(n)) where f : {1, . . . , n} → {1, . . . , m}. We abbreviate
{M1/x1}| . . . |{Mk/xk} as { ˜ M/˜x} or σ. We also write σ, {M/x}, { ˜ M/˜x} for substitions