Results 1  10
of
29
From Rewrite Rules to Bisimulation Congruences
 THEORETICAL COMPUTER SCIENCE
, 1998
"... The dynamics of many calculi can be most clearly defined by a reduction semantics. To work with a calculus, however, an understanding of operational congruences is fundamental; these can often be given tractable definitions or characterisations using a labelled transition semantics. This paper consi ..."
Abstract

Cited by 71 (2 self)
 Add to MetaCart
The dynamics of many calculi can be most clearly defined by a reduction semantics. To work with a calculus, however, an understanding of operational congruences is fundamental; these can often be given tractable definitions or characterisations using a labelled transition semantics. This paper considers calculi with arbitrary reduction semantics of three simple classes, firstly ground term rewriting, then leftlinear term rewriting, and then a class which is essentially the action calculi lacking substantive name binding. General definitions of labelled transitions are given in each case, uniformly in the set of rewrite rules, and without requiring the prescription of additional notions of observation. They give rise to bisimulation congruences. As a test of the theory it is shown that bisimulation for a fragment of CCS is recovered. The transitions generated for a fragment of the Ambient Calculus of Cardelli and Gordon, and for SKI combinators, are also discussed briefly.
Models of Sharing Graphs: A Categorical Semantics of let and letrec
, 1997
"... To my parents A general abstract theory for computation involving shared resources is presented. We develop the models of sharing graphs, also known as term graphs, in terms of both syntax and semantics. According to the complexity of the permitted form of sharing, we consider four situations of sha ..."
Abstract

Cited by 60 (9 self)
 Add to MetaCart
To my parents A general abstract theory for computation involving shared resources is presented. We develop the models of sharing graphs, also known as term graphs, in terms of both syntax and semantics. According to the complexity of the permitted form of sharing, we consider four situations of sharing graphs. The simplest is firstorder acyclic sharing graphs represented by letsyntax, and others are extensions with higherorder constructs (lambda calculi) and/or cyclic sharing (recursive letrec binding). For each of four settings, we provide the equational theory for representing the sharing graphs, and identify the class of categorical models which are shown to be sound and complete for the theory. The emphasis is put on the algebraic nature of sharing graphs, which leads us to the semantic account of them. We describe the models in terms of the notions of symmetric monoidal categories and functors, additionally with symmetric monoidal adjunctions and traced
A Compositional Logic for Proving Security Properties of Protocols
 Journal of Computer Security
, 2002
"... We present a logic for proving security properties of protocols that use nonces (randomly generated numbers that uniquely identify a protocol session) and publickey cryptography. The logic, designed around a process calculus with actions for each possible protocol step, consists of axioms about ..."
Abstract

Cited by 50 (12 self)
 Add to MetaCart
We present a logic for proving security properties of protocols that use nonces (randomly generated numbers that uniquely identify a protocol session) and publickey cryptography. The logic, designed around a process calculus with actions for each possible protocol step, consists of axioms about protocol actions and inference rules that yield assertions about protocols composed of multiple steps. Although assertions are written using only steps of the protocol, the logic is sound in a stronger sense: each provable assertion about an action or sequence of actions holds in any run of the protocol that contains the given actions and arbitrary additional actions by a malicious attacker. This approach lets us prove security properties of protocols under attack while reasoning only about the sequence of actions taken by honest parties to the protocol. The main securityspecific parts of the proof system are rules for reasoning about the set of messages that could reveal secret data and an invariant rule called the "honesty rule." 1
Recursion from Cyclic Sharing: Traced Monoidal Categories and Models of Cyclic Lambda Calculi
, 1997
"... . Cyclic sharing (cyclic graph rewriting) has been used as a practical technique for implementing recursive computation efficiently. To capture its semantic nature, we introduce categorical models for lambda calculi with cyclic sharing (cyclic lambda graphs), using notions of computation by Moggi / ..."
Abstract

Cited by 45 (5 self)
 Add to MetaCart
. Cyclic sharing (cyclic graph rewriting) has been used as a practical technique for implementing recursive computation efficiently. To capture its semantic nature, we introduce categorical models for lambda calculi with cyclic sharing (cyclic lambda graphs), using notions of computation by Moggi / Power and Robinson and traced monoidal categories by Joyal, Street and Verity. The former is used for representing the notion of sharing, whereas the latter for cyclic data structures. Our new models provide a semantic framework for understanding recursion created from cyclic sharing, which includes traditional models for recursion created from fixed points as special cases. Our cyclic lambda calculus serves as a uniform language for this wider range of models of recursive computation. 1 Introduction One of the traditional methods of interpreting a recursive program in a semantic domain is to use the least fixedpoint of continuous functions. However, in the real implementations of program...
NonInterleaving Semantics for Mobile Processes
 Theoretical Computer Science
, 1995
"... This paper studies causality in ßcalculus. Our notion of causality combines the dependencies given by the syntactic structure of processes with those originated by passing names. Our studies show that two transitions not causally related may however occur in a fixed ordering in any computation, i.e ..."
Abstract

Cited by 41 (19 self)
 Add to MetaCart
This paper studies causality in ßcalculus. Our notion of causality combines the dependencies given by the syntactic structure of processes with those originated by passing names. Our studies show that two transitions not causally related may however occur in a fixed ordering in any computation, i.e., ßcalculus may implicitly express a precedence between actions. Our causality relation still induces the same partial order of transitions for all the computations that are obtained by shuffling transitions that are concurrent (i.e. related neither by causality nor by precedence). Other noninterleaving semantics are investigated and compared. The presentation takes advantage from a parametric definition of process behaviour given in an SOS style. All the results on bisimulationbased equivalences, congruences, axiomatizations and logics are taken (almost) without modifications from the interleaving theory. Finally, we extend our approach to higherorder ßcalculus, enriched with a spawn ...
A Theory of Bisimulation for the picalculus
, 1993
"... We study a new formulation of bisimulation for the calculus [MPW92], which we have called open bisimulation ( ). In contrast with the previously known bisimilarity equivalences, is preserved by all calculus operators, including input prefix. The differences among all these equivalences alread ..."
Abstract

Cited by 39 (0 self)
 Add to MetaCart
We study a new formulation of bisimulation for the calculus [MPW92], which we have called open bisimulation ( ). In contrast with the previously known bisimilarity equivalences, is preserved by all calculus operators, including input prefix. The differences among all these equivalences already appear in the sublanguage without name restrictions: Here the definition of can be factorised into a "standard" part which, modulo the different syntax of actions, is the CCS bisimulation, and a part specific to the calculus, which requires name instantiation. Attractive features of are: a simple axiomatisation (of the finite terms), with a completeness proof which leads to the construction of minimal canonical representatives for the equivalence classes of ; an "efficient" characterisation, based on a modified transition system. This characterisation seems promising for the development of automatedverification tools and also shows the callbyneed flavour of . Although in the...
A Compositional Logic for Protocol Correctness
 In Proceedings of 14th IEEE Computer Security Foundations Workshop
, 2001
"... We present a specialized protocol logic that is built around a process language for describing the actions of a protocol. In general terms, the relation between logic and protocol is like the relation between assertions in FloydHoare logic and standard imperative programs. Like FloydHoare logic, o ..."
Abstract

Cited by 33 (14 self)
 Add to MetaCart
We present a specialized protocol logic that is built around a process language for describing the actions of a protocol. In general terms, the relation between logic and protocol is like the relation between assertions in FloydHoare logic and standard imperative programs. Like FloydHoare logic, our logic contains axioms and inference rules for each of the main protocol actions and proofs are protocoldirected, meaning that the outline of a proof of correctness follows the sequence of actions in the protocol. We prove that the protocol logic is sound, in a specific sense: each provable assertion about an action or sequence of actions holds in any run of the protocol, under attack, in which the given actions occur. This approach lets us prove properties of protocols that hold in all runs, while explicitly reasoning only about the sequence of actions needed to achieve this property. In particular, no explicit reasoning about the potential actions of an attacker is required.
A derivation system for security protocols and its logical formalization
 In Proceedings of 16th IEEE Computer Security Foundations Workshop
, 2003
"... Many authentication and key exchange protocols are built using an accepted set of standard concepts such as DiffieHellman key exchange, nonces to avoid replay, certificates from an accepted authority, and encrypted or signed messages. We introduce a basic framework for deriving security protocols f ..."
Abstract

Cited by 30 (18 self)
 Add to MetaCart
Many authentication and key exchange protocols are built using an accepted set of standard concepts such as DiffieHellman key exchange, nonces to avoid replay, certificates from an accepted authority, and encrypted or signed messages. We introduce a basic framework for deriving security protocols from such simple components. As a case study, we examine the structure of a family of key exchange protocols that includes StationToStation (STS), ISO97983, Just Fast Keying (JFK), IKE and related protocols, deriving all members of the family from two basic protocols using a small set of refinements and protocol transformations. As initial steps toward associating logical derivations with protocol derivations, we extend a previous security protocol logic with preconditions and temporal assertions. Using this logic, we prove the security properties of the standard signature based ChallengeResponse protocol and the DiffieHellman key exchange protocol. The ISO97983 protocol is then proved correct by composing the correctness proofs of these two simple protocols. 1