Results 1  10
of
100
A calculus for cryptographic protocols: The spi calculus
 Information and Computation
, 1999
"... We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the ..."
Abstract

Cited by 922 (55 self)
 Add to MetaCart
(Show Context)
We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarsegrained notions of protocol equivalence.
Decoding Choice Encodings
, 1999
"... We study two encodings of the asynchronous #calculus with inputguarded choice into its choicefree fragment. One encoding is divergencefree, but refines the atomic commitment of choice into gradual commitment. The other preserves atomicity, but introduces divergence. The divergent encoding is ..."
Abstract

Cited by 107 (5 self)
 Add to MetaCart
We study two encodings of the asynchronous #calculus with inputguarded choice into its choicefree fragment. One encoding is divergencefree, but refines the atomic commitment of choice into gradual commitment. The other preserves atomicity, but introduces divergence. The divergent encoding is fully abstract with respect to weak bisimulation, but the more natural divergencefree encoding is not. Instead, we show that it is fully abstract with respect to coupled simulation, a slightly coarserbut still coinductively definedequivalence that does not enforce bisimilarity of internal branching decisions. The correctness proofs for the two choice encodings introduce a novel proof technique exploiting the properties of explicit decodings from translations to source terms.
Proof Techniques for Cryptographic Processes
 in 14th Annual IEEE Symposium on Logic in Computer Science
, 1999
"... Contextual equivalences for cryptographic process calculi, like the spicalculus, can be used to reason about correctness of protocols, but their definition suffers from quantification over all possible contexts. Here, we focus on two such equivalences, namely maytesting and barbed equivalence, and ..."
Abstract

Cited by 72 (8 self)
 Add to MetaCart
(Show Context)
Contextual equivalences for cryptographic process calculi, like the spicalculus, can be used to reason about correctness of protocols, but their definition suffers from quantification over all possible contexts. Here, we focus on two such equivalences, namely maytesting and barbed equivalence, and investigate tractable proof methods for them. To this aim, we design an enriched labelled transition system, where transitions are constrained by the knowledge the environment has of names and keys. The new transition system is then used to define a trace equivalence and a weak bisimulation equivalence, that avoid quantification over contexts. Our main results are soundness and completeness of trace and weak bisimulation equivalence with respect to maytesting and barbed equivalence, respectively. They lead to more direct proof methods for equivalence checking. The use of these methods is illustrated with a few examples, concerning implementation of secure channels and verification of proto...
Graph Types For Monadic Mobile Processes
 University of Edinburgh
, 1996
"... . While types for name passing calculi have been studied extensively in the context of sorting of polyadic ßcalculus [5, 34, 9, 28, 32, 19, 33, 10, 17], the same type abstraction is not possible in the monadic setting, which was left as an open issue by Milner [21]. We solve this problem with an ex ..."
Abstract

Cited by 64 (8 self)
 Add to MetaCart
. While types for name passing calculi have been studied extensively in the context of sorting of polyadic ßcalculus [5, 34, 9, 28, 32, 19, 33, 10, 17], the same type abstraction is not possible in the monadic setting, which was left as an open issue by Milner [21]. We solve this problem with an extension of sorting which captures dynamic aspects of process behaviour in a simple way. Equationally this results in the full abstraction of the standard encoding of polyadic ßcalculus into the monadic one: the sorted polyadic ßterms are equated by a basic behavioural equality in the polyadic calculus if and only if their encodings are equated in a basic behavioural equality in the typed monadic calculus. This is the first result of this kind we know of in the context of the encoding of polyadic name passing, which is a typical example of translation of highlevel communication structures into ß calculus. The construction is general enough to be extendable to encodings of calculi with mo...
A coinductive calculus of streams
, 2005
"... We develop a coinductive calculus of streams based on the presence of a final coalgebra structure on the set of streams (infinite sequences of real numbers). The main ingredient is the notion of stream derivative, which can be used to formulate both coinductive proofs and definitions. In close analo ..."
Abstract

Cited by 38 (13 self)
 Add to MetaCart
We develop a coinductive calculus of streams based on the presence of a final coalgebra structure on the set of streams (infinite sequences of real numbers). The main ingredient is the notion of stream derivative, which can be used to formulate both coinductive proofs and definitions. In close analogy to classical analysis, the latter are presented as behavioural differential equations. A number of applications of the calculus are presented, including difference equations, analytical differential equations, continued fractions, and some problems from discrete mathematics and combinatorics.
A Process Calculus for Mobile Ad Hoc Networks
"... Abstract. We present the ωcalculus, a process calculus for formally modeling and reasoning about Mobile Ad Hoc Wireless Networks (MANETs) and their protocols. The ωcalculus naturally captures essential characteristics of MANETs, including the ability of a MANET node to broadcast a message to any o ..."
Abstract

Cited by 35 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We present the ωcalculus, a process calculus for formally modeling and reasoning about Mobile Ad Hoc Wireless Networks (MANETs) and their protocols. The ωcalculus naturally captures essential characteristics of MANETs, including the ability of a MANET node to broadcast a message to any other node within its physical transmission range (and no others), and to move in and out of the transmission range of other nodes in the network. A key feature of the ωcalculus is the separation of a node’s communication and computational behavior, described by an ωprocess, from the description of its physical transmission range, referred to as an ωprocess interface. Our main technical results are as follows. We give a formal operational semantics of the ωcalculus in terms of labeled transition systems and show that the state reachability problem is decidable for finitecontrol ωprocesses. We also prove that the ωcalculus is a conservative extension of the πcalculus, and that late bisimulation (appropriately lifted from the πcalculus to the ωcalculus) is a congruence. Congruence results are also established for a weak version of late bisimulation, which abstracts away from two types of internal actions: τactions, as in the πcalculus, and µactions, signaling node movement. Finally, we illustrate the practical utility of the calculus by developing and analyzing a formal model of a leaderelection protocol for MANETs. 1
Checking NFA equivalence with bisimulations up to congruence
"... Abstract—We introduce bisimulation up to congruence as a technique for proving language equivalence of nondeterministic finite automata. Exploiting this technique, we devise an optimisation of the classical algorithm by Hopcroft and Karp [12] that, instead of computing the whole determinised automa ..."
Abstract

Cited by 33 (6 self)
 Add to MetaCart
(Show Context)
Abstract—We introduce bisimulation up to congruence as a technique for proving language equivalence of nondeterministic finite automata. Exploiting this technique, we devise an optimisation of the classical algorithm by Hopcroft and Karp [12] that, instead of computing the whole determinised automata, explores only a small portion of it. Although the optimised algorithm remains exponential in worst case (the problem is PSPACEcomplete), experimental results show improvements of several orders of magnitude over the standard algorithm. I.
Generalised Coinduction
, 2001
"... We introduce the lambdacoiteration schema for a distributive law lambda of a functor T over a functor F. Under certain conditions it can be shown to uniquely characterise functions into the carrier of a final Fcoalgebra, generalising the basic coiteration schema as given by finality. The duals of ..."
Abstract

Cited by 28 (3 self)
 Add to MetaCart
We introduce the lambdacoiteration schema for a distributive law lambda of a functor T over a functor F. Under certain conditions it can be shown to uniquely characterise functions into the carrier of a final Fcoalgebra, generalising the basic coiteration schema as given by finality. The duals of primitive recursion and courseofvalue iteration, which are known extensions of coiteration, arise as instances of our framework. One can furthermore obtain schemata justifying recursive specifications that involve operators such as addition of power series, regular operators on languages, or parallel and sequential composition of processes. Next...
Characterising testing preorders for finite probabilistic processes
 In LICS’07: Proceedings of the 22nd Annual IEEE Symposium on Logic in Computer Science. IEEE Computer Society Press, Los Alamitos, CA
"... In 1992 Wang & Larsen extended the may and must preorders of De Nicola and Hennessy to processes featuring probabilistic as well as nondeterministic choice. They concluded with two problems that have remained open throughout the years, namely to find complete axiomatisations and alternative cha ..."
Abstract

Cited by 27 (10 self)
 Add to MetaCart
(Show Context)
In 1992 Wang & Larsen extended the may and must preorders of De Nicola and Hennessy to processes featuring probabilistic as well as nondeterministic choice. They concluded with two problems that have remained open throughout the years, namely to find complete axiomatisations and alternative characterisations for these preorders. This paper solves both problems for finite processes with silent moves. It characterises the may preorder in terms of simulation, and the must preorder in terms of failure simulation. It also gives a characterisation of both preorders using a modal logic. Finally it axiomatises both preorders over a probabilistic version of CSP. 1.
Relational Reasoning about Contexts
 HIGHER ORDER OPERATIONAL TECHNIQUES IN SEMANTICS, PUBLICATIONS OF THE NEWTON INSTITUTE
, 1998
"... ..."
(Show Context)