Molly/TranscriptsRole.v at main · dandougherty/Molly · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
(* Time-stamp: <Mon 4/15/24 11:12 Dan Dougherty TranscriptsRole.v> *)

(**

    There is a real duality between encrytion and decryption,
    expressed in [Runtime.rtencr_iff].
    Namely, that when rkd and rke are runtime inverses,

    [rtencr rp rke re] if and only if [decr re rkd = Some rp]

    When working with neutral expressions, ie when the expression is
    not explicitly an [_Encr], it is natural to use decryption rather
    than encryption.  We might hope for an equivalence at the symbolic
    level.  But we can't because at the symbolic level not every term
    [t] has an inverse.  More precisely we can't always identify a
    symbolic term [t'] which is guranteed to be evauated to the
    runtime inverse of [t], even by well-behaved term-valuations.
    This is an essential feature of non-deterministic encryption.

    There is awkwardness even in formulating an equivalence at the
    runtime level, dues to the fact that a given [tv] might not be
    defined for both parts of a symbolic key pair (in particular, for
    the case we care about, when the [tv] is defined by pulling back
    along the statements of an eproc.

    Ultimately this is only a programming inconvenience since gven a
    tv it is natural to "complete" it by extending its domain to
    include both parts of a key pair whenever a key is in the domain.
    But we don't bother to do this (for now).  As a consequence we
    simply build the two approaches (the inro and the elim) into the
    DEFN of good term valuation.
*)

From Coq Require Export List Bool Arith. (* Includes PeanoNat *)
Export ListNotations.

From RC Require Import
  CpdtTactics
  Utilities
  ListUtil
  Decidability
  Sorts
  Act
  Runtime
  Term
  Subterms
  Role

.

(** * Runtime semantics of roles  *)

(**
The starting point is a RELATION from terms to runtime values.

This is in contrast to the definition of transcript for a proc (or an
eproc), where we start with a FUNCTON from locations to runtime values
(respectively, from eterms to runtime values).   This is unavoidable
since different term occurrences can have different values.

*)
Section TermVal.

  Context {RTV : RTVal}.

  (** The properties we will insist on for a termVal *)
  Section termValProps.

    (* Variable rl: Role. *)
    Variable tv: rel Term rtval.

    (** respect sorts *)
    Definition tv_sorts :=      forall t r,
        is_elementary t ->
        tv t r ->
        rtsort r = sort_of t.

    (** non-determinism can only arise from non-determinstic
    constructors ... tv is a function on elelmentary terms *)

    Definition tv_functional :=
      forall t r1 r2,
        is_elementary t ->
        tv t r1 -> tv t r2 ->
        r1 = r2.

    (** pairing: the obvious condition *)

    Definition tv_pair :=
      forall t1 t2 r,
        tv (Pr t1 t2) r ->
        exists r1 r2,
          (tv t1 r1 /\ tv t2 r2 /\
             rtpair r1 r2 = r).

    (** hashing: the obvious condition *)

    Definition tv_hash :=
      forall t1 r,
        tv (Hs t1) r ->
        exists r1,
          tv t1 r1 /\
            rthash r1 = r .

    (** quotation: the obvious condition *)

    Definition tv_qot :=
      forall  s (r: rtval),
        tv (Qt s) r ->
        r = rtquote s.


    (* -------------------------------------- *)
    (** inverses : subtle! *)

    Definition tv_key_pair :=
      forall t t' (r r' : rtval),
        makes_key_pair t t' = true ->
        tv t r ->
        tv t' r' ->
        rtkypr r r'.
    (* rtkypr r r' = true. *)

    (** says that tv maps both parts of a key pair

        we do NOT use this one *)

    Definition tv_key_pair_strong:=
      forall t t' r ,
        makes_key_pair t t' = true ->
        tv t r ->
        exists r',
          tv t' r' .

    (* -------------------------------------- *)
    (** encryption *)

    (** encryption needs care.
        See discussion at the top of this file.  *)

    (* the obvious condition for when the encryption is being
    constructed *)

    Definition encr_condition
      (p ke : Term) (re : rtval)  :=
      exists (rp rke : rtval),
        tv ke rke
        /\ tv p rp
        /\ rtencr rp rke re.


    (** note that here we do not say anything about having the
        encryption key, rather that we have access to the decryption
        key *)

    Definition decr_condition
      (p ke : Term) (re : rtval) :=
      exists (rp rkd: rtval),
        tv (inv ke) rkd
        /\ tv p rp
        /\ rtdecr re rkd = Some rp .

    Definition tv_encr : Prop :=
      forall (p ke : Term) (re : rtval),
        tv (En p ke) re ->
        (encr_condition p ke re
         \/ decr_condition p ke re) .


   End termValProps.


  (** *** Main definition for termVals  *)

  Definition good_term_rtval (tv: rel Term rtval) :=
    tv_sorts tv
    /\ tv_functional tv
    /\ tv_pair tv
    /\ tv_hash tv
    /\ tv_key_pair tv
    /\ tv_encr tv
    /\ tv_qot tv
  .


End TermVal.

(** * Transcripts for roles, from termVals
 *)

(** the role is needed to express that the acions line up
*)
Definition transcript_for_role `{RTVal}
  (rl: Role) (tr : transcript) : Prop
  :=  exists (tv: rel Term rtval),
    good_term_rtval tv
    /\ List_mapR (Act_mapR tv) rl tr.