Publication


Featured research published by Dusko Pavlovic.


Mathematical Structures in Computer Science | 2013

A new description of orthogonal bases

Bob Coecke; Dusko Pavlovic; Jamie Vicary

We show that an orthogonal basis for a finite-dimensional Hilbert space can be equivalently characterised as a commutative †-Frobenius monoid in the category FdHilb, which has finite-dimensional Hilbert spaces as objects and continuous linear maps as morphisms, and tensor product for the monoidal structure. The basis is normalised exactly when the corresponding commutative †-Frobenius monoid is special. Hence, both orthogonal and orthonormal bases are characterised without mentioning vectors, but just in terms of the categorical structure: composition of operations, tensor product and the †-functor. Moreover, this characterisation can be interpreted operationally, since the †-Frobenius structure allows the cloning and deletion of basis vectors. That is, we capture the basis vectors by relying on their ability to be cloned and deleted. Since this ability distinguishes classical data from quantum data, our result has important implications for categorical quantum mechanics.


IEEE Computer Security Foundations Symposium | 2001

A compositional logic for protocol correctness

Nancy A. Durgin; John C. Mitchell; Dusko Pavlovic

Abstract: We present a specialized protocol logic that is built around a process language for describing the actions of a protocol. In general terms, the relation between logic and protocol is like the relation between assertions in Floyd-Hoare logic and standard imperative programs. Like Floyd-Hoare logic, our logic contains axioms and inference rules for each of the main protocol actions and proofs are protocol-directed, meaning that the outline of a proof of correctness follows the sequence of actions in the protocol. We prove that the protocol logic is sound, in a specific sense: each provable assertion about an action or sequence of actions holds in any run of the protocol, under attack, in which the given actions occur. This approach lets us prove properties of protocols that hold in all runs, while explicitly reasoning only about the sequence of actions needed to achieve this property. In particular, no explicit reasoning about the potential actions of an attacker is required.


Ad Hoc Networks | 2007

Distance Bounding Protocols: Authentication Logic Analysis and Collusion Attacks

Catherine A. Meadows; Radha Poovendran; Dusko Pavlovic; LiWu Chang; Paul F. Syverson

In this paper we consider the problem of securely measuring distance between two nodes in a wireless sensor network. The problem of measuring distance has fundamental applications in both localization and time synchronization, and thus would be a prime candidate for subversion by hostile attackers. We give a brief overview and history of protocols for secure distance bounding. We also give the first full-scale formal analysis of a distance bounding protocol, and we also show how this analysis helps us to reduce message and cryptographic complexity without reducing security. Finally, we address the important open problem of collusion. We analyze existing techniques for collusion prevention, and show how they are inadequate for addressing the collusion problems in sensor networks. We conclude with some suggestions for further research.


IEEE Computer Security Foundations Symposium | 2003

A derivation system for security protocols and its logical formalization

Anupam Datta; Ante Derek; John C. Mitchell; Dusko Pavlovic

Many authentication and key exchange protocols are built using an accepted set of standard concepts such as Diffie-Hellman key exchange, nonces to avoid replay, certificates from an accepted authority, and encrypted or signed messages. We introduce a basic framework for deriving security protocols from such simple components. As a case study, we examine the structure of a family of key exchange protocols that includes station-to-station (STS), ISO-9798-3, just fast keying (JFK), IKE and related protocols, deriving all members of the family from two basic protocols using a small set of refinements and protocol transformations. As initial steps toward associating logical derivations with protocol derivations, we extend a previous security protocol logic with preconditions and temporal assertions. Using this logic, we prove the security properties of the standard signature based challenge-response protocol and the Diffie-Hellman key exchange protocol. The ISO-9798-3 protocol is then proved correct by composing the correctness proofs of these two simple protocols.


Formal Methods in Security Engineering | 2003

Secure protocol composition

Anupam Datta; Ante Derek; John C. Mitchell; Dusko Pavlovic

Modular composition of security mechanisms is complicated by the way that one mechanism may reveal information that interferes with the security of another. We develop methods for modular reasoning about security protocols, using before-after assertions and protocol invariants. The before-after assertions allow us to prove properties of a sequential composition of protocol steps and therefore enable construction of complex protocols from smaller sub-protocols. Invariants provide a mechanism for ensuring that sub-protocols which are individually secure do not interact insecurely when they are composed to construct a bigger protocol. The application of the method is demonstrated by giving modular formal proofs involving two standard protocols.


arXiv: Quantum Physics | 2009

Classical and quantum structuralism

Dusko Pavlovic

In recent work, symmetric dagger-monoidal (SDM) categories have emerged as a convenient categorical formalization of quantum mechanics. The objects represent physical systems, the morphisms physical operations, whereas the tensors describe composite systems. Classical data turn out to correspond to Frobenius algebras with some additional properties. They express the distinguishing capabilities of classical data: in contrast with quantum data, classical data can be copied and deleted. The algebraic approach thus shifts the paradigm of “quantization” of a classical theory to “classicization” of a quantum theory. Remarkably, the simple SDM framework suffices not only for this conceptual shift, but even allows us to distinguish the deterministic classical operations (i.e. functions) from the nondeterministic classical operations (i.e. relations), and the probabilistic classical operations (stochastic maps). Moreover, a combination of some basic categorical constructions (due to Kleisli, resp. Grothendieck) with the categorical presentations of quantum states, provides a resource sensitive account of various quantum-classical interactions: of classical control of quantum data, of classical data arising from quantum measurements, as well as of the classical data processing in between controls and measurements. A salient feature here is the graphical calculus for categorical quantum mechanics, which allows a purely diagrammatic representation of classical-quantum interaction.


IEEE Computer Security Foundations Symposium | 2005

An encapsulated authentication logic for reasoning about key distribution protocols

Iliano Cervesato; Catherine A. Meadows; Dusko Pavlovic

Authentication and secrecy properties are proved by very different methods: the former by local reasoning, leading to matching knowledge of all principals about the order of their actions, the latter by global reasoning towards the impossibility of knowledge of some data. Hence, proofs conceptually decompose in two parts, each encapsulating the other as an assumption. From this observation, we develop a simple logic of authentication that encapsulates secrecy requirements as assumptions. We apply it within the derivational framework to derive a large class of key distribution protocols based on the authentication properties of their components.


Logic in Computer Science | 1998

Calculus in coinductive form

Dusko Pavlovic; Martín Hötzel Escardó

Coinduction is often seen as a way of implementing infinite objects. Since real numbers are typical infinite objects, it may not come as a surprise that calculus, when presented in a suitable way, is permeated by coinductive reasoning. What is surprising is that mathematical techniques, recently developed in the context of computer science, seem to be shedding a new light on some basic methods of calculus. We introduce a coinductive formalization of elementary calculus that can be used as a tool for symbolic computation, and geared towards computer algebra and theorem proving. So far, we have covered parts of ordinary differential and difference equations, Taylor series, Laplace transform and the basics of the operator calculus.


European Symposium on Research in Computer Security | 2004

Deriving, Attacking and Defending the GDOI Protocol

Catherine A. Meadows; Dusko Pavlovic

As a part of a continued effort towards a logical framework for incremental reasoning about security, we attempted a derivational reconstruction of GDOI, the protocol proposed in IETF RFC 3547 for authenticated key agreement in group communication over IPsec. The difficulties encountered in deriving one of its authentication properties led us to derive an attack that had not surfaced in the previous extensive analyses of this protocol. The derivational techniques turned out to be helpful not only for constructing, analyzing and modifying protocols, but also attacks on them. We believe that the presented results demonstrate the point of the derivational approach, which tracks and formalizes the way protocols are designed informally: by refining and composing basic protocol components.


Automated Software Engineering | 2001

Composition and refinement of behavioral specifications

Dusko Pavlovic; Douglas R. Smith

This paper presents a mechanizable framework for specifying, developing, and reasoning about complex systems. The framework combines features from algebraic specifications, abstract state machines, and refinement calculus, all couched in a categorical setting. In particular, we show how to extend algebraic specifications to evolving specifications (especs) in such a way that composition and refinement operations extend to capture the dynamics of evolving, adaptive, and self-adaptive software development, while remaining efficiently computable. The framework is partially implemented in the Epoxi system.

Collaboration


Top Co-Authors

Catherine A. Meadows

United States Naval Research Laboratory

Anupam Datta

Carnegie Mellon University

Peter Pepper

Technical University of Berlin

Iliano Cervesato

Carnegie Mellon University
