Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lemmas' definitions do not correspond to the text #96

Open
dmahmo opened this issue Jan 9, 2023 · 2 comments
Open

Lemmas' definitions do not correspond to the text #96

dmahmo opened this issue Jan 9, 2023 · 2 comments

Comments

@dmahmo
Copy link

dmahmo commented Jan 9, 2023

In page 75 (Tamarin's manual), in the authentication section, the formalization given of Lowe's specifications does not correspond to the text nor to Lowe's definition itself. For example, "we say that a protocol guarantees to an initiator aliveness of another agent if, whenever A (acting as initiator) completes a run of the protocol, apparently with responder B, then B has previously been running the protocol."

Whereas in "lemma aliveness":
lemma aliveness:
"All a b t #i. Commit(a, b, t)@i ==> (Ex id #j. Create(b, id) @j) ... "

There is no condition over i and j (no condition about the order of the actions). According to the text and to the definition given by Lowe, "B has previously been running the protocol", so at least one should test if j < i ( & (#j < #i) in the lemma).

My comment applies to Weak-Agreement and Non-Injective agreement as well.
@rsasse
Copy link
Member

rsasse commented Jan 9, 2023

Hello, thanks for your report, but everything is fine here, no need for any change.

Note that j < i is always implicitly included here due to prefix-closedness. That is, for the formula to hold, the j on the right hand side must be before the i on the left-hand side, as otherwise we can look at the prefix of the trace ending at i, for which there would be no j, and thus violate the formula.

In the past we sometimes did explicitly add the time point relation you are wondering about, however it is just not necessary. Adding it could make reading formulas a bit easier at first, but clutters them a lot, so we do not add them usually. If you want to, you can add them to your own lemmas, and it will not make a difference to Tamarin.

@rsasse rsasse closed this as completed Jan 9, 2023
@jdreier
Copy link
Member

jdreier commented Jan 9, 2023

There is something to do here. First, the examples are inconsistent: injective authentication does have the j < i, whereas the others do not have it. Second, the fact that there is something implicit needs explication. (I am not sure whether prefix-closedness is the right term, but essentially, if a protocol does not ensure that the Running happens before the Commit, Tamarin can find an attack by just executing the Commit and stopping there. Hence the j < i is not necessary. )

Or maybe we should just put the j < i there as this does not hurt the verification?

(On a side note, there might also be a subtle difference between both versions when considering protocols with forced progress.)

@jdreier jdreier reopened this Jan 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rsasse @jdreier @dmahmo