on equivalences, metrics, and polynomial time · 2016-04-18 · traces itrace: asequenceofactionsl...

On Equivalences, Metrics, and Polynomial Time

Ugo Dal Lago(Joint work with Alberto Cappai)

DICE 2016, Eindhoven, April 2nd.

Disclaimer

In this talk:

I We give a few observations on the structureof some (pretty old!) security proofs.

I We show how techniques for programequivalence could be applied to ICCsystems.

I We do not define any new fancy technique forproving protocols secure;

I We do not study automation.

Proofs by Reduction

Property(Φ)def= (∀D.PPT (D)⇒ Pr(Success(D | Φ)) = negl(n)) .

Assumption(Φ) ⇒ Security(Π)

ExamplesOneWay(f) ⇒ PRG(G)PRG(G) ⇒ IND(Π)

Proofs by Reduction

Property(Φ)def= (∀D.PPT (D)⇒ Pr(Success(D | Φ)) = negl(n)) .

Assumption(Φ) ⇒ Security(Π)

ExamplesOneWay(f) ⇒ PRG(G)PRG(G) ⇒ IND(Π)

Proofs by Reduction

Property(Φ)def= (∀D.PPT (D)⇒ Pr(Success(D | Φ)) = negl(n)) .

Assumption(Φ) ⇒ Security(Π)

ExamplesOneWay(f) ⇒ PRG(G)PRG(G) ⇒ IND(Π)

Proofs by Reduction

Property(Φ)def= (∀D.PPT (D)⇒ Pr(Success(D | Φ)) = negl(n)) .

Assumption(Φ) ⇒ Security(Π)

ExamplesOneWay(f) ⇒ PRG(G)PRG(G) ⇒ IND(Π)

Proofs by Reduction

Property(Φ)def= (∀D.PPT (D)⇒ Pr(Success(D | Φ)) = negl(n)) .

Assumption(Φ) ⇒ Security(Π)

ExamplesOneWay(f) ⇒ PRG(G)PRG(G) ⇒ IND(Π)

Proofs by Reduction

D

Proofs by Reduction

DE

Proofs by Reduction

DE D

D

M

N

6≈

Proofs by Reduction

DE D

D

M

N

6≈

E

E

L

P

6≈=⇒

Game-Based Proofs

D

D

M

N

6≈

E

E

L

P

6≈=⇒

Game-Based Proofs

D

D

M

N

6≈

E

E

L

P

≈

≈

An Alternative Viewpoint

DE

An Alternative Viewpoint

E

An Alternative Viewpoint

1. Introduce a λ-calculus RSLR, and prove it complete forprobabilistic polynomial-time computation[Zhang10,DLPT11].

DM D[M ]

2. Define a notion a notion of equivalence close enough tocomputational indistinguishability.

3. Prove an appropriate context lemma in the form offull-abstraction for trace equivalence.

RSLR in One Slide

I Terms and Values:

t ::= x | v | 0(t) | 1(t) | tail(t) | tt | caseA(t, t, t, t) |recA(t, t, t, t) | rand;

v ::= m | λx : aA.t;

I Types: A ::= Str | �A→ A | �A→ A.I Type System’s Main Ingredients:

I Higher-order terms cannot be duplicated, while strings can.I Recursion can only be performed on �-free types [BC92].

Theorem (Polytime Completeness)The set of probabilistic functions which can be computed byRSLR terms coincides with the polytime computable ones.

RSLR in One Slide

I Terms and Values:

t ::= x | v | 0(t) | 1(t) | tail(t) | tt | caseA(t, t, t, t) |recA(t, t, t, t) | rand;

v ::= m | λx : aA.t;

I Types: A ::= Str | �A→ A | �A→ A.I Type System’s Main Ingredients:

I Higher-order terms cannot be duplicated, while strings can.I Recursion can only be performed on �-free types [BC92].

Theorem (Polytime Completeness)The set of probabilistic functions which can be computed byRSLR terms coincides with the polytime computable ones.

RSLR in One Slide

I Terms and Values:

t ::= x | v | 0(t) | 1(t) | tail(t) | tt | caseA(t, t, t, t) |recA(t, t, t, t) | rand;

v ::= m | λx : aA.t;

I Types: A ::= Str | �A→ A | �A→ A.I Type System’s Main Ingredients:

I Higher-order terms cannot be duplicated, while strings can.I Recursion can only be performed on �-free types [BC92].

Theorem (Polytime Completeness)The set of probabilistic functions which can be computed byRSLR terms coincides with the polytime computable ones.

RSLR in One Slide

I Terms and Values:

t ::= x | v | 0(t) | 1(t) | tail(t) | tt | caseA(t, t, t, t) |recA(t, t, t, t) | rand;

v ::= m | λx : aA.t;

I Types: A ::= Str | �A→ A | �A→ A.I Type System’s Main Ingredients:

I Higher-order terms cannot be duplicated, while strings can.I Recursion can only be performed on �-free types [BC92].

Theorem (Polytime Completeness)The set of probabilistic functions which can be computed byRSLR terms coincides with the polytime computable ones.

How Should we Compare Terms in RSLR?

I An equivalence relation: R ⊆ TA × TA.I This is the traditional approach.I It is pervasive, even in probabilistic λ-calculi

[JonesPlotkin90,DanosHarmer00,. . . ].I Too discriminating (e.g., tt vs. tt⊕ε ff).

I A metric: δ : TA × TA → R.I How to define it? How could one compare two terms in such

a way that their distance reflects their behaviour?I Not much is known [CrübilléDL2015].

I A parametric equivalence relation:R ⊆ TN→A × TN→A.

I The kind of concept one needs in cryptography.

How Should we Compare Terms in RSLR?

I An equivalence relation: R ⊆ TA × TA.I This is the traditional approach.I It is pervasive, even in probabilistic λ-calculi

[JonesPlotkin90,DanosHarmer00,. . . ].I Too discriminating (e.g., tt vs. tt⊕ε ff).

I A metric: δ : TA × TA → R.I How to define it? How could one compare two terms in such

a way that their distance reflects their behaviour?I Not much is known [CrübilléDL2015].

I A parametric equivalence relation:R ⊆ TN→A × TN→A.

I The kind of concept one needs in cryptography.

How Should we Compare Terms in RSLR?

I An equivalence relation: R ⊆ TA × TA.I This is the traditional approach.I It is pervasive, even in probabilistic λ-calculi

[JonesPlotkin90,DanosHarmer00,. . . ].I Too discriminating (e.g., tt vs. tt⊕ε ff).

I A metric: δ : TA × TA → R.I How to define it? How could one compare two terms in such

a way that their distance reflects their behaviour?I Not much is known [CrübilléDL2015].

I A parametric equivalence relation:R ⊆ TN→A × TN→A.

I The kind of concept one needs in cryptography.

Part I

Equivalences

Contexts

I Contexts:

C ::= t | [·] | λx.C | Ct | tC | 0(C) | 1(C) | tail(C)

| caseA(C, t, t, t) | caseA(t, C, C,C) | recA(C, t, t, t).

I Notice that we are working with linear contexts!I One can easily define a formal system for judgements in the

form Γ ` C[` A], with the obvious meaning.

Definition (Context Equivalence)Given two terms t, s such that ` t, s : A, we say that t and s arecontext equivalent iff for every context C such that` C[` A] : Str we have that JC[t]K(ε) = JC[s]K(ε).

Contexts

I Contexts:

C ::= t | [·] | λx.C | Ct | tC | 0(C) | 1(C) | tail(C)

| caseA(C, t, t, t) | caseA(t, C, C,C) | recA(C, t, t, t).

I Notice that we are working with linear contexts!I One can easily define a formal system for judgements in the

form Γ ` C[` A], with the obvious meaning.

Definition (Context Equivalence)Given two terms t, s such that ` t, s : A, we say that t and s arecontext equivalent iff for every context C such that` C[` A] : Str we have that JC[t]K(ε) = JC[s]K(ε).

Contexts

I Contexts:

C ::= t | [·] | λx.C | Ct | tC | 0(C) | 1(C) | tail(C)

| caseA(C, t, t, t) | caseA(t, C, C,C) | recA(C, t, t, t).

I Notice that we are working with linear contexts!I One can easily define a formal system for judgements in the

form Γ ` C[` A], with the obvious meaning.

Definition (Context Equivalence)Given two terms t, s such that ` t, s : A, we say that t and s arecontext equivalent iff for every context C such that` C[` A] : Str we have that JC[t]K(ε) = JC[s]K(ε).

Traces

I Trace: a sequence of actions l1 · l2 · . . . · ln such thatli ∈ {pass(v), view(m) | v ∈ V,m ∈ VStr}.

I Compatibility: the trace T is compatible A iff

T =

view(m) if A = Str;

pass(v) · S if A = aB → C, v ∈ VB and S is com-patible with C.

.

I Example: a term of type A = aStr→ bStr → Str requiresa trace like T = pass(m1) · pass(m2) · view(m).

DefinitionGiven two terms t, s we say that they are trace equivalent (andwe write t 'T s) if, for all traces T it holds thatPr(t,T) = Pr(s,T).

Full Abstraction

TheoremContext and trace equivalences coincide, i.e., for all t, s:t ≡ s ⇐⇒ t 'T s.

I This theorem cannot be proved by a simple induction (e.g.on contexts).

I We need a stronger invariant. . .I . . . which in turns requires some auxiliary concepts to be

introduced:I Term Distributions.I Context pairs and their semantics.

Full Abstraction

TheoremContext and trace equivalences coincide, i.e., for all t, s:t ≡ s ⇐⇒ t 'T s.

I This theorem cannot be proved by a simple induction (e.g.on contexts).

I We need a stronger invariant. . .I . . . which in turns requires some auxiliary concepts to be

introduced:I Term Distributions.I Context pairs and their semantics.

Full Abstraction

TheoremContext and trace equivalences coincide, i.e., for all t, s:t ≡ s ⇐⇒ t 'T s.

I This theorem cannot be proved by a simple induction (e.g.on contexts).

I We need a stronger invariant. . .I . . . which in turns requires some auxiliary concepts to be

introduced:I Term Distributions.I Context pairs and their semantics.

Full Abstraction

TheoremContext and trace equivalences coincide, i.e., for all t, s:t ≡ s ⇐⇒ t 'T s.

I This theorem cannot be proved by a simple induction (e.g.on contexts).

I We need a stronger invariant. . .I . . . which in turns requires some auxiliary concepts to be

introduced:I Term Distributions.I Context pairs and their semantics.

Term Distribution Labelled Semantics

T ⇒ε TT ⇒S {(λx.ti)pi}

T ⇒S·pass(v) {(ti{v/x})pi}T ⇒S S SV U

T ⇒S U

T ⇒S {(mi)pi}

T 7→S·view(m) ∑mi=m

pi

t→ {(ti)pi}T + {(t)p}V T + {(ti)p·pi}

I Further Generalization: same semantics, but on pairs inthe form (C,T).

I The Invariant: Two distributions P,Q on pairs (C,T) arerelated (written POQ) iff

P =

n∑i=1

pi · (Ci,Ti); Q =

n∑i=1

pi · (Ci, Si);

and Ti and Si are trace equivalent (for 1 ≤ i ≤ n).

Applicative Bisimilarity

I Trace equivalence does not really allow to get rid of theuniversal quantification on all contexts.

I Contexts, however, become traces, which have a nicerstructure.

I How about bisimulation [Abramsky90]?I Following [DLSangioriAlberti14,CrubilléDL14], one can

indeed:I See RSLR as a labelled Markov chain.I Define a notion of probabilistic bisimulation [LarsenSkou92]

over it.I Prove congruence (and soundness) of bisimilarity, using

Howe’s method.I Bisimilarity is not complete, because RSLR terms do not

have the expressive power which is necessary to simulate alltests [vBMMO04].

Applicative Bisimilarity

I Trace equivalence does not really allow to get rid of theuniversal quantification on all contexts.

I Contexts, however, become traces, which have a nicerstructure.

I How about bisimulation [Abramsky90]?I Following [DLSangioriAlberti14,CrubilléDL14], one can

indeed:I See RSLR as a labelled Markov chain.I Define a notion of probabilistic bisimulation [LarsenSkou92]

over it.I Prove congruence (and soundness) of bisimilarity, using

Howe’s method.I Bisimilarity is not complete, because RSLR terms do not

have the expressive power which is necessary to simulate alltests [vBMMO04].

Applicative Bisimilarity

I Trace equivalence does not really allow to get rid of theuniversal quantification on all contexts.

I Contexts, however, become traces, which have a nicerstructure.

I How about bisimulation [Abramsky90]?I Following [DLSangioriAlberti14,CrubilléDL14], one can

indeed:I See RSLR as a labelled Markov chain.I Define a notion of probabilistic bisimulation [LarsenSkou92]

over it.I Prove congruence (and soundness) of bisimilarity, using

Howe’s method.I Bisimilarity is not complete, because RSLR terms do not

have the expressive power which is necessary to simulate alltests [vBMMO04].

Part II

Metrics

From Equivalences to Metrics

I Context Metric:δCA (t, s) = sup`C[`A]:Str|JC[t]K(ε)− JC[s]K(ε)|.

I This is a pseudometric:

δC(t, t) = 0;

δC(t, s) = δC(s, t);

δC(t, r) ≤ δC(t, s) + δC(s, r).

I δC(t, s) = 0 iff t and s are contxt equivalent.I Trace Metric: δTA (t, s) = supT:A|Pr(t,T)− Pr(s,T)|.I The notion of a trace stays the same?

I No!I The action view(·) must be performed on finite sets of

strings rather than on single strings.I This is necessary to manage the case and rec constructs.I Consider, e.g., contexts in the form (λx.t)[·], where t tests

the value of x in many different ways.

From Equivalences to Metrics

I Context Metric:δCA (t, s) = sup`C[`A]:Str|JC[t]K(ε)− JC[s]K(ε)|.

I This is a pseudometric:

δC(t, t) = 0;

δC(t, s) = δC(s, t);

δC(t, r) ≤ δC(t, s) + δC(s, r).

I δC(t, s) = 0 iff t and s are contxt equivalent.I Trace Metric: δTA (t, s) = supT:A|Pr(t,T)− Pr(s,T)|.I The notion of a trace stays the same?

I No!I The action view(·) must be performed on finite sets of

strings rather than on single strings.I This is necessary to manage the case and rec constructs.I Consider, e.g., contexts in the form (λx.t)[·], where t tests

the value of x in many different ways.

From Equivalences to Metrics

I Context Metric:δCA (t, s) = sup`C[`A]:Str|JC[t]K(ε)− JC[s]K(ε)|.

I This is a pseudometric:

δC(t, t) = 0;

δC(t, s) = δC(s, t);

δC(t, r) ≤ δC(t, s) + δC(s, r).

I δC(t, s) = 0 iff t and s are contxt equivalent.I Trace Metric: δTA (t, s) = supT:A|Pr(t,T)− Pr(s,T)|.I The notion of a trace stays the same?

I No!I The action view(·) must be performed on finite sets of

strings rather than on single strings.I This is necessary to manage the case and rec constructs.I Consider, e.g., contexts in the form (λx.t)[·], where t tests

the value of x in many different ways.

From Equivalences to Metrics

I Context Metric:δCA (t, s) = sup`C[`A]:Str|JC[t]K(ε)− JC[s]K(ε)|.

I This is a pseudometric:

δC(t, t) = 0;

δC(t, s) = δC(s, t);

δC(t, r) ≤ δC(t, s) + δC(s, r).

I δC(t, s) = 0 iff t and s are contxt equivalent.I Trace Metric: δTA (t, s) = supT:A|Pr(t,T)− Pr(s,T)|.I The notion of a trace stays the same?

I No!I The action view(·) must be performed on finite sets of

strings rather than on single strings.I This is necessary to manage the case and rec constructs.I Consider, e.g., contexts in the form (λx.t)[·], where t tests

the value of x in many different ways.

From Equivalences to Metrics

I Context Metric:δCA (t, s) = sup`C[`A]:Str|JC[t]K(ε)− JC[s]K(ε)|.

I This is a pseudometric:

δC(t, t) = 0;

δC(t, s) = δC(s, t);

δC(t, r) ≤ δC(t, s) + δC(s, r).

I δC(t, s) = 0 iff t and s are contxt equivalent.I Trace Metric: δTA (t, s) = supT:A|Pr(t,T)− Pr(s,T)|.I The notion of a trace stays the same?

I No!I The action view(·) must be performed on finite sets of

strings rather than on single strings.I This is necessary to manage the case and rec constructs.I Consider, e.g., contexts in the form (λx.t)[·], where t tests

the value of x in many different ways.

From Equivalences to Metrics

Theorem (Full Abstraction)Context and trace metrics coincide, i.e., for all t, s:δC(t, s) = δT (t, s).

I How do we get this result?I The structure of the proof is similar to the one for

equivalences.I What plays the rôle of O is Oε, a notion of equivalence

parametrized by ε > 0.

Part III

Parametrized Equivalences

Computational Indistinguishability (CI)

DefinitionTwo distribution ensembles {Dn}n∈N and {En}n∈N (where bothDn and En are distributions on binary strings) are said to becomputationally indistinguishable iff for every PPT algorithm A

the following quantity is a negligible function of n ∈ N:

|Prx←Dn(A(x, 1n) = ε)− Prx←En(A(x, 1n) = ε)| .

I This is a key notion in modern cryptography. As anexample, pseudorandomness is a form of CI.

I The algorithm A can be assumed to sample from x justonce without altering the definition itself (provided the twoinvolved ensembles are efficiently computable)

Computational Indistinguishability (CI)

DefinitionTwo distribution ensembles {Dn}n∈N and {En}n∈N (where bothDn and En are distributions on binary strings) are said to becomputationally indistinguishable iff for every PPT algorithm A

the following quantity is a negligible function of n ∈ N:

|Prx←Dn(A(x, 1n) = ε)− Prx←En(A(x, 1n) = ε)| .

I This is a key notion in modern cryptography. As anexample, pseudorandomness is a form of CI.

I The algorithm A can be assumed to sample from x justonce without altering the definition itself (provided the twoinvolved ensembles are efficiently computable)

Parametric Context Equivalence (PCE)

I Two Observataions:1. While context distance is an absolute notion of distance,

CI depends on a parameter n, the so-called securityparameter.

2. In computational indistinguishability, one can comparedistributions over strings, while the context distance canevaluate how far terms of arbitrary types are.

I One is lead, quite naturally, to the following definition:

Definition (Parametric Context Equivalence)

Given two terms t, s such that ` t, s : aStr→ A, we say that tand s are parametrically context equivalent iff for every contextC such that ` C[` A] : Str we have that|JC[t1n]K(ε)− JC[s1n]K(ε)| is negligible in n.

Parametric Context Equivalence (PCE)

I Two Observataions:1. While context distance is an absolute notion of distance,

CI depends on a parameter n, the so-called securityparameter.

2. In computational indistinguishability, one can comparedistributions over strings, while the context distance canevaluate how far terms of arbitrary types are.

I One is lead, quite naturally, to the following definition:

Definition (Parametric Context Equivalence)

Given two terms t, s such that ` t, s : aStr→ A, we say that tand s are parametrically context equivalent iff for every contextC such that ` C[` A] : Str we have that|JC[t1n]K(ε)− JC[s1n]K(ε)| is negligible in n.

CI vs. PCE

TheoremLet t, s be two terms of type aStr→ Str. Then t, s are parametriccontext equivalent iff the distribution ensembles {Jt1nK}n∈N and{Js1nK}n∈N are computationally indistinguishable.

I This only holds for base types.I How about higher-order types?

I The literature of cryptography does not offer a precisedefinition of higher-order CI.

I Sometimes it is necessary to enforce linear access tocryptographic primitives. (e.g. security for passiveadversaries).

I Sometime, taking multiple accesses is necessary (e.g. inpseudorandom functions).

CI vs. PCE

TheoremLet t, s be two terms of type aStr→ Str. Then t, s are parametriccontext equivalent iff the distribution ensembles {Jt1nK}n∈N and{Js1nK}n∈N are computationally indistinguishable.

I This only holds for base types.I How about higher-order types?

I The literature of cryptography does not offer a precisedefinition of higher-order CI.

I Sometimes it is necessary to enforce linear access tocryptographic primitives. (e.g. security for passiveadversaries).

I Sometime, taking multiple accesses is necessary (e.g. inpseudorandom functions).

Parametric Trace Equivalence

I Contexts test families of terms rather than terms.I The action view(·) takes in input closed RSLR terms

D : aStr→ Str, that we call distinguishers.

DefinitionTwo terms t, s : aStr→ A are parametrically trace equivalent,and we write t 'T

n s, iff for every trace T which is parametricallycompatible with A, there is a negligible function ε : N→ R[0,1]

such that |Pr(t, pass(1n) · T)− Pr(s, pass(1n) · T)| ≤ ε(n).

TheoremParametric trace equivalence and parametric context equivalencecoincide.

Parametric Trace Equivalence

I Contexts test families of terms rather than terms.I The action view(·) takes in input closed RSLR terms

D : aStr→ Str, that we call distinguishers.

DefinitionTwo terms t, s : aStr→ A are parametrically trace equivalent,and we write t 'T

n s, iff for every trace T which is parametricallycompatible with A, there is a negligible function ε : N→ R[0,1]

such that |Pr(t, pass(1n) · T)− Pr(s, pass(1n) · T)| ≤ ε(n).

TheoremParametric trace equivalence and parametric context equivalencecoincide.

Parametric Trace Equivalence

I Contexts test families of terms rather than terms.I The action view(·) takes in input closed RSLR terms

D : aStr→ Str, that we call distinguishers.

DefinitionTwo terms t, s : aStr→ A are parametrically trace equivalent,and we write t 'T

n s, iff for every trace T which is parametricallycompatible with A, there is a negligible function ε : N→ R[0,1]

such that |Pr(t, pass(1n) · T)− Pr(s, pass(1n) · T)| ≤ ε(n).

TheoremParametric trace equivalence and parametric context equivalencecoincide.

An Example

I Let’s consider these two terms:

t = λn.(λk.λx.λy.ENC(xn, k))GEN(n);

s = λn.(λk.λx.λy.ENC(yn, k))GEN(n);

` t, s : �Str→ (�Str→ Str)→ (�Str→ Str)→ Str;

where ENC(x, k) = x⊕G(k) and G is a pseudorandomgenerator.

I We know that G is pseudorandom iff, given a source ofrandomness R, it holds that G ' R.

I We would like to show that if G ' R, then t ' s.

An Example

An Example

An Example

An Example

I Suppose now that t 6' s.I Then there exists a trace T such that:|Pr(t, pass(1n) · T)− Pr(s, pass(1n) · T)| is not negligible,where T = pass(v) · pass(u) · view(D).

I If this is true we can easily construct a trace S such that|Pr(G, pass(1n) · S)− Pr(R, pass(1n) · S)| is itself notnegligible.

I As a consequence, G 6'T R;I And this is a contradiction.I The trace S only consists of a distinguisher E, which can be

built out of v, u and D:

E = λx.if rand then (D(x⊕ v(i`x))) else (D(x⊕ u(i`x)))

An Example

I Suppose now that t 6' s.I Then there exists a trace T such that:|Pr(t, pass(1n) · T)− Pr(s, pass(1n) · T)| is not negligible,where T = pass(v) · pass(u) · view(D).

I If this is true we can easily construct a trace S such that|Pr(G, pass(1n) · S)− Pr(R, pass(1n) · S)| is itself notnegligible.

I As a consequence, G 6'T R;I And this is a contradiction.I The trace S only consists of a distinguisher E, which can be

built out of v, u and D:

E = λx.if rand then (D(x⊕ v(i`x))) else (D(x⊕ u(i`x)))

Challenges

1. Handling PairsI If we endow the language with a tensor product A⊗B, the

structure of traces becomes much more complicated.I Projection actions are simply not sound!I We would be able to handle protocols, and not only

primitives.2. Handling Copying

I Linear contexts are not adequate when modeling adversarieshaving access to oracles.

I RSLR is not complete for type-2 polytime complexity!3. Higher-Order Pseudorandomness?

I Cryptographers are only interested in ground and first-orderpseudorandomness.

I Parametric equivalences make sense at every type. But theyare too lax.

I But, again, what if we have a calculus which is complete forhigher-order polynomial time?

Challenges

1. Handling PairsI If we endow the language with a tensor product A⊗B, the

structure of traces becomes much more complicated.I Projection actions are simply not sound!I We would be able to handle protocols, and not only

primitives.2. Handling Copying

I Linear contexts are not adequate when modeling adversarieshaving access to oracles.

I RSLR is not complete for type-2 polytime complexity!3. Higher-Order Pseudorandomness?

I Cryptographers are only interested in ground and first-orderpseudorandomness.

I Parametric equivalences make sense at every type. But theyare too lax.

I But, again, what if we have a calculus which is complete forhigher-order polynomial time?

Challenges

1. Handling PairsI If we endow the language with a tensor product A⊗B, the

structure of traces becomes much more complicated.I Projection actions are simply not sound!I We would be able to handle protocols, and not only

primitives.2. Handling Copying

I Linear contexts are not adequate when modeling adversarieshaving access to oracles.

I RSLR is not complete for type-2 polytime complexity!3. Higher-Order Pseudorandomness?

I Cryptographers are only interested in ground and first-orderpseudorandomness.

I Parametric equivalences make sense at every type. But theyare too lax.

I But, again, what if we have a calculus which is complete forhigher-order polynomial time?

Why Pairs?

A → B

B → C

C → A

A → C

tA :Str⊗ (Str( Str)tB :Str( StrtC :Str( Str⊗ (Str( Str)

C[·A, ·B, ·C ]

Why Pairs?

A → B

B → C

C → A

A → C

tA :Str⊗ (Str( Str)tB :Str( StrtC :Str( Str⊗ (Str( Str)

C[·A, ·B, ·C ]

Why Pairs?

A → B

B → C

C → A

A → C

tA :Str⊗ (Str( Str)tB :Str( StrtC :Str( Str⊗ (Str( Str)

C[·A, ·B, ·C ]

Why Modalities?

Pseudorandom Functions:

Str( Str ⊗ !p(Str( Str)

CPA-IND

Str( Str ⊗ !p(Str( Str) ⊗ (Str⊗ Str( Str)

Why Modalities?

Pseudorandom Functions:

Str( Str ⊗ !p(Str( Str)

CPA-IND

Str( Str ⊗ !p(Str( Str) ⊗ (Str⊗ Str( Str)

Thank You!

Questions?