Giters

tamarin-prover / manual

Tamarin prover manual: source files

Home Page:https://tamarin-prover.github.io/manual

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Lemmas' definitions do not correspond to the text

dmahmo opened this issue · comments

commented

In page 75 (Tamarin's manual), in the authentication section, the formalization given of Lowe's specifications does not correspond to the text nor to Lowe's definition itself. For example, "we say that a protocol guarantees to an initiator aliveness of another agent if, whenever A (acting as initiator) completes a run of the protocol, apparently with responder B, then B has previously been running the protocol."

Whereas in "lemma aliveness":
lemma aliveness:
"All a b t #i. Commit(a, b, t)@i ==> (Ex id #j. Create(b, id) @j) ... "

There is no condition over i and j (no condition about the order of the actions). According to the text and to the definition given by Lowe, "B has previously been running the protocol", so at least one should test if j < i ( & (#j < #i) in the lemma).

My comment applies to Weak-Agreement and Non-Injective agreement as well.

commented

Hello, thanks for your report, but everything is fine here, no need for any change.

Note that j < i is always implicitly included here due to prefix-closedness. That is, for the formula to hold, the j on the right hand side must be before the i on the left-hand side, as otherwise we can look at the prefix of the trace ending at i, for which there would be no j, and thus violate the formula.

In the past we sometimes did explicitly add the time point relation you are wondering about, however it is just not necessary. Adding it could make reading formulas a bit easier at first, but clutters them a lot, so we do not add them usually. If you want to, you can add them to your own lemmas, and it will not make a difference to Tamarin.

commented

There is something to do here. First, the examples are inconsistent: injective authentication does have the j < i, whereas the others do not have it. Second, the fact that there is something implicit needs explication. (I am not sure whether prefix-closedness is the right term, but essentially, if a protocol does not ensure that the Running happens before the Commit, Tamarin can find an attack by just executing the Commit and stopping there. Hence the j < i is not necessary. )

Or maybe we should just put the j < i there as this does not hurt the verification?

(On a side note, there might also be a subtle difference between both versions when considering protocols with forced progress.)