On Interdependence of Secrets in Collaboration Networks

Sara Miner MoreDepartment of Mathematics and Computer Science

McDaniel College, Westminster, Maryland 21157, USAsmore@mcdaniel.edu

Pavel NaumovDepartment of Mathematics and Computer Science

McDaniel College, Westminster, Maryland 21157, USApnaumov@mcdaniel.edu

Abstract

The paper proposes Logic of Secrets in Collabo-ration Networks, a formal logical system for rea-soning about a set of secrets established over afixed configuration of communication channels.The system’s key feature, a multi-channel rela-tion called independence, is a generalization ofa two-channel relation known in the literature asnondeducibility. The main result is the complete-ness of the proposed system with respect to a se-mantics of secrets.

1 Introduction

Suppose several parties are connected by communicationchannels that form a network with a fixed topology. In thissetting, which we call a collaboration network, a pair ofparties connected by a channel uses this channel to estab-lish a secret. If the pairs of parties establish their secretscompletely independently from other pairs, then possessionof one or several of these secrets reveals no informationabout the other secrets. Assume, however, that secrets arenot picked completely independently. Instead, each partywith access to multiple channels may enforce some desiredinterdependency between the secrets it shares with otherparties. These “local” interdependencies between secretsknown to a single party may result in a “global” interdepen-dency between several secrets, not all of which are knownto any single party. Given the fixed topology of the collab-oration network, we study what global interdependenciesbetween secrets may exist in the system.

Q RP Sa d

b

c

Figure 1: Collaboration network G1.

Consider, for example, the collaboration network depictedin Figure 1. Suppose that the parties collaborate accordingto the following protocol. Party P picks a random value afrom {0, 1} and sends it to party Q. Party Q picks values band c from {0, 1} in such a way that a = b+ c mod 2 andsends both of these values toR. PartyR computes d = b+cmod 2 and sends value d to party S. In this protocol, it isclear that the values of a and d will always match. We viewa, b, c, and d as secrets, conditions a = b + c mod 2 andd = b + c mod 2 as local interdependencies, and condi-tion a = d mod 2 as a global interdependency. Note thatin the above example, all channels transmit secret messagesin one direction and, thus, the channel network forms a di-rected graph. However, in the more general setting, twoparties might establish the value of a secret through a dialogover their communication channel, with messages travelingin both directions. Thus, in general, we will not assume anyspecific direction on a channel.

If two or more secrets are not interdependent, then we willsay that they are independent. (A formal definition of in-dependence will be given in Definition 5.) In the logicalsystem presented in this paper we use independence, notinterdependence, as the basic notion simply because it pro-duces a slightly more elegant system. Another way to de-fine independence is to say that secrets are independent ifany values of these secrets that can occur in the protocolcan also occur simultaneously. For example, secrets a andb in the above protocol are independent, but secrets a and dare not. Furthermore, although secrets a, b, c in the aboveprotocol are all pairwise independent, the three secrets con-sidered together are not independent.

The independence examples that we have given so far arefor a single protocol, subject to a particular set of local in-terdependencies between secrets. If the topology remainsfixed, but the protocol is changed, then secrets which werepreviously independent could become interdependent, andvice versa. In this paper, however, we study the indepen-dence of secrets that follow from the topological structureof the network of channels, no matter which specific proto-col is used.

208Copyright is held by the author/owner(s). TARK ’09, July 6-8, 2009, California ISBN: 978-1-60558-560-4...$10.00

Q RbP Sa c

Figure 2: [a, b] → [a, c] holds on G2.

For example, it is relatively easy to see that for the graphG2 in Figure 2, if secrets a and b are independent, then se-crets a and c are also independent, regardless of the pro-tocol used. This is a property of the network topology,not of the protocol. We say that [a, b] → [a, c] is trueon topology G2, where [a, b] is our notation for the inde-pendence of secrets a and b. Another less obvious prop-erty of independence is true for graph G1 which definesthe network topology in Figure 1, namely, if channels a,b, and c are independent, then channels a and d are inde-pendent: that is, [a, b, c] → [a, d] is true on G1. As a finalexample, consider graph G3 in Figure 3, where the prop-erty [b, c] → ([a, e] → [a, d]) holds. In Section 6, we willprove each of these claims.

Q SP TRa b c d

e

Figure 3: [a, e] → ([b, c] → [a, d]) holds on G3.

In this paper, we present a logic that describes the indepen-dence properties of any network topology. The deductivesystem for this logic operates with binary relation G ` φ,where G is a graph that specifies a network topology, andφ is a propositional statement about secret independence.Our key results are the soundness and completeness of thisdeductive system with respect to the intended protocol se-mantics. It is interesting to note that one of the inferencerules of this deductive system modifies not only a formulaφ, but the graph G as well. The formulas in this logic cap-ture properties of a fixed topology, but the logic itself mod-ifies the topology as part of a derivation. This makes ourformal system very different from the traditional deductivesystems in mathematical logic.

Our work is related to the study of information flow. Mostof the literature in this area, however, studies informationflow from the language-based [8, 1] or probabilistic [4, 5]points of view. Historically ([6], page 185), one of the firstattempts to capture independence in our sense was under-taken by Goguen and Meseguer [3] through their notionof noninterference between two computing devices. Later,Sutherland [9] introduced a no information flow relation,which is essentially our independence relation restricted totwo-element sets. This relation has since become knownin the literature as nondeducibility. Cohen [2] presenteda related notion called strong dependence. Unlike nonde-ducibility, however, the strong dependence relation is notsymmetric. More recently, Halpern and O’Neill [5] intro-duced f -secrecy to reason about multiparty protocols. The

f -secrecy predicate is a version of nondeducibility that canrefer to a value of a certain function of the secret ratherthan the secret itself. However, all of these works focus onthe application of the independence relation in the analysisof secure protocols, whereas the main focus of our workis on logical properties of the relation itself. In a relatedwork [7], we consider a version of the independence rela-tion of the form [A,B], where A and B are not just secrets,but sets of secrets. However, our results in this more gen-eral case are restricted to complete graphs.

2 Protocol: A Formal Definition

Throughout this paper, we assume a fixed infinite alphabetof variables a, b, . . . , that we refer to as “secret variables”.By a network topology we mean a graph whose edges, or“channels”, are labeled by secret variables. We allow mul-tiple edges and loops. The set of all channels of graph Gwill be denoted by Ch(G). One channel may have sev-eral labels, but the same label can be assigned to only onechannel. Given this, we will often informally refer to “thechannel labeled with a” as simply “channel a”.

Definition 1 A semi-protocol over a graph G is a pair〈V,L〉 such that

1. V (c) is an arbitrary set of “values” for each channelc ∈ Ch(G),

2. L = {Lp}p∈P is a family of predicates, indexed byparties of the graph G, which we call “local condi-tions”. If c1, . . . ck is the list of all channels incidentwith party p, then Lp is a predicate on V (c1)× · · · ×V (ck).

Definition 2 A run of a semi-protocol 〈V,L〉 is a functionr such that

1. r(c) ∈ V (c) for any channel c ∈ Ch(G),

2. If c1, . . . ck is the list of all channels incident withparty p ∈ P , then Lp(r(c1), . . . , r(ck)) is true.

Definition 3 A protocol is any semi-protocol that has atleast one run.

The set of all runs of a protocol P is denoted by R(P).

Definition 4 A protocol P = 〈V,L〉 is called finite if theset V (c) is finite for any c ∈ Ch(G).

We conclude this section with the key definition of this pa-per. It is a multi-argument version of Sutherland’s binarynondeducibility predicate that we call independence.

Definition 5 A set of channels Q = {q1, . . . , qk} is calledindependent under protocol P if for any runs r1, . . . , rk ∈R(P) there is a run r ∈ R(P) such that r(qi) = ri(qi) forany i ∈ {1, . . . , k}.

209

3 Language of Secrets

Informally, by Φ(G), we denote the set of all properties ofsecrets in graphG. Formally, Φ(G) is a minimal set definedrecursively as follows: (i) for any finite set of secret vari-ables {a1, . . . , an} ⊆ Ch(G), [a1, . . . , an] ∈ Φ(G), (ii)the false constant ⊥ ∈ Φ(G), and (iii) for any formulas φand ψ ∈ Φ(G), the implication φ→ ψ ∈ Φ(G). As usual,we assume that conjunction, disjunction, and negation aredefined through → and ⊥.

Next, for any graph G, we define a relation denoted by �.Informally, P � φ means that formula φ is true under pro-tocol P over graph G.

Definition 6 For any protocol P over a graph G, and anyformula φ ∈ Φ(G) , we define the relation P � φ recur-sively as follows:

1. P 2 ⊥,

2. P � [a1, . . . , an] if the set of channels {a1, . . . , an} isindependent under protocol P ,

3. P � φ1 → φ2 if P 2 φ1 or P � φ2.

In this paper, we study the set of formulas that are trueunder any protocol P as long as graph G remains fixed.The set of all such formulas will be captured by the Logicof Secrets in Collaboration Networks. Below, we will listaxioms and inference rules for this logic and prove theirsoundness and completeness.

4 Graph Truncation

In preparation for the presentation of an inference rule usedin our system, we introduce a graph operation called trun-cation. As usual, a cut of a graph is a disjoint partitioningof the nodes of the graph into two sets. A crossing edgein a cut is an edge whose ends belong to different sets ofthe partition. For any set of nodes X of a graph G we useE(X) to denote the set of edges of G whose ends both be-long to X .

Definition 7 Let G be an arbitrary graph and (X,Y ) bean arbitrary cut of G (See Figure 4). We define the “trun-cation” graph GX of graph G as follows:

1. The vertices of graph GX are the elements of set X .

2. The edges of GX are all of the edges from E(X) plusthe crossing edges of the cut (X,Y ) modified in thefollowing way: if in graph G, a crossing edge c con-nects vertex v ∈ X with vertex u ∈ Y , then in graphGX , edge c loops from v back into v.

In the remainder of the paper, we refer to vertices as parties,edges as channels, and crossing edges as crossing channels.

X XY

G GX

Figure 4: Graph truncation.

5 Formal System: Axioms and Rules

We are ready to describe the Logic of Secrets in Collabora-tion Networks. We will write G ` φ to state that formulaφ ∈ Φ(G) is provable in this logic. The deductive systemfor this logic, in addition to propositional tautologies andModus Ponens inference rule, consists of the Small Set Ax-iom, the Monotonicity Axiom, the Disconnected PartitionAxiom, and the Truncation Inference Rule, defined below:

Small Set Axiom. Any set that contains less than two el-ements is independent: G ` [A], where A ⊆ Ch(G) and|A| < 2.

Monotonicity Axiom. Any subset of an independent setof channels is an independent set: G ` [A] → [B], whereB ⊆ A ⊆ Ch(G).

Disconnected Partition Axiom. For any partition of thegraph G into two disconnected components X and Y , ifthe channels in the X-part of A are independent and thechannels in the Y -part ofA are independent, then the wholeset A is independent: G ` [A∩E(X)] → ([A∩E(Y )] →[A]), where A ⊆ Ch(G).

Truncation Rule. Let C ⊆ Ch(G) be the set of allcrossing channels of partition (X,Y ) of graph G and φ ∈Φ(GX). If GX ` φ, then G ` [C] → φ.

6 Examples of Proofs

In this section we give examples of proofs in the Logic ofSecrets in Collaboration Networks. Although proofs in thistype of formal system are just sequences of formulas, forthe benefit of the reader, we have chosen to connect formu-las in these sequences with English sentences.

Theorem 1 G2 ` [a, b] → [a, c], where G2 is the graph inFigure 2.

Proof. GraphG′2 (see Figure 5) is a truncation of graphG2

along crossing channels a and b. By the Small Set Axiom,G′

2 ` [a] and G′2 ` [c]. Hence, by the Disconnected Parti-

tion Axiom, G′2 ` [a, c]. Finally, by the Truncation Rule,

G2 ` [a, b] → [a, c]. �

210

RP Sca b

Figure 5: Graph G′2 (shown) is a truncation of graph G2

from Figure 2.

Theorem 2 G1 ` [a, b, c] → [a, d], where G1 is the graphin Figure 1.

Proof. GraphG′1 (see Figure 6) is a truncation of graphG1

along crossing channels a, b, and c. By the Small Set Ax-iom, G′

1 ` [a] and G′1 ` [d]. Hence, by the Disconnected

Partition Axiom, G′1 ` [a, d]. Finally, by the Truncation

Rule, G1 ` [a, b, c] → [a, d]. �

RP Sda

b

c

Figure 6: Graph G′1 (shown) is a truncation of graph G1

from Figure 1.

Theorem 3 G3 ` [b, c] → ([a, e] → [a, d]), where G3 isthe graph in Figure 3.

Proof. GraphG′3 (see Figure 7) is a truncation of graphG3

along crossing channels b and c. GraphG′′3 (see Figure 8) is

a truncation of graph G′3 along crossing channels a and e.

By the Small Set Axiom,G′′3 ` [a] andG′′

3 ` [d]. Hence, bythe Disconnected Partition Axiom, G′′

3 ` [a, d]. Therefore,by the Truncation Rule, G′

3 ` [a, e] → [a, d]. Again by theTruncation Rule, G3 ` [b, c] → ([a, e] → [a, d]). �

Q SP Ta d

e

b c

Figure 7: Graph G′3 (shown) is a truncation of graph G3

from Figure 3.

SP Tdc

a

e

Figure 8: Graph G′′3 (shown) is a truncation of graph G′

3

from Figure 7.

7 Soundness

The proofs of soundness, particularly the soundness of thetruncation rule, are non-trivial. For each axiom and infer-ence rule, we provide its justification as a separate theorem.

Theorem 4 (Small Set) For any graph G, if P is an arbi-trary protocol overG and anyA ⊆ Ch(G) has at most oneelement, then P � [A].

Proof. If A = ∅, then P � [A] follows from the existenceof at least one run of any protocol. If A = {a1}, considerany run r1 ∈ R(P). Pick r to be r1. This guarantees thatr(a1) = r1(a1). �

Theorem 5 (Monotonicity) For any graph G and anyA,B ∈ Ch(G) with B ⊆ A, if P � [A], then P � [B].

Proof. Let A = {a1, . . . , ak}, and pick any runsr1, . . . , rk ∈ R(P). By the assumption that P � [A], thereis a run r such that r(ai) = ri(ai) for all i ∈ {1, . . . , k}.Since B ⊆ A, the claim follows. �

Theorem 6 (Disconnected Partition) For any graph G,any partition of G into two disconnected components Xand Y , and any A ⊆ Ch(G), if P � [A ∩ E(X)] andP � [A ∩ E(Y )], then P � [A].

Proof. Let A ∩ E(X) = {a1, . . . , ak} and A ∩ E(Y ) ={ak+1, . . . , an}. Pick any runs r1, . . . , rn ∈ R(P). By theassumption of the theorem, there are runs rX and rY suchthat rX(ai) = ri(ai) for all i ∈ {1, . . . , k} and rY (ai) =ri(ai) for all i ∈ {k + 1, . . . , n}. Define

r(c) ={rX(c) if c ∈ E(X)rY (c) if c ∈ E(Y )

Note that r satisfies the local conditions at any partyp ∈ X because these conditions are satisfied by rX .Similarly, r satisfies the local conditions at any partyp ∈ Y because these conditions are satisfied by rY . Inaddition, r(ai) = ri(ai) for any i ∈ {1, . . . , n}. �

Theorem 7 (Truncation) For any graph G, any cut(X,Y ) of G, and any formula φ ∈ Φ(GX), if there is aprotocol P over G such that P 2 φ and P � [C], whereC is the set of all crossing channels of the cut (X,Y ), thenthere is a protocol P ′ over the truncation graph GX suchthat P ′ 2 φ.

Proof. Let P = 〈V,L〉. We define a semi-protocol P ′

as the pair 〈V ′, L′〉, where V ′ is the restriction of V onCh(GX) and local condition L′p is defined at every party

211

p ∈ X as follows: let b1, . . . , bk be the set of all channelsincident with party p,

L′p(v1, . . . , vk) ≡ ∃r ∈ R(P) ∀i ∈ {1, . . . , k} (r(bi) = vi).

First, we will show that P ′ has at least one run and, there-fore, is a protocol. Indeed, sinceP is a protocol, it has a runr0. The restriction of r0 to only the channels in truncatedgraph GX clearly satisfies the local conditions L′p. Thus,this restriction is a run of P ′.

Lemma 1 For any run r′ ∈ R(P ′) there is a run r ∈R(P) such that r(b) = r′(b) for all b ∈ Ch(GX).

Proof. Since r′ satisfies the local conditions L′, for anyp ∈ X there is a run rp ∈ R(P) such that r′(b) = rp(b)for any channel b incident with party p. For any crossingchannel c ∈ C there is a unique party p ∈ X such that c isincident with p. We will denote this party by x(c). By theassumption of the theorem, P � [C]. Thus, there is a runr ∈ R(P) such that r(c) = rx(c)(c) for any c ∈ C. We areready to define run r ∈ R(P):

r(b) ={r′(b) if b ∈ Ch(GX)r(b) if b /∈ Ch(GX)

By the above definition, r(b) = r′(b) for all b ∈ E(X) ∪C. Thus, we only need to show that r ∈ R(P). Indeed,consider any party p in G. Let {b1, . . . , bn} be the set ofall channels incident with p. It is sufficient to show thatLp(r(b1), . . . , r(bn)).

If p /∈ X , then b1, . . . , bn /∈ E(X). Thus, r(bi) = r(bi) forany i ∈ {1, . . . , n}. The required condition follows fromthe fact that r ∈ R(P).

Suppose that p ∈ X . Note that for any channel c ∈ Cwhich is incident with p, we have r(c) = r(c) = rx(c)(c) =rp(c). On the other hand, if b is incident with p and b /∈ C,then r(b) = r′(b) = rp(b). Hence, r(b) = rp(b) for any bincident with pwhether or not b belongs toC. The requiredcondition follows from rp ∈ R(P). �

Lemma 2 For any set of channels Q = {q1, . . . , qn} ingraph GX , P � [Q] if and only if P ′ � [Q].

Proof. Assume first that P � [Q] and consider any runsr′1, . . . , r

′n ∈ R(P ′). We will construct a run r′ ∈ R(P ′)

such that r′(qi) = r′i(qi) for any i ∈ {1, . . . , n}. Indeed,by Lemma 1, there are runs r1, . . . , rn ∈ R(P) that matchruns r′1, . . . , r

′n on Ch(GX). By the assumption that P �

[Q], there must be a run r ∈ R(P) such that r(qi) = ri(qi)for all i ∈ {1, . . . , n}. Hence, r(qi) = ri(qi) = r′i(qi)for all i ∈ {1, . . . , n}. Let r′ be a restriction of run r tothe channels in GX . Run r′ satisfies the local conditions atany party inGX because it is equal to r on Ch(GX). Thus,r′ ∈ R(P ′). Finally, we notice that r′(qi) = r(qi) = r′i(qi)for any i ∈ {1, . . . , k}.

Next, we will assume that P ′ � [Q] and consider any runsr1, . . . , rn ∈ R(P). We will show that there is a runr ∈ R(P) such that r(qi) = ri(qi) for all i ∈ {1, . . . , n}.Indeed, let r′1, . . . , r

′n be restrictions of runs r1, . . . , rn to

the channels in Ch(GX). Each r′i satisfies the local con-ditions L′ at any party in GX because r′i is equal to rion each channel in Ch(GX). Thus, r′i ∈ R(P) for alli ∈ {1, . . . , n}. By the assumption that P ′ � [Q], thereis a run r′ ∈ R(P ′) such that r′(qi) = r′i(qi) = ri(qi)for all i ∈ {1, . . . , n}. By Lemma 1, there is a runr ∈ R(P) that matches r′ everywhere in Ch(GX). There-fore, r(qi) = r′(qi) = ri(qi) for all i ∈ {1, . . . , n}. �

Lemma 3 For any formula ψ ∈ Φ(GX), P � ψ if andonly if P ′ � ψ.

Proof. We use induction on the complexity of ψ. Thebase case follows from Lemma 2, and the induction step istrivial. �

The statement of Theorem 7 immediately follows fromLemma 3. �

8 Completeness

Our main result is the following completeness theorem forthe Logic of Secrets in Collaboration Networks:

Theorem 8 For any graph G, if P � φ for all finite proto-cols P over G, then G ` φ.

At the core of the proof is the construction of a finite pro-tocol. This protocol will be formed as a composition ofseveral simpler protocols, where each of the simpler proto-cols is defined recursively. The base case of this recursivedefinition is the parity protocol defined below.

8.1 Parity Protocol

Let G be a graph and A be a subset of Ch(G). We definethe “parity protocol” PA over G as follows. The set ofvalues of any channel c in graph G is a set of pairs suchthat

V (c) ={{〈b1, b2〉 | b1, b2 ∈ {0, 1}} if c ∈ A{〈b, b〉 | b ∈ {0, 1}} if c /∈ A

This means that under each run r ∈ PA, the value of eachchannel will be a pair. We identify each of the componentsof such a pair with one of the two ends of the channel. Ifchannel c connects party p with party q, then by the pro-jection prp(r(c)) we mean the component of the pair asso-ciated with p, and by prq(r(c)), the component associatedwith q. Now we are ready to specify the local condition

212

predicates Lp. If c1, . . . cn is the list of all channels inci-dent with p, then Lp is the statement

prp(r(c1)) + . . . prp(r(cn)) = 0 mod 2.

Theorem 9 PA is a finite protocol.

Proof. We need to prove existence of at least one run thatsatisfies all local conditions. Indeed, consider the run r0such that r0(c) = 〈0, 0〉 for any channel c. �

Definition 8 For any run r, if r(c) = 〈b1, b2〉, then⊕(r(c)) = b1 + b2 mod 2.

Theorem 10 For any run r of the parity protocol PA,∑c∈A

⊕(r(c)) = 0 mod 2.

Proof. Let P be the set of all parties of graph G. If we letInc(p) mean the set of all channels incident with party p,then∑

c∈A

⊕(r(c)) =∑

c∈Ch(G)

⊕(r(c))−∑c/∈A

⊕(r(c))

=∑p∈P

∑c∈Inc(p)

prp(r(c))−∑c/∈A

0

=∑p∈P

0− 0 = 0 mod 2.

�

Definition 9 Assume that π is a path in the graph G suchthat either:

1. π = a, c1, c2, . . . , cn, b is a simple path, where a, b ∈A and a 6= b, or

2. π = c1, c2, . . . , cn, c1 is a simple cyclic path.

For any run r of the parity protocolPA and path π inG, weintroduce a function called flip(r, π) that assigns a valuefrom V (c) to each channel c of the graph G as follows. Forany x ∈ Ch(G), let r(x) = 〈x1, x2〉, and define:

flip(r, π)(x) =

〈x1,¬x2〉 if x = a,〈¬x1,¬x2〉 if x ∈ {c1, . . . , cn},〈¬x1, x2〉 if x = b,〈x1, x2〉 if x 6∈ π.

Theorem 11 flip(r, π) ∈ R(PA) for any r ∈ PA andpath π in G.

Proof. The flip operation preserves the local conditions ofprotocol PA. �

Theorem 12 If |A| > 1 and graphG is connected, then forany a ∈ A and any v ∈ {0, 1} there is a run r ∈ R(PA)such that ⊕(r(a)) = v.

Proof. By Theorem 9, there is a run r of the protocol PA.Suppose that ⊕(r(a)) 6= v. Since |A| > 1 and graph G isconnected, there is a simple path π that connects channela with channel b ∈ A such that b 6= a. Consider runr′ = flip(r, π) and notice that ⊕(r′(a)) = v. �

Theorem 13 If |A| > 1 and graph G is connected, thenPA 2 [A].

Proof. Let A = {a1, . . . , ak}. Pick any values v1, . . . , vk

such that v1 + · · ·+vk = 1 mod 2. By Theorem 12, thereare runs r1, . . . , rk ∈ R(PA) such that ri(ai) = vi for anyi ∈ {1, . . . , k}. If PA � [A], then there is a run r ∈ R(PA)such that r(ai) = ri(ai) for any i ∈ {1, . . . , k}. There-fore, r(a1) + · · · + r(ak) = r1(a1) + · · · + rk(ak) =v1+· · ·+vk = 1 mod 2. This contradicts Theorem 10. �

Theorem 14 For any setB ⊆ Ch(G), any b ∈ B, and anyend u of channel b, at least one of the following conditionsis true:

1. there is a simple path that starts at party u, ends witha channel from A, and does not contain any channelsfrom B,

2. there is a non-trivial cut (X,Y ) of the graph G suchthat A ⊆ E(X) and the set of crossing channels ofthis cut is a subset of B.

Proof. Remove all channels in set B from graph G.We will refer to this new graph as G′. Let G′

u be theconnected component of G′ containing party u. If G′

u

contains no channels from A, then this connected com-ponent defines a cut of the original graph G whose onlycrossing channels are channels from B. If G′

u contains atleast one channel from A, then there is a simple path inG′

u that starts at party u and ends with a channel fromA. �

Theorem 15 For any set B ⊆ Ch(G) and any b ∈ B, atleast one of the following conditions is true:

1. there is a simple path that starts and ends with chan-nels from A, contains channel b, and does not containany other channels from B,

2. there is a simple cyclic path that contains channel band does not contain any other channels from B,

3. there is a non-trivial cut (X,Y ) of the graph G suchthat A ⊆ E(X) and the set of the crossing channelsof this cut is a subset of B.

213

Proof. Let channel b connect parties u and v. Remove allchannels in set B from graph G. We will refer to this newgraph as G′. Let G′

u and G′v be the connected components

of G′ containing parties u and v, respectively.

If G′u = G′

v , then there is a simple path from u to v in G′.Thus, there is a cyclic path inG that contains b and no otherchannels from set B. (This case also includes the situationwhen u = v.)

If either G′u or G′

v contains no channels from A, then thatconnected component defines a cut of the original graph Gwhose only crossing channels are channels from B.

Finally, assume that G′u and G′

v are two different con-nected components both of which contain channels fromA. Let au ∈ G′

u ∩ A and av ∈ G′u ∩ A. Thus, the original

graph G contains a simple path that starts with channel au,ends with channel av , and contains channel b but no otherchannels from set B. �

We are ready now to prove the key property of the parityprotocol that, together with Theorem 13, will be used inthe next section.

Theorem 16 For any set B ⊆ Ch(G), if there are no non-trivial cuts (X,Y ) of the graph G such that A ⊆ E(X)and the set of the crossing channels of this cut is a subsetof B, then PA � [B].

Proof. Let B = {b1, . . . , bk}. Consider any runsr1, . . . , rk ∈ R(PA). We will prove that there is a runr ∈ R(PA) such that r(bi) = ri(bi) for all i ∈ {1, . . . , k}.Indeed, by Theorem 9, protocol PA has at least one run r.We will modify run r to satisfy conditions r(bi) = ri(bi)for all i ∈ {1, . . . , k}. Our modification will consist ofrepeating the following procedure for each i ∈ {1, . . . , k}:

1. if bi /∈ A and r(bi) 6= ri(bi), then, by Theorem 15,there is a path π that contains b and no other elementof B. This path is either cyclic or starts and ends withan channel from A. Modify r to be flip(r, π). Thismodification guarantees that r(bi) = ri(bi). Sincepath π does not include any channels from B exceptb, the values of r(bj) for all j 6= i are not changed.

2. if bi ∈ A and r(bi) 6= ri(bi), then, assuming thatchannel b connects parties u and v, at least one ofthe following is true: pru(r(bi)) 6= pru(ri(bi)) orprv(r(bi)) 6= prv(ri(bi)). In the first case, by The-orem 14, there is a simple path c1, . . . , cn that startswith party u, ends with a channel from set A, anddoes not contain any channels from set B. Let π′

be a path b, c1, . . . , cn. Modify r to be flip(r, π′).If prv(r(bi)) 6= prv(ri(bi)), make a similar modifi-cation at node v. These modifications guarantee thatr(bi) = ri(bi). Since the paths do not include any

channels from B except b, the values of r(bj) for allj 6= i are not changed.

Let r be r with all the modifications described above.These modifications guarantee that r(bi) = r(bi) = ri(bi)for all i ∈ {1, . . . , k}. �

8.2 Recursive Construction

In this section we will generalize the parity protocolthrough a recursive construction. First, however, we willestablish a technical result that we will need for this con-struction.

Theorem 17 (protocol extension) For any cut (X,Y ) ofgraph G and any finite protocol P ′ on truncation GX ,there is a finite protocol P on G such that for any setQ ⊆ Ch(G),

P � [Q] iff P ′ � [Q ∩ E(GX)]

Proof. To define protocol P we need to specify a set of val-ues V (c) for each channel c ∈ Ch(G) and the set of localconditions for each party p in graph G. If c ∈ Ch(GX),then let V (c) be the same as in protocol P . Otherwise,V (c) = {ε}, where ε is an arbitrary element. The localconditions at the parties in X are the same as in protocolP ′, and the local conditions at the parties in Y are equal tothe boolean constant True. This completes the definitionof P . Clearly, P has at least one run as long as P ′ has arun.

(⇒) : Suppose that Q ∩ E(GX) = {q1, . . . , qk}. Notethat due to the soundness of the Monotonicity Axiom, P �[q1, . . . , qk]. Consider any r′1, . . . , r

′k ∈ R(P ′). Define

runs r1, . . . , rk as follows:

ri(c) ={r′i(c) if c ∈ Ch(GX),ε if c /∈ Ch(GX).

Note that runs ri and r′i, by definition, are equal on anychannel incident with any party in graph GX . Thus, risatisfies the local conditions at any such party. Hence,ri ∈ R(P) for any i ∈ {1, . . . , k}. Since P � [q1, . . . , qk],there is a run r ∈ R(P) such that r(qi) = ri(qi) for anyi ∈ {1, . . . , k}. Define r′ to be a restriction of r on sub-graph GX . Note that r′ satisfies all local conditions of P ′.Thus, r′ ∈ R(P ′). At the same time, r′(qi) = ri(qi) =r′i(qi).

(⇐) : Suppose that Q = {q1, . . . , qk}. Consider anyr1, . . . , rk ∈ R(P), and let r′1, . . . , r

′k be their respective

restrictions to subgraphGX . Since, for any i ∈ {1, . . . , k},run r′i satisfies the local conditions of P ′ at any node ofgraph GX , we can conclude that r′1, . . . , r

′k ∈ R(P ′). By

the assumption that P ′ � [Q ∩ E(GX)], there is a run r′ ∈

214

R(P ′) such that r′(q) = r′i(q) for any q ∈ Q ∩ E(GX).In addition, r′(q) = ε = r′i(q) for any q ∈ Q\E(GX).Hence, r′(qi) = r′i(qi) for any i ∈ {1, . . . , k}. Define runr as follows:

r(c) ={r′(c) if c ∈ Ch(GX),ε if c /∈ Ch(GX).

Note that r satisfies the local conditions of P at all nodes.Thus, r ∈ R(P). In addition, r(qi) = r′(qi) = r′i(qi) forall i ∈ {1, . . . , k}. �

We will now prove another key theorem in our construc-tion. The proof of this theorem recursively defines a gener-alization of the parity protocol.

Theorem 18 For any sets A,B1, . . . , Bn ⊆ Ch(G), ifG 0

∧1≤i≤n[Bi] → [A], then there is a finite protocol P

over G such that P � [Bi] for all 1 ≤ i ≤ n and P 2 [A].

Proof. We use induction on the number of parties in G.

1. If |A| ≤ 1, then, by the Small Set Axiom, G ` [A].Hence, G `

∧1≤i≤n[Bi] → [A], which is a contra-

diction.

2. If the vertices of graphG can be divided into two non-trivial disconnected sets X and Y , then, by the Dis-connected Sets Axiom,

G ` [A ∩ E(X)] → ([A ∩ E(Y )] → [A]).

Thus, taking into account the assumption that G 0∧1≤i≤n[Bi] → [A], either

G 0∧

1≤i≤n

[Bi] → [A ∩ E(X)],

orG 0

∧1≤i≤n

[Bi] → [A ∩ E(Y )].

Without loss of generality, we will assume the former.By the Monotonicity Axiom,

G 0∧

1≤i≤n

[Bi ∩ E(X)] → [A ∩ E(X)].

By the Small Set Axiom,

G 0 [∅] → (∧

1≤i≤n

[Bi ∩ E(X)] → [A ∩ E(X)]).

By the Truncation Rule,

GX 0∧

1≤i≤n

[Bi ∩ E(X)] → [A ∩ E(X)].

By the Induction Hypothesis, there is a protocol P ′ onGX such that

P ′ � [Bi ∩ E(X)],

for any i ∈ {1, . . . , n}, and

P ′ 2 [A ∩ E(X)].

Therefore, by Theorem 17, there is a protocol P onG such that P � [Bi], for any i ∈ {1, . . . , n}, andP 2 [A].

3. Suppose there is a non-trivial cut (X,Y ) of graph Gsuch that A ⊆ Ch(GX) and the set of all crossingchannels C of this cut is a subset of Bi0 for some i0 ∈{1, . . . , n}. By the assumption of the theorem,

G 0 [Bi0 ] → (∧

1≤i≤n

[Bi] → [A]).

By the Monotonicity Axiom,

G 0 [C] → (∧

1≤i≤n

[Bi ∩ E(GX)] → [A]).

By the Truncation Rule,

GX 0∧

1≤i≤n

[Bi ∩ E(GX)] → [A].

By the Induction Hypothesis, there is a protocol P ′ onGX such that

P ′ � [Bi ∩ E(GX)],

for any i ∈ {1, . . . , n}, and

P ′ 2 [A].

Therefore, by Theorem 17, there is a protocol P onG such that P � [Bi], for any i ∈ {1, . . . , n}, andP 2 [A].

4. Assume now that (i) |A| > 1, (ii) graph G is con-nected, and (iii) for any i ∈ {1, . . . , n} there are nonon-trivial cuts (X,Y ) of graph G such that A ⊆Ch(GX) and the set of all crossing channels of thiscut is a subset of Bi. Consider the parity protocol PA

over G. By Theorem 13, PA 2 [A]. By Theorem 16,PA � [Bi] for any i ∈ {1, . . . , n}.

�

8.3 Protocol Composition

Definition 10 For any protocols P1 = (V 1, L1), . . . ,Pn = (V n, Ln) over a graph G, we define the Cartesiancomposition P1 ×P2 × · · · × Pn to be a pair (V,L) suchthat

1. V (c) = V 1(c)× · · · × V n(c),

215

2. Lp(〈c11, . . . , cn1 〉, . . . , 〈c1k, . . . , cnk 〉)if and only if

∧1≤i≤n L

ip(c

i1, . . . , c

ik),

For each composition P = P1 × P2 × · · · × Pn , we let{r(c)}i denote the ith component of the value of secret cover run r.

Theorem 19 For any n > 0 and any finite protocolsP1, . . . ,Pn over a graph G, P = P1 × P2 × · · · × Pn

is a finite protocol over a graph G.

Proof. We need to show that P has at least one run.Indeed, let r1, . . . , rn be runs of P1, . . . ,Pn. Define r(c)to be 〈r1(c), . . . , rn(c)〉. It is easy to see that r satisfies thelocal conditions Lp for any party p of the graph G. Thus,r ∈ R(P). �

Theorem 20 For any protocol P = P1 × P2 × · · · × Pn

over a graph G and any set of channels Q,

P � [Q] if and only if ∀i (Pi � [Q]).

Proof. Let Q = {q1, . . . , q`}.

(⇒) : Assume P � [Q] and pick any i0 ∈ {1, . . . , n}.We will show that Pi0 � [Q]. Pick any runs r′1, . . . , r

′` ∈

R(Pi0). For each i ∈ {1, . . . , i0− 1, i0 + 1, . . . , n}, selectan arbitrary run ri ∈ R(Pi). We then define a series ofcomposed runs rj for j ∈ {1, . . . , `} by

rj(c) = 〈r1(c), . . . , ri0−1(c), r′j(c), ri0+1(c), . . . , rn(c)〉,

for each secret c ∈ Ch(G). Since the component partsof each rj belong in their respective sets R(Pi), the com-posed runs are themselves members of R(P). By our as-sumption, P � [Q], thus there is r ∈ R(P) such thatr(qi) = ri(qi) for any i0 ∈ {1, . . . , `}. Finally, weconsider the run r∗, where r∗(c) = {r(c)}i0 for eachc ∈ Ch(G). That is, we let the value of r∗ on c bethe itho component of r(c). By definition of composition,r∗ ∈ R(Pi0), and it matches the original r′1, . . . , r

′` ∈

R(Pi0) on channels q1, . . . , q`, respectively. Hence, wehave shown that Pi0 � [Q].

(⇐) : Assume ∀i (Pi � [Q]). We will show thatP � [Q]. Pick any runs r1, . . . , r` ∈ R(P). For eachi ∈ {1, . . . , n}, each j ∈ {1, . . . , `}, and each channelc, let ri

j(c) = {rj(c)}i. That is, for each c, define a runrij whose value on channel c equals the ith component

of rj(c). Note that by the definition of composition, foreach i and each j, ri

j is a run in R(Pi). Next, for eachi ∈ {1, . . . , n}, we use the fact that Pi � [Q] to constructa run ri ∈ R(Pi) such that ri(qj) = ri

j(qj). Finally, wecompose these n runs r1, . . . , rn to get run r ∈ R(P).We note that the value of each channel qj on r matches

the the value of qj in run rj ∈ R(P), demonstrating thatP � [Q]. �

We are now ready to prove the completeness theorem,which appeared earlier as Theorem 8:

Theorem For any graphG, ifP � φ for all finite protocolsP over G, then G ` φ.

Proof. We give a proof by contradiction. Let X be a max-imal consistent set of formulas from Φ(G) that contains¬φ. Let {A1, . . . , An} = {A ⊆ Ch(G) | G 0 [A]}and {B1, . . . , Bk} = {B ⊆ Ch(G) | G ` [B]}. Thus,G 0

∧1≤j≤k[Bj ] → [Ai], for any i ∈ {1, . . . , n}. We

will construct a protocol P such that P 2 [Ai] for anyi ∈ {1, . . . , n} and P � [Bj ] for any j ∈ {1, . . . , k}.

First consider the case where n = 0. Pick any symbol εand define P to be 〈V,L〉 such that V (c) = {ε} for anyc ∈ Ch(G) and local condition Lp to be the constant Trueat any party. By Definition 5, P � [C] for anyC ⊆ Ch(G).

We will assume now that n > 0. By Theorem 18, thereare finite protocols P1, . . . ,Pn such that Pi 2 [Ai] andPi � [Bj ] for all j ∈ {1, . . . , k}. Consider the compositionP of protocols P1, . . . ,Pn. By Theorem 20, P 2 [Ai] forany i ∈ {1, . . . , n} and P � [Bj ] for any j ∈ {1, . . . , j}.

By induction on structural complexity of any formulaψ ∈ Φ(G), one can show now that G ` ψ if and only ifψ ∈ X . Thus, P � ¬φ. Therefore, P 2 φ, which is acontradiction. �

Corollary 1 The set {(G,φ) | G ` φ} is decidable.

Proof. The complement of this set is recursively enumer-able due to the completeness of the system with respect tofinite protocols. �

9 Conclusion

We have presented a formal logical system for reasoningabout an independence relation and proved the complete-ness of this system with respect to a semantics of secrets.

As an extension, one could study a natural generalizationof this result to secrets shared by more than two parties. Inthat setting, a collaboration network is a hypergraph whoseedges (channels) may connect arbitrary number of vertices(parties).

216

References

[1] Torben Amtoft and Anindya Banerjee. A logic for in-formation flow analysis with an application to forwardslicing of simple imperative programs. Sci. Comput.Program., 64(1):3–28, 2007.

[2] Ellis Cohen. Information transmission in computa-tional systems. In Proceedings of Sixth ACM Sympo-sium on Operating Systems Principles, pages 113–139.Association for Computing Machinery, 1977.

[3] Joseph A Goguen and Jose Meseguer. Security policiesand security models. In Proceedings of IEEE Sympo-sium on Security and Privacy, pages 11–20, 1982.

[4] Joseph Y. Halpern and Kevin R. O’Neill. Secrecyin multiagent systems. In Proceedings of the Fif-teenth IEEE Computer Security Foundations Work-shop, pages 32–46, 2002.

[5] Joseph Y. Halpern and Kevin R. O’Neill. Secrecyin multiagent systems. ACM Trans. Inf. Syst. Secur.,12(1):1–47, 2008. (originally appeared as [4]).

[6] Donald MacKenzie. Mechanizing Proof: Computing,Risk, and Trust. MIT Press, 2004.

[7] Sara Miner More and Pavel Naumov. An independencerelation for sets of secrets. In H. Ono, M. Kanazawa,and R. de Queiroz, editors, Proceedings of 16th Work-shop on Logic, Language, Information and Compu-tation (Tokyo, 2009), LNAI 5514, pages 296–304.Springer, 2009.

[8] Andrei Sabelfeld and Andrew C. Myers. Language-based information-flow security. IEEE Journal on Se-lected Areas in Communications, 21(1):5–19, 2003.

[9] David Sutherland. A model of information. In Pro-ceedings of Ninth National Computer Security Confer-ence, pages 175–183, 1986.

217