Abstract
Separating sequential-program state into “visible” and “hidden” parts facilitates reasoning about knowledge, security and privacy: applications include zero-knowledge protocols, and security contexts with hidden “high-security” state and visible “low-security” state. A rigorous definition of how specifications relate to implementations, as part of that reasoning, must ensure that implementations reveal no more than their specifications: they must, in effect, preserve ignorance.
We propose just such a definition – a relation of ignorance-preserving refinement – between specifications and implementations of sequential programs. Its purpose is to enable a development-by-refinement methodology for applications like those above.
Since preserving ignorance is an extra obligation, the proposed refinement relation restricts (rather than extends) the usual. We suggest general principles for restriction, and we give specific examples of them.
To argue that we do not restrict too much – for “no refinements allowed at all” is trivially ignorance-preserving – we derive The Dining Cryptographers protocol via a program algebra based on the restricted refinement relation. It is also a motivating case study, as it has never before (we believe) been treated refinement-algebraically.
In passing, we discuss – and solve – the Refinement Paradox.
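The abstract names The Dining Cryptographers as its case study and the Refinement Paradox as the pitfall. The following is an added illustration, not code from the paper, of both points in a small model: a ring of cryptographers share pairwise hidden coins and each announces an XOR, so the visible announcements reveal whether some cryptographer paid but not which one. The function `preserves_ignorance` checks, by enumerating every resolution of the hidden coins, that an observer of the visible state sees the same set of possible announcement vectors whoever paid. The helper `zero_coins` is a constructed stand-in for a classical refinement that resolves the coin nondeterminism to a fixed value; ordinary refinement permits it, yet it leaks the payer, which is exactly why the paper restricts the refinement relation. All function names here are the example's own.

```python
"""Dining Cryptographers on a ring, with an observer-ignorance check (added example)."""
import secrets
from itertools import product
from typing import Callable, List, Optional


def run_round(payer: Optional[int], coins: List[int]) -> List[int]:
    """One protocol round.

    coins[i] is the hidden bit shared by cryptographers i and (i+1) % n.
    Cryptographer i announces the XOR of the two coins it can see, flipped
    if i is the payer. payer=None means an outsider (e.g. the NSA) paid.
    """
    n = len(coins)
    announcements = []
    for i in range(n):
        left, right = coins[(i - 1) % n], coins[i]
        paid = 1 if payer == i else 0
        announcements.append(left ^ right ^ paid)
    return announcements


def someone_paid(announcements: List[int]) -> bool:
    """Visible conclusion: odd parity iff one of the cryptographers paid."""
    return sum(announcements) % 2 == 1


def fair_coins(n: int) -> List[int]:
    """The specification's coins: independent, uniformly random hidden bits."""
    return [secrets.randbits(1) for _ in range(n)]


def zero_coins(n: int) -> List[int]:
    """A constructed 'refinement' that resolves every coin to 0.

    Classical refinement only requires reducing nondeterminism, so this is
    admissible there; it is the Refinement Paradox in miniature, because the
    announcements then equal the payer's indicator vector.
    """
    return [0] * n


def reachable_announcements(n: int, payer: Optional[int],
                            coin_source: Optional[Callable[[int], List[int]]] = None) -> frozenset:
    """Every announcement vector an observer of the visible state could see.

    With coin_source=None the hidden coins are left fully nondeterministic
    (all 2**n resolutions); otherwise the given resolution is used.
    """
    if coin_source is None:
        coin_space = [list(c) for c in product((0, 1), repeat=n)]
    else:
        coin_space = [coin_source(n)]
    return frozenset(tuple(run_round(payer, c)) for c in coin_space)


def preserves_ignorance(n: int,
                        coin_source: Optional[Callable[[int], List[int]]] = None) -> bool:
    """True iff the visible state is consistent with every payer equally.

    If the set of reachable announcement vectors differs between payers, an
    observer can rule some payers out, i.e. the hidden identity has leaked.
    """
    per_payer = [reachable_announcements(n, p, coin_source) for p in range(n)]
    return all(s == per_payer[0] for s in per_payer)


if __name__ == "__main__":
    announcements = run_round(payer=1, coins=fair_coins(3))
    print("announcements:", announcements, "someone paid:", someone_paid(announcements))
    print("specification preserves ignorance:", preserves_ignorance(3))
    print("all-zero-coin refinement preserves ignorance:", preserves_ignorance(3, zero_coins))
```

The enumeration in `reachable_announcements` is the shadow-style reasoning in concrete form: the observer's knowledge is the set of hidden states consistent with what is visible, and a refinement is acceptable only if it does not shrink that set relative to the specification. For three or more cryptographers the specification yields exactly the odd-parity vectors for every payer, while the zero-coin refinement yields a single, payer-specific vector.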
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Morgan, C. (2006). The Shadow Knows: Refinement of Ignorance in Sequential Programs. In: Uustalu, T. (eds) Mathematics of Program Construction. MPC 2006. Lecture Notes in Computer Science, vol 4014. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11783596_21
DOI: https://doi.org/10.1007/11783596_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-35631-8
Online ISBN: 978-3-540-35632-5