A Higher-Order Indistinguishability Logic for Cryptographic Reasoning

The field of cryptographic protocol verification in the computational model aims at obtaining formal security proofs of protocols. To facilitate writing such proofs, which are complex and hard to automate, Bana and Comon have proposed the Computationally Complete Symbolic Attacker (CCSA) approach, which is based on a first-order logic with a probabilistic computational semantics. Later, a meta-logic was built on top of the CCSA logic, to extend it with support for unbounded protocols and effective mechanisation. This meta-logic was then implemented in the SQUIRREL prover. In this paper, we propose a careful re-design of the SQUIRREL logic, providing clean and robust foundations for its future development. We show in this way that the original meta-logic was both needlessly complex and too restrictive. Our new, higher-order logic avoids the indirect definition of the meta-logic on top of the CCSA logic, decouples the logic from the notion of protocol, and supports advanced generic reasoning and non-computable functions. We also equip it with generalised cryptographic rules to reason about corruption. This theoretical work justifies our extension of SQUIRREL with higher-order reasoning, which we illustrate on case studies.


I. INTRODUCTION
Cryptographic protocols are widely used to secure all sorts of communications: web browsing, payment, instant messaging, etc. Concretely, they are simple distributed programs that rely on cryptographic constructions (encryption, signatures, ...). As the security of many critical systems, and the privacy of many users, depend on these protocols, it is essential to ensure they do not have flaws or vulnerabilities. In order to formally establish this, one must take into account the presence of an arbitrary adversary, or attacker. As it turns out, considering adversarial behaviours renders the analysis particularly difficult. Formal security proofs therefore tend to be rather complex and error prone. All these reasons have motivated much work on developing and implementing mechanised formal methods for cryptographic protocols.
The first step before devising verification techniques is to formally define the model under study. In our case, we must notably define what the adversary can and cannot do. One important class of models, sometimes called symbolic, only considers idealised attackers, to enable highly-automated verification techniques. This line of work pioneered by Dolev and Yao [1] has led to mature verification tools [2]-[4]. We are concerned in this paper with a more concrete model, the so-called computational model, in which messages are bitstrings and adversaries are probabilistic polynomial-time Turing machines (PPTMs). In this model, security properties generally do not hold in an absolute sense: although polynomial time attackers cannot mount brute force attacks, they may still luckily guess a secret key and break the property. Hence, one considers that a property holds when it is true with overwhelming probability for any PPTM attacker. Here, the probability is evaluated as a function f of a security parameter η, typically the length of secret keys. We say that a function f is negligible when it is asymptotically smaller than the inverse of any polynomial $\eta^{-k}$, and that it is overwhelming when $1-f$ is negligible. We write the former $f \in \mathrm{negl}(\eta)$, and the latter $f \in \mathrm{ow}(\eta)$. Proving security in this sense is typically done through a reduction, showing that breaking the security of the system (with good probability) entails violating a computational hardness assumption on some cryptographic primitive. The computational model is more realistic than symbolic ones, and thus provides stronger security guarantees. It is the standard for cryptographers. But this comes at a cost: automating proofs is more difficult, and existing tools either have a limited scope (e.g. [5]), or use low-level modelling with little support for automated reasoning, and may require users to write intricate proofs involving probabilistic arguments (e.g. [6], [7]).

Example 1.
We provide examples of an information-theoretic fact phrased in terms of negligible probability, and a simple cryptographic assumption.
Consider two probabilistic machines that receive as input the security parameter η, and draw a bit-string of length η uniformly at random. If the two samplings are independent, the probability that the two machines return the same result is $2^{-\eta}$, which is negligible in η.
Cryptographic assumptions are also phrased in terms of negligible probabilities, but crucially rely on limitations of the computational resources of the attacker. For instance, assume a keyed hash function, used with some randomly sampled key k of length η. Consider a probabilistic polynomial-time attacker with the ability to compute hashes using this key k, but without direct access to k. The collision resistance under hidden key attacks assumption states that there is a negligible probability (in η) that such an attacker finds two different messages with the same hash. The polynomial time assumption is crucial here, as unrestricted attackers clearly exist, because hash functions cannot be injective.
A few years ago, Bana and Comon have proposed a symbolic framework [8] allowing to prove computational security, providing a way to obtain strong security guarantees while writing high-level proofs that can be more easily automated. Their approach, called the Computationally Complete Symbolic Attacker (CCSA), builds on first-order logic. First-order terms are used to model messages, using function symbols for cryptographic operations and adversarial computations, and special constants called names to model secrets, nonces, etc. as in symbolic models. Complex security properties can then be naturally expressed as first-order formulas, using a single predicate ∼ interpreted as computational indistinguishability; we will provide later a full definition of this notion but, for now, we only use u ∼ true with u a boolean, which means that u is true with overwhelming probability. The semantics is given by considering a specific class of first-order structures, where terms are interpreted as probabilistic bit-strings. Function symbols representing adversarial computations are interpreted as PPTMs. Those representing cryptographic primitives are interpreted as deterministic Turing machines¹ satisfying the relevant security assumptions. Names are interpreted as independent uniform random samplings of bit-strings of length η. A proof system is finally associated to this logic, with rules that encode computational security assumptions on the primitives, whose soundness justifies the ability of the CCSA logic to carry security proofs in the computational model. This proof system, and the accompanying methodology, have been successfully used on various protocols [9]-[11].
Example 2. When n and n' are distinct name symbols, the boolean term n ≠ n' is true with probability $1 - 2^{-\eta}$ in any CCSA model (equality is not a predicate in this logic, but is only used as a function symbol). Hence, the atomic formula (n ≠ n') ∼ true is valid.
Further, if h(_, _) is interpreted as a collision resistant keyed hash function (under hidden key attacks), and u, v are two closed terms in which k only occurs as second argument of h, then (if h(u, k) = h(v, k) then u = v else true) ∼ true is valid: this is because u and v can be seen as probabilistic polynomial time computations without access to k, except for the ability to compute hashes with that key.
In many cases though, we are interested in properties of the execution of protocols, such as "in any execution, no attacker can make it so that two honest agents disagree on the value of a supposedly shared key". To handle these, a meta-logic was developed in [12] on top of the CCSA logic, called base logic in this context, which internalises the notion of execution of a protocol. In addition to messages, meta-logic terms can describe timestamps (positions in an implicit execution trace) and indices (used to model unbounded collections). Special terms, called macros, are used to represent the attacker's knowledge and the inputs and outputs of the protocol at a particular timestamp. Meta-logic formulas are first interpreted in a trace model encoding one specific execution. They then devolve into boolean terms of the base logic, that can be interpreted as before. The proof rules on the base level are lifted to the meta level, yielding a proof system that can be used to prove properties of all protocol executions. That system has been implemented in the SQUIRREL proof assistant [13], and successfully used to study several protocols [12], [14], [15].

¹ Randomised primitives, e.g. encryption, are modelled as deterministic algorithms inputting the randomness explicitly as an additional argument.
Example 3. In the Hash Lock protocol [16], a RFID tag owns a key k. At session i, it inputs a message x and outputs in return a pair $\langle n_i, h(\langle x, n_i\rangle, k)\rangle$ where $n_i$ is freshly generated. This protocol ensures that the second components of the outputs of distinct tag sessions are always distinct, provided that the hash function h is collision resistant.
To verify this using the base logic, we have to model the successive inputs and outputs of the protocol. For each new session i, the input is an arbitrary attacker computation from the past outputs, which yields the following definitions: • $\mathit{in}_0 = \mathit{att}_0()$ and $\mathit{in}_{i+1} = \mathit{att}_{i+1}(\mathit{out}_0, \ldots, \mathit{out}_i)$.
Then we have to check, for all i, j ∈ N, the validity of: Indeed, all of these formulas can be derived from axioms notably expressing the collision resistance of h.
The meta-logic allows to capture all of the above base logic formulas as the following meta-logic formula (with minor details elided), which is proved just as easily in the meta-logic as each of the previous base logic formulas was: $\forall i, j.\ [i \neq j]_P \Rightarrow [\mathrm{snd}(\mathit{output}@T(i)) \neq \mathrm{snd}(\mathit{output}@T(j))]_P$. Here, P represents our protocol. In more details, it is formed of actions T(i), representing the interaction with session i of the tag. In this context, a trace model specifies in which finite domain $D_I$ the indices i are interpreted, and in which order the actions $(T(i))_{i \in D_I}$ are scheduled. In such a trace model, a term of sort timestamp is interpreted into some T(i) for $i \in D_I$, or into the special initial timestamp init that precedes all actions.
The meta-logic allows macro terms such as output@T(i), which represents the protocol output at a given timestamp. In this case, using the ability to write indexed names to model unbounded collections we have: $\mathit{output}@T(i) = \langle n(i), h(\langle \mathit{input}@T(i), n(i)\rangle, k)\rangle$. The input at a given timestamp (other than init) is then defined as the result of an unspecified adversarial computation on the frame at this timestamp, i.e. (roughly) the sequence of past outputs. The semantics of the output, input and frame macros are thus defined in a mutually recursive fashion, once the relative execution order of actions is fixed by a trace model, depending of course on the protocol specification P.
In the meta-logic, a sub-formula φ in square brackets is called local, and is interpreted as a boolean value. Global meta-logic formulas are built on top of local ones: e.g. [φ] asserts that φ is overwhelmingly true. For clarity, we distinguish the two sorts of meta-logic connectives (e.g. local ∀ vs. global ∀).

Contributions:
In this paper, we present a new logic which both simplifies and generalises the meta-logic of [12], [14]. This new development is beneficial in several ways.
i) Disentangling the logic from the protocol. The meta-logic approach inextricably intertwines the definition of the logic and the notion of protocol. The logic is thus tied to both a class of protocols and an execution model, which is detrimental to the readability and extensibility of the approach. This is visible in [14] which introduces stateful protocols along with a more flexible execution model (only a subset of actions is scheduled for execution): this forces a redefinition of the logic, potentially hiding the fact that most results and proof rules for the old logic actually carry over unchanged to the new one.
Our new logic is independent from any notion of protocol. Instead, it comes with a generic mechanism for forming mutually recursive definitions. This mechanism can be used to re-express the former macros encoding the notions of protocol and execution model. It could also be used to encode new execution models, with private channels, side channels, distance bounding, partially passive adversaries, etc.
ii) An expressive, self-contained logic. Rather than building a meta-logic, our new logic is self-contained. With this more direct presentation, it is no longer possible to justify cryptographic rules by lifting known CCSA rules. This is a liberation rather than a limitation: while the CCSA logic comes with strict overall assumptions on interpretations, we design our logic with minimal assumptions, adding constraints only when necessary. For instance, CCSA terms only model PPTMs, but we allow non-polynomial and even non-computable terms, which lets us considerably enrich the language of local formulas into a higher-order logic.
Despite this added expressivity, we show that existing proof rules can be adapted; when needed, we recover the necessary assumptions through usual logical devices. We also provide new proof rules for the generalised constructs of our new logic, e.g. our logic supports unrestricted quantification in local formulas, which is handled by usual-looking sequent calculus rules, thanks to non-trivial observations on the probabilistic semantics. As for cryptographic rules, we significantly improve over the former meta-logic by taking corruptions into account, which was beyond the reach of all previous (base or meta) CCSA rules. We argue that the soundness arguments for our new rules are no more complex than the former lifting-based arguments, and less error-prone.
iii) A more pleasant framework for proofs. The generalisation of our logic to a higher-order language, and the generic recursive definition mechanism, provide a convenient language for the user to structure proofs in an abstract and modular way.
As a second, distinct contribution, we extended SQUIRREL to make it consistent with our higher-order semantics, and to implement our new proof rules.
We use this implementation to verify that all past case studies carried in the former meta-logic can be adapted to our new system, without any significant burden on the user. We also showcase the added expressivity on new case studies. First, taking advantage of the usual benefits of a higher-order language, we show that generic cryptographic reasoning techniques can be expressed in our system, in the form of a hybrid proof argument. Second, we show that our new cryptographic rules can be used to carry out protocol analyses where agents can be dynamically corrupted by the attacker.
Given the improved clarity and generality of our theoretical framework, and the experimental proof of its effectiveness to analyse both simple and advanced protocols, we believe that our new logic constitutes appropriate foundations for the SQUIRREL prover, and will facilitate its future development.
Related Work: As related work on verification of cryptographic designs has been discussed above, we now focus on other related lines of work in the literature.
There is a large body of work on logics with measure-theoretic quantifiers ∀x.φ asserting that φ holds in a probabilistic sense, with different meanings: "φ is true for almost all x" [17]; "φ is true for most x" [18]; or more quantitative measures (e.g. counting logics [19] or uncertainty logics [20], [21]). These works tackled a large panel of problems, e.g. the Curry-Howard correspondence between a counting logic and probabilistic functional programs [22]; establishing probability bounds using some knowledge with uncertainty logic [23]; or characterising complexity classes [17].
In this work, we are interested in a different kind of statements, of the form "φ is overwhelmingly true for all (families of) random variables x", which is a qualitative property on the asymptotic behaviour of φ. Moreover, our goal is to mechanise cryptographic reasoning, which explains our focus on building an implementable and usable proof system.
Another line of work [24], [25] consists in building the semantic foundations of statistical programming languages (e.g. [26]), which are languages mixing higher-order functions, continuous probabilities (e.g. on real numbers), and soft constraints. Accounting for these features requires complex domain-theoretic constructions, and building proof systems on top of such systems seems challenging (e.g. establishing that independent assignments commute is a non-trivial contribution of [24]). Our logic avoids this complexity by considering a fixed and finite probability space, which allows us to define our semantics and design a proof system for our logic with higher-order features.
Outline: The rest of the paper is structured as follows. We present the syntax and semantics of the logic in Section II, the core proof system in Section III. Information theoretic and cryptographic rules are presented in Section IV. We discuss our case studies and implementation in Section V. In Appendices A, B, and C we provide further details and definitions on typing rules, recursive definitions, and global formulas. We discuss in Appendix D how the former meta-logic can be encoded into our higher-order logic. We show the soundness of our proof system in Appendix E. Finally, we introduce and prove sound additional information theoretic and cryptographic rules in Appendices F and G.

We define a first-order logic over higher-order terms, where terms of sort bool will serve as local formulas. In order to recover the key features of the CCSA (meta-)logic, we equip our logic with a recursive definition mechanism, a specifically crafted probabilistic semantics, and we use tags (on types) and predicates (on terms) to constrain their interpretations where necessary. We introduce our terms with recursive definitions in Section II-A, explain in Section II-B how we equip them to obtain a suitable language of local formulas, before moving on to the global logic in Section II-C.

A. Terms
The terms of our logic are simply-typed λ-terms with a specific probabilistic semantics. We equip them with a strong notion of occurrence that helps justifying recursive definitions, and will be useful for cryptographic reasoning.
We assume a set of variables X, and a set of base types B containing at least bool. Simple types, generated from base types $\tau_b \in B$ using the arrow constructor, will be denoted by the letter τ. Terms are then simply-typed λ-terms with booleans, with the following syntax, where x ∈ X: As usual, λ-terms are considered modulo alpha-renaming. We use ≡ to denote syntactic equality of terms up to α-renaming, and let fv(t) denote the free variables of t. The typing rules are as expected. They are given in Fig. 6. We omit types when they are irrelevant or can be inferred.
We define propositional connectives over terms using conditionals and boolean constants. For instance, t ∧ t' stands for (if t then t' else false). We call local formulas the terms of type bool, which can be constructed, e.g., from boolean connectives and variables of return type bool.
An environment E is a finite set of declarations of the form x : τ and definitions of the form x : τ = t. Both constructs bind x. We require that variables are bound at most once in E. We let E(x) = τ be the type of the declared or defined variable x in E.
Given some E, we define E* as the environment obtained from E by replacing each definition x : τ = t with the declaration x : τ. In other words, E* is a usual typing environment. We require that an environment E is well-formed in the sense that for each definition x : τ = t in E, we must have E* ⊢ t : τ. Note that this allows mutually recursive definitions, as illustrated next.
Example 4. $(a : \tau_1), (b :$

In the end, we will only be interested in environments whose recursive definitions are well-founded, and hence uniquely defined. However, we will use a semantic notion of well-foundedness: this requires that we first introduce tools to analyse recursive occurrences, and a semantics.

1) Generalised subterms: We now define the set $\mathrm{ST}_E(t)$ of the generalised subterms of t with respect to E. Our goal is to capture not only syntactic subterms, but also subterms that may need to be evaluated to effectively compute t. The difficulty is that the evaluation of t depends on the random tape and on the model. To cover all intermediate terms that may need to be computed (for any random tape and model), our notion captures all terms that may appear through the expansion of definitions of E. This will in general yield an infinite set of subterms. In order to determine which are relevant, we decorate each subterm t' with the surrounding conditionals φ. Finally, we must keep track of variables $\vec{\alpha}$ bound inside t that may occur in t'. Formally, $\mathrm{ST}_E(t)$ will thus be a set of triples $(\vec{\alpha}, \varphi, t')$, called occurrences, where $\vec{\alpha}$ is a sequence of typed variables, φ is a term of type bool in $E, \vec{\alpha}$, and t' is a term well-typed in $E, \vec{\alpha}$. We require that $E, \vec{\alpha}$ is an environment, i.e. variables bound in $\vec{\alpha}$ are unbound in E. For a set S of occurrences, we define: Subterms $\mathrm{ST}_E(t)$ are then defined as the smallest set satisfying the equations in Fig. 1.
This notion of generalised subterm will be useful to define well-founded recursive definitions but also, more importantly, to analyse the contents of recursive definitions when reasoning about freshness or cryptographic primitives.
2) Semantics of types: A type structure M associates to each base type $\tau_b \in B$ and each η ∈ N a non-empty interpretation domain $M_{\tau_b}(\eta)$, together with an injective mapping from this domain to bit-strings. We require that $M_{\mathrm{bool}}(\eta) = \{0, 1\}$ for all M and η. While this base type is interpreted uniformly over η, that will not always be the case: a type of cryptographic keys will crucially have to be interpreted as sets of bit-strings of length (polynomial in) η.
The semantics $[\![\tau]\!]^\eta_M$ of type τ in the type structure M at security parameter η is then given by: 3) Semantics of terms: As in the CCSA logic, we endow terms with a probabilistic semantics, where probabilistic samplings depend on the security parameter η. Unlike in the CCSA logic, however, we consider random variables that are not necessarily computable.
A term structure M w.r.t. environment E (noted M : E) extends a type structure with the following elements: ) is a finite set of bit-strings of the same length called random tapes: $T^a_{M,\eta}$ are random tapes for the adversary, while $T^h_{M,\eta}$ will be used for honest samplings; • a partial mapping $\sigma_M$ associating to each variable E ⊢ x : τ a family $(X_\eta)_{\eta \in \mathbb{N}}$ of functions $X_\eta : T_{M,\eta} \to [\![\tau]\!]^\eta_M$. We let M(x) denote $\sigma_M(x)$. Given a term structure M, $\mathrm{RV}_M(\tau)$ denotes the set of all η-indexed families of random variables, i.e. functions from $T_{M,\eta}$ to $[\![\tau]\!]^\eta_M$. We use standard probability and measure theory definitions, which we recall in Appendix E-A.
Given a term structure M : E, x and τ such that E ⊢ x : τ, and $X \in \mathrm{RV}_M(\tau)$, we let M[x ↦ X] be the structure which coincides with M, except on x, which it maps to X.
For any E ⊢ t : τ, for any M : E, and for any η ∈ N and $\rho \in T_{M,\eta}$, we define the semantics $[\![t]\!]^{\eta,\rho}_{M:E} \in [\![\tau]\!]^\eta_M$ as follows: where $1^\eta_a$ is the indexed family of functions such that: is some arbitrary value in $[\![\tau]\!]^{\eta'}_M$ for all η' ≠ η and $\rho \in T_{M,\eta'}$. We then define $[\![t]\!]_{M:E} \in \mathrm{RV}_M(\tau)$ as $(\rho \mapsto [\![t]\!]^{\eta,\rho}_{M:E})_{\eta \in \mathbb{N}}$. The reader may have noticed an artificial complexity in the semantics of abstractions: x is interpreted as an indexed family of random variables $1^\eta_a$, but since η and ρ are fixed throughout the interpretation, only $1^\eta_a(\eta)(\rho)$ matters. We chose this formulation for uniformity reasons: as we shall see in Section II-C, variables will truly be interpreted as families of random variables in the semantics of global formulas.

4) Recursive definitions:
We can now define the notion of well-founded recursive definition, and prove the existence and uniqueness of their semantics. Given a term φ of the form $\bigwedge_i t_i$ and an environment E, we define $\varphi \setminus \{x_1, \ldots, x_n\}$ as the conjunction of all the $t_i$ which do not have free variables in $\{x_1, \ldots, x_n\}$. Definition 1. We say that environment E is well-founded w.r.t. M : E when: ). We require < to be internalised as formulas, see Appendix B.
The definition above requires that recursive occurrences $(x_i\ t')$ are strictly smaller in the semantics. The notion is quite flexible thanks to its use of generalised occurrences, allowing it to take into account the conditionals that surround the recursive occurrence. For instance, assuming that the well-founded ordering is directly reflected as a function $(< : \tau_i \to \tau_i \to \mathrm{bool}) \in E_0$, we could write: Note that, while we will later use our notion of generalised subterm taking recursive definitions into account, this feature is undesirable here, hence the use of $\mathrm{ST}_{E^*, x : \tau_j}(t_j)$ with an environment without definitions.
Crucially, we constrain the free variables of t to make sure that its interpretation does not rely on that of the $x_i$ in M: this interpretation is irrelevant as we intend to replace it by its recursively defined meaning, and we need the well-foundedness conditions to keep holding as we update the model. Similarly, we must make sure that the filtering on φ is insensitive to the interpretation of the $x_i$: rather than constraining the free variables, we only consider $\varphi \setminus \{x_1, \ldots, x_n\}$ for expressivity reasons. This allows us, for instance, to write The following proposition formally justifies our notion of well-foundedness; it is proved in Appendix B. Proposition 1. Let E be an environment that is well-founded w.r.t. M : E. Let $M_0$ be the restriction of M to the declarations of E. There exists a unique term structure $M_{\mathrm{rec}} : E$ extending $M_0$ such that, for each $(x_i :$ $M_{\mathrm{rec}}:E$ for all η, ρ. Structures obtained from the previous result are called models of E. An environment can only have models if it is well-founded.

B. Builtin Types and Function Symbols
In order to see our logic as an extension of the meta-logic of [12], [14], we need to make further assumptions on the models we consider, by assuming some built-ins, and restricting the interpretations of types and declared variables.
We first assume, for each type τ, that E contains two declarations for $\forall_\tau$ and $\exists_\tau$, both with type (τ → bool) → bool. We require that any model M : E interprets them with the expected semantics, e.g. $[\![\forall_\tau]\!]^{\eta,\rho}_{M:E}(f) = 1$ when f(a) = 1 for all $a \in [\![\tau]\!]^\eta_M$. We use quantifiers with the usual notation, e.g. ∀(x : τ). t.
We also assume, for each type τ, a declaration $=_\tau : \tau \to \tau \to \mathrm{bool}$, written in infix, and require that $[\![t = t']\!]^{\eta,\rho}_{M:E} = 1$ iff $[\![t]\!]^{\eta,\rho}_{M:E} = [\![t']\!]^{\eta,\rho}_{M:E}$ in all models. Finally, we assume for convenience that there exists a base type unit whose interpretation is always a singleton, and that () : unit is declared in all environments.
1) Restricting the interpretations of types: We assume given, for each base type $\tau_b \in B$, a set of labels $\mathrm{label}(\tau_b)$ restricting $\tau_b$'s interpretation. For instance finite states that the type τ is finite; polynomial that it is of polynomial-size w.r.t. η; and fixed that $[\![\tau]\!]^\eta_M = [\![\tau]\!]^{\eta'}_M$ for any η, η' ∈ N. The semantics for all labels are given in Appendix A. Labels are lifted to types in the natural way: for example, a type τ is finite if τ is a base type and finite ∈ label(τ), or if $\tau = \tau_1 \to \tau_2$ where $\tau_1$ and $\tau_2$ are finite.
Example 5. When modelling protocols, we will often use types message, timestamp, index, which are meant to represent respectively all bit-strings, time points along the protocol execution, and indices that identify protocol sessions. We will further assume that label(index) = label(timestamp) = {finite, fixed} which is in line with the corresponding types in the former meta-logic.
2) Restricting variable declarations: We consider a subset N ⊆ X of variables which we call names. We only allow a name n ∈ N to appear in a declaration with a type of the form $\tau_0 \to \tau_1$ where $\tau_0$ is a finite type.
Models must interpret names in a precise way. Consider a model M : E and a name n ∈ N with $n : \tau_0 \to \tau_1 \in E$. We require that n is interpreted as a polynomial-time computable random sampling using random bits in $\rho_h$: there must exist a function $n_M$ such that, for every η ∈ N and random tape ρ Moreover, $n_M$ must run in polynomial time (w.r.t. $1^\eta$). We also require that the random variables be independent random samplings whenever (n, a) ≠ (n', a'): they must extract different random bits from $\rho_h$. Moreover they must extract the same number of bits and follow the same distribution when n and n' have the same output type (i.e.
Note that an environment contains a finite number of name symbols, each taking an argument in a finite type. Moreover, a name value requires at most a finite number of bits from $\rho_h$. Thus, for any type model, there always exists a term model with large enough honest tapes for names to draw their randomness, while satisfying all of the above requirements (recall that tapes are finite bit-strings).
Example 6. We replicate in our logic the meta-logic modelling of the Hash Lock protocol from Example 3, using the types of Example 5. The keyed hash function and pairing operation are modelled by declarations using a specific type for hashing keys: To model many sessions of the tag, we consider a declaration T : index → timestamp associating to each session index the time point when it is executed. The tag's key and each session's nonce will be modelled by names k : unit → key and n : index → message.
We declare init : timestamp, and let pred : timestamp → timestamp be the predecessor w.r.t. the scheduling order, and restrict our attention to models where pred induces a total order on timestamps, for which init is minimal. We assume that every time point is either init or some (T i). We finally make use of a construction match ... with to perform case distinctions in terms; this may be encoded, again, by means of appropriate declarations and model restrictions.
The messages input and output at a particular time point, and the sequence of messages previously output (the frame), are modelled as three mutually recursive function definitions, all of type (timestamp → message), where d is an arbitrary default term and att would later be constrained to represent an adversarial computation as in Example 3:
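To make the term semantics of Section II-A and the name restrictions above concrete, here is an added Python evaluator (it is not code from the paper or from SQUIRREL). It fixes one security parameter η and one tape ρ, represents terms as tuples, and interprets each name n applied to an argument a of its finite domain as a disjoint η-bit slice of the honest tape ρ_h, so that distinct (n, a) pairs are independent and the adversarial tape is never read. The class and function names (`Model`, `evaluate`, `sample_model`, `nonce_values`, `same_nonce`), the tuple encoding of terms and the sample tape are all assumptions of this example.

```python
# Added example (not the paper's or Squirrel's code): a toy evaluator for the
# term semantics of Sections II-A and II-B. Names draw their bits from disjoint
# slices of the honest tape rho_h; every identifier below is our own choice.
from dataclasses import dataclass, field

# Terms:  ('bool', b) | ('const', v) | ('var', x) | ('lam', x, body)
#         | ('app', f, arg) | ('if', c, t, e)
def var(x):
    return ('var', x)

def app(f, *args):
    """Curried application f a1 ... an."""
    t = f
    for a in args:
        t = ('app', t, a)
    return t

@dataclass
class Model:
    """A term structure M : E at a fixed security parameter eta and tape rho."""
    eta: int                     # every name value is an eta-bit string
    rho_h: bytes                 # honest random tape (finite bit-string)
    rho_a: bytes                 # adversarial tape, never read by names
    decls: dict = field(default_factory=dict)   # declared variable -> interpretation
    defs: dict = field(default_factory=dict)    # defined variable  -> defining term
    names: dict = field(default_factory=dict)   # name n -> list of its finite domain

    def _slot(self, n, a):
        """Position of (n, a) among all (name, argument) pairs in declaration
        order: distinct pairs get distinct slots, hence disjoint bits of rho_h."""
        idx = 0
        for m, dom in self.names.items():
            if m == n:
                return idx + dom.index(a)
            idx += len(dom)
        raise KeyError(n)

    def name_value(self, n, a):
        bits = ''.join(format(b, '08b') for b in self.rho_h)
        start = self._slot(n, a) * self.eta
        if start + self.eta > len(bits):
            raise ValueError('honest tape too short: enlarge rho_h')
        return bits[start:start + self.eta]

def evaluate(term, model, bound=None):
    """[[term]]^{eta,rho}_{M:E}; `bound` holds lambda-bound variables (the 1^eta_a)."""
    bound = {} if bound is None else bound
    kind = term[0]
    if kind in ('bool', 'const'):
        return term[1]
    if kind == 'var':
        x = term[1]
        if x in bound:
            return bound[x]
        if x in model.names:                  # name: sampling from rho_h only
            return lambda a, n=x: model.name_value(n, a)
        if x in model.defs:                   # defined variable: unfold x = t
            return evaluate(model.defs[x], model)
        return model.decls[x]                 # declared variable: sigma_M(x)
    if kind == 'lam':
        _, x, body = term
        return lambda a: evaluate(body, model, {**bound, x: a})
    if kind == 'app':
        return evaluate(term[1], model, bound)(evaluate(term[2], model, bound))
    if kind == 'if':
        branch = term[2] if evaluate(term[1], model, bound) else term[3]
        return evaluate(branch, model, bound)
    raise ValueError(f'unknown term constructor {kind}')

def sample_model(rho_h, eta=8):
    """Model for the Example 5/6 names k : unit -> key and n : index -> message,
    with index = {0, 1, 2}; rho_h is a tape constructed by the caller."""
    m = Model(eta=eta, rho_h=rho_h, rho_a=b'')
    m.names['k'] = [()]
    m.names['n'] = [0, 1, 2]
    m.decls['='] = lambda a: lambda b: a == b          # builtin equality of II-B
    # a recursive-style definition: same_nonce i j = (n i = n j)
    m.defs['same_nonce'] = ('lam', 'i', ('lam', 'j',
        app(var('='), app(var('n'), var('i')), app(var('n'), var('j')))))
    return m

def nonce_values(rho_h):
    m = sample_model(rho_h)
    return [evaluate(app(var('n'), ('const', i)), m) for i in (0, 1, 2)]

def same_nonce(rho_h, i, j):
    m = sample_model(rho_h)
    return evaluate(app(var('same_nonce'), ('const', i), ('const', j)), m)
```

With the constructed tape `b'\x01\x02\x03\x04'` and η = 8, slot 0 of ρ_h is consumed by k and slots 1-3 by n(0), n(1), n(2); the evaluator is deterministic once η and ρ are fixed, which is exactly the sense in which ⟦t⟧ becomes a random variable only when ρ ranges over the tape space.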
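As an added illustration of these three mutually recursive definitions (this is not the paper's or SQUIRREL's code), the following Python class implements input, output and frame on timestamps `'init'` and `('T', i)` for a fixed scheduling order. The assumptions are ours: HMAC-SHA256 plays the keyed hash h, pairs are length-prefixed byte strings, `pred` is read off an explicit schedule list, `att` is any Python function of the frame, and the names k and n are sampled once per argument. Because each macro at τ only recurses through pred(τ), and init is minimal, the recursion is well-founded in the sense of Definition 1.

```python
# Added example, not the paper's or Squirrel's code: the Hash Lock modelling of
# Example 6 as three mutually recursive functions (input, output, frame).
import hashlib
import hmac
import secrets

INIT = 'init'

def T(i):
    return ('T', i)

def pair(a, b):
    """Unambiguous encoding of <a, b> as bytes (length-prefixed first component)."""
    return len(a).to_bytes(4, 'big') + a + b

class HashLockTrace:
    def __init__(self, schedule, att, key=None, eta=16):
        self.schedule = list(schedule)   # session indices in execution order
        self.att = att                   # adversarial computation on the frame
        self.eta = eta
        self.k = key if key is not None else secrets.token_bytes(eta)  # k : unit -> key
        self._n = {}                     # n : index -> message, sampled once per index
        self._memo = {}                  # frame@tau computed once (recursion is on pred)

    def n(self, i):
        if i not in self._n:
            self._n[i] = secrets.token_bytes(self.eta)
        return self._n[i]

    def h(self, m, k):
        return hmac.new(k, m, hashlib.sha256).digest()

    def pred(self, tau):
        """Predecessor in the scheduling order; init is minimal and has none."""
        if tau == INIT:
            raise ValueError('init has no predecessor')
        pos = self.schedule.index(tau[1])
        return INIT if pos == 0 else T(self.schedule[pos - 1])

    # The three mutually recursive macros, all of type timestamp -> message.
    def output(self, tau):
        if tau == INIT:
            return b''                                   # default term d
        i = tau[1]
        return (self.n(i), self.h(pair(self.input(tau), self.n(i)), self.k))

    def input(self, tau):
        if tau == INIT:
            return b''
        return self.att(self.frame(self.pred(tau)))      # att applied to past outputs

    def frame(self, tau):
        if tau == INIT:
            return []
        if tau not in self._memo:
            self._memo[tau] = self.frame(self.pred(tau)) + [self.output(tau)]
        return self._memo[tau]

def replay_attacker(frame):
    """A constructed adversary: feeds the previous session's hash back as input."""
    return frame[-1][1] if frame else b'start'

def distinct_tags(trace):
    """The property of Example 3: second components of distinct sessions differ."""
    tags = [trace.output(T(i))[1] for i in trace.schedule]
    return len(set(tags)) == len(tags)
```

Running `HashLockTrace([2, 0, 1], replay_attacker)` schedules T(2) before T(0) before T(1); `distinct_tags` then checks the meta-logic formula of Example 3 on that single trace, which is what one trace model of the former meta-logic corresponds to.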

C. Global Formulas
Global formulas are first-order formulas2 , interpreted in firstorder structures of domain RV M (τ ) for each τ .The syntax is standard, except for decorations that distinguish global connectives from local ones, using some predicate variables p ∈ P: We interpret these formulas in structures that extend a term model M : E by providing, for each predicate symbol p taking arguments of types The semantics of formulas is then derived in a standard way.For instance, ∀(x : τ ).
We write M : E |= F whenever F M:E = 1, which we shorten as M |= F when E is clear from context.We say that a formula In practice, we work with specific predicate symbols, with a fixed semantics.We shall consider the following atoms and intuitive semantics: an overwhelming truth atom [φ], where φ is a local formula, which states that φ holds overwhelmingly; an equivalence atom t 1 ∼ t 2 , where t 1 and t 1 are samelength vectors of local terms, which states that the distributions induced by t 1 and t 2 are indistinguishable by any PPTM adversary; an atom const(t) which states that t is a constant value; an atom adv(t) expressing the fact that t can be computed by a PPTM using only the adversarial part of the random tape.Figure 6 includes typing rules for global atoms and formulas.Note that this list of predicates is not exhaustive: our logic and proof rules do accommodate extra predicate symbols.
The formal semantics of these specific predicates is given in Fig. 2. We illustrate it on simple predicates, before explaining the semantics of equivalence atoms.
Example 7. Given the fixed interpretation of the quantifier constant $\forall_\tau$, the atom $\mathrm{adv}(\forall_\tau)$ is valid whenever τ is polynomial, and $\mathrm{const}(\forall_\tau)$ is valid whenever τ is fixed.
In order to understand the semantics of the indistinguishability predicate, we first need to: i) define the class of PPTM adversaries against equivalence atoms $\vec t_1 \sim \vec t_2$; ii) briefly describe our execution model, in particular how higher-order terms are handled.
1) Adversaries: Let $\vec t_1 \sim \vec t_2$ be a well-typed equivalence in E, where $\vec t_1, \vec t_2$ are two vectors of terms of length L. A machine A ∈ PPTMs against the game $\vec t_1 \sim \vec t_2$ is a Turing machine such that: i) A has L input tapes, and a special randomness input tape for the random bits $\rho_a$; ii) A has a special query tape used to perform queries to functions for which it has a handle, where each query is composed of a function handle and the query arguments, adequately encoded as bit-strings; iii) A's randomness only comes from $\rho_a$, i.e. once the random tape $\rho_a$ is fixed, A is a deterministic machine; and iv) A has a fixed but arbitrary number of working tapes, and runs in polynomial time w.r.t. the length of its inputs, ignoring the length of the random tapes.
2) Execution model: We now sketch our execution model by describing how the adversary is given access to higher-order terms (i.e. terms of types $\tau_1 \to \tau_2$).
In an equivalence between sequences of terms t 1 ∼ t 2 with some higher-order terms, we allow the adversary to make queries to these terms using its query tape.Roughly, all functions available to the adversary have an associated short bitstring handle (an identifier).Then, the execution environment maintains a map from handles to functions, which it lets the adversary query on arbitrary inputs.
If f is a function whose return type is itself a function (i.e. f is of type $\tau_1 \to (\tau_2 \to \tau_3)$), then whenever A calls f, through its handle $h_f$, on some input a, the execution environment computes the function g = f(a) of type $\tau_2 \to \tau_3$, binds g to the shortest fresh handle $h_g$ available, and returns $h_g$ to A.
Let $s_1$ and $s_2$ be the i-th terms of, respectively, $\vec t_1$ and $\vec t_2$, and τ their (common) type. Then, when A is run against $\vec t_j$ (j ∈ {1, 2}), given the security parameter η and the random tape $\rho \in \mathcal T_{\mathcal M,\eta}$, A receives on input tape i a bit-string which depends on τ:
• if τ is a base type $\tau_b$, the bit-string encoding of $\llbracket s_j \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E}$ (recall that base types come with an encoding);
• if τ is a function type, a fresh handle h, and the execution environment binds h to $\llbracket s_j \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E}$.
Note that handles are similar to oracles: the associated functions may be uncomputable. This is in contrast with closures, which the machine may compute and return to encode functions that it can compute (see Appendix G-A for details).
3) Semantics: The advantage $\mathrm{Adv}^{\eta}_{\mathcal M:\mathcal E}(\mathcal A : \vec t_1 \sim \vec t_2)$ of A is the absolute difference between the probabilities, over $\rho \in \mathcal T_{\mathcal M,\eta}$, that A outputs 1 when run as above against $\vec t_1$ and against $\vec t_2$, where $\rho_a$ is the adversarial part of the pair of random tapes ρ; the atom $\vec t_1 \sim \vec t_2$ holds in M : E when this advantage is negligible in η for every A ∈ PPTMs. Here, the set of all tapes $\mathcal T_{\mathcal M,\eta}$ is equipped with the discrete σ-algebra (i.e. all subsets are measurable) and the uniform probability measure (recall that $\mathcal T_{\mathcal M,\eta}$ is always finite).
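The handle mechanism of the execution model above, as an added illustration (this is not code from the paper or from SQUIRREL): a toy execution environment binds function-typed components of the challenge vector to short integer handles, serves queries from the adversary's query tape, and re-binds function-valued results to fresh handles, so a curried term of type key → (message → message) is driven by two queries. The two oracles keyed_mac and unkeyed_hash are constructed stand-ins for the higher-order terms the two sides of an equivalence might contain, and base-type values are assumed to be bytes.

```python
"""Added illustration (not code from the paper or SQUIRREL): a toy execution
environment in which a PPTM adversary reaches higher-order terms only through
short handles.  Assumed simplifications: base-type values are Python bytes,
handles are small integers, and keyed_mac / unkeyed_hash are constructed
stand-ins for two terms of type key -> (message -> message)."""
import hashlib
import hmac
from typing import Any, Callable, Dict, List, Tuple


class ExecutionEnvironment:
    """Keeps the handle -> function map; the adversary never sees a function object."""

    def __init__(self) -> None:
        self._functions: Dict[int, Callable[[Any], Any]] = {}

    def _bind(self, f: Callable[[Any], Any]) -> int:
        h = 0
        while h in self._functions:  # shortest fresh handle still available
            h += 1
        self._functions[h] = f
        return h

    def expose(self, value: Any) -> Any:
        """Encode one component for an input tape: base values pass through,
        function-typed values are replaced by a handle."""
        return self._bind(value) if callable(value) else value

    def expose_vector(self, terms: List[Any]) -> List[Any]:
        return [self.expose(s) for s in terms]

    def query(self, handle: int, arg: Any) -> Any:
        """Serve one (handle, argument) query from the query tape.  A function-valued
        result (curried term) is bound to a fresh handle instead of being returned."""
        if handle not in self._functions:
            raise KeyError(f"no function bound to handle {handle}")
        return self.expose(self._functions[handle](arg))

    def bound_handles(self) -> List[int]:
        return sorted(self._functions)


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def keyed_mac(key: bytes) -> Callable[[bytes], bytes]:
    """Curried term of type key -> (message -> message)."""
    return lambda msg: mac(key, msg)


def unkeyed_hash(key: bytes) -> Callable[[bytes], bytes]:
    """Same type, different function: ignores its key (constructed stand-in)."""
    return lambda msg: hashlib.sha256(msg).digest()


def adversary(env: ExecutionEnvironment, tapes: List[Any], rho_a: bytes) -> int:
    """Deterministic once rho_a is fixed: key and message are read off rho_a.
    Drives the curried oracle with two queries and outputs 1 iff the result
    equals an HMAC under the chosen key."""
    key, msg = rho_a[:16], rho_a[16:32]
    _plain, h_oracle = tapes               # tape 0: bytes, tape 1: a handle
    h_keyed = env.query(h_oracle, key)     # a *new* handle, never a closure
    assert isinstance(h_keyed, int)
    tag = env.query(h_keyed, msg)          # base-type result
    return int(tag == mac(key, msg))


def run_game(oracle_term: Callable[[bytes], Callable[[bytes], bytes]],
             rho_a: bytes = bytes(range(32))) -> Tuple[int, ExecutionEnvironment]:
    """One run of the adversary against the vector (constant message, oracle_term)."""
    env = ExecutionEnvironment()
    tapes = env.expose_vector([b"hello", oracle_term])
    return adversary(env, tapes, rho_a), env
```

The adversary distinguishes the two oracle terms with advantage 1 while holding nothing but two integers and a byte string, which is the point of the handle table: the environment, not the machine, owns the functions, so they may just as well be uncomputable.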
Since $\mathcal T_{\mathcal M,\eta}$ is equipped with the discrete probability measure, any function from $\mathcal T_{\mathcal M,\eta}$ to a measurable space is measurable. In particular, $(\rho \in \mathcal T_{\mathcal M,\eta} \mapsto \llbracket \varphi \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E})_{\eta \in \mathbb N}$ is a (family of) random variables. This is essential in order to define the semantics of overwhelming truth atoms (but also of equivalence atoms). Without this, it may not be possible to interpret [∀x.φ], which corresponds to a potentially uncountable intersection. The simplicity of this probabilistic setting is not a limitation for our cryptographic application: indeed, we ultimately only consider PTIME computations that draw a bounded amount of randomness from random tapes. The interested reader will find more details in Appendix C.
Example 8. Assume E declares two names n : unit → τ and n' : unit → τ. Given our constraints on the interpretation of names, the formula (n () ∼ n' ()) is valid. Moreover, if we assume that τ is large, i.e. that the probability that name samplings in τ draw any given particular value is negligible, then [n () ≠ n' ()] is valid by independence of the two name samplings (see Appendix A for details).
In addition, we have n' () ∼ n (), as computational indistinguishability is an equivalence relation. Note however that while ∼ is an equivalence relation, it is not a congruence: it is not stable by context application. Indeed, although n () ∼ n () and n () ∼ n' () are valid, n (), n () ∼ n (), n' () is in general not. It is usually possible to distinguish the left from the right: on the left the adversary is always provided with two identical bit-strings, while on the right, n () and n' () differ with non-negligible probability (except in degenerate cases, where the names n and n' put all their weight on a single value of τ).

III. PROOF SYSTEM
We have a two-level logic, with an outer global logic and an inner local logic. This structure is reflected in our proof systems, which feature two kinds of judgements, global and local.
Standard rules: Global judgements are essentially standard first-order classical sequents, for which we consider only a restricted class of interpretation domains. We can thus equip them with the usual rules of classical sequent calculus.
More interestingly, local judgements can also be equipped with standard reasoning rules. Here, it must be noted that since local judgements have a global and a local set of hypotheses, all standard left rules have a global and a local variant, e.g. we have two left "and" rules, one for the global ∧ and one for the local ∧. Our logic also features rules allowing to go back and forth between the two kinds of sequents. Our standard rules are described in Fig. 7.
Local vs global quantification: The reader may have noticed that while our logic features two kinds of universal quantifiers (local and global), our judgements do not make any distinctions between locally and globally universally quantified variables: both kinds are recorded in the same way in the environment E.
This surprising feature is explained by the observation that quantifications "commute" with [•]: we show next that [∀(x : τ).φ] and ∀(x : τ).[φ] are logically equivalent; the same holds for existential quantifiers, with the same proof.
Proposition 2. Let E be a well-formed environment and φ a local formula such that E ⊢ ∀(x : τ).φ : bool. For every model M of E, we have: M ⊨ [∀(x : τ).φ] if and only if M ⊨ ∀(x : τ).[φ].
Proof (sketch, see details in Appendix E-C). The ⇒ direction is clear. For ⇐, we build a (sequence of) random variable(s) A such that φ{x ↦ A} evaluates to 1 on a tape ρ exactly when φ{x ↦ a} evaluates to 1 on ρ for every a (Eq. (1)). We do this by having A(η)(ρ) choose, if it exists, an arbitrary element $a \in \llbracket \tau \rrbracket^{\eta}_{\mathcal M}$ violating φ, i.e. such that $\llbracket \varphi \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E, x \mapsto a} = 0$. If no such element exists, A(η)(ρ) takes an arbitrary value in $\llbracket \tau \rrbracket^{\eta}_{\mathcal M}$. We can check that A indeed verifies Eq. (1). We conclude using the fact that ∀(x : τ).[φ] implies [φ{x ↦ A}]. A key point of the ⇐ direction is that A is a sequence of random variables. This is made obvious by our semantics, since all functions from $\mathcal T_{\mathcal M,\eta}$ to {0, 1} are random variables w.r.t. the discrete σ-algebra on $\mathcal T_{\mathcal M,\eta}$ (thanks to its finiteness). This is why the finiteness assumption is a crucial ingredient of our framework.
We can now give our right quantifier rules, which treat local and global variables identically.
This does not mean that global and local quantification are identical, only that they coincide in front of an atom [φ]. We show in Appendix E-C the following.
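The argument sketched for Proposition 2, written out as an added derivation in the paper's notation (this is not the Appendix E-C proof itself). It assumes the reading of the atoms given in Section II-C: $[\psi]$ holds in $\mathcal M:\mathcal E$ when $\Pr_{\rho \in \mathcal T_{\mathcal M,\eta}}[\llbracket \psi \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E} = 1] \ge 1 - \mathrm{negl}(\eta)$, and a globally quantified variable of type $\tau$ ranges over $\mathrm{RV}_{\mathcal M}(\tau)$, i.e. over $\eta$-indexed families $A(\eta) : \mathcal T_{\mathcal M,\eta} \to \llbracket \tau \rrbracket^{\eta}_{\mathcal M}$. Abbreviate $\varphi(a)^{\eta,\rho} := \llbracket \varphi \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E,\, x \mapsto a}$; substituting a random variable $A$ for $x$ evaluates it on the same tape, so $\llbracket \varphi\{x \mapsto A\} \rrbracket^{\eta,\rho} = \varphi(A(\eta)(\rho))^{\eta,\rho}$. The two sides of the proposition unfold to

$$[\forall (x:\tau).\varphi] \text{ holds} \iff \Pr_\rho\big[\forall a \in \llbracket\tau\rrbracket^\eta_{\mathcal M}.\ \varphi(a)^{\eta,\rho} = 1\big] \ge 1-\mathrm{negl}(\eta),$$

$$\forall (x:\tau).[\varphi] \text{ holds} \iff \text{for every } A \in \mathrm{RV}_{\mathcal M}(\tau):\ \Pr_\rho\big[\varphi(A(\eta)(\rho))^{\eta,\rho} = 1\big] \ge 1-\mathrm{negl}(\eta).$$

($\Rightarrow$) For any $A$, $\{\rho \mid \forall a.\ \varphi(a)^{\eta,\rho}=1\} \subseteq \{\rho \mid \varphi(A(\eta)(\rho))^{\eta,\rho}=1\}$, so the second probability is at least the first.

($\Leftarrow$) Let $A(\eta)(\rho)$ be some $a$ with $\varphi(a)^{\eta,\rho}=0$ if one exists, and an arbitrary $a_0 \in \llbracket\tau\rrbracket^\eta_{\mathcal M}$ otherwise. By construction, for every $\rho$,

$$\varphi(A(\eta)(\rho))^{\eta,\rho} = 1 \iff \forall a \in \llbracket\tau\rrbracket^\eta_{\mathcal M}.\ \varphi(a)^{\eta,\rho} = 1 ,$$

which is the property Eq. (1) asks of $A$. Because $\mathcal T_{\mathcal M,\eta}$ is finite with the discrete $\sigma$-algebra, each $A(\eta)$ is a random variable, so $A \in \mathrm{RV}_{\mathcal M}(\tau)$ and the hypothesis applies to it: $\Pr_\rho[\varphi(A(\eta)(\rho))^{\eta,\rho}=1] \ge 1 - \mathrm{negl}(\eta)$. The two events coincide, hence $\Pr_\rho[\forall a.\ \varphi(a)^{\eta,\rho}=1] \ge 1-\mathrm{negl}(\eta)$.

Nothing requires $A$ to be computable; the global quantifier ranges over all random variables, not over adversarially computable ones, and that is exactly what lets the $\Leftarrow$ direction go through.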
The issue about global and local quantification does not arise in earlier works on the meta-logic.Indeed, in [14], local quantification only applies to two specific types (timepoints and index parameters).Terms of these types are only built with a restricted syntax, and have a particular ad-hoc semantics forcing their constancy.We lift these restrictions, which limited the logic's expressiveness and modelling power.
Local vs global connectives: Our proof system has rules exploiting the links between the two logics.For example, [φ∧ψ] implies [φ] ∧ [ψ]: indeed, if the conjunction of φ and ψ is overwhelmingly true, then φ must be overwhelmingly true, and ψ must be overwhelmingly true.
Other such links hold only when some of the terms involved are constant. To guarantee this, [14] introduced the ad-hoc notion of pure timestamp formula, a side-condition exploiting syntactic restrictions to ensure that terms of some specific types are always constant. We replace the pure trace formula side-condition of [14], which no longer makes sense since we removed all ad-hoc syntactic restrictions, with a proof obligation. Constancy is established through the global logic predicate const(•), which can itself be derived using general proof rules.
Fig. 3 presents a selected set of left and right rules relating local and global connectives. These rules are proved sound in Appendix E-E.

A. Constant Terms and Restricting Types
We designed a simple set of rules to establish that a term represents a constant computation (Fig. 4). The first two are rather simple: G.CONST:APP states that t t' is constant whenever t and t' are constant; and G.CONST:QUANT that a (local) binder Q(x : τ).t over a fixed type τ is constant if its body t is, whenever the bound variable x is constant.
The rule L.R-∀-CONST is more interesting. It is a stronger version of the right ∀ rule L.R-∀, which allows, when extending E with a new bound variable (x : τ), to add the global hypothesis const(x) at the same time. This rule applies only with the proviso that τ is finite and fixed, i.e. its interpretation $\llbracket \tau \rrbracket^{\eta}_{\mathcal M}$ is a finite set independent of η. This allows us to prove a stronger property than Proposition 2: for fixed finite types, local quantification is equivalent to global quantification over constant values.
Proposition 4. Let E be a well-formed environment and φ a local formula such that E ⊢ ∀(x : τ).φ : bool and {fixed, finite} ⊆ label(τ). For every model M : E: M ⊨ [∀(x : τ).φ] if and only if M ⊨ ∀(x : τ). const(x) ⇒ [φ].
Proof (sketch, details in Appendix E-C). Thanks to Proposition 2, we only have to prove that ∀(x : τ).[φ] and ∀(x : τ). const(x) ⇒ [φ] are equivalent. The ⇒ direction is obvious. For the ⇐ direction, we use the fact that the conjunction $(\bigwedge_{1 \le j \le N} X^j_\eta)_{\eta \in \mathbb N}$ of a collection of N (finite, independent of η) η-indexed families of boolean random variables $(X^1_\eta)_{\eta \in \mathbb N}, \ldots, (X^N_\eta)_{\eta \in \mathbb N}$ is overwhelmingly true whenever each family $(X^j_\eta)_{\eta \in \mathbb N}$ is overwhelmingly true.
The proof is given in Appendix E-F. These rules have been designed with pragmatic considerations in mind. Our goal is to be able to prove the constancy proof obligations coming from our rules, not to build a logic fully capturing constant computations. We therefore did not investigate this aspect of the logic further: e.g. questions of completeness are out of the scope of this work. Instead, we justify the usefulness of our rules through practice, by showing that they are sufficient for all existing and new case studies conducted in SQUIRREL.
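The union-bound step of the Proposition 4 sketch, carried out as an added derivation (not the paper's Appendix E-C text), under the same reading of $[\cdot]$ as above: $[\psi]$ means $\Pr_\rho[\llbracket\psi\rrbracket^{\eta,\rho} = 1] \ge 1 - \mathrm{negl}(\eta)$. For $N$ families $X^1_\eta, \ldots, X^N_\eta$ of boolean random variables that are each overwhelmingly true,

$$\Pr_\rho\Big[\bigwedge_{j=1}^N X^j_\eta(\rho) = 1\Big] \;=\; 1 - \Pr_\rho\Big[\bigvee_{j=1}^N X^j_\eta(\rho) = 0\Big] \;\ge\; 1 - \sum_{j=1}^N \Pr_\rho\big[X^j_\eta(\rho)=0\big] \;\ge\; 1 - N\cdot\mathrm{negl}(\eta),$$

and $N \cdot \mathrm{negl}(\eta)$ is negligible because $N$ does not depend on $\eta$. Applied with $N = |\llbracket\tau\rrbracket_{\mathcal M}|$ (finite and fixed) and $X^a_\eta(\rho) := \llbracket\varphi\rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E,\,x \mapsto a}$ for each constant $a \in \llbracket\tau\rrbracket_{\mathcal M}$: the hypothesis $\forall(x:\tau).\,\mathrm{const}(x) \Rightarrow [\varphi]$ yields $[\varphi\{x\mapsto a\}]$ for every $a$, the bound yields $[\bigwedge_a \varphi\{x \mapsto a\}]$, which is $[\forall(x:\tau).\varphi]$ since the conjunction ranges over the whole domain, and Proposition 2 turns the latter into $\forall(x:\tau).[\varphi]$.

The proviso is not cosmetic: if $|\llbracket\tau\rrbracket^\eta_{\mathcal M}|$ were allowed to grow with $\eta$ (a polynomial type, say), $N \cdot \mathrm{negl}(\eta)$ need not be negligible, and for an exponential-size type $2^\eta$ values each failing with probability $2^{-\eta}$ give a constant failure bound.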

B. Indistinguishability Rules
We present a selected set of rules of our logic related to the indistinguishability predicate ∼ in Fig. 5. The soundness of these rules must be established through cryptographic reductions [27]. Roughly, given a PPTM adversary A against the conclusion of the rule, we must build a PPTM B against the premise such that A's advantage is upper-bounded by B's advantage. Then, since all efficient adversaries against the premise have a negligible advantage, it follows that all efficient adversaries against the conclusion have a negligible advantage. Usually, the adversary B performs some computations and then calls A as a black box. Note that if the conclusion contains higher-order terms (e.g. λ(x : τ).t), then the adversary B must answer A's queries to the corresponding oracle (e.g. t{x ↦ a} for some input a ∈ τ chosen by A). Of course, B can use its own oracles to do so.
Rule G.EQUIV:FA-ADV in Fig. 5 states that a term t that can be computed by the adversary can be safely removed from an indistinguishability. G.EQUIV:FA-APP allows to decompose a function application, by letting the adversary compute it. G.EQUIV:FA$^\lambda$-APP generalises the previous rule by applying it under an abstraction: indeed, B only has to call A, answering A's calls to its oracle using the two oracles available to B.
These rules are all adaptations or extensions of existing rules from [8], [12], [14] to our higher-order logic.In particular, previous work did not allow higher-order terms, and consequently did not have to deal with oracle simulations.A more detailed set of rules, including some usual [8] structural rules, can be found in Fig. 8.We also present additional rules dedicated to oracles in Appendix E-G.

IV. ADVANCED RULES
We now present the more advanced rules of our logic, which rely on information-theoretic arguments or capture cryptographic hardness assumptions.

A. Freshness in Equivalences
In this section, we present a rule exploiting the freshness of a name in an equivalence formula. Roughly, our rule states that $\vec u, n\,t \sim \vec u, n_{\mathit{fresh}}\,()$ where $n_{\mathit{fresh}}$ is a fresh name. This rule is not unconditionally true: e.g. as seen in Example 8, n (), n () ∼ n (), n' () is not valid. To be valid, we add a premise requiring that index t of name n is never read in $\vec u$, under which condition $\vec u$ and n t are independent.
Before formalising the independence condition, we present a result on $\mathrm{ST}_{\mathcal E}(\cdot)$ stating that the semantics of a term t w.r.t. some model M : E and two different random tapes $\rho_1$ and $\rho_2$ is identical, as long as the interpretations by M of the declared variables of E coincide on $\rho_1$ and $\rho_2$.
Proposition 6. Let t be a term that is well-typed in E and in eta-long form. Let M be a model of E, η ∈ ℕ and $\rho_1, \rho_2 \in \mathcal T_{\mathcal M,\eta}$. We have $\llbracket t \rrbracket^{\eta,\rho_1}_{\mathcal M:\mathcal E} = \llbracket t \rrbracket^{\eta,\rho_2}_{\mathcal M:\mathcal E}$ as soon as $\llbracket x\,u \rrbracket^{\eta,\rho_1}_{\mathcal M':\mathcal E,\vec\alpha} = \llbracket x\,u \rrbracket^{\eta,\rho_2}_{\mathcal M':\mathcal E,\vec\alpha}$ for all $(\vec\alpha, \varphi, (x\,u)) \in \mathrm{ST}_{\mathcal E}(t)$ and all M' such that: x is a variable declaration bound in E (not in $\vec\alpha$); M' extends M into a model of (E, $\vec\alpha$); and $\llbracket \varphi \rrbracket^{\eta,\rho_1}_{\mathcal M':\mathcal E,\vec\alpha} = 1$.
Example 9. Assume a type int modelling integers, a constant 0 : int and a predecessor function pred : int → int, restricted to have the expected interpretations, and let n : int → message be a name. Consider the recursive function ℓ computing the list of the first i values of n:
ℓ = λ(i : int). if i = 0 then empty else ⟨n i, ℓ (pred i)⟩
Let i : int be a variable declaration. The only names appearing in occurrences in the (infinite) set of generalised subterms $\mathrm{ST}_{\mathcal E}(\ell\ i)$ are of the form (n (pred$^j$ i)) for j ∈ ℕ (pred$^j$ denotes j applications of pred). Proposition 6 states that, as expected, the interpretation of (ℓ i) only depends on the sections of the random tapes containing these names. In particular, it does not depend on the sections of the tape containing any (n j) for j > i.
1) The rule: Let $n : \tau_0 \to \tau$ and $n_{\mathit{fresh}} : \mathrm{unit} \to \tau$ be names. We assume that $n_{\mathit{fresh}}$ does not appear in E, $\vec u$ and t (i.e. it is a fresh symbol), except in its declaration. Let Θ be a set of global hypotheses. We ask that all declared variables x of E occur only in eta-long form, and are either names or only depend on the adversarial tape (i.e. adv(x) ∈ Θ).
The following rule states that giving the value of a name symbol n at an index t which has not been involved in the computation of $\vec u$ is equivalent to sampling a value from the fresh name symbol $n_{\mathit{fresh}}$: where $\varphi^{n,t}_{\mathit{fresh}}(\vec u, t)$ is any well-typed formula in E implying the freshness of n t. Formally, we require that for every model M : E of Θ, for every η ∈ ℕ and $\rho \in \mathcal T_{\mathcal M,\eta}$: where, for any (possibly infinite) set of occurrences S, $\mathcal S^{n,t}_{\mathit{fresh}}(S)$ is a (possibly infinite) set of formulas expressing the fact that n is not sampled at index t in the set S: A detailed proof is given in Appendix F-A.
2) Choosing $\varphi^{n,t}_{\mathit{fresh}}(\vec u, t)$: We left the choice of the formula $\varphi^{n,t}_{\mathit{fresh}}(\vec u, t)$ open in our rule. Formally, we do not have a single rule, but a rule schema containing one rule for every formula $\varphi^{n,t}_{\mathit{fresh}}(\vec u, t)$ satisfying the condition in Eq. (2). As it is, our rule schema is not effective. In Appendix F-B, we present an effective method to build a suitable formula $\varphi^{n,t}_{\mathit{fresh}}(\vec u, t)$, making the rule implementable. To do this, we describe a technique to over-approximate the (possibly infinite) set of occurrences $\mathrm{ST}_{\mathcal E}(\vec u, t)$ by a finite set of occurrences $S_{\mathit{approx}}$, and we show that it is sound to take for $\varphi^{n,t}_{\mathit{fresh}}(\vec u, t)$ the conjunction of all formulas in $\mathcal S^{n,t}_{\mathit{fresh}}(S_{\mathit{approx}})$.
Example 10. Continuing Example 9, consider $\mathrm{ST}_{\mathcal E}(\ell\ i)$, where ℓ i is the list of the first i instances of name n. All name occurrences in $\mathrm{ST}_{\mathcal E}(\ell\ i)$ read n at an index of the form pred$^j$ i for j ∈ ℕ. All of these are subsumed by the occurrence (j : int, i > j, n j). Hence taking $S_{\mathit{approx}}$ to be this single occurrence soundly and finitely over-approximates $\mathrm{ST}_{\mathcal E}(\ell\ i)$.
Since this approximation must be finite, it cannot be perfect. The difficulty lies in building a formula precise enough to be useful (e.g. taking $\varphi^{n,t}_{\mathit{fresh}}(\vec u, t) = \mathrm{false}$ is sound, but useless), while keeping a high degree of automation (the approach we settled upon allows the computation of that formula to be fully automated). We justify the precision of the formulas generated by our approach through our concrete case studies (see Section V).
This two-step approach is modular: we prove the soundness of the rule once and for all, but allow for future improvements in our implementation.

B. Cryptographic Rules
Our proof system features several cryptographic rules capturing standard security assumptions.We describe below the rule for unforgeable signatures.Other rules are described in Appendix G.
Assume E contains the symbols pk, sign and verify for, respectively, the public key associated to a private key, the signature of a message with a private key, and the verification that a signature matches a message and a public key:
pk : key → pubkey
sign : message → key → signature
verify : signature → message → pubkey → bool
The expected behaviour of these functions on correct signatures is described by the following axiom: The Existential Unforgeability under Chosen Message Attacks (EUF-CMA) assumption [28] is a standard cryptographic hypothesis stating that an adversary cannot construct valid signatures without knowing the secret signing key. More precisely, for a randomly sampled key k, an adversary with access to (pk k) and a signing oracle sign(•, k) cannot produce a signature s and a message m such that (verify s m (pk k)) holds, without having called the oracle on m. The assumption is captured by the following rule: actually corresponds to a PPTM machine when evaluating s, m and t (see Appendix G-A). $\varphi^k_{\mathit{key}}(s, m, t)$ and $\varphi^k_{\mathit{sign}}(s, m, t)$ are, similarly to how we proceeded for the freshness rule, any formulas well-typed in E that imply, respectively:
• the correct use of (k t): the attacker only has access to the public key and the signing oracle, i.e. (k t) can only appear in pk (k t) or sign _ (k t);
• that m is not given to the signing oracle, i.e. sign m (k t) is never computed.
Essentially, to show some φ when a signature is known to verify, we may assume that either the key was badly used or the message was submitted to the oracle. The rule finally requires that t is constant (actually, we only need t to be deterministic).
In order to specify $\varphi^k_{\mathit{key}}(s, m, t)$ and $\varphi^k_{\mathit{sign}}(s, m, t)$ formally, we adapt the notion of generalised subterm. For a term u, $\mathrm{ST}_{\mathcal E}(u)$ is, essentially, the set of all subterms an adversary needs to compute to obtain u. We need here a similar set $\mathrm{ST}^{\mathit{euf}}_{\mathcal E,k,t}(u)$ that is, however, aware of the fact that the public key and the signing oracle are provided to the adversary. That is, any subterm of the form k u' used either under pk or as a signing key only needs to be computed by the adversary when u' ≠ t: indeed, when u' = t it is provided by the oracle, and can thus safely be ignored. Formally, we define $\mathrm{ST}^{\mathit{euf}}_{\mathcal E,k,t}(u)$ recursively just like $\mathrm{ST}_{\mathcal E}(u)$ (Fig. 1), with two exceptions when u is a function application: We can now formally express the conditions on $\varphi^k_{\mathit{key}}(s, m, t)$ and $\varphi^k_{\mathit{sign}}(s, m, t)$. For every model M : E of Θ, every η ∈ ℕ and $\rho \in \mathcal T_{\mathcal M,\eta}$, we require that: for every $(\vec\alpha, \psi, \mathrm{sign}\ m_0\ (k\ t_0)) \in \mathrm{ST}^{\mathit{euf}}_{\mathcal E,k,t}(s, m, t)$.
Proposition 8. The rule L.EUF is sound.
Proof (sketch, see Appendix G-B for details). Fix a model M : E satisfying the premises. We construct a Turing machine M that computes $\llbracket s \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E}$ and $\llbracket m \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E}$, which is doable in PTIME by assumption. More specifically, our machine uses the oracles to compute the interpretations of subterms pk (k t') and (sign m' (k t')) when t' = t. If k has to be evaluated on $\llbracket t \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E}$ outside of these oracle calls, the machine fails. Such failures cannot happen when $\llbracket \varphi^k_{\mathit{key}}(s, m, t) \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E} = 1$. If, moreover, $\llbracket \varphi^k_{\mathit{sign}}(s, m, t) \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E} = 1$, our adversary wins the EUF-CMA game, which can only happen with negligible probability. We conclude that M ⊨ [verify s m (pk (k t)) ⇒ ¬($\varphi^k_{\mathit{key}}(s, m, t)$ ∧ $\varphi^k_{\mathit{sign}}(s, m, t)$)], hence the conclusion of the rule is satisfied.
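The syntactic side-conditions used by both the freshness rule (Section IV-A, the set $\mathcal S^{n,t}_{\mathit{fresh}}$ over the occurrences of $\vec u$) and the L.EUF rule just described ($\mathrm{ST}^{\mathit{euf}}_{\mathcal E,k,t}$ and the two obligations $\varphi^k_{\mathit{key}}$, $\varphi^k_{\mathit{sign}}$), computed on a tiny term language as an added example; this is not the paper's definition nor SQUIRREL's implementation. Simplifications it assumes: terms are finite trees (no recursive definitions, so no occurrence over-approximation is needed), binders are dropped so an occurrence is a pair (path condition, subterm) rather than the paper's $(\vec\alpha, \varphi, u)$, and equality of index terms is decided syntactically, which is sound only when distinct ground terms denote distinct values. The function symbols att, tuple, exp, if and the Signed-DH terms at the end are constructed for the example; pk, sign and the key name k are those of the rule.

```python
"""Added illustration (not the paper's or SQUIRREL's code): syntactic
side-conditions of the freshness rule and of L.EUF on finite terms.
Simplifying assumptions: no recursive definitions, no binders (an occurrence
is (path condition, subterm)), syntactic equality of index terms, and the
symbols att/tuple/exp/if plus the Signed-DH terms are constructed here."""
from dataclasses import dataclass
from typing import Iterator, List, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:
    f: str                 # function, name or constant symbol
    args: tuple = ()       # argument terms (empty for constants)


Term = Union[Var, App]
Cond = Tuple[Tuple[Term, bool], ...]   # guards crossed, with the branch taken


def occurrences(t: Term, k: str = None, idx: Term = None, cond: Cond = ()) -> Iterator[Tuple[Cond, Term]]:
    """Every subterm of t with the conditionals guarding it, as in ST_E(t).
    With k and idx set this is ST^euf_{E,k,idx}: (k idx) under pk, or used as the
    signing key of sign, is supplied by the EUF-CMA oracles and is not descended into."""
    yield cond, t
    if not isinstance(t, App):
        return
    oracle_key = App(k, (idx,)) if k is not None else None
    if t.f == "pk" and t.args == (oracle_key,):
        return                                           # pk (k idx): public, provided
    if t.f == "sign" and len(t.args) == 2 and t.args[1] == oracle_key:
        yield from occurrences(t.args[0], k, idx, cond)  # the message is still computed
        return                                           # the key is used only by the oracle
    if t.f == "if" and len(t.args) == 3:
        g, a, b = t.args
        yield from occurrences(g, k, idx, cond)
        yield from occurrences(a, k, idx, cond + ((g, True),))
        yield from occurrences(b, k, idx, cond + ((g, False),))
        return
    for arg in t.args:
        yield from occurrences(arg, k, idx, cond)


def name_reads(u: Term, n: str) -> List[Tuple[Cond, Term]]:
    """Indices at which name n is read in u, each with its path condition."""
    return [(c, o.args[0]) for c, o in occurrences(u)
            if isinstance(o, App) and o.f == n and o.args]


def phi_fresh(u: Term, n: str, t: Term) -> bool:
    """n t is fresh in u when no occurrence reads n at index t: the conjunction
    of the formulas t != t' of S^{n,t}_fresh, decided syntactically here."""
    return all(t_prime != t for _, t_prime in name_reads(u, n))


def euf_side_conditions(s: Term, m: Term, k: str, t: Term):
    """(key_misuses, oracle_queries): bare occurrences of (k t) the adversary would
    have to compute itself, and the messages m0 that occur signed with (k t)."""
    misuses, queries = [], []
    for term in (s, m, t):
        for c, o in occurrences(term, k, t):
            if isinstance(o, App) and o.f == k and o.args == (t,):
                misuses.append((c, o))
            elif isinstance(o, App) and o.f == "sign" and len(o.args) == 2 and o.args[1] == App(k, (t,)):
                queries.append((c, o.args[0]))
    return misuses, queries


def phi_key(s: Term, m: Term, k: str, t: Term) -> bool:
    return not euf_side_conditions(s, m, k, t)[0]


def phi_sign(s: Term, m: Term, k: str, t: Term) -> bool:
    return all(m0 != m for _, m0 in euf_side_conditions(s, m, k, t)[1])


def signed_dh_terms():
    """Constructed attacker view after B's first Signed-DH message."""
    A, B, g = Var("A"), Var("B"), App("g")
    kB = App("k", (B,))
    g_a = App("exp", (g, App("a", (A,))))
    g_b = App("exp", (g, App("b", (B,))))
    msg_b = App("tuple", (App("1"), A, g_b, g_a))                     # what honest B signs
    frame = App("tuple", (App("pk", (kB,)), App("sign", (msg_b, kB)), g_a))
    s = App("att", (frame,))                                         # signature picked by the attacker
    return s, msg_b, kB, frame
```

On the Signed-DH view, phi_key holds (k B only ever appears under pk or as a signing key) and phi_sign fails for the honestly signed message, so the rule's conclusion leaves only the "submitted to the oracle" branch: a verifying signature on that message must come from B, which is the authentication step. Appending k B itself to the frame, as a corruption would, makes phi_key fail instead, and the rule then gives nothing, as it should.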

V. IMPLEMENTATION AND CASE-STUDY
SQUIRREL [13] is a proof assistant dedicated to analysing cryptographic protocols, implementing a proof system for the CCSA meta-logic [12], [14]. Users describe protocols in a process algebra with mutable states (inspired by [29]), then specify and prove security properties. Proofs are built using tactics derived from proof rules: generic reasoning with Coq-inspired tactics (e.g. apply, rewrite); cryptographic and freshness reasoning with dedicated ones (e.g. fresh, euf).
We integrated into SQUIRREL most of the logic presented in this paper.The new version of the prover is consistent with the semantics of our logic, though it does not implement all of its features, as detailed next.It is open source and can be found at [13].The changes represent roughly 15 kLoC.
First, we added support for higher-order terms -though not for user-defined recursive terms yet, which will require a significant re-work of the occurrence approximation mechanisms.Second, we lifted syntactic restrictions on built-in types (e.g.timestamp, index), which we replaced with const(•) side-conditions.Finally, we implemented improved versions of several freshness and cryptographic tactics (IND-CCA, INT-CTXT, EUF-CMA), to support key corruption.
The rest of this section showcases these new features through two case-studies: a formalisation of the hybrid argument, which relies on higher-order reasoning, and an analysis of the signed Diffie-Hellman protocol with corruption.Also note that we ported to the new setting all existing case studies from previous work using SQUIRREL [12], [14], [15].
Listing 1. Hybrid argument in SQUIRREL (using polymorphism)

A. Case Study: Hybrid Argument
The hybrid argument is a standard technique to prove the indistinguishability of distributions [30], [31]. Using our new higher-order features, we formalised and proved a version of it in SQUIRREL, stated in Listing 1. Essentially, the hybrid argument states that to show $(t_l\ i)_{i \le N_1} \sim (t_r\ i)_{i \le N_1}$ for some constant $N_1$, it suffices to show, for all $N_0 \le N_1$: At its core, it is just an induction principle. The difficulty when using it in paper proofs is to correctly show that the advantages of the distinguishers involved are negligible. Here, this is handled by the logic, and is proved by a simple induction; the only subtlety lies in dealing with higher-order terms. Consequently, our SQUIRREL formalisation is quite short (≤ 100 lines). Moreover, we implemented some basic higher-order matching into SQUIRREL, so that instantiating this lemma is in some cases automatic, when the apply tactic manages to infer the higher-order arguments $t_l$ and $t_r$.
Discussion. This is not the first mechanised formalisation of the hybrid argument. Notably, one has been written in EasyCrypt. EasyCrypt [6] is a general-purpose proof assistant with special support for cryptographic reasoning. It uses a higher-order logic built on top of a probabilistic Relational Hoare Logic [33]. In EasyCrypt, protocols are encoded as programs, i.e. modules and functors, whose parameters encode oracles. Security properties are written as relational properties over pairs of programs. Contrary to SQUIRREL, probabilistic reasoning is exposed to the user. This framework is very precise and expressive, but that comes at a cost: writing EasyCrypt proofs tends to be long and arduous. One reason is that, to instantiate a lemma, the user must often manually define the programs it is being applied to. The hybrid argument formalisation in EasyCrypt is ∼650 lines, contains ∼15 different modules, and applying it usually requires writing additional modules, which is markedly more work than in SQUIRREL.
Although comparing the same developments in different tools is a hazardous task, we believe this illustrates the fact that our new logic provides an appealing trade-off between expressivity and usability. Precisely and thoroughly comparing SQUIRREL with other tools is left as future work.
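The quantitative content of the hybrid argument, as an added example (it is not the paper's Listing 1, which is a SQUIRREL proof): on a constructed toy instance where each left component is a fresh uniform bit read off a finite tape and each right component is the constant 0, the code enumerates all tapes and computes, as exact fractions, the distinguisher's advantage against $H_0 \sim H_N$, its advantage against each adjacent pair $H_k \sim H_{k+1}$, and the advantage of the black-box reduction $B_k$ that embeds a single challenge component into the k-th hybrid. The telescoping identity is then checked rather than argued. The tape model, the distinguisher and the component terms are all constructed assumptions of the example.

```python
"""Added illustration (not the paper's Listing 1): the hybrid argument computed
exactly on a constructed instance.  Assumptions: names are single uniform bits
read off a finite tape, so probabilities are exact Fractions obtained by
enumerating all tapes; adversaries are plain functions to {0, 1}."""
from fractions import Fraction
from itertools import product
from typing import Callable, List, Sequence, Tuple

Tape = Tuple[int, ...]
Component = Callable[[int, Tape], int]          # i-th term of the vector, on a tape
Distinguisher = Callable[[Sequence[int]], int]


def prob_one(A: Distinguisher, build: Callable[[Tape], Sequence], n_bits: int) -> Fraction:
    """Exact Pr over uniform tapes that A outputs 1 on the vector build(tape)."""
    tapes = list(product((0, 1), repeat=n_bits))
    return Fraction(sum(A(build(rho)) for rho in tapes), len(tapes))


def advantage(A, left, right, n_bits: int) -> Fraction:
    return abs(prob_one(A, left, n_bits) - prob_one(A, right, n_bits))


def hybrid(k: int, t_l: Component, t_r: Component, N: int):
    """H_k: components i < k taken from t_r, components i >= k from t_l,
    so H_0 is the all-left vector and H_N the all-right one."""
    return lambda rho: tuple((t_r if i < k else t_l)(i, rho) for i in range(N))


def hybrid_gaps(A, t_l, t_r, N: int, n_bits: int) -> List[Fraction]:
    """Advantages of A against each adjacent pair H_k ~ H_{k+1}."""
    return [advantage(A, hybrid(k, t_l, t_r, N), hybrid(k + 1, t_l, t_r, N), n_bits)
            for k in range(N)]


def reduction(A: Distinguisher, k: int, t_l: Component, t_r: Component, N: int) -> Distinguisher:
    """B_k: receives one challenge component x (either t_l k or t_r k) together with
    a tape it uses as its own randomness, rebuilds the rest of H_k around x and
    calls A as a black box.  With x = t_l k it feeds A exactly H_k, with x = t_r k
    exactly H_{k+1}."""
    def B(inp):
        x, rho = inp
        vec = tuple(t_r(i, rho) if i < k else x if i == k else t_l(i, rho) for i in range(N))
        return A(vec)
    return B


def reduction_advantages(A, t_l, t_r, N: int, n_bits: int) -> List[Fraction]:
    """Advantage of each B_k in the single-component game t_l k ~ t_r k."""
    out = []
    for k in range(N):
        B = reduction(A, k, t_l, t_r, N)
        left = lambda rho, k=k: (t_l(k, rho), rho)
        right = lambda rho, k=k: (t_r(k, rho), rho)
        out.append(advantage(B, left, right, n_bits))
    return out


# Constructed instance: left component i is a fresh uniform bit, right component is
# the constant 0, and the distinguisher outputs 1 iff any component is 1.
N = 3
t_left: Component = lambda i, rho: rho[i]
t_right: Component = lambda i, rho: 0
any_bit: Distinguisher = lambda vec: int(any(vec))


def demo():
    total = advantage(any_bit, hybrid(0, t_left, t_right, N), hybrid(N, t_left, t_right, N), N)
    gaps = hybrid_gaps(any_bit, t_left, t_right, N, N)
    reds = reduction_advantages(any_bit, t_left, t_right, N, N)
    return total, gaps, reds
```

For this instance the total advantage is 7/8 and the adjacent gaps are 1/8, 1/4 and 1/2: their sum bounds the total (here with equality, since the success probabilities are monotone in k), each gap is exactly what the corresponding reduction achieves, and the largest gap is at least the total divided by N, which is the loss the argument pays.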

B. Case Study: Forward Secrecy
The signed Diffie-Hellman protocol [34] (Signed-DH) is an authenticated key exchange protocol, between two agents A, B. Each agent starts with a long-term signing key, resp.k A , k B .By running the protocol, they wish to authenticate each other, and to derive a shared secret key which can then be used e.g. to exchange encrypted messages.
The protocol fixes a finite cyclic group G, with a generator g. First, A samples a value a uniformly at random in {1, …, |G|}, and sends $g^a$ to B. B answers with his own value $g^b$, for b freshly sampled, together with a signature $\mathrm{sign}(\langle 1, A, g^b, g^a \rangle, k_B)$. After checking the signature, A sends back her own signature $\mathrm{sign}(\langle 2, B, g^a, g^b \rangle, k_A)$ for B to check. If the signature checks out, A also computes the key $k = H((g^b)^a) = H(g^{a \cdot b})$, where H is a Random Oracle [35]. B derives the same key using his own secret value b and the group element $g^a$ received from A.
We analysed the Signed-DH protocol in our new version of SQUIRREL. We proved mutual authentication for A and B, and Forward Secrecy [36], [37] of the key (from A's point of view, though a similar result should hold for B). Standard secrecy states that the key derived by A is indistinguishable from a fresh uniformly sampled key. Forward secrecy further mandates that the key remains secure going forward, i.e. even if the long-term keys (here $k_A$ and $k_B$) are later leaked to the adversary. In practice, this allows past communication between A and B, encrypted under the key derived from $g^{a \cdot b}$, to remain confidential even if an adversary later gains control of A's or B's device. We express it in SQUIRREL as follows:
global goal kA_fs (t, t0 : timestamp, A, B : index) :
  const(t, t0, A, B) ⇒ [t ≤ t0] ⇒ [not (corrupt B < t)] ⇒
  (frame@t0, if cond@t then kA(A,B)@t ∼ frame@t0, if cond@t then n_fresh).
Lemma kA_fs states that the key kA(A,B)@t derived by A at time t = A2(A,B) is indistinguishable from a fresh name n_fresh, provided A correctly checked B's signature (condition cond@t). This holds at any later time t0 ≥ t, provided no corruption occurred before the key was established at t. Here, only B must not be corrupted, hence the requirement [not (corrupt B < t)]. We allow corruption after t: in particular, corruption can occur in the time-frame ]t, t0] without compromising the security of the key at time t0.
We proved this property, as well as the authentication properties, in our new version of SQUIRREL, using our new cryptographic tactics supporting key-corruption, in particular the unforgeability of the signature (EUF-CMA).

VI. CONCLUSION
We have presented a new logic for reasoning about cryptographic protocols.Unifying the CCSA base logic and its meta-logic into a higher-order logic, we obtain a general framework that is more expressive and extensible.We extended the SQUIRREL prover to conform to this new logic, and validated the extra expressiveness on new case studies.We believe this work constitutes a solid theoretical foundation for the SQUIRREL prover and its future extensions.
As future work, we intend to study how to leverage the new features of our logic, in particular recursive definitions, to model different execution models, in order to study e.g. side-channel behaviours, distance-bounding protocols, or alternative attackers who can for instance influence the scheduling of actions. It would also be desirable to achieve some form of completeness for our core sequent calculus, either as a cut-elimination result or by relating provability and validity in a suitable class of models; both questions are currently wide open.

APPENDIX A TYPING RULES AND TYPES RESTRICTIONS
We give in this section the typing rules, and some additional details on the logic which we omitted from the body.
The typing rules of our logic are given in Fig. 6.
Type restrictions: We now present the semantics of type restrictions. Let τ be a type, and label(τ) its associated set of labels. We give the semantics of each label by describing in what way it restricts a potential model M : E:
• if fixed ∈ label(τ) then we must have $\llbracket \tau \rrbracket^{\eta}_{\mathcal M} = \llbracket \tau \rrbracket^{\eta'}_{\mathcal M}$ for all η, η' ∈ ℕ;
• if polynomial ∈ label(τ) then there must exist a polynomial Q[X] such that $|\llbracket \tau \rrbracket^{\eta}_{\mathcal M}| \le Q(\eta)$ for all η ∈ ℕ; furthermore, there must exist a polynomial-time machine A that can enumerate all elements of $\llbracket \tau \rrbracket^{\eta}_{\mathcal M}$;
• if large ∈ label(τ) then, for every name symbol n with return type τ, the probability that a sampling of n takes any given value of $\llbracket \tau \rrbracket^{\eta}_{\mathcal M}$ is negligible in η, the bound being parameterised by a positive real number $c_\tau > 0$ which may depend on the type τ;
• if well-founded ∈ label(τ) then we require that the distinguished symbol < : τ → τ → bool (used with infix notation) is interpreted as a well-founded order in M. More precisely, for every η ∈ ℕ, there exists an order $<_\eta$ such that $\llbracket < \rrbracket^{\eta,\rho}_{\mathcal M:\mathcal E} = <_\eta$ for every tape $\rho \in \mathcal T_{\mathcal M,\eta}$, and $(\llbracket \tau \rrbracket^{\eta}_{\mathcal M}, <_\eta)$ is a well-founded set.
Convention: we require that E is only extended with fresh symbols (w.r.t. E), which is always possible by alpha-renaming.

APPENDIX B WELL-FOUNDED DEFINITIONS
We first present elided details from Definition 1, and then prove Proposition 1.
Internal order of a model: For an environment E whose declaration part $\mathcal E_0$ contains only declarations to be well-founded w.r.t. some model M : E, Definition 1 requires that there exists a well-founded order < over $\{(x_i, e) \mid i \in [1; n],\ e \in \llbracket \tau_i \rrbracket^{\eta}_{\mathcal M}\}$ such that all recursive calls to defined variables are decreasing w.r.t. <. We need this well-founded order to be representable in the logic itself, to be able to use it in the rules of our proof system. This is captured by the requirement that < is the order represented by the internal order formulas of E, which we define below.
First, we require that any well-typed environment E comes with a finite set of predicates (terms well-typed in $\mathcal E_0$, not E, to ensure that they do not depend on the defined variables of E) called its internal order formulas, where the $(x_i)_{i \in [1;n]}$ are the defined variables of E, and $(\tau_i)_{i \in [1;n]}$ the types of their arguments (as in Eq. (3)). We stress the fact that these formulas are independent of the model: to make this formal, we modify the definition of environment, and require that an environment is a pair of a list of declarations and definitions (as in the body) and an additional finite set of formulas which are its internal order formulas (as we only need to assume the existence of the latter, we usually omit them from environment descriptions).
Then, we say that an order < is the internal order of E w.r.t. a term structure M when, for every η ∈ ℕ, every i, j ∈ [1; n], $a_i \in \llbracket \tau_i \rrbracket^{\eta}_{\mathcal M}$ and $a_j \in \llbracket \tau_j \rrbracket^{\eta}_{\mathcal M}$, we have $(x_i, a_i) < (x_j, a_j)$ iff for every $\rho \in \mathcal T_{\mathcal M,\eta}$ the corresponding internal order formula holds. Concretely, this restricts the term structures from which models can be constructed to those such that < is a well-founded ordering represented by E's internal order formulas.
Proposition 1. Let E be an environment that is well-founded w.r.t. M : E. Let $\mathcal M_0$ be the restriction of M to the declarations of E. There exists a unique term structure $\mathcal M_{\mathit{rec}} : \mathcal E$ extending $\mathcal M_0$ such that, for each definition $(x_i : \tau_i \to \tau'_i) := t_i$ in E, the fixed-point equation $\llbracket x_i \rrbracket^{\eta,\rho}_{\mathcal M_{\mathit{rec}}:\mathcal E}(e) = \llbracket t_i \rrbracket^{\eta,\rho}_{\mathcal M_{\mathit{rec}}:\mathcal E,\,x \mapsto e}$ holds for all η, ρ and $e \in \llbracket \tau_i \rrbracket^{\eta}_{\mathcal M}$.
Proof.Let E be a well-founded environment w.r.t.M : E. Let M 0 be the restriction of M to the declared variables of E.
Fix some value of η, and consider the well-founded order < over the pairs $(x_i, e)$ with $e \in \llbracket \tau_i \rrbracket^{\eta}_{\mathcal M}$ given by Definition 1. We then define, for all i, the functions $X_{i,\eta} : \mathcal T_{\mathcal M,\eta} \to \llbracket \tau_i \rrbracket^{\eta}_{\mathcal M} \to \llbracket \tau'_i \rrbracket^{\eta}_{\mathcal M}$ by well-founded induction. In other words, we define, for any j and $e \in \llbracket \tau_j \rrbracket^{\eta}_{\mathcal M}$, the value of $X_{j,\eta}$ when given e as second argument, assuming that all functions $X_{i,\eta}$ are defined when their second argument e' is such that $(x_i, e') < (x_j, e)$. We can do this by taking $X_{j,\eta}(\rho)(e) = \llbracket t_j \rrbracket^{\eta,\rho}_{\mathcal M_{\mathit{rec}}:\mathcal E, x:\tau_j}$, where $\mathcal M_{\mathit{rec}}$ extends $\mathcal M_0$ with $\mathcal M_{\mathit{rec}}(x_i) = X_i$ for all i and $\mathcal M_{\mathit{rec}}(x) = e$ (even though our $X_{i,\eta}$ functions are only partial at this point, as we justify next).
Indeed, if some $x_i$ occurs in $t_j$, it gives rise to an occurrence $(\vec\alpha, \varphi, x_i\ t') \in \mathrm{ST}_{\mathcal E^*, x:\tau_j}(t_j)$. Now, if this occurrence is used in computing $\llbracket t_j \rrbracket^{\eta,\rho}_{\mathcal M_{\mathit{rec}}:\mathcal E, x:\tau_j}$, this means that we have some extension M' of $\mathcal M_{\mathit{rec}}$ such that $\llbracket \varphi \rrbracket^{\eta,\rho}_{\mathcal M':\mathcal E,(x:\tau_j),\vec\alpha} = 1$; otherwise the interpretation would not rely on this branch of nested conditionals. Because of the condition on the free variables of t', the interpretation of t' w.r.t. M' is also its interpretation w.r.t. M'', where M'' coincides with M' on the defined variables $x_i$ and otherwise coincides with M (M' being an extension of $\mathcal M_{\mathit{rec}}$, not of M). Moreover, by definition of φ w.r.t. $\{x_1, \ldots, x_n\}$, we also have the corresponding condition for M''. We can thus conclude, by Definition 1, that $(x_i, \llbracket t' \rrbracket^{\eta,\rho}_{\mathcal M':\mathcal E,(x:\tau_j),\vec\alpha}) < (x_j, e)$, thus $X_{i,\eta}$ is well-defined on $\llbracket t' \rrbracket^{\eta,\rho}_{\mathcal M':\mathcal E,(x:\tau_j),\vec\alpha}$, i.e. $x_i\ t'$ is well-defined at that point.
Once the functions $X_{i,\eta}$ are totally defined, for all i and η, we can form $\mathcal M_{\mathit{rec}}$, which extends $\mathcal M_0$ with $\mathcal M_{\mathit{rec}}(x_i) = X_i$. This new model satisfies the required fixed-point equations by construction. Finally, to justify our uniqueness claim, one can easily verify that if two models $\mathcal M^1_{\mathit{rec}}$ and $\mathcal M^2_{\mathit{rec}}$ satisfied our requirements, they would have to provide equal interpretations for all $x_i$; this is done, as expected, by well-founded induction.

APPENDIX C GLOBAL FORMULAS
We make more detailed remarks regarding the probabilistic semantics of our global formula atoms.
Remark 3. The finiteness of $\mathcal{T}_{M,\eta}$ immediately gives us that $\llbracket t\rrbracket^{\eta}_{M:E}$ is a family of random variables, but keeping this property without the requirement that $\mathcal{T}_{M,\eta}$ be finite would be non-trivial. Indeed, consider the semantics of $\forall(x : \tau).\,t$, which is, for a given η, $X_{\forall x.t}$, and let, for every $a \in \llbracket\tau\rrbracket^{\eta}_{M}$, $X_{t_a}$ be the function which we assume to be a random variable. Then, to show that $X_{\forall x.t}$ is a random variable, we must show (among other things) that $\bigcap_{a} X_{t_a}^{-1}(\{1\})$ is a measurable set of $\mathcal{T}_{M,\eta}$. If $\llbracket\tau\rrbracket^{\eta}_{M}$ is at most countable, then this immediately follows from the fact that each $X_{t_a}^{-1}(\{1\})$ is measurable, and that measurable sets are closed under countable intersections. But if $\llbracket\tau\rrbracket^{\eta}_{M}$ is uncountable (which is the case, e.g., if τ = message → bool), then this argument no longer applies.

Remark 4. Since $\mathcal{T}_{M,\eta}$ must be finite, we can only represent random samplings with a finite amount of randomness in our logic. This puts some limits on what we can directly model in our logic using name symbols; e.g. we cannot model a random oracle [35] from message to message directly as a name symbol: indeed, we would need to use a message-indexed name symbol, which itself requires an infinite number of random bits. Note that this limitation does not preclude us from modelling random oracles (see e.g. [14]), only from modelling them directly using names.

APPENDIX D RELATIONSHIP TO META-LOGIC
In this section, we discuss how our new logic generalises the meta-logic of [14]. This discussion targets readers already familiar with the meta-logic and its underlying base logic [8], who would like to understand how they can work with our new framework instead.
It should be clear that several features of the new logic are out of the reach of the meta-logic approach, but it is less obvious why all features of the former meta-logic can be recovered in our new framework. Indeed, the technical points that allow it are scattered throughout the exposition of our logic. We summarise and detail these points below. Ideally, this discussion should ultimately be formalised as a conservativity result: a local meta-logic formula should be valid iff its suitable translation in the new logic is valid. As we shall see, this may not be quite the case, and there might be cases where a meta-logic formula is valid while its translation in the new logic is not. These cases are not necessarily problematic, though: from a practical perspective, it is good enough (and even preferable) if provable meta-logic formulas translate to provable higher-order logic formulas. We do not provide theoretical arguments concerning this question, though the proximity of the proof systems gives hope that this would be possible. Note, however, that our implementation and case studies provide positive empirical evidence in this direction.
a) Base logic: We first explain how our higher-order logic generalises the base CCSA logic [8]. The base logic is a first-order logic whose function symbols are either names, honest function symbols, or adversarial function symbols. It features a single predicate ∼ interpreted as computational indistinguishability, which is also immediately available in our logic. Thus the only difficulty lies in the interpretation of terms. In the base logic, terms are interpreted in computational models [8], which provide a PPTM for each function symbol (with some constraints discussed below). The interpretation has the same structure as our semantics $\llbracket t\rrbracket^{\eta,\rho}_{M:E}$ for terms, parameterised by η and random tapes ρ. A striking difference is that random tapes are infinite bitstrings in the base logic, while we consider only finite tapes in the higher-order logic. This is, however, not restrictive: since terms of the base logic are interpreted as machines that run in polynomial time in η, they can only access a finite amount of randomness for each η. We can thus construct from any computational model of the base logic a model in our sense with long enough finite tapes (for each η) such that the semantics of a base logic term is the same in both models.

[Figure (proof rules): Equivalence rules; Reduction rules (local versions of these rules can be obtained using L.LOCALISE). Convention: right rules for universal quantification assume that the introduced variable x is not bound in E; the rewrite rules cannot rewrite at a position that captures free variables in t or s.]
We have argued so far why a base logic formula that is satisfied in all of our models is also satisfied in all computational models, i.e. valid in the base logic. However, our models allow many more interpretations than the computational models of the base logic, hence the converse is not true (footnote 8). We argue now under which conditions this can be recovered. Since each honest function symbol f of the base logic can only be interpreted by a deterministic PTIME machine in computational models, we must similarly restrict their interpretation in our models. This can be achieved by adding a global predicate det(•) expressing that a term has a deterministic interpretation: formally, $\llbracket det(t)\rrbracket_{M:E}$ holds when, for any η and for any $\rho, \rho' \in \mathcal{T}_{M,\eta}$, we have $\llbracket t\rrbracket^{\eta,\rho}_{M:E} = \llbracket t\rrbracket^{\eta,\rho'}_{M:E}$. Then, for each honest function symbol f, we must ensure that it is deterministic and computable in polynomial time. This can be expressed by adding an axiom det(f) ∧ adv(f). Similarly, we would add adv(g) for every adversarial function symbol g. To be complete, similar restrictions should be put in place for free variables and quantifiers: we do not detail this step, which is actually not necessary since the meta-logic only makes use of closed and quantifier-free base logic formulas.

Footnote 8: Assuming that EQ is interpreted as equality, and that c and d are two function symbols of arity 0, the formula c ∼ d ⇒ EQ(c, d) ∼ true is valid in the base logic because function symbols are deterministic PTIME machines in the base logic. The same formula is not valid in our logic, unless one postulates a similar condition for c and d.
We finally discuss the treatment of names, which is the most complex issue. In the base logic, names are interpreted as independent uniform random samplings in $\{0,1\}^{\eta}$. Names in our logic are not necessarily sampled uniformly, and the probability that two names are equal is not necessarily negligible. The latter problem can be fixed by taking names over the type message with the assumption that this type is large (as in Example 8). The former problem may be fixed by further restricting the meaning of names in message. This would be necessary to obtain a conservativity result at the level of validity; however, it is likely to be unnecessary to obtain a result at the level of provability, since proof systems for the base logic (and the meta-logic) actually never rely on the uniformity of distributions.
b) Indices and timestamps: We now discuss how the meta-logic can be embedded in our higher-order logic. The construction of the meta-logic on top of the base logic involves the notion of trace model. A trace model $\mathbb{T}$ notably fixes the domains of interpretation for the index and timestamp types. Both domains must be finite. Once this is set, a meta-interpretation function translates meta-level terms and local formulas to base-level terms. The meta-interpretation of a meta-logic term $(t)^{\mathbb{T}}$ of sort message replaces indexed names $n_i$ by base logic names $n_v$ (where v is the value of i in $\mathbb{T}$) in a larger set of base logic names (which depends on $\mathbb{T}$). The meta-interpretation of a local meta-logic formula $(\phi)^{\mathbb{T}}$ (which is a base logic boolean term) replaces quantifications over timestamps and indices by finite boolean combinations, and replaces comparisons of timestamps and indices by their values (boolean constants). Once base logic terms are obtained by these meta-interpretations, they are further interpreted as PPTMs according to a computational model.
In our new logic, models must play both the role of the trace model and of the computational model of the former approach. We must thus constrain the interpretation of the types index and timestamp, but also the interpretation of the associated terms: in the meta-logic, terms of these types are interpreted at the meta-level and are thus independent of η and ρ. Hence, we work in the new logic with types index and timestamp tagged as both finite and fixed, and we restrict global quantifications over timestamps and indices to constant values (footnote 9): ∀(x : τ). F becomes ∀(x : τ). const(x) ⇒ F, and dually for ∃. Such a transformation is not needed for local quantifications, since they quantify over random variables in our semantics. Indices in the meta-logic are unstructured: the only terms of sort index are variables, and they can only be compared for equality. In contrast, timestamps can be built using indexed constants (representing protocol actions) and a predecessor function, and they can be compared using an order. Moreover, the interpretation of this order in trace models must respect a partial order indicating sequential dependencies between protocol actions. All these constraints can be axiomatised in the new logic.
We finally address the find construct of meta-logic terms. Roughly, the term (find i suchthat φ in t else t') attempts to find values for i such that φ holds, evaluates as t (which may rely on i) upon success, and as t' otherwise. Although this construct is not immediately available in our new logic, axiomatising its behaviour is quite natural. In fact, it is beneficial to do so by decomposing it using a choice operator (essentially Hilbert's epsilon operator) which associates to any predicate a value that makes it true, if it exists. We have introduced this operator, and associated axioms, in our standard library, enabling easier and sometimes more precise reasoning about quantifiers and find constructs.
c) Protocols and macros: The syntax and semantics of the meta-logic are parameterised by protocols, which must all share the same set of partially-ordered actions. These actions give rise to the language of actions on which timestamps are built, and the partial order constrains trace models; we have seen that these aspects can be handled axiomatically. Next, macros are used in the meta-logic to reflect the semantics of protocols: for each action, the protocol specifies an executability condition, some state updates, and an output message. All these are represented in the logic by built-in macros of the form m@T where m ∈ {cond, output, ...} and T is a timestamp. The semantics of macros is given as part of the meta-interpretation: once a trace model $\mathbb{T}$ is fixed, we can define the meaning of macros by induction on timestamps.
In our new logic, this is replaced by recursive definitions. For each macro m and each protocol of interest P, we define the meaning of m w.r.t. P at a timestamp T as a recursive definition $m_P$ which takes a timestamp as argument: this is illustrated in Example 6. Obviously, this approach decouples the logic from the specific notion of protocol: we could use the logic to model a different kind of protocol or a different attacker model. Less obviously, this encoding of macros also changes the granularity of protocol annotations: in the meta-logic, it is not possible to mix, in the same term, macros w.r.t. several protocols. This is made possible in the style proposed here, and has practical applications (footnote 10).

A. Measure Theory: Standard Definitions
We recall some standard measure theory definitions. For any set S, we let P(S) be the power set of S. A σ-algebra Σ over a set S is a non-empty subset of P(S) closed under countable unions and intersections. For any set S, the discrete σ-algebra on S is the power set of S. This is the finest σ-algebra on S. A set S equipped with a σ-algebra Σ on S is called a measurable space. A measurable function X from a measurable space $(S_1, \Sigma_1)$ to a measurable space is defined in the standard way. Notice that if $\Sigma_1$ is the discrete σ-algebra, then any function from $(S_1, \Sigma_1)$ to any measurable space is measurable.

B. Preliminaries
For any η-indexed families of reals A and B, we write $A =_{ow} B$ whenever A and B are overwhelmingly equal, i.e. if $(A_\eta - B_\eta)_{\eta \in \mathbb{N}} \in negl(\eta)$.
We lift this to events as follows: let E and E' be two η-indexed families of events on the same probability space Ω. We say that E and E' have overwhelmingly equal probabilities, written $E =_{ow} E'$, if

Proof. By an easy induction over φ.
We now recall and prove Proposition 2.
Proposition 2. Let E be a well-formed environment and φ be a local formula such that E ⊢ ∀(x : τ). φ : bool. For every model M of E, we have:

Proof. We prove both directions separately.

(⇒ case.) Assume the following:

Let $A \in RV_M(\tau)$ be an η-indexed sequence of random variables. We need to show the following, where the probability is over $\rho \in \mathcal{T}_{M,\eta}$:
Let A be the η-indexed family of functions choosing, for any η and ρ, a value $a \in \llbracket\tau\rrbracket^{\eta}_{M}$ making φ false when evaluated on tape ρ in the model $M[x \mapsto a] : (E, x:\tau)$; namely, A picks choose(S) where S is the set of such values, if S is non-empty, and a witness otherwise, where a witness is an arbitrary value in $\llbracket\tau\rrbracket^{\eta}_{M}$ (recall that our semantics requires that $\llbracket\tau\rrbracket^{\eta}_{M} \neq \emptyset$), and choose(S) is an arbitrary choice function for the set S.
Since all functions from $\mathcal{T}_{M,\eta}$ to {0; 1} are random variables w.r.t. the discrete σ-algebra on $\mathcal{T}_{M,\eta}$ (thanks to the finiteness of $\mathcal{T}_{M,\eta}$), we get, by applying Eq. (6) to A (and using Eq. (8)), that the probability is in ow(η), which concludes the proof of Eq. (7).

Remark 5. Proposition 2 establishes that universal quantification commutes with [•]. The same result can be shown, with the same proof, for existential quantification. This may seem surprising, since, on the other hand, disjunction does not commute with [•]. This apparent contradiction comes from the fact that, contrary to intuition, global existential quantification is not the same as global disjunction. Indeed, global ∃ can take as a witness a random variable, while a disjunction forces one to take a constant witness, and is thus a stronger condition. Basically, $[\phi_0] \vee [\phi_1]$ means that there exists a constant b, independent from η and ρ, such that $[\phi_b]$. On the other hand, $\exists b.\,[\phi_b]$ means that there exists a random variable b, that may depend on η and ρ, such that $[\phi_b]$, which is weaker.
There is then no contradiction:

We recall and prove Proposition 4.
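As an added illustration of Proposition 2 and Remark 5 (not code from the paper or from SQUIRREL), the following script enumerates a constructed finite-tape model at one fixed η: global quantifiers range over all functions from tapes to the type, so ∀x.[φ] and [∀x.φ] can be compared exhaustively, and the gap between [φ_0] ∨ [φ_1] and ∃b.[φ_b] is exhibited with a tape-dependent witness. The simplifying assumption is that the global atom [φ] is read as "φ holds on every tape" (at a single η, probability 1 stands in for "overwhelming").

```python
from itertools import product

# Constructed finite model at one fixed eta (assumption of this example):
# the tape set T_{M,eta} is every bitstring of length TAPE_LEN, a local
# formula is a function tape -> bool, and the global atom [phi] is read as
# "phi holds on every tape" (probability 1 replaces "overwhelming").
TAPE_LEN = 3
TAPES = list(product((0, 1), repeat=TAPE_LEN))


def box(phi):
    """Global atom [phi]: phi evaluates to true on every tape rho."""
    return all(phi(rho) for rho in TAPES)


def random_variables(domain):
    """Every function tape -> domain, i.e. the random variables A over which
    global quantifiers range; finite here, so we can enumerate them all."""
    for values in product(domain, repeat=len(TAPES)):
        table = dict(zip(TAPES, values))
        yield lambda rho, table=table: table[rho]


def global_forall(domain, phi):
    """forall x.[phi]: [phi] holds with x bound to A, for every random variable A."""
    return all(box(lambda rho, A=A: phi(A(rho), rho))
               for A in random_variables(domain))


def box_local_forall(domain, phi):
    """[forall x.phi]: inside the brackets, x ranges over the values of the type."""
    return box(lambda rho: all(phi(a, rho) for a in domain))


def global_exists(domain, phi):
    """exists x.[phi]: some random variable A, which may depend on the tape,
    witnesses [phi]."""
    return any(box(lambda rho, A=A: phi(A(rho), rho))
               for A in random_variables(domain))


def box_disjunction(domain, phi):
    """The disjunction of the [phi_a] over constants a: the witness a is
    chosen once, independently of the tape."""
    return any(box(lambda rho, a=a: phi(a, rho)) for a in domain)


def first_bit_is(b, rho):
    """phi_b: 'the first tape bit equals b'. For a fixed constant b this is
    true on half of the tapes, so neither [phi_0] nor [phi_1] holds."""
    return rho[0] == b


def proposition2_agrees(domain, phi):
    """True iff forall x.[phi] and [forall x.phi] have the same truth value."""
    return global_forall(domain, phi) == box_local_forall(domain, phi)


def remark5_gap(domain, phi):
    """Returns (disjunction of the [phi_a], exists x.[phi]); Remark 5 says
    the first may be false while the second is true."""
    return box_disjunction(domain, phi), global_exists(domain, phi)
```

With first_bit_is, the global ∃ is witnessed by the random variable b = "first bit of the tape", which no constant b can replace.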

APPENDIX F FRESH RULES
This section is organised as follows: first, we prove the soundness of the G.EQUIV.FRESH rule in Appendix F-A; then, we give additional details on how we make the G.EQUIV.FRESH rule effective in Appendix F-B; we describe another equivalence freshness rule in Appendix F-C, which, together with the G.EQUIV.FRESH rule, allows one to get rid of fresh names in an equivalence; and finally, we present the reachability freshness rule in Appendix F-D.

A. Soundness of the Fresh Equivalence Rule
We recall and prove Proposition 7.
Proposition 7. The rule G.EQUIV.FRESH is sound.
Proof. Consider an instance of the G.EQUIV.FRESH rule, and let M be a model of E. We must show that M satisfies the judgement E; Θ ⊢ u, n t ∼ u, $n_{fresh}$ (). For every η ∈ N, let $\beta^{\eta}_M : \mathcal{T}_{M,\eta} \to \mathcal{T}_{M,\eta}$ be the bijection swapping the random bits used by $n_M(\eta, \llbracket t\rrbracket^{\eta,\rho}_{M:E})(\cdot)$ and $(n_{fresh})_M(\eta, \llbracket()\rrbracket^{\eta,\rho}_{M:E})(\cdot)$. Said otherwise, for every tape $\rho = (\rho_a, \rho_h)$, if we let $\rho'_h$ be such that $\beta^{\eta}_M(\rho) = (\rho_a, \rho'_h)$, then, for every name symbol $n_0$ of type $\tau_0 \to \tau$ and $a \in \llbracket\tau_0\rrbracket^{\eta}_{M}$:

Let ρ be such that

Let us show, using Proposition 6, that

Let $(\alpha, \psi, (x\;v)) \in ST_E(u, t)$ and $M'$ be such that

To apply Proposition 6, we must prove the following, where $a \stackrel{def}{=} \llbracket v\rrbracket^{\eta,\rho}_{M':E,\alpha}$:

There are 3 possible cases:
• If x is an adversarial function declaration, then since M(x)(η) can only use the component $\rho_a$ of ρ, and since ρ and $\beta^{\eta}_M(\rho)$ coincide on $\rho_a$, Eq. (18) trivially holds.
• If x is a name symbol in N, we have three cases:
– If x ≠ n and x ≠ $n_{fresh}$ then (18) holds by construction of $\beta^{\eta}_M(\rho)$.
– If x = n, then we know that v starts with a term $v'$ and that $(\alpha, \psi, n\;v') \in ST_E(u, t)$. Moreover, thanks to Eq. (16) and Eq. (2), we have the following. Since $M'$ extends M into a model of (E, α), and since $\llbracket\psi\rrbracket^{\eta,\rho}_{M':E,\alpha} = 1$, we deduce that, or equivalently, $\llbracket t\rrbracket^{\eta,\rho}_{M':E,\alpha} \neq a$ (as $a \stackrel{def}{=} \llbracket v\rrbracket^{\eta,\rho}_{M':E,\alpha}$). Hence (18) holds by construction of $\beta^{\eta}_M(\rho)$.
• Finally, the case x = $n_{fresh}$ cannot happen, since we require that $n_{fresh}$ does not appear in u and t.
Also, by construction of the bijection $\beta^{\eta}_M$, we have

Putting everything together, we get that:

(by Eq. (17))
$= \llbracket u, n_{fresh}\,()\rrbracket^{\eta,\rho}_{M:E}$

Since this equality holds for every ρ such that $\llbracket\phi^{n,t}_{fresh}(u, t)\rrbracket^{\eta,\rho}_{M:E}$, and since, by hypothesis, M satisfies E; Θ ⊢ $[\phi^{n,t}_{fresh}(u, t)]$, we know that $\Pr_\rho(\llbracket\phi^{n,t}_{fresh}(u, t)\rrbracket^{\eta,\rho}_{M:E}) \in ow(\eta)$, which implies that

Since $\beta^{\eta}_M$ is a bijection and tapes are sampled uniformly at random, we get that for every A ∈ PPTMs:

Moreover, by Eq. (20) we have

Hence $Adv^{\eta}_{M:E}(A : u, n\;t \sim u, n_{fresh}\,()) \in negl(\eta)$.

B. Making the Fresh Equivalence Rule Effective
We first define a subsumption relation between occurrences. Intuitively, $o_0$ is subsumed by $o_1$, written $o_0 \sqsubseteq o_1$, if the set of terms represented by $o_0$ is smaller (w.r.t. set inclusion) than the set of terms represented by $o_1$.
Definition 2. Let E be a well-formed environment and Θ a set of global formulas. We say that an occurrence $(\alpha_0, \phi_0, t_0)$ is subsumed by another occurrence $(\alpha_1, \phi_1, t_1)$ w.r.t. E and Θ, which we write $(\alpha_0, \phi_0, t_0) \sqsubseteq_{E,\Theta} (\alpha_1, \phi_1, t_1)$, if $\llbracket\,\cdot\,\rrbracket^{\eta,\rho}_{M:E} = 1$ for every M : E of Θ, and for every η ∈ N and $\rho \in \mathcal{T}_{M,\eta}$. We lift this subsumption relation to (possibly infinite) sets of occurrences in the natural way: $S_0 \sqsubseteq S_1$ if each occurrence in $S_0$ is subsumed by some occurrence in $S_1$.
We now show that when an occurrence $o_1$ subsumes another occurrence $o_0$, then the freshness formula associated to $o_0$ is entailed by the freshness formula associated to $o_1$. Also, this entailment is naturally lifted to sets of occurrences.

Proposition 13. Let E be a well-formed environment, Θ a set of global formulas, n a name symbol and t a term. For any sets of occurrences $S_0$ and $S_1$, if $S_0 \sqsubseteq_{E,\Theta} S_1$ then for every model M : E of Θ, η ∈ N and $\rho \in \mathcal{T}_{M,\eta}$: $\llbracket\phi\rrbracket^{\eta,\rho}_{M:E} = 1$ for every $\phi \in S^{n,t}_{fresh}(S_1)$ implies $\llbracket\phi\rrbracket^{\eta,\rho}_{M:E} = 1$ for every $\phi \in S^{n,t}_{fresh}(S_0)$.

The proof is given in Section F-B1. Hence, to make the fresh rule effective, it is sufficient to find a finite set of occurrences S such that $ST_E(u, t) \sqsubseteq_{E,\Theta} S$, and to let $\phi^{n,t}_{fresh}(u, t)$ be the conjunction of all formulas in $S^{n,t}_{fresh}(S)$. Essentially, S is a sound over-approximation of $ST_E(u, t)$: it "covers" all the occurrences in $ST_E(u, t)$, hence in particular all occurrences of the name n in u and t.
There are many ways to build such a set S. Of course, different sets S yield different formulas, with different degrees of precision. To make things more concrete, we present one effective way of building such a set S; this set will not be the most precise w.r.t. occurrence subsumption (such a most precise set may not even exist). Given a vector of terms u in some environment E, we must build a finite set of occurrences

To make this formal, we first introduce a more standard (and effective) notion of sub-terms, which corresponds to the idea of direct occurrence. We let $ST^0_E(t)$ be the set of generalised subterms of t without recursion. The set $ST^0_E(t)$ is defined using the same equations as $ST_E(t)$ of Fig. 1, except for the case where t is a variable x defined in E (with definition $t'$), which is replaced by $ST^0_E(t')$.
$x_1$ s u). Proof (sketch). We observe that any occurrence (α, φ, t) in $ST_E(u)$ appears either directly in u, or indirectly in the body of some inductively defined variable $x_0 : \tau_0 \to \tau_1 = \lambda y.\,t_0$. In the latter case, we know that φ entails $y \leq_{x_0,x_1} u$ (by well-foundedness of the model). Hence

Then, if we let ψ be the condition such that $((\alpha_0, y), \psi, t) \in ST^0_E(t_0)$ (where $(\alpha_0, y) \subseteq \alpha$), we have that φ ⇒ ψ holds for all tapes (indeed, it is clear that $\phi = \phi_0 \wedge \psi$ for some formula $\phi_0$). Using the fact that weakening the condition of an occurrence yields a more general occurrence (w.r.t. $\sqsubseteq_{E,\Theta}$), we get $(\alpha, (y$ Hence, by transitivity of $\sqsubseteq_{E,\Theta}$, we have $(\alpha, \phi, t) \sqsubseteq_{E,\Theta} (\alpha, (y \leq_{x_0,x_1} u) \wedge \psi, t)$. We conclude by removing from α all variables that are not bound in $(y \leq_{x_0,x_1} u) \wedge \psi$ and t, which gives an occurrence in

1) Proof of Proposition 13: We prove the following proposition, which is a generalised version of Proposition 13.

Proposition 15. Let E be a well-formed environment, Θ a set of global formulas, n a name symbol and t a term.

C. Removing Fresh Names
Let $n_{fresh}$ be a name symbol of type unit → τ. Assume that $n_{fresh}$ is fresh, i.e. that it does not appear in E, $u_1$, $u_2$, except in its declaration. Then we have the rule

The soundness of this rule is easily proved, by showing that the name $n_{fresh}$ can be directly sampled by the adversary using its own random bits (which changes nothing since $n_{fresh}$ does not appear in the rest of the computations).
Using this rule in combination with two applications of the G.EQUIV.FRESH rule allows one to get rid of names which can be proved fresh, through the following (admissible) rule, where $[\phi^{n_1,t_1}_{fresh}(u_1, t_1)]$ and $[\phi^{n_2,t_2}_{fresh}(u_2, t_2)]$ capture, resp., the freshness of $n_1\;t_1$ and $n_2\;t_2$. This rule is essentially the rule implemented in SQUIRREL.

D. Freshness in Local Formulas
Let n be a name symbol with type $\tau_0 \to \tau$, and $t_0$, t be terms of type, resp., $\tau_0$ and τ, in some well-typed environment E. Assume that τ is a large type, i.e. that large ∈ label(τ). Let Θ be a set of global hypotheses. We ask that all declared variables x of E occur only in eta-long form, and are either names or only depend on the adversarial tape (i.e. adv(x) ∈ Θ).
The local freshness rule states that if the equality $\llbracket n\;t_0 = t\rrbracket_{M:E}$ holds overwhelmingly often, then we know that $n\;t_0$ must appear somewhere in t's computation. Indeed, if $n\;t_0$ does not appear in t's computation then $\llbracket t\rrbracket_{M:E}$ and $\llbracket n\;t_0\rrbracket_{M:E}$ are independent random variables. Since $\llbracket n\;t_0\rrbracket_{M:E}$ takes values in $\llbracket\tau\rrbracket_M$, which is a large type, it follows that they have a negligible probability of collision.
This idea is captured by the following rule, where $\phi^{n,t_0}_{fresh}(t, t_0)$ is a formula expressing the freshness of $n\;t_0$ in t, $t_0$, defined as in Section IV-A.
where A's running time is polynomial w.r.t. $1^{\eta}$. Moreover, the above must hold for any subterm in $ST_E(t)$, extending the environment if necessary to deal with bound variables (this essentially forces A to follow the same steps as $\llbracket\cdot\rrbracket$).
We now explain how Eq. (32) must be understood when t has a higher-order type. Assume w.l.o.g. that t has type $\tau^t_0 \to \ldots \to \tau^t_l \to \tau$ where τ is a base type. Then A must compute in polynomial time a closure $A(1^{\eta}, e, \rho)$ such that, on any input $(a_i)_{i \in [1;l]} \in (\llbracket\tau^t$

Rules: We present in Fig. 10 a set of rules which allows one to establish that a term can be computed in polynomial time. The rule PT.INPUT is trivial, as x is an input of the machine. PT.APP simply composes the two PPTMs given by the premises. PT.NAME exploits the fact that we required names to be interpreted as polynomial-time computable random samplings. PT.ADV is immediate, since adv(x) requires that x be computable by a PPTM which only accesses the adversarial component of the random tape (note that the PPTIME judgement has no restrictions over the random tapes). Note that we cannot generalise this rule to an arbitrary term t, as we have no guarantee that the machine provided by adv(t) follows the semantics $\llbracket\cdot\rrbracket$. The rule PT.QUANT relies on the fact that if there exists a PPTM B computing t for any input x : τ, and if τ is polynomial, then we can compute ∀(x : τ). t by evaluating B over all values of τ (e.g. with a for loop), which is possible since we required that polynomial base types be enumerable in polynomial time. The rule PT.LAMBDA simply builds a closure around the machine given by the premise. The rule PT.DEF:DELTA is immediate: the machine for the premise already computes t. Finally, PT.WEAK is a simple weakening rule allowing one to remove unused definitions.
Proposition 17. The rules in Fig. 10 are sound.
We already quickly justified the soundness of each rule; we omit the details.
Handling recursive definitions: For now, we did not present any rule allowing us to deal with recursive definitions (PT.DEF:DELTA does not allow dealing with recursive calls, given our set of rules). Designing general-purpose criteria to establish that recursive procedures are polynomial-time goes beyond the scope of this work.
Still, we choose to present a basic criterion which covers the simple case where we have (mutually) recursive functions over finite and fixed types. This result can handle the recursive definitions already in SQUIRREL (e.g. see Example 6), which is all we need for now.

Proposition 18. Let E be an environment such that $E = E_0, (x_i : \tau_i \to \tau'_i = \lambda(y_i : \tau_i).\,t_i)_{i \in [1;n]}$ where $E_0$ contains only variable declarations. Assume that for every i ∈ [1; n], the type $\tau_i$ of the (possibly recursive) defined variable $x_i$ is finite and fixed, i.e. {finite, fixed} ⊆ label($\tau_i$).
Let $(x'_i)_{i \in [1;n]}$ be fresh variable names. If, given input $y_i$, the bodies of the defined variables $(x_i)_{i \in [1;n]}$ are all computable by a PPTM, assuming (by recurrence) that the other defined variables are computable, i.e.

Note that we cannot easily weaken this result to only require that recursion is over values of a type τ for τ polynomial. Indeed, while this would bound the depth of the call tree by a polynomial, this is insufficient. Take:

where || denotes bit-string concatenation and one is the bit-string of length 1 with a single bit set to 1. The function f doubles in size at each recursive call, and we clearly have $|f(\eta)| \approx 2^{\eta}$, which is exponential. Bounding the depth of recursive calls is insufficient: it is necessary to also bound the size of the output of each call.
Proof of Proposition 18 (sketch). Take a model M; then the recursion depth is finite and independent of η. Since all the bodies are computable in polynomial time assuming that the recursive calls have been computed, we compose a finite number of PPTMs, which yields a PPTM.
The (non-adaptive) Indistinguishability under Chosen Ciphertext Attacks (IND-CCA-1) assumption [28] is a standard cryptographic hypothesis, stating that an adversary cannot distinguish the encryption of a message m from the encryption of a string of len m zeros, i.e. zero (len m), even when given access to the public encryption key, and restricted access to a decryption oracle. More precisely, for randomly sampled k and r, an adversary given access to pk k and to a decryption oracle returning the decryption of any ciphertext with k is asked to produce a message m of his choice. He is then provided by a so-called "left-or-right" encryption oracle (which may only be called once) with either aenc m r (pk k) or aenc (zero (len m)) r (pk k). He can afterwards no longer call the decryption oracle, and is asked to guess which ciphertext has been returned. The assumption is that such an attacker cannot do so with a non-negligible advantage.
We capture this assumption, for two distinct indexed names r and k, by the rule

where $\phi^{k}_{key}(u, m, t_r, t_k)$ and $\phi^{r}_{rand}(u, m, t_r, t_k)$ are, similarly to the case of L.EUF, any formulas that imply, respectively:
• the correct use of the key $k\;t_k$: the adversary only has access to the public key and the decryption oracle, meaning that $k\;t_k$ may only appear in pk ($k\;t_k$) or adec _ ($k\;t_k$);
• the correct use of the randomness $r\;t_r$: this random value is sampled by the left-or-right encryption oracle, and thus may not appear anywhere else.
Basically, under these conditions, the challenge ciphertexts encrypting m or zeros cannot be distinguished (even put together with any vector of terms u that also satisfies the conditions). As in the case of rule L.EUF, to formalise these conditions, we need to adapt the notion of generalised subterms to account for the oracles. We define $ST^{cca}_{E,k,t_k}(v)$ recursively just like $ST_E(v)$ (Fig. 1), with exceptions when v is a function application:

We can then formally express the conditions on $\phi^{k}_{key}(u, m, t_r, t_k)$ and $\phi^{r}_{rand}(u, m, t_r, t_k)$. For every model M : E of Θ, every η ∈ N and $\rho \in \mathcal{T}_{M,\eta}$, we require that:
1) if $\llbracket\phi^{k}_{key}(u, m, t_r, t_k)\rrbracket^{\eta,\rho}_{M:E} = 1$ then $\llbracket\forall\alpha.\ \psi \Rightarrow t_k \neq t_0\rrbracket^{\eta,\rho}_{M:E} = 1$ for every $(\alpha, \psi, k\;t_0) \in ST^{cca}_{E,k,t_k}(u, m, t_r, t_k)$;
2) if $\llbracket\phi^{r}_{rand}(u, m, t_r, t_k)\rrbracket^{\eta,\rho}_{M:E} = 1$ then $\llbracket\forall\alpha.\ \psi \Rightarrow t_r \neq t_0\rrbracket^{\eta,\rho}_{M:E} = 1$ for every $(\alpha, \psi, r\;t_0) \in ST^{cca}_{E,k,t_k}(u, m, t_r, t_k)$.
In practice, we effectively compute these two formulas in a way similar to what is explained for the G.EQUIV.FRESH rule in Appendix F-B.
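The two conditions above, restricted to ground first-order terms, as an added example (not the paper's or SQUIRREL's code): the occurrence collection follows the two $ST^{cca}$ exceptions for pk ($k\;t_k$) and adec _ ($k\;t_k$), and each of $\phi^{k}_{key}$ and $\phi^{r}_{rand}$ is returned as the list of index inequalities $t_k \neq t_0$ (resp. $t_r \neq t_0$) it must imply. The term constructors, the symbol names input, att, n, n2, h and the sample context are assumptions of the example; since the terms are ground, every occurrence condition ψ is simply true.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Added illustration of the G.CCA1 side conditions on a ground, binder-free
# term fragment (assumption: no conditionals or binders, so each occurrence
# condition psi is `true` and phi_key / phi_rand reduce to conjunctions of
# inequalities between index terms, modelled here as atomic strings).


@dataclass(frozen=True)
class Name:
    """Indexed name symbol applied to an index term, written `n t`."""
    sym: str
    idx: str


@dataclass(frozen=True)
class App:
    """Function application f(t_1, ..., t_n); a constant is App(f, ())."""
    f: str
    args: Tuple["Term", ...]


Term = Union[Name, App]
Ineq = Tuple[str, str]  # (t_target, t_0) stands for the conjunct t_target != t_0


def _is_key(t: Term, key: str) -> bool:
    return isinstance(t, Name) and t.sym == key


def cca_occurrences(t: Term, sym: str, key: str) -> List[str]:
    """ST^cca restricted to the name `sym`: the index terms t_0 of every
    occurrence `sym t_0` not already accounted for by the IND-CCA1 oracles.
    The two exceptions of the rule (function symbols pk and adec assumed):
      - pk(key t_0): the public key is handed to the adversary, not recorded;
      - adec(c, key t_0): a decryption-oracle query; key not recorded, c scanned.
    The randomness symbol gets no exception: any occurrence in the context
    (i.e. outside the single challenge ciphertext) must use another index."""
    if isinstance(t, Name):
        return [t.idx] if t.sym == sym else []
    if t.f == "pk" and len(t.args) == 1 and _is_key(t.args[0], key):
        return []
    if t.f == "adec" and len(t.args) == 2 and _is_key(t.args[1], key):
        return cca_occurrences(t.args[0], sym, key)
    return [i for a in t.args for i in cca_occurrences(a, sym, key)]


def cca1_side_conditions(u: List[Term], m: Term, t_r: str, t_k: str,
                         r: str = "r", k: str = "k") -> Tuple[List[Ineq], List[Ineq]]:
    """phi_key(u, m, t_r, t_k) and phi_rand(u, m, t_r, t_k), each as the list
    of inequalities it must imply (an empty list is the formula `true`).
    The index terms t_r and t_k are atomic here, so they contain no names."""
    context: List[Term] = list(u) + [m]
    phi_key = [(t_k, t0) for t in context for t0 in cca_occurrences(t, k, k)]
    phi_rand = [(t_r, t0) for t in context for t0 in cca_occurrences(t, r, k)]
    return phi_key, phi_rand


def holds_with_distinct_indices(conds: List[Ineq]) -> bool:
    """Decide a conjunction of index inequalities under the assumption
    (of this example) that distinct index constants denote distinct values."""
    return all(a != b for a, b in conds)


# Constructed context: the honest party publishes pk(k i), decrypts an
# adversarial input under k i, and emits one more encryption under a
# different randomness r j2. The challenge uses r j and k i.
K_I = Name("k", "i")
INPUT = App("input", ())
GOOD_U: List[Term] = [
    App("pk", (K_I,)),
    App("adec", (INPUT, K_I)),
    App("aenc", (App("n", ()), Name("r", "j2"), App("pk", (K_I,)))),
]
CHALLENGE_M: Term = App("att", (INPUT,))  # adversarially chosen plaintext

# Same context plus two misuses: the key is hashed directly, and the
# challenge randomness r j is reused for another encryption.
BAD_U: List[Term] = GOOD_U + [
    App("h", (K_I,)),
    App("aenc", (App("n2", ()), Name("r", "j"), App("pk", (K_I,)))),
]


def check_good() -> Tuple[List[Ineq], List[Ineq]]:
    return cca1_side_conditions(GOOD_U, CHALLENGE_M, t_r="j", t_k="i")


def check_bad() -> Tuple[List[Ineq], List[Ineq]]:
    return cca1_side_conditions(BAD_U, CHALLENGE_M, t_r="j", t_k="i")
```

For the good context, phi_key is `true` and phi_rand is the single conjunct j ≠ j2; the bad context yields the unsatisfiable conjuncts i ≠ i and j ≠ j, so the rule cannot be applied.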
Proposition 19. The rule G.CCA1 is sound.
That proposition is proved similarly to the soundness proofs for the previous two cryptographic rules.
Symmetric case: The rule above applies in the case of asymmetric encryption.A corresponding rule, though slightly more complex, can be written in the case of symmetric encryption.
In that case, the attacker does not get access to the encryption key, since it is the same as the decryption key. Instead, he has access to an additional oracle, which encrypts any message and can be called any number of times, at any point. This slightly changes the definition of $ST^{cca}_{E,k,t_k}(\cdot)$, to account for this additional oracle, in the expected way: occurrences of the key as third argument of the encryption function are not recorded. We must also add another condition, similar to $\phi^{r}_{rand}(\cdot)$, to ensure that the same randomness is never used to encrypt two different plaintexts; indeed, encryptions can only be computed by the oracle, which samples a fresh random value each time.
Source code: Our paper comes with accompanying open source code and examples, made available in the SQUIRREL repository: https://github.com/squirrel-prover/squirrel-prover/

Figure 3. Selected rules relating local and global connectives.

Figure 6. Typing rules for local terms and global formulas.

E; Θ; α, $(x'_i)_{i \in [1;n]}$, $y_i \vdash_{pptm} (t_i\{x_i \to x'_i \mid i \in [1;n]\})$, then the following rule is sound:

PT.DEF:REC-FINITE: from E; Θ; α, $(x_i)_{i \in [1;n]} \vdash_{pptm} s$ conclude E; Θ; α $\vdash_{pptm} s$.

[Fragment of the well-founded environment conditions:] $[1;n]$ where $E_0$ contains only declarations;
• for each i, j ∈ [1; n], $x_i$ only occurs in $\lambda x.\,t_j$ in subterms of the form $(x_i\;t')$ with $fv(t') \cap \{x_1, \ldots, x_n\} = \emptyset$;
• for each η ∈ N, there exists a well-founded order < over

A global judgement E; Θ ⊢ F comprises a set of global formulas Θ as hypotheses and a global formula F as goal, and a local judgement E; Θ; Γ ⊢ φ comprises a set of global hypotheses Θ, a set of local formulas Γ as local hypotheses, and a local formula φ as goal. A global judgement E; Θ ⊢ F is valid iff ∧Θ ⇒ F is satisfied by all models of E. Similarly, a local judgement E; Θ; Γ ⊢ φ is valid iff ∧Θ ⇒ [∧Γ ⇒ φ] is satisfied by all models of E.