From Qualitative to Quantitative Proofs of Security Properties Using First-Order Conditional Logic
A first-order conditional logic is considered, with semantics given by a variant of epsilon-semantics, where p -> q means that Pr(q | p) approaches 1 super-polynomially, i.e. faster than any inverse polynomial. This type of convergence is needed for reasoning about security protocols. A complete axiomatization is provided for this semantics, and it is shown how a qualitative proof of the correctness of a security protocol can be automatically converted to a quantitative proof appropriate for reasoning about concrete security.
💡 Research Summary
The paper addresses a long‑standing gap between qualitative reasoning about security protocols and the quantitative guarantees required for concrete security analysis. Traditional conditional logics used in protocol verification treat an implication “p → q” as a statement that “q holds with overwhelming probability given p,” but they only guarantee convergence of the conditional probability to 1 in the limit, without specifying the rate of convergence. In cryptographic practice, however, one needs a much stronger guarantee: the failure probability must decrease faster than any inverse polynomial in the security parameter (often denoted n, e.g., key length). This requirement is essential for proving that a protocol remains secure even when an adversary can run a super‑polynomial number of attacks.
To meet this need, the authors introduce a variant of ε‑semantics in which “p → q” is interpreted as follows: for every polynomial poly(n) there exists a threshold N such that for all n ≥ N, the conditional probability satisfies Pr(q | p) ≥ 1 − 1/poly(n). In other words, the conditional probability approaches 1 super‑polynomially, i.e., faster than any inverse polynomial. This notion of “super‑polynomial convergence” captures the cryptographic intuition of negligible failure probability.
The paper then develops a complete axiomatization for first‑order conditional logic under this semantics. The language extends ordinary first‑order logic with a conditional operator “→”. The axiom system retains the usual first‑order axioms (e.g., equality, quantifier rules) and adds several conditional rules:
- Conditional Transitivity – from p → q and q → r infer p → r, preserving the super‑polynomial bound.
- Conditional Strengthening – from p and p → q infer q, mirroring modus ponens in the probabilistic setting.
- Conditional Conjunction – from p → q and p → r infer p → (q ∧ r).
- Super‑Polynomial Limit Rule – if each premise converges super‑polynomially, then so does any derived implication.
The authors prove soundness (all derivable formulas are true in the ε‑semantics) and completeness (every semantically true formula is derivable). The completeness proof adapts canonical model constructions to the probabilistic setting, carefully handling the interaction between quantifiers and the conditional operator.
The most practical contribution is an algorithm that automatically converts a qualitative proof—a proof that uses only the abstract “almost surely” interpretation of →—into a quantitative proof that explicitly states a concrete bound ε(n) on the failure probability. The conversion proceeds in four steps:
- Extraction – collect all conditional statements used in the qualitative proof.
- Rate Estimation – for each statement, determine the minimal polynomial degree required to satisfy the super‑polynomial convergence condition, based on the underlying cryptographic assumptions (e.g., hardness of discrete logarithm).
- Bound Construction – synthesize a function ε(n) = 1 / n^k (or a sum of such terms) that simultaneously satisfies all estimated rates.
- Re‑derivation – rebuild the proof using the quantitative axioms, now annotated with the explicit ε(n) bound at each step.
Because the algorithm works on the syntactic structure of the proof, it can be integrated with existing automated verification tools such as ProVerif or Tamarin. The authors demonstrate the workflow on several classic protocols, including the Needham‑Schroeder public‑key protocol and a simplified TLS handshake. In each case, the qualitative proof that the protocol satisfies authentication is transformed into a quantitative statement of the form “the probability of a successful man‑in‑the‑middle attack is at most 1/n^k for security parameter n.” This directly informs designers how large n must be to achieve a target concrete security level (e.g., ≤2⁻⁸⁰).
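The four conversion steps and the parameter-sizing question above, as an added example that is not code from the paper: a constructed three-step qualitative proof (hypothetical conditionals such as "run -> fresh", with made-up rates standing in for step 2's estimates) is re-derived with explicit bounds, and the resulting ε(n) is solved for the smallest n meeting a 2⁻⁸⁰ target. It assumes bounds compose by the union bound, which is exact for conjunction and for transitivity in its Cut form (p → q and p ∧ q → r give p → r).

```python
from fractions import Fraction
# A failure bound eps(n) = sum of coef / n**deg is stored as {deg: coef} with
# deg >= 1, so every bound is decreasing in the security parameter n.
def add_bounds(a, b):
    """Union bound Pr[A or B] <= Pr[A] + Pr[B], added term by term."""
    out = dict(a)
    for deg, coef in b.items():
        out[deg] = out.get(deg, 0) + coef
    return out

def eval_bound(bound, n):
    return sum(Fraction(coef, n ** deg) for deg, coef in bound.items())
def rederive(proof, assumptions):
    """Step 4: replay the qualitative proof, attaching an explicit eps(n) to each
    derived conditional.  Either rule's conclusion can only fail if a premise fails,
    so the union bound applies (exact for transitivity in its Cut form, assumed)."""
    bounds = dict(assumptions)
    for conclusion, rule, premises in proof:
        if rule not in ("transitivity", "conjunction"):
            raise ValueError(f"unsupported rule {rule}")
        total = {}
        for premise in premises:          # KeyError if a premise was never derived
            total = add_bounds(total, bounds[premise])
        bounds[conclusion] = total
    return bounds

def min_security_parameter(bound, target_log2):
    """Smallest n >= 1 with eps(n) <= 2**-target_log2 (doubling, then bisection)."""
    target = Fraction(1, 2 ** target_log2)
    lo, hi = 0, 1                         # invariant: eps(lo) > target (vacuous at 0)
    while eval_bound(bound, hi) > target:
        lo, hi = hi, 2 * hi
    while hi - lo > 1:                    # now eps(lo) > target >= eps(hi)
        mid = (lo + hi) // 2
        lo, hi = (lo, mid) if eval_bound(bound, mid) <= target else (mid, hi)
    return hi

# Constructed input: step 1 collected three conditionals, step 2 estimated their
# rates (degrees are illustrative, not taken from any real hardness assumption).
ASSUMPTIONS = {"run -> fresh": {2: 1},       # 1/n^2
               "fresh -> secret": {3: 1},    # 1/n^3
               "secret -> auth": {2: 2}}     # 2/n^2
PROOF = [  # the qualitative proof as (conclusion, rule, premises)
    ("run -> secret", "transitivity", ["run -> fresh", "fresh -> secret"]),
    ("run -> auth", "transitivity", ["run -> secret", "secret -> auth"]),
    ("run -> secret and auth", "conjunction", ["run -> secret", "run -> auth"]),
]
def worked_example(target_log2=80):
    """Step 3 result for PROOF: eps(n) = 4/n^2 + 2/n^3, reaching 2**-80 at n = 2**41 + 1."""
    final = rederive(PROOF, ASSUMPTIONS)["run -> secret and auth"]
    return final, min_security_parameter(final, target_log2)
```

Because the bound is a fixed inverse polynomial rather than a negligible function, the computed n is the threshold for the chosen rate only; a stricter target degree would need the rates from step 2 to be re-estimated.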
The paper concludes by emphasizing that the bridge from qualitative to quantitative reasoning enables a seamless pipeline: protocol designers can first reason abstractly about correctness, then automatically obtain concrete security parameters without manual probability calculations. Future work is suggested on extending the framework to multi‑session protocols, adaptive adversaries, and to other security notions such as confidentiality and information‑flow guarantees.