Proving Noninterference by a Fully Complete Translation to the Simply Typed lambda-calculus
Tse and Zdancewic have formalized the notion of noninterference for Abadi et al.'s DCC in terms of logical relations and given a proof of noninterference by reduction to parametricity of System F. Unfortunately, their proof contains errors in a key lemma, which states that their translation from DCC to System F preserves the logical relations defined for both calculi; in fact, we have found a counterexample to it. In this article, instead of DCC, we prove noninterference for the sealing calculus, a new variant of DCC, by reduction to the basic lemma of a logical relation for the simply typed lambda-calculus, using a fully complete translation to the simply typed lambda-calculus. Full completeness plays an important role in showing preservation of the two logical relations through the translation. We also investigate the relationship among the sealing calculus, DCC, and an extension of DCC by Tse and Zdancewic, and show that the first and the last of the three are equivalent.
💡 Research Summary
The paper addresses a critical flaw in the existing proof of non‑interference for the Dependency Core Calculus (DCC) as presented by Tse and Zdancewic. Their approach reduced DCC to System F and relied on the parametricity of System F to obtain non‑interference. The central lemma of their work claimed that the logical relation defined for DCC is preserved under the translation to System F. The authors of the current paper exhibit a concrete counter‑example showing that this preservation does not hold, thereby invalidating the original proof.
In response, the authors introduce a new calculus called sealing calculus, which retains the essential security mechanisms of DCC—namely, label‑based dependency tracking and the seal/unseal primitives—while simplifying the type structure to make a clean translation possible. The sealing calculus is equipped with (i) a set of base types, function types, and sealed types indexed by security labels, (ii) term constructors for variables, λ‑abstractions, applications, and the seal/unseal operations, and (iii) typing rules that enforce label flow constraints (high‑security data cannot flow to low‑security contexts).
The core technical contribution is a fully complete and fully abstract translation from sealing calculus to the simply‑typed λ‑calculus. The translation function ⟦·⟧ maps each sealing‑calculus type to a simple type and encodes seal_ℓ e as a higher‑order function that expects a “key” of type ℓ→α, while unseal_ℓ e is translated to the application of that key to the translated term. Two crucial properties are proved:
- Full Completeness – Every closed, well‑typed term of sealing calculus translates to a closed, well‑typed term of the simply‑typed λ‑calculus that preserves operational behavior (normal forms correspond).
- Full Abstraction – Observational equivalence in the target λ‑calculus reflects back to observational equivalence in the source sealing calculus; no new distinctions are introduced by the translation.
With these properties, the authors can transfer the basic lemma of logical relations from the simply‑typed λ‑calculus to sealing calculus. The basic lemma states that the logical relation is closed under λ‑abstraction and application for all simple types. Because the translation is both complete and abstract, the logical relation defined on sealing calculus terms is exactly the pre‑image of the λ‑calculus logical relation. Consequently, the non‑interference theorem follows directly from the basic lemma applied in the target language, avoiding the intricate parametricity arguments required for System F.
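To make the calculus of the second paragraph, the key‑based translation, and the transfer of typing into the target concrete, here is an added illustration in Python. It is written for this page and is not the paper's calculus, translation, or proof: the typing rules (a protection context `pc` that records which labels the current code may unseal, with `seal_ℓ` unlocking ℓ for its body), the target base type `Key ℓ`, the translation of a sealed type `[ℓ]τ` to `Key ℓ → τ`, the reserved key‑variable names, and the two sample programs are all simplifications chosen here. What it shows is the mechanism the summary describes: a program that tries to publish H‑sealed data under the public label L is rejected by the source type checker, and its translation is rejected by the plain STLC checker for an ordinary reason (the key variable for H is not in scope under `seal_L`), while a safe program translates to a well‑typed STLC term whose type is the translation of its source type.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Union

# ---- Types. TSeal is source-only ([l]tau); TKey is target-only. ---------
@dataclass(frozen=True)
class TInt:
    pass

@dataclass(frozen=True)
class TFun:
    arg: "Ty"
    res: "Ty"

@dataclass(frozen=True)
class TSeal:            # [l]tau: a tau value sealed at security label l
    label: str
    inner: "Ty"

@dataclass(frozen=True)
class TKey:             # hypothetical base type of the key that opens seals at l
    label: str

Ty = Union[TInt, TFun, TSeal, TKey]

# ---- Terms. Seal/Unseal are source-only; the rest is shared with STLC. --
@dataclass(frozen=True)
class Const:
    value: int

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    name: str
    ty: Ty
    body: "Tm"

@dataclass(frozen=True)
class App:
    fn: "Tm"
    arg: "Tm"

@dataclass(frozen=True)
class Seal:
    label: str
    body: "Tm"

@dataclass(frozen=True)
class Unseal:
    label: str
    body: "Tm"

Tm = Union[Const, Var, Lam, App, Seal, Unseal]

class IllTyped(Exception):
    pass

def typeof(e: Tm, env: Dict[str, Ty], pc: Optional[FrozenSet[str]]) -> Ty:
    """Gamma; pc |- e : tau (simplified rules chosen for this illustration).
    pc is the protection context: the labels the current code may unseal.
    pc=None switches to plain STLC, where Seal/Unseal are not terms at all."""
    if isinstance(e, Const):
        return TInt()
    if isinstance(e, Var):
        if e.name not in env:
            raise IllTyped(f"unbound variable {e.name}")
        return env[e.name]
    if isinstance(e, Lam):
        return TFun(e.ty, typeof(e.body, {**env, e.name: e.ty}, pc))
    if isinstance(e, App):
        f, a = typeof(e.fn, env, pc), typeof(e.arg, env, pc)
        if not (isinstance(f, TFun) and f.arg == a):
            raise IllTyped("argument type mismatch")
        return f.res
    if pc is None:
        raise IllTyped(f"{type(e).__name__} is not an STLC term")
    if isinstance(e, Seal):
        # Data sealed at l may depend on other l-sealed data: unlock l inside.
        return TSeal(e.label, typeof(e.body, env, pc | {e.label}))
    if isinstance(e, Unseal):
        if e.label not in pc:
            raise IllTyped(f"cannot unseal {e.label} in context {sorted(pc)}")
        t = typeof(e.body, env, pc)
        if not (isinstance(t, TSeal) and t.label == e.label):
            raise IllTyped(f"unseal {e.label} applied to a value of type {t}")
        return t.inner
    raise IllTyped("unknown term")

def key(label: str) -> str:
    return "$key:" + label      # '$' keeps key names apart from user variables

def tr_ty(t: Ty) -> Ty:
    """[[int]] = int, [[s->t]] = [[s]]->[[t]], [[[l]t]] = Key l -> [[t]]."""
    if isinstance(t, TFun):
        return TFun(tr_ty(t.arg), tr_ty(t.res))
    if isinstance(t, TSeal):
        return TFun(TKey(t.label), tr_ty(t.inner))
    return t

def tr(e: Tm) -> Tm:
    """seal_l e becomes a function waiting for the key of l; unseal_l e
    applies e to that key, which is only in scope under some seal_l."""
    if isinstance(e, Lam):
        return Lam(e.name, tr_ty(e.ty), tr(e.body))
    if isinstance(e, App):
        return App(tr(e.fn), tr(e.arg))
    if isinstance(e, Seal):
        return Lam(key(e.label), TKey(e.label), tr(e.body))
    if isinstance(e, Unseal):
        return App(tr(e.body), Var(key(e.label)))
    return e

def rejected(e: Tm, pc: Optional[FrozenSet[str]]) -> bool:
    """True if the closed term e fails to type-check (source if pc is a set, STLC if None)."""
    try:
        typeof(e, {}, pc)
        return False
    except IllTyped:
        return True

# Constructed sample programs over a secret label H and a public label L.
SECRET_INT = TSeal("H", TInt())
safe = Lam("x", SECRET_INT, Seal("H", Unseal("H", Var("x"))))   # [H]int -> [H]int
leak = Lam("x", SECRET_INT, Seal("L", Unseal("H", Var("x"))))   # tries to publish H data

if __name__ == "__main__":
    src = typeof(safe, {}, frozenset())
    tgt = typeof(tr(safe), {}, None)
    print("source type:", src)
    print("target type:", tgt, "| equals [[source type]]:", tgt == tr_ty(src))
    print("leak rejected in source:", rejected(leak, frozenset()),
          "| rejected in target:", rejected(tr(leak), None))
```

The point of the translation is visible in `rejected(tr(leak), None)`: the source side refuses `unseal_H` because H is not in the protection context, and the target side refuses the same program because `$key:H` is an unbound variable. Label‑flow constraints have become ordinary λ‑calculus scoping, which is exactly what lets a logical‑relation argument about the simply typed λ‑calculus say something about the security‑typed source.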
Beyond the main proof, the paper conducts a systematic comparison among three systems:
- Original DCC – the classic calculus with dependency labels and a modest set of primitives.
- Sealing Calculus – the new variant introduced here.
- Extended DCC (Tse‑Zdancewic) – the version enriched with additional flow‑sensitive constructs used in the flawed proof.
The authors demonstrate that sealing calculus and the extended DCC are semantically equivalent: each can be encoded into the other preserving typing and operational semantics, and both enforce the same security guarantees. In contrast, the original DCC is strictly weaker in expressive power (it cannot directly encode some of the extended flow‑sensitive constructs), but it can be embedded into sealing calculus via a straightforward encoding. This establishes a hierarchy where sealing calculus serves as a unifying framework that captures both the original and the extended systems.
The significance of the work lies in several dimensions:
- Methodological Simplicity – By reducing the security proof to the simply‑typed λ‑calculus, the authors exploit a well‑understood meta‑theory (logical relations for simple types) instead of the more complex parametricity of System F.
- Reliability of Translation‑Based Proofs – The introduction of full completeness and full abstraction as explicit criteria ensures that the translation does not inadvertently lose or gain security‑relevant distinctions, a pitfall that plagued the earlier DCC‑to‑System F reduction.
- Broader Applicability – The technique of constructing a fully complete translation to a minimal core language could be applied to other security‑typed calculi, offering a template for robust non‑interference proofs.
- Clarification of the Landscape – By precisely relating DCC, sealing calculus, and the extended DCC, the paper clarifies the expressive boundaries and shows that the essential security ideas can be captured in a simpler calculus without sacrificing power.
In conclusion, the paper not only repairs a critical error in the literature but also provides a cleaner, more trustworthy proof of non‑interference for a DCC‑like language. The fully complete translation to the simply‑typed λ‑calculus serves as a powerful bridge, allowing the well‑established logical‑relation machinery of the λ‑calculus to certify security properties of richer, label‑oriented languages. This contribution advances the state of the art in formal security verification and sets a precedent for future work on translation‑based proofs.