1 Introduction

Attestation logics [1, 14, 21, 15, 6, 5, 29] have been used for the specification of policies of distributed systems, such as access control systems [1], distributed authorization policies [14, 21], and evidential transactions (ETs) [15, 5, 6, 6, 29]. In these logics, one specifies policies involving attestation formulas of the form \(\mathsf {K} \mathop {:\rhd }F\), where \(\mathsf {K} \) is a principal (or agent) in the system.

Cyberlogic is an attestation logic for ETs. In Cyberlogic, cryptographic keys \(\mathsf {K} \) are identified with specific authorities, and attestations \(\mathsf {K} \mathop {:\rhd }A\) express the fact that principal \(\mathsf {K} \) attests to statement A. For example, \(\mathsf {K} \) may be a visa-granting authority and A the statement that the visa requester is authorized to enter the specified country by the end of the year and at most once. An evidential transaction might issue a visa given that proof of sufficient funds has been provided in the form of a digital certificate whose validity can then be verified by customs authorities upon entry.

Formally, evidence in ETs can be expressed as a Cyberlogic proof. To carry out an ET, a Cyberlogic proof demonstrating policy compliance shall be produced and communicated. ETs therefore enable trust in, for example, distributed exchanges in electronic commerce, by enabling the exchange of various forms of verifiable evidence, such as evidence of funds in the visa example above.

The problem of producing attestation logic proofs (and proof objects) has not been given enough attention so far. Attestation logics have been formalized as Hilbert-style proof systems [1, 15] that do not have the sub-formula property and therefore are not suitable for proof search. Other works on authorization logics [14, 21] have proposed sequent calculi which do possess the sub-formula property. However, the search space is too great to enable efficient proof search.

The established proof-theoretic method for proof search is focusing [3, 18]. Focusing distinguishes between inference rules that have “don’t know” and “don’t care” non-determinism to prune the proof search space. Interestingly, focused proof systems [7, 18] provide a proof-theoretical justification for backward and forward-chaining, two proof-search strategies for Horn clauses (logic programs). Such justification, however, breaks when programs contain modalities, such as attestation modalities, i.e., formulas of the form \(\mathsf {K} \mathop {:\rhd }F\). This is because focusing is lost whenever any of these formulas is encountered and therefore, improvements to the search space because of focusing is not so significant for attestation logics.

Our main goal is the study of Cyberlogic’s proof theory in order to enable proof search (similar to the search involved in logic programming) and the generation of proof certificates for the communication of evidence in ETs.

Our first contribution, detailed in Section 2, is a Gentzen style proof system for Cyberlogic that admits cut elimination. A feature of the proof system is that it enables the combination of evidence represented as logical derivations as well as digital evidence, e.g., signed hashes of documents, financial statements, medical records. The logic also includes a knowledge operator for sets of principals.

Our second contribution, detailed in Section 3, is the identification of a fragment of Cyberlogic, called Cyberlogic programs, akin to Horn clauses used in logic programming. This is motivated by the ongoing work on building distributed logic programming engines for ETs which extend existing engines [10] with attestations of the form \(\mathsf {K} \mathop {:\rhd }A\).

Our third contribution, also detailed in Section 3, addresses the challenge of how to efficiently construct Cyberlogic program proofs. We propose a focused inspired proof system for Cyberlogic programs and prove that it is sound and complete in this fragment. This system enables more efficient proof search.

Our last contribution, detailed in Section 4, addresses the challenge of how to efficiently communicate evidence. We propose a proof certificate format for Cyberlogic programs inspired by Foundational Proof Certificates (FPCs) [9]. FPCs enable the reconstruction of proofs by using simple logic programs as guides. This means that such certificates can elide parts that can be easily reconstructed or which one is willing to reconstruct.

2 Cyberlogic Proof Theory

Cyberlogic [29] is an intuitionistic modal logic which can be used for specifying ETs. The logic is parametrized by a finite set of principals \(\mathcal {K}= \{\mathsf {K} _1, \ldots , \mathsf {K} _n\}\), which are used in formulas as follows:

  • \(\mathsf {K} _i \mathop {:\rhd }F\): meaning that principal \(\mathsf {K} _i\) attests the (Cyberlogic) formula F;

  • \(\mathsf {kb}_\mathcal {Q}F\), where \(\mathcal {Q}\subseteq \mathcal {K}\): meaning that all principals in \(\mathcal {Q}\) know F, or, alternatively, that the combined knowledge of principals in \(\mathcal {Q}\) imply F; and

  • \(\mathsf {evidence}_{\mathsf {K} _i} A\): standing for an external evidence signed by principal \(\mathsf {K} _i\).

External evidences are left unspecified since they fall outside the logical scope and depend on the ET being formalized. For example, \(\mathsf {evidence}_{\mathsf {K} _i} A\) could be signed hashes of tickets, financial statments, medical records, etc. In Cyberlogic the evidence associated with an ET is a combination of a formal proof (in sequent calculus) and a collection of external evidences.

Cyberlogic formulas are constructed according to the following grammar:

$$ F, G {:}{:}= A \mid F \wedge G \mid F \vee G \mid F \supset G \mid \top \mid \bot \mid \mathsf {K} \mathop {:\rhd }F \mid \mathsf {kb}_{\mathcal {Q}} F \mid \forall x. F \mid \exists x. F $$

where A is an atom, \(\mathsf {K} \in \mathcal {K}\), and \(\mathcal {Q}\subseteq \mathcal {K}\). The formula \(\mathsf {K} \mathop {:\rhd }F\) is read as “principal \(\mathsf {K} \) attests F” and acts like the says modality in lax logics [13, 27]. The formula \(\mathsf {kb}_{\mathcal {Q}} F\) is read as “principals in \(\mathcal {Q}\) know F” and is inspired by the knows modality used in linear authorization logics [14, 21]. Different from that logic, Cyberlogic allows the direct specification of knowledge shared by multiple principals, as illustrated in Example 1.

Fig. 1.
figure 1

\(\textsf {CL}_\mathcal {K}\) – Cyberlogic proof system for \(\mathcal {K}= \{\mathsf {K} _1, \ldots , \mathsf {K} _n\}\). Here A is an atomic formula, \(\mathcal {Q}\subseteq \mathcal {K}\), and \(\varGamma \mid _\mathcal {Q}= \{ \mathsf {kb}_{\mathcal {Q}'} F \mid \mathsf {kb}_{\mathcal {Q}'} F \in \varGamma \wedge \mathcal {Q}' \subseteq \mathcal {Q}\}\). Moreover, in rules \(\exists _L\) and \(\forall _R\), \(\alpha \) is a fresh constant not appearing in \(\varGamma \) nor F.

Cyberlogic sequents are of the shape \(\varGamma \longrightarrow G\), where \(\varGamma \) is a multiset of formulas. The Cyberlogic proof system, \(\textsf {CL}_\mathcal {K}\), is depicted in Figure 1. Rules for the intuitionistic connectives \(\wedge , \vee , \supset , \forall , \exists \) are as in LJ [30]. The new rules are the ones involving assertions \(\mathsf {K} \mathop {:\rhd }F\) and \(\mathsf {kb}_\mathcal {Q}\). Note that a “built-in” contraction of the main formula is needed on the left premise of \(\supset _l\) and the premise of \(\forall _l\), as expected in intuitionistic logics. Also, the rule \(\mathsf {kb}_l\) has an explicit contraction on the premise. These contractions are needed for cut admissibility (Theorem 2).

Rules \(\mathop {:\rhd }\nolimits _{l}\) and \(\mathop {:\rhd }\nolimits _{r}\) specify that \(\mathop {:\rhd }\) is a lax modality [27, 21, 24]. The intuition behind \(\mathop {:\rhd }\nolimits _{l}\) is: if an assertion G of a principal \(\mathsf {K} \) is provable using F, then it is also provable if \(\mathsf {K} \) attests F. Rule \(\mathop {:\rhd }\nolimits _{r}\) specifies that principals are rational, i.e., they can always attest formulas that are derivable. Differently from existing systems with lax modalities, \(\textsf {CL}_\mathcal {K}\) has the rule \(\mathsf {ext}\). This rule allows a proof of an attestation \(\mathsf {K} \mathop {:\rhd }A\) to be completed whenever a principal provides evidence \(\mathsf {evidence}_\mathsf {K} A\) for the claim A. This formalizes the intuition that principals may use digital evidence signed by their private key. We leave the definition of evidence unspecified as it depends on the intended ET specified.

Rules \(\mathsf {kb}_l\) and \(\mathsf {kb}_r\) refine Cyberlogic by enabling the collection of logical theories known by a set of principals. Such theories act as knowledge bases. Rule \(\mathsf {kb}_l\) specifies that any common knowledge can be part of a knowledge base. The interesting rule is \(\mathsf {kb}_r\), which specifies that \(\mathsf {kb}_\mathcal {Q}F\) can only be proved using the local knowledge or evidence provided by principals in \(\mathcal {Q}\). This is formally captured by restricting \(\varGamma \) in \(\mathsf {kb}_r\)’s premise to the set \(\varGamma \mid _\mathcal {Q}= \{ \mathsf {kb}_{\mathcal {Q}'} F \mid \mathsf {kb}_{\mathcal {Q}'} F \in \varGamma \wedge \mathcal {Q}' \subseteq \mathcal {Q}\}\). This is a powerful construct that increases the expressiveness of Cyberlogic. In particular, it is straightforward to specify that certain assertions can be concluded from the shared knowledge of a set of principals.

Proposition 1

The following sequents are provable in \(\textsf {CL}_\mathcal {K}\) for all \(\mathsf {K} \in \mathcal {K}\) and formulas \(F_1, F_2\). \(F_1 \equiv F_2\) represents the sequents \((F_1 \longrightarrow F_2)\) and \((F_2 \longrightarrow F_1)\):

figure a

Moreover, the following sequents are not provable if \(\mathsf {K} _1 \ne \mathsf {K} _2\) and \(\mathcal {Q}_1 \ne \mathcal {Q}_2\):

figure b

In the remainder of the paper, we elide the set of principals \(\mathcal {K}\) whenever it can be deduced from the context.

Example 1

(Shared Knowledge) The ability to use \(\mathsf {kb}\) with multiple principals allows the derivation of facts that depend on the combination of knowledge of multiple principals. Consider that principal \(\mathsf {K} _1\) knows A and \(B \supset C\), and principal \(\mathsf {K} _2\) knows \(A \supset B\), then the following sequent is provable in \(\textsf {CL}\):

$$ \mathsf {kb}_{\{\mathsf {K} _1\}} A, \mathsf {kb}_{\{\mathsf {K} _1\}} B \supset C, \mathsf {kb}_{\{\mathsf {K} _2\}} A \supset B \longrightarrow \mathsf {kb}_{\{\mathsf {K} _1, \mathsf {K} _2\}} C $$

Remark 1

The original Cyberlogic paper [5] (and technical report [4]) proposed two kinds of attestations, \(\mathop {:\rhd }\) and \(\rhd \), to distinguish when an attestation is derived from a digital evidence or logical inferences. This combination, however, does not yield to a proof system with the cut-elimination property [28].

The meta-theory of \(\textsf {CL}\) has been analysed using the L-framework [25], which uses rewriting logic to automatically derive structural proofs of sequent calculi properties [26]. The following lemma was used in the proofs of cut-elimination and invertibility.

Lemma 1

If \(\varGamma , \mathsf {K} \mathop {:\rhd }F \longrightarrow G\), then \(\varGamma , F \longrightarrow G\).

The proof proceeds by structural induction on the derivation of \(\varGamma , \mathsf {K} \mathop {:\rhd }F \longrightarrow G\). The proof has been mechanically checked using the the L-framework with some few cases proved by hand.

As expected, \(\supset _r, \wedge _r, \wedge _l, \vee _l, \forall _r, \exists _l\) are invertible whereas \(\vee _r, \supset _l, \forall _l, \exists _r\) are not invertible. In addition, the rules \(\mathop {:\rhd }\nolimits _{l}\) and \(\mathsf {kb}_l\) are invertible whereas the \(\mathop {:\rhd }\nolimits _{r}\) and \(\mathsf {kb}_r\) are not invertible.

Lemma 2

If \(\varGamma , \mathsf {K} \mathop {:\rhd }F \longrightarrow \mathsf {K} \mathop {:\rhd }G\) then \(\varGamma , F \longrightarrow \mathsf {K} \mathop {:\rhd }G\).

This is a simple corollary of Lemma 1. Invertibility of \(\mathsf {kb}_l\) is straighforward because of the contraction of the main formula.

Rules \(\mathop {:\rhd }\nolimits _{r}\) and \(\mathsf {kb}_r\) are not invertible. The counter examples are:

Weakening is height perserving admissible in \(\textsf {CL}\).

Theorem 1

(Identity expansion).  \(F \longrightarrow F\) is provable in \(\textsf {CL}\) for any cyberlogic formula F.

The proof is by structural induction on F.

Theorem 2

(Cut elimination). If \(\varGamma \longrightarrow F\) and \(\varGamma , F \longrightarrow C\), then \(\varGamma \longrightarrow C\).

The proof proceeds by a nested induction on the structure of the proofs of \(\varGamma \longrightarrow F\) and \(\varGamma , F \longrightarrow C\), and the formula F. The noteworthy cases are the ones where cut needs to permute over \(\mathsf {kb}\) rules. For \(\mathsf {kb}_l\), contraction of the main formula is needed, and the permutation over \(\mathsf {kb}_r\) can be done only if cut is principal on the left (which is a lemma that can be proved). Details about these transformations are in Appendix A.

3 Cyberlogic Programs

Cyberlogic programs are fragment of \(\textsf {CL}\) which resembles Horn clauses in logic programming. Section 3.2 proposes a proof search operational semantics for cyberlogic programs and proves its soundness and completeness. The proof search discipline relies on ideas from focusing [3]. Focused proof systems for LJ [18] provide a proof theoretical justification of forward and backward chaining search. Each technique is enforced by the choice of polarity of atomic formulas: positive atoms lead to forward chaining and negative atoms lead to backward chaining. This correspondence, however, does not extend to cyberlogic due to attestation formulas \(\mathsf {K} \mathop {:\rhd }A\) which cause focusing to be lost [21]. Consider the following example where the formula under focus is in brackets:

In focused proof systems, forward chaining can be enforced by disallowing focus to be lost on the right formula in the left premise, i.e. \([\mathsf {K} _1 \mathop {:\rhd }a]\). However, if \(\mathop {:\rhd }\nolimits _{r}\) is applied to this sequent the premise would be \(\mathsf {K} _1 \mathop {:\rhd }a \longrightarrow a\), which is not provable (see Proposition 1). In fact, \([\mathsf {K} _1 \mathop {:\rhd }a]\) must lose focus on the right for the proof to be completed. Therefore, if \(\mathop {:\rhd }\) modalities are used in logic programs, other strategies for proof search need to be analysed.

3.1 Cyberlogic Program Syntax

Cyberlogic programs can be divided into goals, knowledge bases, common knowledge, and attestation clauses.

Goals (G) Cyberlogic programs are used to derive a goal G, defined as:

$$ G {:}{:}= \top \mid \mathsf {K} \mathop {:\rhd }\mathsf {kb}_\mathcal {Q}A \mid G_1 \wedge G_2 \mid \exists x. G $$

where A is an atomic formula. The restriction of \(\mathop {:\rhd }\mathsf {kb}_\mathcal {Q}\) to atoms does not reduce the expressiveness of goals, given the equivalences in Proposition 1.

Knowledge Bases (\(\mathcal {B}\)): A knowledge base, written \(\mathsf {kb}_{\{\mathsf {K} _i\}} \varGamma \), of a principal \(\mathsf {K} _i \in \mathcal {K}\) is a set of formulas \(\varGamma \) not containing the connectives \(\mathop {:\rhd }\) or \(\mathsf {kb}\). Here, \(\mathsf {kb}_{\{\mathsf {K} _i\}} \varGamma \) represents the set of formulas \(\{\mathsf {kb}_{\{K_i\}} F \mid F \in \varGamma \}\).

Intuitively, a knowledge base \(\mathsf {kb}_{\{\mathsf {K} _i\}} \varGamma \) can be interpreted as \(\mathsf {K} _i\)’s local knowledge. This means that \(\mathsf {K} _i\) may use its own prover to derive new facts. For example, if \(\varGamma \) is a collection of Horn-clauses, then \(\mathsf {K} _i\) may deploy a Prolog engine to derive some goal. Alternatively if \(\varGamma \) is a set of formulas in CNF form, then \(\mathsf {K} _i\) may use resolution provers. The absence of modal connectives in knowledge bases has important impacts on the design of the proof certificate described in Section 4, as those may rely on existing certificates for different provers [9].

Common Knowledge (\(\mathcal {C}\)): Common knowledge are knowledge bases that are known to all principals, written as \(\mathsf {kb}_{\emptyset }~\varGamma \). Since \(\emptyset \subseteq \mathcal {Q}\) for every \(\mathcal {Q}\), these formulas remain in the context when applying \(\mathsf {kb}_r\). In this sense they contain first order formulas that may be used by all principals.

Attestation Formulas (\(\mathcal {D}\)): Formulas of the form \(\mathsf {K} \mathop {:\rhd }\mathsf {kb}_\mathcal {Q}A\) are derived by attestation formulas of the form below where for all \(1 \le i \le n\), \(\mathsf {K} _i \in \mathcal {K}\), \(\mathcal {Q}_i \subseteq \mathcal {K}\), and \(A_1, \ldots , A_n,A\) are atomic formulas and \(\boldsymbol{X}\) are bounded by universal quantifiers:

$$\begin{aligned} \forall \boldsymbol{X}.\big (\mathsf {kb}_{\mathcal {Q}_1} (\mathsf {K} _1 \mathop {:\rhd }A_1) \wedge \cdots \wedge \mathsf {kb}_{\mathcal {Q}_n} (\mathsf {K} _n \mathop {:\rhd }A_n) \wedge G&\supset \mathsf {K} \mathop {:\rhd }(\mathsf {kb}_{\emptyset } A)\big ) \\ \forall \boldsymbol{X}.\big (\mathsf {kb}_{\mathcal {Q}_1} (\mathsf {K} _1 \mathop {:\rhd }A_1) \wedge \cdots \wedge \mathsf {kb}_{\mathcal {Q}_n} (\mathsf {K} _n \mathop {:\rhd }A_n) \wedge G&\supset \mathsf {K} \mathop {:\rhd }(\mathsf {kb}_{\{\mathsf {K} \}} A)\big ) \end{aligned}$$

Intuitively, an attestation formula belongs to a principal, namely \(\mathsf {K} \) in the right-hand side of \(\supset \). Such formulas derive \(\mathsf {K} \)’s attestation of an atomic formula which is its own knowledge (\(\mathsf {kb}_{\{\mathsf {K} \}} A\)), or common knowledge (\(\mathsf {kb}_\emptyset A\)). This means that \(\mathsf {K} \)’s attestation formulas cannot derive knowledge belonging to other principals. Furthermore to derive an attestation, one can use the knowledge base of other principals, i.e. the formulas \(\mathsf {kb}_{\mathcal {Q}_i}(\mathsf {K} _i \mathop {:\rhd }A_i)\) or additional goals, i.e. G. Finally notice that \(\mathsf {K} \mathop {:\rhd }(\mathsf {kb}_\emptyset A)\) and \(\mathsf {K} \mathop {:\rhd }(\mathsf {kb}_{\{\mathsf {K} \}} A)\) are attestation formulas themselves, where the left-hand side of \(\supset \) is empty (denoting \(\top \)).

The difference between formulas \(\mathsf {K} \mathop {:\rhd }A\) and \(\mathsf {K} \mathop {:\rhd }(\mathsf {kb}_{\{\mathsf {K} \}} A)\) is subtle. Note that the former can be derived using the evidence rule \(\mathsf {ext}\), while the latter cannot. \(\mathsf {K} \mathop {:\rhd }(\mathsf {kb}_{\{\mathsf {K} \}} A)\) is \(\mathsf {K} \)’s attestation that A follows from its local knowledge base. It is possible to specify that A can be derived from an external evidence, but this has to be made explicit by an attestation formula, e.g., \(\mathsf {kb}_{\{\mathsf {K} \}}(\mathsf {K} \mathop {:\rhd }A) \supset \mathsf {K} \mathop {:\rhd }(\mathsf {kb}_{\{\mathsf {K} \}} A)\). Note that this formula is not a tautology.

We are interested in proving goals from attestation formulas, knowledge bases, and common knowledge, which are formally represented by cyberlogic program sequents defined as follows.

Definition 1

(Cyberlogic Program Sequents (\(\mathsf {CPS}\))). A cyberlogic program sequent (\(\mathsf {CPS}\)) is a sequent \(\mathcal {C}, \mathcal {B},\mathcal {D}\longrightarrow G\), where \(\mathcal {B}\) is a set of knowledge bases, \(\mathcal {C}\) is a set of common knowledge formulas, \(\mathcal {D}\) is a set of attestation formulas, and G is a goal formula.

Example 2

(Local Computations) This example illustrates the use of \(\mathsf {kb}\) to specify when parts of a derivation can be proved locally using a principal’s knowledge. Consider that the following clause

$$ \mathsf {kb}_{\{\mathsf {K} _1\}} (\mathsf {K} _1 \mathop {:\rhd }F_1) \wedge \mathsf {kb}_{\{\mathsf {K} _2\}} (\mathsf {K} _2 \mathop {:\rhd }F_2) \supset \mathsf {K} \mathop {:\rhd }\mathsf {kb}_{\{\mathsf {K} \}} G $$

specifies that for \(\mathsf {K} \) to attest G, \(\mathsf {K} _1\) and \(\mathsf {K} _2\) have to attest \(F_1\) and \(F_2\) respectively, using their own local theories, common knowledge, or evidence. This means that computations carried out by \(\mathsf {K} _1\) and \(\mathsf {K} _2\) to derive their assertions \(\mathsf {K} _1 \mathop {:\rhd }F_1\) and \(\mathsf {K} _2 \mathop {:\rhd }F_2\) respectively, do not depend on other principals and therefore, the search for these derivations can be performed locally.

Example 3

(Levels of Trust)

This example illustrates the use of \(\mathsf {kb}\) to specify that some evidence should only be trusted if derived from trusted sources. Consider three principals \(\mathcal {K}= \{\mathsf {K} _T, \mathsf {K} _U, \mathsf {K} \}\) where \(\mathsf {K}\) trusts evidence from \(\mathsf {K} _T\), but not all evidence from \(\mathsf {K} _U\). Then the following clause

$$ \mathsf {kb}_{\{\mathsf {K},\mathsf {K} _T\}} (\mathsf {K} \mathop {:\rhd }\mathsf {critical(ok)}) \wedge \mathsf {kb}_\mathcal {K}(\mathsf {\mathsf {K} \mathop {:\rhd }nonCritical(ok)}) \supset \mathsf {K} \mathop {:\rhd }\mathsf {kb}_\emptyset (\mathsf {all(ok))} $$

specifies that \(\mathsf {K} \) can attest that everything is \(\mathsf {ok}\) as a common knowledge if all the non-critical and critical elements are \(\mathsf {ok}\). However, the check of critical parts can only be performed by principals \(\mathsf {K} \) trusts, namely \(\mathsf {K} \) itself or \(\mathsf {K} _T\). Information from \(\mathsf {K} _U\)’s knowledge bases cannot be used in the proof of \(\mathsf {critical(ok)}\).

Example 4

(Simplified Visa) Consider a visa issuing scenario where an applicant applies to a consulate (cons) for an entry visa. This is an example of an ET as, to obtain the visa, evidence has to be provided that, for example, the applicant has no crime records, or that they have sufficient funds. We illustrate how such an ET can be specified in Cyberlogic.

The formula below labelled main specifies conditions for a visa to be issued:

$$\begin{aligned} \begin{array}{rl} \mathbf {main:} &{} \forall \textsf {Id}.\forall \textsf {Doc}.\forall \textsf {V}.\big ( \mathsf {kb}_{\{\textsf {cons} \}}(\textsf {cons} \mathop {:\rhd }\textsf {visitOk}(\textsf {Id}, \textsf {Doc})) \\ &{} \wedge ~\mathsf {kb}_{\{\textsf {cons} \}} (\textsf {cons} \mathop {:\rhd }\textsf {prepVisa}(\textsf {Id}, \textsf {V})) \\ &{} \wedge ~\textsf {cons} \mathop {:\rhd }\mathsf {kb}_{\{\textsf {cons} \}}(\textsf {sufFin}(\textsf {Doc})) \wedge \textsf {police} \mathop {:\rhd }\mathsf {kb}_{\{\textsf {police} \}} (\textsf {noCrimeRec}(\textsf {Id})) \\ &{} \supset \textsf {cons} \mathop {:\rhd }\mathsf {kb}_{\textsf {cons}} (\textsf {issVisa}(\textsf {Id}, \textsf {Doc}, \textsf {V})) \big ) \end{array} \end{aligned}$$

The transaction for cons issuing a visa \(\textsf {V} \) to an applicant \(\textsf {Id} \) requires cons to attest validity of Id’s visit by itself (visitOk(Id, Doc)) and Id’s criminal record with the help of the police (noCrimeRec(Id)). In addition, cons also needs to attest Id’s financial status (sufFin(Doc)).

The following two clauses expand on how cons can attest sufFin(Doc): either via an employment contract or a bank statement.

$$\begin{aligned} \begin{array}{rl} \mathbf {cont:}~ \mathsf {kb}_{\{\textsf {cons} \}} \big ( \forall \textsf {Doc}.\forall \textsf {Cont}. &{}\!\!\big (\;\, \textsf {empContract}(\textsf {Doc}, \textsf {Cont}) \wedge \textsf {valid}(\textsf {Cont}) \\ &{}\;\; \supset ~\textsf {sufFin}(\textsf {Doc}) \big ) \big ) \end{array} \end{aligned}$$
$$\begin{aligned} \begin{array}{rl} \mathbf {bankStmt:} &{} \forall \textsf {Doc}.\forall \textsf {Stmt}. \big ( \mathsf {kb}_{\{\textsf {cons} \}}(\textsf {cons} \mathop {:\rhd }\textsf {bankStmt}(\textsf {Doc}, \textsf {Stmt})) \\ &{} \wedge ~\textsf {bank} \mathop {:\rhd }\mathsf {kb}_{\{\textsf {bank} \}} (\textsf {valid}(\textsf {Stmt})) \supset \textsf {cons} \mathop {:\rhd }\mathsf {kb}_{\{\textsf {cons} \}}(\textsf {sufFin}(\textsf {Doc})) \big ) \end{array} \end{aligned}$$

The formula labeled cont belongs to cons’s knowledge base. This means that cons can check the validity of an employment contract without evidence from other principals. For example, \(\mathsf {\textsf {valid}(Cont)}\) may check the contract duration and salary. The formula labeled bankStmt, on the other hand, takes the bank statement \(\mathsf {Stmt}\) from the given documents, \(\textsf {Doc} \), and requires the \(\textsf {bank} \) to validate it using its knowledge base. This makes sense as Id’s financial records are sensitive and do not need to be disclosed to anyone else apart from her financial institute.

These clauses also illustrate the subtle difference between goal formulas \(\mathsf {K} \mathop {:\rhd }\mathsf {kb}_{\{K\}} F\) and knowledge base formulas \(\mathsf {kb}_{\{K\}} \mathsf {K} \mathop {:\rhd }F\) . For example, in the main clause, the fact that applicant has come to their appointment at the consulate does not depend on other agents and that is why we use a knowledge base formula. The same applies to the visa preparation. On the other hand, the fact that applicant has sufficient funds may require evidence from other parties, e.g., the applicant’s \(\textsf {bank} \). Therefore this is specified as a goal.

3.2 \(\mathsf {CPS}\) Proof Search

Proof search of \(\mathsf {CPS}\) can be divided into the following phases: goal decomposition, \(\mathop {:\rhd }\nolimits _{l}\) application, attestation formula decomposition, \(\mathsf {K} \mathop {:\rhd }A\) decomposition, and first-order reasoning. We define a (focusing inspired) sequent calculus for the \(\mathsf {CPS}\) fragment, called \(\textsf {CL}_\mathcal {P}\) (Figure 2) for enforcing this proof search discipline. Sequents in \(\textsf {CL}_\mathcal {P}\) have the following shape: \(\varTheta ; \varLambda ; \varDelta \longrightarrow F\), where \(\varTheta \) contains \(\mathsf {kb}\) formulas, \(\varLambda \) contains attestation formulas, \(\varDelta \) contains formulas of the form \(\mathsf {K} \mathop {:\rhd }\mathsf {kb}_{\mathcal {Q}} A\), and F is either a goal formula, \(\mathsf {kb}_\mathcal {Q}(\mathsf {K} \mathop {:\rhd }A)\), \(\mathsf {K} \mathop {:\rhd }A\) or A, where A is an atom. Moreover, the part of the sequent containing the formula that is being decomposed will be enclosed in square brackets. This will help distinguishing the phases mentioned above.

Fig. 2.
figure 2

\(\textsf {CL}_\mathcal {P}\) – Sequent calculus for cyberlogic programs. A, \(A'\) and \(A_i\) are atoms, \(\varDelta ^\dagger \) is such that for all \(\mathsf {K} ' \mathop {:\rhd }\mathsf {kb}_\mathcal {Q}' A' \in \varDelta ^\dagger \), \(\mathsf {K} ' \ne \mathsf {K} \), and \(\varTheta ^\star = \{ F \mid \mathsf {kb}_\mathcal {Q}F \in \varTheta \}\).

Lemma 3

The \(\mathsf {kb}_r\) rules permutes down every left rule in the \(\mathsf {CPS}\) fragment.


First we note that, in the \(\mathsf {CPS}\) fragment, \(\wedge \), \(\vee \), \(\forall \), and \(\mathsf {kb}\) formulas on the left do not have \(\mathsf {kb}\) modalities as subformulas. We look at the case of \(\mathsf {kb}_l\), as the others follow a similar argument.

Since F is not a \(\mathsf {kb}\) formula, then \(F \notin (\varGamma , \mathsf {kb}_{\mathcal {Q}'} F, F)\mid _\mathcal {Q}\). Therefore we can conclude that \((\varGamma , \mathsf {kb}_{\mathcal {Q}'} F, F)\mid _\mathcal {Q}= (\varGamma , \mathsf {kb}_{\mathcal {Q}'} F)\mid _\mathcal {Q}\) and the permutation is:

The case for \(\mathop {:\rhd }\nolimits _{l}\) holds vacuously, as it is impossible to have \(\mathop {:\rhd }\nolimits _{l}\) immediately below \(\mathsf {kb}_r\) since the former requires the right formula to be of the shape \(\mathsf {K} \mathop {:\rhd }\).

The remaining case is \(\supset _l\). Observe that in the \(\mathsf {CPS}\) fragment, the formula \(F_2\) in \(F_1 \supset F_2\) is of the form \(\mathsf {K} \mathop {:\rhd }\mathsf {kb}_{\mathcal {Q}'} A\). Therefore, \((\varGamma , F_2)\mid _\mathcal {Q}= \varGamma \mid _\mathcal {Q}\). Also, \((\varGamma , F_1 \supset F_2)\mid _\mathcal {Q}= \varGamma \mid _\mathcal {Q}\). Thus the permutation is:

   \(\square \)

Notice that it is crucial for attestation formulas to have a \(\mathop {:\rhd }\) modality formula on the consequent, otherwise Lemma 3 would not hold. As seen below, this lemma is key to proving completeness of the proof search procedure for \(\mathsf {CPS}\).

Theorem 3

(Soundness and completeness of \({\mathbf {\mathsf{{CL}}}}_\mathcal {P}\)). \(\varTheta ; \varLambda ; \varDelta \longrightarrow [F]\) in \(\textsf {CL}_\mathcal {P}\) if and only if \(\varTheta , \varLambda , \varDelta \longrightarrow F\) in \(\textsf {CL}\)


Soundness is straightforward: a proof in \(\textsf {CL}_\mathcal {P}\) can be transformed into a proof in \(\textsf {CL}\) by using the same logical rules (possibly expanded – e.g. att becomes a sequence of \(\forall _l + \supset _l + \wedge _r + \mathsf {kb}_r\)) and skipping the phase transition rules \(\Rightarrow \) (which only change the syntax of the sequent, but not its content).

Completeness is achieved by reasoning about invertibility and permutability of inference rules in the specific case of \(\mathsf {CPS}\). We argue that each phase can be performed in the proposed order.

Goal decomposition The goal formula can be eagerly decomposed until becoming \(\mathsf {K} \mathop {:\rhd }\mathsf {kb}_\mathcal {Q}A\) before applying other rules because: \(\top _r\) and \(\wedge _r\) are invertible, and in the absence of \(\forall _r\) and \(\exists _l\), \(\exists _r\) permutes down every rule. Once the right side formula is \(\mathsf {K} \mathop {:\rhd }\mathsf {kb}_\mathcal {Q}A\), there are two options to continue: (1) change to \(\mathop {:\rhd }\nolimits _{l}\) application phase, or (2) apply rules \(\mathop {:\rhd }\nolimits _{r}+\mathsf {kb}_r+\mathsf {kb}_l\) in Figure 1.

The first case is discussed below. In the second case, we need to argue that \(\mathsf {kb}_r\) may be applied immediately above \(\mathop {:\rhd }\nolimits _{r}\). Once \(\mathop {:\rhd }\nolimits _{r}\) is applied, we could choose a formula from the context to continue with. However, \(\mathsf {kb}_r\) permutes down all left rules for the \(\mathsf {CPS}\) fragment, as shown in Lemma 3. Therefore any proof that continues with a formula in \(\varTheta \), \(\varLambda \), or \(\varDelta \) above \(\mathop {:\rhd }\nolimits _{r}\) can be transformed into a proof where \(\mathsf {kb}_r\) is applied immediately above \(\mathop {:\rhd }\nolimits _{r}\). Since \(\mathsf {kb}_l\) is invertible, it can be applied to exhaustion safely.

\(\mathop {:\rhd }\nolimits _{l}\) application After eagerly decomposing the goal, \(\mathop {:\rhd }\nolimits _{l}\) can be applied to exhaustion since it is an invertible rule (Lemma 2).

Attestation formula decomposition This phase contains only one rule, namely att, which encompasses \(\forall _l\), \(\supset _l\), \(\wedge _r\), and \(\mathsf {kb}_r\). The quantifier rule can always be delayed until its subformula is needed, and \(\wedge _r\) is an invertible rule, therefore these can be chained together without loss of completeness. Due to Lemma 3, the application of \(\mathsf {kb}_r\) can be permuted down for the \(\mathsf {CPS}\) fragment and thus it is safe to apply the rule as soon as possible.

The two top premises of att force the proof search to go back to applying invertible rules, which does not break completeness.

\(\mathsf {K} \mathop {:\rhd }A\) decomposition Once this state is reached, \(\varTheta \) is left with \(\mathsf {kb}\) formulas whose subformulas are in first-order logic (i.e., no modalities). In this case, one can either close the proof with an external evidence, or apply \(\mathop {:\rhd }\nolimits _{r}+\mathsf {kb}_l\) to release the atom on the right side. The eager application of \(\mathsf {kb}_l\) is justified due to its invertibility. It can also be delayed until this point because it permutes up \(\supset _l\) and \(\mathop {:\rhd }\nolimits _{r}\) in \(\textsf {CL}\), and it permutes up \(\mathsf {kb}_r\) in the \(\mathsf {CPS}\) fragment (Lemma 3).

First-order reasoning From this point onwards, there are no modalities in the sequent so it will be proved using only first-order reasoning.    \(\square \)

4 Proof Certificates

Cyberlogic programs may be used to derive facts about attestation (goals), using pure logical reasoning (knowledge bases), principal delegation (attestation formulas), and external evidence. Once a goal is derived, evidence shall be available so that any interested party can verify that the proof is correct. Verifiable evidence means that entities do not need to trust each other’s proof producing process, as long as they can check the proofs using their own trusted processes.

Given a cyberlogic program sequent of the shape: \(\varTheta ; \varLambda ; \varDelta \longrightarrow G\) one could take its full sequent calculus proof in \(\textsf {CL}_\mathcal {P}\) as evidence. If the interested parties know the calculus, checking validity of proofs reduces to checking the valid application of each rule. However, these proofs are too fine grained, and contain many uninteresting details that can be easily inferred. Proof certificates elide such details, and keep only the crucial steps for proof reconstruction.

Proof certificates for cyberlogic are defined inspired by \(\lambda \)-terms and foundational proof certificates [8, 20] (FPC). FPC is a framework for checking proofs in different formalisms using a small trusted kernel. The proposed kernels are the sequent calculus focused systems LKF and LJF [18] for LK and LJ respectively, augmented with predicates for guiding proof search [9]. The definition of proof certificates for a proof system \(\mathcal {S}\) relies on two parts: (1) a translation of \(\mathcal {S}\)’s formulas into LKF or LJF formulas; and (2) a correspondence of \(\mathcal {S}\) proofs (or proof steps) to LKF or LJF proof steps. Given these two elements, a proof certificate for a proof of F in \(\mathcal {S}\) consists of a predicate which guides a proof of F’ s translation in LKF or LJF. The following proof formats can be checked in FPC: resolution, \(\lambda \)-terms, Horn clauses, Frege proofs, matings, tableaux, etc.

Defining LKF or LJF FPCs for cyberlogic is challenging due to the modalities \(\mathop {:\rhd }\) and \(\mathsf {kb}\), and digital evidences. LKF has been used to check proofs in modal logics [19], but the translation of modal formulas into LK formulas used the modalities’ semantic definition. Instead, we propose a modular \(\textsf {CL}_\mathcal {P}\) kernel which allows facts derived from knowledge bases or external evidence to be checked by the appropriate engine or entity.

Fig. 3.
figure 3

\(\textsf {CL}_\mathcal {P}^a\)\(\textsf {CL}_\mathcal {P}\) kernel for verifying \(\textsf {CL}_\mathcal {P}\) proof certificates of Cyberlogic programs. \(\varDelta ^\dagger \) is such that for all \(\mathsf {K} ' \mathop {:\rhd }\mathsf {kb}_\mathcal {Q}' A' \in \varDelta ^\dagger \), \(\mathsf {K} ' \ne \mathsf {K} \) and \(\varTheta ^\star = \{ F \mid \mathsf {kb}_\mathcal {Q}F \in \varTheta \}\).

The \(\textsf {CL}_\mathcal {P}\) kernel \(\textsf {CL}_\mathcal {P}^a\) (Figure 3) is constructed by augmenting sequents with a certificate \(\varXi \) (a term indicating how the proof must proceed) and indices for the formulas in \(\varLambda \). A certificate for a proof of \(\varTheta ; \varLambda ; \varDelta \longrightarrow G\) is \(\varXi : \varTheta ; \varLambda _I ; \varDelta \longrightarrow G\), where \(\varXi \) is a term built from the predicates used in \(\textsf {CL}_\mathcal {P}^a\), and \(\varLambda _I\) is a mapping from indices to formulas in \(\varLambda \). The indices are used in \(\varXi \). The checking of a cyberlogic sequent \(\varTheta ; \varLambda ; \varDelta \longrightarrow G\) with certificate \(\varXi \) starts from the sequent \(\varXi : \varTheta ; \varLambda _I ; \varDelta \longrightarrow [G]\). Certificates denoted by the letter \(\varPsi \) can represent proofs in other formalisms and may be checked by another engine. The predicates in \(\varXi \) are used for the following purposes during a derivation in \(\textsf {CL}_\mathcal {P}^a\).

First of all, they indicate how the proof should continue when there are multiple choices. For example, if the sequent is of the form \(\varTheta ; \varLambda ; \varDelta \longrightarrow [\mathsf {K} \mathop {:\rhd }\mathsf {kb}_\mathcal {Q}A]\), then \(\varXi \) must be one of \(\mathsf {toSays_L}(\_)\) or \(\mathsf {fol}(\_)\), indicating whether to work on \(\mathop {:\rhd }\) modalities on the left, or finish the proof with first-order reasoning, respectively.

Secondly, certificates relay information at the appropriate moment. For example, \(\mathsf {split}(\_,\_)\) contains the certificates for each of the branches on a splitting rule, and \(\mathsf {ext}(\_)\) includes an external evidence for proposition A. Note that there is no certificate for \(\exists _R\) since these can be instantiated with meta-variables, and unification can be verified when the proof is completed.

The certificate for rule att is more interesting. It includes the index i of the attestation formula to be decomposed, the substitution \(\sigma \) for the \(\forall \) quantifier, and certificates for each premise. Note that each \(\varXi _1, ... \varXi _n\) must be \(\mathsf {ext}(\_)\) or \(\mathsf {fol}(\_)\).

Example 5

Consider Example 4, and let the indices of the formulas be their labels: main, cont, and bankStmt. The certificate for a proof that alice can get a visa is \(\varXi : \mathbf{cont} ; \mathbf{main} , \mathbf{bankStmt} ; \cdot \longrightarrow \textsf {cons} \mathop {:\rhd }\mathsf {kb}_{\{\textsf {cons} \}} \textsf {issVisa}(\textsf {alice},\textsf {doc},\textsf {visa})\). Where \(\varXi \) is:

$$ \mathsf {att}(\mathbf{main} , \{\textsf {Id} \mapsto \textsf {alice}, \textsf {Doc} \mapsto \textsf {doc}, \textsf {V} \mapsto \textsf {visa}\}, [\mathsf {fol}(\varPsi _{\textsf {visitOk}}), \mathsf {fol}(\varPsi _{\textsf {prepVisa}})], \varXi _G, \varXi _0) $$

The certificates \(\varPsi _\textsf {visitOk}\) and \(\varPsi _\textsf {prepVisa}\) are first-order logic proof certificates from derivations using the consulate’s own knowledge base.

Certificate \(\varXi _0\) corresponds to \(\mathsf {att}\)’s premise where the conclusion of main is added to the context. This branch can be closed by removing the modalities, so \(\varXi _0 = \mathsf {toGoal}(\mathsf {fol}(\mathsf {id}))\), where \(\mathsf {id}\) is a first-order logic directive to close the proof.

Certificate \(\varXi _G\) guides the proof of the new goal:

$$ \textsf {cons} \mathop {:\rhd }\mathsf {kb}_{\{\textsf {cons} \}}(\textsf {sufFin}(\textsf {doc})) \wedge \textsf {police} \mathop {:\rhd }\mathsf {kb}_{\{\textsf {police} \}} (\textsf {noCrimeRec}(\textsf {alice})) $$

and thus \(\varXi _G = \mathsf {split}(\varXi _{\mathsf {fin}},\varXi _{\mathsf {crime}})\). \(\varXi _{\mathsf {fin}}\) depends on how cons decides to check for sufficient funds. It could rely on the bank and use the attestation formula bankStmt, in which case \(\varXi _{\mathsf {fin}}\) has the shape

$$ \mathsf {toSays_L}(\mathsf {toAtt}(\mathsf {att}(\mathbf{bankStmt} , \_, \_, \_, \_))) $$

Or it could use cont from its knowledge base, in which case \(\varXi _{\mathsf {fin}}\) would be \(\mathsf {fol}(\_)\).

5 Related Work

Attestation logics have been proposed for the specification of policies of several distributed systems [14, 21, 15, 5, 29, 1]. We have been inspired by some of this work in the design of Cyberlogic. Actually, Cyberlogic was proposed some decades ago [29, 5], but until now its proof theory had not been carefully investigated. In particular, there were no statements on cut-elimination. Additionally, we have been inspired by the previous works on authorization logics [14, 21, 15] to extend Cyberlogic with knowledge operators.

The main contribution of our work is the study of proof search and proof certificates for attestation logics with knowledge operators.

In previous work [14] in intuitionistic authorization logic, knowledge was restricted to one principal. As demonstrated in Example 1, allowing for multiple principal knowledge databases ensures collaboration in reasoning.

Proof search for attestation logics is not adequately addressed in the literature. Either the proposed proof systems are Hilbert-style [1, 2, 17] which do not enjoy the sub-formula property and therefore are not suitable for proof search, or they are sequent calculus proof system, but not focused proof systems [14, 21, 29, 5, 16]. [14] only speculates that logic programming languages can be used to carry out proof search for fragments of attestation logic. We confirm this speculation with the definition of Cyberlogic programs.

Our main inspiration for proof certificate is the work on foundational proof certificates [9]. However, the existing work did not consider proof certificates for attestation logics. Closer to our objective is the work of Libal and Volpe [19], which define proof certificates for modal logics by encoding (the semantics of) these logics in LKF. Our work instead proposes proof certificates directly in Cyberlogic. This means that we are able to capitalize on rules, such as attestation rules, to build more compact certificates. Another difference is that our proof certificates may contain (pointers to) extra-logical evidence.

Cyberlogic has been formalized in Coq [11], encoding evidential transactions for Schengen Visa applications. Our approach is different in that it lays a proof theoretic foundation to Cyberlogic. In particular, proof search is formally justified as well as the representation of Cyberlogic proofs as FPCs.

Logic programming engines, such as ETB [10], have been proposed for programming ETs. However, these engines do not (yet) support attestations, such as \(\mathsf {K} \mathop {:\rhd }F\), local knowledge, such as \(\mathsf {kb}_\mathcal {Q}F\), nor the use of digital certificates. We believe that this work can greatly profit from the foundations laid by this paper.

Finally, works [15, 6] propose the use of evidence for authorization. Specifically, [16] show that a fragment of their system is decidable in linear time. It would be interesting to investigate how this fragment relates to Cyberlogic programs, and whether proof certificates as defined in this work can be applied to the decidable fragment. This is left for future work.

6 Conclusions

This paper lays the proof-theoretic foundations for Cyberlogic, an attestation logic for evidential transactions, and refine Cyberlogic with epistemic modalities. We identify a fragment of Cyberlogic, Cyberlogic programs, and propose a proof system similar to focused proof systems for enabling sound and complete proof search. The necessary permutations for completeness rely on the careful interplay between attestation, \(\mathop {:\rhd }\), and knowledge modalities, \(\mathsf {kb}_\mathcal {Q}\). We then propose a concise proof certificate format for proofs of Cyberlogic programs.

This paper is the first step for a framework enabling evidential transactions that we are currently implementing. In particular, we are extending Distributed Datalog engines available in [10] to support Cyberlogic. Moreover, we are integrating such engines with PKI infrastructure, available in, for example, Distributed Ledger Technologies. This means that evidence, both in the form of digital evidence and logical derivations in the form of FPCs, can be stored and audited through the Ledger Technologies.

We are currently investigating extensions to Cyberlogic programs to include other modalities, such as temporal and epistemic [23, 12] while still preserving its good proof search properties. We have also started to study conditions for when two attestation rules can be introduced in any order. If two clauses can be introduced in any order, then they can also be introduced in parallel. Therefore, this would provide proof-theoretic justification for proof search optimization. This could be used, for example, for proposing refinements to dependency graphs used for evaluating distributed logic programming [22] which take principals into account. These results will impact the maintenance of evidential transactions, whose applications can have important consequences to, e.g., certification in automotive and avionics domains.