Verification of Quantitative Hyperproperties Using Trace Enumeration Relations

Many important cryptographic primitives offer probabilistic guarantees of security that can be specified as quantitative hyperproperties; these are specifications that stipulate the existence of a certain number of traces in the system satisfying certain constraints. Verification of such hyperproperties is extremely challenging because they involve simultaneous reasoning about an unbounded number of different traces. In this paper, we introduce a technique for verifying quantitative hyperproperties based on the notion of trace enumeration relations. These relations allow us to reduce the problem of trace-counting into one of model-counting of formulas in first-order logic. We also introduce a set of inference rules for machine-checked reasoning about the number of satisfying solutions to first-order formulas (aka model counting). Putting these two components together enables semi-automated verification of quantitative hyperproperties on infinite-state systems. We use our methodology to prove confidentiality of access patterns in Path ORAMs of unbounded size, soundness of a simple interactive zero-knowledge proof protocol as well as other applications of quantitative hyperproperties studied in past work.


Introduction
Recent years have seen significant progress in automated and semi-automated techniques for the verification of security requirements of computer systems [4,10,16,19,30,47,50,55]. Much of this progress has built on the theory of hyperproperties [21], and these have been used extensively in analysis of whether systems satisfy secure information flow properties [1,2,6,8,15,28,35,37,39,49,57] such as observational determinism [41,55] and non-interference [32]. Unfortunately, the security specification of several important security primitives cannot be captured by secure information flow properties like observational determinism. In particular, observational determinism and non-interference are not applicable when reasoning about algorithms that offer probabilistic -as opposed to deterministic -guarantees of confidentiality and integrity. Prominent examples of security primitives offering probabilistic guarantees include Path ORAM [48] and various zero-knowledge proof protocols.
A promising direction for the verification of such protocols are the class of quantitative hyperproperties [29], one example of which is deniability [12,14]. Deniability states that for every infinitely-long sequence of observations that an adversary makes, there are (exponentially) many different secrets that could have resulted in exactly these observations. Therefore, the adversary learns very little about the secrets in an execution from a particular sequence of observations.
How does one prove a quantitative hyperproperty like deniability? Suppose our goal is to show that for every trace of adversary observations, there exist 2 n traces with the same observations but different secrets. Here n is a parameter of the system, e.g., the length of a password in bits. One option, first suggested by Yasuoka and Terauchi [54] and recently revisited by Finkbeiner, Hahn, and Torfah [29], is to consider the following k-trace property, where k = 2 n + 1.
∀π 0 . ∃π 1 , π 2 , . . . , π 2 n . The property states that for every trace of the system, there must exist 2 n other traces with identical observations and pairwise different secrets. In the above, π 0 , π 1 , . . . represent trace variables, obs(π j ) refers to the trace of adversary observations projected from the trace π j , while secret(π j ) refers to the trace of secret values in the trace π j . There are at least three problems with the verification of the above property. First, the size of this property grows exponentially with n; verification needs to reason about 2 n traces simultaneously and is not scalable. The second problem is quantifier alternation. Even if we could somehow reason about 2 n traces, we have to show that for every trace π 0 , there exist 2 n other traces satisfying the above condition. The third problem is that the above technique does not work for symbolic bounds. While it is possible -at least in principle -to use the above construction by picking a specific value of n, say 16, to show that 2 16 traces exist that satisfy deniability, we would like to show that the property holds for all n, where n is a state variable or parameter of the transition system. Capturing the dependence of the trace-count bound on parameters, such as n, is important because it shows that the attacker has to work exponentially harder as n increases. Such general proofs are not possible by reduction to a k-trace property because the construction requires k be bounded.
Recent work by Finkbeiner, Hahn, and Torfah [29] has made significant progress in addressing the first two problems by showing a reduction from k-trace property checking into the problem of maximum model counting [31]. However, their technique still produces a propositional formula whose size grows exponentially in the size of the quantitative hyperproperty. Further, model counting itself is a computationally hard problem that is known to be #P -complete, and maximum model counting is even harder. As a result, their technique does not scale well and times out on the verification of an 8-bit leakage bound for an 8-bit password. Finally, their method does not support symbolic bounds, and therefore cannot be used to verify parametric systems; we verify several examples of such systems in this paper (e.g., Path ORAM [48] of symbolic size).
In this work, we propose a new technique for quantitative hyperproperty verification that addresses each of the above problems. Our approach is based on the following insights. First, instead of trying to count the number of traces that have the same observations and different inputs, we instead show injectivity/surjectivity from satisfying assignments of a first-order formula to traces of a transition system. This allows us to bound the number of traces satisfying the quantitative hyperproperty by the number of satisfying solutions to this formula. We introduce the notion of a trace enumeration relation to formalize this relation between the first-order formula and traces of the transition system. An important advantage of the above reduction is that proving the validity of a trace enumeration relation is only a hyperproperty -not a quantitative hyperproperty.
Next, we develop a novel technique to bound the number of satisfiable solutions to a first-order logic formula, which is of independent interest. While this is a hard problem, we exploit the fact that our formulas have a significant amount of structure. We introduce a set of inference rules inspired by ideas from enumerative combinatorics [13,52,56]. These rules allow us to bound the number of satisfying assignments to a formula by making only satisfiability queries.
In summary, our techniques can prove quantitative hyperproperties with symbolic bounds on parametric infinite-state systems. We demonstrate their utility by verifying representative quantitative hyperproperties of diverse applications.

Contributions
1. We introduce a specification language for quantitative hyperproperties (QHPs) over symbolic transition systems and define formal satisfaction semantics for this language. Our specification language is more expressive than past work on QHP specification because it allows the bound to be a first-order formula over the state variables of the transition system. 2. We provide several examples of QHPs relevant to security verification. We identify a new class of QHPs, referred to as soundness hyperproperties, applicable to protocols that provide statistical guarantees of integrity. 3. We propose a novel semi-automated verification methodology for proving that a system satisfies a QHP. Our methodology applies to properties that involve a single instance of quantifier alternation and works by reducing the problem of QHP verification to that of checking non-quantitative hyperproperties over two and three traces of the system and counting satisfiable solutions to a formula in first-order logic. 4. We introduce a set of inference rules for bounding the number of satisfiable solutions to a first-order logic formula, using only satisfiability queries. 5. We demonstrate the applicability of our specification language and verification methodology by providing proofs of security for Path ORAM, soundness of a simple zero-knowledge protocol, as well as examples taken from prior work on quantitative security specifications. We show that our verification methodology scales to larger systems than could be handled in prior work.
To the best of our knowledge, our work is the first machine-checked proof of confidentiality of the access patterns in Path ORAM.

Motivating Example
In this section, we first introduce the model of transition systems used in this paper. We then discuss quantitative hyperproperty (QHP) specification and verification for our running example -a simple zero-knowledge puzzle.

Preliminaries
Let FOL(T ) denote first-order logic modulo a theory T . The theory T is assumed to be multi-sorted, includes the theory of linear integer arithmetic (LIA), and contains the = relation. Let Σ T be the theory T 's signature: the set consisting of the constant, function, and predicate symbols in the theory. We say that a formula is a Σ T -formula if it consists of the symbols in Σ T along with variables, logical connectives, and quantifiers. We only consider theories which are such that the set of satisfying assignments for any Σ T -formula is a countable set. 1 For every variable x, we will assume there exists a unique variable x , which we refer to as the primed version of x. We will use X, Y , and Z to denote sets of variables. Given a set of variables X, we will use X to refer to the set consisting of the primed version of each variable in X, that is X = {x | x ∈ X}. Similarly X 1 , X 2 , etc. are sets consisting of new variables defined as follows: We will use F (X) to denote the application of a function or predicate symbol F on the variables in the set X. A satisfying assignment σ to the formula F (X) is written as σ |= F (X). Given a formula F (X) and a satisfying assignment σ to this formula, we will denote the valuation of the variable x ∈ X in the assignment σ as σ(x). We will abuse notation in two ways and also write σ(X) to refer to a map from the variables x ∈ X to their assignments in σ. We will also write σ(G(X)) to denote the valuation of the term G(X) under the assignment σ.
The number of satisfiable assignments for the variables in the set X to a formula F (X, Y ) as a function of the variables Y will be denoted by #X.
is the cardinality of the set S. For example, consider the predicate f (i, n) . = (0 ≤ i < 2n). In this case, #i. f (i, n) = max (0, 2n), meaning that for a given value of n > 0, there are 2n satisfying assignments to i.

Definition 1 (Transition System).
A transition system M is defined as the tuple M = X, Init(X), Tx (X, X ) . X is a finite set of (uninterpreted) constants that represents the state variables of the transition system. Init and Tx are Σ Tformulas representing the initial states and the transition relation, respectively.
Init is defined over the signature Σ T ∪ X. Tx is over the signature Σ T ∪ X ∪ X ; X represents the pre-state of the transition and X represents its post-state.
A state of the system is an assignment to the variables in X. We use σ 0 , σ 1 , σ 2 etc. to represent states. A trace of the system M is an infinite sequence of states τ = σ 0 σ 1 σ 2 . . . σ i . . . such that Init(σ 0 ) is valid and for all i ≥ 0, Tx (σ i , σ i+1 ) is valid; in order to keep notation uncluttered, we will often drop the ≥ 0 qualifier when referring to trace indices. We assume that every state of the transition system has a successor: for all σ there exists some σ such that Tx (σ, σ ) is valid, ensuring every run of the system is infinite. We will represent traces by τ, τ 1 , τ 2 , etc. Given a trace τ, we refer to its i th element by τ i . If τ = σ 0 σ 1 . . . , then τ 0 = σ 0 and τ 1 = σ 1 . The notation τ [i,∞] refers to the suffix of trace τ starting at index i. The set of all traces of the system M is denoted by Φ M . Given a state σ and a variable x ∈ X, σ(x) is the valuation of x in the state σ.

Motivating Example: Zero-Knowledge Hats
Zero-knowledge (Z-K) proofs are constructions involving two parties: a prover and a verifier, where the prover's goal is to convince the verifier about the veracity of a given statement without revealing any additional information. We motivate the need for quantitative hyperproperty verification using a Z-K puzzle.
Puzzle Overview: Consider the following scenario. Peggy has a pair of otherwise identical hats of different colors (say, yellow and green). She wants to convince Victor, who is yellow-green color blind, that the hats are of different colors, without revealing the colors of the hats. This problem can be solved using the following interactive protocol. Peggy gives both hats to Victor, and Victor randomly chooses a hat behind a curtain and shows it to Peggy. Next, he goes back behind the curtain and uniformly randomly chooses if he wants to switch the hat or not. He now appears in front of Peggy and asks: "Did I switch?" If the hats are really of different colors, Peggy will be able to answer correctly with probability 1. If Peggy is cheating -the hats are in fact of the same colorher best strategy is to guess, and with probability 0.5 she will answer incorrectly. If the interaction is repeated k-times, Peggy will be caught with probability 1 − 2 −k . The interaction between Peggy and Victor only reveals the fact that Peggy can detect a switch and not the color of the hat, making this zero-knowledge.
Verification Objectives: A zero-knowledge proof must satisfy three properties: completeness (an honest prover should be able to convince an honest verifier of a true statement), soundness (a cheating prover can convince an honest verifier with negligible probability) and zero-knowledge (no information apart from the veracity of the statement should be revealed). Completeness is a standard trace property, while zero-knowledge is the 2-safety property of indistinguishability. Consequently, the main challenge in automated verification of the zeroknowledge protocol described above is that of soundness. In this section, we discuss its specification and verification using quantitative hyperproperties. Soundness as a Quantitative Hyperproperty: Consider the transition system M = X, Init(X), Tx (X, X ) , shown in Fig. 1, representing this protocol. The variable R is a parameter of the system and refers to the number of rounds of the protocol. C and P are boolean arrays representing the challenges from the verifier to the prover, and the responses from the prover to the verifier, respectively. i is the current round, and S is a boolean flag that corresponds to whether the zero-knowledge proof has succeeded. C and P are initialized nondeterministically to model the fact that the verifier chooses their challenges randomly, and a cheating prover's best strategy is guessing. While a cheating prover can use any strategy, if the challenges are indistinguishable to her, then the best strategy is to sample responses from a uniform distribution. Soundness is captured by the following quantitative hyperproperty (QHP): We will provide formal satisfaction semantics for QHPs in Sect. 3. For now, we informally describe its meaning. The term #π 1 : F (δ πj ,π k ). G (ψ π0,π1 ) ≥ 2 R − 1 introduces a counting quantifier which stipulates the existence of at least 2 R − 1 traces satisfying certain conditions: (i) these traces must all be pairwise-different, where difference is defined by satisfaction of the formula F (δ πj ,π k ) and (ii) all of these traces must be related to trace π 0 by the relation G (ψ π0,π1 ). The state predicates δ and ψ are defined as follows.
The requirement imposed by δ is that Peggy's responses be different at some step i for every pair of traces captured by the counting quantifier. ψ says that if trace π 0 is a trace where Peggy's cheating succeeds (i.e., S = true when i = R), then in all traces captured by π 1 , the challenges and number of rounds are the same as π 0 but Peggy's cheating is detected by Victor (i.e., S = false when i = R). These requirements are illustrated in Fig. 2 The QHP requires that for every trace in which a cheating prover succeeds in tricking the verifier for a given trace of challenges, there are 2 R − 1 other traces with the same challenges in which the prover's cheating is detected. Even though soundness is a probabilistic property over the distribution of the system's traces, it can be reduced to counting (and thus specified as a QHP) because each execution trace is sampled uniformly from a finite set. Therefore, if the QHP is satisfied, Peggy's probability of successful cheating is upper-bounded by 2 −R .

Solution Outline
To prove a QHP of the form ∀π 0 . #π 1 : Δ πj ,π k . ϕ N(Z), we construct a trace enumeration predicate V(Y, Z) and show an injective/bijective mapping from assignments to Y in V(Y, Z) and traces of the system. This allows us to prove ∀π 0 . #π 1 : Δ πj ,π k . ϕ #Y. V(Y, Z). This part of the proof relies on the notion of a trace enumeration relation (Sect. 4). In the next step, we show that #Y. V(Y, Z) N(Z) using the inference rules presented in Sect. 5. We now describe these steps in the context of the motivating example.
Verification of Soundness for the Z-K Hats Puzzle: Property 1 is illustrated in Fig. 2(b). τ 0 is a trace where the Z-K proof succeeds, while the proof fails for the set of traces Φ C = {τ 1 , τ 2 , . . . , τ C }. The red states show the particular step of the proof in which an incorrect response is given by the prover, and each of these steps as well as their associated prover responses are pairwise different.
. The first step in our methodology is to construct a parameterized relation, called a trace enumeration relation, U(Y, τ 0 , τ 1 ). This relates τ 0 to each trace in the set Φ C and is parameterized by Y. For every value of the parameter Y, U relates a trace in which the proof succeeds (τ 0 ) to a trace in which the proof fails (τ 1 ). For every trace τ 0 in which the proof succeeds, the set {τ 1 | ∃Y. U(Y, τ 0 , τ 1 )} corresponds to the set of traces with the same challenges and the same number of rounds, but with failed proofs of knowledge. Note this is a subset of Φ C .
Next, we construct a predicate V(Y, R) which defines valid assignments to V for a particular value of R. For a particular R, consider the set: Suppose we are able to show that the relation U is injective in Y and τ 0 for assignments to Y drawn from this set, then we can lower-bound the size of Φ C by the size of this set. In other words, we have reduced the problem of trace counting to the problem of counting assignments to V(Y, R).
Precisely stated, using V and U, we show the following.
1. For every trace τ 0 , and every assignment Y i satisfying V(Y i , τ 0 0 (R)), there exists a corresponding trace τ i that satisfies both U(Y i , τ 0 , τ i ) and ψ(τ 0 , τ i ). (Note τ 0 0 (R) refers to the valuation of R in the initial state of τ 0 .) 2. Given two different satisfying assignments to V for a particular value of R, say Y j and Y k , the corresponding traces τ j and τ k are guaranteed to have different prover responses; in other words, the traces satisfy δ(τ j , τ k ).
The above two properties, illustrated in Fig. 2(a), imply there is an injective mapping from satisfying assignments of V(Y, R) to traces in Φ C . Therefore, the number of traces in Φ C can be lower bounded by the number of satisfying assign- We have reduced the difficult problem of counting traces into a slightly easier problem of counting satisfying assignments to a FOL(T ) formula.
The final step is to bound #Y. V(Y, R). For example, one well-known idea from enumerative combinatorics is that if a set A is the union of disjoint sets B and C, then |A| = |B| + |C|. Translated to model counting, the above can be written as #X. 2 We present a set of inference rules in Sect. 5 that build on this and related ideas. These inference rules allow us derive a machine-checked proof of the bound #Y. V(Y, R) ≥ 2 R − 1, thus completing the proof of Property 1 for the Z-K hats puzzle.

Overview of Quantitative Hyperproperties
This section introduces a logic for the specification of quantitative hyperproperties over symbolic transition systems. We present satisfaction semantics for this logic and then discuss its applications in security verification. Fig. 3. Grammar of Quantitative HyperLTL. 2 We note there is an implied universal quantifier here. To be precise, we must write ∀Y. #X. F (X, Y ) = #X. G(X, Y ) + #X. H(X, Y ). Figure 3 shows the syntax of Quantitative HyperLTL, our extension of Hyper-LTL [30] that allows specification of quantitative hyperproperties over symbolic transition systems. There are two noteworthy differences from the presentation of HyperLTL in [30]. The first is the predicate P π1,π2,...,π k . This refers to a k-ary state predicate P that is applied to the first element of each trace in the subscript. These are analogous to atomic propositions in presentations that use Kripke structures and are defined as k-ary state predicates to capture relational properties over traces of the transition system. For example, consider the predicate P(σ 0 , σ 1 ) . = (input(σ 0 ) = input(σ 1 )). Given this definition, a system M with exactly two traces Φ M = {τ 1 , τ 2 } satisfies the HyperLTL formula ∀π 1 , π 2 . P π1,π2 iff input(τ 0 1 ) = input(τ 0 2 ). This hyperproperty requires that the input in the initial state of the system be deterministically initialized.

Quantitative Hyperproperties
The second difference is the new counting quantifier : #π: Δ πj ,π k . ψ N(Z). 3 Δ πj ,π k is an unquantified HyperLTL formula over two "fresh" trace variables π j and π k that encodes when two traces are considered different. ψ is another (possibly-quantified) HyperLTL formula. The operator can be ≤, =, or ≥. N (Z) is an integer-sorted term in FOL(T ) over the variables in the set Z, Z ⊂ X where X is the set of state variables of the transition system under consideration. Z typically refers to the subset of the state variables that define the parameters of the transition system; e.g. Z = {R} for the Z-K proof transition system in Fig. 1, the number of blocks in a model of Path ORAM, the size of an array, etc. Typically, the variables in the set Z do not change after initialization. Informally stated, the counting quantifier is satisfied if a maximally large set Φ C ⊆ Φ, satisfying the two conditions below, has cardinality count where count is the valuation of N (Z) in the initial state of every trace in Φ C . Those conditions are: (i) each of the traces in Φ C are pairwise different as defined by satisfaction of Δ πj ,π k , and (ii) every trace in this set satisfies the HyperLTL formula ψ.
The remaining operators are standard, so we do not discuss them further and instead provide formal satisfaction semantics.

Satisfaction Semantics of Quantitative HyperLTL
The validity judgement of a property ϕ by a set of traces Φ is defined with respect to a trace assignment Π : Vars → Φ. Here, Vars is the set of trace variables. We use π, π 1 , π 2 , . . . to refer to trace variables. 4 The partial function Π is a mapping from trace variables to traces. We use the notation Π[π → τ] to refer to a trace assignment that is identical to Π except for the trace variable π which now maps to the trace τ. We write Π |= Φ ψ if the set of traces Φ satisfies the property ψ under the trace assignment Π. We will drop the subscript Φ from |= Φ if it is clear from the context or irrelevant. The notation Π [i,∞] is an abbreviation for the new trace assignment obtained by taking the suffix starting from index i of every trace in Π: Π [i,∞] (π) = Π(π) [i,∞] for every trace π ∈ dom(Π) where dom(Π) is the domain of Π. We write Π |= Φ ψ when Π |= Φ ψ is not satisfied. Satisfaction rules for HyperLTL formulas are shown in Fig. 4.
ΦC ⊆ Φ is a maximally large set such that:

Definition 2 (Quantitative HyperLTL Satisfaction).
We say that the transition system M satisfies the property ψ, denoted by M |= ψ if the empty trace assignment ∅ satisfies formula ψ for the set of traces Φ M , that is ∅ |= ΦM ψ.
Additional Operators: The above showed the minimal set of operators required in Quantitative HyperLTL. The rest of this paper will use the other standard operators such as ∧ (conjunction), ⇒ (implication), F (future/eventually) and G (globally/always) which can be defined in terms of the operators in Fig. 3.

Well-Defined Formulas:
In order for the semantics of Quantified HyperLTL to be meaningful, we need certain semantic restrictions on the structure of QHPs.

Definition 3 (Well-defined QHPs). An instance of a counting quantifier #π:
Δ πj ,π k . ϕ N(Z) is said to be well-defined if: 1. ¬Δ πj ,π k is an equivalence relation over the set of all traces Φ, and 2. In every set of the traces Φ C captured by the counting quantifier in the semantics shown in Fig. 4, the term N (Z) has the same valuation for all initial states: ∀τ i , τ j ∈ Φ C . τ 0 i (N (Z)) = τ 0 j (N (Z)).

A Quantified HyperLTL formula is said to be well-defined if every instance of a counting quantifier in the formula is well-defined.
Example 1 (Well-defined QHPs). The QHPs presented in the rest of this paper are all well-defined, so here we give an example of a QHP that is not well-defined. Consider this variant of Property 1: ∀π 0 .#π 1 : true. G (ψ π0,π1 ) ≥ 2 R − 1. This is not a well-defined QHP because Δ πj ,π k in the counting quantifier is simply true, and its negation is not an equivalence relation over the set of traces.
Note that condition (1) in the definition above affects Δ πj ,π k while condition (2) places a restriction on ϕ. The former condition prevents double-counting of traces, while the latter ensures that the trace count is unambiguous.
The properties in our experiments require only syntactic checks to verify well-definedness. Specifically, Δ πj ,π k is always of the form F (P πj ,π k ) where P is of the form P(σ 1 , σ 2 ) . The negation of this is obviously an equivalence relation over the set of all traces. Secondly, our QHPs are of the form ∀π 0 . #π 1 : Δ πj ,π k . ϕ N(Z) where ϕ enforces equality of the variables in Z between the traces π 0 and π 1 . These two features guarantee well-definedness. In the rest of this paper, we only consider well-defined QHPs.

Applications of QHPs in Security Specification
Deniability: Our first example of a quantitative hyperproperty is deniability. Suppose obs(σ) is a term that corresponds to the adversary observable part of the state σ, while secret(σ) corresponds to the secret component of the state σ. Deniability is satisfied when every trace of adversary observations can be generated by at least N (Z) different secrets. For this, we define δ(σ 1 , σ 2 ) . = secret(σ 1 ) = secret(σ 2 ) and ≈ O (σ 1 , σ 2 ) . = obs(σ 1 ) = obs(σ 2 ).
. .  If we can show in a system satisfying deniability that each trace of secrets is equiprobable and N (Z) grows exponentially in some parameters of the system, then we can conclude that the system satisfies computational indistinguishability. Deniability can capture probabilistic notions of confidentiality, such as confidentiality of Path ORAM.
Soundness: While deniability encodes a form of confidentiality, soundness is its dual in the context of integrity. One example of soundness was given in Sect. 2.2 for the Z-K hats puzzle. Soundness is generally applicable to protocols that offer probabilistic integrity guarantees. For instance, many interactive challengeresponse protocols consist of repeated rounds such that if the prover succeeds in all rounds, the verifier can be convinced with a high probability that the prover is not cheating. This can be viewed as a QHP stating that for every trace in which a dishonest prover tricks a verifier into accepting an invalid proof, there are at least N (Z) other traces with different prover responses in which the cheating is detected. As usual, we require that traces be uniformly sampled from a finite set in order to state soundness as a QHP.
Soundness is stated as ∀π 0 .#π 1 : F (δ πj ,π k ). G (ψ π0,π1 ) ≥ N (Z). The relation δ is defined as two states having different prover responses. ψ requires the challenge-response protocol to fail in π 1 if it succeeded in π 0 and also that the system parameters (the variables in Z) be identical between π 0 and π 1 .

Summarizing QHP Specification:
These examples demonstrate that QHPs have important applications in security verification. They capture probabilistic notions of both confidentiality and integrity. In particular, the following form of QHPs consisting of a single quantifier alternation seems especially relevant for security verification: ∀π 0 . #π 1 : Δ πj ,π k . ϕ N(Z). Each of the examples of quantitative hyperproperties discussed in the previous subsection -deniability, soundness, as well as others like quantitative non-interference [46,54] fit in this template. Therefore, in the rest of this paper, we focus on developing scalable verification techniques for QHPs that follow this template.

Trace Enumerations
This section introduces the notion of a trace enumeration, which is a technique that allows us to reduce the problem of counting traces to that of counting satisfiable assignments to a formula in FOL(T ).

Trace Enumeration Relations
We now formalize injective trace enumerations, which allow us to lower-bound the number of traces captured by a counting quantifier in a QHP.

Definition 4 (Injective Trace Enumeration).
Let us consider a transition system M = X, Init(X), Tx (X, X ) and the relation U (Y, τ 1 , τ 2 ) where Y is a set of variables disjoint from X, τ 1 and τ 2 are traces of this transition system.
is a predicate over the variables in Y and Z. We say that the pair V(Y, Z) and U(Y, τ 1 , τ 2 ) form an injective trace enumeration of the system M for the QHP ∀π 0 . #π 1 : Δ πj ,π k . ϕ ≥ N (Z) iff the following conditions are satisfied:

Different assignments to the variables in
If V and U form an injective trace enumeration M for the property ∀π 0 . #π 1 : Δ πj ,π k . ϕ ≥ N (Z), then for every trace τ 0 , there exist at least as many traces satisfying the counting quantifier as there are satisfying assignments to Y in V(Y, Z). This is made precise in the following lemma. V(Y, Z) and U(Y, τ 1 , τ 2 ) form an injective trace enumeration of the system M for the QHP ∀π 0 . #π 1 : Δ πj ,π k . ϕ ≥ N (Z) and if #Y. V(Y, Z) is finite for all assignments to Z, then M |= ∀π 0 .#π 1 :
The above definition ensures that at least one response is incorrect. Notice that for every assignment to Y except the assignment of all zeros, the trace of responses defined by ∀j. P 1 [j] = P 0 [j]⊕Y[j] (where ⊕ is exclusive or) corresponds to a valid trace of the system and satisfies the counting quantifier in Property 1. Specifically, every such response from the prover is incorrect and will result in the protocol failing. We can use the above facts to define the relation U as follows: The pair V and U form an injective trace enumeration for the system M (defined in Fig. 1) for the Property 1. This is because different Y's will result in different prover responses for the same challenges. By Lemma 1, we can conclude that Analogous to injective trace enumerations, it is also possible to define surjective trace enumerations that upper-bound the number of traces captured by a counting quantifier. Details of surjective trace enumerations are presented in the extended version of the paper [43].

Model Counting
As discussed in the previous section, trace enumeration relations can bound the number of satisfying traces in a QHP. Given a QHP ∀π 0 . #π 1 : Δ πj ,π k . ϕ N (Z), appropriate trace enumeration predicates V(Y, Z) and U can be used to derive that ∀π 0 . #π 1 : Δ πj ,π k . ϕ #Y. V(Y, Z). The final step in our verification methodology is to show validity of #Y. V(Y, Z) N(Z). To that end, this section discusses our novel technique for model counting.

Model Counting via SMT Solving
Our approach borrows ideas from enumerative combinatorics [13,52,56] and introduces the inference rules shown in Fig. 6 to reason about model counts for formulas in FOL(T ). Each of the conclusions in the inference rules is a statement involving model counts of FOL(T ) formulas, while each of the premises is a formula in FOL(T ) that does not involve model counts and can, therefore, be checked using SAT/SMT solvers. Most of the rules are straightforward, and we do not describe them due to space constraints. The three interesting rules -Injectivity, Ind ≤ and Ind ≥ -are discussed below.
Injectivity: This rule is based on the following idea from enumerative combinatorics. Suppose we have two sets A and B. We can show that |A| ≤ |B| if there exists an injective function from A to B. Translating this to model counts, the set A in the rule corresponds to satisfying assignments to f (X), B corresponds to satisfying assignments to g(Y ) and F is the injective witness function.

Model Counting in the Motivating Example
The definition of the predicate V in the motivating example is shown below.
Recall that Y is an array of binary values (i.e. the integers 0 and 1) and consider the following predicates: Using these definitions, the proof is as follows.
. 5 Note steps 8 and 9 are automatically discharged by the SMT solver.

Experimental Results and Discussion
In this section, we present an experimental evaluation of the use of trace enumerations for the verification of quantitative hyperproperties.

Methodology
We studied five systems with varying complexity and QHPs. These were modeled in the Uclid5 modeling and verification framework [44,51], which uses the Z3 SMT solver (v4.8.6) [23] to discharge the proof obligations. The experiments were run on an Intel i7-4770 CPU @ 3.40 GHz with 8 cores and 32 GB RAM.
The verification conditions are currently manually generated from the models, but automation of this is straightforward and ongoing. The k-trace properties were proven using self-composition [9,10] and induction. A number of strengthening invariants had to be specified manually for the inductive proofs. Many of the invariants are relational and quantified and, therefore, difficult to infer algorithmically. We note that recent work has made progress toward automated inference of quantified invariants [27,36].

Overview of Results
Due to limited space, we only provide a brief description of our benchmarks for evaluation and refer the interested reader to the extended version of our paper [43] for a more detailed discussion. We have also made the models and associated proof scripts available at [25]. A brief overview of the case studies follows. 1. Electronic Purse. We model an electronic purse, with a secret initial balance, proposed by Backes et al. [7]. A fixed amount is debited from the purse until the balance is insufficient for the next transaction. We prove a deniability property: there is a sufficient number of traces with identical attacker observations but different initial balances. 2. Password Checker. We model the password checker from Finkbeiner et al. [29], but we allow passwords of unbounded length n. We prove quantitative non-interference: information leakage to an attacker is ≤n bits. 3. Array Shuffle. We implement a variant of the Fisher-Yates shuffle. We chose this because producing random permutations of an array is an important component of certain cryptographic protocols (e.g., Ring ORAM [40]). We prove a quantitative information flow property stating that all possible permutations are indeed generated by the shuffling algorithm. 4. ZK Hats. We prove soundness of the zero-knowledge protocol in Sect. 2. 5. Path ORAM. Discussed in Sect. 6.3.
The properties we prove on these models and the results of our evaluation are presented in Table 1 which shows the size of each model, the number of lines of proof code (this is the code for self-composition, property specification, etc.), the number of verification annotations (invariants and procedure pre-/post-conditions) and the verification time for each example. Once the auxiliary strengthening invariants are specified, the verification completes within a few seconds. This suggests that the methodology can scale to larger models, and even implementations. The main challenge in the application of the methodology is the construction of the trace enumeration relations, associated witness functions, and the specification of strengthening invariants. Each of these requires applicationspecific insight. Since most of our enumerations and invariants are quantified, some of the proofs also required tweaking the SMT solver's configuration options (e.g. turning off model-based quantifier instantiation in Z3).

Deniability of Path ORAM
In this section, we discuss our main case study: the application of trace enumerations for verifying deniability of server access patterns in Path ORAM [48], a practical variant of Oblivious RAM (ORAM) [33]. ORAMs refer to a class of algorithms that allow a client with a small amount of storage to store/load a large amount of data on an untrusted server while concealing the client access pattern from the server. Path ORAM stores encrypted data on the server in an augmented binary tree format. Each node stores Z data blocks, referred to as buckets of size Z. Additionally, the client has a small amount of local storage called the stash. The client maintains a secret mapping called the position map to keep track of the path where a data block is stored on the server. Each entry in the position map maps a client address to a leaf on the server. Path ORAM maintains the invariant that every block is stored somewhere along the path from the root to the leaf node that the block is mapped to by the position map.

Deniability of Server Access Patterns in Path ORAM:
We formulate security of access patterns in Path ORAM as a deniability property stating that for every infinitely-long trace of server accesses, there are (numBlks − 1)! traces of client accesses with identical server observations but different client requests.
The binary predicate δ imposes the requirement that the client's request are different in each of the traces captured by the counting quantifier, and the condition in ψ states that all the traces captured by the counting quantifier have the same observable access pattern as π 0 .

Verification of Deniability in Path ORAM:
To verify the QHP stated in Eq. 6, for every trace of server accesses we need to generate (numBlks − 1)! traces of client requests that produce the same server access. Suppose we have Path ORAM (a) that is initialized with some position map. Now consider the Path ORAM (b) with the same number of blocks, but with an initial position map that is a derangement of the position map of (a). 6 The key insight is that ORAM (b) can simulate an identical server access pattern as ORAM (a) by appropriately choosing a different client request that maps to the same leaf that is being accessed by (a) and then updating the position map identically as (a). This is shown in Fig. 7, which shows two Path ORAMs that produce identical server access patterns but service different client requests. ... The above insight leads to a trace enumeration where two traces are related via U if their position maps are derangements of each other, the client accesses are permuted as per the derangement while all other parameters of the ORAM are identical. We use this to prove Property 6. Further details are given in [43].

Related Work
Hyperproperties: Research into secure information flow started with the seminal work of Denning and Denning [24], Goguen and Meseguer [32] and Rushby [42]. The self-composition construction for the verification of secure information flow was introduced by Barthe et al. [10]. Clarkson and Schneider [21] introduced the class of specifications called hyperproperties. Clarkson and colleagues also introduced HyperLTL and HyperCTL * [19], which are temporal logics for specifying hyperproperties, while verification algorithms for these were introduced by Finkbeiner and colleagues in [30]. Cartesian Hoare Logic [47] was introduced by Sousa and Dillig and enables the specification and verification of hyperproperties over programs as opposed to transition systems. A number of subsequent efforts have studied hyperproperties in the context of program verification [5,26,45,53].
Quantitative Information Flow: Quantitative hyperproperties build on the rich literature of quantitative information flow (QIF) [3,17,20,34,46]. The QIF problem is to quantify (or bound) the number of bits of secret information that is attacker-observable. Certain notions of QIF can be expressed as QHPs. It is important to note QHPs can express security specifications (e.g., soundness) that are not QIF. Yasuoka and Terauchi studied QIF from a theoretical perspective and showed that it could be expressed as hypersafety and hyperliveness [54]. Approaches based on QIF measures such as min-entropy [46], Shannon entropy [18] etc. have also been applied in the context of static analysis [38].
Quantitative Hyperproperties: Quantitative Cartesian Hoare Logic (QCHL) enables verification of certain quantitative properties of programs [16]. QHPs are more expressive than QCHL, the latter counts events within a trace (e.g. memory accesses), while QHPs count the number of traces satisfying certain conditions.
The most closely related work to ours is of Finkbeiner et al. [29] who introduced Quantitative HyperLTL over Kripke structures. They also introduced a verification algorithm for this logic that is based on maximum model counting. However, their algorithm does not scale to reasonable-sized systems, and experiments from their paper show that the approach times out when checking an 8-bit leak in a password checker (using 8-bit passwords). We differ from their work in three important ways. First, our properties are defined over symbolic transition systems rather than Kripke structures. This allows modeling and verification of QHPs over infinite-state systems. Second, our bounds are symbolic, which enables us to express bounds as functions of transition system parameters. Finally, our definition of Quantitative HyperLTL is also more expressive. It is not possible to convert our QHPs into (non-quantitative) HyperLTL formulas with k-traces for any fixed value of k.

Verification of ORAMs:
In concurrent work with ours, Barthe et al. [11] and Darais et al. [22] have introduced specialized mechanisms to prove security of ORAMs. Barthe et al. [11] introduced a probabilistic separation logic (PSL) that (among other things) can be used to reason about the security of ORAMs. Unlike QHPs, PSL does not permit quantitative reasoning about probabilities of events and also does not (yet) support machine-checked reasoning. Darais et al. [22] introduce a type system that enforces obliviousness; they use this type system to implement a tree-based ORAM. Note that QHPs can express specifications other than obliviousness, and obliviousness need not necessarily be a QHP.

Conclusion
Quantitative hyperproperties are a powerful class of specifications that stipulate the existence of a certain number of traces satisfying certain constraints. Many important security guarantees, especially those involving probabilistic guarantees of security, can be expressed as quantitative hyperproperties. Unfortunately, verification of quantitative hyperproperties is a challenging problem because these specifications require simultaneous reasoning about a large number of traces of a system. In this paper, we introduced a specification language, satisfaction semantics, and a verification methodology for quantitative hyperproperties. Our verification methodology is based on reducing the problem of counting traces into that of counting the number of assignments that satisfy a first-order logic formula. Our methodology enables security verification of many interesting security protocols that were previously out of reach, including confidentiality of access pattern accesses in Path ORAM.