Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

106 CHAPTER 4. PROTOCOLS WITH VULNERABLE SIGNATURE SCHEMES no substitution is applied, and thus denoting C ′ the result of transformation, we have M(C ′ ) < M(C). Let us now consider the case of Apply rule, and let C ′ be the obtained modified I-constraint system. If the underlying intruder deduction rule is in LDEO, the fact that t is not a variable implies that the right-hand side of the rule will be instantiated by the strict maximal subterms t1, . . . , tk of t. we will thus have M(C ′ ) = M(C) ∪ {t1, . . . , tk} \ {t} and thus M(C ′ ) < M(C). It is now suffices to prove the Lemma for the rule in L”DEO \ LDEO: the applied rule is: f(P k(y), sig(x, Sk(y))), Sk”(P k(y), sig(x, Sk(y))) → sig(x, Sk(y)). The substitution σ is the most general unifier of the unification system � � t ? =∅ sig(x, Sk(y)), e1 ? =∅ f(P k(y), sig(x, Sk(y))), e2 ? =∅ Sk”(P k(y), sig(x, Sk(y))) for some e1, e2 ∈ E. since it is syntactic unification and since we can assume neither e1, neither e2 (by Lemma 9) nor t (by definition of the Apply rule) are variables, we must have t = sig(t1, t2), e1 = f(v1, v2), and e2 = Sk”(v3, v4). • If t2 ∈ X , we have σ(x) = t1, σ(t2) = Sk(y) and the unification system is then � transformed into: � ? =∅ sig(t1, Sk(y)) . v1 ? =∅ P k(y), v2 ? =∅ sig(t1, Sk(y)), v3 ? =∅ P k(y), v4 By the fact that t3 is replaced by y, x, y /∈ V ar(C), and the number of variables in σ is strictly less than the union of variables of the unification system, we deduce that nbv(C ′ ) < nbv(C). • If t2 /∈ X then t2 = Sk(t3). We have σ(x) = t1, σy = t3 and the unification system is then transformed into: � � ? =∅ sig(t1, Sk(t3)) . v1 ? =∅ P k(t3), v2 ? =∅ sig(t1, Sk(t3)), v3 ? =∅ P k(t3), v4 If the unification system is obvious, that is σ is the identity substitution, we have C ′ = C \ (E ⊲ t), and then M(C ′ ) = M(C) \ t which implies that M(C ′ ) < M(C). Else, we have nbv(C ′ ) < nbv(C). This concludes the proof. � Lemma 38 If C = (E1 ⊲ t1, . . . , En ⊲ tn) is a modified I-constraint system satisfied by a substitution σ with respect to I” (σ |=I” C), then it can be transformed into a constraint system in solved form by the rules of Figure 4.2. PROOF. Let C = (E1 ⊲t1, . . . , En⊲tn) be a modified I-constraint system not in solved form and let i be the smallest integer such that ti /∈ X , then C = (Cα, Ei ⊲ ti, Cβ) where Cα is in solved form, and t /∈ X . Let σ be a substitution such that
4.4. DECIDABILITY RESULTS 107 σ |=I” C, and let us prove that C can be reduced to another satisfiable modified I-constraint system C ′ by applying the transformation rules given in the algorithm. σ |=I” C, then σ |=I” (Cα, Ei \ X ⊲ ti, Cβ) (Lemma 9) and then, (Ei \ X )σ → ∗ I ∅ tiσ. We have two cases: • If tiσ ∈ (Ei \ X )σ, there exists a term u ∈ (Ei \ X ) such that uσ = tiσ. Let µ be the most general unifier of u and ti, then σ = θµ, and we can simplify C by applying the first transformation rule Unif, C =⇒ C ′ = (Cαµ, Cβµ). We have σ |=I” Cα and σ |=I” Cβ, then θ |=I” {Cαµ, Cβµ}. • If tiσ /∈ (Ei \ X )σ there exists a derivation starting from (Ei \ X )σ of goal tiσ, and then from Eiσ of goal tiσ. By lemma 32, there exists a derivation starting from Eiσ of goal tiσ such that for all steps in the derivation such that l → r is the applied rule with the substitution σ, for all s ∈ l and s /∈ X , we have sσ ⊆ Eiσ. This implies that we can reduce C to C ′ by applying the Apply rule of transformation and θ |=I” C ′ . We deduce that for all satisfiable modified I-constraint systems C such that C is not in solved form, C can be reduced to another satisfiable modified I-constraint system C ′ by applying the transformation rules. When applying the transformation rules to a modified I-constraint system, we reduce its complexity (Lemmas 36 and 37), this implies that when we reduce C, we will obtain at some step a satisfiable modified I-constraint system which can not be reducible, this modified I-constraint system is in solved form. This concludes the proof. � Lemma 39 Let C and C ′ be two modified I”-constraint systems such that C ′ is obtained from C by applying a transformation rule from figure 4.2. If C ′ is I”-satisfiable then so is C. PROOF. Let C and C ′ be two modified I”-constraint systems such that C ′ is obtained from C by applying a transformation rule and suppose that C ′ is I”-satisfiable. Let σ ′ be a solution of C ′ and let us prove that C is I”-satisfiable. Since a transformation rule can be applied on C, C can’t be in solved form. Suppose that C = (Cα, E ⊲ t, Cβ) where Cα is in solved form and t /∈ X . • If C ′ is obtained from C by applying Unif rule then, there exists a term u ∈ E\X such that u and t are syntactically unifiable. Let µ be the most general ∅-unifier then C ′ = (Cαµ, Cβµ). Since σ ′ |=I” C ′ , we have σ ′ µ |=I” (Cα, Cβ) and by the fact that µ is the most general ∅-unifier of t and a term in E we have σ ′ µ |=I” E ⊲ t. We deduce that σ ′ µ |=I” C. • If C ′ is obtained from C by applying Apply then there exists a rule lx, l1, . . . , ln → r ∈ L ′′ , a set of terms e1, . . . , en in E \ X such that
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69: 56 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 168 and 169:
156 CHAPTER 6. ON THE GROUND ENTAIL
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?