Logical Analysis and Verification of Cryptographic Protocols - Loria

Chapter 5
Decidability results for saturated
deduction systems
In this chapter, we consider the class of cryptographic protocols
where the cryptographic primitives are represented by equational
theories generated by convergent rewrite systems satisfying the finite
variant property, which symbolically has been introduced in [86].
The finite variant property allows one to compute all possible normal
forms of the instances of a term t. Such a property is claimed to be a
key property for decidability results in cryptographic protocols verification
in presence of algebraic properties [80], and many common
equational theories have been proved to have this property, for example,
the Dolev-Yao theory with explicit destructors, the Abelian group
theory and others. A first contribution on this chapter is the decidability
of the ground reachability problems for our class of deduction
systems. Following the description given in Chapter 2, we employ
the finite variant property to reduce reachability problems modulo
an equational theory to reachability problems modulo the empty theory.
We then partially compute a transitive closure of the possible deductions.
We prove that the termination of this computation implies
the decidability of the ground reachability problems. We conjecture
that the overall construction amounts to proving that the deduction
system is F -local [40]. We then give a new criterion that permits us
to reduce general reachability problems to ground reachability problems.
This criterion is based on counting the number of variables in a
reachability problem before and after a deduction is guessed, and is a
generalisation of the one employed for the specific case of the DSKS
intruder model. The intuition behind this criterion is that a deduction
rule has to provide more relations between existing fact than it
introduces new unknown. We give an example showing that such an
111