Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
112 CHAPTER 5. SATURATED DEDUCTION SYSTEMS<br />
additional criterion is needed, in the sense that there exists deduction<br />
systems on which the saturation algorithm terminates, but for which<br />
the general reachability problems are undecidable. Another contribution<br />
<strong>of</strong> this chapter is a decidability result <strong>of</strong> the ground reachability<br />
problems for the theory <strong>of</strong> blind signature [136] using the initial definition<br />
<strong>of</strong> subterm introduced in [10, 31], a similar result was given<br />
in [9] using an extended definition <strong>of</strong> subterm. In [91], another decidability<br />
result has been obtained for the class <strong>of</strong> cryptographic protocols<br />
with blind signature schemes. This result has been obtained<br />
using a different technique than the one followed in this chapter: in<br />
[91], the authors showed the decidability <strong>of</strong> a fragment <strong>of</strong> first order<br />
logic <strong>and</strong> used this result to obtain the decidability for the class <strong>of</strong><br />
cryptographic protocols using blind signature schemes. In addition<br />
we give a decidability result to the general reachability problems for<br />
a class <strong>of</strong> subterm convergent equational theories, while a more general<br />
result was given in [31], the pro<strong>of</strong> given in this chapter for our<br />
special case is much shorter.<br />
Outline. In section 5.1, we introduce the basic notions we use in this<br />
chapter. We introduce the finite variant property in section 5.2.1, <strong>and</strong><br />
in section 5.2.2 we give some examples <strong>of</strong> equational theories having<br />
finite variant property. We introduce the saturation algorithm in<br />
Section 5.3.1 <strong>and</strong> show its properties in section 5.3.2. We give in section<br />
5.4 an algorithm to solve reachability problems. We show the<br />
decidability <strong>of</strong> the ground reachability problem in section 5.5.1, <strong>and</strong><br />
the decidability <strong>of</strong> the general reachability problem in section 5.5.3.<br />
Some application <strong>of</strong> our results are shown in section 5.6. We show<br />
in section 5.7 the decidability <strong>of</strong> the ground reachability problems for<br />
the blind signature theory, <strong>and</strong> in section 5.8, we show the decidability<br />
<strong>of</strong> the ground reachability problems for the subterm convergent<br />
theories.<br />
5.1 The model<br />
To analyse cryptographic protocols, we follow in this chapter the symbolic<br />
model described in Chapter 2. To this end, we assume an infinite set <strong>of</strong> variables<br />
X , an infinite set <strong>of</strong> constants C, a set <strong>of</strong> function symbols F. In addition<br />
to what is already intoducted in Chapter 2, we make use here <strong>of</strong> some additional<br />
notions that we will show next. Given an equational theory H ′ , <strong>and</strong> rewrite system<br />
R, rewriting modulo H ′ , also called equational rewriting, is the relation →H ′ \R<br />
defined as follows: given two terms s, t, we have s →H ′ \R t if <strong>and</strong> only if there