Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

112 CHAPTER 5. SATURATED DEDUCTION SYSTEMS additional criterion is needed, in the sense that there exists deduction systems on which the saturation algorithm terminates, but for which the general reachability problems are undecidable. Another contribution of this chapter is a decidability result of the ground reachability problems for the theory of blind signature [136] using the initial definition of subterm introduced in [10, 31], a similar result was given in [9] using an extended definition of subterm. In [91], another decidability result has been obtained for the class of cryptographic protocols with blind signature schemes. This result has been obtained using a different technique than the one followed in this chapter: in [91], the authors showed the decidability of a fragment of first order logic and used this result to obtain the decidability for the class of cryptographic protocols using blind signature schemes. In addition we give a decidability result to the general reachability problems for a class of subterm convergent equational theories, while a more general result was given in [31], the proof given in this chapter for our special case is much shorter. Outline. In section 5.1, we introduce the basic notions we use in this chapter. We introduce the finite variant property in section 5.2.1, and in section 5.2.2 we give some examples of equational theories having finite variant property. We introduce the saturation algorithm in Section 5.3.1 and show its properties in section 5.3.2. We give in section 5.4 an algorithm to solve reachability problems. We show the decidability of the ground reachability problem in section 5.5.1, and the decidability of the general reachability problem in section 5.5.3. Some application of our results are shown in section 5.6. We show in section 5.7 the decidability of the ground reachability problems for the blind signature theory, and in section 5.8, we show the decidability of the ground reachability problems for the subterm convergent theories. 5.1 The model To analyse cryptographic protocols, we follow in this chapter the symbolic model described in Chapter 2. To this end, we assume an infinite set of variables X , an infinite set of constants C, a set of function symbols F. In addition to what is already intoducted in Chapter 2, we make use here of some additional notions that we will show next. Given an equational theory H ′ , and rewrite system R, rewriting modulo H ′ , also called equational rewriting, is the relation →H ′ \R defined as follows: given two terms s, t, we have s →H ′ \R t if and only if there
5.2. FINITE VARIANT PROPERTY 113 exists a position p ∈ P os(s) such that s|p =H ′ lσ and t = s[rσ]p for some substitution σ and rule l → r ∈ R. A rewrite system R is H ′ -confluent if and only if for any terms t, u, v such w and that t → ∗ H\R u and t →∗ H\R v, there exists a term w verifying u →∗ H\R v →∗ H\R w. it said to be H′ -convergent if, in addition, =H ′ ◦ →R ◦ =H ′ is wellfounded. The notion of R-normal form defined in Chapter 2 is extended to H ′ \R-normal form as expected. These notions are initially given in [100]. We assume in the following two equational theories H and H ′ , and an H ′ - convergent rewrite system R generating H. Furthermore, we assume a complete simplification order ≻ over T (F, X ), that is ≻ is well-founded, monotone, stable, subterm, and total over ground terms (T (F)). We extend the strict order ≻ over T (F, X ) to the order � over T (F, X ) as follows: we have t1 � t2 if and only if t1 ≻ t2 or t1 = t2 for any terms t1, t2 ∈ T (F, X ). 5.2 Finite variant property In what follows, we make use of “AC ′′ to means the associativity and commutativity axioms. 5.2.1 Definition of finite variant property In [84, 87], the authors came twice through the following problem: Given an AC-convergent rewrite system R, is it possible (and how) to compute from any term t a finite set of instances tσ1, . . . , tσn such that {(tσ)↓ | σ ∈ Σ} = n� {(tσi)↓θ | θ ∈ Σ} i=1 where Σ is the set of normalised substitutions and (s)↓ is the AC-normal form of s with respect to R. In other words, the reductions in tσ only depend on reductions in finitely many (fixed) instances of t. This is typically what it is called in [86] the finite variant property: compute in advance all possible normal forms of an instance of t, independently of that instance. Definition 45 (H-variants modulo H ′ ) Given two terms t, t ′ ∈ T (F, X ), t ′ is an Hvariant of t if there is a substitution θ such that tθ =H t ′ . A complete set of H-variants modulo H ′ of t is a set V of H-variants of t such that, for every substitution σ, there is a term t ′ ∈ V and a substitution θ such that (tσ)↓ R =H ′ t′ θ.
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
60 CHAPTER 3. PROTOCOLS WITH VULNER
Page 74 and 75: 62 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 126 and 127: 114 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 174 and 175:
162 CHAPTER 6. ON THE GROUND ENTAIL
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?