Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

114 CHAPTER 5. SATURATED DEDUCTION SYSTEMS Definition 46 (finite variant property) The pair of equational theories (H, H ′ ) has the finite variant property if for every term t, we can effectively compute a finite complete set of H-variants modulo H ′ . Sometimes and for simplicity, we will simply say variants and complete set of variants when H and H ′ are clear from the context. When R is a H ′ -convergent rewrite system generating H, we have that (R, H ′ ) satisfies the finite variant property if and only if (H, H ′ ) satisfies the finite variant property. Definition 47 (R, H ′ ) satisfies the finite variant property if for any term t, there is a finite set of variants t1, . . . , tn, effectively computable, such that, for every substitution σ, there is an index i and a substitution θ such that (tσ)↓ H ′ \R =H ′ tiθ. In [86], the authors showed that if (R, H ′ ) has the finite variant property, we may not only compute in advance some instances ti of t such that (tσ)↓ is always an instance modulo H ′ of some ti , but actually compute in advance substitutions θi such that ti = (tθi)↓ is a complete set of variants and every normalised substitution can be factorised through θi. This result is summarised by the following lemma. Lemma 40 (R, H ′ ) has the finite variant property if and only if for any term t, there is a finite set of substitutions Σ(t) such that for any substitution σ, there exists a substitution θ ∈ Σ(t), and a substitution τ verifying (σ)↓ =H ′ θτ and (tσ)↓ =H ′ (tθ)↓τ In [86], S. Delaune and H. Comon-Lundh define the boundness property as follows: Definition 48 (boundedness property) (R, H ′ ) satisfies the boundedness property if for every term t, there exists an integer n such that for every normalised substitution σ, the normal form of tσ is reachable by a derivation whose length can be bounded by n: ∀t, ∃n, ∀σ, t((σ)↓) ≤n →H ′ \R (tσ)↓ and then, S. Delaune and H. Comon-Lundh showed the relationships between the boundness property and the finite variant property by proving the following theorem. Theorem 9 (R, H ′ ) satisfies the boundedness property if and only if (R, H ′ ) satisfies the finite variant property. 5.2.2 Equational theories having finite variant property In [86], S. Delaune and H. Comon-Lundh showed that for any equational theory H generated by a (∅-) convergent rewrite system R, if any R-basic narrowing
5.2. FINITE VARIANT PROPERTY 115 starting from any term t terminates then (R, ∅) satisfies the boundness property and hence, by theorem 9, (R, ∅) satisfies the finite variant property. Since the termination of basic narrowing derivations starting from right hand sides of rules of any convergent rewrite system R implies the termination of basic narrowing derivations starting from any term t with respect to R [123] (Chapter 2, theorem 1), the result obtained in [86] allows us to conclude that finite variant property holds for any equational theory H generated by a convergent rewriting system R such that any basic narrowing derivation starting from right hand sides of rules of R terminates. Furthermore, it is shown in [86] that the finite variant property holds for any equational theory H generated by a convergent optimally reducing [162] rewriting system R. In practice, many equational theories, which are relevant to cryptographic protocols, have the finite variant property. We give in the follow some of them: Dolev-Yao theory with explicit destructors The Dolev-Yao theory with explicit destructors is given by the following equational theory: ⎧ ⎪⎨ HDY : ⎪⎩ π1(< x, y >) = x π2(< x, y >) = ydec s (enc s (x, y), y) = x dec p (enc p (x, y), y −1 ) = x dec p (enc p (x, y −1 ), y) = x The application of Knuth-Bendix completion procedure [131] on HDY terminates successfully and outputs the rewrite system RDY ⎧ ⎪⎨ RDY : ⎪⎩ π1(< x, y >) → x π2(< x, y >) → y dec s (enc s (x, y), y) → x dec p (enc p (x, y), y −1 ) → x dec p (enc p (x, y −1 ), y) → x Following the results obtained in [21], RDY is a convergent rewrite system generating HDY . Furthermore, the right hand sides in all rules in RDY are not basic narrowable and hence, we conclude that the finite variant property holds for HDY . Exclusive Or theory The Exclusive Or theory HEO given by the equations x + x = 0 x + 0 = x x + x + y = y and the associativity and commutativity axioms for +. It is proven that REO = {x + x → 0, x + 0 → x, x + x + y → y} is a AC-convergent rewrite
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77: 64 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 176 and 177:
164 CHAPTER 6. ON THE GROUND ENTAIL
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?