Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

116 CHAPTER 5. SATURATED DEDUCTION SYSTEMS system generating the exclusive or theory, and such that (R, AC) satisfies the finite variant property [86]. Abelian group theory The Abelian group theory HAG is defined by the following set of equations: ⎧ ⎪⎨ x ∗ (y ∗ z) = (x ∗ y) ∗ z x ∗ y = y ∗ x RAG : ⎪⎩ x ∗ x−1 = 1 x ∗ 1 = x The following rewrite system ⎧ ⎪⎨ RAG : ⎪⎩ x ∗ 1 → x 1 −1 → 1 x ∗ x −1 → 1 x −1 ∗ y −1 → (x ∗ y) −1 (x ∗ y) −1 ∗ y → x −1 (x −1 ) −1 → x (x −1 ∗ y) −1 → x ∗ y −1 x ∗ (x −1 ∗ y) → y x −1 ∗ (y −1 ∗ z) → (x ∗ y) −1 ∗ z (x ∗ y) −1 ∗ (y ∗ z) → x −1 ∗ z is an AC-convergent system for abelian group theory [124], and (RAG, AC) satisfies the finite variant property [86]. In this chapter, we consider only equational theories H generated by convergent rewrite system R, or more formally, we consider only equational theories H for which there exists a rewrite system R such that R is an ∅-convergent rewrite system generating H. From now on, and for the aim of simplicity, we call an equational theory H has the finite variant property if H is generated by a convergent rewrite system R such that (R, ∅) has the finite variant property, that is for any term t, one can compute a finite set of substitutions Σ(t) = {θ1, . . . , θn} such that, for any substitution σ there exists i ∈ {1, . . . , n} and a substitution τ such that (σ)↓ = θiτ and (tσ)↓ = (tθi)↓τ. We call the substitutions θi variant substitutions of t and the terms (tθi)↓ variants of t. It is easy to see that the variant substitutions of any term t are in normal form. The finite variant property ensures that it is possible to compute a complete set of most general unifiers between two terms t and t ′ . Indeed, it suffices to compute�for these two terms the respective sets of variant substitutions , and to (try to) unify in the empty theory every pair of {θi} i∈{1,...,m} , � θ ′ j j∈{1,...,n}
5.3. SATURATION OF INTRUDER DEDUCTION RULES 117 terms (tθi)↓ = (t ′ θ ′ j)↓. Based on this technique, a complete, sound and terminating H-unification algorithm has been given in Section 2.1.8 (Chapter 2) when H is an equational theory generated by a convergent rewrite system having the finite variant property. 5.3 Saturation of intruder deduction rules In the rest of this chapter we assume that F is a signature, H represents an equational theory generated by a convergent rewriting system R, and such that (R, ∅) satisfies the finite variant property. Furthermore, we assume I0 = 〈F, TI0, H〉 to be an intruder deduction system (Definition 16, Chapter 2), L0 = LI0 to be intruder deduction rules associated to I0, that is, rules in LI0 are of the form x1, . . . , xn → f(x1, . . . , xn) where f is a public function symbol in F with arity n. Definition 49 (Increasing and decreasing deduction rule) Let � l → r be a deduction rule with � l is a set of terms and r is a term. � l → r is said to be decreasing rule if there is a term s ∈ � l such that s � r and � l → r is said to be increasing otherwise. From now on, if L is a set of deduction rules, we denote by Linc the set of increasing rules in L and by Ldec the set of decreasing rules in L. By definition of increasing and decreasing rules, we have L = Linc ∪ Ldec. Definition 50 Let E (respectively t) be a set of terms (respectively a term) in normal form and let D be a derivation starting from E of goal t, D : E = E0 → E0, t1 → . . . → En−2, tn−1 → En−1, t. We let Cons(D) be the sequence of terms constructed during the derivation D, Cons(D) = E0 ∪ {t1, . . . , tn−1}. Definition 51 (well-formed derivation) Let E (respectively t) be a set of terms (respectively a term) and let D be a derivation starting from E of goal t, D : E = E0 → E0, t1 → . . . → En−2, tn−1 → En−1, t. The derivation D is said to well-formed if for all rules � l → r applied with substitution σ, for all u ∈ � l \ X we have either uσ ∈ E or uσ was deduced by a former decreasing rule. Definition 52 (Strongly order locality) Let I1 = 〈F, TI1, H〉 be an intruder deduction system (Definition 16), we recall that TI1 = {f(x1, . . . , xn) such that xi is variable for every i, and f ∈ Fpub with arity n }. Let I2 = 〈F, LI2, ∅〉 be another intruder deduction system with LI2 a set of intruder deduction rules of the form l1, . . . , ln → r and li, r are terms in T (F, X ). I2 follows the definition of intruder deduction systems of [72]. I2 is said to be I1-strongly order local if the following three conditions are satisfied:
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79: 66 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 178 and 179:
166 CHAPTER 6. ON THE GROUND ENTAIL
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?