Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

118 CHAPTER 5. SATURATED DEDUCTION SYSTEMS Figure 5.1 Saturation algorithm modulo H Input: The intruder deduction rules L0. Initialisation: Let I = 〈F, L, ∅〉 be the variant of the intruder deduction system I0 (Definition 19, Chapter 2). We recall that L = � x1, . . . , xn → f(x1, . . . , xn) ∈ L0 θ variant substitution of f(x1, . . . , xn) x1θ, . . . , xnθ → (f(x1, . . . , xn)θ)↓ Step 1. Start with L ′ = L. Repeat the closure rule given below until no more new rule can be added on L ′ . Output: Output L ′ . �l1 → r1 ∈ L ′ inc ; � l2, s → r2 ∈ L ′ L ′ ← L ′ ∪ � ( � l1, � � l2 → r2)σ s /∈ X σ = mgu(r1, s) V ariant Let I ′ 1 = 〈F, LI ′ 1 , ∅〉 be the variant intruder deduction system of I1, LI ′ ⊆ LI2. 1 SOL1 For any set of ground terms E in normal form and any ground term t in normal form we have: t ∈ E I1 if and only if t ∈ E I2 . SOL2 For any set of terms E in normal form and any terms t in normal form such that t ∈ E I2 . For all I2-derivations D starting from E of goal t we have either D is well-formed or there is another I2-derivation D ′ starting from E of goal t such that Cons(D) ⊆ Cons(D ′ ) and D ′ is well-formed. 5.3.1 Saturation algorithm We define in Figure 5.1 the saturation algorithm modulo H which takes as input the set of deduction rules L0 and outputs another set of deduction rules called a saturated set of deduction rules. We define two new deduction systems I = 〈F, L, ∅〉 and I ′ = 〈F, L ′ , ∅〉. We
5.3. SATURATION OF INTRUDER DEDUCTION RULES 119 remark that I0 satisfies the definition of intruder deduction system as given in Definition 16 (Chapter 2) and in [73], and the intruder deduction systems I, I ′ satisfy the definition of intruder deduction system as given in [72]. 5.3.2 Properties of the saturation We prove in Lemmas 41 and 42 that I ′ is I0-strongly order local: in fact, the saturation algorithm given in Figure 5.1 implies easily that I ′ satisfies V ariant, Lemma 41 shows that SOL1 is satisfied and Lemma 42 shows that SOL2 is satisfied. Lemma 41 For any set of ground terms E in normal form and any ground term t in normal form we have: t ∈ E I0 if and only if t ∈ E I′ . PROOF. The direct implication is trivial since L ⊆ L ′ . Let us prove the converse implication. In Section 2.1.11 (Chapter 2), we proved that: E →I F implies E →I0 F for any two sets of ground terms E and F in normal form, an hence t ∈ E I implies t ∈ E I0 for any set of ground terms in normal form E and any ground term in normal form t. We prove now that t ∈ E I′ implies t ∈ E I for any set of ground terms in normal form E and any ground term in normal form t. Assume that there exists a I ′ -derivation starting from E of goal t. Let us define an arbitrary total order on the rules of L, and we extend this order to rules of L ′ \ L as follows: rules of L are smaller than the rules of L ′ \ L and rules of L ′ \ L are ordered according to the order of their construction during the saturation. Let M(D) be the multiset of rules applied in D. Let Ω(E, t) = {D | D : E →∗ I ′ F ∋ t}. By construction, the ordering on rules is total and well-founded, and thus the pre-ordering on derivations in Ω(E, t) is also total and well-founded. Since t ∈ E I′ , we have Ω(E, t) �= ∅, and thus M(Ω(E, t)) has a minimum element which is reached. Let D be a derivation in Ω(E, t) having the minimum M(D), and let us prove that D employs only rules in L. By contradiction, assume that D uses a rule � l → r ∈ L ′ \ L applied with a ground substitution σ on a set F . Since l → r /∈ L, it has been constructed by closure rule. Thus, there exists two rules � l1 → r1 ∈ L ′ inc and � l2 → r2 ∈ L ′ , a term s ∈ � l2 \ X such that s and r1 are unifiable, α = mgu(s, r1), � l = ( � l1, � l2 \ s)α and r = r2α. Replacing the application of the rule � l → r by two steps applying first the rule � l1 → r1 and then � l2 → r2 yields another derivation D ′ . Since � l → r must have an order bigger than the order of � l1 → r1 and � l2 → r2 and the last two rules are in L ′ , we deduce that D ′ ∈ Ω(E, t) and M(D ′ ) < M(D) which contradicts the minimality of M(D). �
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81: 68 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 180 and 181:
168 CHAPTER 6. ON THE GROUND ENTAIL
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?