Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

122 CHAPTER 5. SATURATED DEDUCTION SYSTEMS PROOF. Let C 0 (respectively C) be a I1- (respectively I2-) constraint system and assume that C is obtained from C 0 at then end of Step 1. This implies that C 0 = (E1 ⊢ v1, . . . , En ⊢ vn, U) and C = ((E1θ)↓ ⊲ (v1θ)↓, . . . , (Enθ)↓ ⊲ (vnθ)↓) while θ is a substitution in normal form (the construction of θ is shown in Definition 28). Since C is I2-satisfiable there exists a normal substitution σ ′ such that (viθ)↓σ ′ ∈ (Eiθ)↓σ ′I2 and thus (viθσ ′ )↓ ∈ (Eiθσ ′ )↓ I2 , which implies that (viθσ ′ )↓ ∈ (Eiθσ ′ )↓ I1 (Lemma 41). Let σ = (θσ ′ )↓, we have that (viσ)↓ ∈ (Eiσ)↓ I0 , and by construction of θ, we have that θ |=I1 U, and hence σ |=I1 U which concludes the proof. � Transformation in solved form In the rest of this chapter, we denote by lx, l1, . . . , ln → r a LI2-rule such that lx is a finite set of variables and {l1, . . . , ln} is a finite set of non-variable terms. Unless otherwise specified, I2 is the intruder deduction system implicit in all notations. In the rest of this section, we prove a progress property: If a satisfiable modified constraint system is not in solved form, then a rule of Fig. 5.3 can be applied on it to yield another satisfiable modified constraint system. Figure 5.3 System of transformation rules. Unif : Reduce 1 : Cα, E ⊲ t, Cβ (Cα, (E ⊲ y)y∈lx , Cβ)σ Reduce 2 : Cα, E ⊲ t, Cβ (Cα, (E ⊲ y)y∈lx , E ∪ r ⊲ t, C′ β )σ Cα, E ⊲ t, Cβ (Cα, Cβ)σ u ∈ E \ X , t /∈ X , σ = mgu(u, t) lx, l1, . . . , ln → r ∈ LI2 inc � and t � /∈ X e1, . . . , en ∈ E \ X and σ = mgu( ei ? = ∅ li 1≤i≤n , r ? = ∅ t) lx, l1, . . . , ln → r ∈ LI2 dec and � t /∈ X e1, . . . , en ∈ E \ X and σ = mgu( ei ? � = ∅ li 1≤i≤n ) C ′ β is obtained from Cβ by adding r to left hand side of constraints Simplification step. Let C = (Cα, E ⊲ t, Cβ) be a modified constraint system such that Cα in solved form and t /∈ X . If we apply Reduce 1 (respectively Reduce 2) on C using a rule lx, l1, . . . , ln → r such that there is a variable x ∈ lx \V ar({l1, . . . , ln, r}) then the constraint E ⊲x will be in the obtained modified
5.4. ALGORITHM FOR SOLVING REACHABILITY PROBLEMS 123 constraint system C ′ and x does not appear twice in C ′ . By lemma 10, this constraint can be deleted from C ′ . As a consequence, we apply a simplification step on the deduction system LI2 that eliminates variables x ∈ lx \V ar({l1, . . . , ln, r}) for all rules lx, l1, . . . , ln → r ∈ LI2. The next Lemma shows that the application of a rule from Figure 5.3 on a modified constraint system outputs a modified constraint system. Lemma 45 Let C ′ be a modified constraint system. The application of Unif, Reduce 1 and Reduce 2 rules on C ′ outputs a modified constraint system. PROOF. Let C ′ = (E1 ⊲ t1, . . . , En ⊲ tn) be a modified constraint system. Definition 22 (Chapter 2) implies that Ei ⊆ Ei+1 and V ar(Ei) ⊆ V ar({t1, . . . , ti−1}) for i ∈ {1, . . . , n}. Assume C ′ = (E1 ⊲ x1, . . . , Ei−1 ⊲ xi−1, Ei ⊲ ti, Ei+1 ⊲ ti+1, . . . , En ⊲ tn) with ti /∈ X , and let us prove that the application of Unif, Reduce 1 and Reduce 2 rules on C ′ outputs a modified constraint system. Unif. The application of Unif on C ′ outputs C” = (E1σ ⊲ x1σ, . . . , Ei−1σ ⊲ xi−1σ, Ei+1σ ⊲ ti+1σ, . . . , Enσ ⊲ tnσ) with σ = mgu(u ? =∅ ti), u ∈ Ei \ X . Ej ⊆ Ej+1 implies Ejσ ⊆ Ej+1σ. We prove next that V ar(Ejσ) ⊆ V ar(x1σ, . . . , xi−1σ, ti+1σ, . . . , tj−1σ). Actually, we have V ar(Ej) ⊆ V ar(x1, . . . , xi−1, ti, . . . , tj−1). This implies that V ar(Ejσ) ⊆ V ar(x1σ, . . . , xi−1σ, tiσ, ti+1σ, . . . , tj−1σ). We have that tiσ = uσ and u ∈ Ei, thus V ar(tiσ) = V ar(uσ) ⊆ V ar(Eiσ) ⊆ V ar({x1σ, . . . , xi−1σ}). This implies that V ar(Ejσ) ⊆ V ar(x1σ, . . . , xi−1σ, ti+1σ, . . . , tj−1σ), and hence, the application of Unif rule on C ′ outputs a modified constraint system. Reduce 1. The application of Reduce 1 on C ′ outputs C” = (E1σ ⊲ x1σ, . . . , Ei−1σ ⊲ xi−1σ, (Eiσ ⊲ yσ)y∈lx, Ei+1σ ⊲ ti+1σ, . . . , Enσ ⊲ tnσ) with σ = mgu(r ? =∅ ti, (uk ? =∅ lk)1≤k≤m), uk ∈ Ei \ X , and lx, l1, . . . , lm → r ∈ LI2 inc . Ej ⊆ Ej+1 implies Ejσ ⊆ Ej+1σ. Let j ≤ i, we have that V ar(Ej) ⊆ V ar({x1, . . . , xj−1}) and hence, V ar(Ejσ) ⊆ V ar({x1σ, . . . , xj−1σ}). Let j > i, and let us prove that V ar(Ejσ) ⊆ V ar({x1σ, . . . , xi−1σ} ∪ {yσ} ∪ {ti+1σ, . . . , tj−1σ}). We have that y∈lx V ar(Ejσ) ⊆ V ar({x1σ, . . . , xi−1σ, tiσ, ti+1σ, . . . , tj−1σ}), and V ar(tiσ) = V ar(rσ) ⊆ V ar(lxσ) ∪ V ar({l1σ, . . . , lmσ}) ⊆ V ar(lxσ) ∪ V ar(Eiσ) ⊆ V ar(lxσ) ∪ V ar({x1σ, . . . , xi−1σ}). We conclude that V ar(Ejσ) ⊆ V ar({x1σ, . . . , xi−1σ} ∪ {yσ} ∪ {ti+1σ, . . . , tj−1σ}), and hence, the appli- y∈lx cation of Reduce 1 rule on C ′ outputs a modified constraint system. Reduce 2 . The application of Reduce 2 on C ′ outputs C” = (E1σ ⊲ x1σ, . . . , Ei−1σ ⊲ xi−1σ, (Eiσ ⊲ yσ)y∈lx, Eiσ ∪ rσ ⊲ tiσ, Ei+1σ ∪ rσ ⊲ ti+1σ, . . . , Enσ ∪ rσ ⊲ tnσ) with σ = mgu((uk ? =∅ lk)1≤k≤m), uk ∈ Ei \ X ,
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85: 72 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 184 and 185:
172 CHAPTER 6. ON THE GROUND ENTAIL
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?