Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

124 CHAPTER 5. SATURATED DEDUCTION SYSTEMS and lx, l1, . . . , lm → r ∈ LI2 dec . Ej ⊆ Ej+1 implies Ejσ ⊆ Ej+1σ. Let j ≤ i, we have that V ar(Ej) ⊆ V ar({x1, . . . , xj−1}) and hence, V ar(Ejσ) ⊆ V ar({x1σ, . . . , xj−1σ}). By definition of decreasing rule (Definition 49), we have that li � r for 1 ≤ i ≤ m or x � r with x ∈ lx. • If li � r, then liσ � rσ, and thus V ar(rσ) ⊆ V ar(liσ) = V ar(uiσ). We conclude that V ar(rσ) ⊆ V ar(Eiσ). • If x � r for x ∈ lx then V ar(rσ) ⊆ V ar(xσ). If both cases, we deduce that V ar(Ejσ ∪ rσ) ⊆ V ar({x1σ, . . . , xi−1σ}) ∪ � y∈lx V ar(yσ) ∪ V ar({tiσ, . . . , tj−1σ}) for j ≥ i. We conclude that the application of Reduce 2 rule on C ′ outputs a modified constraint system. � We prove below that the correctness and completeness of the rules in Fig. 5.3 with respect to the satisfiability of modified constraint systems. Lemma 46 A satisfiable modified constraint system not in solved form can be reduced into another satisfiable modified constraint system by applying a rule of figure 5.3. PROOF. Let C = (Ej ⊲ tj)1≤j≤n be a satisfiable modified constraint system not in solved form and let i be the smallest integer such that ti /∈ X . Let C = (Cα, Ei ⊲ ti, Cβ) where Cα is in solved form. Since C is satisfiable there exists a substitution σ such that σ |=I2 C. Let us prove that C can be reduced into another satisfiable modified constraint system C ′ by applying transformation rules given in figure 5.3. By lemma 9 (Chapter 2), σ |=I2 C implies σ |=I2 (Cα, Ei \ X ⊲ ti, Cβ) and that, since I2 is I1-strongly order local, there is a well-formed derivation D starting from (Ei \ X )σ of goal tiσ. We have two cases: • If tiσ ∈ (Ei \ X )σ then there exists a term u ∈ Ei \ X such that uσ = tiσ. Let µ = mgu(ti, u), we have σ = µθ for some substitution θ. C can then be reduced to C ′ by applying Unif rule, C ′ = (Cαµ, Cβµ) and θ |=I2 C ′ . • If tiσ /∈ (Ei \ X )σ, let D : (Ei \ X )σ → . . . → F σ, tiσ and for every step in D where � l → r is the rule applied with the substitution γ, for every s ∈ � l \ X , we have either sγ ∈ (Ei\X )σ or sγ was constructed by a former decreasing rule. – Suppose that all applied rules in D are increasing and let � l → r be the last applied rule with the substitution γ, this implies that rγ = tiσ and for every s ∈ � l \ X , sγ ∈ (Ei \ X )σ and then for every s ∈ � l \ X there exists a term u ∈ Ei \ X such that sγ = uσ. Let µ be the most general unifier of � r ? =∅ ti, (s ? =∅ u) ∀s∈ e l\X ,u∈Ei\X and sγ=uσ � , we have σ = µθ and
5.4. ALGORITHM FOR SOLVING REACHABILITY PROBLEMS 125 � γ = µθ for some θ. This implies that C can be reduced to C ′ = (Cα, (Ei⊲ x) x∈ e l , Cβ)µ by applying Reduce 1 and θ |=I2 C ′ . – Suppose that D contains decreasing rules and let j be the first step where the applied rule is decreasing. Let � l → r be this rule applied with substitution γ. D : (Ei \X )σ = F0σ → F0σ, t1σ → . . . → Fj−1σ → Fj−1σ, tjσ → . . . → Fn−1σ, tiσ. Since D is well-formed, we deduce that for every s ∈ � l \ X , sγ ∈ (Ei \ X )σ and then, for every s ∈ l \ X there exists a term u ∈ Ei \ X such that sγ = uσ. Let µ be the most general unifier, we have γ = µθ and γ = µθ for some substitution θ. This implies that C can be reduced to C ′ = (Cα, (Ei ⊲ x) x∈ e l , (Ei ∪ r) ⊲ ti, C ′ β )µ by applying Reduce 2 and θ |=I2 C ′ . Lemma 47 Let C and C ′ be two modified constraint systems such that C ′ is obtained from C by applying a transformation rule. If C ′ is satisfiable then so is C. PROOF. Let C and C ′ be two modified constraint systems such that C ′ is obtained from C by applying a transformation rule and suppose that C ′ is satisfiable. Let σ ′ be a solution of C ′ and let us prove that C is satisfiable. Since a transformation rule can be applied on C, C can’t be in solved form. Suppose that C = (Cα, E ⊲ t, Cβ) where Cα is in solved form and t /∈ X . � • If C ′ is obtained from C by applying Unif rule then, there exists a term u ∈ E \ X such that u and t are unifiable. Let µ be the most general unifier then C ′ = (Cαµ, Cβµ). Since σ ′ |=I2 C ′ , we have σ ′ µ |=I2 (Cα, Cβ) and by the fact that µ is the most general unifier of t and a term in E we have σ ′ µ |=I2 E ⊲ t. We deduce that σ ′ µ |=I2 C. • If C ′ is obtained from C by applying Reduce 1 then there exists an increasing rule lx, l1, . . . , ln → r, a set of terms e1, . . . , en � in E \ X such that has solution. Let µ be the most general unifier. � r ? ? =∅ t, (li =∅ ei)1≤i≤n C ′ = (Cα, (E ⊲ x)x∈lx, Cβ)µ. Since σ ′ |=I2 C ′ and by definition of µ, we have σ ′ µ |=I2 C. • If C ′ is obtained from C by applying Reduce 2 then there exists a decreasing rule lx, l1, . . . , ln → r and a set of terms e1, . . . , en � � in E \ X such ? that (li =∅ ei)1≤i≤n has solution. Let µ be the most general unifier. C ′ = (Cα, (E ⊲ x)x∈lx, (E ∪ r) ⊲ t, C ′ β )µ. Since σ′ |=I2 C ′ and by definition of µ and modified constraint systems, we have σ ′ µ |=I2 C.
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87: 74 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 186 and 187:
174 CHAPTER 6. ON THE GROUND ENTAIL
Page 188 and 189:
176 CHAPTER 6. ON THE GROUND ENTAIL
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?