Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

130 CHAPTER 5. SATURATED DEDUCTION SYSTEMS Figure 5.4 Martelli-Montanari ∅-unification algorithm Given an ∅-unification system U, repeatedly perform any of the following transformations. If no transformation applies, stop with success. • Select any equation of the form t ? = ∅ x where t is not a variable and x is a variable, and rewrite it as x ? = ∅ t. • Select any equation of the form x ? = ∅ x where x is variable, and erase it. • Select any equation of the form t ′ ? =∅ t” where t ′ and t” are not variables. If the two root function symbols are different, stop with failure; otherwise, assume t ′ = f(t1, . . . , tn) and t” = f(s1, . . . , sn) with f a function symbol with arity n and apply the following: If n = 0, then f is a constant symbol, and the equation is simply erased; otherwise, replace f(t1, . . . , tn) ? = ∅ f(s1, . . . , sn) with the following equations: t1 ? = ∅ s1, . . . , tn ? = ∅ sn. • Select any equation of the form x ? = ∅ t where x is a variable which occurs somewhere else in the unification system and where t �= x. If x occurs in t, then stop with failure; otherwise, apply the substitution σ = {x ↦→ t} to both terms of all other equations in the unification system (without erasing x ? = ∅ t). Martelli-Montanari unification algorithm. In this paragraph, we recall the unification algorithm due to Martelli-Montanari [147], which is used in the proof of the next lemma. In [147], A. Martelli and U. Montanari gave a ∅-unification algorithm based on the transformation of a given ∅-unification system U into an equivalent and simpler unification system. An unification system U is said to be in solved form if and only if it satisfies the following conditions: • every equation in U is of the form x ? =∅ t; • every variable which is the left member of some equation occurs only there. � � ? ? An ∅-unification system U = x1 =∅ t1, . . . , xn =∅ tn in solved form has the obvious unifier σ = {x1 ↦→ t1, . . . , xn ↦→ tn}, which is its most general ∅-unifier. We give in Figure 5.4 Martelli-Montanari ∅-unification algorithm. In [147], A. Martelli and U. Montanari proved that for any ∅-unification system U • their algorithm always terminates, no matter which choices are made,
5.5. DECIDABILITY RESULTS 131 • if the algorithm terminates with failure, U has no unifier, and if the algorithm terminates with success, U has been transformed into an equivalent ∅-unification system in solved form. We remark that Martelli-Montanari ∅-unification algorithm provides a widely general version from which most unification algorithms [35, 55, 148, 167, 177, 176, 197, 198] can be derived. Lemma 49 Let S = {s1, . . . , sn} and T = � {t1, . . . , tn} be two sets � of terms and let σ be the most general unifier of V = . If µ(T ) > 0 s1 ? ? =∅ t1, . . . , sn =∅ tn then either nbv(s1, . . . , sn) > nbv((s1, . . . , sn, t1, . . . , tn)σ) or nbv(s1, . . . , sn) = nbv((s1, . . . , sn, t1, . . . , tn)σ), S = Sσ and for all x ∈ V ar(T ) there is i ∈ {1, . . . , n} such that σ(x) � si. PROOF. Let V = � s1 ? =∅ t1, . . . , sn � ? =∅ tn . In order to solve V , we apply the first step of the unification algorithm of Martelli-Montanari [147] (Figure 5.4). We reduce V to V ′ � � = such that x1 ? =∅ u1, . . . , xk ? =∅ uk, xk+1 ? =∅ uk+1, . . . , xm ? =∅ um for every equation x ? =∅ u ∈ V ′ , we have either x ∈ V ar(S) and u ∈ Sub(T ) or x ∈ V ar(T ) and u ∈ Sub(S). We suppose that xj ∈ V ar(T ) for j ∈ {1, . . . , k}. • If k = m then we have xj ∈ V ar(T ) for j ∈ {1, . . . , m}. We suppose that xi �= xj for all i, j ∈ {1, . . . , m} and i �= j. This implies that Sσ = S and V ar(T ) are instantiated by subterms of S, that is V ar(T )σ are smaller or equal than terms in S. We conclude also that nbv(s1, . . . , sn) = nbv((s1, . . . , sn, t1, . . . , tn)σ). • If k �= m assume {uk+1, . . . , um} /∈ V ar(T ), we have different cases: – If for all different i, j ∈ {1, . . . , m} we have xi �= xj then m−k variables of S, xk+1, . . . , xm, are instantiated by subterms of T , uk+1, . . . , um. This implies that when we apply σ to U, new variables, V ar(uk+1, . . . , um)\ {x1, . . . , xk} will appear in Sσ. There exists a set T ′ �⊆ X such that T → ∗ U T ′ and T ′ = {x1, . . . , xk, uk+1, . . . , um}. Since µ(T ) > 0, we have |T ′ \X | > |V ar(T ′ \X )\(x1, . . . , xk)|. This implies that nbv(s1, . . . , sn) > nbv((s1, . . . , sn, t1, . . . , tn)σ). – If there is different i, j ∈ {1, . . . , m} such that xi = xj: ∗ If i, j ≤ k then we have to unify two subterms of S. Let ui and uj be these two subterms and α be their most general unifier. Let us apply α on V and � to solve V we have to solve V α = . To solve V α we reduce it to another � s1α ? =∅ t1, . . . , snα ? =∅ tn
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93: 80 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 190 and 191: 178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
180 CHAPTER 7. VOTER VERIFIABILITY
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?