Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

134 CHAPTER 5. SATURATED DEDUCTION SYSTEMS modified constraint system C is transformed into (Cα, (E ⊲ y)y∈lx\{x}, E ⊲ x, E ∪ {x} ⊲ t, C ′ β )σ = Cασ, (Eσ ⊲ yσ)y∈lx\{x}, Eσ ⊲ x, Eσ ∪ {x} ⊲ tσ, C ′ β σ ≡ Cασ, (Eσ ⊲ yσ)y∈lx\{x}, Eσ ⊲ x, Eσ ⊲ tσ, Cβσ ≡ Cασ, (Eσ ⊲ yσ)y∈lx\{x}, Eσ ⊲ tσ, Cβσ where the first ≡ is by Lemma 9, and the second one by Lemma 10. Thus the resulting system is equivalent for solutions to one in which lx ⊆ V ar(l1, . . . , ln). We can then apply the same reasoning as above. � We may now conclude by applying the previous results and again König’s Lemma. Theorem 12 Let I0 = 〈F, L0, H〉 be a deduction system such that the saturation of L0 terminates , and the resulting deduction system is contracting. Then the I0-reachability problem is decidable. PROOF. It suffices to prove that the application of rules of Fig. 5.3 terminates. Assume there exists a modified I ′ -constraint system C and an infinite sequence of transformations starting from C. Let C1, . . . , Cn, . . . be the resulting sequence of modified constraint systems. By Lemma 50, at each step nbv(Ci) ≥ nbv(Ci+1) and if there is equality, then the substitution applied on Ci is the identity (does not instantiate the variables of C). Since we must have a positive number of variables, there is only a finite number of steps where the substitution is not the identity. Let Cn be the last obtained modified constraint system with nbv(Cn−1) > nbv(Cn). Since all subsequent transformation do not instantiate the variables of Cn and its successor, the sequence has only a finite number of different modified constraint systems. Since L ′ is finite, each modified constraint system has only a finite number of successors. Thus by König Lemma there is only a finite number of different modified constraint systems. � 5.6 Applications: some relevant equational theories We give here some examples of well-known equational theories where the saturation applied on the corresponding initial set of deduction rules terminates. 5.6.1 Dolev-Yao theory with explicit destructors The Dolev-Yao theory with explicit destructors is the classical Dolev-Yao model with explicit destructors such as decryption and projections. This theory is given by the following set of equations:
5.6. APPLICATIONS: SOME RELEVANT EQUATIONAL THEORIES 135 ⎧ ⎪⎨ HDV = ⎪⎩ dec s (enc s (x, y), y) = x, enc s (dec s (x, y), y) = x, dec p (enc p (x, P k(y)), Sk(y)) = x, enc p (dec p (x, Sk(y)), P k(y)) = x, π1(〈x, y〉) = x, π2(〈x, y〉) = y. By orienting equations of HDV from left to right, we obtain a rewrite system RDV generating HDV . We remark that RDV is convergent and HDV has finite variant property. The initial set of deduction rules is given by the following set of rules: ⎧ x, y → 〈x, y〉, x → π1(x), ⎪⎨ x → π2(x), L0 = x, y → enc ⎪⎩ p (x, y), x, y → decp (x, y), x, y → encs (x, y), x, y → decs (x, y). The saturation (modulo the simplification introduced after the lemma 10) outputs the following set of deduction rules: L ′ ⎧ 〈x, y〉 → x, 〈x, y〉 → y, ⎪⎨ dec = L0 ∪ ⎪⎩ p (x, Sk(y)), P k(y) → x, encp (x, P k(y)), Sk(y) → x, decs (x, y), y → x, encs (x, y), y → x, x, P k(y), Sk(y) → x. 5.6.2 Digital signature theory with duplicate signature key selection property The theory of digital signature with duplicate signature key selection property is defined in [66] ⎧ and is given by the following set of equations: ⎨ HDSKS = ⎩ ver(x, sig(x, Sk(y)), P k(y)) = 1, ver(x, sig(x, Sk ′ (y1, y2)), P k ′ (y1, y2)) = 1, sig(x, Sk ′ (P k(y), sig(x, Sk(y)))) = sig(x, Sk(y)). The equational theory HDSKS is generated by: ⎧ ⎪⎨ RDSKS = ⎪⎩ ver(x, sig(x, Sk(y)), P k(y)) → 1, ver(x, sig(x, Sk ′ (y1, y2)), P k ′ (y1, y2)) → 1, ver(x, sig(x, Sk(y)), P k ′ (P k(y), sig(x, Sk(y)))) → 1, sig(x, Sk ′ (P k(y), sig(x, Sk(y)))) → sig(x, Sk(y)). We remark that RDSKS is convergent and HDSKS has the finite variant property.
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97: 84 CHAPTER 4. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 190 and 191: 178 CHAPTER 7. VOTER VERIFIABILITY
Page 196 and 197:
184 CHAPTER 7. VOTER VERIFIABILITY
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?