Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

140 CHAPTER 5. SATURATED DEDUCTION SYSTEMS plication of Bl(x, y), y → x then the application of x, y → sig(x, y). Let d ′ be the obtained derivation, d ′ : E → . . . → Ei →Bl(x,y),y→x Ei, xσ →x,y→sig(x,y) Ei, xσ, sig(x, Sk(z))σ → . . . → En−1, t. By above and since xσ /∈ Ei we have either Bl(x, y)σ ∈ E or Bl(x, y)σ is obtained by a former decreasing rule. If xσ ∈ Ei then the rule applied at step i in d can be replaced by the application of x, y → sig(x, y). Let d ′′ be the obtained derivation, d ′′ : E → . . . → Ei →x,y→sig(x,y) Ei, sig(x, Sk(z))σ → . . . → En−1, t. This implies that each bad application of the rule sig(Bl(x, y), Sk(z)), y → sig(x, Sk(z)) can be replaced by one (or two) well-applied rules. We deduce that if the derivation D is not well-formed there is another well-formed derivation D ′′ starting from E of goal t such that Cons(D) ⊆ Cons(D ′′ ). � We recall that I0 = 〈FBS, TI0, HBS〉 and I ′ = 〈FBS, LI ′, ∅〉. We recall also that HBS has the finite variant property. The construction of I ′ and Lemma 52 implies that the conditions V ariant, SOL1 and SOL2 from Definition 52 are satisfied, and hence we conclude that I ′ is I0-strongly order local. In order to solve I0-ground reachability problems, we apply the algorithm defined in section 5.4. Since L ′ I is finite and I′ is I0-strongly order local, by lemmas (43, 44, 46, 47 and 48) we deduce the following theorem: Theorem 13 The I0-ground reachability problem is decidable. 5.8 Decidability of reachability problems for subterm convergent theories In this section, we give a decidability result for the reachability problems for a class of subterm convergent equational theories. We recall that subterm convergent equational theories have finite variant property [86]. The result of this section is entailed by a more general result by Baudet [31], but the proof here in this specific case is much shorter. We recall that F is a set of functions symbols and we denote by H a subterm convergent equational theory and by I0 = 〈F, L0, H〉 the initial deduction system such that L0 is the union of functions x1, . . . , xn → f(x1, . . . , xn) for some function symbols f ∈ F. Definition 54 (Subterm convergent theories.) An equational theory H is subterm convergent if it is generated by a convergent rewriting system R and for each rule l → r ∈ R, r is a strict subterm of l. In the rest of this section, we give an algorithm to decide the following reachability problem, “I0-Reachability Problem”: Input: An I0-constraint system C.
5.8. DECIDABILITY OF REACHABILITY PROBLEMS FOR SUBTERM CONVERGENT THEORIES141 Output: SAT if and only if there exists a substitution σ such that σ |=I0 C. We let I ′ = 〈F, L ′ , ∅〉 to be the saturated deduction system, we recall that I ′ is I0-strongly order local. We suppose that r /∈ � l for all rules � l → r ∈ L ′ that is rules not satisfying this property will be deleted. In the following lemma we prove that, in the case of subterm convergent equational theories and under our assumption on the form of initial deduction rules L0, Saturation terminates and the obtained new rules are decreasing. Lemma 53 The saturation of L0 terminates and for every rule � l → r ∈ L ′ \ L0 there exists a term s ∈ � l such that r is a strict subterm of s. PROOF. Let � l → r ∈ L ′ \ L0 and let us prove that this rule satisfies the following property: there is a term s ∈ � l such that r ∈ SSub(s). By induction on the number of saturations needed to obtain a rule � l → r. Let us first prove this property is true for rules obtained by the step 1 of the saturation. By definition of H, by the fact that variants of term are in normal form and given the assumption that all original rules are x1, . . . , xn → f(x1, . . . , xn), this implies: (f(x1, . . . , xn)θ)↓ ∈ SSub(f(x1, . . . , xn)θ) Thus, there exists i such that: (f(x1, . . . , xn)θ)↓ ∈ Sub(xiθ) If there is equality, the rule is removed (since r /∈ �l for all rules �l → r). This implies that all rules obtained from step 1 of saturation satisfies the property. Since L0 is finite and since subterm convergent equational theories have finite variant property [86], first step of saturation terminates. Since u ∈ SSub(v) implies u ≺ v, rules obtained by step 1 are decreasing. Let L be the set of rules obtained by step 1 and let us prove that rules obtained by closure satisfy the property. Let us prove it for the first rule obtained by closure. By definition of closure rule and since rules in L \ L0 are decreasing, the first closure will be applied on rules x1 . . . , xn → f(x1, . . . , xn) ∈ L0 and f(s1, . . . , sn), �l → r ∈ L \ L0. Again by definition of closure, the obtained rule is s1, . . . , sn, � � l → r. By definition of decreasing rule, there is a term u ∈ f(s1, . . . , sn), � � l such that r ∈ SSub(u), if u = � l then the new rule satisfies the property and if u = f(s1, . . . , sn) then there is an integer i such that r ∈ Subsi. If r ∈ SSubsi the obtained rule satisfies the property else the rule can not be in L ′ (since rules l → r with r ∈ l are deleted). We conclude that the first rule obtained by closure is decreasing and if we apply again closure, it will be applied on a rule in L0 and a rule not in L0. We conclude that rules obtained by step 2 satisfy the property and are decreasing . We conclude also that step 2 terminates. �
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103: 90 CHAPTER 4. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 190 and 191: 178 CHAPTER 7. VOTER VERIFIABILITY
Page 202 and 203:
190 CHAPTER 7. VOTER VERIFIABILITY
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?