Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

142 CHAPTER 5. SATURATED DEDUCTION SYSTEMS We recall that increasing rules are of form x1, . . . , xn → f(x1, . . . , xn) for a function symbol f ∈ F (Lemma 53). 5.8.1 Decidability result We recall that our goal is to solve I0-reachability problem. Algorithm. Let C 0 = ((E 0 i ⊢ v 0 i )i∈{1,...,n}, U 0 ). Step 1: Guess a variant I0-constraint system associated to C 0 . Let C = (E ′ 1 ⊲ t ′ 1, . . . , E ′ n ⊲ t ′ n) be the variant I0-constraint system associated to C 0 . C is constructed from C 0 as given in Definition 28 (Chapter 2). We remark that this step terminates and it is also correct (Lemma 44) and complete (Lemma 43). Unless otherwise specified, I ′ is the deduction system implicit in all notations in the rest of this section. We now introduce the notation ⊲inc to denote a deduction constraint that has to be solved using only increasing rules. We say a constraint E ⊲inc t is in solved form if t is a variable. The constraint system is in solved form if all the deduction constraints are in solved form. The application of a decreasing rule � l → r on a constraint E ⊲ t is defined as follows, and in accordance with the fact that I ′ is I0-strongly order local. • let σ be the mgu of the terms in � l \ X with a subset F of E \ X • if {x1, . . . , xk} = � l ∩ X , replace Cα, E ⊲ t, Cβ with: (Cα, E ⊲inc x1, . . . , E ⊲inc xk, E ∪ {r} ⊲ t, C ′ β)σ Where C ′ β is constructed from Cβ by adding r to each left-hand side. This last construction aims at preserving the inclusion of knowledge sets. Step 2. Iterate until the constraint system is in solved form or unsolvable: 1. Put all tagged deduction constraints E ⊲inc t in solved form; 2. If all constraints preceding an untagged E ⊲ t are in solved form, Apply non-deterministically |Sub(E) \ V ar(E)| decreasing rules on E. Replace E ⊲ t by the obtained deduction constraints, all tagged with inc. Let us prove the completeness and termination of Step 2.
5.8. DECIDABILITY OF REACHABILITY PROBLEMS FOR SUBTERM CONVERGENT THEORIES143 Completeness. The proof of the following lemma is trivial by the form of increasing rules. Lemma 54 If σ |= E ⊲inc f(t1, . . . , tn) then either f(t1, . . . , tn)σ ∈ Eσ or x1, . . . , xn → f(x1, . . . , xn) will be in L0 and for each i ∈ {1, . . . , n} we have σ |= E ⊲inc ti. The first part of the iteration consists either in transforming a deduction constraint E ⊲inc f(t1, . . . , tn) into E ⊲inc t1, . . . , E ⊲inc tn, or in unifying f(t1, . . . , tn) with e ∈ E. By Lemma 54, given a ground substitution σ such that σ |= E ⊲inc f(t1, . . . , tn) there exists a sequence of choices reducing E ⊲inc f(t1, . . . , tn) to a (possibly empty) set of deduction constraints Eτ ⊲incu1, . . . Eτ ⊲incuk where the u1, . . . , uk are variables or constants. If there is a constant which is not in Eτ the constraint is not satisfiable (by definition of increasing rules), and the sequence of choices fails. Let us now consider the second part of the iteration. Lemma 55 Assume σ |= E ⊲inc x with x the first variable in the sequence of deduction constraints such that t ∈ Sub(xσ) for some ground term t. Then either there exists u ∈ Sub(E) such that uσ = t or t ∈ Eσ L′ inc . PROOF. Let us assume there does not exist u ∈ Sub(E) such that uσ = t. By minimality of x and the determinacy of constraint systems we have t /∈ Sub(V ar(E)σ). Since Sub(Eσ) = Sub(E)σ ∪ Sub(V ar(E)σ) we have t /∈ Sub(Eσ) and, by hypothesis on x and t, t ∈ Sub(xσ). Since σ |= E ⊲inc x consider a derivation E1 = Eσ → . . . → En−1 ∪ xσ, and let i be minimal such that t ∈ Sub(Ei). The index i exists since t ∈ Sub(xσ), and is different from 1 since t /∈ Sub(Eσ). By definition of the increasing rules we then must have Ei = Ei−1, t. � Consider a I ′ -constraint system C = (Cα, E ⊲ t, Cβ) satisfied by a substitution σ and all deduction constraints in Cα are in solved form. By Lemma 53 and by the facts that I ′ is I0-strongly order local and r /∈ � l for all rules � l → r ∈ L ′ , all decreasing rules applied on Eσ yield a term in Sub(Eσ). Thus there are at most |Sub(E) \ V ar(E)| different terms that can be obtained by decreasing rule starting from Eσ and which are not in Sub(V ar(E)σ). Assume a term t is in Sub(V ar(E)σ) \ Sub(E)σ, and let x be the first variable (in the ordering of deduction constraints) such that t ∈ Sub(xσ). By definition of constraint systems there exists a deduction constraint Ex ⊲inc x in Cα. Since Ex ⊆ E, by Lemma 55, we have t ∈ Exσ L′ inc . Again, since Exσ ⊆ Eσ, this implies t ∈ Eσ L′ inc : the decreasing rule was not useful, and can be replaced by a sequence of derivation ending with an increasing rule. Thus in Eσ at most |Sub(E) \ V ar(E)| terms are deducible using decreasing rules that can not be deduced
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105: 92 CHAPTER 4. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 190 and 191: 178 CHAPTER 7. VOTER VERIFIABILITY
Page 204 and 205:
192 CHAPTER 7. VOTER VERIFIABILITY
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?