Logical Analysis and Verification of Cryptographic Protocols - Loria
6.3. FROM CRYPTOGRAPHIC PROTOCOLS TO LOGIC OF CLAUSES
if $\mathrm{var}(u) \neq \emptyset$ then $v$ is a constant;
if $\mathrm{var}(v) \neq \emptyset$ then $u$ is a ground term.
A clause in $C_S$ is well-behaved if the terms $u$, $v$ and $w_i$, for all $i$, are well-behaved. A clause not in $C_S$ is well-behaved if for any atom $I(w)$ in the clause, $w$ is well-behaved.
E. Zalinescu showed that if $I$, $P$, $S$ are finite sets of clauses included respectively in the classes $C_I$, $C_P$ and $C_S$, and if $I \cup S$ is saturated by a variant of ordered resolution with respect to a monotone atom ordering and $P \cup S$ is well-behaved, then the satisfiability of $I \cup P \cup S$ is decidable.
6.3.3 Delaune, Lin and Lynch work
In [180], S. Delaune, H. Lin and Ch. Lynch introduced flexible and rigid clauses. A rigid clause is a clause where variables are only allowed to have one instantiation, and a flexible clause is a clause where variables are allowed as many instantiations as desired. S. Delaune, H. Lin and Ch. Lynch assume a finite set of unary predicate symbols $P$, and a well-founded and total ordering $>$ over $P$. Furthermore, they considered an embedding ordering � over terms, which is then extended to an atom ordering. They defined intruder clauses as defined in [84], that is with a unique function symbol, and then they extended this definition. To this end, they introduced a special flexible Horn clause of the form
$$I_0(f_0(g(x_1, \ldots, x_p), y_2, \ldots, y_q)),\ I_1(x_{i_1}), \ldots, I_m(x_{i_m}) \rightarrow I_{m+1}(f_0(x_{i_0}, y_2, \ldots, y_q))$$
where $f_0 \neq g$, $x_{i_j} \in \{x_1, \ldots, x_p\}$ for every $j \in \{0, \ldots, m\}$, and $I_j \in P$ for all $j$.
They defined a protocol clause to be a rigid Horn clause of the form
$$I_1(u_1), \ldots, I_n(u_n) \rightarrow I_0(u_0)$$
where $\mathrm{var}(u_0) \subseteq \mathrm{var}(\{u_1, \ldots, u_n\})$, and $I_0 \geq I_i$ for all $i$. Note also that intruder knowledge and the secrecy goal, represented as before, are considered as protocol clauses.
They defined intruder theory as follows. Let $C_I$ be a finite set of intruder clauses and $C_S$ a special clause such that $C_I \cup C_S$ is saturated by ordered resolution and the unique predicate symbol in $C_I \cup C_S$ is $I$. The intruder theory $I_{C_I \cup C_S}$ is the set of clauses which contains $I_1(u_1), \ldots, I_n(u_n) \rightarrow I_0(u_0)$ if and only if
$I_0, \ldots, I_n \in P$ and $I_0 \geq I_i$ for all $i$, and
$I(u_1), \ldots, I(u_n) \rightarrow I(u_0) \in C_I \cup \{C_S, I(x) \rightarrow I(x)\}$.
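The intruder-theory definition above, worked through on a small instance as an added example (this is not code from the thesis or from [180]). The two predicates `Ia` < `Ib`, the pairing and projection clauses and the special-clause instance are all constructed for illustration; the code enumerates the theory and also checks membership directly from the two conditions.

```python
from itertools import product

# Constructed example data (not from the thesis): two predicates with Ib > Ia.
PREDICATES = ["Ia", "Ib"]

# Single-predicate clauses, written as (premise terms, conclusion term);
# every atom implicitly carries the predicate I. All terms are constructed.
C_I = [(("x", "y"), "pair(x,y)"),       # I(x), I(y) -> I(pair(x,y))
       (("pair(x,y)",), "x")]           # I(pair(x,y)) -> I(x)
# Instance of the special clause shape with f0 = f, p = q = 2, m = 1.
C_S = (("f(g(x1,x2),y2)", "x2"), "f(x1,y2)")
IDENTITY = (("x",), "x")                # I(x) -> I(x)


def intruder_theory(c_i, c_s, predicates):
    """Enumerate every relabelling I1(u1),...,In(un) -> I0(u0) with I0 >= Ii."""
    rank = {p: k for k, p in enumerate(predicates)}   # list order = ordering
    theory = set()
    for premises, conclusion in [*c_i, c_s, IDENTITY]:
        for head in predicates:
            allowed = [p for p in predicates if rank[p] <= rank[head]]
            for labels in product(allowed, repeat=len(premises)):
                theory.add((tuple(zip(labels, premises)), (head, conclusion)))
    return theory


def in_theory(clause, c_i, c_s, predicates):
    """Membership test that follows the two 'if and only if' conditions."""
    body, (head, conclusion) = clause
    rank = {p: k for k, p in enumerate(predicates)}
    labels = [p for p, _ in body]
    if head not in rank or any(p not in rank for p in labels):
        return False                                   # some Ii not in P
    if any(rank[head] < rank[p] for p in labels):
        return False                                   # violates I0 >= Ii
    erased = (tuple(t for _, t in body), conclusion)   # replace every Ii by I
    return erased in [*c_i, c_s, IDENTITY]


def show(clause):
    body, (head, conclusion) = clause
    return ", ".join(f"{p}({t})" for p, t in body) + f" -> {head}({conclusion})"


if __name__ == "__main__":
    for line in sorted(show(c) for c in intruder_theory(C_I, C_S, PREDICATES)):
        print(line)
```

With two predicates, a clause with n premises yields 1 + 2^n labelled clauses, so the four base clauses here give 16 in total.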
S. Delaune, H. Lin and Ch. Lynch reduced the insecurity problem to a satisfiability problem defined as follows. The insecurity problem takes as input a finite set $C_P$ of protocol clauses, a finite set $C_I$ of intruder clauses and a special