Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

170 CHAPTER 6. ON THE GROUND ENTAILMENT PROBLEMS Lemma 64 If S is a finite and saturated set of clauses then for every ground atom C, C ↓S is finite. PROOF. Let C be a ground atom and let T be the tree constructed as follows: the root of T is labelled by the atom C, if n is a node in T labelled by the atom D, each atom D ′ verifying D → R g S D′ will be added as direct successor of the node labelled by D. We remark that the set of atoms labelling the nodes of T is equal to the set C ↓S. Let us prove the lemma by contradiction. Suppose that C ↓S is infinite, this implies that the tree T is infinite. As, by lemma 63, each node in T has a finite number of direct successors, we deduce, by König ′ s lemma, that there is an infinite chain of atoms C → g RS C1 → g R . . . in the tree S T which contradicts the non existence of infinite chain starting from a ground atom using the relation → g R (lemma 62). We conclude that T is finite and hence S the set C ↓S is finite also. � Let S be a set of saturated clauses, C be a ground clause, and assume that C is entailed from S. Let π be a proof of S |= C. We define a partial order ≻π over atoms in the proof π as follows: for each clause C ′ in S, for each ground instance C ′ σ of C ′ labelling a leave of the proof π, we have Bsσ ≫ Asσ if As , Bs are atoms in C ′ such that Bs≻aAs . We define ≻π to be the transitive closure of ≫. Lemma 65 Let S be a set of clauses, C be a ground clause and π be a ground proof of B. S |= C. If A, B are two atoms in the proof π and A ≻π B then A → ∗ R g S PROOF. Let M = {B ∈ µ(π) such that ∃A ∈ µ(π), A ≻π B and B �∈ A ↓S} and let us prove that M = ∅ by contradiction. Suppose that M �= ∅ and let B be a maximal atom in M for the ordering ≻π. B can not be maximal in µ(π) for ≻π otherwise there would exist no atom A ∈ µ(π) such that A ≻π B which would imply B �∈ M. Thus there exists an atom A ∈ µ(π) such that A ≻π B. Let MB = {A such that A ∈ µ(π) and A ≻π B}. The argument above proves that MB �= ∅. Case 1. Let A be a minimal atom in MB for the ordering ≻π. By minimality of A in MB and maximality of B in M there is no atom D ∈ µ(π) such that A ≻π D ≻π B. There is a ground clause Cσ instance of a clause C in S such that Cσ is labelling a leave in the proof π, and there are two atoms A, B in Cσ, and two atoms A s , B s in C such that A s σ = A, B s σ = B and A s ≻aB s . By definition of the relation R g S , we thus have A → R g S B. Case 2. If A is not minimal in MB for ≻π, there exists a minimal atom A ′ ∈ MB such that A ≻π A ′ ≻π B. By the maximality of B in M, A ′ �∈ M and thus
6.5. A DECIDABILITY RESULT 171 A → ∗ R g S A ′ and by minimality of A ′ in MB the first case implies A ′ → R g S B. By transitivity we thus have A → ∗ R g S Thus for every atom A ∈ MB we have A →∗ R g B, which contradicts the assump- S tion B is maximal in M, and therefore M = ∅. � Lemma 66 Let S be a set of clauses and C be a ground clause, C = A1, . . . , An → B. Let π be a ground proof of S |= C and let A be an atom in π maximal with respect to atoms of π for the ordering ≻π. There exists a clause C ′ ∈ S ∪ � n i=1 Ai ∪ ¬B and an atom A ′ ∈ µ(C ′ ) such that A ′ in maximal with respect to atoms of C ′ for the ordering ≻a and A ′ σ = A. PROOF. Let π be a ground proof of S |= C. By definition, leaves of π are labelled by ground instances of clauses in S, positive unit clauses ∅ → Ai for 1 ≤ i ≤ n and negative unit clause B → ∅. Let A ∈ µ(π) be such that A is maximal with respect to atoms of π for the ordering ≻π. As atoms in π are ground, we have either A ∈ {A1, . . . , An, B} or there is a ground instance C1 of a clause in S, such that A ∈ µ(C1). If A ∈ {A1, . . . , An, B} and as each atom in the set {A1, . . . , An, B} is a unit clause then we conclude the lemma directly. Now, suppose that A �∈ {A1, . . . , An, B}. Then there exists a ground instance of a clause in S, C1 such that A ∈ µ(C1). As C1 is a ground instance of a clause in S, let C s 1 be that clause in S and let A s be an atom in C s 1 such that A is a ground instance of A s . We have σ is the applied ground substition. Now, let us prove that A s is maximal with respect to atoms in C s 1 for the ordering ≻a. Let the set of atoms M = {D such that D is an atom in C s 1 and D is maximal in C s 1 for ≻a} and let us prove that A s ∈ M. By contradiction, suppose that A s �∈ M, then there is an atom E s ∈ M such that E s ≻aA s and then E s σ ≻π A s σ, by definition of the ordering ≻π. We have that E s σ ∈ C1 and then E s σ ≻π A s σ is an atom of the proof π and that contradicts the maximality of A = A s σ with respect to atoms of π for the ordering ≻π. We conclude that A s is maximal with respect to atoms of C s 1 for the ordering ≻a which concludes the proof. � Let π be a proof of S |= C where S is a set of clauses and C is a ground clause. By definition of (refutational) proof, we remark that every atom appearing in π appears in a clause labelling a leave of π. Lemma 67 Let S be a finite saturated set of clauses, C be a ground clause and Π be the non-empty set of refutational ground proofs of S |= C. Given π ∈ Π let: B. δS(π, C) = (µ(π) ↓S) \ (µ(C) ↓S) If π ∈ Π is such that δS(π, C) is minimal then δS(π, C) = ∅.
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67:
Page 68 and 69:
Page 70 and 71:
58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
112 CHAPTER 5. SATURATED DEDUCTION
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133: 120 CHAPTER 5. SATURATED DEDUCTION
Page 160 and 161: 148 CHAPTER 6. ON THE GROUND ENTAIL
Page 190 and 191: 178 CHAPTER 7. VOTER VERIFIABILITY
Page 210 and 211: 198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213: 200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215: 202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217: 204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219: 206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221: 208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223: 210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225: 212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227: 214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229: 216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?