Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
1.5. CONTRIBUTIONS AND PLAN OF THIS THESIS 17<br />
us to reduce the general reachability problem to the ground reachability problem.<br />
This criterion is a generalisation <strong>of</strong> the one employed for the specific cases<br />
in Chapter 4, <strong>and</strong> we give an example showing that such additional criterion<br />
is needed, that is the decidability <strong>of</strong> the ground reachability problem without<br />
this criterion does not imply the decidability <strong>of</strong> the general reachability problem.<br />
Another contribution <strong>of</strong> this chapter is a decidability result <strong>of</strong> the ground<br />
reachability problem for the theory <strong>of</strong> blind signature [136], <strong>and</strong> a decidability<br />
result <strong>of</strong> the general reachability problem for a class <strong>of</strong> subterm convergent<br />
equational theories. Other decidability results have been obtained for the theory<br />
<strong>of</strong> blind signature in [9, 91] but they are different from our. Similarly, a more<br />
general decidability result for the subterm convergent theory was given in [31],<br />
but our pro<strong>of</strong>s are simpler <strong>and</strong> can be easily generalised to other classes.<br />
1.5.2 Chapter 6: Decidability result for the ground entailment problem in<br />
the first order logic<br />
Deduction systems representing the intruder’s deductive capabilities can be<br />
viewed as sets <strong>of</strong> Horn clauses with one unary predicate. We generalise in<br />
Chapter 6 the saturation procedure employed in Chapter 5 in order to study<br />
the ground entailment problem for a new set <strong>of</strong> first order clauses. It is wellknown<br />
that the satisfiability <strong>and</strong> the ground entailment problem are undecidable<br />
for both clauses <strong>and</strong> Horn clauses sets, but several decidability results have<br />
been obtained for several fragments <strong>of</strong> first order logic [150, 28, 84, 180, 205].<br />
In this chapter, we introduce a new fragment <strong>of</strong> first order logic <strong>and</strong> we<br />
prove the decidability <strong>of</strong> its ground entailment problem. This decidability result<br />
relies on the use <strong>of</strong> the selected resolution (widely studied in the literature<br />
[134, 133, 137, 146, 164]) <strong>and</strong> on the use <strong>of</strong> an atom ordering compatible with a<br />
complete simplification term ordering. We remark that when the complete term<br />
ordering is arbitrary, a saturated set <strong>of</strong> clauses does not necessarily have a decidable<br />
ground entailment problem. We also show how to use this result in<br />
order to decide the insecurity problem for cryptographic protocols in the case<br />
<strong>of</strong> bounded number <strong>of</strong> sessions.<br />
While in this chapter the application <strong>of</strong> Horn clauses on security protocols<br />
is limited to the search <strong>of</strong> attacks, the analysis <strong>of</strong> cryptographic protocols using<br />
Horn clauses may go beyond that: actually one can use Horn clauses to prove<br />
the correctness <strong>of</strong> such protocols, <strong>and</strong> that by including the clauses describing<br />
the protocol in the saturation process.