Logical Analysis and Verification of Cryptographic Protocols - Loria
CHAPTER 2. PROTOCOL ANALYSIS USING CONSTRAINT SOLVING
a normal form, this normal form is unique. A rewriting system is said to be
convergent if it is confluent and terminating. If R is convergent, each term has a
normal form which is unique, and for any terms s, t we have s ↔*_R t if and only
if s↓ = t↓ [21].
A rewrite system R is said to be ground confluent if for any ground terms
t, u, v such that t →*_R u and t →*_R v, there exists a ground term w verifying u →*_R w and
v →*_R w. A rewrite system R is said to be ground convergent if it is ground confluent
and terminating. If R is ground convergent, each ground term has a normal
form which is unique.
A substitution σ is said to be in normal form if for all x ∈ Supp(σ), the term
xσ is in normal form.
2.1.6 The completion procedures<br />
Given an equational theory H and a rewrite system R, we say that H is generated
by R if R and H are equivalent, that is, for any terms s and t, we have
s =_H t if and only if s ↔*_R t [21].
In this section, we present techniques to construct a convergent rewrite system
or a ground convergent rewrite system generating a given equational theory.
Given an equational theory H, many procedures aiming to construct a
convergent (or a ground convergent) rewrite system R equivalent to H have
been given in the literature, for example [131, 23, 120]. In this section, we make
use of the notions of ∅-unifiability of two terms and of a most general ∅-unifier of two
terms. Let u, v be two terms. A ∅-unifier (or unifier in the ∅-theory) of u and v is
a substitution σ such that uσ = vσ. We say that u and v are unifiable in the
∅-theory (or syntactically unifiable, or ∅-unifiable) if they have a ∅-unifier. We say
that a substitution σ is more general modulo ∅ than a substitution σ′, and we write
σ ≤ σ′, if there exists a substitution θ such that σ′ = σθ. Given two terms u
and v, it is well known that if u and v are ∅-unifiable then there exists a unique
most general ∅-unifier θ, denoted by mgu(u, v), such that for every unifier σ of
u, v, there exists a substitution σ′ verifying σ = θσ′ [22]. The notions of ∅-unifier,
∅-unifiable and most general ∅-unifier are generalised to an arbitrary theory in Section
2.1.7.
Given a pair of rewrite rules l → r and g → d, and an integer p ∈ Pos(l) such
that l|p ∉ X and l|p and g are ∅-unifiable with σ their most general ∅-unifier, the
pair ⟨(l[d]_p)σ, rσ⟩ is a critical pair of the rules l → r and g → d. The rules l → r
and g → d do not need to be different in order to compute their critical pairs.
Furthermore, we assume that the rules l → r and g → d do not share variables,
and to this end, we rename their variables before computing their critical pairs.
Given a rewrite system R, we denote by CP(R) the set of all critical pairs
obtained from the rules of R.
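As an added illustration (not code from the thesis), the Python sketch below computes mgu(u, v) by syntactic unification and enumerates CP(R) following the definition above. The term encoding, the helper names and the two sample rewrite systems are assumptions made for this example.

```python
# Terms: a variable is a str; f(t1, ..., tn) is the tuple ("f", t1, ..., tn).
def is_var(t):
    return isinstance(t, str)

def subst(t, s):  # apply substitution s (dict: variable -> term), following bindings
    if is_var(t):
        return subst(s[t], s) if t in s else t
    return (t[0],) + tuple(subst(a, s) for a in t[1:])

def occurs(x, t):
    return t == x if is_var(t) else any(occurs(x, a) for a in t[1:])

def mgu(u, v, s=None):  # most general ∅-unifier of u and v extending s, or None
    s = {} if s is None else s
    u, v = subst(u, s), subst(v, s)
    if u == v:
        return s
    for x, t in ((u, v), (v, u)):
        if is_var(x):  # bind x unless it occurs in t (x and f(x) do not unify)
            return None if occurs(x, t) else {**s, x: t}
    if u[0] != v[0] or len(u) != len(v):
        return None
    for a, b in zip(u[1:], v[1:]):
        s = mgu(a, b, s)
        if s is None:
            return None
    return s

def positions(t, p=()):  # yield (p, t|p) for every non-variable position p of t
    if not is_var(t):
        yield p, t
        for i, a in enumerate(t[1:], 1):
            yield from positions(a, p + (i,))

def replace(t, p, d):  # t[d]_p: t with the subterm at position p replaced by d
    return d if not p else t[:p[0]] + (replace(t[p[0]], p[1:], d),) + t[p[0] + 1:]

def rename(t):  # prime every variable so that the two rules share none
    return t + "'" if is_var(t) else (t[0],) + tuple(map(rename, t[1:]))

def critical_pairs(R):
    """CP(R): pairs ((l[d]_p)σ, rσ) for l -> r, renamed g -> d, σ = mgu(l|p, g)."""
    return [(subst(replace(l, p, d), s), subst(r, s))
            for l, r in R for g, d in [(rename(a), rename(b)) for a, b in R]
            for p, lp in positions(l) for s in [mgu(lp, g)] if s is not None]

# Constructed sample systems (not from the thesis):
R_FG = [(("f", ("f", "x")), ("g", "x"))]
R_CRYPTO = [(("dec", ("enc", "x", "k"), "k"), "x"),
            (("enc", ("dec", "x", "k"), "k"), "x")]
```

For R_FG the overlap at position 1 yields the non-trivial pair ⟨f(g(x')), g(f(x'))⟩, while every critical pair of R_CRYPTO has two identical components.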