Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

24 CHAPTER 2. PROTOCOL ANALYSIS USING CONSTRAINT SOLVING a normal form, this normal form is unique. A rewriting system is said to be convergent if it is confluent and terminating. If R is convergent, each term has a normal form which is unique, and for any terms s, t we have s ↔∗ R t if and only if s ↓= t ↓ [21]. A rewrite system R is said to be ground confluent if for any ground terms t, u, v such that t→∗ Ru, t→∗R v, there exists a ground term w verifying u→∗R w and v→∗ Rw. A rewrite system R is said to be ground convergent if it is ground confluent and terminating. If R is ground convergent, each ground term has a normal form which is unique. A substitution σ is said to be in normal form if for all x ∈ Supp(σ), the term xσ is in normal form. 2.1.6 The completion procedures Given an equational theory H, and a rewrite system R, we say that H is generated by R if R and H are equivalent, that is for any terms s and t, we have s =H t if and only if s ↔∗ R t [21]. In this section, we present techniques to construct a convergent rewrite system or a ground convergent rewrite system generating a given equational theory. Given an equational theory H, many procedures aiming to construct a convergent (or a ground convergent) rewrite system R equivalent to H have been given in the literature, for example [131, 23, 120]. In this section, we make use of the notions of two terms are ∅-unifiable and a most general ∅-unifier of two terms. Let u, v be two terms, a ∅-unifier (or unifier in the ∅-theory) of u and v is a substitution σ such that uσ = vσ. We say that u and v are unifiable in the ∅-theory (or syntactically unifiable, or ∅-unifiable) if they have a ∅-unifier. We say that a substitution σ is more general modulo ∅ than a substitution σ ′ , and we write σ � σ ′ , if there exists a substitution θ such that σ ′ = σθ. Given two terms u and v, it is well-known that if u and v are ∅-unifiable then there exists a unique most general ∅-unifier θ, denoted by mgu(u, v), such that for every unifier σ of u, v, there exists a substitution σ ′ verifying σ = θσ ′ [22]. The notions of ∅-unifier, ∅-unifiable, most general ∅-unifier are generalised to an arbitrary theory in Section 2.1.7. Given a pair of rewrite rules l → r and g → d, and an integer p ∈ P os(l) such that l|p �∈ X , l|p and g are ∅-unifiable with σ is their most general ∅-unifier, the pair 〈l[d]p)σ, rσ〉 is a critical pair of the rules l → r and g → d. The rules l → r and g → d do not need to be different in order to compute their critical pairs, furthermore, we assume that the rules l → r and g → d do not share variables, and to this end, we rename their variables before computing their critical pairs. Given a rewrite system R, we denote by CP (R) the set of all critical pairs obtained from the rules of R.
2.1. PRELIMINARIES 25 Figure 2.1 Knuth-Bendix completion procedure Input: An equational theory H and a reduction order > over T (F, X ). Output: A finite convergent rewrite system R that is equivalent to H, if the procedure terminates successfully; or “fail”, if the procedure terminates unsuccessfully. Initialisation: If there exists an equation l · = r ∈ H such that l �= r, l ≯ r and r ≯ l then terminates with output fail � otherwise, i = 0 and R0 = l → r such that l · = r ∈ H and � l > r repeat Ri+1 = Ri; for all 〈l, r〉 ∈ CP (Ri) do 1. reduce l, r to some Ri-normal form l ↓, r ↓; 2. if l ↓�= r ↓ and neither l ↓> r ↓ nor r ↓> l ↓, then terminate with output fail; 3. if l ↓> r ↓, then Ri+1 = Ri ∪ {l ↓→ r ↓}; 4. if r ↓> l ↓, then Ri+1 = Ri ∪ {r ↓→ l ↓}; od i=i+1; until Ri = Ri−1; output Ri; Knuth-Bendix completion procedure The Knuth-Bendix completion procedures [131] (also called basic completion procedure), which is described in Figure 2.1, starts with an equational theory H and tries to find a convergent rewrite system R that is equivalent to H. We assume that the order > used in the procedure is a reduction order and it is given as an input of the procedure. We recall that a reduction order > is any order which is stable, well-founded, and monotone (see Section 2.1.5). The Knuth-Bendix procedure removes automatically all trivial equations (re- · spectively trivial critical pairs) of the form l = l (respectively 〈l, l〉 or 〈l, r〉 with l ↓= r ↓). Thus, the basic completion procedure may show three different types of behaviour, depending on the particular input H and >:
Page 1: Logical Analysis and Verification o
Page 5: Abstract This thesis is developed i
Page 8 and 9: viii
Page 10 and 11: x CONTENTS 2.1.7 Unification . . .
Page 12 and 13: xii CONTENTS 5.8 Decidability of re
Page 14 and 15: 2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17: 4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19: 6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21: 8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23: 10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25: 12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27: 14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29: 16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31: 18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33: 20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 86 and 87:
74 CHAPTER 3. PROTOCOLS WITH VULNER
Page 88 and 89:
Page 90 and 91:
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
112 CHAPTER 5. SATURATED DEDUCTION
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?