Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

28 CHAPTER 2. PROTOCOL ANALYSIS USING CONSTRAINT SOLVING Figure 2.3 Unfailing Knuth-Bendix procedure Input: An equational theory H and a complete simplification ordering > over T (F, X ). Initialisation: For each equation l · = r ∈ H, orient this equation into rule if possible repeat - Find an extended critical pair 〈l, r〉 - Reduce it using the existing equations as much as possible. - If the resulting pair is not trivial, orient it into a rule if possible. until no more new extended critical pair is generated. Output: the system constructed from the set of rules and equations obtained at the end of the procedure. then the pair 〈dσ, g[p ← r]σ〉 is an extended critical pair of the equations l = r and g · · = d. The equations l = r and g · = d do not need to be different in order to compute their extended critical pairs, furthermore, we assume that the equations l · = r and g · = d do not share variables, and to this end, we rename their variables before computing their extended critical pairs. · We remark that if the equations l = r and g · = d are orientable, then (2) and (3) become (2 ′ ) lσ > rσ and (3 ′ ) gσ > dσ, and the procedure to construct an extended critical pair become equivalent to the procedure to construct a critical pair. · Given a term s, s is said to be reducible by an equation l = r if there is a position p ∈ P os(s), and a substitution σ such that (i) s|p = lσ, and (ii) lσ > rσ. In this case, we say that s is reducible to s[p ← rσ] using the equation l · = r. Given an equational theory H and a complete simplification ordering >, in [120], the authors showed that if the procedure terminates and the obtained system does not contain unorientable equations then the obtained system is a convergent rewrite system equivalent to H. They showed also that if the procedure terminates and the obtained system contains unorientable equations then the obtained system is a ground convergent rewrite system equivalent to H. In the remainder of this chapter, we assume F to be a signature, H to be an equational theory on T (F, X ), and R to be a convergent rewrite system generating H. ·
2.1. PRELIMINARIES 29 2.1.7 Unification The unification is the process of solving the following problem: given an equational theory H, two terms s and t, find a substitution σ such that sσ =H tσ. The syntactic unification or standard unification is a special case of the unification where H = ∅. Definition 2 (Unification systems) Let H be an equational theory on T (F, X ). A H- unification system U is a finite set of pairs of terms in T (F, X ) denoted by U = {u1 v1, . . . , un ? =H ? =H vn}. It is satisfied by a substitution σ, and we note σ |=H U, if for all i ∈ {1, . . . , n} we have uiσ =H viσ. In this case we call σ a H-solution or a H-unifier of U. We say that U is H-unifiable if it has a H-solution. When H is generated by a convergent rewrite system R, the confluence of R implies that if σ is a solution of a H-unification system, then (σ)↓ is also a solution of the same unification system. Actually, if σ is a H-unifier of the terms s, t then uσ =H vσ, which implies that (uσ)↓ = (uσ)↓. Since (uσ)↓ = (u(σ)↓)↓, we deduce that if σ is a H-unifier of s, t then (σ)↓ is also a H-unifier of s, t. Accordingly we will consider only solutions in normal form of unification systems when the equation theory H is generated by a convergent rewrite system. Definition 3 (H-Unifiability Problem) Given an equational theory H, the Hunifiability problem is defined as follows: Input: A H-unification system U. Output: SAT if and only if there exists a substitution σ such that σ |=H U. Definition 4 A substitution σ is more general modulo H than a substitution σ ′ , and we write σ �H σ ′ , if there exists a substitution τ such that στ =H σ ′ . When H = ∅, the relation �H is denoted �. The relations �H and � are quasi-order relations [21]. Definition 5 (Complete set of unifiers) A complete set of H-unifiers of a Hunification system U is a set Σ of H-solutions of U such that, for any H-solution τ of U, there exists a substitution σ ∈ Σ such that σ �H τ. Definition 6 (minimal complete set of unifiers) A minimal complete set of Hunifiers of a H-unification system U is a complete set Σm of H-unifiers of U that satisfies the condition for all substitutions σ, σ ′ ∈ Σm, σ �H σ ′ implies σ = σ ′ .
Page 1: Logical Analysis and Verification o
Page 5: Abstract This thesis is developed i
Page 8 and 9: viii
Page 10 and 11: x CONTENTS 2.1.7 Unification . . .
Page 12 and 13: xii CONTENTS 5.8 Decidability of re
Page 14 and 15: 2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17: 4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19: 6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21: 8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23: 10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25: 12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27: 14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29: 16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31: 18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33: 20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 90 and 91:
78 CHAPTER 3. PROTOCOLS WITH VULNER
Page 92 and 93:
Page 94 and 95:
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
112 CHAPTER 5. SATURATED DEDUCTION
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?