Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

34 CHAPTER 2. PROTOCOL ANALYSIS USING CONSTRAINT SOLVING Definition 13 (Basic narrowing) A narrowing derivation started from a term t t = t0�Rt1�R . . . �Rtn is said to be a basic narrowing derivation if and only if it is based on NV.P os(t). From now on, we denote by �R the narrowing relation induced by R, and by �b R the basic narrowing relation induced by R. J.M. Hullot [123] studied the correspondence between narrowing and rewriting, and obtained many results in that field. We present below some of these results: Theorem 1 (J.M. Hullot results) Let H be an equational theory on T (F, X ) generated by the convergent rewrite system R. 1. Let t be an arbitrary term, and let σ be a substitution in normal form. Consider any →R-derivation issuing from tσ: tσ = t ′ 0 →R t ′ 1 →R . . . →R t ′ n, there exists an associated R-basic narrowing derivation issuing from t: t = t0 � b R t1 � b R . . . �b R tn, and there exists a substitution µ in normal form such that tnµ = t ′ n, and σ = θ0θ1 . . . θn−1µ with θi is the substitution used with the rule li → ri ∈ R in the step ti � b R ti+1. 2. Let s and t be two terms, M be g(s, t) where g is a new function symbol (g �∈ F). Let Σ be the set of all substitutions σ such that σ ∈ Σ if and only if there exists a R-basic narrowing derivation M = g(s, t) = M0 � b R M1 = g(s1, t1) � b R . . . �b R Mn = g(sn, tn), such that sn and tn are unifiable modulo ∅ theory, θ is a substitution in normal form, and σ = µθ where µ is the most general unifier of sn and tn. Then Σ is a complete set of H-unifiers of s and t. 3. If R is a convergent rewrite system such that for every rule l → r ∈ R, every R-basic narrowing derivation starting from r terminates, then any R-narrowing derivation starting from any term terminates. 4. If the convergent rewrite system R satisfies the hypothesis given in the above point (point (3)) then the construction given in the second point (point (2)) leads to a sound, complete and finite H-unification algorithm.
2.1. PRELIMINARIES 35 Remark. It is easy to see that the first point (point (1)) of Theorem 1 implies that: for any term t and for any substitution σ in normal form, there exists a term t ′ and a substitution σ ′ ∗ in normal form such that t �b R t′ and t ′ σ ′ = (tσ)↓. Lemma 4 Let H be an equational theory generated by a convergent rewrite system R such that the right hand side of every rule in R is not R-narrowable. Let t be a term and D be a R-basic narrowing derivation starting from t. Then, the length of D in bounded by �t�dag. PROOF. Let t be a term and D be a R-basic narrowing derivation starting from t, D : t = t0 � b R t1 � b R . . . �b R tn R is convergent and any basic narrowing derivation starting from the right members of the rules of R terminates (in fact, all right members of the rules of R are not R-basic narrowable), then every R-narrowing derivation starting from any term terminates (Theorem 1), and hence D terminates. We prove next that �D� ≤ �t�dag. Let Qi be the number of distinct subterms of ti where we can apply the basic narrowing. We note that if the basic narrowing can be applied on a term s at a position p and if there exists another subterm of s at position q such that t|p = t|q, we apply the basic narrowing at the positions p and q at the same time. Since all right members of R rules are not narrowable, and by definition of narrowing (Definition 11), we deduce that Qi+1 < Qi, and hence, �D� ≤ Q0. By definition, we have Q0 ≤ �t�dag, which implies that �D� ≤ �t�dag, and hence the length of any R-basic narrowing derivation starting from any term t is bounded by �t�dag. � Lemma 5 Let H be an equational theory generated by a convergent rewrite system R such that the right hand side of every rule in R is not R-narrowable. For any term t, and for any variant substitution θ of t, we can guess in NP time another variant substitution θ ′ of t such that θ ′ is more general modulo H than θ. PROOF. Let H be an equational theory generated by a convergent rewrite system R such that the right hand side of every rule in R is not R-narrowable. This implies that every R-narrowing derivation starting from any term terminates 1, and hence H has the finite variant property [86]. Let t be a term, the finite variant property implies that we can construct a finite set of variant substitutions Σ(t) = {σ1, . . . , σn} of t. We remark, by definition of finite variant property (Definition 46), that substitutions in Σ(t) are in normal form. Let σ ∈ Σ(t), and let the derivation tσ = t ′ 0 →R t ′ 1 →R . . . →R t ′ n such that t ′ n is in normal form. Theorem 1 implies that there exists a R-basic narrowing
Page 1: Logical Analysis and Verification o
Page 5: Abstract This thesis is developed i
Page 8 and 9: viii
Page 10 and 11: x CONTENTS 2.1.7 Unification . . .
Page 12 and 13: xii CONTENTS 5.8 Decidability of re
Page 14 and 15: 2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17: 4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19: 6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21: 8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23: 10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25: 12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27: 14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29: 16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31: 18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33: 20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 96 and 97:
84 CHAPTER 4. PROTOCOLS WITH VULNER
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
Page 104 and 105:
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
112 CHAPTER 5. SATURATED DEDUCTION
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?