Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

44 CHAPTER 2. PROTOCOL ANALYSIS USING CONSTRAINT SOLVING Definition 21 (I-ground Constraint systems) Let I be an intruder system. � An I-ground constraint system C is denoted (E1 � ⊢ v1, . . . , En ⊢ vn, ) and is defined by a finite set of expressions Ei ⊢ vi, and v1 expressions vi ? ? =H t1, . . . , vn =H tn ? =H ti with: • Ei ∪ {ti} ⊆ T (F), vi ∈ X for i ∈ {1, . . . , n}, and • Ei ⊆ Ei+1 for i ∈ {1, . . . , n − 1}. 2.1.13 Modified I-constraint systems We introduce now a modified I-constraint systems. Definition 22 (modified I-Constraint systems) Let I be an intruder deduction system. A modified I-constraint system C is denoted (E1 ⊲ t1, . . . , En ⊲ tn) and is defined as follows: • ti ∈ T (F, X ) for i ∈ {1, . . . , n}, • E1 ⊆ T (F), and Ei ⊆ T (F, X ) for i ∈ {2, . . . , n}, • Ei ⊆ Ei+1 for i ∈ {1, . . . , n − 1}, • V ar(Ei) ⊆ V ar({t1, . . . , ti−1}) for i ∈ {2, . . . , n}. A modified I-Constraint system C is satisfied by a substitution σ, and we write σ |=I C, if for all i ∈ {1, . . . , n} we have tiσ ∈ Eiσ I and Eiσ, tiσ are in normal form . We remark that our definition of modified I-constraint system is different than the definition of I-constraint system introduced in [156] and showed in Section 2.1.12: while in [156] the authors considered each substitution σ with tσ ∈ Eσ I is a solution of E � t, we consider the fact that tσ ∈ Eσ I is not sufficient to have σ solution of E ⊲ t and we add the condition that Eσ and tσ must be in normal form. Let us consider again the example given in Section 2.1.12, that is C = ({a, b}� f(x, y), {a, b, x} � b), and the equational theory is H = {f(x, x) = a}. Following [156], the substitution σ = {x ↦→ y} is a solution of C, and we showed how its application is problematic. Definition 22 implies that σ is not a solution of C = ({a, b} ⊲ f(x, y), {a, b, x} ⊲ b). Definition 23 (modified I-ground constraint systems) Let I be an intruder deduction system. A modified I-ground constraint system C is denoted (E1 ⊲ t1, . . . , En ⊲ tn), with: • Ei ∪ {ti} ⊆ T (F) for i ∈ {1, . . . , n}, and
2.1. PRELIMINARIES 45 • Ei ⊆ Ei+1 for i ∈ {1, . . . , n − 1}. In the rest of this document, we will make use of the modified I-ground constraint systems (Definition 23) instead of the I-ground constraint system (Definition 21), and for the aim of simplicity, we will abuse of the notation and call modified I-ground constraint systems by I-ground constraint systems. An I-ground constraint system C = (E1 ⊲ t1, . . . , En ⊲ tn) is satisfied, and we I write |=I C, if for all i ∈ {1, . . . , n} we have ti ∈ Ei , and ti, Ei in normal form. Definition 24 (solved form) A modified I-constraint system (E1 ⊲ t1, . . . , En ⊲ tn) is said to be in solved form if for all i, we have ti ∈ X . Lemma 9 Let C be a modified I-constraint system, C = (Cα, E ⊲ t, Cβ) such that Cα is in solved form and t �∈ X . Then, for all substitutions σ we have: σ |=I C if and only if σ |=I (Cα, (E \ X ) ⊲ t, Cβ) . PROOF. It suffices to prove that if x ∈ E ∩ X and σ is a substitution such that σ |=I C, then we have σ |=I (Cα, (E \ {x}) ⊲ t, Cβ). Given x ∈ E, by definition 20, there exists a set of terms E ′ ⊆ E such that E ′ ⊲ x ∈ Cα. Since σ |=I C we have σ |=I E ′ ⊲ x, and by the fact that E ′ ⊆ E \ {x} we have σ |=I E \ {x} ⊲ x. Since we also have σ |=I (E ⊲t) then, σ |=I E \{x}⊲t. The reciprocal is obvious since E \ X ⊆ E. � Lemma 10 Let C = (Cα, E ⊲ x, Cβ) be a modified I-constraint system such that Cα is in solved form and x /∈ V ar(Cβ) and let C ′ = (Cα, Cβ). We have: 1. If σ |= C then σ |= C ′ . 2. If σ ′ |= C ′ then we can extend σ ′ to σ such that σ |= C. PROOF. � 1. Let C = (Cα, E ⊲ x, Cβ) and let σ be a closed substitution such that σ |= C. Since x /∈ V ar(Cβ), C ′ is a constraint system. It is trivial that σ |= C ′ . 2. Let σ ′ be a closed substitution such that σ ′ |= C ′ . Since V ar(E) ⊆ V ar(Cα), σ ′ is defined on V ar(Cα, E, Cβ). We have two cases: • If x /∈ V ar(Cα) then σ ′ (x) is not defined and x /∈ V ar(E). We then extend σ ′ to σ as follows: σ(y) = σ ′ (y) for y ∈ Supp(σ ′ ), σ(x) is a closed term in E. Since x /∈ V ar(Cα, Cβ, E) and xσ ∈ Eσ, we deduce that σ |= C. • If x ∈ V ar(Cα) then there exists Ex ⊲ x ∈ Cα. σ ′ |= (Cα, Cβ) implies that σ ′ |= Ex ⊲ x, and since Ex ⊆ E, we have σ ′ |= E ⊲ x and hence σ ′ |= C.
Page 1:
Logical Analysis and Verification o
Page 5: Abstract This thesis is developed i
Page 8 and 9: viii
Page 10 and 11: x CONTENTS 2.1.7 Unification . . .
Page 12 and 13: xii CONTENTS 5.8 Decidability of re
Page 14 and 15: 2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17: 4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19: 6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21: 8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23: 10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25: 12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27: 14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29: 16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31: 18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33: 20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 106 and 107:
94 CHAPTER 4. PROTOCOLS WITH VULNER
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 114 and 115:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
112 CHAPTER 5. SATURATED DEDUCTION
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

Create successful ePaper yourself

Delete template?

Save as template?