Logical Analysis and Verification of Cryptographic Protocols - Loria

66 CHAPTER 3. PROTOCOLS WITH VULNERABLE HASH FUNCTIONS
3.3.5 Symbolic derivation
Given a intruder system I = 〈F, LI, H〉, and a protocol P. At step i, a role in
P receives a (possibly ∅) message, checks its well-formedness by verifying that
it is as expected, and applies rules in LI to construct the response. We give in
Definition 30 (Chapter 2) a specification of role, this specification is adequate
when the intruder deduction rules are of the form x1, . . . , xn → f(x1, . . . , xn)
with f a public function symbol in F. Since, in this chapter, we consider a
different form of the intruder deduction rules (Definition 35), we represent a
role by a symbolic derivation [72].
Definition 40 (Symbolic Derivations) Let I = 〈F, LI, H〉 be an intruder deduction
system. A I-symbolic derivation is a tuple (V, S, K, In, Out) where V is a finite sequence
of variables (xi)i∈Ind, indexed by a linearly ordered set (Ind,