Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

74 CHAPTER 3. PROTOCOLS WITH VULNERABLE HASH FUNCTIONS PROOF. Let E be a set of ground terms in normal forms satisfying the following derivation: E →LI h E, r →LI h E, r, t such that r /∈ Subv(E, t) ∪ Cspec. In order to prove that there exists a set of ground terms in normal form F such that E → ∗ LI free F →LI h F, t, it suffices to prove that E →LI h E, t. We have E →LI h E, r and the only LI h rule is x → h(x). By definition, there exists a normal ground substitution σ such that xσ ∈ E and r = (h(xσ))↓. Since Sign(h(xσ)) = 1 by Lemma 14, we have Sign(r) = 1. Since E, r →LI E, r, t, there exists a normal h ground substitution σ ′ such that xσ ′ ∈ E, r and t = (h(xσ ′ ))↓. If xσ ′ = r, we have t = (h(r))↓. h(r) is in normal form, since all its factors are in normal form and r ∈ Subv(h(r)) \ {h(r), ɛ}, by Lemma 15 r ∈ Subv(t), which contradicts the hypothesis r /∈ Subv(E, t) ∪ Cspec. By contradiction, we have xσ ′ ∈ E and thus E, t. � E →LI h In the following lemma, t = 1 HC t′ denotes that there exists a one step rewriting between t and t ′ using (HC) equation. Lemma 17 Let t0, t, t ′ ∈ T (F〈, X ) such that t0 =HAU t =1 HC t′ and t0 = h(t1 · f(t1, t2, t3, t4) · t2). We have: t ′ =HAU h(t3 · g(t1, t2, t3, t4) · t4). PROOF. Let h(m1 · f/g(m1, m2, m3, m4) · m2) = h(m3 · g/f(m1, m2, m3, m4) · m4) be the ground instance of (HC) used between t and t ′ . Let us prove that m1 =HAU t1. If m1 �=HAU t1, we have either m1 is a prefix modulo h. of t1 or t1 is a prefix modulo HAU of m1. Let us review these two cases: • m1 is a prefix modulo HAU of t1: then t1 = m1 · x and x �=HAU ɛ, then f/g(m1, m2, m3, m4) ∈ Sub(t1), then m2 ∈ Sub(t1). And we have m2 = y · t2 with y �=HAU ɛ, then f(t1, t2, t3, t4) ∈ Sub(m2) then t1 ∈ Sub(m2). We conclude that t1 is a strict subterm of m2 and m2 is a strict subterm of t1 which is impossible. • t1 is a prefix modulo HAU of m1: by reasoning as above on t2 which is a suffix of m2, we can also prove that this case is impossible. Thus we have m1 =HAU t1, and thus f/g(m1, m2, m3, m4) =HAU f(t1, t2, t3, t4), that is mi =HAU ti for i ∈ {1, 2, 3, 4} and t ′ =HAU h(t3 · g(t1, t2, t3, t4) · t4). � Lemma 18 Let h(m), h(m ′ ) be two pure terms and σ be ground substitution such that σ |=Hh h(m) ? = h(m ′ ). Then one of the following holds: • σ |=HAU m ? = m ′ • σ |=HAU � m ? = x1 · g(x1, x2, y1, y2) · x2, m ′ ? � = y1 · f(x1, x2, y1, y2) · y2
3.4. SYMBOLIC FORMALISATION 75 with x1, x2, y1, y2 new variables (modulo the commutativity of ? =). PROOF. Let m1, m2, m3 ∈ T (Fh, X ) such that h(m1) = 1 HC h(m2) = 1 HC h(m3). If m1 =HAU t1 · f(t1, t2, t3, t4) · t2 then, by Lemma 17 we have � m2 =HAU t3 · g(t1, t2, t3, t4) · t4 m3 =HAU t1 · f(t1, t2, t3, t4) · t2 Let Sm1 = {m| h(m) =Hh h(m1)} then, by Lemma 17 we have Sm1 = {m| m =HAU m1} ∪ {m| m =HAU t3 · g(t1, t2, t3, t4) · t4}. We have σ |=Hh h(m) ? = h(m ′ ) that is h(mσ) =Hh h(m′ σ), and thus m ′ σ ∈ Smσ which implies that either mσ =HAU m′ σ and then σ |=HAU m ? = m ′ or mσ =HAU x1σ · f(x1σ, x2σ, y1σ, y2σ) · x2σ and m ′ σ =HAU y1σ � · g(x1σ, x2σ, y1σ, y2σ) · y2σ and m ? = x1 · g(x1, x2, y1, y2) · x2, m ′ ? � = y1 · f(x1, x2, y1, y2) · y2 . � then σ |=HAU Lemma 19 Let E be a set of ground terms in normal form. If E → ∗ Ifree f(t1, t2, t ′ 1, t ′ 2) and f(t1, t2, t ′ 1, t ′ 2) /∈ Sub(E) then E → ∗ Ifree t1, t2, t ′ 1, t ′ 2. PROOF. We have E → ∗ Ifree f(t1, t2, t ′ 1, t ′ 2) that is, there exists a finite sequence of rewritings starting from E leading to f(t1, t2, t ′ 1, t ′ 2): E →Ifree E1 →Ifree . . . →Ifree En−1 →IAU En−1, f(t1, t2, t ′ 1, t ′ 2). By hypothesis, we have f(t1, t2, t ′ 1, t ′ 2) ∈ Sub(En) \ Sub(E). Let Ei be the smallest set in the derivation such that f(t1, t2, t ′ 1, t ′ 2) ∈ Sub(Ei) \ Sub(Ei−1) [i ≥ 1]. By LI free and Hfree, the rule applied in the step i of the derivation is x1, x2, y1, y2 → f(x1, x2, y1, y2). This implies that there exists a normal ground substitution σ such that ti = xiσ and t ′ i = yiσ for i ∈ {1, 2} and t1, t2, t ′ 1, t ′ 2 ∈ Ei−1. We deduce that E → ∗ Ifree t1, t2, t ′ 1, t ′ 2. � Lemma 20 Let E ⊆ T (Fh) be a set of ground terms in normal form, and assume that E does not contain terms having the form f(t1, t2, t3, t4) or g(t1, t2, t3, t4) for some terms t1, . . . , t4. Let m1, m2 be two terms in T (Fh, X ) such that (h(m1) ? = h(m2)) is Hh-satisfiable. Let σ be a ground substitution which satisfies (h(m1) ? =Hh h(m2)). We have: E → ∗ IAU (m1σ)↓ if and only if E → ∗ IAU (m2σ)↓ PROOF. By symmetry, it suffices to prove that E → ∗ IAU (m1σ)↓ implies E → ∗ IAU (m2σ)↓. Since σ |=Hh (h(m1) ? = h(m2)), by Lemma 18 we have two cases: • If σ |=HAU m1 ? = m2 then the result is obvious.
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
22 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 36 and 37: 24 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 136 and 137:
124 CHAPTER 5. SATURATED DEDUCTION
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?