Logical Analysis and Verification of Cryptographic Protocols - Loria

76 CHAPTER 3. PROTOCOLS WITH VULNERABLE HASH FUNCTIONS
�
• If σ |=HAU
�
m ? = x1 · g(x1, x2, y1, y2) · x2, m ′ ? �
= y1 · f(x1, x2, y1, y2) · y2 then
� m1σ =HAU x1σ · f(x1σ, x2σ, y1σ, y2σ) · x2σ
m2σ =HAU y1σ · g(x1σ, x2σ, y1σ, y2σ) · y2σ
Since E → ∗ IAU (m1σ)↓, we have E → ∗ IAU (x1σ · f(x1σ, x2σ, y1σ, y2σ) · x2σ)↓
and thus, E → ∗ IAU (x1σ)↓ · f((x1σ)↓, (x2σ)↓, (y1σ)↓, (y2σ)↓) · (x2σ)↓ which
implies that E → ∗ IAU (x1σ)↓, (x2σ)↓, f((x1σ)↓, (x2σ)↓, (y1σ)↓, (y2σ)↓).
By hypothesis, f((x1σ)↓, (x2σ)↓, (y1σ)↓, (y2σ)↓) /∈ SubE, Lemma 19
implies E → ∗ IAU (x1σ)↓, (x2σ)↓, (y1σ)↓, (y2σ)↓ and thus E → ∗ IAU
g((x1σ)↓, (x2σ)↓, (y1σ)↓, (y2σ)↓) which implies that E → ∗ IAU (y1σ)↓ ·
g((x1σ)↓, (x2σ)↓, (y1σ)↓, (y2σ)↓) · (y2σ)↓. We conclude that E → ∗ IAU (m2σ)↓.
3.5 Decidability results
We show next the decidability of respectively ordered IAU, ordered If, ordered
Ig, ordered Ifree-satisfiability problems, and we conjecture the decidability of
the ordered Ih-satisfiability problem.
3.5.1 Decidability of ordered IAU-satisfiability problem
We state below some basic facts on IAU = 〈{.}, LI AU, HAU〉.
Lemma 21 Let E and t be respectively a set of terms and a term in normal form with
respect to the equational theory HAU. We have:
1. all.Cons(E) ⊆ E IAU
,
2. E ⊆ all.Cons(E) IAU
,
3. E IAU
4. t ∈ E IAU
= all.Cons(E) IAU
,
if and only if all.Cons(t) ⊆ all.Cons(E).
PROOF.
Let E and t be respectively a set of ground terms and a ground term in
normal form with respect to the equational theory HAU.
1. Let c ∈ all.Cons(E) be a constant, and let e be a term in E such that c ∈
all.Cons(e). We have therefore e = e1.c.e2. By associativity of ., we have
e = e1.c.e2 = (e1.c).e2 = e1.(c.e2). Thus E →IAU E, (e1.c) →IAU E, (e1.c), c.
This implies all.Cons(E) ⊆ E IAU
.