Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
3.5. DECIDABILITY RESULTS 77<br />
2. By definition <strong>of</strong> IAU, it is easy to see that E ⊆ all.Cons(E) IAU<br />
.<br />
3. (1) <strong>and</strong> (2) implies easily (3).<br />
4. We have t ∈ E IAU<br />
is equivalent to E IAU<br />
= (E, t) IAU<br />
, which is equivalent<br />
to all.Cons(E) IAU<br />
= all.Cons(E, t) IAU<br />
by (3). By contradiction, assume<br />
that t ∈ E IAU<br />
<strong>and</strong> there is a constant c ∈ all.Cons(t) \ all.Cons(E). c /∈<br />
all.Cons(E) implies that c /∈ all.Cons(E) IAU<br />
, <strong>and</strong> c ∈ all.Cons(t) implies<br />
that c ∈ all.Cons(E, t) IAU<br />
. This contradicts the equality all.Cons(E) IAU<br />
all.Cons(E, t) IAU<br />
, <strong>and</strong> hence we deduce that all.Cons(t) ⊆ all.Cons(E).<br />
Now, we prove the converse. We have all.Cons(t) ⊆ all.Cons(E), this<br />
implies all.Cons(t) ⊆ all.Cons(E) IAU<br />
. By (2), we have t ∈ all.Cons(t) IAU<br />
,<br />
<strong>and</strong> hence, t ∈ all.Cons(E) IAU<br />
. By (3), we conclude that t ∈ E IAU<br />
.<br />
�<br />
The consequence <strong>of</strong> Lemma 21 is that only the set <strong>of</strong> constants appearing<br />
or not in the initial knowledge <strong>and</strong> the goal <strong>of</strong> a supposed derivation are relevant<br />
to decide its feasibility. This has the important implication, with respect<br />
to decidability, that it is not necessary to know the exact instance <strong>of</strong> intruder’s<br />
knowledge (his initial knowledge <strong>and</strong> the messages in the output <strong>of</strong> the symbolic<br />
derivation up to this point) <strong>and</strong> the goal (the next input message <strong>of</strong> the<br />
symbolic derivation) to decide whether a derivation exists. It suffices to know<br />
the guessable sets <strong>of</strong> constants <strong>of</strong> the knowledge <strong>and</strong> <strong>of</strong> the goal.<br />
We give in Figure 3.2 the algorithm that solve ordered IAU-satisfiability problem<br />
<strong>and</strong> then, show its correctness, completeness <strong>and</strong> termination.<br />
The definition <strong>of</strong> satisfiability <strong>of</strong> symbolic derivations allows us to conclude<br />
automatically the completeness <strong>of</strong> the algorithm:<br />
Lemma 22 (Completeness) The algorithm described in Figure 3.2 is complete.<br />
PROOF.<br />
Let C = (V, S, K, In, Out) be a IAU symbolic derivation, KI be the initial<br />
intruder knowledge, <strong>and</strong> ≺ be a linear ordering on the variables <strong>and</strong> constants<br />
<strong>of</strong> C. Assume that C is satisfiable, this implies, by definition, that there exists a<br />
IAU-symbolic derivation CI = (VI, SI, KI, InI, OutI), a closed composition Ca <strong>of</strong><br />
CI <strong>and</strong> C, <strong>and</strong> a substitution σ such that (1) σ |=IAU Ca <strong>and</strong> (2) for all x variable<br />
in C <strong>and</strong> c constant in C, x ≺ c implies c /∈ all.Cons(xσ). Hence, the intruder<br />
I receives all messages sent by the protocol participants, <strong>and</strong> every message<br />
they receive is send by the intruder. We have that xσ is defined for all x ∈ V,<br />
we let Px = all.Cons(xσ). Furthermore, we have that for all x ∈ In, (xσ)↓ ∈<br />
K ′ IσIAU with K ′ I = KI ∪ {x ′ | x ′ ∈ Out <strong>and</strong> x ′ ≺ x}, <strong>and</strong> by Lemma 21, we have<br />
=