Opening the AC-Unification Race

This note reports about the implementation of AC-unification algorithms, based on the variable-abstraction method of Stickel and on the constant-abstraction method of Livesey, Siekmann, and Herold. We give a set of 105 benchmark examples and compare execution times for implementations of the two approaches. This documents for other researchers what we consider to be the state-of-the-art performance for elementary AC-unification problems

The Role of Term Symmetry in E-Unification and E-Completion

A major portion of the work and time involved in completing an incomplete set of reductions using an E-completion procedure such as the one described by Knuth and Bendix [070] or its extension to associative-commutative equational theories as described by Peterson and Stickel [PS81] is spent calculating critical pairs and subsequently testing them for coherence. A pruning technique which removes from consideration those critical pairs that represent redundant or superfluous information, either before, during, or after their calculation, can therefore make a marked difference in the run time and efficiency of an E-completion procedure to which it is applied. The exploitation of term symmetry is one such pruning technique. The calculation of redundant critical pairs can be avoided by detecting the term symmetries that can occur between the subterms of the left-hand side of the major reduction being used, and later between the unifiers of these subterms with the left-hand side of the minor reduction. After calculation, and even after reduction to normal form, the observation of term symmetries can lead to significant savings. The results in this paper were achieved through the development and use of a flexible E-unification algorithm which is currently written to process pairs of terms which may contain any combination of Null-E, C (Commutative), AC (Associative-Commutative) and ACI (Associative-Commutative with Identity) operators. One characteristic of this E-unification algorithm that we have not observed in any other to date is the ability to process a pair of terms which have different ACI top-level operators. In addition, the algorithm is a modular design which is a variation of the Yelick model [Ye85], and is easily extended to process terms containing operators of additional equational theories by simply plugging in a unification module for the new theory

Complete Sets of Reductions Modulo A Class of Equational Theories which Generate Infinite Congruence Classes

In this paper we present a generalization of the Knuth-Bendix procedure for generating a complete set of reductions modulo an equational theory. Previous such completion procedures have been restricted to equational theories which generate finite congruence classes. The distinguishing feature of this work is that we are able to generate complete sets of reductions for some equational theories which generate infinite congruence classes. In particular, we are able to handle the class of equational theories which contain the associative, commutative, and identity laws for one or more operators. We first generalize the notion of rewriting modulo an equational theory to include a special form of conditional reduction. We are able to show that this conditional rewriting relation restores the finite termination property which is often lost when rewriting in the presence of infinite congruence classes. We then develop Church-Rosser tests based on the conditional rewriting relation and set forth a completion procedure incorporating these tests. Finally, we describe a computer program which implements the theory and give the results of several experiments using the program

Constrained completion: Theory, implementation, and results

The Knuth-Bendix completion procedure produces complete sets of reductions but can not handle certain rewrite rules such as commutativity. In order to handle such theories, completion procedure were created to find complete sets of reductions modulo an equational theory. The major problem with this method is that it requires a specialized unification algorithm for the equational theory. Although this method works well when such an algorithm exists, these algorithms are not always available and thus alternative methods are needed to attack problems. A way of doing this is to use a completion procedure which finds complete sets of constrained reductions. This type of completion procedure neither requires specialized unification algorithms nor will it fail due to unorientable identities. We present a look at complete sets of reductions with constraints, developed by Gerald Peterson, and the implementation of such a completion procedure for use with HIPER - a fast completion system. The completion procedure code is given and shown correct along with the various support procedures which are needed by the constrained system. These support procedures include a procedure to find constraints using the lexicographic path ordering and a normal form procedure for constraints. The procedure has been implemented for use under the fast HIPER system, developed by Jim Christian, and thus is quick. We apply this new system, HIPER- extension, to attack a variety of word problems. Implementation alternatives are discussed, developed, and compared with each other as well as with the HIPER system. Finally, we look at the problem of finding a complete set of reductions for a ternary boolean algebra. Given are alternatives to attacking this problem and the already known solution along with its run in the HIPER-extension system --Abstract, page iii

Dynamic Order-Sorted Term-Rewriting Systems

This thesis considers the problems of order-sorted equational logic and its operational interpretation, order-sorted term rewriting

Inductive verification of cryptographic protocols based on message algebras - trace and indistinguishability properties

Since 1981, a large variety of formal methods for the analysis of cryptographic protocols has evolved. In particular, the tool-supported inductive method has been applied to many protocols. Despite several improvements, the scope of these and other approaches is basically restricted to the simple enc-dec scenario (decryption reverts encryption) and to standard properties (confidentiality and authentication). In this thesis, we broaden the scope of the inductive method to protocols with algebraically specified cryptographic primitives beyond the simple enc-dec scenario and to indistinguishability properties like resistance against offline testing. We describe an axiomatization of message structures, justified by a rewriting-based model of algebraic equations, to provide complete case distinctions and partial orders thereby allowing for the definition of recursive functions and inductive reasoning. We develop a new proof technique for confidentiality properties based on tests of regular messages. The corresponding recursive functions are provably correct wrt. to an inductively defined attacker model. We introduce generic derivations to express indistinguishability properties. A central theorem then provides necessary and sufficient conditions that can be shown by standard trace properties. The general aspects of our techniques are thoroughly discussed and emphasized, along with two fully worked out real world case studies: PACE and TC-AMP are (to be) used for the German ID cards. To the best of our knowledge TC-AMP is among the most complex algebraically specified protocols that have been formally verified. In particular, we do not know of any approaches that apply formal analysis techniques to comparable cases.Seit 1981 wurden zahlreiche formale Methoden zur Analyse kryptographischer Protokolle entwickelt und erfolgreich angewendet. Trotz vieler Verbesserungen, beschränkt sich der Anwendungsbereich gerade induktiver Verfahren auf das einfache enc-dec Szenario (Entschlüsseln hebt Verschlüsseln ab) und auf Standardeigenschaften (Vertraulichkeit und Authentifizierung). In dieser Arbeit erweitern wir den Anwendungsbereich der werkzeug-unterstützten induktiven Methode auf Protokolle mit algebraisch spezifizierten kryptografischen Primitiven und auf Ununterscheidbarkeitseigenschaften wie die Resistenz gegen Offline-Testen. Eine Axiomatisierung von Nachrichtenstrukturen, abgeleitet aus einem konstruktiven Modell (Termersetzung), liefert die Basis für die Definition rekursiver Funktionen und induktives Schließen (partielle Ordnungen, Fallunterscheidungen). Eine neue Beweistechnik für Vertraulichkeitseigenschaften verwendet rekursive Testfunktionen, die beweisbar korrekt bzgl. eines induktiv definierten Angreifermodells sind. Die Formalisierung von Ununterscheidbarkeitseigenschaften durch generische Ableitungen und ein zentrales Theorem erlauben eine Reduktion auf Trace-Eigenschaften. Die allgemeinen Aspekte unserer Techniken werden zusammen mit zwei vollständig ausgearbeiteten realen Fallstudien, PACE und TC-AMP, diskutiert, die für den deutschen Personalausweis entwickelt wurden. TC-AMP gehört sicher zu den komplexesten algebraisch spezifizierten Protokollen, die formal verifiziert wurden. Insbesondere, sind uns keine Ansätze bekannt, die vergleichbare Fälle behandeln