
    A Proof Theoretic Analysis of Intruder Theories

    We consider the problem of intruder deduction in security protocol analysis: that is, deciding whether a given message M can be deduced from a set of messages Gamma under the theory of blind signatures and arbitrary convergent equational theories modulo associativity and commutativity (AC) of certain binary operators. The traditional formulations of intruder deduction are usually given in natural-deduction-like systems, and proving decidability requires significant effort in showing that the rules are "local" in some sense. By using the well-known translation between natural deduction and sequent calculus, we recast the intruder deduction problem as proof search in sequent calculus, in which locality is immediate. Using standard proof theoretic methods, such as permutability of rules and cut elimination, we show that the intruder deduction problem can be reduced, in polynomial time, to the elementary deduction problem, which amounts to solving certain equations in the underlying individual equational theories. We show that this result extends to combinations of disjoint AC-convergent theories, whereby the decidability of intruder deduction under the combined theory reduces to the decidability of elementary deduction in each constituent theory. To further demonstrate the utility of the sequent-based approach, we show that, for Dolev-Yao intruders, our sequent-based techniques can be used to solve the more difficult problem of solving deducibility constraints, where the sequents to be deduced may contain gaps (or variables) representing possible messages the intruder may produce. Comment: Extended version of an RTA 2009 paper.
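    The deduction problem this abstract describes, worked through as an added example that is not code from the paper: a saturation-based decision procedure for the basic Dolev-Yao intruder (no equational theory) with pairing, symmetric and public-key encryption and hashing. The term encoding, the constructor names (pair, senc, aenc, pk, sk, h) and the sample knowledge set are assumptions of this example. It makes the "locality" the abstract refers to concrete: the analysis phase only ever adds subterms of Gamma, and the synthesis phase is structural recursion on M, so the whole check is polynomial in the size of Gamma and M.

```python
"""Dolev-Yao intruder deduction by saturation (added example, not the paper's code).

Messages are terms: an atom is a string; a compound term is a tuple
(op, arg1, ...) with op in {"pair", "senc", "aenc", "pk", "sk", "h"}.
The sample knowledge sets below are constructed for this example.
"""

# Constructors the intruder may apply to known terms (synthesis rules).
# "sk" is deliberately absent: a private key is known only if it was learned.
COMPOSABLE = {"pair", "senc", "aenc", "pk", "h"}


def subterms(t):
    """All subterms of t, t itself included."""
    yield t
    if isinstance(t, tuple):
        for arg in t[1:]:
            yield from subterms(arg)


def synth(t, known):
    """Synthesis: can t be built from `known` using constructors only?"""
    if t in known:
        return True
    if isinstance(t, tuple) and t[0] in COMPOSABLE:
        return all(synth(arg, known) for arg in t[1:])
    return False


def analyse(gamma):
    """Analysis: saturate gamma under the destructor rules.

    pair(a, b)                 -> a, b
    senc(m, k)     with k      -> m   (k itself obtained by synthesis)
    aenc(m, pk(x)) with sk(x)  -> m
    Every term added is a subterm of gamma, so the loop terminates.
    """
    known = set(gamma)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            op, args = t[0], t[1:]
            new = set()
            if op == "pair":
                new.update(args)
            elif op == "senc" and synth(args[1], known):
                new.add(args[0])
            elif (op == "aenc" and isinstance(args[1], tuple) and args[1][0] == "pk"
                  and synth(("sk", args[1][1]), known)):
                new.add(args[0])
            if not new <= known:
                known |= new
                changed = True
    return frozenset(known)


def deducible(gamma, m):
    """Intruder deduction: analyse gamma once, then try to synthesise m."""
    return synth(m, analyse(gamma))


# Constructed sample: s is the secret, k a session key sent under b's public key.
SECRET, KEY = "s", "k"
GAMMA = frozenset({
    ("senc", ("pair", SECRET, "n"), KEY),  # {s, n} under the session key k
    ("aenc", KEY, ("pk", "b")),            # k under b's public key
    ("sk", "b"),                           # the intruder holds b's private key
    ("pair", "a", "b"),                    # agent names seen on the wire
})
GAMMA_NO_SK = GAMMA - {("sk", "b")}       # same trace, private key not compromised

if __name__ == "__main__":
    print("s deducible with sk(b):   ", deducible(GAMMA, SECRET))         # True
    print("s deducible without sk(b):", deducible(GAMMA_NO_SK, SECRET))   # False
    print("h(s) deducible:           ", deducible(GAMMA, ("h", SECRET)))  # True
    print("analysed set stays inside subterms(Gamma):",
          analyse(GAMMA) <= {st for t in GAMMA for st in subterms(t)})   # True
```

    Keys are checked with `synth` rather than by membership so that a composed key (for example a pair used as a key) is handled; because `sk` is not composable, a private key can never be manufactured, which is exactly why removing `sk(b)` from the knowledge set makes `s` underivable.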

    Computing knowledge in security protocols under convergent equational theories

    The analysis of security protocols requires reasoning about the knowledge an attacker acquires by eavesdropping on network traffic. In formal approaches, the messages exchanged over the network are modeled by a term algebra equipped with an equational theory axiomatizing the properties of the cryptographic primitives (e.g. encryption, signature). In this context, two classical notions of knowledge, deducibility and indistinguishability, yield corresponding decision problems.

    We propose a procedure for both problems under arbitrary convergent equational theories. Since the underlying problems are undecidable, we cannot guarantee termination. Nevertheless, our procedure terminates on a wide range of equational theories. In particular, we obtain a new decidability result for a theory we encountered when studying electronic voting protocols. We also provide a prototype implementation.

    Proceedings of the 19th International Workshop on Unification

    Proceedings of the 19th International Workshop on Unification, held during RDP'2005 in Nara, Japan, on April 22, 2005. UNIF is the main international meeting on unification. Unification is concerned with the problem of identifying given terms, either syntactically or modulo a given logical theory. Syntactic unification is the basic operation of most automated reasoning systems, and unification modulo theories can be used, for instance, to build special equational theories into theorem provers.

    Intruder Deduction for the Equational Theory of Exclusive-or with Commutative and Distributive Encryption

    The first step in the verification of cryptographic protocols is to decide the intruder deduction problem, that is, the vulnerability to a so-called passive attacker. We extend the Dolev-Yao model in order to model this problem in the presence of the equational theory of a commutative encryption operator which distributes over the exclusive-or operator. The interaction between the commutative distributive law of the encryption and exclusive-or offers more possibilities to decrypt an encrypted message than in the non-commutative case, which requires a more careful analysis of the proof system. We prove decidability of the intruder deduction problem for a commutative encryption which distributes over exclusive-or with a DOUBLE-EXP-TIME procedure, and we obtain that this problem is EXPSPACE-hard in the binary case.
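    The exclusive-or part of this theory, as an added example that is not from the paper: an elementary deduction check for pure XOR, where the intruder knows Gamma, may XOR any known terms together, and asks whether M follows. Under the AC and cancellation laws of XOR this is membership of M in the GF(2) span of Gamma, decided by Gaussian elimination over bitmasks. The example deliberately leaves out the commutative encryption that distributes over XOR, which is what drives the paper's complexity bounds; the atom names and the sample knowledge set are constructed for the example, and the `xor_term` normal form is this example's own encoding. The check also returns the subset of Gamma whose XOR equals the target, which is the intruder's derivation.

```python
"""Elementary deduction for exclusive-or (added example, not the paper's code).

A message is an XOR of atoms, kept in normal form as a frozenset of atom names:
XOR is associative and commutative and x ⊕ x = 0, so each atom occurs at most
once and order does not matter. The intruder knows Gamma and may XOR known
terms, so M is deducible exactly when M lies in the GF(2) span of Gamma.
Atom names and the sample knowledge set are constructed for this example.
"""


def xor_term(*atoms):
    """Normal form of atom_1 ⊕ ... ⊕ atom_n: repeated atoms cancel pairwise."""
    nf = set()
    for a in atoms:
        nf ^= {a}  # toggle membership: present -> absent, absent -> present
    return frozenset(nf)


def xor_deducible(gamma, target):
    """Return the list of gamma terms whose XOR equals target, or None.

    Gaussian elimination over GF(2): every term is a bitmask over the atoms
    and the basis is kept in echelon form keyed by its highest set bit. Each
    basis vector also carries the mask of gamma indices that produced it, so
    a successful check hands back the derivation, not just a yes/no.
    """
    atoms = sorted(set().union(*gamma, target))
    index = {a: i for i, a in enumerate(atoms)}

    def vec(term):
        return sum(1 << index[a] for a in term)

    basis = {}  # highest set bit -> (vector, combination mask over gamma)

    def reduce(v, combo):
        # Clear pivots from high to low; a basis vector keyed at p only
        # touches bits <= p, so earlier clearings are never undone.
        for pivot in sorted(basis, reverse=True):
            if v >> pivot & 1:
                bv, bc = basis[pivot]
                v ^= bv
                combo ^= bc
        return v, combo

    for i, term in enumerate(gamma):
        v, combo = reduce(vec(term), 1 << i)
        if v:  # not in the span of what is already known: extend the basis
            basis[v.bit_length() - 1] = (v, combo)

    residue, combo = reduce(vec(target), 0)
    if residue:
        return None  # target is outside the span: not deducible
    return [gamma[i] for i in range(len(gamma)) if combo >> i & 1]


# Constructed sample knowledge: the intruder observed a ⊕ b, b ⊕ c and c.
GAMMA_XOR = [xor_term("a", "b"), xor_term("b", "c"), xor_term("c")]

if __name__ == "__main__":
    for target in (xor_term("a"), xor_term("a", "c"), xor_term("d")):
        print("⊕".join(sorted(target)) or "0", "<-", xor_deducible(GAMMA_XOR, target))
```

    With the constructed knowledge set, `a` is derivable as (a ⊕ b) ⊕ (b ⊕ c) ⊕ c, `a ⊕ c` as (a ⊕ b) ⊕ (b ⊕ c), and `d` is not derivable at all; the empty term (0) is always derivable, with the empty combination.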

    The Intruder Deduction Problem for Locally Stable AC-Convergent Theories

    Doctoral thesis, Universidade de Brasília, Instituto de Ciências Exatas, Departamento de Matemática, 2013.
    We present an algorithm to decide the intruder deduction problem (IDP) for the class of normal locally stable theories, which include associative and commutative (AC) operators. The decidability is based on the analysis of rewriting reductions applied at the head of terms built from normal contexts and the initial knowledge of the intruder. It relies on a new and efficient algorithm to solve a restricted case of higher-order AC-matching, obtained by combining the Distinct Occurrences AC-matching algorithm and a standard algorithm to solve systems of linear Diophantine equations. Our algorithm runs in polynomial time in the size of a saturation set built from the initial knowledge of the intruder for the subclass of theories in which AC operators have inverses. We apply the results to the pure AC equational theory and to Abelian groups of a given order n. A translation between natural deduction and sequent calculus allows us to use the same approach to decide the elementary deduction problem for locally stable theories with inverses. As an application, we model the theory of blind signatures and derive an algorithm to decide IDP in this context, extending previous decidability results.

    Pseudo-contractions as Gentle Repairs

    Updating a knowledge base to remove an unwanted consequence is a challenging task. Some of the original sentences must be either deleted or weakened in such a way that the sentence to be removed is no longer entailed by the resulting set. On the other hand, it is desirable that the existing knowledge be preserved as much as possible, minimising the loss of information. Several approaches to this problem can be found in the literature. In particular, when the knowledge is represented by an ontology, two different families of frameworks have been developed in the past decades with numerous ideas in common but with little interaction between the communities: applications of AGM-like Belief Change and justification-based Ontology Repair. In this paper, we investigate the relationship between pseudo-contraction operations and gentle repairs. Both aim to avoid the complete deletion of sentences when replacing them with weaker versions is enough to prevent the entailment of the unwanted formula. We show the correspondence between concepts on both sides and investigate under which conditions they are equivalent. Furthermore, we propose a unified notation for the two approaches, which might contribute to the integration of the two areas.

    A Verifiable Language for Cryptographic Protocols
