2,061 research outputs found
Unification modulo a partial theory of exponentiation
Modular exponentiation is a common mathematical operation in modern
cryptography. This, along with modular multiplication at the base and exponent
levels (to different moduli) plays an important role in a large number of key
agreement protocols. In our earlier work, we gave many decidability as well as
undecidability results for multiple equational theories, involving various
properties of modular exponentiation. Here, we consider a partial subtheory
focussing only on exponentiation and multiplication operators. Two main results
are proved. The first result is positive, namely, that the unification problem
for the above theory (in which no additional property is assumed of the
multiplication operators) is decidable. The second result is negative: if we
assume that the two multiplication operators belong to two different abelian
groups, then the unification problem becomes undecidable.Comment: In Proceedings UNIF 2010, arXiv:1012.455
Implementing a Unification Algorithm for Protocol Analysis with XOR
In this paper, we propose a unification algorithm for the theory which
combines unification algorithms for E\_{\std} and E\_{\ACUN} (ACUN
properties, like XOR) but compared to the more general combination methods uses
specific properties of the equational theories for further optimizations. Our
optimizations drastically reduce the number of non-deterministic choices, in
particular those for variable identification and linear orderings. This is
important for reducing both the runtime of the unification algorithm and the
number of unifiers in the complete set of unifiers. We emphasize that obtaining
a ``small'' set of unifiers is essential for the efficiency of the constraint
solving procedure within which the unification algorithm is used. The method is
implemented in the CL-Atse tool for security protocol analysis
Towards Correctness of Program Transformations Through Unification and Critical Pair Computation
Correctness of program transformations in extended lambda calculi with a
contextual semantics is usually based on reasoning about the operational
semantics which is a rewrite semantics. A successful approach to proving
correctness is the combination of a context lemma with the computation of
overlaps between program transformations and the reduction rules, and then of
so-called complete sets of diagrams. The method is similar to the computation
of critical pairs for the completion of term rewriting systems. We explore
cases where the computation of these overlaps can be done in a first order way
by variants of critical pair computation that use unification algorithms. As a
case study we apply the method to a lambda calculus with recursive
let-expressions and describe an effective unification algorithm to determine
all overlaps of a set of transformations with all reduction rules. The
unification algorithm employs many-sorted terms, the equational theory of
left-commutativity modelling multi-sets, context variables of different kinds
and a mechanism for compactly representing binding chains in recursive
let-expressions.Comment: In Proceedings UNIF 2010, arXiv:1012.455
Nominal Unification from a Higher-Order Perspective
Nominal Logic is a version of first-order logic with equality, name-binding,
renaming via name-swapping and freshness of names. Contrarily to higher-order
logic, bindable names, called atoms, and instantiable variables are considered
as distinct entities. Moreover, atoms are capturable by instantiations,
breaking a fundamental principle of lambda-calculus. Despite these differences,
nominal unification can be seen from a higher-order perspective. From this
view, we show that nominal unification can be reduced to a particular fragment
of higher-order unification problems: Higher-Order Pattern Unification. This
reduction proves that nominal unification can be decided in quadratic
deterministic time, using the linear algorithm for Higher-Order Pattern
Unification. We also prove that the translation preserves most generality of
unifiers
Unification modulo a 2-sorted Equational theory for Cipher-Decipher Block Chaining
We investigate unification problems related to the Cipher Block Chaining
(CBC) mode of encryption. We first model chaining in terms of a simple,
convergent, rewrite system over a signature with two disjoint sorts: list and
element. By interpreting a particular symbol of this signature suitably, the
rewrite system can model several practical situations of interest. An inference
procedure is presented for deciding the unification problem modulo this rewrite
system. The procedure is modular in the following sense: any given problem is
handled by a system of `list-inferences', and the set of equations thus derived
between the element-terms of the problem is then handed over to any
(`black-box') procedure which is complete for solving these element-equations.
An example of application of this unification procedure is given, as attack
detection on a Needham-Schroeder like protocol, employing the CBC encryption
mode based on the associative-commutative (AC) operator XOR. The 2-sorted
convergent rewrite system is then extended into one that fully captures a block
chaining encryption-decryption mode at an abstract level, using no AC-symbols;
and unification modulo this extended system is also shown to be decidable.Comment: 26 page
Key Substitution in the Symbolic Analysis of Cryptographic Protocols (extended version)
Key substitution vulnerable signature schemes are signature schemes that
permit an intruder, given a public verification key and a signed message, to
compute a pair of signature and verification keys such that the message appears
to be signed with the new signature key. A digital signature scheme is said to
be vulnerable to destructive exclusive ownership property (DEO) If it is
computationaly feasible for an intruder, given a public verification key and a
pair of message and its valid signature relatively to the given public key, to
compute a pair of signature and verification keys and a new message such that
the given signature appears to be valid for the new message relatively to the
new verification key. In this paper, we prove decidability of the insecurity
problem of cryptographic protocols where the signature schemes employed in the
concrete realisation have this two properties
E-Generalization Using Grammars
We extend the notion of anti-unification to cover equational theories and
present a method based on regular tree grammars to compute a finite
representation of E-generalization sets. We present a framework to combine
Inductive Logic Programming and E-generalization that includes an extension of
Plotkin's lgg theorem to the equational case. We demonstrate the potential
power of E-generalization by three example applications: computation of
suggestions for auxiliary lemmas in equational inductive proofs, computation of
construction laws for given term sequences, and learning of screen editor
command sequences.Comment: 49 pages, 16 figures, author address given in header is meanwhile
outdated, full version of an article in the "Artificial Intelligence
Journal", appeared as technical report in 2003. An open-source C
implementation and some examples are found at the Ancillary file
- âŠ