27 research outputs found

    Unification modulo a 2-sorted Equational theory for Cipher-Decipher Block Chaining

    We investigate unification problems related to the Cipher Block Chaining (CBC) mode of encryption. We first model chaining in terms of a simple, convergent rewrite system over a signature with two disjoint sorts: list and element. By interpreting a particular symbol of this signature suitably, the rewrite system can model several practical situations of interest. An inference procedure is presented for deciding the unification problem modulo this rewrite system. The procedure is modular in the following sense: any given problem is handled by a system of "list-inferences", and the set of equations thus derived between the element-terms of the problem is then handed over to any ("black-box") procedure which is complete for solving these element-equations. An example of application of this unification procedure is given, as attack detection on a Needham-Schroeder-like protocol employing the CBC encryption mode based on the associative-commutative (AC) operator XOR. The 2-sorted convergent rewrite system is then extended into one that fully captures a block chaining encryption-decryption mode at an abstract level, using no AC-symbols; and unification modulo this extended system is also shown to be decidable.
    Comment: 26 pages.

    A study on unification and disunification modulo

    Master's dissertation, Universidade de Brasília, Instituto de Ciências Exatas, Departamento de Ciência da Computação, 2020.
    Comparisons between asymmetric unification and disunification modulo AC concerning their complexities, as developed by Ravishankar, Narendran and Gero, are studied. Asymmetric unification is a type of equational unification problem in which the solutions must give, as right-hand sides of the input problem, normal forms with respect to some rewriting system. Disunification problems require solving equations and "disequations" for a given equational theory. Solutions to disunification problems are substitutions that make the two terms of each equation equal, but the two terms of each "disequation" different. These authors compared the complexity of the unification and disunification problems for two equational theories. The properties of the first equational theory are associativity (A), commutativity (C), the existence of a unit (U), and nilpotence (N), abbreviated as ACUN. The second equational theory has the same properties but adds a homomorphism (h), ACUNh for short. For these equational theories, details of the proof that disunification can be solved in polynomial time while asymmetric unification is NP-hard have been studied. Besides, the approach for converting ACUN unifiers to asymmetric ones, with uninterpreted function symbols, using the inference rules introduced by Zhiqiang Liu in his Ph.D. dissertation, was studied. Narendran's proof of the undecidability of the unification problem modulo the associative-commutative theory with homomorphism (ACh) is studied. Also studied is the semi-decision algorithm recently introduced by Ajay Kumar Eeralla and Christopher Lynch, which presents a set of inference rules for solving a bounded version of ACh unification.

    Equational methods in first order predicate calculus

    We show that the application of the resolution principle to a set of clauses can be regarded as the construction of a term rewriting system confluent on valid formulas. This result allows the extension of usual properties and methods of equational theories (such as Birkhoff's theorem and the Knuth-Bendix completion algorithm) to quantifier-free first order theories. These results are extended to first order predicate calculus in an equational theory, as studied by Plotkin (1972), Slagle (1974) and Lankford (1975). This paper is a continuation of the work of Hsiang & Dershowitz (1983), who have already shown that rewrite methods can be used in first order predicate calculus. The main difference is the following: Hsiang uses rewrite methods only as a refutational proof technique, the initial set of formulas being unsatisfiable iff the equation TRUE = FALSE is generated by the completion algorithm. We generalise these methods to satisfiable theories; in particular, we show that the concept of a confluent rewriting system, which is the main tool for studying equational theories, can be extended to any quantifier-free first order theory. Furthermore, we show that rewrite methods can be used even if formulas are kept in clausal form.

    Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA

    The area of formal analysis of cryptographic protocols has been an active one since the mid-80s. The idea is to verify communication protocols that use encryption to guarantee secrecy and that use authentication of data to ensure security. Formal methods are used in protocol analysis to provide formal proofs of security, and to uncover bugs and security flaws that in some cases had remained unknown long after the original protocol publication, such as the case of the well-known Needham-Schroeder Public Key (NSPK) protocol. In this thesis we tackle problems regarding the three main pillars of protocol verification: modelling capabilities, verifiable properties, and efficiency. This thesis is devoted to investigating advanced features in the analysis of cryptographic protocols tailored to the Maude-NPA tool. This tool is a model checker for cryptographic protocol analysis that allows for the incorporation of different equational theories and operates in the unbounded session model without the use of data or control abstraction. An important contribution of this thesis concerns theoretical aspects of protocol verification in Maude-NPA. First, we define a forwards operational semantics, using rewriting logic as the theoretical framework and the Maude programming language as tool support. This is the first time that a forwards rewriting-based semantics is given for Maude-NPA. Second, we also study the problem that arises in cryptographic protocol analysis when it is necessary to guarantee that certain terms generated during a state exploration are in normal form with respect to the protocol equational theory. We also study techniques to extend Maude-NPA capabilities to support the verification of a wider class of protocols and security properties. First, we present a framework to specify and verify sequential protocol compositions in which one or more child protocols make use of information obtained from running a parent protocol. Second, we present a theoretical framework to specify and verify protocol indistinguishability in Maude-NPA. This kind of property aims to verify that an attacker cannot distinguish between two versions of a protocol: for example, one using one secret and one using another, as happens in electronic voting protocols. Finally, this thesis contributes to improving the efficiency of protocol verification in Maude-NPA. We define several techniques which drastically reduce the state space, and can often yield a finite state space, so that whether the desired security property holds or not can in fact be decided automatically, in spite of the general undecidability of such problems.
    Santiago Pinazo, S. (2015). Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA [Unpublished doctoral thesis]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/4852

    On the Resolution Semiring

    In this thesis, we study a semiring structure with a product based on the resolution rule of logic programming. This mathematical object was introduced initially in the setting of the geometry of interaction program in order to model the cut-elimination procedure of linear logic. It provides us with an algebraic and abstract setting, while being presented in a syntactic and concrete way, in which a theoretical study of computation can be carried on.
    We will review first the interactive interpretation of proof theory within this semiring via the categorical axiomatization of the geometry of interaction approach. This interpretation establishes a way to translate functional programs into a very simple form of logic programs.
    Secondly, complexity theory problematics will be considered: while the nilpotency problem in the semiring we study is undecidable in general, it will appear that certain restrictions allow for characterizations of (deterministic and non-deterministic) logarithmic space and (deterministic) polynomial time computation.

    Pseudo-contractions as Gentle Repairs

    Updating a knowledge base to remove an unwanted consequence is a challenging task. Some of the original sentences must be either deleted or weakened in such a way that the sentence to be removed is no longer entailed by the resulting set. On the other hand, it is desirable that the existing knowledge be preserved as much as possible, minimising the loss of information. Several approaches to this problem can be found in the literature. In particular, when the knowledge is represented by an ontology, two different families of frameworks have been developed in the past decades with numerous ideas in common but with little interaction between the communities: applications of AGM-like Belief Change and justification-based Ontology Repair. In this paper, we investigate the relationship between pseudo-contraction operations and gentle repairs. Both aim to avoid the complete deletion of sentences when replacing them with weaker versions is enough to prevent the entailment of the unwanted formula. We show the correspondence between concepts on both sides and investigate under which conditions they are equivalent. Furthermore, we propose a unified notation for the two approaches, which might contribute to the integration of the two areas.