582 research outputs found

    Context unification is in PSPACE

    Contexts are terms with one `hole', i.e. a place in which we can substitute an argument. In context unification we are given an equation over terms with variables representing contexts and ask about the satisfiability of this equation. Context unification is a natural subvariant of second-order unification, which is undecidable, and a generalization of word equations, which are decidable, at the same time. It is the unique problem between those two whose decidability is uncertain (for already almost two decades). In this paper we show that the context unification is in PSPACE. The result holds under a (usual) assumption that the first-order signature is finite. This result is obtained by an extension of the recompression technique, recently developed by the author and used in particular to obtain a new PSPACE algorithm for satisfiability of word equations, to context unification. The recompression is based on performing simple compression rules (replacing pairs of neighbouring function symbols), which are (conceptually) applied on the solution of the context equation and modifying the equation in a way so that such compression steps can be in fact performed directly on the equation, without the knowledge of the actual solution. Comment: 27 pages, submitted, small notation changes and small improvements over the previous tex

    An asymptotic bound for secant varieties of Segre varieties

    This paper studies the defectivity of secant varieties of Segre varieties. We prove that there exists an asymptotic lower estimate for the greater non-defective secant variety (without filling the ambient space) of any given Segre variety. In particular, we prove that the ratio between the greater non-defective secant variety of a Segre variety and its expected rank is lower bounded by a value depending just on the number of factors of the Segre variety. Moreover, in the final section, we present some results obtained by explicit computation, proving the non-defectivity of all the secant varieties of Segre varieties of the shape (P^n)^4, with 1 < n < 11, except at most \sigma_199((P^8)^4) and \sigma_357((P^10)^4). Comment: 14 page

    YAPA: A generic tool for computing intruder knowledge

    Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far. We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers most of the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the tools ProVerif and KiSs

    Automating Security Analysis: Symbolic Equivalence of Constraint Systems

    We consider security properties of cryptographic protocols, that are either trace properties (such as confidentiality or authenticity) or equivalence properties (such as anonymity or strong secrecy). Infinite sets of possible traces are symbolically represented using deducibility constraints. We give a new algorithm that decides the trace equivalence for the traces that are represented using such constraints, in the case of signatures, symmetric and asymmetric encryptions. Our algorithm is implemented and performs well on typical benchmarks. This is the first implemented algorithm, deciding symbolic trace equivalence

    Forward Analysis and Model Checking for Trace Bounded WSTS

    We investigate a subclass of well-structured transition systems (WSTS), the bounded---in the sense of Ginsburg and Spanier (Trans. AMS 1964)---complete deterministic ones, which we claim provide an adequate basis for the study of forward analyses as developed by Finkel and Goubault-Larrecq (Logic. Meth. Comput. Sci. 2012). Indeed, we prove that, unlike other conditions considered previously for the termination of forward analysis, boundedness is decidable. Boundedness turns out to be a valuable restriction for WSTS verification, as we show that it further allows to decide all $\omega$-regular properties on the set of infinite traces of the system

    Decomposition of homogeneous polynomials with low rank

    Let $F$ be a homogeneous polynomial of degree $d$ in $m+1$ variables defined over an algebraically closed field of characteristic zero and suppose that $F$ belongs to the $s$-th secant varieties of the standard Veronese variety $X_{m,d}\subset \mathbb{P}^{{m+d\choose d}-1}$ but that its minimal decomposition as a sum of $d$-th powers of linear forms $M_1, ..., M_r$ is $F=M_1^d+... + M_r^d$ with $r>s$. We show that if $s+r\leq 2d+1$ then such a decomposition of $F$ can be split in two parts: one of them is made by linear forms that can be written using only two variables, the other part is uniquely determined once one has fixed the first part. We also obtain a uniqueness theorem for the minimal decomposition of $F$ if the rank is at most $d$ and a mild condition is satisfied. Comment: final version. Math. Z. (to appear

    Relating two standard notions of secrecy

    Two styles of definitions are usually considered to express that a security protocol preserves the confidentiality of a data s. Reachability-based secrecy means that s should never be disclosed while equivalence-based secrecy states that two executions of a protocol with distinct instances for s should be indistinguishable to an attacker. Although the second formulation ensures a higher level of security and is closer to cryptographic notions of secrecy, decidability results and automatic tools have mainly focused on the first definition so far. This paper initiates a systematic investigation of the situations where syntactic secrecy entails strong secrecy. We show that in the passive case, reachability-based secrecy actually implies equivalence-based secrecy for digital signatures, symmetric and asymmetric encryption provided that the primitives are probabilistic. For active adversaries, we provide sufficient (and rather tight) conditions on the protocol for this implication to hold. Comment: 29 pages, published in LMC

    Quantum and random walks as universal generators of probability distributions

    Quantum walks and random walks bear similarities and divergences. One of the most remarkable disparities affects the probability of finding the particle at a given location: typically, almost a flat function in the first case and a bell-shaped one in the second case. Here I show how one can impose any desired stochastic behavior (compatible with the continuity equation for the probability function) on both systems by the appropriate choice of time- and site-dependent coins. This implies, in particular, that one can devise quantum walks that show diffusive spreading without losing coherence, as well as random walks that exhibit the characteristic fast propagation of a quantum particle driven by a Hadamard coin. Comment: 8 pages, 2 figures; revised and enlarged versio

    On Invariant Notions of Segre Varieties in Binary Projective Spaces

    Invariant notions of a class of Segre varieties \Segrem(2) of PG(2^m - 1, 2) that are direct products of $m$ copies of PG(1, 2), $m$ being any positive integer, are established and studied. We first demonstrate that there exists a hyperbolic quadric that contains \Segrem(2) and is invariant under its projective stabiliser group \Stab{m}{2}. By embedding PG(2^m - 1, 2) into \PG(2^m - 1, 4), a basis of the latter space is constructed that is invariant under \Stab{m}{2} as well. Such a basis can be split into two subsets whose spans are either real or complex-conjugate subspaces according as $m$ is even or odd. In the latter case, these spans can, in addition, be viewed as indicator sets of a \Stab{m}{2}-invariant geometric spread of lines of PG(2^m - 1, 2). This spread is also related with a \Stab{m}{2}-invariant non-singular Hermitian variety. The case $m=3$ is examined in detail to illustrate the theory. Here, the lines of the invariant spread are found to fall into four distinct orbits under \Stab{3}{2}, while the points of PG(7, 2) form five orbits. Comment: 18 pages, 1 figure; v2 - version accepted in Designs, Codes and Cryptograph