Elementary Deduction Problem for Locally Stable Theories with Normal Forms
Mauricio Ayala-Rincón, Maribel Fernández, Daniele Nantes-Sobrinho

D. Kesner and P. Viana (Eds.): LSFA 2012, EPTCS 113, 2013, pp. 45–60, doi:10.4204/EPTCS.113.7. © M. Ayala-Rincón, M. Fernández & D. Nantes-Sobrinho. This work is licensed under the Creative Commons Attribution License.

Mauricio Ayala-Rincón (partially supported by CNPq): Departamentos de Matemática e Computação, Grupo de Teoria da Computação, Universidade de Brasília, Brazil. [email protected]
Maribel Fernández: Department of Informatics, King's College London, UK. [email protected]
Daniele Nantes-Sobrinho (corresponding author; supported by CNPq): Departamento de Matemática, Grupo de Teoria da Computação, Universidade de Brasília, Brazil. [email protected]

Work supported by grants from the CNPq/CAPES Science without Borders programme and FAPDF PRONEX.

We present an algorithm to decide the intruder deduction problem (IDP) for a class of locally stable theories enriched with normal forms. Our result relies on a new and efficient algorithm to solve a restricted case of higher-order associative-commutative matching, obtained by combining the Distinct Occurrences of AC-matching algorithm and a standard algorithm to solve systems of linear Diophantine equations. A translation between natural deduction and sequent calculus allows us to use the same approach to decide the elementary deduction problem for locally stable theories. As an application, we model the theory of blind signatures and derive an algorithm to decide IDP in this context, extending previous decidability results.

Introduction

There are different approaches to model cryptographic protocols and to analyse their security properties [17]. One technique consists of proving that an attack requires solving an algorithmically hard problem; another consists of using a process calculus, such as the spi-calculus [3], to represent the operations performed by the participants and the attacker. In recent years, the deductive approach of Dolev and Yao [20], which abstracts from algorithmic details and models an attacker by a deduction system, has successfully shown the existence of flaws in well-known protocols. A deduction system under the Dolev-Yao approach specifies how the attacker can obtain new information from previous knowledge, obtained either by eavesdropping on the communication between honest protocol participants (in the case of a passive attacker), or by eavesdropping and fraudulently emitting messages (in the case of an active attacker). The intruder deduction problem (IDP) is the question of whether a passive eavesdropper can obtain a certain piece of information from the messages observed on the network.

Abadi and Cortier's approach [1] proposes conditions for analysing message deducibility and indistinguishability relations for security protocols modelled in the applied pi-calculus [2]. In particular, [1] shows that IDP is decidable for locally stable theories. However, to ensure the soundness of this approach, the definition of locally stable theories given in [1] needs to be modified (as confirmed via personal communication with the second author of [1]). In this work, we made the necessary modifications and propose a new approach to solve IDP in the context of locally stable theories.

The new approach we propose in order to prove the decidability of IDP is based on an algorithm to solve a restricted case of higher-order associative-commutative matching (AC-matching). To design this algorithm we use well-known results for solving systems of linear Diophantine equations (SLDE) [12, 15, 22, 27], which we combine with a polynomial algorithm to solve the DO-ACM problem (Distinct Occurrences of AC-Matching) [8]. In the case where the signature of the equational theory contains, for each AC function symbol $\oplus$, its corresponding inverse $i_\oplus$, we obtain a decidability result which is polynomial in the size of the saturated set (built from the initial knowledge of the intruder). Thanks to the use of the algorithm for solving SLDE over $\mathbb{Z}$, we avoid an exponential-time search over the solution space in the case of AC symbols (improving over [1], where an exponential number of possible combinations has to be considered). For more details we refer the reader to the extended version of this paper [5].

After introducing the class of locally stable theories and proving the decidability of the IDP for protocols in this class, we show that the Elementary Deduction Problem (EDP) introduced in [29] is also decidable in polynomial time with respect to the size of a saturated set of terms. EDP is stated as follows: given a set $\Gamma$ of messages and a message $M$, is there an $E$-context $C[\ldots]$ and messages $M_1, \ldots, M_k \in \Gamma$ such that $C[M_1, \ldots, M_k] \approx_E M$? Here, $E$ is the equational theory modelling the protocol. We use this approach to model theories with blind signatures.
As an application, using a previous result that links the decidability of the EDP to the decidability of the IDP when the theory $E$ satisfies certain conditions, we obtain decidability of IDP for a subclass of locally stable theories combined with the theory $B$ of blind signatures. In this way, we generalise a result from [1] (Section 5.2.4): it is not necessary to prove that the combination of the theories $E$ and $B$ is locally stable.

Related Work. The analysis of cryptographic protocols has attracted a lot of attention in the last years and several tools are available to try to identify possible attacks; see Maude-NPA [21], ProVerif [10], CryptoVerif [11], Avispa [4], Yapa [7]. Sequent calculus formulations of Dolev-Yao intruders [28] have been used in a formulation of open bisimulation for the spi-calculus. In [29], deductive techniques for dealing with a protocol with blind signatures in mutually disjoint AC-convergent equational theories, each containing a unique AC operator, are considered. As an alternative approach, the intruder's deduction capability is modelled inside a sequent calculus modulo a rewriting system, following the approach of [9]. Then, the IDP is reduced in polynomial time to EDP. By combining the techniques in [29] and [13], the IDP formulation for an Electronic Purse Protocol with blind signatures was proved to reduce in polynomial time to EDP for an AC-convergent theory containing three different AC operators and rules for exponentiation [26], extending the previous results. However, no algorithm was provided to decide EDP. More precisely, assuming that EDP is solved in time $O(f(n))$, it was proved that IDP reduces polynomially to EDP with complexity $O(n^k \times f(n))$, for some constant $k$. Thus, whenever the former problem is polynomial, the IDP is also polynomial.

Contributions. We present a technique to decide EDP or IDP in AC-convergent equational theories. Our approach is based on a "local stability" property inspired by [1], instead of proving that the deduction rules are "local" in the sense of [25], as done in many previous works [13, 16, 19, 24]. More precisely, the main contributions of this paper are:

• We adapt and refine the technique proposed in [1], where deducibility and indistinguishability relations are claimed to be decidable in polynomial time for locally stable theories. First, we changed the definition of locally stable theories, adding normal forms, which are needed to carry out the decidability proofs (with this simple modification, the correctness proof in [1] can also be carried out, fixing a gap in Lemma 11). Second, we designed a new algorithm to decide IDP in locally stable theories. The algorithm provided in [1] is polynomial for the class of subterm theories (Proposition 10 in [1]), but the proof does not extend directly to locally stable theories (despite the statement in Proposition 16). Our algorithm relies on solving a restricted case of the higher-order AC-matching problem that is used to decide the deduction relation. It is a combination of two standard algorithms: one for solving the DO-ACM problem [8], which has a polynomial bound in our case; and one for solving systems of linear Diophantine equations (SLDE), which is polynomial over $\mathbb{Z}$ [12, 15, 22, 27]. Using this algorithm we prove that IDP is decidable in polynomial time with respect to the saturated set of terms, for locally stable theories with inverses.

• A decidability result for the EDP for locally stable theories, which extends the work of Tiu and Goré [29]. As an application, we present a strategy to decide IDP for locally stable theories combined with blind signatures.
Here, the combination of theories does not need to be locally stable.

In order to get the polynomial decidability result claimed in [1] for locally stable theories, we had to restrict to theories that contain, for each AC symbol in the signature, the corresponding inverse. The inverses are necessary when we interpret our term algebra inside the integers $\mathbb{Z}$ to solve SLDE (terms headed by the inverse function will be seen as negative integers). If the theory does not contain inverses, we would have to solve the SLDE over $\mathbb{N}$, which is a well-known NP-complete problem.

Standard rewriting notation and notions are used (e.g. [6]). We assume the following sets: a countably infinite set $\mathcal{N}$ of names (we use $a, b, c, m$ to denote names); a countably infinite set $\mathcal{X}$ of variables (we use $x, y, z$ to denote variables); and a finite signature $\Sigma$, consisting of function names and their arities. We write $\mathit{arity}(f)$ for the arity of a function $f$, and let $\mathit{ar}(\Sigma)$ be the maximal arity of a function symbol in $\Sigma$. The set of terms is generated by the following grammar:

$$M, N := a \mid x \mid f(M_1, \ldots, M_n)$$

where $f$ ranges over the function symbols of $\Sigma$ and $n$ matches the arity of $f$, $a$ denotes a name in $\mathcal{N}$ (representing principal names, nonces, keys, constants involved in the protocol, etc.) and $x$ a variable. We denote by $V(M)$ the set of variables occurring in $M$. A message $M$ is ground if $V(M) = \emptyset$. The size $|M|$ of a term $M$ is defined by $|u| = 1$, if $u$ is a name or a variable; and $|f(M_1, \ldots, M_n)| = 1 + \sum_{i=1}^{n} |M_i|$. The set of positions of a term $M$, denoted by $\mathit{Pos}(M)$, is defined by $\mathit{Pos}(M) := \{\varepsilon\}$, if $M$ is a name or a variable; and $\mathit{Pos}(M) := \{\varepsilon\} \cup \bigcup_{i=1}^{n} \{\, ip \mid p \in \mathit{Pos}(M_i) \,\}$, if $M = f(M_1, \ldots, M_n)$ where $f \in \Sigma$. The position $\varepsilon$ is called the root position. The size $|M|$ coincides with the cardinality of $\mathit{Pos}(M)$. The set of subterms of $M$ is defined as $\mathit{st}(M) = \{\, M|_p \mid p \in \mathit{Pos}(M) \,\}$, where $M|_p$ denotes the subterm of $M$ at position $p$. For a set $\Gamma$ of terms, the notion of subterm is extended as usual: $\mathit{st}(\Gamma) := \bigcup_{M \in \Gamma} \mathit{st}(M)$. For $p \in \mathit{Pos}(M)$, we denote by $M[t]_p$ the term obtained from $M$ by replacing the subterm at position $p$ by $t$.

A term rewriting system (TRS) is a set $R$ of oriented equations over terms in a given signature. For terms $s$ and $t$, $s \to_R t$ denotes that $s$ rewrites to $t$ using an instance of a rewriting rule in $R$. The transitive, reflexive-transitive and equivalence closures of $\to_R$ are denoted by $\to_R^{+}$, $\to_R^{*}$ and $\leftrightarrow_R^{*}$, respectively. The equivalence closure of the rewriting relation, $\leftrightarrow_R^{*}$, is denoted by $\approx_R$. Given a TRS $R$ in which some function symbols are assumed to be AC, and two terms $s$ and $t$, $s \to_{R \cup AC} t$ if there exists $w$ such that $s =_{AC} w$ and $w \to_R t$, where $=_{AC}$ denotes equality modulo AC (according to the AC assumption on function symbols). For every term $s$, the set of normal forms $s{\downarrow}_R$ (closed modulo AC) of $s$ is the set of terms $t$ such that $s \to_{R \cup AC}^{*} t$ and $t$ is irreducible for $\to_{R \cup AC}$. $R$ is said to be AC-convergent whenever it is AC-terminating and AC-confluent.

We equip the signature $\Sigma$ with an equational theory $\approx_E$ induced by a set of $\Sigma$-equations $E$, that is, $\approx_E$ is the smallest equivalence relation that contains $E$ and is closed under substitutions and compatible with $\Sigma$-contexts. An equational theory $\approx_E$ is said to be equivalent to a TRS $R$ whenever $\approx_R = \approx_E$. An equational theory $\approx_E$ is AC-convergent when it has an equivalent rewrite system $R$ which is AC-convergent. In the next sections, given an AC-convergent equational theory $\approx_E$, normal forms of terms are computed with respect to the TRS $R$ associated to $\approx_E$, unless otherwise specified. To simplify the notation we will denote by $E$ the equational theory induced by the set of $\Sigma$-equations $E$. We will denote by $\Sigma_E$ the signature used in the set of equations $E$. The size $c_E$ of an equational theory $E$ with an associated TRS $R$ consisting of the rules $\bigcup_{i=1}^{k} \{ l_i \to r_i \}$ is defined as $c_E = \max_{1 \le i \le k} \{\, |l_i|, |r_i|, \mathit{ar}(\Sigma) + 1 \,\}$. For $R = \emptyset$, define $c_E = \mathit{ar}(\Sigma) + 1$.

Let $\square$ be a new symbol which does not yet occur in $\Sigma \cup \mathcal{X}$. A $\Sigma$-context is a term $t \in T(\Sigma, \mathcal{X} \cup \{\square\})$ and can be seen as a term with "holes", represented by $\square$, in it. Contexts are denoted by $C$. If $\{p_1, \ldots, p_n\} = \{\, p \in \mathit{Pos}(C) \mid C|_p = \square \,\}$, where $p_i$ is to the left of $p_{i+1}$ in the tree representation of $C$, then $C[T_1, \ldots, T_n] := C[T_1]_{p_1} \ldots [T_n]_{p_n}$. In what follows a context formed using only function symbols in $\Sigma_E$ will be called an $E$-context, to emphasize the equational theory $E$. A term $M$ is said to be an $E$-alien if $M$ is headed by a symbol $f \notin \Sigma_E$ or is a private name/constant. We write $M == N$ to denote syntactic equality of ground terms.

In the rest of the paper, we use signatures, terms and equational theories to model protocols. Messages exchanged between participants of a protocol during its execution are represented by terms. Equational theories and rewriting systems are used to model the cryptographic primitives in the protocol and the algebraic capabilities of an intruder.
Given a set $\Gamma$ that represents the information available to an attacker, we may ask whether a given ground term $M$ may be deduced from $\Gamma$ using equational reasoning. This relation is written $\Gamma \vdash M$ and axiomatised in a natural-deduction-like system of inference rules.

Table 1: System N, a natural deduction system for intruder equational deduction

$$\frac{M \in \Gamma}{\Gamma \vdash M}\ (id) \qquad \frac{\Gamma \vdash M_1 \quad \cdots \quad \Gamma \vdash M_n}{\Gamma \vdash f(M_1, \ldots, M_n)}\ (f_I),\ f \in \Sigma_E \qquad \frac{\Gamma \vdash N}{\Gamma \vdash M}\ (\approx),\ M \approx_E N$$

Let $\oplus$ be an arbitrary function symbol in $\Sigma_E$ for an equational theory $E$. We write $a \cdot_\oplus M$ for the term $M \oplus \cdots \oplus M$, $a$ times ($a \in \mathbb{N}$). Given a set $S$ of terms, we write $\mathit{sum}_\oplus(S)$ for the set of arbitrary sums of terms in $S$, closed modulo AC:

$$\mathit{sum}_\oplus(S) = \{\, (a_1 \cdot_\oplus T_1) \oplus \cdots \oplus (a_n \cdot_\oplus T_n) \mid a_i \ge 1,\ T_i \in S \,\}$$

Define $\mathit{sum}(S) = \bigcup_{i=1}^{k} \mathit{sum}_{\oplus_i}(S)$, where $\oplus_1, \ldots, \oplus_k$ are the AC symbols of the theory.

For a rule $l \to r \in R$ and a substitution $\theta$ such that
• either there exists a term $s_1$ such that $s =_{AC} s_1$, $s_1 =_{AC} l\theta$ and $t = r\theta$;
• or there exist terms $s_1$ and $s_2$ such that $s =_{AC} s_1 \oplus s_2$, $s_1 =_{AC} l\theta$ and $t =_{AC} r\theta \oplus s_2$,
we write $s \xrightarrow{h} t$ and say that the reduction occurs in the head.

As in [1], we associate with each set $\Gamma$ of messages a set of subterms in $\Gamma$ that may be deduced from $\Gamma$ by applying only "small" contexts. The concept of small is arbitrary: in the definition below, we have bounded the size of an $E$-context $C$ by $c_E$ and the size of $C'$ by $c_E$, but other bounds may be suitable. Notice that limiting the size of an $E$-context by $c_E$ makes the context big enough to be an instance of any of the rules in the TRS $R$ associated to $E$.

Definition 1 (Locally Stable). An AC-convergent equational theory $E$ is locally stable if, for every finite set $\Gamma = \{M_1, \ldots, M_n\}$, where the terms $M_i$ are ground and in normal form, there exists a finite and computable set $\mathit{sat}(\Gamma)$, closed modulo AC, such that
1. $M_1, \ldots, M_n \in \mathit{sat}(\Gamma)$;
2. if $M_1, \ldots, M_k \in \mathit{sat}(\Gamma)$ and $f(M_1, \ldots, M_k) \in \mathit{st}(\mathit{sat}(\Gamma))$ then $f(M_1, \ldots, M_k) \in \mathit{sat}(\Gamma)$, for $f \in \Sigma_E$;
3. if $C[S_1, \ldots, S_l] \xrightarrow{h} M$, where $C$ is an $E$-context such that $|C| \le c_E$, and $S_1, \ldots, S_l \in \mathit{sum}_\oplus(\mathit{sat}(\Gamma))$, for some AC symbol $\oplus$, then there exist an $E$-context $C'$, a term $M'$, and terms $S'_1, \ldots, S'_k \in \mathit{sum}_\oplus(\mathit{sat}(\Gamma))$, such that $|C'| \le c_E$ and $M \to_{R \cup AC}^{*} M' =_{AC} C'[S'_1, \ldots, S'_k]$;
4. if $M \in \mathit{sat}(\Gamma)$ then $M{\downarrow} \in \mathit{sat}(\Gamma)$;
5. if $M \in \mathit{sat}(\Gamma)$ then $\Gamma \vdash M$.

Notice that the set $\mathit{sat}(\Gamma)$ may not be unique. Any set $\mathit{sat}(\Gamma)$ satisfying the five conditions is adequate for the results.

Remark 1. The addition of rule 4 in Definition 1 is necessary to prove case 1(b) of Lemma 1, where the rewriting reduction occurs in a term $M_i \in \mathit{sat}(\Gamma)$ at a position different from the "head". Normal forms are strictly necessary in the set $\mathit{sat}(\Gamma)$: they are essential to lift the applications of rewriting rules in the head of "small" contexts to applications of rewriting rules at arbitrary positions of "small" contexts. With this additional condition, Lemma 11 in [1] can also be proved. This fact was confirmed via personal communication with the second author of [1].

Lemma 1. Let $E$ be a locally stable theory and $\Gamma = \{M_1, \ldots, M_n\}$ a set of ground terms in normal form. For every $E$-context $C$, for every $M_i \in \mathit{sat}(\Gamma)$, for every term $T$ such that $C[M_1, \ldots, M_k] \to_{R \cup AC} T$, there exist an $E$-context $C_1$ and terms $M'_i \in \mathit{sat}(\Gamma)$ such that $T \to_{R \cup AC}^{*} C_1[M'_1, \ldots, M'_l]$.

Proof. Suppose that $C[M_1, \ldots, M_k] \to_{R \cup AC} T$, for an $E$-context $C$ and $M_i \in \mathit{sat}(\Gamma)$. The proof is divided in two cases:
1. The reduction happens inside one of the terms $M_i$:
 (a) if $M_i \xrightarrow{h} M'_i$ then by definition of $\mathit{sat}(\Gamma)$ (since $E$ is locally stable), there exists an $E$-context $C_2$ such that $|C_2| \le c_E$ and $M'_i \to^{*} C_2[S_1, \ldots, S_l]$ where $S_j \in \mathit{sum}_\oplus(\mathit{sat}(\Gamma))$. Each $S_j \in \mathit{sum}_\oplus(\mathit{sat}(\Gamma))$ is of the form $S_j = (a_1 \cdot_\oplus M_{j1}) \oplus \cdots \oplus (a_n \cdot_\oplus M_{jn})$, for $M_{jk} \in \mathit{sat}(\Gamma)$. That is, $S_j = C_j[M_{j1}, \ldots, M_{jk}]$, for $1 \le j \le l$. Therefore,
 $$C[M_1, \ldots, M_i, \ldots, M_k] \xrightarrow{h} C[M_1, \ldots, M'_i, \ldots, M_k] \to_{AC}^{*} C[M_1, \ldots, C_2[S_1, \ldots, S_l], \ldots, M_k] =_{AC} C_1[M''_1, \ldots, M''_s], \quad (1)$$
 where $M''_t \in \mathit{sat}(\Gamma)$, for $1 \le t \le s$.
 (b) if $M_i \to_{AC} M'_i$ at a position different from the "head", then $C[M_1, \ldots, M_i, \ldots, M_k] \to C[M_1, \ldots, M'_i, \ldots, M_k] \to_{AC}^{*} C[M_1, \ldots, M_i{\downarrow}, \ldots, M_k]$. By case 4 in Definition 1, $M_i{\downarrow} \in \mathit{sat}(\Gamma)$.
2. The case where the reduction does not occur inside the terms $M_i$: this case is very technical and will be omitted here. The complete proof can be found in the extended version of this paper.

As a consequence we obtain the following corollary:

Corollary 1 ([1]). Let $E$ be a locally stable theory. Let $\Gamma = \{M_1, \ldots, M_n\}$ be a set of ground terms in normal form. For every $E$-context $C$, for every $M'_i \in \mathit{sat}(\Gamma)$, for every $T$ in normal form such that $C[M'_1, \ldots, M'_k] \to_{R \cup AC}^{*} T$, there exist an $E$-context $C_1$ and terms $M''_j \in \mathit{sat}(\Gamma)$ such that $T =_{AC} C_1[M''_1, \ldots, M''_l]$.

Proof. The proof is the same as in [1].

In the following we show that any term $M$ deducible from $\Gamma$ is equal modulo AC to an $E$-context over terms in $\mathit{sat}(\Gamma)$.

Lemma 2 ([1]). Let $E$ be a locally stable theory. Let $\Gamma = \{M_1, \ldots, M_n\}$ be a finite set of ground terms in normal form, and $M$ be a ground term in normal form. Then $\Gamma \vdash M$ if and only if there exist an $E$-context $C$ and terms $M'_1, \ldots, M'_k \in \mathit{sat}(\Gamma)$ such that $M =_{AC} C[M'_1, \ldots, M'_k]$.

Proof. The proof is the same as in [1].

As a consequence of the previous results, decidability of IDP for locally stable theories is obtained:
Theorem 1.
The Intruder Deduction Problem is decidable for locally stable theories.
In the next section we will provide a complexity bound for the decidability of the intruder deduction problem for a restricted case of locally stable theories.
In order to obtain the polynomial complexity bound of our decidability algorithm we will need to consider the existence of inverses for each AC symbol in the signature of our equational theory. Our algorithm will rely on solving systems of linear Diophantine equations over $\mathbb{Z}$, and the inverses will be interpreted as negative integers.

(*) In the following results, let $E$ be a locally stable theory whose signature $\Sigma_E$ contains, for each AC function symbol $\oplus$, its corresponding inverse $i_\oplus$. That is, the following results are related to equational theories $E$ containing the equation

$$x \oplus i_\oplus(x) = e_\oplus \quad (2)$$

for each AC symbol $\oplus$ in $\Sigma_E$, where $i_\oplus$ is the unary function symbol representing the inverse of $\oplus$ and $e_\oplus$ is the corresponding neutral element.

Definition 2 (Locally Stable with Inverses). An AC-convergent equational theory $E$ satisfying (*) is locally stable if, for every finite set $\Gamma = \{M_1, \ldots, M_n\}$, where the terms $M_i$ are ground and in normal form, there exists a finite and computable set $\mathit{sat}(\Gamma)$, closed modulo AC, such that
1. $M_1, \ldots, M_n \in \mathit{sat}(\Gamma)$, and $e_\oplus \in \mathit{sat}(\Gamma)$ for each $\oplus \in \Sigma_E$;
2. if $M_1, \ldots, M_k \in \mathit{sat}(\Gamma)$ and $f(M_1, \ldots, M_k) \in \mathit{st}(\mathit{sat}(\Gamma))$ then $f(M_1, \ldots, M_k) \in \mathit{sat}(\Gamma)$, for $f \in \Sigma_E$;
3. if $C[S_1, \ldots, S_l] \xrightarrow{h} M$, where $C$ is an $E$-context such that $|C| \le c_E$, and $S_1, \ldots, S_l \in \mathit{sum}_\oplus(\mathit{sat}(\Gamma))$, for some AC symbol $\oplus$, then there exist an $E$-context $C'$, a term $M'$, and terms $S'_1, \ldots, S'_k \in \mathit{sum}_\oplus(\mathit{sat}(\Gamma))$, such that $|C'| \le c_E$ and $M \to_{R \cup AC}^{*} M' =_{AC} C'[S'_1, \ldots, S'_k]$;
4. if $M \in \mathit{sat}(\Gamma)$ then $M{\downarrow} \in \mathit{sat}(\Gamma)$;
5. if $M \in \mathit{sat}(\Gamma)$ then $i_\oplus(M){\downarrow} \in \mathit{sat}(\Gamma)$ for each AC symbol $\oplus$ in $E$;
6. if $M \in \mathit{sat}(\Gamma)$ then $\Gamma \vdash M$.

Based on a well-founded ordering over the symbols in the language, we prove that a restricted case of higher-order AC-matching ("is there an $E$-context $C$ such that $M =_{AC} C[M_1, \ldots, M_k]$ for some $M_1, \ldots, M_k \in \mathit{sat}(\Gamma)$?") can be solved in polynomial time in $|\mathit{sat}(\Gamma)|$ and $|M|$. This AC-matching problem is solved using the DO-ACM algorithm (Distinct Occurrences of AC-matching) [8], where every variable in the term being matched occurs only once. In addition, we also use a standard polynomial-time algorithm for solving SLDE over $\mathbb{Z}$ [12, 15, 22, 27].

To facilitate the description of the algorithm below we have considered only one AC symbol $\oplus$, whose corresponding inverse will be denoted by $i$. The proof can be extended similarly for theories with multiple AC symbols, each one with its corresponding inverse.

Lemma 3. Let $E$ be a locally stable theory satisfying (*), $\Gamma = \{M_1, \ldots, M_n\}$ a finite set of ground messages in normal form and $M$ a ground term in normal form. Then the question of whether there exist an $E$-context $C$ and $T_1, \ldots, T_k \in \mathit{sat}(\Gamma)$ such that $M =_{AC} C[T_1, \ldots, T_k]$ is decidable in polynomial time in $|M|$ and $|\mathit{sat}(\Gamma)|$.

Proof. Given $\Gamma$, we construct the set $\mathit{sat}(\Gamma) = \{T_1, \ldots, T_s\}$, which is computable and finite by Definition 1. We can then check whether $M \stackrel{?}{=}_{AC} C[T_1, \ldots, T_k]$ for some $E$-context $C$ and terms $T_1, \ldots, T_k \in \mathit{sat}(\Gamma)$ using the following algorithm, which is divided into its main component A), and procedures B) and C) for reducing to linear Diophantine equations and for selecting the $T_i$'s from $\mathit{sat}(\Gamma)$, respectively.

A) Algorithm 1.

1. For all positions $p$ in $M$ headed by $\oplus$, starting from the longest positions in decreasing order (positions seen as sequences), solve the system of linear Diophantine equations (see part B below) for $M|_p$ with $\mathit{sat}(\Gamma) \cup S$, where $S$ is built incrementally from $\mathit{sat}(\Gamma)$, starting with $S = \emptyset$, by including all $M|_p$ that have solutions. In other words: let $P' = \{p_1, \ldots, p_t\}$ be the set of positions of $M$ such that $M|_p$ is headed with $\oplus$, organised in decreasing order. For each $p_j \in P'$ let $M|_{p_j}$ be the subterm of $M$ such that
$$M|_{p_j} = n_{j1} \oplus \cdots \oplus n_{jk_j} \qquad (j = 1, \ldots, t).$$
Recursively find (but suppressing step 1 in this recursive call) solutions for the arguments $n_{ji_1}, \ldots, n_{ji_l}$ of $M|_{p_j}$, with $n_{ji_m} \in \{n_{j1}, \ldots, n_{jk_j}\}$, with respective $E$-contexts $C_{ji_1}, \ldots, C_{ji_l}$ such that $n_{ji_m} = C_{ji_m}[T_1, \ldots, T_{s_{i_m}}]$ where $T_q \in \mathit{sat}(\Gamma) \cup S_{j-1}$, $q = 1, \ldots, s_{i_m}$. Then check satisfiability of the SLDE generated from $M|_{p_j}$ and $\mathit{sat}(\Gamma) \cup S_{j-1} \cup \{n_{ji_1}, \ldots, n_{ji_l}\}$ (see steps B and C). If there is a solution then $S_j := S_{j-1} \cup \{n_{ji_1}, \ldots, n_{ji_l}\} \cup \{M|_{p_j}\}$.

2. Let $S := S_t$. Classify the terms in $\mathit{sat}(\Gamma) \cup S$ by size.

3. For each term $T_i \in \mathit{sat}(\Gamma) \cup S$ (from terms of maximal size to terms of minimal size) check: for each position $q \in \mathit{Pos}(M)$ such that $T_i =_{AC} M|_q$, check whether the path between $T_i$ and the root of $M$ contains a $\oplus$:
 – if NOT, then delete $M|_q$ from $M$ and move to $T_{i+1}$;
 – if YES (there is a $\oplus$), then $M$ has a subterm $N$ such that $N = n_1 \oplus \cdots \oplus n_j[T_i] \oplus \cdots \oplus n_k$ and $N$ cannot be constructed from $\mathit{sat}(\Gamma) \cup S$. Therefore, $M$ cannot be written as an $E$-context with terms from $\mathit{sat}(\Gamma)$.

4. Check whether the remaining part of $M$ still contains $E$-aliens. If it does not, we have found an $E$-context $C$ and terms $M_1, \ldots, M_k \in \mathit{sat}(\Gamma)$ with $M =_{AC} C[M_1, \ldots, M_k]$; otherwise such an $E$-context does not exist.

B) Reduction to linear Diophantine equations.

First, notice that, for each position $p$ such that $M|_p$ is headed with $\oplus$, we have

$$M|_p = a_1 m_1 \oplus \cdots \oplus a_r m_r, \qquad a_j \in \mathbb{N} \quad (3)$$

where $m_j$ is not headed with $\oplus$ and $a_j m_j$ stands for $m_j \oplus \cdots \oplus m_j$ ($a_j$ copies of $m_j$, joined by $a_j - 1$ occurrences of $\oplus$). We want to prove that there are $b_1, \ldots, b_q \in \mathbb{N}$ such that

$$b_1 T_1 \oplus \cdots \oplus b_q T_q =_{AC} M|_p = a_1 m_1 \oplus \cdots \oplus a_r m_r \quad (4)$$

This AC-equality is only possible when $T_i = \gamma_{1i} m_1 \oplus \cdots \oplus \gamma_{ri} m_r$ for each $i$, $1 \le i \le q \le s$, and $\gamma_{ji} \in \mathbb{N}$. That is, $b_1 T_1 \oplus \cdots \oplus b_q T_q =_{AC} a_1 m_1 \oplus \cdots \oplus a_r m_r$ if and only if

$$b_1(\gamma_{11} m_1 \oplus \cdots \oplus \gamma_{r1} m_r) \oplus b_2(\gamma_{12} m_1 \oplus \cdots \oplus \gamma_{r2} m_r) \oplus \cdots \oplus b_q(\gamma_{1q} m_1 \oplus \cdots \oplus \gamma_{rq} m_r) = a_1 m_1 \oplus \cdots \oplus a_r m_r \quad (5)$$

if and only if

$$(\gamma_{11} b_1 \oplus \gamma_{12} b_2 \oplus \cdots \oplus \gamma_{1q} b_q)\, m_1 \oplus (\gamma_{21} b_1 \oplus \gamma_{22} b_2 \oplus \cdots \oplus \gamma_{2q} b_q)\, m_2 \oplus \cdots \oplus (\gamma_{r1} b_1 \oplus \gamma_{r2} b_2 \oplus \cdots \oplus \gamma_{rq} b_q)\, m_r = a_1 m_1 \oplus \cdots \oplus a_r m_r \quad (6)$$

if and only if

$$\mathcal{S} = \begin{cases} \gamma_{11} b_1 + \gamma_{12} b_2 + \cdots + \gamma_{1q} b_q = a_1 \\ \gamma_{21} b_1 + \gamma_{22} b_2 + \cdots + \gamma_{2q} b_q = a_2 \\ \quad \vdots \\ \gamma_{r1} b_1 + \gamma_{r2} b_2 + \cdots + \gamma_{rq} b_q = a_r \end{cases} \quad (7)$$

where $\mathcal{S}$ is a system of linear Diophantine equations over $\mathbb{Z}$, which can be solved in polynomial time [12, 15, 22, 27].

Remark 2. We will interpret equations (3) and (4) inside integer arithmetic. If there exists an index $j$ such that $m_j = i(m'_j)$ and $m'_j$ is not headed with $i$, then $a_j m_j = a_j\,(i(m'_j))$ and we will take it as $(-a_j)\, m'_j$. Therefore, we can take $a_j \in \mathbb{Z}$, for all $j$. We can use the same reasoning to conclude that $b_j \in \mathbb{Z}$, for all $1 \le j \le q$, and $\gamma_{ji} \in \mathbb{Z}$, for all $i$ and $j$.

C) Selecting the $T_i$'s from $\mathit{sat}(\Gamma)$.

For each $T_i \in \mathit{sat}(\Gamma)$, $1 \le i \le s$, we want to check if $T_i = \gamma_{1i} m_1 \oplus \cdots \oplus \gamma_{ri} m_r$.

Algorithm 2: For each $T_i \in \mathit{sat}(\Gamma)$, $1 \le i \le s$, solve the equation $T_i \oplus x_i =_{AC} a_1 m_1 \oplus \cdots \oplus a_r m_r$, where $x_i$ is a fresh variable. Since the $T_i$'s and $M$ are ground terms, this equation can be seen as an instance of the DO-ACM matching problem, which can be solved in time $O(|T_i \oplus x_i| \cdot |M|_p|)$ [8]. If there exists $T_i \in \mathit{sat}(\Gamma)$ such that $T_i = \gamma^{*}_{1i} m_1 \oplus \cdots \oplus \gamma^{*}_{ri} m_r \oplus u$, where $u$ is not empty, $\gamma^{*}_{ji} \in \mathbb{N}$, and Algorithm 2 can no longer be applied, then $T_i$ will not be selected.

Notice that each step of the algorithm can be done in polynomial time in $|M|$ and $|\mathit{sat}(\Gamma)|$. Therefore, the whole procedure is polynomial in $|M|$ and $|\mathit{sat}(\Gamma)|$.

Remark 3. For the proof we can adopt an ordering in which, for instance, variables are smaller than constants, constants are smaller than function symbols, and function symbols are also ordered, but other suitable orders can be used. Terms are compared by the associated lexicographical ordering built from this ordering on symbols.
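As an added illustration (not code from the paper), the following Python carries out parts B) and C) of the proof of Lemma 3 under the integer interpretation of Remark 2, for the Abelian-group theory of Example 1 below: a $\oplus$-headed term is flattened into an integer coefficient vector over its $\oplus$-free atoms (an inverse counts negatively), each candidate $T_i$ contributes a column $(\gamma_{1i}, \ldots, \gamma_{ri})$ of system (7), and solvability over $\mathbb{Z}$ is decided by unimodular column reduction with the Euclidean algorithm. It goes one step beyond step C: an atom that occurs in a candidate but not in $M|_p$ gets a row with right-hand side 0 instead of disqualifying the candidate, which over $\mathbb{Z}$ lets inverses cancel it. The term encoding, the function names and the sample knowledge set are this example's own constructions.

```python
"""SLDE reduction for AC-matching with inverses (Lemma 3, parts B and C,
with the integer reading of Remark 2), for the Abelian-group theory of
Example 1.  Added example, not the paper's code.  Constructed encoding:
a string is a name, '0' is the neutral element, ('i', t) is the inverse
and ('+', t1, ..., tn) is an n-ary AC sum."""

ZERO = '0'


def coeffs(term, sign=1, acc=None):
    """Interpret a term as an integer vector over its +-free atoms: a name
    counts +1, i(m) counts -1 on m (so i(i(x)) = x and i(x + y) = i(x) + i(y)
    fall out of the sign flip), and the neutral element contributes nothing."""
    if acc is None:
        acc = {}
    if isinstance(term, str):
        if term != ZERO:
            acc[term] = acc.get(term, 0) + sign
    elif term[0] == 'i':
        coeffs(term[1], -sign, acc)
    elif term[0] == '+':
        for arg in term[1:]:
            coeffs(arg, sign, acc)
    else:
        raise ValueError(f"unknown term shape: {term!r}")
    return {m: c for m, c in acc.items() if c != 0}


def solvable_over_Z(rows, target):
    """Decide whether rows . b = target has a solution b in Z^q.
    rows[j] = (gamma_j1, ..., gamma_jq) are the coefficients of atom m_j in
    the candidates T_1..T_q and target[j] = a_j, exactly system (7).
    Unimodular column operations (Euclid on pairs of columns) bring the
    matrix to echelon form without changing solvability; the triangular
    system is then solved forward with divisibility checks."""
    A = [list(r) for r in rows]
    r = len(A)
    q = len(A[0]) if r else 0
    pivot_col = {}  # row index -> column holding that row's pivot
    col = 0
    for i in range(r):
        if col >= q:
            break
        for j in range(col + 1, q):
            # Euclid on columns col and j, driven by the entries of row i
            while A[i][j] != 0:
                if A[i][col] == 0 or abs(A[i][col]) > abs(A[i][j]):
                    for k in range(r):
                        A[k][col], A[k][j] = A[k][j], A[k][col]
                    continue
                f = A[i][j] // A[i][col]
                for k in range(r):
                    A[k][j] -= f * A[k][col]
        if A[i][col] != 0:
            pivot_col[i] = col
            col += 1
    y = [0] * q  # unknowns without a pivot are free; leave them at 0
    for i in range(r):
        c = pivot_col.get(i)
        residual = target[i] - sum(A[i][j] * y[j] for j in range(q) if j != c)
        if c is None:
            if residual != 0:  # the row reduced to 0 = residual
                return False
        elif residual % A[i][c] != 0:  # pivot must divide the residual
            return False
        else:
            y[c] = residual // A[i][c]
    return True


def matchable_sum(M, candidates):
    """Equation (4): is M =_AC b_1 T_1 + ... + b_q T_q for integers b_i and
    candidates T_i taken from sat(Gamma)?  One row per atom, one column per
    candidate; atoms absent from M get right-hand side 0 and must cancel."""
    a = coeffs(M)
    gs = [g for g in (coeffs(T) for T in candidates) if g]  # drop T =_E 0
    atoms = sorted(set(a).union(*gs))
    rows = [[g.get(m, 0) for g in gs] for m in atoms]
    target = [a.get(m, 0) for m in atoms]
    return solvable_over_Z(rows, target)


if __name__ == "__main__":
    # Constructed knowledge set (ground, in normal form): a + b and b + c.
    sat_gamma = [('+', 'a', 'b'), ('+', 'b', 'c')]
    # a + i(c) = (a + b) + i(b + c): the atom b cancels, so (7) is solvable.
    print(matchable_sum(('+', 'a', ('i', 'c')), sat_gamma))  # True
    # a + c needs b_1 = b_2 = 1 on a and c but b_1 + b_2 = 0 on b: unsolvable.
    print(matchable_sum(('+', 'a', 'c'), sat_gamma))         # False
    # Divisibility matters: a is not an integer multiple of a + a.
    print(matchable_sum('a', [('+', 'a', 'a')]))             # False
```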
Example 1 (Finite Abelian Groups). We consider the theory of Abelian Groups where the signature is $\Sigma_{AG} = \{+, 0, i\}$, for $i$ the inverse function and $+$ the AC group operator. The equational theory $E_{AG}$ is:

$$E_{AG} = \begin{cases} x + (y + z) = (x + y) + z \\ x + y = y + x \\ i(x + y) = i(y) + i(x) \\ x + 0 = x \\ x + i(x) = 0 \\ i(i(x)) = x \\ i(0) = 0 \end{cases}$$

We define $R_{AG}$ by orienting the equations from left to right (excluding the equations for associativity and commutativity). $R_{AG}$ is AC-convergent. The size $c_{E_{AG}}$ of the theory is at least 5. In the following we prove that $E_{AG}$ is locally stable with inverses for finite models, i.e., we define a set $\mathit{sat}(\Gamma)$ satisfying the properties in Definition 1. For a given set $\Gamma = \{M_1, \ldots, M_k\}$ of ground terms in normal form, $\mathit{sat}(\Gamma)$ is the smallest set such that:
1. $M_1, \ldots, M_k \in \mathit{sat}(\Gamma)$;
2. if $M_1, \ldots, M_k \in \mathit{sat}(\Gamma)$ and $f(M_1, \ldots, M_k) \in \mathit{st}(\mathit{sat}(\Gamma))$ then $f(M_1, \ldots, M_k) \in \mathit{sat}(\Gamma)$, for $f \in \Sigma_{AG}$;
3. if $M_i, M_j \in \mathit{sat}(\Gamma)$ and $M_i + M_j \xrightarrow{h} M$ via the rule $x + i(x) \to 0$ then $M{\downarrow} \in \mathit{sat}(\Gamma)$;
4. if $M_j \in \mathit{sat}(\Gamma)$ then $i(M_j){\downarrow} \in \mathit{sat}(\Gamma)$;
5. if $M_i =_{AC} M_j$ and $M_i \in \mathit{sat}(\Gamma)$ then $M_j \in \mathit{sat}(\Gamma)$.

The set $\mathit{sat}(\Gamma)$ defined for finite Abelian Groups is finite.

Although it was said in [1] that the theory of Abelian Groups is locally stable, no proof of this fact was found in the literature. With the proviso that the Abelian Group under consideration is finite, we have demonstrated that $|\mathit{sat}(\Gamma)|$ is exponential in the size $|\Gamma|$.

These results give rise to the decidability of deduction for locally stable theories. Notice that polynomiality in $|\mathit{sat}(\Gamma)|$ relies on the use of the AC-matching algorithm proposed in Lemma 3. Unlike [1], we do not need to compute the congruence class modulo AC of $M$ (which may be exponential). This gives us a slightly different version of the decidability theorem:

Theorem 2. Let $E$ be a locally stable theory satisfying (*). If $\Gamma = \{M_1, \ldots, M_n\}$ is a finite set of ground terms in normal form and $M$ is a ground term in normal form, then $\Gamma \vdash M$ is decidable in polynomial time in $|M|$ and $|\mathit{sat}(\Gamma)|$.

Proof. The result follows directly from Lemmas 3 and 2.

In the following example we consider the pure AC theory, which can be proven to be locally stable but does not contain the inverse of its AC symbol.

Example 2 (Pure AC Theory). $\Sigma_{AC}$ contains only constant symbols and the AC symbol $\oplus$, and the equational theory contains only the AC equations for $\oplus$:

$$AC = \{\, x \oplus y = y \oplus x,\quad x \oplus (y \oplus z) = (x \oplus y) \oplus z \,\}$$

In this case, $E = AC$ and $R = \emptyset$ is the AC-convergent TRS associated to $E$. Let $\Gamma = \{M_1, \ldots, M_k\}$ be a finite set of ground terms in normal form. Let us define $\mathit{sat}(\Gamma)$ for the pure AC theory as the smallest set such that
1. $M_1, \ldots, M_k \in \mathit{sat}(\Gamma)$;
2. if $M_i, M_j \in \mathit{sat}(\Gamma)$ and $M_i \oplus M_j \in \mathit{st}(\mathit{sat}(\Gamma))$ then $M_i \oplus M_j \in \mathit{sat}(\Gamma)$;
3. if $M_i =_{AC} M_j$ and $M_i \in \mathit{sat}(\Gamma)$ then $M_j \in \mathit{sat}(\Gamma)$.

The set $\mathit{sat}(\Gamma)$ is finite since we add only terms whose size is smaller than or equal to the maximal size of the terms in $\Gamma$. It is easy to see that the set $\mathit{sat}(\Gamma)$ satisfies conditions 1, 2, 4 and 5 of Definition 1. Since $R = \emptyset$ it follows that condition 3 is also satisfied. Therefore, AC is locally stable.

The size of $\mathit{sat}(\Gamma)$:
• Steps 1 and 2: only subterms in $\mathit{sat}(\Gamma)$ are added.
• Step 3: for each $M_i \in \mathit{sat}(\Gamma)$ add $M_j =_{AC} M_i$ to $\mathit{sat}(\Gamma)$. Notice that the number of terms added to $\mathit{sat}(\Gamma)$, in this case, depends on the number of occurrences of $\oplus$ in $M_i$. Suppose that $M_i$ contains $n$ occurrences of $\oplus$: $M_i = M_{i1} \oplus \cdots \oplus M_{i(n+1)}$. There are $(n+1)!$ terms $M_j$ such that $M_i =_{AC} M_j$. Suppose that each $M_i$ in $\Gamma$ contains $n_i$ occurrences of $\oplus$. Then $|M_i| = \sum_{j=1}^{n_i + 1} |M_{ij}| + n_i$. Let $n = \max_{1 \le i \le k} \{ n_i \}$. There exists an index $r$ such that $M_r$ contains $n_r = n$ occurrences of $\oplus$. Since $|\Gamma| = \sum_{i=1}^{k} |M_i|$ it follows that $n \le |M_r| - \sum_{j=1}^{n+1} |M_{rj}| \le |\Gamma|$. Then the number of terms added in step 3 is $\sum_{i=1}^{k} (n_i + 1)! \le (n+1)! \cdot k \le (|\Gamma| + 1)! \cdot k$.

Remark 4.
In this case one can adapt Lemma 3 such that the algorithm would rely on solving systemsof linear Diophantine equations over N which is NP-complete [27]. Therefore, the complexity of IDP forpure AC would be exponential, agreeing with previous results [23]. To establish necessary concepts for the next results, we recall the well-known translation between naturaldeduction and sequent calculus systems to model the IDP as a proof search in sequent calculus, whoseproperties (such as cut or subformula) facilitate the study of decidability of deductive systems. For anAC-convergent equational theory E, the System N in Table 1 is equivalent to the ( id ) -rule of the sequentcalculus (Table 2) introduced in [29]: M ≈ E C [ M ,..., M k ] C[ ] an E-context, and M , . . . , M k ∈ G ( id ) G ⊢ M Consequently, IDP for System N is equivalent to the Elementary Deduction Problem : Definition 3.
Given an AC-convergent equational theory $E$ and a sequent $G \vdash M$, ground and in normal form, the elementary deduction problem (EDP) for $E$, written $G \Vdash_E M$, is the problem of deciding whether the $(id)$-rule is applicable to $G \vdash M$.

Theorem 3.
Let $E$ be a locally stable equational theory satisfying (*). Let $G \vdash M$ be a ground sequent in normal form. The elementary deduction problem for the theory $E$ ($G \Vdash_E M$) is decidable in polynomial time in $|sat(G)|$ and $|M|$.

Proof. By Lemma 3, the problem of whether $M =_{AC} C[M_1, \ldots, M_k]$ for an $E$-context $C$ and terms $M_1, \ldots, M_k \in sat(G)$ is decidable in polynomial time in $|sat(G)|$ and $|M|$.

If $M =_{AC} C[M_1, \ldots, M_k]$ for an $E$-context $C$ and terms $M_1, \ldots, M_k \in sat(G)$, then there exist an $E$-context $C'$ and terms $M'_1, \ldots, M'_n \in G$ such that $C'[M'_1, \ldots, M'_n] \rightarrow^{*}_{R \cup AC} M$. It is enough to observe that every $T \in sat(G)$ can be constructed from the terms in $G$.

If there is no $E$-context $C$ and terms $M_1, \ldots, M_k \in sat(G)$ such that $M =_{AC} C[M_1, \ldots, M_k]$ then, by Corollary 1, there are no $E$-context $C'$ and terms $M'_1, \ldots, M'_t \in sat(G)$ such that $C'[M'_1, \ldots, M'_t] \rightarrow^{*}_{R \cup AC} M$. Therefore, there is no $E$-context $C''$ and terms $M''_1, \ldots, M''_l \in G$ such that $C''[M''_1, \ldots, M''_l] \rightarrow^{*}_{R \cup AC} M$. Thus, the EDP for $E$ is decidable in polynomial time in $|sat(G)|$ and $|M|$.

Blind signatures are a basic cryptographic primitive in e-cash. The concept was introduced by David Chaum in [14] to allow a bank (or anyone) to sign messages without seeing them. Chaum's idea was to exploit the multiplicative homomorphic property of the signing function (RSA, in his construction) so that Alice can multiply the original message by a random (encrypted) factor that makes the resulting image meaningless to the Bank.
If the Bank agrees to sign this random-looking data and return it to Alice, she can divide out the blinding factor so that the Bank's signature on the original message appears.

Given a locally stable equational theory $E$, we extend the signature $\Sigma_E$ with $\Sigma_C$, a set containing function symbols for "constructors" for blind signatures, in order to obtain decidability results for the extension of the IDP for System N taking into account some rules for blind signatures.

Extended Syntax
The signature $\Sigma$ consists of function symbols and is defined as the union of two sets, $\Sigma = \Sigma_C \cup \Sigma_E$ (with $\Sigma_E \cap \Sigma_C = \emptyset$), where
$$\Sigma_C = \{\, pub(\_),\ sign(\_,\_),\ blind(\_,\_),\ \{\_\}_{\_},\ \langle \_,\_ \rangle \,\}$$
represents the constructors, whose interpretations are: $pub(M)$ gives the public key generated from a private key $M$; $blind(M,N)$ gives $M$ encrypted with $N$ using blinding encryption; $sign(M,N)$ gives $M$ signed with a private key $N$; $\{M\}_N$ gives $M$ encrypted with the key $N$ using Dolev-Yao symmetric encryption; $\langle M,N \rangle$ constructs a pair of terms from $M$ and $N$. Then the extended grammar of the set of terms or messages is
$$M, N ::= a \mid x \mid f(M_1, \ldots, M_n) \mid pub(M) \mid sign(M,N) \mid blind(M,N) \mid \{M\}_N \mid \langle M,N \rangle$$
Notice that, with this extension, an $E$-alien term $M$ is a term headed by some $f \in \Sigma_C$, or $M$ is a private name/constant. An $E$-alien subterm $M$ of $N$ is said to be an $E$-factor of $N$ if there is another subterm $F$ of $N$ such that $M$ is an immediate subterm of $F$ and $F$ is headed by a symbol $f \in \Sigma_E$. This notion can be extended to sets in the obvious way: a term $M$ is an $E$-factor of $G$ if it is an $E$-factor of a term in $G$. These notions were introduced in [29].

The operational meaning of each constructor will be defined by the corresponding inference rules in the sequent calculus described next.

Extending the EDP to Model Blind Signatures
Following the approach proposed in [29], we extend EDP with blind signatures using the sequent calculus S described in Table 2. In this way, we can model intruder deduction for the combination of a locally stable theory $E$ with blind signatures in a modular way: the theory $E$ is used in the $(id)$ rule, while blind signatures are modelled with additional deduction rules. As shown below, this approach has the advantage that we can derive decidability results for the intruder deduction problem without needing to prove that the combined theory is locally stable (in contrast with the results in the previous section and in [1]).

Table 2: System S: Sequent Calculus for the Intruder

$$\frac{M \approx_E C[M_1,\ldots,M_k] \quad C[\,] \text{ an } E\text{-context},\ M_1,\ldots,M_k \in G}{G \vdash M}\ (id)
\qquad
\frac{G \vdash M \quad G, M \vdash T}{G \vdash T}\ (cut)$$

$$\frac{G, \langle M,N \rangle, M, N \vdash T}{G, \langle M,N \rangle \vdash T}\ (p_L)
\qquad
\frac{G \vdash M \quad G \vdash N}{G \vdash \langle M,N \rangle}\ (p_R)$$

$$\frac{G, \{M\}_K \vdash K \quad G, \{M\}_K, M, K \vdash N}{G, \{M\}_K \vdash N}\ (e_L)
\qquad
\frac{G \vdash M \quad G \vdash K}{G \vdash \{M\}_K}\ (e_R)$$

$$\frac{G \vdash M \quad G \vdash K}{G \vdash sign(M,K)}\ (sign_R)
\qquad
\frac{G \vdash M \quad G \vdash K}{G \vdash blind(M,K)}\ (blind_R)$$

$$\frac{G, sign(M,K), pub(L), M \vdash N}{G, sign(M,K), pub(L) \vdash N}\ (sign_L),\quad K =_{AC} L$$

$$\frac{G, blind(M,K) \vdash K \quad G, blind(M,K), M, K \vdash N}{G, blind(M,K) \vdash N}\ (blind_{L_1})$$

$$\frac{G, sign(blind(M,R),K) \vdash R \quad G, sign(blind(M,R),K), sign(M,K), R \vdash N}{G, sign(blind(M,R),K) \vdash N}\ (blind_{L_2})$$

$$\frac{G \vdash A \quad G, A \vdash M}{G \vdash M}\ (acut),\quad A \text{ an } E\text{-factor of } G \cup \{M\}$$

Analysing the system S one can make the following observations:
1. The rules $p_L$, $e_L$, $sign_L$, $blind_{L_1}$, $blind_{L_2}$ and $acut$ are called left rules, with $\langle M,N \rangle$, $\{M\}_K$, $sign(M,K)$, $blind(M,K)$, $sign(blind(M,R),K)$ and $A$ as principal term, respectively. The rules $p_R$, $e_R$, $sign_R$ and $blind_R$ are called right rules.
2. The rule $(acut)$, called analytic cut, is necessary to prove cut rule admissibility. A complete proof can be found in [26, 29].
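The following Python program is an added illustration, not code from the paper or its authors, of how the pieces above fit together in the simplest instance: the pure AC case of Remark 4 (one AC symbol $\oplus$, $R = \emptyset$) combined with the blind-signature constructors of Table 2. The term encoding, the symbol names `xor`, `enc`, `pair`, and the saturate-then-decompose search are assumptions of the example. The $(id)$ rule is decided by `edp_ac`, which is exactly the system of linear Diophantine equations over $\mathbb{N}$ mentioned in Remark 4, solved by bounded search; it is therefore exponential in the worst case and is not the polynomial procedure of Theorem 3 (which needs inverses and Lemma 3).

```python
from collections import Counter

# Term encoding (an assumption of this example, not the paper's syntax):
# a name or constant is a str; a compound term is a tuple (head, *args).
# Σ_E = {AC} is a single AC symbol with no rewrite rules (R = ∅, the pure
# AC case of Remark 4); Σ_C holds the blind-signature constructors.
AC = 'xor'
RIGHT_RULES = {'pair', 'enc', 'sign', 'blind'}   # p_R, e_R, sign_R, blind_R


def flatten(t):
    """Multiset of E-alien factors of t: nested AC applications are
    flattened and each alien factor is canonicalised."""
    if isinstance(t, tuple) and t[0] == AC:
        c = Counter()
        for arg in t[1:]:
            c.update(flatten(arg))
        return c
    return Counter({canon(t): 1})


def canon(t):
    """Canonical representative of t modulo AC: flatten, then sort the
    factors.  Two terms are AC-equal iff their representatives coincide,
    so the (n+1)! AC-variants of a term are never enumerated."""
    if isinstance(t, str):
        return t
    if t[0] == AC:
        return (AC,) + tuple(sorted(flatten(t).elements(), key=repr))
    return (t[0],) + tuple(canon(a) for a in t[1:])


def ac_equal(s, t):
    return canon(s) == canon(t)


def edp_ac(gamma, m):
    """EDP for pure AC, G ⊩_AC M: is M =_AC C[M_1,...,M_k] for an E-context
    C (built from the AC symbol only) and M_i ∈ G?  Modulo AC this asks
    for x_i ∈ N with Σ x_i·vec(M_i) = vec(M) on factor multisets: a system
    of linear Diophantine equations over N, solved here by bounded search
    (exponential in the worst case, as Remark 4 notes)."""
    target = flatten(m)
    vecs = [v for v in (flatten(g) for g in gamma) if not (v - target)]

    def solve(rem):
        if not rem:
            return True
        atom = next(iter(rem))            # some factor still uncovered
        return any(solve(rem - v) for v in vecs if v[atom] and not (v - rem))

    return solve(target)


def right(gamma, t):
    """Goal-directed phase: (id) via edp_ac, the right rules, and (acut)
    on the E-factors of an AC goal (derive a missing alien factor, add it
    to G, and retry (id))."""
    if edp_ac(gamma, t):
        return True
    if isinstance(t, tuple) and t[0] in RIGHT_RULES:
        return right(gamma, t[1]) and right(gamma, t[2])
    if isinstance(t, tuple) and t[0] == AC:
        extra = {f for f in flatten(t) if f not in gamma and right(gamma, f)}
        return bool(extra) and edp_ac(gamma | extra, t)
    return False


def saturate(gamma):
    """Close G under the left rules p_L, e_L, sign_L, blind_L1, blind_L2.
    Side sequents G ⊢ K are decided with `right` over the current closure;
    iterate to a fixpoint.  Terms are kept canonical so that membership
    (and the K =_AC L side condition of sign_L) is modulo AC."""
    gamma = {canon(t) for t in gamma}
    while True:
        pubs = [p[1] for p in gamma if isinstance(p, tuple) and p[0] == 'pub']
        new = set()
        for t in gamma:
            if isinstance(t, str):
                continue
            if t[0] == 'pair':                                      # p_L
                new |= {t[1], t[2]}
            elif t[0] in ('enc', 'blind') and right(gamma, t[2]):   # e_L, blind_L1
                new.add(t[1])
            elif t[0] == 'sign':
                m, k = t[1], t[2]
                if any(ac_equal(l, k) for l in pubs):               # sign_L
                    new.add(m)
                if isinstance(m, tuple) and m[0] == 'blind' and right(gamma, m[2]):
                    new.add(('sign', m[1], k))                       # blind_L2
        if new <= gamma:
            return gamma
        gamma |= new


def derive(gamma, goal):
    """G ⊢ goal in System S with E = pure AC: saturate, then decompose."""
    return right(saturate(gamma), goal)


if __name__ == '__main__':
    # Constructed e-cash scenario: the intruder holds the blinded coin
    # signed by the bank, the blinding factor and the bank's public key.
    G = [('sign', ('blind', 'm', 'r'), 'k'), 'r', ('pub', 'k'), 'c']
    print(derive(G, ('sign', 'm', 'k')), derive(G, 'm'), derive(G, 'k'))  # True True False
```

`canon` is the point made in the conclusion in miniature: AC-equality is decided on a sorted, flattened representative, so the $(n+1)!$ AC-variants counted in the proof for AC are never built. The left rules are run to a fixpoint before the right rules, mirroring the left/right split in observation 1, and $(acut)$ is needed exactly when the goal is a $\oplus$-term one of whose alien factors (for instance a pair) is not yet in $G$ and must be derived first. Replacing `edp_ac` by a polynomial procedure for a theory with inverses, as in Theorem 3, leaves the rest of the search untouched, which is the modularity the text argues for.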
Remark 5.
Considerations about locally stable theories with blind signatures:
1. All the results proved in Section 2 remain valid under this extension with blind signatures, since those results depend only on the equational theory $E$ and on the symbols in $\Sigma_E$. Unlike Example 5.2.4 of [1], the theory of blind signatures is not considered part of the equational theory: the functions are abstracted in the set of constructors, with their operational meaning represented in the sequent calculus.
2. In [29] it is shown that the intruder deduction problem for S is polynomially reducible to the EDP for $E$: if the EDP in $E$ has complexity $f(m)$ then the deduction problem $G \vdash M$ in S has complexity $O(n^k \cdot f(n))$ for some constant $k$ (here $m$ is the size of the input of EDP and $n$ is the cardinality of the set $St(G \cup \{M\})$ defined in [29]). This result was proved for an AC-convergent equational theory $E$ containing only one AC symbol and extended to a finite combination of disjoint AC-convergent equational theories, each containing only one AC symbol.
3. In [26], it was proved that deduction in S reduces polynomially to EDP in the case of the AC-convergent equational theory EP, which contains three different AC symbols and rules for exponentiation and cannot be split into disjoint parts.

As a consequence of the results mentioned in the above remark, we can state the following result:
Corollary 2.
Let $E$ be a locally stable theory satisfying (*) containing only one AC symbol, or formed by a finite and disjoint combination of AC symbols. Let $G$ be a finite set of ground terms in normal form and $M$ a ground term in normal form. The IDP for the theory $E$ combined with blind signatures ($G \vdash M$) is decidable in polynomial time in $|sat(G)|$ and $|M|$.

Conclusion

We have shown that the IDP is decidable for locally stable theories. To obtain the polynomial-time result, a restriction on the equational theory is necessary: the theory must contain inverses of all AC symbols. We have proposed an algorithm to solve a restricted case of higher-order AC-matching by using the DO-ACM matching algorithm combined with an algorithm to solve linear Diophantine equations over $\mathbb{Z}$. Based on this algorithm, we obtain a polynomial decidability result for IDP for a class of locally stable theories with inverses. Our algorithm does not need to compute the set of normal forms modulo AC of a given term (which may be exponential). Therefore, we can conclude that the deducibility relation is decidable in polynomial time for a very restricted class of equational theories; the argument does not work for all locally stable theories, as [1] has claimed. The same approach also decides the IDP for the combination of locally stable theories with the theory of blind signatures, using a translation between natural deduction and sequent calculus.

References

[1] M. Abadi and V. Cortier. Deciding knowledge in security protocols under equational theories.
Theoretical Computer Science, 367(1-2):2–32, 2006.
[2] M. Abadi and C. Fournet. Mobile Values, New Names, and Secure Communication. In Proc. 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'01), pages 104–115, 2001.
[3] M. Abadi and A. D. Gordon. A Calculus for Cryptographic Protocols: The spi Calculus. Information and Computation, 148(1):1–70, 1999.
[4] A. Armando et al. The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In Proc. 17th Computer Aided Verification (CAV'05), volume 3576 of LNCS, pages 281–285. Springer-Verlag, 2005.
[5] M. Ayala-Rincón, M. Fernández and D. Nantes-Sobrinho. Elementary Deduction Problems for Locally Stable Theories with Normal Forms (extended version).
[6] F. Baader and T. Nipkow. Term Rewriting and All That. CUP, 1998.
[7] M. Baudet, V. Cortier and S. Delaune. YAPA: A Generic Tool for Computing Intruder Knowledge. In Proc. 20th International Conference on Rewriting Techniques and Applications (RTA'09), volume 5595 of LNCS, pages 148–163. Springer, 2009. arXiv:1005.0737.
[8] D. Benanav, D. Kapur, P. Narendran, and L. Wang. Complexity of matching problems. Journal of Symbolic Computation, 3(1/2):203–216, 1987.
[9] V. Bernat and H. Comon-Lundh. Normal proofs in intruder theories. In Proc. 11th Asian Computing Science Conference, Advances in Computer Science - Secure Software and Related Issues (ASIAN'06), volume 4435 of LNCS, pages 151–166. Springer-Verlag, 2006.
[10] B. Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In Proc. 14th IEEE Computer Security Foundations Workshop (CSFW'01), pages 82–96. IEEE Comp. Soc., 2001. http://doi.ieeecomputersociety.org/10.1109/CSFW.2001.930138.
[11] B. Blanchet. A Computationally Sound Mechanized Prover for Security Protocols. IEEE Transactions on Dependable and Secure Computing, 5(4):193–207, 2008.
[12] A. Boudet, E. Contejean and H. Devie. A new AC Unification Algorithm with an Algorithm for Solving Systems of Linear Diophantine Equations. In Proc. 5th Annual Symposium on Logic in Computer Science (LICS'90), pages 289–299, 1990.
[13] S. Bursuc, H. Comon-Lundh, and S. Delaune. Deducibility constraints, equational theory and electronic money. In Rewriting, Computation and Proof, Essays Dedicated to Jean-Pierre Jouannaud on the Occasion of his 60th Birthday, volume 4600 of LNCS, pages 196–212. Springer-Verlag, 2007.
[14] D. Chaum. Blind Signatures for Untraceable Payments. In Proc. Advances in Cryptology (CRYPTO'82), pages 199–203. Plenum Press, 1982. http://blog.koehntopp.de/uploads/Chaum.BlindSigForPayment.1982.PDF.
[15] M. Clausen and A. Fortenbacher. Efficient Solution of Linear Diophantine Equations. Journal of Symbolic Computation, 8(1-2):201–216, 1989.
[16] H. Comon-Lundh and V. Shmatikov. Intruder Deduction, Constraint Solving and Insecurity Decisions in Presence of Exclusive or. In Proc. 18th IEEE Symposium on Logic in Computer Science (LICS'03), pages 271–280. IEEE Comp. Soc., 2003. http://doi.ieeecomputersociety.org/10.1109/LICS.2003.1210067.
[17] V. Cortier, S. Delaune, and P. Lafourcade. A survey of algebraic properties used in cryptographic protocols. Journal of Computer Security, 14(1):1–43, 2006.
[18] S. Delaune. Vérification des protocoles cryptographiques et propriétés algébriques. PhD thesis, École Normale Supérieure de Cachan, 2006. http://tel.archives-ouvertes.fr/tel-00132677/en/.
[19] S. Delaune. Easy Intruder Deduction Problems with Homomorphisms. Information Processing Letters, 97(6):213–218, 2006.
[20] D. Dolev and A. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198–208, 1983. http://doi.ieeecomputersociety.org/10.1109/SFCS.1981.32.
[21] S. Escobar, C. Meadows and J. Meseguer. Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties. In Foundations of Security Analysis and Design V, FOSAD 2007/2008/2009 Tutorial Lectures, volume 5705 of LNCS, pages 1–50. Springer-Verlag, 2007.
[22] M. A. Frumkin. Polynomial time Algorithms in the Theory of Linear Diophantine Equations. In Proc. Fundamentals of Computation Theory, volume 56 of LNCS, pages 386–392. Springer-Verlag, 1977.
[23] P. Lafourcade, D. Lugiez and R. Treinen. Intruder Deduction for AC-Like Equational Theories with Homomorphisms. In Proc. 16th International Conference on Term Rewriting and Applications (RTA'05), volume 3467 of LNCS, pages 308–322. Springer-Verlag, 2005.
[24] P. Lafourcade. Intruder Deduction for the equational theory of exclusive-or with commutative and distributive encryption. Electr. Notes Theor. Comput. Sci., 171(4):37–57, 2007.
[25] D. McAllester. Automatic recognition of tractability in inference relations. Journal of the ACM, 40:284–303, 1990.
[26] D. Nantes-Sobrinho and M. Ayala-Rincón. Reduction of the Intruder Deduction Problem into Equational Elementary Deduction for Electronic Purse Protocols with Blind Signatures. In Proc. 17th Int. Workshop on Logic, Language, Information and Computation (WoLLIC'10), volume 6188 of LNCS, pages 218–231. Springer-Verlag, 2010.
[27] C. Papadimitriou. Computational Complexity. Addison-Wesley, Inc.
[28] A. Tiu. A trace based simulation for the spi calculus: An extended abstract. In Proc. 5th Asian Symposium on Programming Languages and Systems (APLAS'07), volume 4807 of LNCS, pages 367–382. Springer-Verlag, 2007. arXiv:0901.2166.
[29] A. Tiu, R. Goré and J. Dawson. A proof theoretic analysis of intruder theories. In Proc. 20th International Conference on Rewriting Techniques and Applications (RTA'09), volume 5595 of LNCS, pages 103–117. Springer-Verlag, 2009. doi:10.2168/LMCS-6(3:12)2010.