On Asymmetric Unification for the Theory of XOR with a Homomorphism
Christopher Lynch, Andrew M. Marshall, Catherine Meadows, Paliath Narendran, Veena Ravishankar
Christopher Lynch (Clarkson University, Potsdam, NY, U.S.A., [email protected]), Andrew M. Marshall (University of Mary Washington, Fredericksburg, VA, U.S.A., [email protected]), Catherine Meadows (Naval Research Laboratory, Washington, D.C., U.S.A., [email protected]), Paliath Narendran (University at Albany-SUNY, Albany, NY, U.S.A., [email protected]), and Veena Ravishankar (University of Mary Washington, Fredericksburg, VA, U.S.A., [email protected])
Abstract.
Asymmetric unification, or unification with irreducibility constraints, is a newly developed paradigm that arose out of the automated analysis of cryptographic protocols. However, there are still relatively few asymmetric unification algorithms. In this paper we address this lack by exploring the application of automata-based unification methods. We examine the theory of xor with a homomorphism, ACUNh, from the point of view of asymmetric unification, and develop a new automata-based decision procedure. Then, we adapt a recently developed asymmetric combination procedure to produce a general asymmetric-ACUNh decision procedure. Finally, we present a new approach for obtaining a solution-generating asymmetric-ACUNh unification automaton. We also compare our approach to the most commonly used form of asymmetric unification available today, variant unification.
1 Introduction

We examine the newly developed paradigm of asymmetric unification in the theory of xor with a homomorphism. Asymmetric unification is motivated by requirements arising from symbolic cryptographic protocol analysis [6]. These symbolic analysis methods require unification-based exploration of a space in which the states obey rich equational theories that can be expressed as a decomposition $R \uplus \Delta$, where $R$ is a set of rewrite rules that is confluent, terminating, and coherent modulo $\Delta$. However, in order to apply state space reduction techniques, it is usually necessary for at least part of this state to be in normal form, and to remain in normal form even after unification is performed. This requirement can be expressed as an asymmetric unification problem $\{ s_1 =^{\downarrow} t_1, \ldots, s_n =^{\downarrow} t_n \}$, where $=^{\downarrow}$ denotes a unification problem with the restriction that any unifier leaves the right-hand side of each equation irreducible.

At this point there are relatively few such algorithms. Thus in most cases when asymmetric unification is needed, an algorithm based on variant unification [8] is used. Variant unification turns an $R \uplus \Delta$-problem into a set of $\Delta$-problems. Application of variant unification requires that a number of conditions on the decomposition be satisfied. In particular, the set of $\Delta$-problems produced must always be finite (this is equivalent to the finite variant property [4]) and $\Delta$-unification must be decidable and finitary. Unfortunately, there is a class of theories commonly occurring in cryptographic protocols that do not have decompositions satisfying these necessary conditions: theories including an operator $h$ that is homomorphic over an Abelian group operator $+$, that is, $AGh$. There are a number of cryptosystems that include an operation that is homomorphic over an Abelian group operator, and a number of constructions that rely on this homomorphic property. These include, for example, RSA [12], whose homomorphic property is used in Chaum's blind signatures [3], and Paillier cryptosystems [11], used in electronic voting and digital cash protocols. Thus an alternative approach is called for.

In this paper we concentrate on asymmetric unification for a special case of $AGh$: the theory of xor with homomorphism, or $ACUNh$. We first develop an automata-based $ACUNh$-asymmetric decision procedure. We then apply a recently developed combination procedure for asymmetric unification algorithms to obtain a general asymmetric decision procedure allowing for free function symbols. This requires a non-trivial adaptation of the combination procedure, which originally required that the algorithms combined were not only decision procedures but produced complete sets of unifiers. In addition, the decomposition of $ACUNh$ we use is $\Delta = ACh$. It is known that unification modulo $ACh$ is undecidable [10], so our result also yields the first asymmetric decision procedure for which $\Delta$ does not have a decidable finitary unification algorithm.

We then consider the problem of producing complete sets of asymmetric unifiers for $ACUNh$. We show how the decision procedure developed in this paper can be adapted to produce an automaton that generates a (possibly infinite) complete set of solutions. We then show, via an example, that asymmetric unification modulo $ACUNh$ is not finitary.

Section 2 provides a brief description of preliminaries. Section 3 develops an automaton-based decision procedure for the $ACUNh$-theory. In Section 4 an automaton approach that produces substitutions is outlined. Section 5 develops the modified combination method needed to obtain general asymmetric algorithms. In Section 6 we conclude the paper and discuss further work.
2 Preliminaries

We use the standard notation of equational unification [1] and term rewriting systems [1]. $\Sigma$-terms, denoted by $T(\Sigma, X)$, are built over the signature $\Sigma$ and the (countably infinite) set of variables $X$. The terms $t|_p$ and $t[u]_p$ denote respectively the subterm of $t$ at the position $p$, and the term $t$ having $u$ as subterm at position $p$. The symbol of $t$ occurring at the position $p$ (resp. the top symbol of $t$) is written $t(p)$ (resp. $t(\varepsilon)$). The set of positions of a term $t$ is denoted by $Pos(t)$; the set of non-variable positions of a term $t$ over a signature $\Sigma$ is denoted by $Pos_\Sigma(t)$. A $\Sigma$-rooted term is a term whose top symbol is in $\Sigma$. The set of variables of a term $t$ is denoted by $Var(t)$. A term is ground if it contains no variables.

Definition 2.1. Let $\Gamma$ be an $E$-unification problem, let $X$ denote the set of variables occurring in $\Gamma$ and $C$ the set of free constants occurring in $\Gamma$. For a given linear ordering $<$ on $X \cup C$, and for each $c \in C$, define the set $V_c$ as $\{ x \mid x \text{ is a variable with } x < c \}$. An $E$-unification problem with linear constant restriction (LCR) is an $E$-unification problem with constants, $\Gamma$, where each constant $c$ in $\Gamma$ is equipped with a set $V_c$ of variables. A solution of the problem is an $E$-unifier $\sigma$ of $\Gamma$ such that for all $c, x$ with $x \in V_c$, the constant $c$ does not occur in $x\sigma$. We call $\sigma$ an $E$-unifier with LCR.

A rewrite rule is an ordered pair $l \to r$ such that $l, r \in T(\Sigma, X)$ and $l \notin X$. We use $R$ to denote a term rewrite system, which is defined as a set of rewrite rules. The rewrite relation on $T(\Sigma, X)$, written $t \to_R s$, holds between $t$ and $s$ iff there exist a non-variable position $p \in Pos_\Sigma(t)$, a rule $l \to r \in R$ and a substitution $\sigma$ such that $t|_p = l\sigma$ and $s = t[r\sigma]_p$. The relation $\to_{R/E}$ on $T(\Sigma, X)$ is $=_E \circ \to_R \circ =_E$. The relation $\to_{R,E}$ on $T(\Sigma, X)$ is defined as: $t \to_{R,E} t'$ if there exist a position $p \in Pos_\Sigma(t)$, a rule $l \to r \in R$ and a substitution $\sigma$ such that $t|_p =_E l\sigma$ and $t' = t[r\sigma]_p$. The transitive (resp. transitive and reflexive) closure of $\to_{R,E}$ is denoted by $\to^+_{R,E}$ (resp. $\to^*_{R,E}$). A term $t$ is $\to_{R,E}$-irreducible (or in $R,E$-normal form) if there is no term $t'$ such that $t \to_{R,E} t'$. If $\to_{R,E}$ is confluent and terminating we denote the irreducible version of a term $t$ by $t\downarrow_{R,E}$.

Definition 2.2. We call $(\Sigma, E, R)$ a weak decomposition of an equational theory $\Delta$ over a signature $\Sigma$ if $\Delta = R \uplus E$ and $R$ and $E$ satisfy the following conditions:
1. Matching modulo $E$ is decidable.
2. $R$ is terminating modulo $E$, i.e., the relation $\to_{R/E}$ is terminating.
3. The relation $\to_{R,E}$ is confluent and $E$-coherent, i.e., $\forall t_1, t_2, t_3$: if $t_1 \to_{R,E} t_2$ and $t_1 =_E t_3$ then $\exists t_4, t_5$ such that $t_2 \to^*_{R,E} t_4$, $t_3 \to^+_{R,E} t_5$, and $t_4 =_E t_5$.

This definition is a modification of the definition in [6], where asymmetric unification and the corresponding theory decomposition are first defined. The last restrictions ensure that $s \to^!_{R/E} t$ iff $s \to^!_{R,E} t$ (see [8, 6]).

Definition 2.3 (Asymmetric Unification). Given a weak decomposition $(\Sigma, E, R)$ of an equational theory, a substitution $\sigma$ is an asymmetric $R,E$-unifier of a set $S$ of asymmetric equations $\{ s_1 =^{\downarrow} t_1, \ldots, s_n =^{\downarrow} t_n \}$ iff for each asymmetric equation $s_i =^{\downarrow} t_i$, $\sigma$ is an $(E \cup R)$-unifier of the equation $s_i =^? t_i$ and $(t_i\downarrow_{R,E})\sigma$ is in $R,E$-normal form. A set of substitutions $\Omega$ is a complete set of asymmetric $R,E$-unifiers of $S$ (denoted $CSAU_{R \cup E}(S)$, or just $CSAU(S)$ if the background theory is clear) iff: (i) every member of $\Omega$ is an asymmetric $R,E$-unifier of $S$, and (ii) for every asymmetric $R,E$-unifier $\theta$ of $S$ there exists a $\sigma \in \Omega$ such that $\sigma \leq^{Var(S)}_E \theta$.

Example 2.1. Let $R = \{ x \oplus 0 \to x,\ x \oplus x \to 0,\ x \oplus x \oplus y \to y \}$ and let $E$ be the AC theory for $\oplus$. Consider the equation $y \oplus x =^{\downarrow} x \oplus a$. The substitution $\sigma_1 = \{ y \mapsto a \}$ is an asymmetric solution, but $\sigma_2 = \{ x \mapsto 0,\ y \mapsto a \}$ is not, since $(x \oplus a)\sigma_2 = 0 \oplus a$ is reducible.
Definition 2.4 (Asymmetric Unification with Linear Constant Restriction). Let $S$ be a set of asymmetric equations with some LCR. A substitution $\sigma$ is an asymmetric $R,E$-unifier of $S$ with LCR iff $\sigma$ is an asymmetric solution to $S$ and $\sigma$ satisfies the LCR.

Definition 2.5. Let $R$ be a term rewriting system and $E$ be a set of identities. We say $(R, E)$ is $R,E$-convergent if and only if (a) $\to_{R,E}$ is terminating, and (b) for all terms $s, t$, if $s \approx_{R \cup E} t$, there exist terms $s', t'$ such that $s \to^!_{R,E} s'$, $t \to^!_{R,E} t'$, and $s' \approx_E t'$.

Definition 2.6. A term $t$ is an $R,\Delta$-normal form of a term $s$ if and only if $s \to^!_{R,\Delta} t$. This is often represented as $t = s\downarrow_{R,\Delta}$.

3 ACUNh-unification Decision Procedure via an Automata Approach
In this section we develop a new asymmetric unification algorithm for the theory $ACUNh$. The theory $ACUNh$ consists of the following identities:

$x + x \approx 0,\quad x + 0 \approx x,\quad h(x + y) \approx h(x) + h(y),\quad h(0) \approx 0,\quad (x + y) + z \approx x + (y + z),\quad x + y \approx y + x$

Following the definition of asymmetric unification, we first decompose the theory into a set of rewrite rules, $R$, modulo a set of equations, $\Delta$ (the background theory). Actually, there are two such decompositions possible. The first decomposition keeps associativity and commutativity as the identities $\Delta$ and the rest as rewrite rules. This decomposition has the following $AC$-convergent term rewriting system $R$:

$x + x \to 0,\quad x + 0 \to x,\quad x + (y + x) \to y,\quad h(x + y) \to h(x) + h(y),\quad h(0) \to 0$

as well as $R'$:

$x + x \to 0,\quad x + 0 \to x,\quad x + (y + x) \to y,\quad h(x) + h(y) \to h(x + y),\quad h(0) \to 0$

(where $+$ is given a higher precedence than $h$). The second decomposition has associativity, commutativity and the distributive homomorphism identity as $\Delta$, i.e., $\Delta = ACh$. Our goal here is to prove that the following term rewriting system $R$:

$x + x \to 0,\quad x + 0 \to x,\quad x + (y + x) \to y,\quad h(0) \to 0$

is $ACh$-convergent. The proof of convergence of $\to_{R,ACh}$ is provided in Appendix A.

Decidability of asymmetric unification for the theory $R, ACh$ can be shown by automata-theoretic methods analogous to the method used for deciding the Weak Second Order Theory of One Successor (WS1S) [5, 2]. In WS1S we consider quantification over finite sets of natural numbers, along with one successor function. All equations or formulas are transformed into finite-state automata which accept the strings that correspond to a model of the formula [9, 13]. This automata-based approach is key to showing decidability of WS1S, since the satisfiability of WS1S formulas reduces to the automata intersection-emptiness problem. We follow the same approach here.

To be precise, what we show here is that ground solvability of asymmetric unification, for a given set of constants, is decidable. We explain at the end of this section, in Lemma 3.1 and Lemma 3.2, why this is equivalent to solvability in general.
Problems with one constant: For ease of exposition, let us consider the case where there is only one constant $a$. Thus every ground term can be represented as a set of natural numbers: the term $h^{i_1}(a) + \cdots + h^{i_k}(a)$ corresponds to the set $\{ i_1, \ldots, i_k \}$. The homomorphism $h$ is treated as a successor function. Just as in WS1S, the input to the automata consists of column vectors of bits. The length of each column vector is the number of variables in the problem, so for $n$ variables the alphabet is $\Sigma = \{0, 1\}^n$, read as column vectors. The deterministic finite automata (DFA) are illustrated here. The $+$ operator behaves like the symmetric set difference operator.

We illustrate how an automaton is constructed for each equation in standard form. In order to avoid cluttering up the diagrams the dead state has been included only for the first automaton. The missing transitions lead to the dead state by default for the others. Recall that we are considering the case of one constant $a$.

[Fig. 1: Automata construction. (a) Automaton for $P = Q + R$, with start state $q_0$ and dead state $D$. (b) Automaton for $P =^{\downarrow} Q + R$.]
Fig. 1a: Let $P_i$, $Q_i$ and $R_i$ denote the $i$-th bits of $P$, $Q$ and $R$ respectively. $P_i$ has value 1 exactly when one of $Q_i$ or $R_i$, but not both, has value 1, i.e., $P_i = Q_i \oplus R_i$. We need 3-bit alphabet symbols for this equation. The input for this automaton consists of column vectors of 3 bits each, i.e., $\Sigma = \{ (0\,0\,0)^T, \ldots, (1\,1\,1)^T \}$, written in the order $(P\,Q\,R)^T$. For example, if $R = 0$ and $Q = 1$, then $P = 1$; the corresponding alphabet symbol is $(P\,Q\,R)^T = (1\,1\,0)^T$. Hence, only strings over the alphabet symbols $\{ (0\,0\,0)^T, (1\,1\,0)^T, (1\,0\,1)^T, (0\,1\,1)^T \}$ are accepted by this automaton. The rest of the input symbols $\{ (1\,0\,0)^T, (0\,1\,0)^T, (0\,0\,1)^T, (1\,1\,1)^T \}$ go to the dead state $D$, as they violate the XOR property. Note that the string $(1\,0\,1)^T (1\,1\,0)^T$ is accepted by this automaton. This corresponds to $P = a + h(a)$, $Q = h(a)$ and $R = a$.

Fig. 1b: To preserve asymmetry on the right-hand side of this equation, $Q + R$ should be irreducible. If either $Q$ or $R$ is empty, or if they have any term in common, then a reduction will occur. For example, if $Q = h(a)$ and $R = h(a) + a$, there is a reduction, whereas if $R = h(a)$ and $Q = a$, irreducibility is preserved, since there is no common term and neither one is empty. Since neither $Q$ nor $R$ can be empty, any accepted string should contain at least one occurrence of $(1\,1\,0)^T$ and at least one occurrence of $(1\,0\,1)^T$, and, since a common term would be reducible, no occurrence of $(0\,1\,1)^T$.

[Fig. 2: Automata construction. (a) Automaton for $X = h(Y)$. (b) Automaton for $X =^{\downarrow} h(Y)$.]
Fig. 2a: We need 2-bit vectors as alphabet symbols since we have two unknowns $X$ and $Y$. Remember that $h$ acts like the successor function. $q_0$ is the only accepting state. A state transition occurs with the bit vectors $(1\,0)^T$ and $(0\,1)^T$. If $Y = 1$ in the current state, then $X = 1$ in the next state; hence a transition occurs from $q_0$ to $q_1$, and vice versa. The ordering of variables is $(Y\,X)^T$.

Fig. 2b: In this equation, $h(Y)$ should be in normal form. So $Y$ cannot be 0, but can contain terms of the form $u + v$. $(Y\,X)^T$ is the ordering of variables. Therefore the bit vector $(1\,0)^T$ should be succeeded by $(0\,1)^T$, with possible occurrences of the bit vector $(1\,1)^T$ in between. Thus the string ends either with $(0\,1)^T$ or with $(0\,0)^T$ symbols following it. For example, if $Y = h(a) + a$, then $X = h^2(a) + h(a)$, which results in the string $(1\,0)^T (1\,1)^T (0\,1)^T$, accepted by this automaton.

Fig. 3a: This automaton represents the disequality $X_a \neq Y_a$. In general, if there are two or more constants, we have to guess which components are not equal. This enables us to handle the disequality constraints mentioned in the next section.

Fig. 3b: This automaton represents the disequality $X \neq a$, where $a$ is a constant.

Example 3.1.
Let $\{ U =^{\downarrow} V + Y,\ W = h(V),\ Y =^{\downarrow} h(W) \}$ be an asymmetric unification problem. We need 4-bit vectors and 3 automata since we have 4 unknowns in 3 equations, with bit vectors represented in this ordering of set variables: $(V\,W\,Y\,U)^T$. We include the $\times$ ("don't-care") symbol in state transitions to indicate that the values can be either 0 or 1. This is done to avoid cluttering the diagrams. Note that here this $\times$ symbol is a placeholder for the variables which do not have any significance in a given automaton. The automata constructed for this example are indicated in Fig. 4a, Fig. 4b and Fig. 5a.

[Fig. 3: Automata construction. (a) Automaton for $X \neq Y$. (b) Automaton for $X \neq a$.]

The string $(1\,0\,0\,1)^T (0\,1\,0\,0)^T (0\,0\,1\,1)^T (0\,0\,0\,0)^T$ is accepted by all three automata. The corresponding asymmetric unifier is $\{ V \mapsto a,\ W \mapsto h(a),\ Y \mapsto h^2(a),\ U \mapsto h^2(a) + a \}$.

[Fig. 4: Automata example. (a) Automata for Example 3.1, Part 1. (b) Automata for Example 3.1, Part 2.]

Once we have automata constructed for all the formulas, we take the intersection and check if there exists a string accepted by all the automata. If the intersection is not empty, then we have a solution, i.e., an asymmetric unifier for the given problem.
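The construction above, carried out in code as an added example (this is not code from the paper): each equation becomes a small DFA over bit-vector symbols, the DFAs are intersected by a product construction, and a breadth-first search for an accepting product state serves both as the emptiness check and as the witness extraction, the accepted string being read off as a ground unifier. The encoding follows the page (ground terms over the constants are sets of simple terms $h^i(c)$, $+$ is symmetric difference, $h$ is a shift). It goes beyond the one-constant case by carrying one bit per (variable, constant) pair in every symbol, so the "not all components zero" side conditions of the multi-constant procedure described later in this section are tracked by the automata's seen-flags instead of being guessed up front. The equation tags, the `lcr` restriction (the footnote's $a \notin X$, enforced by keeping $X_a = 0$) and the problems in the test are choices made for this example, not notation from the paper.

```python
"""Automata-based decision procedure for ground asymmetric ACUNh unification
(added example; equation tags and helper names are assumptions).

A ground term over constants c_1..c_k is a set of simple terms h^i(c_j),
stored as (i, c_j) pairs.  A symbol of the input alphabet carries one bit per
(variable, constant) component; reading the i-th symbol fixes which h^i(c)
summands each variable contains.  '+' is symmetric difference and h is a
successor (shift), exactly as in the WS1S encoding on the page."""
from collections import deque
from itertools import product

# Equations:  ("sum",  P, Q, R)  P = Q + R
#             ("asum", P, Q, R)  P =↓ Q + R   (Q + R must be irreducible)
#             ("h",    X, Y)     X = h(Y)
#             ("ah",   X, Y)     X =↓ h(Y)    (h(Y) must be irreducible, i.e. Y ≠ 0)
#             ("neq",  X, Y)     X ≠ Y
#             ("lcr",  X, c)     constant c must not occur in X  (X_c = 0)
# Each automaton is a triple (start_state, step, accept); step returns None
# for a missing transition, i.e. a move to the dead state.


def sum_automaton(eq, consts, asym):
    """State = (seen_Q, seen_R).  P_i = Q_i xor R_i for every constant; the
    asymmetric form also forbids a summand common to Q and R (it would cancel
    by x + (y + x) -> y) and requires both Q and R to be non-zero."""
    _, P, Q, R = eq

    def step(state, sym):
        seen_q, seen_r = state
        for c in consts:
            p, q, r = sym[P, c], sym[Q, c], sym[R, c]
            if p != q ^ r or (asym and q and r):
                return None
            seen_q, seen_r = seen_q or bool(q), seen_r or bool(r)
        return (seen_q, seen_r)

    accept = (lambda s: s[0] and s[1]) if asym else (lambda s: True)
    return (False, False), step, accept


def h_automaton(eq, consts, asym):
    """State = (X bits expected at the next position, seen_Y): the Y bits read
    now must reappear as X bits one position later (h is the successor)."""
    _, X, Y = eq
    zero = tuple(0 for _ in consts)

    def step(state, sym):
        expected, seen_y = state
        if tuple(sym[X, c] for c in consts) != expected:
            return None
        nxt = tuple(sym[Y, c] for c in consts)
        return (nxt, seen_y or any(nxt))

    return (zero, False), step, (lambda s: s[0] == zero and (s[1] or not asym))


def neq_automaton(eq, consts, asym=False):
    """State = 'a differing bit has been seen'; accepting once it is True."""
    _, X, Y = eq
    return False, (lambda seen, sym: seen or any(sym[X, c] != sym[Y, c] for c in consts)), (lambda s: s)


def lcr_automaton(eq, consts, asym=False):
    """Linear constant restriction c ∉ X: the (X, c) bit must always be 0."""
    _, X, c = eq
    return 0, (lambda s, sym: None if sym[X, c] else 0), (lambda s: True)


BUILDERS = {"sum": (sum_automaton, False), "asum": (sum_automaton, True),
            "h": (h_automaton, False), "ah": (h_automaton, True),
            "neq": (neq_automaton, False), "lcr": (lcr_automaton, False)}


def solve(equations, consts):
    """Intersect all automata (product construction) and search the product
    for an accepting state by BFS.  Returns a ground unifier read off the
    accepted string, or None when the intersection is empty."""
    variables = sorted({v for eq in equations
                        for v in (eq[1:2] if eq[0] == "lcr" else eq[1:])})
    comps = [(v, c) for v in variables for c in consts]
    automata = [BUILDERS[eq[0]][0](eq, consts, BUILDERS[eq[0]][1]) for eq in equations]
    start = tuple(a[0] for a in automata)
    parent = {start: None}                       # product state -> (previous state, symbol)
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if all(accept(s) for (_, _, accept), s in zip(automata, state)):
            return _read_off(state, parent, comps)
        for bits in product((0, 1), repeat=len(comps)):
            sym = dict(zip(comps, bits))
            nxt = []
            for (_, step, _), s in zip(automata, state):
                s = step(s, sym)
                if s is None:
                    break                        # some automaton went to its dead state
                nxt.append(s)
            else:
                nxt = tuple(nxt)
                if nxt not in parent:
                    parent[nxt] = (state, sym)
                    queue.append(nxt)
    return None


def _read_off(state, parent, comps):
    """Walk the BFS parents back to the start and turn the symbols into terms:
    bit (X, c) set in the i-th symbol means h^i(c) is a summand of X."""
    symbols = []
    while parent[state] is not None:
        state, sym = parent[state]
        symbols.append(sym)
    symbols.reverse()
    unifier = {v: set() for v, _ in comps}
    for i, sym in enumerate(symbols):
        for (v, c), bit in sym.items():
            if bit:
                unifier[v].add((i, c))
    return unifier


if __name__ == "__main__":
    # Example 3.1 of the page: { U =↓ V + Y, W = h(V), Y =↓ h(W) } over the constant a.
    print(solve([("asum", "U", "V", "Y"), ("h", "W", "V"), ("ah", "Y", "W")], ["a"]))
```

For Example 3.1 the shortest accepted string is the one given above, so `solve` returns $V \mapsto a$, $W \mapsto h(a)$, $Y \mapsto h^2(a)$, $U \mapsto a + h^2(a)$; for $\{ X =^{\downarrow} h(Y),\ Y = h(X) \}$ the product never reaches an accepting state and `None` is returned. The product state space and the alphabet ($2^{mk}$ symbols for $m$ variables and $k$ constants) are both exponential, which is why the page states only decidability and leaves the exact complexity open.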
Problems with more than one constant: This technique can be extended to the case where we have more than one constant. Suppose we have $k$ constants, say $c_1, \ldots, c_k$.

[Fig. 5: Automata example. (a) Automata for Example 3.1, Part 3. (b) Substitution-producing automaton for $h(x) + b =^{?}_{\downarrow} x + y$, with states $h(x) + b =^{?}_{\downarrow} x + y$ (start), $b =^{?}_{\downarrow} y$, $h(x) =^{?}_{\downarrow} x + y$ and $0 =^{?}_{\downarrow} 0$, and transitions labelled by the substitutions $\{ x \mapsto h(x) + b,\ y \mapsto h(y) \}$, $\{ x \mapsto h(x),\ y \mapsto h(y) + b \}$, $\{ x \mapsto b,\ y \mapsto h(y) \}$, $\{ y \mapsto b \}$ and $\{ x \mapsto h(x),\ y \mapsto h(y) \}$.]

Algorithm 1: $ACUNh$-decision procedure for a single constant
Require: Asymmetric $ACUNh$-unification problem $S$.
For $S$ construct automata for each equation as outlined in the paragraph "Problems with one constant". Let these be $A_1, A_2, \ldots, A_n$.
"Intersect the automata": Let $A$ be the automaton that recognizes $\bigcap_{i=1}^{n} L(A_i)$.
if $L(A) = \emptyset$ then return 'no solution'
else return a solution.
end if

We express each variable $X$ in terms of the constants as follows: $X = X_{c_1} + \cdots + X_{c_k}$. For example, if $Y$ is a variable and $a, b, c$ are the constants in the problem, then we create the equation $Y = Y_a + Y_b + Y_c$.

If we have an equation $X = h(Y)$ with constants $a, b, c$, then we have the equations $X_a = h(Y_a)$, $X_b = h(Y_b)$ and $X_c = h(Y_c)$. However, if it is an asymmetric equation $X =^{\downarrow} h(Y)$, then $Y_a$, $Y_b$ and $Y_c$ cannot all be zero simultaneously.

Similarly, if the equation to be solved is $X = W + Z$, with $a, b, c$ as constants, we form the equations $X_a = W_a + Z_a$, $X_b = W_b + Z_b$ and $X_c = W_c + Z_c$ and solve these equations. But if it is an asymmetric equation $X =^{\downarrow} W + Z$, then we cannot have $W_a, W_b, W_c$ all zero simultaneously, and similarly with $Z_a, Z_b, Z_c$.

Our approach is to design a nondeterministic algorithm by guessing which constant component in each variable has to be 0, i.e., for each variable $Y$ and each constant $b$, we "flip a coin" as to whether $Y_b$ will be set equal to 0 by the target solution. Now for the case $X =^{\downarrow} W + Z$, we do the following:

for all constants $a$ do:
  if $X_a = W_a = Z_a = 0$ then skip
  else if $W_a = 0$ then set $X_a = Z_a$
  else if $Z_a = 0$ then set $X_a = W_a$
  else (both $W_a$ and $Z_a$ are non-zero) set $X_a =^{\downarrow} W_a + Z_a$

Similarly, for the case $X =^{\downarrow} h(Y)$ we follow these steps:

for all constants $a$ do:
  if $X_a = Y_a = 0$ then skip
  else set $X_a =^{\downarrow} h(Y_a)$

This is summarized in Algorithm 2.

Algorithm 2: Nondeterministic algorithm when we have more than one constant
if there are $m$ variables and $k$ constants then
  represent each variable in terms of its $k$ constant components.
  Guess which constant components have to be 0.
  Form symmetric and asymmetric equations for each constant.
  Solve each set of equations by the deterministic finite automata (DFA) construction as outlined in Algorithm 1.
end if

Thus, it follows that:

Theorem 3.1. Algorithm 2 is a decision procedure for ground asymmetric unification modulo $(R, ACh)$.
Proof. This holds by construction, as outlined in "Problems with one constant" and "Problems with more than one constant".

We now show that general asymmetric unification modulo $ACUNh$, where the solutions need not be ground solutions over the current set of constants, is decidable, by showing that a general solution exists if and only if there is a ground solution in the extended signature where we add an extra constant. We represent each term as a sum of terms of the form $h^i(\alpha)$ where $\alpha$ is either a constant or a variable. The superscript (power) $i$ is referred to as the degree of the simple term $h^i(\alpha)$. The degree of a term is the maximum degree of its summands.

Lemma 3.1
Let $t$ be an irreducible term and $d$ be its degree. Let $Var(t) = \{ X_1, X_2, \ldots, X_n \}$. Suppose $c$ is a constant that does not appear in $t$. Then for any $D > d$, $t\theta$ is irreducible, where $\theta = \{ X_1 \mapsto c,\ X_2 \mapsto h^D(c),\ X_3 \mapsto h^{2D}(c),\ \ldots,\ X_n \mapsto h^{(n-1)D}(c) \}$.

(The linear constant restrictions in Section 5 can also be handled this way: a constant restriction of the form $a \notin X$ can be taken care of by setting $X_a = 0$.)
Lemma 3.2. Let $\Gamma = \{ s_1 \approx^{?}_{\downarrow} t_1, \ldots, s_n \approx^{?}_{\downarrow} t_n \}$ be an asymmetric unification problem. Let $\beta$ be an asymmetric unifier of $\Gamma$ and $V = VRan(\beta) = \{ X_1, \ldots, X_m \}$. Let $D = 1 + \max_{1 \leq i \leq n} degree(s_i\beta, t_i\beta)$, and let $c$ be a constant that does not appear in $\Gamma$. Then, with $\theta = \{ X_1 \mapsto c,\ X_2 \mapsto h^D(c),\ \ldots,\ X_m \mapsto h^{(m-1)D}(c) \}$, the ground substitution $\beta\theta$ is an asymmetric unifier of $\Gamma$.

General solutions over variables, without this extra constant $c$, can be enumerated by back-substituting (abstracting) terms of the form $h^j(c)$ and checking whether the obtained substitutions are indeed solutions to the problem. The exact complexity of this problem is open.

4 An Automaton Approach that Produces Substitutions

In this section we create automata to find all solutions of an $ACUNh$ asymmetric unification problem with constants. We also have linear constant restrictions and disequalities for combination. Our terms will be built from elements in the set described below.
Definition 4.1. Let $C$ be a set of constants and $X$ be a set of variables. Define $H(X, C)$ as the set $\{ h^i(t) \mid t \in X \cup C \}$. We also define $H_n(X, C)$ as $\{ h^i(t) \mid t \in X \cup C,\ i \leq n \}$. For any object $t$ we define $Const(t)$ to be the set of constants in $t$, except for 0. For an object $t$, define $H(t) = H(Var(t), Const(t))$ and $H_n(t) = H_n(Var(t), Const(t))$.

Terms are sums. We often need to talk about the multiset of terms in a sum.

Definition 4.2. Let $t$ be a term whose $R_h$ normal form is $t_1 + \cdots + t_n$. Then we define $mset(t) = \{ t_1, \ldots, t_n \}$. Inversely, if $T = \{ t_1, \ldots, t_n \}$ then $\Sigma T = t_1 + \cdots + t_n$.

A term in normal form modulo $R$ can be described as a sum in the following way.

Theorem 4.1. Let $t$ be a term in $R$ normal form. Then there exists an $H \subseteq H(t)$ such that $t = \Sigma H$.
Proof. Since $t$ is reduced by $h(x + y) \to h(x) + h(y)$, it cannot have an $h$ symbol above a $+$ symbol. So it must be a sum of terms of the form $h^i(s)$ where $i \geq 0$ and $s$ is a constant or a variable. Since $t$ is also reduced by $R$, there can be no duplicates in the sum.

We show that every substitution $\theta$ that is irreducible with respect to $R$ can be represented as a sequence of smaller substitutions, which we will later use to construct an automaton.

Definition 4.3.
Let $\zeta$ be a substitution and $X$ be a set of variables. Then $\zeta$ is a zero substitution on $X$ if $Dom(\zeta) \subseteq X$ and $x\zeta = 0$ for all $x \in Dom(\zeta)$.

Theorem 4.2. Let $t$ be an object and $\theta$ be a ground substitution in $R$ normal form, such that $Dom(\theta) = Var(t)$. Let $m$ be the maximum degree in $mset(Ran(\theta))$. Then there are substitutions $\zeta, \theta_0, \ldots, \theta_m$ such that
1. $\zeta$ is a zero substitution on $Dom(\theta)$,
2. $\zeta\theta_0 \cdots \theta_m = \theta$,
3. $Dom(\theta_i) = Var(t\zeta\theta_0 \cdots \theta_{i-1})$,
4. for all $i$ and all variables $x$ in $Dom(\theta_i)$, $x\theta_i = \Sigma T$ for some nonempty $T \subseteq Const(Ran(\theta)) \cup \{ h(x) \}$.

Proof. By the previous theorem, we know that each $x\theta$ is a sum of $h$-terms or is 0. Then $\zeta$ and $\theta_i$ can be defined as follows, where $S_x = mset(x\theta)$ and $S^i_x$ is the set of terms in $S_x$ with degree $i$:
– If $x\theta = 0$ then $x\zeta = 0$, else $x\zeta = x$.
– For all $x \in Dom(\theta_i)$:
  • If the maximum degree of $S_x$ is $i$ then $x\theta_i = \Sigma S^i_x$.
  • If no terms in $S_x$ have degree $i$ then $x\theta_i = h(x)$.
  • If $S_x$ has terms of degree $i$ and also terms of degree greater than $i$ then $x\theta_i = h(x) + \Sigma S^i_x$.

In the rest of this section we will be considering the $ACUNh$ asymmetric equation $u =^{?}_{\downarrow} v$, where $u$ and $v$ are in $R$ normal form, and we will build an automaton to represent all the solutions of $u =^{?}_{\downarrow} v$. We will need the following definitions.

Definition 4.4. Let $t$ be an object. Define $loseh(t) = \Sigma\{ h^i(t') \mid h^{i+1}(t') \in mset(t\downarrow_{R_h}) \}$.

In the next four automata definitions we will use the following notation. Let $P$ be a set of $ACUNh$ asymmetric equations. Let $m$ be the maximum degree of terms in $P$. Let $\Theta$ be the set of all substitutions $\theta$ such that $Dom(\theta) \subseteq Var(P)$ and for all $x \in Dom(\theta)$, $x\theta = \Sigma T$ where $T$ is a nonempty subset of $Const(P) \cup \{ h(x) \}$. Let $u =^{?}_{\downarrow} v$ be an $ACUNh$ asymmetric equation. First we define an automaton to solve the $ACUNh$ asymmetric unification problem with constants.
Definition 4.5. The automaton $M(u =^{?}_{\downarrow} v, P)$ consists of the quintuple $(Q, q_{u =^{?}_{\downarrow} v}, F, \Theta, \delta)$, where $Q$ is the set of states, $q_{u =^{?}_{\downarrow} v}$ is the start state, $F$ is the set of accepting states, $\Theta$ is the alphabet, and $\delta$ is the transition function, defined as follows:
– $Q$ is a set of states of the form $q_{s =^{?}_{\downarrow} t}$, where $s = \Sigma S$ and $t = \Sigma T$, for some subsets $S$ and $T$ of $H_m(P)$.
– $F = \{ q_{s =^{?}_{\downarrow} t} \in Q \mid mset(s) = mset(t) \}$.
– $\delta : Q \times \Theta \to Q$ such that $\delta(q_{s =^{?}_{\downarrow} t}, \theta) = q_{loseh((s\theta)\downarrow_R) =^{?}_{\downarrow} loseh(t\theta)}$ if $Dom(\theta) = Var(s =^{?}_{\downarrow} t)$, $mset((s\theta)\downarrow_R) \cap H(P) = mset(t\theta) \cap H(P)$, and $mset(t\theta)$ contains no duplicates.

Next we define an automaton to solve linear constant restrictions.

Definition 4.6. Let $\mathcal{R}$ be a set of linear constant restrictions of the form $(x, c)$. $M_{LCR}(\mathcal{R}, P) = (\{ q_0 \}, q_0, \{ q_0 \}, \Theta, \delta_{LCR})$ where $\delta_{LCR}(q_0, \theta) = q_0$ if for all variables $x$ and all $(x, c) \in \mathcal{R}$, $c \notin Const(x\theta)$.

Next we define an automaton to solve disequalities between a variable and a constant.

Definition 4.7. Let $D$ be a set of disequalities of the form $x \neq c$ where $x$ is a variable and $c$ is a constant. $M_{VC}(D, P) = (\{ q_0, q_1 \}, q_0, \{ q_0, q_1 \}, \Theta, \delta_{VC})$ where $\delta_{VC}(q_0, \theta) = q_1$ if for all variables $x$ and all $x \neq c \in D$, $x\theta \neq c$. Also $\delta_{VC}(q_1, \theta) = q_1$.

Finally we define automata for solving disequalities between variables.

Definition 4.8. Let $x$ and $y$ be variables. Then $M_{VV}(x \neq y, P) = (\{ q_0, q_1 \}, q_0, \{ q_1 \}, \Theta, \delta_{x \neq y})$ where $\delta_{x \neq y}(q_0, \theta) = q_0$ if $mset(x\theta) = T \cup \{ h(x) \}$ and $mset(y\theta) = T \cup \{ h(y) \}$ for some $T$ (the two sides still agree). Also $\delta_{x \neq y}(q_0, \theta) = q_1$ if $mset(x\theta) \neq mset(y\theta)$ and $mset(x\theta)[x \mapsto y] \neq mset(y\theta)$ (the two sides have been made different), and $q_1$ loops on every $\theta$.

These are all valid automata. In particular, the first automaton described has a finite number of states, and each transition yields a state in the automaton. Now we show that these automata can be used to find all asymmetric $ACUNh$ unifiers. We need a few properties before we show our main theorem, that the constructed automaton finds all solutions.
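To make Definition 4.5 concrete, the following is an added example (not the paper's code) that implements the transition function $\delta$ on the page's own problem $h(x) + b =^{?}_{\downarrow} x + y$ (the one drawn in Figure 5b) and enumerates the accepted strings up to a length bound, composing the letters into ground unifiers. Terms in $R$-normal form are stored as sets of $(i, \text{base})$ pairs standing for $h^i(\text{base})$; the $\cap H(P)$ condition is implemented as "the degree-0 (constant) parts of $(s\theta)\downarrow_R$ and $t\theta$ agree", following the proof of Lemma 4.4; the fresh constant $c$ of $P'$ is left out because, as the page notes for this example, it never labels a transition; and the only zero substitution tried is the identity, which the page also notes is the only one that keeps $x + y$ irreducible. The names `VARS`, `CONSTS`, `letters`, `solutions` and `is_asym_unifier` are assumptions of this example.

```python
"""Solution-generating automaton M(u =?↓ v, P) for the asymmetric ACUNh
equation h(x) + b =?↓ x + y (added example; names below are assumptions).

A term in R-normal form is a set of simple terms h^i(base), stored as
(i, base) pairs; '+' on such sets is symmetric difference (x + x -> 0).
A letter theta of the alphabet Θ maps every variable of the current state
to a non-empty subset of Const(P) ∪ {h(x)}."""
from itertools import combinations, product

VARS = {"x", "y"}                      # variables of the example problem
CONSTS = {"b"}                         # constants of the example problem
LHS = {(1, "x"), (0, "b")}             # h(x) + b
RHS = {(0, "x"), (0, "y")}             # x + y  (must stay irreducible)


def subst_raw(term, theta):
    """Apply theta to a sum; returns the *multiset* (list) before cancelling."""
    return [(i + j, b) for i, base in term
            for j, b in theta.get(base, {(0, base)})]


def normalize(summands):
    """R-normal form of a multiset of simple terms: x + x -> 0 cancels pairs."""
    out = set()
    for s in summands:
        out ^= {s}
    return frozenset(out)


def variables(term):
    return {base for _, base in term if base in VARS}


def loseh(term):
    """Definition 4.4: drop the degree-0 summands and peel one h off the rest."""
    return frozenset((i - 1, b) for i, b in term if i > 0)


def letters(state):
    """Alphabet Θ restricted to Dom(theta) = Var(s =?↓ t) for the state (s, t)."""
    dom = sorted(variables(state[0]) | variables(state[1]))
    per_var = []
    for x in dom:
        atoms = [(0, c) for c in sorted(CONSTS)] + [(1, x)]      # Const(P) ∪ {h(x)}
        per_var.append([frozenset(T) for r in range(1, len(atoms) + 1)
                        for T in combinations(atoms, r)])
    return [dict(zip(dom, choice)) for choice in product(*per_var)]


def step(state, theta):
    """Transition function delta of Definition 4.5; None means no transition."""
    s, t = state
    s_new = normalize(subst_raw(s, theta))
    t_raw = subst_raw(t, theta)
    if len(t_raw) != len(set(t_raw)):
        return None                    # t·theta has a duplicate: reducible (Lemma 4.3)
    t_new = frozenset(t_raw)
    if {b for i, b in s_new if i == 0} != {b for i, b in t_new if i == 0}:
        return None                    # constant parts disagree: never unifiable (Lemma 4.2)
    return (loseh(s_new), loseh(t_new))


def accepting(state):
    return state[0] == state[1]        # F = { q_{s =?↓ t} | mset(s) = mset(t) }


def is_asym_unifier(lhs, rhs, sigma):
    """Independent check of Definition 2.3: lhs·sigma =_ACUNh rhs·sigma and
    rhs·sigma is in R-normal form (no duplicate summand, no variable sent to 0)."""
    r_raw = subst_raw(rhs, sigma)
    return (normalize(subst_raw(lhs, sigma)) == frozenset(r_raw)
            and len(r_raw) == len(set(r_raw))
            and all(sigma[x] for x in variables(rhs)))


def solutions(lhs, rhs, max_len):
    """Enumerate accepted strings theta_0 ... theta_k (k < max_len) from the
    start state and return the unifiers they compose to.  The zero substitution
    is the identity: zeroing x or y would put a 0 into the right-hand side."""
    found = []

    def dfs(state, sigma, depth):
        if accepting(state):
            found.append(dict(sigma))
            return
        if depth == max_len:
            return
        for theta in letters(state):
            nxt = step(state, theta)
            if nxt is not None:
                composed = {x: normalize(subst_raw(sigma[x], theta)) for x in sigma}
                dfs(nxt, composed, depth + 1)

    dfs((frozenset(lhs), frozenset(rhs)), {x: frozenset({(0, x)}) for x in VARS}, 0)
    return found


if __name__ == "__main__":
    for sol in solutions(LHS, RHS, 4):
        print({x: sorted(sol[x]) for x in sorted(sol)}, is_asym_unifier(LHS, RHS, sol))
```

Running it reproduces the structure of Figure 5b: the letter $\{ x \mapsto h(x) + b,\ y \mapsto h(y) \}$ is a self-loop on the start state, $\{ x \mapsto b,\ y \mapsto h(y) \}$ leads to $b =^{?}_{\downarrow} y$, and $\{ y \mapsto b \}$ from there reaches the accepting state $0 =^{?}_{\downarrow} 0$. Each trip around the self-loop adds one summand, so with bound 4 the enumeration returns $\{ x \mapsto b,\ y \mapsto h(b) \}$, $\{ x \mapsto b + h(b),\ y \mapsto h^2(b) \}$ and $\{ x \mapsto b + h(b) + h^2(b),\ y \mapsto h^3(b) \}$, which is the cycle-on-a-path-to-acceptance situation the page uses to show that asymmetric $ACUNh$-unification is not finitary.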
Lemma 4.1. Let $t$ be an object and $\theta$ be a substitution such that, for all $x \in Var(t)$, $mset(x\theta)$ does not contain a variable. Then $mset(t\theta)$ does not contain a variable.
Proof. Consider $s \in mset(t)$. If $s$ is not a variable then $s\theta$ is not a variable. If $s$ is a variable, then, by our hypothesis, $s\theta$ is not a variable.

Lemma 4.2. Let $s =^{?}_{\downarrow} t$ be an $ACUNh$ asymmetric unification equation in $P$, where $mset(s)$ and $mset(t)$ contain no variables and $mset(s\downarrow_R) \cap H(P) \neq mset(t) \cap H(P)$. Then for all substitutions $\sigma$, $s\sigma$ and $t\sigma$ are not unifiable.
Proof. $s$ and $t$ are not unifiable because, wlog, some constant occurs in $mset(s\downarrow_R)$ with a multiplicity it does not have in $mset(t\downarrow_R)$. When we apply a substitution, that same constant will appear in $mset((s\sigma)\downarrow_R)$ but not in $mset((t\sigma)\downarrow_R)$, since $mset(s)$ and $mset(t)$ contain no variables. So $s\sigma$ and $t\sigma$ are not unifiable.

Lemma 4.3. Let $t$ be such that $mset(t)$ contains a duplicate. Then for all $\sigma$, $t\sigma$ is reducible by $R$.
Proof. We know $t$ is reducible by $R$ because $mset(t)$ contains a duplicate. But then $t\sigma$ also contains a duplicate.

Lemma 4.4. Let $s =^{?}_{\downarrow} t$ be an $ACUNh$ asymmetric unification equation in $P$, such that $mset(s)$ and $mset(t)$ contain no variables. Suppose also that $mset(s\downarrow_R) \cap H(P) = mset(t) \cap H(P)$ and $mset(t)$ contains no duplicates. Then $\sigma$ is an $ACUNh$ asymmetric unifier of $s =^{?}_{\downarrow} t$ if and only if $\sigma$ is an $ACUNh$ asymmetric unifier of $loseh(s\downarrow_R) =^{?}_{\downarrow} loseh(t)$.
Proof. Let $s' = loseh(s\downarrow_R)$ and $t' = loseh(t)$. If $mset(s')$ and $mset(t')$ contain no constants, then $s =^{?}_{\downarrow} t$ and $s' =^{?}_{\downarrow} t'$ have the same solutions. Since $mset(s)$ and $mset(t)$ contain no variables, the multiset of constants in $s$ is the same as the multiset of constants in $s\sigma$. Similarly for $t$ and $t\sigma$. Therefore $s =^{?}_{\downarrow} t$ has the same solutions as $s' =^{?}_{\downarrow} t'$.

Theorem 4.3.
Let $P$ be a set of asymmetric ACUNh equations, such that all terms in $P$ are reduced by $R$. Let $\theta$ be a substitution which is reduced by $R$. Let $R$ be a set of linear constant restrictions (the set of restrictions handed to $M_{LCR}$ below, not the rewrite system). Let $D$ be a set of variable/constant disequalities. Let $D'$ be a set of variable/variable disequalities. Then $\theta$ is a solution to $P$ if and only if there exists a zero substitution $\zeta$ on $P$ such that all right-hand sides in $P\zeta$ are irreducible, and a sequence of substitutions $\theta_1, \dots, \theta_m$ such that $\theta \le \zeta\theta_1 \cdots \theta_m$ and

1. The string $\theta_1 \cdots \theta_m$ is accepted by $M(((u =^?_{\downarrow} v)\zeta){\downarrow_R},\, P'\zeta)$ for all $u =^?_{\downarrow} v \in P$.
2. The string $\theta_1 \cdots \theta_m$ is accepted by $M_{LCR}(R, P'\zeta)$.
3. The string $\theta_1 \cdots \theta_m$ is accepted by $M_{VC}(D, P'\zeta)$.
4. The string $\theta_1 \cdots \theta_m$ is accepted by $M_{VV}(x \neq y, P'\zeta)$ for all $x \neq y \in D'$.

where $P' = P \cup \{c =^?_{\downarrow} c\}$ for a fresh constant $c$.

Proof. First we show that Item 1 holds for a ground substitution $\theta$ reduced by $R$. By the previous theorem, $\theta$ can be represented as $\zeta\theta_1 \cdots \theta_m$. We show by induction that, for all $i$, if $\theta = \zeta\theta_1 \cdots \theta_i$ and $\delta(q_{(u =^?_{\downarrow} v)\zeta}, \theta_1 \cdots \theta_i) = q_{s =^?_{\downarrow} t}$, then $\theta\sigma$ is an asymmetric ACUNh unifier of $u =^?_{\downarrow} v$ if and only if $\sigma$ is an asymmetric ACUNh unifier of $s =^?_{\downarrow} t$. In the base case, $\theta = \zeta$ and $(s =^?_{\downarrow} t) = (u =^?_{\downarrow} v)\zeta$, so it is true. For the inductive step, we assume the statement is true for $i$ and prove it for $i+1$. Let $\sigma$ be an arbitrary substitution, and instantiate the $\sigma$ of the inductive assumption with $\theta_{i+1}\sigma$, where $\theta = \zeta\theta_1 \cdots \theta_i$. Our assumption implies that $\theta\theta_{i+1}\sigma$ is an asymmetric ACUNh unifier of $u =^?_{\downarrow} v$ if and only if $\theta_{i+1}\sigma$ is an asymmetric ACUNh unifier of $s =^?_{\downarrow} t$ (i.e., $\sigma$ is an asymmetric ACUNh unifier of $(s =^?_{\downarrow} t)\theta_{i+1}$). If we can now show that $\sigma$ is an asymmetric ACUNh unifier of $(s =^?_{\downarrow} t)\theta_{i+1}$ if and only if $\sigma$ is an ACUNh unifier of $loseh(s\theta_{i+1}) =^?_{\downarrow} loseh(t\theta_{i+1})$, and that $mset(s\theta_{i+1}) \cap H(P') = mset(t\theta_{i+1}) \cap H(P')$ and $mset(t\theta_{i+1})$ contains no duplicates, then we are done. By Lemma 4.1, we know that $mset((s =^?_{\downarrow} t)\theta_{i+1})$ contains no variables. Then we apply Lemma 4.4 to prove the induction step. This proves our inductive statement.

If $\theta$ is not an asymmetric ACUNh unifier of $u =^?_{\downarrow} v$, then Lemmas 4.2 and 4.3 imply that the transition function will not be applicable at some point. Our inductive statement shows that $\theta$ is an asymmetric ACUNh unifier of $u =^?_{\downarrow} v$ if and only if there is a final state with $id$ as an asymmetric ACUNh unifier, which will be an accepting state. This concludes the case for a ground substitution $\theta$. If $\theta$ is not ground, then the fact that $P'$ contains a fresh constant $c$ means that we create substitutions with an additional constant. We have already shown in this paper that nonground solutions are generalizations of solutions involving one additional constant. It is straightforward to see that the other automata only accept valid solutions of linear constant restrictions and disequations.

If desired, we could intersect all the automata, yielding an automaton representing all the solutions of the problem (think of the results after applying $\zeta$ as a set of initial states). This shows that the set of solutions can be represented by a regular language, with or without LCRs and disequalities. If we only want to decide asymmetric unification, we just check whether an accepting state is reachable from an initial state. We could enumerate all the solutions by finding all accepting states reachable in 1 step, 2 steps, etc. If there is a cycle on a path to an accepting state, then there are infinitely many solutions; otherwise there are only finitely many. This finds all the ground substitutions. To find all solutions, we generalize the solutions we find and check them. Indeed, the only terms that need to be generalized are those containing $c$. This is decidable because there are only finitely many generalizations.

In Figure (5b), we show the automaton created for the problem $h(x) + b =^?_{\downarrow} x + y$, without linear constant restrictions and disequality constraints. In this example, the only zero substitution that works is the identity. Notice that $c$ never appears in the domain of a substitution, because no such substitution satisfies the conditions for the transition function. This leads to the following theorem.

Theorem 4.4.
Asymmetric ACUNh unification with constants is not finitary.

Proof. The automaton constructed for $h(x) + b =^?_{\downarrow} x + y$ has a cycle on a path to an accepting state. Therefore there are infinitely many solutions. Since $c$ does not occur in the range of any solution, all the solutions are ground. So no solution can be more general than another one, which means this infinite set of solutions is also a minimal complete set of solutions.

In order to obtain a general asymmetric ACUNh-unification decision procedure we need to add free function symbols. We can do this by using disjoint combination. The problem of asymmetric unification in the combination of disjoint theories was studied in [7], where an algorithm is developed for the problem. However, the algorithm of [7] does not immediately apply to the two methods developed in this paper, because of the nature of the two automata-based approaches. More formally, let $\Delta_1$ and $\Delta_2$ denote two equational theories with disjoint signatures $\Sigma_1$ and $\Sigma_2$. Let $\Delta$ be the combination, $\Delta = \Delta_1 \cup \Delta_2$, of the two theories, having signature $\Sigma_1 \cup \Sigma_2$. The algorithm of [7] solves the asymmetric $\Delta$-unification problem. It assumes that there exists a finitary complete asymmetric $\Delta_i$-unification algorithm with linear constant restrictions, $A_i$. Based on this assumption the algorithm is able to check the solutions produced by the $A_1$ and $A_2$ algorithms for the theory-preserving and injective properties, discarding those that are not. A substitution $\sigma_i$ is injective modulo $\Delta_i$ if $x\sigma_i =_{\Delta_i} y\sigma_i$ iff $x = y$, and $\sigma_i$ is theory preserving if for any variable $x$ of index $i$, $x\sigma_i$ is not a variable of index $j \neq i$. For the automaton it is not always possible to check solutions; however, it is possible to build constraints into the automaton that enforce these conditions. Algorithm 3 is a modification of the algorithm from [7] with the following properties:

– $\Delta_1 = $ ACUNh and $\Delta_2 = F_\Omega$, for some free theory $F_\Omega$ with symbols $\Omega$.
– For each $\Delta_1$-pure problem, partition, and theory index, an automaton is constructed enforcing the injective and theory-preserving restrictions. Since these restrictions are built into the automata, the only $\Delta_1$ solutions produced will be both theory preserving and injective.
– The solution produced by the $F_\Omega$ algorithm is checked as in the original algorithm. If the solution is found not to be injective or theory preserving it is discarded.

The new modified version is presented in Algorithm 3 (included in the appendix due to space). Given the decision procedure of Section 3 we obtain the following.

Theorem 5.1.
Assume there exists an asymmetric ACUNh decision procedure that enforces linear constant restrictions, theory indexes, and injectivity. Then Algorithm 3 is a general asymmetric ACUNh decision procedure.

Proof. The result follows directly from the proof contained in [7]. There it is shown that the combination algorithm is both sound and complete. The only modification is that in [7] the combination algorithm checks the $\Delta_1$ solutions for the properties of being injective and theory preserving, while in Algorithm 3 it is assumed that the algorithm $A_1$ itself will enforce these restrictions.

If instead of a decision procedure we want to obtain a general asymmetric ACUNh unification algorithm, we can use the automata-based algorithm from Section 4 and again a modification of the asymmetric combination algorithm of [7]. Here the modification to the combination algorithm is even smaller: we just remove the check on injective and theory-preserving substitutions, since these restrictions are again enforced by the automata. The solutions to the ACUNh and the free theory are combined as is done in [7], since they obey the same linear constant restrictions. Since asymmetric ACUNh unification with constants is not finitary (Theorem 4.4), the general asymmetric ACUNh unification algorithm will not in general produce a finite set of solutions. However, based on the algorithm of Section 4 we easily obtain the following result.
Theorem 5.2.
Assume there exists an asymmetric ACUNh algorithm that enforces linear constant restrictions, theory indexes and injectivity, and produces a complete set of unifiers. Then there exists a general asymmetric ACUNh algorithm producing a complete set of unifiers.
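The non-finitary behaviour that Theorem 4.4 establishes, and that the general algorithm of Theorem 5.2 therefore inherits, can be checked concretely with a small normaliser for the decomposition $R \uplus ACh$. The Python code below is an added example and not the paper's implementation or its automaton: the term encoding, the monomial representation of normal forms, the reducibility test and the hand-derived solution family $x_n = b + h(b) + \dots + h^n(b)$, $y_n = h^{n+1}(b)$ are all constructions of this example. It normalises terms modulo $R \cup R_h$ and AC, decides whether an instantiated right-hand side is still $R,ACh$-irreducible, and shows that the family yields infinitely many pairwise distinct ground asymmetric unifiers of $h(x) + b =^?_{\downarrow} x + y$, while an ordinary ACUNh unifier such as $x \mapsto h(b)$, $y \mapsto h(h(b)) + b + h(b)$ is rejected because it leaves $x + y$ reducible by $x + x \to 0$.

```python
"""ACUNh terms and the decomposition R ⊎ ACh, R = {x+0 -> x, x+x -> 0, h(0) -> 0},
with the homomorphism rule h(x+y) -> h(x)+h(y) (R_h) treated as in Appendix A.
Encoding (constructed for this example): '0', atoms as strings (upper-case = variable,
lower-case = constant), ('h', t) and ('+', t1, t2)."""
from collections import Counter
from itertools import combinations

ZERO = '0'

def h(t):
    return ('h', t)

def plus(*ts):
    acc = ts[0]                       # left-nested; AC makes the shape irrelevant
    for t in ts[1:]:
        acc = ('+', acc, t)
    return acc

def h_pow(n, t):
    for _ in range(n):
        t = h(t)
    return t

def is_ground(t):
    if isinstance(t, tuple):
        return all(is_ground(a) for a in t[1:])
    return not t[:1].isupper()

def summands(t):
    """Flatten the + spine of t modulo AC into its non-+ summands."""
    if isinstance(t, tuple) and t[0] == '+':
        return summands(t[1]) + summands(t[2])
    return [t]

def rh_monomials(t):
    """Multiset of monomials (i, a) = h^i(a) of t's normal form modulo R_h and AC.
    R_h only pushes h through +; it never cancels and never removes 0."""
    if isinstance(t, tuple):
        if t[0] == 'h':
            return Counter({(i + 1, a): n for (i, a), n in rh_monomials(t[1]).items()})
        return rh_monomials(t[1]) + rh_monomials(t[2])
    return Counter({(0, t): 1})

def acunh_nf(t):
    """Normal form modulo R ∪ R_h and AC, i.e. modulo ACUNh: x+x -> 0 drops even
    multiplicities, x+0 -> x and h(0) -> 0 drop every monomial over the atom 0."""
    return frozenset(m for m, n in rh_monomials(t).items() if n % 2 == 1 and m[1] != ZERO)

def apply_subst(sigma, t):
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply_subst(sigma, a) for a in t[1:])
    return sigma.get(t, t)

def reducible(t):
    """Is t reducible by R modulo ACh at some position? A sub-sum of a + spine matches
    x+x modulo ACh iff its R_h-normal form is v+v, i.e. every monomial has even
    multiplicity (the argument of Corollaries A.2.1 and A.3.1); x+0 needs a literal 0
    summand; h(0) is matched only by h(0) itself, since ACh has no axiom involving 0."""
    if not isinstance(t, tuple):
        return False
    if t[0] == 'h':
        return t[1] == ZERO or reducible(t[1])
    args = summands(t)
    if ZERO in args:
        return True
    for k in range(1, len(args) + 1):          # brute force over sub-sums (small terms only)
        for sub in combinations(args, k):
            total = sum((rh_monomials(a) for a in sub), Counter())
            if all(n % 2 == 0 for n in total.values()):
                return True
    return any(reducible(a) for a in args)

def is_asym_unifier(s, t, sigma):
    """sigma solves s =?↓ t asymmetrically: s·sigma =_ACUNh t·sigma and t·sigma is R,ACh-irreducible."""
    s1, t1 = apply_subst(sigma, s), apply_subst(sigma, t)
    return acunh_nf(s1) == acunh_nf(t1) and not reducible(t1)

# The problem of Theorem 4.4: h(X) + b =?↓ X + Y
S = plus(h('X'), 'b')
T = plus('X', 'Y')

def family(n):
    """Ground solution number n (hand-derived for this example): X = b + h(b) + ... + h^n(b),
    Y = h^(n+1)(b). Each instance leaves X + Y a sum of distinct monomials, hence irreducible."""
    return {'X': plus(*[h_pow(i, 'b') for i in range(n + 1)]), 'Y': h_pow(n + 1, 'b')}

def distinct_ground_solutions(nmax):
    """Normal forms of the first nmax solutions: all ground and pairwise different, so none is
    more general than another, as the proof of Theorem 4.4 states."""
    sols = [family(n) for n in range(nmax)]
    assert all(is_ground(s['X']) and is_ground(s['Y']) for s in sols)
    return {(acunh_nf(s['X']), acunh_nf(s['Y'])) for s in sols}

# An ACUNh unifier that is NOT asymmetric: X = h(b), Y = h(h(b)) + b + h(b) makes the
# instantiated right-hand side h(b) + (h(h(b)) + b + h(b)) reducible by x+x -> 0.
NOT_ASYM = {'X': h('b'), 'Y': plus(h(h('b')), 'b', h('b'))}

if __name__ == '__main__':
    for n in range(4):
        print(n, is_asym_unifier(S, T, family(n)))
    print('NOT_ASYM equal modulo ACUNh:',
          acunh_nf(apply_subst(NOT_ASYM, S)) == acunh_nf(apply_subst(NOT_ASYM, T)),
          'asymmetric:', is_asym_unifier(S, T, NOT_ASYM))
```

The reducibility test enumerates sub-sums, which is exponential in the number of summands; that is adequate for checking individual unifiers of this size, but a decision procedure would use the automaton of Section 4 rather than this check.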
We have provided a decision procedure and an algorithm for asymmetric unification modulo ACUNh using a decomposition $R \uplus ACh$. This is the first example of an asymmetric unification algorithm for a theory in which unification modulo the set $\Delta$ of axioms is undecidable. It also has some practical advantages: it is possible to tell by inspection of the automaton used to construct unifiers whether or not a problem has a finitary solution. Moreover, the construction of the automaton gives us a natural way of enumerating solutions: simply traverse one of the loops one more time to get the next unifier.

There are a number of ways in which we could extend this work. For example, the logical next step is to consider the decidability of asymmetric unification of AGh with $\Delta = ACh$. If the methods we used for ACUNh extend to AGh, then we have an asymmetric unification algorithm for AGh, although with $\Delta = ACh$ instead of AC. On the other hand, if we can prove undecidability of asymmetric unification for AGh with $\Delta = ACh$ as well as with $\Delta = AC$, this could give us new understanding of the problem that might allow us to obtain more general results. Either way, we expect the results to give increased understanding of asymmetric unification when homomorphic encryption is involved.

Bibliography

[1] Baader, F., Snyder, W.: Unification theory. Handbook of Automated Reasoning 1, 445–532 (2001)
[2] Büchi, J.R.: Weak second-order arithmetic and finite automata. Mathematical Logic Quarterly 6(1-6), 66–92 (1960)
[3] Chaum, D.: Blind signature system. In: Proceedings of CRYPTO '83, p. 153 (1983)
[4] Comon-Lundh, H., Delaune, S.: The finite variant property: how to get rid of some algebraic properties. In: Proc. RTA'05, LNCS 3467, pp. 294–307. Springer (2005)
[5] Elgot, C.C.: Decision problems of finite automata design and related arithmetics. Transactions of the American Mathematical Society 98(1), 21–51 (1961)
[6] Erbatur, S., Escobar, S., Kapur, D., Liu, Z., Lynch, C.A., Meadows, C., Meseguer, J., Narendran, P., Santiago, S., Sasse, R.: Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis. In: Automated Deduction (CADE-24), LNCS, vol. 7898, pp. 231–248 (2013)
[7] Erbatur, S., Kapur, D., Marshall, A.M., Meadows, C.A., Narendran, P., Ringeissen, C.: On asymmetric unification and the combination problem in disjoint theories. In: Foundations of Software Science and Computation Structures (FOSSACS-17), LNCS, vol. 8412, pp. 274–288 (2014)
[8] Escobar, S., Meseguer, J., Sasse, R.: Variant narrowing and equational unification. Electronic Notes in Theoretical Computer Science 238(3), 103–119 (2009)
[9] Klaedtke, F., Ruess, H.: Parikh automata and monadic second-order logics with linear cardinality constraints (2002)
[10] Narendran, P.: Solving linear equations over polynomial semirings. In: Proceedings, 11th Annual IEEE Symposium on Logic in Computer Science, New Brunswick, New Jersey, USA, July 27-30, 1996, pp. 466–472. IEEE Computer Society (1996)
[11] Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Proceedings of EUROCRYPT '99, pp. 223–238 (1999), https://doi.org/10.1007/3-540-48910-X_16
[12] Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978), http://doi.acm.org/10.1145/359340.359342
[13] Vardi, M.Y., Wilke, T.: Automata: From Logics to Algorithms. Logic and Automata 2, 629–736 (2008)
A Proof of R , ACh convergence
A.1 R is ACh -convergent
To begin with let us show that the rewrite relation $\to_{R/ACh}$ is terminating.

Lemma A.1 $\to_{R/ACh}$ is terminating.

Proof. We use a polynomial interpretation. The signature of $R$ is $\Sigma = \{+, h, 0\}$. We take the polynomial interpretation $P_h = \ast X$, $P_0 = $, $P_+ = X + Y$. It is not hard to see that the rewrite rules are decreasing and the identities are preserved under this interpretation. Hence $\to_{R,ACh}$ is terminating.

The identities in ACh can be further decomposed, retaining associativity and commutativity as the identities $\Delta$ and viewing the other identity as a rewrite rule $R_h$. Thus $R_h$ is the term rewriting system $h(x + y) \to h(x) + h(y)$ with the identities AC: $(x + y) + z \approx x + (y + z)$, $x + y \approx y + x$. Note that the full system is $R \cup R_h$, so $\to_{R \cup R_h,AC} = \to_{R,AC} \cup \to_{R_h,AC}$. All these term rewriting systems, $R$, $R_h$ and $R \cup R_h$, are AC-convergent.

We define some terms which will be used later.

Definition A.1. A term is a +-term if and only if it has only variables and constants, and no occurrences of $h$.

Definition A.2. A term is a pure +-term if and only if it is a +-term with no constants (i.e., it belongs to $T(\{+\}, V)$).

In order to prove that $R$ is ACh-convergent we first prove the following lemmas:
Lemma A.2 If $s$ and $t$ are irreducible by $\to_{R_h,AC}$, then so is $s + t$.

Proof. The only rule in $R_h$ has $h$ as the root of its left-hand side. Hence for the term $s + t$ no reduction at the root is possible, and none inside $s$ or $t$ by assumption.

Corollary A.2.1 $(s + t){\downarrow_{R_h,AC}} = s{\downarrow_{R_h,AC}} + t{\downarrow_{R_h,AC}}$

Lemma A.3 If $s$ is a +-term, then $s$ ACh-matches $t$ if and only if $s$ AC-matches $t{\downarrow_{R_h,AC}}$.

Proof. Since $s$ is a +-term, $s$ is of the form $Y_1 + \dots + Y_n + c_1 + \dots + c_m$, where the $Y_i$ need not be distinct. Let $t'$ be the normal form of $t$ modulo $R_h$, i.e., $t' = t{\downarrow_{R_h,AC}}$.

"if" part: if $s$ AC-matches $t'$, then $s$ ACh-matches $t$. Let $\theta$ be a matching substitution such that $s\theta \approx_{AC} t'$. The substitution $\theta$ also ACh-matches $s$ with $t$, i.e., $s\theta \approx_{ACh} t$, because AC is a subset of ACh and $t \approx_{ACh} t'$.

"only if" part: if $s$ ACh-matches $t$, then $s$ AC-matches $t'$. Suppose $s\sigma \approx_{ACh} t$, where $\sigma$ is a substitution. Let $\sigma'$ be the substitution defined as $z\sigma' = z\sigma{\downarrow_{R_h,AC}}$ for all $z \in Dom(\sigma)$. We now show that $s\sigma' \approx_{AC} t'$. By Corollary A.2.1, $s\sigma' = s\sigma{\downarrow_{R_h,AC}}$, i.e., $s\sigma \to^!_{R_h,AC} s\sigma'$. Since $R_h$ is AC-convergent and $s\sigma \approx_{ACh} t$, the two terms have the same $R_h$-normal form modulo AC, so $s\sigma' \approx_{AC} t'$.

Corollary A.3.1 A term $s$ is reducible at the root (i.e., at position $\varepsilon$) by $\to_{R,ACh}$ if and only if $s{\downarrow_{R_h,AC}}$ is reducible at the root by $\to_{R,AC}$.

Lemma A.4
If $s$ is a pure +-term, then $s$ ACh-matches $h(t)$ if and only if $s$ ACh-matches $t$.

Proof. For the "if" part, let $\theta$ be the matching substitution. Then the substitution $\theta'$, defined as $y\theta' = h(y\theta)$ for all $y$, matches $s$ with $h(t)$. For the "only if" part, suppose $\beta$ is a substitution that ACh-matches $s$ with $h(t)$. We can assume without loss of generality that $t$ is a ground term. Since $R_h$ is AC-convergent, we can also assume that the normal form of $h(t)$ modulo $\to_{R_h,AC}$ is of the form $h^{i_1}(a_1) + \dots + h^{i_n}(a_n)$ where the $a_j$ are constants and each exponent $i_j$ is a positive integer. Therefore for each variable $X_k$, $X_k\beta \approx_{ACh} h(t_k)$ for some ground term $t_k$. Thus $\beta'$, defined as $y\beta' = s'$ if $y\beta \approx_{ACh} h(s')$, will match $s$ with $t$.

Lemma A.5 If $s$ is a +-term and $s$ ACh-matches $h(t)$, then $s$ ACh-matches $t$.

Proof. Since $s$ is a +-term, $s$ must be of the form $X_1 + \dots + X_m + b_1 + \dots + b_n$ where some of the $X_i$ can be equal (i.e., variables can be repeated). However, clearly $s$ cannot have constants, since every constant in the $R_h$-normal form of $h(t)$ occurs below an $h$; thus $s$ must be a pure +-term. The rest of the proof follows from the "only if" part of the previous lemma.

Lemma A.6
For all $t$, $s$, $t''$: if $t$ is reducible at the root (i.e., at position $\varepsilon$) by $\to_{R,ACh}$ and $t'' \approx_{AC} t + s$, then $t''$ is also reducible by $\to_{R,ACh}$.

Proof. Suppose $t \approx_{ACh} l\sigma$ where $\sigma$ is a substitution and $l \to r \in R$. The case where $l = h(0)$ is trivial. Suppose $l$ is the left-hand side of one of the other rules. Then $l$ is a +-term. Let $\hat t = t{\downarrow_{R_h,AC}}$. By the proof of Lemma A.3, $\hat t \approx_{AC} l\sigma'$, where $\sigma'$ is defined as $y\sigma' = y\sigma{\downarrow_{R_h,AC}}$ for all $y \in Dom(\sigma)$. From this we have $l\sigma' = l\sigma{\downarrow_{R_h,AC}}$, i.e., $l\sigma \to^!_{R_h,AC} l\sigma'$. Let $t'' \approx_{AC} t + s$. By Corollary A.2.1, $t + s \to^!_{R_h,AC} \hat t + \hat s$ where $\hat s = s{\downarrow_{R_h,AC}}$. Since $\hat t$ is reducible at the root by $\to_{R,AC}$, so is $\hat t + \hat s$, as can be seen from an examination of the rules. Thus $t'' \to^!_{R_h,AC} \hat t + \hat s \approx_{AC} l'\beta$ for some rule $l' \to r'$ in $R$. This implies that $t'' \approx_{ACh} l'\beta$.

Lemma A.7 For all $t$, if $h(t)$ is reducible by $\to_{R,ACh}$ then $t = 0$ or $t$ is reducible by $\to_{R,ACh}$.

Proof. Suppose $t \neq 0$ and $t$ is not reducible by $\to_{R,ACh}$. Then the reduction of $h(t)$ cannot take place inside $t$, so it is at the root: there must be some left-hand side $l$ in $R$ such that $l$ ACh-matches $h(t)$. Since $t \neq 0$, $l$ cannot be $h(0)$, so $l$ must be a +-term. If $l$ ACh-matches $h(t)$, by Lemma A.5 we know that $l$ ACh-matches $t$, which is a contradiction.

Lemma A.8 For all $s$, $s'$, if $s$ is reducible by $\to_{R,ACh}$ and $s \approx_{AC} s'$, then $s'$ is reducible by $\to_{R,ACh}$.

Proof. Assume the contrary. Let $t$ be the smallest term such that $t$ is reducible by $\to_{R,ACh}$ and there is another term $t'$, AC-equivalent to $t$, such that $t'$ is irreducible by $\to_{R,ACh}$. Clearly $t$ cannot be reducible at the root, since $t' \approx_{AC} t \approx_{ACh} l\sigma$ would make $t'$ reducible at the root too. Let $p \neq \varepsilon$ be an outermost position in $t$ such that $t|_p$ is a redex, and let $p = p' \cdot i$. Obviously $t|_p$ cannot be $h(0)$. The parent of node $p$ cannot carry a +-symbol, because then that subterm, i.e. $t|_{p'}$, would be a redex too, by the proof of Lemma A.6. Thus it has to be an $h$: in other words, $h(t|_p)$ is a subterm of $t$. Since $t' \approx_{AC} t$, $t'$ has a subterm $h(t'_1)$ where $t'_1 \approx_{AC} t|_p$. If $t'_1$ is reducible then so is $t'$; if not, then $t|_p$ together with $t'_1$ is a smaller counterexample.

Corollary A.8.1 For all $t$, $t'$, $t''$: if $t$ is reducible by $\to_{R,ACh}$ and $t'' \approx_{AC} t + t'$, then $t''$ is also reducible by $\to_{R,ACh}$.

Lemma A.9
For all $s_0$, $s_1$, $s_2$: if $s_0 \to_{R_h,AC} s_1$ and $s_1 \to_{R,ACh} s_2$, then $s_0$ is also reducible by $\to_{R,ACh}$.

Proof. Suppose $s_0$ reduces to $s_1$ at some position $p$ and $s_1$ reduces to $s_2$ at some position $q$, i.e., $s_0 \to^{p}_{R_h,AC} s_1$ and $s_1 \to^{q}_{R,ACh} s_2$. Thus there is a substitution $\theta$ such that $s_0|_p \approx_{AC} h(x + y)\theta$ and $s_1 = s_0[h(x\theta) + h(y\theta)]_p$. Two cases have to be considered.

$p < q$: Either $h(x\theta)$ or $h(y\theta)$ is reducible by $\to_{R,ACh}$. Assume, without loss of generality, that $h(x\theta)$ is reducible by $\to_{R,ACh}$. By Lemma A.7, $x\theta$ is either $0$ or reducible by $\to_{R,ACh}$. If $x\theta$ is reducible by $\to_{R,ACh}$, then $x\theta + y\theta$ is also reducible by $\to_{R,ACh}$, by Corollary A.8.1. If $x\theta = 0$, then clearly $x\theta + y\theta = 0 + y\theta$ is reducible by $\to_{R,ACh}$. In both cases $s_0|_p \approx_{AC} h(x\theta + y\theta)$, and hence $s_0$, is reducible by $\to_{R,ACh}$.

$q \le p$: Let $p = q \cdot \pi$. Let $s'_0 = s_0|_q$ and $s'_1 = s'_0[h(x\theta) + h(y\theta)]_\pi = s_1|_q$. Thus $s'_0 \to^{\pi}_{R_h,AC} s'_1$ and $s'_1$ is reducible at the root by $\to_{R,ACh}$. By Corollary A.3.1, $s'_1{\downarrow_{R_h,AC}}$ is reducible at the root by $\to_{R,AC}$, i.e., $s'_1{\downarrow_{R_h,AC}} \approx_{AC} l\beta$ for some left-hand side $l$. Since $s'_0$ and $s'_1$ have the same $R_h$-normal form, we get (putting it all together) $s_0|_q \to^!_{R_h,AC} s'_1{\downarrow_{R_h,AC}} \approx_{AC} l\beta$. Thus, again by Corollary A.3.1, $s_0|_q$ is reducible by $\to_{R,ACh}$.

Finally, we can prove the convergence.

Lemma A.10 $\to_{R,ACh}$ is ACh-convergent.

Proof. We prove this by contradiction. Suppose $\to_{R,ACh}$ is not ACh-convergent. Since $\to_{R,ACh}$ is terminating, there must be terms $s$ and $t$ in normal form modulo $\to_{R,ACh}$ that are equal modulo ACUNh (the theory $R \cup ACh$) but $s \not\approx_{ACh} t$. Let $\hat s$ and $\hat t$ be respectively the normal forms of $s$ and $t$ modulo $\to_{R_h,AC}$. Since $\to_{R_h,AC}$ is AC-convergent, $\hat s$ and $\hat t$ cannot be AC-equal, otherwise $s$ and $t$ would be ACh-equal. If either $\hat s$ or $\hat t$ is reducible by $\to_{R,ACh}$, then, by Lemma A.9, either $s$ or $t$ would be reducible by $\to_{R,ACh}$, a contradiction. But since $\to_{R \cup R_h,AC}$ is AC-convergent and $\hat s$, $\hat t$ are equal modulo ACUNh without being AC-equal, either $\hat s$ or $\hat t$ must be reducible by $\to_{R \cup R_h,AC}$. This also leads to a contradiction, since $\to_{R \cup R_h,AC} = \to_{R,AC} \cup \to_{R_h,AC}$ and both terms are irreducible by $\to_{R_h,AC}$.

B Asymmetric Combination Algorithm
Algorithm 3 Combination $\Delta_1 = $ ACUNh and $\Delta_2 = F_\Omega$

Require: $\Gamma_0$, the initial unification problem over the signature $\Sigma_1 \cup \Sigma_2$.
while there exist non-pure terms do
  Right abstraction: For each alien subterm $t_1$ of $t$, let $x$ be a variable not occurring in the current system and let $t'$ be the term obtained by replacing $t_1$ by $x$ in $t$. Then the original equation is replaced by the two equations $s =_{\downarrow} t'$ and $x =_{\downarrow} t_1$.
  Left abstraction: For each alien subterm $s_1$ of $s$, let $x$ be a variable not occurring in the current system and let $s'$ be the term obtained by replacing $s_1$ by $x$ in $s$. Then the original equation is replaced by the two equations $s' =_{\downarrow} t$ and $s_1 =_{\downarrow} x$.
end while
while there exist non-pure equations do
  Split non-pure equations: Each non-pure equation of the form $s =_{\downarrow} t$ is replaced by the two equations $s =_{\downarrow} x$, $x =_{\downarrow} t$, where $x$ is always a new variable. The result is a system $\Gamma_1$ of pure equations.
end while
Variable identification: Consider all the possible partitions of the set of variables. Each partition produces a new system $\Gamma_2$ as follows. The variables in each class of the partition are "identified" with each other by choosing an element of the class as a representative and replacing in the system all occurrences of variables in each class by their representative.
Choose an ordering and theory indices: For each $\Gamma_2$ we consider all possible strict orderings $<$ on the variables of the system and all mappings $ind$ from the set of variables into the set of indices $\{1, 2\}$. Each pair $(<, ind)$ yields a new system $\Gamma_3$.
Split the system: Each $\Gamma_3$ is split into two systems $\Gamma_{3,1}$ and $\Gamma_{3,2}$, the first containing only 1-equations and the second only 2-equations. In the system $\Gamma_{3,i}$ the variables of index $j \neq i$ are treated as constants. Each $\Gamma_{3,i}$ is now a unification problem with linear constant restriction, where the linear ordering $<$ defines the set $V_c$ for each constant $c$ corresponding to an index $j \neq i$ variable.
Build ACUNh automata: For each $\Gamma_{3,1}$, construct the corresponding automata including the linear constant restriction and disequalities of the following form:
  – $x \neq y$, if $x$ and $y$ are distinct variables from $\Gamma_3$ not equated by the partition.
  – $x \neq y$, if $x$ and $y$ are distinct variables from $\Gamma_3$, $x \in \Gamma_{3,1}$ and $y \in \Gamma_{3,2}$.
Solve $\Gamma_{i,1}$ and $\Gamma_{i,2}$: For the initial system $\Gamma_0$ let $\{(\Gamma_{1,1}, \Gamma_{1,2}), \dots, (\Gamma_{n,1}, \Gamma_{n,2})\}$ be the output of the decomposition.
for $i = 1, \dots, n$ do
  if the automata for $\Gamma_{i,1}$ have a non-empty intersection and the syntactic unification algorithm on $\Gamma_{i,2}$ returns an injective and theory-preserving solution then return true.
end for
return false.
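The first steps of Algorithm 3 (right and left abstraction, splitting of non-pure equations, and variable identification) are mechanical enough to show in code. The Python below is an added example, not the combination procedure of [7] or an implementation from this paper: the term encoding, the free signature $\Omega = \{f, g, enc\}$, the treatment of lower-case atoms as index-free constants and the sample problem $\Gamma_0$ are constructed for it, and the later steps (orderings, index mappings, the automata and the syntactic unifier) are left out. Equations are `(s, t)` pairs standing for $s =_{\downarrow} t$, so the right-hand side is the one that must stay irreducible; the abstraction step therefore records $x =_{\downarrow} t_1$ for aliens on the right and $s_1 =_{\downarrow} x$ for aliens on the left, exactly as the two loops of the algorithm do.

```python
"""Purification steps of Algorithm 3 for the disjoint combination of ACUNh (index 1) with a
free theory F_Omega (index 2): right/left abstraction of alien subterms, splitting of
non-pure equations, and the variable-identification partitions. Added example; the term
encoding, Omega = {f, g, enc} and the sample problem are constructed, not the paper's."""
from itertools import count

SIG1 = {'+', 'h', '0'}          # Sigma_1: the ACUNh signature
SIG2 = {'f', 'g', 'enc'}        # Sigma_2: free symbols Omega (constructed choice)
_fresh = count(1)

def is_var(t):
    """Upper-case atoms are variables; lower-case atoms are free constants with no index."""
    return isinstance(t, str) and t[:1].isupper()

def index_of(t):
    """Theory index of the root symbol; variables and free constants have none (None)."""
    if isinstance(t, tuple):
        return 1 if t[0] in SIG1 else 2
    return 1 if t == '0' else None

def fresh():
    """A variable not occurring in the current system."""
    return f"V{next(_fresh)}"

def abstract(t, idx, aliens):
    """Replace each maximal alien subterm of t (root index != idx) by a fresh variable and
    record the (variable, alien) pairs. Aliens nested inside an alien are handled when the
    recorded equation is itself processed."""
    i = index_of(t)
    if i is None:
        return t
    if i != idx:
        x = fresh()
        aliens.append((x, t))
        return x
    if not isinstance(t, tuple):            # the constant 0 inside its own theory
        return t
    return (t[0],) + tuple(abstract(a, idx, aliens) for a in t[1:])

def purify(eqs):
    """The two while-loops of Algorithm 3: right abstraction adds x =↓ t1, left abstraction
    adds s1 =↓ x, and a pure equation whose sides belong to different theories is split
    into s =↓ x, x =↓ t. Returns Gamma_1, a list of pure equations."""
    work, pure = list(eqs), []
    while work:
        s, t = work.pop(0)
        if index_of(t) is not None:
            aliens = []
            t = abstract(t, index_of(t), aliens)
            work.extend(aliens)                           # x =↓ t1
        if index_of(s) is not None:
            aliens = []
            s = abstract(s, index_of(s), aliens)
            work.extend((s1, x) for x, s1 in aliens)      # s1 =↓ x
        i, j = index_of(s), index_of(t)
        if i is not None and j is not None and i != j:
            x = fresh()
            pure += [(s, x), (x, t)]
        else:
            pure.append((s, t))
    return pure

def is_pure(t, idx=None):
    i = index_of(t)
    if i is None:
        return True
    if idx is not None and i != idx:
        return False
    return not isinstance(t, tuple) or all(is_pure(a, i) for a in t[1:])

def is_pure_equation(s, t):
    """Both sides pure and of one theory (a variable side carries no index)."""
    return is_pure(s) and is_pure(t) and len({index_of(s), index_of(t)} - {None}) <= 1

def variables(eqs):
    seen = []
    def walk(t):
        if is_var(t):
            if t not in seen:
                seen.append(t)
        elif isinstance(t, tuple):
            for a in t[1:]:
                walk(a)
    for s, t in eqs:
        walk(s)
        walk(t)
    return seen

def partitions(items):
    """All set partitions of items; each one is a candidate variable identification."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for p in partitions(rest):
        for k in range(len(p)):
            yield p[:k] + [[first] + p[k]] + p[k + 1:]
        yield [[first]] + p

def identify(eqs, partition):
    """Replace every variable by the representative (first element) of its class."""
    rep = {v: cls[0] for cls in partition for v in cls}
    def sub(t):
        if isinstance(t, tuple):
            return (t[0],) + tuple(sub(a) for a in t[1:])
        return rep.get(t, t)
    return [(sub(s), sub(t)) for s, t in eqs]

# Constructed mixed problem Gamma_0:
#   enc(h(X) + Y, K) =↓ enc(Z, K),   h(f(X)) + X =↓ Y,   h(X) =↓ f(Y)
GAMMA0 = [(('enc', ('+', ('h', 'X'), 'Y'), 'K'), ('enc', 'Z', 'K')),
          (('+', ('h', ('f', 'X')), 'X'), 'Y'),
          (('h', 'X'), ('f', 'Y'))]

if __name__ == '__main__':
    gamma1 = purify(GAMMA0)
    for s, t in gamma1:
        print(s, '=↓', t)
    print(sum(1 for _ in partitions(variables(gamma1))), 'identifications to try')
```

On the sample problem the three mixed equations become six pure ones (one split, two abstracted aliens), after which the number of variable identifications to try is the Bell number of the variable count; this is the source of the non-deterministic branching that the automata of Section 4 then have to resolve for each $\Gamma_{i,1}$.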