Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Conclusions
References

Effectively checking or disproving the finite variant property

Profile image of Santiago EscobarSantiago Escobar
https://doi.org/10.1007/978-3-540-70590-1_6
visibility

description

24 pages

link

1 file

Abstract

An equational theory decomposed into a set B of equational axioms and a set ∆ of rewrite rules has the finite variant (FV) property in the sense of Comon-Lundh and Delaune iff for each term t there is a finite set {t1, . . . , tn} of →∆,B-normalized instances of t so that any instance of t normalizes to an instance of some ti modulo B. This is a very useful property for cryptographic protocol analysis, and for solving both unification and disunification problems. Yet, at present the property has to be established by hand, giving a separate mathematical proof for each given theory: no checking algorithms seem to be known. In this paper we give both a necessary and a sufficient condition for FV from which we derive, both an algorithm ensuring the sufficient condition, and thus FV, and another disproving the necessary condition, and thus disproving FV. These algorithms can check automatically a number of examples and counterexamples of FV known in the literature.

Related papers

Effective Symbolic Protocol Analysis via Equational Irreducibility Conditions
Serdar Erbatur

2012

We address a problem that arises in cryptographic protocol analysis when the equational properties of the cryptosystem are taken into account: in many situations it is necessary to guarantee that certain terms generated during a state exploration are in normal form with respect to the equational theory. We give a tool-independent methodology for state exploration, based on unification and narrowing, that generates states that obey these irreducibility constraints, called contextual symbolic reachability analysis, prove its soundness and completeness, and describe its implementation in the Maude-NPA protocol analysis tool. Contextual symbolic reachability analysis also introduces a new type of unification mechanism, which we call asymmetric unification, in which any solution must leave the right side of the solution irreducible. We also present experiments showing the effectiveness of our methodology.

View PDFchevron_right
On the Decidability of (ground) Reachability Problems for Cryptographic Protocols (extended version)
Yannick Chevalier

Corr, 2009

Analysis of cryptographic protocols in a symbolic model is relative to a deduction system that models the possible actions of an attacker regarding an execution of this protocol. We present in this paper a transformation algorithm for such deduction systems provided the equational theory has the finite variant property. the termination of this transformation entails the decidability of the ground reachability problems. We prove that it is necessary to add one other condition to obtain the decidability of non-ground problems, and provide one new such criterion. Definition 1. Let G be a signature and X be an infinite set of variables. A strict order ≻ on T(G, X ) is called a rewrite order iff it is

View PDFchevron_right
Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis
Serdar Erbatur

2013

We present a new paradigm for unification arising out of a technique commonly used in cryptographic protocol analysis tools that employ unification modulo equational theories. This paradigm relies on: (i) a decomposition of an equational theory into (R, E) where R is confluent, terminating, and coherent modulo E, and (ii) on reducing unification problems to a set of problems s = ? t under the constraint that t remains R/E-irreducible. We call this method asymmetric unification. We first present a general-purpose generic asymmetric unification algorithm. and then outline an approach for converting special-purpose conventional S. Escobar and S. 232 S. Erbatur et al. unification algorithms to asymmetric ones, demonstrating it for exclusiveor with uninterpreted function symbols. We demonstrate how asymmetric unification can improve performanceby running the algorithm on a set of benchmark problems. We also give results on the complexity and decidability of asymmetric unification.

View PDFchevron_right
Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties
Santiago Escobar

Lecture Notes in Computer Science, 2009

In this tutorial, we give an overview of the Maude-NRL Protocol Analyzer (Maude-NPA), a tool for the analysis of cryptographic protocols using functions that obey dierent equational theories. We show the reader how to use Maude-NPA, and how it works, and also give some of the theoretical background behind the tool. The earliest protocol analysis tools, such as the Interrogator [30] and the NRL Protocol Analyzer (NPA) [35], while not strictly speaking model checkers, relied on state exploration, and, in the case of NPA, could be used to verify security properties specied in a temporal logic language. Later, researchers used generic model checkers to analyze protocols, such as FDR [32] and later Murphi [40]. More recently the focus has been on special-purpose model-checkers developed specically for cryptographic protocol analysis, such as Blanchet's ProVerif [8], the AVISPA tool [3], and Maude-NPA itself [23].

View PDFchevron_right
Unification modulo a property of the El Gamal Encryption Scheme
Paliath Narendran
View PDFchevron_right
A Unification Algorithm for Analysis of Protocols with Blinded Signatures
Paliath Narendran

Lecture Notes in Computer Science, 2005

Analysis of authentication cryptographic protocols, particularly finding flaws in them and determining a sequence of actions that an intruder can take to gain access to the information which a given protocol purports not to reveal, has recently received considerable attention. One effective way of detecting flaws is to hypothesize an insecure state and determine whether it is possible to get to that state by a legal sequence of actions permitted by the protocol from some legal initial state which captures the knowledge of the principals and the assumptions made about an intruder's behavior. Relations among encryption and decryption functions as well as properties of number theoretic functions used in encryption and decryption can be specified as rewrite rules. This, for example, is the approach used by the NRL Protocol Analyzer, which uses narrowing to reason about such properties of cryptographic and number-theoretic functions. Following [14], a related approach is proposed here in which equation solving modulo most of these properties of cryptographic and numbertheoretic functions is done by developing new unification algorithms for such theories. A new unification algorithm for an equational theory needed to reason about protocols that use the Diffie-Hellman algorithm is developed. In this theory, multiplication forms an Abelian group; exponentiation function distributes over multiplication, and exponents can commute. This theory is useful for analyzing protocols which use blinded signatures. It is proved that the unification problem over this equational theory can be reduced to the unification problem modulo the theory of Abelian groups with commuting homomorphisms with an additional constraint. Baader's unification algorithm for the theory of Abelian groups with commuting homomorphisms, which reduces the unification problem to solving equations over the polynomial ring over the integers with the commuting homomorphisms serving as indeterminates, is generalized to give a unification algorithm over the theory of Abelian groups with commuting homomorphism with a linear constraint. It is also shown that the unification problem over a (simple) extension of the equational theory considered here (which is also an extension of the equational theory considered in [14]) is undecidable.

View PDFchevron_right
Equational Cryptographic Reasoning in the Maude-NRL Protocol Analyzer
Santiago Escobar

Electronic Notes in Theoretical Computer Science, 2007

The Maude-NRL Protocol Analyzer (Maude-NPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which limited itself to an equational theory ∆ of convergent rewrite rules. In this paper we extend our framework to include theories of the form ∆ B, where B is the theory of associativity and commutativity and ∆ is convergent modulo B. Order-sorted B-unification plays a crucial role; to obtain this functionality we describe a sort propagation algorithm that filters out unsorted B-unifiers provided by the CiME unification tool. We show how extensions of some of the state reduction techniques of the original NRL Protocol Analyzer can be applied in this context. We illustrate the ideas and capabilities of the Maude-NPA with an example involving the Diffie-Hellman key agreement protocol.

View PDFchevron_right
Protocol analysis in Maude-NPA using unification modulo homomorphic encryption
Santiago Escobar

2011

A number of new cryptographic protocols are being designed to secure applications such as video-conferencing and electronic voting. Many of them rely upon cryptographic functions with complex algebraic properties that must be accounted for in order to be correctly analyzed by automated tools. Maude-NPA is a cryptographic protocol analysis tool based on narrowing and typed equational unification which takes into account these algebraic properties. It has already been used to analyze protocols involving bounded associativity, modular exponentiation, and exclusive-or. All of the above can be handled by the same general variant-based equational unification technique. However, there are important properties, in particular homomorphic encryption, that cannot be handled by variantbased unification in the same way. In these cases the best available approach is to implement specialized unification algorithms and combine them within a modular framework. In this paper we describe how we apply this approach within Maude-NPA, with respect to encryption homomorphic over a free operator. We also describe the use of Maude-NPA to analyze several protocols using such an encryption operation. To the best of our knowledge, this * S. is the first implementation of homomorphic encryption of any sort in a tool for verifying the security of a protocol in the presence of active attackers.

View PDFchevron_right
A rewriting approach to satisfiability procedures
Silvio Ranise

Information and Computation/information and Control, 2003

We show how a well-known superposition-based inference system for first-order equational logic can be used almost directly for deciding satisfiability in various theories including lists, encryption, extensional arrays, extensional finite sets, and combinations of them. We also give a superposition-based decision procedure for homomorphism.

View PDFchevron_right

References (21)

  1. T. Arts and J. Giesl. Termination of term rewriting using dependency pairs. Theor. Comput. Sci., 236(1-2):133-178, 2000.
  2. H. Comon-Lundh and S. Delaune. The finite variant property: How to get rid of some algebraic properties. In J. Giesl, editor, Term Rewriting and Applica- tions, 16th International Conference, RTA 2005, Nara, Japan, April 19-21, 2005, Proceedings, volume 3467 of Lecture Notes in Computer Science, pages 294-307. Springer, 2005.
  3. H. Comon-Lundh and V. Shmatikov. Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In LICS, pages 271-280. IEEE Computer Society, 2003.
  4. N. Dershowitz and J.-P. Jouannaud. Rewrite systems. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, Vol. B, pages 243-320. North-Holland, 1990.
  5. S. Escobar, C. Meadows, and J. Meseguer. A rewriting-based inference system for the nrl protocol analyzer and its meta-logical properties. Theor. Comput. Sci., 367(1-2):162-202, 2006.
  6. S. Escobar, J. Meseguer, and R. Sasse. Variant narrowing and equational uni- fication. In Accepted at: 7th International Workshop on Rewriting Logic and its Applications, 2008.
  7. J. Giesl and D. Kapur. Dependency pairs for equational rewriting. In A. Mid- deldorp, editor, RTA, volume 2051 of Lecture Notes in Computer Science, pages 93-108. Springer, 2001.
  8. J. Giesl, P. Schneider-Kamp, and R. Thiemann. Automatic termination proofs in the dependency pair framework. In U. Furbach and N. Shankar, editors, IJCAR, volume 4130 of Lecture Notes in Computer Science, pages 281-286. Springer, 2006.
  9. J. Giesl, R. Thiemann, and P. Schneider-Kamp. Proving and disproving termina- tion in the dependency pair framework. In F. Baader, P. Baumgartner, R. Nieuwen- huis, and A. Voronkov, editors, Deduction and Applications, 23.-28. October 2005, volume 05431 of Dagstuhl Seminar Proceedings. Internationales Begegnungs-und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany, 2006.
  10. J.-M. Hullot. A catalogue of canonical term rewriting systems. Technical Report CSL-113, SRI International, 1980.
  11. J.-P. Jouannaud, C. Kirchner, and H. Kirchner. Incremental construction of uni- fication algorithms in equational theories. In J. Díaz, editor, ICALP, volume 154 of Lecture Notes in Computer Science, pages 361-373. Springer, 1983.
  12. J.-P. Jouannaud and H. Kirchner. Completion of a set of rules modulo a set of equations. SIAM J. Comput., 15(4):1155-1194, 1986.
  13. J. Meseguer. Conditioned rewriting logic as a united model of concurrency. Theor. Comput. Sci., 96(1):73-155, 1992.
  14. J. Meseguer. Membership algebra as a logical framework for equational speci- fication. In F. Parisi-Presicce, editor, WADT, volume 1376 of Lecture Notes in Computer Science, pages 18-61. Springer, 1997.
  15. J. Meseguer and P. Thati. Symbolic reachability analysis using narrowing and its application to verification of cryptographic protocols. Higher-Order and Symbolic Computation, 20(1-2):123-160, 2007.
  16. É. Payet. Detecting non-termination of term rewriting systems using an unfolding operator. In G. Puebla, editor, Logic-Based Program Synthesis and Transforma- tion, 16th International Symposium, LOPSTR 2006, Venice, Italy, July 12-14, 2006, Revised Selected Papers, volume 4407 of Lecture Notes in Computer Science, pages 194-209. Springer, 2007.
  17. É. Payet and F. Mesnard. Non-termination inference of logic programs. ACM Trans. Program. Lang. Syst., 28(2):256-289, 2006.
  18. G. E. Peterson and M. E. Stickel. Complete sets of reductions for some equational theories. J. ACM, 28(2):233-264, 1981.
  19. TeReSe, editor. Term Rewriting Systems. Cambridge University Press, Cambridge, 2003.
  20. E. Viola. E-unifiability via narrowing. In A. Restivo, S. R. D. Rocca, and L. Roversi, editors, ICTCS, volume 2202 of Lecture Notes in Computer Science, pages 426-438. Springer, 2001.
  21. P. Viry. Equational rules for rewriting logic. Theor. Comput. Sci., 285(2):487-517, 2002.

Related papers

Effectively Checking the Finite Variant Property
Santiago Escobar

2008

An equational theory decomposed into a set B of equational axioms and a set Δ of rewrite rules has the finite variant (FV) property in the sense of Comon-Lundh and Delaune iff for each term t there is a finite set {t 1,...,t n } of →Δ,B -normalized instances of t so that any instance of t normalizes to an instance of some t i modulo B. This is a very useful property for cryptographic protocol analysis, and for solving both unification and disunification problems. Yet, at present the property has to be established by hand, giving a separate mathematical proof for each given theory: no checking algorithms seem to be known. In this paper we give both a necessary and a sufficient condition for FV from which we derive an algorithm ensuring the sufficient condition, and thus FV. This algorithm can check automatically a number of examples of FV known in the literature.

View PDFchevron_right
Variant Narrowing and Equational Unification
Santiago Escobar

Electronic Notes in Theoretical Computer Science, 2009

Narrowing is a well-known complete procedure for equational E-unification when E can be decomposed as a union E = ∆ B with B a set of axioms for which a finitary unification algorithm exists, and ∆ a set of confluent, terminating, and B-coherent rewrite rules. However, when B = ∅, effective narrowing strategies such as basic narrowing easily fail to be complete and cannot be used. This poses two challenges to narrowing-based equational unification: (i) finding effective narrowing strategies that are complete modulo B under mild assumptions on B, and (ii) finding sufficient conditions under which such narrowing strategies yield finitary E-unification algorithms. Inspired by Comon and Delaune's notion of E-variant for a term, we propose a new narrowing strategy called variant narrowing that has a search space potentially much smaller than full narrowing, is complete, and yields a finitary E-unification algorithm when E has the finite variant property. We also discuss applications to symbolic reachability analysis of concurrent systems specified as rewrite theories, and in particular to the formal analysis of cryptographic protocols modulo the algebraic properties of the underlying cryptographic functions.

View PDFchevron_right
On Forward Closure and the Finite Variant Property
Paliath Narendran

Frontiers of Combining Systems, 2013

Equational unification is an important research area with many applications, such as cryptographic protocol analysis. Unification modulo a convergent term rewrite system is undecidable, even with just a single rule. To identify decidable (and tractable) cases, two paradigms have been developed-Basic Syntactic Mutation [14] and the Finite Variant Property [6]. Inspired by the Basic Syntactic Mutation approach, we investigate the notion of forward closure along with suitable redundancy constraints. We show that a convergent term rewriting system R has a finite forward closure if and only if R has the finite variant property. We also show the undecidability of the finiteness of forward closure, therefore determining if a system has the finite variant property is undecidable.

View PDFchevron_right
On Unification Modulo One-Sided Distributivity: Algorithms, Variants and Asymmetry
Paliath Narendran

Logical Methods in Computer Science, 2015

An algorithm for unification modulo one-sided distributivity is an early result by Tidén and Arnborg. More recently this theory has been of interest in cryptographic protocol analysis due to the fact that many cryptographic operators satisfy this property. Unfortunately the algorithm presented in the paper, although correct, has recently been shown not to be polynomial time bounded as claimed. In addition, for some instances, there exist most general unifiers that are exponentially large with respect to the input size. In this paper we first present a new polynomial time algorithm that solves the decision problem for a non-trivial subcase, based on a typed theory, of unification modulo onesided distributivity. Next we present a new polynomial algorithm that solves the decision problem for unification modulo one-sided distributivity. A construction, employing string compression, is used to achieve the polynomial bound. Lastly, we examine the one-sided distributivity problem in the new asymmetric unification paradigm. We give the first asymmetric unification algorithm for one-sided distributivity.

View PDFchevron_right
Theories of Homomorphic Encryption, Unification, and the Finite Variant Property
Paliath Narendran

2014

Recent advances in the automated analysis of cryptographic protocols have aroused new interest in the practical application of unification modulo theories, especially theories that describe the algebraic properties of cryptosystems. However, this application requires unification algorithms that can be easily implemented and easily extended to combinations of different theories of interest. In practice this has meant that most tools use a version of a technique known as variant unification. This requires, among other things, that the theory be decomposable into a set of axioms B and a set of rewrite rules R such that R has the finite variant property with respect to B. Most theories that arise in cryptographic protocols have decompositions suitable for variant unification, but there is one major exception: the theory that describes encryption that is homomorphic over an Abelian group. In this paper we address this problem by studying various approximations of homomorphic encryption over an Abelian group. We construct a hierarchy of increasingly richer theories, taking advantage of new results that allow us to automatically verify that their decompositions have the finite variant property. This new verification procedure also allows us to construct a rough metric of the complexity of a theory with respect to variant unification, or variant complexity. We specify different versions of protocols using the different theories, and analyze them in the Maude-NPA cryptographic protocol analysis tool to assess their behavior. This gives us greater * Jose Meseguer and Fan Yang have been partially

View PDFchevron_right

Cited by

Folding Variant Narrowing and Optimal Variant Termination
Santiago Escobar

Lecture Notes in Computer Science, 2010

Automated reasoning modulo an equational theory E is a fundamental technique in many applications. If E can be split as a disjoint union E ∪ Ax in such a way that E is convergent, sort-decreasing, and coherent modulo a set of equational axioms Ax, narrowing with E modulo Ax provides a complete E-unification algorithm. However, except for the hopelessly inefficient case of full narrowing, nothing seems to be known about effective narrowing strategies in the general modulo case beyond the quite depressing observation that basic narrowing is incomplete modulo AC. Narrowing with equations E modulo axioms Ax can be turned into a practical automated reasoning technique by systematically exploiting the notion of E, Ax-variants of a term. After reviewing such a notion, originally proposed by Comon-Lundh and Delaune, and giving various necessary and/or sufficient conditions for it, we explain how narrowing strategies can be used to obtain narrowing algorithms modulo axioms that are: (i) variant complete (generate a complete set of variants for any input term), (ii) minimal (such a set does not have redundant variants), and (iii) are optimally variant terminating (the strategy will terminate for an input term t iff t has a finite complete set of variants). We define a strategy called folding variant narrowing that satisfies above properties (i)-(iii); in particular, when E ∪ Ax has the finite variant property, that is, when any term t has a finite complete set of variants, this strategy terminates on any input term and provides a finitary E ∪ Ax-unification algorithm. We also explain how folding variant narrowing has a number of interesting applications in areas such as unification theory, cryptographic protocol verification, and proofs of termination, confluence and coherence of a set of rewrite rules R modulo an equational theory E.

View PDFchevron_right
Unification and Narrowing in Maude 2.4
Santiago Escobar

Lecture Notes in Computer Science, 2009

Maude is a high-performance reflective language and system supporting both equational and rewriting logic specification and programming for a wide range of applications, and has a relatively large worldwide user and open-source developer base. This paper introduces novel features of Maude 2.4 including support for unification and narrowing. Unification is supported in Core Maude, the core rewriting engine of Maude, with commands and metalevel functions for order-sorted unification modulo some frequently occurring equational axioms. Narrowing is currently supported in its Full Maude extension. We also give a brief summary of the most important features of Maude 2.4 that were not part of Maude 2.0 and earlier releases. These features include communication with external objects, a new implementation of its module algebra, and new predefined libraries. We also review some new Maude applications.

View PDFchevron_right
Protocol Analysis Modulo Combination of Theories: A Case Study in Maude-NPA
Santiago Escobar

Lecture Notes in Computer Science, 2011

There is a growing interest in formal methods and tools to analyze cryptographic protocols modulo algebraic properties of their underlying cryptographic functions. It is well-known that an intruder who uses algebraic equivalences of such functions can mount attacks that would be impossible if the cryptographic functions did not satisfy such equivalences. In practice, however, protocols use a collection of wellknown functions, whose algebraic properties can naturally be grouped together as a union of theories E1∪. . .∪En. Reasoning symbolically modulo the algebraic properties E1 ∪ . . . ∪ En requires performing (E1 ∪ . . . ∪ En)unification. However, even if a unification algorithm for each individual Ei is available, this requires combining the existing algorithms by methods that are highly non-deterministic and have high computational cost. In this work we present an alternative method to obtain unification algorithms for combined theories based on variant narrowing. Although variant narrowing is less efficient at the level of a single theory Ei, it does not use any costly combination method. Furthermore, it does not require that each Ei has a dedicated unification algorithm in a tool implementation. We illustrate the use of this method in the Maude-NPA tool by means of a well-known protocol requiring the combination of three distinct equational theories.

View PDFchevron_right
Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties
Santiago Escobar

Lecture Notes in Computer Science, 2009

In this tutorial, we give an overview of the Maude-NRL Protocol Analyzer (Maude-NPA), a tool for the analysis of cryptographic protocols using functions that obey dierent equational theories. We show the reader how to use Maude-NPA, and how it works, and also give some of the theoretical background behind the tool. The earliest protocol analysis tools, such as the Interrogator [30] and the NRL Protocol Analyzer (NPA) [35], while not strictly speaking model checkers, relied on state exploration, and, in the case of NPA, could be used to verify security properties specied in a temporal logic language. Later, researchers used generic model checkers to analyze protocols, such as FDR [32] and later Murphi [40]. More recently the focus has been on special-purpose model-checkers developed specically for cryptographic protocol analysis, such as Blanchet's ProVerif [8], the AVISPA tool [3], and Maude-NPA itself [23].

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved