Results 1 - 10 of 17
An E-unification algorithm for analyzing protocols that use modular exponentiation
, 2003
Cited by 20 (0 self)
Modular multiplication and exponentiation are common operations in modern cryptography. Unification problems with respect to some equational theories that these operations satisfy are investigated. Two different but related equational theories are analyzed. A unification algorithm is given for one of the theories which relies on solving syzygies over multivariate integral polynomials with noncommuting indeterminates. For the other theory, in which the distributivity property of exponentiation over multiplication is assumed, the unifiability problem is shown to be undecidable by adapting a construction developed by one of the authors to reduce Hilbert's 10th problem to the solvability problem for linear equations over semirings. A new algorithm for computing strong Gröbner bases of right ideals over the polynomial semiring Z<X_1, ..., X_n> is proposed; unlike earlier algorithms proposed by Baader as well as by Madlener and Reinert which work only for right admissible term orderings with the boundedness property, this algorithm works for any right admissible term ordering. The algorithms for some of these unification problems are expected to be integrated into Research supported in part by the NSF grant nos. CCR0098114 and CDA9503064, the ONR grant no. N000140110429, and a grant from the Computer Science Research Institute at Sandia National Labs.
Solving Linear Equations Over Polynomial Semirings
 RUTGER UNIVERSITY (NJ
Cited by 10 (4 self)
We consider the problem of solving linear equations over various semirings. In particular, solving of linear equations over polynomial rings with the additional restriction that the solutions must have only nonnegative coefficients is shown to be undecidable. Applications to undecidability proofs of several unification problems are illustrated, one of which, unification modulo one associative-commutative function and one endomorphism, has been a longstanding open problem. The problem of solving multiset constraints is also shown to be undecidable.
Unification and Matching modulo Nilpotence
 In Proc. CADE-13, volume 1104 of LNCS
, 1996
Cited by 9 (0 self)
We consider equational unification and matching problems where the equational theory contains a nilpotent function, i.e., a function f satisfying f(x, x) = 0 where 0 is a constant. Nilpotent matching and unification are shown to be NP-complete. In the presence of associativity and commutativity, the problems still remain NP-complete. But when 0 is also assumed to be the unity for the function f, the problems are solvable in polynomial time. We also show that the problem remains in P even when a homomorphism is added. Second-order matching modulo nilpotence is shown to be undecidable. Subject area: MECHANISMS: unification 1 Introduction Equational unification is an important computational problem in automated theorem proving. Its usefulness derives from the ability to `build in' many proof steps into the pattern matching algorithm, possibly shortening the search for a proof. As a new practical application, we define a class of set constraints and show that problems in this class ca...
Deciding knowledge in security protocols for monoidal equational theories
 In Proc. of the Joint Workshop on Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis (FCS-ARSPA’07), Wrocław
, 2007
Cited by 7 (5 self)
Abstract. In formal approaches, messages sent over a network are usually modeled by terms together with an equational theory, axiomatizing the properties of the cryptographic functions (encryption, exclusive or, ...). The analysis of cryptographic protocols requires a precise understanding of the attacker knowledge. Two standard notions are usually used: deducibility and indistinguishability. Only few results have been obtained (in an ad hoc way) for equational theories with associative and commutative properties, especially in the case of static equivalence. The main contribution of this paper is to propose a general setting for solving deducibility and indistinguishability for an important class (called monoidal) of these theories. Our setting relies on the correspondence between a monoidal theory E and a semiring S_E which allows us to give an algebraic characterization of the deducibility and indistinguishability problems. As a consequence we recover easily existing decidability results and obtain several new ones.
Combination Problems for Commutative/Monoidal Theories or How Algebra Can Help in Equational Unification
 J. Applicable Algebra in Engineering, Communication and Computing
, 1996
Cited by 7 (7 self)
We study the class of theories for which solving unification problems is equivalent to solving systems of linear equations over a semiring. It encompasses important examples like the theories of Abelian monoids, idempotent Abelian monoids, and Abelian groups. This class has been introduced by the authors independently of each other as "commutative theories" (Baader) and "monoidal theories" (Nutt). We show that commutative theories and monoidal theories indeed define the same class (modulo a translation of the signature), and we prove that it is undecidable whether a given theory belongs to it. In the remainder of the paper we investigate combinations of commutative/monoidal theories with other theories. We show that finitary commutative/monoidal theories always satisfy the requirements for applying general methods developed for the combination of unification algorithms for disjoint equational theories. Then we study the adjunction of monoids of homomorphisms to commutative/monoidal t...
Unification in Monoidal Theories is Solving Linear Equations over Semirings
 Intelligenz, DFKI GmbH, Stuhlsatzenhausweg 3, D-66123 Saarbrücken
, 1992
Cited by 4 (0 self)
Although unification algorithms have been developed for numerous equational theories there is still a lack of general methods. In this paper we apply algebraic techniques to the study of a whole class of theories, which we call monoidal. Our approach leads to general results on the structure of unification algorithms and the unification type of such theories. An equational theory is monoidal if it contains a binary operation which is associative and commutative, an identity for the binary operation, and an arbitrary number of unary symbols which are homomorphisms for the binary operation and the identity. Monoidal theories axiomatize varieties of abelian monoids. Examples are the theories of abelian monoids (AC), idempotent abelian monoids (ACI), and abelian groups. To every monoidal theory we associate a semiring. Intuitively, semirings are rings without subtraction. We show that every unification problem in a monoidal theory can be translated into a system of linear equations over t...
A unification algorithm for analysis of protocols with blinded signatures
, 2002
Cited by 3 (1 self)
Abstract. Analysis of authentication cryptographic protocols, particularly finding flaws in them and determining a sequence of actions that an intruder can take to gain access to the information which a given protocol purports not to reveal, has recently received considerable attention. One effective way of detecting flaws is to hypothesize an insecure state and determine whether it is possible to get to that state by a legal sequence of actions permitted by the protocol from some legal initial state which captures the knowledge of the principals and the assumptions made about an intruder’s behavior. Relations among encryption and decryption functions as well as properties of number-theoretic functions used in encryption and decryption can be specified as rewrite rules. This, for example, is the approach used by the NRL Protocol Analyzer, which uses narrowing to reason about such properties of cryptographic and number-theoretic functions. Following [14], a related approach is proposed here in which equation