Abstract not found

this article).

Following Buchberger's approach to computing a Gröbner basis of a polynomial ideal in polynomial rings, a completion procedure for finitely generated right ideals in Z[H] is given, where H is an ordered monoid presented by a finite, convergent semi-Thue system (\Sigma; T). Taking a finite set F ` Z[H] we get a (possibly infinite) basis of the right ideal generated by F, such that using this basis we have unique normal forms for all p 2 Z[H] (especially the normal form is 0 in case p is an element of the right ideal generated by F). As the ordering and multiplication on H need not be compatible, reduction has to be defined carefully in order to make it Noetherian. Further we no longer have p \Delta x! p 0 for p 2 Z[H]; x 2 H. Similar to Buchberger's s-polynomials, confluence criteria are developed and a completion procedure is given. In case T = ; or (\Sigma; T) is a convergent, 2--monadic presentation of a group providing inverses of length 1 for the generators or (\Sigma; T) is a convergent presentation of a commutative monoid, termination can be shown. So in this cases finitely generated right ideals admit finite Gröbner bases. The connection to the subgroup problem is discussed.

Modular multiplication and exponentiation are common operations in modern cryptography. Uni cation problems with respect to some equational theories that these operations satisfy are investigated. Two dierent but related equational theories are analyzed. A uni cation algorithm is given for one of the theories which relies on solving syzygies over multivariate integral polynomials with noncommuting indeterminates. For the other theory, in which the distributivity property of exponentiation over multiplication is assumed, the uni ability problem is shown to be undecidable by adapting a construction developed by one of the authors to reduce Hilbert's 10th problem to the solvability problem for linear equations over semi-rings. A new algorithm for computing strong Grobner bases of right ideals over the polynomial semiring Z<X 1 ; : : : ; Xn> is proposed; unlike earlier algorithms proposed by Baader as well as by Madlener and Reinert which work only for right admissible term orderings with the boundedness property, this algorithm works for any right admissible term ordering. The algorithms for some of these uni cation problems are expected to be integrated into Research supported in part by the NSF grant nos. CCR-0098114 and CDA-9503064, the ONR grant no. N00014-01-1-0429, and a grant from the Computer Science Research Institute at Sandia National Labs.

We consider the problem of solving linear equations over various semirings. In particular, solving of linear equations over polynomial rings with the additional restriction that the solutions must have only non-negative coefficients is shown to be undecidable. Applications to undecidability proofs of several unification problems are illustrated, one of which, unification modulo one associative-commutative function and one endomorphism, has been a long-standing open problem. The problem of solving multiset constraints is also shown to be undecidable.

We study the class of theories for which solving unification problems is equivalent to solving systems of linear equations over a semiring. It encompasses important examples like the theories of Abelian monoids, idempotent Abelian monoids, and Abelian groups. This class has been introduced by the authors independently of each other as "commutative theories " (Baader) and "monoidal theories" (Nutt). We show that commutative theories and monoidal theories indeed define the same class (modulo a translation of the signature), and we prove that it is undecidable whether a given theory belongs to it. In the remainder of the paper we investigate combinations of commutative/monoidal theories with other theories. We show that finitary commutative/monoidal theories always satisfy the requirements for applying general methods developed for the combination of unification algorithms for disjoint equational theories. Then we study the adjunction of monoids of homomorphisms to commutative /monoidal t...

. We consider equational unification and matching problems where the equational theory contains a nilpotent function, i.e., a function f satisfying f(x;x) = 0 where 0 is a constant. Nilpotent matching and unification are shown to be NP-complete. In the presence of associativity and commutativity, the problems still remain NP-complete. But when 0 is also assumed to be the unity for the function f , the problems are solvable in polynomial time. We also show that the problem remains in P even when a homomorphism is added. Second-order matching modulo nilpotence is shown to be undecidable. Subject area: MECHANISMS: unification 1 Introduction Equational unification is an important computational problem in automated theorem proving. Its usefulness derives from the ability to `build in' many proof steps into the pattern matching algorithm, possibly shortening the search for a proof. As a new practical application, we define a class of set constraints and show that problems in this class ca...

Abstract. In formal approaches, messages sent over a network are usually modeled by terms together with an equational theory, axiomatizing the properties of the cryptographic functions (encryption, exclusive or,...). The analysis of cryptographic protocols requires a precise understanding of the attacker knowledge. Two standard notions are usually used: deducibility and indistinguishability. Only few results have been obtained (in an ad-hoc way) for equational theories with associative and commutative properties, especially in the case of static equivalence. The main contribution of this paper is to propose a general setting for solving deducibility and indistinguishability for an important class (called monoidal) of these theories. Our setting relies on the correspondence between a monoidal theory E and a semiring SE which allows us to give an algebraic characterization of the deducibility and indistinguishability problems. As a consequence we recover easily existing decidability results and obtain several new ones. 1

Although unification algorithms have been developed for numerous equational theories there is still a lack of general methods. In this paper we apply algebraic techniques to the study of a whole class of theories, which we call monoidal. Our approach leads to general results on the structure of unification algorithms and the unification type of such theories. An equational theory is monoidal if it contains a binary operation which is associative and commutative, an identity for the binary operation, and an arbitrary number of unary symbols which are homomorphisms for the binary operation and the identity. Monoidal theories axiomatize varieties of abelian monoids. Examples are the theories of abelian monoids (AC), idempotent abelian monoids (ACI), and abelian groups. To every monoidal theory we associate a semiring. Intuitively, semirings are rings without subtraction. We show that every unification problem in a monoidal theory can be translated into a system of linear equations over t...

Abstract. We present an undecidability result for the verification of security protocols. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties, several recent works relax this assumption, allowing the intruder to exploit these properties. We are interested in the Abelian groups theory in combination with the homomorphism axiom. We show that the security problem for a bounded number of sessions (expressed by satisfaisability of symbolic deducibility constraints) is undecidable, obtaining in this way the first undecidability result concerning a theory for which unification is known to be decidable. 1