## The finite variant property: How to get rid of some algebraic properties (2005)

Venue: | In Proceedings of RTA’05, LNCS 3467 |

Citations: | 40 - 8 self |

### BibTeX

@INPROCEEDINGS{Comon-lundh05thefinite,

author = {Hubert Comon-lundh and Stéphanie Delaune and France Télécom R},

title = {The finite variant property: How to get rid of some algebraic properties},

booktitle = {In Proceedings of RTA’05, LNCS 3467},

year = {2005},

pages = {294--307},

publisher = {Springer}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We consider the following problem: Given a term t, a rewrite system R, a finite set of equations E ′ such that R is E ′-convergent, com-pute finitely many instances of t: t1,..., tn such that, for every substi-tution σ, there is an index i and a substitution θ such that tσ ↓ =E ′ tiθ (where tσ ↓ is the normal form of tσ w.r.t. →E ′ \R). The goal of this paper is to give equivalent (resp. sufficient) conditions for the finite variant property and to systematically investigate this property for equational theories, which are relevant to security protocols verification. For instance, we prove that the finite variant property holds for Abelian Groups, and a theory of modular exponentiation and does not hold for the theory ACUNh (Associativity, Commutativity, Unit, Nilpotence, homomorphism).

### Citations

749 | Rewrite systems
- Dershowitz, Jouannaud
- 1990
(Show Context)
Citation Context ...of the finite variant property, and we conclude in Section 9. Missing proofs can be found in [4]. 2 Preliminaries 2.1 Terms, Substitutions, Unification We use classical notations and terminology from =-=[7]-=- on terms, unification, rewrite systems. T (F, X) is the set of terms built over the finite (ranked) alphabet F of function symbols and the set of variable symbols X. T (F, ∅) is also written T (F). T... |

168 |
Canonical Forms and Unification
- Hullot
- 1980
(Show Context)
Citation Context ... Note that the latter is well-defined since → E\R preserves the positions which are not in the redex. In case of non-equational narrowing, there are several well-known results, for instance: Lemma 2 (=-=[8]-=-). Let t be a term and σ a normalized substitution. Every innermost derivation sequence (w.r.t R) starting from tσ is based on Ō(t). It follows that basic narrowing is a complete unification procedure... |

73 | Intruder Deductions, Constraint Solving and Insecurity Decision in Presence of Exclusive Or
- Comon-Lundh, Shmatikov
- 2003
(Show Context)
Citation Context ... exponentiation and does not hold for the theory ACUNh (Associativity, Commutativity, Unit, Nilpotence, homomorphism). 1 Introduction In our recent work on the verification of cryptographic protocols =-=[3, 5]-=- we came twice across the following problem: Given an AC-convergent rewrite system R, is it possible (and how) to compute from any term t a finite set of instances tσ1,...,tσn such that {tσ↓R | σ ∈ Σ}... |

64 | Mechanized proofs of a recursive authentication protocol
- Paulson
- 1997
(Show Context)
Citation Context ...rite system RKIT. Furthermore (basic) narrowing w.r.t. RKIT terminates. 4.2 Exclusive Or Theory (ACUN) This theory has been given in introduction. It is mandatory when protocols rely on exclusive or (=-=[15]-=- vs [17]). As recalled in Example 1, the rewrite system R+ for this theory is AC-convergent. 4.3 Abelian Groups Theory (AG) The Abelian Groups theory is defined by the following set of equations: x ∗ ... |

43 | New decidability results for fragments of firstorder logic and application to cryptographic protocols
- Comon-Lundh, Cortier
- 2003
(Show Context)
Citation Context ... exponentiation and does not hold for the theory ACUNh (Associativity, Commutativity, Unit, Nilpotence, homomorphism). 1 Introduction In our recent work on the verification of cryptographic protocols =-=[3, 5]-=- we came twice across the following problem: Given an AC-convergent rewrite system R, is it possible (and how) to compute from any term t a finite set of instances tσ1,...,tσn such that {tσ↓R | σ ∈ Σ}... |

35 |
An attack on a recursive authentication protocol; a cautionary tale
- Ryan, Schneider
- 1998
(Show Context)
Citation Context ...tem RKIT. Furthermore (basic) narrowing w.r.t. RKIT terminates. 4.2 Exclusive Or Theory (ACUN) This theory has been given in introduction. It is mandatory when protocols rely on exclusive or ([15] vs =-=[17]-=-). As recalled in Example 1, the rewrite system R+ for this theory is AC-convergent. 4.3 Abelian Groups Theory (AG) The Abelian Groups theory is defined by the following set of equations: x ∗ (y ∗ z) ... |

30 | A new method for undecidability proofs of first order theories
- Treinen
- 1992
(Show Context)
Citation Context ...ree function symbol, it might become undecidable. Actually, the status of the first order theories of above-mentioned quotient algebras is unknown. On the undecidability side, the method described in =-=[18]-=- can not be applied in a straightforward way. On the decidability side, the finite variant property does not help since the first-order theory of T (F)/=AC is undecidable [18]. 9 Conclusion We believe... |

28 |
M'ethodes et outils de conception syst'ematique d'algorithmes d'unification dans les th'eories 'equationnelles. Th`ese de doctorat d"etat en informatique, Universit'e de Nancy 1
- Kirchner
- 1985
(Show Context)
Citation Context ...se the same rewrite rules at the same positions. We didn’t find this lemma in the litterature. A similar lemma, but only for a one step derivation, and without the regularity assumption, is proved in =-=[11]-=- for instance. The proof does not extend to an arbitrary derivation length. Actually, we do not know whether or not the lemma would still hold without the regularity assumption (which we indeed use in... |

27 | A unification algorithm for the group Diffie-Hellman protocol
- Meadows, Narendran
- 2002
(Show Context)
Citation Context ...ce, we show that the theory of Abelian Groups has the boundedness property, relyingson the unusual orientation of the inverse rule (Section 6.2). We use proof techniques which are similar to those of =-=[12]-=-. We also show in Section 7 that there are equational theories for which unifiability is in PTIME, while there is no convergent AC-rewrite system for the theory yielding the finite variant property. F... |

20 | An E-unification algorithm for analyzing protocols that use modular exponentiation,” in Rewriting Techniques and Applications
- Kapur, Narendran, et al.
- 2003
(Show Context)
Citation Context ...d in protocol constructions. Exponentiation has more properties, which should be considered to capture to whole power of an attacker. However, we only consider the two above axioms since, as shown in =-=[10]-=-, many extensions yield undecidable unification problems, hence undecidability of confidentiality, even for a bounded number of sessions. 4.5 Combinations The theory ACUNh consists of the axioms of AC... |

19 |
A decision procedure for the verification of security protocols with explicit destructors
- Delaune, Jacquemard
- 2004
(Show Context)
Citation Context ... a matter of taste. However, there are subtle differences between the two approaches; some protocols can be attacked if we consider explicit destructors, while they cannot otherwise (see for instance =-=[6]-=-). This relies on the ability to apply the decryption algorithm d( , ) on a message x with a key y, even when x is not a cyphertext. Proposition 1. Orienting equations of DYT from left to right and ad... |

19 | On the unification problem for Cartesian closed categories
- Narendran, Pfenning, et al.
- 1993
(Show Context)
Citation Context ...are met for several equational theories, which are relevant to cryptographic protocols. Our sufficient criteria is related to the notion of optimally reducing (AC)-term rewriting system introduced in =-=[14]-=-. Indeed being an optimally reducing rewrite system is a sufficient condition to satisfy our criteria, and therefore the boundedness property. We provide however with strictly weaker sufficient condit... |

12 |
A catalogue of canonical term rewriting systems
- Hullot
- 1980
(Show Context)
Citation Context ...re we reach its normal form. However, an unusual orientation of some rules yields a presentation for which the finite variant property holds. This orientation has first been proposed by Lankford (see =-=[9]-=-). We get the following rewrite system: R ′ ∗ = ⎧ ⎪⎨ ⎪⎩ x ∗ 1 → x x−1−1 → x 1−1 → 1 (x−1 ∗ y) −1 → x ∗ y−1 x ∗ x−1 → 1 x ∗ (x−1 ∗ y) → y x−1 ∗ y−1 → (x ∗ y) −1 x−1 ∗ (y−1 ∗ z) → (x ∗ y) −1 ∗ z (x ∗ y)... |

10 | Complete Axiomatizations of Some Quotient Term Algebras, Theoretical Computer Science 118
- Comon
- 1993
(Show Context)
Citation Context ...ex i and a substitution θ such that φσ↓E =E ′ φiθ. In particular, φ is solvable modulo E iff one of the φi is solvable modulo E ′ . Then, since the Σ1 fragment of the theory of T (F)/=AC is decidable =-=[1]-=-, we get the following new results: Corollary 3. The Σ1 fragments of the first-order theories of quotient term algebras T (F)/=ACUN, T (F)/=AG, T (F)/=DH are decidable. Such results cannot be derived ... |

10 |
Intruder theories (ongoing work), in: I
- Comon-Lundh
- 2004
(Show Context)
Citation Context ... together with the finiteness of equivalence classes modulo E ′ is claimed to be the key property for decidability results in cryptographic protocols verification, in presence of algebraic properties =-=[2]-=-. That is why we are especially interested in studying the finite variant property for equational theories which are relevant to cryptography and which define infinite equivalence classes. When E ′ = ... |

8 | Unification and Matching Modulo Nilpotence
- Guo, Narendran, et al.
- 1996
(Show Context)
Citation Context ...pply them to the relevant theories listed in Section 4. In Section 7, we prove that the theory ACUNh (Associativity, Commutativity, Unit, Nilpotence, homomorphism), for which unifiability is in PTIME =-=[13]-=-, does not have the finite variant property. In Section 8, we show other applications of the finite variant property, and we conclude in Section 9. Missing proofs can be found in [4]. 2 Preliminaries ... |

7 |
E-unifiability via narrowing
- Viola
- 2001
(Show Context)
Citation Context ...he other hand, basic narrowing is incomplete for E-unification. We didn’t find any reference for the incompleteness of basic AC-narrowing, hence we show it in Section 3.2. E. Viola already noticed in =-=[19]-=- that the standard completeness proof of basic narrowing does not extend to the AC-case and proposes another narrowing strategy, introducing extensions of rules. This notion of narrowing restores comp... |

2 | On the complexity of the theories of weak direct products (preliminary report
- Rackoff
- 1974
(Show Context)
Citation Context ...volves quantifier elimination : ∀z.x �= a + f(z) ∨ y �= a + z + f(z). In the case of Abelian Groups, it is actually known that the first-order theory of finitely generated Abelian Groups is decidable =-=[16]-=-. However, adding a binary free function symbol, it might become undecidable. Actually, the status of the first order theories of above-mentioned quotient algebras is unknown. On the undecidability si... |