[a] [a] [b] [a] [c]

Knowledge Problems in Protocol Analysis:
Extending the Notion of Subterm Convergent

Carter Bunch , Saraid Dwyer Satterfield , Serdar Erbatur\lmcsorcid0000-0002-7574-195X , Andrew M. Marshall\lmcsorcid0000-0002-0522-8384 and Christophe Ringeissen\lmcsorcid0000-0002-5937-6059 University of Mary Washington, Fredericksburg, VA, USA University of Texas at Dallas, Richardson, TX, USA Université de Lorraine, CNRS, Inria, LORIA, F-54000 Nancy, France

Abstract.

We introduce a new form of restricted term rewrite system, the graph-embedded term rewrite system. These systems, and thus the name, are inspired by the graph minor relation and are more flexible extensions of the well-known homeomorphic-embedded property of term rewrite systems. As a motivating application area, we consider the symbolic analysis of security protocols, and more precisely the two knowledge problems defined by the deduction problem and the static equivalence problem. In this field restricted term rewrite systems, such as subterm convergent ones, have proven useful since the knowledge problems are decidable for such systems. Many of the same decision procedures still work for examples of systems which are “beyond subterm convergent”. However, the applicability of the corresponding decision procedures to these examples must often be proven on an individual basis. This is due to the problem that they don’t fit into an existing syntactic definition for which the procedures are known to work. Here we show that many of these systems belong to a particular subclass of graph-embedded convergent systems, called contracting convergent systems. On the one hand, we show that the knowledge problems are decidable for the subclass of contracting convergent systems. On the other hand, we show that the knowledge problems are undecidable for the class of graph-embedded systems. Going further, we compare and contrast these graph embedded systems with several notions and properties already known in the protocol analysis literature. Finally, we provide several combination results, both for the combination of multiple contracting convergent systems, and then for the combination of contracting convergent systems with particular permutative equational theories.

Key words and phrases:

Term Rewriting, Security Protocols, Deduction, Static Equivalence

We would like to thank the anonymous reviewers of this article for their helpful comments, feedback, and suggestions. Their input has improved the paper. We also thank Paliath Narendran for his helpful input.

1. Introduction

In this paper we introduce a new form of term rewrite system, called the graph-embedded term rewrite systems, and motivate the study and use of such rewrite systems by demonstrating their usefulness in the application of security protocols.

The research area of cryptographic protocol analysis contains a number of innovative algorithms and procedures for checking various security properties of protocols, see for example [AC06, BCD13, CCcCK16, cCDK12, DDKS17]. These procedures consider protocols modeled in a symbolic way, typically via a rewrite system or equational theory. Often the procedure is proven sound and complete for specific classes of theories. One of the most common classes are those theories that can be represented by subterm convergent term rewrite systems. That is, term rewrite systems where the right-hand side of the rules are strict subterms of the left-hand side or a constant. For example, see the procedures developed in [AC06, cCDK12]. Interestingly, many of these same procedures also work for theories that are “beyond subterm convergent”. That is, they are not strictly subterm convergent. However, since these examples don’t fit into a known class of theories for which soundness and completeness proofs already exist, they must be proven on an individual bases. For example, the procedures of [AC06, BCD13, CCcCK16, cCDK12, DDKS17] are shown to work on the theory of blind signatures, see Example 1 below. However, the theory is not subterm convergent, notice in the final rule, $\mathit{unblind}(\mathit{sign}(\mathit{blind}(x,y),z),y)\rightarrow\mathit{sign}(x,z)$ , that $\mathit{sign}(x,z)$ is not a strict subterm of $\mathit{unblind}(\mathit{sign}(\mathit{blind}(x,y),z),y)$ . Thus, in each case a unique proof is needed to show applicability of the procedure on the theory of blind signatures. Several additional examples of beyond subterm theories are given throughout this paper. This begs the question of whether there is a syntactic definition of a class of term rewrite systems such that the definition encapsulates these beyond subterm examples yet still maintains some of the useful properties needed to ensure applicability of the above procedures.

In this paper we answer the question in the positive by introducing first graph-embedded term rewrite systems and then a particular subclass called contracting rewrite systems. These systems are inspired by the notions of graph embeddings and graph minors. Here we are able to translate the notion to term rewrite systems. This translation is done in a very similar fashion to what has been done with homeomorphic embeddings. We are able to provide a rewrite schema which induces graph-embedded systems in a similar way in which homeomorphic-embedded systems are induced by a rewrite system (see [BN98] for more details). To the best of our knowledge these systems have not been explored before. We then explore some of the properties of these new systems. Interestingly, the graph-embedded systems encompass most of the beyond subterm examples from many of the protocol analysis procedure papers [AC06, BCD13, CCcCK16, cCDK12, DDKS17]. As an initial step, in this paper we concentrate on the knowledge problems considered in [AC06] using the notion of locally stable theories. Local stability is a desirable property which ensures the decidability of the critical symbolic security question of deducibility. In the class of graph-embedded convergent systems, we are now able to identify a particular subclass called the contracting convergent systems, which are beyond subterm convergent, encompass most of the beyond subterm examples of [AC06, BCD13, CCcCK16, cCDK12, DDKS17], and are locally stable. As a consequence, the knowledge problems of deduction and static equivalence are decidable for the subclass of contracting convergent systems. We show that the knowledge problems are undecidable for the class of graph-embedded convergent systems in general. Going further, we also compare the graph-embedded systems to the Finite Variant Property (FVP), another useful property in protocol analysis, and show that the two do not define the same set of term rewrite systems but that a sub-class of graph embedding system, a restricted form of the contracting systems, can be defined which always guarantees the FVP. We consider the cap problem [ANR07a], a related knowledge problem, showing it is also decidable for contracting systems, when certain signature requirements are met. In addition to the procedure in [AC06] we also investigate graph-embedded term rewrite systems with the YAPA procedure [BCD13], showing that contracting graph-embedded term rewrite systems have the layered property, an important property for guaranteeing success of the YAPA procedure. Lastly we present several combination results for contracting convergent term rewrite systems.

This paper represents an exploration of graph-embedded term rewrite systems and their application to protocol analysis. We hope that the formulation proves useful in areas beyond security protocols as homeomorphic embeddings have proven useful in many areas. We conclude the paper with a discussion of several open questions related to graph-embedded systems.

An initial version of these results was presented in [SEMR23]. The current paper expands on [SEMR23] by including a number of new results and answering several questions left open in [SEMR23], specifically:

•

We consider the cap problem, left open in [SEMR23], showing new decidability results (see Section 6.1).
•

We expand on the FVP results of [SEMR23] by including new positive results (see Section 6.2).
•

We answer a question on graph-embedded systems and the YAPA procedure left open in [SEMR23], showing that a restricted form of graph embedded systems are layered (see Section 6.3).
•

We have included new combination results between contracting convergent systems, which were not considered in [SEMR23] (see Section 7).
•

Finally, we have made several improvements on the material of [SEMR23]. We have simplified the definition of contracting convergent TRS, making the definition easier to understand. We have also fixed an issue with the proof of the undecidability of the knowledge problems in graph-embedded systems presented in [SEMR23], correcting a problem that allowed trivial solutions.

Paper Outline.

The remainder of the paper is organized as follows. Section 2 contains the preliminaries, introducing the necessary background material on term-rewrite systems, graph theory and security protocol analysis. Section 3 introduces the graph-embedded term rewrite systems and explores some of their basic properties. Then, the next sections are related to the motivating application area of this paper for graph-embedded systems, security protocol analysis. The knowledge problems are shown to be undecidable for the class of graph-embedded convergent systems (Section 4) and decidable for the subclass of contracting convergent systems (Section 5). Section 6 considers the relation to the cap problem, to the FVP, and to the YAPA procedure. Section 7 considers the combination question in contracting convergent systems. Finally, Section 8 contains the concluding remarks, future work, and open problems.

2. Preliminaries

We use the standard notation of equational unification [BS01] and term rewriting systems [BN98]. Given a first-order signature $\Sigma$ and a (countable) set of variables $V$ , the $\Sigma$ -terms over variables $V$ are built in the usual way by taking into account the arity of each function symbol in $\Sigma$ . Arity $0$ function symbols are called constants. Each $\Sigma$ -term is well-formed: if it is rooted by a $n$ -ary function symbol in $\Sigma$ , then it has necessarily $n$ direct subterms. The set of $\Sigma$ -terms over variables $V$ is denoted by $T(\Sigma,V)$ . The set of variables (resp., constants) from $V$ (resp., $\Sigma$ ) occurring in a term $t\in T(\Sigma,V)$ is denoted by $\mathit{Var}(t)$ (resp., $\mathit{Cst}(t)$ ). A term $t$ is ground if $\mathit{Var}(t)=\emptyset$ . A $\Sigma$ -rooted term is a term whose root symbol is in $\Sigma$ . For any position $p$ in a term $t$ (including the root position $\epsilon$ ), $t(p)$ is the symbol at position $p$ , $t|_{p}$ is the subterm of $t$ at position $p$ , and $t[u]_{p}$ is the term $t$ in which $t|_{p}$ is replaced by $u$ . A substitution is an endomorphism of $T(\Sigma,V)$ with only finitely many variables not mapped to themselves. A substitution is denoted by $\sigma=\{x_{1}\mapsto t_{1},\dots,x_{m}\mapsto t_{m}\}$ , where the domain of $\sigma$ is $Dom(\sigma)=\{x_{1},\dots,x_{m}\}$ and the range of $\sigma$ is $Ran(\sigma)=\{t_{1},\dots,t_{m}\}$ . Application of a substitution $\sigma$ to $t$ is written $t\sigma$ .

The size of a term $t$ , denoted by $|t|$ , is defined inductively as follows: $|f(t_{1},\dots,t_{n})|=1+\Sigma_{i=1}^{n}|t_{i}|$ if $f$ is a $n$ -ary function symbol with $n\geq 1$ , $|c|=1$ if $c$ is a constant, and $|x|=1$ if $x$ is a variable. The depth of a term $t$ , denoted by $depth(t)$ , is defined inductively as follows: $depth(f(t_{1},\dots,t_{n}))=1+\max_{i=1,\dots,n}depth(t_{i})$ if $f$ a $n$ -ary function symbol with $n\geq 1$ , $depth(c)=0$ if $c$ is a constant, and $depth(x)=0$ if $x$ is a variable.

Let $V_{C}$ denote a finite set of context variables (sometimes called holes) such that $V_{C}\cap V=\emptyset$ . We use the notation $\diamond_{i}$ to represent the context variable $\diamond_{i}\in V_{C}$ . A context is a linear term containing only context variables. More formally, a context is a term, $C\in T(\Sigma,V_{C})$ , where each variable (context hole) occurs at most once. Thus, the size of a context follows from the size of a term, where any hole occurrence counts for $1$ . Given a context $C$ with $m$ variables and $m$ terms $S_{1},\dots,S_{m}\in T(\Sigma,V)$ , $C[S_{1},\dots,S_{m}]$ denotes the term $C\{\diamond_{1}\mapsto S_{1},\dots,\diamond_{m}\mapsto S_{m}\}$ where for $i=1,\dots,m$ , $\diamond_{i}$ denotes the $i$ -th context variable occurring in the term $C$ , and $C$ is called the context part of $C[S_{1},\dots,S_{m}]$ . When $S_{1},\dots,S_{m}\in\mathcal{S}$ , $C[S_{1},\dots,S_{m}]$ is said to be a context instantiated with terms in $\mathcal{S}$ . Given a positive integer $n$ , $C[S_{1},\dots,S_{m}]$ is said to be small (with respect to $n$ ) if its context part $C$ satisfies $|C|\leq n$ .

Equational Theories

Given a set $E$ of $\Sigma$ -axioms (i.e., pairs of terms in $T(\Sigma,V)$ , denoted by $l=r$ ), the equational theory $=_{E}$ is the congruence closure of $E$ under the law of substitutivity (by a slight abuse of terminology, $E$ is often called an equational theory). Equivalently, $=_{E}$ can be defined as the reflexive transitive closure $\leftrightarrow_{E}^{*}$ of an equational step $\leftrightarrow_{E}$ defined as follows: $s\leftrightarrow_{E}t$ if there exist a position $p$ of $s$ , $l=r$ (or $r=l$ ) in $E$ , and substitution $\sigma$ such that $s|_{p}=l\sigma$ and $t=s[r\sigma]_{p}$ . An equational theory $E$ is said to be permutative if for any $l=r$ in $E$ , the number of occurrences of any (function or variable) symbol in $l$ is equal to the number of occurrences of that symbol in $r$ . Well-known theories such as Associativity ( $A=\{(x+y)+z=x+(y+z)\}$ ), Commutativity ( $C=\{x+y=y+x\}$ ), and Associativity-Commutativity ( $AC=A\cup C$ ) are permutative theories. A theory $E$ is said to be shallow if variables can only occur at a depth at most $1$ in axioms of $E$ . For example, $C$ is shallow but $A$ and $AC$ are not.

Rewrite Relations

A term rewrite system (TRS) is a pair $(\Sigma,R)$ , where $\Sigma$ is a signature and $R$ is a finite set of rewrite rules of the form $l\rightarrow r$ such that $l,r$ are $\Sigma$ -terms, $l$ is not a variable and $\mathit{Var}(r)\subseteq\mathit{Var}(l)$ . A function symbol $f$ is a constructor for $R$ if $\{f\}\cap\{l(\epsilon)~|~l\rightarrow r\in R\}=\emptyset$ . A term $s$ rewrites to a term $t$ w.r.t $R$ , denoted by $s\rightarrow_{R}t$ (or simply $s\rightarrow t$ ), if there exist a position $p$ of $s$ , $l\rightarrow r\in R$ , and substitution $\sigma$ such that $s|_{p}=l\sigma$ and $t=s[r\sigma]_{p}$ . If the rewrite step occurs at the root position (resp., at some non-rooted position) of the term $s$ we denote this as $s\rightarrow_{R}^{\epsilon}t$ (resp., $s\stackrel{{\scriptstyle\neq\epsilon}}{{\rightarrow_{R}}}t$ ). When $\sigma$ is a variable renaming, we say that $s$ rewrites to $t$ applying a variable instance of $l\rightarrow r$ . The reflexive transitive closure of $\rightarrow_{R}$ is denoted by $\rightarrow_{R}^{*}$ . We write $\rightarrow_{R}^{0,1}$ to denote $0$ or $1$ rewrite step w.r.t $R$ . The composition of relations is denoted by the $(.)$ operator; for instance, $\rightarrow_{R}.\rightarrow_{R}$ is defined as follows: for any $s,u$ , $s\rightarrow_{R}.\rightarrow_{R}u$ if there exists some $t$ such that $s\rightarrow_{R}t\rightarrow_{R}u$ . A TRS $R$ is terminating if there are no infinite rewriting sequences with respect to $\rightarrow_{R}$ . A TRS $R$ is confluent if, whenever $t\rightarrow_{R}^{*}s_{1}$ and $t\rightarrow_{R}^{*}s_{2}$ , there exists a term $w$ such that $s_{1}\rightarrow_{R}^{*}w$ and $s_{2}\rightarrow_{R}^{*}w$ . A confluent and terminating TRS is called convergent. In a convergent TRS $R$ , we have the existence and the uniqueness of $R$ -normal forms, denoted by $t{\downarrow}_{R}$ for any term $t$ . When $R$ is clear from the context, the normal form of $t$ may be written $t{\downarrow}$ . Given a substitution $\sigma$ , $\sigma{\downarrow}=\{x\mapsto(x\sigma){\downarrow}\}_{x\in Dom(\sigma)}$ is the substitution corresponding to the normal form of $\sigma$ . A substitution $\sigma$ is in $R$ -normal form (or $R$ -normalized) if $\sigma=\sigma{\downarrow}$ .

A convergent term rewrite system (TRS) $R$ is said to be subterm convergent if for any $l\rightarrow r\in R$ , $r$ is either a strict subterm of $l$ or a constant. An equational theory, $E$ , is subterm convergent if it is presented by a subterm convergent TRS. That is, there exists a subterm convergent TRS, $R$ , such that $=_{E}$ and $=_{R}$ coincide. By a slight abuse of notation, the equational theory of $R$ , given by $\{l=r~|~l\rightarrow r\in R\}$ , may also be denoted by $R$ . The size of a TRS $R$ is defined as

c_{R}=max_{\{l~|~l\rightarrow r\in R\}}(|l|,ar(R)+1)

where $ar(R)$ is the maximal arity of any function symbol occurring in $R$ .

Remark 1.

We should note that in some papers the definition of subterm convergent is expanded to also include ground terms on the right-hand side. We will use the more classical definition here, allowing only strict subterms and constants on the right-hand side.

{defi}

[Homeomorphic Embedding] The homeomorphic embedding, $\trianglerighteq_{emb}$ is a binary relation on terms such that: $s\trianglerighteq_{emb}t$ if one of the following conditions hold:

(1)

$s=x=t$ for some variable $x$ ,
(2)

$s=f(s_{1},\ldots,s_{n})$ and $t=f(t_{1},\ldots,t_{n})$ and $s_{1}\trianglerighteq_{emb}t_{1},\ldots,s_{n}\trianglerighteq_{emb}t_{n}$ ,
(3)

$s=f(s_{1},\ldots,s_{n})$ and $s_{i}\trianglerighteq_{emb}t$ for some $i$ , $1\leq i\leq n$ .

A TRS $R$ is said to be a homeomorphic-embedded TRS if for any $l\rightarrow r\in R$ , $l\trianglerighteq_{emb}r$ .

More interestingly we can also define $\trianglerighteq_{emb}$ as the reduction relation $\rightarrow^{*}_{R_{emb}}$ induced by the rewrite system $R_{emb}=\{f(x_{1},\ldots,x_{n})\rightarrow x_{i}~|~f\mbox{ is $n$-ary},n\geq 1,~1\leq i\leq n\}$ .

{exa}

[Blind Signatures] The theory of blind signatures [cCDK12] is a
homeomorphic-embedded convergent TRS:

	$\displaystyle\mathit{checksign}(\mathit{sign}(x,y),\mathit{pk}(y))$	$\displaystyle\rightarrow x$
	$\displaystyle\mathit{unblind}(\mathit{blind}(x,y),y)$	$\displaystyle\rightarrow x$
	$\displaystyle\mathit{unblind}(\mathit{sign}(\mathit{blind}(x,y),z),y)$	$\displaystyle\rightarrow\mathit{sign}(x,z)$

Notions of Knowledge

The applied pi calculus and frames are used to model attacker knowledge [AF01]. In this model, the set of messages or terms which the attacker knows, and which could have been obtained from observing a protocol session, are the set of terms in $Ran(\sigma)$ of the frame $\phi=\nu\tilde{n}.\sigma$ , where $\sigma$ is a substitution ranging over ground terms. We also need to model cryptographic concepts such as nonces, keys, and publicly known values. We do this by using names, which are constants.

Here also, we need to track the names which the attacker knows, such as public values, and the names which the attacker does not know a priori, such as freshly generated nonces. In a frame $\nu\tilde{n}.\sigma$ , $\tilde{n}$ is a finite set of restricted names, these names represent freshly generated names which the attacker doesn’t initially know. The set of names occurring in a term $t$ is denoted by $\mathit{fn}(t)$ . For any frame $\phi=\nu\tilde{n}.\sigma$ , let $\mathit{fn}(\phi)$ be the set of names $\mathit{fn}(\sigma)\backslash\tilde{n}$ where $\mathit{fn}(\sigma)=\bigcup_{t\in Ran(\sigma)}\mathit{fn}(t)$ ; and for any term $t$ , let $t\phi$ denote by a slight abuse of notation the term $t\sigma$ . We say that a term $t$ satisfies the name restriction (of $\phi$ ) if $\mathit{fn}(t)\cap\tilde{n}=\emptyset$ . Given any convergent TRS $R$ , the frame $\phi$ is $R$ -normalized if $\sigma$ is $R$ -normalized.

{defi}

[Deduction] Let $\phi=\nu\tilde{n}.\sigma$ be a frame, and $t$ a ground term. We say that $t$ is deduced from $\phi$ modulo $E$ , denoted by $\phi\vdash_{E}t$ , if there exists a term $\zeta$ such that $\zeta\sigma=_{E}t$ and $\mathit{fn}(\zeta)\cap\tilde{n}=\emptyset$ . The term $\zeta$ is called a recipe of $t$ in $\phi$ modulo $E$ .

Another form of knowledge is the ability to tell if two frames are statically equivalent modulo $E$ , sometimes also called indistinguishability.

{defi}

[Static Equivalence] Two terms $s$ and $t$ are equal in a frame $\phi=\nu\tilde{n}.\sigma$ modulo an equational theory $E$ , denoted $(s=_{E}t)\phi$ , if $s\sigma=_{E}t\sigma$ , and ${\tilde{n}}\cap(\mathit{fn}(s)\cup\mathit{fn}(t))=\emptyset$ . The set of all equalities $s=t$ such that $(s=_{E}t)\phi$ is denoted by $Eq(\phi)$ . Given a set of equalities $Eq$ , the fact that $(s=_{E}t)\phi$ for any $s=t\in Eq$ is denoted by $\phi\models Eq$ . Two frames $\phi=\nu\tilde{n}.\sigma$ and $\psi=\nu\tilde{n}.\tau$ are statically equivalent modulo $E$ , denoted as $\phi\approx_{E}\psi$ , if $Dom(\sigma)=Dom(\tau)$ , $\phi\models Eq(\psi)$ and $\psi\models Eq(\phi)$ .

Remark 2.

Again the above definition relies on the use of the frame definition from the pi calculus. One can view the set $\tilde{n}$ of bound names as those secrets the attack doesn’t have initial knowledge of for any run of the protocol. Each of the frames thus represent runs of the protocols when the attacker can then compare.

The local stability property was introduced in [AC06] and improved in [AFN17] as a collection of conditions which is sufficient to get decidability of deduction thanks to a reduction to deduction modulo the empty theory. A simplified definition of this property is introduced below. It is simplified because we do not consider $AC$ -symbols as in [AC06, AFN17]. For the following definition let $st(t)$ be the set of subterms of a term $t$ .

{defi}

[Local Stability [AC06]] A convergent TRS, $R$ , is locally stable if, for every $R$ -normalized frame $\phi=\nu\tilde{n}.\sigma$ , there exists a finite set $sat(\phi)$ of ground terms such that:

•

$Ran(\sigma)\subseteq sat(\phi)$ and $\mathit{fn}(\phi)\subseteq sat(\phi)$ ;
•

if $M_{1},\ldots,M_{k}\in sat(\phi)$ and $f(M_{1},\ldots,M_{k})\in st(sat(\phi))$ , then $f(M_{1},\ldots,M_{k})\in sat(\phi)$ ;
•

if $C[S_{1},\ldots,S_{l}]\rightarrow_{R}^{\epsilon}M$ , where $C$ is a context with $|C|\leq c_{R}$ and $\mathit{fn}(C)\cap\tilde{n}=\emptyset$ , and $S_{1},\ldots,S_{l}\in sat(\phi)$ , then there exist a context $C^{\prime}$ and $S_{1}^{\prime},\ldots,S_{k}^{\prime}\in sat(\phi)$ such that $|C^{\prime}|\leq c_{R}^{2}$ , $\mathit{fn}(C^{\prime})\cap\tilde{n}=\emptyset$ , and $M\rightarrow_{R}^{*}C^{\prime}[S_{1}^{\prime},\ldots,S_{k}^{\prime}]$ ;
•

if $M\in sat(\phi)$ then $\phi\vdash_{R}M$ .

Beside local stability, the additional property of local finiteness is useful for the decidability of static equivalence. In a locally finite theory, only finitely many equalities have to be checked for static equivalence. Helpfully, in a convergent TRS with no $AC$ -symbols, local stability implies local finiteness [AC06]. Since we do not consider $AC$ -symbols in this paper, the approach presented in [AC06] leads to the following result:

{thmC}

[[AC06]] The deduction and static equivalence problems are both decidable in any locally stable TRS.

Since any subterm convergent TRS is locally stable, the decidability of both deduction and static equivalence in the class of subterm convergent TRSs follows from Theorem 2. {exa} Let $E$ be the equational theory presented by the subterm convergent TRS $\{\mathit{dec}(\mathit{enc}(x,y),y)\rightarrow x\}$ . Notice that this theory is subterm convergent and contains no AC symbols. Thus, from Theorem 2 static equivalence is decidable. If we are given two frames, $\phi=\nu\{n\}.\{v\mapsto\mathit{enc}(a,n)\}$ and $\psi=\nu\{n\}.\{v\mapsto\mathit{enc}(b,n)\}$ , then we can apply the saturation based procedure defined in [AC06] to find that these two frames are statically equivalent modulo $E$ . However, consider now $\phi^{\prime}=\nu\{n\}.\{v\mapsto\mathit{enc}(a,n),w\mapsto n\}$ and $\psi^{\prime}=\nu\{n\}.\{v\mapsto\mathit{enc}(b,n),w\mapsto n\}$ . Since $\mathit{dec}(v,w)=_{E}a\in Eq(\phi^{\prime})$ but $\mathit{dec}(v,w)=_{E}a\notin Eq(\psi^{\prime})$ , $\phi^{\prime}$ and $\psi^{\prime}$ are not statically equivalent modulo $E$ .

In this paper, we lift this result to rewrite systems that are beyond the class of subterm convergent rewrite systems.

Term Graphs

Each term $t$ can be viewed in a graphical representation, called a term graph. Each node in the graph is labeled either by a function symbol or a variable. Each function symbol node also has an associated successor number, corresponding to the arity of the function. Edges connect the nodes of the term graph based on the subterm relation. The notion of term graph is illustrated in Examples 3 and 7.

{defi}

[Term Graph Measures] We introduce some convenient notation:

•

Let $\mathit{VP}(t)$ denote the list of leaf nodes in the term graph of a term $t$ labeled by a variable. Notice that two distinct nodes could be labeled by the same variable.
•

Let $\mathit{FP}(t)$ denote the list of nodes in the term graph of $t$ labeled by a function symbol. Notice that two distinct nodes could be labeled by the same function symbol.
•

Let $\mathit{FS}(t)$ denote the set of function symbols in the term $t$ .

Some Graph Theory

We will also need a few notions from graph theory, we introduce those in this section. We will typically use $G$ to denote a graph, $V$ the set of vertices and $E\subseteq V\times V$ the set of edges of the graph.

{defi}

[Graph Isomorphism] Let $G=(V,E)$ and $G^{\prime}=(V^{\prime},E^{\prime})$ be two graphs. We say that $G$ and $G^{\prime}$ are isomorphic, denoted $G\simeq G^{\prime}$ , if there exists a bijection $\phi:V\rightarrow V^{\prime}$ with $xy\in E$ iff $\phi(x)\phi(y)\in E^{\prime}$ , $\forall x,y\in V$ .

{defi}

[Edge Contraction] Let $G=(V,E)$ and $e=xy$ . $G/e$ is the graph $G^{\prime}=(V^{\prime},E^{\prime})$ such that $V^{\prime}=(V\setminus\{x,y\})\cup\{v_{e}\}$ , where $v_{e}$ is a new vertex, and $E^{\prime}=\{vw\in E~|~\{v,w\}\cap\{x,y\}=\emptyset\}\cup\{v_{e}w~|~xw\in E\setminus\{e\}\text{ or }yw\in E\setminus\{e\}\}$ .

We say that $G^{\prime}$ is obtained from $G$ by contracting the edge $e$ .

We use the following definition of graph minor which essentially says that a graph minor of a graph $G$ can be obtained by a series of graph contractions (see [Die06] for more details).

{defi}

[Graph Minor] The graph $G^{\prime}$ is a graph minor of the graph $G$ , if there exist graphs $G_{0},~G_{1},~\ldots,~G_{n}$ and edges $e_{i}\in G_{i}$ such that $G=G_{0}$ , $G_{n}\simeq G^{\prime}$ , and $G_{i+1}=G_{i}/e_{i}$ for $i=0,\ldots,n-1$ . We use the notation $G\succcurlyeq G^{\prime}$ if $G^{\prime}$ is a graph minor of $G$ .

Next, we extend the graph minor definition above to terms using term graphs. For terms $t$ and $t^{\prime}$ , $t\succcurlyeq t^{\prime}$ if for the corresponding term graphs of $t$ and $t^{\prime}$ , denoted as $G$ and $G^{\prime}$ respectively, we have $G\succcurlyeq G^{\prime}$ .

Remark 3.

Note, in the classical definition of graph minor (see [Die06]), if $G$ is a subgraph of a larger graph $G_{large}$ and $G\succcurlyeq G^{\prime}$ , then also $G_{large}\succcurlyeq G^{\prime}$ . However, this component of the definition is not necessary for the results of this paper and by leaving it out we are able to simplify the later definitions and presentation.

The above type of embedding, denoted by $\succcurlyeq$ , provides more flexibility than the traditional subterm relation while still preserving some features we need.

{exa}

Notice that $G^{\prime}$ is obtained from $G$ by first applying a sequence of edge contractions, contracting the edge depicted by $||$ at each step, resulting in $G_{2}$ , and finally $G_{2}\simeq G^{\prime}$ . Therefore, $G\succcurlyeq G^{\prime}$ .

We can now extend the above graph-theoretic notions to the term rewrite setting.

3. Graph-Embedded Systems

The key to translating from the graph theory setting to the term setting is to use the same method, edge contractions, but then only consider the term graphs representing well-formed terms. That is, we need to enforce the notion of a well formed term.

To begin we need to model the graph isomorphism. A restricted form of isomorphism can be translated into the term rewriting setting by considering permutations.

{defi}

[Leaf and Subterm Permutations] We define two types of permutations, $\approx_{s}$ and $\approx_{l}$ :

(1)
For terms $t$ and $t^{\prime}$ , we say $t$ is subterm permutatively equal to $t^{\prime}$ , denoted $t\approx_{s}t^{\prime}$ , if one of the following is true:
1. (a)
  
  $t=t^{\prime}$ , where $t$ and $t^{\prime}$ are constants or variables, or
2. (b)
  
  $t=f(u_{1},\ldots,u_{n})$ and $t^{\prime}=f(u_{\sigma(1)},\ldots,u_{\sigma(n)})$ where $f$ is a $n$ -ary function symbol, $n\geq 1$ , and $\sigma$ is a permutation of the indexes $(1,\ldots,n)$ .
(2)

For terms $t$ and $t^{\prime}$ , we say $t$ is leaf permutatively equal to $t^{\prime}$ , denoted $t\approx_{l}t^{\prime}$ , if $t^{\prime}=t\sigma$ and $\sigma$ is the unique endomorphism of $T(\Sigma\cup V)$ such that its restriction to $\mathit{Var}(t)\cup Cst(t)$ is a permutation on $\mathit{Var}(t)\cup\mathit{Cst}(t)$ , and $u\sigma=u$ for any constant/variable $u$ not in $\mathit{Var}(t)\cup\mathit{Cst}(t)$ .

The first type of permutation, $\approx_{s}$ , allows for permutation inside the term but preserves the layer like structure of the function symbols in the term graph. The second type of permutation in the classical leaf permutability and is restricted to the leaf nodes, i.e., just the variables and constants of the term graph. We will use a combination of the above two permutations in the definition employed for graph-embedded TRS. {defi}[Permutatively Equal] For terms $t$ and $t^{\prime}$ , we say $t$ is permutatively equal to $t^{\prime}$ , denoted $t\approx t^{\prime}$ , if $t\approx_{s}t^{\prime\prime}\approx_{l}t^{\prime}$ , for some term $t^{\prime\prime}$ .

Remark 4.

It is useful here to remark on the motivation of the above definition, $\approx$ . The goal is to model the graph isomorphism property. At the same time one needs to be careful not to be too broad and remove layer preserving properties of Definition 4 and thus later protocol properties such as local stability (see Definition 2). In addition, one cannot be too restricted and disallow working protocol representations such as Example 7 which requires more than just leaf permutability. However, it may be possible to improve upon the above definition and allow for additional systems while still maintaining the decidability of the knowledge problems shown here, see the discussion in Section 8.

The next step is to develop a set of rewrite schemas which preserve a type of graph minor relation on the term graphs. This set of rewrite schemata then induces a graph-embedded term rewrite system. Notice that this is very similar to what is often done when considering the homeomorphic embeddings, see Definition 1.

{defi}

[Graph Embedding] Consider the following reduction relation, $\rightarrow^{*}_{R_{gemb}}$ , where $R_{gemb}$ is the set of rules given by the instantiation of the following rule schema:

\left\{\begin{array}[]{ll}&\text{for any }f\in\Sigma\\ (1)&f(x_{1},\ldots,x_{n})\rightarrow x_{i}\\ (2)&f(x_{1},\ldots,~x_{i-1},~x_{i},~x_{i+1}~\ldots,~x_{n})\rightarrow f(x_{1},\ldots,~x_{i-1},~x_{i+1},~\ldots,~x_{n})\\ &\text{and for any }f,g\in\Sigma\\ (3)&f(x_{1},\ldots,x_{i-1},g(\bar{z}),x_{i+1},~\ldots,x_{m})\rightarrow g(x_{1},\ldots,~x_{i-1},\bar{z},x_{i+1},~\ldots,x_{m})\\ (4)&f(x_{1},\ldots,x_{i-1},g(\bar{z}),x_{i+1},~\ldots,x_{m})\rightarrow f(x_{1},\ldots,~x_{i-1},\bar{z},x_{i+1},~\ldots,x_{m})\end{array}\right\}

We say a term $t^{\prime}$ is graph-embedded in a term $t$ , denoted $t\succcurlyeq_{gemb}t^{\prime}$ , if $t^{\prime}$ is a well formed term and there exists a term $s$ such that $t\rightarrow_{R_{gemb}}^{*}s\approx t^{\prime}$ .

A TRS $R$ is graph-embedded if for any $l\rightarrow r\in R$ , $l\succcurlyeq_{gemb}r$ or $r$ is a constant.

Remark 5.

Notice that the rules in $R_{gemb}$ ignore function arity, thus intermediate terms between $t$ and $t^{\prime}$ may not be well formed. It is only the final term for which function arity and the relation between variables and functions must obey the standard term definition requirements. The schemata are being used to establish the graph-embedded property of a TRS.

Remark 6.

The rules of Definition 4 provide a convenient schemata for defining graph-embedded systems. However, they are also very useful in proving properties about graph-embedded systems. Notice that any rewrite step in a graph-embedded system corresponds to one or more steps of the above rules, thus proofs about graph-embedded TRSs can often be reduced to arguments on the properties of the rules of Definition 4.

Definition 4 provides a rewrite relation interpretation of graph-embedded systems which is contained in the $\succcurlyeq$ relation given in Definition 2. This is due to the fact that if one applies one of the rule schema from Definition 2 to a term, $t$ , this correspond to one or more edge contractions applied to the term graph of $t$ , therefore we obtain the following:

Lemma 7.

For any terms $t$ and $t^{\prime}$ , $t\succcurlyeq_{gemb}t^{\prime}$ implies $t\succcurlyeq t^{\prime}$ , i.e., $\succcurlyeq_{gemb}~\subseteq~\succcurlyeq$ .

{exa}

Consider the two terms $t=f(h(a,b),h(c,d))$ and $t^{\prime}=f(d,a)$ . Then, $t\succcurlyeq_{gemb}t^{\prime}$ , since $t\rightarrow_{R_{gemb}}^{*}s\approx t^{\prime}$ where the derivation $t\rightarrow_{R_{gemb}}^{*}s$ is as follows:

\rightarrow_{R_{gemb}}^{*}

\rightarrow_{R_{gemb}}^{*}

{exa}

[Malleable Encryption] Consider the theory of Malleable Encryption, $R_{mal}$ :

	$\displaystyle\mathit{dec}(\mathit{enc}(x,y),y)$	$\displaystyle\rightarrow x$
	$\displaystyle\mathit{mal}(\mathit{enc}(x,y),z)$	$\displaystyle\rightarrow\mathit{enc}(z,y)$

For the second rule, let $t_{1}=\mathit{mal}(\mathit{enc}(x,y),z)$ , and consider the following derivation $t_{1}\rightarrow_{R_{gemb}}^{*}t_{3}$ :

\rightarrow_{R_{gemb}}^{(rule~3)}

\rightarrow_{R_{gemb}}^{(rule~2)}

Since $t_{3}\approx\mathit{enc}(z,y)$ , we have $\mathit{mal}(\mathit{enc}(x,y),z)\succcurlyeq_{gemb}\mathit{enc}(z,y)$ . The first rule of $R_{mal}$ being subterm, $\mathit{dec}(\mathit{enc}(x,y),y)\succcurlyeq_{gemb}x$ . Thus, $R_{mal}$ is a graph-embedded TRS.

{exa}

The theory of blind signatures from Example 1 is also a graph-embedded TRS. All but the final rule are subterm. For the final rule,

\mathit{unblind}(\mathit{sign}(\mathit{blind}(x,y),z),y)\rightarrow_{R_{gemb}}\mathit{sign}(\mathit{blind}(x,y),z)

via the $R_{gemb}$ rule (1). Then,

\mathit{sign}(\mathit{blind}(x,y),z)\rightarrow_{R_{gemb}}\mathit{sign}(x,y,z)

via the $R_{gemb}$ rule (4). Notice again that this intermediate term is not well formed. Finally

\mathit{sign}(x,y,z)\rightarrow_{R_{gemb}}\mathit{sign}(x,z)\approx\mathit{sign}(x,z)

via $R_{gemb}$ rule (2).

{exa}

[Addition] Consider the theory of Addition, $R_{add}$ , from [AC06]:

	$\displaystyle\mathit{plus}(x,s(y))$	$\displaystyle\rightarrow\mathit{plus}(s(x),y)$
	$\displaystyle\mathit{plus}(x,0)$	$\displaystyle\rightarrow x$
	$\displaystyle\mathit{pred}(s(x))$	$\displaystyle\rightarrow x$

$R_{add}$ is a graph-embedded TRS. Notice that $\mathit{plus}(x,s(y))\approx\mathit{plus}(s(x),y)$ .

{exa}

[Prefix with Pairing] The theory of prefix with pairing [CDL06, DDKS17] is a graph-embedded TRS:

	$\displaystyle\mathit{dec}(\mathit{enc}(x,y),y)$	$\displaystyle\rightarrow x$
	$\displaystyle(\mathit{enc}(<x,y>,z))$	$\displaystyle\rightarrow\mathit{enc}(x,z)$
	$\displaystyle\mathit{fst}(<x,y>)$	$\displaystyle\rightarrow x$
	$\displaystyle\mathit{snd}(<x,y>)$	$\displaystyle\rightarrow y$

{exa}

[Trap-door Commitment] The theory of trap-door commitment [cCDK12] is a graph-embedded TRS:

	$\displaystyle\mathit{open}(\mathit{td}(x,y,z),y)$	$\displaystyle\rightarrow x$
	$\displaystyle\mathit{open}(\mathit{td}(x_{1},y,z),f(x_{1},y,z,x_{2}))$	$\displaystyle\rightarrow x_{2}$
	$\displaystyle\mathit{td}(x_{2},f(x_{1},y,z,x_{2}),z)$	$\displaystyle\rightarrow\mathit{td}(x_{1},y,z)$
	$\displaystyle f(x_{2},f(x_{1},y,z,x_{2}),z,x_{3})$	$\displaystyle\rightarrow f(x_{1},y,z,x_{3})$

{exa}

[Strong Secrecy] Subterm convergent theories where the right hand sides are strict subterms or constants are graph-embedded. For example, the following system for considering a form of strong secrecy [Bla04, CCcCK16]:

	$\displaystyle\mathit{fst}(<x,y>)$	$\displaystyle\rightarrow x$
	$\displaystyle\mathit{snd}(<x,y>)$	$\displaystyle\rightarrow y$
	$\displaystyle\mathit{adec}(\mathit{aenc}(x,\mathit{pk}(y)),y)$	$\displaystyle\rightarrow x$
	$\displaystyle\mathit{dec}(\mathit{enc}(x,y),y)$	$\displaystyle\rightarrow x$
	$\displaystyle\mathit{check}(\mathit{sign}(x,y),\mathit{pk}(y))$	$\displaystyle\rightarrow\mathit{ok}$
	$\displaystyle\mathit{msg}(\mathit{sign}(x,y))$	$\displaystyle\rightarrow x$

3.1. Some Properties of Graph-Embedded Systems

As an initial step we explore some of the basic properties of the graph-embedded TRSs. Similar to the class of subterm TRSs, the graph-embedded TRSs have several nice properties such as termination.

We can first note that the $\succcurlyeq_{gemb}$ relation is a partial order on the class of terms. This follows from Lemma 7 and the fact that the graph-embedded relation is a partial ordering on the class of finite graphs (See Proposition 1.7.3 from [Die06]).

In addition, rewriting at the root position preserves the graph-embedded property. This is due to the fact that for any graph-embedded TRS $R$ and for any $l\rightarrow r\in R$ , $l\succcurlyeq_{gemb}r$ . Thus, $l\sigma=t_{1}\succcurlyeq_{gemb}t_{2}=r\sigma$ . More formally, if $t_{1}$ and $t_{2}$ are terms, $R$ a graph-embedded TRS, and $t_{1}\rightarrow_{R}^{\epsilon}t_{2}$ , then, $t_{1}\succcurlyeq_{gemb}t_{2}$ .

Graph-embedded systems also have the nice property of being size reducing when rewrite steps are applied and thus terminating.

Lemma 8.

Let $R$ be a graph-embedded TRS such that for all $l\rightarrow r\in R$ , $l\rightarrow_{R_{gemb}}^{+}\cdot\approx r$ . Assume $t\rightarrow_{R}t^{\prime}$ . Then,

•

$|\mathit{Var}(t^{\prime})|\leq|\mathit{Var}(t)|$ ,
•

$|\mathit{VP}(t^{\prime})|\leq|\mathit{VP}(t)|$ ,
•

$\mathit{FS}(t^{\prime})\subseteq\mathit{FS}(t)$ ,
•

$|\mathit{FP}(t^{\prime})|<|\mathit{FP}(t)|$ .

Proof 3.1.

No rule from Definition 4 introduces additional function symbols or variables, satisfying the first and third condition. All rules from Definition 4 remove function symbols except the second rule and $\approx$ . Notice that if rule 2 is applied then one of the other rules must also be applied to ensure the final term is well formed. Finally, since we require that at least one rewrite step is applied, the size of the term will be reduced even if $\approx$ doesn’t reduce the size of the term. Thus the remaining conditions are satisfied.

Remark 9.

Notice that if only $\approx$ steps are applied in a graph-embedded system then termination is not guaranteed. However, if at least one rewrite rule from $R_{gemb}$ is applied then by Lemma 8, the system will be terminating.

Comparing Definitions

We compare the definitions of graph embedded and homeomorphic embedding. Consider Malleable Encryption, $R_{mal}$ , from Example 7. $R_{mal}$ is a graph-embedded TRS, as is shown in Example 7. However, $R_{mal}$ is not a homeomorphic-embedded TRS. This can be seen in the rule $\mathit{mal}(\mathit{enc}(x,y),z)\rightarrow\mathit{enc}(z,y)$ . There is no way to obtain the term $\mathit{enc}(z,y)$ from the term $\mathit{mal}(\mathit{enc}(x,y),z)$ by application of only the projection rule, $f(x_{1},\ldots,x_{n})\rightarrow x_{i}$ . Thus, it’s easy to see that there exist graph-embedded TRSs which are not homeomorphic-embedded TRSs. Furthermore, we see that homeomorphic-embedded TRSs are a subset of graph-embedded TRSs.

{exa}

Consider the theory of trap-door commitment from Example 7. Notice that this theory is not a homeomorphic-embedded TRS. For the final rule,

f(x_{2},f(x_{1},y,z,x_{2}),z,x_{3})\rightarrow f(x_{1},y,z,x_{3}),

we cannot obtain the right-hand side from the left by the simple projection type relation of Definition 1.

In the rest of the paper we look at how graph-embedded TRSs can be used to both extend results in security protocols and also give a formal syntactic definition to classes of protocol presentations for which the decidability of the two knowledge problems are already known but are not contained in the class of strictly subterm convergent theories. We focus on theories with the local stability property as introduced in [AC06] (and extended in [AFN17]). For this purpose, we need to consider a restricted form of graph-embedded system called contracting system introduced in Definition 13. One can show that without such a restriction, the knowledge problems for graph-embedded TRSs are undecidable in general.

4. Undecidable Knowledge Problems

It is shown in [AC06] that the knowledge problems are undecidable in general. For graph-embedded systems we construct a proof that uses a reduction from the Modified Post Correspondence Problem (MPCP), a well known undecidable problem. This proof is similar to two other undecidability proofs developed in [ALL⁺12], and in the research report [ANR07b] of the paper [ANR07a].

Let $\Gamma=\{a,b\}$ be the alphabet of the $MPCP$ problem. Then, an instance of the problem is a finite set of string pairs, $S=\{(\alpha_{i},\beta_{i})|~i\in[1,n]\}\subseteq\Gamma^{+}\times\Gamma^{+}$ , and two input strings $\alpha_{0}\in\Gamma^{*}$ , and $\beta_{0}\in\Gamma^{*}$ . A solution is a sequence of indexes $i_{1},\ldots i_{k}\in[1,n]$ such that $\alpha_{i_{1}}\alpha_{i_{2}}\ldots\alpha_{i_{k}}=\beta_{i_{1}}\beta_{i_{2}}\ldots\beta_{i_{k}}$ , $\alpha_{0}$ is a suffix of $\alpha_{i_{1}}\alpha_{i_{2}}\ldots\alpha_{i_{k}}$ , and $\beta_{0}$ is a suffix of $\beta_{i_{1}}\beta_{i_{2}}\ldots\beta_{i_{k}}$ . That is, there are string $\alpha^{\prime},\beta^{\prime}\in\Gamma^{*}$ s.t. $\alpha_{i_{1}}\alpha_{i_{2}}\ldots\alpha_{i_{k}}=\alpha^{\prime}\cdot\alpha_{0}=\beta^{\prime}\cdot\beta_{0}=\beta_{i_{1}}\beta_{i_{2}}\ldots\beta_{i_{k}}$ . Notice that the standard $PCP$ is easily reducible to this $MPCP$ by setting $\alpha_{0}$ and $\beta_{0}$ to the empty string.

Lemma 10.

The deduction problem is undecidable for the class of homeomorphic-embedded convergent TRSs.

Proof 4.1.

Let $MPCP=\alpha_{0},~\beta_{0},\textit{ and }\{(\alpha_{i},\beta_{i})|~i\in[1,n]\}$ over the alphabet $\Gamma=\{a,b\}$ . Consider unary function symbols $locked$ , $unlocked$ , $a$ , $b$ , $g_{1},\dots,g_{n}$ , a quaternary function $f$ , and constants $c$ , $d$ , $e$ .

Each string from the $MPCP$ can be viewed as a sequence of applications of the unary function symbols. We can convert a string over $\Gamma$ into a term using function symbols $a$ and $b$ as follows. For an alphabet symbol $\widetilde{\gamma}\in\Gamma$ , represent by $\gamma$ the corresponding function symbol. That is, if $\widetilde{\gamma}=a$ , then $\gamma=a()$ . Likewise, if $\widetilde{\gamma}=b$ , then $\gamma=b()$ . Now for each pair of strings, $(\alpha_{i},\beta_{i})$ , we can recursively construct the function interpretation of each string, $\widetilde{\alpha}$ , as follows: $\widetilde{\alpha_{i}}(x)=\widetilde{\gamma\alpha_{i}^{\prime}}(x)=\gamma(\widetilde{\alpha_{i}^{\prime}}(x))$ , and $\widetilde{\beta_{i}}(x)=\widetilde{\gamma\beta_{i}^{\prime}}(x)=\gamma(\widetilde{\beta_{i}^{\prime}}(x))$ .

Let $R=B\cup U$ where

	$\displaystyle B$	$\displaystyle=\bigcup_{i=1}^{n}\{f(\widetilde{\alpha_{i}}(x),g_{i}(y),\widetilde{\beta_{i}}(z),unlocked(z))\rightarrow f(x,y,z,unlocked(z))\},$
	$\displaystyle U$	$\displaystyle=\{f(x,y,x,locked(unlocked(z)))\rightarrow f(x,y,x,unlocked(z))\}.$

The rules in $B$ are called the block rules, while the rule in $U$ is called the unlock one. The function symbols $g_{1},\dots,g_{n}$ (and the $locked$ in the final rule) ensure there are no critical pairs between rules and thus we have a convergent TRS.

Now construct the frame $\phi=\nu\tilde{n}.\sigma$ where $\tilde{n}=\{c,e\}$ and $\sigma=\{x\mapsto\widetilde{\alpha_{0}}(c),y\mapsto\widetilde{\beta_{0}}(c),z\mapsto locked(unlocked(e))\}$ , and let the target ground term to be deduced be $f(c,d,c,unlocked(e))$ .

Let us show that there exists a recipe $\zeta$ such that $\zeta\sigma\rightarrow_{R}^{!}f(c,d,c,unlocked(e))$ iff there is a solution to the $MPCP$ .

•

Let $\alpha_{i_{1}}\alpha_{i_{2}}\ldots\alpha_{i_{k}}=\beta_{i_{1}}\beta_{i_{2}}\ldots\beta_{i_{k}}$ , be a solution to the $MPCP$ problem. Let $\alpha^{\prime}\cdot\alpha_{0}=\alpha_{i_{1}}\alpha_{i_{2}}\ldots\alpha_{i_{k}}$ and $\beta^{\prime}\cdot\beta_{0}=\beta_{i_{1}}\beta_{i_{2}}\ldots\beta_{i_{k}}$ . Then, $\widetilde{\alpha^{\prime}}(x)\sigma=\widetilde{\beta^{\prime}}(y)\sigma$ . Now, for each block, $i$ in the $MPCP$ , there exists a single block rule, containing $g_{i}$ , that removes the $\alpha_{i}$ and $\beta_{i}$ . Therefore, the recipe $\zeta=f(\widetilde{\alpha^{\prime}}(x),g_{i_{1}}(\ldots(g_{i_{k}}(d))),\widetilde{\beta^{\prime}}(y),z)$ is a solution recipe since:

	$\displaystyle\zeta\sigma$	$\displaystyle=f(\widetilde{\alpha^{\prime}(\alpha_{0}(c))},g_{i_{1}}(\ldots(g_{i_{k}}(d))),\widetilde{\beta^{\prime}(\beta_{0}(c))},locked(unlocked(e)))\rightarrow_{R}^{unlock}$
		$\displaystyle f(\widetilde{\alpha^{\prime}(\alpha_{0}(c))},g_{i_{1}}(\ldots(g_{i_{k}}(d))),\widetilde{\beta^{\prime}(\beta_{0}(c))},unlocked(e))\rightarrow^{!}_{R}f(c,d,c,unlocked(e))$

•

Let $\zeta$ be a recipe term such that $\zeta\sigma\rightarrow^{!}_{R}f(c,d,c,unlocked(e))$ then there is a solution to the $MPCP$ and it can be extracted from the indexes of the $g_{i}$ function symbol in the term $\zeta\sigma$ . This is due to the fact that the two strings must be the same, otherwise the unlock rule in $U$ cannot be applied. Notice also that this rule must be applied before any of the remaining rules since it “unlocks” the function $unlocked$ which is required for the other block rules. Next since each of the rules represents a string pair in the $MPCP$ problem, if $\zeta\sigma$ reduces to the target $f(c,d,c,unlocked(e))$ , then the strings in $\zeta\sigma$ are composed exactly of $MPCP$ string pairs. Finally, the recipe cannot just be $f(c,d,c,unlocked(e))$ since $c,e\in\tilde{n}$ . In addition, the recipe cannot contain $unlocked(e)$ before applying the substitution $\sigma$ , since $e\in\tilde{n}$ .

{exa}

Consider the following $MPCP$ :

\overbrace{\left(\frac{ba}{baa}\right)}^{\text{\text{pair 1}}},~\overbrace{\left(\frac{ab}{ba}\right)}^{\text{\text{pair 2}}},~\overbrace{\left(\frac{\vphantom{b}aaa}{aa}\right)}^{\text{\text{pair 3}}}

Assume the two starting string are: $\alpha_{0}=aa$ and $\beta_{0}=a$ .

Following the construction of Lemma 10:

R=\left\{\begin{array}[]{ll}f(b(a(x)),g_{1}(y),b(a(a(z))),unlocked(z))&\rightarrow f(x,y,z,unlocked(z))\\ f(a(b(x)),g_{2}(y),b(a(z)),unlocked(z))&\rightarrow f(x,y,z,unlcoked(z))\\ f(a(a(a(x))),g_{3}(y),a(a(z)),unlocked(z))&\rightarrow f(x,y,z,unlocked(z))\\ f(x,y,x,locked(unlocked(z)))&\rightarrow f(x,y,x,unlocked(z))\end{array}\right\}

In addition, $\widetilde{\alpha_{0}}(c)=a(a(c))$ and $\widetilde{\beta_{0}}(c)=a(c)$ . Notice there is a solution with indexes 1 and 3. That is, $baa\cdot\alpha_{0}=\alpha_{1}\cdot\alpha_{3}=baaa\cdot\beta_{0}=\beta_{1}\cdot\beta_{3}$ .

The starting frame is: $\phi=\nu\{c,e\}.\{x\mapsto a(a(c)),~y\mapsto a(c),z\mapsto locked(unlocked(e))\}$ . Then, there is a solution recipe: $\zeta=f(b(a(a(x))),g_{1}(g_{3}(d)),b(a(a(a(y)))),z)$ , since $\zeta\sigma\rightarrow^{!}_{R}f(c,d,c,unlocked(e))$ .

As a corollary of Lemma 10 we obtain the following.

Corollary 11.

The deduction problem is undecidable for the class of graph-embedded convergent TRSs.

Remark 12.

Note that the knowledge problems of deduction and static-equivalence were already proven undecidable in general in [AC06], where a reduction from PCP is also used. However, the system used in the proof from [AC06] is not graph-embedded and it’s not clear how to directly adapt that proof to the graph-embedded case of Lemma 10.

Finally, let us note that the above proof fixes an error with the proof of the same result presented in [SEMR23]. There, the system would erroneously allow trivial solutions since it did not include an unlock type rule that forces the two string to be equal.

5. Decidable Knowledge Problems

We consider below a restricted form of the graph-embedded TRS for which we can show decidability of the knowledge problems. The key to the definition is to start with a graph-embedded system but then to require a set of “projection rules”. These rules, in a way, provide access to subterms which may be modified during some rewrite derivation. Access to these subterms is important for the success of the saturation based decision procedure ([AC06]) for showing decidability of the knowledge problems (see Definition 16 below). Having access to subterms is a critical property in a number of definitions for which the knowledge problems are considered. It is a key feature in subterm convergent TRSs. It is also a feature in $\Delta$ -strong theories, defined in [ANR07a], where the cap problem, a form of the deduction problem, is studied for such theories (see Section 6.1). We can now introduce the type of projection rules we will require.

{defi}

[Projecting Rule] Let $R$ be a TRS, $x$ a variable and $t$ a term with a single occurrence of $x$ . A projecting rule in $R$ over $t$ leading to $x$ is a rule in $R$ which is a variant of $t^{\prime}\rightarrow x$ where $t^{\prime}$ is a superterm of $t$ with no additional occurrences of $x$ .

Remark 13.

The requirement that $x$ only occurs once in the left-hand side allows us to rule out projecting rules which don’t help in producing new knowledge during the saturation procedure (Definition 16). For example, a rule of the form $f(x,g(x))\rightarrow x$ requires that you already have knowledge of the subterm of $g()$ in order to derive the subterm. However, this restriction doesn’t require that the entire term be linear. For example, $\mathit{dec}(\mathit{enc}(x,y),y)\rightarrow x$ is a valid projecting rule since you only need to know $y$ to unlock the $enc()$ term and obtain the subterm instantiating $x$ .

How these projecting rules relate to the entire term-rewrite system can now be defined. We consider the relation to a rewrite derivation, using the graph-embedded rules, and then the permutation relation.

{defi}

[Projection-Closed Derivation] Let $R$ be a TRS. A non-empty $R_{gemb}$ -derivation is said to be projection-closed with respect to $R$ if it has the form

s\rightarrow_{R_{gemb}}^{l\rightarrow r,\gamma}s^{\prime}\rightarrow_{R_{gemb}}^{*}t

where

•

$s$ is a linear term and $t$ is a well formed term,
•

$l\rightarrow r$ is a $R_{gemb}$ rule among (1), (2) and (4),
•

$\gamma$ is a substitution ranging over variables,
•

if $l\rightarrow r$ is rule (1), $f(x_{1},\ldots,x_{n})\rightarrow x_{i}$ , then for any $x_{i}\gamma$ occurring in $t$ there exists a projecting rule in $R$ over $f(x_{1},\ldots,x_{n})\gamma$ leading to $x_{i}\gamma$ ,
•

if $l\rightarrow r$ is rule (4), $f(x_{1},\ldots,x_{i-1},g(\bar{z}),x_{i+1},~\ldots,x_{m})\rightarrow f(x_{1},\ldots,~x_{i-1},\bar{z},x_{i+1},~\ldots,x_{m})$ , then for any $z_{i}\gamma$ occurring in $t$ there exists a projecting rule in $R$ over $g(\bar{z})\gamma$ leading to $z_{i}\gamma$ ,
•

$s^{\prime}\rightarrow_{R_{gemb}}^{*}t$ is either projection-closed with respect to $R$ or empty.

{defi}

[Projection-Closed Permutative Equality] Let $R$ be a TRS and $l=r$ a permutative equality obtained by one or zero applications of $\approx_{s}$ followed by one or zero applications of $\approx_{l}$ . The equality $l=r$ is said to be projection-closed with respect to $R$ if the following holds: for any variable $x$ occurring in a strict subterm $l^{\prime}\neq x$ of $l$ and in a strict subterm $r^{\prime}$ of $r$ such that $l^{\prime}\neq r^{\prime}$ , then there exists a projecting rule in $R$ over $l^{\prime}$ leading to $x$ .

Based on Definitions 13 and 13, we can now introduce the subset of graph-embedded rules for which we can obtain decidability of the knowledge problems.

{defi}

[Contracting TRS]

A TRS $R$ is said to be contracting if for any non-subterm rule $l\rightarrow r$ in $R$ one of the following holds:

•

there exist a position $p$ of $l$ , a substitution $\sigma$ ranging over variables, a projection-closed derivation $g\rightarrow_{R_{gemb}}^{+}d$ with respect to $R$ such that $l{|_{p}}=g\sigma$ and $r=d\sigma$ is of depth $1$ ,
•

$l=r$ is a permutative equality of depth $2$ which is projection-closed with respect to $R$ .

A contracting TRS, $R$ , is strictly contracting if for any $l\rightarrow r\in R$ , $depth(l)>depth(r)$ .

Remark 14.

Note that the projection-closed derivation in Definition 13 starts at some subterm of $l$ , say $l|_{p}$ . To get this subterm $l|_{p}$ from $l$ thanks a rewriting derivation with respect to $R_{gemb}$ , it suffices to apply repeatedly rule $(1)$ in $R_{gemb}$ at the root until it reaches $l|_{p}$ . These root applications of rule $(1)$ don’t necessarily require projecting rules, as the non-root applications of rule $(1)$ will in the projection-closed derivation. See Example 5 below an illustration of this fact.

It is also worth pointing out that the requirement on $g$ being a linear term (in Definition 13) is a way to identify individual instances of variables, which is needed to identifying the variable for which a projection rule is required (in Definition 13). However, the requirement that $g$ be linear is not a restriction requiring that $l$ (in Definition 13) be a linear term. Notice that $\sigma$ is a substitution ranging over variables and used to match $l|_{p}$ with $g$ . Thus, even if $g$ is linear, it doesn’t require that $l$ is linear.

Although the definition restricts the set of graph-embedded systems it is still sufficient to model many security protocols of interest. We include several such examples below.

{exa}

Consider the theory of blind signatures from Example 1. This theory is contracting. Let’s look at the rule: $\mathit{unblind}(\mathit{sign}(\mathit{blind}(x,y),z),y)\rightarrow\mathit{sign}(x,z)$ and see how it satisfies the above definitions for contracting convergent systems by identifying the subterm $l|_{p}$ , and the projection-closed derivation. Let’s construct this derivation step by step.

•

Let $l=\mathit{unblind}(\mathit{sign}(\mathit{blind}(x,y),z),y)$ . We can start the projection-closed derivation at the subterm $\mathit{sign}(\mathit{blind}(x,y),z)$ , that is $l|_{1}=\mathit{sign}(\mathit{blind}(x,y),z)$ . We can obtain this subterm by first applying an instance of rule 1 at the root of $l$ . Then, $l=\mathit{unblind}(\mathit{sign}(\mathit{blind}(x,y),z),y)\rightarrow_{R_{gemb}}^{\epsilon,\textit{rule 1}}\mathit{sign}(\mathit{blind}(x,y),z)$ .

•

Now we can apply a projection-closed derivation on $l|_{1}$ :

(1)

Let $l|_{1}=\mathit{sign}(\mathit{blind}(x,y),z)$ , $g=\mathit{sign}(\mathit{blind}(x_{1},x_{2}),x_{3})$ , and $\sigma=\{x_{1}\mapsto x,~x_{2}\mapsto y,~x_{3}\mapsto z,\}$ . Then, $l|_{1}=g\sigma$ .

(2)

There is a projection-closed derivation:

	$\displaystyle g=\mathit{sign}(\mathit{blind}(x_{1},x_{2}),x_{3})$	$\displaystyle\rightarrow_{R_{gemb}}^{\textit{rule 4}}\mathit{sign}(x_{1},x_{2},x_{3})$
	$\displaystyle\mathit{sign}(x_{1},x_{2},x_{3})$	$\displaystyle\rightarrow_{R_{gemb}}^{\textit{rule 2}}\mathit{sign}(x_{1},x_{3})$

(3)

$r=\mathit{sign}(x,z)=\mathit{sign}(x_{1},x_{3})\sigma$ , and $r$ is depth $1$ .

We also need the required projecting rule, given the above projection-closed derivation:

•

The step, $\mathit{sign}(\mathit{blind}(x_{1},x_{2}),x_{3})\rightarrow_{R_{gemb}}^{\textit{rule 4}}\mathit{sign}(x_{1},x_{2},x_{3})$ , applied rule 4 below the rule, to remove the $blind()$ function symbol, there must be a projecting rule. There are two variable, $x_{1}$ and $x_{2}$ , under the $blind()$ symbol. However, notice that $x_{2}$ is removed in the next step. Therefore, we need only one projecting rule, $t^{\prime}\rightarrow x_{1}$ , which is the rule $\mathit{unblind}(\mathit{blind}(x,y),y)\rightarrow x$ . Following Definition 5, $t^{\prime}=\mathit{unblind}(\mathit{blind}(x,y),y)$ , $t=\mathit{blind}(x,y)$ , and $x$ only occurs once in $t^{\prime}$ .

Notice that the remaining rules of the blind signatures theory are subterm. Therefore, blind signatures is a contracting convergent TRS.

{exa}

Consider several additional convergent TRSs given in previous examples:

•

The theory of addition, introduced in Example 7, is a contracting TRS and provides a good example of the use of permutative equality in Definition 13. Consider the rule $\mathit{plus}(x,s(y))\rightarrow\mathit{plus}(s(x),y)\in R_{add}$ . Notice that $\mathit{plus}(x,s(y))\approx\mathit{plus}(s(x),y)$ and that on the left-hand side $y$ appears in the subterm $s(y)$ but does not appear in the same subterm on the right-hand side. Thus, there needs to be the rule $\mathit{pred}(s(x))\rightarrow x$ .
•

The theory of prefix with pairing from Example 7 is a contracting TRS.
•

Any subterm convergent TRS such that the right-hand side is either a strict subterm or a constant is contracting. For example, the theory of pairing with encryption, $R=\{\mathit{fst}(\left\langle x,y\right\rangle)\rightarrow x,\mathit{snd}(\left\langle x,y\right\rangle)\rightarrow y,\mathit{dec}(\mathit{enc}(x,y),y)\rightarrow x\}$ , and the theory of Example 7.

{exa}

Consider several of the previous example TRSs:

•

The theory of trap-door commitment of Definition 7 is not a contracting TRS. Notice that it is missing the required projecting rules. For example, for the rule
$td(x_{2},f(x_{1},y,z,x_{2}),z)\rightarrow td(x_{1},y,z)$ , there would need to be projecting rules for $x_{1}$ , $y$ , and $z$ . Interestingly, this theory is also not locally stable [cCDK12]. However, if we add the rules,

\mathit{fst}(f(x_{1},x_{2},x_{3},x_{4}))\rightarrow x_{1},\mathit{snd}(f(x_{1},x_{2},x_{3},x_{4}))\rightarrow x_{2},\mathit{thd}(f(x_{1},x_{2},x_{3},x_{4}))\rightarrow x_{3},

then the theory is contracting and locally stable.

•

The theory of Example 7 is not contracting. Notice that for the rule $\mathit{mal}(\mathit{enc}(x,y),z)\rightarrow\mathit{enc}(z,y)$ , the node labeled with $z$ is moved under the $\mathit{enc}$ node on the right-hand side. This violates the requirements of Definition 13, which does not allow the $R_{gemb}$ rule (3), which would be required in this case. Thus, even with additional projecting rules, it cannot be made to be contracting. This theory is also not locally stable, as shown in [cCDK12].

Remark 15.

If we consider now the TRS from the undecidability proof of Lemma 10 we can see that while the system is graph-embedded it is not contracting. The required projecting rules do not exist.

We now develop a few results and definitions we need to show the decidability of the knowledge problems for contracting, graph-embedded convergent systems.

{defi}

[Graph-Embedded Subterms] Let $R$ be a contracting TRS and $\phi=\nu\tilde{n}.\sigma$ be a frame. For a term $t\in Ran(\sigma)$ , let $st(t)$ be the set of subterms of a term $t$ . Then, the set of graph-embedded subterms of a term $t$ , denoted as $gst(t)$ , is defined as: $gst(c)=\{c\}$ , where $c$ is a name or a constant, $gst(t)=\{t^{\prime}|t\rightarrow_{R_{gemb}}^{*}t^{\prime\prime}\approx t^{\prime},\text{ and }t^{\prime}\text{ is a well formed term }\}\cup\bigcup_{t^{\prime\prime}\in st(t)}gst(t^{\prime\prime})$ . In addition, $gst(\phi)=\cup_{t\in Ran(\sigma)}gst(t)$ .

Notice that for any term $t$ , $gst(t)$ is a finite set. This is due to the fact that when recursively constructing $gst(t)$ in Definition 15, $t^{\prime}$ is equal or smaller in size to $t$ , and any term $t^{\prime\prime}\in st(t)$ must be strictly smaller than $t$ . Thus, we have the following result.

Lemma 16.

For any term $t$ and any frame $\phi$ , $gst(t)$ and $gst(\phi)$ are finite sets.

Based on the extended definition of subterms, $gst$ , we can now construct a saturation set for frames. Computing such a saturation set is the goal of many procedures that consider security notions such as deducibility. The saturation set represents the knowledge of the attacker and their ability to deduce a term from that knowledge, see [AC06] for more background. When considering this saturation procedure, recall that for any frame, $\phi=\nu\tilde{n}.\sigma$ , $\sigma$ is a ground substitution. For the following it is also useful to recall the definition of $c_{R}$ from Section 2.

{defi}

[Frame Saturation for Contracting Convergent TRSs] Let $R$ be any contracting convergent TRS and $\phi=\nu\tilde{n}.\sigma$ any $R$ -normalized frame. Define the set $sat(\phi)$ to be the smallest set such that $Ran(\sigma)\subseteq sat(\phi)$ , and $c\in sat(\phi)$ for every $c\in\mathit{fn}(\phi)$ , and closed under the following two rules:

(1)

if $M_{1},\ldots,M_{l}\in sat(\phi)$ and $f(M_{1},\ldots,M_{l})\in gst(\phi)$ , then $f(M_{1},\ldots,M_{l})\in sat(\phi)$ ,
(2)

if $M_{1},\ldots,M_{l}\in sat(\phi)$ , $C[M_{1},\ldots,M_{l}]\rightarrow_{R}^{\epsilon}M$ , where $C$ is a context, $|C|\leq c_{R}$ , $\mathit{fn}(C)\cap\tilde{n}=\emptyset$ , and $M\in gst(\phi)$ , then $M\in sat(\phi)$ .

Remark 17.

It is important to note that $sat(\phi)$ should contain the set of deducible terms from the frame. For example, it would be tempting to just place all of $gst(\phi)$ into $sat(\phi)$ immediately, but this would add non-deducible terms to the set and invalidate the results.

Also notice for Definition 16, by applying an empty context, the second rule ensures that for any $S\in sat(\phi)$ , if $S\rightarrow_{R}^{\epsilon}S^{\prime}$ and $S^{\prime}\in gst(\phi)$ , then $S^{\prime}\in sat(\phi)$ .

This set is also finite which is critical to computing the possible attackers knowledge thus having a finite set is useful for any practical procedure for deciding deducibility.

Lemma 18.

Let $R$ be any contracting convergent TRS. For any $R$ -normalized frame $\phi$ , $sat(\phi)$ is finite.

Proof 5.1.

New terms not originally contained in $\phi$ are only added to $sat(\phi)$ if they are first contained in $gst(\phi)$ . Since $gst(\phi)$ is finite by Lemma 16, $sat(\phi)$ is finite.

5.1. Closure Under Small Context

The following definition and lemmas will be useful in proving the main motivating result as they show key components of the local stability property given in Definition 2.

{defi}

[Closure Under Small Context] Let $R$ be any contracting convergent TRS and $\phi=\nu\tilde{n}.\sigma$ any $R$ -normalized frame. A finite set of ground terms, $\mathcal{S}$ , is closed under small $\phi$ -restricted context by $R$ if the following property holds: for any context $C$ with $|C|\leq c_{R}$ and $\mathit{fn}(C)\cap\tilde{n}=\emptyset$ , and any $S_{1},\ldots,S_{l}\in\mathcal{S}$ , if $C[S_{1},\ldots,S_{l}]\rightarrow_{R}^{\epsilon}M$ then there exist a context $C^{\prime}$ and $S_{1}^{\prime},\ldots,S_{k}^{\prime}\in\mathcal{S}$ such that $|C^{\prime}|\leq c_{R}^{2}$ , $\mathit{fn}(C^{\prime})\cap\tilde{n}=\emptyset$ , and $M\rightarrow_{R}^{*}C^{\prime}[S_{1}^{\prime},\ldots,S_{k}^{\prime}]$ . When $\phi$ is clear from the context, $\mathcal{S}$ is said to be closed under small context by $R$ .

Using $c_{R}^{2}$ as an upper bound is somewhat arbitrary since we need just some fixed bound. We use $c_{R}^{2}$ since it is sufficient for the results in this paper and it is the bound used in [AC06].

In the following, we show that the frame saturation for a contracting convergent TRS $R$ (cf. Definition 16) is closed under small context by $R$ .

Lemma 19.

For any contracting convergent TRS $R$ and any $R$ -normalized frame $\phi$ , let $sat(\phi)$ be the set given in Definition 16. Then, $sat(\phi)$ is closed under small context by $R$ .

Proof 5.2.

Assume $t\stackrel{{\scriptstyle\epsilon}}{{\rightarrow}}_{R}^{l\rightarrow r,\gamma}t^{\prime}$ where $t=l\gamma$ is a small context instantiated by terms in $sat(\phi)$ . By analyzing the different forms of rule $l\rightarrow r$ that occurs in a contracting TRS $R$ , we show that for any variable $x\in\mathit{Var}(l)$ , if $x\gamma$ is a strict subterm of some term in $sat(\phi)$ , then $x\gamma$ is also in $sat(\phi)$ . Thus, $x\gamma$ is a small context instantiated by terms in $sat(\phi)$ , as well as $t^{\prime}=r\gamma$ since $\mathit{Var}(r)\subseteq\mathit{Var}(l)$ .

First, if $l\rightarrow r$ is a rule such that $r$ is either a constant or a strict subterm of $l$ , then the property holds according to [AC06].

Second, consider $l\rightarrow r$ is a rule such that $depth(l)>depth(r)=1$ . Assume $r=h(x_{1},\dots,x_{n})$ and let $i$ be any integer in $\{1,\dots,n\}$ . Any $x_{i}$ occurs in $l$ either at depth at most $1$ or at some depth strictly greater than $1$ .

•

If $x_{i}$ occurs in $l$ at depth at most $1$ , then $x_{i}\gamma$ is a small context instantiated by terms in $sat(\phi)$ .
•

if $x_{i}$ occurs in $l$ at some depth strictly greater than $1$ , then $x_{i}\gamma$ is a small context instantiated by terms in $sat(\phi)$ thanks to Definition 13.

Then, $r\gamma=h(x_{1}\gamma,\dots,x_{n}\gamma)$ is a small context instantiated by terms in $sat(\phi)$ . Indeed, by construction, the context part of $r\gamma$ cannot be greater than the context part of $l\gamma$ .

Third, consider the case $l\rightarrow r$ such that $depth(l)=depth(r)=2$ . Assume $r=h(r_{1},\dots,r_{n})$ , and let $i$ be any integer in $\{1,\dots,n\}$ .

•

If $r_{i}$ is a variable occurring at depth at most $1$ in $l$ , then $r_{i}\gamma$ is a small context instantiated by terms in $sat(\phi)$ .
•

If $r_{i}$ is a variable occurring at depth $2$ in $l$ , then $r_{i}\gamma$ is a small context instantiated by terms in $sat(\phi)$ thanks to Definition 13.
•

If $r_{i}$ is a non-variable term occurring as a direct subterm $l_{j}$ of $l$ for some $j\in[1,n]$ , then $r_{i}\gamma=l_{j}\gamma$ is a small context instantiated by terms in $sat(\phi)$ .
•

If $r_{i}$ is a non-variable term $f(\bar{x})$ not occurring as a direct subterm of $l$ , then there are two cases for any variable $x\in\bar{x}$ : if $x$ occurs at depth at most $1$ in $l$ , then $x\gamma$ is a small context instantiated by terms in $sat(\phi)$ ; otherwise $x$ also occurs at depth $2$ in $l$ and $x\gamma$ is a small context instantiated by terms in $sat(\phi)$ thanks to Definition 13.

Then, $r\gamma=h(r_{1}\gamma,\dots,r_{n}\gamma)$ is a small context instantiated by terms in $sat(\phi)$ . Indeed, by definition of $l\rightarrow r$ where $r$ is obtained from $l$ via root and leaf permutations, the context part of $r\gamma$ cannot be greater than the context part of $l\gamma$ .

5.2. Local Stability

We can now show that any contracting convergent TRS has the local stability property introduced in Definition 2. For the frame saturation given in Definition 16, it suffices to check that all the items defining local stability (cf Definition 2) are satisfied. For any contracting convergent TRS, Lemma 19 establishes all but the last item of Definition 2, and this item has already been shown in [AC06]. {lemC}[[AC06]] For any locally stable TRS $R$ , any $R$ -normalized frame $\phi$ and any ground term $M$ , if $M\in sat(\phi)$ then $\phi\vdash M$ . This result is proven in [AC06] where the authors also consider the more complicated case of systems with $AC$ -symbols.

Theorem 20.

Any contracting convergent TRS is locally stable.

Proof 5.3.

The first two conditions follow from Definition 16 where $sat(\phi)$ is given in the particular case of a contracting convergent TRS. Then, the third condition follows from Lemma 19. The final condition follows from Lemma 5.2.

Directly from Theorem 20 and Theorem 2, we obtain the following corollary.

Corollary 21.

The deduction and static equivalence problems are both decidable for the class of contracting convergent TRSs.

The deduction and static equivalence problems are thus decidable for any TRS from Example 5.

6. Relation to Existing Notions and Properties

In this section we consider an additional knowledge problem, the cap problem [ANR07a], the relation of contracting TRS to the finite variant property [CD05], and the relation to the layered convergent property [BCD13].

6.1. The Cap Problem

The cap problem [ANR07a, ANR07b] is another knowledge problem introduced to model an intruder’s ability to obtain access to something that was intended to be secret. We show that the cap problem can be considered as a particular deduction problem.

{defi}

[Cap Problem] Let $\Sigma$ be a signature containing a constant, $m$ , called the secret. A subset $\Sigma_{ir}\subseteq\Sigma\setminus\{m\}$ of publicly known symbols from the signature $\Sigma$ is called the intruder repertoire. Symbols not in the intruder repertoire are called private. The intruder repertoire is said to be complete if $\Sigma_{ir}=\Sigma\setminus\{m\}$ . A cap term is a linear term built over $\Sigma_{ir}$ . Given a set $S$ of ground terms built over $\Sigma$ such that at least one of the terms contains $m$ , and a convergent TRS, $R$ , over $\Sigma\setminus\{m\}$ , the cap problem asks if there exist a cap term $t$ with $\mathit{Var}(t)=\{x_{1},\dots,x_{n}\}$ and ground terms $s_{1},\dots,s_{n}\in S$ such that $t\{x_{1}\mapsto s_{1},\dots,x_{n}\mapsto s_{n}\}\downarrow_{R}=m$ .

As shown below, the cap problem can be easily related to the deduction problem, provided that the intruder repertoire is complete.

Lemma 22.

If the intruder deduction problem is decidable for a convergent TRS $R$ , then the cap problem with a complete intruder repertoire is also decidable for $R$ .

Proof 6.1.

Consider the frame $\phi=\nu\{m\}.\sigma$ where $m$ is the constant denoting the secret and $\sigma=\{x_{1}\mapsto s_{1},~\ldots,~x_{n}\mapsto s_{n}\}$ where $S=\{s_{1},\dots,s_{n}\}$ is the set of ground terms given by the cap problem. Then, following the respective definitions, there exists a recipe $\zeta$ such that $\zeta\sigma\downarrow_{R}=m$ iff there exists a cap term for the cap problem.

Applying Theorem 20 together with the above lemma, we obtain the following.

Corollary 23.

The cap problem with a complete intruder repertoire is decidable for any contracting convergent TRS.

Remark 24.

As illustrated above one of the differences between the cap problem and deduction is that the cap problem allows for a restricted signature over which the intruder must work. The deduction problem assumes that essentially the entire signature, minus some restricted names, is public. However, it should be possible to extend the definition of deduction to allow for a restricted intruder repertoire. This new definition would then encapsulate the current deduction definition and the cap problem. Indeed, although this would need to be shown, it seems like the current deduction procedures could work for this new definition by restricting their saturation procedures to building terms only over the intruder repertoire.

6.2. Relation to the Finite Variant Property

The Finite Variant Property (FVP) is a useful property which is utilized in a number of applications, including protocol analysis. The FVP was introduced in [CD05] (see also [BGLN13, ESM12] for additional examples in using the FVP). It has been shown [CD05] that a TRS has the FVP iff it has the following boundedness property.

{defi}

[Boundedness Property] A convergent TRS, $R$ , has the boundedness property if $\forall t\exists n\forall\sigma~:~t(\sigma{\downarrow})\rightarrow_{R}^{\leq n}(t\sigma){\downarrow}$ . That is, for any term $t$ there exists a bound, $n$ , on the number of step required to reach the normal form, and this bound is independent of the substitution.

One could naturally ask if the graph-embedded or contracting definitions just lead to systems with the FVP. This is not the case but some of the contracting systems listed in Example 5, such as blind signatures, do have the FVP as shown below. This is not surprising, given that the FVP can be useful for proving properties like termination. Another interesting question could be: are there meaningful examples from the protocol analysis literature for which deduction and static equivalence are decidable, do not have the FVP, but are representable by contracting convergent TRSs? Here we answer this question positively.

{exa}

Consider again the theory of Addition, $R_{add}$ , from Example 7. $R_{add}$ is a contracting convergent TRS, is locally stable, and contains no $AC$ -symbols, thus deduction and static equivalence are decidable. However, $R_{add}$ does not have the FVP, we can see this by considering the rule $\mathit{plus}(x,s(y))\rightarrow\mathit{plus}(s(x),y)$ and the boundedness property. Notice that for any finite bound $n$ one can select a normal form substitution, $\sigma$ , such that $\mathit{plus}(x,s(y))\sigma\overset{>n}{\rightarrow_{R_{add}}}(\mathit{plus}(x,s(y))\sigma){\downarrow}$ . Namely, $\sigma=\{y\mapsto s^{n+1}(z)\}$ . Since $R_{add}$ does not have the boundedness property it can’t have the FVP [CD05]. Yet, $R_{add}$ is a contracting convergent TRS. Notice that the second and third rules are already subterm. The first rule is obtained by applying Definition 3. Therefore, $R_{add}$ satisfies Corollary 21.

As a positive result, there is an easy way to get a strictly contracting TRS with the FVP:

Lemma 25.

Assume $R$ is any strictly contracting convergent TRS such that for any rule $l\rightarrow r$ in $R$ , $r$ is either a variable or a non-variable term rooted by a constructor symbol. Then, $R$ has the FVP.

Proof 6.2.

Consider any rule $l\rightarrow r$ in $R$ . By assumption, $R$ is strictly contracting, and so $r$ is of depth at most $1$ . If $r$ is variable, there is no way to overlap at a non-variable position in $r$ with the left-hand side of any rule in $R$ . Assume now $r$ is of depth $1$ . If there is a non-variable overlap in $r$ with the left-hand side of any rule in $R$ , this overlap can only occur at the root position of $r$ . Since the function symbol at the root position of $r$ is necessarily a constructor symbol, it cannot occur at the root-position of any left-hand side of $R$ . Since there is no non-variable overlap in $r$ with the left-hand side of any rule in $R$ , this is simple way for $R$ to satisfy the property of being forward-closed as defined in [BGLN13]. Then, relying on the fact that a TRS has the FVP iff it has a finite forward closure [BGLN13], we can conclude that $R$ has the FVP.

{exa}

For the theory of blind signatures and the theory of prefix with pairing (Example 5), the corresponding TRSs satisfy the assumption of Lemma 25. Consequently, these two strictly contracting convergent TRSs have the FVP.

For the theory of trap-door commitment, the strictly contracting convergent TRS obtained by considering additional rules (see Example 5) does not satisfy the assumption of Lemma 25.

6.3. Relation to the Layered Convergent Property

The layered convergent property is yet another useful property for TRS modeling security protocols because it can be used to ensure that the YAPA [BCD13] tool for protocol analysis doesn’t fail. YAPA is a tool for computing intruder knowledge in the formal analysis of security protocols and it is able to work with a large number of protocol specifications. While YAPA allows us to consider private symbols in addition to public ones, we assume here that all the function symbols are publicly known. In this classical setting, the tool is not guaranteed to terminate or return successfully, it could return a “don’t know” answer. However, it is shown in [BCD13] that the “layered convergent” property for a given TRS, with some additional conditions, can be used to show termination. This property is defined using a particular term decomposition to express any left-hand side of the TRS.

{defi}

[Term Decomposition] Let $n,~p$ , and $q$ be non-negative integers. A $(n,p,q)$ -decomposition of a term $l$ is a context $C$ with $n+p+q$ context holes and $l=C[l_{1},\ldots,l_{n},~y_{1},\ldots,y_{p},~z_{1},\ldots,z_{q}]$ where:

•

$l_{1},\ldots,l_{n}$ are mutually distinct non-variable terms,
•

$y_{1},\ldots,y_{p}$ and $z_{1},\ldots,z_{n}$ are mutually distinct variables, and
•

$y_{1},\ldots,y_{p}\in Var(l_{1},\ldots,l_{n})$ but $z_{1},\ldots,z_{n}\not\in Var(l_{1},\ldots,l_{n})$ .

{defi}

[Layered TRS] A TRS, $R$ , is layered if there exists an ascending chain of sub sets $\emptyset=R_{0}\subseteq R_{1}\subseteq\dots R_{n+1}=R\>(n\geq 0)$ s.t. for every rule $l\rightarrow r\in R_{i+1}\backslash R_{i}$ and every $(n,p,q)$ -decomposition $l=D[l_{1},\ldots,l_{m},~y_{1},\ldots,y_{p},~z_{1},\ldots,z_{q}]$ one of the following holds:

(1)

$\mathit{Var}(r)\subseteq\mathit{Var}(l_{1},\ldots,l_{m})$ .
(2)

There exist $C_{0},C_{1},\ldots C_{k}$ and $s_{1},\ldots s_{k}$ such that $r=C_{0}[s_{1},\ldots,s_{k}]$ and for any $j=1,\dots,k$ , we have $C_{j}[l_{1},\ldots,l_{m},~y_{1},\ldots,y_{p},~z_{1},\ldots,z_{q}]\stackrel{{\scriptstyle\epsilon}}{{\rightarrow}}_{R_{i}}^{0,1}s_{j}$ .

Remark 26.

What is interesting here is that both the contracting definition (Definition 13) and the layered definition (Definition 6.3) point to the ability of accessing subterms as a key component to ensuring that the knowledge problems are decidable. Indeed, there is a relation between the two definitions, as shown in the next result.

Theorem 27.

Any contracting TRS is layered.

Proof 6.3.

Let $R$ be a contracting TRS and $R_{1}=\{l\rightarrow r\in R~|~r\text{ is a subterm of }l\text{ or a constant}\}$ . It has already been shown in [BCD13] that any subterm convergent TRS is layered. Thus, if $R_{1}=R$ we are done. Otherwise, let $R_{2}=R$ and any rule $l\rightarrow r\in R_{2}\backslash R_{1}$ must be contracting but not subterm. Let $l\rightarrow r\in R_{2}\backslash R_{1}$ and consider any arbitrary $(n,p,q)$ -decomposition
$l=D[l_{1},\ldots,l_{m},~y_{1},\ldots,y_{p},~z_{1},\ldots,z_{q}]$ . If $r\in\{l_{1},\ldots,l_{m}\}\cup\{y_{1},\ldots,y_{p}\}\cup\{z_{1},\ldots,z_{q}\}$ , then we are done. Thus, assume that $r\neq l_{i}$ , for any $1\leq i\leq m$ and also $r\not\in\{y_{1},\ldots,y_{p}\}\cup\{z_{1},\ldots,z_{q}\}$ . Let $r=C_{0}[s_{1},\ldots,s_{k}]$ , we show how to construct $C_{0}$ and how to obtain each $s_{i}$ , $1\leq i\leq k$ , from the decomposition. There are two cases based on $depth(r)$ :

•

Assume $depth(r)=1$ . Then, each $s_{i}$ is a variable. If $s_{i}\in\{y_{1},\ldots,y_{p}\}\cup\{z_{1},\ldots,z_{q}\}$ for all $1\leq i\leq k$ , then by definition we are done. Thus, assume there exists at least one $s_{i}\not\in\{y_{1},\ldots,y_{p}\}\cup\{z_{1},\ldots,z_{q}\}$ , which implies that $s_{i}\in Var(l_{j})$ for some $l_{j}$ , $1\leq j\leq m$ , in $l$ , but $s_{i}$ is not a subterm of $l_{i}$ in $r$ . thus, by Definition 13 there is a rule $t^{\prime}\rightarrow s_{i}\in R_{1}$ such that $t^{\prime}=C_{i}[l_{j}]$ .
•

Assume $depth(r)=2$ . Here again we can assume that each $s_{i}$ are variables. This is due to the fact that non-variable portions of the term can be placed in the context $C_{0}$ . If $s_{i}$ is contained in $\{y_{1},\ldots,y_{p}\}\cup\{z_{1},\ldots,z_{q}\}$ , then by definition we are done. Otherwise, $s_{i}\in Var(l_{i})$ , for some $1\leq i\leq m$ , in $l$ , but $s_{i}$ is no longer a subterm of $l_{i}$ in $r$ . Thus, by Definition 13 there is a rule in $R_{1}$ of the form $C_{i}[l_{i}]\rightarrow s_{i}$ .

Remark 28.

Notice that the above proof outlines a natural and simple layered system for any contracting TRS $R$ . Let $R_{0}=\emptyset$ , $R_{1}=\{l\rightarrow r\in R~|~r\text{ is a subterm of }l\}$ , and $R_{2}=R\setminus R_{1}$ . Then $R_{0}\cup R_{1}\cup R_{2}=R$ and any rule needed to deduce variables for decompositions of $R_{2}$ rules will be subterm and thus contained in $R_{1}$ . Note that there are TRSs which are layered for $n=1$ but not contracting.

Theorem 27 implies that for contracting convergent TRS, the YAPA procedure won’t fail, i.e., return a “don’t know” answer. However, this result doesn’t prove termination. However, we conjecture that the YAPA procedure does terminate for contracting convergent TRS.

7. Contracting Convergent Systems in Unions of Theories

In this section, we investigate the knowledge problems in unions of theories including at least a contracting convergent TRS. We mainly focus on constructor-sharing unions of theories, where it is possible to reuse existing modularity results and combination methods [EMR17]. Let us first consider the class of strictly contracting convergent TRSs. As shown below, this class is closed by constructor-sharing union:

Theorem 29.

If $R_{1}$ and $R_{2}$ are two strictly contracting convergent TRSs such that the function symbols shared by $R_{1}$ and $R_{2}$ are constructors for both $R_{1}$ and $R_{2}$ , then $R_{1}\cup R_{2}$ is strictly contracting convergent.

Proof 7.1.

First, note that a strictly contracting TRS is terminating. By definition, if $R_{1}$ and $R_{2}$ are strictly contracting, then so is $R_{1}\cup R_{2}$ . Thus, $R_{1}\cup R_{2}$ is terminating. By assumption $R_{1}$ and $R_{2}$ are confluent, and so also locally confluent. The local confluence is a modular property for constructing-sharing TRSs [Mid90]. Thus, $R_{1}\cup R_{2}$ is locally confluent. Then, $R_{1}\cup R_{2}$ is confluent since $R_{1}\cup R_{2}$ is terminating. Consequently, $R_{1}\cup R_{2}$ is both confluent and terminating, equivalently, it is convergent.

The combination framework developed in [EMR17] for the knowledge problems in unions of constructor-sharing theories can be applied to contracting convergent TRSs that are not necessarily strictly contracting:

Theorem 30.

If $R_{1}$ and $R_{2}$ are two contracting convergent TRSs such that the function symbols shared by $R_{1}$ and $R_{2}$ are constructors for both $R_{1}$ and $R_{2}$ , then both deduction and static equivalence are decidable in $R_{1}\cup R_{2}$ .

Proof 7.2.

Directly from [EMR17] where it is shown that, for constructor sharing theories, the knowledge problems are decidable for $R_{1}\cup R_{2}$ if they are decidable for $R_{1}$ and $R_{2}$ . Section 5.2 establishes the decidability of the knowledge problems for contracting convergent TRSs.

We now study the case of unions of theories defined as a contracting convergent TRS $R$ plus an equational theory $E$ that cannot be oriented as a convergent TRS. Typical examples for $E$ are provided by permutative theories. Fortunately, deduction is decidable in the class of permutative theories.

Theorem 31.

Deduction is decidable in any permutative theory.

Proof 7.3.

Consider the problem of checking whether a term $t$ is deduced from $\phi=\nu\tilde{n}.\sigma$ modulo any permutative theory $E$ . For any term $s$ such that $|s|>|t|$ , we have $s\sigma\neq_{E}t$ : otherwise, we would have $|s\sigma|\geq|s|>|t|$ and $s\sigma=_{E}t$ implies $|s\sigma|=|t|$ . Thus, only finitely many terms $s$ (up to a renaming) have to be considered in order to check whether $t$ is deduced from $\phi$ modulo $E$ .

When an equational theory $E$ is defined by a finite set of permutative axioms built using function symbols that do not occur as the root positions, these symbols can be viewed as constructors for $E$ . It has been shown in [EMR17] that a permutative theory can be successfully combined with a theory given by a convergent TRS, provided that the shared symbols are constructors for both theories. Thus, directly from [EMR17] we obtain:

Theorem 32.

Let $R$ be any contracting convergent TRS and $E$ any permutative presentation such that any function symbol $f$ shared by $R$ and $E$ is a constructor for $R$ and, for any axiom $l=r$ in $E$ , $f$ does not occur neither as a root symbol of $l$ nor as a root symbol of $r$ . Then, deduction is decidable in $R\cup E$ .

{exa}

[Intruder Theory with a Permutative Axiom] Let us consider a theory used in practice to model a group messaging protocol [CCG⁺18]. For this protocol, the theory modeling the intruder can be defined [Ngu19] as a combination $R\cup K$ where

K=\{\mathit{keyexch}(x,\mathit{pk}(x^{\prime}),y,\mathit{pk}(y^{\prime}))=\mathit{keyexch}(x^{\prime},\mathit{pk}(x),y^{\prime},\mathit{pk}(y))\}

and

R=\left\{\begin{array}[]{ll}\begin{array}[]{lcl}\mathit{adec}(\mathit{aenc}(m,\mathit{pk}(sk)),sk)&\rightarrow&m\\ \mathit{checksign}(\mathit{sign}(m,sk),m,\mathit{pk}(sk))&\rightarrow&ok\end{array}&\begin{array}[]{lcl}\mathit{getmsg}(\mathit{sign}(m,sk))&\rightarrow&m\\ \mathit{sdec}(\mathit{senc}(m,k),k)&\rightarrow&m\end{array}\end{array}\right\}.

$R$ is a subterm convergent TRS and $K$ is a variable-permuting theory sharing with $R$ the constructor symbol $\mathit{pk}$ . Theorem 32 applies to $R\cup K$ , leading to a combined decision procedure for deduction in $R\cup K$ .

Deduction is decidable in permutative theories, as stated in Theorem 31. However, the static equivalence problem is undecidable in general for permutative theories or even leaf permutative theories, as show recently in [EMNR24]. However, we conjecture there are useful subclasses of permutative theories, including the theory $K$ introduced in Example 32, for which static equivalence is decidable and thus for which a static equivalence form of Theorem 32 could be developed. We plan to investigate this in a future work.

8. Conclusions and Future Work

In this paper, we have explored the idea of graph-embedded term rewrite systems and shown their applicability in protocol analysis for identifying protocols with the local stability property. This in turn allows for the identification of protocols with decidable deduction and static-equivalence problems. We have also compared and contrasted this new definition to several other concept, including the FVP, the cap problem, and Layered TRS. Finally, we have developed several combination results for these TRS. In the first version of this paper [SEMR23] we had identified several problems and areas for further research. Some of those problems have now been answered in this paper, in particular:

•

We had conjectured in [SEMR23] that the cap problem should be decidable for contracting systems and have show this to be the case, see Section 6.1. However, one has to be careful how the signature is defined, and we currently require it to be completely public (except for some constants).
•

We asked in [SEMR23] about the relation between the graph-embedded systems and the layered systems. This has now been developed in Section 6.3.

We have also made a number of improvements over the presentation in [SEMR23]:

•

We have improved and simplified the definition of contracting convergent TRS.
•

We have improved the proof of the undecidability of the knowledge problems for graph-embedded TRS.

While we have answer some problems from [SEMR23], additional problems still remain to be investigated. For example, While the knowledge problems are undecidable for graph-embedded convergent systems in general and they are decidable for contracting, there is a gap between the two classes of systems. That is, how much can the contracting subclass be extended before the undecidable barrier is encountered? With respect to graph theory ideas, we are also interested in knowing if additional graph theory ideas could be useful in symbolic security protocol analysis. For example, not absolutely all theories considered in [AC06, CCcCK16, cCDK12, DDKS17] are graph-embedded. It would be interesting to know if such systems could be considered via graph minor concepts. Just as in [SEMR23], we remain interested in seeing how ideas from graph theory, translated into the TRS setting, are useful for question not only in protocol analysis but also in other rewriting domains. We had also asked about termination and if the new definition could be useful in developing termination results for procedures such as [AC06, CCcCK16, cCDK12, DDKS17]. It remains to investigate termination in these procedures.

Finally, in addition to answering some of the open problems of [SEMR23], we have developed a number of new results not asked about in [SEMR23]. This includes identifying a subclass of graph-embedded systems that guarantee the FVP, see Section 6, and developing new combination results, see Section 7. In particular, we have investigated the union of contracting convergent systems with some permutative theories. As a future work, we plan to study how undecidability proofs known for unification in permutative theories could be adapted to static equivalence.

References

[AC06] Martín Abadi and Véronique Cortier. Deciding knowledge in security protocols under equational theories. Theor. Comput. Sci., 367(1-2):2–32, 2006.
[AF01] Martín Abadi and Cédric Fournet. Mobile values, new names, and secure communication. In Chris Hankin and Dave Schmidt, editors, Conference Record of POPL 2001: The 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, London, UK, January 17-19, 2001, pages 104–115. ACM, 2001.
[AFN17] Mauricio Ayala-Rincón, Maribel Fernández, and Daniele Nantes-Sobrinho. Intruder deduction problem for locally stable theories with normal forms and inverses. Theor. Comput. Sci., 672:64–100, 2017.
[ALL⁺12] Siva Anantharaman, Hai Lin, Christopher Lynch, Paliath Narendran, and Michaël Rusinowitch. Unification modulo homomorphic encryption. J. Autom. Reason., 48(2):135–158, 2012.
[ANR07a] Siva Anantharaman, Paliath Narendran, and Michaël Rusinowitch. Intruders with caps. In Franz Baader, editor, Term Rewriting and Applications, 18th International Conference, RTA 2007, Paris, France, June 26-28, 2007, Proceedings, volume 4533 of Lecture Notes in Computer Science, pages 20–35. Springer, 2007.
[ANR07b] Siva Anantharaman, Paliath Narendran, and Michael Rusinowitch. Intruders with caps. Research report, Laboratoire d’Informatique Fondamentale d’Orléans, 2007. URL: https://hal.science/hal-00144178.
[BCD13] Mathieu Baudet, Véronique Cortier, and Stéphanie Delaune. YAPA: A generic tool for computing intruder knowledge. ACM Trans. Comput. Log., 14(1):4, 2013.
[BGLN13] Christopher Bouchard, Kimberly A. Gero, Christopher Lynch, and Paliath Narendran. On forward closure and the finite variant property. In Pascal Fontaine, Christophe Ringeissen, and Renate A. Schmidt, editors, Frontiers of Combining Systems - 9th International Symposium, FroCoS 2013, Nancy, France, September 18-20, 2013. Proceedings, volume 8152 of Lecture Notes in Computer Science, pages 327–342. Springer, 2013.
[Bla04] Bruno Blanchet. Automatic proof of strong secrecy for security protocols. In 2004 IEEE Symposium on Security and Privacy (S&P 2004), 9-12 May 2004, Berkeley, CA, USA, pages 86–100. IEEE Computer Society, 2004.
[BN98] Franz Baader and Tobias Nipkow. Term rewriting and all that. Cambridge University Press, 1998.
[BS01] Franz Baader and Wayne Snyder. Unification theory. In John Alan Robinson and Andrei Voronkov, editors, Handbook of Automated Reasoning, pages 445–532. Elsevier and MIT Press, 2001.
[CCcCK16] Rohit Chadha, Vincent Cheval, Ştefan Ciobâcă, and Steve Kremer. Automated verification of equivalence properties of cryptographic protocols. ACM Trans. Comput. Log., 17(4):23:1–23:32, 2016.
[cCDK12] Ştefan Ciobâcă, Stéphanie Delaune, and Steve Kremer. Computing knowledge in security protocols under convergent equational theories. J. Autom. Reasoning, 48(2):219–262, 2012.
[CCG⁺18] Katriel Cohn-Gordon, Cas Cremers, Luke Garratt, Jon Millican, and Kevin Milner. On ends-to-ends encryption: Asynchronous group messaging with strong security guarantees. In David Lie, Mohammad Mannan, Michael Backes, and XiaoFeng Wang, editors, Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018, pages 1802–1819. ACM, 2018.
[CD05] Hubert Comon-Lundh and Stéphanie Delaune. The finite variant property: How to get rid of some algebraic properties. In Jürgen Giesl, editor, Term Rewriting and Applications, 16th International Conference, RTA 2005, Nara, Japan, April 19-21, 2005, Proceedings, volume 3467 of Lecture Notes in Computer Science, pages 294–307. Springer, 2005.
[CDL06] Véronique Cortier, Stéphanie Delaune, and Pascal Lafourcade. A survey of algebraic properties used in cryptographic protocols. J. Comput. Secur., 14(1):1–43, 2006.
[DDKS17] Jannik Dreier, Charles Duménil, Steve Kremer, and Ralf Sasse. Beyond subterm-convergent equational theories in automated verification of stateful protocols. In Matteo Maffei and Mark Ryan, editors, Principles of Security and Trust - 6th International Conference, POST 2017, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017, Proceedings, volume 10204 of Lecture Notes in Computer Science, pages 117–140. Springer, 2017.
[Die06] Reinhard Diestel. Graph Theory, volume 173 of Graduate Texts in Mathematics. Springer, third edition, 2006.
[EMNR24] Serdar Erbatur, Andrew M. Marshall, Paliath Narendran, and Christophe Ringeissen. Deciding knowledge problems modulo classes of permutative theories. In Juliana Bowles and Harald Søndergaard, editors, Logic-Based Program Synthesis and Transformation, pages 47–63, Cham, 2024. Springer Nature Switzerland.
[EMR17] Serdar Erbatur, Andrew M. Marshall, and Christophe Ringeissen. Notions of knowledge in combinations of theories sharing constructors. In Leonardo de Moura, editor, Automated Deduction - CADE 26 - 26th International Conference on Automated Deduction, Gothenburg, Sweden, Proceedings, volume 10395 of LNCS, pages 60–76. Springer, 2017.
[ESM12] Santiago Escobar, Ralf Sasse, and José Meseguer. Folding variant narrowing and optimal variant termination. J. Log. Algebr. Program., 81(7-8):898–928, 2012.
[Mid90] Aart Middeldorp. Modular Properties of Term Rewriting Systems. PhD thesis, Vrije Universiteit, Amsterdam, 1990.
[Ngu19] Ky Nguyen. Formal verification of a messaging protocol. Internship report, 2019. Work done under the supervision of Vincent Cheval and Véronique Cortier.
[SEMR23] Saraid Dwyer Satterfield, Serdar Erbatur, Andrew M. Marshall, and Christophe Ringeissen. Knowledge problems in security protocols: Going beyond subterm convergent theories. In Marco Gaboardi and Femke van Raamsdonk, editors, 8th International Conference on Formal Structures for Computation and Deduction, FSCD 2023, July 3-6, 2023, Rome, Italy, volume 260 of LIPIcs, pages 30:1–30:19. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2023. URL: https://doi.org/10.4230/LIPIcs.FSCD.2023.30, doi:10.4230/LIPICS.FSCD.2023.30.

Knowledge Problems in Protocol Analysis: Extending the Notion of Subterm Convergent

Abstract.

Key words and phrases:

1. Introduction

Paper Outline.

2. Preliminaries

Equational Theories

Rewrite Relations

Remark 1.

Notions of Knowledge

Remark 2.

Term Graphs

Some Graph Theory

Remark 3.

3. Graph-Embedded Systems

Remark 4.

Remark 5.

Remark 6.

Lemma 7.

3.1. Some Properties of Graph-Embedded Systems

Lemma 8.

Proof 3.1.

Remark 9.

Comparing Definitions

4. Undecidable Knowledge Problems

Lemma 10.

Proof 4.1.

Corollary 11.

Remark 12.

5. Decidable Knowledge Problems

Remark 13.

Remark 14.

Remark 15.

Lemma 16.

Remark 17.

Lemma 18.

Proof 5.1.

5.1. Closure Under Small Context

Lemma 19.

Proof 5.2.

5.2. Local Stability

Theorem 20.

Proof 5.3.

Corollary 21.

6. Relation to Existing Notions and Properties

6.1. The Cap Problem

Lemma 22.

Proof 6.1.

Corollary 23.

Remark 24.

6.2. Relation to the Finite Variant Property

Lemma 25.

Proof 6.2.

6.3. Relation to the Layered Convergent Property

Remark 26.

Theorem 27.

Proof 6.3.

Remark 28.

7. Contracting Convergent Systems in Unions of Theories

Theorem 29.

Proof 7.1.

Theorem 30.

Proof 7.2.

Theorem 31.

Proof 7.3.

Theorem 32.

8. Conclusions and Future Work

References

Knowledge Problems in Protocol Analysis:
Extending the Notion of Subterm Convergent