Solving the insecurity problem for assertions

R Ramanujam
The Institute of Mathematical Sciences, Chennai (Retd.)
Homi Bhabha National Institute, Mumbai (Retd.)
Azim Premji University, Bengaluru (Visiting)
Bengaluru, India
Email: jam@imsc.res.in

Vaishnavi Sundararajan
Dept of Computer Science & Engineering
Indian Institute of Technology Delhi
New Delhi, India
Email: vaishnavi@cse.iitd.ac.in

S P Suresh
Chennai Mathematical Institute
CNRS UMI 2000 ReLaX
Chennai, India
Email: spsuresh@cmi.ac.in
Partially supported by a grant from the Infosys Foundation.

Abstract

In the symbolic verification of cryptographic protocols, a central problem is deciding whether a protocol admits an execution which leaks a designated secret to the malicious intruder. In [38], it is shown that, when considering finitely many sessions, this “insecurity problem” is NP-complete. Central to their proof strategy is the observation that any execution of a protocol can be simulated by one where the intruder only communicates terms of bounded size. However, when we consider models where, in addition to terms, one can also communicate logical statements about terms, the analysis of the insecurity problem becomes tricky when both these inference systems are considered together. In this paper we consider the insecurity problem for protocols with logical statements that include equality on terms and existential quantification. Witnesses for existential quantifiers may be unbounded, and obtaining small witness terms while maintaining equality proofs complicates the analysis considerably. We extend techniques from [38] to show that this problem is also in NP.

1 Introduction

1.1 Symbolic analysis of cryptographic protocols

Symbolic analysis of security protocols is a long-standing field of study, with the Dolev-Yao model [22] being the standard. In this model, cryptographic operations are abstracted as operators in a term algebra, and the ability to build new messages from old ones is specified by rewrite rules or a proof system. The model includes an intruder who controls the network, and can see, block, inject, redirect, as well as derive terms, but cannot break cryptography. Informally, protocols are specified as a finite sequence of communications between principals/agents. We now illustrate this model using an example.

Example 1.

Alice sends to Bob her public key as well as a randomly-chosen value encrypted in Bob’s public key. Bob receives it, decrypts it using his private key, encrypts it in Alice’s public key, and sends it back to her. We split each communication into a send and a receive. We formalize the protocol as two roles: an initiator role ${{\sf init}}(A,B)$ (left column) and a responder role ${{\sf resp}}(B)$ (right column). We use $!C$ and $?C$ to denote a send and a receive respectively by an agent $C\in\{A,B\}$ . $k_{A}$ and $k_{B}$ stand for the private keys of $A$ and $B$ respectively, $\mathit{pk}(k)$ stands for the public key corresponding to a key $k$ , and $\{t\}_{k}$ stands for the encryption of a message $t$ using a key $k$ .

	$\displaystyle A$	$\displaystyle:\text{Generate fresh}\ m$		
	$\displaystyle!A$	$\displaystyle:(\mathit{pk}(k_{A}),\{m\}_{\mathit{pk}(k_{B})})$	$\displaystyle?B$	$\displaystyle:(x,\{y\}_{\mathit{pk}(k_{B})})$
	$\displaystyle?A$	$\displaystyle:\{m\}_{\mathit{pk}(k_{A})}$	$\displaystyle!B$	$\displaystyle:\{y\}_{x}$

The protocol itself can be thought of as a program running potentially unboundedly-many copies (sessions) of ${{\sf init}}$ and ${{\sf resp}}$ in parallel. Each copy instantiates parameters $A$ and $B$ with agent names, while $x$ and $y$ denote parts of messages received while participating in a session, and will be instantiated accordingly. An execution (run) of a protocol is an interleaving of a finite set of sessions, such that every sent message can be generated by the sender (based on their current knowledge), and received messages by the intruder $I$ (since every received message comes from the channel, and could have been potentially tampered with by the intruder).

Is there any execution of this protocol at the end of which the intruder can derive $m$ ? This property is called confidentiality. In fact, the intruder can effect the following man-in-the-middle attack, at the end of which $A$ thinks $m$ is secret between her and $B$ , while $B$ thinks $m$ is secret between him and $I$ . $B$ receives a message where $x$ can be matched with $\mathit{pk}(k_{I})$ and $y$ with $m$ , and thus sends out $\{m\}_{\mathit{pk}(k_{I})}$ .

	$\displaystyle!A$	$\displaystyle:(\mathit{pk}(k_{A}),\{m\}_{\mathit{pk}(k_{B})})$
	$\displaystyle?B$	$\displaystyle:(\mathit{pk}(k_{I}),\{m\}_{\mathit{pk}(k_{B})})$
	$\displaystyle!B$	$\displaystyle:\{m\}_{\mathit{pk}(k_{I})}$
	$\displaystyle?A$	$\displaystyle:\{m\}_{\mathit{pk}(k_{A})}$
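
The attack trace above can be replayed symbolically. The following Python sketch is only an illustration and is not part of the formal model: the tuple encoding of terms and the helper names `match` and `instantiate` are assumptions made for this example, and the responder's ability to decrypt with $k_{B}$ is taken for granted rather than modelled.

```python
# Terms are nested tuples: ("pair", t, u), ("aenc", t, key), ("pk", k).
# Names are plain strings and variables are ("var", name). (Assumed encoding.)

def match(pattern, term, subst):
    """Extend subst so that the instantiated pattern equals term, or return None."""
    if isinstance(pattern, tuple) and pattern[0] == "var":
        bound = subst.get(pattern[1])
        if bound is None:
            return {**subst, pattern[1]: term}
        return subst if bound == term else None
    if isinstance(pattern, str) or isinstance(term, str):
        return subst if pattern == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst


def instantiate(term, subst):
    """Apply a substitution to a term."""
    if isinstance(term, tuple) and term[0] == "var":
        return subst.get(term[1], term)
    if isinstance(term, str):
        return term
    return (term[0],) + tuple(instantiate(t, subst) for t in term[1:])


def pk(k):
    return ("pk", k)


def aenc(t, key):
    return ("aenc", t, key)


def pair(t, u):
    return ("pair", t, u)


# !A : (pk(kA), {m}_pk(kB))
sent_by_a = pair(pk("kA"), aenc("m", pk("kB")))
# The intruder replaces A's public key with its own before delivery.
tampered = pair(pk("kI"), sent_by_a[2])

# The responder role: ?B : (x, {y}_pk(kB)) followed by !B : {y}_x.
# B holds kB, so he can open the second component; the matcher assumes this.
resp_receive = pair(("var", "x"), aenc(("var", "y"), pk("kB")))
resp_send = aenc(("var", "y"), ("var", "x"))

sigma = match(resp_receive, tampered, {})
reply = instantiate(resp_send, sigma)

# The intruder holds kI, so it can decrypt anything encrypted under pk(kI).
leaked = reply[1] if reply[0] == "aenc" and reply[2] == pk("kI") else None
```

Here `sigma` plays the role of the substitution for $x$ and $y$ in the run, and `leaked` is the term the intruder learns once $B$ replies.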

1.2 Communicating “assertions”

The Dolev-Yao model and its extensions have been studied extensively over the last forty years. People have studied extensions that express richer classes of protocols and security properties [1, 10, 7, 17], and associated decidability and complexity results [12, 8, 16, 15, 30, 18, 36, 37, 23, 9, 14, 2, 20]. Various verification tools have also been built based on these formal models [21, 10, 11, 33, 13].

In this paper, we consider an extension introduced in [35], which gives agents the power to communicate terms as well as logical formulas about them. These formulas, called assertions, involve equality of terms, existential quantification, conjunction, and disjunction. For instance, we can reveal partial information about some encrypted term $\{m\}_{k}$ to a recipient who does not know the key $k$ (for instance, that the value of $m$ is either $0$ or $1$ , without revealing which) by sending the assertion $\exists{x}{y}\bigl{[}\{x\}_{y}=\{m\}_{k}\ \wedge\ x\in\{0,1\}\bigr{]}$ . So we see that assertions allow us to model protocols that involve some kinds of certification. Traditionally, such certification is often modelled using zero-knowledge proofs.

The Dolev-Yao model can also be extended with a special class of zero-knowledge terms [7, 6]. But in these extensions, one important component is missing: logical reasoning over certificates. This is especially important in situations where certificates communicate partial information. For example, two partial-information certificates of the form $x\in\{0,1\}$ and $x\in\{0,2\}$ can lead to the inference of strictly greater information, namely $x=0$ , potentially violating some security guarantees. This is one of the main features of the model in [35]. Making “assertions”, as that paper refers to such logical statements, first-class citizens provides a threefold advantage: a more transparent specification of protocols which captures design intent better, the ability to explicitly reason about certificates and thus analyze protocols more precisely, and the ability to state some security properties more easily. In [35], the authors express examples (the FOO [24] and Helios [3] e-voting protocols) and specify security properties using assertions. We describe the modelling of the FOO protocol in detail in Section 2.3.

In [35], any communicated assertion is “believed” by the recipients. One way to implement this feature is to communicate a zero knowledge proof of the assertion. But formally, we send the assertion itself rather than a term standing for a zero-knowledge proof, which also allows us the possibility of choosing other implementations for the assertion. Another way in which [35] differs from other modelling using ZKP terms is that these proofs need not be built ab initio every time. One can compose a new proof by combining existing proofs. These can be implemented using composable ZKPs [26]. These issues have been discussed in [31], which considers a logical language with conjunction and existential quantification and modular construction of ZKPs for these formulas. However, unlike [31], assertions also allow “destructive reasoning” from existing knowledge via elimination rules.

The main focus in this paper is to solve an interesting technical problem in our model with assertions – the insecurity problem for finitely many sessions.

1.3 The insecurity problem for finitely many sessions

The attack on Example 1 indicates that even for simple protocols, one needs to consider non-trivial scenarios to detect security violations. A canonical problem of interest is the insecurity problem, which asks if a given protocol admits a run that leaks a secret to the intruder. A run is characterized by an interleaving of protocol roles ( $A$ and $B$ in Example 1), with a substitution for the variables in messages received by agents during these roles. There can be infinitely many such substitutions, i.e. a potentially infinite number of executions, and thus, the insecurity problem is undecidable in general [4, 23, 27]. In [38], the authors consider a restricted set of runs, and show that the insecurity problem is in NP when one considers at most $K$ sessions, for some fixed $K$ .

Even with only a finite number of sessions, the intruder can inject arbitrarily large terms in place of variables. Thus, there is no bound on the size of terms encountered in a run. The work in [38] gets around this complication by showing that if there is any attack at all given by an interleaving of roles and a substitution, there is an attack given by the same interleaving and a ‘small’ substitution. This “new” attack is such that the intruder can derive the same terms at the end, and the size of all messages transmitted is bounded by a polynomial in the size of the protocol specification. Hence the insecurity problem with boundedly many sessions can be solved in NP.

As with terms, one can formulate the insecurity problem for assertions as well. The general problem continues to be undecidable, so we consider the case of finitely many sessions. With existential quantification, we now have two types of variables – those used to identify parts of received messages (instantiated at runtime by the actual message sent by the intruder), and quantified variables that occur in assertions. As earlier, there is no a priori bound on the size of terms assigned to the first kind of variables. But there is another source of unboundedness: to derive a quantified assertion $\exists{x}.~{}\alpha$ , one must derive $\alpha(t)$ for some “witness” $t$ . There is no a priori bound on the size of $t$ either, and proof search is further complicated by any potential interaction between these two sources of unboundedness. When we simulate a substitution for the “intruder” variables with a small one, the witnesses for quantifiers might change too, but we still need to preserve some derivations under these new witnesses.

We extend the techniques of [38], while considering interactions between multiple substitutions and having to preserve more complex derivations, to obtain a somewhat surprising result. In this paper, we show that the insecurity problem for assertions for finitely many sessions remains in NP.

1.4 Related work

There are many extensions of the basic Dolev-Yao model that aim to capture various cryptographic operators and their properties [2, 8, 15, 16, 17, 20, 30]. Algebraic properties of operators like xor, blinding, distributive encryption etc. are studied by means of equation theories, which are also referred to as intruder theories in the security literature. Equations in these theories are implicitly universally quantified, and the intention is that any term matching one side of the equation may be replaced by the other side. For example, if the theory contains a rule of the form $\textit{unblind}(\textit{sign}(\textit{blind}(x,y),k),y)=\textit{sign}(x,k)$ , it means that any instance of the LHS can be replaced by the corresponding instance of the RHS. Such equations correspond to proof rules in the system for deriving terms in this paper (examples of such systems are given in Section 2.1).

Equality assertions, on the other hand, are to be treated literally, and not as rewrite rules. For instance, given an assertion of the form $\{x\}_{k}=\{t\}_{k}$ , we cannot replace all terms of the form $\{u\}_{k}$ by $\{t\}_{k}$ . In fact, these equality assertions are objects that are manipulated by proof rules, rather than being another style of expressing derivations between terms.

Along with studying the derivability problem for such extensions, several of these papers also extend the results of [38] by addressing the active intruder problem for finitely many sessions. For instance, [15, 16] obtain NP decision procedures in the case of extending Dolev-Yao with rules for xor. The current paper, however, extends [38] along a different dimension, to solve both the passive and active intruder problems for assertions, and is thus not subsumed by any of these works on equation theories.

1.5 Organization of the paper

In Section 2, we first introduce the syntax for terms and assertions. We present an example of modelling with assertions via the FOO e-voting protocol, and then present the proof system for assertions. Then we define protocols and runs for this new system. In Section 3, we first present a high-level overview of the various steps involved in solving the insecurity problem, and then we move on to Section 4, where we present the technical results in detail and prove that insecurity for the assertion system is in NP. We present some ideas for future research in Section 5.

2 Modeling security protocols

2.1 Terms: Syntax and Derivation System

In this model, each communicated message is modelled as a term in an algebra, which has operators for pairing, encryption, hashing etc. New terms can be derived from old ones using proof rules, which specify the behaviour of these operators. We begin with a set $\mathscr{N}$ of names (atomic terms, with no further structure), and a set of variables $\mathscr{V}$ . We denote by $\mathscr{A}\subseteq\mathscr{N}$ the set of agents, with $I\in\mathscr{A}$ being the malicious intruder. We denote by $\mathscr{V}_{q}\subset\mathscr{V}$ the variables used for quantification, and by $\mathscr{V}_{i}$ the set $\mathscr{V}\setminus\mathscr{V}_{q}$ . The set of terms, denoted by $\mathscr{T}$ , is given by

$\displaystyle t\in\mathscr{T}::=x\mid m\mid{\sf f}(t_{1},\ldots,t_{n})$

where $x\in\mathscr{V}$ , $m\in\mathscr{N}$ , $t_{1},\ldots,t_{n}\in\mathscr{T}$ , and ${\sf f}$ is an $n$ -ary operator. Ground terms are those without variables. A substitution $\sigma$ is a partial function with finite support from $\mathscr{V}_{i}$ to $\mathscr{T}$ . Its domain is denoted by ${\sf dom}(\sigma)$ . We assume that $\sigma(x)=x$ for $x\not\in{\sf dom}(\sigma)$ . The set of subterms of $t$ is denoted by ${\sf st}(t)$ , and defined as usual. The set of variables appearing in $t$ is denoted by ${\sf vars}(t)$ .

Each ${\sf f}$ has constructor rules and destructor rules, expressed in terms of sequents of the form $X\vdash t$ (to be read as “ $t$ is derived from $X$ ”), where $X\cup\{t\}$ is a finite set of terms. Figure 1 gives the general form of a constructor rule (on the left) and a destructor rule (on the right). In a destructor rule, the conclusion $t_{i}$ is an immediate subterm of the leftmost premise, which is designated as the major premise of the rule. The ${\sf ax}$ rule (which derives $X\vdash t$ when $t\in X$ ) is also considered a destructor rule for technical purposes. We say $X\vdash_{\mathit{dy}}t$ if there is a proof of $X\vdash t$ using these constructor and destructor rules, and $X\vdash_{\mathit{dy}}S$ to mean that $X\vdash_{\mathit{dy}}t$ for every $t\in S$ .

$\displaystyle\frac{X\vdash t_{1}\quad\cdots\quad X\vdash t_{n}}{X\vdash{\sf f}(t_{1},\ldots,t_{n})}$	$\displaystyle\frac{X\vdash{\sf f}(t_{1},\ldots,t_{n})\quad X\vdash u_{1}\quad\cdots\quad X\vdash u_{m}}{X\vdash t_{i}}$

Figure 1: General form of constructor and destructor rules

For any proof $\pi$ of $X\vdash t$ , we denote by ${\sf axioms}(\pi)$ the set $X$ , by ${\sf conc}(\pi)$ the term $t$ , and by ${\sf terms}(\pi)$ all terms occurring in $\pi$ . $\pi$ is said to be normal if a constructor rule does not yield the major premise of a destructor rule. We only consider proof systems which enjoy the following three properties:

• Normalization: Every proof $\pi$ of $X\vdash t$ can be converted into a normal proof $\varpi$ of the same.
• Subterm property: For any normal proof $\varpi$ of $X\vdash t$ , ${\sf terms}(\varpi)\subseteq{\sf st}(X\cup\{t\})$ , and if $\varpi$ ends in a destructor rule, ${\sf terms}(\varpi)\subseteq{\sf st}(X)$ .
• Efficient derivability checks: There is a PTIME algorithm for checking derivability.

The normalization and subterm properties combined are referred to as locality in the security literature. This is a notion identified in [32], and is crucially used in solving the derivability problem for many classes of inference systems, including many intruder theories.

Example 2.

A term algebra with pairing, symmetric and asymmetric encryption operations, where $m,k\in\mathscr{N}$ and $t,u\in\mathscr{T}$ is given by $t:=m\mid\mathit{pk}(k)\mid(t,u)\mid\{t\}_{k}\mid\{\!|t|\!\}_{\mathit{pk}(k)}$ . The proof system for this algebra is shown in Table 1. This system enjoys normalization and the subterm property [38].

$\displaystyle\frac{}{X\vdash m}\ {\sf ax}\ (m\in X)$	$\displaystyle\frac{X\vdash(t_{1},t_{2})}{X\vdash t_{i}}\ {\sf split}$	$\displaystyle\frac{X\vdash k}{X\vdash\mathit{pk}(k)}\ {\sf pk}$
$\displaystyle\frac{X\vdash t\quad X\vdash u}{X\vdash(t,u)}\ {\sf pair}$	$\displaystyle\frac{X\vdash\{t\}_{k}\quad X\vdash k}{X\vdash t}\ {\sf sdec}$	$\displaystyle\frac{X\vdash t\quad X\vdash k}{X\vdash\{t\}_{k}}\ {\sf senc}$
$\displaystyle\frac{X\vdash\{\!|t|\!\}_{\mathit{pk}(k)}\quad X\vdash k}{X\vdash t}\ {\sf adec}$	$\displaystyle\frac{X\vdash t\quad X\vdash\mathit{pk}(k)}{X\vdash\{\!|t|\!\}_{\mathit{pk}(k)}}\ {\sf aenc}$

Table 1: Proof system for the term algebra in Example 2
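
To illustrate how locality leads to an efficient derivability check, the following Python sketch decides $X\vdash_{\mathit{dy}}t$ for the rules of Table 1. It is a minimal sketch under stated assumptions, not the procedure of [38]: terms are encoded as nested tuples, keys are atomic names as in the grammar of Example 2, and the function names `analyze`, `synthesize` and `derivable` are hypothetical. The first phase closes $X$ under the destructor rules, which only ever produces subterms of $X$; the second phase applies constructor rules top-down on the goal.

```python
# Terms: names are strings; compound terms are ("pair", t, u), ("senc", t, k),
# ("aenc", t, ("pk", k)) and ("pk", k). Keys k are assumed to be atomic names.

def analyze(known):
    """Close a set of terms under the destructor rules split, sdec and adec."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if isinstance(term, str):
                continue
            op = term[0]
            if op == "pair":
                parts = term[1:]
            elif op == "senc" and term[2] in known:
                parts = (term[1],)
            elif (op == "aenc" and isinstance(term[2], tuple)
                  and term[2][0] == "pk" and term[2][1] in known):
                parts = (term[1],)          # adec needs the private key k
            else:
                parts = ()
            for part in parts:
                if part not in known:
                    known.add(part)
                    changed = True
    return known


def synthesize(known, goal):
    """Check whether goal can be built from known using constructor rules only."""
    if goal in known:
        return True
    if isinstance(goal, str):
        return False                        # names cannot be constructed
    # pair, senc, aenc and pk all require every immediate argument.
    return all(synthesize(known, arg) for arg in goal[1:])


def derivable(X, t):
    return synthesize(analyze(X), t)


# Intruder knowledge before and after B's reply in Example 1.
before = {"kI", ("pk", "kA"), ("pk", "kB"), ("aenc", "m", ("pk", "kB"))}
after = before | {("aenc", "m", ("pk", "kI"))}
```

With these sets, `derivable(before, "m")` is false while `derivable(after, "m")` is true. Every term added by `analyze` is a subterm of the input set, so the closure is reached after polynomially many steps.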

2.2 Assertions

We consider an assertion syntax which includes equality over terms (to avoid overloading the $=$ operator, we denote equality between $t$ and $u$ by ${{t}\bowtie{u}}$ ), predicates, conjunction, existentially quantified assertions, list membership, and a $\mathit{says}$ connective. Existential quantification allows us to make statements that convey partial information about terms, in particular, allowing us to hide terms or parts thereof. The $\mathit{says}$ connective works like a signature over assertions, indicating who endorses the fact conveyed by the assertion. List membership, which we denote by $\twoheadleftarrow$ , acts as a restricted form of disjunction. Predicates allow us to express some protocol-specific facts. As we will see in later sections, this fragment allows us to express example protocols of interest, and yields a decidable active intruder problem for boundedly many sessions.

In the following, $t,u\in\mathscr{T}$ , $P$ is an $m$ -ary predicate, $u_{1},\ldots,u_{m},t_{0}\in\mathscr{N}\cup\mathscr{V}$ , $t_{1},\ldots,t_{n}\in\mathscr{N}$ , $x\in\mathscr{V}_{q}$ , and $\mathit{pk}(k)$ is the public key corresponding to a secret key $k$ . (We could consider arbitrary terms in list membership, and similarly in $P(u_{1},\ldots,u_{m})$ , but this simple syntax suffices for most examples.)

	$\displaystyle\alpha$	$\displaystyle:={{t}\bowtie{u}}\mid P(u_{1},\ldots,u_{m})\mid t_{0}\twoheadleftarrow[t_{1},\ldots,t_{n}]$
		$\displaystyle\quad\mid\alpha_{0}\wedge\alpha_{1}\mid\exists x.~{}\alpha(x)\mid\mathit{pk}(k)\ \mathit{says}\ \alpha$

By atomic assertions, we mean assertions that are not of the form $\alpha\wedge\beta$ or $\exists{x}\alpha$ .

We denote the free (resp. bound) variables occurring in an assertion $\alpha$ by ${\sf fv}(\alpha)$ (resp. ${\sf bv}(\alpha)$ ), and let ${\sf vars}(\alpha)={\sf fv}(\alpha)\cup{\sf bv}(\alpha)$ . The set of subterms (resp. subformulas) of $\alpha$ is given by ${\sf st}(\alpha)$ (resp. ${\sf sf}(\alpha)$ ). We can lift these notions to sets of assertions as usual. For a substitution $\lambda$ , we obtain $\lambda(\alpha)$ by replacing $x$ in $\alpha$ by $\lambda(x)$ for all $x\in{\sf fv}(\alpha)$ .

We now define the public terms of an assertion $\alpha$ . These are essentially the terms that $\alpha$ is “about”, which are always communicated along with $\alpha$ . Quantified variables in an assertion stand for “private” terms, so if a term $t$ occurring in $\alpha$ has quantified variables, it cannot itself be public. But it is not reasonable to declare all other subterms to be public terms either. For instance, if an assertion talks about ${\sf senc}(v,k)$ , the term ${\sf senc}(v,k)$ should be public, but probably not $v$ or $k$ itself. Hence we define the public terms of $\alpha$ , denoted ${\sf pubs}(\alpha)$ , as the set of all maximal subterms of $\alpha$ which contain no quantified variables. In other words, $t\in{\sf pubs}(\alpha)$ iff $t\in{\sf st}(\alpha)$ , ${\sf vars}(t)\cap\mathscr{V}_{q}=\emptyset$ , and $\forall u\in{\sf st}(\alpha)\setminus\{t\}:\ t\in{\sf st}(u)\implies{\sf vars}(u)\cap\mathscr{V}_{q}\neq\emptyset$ .

Example 3.

$A$ (with secret key $k$ ) encrypts a vote $v$ in a key $r$ unknown to $B$ and states that it is one of two allowed values.

$\displaystyle A\rightarrow B:\{v\}_{r},\ \mathit{pk}(k)\ \mathit{says}\ \bigl{\{}\exists xy.{{\{x\}_{y}}\bowtie{\{v\}_{r}}}\wedge x\twoheadleftarrow[0,1]\bigr{\}}$

The set of public terms of this assertion is $\bigl{\{}\{v\}_{r},0,1\bigr{\}}$ .
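
The computation of ${\sf pubs}$ for this example can be sketched in Python. This is an illustrative sketch under assumptions: the tuple encoding of assertions and the names `subterms`, `top_terms`, `is_private` and `pubs` are hypothetical, maximality is read over proper superterms, and only the quantified body of the assertion is encoded (the $\mathit{says}$ wrapper is left out).

```python
# Terms: names are strings, variables are ("var", name), and an encryption
# {t}_k is ("senc", t, k). Assertions: ("eq", t, u), ("in", t0, (t1, ..., tn)),
# ("and", a0, a1) and ("exists", x, body). (Assumed encoding.)

def subterms(t):
    """Yield t and all of its subterms."""
    yield t
    if isinstance(t, tuple) and t[0] != "var":
        for arg in t[1:]:
            yield from subterms(arg)


def top_terms(a):
    """Yield the terms that occur directly in an assertion."""
    op = a[0]
    if op == "eq":
        yield from a[1:]
    elif op == "in":
        yield a[1]
        yield from a[2]
    elif op == "and":
        yield from top_terms(a[1])
        yield from top_terms(a[2])
    elif op == "exists":
        yield from top_terms(a[2])


def is_private(t, quantified):
    """True if t mentions a variable from the set of quantified variables."""
    return any(isinstance(s, tuple) and s[0] == "var" and s[1] in quantified
               for s in subterms(t))


def pubs(a, quantified):
    """Maximal subterms of the assertion that contain no quantified variable."""
    st = {s for t in top_terms(a) for s in subterms(t)}
    public = {t for t in st if not is_private(t, quantified)}
    return {t for t in public
            if not any(u != t and t in subterms(u) for u in public)}


x, y = ("var", "x"), ("var", "y")
body = ("and", ("eq", ("senc", x, y), ("senc", "v", "r")), ("in", x, ("0", "1")))
alpha = ("exists", "x", ("exists", "y", body))
result = pubs(alpha, {"x", "y"})
```

On this input, `result` contains the encoding of $\{v\}_{r}$ together with `"0"` and `"1"`; the names $v$ and $r$ are dropped because they sit inside the larger public term $\{v\}_{r}$ .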

Assertions, like terms, can be involved in sends and receives. However, since assertions are logical formulas, we can also have agents check them for derivability and take some action based on the result of this check, without any send/receive. We call such an action an ${\sf assert}$ . As part of an ${\sf assert}~{}{\alpha}$ action, an agent $A$ checks to see if $\alpha$ is derivable from their current knowledge. If it is, $A$ continues with their role, otherwise $A$ aborts. An ${\sf assert}$ action allows us to model some minimal branching based on the derivability of assertions from agents’ local states.

Note that this does not involve any absolute notion of the “truth” (or lack thereof) of an assertion. An agent can only locally check if an assertion can be “verified”, i.e. obtained from what they know about the system at that point in the execution. It might well be the case that while an ${\sf assert}~{}\alpha$ check passes for an agent $A$ , a different agent $B$ might not have enough information to be able to derive $\alpha$ , and abort. Conversely, if some agent’s internal state has been compromised somehow and made inconsistent, they might even be able to ${\sf assert}$ something like $0=1$ , which is patently false. We are only concerned with the verifiability of assertions, and not their absolute truth values.

Having introduced this system, we now present the modelling of the well-known FOO e-voting protocol [24]. This is a minor modification of the presentation in [35].

2.3 Example: FOO e-voting Protocol

The FOO e-voting protocol was proposed in 1992 and closely mirrors the way one votes offline. There is a voter $V$ , an authority $A$ who verifies voter identities, and a collector $C$ who computes the final tally.

To model this using only terms [24, 29], blinding is used. One can use $t$ and $b$ to make a blind pair ${\sf blind}(t,b)$ , and get ${\sf sign}(t,k)$ from ${\sf sign}({\sf blind}(t,b),k)$ and $b$ . The voter authenticates themselves to the authority using their signing key $\mathit{sk}_{V}$ , and uses the blinding operation to have the authority certify it without knowing the actual vote. The authority’s signature ${\sf sign}(\cdot,\mathit{sk}_{A})$ percolates through to the vote when the voter removes the blind, and the voter can then anonymously send (denoted by $\looparrowright$ ) this signed vote to the collector for inclusion into the final tally. This specification is shown below.

	$\displaystyle V\rightarrow A$	$\displaystyle:{\sf sign}({\sf blind}(\{v\}_{r},b),\mathit{sk}_{V})$
	$\displaystyle A\rightarrow V$	$\displaystyle:{\sf sign}({\sf blind}(\{v\}_{r},b),\mathit{sk}_{A})$
	$\displaystyle V\looparrowright C$	$\displaystyle:{\sf sign}(\{v\}_{r},\mathit{sk}_{A})$

We model the voting phase of FOO as below, following [35]. We use $\{\alpha\}^{A}$ as shorthand for $A\ \mathit{says}\ \alpha$ . In fact, the use of assertions allows one to also specify an eligibility check for voters via an ${\sf assert}$ . If the user is not eligible, the protocol aborts. Further, voters can also state that their vote is for an allowable candidate from the list $\ell$ . These are left implicit in the terms-only modelling.

	$\displaystyle V\rightarrow A$	$\displaystyle:\{v\}_{p},\bigl{\{}\exists xr.{{\{x\}_{r}}\bowtie{\{v\}_{p}}}\wedge x\twoheadleftarrow\ell\bigr{\}}^{V}$
	$\displaystyle A$	$\displaystyle:{\sf assert}~{}{\sf el}(V)$
	$\displaystyle A\rightarrow V$	$\displaystyle:\bigl{\{}{\sf el}(V)\wedge\bigl{\{}\exists xr.{{\{x\}_{r}}\bowtie{\{v\}_{p}}}\wedge x\twoheadleftarrow\ell\bigr{\}}^{V}\bigr{\}}^{A}$
	$\displaystyle V\looparrowright C$	$\displaystyle:\{v\}_{q},\exists Uys.\bigl{\{}{\sf el}(U)\wedge\bigl{\{}\exists xr.{{\{x\}_{r}}\bowtie{\{y\}_{s}}}\wedge x\twoheadleftarrow\ell\bigr{\}}^{U}\bigr{\}}^{A}$
		$\displaystyle\quad\wedge\bigl{\{}\exists w.{{\{y\}_{w}}\bowtie{\{v\}_{q}}}\bigr{\}}$

$V$ first sends to $A$ their encrypted vote along with an assertion claiming that it is for a candidate from the list $\ell$ . The authority checks the voter’s eligibility via the ${\sf assert}$ action on the ${\sf el}$ predicate. If the check passes, the authority issues a certificate stating that the voter is allowed to vote, crucially, without modifying the term containing the vote. $V$ then existentially quantifies out their name from this certificate, and anonymously sends to $C$ a re-encryption of the vote authorized by $A$ along with a certificate to that effect. Here, $p$ and $q$ are freshly-generated ephemeral keys. Thus, the intent behind the various communications is made more transparent than in the model with blind signatures. One can show that this satisfies anonymity [35].

One can also specify security properties in a more natural manner (as compared to the terms-only model). For instance, one can say that vote secrecy is ensured in the above protocol if there is no run where the intruder can derive the assertion $\exists{xy}:[\{v\}_{p}=\{x\}_{y}\wedge x=v]$ . Note that this means that while anyone can derive the value of $v$ , which is public, they should not be able to identify the value inside the encrypted vote $\{v\}_{p}$ as being a particular public name. To express this in the terms-only formulation, one has to check whether two runs that only differ in the vote $v$ can be distinguished by the intruder [19]. It can be seen from [35] that proving such properties might involve considering multiple runs simultaneously, but their specification itself does not refer to a notion of equivalence.

Example 4.

Consider a protocol where $V$ sends to $A$ the vote encrypted in a fresh key $k$ , and an assertion that the vote belongs to an allowable list $\ell$ of candidates. This looks as follows. $V\rightarrow A:\{v\}_{k},\exists xr.\bigl{\{}{{\{x\}_{r}}\bowtie{\{v\}_{k}}}\wedge x\twoheadleftarrow\ell\bigr{\}}$ .

Suppose this same protocol is used for two elections that $V$ participates in simultaneously, where the first election has candidates $0$ and $1$ (so $\ell_{1}=[0,1]$ ) and the second has candidates $0$ and $2$ (so $\ell_{2}=[0,2]$ ).

$V$ wants to vote for $0$ in both elections. Since the vote is for the same candidate, $V$ (unwisely) decides to reuse the same term, instead of re-encrypting in a fresh key. So we have a run where $V$ sends both $\exists xr.\bigl{\{}{{\{x\}_{r}}\bowtie{\{v\}_{k}}}\wedge x\twoheadleftarrow[0,1]\bigr{\}}$ and $\exists ys.\bigl{\{}{{\{y\}_{s}}\bowtie{\{v\}_{k}}}\wedge y\twoheadleftarrow[0,2]\bigr{\}}$ . Now, since the same term $\{v\}_{k}$ is involved in both assertions, an observer ought to be able to deduce that the vote is actually for $0$ . This would allow them access to both the identity of a voter as well as their vote, falsifying anonymity. The assertion system formally captures such inference via a proof system.

2.4 Abstractability and Proof System

Before we present the proof system, we need to fix under what conditions one can derive a new assertion from existing ones. In a security context, it becomes important to distinguish when a term is accessible inside an assertion versus when it is not. To substitute a term $u$ (with, say, $v$ ) inside a term $t$ , an agent $A$ essentially needs to break the term down to that position, replace $u$ with $v$ , and construct the whole term back. This depends on other terms $A$ has access to. We formalize this notion as “abstractability”, which requires us to first define the set of term positions of an assertion.

We will view terms as trees, with $\mathbb{P}(t)\subseteq\mathbb{N}^{*}$ denoting the set of positions of the term $t$ , and $\varepsilon$ the empty word in $\mathbb{N}^{*}$ . We will also view assertions as trees, with any operator forming the root of its subtree, and its operands standing for its children. We will only be interested in the positions where terms occur in assertions, not those of the various operators. We define these as follows.

Definition 5 (Term positions of an assertion).

We define the term positions of an assertion $\alpha$ , denoted $\mathbb{P}(\alpha)$ , as follows:

• $\mathbb{P}({{t}\bowtie{t^{\prime}}})=\{0\cdot p\mid p\in\mathbb{P}(t)\}\cup\{1\cdot p\mid p\in\mathbb{P}(t^{\prime})\}$
• $\mathbb{P}(P(u_{0},\ldots,u_{m}))=\{0,\ldots,m\}$
• $\mathbb{P}(t\twoheadleftarrow[t_{1},\ldots,t_{n}])=\{0,1,\ldots,n\}$
• $\mathbb{P}(\alpha\wedge\beta)=\{0\cdot p\mid p\in\mathbb{P}(\alpha)\}\cup\{1\cdot p\mid p\in\mathbb{P}(\beta)\}$
• $\mathbb{P}(\exists{x}.\alpha)=\{0\cdot p\mid p\in\mathbb{P}(\alpha)\}$
• $\mathbb{P}(\mathit{pk}(k)\ \mathit{says}\ \alpha)=\{0,00\}\cup\{1\cdot p\mid p\in\mathbb{P}(\alpha)\}$

For $t,r\in\mathscr{T}$ , and $p\in\mathbb{P}(t)$ , ${t}|_{p}$ is the subterm of $t$ rooted at $p$ . The set of positions of $r$ in $t$ is $\mathbb{P}_{r}({t})\coloneqq\{p\in\mathbb{P}(t)\mid{t}|_{p}=r\}$ . For $P\subseteq\mathbb{P}(t)$ , ${t}[{r}]_{P}$ is obtained by replacing the subterm of $t$ occurring at each $p\in P$ with $r$ . We will use analogous notation for assertions.
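
The position notation for terms can be made concrete with a short Python sketch. The encoding is an assumption made for illustration: terms are nested tuples, names and variables are strings, positions are digit strings with `""` standing for $\varepsilon$ , and the helper names are hypothetical. Digit strings are adequate only because every operator used here has arity at most two.

```python
def positions(t):
    """All positions of a term as digit strings; "" is the root position."""
    result = [""]
    if isinstance(t, tuple):
        for i, arg in enumerate(t[1:]):
            result += [str(i) + p for p in positions(arg)]
    return result


def subterm_at(t, p):
    """The subterm of t rooted at position p."""
    for digit in p:
        t = t[1 + int(digit)]
    return t


def positions_of(r, t):
    """The set of positions at which r occurs in t."""
    return {p for p in positions(t) if subterm_at(t, p) == r}


def replace(t, r, P):
    """Replace the subterm at each position in P by r."""
    def go(term, here):
        if here in P:
            return r
        if isinstance(term, str):
            return term
        return (term[0],) + tuple(go(arg, here + str(i))
                                  for i, arg in enumerate(term[1:]))
    return go(t, "")


# t = (x, {x}_k), with the variable x written as the string "x".
t = ("pair", "x", ("senc", "x", "k"))
P = positions_of("x", t)
t_r = replace(t, "r", P)
```

Here `P` is `{"0", "10"}`, and `t_r` is the encoding of $(r,\{r\}_{k})$ .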

Definition 6 (Abstractable positions of a term).

Let $S\cup\{t\}\subseteq\mathscr{T}$ . The set of abstractable positions of $t$ w.r.t. $S$ , denoted $\mathbb{A}(S,t)$ , is defined as follows. For $p\in\mathbb{P}(t)$ , let $\mathbb{Q}_{p}=\{\varepsilon\}\cup\{qi\in\mathbb{P}(t)\mid q$ is a proper prefix of $p\}$ . Then $\mathbb{A}(S,t)\coloneqq\{p\in\mathbb{P}(t)\mid S\vdash_{\mathit{dy}}{t}|_{q}$ for all $q\in\mathbb{Q}_{p}\}$ .

For example, let $t=(\{\{m\}_{k}\}_{k^{\prime}},(n_{1},n_{2}))$ . Then, $\mathbb{P}(t)=\{\varepsilon,0,1,00,01,10,11,000,001\}$ . Consider the set $S=\{\{\{m\}_{k}\}_{k^{\prime}},(n_{1},n_{2})\}$ . Then, $\mathbb{A}(S,t)=\{\varepsilon,0,1,10,11\}$ . The abstractable positions are shown in bold in Figure 2.

Figure 2: Abstractable positions w.r.t. $S=\{\{\{m\}_{k}\}_{k^{\prime}},(n_{1},n_{2})\}$
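
The example for Definition 6 can be checked mechanically. The Python sketch below is an illustration under assumptions: terms are nested tuples with names as strings, positions are digit strings with `""` for $\varepsilon$ , only pairing and symmetric encryption with atomic keys are handled, and all function names are hypothetical.

```python
def positions(t):
    """All positions of a term as digit strings; "" is the root position."""
    result = [""]
    if isinstance(t, tuple):
        for i, arg in enumerate(t[1:]):
            result += [str(i) + p for p in positions(arg)]
    return result


def subterm_at(t, p):
    for digit in p:
        t = t[1 + int(digit)]
    return t


def derivable(S, goal):
    """Derivability for pairing and symmetric encryption (atomic keys assumed)."""
    known = set(S)
    changed = True
    while changed:                          # destructor closure: split, sdec
        changed = False
        for term in list(known):
            if isinstance(term, str):
                continue
            if term[0] == "pair":
                parts = term[1:]
            elif term[0] == "senc" and term[2] in known:
                parts = term[1:2]
            else:
                parts = ()
            new = set(parts) - known
            if new:
                known |= new
                changed = True

    def build(g):                           # constructor rules: pair, senc
        return g in known or (isinstance(g, tuple)
                              and all(build(a) for a in g[1:]))
    return build(goal)


def abstractable(S, t):
    """Positions p such that S derives t|_q for every q in Q_p."""
    pos = set(positions(t))
    result = set()
    for p in pos:
        # Q_p: the root, plus every position qi whose parent q is a proper prefix of p.
        q_p = {""} | {r for r in pos
                      if r and len(r) <= len(p) and p.startswith(r[:-1])}
        if all(derivable(S, subterm_at(t, q)) for q in q_p):
            result.add(p)
    return result


inner = ("senc", ("senc", "m", "k"), "k2")   # {{m}_k}_{k'}, with k' written k2
pair_n = ("pair", "n1", "n2")
t = ("pair", inner, pair_n)
S = {inner, pair_n}
A = abstractable(S, t)
```

The result `A` is `{"", "0", "1", "10", "11"}`, matching $\mathbb{A}(S,t)$ above: position $00$ is excluded because $\{m\}_{k}$ cannot be derived without $k^{\prime}$ .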

At first glance, a straightforward inductive definition might seem to suffice for lifting the notion of abstractable positions to assertions. However, a problem arises when we consider an assertion of the form $\exists x.\alpha$ . Let $\alpha=\exists b.\{{{\{m\}_{b}}\bowtie{\{m\}_{k}}}\}$ . Suppose we want to get $\exists ab.\{{{\{a\}_{b}}\bowtie{\{m\}_{k}}}\}$ from $\alpha$ in the presence of the set $S=\{m,k\}$ . The position of $m$ in $\{m\}_{b}$ must be abstractable w.r.t. $S$ , i.e. we require that $S\vdash_{\mathit{dy}}\{m\}_{b}$ , but $S$ does not even contain the quantified variable $b$ . We must therefore consider derivability from $S\cup\{b\}$ in this case, not $S$ .

Definition 7 (Abstractable positions of an assertion).

The set of abstractable positions of $\alpha$ w.r.t. $S$ , denoted by $\mathbb{A}(S,\alpha)$ , is:

•

$\mathbb{A}(S,{{t_{0}}\bowtie{t_{1}}})=\{i\cdot p\mid i\in\{0,1\},\ p\in\mathbb{A}(S,t_{i})\}$
•

$\mathbb{A}(S,P(u_{1},\ldots,u_{m}))=\{i\mid 1\leq i\leq m,S\vdash_{\mathit{dy}}u_{i}\}$
•

$\mathbb{A}(S,t\twoheadleftarrow[t_{1},\ldots,t_{n}])=\{0\}$
•

$\mathbb{A}(S,\alpha_{0}\wedge\alpha_{1})=\{i\cdot p\mid i\in\{0,1\},\ p\in\mathbb{A}(S,\alpha_{i})\}$
•

$\mathbb{A}(S,\exists{x}.\alpha)=\{0\cdot p\mid p\in\mathbb{A}(S\cup\{x\},\alpha)\}$
•

$\mathbb{A}(S,\mathit{pk}(k)\ \mathit{says}\ \alpha)=\{0\}\cup\{1\cdot p\mid p\in\mathbb{A}(S,\alpha)\}$

We now state a fundamental property of abstractability, which will be used in some of the more technical proofs later.

Lemma 8.

Let $S\cup\{t,r\}\subseteq\mathscr{T}$ s.t. $S\vdash_{\mathit{dy}}r$ . If $x\notin{\sf vars}(S)$ and $P=\mathbb{P}_{x}({t})\subseteq\mathbb{A}(S\cup\{x\},t)$ , then $\mathbb{A}(S,{t}[{r}]_{P})\cap\mathbb{P}(t)=\mathbb{A}(S\cup\{x\},t)$ .

Proof.

For any term $a$ and any set $Q\subseteq\mathbb{P}(a)$ , we let ${a}|_{Q}$ denote $\{{a}|_{q}\mid q\in Q\}$ . We now observe some general properties of abstractability.

For any $T,a$ and $q\in\mathbb{A}(T,a)$ s.t. ${a}|_{q}$ is non-atomic, either $\{q0,q1\}\subseteq\mathbb{A}(T,a)$ and ${a}|_{\{q0,q1\}}\vdash_{\mathit{dy}}{a}|_{q}$ via a constructor rule, or $q$ is a maximal position in $\mathbb{A}(T,a)$ (it is not the prefix of any other position in the set). We have the following two properties.

1.

Let $M=\{q\in\mathbb{P}(a)\mid q$ is a maximal position in $\mathbb{A}(T,a)\}$ . Then for every $p\in\mathbb{A}(T,a)$ , ${a}|_{M}\vdash_{\mathit{dy}}{a}|_{p}$ via a proof consisting only of constructor rules.
2.

Suppose $Q\subseteq\mathbb{P}(a)$ is prefix-closed (if $q\in Q$ and $p$ is a prefix of $q$ , then $p\in Q$ ) and sibling-closed (if $qi\in Q$ and $qj\in\mathbb{P}(a)$ , then $qj\in Q$ ). If $T\vdash_{\mathit{dy}}{a}|_{q}$ for every maximal $q\in Q$ , then $Q\subseteq\mathbb{A}(T,a)$ .

We now prove the statement of the lemma. Let $u={t}[{r}]_{P}$ , and let $A$ and $B$ denote $\mathbb{A}(S\cup\{x\},t)$ and $\mathbb{A}(S,u)\cap\mathbb{P}(t)$ respectively. Note that $A$ and $B$ are both prefix-closed and sibling-closed. Let $M$ (resp. $N$ ) be the set of maximal positions in $A$ (resp. $B$ ).

Since $P\subseteq A$ is the set of $x$ -positions in $t$ , $P\subseteq M$ and no $q\in M$ is a proper prefix of a position in $P$ . Thus, for every $q\in M$ , either ${t}|_{q}=x$ , or $x\notin{\sf vars}({t}|_{q})$ . If ${t}|_{q}=x$ , then ${u}|_{q}=r$ , and $S\vdash_{\mathit{dy}}{u}|_{q}$ (since $S\vdash_{\mathit{dy}}r$ ). If $x\notin{\sf vars}({t}|_{q})$ , then ${u}|_{q}={t}|_{q}$ and $S\vdash_{\mathit{dy}}{u}|_{q}$ . This is because $q\in\mathbb{A}(S\cup\{x\},t)$ , so $S\cup\{x\}\vdash_{\mathit{dy}}{t}|_{q}$ , but $x$ does not occur in the conclusion. Thus we have $S\vdash_{\mathit{dy}}{u}|_{q}$ for every $q\in M$ . Since $A$ is prefix-closed and sibling-closed, by property 2 above, we get $A\subseteq\mathbb{A}(S,u)$ . Since $A\subseteq\mathbb{P}(t)$ as well, we get $A\subseteq B$ .

By similar reasoning as above, we can see that $S\cup\{x\}\vdash_{\mathit{dy}}{t}|_{q}$ for each $q\in N$ . (For some of these positions $q$ , $x$ does not occur at all in the subterm at that position, and ${t}|_{q}={u}|_{q}$ is derivable from $S$ . For other positions $q$ , ${t}|_{q}=x$ and is derivable from $S\cup\{x\}$ .) Therefore $B\subseteq A$ . ∎
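As a sanity check, Lemma 8 can be instantiated on a small example of our own choosing (not taken from the paper), assuming that $\vdash_{\mathit{dy}}$ has the usual constructor rules for pairing and encryption. Take $S=\{m,k\}$ , $t=\{x\}_{k}$ and $r=(m,k)$ , so that $S\vdash_{\mathit{dy}}r$ and $x\notin{\sf vars}(S)$ .

```latex
\begin{align*}
P &= \mathbb{P}_{x}(t) = \{0\}, &
\mathbb{A}(S\cup\{x\},t) &= \{\varepsilon,0,1\},\\
t[r]_{P} &= \{(m,k)\}_{k}, &
\mathbb{A}(S,t[r]_{P}) &= \{\varepsilon,0,1,00,01\},\\
\mathbb{P}(t) &= \{\varepsilon,0,1\}, &
\mathbb{A}(S,t[r]_{P})\cap\mathbb{P}(t) &= \{\varepsilon,0,1\}.
\end{align*}
```

The positions $00$ and $01$ lie inside the substituted term $r$ and outside $\mathbb{P}(t)$ , which is why the statement of the lemma intersects with $\mathbb{P}(t)$ .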

The assertion proof system is shown in Table 2. We say $S;A\vdash_{\mathit{a}}\alpha$ if $\alpha$ can be derived from $S;A$ using these rules. We say $S;A\vdash_{\mathit{a}}\Gamma$ if $S;A\vdash_{\mathit{a}}\gamma$ for every $\gamma\in\Gamma$ .

$\dfrac{}{S;A\cup\{\alpha\}\vdash\alpha}\,{\sf ax}$	$\dfrac{S\vdash_{\mathit{dy}}t}{S;A\vdash{{t}\bowtie{t}}}\,{\sf eq}$	$\dfrac{S;A\vdash{{t_{0}}\bowtie{u_{0}}}\quad S;A\vdash{{t_{1}}\bowtie{u_{1}}}}{S;A\vdash{{{\sf f}(t_{0},t_{1})}\bowtie{{\sf f}(u_{0},u_{1})}}}\,{\sf cons}$
$\dfrac{S;A\vdash{{t}\bowtie{u}}}{S;A\vdash{{u}\bowtie{t}}}\,{\sf sym}$	$\dfrac{S;A\vdash{{t_{1}}\bowtie{t_{2}}}\ \cdots\ S;A\vdash{{t_{k}}\bowtie{t_{k+1}}}}{S;A\vdash{{t_{1}}\bowtie{t_{k+1}}}}\,{\sf trans}$	$\dfrac{S;A\vdash{{{\sf f}(t_{1},\ldots,t_{r})}\bowtie{{\sf f}(u_{1},\ldots,u_{r})}}}{S;A\vdash{{t_{i}}\bowtie{u_{i}}}}\,{\sf proj}_{i}^{\P}$
$\dfrac{S;A\vdash\alpha_{0}\quad S;A\vdash\alpha_{1}}{S;A\vdash\alpha_{0}\wedge\alpha_{1}}\,\wedge{\sf i}$	$\dfrac{S;A\vdash\alpha_{0}\wedge\alpha_{1}}{S;A\vdash\alpha_{i}}\,\wedge{\sf e}_{i}$	$\dfrac{S;A\vdash t\twoheadleftarrow l\quad S;A\vdash{{t}\bowtie{u}}}{S;A\vdash u\twoheadleftarrow l}\,{\sf subst}$
$\dfrac{S;A\vdash{\alpha}[{t}]_{P}\quad S\vdash_{\mathit{dy}}t}{S;A\vdash\exists{x}.\alpha}\,\exists{\sf i}^{\ddagger}$	$\dfrac{S;A\vdash\exists{x}.\alpha\quad S\cup\{y\};A\cup\{{\alpha}[{y}]_{P}\}\vdash\gamma}{S;A\vdash\gamma}\,\exists{\sf e}^{\S}$	$\dfrac{S;A\vdash\alpha\quad S\vdash_{\mathit{dy}}k}{S;A\vdash\mathit{pk}(k)\ \mathit{says}\ \alpha}\,{\sf say}$
$\dfrac{S;A\vdash t\twoheadleftarrow[n]}{S;A\vdash{{t}\bowtie{n}}}\,{\sf prom}$	$\dfrac{S;A\vdash t\twoheadleftarrow l_{1}\ \ldots\ S;A\vdash t\twoheadleftarrow l_{m}}{S;A\vdash t\twoheadleftarrow(l_{1}\cap\ldots\cap l_{m})}\,{\sf int}$	$\dfrac{S;A\vdash{{t}\bowtie{n_{i}}}\quad S\vdash_{\mathit{dy}}n_{i}\ (\forall i\leq n)}{S;A\vdash t\twoheadleftarrow[n_{1},\ldots,n_{k}]}\,{\sf wk}$

Table 2: Derivation system $\vdash_{\mathit{a}}$ for assertions. $\P$ states that $\{0i,1i\mid i\leq r\}\subseteq\mathbb{A}(S,{{{\sf f}(t_{1},\ldots,t_{r})}\bowtie{{\sf f}(u_{1},\ldots,u_{r})}})$ . ${\dagger}$ demands that $P\subseteq\mathbb{P}_{x}({\alpha})\cap\mathbb{A}(S\cup\{x\},\alpha)$ , and no position in $P$ occurs in the scope of a $\mathit{says}$ . ${\ddagger}$ stands for $P=\mathbb{P}_{x}({\alpha})\subseteq\mathbb{A}(S\cup\{x\},\alpha)$ . $\S$ states that $y\notin{\sf fv}(S)\cup{\sf fv}(A)\cup{\sf fv}(\gamma)$ and $P=\mathbb{P}_{x}({\alpha})$ .

We say that $S;A\vdash_{\mathit{eq}}\alpha$ if $\alpha$ can be derived from $S;A$ by a proof which does not use any of the rules from $\{\wedge\sf i,\wedge\sf e,\exists\sf i,\exists\sf e,{\sf say}\}$ . Recall that an atomic assertion is one that is not of the form $\alpha\wedge\beta$ or $\exists{x}.\alpha$ . The $\vdash_{\mathit{eq}}$ system is typically used when $A\cup\{\alpha\}$ consists only of atomic assertions, and we want to ensure that the rules for $\wedge$ and $\exists$ are not used in these proofs. To ensure this, we also need to avoid the ${\sf say}$ rule. Otherwise, we might allow a derivation of $\mathit{pk}(k)\ \mathit{says}\ (\alpha\wedge\beta)$ from $\alpha\wedge\beta$ , which itself can be derived only using $\wedge\sf i$ (since the LHS contains only atomic assertions).

The proofs in Section 4 crucially appeal to some properties of $\vdash_{\mathit{eq}}$ proofs, which we detail below.

Definition 9.

Suppose $E\cup\{\alpha\}$ consists only of atomic formulas and $\pi$ is a proof of $T;E\vdash_{\mathit{eq}}\alpha$ . We use “ ${\sf r}_{1}$ precedes ${\sf r}_{2}$ in $\pi$ ” to mean that the conclusion of some application of ${\sf r}_{1}$ is a premise of an application of ${\sf r}_{2}$ in $\pi$ .

We say that $\pi$ is normal if the following hold.

1.

All $\vdash_{\mathit{dy}}$ subproofs are normal.
2.

${\sf sym}$ can only be preceded by ${\sf ax}$ or ${\sf prom}$ .
3.

${\sf eq}$ can only be preceded by a destructor rule.
4.

No premise of a ${\sf trans}$ is of the form ${{a}\bowtie{a}}$ , or the conclusion of a ${\sf trans}$ .
5.

Adjacent premises of a ${\sf trans}$ are not conclusions of ${\sf cons}$ .
6.

${\sf int}$ cannot be preceded by ${\sf int}$ or ${\sf wk}$ .
7.

No subproof ending in ${\sf proj}$ contains ${\sf cons}$ .

We now state the normalization theorem and subterm property for $\vdash_{\mathit{eq}}$ proofs. First, we define the following notions.

•

${\sf terms}(\pi)\coloneqq\{t\mid$ a subproof of $\pi$ derives $\alpha$ and $t$ is a maximal subterm of $\alpha\}$ .
•

${\sf lists}(E)\coloneqq\{\ell\mid\exists{t}:t\twoheadleftarrow{\ell}$ is in $E\}$ .
•

${\sf lists}(\pi)\coloneqq\{\ell\mid$ a subproof of $\pi$ derives $t\twoheadleftarrow{\ell}\}$ .

Theorem 10 (Normalization & Subterm Property for $\vdash_{\mathit{eq}}$ ).

1.

If $(T;E)\vdash_{\mathit{eq}}\alpha$ then there is a normal proof of $(T;E)\vdash\alpha$ in the $\vdash_{\mathit{eq}}$ system.
2.
For any normal proof $\pi$ of $T;E\vdash_{\mathit{eq}}\alpha$ , letting $Y={\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})$ , we have:
- •
  
  ${\sf terms}(\pi)\subseteq Y$ .
- •
  
  ${\sf lists}(\pi)\subseteq{\sf lists}(E\cup\{\alpha\})\cup\{[n]\mid n\in Y\}$ .

Armed with these notions, we present a saturation-based procedure in Algorithm 1 for deciding whether $T;E\vdash_{\mathit{eq}}\alpha$ , where $E\cup\{\alpha\}$ consists only of atomic assertions. The procedure computes the set

\mathscr{E}^{{\alpha}}_{{T},{E}}\coloneqq\bigl{\{}\beta\mid\beta\text{ is atomic},\beta\in Z,(T;E)\vdash_{\mathit{eq}}\beta\bigr{\}}

where $Z$ is as defined in Algorithm 1, and checks if $\alpha\in\mathscr{E}^{{\alpha}}_{{T},{E}}$ .

Let $M=|{\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})|$ and $N=|{\sf lists}(E)|$ . The algorithm runs in time polynomial in $M+N$ : there are at most $(M+N)^{2}$ atomic formulas that can be added to $C$ , so the while loop runs for at most $(M+N)^{2}$ iterations, and the amount of work done in each iteration is polynomial in $M+N$ . (Recall that $\vdash_{\mathit{dy}}$ can be decided in PTIME.) The running time is therefore polynomial in the size of $(T;E\cup\{\alpha\})$ .

Algorithm 1 Algorithm to compute $\mathscr{E}^{{\alpha}}_{{T},{E}}$ , given $(T;E),\alpha$

$Y\leftarrow{\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})$ ;

$Z\leftarrow\big\{\beta\mid\beta\text{ is atomic},\ {\sf st}(\beta)\subseteq Y,\ {\sf lists}(\beta)\subseteq{\sf lists}(E)\cup\{[n]\mid n\in Y\}\big\}$ ;

$B\leftarrow\emptyset$ ;

$C\leftarrow E$ ;

while $(B\neq C)$ do

    $B\leftarrow C$ ;

    $C\leftarrow B\cup\big\{\beta\in Z\mid\beta\text{ can be obtained from $B$ using one application of any rule in $\vdash_{\mathit{a}}$}\big\}$ ;

end while

return $B$
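The fixpoint structure of Algorithm 1 can be illustrated in Python. This is a deliberately simplified sketch, not the procedure itself: it handles only equalities, uses only the rules ${\sf eq}$ , ${\sf sym}$ and a binary form of ${\sf trans}$ , and takes the set of $\vdash_{\mathit{dy}}$ -derivable terms as a precomputed argument instead of calling a decision procedure. The names `saturate`, `Y` and `derivable` are hypothetical.

```python
from itertools import product

def saturate(E, Y, derivable):
    """Close E under eq, sym and binary trans, keeping only equalities over Y.

    E         : set of pairs (t, u), each standing for the equality of t and u
    Y         : finite set of terms that bounds the search space
    derivable : terms of Y assumed (not checked here) to be dy-derivable from T
    """
    Z = set(product(Y, Y))                 # candidate conclusions
    B, C = None, set(E)                    # None forces at least one iteration
    while B != C:
        B = set(C)
        new = {(t, t) for t in derivable}                              # eq
        new |= {(u, t) for (t, u) in B}                                # sym
        new |= {(t, v) for (t, u) in B for (w, v) in B if u == w}      # trans
        C = B | (new & Z)
    return B

closure = saturate({("a", "b"), ("b", "c")}, {"a", "b", "c", "d"}, {"d"})
print(("c", "a") in closure, ("a", "d") in closure)  # True False
```

Each pass adds only conclusions drawn from the finite candidate set `Z`, so the loop terminates after at most $|Z|$ productive passes; this mirrors the iteration bound used in the complexity argument.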

2.5 Protocols and runs

Following [10, 38], a protocol is given by a finite set of roles, each role consisting of a finite sequence of alternating receives and sends (each send triggered by a receive).² These are the actions of honest agents. Every sent message is added to the Dolev-Yao intruder’s knowledge base. Each received message is assumed to have come from the intruder, so it must be derivable by the intruder. We assume that only assertions are communicated; a term $t$ can be modelled via the assertion ${{t}\bowtie{t}}$ , whose only public term is $t$ .

² This model considers actions of the form ${\sf assert}~{}\alpha$ to model rudimentary branching in protocols, which we used for specifying the FOO protocol. But we omit these in the formal model, for ease of presentation. We discuss handling such branching in Section 5.4.

A protocol $\mathit{Pr}$ is a finite set of roles, each of the form $({\beta_{1}},{\alpha_{1}})\ldots({\beta_{m}},{\alpha_{m}})$ , where the $\alpha_{i}$ s and $\beta_{i}$ s are assertions. An $x\in{\sf fv}(\mathit{Pr})$ is said to be an agent variable if it occurs first in an $\alpha_{i}$ ; otherwise it is an intruder variable. Each role is a sequence of actions by an agent, receiving the $\beta_{i}$ s and sending the $\alpha_{i}$ s in response. The $\alpha_{i}$ s and $\beta_{i}$ s can have bound variables from $\mathscr{V}_{q}$ as well as free variables from $\mathscr{V}_{i}$ . Instantiating the free variables with appropriately-typed ground terms yields a session. A run is obtained by interleaving a finite number of sessions that satisfy the required derivability conditions. It is convenient to instantiate the free variables of a role in two stages. Agent variables are instantiated with names before starting a session, but intruder variables can be mapped to terms only at runtime.

A session of a protocol $\mathit{Pr}$ is a sequence of the form $u:{\beta_{1}}\!\Rightarrow\!{\alpha_{1}}\ \cdots\ u:{\beta_{\ell}}\!\Rightarrow\!{\alpha_{\ell}}$ where $u\in\mathscr{A}$ and $(\beta_{1},\alpha_{1})\cdots(\beta_{\ell},\alpha_{\ell})$ is a prefix of a role of $\mathit{Pr}$ with all the agent variables instantiated by values from $\mathscr{N}$ . A set of sessions $S$ of $\mathit{Pr}$ is coherent if ${\sf fv}(\xi)\cap{\sf fv}(\xi^{\prime})=\emptyset$ for distinct $\xi,\xi^{\prime}\in S$ . One can always achieve coherence by renaming intruder variables as necessary.
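To make the notion of interleaving concrete, the following Python sketch enumerates all order-preserving merges of a set of sessions. It is only an illustration: sessions are modelled as lists of opaque step labels, the label strings are hypothetical, and neither coherence nor any derivability condition is checked.

```python
def interleavings(sessions):
    """Yield every merge of the sessions that keeps each session's own order."""
    if not any(sessions):          # all sessions exhausted
        yield []
        return
    for i, s in enumerate(sessions):
        if s:
            # Take the next step of session i, then interleave what remains.
            rest = sessions[:i] + [s[1:]] + sessions[i + 1:]
            for tail in interleavings(rest):
                yield [s[0]] + tail

a_session = ["A:b1=>a1", "A:b3=>a3"]   # hypothetical labels for two steps of A
b_session = ["B:b2=>a2"]               # hypothetical label for one step of B
runs = list(interleavings([a_session, b_session]))
print(len(runs))  # 3
```

The number of interleavings grows exponentially with the number and length of sessions, so such an enumeration is useful only for small instances.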

A run is an interleaving of sessions where each message sent by an agent should be constructible from their knowledge. A knowledge state is a pair $(X;\Phi)$ where $X$ is a finite set of terms and $\Phi$ is a finite set of assertions. A knowledge function ${\sf k}$ is such that ${\sf dom}({\sf k})=\mathscr{A}$ and for each $a\in\mathscr{A}$ , ${\sf k}(a)$ is a knowledge state.

Given a knowledge state $(X;\Phi)$ and an assertion $\alpha$ , we define ${\it update}((X;\Phi),\alpha)\coloneqq(X\cup{\sf pubs}(\alpha);\Phi\cup\{\alpha\})$ .

Definition 11.

A run of a protocol $\mathit{Pr}$ is a pair $(\xi,\sigma)$ where:

•

$\xi\coloneqq u_{1}:{\beta_{1}}\!\Rightarrow\!{\alpha_{1}},\ldots,u_{n}:{\beta_{n}}\!\Rightarrow\!{\alpha_{n}}$ is an interleaving of a finite, coherent set of sessions of $\mathit{Pr}$ .
•

$\sigma$ is a ground substitution with ${\sf dom}(\sigma)={\sf fv}(\xi)$ .

•

There is a sequence ${\sf k}_{0}\ldots{\sf k}_{n}$ of knowledge functions s.t.:

–

${\sf k}_{0}(a)=(X_{a};\emptyset)$ , where $X_{a}$ is a finite set of initial terms known to $a$ ( $a$ ’s secret key, public keys, public names etc).

–

For all $i<n$ ,

{\sf k}_{i+1}(a)=\begin{cases}{\sf k}_{i}(a)&\mbox{if $a\neq u_{i+1},a\neq I$}\\ {\it update}({\sf k}_{i}(a),\beta_{i+1})&\mbox{if $a=u_{i+1}$}\\ {\it update}({\sf k}_{i}(a),\alpha_{i+1})&\mbox{if $a=I$}\end{cases}

–

For $1\leq i\leq n$ , ${\sf k}_{i}(u_{i})\vdash_{\mathit{a}}\alpha_{i}$ and $\sigma({\sf k}_{i-1}(I))\vdash_{\mathit{a}}\sigma(\beta_{i})$ .

Note that honest agent derivations of the form ${\sf k}_{i}(u_{i})\vdash_{\mathit{a}}\alpha_{i}$ do not depend on accidental unification with intruder variables under $\sigma$ ; rather, they hold even in the “abstract”.

We can write an $A$ -session and a $B$ -session for the Example 1 protocol as $A:\beta_{1}\Rightarrow\alpha_{1},A:\beta_{3}\Rightarrow\alpha_{3}$ and $B:\beta_{2}\Rightarrow\alpha_{2}$ . (To save space, we denote by $p_{A}$ and $p_{B}$ the keys $\mathit{pk}(k_{A})$ and $\mathit{pk}(k_{B})$ .) We assume that $A$ starts a session by receiving a dummy name $s$ , and ends the session by sending $s$ out, and code up each communicated term $t$ from Example 1 as the assertion ${{t}\bowtie{t}}$ . Note that $A,B,p_{A},m$ , and $p_{B}$ are names used to instantiate agent variables in these sessions. The set of these two sessions is coherent.

$\beta_{1}={{s}\bowtie{s}}\qquad\alpha_{1}=\{{{(p_{A},\{m\}_{p_{B}})}\bowtie{(p_{A},\{m\}_{p_{B}})}}\}$

$\beta_{2}=\{{{(x,\{y\}_{p_{B}})}\bowtie{(x,\{y\}_{p_{B}})}}\}\qquad\alpha_{2}=\{{{\{y\}_{x}}\bowtie{\{y\}_{x}}}\}$

$\beta_{3}=\{{{\{m\}_{p_{A}}}\bowtie{\{m\}_{p_{A}}}}\}\qquad\alpha_{3}={{s}\bowtie{s}}$

Consider the substitution $\sigma=[x\mapsto p_{A},y\mapsto m]$ applied to $\xi=A:\beta_{1}\Rightarrow\alpha_{1},B:\beta_{2}\Rightarrow\alpha_{2},A:\beta_{3}\Rightarrow\alpha_{3}$ . This would be a run $(\xi,\sigma)$ where the intruder just observes traffic on the network, but does not interfere otherwise.

Let $X_{B}=\{A,B,p_{A},p_{B},k_{B}\}$ , so that ${\sf k}_{0}(B)=(X_{B};\emptyset)$ . Note that ${\sf k}_{1}(B)={\sf k}_{0}(B)$ , since there is an update to $B$ ’s knowledge state only upon receipt of $\beta_{2}$ . So, after applying $\sigma$ , ${\sf k}_{2}(B)={\it update}({\sf k}_{1}(B),\beta_{2})$ is given by $(X^{\prime};\Phi)$ where $X^{\prime}=X_{B}\cup\{(p_{A},\{m\}_{p_{B}})\}$ and $\Phi=\{\{{{(p_{A},\{m\}_{p_{B}})}\bowtie{(p_{A},\{m\}_{p_{B}})}}\}\}$ .
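The evolution of knowledge states in this example can be traced with a short Python sketch. It rests on several simplifying assumptions: every assertion is the encoding ${{t}\bowtie{t}}$ of a term, so that ${\sf pubs}$ returns just $t$ ; the steps are given already instantiated by $\sigma$ ; and the initial sets for $A$ and $I$ are hypothetical, since only $X_{B}$ is specified above. No derivability condition is checked.

```python
# Terms: atoms are strings; ("pair", a, b) is a pair and ("enc", m, k) is {m}_k.
# Assumption: every assertion is the encoding ("eq", t, t) of a term t,
# whose only public term is t; the general definition of pubs is not modelled.

def pubs(alpha):
    return {alpha[1]}

def update(state, alpha):
    """Add the public terms of alpha to X and alpha itself to Phi."""
    X, Phi = state
    return (X | pubs(alpha), Phi | {alpha})

def knowledge_states(steps, k0, intruder="I"):
    """Return [k_0, ..., k_n] for ground steps [(u_1, beta_1, alpha_1), ...]."""
    ks = [dict(k0)]
    for u, beta, alpha in steps:
        k = dict(ks[-1])
        k[u] = update(k[u], beta)                  # u receives beta
        k[intruder] = update(k[intruder], alpha)   # the intruder observes alpha
        ks.append(k)
    return ks

def eq(t):
    return ("eq", t, t)

msg = ("pair", "pA", ("enc", "m", "pB"))
reply = ("enc", "m", "pA")
steps = [("A", eq("s"), eq(msg)),      # A: beta_1 => alpha_1
         ("B", eq(msg), eq(reply)),    # B: beta_2 => alpha_2, under sigma
         ("A", eq(reply), eq("s"))]    # A: beta_3 => alpha_3

X_B = {"A", "B", "pA", "pB", "kB"}
k0 = {"A": ({"A", "B", "pA", "pB", "kA", "m"}, set()),   # hypothetical X_A
      "B": (X_B, set()),
      "I": ({"A", "B", "pA", "pB", "kI"}, set())}         # hypothetical X_I
ks = knowledge_states(steps, k0)
print(ks[1]["B"] == ks[0]["B"], ks[2]["B"][0] == X_B | {msg})  # True True
```

The two printed checks correspond to ${\sf k}_{1}(B)={\sf k}_{0}(B)$ and to the set $X^{\prime}$ computed above.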

We can also consider a run with the same $\xi$ under a substitution $\sigma=[x\mapsto\mathit{pk}(k_{I}),y\mapsto m]$ , which represents the man-in-the-middle attack shown earlier.

A secrecy property is given by an assertion $\gamma$ that the intruder should not know. A $K$ -bounded attack which violates the secrecy of $\gamma$ is a run of the protocol with at most $K$ sessions where $\sigma({\sf k}_{n}(I))\vdash_{\mathit{a}}\sigma(\gamma)$ .

Definition 12 ( $K$ -bounded insecurity problem).

Given a protocol $\mathit{Pr}$ and a designated assertion $\gamma$ , check whether there exists a $K$ -bounded attack on $\mathit{Pr}$ violating the secrecy of $\gamma$ .

Henceforth, we will use “insecurity problem” to mean the $K$ -bounded insecurity problem for some $K$ .

3 Proof strategy for the insecurity problem

In the subsequent sections, we will show that the $K$ -bounded insecurity problem for assertions is in NP. But first, we provide an overview of the proof strategy we will employ.

Given a protocol $\mathit{Pr}$ , a secrecy property specified by an assertion $\gamma$ and a bound $K$ (in unary), one way to check if there is a $K$ -bounded attack works as follows: Guess a coherent set of sessions of size $K$ , an interleaving $\xi=u_{1}:{\beta_{1}}\!\Rightarrow\!{\alpha_{1}},\ldots,u_{n}:{\beta_{n}}\!\Rightarrow\!{\alpha_{n}}$ , and a substitution $\sigma$ with ${\sf dom}(\sigma)={\sf fv}(\xi)$ , and check that $(\xi,\sigma)$ satisfies the conditions in Definition 11. For this, we need an effective check for derivabilities of the form $\sigma({\sf k}_{i-1}(I))\vdash_{\mathit{a}}\sigma(\beta_{i})$ .

As with terms, making this check effective requires bounding the size of the terms assigned to variables by $\sigma$ . However, we also have quantified variables in our proofs, for which witnesses need to be assigned. To check whether a formula of the form $\exists{x}.~{}\alpha$ is derivable, one would in general have to check if $\alpha(t)$ is derivable for some $t$ , which might be unboundedly large. To get an effective algorithm, we have to show that if there is a witness at all, there is a witness of small size.

One way to represent these witnesses is via a substitution $\mu$ which maps each quantified variable $x$ to the appropriate witness. To obtain small witnesses, we adapt the techniques of [38]. For this, it is helpful to first simplify the LHS to contain only atomic formulas. Any normal proof of $\alpha$ from such an LHS will not involve $\wedge\sf e$ or $\exists\sf e$ . We further show, via Theorem 16, that these proofs can be decomposed into multiple proofs, one for each atomic subformula of $\alpha$ (with witnesses instantiated by $\mu$ ), and then applying $\wedge\sf i$ and $\exists\sf i$ .

Applying Theorem 16 to each derivability check $\sigma({\sf k}_{i-1}(I))\vdash_{\mathit{a}}\sigma(\beta_{i})$ for $1\leq i\leq n$ , we get a set of witness substitutions $\{\mu_{1},\dots,\mu_{n}\}$ . We would like to ensure that all of these, along with $\sigma$ , can be chosen to be “small”.

In order to obtain these small substitutions, we follow the techniques of [38]. This involves identifying and mapping to atomic terms variables that do not map to any term that “corresponds” to one in the protocol specification. However, unlike [38], we need to do this simultaneously for multiple substitutions – $\sigma$ (which instantiates intruder variables) and $\mu_{i}$ (which instantiates quantified variables). The various $\mu_{i}$ s might be influenced by $\sigma$ , so preserving derivabilities when moving to small substitutions becomes a challenge. In order to do this, we employ a notion of “typed proofs”, both for the $\vdash_{\mathit{dy}}$ and $\vdash_{\mathit{eq}}$ systems. We show that any proof can be converted to a typed equivalent, and typed proofs make it easier for us to replace the substitutions therein with small ones while preserving derivations.

We will now present the solution in detail.

4 Solving the insecurity problem for $\vdash_{\mathit{a}}$

We fix a protocol $\mathit{Pr}$ and a run $(\xi,\sigma)$ of $\mathit{Pr}$ . By renaming variables if necessary, we can ensure that ${\sf fv}(\xi)\cap\mathscr{V}_{q}=\emptyset$ . Thus, in all proof sequents that we consider, no variable has both free and bound occurrences, and no variable is quantified by distinct quantifiers. Furthermore, whenever we use $(S;A)$ , we mean that $S$ is a set of terms, $A$ is a set of assertions, and $S$ derives the public terms of all assertions in $A$ .

We also use ${\sf vars}(S;A)$ to mean ${\sf vars}(S)\cup{\sf vars}(A)$ and ${\sf fv}(S;A)$ to mean ${\sf vars}(S)\cup{\sf fv}(A)$ .

As a first step, we move to an LHS consisting solely of atomic formulas. For this, we will employ the following two “left” properties enjoyed by the $\vdash_{\mathit{a}}$ system.

Lemma 13.

1.

$(S;A\cup\{\alpha\wedge\beta\})\vdash_{\mathit{a}}\gamma$ iff $(S;A\cup\{\alpha,\beta\})\vdash_{\mathit{a}}\gamma$ .
2.

Let $S,A,\exists x.\alpha$ and $\gamma$ be such that $x\notin{\sf vars}(S)\cup{\sf vars}(A\cup\{\gamma\})$ and $\mathbb{P}_{x}({\alpha})\subseteq\mathbb{A}(S\cup\{x\},\alpha)$ . Then $(S;A\cup\{\exists x.\alpha\})\vdash_{\mathit{a}}\gamma$ iff $(S\cup\{x\};A\cup\{\alpha\})\vdash_{\mathit{a}}\gamma$ .

Proof.

To save space, we use $A,\varphi$ to mean $A\cup\{\varphi\}$ in the proof to follow.

For the left to right direction of (1), let $\pi$ be a proof of $S;A,\alpha\wedge\beta\vdash\gamma$ . The following is a proof of $S;A,\alpha,\beta\vdash\gamma$ .

\dfrac{\dfrac{\dfrac{}{S;A,\alpha,\beta\vdash\alpha}\,{\sf ax}\qquad\dfrac{}{S;A,\alpha,\beta\vdash\beta}\,{\sf ax}}{S;A,\alpha,\beta\vdash\alpha\wedge\beta}\,\wedge{\sf i}\qquad\begin{array}{c}\pi\\ \vdots\\ S;A,\alpha\wedge\beta\vdash\gamma\end{array}}{S;A,\alpha,\beta\vdash\gamma}

For the other direction, let $\pi$ be a proof of $S;A,\alpha,\beta\vdash\gamma$ . We obtain a proof of $S;A,\alpha\wedge\beta\vdash\gamma$ below. We omit the $S;A$ part of the LHS to conserve space.

\dfrac{\dfrac{\dfrac{}{\alpha\wedge\beta\vdash\alpha\wedge\beta}\,{\sf ax}}{\alpha\wedge\beta\vdash\beta}\,\wedge{\sf e}\qquad\dfrac{\dfrac{\dfrac{}{\alpha\wedge\beta\vdash\alpha\wedge\beta}\,{\sf ax}}{\alpha\wedge\beta\vdash\alpha}\,\wedge{\sf e}\qquad\begin{array}{c}\pi\\ \vdots\\ \alpha,\beta\vdash\gamma\end{array}}{\alpha\wedge\beta,\beta\vdash\gamma}}{\alpha\wedge\beta\vdash\gamma}

We have freely used the cut rule, which is admissible in our system.

\dfrac{S;A\vdash\varphi\qquad S;B,\varphi\vdash\psi}{S;A\cup B\vdash\psi}

If $\pi_{0}$ and $\pi_{1}$ are derivations of the left and right premises as above, then we can replace each axiom rule occurring in $\pi_{1}$ and deriving $\varphi$ , with the proof $\pi_{0}$ , thus yielding a proof of $S;A\cup B\vdash\psi$ .

For the left to right direction of (2), let $\pi$ be a proof of $S;A,\exists{x}.\alpha\vdash\gamma$ . Note that we have a proof $\pi_{1}$ of $\exists{x}.\alpha$ from $(S,x;A,\alpha)$ , where the $\exists\sf i$ rule is justified because the abstractability side condition $\mathbb{P}_{x}({\alpha})\subseteq\mathbb{A}(S\cup\{x\},\alpha)$ is assumed. We can then use the ${\sf cut}$ rule (which is admissible in $\vdash_{\mathit{a}}$ ) on this proof along with the proof $\pi$ to get $(S,x;A,\alpha)\vdash_{\mathit{a}}\gamma$ .

\dfrac{\dfrac{\dfrac{}{S,x;A,\alpha\vdash\alpha}\,{\sf ax}}{S,x;A,\alpha\vdash\exists{x}.\alpha}\,\exists{\sf i}\qquad\begin{array}{c}\pi\\ \vdots\\ S;A,\exists{x}.\alpha\vdash\gamma\end{array}}{S,x;A,\alpha\vdash\gamma}\,{\sf cut}

For the other direction, let $\pi$ be a proof of $S,x;A,\alpha\vdash\gamma$ . We obtain a proof of $S;A,\exists{x}.\alpha\vdash\gamma$ as follows.

\dfrac{\dfrac{}{S;A,\exists{x}.\alpha\vdash\exists{x}.\alpha}\;{\sf ax}\qquad\begin{array}[b]{c}\pi\\ \vdots\\ S,x;A,\alpha\vdash\gamma\end{array}}{S;A,\exists{x}.\alpha\vdash\gamma}\;\exists{\sf e}

∎

This leads us to a notion of kernel.

Definition 14.

The atoms of an assertion $\alpha$ , denoted ${\sf at}(\alpha)$ , are the maximal subformulas of $\alpha$ that are atomic. The kernel of $(S;A)$ , denoted $\mathit{ker}(S;A)$ , is given by $(T;E)$ where $T=S\cup{\sf bv}(A)$ and $E=\{\beta\in{\sf at}(\alpha)\mid\alpha\in A\}$ .

Any $x\in{\sf bv}(A)$ which is added to $T$ can be thought of as an “eigenvariable” which witnesses an existential assertion in $A$ . If we derive some $\gamma$ from $(T\cup\{x\};\beta)$ , since we only consider $\gamma$ such that ${\sf vars}(\gamma)\cap{\sf bv}(A)=\emptyset$ , we can also derive it from $(T;\exists{x}.\beta)$ . Lemma 13 can thus always be applied, and it can be shown that kernels preserve derivability, i.e. $(S;A)\vdash_{\mathit{a}}\gamma$ iff $\mathit{ker}(S;A)\vdash_{\mathit{a}}\gamma$ for any $\gamma$ .
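The kernel construction can be illustrated with a small sketch. The tuple encoding of assertions and the function names `atoms`, `bound_vars` and `kernel` are assumptions made for this illustration only; in particular, we assume that ${\sf bv}$ also collects variables quantified underneath a $\mathit{says}$.

```python
# Hypothetical tuple encoding of assertions (not the paper's notation):
#   ("and", a, b), ("exists", x, a), ("says", k, a), ("eq", t, u)
# Terms are strings (names or variables) or tuples such as ("enc", m, k).

def atoms(a):
    """at(a): maximal atomic subformulas; only 'and' and 'exists' are opened."""
    if a[0] == "and":
        return atoms(a[1]) | atoms(a[2])
    if a[0] == "exists":
        return atoms(a[2])
    return {a}  # equalities and says-assertions are treated as atomic

def bound_vars(a):
    """bv(a): quantified variables (assumed to include those under says)."""
    if a[0] == "and":
        return bound_vars(a[1]) | bound_vars(a[2])
    if a[0] == "exists":
        return {a[1]} | bound_vars(a[2])
    if a[0] == "says":
        return bound_vars(a[2])
    return set()

def kernel(S, A):
    """ker(S; A): S extended with bv(A), paired with the atoms of A."""
    T = set(S).union(*(bound_vars(a) for a in A))
    E = set().union(*(atoms(a) for a in A))
    return T, E

# Toy knowledge state: one existential assertion over the names m, k, c.
S = {"m", "k", "c"}
A = [("exists", "x", ("and", ("eq", "x", "m"),
                             ("eq", ("enc", "x", "k"), "c")))]
T, E = kernel(S, A)
print(sorted(T))   # x has been added to S as an eigenvariable
print(sorted(E, key=repr))
```

In this toy instance the quantifier and the conjunction disappear, and only the two equalities remain in $E$.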

Here is another basic property of kernels, which is crucially used in many proofs later.

Lemma 15.

Suppose $(T;E)=\mathit{ker}(S;A)$ for some $(S;A)$ . If $(T;E)\vdash_{\mathit{a}}\alpha$ and $a\in{\sf pubs}(\alpha)$ , then $T\vdash_{\mathit{dy}}a$ . If $(T;E)\vdash_{\mathit{eq}}{{t}\bowtie{u}}$ then $T\vdash_{\mathit{dy}}t$ and $T\vdash_{\mathit{dy}}u$ .

Proof.

Recall that we only consider $(S;A)$ such that ${\sf fv}(S;A)\cap\mathscr{V}_{q}=\emptyset$ , and $S\vdash_{\mathit{dy}}{\sf pubs}(\beta)\in S$ for all $\beta\in A$ . Since $(T;E)=\mathit{ker}(S;A)$ , we have $T=S\cup{\sf bv}(A)$ and $E=\{\gamma\in{\sf at}(\beta)\mid\beta\in A\}$ . Thus $T\vdash_{\mathit{dy}}{\sf pubs}(\gamma)\in T$ for every $\gamma\in E$ , and ${\sf vars}(E)\cap\mathscr{V}_{q}\subseteq T$ .

Let $\pi$ be a proof of $(T;E)\vdash_{\mathit{a}}\alpha$ . Note that $\pi$ has no occurrence of $\exists\sf e$ or $\wedge\sf e$ . We assume that all premises of ${\sf eq}$ are normal $\vdash_{\mathit{dy}}$ proofs ending in a destructor (by repeatedly turning all $\text{constructor}+{\sf eq}$ patterns into ${\sf eq}+{\sf cons}$ ). We show by induction that $T\vdash_{\mathit{dy}}{\sf pubs}(\alpha)$ . Let ${\sf r}$ denote the last rule of $\pi$ .

•

${\sf r}={\sf ax}$ : $\alpha\in E$ . So $T\vdash_{\mathit{dy}}{\sf pubs}(\alpha)$ .
•

${\sf r}={\sf eq}$ : $\alpha$ is ${{t}\bowtie{t}}$ with $T\vdash_{\mathit{dy}}t$ via a proof ending in a destructor. Since any term in $T$ is either in $\mathscr{V}_{q}$ or contains no variables from $\mathscr{V}_{q}$ , and since $t\in{\sf st}(T)$ , we see that ${\sf pubs}(\alpha)$ is $\{t\}$ or $\emptyset$ , and $T\vdash_{\mathit{dy}}{\sf pubs}(\alpha)$ in both cases.
•

${\sf r}\in\{{\sf sym},{\sf trans},{\sf prom},{\sf int},{\sf subst},\wedge\sf i\}$ : Any $t\in{\sf pubs}(\alpha)$ is in ${\sf pubs}(\beta)$ for one of the premises $\beta$ , and the result follows.
•

${\sf r}={\sf cons}$ : $\alpha$ is of the form ${{t}\bowtie{u}}$ , where $t={\sf f}(t_{0},t_{1})$ and $u={\sf f}(u_{0},u_{1})$ , and the immediate subproofs of $\pi$ derive ${{t_{0}}\bowtie{u_{0}}}$ and ${{t_{1}}\bowtie{u_{1}}}$ . Now, any term in ${\sf pubs}(\alpha)$ is a public term of one of the premises (and we can apply IH), unless it is $t$ or $u$ . Say it is $t$ . Then, $t$ is a maximal subterm of $\alpha$ which avoids $\mathscr{V}_{q}$ , and thus it must be that $t_{0}$ and $t_{1}$ are also public terms of the premises. Thus $T\vdash_{\mathit{dy}}\{t_{0},t_{1}\}$ by IH, and hence $T\vdash_{\mathit{dy}}t$ . Similarly for $u$ .
•

${\sf r}={\sf proj}$ : $\alpha$ is ${{t}\bowtie{u}}$ , and any public term of $\alpha$ is a public term of the premise (and we can apply IH), unless it is $t$ or $u$ . But by abstractability, $T\vdash_{\mathit{dy}}\{t,u\}$ , and we are done.
•

${\sf r}={\sf wk}$ : $\alpha$ is $t\twoheadleftarrow[n_{0},\ldots,n_{k}]$ , where $t$ and all the $n_{i}$ ’s are variables or names. The premise is ${{t}\bowtie{n_{i}}}$ for some $i$ , and we also require that $T\vdash_{\mathit{dy}}n_{i}$ for all $i$ . Combining this with the IH, we see that $T\vdash_{\mathit{dy}}{\sf pubs}(\alpha)$ .
•

${\sf r}={\sf say}$ : $\alpha$ is of the form $\mathit{pk}(k)\ \mathit{says}\ \beta$ , and $\beta$ is proved by the immediate subproof. We also have that $T\vdash_{\mathit{dy}}k$ and hence $T\vdash_{\mathit{dy}}\mathit{pk}(k)$ . Any other public term occurring in $\alpha$ occurs in $\beta$ , so by IH we have that $T\vdash_{\mathit{dy}}{\sf pubs}(\alpha)$ .
•

${\sf r}=\exists\sf i$ : $\alpha$ is of the form $\exists{x}.\beta$ , with premise $\gamma={\beta}[{r}]_{P}$ , where $P=\mathbb{P}_{x}({\beta})$ . We also have, by the other requirements for the rule, $T\vdash_{\mathit{dy}}r$ and $P\subseteq\mathbb{A}(T\cup\{x\},\beta)$ . By Lemma 8, $P\subseteq\mathbb{A}(T,\gamma)$ . Consider any $a={\alpha}|_{q}\in{\sf pubs}(\alpha)$ . If $a\in{\sf pubs}(\gamma)$ , then we can apply IH. Otherwise, $q$ has to be a sibling of some position $p\in P$ . In other words, $a$ is public in $\alpha$ because its sibling is $x$ , but in $\gamma$ , the $x$ is replaced by $r$ (and ${\sf vars}(r)\cap\mathscr{V}_{q}=\emptyset$ ), so $a$ is no longer a maximal subterm avoiding $\mathscr{V}_{q}$ . Since the set of abstractable positions is sibling-closed, $q\in\mathbb{A}(T,\alpha)$ , and since subterms at abstractable positions are derivable, $T\vdash_{\mathit{dy}}a$ .

Now consider an $\vdash_{\mathit{eq}}$ proof of $(T;E)\vdash{{t}\bowtie{u}}$ . It has been shown above that $T\vdash_{\mathit{dy}}{\sf pubs}({{t}\bowtie{u}})$ . Consider $t$ . If $t\in{\sf pubs}({{t}\bowtie{u}})$ , we are done. Otherwise, every maximal subterm of $t$ which avoids $\mathscr{V}_{q}$ is derivable from $T$ , and every $x\in{\sf vars}(t)\cap\mathscr{V}_{q}$ is in $T$ . From these, we can “build up” $t$ using constructor rules only, thereby proving that $T\vdash_{\mathit{dy}}t$ . Similarly we can show that $T\vdash_{\mathit{dy}}u$ . ∎

As mentioned earlier, by proof normalization, we decompose a proof $\pi$ of $(S;A)\vdash\alpha$ into several proofs of atomic subformulas of $\alpha$ (equalities, predicates, list membership, and says assertions), and a proof $\pi_{0}$ which uses these atoms as axioms, and applies $\wedge\sf i$ and $\exists\sf i$ , all with the kernel as LHS.

For each of these atomic subformulas, we would like to operate in a proof system which does not involve conjunction or existential quantification. This is easy to do for equalities, predicates, and lists, because the only way to derive such assertions is by deriving other equalities, predicates, and lists.

However, consider subformulas of the form $\mathit{pk}(k)\ \mathit{says}\ \beta$ . We can derive those in two ways – either by using ${\sf ax}$ (if the formula is already in the LHS) or by using the ${\sf say}$ rule on $\beta$ and $k$ . In the latter case, $\beta$ might contain logical operators! Thus, we need to break down $\beta$ as well.

We thus formalize the hereditary atoms of a formula as:

{\sf hat}(\gamma)=\begin{cases}{\sf hat}(\alpha)\cup{\sf hat}(\beta)&\text{if $\gamma=\alpha\wedge\beta$}\\ {\sf hat}(\alpha)&\text{if $\gamma=\exists{x}.\alpha$}\\ \left\{\mathit{pk}(k)\ \mathit{says}\ \alpha\right\}\cup{\sf hat}(\alpha)&\text{if $\gamma=\mathit{pk}(k)\ \mathit{says}\ \alpha$}\\ \{\gamma\}&\text{otherwise}\end{cases}
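The recursion defining ${\sf hat}$ translates directly into a short function. The sketch below uses a hypothetical tuple encoding, in which `("says", k, a)` stands for $\mathit{pk}(k)\ \mathit{says}\ a$; the encoding and the function name are illustrative assumptions, not part of the formal development.

```python
# Hypothetical tuple encoding of assertions (an assumption for illustration):
#   ("and", a, b), ("exists", x, a), ("says", k, a), ("eq", t, u)

def hat(g):
    """Hereditary atoms of g, following the four cases of the definition."""
    tag = g[0]
    if tag == "and":
        return hat(g[1]) | hat(g[2])
    if tag == "exists":
        return hat(g[2])
    if tag == "says":
        # keep the says-assertion itself and also descend into its body
        return {g} | hat(g[2])
    return {g}  # every other assertion is its own hereditary atom

body = ("exists", "x", ("and", ("eq", "x", "m"), ("eq", "y", "n")))
g = ("says", "k", body)
for atom in sorted(hat(g), key=repr):
    print(atom)
```

For this `g`, the result contains the $\mathit{says}$ assertion itself together with the two equalities in its body, which reflects the two ways of deriving a $\mathit{says}$ assertion discussed above.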

We now reduce any proof of $S;A\vdash_{\mathit{a}}\alpha$ to one with a very particular structure, as depicted in Figure 3. This new proof has as its LHS the kernel $(T;E)$ of $(S;A)$ , and derives $\alpha$ . It first involves multiple proofs, each of which is an $\vdash_{\mathit{eq}}$ proof of some hereditary atom of $\alpha$ , with witnesses appropriately assigned to bound variables by a substitution $\mu$ . (Recall that $\vdash_{\mathit{eq}}$ is the subsystem that does not use any rules from $\{\wedge\sf i,\wedge\sf e,\exists\sf i,\exists\sf e,{\sf say}\}$ .) These proofs are then followed by applications of the ${\sf ax}$ , $\wedge\sf i$ , $\exists\sf i$ and ${\sf say}$ rules (represented by $\vdash_{i}$ in Figure 3) to get $\alpha$ .

Figure 3: Structure of the new proof guaranteed by Theorem 16

Consider the set $X$ of all hereditary atoms of $\alpha$ which feature in the above reduction. Suppose $\beta\in X$ is of the form $\mathit{pk}(k)\ \mathit{says}\ (\exists{x}.\delta)$ , but $\exists{x}.\delta\notin X$ . Then $\beta$ can only be derived from the LHS by the ${\sf ax}$ rule, since there is no other rule in the $\vdash_{\mathit{eq}}$ system that derives a $\mathit{says}$ assertion. Thus we do not obtain $\exists{x}.\delta$ using the $\exists\sf i$ rule, and so we do not need to provide a witness for such an $x$ . This is precisely formulated in the next theorem.

In the statement of the theorem, [a] ensures that all witnesses are derivable, [b] ensures that all the atoms in $X$ have a proof (with witnesses instantiated appropriately), and [c] ensures that the final intros-only proof exists. Finally, [d] ensures that the proper abstractability conditions for applications of $\exists\sf i$ are satisfied. For any set $X$ of assertions, we denote the set $\{x\in{\sf bv}(\beta)\mid\beta\in X\}$ by ${\sf bv}(X)$ .

Theorem 16.

For a formula $\alpha$ s.t. ${\sf bv}(\alpha)\cap{\sf vars}(S;A)=\emptyset$ , and $(T;E)=\mathit{ker}(S;A)$ , $(S;A)\vdash_{\mathit{a}}\alpha$ iff there is $X\subseteq{\sf hat}(\alpha)$ and $\mu$ with ${\sf dom}(\mu)={\sf bv}(\alpha)\setminus{\sf bv}(X)$ s.t.:

[a]

$\forall{}x\in{\sf dom}(\mu):T\vdash_{\mathit{dy}}\mu(x)$ .
[b]

For all $\beta\in X$ , $(T;E)\vdash_{\mathit{eq}}\mu(\beta)$ .
[c]

$(T;\mu(X))\vdash_{\mathit{a}}\alpha$ via a proof using rules from $\{{\sf ax},\wedge\sf i,\exists\sf i,{\sf say}\}$ .
[d]

$\forall{}x\in{\sf dom}(\mu),t\in{\sf st}(\alpha)$ : $\mathbb{P}_{x}({t})\subseteq\mathbb{A}(T\cup{\sf dom}(\mu),t)$ .

Proof.

$(\Rightarrow)$

Suppose $(S;A)\vdash_{\mathit{a}}\alpha$ . Then, since kernels preserve derivability, $(T;E)\vdash_{\mathit{a}}\alpha$ . Let $\pi$ be a normal proof of $(T;E)\vdash\alpha$ . Since $E$ only has atomic assertions, it is easy to see that there is no occurrence of the $\wedge\sf e$ and $\exists\sf e$ rules. Recall that we only consider $\alpha$ such that no $x$ is quantified by quantifiers occurring in two distinct positions in $\alpha$ , and that no variable occurs both free and bound in $\alpha$ . For each $x\in{\sf bv}(\alpha)$ introduced in $\pi$ via an $\exists\sf i$ application, let $t_{x}$ be the witness used by the $\exists\sf i$ rule introducing the quantifier $\exists{x}$ in $\alpha$ . Define $\mu(x)\coloneqq t_{x}$ for each such $x$ . The side conditions for the $\exists\sf i$ occurrences guarantee that $T\vdash_{\mathit{dy}}\mu(x)$ for each $x\in{\sf dom}(\mu)$ , thus satisfying [a].

Let $X\subseteq{\sf hat}(\alpha)$ be all the hereditary atoms of $\alpha$ appearing on the RHS in various subproofs of $\pi$ . By normalization, one can always place the logical rules after deriving atomic formulas. Hence, we can decompose $\pi$ into proofs $\pi_{\beta}$ of $(T;E)\vdash\mu(\beta)$ for each $\beta\in X$ , and a proof $\widehat{\pi}$ deriving $(T;\mu(X))\vdash\alpha$ using only the ${\sf ax},\wedge\sf i,\exists\sf i$ and ${\sf say}$ rules. This proves [b] and [c].

We now prove [d]. It is evident that each subproof of $\widehat{\pi}$ has conclusion $\mu(\beta)$ for some $\beta\in{\sf sf}(\alpha)$ , with $\widehat{\pi}$ itself deriving $\mu(\alpha)=\alpha$ . We will now show that for every subproof $\pi_{0}$ of $\widehat{\pi}$ with conclusion $\mu(\beta)$ and last rule ${\sf r}$ , we have (letting $Z_{\beta}={\sf bv}(\beta)\setminus{\sf bv}(X)$ ):

\forall{}x\in Z_{\beta},\forall{}t\in{\sf st}(\mu(\beta)):\mathbb{P}_{x}({t})\subseteq\mathbb{A}(T\cup Z_{\beta},t).\tag{1}

${\sf r}={\sf ax}$ : $\mu(\beta)\in\mu(X)$ , so $Z_{\beta}=\emptyset$ , and so (1) holds vacuously.
${\sf r}=\wedge\sf i$ : $\beta$ is of the form $\beta_{0}\wedge\beta_{1}$ , where ${\sf bv}(\beta_{0})$ and ${\sf bv}(\beta_{1})$ are disjoint, and no variable has both free and bound occurrences. So no variable in ${\sf bv}(\beta_{i})$ occurs in $\beta_{1-i}$ . So for $x\in{\sf bv}(\beta_{i})$ and any $t\in{\sf st}(\mu(\beta_{1-i}))$ , we have $\mathbb{P}_{x}({t})=\emptyset$ . So (1) for $\pi_{0}$ follows by IH (applied on the immediate subproofs).
${\sf r}={\sf say}$ : $\beta$ is of the form $\mathit{pk}(k)\ \mathit{says}\ \beta^{\prime}$ and every bound variable of $\beta$ is also bound in $\beta^{\prime}$ , so we get (1) from IH.
${\sf r}=\exists\sf i$ : $\beta=\exists{z}.\gamma$ , and $\mu(\beta)=\exists{z}.\mu^{\prime}(\gamma)$ , where $\mu^{\prime}=\mu\upharpoonright(Z_{\gamma})$ . The immediate subproof of $\pi_{0}$ has conclusion $\mu(\gamma)$ .

Now for any $r\in{\sf st}(\mu(\beta))$ , letting $P=\mathbb{P}_{z}({r})$ , $t={r}[{\mu(z)}]_{P}\in{\sf st}(\mu(\gamma))$ . For any $x\in\mathscr{V}$ , we have $\mathbb{P}_{x}({r})=\mathbb{P}_{x}({t})\cap\mathbb{P}(r)$ and $\mathbb{A}(T\cup Z_{\beta},r)=\mathbb{A}(T\cup Z_{\gamma},t)\cap\mathbb{P}(r)$ (by Lemma 8).

By IH, for all $x\in Z_{\gamma}$ and $t\in{\sf st}(\mu(\gamma))$ , $\mathbb{P}_{x}({t})\subseteq\mathbb{A}(T\cup Z_{\gamma},t)\subseteq\mathbb{A}(T\cup Z_{\beta},t)$ . So for all $x\in Z_{\beta}\setminus\{z\}$ and $r\in{\sf st}(\mu(\beta))$ , $\mathbb{P}_{x}({r})\subseteq\mathbb{A}(T\cup Z_{\beta},r)$ .

For $z$ , the abstractability side condition for $\exists\sf i$ implies that for all $r\in{\sf st}(\mu(\beta))$ , $\mathbb{P}_{z}({r})\subseteq\mathbb{A}(T\cup Z_{\beta},r)$ . Thus, equation (1) follows for $\pi_{0}$ .

Applying (1) to $\widehat{\pi}$ , we get [d].

$(\Leftarrow)$

This is the easier direction. We just compose all the $\vdash_{\mathit{eq}}$ proofs and the intros-only proof to obtain an $\vdash_{\mathit{a}}$ proof $\pi$ of $(T;E)\vdash\alpha$ . The abstractability condition [d] ensures that every application of the $\exists\sf i$ rule in $\pi$ is enabled.

Thus, $(T;E)\vdash_{\mathit{a}}\alpha$ iff $(S;A)\vdash_{\mathit{a}}\alpha$ , and so we are done. ∎

For the rest of the paper, we use the following notation. $(T_{i};E_{i})\coloneqq\mathit{ker}({\sf k}_{i}(I))$ and $(U_{i};F_{i})\coloneqq\mathit{ker}({\sf k}_{i}(u_{i}))$ for $1\leq i\leq n$ . Note that $T_{i}\subseteq T_{i+1}$ and $E_{i}\subseteq E_{i+1}$ for every $i$ .

Since ${\sf dom}(\sigma)={\sf fv}(\xi)$ , we have $\sigma(x)=x$ for all $x\in\mathscr{V}_{q}$ . It follows that $\sigma(\mathit{ker}(S;A))=\mathit{ker}(\sigma(S;A))$ , for any $(S;A)$ .

Applying Theorem 16 to the $\sigma({\sf k}_{i-1}(I))\vdash_{\mathit{a}}\sigma(\beta_{i})$ derivations in Definition 11, for every $i\leq n$ we get $X_{i}\subseteq{\sf hat}(\beta_{i})$ and a substitution $\mu_{i}$ with domain ${\sf bv}(\beta_{i})\setminus{\sf bv}(X_{i})$ s.t.:

•

for every $x\in{\sf dom}(\mu_{i})$ , $\sigma(T_{i-1})\vdash_{\mathit{dy}}\mu_{i}(x)$ , and
•

$\sigma(T_{i-1};E_{i-1})\vdash_{\mathit{eq}}\sigma\mu_{i}(\gamma)$ for $\gamma\in X_{i}$ .

For every $i\leq n$ , Definition 11 also states ${\sf k}_{i}(u_{i})\vdash_{\mathit{a}}\alpha_{i}$ , and thus, $\sigma({\sf k}_{i}(u_{i}))\vdash_{\mathit{a}}\sigma(\alpha_{i})$ . So Theorem 16 guarantees $Y_{i}\subseteq{\sf hat}(\alpha_{i})$ and a substitution $\theta_{i}$ with domain ${\sf bv}(\alpha_{i})\setminus{\sf bv}(Y_{i})$ s.t.:

•

for every $x\in{\sf dom}(\theta_{i})$ , $\sigma(U_{i})\vdash_{\mathit{dy}}\theta_{i}(x)$ , and
•

$\sigma(U_{i};F_{i})\vdash_{\mathit{eq}}\sigma\theta_{i}(\gamma)$ for $\gamma\in Y_{i}$ .

For any $\gamma\in X_{i}\cup Y_{i}$ , three possibilities arise.

•

$\gamma$ is of the form ${{t}\bowtie{u}}$ .
•

$\gamma$ is of the form $\mathit{pk}(k)\ \mathit{says}\ \delta$ . Such a formula can only be derived using ${\sf ax}$ , as no other rule in the $\vdash_{\mathit{eq}}$ system generates it. Hence such assertions can be ignored for the rest of this section, which is about preserving non-trivial $\vdash_{\mathit{eq}}$ proofs even after changing some substitutions.
•

$\gamma$ is of the form $P(u_{0},\ldots,u_{m})$ or $t\twoheadleftarrow\ell$ . Such formulas only mention variables or names, so $\lambda(x)$ is already small for any $\lambda\in\{\sigma,\theta_{i},\mu_{i}\mid i\leq n\}$ and any variable $x$ occurring in $\gamma$ . Hence we can ignore such formulas too for the rest of the section, since these formulas do not undergo any change.

Hence we simplify the presentation for the rest of this section by only considering equality assertions $\gamma$ .

We now have, for all $i,j\leq n$ , substitutions $\mu_{i}$ and $\theta_{j}$ , with domains ${\sf bv}(\beta_{i})\setminus{\sf bv}(X_{i})$ and ${\sf bv}(\alpha_{j})\setminus{\sf bv}(Y_{j})$ respectively. However, these substitutions do not necessarily map variables to ground terms. It is possible that $\theta_{j}(\alpha_{j})$ has as a subterm a variable from the domain of some “earlier” $\mu_{i}$ , i.e. one where $i<j$ .

If $(T;E)\vdash{{x}\bowtie{y}}$ , then $x$ and $y$ ought to actually stand for the same ground term. To capture this, we need a “compound” substitution that maps each variable in the domain of each $\mu$ and each $\theta$ to a ground term. We now present a motivating example which is followed by the formal definition of this ground substitution.

Example 17.

Suppose $y\in{\sf bv}(\beta_{1})$ , and $x\in{\sf bv}(\alpha_{2})$ . Consider a situation where $\theta_{2}(x)=\{y\}_{k}$ and $\mu_{1}(y)=(m_{0},m_{1})$ , where $m_{0},m_{1}\in\mathscr{N}$ . Also suppose $(T_{2};E_{2})\vdash{{x}\bowtie{z}}$ for some $z\in{\sf dom}(\sigma)$ . We need a $\lambda$ which maps $x$ and $z$ to the same ground term, i.e. $\lambda$ needs to be s.t. $\lambda(x)=\lambda(z)$ . We can take $\lambda$ to be $\sigma\mu_{1}\theta_{2}$ . We see that $\lambda(x)=\sigma(\mu_{1}(\theta_{2}(x)))=\sigma(\mu_{1}(\{y\}_{k}))=\sigma(\{(m_{0},m_{1})\}_{k})=\{(m_{0},m_{1})\}_{k}$ . Observe that ${\sf dom}(\lambda)={\sf dom}(\sigma)\cup{\sf dom}(\mu_{1})\cup{\sf dom}(\theta_{2})$ , and since $z\notin{\sf dom}(\mu_{1})\cup{\sf dom}(\theta_{2})$ , $\lambda(z)=\sigma(z)$ .

Definition 18.

The compound substitution which maps any variable in ${\sf dom}(\sigma)\cup\bigcup_{1\leq i\leq n}\bigl({\sf dom}(\mu_{i})\cup{\sf dom}(\theta_{i})\bigr)$ to a ground term is given by $\omega\coloneqq\sigma\mu_{1}\theta_{1}\ldots\mu_{n}\theta_{n}$ .

Note that for $\lambda\in\{\sigma,\theta_{i},\mu_{i}\mid i\leq n\},\omega(\lambda(x))=\omega(x)$ .
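The composition in Example 17 can be replayed mechanically. In the sketch below, substitutions are dictionaries, terms are strings or tuples, and a list `[sigma, mu1, theta2]` is applied rightmost first, matching $\lambda(x)=\sigma(\mu_{1}(\theta_{2}(x)))$. The encoding, the helper names, and the concrete value chosen for $\sigma(z)$ are assumptions made for illustration (the example only requires $\lambda(x)=\lambda(z)$).

```python
# Terms: strings (names or variables) or tuples ("f", arg1, ..., argk).
# Substitutions: dicts from variable names to terms. Hypothetical encoding.

def apply_subst(sub, t):
    """Apply one substitution to a term, leaving function symbols untouched."""
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply_subst(sub, a) for a in t[1:])
    return sub.get(t, t)

def compound(subs, t):
    """Apply subs = [sigma, mu_1, theta_1, ...] to t, rightmost first."""
    for sub in reversed(subs):
        t = apply_subst(sub, t)
    return t

# Example 17: theta_2(x) = {y}_k and mu_1(y) = (m0, m1).
theta2 = {"x": ("enc", "y", "k")}
mu1 = {"y": ("pair", "m0", "m1")}
# Assumed value of sigma(z), chosen so that lambda(x) = lambda(z).
sigma = {"z": ("enc", ("pair", "m0", "m1"), "k")}

lam = [sigma, mu1, theta2]
print(compound(lam, "x"))
print(compound(lam, "x") == compound(lam, "z"))
```

The same helper also lets one check the note above on a concrete instance: applying `compound` to `apply_subst(theta2, "x")` gives the same term as applying it to `"x"`.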

Lemma 19.

Suppose $\lambda$ is such that $\lambda(r)=\lambda(s)$ for each ${{r}\bowtie{s}}\in E$ , and $T;E\vdash_{\mathit{eq}}{{t}\bowtie{u}}$ . Then $\lambda(t)=\lambda(u)$ .

Proof.

Suppose $T;E\vdash{{t}\bowtie{u}}$ via a proof $\pi$ with last rule ${\sf r}$ . The proof is by induction on the structure of $\pi$ . The following cases arise.

•

${\sf r}={\sf ax}$ : In this case, ${{t}\bowtie{u}}\in E$ , so by assumption, $\lambda(t)=\lambda(u)$ .
•

${\sf r}={\sf eq}$ : In this case $t=u$ , so $\lambda(t)=\lambda(u)$ as well.
•

${\sf r}={\sf trans}$ : Suppose ${{t_{0}}\bowtie{t_{1}}},\ldots,{{t_{n-1}}\bowtie{t_{n}}}$ are the premises of ${\sf r}$ , with $t=t_{0}$ and $u=t_{n}$ . By IH, $\lambda(t_{i-1})=\lambda(t_{i})$ for all $i\leq n$ . It follows that $\lambda(t)=\lambda(u)$ .

•

${\sf r}={\sf cons}$ : Let $t={\sf f}(t_{1},\ldots,t_{n})$ and $u={\sf f}(u_{1},\ldots,u_{n})$ and let ${{t_{1}}\bowtie{u_{1}}},\ldots,{{t_{n}}\bowtie{u_{n}}}$ be the premises of ${\sf r}$ . By IH, $\lambda(t_{i})=\lambda(u_{i})$ for all $i\leq n$ . Thus we have the following:

\begin{aligned}\lambda(t)&=\lambda({\sf f}(t_{1},\ldots,t_{n}))={\sf f}(\lambda(t_{1}),\ldots,\lambda(t_{n}))\\ &={\sf f}(\lambda(u_{1}),\ldots,\lambda(u_{n}))=\lambda({\sf f}(u_{1},\ldots,u_{n}))=\lambda(u).\end{aligned}

•

${\sf r}={\sf proj}$ : Let ${{{\sf f}(t_{1},\ldots,t_{n})}\bowtie{{\sf f}(u_{1},\ldots,u_{n})}}$ be the premise of the last rule with $t=t_{i}$ and $u=u_{i}$ respectively. By IH, $\lambda({\sf f}(t_{1},\ldots,t_{n}))=\lambda({\sf f}(u_{1},\ldots,u_{n}))$ , i.e. ${\sf f}(\lambda(t_{1}),\ldots,\lambda(t_{n}))={\sf f}(\lambda(u_{1}),\ldots,\lambda(u_{n}))$ . Comparing the $i$ th arguments, $\lambda(t)=\lambda(u)$ .

∎
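The induction in Lemma 19 can be exercised on a small instance. The sketch below is a simplified evaluator for equality proof trees covering only the rules treated in the proof (${\sf ax}$, ${\sf eq}$, ${\sf trans}$, ${\sf cons}$, ${\sf proj}$); the tuple encoding of proofs is hypothetical, and the $\vdash_{\mathit{dy}}$ side conditions of the actual rules are deliberately not checked.

```python
# Terms: strings or tuples ("f", args...). Equalities: pairs (t, u).
# Proof trees (hypothetical encoding):
#   ("ax", t, u), ("eq", t), ("trans", p1, ..., pn),
#   ("cons", f, p1, ..., pn), ("proj", i, p)   with i counted from 1

def apply_subst(sub, t):
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply_subst(sub, a) for a in t[1:])
    return sub.get(t, t)

def conclusion(p, E):
    """Return the equality (t, u) established by proof tree p from E."""
    rule = p[0]
    if rule == "ax":
        if (p[1], p[2]) not in E:
            raise ValueError("axiom not in E")
        return (p[1], p[2])
    if rule == "eq":
        return (p[1], p[1])
    if rule == "trans":
        eqs = [conclusion(q, E) for q in p[1:]]
        for (_, right), (left, _) in zip(eqs, eqs[1:]):
            if right != left:
                raise ValueError("trans premises do not chain")
        return (eqs[0][0], eqs[-1][1])
    if rule == "cons":
        eqs = [conclusion(q, E) for q in p[2:]]
        return ((p[1],) + tuple(l for l, _ in eqs),
                (p[1],) + tuple(r for _, r in eqs))
    if rule == "proj":
        t, u = conclusion(p[2], E)
        if not (isinstance(t, tuple) and isinstance(u, tuple) and t[0] == u[0]):
            raise ValueError("proj needs two terms with the same head")
        return (t[p[1]], u[p[1]])
    raise ValueError("unknown rule " + str(rule))

E = {("x", ("pair", "y", "m")), ("y", "n")}
lam = {"x": ("pair", "n", "m"), "y": "n"}   # lam unifies every equality in E

cons_proof = ("cons", "pair", ("ax", "y", "n"), ("eq", "m"))
proof = ("trans", ("ax", "x", ("pair", "y", "m")), cons_proof)
t, u = conclusion(proof, E)
print(t, u, apply_subst(lam, t) == apply_subst(lam, u))
```

Here `lam` equates both sides of each equality in `E`, and, as the lemma predicts, it also equates both sides of the derived equality.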

Lemma 20.

For any $i\in\{1,\ldots,n\}$ ,

1.

if ${{t}\bowtie{u}}\in E_{i}\cup F_{i}$ , then $\omega(t)=\omega(u)$ .
2.

if $\sigma(T_{i-1};E_{i-1})\vdash_{\mathit{eq}}\sigma\mu_{i}({{t}\bowtie{u}})$ , then $\omega(t)=\omega(u)$ .
3.

if $\sigma(U_{i};F_{i})\vdash_{\mathit{eq}}\sigma\theta_{i}({{t}\bowtie{u}})$ , then $\omega(t)=\omega(u)$ .

Proof.

In addition to $E_{i},F_{i}$ for $0<i\leq n$ , we also use $E_{0}=\emptyset$ , for which claim 1 is vacuously true. We prove the claims simultaneously by induction on $i>0$ . Assume that they hold for all $j<i$ via IH1, IH2, and IH3.

1.

Suppose ${{t}\bowtie{u}}\in E_{i}$ . Then, $\exists{}j<i:{{t}\bowtie{u}}\in{\sf sf}(\alpha_{j})$ , and $\sigma(U_{j};F_{j})\vdash_{\mathit{eq}}\sigma\theta_{j}({{t}\bowtie{u}})$ . By IH3, $\omega(t)=\omega(u)$ . If ${{t}\bowtie{u}}\in F_{i}$ , then $\exists{}j\leq i:{{t}\bowtie{u}}\in\mathit{IE}_{j}$ , and $\sigma(T_{j-1};E_{j-1})\vdash_{\mathit{eq}}\sigma\mu_{j}({{t}\bowtie{u}})$ . If $j<i$ , by IH2, $\omega(t)=\omega(u)$ . If $j=i$ , by IH1, $\omega({r})=\omega({s})$ for every ${{{r}}\bowtie{{s}}}\in E_{i-1}$ . Any ${{a}\bowtie{b}}\in\sigma(E_{i-1})$ is of the form $\sigma({{r}\bowtie{s}})$ for some ${{r}\bowtie{s}}\in E_{i-1}$ . Thus, $\omega(a)=\omega(\sigma(r))=\omega(r)=\omega(s)=\omega(\sigma(s))=\omega(b)$ . By Lemma 19, $\omega(\sigma\mu_{j}(t))=\omega(\sigma\mu_{j}(u))$ , i.e. $\omega(t)=\omega(u)$ .
2.

Suppose $\sigma(T_{i-1});\sigma(E_{i-1})\vdash_{\mathit{eq}}\sigma\mu_{i}({{t}\bowtie{u}})$ . As above, for each ${{a}\bowtie{b}}\in\sigma(E_{i-1})$ , $\omega(a)=\omega(b)$ . By appealing to Lemma 19, we get $\omega(\sigma\mu_{i}(t))=\omega(\sigma\mu_{i}(u))$ , i.e. $\omega(t)=\omega(u)$ .
3.

The proof is similar to the above. ∎

We developed this preliminary setup for both honest agent derivations as well as intruder derivations in order to demonstrate the interplay between $\theta$ and $\mu$ , as evidenced in the definition of $\omega$ . However, the insecurity problem itself is concerned only with intruder derivability, and therefore, in the next few sections we will focus only on $\beta_{i},(T_{i};E_{i})$ , and $\mu_{i}$ . We will discuss honest agent derivations later.

4.1 Typed proofs for $\vdash_{\mathit{dy}}$ and $\vdash_{\mathit{eq}}$

In order to obtain “small” versions of the various substitutions $\sigma,\theta_{i},$ and $\mu_{i}$ while preserving their interaction, we consider a universe of “anchor terms”. These are abstract terms that appear in the protocol specification, and for which we have a bound on size. We call these anchors “types”. We would eventually like to be able to convert any proof into one that only involves typed terms, i.e. terms that correspond to one of these types under $\omega$ .

Definition 21 (Types and typed terms).

We use the sets $\mathscr{C}$ (consisting of the terms occurring in $\xi$ before applying any substitution) and $\mathscr{D}$ (the same set, but without variables) to type the terms appearing in any proof.

\mathscr{C}\coloneqq\bigcup_{i\leq n}\bigl({\sf st}(T_{i}\cup U_{i})\cup{\sf st}(E_{i}\cup F_{i})\bigr)\quad\quad\mathscr{D}\coloneqq\mathscr{C}\setminus\mathscr{V}

A term $t$ is typed if $t\in\sigma(\mathscr{D})\cup\omega(\mathscr{C})\cup\mathscr{V}_{q}$ .

Note that we must consider $\sigma(\mathscr{D})$ separately from $\omega(\mathscr{C})$ . Consider a term of the form $(m,x)\in\mathscr{D}$ , where $x\notin{\sf dom}(\sigma)$ . Then $\sigma((m,x))=(m,x)$ , but this cannot be in $\omega(\mathscr{C})$ , since $\omega(\mathscr{C})$ only contains ground terms. Thus, $\sigma(\mathscr{D})\not\subseteq\omega(\mathscr{C})$ .
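The following sketch checks the typing condition on a toy universe built around the term $(m,x)$ discussed above. The encoding, the function `is_typed`, and the choice $\omega(x)=n$ are assumptions made for illustration; $\omega$ is represented as a single dictionary that already maps variables to ground terms.

```python
# Terms: strings or tuples ("f", args...). Hypothetical encoding.

def apply_subst(sub, t):
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply_subst(sub, a) for a in t[1:])
    return sub.get(t, t)

def is_typed(t, sigma, omega, C, variables, Vq):
    """t is typed if it lies in sigma(D), omega(C) or V_q, with D = C minus V."""
    D = {c for c in C if c not in variables}
    sigma_D = {apply_subst(sigma, d) for d in D}
    omega_C = {apply_subst(omega, c) for c in C}
    return t in sigma_D or t in omega_C or t in Vq

# Toy universe: C contains (m, x) and its subterms; x is a quantified variable.
C = {("pair", "m", "x"), "m", "x"}
variables = {"x"}
Vq = {"x"}
sigma = {}             # x is outside dom(sigma), so sigma leaves (m, x) alone
omega = {"x": "n"}     # assumed ground value for x

omega_C = {apply_subst(omega, c) for c in C}
print(("pair", "m", "x") in omega_C)   # (m, x) is not ground, so not in omega(C)
print(is_typed(("pair", "m", "x"), sigma, omega, C, variables, Vq))
print(is_typed(("pair", "n", "n"), sigma, omega, C, variables, Vq))
```

In this instance $(m,x)$ is typed only because of the $\sigma(\mathscr{D})$ component, which is exactly why that component cannot be dropped from the definition.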

We now define a notion of “zappable terms”, which are terms that do not correspond to any type in $\mathscr{C}$ . The idea is that these terms can be freely “zapped”. (To motivate the key ideas behind typing, we will often use the word “zap” to mean replacing terms by an atomic name; the zapping operation itself is formally defined in the next subsection.)

Definition 22 (Zappable terms).

A term $t$ is zappable if there is an $x\in{\sf dom}(\omega)$ such that $\omega(t)=\omega(x)$ , but there is no $u\in\mathscr{D}$ such that $\omega(x)=\omega(u)$ . We refer to such an $x$ as a minimal variable.

Here are a couple of easy observations that relate to zappable terms.

Observation 23.

•

If a term $t$ is zappable, then $t\notin\mathscr{D}$ .
•

If a term $t\in\omega(\mathscr{C})$ is not zappable, then $t\in\omega(\mathscr{D})$ .
•

For $t,u$ s.t. $\omega(t)=\omega(u)$ , $t$ is zappable iff $u$ is zappable.
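Definition 22 and the observations above can be tried out on a toy instance. In this sketch $\omega$ is again flattened into one dictionary to ground terms, and the sets and names used (`D`, `omega`, `zappable`) are illustrative assumptions rather than data from any protocol.

```python
# Terms: strings or tuples ("f", args...). Hypothetical encoding.

def apply_subst(sub, t):
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply_subst(sub, a) for a in t[1:])
    return sub.get(t, t)

def zappable(t, omega, D):
    """Some x in dom(omega) has omega(x) = omega(t), and no u in D matches it."""
    image_of_D = {apply_subst(omega, u) for u in D}
    wt = apply_subst(omega, t)
    return any(apply_subst(omega, x) == wt and wt not in image_of_D
               for x in omega)

# Toy data: D holds the non-variable terms of the specification.
D = {("pair", "y", "m"), "m"}
omega = {"x": ("enc", "n", "k"), "y": "n"}

for term in ["x", ("enc", "n", "k"), ("pair", "y", "m"), "m"]:
    print(term, zappable(term, omega, D))
```

Here `x` and the ground term it is mapped to are both zappable, in line with the third observation, while neither element of `D` is, in line with the first.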

Lemma 24.

Suppose $t={\sf f}(t_{0},t_{1})$ and $u={\sf f}(u_{0},u_{1})$ are typed, and $\omega(t)=\omega(u)$ . One of the following is true:

•

$t$ and $u$ are not zappable, and $t_{0},t_{1},u_{0},u_{1}$ are typed, or
•

$t$ and $u$ are zappable, and $t=u$ .

Proof.

Observe that for any $a\in\sigma(\mathscr{C})$ , $a\in\sigma(\mathscr{D})$ , or $a=\sigma(x)=x$ for some $x\notin{\sf dom}(\sigma)$ (in which case $a\in\mathscr{V}_{q}$ ), or $a=\sigma(x)$ for $x\in{\sf dom}(\sigma)$ (in which case $a=\omega(x)$ also, so $a\in\omega(\mathscr{C})$ ). Thus $\sigma(\mathscr{C})\subseteq\sigma(\mathscr{D})\cup\omega(\mathscr{C})\cup\mathscr{V}_{q}$ .

Now $t$ and $u$ are typed, and are non-atomic. So $t,u\notin\mathscr{V}_{q}$ , and so $t,u\in\sigma(\mathscr{D})\cup\omega(\mathscr{C})$ . We consider two cases:

•

Neither $t$ nor $u$ is zappable: Consider $t$ . If $t\in\sigma(\mathscr{D})$ , each $t_{i}\in\sigma(\mathscr{C})\subseteq\sigma(\mathscr{D})\cup\omega(\mathscr{C})\cup\mathscr{V}_{q}$ . If $t\in\omega(\mathscr{C})$ , then since $t$ is not zappable, $t=\omega(a)$ for some $a\in\mathscr{D}$ . Then $a$ has to be of the form ${\sf f}(a_{0},a_{1})$ , with each $a_{i}\in\mathscr{C}$ and $t_{i}=\omega(a_{i})$ . Thus each $t_{i}\in\omega(\mathscr{C})\subseteq\sigma(\mathscr{D})\cup\omega(\mathscr{C})\cup\mathscr{V}_{q}$ . Reasoning about $u$ in a similar manner, we see that each $u_{i}\in\sigma(\mathscr{D})\cup\omega(\mathscr{C})\cup\mathscr{V}_{q}$ . So each $t_{i}$ and $u_{i}$ is typed.
•

One of $t$ and $u$ is zappable: Say $t$ is zappable. Then, since $\omega(t)=\omega(u)$ , $u$ is zappable as well. Therefore $t,u\notin\sigma(\mathscr{D})$ , which implies that $t,u\in\omega(\mathscr{C})$ . Therefore both $t$ and $u$ are ground terms, so $t=\omega(t)=\omega(u)=u$ . ∎

We now devise notions of “typed proofs” for the $\vdash_{\mathit{dy}}$ as well as the $\vdash_{\mathit{eq}}$ system, which will help us obtain bounds on the sizes of terms appearing in the ranges of various substitutions. Then, we show that every proof in these systems can be converted into a typed proof.

Consider a proof $\pi$ witnessing $\sigma(T_{i})\vdash_{\mathit{dy}}t$ for some $t$ . Any term in $T_{i}$ , since $T_{i}$ is part of a kernel, is either a bound variable outside the domain of $\sigma$ (i.e. in $\mathscr{V}_{q}$ ) or a public term of some assertion. Note that any variables in public terms of assertions must not be quantified, hence they fall into the domain of $\sigma$ . Thus, any such $t$ derived from $\sigma(T_{i})$ is either in $\mathscr{V}_{q}$ , or a ground term of the form $\sigma(v)$ for some $v$ .

Now, it is possible that $\pi$ mentions some term $u\not\in\omega(\mathscr{C})$ , even if $t\in\omega(\mathscr{C})$ . If a destructor rule is applied to $u$ in order to obtain a proof of $t$ , we cannot “zap” $u$ into an atomic name while still preserving derivability. This leads us to the following definition of a typed proof in the $\vdash_{\mathit{dy}}$ system, which preserves derivability even after zapping variables as necessary.

Definition 25 (Typed $\vdash_{\mathit{dy}}$ proof).

A $\vdash_{\mathit{dy}}$ proof $\pi$ is typed if for each subproof $\pi^{\prime}$ , either $\pi^{\prime}$ ends in a constructor rule, or ${\sf conc}(\pi^{\prime})\in\sigma(\mathscr{D})\cup\mathscr{V}_{q}$ , where ${\sf conc}(\pi^{\prime})$ denotes the conclusion of $\pi^{\prime}$ .
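The typedness condition is a simple recursive check over the proof tree. The sketch below assumes a hypothetical encoding in which each node records only the kind of its last rule (`"ax"`, `"cons"` or `"destr"`), its conclusion, and its immediate subproofs; the set `allowed` stands for $\sigma(\mathscr{D})\cup\mathscr{V}_{q}$. It does not verify that the rule applications themselves are valid.

```python
# Proof nodes: (kind, conclusion, [subproofs]), kind in {"ax", "cons", "destr"}.
# This encoding is an assumption made for illustration.

def is_typed_proof(proof, allowed):
    """Every subproof ends in a constructor or has its conclusion in allowed."""
    kind, conc, subproofs = proof
    ok_here = kind == "cons" or conc in allowed
    return ok_here and all(is_typed_proof(p, allowed) for p in subproofs)

# allowed plays the role of sigma(D) together with V_q in a toy setting.
allowed = {("pair", "m", "n"), "m", "n"}

split_m = ("destr", "m", [("ax", ("pair", "m", "n"), [])])
# (m, m) is not in allowed, but it is built by a constructor from typed parts.
good = ("cons", ("pair", "m", "m"), [split_m, split_m])
# Here a destructor is applied to (a, b), which lies outside allowed.
bad = ("destr", "a", [("ax", ("pair", "a", "b"), [])])

print(is_typed_proof(good, allowed))
print(is_typed_proof(bad, allowed))
```

The second proof fails the check because a destructor is applied to a term outside `allowed`, which is the situation described before the definition.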

Armed with this definition of a typed $\vdash_{\mathit{dy}}$ proof, we can show that any proof $\sigma(T_{i})\vdash_{\mathit{dy}}t$ can be transformed into a typed normal equivalent witnessing the same. This transformation crucially uses the following fact about how non-typed terms are generated: any non-typed term $u$ occurring in a $\vdash_{\mathit{dy}}$ proof from $\sigma(T_{i})$ obeys the following:

•

appears first as part of a received assertion $\sigma(\beta)$ , and
•

is generated by the intruder by putting information together, i.e. via a normal proof ending in a constructor.

The intuition behind this is easy to see – honest agents follow the protocol, and will only communicate terms that follow the protocol specification, modulo any insertions by the intruder. Terms that correspond to ones in the protocol specification are always typed, so any non-typed term must have been initially sent out by the intruder, i.e. in a $\beta$ received by an honest agent. In particular, such a term must have been constructed by the intruder by putting information together, since up till that point, the intruder’s knowledge state would have only consisted of typed terms, and destructor rules would preserve “typability”. Thus, for any non-typed term $t$ such that $t\in{\sf st}(\sigma(T_{i}))$ , we can always “chase back” to an index $j<i$ at which it was not in the subterms of $\sigma(T_{j})$ , but still derivable, i.e. $\sigma(T_{j})\vdash_{\mathit{dy}}t$ via a normal proof ending in a constructor rule. This reasoning closely follows the ideas in [38], and is formalized below.

Observation 26.

Since agent variables are mapped to names, the only free variables in sessions are intruder variables. Thus, for any $i\leq\ell$ and any $x\in{\sf fv}(\alpha_{i})$ , there is $j<i$ s.t. $x\in{\sf fv}(\beta_{j})$ .

We define $\mathit{IT}_{i}\coloneqq{\sf pubs}(\beta_{i})$ and $\mathit{HT}_{i}\coloneqq{\sf pubs}(\alpha_{i})$ (these stand for intruder terms and honest agent terms respectively).

Lemma 27.

Suppose $t\notin\sigma(\mathscr{D})\cup\mathscr{V}_{q}$ . For any $i\leq n$ , if $t\in{\sf st}(\sigma(T_{i}))$ , then there is a $k<i$ such that $t\in{\sf st}(\sigma(\mathit{IT}_{k}))$ .

Proof.

Consider $t\in{\sf st}(\sigma(u))\setminus(\sigma(\mathscr{D})\cup\mathscr{V}_{q})$ for some $u\in T_{i}$ . Then, $t\in{\sf st}(\sigma(y))$ for some $y\in{\sf vars}(u)$ . Since $u\in T_{i}$ , there is a $j<i$ such that $u\in\mathit{HT}_{j}\cup\mathscr{V}_{q}$ . If $u\in\mathscr{V}_{q}$ , then $u=y=\sigma(y)$ and $t=y$ , but we know that $t\not\in\mathscr{V}_{q}$ . Thus $u\not\in\mathscr{V}_{q}$ and $u\in\mathit{HT}_{j}$ , i.e. $y\in{\sf vars}(\mathit{HT}_{j})$ . Now $\xi$ is an interleaving of sessions of $\mathit{Pr}$ , and $y\in{\sf vars}(u)$ where $u$ occurs in an honest agent send in a session. Thus by Observation 26, there is an earlier intruder send in the same session in which $y$ occurs. This send occurs before $\alpha_{j}$ in $\xi$ . Thus there is a $k\leq j$ such that $y\in{\sf vars}({\sf pubs}(\beta_{k}))={\sf vars}(\mathit{IT}_{k})$ . Thus, $t\in{\sf st}(\sigma(\mathit{IT}_{k}))$ . ∎

Lemma 28.

Suppose $i\leq n$ , $t\notin\sigma(\mathscr{D})\cup\mathscr{V}_{q}$ and $\sigma(T_{i})\vdash_{\mathit{dy}}t$ via a normal proof $\pi$ ending in a destructor rule. Then there is an $\ell<i$ such that $\sigma(T_{\ell})\vdash_{\mathit{dy}}t$ .

Proof.

Since $\pi$ ends in a destructor rule, $t\in{\sf st}(\sigma(T_{i}))$ . By Lemma 27, there is an $i^{\prime}<i$ such that $t\in{\sf st}(\sigma(\mathit{IT}_{i^{\prime}}))$ . Let $j$ be the earliest such index, and let $a\in\mathit{IT}_{j}$ such that $t\in{\sf st}(\sigma(a))$ . Since $\sigma(T_{j-1};E_{j-1})\vdash_{\mathit{a}}\sigma\mu_{j}(\beta_{j})$ , and $a\in\mathit{IT}_{j}={\sf pubs}(\beta_{j})$ , it follows by Lemma 15 that $\sigma(T_{j-1})\vdash_{\mathit{dy}}\sigma\mu_{j}(a)$ . But ${\sf vars}(a)\cap{\sf dom}(\mu_{j})=\emptyset$ , so $\sigma(T_{j-1})\vdash_{\mathit{dy}}\sigma(a)$ , via a normal proof $\rho$ . Consider a minimal subproof $\chi$ of $\rho$ such that $t\in{\sf st}({\sf conc}(\chi))$ . (There is at least one such subproof, namely $\rho$ .) If $\chi$ ends in a destructor, then ${\sf conc}(\chi)\in{\sf st}(\sigma(T_{j-1}))$ , and hence $t\in{\sf st}(\sigma(T_{j-1}))$ . But by Lemma 27, there must be a $k<j-1$ such that $t\in{\sf st}(\sigma(\mathit{IT}_{k}))$ , contradicting the fact that $j$ is the earliest such index. So $\chi$ ends in a constructor rule. If $t\neq{\sf conc}(\chi)$ , then $t\in{\sf st}({\sf conc}(\chi^{\prime}))$ , for some proper subproof of $\chi$ . But this cannot be, since $\chi$ is a minimal proof with this property. Thus, $t={\sf conc}(\chi)$ and $\chi$ is a proof of $\sigma(T_{j-1})\vdash t$ (and we choose our $\ell$ to be $j-1$ ). ∎

Theorem 29.

For all $t$ and all $i\in\{0,\ldots,n\}$ , if $\sigma(T_{i})\vdash_{\mathit{dy}}t$ , then there is a typed normal proof $\pi^{*}$ of the same.

Proof.

Assume the theorem holds for all $j<i$ . We show how to transform any proof $\pi$ of $\sigma(T_{i})\vdash t$ ending in rule ${\sf r}$ into a typed normal proof $\pi^{*}$ of the same by induction on the structure of $\pi$ .

•

${\sf r}$ is ${\sf ax}$ : $t\in\sigma(T_{i})\subseteq\sigma(\mathscr{C})$ . If $t\in\sigma(\mathscr{D})\cup\mathscr{V}_{q}$ , we take $\pi^{*}$ to be $\pi$ itself. Otherwise, there is a $j<i$ such that $\sigma(T_{j})\vdash_{\mathit{dy}}t$ . We can get a typed normal proof $\pi^{*}$ of $\sigma(T_{j})\vdash t$ and obtain the required result by weakening the left-hand side.
•

${\sf r}$ is a constructor: We can find typed normal equivalents for all immediate subproofs, and apply the same constructor rule to get the desired $\pi^{*}$ .
•

${\sf r}$ is a destructor: Let $\pi_{1}$ and $\pi_{2}$ be immediate subproofs of $\pi$ , with ${\sf conc}(\pi_{1})=s$ , and $t$ an immediate subterm of $s$ . We can find typed normal equivalents $\pi^{*}_{1}$ and $\pi^{*}_{2}$ . If $\pi^{*}_{1}$ ends in a constructor, then we choose $\pi^{*}$ to be the immediate subproof of $\pi^{*}_{1}$ s.t. ${\sf conc}(\pi^{*})=t$ .

If $\pi^{*}_{1}$ does not end in a constructor, $s\in\sigma(\mathscr{D})\cup\mathscr{V}_{q}$ . Since a destructor rule ${\sf r}$ was applied on $s$ , $s\notin\mathscr{V}_{q}$ . So $s\in\sigma(\mathscr{D})$ , and hence $t\in\sigma(\mathscr{C})$ . If $t\in\sigma(\mathscr{D})\cup\mathscr{V}_{q}$ , we obtain a typed normal $\pi^{*}$ by applying ${\sf r}$ on $\pi^{*}_{1}$ . Otherwise, as with ${\sf ax}$ , we get a typed and normal proof $\pi^{*}$ of $\sigma(T_{j})\vdash t$ for some $j<i$ and apply weakening. ∎

Having shown that we can always obtain a typed $\vdash_{\mathit{dy}}$ proof, we now consider $\vdash_{\mathit{eq}}$ . We present below an example which will motivate our choices for the definition of a typed $\vdash_{\mathit{eq}}$ proof.

Suppose $\sigma(x)=(t_{1},t_{2})$ for some minimal $x$ , and $\sigma(u)=(u_{1},u_{2})$ for some term $u$ . Suppose we also have a proof of ${{t_{1}}\bowtie{u_{1}}}$ obtained by applying ${\sf proj}_{1}$ to a proof of ${{\sigma(x)}\bowtie{\sigma(u)}}$ , and we want a “corresponding” proof, even after zapping. However, $x$ would be zapped to a name, and we cannot apply ${\sf proj}$ to an atomic value. We would prefer a proof which allows us to preserve its structure even after zapping. To this end, we define a typed $\vdash_{\mathit{eq}}$ proof as follows.

Definition 30.

[Typed $\vdash_{\mathit{eq}}$ proof] A proof $\pi$ of $X;A\vdash{{r}\bowtie{s}}$ is typed if for every subproof $\pi^{\prime}$ with conclusion $X;A\vdash{{t}\bowtie{u}}$ ,

•

$\pi^{\prime}$ contains an occurrence of the ${\sf cons}$ rule, or
•

$t=u$ , or
•

$t$ and $u$ are typed terms.

Intuitively, this definition disallows “asymmetric” zapping of the above kind, and allows us to prove the equivalent of Theorem 29 for $\vdash_{\mathit{eq}}$ proofs.

Theorem 31.

For $i\leq n$ and $a,b\in\mathscr{T}$ , if $\sigma(T_{i};E_{i})\vdash_{\mathit{eq}}{{a}\bowtie{b}}$ , then there is a typed normal proof of $\sigma(T_{i};E_{i})\vdash{{a}\bowtie{b}}$ .

Proof of Theorem 31.

By Theorem 10, we know that every $\vdash_{\mathit{eq}}$ proof can be converted to an equivalent normal proof. We can show that every normal $\vdash_{\mathit{eq}}$ proof is typed. The only non-trivial case is when the last rule is ${\sf proj}$ . Consider a normal proof $\pi$ of $\sigma(T_{i};E_{i})\vdash{{a}\bowtie{b}}$ , whose last rule is ${\sf proj}$ , and whose immediate (typed normal, by IH) subproof is $\pi^{\prime}$ deriving ${{{\sf f}(a,c)}\bowtie{{\sf f}(b,d)}}$ . Since $\pi$ is a normal proof ending in ${\sf proj}$ , the ${\sf cons}$ rule does not occur in $\pi$ or $\pi^{\prime}$ . Two cases arise:

•

${\sf f}(a,c)={\sf f}(b,d)$ , in which case $a=b$ and $\pi$ is typed.
•

${\sf f}(a,c)$ and ${\sf f}(b,d)$ are both typed terms. By Lemma 24, either ${\sf f}(a,c)={\sf f}(b,d)$ (whence $a=b$ ), or $a,b,c,d$ are all typed, and thus $\pi$ is typed. ∎

4.2 Small substitutions $\sigma^{\!*},\omega^{\!*}$ , and $\mu^{\!*}_{i}$

Assume that there is an ${\sf m}\in T_{0}\cap\mathscr{N}$ s.t. ${\sf m}\notin{\sf st}(\{\alpha_{i},\beta_{i}\})\cup{\sf st}({\sf rng}(\theta_{i})\cup{\sf rng}(\mu_{i}))$ for all $i$ . This can be thought of as a fixed “spare name” that does not appear in the run. We will use this name to formally define a zap operation, as below.

Definition 32.

For any term $t$ , we inductively define the zap of $t$ , denoted $\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}$ , as follows:

$$\begin{aligned}
\overline{\mspace{1.0mu}{x}\mspace{1.0mu}} &\coloneqq x\\
\overline{\mspace{1.0mu}{n}\mspace{1.0mu}} &\coloneqq \begin{cases}{\sf m}&\mbox{if $n$ is zappable}\\ n&\mbox{otherwise}\end{cases}\\
\overline{\mspace{1.0mu}{{\sf f}(t_{1},t_{2})}\mspace{1.0mu}} &\coloneqq \begin{cases}{\sf m}&\mbox{if ${\sf f}(t_{1},t_{2})$ is zappable}\\ {\sf f}(\overline{\mspace{1.0mu}{t_{1}}\mspace{1.0mu}},\overline{\mspace{1.0mu}{t_{2}}\mspace{1.0mu}})&\mbox{otherwise}\end{cases}
\end{aligned}$$

For a set of terms $X$ , $\overline{\mspace{1.0mu}{X}\mspace{1.0mu}}\coloneqq\{\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}\mid t\in X\}$ . For a set of equalities $E$ , $\overline{\mspace{1.0mu}{E}\mspace{1.0mu}}\coloneqq\{{{\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}}\bowtie{\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}}}\mid{{t}\bowtie{u}}\in E\}$ .
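The recursion in Definition 32 can be sketched in Python as follows. This is only an illustration under stated assumptions: the classes `Var`, `Name` and `App`, the constant `SPARE` (standing for ${\sf m}$ ) and the functions `zap` and `zap_set` are hypothetical names introduced here, and the notion of zappability is passed in as a predicate rather than implemented.

```python
from dataclasses import dataclass
from typing import Callable, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Name:
    name: str


@dataclass(frozen=True)
class App:
    op: str          # a binary operator f, e.g. "pair" or "enc" (assumed)
    left: "Term"
    right: "Term"


Term = Union[Var, Name, App]

SPARE = Name("m")    # the fixed spare name m (hypothetical encoding)


def zap(t: Term, zappable: Callable[[Term], bool]) -> Term:
    """Zap of t, following the three clauses of Definition 32."""
    if isinstance(t, Var):
        return t                      # variables are left unchanged
    if zappable(t):
        return SPARE                  # zappable names and f-terms become m
    if isinstance(t, Name):
        return t                      # non-zappable names are kept
    # non-zappable f(t1, t2): zap the immediate subterms
    return App(t.op, zap(t.left, zappable), zap(t.right, zappable))


def zap_set(terms, zappable):
    """Zap of a set of terms, applied pointwise."""
    return {zap(t, zappable) for t in terms}


# Usage: treat one particular subterm as zappable (an arbitrary choice).
secret = App("pair", Name("a"), Name("b"))
term = App("enc", secret, Name("k"))
zapped = zap(term, lambda s: s == secret)
```

Here `zapped` is the term `enc(m, k)`: the zappable subterm is collapsed to the spare name while the outer structure is preserved.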

Definition 33.

For $\lambda\in\{\sigma,\omega,\mu_{i}\mid i\leq n\}$ , the small substitution $\lambda^{\!*}$ corresponding to $\lambda$ is defined as $\lambda^{\!*}(x)\coloneqq\overline{\mspace{1.0mu}{\lambda(x)}\mspace{1.0mu}}$ for all $x\in\mathscr{V}$ .

Here are a few examples that illustrate the above definition, for different choices of $\lambda$ and $\mathscr{C}$ .

Example 34.

1.

Suppose $\mathscr{C}={\sf st}(\{{\sf m},y,(y_{1},\{y_{2}\}_{k})\})$ , where $y_{1},y_{2}$ are minimal, and $\mu_{2}(y)=(y_{1},\{y_{2}\}_{k})$ . Then $\mu^{\!*}_{2}(y)=(y_{1},\{y_{2}\}_{k})$ and $\omega^{\!*}(y)=({\sf m},\{{\sf m}\}_{k})$ .
2.

Suppose $\mathscr{C}={\sf st}(\{{\sf m},y,y_{2},(y_{1},x)\})$ and $\mu_{2}$ is the same as above, with $x$ minimal and $\sigma(x)=\mu_{2}(\{y_{2}\}_{k})$ . Then $\mu^{\!*}_{2}(y)=(y_{1},{\sf m})$ and $\omega^{\!*}(y)=({\sf m},{\sf m})$ .

Following Definition 33, we can see that $\sigma^{\!*}\mu^{\!*}_{i}(x)=\overline{\mspace{1.0mu}{\sigma\mu_{i}(x)}\mspace{1.0mu}}$ for any $i\leq n$ and $x\in\mathscr{V}$ , but this equality need not lift to bigger terms in general. Consider a minimal $x\in{\sf dom}(\sigma)$ with $\sigma(x)=t$ . So $t$ is ground, and hence ${\sf vars}(t)=\emptyset$ . So $\sigma^{\!*}\mu^{\!*}_{i}(t)=t$ . However, $\overline{\mspace{1.0mu}{\sigma\mu_{i}(t)}\mspace{1.0mu}}=\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}={\sf m}$ , since $t$ is zappable. Thus, it is not true that $\sigma^{\!*}\mu^{\!*}_{i}(t)=\overline{\mspace{1.0mu}{\sigma\mu_{i}(t)}\mspace{1.0mu}}$ for all possible terms $t$ . However, we can show that this holds for all $t\in\mathscr{C}$ .

Lemma 35.

For $i\leq n$ and $t\in\mathscr{C}$ , $\sigma^{\!*}\mu^{\!*}_{i}(t)=\overline{\mspace{1.0mu}{\sigma\mu_{i}(t)}\mspace{1.0mu}}$ .

We now show, via Lemmas 36 and 37, that small substitutions preserve derivabilities of both terms and equalities.

Lemma 36.

For $i\leq n$ and any term $t$ , if $\sigma(T_{i})\vdash_{\mathit{dy}}t$ then $\sigma^{\!*}(T_{i})\vdash_{\mathit{dy}}\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}$ .

Proof.

Let $X$ and $Y$ stand for $\sigma(T_{i})$ and $\sigma^{\!*}(T_{i})$ . Since $X\subseteq\mathscr{C}$ , by Lemma 35, $\overline{\mspace{1.0mu}{X}\mspace{1.0mu}}=Y$ . Let $\pi$ be a typed normal $\vdash_{\mathit{dy}}$ proof of $X\vdash t$ (ensured by Theorem 29). We prove that $Y\vdash_{\mathit{dy}}\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}$ . Consider the last rule ${\sf r}$ of $\pi$ . The following cases arise.

•

${\sf r}=\textsf{ax}$ : $t\in X$ , and therefore $\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}\in Y$ . Thus $Y\vdash_{\mathit{dy}}\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}$ by ax.
•

${\sf r}$ is a constructor: Let $t={\sf f}(t_{1},t_{2})$ and let the immediate subproofs of $\pi$ be $\pi_{1},\pi_{2}$ , with ${\sf conc}(\pi_{i})=t_{i}$ for $i\leq 2$ . By IH, there is a proof $\varpi_{i}$ of $Y\vdash\overline{\mspace{1.0mu}{t_{i}}\mspace{1.0mu}}$ for each $i\leq 2$ . If $t$ is zappable, then $\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}={\sf m}\in Y$ ( ${\sf m}\in T_{i}$ for all $i$ , so ${\sf m}\in X$ and ${\sf m}\in Y$ ), and we have $Y\vdash_{\mathit{dy}}\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}$ using ax. If $t$ is not zappable, then $\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}=\overline{\mspace{1.0mu}{{\sf f}(t_{1},t_{2})}\mspace{1.0mu}}={\sf f}(\overline{\mspace{1.0mu}{t_{1}}\mspace{1.0mu}},\overline{\mspace{1.0mu}{t_{2}}\mspace{1.0mu}})$ , and we can apply ${\sf r}$ on the $\varpi_{i}$ s to get $Y\vdash_{\mathit{dy}}\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}$ .
•

${\sf r}$ is a destructor: Let the immediate subproofs of $\pi$ be $\pi_{1},\pi_{2}$ , deriving $t_{1},t_{2}$ respectively, with $t_{1}$ being the major premise, and $t$ an immediate subterm of $t_{1}$ . Since $\pi$ is typed normal, $\pi_{1}$ is also typed and ends in a destructor, so by Definition 25, $t_{1}\in\sigma(\mathscr{D})\cup\mathscr{V}_{q}$ . Since we applied a destructor on $t_{1}$ , it is not in $\mathscr{V}_{q}$ . Thus, there is some $u_{1}\in\mathscr{D}$ , with the same outermost operator as $t_{1}$ , such that $t_{1}=\sigma(u_{1})$ . Hence, $\omega(t_{1})=\omega(u_{1})$ .

If $t_{1}$ were zappable, there would be a minimal $x$ such that $\omega(x)=\omega(t_{1})=\omega(u_{1})\in\omega(\mathscr{D})$ , which contradicts the minimality of $x$ . Thus, $t_{1}$ is not zappable, and $\overline{\mspace{1.0mu}{t_{1}}\mspace{1.0mu}}$ has the same outermost structure as $t_{1}$ . By IH, there is a proof $\varpi_{i}$ of $Y\vdash\overline{\mspace{1.0mu}{t_{i}}\mspace{1.0mu}}$ for each $i\leq 2$ . Since $\overline{\mspace{1.0mu}{t_{1}}\mspace{1.0mu}}$ is not atomic, we can apply the destructor ${\sf r}$ on the $\varpi_{i}$ s to get $Y\vdash_{\mathit{dy}}\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}$ . ∎

Lemma 37.

For $i\leq n$ and terms $t,u$ , if $\sigma(T_{i};E_{i})\vdash_{\mathit{eq}}{{t}\bowtie{u}}$ then $\sigma^{\!*}(T_{i};E_{i})\vdash_{\mathit{eq}}{{\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}}\bowtie{\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}}}$ .

Proof.

Let $(X;A)$ and $(Y;B)$ denote $\sigma(T_{i};E_{i})$ and $\sigma^{\!*}(T_{i};E_{i})$ respectively. As earlier, using Lemma 35, $\overline{\mspace{1.0mu}{X}\mspace{1.0mu}}=Y$ and $\overline{\mspace{1.0mu}{A}\mspace{1.0mu}}=B$ . Let $\pi$ be a typed normal $\vdash_{\mathit{eq}}$ proof of $X;A\vdash{{t}\bowtie{u}}$ (guaranteed by Theorem 31). We prove that $Y;B\vdash_{\mathit{eq}}{{\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}}\bowtie{\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}}}$ . Most of the cases are straightforward, so here we only consider the cases when $\pi$ ends in ${\sf proj}$ or ${\sf cons}$ .

•
$\pi$ ends in ${\sf proj}$ : Let the immediate subproof of $\pi$ be $\pi^{\prime}$ deriving $X;A\vdash{{a}\bowtie{b}}$ where $a={\sf f}(a_{0},a_{1})$ , $b={\sf f}(b_{0},b_{1})$ , and $t=a_{0}$ and $u=b_{0}$ . By IH, there is a proof $\varpi^{\prime}$ of $Y;B\vdash{{\overline{\mspace{1.0mu}{a}\mspace{1.0mu}}}\bowtie{\overline{\mspace{1.0mu}{b}\mspace{1.0mu}}}}$ . For ${\sf proj}$ , we need $X\vdash_{\mathit{dy}}\{a_{0},a_{1},b_{0},b_{1}\}$ . By Lemma 36, $Y\vdash_{\mathit{dy}}\{\overline{\mspace{1.0mu}{a_{0}}\mspace{1.0mu}},\overline{\mspace{1.0mu}{a_{1}}\mspace{1.0mu}},\overline{\mspace{1.0mu}{b_{0}}\mspace{1.0mu}},\overline{\mspace{1.0mu}{b_{1}}\mspace{1.0mu}}\}$ . By Lemma 20, $\omega(a)=\omega(b)$ . By normality, ${\sf cons}$ cannot occur in $\pi$ . $\pi$ is also typed, so either $a=b$ or $a$ and $b$ are typed. If $a=b$ , then $t=u$ , and we have a proof of $Y;B\vdash{{\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}}\bowtie{\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}}}$ ending in ${\sf eq}$ . If $a$ and $b$ are typed, we apply Lemma 24 and the following two cases arise.
- –
  
  $a$ and $b$ not zappable: Then $\overline{\mspace{1.0mu}{a}\mspace{1.0mu}}$ and $\overline{\mspace{1.0mu}{b}\mspace{1.0mu}}$ have the same outermost structure as $a$ and $b$ , and $\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}=\overline{\mspace{1.0mu}{a_{0}}\mspace{1.0mu}}$ and $\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}=\overline{\mspace{1.0mu}{b_{0}}\mspace{1.0mu}}$ . So we can apply ${\sf proj}$ on $\varpi^{\prime}$ to get $Y;B\vdash_{\mathit{eq}}{{\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}}\bowtie{\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}}}$ .
- –
  
  $a=b$ : Then $t=u$ as well, and hence $\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}=\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}$ . Since $Y\vdash_{\mathit{dy}}\{\overline{\mspace{1.0mu}{t}\mspace{1.0mu}},\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}\}$ , $Y;B\vdash_{\mathit{eq}}{{\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}}\bowtie{\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}}}$ with last rule ${\sf eq}$ .
•
$\pi$ ends in ${\sf cons}$ : Let $t={\sf f}(t_{0},t_{1})$ and $u={\sf f}(u_{0},u_{1})$ . Let $\pi$ have immediate subproofs $\pi_{0}$ and $\pi_{1}$ , each $\pi_{i}$ proving $X;A\vdash{{t_{i}}\bowtie{u_{i}}}$ . By IH, there are proofs $\varpi_{0},\varpi_{1}$ , each $\varpi_{i}$ proving $Y;B\vdash{{\overline{\mspace{1.0mu}{t_{i}}\mspace{1.0mu}}}\bowtie{\overline{\mspace{1.0mu}{u_{i}}\mspace{1.0mu}}}}$ . By Lemma 24, two cases arise.
- –
  
  $t$ and $u$ not zappable: Then $\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}={\sf f}(\overline{\mspace{1.0mu}{t_{0}}\mspace{1.0mu}},\overline{\mspace{1.0mu}{t_{1}}\mspace{1.0mu}})$ and $\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}={\sf f}(\overline{\mspace{1.0mu}{u_{0}}\mspace{1.0mu}},\overline{\mspace{1.0mu}{u_{1}}\mspace{1.0mu}})$ . So $Y;B\vdash_{\mathit{eq}}{{\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}}\bowtie{\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}}}$ using ${\sf cons}$ on the $\varpi_{i}$ s.
- –
  
  $t$ and $u$ zappable: Then, $\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}=\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}={\sf m}\in Y$ , so we have a proof of $Y;B\vdash{{\overline{\mspace{1.0mu}{t}\mspace{1.0mu}}}\bowtie{\overline{\mspace{1.0mu}{u}\mspace{1.0mu}}}}$ ending in ${\sf eq}$ . ∎

Putting Lemmas 35, 36 and 37 together, we get:

Theorem 38.

Let $t,u\in\mathscr{C}$ and $i\leq n$ .

•

If $\sigma(T_{i-1})\vdash_{\mathit{dy}}\sigma\mu_{i}(t)$ then $\sigma^{\!*}(T_{i-1})\vdash_{\mathit{dy}}\sigma^{\!*}\mu^{\!*}_{i}(t)$ .
•

If $\sigma(T_{i-1};E_{i-1})\vdash_{\mathit{eq}}\sigma\mu_{i}({{t}\bowtie{u}})$ then $\sigma^{\!*}(T_{i-1};E_{i-1})\vdash_{\mathit{eq}}\sigma^{\!*}\mu^{\!*}_{i}({{t}\bowtie{u}})$ .

Having shown that the $\lambda^{\!*}$ s simulate the $\lambda$ s, we next show that they allow us a bound on the size of terms therein.

Theorem 39.

For $\lambda\in\{\sigma,\omega,\mu_{i}\mid i\leq n\}$ , $\lambda^{\!*}$ is such that $|{\sf st}({\lambda^{\!*}(x)})|\leq|\mathscr{D}|$ for all $x\in{\sf dom}(\lambda^{\!*})$ .

Proof.

For each $\lambda$ and any $x$ , $\omega^{\!*}(\lambda^{\!*}(x))=\omega^{\!*}(x)=\overline{\mspace{1.0mu}{\omega(x)}\mspace{1.0mu}}$ (by Definition 33) and thus, $|{\sf st}({\lambda^{\!*}(x)})|\leq|{\sf st}({\omega^{\!*}(x)})|$ . So it suffices to prove a bound on $|{\sf st}({\omega^{\!*}(x)})|$ . We show that for $t\in\mathscr{C}$ , ${\sf st}(\omega^{\!*}(t))\subseteq\omega^{\!*}(\mathscr{D})$ . Note that if $t=x$ is non-minimal, there is an $r\in\mathscr{D}$ s.t. $\omega^{\!*}(t)=\omega^{\!*}(r)$ . Thus it suffices to prove the statement for $t$ which is either a minimal variable or in $\mathscr{D}$ .

The proof is by induction on $|\omega^{\!*}(t)|$ .

•

$|\omega^{\!*}(t)|=1:$ $\omega^{\!*}(t)\in\mathscr{N}$ . So $t\in\mathscr{N}$ or $t$ is a minimal variable. If $t\in\mathscr{N}$ , $\omega^{\!*}(t)=t\in\mathscr{N}$ . Otherwise, $\omega^{\!*}(t)={\sf m}$ . In both these cases, ${\sf st}(\omega^{\!*}(t))\subseteq\omega^{\!*}(\mathscr{D})$ .
•

$|\omega^{\!*}(t)|>1:$ Let $a\in{\sf st}(\omega^{\!*}(t))$ . If $a=\omega^{\!*}(u)$ for some $u\in{\sf st}(t)\setminus{\sf vars}(t)$ , then $a\in\omega^{\!*}(\mathscr{D})$ . If $a=\omega^{\!*}(x)$ for some minimal $x\in{\sf vars}(t)$ , then $a={\sf m}=\omega^{\!*}({\sf m})\in\omega^{\!*}(\mathscr{D})$ . If $a\in{\sf st}(\omega^{\!*}(x))$ for non-minimal $x\in{\sf vars}(t)$ , then $x\neq t$ , and there is an $r\in\mathscr{D}$ s.t. $\omega^{\!*}(x)=\omega^{\!*}(r)$ , and $a\in{\sf st}(\omega^{\!*}(r))$ . Since $|\omega^{\!*}(r)|<|\omega^{\!*}(t)|$ , by IH, ${\sf st}(\omega^{\!*}(r))\subseteq\omega^{\!*}(\mathscr{D})$ . Thus $a\in\omega^{\!*}(\mathscr{D})$ .

Hence, $|{\sf st}({\omega^{\!*}(t)})|\leq|\omega^{\!*}(\mathscr{D})|\leq|\mathscr{D}|$ , for $t\in\mathscr{C}$ . ∎

4.3 NP algorithm for Insecurity: Sketch

After guessing a coherent set of sessions and an interleaving of these sessions of length $n$ , we guess a small substitution $\sigma^{\!*}$ and, for each intruder send $\beta_{i}$ , a set $X_{i}\subseteq{\sf hat}(\beta_{i})$ and a small substitution $\mu^{\!*}_{i}$ whose domain is ${\sf bv}(\beta_{i})\setminus{\sf bv}(X_{i})$ . We also guess a sequence of knowledge functions such that the relevant atomic assertions and terms (communicated in the $\sigma^{\!*}(\beta_{i})$ s) are derivable from $\sigma^{\!*}(\mathit{ker}({\sf k}_{i-1}(I)))$ . These derivability checks in the $\vdash_{\mathit{eq}}$ system can be carried out in time polynomial in the size of the protocol description (using the procedure described in Algorithm 1).

For honest agent derivations, we only deal with derivations of the form ${\sf k}_{i}(u_{i})\vdash_{\mathit{a}}\alpha_{i}$ (without the $\sigma$ ). This is, in fact, a version of the passive intruder problem for the system with assertions. Applying Theorem 16, we reduce this to checks of the form $(U_{i};F_{i})\vdash_{\mathit{eq}}\theta_{i}({{r}\bowtie{s}})$ . Because of the absence of $\sigma$ , it is much simpler to ensure that we can obtain $\theta_{i}$ s of bounded size. The following theorem, the proof of which can be found in the Appendix, will help us obtain small $\theta_{i}$ s.

Theorem 40.

If there is a $\mu$ satisfying Theorem 16, there is a “small” $\nu$ satisfying the same conditions, such that $|{\sf st}({\nu(x)})|\leq|{\sf st}(S)\cup{\sf st}(A\cup\{\alpha\})|$ for all $x\in{\sf dom}(\nu)$ .

In order to check whether ${\sf k}_{i}(u_{i})\vdash_{\mathit{a}}\alpha_{i}$ , we need to guess $X\subseteq{\sf hat}(\alpha_{i})$ and a small substitution $\theta_{i}$ such that the conditions of Theorem 16 are satisfied. (The smallness of $\theta_{i}$ is guaranteed by Theorem 40.) Each of those conditions can be checked in polynomial time because they only involve $\vdash_{\mathit{dy}}$ proofs (checkable in PTIME), $\vdash_{\mathit{eq}}$ proofs (also checkable in PTIME), and proofs involving only $\{{\sf ax},\wedge\sf i,\exists\sf i,{\sf say}\}$ (also checkable in PTIME). Thus, honest agent derivability checks are in NP.
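To make the claim that $\vdash_{\mathit{dy}}$ derivability is checkable in PTIME more concrete, here is a minimal Python sketch of the standard analyse-then-synthesise check. It assumes, purely for illustration, that the only operators are pairing and symmetric encryption; the tuple encoding of terms and the names `analyze`, `synth` and `derivable` are hypothetical and not taken from the paper, whose rules in Figure 1 may differ.

```python
def synth(closed, t):
    """Can t be built from `closed` using constructor rules only?"""
    if t in closed:
        return True
    if isinstance(t, tuple):          # ("pair", a, b) or ("enc", m, k)
        _, left, right = t
        return synth(closed, left) and synth(closed, right)
    return False                      # an atom that is not known


def analyze(known):
    """Close a set of terms under the destructors (projection, decryption)."""
    closed = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(closed):
            if not isinstance(t, tuple):
                continue
            op, left, right = t
            if op == "pair":
                new = {left, right}   # both projections
            elif op == "enc" and synth(closed, right):
                new = {left}          # decrypt once the key is derivable
            else:
                new = set()
            if not new <= closed:
                closed |= new
                changed = True
    return closed


def derivable(known, t):
    """Decide X |- t: destructors first, then constructors."""
    return synth(analyze(known), t)


# Usage: the key is itself a pair that must be constructed.
X = {("enc", "s", ("pair", "k1", "k2")), "k1", "k2"}
can_get_secret = derivable(X, "s")
```

Every term added by `analyze` is a subterm of the initial set, so the loop runs at most polynomially many times; this mirrors the role that normal proofs and the subterm property play in the argument above.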

5 Discussion and Future Work

5.1 Intruder theories for terms

For terms, we assumed that every operator had constructor and destructor rules, as specified in Figure 1. Such systems are called constructor-destructor theories. While the initial results for the active intruder problem were proved for simple theories by [38], that work has been extended to much richer theories [15, 2, 20, 16, 9, 13, 14]. As mentioned in Section 1.4, the extension with assertions that we consider is not subsumed by any known intruder theories.

Can one generalize the results of this paper to richer intruder theories? We believe that one can, but one needs to modify a few fundamental notions used so far. We list these considerations below.

•

In the main text, we used ${\sf st}(t)$ to mean the syntactic subterms of $t$ . For a general intruder theory, we will need to assume a function ${\cal S}$ which maps finite sets of terms to finite sets, and satisfies ${\sf st}(X)\subseteq{\cal S}(X)$ for any set $X$ .
•

To handle the general case, we modify the form of constructors and destructors as follows. In a constructor rule, each immediate subterm of the conclusion is a subterm of one of the premises. In a destructor rule, the conclusion is a subterm of one of the premises.
•

We can assume that the intruder theory we consider is local w.r.t. ${\cal S}$ . That is, whenever $X$ derives $t$ , we have a proof $\pi$ of $X\vdash t$ such that ${\sf terms}(\pi)\subseteq{\cal S}(X\cup\{t\})$ , and further, if $\pi$ ends in a destructor rule, ${\sf terms}(\pi)\subseteq{\cal S}(X)$ .
•

We modify Definition 21 to use ${\cal S}$ instead of ${\sf st}$ . Definitions 22, 25, 30, 32, and 33, on which the proofs in Section 4 hinge, will stay unchanged, since they only refer to $\mathscr{C}$ and $\mathscr{D}$ .
•

We need to prove Theorem 29 for the extended theory before moving on to the $\vdash_{\mathit{eq}}$ system. Determining the conditions on the intruder theory which would guarantee this theorem is left for future work.

•

Now, for proofs in the $\vdash_{\mathit{eq}}$ system, there is the following subtlety, which we illustrate by considering the $\vdash_{\mathit{eq}}$ theory built on top of the theory for xor as presented in [15]. In this intruder theory, there are implicit rewrites in the rules for xor. For instance, from $a\oplus b$ and $b\oplus c$ , we can obtain $a\oplus c$ . We would need to carry over these rewrites into the equality rules as well, and in the presence of such rewrites, show that normalization and subterm property hold for the new $\vdash_{\mathit{eq}}$ system.

In particular, for normalization, we need to eliminate subproofs where an instance of ${\sf cons}$ appears as the premise for ${\sf proj}$ . For the basic $\vdash_{\mathit{eq}}$ system, one can do this by picking the appropriate subproof of ${\sf cons}$ . However, in this new system with xor, consider a proof of the following form.

$$\dfrac{\dfrac{T;E\vdash{{x}\bowtie{a\oplus b}}\quad T;E\vdash{{y}\bowtie{b\oplus c}}}{T;E\vdash{{x\oplus y}\bowtie{a\oplus c}}}\;{\sf cons}}{T;E\vdash{{x}\bowtie{a}}}\;{\sf proj}_{1}$$

Such a proof cannot easily be normalized, since neither immediate subproof of the ${\sf cons}$ instance has the same conclusion as the whole proof. But such a ${\sf proj}$ rule should not be allowed to begin with, since implicit rewrites are not injective. (In the constructor-destructor theories as in Figure 1, such implicit rewrites do not occur, and all ${\sf f}$ s considered are injective.) Thus, proving normalization and the subterm property for any modified $\vdash_{\mathit{eq}}$ system built on top of a general intruder theory seems feasible, provided one appropriately tailors the rules – especially ${\sf proj}$ – to avoid any unsound behaviour. This is left for future work.
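The unsoundness of ${\sf proj}$ in the presence of xor can be seen on concrete values. The following Python sketch interprets $\oplus$ as bitwise xor on integers, which is only one possible model of the symbolic operator; the function name `xor_cons_proj_counterexample` and the chosen values are illustrative assumptions.

```python
def xor_cons_proj_counterexample(a: int, b: int, c: int) -> dict:
    """Check the premises and conclusions of the cons/proj proof above."""
    x = a ^ b                      # premise: x equals a xor b
    y = b ^ c                      # premise: y equals b xor c
    return {
        # conclusion of cons: x xor y equals a xor c (b cancels out)
        "cons_holds": (x ^ y) == (a ^ c),
        # conclusion of proj_1: x equals a
        "proj1_holds": x == a,
    }


result = xor_cons_proj_counterexample(0b101, 0b011, 0b110)
```

With these values the equality derived by ${\sf cons}$ holds while the one derived by ${\sf proj}_{1}$ fails, which is consistent with the observation that ${\sf proj}$ must be restricted when rewrites are implicit.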

Thus, we can see that the main change in lifting this result to richer intruder theories lies in showing that Theorem 29 holds. One might also need to restrict the new rules one might introduce to the $\vdash_{\mathit{eq}}$ system, and hence mildly modify the proofs of the normalization theorem and Theorem 31.

5.2 Constraint solving approach

An algorithmic approach to the active intruder problem is constraint solving [34, 16]. Rather than merely proving a bound on the substitution size, these papers present the problem as a series of deducibility constraints (involving variables), the solution to which is a substitution under which all the deducibilities actually hold. They also provide rules for constructing such a substitution.

In Section 4, for a run, we defined the sequence of sets $(T_{i};E_{i})$ , and sets of atomic formulas $X_{i}$ , for $i\leq n$ . This can be viewed as a generalized constraint system, where we want to find substitutions under which $(T_{i};E_{i})$ can derive the equality assertions in $X_{i}$ , and $T_{i}$ can derive the public terms of $X_{i}$ . It is a worthwhile exercise to adapt the existing constraint solving approaches to solve such generalized constraint systems. We leave this for future work.

5.3 Full disjunction

An interesting feature of the language in [35] is the use of disjunction. While our syntax here uses list membership to express a limited form of disjunction that seems to suffice for many protocols, it would be worthwhile to explore the utility of full disjunction and its effect on the active intruder problem.

In fact, with disjunction, we know that even the derivability problem becomes more involved. To check if $(S;A)\vdash_{\mathit{a}}\gamma$ , one can no longer work with a single kernel of $(S;A)$ . One can define a notion of “down-closure”. For each disjunctive formula $\alpha\vee\beta$ , one obtains two down-closures – one containing $\alpha$ , and the other $\beta$ . In general, many disjunctions could occur in $A$ , and there are exponentially many down-closures for any $(S;A)$ . Using a left disjunction property similar to those in Lemma 13 ( $\alpha\vee\beta$ derives $\gamma$ iff $\gamma$ is derivable from $\alpha$ and from $\beta$ ), we check if the kernels of all down-closures of $(S;A)$ derive $\gamma$ . Thus, the derivability problem is in $\Pi_{2}$ . Some of these down-closures might even contain contradictory assertions, and hence our techniques for the insecurity problem do not seem to directly apply. Exploring these issues is an interesting direction of research and is left for future work.
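The exponential blow-up can be illustrated with a small Python sketch. It makes a simplifying assumption that a down-closure is obtained by choosing one disjunct for every disjunctive formula and ignoring all other connectives; the encoding of formulas as strings and `("or", left, right)` tuples, and the names `disjuncts`, `down_closures` and `derives_with_disjunction`, are hypothetical.

```python
from itertools import product


def disjuncts(formula):
    """Flatten nested ("or", left, right) tuples into a list of disjuncts."""
    if isinstance(formula, tuple) and formula[0] == "or":
        return disjuncts(formula[1]) + disjuncts(formula[2])
    return [formula]


def down_closures(assertions):
    """All sets obtained by picking one disjunct per formula."""
    options = [disjuncts(f) for f in assertions]
    return {frozenset(choice) for choice in product(*options)}


def derives_with_disjunction(assertions, goal, derives):
    """The goal must follow from every down-closure.

    `derives(closure, goal)` is a caller-supplied check standing in for
    derivability from the kernel of a single down-closure.
    """
    return all(derives(dc, goal) for dc in down_closures(assertions))


# Usage: two binary disjunctions give four down-closures.
A = [("or", "p", "q"), ("or", "r", "s"), "t"]
closures = down_closures(A)
```

With $k$ binary disjunctions in $A$ this enumeration produces up to $2^{k}$ sets, which is why a single kernel no longer suffices.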

5.4 Adding if-then-else branching to protocols

As mentioned earlier, we can add an $A:{\sf assert}~{}\alpha$ action that allows the role to proceed only if $\alpha$ can be derived using the information that $A$ has at the time. Similarly, we can add an action of the form $A:{\sf deny}~{}\alpha$ , which lets the role proceed only if $\alpha$ cannot be derived using $A$ ’s current knowledge. To simulate an if-then-else branch (by specifying a condition $\alpha$ to be checked and an agent $A$ who will check it), we create two roles, one containing $A:{\sf assert}~{}\alpha$ followed by the actions in the then branch, and the other containing $A:{\sf deny}~{}\alpha$ followed by the actions in the else branch. We can easily extend our results to protocols involving such assert and deny actions where the condition being checked is whether or not a predicate holds about some atomic terms (for example, ${\sf el}(V)$ in Section 2.3).
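The encoding of a branch as two roles can be sketched as follows. This is an illustration only: roles are modelled as plain Python lists of actions, and `split_branch`, `enabled` and the `derivable` callback are hypothetical names, not part of the paper's formal syntax.

```python
def split_branch(agent, condition, then_actions, else_actions):
    """Turn `if condition then ... else ...` into an assert role and a deny role."""
    then_role = [(agent, "assert", condition)] + list(then_actions)
    else_role = [(agent, "deny", condition)] + list(else_actions)
    return then_role, else_role


def enabled(role, derivable):
    """A role may proceed past its guard iff the guard is satisfied.

    `derivable(agent, condition)` stands in for the agent's derivability
    check against its current knowledge.
    """
    agent, kind, condition = role[0]
    holds = derivable(agent, condition)
    return holds if kind == "assert" else not holds


# Usage: the condition el(V) from Section 2.3, with placeholder actions.
then_role, else_role = split_branch("A", "el(V)", ["send ok"], ["send reject"])
```

For any fixed knowledge state exactly one of the two roles is enabled, which is what makes the pair behave like a single if-then-else.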

The fact that a predicate $P$ holds about some terms $\vec{t}$ can be modelled as the presence of $\vec{t}$ in a global list. We can also extend the model to allow agents (with appropriate access privileges) to add and delete entries from global lists, as considered in tools like ProVerif [11] and in some versions of applied-pi [5, 28]. The technical proofs in our work continue to hold for these extensions.

5.5 Adding assertions to other models and tools

It is also useful to add communicable assertions to the widely-used applied pi calculus [1]. It would be especially interesting to see how this impacts the notion of static equivalence, and then study expressibility and decidability. As mentioned earlier, one can express certain “equivalence” properties in a more natural manner with assertions as compared to the terms-only model. Another promising extension is to study which equivalence properties can be expressed as reachability properties in this manner, as in [25]. These would also help us to extend existing tools [21, 33, 11, 13] with assertions.

References

[1] Martín Abadi, Bruno Blanchet, and Cédric Fournet. The applied pi calculus: mobile values, new names, and secure communication. Journal of the ACM, 65(1):1:1–1:41, 2017.
[2] Martín Abadi and Véronique Cortier. Deciding knowledge in security protocols under equational theories. Theoretical Computer Science, 367(1–2):2–32, 2006.
[3] Ben Adida. Helios: web-based open-audit voting. In 17th Conference on Security Symposium, pages 335–348, 2008.
[4] Roberto M. Amadio, Denis Lugiez, and Vincent Vanackère. On the symbolic reduction of processes with cryptographic functions. Theoretical Computer Science, 290(1):695–740, 2003.
[5] Myrto Arapinis, Jia Liu, Eike Ritter, and Mark Ryan. Stateful applied pi calculus: observational equivalence and labelled bisimilarity. Journal of Logical and Algebraic Methods in Programming, 89:95–149, 2017.
[6] Michael Backes, Cătălin Hriţcu, and Matteo Maffei. Automated verification of remote electronic voting protocols in the applied pi-calculus. In 21st IEEE Computer Security Foundations Symposium, pages 195–209, 2008.
[7] Michael Backes, Matteo Maffei, and Dominique Unruh. Zero-knowledge in the applied pi-calculus and automated verification of the Direct Anonymous Attestation protocol. In 29th IEEE Symposium on Security and Privacy, pages 202–215, 2008.
[8] A. Baskar, R. Ramanujam, and S. P. Suresh. A DEXPTIME-complete Dolev-Yao theory with distributive encryption. In 35th International Symposium on Mathematical Foundations of Computer Science, volume 6281 of Lecture Notes in Computer Science, pages 102–113, 2010.
[9] Mathieu Baudet. Deciding security of protocols against off-line guessing attacks. In 12th ACM Conference on Computer and Communications Security, pages 16–25, 2005.
[10] Bruno Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In 14th IEEE Computer Security Foundations Workshop, pages 82–96, 2001.
[11] Bruno Blanchet. Modeling and verifying security protocols with the applied pi calculus and ProVerif. Foundations and Trends in Privacy and Security, 1(1):1–135, 2016.
[12] Bruno Blanchet and Andreas Podelski. Verification of cryptographic protocols: tagging enforces termination. Theoretical Computer Science, 333(1–2):67–90, 2005.
[13] Vincent Cheval, Steve Kremer, and Itsaka Rakotonirina. The DEEPSEC prover. In Computer Aided Verification, volume 10982 of Lecture Notes in Computer Science, pages 28–36, 2018.
[14] Vincent Cheval, Steve Kremer, and Itsaka Rakotonirina. The hitchhiker’s guide to decidability and complexity of equivalence properties in security protocols. In Logic, Language, and Security: Essays Dedicated to Andre Scedrov on the Occasion of his 65th Birthday, volume 12300 of Lecture Notes in Computer Science, pages 127–145, 2020.
[15] Yannick Chevalier, Ralf Küsters, Michaël Rusinowitch, and Mathieu Turuani. An NP decision procedure for protocol insecurity with XOR. Theoretical Computer Science, 338(1–3):247–274, 2005.
[16] Hubert Comon-Lundh and Vitaly Shmatikov. Intruder deductions, constraint solving and insecurity decisions in presence of exclusive or. In 18th IEEE Symposium on Logic in Computer Science, pages 271–280, 2003.
[17] Véronique Cortier, Stéphanie Delaune, and Pascal Lafourcade. A survey of algebraic properties used in cryptographic protocols. Journal of Computer Security, 14(1):1–43, 2006.
[18] Véronique Cortier, Stéphanie Delaune, and Vaishnavi Sundararajan. A decidable class of security protocols for both reachability and equivalence properties. Journal of Automated Reasoning, 65(4):479–520, 2021.
[19] Véronique Cortier and Steve Kremer. Formal models and techniques for analyzing security protocols: a tutorial. Foundations and Trends in Programming Languages, 1(3):151–267, 2014.
[20] Véronique Cortier, Michaël Rusinowitch, and Eugen Zălinescu. A resolution strategy for verifying cryptographic protocols with CBC encryption and blind signatures. In 7th ACM SIGPLAN International Conference on Principles and Practice of Declarative Programming, pages 12–22, 2005.
[21] Cas J. F. Cremers. The Scyther tool: verification, falsification, and analysis of security protocols. In 20th International Conference on Computer Aided Verification, volume 5123 of Lecture Notes in Computer Science, pages 414–418, 2008.
[22] Danny Dolev and Andrew Yao. On the security of public-key protocols. IEEE Transactions on Information Theory, 29(2):198–208, 1983.
[23] Nancy Durgin, Patrick Lincoln, John Mitchell, and Andre Scedrov. Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security, 12(2):247–311, 2004.
[24] Atsushi Fujioka, Tatsuaki Okamoto, and Kazuo Ohta. A practical secret voting scheme for large scale elections. In Advances in Cryptology – AUSCRYPT, volume 718 of Lecture Notes in Computer Science, pages 244–251, 1992.
[25] Sébastien Gondron, Sebastian Mödersheim, and Luca Viganò. Privacy as reachability. In 35th IEEE Computer Security Foundations Symposium, pages 130–146, 2022.
[26] Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilinear groups. In Advances in Cryptology – EUROCRYPT, volume 4965 of Lecture Notes in Computer Science, pages 415–432, 2008.
[27] Nevin Heintze and Doug Tygar. A model for secure protocols and their compositions. IEEE Transactions on Software Engineering, 22(1):16–30, 1996.
[28] Steve Kremer and Robert Künnemann. Automated analysis of security protocols with global state. Journal of Computer Security, 24(5):583–616, 2016.
[29] Steve Kremer and Mark Ryan. Analysis of an electronic voting protocol in the applied pi calculus. In Programming Languages and Systems – ESOP 2005, volume 3444 of Lecture Notes in Computer Science, pages 186–200, 2005.
[30] Pascal Lafourcade, Denis Lugiez, and Ralf Treinen. Intruder deduction for the equational theory of abelian groups with distributive encryption. Information and Computation, 205(4):581–623, 2007.
[31] Matteo Maffei, Kim Pecina, and Mathieu Reinert. Security and privacy by declarative design. In 26th IEEE Computer Security Foundations Symposium, pages 81–96, 2013.
[32] David A. McAllester. Automatic recognition of tractability in inference relations. Journal of the ACM, 40(2):284–303, 1993.
[33] Simon Meier, Benedikt Schmidt, Cas Cremers, and David Basin. The TAMARIN prover for the symbolic analysis of security protocols. In 25th International Conference on Computer Aided Verification, volume 8044 of Lecture Notes in Computer Science, pages 696–701, 2013.
[34] Jonathan K. Millen and Vitaly Shmatikov. Constraint solving for bounded-process cryptographic protocol analysis. In 8th ACM Conference on Computer and Communications Security, pages 166–175, 2001.
[35] R. Ramanujam, Vaishnavi Sundararajan, and S. P. Suresh. Existential assertions for voting protocols. In Financial Cryptography and Data Security, volume 10323 of Lecture Notes in Computer Science, pages 337–352, 2017.
[36] R. Ramanujam and S. P. Suresh. Decidability of context-explicit security protocols. Journal of Computer Security, 13(1):135–165, 2005.
[37] R. Ramanujam and S. P. Suresh. A (restricted) quantifier elimination for security protocols. Theoretical Computer Science, 367(1–2):228–256, 2006.
[38] Michaël Rusinowitch and Mathieu Turuani. Protocol insecurity with finite number of sessions and composed keys is NP-complete. Theoretical Computer Science, 299(1–3):451–475, 2003.

Appendix A Proof of Theorem 40

We want to check if $(S;A)\vdash_{\mathit{a}}\alpha$ , where ${\sf bv}(\alpha)\cap{\sf vars}(S;A)=\emptyset$ . Let $(T;E)=\mathit{ker}(S;A)$ . By Theorem 16, this reduces to checking if there are a substitution $\mu$ with ${\sf dom}(\mu)={\sf bv}(\alpha)$ and a set $X\subseteq{\sf hat}(\alpha)$ s.t. $\forall{}x\in{\sf bv}(\alpha):T\vdash_{\mathit{dy}}\mu(x)$ and for all $\beta\in X$ , $(T;E)\vdash_{\mathit{a}}\mu(\beta)$ . For formulas in $X$ that are not of the form ${{t}\bowtie{u}}$ , all terms occurring in them are variables or names, so $\mu$ is atomic on variables occurring in them. It therefore suffices to only consider assertions of the form ${{t}\bowtie{u}}$ .

So the problem is as follows. There is a set of terms $\mathscr{C}$ and $(T;E)$ with ${\sf st}(T)\cup{\sf st}(E)\subseteq\mathscr{C}$ , and a substitution $\mu$ with ${\sf dom}(\mu)\cap{\sf vars}(T;E)=\emptyset$ , which satisfies some derivabilities of the form $T\vdash_{\mathit{dy}}t$ and $T;E\vdash_{\mathit{eq}}{{t}\bowtie{u}}$ , where $t,u\in\mathscr{C}$ . We seek a small $\nu$ that preserves the above derivabilities. To reduce clutter, we use $Z$ to refer to ${\sf dom}(\mu)$ . Let $\mathscr{D}=\mathscr{C}\setminus Z$ . Since $T\vdash_{\mathit{dy}}\mu(x)$ , all variables occurring in $\mu(x)$ must also be in ${\sf vars}(T)$ . But ${\sf vars}(T;E)\cap Z=\emptyset$ , so ${\sf vars}(\mu(x))\cap Z=\emptyset$ .

Define $t\approx u$ iff $T;E\vdash_{\mathit{eq}}\mu({{t}\bowtie{u}})$ . It is easy to see that $\approx$ is a partial equivalence relation (on the subset of terms $t$ such that $T\vdash_{\mathit{dy}}\mu(t)$ ).

We say that $x\in Z$ is minimal if there is no $t\in\mathscr{D}$ with $x\approx t$ . Let $\mathscr{V}_{m}$ denote the set of all minimal variables. Our strategy for finding a small $\nu$ is to “zap” minimal variables, and propagate the change to (interpretations of) non-minimal variables. To this end, it is convenient to translate every term to an “equivalent” one with only minimal variables. The notion of equivalence is based on unifiability under $\mu$ . The set of all such terms that are equivalent to terms in $\mathscr{C}$ is defined as follows.

Definition 41.

$\widehat{\mathscr{C}}\coloneqq\{t\mid{\sf vars}(t)\cap Z\subseteq\mathscr{V}_{m},\text{ either }t\in\mathscr{V}_{m}\text{ or }\exists{u}\in\mathscr{D}:t\approx u\}$ .

Lemma 42.

For every $t\in\mathscr{C}$ with $T\vdash_{\mathit{dy}}\mu(t)$ , there is ${t}^{*}\in\widehat{\mathscr{C}}$ such that: $T\vdash_{\mathit{dy}}\mu({t}^{*})$ ; $t\approx{t}^{*}$ ; and for all $x\in\mathscr{V}_{m}$ , $\mathbb{P}_{x}({{t}^{*}})\subseteq\mathbb{A}(T\cup Z,{t}^{*})$ .

Proof.

For $x,y\in Z$ , we define $x\prec y$ iff $\exists{r}\in\mathscr{D}[x\in{\sf st}(r)\text{ and }r\approx y]$ .

We now show that $\prec$ is acyclic. Towards this, we claim that if $x\prec y$ and $y\prec z$ , then there is some term $a$ (not necessarily in $\mathscr{C}$ ) s.t. $\mu(x)$ is a proper subterm of $\mu(a)$ and $a\approx z$ . Extending this reasoning, we see that if $x\prec^{+}x$ , we have some term $a$ such that $\mu(x)$ is a proper subterm of $\mu(a)$ and $(T;E)\vdash_{\mathit{eq}}{{\mu(a)}\bowtie{\mu(x)}}$ . But $E$ is consistent, which means that there is some $\lambda$ s.t. $\lambda(\mu(a))=\lambda(\mu(x))$ . But this is incompatible with $\mu(x)$ being a proper subterm of $\mu(a)$ . Thus $\prec$ is acyclic.

We now prove the claim. Suppose $x\prec y$ and $y\prec z$ . Then there exist $r,s\in\mathscr{D}$ such that $x\in{\sf st}(r)$ , $(T;E)\vdash_{\mathit{eq}}{{\mu(r)}\bowtie{\mu(y)}}$ , $y\in{\sf st}(s)$ , and $(T;E)\vdash_{\mathit{eq}}{{\mu(s)}\bowtie{\mu(z)}}$ . Let $a={s}[{r}]_{\mathbb{P}_{y}({s})}$ . We see that $\mu(x)$ is a proper subterm of $\mu(a)$ . From the abstractability conditions satisfied by $\mu$ and the derivability of $\mu(x)$ for all $x\in Z$ , we can justify the applications of ${\sf subst}$ necessary to obtain $(T;E)\vdash_{\mathit{eq}}{{\mu(a)}\bowtie{\mu(z)}}$ and thus $a\approx z$ .

Since $\prec$ is acyclic, we can define a notion of rank of variables: $\mathit{rank}(x)=\max\{\mathit{rank}(y)\mid y\prec^{+}x\}+1$ . For a term $u\in\mathscr{D}$ , we define $\mathit{rank}(u)=\max\{\mathit{rank}(x)\mid x\in{\sf vars}(u)\cap Z\}$ . It is easy to verify that if $u\in\mathscr{D}$ and $x\approx u$ , then $\mathit{rank}(x)>\mathit{rank}(u)$ . It is also easy to see that if $x\in\mathscr{V}_{m}$ , then $x$ has rank $0$ .
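
As an illustration only, the rank of variables can be computed by a short recursive procedure. The sketch below assumes that $\prec$ is given as a hypothetical dictionary `prec` mapping each variable to the set of its direct $\prec$-predecessors, and it takes the maximum of the empty set to be $-1$ so that a variable without predecessors gets rank $0$; both the encoding and this convention are assumptions of the sketch. Since ranks strictly increase along $\prec$, the maximum over $\prec^{+}$ is attained at a direct predecessor, which is what the code exploits.

```python
from functools import lru_cache

def ranks(prec):
    """Rank of each variable for an acyclic relation.

    prec[x] is the set of y with y ≺ x (direct predecessors only).
    rank(x) = max{rank(y) | y ≺+ x} + 1, with the max of the empty set taken as -1.
    The relation is assumed to be acyclic; a cycle would make the recursion diverge.
    """
    @lru_cache(maxsize=None)
    def rank(x):
        # The max over all ≺+ predecessors is reached at some direct predecessor.
        return max((rank(y) for y in prec.get(x, ())), default=-1) + 1

    return {x: rank(x) for x in prec}

# Hypothetical example: x ≺ y, y ≺ z, x ≺ z, and w has no predecessors.
prec = {"x": set(), "y": {"x"}, "z": {"x", "y"}, "w": set()}
print(ranks(prec))
```

In this toy instance `x` and `w` get rank 0, `y` gets rank 1 and `z` gets rank 2.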

Having set up this machinery, we prove the lemma by induction on $\delta(t)=(\mathit{rank}(t),|t|)$ . First fix an ordering on $\widehat{\mathscr{C}}$ . For $\delta(t)=(0,0)$ , we have that $t$ is a variable $x$ and $\mathit{rank}(x)=0$ . We have two cases to consider.

•

$x\in\mathscr{V}_{m}$ : Choose ${x}^{*}=x$ .
•

$x\notin\mathscr{V}_{m}$ : This means that there is some $u\in\mathscr{D}$ s.t. $x\approx u$ . But since $\mathit{rank}(x)=0$ , ${\sf vars}(u)\cap Z=\emptyset$ for each such $u$ . Choose ${x}^{*}$ to be the earliest such $u$ (according to the ordering on $\widehat{\mathscr{C}}$ ). Clearly $(T;E)\vdash_{\mathit{eq}}{{\mu(x)}\bowtie{\mu({x}^{*})}}$ , and by Lemma 15, $T\vdash_{\mathit{dy}}\mu({x}^{*})$ . Finally ${\sf vars}({x}^{*})\cap Z=\emptyset$ , so it is vacuously true that $\mathbb{P}_{y}({{x}^{*}})\subseteq\mathbb{A}(T\cup Z,{x}^{*})$ for all $y\in\mathscr{V}_{m}$ .

So suppose $\delta(t)>(0,0)$ and that the lemma is true for all $u$ such that $\delta(u)<\delta(t)$ . There are two cases to consider:

•

$t$ is a variable, say $x$ : Then $\mathit{rank}(x)>0$ , and there is $u\in\mathscr{D}$ s.t. $x\approx u$ , whence $\mathit{rank}(u)<\mathit{rank}(x)$ . Pick the earliest such $u\in\widehat{\mathscr{C}}$ . By IH there is ${u}^{*}$ , and we define ${x}^{*}={u}^{*}$ . Since $x\approx u$ and $u\approx{u}^{*}$ , we have $x\approx{x}^{*}$ , by transitivity.
•

$t$ is not a variable: For each $y\in{\sf vars}(t)\cap Z$ , there is ${y}^{*}$ . We obtain ${t}^{*}$ by replacing each $y$ by ${y}^{*}$ . Clearly ${\sf vars}({t}^{*})\cap Z\subseteq\mathscr{V}_{m}$ . Also since all variables appear in abstractable positions of $t$ , we can justify the relevant applications of ${\sf subst}$ to obtain $t\approx{t}^{*}$ . Finally, if $z$ appears in an abstractable position in $r$ and $y$ appears in an abstractable position in $s$ , then $z$ appears in an abstractable position in ${s}[{r}]_{\mathbb{P}_{y}({s})}$ . Thus the abstractability part of the statement is also fulfilled. ∎

We now define the substitution $\nu$ as follows. Assume that there is some ${\sf m}\in T\cap\mathscr{N}$ such that ${\sf m}\notin{\sf st}(E\cup\{\alpha\})\cup{\sf st}({\sf rng}(\mu))$ . (Thus ${\sf m}$ is a “spare name” that does not occur in any of the derivations under consideration.) Let $\nu_{m}$ be the substitution that maps each $x\in\mathscr{V}_{m}$ to ${\sf m}$ . For all $x\in Z:\nu(x)=\nu_{m}({x}^{*})$ . Notice that for all $x\in{\sf dom}(\nu)$ , either $\nu(x)={\sf m}$ or there is $u\in\mathscr{D}$ s.t. $\nu(x)=\nu(u)$ . Thus we can show that $\nu$ is $|\mathscr{C}|$ -bounded following the proof of Theorem 39. To complete the proof of Theorem 40, we just need to show that $\nu$ preserves derivability. This is proved in Theorem 44, the main result of this section. But first we state a useful observation.
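
The construction of $\nu$ from the map $x\mapsto{x}^{*}$ can be sketched as follows. This is a minimal illustration, not the procedure used in the proof: terms are encoded as strings (variables or names) or as tuples `(f, arg1, ..., argn)`, and the names `apply_subst`, `build_nu`, `star` and the operator `pair` are hypothetical choices made for this example.

```python
def apply_subst(term, subst):
    """Apply a substitution (dict from variable names to terms) to a term.

    Terms are strings (variables or names) or tuples (f, arg1, ..., argn).
    """
    if isinstance(term, str):
        return subst.get(term, term)
    head, *args = term
    return (head, *(apply_subst(a, subst) for a in args))

def build_nu(star, minimal_vars, spare_name="m"):
    """Return nu with nu(x) = nu_m(x*), where nu_m zaps minimal variables.

    star maps each x in Z to the term x* (containing only minimal variables of Z).
    """
    nu_m = {x: spare_name for x in minimal_vars}
    return {x: apply_subst(t_star, nu_m) for x, t_star in star.items()}

# Hypothetical data: Z = {x, y}, x is minimal, and y* = pair(x, n) for a name n.
star = {"x": "x", "y": ("pair", "x", "n")}
nu = build_nu(star, minimal_vars={"x"})
print(nu)
```

Here `nu` sends `x` to the spare name and `y` to `pair(m, n)`, so every value of `nu` is either the spare name or the image under `nu` of a term without non-minimal variables.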

Observation 43.

1.

For $x\in Z$ , if $\mu(x)\in\mathscr{C}$ then $x\notin\mathscr{V}_{m}$ .
2.

If $t\in\widehat{\mathscr{C}}$ and $\mu(t)\in\mathscr{C}$ , then ${\sf vars}(t)\cap Z=\emptyset$ and $\mu(t)=t$ .

Proof.

1.

Let $\mu(x)=t\in\mathscr{C}$ . Since ${\sf vars}(t)\cap Z=\emptyset$ , we have that $t\notin Z$ and $\mu(t)=t$ . Thus $t\in\mathscr{D}$ , and ${{\mu(x)}\bowtie{\mu(t)}}$ is derivable using the ${\sf eq}$ rule, i.e., $x\approx t$ . Therefore $x\notin\mathscr{V}_{m}$ .
2.

For every $x\in{\sf vars}(t)\cap Z$ , $\mu(x)\in\mathscr{C}$ . Thus we have $x\notin\mathscr{V}_{m}$ , by the previous part. But since $t\in\widehat{\mathscr{C}}$ , we have that ${\sf vars}(t)\cap Z\subseteq\mathscr{V}_{m}$ . The only conclusion is that ${\sf vars}(t)\cap Z=\emptyset$ , and thus $\mu(t)=t$ . ∎

Theorem 44.

1.

For any $t\in\mathscr{C}$ , if $T\vdash_{\mathit{dy}}\mu(t)$ then $T\vdash_{\mathit{dy}}\nu(t)$ .
2.

For any $t,u\in\mathscr{C}$ , if $T;E\vdash_{\mathit{eq}}{{\mu(t)}\bowtie{\mu(u)}}$ then $T;E\vdash_{\mathit{eq}}{{\nu(t)}\bowtie{\nu(u)}}$ .

Proof.

By Lemma 42, it suffices to prove the following. Let $r,s\in\widehat{\mathscr{C}}$ such that $\forall{x}\in\mathscr{V}_{m}$ , $\mathbb{P}_{x}({(r,s)})\subseteq\mathbb{A}(T\cup Z,(r,s))$ . If $T\vdash_{\mathit{dy}}\mu(r)$ then $T\vdash_{\mathit{dy}}\nu_{m}(r)$ ; and if $T;E\vdash_{\mathit{eq}}{{\mu(r)}\bowtie{\mu(s)}}$ then $T;E\vdash_{\mathit{eq}}{{\nu_{m}(r)}\bowtie{\nu_{m}(s)}}$ .

1.

Suppose $T\vdash_{\mathit{dy}}\mu(r)$ for $r$ as above. Since all positions of variables from $Z$ occurring in $r$ are abstractable w.r.t. $T\cup Z$ , and since $T\cup\{{\sf m}\}\vdash_{\mathit{dy}}{\sf m}$ , we can easily prove by induction on the size of terms that $T\cup\{{\sf m}\}\vdash_{\mathit{dy}}\nu_{m}(r)$ . Since ${\sf m}\in T$ , this is the same as $T\vdash_{\mathit{dy}}\nu_{m}(r)$ .
2.
Suppose $T;E\vdash_{\mathit{eq}}{{\mu(r)}\bowtie{\mu(s)}}$ for $r,s$ as above. Let $\pi$ be a normal proof of $T;E\vdash{{\mu(r)}\bowtie{\mu(s)}}$ with last rule ${\sf r}$ . We prove the desired statement by induction on the structure of $\pi$ . There are the following cases to consider.
- •
  
  ${\sf r}\in\{{\sf ax},{\sf eq},{\sf proj}\}$ : Three cases arise: ${{\mu(r)}\bowtie{\mu(s)}}\in E$ , and thus $\mu(r),\mu(s)\in\mathscr{C}$ . Or $\mu(r)=\mu(s)$ and $T\vdash_{\mathit{dy}}\mu(r)$ via a proof ending in ${\sf ax}$ or a destructor rule, and thus $\mu(r),\mu(s)\in{\sf st}(T)\subseteq\mathscr{C}$ . Or by subterm property for normal $\vdash_{\mathit{eq}}$ -proofs $\mu(r),\mu(s)\in{\sf st}(T;E)\subseteq\mathscr{C}$ . Thus $\mu(r),\mu(s)\in\mathscr{C}$ in all three cases. By Observation 43, ${\sf vars}(r,s)\cap Z=\emptyset$ . Thus $\nu_{m}(r)=r=\mu(r)$ and $\nu_{m}(s)=s=\mu(s)$ . Therefore $\pi$ itself is a proof of ${{\nu_{m}(r)}\bowtie{\nu_{m}(s)}}$ .
- •
  
  ${\sf r}={\sf trans}$ : Suppose the immediate subproofs are $\pi_{1},\ldots,\pi_{n}$ , with each $\pi_{i}$ deriving ${{v_{i-1}}\bowtie{v_{i}}}$ . Let $\mu(r)=v_{0}$ and $\mu(s)=v_{n}$ . Since no $\pi_{i}$ ends in ${\sf trans}$ and no two adjacent $\pi_{i}$ ’s end in ${\sf cons}$ , each $v_{i}$ (for $0<i<n$ ) appears in at least one proof ending in ${\sf ax}$ , ${\sf eq}$ or ${\sf proj}$ . Thus, by the subterm property, $v_{i}\in{\sf st}(T;E)\subseteq\mathscr{C}$ for $0<i<n$ . Since ${\sf vars}(T;E)\cap Z=\emptyset$ , it follows that $v_{i}\in\widehat{\mathscr{C}}$ and $\mu(v_{i})=v_{i}$ . Thus we can view each $\pi_{i}$ as deriving ${{\mu(r_{i-1})}\bowtie{\mu(r_{i})}}$ , where $r_{i-1},r_{i}\in\widehat{\mathscr{C}}$ (taking $r_{0}$ and $r_{n}$ to be $r$ and $s$ ). By IH, there are proofs $\varpi_{1},\ldots,\varpi_{n}$ , with each $\varpi_{i}$ deriving ${{\nu_{m}(r_{i-1})}\bowtie{\nu_{m}(r_{i})}}$ . By composing them using ${\sf trans}$ , we get a proof of $T;E\vdash{{\nu_{m}(r)}\bowtie{\nu_{m}(s)}}$ , as desired.
- •
  
  ${\sf r}={\sf cons}$ : Suppose $r={\sf f}(r_{1},\ldots,r_{n})$ and $s={\sf f}(s_{1},\ldots,s_{n})$ . Each $r_{i},s_{i}\in\widehat{\mathscr{C}}$ , and the immediate subproofs are $\pi_{1},\ldots,\pi_{n}$ , with each $\pi_{i}$ deriving ${{\mu(r_{i})}\bowtie{\mu(s_{i})}}$ . By IH we have proofs $\varpi_{1},\ldots,\varpi_{n}$ , with each $\varpi_{i}$ proving ${{\nu_{m}(r_{i})}\bowtie{\nu_{m}(s_{i})}}$ . We can compose them with the ${\sf cons}$ rule to get the desired proof of ${{\nu_{m}(r)}\bowtie{\nu_{m}(s)}}$ .
  
  Suppose, on the other hand, that $r$ is a variable. Since $r\in\widehat{\mathscr{C}}$ , $r\in\mathscr{V}_{m}$ . Now $s\in\widehat{\mathscr{C}}$ , so either $s\in\mathscr{V}_{m}$ or there is $a\in\mathscr{D}$ with $s\approx a$ . But in the second case, $r\approx a$ (by symmetry and transitivity), which cannot happen for a minimal variable $r$ . Therefore $s\in\mathscr{V}_{m}$ . And we have $\nu_{m}(r)=\nu_{m}(s)={\sf m}\in T$ , so there is a proof of $T;E\vdash_{\mathit{eq}}{{\nu_{m}(r)}\bowtie{\nu_{m}(s)}}$ ending in ${\sf eq}$ .
  
  We have a similar argument in case $s$ is a variable, thereby proving the theorem. ∎

Appendix B Normalization and subterm property for $\vdash_{\mathit{eq}}$

Suppose $E\cup\{\alpha\}$ consists only of atomic formulas and $\pi$ is a proof of $T;E\vdash_{\mathit{eq}}\alpha$ . We say that $\pi$ is normal if the following hold.

1.

All $\vdash_{\mathit{dy}}$ subproofs are normal.
2.

The premise of ${\sf sym}$ can only be the conclusion of ${\sf ax}$ or ${\sf prom}$ .
3.

The premise of ${\sf eq}$ can only be the conclusion of a destructor rule.
4.

No premise of a ${\sf trans}$ is of the form ${{a}\bowtie{a}}$ , or the conclusion of a ${\sf trans}$ .
5.

Adjacent premises of a ${\sf trans}$ are not conclusions of ${\sf cons}$ .
6.

No premise of ${\sf int}$ is the conclusion of ${\sf int}$ or ${\sf wk}$ .
7.

No subproof ending in ${\sf proj}$ contains ${\sf cons}$ .

A set $E$ of atomic formulas is said to be consistent if there is a $\lambda$ s.t. $\lambda(t)=\lambda(u)$ for each ${{t}\bowtie{u}}\in E$ , and $\lambda(t)\in\{t_{1},\ldots,t_{n}\}$ for each $t\twoheadleftarrow{[t_{1},\ldots,t_{n}]}\in E$ .
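
For the equality part of this definition, consistency amounts to the equalities in $E$ being simultaneously unifiable. The following sketch illustrates this with a textbook syntactic unification procedure. It rests on assumptions that go beyond the text: $\lambda$ is taken to be a substitution on variables, terms are encoded as strings or tuples `(f, arg1, ..., argn)`, the set `variables` says which strings are variables, and list membership assertions are not handled at all.

```python
def walk(t, lam):
    """Follow variable bindings in lam until reaching an unbound term."""
    while isinstance(t, str) and t in lam:
        t = lam[t]
    return t

def occurs(x, t, lam):
    """True if variable x occurs in t under the bindings lam."""
    t = walk(t, lam)
    if isinstance(t, str):
        return t == x
    return any(occurs(x, a, lam) for a in t[1:])

def unify(equations, variables):
    """Return bindings unifying every pair in equations, or None if none exist."""
    lam = {}
    todo = list(equations)
    while todo:
        t, u = todo.pop()
        t, u = walk(t, lam), walk(u, lam)
        if t == u:
            continue
        if isinstance(t, str) and t in variables:
            if occurs(t, u, lam):
                return None  # a term cannot equal one of its proper subterms
            lam[t] = u
        elif isinstance(u, str) and u in variables:
            todo.append((u, t))  # retry with the variable on the left
        elif (isinstance(t, tuple) and isinstance(u, tuple)
              and t[0] == u[0] and len(t) == len(u)):
            todo.extend(zip(t[1:], u[1:]))  # same operator: unify the arguments
        else:
            return None  # clash between distinct names or operators
    return lam

def equalities_consistent(equations, variables):
    """Consistency check restricted to equalities (list membership is ignored)."""
    return unify(equations, variables) is not None

# Hypothetical examples with variables x, y and names n, k.
ok = equalities_consistent([(("pair", "x", "n"), ("pair", "k", "y"))], {"x", "y"})
bad = equalities_consistent([("x", ("pair", "x", "n"))], {"x", "y"})
print(ok, bad)
```

The second example fails the occurs check, which mirrors the argument in Appendix A that a consistent $E$ cannot equate a term with one of its proper subterms.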

R1	${\sf eq}({\sf f}(\pi_{1},\pi_{2}))$
R1	${\sf cons}_{{\sf f}}({\sf eq}(\pi_{1}),{\sf eq}(\pi_{2}))$
R2	${\sf sym}({\sf eq}(\pi))$
R2	${\sf eq}(\pi)$
R3	${\sf sym}({\sf sym}(\pi))$
R3	$\pi$
R4	${\sf sym}({\sf r}(\pi_{1},\ldots,\pi_{k}))$
R4	${\sf r}({\sf sym}(\pi_{1}),\ldots,{\sf sym}(\pi_{k}))$
R5	${\sf trans}(\pi_{1},\ldots,\pi_{i-1},\varpi,\pi_{i},\ldots,\pi_{r-1})$
R5	${\sf trans}(\pi_{1},\ldots,\pi_{i-1},\pi_{i},\ldots,\pi_{r-1})$
R6	${\sf trans}(\pi_{1},\ldots,{\sf trans}(\pi^{1}_{i},\ldots,\pi^{k}_{i}),\ldots,\pi_{r-1})$
R6	${\sf trans}(\pi_{1},\ldots,\pi^{1}_{i},\ldots,\pi^{k}_{i},\ldots,\pi_{r-1})$
R7	${\sf trans}(\pi_{1},\ldots,{\sf cons}(\pi^{1}_{i-1},\pi^{2}_{i-1}),{\sf cons}(\pi^{1}_{i},\pi^{2}_{i}),\ldots,\pi_{r-1})$
R7	${\sf trans}(\pi_{1},\ldots,{\sf cons}({\sf trans}(\pi^{1}_{i-1},\pi^{1}_{i}),{\sf trans}(\pi^{2}_{i-1},\pi^{2}_{i})),\ldots,\pi_{r-1})$
R8	${\sf proj}_{j}({\sf cons}(\pi_{1},\pi_{2}))$
R8	$\pi_{j}$
R9	${\sf proj}_{j}({\sf trans}(\pi_{1},\ldots,\pi_{i-1},{\sf cons}_{{\sf f}}(\pi^{1}_{i},\pi^{2}_{i}),\pi_{i+1},\ldots,\pi_{r-1}))$
R9	${\sf trans}({\sf proj}_{j}({\sf trans}(\pi_{1},\ldots,\pi_{i-1})),\pi^{j}_{i},{\sf proj}_{j}({\sf trans}(\pi_{i+1},\ldots,\pi_{r-1})))$
R10	${\sf int}(\pi_{1},\ldots,\pi_{k-1},{\sf int}(\pi_{k},\ldots,\pi_{m}),\pi_{m+1},\ldots,\pi_{n})$
R10	${\sf int}(\pi_{1},\ldots,\pi_{k-1},\pi_{k},\ldots,\pi_{m},\pi_{m+1},\ldots,\pi_{n})$
R11	${\sf int}(\pi_{1},\ldots,{\sf wk}(\pi_{i}),\ldots,\pi_{n})$
R11	${\sf wk}(\pi_{i})$

Table 3: Proof transformation rules. The proof represented by the first line in each row is transformed to the proof represented by the second line. In R4, ${\sf r}\in\{{\sf trans},{\sf proj},{\sf cons}\}$ . In R5, ${\sf conc}(\varpi)$ is assumed to be of the form ${{a}\bowtie{a}}$ .

We next prove normalization for $\vdash_{\mathit{eq}}$ proofs (with a consistent LHS). We present proof transformation rules in Table 3. To save space, we use proof terms – ${\sf r}(\pi_{1},\ldots,\pi_{n})$ denotes a proof $\pi$ with last rule ${\sf r}$ and immediate subproofs $\pi_{1},\ldots,\pi_{n}$ . It is assumed that the derivations are from a consistent $(T;E)$ . R1 is applicable when ${\sf f}$ is a constructor rule, and ensures that $\vdash_{\mathit{dy}}$ subproofs do not end in a constructor rule. R2 and R3 eliminate some occurrences of ${\sf sym}$ , while R4 pushes ${\sf sym}$ up towards the axioms. R5 and R6 ensure that no premise of ${\sf trans}$ is the conclusion of ${\sf eq}$ or ${\sf trans}$ . R7 ensures that adjacent premises of ${\sf trans}$ are not the result of ${\sf cons}$ . R8 simplifies proofs where ${\sf proj}$ follows ${\sf cons}$ . We will discuss R9 later. R10 ensures that the conclusion of ${\sf int}$ is not a premise of ${\sf int}$ . In R11, $\pi_{i}$ proves an equality ${{v}\bowtie{n}}$ , and it is weakened to a list membership of the form $v\twoheadleftarrow\ell^{\prime}$ , but by consistency, even after intersection, the conclusion must be of the form $v\twoheadleftarrow{\ell}$ where $\lambda(v)$ is an element of $\ell$ for some $\lambda$ . Thus we can directly apply weakening to $\pi_{i}$ to get the same conclusion.

R9 requires some explanation. Let $\pi_{i}$ be the proof ${\sf cons}_{{\sf f}}(\pi^{1}_{i},\pi^{2}_{i})$ , and let ${\sf conc}(\pi_{j})$ be ${{t_{j}}\bowtie{t_{j+1}}}$ , for $1\leq j<r$ . We see that ${\sf conc}({\sf trans}(\pi_{1},\ldots,\pi_{r-1}))$ is ${{t_{1}}\bowtie{t_{r}}}$ . Since ${\sf proj}$ is applied on this, there is some constructor ${\sf g}$ such that $t_{e}={\sf g}(t^{1}_{e},t^{2}_{e})$ for $e\in\{1,r\}$ . Since $\pi_{i}$ ends in ${\sf cons}_{{\sf f}}$ , we see that $t_{e}={\sf f}(t^{1}_{e},t^{2}_{e})$ for $e\in\{i,i+1\}$ . But ${{t_{1}}\bowtie{t_{i}}}$ is provable from $(T;E)$ , which is consistent. Therefore it has to be the case that ${\sf f}={\sf g}$ . Thus we see that for all $e\in\{1,i,i+1,r\}$ , $t_{e}={\sf f}(t^{1}_{e},t^{2}_{e})$ . So we can rewrite the LHS of R9 to the RHS to get a valid proof. Note that we can apply ${\sf proj}$ on ${{t_{1}}\bowtie{t_{i}}}$ in the transformed proof since all components of $t_{1}$ and $t_{i}$ are abstractable – for $t_{1}$ this is true because the ${\sf proj}$ rule was applied to ${{t_{1}}\bowtie{t_{r}}}$ in the proof on the LHS; and for $t_{i}$ this follows from the fact that $\pi^{1}_{i}$ (resp. $\pi^{2}_{i}$ ) derives ${{t^{1}_{i}}\bowtie{t^{1}_{i+1}}}$ (resp. ${{t^{2}_{i}}\bowtie{t^{2}_{i+1}}}$ ), and so by Lemma 15, $T\vdash_{\mathit{dy}}\{t^{1}_{i},t^{2}_{i}\}$ . For a similar reason, we can apply ${\sf proj}$ on ${{t_{i+1}}\bowtie{t_{r}}}$ .
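
To make the proof-term notation concrete, here is a small sketch of how three of the simpler rules (R3, R6 and R8) could be applied mechanically. It is an illustration under stated assumptions, not the normalization procedure of the paper: proof terms are encoded as tuples `(rule, sub1, ..., subn)`, projections are named `proj1` and `proj2`, leaves such as `("ax1",)` are hypothetical axiom instances, and conclusions, abstractability side conditions and $\vdash_{\mathit{dy}}$ subproofs are not modelled.

```python
def step(p):
    """Apply one of R3, R6, R8 at the root of proof term p, if any matches.

    Returns the rewritten proof term, or None if no rule applies at the root.
    """
    rule, subs = p[0], p[1:]
    # R3: sym(sym(pi)) is rewritten to pi
    if rule == "sym" and subs[0][0] == "sym":
        return subs[0][1]
    # R6: premises of a nested trans are spliced into the outer trans
    # (this sketch flattens all nested trans premises in one step)
    if rule == "trans" and any(s[0] == "trans" for s in subs):
        flat = []
        for s in subs:
            flat.extend(s[1:] if s[0] == "trans" else [s])
        return ("trans", *flat)
    # R8: proj_j(cons(pi_1, pi_2)) is rewritten to pi_j
    if rule in ("proj1", "proj2") and subs[0][0] == "cons":
        j = int(rule[-1])
        return subs[0][j]
    return None

def normalize(p):
    """Rewrite bottom-up until none of R3, R6, R8 applies anywhere in p."""
    p = (p[0], *(normalize(s) for s in p[1:]))
    q = step(p)
    return p if q is None else normalize(q)

# Hypothetical proof terms built from axiom leaves.
p1 = ("proj1", ("cons", ("sym", ("sym", ("ax1",))), ("ax2",)))
p2 = ("trans", ("ax1",), ("trans", ("ax2",), ("ax3",)), ("ax4",))
print(normalize(p1))
print(normalize(p2))
```

On these inputs, `p1` collapses to the single leaf `("ax1",)` and `p2` becomes a flat `trans` with four premises.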

Theorem 45.

If $(T;E)\vdash_{\mathit{eq}}\alpha$ then there is a normal proof of $(T;E)\vdash\alpha$ in the $\vdash_{\mathit{eq}}$ system.

Proof.

Let $\pi$ be any proof of $(T;E)\vdash\alpha$ such that all DY subproofs of $\pi$ are normal. Suppose we repeatedly apply the transformations of Table 3 starting with $\pi$ and reach a proof $\varpi$ on which we can no longer apply any of the rules. Then $\varpi$ satisfies clauses 1 to 6 in the definition of normal proofs (since none of the rewrite rules, in particular R1–R7 and R10–R11, apply to $\varpi$ ).

Clause 7 is also satisfied by $\varpi$ , for the following reason. Suppose a subproof $\varpi_{1}$ ends in ${\sf proj}$ and $\varpi_{2}$ is a maximal subproof of $\varpi_{1}$ ending in ${\sf cons}$ . $\varpi_{2}$ is a proper subproof of $\varpi_{1}$ , so there has to be a subproof of $\varpi_{1}$ of the form $\rho={\sf r}(\cdots\varpi_{2}\cdots)$ . Since ${\sf cons}$ appears as the rule above ${\sf r}$ , a priori, ${\sf r}$ can only be one of $\{{\sf sym},{\sf trans},{\sf proj},{\sf cons}\}$ . But since $\varpi_{2}$ is a maximal subproof of $\varpi_{1}$ ending in ${\sf cons}$ , ${\sf r}\neq{\sf cons}$ . Since R4 and R8 cannot be applied on $\varpi$ , ${\sf r}\notin\{{\sf sym},{\sf proj}\}$ . But if ${\sf r}={\sf trans}$ , then $\rho$ is a proper subproof of $\varpi_{1}$ . In particular, it is the immediate subproof of some $\rho^{\prime}={\sf r}^{\prime}(\cdots\rho\cdots)$ . Now ${\sf r}^{\prime}$ cannot be ${\sf subst}$ , since then ${\sf conc}(\rho^{\prime})$ is a list membership assertion, which cannot occur in a proof ending in ${\sf proj}$ . ${\sf r}^{\prime}\neq{\sf cons}$ , as that would violate the maximality of $\varpi_{2}$ . ${\sf r}^{\prime}\notin\{{\sf sym},{\sf trans},{\sf proj}\}$ , since then one of the rewrite rules R4, R6, R9 would apply to $\varpi$ . We have ruled out all possible cases for ${\sf r}^{\prime}$ , and thus we are forced to conclude that $\varpi_{2}$ cannot be a subproof of $\varpi_{1}$ . Thus, ${\sf cons}$ does not occur in any subproof of $\varpi$ ending in ${\sf proj}$ , and $\varpi$ satisfies all the clauses in the definition of normal proofs.

We next show that we can always reach a stage where no transformation is enabled. To begin with, apply the rules R2–R4 until the premise of each occurrence of ${\sf sym}$ is the conclusion of an ${\sf ax}$ or a ${\sf prom}$ . None of the other rules converts a proof ending in ${\sf ax}$ or ${\sf prom}$ to one which does not, so the above property is preserved even if we apply the other rules in any order.

Associate three sizes to an $\vdash_{\mathit{eq}}$ -proof $\pi$ :

•

$\delta_{1}(\pi)$ is the sum of the sizes of the $\vdash_{\mathit{dy}}$ subproofs of $\pi$ ,
•

$\delta_{2}(\pi)$ is the number of ${\sf cons}$ rules that occur in $\pi$ , and
•

$\delta_{3}(\pi)$ is the size of the proof $\pi$ (number of nodes in the proof tree).

We also define $\delta(\pi)\coloneqq(\delta_{1}(\pi),\delta_{2}(\pi),\delta_{3}(\pi))$ .

We now show that if $\pi^{\prime}$ is obtained from $\pi$ by one application of any of the transformation rules other than R2–R4, $\delta(\pi^{\prime})<\delta(\pi)$ .

•

If R1 is applied, $\delta_{1}(\pi^{\prime})<\delta_{1}(\pi)$ and so $\delta(\pi^{\prime})<\delta(\pi)$ .
•

If R7 or R9 is applied, we have $\delta_{1}(\pi^{\prime})\leq\delta_{1}(\pi)$ and $\delta_{2}(\pi^{\prime})<\delta_{2}(\pi)$ . Therefore, $\delta(\pi^{\prime})<\delta(\pi)$ .
•

If R5, R6, R8, R10 or R11 is applied, we have that $\delta_{i}(\pi^{\prime})\leq\delta_{i}(\pi)$ for $i\in\{1,2\}$ and $\delta_{3}(\pi^{\prime})<\delta_{3}(\pi)$ . So $\delta(\pi^{\prime})<\delta(\pi)$ .

Thus, once we apply R2–R4 till they can no longer be applied, we cannot have an infinite sequence of transformations starting from any $\pi$ . Hence, every proof $\pi$ can be transformed into a normal proof $\varpi$ with the same conclusion. ∎
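
The termination measure can be illustrated with a short computation. The sketch below is only an illustration under assumptions of its own: proof terms are encoded as tuples `(rule, sub1, ..., subn)`, and a leaf `("dy", k)` is a hypothetical stand-in for a $\vdash_{\mathit{dy}}$ subproof with `k` nodes. Python compares tuples lexicographically, which matches the ordering on $\delta$ used above.

```python
def delta(p):
    """Return (delta1, delta2, delta3) for a proof term p.

    delta1: total size of the Dolev-Yao subproofs, encoded as leaves ("dy", k)
    delta2: number of cons rules
    delta3: number of nodes in the proof tree (a dy leaf contributes its k nodes)
    """
    if p[0] == "dy":
        return (p[1], 0, p[1])
    d1, d2, d3 = 0, 0, 1
    for s in p[1:]:
        a, b, c = delta(s)
        d1, d2, d3 = d1 + a, d2 + b, d3 + c
    if p[0] == "cons":
        d2 += 1
    return (d1, d2, d3)

A = ("ax",)  # hypothetical axiom leaf

# R6: flattening a nested trans only shrinks the third component.
before_r6 = ("trans", A, ("trans", A, A))
after_r6 = ("trans", A, A, A)

# R7: merging two adjacent cons premises removes one cons but adds nodes.
before_r7 = ("trans", A, ("cons", A, A), ("cons", A, A))
after_r7 = ("trans", A, ("cons", ("trans", A, A), ("trans", A, A)))

print(delta(before_r6), delta(after_r6))
print(delta(before_r7), delta(after_r7))
```

The R7 instance shows why the order has to be lexicographic: the number of nodes grows from 8 to 9, yet the measure still decreases because the number of `cons` rules drops from 2 to 1.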

We state and prove the subterm property next.

Theorem 46.

For any normal proof $\pi$ of $T;E\vdash_{\mathit{eq}}\alpha$ ,
${\sf terms}(\pi)\subseteq{\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})$ , and
${\sf lists}(\pi)\subseteq{\sf lists}(E\cup\{\alpha\})\cup\{[n]\mid n\in{\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})\}$ . If $\pi$ does not contain ${\sf cons}$ , then ${\sf terms}(\pi)\subseteq{\sf st}(T)\cup{\sf st}(E)$ . Also, if $\pi$ does not end in ${\sf wk}$ and does not end in ${\sf int}$ , then ${\sf lists}(\pi)\subseteq{\sf lists}(E)\cup\{[n]\mid n\in{\sf st}(T)\cup{\sf st}(E)\}$ .

We implicitly use the following easily provable facts.

(F1)

If a normal proof $\pi$ ends in ${\sf trans}$ and an immediate subproof $\varpi$ does not end in ${\sf cons}$ , then ${\sf cons}$ does not occur in $\varpi$ .
(F2)

If a normal proof $\pi$ derives a list membership assertion, ${\sf cons}$ does not occur in $\pi$ .

Proof.

Let ${\sf r}$ be the last rule of $\pi$ . We have the following cases. We mention ${\sf lists}(\pi)$ only in cases where the rules involve lists.

•

${\sf r}={\sf ax}$ : $\alpha\in E$ , so ${\sf terms}(\pi)\subseteq{\sf st}(E)$ and ${\sf lists}(\pi)\subseteq{\sf lists}(E)$ .
•

${\sf r}={\sf eq}$ : $\alpha$ is ${{t}\bowtie{t}}$ and $T\vdash_{\mathit{dy}}t$ . Since $\pi$ is a normal proof whose $\vdash_{\mathit{dy}}$ subproofs are also normal, $T\vdash_{\mathit{dy}}t$ via a proof ending in a destructor rule, and by subterm property for $\vdash_{\mathit{dy}}$ , it follows that $t\in{\sf st}(T)$ . Thus ${\sf terms}(\pi)=\{t\}\subseteq{\sf st}(T)$ .
•

${\sf r}={\sf sym}$ : ${\sf terms}(\pi)={\sf terms}(\pi^{\prime})$ , where $\pi^{\prime}$ is the immediate subproof, and the statement follows by IH.
•

${\sf r}={\sf cons}$ : $\alpha$ is ${{{\sf f}(t_{1},t_{2})}\bowtie{{\sf f}(u_{1},u_{2})}}$ , and for $i\in\{1,2\}$ , there is a subproof $\pi_{i}$ with conclusion ${{t_{i}}\bowtie{u_{i}}}$ . By IH, ${\sf terms}(\pi_{i})\subseteq{\sf st}(T\cup\{t_{i},u_{i}\})\cup{\sf st}(E)\subseteq{\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})$ for $i\in\{1,2\}$ . Thus ${\sf terms}(\pi)\subseteq{\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})$ .
•
${\sf r}={\sf trans}$ : Suppose the subproofs of $\pi$ are $\pi_{1}$ through $\pi_{k-1}$ with conclusions ${{t_{1}}\bowtie{t_{2}}}$ through ${{t_{k-1}}\bowtie{t_{k}}}$ respectively, and $\alpha={{t_{1}}\bowtie{t_{k}}}$ . Since $\pi$ is a normal proof, no two adjacent premises of ${\sf r}$ are obtained by ${\sf cons}$ , and no premise of ${\sf r}$ is obtained by ${\sf trans}$ . The following cases arise for a term $r\in{\sf terms}(\pi)$ .
- –
  
  $r\in\{t_{1},t_{k}\}$ . In this case, $r\in{\sf st}(\alpha)$ .
- –
  
  $r\in{\sf terms}(\pi_{i})$ , where $\pi_{i}$ does not end in ${\sf cons}$ . By (F1), ${\sf cons}$ does not occur in $\pi_{i}$ . By IH, $r\in{\sf st}(T)\cup{\sf st}(E)$ .
- –
  
  $r\in{\sf terms}(\pi_{i})$ , where $\pi_{i}$ ends in ${\sf cons}$ , and $1<i<k-1$ . Both $\pi_{i-1}$ and $\pi_{i+1}$ end in a rule other than ${\sf cons}$ , by normality of $\pi$ . So, by (F1), ${\sf cons}$ does not occur in $\pi_{i-1}$ and $\pi_{i+1}$ , and $t_{i},t_{i+1}\in{\sf terms}(\pi_{i-1})\cup{\sf terms}(\pi_{i+1})\subseteq{\sf st}(T)\cup{\sf st}(E)$ (by IH on $\pi_{i-1}$ and $\pi_{i+1}$ ). So, by applying IH on $\pi_{i}$ , we get $r\in{\sf st}(T)\cup{\sf st}(E\cup\{{{t_{i}}\bowtie{t_{i+1}}}\})\subseteq{\sf st}(T)\cup{\sf st}(E)$ .
- –
  
  $r\in{\sf terms}(\pi_{1})$ , where $\pi_{1}$ ends in ${\sf cons}$ . By normality of $\pi$ , we see that $\pi_{2}$ ends in a rule other than ${\sf cons}$ . So ${\sf cons}$ does not occur in $\pi_{2}$ . By IH on $\pi_{2}$ , $t_{2}\in{\sf terms}(\pi_{2})\subseteq{\sf st}(T)\cup{\sf st}(E)$ . By IH on $\pi_{1}$ , $r\in{\sf st}(T\cup\{t_{1},t_{2}\})\cup{\sf st}(E)\subseteq{\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})$ .
- –
  
  $r\in{\sf terms}(\pi_{k-1})$ , where $\pi_{k-1}$ ends in ${\sf cons}$ . The proof is similar to the above.
•

${\sf r}={\sf proj}$ : Let $\alpha={{t}\bowtie{u}}$ , got from a proof $\pi^{\prime}$ with conclusion ${{a}\bowtie{b}}$ . Since $\pi$ is normal, ${\sf cons}$ does not occur in $\pi$ (or in $\pi^{\prime}$ ). By IH, $a,b\in{\sf terms}(\pi^{\prime})\subseteq{\sf st}(T)\cup{\sf st}(E)$ . Since $t,u\in{\sf st}(\{a,b\})$ , we have ${\sf terms}(\pi)\subseteq{\sf st}(T)\cup{\sf st}(E)$ .
•

${\sf r}={\sf prom}$ : $\alpha$ is ${{t}\bowtie{u}}$ , and the immediate subproof $\pi^{\prime}$ proves $t\twoheadleftarrow{[u]}$ . $\pi^{\prime}$ does not contain ${\sf cons}$ , and so by IH, ${\sf terms}(\pi)={\sf terms}(\pi^{\prime})\subseteq{\sf st}(T)\cup{\sf st}(E)$ . Note that ${\sf lists}(\pi)\subseteq{\sf lists}(\pi^{\prime})\cup\{[u]\}$ , so the statement about lists is also true.
•

${\sf r}={\sf wk}$ : Let $\pi^{\prime}$ be the immediate subproof. The result follows from IH and the fact that ${\sf lists}(\pi)={\sf lists}(\pi^{\prime})\cup{\sf lists}(\alpha)$ .
•

${\sf r}={\sf int}$ : All terms in the conclusion appear in some proper subproof, so the statement on terms follows by IH. None of the subproofs ends in ${\sf int}$ or ${\sf wk}$ , and none of them contains ${\sf cons}$ . Thus ${\sf lists}(\pi^{\prime})\subseteq{\sf lists}(E)\cup\{[n]\mid n\in{\sf st}(T)\cup{\sf st}(E)\}$ , for every subproof $\pi^{\prime}$ . It follows that ${\sf lists}(\pi)\subseteq{\sf lists}(E\cup\{\alpha\})\cup\{[n]\mid n\in{\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})\}$ .
•

${\sf r}={\sf subst}$ : Let the major premise be $t\twoheadleftarrow{\ell}$ and the minor premise be ${{t}\bowtie{u}}$ . Both $t,u$ are from $\mathscr{V}\cup\mathscr{N}$ , and thus are in ${\sf st}(T)\cup{\sf st}(E)$ . The result follows from IH.
•

${\sf r}={\sf say}$ : Let the major premise be $\beta$ and the minor premise be $\mathit{sk}_{a}$ . Since $T\vdash_{\mathit{dy}}\mathit{sk}_{a}$ , $\mathit{sk}_{a}\in{\sf st}(T)$ . And ${\sf terms}(\pi)\subseteq{\sf st}(T)\cup{\sf st}(E)\cup{\sf st}(\beta)\cup\{\mathit{pk}_{a}\}\subseteq{\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})$ . ∎
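
For reference, the bounds used across the cases above can be collected in one place. This is a summary reconstructed from the case analysis shown here, not a restatement of the theorem itself, and it assumes $\pi$ is a normal proof with conclusion $\alpha$ from $T$ and $E$ :

$$
\begin{aligned}
{\sf terms}(\pi) &\subseteq {\sf st}(T)\cup{\sf st}(E\cup\{\alpha\}),\\
{\sf lists}(\pi) &\subseteq {\sf lists}(E\cup\{\alpha\})\cup\{[n]\mid n\in{\sf st}(T)\cup{\sf st}(E\cup\{\alpha\})\},\\
{\sf terms}(\pi) &\subseteq {\sf st}(T)\cup{\sf st}(E)\quad\text{whenever ${\sf cons}$ does not occur in $\pi$.}
\end{aligned}
$$

The third, stronger bound is the one the ${\sf cons}$ -free subproofs rely on in the ${\sf proj}$ and ${\sf prom}$ cases.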
