Chapter 1 Introduction

    Anu granted him the totality of knowledge of all. He saw the Secret, discovered the Hidden, he brought information of (the time) before the Flood. (Epic of Gilgamesh)

    The best things in life aren't things. (3:26 PM Jul 21st via UberTwitter, P. Hilton)

1.1 Information Management

In what is often considered the oldest written story, the main character is first described as a man of knowledge. The mysteries of ancient Greece also regarded the possession of secret knowledge as a source of enlightenment. More prosaically, priests, astrologers, physicists and so on formed congregations based on their possession of unique knowledge, and the preservation of these congregations depended upon their monopoly on useful pieces of knowledge, e.g. the computation of the areas allocated to peasants after each flood of the Nile. In ancient societies, being able to retain and control secrets was thus a matter of self-preservation for organizations.

These ancient origins of information retention contrast with today's society, which emphasizes the instantaneous diffusion of information via platforms such as twitter.com or facebook.com. CEOs keep their own blog on their company's strategy(1), and when facing a crisis corporations try to be as open as possible to gain or recover the confidence of citizens, consumers and peers. In today's societies, being able to disseminate as much information as possible is a survival issue for corporations and individuals.

Of course the line between the need to keep some information secret and the need to disseminate other information is not so clear-cut, and both coexist in almost every society: think e.g. of advertising and patents. This is particularly visible in today's complex industrial projects such as the development of a new plane, as demonstrated by Boeing with the 787 Dreamliner, which relies on contractors spread all over the world, some of whom are also contractors for its competitor Airbus.

Thus the contrast between ancient and modern societies also routinely occurs as everyone, from the manager of a complex program involving contractors to the member of the Facebook website, has to manage information, i.e. share it with partners or withhold it. One particular difficulty in the management of information is the lack of reliability of electronic systems. Facebook members have difficulty adapting to the latest changes in Facebook's access control policies, while information system specialists fear possible computer attacks on their information systems.

1.2 Information Management in Computer Systems

Choosing to share or disclose information in a face-to-face meeting is relatively easy, as it suffices to express it or not. When in a discussion one wants some information to be passed to some partners but not to others, it is still possible to skillfully resort to some common knowledge, ambiguities, or any type of non-verbal communication to disclose the information precisely to the intended person.

The variety of possibilities offered to humans for direct communication is beyond the capacity of modern computers. Computer system conversations are message exchanges, and the lack of ambiguity in these is crucial to their proper functioning. When accounting for the fact that anyone who is willing to may participate, even passively and without the other participants being aware of it, in any conversation occurring over a medium such as the Internet, it would seem that computer users only have the choice of disclosing a piece of information to everyone or to no one, as groups did thousands of years ago.

(1) See http://www.wired.com/wired/archive/15.04/wired40_ceo.html for more context, the blog itself being at http://blog.redfin.com.
The role of cryptography is to provide computer systems with the ability humans naturally have to alter how information is expressed, in order to guarantee the identity of the participants who can extract meaningful information from the messages, or of the possible source of a message. Cryptographic protocols are predefined conversations in which the messages exchanged by the participants are protected by cryptographic operations. Most of my research work has consisted in determining whether a cryptographic protocol satisfies the guarantees it claims to achieve, and more precisely in trying to determine, in a fixed setting, whether the protocol fails to provide its users with its claimed guarantees.

But as presented above, intelligent information management requires not only control over some pieces of information but also the proper dissemination of other pieces of information. For example the Web Services framework aims at maximizing the availability of information by making it accessible via on-line services. Here the notion of information is taken in the broad sense and denotes data as well as processes. A continuation of my research on cryptographic protocols has been the extension of some results to the Web Services framework; it consists in deciding, given the messages the putative Web Services are willing to exchange with one another, whether there exists an electronic conversation that satisfies everyone's information management policy. I have considered this problem from two different angles, depending on whether one is interested in the how, i.e. considers the structure of the exchangeable messages, or in the what, i.e. considers the conditions under which a participant agrees to disclose a piece of information to someone else.

1.3 Document Outline

In the rest of this section I describe more precisely the four parts that compose this document, namely: a) the domain of application of my research, which contains a short description of cryptographic protocols and Web Services; b) the first-order logic tools that I rely upon to solve problems in the aforementioned domain; c) a description of the formal modelling, in first-order logic based frameworks, of cryptographic protocols and Web Services; and d) a summary of the results achieved.

Domain. The first part contains the description of the two application domains of my work. The first one is the analysis of cryptographic protocols, on which I began to work under the supervision of Laurent Vigneron and Michaël Rusinowitch during my PhD. Chapter 2 presents cryptographic protocols and surveys the existing analysis methods. Chapter 3 is an introduction to Web Services biased towards our purpose, which is the analysis of their communications under security constraints.

Tools. Both for didactic purposes and to serve as a reference for the later parts of this document, I begin Chapter 4 with an introduction to the basics of first-order logic by surveying the classical skolemization, compactness property, and resolution.
The latter is of special importance to us as it permits one to prove automatically that a first-order theory is unsatisfiable (one says that resolution is refutationally complete), and thus by contradiction that a property is a logical consequence of other properties. This chapter ends with more advanced material on reasoning modulo an equational theory, concluding with the replacement properties that underlie a large part of my work on the analysis of cryptographic protocols. The refutational completeness of resolution is insufficient for the practical purpose of automated deduction, as it relies on non-determinism, and the amount of computation required even for simple theories is too large even for modern computers. Refinements of resolution aim at reducing the non-determinism to turn this procedure into one suited to automated deduction, and in some cases permit one to obtain a decision procedure. We first present in Chapter 5 the classical result of Basin and Ganzinger, which proves that for first-order theories in which all permitted resolution steps have been performed, the logical consequence problem is decidable. This result is based on a refinement of resolution based on an ordering in which every atom without variables is greater than only a bounded number of other atoms. This presentation is followed by its (unpublished) extension to well-founded orderings, which I have obtained with Mounira Kourjieh when solving cryptographic protocol analysis problems.

Modelling. Now that the reader is equipped with a "survival toolkit" in first-order logic, I present the formal models on which the analysis is performed. Chapter 6 includes an article written in collaboration with M. Rusinowitch on the compilation of standard cryptographic protocol specifications into active frames. These are a simplified formal model of protocol participants in which only the global effects, not the individual operations, of the participant are taken into account. Also in this chapter I introduce symbolic derivations, in which all operations must be atomic. In contrast with active frames, which have an intuitive semantics, and with process calculi, which rely on standard programming constructs, symbolic derivations are designed to ease reasoning about protocol participants and the intruder, at the cost of some difficulty in relating this model of computation to standard constructs.

In contrast with cryptographic protocols, in which entities usually terminate their participation in the protocol after a few execution steps, Web Services may exhibit a rich behavior. Trust negotiation in particular usually ends once a fixpoint is reached. Thus in order to take into account the access control part of Web Service specifications we need to consider a framework in which loops are allowed. In collaboration with Philippe Balbiani and Marwa ElHouri I have proposed one such framework in [21, 22], from which Chapter 7 is extracted.

Results obtained.
The last part of this document presents the decidability or combination results I have obtained since my Ph.D. In a first chapter I present a synthesis of several results obtained around the decidability of the insecurity problem of cryptographic protocols when only a finite number of message exchanges by honest agents are allowed. Instead of focusing on each of the settings considered, I have tried to show how these different results are connected with one another. In doing so I have assumed that the reader is already familiar with the proofs and techniques employed in the articles [61, 67, 62].

Then in Chapter 9 I present the results obtained while I was invited in the Cassis project at INRIA Nancy Grand Est. I worked there in collaboration with M. Rusinowitch, M. Turuani, and two Ph.D. students, Mohammed Anis Mekki and Tigran Avanesov. We worked on the application of the techniques developed primarily for cryptographic protocol analysis to solve basic orchestration problems, both of which are special reachability problems. With M.A. Mekki the study focused on building a complete tool that takes as input a description of the available services in an Alice&Bob-like notation and a description of the goal of the orchestration, and produces a deployment-ready validated orchestrator service. At the time of writing, that service is deployed as a Tomcat servlet, but all the cryptography is implemented within the body of the SOAP messages. With T. Avanesov we considered a multi-intruder extension of the standard cryptographic protocol analysis setting. When performing security analysis, this setting permits us to model situations in which several intruders are willing to collaborate with one another but cannot communicate directly, and thus have to pass the information they want to exchange through honest agents. When composing Web Services, we look at a distributed orchestration problem: several partners are willing to collaborate, but they do not wish to share all the information they have. The problem is then to decide whether the participants' security policies are flexible enough to allow them to collectively implement the goal service. Generally speaking, this problem is strictly more difficult than standard orchestration (or cryptographic protocol analysis): in addition to a decision procedure for the case of Dolev-Yao-like message manipulations, we have obtained an undecidability result when the equational theory that defines the operations is subterm and convergent.

Finally in Chapter 10 I present some work on the equivalence of symbolic derivations. The problem is to determine whether an intruder can observe differences in the execution of two different protocols. A preliminary result obtained in collaboration with M. Rusinowitch was published in [75]. In that paper we provided a more succinct proof of the decidability of this problem for subterm convergent equational theories, a result originally obtained by M. Baudet [27]. In this chapter I present a criterion that actually permits one to reduce this equivalence problem to the reachability analysis performed when considering the usual trace properties. I believe that the reduction can easily be implemented in reachability analysis tools such as CL-AtSe or OFMC, and thus may be of practical interest.

Epilogue. This document ends with a last chapter on the future research directions stemming from the results obtained so far. A one-sentence summary would be: more of the same, but differently. While I plan to continue the work around reachability analysis problems, I also plan to explore further the sideways, namely:

• to work on the potential applications to safety analysis;
• to explore further the relation between reachability analysis and first-order automated reasoning techniques;
• to obtain a comprehensive framework for service composition that also takes into account trust negotiation, and as a consequence to relate more formally the models for protocols and Web Services presented in this document;
• to extend the modularity results obtained to address the modular verification of aspect-based programs.
Chapter 2 Cryptographic Protocols

The starting point of the work presented in this document is the security analysis of cryptographic protocols. We describe in this chapter what these communicating programs are, which properties they guarantee, and how they are specified. We also present a short survey of the analyses they may be subjected to, with an emphasis on our domain of research.

2.1 Cryptographic Protocols

We present in this section cryptographic protocols. In Subsection 2.1.1 we present the setting in which they are specified: the participants, the electronic communications, and the cryptographic operations. Then in Subsection 2.1.2 we briefly present a short specification of a cryptographic protocol in a Request for Comments document issued by the Internet Engineering Task Force (IETF), a standardization body. Though we do not consider exclusively cryptographic protocols specified in such documents, this serves as the basis for our first formal model of cryptographic protocols, in which the participants and the conversation they are intended to have are specified by a narration, presented in Subsection 2.1.3. Then we present some of the standard properties they can guarantee in Subsection 2.1.4. Finally we explain in Subsection 2.1.5 how the correspondence between the narrations and their properties can be established.

2.1.1 Secured Communications

A cryptographic protocol defines which messages can be exchanged between participants. The advantage gained by reducing one's possible actions to those described in the protocol is the implicit guarantee that each participant behaving as prescribed is provided with security guarantees on the data he has exchanged. This guarantee is obtained via the clever use of cryptographic primitives. These are algorithms that rely on the asymmetry of information between individuals, and are classified according to the assumptions on this asymmetry.
The most common types are:

Secret key cryptosystems: this type of cryptography was the only type of cryptography until the 1970s. It relies on a secret piece of information, called a secret key, known only within a small group. Every member of this group can both encrypt and decrypt messages with the key, while agents outside of it can neither encrypt nor decrypt the encoded message. Instances of secret key cryptosystems are Enigma [214], DES [165], 3DES [169], and the current AES [170]. Given a message M and a secret key sk(k) we denote:
    encs(M, sk(k)): the encryption of M with the key sk(k)
    decs(M, sk(k)): the decryption of M with the key sk(k)

Public key cryptosystems: the first (tentative) publication [158] on public key cryptography was met with skepticism; in the words of a reviewer: "Experience shows that it is extremely dangerous to transmit key information in the clear."(1) The first accepted paper on the topic was the presentation by Diffie and Hellman [104] of a clever usage of exponentiation in modular arithmetic. The result of their analysis was the possibility to compute a pair of keys (pk(k), sk(k)) such that messages encrypted with the key pk(k) can be decrypted only with the key sk(k), and such that sk(k) cannot feasibly be computed from pk(k). Thus the key pk(k) can be published as a phone number would be, and any participant can send information only to the agent knowing the key sk(k), given that only that agent can decrypt, i.e. understand, it. Examples of public-key cryptosystems include RSA [186, 31, 179, 180] and ElGamal [116]. Given a message M, a public key pk(k) and a secret key sk(k) we denote:
    encp(M, pk(k)): the encryption of M with the key pk(k)
    decp(M, sk(k)): the decryption of M with the key sk(k)

Signature cryptosystems: the asymmetry of public key cryptosystems can also be employed to authenticate the creator of a message. The sender signs the message he wants to send with a secret key sk(k). Anybody knowing the public key pk(k) can then verify that the signature was composed with the key sk(k), and thus originates from the possessor of that key. Given a message M, a public key pk(k) and a secret key sk(k) we denote:
    sign(M, sk(k)): the signature of M with the key sk(k)
    verif(M', M, pk(k)): the check that M' is the signature of M with the inverse of the key pk(k)

(1) http://www.merkle.com/1974/
Other functions are employed to construct messages, such as the concatenation M1, M2 of two messages. We also consider the modeling of mathematical functions such as the bitwise exclusive-or or the modular exponentiation, and will add the corresponding symbols as necessary.

2.1.2 RFCs

Cryptographic protocols are published and endorsed by various governmental or private organizations. These organizations can be formed to support one specific (set of) protocols, such as the "Liberty Alliance", or have a more general interest in one domain, such as the "OASIS Open consortium" or the "World Wide Web Consortium", for respectively the transmission and representation of information in the XML format and the Web. The Internet Engineering Task Force (IETF) is particularly important as an organization focusing on the basic protocols employed in computer-to-computer communications, and on the interoperability of their implementations. Transport Layer Security [102, 103] (TLS) is specified by a Request for Comments (RFC) document, as are some protocol proposals in early stages, such as RFC 2945, which describes the SRP Authentication and Key Exchange System. In the latter case implementation issues are not discussed, but the principle of the protocol is presented. Often such documents contain a finite state automaton describing the different states in which a program implementing the protocol can be, as well as the possible actions in each state, and/or the intended sequence of messages between participants in the protocol, as in Figure 2.1.

    Client                                        Host
    U = <username>                       →
                                         ←        s = <salt from passwd file>
        Upon identifying himself to the host, the client receives the salt
        stored on the host under his username.
    a = random()
    A = g^a % N                          →
                                                  v = <stored password verifier>
                                                  b = random()
                                         ←        B = (v + g^b) % N
    p = <raw password>
    x = SHA(s | SHA(U | ":" | p))
    S = (B - g^x)^(a + u*x) % N                   S = (A * v^u)^b % N
    K = SHA_Interleave(S)                         K = SHA_Interleave(S)

Figure 2.1: Annotated message sequence chart extracted from RFC 2945 (SRP Authentication and Key Exchange System).
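To make the chart of Figure 2.1 concrete, here is an added example (not part of the original document) that runs one SRP-3 session as specified in RFC 2945 and checks that the client, who knows the raw password, and the host, who only stores the salt and the verifier v, derive the same K. The scrambling parameter u, which the figure uses without defining it, is the first 32 bits of SHA(B) as in the RFC. The group (N, g) below is a constructed toy: 2^31 - 1 is prime and 7 is a primitive root modulo it, which keeps the run instantaneous; real deployments use the large safe-prime groups of RFC 5054.

```python
# Added example, not from the original document: the SRP-3 session of
# Figure 2.1 (RFC 2945) run end to end so that both sides derive K.
# Constructed toy group: 2^31-1 is prime and 7 is a primitive root modulo it.
# It is far too small for real use; deployments use the RFC 5054 groups.
import hashlib
import secrets

N = 2**31 - 1
g = 7


def sha1(*parts):
    return hashlib.sha1(b"".join(parts)).digest()


def itob(n):
    """Big-endian bytes of a non-negative integer (at least one byte)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def sha_interleave(S):
    """SHA_Interleave of RFC 2945 section 3.1: a 40-byte K from the shared S."""
    T = itob(S).lstrip(b"\x00")
    if len(T) % 2:                  # odd length: also drop the first byte
        T = T[1:]
    G, H = sha1(T[0::2]), sha1(T[1::2])
    return b"".join(bytes((gb, hb)) for gb, hb in zip(G, H))


def private_x(s, U, p):
    """x = SHA(s | SHA(U | ":" | p)), the client's long-term exponent."""
    return int.from_bytes(sha1(s, sha1(U, b":", p)), "big")


def enroll(U, p, s=None):
    """Host-side registration: the password file keeps (s, v = g^x) only."""
    s = secrets.token_bytes(16) if s is None else s
    return s, pow(g, private_x(s, U, p), N)


def scrambler(B):
    """u = the first 32 bits of SHA(B), MSB first (RFC 2945 section 3)."""
    return int.from_bytes(sha1(itob(B))[:4], "big")


def srp_session(U, p_client, passwd_entry, a=None, b=None):
    """One run of Figure 2.1: returns (K computed by the client, K computed by the host)."""
    s, v = passwd_entry                                      # Host: salt and verifier for U
    a = secrets.randbelow(N - 2) + 1 if a is None else a     # Client: a = random()
    b = secrets.randbelow(N - 2) + 1 if b is None else b     # Host:   b = random()

    # Client -> Host: U;  Host -> Client: s  (both in the clear)
    A = pow(g, a, N)                                         # Client -> Host: A = g^a % N
    if A % N == 0:
        raise ValueError("host aborts: A is 0 mod N")        # a forged A = 0 would force S_host = 0
    B = (v + pow(g, b, N)) % N                               # Host -> Client: B = (v + g^b) % N
    if B % N == 0:
        raise ValueError("client aborts: B is 0 mod N")
    u = scrambler(B)
    if u == 0:
        raise ValueError("abort: u = 0 drops v from the host's S")

    x = private_x(s, U, p_client)                            # Client: p = <raw password>
    S_client = pow((B - pow(g, x, N)) % N, a + u * x, N)     # (B - g^x)^(a + u*x) % N
    S_host = pow((A * pow(v, u, N)) % N, b, N)               # (A * v^u)^b % N
    return sha_interleave(S_client), sha_interleave(S_host)


if __name__ == "__main__":
    entry = enroll(b"alice", b"correct horse battery staple")
    kc, kh = srp_session(b"alice", b"correct horse battery staple", entry)
    print("client and host agree on K:", kc == kh, kc.hex())
```

The two S computations agree because B - g^x = g^b, so both sides obtain g^(ab + ubx); with a wrong password the client's x differs and the two K values diverge, which is what the subsequent proof-of-K messages of the RFC detect. Note that the figure follows RFC 2945 (SRP-3); the later SRP-6a of RFC 5054 computes B = k*v + g^b and pads values before hashing, so this code does not interoperate with an RFC 5054 server.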
2.1.3 Narrations

Though in the Avispa and Avantssar projects we have worked on the definition of more complex protocol specification languages, the specification of a protocol by a single sequence of messages as in [98, 148, 126, 162] is sufficient for most cryptographic protocols, even though the internal computations of the agents are not specified. In its simplest form, a narration is a sequence of message exchanges followed by the initial knowledge each participant must have to engage in the protocol (Needham-Schroeder Public Key protocol, [166]):

    A → B : encp((A, Na), KB)
    B → A : encp((Na, Nb), KA)
    A → B : encp(Nb, KB)

    where
    A knows A, B, KA, KB, KA^-1
    B knows A, B, KA, KB, KB^-1

The names A and B in this sequence do not refer to any particular individual but to roles in the narration; common names instead of A and B are Client, Server, Initiator, ... Actual participants in an instance (also called session) of the protocol each play one of the roles defined by the message exchange.

We note that the messages Na and Nb are in the knowledge of neither A nor B. These are nonces, i.e. random values created at the beginning of each instance of the protocol.

Personal work. We present in Chapter 6 how these narrations can be given an operational semantics. The languages we have developed in the course of the Avispa and Avantssar projects did not need such developments, given that the modeler of a protocol in HLPSL [64] or ASLan V.2 also has to specify the internal actions of the roles. Though it is often tedious to write such specifications, the language aims at a greater accuracy of the protocol model.
We note that the latest works, such as [163], step back from this choice and return to simpler models.

2.1.4 Security Properties

Generally speaking [83], one can distinguish two kinds of properties for programs such as protocols:

• properties, which are defined by a set of possible executions of the protocol;
• hyper-properties, which are defined by a set of sets of possible executions of the protocol.

Our work principally focuses on properties of protocols such as:

• secrecy, i.e. determining whether one of the messages exchanged can be constructed by an attacker;
• authentication, i.e. determining whether the principals accept only the messages originating from the participants listed in the narration.

Example 1. The simplified [147] version of the Needham-Schroeder Public Key protocol (NSPK) [166] exhibits vulnerabilities with respect to both secrecy and authentication. Whereas at the end of their respective executions A and B should be assured of having engaged in a conversation with one another and that the nonces Na and Nb are kept secret, Lowe [147] found the following attack:

    A    → I    : encp((A, Na), KI)
    I(A) → B    : encp((A, Na), KB)
    B    → I(A) : encp((Na, Nb), KA)
    I    → A    : encp((Na, Nb), KA)
    A    → I    : encp(Nb, KI)
    I(A) → B    : encp(Nb, KB)

In this attack A starts a legitimate instance of the protocol with an intruder, i.e. a dishonest agent I. This intruder then masquerades as A (the corresponding events are denoted I(A)) and initiates a session with B. B responds as if he were talking to A, and successfully ends his part of the protocol. However, in the course of his protocol instance B has accepted messages issued by I instead of A, hence an authentication failure. Furthermore, the nonces Na and Nb, which B believes to be a common secret shared with A, are actually known by I, hence a secrecy breach.

Personal work. Until recently I have worked only on the security analysis of properties such as secrecy and authentication. However, in a beginning series of works I also consider the problem of security analysis w.r.t. the equivalence of protocols. This notion is employed to reason about anonymity, e-voting protocols, the abstraction of a perfect primitive by a concrete one, and so on. Chapter 10 includes these results, which are related to the refutation of cryptographic protocols.

2.1.5 Formal methods

We have worked on the formal analysis of cryptographic protocols. This means that given a specification such as a narration we build a logical model of the protocol and its environment consisting of three parts describing respectively:

• the possible actions of agents behaving as prescribed by the roles in the protocol;
• the possible actions of an attacker in the setting considered;
• the property we want to verify.

The parallel execution of roles and of the intruder is interpreted as a conjunction. Two types of logical analysis can then be performed:
Validation: one proves that the property is logically implied by the specifications of the protocol and of the intruder;

Refutation: one constrains the logical specifications, e.g. by imposing an initial state, bounding the number of possible instances of the protocol, ..., and proves that under these restrictions the property is not logically implied by the specifications of the protocol and of the intruder.

When failing to refute a protocol, we can only conclude that under the constraints imposed there is no attack. Of course this does not mean that there is no attack when weaker constraints, or none, are imposed. Let us review some of the constraints routinely imposed:

Isolation: no protocol is executed concurrently with the one under scrutiny. While unrealistic, this assumption, or some weaker version of it, is needed given that for any protocol P one can construct a protocol P' [132] such that, when P' is executed concurrently with P, the attacker can discover a secret message exchanged in P. While this result is theoretical, as the second protocol has to be constructed from the first one, such attacks also often occur in practice [91]. In [50, 19] the isolation assumption is weakened into assuming, in some form or another, that no other protocol executed concurrently uses the same cryptographic data. Concerning the symbolic analysis of protocols, one can find in [163] similar assumptions employed to obtain the soundness of the composition of transport protocols. Other similar conditions for sequential or parallel composability can also be found in [10, 88] and others, and can be traced back to the non-unifiability condition initially introduced for the decidability of secrecy in [185].

Soundness: the properties of cryptographic primitives are usually [119, 115, 184] expressed by games in which an intruder, modeled by a probabilistic Turing machine, cannot in a reasonable amount of time have a significant advantage over a coin toss. For instance in IND-CPA games the intruder is given a public key. He then chooses two messages m0 and m1, and is presented with the encryption of either m0 or m1. He wins the game if he can choose m0 and m1 such that he has strictly(2) more than a 50% chance of guessing which one was encrypted. While there are some attempts [23, 24] to directly interpret the constructions on messages in terms of probability distributions, the usual lifting of these properties into a symbolic world is problematic given that they express what the intruder cannot do, whereas symbolic analysis rests on the description of what the intruder can do. We present how the translation from the concrete cryptographic setting to the symbolic world can be justified in Subsection 2.2.2.

(2) The actual condition is even more restrictive, and depends on the length of the key.
Bounds on the instances of the protocol: though in practice the number of distinct agents that can engage in an unbounded number of sessions of a cryptographic protocol is a priori unbounded, it has been proved [85] that if there is a secrecy (resp. authentication) failure in an arbitrary (w.r.t. the number of sessions and the agents participating in each session) instance of the protocol, then there is a secrecy (resp. authentication) failure with the same number of sessions but only 1 (resp. 2) distinct honest agents, in addition to the intruder, instantiating the roles of the protocol. Furthermore Stoller [200, 201] remarked that essentially all "standard" protocols either had a flaw found when examining a couple of sessions or were safe. While this cannot be argued for cryptographic protocols in general [160], this remark led to the refutation-based methods in which one only tries to find an attack involving a couple of distinct instances of the protocol. We present in more detail in Section 2.3 the history of refutation with a bounded number of instances of the protocol.

2.2 Validation of Cryptographic Protocols

2.2.1 Validation in a symbolic model

Validation of cryptographic protocols is usually performed under the assumption that the protocol is executed in isolation, this assumption being justified by the work on soundness w.r.t. the concrete cryptographic setting described in Section 2.2.2. Under this isolation hypothesis, validation of a protocol amounts to proving that for any number of parallel instances of the protocol, each instance provides the guarantees claimed by the protocol. This problem is usually treated by translating the descriptions of the intruder and of the honest agents into sets of (usually Horn) clauses, and by reducing the problem of the existence of an attack to a satisfiability problem.

This approach is successful in practice, see for example the ProVerif tool by B. Blanchet [38], and some decision procedures have also been obtained. The satisfiability of sets of clauses in which each clause has either at most one variable or at most one function symbol is decidable [84]; a NEXPTIME bound is given in [194, 195]. This problem is DEXPTIME-complete if all the clauses are furthermore Horn clauses. The class of sets of clauses was later extended to take into account blind copy [90] while preserving decidability. It was also extended to take into account the properties of an exclusive or [196]. While in this article it is also proven that adding an abelian group addition operation leads to undecidability, it was implemented in ProVerif in [137], and the decidability of some particular cases, including some group protocols, was proven.

2.2.2 Soundness w.r.t. a concrete model

Validation of a cryptographic protocol is done w.r.t. a given attacker model. However there is no assurance that the modeled attacker is as strong as an attacker who can take advantage of the precise arithmetic relations between the messages, the keys, and so on. For example the Pollard ρ method [182] is based on the computation of collisions (different products having the same result) in a finite group and significantly speeds up the factorization of some integers. We thus have a discrepancy between the symbolic analysis of cryptographic primitives, which is conducted independently of the actual values of the messages exchanged and the keys, and the analysis in the concrete setting, in which the attacker has access to the actual values of the messages and the keys, with this additional information opening the possibility of additional attacks on a protocol.

There has been a lot of work trying to relate concrete settings to symbolic ones, starting with [177]. As demonstrated by e.g. [50], finding a good setting is a difficult and error-prone task. However more recent works such as [19, 138, 139] have provided sound and usable definitions and cryptographic settings. If one agrees on the restrictions on the usage of cryptographic protocols and of keys imposed by these settings, there exists a cryptographic library that hides the concrete values of the keys by imposing the use of pointers instead of real data, and such that every useful manipulation on messages can be performed by calls to this library.

2.3 Refutation of Cryptographic Protocols

2.3.1 Advantages over validation

Validation of cryptographic protocols is undecidable even in the simplest settings, in which perfect cryptography is employed, the protocol is executed in isolation from other protocols, and either only a finite number of distinct values are exchanged or some typing system ensures that the complexity of the messages is bounded. Furthermore the soundness of a validation procedure is hard to establish: though one can prove that in a given symbolic model there is no attack on a protocol, this result does not necessarily translate into the validation of a concrete version of the protocol, as described in Section 2.2.2.
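The gap between the two worlds discussed here and in the Soundness item of Section 2.1.5 comes from the form of the concrete definitions: a game such as IND-CPA states what no efficient intruder can do, and it is falsified by exhibiting one intruder strategy. The following added example (not part of the original document) plays that game against two constructed toy schemes, one deterministic and one randomized; neither is a real cipher, and the adversary, oracle interface and scheme names are assumptions of the example, not the notation of the document.

```python
# Added example, not from the original document: the IND-CPA game of the
# "Soundness" item in Section 2.1.5, played by a challenger against two
# constructed toy schemes. Neither scheme is a real cipher; they only differ
# in whether encryption is deterministic.
import hashlib
import secrets


class DeterministicScheme:
    """One 16-byte block XORed with a key-derived pad: same plaintext, same ciphertext."""
    def keygen(self):
        self.key = secrets.token_bytes(16)

    def encrypt(self, m):
        pad = hashlib.sha256(b"pad" + self.key).digest()[:16]
        return bytes(x ^ y for x, y in zip(m, pad))


class RandomizedScheme:
    """Same pad, but derived from a fresh nonce r that is sent with the block."""
    def keygen(self):
        self.key = secrets.token_bytes(16)

    def encrypt(self, m):
        r = secrets.token_bytes(16)
        pad = hashlib.sha256(self.key + r).digest()[:16]
        return r + bytes(x ^ y for x, y in zip(m, pad))


class CompareWithOracle:
    """Adversary: re-encrypt m0 through the oracle and compare with the challenge."""
    def choose(self):
        return b"\x00" * 16, b"\xff" * 16

    def guess(self, oracle, challenge, m0, m1):
        return 0 if oracle(m0) == challenge else 1


def play_ind_cpa(scheme, adversary, trials=400):
    """Fraction of games the adversary wins. The adversary may query the
    encryption oracle freely (in the public-key setting the public key is
    that oracle) and must tell which of its two messages was encrypted."""
    wins = 0
    for _ in range(trials):
        scheme.keygen()
        m0, m1 = adversary.choose()
        b = secrets.randbits(1)
        challenge = scheme.encrypt((m0, m1)[b])
        if adversary.guess(scheme.encrypt, challenge, m0, m1) == b:
            wins += 1
    return wins / trials


def advantage(scheme, adversary, trials=400):
    """|2 * Pr[win] - 1|: 0 for a coin toss, 1 for a perfect distinguisher."""
    return abs(2 * play_ind_cpa(scheme, adversary, trials) - 1)


if __name__ == "__main__":
    print("deterministic:", advantage(DeterministicScheme(), CompareWithOracle()))
    print("randomized:   ", advantage(RandomizedScheme(), CompareWithOracle()))
```

Against the deterministic scheme the oracle answer equals the challenge exactly when m0 was encrypted, so the advantage is 1 and the scheme is refuted; against the randomized one the same adversary is reduced to guessing, which is evidence for the scheme but, as the text notes, not a proof: a symbolic model would instead list the operations this adversary is allowed to perform.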
However, when trying to refute a protocol, the translation to the concrete level is simpler as it suffices to prove that any action performed by the attacker in the symbolic model can be translated into an action of an attacker in the concrete model. Also the restrictions imposed on the protocols to ensure the decidability of their validation are usually too strong for real-life case studies.

These reasons motivated the refutation of cryptographic protocols under constraints: instead of trying to prove that a protocol is valid one tries to discover an attack when additional constraints on the protocol are imposed. In accordance with the observations by Stoller [200, 201] the most common constraint consists in: a) bounding the number of messages the honest participants can receive; and b) forcing the participant either to accept a message or to abort his execution of the protocol. These assumptions can be translated in terms of processes by imposing that the honest participants are modeled by processes without loops and in which the "else" branch of the conditional is always an abort. Usually one further imposes that the tests in the conditional must be (conjunctions of) positive equality tests. Another common restriction consists in bounding the complexity of the terms representing the messages.

Under these assumptions it is possible to devise decision procedures for the refutation of cryptographic protocols w.r.t. a model of the attacker. When conducting such an analysis one first has to provide the reader with a message and deduction model, and only then can one present a decision procedure w.r.t. these models. In more detail we have:

Message model: Messages are modeled by first-order terms, i.e. finite recursive structures defined by the application of some functions on terms and by constants. The first task in protocol refutation consists in defining the properties of these functions. For instance one should model that a bitwise exclusive-or operation ⊕ is commutative, i.e. for all messages x and y the equality x ⊕ y = y ⊕ x holds;

Deduction model: Then one has to model how the attacker can use messages at his disposal to create new ones. This is usually done by assuming that the intruder can apply (a subset of) the symbols employed to define the messages to construct new messages. For example an asymmetric encryption algorithm can be employed by the intruder to construct new messages, but the sk( ), pk( ) symbols, employed to denote the public and private keys, cannot be employed by the intruder to construct new keys;

Decision procedure: Finally one searches for a decision procedure applicable to all finite message exchanges where the messages are as defined in the first point, when attacked by an intruder having the deduction power defined in the second point.

Since we attempt to refute protocols, the soundness of the message and deduction models is more important than their completeness.
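The message and deduction models of the list above, as an added Python example that is not code from the thesis: terms are nested tuples, the intruder composes with pairing and encryption and decomposes with projection and decryption, and the constructed scenario checks that the key constructors sk( ) and pk( ) are never forged. Agent names, nonces and the knowledge sets are constructed for the example.

```python
"""Added example, not code from the thesis: a small symbolic deduction
model in the spirit of Section 2.3.1.  Messages are first-order terms
written as nested tuples; the intruder may apply pairing, symmetric and
asymmetric encryption (composition rules) and the matching projections
and decryptions (decomposition rules), but never the key constructors
sk( ) and pk( ).  Agent names, nonces and knowledge sets are constructed."""


# Constructors.  A constant is a string; a compound term is (symbol, args...).
def pair(a, b):
    return ("pair", a, b)


def senc(m, k):          # symmetric encryption of m under key k
    return ("senc", m, k)


def aenc(m, k):          # asymmetric encryption of m under public key k
    return ("aenc", m, k)


def pk(agent):           # public key of agent: not constructible by the intruder
    return ("pk", agent)


def sk(agent):           # private key of agent: not constructible by the intruder
    return ("sk", agent)


COMPOSABLE = ("pair", "senc", "aenc")   # the symbols the intruder may apply


def composable(t, known):
    """Can t be built from `known` using composition rules only?"""
    if t in known:
        return True
    if isinstance(t, tuple) and t[0] in COMPOSABLE:
        return all(composable(arg, known) for arg in t[1:])
    return False         # unknown constants, pk( ) and sk( ) cannot be forged


def decomposition_closure(knowledge):
    """Saturate a knowledge set under projection and decryption.  A
    decryption key may itself be composed (e.g. a pair of known atoms)."""
    known = set(knowledge)
    while True:
        new = set()
        for t in known:
            if not isinstance(t, tuple):
                continue
            sym, args = t[0], t[1:]
            if sym == "pair":
                new.update(args)
            elif sym == "senc" and composable(args[1], known):
                new.add(args[0])
            elif sym == "aenc" and isinstance(args[1], tuple) \
                    and args[1][0] == "pk" and composable(sk(args[1][1]), known):
                new.add(args[0])
        new -= known
        if not new:
            return known
        known |= new


def derivable(goal, knowledge):
    """Decide intruder deduction: decompose to a fixpoint, then compose."""
    return composable(goal, decomposition_closure(knowledge))


def sample_results():
    """Constructed scenario: the intruder 'eve' observes one message sent
    from alice to bob and holds the public keys plus her own key pair."""
    observed = aenc(pair("n_a", "alice"), pk("bob"))
    eve_knows = {observed, "eve", "n_e", pk("alice"), pk("bob"), pk("eve"), sk("eve")}
    return {
        # bob's private key is neither known nor constructible ...
        "nonce_without_key": derivable("n_a", eve_knows),
        # ... but a leaked sk(bob) immediately exposes the nonce
        "nonce_with_key": derivable("n_a", eve_knows | {sk("bob")}),
        # eve can build a fresh message for bob, since pk(bob) is public
        "forged_message": derivable(aenc("n_e", pk("bob")), eve_knows),
        # keys are never built from agent names
        "forged_sk": derivable(sk("bob"), eve_knows),
        # a symmetric key may be a composed term such as pair(k1, k2)
        "composed_key": derivable("s", {senc("s", pair("k1", "k2")), "k1", "k2"}),
    }


if __name__ == "__main__":
    for name, value in sample_results().items():
        print(f"{name}: {value}")
```

Omitting a rule the concrete primitive actually satisfies (e.g. the commutativity of ⊕) makes this check inconclusive, while adding a rule the primitive does not satisfy produces a false positive, which is the soundness remark of the text.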
Forgetting some possible equalities or deductions may lead to an inconclusive analysis (stating that no attack is found under the current hypotheses), but having unsound equalities or deductions could lead to false positives, i.e. a valid protocol could be declared as flawed.

2.3.2 Personal Work on the Refutation of Cryptographic Protocols

During my PhD I worked on the refutation of cryptographic protocols when the number of messages exchanged among the honest agents is bounded. In collaboration with Laurent Vigneron, I first extended Amadio and Lugiez's decision procedure [8] to take into account the case of non-atomic secret keys and implemented it in daTac [78]. Then we presented an abstraction of the parallel sessions of a cryptographic protocol [77, 79] in which it is possible to validate strong authentication, in contrast with other existing abstractions (e.g. [41]) in which replay attacks cannot be detected. This abstraction is based on a saturation of the protocol rules modeled as clauses, and on the extension of the intruder's deduction capacities with these so-called "oracle" rules, instead of simply checking the property in the saturated set of rules. Then, and before I finished my PhD, I worked with R. Küsters, M. Rusinowitch, and M. Turuani on the extension of the complexity result obtained in the case of perfect cryptography [190, 144] to the cases in which an exclusive-or [68, 61], an exponential for Diffie-Hellman [69, 62], commutative asymmetric encryption [60, 62], or oracle rules [63] were added to the standard set of intruder deduction rules. I finally presented a lazy constraint solving procedure [56] that extends the one in [78] to protocols in which an exclusive-or symbol appears. This procedure was implemented in CL-AtSe [208] by M. Turuani and M. Tüngerthal with some further optimization of the exclusive-or unification algorithm [207].

This series of results was however unsatisfactory given that there was no result on the decidability of refutation when e.g. both an exponential and an exclusive-or appear in the protocol. In collaboration with M. Rusinowitch we considered the problem of the combination of decision procedures for refutation, and presented a solution [70, 76] that reduces the refutation of protocols expressed over the union of two disjoint sets of operators and with ordering restrictions to problems of refutation in individual signatures with the same kind of ordering constraints. We later extended this result to well-moded but non-disjoint unions of signatures in [71, 72]. In [11] the authors build upon the first combination result to obtain a similar one on the combination of static equivalence decision procedures, while [157, 136] obtain similar conditions for the combination on non-disjoint signatures, and [47] extends it to take into account some specific properties of homomorphisms.
Finally let me mention that the well-moded constraint is rather general and intuitive, given that it was defined to model the properties of the exponential w.r.t. the abelian group of its exponents, but was also employed in [97] to model the relationship between access control and deductions on messages in PKCS#11.

When Mounira Kourjieh began her PhD under my supervision, we started to work on a novel research direction. As explained above, the traditional research on the relation between concrete and symbolic models of cryptographic primitives is based on the establishment of a set of assumptions on the use of these primitives and on the management of the keys, and on proving that under these assumptions one can build a complete symbolic model such that, if there is no flaw at the symbolic level, then there is no flaw at the concrete level. We remark that:

• the approach may be too restrictive for real-life protocols, as it requires e.g. that the keys are created and managed by a trusted entity, the cryptographic library;

• the soundness of validation in the symbolic model is hard to establish given that one has to account for all the possible actions of the attackers. This is in contrast with the soundness of refutation, for which one only has to prove that the actions described in the symbolic setting are feasible in the concrete setting.
For these two reasons we have tried to model the weaknesses of the cryptographic primitives when no assumption is made on key creation and management: instead of restricting the concrete level to make it fit a symbolic model, we have instead augmented the symbolic model to take into account the known attacks on the concrete primitives. We have achieved decidability results for signatures in the multi-user setting [58] and the decidability3 of the refutation for hash functions for which it is feasible to compute collisions [57]. This work is presented in more detail in Chapter 8.

3 Under the assumption that the combination result of [71] on deduction systems also holds on extended deduction systems.
Chapter 3
Web Services

As a continuation of my work on cryptographic protocols I began research on Web Services when I arrived in Toulouse in 2004. While at first they were simply viewed as cryptographic protocols exchanging XML messages, this very active area turned out to be the source of a variety of research problems related to the modeling of the access control policy and of the workflow of Business Processes. Also of interest is the emerging development of modular methods for the validation of Web Services. We introduce in this chapter Web Services with a short historical introduction, followed by a description of the aspects of concern to my research. I conclude it with a summary of my research on this topic.

3.1 Web Services

3.1.1 Basic services1

The usual characterization of Web Services defines a Web Service as an application that communicates with remote clients using the HTTP [114] transport protocol. The principle of having applications executed on a server computer and used by remote clients is not an original one, as it was already present in Sun's mid-90's motto "Network is the computer". However the first implementations were impractical, for several reasons:

• Sun's proposal was to code all the applications in Java to ensure interoperability.

• The Corba2 framework aimed at independence from Java, but suffered from the choice of a binary encoding of data (which implies the difficulty for different vendors to provide interoperable solutions) and of a dedicated transport protocol called IIOP [159] that imposes constraints on the programmer and limits interoperability to platforms understanding it.

These limitations have not prevented both Java and Corba from being successful in closed environments, but were too strong for the overall adoption of these solutions for client/server communications.

Given the workforce needed to specify, standardize, and implement interoperably a protocol on a variety of platforms, a natural choice for the transport protocol was to rely on an off-the-shelf, widely implemented protocol. HTTP stood out among other possibilities because a) it is an open protocol, b) client interfaces are already provided by existing Web browsers, c) these Web browsers also already support scripting languages, and d) its traffic is in most cases not blocked by firewalls. Furthermore, when employed in combination with the TLS [102, 103] protocol it provides the basic security guarantees of server authentication and confidentiality. One usually differentiates between SOAP and REST Web Services. The former are based on SOAP, an application-level transport protocol that relies on the post/get HTTP verbs. In addition to these verbs the REST Web Services also use the update/delete ones, but do not need the extra abstraction provided by the SOAP protocol.

Another characterization of Web Services (starting from WSDL 2.0 [187]) is the description of an available service in the Web Service Description Language. This is a language in which the individual functionalities, called operations, are advertised together with a description of their input and output messages, as well as a description of how one can connect to the service. An important point is that for Web Services described in WSDL, HTTP is not the only possible transport protocol.

1 This historical discussion is based, among other sources, on http://www.ibm.com/developerworks/webservices/library/ws-arc3/.
2 Common Object Request Broker Architecture.
Originally WSDL [81] was designed to describe Web Services communicating using the SOAP [120] protocol, an application-level protocol originally running on top of HTTP. Bindings of SOAP to other protocols such as JMS or SMTP have since been defined, and with WSDL 2.0 the application-level transport protocol is not necessarily SOAP anymore.

Example 2. The Amazon S33 (Simple Storage Service) provides users with a storage space as well as with operations enabling the user to set an access control policy on her files and to add, view and remove files from the store. It is available both in the REST style and in the SOAP style.

Model. In the rest of this document we consider an abstraction of Web Services in which the exact transport protocol employed is irrelevant, assuming that one could describe the messages more precisely whenever one wants to consider the exact binding employed. As a result, a Web Service is akin to a role specification in which request/response pairs of messages are defined, but without necessarily constraints on the order in which the requests are received.

3 API description available at http://docs.amazonwebservices.com/AmazonS3/latest/API/.
3.1.2 Software as a Service

WSDL defines which functionalities a service offers as well as how one communicates with the service. However, since their inception, Web services have gradually turned from remotely accessible libraries into full-fledged applications. The general idea is to transform existing applications, or create new ones, by writing independent software components and by establishing communication sequences between these components. The goal is to:

• ease the deployment of new applications and the development of new components;

• ease changes in an application by containing each one in a single component;

• rely on the fact that each component is remotely accessible to gain flexibility on the hardware infrastructure, i.e. the actual computers running the components, for example by relying on a Web server to dispatch a request to the computer on which the application is deployed.

The separation into atomic components necessitates a way to glue these components into applications. This glue is called a business process, and is written in a language in which, besides the usual assignment, conditional, and loop constructs, there exist basic constructs to invoke a remote service. Some of these languages are scripting languages such as Python or Ruby, but we have chosen to focus on BPEL [128] (Business Process Execution Language) because of its natural integration in the WSDL description of a service: invoked services are referenced using their WSDL description, and the process itself can be advertised by publishing a WSDL description of it.

A current trend is also to employ Web Services to outsource the computers on which a corporation's applications are executed, i.e. the services are not hosted on a computer belonging to the corporation but on computers provided by a third party, who in return receives some payment according to the resources used by the applications.
A merit of this cloud computing approach is the low initial cost of deployment of services as well as the reduced uncertainty on the running cost/customer ratio, a crucial benefit in the current economic environment.

Model. When analyzing the security of a Web Service, we simply model Business Processes with an ordering on the possible input and output messages. But when considering the access control policy of services we introduce a process description language which is a simplified version of BPEL, see Chapter 7.

3.1.3 Security Policies

In general terms, a policy controls the possible invocations of the operations of a service, such as its Quality of Service, or its business logic. In a framework such as JBOSS, even the business process can be encoded as a policy over the acceptable requests. Instead of analyzing policies in general, we focus on two types of security-related policies:

• the message-level security policy, which expresses how the data transmitted to and from the service has to be cryptographically secured;

• the access control policy, which is expressed at the level of the application and expresses when an invocation is legitimate.

Message Protection

There are two main ways to secure the communications of a service with its partners: a) to impose that the transport protocol must be secured, and b) to impose the usage of cryptographic primitives to protect the sensitive parts of the transmitted messages.

Given that there exist secure transport protocols such as TLS, one could wonder why one would need to further protect the messages. The main motivation for this extra protection is the fact that the protection provided by TLS is a point-to-point one, whereas complex service interactions depend upon end-to-end security. A simple example would be the payment of an item purchased on the Internet. One does not necessarily trust the e-commerce web site enough to send it one's credit card information, even though it has to be transmitted to the bank to complete the transaction. Thus the client has to send her credit card information to the e-commerce web site cryptographically protected in such a way that: a) this web site will be able to employ the protected data to complete the transaction with the bank, but also b) this web site will not be able to derive the credit card information from the data. Other applications include digital contract signing, electronic bidding, etc.

Model. Cryptographically protected messages are simply cryptographic protocol messages.
When analyzing access control policies, which rely on the payload of messages rather than on the cryptography employed to secure the messages, we partially abstract the message layer by simply assuming that the payload is either signed, encrypted, both, or neither, by a user, and that the transport protocol is either secured or not. See Chapter 7.

Authentication–Assertion–Authorization

Access control consists in determining whether a given entity has the right, under the actual known circumstances, to perform a given action on a protected object. Access control rules emit opinions on whether the access should be granted or denied, and an access control policy gathers these opinions and uses a policy combination algorithm to grant or deny the access to the resource. A rule is said to be applicable on a request if it emits a grant or deny opinion. In the simplest form rules are totally ordered, and the opinion of the first applicable rule is the resulting opinion of the set of rules, but other combination algorithms can be found e.g. in [173].
Expressibility. Just as Object Oriented programming simplifies the management of objects by organizing them in a hierarchy, a lot of research on access control is focused on the simplest ways to write rules that are both sound w.r.t. the desired policies and easily writable and understandable. In this line we note the RBAC (Role Based Access Control) framework proposed by Ferraiolo and Kuhn [113] that organizes individuals according to the administrative role they have (doctor, visitor, etc.) together with a role hierarchy that defines the inheritance of the permissions of a junior role r by a senior role r′. Access control decisions are based uniquely on the role played by the requester, on the action, and on the object in the request. OrBAC [129] refines this model by introducing a hierarchy of contexts in which a request has to be analyzed, as well as a hierarchy on objects. These models often yield very simple policies but at the expense of expressibility. For example in pure RBAC it is not possible to express that the same individual, regardless of her role, shall not perform two different actions in the same execution context (this is called dynamic separation of duty). On the other side of the spectrum, ABAC (Attribute-Based Access Control) provides no hierarchy, and the decision is based solely on the values of a set of attributes extracted from the request and from the environment. This implies that every aspect that can influence an access control decision has to be modeled by a valued attribute, and thus that this type of access control system, while being able to express any kind of policy, is hard to deploy and manage. Its versatility nonetheless made it the system of choice for Web Service access control systems such as XACML [173], especially in the currently developed XACML 3.0 version, with its WS profile [9].

Layered model of Access Control.
A layered model has emerged over the years from industry best practices as well as from the availability of dedicated systems. Access control in distributed systems is now viewed as consisting in three interacting components:

Authentication: the first phase is implemented in applications such as Shibboleth and consists in the authentication of users. I.e., a user has to authenticate to one such server using e.g. his login and password or a more complex authentication protocol, and once the authentication constraints imposed on the server are satisfied (e.g. the user has provided a valid certificate authenticating his signature verification key and has responded successfully to a challenge-response protocol) the server issues a token that can be employed by the user to prove his identity to other services. Alternatively, in the case of SAML Single Sign-On, the server will authenticate the user to other services.

Assertions: once the user is identified he can negotiate with security services to obtain assertions that qualify him. For example a user can use his identity to activate a role and thereby obtain a role membership credential. This credential can then be employed to gain new ones expressing permissions associated with this role.
Authorization: finally, when trying to execute an action on a resource, the user decorates his request with the necessary credentials, and an authorization decision is taken based on the value and origin of the provided attributes.

Model. Given that we are less interested in a user-friendly access control system than in the analysis of the access control policy of a set of Web Services, we have adopted a formal model of attribute-based access control. We have abstracted away the authentication phase by using secure channels providing authentication, and are left with the modeling of the assertion collection part and of the authorization part of access control. We present in Chapter 7 a comprehensive model of a distributed access control system for Web Services where the rules are furthermore modeled as Horn clauses.

3.2 Results achieved in the domain of Web Services

I have collaborated with Marwa El Houri, a PhD student I supervised, and Philippe Balbiani on the definition of a formal model for the analysis of Web Services [110]. Our final proposal consists in modeling each component in a Web Service infrastructure by a communicating entity, i.e. an agent that has:

• a store that permits to model a memory, a database, the history of the service, etc.;

• a trust negotiation policy that indicates which credentials the entity is ready to share with which other entities on which kind of channel;

• a workflow which consists in a set of tasks. Tasks are recursively defined, and an authorization rule controls each invocation of a task.

Depending on the part of an infrastructure (a database system, a human agent, a trust negotiation engine or a Business Process Engine) modeled by an entity, some of the above parts may be empty.

This model permits us to seamlessly encode Role Based Access Control with (dynamic) separation or binding of duties constraints as well as advanced features such as all surveyed kinds of delegation [110].
We have also enriched it with cryptographic primitives and secure channels to enable the validation of a given set of entities w.r.t. untrusted users [110].

In collaboration with Mohammed Anis Mekki, a PhD student I co-supervise with M. Rusinowitch, and M. Rusinowitch we have considered the choreography problem for a set of services. This problem consists in building, given a finite set of available services, an orchestrator that communicates with these services to achieve a given goal. I detail this work in Chapter 9. Also presented in that chapter is the work in collaboration with Tigran Avanesov, M. Rusinowitch and Mathieu Turuani on the choreography problem for services, which consists in, again given a set of available services and a goal, computing sequences of communication for each of the available services such that the goal is satisfied at the end once every participating service has ended its sequence of communication.
Chapter 4
Fundamentals of First-Order Logic

We introduce in this chapter the formalism and notions that will be employed in the rest of this document. This chapter is aimed at presenting first-order logic with an emphasis on resolution, and should be read as a basis for a course on first-order logic oriented towards resolution and its applications. This focus means that significant though unrelated notions are lacking. The interested reader can find in particular complements on sequent calculus and semantic tableaux in [94]. This chapter ends with the definition of equational theories, a more advanced concept that we need to analyze cryptographic protocols. In particular we extend the unification notions introduced together with resolution to unification modulo an equational theory. We also prove a few important facts on equational unification.

4.1 Facts, sentences, and truth

4.1.1 Reasoning on facts

Consider the following sentences:

• It is summer or the temperature is cold;

• It is not summer or the weather is rainy.

We rely on the excluded-middle law1 which states that a fact can only be true or false. As a consequence we can reason on the possible truth value of the fact "It is summer". If it is true then the fact "It is not summer" must be false. Since the second sentence is true one can deduce that the weather is rainy. But it may also be the case that the fact "It is summer" is false. Since the first sentence is true we must then have that the temperature is cold. As a conclusion of these two sentences, either the temperature is cold or the weather is rainy.

Generally speaking, if A, B1, ..., Bn, C1, ..., Ck are facts, and the sentences:

• A or B1 or ... or Bn;

• not(A) or C1 or ... or Ck

are true, then if A is true, not(A) must be false, and thus C1 or ... or Ck is true since the second sentence is. Symmetrically if A is false we must have B1 or ... or Bn because the first sentence is true. This reasoning is sound since if the assumptions are true then the conclusion must be true.

This reasoning can also be conducted if there is no alternative in one of the sentences. Assume the following two sentences are true:

• It is day or it is night;

• It is not day.

One ought to conclude that it is night. Another special case is when there is no alternative in both sentences. For instance assume the following two sentences are true:

• It is day;

• It is not day.

By following the general scheme given above we deduce that a sentence with no facts must be true. But common sense also tells us that the assumption that both sentences are true does not hold: a fact and its negation cannot both be true. We reconcile these two conclusions by imposing that a sentence with no facts must always be false, and rely on the soundness of our deduction mechanism to deduce (by contrapositive reasoning) that if the conclusion is false then one of the premises must be false. In this case, i.e. when in a set of sentences at least one must be false whatever truth value is chosen for the facts, we say that this set is inconsistent.

1 In Scottish courts the result of a criminal prosecution can be either proven (meaning guilty), not proven, or not guilty. In this case we can have at the same time that the result of the prosecution is not "proven" and is not "not proven". Beyond the anecdote, logics with no excluded-middle law (intuitionistic logic, linear logic, ...) have been employed fruitfully
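The case-based reasoning worked through above, as an added Python example that is not part of the thesis: the sentences of the examples are encoded as clauses over the facts summer, cold, rainy, day and night, closed under the general scheme, and deriving the sentence with no facts signals inconsistency. The refutation helper `entails` is the example's own addition.

```python
"""Added example, not code from the thesis: propositional resolution on
the sentences of Section 4.1.1.  A sentence is a clause, represented as a
frozenset of literals; a literal is (fact, True) for the fact itself and
(fact, False) for its negation.  The empty clause is the "sentence with no
facts" that must always be false, so deriving it from a set of sentences
shows that the set is inconsistent."""


def lit(fact, positive=True):
    return (fact, positive)


def neg(literal):
    fact, positive = literal
    return (fact, not positive)


def resolvents(c1, c2):
    """All clauses obtained from c1 and c2 by the general scheme: pick a
    fact A with A in one clause and not(A) in the other, drop both, and
    keep the remaining alternatives."""
    out = set()
    for l in c1:
        if neg(l) in c2:
            out.add(frozenset((c1 - {l}) | (c2 - {neg(l)})))
    return out


def saturate(sentences):
    """Close a finite set of clauses under resolution.  Returns the closure
    and whether the empty clause was derived.  Terminates because only
    finitely many clauses exist over the facts that occur."""
    closure = {frozenset(c) for c in sentences}
    todo = list(closure)
    while todo:
        c = todo.pop()
        for d in list(closure):
            for r in resolvents(c, d):
                if r not in closure:
                    closure.add(r)
                    todo.append(r)
    return closure, frozenset() in closure


def entails(sentences, conclusion):
    """Refutation: the sentences entail the clause `conclusion` iff adding
    the negation of each of its facts yields an inconsistent set (the
    contrapositive reasoning of the text)."""
    negated = [frozenset({neg(l)}) for l in conclusion]
    return saturate(list(sentences) + negated)[1]


# The sentences of the text, constructed as clauses.
SUMMER = [frozenset({lit("summer"), lit("cold")}),
          frozenset({lit("summer", False), lit("rainy")})]
DAY_NIGHT = [frozenset({lit("day"), lit("night")}),
             frozenset({lit("day", False)})]
CONTRADICTION = [frozenset({lit("day")}), frozenset({lit("day", False)})]


def sample_results():
    summer_closure, summer_bad = saturate(SUMMER)
    night_closure, _ = saturate(DAY_NIGHT)
    return {
        "cold_or_rainy_derived": frozenset({lit("cold"), lit("rainy")}) in summer_closure,
        "summer_consistent": not summer_bad,
        "night_derived": frozenset({lit("night")}) in night_closure,
        "day_and_not_day_inconsistent": saturate(CONTRADICTION)[1],
        # "cold" alone does not follow: it may be summer and rainy
        "cold_alone_entailed": entails(SUMMER, {lit("cold")}),
        "cold_or_rainy_entailed": entails(SUMMER, {lit("cold"), lit("rainy")}),
    }


if __name__ == "__main__":
    for name, value in sample_results().items():
        print(f"{name}: {value}")
```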
The case-based reasoning on sentences illustrated above is called resolution. It was introduced by Robinson [3] as a reasoning mechanism for the whole of first-order logic, in which one can e.g. axiomatize Zermelo-Fraenkel set theory.

Outline of this chapter. We begin this chapter with a section on orders, and review some definitions and properties. Then we define in Section 4.3 the language employed to describe sentences. We give a semantics to first-order logic sentences by defining how the language constructs are interpreted. We present in Section 4.5 some of the mathematical properties of first-order logic, namely that it suffices to consider finite sets of universally quantified clauses, where each clause is a disjunction of facts, and that it suffices to consider the truth in particular interpretations called Herbrand's interpretations. Then we present in Section 4.6 a calculus on finite sets of clauses that recognizes the finite sets of clauses that are always false. We present in Section 4.7 how to integrate an equality predicate in this setting.

1 (continued) to reason about the existence of a proof of a theorem, a proof of the negation of a theorem, and the absence of proof for both a theorem and its negation.

4.2 Orders

4.2.1 Definitions and first properties

Orderings and pre-orderings. A strict ordering < on a set S is a transitive, anti-reflexive, and anti-symmetric relation on elements of this set. An ordering ≤ is the union of a strict ordering and of the equality relation. An equivalence is a transitive, symmetric and reflexive relation. A pre-ordering is the transitive closure of the union of an equivalence relation with a strict ordering.

A strict ordering < on a set S is said to be total whenever for two elements e1, e2 ∈ S we have either e1 = e2, or e1 < e2, or e2 < e1. It is said to be well-founded whenever there is no infinite strictly decreasing sequence e1 > ... > en > .... These definitions are extended as usual to orderings and pre-orderings. We call an element e maximal (respectively strictly maximal) with respect to a set η of elements, if for any element e′ in η we have e ⪰ e′ (respectively e ≻ e′).

Extension to sets and multisets. Any ordering ≻ on a set E can be extended to an ordering ≻set on finite subsets of E as follows: given two finite subsets η1 and η2 of E we define η1 ≻set η2 if (i) η1 ≠ η2, and (ii) for every e ∈ η2 \ η1 there exists e′ ∈ η1 \ η2 such that e′ ≻ e. Given a set, any smaller set is obtained by replacing an element by a (possibly empty) set of strictly smaller elements.
Similarly, any ordering ≻ on a set E can be extended to an ordering ≻mul on finite multisets over E as follows: let ξ1 and ξ2 be two finite multisets over E. As usual we denote by ξ(e) the number of occurrences of e in the multiset ξ, and we let > denote the standard "greater-than" relation on the natural numbers. We define ξ1 ≻mul ξ2 if (i) ξ1 ≠ ξ2 and (ii) whenever ξ2(e) > ξ1(e) then ξ1(e′) > ξ2(e′) for some e′ such that e′ ≻ e.

Given a multiset, any smaller multiset is obtained by replacing an occurrence of an element by occurrences of smaller elements. We call an element e maximal (respectively strictly maximal) with respect to a multiset ξ of elements, if for any element e′ in ξ we have e ⪰ e′ (respectively e ≻ e′).

If the ordering is total (resp. well-founded), so is its multiset extension. It is easy to see that in turn this implies that if the ordering is total (resp. well-founded), so is its set extension.
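The set and multiset extensions just defined, as an added Python example that is not from the thesis. The base orderings (greater-than on the naturals, and proper divisibility as a well-founded but non-total ordering) and the sets and multisets compared are constructed for the example.

```python
"""Added example, not code from the thesis: the set and multiset extensions
of a strict ordering, following the definitions of Section 4.2.1.  The base
ordering is given as a predicate gt(a, b) meaning a ≻ b; the orderings and
the (multi)sets compared in sample_results are constructed for the example."""

from collections import Counter


def set_greater(gt, eta1, eta2):
    """eta1 ≻set eta2: (i) eta1 ≠ eta2, and (ii) every e in eta2 \\ eta1 is
    dominated by some e' in eta1 \\ eta2."""
    eta1, eta2 = set(eta1), set(eta2)
    if eta1 == eta2:
        return False
    only1, only2 = eta1 - eta2, eta2 - eta1
    return all(any(gt(e1, e) for e1 in only1) for e in only2)


def multiset_greater(gt, xi1, xi2):
    """xi1 ≻mul xi2: (i) xi1 ≠ xi2, and (ii) whenever xi2(e) > xi1(e) there is
    some e' ≻ e with xi1(e') > xi2(e').  Counter[e] is 0 for absent e."""
    xi1, xi2 = Counter(xi1), Counter(xi2)
    if xi1 == xi2:
        return False
    return all(any(gt(e1, e) and xi1[e1] > xi2[e1] for e1 in xi1)
               for e in xi2 if xi2[e] > xi1[e])


def is_maximal(gt, e, xi, strict=False):
    """e is maximal w.r.t. xi when e ⪰ e' for every e' in xi, and strictly
    maximal when e ≻ e' for every e' in xi (so e itself must not occur)."""
    return all(gt(e, e1) or (not strict and e == e1) for e1 in xi)


def sample_results():
    nat = lambda a, b: a > b                    # total and well-founded
    div = lambda a, b: a != b and a % b == 0    # proper multiple: well-founded, not total
    return {
        # one occurrence of 3 dominates three copies of 2
        "3_1_beats_2_2_2_1": multiset_greater(nat, [3, 1], [2, 2, 2, 1]),
        # two copies of 2 cannot compensate for the missing 3
        "2_2_beats_3": multiset_greater(nat, [2, 2], [3]),
        # an extra occurrence makes the multiset bigger
        "extra_copy_is_bigger": multiset_greater(nat, [1, 1], [1]),
        # replacing one occurrence by many smaller ones gives a smaller multiset
        "replace_one_by_smaller": multiset_greater(nat, [4], [3, 3, 3, 3]),
        "set_3_1_beats_2_1": set_greater(nat, {3, 1}, {2, 1}),
        "set_3_beats_3_4": set_greater(nat, {3}, {3, 4}),
        # with a partial ordering, 6 dominates 2 and 3 but is incomparable with 4
        "div_6_beats_2_2_3": multiset_greater(div, [6], [2, 2, 3]),
        "div_6_beats_4": multiset_greater(div, [6], [4]),
        "3_maximal_in_3_1_2": is_maximal(nat, 3, [3, 1, 2]),
        "3_strictly_maximal_in_3_1_2": is_maximal(nat, 3, [3, 1, 2], strict=True),
    }


if __name__ == "__main__":
    for name, value in sample_results().items():
        print(f"{name}: {value}")
```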
4.2.2 Orderings on terms and atoms

Lemma 4.1. Let ≻t be a complete simplification ordering over terms, and assume that ≻a is compatible with ≻t. Then ≻a is:

1. well-founded;

2. monotone;

3. such that B ≺a A implies Var(B) ⊆ Var(A).

Proof. We recall that the ordering ≻a is compatible with the complete simplification ordering ≻t and that ≻a is total on ground atoms.

1. Let us prove that ≻a is well-founded. By contradiction, there would otherwise exist an infinite descending chain of atoms A0 ≻a A1 ≻a .... Since the ordering is total on terms, by the compatibility of ≻a with ≻t we deduce that there is an infinite descending chain of terms t0 ≻t t1 ≻t ... where ti is a term occurring in the atom Ai. Thus ≻t is not well-founded, a contradiction with the assumption that ≻t is a complete simplification ordering.

2. Let A, B be two atoms such that B ≺a A. Suppose that A = I(t1, ..., tn) and B = I′(s1, ..., sm). By the compatibility of ≻a with ≻t, for all i ∈ {1, ..., m} there is j ∈ {1, ..., n} such that si ≺t tj, and then, by monotonicity of ≻t, siσ ≺t tjσ for any substitution σ. Again by the compatibility of ≻a with ≻t, we deduce that Bσ ≺a Aσ for any σ, and thus the monotonicity of ≻a.

3. Let A, B be two atoms such that B ≺a A. The compatibility of ≻a with ≻t implies that for each term tB occurring in B there exists a term tA occurring in A such that tB ≺t tA. Since ≻t has the subterm property, this implies Var(tB) ⊆ Var(tA). We conclude that Var(B) ⊆ Var(A).

4.3 Syntax

We have adopted a bottom-up presentation of the constructions employed to define the language of first-order logic. We first define the terms in Subsection 4.3.1. Then we introduce the predicate symbols in Subsection 4.3.3. At this point we have defined the atoms (called facts in the introduction of this chapter) that are the basic elements of first-order logic. A formula is an arrangement of atoms using the logical connectives defined in Subsection 4.3.4.
Quantiﬁers are thenintroduced to precise the meaning of formulas in Subsection 4.3.5. Finally weintroduce clauses which are formulas of a special form and correspond to thesentences in the introduction.
4.3.1 Terms

Definition 1. (Signature) Let $F$ be a finite or denumerable set. A signature $\alpha$ is a mapping from $F$ to the set of natural numbers $\mathbb{N}$. The image $\alpha(f)$ of an element $f \in F$ is called its arity.

A signature $\alpha$ employed to define terms is called a functional signature. Its domain is then called a set of function symbols. Given a functional signature $\alpha$, the constants are the elements $e \in F$ of arity 0.

We denote $T(\alpha, X)$ the set of terms built on a functional signature $\alpha$ and a denumerable set of variables $X$. A term is an expression built in finite time such that:
• constants and variables are terms;
• if $t_1, \ldots, t_n$ are terms and $\alpha(f) = n$ then $f(t_1, \ldots, t_n)$ is a term.

Given a term $t$ we denote $\mathrm{Var}(t)$ (resp. $\mathrm{Const}(t)$) the set of variables (resp. constants) occurring in $t$. A term $t$ is ground if $\mathrm{Var}(t) = \emptyset$.

Example 3. For instance we can choose a functional signature mapping every rational number to 0, the symbol "minus" to 2, the symbol "abs" to 1, and the symbol $f$ to 1. A term in this signature is an expression $t$ such as $\mathrm{abs}(\mathrm{minus}(x, f(\frac{1}{2})))$.

4.3.2 Substitutions

A substitution is a function that replaces the variables occurring in a term by other terms. It can be thought of as similar to an assignment in imperative languages, since the effect of an instruction:
    x := 1
is to replace the value of the variable $x$ with the term 1. However some care needs to be taken when considering assignments such as:
    x := x + 1
since one needs to distinguish the current value of $x$, employed to compute the expression on the right-hand side, from the next value of $x$ that will be the result of the sum.

We avoid such intricacies by imposing that a variable changed by a substitution does not occur in any term in the image of the same substitution. A simple way to obtain this is to mandate that a substitution must be an idempotent function, i.e. that applying it twice yields the same result as applying it only once.
Another point is that we want the application of a substitution to be effectively computable in finite time. Accordingly we impose that substitutions change only a finite number of variables. There are two ways to mandate this:
• The first one is to define substitutions as partial functions from variables to terms, and to impose that they have a finite domain;
• The second possibility is to say that substitutions are total functions but with a finite support set, i.e. there exists only a finite set of variables $x$ such that $\sigma(x) \neq x$.

Definition 2. (Substitutions) A substitution $\sigma : X \to T(F, X)$ is an idempotent function such that the set $\{x \in X \mid x \neq \sigma(x)\}$ is finite. A substitution $\sigma$ is ground if $\sigma(x) \neq x$ implies that $\sigma(x)$ is a ground term.

We extend substitutions homomorphically to terms in $T(F, X)$ by defining:
$$\sigma(t) = \begin{cases} \sigma(t) & \text{if } t \in X \\ f(\sigma(t_1), \ldots, \sigma(t_n)) & \text{if } t = f(t_1, \ldots, t_n) \end{cases}$$

Finally we improve the readability of this document by writing the application of a substitution $\sigma$ on a term $t$ in the postfix notation $t\sigma$. The application of first the substitution $\sigma$ and then the substitution $\tau$ on $t$ is thus written $t\sigma\tau$ instead of $\tau(\sigma(t))$. Since substitutions are endomorphisms on the algebra of terms, they can be composed, and the composition is associative.

Positions. It is often convenient to refer to a specific subterm in a term $t$. This is achieved by using positions, which can be viewed as pointers to the subterms of $t$ and are finite sequences of integers. They are defined as follows:
• the set of positions of constants and variables contains only one position, which is denoted $\varepsilon$ and is the empty sequence of integers;
• if $t_1, \ldots, t_n$ are terms with respective sets of positions $P_1, \ldots, P_n$, then the set of positions of the term $f(t_1, \ldots, t_n)$ is:
$$\{\varepsilon\} \cup \bigcup_{i=1}^{n} \{\, i \cdot p \mid p \in P_i \,\}$$

The set of the positions in a term $t$ is denoted $\mathrm{Pos}(t)$. Let $t$ be a term, and $p \in \mathrm{Pos}(t)$ be a position. We define recursively the subterm of $t$ at position $p$, denoted $t|_p$, and the symbol at position $p$, denoted $\mathrm{Symb}(t, p)$, as follows:
• $t|_\varepsilon = t$ and $\mathrm{Symb}(f(t_1, \ldots, t_n), \varepsilon) = f$;
• $f(t_1, \ldots, t_n)|_{i \cdot p} = t_i|_p$ and $\mathrm{Symb}(f(t_1, \ldots, t_n), i \cdot p) = \mathrm{Symb}(t_i, p)$.
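Terms, substitutions and positions as defined in Subsections 4.3.1 and 4.3.2, as an added Python example that is not part of the thesis. It assumes the functional signature of Example 3, with a constant `half` standing in for the rational $\frac{1}{2}$ (the rationals are not enumerated), and the class names `Var`/`App` and all function names are mine. `is_idempotent` enforces the restriction that a changed variable may not occur in an image term, `apply` is the homomorphic extension written $t\sigma$, `compose` builds the substitution whose effect is $t\sigma\tau$, and `positions`/`subterm`/`symb` implement $\mathrm{Pos}(t)$, $t|_p$ and $\mathrm{Symb}(t, p)$.

```python
# Added example, not from the thesis: terms over a functional signature,
# substitutions as in Definition 2 (finite support, idempotence check,
# homomorphic application, composition) and positions / subterms.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:                 # f(t1, ..., tn); a constant is App("c") with no arguments
    sym: str
    args: Tuple["Term", ...] = ()


Term = Union[Var, App]
Subst = Dict[Var, Term]    # only the listed variables change: finite support

# Functional signature alpha of Example 3, restricted to the symbols used here
# ("half" is an assumed constant standing in for the rational 1/2).
ALPHA = {"minus": 2, "abs": 1, "f": 1, "half": 0}


def well_formed(t: Term, alpha=ALPHA) -> bool:
    """Every symbol is applied to exactly alpha(f) arguments."""
    if isinstance(t, Var):
        return True
    return alpha.get(t.sym) == len(t.args) and all(well_formed(a, alpha) for a in t.args)


def variables(t: Term) -> FrozenSet[Var]:
    """Var(t)."""
    if isinstance(t, Var):
        return frozenset({t})
    return frozenset().union(*(variables(a) for a in t.args))


def is_ground(t: Term) -> bool:
    return not variables(t)


def apply(t: Term, sigma: Subst) -> Term:
    """Homomorphic extension of sigma to terms: returns t sigma."""
    if isinstance(t, Var):
        return sigma.get(t, t)
    return App(t.sym, tuple(apply(a, sigma) for a in t.args))


def is_idempotent(sigma: Subst) -> bool:
    """Definition 2: a variable changed by sigma may not occur in an image
    term, so {x -> f(x)} (the "x := x + 1" case) is rejected."""
    dom = {x for x, t in sigma.items() if t != x}
    return not any(dom & variables(t) for t in sigma.values())


def compose(sigma: Subst, tau: Subst) -> Subst:
    """sigma followed by tau: apply(t, compose(sigma, tau)) == apply(apply(t, sigma), tau)."""
    out = {x: apply(t, tau) for x, t in sigma.items()}
    for y, u in tau.items():
        out.setdefault(y, u)
    return {x: t for x, t in out.items() if t != x}   # keep the support finite and minimal


def positions(t: Term) -> FrozenSet[Tuple[int, ...]]:
    """Pos(t): () is epsilon, (i, ...) descends into the i-th argument (1-based)."""
    if isinstance(t, Var) or not t.args:
        return frozenset({()})
    return frozenset({()}) | frozenset((i,) + p for i, a in enumerate(t.args, 1) for p in positions(a))


def subterm(t: Term, p: Tuple[int, ...]) -> Term:
    """t|p, the subterm of t at position p."""
    for i in p:
        t = t.args[i - 1]
    return t


def symb(t: Term, p: Tuple[int, ...]) -> str:
    """Symb(t, p): the function symbol (or variable name) at position p."""
    s = subterm(t, p)
    return s.name if isinstance(s, Var) else s.sym


# The term of Example 3, abs(minus(x, f(1/2))), with "half" for 1/2.
X, Y, Z = Var("x"), Var("y"), Var("z")
T_EX3 = App("abs", (App("minus", (X, App("f", (App("half"),)))),))

if __name__ == "__main__":
    print(sorted(positions(T_EX3)))
    print(apply(T_EX3, {X: App("f", (Y,))}))
```

Note that `compose` does not re-check idempotence: the composition of two idempotent substitutions need not be idempotent, so a caller relying on Definition 2 should run `is_idempotent` on the result.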
4.3.3 Predicates

The terms on a signature $\alpha$ are related to one another by relations. While the usual examples of relations are "... is smaller than ..." or "... is equal to ...", the principle of relational database systems is to model each aspect of a problem by a relation called a table.

A signature employed to define predicate symbols is called a relational signature. Given a relational signature $\beta$ and a functional signature $\alpha$, a $(\beta, \alpha)$-atom is an expression $p(t_1, \ldots, t_n)$ where $\beta(p) = n$ and $t_1, \ldots, t_n \in T(\alpha, X)$.

Example 4. Beside the functional signature of Example 3 let us consider the following predicate signature: $\beta = \{\mathrm{inf} \mapsto 2\}$. Under this choice the expressions
$$\mathrm{inf}(\mathrm{abs}(\mathrm{minus}(x, x')), \lambda) \qquad \mathrm{inf}(\mathrm{abs}(\mathrm{minus}(f(x), f(x'))), \varepsilon)$$
are $(\beta, \alpha)$-atoms.

Given an atom $a = p(t_1, \ldots, t_n)$ we denote $\mathrm{Var}(a)$ (resp. $\mathrm{Const}(a)$) the set $\bigcup_{i=1}^{n} \mathrm{Var}(t_i)$ (resp. $\bigcup_{i=1}^{n} \mathrm{Const}(t_i)$).

4.3.4 Logical connectives and formulas

Let $\alpha$ be a functional signature and $\beta$ be a relational signature. Formulas express truth relations between $(\beta, \alpha)$-atoms. One may for instance write that two atoms must both be true, or that at least one must be true, etc. We call the functions that relate the atoms to one another logical connectives. If one denotes true with the symbol $\top$ and false with the symbol $\bot$, these connectives can a priori be any function $f : \{\bot, \top\}^n \to \{\bot, \top\}$ where $n$ is the number of connected atoms. However, defining one function for each arrangement of atoms one wishes to express would be tedious. Fortunately it has long been noted that every such function can be written as a composition of three logical connectives:
• $a \vee b$: is false iff $a$ and $b$ are both false;
• $a \wedge b$: is true iff $a$ and $b$ are both true;
• $\neg a$: is true iff $a$ is false.

For example the logical implication $a \Rightarrow b$, which is read "$a$ implies $b$", can be written $\neg a \vee b$. Note that this implication does not have the causation meaning associated with implication in natural languages.
It simply means that either the value of the atom $a$ is false (an implication with a false premise is always true) or else the value of the atom $b$ must be true. The $(\beta, \alpha)$-formulas are the expressions built in finite time such that:
• a $(\beta, \alpha)$-atom is a $(\beta, \alpha)$-formula;
• if $f_1, f_2$ are $(\beta, \alpha)$-formulas then $f_1 \vee f_2$ and $f_1 \wedge f_2$ are $(\beta, \alpha)$-formulas;
• if $f$ is a $(\beta, \alpha)$-formula then $\neg f$ is a $(\beta, \alpha)$-formula.

Example 5. Continuing Examples 3 and 4, a formula is an expression like:
$$\neg(\mathrm{inf}(\mathrm{abs}(\mathrm{minus}(x, x')), \lambda)) \vee \mathrm{inf}(\mathrm{abs}(\mathrm{minus}(f(x), f(x'))), \varepsilon)$$

Given a formula $\varphi$ in which the atoms $a_1, \ldots, a_n$ occur, we denote $\mathrm{Var}(\varphi)$ (resp. $\mathrm{Const}(\varphi)$) the set $\bigcup_{i=1}^{n} \mathrm{Var}(a_i)$ (resp. $\bigcup_{i=1}^{n} \mathrm{Const}(a_i)$).

4.3.5 Quantifiers

The definition of $(\beta, \alpha)$-formulas is still ambiguous. When one writes $a(x) \vee b(x)$ it is not clear whether one means that for some value $c$ of $x$ it is true that $a(c) \vee b(c)$, or that whatever the value $c$ of $x$ is, it is true that $a(c) \vee b(c)$. In order to make precise the meaning of the variables in the formulas one introduces existential (for some value of) and universal (for all values of) quantifiers, denoted respectively $\exists$ and $\forall$. Formally,
• a $(\beta, \alpha)$-formula is a $(\beta, \alpha)$-quantified formula with an empty set of quantified variables;
• if $\varphi$ is a $(\beta, \alpha)$-quantified formula with a set of quantified variables $Q$ and $x \in \mathrm{Var}(\varphi) \setminus Q$ then $\exists x\,\varphi$ is a $(\beta, \alpha)$-quantified formula with a set of quantified variables $Q \cup \{x\}$;
• if $\varphi$ is a $(\beta, \alpha)$-quantified formula with a set of quantified variables $Q$ and $x \in \mathrm{Var}(\varphi) \setminus Q$ then $\forall x\,\varphi$ is a $(\beta, \alpha)$-quantified formula with a set of quantified variables $Q \cup \{x\}$.

A $(\beta, \alpha)$-quantified formula in which every variable is quantified is called a $(\beta, \alpha)$-sentence. Note that in the traditional presentation of sentences in first-order logic the quantifiers may be interleaved with the logical connectives. The price of the added complexity (in terms of defining the semantics, the quantified variables, the handling of variable name clashes, etc.) is however paid for nothing: any $(\beta, \alpha)$-sentence in the standard setting is logically equivalent to a formula in the simpler language described above.
An equivalent formula can be effectively computed by algorithms that rewrite sentences in prenex normal form (see [146, 151, 94], for example).

Example 6. We complete the formula of the preceding example by quantifying the variables occurring in it in two different ways, thereby obtaining two different sentences:
$$\forall x\, \forall \varepsilon\, \exists \lambda\, \forall x',\ \neg(\mathrm{inf}(\mathrm{abs}(\mathrm{minus}(x, x')), \lambda)) \vee \mathrm{inf}(\mathrm{abs}(\mathrm{minus}(f(x), f(x'))), \varepsilon)$$
$$\forall \varepsilon\, \exists \lambda\, \forall x\, \forall x',\ \neg(\mathrm{inf}(\mathrm{abs}(\mathrm{minus}(x, x')), \lambda)) \vee \mathrm{inf}(\mathrm{abs}(\mathrm{minus}(f(x), f(x'))), \varepsilon)$$
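Atoms, formulas and quantified formulas as defined in Subsections 4.3.3 to 4.3.5, as an added Python example that is not part of the thesis, checked on the formula of Example 5 and the two sentences of Example 6. Terms are written in a compact stand-in notation of my own (a bare string for a variable, a tuple `(f, t1, ..., tn)` for an application), the relational signature is the $\beta$ of Example 4, and $x'$, $\lambda$ and $\varepsilon$ are spelled `x1`, `lam` and `eps`. `quantify` enforces the side condition $x \in \mathrm{Var}(\varphi) \setminus Q$ from the inductive definition and `is_sentence` checks that every variable is quantified; all class and function names are mine.

```python
# Added example, not from the thesis: (beta, alpha)-atoms, formulas over the
# three connectives, Var(phi) and the quantified formulas of 4.3.5, checked on
# the two sentences of Example 6.  Terms use a compact stand-in for Definition 1:
# a variable is a bare string, f(t1, ..., tn) is the tuple (f, t1, ..., tn), and a
# constant is a 1-tuple.  x' is written "x1", lambda "lam" and epsilon "eps".
from dataclasses import dataclass
from typing import FrozenSet, Tuple, Union

Term = Union[str, tuple]

def term_vars(t: Term) -> FrozenSet[str]:
    if isinstance(t, str):
        return frozenset({t})
    return frozenset().union(*(term_vars(a) for a in t[1:]))

@dataclass(frozen=True)
class Atom:                       # p(t1, ..., tn), well formed when beta(p) = n
    pred: str
    args: Tuple[Term, ...]

@dataclass(frozen=True)
class Not:
    f: "Formula"

@dataclass(frozen=True)
class Or:
    l: "Formula"
    r: "Formula"

@dataclass(frozen=True)
class And:
    l: "Formula"
    r: "Formula"

Formula = Union[Atom, Not, Or, And]
BETA = {"inf": 2}                 # relational signature of Example 4

def well_formed(phi: Formula, beta=BETA) -> bool:
    """Every predicate symbol is applied to exactly beta(p) terms."""
    if isinstance(phi, Atom):
        return beta.get(phi.pred) == len(phi.args)
    if isinstance(phi, Not):
        return well_formed(phi.f, beta)
    return well_formed(phi.l, beta) and well_formed(phi.r, beta)

def formula_vars(phi: Formula) -> FrozenSet[str]:
    """Var(phi): the union of Var(a) over the atoms a occurring in phi."""
    if isinstance(phi, Atom):
        return frozenset().union(*(term_vars(t) for t in phi.args))
    if isinstance(phi, Not):
        return formula_vars(phi.f)
    return formula_vars(phi.l) | formula_vars(phi.r)

@dataclass(frozen=True)
class Quantified:
    prefix: Tuple[Tuple[str, str], ...]   # (("forall", "x"), ("exists", "lam"), ...), outermost first
    matrix: Formula

def quantify(prefix, phi: Formula) -> Quantified:
    """Q1 x1 ... Qk xk phi as in 4.3.5: every xi must occur in phi and must not
    already be quantified, i.e. xi is in Var(phi) \\ Q at the time it is bound."""
    bound = set()
    for q, x in prefix:
        if q not in ("forall", "exists"):
            raise ValueError(f"unknown quantifier {q!r}")
        if x not in formula_vars(phi) - bound:
            raise ValueError(f"{x!r} is not in Var(phi) \\ Q")
        bound.add(x)
    return Quantified(tuple(prefix), phi)

def rejects(prefix, phi: Formula) -> bool:
    """True iff quantify() refuses the prefix (used for the negative checks)."""
    try:
        quantify(prefix, phi)
        return False
    except ValueError:
        return True

def is_sentence(qf: Quantified) -> bool:
    """A quantified formula in which every variable of the matrix is quantified."""
    return {x for _, x in qf.prefix} == formula_vars(qf.matrix)

# Example 5's formula, and Example 6's two sentences built from it.
PHI = Or(Not(Atom("inf", (("abs", ("minus", "x", "x1")), "lam"))),
         Atom("inf", (("abs", ("minus", ("f", "x"), ("f", "x1"))), "eps")))
S1 = quantify((("forall", "x"), ("forall", "eps"), ("exists", "lam"), ("forall", "x1")), PHI)
S2 = quantify((("forall", "eps"), ("exists", "lam"), ("forall", "x"), ("forall", "x1")), PHI)

if __name__ == "__main__":
    print(sorted(formula_vars(PHI)), is_sentence(S1), is_sentence(S2), S1 != S2)
```

Because quantifiers are only ever prefixed to a whole formula, the prefix is a flat tuple and the side condition reduces to "distinct variables, each occurring in the matrix"; an interleaved presentation would need the name-clash handling the text mentions.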