Alternation in Equational Tree Automata Modulo XOR

Equational tree automata accept terms modulo equational theories, and have been used to model algebraic properties of cryptographic primitives in security protocols. A serious limitation is that alternation leads to undecidability in the case of theories like ACU and that of Abelian groups, whereas for other theories like XOR, the decidability question has remained open. In this paper, we give a positive answer to this open question by giving effective reductions of alternating general two-way XOR automata to equivalent one-way XOR automata in 3EXPTIME, which also means that they are closed under intersection but not under complementation. We also show that emptiness of these automata, which is needed for deciding secrecy, can be decided directly in 2EXPTIME, without translating them to one-way automata. A key technique we use is the study of Branching Vector Plus-Minimum Systems (BVPMS), which are a variant of VASS (Vector Addition Systems with States), and for which we prove a pumping lemma allowing us to compute their coverability set in EXPTIME.
