On Asymmetric Unification for the Theory of XOR with a Homomorphism
Christopher Lynch, Andrew M. Marshall, Catherine Meadows, Paliath, Narendran, and Veena Ravishankar

TL;DR
This paper develops a new automata-based decision procedure for asymmetric unification in the XOR theory with a homomorphism, addressing a gap in algorithms for cryptographic protocol analysis.
Contribution
It introduces a novel automata-based decision procedure for asymmetric unification in ACUNh and adapts existing methods to improve analysis capabilities.
Findings
Developed a new automata-based decision procedure for asymmetric-ACUNh.
Adapted asymmetric combination procedures for improved unification.
Compared new approach with variant unification methods.
Abstract
Asymmetric unification, or unification with irreducibility constraints, is a newly developed paradigm that arose out of the automated analysis of cryptographic protocols. However, there are still relatively few asymmetric unification algorithms. In this paper we address this lack by exploring the application of automata-based unification methods. We examine the theory of xor with a homomorphism, ACUNh, from the point of view of asymmetric unification, and develop a new automata-based decision procedure. Then, we adapt a recently developed asymmetric combination procedure to produce a general asymmetric- ACUNh decision procedure. Finally, we present a new approach for obtaining a solution-generating asymmetric-ACUNh unification automaton. We also compare our approach to the most commonly used form of asymmetric unification available today, variant unification.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
11institutetext: Clarkson University, Potsdam, NY, U.S.A.
11email: [email protected] 22institutetext: University of Mary Washington, Fredericksburg, VA, U.S.A.
22email: [email protected], [email protected] 33institutetext: Naval Research Laboratory, Washington, D.C., U.S.A.
33email: [email protected] 44institutetext: University at Albany-SUNY, Albany, NY, U.S.A.
44email: [email protected]
On Asymmetric Unification for the Theory of XOR with a Homomorphism
Christopher Lynch
11
Andrew M. Marshall
22
Catherine Meadows
33
Paliath Narendran
44
Veena Ravishankar
22
Abstract
Asymmetric unification, or unification with irreducibility constraints, is a newly developed paradigm that arose out of the automated analysis of cryptographic protocols. However, there are still relatively few asymmetric unification algorithms. In this paper we address this lack by exploring the application of automata-based unification methods. We examine the theory of xor with a homomorphism, ACUNh, from the point of view of asymmetric unification, and develop a new automata-based decision procedure. Then, we adapt a recently developed asymmetric combination procedure to produce a general asymmetric-ACUNh decision procedure. Finally, we present a new approach for obtaining a solution-generating asymmetric-ACUNh unification automaton. We also compare our approach to the most commonly used form of asymmetric unification available today, variant unification.
1 Introduction
We examine the newly developed paradigm of asymmetric unification in the theory of xor with a homomorphism. Asymmetric unification is motivated by requirements arising from symbolic cryptographic protocol analysis [6]. These symbolic analysis methods require unification-based exploration of a space in which the states obey rich equational theories that can be expressed as a decomposition , where is a set of rewrite rules that is confluent, terminating, and coherent modulo . However, in order to apply state space reduction techniques, it is usually necessary for at least part of this state to be in normal form, and to remain in normal form even after unification is performed. This requirement can be expressed as an asymmetric unification problem where the denotes a unification problem with the restriction that any unifier leaves the right-hand side of each equation irreducible.
At this point there are relatively few such algorithms. Thus in most cases when asymmetric unification is needed, an algorithm based on variant unification [8] is used. Variant unification turns an -problem into a set of -problems. Application of variant unification requires that a number of conditions on the decomposition be satisfied. In particular, the set of -problems produced must always be finite (this is equivalent to the finite variant property [4]) and -unification must be decidable and finitary. Unfortunately, there is a class of theories commonly occurring in cryptographic protocols that do not have decompositions satisfying these necessary conditions: theories including an operator that is homomorphic over an Abelian group operator , that is . There are a number of cryptosystems that include an operation that is homomorphic over an Abelian group operator, and a number of constructions that rely on this homomorphic property. These include for example RSA [12], whose homomorphic property is used in Chaum’s blind signatures [3], and Pallier cryptosystems [11], used in electronic voting and digital cash protocols. Thus an alternative approach is called for.
In this paper we concentrate on asymmetric unification for a special case of : the theory of xor with homomorphism, or . We first develop an automata-based -asymmetric decision procedure. We then apply a recently developed combination procedure for asymmetric unification algorithms to obtain a general asymmetric decision procedure allowing for free function symbols. This requires a non-trivial adaptation of the combination procedure, which originally required that the algorithms combined were not only decision procedures but produced complete sets of unifiers. In addition, the decomposition of we use is . It is known that unification modulo is undecidable [10], so our result also yields the first asymmetric decision procedure for which does not have a decidable finitary unification algorithm.
We then consider the problem of producing complete sets of asymmetric unifiers for . We show how the decision procedure developed in this paper can be adapted to produce an automaton that generates a (possibly infinite) complete set of solutions. We then show, via an example, that asymmetric unification modulo is not finitary.
1.1 Outline
Section 2 provides a brief description of preliminaries. Section 3 develops an automaton based decision procedure for the -theory. In Section 4 an automaton approach that produces substitutions is outlined. Section 5 develops the modified combination method needed to obtain general asymmetric algorithms. In Section 6 we conclude the paper and discuss further work.
2 Preliminaries
We use the standard notation of equational unification [1] and term rewriting systems [1].-terms, denoted by , are built over the signature and the (countably infinite) set of variables . The terms and denote respectively the subterm of at the position , and the term having as subterm at position . The symbol of occurring at the position (resp. the top symbol of ) is written (resp. ). The set of positions of a term is denoted by , the set of non variable positions for a term over a signature is denoted by . A -rooted term is a term whose top symbol is in . The set of variables of a term is denoted by . A term is ground if it contains no variables.
Definition 1
Let be an -unification problem, let denote the set of variables occurring in and the set of free constants occurring in . For a given linear ordering on , and for each define the set as . An -unification problem with linear constant restriction (LCR) is an -unification problem with constants, , where each constant in is equipped with a set of variables. A solution of the problem is an -unifier of such that for all with , the constant does not occur in . We call an -unifier with LCR.
A rewrite rule is an ordered pair such that and . We use to denote a term rewrite system which is defined as a set of rewrite rules. The rewrite relation on , written , hold between and iff there exists a non-variable , and a substitution , such that and . The relation on is . The relation on is defined as: if there exists a position , a rule and a substitution such that and . The transitive (resp. transitive and reflexive) closure of is denoted by (resp. ). A term is irreducible (or in -normal form) if there is no term such that . If is confluent and terminating we denote the irreducible version of a term, , by .
Definition 2
We call a weak decomposition of an equational theory over a signature if and and satisfy the following conditions:
Matching modulo is decidable. 2. 2.
is terminating modulo , i.e., the relation is terminating. 3. 3.
The relation is confluent and -coherent, i.e., if and then such that , , and .
This definition is a modification of the definition in [6]. where asymmetric unification and the corresponding theory decomposition are first defined. The last restrictions ensure that iff (see [8, 6]).
Definition 3 (Asymmetric Unification)
Given a weak decomposition of an equational theory, a substitution is an asymmetric -unifier of a set of asymmetric equations iff for each asymmetric equations , is an -unifier of the equation and is in -normal form. A set of substitutions is a complete set of asymmetric -unifiers of (denoted or just if the background theory is clear) iff: (i) every member of is an asymmetric -unifier of , and (ii) for every asymmetric -unifier of there exists a such that .
Example 1
Let and be the theory for . Consider the equation , the substitution is an asymmetric solution but, is not.
Definition 4 (Asymmetric Unification with Linear Constant Restriction)
Let be a set of asymmetric equations with some LCR. A substitution is an asymmetric -unifier of with LCR iff is an asymmetric solution to and satisfies the LCR.
Definition 5
Let be a term rewriting system and be a set of identities. We say is -convergent if and only if
- (a)
is terminating, and
- (b)
for all terms , , if , there exist terms , such that
Definition 6
A term is an -normal form of a term if and only if . This is often represented as t\,=\,s\!\big{\downarrow}_{R,\Delta}.
3 An Asymmetric -unification Decision Procedure via an Automata
Approach
In this section we develop a new asymmetric unification algorithm for the theory . The theory consists of the following identities:
Following the definition of asymmetric unification, we first decompose the theory into a set of rewrite rules, , modulo a set of equations, . Actually, there are two such decompositions possible. The first decomposition keeps and as identities and the rest as rewrite rules. This decomposition has the following -convergent term rewriting system : , as well as : (when is given a higher precedence over ).
The second decomposition has , and the distributive homomorphism identity as 111This is the background theory., i.e., . Our goal here is to prove that the following term rewriting system : is -convergent. The proof for convergence of is provided in Appendix .
Decidability of asymmetric unification for the theory , can be shown by automata -theoretic methods analogous to the method used for deciding the Weak Second Order Theory of One successor (WS1S) [5, 2]. In WS1S we consider quantification over finite sets of natural numbers, along with one successor function. All equations or formulas are transformed into finite-state automata which accepts the strings that correspond to a model of the formula [9, 13]. This automata-based approach is key to showing decidability of WS1S, since the satisfiability of WS1S formulas reduces to the automata intersection-emptiness problem. We follow the same approach here.
To be precise, what we show here is that ground solvability of asymmetric unification, for a given set of constants, is decidable. We explain at the end of this section why this is equivalent to solvability in general, in Lemma 3.1 and Lemma 3.2.
Problems with one constant
: For ease of exposition, let us consider the case where there is only one constant . Thus every ground term can be represented as a set of natural numbers. The homomorphism is treated as a successor function. Just as in WS1S, the input to the automata are column vectors of bits. The length of each column vector is the number of variables in the problem. . The deterministic finite automata (DFA) are illustrated here. The operator behaves like the symmetric set difference operator.
We illustrate how an automaton is constructed for each equation in standard form. In order to avoid cluttering up the diagrams the dead state has been included only for the first automaton. The missing transitions lead to the dead state by default for the others. Recall that we are considering the case of one constant .
: Let denote the bits of . has a value 1, when either or has a value 1. We need 3-bit alphabet symbols for this equation. The input for this automaton are column vectors of 3-bits each, i.e., . For example, if = 0, = 1, then = 1. The corresponding alphabet symbol is = . Hence, only strings with the alphabet symbols are accepted by this automaton. The rest of the input symbols go to the dead state , as they violate the XOR property. Note that the string is accepted by this automaton. This corresponds to , and .
: To preserve asymmetry on the right-hand side of this equation, should be irreducible. If either or is empty, or if they have any term in common, then a reduction will occur. For example, if = and = , there is a reduction, whereas if = and = , irreducibility is preserved, since there is no common term and neither one is empty. Since neither nor can be empty, any accepted string should have one occurrence of and one occurrence of .
: We need 2-bit vectors as alphabet symbols since we have two unknowns and . Remember that acts like the successor function. is the only accepting state. A state transition occurs with bit vectors . If =1 in current state, then =1 in the next state, hence a transition occurs from to , and vice versa. The ordering of variables is .
: In this equation, should be in normal form. So cannot be 0, but can contain terms of the form . is the ordering of variables. Therefore the bit vector should be succeeded by , with possible occurrences of the bit vector in between. Thus the string either ends with or . For example, if = , then = , which results in the string \begin{pmatrix}1\\ 0\end{pmatrix}$$\begin{pmatrix}1\\ 1\end{pmatrix}$$\begin{pmatrix}0\\ 1\end{pmatrix} is accepted by this automaton.
: This automaton represents the disequality . In general, if there are two or more constants, we have to guess which components are not equal. This enables us to handle the disequality constraints mentioned in the next section.
: This automaton represents the disequality , where is a constant.
Example 2
Let \Big{\{}U=_{\downarrow}V+Y,\;W=h(V),\;Y=_{\downarrow}h(W)\Big{\}} be an asymmetric unification problem. We need 4-bit vectors and 3 automata since we have 4 unknowns in 3 equations, with bit-vectors represented in this ordering of set variables: . We include the (“don’t-care”) symbol in state transitions to indicate that the values can be either [math] or . This is done to avoid cluttering the diagrams. Note that here this symbol is a placeholder for the variables which do not have any significance in a given automaton. The automata constructed for this example are indicated in , and . The string \begin{pmatrix}1\\ 0\\ 0\\ 1\end{pmatrix}$$\begin{pmatrix}0\\ 1\\ 0\\ 0\end{pmatrix}$$\begin{pmatrix}0\\ 0\\ 1\\ 1\end{pmatrix}$$\begin{pmatrix}0\\ 0\\ 0\\ 0\end{pmatrix} is accepted by all the three automata. The corresponding asymmetric unifier is
Once we have automata constructed for all the formulas, we take the intersection and check if there exists a string accepted by all the automata. If the intersection is not empty, then we have a solution or an asymmetric unifier for the given problem.
Problems with more than one constant
: This technique can be extended to the case where we have more than one constant. Suppose we have constants, say . We express each variable in terms of the constants as follows: . For example, if is a variable and are the constants in the problem, then we create the equation = .
If we have an equation with constants , then we have equations , and . However, if it is an asymmetric equation all , and cannot be zeros simultaneously.
Similarly, if the equation to be solved is , with as constants, we form the equations , and and solve the eq-uations. But if it is an asymmetric equation then we cannot have , , to be all zero simultaneously, and similarly with , , .
Our approach is to design a nondeterministic algorithm by guessing which constant component in each variable has to be [math], i.e., for each variable and each constant , we “flip a coin” as to whether will be set equal to [math] by the target solution222The linear constant restrictions in Section 5 can also be handled this way: a constant restriction of the form can be taken care of by setting . Now for the case , we do the following:
[TABLE]
Similarly, for the case we follow these steps:
[TABLE]
This is summarized in Algorithm 2. Thus, it follows that
Theorem 3.1
Algorithm 2 is a decision procedure for ground asymmetric unification modulo .
Proof
This holds by construction, as outlined in “Problems with only one constant” and “Problems with more than one constant”.
We now show that general asymmetric unification modulo , where the solutions need not be ground solutions over the current set of constants, is decidable by showing that a general solution exists if and only if there is a ground solution in the extended signature where we add an extra constant.
We represent each term as a sum of terms of the form where is either a constant or variable. The superscript (power) is referred to as the degree of the simple term . The degree of a term is the maximum degree of its summands.
Lemma 3.1
Let be an irreducible term and be its degree. Let …, . Suppose is a constant that does not appear in . Then for any , is irreducible, where \theta\;=\;\big{\{}X_{1}\mapsto c,\;X_{2}\mapsto h^{D}(c),\;X_{3}\mapsto h^{2D}(c),\;\ldots,\;X_{n}\mapsto h^{(n-1)(D)}(c)\big{\}}.
Lemma 3.2
Let \,\Gamma~{}=~{}\big{\{}s_{1}\,{\approx}_{\downarrow}^{?}\,t_{1},\ldots,s_{n}\,{\approx}_{\downarrow}^{?}\,t_{n}\big{\}} be an asymmetric unification problem. Let be an asymmetric unifier of and . Let , and be a constant that does not appear in . Then \theta=\big{\{}X_{1}\mapsto c,\;X_{2}\mapsto h^{D}(c),\;\ldots,\;X_{m}\mapsto h^{(n-1)D}(c)\big{\}} is an asymmetric unifier of .
General solutions over variables, without this extra constant , can be enumerated by back-substituting (abstracting) terms of the form and checking whether the obtained substitutions are indeed solutions to the problem.
The exact complexity of this problem is open.
4 Automaton to find a complete set of unifiers
In this section we create automata to find all solutions of an ACUNh asymmetric unification problem with constants. We also have linear constant restrictions and disequalities for combination. Our terms will be built from elements in the set described below.
Definition 7
Let be a set of constants and be a set of variables. Define as the set . We also define as . For any object we define to be the set of constants in , except for 0. For an object , define and .
Terms are sums. We often need to talk about the multiset of terms in a sum.
Definition 8
Let be a term whose normal form is . Then we define . Inversely, if then .
A term in normal form modulo can be described as a sum in the following way.
Theorem 4.1
Let be a term in normal form. Then there exists an such that .
Proof
Since is reduced by , it cannot have an symbol above a symbol. So it must be a sum of terms of the form where and is a constant. Since is also reduced by , there can be no duplicates in the sum.
We show that every substitution that is irreducible with respect to , can be represented as a sequence of smaller substitutions, which we will later use to construct an automaton.
Definition 9
Let be a substitution and be a set of variables. Then is a zero substitution on if and for all .
Theorem 4.2
*Let be an object and be a ground substitution in normal form, such that . Let be the maximum degree in Then there are substitutions , such that *
* is a zero substitution on ,* 2. 2.
*, * 3. 3.
** 4. 4.
for all and all variables in , for some nonempty Ran(*. *
Proof
By the previous theorem, we know that each is a sum of -terms or is 0. Then and can be defined as follows, where and is the set of terms in with degree :
- •
If then else .
- •
For all
- –
If the maximum degree of is then .
- –
If no terms in have degree then .
- –
If has terms of degree and also terms of degree greater than then .
In the rest of this section we will be considering the ACUNh asymmetric equation , where and are in normal form, and we will build an automaton to represent all the solutions of . We will need the following definitions.
Definition 10
Let be an object. Define .
In the next four automata definitions we will use the following notation: Let be a set of ACUNh asymmetric equations. Let be the maximum degree of terms in . Let be the set of all substitutions such that and for all , where is a nonempty subset of . Let be an ACUNh asymmetric equation.
First we define an automaton to solve the asymmetric unification problem with constants.
Definition 11
The automaton consists of the quintuple , where is the set of states, is the start state, is the set of accepting states, is the alphabet, and is the transition function, defined as follows:
- •
is a set of states of the form , where and , for some and subsets of .
- •
- •
such that if (, , and contains no duplicates.
Next we define an automaton to solve linear constant restrictions.
Definition 12
Let be a set of linear constant restrictions of the form . where if for all variables and all , .
Next we define an automaton to solve disequalities between a variable and a constant.
Definition 13
Let be a set of disequalities of the form where is a variable and is a constant. where if for all variables and all , . Also .
Finally we define automata for solving disequalities between variables
Definition 14
Let and be variables. Then where if and for some . Also if and .
These are all valid automata. In particular, the first automaton described has a finite number of states, and each transition yields a state in the automaton. Now we show that these automata can be used to find all asymmetric ACUNh unifiers.
We need a few properties before we show our main theorem, that the constructed automaton finds all solutions.
Lemma 4.1
Let be an object and be a substitution, such that, for all , does not contain a variable. Then does not contain a variable.
Proof
Consider . If is not a variable then is not a variable. If is a variable, then, by our hypothesis, is not a variable.
Lemma 4.2
Let be an ACUNh asymmetric unification equation in , where and contain no variables and . Then for all substitutions , and are not unifiable.
Proof
and are not unifiable, because, wlog, the multiplicity of some constant in is not in . When we apply a substitution, that same constant will appear in but not , since and contain no variables. So and are not unifiable.
Lemma 4.3
Let be such that contains a duplicate. Then , is reducible by .
Proof
We know is reducible by because contains a duplicate. But then also contains a duplicate.
Lemma 4.4
Let be an ACUNh asymmetric unification equation in , such that and contain no variables. Suppose also that and contains no duplicates. Then is an ACUNh asymmetric unifier of if and only if is an ACUNh asymmetric unifier of .
Proof
Let and . If and contain no constants, then and have the same solutions. Since and contain no variables, the multiset of constants in is the same as the multiset of constants in . Similarly for and . Therefore has the same solutions as .
Theorem 4.3
Let be a set of asymmetric ACUNh equations, such that all terms in are reduced by . Let be a substitution which is reduced by . Let be a set of linear constant restrictions. Let be a set of variable/constant disequalities. Let be a set of variable/variable disequalities.
Then is a solution to if and only if there exists a zero substitution on where all right hand sides in are irreducible, and a sequence of substitutions such that and
The string is accepted by for all . 2. 2.
The string is accepted by . 3. 3.
The string is accepted by . 4. 4.
The string is accepted by for all .
where for a fresh constant .
Proof
First we show that Item 1 holds for a ground substitution reduced by . By the previous theorem, can be represented as .
We show by induction that, for all , if and then is an asymmetric ACUNh unifier of if and only if is an asymmetric ACUNh unifier of . In the base case, and , so it is true.
For the inductive step, we assume the statement is true for and prove it for . Then let be an arbitrary substitution, and instantiate in the inductive assumption, where . Our assumption implies that is an asymmetric ACUNh unifier of if and only if is an asymmetric ACUNh unifier of (i.e., is an asymmetric ACUNh unifier of ). If we can now show that is an asymmetric ACUNh unifier of if and only if is an ACUNh unifier of . and and contains no duplicates, then we are done. By Lemma 4.1, we know that contains no variables. Then we apply Lemma 4.4 to prove the induction step.
This proves our inductive statement. If is not an asymmetric ACUNh unifier of , then Lemmas 4.2 and 4.3 imply that the transition function will not be applicable at some point. Our inductive statement shows that is an asymmetric ACUNh unifier of if and only if there is a final state with as an asymmetric ACUNh unifier, which will be an accepting state.
This concludes the case for a ground substitution . It is not ground, then the fact that contains a fresh constant means that we create substitutions with an additional constant. We have already shown in this paper that nonground solutions are generalizations of solutions involving one additional constant.
It is straightforward to see that the other automata only accept valid solutions of linear constant restrictions and disequations.
If desired, we could intersect all the automata, yielding an automaton representing all the solutions of the problem (think of the results after applying as a set of initial states). This shows that the set of solutions can be represented by a regular language, with or without and disequalities. If we only want to decide asymmetric unification, we just check if there is an accepting state reachable from an initial state. We could enumerate all the solutions by finding all accepting states reachable in 1 step, 2 steps, etc. If there is a cycle on a path to an accepting state, then there are an infinite number of solutions, otherwise there are only a finite number of solutions. This will find all the ground substitutions. To find all solutions, we generalize the solutions we find and check them. Indeed, the only terms that need to be generalized are those containing . This is decidable because there are only a finite number of generalizations.
In Figure (5(b)), we show the automaton created for the problem , without linear constant restrictions and disequality constraints. In this example, the only zero substitution that works is the identity. Notice that never appears in the domain of a substitution, because no such substitution satisfies the conditions for the transition function. This leads to the following theorem.
Theorem 4.4
Asymmetric ACUNh unification with constants is not finitary.
Proof
The automaton constructed for has a cycle on a path to an accepting state. Therefore there are an infinite number of solutions. Since there is no in the range of the solution, all the solutions are ground. So no solution can be more general than another one, which means this infinite set of solutions is also a minimal complete set of solutions.
5 Combining Automata based Asymmetric Algorithms with the Free Theory
In order to obtain a general asymmetric ACUNh-unification decision procedure we need to add free function symbols. We can do this by using disjoint combination. The problem of asymmetric unification in the combination of disjoint theories was studied in [7] where an algorithm is developed for the problem. However, the algorithm of [7] does not immediately apply to the two methods developed in this paper. This is due to the nature of the two automata based approaches. More formally, let and denote two equational theories with disjoint signatures and . Let be the combination, , of the two theories having signature . The algorithm of [7] solves the asymmetric -unification problem. It assumes that there exists a finitary complete asymmetric -unification algorithm with linear constant restrictions, . Based on this assumption the algorithm is able to check solutions produced by the and algorithms for theory-preserving and injective properties, discarding those that are not. A substitution is injective modulo if iff , and is theory preserving if for any variable of index , is not a variable of index . For the automaton it is not always possible to check solutions, however, it is possible to build constraints into the automaton that enforce these conditions. Algorithm 3 is a modification of the algorithm from [7] with the following properties:
- •
and , for some free theory with symbols .
- •
For each -pure problem, partition, and theory index, an automaton is constructed enforcing the injective and theory preserving restrictions. Since these restrictions are built into the automata, the only solutions produced will be both theory preserving and injective.
- •
The solution produced by the algorithm is checked as in the original algorithm. If the solution is found not to be injective or theory preserving it is discarded.
The new modified version is presented in Algorithm 3 (included in the appendix due to space). Given the decision procedure of Section 3 we obtain the following.
Theorem 5.1
Assume there exists an asymmetric decision procedure that enforces linear constant restrictions, theory indexes, and injectivity. Then Algorithm 3 is a general asymmetric decision procedure.
Proof
The result follows directly from the proof contained in [7]. There it is shown that Algorithm 3 is both sound and complete. The only modification is that in [7] the combination algorithm checks the solutions for the properties of being injective and theory preserving, while in Algorithm 3 it is assumed that the algorithm itself will enforce these restrictions.
If instead of a decision procedure we want to obtain a general asymmetric unification algorithm we can use the automata based algorithm from Section 4 and again a modification of the asymmetric combination algorithm of [7]. Here, the modification to the combination algorithm is even smaller. We just remove the check on injective and theory preserving substitutions. Again these restrictions are enforced by the automata. The solutions to the and the free theory are combined as is done in [7] since they obey the same linear constant restrictions. Since asymmetric unification with constants is not finitary (Theorem 4.4), the general asymmetric unification algorithm will not in general produce a finite set of solutions. However, based on the algorithm of Section 4 we easily obtain the following result.
Theorem 5.2
Assume there exists an asymmetric algorithm that enforces linear constant restrictions, theory indexes and injectivity, and produces a complete set of unifiers. Then there exists a general asymmetric algorithm producing a complete set of unifiers.
6 Conclusion
We have provided a decision procedure and an algorithm for asymmetric unification modulo using a decomposition . This is the first example of an asymmetric unification algorithm for a theory in which unification modulo the set of axioms is undecidable. It also has some practical advantages: it is possible to tell by inspection of the automaton used to construct unifiers whether or not a problem has a finitary solution. Moreover, the construction of the automaton gives us a natural way of enumerating solutions; simply traverse one of the loops one more time to get the next unifier.
There are a number of ways in which we could extend this work. For example, the logical next step is to consider the decidability of asymmetric unification of with a . If the methods we used for extend to , then we have an asymmetric unification algorithm for , although with instead of . On the other hand, if we can prove undecidability of asymmetric unification for with as well as with , this could give us new understanding of the problem that might allow us to obtain more general results. Either way, we expect the results to give increased understanding of asymmetric unification when homomorphic encryption is involved.
Appendix 0.A Proof of convergence
0.A.1 is -convergent
To begin with let us show that the theory, , is terminating.
Lemma 0.A.1
* is terminating.*
Proof
We use a polynomial interpretation. The signature of is . We take the polynomial interpretation . It is not hard to see that the rewrite rules are decreasing and the identities are preserved under this interpretation. Hence is terminating.
The identities in can be further decomposed, retaining associativity and commutativity as identities and viewing the other identity as a rewrite rule .
Thus is the term rewriting system: with the identities : Note that . Thus . All these term rewriting systems, , and , are -convergent.
We define some terms which will be used later:
Definition 15
A term is a -term if and only if it has only variables and constants, and no occurrences of .
Definition 16
A term is a pure -term if and only if it is a -term with no constants (i.e., it belongs to ).
In order to prove that is -convergent we first prove the following lemmas:
Lemma 0.A.2
If and are irreducible by , then so is .
Proof
The only rule in has as the root of its left-hand side. Hence for the term there is no reduction possible.
Corollary 0.A.2.1
(s+t)\!\big{\downarrow}_{R_{h},AC}~{}=~{}s\!\big{\downarrow}_{R_{h},AC}\;+\;t\!\big{\downarrow}_{R_{h},AC}**
Lemma 0.A.3
If s is a -term, then if and only if s\;\lesssim_{AC}\;t\!\big{\downarrow}_{R_{h},AC}.
Proof
Since is a -term, is of the form , where the ’s need not be distinct. Let be the normal form of modulo , i.e., t^{\prime}=t\!\big{\downarrow}_{R_{h},AC}.
“if” part: If matches with , then is matchable with .
Let be a matching substitution such that . The substitution also matches with , i.e., , because is a subset of .
“only if” part: If matches with , then matches with .
Suppose , where is substitution. Let be a substitution defined as z\sigma^{\prime}~{}=~{}z\sigma\!\big{\downarrow}_{R_{h},AC} for all . We now show that .
We have and by Corollary 0.A.2.1, s\sigma^{\prime}\;=\;s\sigma\!\big{\downarrow}_{R_{h},AC}, i.e., . Thus .
Corollary 0.A.3.1
A term is reducible at the root (i.e., at position ) by if and only if s\!\big{\downarrow}_{R_{h},AC} is reducible at the root by .
Lemma 0.A.4
If is a pure -term, then if and only if .
Proof
For the “if” part, let be the matching substitution. Then the substitution , defined as matches with .
For the “only if” part, suppose is a substitution that -matches with . We can assume without loss of generality that is a ground term. Since is -convergent, we can also assume that the normal form of , modulo , is of the form where the ’s are constants and each exponent is a positive integer greater than zero. Therefore for each variable , for some ground term . Thus , defined as will match with .
Lemma 0.A.5
If is a -term and then .
Proof
Since is a -term, must be of the form where some of the ’s can be equal (i.e., variables can be repeated). However, clearly cannot have constants and thus must be a pure -term. The rest of the proof follows from the “only if” part of the previous lemma.
Lemma 0.A.6
For all : if is reducible at the root (i.e., at position ) by and then is also reducible by .
Proof
Suppose where is a substitution and . The case where is trivial.
Suppose is the left-hand side of one of the other rules. Then is a -term. Let t_{1}=t\!\big{\downarrow}_{R_{h},AC}. By the proof of Lemma 0.A.3, , where is defined as y\sigma^{\prime}=y\sigma\!\big{\downarrow}_{R_{h},AC} for all . From this we have l\sigma^{\prime}\;=\;l\sigma\!\big{\downarrow}_{R_{h},AC}, i.e., .
Let . By Corollary 0.A.2.1, where \widehat{s}\,=\,s\!\big{\downarrow}_{R_{h},AC}. Since is reducible at the root by , so is , as can be seen from an examination of the rules. Thus for some rule in . This implies that .
Lemma 0.A.7
For all , if is reducible by then or is reducible by .
Proof
Suppose and that is not reducible by . Then there must be some left-hand side in such that . Since , cannot be , so must be a -term. If , by Lemma 0.A.5 we know that , which is a contradiction.
Lemma 0.A.8
For all , if is reducible by and , then is reducible by .
Proof
Assume the contrary. Let be the smallest term such that is reducible by and there is another term , AC-equivalent to , such that is irreducible by . Clearly cannot be reducible at the root. Let be an outermost position in such that is a redex. Let . Obviously, cannot be . The parent of node cannot have a -symbol because then that subterm, i.e., , will be a redex too, by the proof of Lemma 0.A.6. Thus it has to be an : in other words, is a subterm of . Since , should have a subterm where . If is reducible then so is ; if not, then is a smaller counterexample.
Corollary 0.A.8.1
For all : if is reducible by and then is also reducible by .
Lemma 0.A.9
For all : if , and , then is also reducible by .
Proof
Suppose reduces to at some position and reduces to at some position , i.e., and . Thus there is a substitution such that and .
Two cases have to be considered:
Either or is reducible by . Assume, without loss of generality, that is reducible by . By Lemma 0.A.7, is either 0 or reducible by . If is reducible by , then is also reducible by , by Corollary 0.A.8.1. If , then clearly is reducible by .
Let . Let and . Thus and is reducible at the root by . By Corollary 0.A.3.1, s_{5}\!\big{\downarrow}_{R_{h},AC} is reducible at the root by , i.e., s_{5}\!\big{\downarrow}_{R_{h},AC}\;\approx_{AC}\;l\beta for some left-hand side . Thus (putting it all together), s_{1}|_{q}\;\longrightarrow_{R_{h},AC}^{!}\;s_{5}\!\big{\downarrow}_{R_{h},AC}\;\approx_{AC}\;l\beta. Thus, again by Corollary 0.A.3.1, is reducible by .
Finally, we can prove the convergence.
Lemma 0.A.10
* is -convergent.*
Proof
We prove by contradiction. Suppose is not -convergent. Since is terminating, there must be terms and such that and are in normal form modulo and . Since is AC-convergent, the normal forms of and modulo cannot be -equal. Let and be respectively the normal forms of and modulo . If either or is reducible by , then, by Lemma 0.A.9, either or will be reducible by . But since is AC-convergent, either or must be reducible by . This also leads to a contradiction, since .
Appendix 0.B Asymmetric Combination Algorithm
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Baader, F., Snyder, W.: Unification theory. Handbook of Automated Reasoning 1, 445–532 (2001)
- 2[2] Büchi, J.R.: Weak second-order arithmetic and finite automata. Mathematical Logic Quarterly 6(1-6), 66–92 (1960)
- 3[3] Chaum, D.: Blind signature system. In: Proceedings of CRYPTO ’83. p. 153 (1983)
- 4[4] Comon-Lundth, H., Delaune, S.: The finite variant property: how to get rid of some algebraic properties, in Proc RTA’05 , Springer LNCS 3467, 294–307, 2005
- 5[5] Elgot, C.C.: Decision problems of finite automata design and related arithmetics. Transactions of the American Mathematical Society 98(1), 21–51 (1961)
- 6[6] Erbatur, S., Escobar, S., Kapur, D., Liu, Z., Lynch, C.A., Meadows, C., Meseguer, J., Narendran, P., Santiago, S., Sasse, R.: Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis. In: Automated Deduction, (CADE-24), LNCS, vol. 7898, pp. 231–248 (2013)
- 7[7] Erbatur, S., Kapur, D., Marshall, A.M., Meadows, C.A., Narendran, P., Ringeissen, C.: On asymmetric unification and the combination problem in disjoint theories. In: Foundations of Software Science and Computation (FOSSACS-17), volume 8412 LNCS. pp. 274–288 (2014)
- 8[8] Escobar, S., Meseguer, J., Sasse, R.: Variant narrowing and equational unification. Electr. Notes in Theoretical Computer Science 238(3), 103–119 (2009)
