A proof theoretic analysis of intruder theories
We consider the problem of intruder deduction in security protocol analysis: that is, deciding whether a given message $M$ can be deduced from a set of messages $\Gamma$ under the theory of blind signatures and arbitrary convergent equational theories modulo associativity and commutativity (AC) of certain binary operators. The traditional formulations of intruder deduction are usually given in natural-deduction-like systems and proving decidability requires significant effort in showing that the rules are “local” in some sense. By using the well-known translation between natural deduction and sequent calculus, we recast the intruder deduction problem as proof search in sequent calculus, in which locality is immediate. Using standard proof theoretic methods, such as permutability of rules and cut elimination, we show that the intruder deduction problem can be reduced, in polynomial time, to the elementary deduction problems, which amounts to solving certain equations in the underlying individual equational theories. We further show that this result extends to combinations of disjoint AC-convergent theories whereby the decidability of intruder deduction under the combined theory reduces to the decidability of elementary deduction in each constituent theory. Although various researchers have reported similar results for individual cases, our work shows that these results can be obtained using a systematic and uniform methodology based on the sequent calculus.
💡 Research Summary
The paper addresses the intruder deduction problem that lies at the heart of security protocol analysis: given a set of messages Γ and a target message M, decide whether M can be constructed from Γ under a theory that combines blind signatures with arbitrary convergent equational theories modulo associativity and commutativity (AC) of certain binary operators. Traditional treatments formulate intruder capabilities in a natural‑deduction style system. Proving decidability for such systems is cumbersome because one must establish a “locality” property: during proof search only subterms of Γ and M need to be considered. Moreover, the presence of algebraic operators (e.g., XOR, group operations) complicates the search.
The authors propose a different viewpoint: translate the natural‑deduction system N into a sequent calculus S, exploiting the well‑known correspondence between introduction rules (right‑hand side) and elimination rules (left‑hand side). In S, locality is immediate because every rule satisfies the subformula property. The sequent system contains left‑introduction rules for public‑key encryption, symmetric encryption, signing, and blind signing, as well as right‑introduction rules for the same constructors. An additional rule gs (analytic cut) is introduced to handle terms built from the equational theory E, since the natural‑deduction system lacks introduction rules for symbols belonging to E. The rule gs allows the abstraction of a subterm A that appears as a guarded subterm of the antecedent or the conclusion, effectively simulating a cut without violating the subformula property.
The core technical contribution is a cut‑elimination theorem for S. Using variable abstraction techniques and properties of AC‑compatible rewrite systems, the authors show that any proof containing a cut can be transformed into a cut‑free proof whose size grows only polynomially. This result yields two important consequences.
First, any intruder deduction problem under a single AC‑convergent theory E can be reduced in polynomial time to an “elementary deduction” problem: given Γ and M, normalize all terms modulo the rewrite rules of E (including AC for ⊕) and then check equality modulo E. Since elementary deduction for many concrete theories (XOR, Abelian groups, monoidal theories) is already known to be decidable in polynomial time, the intruder deduction problem inherits this complexity.
Second, the authors extend the reduction to the combination of several disjoint AC‑convergent theories E₁,…,Eₙ. By constructing a combined sequent system that treats each theory independently on the left‑hand side, they prove that the overall intruder deduction problem reduces to the elementary deduction problems for each constituent theory, again in polynomial time. Consequently, decidability of elementary deduction for each Eᵢ implies decidability of the combined intruder deduction problem.
The paper also discusses concrete examples: theories for exclusive‑or, Abelian groups, and more general monoidal structures all fall within the considered class. The authors note that while similar decidability results have appeared in the literature for individual theories, their contribution is methodological: they provide a uniform proof‑theoretic framework based on sequent calculus, cut elimination, and rule permutability, which automatically yields locality and polynomial‑time reductions without ad‑hoc arguments.
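To make the reduction concrete, here is an added toy decision procedure (not code from the paper) for a fragment with pairing, symmetric encryption and one AC operator, XOR. Proof search only ever considers subterms of Γ and M (the locality the sequent formulation gives for free), and whenever a candidate is not obtained by a pair/senc introduction rule it falls back to the elementary deduction problem for XOR, which here is membership in a GF(2) span decided by elimination; all term shapes and the sample Γ are constructed for the example.

```python
# Added toy example: intruder deduction as saturation over subterms of Gamma and M
# (locality), with elementary deduction modulo XOR done by elimination over GF(2).
# Terms: atom = str; ('pair', a, b); ('senc', msg, key); ('xor', t1, ..., tn).
def norm(t):
    # normalise modulo AC, x^x = 0 and x^0 = x, flattening nested xor
    if isinstance(t, str):
        return t
    if t[0] != 'xor':
        return (t[0],) + tuple(norm(a) for a in t[1:])
    count = {}
    for a in map(norm, t[1:]):
        for p in (a[1:] if isinstance(a, tuple) and a[0] == 'xor' else (a,)):
            count[p] = count.get(p, 0) + 1
    args = sorted((p for p, c in count.items() if c % 2 and p != '0'), key=repr)
    return '0' if not args else args[0] if len(args) == 1 else ('xor',) + tuple(args)

def vec(t):  # GF(2) coefficient vector of t: the set of its non-xor summands
    return frozenset(t[1:]) if isinstance(t, tuple) and t[0] == 'xor' else frozenset([t]) - {'0'}

def in_span(target, vectors):  # elementary deduction: is target an xor of some vectors?
    basis = {}  # echelon basis keyed by the leading summand of each vector
    def reduce(v):
        while v and max(v, key=repr) in basis:
            v = v ^ basis[max(v, key=repr)]
        return v
    for v in vectors:
        r = reduce(v)
        if r:
            basis[max(r, key=repr)] = r
    return not reduce(target)

def subterms(t):
    return {t} | set().union(*(subterms(a) for a in t[1:])) if isinstance(t, tuple) else {t}

def deducible(gamma, m):  # decide Gamma |- m without ever leaving the subterms
    known, m = {norm(g) for g in gamma}, norm(m)
    cand = set().union(*(subterms(t) for t in known | {m}))
    changed = True
    while changed:
        changed = False
        for t in cand - known:  # right rules for pair/senc, else elementary deduction
            con = isinstance(t, tuple) and t[0] in ('pair', 'senc')
            if (con and t[1] in known and t[2] in known) or in_span(vec(t), map(vec, known)):
                known.add(t); changed = True
        for t in list(known):  # left rules: split a pair, decrypt with a known key
            if isinstance(t, tuple) and (t[0] == 'pair' or t[0] == 'senc' and t[2] in known):
                new = {t[1], t[2]} if t[0] == 'pair' else {t[1]}
                if not new <= known:
                    known |= new; changed = True
    return m in known
```

With Γ = {senc(s, k1⊕k2), k1, k2⊕n, n} the key k1⊕k2 is recovered by elementary deduction alone and s follows by the senc left rule; dropping n from Γ makes s underivable.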
Finally, the work is limited to passive intruders (who only collect and combine messages). The authors outline future work to extend the approach to active intruders, where the intruder can also influence the protocol execution. Nonetheless, the current results already demonstrate that sequent‑calculus techniques, long used in proof theory, can be fruitfully applied to security protocol analysis, offering a clean, systematic, and extensible method for establishing decidability of intruder deduction across a wide range of algebraic theories.