Zero-Knowledge in the Applied Pi-calculus and Automated Verification of the Direct Anonymous Attestation Protocol

Verication of the Direct Anonymous Attestation Protocol

Michael Backes, Matteo Maei,and Dominique Unruh

Saarland University,Saarbrücken, Germany

{backes,maffei,unruh}@cs.uni-sb.de

Abstract

Wedeviseanabstractionofzero-knowledgeprotocolsthatisaccessibletoafully

mechanized analysis. The abstraction is formalized within the applied pi-calculus

using anovelequationaltheory that abstractlycharacterizesthecryptographic

se-mantics of zero-knowledge proofs. We present an encoding from the equational

theoryintoaconvergentrewritingsystemthatissuitablefortheautomated

proto-col verierProVerif. The encoding is sound andfully automated. We successfully

usedProVeriftoobtaintherstmechanizedanalysisoftheDirectAnonymous

At-testation (DAA) protocol. The analysis in particular required us to devise novel

abstractionsofsophisticatedcryptographicsecuritydenitionsbasedoninteractive

games.

1 Introduction

Proofsof security protocols areknown to be error-prone and, owing to the

distributed-systemaspects of multiple interleaved protocol runs, awkward to make for humans. In

fact, vulnerabilities have accompanied the design of such protocols ever since early

au-thentication protocols like Needham-Schroeder [11 , 24 ], over carefully designed de-facto

standards like SSL and PKCS [28, 8 ], up to current widely deployed products like

Mi-crosoft Passport [13 ] and Kerberos [10]. Hence work towards the automation of such

proofs hasstarted soon after the rst protocols were developed; some important

exam-ples of automated security proofs are [23 , 22 , 18 , 21 , 25, 27, 3, 5]. Language-based

techniquesarenowwidelyconsideredaparticularly salientapproachforformally

analyz-ingsecurityprotocols,datingbacktoAbadi'sseminalworkonsecrecybytyping[1]. The

abilityto reasonaboutsecurityatthelanguageleveloftenallowsfor conciselyclarifying

whycertain message components are included in a protocol, how their entirety suces

for establishing desired security guarantees, and for identifying ambiguities in protocol

messages that could be exploited by an adversary to mount a successful attack on the

protocol.

One ofthe central challenges intheanalysisofcomplex andindustrial-size protocols

is the expressiveness of the formalism used inthe formal analysis and its capability to

Cryptography has invented more sophisticated primitives withunique securityfeatures

thatgo far beyond the traditional understanding ofcryptography tosolely oer secrecy

andauthenticityofa communication. Zero-knowledge proofsconstitute themost

promi-nent and arguably most amazing such primitive. A zero-knowledge proof consistsof a

messageor asequenceofmessagesthatcombinestwoseeminglycontradictoryproperties:

First,itconstitutesaproofofastatement

x

(e.g,

x

=

themessagewithinthisciphertext begins with

0

) that cannot be forged, i.e., it isimpossible, or at leastcomputationally infeasible,toproduceazero-knowledgeproofofawrongstatement. Ontheotherhand,a

zero-knowledgeproofdoesnotrevealanyinformationbesidesthebarefactthat

x

consti-tutesa valid statement. Inparticular,aproofabout someciphertextwouldnot leakthe

decryptionkeyor theplaintext. Zero-knowledgeproofswereintroduced in[17] andwere

provento existforvirtually allstatements[16 ]. Zero-knowledgeproofshave sinceshown

to constitute very powerful building blocksfor theconstruction of sophisticated

crypto-graphicprotocolstosolve demandingprotocoltask: theyallowfor commonlyevaluating

a function ondistributed inputs withoutrevealing anyinputs to theother protocol

par-ticipants [15], they allow for developing encryption schemes that are secure under very

strong active attacks [12],and manymore.

Earlygeneral-purposezero-knowledge proofsweremainlyinventedto showthemere

existence of such proofs for the class of statements under consideration. These proofs

werevery inecient and consequently of only limiteduseinpractical applications. The

recent adventof ecientzero-knowledgeproofsfor specialclasses ofstatements changed

this. The unique security features that zero-knowledge proofs oer combined with the

possibilityto ecientlyimplement someof theseproofshavepaved theseproofstheway

intomoderncryptographicprotocolssuchase-votingprotocolsandanonymityprotocols.

The best known representative of these protocols is the widely-deployed Direct

Anony-mous Attestation (DAA) protocol [9 ]. DAA constitutes a cryptographic protocol that

enables the remote authentication of a Trusted Platform Module (TPM) while

preserv-ing the user's privacy. More precisely, if the user talks to the same verier twice, the

verierisnot able totell ifhe communicates withthesame userasbeforeor witha

dif-ferent one. DAAachievesits anonymitypropertiesbyheavily relyingon non-interactive

zero-knowledgeproofs. Intuitively,theseallowtheTPMtoauthenticatewiththeverier

without revealing theTPM'ssecretidentier.

1.1 Our Contributions

The contribution of the paper is threefold: First, we present an abstraction of

non-interactivezero-knowledgeproofswithintheapplied pi-calculususinganovelequational

theory that abstractly characterizes the cryptographic semantics of these proofs.

Sec-ond, we transform our abstraction into an equivalent formalization that is accessibleto

ProVerif[6],awell-established toolforthemechanizedanalysisofdierentsecurity

prop-erties. Third,weapplyour theorytotheDirectAnonymousAttestation(DAA)protocol

[9], the widely deployed authentication scheme for Trusted Platform Modules (TPMs),

calculuswithfunctions,thathasproventoconstituteasalientfoundationfortheanalysis

of cryptographic protocols, see [2 , 20 , 6, 7, 14]. We devise a novel equational theory

thatconciselyandelegantlycharacterizesthesemanticpropertiesofnon-interactive

zero-knowledgeproofs,andthatallowsforabstractlyreasoningaboutsuchproofs. Thedesign

of the theory in particular requires to carefully address the important principles that

zero-knowledge proofsarebased upon: thesoundnessandthecompleteness oftheproof

vericationaswellastheactualzero-knowledgeproperty,i.e., averiermustnot beable

to learn any newinformation from azero-knowledgeproof exceptfor thevalidity ofthe

proven statement. The only prior work on abstracting zero-knowledge proofs aims at

formalizing in modal logic the informal prose used to describe the properties of these

proofs[19 ]. Incontrast to our abstraction, the abstraction in [19] hasnot been applied

to anyexample protocols,and nomechanizationof security proofsis consideredthere.

Themechanizationoflanguage-basedsecurityproofshasrecentlyenjoyedsubstantial

improvements thathave further strengthened theposition oflanguage-based techniques

as a promising approach for the analysis of complex and industrial-size cryptographic

protocols. ProVerif [6] constitutes a well-established automated protocol verier based

onHornclausesresolutionthatallowsforthevericationofobservationalequivalenceand

ofdierenttrace-basedsecuritypropertiessuchasauthenticity. Wepresentamechanized

encodingof our equational theoryinto a nitespecication thatis suitablefor ProVerif.

Moreprecisely,theequationaltheoryiscompiledintoaconvergentrewritingsystemthat

ProVerif can eciently cope with. We prove that the encoding preserves observational

equivalence anda large classoftrace-based securityproperties.

Finally, we exemplify the applicability of our theory to real-world protocols by

an-alyzing the security properties of the Direct Anonymous Attestation (DAA) protocol

[9]. DAA constitutes a cryptographic protocol that enables the remote authentication

ofa hardwaremodulecalledtheTrusted Platform Module(TPM), whilepreservingthe

anonymity ofthe userowning the module. Such TPMs arenowwidely included in

end-user hardware such as desktop PCs and notebooks. The DAA protocol relies heavily

on zero-knowledge proofsto achieve its anonymityguarantees. The occurrence of these

proofsinparticularpreventedapreviousanalysisoftheprotocolusingabstractionorany

formofproofmechanization. AnalyzingDAArstrequirestodevisenovelabstractionsof

sophisticatedcryptographicsecuritydenitionsbasedoninteractivegames between

hon-estparticipantsand theadversary;comprehensive anonymitypropertiesareofthis form.

We formulate the intended anonymity properties in terms of observational equivalence,

weformulateauthenticityasatrace-basedproperty,andweprovethesepropertiesinthe

presenceof external active adversariesaswell ascorrupted participants. Theproofsare

fullyautomatedusing ProVerif.

Wearecondentthatthemethodologypresentedinthispaperisgeneralandthatthe

principlesfollowedintheanalysisofDAAcanbesuccessfullyexploitedfortheverication

Terms

M, N, F, Z

::=

s, k, . . . , a, b, . . . , n, m

names

x, y, z

vars

f(M

1

, . . . , M

k

)

function where

f

∈

Σ

and

k

isthearityof

f

.

Processes

P, Q

::=

0 nil

νn.P

res

if

M

=

N

then

P

else

Q

cond

a(x).P

input

a

h

N

i

.P

output

P

|

Q

par

!P

repl

ExtendedProcesses

A

::=

P

plain

A

1

|

A

2

par

νn.A

nameres

νx.A

varres

{

M/x

}

subst

1.2 Outline of the Paper

We start byreviewing the applied pi-calculus inSection 2. Section 3 contains the

equa-tionaltheoryforabstractlyreasoningaboutnon-interactive zero-knowledgeproofsinthe

applied pi-calculus. This equational theory is rewritten into an equivalent nite theory

intermsofaconvergent rewriting systeminSection 4. Section5 and6elaborateonthe

analysis of DAA, the description of its security properties, and the use of ProVerif for

mechanizing the analysis. Section 7 concludesand outlinesfuture work.

2 Review of the Applied Pi-calculus

Thesyntaxofthe calculusisgiveninTable1. Termsaredenedbymeansofasignature

Σ

, which consists of a set of function symbols, each with an arity. The set of terms

T

Σ

is the free algebra built from names, variables, and function symbols in

Σ

applied to arguments. We partition each signature into public and private function symbols.

The only dierence is that private symbols are not available to the adversary. In the

following, functions symbols are public unless stated otherwise. We presuppose a sort

with an equational theory

E

, i.e., an equivalence relation on terms that is closed under substitution of terms and under application of term contexts (terms with a hole). We

write

E

`

M

=

N

and

E

6`

M

=

N

for an equality and an inequality, respectively, modulo

E

.

The grammar of processes (or plain processes) is dened as follows. The null

process 0 does nothing;

νn.P

generates a fresh name

n

and then behaves as

P

;

if

M

=

N

then

P

else

Q

behaves as

P

if

E

`

M

=

N

, and as

Q

otherwise;

a(x).P

receivesamessage

N

fromthechannel

a

andthenbehavesas

P

{

N/x

}

;

a

h

N

i

.P

outputs the message

N

on the channel

a

and then behaves as

P

;

P

|

Q

executes

P

and

Q

in parallel;

!P

generates anunbounded numberof copies of

P

.

Extended processes areplain processesextendedwith activesubstitutions. Anactive

substitution

{

M/x

}

isaoatingsubstitutionthatmayapplytoanyprocessthatitcomes intocontactwith. Tocontrolthescopeofactivesubstitutions,wecanrestrictthevariable

x

. Intuitively,

νx.(P

| {

M/x

}

)

constrainsthescopeofthesubstitution

{

M/x

}

toprocess

P

. If thevariable

x

isnot restricted, asit isthe casein theprocess

(P

| {

M/x

}

)

,then

thesubstitutionisexportedbytheprocessandtheenvironmenthasimmediateaccessto

M

. Asusual,thescopeofnames andvariablesisdelimitedbyrestrictionsandbyinputs.

Wewrite

f v(A)

and

f n(A)

(resp.

bv(A)

and

bn(A)

)todenotethefree(bound)variables andnames inanextendedprocess

A

,respectively. We let

free(A) :=

f v(A)

∪

f n(A)

and

bound(A) :=

bv(A)

∪

bn(A)

. For sequences

M

f

=

M

1

, . . . , M

k

and

x

e

=

x

1

, . . . , x

k

, we

let

{

M /

f

e

x

}

denote

{

M

1

/x

1

} |

. . .

| {

M

k

/x

k}

. We always assumethat substitutions are cycle-free, that extended processes contain at most one substitution for each variable,

andthatextendedprocessescontainexactlyonesubstitutionforeachrestrictedvariable.

A context is a process or an extended process with a hole. An evaluation context

is a context without private function symbols whose hole is not under a replication, a

conditional,aninput, oranoutput. Acontext

C[

_

]

closes

A

if

C[A]

isclosed. Aframe is anextendedprocessbuiltupfrom0andactivesubstitutionsbyparallelcompositionand

restriction. We let

φ

and

ψ

rangeoverframes. Thedomain

dom(φ)

ofa frame

φ

isthe setofvariablesthat

φ

exports,i.e.,thosevariables

x

for which

φ

contains asubstitution

{

M/x

}

not under a restriction on

x

. Every extended process

A

can be mapped to a

frame

φ(A)

byreplacing everyplainprocessembeddedin

A

with0. Theframe

φ(A)

can be viewed asanapproximationof

A

thataccounts forthestaticknowledge

A

exposesto its environment, but not for

A

'sdynamic behavior.

The semantics is inherited from the applied pi-calculus and is dened in terms of

structural equivalence (

≡

) and internal reduction (

→

). Structural equivalence states

which processesshould be considered equivalent upto syntacticre-arrangement.

Denition 1 (Structural Equivalence) Structural equivalence (

≡

) is the smallest

equivalence relation on extended processes that satises the rules in Table 2 and that

is closed under

α

-renaming, i.e., renaming of bound names and variables, and under application of evaluation contexts.

Internal reduction denesthesemantics for extendedprocesses.

Par-0

A

≡

A

|

0

Par-A

A

1

|

(A

2

|

A

3

)

≡

(A

1

|

A

2

)

|

A

3

Par-C

A

1

|

A

2

≡

A

2

|

A

1

Repl

!P

≡

P

|

!P

Res-0

νn.0

≡

0

Res-C

νu.νu

0

_.A

_≡

_νu

0

_.νu.A

Res-Par

A

1

|

νu.A

2

≡

νu.(A

1

|

A

2

)

if

u /

∈

free(A

1

)

Alias

νx.

{

M/x

} ≡

0

Subst

{

M/x

} |

A

≡ {

M/x

} |

A

{

M/x

}

Rewrite

{

M/x

} ≡ {

N/x

}

if

Σ

`

M

=

N

Table 3 Internal reduction

Comm

a

h

x

i

.P

|

a(x).Q

→

P

|

Q

Then

M

ground

if

M

=

M

then

P

else

Q

→

P

Else

E

6`

M

=

N

M, N

ground

if

M

=

N

then

P

else

Q

→

Q

extended processes that satises the rules in Table 3 and that is closed under structural

equivalence and under application of evaluation contexts.

We write

A

⇓

a

to denote that

A

can send a message on

a

, i.e.,

A

→

∗

_C[a

_h

_M

_i

_.P

_]

for

someevaluationcontext

C[

_

]

thatdoesnotbind

a

. Observationalequivalence constitutes an equivalence relation that captures the equivalence of processes with respect to their

dynamicbehavior.

Denition 3 (Observational Equivalence) Observational equivalence (

≈

) is the

largest symmetric relation

R

between closed extended processes with the same domain

such that

A

R

B

implies: 1. if

A

⇓

a

,then

B

⇓

a

; 2. If

A

→

∗

_A

0

, then

B

→

∗

_B

0

and

A

0

_R

_B

0

for some

B

0

;

3.

C[A]

R

C[B

]

for all closing evalution contexts

C[

_

]

.

3 An Equational Theory of Zero-Knowledge

In this section we dene a signature and an equational theory for abstractly reasoning

aboutnon-interactivezero-knowledgeproofs. Ourequationaltheoryisparametricinthat

The base equational theory we consider in this paper is given in Table 4. (Note again

though that any other base theory would work as well.) First, it consists of functions

for constructing anddestructing pairs,encrypting anddecrypting messagesby

symmet-ric and asymmetric cryptography, signing messages and verifying signatures, modelling

public and private keys, hashing, and constructing and verifying blind signatures. In

blind signature schemes, the content of a message is disguised before it is signed while

stillensuringpublic veriabilityof thesignature againsttheunmodied message. These

functionshavereceivedpriorinvestigationwithintheappliedPi-calculus, e.g.,toanalyze

theJFKprotocol[2 ]andthe electronicvotingprotocolFOO 92[20]. Second,thetheory

containsthreebinaryfunctions

eq

,

∧

,and

∨

formodellingequalitytest,conjunction,and disjunction, respectively; these functions allow for modelling monotone Boolean

formu-las. In our example theory, we do not consider additional functions for, e.g., negation

or specifying explicit inequalities. We shall often write

=

instead of

eq

and use inx notation for the functions

eq

,

∧

,and

∨

.

3.2 The Equational Theory for Zero-Knowledge

Our equational theory for abstractly reasoning about non-interactive zero-knowledge

proofsisgiveninTable5;itscomponentsareexplainedinthefollowing. Anon-interactive

zero-knowledge proofisrepresentedasaterm oftheform

ZK

i,j

(

M ,

f

N , F)

e

,where

M

f

and

e

N

denotesequences

M

1

, . . . , M

i

and

N

1

, . . . , N

j

ofterms, respectively,andwhere

F

con-stitutesaformulaoverthoseterms,seebelow. Hence

ZK

i,j

isafunctionofarity

i

+

j

+ 1

. We shalloftenomit arities and write this statement as

ZK(

M;

f

N

e

;

F

)

,letting semicolons separatethe respectivecomponents. Thestatement will keepsecrettheterms

M

f

,called thestatement'sprivatecomponent,whiletheterms

N

e

,calledthestatement's public com-ponent, will be revealed to the verier andto the adversary. The formula

F

constitutes a term without names and variables but additionally built upon distinguished nullary

functions

α

i

and

β

i

with

i

∈

N

.

Denition 4 (

(i, j)

-formulas) We call a term an

(i, j)

-formula if the term contains neither names nor variables, and if for every

α

k

and

β

l

occurring therein, we have

k

∈

[1, i]

and

l

∈

[1, j]

.

The values

α

i

and

β

j

in

F

constitute placeholdersfortheterms

M

i

and

N

j

,respectively. For instance, the term

ZK(

k

;

m,

enc

sym

(m, k) ;

β

2

=

enc

sym

(β

1

, α

1

))

denotes a zero-knowledge proof that the term

enc

sym

(m, k)

is an encryption of

m

with

k

. More precisely, the statement reads: There exists a key such that the ciphertext

operators

Σ

base

=















pair,

enc

sym

,

dec

sym

,

enc

asym

,

dec

asym

,

sign,

ver,

msg,

pk,

sk,

hash,

blind,

unblind,

blindsign,

blindver,

blindmsg,

∧

,

∨

,

eq,

first,

snd,

true,

false















ver

and

blindver

of arity

3

,

pair

,

enc

sym

,

dec

sym

,

enc

asym

,

dec

asym

,

sign

,

blind

,

unblind

,

blindsign

,

∧

,

∨

and

eq

of arity

2

,

msg

,

pk

,

sk

,

hash

,

blindmsg

,

first

and

snd

ofarity

1

,

true

and

false

of arity 0.

E

base

isthesmallestequational theorysatisfyingthe following equations denedoverall

x, y, z

:

first(pair(x, y))

=

x

snd(pair(x, y))

=

y

dec

sym

(enc

sym

(x, y), y)

=

x

dec

asym

(enc

asym

(x,

pk(y)),

sk(y))

=

x

msg(sign(x, y))

=

x

ver(sign(x,

sk(y)), x,

pk(y))

=

true

blindver(unblind(blindsign(blind(x, z),

sk(y)), z), x,

pk(y))

=

true

blindmsg(unblind(blindsign(blind(x, z), y), z)) =

x

eq(x, x)

=

true

∧

(true,

true)

=

true

∨

(true, x)

=

true

∨

(x,

true)

=

true

Public

p

(ZK

i,j

(

M ,

f

N , F

e

))

=

N

p

with

p

∈

[1, j]

Formula(ZK

i,j

(

M ,

f

N , F

e

)) =

F

where

Public

p

and

Formula

constitute functions of arity

1

. Since there is no destructor

associated to the statement's private component, the terms

M

f

are kept secret. This models the zero-knowledge property discussed in the introduction. We dene a

state-ment

ZK

i,j

(

M ,

f

N , F

e

)

to hold true if

F

is an

(i, j)

-formula and the formula obtained by substitutingall

α

k

'sand

β

l

'sin

F

withthecorrespondingvalues

M

k

and

N

l

isvalid. Ver-ication of a statement

ZK

i,j

withrespectto a formula is modelled as a function

Ver

i,j

ofarity

2

thatisdened bythe following equational rule:

Ver

i,j

(F,

ZK

i,j

(

M ,

f

N , F

e

)) =

true

i

1)

E

ZK

`

F

{

M /

f

α

e

}{

N /

e

β

e

}

=

true

2)

F

isan

(i, j)

-formula

Table 5 Theequational theoryforzero-knowledge, givena basetheory

(Σ

base

, E

base

)

Σ

ZK

= Σ

base

∪

ZK

i,j

,

Ver

i,j

,

Public

i

,

Formula,

α

i

, β

i

,

true

|

i, j

∈

N

ZK

i,j

ofarity

i

+

j

+ 1

,

Ver

i,j

ofarity2,

Public

i

and

Formula

ofarity1,

α

i

, β

i

and

true

of arity0.

E

ZK

is thesmallest equational theorysatisfying theequations of

E

base

and thefollowing equations dened over allterms

M ,

f

N , F

e

:

Public

p

(ZK

i,j

(

M ,

f

N , F

e

))

=

N

p

with

p

∈

[1, j]

Formula(ZK

i,j

(

M ,

f

N , F

e

)) =

F

Ver

i,j

(F,

ZK

i,j

(

M ,

f

N , F

e

)) =

true

i

1)

E

ZK

`

F

{

M /

f

α

e

}{

N /

e

β

e

}

=

true

2)

F

is an

(i, j)

-formula

N

l

. This rule guarantees in the abstract model the soundness and correctness of zero-knowledge protocols.

3.3 An Illustrating Example

We illustrate the zero-knowledge abstraction by means of the following example

proto-col. We keep the protocol simplistic in order to focus on the usage of zero-knowledge

proofs; in particular, we ignore vulnerabilities due to replay attacks and corresponding

countermeasures suchasnonces andtimestamps.

A

B

S

i

A,B

/

/

o

o

{

A,B

}

_kS

i

o

o

_ZK

Party

B

receivesasignedmessage

{

A, B

}

fromsomeserver

S

i

∈ {

S

1

, . . . , S

n}

. (This signedmessagemight,e.g.,serveasacerticate thatallows

B

toprovethathe hasbeen authorizedtocontact

A

.) While

B

shouldbeabletoconvince

A

thatheownsasignature onthismessageissuedbyoneofthepossible

n

servers,theprotocolshouldensurethat

A

doesnot learnwhichserver

S

i

infactissuedthesignature. Thisprevents

B

fromsimply forwardingthesigned messageto

A

. Instead,

B

provesknowledgeofsuchasignatureby anon-interactive zero-knowledgeproof

ZK

.

We now carefully examine the proof of knowledge

ZK

. We aim at formalizing the following statement: There exists

α

such that

α

is a signature of

A

and

B

, and this signature was created using one of the signature keys

k

S1

, . . . , k

S

n

. Coming up with a

formalization of this statement rst requires us to tell the secret terms from the terms

itself and the corresponding verication key

pk(k

S

i

)

,however, have to bekept secretto preservetheanonymityof

S

i

. Theserequirementsarecastinourzero-knowledgenotation asfollows:

ZK

=

ZK

2

,n

+1









sign(pair(A, B),

sk(k

S

i

)),

pk(k

S

i

);

pk(k

S1

), . . . ,

pk(k

S

n

),

pair(A, B);

W

i

=1

,n

α

2

=

β

i

∧

ver(α

1

, β

n

+1

, α

2

))









This statement captures that the signature

sign(pair(A, B),

sk(k

S

i

))

and the public key

pk(k

S

i

)

used in the verication are kept secret (i.e., the identity of

S

i

is not revealed) while the proof reveals the public keys of all servers (thisincludes

pk(k

S

i

)

but does not tellitfromtheremaining publickeys)aswell astheidentiersof

A

and

B

. Theformula statesthatthe vericationkeyofthesignaturebelongsto theset

{

pk(k

S1

), . . . ,

pk(k

S

n

)

}

, and that the signed message consistsof a pair composed of theidentiers of

A

and

B

. We obtain the following descriptionofa singleprotocol run:

A

,

a(y).

if

Test

then

b

h

ok

i

else

b

h

error

Ai

B

,

a(x).

if

(ver(x,

pair(A, B),

pk(k

S

i

)))

then

a

h

ZK

i

else

b

h

error

Bi

S

i

,

a

h

sign(pair(A, B),

sk(k

S

i

))

i

Prot

,

νk

A

.νk

B

.νk

S1

. . . . .νk

S

n

.

a

h

pk(k

S1

)

i

. . . . .a

h

pk(k

S

n

)

i

.(A

|

B

|

S

i

)

where Test constitutes thefollowing condition:

Ver

₂

,n

+1

W

i

=1

,n

α

2

=

β

i

∧

ver(α

1

, β

n

+1

, α

2

), y

=

true

V

i

=1

,n

Public

i

(y) =

pk(k

S

i

)

∧

Public

n

+1

(y) =

pair(A, B)

We wrote Test using conjunctions only to increase readability; Test can be

straightfor-wardlyencodedin thesyntax ofthecalculus bya sequenceof conditionals.

4 Towards a Mechanized Analysis of Zero-Knowledge

Theequationaltheory

Σ

ZK

denedintheprevioussectionisnotsuitableforexistingtools for mechanized security protocol analysis. The reason is that the signature

Σ

ZK

, and consequently the number of equations inthe specication,is innite since, for instance,

weassumeadierent

ZK

i,j

constructor foreachpossiblearity. Inthissection, wespecify an equivalent equational theoryin terms ofa convergent rewriting system. This theory

turnsouttobesuitableforProVerif[6],awell-establishedtoolformechanizedverication

of dierent security properties of cryptographic protocols specied in a variant of the

The central ideaof our equivalent nite theoryis to focus onthezero-knowledgeproofs

usedwithinthe processspecicationand toabstractaway fromtheadditional onesthat

arepossiblygenerated bytheenvironment. Thismakesniteboththesignatureandthe

specication ofthe equational theory.

Pinningdownthisconceptuallyelegantandappealingidearequirestoformally

charac-terizethezero-knowledgeproofsgenerated,veried,andreadintheprocessspecication.

First,wetrackthezero-knowledgeproofsgeneratedorveriedintheprocessspecication

by a set

F

of triples of theform

(i, j, F

)

, where

i

is thearity of theprivate component,

j

the arityof the public component, and

F

the formula. Second, we record thearity

h

(resp.

l

) of the largest private component (resp. public component) of zero-knowledge proofsusedintheprocessspecication. For terms

M

and processes

P

,welet terms

(M)

denotethesetofsubtermsof

M

andterms

(P

)

denotethesetoftermsin

P

. Wecannow formallydene the notion of

(

F

, h, l)

-validityof termsand processes.

Denition5(ProcessValidity) Aterm

Z

is

(

F

, h, l)

-validifandonlyifthefollowing conditions hold:

1. for every

ZK

i,j

(

M ,

f

N , F

e

)

∈

terms

(Z

)

and

Ver

i,j

(F, M

)

∈

terms

(Z)

,

(a)

F

isan

(i, j)

-formula and

(i, j, F

)

∈ F

, (b)

F

∈

T

Σ

base

∪{

α

k

,β

l

|

k

∈

[1

,i

]

,l

∈

[1

,j

]

}

,

(c) andfor every

(i, j, F

0

₎

_{∈ F}

such that

E

ZK

`

F

=

F

0

, we have

F

=

F

0

.

2. For every

k

∈

N

,

α

k

and

β

k

occur in

Z

only inside of the last argument of some

ZK

i,j

or

Ver

i,j

function.

3. for every

(i, j, F

)

∈ F

,we have

i

∈

[0, h]

and

j

∈

[0, l]

.

4. for every

Public

p

(M)

∈

terms

(Z)

, we have

p

∈

[1, l]

.

A process

P

is

(

F

, h, l)

-valid if andonly if

M

is

(

F

, h, l)

-valid for every

M

∈

terms

(P

)

, the private arity of

P

is less or equal than

h

, and the public arity of

P

is less or equal than

l

.

We check that each zero-knowledge proof generation and verication is tracked in

F

(condition 1a). For the sake of simplicity, we prevent the occurrence of zero-knowledge

operators within formulas in the process specication (condition 1b). Without loss of

generality, we also require that equivalent formulas occurring in zero-knowledge proofs

of the same arity aresyntactically equal (condition 1c ) and that the

α

i

's and

β

j

's only occur within formulas (condition 2 ). Finally, we check that the arity of private and

public components of zero-knowledge proofs used in the process specication is less or

equal than

h

and

l

,respectively (conditions 3 and4 ).

Givenan

(

F

, h, l)

-valid process,wecan easilydene aniteequational theory

E

F

,h,l

FZK

Table6Theniteequationaltheoryforzero-knowledgewithrespecttoan

(

F

, h, l)

-valid process,given abasetheory

(Σ

base

, E

base

)

Σ

F

_FZK

,h,l

= Σ

base

∪







ZK

F

_i,j

,

PZK

F

_i,j

,

Ver

F

_i,j

,

FakeZK

k

,

Public

p

,

Formula,

FakeCollect,

FakePublic,

FakeVer, α

g

, β

p

|

(i, j, F

)

∈ F

, g

∈

[1, h],

k

∈

[0, l], p

∈

[1, l]







PZK

F

_i,j

ofarity

i

+

j

+ 1

,

ZK

F

i,j

of arity

i

+

j

,

FakeZK

k

ofarity

k

+ 2

,

FakeVer

of arity

4

,

FakePublic

and

FakeCollect

of arity

2

,

Ver

F

i,j

,

Public

p

,and

Formula

of arity

1

,

α

g

and

β

p

ofarity

0

.

PZK

F

i,j

isprivate.

E

_FZK

F

,h,l

isthesmallestequationaltheorysatisfyingtheequationsof

E

base

andthefollowing

equations for every

(i, j, F

)

∈ F

:

ZK

F

_i,j

(

x,

_e

y)

_e

=

PZK

F

_i,j

(

x,

_e

y, F

_e

{

e

x/

α

_e

}{

y/

e

β

e

}

)

Ver

F

_i,j

(PZK

F

i,j

(

x,

e

e

y,

true))

=

true

Public

_p

(PZK

F

_i,j

(

x,

_e

y, z))

_e

=

y

p

p

∈

[1, j]

Formula(PZK

F

_i,j

(

x,

_e

y, z))

_e

=

F

Public

_p

(FakeZK

k

(x,

y, z

e

))

=

y

k

p

∈

[1, k], k

∈

[0, l]

Formula(FakeZK

k

(x,

y, z)) =

e

z

k

∈

[0, l]

include in the signature

Σ

F

,h,l

FZK

the function symbols

ZK

F

i,j

and

Ver

F

i,j

of arity

i

+

j

and

1

, respectively. We then replace every term

ZK

i,j

(

M ,

f

N , F

e

)

and

Ver

i,j

(F, M

)

in the

process specication by

ZK

F

i,j

(

M ,

f

N

e

)

and

Ver

F

i,j

(M

)

, respectively. Since formulas are

uniquelydeterminedbythe

ZK

F

i,j

functionsymbol,theycanbeomittedfromtheprotocol

specication. Furthermore,weneedintheequational theoryonlythosefunctions

α

i

and

β

j

that satisfy

i

∈

[1, h]

and

j

∈

[1, l]

; the remaining ones can be safely omitted since they do not oer the adversary any additional capabilities. For nitely modelling the

vericationofzero-knowledgeproofs,weinclude in

Σ

F

,h,l

FZK

thefunctionsymbols

PZK

F

i,j

of

arity

i+

j

+ 1

. Aterm

ZK

F

i,j

(

M ,

f

N

e

)

isequivalentto

PZK

F

i,j

(

M ,

f

N , F

e

{

M /

f

α

e

}{

N /

e

β

e

}

)

. This can be captured using a nite description, since the numberof formulas in the process

specication isnite:

ZK

_i,j

F

(

x,

_e

y) =

_e

PZK

F

_i,j

(

x,

_e

y, F

_e

{

_e

x/

α

_e

}{

y/

_e

β

e

}

)

For verifyinga zero-knowledgeproof,itthus sucestocheckwhetherthelastargument

ofthe

PZK

F

i,j

is

true

or not:

Ver

F

_i,j

(PZK

F

_i,j

(

_e

x,

y,

_e

true)) =

true

Theruleforextractingthepubliccomponentisdenedintheexpectedmanner.

Extract-ing the formula from a zero-knowledge proof

PZK

F

Formula

yields the formula

F

(without the substitution

{

M /

f

α

e

}{

N /

e

β

e

}

) inorder to pre-vent theadversary fromderiving theformulainstantiated withprivateterms.

Public

_p

(PZK

F

i,j

(

x,

e

y, z))

e

=

y

p

p

∈

[1, j]

Formula(PZK

F

i,j

(

x,

e

e

y, z)) =

F

We obtain a nite set of rules since the number of

ZK

F

i,j

and

Ver

F

i,j

constructors

corre-sponds to the (nite) number of formulas occurring in the process specication. The

PZK

F

_i,j

functionsareprivate;hencetheycannotbeusedbytheadversarytoderiveterms

of the form

ZK

F

i,j

(

M ,

f

N ,

e

true)

, which would be successfully veried by trusted partici-pantsregardlessofthevalueof

F

{

M /

f

α

e

}{

N /

e

β

e

}

. Thepossibilitytoconstructsuchterms wouldbreak the soundnesspropertyof zero-knowledge proofs.

It now remains to encode the zero-knowledge proofs generated by theenvironment.

These proofs possiblycontain formulas or have arities dierent from the ones specied

in the process. We include in

Σ

F

,h,l

FZK

a nite set of symbols

FakeZK

k

of arity

k

+ 2

, where

k

∈

[0, l]

. The term

FakeZK

k

(M,

N , F

e

)

never occurs in process specications andrepresentszero-knowledgestatementsforgedbytheadversary;here

M

constitutesa distinguishedtermthatuniquelyreferstothe zero-knowledgeproofandthatplaysarole

only inthe proof of soundness,

N

e

denotes the rst

k

elements of thepublic component, and

F

istheformula. Theequationalrulesfor extractingthepubliccomponentsandthe formula from

FakeZK

k

termsarespecied asfollows:

Public

_p

(FakeZK

k

(x,

y, z))

e

=

y

k

Formula(FakeZK

k

(x,

y, z

e

)) =

z

for any

p

∈

[1, k]

and

k

∈

[0, l]

. We additionally include in

Σ

F

,h,l

FZK

functions

FakeCollect

,

FakePublic

, and

FakeVer

. These functions are only used for proving the nite theory

equivalent to the innite one inthe next section; the functionsare freein that they do

not occurinanyequations.

4.2 Compilation into Finite Form

We nowdene the staticcompilation of termsandprocesses.

Denition6(StaticCompilation) The

(

F

, h, l)

-staticcompilationisthepartial func-tion

σ

:

T

Σ

ZK

→

T

_Σ

F

,h,l

FZK

recursively dened as follows:

ZK

i,j

(

M ,

f

N , F

e

)σ

=

ZK

F

i,j

(

M σ,

f

N σ)

e

∀

(i, j, F

)

∈ F

Ver

i,j

(F, M

)σ

=

Ver

F

i,j

(M σ)

∀

(i, j, F

)

∈ F

Public

p

(M)σ

=

Public

p

(M σ)

∀

p

∈

[1, l]

Formula(M)σ

=

Formula(M σ)

f(M

1

, . . . , M

i

)σ

=

f(M

1

σ, . . . , M

i

σ)

∀

f

∈

Σ

base

xσ

=

x

∀

x

In

M

∈

T

Σ

+

a(x).P

a

(

→

M

)

P

{

M/x

}

Out-Atom

a

h

u

i

.P

a

→

h

u

i

P

Open-Atom

A

a

→

h

u

i

A

0

u

6

=

a

νu.A

νu.a

→

h

u

i

A

0

Scope

A

→

µ

A

0

u

doesnot occurin

µ

νu.A

→

µ

νu.A

0

Par

A

→

µ

A

0

bound(µ)

∩

free(B) =

∅

A

|

B

→

µ

A

0

|

B

Struct

A

≡

B

B

→

µ

B

0

B

0

≡

A

0

A

→

µ

A

0

Notation:

Σ

+

contains the public function symbols in

Σ

. In Out-Atom,

u

is eithera channelname ora variable.

The

(

F

, h, l)

- static compilationconstitutes a total function whenrestricted to

(

F

, h, l)

-valid terms. The rstequations deal withthecompilationof zero-knowledge proofsand

operatorsacting onthem. Thestaticcompilationactscomponent-wiseontheremaining

termsand behavesastheidentity function onnames and variables. Thecompilation of

aprocess

P

,written

P σ

,is dened bythe compilationof thetermsoccurringtherein. Thefollowingtheoremnallystatesthatobservationalequivalenceispreservedunder

static compilation and hence asserts the soundness of the encoding from the innite

specication into the nitespecication. Its proof isgiven inthenextsection.

Theorem 1 (Preservation of Observational Equivalence) Let

P

and

Q

be

(

F

, h, l)

-valid processes and

σ

be the

(

F

, h, l)

-static compilation. If

P

≈E

ZK

Q

, then

P σ

≈

_E

F

,h,l

FZK

Qσ

.

We additionally prove that a comprehensive class of trace-based properties is preserved

understaticcompilation. We rstdene thenotion ofan executiontrace. Thisrequires

to review the labelled operational semantics that extends the semantics given in Table

3 by allowing us to reason about processes that interact with their environment. The

labelled transitionsystemis given inTable 7 .

Denition 7 (Execution Traces) The set of execution traces of an extended process

A

, written traces

(A)

, is dened as follows:

traces

(A) =

{

µ

1

φ(A

1

), . . . , µ

n

φ(A

n

)

|

A

→

∗

_→

µ1

_A

1

. . .

→

∗

µ

n

→

A

n}

boolean formula over the terms

M

1

, . . . , M

n

: such terms are meant to express trace-based security properties. For instance, thenotion of authenticity can be formalized as

pair(

end

, x)

⇒

pair(

begin

, x)

,where end andbeginarespecialnullaryfunctions.

Denition 8 (Trace-based SecurityProperty) Atrace

s

satises theevent

M

with substitution

ξ

, written

s

`ξ

M

if and only if there exist

s

1

, s

2

, N, ξ

such that

s

`

s

1

::

c

h

N

i

::

s

2

and

E

ZK

`

N

=

M ξ

.

A trace

s

satises the property

B(M

1

, . . . , M

n

)

with substitution

ξ

, written

s

`ξ

B(M

1

, . . . , M

n

)

,if and onlyif

B(s

`ξ

M

1

, . . . , s

`ξ

M

n

)

.

A process satises the property

B(M

1

, . . . , M

n

)

, written

P

`ξ

B

(M

1

, . . . , M

n

)

, ifand onlyif for every trace

s

∈

traces

(P

)

, there exists

ξ

such that

s

`ξ

B(M

1

, . . . , M

n

)

Finally,wecan state thetheoremof preservation for trace-based securityproperties.

Theorem 2 (Trace-based Security Property Preservation) Let

P

be a

(

F

, h, l)

-validprocess,

σ

bethe

(

F

, h, l)

-staticcompilation,and

M

1

, . . . , M

n

be

(

F

, h, l)

-validterms. If

P σ

`

B

(M

1

σ, . . . , M

n

σ)

, then

P

`

B(M

1

, . . . , M

n

)

.

4.3 Preservation of Observational Equivalence and Trace-based

Secu-rity Properties

Instead of proving that observational equivalence is preserved under static compilation,

weshowpreservation ofanequivalentformulation ofobservationalequivalence basedon

staticequivalence and labelled bisimilarity. We rst reviewthesenotions.

Denition9(TermEqualityinFrames) Twoterms

M

and

N

areequalinaframe

φ

, written

(M

=

N

)φ

,ifandonlyif

φ

≡

ν

e

n.σ

,

M σ

=

N σ

, and

{

e

n

} ∩

(f n(M

)

∪

f n(N

)) =

∅

for somenames

e

n

andsubstitution

σ

.

Denition 10 (Static Equivalence) Two closed frames

φ

and

ψ

are statically equiv-alent, written

φ

≈

s

_ψ

if and only if

dom(φ) =

dom(ψ)

and for all terms

M

and

N

, it holdsthat

(M

=

N)φ

if and onlyif

(M

=

N

)ψ

.

We saythat two closed extended processes are staticallyequivalent,written

A

≈

s

_B

if

andonly if theirframes are statically equivalent.

We now dene the notion of labelled bisimilarity, which constitutes an equivalent

no-tion of observational equivalence. Labelled bisimilarity does not rely on the universal

quantication overevalutioncontextsusedinthedenitionofobservationalequivalence.

Denition 11 (Labelled Bisimilarity) Labelled bisimilarity (

≈

l

) is the largest

sym-metric relation

R

on closed extended processes such that

A

R

B

implies: 1.

A

≈

s

_B

;

2. if

A

→

A

0

, then

B

→

∗

_B

0

and

A

0

_R

_B

0

for some

B

0

;

3. if

A

µ

→

A

0

and

f v(µ)

⊆

dom(A)

and

bn(µ)

∩

f n(B

) =

∅

, then

B

→

∗

_→→

µ

∗

_B

0

and

A

0

_R

_B

0

for some

B

0

belled bisimilarity.

Theorem 3 (Observational Equivalence and Labelled Bisimilarity)

Observa-tional equivalence coincides withlabelled bisimilarity:

≈

=

≈

l

.

It henceremains to be shown thatlabelled bisimilarityis preserved understatic

compi-lation. In the following, we write

P

≡E

Q

to emphasize that

P

and

Q

are structurally equivalent with respect to an equational theory

E

. Furthermore, we write

M φ

for the ground term obtained byrepeated application of thesubstitution in

φ

to

M

, where we assume that

f v(M

)

⊆

f v(φ)

∪

bv(φ)

. This notation is well-dened since frames do not containsubstitutions withcyclic dependencies. Thenext denitionintroduces anormal

form for terms. Intuitively, a term isin

(

F

, h, l)

-normal form ifthesubterms generated bytheenvironment cannotbe furthersimplied(conditions 1 and2) and,inthecaseof

zero-knowledge proofs, they either comply withthe process specication or belong to a

dierent equivalence class(condition 3).

Denition 12 (Normal Form) A term

M

∈

T

Σ

ZK

is in

(

F

, h, l)

-normal form with respect toa frame

φ

if andonly ifthe followingconditions hold:

1. for every

Public

j

(Z

)

∈

terms

(M

)

,

i, j

0

_,

_{M ,}

_f

_{N , F}

_e

such that

j > l

and

E

ZK

`

Zφ

=

ZK

i,j

0

(

M ,

f

N , F

e

)

, we have

j

0

_{< j}

.

2. for every

Ver

i,j

(F, Z)

∈

terms

(M

)

,

M ,

f

N

e

such that

E

ZK

`

Zφ

=

ZK

i,j

(

M ,

f

N , F

e

)

, we have that

(i, j, F

)

∈ F

.

3. for every

ZK

i,j

(

M ,

f

N , F

e

)

∈

terms

(M

), F

0

such that

(i, j, F

0

₎

_{∈ F}

and

Σ

ZK

`

F

=

F

0

, we have

F

=

F

0

.

For anyterm thereexistsan equivalent term innormal form.

Proposition 1 (Normal Form) For any term

M

∈

T

Σ

ZK

and frame

φ

, there exists a term

N

∈

T

Σ

ZK

in

(

F

, h, l)

-normal form withrespect to

φ

such that

E

ZK

`

(M

=

N

)φ

.

Proof. Byan inspection of theequational rules inTable 5and Denition 12.

Wenowcharacterizethenotionofvalidityofextendedprocesses. Intuitively,anextended

processis

(

F

, h, l)

-valid ifitcan beseparatedinto an

(

F

, h, l)

-validprocess anda frame where freevariables,referringtooutputmessages, areassociated to

(

F

, h, l)

-valid terms, and bound variables, referring to input messages, are associated to terms in

(

F

, h, l)

-normalform thatonlycontain freenames and freevariables.

Denition 13 (Extended ProcessValidity) A frame

φ

is

(

F

, h, l)

-valid if and only if there exist

e

n,

y,

e

{

Z/

e

x

e

}

, with

y

e

⊆

e

x

, such that the following conditions hold:

1.

φ

=

ν

e

n.ν

y.

e

{

Z/

e

e

x

}

.

3. for every

x

k

∈

bv(φ)

, we have that

Z

k

is in

(

F

, h, l)

-normal form withrespect to

φ

and

free(Z

k

)

∩

bound(φ) =

∅

.

An extended process

A

is

(

F

, h, l)

-valid ifand onlyif there exist

n,

e

y,

e

{

M /

f

e

x

}

, with

e

y

⊆

x

e

, such that the following conditions hold:

1.

A

=

ν

n.ν

e

e

y.(

{

Z/

e

e

x

}|

P

)

.

2.

ν

e

n.ν

e

y.

{

Z/

e

x

e

}

is

(

F

, h, l)

-valid.

3.

P

is

(

F

, h, l)

-valid.

Inthe following,weuse

FakeCollect(

M

f

)

for

M

f

=

M

1

, . . . , M

n

asanabbreviation forthe term

FakeCollect(M

1

,

FakeCollect(M

2

, . . . ,

FakeCollect(M

n

−

1

, M

n

)))

. Wefurtherconsider acountable setofnames thataremeant torepresentnatural numbers, denoted

i, j

,and nullary functions

α

i

and

β

j

with

i > h

and

j > l

, denoted

f

α

i

and

f

β

j

, respectively.

Without lossof generality, we discipline

α

-renaming to guarantee that such names are neverrestricted inthe process.

Wenowintroduce the dynamiccompilation ofterms atrun-time.

Denition 14 (Dynamic Compilation) The

(

F

, h, l)

-dynamic compilation is the function

ρ

:

T

Σ

ZK

→

T

_Σ

F

,h,l

FZK

recursively dened asfollows:

Public

j

(M)ρ

=

Public

j

(M ρ)

if

j

∈

[1, l]

FakePublic(j, M ρ)

otherwise

ZK

i,j

(

M ,

f

N , F

e

)ρ

=

ZK

F

i,j

(

M ρ,

f

N ρ)

e

if

(i, j, F

)

∈ F

FakeZK

k

(g,

N

e

k

ρ, F ρ)

otherwise

(k

=

min

(j, l),

g

=

FakeCollect(i, j,

M ρ,

f

N ρ))

e

Formula(M

)ρ

=

Formula(M ρ)

α

i

ρ

=

α

i

if

i

∈

[1, h]

f

_α

_i

otherwise

β

j

ρ

=

β

j

if

j

∈

[1, l]

f

_β

_j

otherwise

Ver

i,j

(F, M

)ρ

=

Ver

F

i,j

(F ρ, M ρ)

if

(i, j, F

)

∈ F

FakeVer(i, j, F ρ, M ρ)

otherwise

f

(M

1

, . . . , M

i

)ρ

=

f(M

1

ρ, . . . , M

i

ρ)

∀

f

∈

Σ

base

xρ

=

x

∀

x

nρ

=

n

∀

n

Proposition 2 (Closure of Dynamic Compilation) Let

ρ

be the

(

F

, h, l)

-dynamic compilation. For every frame

φ

and every term

M

in

(

F

, h, l)

-normal form withrespect to

φ

, we have

(M ρ)φρ

= (M φ)ρ

Proof. Byan inspection of Denition 14and Denition 12.

We next lemmastatesthat term equality ispreserved bydynamiccompilation.

Lemma 1 (Preservation of Term Equality) Let

φ

be an

(

F

, h, l)

-valid frame and

ρ

be the

(

F

, h, l)

-dynamic compilation. Then for any ground terms

M

1

, M

2

∈

T

Σ

ZK

in

(

F

, h, l)

-normalformwithrespectto

φ

,wehave

E

ZK

`

M

1

=

M

2

⇔

E

F

,h,l

FZK

`

M

1

ρ

=

M

2

ρ

.

Proof. We prove the

⇒

implication by induction on thelength of the derivation of

M

1

. We rst discussthe interesting basecases:

M

1

=

Public

k

(ZK

i,j

(

M ,

f

N , F

e

))

,

M

2

=

N

k

We havetwo cases:

1.

(i, j, F

)

∈ F

: By denition of

ρ

(cf. Denition 14), we get

M

1

ρ

=

Public

k

(ZK

F

i,j

(

M ρ,

f

N ρ))

e

. By denition of

E

F

,h,l

FZK

(cf. Table 6), we get

E

_FZK

F

,h,l

`

Public

k

(ZK

F

i,j

(

M ρ,

f

N ρ)) =

e

N

k

ρ

,asdesired.

2.

(i, j, F

)

∈

/

F

: By denition of

ρ

, we can derive that

M

1

ρ

=

Public

k

(FakeZK

min

(

j,l

)

(FakeCollect(i, j,

f

M ρ,

N ρ),

e

N

e

₁

min

(

j,l

)

, F ρ)

. By denition

of

E

F

,h,l

FZK

,

E

F

,h,l

FZK

`

M

1

ρ

=

N

k

ρ

,asdesired.

M

1

=

Formula(ZK

i,j

(

M ,

f

N , F

e

))

,

M

2

=

F

We have twocases:

1.

(i, j, F

)

∈ F

: Bydenitionof

ρ

,we get

M

1

ρ

=

Formula(

ZK

F

i,j

(

M ρ,

f

N ρ))

e

. By denition of

E

F

,h,l

FZK

, we get

E

F

,h,l

FZK

`

Formula(ZK

F

i,j

(

M ρ,

f

N ρ)) =

e

F

and, since

M

1

is in

(

F

, h, l)

-normal form with respect to

φ

, by denition of

ρ

we have that

F ρ

=

F

,asdesired.

2.

(i, j, F

)

∈

/

F

: By Denition 14, we obtain

M

1

ρ

=

Formula(

FakeZK

min

(

j,l

)

(FakeCollect(i, j,

f

M ρ,

N ρ),

e

N

e

₁

min

(

j,l

)

, F ρ)

. By an inspection of

Table 6,we have

E

F

,h,l

FZK

`

M

1

ρ

=

F ρ

,asdesired.

M

1

=

Ver(F,

ZK

i,j

(

M ,

f

N , F

e

))

and

M

2

=

true

It mustbe thecase that

(i, j, F

)

∈ F

,

oth-erwise

M

1

is not in

(

F

, h, l)

-normal form with respect to

φ

. By denition of

ρ

,

M

1

ρ

=

Ver

F

i,j

(ZK

F

i,j

(

M ρ,

f

N ρ))

e

. By the equational theory of Table 6,

E

F

,h,l

FZK

`

M

1

ρ

=

true

,asdesired.

We prove the inductionstep bycases:

Symmetry Wehavethat

E

ZK

`

M

1

=

M

2

isprovedbysymmetryfrom

E

ZK

`

M

2

=

M

1

. Byinduction hypothesis,

E

F

,h,l

FZK

`

M

2

ρ

=

M

1

ρ

. The resultfollowsbysymmetryof