Equational Tree Automata: Towards Automated Verification of Network Protocols

Authors

  • Hitoshi Ohsaki
  • Toshinori Takai
Abstract

An extension of the tree automata framework, called equational tree automata, is presented. This theory is useful for dealing with unification modulo equational rewriting. In the manuscript, we demonstrate how equational tree automata can be applied to several realistic unification examples, including a security problem of network protocols.

This paper is a modified version of the authors' UNIF2002 paper [6].

1 Equational Tree Languages

Unification modulo an equational theory is a central topic in automated reasoning. Tree automata are a powerful technique for handling unification modulo rewriting [2]. On the other hand, to model some network security problems, such as the Diffie-Hellman key exchange algorithm, rewrite rules and equations (e.g. associativity and commutativity axioms) have to be dealt with separately in the underlying theory, and this causes a situation where the standard tree automata technique is useless. In our recent papers [5, 7], we have proposed an extension of tree automata, called equational tree automata. This framework subsumes Petri nets (Example 1). In a practical example, equational tree automata can be used to verify a security problem of the Diffie-Hellman protocol (Example 2). We start this section with the basics of tree automata and the equational extension.

A tree automaton (TA for short) A is defined by the 4-tuple (F, Q, Q_fin, ∆), whose components are a signature F (a finite set of function symbols with fixed arities), a finite set Q of states (special constants with F ∩ Q = ∅), a subset Q_fin of Q consisting of the so-called final states, and a finite set ∆ of transition rules of the following form:

– f(p1, ..., pn) → t for some f ∈ F with arity(f) = n and p1, ..., pn ∈ Q.

The right-hand side t is a term consisting of f and state symbols. The function symbol f in the right-hand side must be the same as the one in the left-hand side.

Each of F_A and F_C consists of some binary function symbols of the signature F. The intersection of F_A and F_C is denoted by F_AC. The set of associativity axioms f(f(x, y), z) ≈ f(x, f(y, z)) for all f ∈ F_A is denoted by A(F_A). Likewise, the set of commutativity axioms f(x, y) ≈ f(y, x) for all f ∈ F_C is C(F_C). The union of A(F_AC) and C(F_AC) is represented by AC(F_AC). When it is unnecessary to be explicit, we write A, C and AC, respectively.

An equational tree automaton (ETA for short) A/E is the combination of a TA A and a set E of equations over the same signature F. An ETA A/E is called

– regular if the right-hand side t is a single state q,
– monotone if the right-hand side t is a single state q or a term f(q1, ..., qn)

for every transition rule f(p1, ..., pn) → t in ∆. The equational tree automata defined in [4, 5, 7] are of the above monotone kind. A term t in T(F) is accepted by A/E if t →A/E q for some q ∈ Q_fin. The set of terms accepted by A/E is denoted by L(A/E). A tree language (TL for short) L over F is a subset of T(F). A TL L is E-recognizable if there exists an A/E such that L = L(A/E). Similarly, L is called E-monotone (E-regular) if A/E is monotone (regular). If L is E-recognizable with E = ∅, we say L is recognizable. Likewise, we say L is monotone (regular) if L is ∅-monotone (∅-regular). We say A/E is a C-TA (A-TA, AC-TA) if E = C (E = A, E = AC, respectively).

Lemma 1. Every C-recognizable tree language is regular.

Proof. Suppose a tree language is recognizable by a C-TA A/C, where A = (F, Q, Q_fin, ∆). Define B = (F, Q, Q_fin, ∆′) with ∆′ = {f(p1, ..., pn) → q | f(q1, ..., qn) → r ∈ ∆ such that f(p1, ..., pn) ∼C f(q1, ..., qn) and r →A/C q}. Then it can be proved that the regular TA B recognizes L(A/C).

Lemma 2. The following language hierarchy holds if E = A: E-regular TL is included in E-monotone TL, which is included in E-recognizable TL. However, the classes of regular TL and E-recognizable TL are incomparable.

Proof. The first inclusion relation is proved in [7]. For the second inclusion, suppose F = F0 ∪ {f} with F_A = {f}, where F0 denotes a set of constant symbols. Then a (word) language W over F0 is context-sensitive if and only if an A-monotone TL is maximal for W. A TL L is called maximal for a language W if for all terms t in T(F), leaf(t) ∈ W if and only if t ∈ L. Similarly, a language W is recursively enumerable if and only if an A-recognizable TL is maximal for W. It is known that the recursively enumerable languages strictly include the context-sensitive languages.

The difference between the classes of regular TL and E-recognizable TL is proved by taking the TL L1 = {f(f(a, a), a)} under the assumption F_A = {f}. The TL L1 is regular (as it is finite), but it is not recognizable by an A-TA, because an A-TA which accepts f(f(a, a), a) also accepts f(a, f(a, a)). On the other hand, take the TL L2 = {t | |t|_a = |t|_b} over the signature F = {f, a, b}, where arity(f) = 2 and a, b are constant symbols. If F_A = {f} then L2 is A-regular (Lemma 8, [5]), but it is not regular.

Remark 1. We know the same hierarchy holds also for E = AC, except for the inclusion of E-monotone TL in E-recognizable TL; this relation remains an open question.
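The following Python program is an added illustration and is not code from the paper or from the authors' tools. It implements the regular tree automaton of the definition above as a nondeterministic bottom-up run, acceptance modulo commutativity (a C-TA) by trying every reordering of arguments under the commutative symbols, and the ∆′ construction of Lemma 1 restricted to regular rules: with regular rules the condition r →A/C q forces r = q, so closing each left-hand side under ∼C is all that is needed. The signature F = {a, b, f} with F_C = {f}, the states and the rules are constructed for this example; the last check enumerates every term up to depth 2 and confirms that the C-TA and the regular TA B accept exactly the same terms. This is the compilation step that lets a standard tree-automata tool be used where a protocol model needs only commutativity of an operator.

```python
"""Bottom-up tree automata and acceptance modulo commutativity (added example)."""
from itertools import permutations, product

# Ground terms: a constant is a str, an application is (f, arg1, ..., argn).
# A regular transition rule f(p1, ..., pn) -> q is the triple (f, (p1, ..., pn), q);
# a constant symbol c with rule c -> q is (c, (), q).


class TreeAutomaton:
    """A regular TA (F, Q, Q_fin, Delta); F and Q are implicit in the rules."""

    def __init__(self, rules, final):
        self.rules = set(rules)
        self.final = set(final)

    def states_of(self, term):
        """Bottom-up run: every state q with term ->A q (the run is nondeterministic)."""
        f, args = (term, ()) if isinstance(term, str) else (term[0], term[1:])
        child_states = [self.states_of(arg) for arg in args]
        reached = set()
        for combo in product(*child_states):  # one choice of state per child
            for g, ps, q in self.rules:
                if g == f and ps == tuple(combo):
                    reached.add(q)
        return reached

    def accepts(self, term):
        """term is in L(A) iff some run ends in a final state."""
        return bool(self.states_of(term) & self.final)


def c_variants(term, fc):
    """Enumerate the (finite) C-equivalence class of term: under every symbol in fc
    the arguments may be reordered, at any depth."""
    if isinstance(term, str):
        yield term
        return
    f, args = term[0], term[1:]
    for child_combo in product(*(list(c_variants(a, fc)) for a in args)):
        orders = permutations(child_combo) if f in fc else [tuple(child_combo)]
        for order in set(orders):
            yield (f,) + tuple(order)


def accepts_modulo_c(ta, term, fc):
    """t ->A/C q for a final q: commutativity steps only reorder arguments, so it is
    enough to check whether some C-equivalent rearrangement is accepted by A itself."""
    return any(ta.accepts(v) for v in c_variants(term, fc))


def c_closure(ta, fc):
    """Lemma 1 construction, restricted to regular rules: Delta' contains
    f(p1..pn) -> q whenever f(q1..qn) -> q is in Delta and f(p1..pn) ~C f(q1..qn).
    (With regular rules, r ->A/C q forces r = q, so no further closure is needed.)"""
    closed = set()
    for f, ps, q in ta.rules:
        orders = permutations(ps) if f in fc else [ps]
        for order in orders:
            closed.add((f, tuple(order), q))
    return TreeAutomaton(closed, ta.final)


def terms_up_to(arities, depth):
    """All ground terms over the signature up to the given depth (test universe)."""
    terms = {c for c, n in arities.items() if n == 0}
    for _ in range(depth):
        grown = set(terms)
        for f, n in arities.items():
            if n > 0:
                for args in product(terms, repeat=n):
                    grown.add((f,) + args)
        terms = grown
    return terms


def lemma1_agrees(ta, fc, arities, depth=2):
    """Check L(A/C) = L(B) on every term up to `depth`, where B = c_closure(A)."""
    regular = c_closure(ta, fc)
    return all(accepts_modulo_c(ta, t, fc) == regular.accepts(t)
               for t in terms_up_to(arities, depth))


# Constructed example: F = {a, b, f} with f binary and commutative (F_C = {f}).
# A accepts f(a, b) and any f-tree built from such pairs, but not f(b, a).
ARITIES = {"a": 0, "b": 0, "f": 2}
FC = {"f"}
EXAMPLE = TreeAutomaton(
    rules=[("a", (), "qa"), ("b", (), "qb"),
           ("f", ("qa", "qb"), "qf"), ("f", ("qf", "qf"), "qf")],
    final=["qf"],
)

if __name__ == "__main__":
    t = ("f", "b", "a")
    print("A accepts f(b, a):  ", EXAMPLE.accepts(t))                # False
    print("A/C accepts f(b, a):", accepts_modulo_c(EXAMPLE, t, FC))  # True
    B = c_closure(EXAMPLE, FC)
    print("B = c_closure(A) accepts f(b, a):", B.accepts(t))         # True
    print("L(A/C) = L(B) on all terms up to depth 2:",
          lemma1_agrees(EXAMPLE, FC, ARITIES))                        # True
```

Enumerating C-variants is exponential in the number of commutative nodes, which is exactly why the closed automaton B is preferable in practice: it has at most n! times as many rules per symbol of arity n, computed once, after which membership is a single bottom-up run.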


Similar resources

ACTAS : A System Design for Associative and Commutative Tree Automata Theory

ACTAS is an integrated system for manipulating associative and commutative tree automata (AC-tree automata for short), that has various functions such as for Boolean operations of AC-tree automata, computing rewrite descendants, and solving emptiness and membership problems. In order to deal with high-complexity problems in reasonable time, overand under-approximation algorithms are also equipp...


Tree Automata with Equality Constraints Modulo Equational Theories

This paper presents new classes of tree automata combining automata with equality test and automata modulo equational theories. We believe that this class has a good potential for application in e.g. software verification. These tree automata are obtained by extending the standard Horn clause representations with equational conditions and rewrite systems. We show in particular that a generalize...


F. Jacquemard, M. Rusinowitch and L. Vigneron, Tree automata with equality constraints modulo equational theories, Research Report LSV-05-16, August 2005

This paper presents new classes of tree automata combining automata with equality test with automata modulo equational theories. These tree automata are obtained by extending their standard Horn clause representations with equational conditions and monadic rewrite systems. We show in particular that the general membership problem is decidable by proving that the saturation of tree automata pres...


Decision Procedures for Equationally Based Reasoning

This work develops new automated reasoning techniques for verifying the correctness of equationally specified programs. These techniques are not just theoretical, but have been implemented, and applied to actual program verification projects. Although the work spans several different areas, a major theme of this work is to develop better techniques at the boundary between decidable and undecida...


ACTAS: Associative and Commutative Tree Automata Simulator

ACTAS is a tool set manipulating associative and commutative tree automata (AC-tree automata for short). The system is equipped with various functions for Boolean operations and rewrite descendant computation. This functionality allows to verify safety property in infinite state models, which is helpful in the domain of network security, in particular, for security problems of cryptographic pro...





Publication date: 2003