A proof theoretic analysis of intruder theories
We consider the problem of intruder deduction in security protocol analysis: that is, deciding whether a given message $M$ can be deduced from a set of messages $\Gamma$ under the theory of blind signatures and arbitrary convergent equational theories modulo associativity and commutativity (AC) of certain binary operators. The traditional formulations of intruder deduction are usually given in natural-deduction-like systems and proving decidability requires significant effort in showing that the rules are “local” in some sense. By using the well-known translation between natural deduction and sequent calculus, we recast the intruder deduction problem as proof search in sequent calculus, in which locality is immediate. Using standard proof theoretic methods, such as permutability of rules and cut elimination, we show that the intruder deduction problem can be reduced, in polynomial time, to the elementary deduction problems, which amounts to solving certain equations in the underlying individual equational theories. We further show that this result extends to combinations of disjoint AC-convergent theories whereby the decidability of intruder deduction under the combined theory reduces to the decidability of elementary deduction in each constituent theory. Although various researchers have reported similar results for individual cases, our work shows that these results can be obtained using a systematic and uniform methodology based on the sequent calculus.
💡 Research Summary
The paper tackles the intruder deduction problem, a central decision problem in the formal analysis of security protocols. Given a set of messages Γ and a target message M, the question is whether an adversary modeled by the Dolev‑Yao intruder can construct M from Γ when the underlying algebra includes blind signatures and arbitrary convergent equational theories whose binary operators obey associativity and commutativity (AC). Traditional treatments formulate intruder deduction in a natural‑deduction style. Proving decidability in that setting is technically demanding because one must show that the inference rules are “local” – that is, each rule’s applicability depends only on a bounded fragment of the current context. Establishing locality often requires intricate syntactic lemmas and ad‑hoc arguments for each concrete theory.
The authors propose a uniform proof‑theoretic approach based on the sequent calculus. By translating the natural‑deduction system into a sequent system, the inference rules become inherently local: the left‑hand side of a sequent lists exactly the messages available to the intruder, while the right‑hand side contains the goal to be derived. This structural separation makes the locality of rules immediate, eliminating the need for separate locality proofs.
The technical core consists of two standard proof‑theoretic properties. First, the authors prove permutability of the sequent rules, showing that any interleaving of rule applications can be rearranged without affecting provability. This permits the construction of a normal form for proofs in which rules are applied in a disciplined order. Second, they establish a full cut‑elimination theorem for the calculus. The cut rule, which allows the introduction of intermediate lemmas, is shown to be admissible; any proof using cuts can be transformed into a cut‑free proof whose size is polynomially related to the original. Together, permutability and cut‑elimination guarantee that proof search can be performed in a deterministic, bounded‑space manner.
With a cut‑free, normalised sequent system in hand, the authors reduce the general intruder deduction problem to a collection of “elementary deduction” sub‑problems. An elementary deduction problem asks whether a particular equation holds in one of the underlying equational theories, typically after normalising terms modulo AC. Because each individual theory is assumed to be convergent, such equations can be decided by standard term‑rewriting techniques in polynomial time. The reduction works as follows: each sequent rule application corresponds to a bounded number of elementary deductions, and the overall proof tree has depth and branching factor bounded by a polynomial in the size of Γ and M. Consequently, the intruder deduction problem can be solved in polynomial time relative to the cost of solving the elementary deductions.
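To make the shape of the sequent-style proof search concrete, here is an added example (not from the paper) for the free Dolev-Yao algebra of pairing and symmetric encryption, with no equational theory. The left-hand side of the sequent is the intruder's knowledge set, which is saturated by the decomposition ("left") rules; the goal on the right is then checked by the composition ("right") rules. Saturation only ever adds subterms of Γ, which is the locality property that bounds the search polynomially. The term encoding (`("pair", a, b)`, `("enc", m, k)`) and the function names are assumptions of this example; in the paper's setting the syntactic membership test in `synthesize` is where an elementary deduction modulo the equational theory would be plugged in.

```python
from typing import FrozenSet, Iterable, Tuple, Union

# Constructed term representation: atoms are strings, compound terms are tagged tuples.
Term = Union[str, Tuple]


def pair(a: Term, b: Term) -> Term:
    return ("pair", a, b)


def enc(m: Term, k: Term) -> Term:
    return ("enc", m, k)


def synthesize(known: Iterable[Term], goal: Term) -> bool:
    """Right rules: can the goal be composed from the (saturated) knowledge set?

    With no equational theory the elementary deduction step is plain membership.
    """
    known = set(known)
    if goal in known:
        return True
    if isinstance(goal, tuple):
        if goal[0] == "pair":
            return synthesize(known, goal[1]) and synthesize(known, goal[2])
        if goal[0] == "enc":
            # Encrypting requires both the plaintext and the key to be derivable.
            return synthesize(known, goal[1]) and synthesize(known, goal[2])
    return False


def analyze(gamma: Iterable[Term]) -> FrozenSet[Term]:
    """Left rules: saturate the knowledge set with everything decomposable.

    Pairs are split unconditionally; a ciphertext is opened only if its key is
    already derivable. Every term added is a subterm of gamma, so the fixpoint
    is reached after at most |subterms(gamma)| additions.
    """
    known = set(gamma)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                for component in t[1:]:
                    if component not in known:
                        known.add(component)
                        changed = True
            elif t[0] == "enc":
                plaintext, key = t[1], t[2]
                if plaintext not in known and synthesize(known, key):
                    known.add(plaintext)
                    changed = True
    return frozenset(known)


def deducible(gamma: Iterable[Term], goal: Term) -> bool:
    """Intruder deduction: Gamma |- goal, as left-saturation followed by right search."""
    return synthesize(analyze(gamma), goal)


if __name__ == "__main__":
    # Constructed sample: a session key k2 is sent under long-term key k1,
    # and the secret s is then sent under k2. Only an intruder holding k1 learns s.
    gamma = [enc("k2", "k1"), enc("s", "k2")]
    print("without k1:", deducible(gamma, "s"))          # False
    print("with k1:", deducible(gamma + ["k1"], "s"))    # True
```

Running the module shows the two verdicts; the `analyze` result can also be inspected directly to see exactly which subterms of Γ the saturation exposed, which is useful when explaining why a protocol leaks a value.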
The paper further extends the result to combinations of disjoint AC‑convergent theories. When the signature of each component theory is disjoint (i.e., they use different function symbols) and each satisfies AC for its designated binary operators, the combined theory inherits convergence. The authors show that the reduction to elementary deductions still holds component‑wise: the intruder’s ability to manipulate messages in the combined theory is equivalent to independently solving elementary deductions in each component. Hence, decidability (and the polynomial‑time reduction) for the combined theory follows directly from the decidability of each constituent theory.
In summary, the contribution is threefold: (1) a clean translation of intruder deduction into a sequent calculus that makes rule locality trivial; (2) a systematic proof‑theoretic analysis (permutability, cut‑elimination) that yields a polynomial‑time reduction to elementary deduction; and (3) an elegant extension to arbitrary disjoint combinations of AC‑convergent theories. While similar decidability results have been reported for specific theories (e.g., exclusive‑or, blind signatures alone), this work demonstrates that a single, uniform methodology suffices for a broad class of equational theories. The approach not only simplifies existing proofs but also provides a solid foundation for implementing efficient, theory‑modular automated tools for security protocol verification.