Unification modulo a partial theory of exponentiation

Notice: This research summary and analysis were generated automatically using AI technology. For accuracy, refer to the original arXiv paper.

Modular exponentiation is a common mathematical operation in modern cryptography. This, along with modular multiplication at the base and exponent levels (to different moduli) plays an important role in a large number of key agreement protocols. In our earlier work, we gave many decidability as well as undecidability results for multiple equational theories, involving various properties of modular exponentiation. Here, we consider a partial subtheory focussing only on exponentiation and multiplication operators. Two main results are proved. The first result is positive, namely, that the unification problem for the above theory (in which no additional property is assumed of the multiplication operators) is decidable. The second result is negative: if we assume that the two multiplication operators belong to two different abelian groups, then the unification problem becomes undecidable.


💡 Research Summary

The paper investigates the unification problem for a restricted equational theory that captures the essential algebraic structure of modular exponentiation together with two independent multiplication operators. The authors denote this partial theory by T and work with three function symbols: the exponentiation operator exp(x, y) and two binary multiplication symbols ·₁ and ·₂. T itself only constrains how exp interacts with these symbols; no further axioms are imposed on ·₁ and ·₂, which are treated as free binary operators. This reflects the situation in cryptographic protocols where the base-level multiplication is performed modulo the group modulus while the exponent-level multiplication is performed modulo the group order, so the two products live in distinct modular rings.
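The two-ring structure just described, as an added illustration that is not code from the paper: base-level products reduce modulo p, exponent-level products modulo the group order p - 1, and a purely free (syntactic) reading of the exponent-level product misses equalities that hold in the concrete group. The prime P, generator G, the nested-tuple term encoding and the sample variable assignment are all constructed toy values chosen here.

```python
"""Constructed, self-contained illustration of the two multiplications around
modular exponentiation. Base-level products live in Z_p, exponent-level
products live in Z_(p-1), the exponent ring of the group generated by g.
Toy parameters only; this is not code from the paper."""

P = 23          # toy prime modulus (constructed; far too small for real use)
G = 5           # 5 generates the multiplicative group of Z_23
ORDER = P - 1   # order of that group, i.e. the modulus for exponent arithmetic


def mexp(base: int, e: int) -> int:
    """exp(x, y): modular exponentiation in Z_p."""
    return pow(base, e, P)


def mul_base(x: int, y: int) -> int:
    """Base-level multiplication, reduced mod p."""
    return (x * y) % P


def mul_exp(x: int, y: int) -> int:
    """Exponent-level multiplication, reduced mod p - 1: a different ring."""
    return (x * y) % ORDER


def eval_term(t, env):
    """Evaluate a term written as nested tuples (op, left, right) with op in
    {'exp', 'm1', 'm2'}; m1 is the base-level product, m2 the exponent-level
    product. Leaves are variable names looked up in env (constructed encoding)."""
    if isinstance(t, str):
        return env[t]
    op, left, right = t
    lv, rv = eval_term(left, env), eval_term(right, env)
    ops = {"exp": mexp, "m1": mul_base, "m2": mul_exp}
    return ops[op](lv, rv)


def check_identities(env):
    """Algebraic facts that the two-ring reading relies on, checked concretely."""
    a, b, g, x, y = (env[k] for k in ("a", "b", "g", "x", "y"))
    return {
        # nested exponentiation equals one exponentiation by the
        # exponent-level product, provided that product is reduced mod p - 1
        "nested": mexp(mexp(g, a), b) == mexp(g, mul_exp(a, b)),
        # exponentiation distributes over the base-level product
        "distrib": mexp(mul_base(x, y), a) == mul_base(mexp(x, a), mexp(y, a)),
        # Diffie-Hellman agreement needs the exponent-level product to commute
        "dh": mexp(mexp(g, a), b) == mexp(mexp(g, b), a),
    }


def free_vs_concrete(env):
    """Two terms that a free reading of m2 keeps apart (m2(a,b) is not
    m2(b,a) syntactically) yet which denote the same group element.
    Returns (syntactically_equal, concretely_equal)."""
    t1 = ("exp", "g", ("m2", "a", "b"))
    t2 = ("exp", "g", ("m2", "b", "a"))
    return t1 == t2, eval_term(t1, env) == eval_term(t2, env)


def wrong_modulus_differs(env):
    """Classic implementation bug: reducing the exponent product mod p instead
    of mod p - 1. True when that yields a different group element."""
    a, b, g = env["a"], env["b"], env["g"]
    return mexp(g, (a * b) % P) != mexp(mexp(g, a), b)


SAMPLE_ENV = {"g": G, "a": 7, "b": 9, "x": 11, "y": 17}  # constructed values

if __name__ == "__main__":
    print(check_identities(SAMPLE_ENV))
    print(free_vs_concrete(SAMPLE_ENV))
    print(wrong_modulus_differs(SAMPLE_ENV))
```

The gap exposed by free_vs_concrete is exactly the tension the paper studies: with ·₂ free, unification stays decidable but does not see that a·₂b and b·₂a agree in the group; adding the Abelian-group axioms that would capture this is what the negative result shows to be fatal for decidability.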

The first major contribution is a positive decidability result. The authors design a dedicated unification algorithm for T. The algorithm first normalises every term into a tree built from exp, ·₁, and ·₂, sharing identical sub‑terms so that representations stay compact. A key technical device is a variable‑separation strategy: when an equation of the form exp(u, v) = w appears, the sub‑term v is examined; if v is built with ·₁ (or ·₂), the algorithm introduces fresh variables that are confined to that multiplication operator. This isolates the two multiplication “worlds” and prevents cross‑interference. The search then alternates between forward generation of candidate substitutions and backward verification that each candidate satisfies the original equations. The authors argue that the search tree has depth linear in the size of the input and that each node can be processed in polynomial time, which yields a deterministic polynomial‑time decision procedure for unification in T.

The second, negative, result shows that this decidability frontier is fragile. The authors augment T with the assumption that ·₁ and ·₂ each satisfy the axioms of an Abelian group (associativity, commutativity, identity, and inverses). Under this enrichment the separation technique breaks down: the group axioms, propagated through the exponentiation equations, introduce non‑trivial equalities between terms that mention both multiplication symbols. To establish undecidability, the paper gives a many‑one reduction from the Post Correspondence Problem (PCP), a classic undecidable problem. The reduction encodes the two groups as separate alphabets, maps group multiplication to string concatenation, and uses the exponentiation operator to simulate the alignment of strings. Since PCP is undecidable, any algorithm deciding unification in the enriched theory would also decide PCP, which is impossible. Consequently, the unification problem for the theory in which the two multiplications belong to distinct Abelian groups is undecidable.

Beyond the formal proofs, the authors discuss the practical implications for cryptographic protocol analysis. Many key‑exchange and signature schemes combine modular exponentiation with multiplications performed modulo different moduli (e.g., Diffie‑Hellman and its variants, RSA with CRT). The positive result means that, as long as the multiplications are treated as uninterpreted and independent, unification‑based protocol analysers (such as Maude‑NPA or Tamarin) can in principle be equipped with a complete unification procedure for this fragment. The negative result warns that adding algebraic properties (in particular, two distinct group structures) for the multiplications can make automated reasoning impossible in general. The paper therefore suggests either keeping the multiplication operators uninterpreted or checking that the intended algebraic properties fall inside a fragment known to be decidable.

Finally, the paper outlines future research directions, including extending the analysis to richer fragments that incorporate modular addition, inverses, or non‑Abelian group axioms, and exploring the boundary between decidable and undecidable unification problems in cryptographic equational theories. In summary, the work delineates a clear decidability border for unification modulo a partial theory of exponentiation, providing both a constructive algorithm for the decidable case and a rigorous proof of undecidability when additional group axioms are imposed.

