A Proof Theoretic Analysis of Intruder Theories
We consider the problem of intruder deduction in security protocol analysis: that is, deciding whether a given message M can be deduced from a set of messages Gamma under the theory of blind signatures and arbitrary convergent equational theories modulo associativity and commutativity (AC) of certain binary operators. The traditional formulations of intruder deduction are usually given in natural-deduction-like systems and proving decidability requires significant effort in showing that the rules are “local” in some sense. By using the well-known translation between natural deduction and sequent calculus, we recast the intruder deduction problem as proof search in sequent calculus, in which locality is immediate. Using standard proof theoretic methods, such as permutability of rules and cut elimination, we show that the intruder deduction problem can be reduced, in polynomial time, to the elementary deduction problem, which amounts to solving certain equations in the underlying individual equational theories. We show that this result extends to combinations of disjoint AC-convergent theories whereby the decidability of intruder deduction under the combined theory reduces to the decidability of elementary deduction in each constituent theory. To further demonstrate the utility of the sequent-based approach, we show that, for Dolev-Yao intruders, our sequent-based techniques can be used to solve the more difficult problem of solving deducibility constraints, where the sequents to be deduced may contain gaps (or variables) representing possible messages the intruder may produce.
💡 Research Summary
The paper addresses the intruder deduction problem that lies at the heart of security protocol analysis: given a set of messages Γ and a target message M, decide whether an adversary (the intruder) can derive M from Γ under a theory that includes blind signatures and arbitrary convergent equational theories modulo associativity and commutativity (AC) for certain binary operators. Traditional formulations present intruder deduction in a natural‑deduction style. Proving decidability in that setting requires a non‑trivial demonstration that the inference rules are “local”, i.e., that every rule application is confined to a bounded part of the proof (typically the subterms of Γ and M).
The authors propose to translate the natural‑deduction system into a sequent calculus. In a sequent framework the left‑hand side (the antecedent) and the right‑hand side (the succedent) are clearly separated, and each inference rule manipulates only a bounded fragment of the sequent. Consequently, locality becomes immediate, and the proof‑theoretic machinery can be applied directly.
Two central proof‑theoretic properties are established for the sequent system: (1) permutability of inference rules, which guarantees that any ordering of rule applications can be rearranged without affecting provability, and (2) cut elimination, which shows that any proof containing cuts can be transformed into a cut‑free proof. The cut‑free proofs have a very regular shape: they consist solely of applications of the elementary deduction rules that correspond to solving equations in the underlying equational theories. Hence the original intruder deduction problem reduces, in polynomial time, to the elementary deduction problem—essentially the problem of checking whether a certain system of equations has a solution in each constituent theory.
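The following added example (not code from the paper) makes the cut-free proof search concrete for the plain Dolev-Yao theory of pairing and symmetric encryption mentioned in the abstract: left rules (analysis) are applied to Γ until a fixpoint, right rules (synthesis) then build M, and the locality property is checked explicitly. Term constructors, the constructed knowledge set and the helper names are assumptions of this example.

```python
# Added example (not from the paper): decide Dolev-Yao intruder deduction
# Gamma |- M for pairing and symmetric encryption by cut-free proof search.
# Left rules (analysis) run on Gamma to saturation; right rules (synthesis)
# then compose M. Locality: every fact used is a subterm of Gamma or of M.

def pair(a, b):
    return ("pair", a, b)

def enc(m, k):
    return ("enc", m, k)   # symmetric encryption of m under key k

def subterms(t):
    """All subterms of a term (atoms are plain strings)."""
    if isinstance(t, tuple):
        return {t} | subterms(t[1]) | subterms(t[2])
    return {t}

def synth(known, m):
    """Right rules only: compose m from already-known facts (no analysis)."""
    if m in known:
        return True
    if isinstance(m, tuple):            # pair-R / enc-R need both arguments
        return synth(known, m[1]) and synth(known, m[2])
    return False

def saturate(gamma):
    """Left rules to a fixpoint: split pairs, decrypt when the key is derivable."""
    known = set(gamma)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                new = {t[1], t[2]}
            elif synth(known, t[2]):     # enc-L: the key must be derivable
                new = {t[1]}
            else:
                continue
            if not new <= known:
                known |= new
                changed = True
    return known

def deducible(gamma, m):
    """Gamma |- M in the Dolev-Yao theory (pairing + symmetric encryption)."""
    known = saturate(gamma)
    # locality: analysis never leaves the subterms of Gamma, so search terminates
    assert known <= set().union(*(subterms(g) for g in gamma))
    return synth(known, m)

if __name__ == "__main__":
    # constructed knowledge: {m}_k, {k}_k2, and the key k2 in the clear
    gamma = {enc("m", "k"), enc("k", "k2"), "k2"}
    print(deducible(gamma, "m"))             # True: k2 unlocks k, k unlocks m
    print(deducible({enc("m", "k")}, "m"))   # False: no key for {m}_k
```

Because the analysis phase only ever adds subterms of Γ, the search space is polynomial in the size of Γ and M, which is the locality argument the sequent formulation makes immediate.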
The paper further shows that this reduction is robust under the combination of disjoint AC‑convergent theories. When the signatures of the component theories are pairwise disjoint, the combined sequent calculus is just the union of the individual calculi, and the decidability of intruder deduction for the combined theory follows directly from the decidability of elementary deduction for each component. This result dramatically simplifies the analysis of protocols that employ multiple cryptographic primitives (e.g., XOR, encryption, signatures) simultaneously.
Beyond plain deduction, the authors extend the sequent‑based approach to the more challenging problem of deducibility constraints, which arise in the Dolev‑Yao intruder model when the sequents to be proved contain variables (gaps) representing messages that the intruder may yet produce. By enriching the sequent calculus with rules for variable instantiation and by re‑using the permutability and cut‑elimination results, they show that constraint solving can also be reduced to elementary deduction. Consequently, the complexity of solving constraints does not exceed that of ordinary deduction.
Overall, the paper demonstrates that a sequent‑calculus formulation provides a clean, modular, and proof‑theoretically sound foundation for intruder deduction. It yields a polynomial‑time reduction to elementary equation solving, extends seamlessly to combinations of AC‑convergent theories, and supports the handling of deducibility constraints. These contributions not only clarify the theoretical landscape of protocol analysis but also pave the way for more efficient automated verification tools that can handle rich cryptographic theories with minimal overhead.