Knowledge Problems in Protocol Analysis: Extending the Notion of Subterm Convergent

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

We introduce a new form of restricted term rewrite system, the graph-embedded term rewrite system. These systems, and thus the name, are inspired by the graph minor relation and are more flexible extensions of the well-known homeomorphic-embedded property of term rewrite systems. As a motivating application area, we consider the symbolic analysis of security protocols, and more precisely the two knowledge problems defined by the deduction problem and the static equivalence problem. In this field restricted term rewrite systems, such as subterm convergent ones, have proven useful since the knowledge problems are decidable for such systems. Many of the same decision procedures still work for examples of systems which are “beyond subterm convergent”. However, the applicability of the corresponding decision procedures to these examples must often be proven on an individual basis. This is due to the problem that they don’t fit into an existing syntactic definition for which the procedures are known to work. Here we show that many of these systems belong to a particular subclass of graph-embedded convergent systems, called contracting convergent systems. On the one hand, we show that the knowledge problems are decidable for the subclass of contracting convergent systems. On the other hand, we show that the knowledge problems are undecidable for the class of graph-embedded systems. Going further, we compare and contrast these graph embedded systems with several notions and properties already known in the protocol analysis literature. Finally, we provide several combination results, both for the combination of multiple contracting convergent systems, and then for the combination of contracting convergent systems with particular permutative equational theories.


💡 Research Summary

The paper addresses two fundamental knowledge problems in symbolic cryptographic protocol analysis: the deduction problem (whether an attacker can derive a given term from a frame) and the static equivalence problem (whether two frames are indistinguishable to the attacker). Historically, decidability of these problems has been guaranteed for term rewrite systems (TRSs) that are subterm‑convergent, i.e., every rewrite rule’s right‑hand side is a strict subterm of its left‑hand side (or a constant). While many practical protocols fit this restriction, several important examples—most notably blind signatures—do not, because some rules produce right‑hand sides that are not subterms of the left‑hand side. Consequently, each such “beyond‑subterm” theory has required an ad‑hoc proof of applicability for existing decision procedures.

To overcome this limitation, the authors introduce graph‑embedded term rewrite systems (GEM‑TRS). The notion is inspired by graph‑minor theory: a rewrite rule l → r is allowed if the term graph of r can be embedded into the term graph of l via a graph‑minor embedding. This generalises the classic homeomorphic embedding (⊵emb) used in termination analysis, allowing more expressive rewrite rules while preserving a structural relationship between left‑ and right‑hand sides.

The authors first show that, in full generality, knowledge problems become undecidable for arbitrary GEM‑TRSs. This negative result is established by encoding a known undecidable problem (e.g., the halting problem for Turing machines) into the deduction process of a suitably constructed GEM‑TRS, thereby demonstrating that unrestricted graph‑embedding is too powerful for algorithmic analysis.

Recognising the need for a useful subclass, the paper defines contracting convergent systems (CCS), a syntactic restriction on GEM‑TRSs. A CCS satisfies two key conditions:

  1. Size contraction: for every rule l → r, the size of r is strictly smaller than the size of l (|r| < |l|).
  2. Graph‑embedding with a positive contraction factor: r must be a graph‑embedded subgraph of l, and the embedding must reduce a well‑defined measure (e.g., depth or number of function symbols) by at least one.

These constraints guarantee termination (no infinite rewrite sequences) and confluence, thus yielding a convergent system. Moreover, they ensure local stability, a property required by many existing protocol analysis procedures (e.g., the AC‑YAPA algorithm, the BCD13 framework). Local stability means that normal forms of terms derived from a frame remain within a finite, effectively computable set.

The main technical contributions concerning CCS are:

  • Decidability of Deduction: By exploiting the strict size reduction, the authors construct a finite search space for derivations. They present an algorithm that computes the normal form of any term under the CCS and checks whether a target term appears in the closure of the attacker’s knowledge. The algorithm runs in exponential time in the size of the rewrite system but is guaranteed to terminate.

  • Decidability of Static Equivalence: Using the same contraction property, the paper shows that the set of observable messages generated from a frame can be represented by a finite basis. Equality of two frames reduces to checking equivalence of these bases modulo the CCS, which is decidable via a variant of the classic bisimulation technique.

  • Relation to Finite Variant Property (FVP): The authors prove that a restricted form of CCS—where each rule’s left‑hand side is linear and the embedding respects variable occurrences—always satisfies the FVP. Consequently, for such systems, every term has a finite set of most general variants, enabling efficient unification and simplifying many protocol analysis tools.

  • Cap Problem: The cap problem asks whether an attacker can construct a term that, when applied to a given frame, yields a specific target. The paper extends existing decidability results to CCS under mild signature constraints (e.g., constructors must be free of algebraic equations). The proof adapts the cap‑construction technique by bounding the depth of candidate caps using the contraction factor.

  • YAPA Procedure Compatibility: YAPA is a recent automated tool for deciding static equivalence. The authors identify a layered property for CCS: the rewrite rules can be partitioned into layers such that rules in a higher layer only rewrite terms produced by lower layers. They prove that any layered CCS is compatible with YAPA, guaranteeing that YAPA’s completeness and termination proofs carry over unchanged.

  • Combination Results: The paper investigates the modular combination of multiple CCSs and the combination of a CCS with a permutative equational theory (e.g., AC, C). By establishing sufficient conditions—namely, that each component is contracting and that the equational theory is permutative—the authors prove that the combined system remains convergent and that both knowledge problems stay decidable. This result is significant for modeling protocols that involve both algebraic operators (like exclusive‑or) and custom cryptographic primitives.
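As an added example (not code from the paper or its authors), the following Python models the syntactic checks discussed above, the subterm condition from the first paragraph and the size-contraction condition |r| < |l| from the definition of contracting systems, on a constructed symmetric-encryption/pairing theory and on the blind-signature rule unblind(sign(blind(x,y),z),y) → sign(x,z), which fails the subterm test but passes size contraction. It then decides the deduction problem for small frames by saturating the frame under rule applications whose results stay inside the finite candidate set of subterms of the frame and of the query, which is the finite-search-space idea behind the decidability bullet. The saturation is a simplified illustration, not the paper's procedure; the rule sets, frames, names (`m`, `k`, `r`) and the assumption that every function symbol is public while constants are private names are all constructed for this example.

```python
"""Terms: a variable is a str ('x'); an application or constant is a tuple ('f', a1, ...) / ('m',)."""

def is_var(t):
    return isinstance(t, str)

def size(t):
    # |t| = number of symbol and variable occurrences
    return 1 if is_var(t) else 1 + sum(size(a) for a in t[1:])

def subterms(t):
    yield t
    if not is_var(t):
        for a in t[1:]:
            yield from subterms(a)

def match(pat, term, sigma):
    """Syntactic matching of a pattern against a ground term, extending sigma or returning None."""
    if is_var(pat):
        if pat in sigma:
            return sigma if sigma[pat] == term else None
        return {**sigma, pat: term}
    if is_var(term) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, a in zip(pat[1:], term[1:]):
        sigma = match(p, a, sigma)
        if sigma is None:
            return None
    return sigma

def subst(t, sigma):
    return sigma[t] if is_var(t) else (t[0], *(subst(a, sigma) for a in t[1:]))

def normalize(t, rules):
    """Innermost rewriting to normal form; terminates because every rule is size-decreasing."""
    if is_var(t):
        return t
    t = (t[0], *(normalize(a, rules) for a in t[1:]))
    for l, r in rules:
        sigma = match(l, t, {})
        if sigma is not None:
            return normalize(subst(r, sigma), rules)
    return t

def satisfies_subterm_condition(rules):
    """Every rhs is a strict subterm of its lhs or a constant (convergence itself is not checked)."""
    return all(r in set(subterms(l)) - {l} or (not is_var(r) and len(r) == 1) for l, r in rules)

def is_size_contracting(rules):
    """Condition 1 of the summary's contracting systems: |r| < |l| for every rule."""
    return all(size(r) < size(l) for l, r in rules)

def can_build(t, known):
    """Ground t is known, or is a (public) symbol applied to buildable arguments; names are private."""
    return t in known or (len(t) > 1 and all(can_build(a, known) for a in t[1:]))

def buildable(pat, known, sigma):
    """Yield substitutions under which an instance of pat can be assembled by the attacker:
    each sub-pattern is either supplied whole by a known term or built by applying its symbol."""
    if is_var(pat):
        if pat in sigma:
            if can_build(sigma[pat], known):
                yield sigma
        else:
            for s in known:
                yield {**sigma, pat: s}
        return
    for s in known:
        m = match(pat, s, sigma)
        if m is not None:
            yield m
    if len(pat) > 1:  # a constant the attacker does not know cannot be invented
        yield from build_args(pat[1:], known, sigma)

def build_args(pats, known, sigma):
    if not pats:
        yield sigma
        return
    for s in buildable(pats[0], known, sigma):
        yield from build_args(pats[1:], known, s)

def saturate(frame, target, rules):
    """Close the frame under rule applications whose (normalized) result lies in the finite
    candidate set of subterms of the frame and the query (illustration, not the paper's procedure)."""
    frame = [normalize(t, rules) for t in frame]
    target = normalize(target, rules)
    cands = {s for t in frame + [target] for s in subterms(t)}
    sat, changed = set(frame), True
    while changed:
        changed = False
        known = frozenset(sat)
        for c in cands - known:
            if can_build(c, known):
                sat.add(c)
                changed = True
        for l, r in rules:
            for sigma in buildable(l, known, {}):
                t = normalize(subst(r, sigma), rules)
                if t in cands and t not in sat:
                    sat.add(t)
                    changed = True
    return sat, target

def deducible(frame, target, rules):
    sat, t = saturate(frame, target, rules)
    return can_build(t, sat)

# Constructed theories: symmetric encryption + pairing (subterm convergent) and the
# blind-signature rule, whose right-hand side sign(x, z) is not a subterm of the left.
SUBTERM_RULES = [
    (("dec", ("enc", "x", "y"), "y"), "x"),
    (("fst", ("pair", "x", "y")), "x"),
    (("snd", ("pair", "x", "y")), "y"),
]
BLIND_RULES = [(("unblind", ("sign", ("blind", "x", "y"), "z"), "y"), ("sign", "x", "z"))]
m, k, r = ("m",), ("k",), ("r",)  # constructed private names

if __name__ == "__main__":
    print(satisfies_subterm_condition(SUBTERM_RULES), satisfies_subterm_condition(SUBTERM_RULES + BLIND_RULES))
    print(is_size_contracting(SUBTERM_RULES + BLIND_RULES))
    print(deducible([("enc", m, k), k], m, SUBTERM_RULES))
    print(deducible([("enc", m, k), ("enc", k, m)], m, SUBTERM_RULES))
    print(deducible([("sign", ("blind", m, r), k), r], ("sign", m, k), SUBTERM_RULES + BLIND_RULES))
```

The second frame, where each key is only available encrypted under the other, shows why saturation must start from the frame's own terms rather than all of its subterms: m and k appear as subterms but neither is deducible. The blind-signature frame shows the "beyond subterm" case from the summary: the derived sign(m, k) is not a subterm of the frame, which is exactly why the classic subterm-based candidate bound no longer applies and a contraction-based bound is needed.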

The paper also includes a thorough literature comparison, situating GEM‑TRSs and CCS alongside previously studied classes such as subterm‑convergent TRSs, homeomorphic‑embedded TRSs, and locally stable theories. It highlights that while subterm‑convergent systems are a strict subset of CCS, many “beyond‑subterm” examples from the protocol analysis literature (e.g., blind signatures, certain key‑exchange primitives) fall naturally into the CCS category without requiring bespoke proofs.

In the concluding sections, the authors discuss open problems, such as extending the contraction condition to allow limited non‑contracting rules while preserving decidability, and exploring automated synthesis of CCS from a given equational theory. They also suggest that the graph‑embedding perspective may be fruitful for other domains, such as program analysis and term‑graph rewriting.

Overall Impact: By introducing graph‑embedded rewrite systems and identifying the contracting convergent subclass, the paper provides a unifying syntactic framework that captures a broad spectrum of cryptographic theories previously considered “outside” the decidable realm. It bridges the gap between expressive power and algorithmic tractability, enabling existing automated tools to be applied to a wider array of protocols with minimal adaptation. This work is likely to become a reference point for future research on decidability boundaries in symbolic protocol verification.

