Higher-Order and Symbolic Computation

, Volume 20, Issue 1, pp 123–160

Symbolic reachability analysis using narrowing and its application to verification of cryptographic protocols


DOI: 10.1007/s10990-007-9000-6

Cite this article as:
Meseguer, J. & Thati, P. Higher-Order Symb Comput (2007) 20: 123. doi:10.1007/s10990-007-9000-6


Narrowing was introduced, and has traditionally been used, to solve equations in initial and free algebras modulo a set of equations E. This paper proposes a generalization of narrowing which can be used to solve reachability goals in initial and free models of a rewrite theory ℛ. We show that narrowing is sound and weakly complete (i.e., complete for normalized solutions) under appropriate executability assumptions about ℛ. We also show that in general narrowing is not strongly complete, that is, not complete when some solutions can be further rewritten by ℛ. We then identify several large classes of rewrite theories, covering many practical applications, for which narrowing is strongly complete. Finally, we illustrate an application of narrowing to analysis of cryptographic protocols.


Rewrite theories Narrowing Reachability Security protocols 

Copyright information

© Springer Science+Business Media, LLC 2007

Authors and Affiliations

  1. 1.University of Illinois at Urbana-ChampaignUrbana-ChampaignUSA

Personalised recommendations