Distance Bounding Protocols: Authentication Logic Analysis and Collusion Attacks CatherineMeadows1,RadhaPoovendran2,DuskoPavlovic3,LiWuChang1,and PaulSyverson1 1 NavalResearchLaboratory,Code5543,Washington,DC20375{ meadows, lchang, syverson } @itd.nrl.navy.mil 2 UniversityofWashington,DepartmentofElectricalEngineering,SeattleWashington, [email protected] 3 KestrelInstitute,3260HillviewAvenue,PaloAlto,[email protected] Summary. In this paper we consider the problem of securely measuring distance between twonodesinawirelesssensornetwork.Theproblemofmeasuringdistancehasfundamental applications in both localization and time synchronization, and thus would be a prime can- didateforsubversionbyhostileattackers.Wegiveabriefoverviewandhistoryofprotocols for secure distance bounding. We also give the first full-scale formal analysis of a distance boundingprotocol,andwealsoshowhowthisanalysishelpsustoreducemessageandcrypto- graphiccomplexitywithoutreducingsecurity.Finally,weaddresstheimportantopenproblem ofcollusion.Weanalyzeexistingtechniquesforcollusionprevention,andshowhowtheyare inadequateforaddressingthecollusionproblemsinsensornetworks.Weconcludewithsome suggestionsforfurtherresearch. 1 Introduction Distance estimation, that is the estimate of the distance between two nodes, plays of a fundamental part in the setting up and maintenance of sensor networks. For example, a node trying to localize itself, can, if it learns its distance from three or morenodeswithknownlocations,usemultilaterationtodeterminewhereitsits.This computationisamajorpartofmanylocalizationalgorithms.Distanceestimationcan alsobeusefulinsynchronization:ifnodeAknowsitsdistancefromnodeB,itcan request a timestamp from node B and compute the clock skew by factoring in the roundtriptimeoftherequestandtheresponse. Oneofthemostaccuratemeansofdistanceestimationistousethetimeofflight ofasignal.Forexample,onecansendasignaltoaseatednode,haveitrespond,and thenusethetimeoftheroundtriptomeasurethedistance.Forexample,Multispec- tralSolutions[1]hasrecentlydevelopedanultrawidebandrangingradiobasedon suchtechnologythatmeasuresroundtriptimesofpacketstoproviderangeresolution ofbetterthanonefoot. Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2006 2. REPORT TYPE 00-00-2006 to 00-00-2006 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Distance Bounding Protocols: Authentication Logic Analysis and 5b. GRANT NUMBER Collusion Attacks 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION University of Washington,Department of Electrical REPORT NUMBER Engineering,Seattle,WA,98195 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE 20 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 280 C.Meadows,R.Poovendran,D.Pavlovic,L.Chang,andP.Syverson Althoughsuchatechniquecanprovideaccuratemeasurements,itisnoteasyto figureouthowtomakeuseofitwhenanode(fromnowonreferredtoastheverifier) isattemptingtofinditsdistanceformanothernode(fromnowonreferredtoasthe prover)in thefaceofhostile attackers.If theproverisdishonest, itcanpretend to be closer to or further away from the verifier than it actually is by either jumping the gun and sending a response before the request, or pretend to be further away than it is by delaying its response. Even if the prover is honest, a hostile attacker couldattachitsownidentitytotheprover’sresponse,andpassoffhonestverifier’s location as its own. Finally, dishonest provers can conspire to mislead the verifier, oneproverlendingtheotherproveritsidentitysothatthesecondprovercanmake thefirstproverlookcloserthanitis. Probably the simplest secure distance measurement protocol is Sastry et al.’s Echoprotocol[14],inwhichtheverifiersendsanoncetotheprover,andtheprover returns it to the verifier. The use of a random nonce means that the prover can’t responduntilithasheardfromtheverifier,thuspreventingtheproverfromjumping thegun.However,withoutanykindofauthentication,itispossibleforanattackerto usurpanhonestprover’sresponseandattachitsownidentity. Theobviousdefenseistohavetheproverauthenticateitsresponse,andindeed, avariantofEchoprotocoloffersthiscapability.However,thetimeinvolvedincom- putingtheauthenticationfunctioncanbesolargewithrespecttothetraveltimeasto makeitdifficulttocomputethedistanceexceptforrelativelyslow(andlessaccurate) soundfrequencies. An approach that gets around this problem is to have the prover send a rapid, unauthenticated,responseandthensendtheauthenticatedresponselater.However, if this is not done carefully, it is again possible for an attacker to usurp an honest prover;hesimplypreventstheauthenticatedresponsefromreachingtheverifier,and substituteshisownauthenticatedresponse. Fortunately, a solution to this problem already exists. This is the notion of a secure distance bounding protocol. This idea was first introduced by Brands and Chaum[2]todefendagainstDesmedt’sMafiaattack[5]onzeroknowledgeproto- cols.Theideaisthattheproverfirstcommitstoanonceusingaone-wayfunction, theverifiersendsachallengeconsistingofanothernonce,theproverrespondswith theexclusive-orofitsandtheverifier’snonces,andthenfollowsupwiththeauthen- tication information. The verifier uses the time elapsed between sending its nonce and receiving the prover’s rapid response to compute its distance from the prover, and then verifies the authenticated response when it receives it. In the Brands and Chaum protocol, the challenge and the response are done as a bit-by-bit exchange, and the time of flight is taken as the average of the time of flight of each pair of bits.Otherprotocolsthattakeasimilarapproach,suchastheCˇapkun-Hubauxpro- tocol[16],relyonasingleexchangeofpackets.Itisalsopossibletoconsiderother variants, in which a single nonce is broken into k-bit chunks, and multiple packets areused. Another,butrelated,approachistakenbyHanckeandKuhnin[6].Inthisproto- coltheverifiersendstheproveranonce,andtheprovercomputestheacollision-free one-wayhashfunctionoverthenonceandakeysharedbetweentheproverandthe DistanceBoundingProtocols 281 verifier. The principals then perform a rapid bit-by-bit exchange in which the veri- fiersendsrandomchallengesandtheproverrespondswitharesponsebasedonthe challengeandthehash..Inthiscasetheauthenticationtakesplacepreviouslytothe rapidexchange. Assumingthatthereisnocollusionbetweenprovers,theCˇapkun-Hubauxproto- col,liketheBrands-Chaumprotocol,preventshijackingbecauseofthecommitment step, and also prevents the prover from lying about being any closer to the verifier thanitis,althoughitcanlieaboutbeingfartherawaysimplybydelayingitsresponse. Likewise, the authentication used in the Hancke-Kuhn protocol prevents hijacking, andtheverifier’srandomchallengepreventsaprematurereply. The problem of a delayed response can be dealt with in certain instances using multiple provers or verifiers. For example, in Cˇapkun and Hubaux’s SPINE proto- col [16] three verifiers forming a triangle around a prover use a distance bounding protocoltolocalizeit.Aproverwhowantstolieaboutitslocationmustpretendto beclosertooneoftheverifiersthanitis;thedistanceboundingprotocolmakesthis impossible. Running all through this is the issue of guaranteeing correctness of distance boundingprotocols.Thepresenceoftimeasafactorputsanextrasecurityrequire- mentontheprotocol:notonlymustmessageshavecomefromtheindicatedprinci- pal, but in the indicated amount of time. On the other hand, time may work for us as well. Certain types of message modification attacks will not be useful if a node istryingappearcloserthanitis,sinceinterceptingandmodifyingthemessagewill delayitsarrival. Inspiteofthis,verylittleworkexistsintheformalandmathematicalanalysisof distanceboundingprotocols.Sastryetal.includeasecurityprooffortheEchopro- tocol,but,sincenoauthenticationisinvolved,theproofislimitedtoshowingthata provercannotrespondbeforereceivingtheverifier’snonce.BrandsandChaumpro- videaproofthat theirprotocol iszero-knowledgebutdonot provideanyextended analysis of the timing properties. Thus there appear to be no analyzes of distance boundingprotocolsavailablethattakeintoaccountthesubtleinterplaybetweenau- thenticationandtiming. In this paper we address all of these above issues. We first give an outline of requirementsthatdistanceboundingprotocolsshouldsatisfy.Wethendescribeanew distanceboundingprotocol,similarinstructuretoBrands-Chaum,andageneralized versionoftheprotocolwepresentedin[12].Wethenextendtheauthenticationlogic weusedin[12]tosothatitcanbeusedtoreasondirectlyaboutdistancebounding protocols,andusethelogictogiveaformalanalysisoftheprotocol’ssecurity.This formal analysis allows us to simplify greatly the type of commitment used, and to omitonecryptographicoperation. We then address the issue of collusion. The problem of collusion in distance bounding,inwhichtwodishonestverifierspoolinformationtomakeoneoftheveri- fierslookcloserthanitis,wasfirstnoticedbyDesmedt[5]whodubbeditthe“terror- istattack.”TheBrands-Chaumprotocolisvulnerabletoacollusionattack,inwhich oneproversendstherapidresponseandthenpassestheinformationinitscommit- mentovertoanother,whosendstheauthenticatedresponse.BrandsandChaumwere 282 C.Meadows,R.Poovendran,D.Pavlovic,L.Chang,andP.Syverson awareofthisattackandleftitasaanopenproblem.Sincethen,othershavetackled it[3],buttheirsolutionsrequirecolluderstosharelongtermsecrets.Thisapproach, while possibly appropriate for the types of applications envisaged by Brands and Chaum,doesnotprovidemuchhelpforsensornetworks,inwhichcolludingnodes arelikelytobeundercontrolofthesameattacker,andsowouldnotbelikelytohave any objection to sharing any secret information. We study this problem in detail, showinghowattacksarepossibleevenonprotocolssuchasROPE[8]orSPINEthat usemultipleverifierstodetectcheatingnodes,andmakesomerecommendations. 2 RequirementsforDistanceBoundingProtocols In[14]Sastryetal.giveasetofrequirementsfordistanceboundingprotocols.They are: 1. Makefewresourcedemandsontheproverandverifier.Thismeanskeeping thenumberofcryptographicoperationsandmessageslow. 2. Noprevioussetuprequired.Inparticular,thereshouldbenoneedforprincipals tosharekeysbeforehand. 3. Guaranteesshouldbequantifiable. Althoughtheuseofauthenticationmeansthatwemustusesomeformofcryp- tographyintheauthenticatedresponse,wecanstillkeepcostsdownbyminimizing itsuseintherapidresponse.Notethathashfunctionsandnoncegenerationwillboth countascryptographicoperations. The second requirement seems completely at odds with any form of authenti- cateddistanceboundingprotocol,butitcanbepartiallysatisfiedbyhavingtherapid exchangetakeplacewithouttheuseofanycryptographickeys.Averifiercouldthen request to have a key distributed to it and the prover, which the prover could then use to authenticate its authenticated response. This would be helpful, example, if a verifier was only interested in finding its nearest neighbor. This feature is present intheBrands-ChaumandCˇapkun-Hubauxprotocol,aswellastheprotocolthatwe present in this paper. However, it is not true of some other protocols, such as the Hanck-Kuhnprotocol,whichrequirestheprover’sresponsetoincludeahashofits noncewithakeysharedwiththeverifier. As for quantitative guarantees, at present the Echo protocol is the only one of whichweknowthatsatisfiessuchquantitativeguarantees,andevenqualitativeguar- antees in the form of formal analyzes seem rare. However, we provide qualitative guaranteesinthispaperthatwebelievecouldultimatelybeextendedtoquantitative guaranteesinthemannerof[14]. Wenowconsiderthemainsecurityrequirementsthathavebeenidentifiedinthe literature. 1. Aprovershouldbeabletocorrectlydetermineitsdistancefromanhonestveri- fier,evenwhenhostileattackersarepresent. DistanceBoundingProtocols 283 2. Aprovershouldbeabletodetermineanupperboundforitsdistancefromeven adishonestverifier,aslongastheverifierdoesnotcolludewithotherverifiers. 3. A prover should be able to determine an upper bound for its distance from a dishonestverifierevenifitdoescollude. Inthispaper,weprovethesomewhatweakergoalthat,iftheproverishonestin the sense that it follows the rules of the protocol but may either delay its response (eitherduetodishonestyorprocessingtime),orattempttorespondearly,theverifier cancomputeanupperboundonthedistance.Finallyfor(3)wearguethattheknown techniquesfordetectingorpreventingfraudindistanceboundingprotocolsareeither insecureagainstcollusionorarenotapplicableinsensornetworks. 3 DistanceBoundingProtocolanditsAnalysis 3.1 Assumptions Weassumethatnodeshavetheabilitytogeneraterandomorpseudorandomnonces and compute collision-free one-way hash functions. We also assume that provers have a means of authenticating themselves to verifiers, e.g. by shared keys or dig- ital signatures. In this paper we use shared keys and message authentication codes (MACs),butthesameanalysiswillworkfordigitalsignatures. Wealsoassumethatprincipalshavetheabilitytocomputethetimethatanevent occurs with respect to their local clocks. The unit of time may or may not be of a finergranularitythenthesendingorreceiptofamessage.Ifthetimegranularityis finer, we let the time of a message denote the beginning of a send or receive. We will be particularly interested in timed sends and receives of individual packets. In this case we will assume that it is possible to predict the time of any subevent of a sendorreceive(suchastheend)fromthetimeofthebeginning,andviceversa.We willalsoassumethatallsubeventsofthesendofagivenpacketareengagedinby auniqueprincipal.Thatis,AcannotsendpartofapacketandB sendanother,and havethembothacceptedaspartofthesamepacket.Ourreasonfordoingsoisthe belief that this would need a degree of synchronization that would require, at very least,cooperationbetweenAandB,andinouranalysiswearenottryingtoruleout collusionattacks. 3.2 TheProtocolinDetail WefixanintervalI thatistheexpectedturnaroundtimebetweenreceivingachal- 0 lenge and sending a response. Our protocol proceeds in five steps, four of which involvethesendingofmessages. 1. TheproverP generatesanonceN .This,andanyothercomputationsthatdo P notinvolveinformationfromtheverifier,canbedoneinadvanceofP’spartici- patingintheprotocol. 284 C.Meadows,R.Poovendran,D.Pavlovic,L.Chang,andP.Syverson 2. TheverifierV requestsadistancemeasurement.ThisismainlytowarnP thata challengeisontheway,andtoletP knowV’sidentity. V sendsV,request 3. TheverifierV sendsanonceasachallenge: V sendsN V 4. The prover P sends a response, of the application of a function F to N , P, P andN .Werefertothismessageastherapidresponse.Theonlyconditionthat V we put on F is that the verifier be able to verify that F(N ,P,N ) was con- V P structedusingN ,P,andN .ExamplesofsuchfunctionsincludeN ,P,N , V P V P where,denotesconcatenation,N ,(P ⊕N ),assumingthatnamesareadis- V P tinct recognizable type, and N ⊕h(P,N ), where h is a collision-free hash V P function. P sendsF(N ,P,N ) V P The verifier, on receiving this message, calculates the time elapsed between sendingthechallengeandreceivingtherapidresponse. 5. Theproversendsamessageauthenticatedwithakeysharedbetweenitandthe verifier.Werefertothismessageastheauthenticatedresponse. P sendsP,Pos ,N ,N ,MAC (P,Pos ,N ,N ) P P V KPV P P V wherePos isP’sposition.V,onreceivingthemessage,verifiestheMAC.It P also computes F from the values it receives in the authenticated response, and compares it with the value it received in the rapid response. If the two are the same,andtheMACchecksout,itacceptsP’sresponseasvalid.V thensubtracts I fromthetimeelapsedbetweensendingthechallengeandreceivingtherapid 0 responseandusestheresulttocalculateitsdistancefromtheprover,thatis,the distanceiscalculatedtobev·(t −t −I )/2. 2 1 0 AnoverviewoftheprotocolisgiveninFigure1. 4 SecurityAnalysis 4.1 Overview In this section we give a formal analysis of the distance bounding protocol using the combined authentication and secrecy logics of [4] and [13]. Although we are interestedinauthentication,notsecrecy,wewillusesomeoftheconceptsintroduced inthesecrecylogic,andsowewillrefertothataswell.Wewillusethelogictoshow whataverifiercanconcludefrominteractingwithanhonestprover.Wethenshow howtheproofbreaksdowniftheproverisdishonest,inparticularifitisincollusion withanothernode. DistanceBoundingProtocols 285 V P (cid:81)NV (cid:81)NP V,request N V F(N ,P,N ) V P P,Pos ,N ,N ,MAC (P,Pos ,N ,N ) P P V KPV P P V Fig.1.DistanceBoundingProtocol 4.2 TheAuthenticationLogic BasicIdeasandNotation Webeginbysettingthestageforthelogic,andintroducingalittlenotation.Thein- terestedreadercanfindamorecompletediscussionin[4,13].Weconsideraprotocol asapartiallyorderedsetofactions,asinLamport[7],inwhicha<bmeansthatac- tionaoccursbeforeactionb.Welet(t) denotetbeingreceivedbyA,(cid:104)t(cid:105) denote A A amessagebeingreceivedbyA.Weletx ≺ y denotethestatement“ifanactionof theformyoccurs,thenanactionoftheformxmusthaveoccurredpreviously,”and weletνndenotethegenerationofafresh,unpredictablenonce,n. Forthepurposeofthederivationsinthispaper,wewilluseatermalgebraTcon- sisting of constants, variables, and the following operations:available to principals: concatenation,denotedby’,’,deconcatenation,computationof messageauthenti- cation codes, denoted by MAC (Z), collision-free hash functions, denoted by KXY h(Z),andexclusive-or,denotedby⊕.Tisprovidedwiththefollowingequational theory: 1. MAC (Z)=MAC (Z) KXY KYX 2. x⊕x=0 3. 0⊕x=x 4. x⊕y =y⊕x 5. (x⊕y)⊕z =x⊕(y⊕z) foradistinguishedterm0. Wesaythatg ≡tifgandtcanbemadeequalbyapplyingtheequationaltheory ofT.Werefertorules(2)and(3)asthecancellationrules.Wesaythatatermg is irreducible if no cancellation rules can be applied to g. We say that s (cid:118) t if s is a subtermoft. WesupplyTwithasimpletypetheory.Thereisageneraltype“term”andone subtype,“name”. A variable not of type name will often be referred to as untyped. 286 C.Meadows,R.Poovendran,D.Pavlovic,L.Chang,andP.Syverson Free untyped variables are used to refer to terms about which the recipient knows nothing. We say that a map from variables from to terms is a substitution if it is the identity on all but a finite number of variables and preserves types. If σ is a substitutionandtisaterm,welettσdenotetheimageoftunderσ. The logic also includes a number of predicates describing states of principals. A:standsfor“Aknows”,andHP meansthatP isanhonestprincipalwhofollows therulesoftheprotocol. Informally, a role is the set of actions that a principal performs to engage in a particularprotocol.Inthedistanceboundingprotocol,wehavetworoles:theverifier andtheprover.Arunisthetraceofa(possibly)partialexecutionofaprotocol,i.e., thesetofactionsexecutedbytheprincipalsandtheirpartialordering.Astateisacut ofthedirectedgraphinducedbytherun;eachactionintherunshouldoccureither beforeorafterthestate. StableSubterms In this section we will formalize the notion that a subterm s of a term t must have beenusedincomputingt.Inourearlierwork,wherenocancellationwasinvolved, thiscouldbeguaranteedbyrequiringthatswasasubtermoft,sincethetermstruc- tureoftgaveauniquehistoryofthewayinwhichtwasbuilt.However,whenwe allow cancellation rules, things become more complicated. For example, suppose thataprincipalreceivesatermx⊕swherexisafreeuntypedvariable.Ifxwere further instantiated to y ⊕s, then s would vanish after the cancellation rules were applied. Inordertoavoidthiswemakethefollowingdefinition. Definition1.Letsbeasubtermoft.Wesaythatsisastablesubtermoft,denoted by ss(s,t), if for all possible substitutions σ to the free variables in t and after all possible applications of the equations governing the term algebra T, we have sσ (cid:118)tσ.Wesaythatatermtissimplystable,denotedbyss(t),ifeverysubtermof tisstable. The motivation behind the use of stable subterms is that it makes it possible to ascertain that, whatever values the free variables in t turn out to have, the stable subtermmusthavebeenusedinthecomputationoft. Weusethisinsighttomakethefollowingdefinition: Definition2.Weusethenotation((s)) (respectively,(cid:104)(cid:104)s(cid:105)(cid:105) )todenoteA’sreceipt A A (respectivelysending)ofamessagemcontainingsasastablesubterm. We note that our definition subsumes the definition used in [4,11,13], which required s merely to be a subterm of t. For the term algebras used in those papers, subtermimpliesstablesubterm. WhenwewanttomakeitclearthatAisreceiving(respectivelysendingatermt withstablesubterms,wewillusethenotation((s(cid:118)t)) (respectively(cid:104)(cid:104)s(cid:118)t(cid:105)(cid:105) ). A A DistanceBoundingProtocols 287 WecannowformallydescribetheconditionsonthetermF usedinourdistance boundingprotocol.Wepresentthisasanaxiomthatmustbeverifiedforparticular choicesofF. ss((F(x ,x ,x )) (st) 1 2 3 We now consider the sorts of functions F that can be proved to satisfy st. For example (N ⊕N ),P) where N is a free untyped variable and P is a variable P V P of type name, and N is a nonce generated by V does not satisfy st. Since N is V P free and untyped, any substitution may be made to it. Thus, if N σ = X ⊕N , P V then((N ⊕N ),P) = (X ⊕N ⊕N ),P) = (X,P)whichcanbecomputed P V V V withoutN .However,(N ⊕P),N )doessatisfyst.ThetermN arandomvalue, V V P V sowecannotmakearbitrarysubstitutionstoit.ThesamegoesforP.Wecanmade arbitrarysubstitutionstoN ,butnoneofthemwillresultincancelingoutN ,P, P V orN , P Lemma1.LetTbethetermalgebradescribedinsection4.2,andletmbeanirre- ducibletermfromT.Everysubtermofmisstableifforeveryirreduciblesubstitution σtothevariablesofm,mσisalsoirreducible. Proof. (Sketch)Letmbeatermsatisfyingthehypothesisofthelemma.Wewantto showthatafteranypossiblesubstitutionσtothevariablesinm,tσisstillasubterm of mσ after all possible reductions have been made. For the case of an irreducible σthisfollowsdirectlyfromthehypothesis,sincenoreductionsarepossible.Forthe caseofareducibleσ itfollowsfromthefactthattherewritetheoryassociatedwith ourtermsystemisChurch-Rosser,modulotheassociativecommutativityaxiomsfor exclusve-or,which,inourcasemeans,thatwhenseveralapplicationsofthecancel- lationrulearepossible,itdoesnotmatterinwhatordertheyaretaken.Thus,wecan applythecancellationrulestothecancellationsinducedonthevariablesbyσ first. Oncethatisdone,thenσbecomesanirreduciblesubstitution,andwearebacktothe firstcase. Wealsogiveasacorollarythefollowingprocedureforstablesubterms: Corollary1.SupposethattcontainsnosubtermoftheformX ⊕Y,whereoneof X orY isafreeuntypedvariable.Thentissimplystable. Proof. The proof follows from Proposition 1 and the fact that the only irreducible terms that do not necessarily remain irreducible after irreducible substitutions are thosethatcontainZ⊕Y,whereeitherZ orY isanuntypedfreevariable. The corollaries below follow directly from the fact that none of the terms in questioncontainsubtermsoftheformX ⊕Y,whereoneofX orY isanuntyped freevariable.