Verification of Security Protocols in presence of Equational Theories with Homomorphism

Similar documents
An Undecidability Result for AGh

An undecidability result for AGh

Intruder Deduction for AC-like Equational Theories with Homomorphisms

Models and analysis of security protocols 1st Semester Security Protocols Lecture 6

Intruder Deduction for AC-like Equational Theories with Homomorphisms

Deducibility constraints, equational theory and electronic money

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

A process algebraic analysis of privacy-type properties in cryptographic protocols

Analysing privacy-type properties in cryptographic protocols

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

A Theory of Dictionary Attacks and its Complexity

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

Reduction of the Intruder Deduction Problem into Equational Elementary Deduction for Electronic Purse Protocols with Blind Signatures

Notes on BAN Logic CSG 399. March 7, 2006

Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation

Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis

Algebraic Intruder Deductions

A Logic of Authentication

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures

Deciding the Security of Protocols with Commuting Public Key Encryption

Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation

Reduction of the Intruder Deduction Problem into Equational Elementary Deduction for Electronic Purse Protocols with Blind Signatures

Combining Intruder Theories

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Lecture 1: Introduction to Public key cryptography

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

CPSC 467: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

Proving Properties of Security Protocols by Induction

Cryptographical Security in the Quantum Random Oracle Model

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

On the Automatic Analysis of Recursive Security Protocols with XOR

Exam Security January 19, :30 11:30

Introduction to Cryptography. Lecture 8

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Cryptography and Security Final Exam

Public Key Cryptography

Introduction to Cryptography Lecture 13

Theory of Computation Chapter 12: Cryptography

Mathematical Foundations of Public-Key Cryptography

Lecture Notes, Week 6

Practice Assignment 2 Discussion 24/02/ /02/2018

Modeling and Verifying Ad Hoc Routing Protocols

A simple procedure for finding guessing attacks (Extended Abstract)

Complexity of automatic verification of cryptographic protocols

Lecture 28: Public-key Cryptography. Public-key Cryptography

Typed MSR: Syntax and Examples

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Control Flow Analysis of Security Protocols (I)

Deriving GDOI. Dusko Pavlovic and Cathy Meadows

CPSC 467b: Cryptography and Computer Security

Discrete Logarithm Problem

CPSC 467: Cryptography and Computer Security

Public-Key Cryptosystems CHAPTER 4

Extending Dolev-Yao with assertions

CPSC 467b: Cryptography and Computer Security

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

BAN Logic A Logic of Authentication

Other Public-Key Cryptosystems

Verification of the TLS Handshake protocol

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Lecture 15 - Zero Knowledge Proofs

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Satisfiability of General Intruder Constraints with and without a Set Constructor

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Elliptic Curve Cryptography

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

1 Secure two-party computation

A decidable subclass of unbounded security protocols

Introduction to Modern Cryptography. Benny Chor

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

OWO Lecture: Modular Arithmetic with Algorithmic Applications

APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Hierarchical Combination of Intruder Theories

8 Elliptic Curve Cryptography

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Notes for Lecture 17

Asymmetric Encryption

MATH 158 FINAL EXAM 20 DECEMBER 2016

Equational Tree Automata: Towards Automated Verification of Network Protocols

NSL Verification and Attacks Agents Playing Both Roles

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Great Theoretical Ideas in Computer Science

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Benny Pinkas Bar Ilan University

Automata-based analysis of recursive cryptographic protocols

Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions

Complexity of Checking Freshness of Cryptographic Protocols

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

Transcription:

Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 1 / 39

Cryptographic Protocols (1) Net Protocol: rules of message exchanges Goal: secure communications Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 2 / 39

Cryptographic Protocols (1) Protocol: rules of message exchanges Goal: secure communications Presence of an attacker may read every messages sent on the network may intercept and send new messages Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 2 / 39

Cryptographic Protocols (2) Credit Card Electronic Vote Electronic Purse Electronic Signature Secure Access Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 3 / 39

Goals Secrecy: May an intruder learn some secret message between two honest participants? Authentication: Is the agent Alice really talking to Bob? Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 4 / 39

Goals Secrecy: May an intruder learn some secret message between two honest participants? Authentication: Is the agent Alice really talking to Bob? Fairness: Alice and Bob want to sign a contract. Alice initiates the protocol. May Bob obtain some advantage? Privacy: Alice participate to an election. May a participant learn something about the vote of Alice? Receipt-Freeness: Alice participate to an election. Does Alice gain any information (a receipt) which can be used to prove to a coercer that she voted in a certain way?... Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 4 / 39

Encryption Symmetric Encryption encryption decryption Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 5 / 39

Encryption Symmetric Encryption encryption decryption Asymmetric Encryption encryption decryption public key private key Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 5 / 39

Dolev-Yao Intruder Model u, v terms T a finite set of terms (intruder s knowledge) Axiom (A) u T T u Pairing (P) T u T v T u, v Unpairing (UL) T u, v T u Unpairing (UR) T u, v T v Encryption (E) T u T v T {u} v Decryption (D) T {u} v T v 1 T u Perfect Cryptography Assumption No way to obtain knowledge about u from {u} v without knowing v 1 Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 6 / 39

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 7 / 39

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 7 / 39

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 7 / 39

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 7 / 39

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b) Questions Is N b secret between A and B? When B receives {N b } pub(b), does this message really comes from A? Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 7 / 39

Needham-Schroeder s Protocol (1978) A B : {A, N a } pub(b) B A : {N a, N b } pub(a) A B : {N b } pub(b) Questions Is N b secret between A and B? When B receives {N b } pub(b), does this message really comes from A? Attack An attack was found 17 years after its publication! [Lowe 96] Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 7 / 39

Man in the Middle Attack Agent A Intrus I Agent B Attack involving 2 sessions in parallel, an honest agent has to initiate a session with I. A B B A A B : {A, N a } pub(b) : {N a, N b } pub(a) : {N b } pub(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 8 / 39

Man in the Middle Attack {A, N a } pub(i) {A, N a } pub(b) Agent A Intrus I Agent B A B B A A B : {A, N a } pub(b) : {N a, N b } pub(a) : {N b } pub(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 8 / 39

Man in the Middle Attack {A, N a } pub(i) {N a, N b } pub(a) {A, N a } pub(b) {N a, N b } pub(a) Agent A Intrus I Agent B A B B A A B : {A, N a } pub(b) : {N a, N b } pub(a) : {N b } pub(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 8 / 39

Man in the Middle Attack {A, N a } pub(i) {N a, N b } pub(a) {A, N a } pub(b) {N a, N b } pub(a) {N b } pub(i) {N b } pub(b) Agent A Intrus I Agent B A B B A A B : {A, N a } pub(b) : {N a, N b } pub(a) : {N b } pub(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 8 / 39

Man in the Middle Attack {A, N a } pub(i) {N a, N b } pub(a) {A, N a } pub(b) {N a, N b } pub(a) {N b } pub(i) {N b } pub(b) Agent A Intrus I Agent B Attack the intruder knows N b, When B finishes his session (apparently with A), A has never talked with B. A B B A A B : {A, N a } pub(b) : {N a, N b } pub(a) : {N b } pub(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 8 / 39

Tatebayashi, Matsuzaki, Newman (TMN) Protocol Desciption A, B, S : principal Ka, Kb : fresh symkey pub, priv : principal key (keypair) A S : B, {Ka}pub(S) S B : A B S : A, {Kb}pub(S) S A : B, Kb Ka Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 9 / 39

Tatebayashi, Matsuzaki, Newman (TMN) Protocol Desciption A, B, S : principal Ka, Kb : fresh symkey pub, priv : principal key (keypair) A S : B, {Ka}pub(S) S B : A B S : A, {Kb}pub(S) S A : B, Kb Ka RSA Encryption: encryption m c = m e decryption mod n c d mod n = m public key: (n, e) private key: (n, d) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 9 / 39

Tatebayashi, Matsuzaki, Newman (TMN) Protocol Desciption A, B, S : principal Ka, Kb : fresh symkey pub, priv : principal key (keypair) A S : B, {Ka}pub(S) S B : A B S : A, {Kb}pub(S) S A : B, Kb Ka RSA Encryption: encryption m c = m e decryption mod n c d mod n = m public key: (n, e) private key: (n, d) Homomorphism property : {x y}pub(s) = {x}pub(s) {y}pub(s) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 9 / 39

Some Interesting Equational Theories homomorphism axiom (h): h(x + y) = h(x) + h(y) 1 Associativity, Commutativity (AC): 2 Exclusive or (ACUN): 3 Abelian groups (AG): (x + y) + z = x + (y + z), x + y = y + x x + 0 = x (U), x + x = 0 (N) x + 0 = x (U), x + I(x) = 0 (Inv) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 10 / 39

Outline of the talk 1 Introduction 2 Passive Intruder (may read every messages sent on the network) Intruder Deduction Problem Some Existing Results How to deal with Homomorphisms? 3 Active Intruder (may intercept and send new messages) Trace Reachability Problem Some Existing Results Equational Theories ACUNh and AGh 4 Conclusion and Future Works Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 11 / 39

Outline of the talk 1 Introduction 2 Passive Intruder (may read every messages sent on the network) Intruder Deduction Problem Some Existing Results How to deal with Homomorphisms? 3 Active Intruder (may intercept and send new messages) Trace Reachability Problem Some Existing Results Equational Theories ACUNh and AGh 4 Conclusion and Future Works Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 12 / 39

Intruder Deduction Problem Intruder Deduction Capabilities (A) u T T E u (C) T E u 1... T E u n with f F T E f (u 1,..., u n ) (UL) T E u, v T E u (D) T E {u} v T E u T E v (UR) T E u, v T E v (Eq) T E u u = E v T E v Intruder deduction problem (ID) INPUT: a finite set of terms T, a term s (the secret). OUTPUT: Does there exist an E-proof of T E s? Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 13 / 39

Intruder Deduction Problem Example: T = {a + b, {h(a)} k, k} s = h(b) E = ACUNh Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 14 / 39

Intruder Deduction Problem Example: T = {a + b, {h(a)} k, k} s = h(b) E = ACUNh P = a + b T {h(a)} k T k T (A) (A) (A) T E a + b T E {h(a)} k T E k (C) (D) T E h(a + b) T E h(a) (C) T E h(a + b) + h(a) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 14 / 39

Intruder Deduction Problem Example: T = {a + b, {h(a)} k, k} s = h(b) E = ACUNh P = a + b T {h(a)} k T k T (A) (A) (A) T E a + b T E {h(a)} k T E k (C) (D) T E h(a + b) T E h(a) (C) T E h(a + b) + h(a) P h(a + b) + h(a) = E h(b) (Eq) T E h(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 14 / 39

Some Existing Results Complexity of the Intruder Deduction Problem without any equational theory (Dolev-Yao model): PTIME-complete with an equational theory Results of Chevalier et al. 2003 AC ACUN AG NP PTIME Results of Lafourcade, Lugiez and Treinen 2005 ACh ACUNh AGh NP-complete EXPTIME PTIME in the binary case Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 15 / 39

Sketch of Proof Let T be a set of terms and u a term (in normal forms) 1 An effective inference system ( ) such that: T u is derivable T E u is derivable 2 A locality result (notion due to Mc Allester, 1993), i.e.: A minimal proof P of T u only contains terms in St E (T {u}). 3 A one-step deducibility result: to ensure that we can test that a deduction step is valid Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 16 / 39

Exclusive Or Example 1 Inference System: T u 1... T u n (ME ) T u 1 +... + u n Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 17 / 39

Exclusive Or Example T u 1... T u n 1 Inference System: (ME ) T u 1 +... + u n 2 Notion of Subterms: (no partial sum) Example: t = {a 1 + a 2 + a 3 } b St E (t) = {t, a 1 + a 2 + a 3, b, a 1, a 2, a 3 } Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 17 / 39

Exclusive Or Example T u 1... T u n 1 Inference System: (ME ) T u 1 +... + u n 2 Notion of Subterms: (no partial sum) Example: t = {a 1 + a 2 + a 3 } b St E (t) = {t, a 1 + a 2 + a 3, b, a 1, a 2, a 3 } 3 One-Step Deducibility of (M E ): solvability of a system of linear equations over Z/2Z: A Y = b. Example: T = {a 1 + a 2, a 2 + a 3 + a 4 } and s = a 1 + a 3 + a 4 1 0 1 1 1 0 A = 0 1 0 1 b = 1 1 Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 17 / 39

How to Deal with Homomorphism? h(x + y) h(x) + h(y) Approach of Lafourcade et al. 2005 T u T h(u) T u 1... T u n T u 1 +... + u n Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 18 / 39

How to Deal with Homomorphism? h(x + y) h(x) + h(y) Approach of Lafourcade et al. 2005 T u T h(u) T u 1... T u n T u 1 +... + u n advantage: one-step deducibilty, easy to prove drawback: locality, hard to prove for a good notion of subterms Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 18 / 39

How to Deal with Homomorphism? h(x + y) h(x) + h(y) Approach of Lafourcade et al. 2005 T u T h(u) T u 1... T u n T u 1 +... + u n advantage: one-step deducibilty, easy to prove drawback: locality, hard to prove for a good notion of subterms My approach T u 1... T u n with C an E-context T C[u 1,...,u n ] Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 18 / 39

How to Deal with Homomorphism? h(x + y) h(x) + h(y) Approach of Lafourcade et al. 2005 T u T h(u) T u 1... T u n T u 1 +... + u n advantage: one-step deducibilty, easy to prove drawback: locality, hard to prove for a good notion of subterms My approach T u 1... T u n with C an E-context T C[u 1,...,u n ] advantage: locality, easy to prove drawback: one-step deducibility seems difficult to prove Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 18 / 39

My Inference System Intruder Deduction Capabilities (A) u T T u (C ) T u 1... T u n with f F \ sig(e) T f (u 1,...,u n ) (UL) T u, v T u (D) T {u} v T u T v (UR) T u, v T v (M E ) T u 1... T u n with C an E-context T C[u 1,...,u n ] Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 19 / 39

My Inference System Intruder Deduction Capabilities (A) u T T u (C ) T u 1... T u n with f F \ sig(e) T f (u 1,...,u n ) (UL) T u, v T u (D) T {u} v T u T v (UR) T u, v T v (M E ) T u 1... T u n with C an E-context T C[u 1,...,u n ] Theorem Let T be a set of terms and u a term (in normal forms). We have: T u is derivable T E u is derivable Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 19 / 39

Locality Notion of Subterms Generalization of the notion used in the Exclusive Or case Examples: Let t 1 = h 2 (a) + b + c. St E (t 1 ) = {t 1, a, b, c} Let t 2 = h( a, b ) + c. St E (t 2 ) = {t 2, a, b, a, b, c} Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 20 / 39

Locality Notion of Subterms Generalization of the notion used in the Exclusive Or case Examples: Let t 1 = h 2 (a) + b + c. St E (t 1 ) = {t 1, a, b, c} Let t 2 = h( a, b ) + c. St E (t 2 ) = {t 2, a, b, a, b, c} Locality Result Lemma A minimal proof P of T u only contains terms in St E (T {u}). Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 20 / 39

One-Step-Deducibility (1/2) The only critical rule is (M E ). solvability of a system of linear equations over N[h], Z/2Z[h] or Z[h] (depending on E). Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 21 / 39

One-Step-Deducibility (1/2) The only critical rule is (M E ). solvability of a system of linear equations over N[h], Z/2Z[h] or Z[h] (depending on E). Example: (ACUNh) T = {t 1, t 2, t 3 } and s = a 1 + h 2 (a 1 ). t 1 = a 1 + h(a 1 ) + h 2 (a 1 ), t 2 = a 2 + h 2 (a 1 ), t 3 = h(a 2 ) + h 2 (a 1 ). ( ) ( ) 1 + h + h 2 h A = 2 h 2 1 + h 2 b = 0 1 h 0 The equation A Y = b has a solution over Z/2Z[h] : Y = (1 + h, h, 1). C = x 1 + h(x 1 ) + h(x 2 ) + x 3 Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 21 / 39

One-Step-Deducibility (2/2) Complexity of solving linear equations: over N[h]: NP-complete over Z/2Z[h]: PTIME [Kaltofen et al., 1987] over Z[h]: PTIME 1 thanks to [Aschenbrenner, 2004], A Y = b has a solution iff there is one such that each component of Y has a degree polynomially bounded by the degrees and the coefficients which appear in A and b. 2 reduce the problem to the solvability of an enormous (but polynomial) system of linear equations over Z (PTIME). Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 22 / 39

One-Step-Deducibility (2/2) Complexity of solving linear equations: over N[h]: NP-complete over Z/2Z[h]: PTIME [Kaltofen et al., 1987] over Z[h]: PTIME 1 thanks to [Aschenbrenner, 2004], A Y = b has a solution iff there is one such that each component of Y has a degree polynomially bounded by the degrees and the coefficients which appear in A and b. 2 reduce the problem to the solvability of an enormous (but polynomial) system of linear equations over Z (PTIME). Result [Delaune 05] (ID) is PTIME-complete for ACUNh and AGh. Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 22 / 39

Outline of the talk 1 Introduction 2 Passive Intruder (may read every messages sent on the network) Intruder Deduction Problem Some Existing Results How to deal with Homomorphisms? 3 Active Intruder (may intercept and send new messages) Trace Reachability Problem Some Existing Results Equational Theories ACUNh and AGh 4 Conclusion and Future Works Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 23 / 39

Trace Reachability Problem Trace Reachability Problem Given a protocol P, an intruder theory I, an equational theory E, a secret data s and an initial intruder s knowledge T 0, does there exist a running sequence of protocol rules such that: at the end, the intruder s knowledge is T, s is deducible from T Results in the Dolev-Yao Intruder Model unbounded number of sessions: undecidable bounded number of sessions: NP-complete [RT01] Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 24 / 39

Symbolic Constraint Solving Approach Definition A constraint is a sequent of the form T u where T is a finite set of terms and u is a term (T and u are not necessarily ground). A system of constraints is a sequence of constraints. A solution to a system C of constraints is a substitution σ such that: for every T u C there exists a proof of Tσ uσ Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 25 / 39

Symbolic Constraint Solving Approach Definition A constraint is a sequent of the form T u where T is a finite set of terms and u is a term (T and u are not necessarily ground). A system of constraints is a sequence of constraints. A solution to a system C of constraints is a substitution σ such that: for every T u C there exists a proof of Tσ uσ Which constraint systems are particularly interesting for us? Well-defined constraint systems: monotonicity origination property (satisfies by the class of deterministic protocols) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 25 / 39

Needham-Schroeder s Example (1) Protocol Role A (x a, x b ): νn a. {x a, n a } pub(xb ) {n a, x nb } pub(xa ) {x nb } pub(xb ) Role B (y b ): νn b. {y a, y na } pub(yb ) {y na, n b } pub(ya ) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 26 / 39

Needham-Schroeder s Example (1) Protocol Role A (x a, x b ): νn a. {x a, n a } pub(xb ) {n a, x nb } pub(xa ) {x nb } pub(xb ) Role B (y b ): νn b. {y a, y na } pub(yb ) {y na, n b } pub(ya ) We consider Role A (a, I) and Role B (b) (running in parallel). Instanciation {a, n a } pub(i) {n a, x nb } pub(a) {x nb } pub(i) {y a, y na } pub(b) {y na, n b } pub(ya ) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 26 / 39

Needham-Schroeder s Example (1) Protocol Role A (x a, x b ): νn a. {x a, n a } pub(xb ) {n a, x nb } pub(xa ) {x nb } pub(xb ) Role B (y b ): νn b. {y a, y na } pub(yb ) {y na, n b } pub(ya ) We consider Role A (a, I) and Role B (b) (running in parallel). Instanciation {a, n a } pub(i) {n a, x nb } pub(a) {x nb } pub(i) {y a, y na } pub(b) {y na, n b } pub(ya ) Initial intruder s knowledge: T 0 = {a, b, I, pub(a), pub(b), pub(i), priv(i)} Secret: n b Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 26 / 39

Needham-Schroeder s Example (1) Protocol Role A (x a, x b ): νn a. {x a, n a } pub(xb ) {n a, x nb } pub(xa ) {x nb } pub(xb ) Role B (y b ): νn b. {y a, y na } pub(yb ) {y na, n b } pub(ya ) We consider Role A (a, I) and Role B (b) (running in parallel). Instanciation 1 {a, n a } pub(i) 3 {n a, x nb } pub(a) {x nb } pub(i) 2 {y a, y na } pub(b) {y na, n b } pub(ya ) Initial intruder s knowledge: T 0 = {a, b, I, pub(a), pub(b), pub(i), priv(i)} Secret: n b Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 26 / 39

Needham-Schroeder s Example (2) Instanciation 1 {a, n a } pub(i) 2 {y a, y na } pub(b) {y na, n b } pub(ya ) 3 {n a, x nb } pub(a) {x nb } pub(i) Constraints System (well-defined) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 27 / 39

Needham-Schroeder s Example (2) Instanciation 1 {a, n a } pub(i) 2 {y a, y na } pub(b) {y na, n b } pub(ya ) 3 {n a, x nb } pub(a) {x nb } pub(i) Constraints System (well-defined) T 0, {a, n a } pub(i) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 27 / 39

Needham-Schroeder s Example (2) Instanciation 1 {a, n a } pub(i) 2 {y a, y na } pub(b) {y na, n b } pub(ya ) 3 {n a, x nb } pub(a) {x nb } pub(i) Constraints System (well-defined) T 0, {a, n a } pub(i) {y a, y na } pub(b) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 27 / 39

Needham-Schroeder s Example (2) Instanciation 1 {a, n a } pub(i) 2 {y a, y na } pub(b) {y na, n b } pub(ya ) 3 {n a, x nb } pub(a) {x nb } pub(i) Constraints System (well-defined) T 0, {a, n a } pub(i) {y a, y na } pub(b) T 0, {a, n a } pub(i), {y na, n b } pub(ya ) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 27 / 39

Needham-Schroeder s Example (2) Instanciation 1 {a, n a } pub(i) 2 {y a, y na } pub(b) {y na, n b } pub(ya ) 3 {n a, x nb } pub(a) {x nb } pub(i) Constraints System (well-defined) T 0, {a, n a } pub(i) {y a, y na } pub(b) T 0, {a, n a } pub(i), {y na, n b } pub(ya ) {n a, x nb } pub(a) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 27 / 39

Needham-Schroeder s Example (2) Instanciation 1 {a, n a } pub(i) 2 {y a, y na } pub(b) {y na, n b } pub(ya ) 3 {n a, x nb } pub(a) {x nb } pub(i) Constraints System (well-defined) T 0, {a, n a } pub(i) {y a, y na } pub(b) T 0, {a, n a } pub(i), {y na, n b } pub(ya ) {n a, x nb } pub(a) T 0, {a, n a } pub(i), {y na, n b } pub(ya ), {x nb } pub(i) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 27 / 39

Needham-Schroeder s Example (2) Instanciation 1 {a, n a } pub(i) 2 {y a, y na } pub(b) {y na, n b } pub(ya ) 3 {n a, x nb } pub(a) {x nb } pub(i) Constraints System (well-defined) T 0, {a, n a } pub(i) {y a, y na } pub(b) T 0, {a, n a } pub(i), {y na, n b } pub(ya ) {n a, x nb } pub(a) T 0, {a, n a } pub(i), {y na, n b } pub(ya ), {x nb } pub(i) n b Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 27 / 39

Needham-Schroeder s Example (2) Instanciation 1 {a, n a } pub(i) 2 {y a, y na } pub(b) {y na, n b } pub(ya ) 3 {n a, x nb } pub(a) {x nb } pub(i) Constraints System (well-defined) T 0, {a, n a } pub(i) {y a, y na } pub(b) T 0, {a, n a } pub(i), {y na, n b } pub(ya ) {n a, x nb } pub(a) T 0, {a, n a } pub(i), {y na, n b } pub(ya ), {x nb } pub(i) n b Solution σ = {y na n a, x nb n b, y a a} Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 27 / 39

What Happens by Adding an Equational Theory E? Unification Problem modulo E INPUT: Given 2 terms u[x 1,...,x n ] and v[x 1,...,x n ] OUTPUT: Yes iff there exists a substitution σ = {x 1 M 1,...,x n M n } such that uσ = E vσ. Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 28 / 39

What Happens by Adding an Equational Theory E? Unification Problem modulo E INPUT: Given 2 terms u[x 1,...,x n ] and v[x 1,...,x n ] OUTPUT: Yes iff there exists a substitution σ = {x 1 M 1,...,x n M n } such that uσ = E vσ. Protocol 1. x 1,...,x n {u[x 1,..., x n ], v[x 1,...,x n ]} Kab 2. {x, x} Kab secret secret is secret u and v have no E-unifier Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 28 / 39

What Happens by Adding an Equational Theory E? Unification Problem modulo E INPUT: Given 2 terms u[x 1,...,x n ] and v[x 1,...,x n ] OUTPUT: Yes iff there exists a substitution σ = {x 1 M 1,...,x n M n } such that uσ = E vσ. Protocol 1. x 1,...,x n {u[x 1,..., x n ], v[x 1,...,x n ]} Kab 2. {x, x} Kab secret Undecidability Result secret is secret u and v have no E-unifier Unification Problem undecidable in E Trace Reachability Problem undecidable in E (bounded nb of sessions) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 28 / 39

Some Existing Results Trace Reachability Problem (bounded number of sessions) without any equational theory (Dolev-Yao model): NP-complete with an equational theory AC-like theories AC ACUN AG? NP [CKRT03] Decidable [CLS03] Decidable [Shm04] with homomorphism ACh ACUNh AGh Undecidable?? Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 29 / 39

New Results Theorem [Delaune, Lafourcade, Lugiez and Treinen 05] The trace reachability problem is decidable for the theory ACUNh. Details Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 30 / 39

New Results Theorem [Delaune, Lafourcade, Lugiez and Treinen 05] The trace reachability problem is decidable for the theory ACUNh. Details Theorem [Delaune 06] The trace reachability problem is undecidable for the theory AGh. Details Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 30 / 39

Outline of the talk 1 Introduction 2 Passive Intruder (may read every messages sent on the network) Intruder Deduction Problem Some Existing Results How to deal with Homomorphisms? 3 Active Intruder (may intercept and send new messages) Trace Reachability Problem Some Existing Results Equational Theories ACUNh and AGh 4 Conclusion and Future Works Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 31 / 39

Conclusion A new approach to deal with Homomorphism allowing to: improve some existing complexity results obtain new decidability and undecidability results Passive Intruder [Delaune 05] ACh ACUNh AGh NP-complete PTIME-(complete) Active Intruder [Delaune,Lafourcade,Lugiez and Treinen 05] & [Delaune 06] ACh ACUNh AGh Undecidable Decidable Undecidable Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 32 / 39

Future Works Others kind of homomorphisms Lafourcade, Lugiez & Treinen homomorphic encryption commutating homomorphic encryption Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 33 / 39

Future Works Others kind of homomorphisms Lafourcade, Lugiez & Treinen homomorphic encryption commutating homomorphic encryption Towards a generic result Bernat, Comon-Lundh & Delaune Our problem is the satisfaisability of a constraint system C in (I, E) 1 Reduce the equational theory to a simpler one, i.e. or AC. Finite Variant Property C solvable in (I,E) C var(c). C solvable in (var(i), E ) 2 Find sufficient conditions on the inference system to ensure decidability of the problem in (var(i), E ). Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 33 / 39

Procedure in the case of ACUNh (1) First Part: Reduce the problem to the solvability of a (well-defined) system of ME constraints on the reduced signature ({0, h, } and constants). 1 From constraints to 1 (one-step) constraints Generalisation of the locality result to non-groun terms 2 From 1 constraints to ME constraints ACUNh-unification is decidable and finitary 3 Abstract subterms by constants this abstraction preserves the well-definedness of the system Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 34 / 39

Procedure in the case of ACUNh (1) First Part: Reduce the problem to the solvability of a (well-defined) system of ME constraints on the reduced signature ({0, h, } and constants). 1 From constraints to 1 (one-step) constraints Generalisation of the locality result to non-groun terms 2 From 1 constraints to ME constraints ACUNh-unification is decidable and finitary 3 Abstract subterms by constants this abstraction preserves the well-definedness of the system Now, we have to solve { ME constraint systems on a reduced signature: a + h(a) ME a + h Example : C = 3 (X 1 ) a + h(a); b + X 1 ME b + h 4 (a) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 34 / 39

Procedure in the case of ACUNh (2) Second Part: C = { a + h(a) ME a + h 3 (X 1 ) a + h(a); b + X 1 ME b + h 4 (a) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 35 / 39

Procedure in the case of ACUNh (2) Second Part: C = A Solution is: X 1 h 4 (a) { a + h(a) ME a + h 3 (X 1 ) a + h(a); b + X 1 ME b + h 4 (a) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 35 / 39

Procedure in the case of ACUNh (2) Second Part: C = A Solution is: X 1 h 4 (a) { a + h(a) ME a + h 3 (X 1 ) a + h(a); b + X 1 ME b + h 4 (a) Indeed, a + h(a) h(a) + h 2 (a) a + h 7 (a)... h 6 (a) + h 7 (a) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 35 / 39

Procedure in the case of ACUNh (2) Second Part: C = A Solution is: X 1 h 4 (a) { a + h(a) ME a + h 3 (X 1 ) a + h(a); b + X 1 ME b + h 4 (a) Contexts used to solve the both intruder deduction problems: 1 z[1, 1] = 1 + h + h 2 +... + h 6 2 z[2, 1] = 0 and z[2, 2] = 1 Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 35 / 39

Procedure in the case of ACUNh (2) Second Part: C = A Solution is: X 1 h 4 (a) { a + h(a) ME a + h 3 (X 1 ) a + h(a); b + X 1 ME b + h 4 (a) Contexts used to solve the both intruder deduction problems: 1 z[1, 1] = 1 + h + h 2 +... + h 6 2 z[2, 1] = 0 and z[2, 2] = 1 Lemma If such a constraint system has a solution, then there is one where defining context variables (in this example z[1, 1]) are bounded by Q max. Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 35 / 39

Procedure in the case of ACUNh (2) Second Part: C = A Solution is: X 1 h 4 (a) { a + h(a) ME a + h 3 (X 1 ) a + h(a); b + X 1 ME b + h 4 (a) Contexts used to solve the both intruder deduction problems: 1 z[1, 1] = 1 + h + h 2 +... + h 6 2 z[2, 1] = 0 and z[2, 2] = 1 Lemma If such a constraint system has a solution, then there is one where defining context variables (in this example z[1, 1]) are bounded by Q max. Example: Q max = h 3 Another solution is: z[1, 1] = 1 + h + h 2 and X 1 a. Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 35 / 39

Procedure in the case of ACUNh (2) Second Part: Reduce the problem to the satisfaisability of a set of intruder deduction problems (ground constraints) 4 From ME constaints to ground ME constraints solvable system admits small (< Q max ) defining contexts variables determine value of the variables (X 1,...X n ) from the values of the defining contexts variables 5 Check satisfaisability of ground ME constaints: PTIME. Back Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 36 / 39

Trace Reachability Problem for AGh Abelian groups + homomorphism (AGh): h(x + y) = h(x) + h(y) (x + y) + z = x + (y + z) x + 0 = x x + y = y + x x + (x) = 0 Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 37 / 39

Trace Reachability Problem for AGh Abelian groups + homomorphism (AGh): h(x + y) = h(x) + h(y) (x + y) + z = x + (y + z) x + 0 = x x + y = y + x x + (x) = 0 1 First Part: As in the ACUNh case, we can reduce the problem to the solvability of a (well-defined) system of ME constraints on the reduced signature. Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 37 / 39

Trace Reachability Problem for AGh Abelian groups + homomorphism (AGh): h(x + y) = h(x) + h(y) (x + y) + z = x + (y + z) x + 0 = x x + y = y + x x + (x) = 0 1 First Part: As in the ACUNh case, we can reduce the problem to the solvability of a (well-defined) system of ME constraints on the reduced signature. 2 Second Part: Contrary to the ACUNh case, satisfaisability of (well-defined) ME constraints on the reduced signature is undecidable for AGh. Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 37 / 39

Reduction of the Hilbert s 10 th problem Hilbert s 10 th problem Input: a set S of equations of the form: x i = m, x i + x i = x j, or xi 2 = x j. Output: Does S have a solution over Z? Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 38 / 39

Reduction of the Hilbert s 10 th problem Hilbert s 10 th problem Input: a set S of equations of the form: x i = m, x i + x i = x j, or xi 2 = x j. Output: Does S have a solution over Z? Example: Let t = 4a + 3h 2 (a) 3b. N(a, t) = 4 and N(b, t) = 3. Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 38 / 39

Reduction of the Hilbert s 10 th problem Hilbert s 10 th problem Input: a set S of equations of the form: x i = m, x i + x i = x j, or xi 2 = x j. Output: Does S have a solution over Z? Example: Let t = 4a + 3h 2 (a) 3b. N(a, t) = 4 and N(b, t) = 3. Let n is the number of variables and p the number of equations. 1 A first part C 1 ensures that: σ solution of C 1 N(a, X i σ) = N(a, X iσ) 2 All the terms in C 1 are of the form h k (..) with k p. Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 38 / 39

Reduction of the Hilbert s 10 th problem Hilbert s 10 th problem Input: a set S of equations of the form: x i = m, x i + x i = x j, or xi 2 = x j. Output: Does S have a solution over Z? Example: Let t = 4a + 3h 2 (a) 3b. N(a, t) = 4 and N(b, t) = 3. Let n is the number of variables and p the number of equations. 1 A first part C 1 ensures that: σ solution of C 1 N(a, X i σ) = N(a, X iσ) 2 All the terms in C 1 are of the form h k (..) with k p. 2 A second part C 2 (one constraint per equation) is built as follows: 1. x i = m..; h p 1 (X i ) + c 1 h p 1 (ma) + c 1 2. x i + x j = x k.. ; h p 2 (X i + X j ) + c 2 h p 2 (X k ) + c 2 3. x i = x 2 j =.. ; h p 3 (X i ) + c 3 h p 3 (X j ) + c 3 Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 38 / 39

Encoding Product X 1, X 1 and Y 1 are variables. h 3 (a) h 3 (X 1 ) h 3 (a) h 3 (X 1 ) C 1 := h 2 (b); h 3 (a) h 2 (Y 1 ) h(a + b); h 2 (b); h 3 (a) h(x 1 + Y 1 ) X 1 + b; h(a + b); h 2 (b); h 3 (a) X 1 + Y 1 Let σ be a solution of C 1. We have: Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 39 / 39

Encoding Product X 1, X 1 and Y 1 are variables. h 3 (a) h 3 (X 1 ) h 3 (a) h 3 (X 1 ) C 1 := h 2 (b); h 3 (a) h 2 (Y 1 ) h(a + b); h 2 (b); h 3 (a) h(x 1 + Y 1 ) X 1 + b; h(a + b); h 2 (b); h 3 (a) X 1 + Y 1 Let σ be a solution of C 1. We have: X 1 σ and X 1 σ contains no occurences of b, h(b), h2 (b),... Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 39 / 39

Encoding Product X 1, X 1 and Y 1 are variables. h 3 (a) h 3 (X 1 ) h 3 (a) h 3 (X 1 ) C 1 := h 2 (b); h 3 (a) h 2 (Y 1 ) h(a + b); h 2 (b); h 3 (a) h(x 1 + Y 1 ) X 1 + b; h(a + b); h 2 (b); h 3 (a) X 1 + Y 1 Let σ be a solution of C 1. We have: X 1 σ and X 1 σ contains no occurences of b, h(b), h2 (b),... N(a, Y 1 σ) = 0, Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 39 / 39

Encoding Product X 1, X 1 and Y 1 are variables. h 3 (a) h 3 (X 1 ) h 3 (a) h 3 (X 1 ) C 1 := h 2 (b); h 3 (a) h 2 (Y 1 ) h(a + b); h 2 (b); h 3 (a) h(x 1 + Y 1 ) X 1 + b; h(a + b); h 2 (b); h 3 (a) X 1 + Y 1 Let σ be a solution of C 1. We have: X 1 σ and X 1 σ contains no occurences of b, h(b), h2 (b),... N(a, Y 1 σ) = 0, N(a, X 1 σ) = N(b, Y 1 σ) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 39 / 39

Encoding Product X 1, X 1 and Y 1 are variables. h 3 (a) h 3 (X 1 ) h 3 (a) h 3 (X 1 ) C 1 := h 2 (b); h 3 (a) h 2 (Y 1 ) h(a + b); h 2 (b); h 3 (a) h(x 1 + Y 1 ) X 1 + b; h(a + b); h 2 (b); h 3 (a) X 1 + Y 1 Let σ be a solution of C 1. We have: X 1 σ and X 1 σ contains no occurences of b, h(b), h2 (b),... N(a, Y 1 σ) = 0, N(a, X 1 σ) = N(b, Y 1 σ) N(a, X 1 σ) = N(a, X 1σ) N(b, Y 1 σ) Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 39 / 39

Encoding Product X 1, X 1 and Y 1 are variables. h 3 (a) h 3 (X 1 ) h 3 (a) h 3 (X 1 ) C 1 := h 2 (b); h 3 (a) h 2 (Y 1 ) h(a + b); h 2 (b); h 3 (a) h(x 1 + Y 1 ) X 1 + b; h(a + b); h 2 (b); h 3 (a) X 1 + Y 1 Let σ be a solution of C 1. We have: X 1 σ and X 1 σ contains no occurences of b, h(b), h2 (b),... N(a, Y 1 σ) = 0, N(a, X 1 σ) = N(b, Y 1 σ) N(a, X 1 σ) = N(a, X 1σ) N(b, Y 1 σ) Hence, we have N(a, X 1 σ) = N(a, X 1σ) N(a, X 1 σ) Back Stéphanie Delaune (FT R&D, LSV) Verification of Security Protocols February, 13, 2006 39 / 39

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback