Abstract
In formal approaches, messages sent over a network are usually modeled by terms together with an equational theory, axiomatizing the properties of the cryptographic functions (encryption, exclusive or, ...). The analysis of cryptographic protocols requires a precise understanding of the attacker knowledge. Two standard notions are usually considered: deducibility and indistinguishability. Those notions are well-studied and several decidability results already exist to deal with a variety of equational theories. Most of the existing results are dedicated to specific equational theories and only a few results, especially in the case of indistinguishability, have been obtained for equational theories with associative and commutative properties \((\textsf{AC})\). In this paper, we show that existing decidability results can be easily combined for any disjoint equational theories: if the deducibility and indistinguishability relations are decidable for two disjoint theories, they are also decidable for their union. We also propose a general setting for solving deducibility and indistinguishability for an important class (called monoidal) of equational theories involving \(\textsf{AC}\) operators. As a consequence of these two results, new decidability and complexity results can be obtained for many relevant equational theories.
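As an added illustration (not code from the paper), the two knowledge notions decided for frames under the pure exclusive-or theory ACUN, one of the monoidal AC theories the abstract refers to: deducibility reduces to membership in the GF(2)-span of the frame's terms, and static equivalence to equality of the recipes that evaluate to 0. The names, handles and frames are constructed for the example.

```python
# Added example, not the paper's code: deciding deducibility and static
# equivalence for frames under the pure exclusive-or theory ACUN (AC, unit
# 0, x+x=0), one of the monoidal theories the abstract refers to.  A term
# is an XOR of atomic names, normalized as the frozenset of names occurring
# an odd number of times; frozenset() is 0.  All data here is constructed.

def xor(*terms):
    """Normal form of t1 + ... + tn under ACUN: symmetric difference."""
    acc = frozenset()
    for t in terms:
        acc ^= t
    return acc

def eliminate(frame):
    """Gaussian elimination over GF(2) on the frame's terms, tracking the
    recipe (set of handles) behind each row.  Returns the independent rows
    (pivot, term, recipe) and the kernel: recipes whose XOR evaluates to 0,
    i.e. the equality tests an attacker can run without any secret."""
    rows, kernel = [], []
    for handle, t in frame.items():
        v, recipe = t, frozenset([handle])
        for pivot, b, r in rows:   # rows are in echelon (insertion) order
            if pivot in v:
                v, recipe = v ^ b, recipe ^ r
        if v:
            rows.append((min(v), v, recipe))
        else:
            kernel.append(recipe)
    return rows, kernel

def deducible(frame, t):
    """t is deducible iff it lies in the GF(2)-span of the frame's terms:
    reducing it by every pivot leaves 0 exactly in that case."""
    rows, _ = eliminate(frame)
    for pivot, b, _r in rows:
        if pivot in t:
            t ^= b
    return not t

def statically_equivalent(f1, f2):
    """Equivalent iff same domain and the same testable equalities, i.e.
    every kernel recipe of one frame also evaluates to 0 in the other."""
    if f1.keys() != f2.keys():
        return False
    zero = lambda f, recipe: not xor(*(f[h] for h in recipe))
    return (all(zero(f2, r) for r in eliminate(f1)[1])
            and all(zero(f1, r) for r in eliminate(f2)[1]))

k, s, r1, r2 = (frozenset([n]) for n in ("k", "s", "r1", "r2"))
OTP = {"x1": xor(k, s)}                          # one-time pad of secret s
PAD_REUSE = {"x1": xor(k, s), "x2": xor(k, s)}   # same pad, same message twice
RANDOM2 = {"x1": r1, "x2": r2}                   # two fresh random values
```

Here OTP is indistinguishable from a single fresh random value, while PAD_REUSE is distinguished from RANDOM2 by the test x1 = x2 even though neither frame lets the attacker deduce s.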
This work has been partly supported by the ANR-07-SESU-002 project AVOTÉ.
Cortier, V., Delaune, S. Decidability and Combination Results for Two Notions of Knowledge in Security Protocols. J Autom Reasoning 48, 441–487 (2012). https://doi.org/10.1007/s10817-010-9208-8