
1 Introduction

The goal of security protocols is to protect communications against malicious behavior of third parties which may monitor or completely control the network, and sometimes even legitimately participate in the protocol. Typical properties that such protocols aim to achieve are confidentiality, authentication, as well as anonymity or unlinkability. To this end, security protocols employ cryptographic primitives. The most usual primitives are encryption and signatures, either symmetric or asymmetric, and cryptographic hash functions. Some security goals may however require more advanced primitives: digital cash may rely on blind signatures to ensure anonymity [21], e-voting protocols may use trapdoor commitments [26] or plaintext equivalence tests [23] to achieve receipt-freeness, and verifiability may rely on zero-knowledge proofs [1, 23].

Effective tools, e.g., [4, 9, 10, 15, 19, 22, 25], for automated analysis of security protocols exist, in particular in the case of simple authentication and confidentiality goals, standard cryptographic primitives, and protocols that do not rely on a global mutable state. There has been active research on extending the class of properties that can be verified, e.g., by considering complex forms of compromise [5], or the more expressive class of equivalence properties [6, 7, 10, 12, 28]. Many tools also support user-specified equational theories for modeling less usual cryptographic primitives [9, 10, 19, 25]. Finally, tool support has been devised for protocols that allow for different sessions to update a global, mutable state [3, 24].

The Tamarin prover [25] is a state-of-the-art cryptographic protocol verifier which allows the user at the same time to specify complex security properties (both trace and equivalence properties), to model cryptographic primitives by means of an equational theory, and allows protocols to maintain state information. The class of equational theories supported by the tool is the class of subterm-convergent equational theories, in addition to built-in theories for Diffie-Hellman exponentiations, bilinear pairings, and multisets. While the class of subterm-convergent theories includes many usual cryptographic primitives, it does not include primitives such as blind signatures or trapdoor commitment schemes.

Our contributions. In this paper we significantly extend the class of equational theories supported by the Tamarin prover. We remove the restriction to subterm-convergent theories and now permit an arbitrary convergent theory which has the finite variant property. As the underlying problem is undecidable, we of course cannot guarantee termination. More technically, our extension generalizes (i) the underlying techniques used in the Tamarin prover to reason about adversary knowledge, (ii) the normal form conditions that the Tamarin prover imposes on traces to favor termination, and (iii) the correctness proof that the set of considered traces remains complete.

We have implemented these extensions in the Tamarin prover and demonstrate that, with our generalization, the tool succeeds in effectively analyzing diverse protocols that were previously out of the scope of automated verification in Tamarin.

  • We studied Chaum’s digital cash protocol [11] which uses blind signatures and whose modelling also requires the use of global state. We have verified anonymity, untraceability, as well as unforgeability, which states that no coins can be maliciously created. In previous work using ProVerif [18], the proof of unforgeability could not be completed due to ProVerif’s difficulties in handling state.

  • We also analyzed the FOO e-voting protocol [21] which relies on blind signatures. Vote privacy in this protocol could previously only be analyzed by the AKiSs tool [10] and a recent extension of ProVerif [8]. Using our new version of the Tamarin prover we have been able to also check vote privacy (modeled as an equivalence property) and furthermore eligibility (modeled as a trace property).

  • We also verified the Okamoto e-voting protocol [26] which relies on trapdoor commitments to achieve receipt-freeness. Voter anonymity of this protocol was previously analyzed using the AKiSs tool, but is out of the scope of ProVerif which does not support the equational theory for trapdoor commitments. We additionally provide the first automated proof of receipt-freeness for this protocol, which was previously only shown manually [16].

  • Finally, we analyzed the Denning-Sacco and Needham-Schroeder symmetric key protocols with an encryption scheme that has a prefix property, e.g., in CBC mode, as described in [14]. As expected we have found known attacks on these protocols when the prefix property is considered.

Related work. In terms of supported user-specified equational theories, our extension of the Tamarin prover is comparable to the AKiSs tool. While AKiSs additionally guarantees termination for subterm-convergent theories, it is limited to a bounded number of sessions and does not support protocols with else branches. There are only a few tools for automated verification for an unbounded number of sessions: Maude-NPA [19], Scyther [15], CPSA [22] and ProVerif [9]. We will now discuss and compare our extension of Tamarin with each of them.

Scyther [15] is restricted to a fixed set of cryptographic primitives and does not allow for user-specified equational theories. Moreover, it neither supports global mutable state nor verification of equivalence properties.

CPSA [22] was designed for analyzing, essentially, authentication and secrecy properties. The tool was used, in combination with the theorem prover PVS, to analyze stateful protocols [27]. However, like Scyther, it supports neither user-defined equational theories nor the verification of equivalence properties.

Maude-NPA [19] offers support for many equational theories. Regarding convergent theories, the support offered by Maude-NPA is comparable to our extension of the Tamarin prover, as it also relies on the finite variant property. Maude-NPA treats algebraic properties, such as associative-commutative operators, in a more generic way than Tamarin, which only offers support for built-in Diffie-Hellman and bilinear pairing theories. However, Maude-NPA does not support global mutable state.

ProVerif is the reference tool in protocol verification. It offers support for user-defined equational theories and allows for the verification of a rich variety of security properties. Moreover, the abstractions (based on a translation of applied pi calculus processes into Horn clauses) underlying the theory of ProVerif make it extremely efficient. However, these abstractions may also cause false attacks, which make the tool unsuitable for analyzing protocols with global state. An extension of ProVerif, called StatVerif [3], tries to overcome this shortcoming. However, StatVerif's support for stateful protocols remains partial: only a fixed number of state cells may be declared, non-termination arises frequently, and only secrecy properties can be verified.

We also want to mention SAPiC [24], a front-end to Tamarin which allows protocols to be specified in a stateful extension of the applied pi calculus and has been used successfully on stateful protocols. It will benefit from our extension of Tamarin.

Outline. We present necessary preliminaries in Sect. 2. Our extensions of the theory and tool are described in Sect. 3, and we evaluate them with the case studies shown in Sect. 4. We give concluding remarks in Sect. 5.

2 Preliminaries

We explain our model of protocols and their security properties and the adversary deduction after covering the representation of messages as terms.

2.1 Representing Messages as Terms

As usual in symbolic analysis of cryptographic protocols we model messages and operations on them by terms in an order-sorted term algebra, equipped with an equational theory. We assume given a signature \(\varSigma _{\textit{Op}}\) defining operators and their arity. Additionally, we use three sorts, a top sort \(\textit{msg}\) with two incomparable subsorts: terms of sort \(\textit{fr}\) model nonces, keys, and random values in general; terms of sort \(\textit{pub}\) model publicly known values. For each sort s there is a countable set of variables, \(\mathcal {V}_s\), and we call their union \(\mathcal {V}\). Similarly we suppose a countable set of names \(\mathcal {N}_s\) per sort, and denote their union by \(\mathcal {N}\). The set of terms \(T_{\varSigma _{\textit{Op}}}(\mathcal {V}, \mathcal {N})\) contains variables in \(\mathcal {V}\), names in \(\mathcal {N}\), and is closed under application of operators in \(\varSigma _{\textit{Op}}\). A term t is ground when it contains no variables and we denote the set of ground terms by \(T_{\varSigma _{\textit{Op}}}(\mathcal {N})\), or simply \(T_{\varSigma _{\textit{Op}}}\). We also use standard notations for positions: a position p in t is a finite sequence of integers, the empty sequence being denoted by [], and we write \(t|_p\) for the subterm of t at position p, where (1) if \(p=[]\), then \(t|_p=t\), (2) if \(p=[i]\cdot p'\), and \(t=f(t_1, \dots ,t_n)\) for \(f\in \varSigma _{\textit{Op}}\) and \(1\le i\le n\) then \(t|_p=t_i|_{p'}\), and (3) otherwise \(t|_p\) is not defined and p is not a valid position. A substitution \(\sigma \) is a function from variables to terms. As usual, we homomorphically lift \(\sigma \) to terms and use postfix notations, i.e., we write \(t\sigma \) for \(\sigma (t)\).

For a signature \(\varSigma _{\textit{Op}}\), an equation is an unordered pair of terms \(s,t \in T_{\varSigma _{\textit{Op}}}(\mathcal {V})\) written \(s=t\). For a set of equations E over \(\varSigma _{\textit{Op}}\) the resulting equational presentation is \(\mathcal {E} = (\varSigma _{\textit{Op}}, E)\). We call the smallest \(\varSigma _{\textit{Op}}\)-congruence closure containing all instances of E the corresponding equational theory, written \(=_{\mathcal {E}}\). When it is clear from the context we often drop the \(\varSigma _{\textit{Op}}\) and likewise write \(=_E\) for the equational theory \(=_{\mathcal {E}}\). Two terms s and t are equal modulo E iff \(s=_E t\). For all operations on sets, sequences and multisets we use the subscript E to denote that this is to be considered modulo E. We write \(\in _E\) for set membership modulo E for example.

We only consider equational theories that are convergent, i.e., confluent and terminating, when the equations are oriented left to right. This implies that every term t has a unique normal form, denoted \(t\!\downarrow _E\). Such an equational theory is additionally called subterm-convergent when, for each equation, the right-hand side is either a ground term or a strict subterm of the left-hand side.

Example 1

To model asymmetric signatures, let \(\varSigma _{\textit{Op}}\) be the signature consisting of the functions \(sign(\cdot , \cdot )\), \(checksign(\cdot , \cdot )\) and \(pk(\cdot )\) together with the equation \(checksign(sign(x, k), pk(k)) = x\). This theory, denoted \(T_{AS}\), is subterm-convergent.

We are also interested in equational theories with the finite variant property (FVP) [13] of which subterm-convergent theories are a special case. When a theory has the FVP, then for any term t we can compute a finite set \(t_1, \ldots , t_n\) of terms with the following property: for any substitution \(\sigma \) there exist \(i, \theta \) such that \(t\sigma \!\!\!\downarrow _E = t_i\theta \). This pre-computation offers a way to get rid of the equational theory and enables efficient symbolic protocol analysis. Tamarin uses this approach, which is also why our extension still requires the finite variant property. More precisely, the complete set of variants modulo E (which can be computed via folding variant narrowing [20]) for a term t is denoted \(\lceil t \rceil ^E\). By abuse of notation we extend this to the variants of all protocol rules (which will be defined in Sect. 2.2) for a protocol P and denote it \(\lceil P \rceil ^E\). Next we give an example that has the FVP, but is not subterm-convergent.

Example 2

To model blind signatures we extend \(T_{AS}\) from Example 1 with two operators \(unblind(\cdot , \cdot )\) and \(blind(\cdot , \cdot )\). To represent extracting an actual signature from a blinded signature, we add the equation \(unblind(sign(blind(m,r),k),r) = sign(m,k)\), with random r as blinding factor. Then, \(\{ t, ~ sign(y,k) \}\) is a complete set of variants for the term \(t= unblind(sign(x,k),r)\). The second variant corresponds to all instances of the term \(t [ x \mapsto blind(y,r) ]\). In this additional equation \(sign(m,k)\) is not a subterm of \(unblind(sign(blind(m,r), k), r)\), yielding a theory which is not subterm-convergent.
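The following Python code is an added illustration of the definitions of this section and of Examples 1 and 2; it is not part of the paper nor of the Tamarin implementation. It represents terms as nested tuples, implements positions and \(t|_p\), substitutions, normalization by the left-to-right oriented equations, and the subterm-convergence test, and applies them to \(T_{AS}\) and to the blind signature equation. The conventions that variables are strings prefixed with `?`, that names are any other strings, and that normalization uses innermost rewriting are choices made here.

```python
"""Terms, positions, rewriting and the subterm-convergence test of Sect. 2.1.
Added illustration, not code from the paper or the Tamarin prover.
A variable is a str starting with '?', a name is any other str, and an
application is a tuple (f, t1, ..., tn). Equations are oriented left to
right and stored as rewrite rules (lhs, rhs)."""


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def is_ground(t):
    if is_var(t):
        return False
    return not isinstance(t, tuple) or all(is_ground(a) for a in t[1:])


def subterm(t, p):
    """t|_p: [] is t itself, [i].p' descends into the i-th argument (1-based);
    ValueError when p is not a valid position of t."""
    if not p:
        return t
    i, rest = p[0], p[1:]
    if isinstance(t, tuple) and 1 <= i <= len(t) - 1:
        return subterm(t[i], rest)
    raise ValueError(f"invalid position {p}")


def positions(t):
    """All valid positions of t, root first, in depth-first order."""
    yield []
    if isinstance(t, tuple):
        for i, arg in enumerate(t[1:], start=1):
            for p in positions(arg):
                yield [i] + p


def match(pattern, t, subst):
    """Extend subst so that pattern.subst == t syntactically, else None."""
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == t else None
        return {**subst, pattern: t}
    if isinstance(pattern, tuple):
        if not (isinstance(t, tuple) and len(t) == len(pattern) and t[0] == pattern[0]):
            return None
        for a, b in zip(pattern[1:], t[1:]):
            subst = match(a, b, subst)
            if subst is None:
                return None
        return subst
    return subst if pattern == t else None


def apply_subst(subst, t):
    if is_var(t):
        return subst.get(t, t)
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply_subst(subst, a) for a in t[1:])
    return t


def normal_form(t, rules):
    """t normalized by innermost rewriting; terminates for a convergent theory."""
    if isinstance(t, tuple):
        t = (t[0],) + tuple(normal_form(a, rules) for a in t[1:])
    for lhs, rhs in rules:
        s = match(lhs, t, {})
        if s is not None:
            return normal_form(apply_subst(s, rhs), rules)
    return t


def is_subterm_rule(lhs, rhs):
    """Subterm-convergence criterion for one oriented equation: the right-hand
    side is ground or a strict subterm of the left-hand side."""
    return is_ground(rhs) or any(p and subterm(lhs, p) == rhs for p in positions(lhs))


# Example 1: T_AS.  Example 2: BS adds the unblind equation to T_AS.
T_AS = [(("checksign", ("sign", "?x", "?k"), ("pk", "?k")), "?x")]
BS = T_AS + [(("unblind", ("sign", ("blind", "?m", "?r"), "?k"), "?r"),
              ("sign", "?m", "?k"))]


def blind_signature_roundtrip(m, r, k):
    """The flow a blind-signature protocol relies on: the signer signs
    blind(m, r), the requester unblinds with r and obtains sign(m, k), which
    checksign verifies against pk(k). Returns (recovered message, signature)."""
    blinded_sig = ("sign", ("blind", m, r), k)
    sig = normal_form(("unblind", blinded_sig, r), BS)
    return normal_form(("checksign", sig, ("pk", k)), BS), sig


if __name__ == "__main__":
    print([is_subterm_rule(l, r) for l, r in BS])      # T_AS rule yes, unblind rule no
    print(blind_signature_roundtrip("m", "r", "k"))
```

The two variants of Example 2 can be observed with `normal_form`: `unblind(sign(x,k),r)` with x left as a variable is already in normal form (the first variant), while the instance with \(x \mapsto blind(y,r)\) normalizes to `sign(y,k)` (the second).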

2.2 Modeling Protocols and Adversaries Using Multiset Rewriting Rules

We model security protocols using multiset rewriting rules. These rules manipulate multisets of facts. Facts represent the current state of the system and are built by applying elements of the fact signature \(\varSigma _{\textit{Fact}}\) to terms. Formally, the set of facts is defined as \(\mathcal {F}= \{ F(t_1, \ldots , t_n) \mid t_i \in T_{\varSigma _{\textit{Op}}}(\mathcal {V},\mathcal {N}), F \in \varSigma _{\textit{Fact}}\text { of arity n}\}\). We partition \(\mathcal {F}\) into linear and persistent facts: during rewriting linear facts can only be consumed once; persistent facts can be consumed arbitrarily often. The set of multisets of facts is denoted by \(\mathcal {F}^\sharp \). The set of multisets of ground facts is written \(\mathcal {G}^\sharp \). The function \(set(\cdot )\) converts a multiset into a set.

The system’s state transitions are then given by a set of labeled multiset rewriting rules. Such rules are given as a tuple \((id, l, a, r)\) where id is a unique identifier and l, a, and r are multisets of facts. The resulting rule ri is written: \(ri = id : l {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}a \mathrel {]\!\!\!\rightarrow }}} r\). We say its name is \(\textit{name}(ri) = id\), its premises are \(\textit{prems}(ri)=l\), its conclusions \(\textit{concs}(ri)=r\), and its actions \(\textit{acts}(ri)=a\). Given a set of multiset rewriting rules R its ground instances are represented as \(\textit{ginsts}(R)\). We denote by \(\textit{lfacts}(l)\) the multiset of linear facts and by \(\textit{pfacts}(l)\) the set of persistent facts in l.

The semantics of a set of multiset rewriting rules R are given by a labeled transition relation \(\rightarrow _{R} \;\subseteq \mathcal {G}^\sharp \times \mathcal {G}^\sharp \times \mathcal {G}^\sharp \), defined by the following step rule, where S is the current state (a multiset of facts):

Note that the initial state of a labeled transition system derived from multiset rewriting rules is the empty multiset of facts \(\emptyset \). Each transition transforms a multiset of facts (S) into a new multiset of facts, as described by the rewriting rule. Additionally, the actions a of the rule are the label of each transition. These labels are used in our definition of security properties below. We perform multiset rewriting modulo the equations E, so the rule instance is selected modulo E, written \(\in _{E}\). Linear facts are consumed upon rewriting according to the multiplicity of their appearance, so we use multiset inclusion, written \(\subseteq ^{\sharp }\), to check that all facts in \(\textit{lfacts}(l)\) occur sufficiently often in S. For persistent facts, we only need to check that each fact in \(\textit{pfacts}(l)\) occurs in S. The successor state is derived by removing all consumed linear facts and adding the generated facts.

There is one distinguished (built-in) rule that generates fresh values, called the fresh rule: \(\textit{Fresh}: {\mathrel {\mathrel {-\!\!\!\!-\!\!\![} \mathrel {]\!\!\!\rightarrow }}} \textsf {Fr}(n)\). Note that the rule has no premise. This fresh rule is the only rule that can have a \(\textsf {Fr}\) fact in the conclusion. The argument n represents a fresh value and is unique. We enforce that the values generated by two separate instances of the fresh rule differ. For details see [30].

An execution e of a protocol, specified by a set of multiset rewriting rules P, is the alternating sequence of states (i.e., multisets of facts) and rule instances:

$$S_0, (l_1 {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}a_1 \mathrel {]\!\!\!\rightarrow }}} r_1), S_1, \ldots , S_{n-1}, (l_n {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}a_n \mathrel {]\!\!\!\rightarrow }}} r_n), S_n$$

such that \(S_0=\emptyset \), and that for all \(i \in \{1,\ldots ,n\}\) we have \((S_{i-1}, (l_i {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}a_i \mathrel {]\!\!\!\rightarrow }}} r_i), S_i)\) is a valid step according to the above step rule. The associated trace is the sequence of the set of the labels: \(trace(e) = [set(a_1), \ldots , set(a_n) ]\). We denote the set of executions of P as exec(P).

We consider a Dolev-Yao style adversary who has full control over the network and the ability to apply all cryptographic operators. It does so using the message deduction rules \(\textit{MD}\) below. All messages sent by participants are put into \(\textsf {Out}\) facts and stored in the adversary knowledge \(\textsf {K}\) facts, before being sent to participants as \(\textsf {In}\) facts. The adversary can create its own random values and knows all public values. It can also apply functions from the signature using the rules in the third line of \(\textit{MD}\).

$$\begin{aligned} \textit{MD}= \{\;&\textsf {Out}(x) {\mathrel {\mathrel {-\!\!\!\!-\!\!\![} \mathrel {]\!\!\!\rightarrow }}}\textsf {K}(x), \; \textsf {K}(x) {\mathrel {\mathrel {-\!\!\!\!-\!\!\![}\textsf {K}(x) \mathrel {]\!\!\!\rightarrow }}} \textsf {In}(x), \\&\textsf {Fr}(x{:}\textit{fr}) {\mathrel {\mathrel {-\!\!\!\!-\!\!\![} \mathrel {]\!\!\!\rightarrow }}}\textsf {K}(x{:}\textit{fr}),\; []{\mathrel {\mathrel {-\!\!\!\!-\!\!\![} \mathrel {]\!\!\!\rightarrow }}}\textsf {K}(x{:}\textit{pub})\;\} \\ {}\cup \{\;&\textsf {K}(x_1), \ldots , \textsf {K}(x_n) {\mathrel {\mathrel {-\!\!\!\!-\!\!\![} \mathrel {]\!\!\!\rightarrow }}}\textsf {K}(f(x_1,\ldots ,x_n)) \mid f \in \varSigma _{\textit{Op}}\text { with arity } n\; \} \end{aligned}$$

Note that in this message deduction we do not explicitly deal with the equations modeling the properties of cryptographic operators, as all terms are considered modulo the equational theory. Note that as an (efficient) representation of an execution, Tamarin uses (normal) dependency graphs to present and reason about the protocol and adversary deduction rules that have been applied, and their relation to each other. We will explain normal dependency graphs later in more detail.

Example 3

Consider a protocol \(P_{\textit{basic}}\) where agent A sends a nonce m on the network and then receives it, specified using the following rules:

$$P_{basic}=\left\{ \dfrac{\textsf {Fr}(m)}{\textsf {St}(A,m)~~~~\textsf {Out}(m)}[\textsf {Start}(m)] ,\dfrac{\textsf {St}(A,m)~~~~\textsf {In}(m)}{} [\textsf {End}(m)] \right\} $$

Figure 1 gives a sample execution of this protocol as a dependency graph. It also illustrates how the dependency graph represents the trace and intermediate states.

Fig. 1.

Example execution of \((P_{\textit{basic}}\cup \textit{MD})\).

2.3 Specifying Security Properties

We consider both trace and indistinguishability properties. Trace properties like secrecy and agreement are expressed as first-order logic formulas. Formulas introduce variables of an additional sort temp for reasoning about the ordering of actions and are evaluated on a trace. The atomic formulas and their informal semantics we consider are

  • \(\bot \): false;

  • \(t_1 \approx t_2\): \(t_1\) and \(t_2\) are equal in the equational theory;

  • F@i: fact \(F\in _E tr[i]\) where i is of sort \(\textit{temp}\) and tr[i] is the ith element of the trace tr on which we evaluate the formula;

  • \(i \doteq j\): timepoints i and j are equal;

  • \(i \lessdot j\): timepoint i occurs before timepoint j.

For a detailed definition of the semantics and the fragment of first order logic that the Tamarin prover accepts, we refer the reader to [30]. We write \(tr\,\models \,\varphi \) when \(\varphi \) holds on trace tr and lift the semantics to sets of traces: given a set of traces Tr we write \(Tr\,\models ^\forall \varphi \) if \(tr\,\models \,\varphi \) for any \(tr \in Tr\) and \(Tr\,\models ^\exists \varphi \) if \(tr\,\models \,\varphi \) for some \(tr \in Tr\).
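To make the step rule, the fresh rule, traces and trace formulas concrete, the following Python code, an added example that is not from the paper or from Tamarin, executes \(P_{\textit{basic}}\) of Example 3 together with the \(\textsf{Out}\), \(\textsf{K}\) and \(\textsf{In}\) rules of \(\textit{MD}\) from Sect. 2.2 and evaluates a trace formula of the kind described above on the resulting trace. Matching is syntactic only, i.e., no equational theory is involved, and facts are flat tuples of atoms, which suffices for \(P_{\textit{basic}}\). The rule names Send, Recv, OutK and KIn, and the choice that \(\textsf{K}\) facts are persistent while all other facts are linear, are assumptions of this example.

```python
"""Toy executor for labeled multiset rewriting in the style of Sect. 2.2.

Added illustration, not code from the paper or the Tamarin prover. Facts are
flat tuples (FactName, arg1, ...); an argument starting with '?' is a
variable, anything else is an atom. Matching is syntactic (no equations).
Assumption of this example: K facts are persistent, all others are linear.
"""
from collections import Counter
from itertools import product

PERSISTENT = {"K"}


def match(pattern, fact, subst):
    """Extend subst so that pattern.subst == fact; None if impossible."""
    if len(pattern) != len(fact):
        return None
    subst = dict(subst)
    for p, g in zip(pattern, fact):
        if p.startswith("?"):
            if subst.setdefault(p, g) != g:
                return None
        elif p != g:
            return None
    return subst


def inst(subst, fact):
    return tuple(subst.get(a, a) for a in fact)


def step(state, rule):
    """One application of rule = (prems, acts, concs) to the state S, a Counter
    of ground facts: lfacts(l.sigma) must be included in S as a multiset and
    each fact of pfacts(l.sigma) must occur in S. Linear premises are removed,
    conclusions added. Returns (actions, successor) or None if nothing fires."""
    prems, acts, concs = rule
    candidates = [[f for f in state if f[0] == p[0]] for p in prems]
    for choice in product(*candidates):
        subst = {}
        for p, g in zip(prems, choice):
            subst = match(p, g, subst)
            if subst is None:
                break
        if subst is None:
            continue
        linear = Counter(inst(subst, p) for p in prems if p[0] not in PERSISTENT)
        if any(state[f] < n for f, n in linear.items()):   # multiset inclusion
            continue
        successor = state - linear                          # consume linear facts
        successor.update(inst(subst, c) for c in concs)     # add conclusions
        return [inst(subst, a) for a in acts], successor
    return None


def run(rules, schedule):
    """Execute the named rules in order from the empty state. 'Fresh' is the
    built-in rule without premise whose conclusion Fr(n) carries a new unique n.
    Returns the trace (one set of action facts per step) or None if a step
    of the schedule cannot fire."""
    state, trace, counter = Counter(), [], 0
    for name in schedule:
        if name == "Fresh":
            counter += 1
            state[("Fr", f"~n{counter}")] += 1
            trace.append(set())
            continue
        result = step(state, rules[name])
        if result is None:
            return None
        actions, state = result
        trace.append(set(actions))
    return trace


def observable(trace):
    """Observable trace: the action sets that are not empty."""
    return [acts for acts in trace if acts]


def end_implies_earlier_start(trace):
    """Trace formula: for all m, i: End(m)@i implies some j < i with Start(m)@j."""
    for i, acts in enumerate(trace):
        for a in acts:
            if a[0] == "End" and not any(("Start",) + a[1:] in trace[j] for j in range(i)):
                return False
    return True


# P_basic (Example 3) and the rules of MD it needs; the rule names are ours.
RULES = {
    "Send": ([("Fr", "?m")], [("Start", "?m")], [("St", "A", "?m"), ("Out", "?m")]),
    "Recv": ([("St", "A", "?m"), ("In", "?m")], [("End", "?m")], []),
    "OutK": ([("Out", "?x")], [], [("K", "?x")]),            # Out(x) --[]--> K(x)
    "KIn":  ([("K", "?x")], [("K", "?x")], [("In", "?x")]),  # K(x) --[K(x)]--> In(x)
}

if __name__ == "__main__":
    for acts in run(RULES, ["Fresh", "Send", "OutK", "KIn", "Recv"]):
        print(acts)
```

The schedule `["Fresh", "Send", "OutK", "KIn", "Recv"]` is the execution of Fig. 1: its observable trace is \([\{\textsf{Start}(m)\}, \{\textsf{K}(m)\}, \{\textsf{End}(m)\}]\), and the formula holds. Dropping the adversary steps makes `Recv` unable to fire, since no \(\textsf{In}\) fact is in the state; two applications of the fresh rule yield distinct names.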

We specify unlinkability, anonymity, and more generally equivalence properties by use of diff-terms (defining bi-systems, i.e., two systems differing only in some terms) and check their observational equivalence, see [6].

Example 4

([6], Ex. 10). An equational theory representing probabilistic encryption is \(pdec(penc(m,pk(k),r),k) = m\). This equation gives rise to the decryption rule for probabilistic encryption for the adversary which Tamarin automatically generates:

$$Dpenc: \textsf {K}(penc(m, pk(k),r)), \textsf {K}(k) {\mathrel {\mathrel {-\!\!\!\!-\!\!\![} \mathrel {]\!\!\!\rightarrow }}} \textsf {K}(m)\, .$$

Consider now the following bi-system:

$$ \begin{array}{rll} S = \{ &{} GEN : &{} \textsf {Fr}(k) {\mathrel {\mathrel {-\!\!\!\!-\!\!\![} \mathrel {]\!\!\!\rightarrow }}} \textsf {Key}(k), \textsf {Out}(pk(k)) \\ &{} ENC : &{} \textsf {Key}(k), \textsf {Fr}(r_1), \textsf {Fr}(r_2), \textsf {In}(x) {\mathrel {\mathrel {-\!\!\!\!-\!\!\![} \mathrel {]\!\!\!\rightarrow }}} \\ &{} &{} \textsf {Out}(\textit{diff}[r_1,penc(x, pk(k), r_2)]) \} \, .\\ \end{array} $$

Here Tamarin will compare the system where \(\textit{diff}[r_1,penc(x, pk(k), r_2)]\) is replaced by \(r_1\) to the system where it is replaced by \(penc(x, pk(k), r_2)\). If the adversary cannot distinguish the two systems, they are said to be observationally equivalent. In this example, this means that the adversary cannot distinguish a probabilistic encryption from a random value.

3 Beyond Subterm-Convergent Equational Theories

Example 2 illustrated that subterm-convergent theories are often insufficient to deal with the classical specifications of complex cryptographic operators. In this section we will explain how to extend the Tamarin prover to work with more than subterm-convergent equational theories. To do that, we need to explain the way that normal message deduction rules are computed for the extension. We start by recalling how the Tamarin prover handled the case of subterm-convergent equational theories before our extension.

3.1 Subterm-Convergent Equational Theories

Even for simple subterm-convergent theories containing only the pairing function \(\langle \cdot , \cdot \rangle \) and the \(fst\) and \(snd\) operators, we can see directly that non-normalized dependency graphs are not sufficient to automate the analysis of traces. For example, consider the case where the adversary deduces the first element a of a pair \(\langle a,b \rangle \) by applying the function \(fst(\cdot )\), then pairs it with an element c, and then deduces a from the new pair to next build the pair \(\langle a,d \rangle \) (visualized in the left-most graph of Fig. 2 – note that the topmost rule is actually an instance of the function application rule for \(fst(\cdot )\) where the conclusion \(fst(\langle a,d \rangle )\) reduced to a according to the equational theory). This is a legal dependency graph, but very much redundant, as the steps containing c could have been skipped. As this can be resolved in just one step we are in general interested in normal dependency graphs that exclude useless steps. Moreover, this kind of unnecessary derivation could continue indefinitely with arbitrary extra steps in between.

Construction and Deconstruction Rules. To improve efficiency and avoid the aforementioned redundancy, we make the equational theory explicit by dividing the adversary rules into two categories: construction rules and deconstruction rules. Deconstruction rules correspond to equations and are used by the adversary just after protocol rules to deduce messages from what has been sent on the network. Construction rules are, conversely, used to build messages from the knowledge of the adversary that are then sent on the network. To achieve this, we equip adversary knowledge \(\textsf {K}\) facts with an orientation, up and down, denoted \(\textsf {K}^{\uparrow }_{}\) and \(\textsf {K}^{\downarrow }_{}\). Deconstruction rules have premises with both \(\textsf {K}^{\downarrow }_{}\) and \(\textsf {K}^{\uparrow }_{}\) facts (as, e.g., decrypting a ciphertext that was received requires knowing the key) and a conclusion with a \(\textsf {K}^{\downarrow }_{}\) fact. Construction rules, conversely, have premises with only \(\textsf {K}^{\uparrow }_{}\) facts and their conclusion is a \(\textsf {K}^{\uparrow }_{}\) fact as well. To match the purpose of construction and deconstruction rules, the new \(\textsf {Out}\) rule has a \(\textsf {K}^{\downarrow }_{}\) fact as conclusion, while the \(\textsf {In}\) rule has a \(\textsf {K}^{\uparrow }_{}\) fact as premise. The transition from \(\textsf {K}^{\downarrow }_{}\) to \(\textsf {K}^{\uparrow }_{}\) is achieved by a special rule with label “Coerce”, see below, but no direct conversion from \(\textsf {K}^{\uparrow }_{}\) to \(\textsf {K}^{\downarrow }_{}\) is possible, which prevents loops. This forces deconstruction rules to be applied before construction rules.

In the context of a subterm-convergent theory \(\mathcal {ST}\), the idea is to consider a construction rule for every operator in \(\varSigma _\mathcal {ST}\), and deconstruction rules for each rewriting rule (induced by an ordered equality). The process for deriving deconstruction rules will be explained later. Additionally, we add construction rules for fresh and public name generation.

We give the minimal set of normal deduction rules (included in all subsequent normal deduction rule sets in this work) parametric on the set of operators \(\varSigma \), including the usual pairing and unpairing operators:

$$ \textit{ND}_{\varSigma }= \left\{ \begin{array}{c} \dfrac{\textsf {Out}(x)}{\textsf {K}^{\downarrow }(x)} \quad \dfrac{\textsf {K}^{\uparrow }(x)}{\textsf {In}(x)} [\textsf {K}{}(x)] \quad \mathsf{Coerce:~}\dfrac{\textsf {K}^{\downarrow }_{}(x)}{\textsf {K}^{\uparrow }_{}(x)} \quad \dfrac{\textsf {Fr}(x:fr)}{\textsf {K}^{\uparrow }_{}(x:fr)} \quad \dfrac{}{\textsf {K}^{\uparrow }_{}(x:pub)} \\ \\ \dfrac{\textsf {K}^{\downarrow }(\langle x,y\rangle )}{\textsf {K}^{\downarrow }(x)} \quad \dfrac{\textsf {K}^{\downarrow }(\langle x,y\rangle )}{\textsf {K}^{\downarrow }(y)} \quad \dfrac{\textsf {K}^{\uparrow }_{}(x_1)~~\dots ~~\textsf {K}^{\uparrow }_{}(x_k)}{\textsf {K}^{\uparrow }_{}(f(x_1,\dots ,x_k))} \text { for all } f\in \varSigma \\ \\ \end{array}\right\} $$

Example 5

Let us consider the theory for asymmetric encryption called \(\mathcal {ASE}\) which we define with the following subterm-convergent theory that includes an operator pk to derive the public key from a private key and equation: \(adec(aenc(m,pk(k)), k) = m\).

The resulting set of normal message deduction rules is

$$\textit{ND}_\mathcal {ASE} = \left\{ \dfrac{\textsf {K}^{\downarrow }(aenc(m,pk(k)))~~~~\textsf {K}^{\uparrow }(k)}{\textsf {K}^{\downarrow }(m)} \right\} \cup \textit{ND}_{\varSigma _{\mathcal {ASE}}}.$$

We see that the deconstruction rule for decryption has \(\textsf {K}^{\uparrow }_{}\) and \(\textsf {K}^{\downarrow }_{}\) facts in its premises.

With such rules, the adversary avoids cases of redundancy as shown in Fig. 2. For the full detail of computing the normal deduction rules we refer the reader to [29] but present its high-level motivation here. For a subterm-convergent rewriting system, a method to compute deconstruction rules is the following. Consider a subterm rewriting rule \( l \rightarrow r\) where r is not a ground term. Since it is a subterm rewriting rule, there is a position p in l such that \(l|_p=r\). Then, for each position \(p'\ne []\) strictly above p, we compute a deconstruction rule for which the term \(l|_{p'}\) is in a \(\textsf {K}^{\downarrow }_{}\) fact and the terms \(l|_{\tilde{p}}\), where \(\tilde{p}\) has a sibling equal or above \(p'\), are required in a \(\textsf {K}^{\uparrow }_{}\) fact.

Fig. 2.

Message deduction graphs for pairing: the left represents a redundant dependency graph, the middle an impossible deduction with ordered \(\textsf {K}\)-facts, and the right shows a shorter deduction with final conclusion equivalent to the left.

Fig. 3.

Different possible positions of \(\textsf {K}{}\)-facts for deconstruction rules associated with \(a(b(c(x,y),1),y)\rightarrow x\).

Example 6

Consider the rewriting rule \(a(b(c(x,y),1),y)\rightarrow x\). The only position p of l such that \(l|_p=r\) is [1, 1, 1], so there are two positions strictly above p and different from [], namely \(p'_1=[1,1]\) and \(p'_2=[1]\). For \(p'_1\), we have \( \tilde{p}_1=[2]\) and \( \tilde{p}_2=[1,2]\) as positions which have a sibling above or equal to \(p_1'\). For \(p_2'\), we have only \( \tilde{p}_1=[2]\) as position which has a sibling above or equal to \(p_2'\). We visualize this in Fig. 3.

Thus, the two associated deconstruction rules are:

$$ [\textsf {K}^{\downarrow }(c(x,y)),~\textsf {K}^{\uparrow }(1),~\textsf {K}^{\uparrow }(y)] -\!\![{}]\!\!\!\rightarrow [\textsf {K}^{\downarrow }(x)] ~\mathsf {and}~ [\textsf {K}^{\downarrow }(b(c(x,y),1)),~\textsf {K}^{\uparrow }(y)] -\!\![{}]\!\!\!\rightarrow [\textsf {K}^{\downarrow }(x)].$$

Generally, for each position p such that \(l|_p=r\), we use the function ctxtdrules extended from the one in [29] to compute the corresponding deconstruction rules, where \(cprems(l,p')\) determines the sequence of \(\textsf {K}^{\uparrow }_{}\) premises:

$$\begin{aligned} ctxtdrules(l, p, r) &= \{\, [\textsf {K}^{\downarrow }(l|_{p'})] \cdot cprems(l,p') -\!\![]\!\!\!\rightarrow [\textsf {K}^{\downarrow }(r)] \mid p' \text { strictly above } p \text { and } p'\ne [] \,\}, \\ cprems(l,p') &= seq(\{\textsf {K}^{\uparrow }(l|_{\tilde{p}}) \mid \tilde{p}\ne [] \wedge \tilde{p} \text { has a sibling above or equal to } p'\}) \end{aligned}$$

where seq converts sets to sequences. Clearly the deconstruction rules from \(\textit{ND}_{\mathcal {ASE}}\) match this construction. We will relax the requirement that \(r = l|_p\) for this rule later.
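The following Python code is an added implementation of ctxtdrules and cprems as defined above, applied to Example 6 and to the decryption rule of \(\textit{ND}_\mathcal {ASE}\) (Example 5); it is not code from the paper or from Tamarin. Terms are nested tuples with `?`-prefixed variables, positions are lists of 1-based indices, and the condition “\(\tilde{p}\) has a sibling above or equal to \(p'\)” is implemented as: the parent of \(\tilde{p}\) is a prefix of \(p'\), and \(p'\) continues from that parent with an index different from the last index of \(\tilde{p}\). The order in which seq lists the \(\textsf{K}^{\uparrow}\) premises (depth-first position order) is a choice made here.

```python
"""Deconstruction rules for a subterm rewrite rule l -> r (Sect. 3.1).
Added illustration, not code from the paper or the Tamarin prover.
Terms: '?x' is a variable, other strings are names/constants, (f, t1, ..., tn)
is an application. A position is a list of 1-based argument indices."""


def subterm(t, p):
    """t|_p; ValueError when p is not a valid position of t."""
    if not p:
        return t
    if isinstance(t, tuple) and 1 <= p[0] <= len(t) - 1:
        return subterm(t[p[0]], p[1:])
    raise ValueError(f"invalid position {p}")


def positions(t):
    """All valid positions of t, root first, depth-first."""
    yield []
    if isinstance(t, tuple):
        for i, arg in enumerate(t[1:], start=1):
            for p in positions(arg):
                yield [i] + p


def strictly_above(q, p):
    """q is a strict prefix of p, i.e. q denotes a strict superterm of t|_p."""
    return len(q) < len(p) and p[:len(q)] == q


def has_sibling_above_or_equal(q, p_prime):
    """Some sibling of q (same parent, different last index) is a prefix of p'."""
    if not q:
        return False
    parent, i = q[:-1], q[-1]
    return (len(p_prime) > len(parent)
            and p_prime[:len(parent)] == parent
            and p_prime[len(parent)] != i)


def cprems(lhs, p_prime):
    """The K-up premises for the deconstruction rule at p' (seq = position order)."""
    return [subterm(lhs, q) for q in positions(lhs)
            if q and has_sibling_above_or_equal(q, p_prime)]


def ctxtdrules(lhs, rhs):
    """All deconstruction rules of l -> r: one per position p with l|_p = r
    (p != []) and per position p' strictly above p with p' != [].
    A rule is the triple (K-down premise, [K-up premises], K-down conclusion)."""
    rules = []
    for p in positions(lhs):
        if not p or subterm(lhs, p) != rhs:
            continue
        for p_prime in positions(lhs):
            if p_prime and strictly_above(p_prime, p):
                rules.append((subterm(lhs, p_prime), cprems(lhs, p_prime), rhs))
    return rules


def term_to_str(t):
    if isinstance(t, tuple):
        return t[0] + "(" + ", ".join(term_to_str(a) for a in t[1:]) + ")"
    return t.lstrip("?")


def rule_to_str(rule):
    down, ups, concl = rule
    prems = [f"K↓({term_to_str(down)})"] + [f"K↑({term_to_str(u)})" for u in ups]
    return ", ".join(prems) + f" --[]-> K↓({term_to_str(concl)})"


# Example 6: a(b(c(x,y),1),y) -> x.  Example 5: adec(aenc(m,pk(k)),k) -> m.
EX6 = (("a", ("b", ("c", "?x", "?y"), "1"), "?y"), "?x")
ASE = (("adec", ("aenc", "?m", ("pk", "?k")), "?k"), "?m")

if __name__ == "__main__":
    for rule in ctxtdrules(*EX6) + ctxtdrules(*ASE):
        print(rule_to_str(rule))
```

For Example 6 the output is the two rules stated above, \([\textsf{K}^{\downarrow}(c(x,y)), \textsf{K}^{\uparrow}(1), \textsf{K}^{\uparrow}(y)] \rightarrow [\textsf{K}^{\downarrow}(x)]\) and \([\textsf{K}^{\downarrow}(b(c(x,y),1)), \textsf{K}^{\uparrow}(y)] \rightarrow [\textsf{K}^{\downarrow}(x)]\); for \(\mathcal{ASE}\) it is exactly the decryption rule of \(\textit{ND}_\mathcal {ASE}\), and for the unpairing rule \(fst(\langle x,y\rangle) \rightarrow x\) it yields the \(\textsf{K}^{\downarrow}\)-only rule of \(\textit{ND}_{\varSigma}\).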

Normal message deduction for non-orientable theories. We combine this with the built-in non-orientable (\(\mathcal {NO}\)) theory of bilinear pairing (\(\mathcal {BP}\)), which includes Diffie-Hellman (\(\mathcal {DH}\)) exponentiation (see [29] for details). We refer by \(\mathcal {ACC}\) to the underlying equational axioms of associativity and commutativity for multiplication, bilinear pairing, and multisets as used in \(\mathcal {DH}\) and \(\mathcal {BP}\). Note that we suppose that the user-defined theory is disjoint from \(\mathcal {DH}\), \(\mathcal {BP}\), and \(\mathcal {ACC}\). We denote by dgraphs(P) the set of all dependency graphs of P. For each dependency graph d we define its trace, called trace(d), as the list of the sets of the actions of the linearization of rule instances in d (see Fig. 1). We say that a fact is in a conclusion in a dependency graph if it appears in the conclusion of any rule instance in the dependency graph, and similarly for premises. As proven in [30, Lemma 4], we have \(trace(exec(P)) =_E \{ trace(dg) | dg \in dgraphs_E(P \cup \textit{MD}) \}\).

Normal Dependency Graphs. We integrate the concept of normal message deduction with construction and deconstruction rules and dependency graphs. This yields eleven normal form conditions to be enforced on dependency graphs, called N1-N11, and detailed in the technical report [17]. We use \(\mathcal {R}_{\mathcal {BP}}\) to refer to the rules resulting from the built-in bilinear pairing theory.

Definition 1

A normal dependency graph for a set of protocol rules P is a dependency graph dg such that \(dg \in dgraphs(\lceil P \rceil _{insts}^{\mathcal {R}_{\mathcal {BP}}} \cup \textit{ND})\) and the conditions N1-N11 are satisfied. We denote the set of all normal dependency graphs for P with ndgraphs(P).

Let \(\overline{tr}\) denote the subsequence, called observable trace, of all actions in a trace tr that are not equal to \(\emptyset \). We have the following proposition which states that executions modulo the equational theory and normal dependency graphs have the same observable traces:

Proposition 1

[29, Corollary 3.20]. For all sets P of protocol rules,

$$ \overline{trace(execs(P\cup \textit{MD}))}\downarrow _{\mathcal {R}_{\mathcal {BP}}} \;\; =_\mathcal {ACC} \;\; \overline{trace(ndgraphs(P))}. $$

Note that by relying on the observable trace we hide the adversary’s deduction steps on both sides, but ensure that security properties (defined on actions) are carried over correctly. This proposition shows that by ordering the \(\textsf {K}\)-facts the adversary does not lose any power, and that we can simplify the deduction using the finite variant property.

3.2 Convergent Equational Theories

Now that we have shown that we can use normal dependency graphs for protocols involving a subterm-convergent theory, we will extend this for convergent theories with the FVP. Let \(\mathcal {CT}\) be such a theory, and \(\mathcal {R}_{\mathcal {CT}}\) the rules \(l\rightarrow r\) induced by its equations.

Remark 1

For all convergent rules \(l\rightarrow r\) there are k and \(p_1, \dots , p_k\) such that \(r \in \mathcal {T}_{\varSigma _\mathcal {CT}}(l|_{p_1},\dots ,l|_{p_k})\). This is due to the right-hand side not introducing new variables.

As running example, we take the blind signature theory \(\mathcal {BS}\) introduced in Example 2, which is used in Chaum’s online protocol for e-cash, and in the FOO and Okamoto protocols for e-voting that we will study in our case studies in Sect. 4.

Example 7

Continuing Example 2 we know that the blind signature permits to sign a blinded message with a secret key and then to unblind the signed blinded message to get the signed message without the blinding. This primitive can be modeled as follows:

$$\varSigma _\mathcal {BS}= \left\{ \begin{array}{c} blind(\_,\_),~~~unblind(\_,\_),~~~sign(\_,\_),~~~checksign(\_,\_),\\ fst (\_),~~~~~~snd(\_),~~~~~~ \langle \_,\_ \rangle , ~~~~~~pk(\_) \end{array} \right\} \quad \text {and} $$
$$ \mathcal {R}_\mathcal {BS}= \left\{ \begin{array}{c} unblind(blind(m,r),r)\rightarrow m,~checksign(sign(m,k),pk(k))\rightarrow m,\\ unblind(sign(blind(m,r),k),r)\rightarrow sign(m,k), \\ fst (\langle x,y \rangle ) \rightarrow x,~~~~~~~ snd (\langle x,y \rangle ) \rightarrow y \end{array} \right\} . $$

The first rule models that blinding and then unblinding a message with the same key gives back the initial message, similar to symmetric encryption. The second rule extracts and verifies the message under a signature, as the signature is not supposed to hide the message. The third one is not a subterm rule and has been explained previously. The last two rules are the usual ones for projection on pairs.

To be as general as possible, we consider the combination of the existing built-in Diffie-Hellman (\(\mathcal {DH}\)) and bilinear pairing (\(\mathcal {BP}\)) theories (note that \(\mathcal {DH}\) is included in \(\mathcal {BP}\)) and allow for disjoint user-defined extensions based on convergent rules. Previously, only subterm-convergent theories could be added to \(\mathcal {DH}\) and \(\mathcal {BP}\). So we consider \( \mathcal {R} _\mathcal {CT'}=\mathcal {R} _\mathcal {CT} \cup \mathcal {R}_\mathcal {BP} \) and the equational theory (where \((\cdot )^\simeq \) turns the rule into an equality)

$$ \mathcal {CT'}=(\varSigma _\mathcal {CT}\cup \varSigma _\mathcal {BP}, \mathcal {R}^\simeq _\mathcal {CT} \cup \mathcal {R}_\mathcal {BP}^\simeq ).$$

We observe that key lemmas for \(\mathcal {BP}\), namely [29, Lemmas 3.10 and 3.11], still hold for \(\mathcal {CT'}\) since the subterm convergence property is not needed in their respective proofs.

The set of message deduction rules \(\textit{MD}\) is defined as given in Sect. 2. To motivate why we derive normal deconstruction rules for convergent equational theories the way we do later, we use the following lemma adapted from [29]. It will also be helpful in the proof of our main theorem later. The lemma states that the adversary can always convert a \(\textsf {K}^{\downarrow }_{}\) fact into a \(\textsf {K}^{\uparrow }_{}\) fact using the coerce rule. We call a deduction extension a dependency graph that has the same trace, state facts, and fresh values as the initial dependency graph, but may include additional intruder deduction rule instances (see the technical report [17] for details).

Lemma 1

[29, Lemma A.15]. For all \(ndg \in ndgraphs(P)\) and conclusion facts \(\textsf {K}^{\downarrow }_{}(m)\), there is a deduction extension \(ndg'\) with a conclusion fact \(\textsf {K}^{\uparrow }_{}(m')\) with \(m=_{ACC}m'\).

We now define common subterms for use in adversary deduction rule derivation.

Definition 2

A common subterm t of a rewriting rule \(l\rightarrow r\) is a term such that there are p and q such that \(t=l|_p=r|_q\).

A common maximal subterm t of a rewriting rule \(l\rightarrow r\) is a common subterm of \(l\rightarrow r\) such that there is no common subterm \(t' \ne t\) such that t is a subterm of \(t'\).

For a given rewriting rule \(l\rightarrow r\) where \(vars(r)\ne \emptyset \), and for which there is a common maximal subterm \(l|_p\), we use the function ctxtdrules to compute the corresponding deconstruction rules. The set of deconstruction rules is given by:

$$\begin{aligned} Ctxtdrules(l,r)=\bigcup _{p\in P(l,r)} ctxtdrules(l,p,r) \end{aligned}$$

where \(P(l,r)= \{ p \mid \exists q , l|_p = r|_q \textit{, and } l|_p = r|_q \textit{ is a maximal common subterm} \}\). The set \(DR_{\mathcal {CT}}\) of deconstruction rules for \(\mathcal {CT}\) is:

$$\begin{aligned} DR_{\mathcal {CT}}=\bigcup _{(l, r) \in \mathcal {R}_{\mathcal {CT}}} Ctxtdrules(l,r) \end{aligned}$$

Thus, we get the set of normal deduction rules \(\textit{ND}_{\mathcal {CT}} = \textit{ND}_{\varSigma _{\mathcal {CT}}} \cup DR_{\mathcal {CT}}.\)

Example 8

We apply this to the blind signature rewriting rule

$$\begin{aligned} unblind(sign(blind(m,r),k),r) \rightarrow sign(m,k). \end{aligned}$$

We have m and k as common maximal subterms on respective positions [1, 1, 1] and [1, 2]. Then we consider the following deconstruction rules:

$$\begin{aligned}&ctxtdrules(l,[1,1,1],r)=\\&\quad \quad \quad \quad \left\{ \begin{array}{l} \dfrac{\textsf {K}^{\downarrow }_{}(blind(m,r))~~\textsf {K}^{\uparrow }_{}(k)~~\textsf {K}^{\uparrow }_{}(r)}{\textsf {K}^{\downarrow }_{}(sign(m,k))}, \dfrac{\textsf {K}^{\downarrow }_{}(sign(blind(m,r),k))~~\textsf {K}^{\uparrow }_{}(r)}{\textsf {K}^{\downarrow }_{}(sign(m,k))} \end{array}\right\} , \\&ctxtdrules(l,[1,2],r)=\left\{ \begin{array}{c} \dfrac{\textsf {K}^{\downarrow }_{}(sign(blind(m,r),k))~~\textsf {K}^{\uparrow }_{}(r)}{\textsf {K}^{\downarrow }_{}(sign(m,k))} \end{array}\right\} . \end{aligned}$$

As two of the three deconstruction rules are identical, we thus get two rules, and \(Ctxtdrules(l,\{[1,1,1],[1,2]\},r)= ctxtdrules(l,[1,1,1],r)\). We show the set \(\textit{ND}_\mathcal {BS}\) of normal deduction message rules for \(\mathcal {BS}\), which contains \(\textit{ND}_{\varSigma _{\mathcal {BS}}}\) and these rules:

$$ \left\{ \begin{array}{c} \quad \dfrac{\textsf {K}^{\downarrow }_{}(blind(m,r))\quad \textsf {K}^{\uparrow }_{}(r)}{\textsf {K}^{\downarrow }_{}(m)} \quad ,\quad \dfrac{\textsf {K}^{\downarrow }_{}(sign(m,k))\quad \textsf {K}^{\uparrow }_{}(pk(k))}{\textsf {K}^{\downarrow }_{}(m)} \\ \\ \dfrac{\textsf {K}^{\downarrow }_{}(blind(m,r))\quad \textsf {K}^{\uparrow }_{}(k)\quad \textsf {K}^{\uparrow }_{}(r)}{\textsf {K}^{\downarrow }_{}(sign(m,k))} \quad ,\quad \dfrac{\textsf {K}^{\downarrow }_{}(sign(blind(m,r),k))\quad \textsf {K}^{\uparrow }_{}(r)}{\textsf {K}^{\downarrow }_{}(sign(m,k))}\\ \\ \end{array} \right\} $$

For an extended example, see the technical report [17].
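The construction from Definition 2 through Example 8 can be run mechanically. The following Python block is an added example, not the paper's or Tamarin's code: it implements common maximal subterms, cprems, ctxtdrules and Ctxtdrules over terms written as nested tuples and applies them to all of \(\mathcal {R}_\mathcal {BS}\). The fact encoding ('Kdown', t) / ('Kup', t), the symbol name pair for \(\langle \_,\_ \rangle \), and the tuple encoding of positions are the example's own conventions. On unblind(sign(blind(m,r),k),r) → sign(m,k) it returns exactly the two deconstruction rules of Example 8; over the five rules it returns the four rules displayed above plus the two pair projections.

```python
"""Deriving normal deconstruction rules (ctxtdrules / Ctxtdrules, Sect. 3.2)
for a convergent rewrite rule l -> r.

Added example, not the paper's or Tamarin's code.  Terms are nested tuples
('f', t1, ..., tn) and variables are plain strings; positions are tuples of
1-based argument indices, so the paper's [1,1,1] is (1, 1, 1).  K_down / K_up
facts are written ('Kdown', t) / ('Kup', t).
"""

def positions(t, here=()):
    """Pre-order enumeration of (position, subterm) pairs of t."""
    yield here, t
    if isinstance(t, tuple):
        for i, arg in enumerate(t[1:], start=1):
            yield from positions(arg, here + (i,))

def subterm_at(t, p):
    for i in p:
        t = t[i]
    return t

def is_subterm(s, t):
    return any(u == s for _, u in positions(t))

def above(p, q):
    """p is above or equal to q, i.e. p is a prefix of q."""
    return q[:len(p)] == p

def variables(t):
    return {u for _, u in positions(t) if isinstance(u, str)}

def common_maximal_positions(l, r):
    """P(l, r): positions p of l such that l|_p is a common maximal subterm
    of l -> r (Definition 2)."""
    common = {u for _, u in positions(l) if is_subterm(u, r)}
    maximal = {t for t in common
               if not any(t2 != t and is_subterm(t, t2) for t2 in common)}
    return [p for p, u in positions(l) if u in maximal]

def cprems(l, p_prime):
    """seq({ K_up(l|_p~) | p~ != [] and p~ has a sibling above or equal to p' })."""
    pos = [p for p, _ in positions(l)]
    prems = []
    for p_t in pos:
        if p_t == ():
            continue
        siblings = [q for q in pos
                    if len(q) == len(p_t) and q[:-1] == p_t[:-1] and q != p_t]
        fact = ('Kup', subterm_at(l, p_t))
        if any(above(s, p_prime) for s in siblings) and fact not in prems:
            prems.append(fact)
    return tuple(prems)

def ctxtdrules(l, p, r):
    """Deconstruction rules for the common maximal subterm at position p of l:
    one rule per position p' strictly above p, p' != []."""
    rules = set()
    for p_prime, sub in positions(l):
        if p_prime != () and len(p_prime) < len(p) and above(p_prime, p):
            rules.add(((('Kdown', sub),) + cprems(l, p_prime), ('Kdown', r)))
    return rules

def Ctxtdrules(l, r):
    """Union over all common maximal subterm positions; none when vars(r) is empty."""
    if not variables(r):
        return set()
    rules = set()
    for p in common_maximal_positions(l, r):
        rules |= ctxtdrules(l, p, r)
    return rules

# R_BS of Example 7, with <_,_> written as the symbol pair.
R_BS = [
    (('unblind', ('blind', 'm', 'r'), 'r'), 'm'),
    (('checksign', ('sign', 'm', 'k'), ('pk', 'k')), 'm'),
    (('unblind', ('sign', ('blind', 'm', 'r'), 'k'), 'r'), ('sign', 'm', 'k')),
    (('fst', ('pair', 'x', 'y')), 'x'),
    (('snd', ('pair', 'x', 'y')), 'y'),
]

def DR(rules=R_BS):
    """DR_CT: the union of Ctxtdrules over a whole rule set."""
    out = set()
    for l, r in rules:
        out |= Ctxtdrules(l, r)
    return out

def show(t):
    if isinstance(t, str):
        return t
    if t[0] == 'pair':
        return '<%s,%s>' % (show(t[1]), show(t[2]))
    return '%s(%s)' % (t[0], ','.join(show(a) for a in t[1:]))

def show_rule(rule):
    prems, concl = rule
    fact = lambda f: '%s(%s)' % (f[0], show(f[1]))
    return ', '.join(fact(f) for f in prems) + '  --[]->  ' + fact(concl)

if __name__ == '__main__':
    for l, r in R_BS:
        print(show(l), '->', show(r))
        for rule in sorted(Ctxtdrules(l, r), key=show_rule):
            print('   ', show_rule(rule))
```

The sibling test in cprems is implemented literally from the definition; it is what makes \(\textsf {K}^{\uparrow }(r)\) appear as a premise for \(p' = [1,1]\) (the outer r at position [2] has the sibling [1] above \(p'\)) while the inner r at [1,1,2] does not contribute. Since seq only fixes an order, duplicate facts are dropped.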

3.3 Further Restrictions – Normal Form Conditions

The need for additional normal-form conditions will become apparent with the following example using the equational theory for trapdoor commitments, needed for instance in Okamoto’s voting protocol [26]. Trapdoor commitments are commitments that can be opened to return a different value than the one initially committed, using a special trapdoor. This is used to create fake receipts (see Sect. 4.3). To model the algebraic properties of trapdoor commitments, we use the equational presentation \(\mathcal {BSTDC}_0=(\varSigma _\mathcal {BSTDC},\mathcal {R}^\simeq _{\mathcal {BSTDC}_0})\) where

$$\begin{aligned} \varSigma _\mathcal {BSTDC}=\varSigma _\mathcal {BS}\cup \{tdcommit(\_,\_,\_), open(\_,\_), f(\_,\_,\_,\_)\} \end{aligned}$$

and the rules are

$$\mathcal {R}_{\mathcal {BSTDC}_0}=\mathcal {R}_\mathcal {BS}\cup \left\{ \begin{array}{c} open(tdcommit(m,r,td),r)\rightarrow m, \\ tdcommit( m_2,f(m_1,r,td,m_2), td ) \rightarrow tdcommit(m_1,r,td) \end{array} \right\} .$$

Note that the second equation is not subterm convergent as \(tdcommit(m_1,r,td)\) is not a subterm of \(tdcommit( m_2,f(m_1,r,td,m_2), td )\). Equations in \(\mathcal {R}^\simeq _{\mathcal {BSTDC}_0}\) model that the voter is able to replace \(m_2\) by \(m_1\) in his commitment, which is crucial to achieve the receipt-freeness property. Simply orienting the equations in \(\mathcal {R}^\simeq _{\mathcal {BSTDC}_0}\) yields a non-confluent rewrite system though. Instead, we extend it to obtain a convergent system:

$$\mathcal {R}_\mathcal {BSTDC}=\mathcal {R}_{\mathcal {BSTDC}_0} \cup \left\{ \begin{array}{c} open(tdcommit(m_1,r,td),f(m_1,r,td,m_2))\rightarrow m_2, \\ f(m_1, f (m, r, td, m_1), td, m_2)\rightarrow f (m, r, td, m_2) \end{array} \right\} .$$

Again, the last equation is not subterm convergent. We then compute the normal deconstruction rules as specified before. One of the resulting normal deconstruction rules is as follows and essentially shows that when one knows the previous content \(m_1\) and the trapdoor td, one can replace the content by \(m_2\):

$$\begin{aligned} \dfrac{\textsf {K}^{\downarrow }_{}(f(m,r,td,m_1))~~\textsf {K}^{\uparrow }_{}(m_1)~~\textsf {K}^{\uparrow }_{}(td)~~\textsf {K}^{\uparrow }_{}(m_2)}{\textsf {K}^{\downarrow }_{}(f(m,r,td,m_2))} \end{aligned}$$

We see that applying this rule naively again and again can lead to an infinite loop, the start of which is shown in Fig. 4. Even though nothing changes except for the adversary-injected last argument, this leads to a looping behavior which we address next. The problem is that the conclusion \(\textsf {K}^{\downarrow }_{}\) term unifies with the premise \(\textsf {K}^{\downarrow }_{}\) term.

Fig. 4. Loop using f.

Normal Form Conditions to Prevent Loops. As we have seen, convergent equational theories give rise to a special case where we need to add a new normal form condition to help termination. For an equation \(l=r\), the right-hand side r of the equation may be unifiable with a strict subterm \(l|_p\), \(p\ne []\) of the left-hand side. This can also occur in the subterm-convergent case, but there we have equality of \(l|_p = r\), and an existing normal-form condition forbidding to derive the same adversary knowledge more than once (N3, see the technical report [17]) effectively prevents this problem.

In terms of adversary deduction (i.e., deconstruction rules) the above example of the trapdoor commitment shows that the right-hand \(\textsf {K}^{\downarrow }_{}\) term is unifiable with the left-hand \(\textsf {K}^{\downarrow }_{}\) term. This then leads to the infinite chain illustrated in Fig. 4. The normal form condition to not derive the same term repeatedly does not apply, as the adversary adds in a different value each time. For the convergent theory case where such unification is possible the resulting derivation rule can thus be repeatedly applied as the derived knowledge does indeed change each time because \(l|_p \ne r\). As one can see in the example, one does not actually need to apply the rule repeatedly to its intermediate results, but can rather apply it to the original term with different premises to get the same final result in one step. Thus we will now explain and prove that no chain (beyond a certain length) of applications of this rule are needed in general.

As the given convergent equational theory is by definition required to be terminating, there is a limit n for how often one needs to apply this rule in general. A conservative bound for n is the number of subterms of \(l|_p\). Intuitively, with each application, some part of the original content of the term must be removed (due to termination), and if this has been done n times, no original subterm (of the initial term before applying this rule the first time) remains, and all the subterms are known to the adversary as \(\textsf {K}^{\uparrow }_{}\) terms. Thus, instead of using this deconstruction rule, the adversary can simply use the construction rule for the root symbol and apply it to all the known subterms in the result of the deconstruction rule chain.

Example 9

Let us show with a simple example that this bound is really needed. For the equational theory with two function symbols h/2 and f/3 and the single equation:

$$\begin{aligned} h(f(x_1, x_2, x_3), z) = f(x_2, x_3, z) \end{aligned}$$

we get one deconstruction rule:

$$\begin{aligned} \dfrac{\textsf {K}^{\downarrow }_{}(f(x_1,x_2,x_3))~~~~\textsf {K}^{\uparrow }_{}(z)}{\textsf {K}^{\downarrow }_{}(f(x_2,x_3,z))} \end{aligned}$$

For this rule the conclusion \(\textsf {K}^{\downarrow }_{}\)-term obviously unifies with that in the premises. Now if the adversary receives \(f(a,b,c)\) intuitively it should be possible to derive \(f(c,x,y)\), for some x, y of the adversary’s choosing, but using just one application of the deconstruction rule this is not possible. If we permit two applications on the other hand, it can be derived as expected.

Note that in the previous example, we can give f an arbitrary number of arguments and the form of the deconstruction rule will stay the same, so we need to permit the use of the deconstruction rule up to \(n-1\) times, for n the number of strict subterms of the \(\textsf {K}^{\downarrow }_{}\)-term of the premises. Note that this number is of course fixed by the input equational theory and can thus be easily computed.

This leads us to define a new normal form condition:

Definition 3

N12. There is no chain of nodes repeatedly instantiating a rule of the form \(\textsf {K}^{\downarrow }(l|_p), \textsf {K}^{\uparrow }(t_1), \ldots ,\textsf {K}^{\uparrow }(t_i) -\!\![]\!\!\!\rightarrow \textsf {K}^{\downarrow }(r)\) of length at least equal to the number of subterms of \(l|_p\), if \(l|_p\) and r are unifiable.

This limits the length of chains of derivation with such rules as motivated above. Do note that for the case of equality, i.e., \(r = l|_p\), this does not add a restriction as there the condition “to not derive the same term more than once” is already in effect.

Note that in general we cannot guarantee termination for the intruder deduction as even for the class of optimally reducing convergent rewrite systems (which have the finite variant property) the deducibility problem is undecidable [2].
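The chain argument of Example 9 and the bound of N12 can be checked concretely. The following Python block is an added example, not the paper's code: it hard-codes the single deconstruction rule of Example 9 (drop the first argument of f, append the adversary-chosen \(\textsf {K}^{\uparrow }\) value), follows a chain of applications from a received term, and reports which strict subterms of the original term survive after each step. As the text notes, the rule keeps its shape for f of any arity, so the step function is written for any arity; the term encoding (nested tuples, 0-arity tuples as names) is the example's own.

```python
"""The deconstruction-rule chain of Example 9 and the bound behind N12.

Added example, not the paper's code.  Terms are nested tuples ('f', t1, ...);
0-arity tuples such as ('a',) are names.  The single equation of Example 9,
h(f(x1,x2,x3), z) = f(x2,x3,z), yields the deconstruction rule
    K_down(f(x1,x2,x3)), K_up(z) --[]--> K_down(f(x2,x3,z)),
which decon_step applies.  As noted in the text the rule keeps its shape for
f of any arity, so decon_step drops the first argument whatever the arity.
"""

def decon_step(known_down, z):
    """One application of the rule: drop the first argument of f and append
    the adversary-chosen (K_up) value z.  None if the premise does not match."""
    if known_down[0] != 'f' or len(known_down) < 2:
        return None
    return ('f',) + known_down[2:] + (z,)

def strict_subterms(t):
    """Set of strict subterms of t (a name has none)."""
    out = set()
    for a in t[1:]:
        out.add(a)
        out |= strict_subterms(a)
    return out

def chain(start, adversary_values):
    """K_down terms reachable by applying the rule once per adversary value."""
    terms = [start]
    for z in adversary_values:
        nxt = decon_step(terms[-1], z)
        if nxt is None:
            break
        terms.append(nxt)
    return terms

def steps_needed(start, target, adversary_values):
    """Chain length at which target first appears, or None if it never does."""
    ch = chain(start, adversary_values)
    return ch.index(target) if target in ch else None

def original_left(term, start):
    """Strict subterms of the original K_down term that survive in term."""
    return strict_subterms(term) & strict_subterms(start)

def n12_bound(start):
    """Applications that can ever be needed: n - 1, for n the number of
    (distinct) strict subterms of the K_down premise.  After n applications
    every argument is adversary-chosen, so the construction rule for f
    produces the same term from K_up facts and the chain is unnecessary."""
    return len(strict_subterms(start)) - 1

if __name__ == '__main__':
    start = ('f', ('a',), ('b',), ('c',))
    print('bound:', n12_bound(start))
    for k, t in enumerate(chain(start, [('x',), ('y',), ('w',)])):
        print(k, t, 'original left:', sorted(original_left(t, start)))
```

For \(f(a,b,c)\) the bound is 2: deriving \(f(c,x,y)\) takes exactly two applications, while a third application leaves no original subterm, which is the situation the proof sketch of Theorem 1 resolves with the construction rule. The same run with a four-argument f gives a bound of 3.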

We next present the key theorem that states that the traces of dependency graphs modulo the equational theory and normal dependency graphs do actually coincide. This is an extension of the version for subterm-convergent theories [29, Lemma 3.19] to the convergent case:

Theorem 1

For all sets P of protocol rules,

$$\begin{aligned}&\{\overline{trace(dg)} \mid dg \in dgraphs(\lceil P \cup \textit{MD}\rceil _{insts}^{\mathcal {CT'}})\wedge dg \downarrow _\mathcal {CT'}\text {-}normal\} =\\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \overline{trace(ndgraphs(P))}. \end{aligned}$$

We give the full proof in the technical report [17], and present a short sketch highlighting the key points here.

Proof

(Sketch). We need to show that the traces of the normal and non-normal dependency graphs coincide. As protocol rules can be used for dependency graphs and normal dependency graphs, the interesting part is the message deduction. Moreover, send and receive rules are available in both, so we have to analyze the construction and deconstruction rules.

For construction rules, there is always a normal version available due to Lemma 1 which allows us to obtain all knowledge in \(\textsf {K}^{\uparrow }_{}\) format. The remaining case is the one where the output of the rule requires use of the equational theory, and here we focus on the deconstruction rules for convergent equations as all other rules are covered by the old proof from [29]. Here, generalizing the old proof, we can rely on a lemma stating that for any unknown subterm there is a position above, such that the subterm at that position appears as a \(\textsf {K}^\downarrow \)-fact, allowing us to apply our new deconstruction rules.

For the new restriction N12 the interesting case is when a derivation is possible in the regular dependency graph by using the deconstruction rule n times (n being the number of strict subterms), which is forbidden in the normal dependency graph. Our key observation is that the result of n derivations with such a deconstruction rule can be created by applying a construction rule for the operator as all subterms are known in \(\textsf {K}^{\uparrow }_{}\) by the deconstruction rule structure.

4 Case Studies

The new version of Tamarin together with the code used for the case studies is available on github [31, case studies in examples/post17/].

4.1 Chaum’s Online e-Cash Protocol

Chaum’s Online e-cash protocol allows a client to withdraw a coin blindly from the bank, and then spend it later in a payment without being traced even by the bank. The protocol is “on-line” in the sense that the seller does not accept the payment before contacting the bank to verify that the coin has not been deposited before, to prevent double spending [11].

We have three roles, the client C, the bank B and the seller S. In a first phase, the withdrawal phase, the client C blinds a coin x and sends it to the bank B. The bank deducts the money from the client’s account, signs blindly the coin and sends the signature to the client. Then, in a second phase, the client unblinds the signature, and sends the coin x and the signature of x to the seller S who checks if the signature is correct. Then it sends the coin to the bank, which responds on a private channel with payment approval if the coin had not been deposited. Then the seller accepts the coin.

$$\begin{aligned} \begin{array}{lcll} C & \longrightarrow & B & : blind(x,r)\\ B & \longrightarrow & C & : sign(blind(x,r),skB) \\ C & \longrightarrow & S & : \langle x, sign(x,skB)\rangle \\ S & \longrightarrow & B & : \langle x, sign(x,skB)\rangle \\ B & \xrightarrow [priv]{} & S & : x \end{array} \end{aligned}$$

We use the equational theory for blind signatures from Example 2.

Unforgeability. Unforgeability ensures that, in an e-cash protocol, a client is unable to create a coin without involving the bank, resulting in a fake coin, or to spend a valid coin he withdrew from the bank twice [18]. We express unforgeability as follows:

$$\begin{aligned} \forall j, x .\ Spend (x)@j \Rightarrow ( \exists i . Withdraw (x)@i \wedge i \lessdot j \wedge \lnot (\exists l. Spend (x)@l \wedge l \not \doteq j )) \end{aligned}$$

When verifying the protocol Tamarin returns an attack that allows the client to withdraw multiple coins if the bank does not verify the correct format of the coin. This works as follows: the client submits \(blind(blind(x,r_1),r_2)\) to the bank, which signs it. The client obtains a first valid coin \(sign(blind(x,r_1),skB)\) by unblinding once, and a second coin \(sign(x,skB)\) by unblinding again. He can spend both of them, although he should only have one valid coin. This attack can be prevented by the bank verifying the correct format of the coin before signing it. A similar problem arises when the seller receives a coin. After correcting both issues, Tamarin manages to prove unforgeability, which was previously not possible in ProVerif [18] due to problems in modeling the state of the bank, which needs to keep track of all previously spent coins.

Anonymity and Untraceability. Anonymity and untraceability (called Weak and Strong Anonymity in [18]) are defined as observational equivalence properties. To define anonymity, we consider two clients \(C_1\) and \(C_2\) and the case where both of them withdraw a coin from the same bank, but only one of them makes a purchase. Anonymity is the property guaranteeing that neither the bank nor the seller are able to distinguish the case where \(C_1\) makes the purchase from the case where it is \(C_2\) who makes it.

For untraceability, we also consider two clients \(C_1\) and \(C_2\) and the case where both of them withdraw two coins and both spend the first coin, but only one of them makes a second purchase. Untraceability guarantees that neither the bank nor the seller are able to know whether \(C_1\) or \(C_2\) makes the second purchase.

To ensure anonymity, we have to add a synchronization point to synchronize both clients after the coin withdrawal, as the adversary can otherwise trace one of them. In that case, Tamarin can prove both anonymity and untraceability.

4.2 The FOO Voting Protocol

The FOO (for Fujioka, Okamoto and Ohta) voting protocol [21] allows a voter to publish a vote signed by the administration without being identified, even by the administrator. The protocol is designed to ensure that each published vote has been signed by the administrator guaranteeing eligibility, and at the same time ensuring anonymity of the voter even with respect to the administrator.

We consider three roles, the voter V, the administrator A, and the collector C. The protocol is split into three phases.

  • In the first phase the administrator signs the voter’s commitment to his vote: voter V chooses his vote v and computes a commitment \(x=commit(v,r)\) for a random key r. He blinds the commitment using a random value b and obtains \(e=blind(x,b)\). Then he signs e and sends the signature \(sb_V=sign(e,ltkV)\) together with e and his identity to the administrator. The administrator checks if V has the right to vote and has not yet voted, and if the signature \(sb_V\) is correct. If all tests succeed, he signs \(sb_A=sign(e,ltkA)\) and sends it back to V. V checks the signature, and unblinds it to obtain \(s_A=unblind(sb_A,b) =sign(x,ltkA)\).

  • In the second phase, the voter submits his ballot: voter V sends \((x,s_A)\) to the collector C through an anonymous channel. The collector checks the administrator’s signature and enters \((x,s_A)\) as the l-th entry into a list.

  • When all ballots are cast the counting phase begins: the collector publishes the list of correct ballots. V verifies that his commitment appears on the list and sends \((l,r)\) to C using an anonymous channel. The collector C opens the l-th ballot using r and publishes the vote.

To model commitments, we use the equational theory \(\mathcal {BSC}=(\varSigma _\mathcal {BSC},\mathcal {R}^\simeq _\mathcal {BSC})\) where \(\varSigma _\mathcal {BSC}=\varSigma _\mathcal {BS}\cup \{commit(\_,\_), open(\_,\_)\}\) and

$$\mathcal {R}_\mathcal {BSC}=\mathcal {R}_\mathcal {BS}\cup \{ open(commit(m,r),r)\rightarrow m\}.$$

Eligibility. Eligibility ensures that, if a vote is published by the collector, then its commitment has been signed by the administration, denoted by the \( Registered \) action. This is expressed as follows, and automatically verified by Tamarin:

$$\begin{aligned} \forall v, j .&VotePublished (v)@j \Rightarrow \\&( \exists b, r, i . Registered (blind(commit(v,r),b))@i \wedge i \lessdot j) \end{aligned}$$

Vote Privacy. Following [16], to define vote privacy, we consider two voters \(V_1\) and \(V_2\) and the case where both of them commit a different vote, for example yes and no. Vote privacy is the property guaranteeing that neither the administrator nor the collector can distinguish the case where \(V_1\) votes for yes from the case where he votes for no (and \(V_2\) votes no or yes, so that there is one vote for yes and one for no in both cases) [16]. Again, we need to add synchronization to prevent trivial attacks, but then Tamarin verifies observational equivalence for FOO.

4.3 The Okamoto Protocol

The Okamoto protocol [26] is similar to the FOO protocol, but it uses trapdoor commitments and it involves a timeliness member (i.e., a trusted third party) to achieve Receipt-Freeness. Receipt-Freeness means that a voter cannot construct a receipt proving to somebody else that he voted for a certain candidate, in order to prevent vote-buying.

The protocol works as follows. The first phase, during which the voter obtains a signature on his commitment x, is the same as for the FOO protocol, except that x is a trapdoor commitment.

  • In the second phase the vote is submitted; the voter V sends the signed trapdoor commitment to the collector through an anonymous channel. The collector checks the administrator’s signature and enters \(( x ,s_A )\) into a list. The voter sends \((v,r,x)\) to the timeliness member T through a secure anonymous channel.

  • When all ballots are cast the counting phase begins: the collector publishes the list of correct ballots. V verifies that his commitment appears on the list. The timeliness member publishes the randomly shuffled list of votes.

To model the algebraic properties of trapdoor commitments, we use again the signature \(\mathcal {R}_{\mathcal {BSTDC}}\) defined in Sect. 3.3. We can show eligibility using the same property as for FOO, and Tamarin succeeds in proving the property. We can also show vote privacy using the same approach as for FOO.

Receipt-Freeness. Following [16], to model receipt-freeness, we compare a case where a voter \(V_1\) votes yes and honestly sends all his secret values (the blinding factor, the trapdoor, his secret keys, and so on) as a receipt, to the case where he votes no and sends fake values instead. If an adversary cannot distinguish both cases, then the voter cannot produce a meaningful receipt.

In the case of the Okamoto protocol, the trapdoor allows the voter to open his commitment differently to fool the adversary. In the first case, he reveals his vote yes, his blinding factor r, the trapdoor td and his secret signing key ltkV (used in his first message to the administrator). In the second case, he still reveals yes (although he voted no), a newly generated blinding factor \(f(no,r,td,yes)\) (instead of r), the trapdoor td and his secret signing key ltkV. In both cases, we have that

$$\begin{aligned}&open(tdcommit(yes,r,td),r,td) = yes\\&\qquad \qquad \qquad \qquad \qquad = open(tdcommit(no,r,td),f(no, r, td, yes),td) \end{aligned}$$

thus to the adversary it looks like the voter voted yes in both cases.

With our extension and the new normal form condition, Tamarin proves that both cases are observationally equivalent, showing that the Okamoto protocol guarantees receipt-freeness.
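Both case-study observations, the nested-blinding attack of Sect. 4.1 and the fake receipt of Sect. 4.3, are consequences of the rewrite rules alone and can be replayed by plain term rewriting. The following Python block is an added example, not the paper's or Tamarin's code: it normalizes terms under \(\mathcal {R}_\mathcal {BSTDC}\) (innermost rewriting, which terminates since the system is convergent), derives the two coins obtained from one bank signature, evaluates the unforgeability formula of Sect. 4.1 on a constructed trace, and shows that the honest and the faked receipt both open to yes. The term encoding is the example's own; open is used with the two arguments declared in Sect. 3.3; and bank_accepts / seller_accepts are an assumed symbolic rendering of the paper's "verify the correct format of the coin" check, not a concrete mechanism from the paper.

```python
"""Replaying the Sect. 4.1 and 4.3 observations by rewriting under R_BSTDC.

Added example, not the paper's or Tamarin's code.  Terms are nested tuples
('f', t1, ..., tn); 0-arity tuples such as ('x',) are names and plain strings
are rule variables.  'open' is binary as declared in Sect. 3.3.  The format
checks in bank_accepts / seller_accepts are an assumed symbolic rendering of
the paper's "verify the correct format of the coin", not a concrete mechanism.
"""

def match(pattern, term, subst=None):
    """Syntactic matching of a (possibly non-linear) pattern against a term."""
    subst = {} if subst is None else subst
    if isinstance(pattern, str):                     # rule variable
        if pattern in subst:
            return subst if subst[pattern] == term else None
        subst[pattern] = term
        return subst
    if term[0] != pattern[0] or len(term) != len(pattern):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst

def instantiate(pattern, subst):
    if isinstance(pattern, str):
        return subst[pattern]
    return (pattern[0],) + tuple(instantiate(a, subst) for a in pattern[1:])

# R_BS (Sect. 3.2) extended with the convergent trapdoor commitment rules (Sect. 3.3).
R_BSTDC = [
    (('unblind', ('blind', 'm', 'r'), 'r'), 'm'),
    (('checksign', ('sign', 'm', 'k'), ('pk', 'k')), 'm'),
    (('unblind', ('sign', ('blind', 'm', 'r'), 'k'), 'r'), ('sign', 'm', 'k')),
    (('fst', ('pair', 'x', 'y')), 'x'),
    (('snd', ('pair', 'x', 'y')), 'y'),
    (('open', ('tdcommit', 'm', 'r', 'td'), 'r'), 'm'),
    (('tdcommit', 'm2', ('f', 'm1', 'r', 'td', 'm2'), 'td'), ('tdcommit', 'm1', 'r', 'td')),
    (('open', ('tdcommit', 'm1', 'r', 'td'), ('f', 'm1', 'r', 'td', 'm2')), 'm2'),
    (('f', 'm1', ('f', 'm', 'r', 'td', 'm1'), 'td', 'm2'), ('f', 'm', 'r', 'td', 'm2')),
]

def normalize(term, rules=R_BSTDC):
    """Innermost rewriting to normal form; terminates because the system is convergent."""
    if len(term) == 1:                               # a name
        return term
    term = (term[0],) + tuple(normalize(a, rules) for a in term[1:])
    for lhs, rhs in rules:
        s = match(lhs, term)
        if s is not None:
            return normalize(instantiate(rhs, s), rules)
    return term

def is_name(t):
    return isinstance(t, tuple) and len(t) == 1

# --- Sect. 4.1: one bank signature, two coins ------------------------------
X, R1, R2, SKB = ('x',), ('r1',), ('r2',), ('skB',)

def nested_blinding_coins(x=X, r1=R1, r2=R2, skb=SKB):
    """The bank signs blind(blind(x,r1),r2); unblinding once and twice gives two coins."""
    signed = ('sign', ('blind', ('blind', x, r1), r2), skb)
    coin1 = normalize(('unblind', signed, r2))       # sign(blind(x,r1), skB)
    coin2 = normalize(('unblind', coin1, r1))        # sign(x, skB)
    return coin1, coin2

def bank_accepts(request):
    """Assumed format check before signing: blind(x, r) with an atomic coin x."""
    return request[0] == 'blind' and len(request) == 3 and is_name(request[1])

def seller_accepts(coin, sig, pk_bank):
    """Assumed check: the signature verifies and the coin is atomic, not a blinded term."""
    return normalize(('checksign', sig, pk_bank)) == coin and is_name(coin)

def unforgeability_violations(trace):
    """Timepoints j of Spend(x)@j violating the unforgeability formula of Sect. 4.1
    on a constructed trace given as a list of (action, coin); index = timepoint."""
    bad = []
    for j, (act, x) in enumerate(trace):
        if act != 'Spend':
            continue
        withdrawn = any(a == 'Withdraw' and y == x and i < j for i, (a, y) in enumerate(trace))
        spent_twice = any(a == 'Spend' and y == x and l != j for l, (a, y) in enumerate(trace))
        if not withdrawn or spent_twice:
            bad.append(j)
    return bad

# --- Sect. 4.3: the trapdoor lets a fake receipt open to the claimed vote ---
YES, NO, R, TD = ('yes',), ('no',), ('r',), ('td',)

def receipts_agree():
    """Honest receipt (voted yes, reveals r) and faked receipt (voted no,
    reveals f(no,r,td,yes)); both open to yes."""
    honest = normalize(('open', ('tdcommit', YES, R, TD), R))
    faked = normalize(('open', ('tdcommit', NO, R, TD), ('f', NO, R, TD, YES)))
    return honest, faked

if __name__ == '__main__':
    c1, c2 = nested_blinding_coins()
    print('coins from one signature:', c1, c2)
    print('bank accepts nested blinding:', bank_accepts(('blind', ('blind', X, R1), R2)))
    print('violations:', unforgeability_violations(
        [('Withdraw', ('blind', X, R1)), ('Spend', ('blind', X, R1)), ('Spend', X)]))
    print('receipts open to:', receipts_agree())
```

On the constructed trace the bank records the withdrawal of the coin it actually signed, \(blind(x,r_1)\), so the later Spend(x) has no matching Withdraw and the formula reports it; with the assumed format checks in place neither the nested request nor the blinded coin \(blind(x,r_1)\) is accepted, which is the correction after which the paper reports that Tamarin proves unforgeability.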

4.4 Prefix Property: Denning-Sacco and Needham-Schroeder Protocols

The prefix property models the fact that in certain cryptographic schemes (like CBC) one can extract from encrypted messages their encrypted prefix: given the ciphertext \(enc(\langle x,y\rangle ,k)\), one can deduce its prefix \(enc(x,k)\). For more details see [14].

Using this property, a confusion attack exists for the Denning-Sacco symmetric key protocol with CBC and the key secrecy is violated for the Needham-Schroeder symmetric key protocol with CBC. These are known attacks, but they can now be automatically exhibited with Tamarin. As the equational theory for prefix extraction (see Eq. (1)) is not subterm-convergent, these protocols could not have been analyzed without our new extension.

The equational theory under consideration is that of symmetric encryption (enc) and decryption (dec), permitting one to decrypt an encrypted message with the right key: \(dec(enc(m,k),k)=m\). We add an additional operator \( prefix \) to the signature which allows one to extract the first part of an encrypted message as encrypted ciphertext under the same key:

$$\begin{aligned} prefix (enc(\langle x,y\rangle ,k)) = enc(x,k) \end{aligned} \qquad (1)$$

We use this theory to model and analyze the Denning-Sacco and Needham-Schroeder protocols. The results are reported in the table below and the details for both are available in the technical report [17].

4.5 Summary of Case Studies

Altogether, the case studies presented show that the expansion of admissible equational theories for the Tamarin prover is quite general and useful for many, very different protocols. Table 1 presents our verification results.

Table 1. Summary of case study results. Timings are done on a standard dual-core laptop (requiring less than 8 GB RAM) and include precomputations.

5 Conclusion

In this paper, we significantly extend the scope of the protocols that can be handled by the Tamarin prover: we allow users to specify arbitrary convergent equational theories that have the finite variant property. This extension strictly generalizes the original theory underlying the Tamarin prover which is restricted to subterm convergent theories. From a more technical side, we generalize the theory for dealing with message deduction, introduce a new normal form condition on dependency graphs to avoid non-termination issues and prove the completeness of the generalized normal message deduction rules and additional normal form condition. All our results have been implemented in the Tamarin prover and their effective applicability is demonstrated on several, quite different case studies: Chaum’s digital cash protocol, the FOO and Okamoto e-voting protocols, and consideration of a prefix property for encryption in two classical authentication protocols.

An interesting line for future work is to add more support for equational theories that have associative-commutative operators, such as the built-in theory for Diffie-Hellman and bilinear pairings. Including support for exclusive or (xor) seems particularly challenging. Backward reasoning on the message deduction for xor leads easily to non-termination. We however believe that our new normal form condition may serve as a promising starting point for this extension.