Selecting Theories and Recursive Protocols

  • Tomasz Truderung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3653)


Many decidability results are known for non-recursive cryptographic protocols, where the protocol steps can be expressed by simple rewriting rules. Recently, a tree transducer-based model was proposed for recursive protocols, where the protocol steps involve some kind of recursive computations. This model has, however, some limitations: (1) rules are assumed to have linear left-hand sides (so no equality tests can be performed), (2) only a finite amount of information can be conveyed from one receive-send action to the next ones. It has been proven that, in this model, relaxing these assumptions leads to undecidability.

In this paper, we propose a formalism, called selecting theories, which extends the standard non-recursive term rewriting model and allows participants to compare and store arbitrary messages. This formalism can model recursive protocols, where participants, in each protocol step, are able to send a number of messages unbounded w.r.t. the size of the protocol. We prove that insecurity of protocols with selecting theories is decidable in NEXPTIME.


Keywords: Atomic Formula; Predicate Symbol; Cryptographic Protocol; Stage Theory; Protocol Step





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Tomasz Truderung: LORIA-INRIA-Lorraine, France; Institute of Computer Science, Wrocław University, Poland
