European Symposium on Research in Computer Security

Computer Security -- ESORICS 2015 pp 230-251 | Cite as

Checking Trace Equivalence: How to Get Rid of Nonces?

  • Rémy Chrétien
  • Véronique Cortier
  • Stéphanie Delaune
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9327)


Security protocols can be successfully analysed using formal methods. When proving security in symbolic settings for an unbounded number of sessions, a typical technique consists in abstracting away fresh nonces and keys by a bounded set of constants. While this abstraction is clearly sound in the context of secrecy properties (for protocols without else branches), this is no longer the case for equivalence properties.

In this paper, we study how to soundly get rid of nonces in the context of equivalence properties. We show that nonces can be replaced by constants provided that each nonce is associated to two constants (instead of typically one constant for secrecy properties). Our result holds for deterministic (simple) protocols and a large class of primitives that includes e.g. standard primitives, blind signatures, and zero-knowledge proofs.


  1. 1.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: 28th Symposium on Principles of Programming Languages (POPL 2001). ACM Press (2001)Google Scholar
  2. 2.
    Amadio, R.M., Charatonik, W.: On name generation and set-based analysis in the dolev-yao model. In: Brim, L., Jančar, P., Křetínský, M., Kučera, A. (eds.) CONCUR 2002. LNCS, vol. 2421, pp. 499–514. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  3. 3.
    Armando, A., et al.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  4. 4.
    Beurdouche, B., et al.: A messy state of the union: Taming the composite state machines of tls. In: IEEE Symposium on Security & Privacy 2015 (Oakland 2015). IEEE (2015)Google Scholar
  5. 5.
    Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: 14th Computer Security Foundations Workshop (CSFW 2001). IEEE Computer Society Press (2001)Google Scholar
  6. 6.
    Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. In: 20th Symposium on Logic in Computer Science (2005)Google Scholar
  7. 7.
    Blanchet, B., Podelski, A.: Verification of cryptographic protocols: tagging enforces termination. In: Gordon, A.D. (ed.) FOSSACS 2003. LNCS, vol. 2620, pp. 136–152. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  8. 8.
    Bruso, M., Chatzikokolakis, K., den Hartog, J.: Formal verification of privacy for RFID systems. In: 23rd Computer Security Foundations Symposium (CSF 2010) (2010)Google Scholar
  9. 9.
    Chrétien, R., Cortier, V., Delaune, S.: From security protocols to pushdown automata. In: Fomin, F.V., Freivalds, R., Kwiatkowska, M., Peleg, D. (eds.) ICALP 2013, Part II. LNCS, vol. 7966, pp. 137–149. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  10. 10.
    Delaune, S., Chrétien, R., Cortier, V.: Typing messages for free in security protocols: the case of equivalence properties. In: Baldan, P., Gorla, D. (eds.) CONCUR 2014. LNCS, vol. 8704, pp. 372–386. Springer, Heidelberg (2014) Google Scholar
  11. 11.
    Chrétien, R., Cortier, V., Delaune, S.: Checking trace equivalence: how to get rid of nonces? Research report LSV-15-07. Laboratoire Spécification et Vérification, ENS Cachan, France (2015)Google Scholar
  12. 12.
    Chrétien, R., Cortier, V., Delaune, S.: Decidability of trace equivalence for protocols with nonces. In: Proceedings of the 28th IEEE Computer Security Foundations Symposium (CSF 2015). IEEE Computer Society Press (June 2015, to appear)Google Scholar
  13. 13.
    Comon-Lundh, H., Cortier, V.: New decidability results for fragments of first-order logic and application to cryptographic protocols. In: Nieuwenhuis, R. (ed.) RTA 2003. LNCS, vol. 2706, pp. 148–164. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  14. 14.
    Comon-Lundh, H., Cortier, V.: Security properties: two agents are sufficient. In: Degano, P. (ed.) ESOP 2003. LNCS, vol. 2618, pp. 99–113. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  15. 15.
    Comon-Lundh, H., Cortier, V.: Computational soundness of observational equivalence. In: 15th ACM Conference on Computer and Communications Security (CCS 2008). ACM Press (2008)Google Scholar
  16. 16.
    Cortier, V., Smyth, B.: Attacking and fixing helios: an analysis of ballot secrecy. J. Comput. Secur. 21(1), 89–148 (2013)CrossRefGoogle Scholar
  17. 17.
    Cremers, C.J.F.: The scyther tool: verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  18. 18.
    Delaune, S., Kremer, S., Ryan, M.D.: Verifying privacy-type properties of electronic voting protocols. J. Comput. Secur. 4, 435–487 (2008)MATHGoogle Scholar
  19. 19.
    Dershowitz, N., Jouannaud, J.-P.: Rewrite systems. In: van Leeuwen, J. (ed.) Handbook of Theoretical Computer Science. Elsevier, The Netherlands (1990) Google Scholar
  20. 20.
    Durgin, N., Lincoln, P., Mitchell, J., Scedrov, A.: Undecidability of bounded security protocols. In: Workshop on Formal Methods and Security Protocols, Trento, Italia (1999)Google Scholar
  21. 21.
    Escobar, S., Meadows, C., Meseguer, J.: A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theor. Comput. Sci. 367(1–2), 162–202 (2006)MathSciNetCrossRefMATHGoogle Scholar
  22. 22.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  23. 23.
    SPORE: Security protocols open repository.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Rémy Chrétien
    • 1
    • 2
  • Véronique Cortier
    • 1
  • Stéphanie Delaune
    • 2
  1. 1.LORIAINRIA Nancy - Grand-EstVillers-lès-NancyFrance
  2. 2.LSVENS Cachan & CNRSCachan CedexFrance

Personalised recommendations