Symbolic Protocol Analysis with Disequality Constraints Modulo Equational Theories

  • Santiago Escobar
  • Catherine Meadows
  • José Meseguer
  • Sonia Santiago
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9465)


Research in the formal analysis of cryptographic protocols has produced much good work in the solving of equality constraints, developing new methods for unification, matching, and deducibility. However, considerably less attention has been paid to disequality constraints. These also arise quite naturally in cryptographic protocol analysis, in particular for analysis of indistinguishability properties. Thus methods for deciding whether or not they are satisfiable could potentially be quite useful in reducing the size of the search space by protocol analysis tools. In this paper we develop a framework for reasoning about disequality constraints centered around the paradigm of the most discriminating Dolev-Yao attacker, who is able to detect a disequality if it is satisfied in some implementation of the crypto-algebra satisfying given equality properties. We develop several strategies for handling disequalities, prove their soundness and completeness, and demonstrate the result of experimental analyses using the various strategies. Finally, we discuss how disequality checking algorithms could be incorporated within symbolic reachability protocol analysis methods.


Keywords: Equational Theory; Cryptographic Protocol; Attack State; Reachability Analysis; Attack Pattern
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work has been partially supported by NSF grant CNS 13-19109, by the EU (FEDER) and the Spanish MINECO under grant TIN 2013-45732-C4-1-P, and by Spanish Generalitat Valenciana under grant PROMETEOII/2015/013.



Copyright information

© Springer International Publishing Switzerland (outside the US) 2015

Authors and Affiliations

  • Santiago Escobar (1)
  • Catherine Meadows (2)
  • José Meseguer (3)
  • Sonia Santiago (3)

  1. DSIC-ELP, Universitat Politècnica de València, Valencia, Spain
  2. Naval Research Laboratory, Washington, D.C., USA
  3. University of Illinois at Urbana-Champaign, Champaign, USA
