Cryptographic Protocol Verification Using Tractable Classes of Horn Clauses

  • Helmut Seidl
  • Kumar Neeraj Verma
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4444)


We consider secrecy problems for cryptographic protocols modeled using Horn clauses and present general classes of Horn clauses which can be efficiently decided. Besides simplifying the methods for the class of flat and one-variable clauses introduced for modeling protocols with single blind copying [7,25], we also generalize this class by considering k-variable clauses instead of one-variable clauses, with suitable restrictions similar to those for the class \(\mathcal{S}^{+}\). This class allows protocols with joint blind copying to be modeled conveniently. We show that for a fixed k, our new class can be decided in DEXPTIME, as in the case of one variable.




  1. Spore: Security protocol open repository. Available at
  2. Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW’01), Cape Breton, Nouvelle-Écosse, Canada, pp. 82–96. IEEE Computer Society Press, Los Alamitos (2001)
  3. Blanchet, B.: Security protocols: From linear to classical logic by abstract interpretation. Information Processing Letters 95(5), 473–479 (2005)
  4. Blanchet, B., Podelski, A.: Verification of cryptographic protocols: Tagging enforces termination. Theoretical Computer Science 333(1-2), 67–90 (2005)
  5. Comon, H., Cortier, V.: Tree automata with one memory, set constraints and cryptographic protocols. Theoretical Computer Science 331(1), 143–214 (2005)
  6. Comon, H., et al.: Tree automata techniques and applications (1997),
  7. Comon-Lundh, H., Cortier, V.: New decidability results for fragments of first-order logic and application to cryptographic protocols. In: Nieuwenhuis, R. (ed.) RTA 2003. LNCS, vol. 2706, pp. 148–164. Springer, Heidelberg (2003)
  8. Comon-Lundh, H., Cortier, V.: Security properties: Two agents are sufficient. In: Degano, P. (ed.) ESOP 2003 and ETAPS 2003. LNCS, vol. 2618, pp. 99–113. Springer, Heidelberg (2003)
  9. Cortier, V.: Vérification Automatique des Protocoles Cryptographiques. PhD thesis, ENS Cachan, France (2003)
  10. Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)
  11. Fermüller, C., et al.: Resolution Decision Procedures. In: Robinson, J.A., Voronkov, A. (eds.) Handbook of Automated Reasoning, pp. 1791–1849. North-Holland, Amsterdam (2001)
  12. Frühwirth, T., et al.: Logic programs as types for logic programs. In: 6th Annual IEEE Symposium on Logic in Computer Science (LICS’91), Amsterdam, The Netherlands, July 1991, IEEE Computer Society Press, Los Alamitos (1991)
  13. Goubault-Larrecq, J.: Une fois qu’on n’a pas trouvé de preuve, comment le faire comprendre à un assistant de preuve? In: Ménissier-Morain, V. (ed.) Actes des 12èmes Journées Francophones des Langages Applicatifs (JFLA’04). INRIA, collection didactique (2004)
  14. Goubault-Larrecq, J.: Deciding \(\mathcal{H}_1\) by resolution. Information Processing Letters 95(3), 401–408 (2005)
  15. Goubault-Larrecq, J., Parrennes, F.: Cryptographic protocol analysis on real C code. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 363–379. Springer, Heidelberg (2005)
  16. Goubault-Larrecq, J., Roger, M., Verma, K.N.: Abstraction and resolution modulo AC: How to verify Diffie-Hellman-like protocols automatically. Journal of Logic and Algebraic Programming 64(2), 219–251 (2005)
  17. Lowe, G.: An attack on the Needham-Schroeder public-key protocol. Information Processing Letters 56(3), 131–133 (1995)
  18. Monniaux, D.: Abstracting cryptographic protocols with tree automata. In: Cortesi, A., Filé, G. (eds.) SAS 1999. LNCS, vol. 1694, pp. 149–163. Springer, Heidelberg (1999)
  19. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Communications of the ACM 21(12), 993–999 (1978)
  20. Nielson, F., Nielson, H.R., Seidl, H.: Normalizable Horn clauses, strongly recognizable relations and Spi. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 20–35. Springer, Heidelberg (2002)
  21. Ramanujam, R., Suresh, S.P.: A decidable subclass of unbounded security protocols. In: Workshop on Issues in the Theory of Security (WITS’03) (2003)
  22. Ramanujam, R., Suresh, S.P.: Tagging makes secrecy decidable with unbounded nonces as well. In: Pandya, P.K., Radhakrishnan, J. (eds.) FSTTCS 2003. LNCS, vol. 2914, pp. 363–374. Springer, Heidelberg (2003)
  23. Robinson, J.A., Voronkov, A. (eds.): Handbook of Automated Reasoning. North-Holland, Amsterdam (2001)
  24. Rusinowitch, M., Turuani, M.: Protocol insecurity with finite number of sessions is NP-complete. In: Pandya, P., Radhakrishnan, J. (eds.) 14th IEEE Computer Security Foundations Workshop (CSFW’01), Nova-Scotia, Canada, June 2001, IEEE Computer Society Press, Cape Breton (2001)
  25. Seidl, H., Verma, K.N.: Flat and one-variable clauses: Complexity of verifying cryptographic protocols with single blind copying. In: Baader, F., Voronkov, A. (eds.) LPAR 2004. LNCS (LNAI), vol. 3452, pp. 79–94. Springer, Heidelberg (2005)
  26. Weidenbach, C.: Towards an automatic analysis of security protocols. In: Ganzinger, H. (ed.) CADE 1999. LNCS (LNAI), vol. 1632, pp. 378–382. Springer, Heidelberg (1999)

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Helmut Seidl (1)
  • Kumar Neeraj Verma (1)
  1. Institut für Informatik, TU München, Germany
