Flat and One-Variable Clauses for Single Blind Copying Protocols: The XOR Case

  • Helmut Seidl
  • Kumar Neeraj Verma
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5595)


In cryptographic protocols with the single blind copying restriction, at most one piece of unknown data is allowed to be copied in each step of the protocol. The secrecy problem for such protocols can be modeled as the satisfiability problem for the class of first-order Horn clauses called flat and one-variable Horn clauses, and is known to be DEXPTIME-complete. We show that when an XOR operator is additionally present, then the secrecy problem is decidable in 3-EXPTIME. We also note that replacing XOR by the theory of associativity-commutativity or by the theory of Abelian groups, or removing some of the syntactic restrictions on the clauses, leads to undecidability.


Keywords: Horn Clause, Cryptographic Protocol, Tree Automaton, Secrecy Problem, Negative Clause





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Helmut Seidl (1)
  • Kumar Neeraj Verma (1)
  1. Institut für Informatik, Technische Universität München, Garching, Germany
