Monotonic Set-Extended Prefix Rewriting and Verification of Recursive Ping-Pong Protocols

  • Giorgio Delzanno
  • Javier Esparza
  • Jiří Srba
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4218)


Ping-pong protocols with recursive definitions of agents, but without any active intruder, are a Turing powerful model. We show that under the environment sensitive semantics (i.e. by adding an active intruder capable of storing all exchanged messages including full analysis and synthesis of messages) some verification problems become decidable. In particular we give an algorithm to decide control state reachability, a problem related to security properties like secrecy and authenticity. The proof is via a reduction to a new prefix rewriting model called Monotonic Set-extended Prefix rewriting (MSP). We demonstrate further applicability of the introduced model by encoding a fragment of the ccp (concurrent constraint programming) language into MSP.


Regular Language Parallel Composition Cryptographic Protocol Process Constant Control Path 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Gordon, A.D.: A bisimulation method for cryptographic protocols. Nordic Journal of Computing 5(4), 267–303 (1998)MATHMathSciNetGoogle Scholar
  2. 2.
    Abdulla, P.A., Jonsson, B.: Verifying programs with unreliable channels. Information and Computation 127(2), 91–101 (1996)MATHCrossRefMathSciNetGoogle Scholar
  3. 3.
    Amadio, R.M., Charatonik, W.: On name generation and set-based analysis in the Dolev-Yao model. In: Brim, L., Jančar, P., Křetínský, M., Kucera, A. (eds.) CONCUR 2002. LNCS, vol. 2421, pp. 499–514. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Amadio, R.M., Lugiez, D., Vanackère, V.: On the symbolic reduction of processes with cryptographic functions. Theoretical Computer Science 290(1), 695–740 (2002)CrossRefGoogle Scholar
  5. 5.
    Bouajjani, A., Esparza, J., Maler, O.: Reachability analysis of pushdown automata: Application to model-checking. In: Mazurkiewicz, A., Winkowski, J. (eds.) CONCUR 1997. LNCS, vol. 1243, pp. 135–150. Springer, Heidelberg (1997)Google Scholar
  6. 6.
    Büchi, J.R.: Regular canonical systems. Arch. Math. Logik u. Grundlagenforschung 6, 91–111 (1964)MATHCrossRefGoogle Scholar
  7. 7.
    Cécé, G., Finkel, A., Purushothaman Iyer, S.: Unreliable channels are easier to verify than perfect channels. Information and Computation 124(1), 20–31 (1996)MATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Comon, H., Cortier, V., Mitchell, J.: Tree automata with one memory, set constraints, and ping-pong protocols. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 682–693. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Dolev, D., Even, S., Karp, R.M.: On the security of ping-pong protocols. Information and Control 55(1–3), 57–68 (1982)MATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    Dolev, D., Yao, A.C.: On the security of public key protocols. Transactions on Information Theory IT-29(2), 198–208 (1983)CrossRefMathSciNetGoogle Scholar
  11. 11.
    Esparza, J., Hansel, D., Rossmanith, P., Schwoon, S.: Efficient algorithms for model checking pushdown systems. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 232–247. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  12. 12.
    Hüttel, H., Srba, J.: Recursive ping-pong protocols. In: Proceedings of the 4th International Workshop on Issues in the Theory of Security (WITS 2004), pp. 129–140 (2004)Google Scholar
  13. 13.
    Hüttel, H., Srba, J.: Recursion vs. replication in simple cryptographic protocols. In: Vojtáš, P., Bieliková, M., Charron-Bost, B., Sýkora, O. (eds.) SOFSEM 2005. LNCS, vol. 3381, pp. 175–184. Springer, Heidelberg (2005)Google Scholar
  14. 14.
    Kupferman, O., Vardi, M.: Weak alternating automata are not that weak. ACM Transactions on Computational Logic 2(3), 408–429 (2001)MATHCrossRefMathSciNetGoogle Scholar
  15. 15.
    Küsters, R.: On the decidability of cryptographic protocols with open-ended data structures. In: Brim, L., Jančar, P., Křetínský, M., Kucera, A. (eds.) CONCUR 2002. LNCS, vol. 2421, pp. 515–530. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. 16.
    Křetínský, M., Řehák, V., Strejček, J.: Extended process rewrite systems: Expressiveness and reachability. In: Gardner, P., Yoshida, N. (eds.) CONCUR 2004. LNCS, vol. 3170, pp. 355–370. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Muller, D.E., Saoudi, A., Schupp, P.E.: Weak alternating automata give a simple explanation of why most temporal and dynamic logics are decidable in exponential time. In: Proceedings of the 3rd Annual IEEE Symposium on Logic in Computer Science (LICS 1988), pp. 422–427. IEEE Computer Society Press, Los Alamitos (1988)Google Scholar
  18. 18.
    Rusinowitch, M., Turuani, M.: Protocol insecurity with a finite number of sessions and composed keys is NP-complete. TCS: Theoretical Computer Science 299 (2003)Google Scholar
  19. 19.
    Saraswat, V.A.: Concurrent Constraint Programming. MIT Press, Cambridge (1993)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Giorgio Delzanno
    • 1
  • Javier Esparza
    • 2
  • Jiří Srba
    • 3
  1. 1.Dipartimento di Informatica e Scienze dell’InformazioneUniversità di GenovaItaly
  2. 2.Institut für Formale Methoden der InformatikUniversität StuttgartGermany
  3. 3.BRICS, Department of Computer ScienceAalborg UniversityDenmark

Personalised recommendations