Tree Automata with One Memory, Set Constraints, and Ping-Pong Protocols

  • Hubert Comon
  • Véronique Cortier
  • John Mitchell
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2076)


We introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME. We also introduce a class of set constraints with equality tests and prove its decidability by completion techniques and a reduction to tree automata with one memory. Set constraints with equality tests may be used to decide secrecy for a class of cryptographic protocols that properly contains a class of memoryless “ping-pong protocols” introduced by Dolev and Yao.




  1. M. Abadi and A. Gordon. A calculus for cryptographic protocols: the spi calculus. Information and Computation, 148(1), 1999.
  2. A. Aiken. Introduction to set constraint-based program analysis. Science of Computer Programming, 35:79–111, 1999.
  3. R. Amadio and D. Lugiez. On the reachability problem in cryptographic protocols. In Proc. CONCUR’00, volume 1877 of Lecture Notes in Computer Science, 2000.
  4. B. Bogaert and S. Tison. Equality and disequality constraints on brother terms in tree automata. In A. Finkel, editor, Proc. 9th Symposium on Theoretical Aspects of Comp. Science, Cachan, France, 1992.
  5. I. Cervesato, N. Durgin, P. Lincoln, J. Mitchell, and A. Scedrov. A meta-notation for protocol analysis. In P. Syverson, editor, 12th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 1999.
  6. W. Charatonik and L. Pacholski. Negative set constraints with equality. In Proc. IEEE Symp. on Logic in Computer Science, pages 128–136, Paris, 1994.
  7. W. Charatonik and A. Podelski. Set constraints with intersection. In Proc. IEEE Symposium on Logic in Computer Science, Warsaw, 1997.
  8. J. Clarke and J. Jacobs. A survey of authentication protocol literature: Version 1.0. Draft paper, 1997.
  9. H. Comon, M. Dauchet, R. Gilleron, F. Jacquemard, D. Lugiez, S. Tison, and M. Tommasi. Tree automata techniques and applications. Available on:, 1997.
  10. D. Dolev, S. Even, and R. Karp. On the security of ping pong protocols. Information and Control, 55:57–68, 1982.
  11. D. Dolev and A. Yao. On the security of public key protocols. In Proc. IEEE Symp. on Foundations of Computer Science, pages 350–357, 1981.
  12. N. Durgin, P. Lincoln, J. Mitchell, and A. Scedrov. Undecidability of bounded security protocols. In Proc. Workshop on formal methods in security protocols, Trento, Italy, 1999.
  13. S. Even and O. Goldreich. On the security of multi-party ping-pong protocols. Technical Report 285, Technion, Haifa, Israel, 1983. Extended abstract appeared in IEEE Symp. Foundations of Computer Science, 1983.
  14. N. Heintze and J. Tygar. A model for secure protocols and their compositions. IEEE Transactions on Software Engineering, 22(1), 1996.
  15. N. Heintze and J. Jaffar. A decision procedure for a class of set constraints. In Proc. IEEE Symp. on Logic in Computer Science, Philadelphia, 1990.

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Hubert Comon (1, 2)
  • Véronique Cortier (2)
  • John Mitchell (1)

  1. Department of Computer Science, Stanford University
  2. Laboratoire Spécification et Vérification, CNRS and Ecole Normale Supérieure de Cachan, France
