Symbolic Verification of Distance Bounding Protocols
Abstract
With the proliferation of contactless applications, obtaining reliable information about distance is becoming an important security goal, and specific protocols have been designed for that purpose. These protocols typically measure the round trip time of messages and use this information to infer a distance. Formal methods have proved their usefulness when analysing standard security protocols such as confidentiality or authentication protocols. However, due to their abstract communication model, existing results and tools do not apply to distance bounding protocols.
In this paper, we consider a symbolic model suitable to analyse distance bounding protocols, and we propose a new procedure for analysing (a bounded number of sessions of) protocols in this model. The procedure has been integrated in the Akiss tool and tested on various distance bounding and payment protocols (e.g. MasterCard, NXP).
1 Introduction
In recent years, contactless communications have become ubiquitous. They are used in various applications such as access control cards, keyless car entry systems, payments, and many other applications which often require some form of authentication, and rely for this on security protocols. In addition, contactless systems aims to prevent against relay attacks in which an adversary mount an attack by simply forwarding messages he receives: ensuring physical proximity is a new security concern for all these applications.
Formal modelling and analysis techniques are welladapted for verifying security protocols, and nowadays several verification tools exist, e.g. ProVerif [8], Tamarin [28]. They aim at discovering logical attacks, and therefore consider a symbolic model in which cryptographic primitives are abstracted by function symbols. Since its beginning in 80s, a lot of progress has been done in this area, and it is now a common good practice to formally analyse protocols using symbolic techniques in order to spot flaws possibly before their deployment, as it was recently done e.g. in TLS 1.3 [7, 17], or for an avionic protocol [9].

network topology: any pair of nodes can communicate but depending on their distance, exchanging messages take more or less time. We will simply assume that the time needed is proportional to the distance between the two agents, and that messages can not travel faster than the speed of the light.

timing constraints: protocols that aim to prevent against relay attacks typically rely on a rapid phase in which time measurements are performed. Our framework will allow us to model these time measurements through the use of timestamps put on each action.
There are some implications on the attacker model. Since communications take time, it may be interesting to consider several malicious nodes. We will assume that malicious nodes collaborate but again messages can not travel (even between malicious nodes) faster than the speed of the light.
Akiss in a Nutshell. The procedure we present in this paper builds on previous work by Chadha et al. [12], and its implementation in the tool Akiss. Akiss allows automated analysis of privacytype properties (modelling as equivalences) when restricted to a bounded number of sessions. Cryptographic primitives may be defined through arbitrary convergent equational theories that have the finite variant property. This class includes standard cryptographic primitives as well as less commonly supported primitives such as blind signatures and zero knowledge proofs. Termination of the procedure is guaranteed for subterm convergent theories, but also achieved in practice on several examples outside this class.
The procedure behind Akiss is based on an abstract modelling of symbolic traces into firstorder Horn clauses: each symbolic trace is translated into a set of Horn clauses called seed statements, and a dedicated resolution procedure is applied on this set to construct a set of statements which have a simple form: the socalled solved statements. Once the saturation of the set of seed statements is done, it is possible to decide, based solely on those solved statements, whether processes under study are equivalent or not.
Even if we are considering reachability properties (here authentication with physical proximity), in order to satisfy timing constraints, we may need to consider recipes that are discarded when performing a classical reachability analysis. Typically, in a classical reachability analysis, there is no need to consider two recipes that deduce the same message. The main advantage of Akiss is the fact that, since its original goal is to deal with equivalence, it considers more (actually almost all possible) recipes when performing the security analysis. Moreover, even if the tool has been designed to deal with equivalencebased properties, the first part of the Akiss procedure consists in computing a knowledge base which is in fact a finite representation of all possible traces (including recipes) executable by the process under study. We build on this saturation procedure in this work.
Our Contributions. We design a new procedure for verifying reachability properties for protocols written in a calculus sharing many similarities with the one introduced in [19], and that gives us a way to model faithfully distance bounding protocols. Our procedure follows the general structure of the original one described in [12]. We first model protocols as traces (see Sect. 3), and then translate them into Horn clauses (see Sect. 4). A direct generalisation would consist of keeping the saturation procedure unchanged, and simply modifying the algorithm to check the satisfiability of our additional timing constraints at the end. However, as discussed in Sect. 5, such a procedure would not be complete for our purposes. We therefore completely redesign the update function used during the saturation procedure using a new strategy to forbid certain steps that would otherwise systematically yield to nontermination in our final algorithm. Showing these statements are indeed unnecessary requires essential changes in the proofs of completeness of the original procedure.
This new saturation procedure yields an effective method for checking reachability properties in our calculus (see Sect. 6). Although termination of saturation is not guaranteed in theory, we have implemented our procedure and we have demonstrated its effectiveness on various examples. We report on our implementation and the various case studies we have performed in Sect. 7.
As we were unable to formally establish completeness of the procedure as implemented in the original Akiss tool (due to some mismatches between the procedure described in [12] and its implementation), we decided to bring the theory closer to the practice, and this explains several differences between our seed statements and those described originally in [12].
A full version of this paper including proofs is available at [18].
2 Background
We start by providing some background regarding distance bounding protocols. For illustrative purposes, we present a slightly simplified version of the TREAD protocol [2] together with the attack discovered by [26] (relying on the Tamarin prover). This protocol will be used along the paper as a running example.
2.1 Distance Bounding Protocols
Distance bounding protocols are cryptographic protocols that enable a verifier V to establish an upper bound on the physical distance to a prover P. They are typically based on timing the delay between sending out a challenge and receiving back the corresponding response. The first distance bounding protocol was proposed by Brands and Chaum [10], and since then various protocols have been proposed. In general, distance bounding protocols are made of two or three phases, the second one being a rapid phase during which the time measurement is performed. To improve accuracy, this challenge/response exchange during which the measurement is performed is repeated several times, and often performed at the bit level. Symbolic analysis does not allow us to reason at this level, and thus the rapid phase will be abstracted by a single challenge/response exchange, and operations done at bit level will be abstracted too.
For illustration purposes, we consider the TREAD protocol. As explained before, we ignore several details that are irrelevant to our symbolic security analysis, and we obtain the protocol described in Fig. 1. First, the prover generates a nonce \(\gamma \), and computes the signature \(\sigma \) with his own key. This signature is sent to V encrypted with the public key of V. Upon reception, the verifier decrypts the message and checks the signature. Then, the verifier sends a nonce m, and starts the rapid phase during which he sends a challenge c to the prover. The protocol ends successfully if the answer given by the prover is correct and arrived before a predefined threshold.
2.2 Attacks on Distance Bounding Protocols
The TREAD protocol is vulnerable to a mafia fraud attack: an honest verifier v may end successfully a session with an honest prover p thinking that this prover p is in his vicinity whereas p is actually far away. The attack is described in Fig. 1. After learning \(\gamma \) and a signature \(\sigma =\mathsf {sign}(\gamma ,sk_p)\), the malicious agent i will be able to impersonate p. At the end, the verifier v will finish his session correctly thinking that he is playing with p (who is actually far away).
2.3 Symbolic Security Analysis
The first symbolic framework developed to analyse distance bounding protocols is probably the one proposed in [27]. Since then, several formal symbolic models have been proposed: e.g. a model based on multiset rewriting rules has been proposed in [5], another one based on strand spaces is available in [31]. However, these models do not come with a procedure allowing one to analyse distance bounding protocols in an automatic way. Recently, some attempts have been done to rely on existing automatic verification tools, e.g. ProVerif [13, 19] or Tamarin [26]. Those tools typically consider an unbounded number of sessions, and some approximations are therefore performed to tackle this problem wellknown to be undecidable [21].
Here, following the long line of research on symbolic verification for a bounded number of sessions which is a problem wellknown to be decidable [29, 32] and for which automatic verification tools have been developed (e.g. OFMC [6], Akiss [12]), we aim to extend this approach to distance bounding protocols.
3 A Security Model Dealing with Time and Location
We assume that our cryptographic protocols are modelled using a simple process calculus sharing some similarities with the appliedpi calculus [1], and strongly inspired by the calculus introduced in [19].
3.1 Term Algebra
As usual in symbolic models, we represent messages using a term algebra. We consider a set \(\mathcal {N}\) of names split into two disjoint sets: the set \(\mathcal {N}_\mathsf {pub}\) of public names which contains the set \(\mathcal {A}\) of agent names, and the set \(\mathcal {N}_\mathsf {priv}\) of private names. We consider the set \(\mathcal {X}\) of message variables, denoted \(x, y, \ldots \), as well as a set \(\mathcal {W}\) of handles: \(\mathcal {W}= \{\mathsf {w}_1, \mathsf {w}_2, \ldots \}\). Variables in \(\mathcal {X}\) model arbitrary data expected by the protocol, while variables in \(\mathcal {W}\) are used to store messages learnt by the attacker. Given a signature \(\varSigma \), i.e. a finite set of function symbols together with their arity, and a set of atomic data \(\mathcal {A}t\), we denote \(\mathcal {T}(\varSigma ,\mathcal {A}t)\) the set of terms built from \(\mathcal {A}t\) using function symbols in \(\varSigma \). Given a term u, we denote \( st (u)\) the set of the subterms occurring in u, and \( vars (u)\) the set of variables occurring in u. A term u is ground when \( vars (u) = \emptyset \). Then, we associate an equational theory \(\mathsf {E}\) to the signature \(\varSigma \) which consists of a finite set of equations of the form \(u =v\) with \(u,v \in \mathcal {T}(\varSigma ,\mathcal {X})\), and induces an equivalence relation over terms denoted \(=_\mathsf {E}\).
Example 1
Moreover, this finite variant property implies the existence of a finite and complete set of unifiers and gives us a way to compute it effectively. Given a set \(\mathcal {U}\) of equations between terms, a unifier (modulo a rewrite system \(\mathcal {R}\)) is a substitution \(\sigma \) such that \(s\sigma \mathord {\downarrow }= s'\sigma \mathord {\downarrow }\) for any equation \(s = s'\) in \(\mathcal {U}\). A set S of unifiers is said to be complete for \(\mathcal {U}\) if for any unifier \(\sigma \), there exists \(\theta \in S\) and \(\tau \) such that \(\sigma = \tau \circ \theta \). We denote \(\mathsf {csu}_\mathcal {R}(\mathcal {U})\) such a set. We will rely on these notions of \(\mathsf {variants}\) and \(\mathsf {csu}\) in our procedure (see Sect. 4).
Example 2
The finite variant property is satisfied by the rewrite system \(\mathcal {R}_\mathsf {ex}\) obtained by orienting from left to right equations in \(\mathsf {E}_\mathsf {ex}\).
Let \(\mathcal {U} = \{\mathsf {check}(t_\sigma , \mathsf {pk}(sk_p)) = \mathsf {ok}\}\) with \(t_\sigma = \mathsf {proj}_2(\mathsf {adec}(x, sk_v))\). We have that \(\{\theta \}\) with \(\theta = \{x \rightarrow \mathsf {aenc}(\langle x_1, \mathsf {sign}(x_2,sk_p)\rangle , \mathsf {pk}(sk_v))\}\) is a complete set of unifiers for \(\mathcal {U}\) (modulo \(\mathcal {R}_\mathsf {ex}\)). Now, considering the variants, let \(\sigma _1 = \{x \rightarrow \mathsf {aenc}(x_1, \mathsf {pk}(sk_v))\}\), \(\sigma _2 = \{x \rightarrow \mathsf {aenc}(\langle x_1, x_2\rangle , \mathsf {pk}(sk_v))\}\) and \( id \) be the identity substitution, we have that \(\{ id , \sigma _1, \sigma _2\}\) is a finite and complete set of variants (modulo \(\mathcal {R}_\mathsf {ex}\)) for the sequence \((x, t_\sigma )\).
An attacker builds her own messages by applying function symbols to terms she already knows and which are available through variables in \(\mathcal {W}\). Formally, a computation done by the attacker is a recipe, i.e. a term in \(\mathcal {T}(\varSigma , \mathcal {W}\cup \mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+)\).
3.2 Timing Constraints
To model time, we will use nonnegative real numbers \(\mathbb {R}^+\), and we may allow various operations (e.g. \(+\), −, \(\times \), ...). A time expression is constructed inductively by applying arithmetic symbols to time expressions starting with the initial set \(\mathbb {R}^+\) and an infinite set \(\mathcal {Z}\) of time variables. Then, a timing constraint is typically of the form \(t_1 \sim t_2\) with \(\sim \,\in \, \{<, \le , =\}\). We do not constraint the operators since our procedure is generic in this respect provided we have a way to decide whether a set of timing constraints is satisfiable or not. In practice, our tool (see Sect. 7) will only be able to consider simple linear timing constraints.
Example 3
When modelling distance bounding protocols, we will typically consider a timing constraint of the form \(z_2  z_1 <t\) with \(z_1, z_2 \in \mathcal {Z}\) and \(t \in \mathbb {R}^+\). This constraint expresses that the time elapsed between the emission of a challenge and the receipt of the corresponding answer is at most t.
3.3 Process Algebra
We assume that cryptographic protocols are modelled using a simple process algebra. Following [12], we only consider a minimalistic core calculus. In particular, we do not introduce the new operator and we do not explicitly model the parallel operator. Since we only consider a bounded number of sessions (i.e. a calculus with no replication), this is at no loss of expressivity. We can simply assume that fresh names are generated from the beginning and parallel composition can be added as syntactic sugar to denote the set of all interleavings.
As usual, we have output and input actions. An input action acts as a binding construct for both x and z, whereas an output action acts as a binding construct for z only. For sake of clarity, we will omit the time variable z when we do not care of the precise time at which the input (resp. output) action has been performed. As usual, our calculus allows one to perform some tests on received messages, and it is also possible to extract a timestamp from a received message and perform some tests on this extracted value using timing constraints. Typically, this will allow us to model an agent that will stop executing the protocol in case an answer arrives too late.
We assume the usual definitions of free and bound variables for traces, and we assume that each variable is at most bound once. Note that, in the constructs presented above, the variables z, x are bound. Given a set \(\mathcal {V}\) of variables, a trace is locally closed w.r.t. \(\mathcal {V}\) if for any agent a, the trace obtained by considering actions executed by agent a does not contain free variables among those in \(\mathcal {V}\). Such an assumption, sometimes called origination [6, 15], is always satisfied when considering traces obtained by interleaving actions of a protocol. Therefore, we will only consider traces that are locally closed w.r.t. both \(\mathcal {X}\) and \(\mathcal {Z}\).
Contrary to the calculus introduced in [19] which assumes that there is at most one timer per thread, we are more flexible. This generalisation is not mandatory to analyse our case studies but it allows us to present our result on traces and greatly simplifies the theoretical development.
Example 4
Of course, when performing a security analysis, other traces have to be considered. Typically, we may want to consider several instances of each role, and we will have to generate traces corresponding to all the possible interleavings of the actions composing these roles.
Semantics. The semantics of a trace is given in terms of a labeled transition system over configurations of the form \((T;\varPhi ;t)\), and is parametrised by a topology reflecting the fact that interactions between agents depend on their location.
Definition 1
A topology is a tuple \(\mathcal {T}_0 = (\mathcal {A}_0,\mathcal {M}_0,\mathsf {Loc}_0)\) where \(\mathcal {A}_0 \subseteq \mathcal {A}\) is the finite set of agents composing the system, \(\mathcal {M}_0 \subseteq \mathcal {A}_0\) represents those that are malicious, and \(\mathsf {Loc}_0: \mathcal {A}_0 \rightarrow \mathbb {R}^3\) defines the position of each agent in the space.
Definition 2
Given a topology \(\mathcal {T}_0 = (\mathcal {A}_0, \mathcal {M}_0, \mathsf {Loc}_0)\), a configuration over \(\mathcal {T}_0\) is a tuple \((T;\varPhi ;t)\) where T is a trace locally closed w.r.t. \(\mathcal {X}\) and \(\mathcal {Z}\) composed of actions \((a, \mathsf {a})\) with \(a \in \mathcal {A}_0\), \(t \in \mathbb {R}^+\), and \(\varPhi =\{\mathsf {w}_1\xrightarrow {a_1,t_1}u_1, \ldots , \mathsf {w}_n\xrightarrow {a_n,t_n}u_n\}\) is an extended frame, i.e. a substitution such that \(\mathsf {w}_i\in \mathcal {W}\), \(u_i\in \mathcal {T}(\varSigma ,\mathcal {N}\cup \mathbb {R}^+)\), \(a_i\in \mathcal {A}_0\) and \(t_i\in \mathbb {R}^+\) for \(1 \le i \le n\).
Intuitively, T represents the trace that still remains to be executed; \(\varPhi \) represents the messages that have been outputted so far; and t is the global time.
Example 5
Continuing Example 4, we consider the topology \(\mathcal {T}_0 = (\mathcal {A}_0,\mathcal {M}_0,\mathsf {Loc}_0)\) depicted on the right where \(\mathcal {A}_0 = \{p, v, i\}\), and \(\mathcal {M}_0 = \{i\}\).
The precise location of each agent is not relevant, only the distance between them matters. Here \({\textsf {Dist}_{\mathcal {T}_0}(v,i) < t_0}\) whereas \({\textsf {Dist}_{\mathcal {T}_0}(v,p) \ge t_0}\).
Example 6

\(T_\mathsf {rapid}= (v,\mathsf {out}^{z_1}(c)). (v,\mathsf {in}^{z_2}(y)). (v, [y=\mathsf {h}(c,m,\gamma )]).(v,[\![z_2  z_1 < 2t_0]\!])\), and

\(\varPhi _\mathsf {rapid}= \varPhi _0 \uplus \{\mathsf {w}_4 \xrightarrow {v,\delta _0} m\}\).

Input: A trace T locally closed w.r.t. \(\mathcal {X}\) and \(\mathcal {Z}\), \(t_0 \in \mathbb {R}^+\), and a topology \(\mathcal {T}_0\).

Output: Do there exist \(\ell _1, \ldots , \ell _n\), \(\varPhi \), and t such that \((T;\emptyset ;t_0) \xrightarrow {\ell _1 \ldots , \ell _n}_{\mathcal {T}_0} (\epsilon ;\varPhi ;t)\)?
4 Modelling Using Horn Clauses
Following the approach developed in Akiss [12], our procedure is based on an abstract modelling of a trace in firstorder Horn clauses. Our set of seed statements is more in line with what has been implemented in Akiss for optimisation purposes rather than what is presented in [12].
4.1 Preliminaries
We also consider symbolic recipes which are terms in \(\mathcal {T}(\varSigma , \mathcal {W}\cup \mathcal {N}_\mathsf {pub}\cup \mathcal {Y})\) where \(\mathcal {Y}\) is a set of recipe variables disjoint from \(\mathcal {X}\) and \(\mathcal {W}\). We use capital letters X, Y, and Z to range over \(\mathcal {Y}\).
Example 7

a reachability predicate: \(\mathsf {r}_{w}\) holds when the run w is executable.

a deduction predicate: \(\mathsf {k}_{w} (R, u)\) holds if the message u can be built using the recipe \(R \in \mathcal {T}(\varSigma , \mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+\cup \mathcal {W})\) by an attacker using the outputs available after the execution of w (if this execution is possible).

Open image in new window if there exists \((T_n;\phi _n)\) such that Open image in new window

Open image in new window if for all \((T_n;\phi _n)\) such that Open image in new window we have that \(R\phi _n\mathord {\downarrow }= u\).
This semantics is extended as usual to firstorder formulas built using the usual connectives (e.g. conjunction, quantification, ...)
Example 8
4.2 Seed Statements
We consider particular Horn clauses which we call statements.
Definition 3

\(w_0,\ldots , w_n\) are symbolic runs locally closed, \(w_i \sqsubseteq w_0\) for any \(i \in \{1,\ldots , n\}\);

\(u, u_1, \ldots , u_n\) are terms in \(\mathcal {T}(\varSigma ,\mathcal {N}\cup \mathbb {R}^+\cup \mathcal {X})\);

\(R \in \mathcal {T}(\varSigma ,\mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+\cup \mathcal {W}\cup \{X_1,\ldots , X_n\}) \smallsetminus \mathcal {Y}\), and \(X_1, \dots , X_n\) are distinct variables from \(\mathcal {Y}\).
When \({H = \mathsf {k}_{w_0}(R, u)}\), we assume in addition that \( vars (u) \subseteq vars (u_1, \ldots , u_n)\) and \(R (\{X_i \rightarrow u_i\} \uplus \phi (w_0)) \mathord {\downarrow }= u\).
In the above definition, we implicitly assume that all variables are universally quantified, i.e., all statements are ground. By abuse of language we sometimes call \(\sigma \) a grounding substitution for a statement \(H \Leftarrow ( B_1, \ldots , B_n)\) when \(\sigma \) is grounding for each of the atomic formulas \(H, B_1, \ldots , B_n\). The skeleton of a statement f, denoted \(\mathsf {skl}(f)\), is the statement where recipes are removed. Our definition of statement is in line with the original one proposed in [12] but we state an additional invariant used to establish the completeness of our procedure.
 1.
if \(\mathsf {a}_i\) is a receive action, then \(\mathsf {a}_i = \mathsf {in}^{z_i}(x_i)\), and \(\ell _i =(a_i, \mathsf {in}(x_i))\);
 2.
if \(\mathsf {a}_i\) is a send action, then \(\mathsf {a}_i= \mathsf {out}^{z_i}(u_i)\), and \(\ell _i = (a_i,\mathsf {out}(u_i))\);
 3.
if \(\mathsf {a}_i\) is a test action, then \(\mathsf {a}_i = [v_i = v'_i]\), and \(\ell _i = (a_i,\mathsf {eq})\);
 4.
if \(\mathsf {a}_i\) is a let action, then \(\mathsf {a}_i = [z'_i := v_i]\), and \(\ell _i = (a_i,\mathsf {let}(v_i))\).
 5.
if \(\mathsf {a}_i\) is a timing constraint then \(\mathsf {a}_i = [\![t_i \sim t'_i]\!]\), and \(\ell _i = (a_i, \mathsf {test})\).
For each \(m \in \{0, \ldots , n\}\), the sets \(\mathsf {Rcv}(m)\), \(\mathsf {Snd}(m)\), \(\mathsf {Eq}(m)\), \(\mathsf {Let}(m)\), and \(\mathsf {Test}(m)\) respectively denote the set of indexes of the receive, send, equality, let, and test actions amongst \(\mathsf {a}_1, \ldots , \mathsf {a}_m\). We denote by S the cardinality of S.
Given a set \(\mathcal {C} \subseteq \mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+\), the set of seed statements associated to T and \(\mathcal {C}\), denoted \(\mathsf {seed}(T,\mathcal {C})\), is defined in Fig. 4. If \(\mathcal {C} = \mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+\), then \(\mathsf {seed}(T,\mathcal {C})\) is said to be the set of seed statements associated to T and in this case we write \(\mathsf {seed}(T)\) as a shortcut for \(\mathsf {seed}(T,\mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+)\). When computing seed statements, we compute complete sets of unifiers and complete sets of variants modulo \(\mathcal {R}\). This allows us to get rid of the rewrite system in the remainder of our procedure and then only consider unification modulo the empty equational theory. In this case, it is wellknown that (when it exists) \(\mathsf {csu}_\emptyset (\mathcal {U})\) is uniquely defined up to some variable renaming, and we write \(\mathsf {mgu}(u_1,u_2)\) instead of \(\mathsf {csu}_{\emptyset }(\{u_1 = u_2\})\).
Example 9
Statement \(f_1\) expresses that the trace is executable (in the relaxed semantics) as soon as we are able to deduce the two terms requested in input, \(f_2\) says that the attacker knows the term u as soon as \(T_0\) has been executed. The two remaining statements model the fact that an attacker can apply the decryption algorithm on any terms he knows (statement \(f_3\)), and this will give him access to the plaintext when the right key is used (statement \(f_4\)).
4.3 Soundness and Completeness
We now show that as far as the timing constraints are ignored, the set \(\mathsf {seed}(T)\) is a sound and complete abstraction of a trace. Moreover, we have to ensure that the proof tree witnessing the existence of a given predicate in \(\mathcal {H}(\mathsf {seed}(T))\) matches with the relaxed execution we have considered. This is mandatory to establish the completeness of our procedure.
Definition 4

\(\hat{R}_j(\{X_i \rightarrow u_i~~1 \le i\le n\} \uplus \phi (w_0))\mathord {\downarrow }= v_j\) for \(j \in \{1, \ldots , k'\}\); and

\(\hat{R}_j\sigma = R_i\) for \(j \in \{1, \ldots , k'\}\).
This notion of matching is extended to a proof tree \(\pi \) as expected, meaning that all the instances of Conseq used in \(\pi \) satisfy the property.
Actually, the completeness of our procedure will be established w.r.t. a subset of recipes, namely uniform recipes. We establish that an execution of a trace \(T_0\) which only involves uniform recipes has a counterpart in \(\mathcal {H}(\mathsf {seed}(T_0))\) which is uniform too.
Definition 5
Given a frame \(\phi \), a recipe R is uniform w.r.t. \(\phi \) if for any \(R_1, R_2 \in st (R)\) such that \(R_1\phi \mathord {\downarrow }= R_2\phi \mathord {\downarrow }\), we have that \(R_1 = R_2\).
Given a set K of statements, we say that a set \(\{\pi _1,\ldots ,\pi _n\}\) of proof trees in \(\mathcal {H}(K)\) is uniform if for any \(\mathsf {k}_{w}(R_1,t)\) and \(\mathsf {k}_{w}(R_2,t)\) that occur in \(\{\pi _1, \ldots , \pi _n\}\), we have that \(R_1 = R_2\).
We are now able to state our soundness and completeness result.
Theorem 1
Let \(T_0\) be a trace locally closed w.r.t. \(\mathcal {X}\).

Open image in new window for any \(g\in \mathsf {seed}(T_0) \cup \mathcal {H}(\mathsf {seed}(T_0))\);
 If Open image in new window with input recipes \(R_1, \ldots , R_k\) that are uniform w.r.t. \(\phi \) then
 1.
\(\mathsf {r}_{\ell _1, \ldots , \ell _p} \in \mathcal {H}(\mathsf {seed}(T_0))\); and
 2.
if \(R\phi \mathord {\downarrow }= u\) for some recipe R uniform w.r.t. \(\phi \) then \(\mathsf {k}_{\ell _1, \ldots , \ell _p}(R, u) \in \mathcal {H}(\mathsf {seed}(T_0))\).
Moreover, we may assume that the proof tree witnessing these facts are uniform and match with \(\mathsf {exec}\) using \(R_1, \ldots , R_k\) as input recipes.
 1.
5 Saturation
 1.
a saturation procedure which constructs a set of solved statements from the set \(\mathsf {seed}(T)\); and
 2.
an algorithm which uses the solved statements obtained by saturation to check whether timing constraints are satisfied. This is needed to ensure that the execution obtained at step 1 is truly executable in our timed model.
5.1 Saturation Procedure
We start by describing our saturation procedure. It manipulates a set of statements called a knowledge base.
Definition 6

f is said to be solved if \(B_i = \mathsf {k}_{w_i}(X_i, x_i)\) with \(x_i \in \mathcal {X}\) for all \(i \in \{1, \ldots , n\}\).

f is said to be wellformed if whenever it is solved and \(H = \mathsf {k}_{w}(R, u)\), we have that \(u \not \in \mathcal {X}\).
A set of wellformed statements is called a knowledge base. If K is a knowledge base, \(\mathsf {solved}(K) = \{ f \in K \mid f \, is\, solved \}\).
We restrict the use of the resolution rule and we only apply it on a selected atom. To formalise this, we assume a selection function \(\mathsf {sel}\) which returns \(\bot \) when applied on a solved statement, and an atom \(\mathsf {k}_w(X,t)\) with \(t \not \in \mathcal {X}\) when applied on an unsolved statement. Resolution must be performed on this selected atom.
Example 10
During saturation, the statement obtained by resolution is given to an update function which decides whether it has to be added or not into the knowledge base (possibly after some transformations). In original Akiss, many deduction statements are discarded during the saturation procedure. This is useful to avoid nontermination issues and it is not a problem since there is no need to derive the same term (from the deduction point of view) in more than one way. Now, considering that messages need time to reach a destination, a same message emitted twice at two different locations deserves more attention.
Example 11
Let \(T= (a_1,\mathsf {out}(k)).(a_2,\mathsf {out}(k)).(b,\mathsf {in}^{z}(x)).(b,[x = k]).(b, z < 2)\), and \(\mathcal {T}_0\) be a topology such that \(\textsf {Dist}_{\mathcal {T}_0}(a_1,b) = 10\) while \(\textsf {Dist}_{\mathcal {T}_0}(a_2,b) = 1\). The configuration \((T;\emptyset ;0)\) is executable but only considering \(\mathsf {w}_2\) as an input recipe for x. The recipe \(\mathsf {w}_1\) that produces the exact same term k is not an option (even if it is outputted before \(\mathsf {w}_2\)) since the agent \(a_1\) who outputs it is far away from b.
Whereas the original Akiss procedure will typically discard the statement \(\mathsf {k}(\mathsf {w}_2,k) \Leftarrow \;\) (by replacing it with an identical statement), we will keep it.
As illustrated by Example 11, we therefore need to consider more recipes (even if they deduce the same message) to accommodate timing constraints, but we have to do this in a way that does not break termination (in practice). To tackle this issue, we modified the canonicalization rule, as well as the update function to allow more deduction statements to be added in the knowledge base.
Definition 7
The intuition is that there is no need to consider several recipes (here X and Y) to deduce the same term t when such a recipe does not occur in the head of the statement.
Then, the update of K by f denoted \(K \Cup \{f\}\), is defined to be K if either \(\mathsf {skl}(f\mathord {\Downarrow })\) is not in normal form; or \(f\mathord {\Downarrow }\) is solved but not wellformed. Otherwise, \(K \Cup \{f\} = K \cup \{f\mathord {\Downarrow }\}\). To initiate our saturation procedure, we start with the initial knowledge base \(K_{\mathsf {init}}(S)\) associated to a set S of statements (typically \(\mathsf {seed}(T,\mathcal {C})\) for some wellchosen \(\mathcal {C}\)). Given a set S of statements, the initial knowledge base associated to S, denoted \(K_\mathsf {init}(S)\), is defined to be the empty knowledge base updated by the set S, i.e. \(K_\mathsf {init}(S) = (((\emptyset \Cup f_1) \Cup f_2) \Cup \ldots f_n\) where \(f_1, \ldots , f_n\) is an enumeration of the statements in S. In return, the saturation procedure produces a set \(\mathsf {sat}(K)\) which is actually a knowledge base.
Then, we can establish the soundness of our saturation procedure. This is relatively straightforward and follows the same lines as the original proof.
Proposition 1
Let \(T_0\) be a trace locally closed w.r.t. \(\mathcal {X}\), \(K = \mathsf {sat}(K_\mathsf {init}(T_0))\). We have that \((T_0;\emptyset ) \models g\) for any \(g\in \mathsf {solved}(K) \cup \mathcal {H}(\mathsf {solved}(K))\).
5.2 Completeness
Completeness is more involved. Indeed, we can not expect to retrieve all the recipes associated to a given term. To ensure termination (in practice) of our procedure, we discard some statements when updating the knowledge base, and we have to justify that those statements are indeed useless. Actually, we show that considering uniform recipes is sufficient when looking for an attack trace.
However, the notion of uniform recipe does not allow one to do the proof by induction. We therefore consider a more restricted notion that we call asap recipes. The idea is to deduce a term as soon as possible but this may depend on the agent who is performing the computation. We also rely on an ordering relation which is independent of the agent who is performing the computation, and which is compatible with our notion of asap w.r.t. any agent.

\(R <^{\mathsf {in}}_\mathsf {exec}\mathsf {w}\) when \(\ell _i = a, \mathsf {in}(u)\) with input recipe R and \(\ell _j = a, \mathsf {out}(u_j)\) with output recipe \(\mathsf {w}\) for some agent a with \(i < j\);

\(R' <^{\mathsf {sub}}_\mathsf {exec}R\) when \(R'\) is a strict subterm of R.
Then, \(<_{\mathsf {exec}}\) is the smallest transitive relation over recipes built on \( dom (\phi )\) that contains \(<^{\mathsf {in}}_\mathsf {exec}\) and \(<^{\mathsf {sub}}_\mathsf {exec}\). As usual, we denote \(\le _\mathsf {exec}\) the reflexive closure of \(<_\mathsf {exec}\).

either \(\mathsf {time}(\mathsf {w}) + \textsf {Dist}_{\mathcal {T}}(\mathsf {agent}(\mathsf {w}),a) < \mathsf {time}(\mathsf {w}') + \textsf {Dist}_{\mathcal {T}}(\mathsf {agent}(\mathsf {w}'),a)\);

or \(\mathsf {time}(\mathsf {w}) + \textsf {Dist}_{\mathcal {T}}(\mathsf {agent}(\mathsf {w}),a) = \mathsf {time}(\mathsf {w}') + \textsf {Dist}_{\mathcal {T}}(\mathsf {agent}(\mathsf {w}'),a)\), and the output \(\mathsf {w}\) occurs before \(\mathsf {w}'\) in the execution \(\mathsf {exec}\).
 1.
either \(\mathsf {multi}_\mathcal {W}(R) <^a_\mathsf {exec}\mathsf {multi}_\mathcal {W}(R')\) where \(\mathsf {multi}_\mathcal {W}(R)\) is the multiset of variables \(\mathcal {W}\) occurring in R ordered using the multiset extension of \(<^a_\mathsf {exec}\) on variables;
 2.
or \(\mathsf {multi}_\mathcal {W}(R) = \mathsf {multi}_\mathcal {W}(R')\) and \(R < R'\) where R is the size (number of symbols) occurring in R;
 3.
or \(\mathsf {multi}_\mathcal {W}(R) = \mathsf {multi}_\mathcal {W}(R')\), \(R = R'\), and \( st _\mathsf {eq}(R) <  st _\mathsf {eq}(R')\) where \( st _\mathsf {eq}(R)=\{(S,S')\in st (R) \times st (R) ~~ S \ne S'\, \text { and }\, S\varPhi \mathord {\downarrow }= S'\varPhi \mathord {\downarrow }\}\) is the set of pairs of distinct syntactic subterms of R that deduce the same term.
We have that \(<_\mathsf {exec}^a\) is a wellfounded order for any \(a\in \mathcal {A}\) which is compatible with \(<_\mathsf {exec}\), i.e. \(R <_\mathsf {exec}R'\) implies \(R <^a_\mathsf {exec}R'\) for any agent a.
We are now able to introduce our notion of asap recipe.
Definition 8

either \(R \in \mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+\cup \mathcal {W}\) and \(\not \exists R'\) such that \(R'<_\mathsf {exec}R\) and \(R'\varPhi \mathord {\downarrow }= R\varPhi \mathord {\downarrow }\);

or \(R = \mathsf {f}(R_1,\ldots , R_k)\) with \(\mathsf {f}\in \varSigma \) and \(\not \exists R'\) such that \(R' <^a_\mathsf {exec}R\) and \({R'\varPhi \mathord {\downarrow }= R\varPhi \mathord {\downarrow }}\).
We may note that our definition of being asap takes care about honest agents who are not allowed to forge messages from their knowledge using recipes not in \(\mathcal {W}\cup \mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+\). Hence, a recipe \(R \in \mathcal {W}\) is not necessarily replaced by a recipe \(R'\) even if \(R <^a_\mathsf {exec}R'\) and \({R'\varPhi \mathord {\downarrow }= R\varPhi \mathord {\downarrow }}\). Actually, such a recipe \(R'\) is not necessarily an alternative to R when \(a \not \in \mathcal {M}_0\).
Then, we can establish completeness of our saturation procedure w.r.t. these asap recipes.
Theorem 2

\(\mathsf {r}_{\ell _1, \ldots , \ell _p} \in \mathcal {H}(K)\) with a proof tree matching \(\mathsf {exec}\) and \(R_1, \ldots , R_k\);

\(\mathsf {k}_{u_0}(R, R\phi \mathord {\downarrow }) \in \mathcal {H}(K)\) with a proof tree matching \(\mathsf {exec}\) and \(R_1, \ldots , R_k\) whenever \(u_0 = \ell _1,\ldots , \ell _{q1}\) for some \(q\in \mathsf {Rcv}(p)\) and R is asap w.r.t. \(b_{\mathsf {Rcv}(q)}\) and \(\mathsf {exec}\).
Proof
(sketch). We have that asap recipes are uniform and we can therefore apply Theorem 1. This allows us to obtain a proof tree in \(\mathcal {H}(\mathsf {seed}(T_0))\). Then, by induction on the proof tree, we lift it from \(\mathcal {H}(\mathsf {seed}(T_0))\) to \(\mathcal {H}(K)\). The difficult part is when the statement obtained by resolution is not directly added in the knowledge base. It may have been modified by the rule Remove or even discarded by the update operator. In both cases, we derive a contradiction with the fact that we are considering asap recipes. \(\square \)
Example 12
Considering the relaxed execution starting from \((T_0 \cdot T_\mathsf {ex}, \emptyset )\) by performing the three outputs followed by the untimed version of the execution described in Example 6, we reach \((\epsilon ,\phi )\) using recipes \(R_1 = \mathsf {aenc}(\mathsf {adec}(\mathsf {w}_3,\mathsf {w}_2), \mathsf {w}_1)\) and \(R_2 = \mathsf {h}(\mathsf {w}_5,\mathsf {w}_4,\mathsf {proj}_1(\mathsf {adec}(\mathsf {w}_3,\mathsf {w}_2)))\). Let K be the set of solved statements obtained by saturation, we have that \(\mathsf {r}_{T_0 \cdot w_0\sigma ' \cdot (v,\mathsf {test})} \in \mathcal {H}(K)\) (see Example 10). Note that the symbolic run \(T_0 \cdot w_0\sigma ' \cdot (v,\mathsf {test})\) coincides with the labels used in the execution trace. Here, the proof tree is reduced to a leaf, and choosing \(\hat{R}_1 = R_1\), \(\hat{R}_2 = R_2\), gives us the matching we are looking for.
6 Algorithm
In this section, we first present our algorithm to verify whether a given timed configuration can be fully executed, and then discuss its correctness.
6.1 Description
 1.
\(z_1= t_0\), and \(z_i \le z_{i+1}\) for any \(1 \le i < n\);
 2.
\(t_i \sim t'_i\) for any \(i \in \mathsf {Test}(n)\) with \(\mathsf {a}_i = [\![t_i \sim t'_i]\!]\);
 3.
\(z'_i = v_i\{x_j \rightarrow u_j \mid j \in \mathsf {Rcv}(i)\}\mathord {\downarrow }\) for any \(i \in \mathsf {Let}(n)\);
 4.For any \(i \in \mathsf {Rcv}(n)\), we consider the formula:

\(z_{\mathsf {orig}(j)} + \textsf {Dist}_{\mathcal {T}_0}(a_{\mathsf {orig}(j)},a_i) \le z_i\) if \(R_i = \mathsf {w}_j\);
 otherwise, we consider:$$\begin{aligned} \bigvee \nolimits _{b \in \mathcal {M}_0} \big (\bigwedge \nolimits _{\{j \mid \mathsf {w}_j \in vars (R_i)\}} z_{\mathsf {orig}(j)} + \textsf {Dist}_{\mathcal {T}_0}(a_{\mathsf {orig}(j)},b) \le z_i  \textsf {Dist}_{\mathcal {T}_0}(b,a_i) \;\big ) \end{aligned}$$

The last step of our algorithm consists in checking whether the resulting formula \(\psi \) is satisfiable or not, i.e. whether there exists a mapping from \( vars (\psi )\) to \(\mathbb {R}^+\) such that the formula \(\psi \) is true. Of course, even if our procedure is generic w.r.t. to timing constraints, the procedure to check the satisfiability of \(\psi \) will depend on the constraints we consider. Actually, all the formulas encountered during our case studies are quite simple: they are expressed by equations of the form \(z'  z \le t\), and we therefore rely on the wellknown FloydWarshall algorithm to solve them. When needed, we may rely on the simplex algorithm to solve more general linear constraints.
6.2 Termination Issues
First, we may note that to obtain an effective saturation procedure, it is important to start with a finite set of seed statements. Our set \(\mathsf {seed}(T)\) is infinite but as it was proved in [12], we can restrict ourselves to perform saturation using the finite set \(\mathsf {seed}(T,\mathcal {C}_T)\) where \(\mathcal {C}_T\) contains the public names and the real numbers occurring in the trace T. More formally, we have that:
Lemma 1
Nevertheless, the saturation may not terminate. We could probably avoid some nontermination issues by improving our update operator. However, ensuring termination in theory is a rather difficult problem (the proof of termination for the original Akiss procedure for subterm convergent theories is quite complex [12] – more than 20 pages). We would like to mention that we never encountered nontermination issues in practice on our case studies.
Another issue is that, when computing the set \(\overline{L_i}\), we need to compute all the recipes R such that \(\mathsf {k}_w(R,u) \in \mathcal {H}(K)\) for a given term u. This can be achieved using a simple backward search and will terminate since K only contains solved statements that are wellformed. The naive recursive algorithm will therefore consider terms \(u_1, \ldots , u_n\) that are strict subterms of the initial term u. Note that statements that are not wellformed are discarded by our update operator: ensuring completeness of our saturation procedure when discarding statements that are not wellformed is the challenging part of our completeness proof.
6.3 Correctness of Our Algorithm
We consider a topology \(\mathcal {T}_0\) and a configuration \((T;\emptyset ;t_0)\) built on top of \(\mathcal {T}_0\) and such that T is locally closed w.r.t. both \(\mathcal {X}\) and \(\mathcal {Z}\).
Theorem 3

if Reachability\((K,t_0,\mathcal {T}_0)\) holds then \((T;\emptyset ;t)\) is executable in \(\mathcal {T}_0\);

if \((T;\emptyset ;t_0)\) is executable in \(\mathcal {T}_0\) then Reachability\((K,t_0,\mathcal {T}_0)\) holds.
Soundness (item 1 above) is relatively straightforward. Item 2 is more involved. Of course, our algorithm does not consider all the possible recipes for inputs. Some recipes are discarded from our analysis. Actually, it is sufficient to focus our attention on asap recipes. To justify that this is not an issue regarding completeness, we first establish the following result.
Lemma 2
Let \(\mathsf {exec}= K_0 \xrightarrow {\ell _1, \ldots , \ell _n}_{\mathcal {T}_0} (S; \varPhi ;t)\) be an execution. We may assume w.l.o.g. that \(\mathsf {exec}\) involves input recipes \(R_1,\ldots , R_k\) forged by agents \(b_1,\ldots , b_k\) and \(R_i\) is asap w.r.t. \(b_i\) and \(\mathsf {exec}\) for each \(i \in \{1, \ldots , k\}\).
Then, we may apply Theorem 2 (item 1) on this “asap execution” and deduce the existence of \(f = \mathsf {r}_{\ell '_1, \ldots , \ell '_n} \Leftarrow \mathsf {k}_{w_1}(X_1, x_1), \ldots , \mathsf {k}_{w_m}(X_m,x_m)\) in K and a substitution \(\sigma \) witnessing the fact that \(\mathsf {r}_{\ell _1, \ldots , \ell _n} = \mathsf {r}_{\ell '_1\sigma , \ldots , \ell '_n\sigma }\in \mathcal {H}(K)\). Moreover, we know that f and \(\sigma \) match with \(\mathsf {exec}\) and \(R_1, \ldots , R_k\). Considering the symbolic recipes \(\hat{R}_1, \ldots , \hat{R}_k\) witnessing this matching, and instantiating their variables with adequate fresh constants (using \(\rho \)), we can show that \(\hat{R}_1\rho , \ldots , \hat{R}_k\rho \) are recipes that allow to perform the timed execution \(\ell '_1\rho , \ldots , \ell '_n\rho \). Note that thanks the strong relationship we have between \(R_1, \ldots , R_k\) and \(\hat{R_1}, \ldots , \hat{R_k}\) (by definition of matching, \(R_i = \hat{R_i}\sigma \)), we know that the resulting timing constraints gathered in the formula \(\psi \) due to inputs are less restrictive, and the other ones are essentially unchanged. This allows us to ensure that the formula \(\psi \) will be satisfiable. Now, applying Lemma 2, we can assume w.l.o.g. that recipes involved in such a trace are asap, and thus according to Theorem 2 will be considered by our procedure, and put in \(\overline{L_{i_1}}, \ldots , \overline{L_{i_p}}\) at line 6 of Algorithm 1.
7 Implementation and Case Studies
7.1 Integration in Akiss
Our syntax is very close to the one presented in Sect. 3. For sake of simplicity, we sometimes omit timestamps on input/output actions. Regarding our timing constraints, our syntax only allows linear expressions of the form \(z_1  z_2 \sim z_3\) with \(z_i\in \mathcal {Z}\cup \mathbb {R}^+\) and \(\sim \ \in \{=,<, \le \}\). These expressions are enough to model all our case studies. To ease the specification of protocols our tool support parallel composition of traces (\(T_1 \mid \mid T_2\)). This operator is syntactic sugar and can be translated to sets of traces in a straightforward way.
To mitigate the potential exponential blowup caused by this translation, we always favour let, equality, and test actions, as well as output actions when no timestamp occur on it. The second optimisation consists in executing input actions (without timestamps) in a raw. These optimisations will allow us to reduce the number of traces that have to be considered during our analysis, and are wellknown to be sound when verifying reachability properties [4, 30].
Example 13
Let \(P = (a, \mathsf {in}(x_1)).(a,\mathsf {in}(x_2).(a,\mathsf {out}(u)) \mid \mid (b, \mathsf {in}(x_3)).(b,\mathsf {out}(v))\). Computing naively all the possible interleavings will give us 10 traces to analyse. The first optimisation will allow us to reduce this number to 3, and together with the second optimisation, this number falls to 2.
7.2 Case Studies
In this section we demonstrate that our tool can be effectively used to analyse distance bounding protocols and payment protocols. Our experiments have been done on a standard laptop and the results obtained confirm termination of the saturation procedure when analysing various protocols (\(\times \) stands for attack, Open image in new window means that the protocol has been proved secure). We indicate the number of roles (running in parallel) we consider and the number of traces (due to all the possible interleaving of the roles) that have been analysed by the tool in order to conclude. Our algorithm stops as soon as an attack is found, and thus the number of possible interleavings is not relevant in this case.
We only consider two distinct topologies: one to analyse mafia fraud scenarios (2 honest agents far away with a malicious agent close to each honest agent) and one to analyse distance hijacking for which 3 agents are considered (malicious agent in the neighbourhood of the verifier on which the security property is encoded is not allowed). This may seem restrictive but it has been shown to be sufficient to capture all the possible attacks [19]. Our results are consistent with the ones obtained in [13, 14, 19, 26].
Distance Bounding Protocols. As explained in Sect. 2 on the TREAD protocol, we ignore several details that are irrelevant to a security analysis performed in the symbolic model. Moreover, our procedure is not yet able to support the exclusiveor operator and thus it has been modelled in an abstract way when analysing the protocols BC and SwissKnife. When no attack was found for 2 roles, we consider more roles (and thus more traces). The fact that the performances degrade when considering additional roles is not surprising and is clearly correlated with the number of traces that have to be considered.
Protocol  Mafia fraud  Distance hijacking  

roles/tr  time  status  roles/tr  time  status  
TREADAsym [2]  2/−  1 s  \(\times \)  2/−  1 s  \(\times \) 
SPADE [11]  2/−  2 s  \(\times \)  2/−  4 s  \(\times \) 
TREADSym [2]  4/7500  18 min  2/−  1 s  \(\times \)  
BC [10]  4/5635  37 min  2/−  1 s  \(\times \)  
SwissKnife [25]  3/1080  25 s  3/7470  4 min  
HK [23]  3/20  1 s  3/20  1 s  
4/3360  58 s  4/3360  47 s  
5/30240  14 min  5/30240  12 min 
8 Conclusion
We presented a novel procedure for reasoning about distance bounding protocols which has been integrated in the Akiss tool. Even though termination is not guaranteed, the tool did terminate on all practical examples that we have tested.
Directions for future work include improving performances of our tool and this can be achieved by parallelising our algorithm (each trace can actually be analysed independently) and/or proposing new techniques to reduce the number of interleavings. Another interesting direction would be to add the exclusiveor operator which is often used in distance bounding protocols. This will require a careful analysis of the completeness proof developed in [3] to check whether their resolution strategy is compatible with the changes done here to accommodate timing constraints.
References
 1.Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Proceedings of the 28th Symposium on Principles of Programming Languages (POPL 2001), pp. 104–115. ACM Press (2001)Google Scholar
 2.Avoine, G., et al.: A terroristfraud resistant and extractorfree anonymous distancebounding protocol. In: Proceedings of the 12th ACM Asia Conference on Computer and Communications Security (AsiaCCS 2017), pp. 800–814. ACM (2017)Google Scholar
 3.Baelde, D., Delaune, S., Gazeau, I., Kremer, S.: Symbolic verification of privacytype properties for security protocols with XOR. In: 2017 IEEE 30th Computer Security Foundations Symposium (CSF), pp. 234–248. IEEE (2017)Google Scholar
 4.Baelde, D., Delaune, S., Hirschi, L.: A reduced semantics for deciding trace equivalence. Log. Methods Comput. Sci. 13(2), 1–48 (2017)MathSciNetzbMATHGoogle Scholar
 5.Basin, D., Capkun, S., Schaller, P., Schmidt, B.: Formal reasoning about physical properties of security protocols. ACM Trans. Inf. Syst. Secur. (TISSEC) 14(2), 16 (2011)CrossRefGoogle Scholar
 6.Basin, D.A., Mödersheim, S., Viganò, L.: OFMC: a symbolic model checker for security protocols. Int. J. Inf. Secur. 4(3), 181–208 (2005)CrossRefGoogle Scholar
 7.Bhargavan, K., Blanchet, B., Kobeissi, N.: Verified models and reference implementations for the TLS 1.3 standard candidate. In: Proceedings of the 38th IEEE Symposium on Security and Privacy (S&P 2017), pp. 483–502 (2017)Google Scholar
 8.Blanchet, B.: Modeling and verifying security protocols with the applied pi calculus and ProVerif. Found. Trends Priv. Secur. 1(1–2), 1–135 (2016)Google Scholar
 9.Blanchet, B.: Symbolic and computational mechanized verification of the ARINC823 avionic protocols. In: Proceedings of the 30th IEEE Computer Security Foundations Symposium (CSF 2017), pp. 68–82. IEEE (2017)Google Scholar
 10.Brands, S., Chaum, D.: Distancebounding protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994). https://doi.org/10.1007/3540482857_30CrossRefGoogle Scholar
 11.Bultel, X., Gambs, S., Gerault, D., Lafourcade, P., Onete, C., Robert, J.: A proveranonymous and terroristfraud resistant distancebounding protocol. In: Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks, WISEC 2016, Darmstadt, Germany, 18–22 July 2016, pp. 121–133. ACM (2016)Google Scholar
 12.Chadha, R., Cheval, V., Ciobâcă, Ş., Kremer, S.: Automated verification of equivalence properties of cryptographic protocol. ACM Trans. Comput. Logic 23(4), 23:1–23:32 (2016)Google Scholar
 13.Chothia, T., de Ruiter, J., Smyth, B.: Modelling and analysis of a hierarchy of distance bounding attacks. In: Proceedings of the 27th USENIX Security Symposium (USENIX 2018), pp. 1563–1580. USENIX Association (2018)Google Scholar
 14.Chothia, T., Garcia, F.D., de Ruiter, J., van den Breekel, J., Thompson, M.: Relay cost bounding for contactless EMV payments. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 189–206. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662478547_11CrossRefGoogle Scholar
 15.ComonLundh, H., Cortier, V., Zălinescu, E.: Deciding security properties for cryptographic protocols. Application to key cycles. ACM Trans. Comput. Logic 11(2), 9 (2010)MathSciNetCrossRefGoogle Scholar
 16.ComonLundh, H., Delaune, S.: The finite variant property: how to get rid of some algebraic properties. In: Giesl, J. (ed.) RTA 2005. LNCS, vol. 3467, pp. 294–307. Springer, Heidelberg (2005). https://doi.org/10.1007/9783540320333_22CrossRefGoogle Scholar
 17.Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS 2017), pp. 1773–1788 (2017)Google Scholar
 18.Debant, A., Delaune, S.: Symbolic verification of distance bounding protocols. Research report, Univ Rennes, CNRS, IRISA, France, February 2019Google Scholar
 19.Debant, A., Delaune, S., Wiedling, C.: A symbolic framework to analyse physical proximity in security protocols. In: Proceedings of the 38th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2018). LIPICS (2018)Google Scholar
 20.Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. theory 29(2), 198–208 (1983)MathSciNetCrossRefGoogle Scholar
 21.Durgin, N., Lincoln, P., Mitchell, J., Scedrov, A.: Undecidability of bounded security protocols. In: Proceedings of the Workshop on Formal Methods and Security Protocols (FMSP 1999), Trento, Italy (1999)Google Scholar
 22.EMVCo: EMV contactless specifications for payment systems, version 2.6 (2016)Google Scholar
 23.Hancke, G.P., Kuhn, M.G.: An RFID distance bounding protocol. In: Proceedings of the 1st International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM 2005), pp. 67–73. IEEE (2005)Google Scholar
 24.Janssens, P.: Proximity check for communication devices. US Patent 9,805,228, 31 October 2017Google Scholar
 25.Kim, C.H., Avoine, G., Koeune, F., Standaert, F.X., Pereira, O.: The SwissKnife RFID distance bounding protocol. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 98–115. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642007309_7CrossRefGoogle Scholar
 26.Mauw, S., Smith, Z., ToroPozo, J., TrujilloRasua, R.: Distancebounding protocols: verification without time and location. In: Proceedings of the 39th IEEE Symposium on Security and Privacy (S&P 2018), pp. 152–169 (2018)Google Scholar
 27.Meadows, C., Poovendran, R., Pavlovic, D., Chang, L., Syverson, P.: Distance bounding protocols: authentication logic analysis and collusion attacks. In: Poovendran, R., Roy, S., Wang, C. (eds.) Secure Localization and Time Synchronization for Wireless Sensor and Ad Hoc Networks. ADIS, vol. 30, pp. 279–298. Springer, Boston (2007). https://doi.org/10.1007/9780387462769_12CrossRefGoogle Scholar
 28.Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642397998_48CrossRefGoogle Scholar
 29.Millen, J., Shmatikov, V.: Constraint solving for boundedprocess cryptographic protocol analysis. In: Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS 2001). ACM Press (2001)Google Scholar
 30.Mödersheim, S., Viganò, L., Basin, D.A.: Constraint differentiation: searchspace reduction for the constraintbased analysis of security protocols. J. Comput. Secur. 18(4), 575–618 (2010)CrossRefGoogle Scholar
 31.Nigam, V., Talcott, C., Aires Urquiza, A.: Towards the automated verification of cyberphysical security protocols: bounding the number of timed intruders. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 450–470. Springer, Cham (2016). https://doi.org/10.1007/9783319457413_23CrossRefGoogle Scholar
 32.Rusinowitch, M., Turuani, M.: Protocol insecurity with a finite number of sessions and composed keys is NPcomplete. Theoret. Comput. Sci. 299(1–3), 451–475 (2003)MathSciNetCrossRefGoogle Scholar
Copyright information
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.