A Formal Definition of Protocol Indistinguishability and Its Verification Using Maude-NPA

  • Sonia Santiago
  • Santiago Escobar
  • Catherine Meadows
  • José Meseguer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8743)


Intuitively, two protocols \({\mathcal P}_1\) and \({\mathcal P}_2\) are indistinguishable if an attacker cannot tell the difference between interactions with \({\mathcal P}_1\) and with \({\mathcal P}_2\). In this paper we: (i) propose an intuitive notion of indistinguishability in Maude-NPA; (ii) formalize such a notion in terms of state unreachability conditions on their synchronous product; (iii) prove theorems showing how, assuming the protocol's algebraic theory has a finite variant (FV) decomposition, these conditions can be checked by the Maude-NPA tool; and (iv) illustrate our approach with concrete examples. This provides for the first time a framework for automatic analysis of indistinguishability modulo as wide a class of algebraic properties as FV, which includes many associative-commutative theories of interest to cryptographic protocol analysis.
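The abstract's central move is to turn a hyperproperty (an attacker cannot tell two protocols apart) into a reachability question on a single system: run the two protocols in lockstep under the same attacker choices and ask whether a state is reachable in which the attacker's observations differ. The following Python program is an added illustration of that idea and is not the Maude-NPA tool, the paper's formalization, or the paper's examples. Everything in it is an assumption of the illustration: a tiny convergent theory (dec(enc(m,k),k) = m, fst(pair(a,b)) = a, snd(pair(a,b)) = b) in place of a general FV decomposition, protocols given as strands that only send messages, the attacker's tests restricted to equalities between recipes of depth at most one over the messages it has seen, and a forward explicit-state search instead of Maude-NPA's backwards narrowing. The two protocol pairs at the bottom are constructed for the example.

```python
"""Indistinguishability as reachability on a synchronous product (toy version).

Added illustration; NOT the Maude-NPA tool or the paper's formalization.
Assumptions (all made here): a tiny convergent theory dec(enc(m,k),k) = m,
fst(pair(a,b)) = a, snd(pair(a,b)) = b; protocols given as strands that only
send messages; attacker tests limited to equalities between recipes of depth
at most one; forward explicit-state search instead of backwards narrowing.
"""
from collections import deque
from itertools import combinations, product

ATTACKER_ATOMS = ('i',)   # names the attacker knows from the start (assumed)


def normalize(t):
    """Normal form of a term under the toy theory; atoms are strings,
    applications are tuples ('f', arg1, ...)."""
    if isinstance(t, str):
        return t
    f, *args = t
    args = tuple(normalize(a) for a in args)
    if f == 'dec' and isinstance(args[0], tuple) and args[0][0] == 'enc' and args[0][2] == args[1]:
        return args[0][1]
    if f in ('fst', 'snd') and isinstance(args[0], tuple) and args[0][0] == 'pair':
        return args[0][1 if f == 'fst' else 2]
    return (f,) + args


def recipe_values(frame):
    """Map every attacker recipe (depth <= 1) over the handles w1..wn of the
    messages observed so far, plus the attacker's own atoms, to its value."""
    base = {f'w{i + 1}': m for i, m in enumerate(frame)}
    base.update({a: a for a in ATTACKER_ATOMS})
    values = dict(base)
    for (r1, v1), (r2, v2) in product(base.items(), repeat=2):
        for f in ('dec', 'enc', 'pair'):
            values[f'{f}({r1},{r2})'] = normalize((f, v1, v2))
    for r, v in base.items():
        for f in ('fst', 'snd'):
            values[f'{f}({r})'] = normalize((f, v))
    return values


def distinguishing_test(frame1, frame2):
    """An equality test r1 = r2 that holds in exactly one of the two runs,
    or None if both frames pass the same bounded tests."""
    v1, v2 = recipe_values(frame1), recipe_values(frame2)
    for a, b in combinations(sorted(v1), 2):
        if (v1[a] == v1[b]) != (v2[a] == v2[b]):
            return (a, b)
    return None


def indistinguishable(p1, p2):
    """Explore the synchronous product of p1 and p2 (same strand shape; the
    attacker advances the same strand in both) and return a witness
    {'schedule', 'test', 'frame1', 'frame2'} for a distinguishing state,
    or None if no such state is reachable."""
    if [len(s) for s in p1] != [len(s) for s in p2]:
        raise ValueError('protocols must have the same strand shape')
    start = tuple(0 for _ in p1)
    queue = deque([(start, (), (), ())])
    seen = {((), ())}
    while queue:
        pos, f1, f2, sched = queue.popleft()
        test = distinguishing_test(f1, f2)
        if test is not None:
            return {'schedule': list(sched), 'test': test,
                    'frame1': list(f1), 'frame2': list(f2)}
        for i, k in enumerate(pos):
            if k < len(p1[i]):
                n1 = f1 + (normalize(p1[i][k]),)
                n2 = f2 + (normalize(p2[i][k]),)
                if (n1, n2) in seen:
                    continue
                seen.add((n1, n2))
                queue.append((pos[:i] + (k + 1,) + pos[i + 1:], n1, n2, sched + (i,)))
    return None


# Constructed protocols (not from the paper). Strand 0 sends a ciphertext and
# then a nonce; strand 1 leaks the key k. In the right-hand variant the clear
# nonce is replaced by an unrelated name m.
P_LEAK = ((('enc', 'n', 'k'), 'n'), ('k',))
P_LEAK_OTHER = ((('enc', 'n', 'k'), 'm'), ('k',))
# The same pair without the key-leaking strand.
P_HIDE = ((('enc', 'n', 'k'), 'n'),)
P_HIDE_OTHER = ((('enc', 'n', 'k'), 'm'),)

if __name__ == '__main__':
    print(indistinguishable(P_LEAK, P_LEAK_OTHER))   # witness: test dec(w1,w3) = w2
    print(indistinguishable(P_HIDE, P_HIDE_OTHER))   # None
```

With the key-leaking strand the search reaches a product state whose frames are [enc(n,k), n, k] and [enc(n,k), m, k]; the test dec(w1,w3) = w2 succeeds on the left and fails on the right, so the attacker distinguishes the two. Without that strand no reachable state admits such a test under the bounded recipes, and the function returns None. The bounded recipe depth is the price of keeping this explicit-state toy finite; the paper's contribution is precisely that, for theories with an FV decomposition, Maude-NPA's narrowing-based search makes the corresponding unreachability check automatic without such an ad hoc bound.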







Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Sonia Santiago (1)
  • Santiago Escobar (1)
  • Catherine Meadows (2)
  • José Meseguer (3)
  1. DSIC-ELP, Universitat Politècnica de València, Spain
  2. Naval Research Laboratory, Washington, USA
  3. University of Illinois at Urbana-Champaign, USA
