A Formal Definition of Protocol Indistinguishability and Its Verification Using Maude-NPA

  • Sonia Santiago
  • Santiago Escobar
  • Catherine Meadows
  • José Meseguer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8743)


Intuitively, two protocols \({\mathcal P}_1\) and \({\mathcal P}_2\) are indistinguishable if an attacker cannot tell the difference between interactions with \({\mathcal P}_1\) and with \({\mathcal P}_2\). In this paper we: (i) propose an intuitive notion of indistinguishability in Maude-NPA; (ii) formalize such a notion in terms of state unreachability conditions on their synchronous product; (iii) prove theorems showing how, assuming the protocol's algebraic theory has a finite variant (FV) decomposition, these conditions can be checked by the Maude-NPA tool; and (iv) illustrate our approach with concrete examples. This provides for the first time a framework for automatic analysis of indistinguishability modulo as wide a class of algebraic properties as FV, which includes many associative-commutative theories of interest to cryptographic protocol analysis.





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Sonia Santiago (1)
  • Santiago Escobar (1)
  • Catherine Meadows (2)
  • José Meseguer (3)

  1. DSIC-ELP, Universitat Politècnica de València, Spain
  2. Naval Research Laboratory, Washington, USA
  3. University of Illinois at Urbana-Champaign, USA