Soundness of Removing Cancellation Identities in Protocol Analysis under Exclusive-OR

  • Sreekanth Malladi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6993)


In [Mil03, LM05], Millen-Lynch-Meadows proved that, under some restrictions on messages, including identities for canceling an encryption and a decryption within the same term during analysis is redundant; i.e., they will not lead to any new attacks that were not found without them. In this paper, we prove that slightly modified restrictions are sufficient to safely remove those identities, even when protocols contain operators, such as the notorious Exclusive-OR operator, that break the free algebra assumption with their own identities, in addition to the identities considered by Millen-Lynch-Meadows.


Keywords: Cryptographic protocol analysis; Free algebras; Equational theories; Constraint solving; Exclusive-OR


  1. [AN94]
    Abadi, M., Needham, R.: Prudent Engineering Practice for Cryptographic Protocols. In: Proc. IEEE Symposium on Research in Security and Privacy, pp. 122–136. IEEE Computer Society Press, Los Alamitos (1994)
  2. [BMV05]
    Basin, D., Mödersheim, S., Viganò, L.: Algebraic intruder deductions. In: Sutcliffe, G., Voronkov, A. (eds.) LPAR 2005. LNCS (LNAI), vol. 3835, pp. 549–564. Springer, Heidelberg (2005)
  3. [CD05]
    Comon-Lundh, H., Delaune, S.: The finite variant property: How to get rid of some algebraic properties. In: Giesl, J. (ed.) RTA 2005. LNCS, vol. 3467, pp. 294–307. Springer, Heidelberg (2005)
  4. [CDL06]
    Cortier, V., Delaune, S., Lafourcade, P.: A of algebraic properties used in cryptographic protocols. Journal of Computer Security 14(1), 1–43 (2006)
  5. [GT00]
    Guttman, J.D., Thayer, F.J.: Protocol Independence through Disjoint Encryption. In: 13th IEEE Computer Security Foundations Workshop, pp. 24–34 (July 2000)
  6. [HLS03]
    Heather, J., Lowe, G., Schneider, S.: How to prevent type flaw attacks on security protocols. Journal of Computer Security 11(2), 217–244 (2003)
  7. [HS02]
    Heather, J., Schneider, S.: Equal to the task? In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 162–177. Springer, Heidelberg (2002)
  8. [KT08]
    Küsters, R., Truderung, T.: Reducing protocol analysis with xor to the xor-free case in the horn theory based approach. In: ACM Conference on Computer and Communications Security, pp. 129–138 (2008)
  9. [LM05]
    Lynch, C., Meadows, C.: On the relative soundness of the free algebra model for public key encryption. Electr. Notes Theor. Comput. Sci. 125(1), 43–54 (2005)
  10. [Low99]
    Lowe, G.: Towards a completeness result for model checking of security protocols. Journal of Computer Security 7(2-3), 89–146 (1999)
  11. [Low04]
    Lowe, G.: Analysing protocols subject to guessing attacks. Journal of Computer Security 12, 83–98 (2004)
  12. [Mal10]
    Malladi, S.: Protocol independence through disjoint encryption under exclusive-or. In: Workshop on Foundations of Computer Security and Privacy, FCSPrivMod (2010)
  13. [Mea92]
    Meadows, C.: Applying formal methods to the analysis of a key management protocol. Journal of Computer Security 1(1), 5–36 (1992)
  14. [Mea96]
    Meadows, C.: Analyzing the Needham-Schroeder public-key protocol: A comparison of two approaches. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 351–364. Springer, Heidelberg (1996)
  15. [Mea03]
    Meadows, C.: Towards a hierarchy of cryptographic protocol specifications. In: FMSE 2003: Formal Methods in Security Engineering. ACM Press, New York (2003)
  16. [Mil03]
    Millen, J.: On the Freedom of Decryption. Information Processing Letters 86(6), 329–333 (2003)
  17. [ML09]
    Malladi, S., Lafourcade, P.: How to prevent type-flaw attacks under algebraic properties. In: Workshop on Security and Rewriting Techniques, Affiliated to CSF 2009 (July 2009)
  18. [MS01]
    Millen, J., Shmatikov, V.: Constraint solving for bounded-process cryptographic protocol analysis. In: Proc. ACM Conference on Computer and Communication Security, pp. 166–175. ACM Press, New York (2001)
  19. [RS98]
    Ryan, P.Y.A., Schneider, S.A.: An attack on a recursive authentication protocol. A cautionary tale. Inf. Process. Lett. 65(1), 7–10 (1998)
  20. [RS05]
    Ramanujam, R., Suresh, S.P.: Decidability of context-explicit security protocols. Journal of Computer Security 13, 135–165 (2005)
  21. [SEMM10]
    Sasse, R., Escobar, S., Meadows, C., Meseguer, J.: Protocol analysis modulo combination of theories: A case study in maude-npa. To Appear, Sixth International Workshop on Security and Trust Management (STM). ERCIM (European Research Consortium in Informatics and Mathematics) (2010)
  22. [THG98]
    Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: Why is a security protocol correct? In: Proc. IEEE Symposium on Research in Security and Privacy, pp. 160–171. IEEE Computer Society Press, Los Alamitos (1998)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Sreekanth Malladi (1)
  1. Dakota State University, Madison, USA
