Verification of Security Protocols with Lists: From Length One to Unbounded Length

  • Miriam Paiola
  • Bruno Blanchet
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7215)


We present a novel, simple technique for proving secrecy properties for security protocols that manipulate lists of unbounded length, for an unbounded number of sessions. More specifically, our technique relies on the Horn clause approach used in the automatic verifier ProVerif: we show that if a protocol is proven secure by our technique with lists of length one, then it is secure for lists of unbounded length. Interestingly, this theorem relies on approximations made by our verification technique: in general, secrecy for lists of length one does not imply secrecy for lists of unbounded length. Our result can be used in particular to prove secrecy properties for group protocols with an unbounded number of participants and for some XML protocols (web services) with ProVerif.





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Miriam Paiola (1)
  • Bruno Blanchet (1)
  1. INRIA, École Normale Supérieure, CNRS, Paris, France
