Automated Verification of Equivalence Properties of Cryptographic Protocols

  • Rohit Chadha
  • Ştefan Ciobâcă
  • Steve Kremer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7211)


Indistinguishability properties are essential in formal verification of cryptographic protocols. They are needed to model anonymity properties, strong versions of confidentiality and resistance to offline guessing attacks, and can be conveniently modeled using process equivalences. We present a novel procedure to verify equivalence properties for a bounded number of sessions. Our procedure is able to verify trace equivalence for determinate cryptographic protocols. On determinate protocols, trace equivalence coincides with observational equivalence, which can therefore be automatically verified for such processes. When protocols are not determinate, our procedure can be used for both under- and over-approximations of trace equivalence, which proved successful on examples. The procedure can handle a large set of cryptographic primitives, namely those which can be modeled by an optimally reducing convergent rewrite system. Although we were unable to prove its termination, it has been implemented in a prototype tool and has been effectively tested on examples, some of which were outside the scope of existing tools.


Keywords (machine-generated, not supplied by the authors): Security Protocol; Label Transition System; Equivalence Property; Determinate Process; Horn Clause



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Rohit Chadha (1)
  • Ştefan Ciobâcă (1)
  • Steve Kremer (1, 2)

  1. LSV, ENS Cachan & CNRS & INRIA, France
  2. INRIA Nancy - Grand-Est, France
