Symbolic verification of distance bounding protocols

. With the proliferation of contactless applications, obtaining reliable information about distance is becoming an important security goal, and speciﬁc protocols have been designed for that purpose. These protocols typically measure the round trip time of messages and use this information to infer a distance. Formal methods have proved their usefulness when analysing standard security protocols such as conﬁdentiality or authentication protocols. However, due to their abstract communication model, existing results and tools do not apply to distance bounding protocols. In this paper, we consider a symbolic model suitable to analyse distance bounding protocols, and we propose a new procedure for analysing (a bounded number of sessions of) protocols in this model. The procedure has been integrated in the Akiss tool and tested on various distance bounding and payment protocols (e.g. MasterCard, NXP).


Introduction
In recent years, contactless communications have become ubiquitous.They are used in various applications such as access control cards, keyless car entry systems, payments, and many other applications which often require some form of authentication, and rely for this on security protocols.In addition, contactless systems aims to prevent against relay attacks in which an adversary mount an attack by simply forwarding messages he receives: ensuring physical proximity is a new security concern for all these applications.Formal modelling and analysis techniques are well-adapted for verifying security protocols, and nowadays several verification tools exist, e.g.ProVerif [8], Tamarin [27].They aim at discovering logical attacks, and therefore consider a symbolic model in which cryptographic primitives are abstracted by function symbols.Since its beginning in 80s, a lot of progress has been done in this area, and it is now a common good practice to formally analyse protocols using symbolic techniques in order to spot flaws possibly before their deployment, as it was recently done e.g. in TLS 1.3 [17,7], or for an avionic protocol [9].These symbolic techniques are based on the so-called Dolev Yao model [19].In such a model, the attacker is supposed to control the entire network.He can send any message he is able to build using his current knowledge, and this message will reach its final destination instantaneously.This model is accurate enough to analyse many security protocols, e.g.authentication protocols, e-voting protocols, . . .However, to analyse protocols that aim to prevent against relay attacks, some features need to be modelled in a more faithful way.Among them: network topology: any pair of nodes can communicate but depending on their distance, exchanging messages take more or less time.We will simply assume that the time needed is proportional to the distance between the two agents, and that messages can not travel faster than the speed of the light.-timing constraints: protocols that aim to prevent against relay attacks typically rely on a rapid phase in which time measurements are performed.Our framework will allow us to model these time measurements through the use of timestamps put on each action.
There are some implications on the attacker model.Since communications take time, it may be interesting to consider several malicious nodes.We will assume that malicious nodes collaborate but again messages can not travel (even between malicious nodes) faster than the speed of the light.
Akiss in a nutshell.The procedure we present in this paper builds on previous work by Chadha et al. [12], and its implementation in the tool Akiss.Akiss allows automated analysis of privacy-type properties (modelling as equivalences) when restricted to a bounded number of sessions.Cryptographic primitives may be defined through arbitrary convergent equational theories that have the finite variant property.This class includes standard cryptographic primitives as well as less commonly supported primitives such as blind signatures and zero knowledge proofs.Termination of the procedure is guaranteed for subterm convergent theories, but also achieved in practice on several examples outside this class.
The procedure behind Akiss is based on an abstract modelling of symbolic traces into first-order Horn clauses: each symbolic trace is translated into a set of Horn clauses called seed statements, and a dedicated resolution procedure is applied on this set to construct a set of statements which have a simple form: the so-called solved statements.Once the saturation of the set of seed statements is done, it is possible to decide, based solely on those solved statements, whether processes under study are equivalent or not.
Even if we are considering reachability properties (here authentication with physical proximity), in order to satisfy timing constraints, we may need to consider recipes that are discarded when performing a classical reachability analysis.Typically, in a classical reachability analysis, there is no need to consider two recipes that deduce the same message.The main advantage of Akiss is the fact that, since its original goal is to deal with equivalence, it considers more (actually almost all possible) recipes when performing the security analysis.Moreover, even if the tool has been designed to deal with equivalence-based properties, the first part of the Akiss procedure consists in computing a knowledge base which is in fact a finite representation of all possible traces (including recipes) executable by the process under study.We build on this saturation procedure in this work.
Our contributions.We design a new procedure for verifying reachability properties for protocols written in a calculus sharing many similarities with the one introduced in [18], and that gives us a way to model faithfully distance bounding protocols.Our procedure follows the general structure of the original one described in [12].We first model protocols as traces (see Section 3), and then translate them into Horn clauses (see Section 4).A direct generalisation would consist of keeping the saturation procedure unchanged, and simply modifying the algorithm to check the satisfiability of our additional timing constraints at the end.However, as discussed in Section 5, such a procedure would not be complete for our purposes.We therefore completely redesign the update function used during the saturation procedure using a new strategy to forbid certain steps that would otherwise systematically yield to non-termination in our final algorithm.Showing these statements are indeed unnecessary requires essential changes in the proofs of completeness of the original procedure.
This new saturation procedure yields an effective method for checking reachability properties in our calculus (see Section 6).Although termination of saturation is not guaranteed in theory, we have implemented our procedure and we have demonstrated its effectiveness on various examples.We report on our implementation and the various case studies we have performed in Section 7.
As we were unable to formally establish completeness of the procedure as implemented in the original Akiss tool (due to some mismatches between the procedure described in [12] and its implementation), we decided to bring the theory closer to the practice, and this explains several differences between our seed statements and those described originally in [12].

Background
We start by providing some background regarding distance bounding protocols.For illustrative purposes, we present a slightly simplified version of the TREAD protocol [2] together with the attack discovered by [25] (relying on the Tamarin prover).This protocol will be used along the paper as a running example.

Distance bounding protocols
Distance bounding protocols are cryptographic protocols that enable a verifier V to establish an upper bound on the physical distance to a prover P .They are typically based on timing the delay between sending out a challenge and receiving back the corresponding response.The first distance bounding protocol was proposed by Brands and Chaum [10], and since then various protocols have been proposed.In general, distance bounding protocols are made of two or three phases, the second one being a rapid phase during which the time measurement is performed.To improve accuracy, this challenge/response exchange during which the measurement is performed is repeated several times, and often performed at the bit level.Symbolic analysis does not allow us to reason at this level, and thus the rapid phase will be abstracted by a single challenge/response exchange, and operations done at bit level will be abstracted too.
For illustration purposes, we consider the TREAD protocol.As explained before, we ignore several details that are irrelevant to our symbolic security analysis, and we obtain the protocol described in Figure 1.First, the prover generates a nonce γ, and computes the signature σ with his own key.This signature is sent to V encrypted with the public key of V .Upon reception, the verifier decrypts the message and checks the signature.Then, the verifier sends a nonce m, and starts the rapid phase during which he sends a challenge c to the prover.The protocol ends successfully if the answer given by the prover is correct and arrived before a predefined threshold.

Attacks on distance bounding protocols
Typically, an attack occurs when a verifier is deceived into believing it is colocated with a given prover whereas it is not.Attacker may replay, relay and build new messages, as well as predict some timed challenges.Since the introduction of distance bounding protocols, various kinds of attacks have emerged, e.g.distance fraud, mafia fraud, distance hijacking attack, . . .For instance, a distance fraud only consider a dishonest prover who tries to authenticate remotely, whereas a distance hijacking scenario allows the dishonest prover to take advantage of honest agents in the neighbourhood of the verifier.
The TREAD protocol is vulnerable to a mafia fraud attack: an honest verifier v may end successfully a session with an honest prover p thinking that this prover p is in his vicinity whereas p is actually far away.The attack is described in Figure 1.After learning γ and a signature σ = sign(γ, sk p ), the malicious agent i will be able to impersonate p.At the end, the verifier v will finish his session correctly thinking that he is playing with p (who is actually far away).

Symbolic security analysis
The first symbolic framework developed to analyse distance bounding protocols is probably the one proposed in [26].Since then, several formal symbolic models have been proposed: e.g. a model based on multiset rewriting rules has been proposed in [5], another one based on strand spaces is available in [30].However, these models do not come with a procedure allowing one to analyse distance bounding protocols in an automatic way.Recently, some attempts have been done to rely on existing automatic verification tools, e.g.ProVerif [18,13] or Tamarin [25].Those tools typically consider an unbounded number of sessions, and some approximations are therefore performed to tackle this problem wellknown to be undecidable [20].
Here, following the long line of research on symbolic verification for a bounded number of sessions which is a problem well-known to be decidable [31,28] and for which automatic verification tools have been developed (e.g.OFMC [6], Akiss [12]), we aim to extend this approach to distance bounding protocols.

A security model dealing with time and location
We assume that our cryptographic protocols are modelled using a simple process calculus sharing some similarities with the applied-pi calculus [1], and strongly inspired by the calculus introduced in [18].

Term algebra
As usual in symbolic models, we represent messages using a term algebra.We consider a set N of names split into two disjoint sets: the set N pub of public names which contains the set A of agent names, and the set N priv of private names.We consider the set X of message variables, denoted x, y, . .., as well as a set W of handles: W = {w 1 , w 2 , . ..}. Variables in X model arbitrary data expected by the protocol, while variables in W are used to store messages learnt by the attacker.Given a signature Σ, i.e. a finite set of function symbols together with their arity, and a set of atomic data At, we denote T (Σ, At) the set of terms built from At using function symbols in Σ.Given a term u, we denote st(u) the set of the subterms occurring in u, and vars(u) the set of variables occurring in u.A term u is ground when vars(u) = ∅.Then, we associate an equational theory E to the signature Σ which consists of a finite set of equations of the form u = v with u, v ∈ T (Σ, X ), and induces an equivalence relation over terms denoted = E .
Example 1. Σ ex = {aenc, adec, pk, sign, getmsg, check, ok, , proj 1 , proj 2 , h} allows us to model the cryptographic primitives used in the TREAD protocol presented in Section 2. The function symbols aenc and adec of arity 2 model asymmetric encryption, whereas sign, getmsg, check, and ok are used to model signature.The term pk(sk) represents the public key associated to the private key sk.We have function symbols to model pairs and projections, as well as a function h of arity 3 to model hashes.The equational theory E ex associated to the signature Σ ex is the relation induced by: check(sign(x, y), pk(y)) = ok proj 1 ( x, y ) = x adec(aenc(x, pk(y)), y) = x getmsg(sign(x, y)) = x proj 2 ( x, y ) = y We consider equational theories that can be represented by a convergent rewrite system, i.e. we assume that there is a confluent and terminating rewrite system such that: u = E v ⇔ u↓ = v↓ for any terms u and v where t↓ denotes the normal form of t.Moreover, we assume that such a rewrite system has the finite variant property as introduced in [16].This means that given a sequence t 1 , . . ., t n of terms, it is possible to compute a finite set of substitutions, denoted variants(t 1 , . . ., t n ), such that for any substitution ω, there exist σ ∈ variants(t 1 , . . ., t n ) and τ such that: t 1 ω↓, . . ., t n ω↓ = (t 1 σ)↓τ, . . ., (t n σ)↓τ .Many equational theories enjoy this property, e.g.symmetric/asymmetric encryptions, signatures and blind signatures, as well as zero-knowledge proofs.
Moreover, this finite variant property implies the existence of a finite and complete set of unifiers and gives us a way to compute it effectively.Given a set U of equations between terms, a unifier (modulo a rewrite system R) is a substitution σ such that sσ↓ = s ′ σ↓ for any equation s = s ′ in U .A set S of unifiers is said to be complete for U if for any unifier σ, there exists θ ∈ S and τ such that σ = τ • θ.We denote csu R (U ) such a set.We will rely on these notions of variants and csu in our procedure (see Section 4).
Example 2. The finite variant property is satisfied by the rewrite system R ex obtained by orienting from left to right equations in E ex .
An attacker builds her own messages by applying function symbols to terms she already knows and which are available through variables in W. Formally, a computation done by the attacker is a recipe, i.e. a term in T (Σ, W ∪N pub ∪R + ).

Timing constraints
To model time, we will use non-negative real numbers R + , and we may allow various operations (e.g.+, −, ×, . . .).A time expression is constructed in-ductively by applying arithmetic symbols to time expressions starting with the initial set R + and an infinite set Z of time variables.Then, a timing constraint is typically of the form t 1 ∼ t 2 with ∼ ∈ {<, ≤, =}.We do not constraint the operators since our procedure is generic in this respect provided we have a way to decide whether a set of timing constraints is satisfiable or not.In practice, our tool (see Section 7) will only be able to consider simple linear timing constraints.
Example 3. When modelling distance bounding protocols, we will typically consider a timing constraint of the form z 2 −z 1 < t with z 1 , z 2 ∈ Z and t ∈ R + .This constraint expresses that the time elapsed between the emission of a challenge and the receipt of the corresponding answer is at most t.

Process algebra
We assume that cryptographic protocols are modelled using a simple process algebra.Following [12], we only consider a minimalistic core calculus.In particular, we do not introduce the new operator and we do not explicitly model the parallel operator.Since we only consider a bounded number of sessions (i.e. a calculus with no replication), this is at no loss of expressivity.We can simply assume that fresh names are generated from the beginning and parallel composition can be added as syntactic sugar to denote the set of all interleavings.
Syntax.We model a protocol as a finite set of traces.A trace T is a finite sequence (possibly empty and denoted ǫ in this case) of pairs, i.e.T = (a 1 , a 1 ). . . ..(a n , a n ) where each a i ∈ A, and a i is an action of the form: As usual, we have output and input actions.An input action acts as a binding construct for both x and z, whereas an output action acts as a binding construct for z only.For sake of clarity, we will omit the time variable z when we do not care of the precise time at which the input (resp.output) action has been performed.As usual, our calculus allows one to perform some tests on received messages, and it is also possible to extract a timestamp from a received message and perform some tests on this extracted value using timing constraints.Typically, this will allow us to model an agent that will stop executing the protocol in case an answer arrives too late.
We assume the usual definitions of free and bound variables for traces, and we assume that each variable is at most bound once.Note that, in the constructs presented above, the variables z, x are bound.Given a set V of variables, a trace is locally closed w.r.t.V if for any agent a, the trace obtained by considering actions executed by agent a does not contain free variables among those in V.Such an assumption, sometimes called origination [15,6], is always satisfied when considering traces obtained by interleaving actions of a protocol.Therefore, we will only consider traces that are locally closed w.r.t.both X and Z.
Contrary to the calculus introduced in [18] which assumes that there is at most one timer per thread, we are more flexible.This generalisation is not mandatory to analyse our case studies but it allows us to present our result on traces and greatly simplifies the theoretical development.
Example 4. Following our syntax, the trace corresponding to the role of the verifier played by v with p is modelled as follows: where Of course, when performing a security analysis, other traces have to be considered.Typically, we may want to consider several instances of each role, and we will have to generate traces corresponding to all the possible interleavings of the actions composing these roles.
Semantics.The semantics of a trace is given in terms of a labeled transition system over configurations of the form (T ; Φ; t), and is parametrised by a topology reflecting the fact that interactions between agents depend on their location.Definition 1.A topology is a tuple T 0 = (A 0 , M 0 , Loc 0 ) where A 0 ⊆ A is the finite set of agents composing the system, M 0 ⊆ A 0 represents those that are malicious, and Loc 0 : A 0 → R 3 defines the position of each agent in the space.
In our model, the distance between two agents is given by the time it takes for a message to travel from one to another.We have that: for any a, b ∈ A 0 with • : R 3 → R the Euclidean norm and c 0 the transmission speed.We suppose, from now on, that c 0 is a constant for all agents, and thus an agent a can recover, at time t + Dist T0 (a, b), any message emitted by the agent b before t ∈ R + .Definition 2. Given a topology T 0 = (A 0 , M 0 , Loc 0 ), a configuration over T 0 is a tuple (T ; Φ; t) where T is a trace locally closed w.r.t.X and Z composed of actions (a, a) with a ∈ A 0 , t ∈ R + , and Intuitively, T represents the trace that still remains to be executed; Φ represents the messages that have been outputted so far; and t is the global time.The precise location of each agent is not relevant, only the distance between them matters.Here Dist T0 (v, i) < t 0 whereas Dist T0 (v, p) ≥ t 0 .
We have that v is playing the verifier's role with p (who is far away).We do not consider any prover's role but we assume that p (acting as a prover) has started a session with i and thus the corresponding encryption (here γ ∈ N priv ) has been added to the knowledge of the attacker (handle w 3 ).We also assume that sk i ∈ N priv , the private key of the agent i ∈ M 0 , is known by the attacker.A more realistic configuration would include other instances of the prover and the verifier roles and will probably give more knowledge to the attacker.This simple configuration is actually sufficient to retrieve the attack presented in Section 2.2.
We write ⌊Φ⌋ t a for the restriction of Φ to the agent a at time t, i.e.: ⌊Φ⌋ Our labeled transition system is given in Figure 2 and relies on labels ℓ which can be either equal to the unobservable τ action or of the form (a, a) with a ∈ A, and a ∈ {test, eq} ∪ {in(u), out(u The TIM rule allows time to elapse and is labeled with τ (often omitted for sake of simplicity).The OUT rule allows an output action to be executed, and the outputted term will be added to the frame.Rule EQ is used to perform some tests, and those tests are evaluated modulo the equational theory.Then, the LET rule allows us to evaluate a term that is supposed to contain a real number, and could then be used in a timing constraint through the variable z.Then, we have a rule to evaluate a timing constraint.The IN rule allows an agent a to execute an input: the received message u has been sent at time t b by an agent b who was in possession of the message at that time.In case b is a malicious agent, i.e. b ∈ M 0 , the message u may have been forged through a recipe R, and b has to be in possession of all the necessary information at that time.The variable z is used to store the time at which this action has been executed.Example 6. Continuing Example 5, we may consider the following execution which aims to mimic the trace developed in Section 2: The first arrow corresponds to an application of the rule TIM with delay δ 0 ≥ Dist T0 (p, i) + Dist T0 (i, v).Then, the IN rule is triggered considering that the message t aenc = aenc( γ, sign(γ, sk p ) , pk(sk v )) is sent by i at time t i such that Dist T0 (p, i) ≤ t i ≤ δ 0 − Dist T0 (i, v).Such a message t aenc can indeed be forged by i at time t i (using recipe R = aenc(adec(w 3 , w 2 ), w 1 )) and thus be ).

Fig. 2: Semantics of our calculus
received by v at time δ 0 .Then, tests performed by v are evaluated successfully, v outputs m, and we reach the configuration K rapid = (T rapid ; Φ rapid ; δ 0 ) where: - We can pursue this execution as follows: The second arrow is an application of the rule TIM with delay 2Dist T0 (v, i) so that h(c, m, γ) can be received by v at time δ 0 +2Dist T0 (v, i).Since Dist T0 (v, i) < t 0 , the timing constraint is true and the last action can be executed.
The goal of this paper is to propose a new procedure for analysing a bounded number of sessions of distance bounding protocols.Once the topology is fixed, the existence of an attack can be directly encoded as a reachability property considering a finite set of traces.The following sections are thus dedicated to the study of the following problem: Input: A trace T locally closed w.r.t.X and Z, t 0 ∈ R + , and a topology T 0 .Output: Do there exist ℓ 1 , . . ., ℓ n , Φ, and t such that (T ; ∅; t 0 ) ℓ1...,ℓn −−−−→ T0 (ǫ; Φ; t)?

Modelling using Horn clauses
Following the approach developed in Akiss [12], our procedure is based on an abstract modelling of a trace in first-order Horn clauses.Our set of seed statements is more in line with what has been implemented in Akiss for optimisation purposes rather than what is presented in [12].

Preliminaries
We consider symbolic runs which are finite sequences of pairs with possibly a run variable typically denoted y at its ends.We have that each pair (a, a) is such that a ∈ A and a is an action of the form (with u ∈ T (Σ, N ∪ R + ∪ X )): Excluding the special variable y, a symbolic run (a 1 , a 1 ). . . ..(a n , a n ), only contains variables from the set X .We say that it is locally closed if whenever a variable x occurs in an output action (resp.let action) a j , then there exists an input action a i occurring before (i.e.i < j) such that a i = a j and x ∈ vars(a i ).Symbolic runs are often denoted w, w ′ , . .., and we write w ⊑ w ′ when the sequence w is a prefix of w ′ .Given a symbolic run w 0 whose sequence of outputs is out(u 1 ) We also consider symbolic recipes which are terms in T (Σ, W ∪ N pub ∪ Y) where Y is a set of recipe variables disjoint from X and W. We use capital letters X, Y , and Z to range over Y.
Example 7. We consider the following symbolic run: Our logic is based on two predicates expressing deduction and reachability without taking into account timing constraints.More formally, given a configuration (T ; Φ; t), its untimed counterpart is (T ; φ) where φ is the untimed counterpart of Φ, i.e. a frame of the form: φ = {w 1 → u 1 , . . ., w n → u n }.The relaxed semantics over untimed configurations is given in Figure 3. Since time variables (from Z) are not instantiated during a relaxed execution, in an untimed configuration (T ; φ), the trace T is only locally closed w.r.t.X .Our predicates are: a reachability predicate: r w holds when the run w is executable.
a deduction predicate: k w (R, u) holds if the message u can be built using the recipe R ∈ T (Σ, N pub ∪ R + ∪ W) by an attacker using the outputs available after the execution of w (if this execution is possible).
Formally, we have that: This semantics is extended as usual to first-order formulas built using the usual connectives (e.g.conjunction, quantification, ...) Example 8.The frame φ 0 below is the untimed counterpart of Φ 0 : We have that (T ex ; φ 0 ) tr (ǫ; φ final ) where φ final is the untimed counterpart −−→ c}, and tr is the same sequence of labels as the one developed in Example 6, i.e.

Seed statements
We consider particular Horn clauses which we call statements.Definition 3. A statement is a Horn clause: H ⇐ k w1 (X 1 , u 1 ), . . ., k wn (X n , u n ) with H ∈ {r w0 , k w0 (R, u)} and such that: w 0 , . . ., w n are symbolic runs locally closed, w i ⊑ w 0 for any i ∈ {1, . . ., n}; In the above definition, we implicitly assume that all variables are universally quantified, i.e., all statements are ground.By abuse of language we sometimes call σ a grounding substitution for a statement H ⇐ (B 1 , . . ., B n ) when σ is grounding for each of the atomic formulas H, B 1 , . . ., B n .The skeleton of a statement f , denoted skl(f ), is the statement where recipes are removed.Our definition of statement is in line with the original one proposed in [12] but we state an additional invariant used to establish the completeness of our procedure.
In order to define our set of seed statements, we have to fix some naming conventions.Given a trace T of the form (a 1 , a 1 ).(a 2 , a 2 ). . . ..(a n , a n ), we assume w.l.o.g. the following naming conventions: ) for all τ ∈ variantsR(ℓ1σ, . . ., ℓmσ) 1. if a i is a receive action, then a i = in zi (x i ), and ℓ i = (a i , in(x i )); 2. if a i is a send action, then a i = out zi (u i ), and and and i , and ℓ i = (a i , test).For each m ∈ {0, . . ., n}, the sets Rcv(m), Snd(m), Eq(m), Let(m), and Test(m) respectively denote the set of indexes of the receive, send, equality, let, and test actions amongst a 1 , . . ., a m .We denote by |S| the cardinality of S.
Given a set C ⊆ N pub ∪ R + , the set of seed statements associated to T and C, denoted seed(T, C), is defined in Figure 4.If C = N pub ∪ R + , then seed(T, C) is said to be the set of seed statements associated to T and in this case we write seed(T ) as a shortcut for seed(T, N pub ∪ R + ).When computing seed statements, we compute complete sets of unifiers and complete sets of variants modulo R.This allows us to get rid of the rewrite system in the remainder of our procedure and then only consider unification modulo the empty equational theory.In this case, it is well-known that (when it exists) csu ∅ (U ) is uniquely defined up to some variable renaming, and we write mgu(u .(p, out(u)) and u = aenc( γ, sign(γ, sk p ) , pk(sk i )).The set seed(T + ex , ∅) contains among others the statement f 1 , f 2 , f 3 , and f 4 given below: where w 0 is given in Example 7, and w 5 0 is the prefix of w 0 of size 5. Statement f 1 expresses that the trace is executable (in the relaxed semantics) as soon as we are able to deduce the two terms requested in input, f 2 says that the attacker knows the term u as soon asT 0 has been executed.The two remaining statements model the fact that an attacker can apply the decryption algorithm on any terms he knows (statement f 3 ), and this will give him access to the plaintext when the right key is used (statement f 4 ).

Soundness and completeness
We now show that as far as the timing constraints are ignored, the set seed(T ) is a sound and complete abstraction of a trace.Moreover, we have to ensure that the proof tree witnessing the existence of a given predicate in H(seed(T )) matches with the relaxed execution we have considered.This is mandatory to establish the completeness of our procedure.Definition 4. Given a set K of statements, H(K) is the smallest set of ground facts such that: . ., n}, and w 0 the world associated to H with v 1 , . . ., v k ′ the terms occurring in input in w 0 .We say that such an instance of Conseq matches with exec = (T ; ∅) ℓ1,...,ℓp (S; φ) using R 1 , . . ., R k as input recipes if w 0 σ ⊑ ℓ 1 , . . ., ℓ p , and there exist R1 , . . ., Rk ′ such that: This notion of matching is extended to a proof tree π as expected, meaning that all the instances of Conseq used in π satisfy the property.
Actually, the completeness of our procedure will be established w.r.t. a subset of recipes, namely uniform recipes.We establish that an execution of a trace T 0 which only involves uniform recipes has a counterpart in H(seed(T 0 )) which is uniform too.
Given a set K of statements, we say that a set {π 1 , . . ., π n } of proof trees in We are now able to state our soundness and completeness result.
Theorem 1.Let T 0 be a trace locally closed w.r.t.X .).Moreover, we may assume that the proof tree witnessing these facts are uniform and match with exec using R 1 , . . ., R k as input recipes.

Saturation
At a high level, our procedure consists of two steps: 1. a saturation procedure which constructs a set of solved statements from the set seed(T ); and 2. an algorithm which uses the solved statements obtained by saturation to check whether timing constraints are satisfied.This is needed to ensure that the execution obtained at step 1 is truly executable in our timed model.

Saturation procedure
We start by describing our saturation procedure.It manipulates a set of statements called a knowledge base.
f is said to be well-formed if whenever it is solved and H = k w (R, u), we have that u ∈ X .
A set of well-formed statements is called a knowledge base.
We restrict the use of the resolution rule and we only apply it on a selected atom.To formalise this, we assume a selection function sel which returns ⊥ when applied on a solved statement, and an atom k w (X, t) with t ∈ X when applied on an unsolved statement.Resolution must be performed on this selected atom.

Res
Example 10.Applying resolution between f 4 and f 2 (see Example 9), we obtain: Then, we will derive k T0•y (adec(w 3 , w 2 ), γ, sign(γ, sk p ) ) ⇐ and this solved statement (with others) will be used to perform resolution on f 1 leading (after several resolution steps) to the statement: During saturation, the statement obtained by resolution is given to an update function which decides whether it has to be added or not into the knowledge base (possibly after some transformations).In original Akiss, many deduction statements are discarded during the saturation procedure.This is useful to avoid non-termination issues and it is not a problem since there is no need to derive the same term (from the deduction point of view) in more than one way.Now, considering that messages need time to reach a destination, a same message emitted twice at two different locations deserves more attention.
and T 0 be a topology such that Dist T0 (a 1 , b) = 10 while Dist T0 (a 2 , b) = 1.The configuration (T ; ∅; 0) is executable but only considering w 2 as an input recipe for x.The recipe w 1 that produces the exact same term k is not an option (even if it is outputted before w 2 ) since the agent a 1 who outputs it is far away from b.
Whereas the original Akiss procedure will typically discard the statement k(w 2 , k) ⇐ (by replacing it with an identical statement), we will keep it.
As illustrated by Example 11, we therefore need to consider more recipes (even if they deduce the same message) to accommodate timing constraints, but we have to do this in a way that does not break termination (in practice).To tackle this issue, we modified the canonicalization rule, as well as the update function to allow more deduction statements to be added in the knowledge base.
The intuition is that there is no need to consider several recipes (here X and Y ) to deduce the same term t when such a recipe does not occur in the head of the statement.
Then, the update of K by f denoted K ⋒ {f }, is defined to be K if either skl(f ⇓) is not in normal form; or f ⇓ is solved but not well-formed.Otherwise, K⋒{f } = K∪{f ⇓}.To initiate our saturation procedure, we start with the initial knowledge base K init (S) associated to a set S of statements (typically seed(T, C) for some well-chosen C).Given a set S of statements, the initial knowledge base associated to S, denoted K init (S), is defined to be the empty knowledge base updated by the set S, i.e.K init (S) = (((∅ ⋒ f 1 ) ⋒ f 2 ) ⋒ . . .f n where f 1 , . . ., f n is an enumeration of the statements in S. In return, the saturation procedure produces a set sat(K) which is actually a knowledge base.
Then, we can establish the soundness of our saturation procedure.This is relatively straightforward and follows the same lines as the original proof.

Completeness
Completeness is more involved.Indeed, we can not expect to retrieve all the recipes associated to a given term.To ensure termination (in practice) of our procedure, we discard some statements when updating the knowledge base, and we have to justify that those statements are indeed useless.Actually, we show that considering uniform recipes is sufficient when looking for an attack trace.
However, the notion of uniform recipe does not allow one to do the proof by induction.We therefore consider a more restricted notion that we call asap recipes.The idea is to deduce a term as soon as possible but this may depend on the agent who is performing the computation.We also rely on an ordering relation which is independent of the agent who is performing the computation, and which is compatible with our notion of asap w.r.t.any agent.
Given a relaxed execution exec = (T ; ∅) ℓ1,...,ℓn (S; φ) with input recipes R 1 , . . ., R k , we define the following relations: -R < in exec w when ℓ i = a, in(u) with input recipe R and ℓ j = a, out(u j ) with output recipe w for some agent a with i < j; -R ′ < sub exec R when R ′ is a strict subterm of R.Then, < exec is the smallest transitive relation over recipes built on dom(φ) that contains < in exec and < sub exec .As usual, we denote ≤ exec the reflexive closure of < exec .Given a timed execution exec = (T 0 ; ∅; t 0 ) This order is extended on recipes as follows: R < a exec R ′ when: 1. either multi W (R) < a exec multi W (R ′ ) where multi W (R) is the multiset of variables W occurring in R ordered using the multiset extension of < a exec on variables; 2. or multi and SΦ↓ = S ′ Φ↓} is the set of pairs of distinct syntactic subterms of R that deduce the same term.
We have that < a exec is a well-founded order for any a ∈ A which is compatible with < exec , i.e.R < exec R ′ implies R < a exec R ′ for any agent a.We are now able to introduce our notion of asap recipe.
We may note that our definition of being asap takes care about honest agents who are not allowed to forge messages from their knowledge using recipes not in W ∪ N pub ∪ R + .Hence, a recipe R ∈ W is not necessarily replaced by a recipe R ′ even if R < a exec R ′ and R ′ Φ↓ = RΦ↓.Actually, such a recipe R ′ is not necessarily an alternative to R when a ∈ M 0 .

Proof. (sketch)
We have that asap recipes are uniform and we can therefore apply Theorem 1.This allows us to obtain a proof tree in H(seed(T 0 )).Then, by induction on the proof tree, we lift it from H(seed(T 0 )) to H(K).The difficult part is when the statement obtained by resolution is not directly added in the knowledge base.It may have been modified by the rule Remove or even discarded by the update operator.In both cases, we derive a contradiction with the fact that we are considering asap recipes.⊓ ⊔ Example 12. Considering the relaxed execution starting from (T 0 • T ex , ∅) by performing the three outputs followed by the untimed version of the execution described in Example 6, we reach (ǫ, φ) using recipes R 1 = aenc(adec(w 3 , w 2 ), w 1 ) and R 2 = h(w 5 , w 4 , proj 1 (adec(w 3 , w 2 ))).Let K be the set of solved statements obtained by saturation, we have that r T0•w0σ ′ •(v,test) ∈ H(K) (see Example 10).Note that the symbolic run T 0 • w 0 σ ′ • (v, test) coincides with the labels used in the execution trace.Here, the proof tree is reduced to a leaf, and choosing R1 = R 1 , R2 = R 2 , gives us the matching we are looking for.

Algorithm
In this section, we first present our algorithm to verify whether a given timed configuration can be fully executed, and then discuss its correctness.
We consider a trace T of the form (a 1 , a 1 ).(a 2 , a 2 ). . . ..(a n , a n ) locally closed w.r.t.X and Z and we assume the naming convention given in Section 4.2.Moreover, we denote by orig(j) the index of the action in the trace T that performed the j th output, i.e. orig(j) is the minimal k such that |Snd(k)| = j.The function Timing takes as inputs the initial configuration, the recipes used to feed the inputs occurring in the trace, and the terms corresponding to these inputs.Note that all these terms may still contain variables from Z.This function computes a formula that represents all the timing constraints that have to be satisfied to ensure the executability of the trace in our timed model.More formally, Timing((T ; ∅; t 0 )), R i1 . . .R ip , u i1 . . .u ip ) is the conjunction of the formulas: 1. z 1 = t 0 , and z i ≤ z i+1 for any 1 ≤ i < n; For any i ∈ Rcv(n), we consider the formula: - otherwise, we consider: b∈M0 {j|wj ∈vars(Ri)} z orig(j) + Dist T0 (a orig (j), b) ≤ z i − Dist T0 (b, a i ) The last step of our algorithm consists in checking whether the resulting formula ψ is satisfiable or not, i.e. whether there exists a mapping from vars(ψ) to R + such that the formula ψ is true.Of course, even if our procedure is generic w.r.t. to timing constraints, the procedure to check the satisfiability of ψ will depend on the constraints we consider.Actually, all the formulas encountered during our case studies are quite simple: they are expressed by equations of the form z ′ − z ≤ t, and we therefore rely on the well-known Floyd-Warshall algorithm to solve them.When needed, we may rely on the simplex algorithm to solve more general linear constraints.

Termination issues
First, we may note that to obtain an effective saturation procedure, it is important to start with a finite set of seed statements.Our set seed(T ) is infinite but as it was proved in [12], we can restrict ourselves to perform saturation using the finite set seed(T, C T ) where C T contains the public names and the real numbers occurring in the trace T .More formally, we have that: Lemma 1.Let C T be the finite set of public names and real numbers occurring in T , and C all = N pub ∪ R + .We have that: Nevertheless, the saturation may not terminate.We could probably avoid some non-termination issues by improving our update operator.However, ensuring termination in theory is a rather difficult problem (the proof of termination for the original Akiss procedure for subterm convergent theories is quite complex [12] -more than 20 pages).We would like to mention that we never encountered non-termination issues in practice on our case studies.
Another issue is that, when computing the set L i , we need to compute all the recipes R such that k w (R, u) ∈ H(K) for a given term u.This can be achieved using a simple backward search and will terminate since K only contains solved statements that are well-formed.The naive recursive algorithm will therefore consider terms u 1 , . . ., u n that are strict subterms of the initial term u.Note that statements that are not well-formed are discarded by our update operator: ensuring completeness of our saturation procedure when discarding statements that are not well-formed is the challenging part of our completeness proof.

Correctness of our algorithm
We consider a topology T 0 and a configuration (T ; ∅; t 0 ) built on top of T 0 and such that T is locally closed w.r.t.both X and Z. Theorem 3. Let C T ⊆ N pub ⊎ R + be the finite set of public names and real numbers occurring in T .Let K = solved(sat(K init (seed(T, C T )))).We have that: Soundness (item 1 above) is relatively straightforward.Item 2 is more involved.Of course, our algorithm does not consider all the possible recipes for inputs.Some recipes are discarded from our analysis.Actually, it is sufficient to focus our attention on asap recipes.To justify that this is not an issue regarding completeness, we first establish the following result.Then, we may apply Theorem 2 (item 1) on this "asap execution" and deduce the existence of f = r ℓ ′ 1 ,...,ℓ ′ n ⇐ k w1 (X 1 , x 1 ), . . ., k wm (X m , x m ) in K and a substitution σ witnessing the fact that r ℓ1,...,ℓn = r ℓ ′ 1 σ,...,ℓ ′ n σ ∈ H(K).Moreover, we know that f and σ match with exec and R 1 , . . ., R k .Considering the symbolic recipes R1 , . . ., Rk witnessing this matching, and instantiating their variables with adequate fresh constants (using ρ), we can show that R1 ρ, . . ., Rk ρ are recipes that allow to perform the timed execution ℓ ′ 1 ρ, . . ., ℓ ′ n ρ.Note that thanks the strong relationship we have between R 1 , . . ., R k and R1 , . . ., Rk (by definition of matching, R i = Ri σ), we know that the resulting timing constraints gathered in the formula ψ due to inputs are less restrictive, and the other ones are essentially unchanged.This allows us to ensure that the formula ψ will be satisfiable.Now, applying Lemma 2, we can assume w.l.o.g. that recipes involved in such a trace are asap, and thus according to Theorem 2 will be considered by our procedure, and put in L i1 , . . ., L ip at line 6 of Algorithm 1.

Implementation and case studies
We validate our approach by integrating our procedure in Akiss [12], and successfully used it on several case studies.All files related to the tool implementation and case studies are available at http://people.irisa.fr/Alexandre.Debant/akiss-db.html.

Integration in Akiss
Our syntax is very close to the one presented in Section 3.For sake of simplicity, we sometimes omit timestamps on input/output actions.Regarding our timing constraints, our syntax only allows linear expressions of the form z 1 − z 2 ∼ z 3 with z i ∈ Z ∪ R + and ∼ ∈ {=, <, ≤}.These expressions are enough to model all our case studies.To ease the specification of protocols our tool support parallel composition of traces (T 1 || T 2 ).This operator is syntactic sugar and can be translated to sets of traces in a straightforward way.
To mitigate the potential exponential blowup caused by this translation, we always favour let, equality, and test actions, as well as output actions when no timestamp occur on it.The second optimisation consists in executing input actions (without timestamps) in a raw.These optimisations will allow us to reduce the number of traces that have to be considered during our analysis, and are well-known to be sound when verifying reachability properties [29,4].
Example 13.Let P = (a, in(x 1 )).(a, in(x 2 ).(a, out(u)) || (b, in(x 3 )).(b,out(v)).Computing naively all the possible interleavings will give us 10 traces to analyse.The first optimisation will allow us to reduce this number to 3, and together with the second optimisation, this number falls to 2.

Case studies
In this section we demonstrate that our tool can be effectively used to analyse distance bounding protocols and payment protocols.Our experiments have been done on a standard laptop and the results obtained confirm termination of the saturation procedure when analysing various protocols (× stands for attack, means that the protocol has been proved secure).We indicate the number of roles (running in parallel) we consider and the number of traces (due to all the possible interleaving of the roles) that have been analysed by the tool in order to conclude.Our algorithm stops as soon as an attack is found, and thus the number of possible interleavings is not relevant in this case.
We only consider two distinct topologies: one to analyse mafia fraud scenarios (2 honest agents far away with a malicious agent close to each honest agent) and one to analyse distance hijacking for which 3 agents are considered (malicious agent in the neighbourhood of the verifier on which the security property is encoded is not allowed).This may seem restrictive but it has been shown to be sufficient to capture all the possible attacks [18].Our results are consistent with the ones obtained in [14,25,18,13].
Distance bounding protocols.As explained in Section 2 on the TREAD protocol, we ignore several details that are irrelevant to a security analysis performed in the symbolic model.Moreover, our procedure is not yet able to support the exclusive-or operator and thus it has been modelled in an abstract way when analysing the protocols BC and Swiss-Knife.When no attack was found for 2 roles, we consider more roles (and thus more traces).The fact that the performances degrade when considering additional roles is not surprising and is clearly correlated with the number of traces that have to be considered.Payment protocols.We have also analysed three payment protocols (and some of their variants) w.r.t.mafia fraud -the only relevant scenario for this kind of application (see [13]).It happens that these protocols are more complex to analyse than traditional distance bounding protocols.They often involve more complex messages, and a larger number of message exchanges.Moreover, in protocols MasterCard RRP and NXP, the threshold is not fixed in advance but received during the protocol execution.Due to this, these protocols fall outside the class of protocols that can be analysed by [18,25].To our knowledge only [13] copes with this issue by proposing a security analysis in two steps: they first establish that the value of the threshold can not be manipulated by the attacker, and then analyse the protocol considering a fixed threshold.Such a protocol can be encoded in a natural way in our calculus using the let instruction [z := v] that allows one to extract a timing information from a message.We analysed these protocols considering one instance of each role.

Conclusion
We presented a novel procedure for reasoning about distance bounding protocols which has been integrated in the Akiss tool.Even though termination is not guaranteed, the tool did terminate on all practical examples that we have tested.Directions for future work include improving performances of our tool and this can be achieved by parallelising our algorithm (each trace can actually be analysed independently) and/or proposing new techniques to reduce the number of interleavings.Another interesting direction would be to add the exclusive-or operator which is often used in distance bounding protocols.This will require a careful analysis of the completeness proof developed in [3] to check whether their resolution strategy is compatible with the changes done here to accommodate timing constraints.

A Proof of Theorem 1
In this section, we consider a trace T 0 which is locally closed w.r.t.X .Proposition 2. We have that seed(T 0 ) is a set of statements.
Proof.We consider each type of statement separately and show that each item of the definition of being a statement is satisfied.Note that T 0 is locally closed w.r.t.X , and thus we have that the symbolic run ℓ 1 • . . .• ℓ m with 0 ≤ m ≤ n is locally closed.Input actions are of the form in(x i ), and thus the property of being locally closed is still satisfied by ℓ 1 στ ↓ • . . .• ℓ m στ ↓.Hence, the result.⊓ ⊔ As the construction of the seed is rather similar to the one in [12], the proof of Theorem 1 closely follows the original proof.However, some adaptations have been done in the completeness part.In our setting, completeness is more involved.First, it only holds when considering uniform recipes and we have to ensure an additional property (match with exec) to be able to lift it later on from H(seed(T 0 )) to H(solved(sat(seed(T 0 )))) The soundness part of Theorem 1 is a direct consequence of Lemma 3 and Lemma 4 that can be proved following the original proofs.
Lemma 3. We have that (T 0 ; ∅)) |= g for any statement g ∈ seed(T 0 ).Lemma 4. Let S be a set of statements such that for all g ∈ S we have that (T 0 ; ∅) |= g.We have that (T 0 ; ∅) |= g for any g ∈ H(S).
The completeness part of Theorem 1 is a direct consequence of Lemma 5.
Moreover, we may assume that the proof trees witnessing these facts are uniform and match with exec with input recipes R 1 , . . ., R k .
Proof.We follow the original proof but it remains to show that the proof tree witnessing these facts are uniform and match with exec using input recipes R 1 , . . ., R k .We first explain how we construct a proof tree that is matching exec and then we show that it is uniform too.When using an instance of a statement of type 3 (resp.type 4), the proof tree trivially matches with exec with input recipes R 1 , . . ., R k since k ′ = 0.When considering an instance of a statement of type 1 (resp.type 2) it is sufficient to consider X 1 , . . ., X k ′ for R1 , . . ., Rk ′ to obtain a proof tree matching exec with R 1 , . . ., R k .
Actually, the resulting proof tree is uniform.Indeed, when considering a statement of type 4 we will always have that the recipe in the head is uniform w.r.t.φ (either a subterm of the initial recipe R or a subterm of an input recipe) and thus the premises will respect the uniformity.In addition, we will always construct the same proof tree when considering a deduction fact corresponding to an input of the execution.

B Proof of Theorem 2 (soundness part)
First, we need to establish that our resolution procedure only produces statement.In particular, we have to establish the invariant we added in the definition of statement.
Lemma 6.Let f and g be two statements, and h be defined as in the RES rule.If skl(hσ) is in normal form then hσ is a statement.
Proof.Let H = k w0 (R 0 , t 0 ), and B i = k ui (X i , t i ) for i ∈ {1, . . ., m}.The only non trivial point is to establish that hσ = H ⇐ B 1 , . . ., B n , B n+1 , . . ., B m σ satisfies the following property: We first consider the RES rule.Since f and g are two statements we know that: Therefore, we have that: We denote B i = k wi (X i , t i ) for all i ∈ {1, . . ., n} and H ∈ {r w0 , k w0 (R 0 , t 0 )}.We have that: w 0 , . . ., w n , w are symbolic runs locally closed, w i ⊑ w 0 for any i ∈ {1, . . ., n} and w ⊑ w 0 ; -t, t 0 , . . ., t n are terms in Let g = (H ⇐ k w (Y, t), B 1 , . . ., B n ) the resulting formula after one application of the rule Remove on the statement f .Since X ∈ vars(H), it is easy to see that g is also a statement.
⊓ ⊔ Proposition 3. Given a set S of statements, K init (S) (resp.sat(K init (S))) is a knowledge base.
Proof.Lemma 6 ensures that Horn clauses generated during the saturation procedure are statements as soon as their skeleton is in normal form.Actually, the update function will discard a statement when its skeleton is not in normal form, thus during saturation we only consider statements.Now, it is easy to see that those statements are well-formed since the update function discard those that are not.Finally, Lemma 7 ensures that the canonised form of a statement is a statement too.

⊓ ⊔
The following lemma allows us to establish the soundness of the statement resulting from an application of the Res rule.We consider a trace T 0 locally closed w.r.t.X .
⊓ ⊔ Now, we can establish the soundness of our saturation procedure.
Proof.We first establish that (T 0 ; ∅) |= g for any g ∈ K by induction on the number of resolution step needed to produce g.If g ∈ K init (T 0 ) then g ∈ seed(T 0 ) and thus applying Theorem 1 (soundness), we conclude that (T 0 ; ∅) |= g (seed statements are already in canonical form).Otherwise, such a statement g = g ′ ⇓ with g ′ a statement obtained through the Res rule.We therefore conclude by applying Lemma 8 and Lemma 9 on g ′ .Now, let g ∈ H(solved(K)).The fact that (T 0 ; ∅) |= g is a direct consequence of Lemma 4.

C Proof of Theorem 2 (completeness part)
In this section, we consider a trace T 0 which is locally closed w.r.t.X .
Proof.Let a ∈ A and R, R ′ be two recipes such that R < exec R ′ .There exists a chain R = R 0 < exec . . .< exec R n = R ′ such that each step corresponds to a step of < in exec or < sub exec .We proof this lemma by induction on the length of this chain, and we therefore show that the property holds for one step.We distinguish two cases depending if < in exec or < sub exec has been applied: We know that R ′ = w and R is a recipe used to feed an input performed by agent(w).Observing that for all w ′ ∈ vars(R), we have that time(w ′ ) + Dist T (agent(w ′ ), agent(w)) ≤ time(w) we deduce that for all w ′ ∈ vars(R), we have that: ≤ time(w) + Dist T (agent(w), a).
Thus, we have that time(w ′ )+Dist T (agent(w ′ ), a) ≤ time(w)+Dist T (agent(w), a) i.e. w ′ < a exec w, and thus R < a exec R ′ .-Case R < sub exec R ′ .We know that R is a strict subterm of and R ′ .Thus, we have that R < a exec R ′ .⊓ ⊔ Note that < a exec is a well-founded relation, and thus we deduce that < exec is also a well-founded relation.
Proof.We have that skl(gσ) is in normal form, and since g and σ match with exec and R 1 , . . ., R k , we know that u 0 σ ⊑ ℓ 1 , . . ., ℓ p and there exist R1 , . . ., Rk ′ such that: We show this result by induction on j.
Base case: j = 1, i.e. v j is the first input occurring in u 0 .We have that R1 σ = R 1 and since R 1 only uses frame elements occurring before the first input, this is the same for R1 and thus φ(u 0 ) will not introduce any variable.Therefore, if x ∈ vars(v 1 ), we know that x has been introduced by X i0 → x i0 for some i 0 ∈ {1, . . ., n}, i.e. x = x i0 for some i 0 ∈ {1, . . ., n} such that X i0 ∈ vars( R1 ), and therefore X i0 σ ≤ exec R1 σ (subterm relation).
Induction step: j > 1.Let x ∈ vars(v j ) with j > 1.We have that Rj σ = R j and since R j only uses frame elements occurring before the j th input, this is the same for Rj , and thus either x has been introduced by X i0 → x i0 for some i 0 ∈ {1, . . ., n}, and we conclude as in the previous case.Otherwise, the variable x is introduced through a frame element {w → t} with x in t, and w ∈ vars( Rj ), and thus w ≤ exec R j = Rj σ (subterm relation).Because u 0 is locally closed, x occurs before in an input v i performed by the same agent, thus R i = Ri σ ≤ in exec w.Applying our induction hypothesis on i < j, there exists i 0 such that x i0 = x and X i0 σ ≤ Ri σ.Relying on transitivity, we easily conclude.
⊓ ⊔ Lemma 14.Let K be a set of statements.Let g = (H ⇐ B 1 , . . ., B n ) be a statement and σ be a substitution such that for all i ∈ {1, . . ., n}, B i σ ∈ H(K) with a proof tree π i such that {π 1 , . . ., π n } is uniform.If g and σ match with exec and R 1 , . . ., R k then g⇓ and σ match with exec and R 1 , . . ., R k .
where v 1 , . . ., v k ′ are the terms occurring in input in u 0 (the world of H).
Proof.We prove this result by induction on the sum of the sizes of the proof trees witnessing that B 1 σ, . . ., B n σ ∈ H(solved(K)).If g is solved, then since g ∈ K, we conclude by choosing π ′ to be π 1 , . . ., π n on which we apply Conseq with g and σ.
Otherwise, i.e. g is not solved.Let B j = sel(g) = k uj (X j , t j ).By hypothesis, we have that B j σ ∈ H(solved(K)) with a proof tree π j matching with exec and R 1 , . . ., R k as input recipes.Therefore, π j is ending with a statement and a substitution σ ′ grounding for h such that k u ′ 0 (R 0 , t 0 )σ ′ = k uj (X j , t j )σ and B ′ i σ ′ ∈ solved(K) for i ∈ {1, . . ., m} with a proof tree π ′ i (subtree of π j ) matching with exec and R 1 , . . ., R k .
Moreover, we have that the sum of the size of the proof tree witnessing that B ′ i σ ′ ∈ solved(K) for i ∈ {1, . . ., m} is smaller than the size of the proof tree π j .Let H 0 = k u ′ 0 (R 0 , t 0 ).We apply the Resolution rule between g and h.Since σ ⊎ σ ′ unifies H 0 and k uj (X j , t j ), there is ω = mgu(H 0 , k uj (X j , t j )) and τ such that σ ⊎ σ ′ = ωτ .Let g ′ be the resulting statement.We have that In order to conclude relying on our induction hypothesis, we distinguish two cases.
Case 1: g ′ ⇓ is added to the knowledge base by the update function.We conclude relying on our induction hypothesis considering g ′ ⇓ and τ .We have that u 0 ω is locally closed.We have that skl(g ′ ⇓τ ) is in normal form since skl(gσ) and skl(hσ ′ ) are in normal form.The recipe occurring in Hωτ = Hσ (if any) is asap w.r.t.b |Rcv(q)| and exec and all the antecedents of g ′ ⇓τ are in H(solved(K)) with a proof tree matching with exec and R 1 , . . ., R k .Finally we have that {π 1 , . . ., π j−1 , π j+1 , . . ., π n , π ′ 1 , . . ., π ′ m } is uniform.It remains to show that g ′ ⇓ and τ match exec and R 1 , . . ., R k .To do so we first show that g ′ and τ match exec and R 1 , . . ., R k to be able to apply Lemma 14.
Given a world u, i.e. a sequence of actions possibly followed by a variable, we denote by |u| the number of actions in the sequence u.By definition of the RES rule and the form of the statement, we have that : either |u j ω| = |u j |, thus |u 0 ω| = |u 0 |; -or |u j ω| > |u j |, and in such a case, we have that u 0 ω = u j ω = u ′ 0 ω.
Let us distinguish two cases depending on the type of the statement f : 1. f is added in the knowledge base, i.e. f ∈ K.Then, we conclude that Hσ ∈ H(solved(K)) thanks to Lemma 15 applied on f and σ, because f and σ match with exec and R 1 , . . ., R k using recipes Rj = X j for all i ∈ {1, . . ., |w|} with w is the underlying world of H.In addition we have that {π ′ 1 , . . ., π ′ n } is uniform.2. f is not added in the knowledge base by the update function.Note that skl(f ) is in normal form since skl(f σ) is in normal form.Thus, we have that f is solved but not well-formed.Let H = k w (R 0 , u 0 ).Since f is not wellformed, we know that u 0 = x, and by definition of being a statement, we have that R Either there exists i 0 ∈ {1, . . ., n} such that x = x i0 , and X i occurs in R 0 (which is not a variable).Thus, by soundness of the saturation (Proposition 1), we have that (X i0 σ)φ↓ = x i0 σ = xσ and X i0 σ < exec R 0 σ = R. Otherwise, x is introduced by {w → u} ∈ φ(w) with w occurring in R 0 , i.e.R 0 = w since f is a seed statement.In such a case, the variable x occurs in an input before, thus we apply Lemma 13.Note that, similarly to the previous case, the hypotheses are satisfied.We obtain that there exists i 0 ∈ {1, . . ., n} such that x i0 = x and X i0 σ ≤ exec Rj σ = R j where R j is the recipe used to fill the j th action which is an input.Thus because R j < exec w, we have that X i0 σ < exec w = R 0 .Finally in both cases we have that there exists i 0 such that X i0 σ < exec R 0 σ = R.If R ∈ W we immediately contradict that R is asap w.r.t.b m and exec.Otherwise we apply Lemma 10 to obtain that X i0 σ < bm exec R which is a contradiction too.This conclude the proof.
⊓ ⊔ with input recipes R 1 , . . ., R k such that R i is asap w.r.t.b i and exec 0 for any i ∈ {1, . . ., k}.It remains to show that R 1 , . . ., R k are still asap when considering the full execution exec. .Let us distinguish two cases: If R i ∈ W: Since the relation < exec0 induced by exec 0 is the same as the one induced by exec on recipes built using dom(Φ ′ ), we have that R i is still asap w.r.t.b i and exec.
If R i / ∈ W: for all recipe R such that Rφ↓ = R i Φ↓ we have that if vars(R) ⊆ dom(Φ ′ ) then R i ≤ bi exec0 R and thus R i ≤ bi exec R. Otherwise, we have that there exists a unique w ∈ vars(R) ∩ (dom(Φ) \ dom(Φ ′ )) and time(w) = t ′ .Such a w corresponds to the handle bound by ℓ n when ℓ n is an output action.For any w ′ ∈ vars(R i ), we have that: time(w ′ ) + Dist T0 (agent(w), b i ) ≤ time(w), and thus time(w ′ ) + Dist T0 (agent(w), b i ) ≤ time(w) + Dist T0 (agent(w ′ ), b i ).To conclude it is sufficient to notice that either it is a strict inequality and thus we immediately have that w ′ < bi exec w or we have an equality but since w ′ has been outputted before w in exec we have that w ′ < bi exec w too.Finally we have that such a recipe R which contains w can not be smaller than R i , i.e.R ≮ bi exec R i .Note that, we do not change the configurations involved in the execution but only the underlying recipes, thus timing constraints trivially hold for the new execution.Case ℓ n is an input, i.e. ℓ n = (a, in z (u)).Thanks to our induction hypothesis, we know that R i (1 ≤ i ≤ k − 1) is asap w.r.t.b i and exec 0 .Then, we complete this execution exec 0 performing the action ℓ n = (a, in z ).
Let us assume that R k is not asap w.r.t.b k and exec.
-Case b k ∈ M 0 .We have that R k / ∈ N pub ∪ R + and there exists R ′ k such that -Case b k ∈ A 0 M 0 .In that case, R k ∈ W ∪ N pub ∪ R + and since R k is not asap, we know that there exists We consider the chain R ′ k < exec . . .< exec R k (each step corresponding to a step of < in exec or < sub exec under a context) witnessing the fact that R ′ k < exec R k .Let w ′ ∈ W be the smallest variable w.r.t.< in exec such that w ′ < in exec . . .w ′′ < in exec w.In case such a w ′ does not exist, we consider that w ′ = w.We show, by induction on the length l of w ′ < in exec . . .w ′′ < in exec w that if w ∈ dom( ⌊Φ ′ ⌋ ).We apply the induction hypothesis using t This contradicts the assumption on R k because R ′ k < exec R k .In conclusion, in all cases we obtain a contradiction with the initial assumption.Therefore we conclude that R k is asap w.r.t.b k and exec.

D.2 Main theorem
We consider a trace T locally closed w.r.t.X and Z.Before proving the main result, we establish the following lemma allowing us to apply saturation on a finite set of seed statements.We have that K init (seed(T, N pub ∪ R + )) = K init (seed(T, C T )) ⊎ K ext .Then, it is quite easy to see that the resolution steps performed starting with the set K init (seed(T, N pub ∪ R + )) do not involved statements in K ext , and thus all these steps can also be performed starting with K init (seed(T, C T )) leading to the expected result.
⊓ ⊔ Theorem 3. Let C T ⊆ N pub ⊎ R + be the finite set of public names and real numbers occurring in T .Let K = solved(sat(K init (seed(T, C T )))).We have that: if Reachability(K, t 0 , T 0 ) holds then (T ; ∅; t) is executable in T 0 ; -if (T ; ∅; t 0 ) is executable in T 0 then Reachability(K, t 0 , T 0 ) holds.
Proof.We prove each item separately.First, we assume that our algorithm returns true when considering ℓ ′ 1 . . .ℓ ′ n and recipes L i1 , . . ., L in .Actually, soundness of our saturation procedure (Proposition 1) gives us that (T ; ∅) ℓ ′ 1 ρ...ℓ ′ n ρ (ǫ; φ) (relaxed semantics) using recipes L i1 , . . ., L in .Then, the formula ψ will gather all the timing constraints that have to be satisfied, in particular those to ensure that messages needed when performing the computation L ij are available in time.Thus, satisfiability of ψ gives us that (T ; ∅; t 0 ) is executable in T 0 .This concludes the proof for the first item.
(u)) with recipe R k forged by b k , and we obtain exec = (T ; ∅; t 0 ) ℓ1,...,ℓn − −−−− → T0 (S; Φ; t)with input recipes R 1 , . . ., R k−1 , R k .First because Φ = Φ ′ we have that < exec0 and < a exec0 for any a ∈ A, the relations induced by exec 0 , are the same as the ones induced by exec.Therefore we have that R i (1 ≤ i ≤ k − 1) is still asap w.r.t.b i and exec.To conclude, it remains to establish that R k is asap w.r.t.b k and exec.Following the semantics of the IN rule, we know that there existst b ∈ R + such that t b ≤ t − Dist T0 (b k , a) and if b k ∈ A 0 M 0 then R k ∈ W ⊎ N pub ⊎ R + .In addition, if R k = w then w ∈ dom( ⌊Φ ′ ⌋ t b b k ); -if b k ∈ M 0 then for all w ∈ vars(R k ),there exists c ∈ A 0 such that w ∈ dom( ⌊Φ ′ ⌋ t b −DistT 0 (c,b k ) c Lemma 10   we obtain that in both casesR ′ k < b k exec R k and thus multi W (R ′ k ) ≤ b k exec multi W (R k ).By definition of the multiset order, we know that for all w ′ ∈ vars(R ′ k ), there exists w ∈ vars(R k ) such that w ′ ≤ b k exec w, and thus time(w′ ) + Dist T0 (agent(w ′ ), b k ) ≤ time(w) + Dist T0 (agent(w), b k ).Since we have that w ∈ dom( ⌊Φ ′ ⌋ t b −DistT 0 (agent(w),b k ) agent(w)), we know that time(w) ≤ t b − Dist T0 (agent(w), b k ).Therefore, we have that for all w ′ ∈ vars(R ′ k ), there exists w ∈ vars(R k ) such that:time(w ′ ) + Dist T0 (agent(w ′ ), b k ) ≤ t b − Dist T0 (agent(w), b k ) + Dist T0 (agent(w), b k ) ⇒ time(w ′ ) ≤ t b − Dist T0 (agent(w ′ ), b k )and hence the IN rule can be executed using R ′ k forged by b k at time t b .This contradicts the assumption on R k .

Lemma 1 .
Let C T be the finite set of public names and real numbers occurring in T , and C all = N pub ∪ R + .We have that:sat(K init (seed(T, C all ))) = sat(K init (seed(T, C T ))) ∪ {k y (c, c) ⇐ | c ∈ C all }.Proof.Let K ext = {k y (c, c) ⇐ | c ∈ (N pub ∪ R + ) C T }.
type 1 or 2 then for all i ∈ {1, ..., n}, there exists j ∈ Rcv(p) such that B i σ = k ℓ1,...,ℓj−1 (R |Rcv(j)| , u i ) for some term u i .Therefore, by hypothesis we have that R |Rcv(j)| is asap w.r.t.b |Rcv(j)| and exec.Moreover π i (the proof of B i σ ∈ H(seed(T 0 ))) is uniform (as a subtree of π).Our induction hypothesis applies withB i σ. -if f is a statement of type 4 then for all i ∈ {1, ..., n}, B i σ = k ℓ1,...,ℓj−1 (S i , u i )for some term u i , with S i a strict subterm of R. Since R is asap w.r.t.b |Rcv(j)| and exec, we deduce that S i is asap w.r.t.b |Rcv(j)| and exec (byLemma 12).We still have that π i (the proof of B i σ ∈ H(seed(T 0 ))) is uniform (as a subtree of π).Our induction hypothesis applies with B i σ.Therefore in both cases, we have that for all i ∈ {1, . . ., n}, B i σ ∈ H(K) with a proof tree π ′ i matching with exec and R 1 , . . ., R k , and nodes(π ′ i ) ⊆ nodes(π i ).Because {π 1 , . . ., π n } is uniform, we have that {π ′ 1 , . . ., π ′ n } is uniform too.Since the rule Remove cannot be applied on seed statement, we can distinguish two cases: