360 research outputs found
Unification modulo a partial theory of exponentiation
Modular exponentiation is a common mathematical operation in modern
cryptography. This, along with modular multiplication at the base and exponent
levels (to different moduli) plays an important role in a large number of key
agreement protocols. In our earlier work, we gave many decidability as well as
undecidability results for multiple equational theories, involving various
properties of modular exponentiation. Here, we consider a partial subtheory
focussing only on exponentiation and multiplication operators. Two main results
are proved. The first result is positive, namely, that the unification problem
for the above theory (in which no additional property is assumed of the
multiplication operators) is decidable. The second result is negative: if we
assume that the two multiplication operators belong to two different abelian
groups, then the unification problem becomes undecidable.Comment: In Proceedings UNIF 2010, arXiv:1012.455
On the Complexity of the Tiden-Arnborg Algorithm for Unification modulo One-Sided Distributivity
We prove that the Tiden and Arnborg algorithm for equational unification
modulo one-sided distributivity is not polynomial time bounded as previously
thought. A set of counterexamples is developed that demonstrates that the
algorithm goes through exponentially many steps.Comment: In Proceedings UNIF 2010, arXiv:1012.455
Implementing a Unification Algorithm for Protocol Analysis with XOR
In this paper, we propose a unification algorithm for the theory which
combines unification algorithms for E\_{\std} and E\_{\ACUN} (ACUN
properties, like XOR) but compared to the more general combination methods uses
specific properties of the equational theories for further optimizations. Our
optimizations drastically reduce the number of non-deterministic choices, in
particular those for variable identification and linear orderings. This is
important for reducing both the runtime of the unification algorithm and the
number of unifiers in the complete set of unifiers. We emphasize that obtaining
a ``small'' set of unifiers is essential for the efficiency of the constraint
solving procedure within which the unification algorithm is used. The method is
implemented in the CL-Atse tool for security protocol analysis
Hierarchical combination of intruder theories
International audienceRecently automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analysis can be improved, for finding more subtle weaknesses, by a more accurate modelling of operators employed by protocols. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However several interesting equational theories, such as exponentiation with an abelian group law for exponents remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for non-disjoint intruder theories and to show decidability results for the deduction problem in these theories. We have also shown that under natural hypotheses hierarchical intruder constraints can be decided. This result applies to an exponentiation theory that appears to be more general than the one considered before
State space reduction in the Maude-NRL Protocol Analyzer
The Maude-NRL Protocol Analyzer (Maude-NPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which supported equational reasoning in a more limited way. Maude-NPA supports a wide variety of algebraic properties that includes many crypto-systems of interest such as, for example, one-time pads and Diffie–Hellman. Maude-NPA, like the original NPA, looks for attacks by searching backwards from an insecure attack state, and assumes an unbounded number of sessions. Because of the unbounded number of sessions and the support for different equational theories, it is necessary to develop ways of reducing the search space and avoiding infinite search paths. In order for the techniques to prove useful, they need not only to speed up the search, but should not violate completeness, so that failure to find attacks still guarantees security. In this paper we describe some state space reduction techniques that we have implemented in Maude-NPA. We also provide completeness proofs, and experimental evaluations of their effect on the performance of Maude-NPA.We would like to thank Antonio Gonzalez for his help in providing several protocol specifications in Maude-NPA. S. Escobar and S. Santiago have been partially supported by the EU (FEDER) and the Spanish MEC/MICINN under grant TIN 2010-21062-C02-02, and by Generalitat Valenciana PROMETEO2011/052. J. Meseguer and S. Escobar have been partially supported by NSF grants CNS 09-04749, and CCF 09-05584.Escobar Román, S.; Meadows, C.; Meseguer, J.; Santiago Pinazo, S. (2014). State space reduction in the Maude-NRL Protocol Analyzer. Information and Computation. 238:157-186. https://doi.org/10.1016/j.ic.2014.07.007S15718623
Memoization for Unary Logic Programming: Characterizing PTIME
We give a characterization of deterministic polynomial time computation based
on an algebraic structure called the resolution semiring, whose elements can be
understood as logic programs or sets of rewriting rules over first-order terms.
More precisely, we study the restriction of this framework to terms (and logic
programs, rewriting rules) using only unary symbols. We prove it is complete
for polynomial time computation, using an encoding of pushdown automata. We
then introduce an algebraic counterpart of the memoization technique in order
to show its PTIME soundness. We finally relate our approach and complexity
results to complexity of logic programming. As an application of our
techniques, we show a PTIME-completeness result for a class of logic
programming queries which use only unary function symbols.Comment: Soumis {\`a} LICS 201
Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA
The area of formal analysis of cryptographic protocols has been an active
one since the mid 80’s. The idea is to verify communication protocols
that use encryption to guarantee secrecy and that use authentication of
data to ensure security. Formal methods are used in protocol analysis to
provide formal proofs of security, and to uncover bugs and security flaws
that in some cases had remained unknown long after the original protocol
publication, such as the case of the well known Needham-Schroeder
Public Key (NSPK) protocol. In this thesis we tackle problems regarding
the three main pillars of protocol verification: modelling capabilities,
verifiable properties, and efficiency.
This thesis is devoted to investigate advanced features in the analysis
of cryptographic protocols tailored to the Maude-NPA tool. This tool
is a model-checker for cryptographic protocol analysis that allows for
the incorporation of different equational theories and operates in the
unbounded session model without the use of data or control abstraction.
An important contribution of this thesis is relative to theoretical aspects
of protocol verification in Maude-NPA. First, we define a forwards
operational semantics, using rewriting logic as the theoretical framework
and the Maude programming language as tool support. This is the first
time that a forwards rewriting-based semantics is given for Maude-NPA.
Second, we also study the problem that arises in cryptographic protocol
analysis when it is necessary to guarantee that certain terms generated
during a state exploration are in normal form with respect to the protocol
equational theory.
We also study techniques to extend Maude-NPA capabilities to support
the verification of a wider class of protocols and security properties.
First, we present a framework to specify and verify sequential protocol
compositions in which one or more child protocols make use of information obtained from running a parent protocol. Second, we present a
theoretical framework to specify and verify protocol indistinguishability
in Maude-NPA. This kind of properties aim to verify that an attacker
cannot distinguish between two versions of a protocol: for example, one
using one secret and one using another, as it happens in electronic voting
protocols.
Finally, this thesis contributes to improve the efficiency of protocol
verification in Maude-NPA. We define several techniques which drastically
reduce the state space, and can often yield a finite state space,
so that whether the desired security property holds or not can in fact
be decided automatically, in spite of the general undecidability of such
problems.Santiago Pinazo, S. (2015). Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/4852
Hierarchical Combination of Unification Algorithms
International audienceA critical question in unification theory is how to obtain a unification algorithm for the combination of non-disjoint equational theories when there exists unification algorithms for the constituent theories. The problem is known to be difficult and can easily be seen to be undecidable in the general case. Therefore, previous work has focused on identifying specific conditions and methods in which the problem is decidable. We continue the investigation in this paper, building on previous combination results. We are able to develop a novel approach to the non-disjoint combination problem. The approach is based on a new set of restrictions and combination method such that if the restrictions are satisfied the method produces an algorithm for the unification problem in the union of non-disjoint equational theories
- …