
    Formal Computational Unlinkability Proofs of RFID Protocols

    We set up a framework for the formal proofs of RFID protocols in the computational model. We rely on the so-called computationally complete symbolic attacker model. Our contributions are: i) to design (and prove sound) axioms reflecting the properties of hash functions (collision resistance, PRF); ii) to formalize computational unlinkability in the model; iii) to illustrate the method, providing the first formal proofs of unlinkability of RFID protocols in the computational model.

    Trace Equivalence Decision: Negative Tests and Non-determinism

    We consider security properties of cryptographic protocols that can be modeled using the notion of trace equivalence. The notion of equivalence is crucial when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability. In this paper, we give a calculus that is close to the applied pi calculus and that allows one to capture most existing protocols that rely on classical cryptographic primitives. First, we propose a symbolic semantics for our calculus relying on constraint systems to represent infinite sets of possible traces, and we reduce the decidability of trace equivalence to deciding a notion of symbolic equivalence between sets of constraint systems. Second, we develop an algorithm allowing us to decide whether two sets of constraint systems are in symbolic equivalence or not. Altogether, this yields the first decidability result of trace equivalence for a general class of processes that may involve else branches and/or private channels (for a bounded number of sessions).

    About models of security protocols

    In this paper, mostly consisting of definitions, we revisit the models of security protocols: we show that the symbolic and the computational models (as well as others) are instances of the same generic model. Our definitions are also parametrized by the security primitives, the notion of attacker and, to some extent, the process calculus.

    How to prove security of communication protocols? A discussion on the soundness of formal models w.r.t. computational ones.

    Security protocols are short programs that aim at securing communication over a public network. Their design is known to be error-prone, with flaws found years later. That is why they deserve a careful security analysis, with rigorous proofs. Two main lines of research have been (independently) developed to analyse the security of protocols. On the one hand, formal methods provide symbolic models and often automatic proofs. On the other hand, cryptographic models propose a tighter modeling, but proofs are more difficult to write and to check. An approach developed during the last decade consists in bridging the two approaches, showing that symbolic models are sound w.r.t. computational ones, yielding strong security guarantees using automatic tools. These results have been developed for several cryptographic primitives (e.g. symmetric and asymmetric encryption, signatures, hash functions) and security properties. While proving soundness of symbolic models is a very promising approach, several technical details are often not satisfactory. Focusing on symmetric encryption, we describe the difficulties and limitations of the available results.

    The first-order theory of lexicographic path orderings is undecidable

    We show, under some assumption on the signature, that the [formula not rendered] fragment of the theory of any lexicographic path ordering is undecidable. This applies to partial and to total precedences. Our result implies in particular that the simplification rule of ordered completion is undecidable.

    Tree automata with one memory set constraints and cryptographic protocols

    Abstract: We introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME. We also introduce a class of set constraints with equality tests and prove its decidability by completion techniques and a reduction to tree automata with one memory. Finally, we show how to apply these results to cryptographic protocols. We introduce a class of cryptographic protocols and show the decidability of secrecy for an arbitrary number of agents and an arbitrary number of (concurrent or successive) sessions, provided that only a bounded number of new data is generated. The hypothesis on the protocol (a restricted copying ability) is shown to be necessary: without this hypothesis, we prove that secrecy is undecidable, even for protocols without nonces.

    Ordering constraints on trees

    We survey recent results about ordering constraints on trees and discuss their applications. Our main interest lies in the family of recursive path orderings, which enjoy the properties of being total, well-founded and compatible with the tree constructors. The paper includes some new results, in particular the undecidability of the theory of lexicographic path orderings in the case of a non-unary signature.

    Ground Reducibility is EXPTIME-complete

    We prove that ground reducibility is EXPTIME-complete in the general case. EXPTIME-hardness is proved by encoding the emptiness problem for the intersection of recognizable tree languages. It is more difficult to show that ground reducibility belongs to DEXPTIME. We first associate a tree automaton with disequality constraints to a rewrite system and a term. This automaton is deterministic and accepts a non-empty tree language iff the given term is not ground reducible by the system. The number of states of the automaton is exponential in the size of the term and the system, and the size of its constraints is polynomial in the size of the term and the system. Then we prove some new pumping lemmas, using a total ordering on the computations of the automaton. Thanks to these lemmas, we can show that emptiness for a tree automaton with disequality constraints can be decided in a time which is polynomial in the number of states and exponential in the size of the constraints. Altogether, we get a simply exponential time deterministic algorithm for deciding ground reducibility.

    Is it possible to decide whether a cryptographic protocol is secure or not?, Journal of Telecommunications and Information Technology, 2002, nr 4

    We consider the so-called “cryptographic protocols” whose aim is to ensure some security properties when communication channels are not reliable. Such protocols usually rely on cryptographic primitives. Even if it is assumed that the cryptographic primitives are perfect, the security goals may not be achieved: the protocol itself may have weaknesses which can be exploited by an attacker. We survey recent work on decision techniques for cryptographic protocol analysis.

    Ground Reducibility is EXPTIME-complete

    We prove that ground reducibility is EXPTIME-complete in the general case. EXPTIME-hardness is proved by encoding the emptiness problem for the intersection of recognizable tree languages. It is more difficult to show that ground reducibility belongs to DEXPTIME. We first associate an automaton with disequality constraints A(R,t) to a rewrite system R and a term t. This automaton is deterministic and accepts at least one term iff t is not ground reducible by R. The number of states of A(R,t) is O(2^{|R|·|t|}) and the size of its constraints is polynomial in the size of R and t. Then we prove some new pumping lemmas, using a total ordering on the computations of the automaton. Thanks to these lemmas, we can show that emptiness for an automaton with disequality constraints can be decided in a time which is polynomial in the number of states and exponential in the size of the constraints. Altogether, we get a simply exponential time deterministic algorithm for deciding ground reducibility.
