The game of the name in cryptographic tables

a p p o r t

d e r e c h e r c h e

THÈME 1

The game of the name in cryptographic tables

Roberto M. Amadio Sanjiva Prasad

N° 3733

Juillet 1999

Roberto M. Amadio Sanjiva Prasad

Thème 1 Réseaux et systèmes Projet Meije

Rapport de recherche n^°3733 Juillet 1999 17 pages

Abstract:

We present a name-passing calculus that can be regarded as a simplied - calculus equipped with a cryptographic table. The latter is a data structure representing the relationships among names. We apply the calculus to the modelling and verication of secrecy and authenticity properties in cryptographic protocols relying on symmetric shared keys. Following classical approaches [8], we formulate the verication task as a reachability problem and prove its decidability assuming nite principals and bounds on the sorts of the messages synthesized by the attacker.

Key-words:

Cryptographic protocols,-calculus, verication

The rst author works at^{UniversitédeProvence}, Marseille. and he is an external collaborator of the INRIA-Ecole des Mines Project^Meije. He can be contacted at the following address: CMI, 39 rue Joliot- Curie, F-13453, Marseille, France. mailto: amadio@gyptis.univ-mrs.fr. He work was partly supported by^{ActionCoopérativePRESYSA},^IFCPAR1502-1, LIM (CNRS ES-A6077), and^WGConfer. The second author works at the Indian Institute of Technology, Delhi. mailto: sanjiva@cse.iitd.ernet.in. He was partly supported by^IFCPAR1502-1and^AICTE1-52/CD/CA(08)/96-97and BRICS, Centre of the Danish National Research Foundation.

un-calcul simplié equipé avec une table cryptographique. Il s'agit d'une structure de don- nées qui représente les relations entre les noms. Nous appliquons le calcul à la modelisation et vérication de proprietés de securité et authenticité dans les protocoles cryptographiques à clef symétrique. Suivant des approches classiques [8], nous formulons le problème de vérication comme une proprieté d'accessibilité et nous prouvons sa decidabilité en suppo- sant un nombre ni de principaux et une borne sur les sortes des messages synthétisés par l'attaquant.

Mots-clés :

Protocoles cryptographiques,-calcul, vérication.

1 Introduction

Cryptographic protocols are commonly used to establish secure communication channels between distributed principals. Cryptographic protocols seem good candidates for formal verication and several frameworks have been proposed for making possible formal and automatable analyses. We do not attempt to survey here all the various approaches, but conne our remarks to some which assume `perfect encryption' and model a protocol as a collection of interacting processes competing against a hostile environment.

One class of approaches involves state exploration using model-checking techniques [11, 6, 13]. Lowe [11], Schneider [15] and several others have used CSP to specify authentica- tion protocols, analysing them with the FDR model-checking tool. Other state exploration approaches are based on logic programming techniques [12]. The main benet of these ap- proaches is their automation and ecacy in uncovering subtle bugs in protocols (e.g., Lowe's

`man-in-the-middle' attack on the Needham-Schroeder symmetric key protocol). However, their applicability is limited by the quickly growing size of the state space to be examined;

simplifying hypotheses on the behaviour of the environment necessary to bound the state space may drastically curtail the ability to nd errors.

A second class of approaches relies on general-purpose proof assistant tools. Paulson [14]

uses induction on traces to formally prove protocol correctness using Isabelle. Bolignano [4]

uses a state-based analysis of the protocols, proving invariant properties, with the proofs subsequently mechanized in Coq. Although these approaches are not automatic, recent work [10, 16] suggests that certain authentication protocols can be modelled in decidable fragments of rst-order logic.

In all the approaches mentioned above the attacker must be explicitly modelled. A more recent trend has been the use of name-passing process calculi for studying cryptographic authentication protocols. Abadi and Gordon have presented the spi-calculus [1], an exten- sion of the -calculus with cryptographic primitives (see [7] for a related approach using a

`second-order' calculus). Principals of a protocol are expressed in a-calculus-like notation, whereas the attacker is represented implicitly by the process calculus notion of `environ- ment'. Security properties are modelled in terms of contextual equivalences, in contrast to the previous approaches. The spi-calculus provides a precise notation with a formal opera- tional semantics, particularly for expressing the generation of fresh names, for the scope of names, and for identifying the dierent threads in a protocol and the order of events in each thread. These features are important: in the various notations found in the literature, the issues of name generation, scoping, data sorts, and synthesis capabilities of the adversary were often treated in an ad hoc and/or approximate manner.

Unfortunately, the addition of the cryptographic primitives to the-calculus considerably complicates reasoning about the behaviour of processes. Although there have been some attempts to simplify this reasoning (see [2, 9, 5]), the developed theory has not yet led to automatic or semi-automatic verication methods.

In this paper, we describe an approach that combines the analyses found in the model- checking and theorem-proving approaches with the benets of using a process notation. Fo- cussing on symmetric shared-key cryptosystems, we propose a name-passing calculus based

on a variety of -calculus and use it for modelling and verifying secrecy and authenticity properties in cryptographic protocols. Our approach departs from that of Abadi and Gordon in three major ways.

First, we insist on considering every transmissible value as a name, thus eliminating com- plications to the theory arising from structured values. We keep track of the relationships amongst names (what name is a ciphertext of what plaintext) by means of a cryptographic table. Secondly, we model secrecy and authenticity properties as reachability properties that are largely insensitive to the ordering of the actions and to their branching structure. Intu- itively, we designate congurations reached after a successful attack as erroneous. Protocol verication then involves showing invariance of the property that such error congurations are not reachable. Thirdly, we eliminate named communication channels and, as in e.g., [4], let all communications between principals and the environment transit on a public medium.

This paper is organized as follows. In section 2, we dene a simple name-passing cal- culus equipped with a cryptographic table, present some derived operators, and relate our formalism to the -calculus. In section 3, we apply the calculus for modelling a concrete example: the Yahalom protocol. Finally, in section 4 relying on simple rewriting techniques we show that the reachability problem is decidable assuming nite principals and bounds on the sorts of the messages synthesized by the attacker.

2 The calculus

We dene a process calculus enriched with a `cryptographic table' to model and analyse symmetric key cryptographic protocols. We use a;b;:::for names and ^a;^b;::: for vectors of names. N denotes the set of names. The principals' behaviour as well as secrecy and authenticity properties are represented as processes.

Denition 2.1 (processes)

A process (typically p;q) is dened by the following grammar:

p^{::= 0jjerr j!j}a:p^j?j a:p^jj(a⁾p^jj[a⁼b^]p;q^jjp^jq^jjA^(a)

j

jleta^{=fbgc in} p^{jjcase fbgc=}aⁱⁿ p :

As usual, ⁰is the terminated process;^err is a distinguished `error' process;^!a:psendsato the environment and becomesp; ^?a:preceives a name from the environment, binds it to a and becomesp; ⁽a⁾pcreates a new restricted nameaand becomesp;^[a⁼b^]p;qtests the equality ofa and b and accordingly executesp orq; p ^j q is the parallel composition of p andq;A^(a)is a recursively dened process;^leta^{=fbgc in}pdenesato be the encryption of^bwith keyc inp; nally^casefbgc=aⁱⁿpdenes^bto be the decryption ofawith key c in p. The input and restriction operators act as name binders. Moreover, ais bound in

leta^{=fbgc in} pand the names^bare bound in ^casefbgc=aⁱⁿp. We denote with ^fn(p⁾ the set of names free inp. We assume that for every process identierA^(a)there is a unique recursive equationA^(a)=psuch that^fn(p^)fag.

LetT be a relation in^{(Sk 1}N^k)NN. We writea²ⁿ⁽T⁾if the nameaoccurs in a tuple of the relationT. We write^(b;c;a⁾²T as^{fbgc =}a²T. This notation is supposed

to suggest that c is a key,^bis a tuple of plaintext, anda is the corresponding ciphertext.

The relationT induces an order<^T onⁿ⁽T⁾which we dene as the least transitive relation such that: ^fb¹;:::;b^ngc=a²T ⁾ b¹;:::;bⁿ;c <^T a.

Denition 2.2 (cryptographic table)

A cryptographic tableT is a relation in^{(Sk 1}N^k) NN which satises the following properties:

T is nite.

<^T is acyclic.

fbg

c

=a²T and^fbgc=a⁰²T ⁾a⁼a⁰ (single valued)

fbg

c

=a²T and^{fb0gc0 =}a²T ^)b=b0 andc⁼c⁰ (injectivity) . We introduce a notion of sort for the names in a cryptographic table.

Denition 2.3 (sorts)

The collection of sorts^Srt is the least set that contains the ground sort⁰and such that⁽s¹;:::;s^n)2Srt if s^i2Srt for i⁼¹;:::;nwithn².

Every name occurring in a cryptographic table can be assigned a unique sort as follows.

Denition 2.4 (sorting)

Let T be a cryptographic table. We dene a function ^{srtT :}

n(T^)!Srt as follows:

srt

T

(a^{)= 0 if} ais minimal in <^T

(s¹;:::;sⁿ⁾ if ^fb¹;:::;b^n,1gbn=a²T and^srtT(bⁱ⁾⁼sⁱ;i⁼¹;:::;n :

Denition 2.5 (conguration)

A conguration r is a triple ^(fag)(p^jT⁾ where^fag is aset of restricted names, pis a process, and T is a cryptographic table.

We writerr⁰ifrandr⁰ are identical congurations up to-renaming of bound names and associativity-commutativity of parallel composition.

In gure 1, we dene a reduction relation on congurations. The rst ve rules describe the computation performed by the principals or by `observer processes' needed in the ver- ication of secrecy or authenticity properties.Rules ^(out)and ⁽ⁱⁿ⁾ concern the sending of a name to the environment and the reception of a name from the environment. Rules⁽⁾,

(m⁾, and^(rec)describe internal computation performed by the principals: generation of new names, conditional, and unfolding of recursive denitions. The cryptographic table plays a role in the next three rules. In particular, it allows sharing of information between prin- cipals and environments. The rules ^(let1) and ^(let2) compute the ciphertexta⁰ associated with^fbgc inT while adding^fbgc=a⁰ to T if it is not already there. The rule^(case)tries to decode the ciphertexta with key c. In the rule ^(case), a deadlock occurs (specied by the absence of a transition) if either the vectors^band^b0 do not have the same length or an incorrect key is used for decoding.

Finally, the last three rules^(let1e),^(let2e), and^(casee)describe the encoding/synthesis and decoding/analysis performed by the environment: in the rule^(let1e)the environment learns

(out) (^fag)(!a:p^jq^jT^)!(fagna⁾⁽p^jq^jT⁾

(in) (^fag)(?a:p^jq^jT^)!(fag)([b=a^]p^jq^jT⁾ ifb =^2fag

(^{) (fag)((}a⁾p^jq^jT^)!(fag[fa^g)(p^jq^jT⁾ a =^2fn(q^)[n(T⁾

(m^{) (fag)([}a⁼b^]p¹;p^2jq^jT^{)! (fag)(}p^1jq^jT⁾ ifa⁼b

(^fag)(p^2jq^jT⁾ ifa⁶⁼b

(rec) (^fag)(A^(b)jq^jT^)!(fag)([b=^c]p^jq^jT⁾ ifA^(c)=p

(let 1

) (^fag)(let a^{=fbgc in}p^jq^jT^)!(fag)([a⁰=a^]p^jq^jT⁾ if^fbgc=a⁰²T

(let 2

) (^fag)(let a^{=fbgc in}p^jq^jT^)!(fag[fa^0g)([a⁰=a^]p^jq^jT^[ffbgc=a^0g) if ⁶⁹a^{0 (fbgc=}a⁰²T⁾anda⁰ is fresh.

(case) (^{fag)(casefbgc=}aⁱⁿp^jq^jT^)!(fag)([b0=^b]p^jq^jT⁾ if^fb0gc=a²T

(let 1

e

) (^fa;a^g)(p^jT^[ffbgc=a^g)!(fag)(p^jT^[ffbgc=a^g) if^fb;c^g\fa;a^g=;anda =^2fag

(let 2

e

) (^fag)(p^jT^)!(fag)(p^jT^[ffbgc=a^g)

if^fb;c^g\fag=;;⁶⁹a ^{(fbgc =}a²T⁾; andais fresh

(case

e

) (^fag)(p^jT^[ffbgc=a^{g)!(fagnfbg)(}p^jT^[ffbgc=a^g) if^fa;c^g\fag=;and^fbg\fag6=;

Figure 1: Reduction rules

a private name by encoding, in the rule ^(let2e) the environment creates a new ciphertext, and in the rule^(casee)the environment learns new names by decoding.

We write r ^!R r⁰ to make explicit the reduction rule R being applied. We note that encoding a new tuple (plaintext,key) generates a new ciphertext. It follows that the acyclicity and injective function properties of the cryptographic table are preserved by reduction.

Lemma 2.6

The set of congurations is closed under reduction.

Denition 2.7 (error)

A conguration with error is a conguration having the shape:

(^{fag)(err j}p^jT⁾.

We writer^#err ifr is a conguration with error (readrcommits on^err) andr^#err if r ^! r⁰ and r^{0 #err}. Note that congurations with errors are closed under reduction.

In general, we are interested in deciding whether r^{# err}, that is, whether r can reach a conguration with error.

The process calculus presented diers from the -calculus in two main respects: (i) We let all communications go through a unique (unnamed) channel that connects the principals to the environment. (ii) We add cryptographic primitives, which aect the contents of the cryptographic table.

In principle, we can code this process calculus in a variety of-calculus. This amounts to: (i) Decorating all input-output actions with fresh global channels thus replacing

!b:p with ab:p and likewise ^?b:p with a⁽b⁾:p, where a is a fresh name. (ii) Representing the cryptographic table as a process that receives messages on a global channel, say c. The coding and decoding operations are represented as remote procedure calls from the principals and the environment to the cryptographic process. To make sure that messages are not intercepted, we assume that the cryptographic process is the unique receiver on the channelc (syntactic conditions that guarantee this property are presented in [3]).

We refrain from going into this development because it seems much more eective, both in the mathematical development and in the practical applications, to expose directly the structure of the cryptographic table rather than hiding it behind a process algebraic veil.

Finally, we remark that the reduction rules in gure 1 can be easily turned into a labelled transition system whose actions (internal reduction, input, free and bound output) are inherited from the-calculus. We can then rely on the-calculus notion of bisimulation to reason about the equivalence of congurations. Thus our approach does not preclude the expression of security properties based on process equivalence [1].

Some syntactic sugar

We now describe how several concepts may be encoded in the core calculus given above. We rst describe several abbreviations that improve readability.

We then describe annotations with which we decorate the protocols when analyzing their secrecy and integrity properties. We sometimes use multiple abbreviations if the order of expanding them out is apparent from the context.

Sending or receiving a tuple of names can be encoded in the calculus with monadic communication by considering tuples as ciphertexts encoded with a distinguished globally- known keyg:

!(~b⁾:p ^let a^=f~b^{gg in!}a:p ^?(~b⁾:p ^?a:^casef~b^gg=aⁱⁿ p :

A ciphertext^f~b^gcmay appear as a component of the output tuple, or as a value in a match, in an encoding or as a parameter. In all these cases it is intended that^f~b^gc stands for the namearesulting from the encoding^leta^=f~b^{gc in}:::For instance:

!(~b⁰;^f~b^gc;:::⁾:p ^let b^=f~b^{gc in !(}~b⁰;b;:::⁾:p

[a^=f~b^gc]p;q ^let b^=f~b^{gc in [}a⁼b^]p;q

letb^=f~b⁰;^f~b^gc;:::^{gc0 in} p ^let a^=f~b^{gc inlet} b^=f~b⁰;a;:::^{gc0 in} p A⁽~a⁰;^f~b^gc;:::^{) let} a^=f~b^{gc in}A⁽~a⁰;a;:::⁾:

In a ltered input, we check that the input has a component that is equal to a certain value (marked asb) or that has a certain shape, e.g. ^f~b^gc, and we stop otherwise.

?(~b⁰;b;:::⁾:p ^?(~b⁰;c;:::⁾:^[c⁼b^]p;⁰

?(~b⁰;^f~b^gc;:::⁾:p ^?(~b⁰;b;:::⁾:^casef~b^gc=bⁱⁿp :

As in the ltered input, we check that the decryption of the ciphertext yields a certain component.

casef~b⁰;b;:::^gc=aⁱⁿp ^casef~b⁰;x;:::^gc=a^in[x⁼b^]p;⁰

casef~b⁰;^f~c^gd;:::^{gc0 =}a^{0 in}p ^casef~b⁰;a;:::^{gc0 =}a^{0 incasef}~c^gd=aⁱⁿ p : We mark the generation of a namea intended to remain secret in a protocol conguration with the annotation ⁽a^)secp. We can easily program an observerW⁽a⁾ such that if the environment ever discovers the namea, then an error conguration is reachable:

W⁽a^)?a^0[a⁼a^0]err;⁰ (secrecy observer). (1) Secrecy annotations are then translated as follows:

(a^)secp⁽a⁾⁽p^jW⁽a⁾⁾ (secrecy annotation): (2) In order to program an observer for authenticity properties we need a limited form of private channel. Fortunately, a private keyaalready allows the encoding of a private use-at-most- once channelaas follows:

a~b:p ^!f~b^ga:p a⁽~b⁾:p ^?f~b^ga:p :

We note that this encoding does not work for arbitrary (multiple-use) channels, since the environment may replay messages, and without mechanisms like time-stamping, it would

not be possible to dierentiate replayed messages from genuine fresh messages. However, the encoding can be generalized to a bounded use channel, if each message instance contains distinguished components that uniquely index each distinct use of the channel.

To specify authenticity properties we mark certain send and receive actions in the princi- pals with authenticity annotations. The idea is as follows: let us assume that after executing its part of the protocol, principalyreceives a message⁽f⁰;t⁰;m⁰⁾, wheref⁰;t⁰ name the pur- ported sender and receiver of the message. Supposeybelieves that this message is authentic, i.e., has been sent to it (thus, t^{0 =}y) by the principalx whom it has presumably authen- ticated. An all-knowing `session' judge can detect an authenticity aw if this particular message had not actually been sent by x. The judge only rules on messages purportedly sent byx ify presumes to have authenticated another principal, the judge reports no er- ror. Following this intuition, we introduce authenticity annotations^auth_^o(_⁾;^auth_ⁱ⁽_⁾ which represent, respectively,xregistering a message with a judge process prior to sending a message toy, andy claiming authenticity of the message received.

auth_^o((x;y;m⁾⁾:p ⁽n⁾j^(o;⁽x;y;m⁾;n⁾:j⁰⁽n⁾:p

auth_ⁱ⁽⁽x;y;m⁾⁾:p j⁽ⁱ;⁽x;y;m⁾;_⁾:p

J

x;y

j⁽d;⁽x;t;m⁾;n^)[d^=o](j⁰n:^J0x;y(m⁾⁾;^([d^=i](err;⁰⁾⁾

J 0

x;y

(m⁾ j⁽d;⁽x;t⁰;m⁰⁾;_⁾:^[d^=i]([m^{0 =}m^]0;^err);^J0x;y(m⁾:

Here we assume two distinguished names^oandⁱ, which indicate whether the authenticity of a message is being registered or claimed. Communication with the judge is over restricted channelsj;j⁰ to disallow the environment from making bogus assertions of authenticity. We will require the channelj appears in the principals to whichx;yare instanced, andj⁰ only in the principal corresponding to x. Note that althoughj is used twice, the dierent uses are distinguishable by the names^oandⁱ, and so replays can be recognized.

Relying on these encodings we translate authenticity annotations as follows:

!(~b^)auth:p ^auth_^o(~b⁾:^!(~b⁾:p ^?(~b^)auth:p ^?(~b⁾:^auth_ⁱ⁽~b⁾:p :

We observe that in an authenticated output, the principal receives an acknowledgement from the judge process on channelj⁰ before actually outputting the message.

3 Modelling cryptographic protocols

We now illustrate how a protocol specied informally in a notation common in the security community can be transformed into an annotated process in the enriched notation of Ÿ2.

We consider a symmetric key protocol due to Yahalom. This protocol concerns principals a, b, and a trusted server c running in a possibly hostile environment that can intercept all communications. Initially, principal a and principal b each share a symmetric secret key with c. At the end of the protocol, principals a, b (and c) share a third symmetric secret key, a `session key', which can be used by principals a and b to exchange information. A

particular run of the protocol is informally described by the following list of events:

event¹ a^!b^: a;b; n^a

event² b^!c^: b; ^fa;n^a;n^bgkbc

event³ c^!a^: a;^fb;k^ab;n^a;n^bgkac; ^fa;k^abgkbc event⁴ a^!b^: b;^fa;k^abgkbc; ^fn^bgkab

event⁵ a^!b^: a;b;^fd^{gkab post,protocol} event⁵⁰ b^!a^: b;a;^fd^{gkab alt,post,protocol} :

Principal a sends a clear-text message containing a nonce challenge to b. Instead of respond- ing directly to a, b generates a new noncen^b, its response to a's challenge, which, added to components of the original message, is sent encrypted to c. Server c creates a secret keyk^ab, which is placed in two separately encrypted message pieces that are sent to a: the rst part, readable by a, contains a's original challenge, b's retortn^b and the shared secretk^ab. The other part, not readable by a but by b, contains the same shared secret and a's identity; it is forwarded by a in event⁴to b, together with b's challenge encrypted with this new shared secret. For parametricity in the modelling, we have explicitly added redundant information in some of the messages b in event¹, a in event³, and b in event⁴. We have also shown (two possibilities of) the rst post-protocol message in which datum d is sent encrypted using the new session keyk^ab.

The secrecy property we would like to verify is that the keys k^ac, k^bc, and k^ab remain secret. The authenticity property that we would like to verify is that the message successfully received by b at the second part of event⁵(alternatively⁵⁰) of the protocol is `authentic', i.e., it is equal to the message emitted by a in the rst part of the same event. Following event³, principal a will believe it is interacting with principal b if the third element of the message component encrypted with k^ac is the same as the nonce n^a that it had generated in event¹. Following event⁴, principal b will believe it has authenticated and established a secure channel with principal a, provided the noncen^b encrypted with the received keyk^ab is equal to the nonce generated at event².

We will model a system q(a,b,c) consisting of principals a, b and c, which are assumed to follow the protocol honestly. Our goal is to verify that a session between a and b cannot be attacked by showing that the system q(a,b,c) can never evolve into a conguration with error.

From the message sequence chart above we can extract the sequence of events where a principal acts as a sender or a receiver, as well as the name generation, cryptographic and matching operations that it performs.

Letp^a,p^b, andp^c be the processes corresponding to instances of principals a,b,c involved in one protocol session. The process p^a, for the rst alternative of the rst post-protocol

event, is then specied as follows:

event^{1 (}n^a)(!(a;b; n^a): event^{3 ?(}a;^fb;k;n^a;n^gkac;y⁾: event^{4 !(}b;y;^fn^gk):

event^{5 !(}a;b;^fd^gk)auth:⁰⁾ :

The behaviours associated with principals b and c are dened in a similar way.

p^{b = ?(}a⁰;b;n⁰⁾:

(n^b)(!(b;^fa⁰;n⁰;n^bgkbc):

?(b;^fa⁰;k^0gkbc;x⁰⁾:

casefn^{bgk0 =}x^{0 in}

?(a⁰;b;^fz^gk0)auth:⁰⁾:

p^{c =?(}b;^fa;n¹;n^2gkbc):

(k^ab)sec!(a;^fb;k^ab;n¹;n^2gkac;^fa;k^abgkbc):⁰: The process we consider for analysis is:

q⁽a;b;c⁾⁽k^ac)sec(k^bc)sec(j⁾⁽j⁰⁾⁽p^{a j}p^bjp^{cjJa;b j;)}

where ^; is the empty cryptographic table. Keys k^ac and k^bc being long-term secrets, we restrict these names at the top-level. To indicate that the authenticity judge is observing a session involving a and b, we place a judge process^Ja;b in parallel with the principals and restrict the namesj;j⁰. What we have presented is only illustrative: we also have to consider a similar process with event⁵⁰ instead of event⁵, and with the judge ^Jb;a. In general, to consider the protocol operating in more complicated scenarios, we can emendqby enriching the contexts in which the principals are placed.

4 Reachability

In the previous sections, we expressed secrecy and authenticity properties as reachability properties. We now present some results on the problem of determining whether a congu- ration can reach one with error.

Denition 4.1 (substitution)

A name substitution is a function on names that is the identity almost everywhere.

Denition 4.2 (injective renaming)

Let r andr⁰ be congurations. We write r⁼r⁰ if there is an injective substitution such thatrr⁰.

We study reachability modulo injective renaming.

Lemma 4.3

⁽¹⁾ The relation⁼is reexive, symmetric, and transitive.

(2) If r⁼r⁰ thenr^#err ir^0#err.

(3) If r⁼r⁰ andr^!Rr¹ then⁹r¹⁰ r^0!Rr⁰¹ andr¹⁼r⁰¹.

We consider rewriting modulo injective renaming.

Lemma 4.4

Letr be a conguration. Then the set^fr^{0 j}r^!Rr^0gwhere R is not^(let2e)is nite modulo injective renaming.

Lemma 4.5

Letr^(fag)(p^jT⁾be a conguration. Given a sorts, the set of congura- tions to whichrmay reduce by^(let2e), while introducing a name of sortsin the cryptographic table, is nite modulo injective renaming.

Therefore, if we can bound the sorts in the cryptographic table then the reduction relation dened in gure 1 is nitely branching modulo injective renaming.

A second important result is that all reduction rules except input are strongly conuent modulo injective renaming.

Lemma 4.6

Letr be a conguration and supposer^!R1r¹ andr^!R2r² where R¹ is not the input rule. Then

9r⁰¹;r^{02 (}r^1!0;1R0

1

r¹⁰;r^2!0;1R0

2

r²⁰; andr⁰¹⁼r²⁰⁾

whereR²⁰ in not the input rule and ^!0;1R indicates reduction in⁰or ¹steps.

The rule^(let2e)can be postponed except in certain particular cases.

Lemma 4.7

Suppose r is a conguration and

r^(a)(p^jT^)!let2er^{0 (a)(}p^jT^[ffbgc=a^0g)!Rr⁰⁰

where ^{fbgc =}a⁰ is the tuple introduced by the rst reduction. Then in the following cases the rst reduction^(let2e)can be postponed or eliminated:

(1) If R⁼⁽ⁱⁿ⁾ and the name taken in input is nota⁰ then

9r¹;r^{2 (}r^!inr^1!let2e r²⁾andr⁰⁰⁼r² :

(2) If R ^{= (let2e)} and r^{00 (a)(}p ^j T ^{[ffbgc =} a⁰;^{fb1gc1 =} a^01g) where ^{fb1gc1 =} a⁰¹ is the tuple introduced by the second reduction and this tuple does not depend on a⁰, i.e., a⁰²=^fb1;c^1g. Then the two^(let2e)reductions can be permuted:

r^!(a)(p^jT^{[ffb1gc1 =}a^01g)!r⁰⁰ :

(3) If R^=(let1)and we have

r^{0 (a)(}p^00jlet a^{=fbgc in} p^{0 j}T^[ffbgc=a^0g)!let1 r^{00 (a)(}p^00j[a⁰=a^]p^0jT^[ffbgc=a^0g):

Then the ^(let2e)reduction can be eliminated as follows:

r^{!let2 (a};a^0)([a⁰=a^]p^0jp^00jT^[ffbgc=a^0g)!let1er⁰⁰

(4) In all other cases: ⁹r¹;r^{2 (}r^!Rr^1!let2er²⁾andr⁰⁰⁼r².

Next we introduce a measure d⁽s⁾ of a sort s which will provide an upper bound on the number of^(let2e)reductions that might be needed for the synthesis of a name.

Denition 4.8 (sort measure)

We dene a measure don sorts as follows:

d⁽⁰⁾⁼⁰ d⁽s¹;:::;sⁿ⁾⁼¹⁺d⁽s¹⁾⁺:::⁺d⁽sⁿ⁾:

Lemma 4.9

Suppose r^{1 !let2}e !

let 2

e r^{n+1 !in} rⁿ⁺² where the name received in input in the last reduction has sort sand nd⁽s⁾. Then at least n^,d⁽s^{) (let2e)}reductions can be postponed modulo injective renaming,i.e.

r¹r^{10 !let2}e !

let 2

er^0d(s)+1!in r^{d(s)+20 !let2}e !

let 2

e rⁿ⁺²⁰ andr⁰ⁿ⁺²⁼rⁿ⁺².

Proofhint. We apply lemma 4.7(1) to shift the input reduction to the left till the point where the^(let2e)reduction introduces a tuple^fbgc=aandais the name of sortstaken in input. The construction of the nameaneeds at mostd⁽s^{) (let2e)} reductions. All the other

(let 2

e

)reductions can be moved to the right of the input by iterated application of the lemma

4.7(1-2). ^qed

To summarize,^(let2e)reductions can be postponed except when they are needed in the construction of a name to be input. In this case, the number of needed^(let2e)reductions is bounded byd⁽s⁾ifsis the sort of the input name.

Next, let us concentrate on the reachability problem in the case where all principals are nite processes (in practical applications this is often the case). We note that the secrecy and authenticity annotations compile to nite processes.

Denition 4.10 (conguration measure)

We dene the measure of a congurationr

(^fag)(p^jT⁾as the pair^(jp^j;^jaj)where^jp^jis the size of the process and^jajis the cardinality of^fag.

Lemma 4.11

⁽¹⁾ Rules^(out),⁽ⁱⁿ⁾,⁽⁾,⁽m⁾,^(let1),^(let2), and^(case)decrease the size of the process^jp^j.

(2) Rules ^(let1e) and ^(casee) decrease the size of the restricted names ^jaj while leaving unchanged the size of the processes.

(3) Rule ^(let2e)leaves the measure^(jp^j;^jaj) unchanged.

(4) If r^!let2e r⁰ andr^0#err then r^#err.

In the following, we concentrate on the issue of deciding reachability of a conguration with error assuming that for every input we can compute a nite and complete set of sorts which is dened as follows.

let in 2. Analyse the current conguration:

(a) errhas been reached: stop and report thaterr is reachable.

(b) err has not been reached and no (in) reductions are possible: backtrack if possible, otherwise report thaterris not reachable and stop.

(c) Otherwise:

i. Non-deterministically select an input action and compute a nite complete set of sorts for it, say^fs1;:::;sng.

ii. Non-deterministically perform a sequence of ⁽let^2e) reductions of length at most max^{fd(s1);:::;d(sn)g}.

iii. Non-deterministically select an input for the input action. Goto step 1.

Figure 2: Complete strategy for checking error reachability

Denition 4.12 (complete set of sorts)

Given a conguration r ^(a)(?a:p ^j q ^j T⁾ we say that a set of sortsS iscomplete for the input ^?a:pif whenever there is a reduction sequence starting fromrleading to ^err and whose rst reduction is performed by^?a:p, there is a reduction sequence leading to^err where the name taken in input has a sort in S.

Example 4.13

The problem of determining tight bounds on a complete set of sorts is not trivial. Consider p⁽k^)(?a:^!fa^{gk j?ff}c^gk0gkerr). It is easily checked that the set ^f0gis not complete for the input^?a:^!fa^gk, but the set^f(0;^0)gis.

If a nite complete set of sorts can be computed then the strategy in gure 2 decides ifrcan reach^err. We remark that sort constraints are usually assumed in the verication methods described, e.g., in [11, 14].

Theorem 4.14

Starting from a conguration r the strategy in gure 2 terminates and it will report an error ir^#err.

Proofhint. Concerning termination, we note that we can perform the loop from step¹to step²⁽c⁾⁽ⁱⁱⁱ⁾a nite number of times since at every iteration we perform at least one input action and this decreases the well-founded measure of denition 4.10. We will argue next that the non-deterministic choices in steps (i), (ii), and (iii) are nitely branching (modulo injective renaming). This entails the termination of the strategy.

()) The strategy examines a subset of the reachable congurations and therefore it is obviously sound.

(() Letrbe the initial conguration. The rewriting in step¹terminates in a conguration r⁰ by lemma 4.11. By iterated application of lemma 4.6 and lemma 4.3, if r ^{# err} then r^0#err.

In step²⁽b⁾, if we have not reached^err then we can safely claim by lemma 4.11(4) that

err is not reachable.