Intruder deduction for AC-like equational theories with homomorphisms
Research Report LSV-04-16, LSV, ENS de Cachan, 2004
Cited by 15 (3 self)
Abstract. Cryptographic protocols are small programs which involve a high level of concurrency and which are difficult to analyze by hand. The most successful methods to verify such protocols rely on rewriting techniques and automated deduction in order to implement or mimic the process calculus describing the protocol execution. We focus on the intruder deduction problem, that is the vulnerability to passive attacks, in the presence of several variants of AC-like axioms (from AC to Abelian groups, including the theory of exclusive or) and homomorphism, which are the most frequent axioms arising in cryptographic protocols. Solutions are known for the cases of exclusive or, of Abelian groups, and of homomorphism alone. In this paper we address the combination of these AC-like theories with the law of homomorphism, which leads to much more complex decision problems. We prove decidability of the intruder deduction problem in all cases considered. Our decision procedure is in EXPTIME, except for a restricted case in which we have been able to get a PTIME decision procedure using a property of one-counter and pushdown automata.
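The intruder deduction problem the abstract refers to is, for a passive attacker, "given the messages observed on the wire, can the attacker derive this term?" The following is an added illustration, not code from the report above or from any of the listed authors, of the already-solved exclusive-or case (the ACUN theory, without the homomorphism axiom the report adds): terms are kept in ACUN normal form as sets of summands, xor-combinations of known messages reduce to a linear-span check over GF(2), and decryption/unpairing are applied to a fixpoint. The protocol messages in `xor_key_leak` are a constructed scenario, not a protocol from the page.

```python
"""Passive intruder deduction modulo exclusive-or (the ACUN theory: associativity,
commutativity, unit 0 and nilpotence x + x = 0) for a Dolev-Yao term algebra with
symmetric encryption and pairing.  Added example; not the report's own procedure.

Representation: a term is a frozenset of summands (its ACUN normal form: AC makes a
sum a set, nilpotence cancels duplicate summands, the empty set is 0).  A summand is
an atom (str) or a composite ("enc", m, k) / ("pair", a, b) whose arguments are terms.
"""


def T(x):
    """Lift an atom name to a term; terms pass through unchanged."""
    return frozenset({x}) if isinstance(x, str) else x


def enc(m, k):
    """Symmetric encryption of m under key k (k may itself be an xor term)."""
    return frozenset({("enc", T(m), T(k))})


def pair(a, b):
    """Pairing of two terms."""
    return frozenset({("pair", T(a), T(b))})


def xor(*ts):
    """ACUN normal form of t1 + ... + tn: symmetric difference of summand sets."""
    acc = frozenset()
    for t in ts:
        acc ^= T(t)
    return acc


def in_span(target, generators):
    """Is target an xor of some of the generators?  Summands are coordinates over
    GF(2), so this is linear-span membership, decided by Gaussian elimination on
    Python ints used as bit vectors."""
    index = {}

    def vec(t):
        v = 0
        for s in t:
            v |= 1 << index.setdefault(s, len(index))
        return v

    basis = {}  # leading bit -> reduced generator with that leading bit

    def reduce_vec(v):
        while v:
            lead = v.bit_length() - 1
            if lead not in basis:
                return v
            v ^= basis[lead]
        return 0

    for g in generators:
        r = reduce_vec(vec(g))
        if r:
            basis[r.bit_length() - 1] = r
    return reduce_vec(vec(target)) == 0


def deducible(target, knowledge):
    """Can the intruder derive target by xor-ing known terms and by building
    encryptions/pairs from derivable parts?  Composite summands of the target that
    can be synthesised are added as extra generators before the span check."""
    target = T(target)
    if in_span(target, knowledge):
        return True
    built = [frozenset({s}) for s in target
             if isinstance(s, tuple) and all(deducible(arg, knowledge) for arg in s[1:])]
    return bool(built) and in_span(target, list(knowledge) + built)


def analyse(knowledge):
    """Close knowledge under the analysis rules: a pair or ciphertext can be taken
    apart only once it is isolated, i.e. once the singleton {composite} is itself in
    the span; decryption additionally needs a deducible key.  Iterate to a fixpoint."""
    K = {T(t) for t in knowledge}
    while True:
        new = set()
        for t in K:
            for s in t:
                if not isinstance(s, tuple) or not in_span(frozenset({s}), K):
                    continue
                if s[0] == "pair":
                    new.update({s[1], s[2]})
                elif s[0] == "enc" and deducible(s[2], K):
                    new.add(s[1])
        if new <= K:
            return K
        K |= new


def xor_key_leak():
    """Constructed scenario (not from the page): a session key K is sent masked as
    K + Na, then Na + Nb, and Nb is later revealed in clear.  A passive attacker who
    also saw enc(s, K) recovers s: xor the three values to isolate K, then decrypt."""
    observed = {enc("s", "K"), xor("K", "Na"), xor("Na", "Nb"), T("Nb")}
    return deducible("s", analyse(observed))


if __name__ == "__main__":
    print("secret s deducible:", xor_key_leak())
```

The span check is where the AC, unit and nilpotence axioms are discharged: because every term is already in normal form, "is there an xor of known messages equal to this target" becomes ordinary linear algebra over GF(2), which is why the exclusive-or case alone is tractable. Dropping `Nb` from `observed` leaves `K` outside the span, the ciphertext is never opened, and `deducible("s", ...)` returns `False`.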
An undecidability result for AGh
Theoretical Computer Science, 2006
Cited by 2 (0 self)
We present an undecidability result for the verification of security protocols. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties, several recent works relax this assumption, allowing the intruder to exploit these properties. We are interested in the Abelian group theory in combination with the homomorphism axiom. We show that the security problem for a bounded number of sessions (expressed by satisfiability of symbolic deducibility constraints) is undecidable, obtaining in this way the first undecidability result concerning a theory for which unification is known to be decidable.
Unification modulo ACUI plus Homomorphisms/Distributivity
, 2003
Cited by 1 (0 self)
E-unification problems are central in automated deduction. In this paper, we consider theories that are extensions of the well-known ACI or ACUI, obtained by adding finitely many homomorphism symbols, or a symbol `#' that distributes over the ACUI symbol denoted `+'. We first show that when we adjoin a set of commuting homomorphisms to ACUI, unification is undecidable. We then consider the ACUID_l unification problem, i.e., unification modulo ACUI plus left-distributivity of a given `#' w.r.t. `+', and prove its NEXPTIME-decidability. When we assume the symbol `#' to be 2-sided distributive w.r.t.
Unification of Concept Terms in Description Logics: Revised Version
, 1998
Unification of concept terms is a new kind of inference problem for Description Logics, which extends the equivalence problem by allowing certain concept names to be replaced by concept terms before testing for equivalence. We show that this inference problem is of interest for applications, and present first decidability and complexity results for a small concept description language. 1 Introduction. Knowledge representation languages based on Description Logics (DL languages) can be used to represent the terminological knowledge of an application domain in a structured and formally well-understood way [8, 3]. With the help of these languages, the important notions of the domain can be described by concept terms, i.e., expressions that are built from atomic concepts (unary predicates) and atomic roles (binary predicates) using the concept constructors provided ...
Unification of Concept Terms (Extended Abstract)
, 1997
Knowledge representation languages based on Description Logics (DL languages) can be used to represent the terminological knowledge of an application domain in a structured and formally well-understood way [7, 3]. With the help of these languages, the important notions of the domain can be described by concept terms, i.e., expressions that are built from atomic concepts (unary predicates) and atomic roles (binary predicates) using the concept constructors provided by the DL language. The atomic concepts and concept terms represent sets of individuals, whereas roles represent binary relations between individuals. For example, using the atomic concept Woman and the atomic role child, the co...
Cryptographic p...
, 2006
We consider the design of automated procedures for analyzing the (in)security of cryptographic protocols in the Dolev-Yao model for a bounded number of sessions when we take into account some algebraic properties satisfied by the operators involved in the protocol. This leads to a more realistic model than what we get under the perfect cryptography assumption, but it implies that protocol analysis deals with terms modulo some equational theory instead of terms in a free algebra. The main goal of this paper is to set up a general approach that works for a whole class of monoidal theories which contains many of the specific cases that have been considered so far in an ad hoc way (e.g. exclusive or, Abelian groups, exclusive or in combination with the homomorphism axiom). We follow a classical schema for cryptographic protocol analysis which first proves a locality result and then reduces the insecurity problem to a symbolic constraint solving problem. This approach strongly relies on the correspondence between a monoidal theory E and a semiring SE which we use to deal with the symbolic constraints. We show that the well-defined symbolic constraints that are generated by reasonable protocols
An Undecidability Result for AGh
We present an undecidability result for the verification of security protocols. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties, several recent works relax this assumption, allowing the intruder to exploit these properties. We are interested in the Abelian group theory in combination with the homomorphism axiom. We show that the security problem for a bounded number of sessions (expressed by satisfiability of symbolic deducibility constraints) is undecidable, obtaining in this way the first undecidability result concerning a theory for which unification is known to be decidable [2]. Key words: formal methods, security protocols, constraint solving
Symbolic Protocol Analysis for Monoidal Equational Theories
We are interested in the design of automated procedures for analyzing the (in)security of cryptographic protocols in the Dolev-Yao model for a bounded number of sessions when we take into account some algebraic properties satisfied by the operators involved in the protocol. This leads to a more realistic model than what we get under the perfect cryptography assumption, but it implies that protocol analysis deals with terms modulo some equational theory instead of terms in a free algebra. The main goal of this paper is to set up a general approach that works for a whole class of monoidal theories which contains many of the specific cases that have been considered so far in an ad hoc way (e.g. exclusive or, Abelian groups, exclusive or in combination with the homomorphism axiom). We follow a classical schema for cryptographic protocol analysis which first proves a locality result and then reduces the insecurity problem to a symbolic constraint solving problem. This approach strongly relies on the correspondence between a monoidal theory E and a semiring SE which we use to deal with the symbolic constraints. We show that the well-defined symbolic constraints that are generated by reasonable protocols can be solved provided that unification in the monoidal theory satisfies some additional properties. The resolution process boils down to solving particular quadratic Diophantine equations that are reduced to linear Diophantine equations, thanks to linear algebra results and the well-definedness of the problem. Examples of theories that do not satisfy our additional properties appear to be undecidable, which suggests that our characterization is reasonably tight.