## Symbolic protocol analysis with products and Diffie-Hellman exponentiation (2003)

Download: www.csl.sri.com, DBLP

Citations: 36 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Millen03symbolicprotocol,
  author    = {Jonathan Millen and Vitaly Shmatikov},
  title     = {Symbolic protocol analysis with products and Diffie-Hellman exponentiation},
  booktitle = {},
  year      = {2003},
  pages     = {47--61},
  publisher = {IEEE Computer Society Press}
}
```

### Abstract

We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker.
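The abstract's central point is that, once exponents are treated as elements of an Abelian group (so the attacker can multiply, cancel and invert them freely), deciding what the attacker can derive becomes an integer-equation problem rather than a syntactic matching problem. The following Python block is an added illustration, not code from the paper or its authors: it represents exponent terms in the group normal form (atom to nonzero integer power, which identifies terms up to associativity, commutativity, inverses and the unit), and checks whether an attacker who knows some exponentials g^E and some exponent terms can reach a target g^T. The attacker model assumed here is the constant-base one the paper's citation contexts describe: a known g^E may be raised to any product P of known exponent terms and their inverses, giving g^(E*P). Under that assumption, derivability of g^T is membership of the integer vector T*E^-1 in the lattice spanned by the known exponents, a linear Diophantine system, which the block solves with a standard integer row-echelon (Euclid-on-columns) reduction. The function names, the echelon routine and the sample scenario are the editor's own assumptions; the paper's actual reduction to quadratic and linear Diophantine systems is more general than this fragment.

```python
"""Exponent terms as elements of a free Abelian group, and an attacker derivability
check for constant-base exponentials that reduces to a linear Diophantine system.

Added illustration, not the paper's algorithm. Assumed attacker model: a known
exponential g^E may be raised to any product P of known exponent terms and their
inverses, yielding g^(E*P).
"""
from typing import Dict, List, Optional, Tuple

Exp = Dict[str, int]  # normal form of an exponent term: atom -> nonzero integer power


def parse(term: str) -> Exp:
    """'a*b^-1*a' -> {'a': 2, 'b': -1}; '1' is the group unit."""
    out: Exp = {}
    for factor in term.split('*'):
        factor = factor.strip()
        if factor == '1':
            continue
        atom, _, power = factor.partition('^')
        out[atom] = out.get(atom, 0) + (int(power) if power else 1)
    return {a: k for a, k in out.items() if k != 0}


def mul(x: Exp, y: Exp) -> Exp:
    """Group product; zero powers are dropped so equal terms have equal dicts."""
    out = dict(x)
    for a, k in y.items():
        out[a] = out.get(a, 0) + k
    return {a: k for a, k in out.items() if k != 0}


def inv(x: Exp) -> Exp:
    """Multiplicative inverse: negate every power."""
    return {a: -k for a, k in x.items()}


def show(x: Exp) -> str:
    return '*'.join(f'{a}^{k}' if k != 1 else a for a, k in sorted(x.items())) or '1'


def echelon_basis(rows: List[List[int]]) -> List[List[int]]:
    """Integer row-echelon basis of the lattice spanned by rows, via Euclid's
    algorithm on each pivot column (so generators a^2 and a^3 yield the pivot a^1)."""
    rows = [list(r) for r in rows]
    basis: List[List[int]] = []
    for c in range(len(rows[0]) if rows else 0):
        live = [r for r in rows if r[c] != 0]
        rows = [r for r in rows if r[c] == 0]
        if not live:
            continue
        pivot = live[0]
        for r in live[1:]:
            while r[c] != 0:  # gcd step: ends with pivot[c] = gcd(pivot[c], r[c]), r[c] = 0
                q = pivot[c] // r[c]
                pivot = [p - q * s for p, s in zip(pivot, r)]
                pivot, r = r, pivot
            rows.append(r)  # r is now zero in columns <= c; reconsider it later
        basis.append(pivot)
    return basis


def in_lattice(basis: List[List[int]], target: List[int]) -> bool:
    """Decide target = sum n_i * basis_i over the integers by back-substitution."""
    t = list(target)
    for row in basis:
        c = next(i for i, v in enumerate(row) if v != 0)
        if t[c] % row[c] != 0:
            return False
        q = t[c] // row[c]
        t = [x - q * y for x, y in zip(t, row)]
    return all(x == 0 for x in t)


def derive(known_exponents: List[Exp], known_exponentials: List[Exp],
           target: Exp) -> Optional[Tuple[str, str]]:
    """Return (E, P) with g^(E*P) = g^target for some observed exponential g^E and
    some P in the subgroup generated by the known exponents, or None if none exists."""
    atoms = sorted({a for x in known_exponents + known_exponentials + [target] for a in x})

    def vec(x: Exp) -> List[int]:
        return [x.get(a, 0) for a in atoms]

    basis = echelon_basis([vec(k) for k in known_exponents])
    for e in known_exponentials:
        needed = mul(target, inv(e))  # the exponent the attacker would have to apply to g^E
        if in_lattice(basis, vec(needed)):
            return show(e), show(needed)
    return None


if __name__ == '__main__':
    # Constructed scenario (not from any real protocol): the attacker holds its own
    # exponent r, has learned the exponent term a*b^-1, and has seen g^a and g^(b*c).
    known = [parse('r'), parse('a*b^-1')]
    seen = [parse('a'), parse('b*c')]
    for goal in ('b', 'c', 'a*r^2'):
        print(goal, '->', derive(known, seen, parse(goal)))
```

In the constructed scenario the attacker reaches g^b by raising g^a to (a*b^-1)^-1, which is exactly the kind of inverse-based step a free-algebra model (where a*b^-1 is just an opaque term) would miss; g^c stays out of reach because b^-1 is not in the subgroup the attacker can generate. The gcd behaviour of the echelon step matters too: knowing a^2 and a^3 is as good as knowing a.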

### Citations

2467 | Time, clocks, and the ordering of events in a distributed system - Lamport - 1977
Citation context: ...ckward complete in the sense that the strand predecessor of each (non-initial) node must be present, and the send node for each receive node must be present. A bundle is essentially a Lamport diagram [Lam78] in which the processes are strands. (Lamport called this a space-time diagram, but others renamed it in the context of distributed systems.) 2.1 Overview of constraint solving It is shown in [THG99] ...

1132 | On the security of public-key protocols - Dolev, Yao - 1983
Citation context: ... our term algebra and the bitstrings they are mapped to in the protocol implementation. This is not an easy question to answer because of the level of abstraction of our model (and all Dolev-Yao-style [DY83] models in general). For example, regarding encryption as a free operator means that the infinite sequence of terms ... are all distinct, whereas in practice the bitstring values would al...

433 | The inductive approach to verifying cryptographic protocols - Paulson - 1998

238 | Unification theory - Baader, Snyder - 2001
Citation context: ...vation problems is naturally reduced to a system of quadratic Diophantine equations, as shown in Section 6. One of the steps along the way is Abelian group unification, which is known to be decidable [BS01]. We then proceed to demonstrate that the quadratic system has a solution if and only if a particular linear subsystem has a solution. Since linear Diophantine equations are decidable (e.g., [CD94]), ...

225 | Key Distribution Extended to Groups - Steiner, Tsudik, et al.
Citation context: ... protocol analysis in the presence of associative and commutative operators. The algebraic theory considered in this paper is significantly more complicated. In protocols such as group Diffie-Hellman [STW96], the exponents form an Abelian group. In particular, the attacker can easily compute multiplicative inverses. To discover attacks such as that found by Pereira and Quisquater [PQ01], the algebraic th...

156 | Protocol insecurity with finite number of sessions is NP-complete, Theoret - Rusinowitch, Turuani - 2003
Citation context: ...ppears in the trace as an unencrypted received message (i.e., is announced by the attacker). For a bounded number of sessions, the symbolic trace reachability problem has been shown to be NP-complete [RT01], assuming a free term algebra. Our main contribution is to extend the constraint solving approach, first proposed in [MS01], to handle the algebraic properties of Abelian group operators. For any wel...

132 | Undecidability of bounded security protocols - Durgin, Lincoln, et al. - 1999

127 | Strand spaces: Proving security protocols correct - Thayer, Herzog, et al. - 1999
Citation context: ...ility in the presence of an Abelian group operator (rather than mere associativity and commutativity) is the main technical contribution of this paper. 2 Model We begin with the strand space model of [THG99]. A strand is a sequence of nodes representing the activity of one party executing the protocol. Strands are finite and do not have branching or loops. Associated with each node is a message term with...

95 | Strand spaces: proving security protocols correct - Thayer, Herzog, et al. - 1999

91 | Symbolic trace analysis of cryptographic protocols - Boreale - 2001

90 | On the reachability problem in cryptographic protocols - Amadio, Lugiez - 2000

89 | An NP decision procedure for protocol insecurity with Xor - Chevalier, Kuesters, et al. - 2003
Citation context: ...nsufficient to decide whether a particular symbolic attack trace is feasible. Decidability of symbolic protocol analysis in the presence of xor has been proved in [CKRT03b, CLS03]. Chevalier et al. [CKRT03b] showed that the problem is NP-complete in a restricted protocol model which is very similar to the one proposed in this paper. Independently, Comon-Lundh and Shmatikov [CLS03] demonstrated decidabilit...

81 | Intruder deductions, constraint solving and insecurity decision in presence of exclusive or - Comon-Lundh, Shmatikov - 2003
Citation context: ... is a necessary property of any well-defined protocol. In Section 4, we summarize the theory of ground term derivability in the presence of an Abelian group operator, due to Comon-Lundh and Shmatikov [CLS03]. The main technical result of the paper appears in Section 5. If the constraint sequence has a solution, we prove that it has a conservative solution. Intuitively, the conservative solution uses only...

80 | Athena: a new efficient automatic checker for security protocol analysis - Song - 1999
Citation context: ...g with a semibundle consisting of partially instantiated role instances, in which the sources of received messages are not necessarily determined. (The term "semibundle" comes from the Athena paper [Son99].) In a semibundle to be analyzed, the number of instances of each role has been chosen, and variables representing nonces (or session keys) have been instantiated to symbolic constants in the roles t...

71 | Mechanized proofs for a recursive authentication protocol - Paulson - 1997

70 | Tree automata with one memory, set constraints and ping-pong protocols - Comon, Cortier, et al. - 2001

62 | Computing symbolic models for verifying cryptographic protocols - Fiore, Abadi - 2001

60 | A security analysis of the cliques protocols suites - Pereira, Quisquater - 2001
Citation context: ...nly constant-base exponentiation is considered in this paper. See [Shm04] for an extension of our constraint solving technique to modular exponentiation from an arbitrary base. Pereira and Quisquater [PQ01] discovered an attack on a group Diffie-Hellman (GDH) protocol that exploits algebraic properties of Diffie-Hellman exponents. Their approach is specific to GDH-based protocols, and the attacker model...

58 | Verifying security protocols with Brutus - Clarke, Jha, et al.

58 | Deciding the security of protocols with Diffie-Hellman exponentiation and product in exponents - Chevalier, Kuesters, et al. - 2003
Citation context: ... for such protocols to the solvability of a symbolic constraint sequence with an Abelian group operator. Conclusions are in Section 8. 1.2 Related work Boreale and Buscemi [BB03] and Chevalier et al. [CKRT03a] recently developed decision procedures for protocol analysis in the presence of Diffie-Hellman exponentiation. Neither addresses decidability in the presence of an Abelian group operator. The decisio...

54 | An improved constraint-based system for the verification of security protocols - Corin, Etalle - 2002
Citation context: ...ations such as concatenation, encryption, and hashing. Some work was done subsequently to improve the efficiency of constraint generation and solving. Corin and Etalle devised an incremental approach [CE02] that has been adopted and incorporated into our own software tool. Recently, the AVISPA project made further improvements with a "constraint differentiation" approach [BMV03]. This paper focuses on t...

36 | An attack on a recursive authentication protocol: A cautionary tale - Ryan, Schneider - 1998

27 | A unification algorithm for the group Diffie-Hellman protocol - Meadows, Narendran - 2002
Citation context: ...ge term constructors of Figure 1 with terms representing exponentials. We also extend the rules of Figure 2 with the rules for exponentials, as shown in Figure 4. The rules of Figure 4 were shown in [MN02] to lead to unique normal forms up to associativity and commutativity of the group operator. In this paper, we consider only protocols in which all exponentiation is ultimately from a constant base, that is...

24 | Constraint Differentiation: A New Reduction Technique for Constraint-Based Analysis of Security Protocols - Basin, Mödersheim, et al. - 2003
Citation context: ...d an incremental approach [CE02] that has been adopted and incorporated into our own software tool. Recently, the AVISPA project made further improvements with a "constraint differentiation" approach [BMV03]. This paper focuses on the decidability of constraint solving in the extended model with Abelian group operations. The constraint solving step is different from that of [MS01], and consists mainly in...

22 | Reconciling two views of cryptography - Abadi, Rogaway - 2002
Citation context: ...attacks on the real protocol than on the abstract version. Such concerns are addressed in work on computationally sound formal models, which is beyond the scope of this paper. The Abadi-Rogaway paper [AR02] is a good introduction to this issue. We describe an extension with exponentials in Section 7, for application to protocols using Diffie-Hellman key agreement. Other extensions are possible with no c...

20 | An E-unification Algorithm for Analyzing Protocols that Use Modular Exponentiation - Kapur, Narendran, et al. - 2003

17 | Decidable analysis of cryptographic protocols with products and modular exponentiation - Shmatikov - 2004
Citation context: ...T03a] is more general in its treatment of Diffie-Hellman exponentiation since it allows exponentiation from an arbitrary base, while only constant-base exponentiation is considered in this paper. See [Shm04] for an extension of our constraint solving technique to modular exponentiation from an arbitrary base. Pereira and Quisquater [PQ01] discovered an attack on a group Diffie-Hellman (GDH) protocol that...

10 | On the freedom of decryption - Millen
Citation context: ...sponding private key for public-key encryption. Sometimes even less is assumed: for example, in the free algebra model dec is not used explicitly (the consequences of this restriction are discussed in [Mil03]). This rudimentary treatment of encryption is not adequate to deal with primitives such as xor (exclusive or), multiplication, and Diffie-Hellman exponentiation, which are widely used in security pro...

10 | Unification in a combination of arbitrary disjoint equational theories - Schmidt-Schauss - 1989
Citation context: ...eparate attacker inference rules, which are discussed in Section 2.4. The overall algebraic structure is described as the disjoint combination of a free theory and the Abelian group theory, following [SS89]. In this context, "disjoint" means that each relation involves only functions (and constants) from one theory at a time, in this case the group theory. However, any term is acceptable as an argument ...

8 | Constraint solving for bounded process cryptographic protocol analysis - Millen, Shmatikov - 2001
Citation context: ...s, the symbolic trace reachability problem has been shown to be NP-complete [RT01], assuming a free term algebra. Our main contribution is to extend the constraint solving approach, first proposed in [MS01], to handle the algebraic properties of Abelian group operators. For any well-defined cryptographic protocol, we show that symbolic trace reachability is equivalent to solvability in integers of a cert...

7 | An efficient algorithm for solving systems of Diophantine equations - Contejean, Devie - 1994
Citation context: ...le [BS01]. We then proceed to demonstrate that the quadratic system has a solution if and only if a particular linear subsystem has a solution. Since linear Diophantine equations are decidable (e.g., [CD94]), this establishes decidability of the protocol analysis problem in the presence of an Abelian group operator. In Section 7, we extend our approach to protocols with Diffie-Hellman exponentiation, ...

7 | On the Symbolic Analysis of Low-Level Cryptographic Primitives: Modular Exponentiation and the Diffie-Hellman Protocol - Boreale, Buscemi - 2003
Citation context: ...he symbolic analysis problem for such protocols to the solvability of a symbolic constraint sequence with an Abelian group operator. Conclusions are in Section 8. 1.2 Related work Boreale and Buscemi [BB03] and Chevalier et al. [CKRT03a] recently developed decision procedures for protocol analysis in the presence of Diffie-Hellman exponentiation. Neither addresses decidability in the presence of an Abel...

4 | Analyzing protocols that use modular exponentiation: Semantic unification techniques - Kapur, Narendran, et al. - 2003

3 | A unification algorithm for analysis of protocols with blinded signatures - Kapur, Narendran, et al. - 2002

2 | Introducing commutative and associative operators in cryptographic protocol analysis - Bertolotti, Durante, et al. - 2003
Citation context: ... more complicated theory than in the xor case. In contrast, [CLS03] only considers Abelian group operators in the ground case, and obtains symbolic decidability results for xor only. Bertolotti et al. [BDSV03] investigated cryptographic protocol analysis in the presence of associative and commutative operators. The algebraic theory considered in this paper is significantly more complicated. In protocols su...

2 | Adventures in associative-commutative unification - Lincoln, Christian - 1989
Citation context: ...ed by solving a system of linear Diophantine equations. Practical techniques for solving linear Diophantine equations have already been developed in the context of associative-commutative unification [LC89]. 2.2 Term algebra To focus on decidability in the presence of an Abelian group operator, we use a simplified term algebra that includes only pairing, symmetric encryption (but not decryption), a onea...

1 | Encyclopedic Dictionary of Mathematics. Springer-Verlag, 2nd edition - Wang - 1994

1 | On the reachability problem in cryptographic protocols - Amadio, Lugiez - 2001