Results 1 - 10 of 12
Intruder deductions, constraint solving and insecurity decision in presence of exclusive or
, 2003
Abstract

Cited by 91 (12 self)
We present decidability results for the verification of cryptographic protocols in the presence of equational theories corresponding to xor and Abelian groups. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties such as xor, we extend the conventional Dolev-Yao model by permitting the intruder to exploit these properties. We show that the ground reachability problem is in NP for the extended intruder theories in the cases of xor and Abelian groups. This result follows from a normal proof theorem. Then, we show how to lift this result in the xor case: we consider a symbolic constraint system expressing the reachability (e.g., secrecy) problem for a finite number of sessions. We prove that such a constraint system is decidable, relying in particular on an extension of combination algorithms for unification procedures. As a corollary, this enables automatic symbolic verification of cryptographic protocols employing xor for a fixed number of sessions.
New Decidability Results for Fragments of First-Order Logic and Application to Cryptographic Protocols
, 2003
Abstract

Cited by 54 (18 self)
We consider a new extension of the Skolem class for first-order logic and prove its decidability by resolution techniques. We then extend this class to include the built-in equational theory of exclusive or. Again, we prove the decidability of the class by resolution techniques.
The finite variant property: How to get rid of some algebraic properties
 In Proceedings of RTA’05, LNCS 3467
, 2005
Abstract

Cited by 46 (8 self)
We consider the following problem: given a term t, a rewrite system R, and a finite set of equations E′ such that R is E′-convergent, compute finitely many instances of t, t1, ..., tn, such that, for every substitution σ, there is an index i and a substitution θ such that tσ↓ =E′ tiθ (where tσ↓ is the normal form of tσ w.r.t. →E′\R). The goal of this paper is to give equivalent (resp. sufficient) conditions for the finite variant property and to systematically investigate this property for equational theories that are relevant to security protocol verification. For instance, we prove that the finite variant property holds for Abelian groups and for a theory of modular exponentiation, and that it does not hold for the theory ACUNh (Associativity, Commutativity, Unit, Nilpotence, homomorphism).
Basic Syntactic Mutation
Abstract

Cited by 5 (1 self)
We give a set of inference rules for E-unification, similar to the inference rules for Syntactic Mutation. If E is finitely saturated by paramodulation, then we can block certain terms from further inferences. Therefore,
A Simple Constraint-solving Decision Procedure for Protocols with Exclusive or
 In UNIF 2004
, 2004
Complexity of Constraint Satisfaction Problems
, 2001
Abstract

Cited by 1 (0 self)
This document is an overview, from a computational complexity standpoint, of several constraint satisfaction problems. We assume that the reader is familiar with the usual notions and definitions used in complexity theory, like polynomial time and NP-complete or coNP-complete problems. We also use some necessary notions from counting complexity, like the classes FP or #P, and from approximation theory, which have become widely known in recent years. Therefore we do not recall the definitions of these notions in this document. However, a reader who is not familiar with these concepts can find more information in the book [Pap94] or in the survey [Joh90].
Protocol Analysis Modulo Combination of Theories: A Case Study in Maude-NPA
Abstract

Cited by 1 (0 self)
There is a growing interest in formal methods and tools to analyze cryptographic protocols modulo algebraic properties of their underlying cryptographic functions. It is well-known that an intruder who uses algebraic equivalences of such functions can mount attacks that would be impossible if the cryptographic functions did not satisfy such equivalences. In practice, however, protocols use a collection of well-known functions, whose algebraic properties can naturally be grouped together as a union of theories E1 ∪ ... ∪ En. Reasoning symbolically modulo the algebraic properties E1 ∪ ... ∪ En requires performing (E1 ∪ ... ∪ En)-unification. However, even if a unification algorithm for each individual Ei is available, this requires combining the existing algorithms by methods that are highly nondeterministic and have high computational cost. In this work we present an alternative method to obtain unification algorithms for combined theories based on variant narrowing. Although variant narrowing is less efficient at the level of a single theory Ei, it does not use any costly combination method. Furthermore, it does not require that each Ei has a dedicated unification algorithm in a tool implementation. We illustrate the use of this method in the Maude-NPA tool by means of a well-known protocol requiring the combination of three distinct equational theories.
Implementing a unification algorithm for protocol analysis with XOR
 Institut für Informatik, CAU
, 2006
Abstract

Cited by 1 (0 self)
Many methods and tools for the fully automatic analysis of security protocols are based on a technique called constraint solving (see, e.g., [11,7]), which as a central component involves a unification algorithm. The first methods and tools for the analysis of security protocols assumed the message space to be a free term algebra.
Unification Modulo a 2-Sorted Equational Theory for Cipher-Decipher Block Chaining
 Siva Anantharaman, Christopher Bouchard, Paliath Narendran, and Michaël Rusinowitch
, 2013
Abstract
We investigate unification problems related to the Cipher Block Chaining (CBC) mode of encryption. We first model chaining in terms of a simple, convergent rewrite system over a signature with two disjoint sorts: list and element. By interpreting a particular symbol of this signature suitably, the rewrite system can model several practical situations of interest. An inference procedure is presented for deciding the unification problem modulo this rewrite system. The procedure is modular in the following sense: any given problem is handled by a system of 'list-inferences', and the set of equations thus derived between the element-terms of the problem is then handed over to any ('black-box') procedure which is complete for solving these element-equations. An example of application of this unification procedure is given, as attack detection on a Needham-Schroeder-like protocol employing the CBC encryption mode based on the associative-commutative (AC) operator XOR. The 2-sorted convergent rewrite system is then extended into one that fully captures a block chaining encryption-decryption mode at an abstract level, using no AC-symbols; unification modulo this extended system is also shown to be decidable.
... and Michaël Rusinowitch
, 2013
Vol. 10(1:5) 2014, pp. 1–26, www.lmcs-online.org