### BibTeX

@MISC{06anundecidability,

author = {},

title = {An Undecidability Result for AGh?},

year = {2006}

}

### Abstract

We present an undecidability result for the verification of security protocols. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties, several recent works relax this assumption, allowing the intruder to exploit these properties. We are interested in the Abelian groups theory in combination with the homomorphism axiom. We show that the security problem for a bounded number of sessions (expressed by satisfiability of symbolic deducibility constraints) is undecidable, obtaining in this way the first undecidability result concerning a theory for which unification is known to be decidable.

1 Introduction

Cryptographic protocols are small programs designed to ensure secure communication via a public channel. Many works have been devoted to the use of formal methods in order to automate the proof of the absence of logical attacks on such protocols (e.g. [7]). The problem of deciding whether a protocol is secure or not is known to be undecidable in general, even under several restrictions [1, 5, 13]. An interesting decidability result has been obtained by Rusinowitch and Turuani [19], under the assumption that the number of sessions (i.e. the number of parallel role instances) is bounded.

In their setting, logical attacks can be characterized by sequences of abstract messages exchanged by honest agents executing the protocol, and by the intruder. Since we consider a bounded number of sessions, there is only a bounded number of symbolic traces. The idea of the algorithm is to guess a symbolic trace in which the messages are represented by terms containing variables. This symbolic trace corresponds to a concrete execution trace if the variables can be instantiated in such a way that, at every moment, a message received by an agent can be deduced by the intruder from the messages seen before. Hence, verifying security of a protocol amounts to a non-deterministic guessing of the symbolic trace plus the resolution of a system of symbolic deducibility constraints.

### Keyphrases

undecidability result, symbolic deducibility constraint, bounded number, symbolic trace, cryptographic primitive, several restriction, formal method, number of parallel role instance, security protocol, perfect cryptography assumption, abelian group theory, non-deterministic guessing, security problem, first undecidability result, logical attack, introduction cryptographic protocol, many work, public channel, visible algebraic property, small program, interesting decidability result, concrete execution trace, secure communication, logical attack on such protocol, homomorphism axiom, several recent work, this symbolic trace