Recursive Ping-Pong Protocols

This paper introduces a process calculus with recursion which allows us to express an unbounded number of runs of the ping-pong protocols introduced by Dolev and Yao. We study the decidability issues associated with two common approaches to checking security properties, namely reachability analysis and bisimulation checking. Our main result is that our channel-free and memory-less calculus is Turing powerful, assuming that at least three principals are involved. We also investigate the expressive power of the calculus in the case of two participants. Here, our main results are that reachability and, under certain conditions, also strong bisimilarity become decidable.

[1]  Roberto M. Amadio,et al.  On the Reachability Problem in Cryptographic Protocols , 2000, CONCUR.

[2]  Witold Charatonik,et al.  On Name Generation and Set-Based Analysis in the Dolev-Yao Model , 2002, CONCUR.

[3]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[4]  Martín Abadi,et al.  A Bisimulation Method for Cryptographic Protocols , 1998, Nord. J. Comput..

[5]  Roberto Gorrieri,et al.  Non Interference for the Analysis of Cryptographic Protocols , 2000, ICALP.

[6]  Roberto M. Amadio,et al.  On the symbolic reduction of processes with cryptographic functions , 2003, Theor. Comput. Sci..

[7]  J. Richard Büchi Regular canonical systems , 1964 .

[8]  Colin Stirling,et al.  Lokal Model Checking Games , 1995, CONCUR.

[9]  Javier Esparza,et al.  Reachability Analysis of Pushdown Automata: Application to Model-Checking , 1997, CONCUR.

[10]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[11]  Véronique Cortier,et al.  New Decidability Results for Fragments of First-Order Logic and Application to Cryptographic Protocols , 2003, RTA.

[12]  Javier Esparza,et al.  Efficient Algorithms for Model Checking Pushdown Systems , 2000, CAV.

[13]  A. N.A.DurginP.D.LincolnJ.C.Mitchell,et al.  Undecidability of bounded security protocols , 1999 .

[14]  Philipp Gerhardy The Role of Quantifier Alternations in Cut Elimination , 2005, Notre Dame J. Formal Log..

[15]  Glynn Winskel,et al.  Domain theory for concurrency , 2003, Theor. Comput. Sci..

[16]  Géraud Sénizergues,et al.  Decidability of bisimulation equivalence for equational graphs of finite out-degree , 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[17]  Michaël Rusinowitch,et al.  Protocol insecurity with a finite number of sessions, composed keys is NP-complete , 2003, Theor. Comput. Sci..

[18]  Richard M. Karp,et al.  On the Security of Ping-Pong Protocols , 1982, Inf. Control..

[19]  O. Danvy,et al.  An Operational Foundation for Delimited Continuations , 2003 .

[20]  Michele Boreale,et al.  Symbolic Trace Analysis of Cryptographic Protocols , 2001, ICALP.

[21]  Martín Abadi,et al.  Computing symbolic models for verifying cryptographic protocols , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[22]  Andrzej Filinski,et al.  A Denotational Account of Untyped Normalization by Evaluation , 2004, FoSSaCS.