A reduced semantics for deciding trace equivalence using constraint systems

Many privacy-type properties of security protocols can be modelled using trace equivalence properties in suitable process algebras. It has been shown that such properties can be decided for interesting classes of finite processes (i.e. without replication) by means of symbolic execution and constraint solving. However, this does not suffice to obtain practical tools. Current prototypes suffer from a classical combinatorial explosion problem caused by the exploration of many interleavings in the behaviour of processes. Modersheim et al. [18] have tackled this problem for reachability properties using partial order reduction techniques. We revisit their work, generalize it and adapt it for equivalence checking. We obtain an optimization in the form of a reduced symbolic semantics that eliminates redundant interleavings on the fly.

[1]  Martín Abadi,et al.  Automated verification of selected equivalences for security protocols , 2005, 20th Annual IEEE Symposium on Logic in Computer Science (LICS' 05).

[2]  Sebastian Mödersheim,et al.  The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications , 2005, CAV.

[3]  Yannick Chevalier,et al.  Decidability of Equivalence of Symbolic Derivations , 2012, Journal of Automated Reasoning.

[4]  Vitaly Shmatikov,et al.  Constraint solving for bounded-process cryptographic protocol analysis , 2001, CCS '01.

[5]  Vincent Cheval,et al.  Deciding equivalence-based properties using constraint solving , 2013, Theor. Comput. Sci..

[6]  Alwen Tiu,et al.  Automating Open Bisimulation Checking for the Spi Calculus , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[7]  P. Cochat,et al.  Et al , 2008, Archives de pediatrie : organe officiel de la Societe francaise de pediatrie.

[8]  Vincent Cheval,et al.  Trace equivalence decision: negative tests and non-determinism , 2011, CCS '11.

[9]  Michaël Rusinowitch,et al.  Protocol insecurity with finite number of sessions is NP-complete , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[10]  Rohit Chadha,et al.  Automated Verification of Equivalence Properties of Cryptographic Protocols , 2012, ACM Trans. Comput. Log..

[11]  Brian Campbell,et al.  Amortised Memory Analysis Using the Depth of Data Structures , 2009, ESOP.

[12]  Sebastian Mödersheim,et al.  Constraint differentiation: Search-space reduction for the constraint-based analysis of security protocols , 2010, J. Comput. Secur..

[13]  Mark Ryan,et al.  Analysing Unlinkability and Anonymity Using the Applied Pi Calculus , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[14]  Bruno Blanchet,et al.  An efficient cryptographic protocol verifier based on prolog rules , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[15]  Donald E. Knuth,et al.  Inhomogeneous sorting , 1979, International Journal of Computer & Information Sciences.

[16]  Cas J. F. Cremers,et al.  The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols , 2008, CAV.

[17]  Mathieu Baudet,et al.  Deciding security of protocols against off-line guessing attacks , 2005, CCS '05.

[18]  Doron A. Peled,et al.  Ten Years of Partial Order Reduction , 1998, CAV.

[19]  Martín Abadi,et al.  Mobile values, new names, and secure communication , 2001, POPL '01.