An Algebraic Characterization of Security of Cryptographic Protocols
Authors: Manas K Patra, Yan Zhang
Department of Computing and Mathematics, University of Western Sydney, Locked Bag 1797, Penrith South DC, NSW 1797, Australia

Abstract. Several of the basic cryptographic constructs have associated algebraic structures. Formal models proposed by Dolev and Yao to study the (unconditional) security of public key protocols form a group. The security of some types of protocols can be neatly formulated in this algebraic setting. We investigate classes of two-party protocols. We then consider the extension of the formal algebraic framework to private-key protocols. We also discuss concrete realizations of the formal models. In this case, we propose a definition in terms of pseudo-free groups.

Keywords/Topics: security, public key cryptosystem, free and pseudo-free groups and monoids.

1 Introduction and Background

The present paper explores some algebraic structures inherent in several classes of security protocols. Such structures have been known to exist. For example, the set of possible messages over some alphabet $A$ constitutes a free monoid $A^*$. The encryption and decryption operations must be inverses of each other. If we consider them as mappings $A^* \to A^*$ they form a group. Moreover, many encryption schemes are based on some well-known algebraic structures. The RSA encryption is a bijective map $\mathbb{Z}_n \to \mathbb{Z}_n$, where $\mathbb{Z}_n$ is the ring of integers modulo $n$. So we have, on the one hand, formal models of classes of protocols which carry algebraic structures and, on the other, concrete realizations of these models based on some sets with inherent algebraic structures. One of the basic issues addressed in this paper is the notion of security of protocols in the algebraic setting. In the formal model, where we assume perfect encryption, the security is unconditional.
Hence it can be breached only through a faulty design of the protocol. In the concrete model, however, the encryption is based on the assumption that certain tasks are computationally infeasible. In this case the security can be compromised either by a faulty design or by some hidden relations among the basic operators. Although protocols based on PKC are believed to be secure against passive attacks, an improperly designed protocol may be compromised by an active adversary, as first pointed out by Needham and Schroeder [NS78]. The analysis of all possible such attacks requires some level of abstraction and formalization. Such a formalization was first given in the seminal work of Dolev and Yao [DY82] (referred to as DY). The class of protocols discussed in DY are two-party cascade protocols in which two users exchange messages back and forth. Other notable early works dealing with the formal approach to security include [BAN89,Low96].

An alternative approach to security is the computational approach. Informally, a protocol is considered secure if it is computationally infeasible for the adversary to acquire any useful information [Gol01,AR02]. Proving the security of protocols is more difficult in the computational approach. Starting with the work of [AR02] there has been extensive work to relate the two views of cryptography. In [AR02] the authors first give the formal framework for some cryptographic primitives. In terms of security, their main result roughly translates to the following: if we can show that a protocol, formally an expression, is equivalent to another expression over a fixed string, then the protocol is secure, since it is infeasible for the adversary to distinguish between the actual plaintext and an arbitrary bit string. Thus a formal system is sound if formal indistinguishability (FI) implies computational indistinguishability (CI).
The converse (CI $\Rightarrow$ FI) is called the completeness of the formal system. It has been proved for the Abadi-Rogaway formal system under some extra assumptions [MW04a]. The works [AR02,MW04a] dealt with symmetric (private) key encryption and passive adversaries, and in [MW04b] the authors prove soundness of a formal system similar to [AR02] for public key cryptosystems with active adversaries. The work [MW04b] deals with the issues that are closest to the current work.

In this work we take a fresh look at the DY model. We investigate algebraic structures associated with a class of protocols based on public key cryptosystems. We observe that the model defined by strings of operators can be given the structure of a group, called the Dolev-Yao (DY) group. The main results of this paper are characterizations of the security of protocols in these group structures. Specifically, we show that a set of elements (strings) defining the protocol is insecure if and only if they contain a subgroup. This is strictly true in the abstract setting, when we assume that there are no special relations among the elements: the DY group is free. In a concrete realization there will be some relations among the group elements. We propose extensions of the notion of security in terms of pseudo-free groups rather than free groups. We also consider the extension to private key cryptosystems.

We first review the Dolev-Yao model. One defines the abstract setting of a protocol in terms of some basic operations (encryption, decryption, nonces etc.). These operations form a monoid. Then a protocol is simply a sequence of words, the elements of the monoid. The security of a protocol is defined in terms of these words.
We consider first the simple cascade protocols, where the message texts are encrypted and decrypted directly, without further operations like nonces. In this case the monoid turns out to be a group, and a protocol is insecure if and only if the elements defining it form a subgroup. Next, we consider protocols with nonces (name-stamps, date-stamps etc.). The algebraic characterization is trickier here because some of the operations are undefined in a real implementation. We show that even in this case we can sensibly define a monoid of operations and characterize protocol security in terms of some algebraic condition. We use the algebraic characterizations to prove some general theorems on secure and insecure protocols. We apply these results to some well-known protocols. We also discuss the concrete realization of the cryptosystems and analyze the implication for security in this situation. The problem of security in an arbitrary realization is undecidable, since it can be reduced to the word problem [Rot95]. The final section discusses possible extensions of the definitions and methods.

2 The Dolev-Yao model

In this section we review the essentials of the model proposed by Dolev and Yao. The first assumption is that we do not concern ourselves with the details of the public key cryptographic system. Further, we assume that we have a finite set of symbols $E = \{E_1, E_2, \ldots, E_n\}$ where $n$ is an integer. Informally, $n$ denotes the number of users in the network and $E_i$ represents the public encryption function of the $i$-th user. Similarly we have another set $D = \{D_1, \ldots, D_n\}$ representing the private decryption functions of the users.
For example, if $K_i$ and $K'_i$ are the public and private keys of user $i$ then $E_i(M) = E(M, K_i)$ and $D_i(M) = D(M, K'_i)$, where $E$ and $D$ are the respective encryption and decryption functions and $M$ is the message text. We also add another operator, $I$, the "identity" operator. In general the encryption and decryption schemes need not be the same for all users, but they must satisfy $E_i D_i = D_i E_i = I$. We simply treat them as letters from some alphabet. For each pair of users $(i, j)$ define the sets
$$A_{ij} = \{E_i, E_j, D_i\}.$$
Informally, $A_{ij}$ represents the set of operators available to user $i$ in a two-party exchange between itself and user $j$. A two-party cascade protocol is a finite sequence of strings $\{\alpha_1, \alpha_2, \ldots, \alpha_r\}$ and $\{\beta_1, \beta_2, \ldots, \beta_{r'}\}$ where $\alpha_i \in A_{ij}^*$ and $\beta_i \in A_{ji}^*$, $1 \le i, j \le n$ and $r' = r - 1$ or $r$. Intuitively, users $i$ and $j$ can use any number of layers of encryption and decryption, and thus the set of operations available is included in $E \cup D$. The definition of cascade protocols is a consequence of the following assumptions on the protocols [DY82].

1. It is a perfect public key system. Hence: (a) the functions $E_i$ are strictly one way: they are unbreakable; (b) the public directory is secure: the $E_i$ are fixed once for all; (c) everyone has access to all the encryption functions $E_i$; (d) only user $i$ knows $D_i$.
2. In the two-party protocol only the two parties concerned are involved in the communication; the assistance of a third party is not needed.
3. The protocols are uniform, that is, the same format is used by any pair of legitimate users.
4. Next we model the behavior of the adversary. We assume that the adversary is capable of active attacks. Specifically: (a) the adversary can intercept any message passing through the communication channels; (b) he is a legitimate user and thus can initiate a dialog with other users; (c) he can successfully impersonate another user when necessary.

We assume that the above assumptions are valid for any protocol (not just cascade protocols) unless stated otherwise. Next we describe the formal model for the protocols. Let $x, y$ be variables ranging through the set $J_n \equiv \{0, 1, \ldots, n\}$. A two-party cascade protocol is given by a pair of sequences
$$\{\alpha_1(x,y), \alpha_2(x,y), \ldots, \alpha_r(x,y)\} \quad\text{and}\quad \{\beta_1(x,y), \beta_2(x,y), \ldots, \beta_{r'}(x,y)\} \qquad (1)$$
$$\alpha_i(x,y) \in A_{xy}^* \quad\text{and}\quad \beta_i(x,y) \in A_{yx}^* \qquad (2)$$
Further, define the sequences
$$N_1(x,y) = \alpha_1(x,y), \quad N_2(x,y) = \beta_1(x,y)\,\alpha_1(x,y), \quad N_{2k-1}(x,y) = \alpha_k(x,y)\, N_{2k-2}(x,y), \quad N_{2k}(x,y) = \beta_k(x,y)\, N_{2k-1}(x,y) \qquad (3)$$
The intuition behind this abstract definition is the following. User $x$ initiates the dialog with $y$ by applying $\alpha_1(x,y)$ to the message $M \in \{0,1\}^*$. Then $y$ responds with the application of $\beta_1(x,y)$, $x$ follows with $\alpha_2(x,y)$, and so on. In round $k$ ($k \ge 1$) user $x$ sends the message $N_{2k-1}M$ and in turn receives the message $N_{2k}M$. For example, in the simple protocol discussed later we have $\alpha_1(1,2) = E_2$ and $\beta_1(1,2) = E_1 D_2$. Let $P$ be a two-party cascade protocol. Let $s$ be any user name (the adversary) and
$$\Gamma_1(s) = E \cup \{D_s\}, \quad \Gamma_2 = \{\alpha_i(x,y) \mid \text{for all } x \ne y \text{ and } i \ge 2\}, \quad \Gamma_3 = \{\beta_i(x,y) \mid \text{for all } x \ne y \text{ and } i \ge 1\} \qquad (4)$$
Next we define the security of a protocol.

Definition 1. A protocol $P$ is insecure if there is some string $\lambda \in (\Gamma_1(s) \cup \Gamma_2 \cup \Gamma_3)^*$ such that $\lambda N_k(i,j) = \epsilon$ for some $k$ ($\epsilon$ denotes the empty string).

See [DY82] for the motivation for this definition, which is as follows: if the protocol is insecure then the secret message can eventually be obtained by the adversary.

3 The Dolev-Yao group for cascade protocols

We start this section with some standard algebraic definitions [Rot95].
A semigroup is a set $S$ with a binary operation or product $\circ$ that is associative ($a \circ (b \circ c) = (a \circ b) \circ c$). A monoid is a semigroup $\{S, \circ\}$ with an identity element $e$ ($e \circ a = a \circ e = a$). A group is a monoid $M$ such that every $a \in M$ has an inverse $a^{-1}$ ($a \circ a^{-1} = a^{-1} \circ a = e$). Below we suppress the symbol $\circ$ for the product. We have seen above that for cascade protocols the available operators are from $E \cup D$. The set $E^*$ (the Kleene closure of $E$) is the set of words, including the empty word, formed from the alphabet $E$. Now consider the free group generated by the set $E$ [MKS76]. We recall the free group construction. Let $A$ be a set (the alphabet). Let $A^{-1}$ be another set, disjoint from $A$, such that there is a bijective correspondence $a \leftrightarrow a^{-1}$ between the two. We write $A^{-1} = \{a^{-1} \mid a \in A\}$. Let $\epsilon$ be the empty string. Then we define a product on the set $S_A \equiv (A \cup A^{-1})^*$ by concatenation ($\sigma \cdot \mu = \sigma\mu$) along with the relations $aa^{-1} = a^{-1}a = \epsilon$. That is, we replace $aa^{-1}$ and $a^{-1}a$ by $\epsilon$ in any string. More formally, define an equivalence relation $\sim$ between two strings $\sigma$ and $\mu$ as follows: $\sigma \sim \mu$ if $\mu$ can be obtained from $\sigma$ by insertion or deletion of strings of the form $aa^{-1}$, $a^{-1}a$ and $\epsilon$. Then the set $F(A) = S_A/\!\sim$, the set of equivalence classes, is a group. For details see [MKS76]. For convenience, we continue to write the members of $F(A)$ as elements of $S_A$ rather than as equivalence classes. For a free monoid we have only the set $A$ and the relation $\epsilon$. The essential property of a free group or monoid $F(A)$ over the set $A$ is that any mapping of the set $A$ into a group $G$ can be uniquely extended to a group homomorphism (see [MKS76] for details). Recall that a homomorphism between two monoids is a mapping that preserves the identity and products.
A homomorphism between two groups is a homomorphism of the underlying monoids that preserves inverses. A submonoid $A$ of a monoid $M$ is a subset containing the identity that is closed under products. We call $F(E)$ the DY group. Further, we use $D_i$ and $E_i^{-1}$ interchangeably. A concrete realization of the DY group is given by the action of the encryption and decryption operators on $\{0,1\}^*$, the set of binary strings. Thus, if $K_i$ and $P_i$ are $i$'s public and private key respectively, then $E_i(m) = E(m, K_i)$ and $D_i(m) = D(m, P_i)$. We note that a concrete realization of a free group may result in more relations. For example, for a commutative group we have the relations $ab \sim ba$. We further mention that a particular realization of the DY group in the RSA encryption scheme is distinct from the RSA group [Riv04]. In general, the latter is commutative while the former is not.

Let us consider an example discussed in [DY82]. User $i$ sends $j$ a message $(i, E_j(m), j)$ and then $j$ sends back the message $(j, E_i(m), i)$. This protocol is very easily broken. The adversary, henceforth denoted by $s$, intercepts the first message from $i$ and sends it to $j$. Then $j$ sends the message $(j, E_s(m), s)$. The adversary decrypts the message using $D_s$. It is easy to verify that in this case the monoid generated by the sets $\Gamma_1 = \{D_s\}$ and $\Gamma_2 = \{E_s D_j E_j\}$ is a subgroup of DY. We will see that this is a general phenomenon for insecure protocols.

3.1 An algebraic characterization of security

In this section we come to the main theme of this work. Dolev and Yao gave a characterization of the secure cascade protocols in terms of properties of the strings $\alpha_i(x,y)$ and $\beta_j(x,y)$. We prove an equivalent characterization in the algebraic setting of the DY group. We can then deduce their characterization.
In the following, the word generate will always refer to the multiplicative set (a monoid).

Theorem 1. Let $P$ be a two-party cascade protocol. Assume that the parties involved have names 1 and 2 and the adversary is $s$. Then, with the notation as above, $P$ is insecure if and only if there is a set $T \subseteq \{E_1, E_2, E_s, D_s\} \subset \Gamma_1(s)$ such that one of the following conditions holds.
1. The set $\{\alpha_1(x,y)\} \cup T$ generates a subgroup of DY multiplicatively.
2. The set $T \cup \Gamma_2(x,y) \cup \Gamma_3(x,y)$, $x, y \in \{1, 2, s\}$, generates a nontrivial subgroup of DY,
where $\Gamma_j(x,y)$ denotes the set $\Gamma_j$ with specific users $x$ and $y$.

Proof. Let us first note that the first condition takes care of a rather trivial situation. It can only come about if the user $x$ initiates the conversation by sending the message without any encryption, or if she applies her own decryption operator! In any case, it is clear that the protocol is insecure. Next, suppose the second condition holds. Then the set $T \cup \Gamma_2(x,y) \cup \Gamma_3(x,y)$ generates a subgroup $S$. In particular, $E_1^{-1}, E_2^{-1} \in S$. Hence there is a string $\lambda \in S$ such that $\lambda N_i = \epsilon$, since the latter is the identity element of the group. It follows from Definition 1 that the protocol is insecure. This proves the sufficiency of the condition.

To prove the necessity of the condition, assume that the protocol is insecure. Then there is some string $\lambda$ such that $\lambda N_i = \epsilon$, $i \ge 1$. First, suppose that $i = 1$ and $N_1 = \alpha_1$ does not contain $E_1$ or $E_2$. Then we must have $\alpha_1 = \epsilon$ or $D_x^k$ for some integer $k$. In the first case we obtain the trivial subgroup by choosing $T$ to be the empty set, and in the second case we choose $T = \{E_1\}$. In either case the first condition of the theorem is satisfied. Now let $N_i$, $i \ge 1$, satisfy the above equation. Suppose $i = 2j$ is even (the proof for the odd case is similar).
Then
$$N_{2j}(1,2) = \big(\beta_j(1,2)\,\alpha_j(1,2) \cdots \alpha_2(1,2)\,\beta_1(1,2)\big)\,\alpha_1(1,2) \equiv \phi_j(1,2)\,\alpha_1(1,2)$$
and
$$\lambda = \alpha_1^{-1}(1,2)\,\phi_j^{-1}(1,2).$$
By assumption, $\lambda \in (\Gamma_1(s) \cup \Gamma_2(x,y) \cup \Gamma_3(x,y))^* \equiv H$. Let $H' = H \cup \{\alpha_1(1,2)\}$. Clearly we may restrict to the set $\{1, 2, s\}$ of users. Observe first that any $N_i(x,y)$ is of the form $E_x^{i_1} E_y^{j_1} E_x^{i_2} E_y^{j_2} \cdots E_x^{i_m} E_y^{j_m}$ where the $i_r$ and $j_r$ are integers. Recall that we identify $E_x^{-1} = D_x$. Suppose that all the exponents of $E_1$ and $E_2$ in the expansion of $N_{2j}(1,2)$ are non-negative. We may assume that at least one of them, say that of $E_1$, is positive (otherwise there is nothing to prove). Then by successive application of $E_1$ or $E_2$ we conclude that $E_1^{-1}$ is in $H$. From the definition of the sets $\Gamma_2$ and $\Gamma_3$ we can interchange the roles of $E_1$ and $E_2$, and we conclude that $E_2^{-1}$ is also a member of $H$. Choose $T = \{E_s, E_1, E_2, D_s\}$. Then $T \cup \Gamma_2(1,2) \cup \Gamma_3(1,2)$ generates a subgroup. Hence we may assume that $N_{2j}(1,2)$ contains negative powers of $E_i$, $i = 1, 2$. In any case we have $N_{2j}(1,2) = \phi_j(1,2)\,\alpha_1(1,2)$ and $\lambda = \alpha_1^{-1}(1,2)\,\phi_j^{-1}(1,2)$. As $\phi_j(1,2) \in H$ we conclude that $\alpha_1^{-1} \in H$. Let
$$\alpha_1^{-1} = E_1^{-i_1} E_2^{-j_1} E_1^{-i_2} E_2^{-j_2} \cdots E_1^{-i_m} E_2^{-j_m} \in H$$
where the $i_k, j_k$ are integers. We recall that $\alpha_1$ may contain only $E_1$, $E_2$ or $D_1$. Thus no $j_k$ can be negative. We have assumed that not all of them are zero, for otherwise we are back to the first condition. Therefore we may write
$$\alpha_1^{-1} = E_1^{i_1} D_2^{j_1} E_1^{i_2} D_2^{j_2} \cdots E_1^{i_m} D_2^{j_m}.$$
We assume that none of the exponents in the middle (that is, $j_1, i_2, \ldots, i_m$) are zero and consider several cases.
As $\alpha_1^{-1}$ belongs to the set $H$, it must be of the form
$$\alpha_1^{-1}(1,2) = \alpha^{(a^1_1,\ldots,a^1_k)}(1,2)\,\beta^{(b^1_1,\ldots,b^1_s)}(1,2)\,E_1^{c_1} E_2^{d_1}\,\alpha^{(a^2_1,\ldots,a^2_k)}(1,2)\,\beta^{(b^2_1,\ldots,b^2_s)}(1,2)\,E_1^{c_2} E_2^{d_2} \cdots$$
where $\alpha^{(a^1_1,\ldots,a^1_k)}(1,2) \equiv \alpha_2^{a^1_1}(1,2) \cdots \alpha_{k+1}^{a^1_k}(1,2)$ and $\beta^{(b^1_1,\ldots,b^1_s)}(1,2) \equiv \beta_1^{b^1_1}(1,2) \cdots \beta_l^{b^1_s}(1,2)$, etc. Now, the set $H$ contains $\alpha_i(x,y)$, $i \ge 2$, and $\beta_j(x,y)$ for all $x \ne y$, and all $E_i$. Hence we may replace $\alpha_i(1,2)$ with $\alpha_i(s,2)$, $\beta_j(1,2)$ with $\beta_j(s,2)$ and $E_1$ with $E_s$. This substitution replaces all $E_1$ and $D_1$ by $E_s$ and $D_s$ respectively. Now we may apply $E_s$, $D_s$ and $E_2$ in an appropriate order to obtain $D_2$ in $H$. We next consider $\alpha_1^{-1}(2,1)$ and, arguing as above, we conclude that $D_1 \in H$ and that the semigroup generated by $H$ is a subgroup. We note that in the case of insecure protocols the subgroup generated by $H$ is the full group generated by the encryption operators $\{E_1, E_2, E_s\}$ of the three parties concerned: the initiator, the intended receiver and the adversary.

The theorem gives an abstract algebraic characterization of security. For practical purposes we would want a syntactic characterization in terms of the strings of operators. For this we start with a definition.

Definition 2. Let $S = E_{j_1}^{i_1} E_{j_2}^{i_2} \cdots E_{j_k}^{i_k}$ be a string in reduced form, with $i_1, \ldots, i_k$ integers and $j_1, \ldots, j_k \in \{1, \ldots, n\}$. For an integer $r$ in the set $\{1, \ldots, n\}$ define the $r$-index of $S$ to be the sequence of integers $(r(1), r(2), \ldots, r(m))$ which appear as nonzero exponents of $E_r$ in $S$. We say that the $r$-index of $S$ is negative if the largest integer in the sequence is negative.

If the $r$-index of a string $S$ is negative then all the exponents of $E_r$ (there must be at least one) are negative. That is, only $D_r$ appears in $S$.
Such strings are unbalanced in the sense of [DY82]. Let us also say that the $r$-index is zero if no power of $E_r$ appears in the string. Now we can state the second characterization of insecure protocols.

Theorem 2. Let $P$ be a two-party cascade protocol. Assume that the legitimate parties have names 1 and 2 and that the former initiates the conversation. Then $P$ is insecure if and only if one of the following holds:
1. The 2-index of $\alpha_1(1,2)$ is zero and the 1-index of $\alpha_1(1,2)$ is zero or negative.
2. There exists some $\alpha_i$, $i \ge 2$, whose 1-index is negative.
3. There exists some $\beta_i$, $i \ge 1$, whose 2-index is negative.

Proof. Sufficiency. If the first condition above is satisfied then it is easy to see that the first condition in Theorem 1 holds. Suppose now that the second or the third condition holds. We can use arguments similar to those in the previous theorem to show that $E_1$ and $E_2$ are in $S$, the semigroup generated by $H = \Gamma_1(s) \cup \Gamma_2(x,y) \cup \Gamma_3(x,y)$, $x, y \in \{1, 2, s\}$.

Necessity. The proof of necessity is rather long; we only outline the steps. Suppose $P$ is insecure. From Theorem 1 we infer that either the first condition holds or $S$ is a subgroup. If the first condition holds then clearly the 2-index of $\alpha_1(1,2)$ is zero and the 1-index of $\alpha_1(1,2)$ must be zero or negative. We may thus assume that $S$ is a subgroup. Then $E_1^{-1} \in S$. Write $E_1^{-1}$ as a product of $\alpha_i(x,y)$, $i \ge 2$, $\beta_i(x,y)$, $i \ge 1$, and the $E_i$'s. We use induction on the length $l$ of such a product. The case $l = 1$ is clear. Let $l = k$. That is, $E_1^{-1} = \gamma\Phi$ where $\gamma \in H$ and $\Phi$ is in $S$. By assumption, none of the factors in $\Phi$ have negative $r$-index for $r \in \{1, 2, s\}$. Now $\alpha_k(i,j)$ (resp. $\beta_k(i,j)$) cannot have negative $j$-index (resp. $i$-index). Next one shows that if $\gamma_1, \gamma_2 \in H$ have nonnegative $r$-index ($r = 1, 2$) then their product $\gamma_1\gamma_2$ also has nonnegative $r$-index.
This is straightforward but lengthy. By assumption each of the generators of $S$ has nonnegative $r$-index, $r \in \{1, 2\}$. Hence, as $\gamma$ and $\Phi$ have positive $r$-index for $r = 1, 2$, so does $\gamma\Phi$, a contradiction.

The theorem yields the following corollary for a concrete realization of the cryptosystem. We recall that there may be extra relations among the generators in any such realization. Let these relations be given by the set $R \subset F(E)$, where we set any $x \in R$ equal to $\epsilon$. Two strings in $F(E)$ are equivalent if they can be reduced to each other by insertion or deletion of elements of $R$. Then we have

Corollary 1. A concrete realization of a two-party protocol is insecure if and only if each string in the equivalence classes of $\alpha_i$, $i > 1$, and $\beta_j$, $j \ge 1$, has nonnegative 1- and 2-index.

3.2 Algebraic characterization of security of general protocols

In this section we consider protocols with nonces (e.g. name-stamps). In the cascade protocols the structure of the plaintext message itself played no role in the protocol. A name-stamp protocol uses the structure of the message to improve security. We use the notation introduced above. Now each user has more operations available. We have first the nonce operation $A_x$ for user $x$: $A_x(M) = Mx$. We also have the partial inverse $\delta_x$, the deletion operator, that is, $\delta_x A_x(M) = M$. The problem is that it only makes sense to apply $\delta_x$ immediately after $A_x$ (after reduction in the $E_i$'s and $D_i$'s). In fact, in [DY82] and other treatments [DEK82,EG83] the application of $\delta_x$ is undefined in all other cases. However, for the algebraic structures we require that all products be well-defined. Let $O_x = \{E_y, D_x, A_y, \delta_y \mid y \text{ any user}\}$ be the set of operators available to user $x$. Let $\mathcal{A}$ be the set of operators $A_x$ and $\Delta$ the set of $\delta_x$'s. We postulate the following relations:
$$E_x D_x = D_x E_x = \epsilon \quad\text{and}\quad \delta_x A_x = \epsilon.$$
Note that in this case we no longer have a group, since $A_x \delta_x \ne \epsilon$.

Definition 3. A two-party name-stamp protocol is given by the following sequences of strings:
$$\alpha_i(x,y) \in (\{E_x, E_y, D_x\} \cup \mathcal{A} \cup \Delta)^*, \qquad \beta_i(x,y) \in (\{E_x, E_y, D_y\} \cup \mathcal{A} \cup \Delta)^*.$$
We will assume that the protocol is well-defined, that is, there are no illegal applications of $\delta_x$. Let $O = \bigcup_x O_x$ be the set of operators of all users. Let $G_O$ be the free monoid generated by $O$. We identify $E_x^{-1}$ with $D_x$. We define $N_0(x,y) = \epsilon$, $N_1(x,y) = \alpha_1(x,y)$, $N_2(x,y) = \beta_1(x,y)\,\alpha_1(x,y)$, $\ldots$, $N_{2j-1}(x,y) = \alpha_j(x,y)\,N_{2j-2}(x,y)$ and $N_{2j}(x,y) = \beta_j(x,y)\,N_{2j-1}(x,y)$ as before. We define a protocol to be insecure if there is a string $\gamma \in (\Gamma'_1 \cup \Gamma'_2 \cup \Gamma'_3)^*$ such that $\gamma N_i(x,y) = \epsilon$ for some $i \ge 1$, where
$$\Gamma'_1(s) = \{E_x, E_s, D_s, A_x, \delta_x \mid x \in \{a, b, s\}\}, \quad \Gamma'_2 = \{\alpha_i(x,y) \mid x, y \in \{a, b, s\} \text{ and } i \ge 2\}, \quad \Gamma'_3 = \{\beta_i(x,y) \mid x, y \in \{a, b, s\} \text{ and } i \ge 1\}.$$
The motivation for the above definition of insecurity is similar to the case of cascade protocols. Excluding the trivial case (when the initiator $a$ sends the first string without encryption!) we state the algebraic characterization of security of these general protocols.

Theorem 3. A name-stamp protocol is insecure if and only if $(\Gamma'_1 \cup \Gamma'_2 \cup \Gamma'_3)^*$ contains the subgroup of $G_O$ freely generated by $\{E_a, E_b, E_s\}$.

Proof. (Sketch) We observe first that, as in Theorem 1, the condition for insecurity is equivalent to requiring that the string $\alpha_1(a,b)$ has an inverse. Clearly the condition is sufficient, since we can generate $D_a = E_a^{-1}$ and $D_b = E_b^{-1}$ and hence the inverse of any string. The necessity of the condition can be proved using arguments similar to those of Theorem 1.
We write $\alpha_1(a,b)^{-1}$ as a product of elements from $\Gamma'_1 \cup \Gamma'_2 \cup \Gamma'_3$. Then by appropriate changes $a \to s$ or $b \to s$ we can obtain $D_a$ and $D_b$.

The theorem implies, in particular, that for an insecure protocol the empty string $\epsilon$ is in $(\Gamma'_1 \cup \Gamma'_2 \cup \Gamma'_3)^+$, where for any set of strings $S$, $S^+ = S^* - \{\epsilon\}$. The security of a two-party ping-pong protocol is therefore equivalent to a decision problem for a regular language: is the empty string a member of the language? For our case the problem is tractable. It is fairly straightforward to write an algorithm for the decision problem for the language $(\Gamma'_1 \cup \Gamma'_2 \cup \Gamma'_3)^+$ whose time complexity is bounded by a polynomial in the length of the protocol. An efficient algorithm is given in [DEK82]. Let us consider some special protocols.

Proposition 1. Let a protocol $P$ be given by the following strings: $\alpha_1$, $\beta_1 = \gamma_1 \alpha_1^{-1}$, $\alpha_2 = \mu_2 \gamma_1^{-1}$, $\beta_2 = \gamma_2 \mu_2^{-1}$, $\cdots$ such that $\alpha_1$, the $\gamma_i$ and the $\mu_i$ have nonnegative 1- and 2-index, are not empty, do not contain any $\delta_x$, and have as their left-most symbol an appropriate name-stamp $A_x$. Here $\sigma^{-1}$ denotes the left inverse of $\sigma$. Then $P$ is secure.

Proof. (Sketch) Suppose $P$ is insecure. Then there exist $v_1, v_2, \ldots, v_k \in (\Gamma'_1 \cup \Gamma'_2 \cup \Gamma'_3)$ such that $D_1 = v_1 \cdots v_k$. Then one of the $v_i$'s must be some $\alpha_i = \mu_i \gamma_{i-1}^{-1}$. But the right-most symbol of $\gamma_{i-1}^{-1}$ is a $\delta_x$. Hence it must cancel. In fact, all the inverses must cancel. We are left with the strings $\gamma_i$ and $\mu_j$. But these have nonnegative 1-index, and from the previous section one cannot obtain $D_1$ with these generators.

We can similarly show that if in some protocol $P$ we have some $\alpha_i(1,2)$, $i > 1$ (resp. $\beta_j(1,2)$, $j \ge 1$) such that the substrings on the left and right of the left-most $\delta_2$ (resp. $\delta_1$) both have negative 1-index (resp. 2-index), then the protocol is insecure.
We only have to consider $\alpha_i(1,s)$ and cancel the appropriate symbols using $D_s$, $A_s$ and $E_1$.

3.3 Examples, Extensions, and Concrete Realizations

Consider now a simplified variant of the Needham-Schroeder authentication protocol [Low96]. We have $\alpha_1(1,2) = E_2 A_1$, $\beta(1,2) = E_1 \delta_2 D_2$ and $\alpha_2(1,2) = E_2 D_1$. In detail, user 1 stamps its nonce onto the message and sends the string to 2 encrypted under the latter's public key encryption $E_2$. User 2 then decrypts the message and sends it back to 1 under 1's public encryption $E_1$; user 1 decrypts the message and sends it to 2 after encryption. We see at once that the protocol is insecure, because $\alpha_2(1,2) = E_2 D_1$ has negative 1-index. We observe that the reason it is insecure is that there is no nonce in stage 2. Hence, if we modify the protocol [Low96] to $\alpha_1(1,2) = E_2 A_1$, $\beta'(1,2) = E_1 A_2 \delta_1 D_2$ and $\alpha'_2(1,2) = E_2 \delta_2 D_1$, it follows from the above proposition that the protocol is secure. On the other hand, the following protocol [DY82] is insecure: $\alpha_1(1,2) = E_2 A_1 E_2$, $\beta_1(1,2) = E_1 A_2 D_2 \delta_1 D_2$, since in $\beta_1(1,2)$ the substrings to the left and right of $\delta_1$ both have negative 2-index. We therefore observe that with the use of the above propositions we can eliminate large classes of protocols as insecure. Although we do not have a necessary and sufficient criterion for security (as we do in the case of ping-pong protocols), we can write efficient algorithms to verify security. These are essentially rewriting algorithms in groups [Sim94].

We have investigated the algebraic structures arising from protocols based on public or asymmetric key cryptosystems. Can we extend this to private or symmetric key cryptography? In the case of two-party protocols the answer is yes. If users 1 and 2 share a private key then we set $E_1 = E_2$ and remove $E_1$ from the adversary's set of operations $\Gamma$ (see the previous section).
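As an added worked example (not code from the paper), the following Python checker implements the syntactic criterion of Theorem 2 for cascade protocols together with the $\delta$-split condition stated at the end of Section 3.2, and runs them on the protocols discussed in Section 3 and in this subsection. It assumes the reduction relations of Section 3.2 ($E_xD_x = D_xE_x = \epsilon$, $\delta_xA_x = \epsilon$) and, when a string contains no $\delta$ at all, applies the split condition to the whole string, which is how $\alpha_2(1,2) = E_2D_1$ is handled above; the operator spellings `E2`, `D1`, `A1`, `d2` are this example's own encoding.

```python
# Added worked example (not code from the paper): Theorem 2 for cascade
# protocols and the delta-split rule of Section 3.2, applied to the protocols
# the paper discusses.  Operators are written E2, D1, A1 (name-stamp) and
# d2 (the deletion operator delta_2); this encoding is our own assumption.
from typing import List, Optional, Tuple

Op = Tuple[str, int]  # ('E', 2) is E_2, ('D', 1) is D_1, ('A', 1) is A_1, ('d', 2) is delta_2


def parse(word: str) -> List[Op]:
    """Parse a whitespace-separated operator word such as 'E1 A2 D2 d1 D2'.

    The empty word (epsilon) is the empty string."""
    ops: List[Op] = []
    for tok in word.split():
        kind, user = tok[0], tok[1:]
        if kind not in "EDAd" or not user.isdigit():
            raise ValueError(f"unknown operator {tok!r}")
        ops.append((kind, int(user)))
    return ops


def reduce_word(ops: List[Op]) -> List[Op]:
    """Normal form under E_x D_x = D_x E_x = eps and delta_x A_x = eps.

    Operators compose right to left, so the adjacent pair (delta_x, A_x)
    cancels while (A_x, delta_x) does not: the monoid of Section 3.2 is not
    a group.  A left-to-right stack gives the normal form because every
    relation is a two-letter cancellation."""
    stack: List[Op] = []
    for op in ops:
        if stack and stack[-1][1] == op[1]:
            prev_kind = stack[-1][0]
            if {prev_kind, op[0]} == {"E", "D"} or (prev_kind, op[0]) == ("d", "A"):
                stack.pop()
                continue
        stack.append(op)
    return stack


def r_index(ops: List[Op], r: int) -> List[int]:
    """The r-index of Definition 2: the non-zero exponents of E_r in the
    reduced word, reading D_r as E_r^{-1}; other letters only separate runs."""
    idx: List[int] = []
    in_run = False
    for kind, user in reduce_word(ops):
        if kind in "ED" and user == r:
            e = 1 if kind == "E" else -1
            if in_run:
                idx[-1] += e
            else:
                idx.append(e)
            in_run = True
        else:
            in_run = False
    return idx


def negative_index(ops: List[Op], r: int) -> bool:
    """Definition 2: the r-index is negative if its largest entry is negative."""
    idx = r_index(ops, r)
    return bool(idx) and max(idx) < 0


def cascade_insecure(alphas: List[str], betas: List[str]) -> Optional[str]:
    """Theorem 2 for a cascade protocol between users 1 (initiator) and 2.

    alphas[0] is alpha_1(1,2).  Returns the violated condition, or None when
    none of the three conditions holds (the protocol is then secure)."""
    a1 = parse(alphas[0])
    if not r_index(a1, 2) and (not r_index(a1, 1) or negative_index(a1, 1)):
        return "condition 1: alpha_1 has zero 2-index and zero or negative 1-index"
    for i, a in enumerate(alphas[1:], start=2):
        if negative_index(parse(a), 1):
            return f"condition 2: alpha_{i} has negative 1-index"
    for j, b in enumerate(betas, start=1):
        if negative_index(parse(b), 2):
            return f"condition 3: beta_{j} has negative 2-index"
    return None


def delta_split_fires(word: str, role: str) -> bool:
    """Sufficient condition for insecurity of name-stamp protocols (end of
    Section 3.2): for alpha_i (i > 1) split at the leftmost delta_2 and test
    the 1-index of both parts; for beta_j split at the leftmost delta_1 and
    test the 2-index.  With no delta present the whole string is the single
    part (our reading of how Section 3.3 treats alpha_2(1,2) = E_2 D_1)."""
    ops = parse(word)
    other, r = (2, 1) if role == "alpha" else (1, 2)
    cut = next((k for k, op in enumerate(ops) if op == ("d", other)), None)
    parts = [ops] if cut is None else [ops[:cut], ops[cut + 1:]]
    return all(negative_index(p, r) for p in parts)


if __name__ == "__main__":
    # Section 3: 1 sends E_2 M, 2 answers with E_1 D_2 -> insecure (condition 3).
    print(cascade_insecure(["E2"], ["E1 D2"]))
    print(cascade_insecure(["E2"], ["E1"]))             # None: secure
    # Section 3.3: simplified Needham-Schroeder, its repaired version, and the
    # insecure name-stamp protocol of [DY82].
    print(delta_split_fires("E2 D1", "alpha"))          # True
    print(delta_split_fires("E2 d2 D1", "alpha"))       # False
    print(delta_split_fires("E1 A2 d1 D2", "beta"))     # False
    print(delta_split_fires("E1 A2 D2 d1 D2", "beta"))  # True
```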
The securit y of the proto cols is defined as ab ov e. A (concrete) r e alization of an abstract proto co l is a map φ : G O → G which is monoid homomo rphism. Here G O is the free monoid o n the set O of op- erations av ailable to all us ers and G is some mono id. An y ma p from O to G can b e uniquely extended to a homomorphism φ : G O → G . In gene r al, G will satisfy some extra relations. F or ex ample, if G is finite then for a ny x ∈ G, x | G | = e Then, the security criteria of Theorem 3 is inadequate since any subset of G will g e ne r ate nontrivial subgroups. An example is the cyclic subgroup { E 1 , E 2 1 , . . . , E | G | 1 = e } . Hence, we m us t mo dify the security condition. Our prop osal is to r equire the relev ant gro ups b e only pseudo-fr e e [Riv04,Mic05] instead o f free. Informally , a group G is pseudo -free if any p olyno mial time pr ob- abilistic algorithm designed to find relations in G that are no t satisfied in a free group will succeed with only neglig ible probability . Let P be a tw o-par ty proto- col and let Γ be the set of op erator s (in reduced form) av ailable to a n adversary as in the preceding sections . Then φ ( Γ ) may contain non-trivial gr oups. Suppo se all these gro ups are pseudo-free. Then any specia l relations that the a dversary may try to explo it can only be found with negligible probability by any feasi- ble algorithm. W e note that the securit y o f a pr o to col ma y be compr omised in t wo w ays. First, the adversary may br eak the cryptosystem itself, fo r example, by finding an efficient alg orithm to factorize in tege r s in RSA-based cryptosys- tem. The s e cond w ay is to exploit some w e akness in the proto co l itself as in the Needham-Schroeder pr oto col. Bo th case s are cov ered by the following definition. Definition 4 A pr oto c ol P is inse cur e if and only if one of t he fol lowing holds. 1. 
In the free group Γ, the set of operations available to the adversary generates a nontrivial subgroup.
2. The maximal subgroup contained in the monoid generated by $\Gamma'_1 \cup \Gamma'_2 \cup \Gamma'_3$ in a family of concrete realizations of the encryption and decryption operators is not pseudo-free.

If the basic public key cryptosystem is RSA then in general the encryption operators $E_i$ are based on different moduli and the messages may have to be split into blocks of appropriate size before each encryption. The operators $E_i$ are quite complicated and form a non-abelian group. In the ElGamal encryption scheme [ElG85] the encryption operator is a map $E_a : \mathbb{Z}_p^* \to \mathbb{Z}_p^*$ where $E_a(m) = m\, g^{x_a k}$. All operations are modulo $p$, $g$ is a primitive generator of $\mathbb{Z}_p^*$, and $g$ and $g^{x_a}$ are publicly known. The number $k$ is randomly chosen by $b$ and $g^k$ is publicly known. The adversary does not know $k$ or $x_a$ and hence does not know $E_a$. This is similar to the case of a private key cryptosystem, since we have to remove $E_a$ from the set of operations available to the adversary. If all users use the same $p$ the group is abelian. However, if they choose different primes the messages have to be blocked, and the resulting realization of the DY group is non-abelian in general.

4 Discussion

In this work we presented an algebraic characterization of security of public key protocols. We may question the advantages of the algebraic characterization. First, there are theoretical advantages. We have at our disposal powerful techniques of group theory. To prove some fact in the setting of free groups we can define a homomorphism from the free group to another (not necessarily free) group which has a simpler structure. For example, in Theorem 2 we defined the notion of $r$-index and stated that it is positive for the product of two strings whose $r$-index is positive.
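As an added example (Python written for this page, not the authors' code) of both the concrete realization of Section 3.3 and the homomorphism technique just mentioned: a map from operator symbols to functions on $\mathbb{Z}_n$ or $\mathbb{Z}_p^*$ is extended to the homomorphism $\phi$ on words, and the image is searched for relations that a free group does not satisfy. With toy RSA parameters ($n = 3233 = 61 \cdot 53$, $e = 17$, chosen so the computation is quick, not for security) the encryption map has order 12 as a permutation of $\mathbb{Z}_n$, so the word $E_1^{12}$ realizes to the identity, the cyclic subgroup named above; and ElGamal encryptions under one shared prime commute, as the text states. The parameter values and function names are assumptions of this example.

```python
"""Concrete realization phi of operator words as maps on Z_n / Z_p^*, and
two relations that hold in the image but not in a free group or monoid.
Added example with constructed toy parameters."""
from math import lcm

def realize(word, concrete):
    """Extend the symbol -> function map `concrete` to the monoid
    homomorphism phi on words; phi(word) composes right to left."""
    def phi(x):
        for sym in reversed(word):
            x = concrete[sym](x)
        return x
    return phi

def rsa_permutation_order(n, e):
    """Order of E: x -> x^e mod n as a permutation of Z_n, computed as the
    lcm of its cycle lengths. It is finite, so E^order = identity: the
    cyclic relation {E, E^2, ..., E^order = e} that the free group lacks."""
    visited = [False] * n
    order = 1
    for start in range(n):
        if visited[start]:
            continue
        length, x = 0, start
        while not visited[x]:
            visited[x] = True
            x = pow(x, e, n)
            length += 1
        order = lcm(order, length)
    return order

def elgamal_encryptor(p, g, x, k):
    """E_a(m) = m * g^{x k} mod p for secret x and the sender's ephemeral k."""
    mask = pow(g, x * k, p)
    return lambda m: (m * mask) % p

def elgamal_commutes(p, g, users):
    """All users share the prime p: check E_a E_b = E_b E_a on all of Z_p^*.
    `users` is a list of (x, k) pairs, one per encryption operator."""
    encs = [elgamal_encryptor(p, g, x, k) for x, k in users]
    return all(a(b(m)) == b(a(m))
               for a in encs for b in encs for m in range(1, p))

# Constructed toy parameters (far too small to be secure).
TOY_N, TOY_E = 3233, 17          # n = 61 * 53, lambda(n) = 780
TOY_P, TOY_G = 23, 5             # 5 generates Z_23^*

def demo():
    """Return (order of E_1, whether phi(E_1^order) is the identity on Z_n)."""
    k = rsa_permutation_order(TOY_N, TOY_E)
    concrete = {("E", 1): lambda x: pow(x, TOY_E, TOY_N)}
    phi = realize((("E", 1),) * k, concrete)       # the word E_1^k
    return k, all(phi(x) == x for x in range(TOY_N))

if __name__ == "__main__":
    print(demo())                                               # (12, True)
    print(elgamal_commutes(TOY_P, TOY_G, [(3, 7), (6, 11)]))    # True
```

The relation $E_1^{12} = e$ is found here by brute force only because $n$ is tiny; the pseudo-free requirement in Definition 4 says that for parameters of realistic size no feasible algorithm finds such a relation except with negligible probability, which is what makes condition 1 of the definition meaningful for a concrete cryptosystem.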
The proof is given by induction and a tedious case by case consideration of the structure of the two strings. It is possible to give a group theoretic proof by defining a homomorphism to another group via some defining relations. Secondly, there are practical advantages too. Often, computations and rewriting in groups are simpler and we have at our disposal several computational tools [Sim94]. This work is an attempt to give a new, algebraic perspective on security and there is still a lot of ground to be covered. Can we extend the formal algebraic characterization to other protocols? An essential requirement for group structure is that all the operations be invertible. For example, we could also include operations like pairing. We then just have the structure of a monoid, as in the case of name-stamp protocols, and we have seen that these can be dealt with in an algebraic setting. We aim to deal with these issues in the future.

References

AR02. M. Abadi and P. Rogaway. Reconciling two views of cryptography. J. of Cryptology, 15(2):103–127, 2002.
BAN89. M. Burrows, M. Abadi, and R. Needham. A logic of authentication. Proc. Royal Soc. Lond. A, 426:233–271, 1989.
DEK82. D. Dolev, S. Even, and R. M. Karp. On the security of ping-pong protocols. Inform. and Control, 55:57–68, 1982.
DY82. D. Dolev and A. C. Yao. On the security of public key protocols. IEEE Trans. Inform. Theory, IT-30(2):198–206, 1982.
EG83. S. Even and O. Goldreich. On the security of multiparty ping-pong protocols. Research Report TR-04-02, Comp. Sc. Dept., Technion, Haifa, 1983.
ElG85. T. ElGamal. A public key encryption and signature scheme based on discrete logarithm. In Proc. of Crypto 84, LNCS 196, pages 10–18. Springer, 1985.
Gol01. O. Goldreich. Foundations of cryptography: basic tools. Cambridge University Press, 2001.
Low96. G. Lowe.
Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Lect. Notes Comp. Sc., 1055, pages 147–166. Springer, 1996.
Mic05. D. Micciancio. The RSA group is pseudo-free. In Proc. of Eurocrypt 2005, LNCS 3494, pages 387–403. Springer, 2005.
MKS76. W. Magnus, A. Karras, and D. Solitar. Combinatorial group theory. Dover, 1976.
MW04a. D. Micciancio and B. Warinschi. Completeness theorems for Abadi-Rogaway logic of encrypted expressions. J. of Comp. Security, 15:99–121, 2004.
MW04b. D. Micciancio and B. Warinschi. Soundness of formal encryption in the presence of active adversaries. In Proc. of TCC (Theory of Cryptography Conference) 2004, LNCS 2951, pages 133–151. Springer, 2004.
NS78. R. M. Needham and M. D. Schroeder. Using encryption for authentication in large network computers. Comm. of the ACM, 21(2):993–999, 1978.
Riv04. R. L. Rivest. The notion of pseudo-free groups. In Proc. of TCC 2004, LNCS 2951, pages 505–521. Springer, 2004.
Rot95. Joseph J. Rotman. An introduction to the theory of groups. Springer-Verlag, 1995.
Sim94. C. C. Sims. Computations with finitely presented groups. Cambridge University Press, 1994.