Automatic Verification of Correspondences for Security Protocols

We present a new technique for verifying correspondences in security protocols. In particular, correspondences can be used to formalize authentication. Our technique is fully automatic, it can handle an unbounded number of sessions of the protocol, a…

Authors: Bruno Blanchet

Bruno Blanchet∗
CNRS, École Normale Supérieure, INRIA†
Bruno.Blanchet@ens.fr
November 26, 2024

Abstract

We present a new technique for verifying correspondences in security protocols. In particular, correspondences can be used to formalize authentication. Our technique is fully automatic, it can handle an unbounded number of sessions of the protocol, and it is efficient in practice. It significantly extends a previous technique for the verification of secrecy. The protocol is represented in an extension of the pi calculus with fairly arbitrary cryptographic primitives. This protocol representation includes the specification of the correspondence to be verified, but no other annotation. This representation is then translated into an abstract representation by Horn clauses, which is used to prove the desired correspondence. Our technique has been proved correct and implemented. We have tested it on various protocols from the literature. The experimental results show that these protocols can be verified by our technique in less than 1 s.

1 Introduction

The verification of security protocols has already been the subject of numerous research works. It is particularly important since the design of protocols is error-prone, and errors cannot be detected by testing, since they appear only in the presence of a malicious adversary. An important trend in this area aims to verify protocols in the so-called Dolev-Yao model [39], with an unbounded number of sessions, while relying as little as possible on human intervention. While protocol insecurity is NP-complete for a bounded number of sessions [65], it is undecidable for an unbounded number of sessions [41]. Hence, automatic verification for an unbounded number of sessions cannot be achieved for all protocols.
It is typically achieved using language-based techniques such as typing or abstract interpretation, which can handle infinite-state systems thanks to safe approximations. These techniques are not complete (a correct protocol can fail to typecheck, or false attacks can be found by abstract interpretation tools), but they are sound (when they do not find attacks, the protocol is guaranteed to satisfy the considered property). This is important for the certification of protocols.

Our goal in this paper is to extend previous work in this line of research by providing a fully automatic technique for verifying correspondences in security protocols, without bounding the number of sessions of the protocol. Correspondences are properties of the form: if the protocol executes some event, then it must have executed some other events before¹. We consider a rich language of correspondences, in which the events that must have been executed can be described by a logical formula containing conjunctions and disjunctions. Furthermore, we consider both non-injective correspondences (if the protocol executes some event, then it must have executed some other events at least once) and injective correspondences (if the protocol executes some event $n$ times, then it must have executed some other events at least $n$ times). Correspondences, initially named correspondence assertions [71], and the similar notion of agreement [54] were first introduced to model authentication. Intuitively, a protocol authenticates $A$ to $B$ if, when $B$ thinks he talks to $A$, then he actually talks to $A$. When $B$ thinks he has run the protocol with $A$, he executes an event $e(A, B)$.

∗ This paper is an updated and extended version of [13] and [14].
† This research has been done within the INRIA ABSTRACTION project-team (common with the CNRS and the ENS).
When $A$ thinks she runs the protocol with $B$, she executes another event $e'(A, B)$. Authentication is satisfied when, if $B$ executes his event $e(A, B)$, then $A$ has executed her event $e'(A, B)$. Several variants along this scheme appear in the literature and, as we show below, our technique can handle most of them.

Our correspondences can also encode secrecy, as follows. A protocol preserves the secrecy of some value $M$ when the adversary cannot obtain $M$. We associate an "event" $\mathrm{attacker}(M)$ to the fact that the adversary obtains $M$, and represent the secrecy of $M$ as "$\mathrm{attacker}(M)$ cannot be executed", that is, "if $\mathrm{attacker}(M)$ has been executed, then false." More complex properties can also be specified by our correspondences, for example that all messages of the protocol have been sent in order; this feature was used in [3].

Our technique is based on a substantial extension of a previous verification technique for secrecy [1, 13, 69]. More precisely, the protocol is represented in the process calculus introduced in [1], which is an extension of the pi calculus with fairly arbitrary cryptographic primitives. This process calculus is extended with events, used in the statement of correspondences. These events are the only required annotation of the protocol; no annotation is needed to help the tool proving correspondences. The protocol is then automatically translated into a set of Horn clauses. This translation requires significant extensions with respect to the translation for secrecy given in [1], and can be seen as an implementation of a type system, as in [1]. Some of these extensions improve the precision of the analysis, in particular to avoid merging different nonces. Other extensions define the translation of events. Finally, this set of Horn clauses is passed to a resolution-based solver, similar to that of [13, 20, 69].
Some minor extensions of this solver are required to prove correspondences. This solver does not always terminate, but we show in Section 8.1 that it terminates for a large class of well-designed protocols, named tagged protocols. Our experiments also demonstrate that, in practice, it terminates on many examples of protocols.

The main advantages of our method can be summarized as follows. It is fully automatic; the user only has to code the protocol and the correspondences to prove. It puts no bounds on the number of sessions of the protocol or the size of terms that the adversary can manipulate. It can handle fairly general cryptographic primitives, including shared-key encryption, public-key encryption, signatures, one-way hash functions, and Diffie-Hellman key agreements. It relies on a precise semantic foundation. One limitation of the technique is that, in rare cases, the solving algorithm does not terminate. The technique is also not complete: the translation into Horn clauses introduces an abstraction, which forgets the number of repetitions of each action [17]. This abstraction is key to the treatment of an unbounded number of sessions. Due to this abstraction, the tool provides sufficient conditions for proving correspondences, but can fail on correct protocols. Basically, it fails to prove protocols that first need to keep some value secret and later reveal it (see Section 5.2.2). In practice, the tool is still very precise and, in our experiments, it always succeeded in proving protocols that were correct. Our technique is implemented in the protocol verifier ProVerif, available at http://www.proverif.ens.fr/.

¹ In the CSP terminology, our events correspond to CSP signal events.

Comparison with Other Papers on ProVerif

As mentioned above, this paper extends previous work on the verification of secrecy [1] in order to prove correspondences.
Secrecy (defined as the impossibility for the adversary to compute the secret) and correspondences are trace properties. Other papers deal with the proof of certain classes of observational equivalences, i.e., that the adversary cannot distinguish certain processes: [15, 16] deal with the proof of strong secrecy, i.e., that the adversary cannot see when the value of a secret changes; [18] deals with the proof of equivalences between processes that differ only by the terms that they contain. Moreover, [18] also explains how to handle cryptographic primitives defined by equational theories (instead of rewrite rules) and how to deal with guessing attacks against weak secrets.

As shown in [20], the resolution algorithm terminates for tagged protocols. The present paper extends this result in Section 8.1, by providing a characterization of tagged protocols at the level of processes instead of at the level of Horn clauses.

ProVerif can also reconstruct an attack using a derivation from the Horn clauses, when the proof of a secrecy property fails [6]. Although the present paper does not detail this point, this work has also been extended to the reconstruction of attacks against non-injective correspondences.

Finally, [2], [3], and [19] present three case studies done at least partly using ProVerif: [2] studies a certified email protocol, [3] studies the Just Fast Keying protocol, and [19] studies the Plutus secure file system. These case studies rely partly on the results presented in this paper.

Related Work

We mainly focus on the works that automatically verify correspondences and authentication for security protocols, without bounding the number of sessions. The NRL protocol analyzer [42, 57], based on narrowing in rewriting systems, can verify correspondences defined in a rich language of logical formulae [68]. It is sound and complete, but does not always terminate.
Our Horn clause representation is more abstract than the representation of NRL, which should enable us to terminate more often and be more efficient, while remaining precise enough to prove most desired properties.

Gordon and Jeffrey designed a system named Cryptic for verifying authentication by typing in security protocols [45–47]. They handle shared-key and public-key cryptography. Our system allows more general cryptographic primitives (including hash functions and Diffie-Hellman key agreements). Moreover, in our system, no annotation is needed, whereas, in Cryptic, explicit type casts and checks have to be manually added. However, Cryptic has the advantage that type checking always terminates, whereas, in some rare cases, our analyzer does not.

Bugliesi et al. [25] define another type system for proving authentication in security protocols. The main advantage of their system is that it is compositional: it allows one to prove independently the correctness of the code of each role of the protocol. However, the form of messages is restricted to certain tagged terms. This approach is compared with Cryptic in [24].

Backes et al. [10] prove secrecy and authentication for security protocols, using an abstract-interpretation-based analysis. This analysis builds a causal graph, which captures the causality among program events; the security properties are proved by traversing this graph. This analysis can handle an unbounded number of sessions of the protocol; it always terminates, at the cost of additional abstractions, which may cause false attacks. It handles shared-key and public-key cryptography, but not Diffie-Hellman key agreements. It assumes that the messages are typed, so that names can be distinguished from other terms.

Bodei et al. [21] show message authentication via a control flow analysis on a process calculus named Lysa.
Like [10], they handle shared-key and public-key cryptography, and their analysis always terminates, at the cost of additional abstractions. The notion of authentication they prove is different from ours: they show message authentication rather than entity authentication.

Debbabi et al. [36] also verify authentication thanks to a representation of protocols by inference rules, very similar to our Horn clauses. However, they verify a weaker notion of authentication (corresponding to aliveness: if $B$ terminates the protocol, then $A$ must have been alive at some point before), and handle only shared-key encryption.

A few other methods require little human effort, while supporting an unbounded number of runs: the verifier of [51], based on rank functions, can prove the correctness of or find attacks against protocols with atomic symmetric or asymmetric keys. Theorem proving [63] often requires manual intervention of the user. An exception to this is [32], but it deals only with secrecy. The theorem prover TAPS [30] often succeeds without or with little human intervention. Model checking [53, 59] in general implies a limit on the number of sessions of the protocol. This problem has been tackled by [22, 23, 64]. They recycle nonces, to use only a finite number of them in an infinite number of runs. The technique was first used for sequential runs, then generalized to parallel runs in [23], but with the additional restriction that the agents must be "factorisable". (Basically, a single run of the agent has to be split into several runs such that each run contains only one fresh value.) Strand spaces [44] are a formalism for reasoning about security protocols. They have been used for elegant manual proofs of authentication [49]. The automatic tool Athena [66] combines model checking and theorem proving, and uses strand spaces to reduce the state space.
Scyther [33] uses an extension of Athena's method with trace patterns to analyze simultaneously a group of traces. These tools still sometimes limit the number of sessions to guarantee termination. Amadio and Prasad [7] note that authentication can be translated into secrecy, by using a judge process. The translation is limited in that only one message can be registered by the judge, so the verified authentication property is not exactly the same as ours.

Outline

Section 2 introduces our process calculus. Section 3 defines the correspondences that we verify, including secrecy and various notions of authentication. Section 4 outlines the main ideas behind our technique for verifying correspondences. Section 5 explains the construction of Horn clauses and shows its correctness, Section 6 describes our solving algorithm and shows its correctness, and Section 7 applies these results to the proof of correspondences. Section 8 discusses the termination of our algorithm: it shows termination for tagged protocols and how to obtain termination more often in the general case. Section 9 presents some extensions to our framework. Section 10 gives our experimental results on a selection of security protocols of the literature, and Section 11 concludes. The proofs of our results are grouped in the appendices.

2 The Process Calculus

In this section, we present the process calculus that we use to represent security protocols: we give its syntax, semantics, and illustrate it on an example protocol.

2.1 Syntax and Informal Semantics

Figure 1 gives the syntax of terms (data) and processes (programs) of our calculus. The identifiers $a$, $b$, $c$, $k$, and similar ones range over names, and $x$, $y$, and $z$ range over variables. The syntax also assumes a set of symbols for constructors and destructors; we often use $f$ for a constructor and $g$ for a destructor. Constructors are used to build terms.
Therefore, the terms are variables, names, and constructor applications of the form $f(M_1, \dots, M_n)$; the terms are untyped. On the other hand, destructors do not appear in terms, but only manipulate terms in processes. They are partial functions on terms that processes can apply. The process let $x = g(M_1, \dots, M_n)$ in $P$ else $Q$ tries to evaluate $g(M_1, \dots, M_n)$; if this succeeds, then $x$ is bound to the result and $P$ is executed, else $Q$ is executed. More precisely, the semantics of a destructor $g$ of arity $n$ is given by a set $\mathrm{def}(g)$ of rewrite rules of the form $g(M_1, \dots, M_n) \to M$ where $M_1, \dots, M_n, M$ are terms without names, and the variables of $M$ also occur in $M_1, \dots, M_n$. We extend these rules by $g(M'_1, \dots, M'_n) \to M'$ if and only if there exist a substitution $\sigma$ and a rewrite rule $g(M_1, \dots, M_n) \to M$ in $\mathrm{def}(g)$ such that $M'_i = \sigma M_i$ for all $i \in \{1, \dots, n\}$, and $M' = \sigma M$. We assume that the set $\mathrm{def}(g)$ is finite. (It usually contains one or two rules in examples.) We define destructors by rewrite rules instead of the equalities used in [1]. This definition allows destructors to yield several different results non-deterministically. (Non-deterministic rewrite rules are used in our modeling of Diffie-Hellman key agreements; see Section 9.1.) Using constructors and destructors, we can represent data structures and cryptographic operations as summarized in Figure 2.

Figure 1: Syntax of the process calculus

$M, N ::=$ terms
  $x, y, z$  variable
  $a, b, c, k$  name
  $f(M_1, \dots, M_n)$  constructor application

$P, Q ::=$ processes
  $M\langle N\rangle.P$  output
  $M(x).P$  input
  $0$  nil
  $P \mid Q$  parallel composition
  $!P$  replication
  $(\nu a)P$  restriction
  let $x = g(M_1, \dots, M_n)$ in $P$ else $Q$  destructor application
  if $M = N$ then $P$ else $Q$  conditional
  $\mathrm{event}(M).P$  event
(We present only probabilistic public-key encryption because, in the computational model, a secure public-key encryption algorithm must be probabilistic. We have chosen to present deterministic signatures; we could easily model probabilistic signatures by adding a third argument $r$ containing the random coins, as for encryption. The coins should be chosen using a restriction $(\nu a)$ which creates a fresh name $a$, representing a fresh random number.)

Figure 2: Constructors and destructors

Tuples:
  Constructor: tuple $\mathrm{ntuple}(x_1, \dots, x_n)$
  Destructors: projections $\mathrm{ith}_n(\mathrm{ntuple}(x_1, \dots, x_n)) \to x_i$
Shared-key encryption:
  Constructor: encryption of $x$ under the key $y$, $\mathrm{sencrypt}(x, y)$
  Destructor: decryption $\mathrm{sdecrypt}(\mathrm{sencrypt}(x, y), y) \to x$
Probabilistic shared-key encryption:
  Constructor: encryption of $x$ under the key $y$ with random coins $r$, $\mathrm{sencrypt}_p(x, y, r)$
  Destructor: decryption $\mathrm{sdecrypt}_p(\mathrm{sencrypt}_p(x, y, r), y) \to x$
Probabilistic public-key encryption:
  Constructors: encryption of $x$ under the key $y$ with random coins $r$, $\mathrm{pencrypt}_p(x, y, r)$; public key generation from a secret key $y$, $\mathrm{pk}(y)$
  Destructor: decryption $\mathrm{pdecrypt}_p(\mathrm{pencrypt}_p(x, \mathrm{pk}(y), r), y) \to x$
Signatures:
  Constructors: signature of $x$ with the secret key $y$, $\mathrm{sign}(x, y)$; public key generation from a secret key $y$, $\mathrm{pk}(y)$
  Destructors: signature verification $\mathrm{checksignature}(\mathrm{sign}(x, y), \mathrm{pk}(y)) \to x$; message without signature $\mathrm{getmessage}(\mathrm{sign}(x, y)) \to x$
Non-message-revealing signatures:
  Constructors: signature of $x$ with the secret key $y$, $\mathrm{nmrsign}(x, y)$; public key generation from a secret key $y$, $\mathrm{pk}(y)$; constant $\mathrm{true}$
  Destructor: verification $\mathrm{nmrchecksign}(\mathrm{nmrsign}(x, y), \mathrm{pk}(y), x) \to \mathrm{true}$
One-way hash functions:
  Constructor: hash function $h(x)$
Table of host names and keys:
  Constructor: host name from key $\mathrm{host}(x)$
  Private destructor: key from host name $\mathrm{getkey}(\mathrm{host}(x)) \to x$

Constructors and destructors can be public or private. The public ones can be used by the adversary, which is the case when not stated otherwise. The private ones can be used only by honest participants. They are useful in practice to model tables of keys stored in a server, for instance. A public constructor $\mathrm{host}$ computes a host name from a long-term secret key, and a private destructor $\mathrm{getkey}$ returns the key from the host name, and simulates a lookup in a table of pairs (host name, key). Using a public constructor $\mathrm{host}$ allows the adversary to create and register any number of host names and keys. However, since $\mathrm{getkey}$ is private, the adversary cannot compute a key from the host name, which would break all protocols: host names are public while keys of honest participants are secret.

The process calculus provides additional instructions for executing events, which will be used for specifying correspondences. The process $\mathrm{event}(M).P$ executes the event $\mathrm{event}(M)$, then executes $P$. The other constructs in the syntax of Figure 1 are standard; most of them come from the pi calculus. The input process $M(x).P$ inputs a message on channel $M$, and executes $P$ with $x$ bound to the input message. The output process $M\langle N\rangle.P$ outputs the message $N$ on the channel $M$ and then executes $P$. We allow communication on channels that can be arbitrary terms. (We could adapt our work to the case in which channels are only names.) Our calculus is monadic (in that the messages are terms rather than tuples of terms), but a polyadic calculus can be simulated since tuples are terms. It is also synchronous (in that a process $P$ is executed after the output of a message). The nil process $0$ does nothing. The process $P \mid Q$ is the parallel composition of $P$ and $Q$. The replication $!P$
represents an unbounded number of copies of $P$ in parallel. The restriction $(\nu a)P$ creates a new name $a$ and then executes $P$. The conditional if $M = N$ then $P$ else $Q$ executes $P$ if $M$ and $N$ reduce to the same term at runtime; otherwise, it executes $Q$. We define let $x = M$ in $P$ as syntactic sugar for $P\{M/x\}$. As usual, we may omit an else clause when it consists of $0$. The name $a$ is bound in the process $(\nu a)P$. The variable $x$ is bound in $P$ in the processes $M(x).P$ and let $x = g(M_1, \dots, M_n)$ in $P$ else $Q$. We write $\mathrm{fn}(P)$ and $\mathrm{fv}(P)$ for the sets of names and variables free in $P$, respectively. A process is closed if it has no free variables; it may have free names. We identify processes up to renaming of bound names and variables. We write $\{M_1/x_1, \dots, M_n/x_n\}$ for the substitution that replaces $x_1, \dots, x_n$ with $M_1, \dots, M_n$, respectively.

2.2 Operational Semantics

A semantic configuration is a pair $E, \mathcal{P}$ where the environment $E$ is a finite set of names and $\mathcal{P}$ is a finite multiset of closed processes. The environment $E$ must contain at least all free names of processes in $\mathcal{P}$.

Figure 3: Operational semantics

$E, \mathcal{P} \cup \{0\} \to E, \mathcal{P}$  (Red Nil)
$E, \mathcal{P} \cup \{!P\} \to E, \mathcal{P} \cup \{P, !P\}$  (Red Repl)
$E, \mathcal{P} \cup \{P \mid Q\} \to E, \mathcal{P} \cup \{P, Q\}$  (Red Par)
$E, \mathcal{P} \cup \{(\nu a)P\} \to E \cup \{a'\}, \mathcal{P} \cup \{P\{a'/a\}\}$  (Red Res) where $a' \notin E$
$E, \mathcal{P} \cup \{N\langle M\rangle.Q, N(x).P\} \to E, \mathcal{P} \cup \{Q, P\{M/x\}\}$  (Red I/O)
$E, \mathcal{P} \cup \{\text{let } x = g(M_1, \dots, M_n) \text{ in } P \text{ else } Q\} \to E, \mathcal{P} \cup \{P\{M'/x\}\}$  (Red Destr 1) if $g(M_1, \dots, M_n) \to M'$
$E, \mathcal{P} \cup \{\text{let } x = g(M_1, \dots, M_n) \text{ in } P \text{ else } Q\} \to E, \mathcal{P} \cup \{Q\}$  (Red Destr 2) if there exists no $M'$ such that $g(M_1, \dots, M_n) \to M'$
$E, \mathcal{P} \cup \{\text{if } M = M \text{ then } P \text{ else } Q\} \to E, \mathcal{P} \cup \{P\}$  (Red Cond 1)
$E, \mathcal{P} \cup \{\text{if } M = N \text{ then } P \text{ else } Q\} \to E, \mathcal{P} \cup \{Q\}$  (Red Cond 2) if $M \neq N$
$E, \mathcal{P} \cup \{\mathrm{event}(M).P\} \to E, \mathcal{P} \cup \{P\}$  (Red Event)
The configuration $\{a_1, \dots, a_n\}, \{P_1, \dots, P_n\}$ corresponds intuitively to the process $(\nu a_1) \dots (\nu a_n)(P_1 \mid \dots \mid P_n)$. The semantics of the calculus is defined by a reduction relation $\to$ on semantic configurations, shown in Figure 3. The rule (Red Res) is the only one that uses renaming. This is important so that the parameters of events are not renamed after the execution of the event, to be able to compare them with the parameters of events executed later. This semantics is superficially different from those of [1, 14], which were defined using a structural congruence relation and a reduction relation on processes. The new semantics (in particular the renaming point mentioned above) provides simplifications in the definitions of correspondences (Definitions 2, 3, 6, 7, and 9) and in the proofs that correspondences hold.

2.3 Example

As a running example, we consider a simplified version of the Needham-Schroeder public-key protocol [60], with the correction by Lowe [53], in which host names are replaced by public keys, which makes interaction with a server useless. (The version tested in the benchmarks is the full version. Obviously, our tool can verify much more complex protocols; we use this simple example for illustrative purposes.) The protocol contains the following messages:

Message 1. $A \to B : \{a, pk_A\}_{pk_B}$
Message 2. $B \to A : \{a, b, pk_B\}_{pk_A}$
Message 3. $A \to B : \{b\}_{pk_B}$

$A$ first sends to $B$ a nonce (fresh name) $a$ encrypted under the public key of $B$. $B$ decrypts this message using his secret key $sk_B$ and replies with the nonce $a$, a fresh nonce he chooses $b$, and its own public key $pk_B$, all encrypted under $pk_A$. When $A$ receives this message, she decrypts it. When $A$ sees the nonce $a$, she is convinced that $B$ answered since only $B$ can decrypt the first message and obtain $a$. Then $A$ replies with the nonce $b$ encrypted under $pk_B$.
$B$ decrypts this message. When $B$ sees the nonce $b$, he is convinced that $A$ replied, since only $A$ could decrypt the second message and obtain $b$. The presence of $pk_A$ in the first message and $pk_B$ in the second message makes explicit that these messages are for sessions between $A$ and $B$, and so avoids man-in-the-middle attacks, such as the well-known attack found by Lowe [53].

This protocol can be represented in our calculus by the process $P$, explained below:

$$P_A(sk_A, pk_A, pk_B) = {!}c(x_{pkB}).(\nu a)\mathrm{event}(e_1(pk_A, x_{pkB}, a)).(\nu r_1)c\langle \mathrm{pencrypt}_p((a, pk_A), x_{pkB}, r_1)\rangle.$$
$$c(m).\text{let } ({=}a, x_b, {=}x_{pkB}) = \mathrm{pdecrypt}_p(m, sk_A) \text{ in } \mathrm{event}(e_3(pk_A, x_{pkB}, a, x_b)).(\nu r_3)c\langle \mathrm{pencrypt}_p(x_b, x_{pkB}, r_3)\rangle.$$
$$\text{if } x_{pkB} = pk_B \text{ then } \mathrm{event}(e_A(pk_A, x_{pkB}, a, x_b)).c\langle \mathrm{sencrypt}(s_{Aa}, a)\rangle.c\langle \mathrm{sencrypt}(s_{Ab}, x_b)\rangle$$

$$P_B(sk_B, pk_B, pk_A) = {!}c(m').\text{let } (x_a, x_{pkA}) = \mathrm{pdecrypt}_p(m', sk_B) \text{ in } (\nu b)\mathrm{event}(e_2(x_{pkA}, pk_B, x_a, b)).(\nu r_2)c\langle \mathrm{pencrypt}_p((x_a, b, pk_B), x_{pkA}, r_2)\rangle.$$
$$c(m'').\text{let } ({=}b) = \mathrm{pdecrypt}_p(m'', sk_B) \text{ in } \text{if } x_{pkA} = pk_A \text{ then } \mathrm{event}(e_B(x_{pkA}, pk_B, x_a, b)).c\langle \mathrm{sencrypt}(s_{Ba}, x_a)\rangle.c\langle \mathrm{sencrypt}(s_{Bb}, b)\rangle$$

$$P = (\nu sk_A)(\nu sk_B)\text{ let } pk_A = \mathrm{pk}(sk_A) \text{ in let } pk_B = \mathrm{pk}(sk_B) \text{ in } c\langle pk_A\rangle.c\langle pk_B\rangle.(P_A(sk_A, pk_A, pk_B) \mid P_B(sk_B, pk_B, pk_A))$$

The channel $c$ is public: the adversary can send and listen on it. We use a single public channel and not two or more channels because the adversary could take a message from one channel and relay it on another channel, thus removing any difference between the channels. The process $P$ begins with the creation of the secret and public keys of $A$ and $B$. The public keys are output on channel $c$ to model that the adversary has them in its initial knowledge.
Then the protocol itself starts: $P_A$ represents $A$, $P_B$ represents $B$. Both principals can run an unbounded number of sessions, so $P_A$ and $P_B$ start with replications. We consider that $A$ and $B$ are both willing to talk to any principal. So, to determine to whom $A$ will talk, we consider that $A$ first inputs a message containing the public key $x_{pkB}$ of its interlocutor. (This interlocutor is therefore chosen by the adversary.) Then $A$ starts a protocol run by choosing a nonce $a$, and executing the event $e_1(pk_A, x_{pkB}, a)$. Intuitively, this event records that $A$ sent Message 1 of the protocol, for a run with the participant of public key $x_{pkB}$, using the nonce $a$. Event $e_1$ is placed before the actual output of Message 1; this is necessary for the desired correspondences to hold: if event $e_1$ followed the output of Message 1, one would not be able to prove that event $e_1$ must have been executed, even though Message 1 must have been sent, because Message 1 could be sent without executing event $e_1$. The situation is similar for events $e_2$ and $e_3$ below. Then $A$ sends the first message of the protocol $\mathrm{pencrypt}_p((a, pk_A), x_{pkB}, r_1)$, where $r_1$ are fresh coins, used to model that public-key encryption is probabilistic. $A$ waits for the second message and decrypts it using her secret key $sk_A$. If decryption succeeds, $A$ checks that the message has the right form using the pattern-matching construct let $({=}a, x_b, {=}x_{pkB}) = \mathrm{pdecrypt}_p(m, sk_A)$ in $\dots$ This construct is syntactic sugar for

$$\text{let } y = \mathrm{pdecrypt}_p(m, sk_A) \text{ in let } x_1 = \mathrm{1th}_3(y) \text{ in let } x_b = \mathrm{2th}_3(y) \text{ in let } x_3 = \mathrm{3th}_3(y) \text{ in if } x_1 = a \text{ then if } x_3 = x_{pkB} \text{ then } \dots$$

Then $A$ executes the event $e_3(pk_A, x_{pkB}, a, x_b)$, to record that she has received Message 2 and sent Message 3 of the protocol, in a session with the participant of public key $x_{pkB}$, and nonces $a$ and $x_b$.
Finally, she sends the last message of the protocol $\mathrm{pencrypt}_p(x_b, x_{pkB}, r_3)$. After sending this message, $A$ executes some actions needed only for specifying properties of the protocol. When $x_{pkB} = pk_B$, that is, when the session is between $A$ and $B$, $A$ executes the event $e_A(pk_A, x_{pkB}, a, x_b)$, to record that $A$ ended a session of the protocol, with the participant of public key $x_{pkB}$ and nonces $a$ and $x_b$. $A$ also outputs the secret name $s_{Aa}$ encrypted under the nonce $a$ and the secret name $s_{Ab}$ encrypted under the nonce $x_b$. These outputs are helpful in order to formalize the secrecy of the nonces. Our tool can prove the secrecy of free names, but not the secrecy of bound names (such as $a$) or of variables (such as $x_b$). In order to overcome this limitation, we publish the encryption of a free name $s_{Aa}$ under $a$; then $s_{Aa}$ is secret if and only if the nonce $a$ chosen by $A$ is secret. Similarly, $s_{Ab}$ is secret if and only if the nonce $x_b$ received by $A$ is secret.

The process $P_B$ proceeds similarly: it executes the protocol, with the additional event $e_2(x_{pkA}, pk_B, x_a, b)$ to record that Message 1 has been received and Message 2 has been sent by $B$, in a session with the participant of public key $x_{pkA}$ and nonces $x_a$ and $b$. After finishing the protocol itself, when $x_{pkA} = pk_A$, that is, when the session is between $A$ and $B$, $P_B$ executes the event $e_B(x_{pkA}, pk_B, x_a, b)$, to record that $B$ finished the protocol, and outputs $s_{Ba}$ encrypted under $x_a$ and $s_{Bb}$ encrypted under $b$, to model the secrecy of $x_a$ and $b$ respectively.

The events will be used in order to formalize authentication. For example, we formalize that, if $A$ ends a session of the protocol, then $B$ has started a session of the protocol with the same nonces by requiring that, if $e_A(x_1, x_2, x_3, x_4)$ has been executed, then $e_2(x_1, x_2, x_3, x_4)$ has been executed.²
3 Definition of Correspondences

In this section, we formally define the correspondences that we verify. We prove correspondences of the form "if an event $e$ has been executed, then events $e_{11}, \dots, e_{1l_1}$ have been executed, or $\dots$, or $e_{m1}, \dots, e_{ml_m}$ have been executed". These events may include arguments, which allows one to relate the values of variables at the various events. Furthermore, we can replace the event $e$ with the fact that the adversary knows some term (which allows us to prove secrecy properties), or that a certain message has been sent on a certain channel. We can prove that each execution of $e$ corresponds to a distinct execution of some events $e_{jk}$ (injective correspondences, defined in Section 3.2), and we can prove that the events $e_{jk}$ have been executed in a certain order (general correspondences, defined in Section 3.3).

We assume that the protocol is executed in the presence of an adversary that can listen to all messages, compute, and send all messages it has, following the so-called Dolev-Yao model [39]. Thus, an adversary can be represented by any process that has a set of public names $\mathit{Init}$ in its initial knowledge and that does not contain events. (Although the initial knowledge of the adversary contains only names in $\mathit{Init}$, one can give any terms to the adversary by sending them on a channel in $\mathit{Init}$.)

Definition 1 Let $\mathit{Init}$ be a finite set of names. The closed process $Q$ is an $\mathit{Init}$-adversary if and only if $\mathrm{fn}(Q) \subseteq \mathit{Init}$ and $Q$ does not contain events.

3.1 Non-injective Correspondences

Next, we define when a trace satisfies an atom $\alpha$, generated by the following grammar:

$\alpha ::=$ atom
  $\mathrm{attacker}(M)$  attacker knowledge
  $\mathrm{message}(M, M')$  message on a channel
  $\mathrm{event}(M)$  event

Intuitively, a trace satisfies $\mathrm{attacker}(M)$ when the attacker has $M$, or equivalently, when $M$ has been sent on a public channel in $\mathit{Init}$.
It satisfies $\mathsf{message}(M, M')$ when the message $M'$ has been sent on channel $M$. Finally, it satisfies $\mathsf{event}(M)$ when the event $\mathit{event}(M)$ has been executed.

Definition 2 We say that a trace $T = E_0, \mathcal{P}_0 \to^* E', \mathcal{P}'$ satisfies $\mathsf{attacker}(M)$ if and only if $T$ contains a reduction $E, \mathcal{P} \cup \{\overline{c}\langle M \rangle.Q,\ c(x).P\} \to E, \mathcal{P} \cup \{Q,\ P\{M/x\}\}$ for some $E$, $\mathcal{P}$, $x$, $P$, $Q$, and $c \in \mathit{Init}$. We say that a trace $T = E_0, \mathcal{P}_0 \to^* E', \mathcal{P}'$ satisfies $\mathsf{message}(M, M')$ if and only if $T$ contains a reduction $E, \mathcal{P} \cup \{\overline{M}\langle M' \rangle.Q,\ M(x).P\} \to E, \mathcal{P} \cup \{Q,\ P\{M'/x\}\}$ for some $E$, $\mathcal{P}$, $x$, $P$, $Q$. We say that a trace $T = E_0, \mathcal{P}_0 \to^* E', \mathcal{P}'$ satisfies $\mathsf{event}(M)$ if and only if $T$ contains a reduction $E, \mathcal{P} \cup \{\mathit{event}(M).P\} \to E, \mathcal{P} \cup \{P\}$ for some $E$, $\mathcal{P}$, $P$.

The correspondence $\alpha \Rightarrow \bigvee_{j=1}^{m} \big( \alpha_j \wedge \bigwedge_{k=1}^{l_j} \mathsf{event}(M_{jk}) \big)$, formally defined below, means intuitively that, if an instance of $\alpha$ is satisfied, then for some $j \in \{1, \ldots, m\}$, the considered instance of $\alpha$ is an instance of $\alpha_j$ and a corresponding instance of each of the events $\mathit{event}(M_{j1}), \ldots, \mathit{event}(M_{jl_j})$ has been executed.$^3$

Definition 3 The closed process $P_0$ satisfies the correspondence
$$\alpha \Rightarrow \bigvee_{j=1}^{m} \Big( \alpha_j \wedge \bigwedge_{k=1}^{l_j} \mathsf{event}(M_{jk}) \Big)$$
against $\mathit{Init}$-adversaries if and only if, for any $\mathit{Init}$-adversary $Q$, for any $E_0$ containing $\mathit{fn}(P_0) \cup \mathit{Init} \cup \mathit{fn}(\alpha) \cup \bigcup_j \mathit{fn}(\alpha_j) \cup \bigcup_{j,k} \mathit{fn}(M_{jk})$, for any substitution $\sigma$, for any trace $T = E_0, \{P_0, Q\} \to^* E', \mathcal{P}'$, if $T$ satisfies $\sigma\alpha$, then there exist $\sigma'$ and $j \in \{1, \ldots, m\}$ such that $\sigma'\alpha_j = \sigma\alpha$ and, for all $k \in \{1, \ldots, l_j\}$, $T$ satisfies $\mathsf{event}(\sigma' M_{jk})$ as well.

Footnote 2: For this purpose, the event $e_A$ must not be executed when $A$ thinks she talks to the adversary. Indeed, in this case, it is correct that no event has been executed by the interlocutor of $A$, since the adversary never executes events.
This definition is very general; we detail some interesting particular cases below. When $m = 0$, the disjunction $\bigvee_{j=1}^{m} \ldots$ is denoted by $\mathit{false}$. When $\alpha = \alpha_j$ for all $j$, we abbreviate the correspondence by $\alpha \rightsquigarrow \bigvee_{j=1}^{m} \bigwedge_{k=1}^{l_j} \mathsf{event}(M_{jk})$. This correspondence means that, if an instance of $\alpha$ is satisfied, then for some $j \le m$, a corresponding instance of $\mathit{event}(M_{j1}), \ldots, \mathit{event}(M_{jl_j})$ has been executed. The variables in $\alpha$ are universally quantified (because, in Definition 3, $\sigma$ is universally quantified). The variables in $M_{jk}$ that do not occur in $\alpha$ are existentially quantified (because $\sigma'$ is existentially quantified).

Example 1 In the process of Section 2.3, the correspondence
$$\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathsf{event}(e_1(x_1, x_2, x_3)) \wedge \mathsf{event}(e_2(x_1, x_2, x_3, x_4)) \wedge \mathsf{event}(e_3(x_1, x_2, x_3, x_4))$$
means that, if the event $e_B(x_1, x_2, x_3, x_4)$ has been executed, then the events $e_1(x_1, x_2, x_3)$, $e_2(x_1, x_2, x_3, x_4)$, and $e_3(x_1, x_2, x_3, x_4)$ have been executed, with the same value of the arguments $x_1, x_2, x_3, x_4$.

The correspondence
$$\begin{aligned}
\mathsf{event}(R_{\mathit{received}}(\mathit{msg}(x, z))) \Rightarrow{}
& \big(\mathsf{event}(R_{\mathit{received}}(\mathit{msg}(x, (z', \mathit{Auth})))) \wedge \mathsf{event}(S_{\mathit{has}}(k, \mathit{msg}(x, (z', \mathit{Auth})))) \\
& \quad \wedge \mathsf{event}(\mathit{TTP}_{\mathit{send}}(\mathit{sign}((\mathit{sencrypt}(\mathit{msg}(x, (z', \mathit{Auth})), k), x), \mathit{sk}_{\mathit{TTP}})))\big) \\
\vee{} & \big(\mathsf{event}(R_{\mathit{received}}(\mathit{msg}(x, (z', \mathit{NoAuth})))) \wedge \mathsf{event}(S_{\mathit{has}}(k, \mathit{msg}(x, (z', \mathit{NoAuth})))) \\
& \quad \wedge \mathsf{event}(\mathit{TTP}_{\mathit{send}}(\mathit{sign}(\mathit{sencrypt}(\mathit{msg}(x, (z', \mathit{NoAuth})), k), \mathit{sk}_{\mathit{TTP}})))\big)
\end{aligned}$$

Footnote 3: The implementation in ProVerif uses a slightly different notation: $\alpha_j$ is omitted, but additionally equality tests are allowed on the right-hand side of $\rightsquigarrow$, so that one can check that $\alpha$ is actually an instance of $\alpha_j$.
means that, if the event $R_{\mathit{received}}(\mathit{msg}(x, z))$ has been executed, then two cases can happen: either $z = (z', \mathit{Auth})$ or $z = (z', \mathit{NoAuth})$ for some $z'$. In both cases, the events $\mathit{TTP}_{\mathit{send}}(\mathit{certificate})$ and $S_{\mathit{has}}(k, \mathit{msg}(x, z))$ have been executed for some $k$, but with a different value of $\mathit{certificate}$: $\mathit{certificate} = \mathit{sign}((\mathit{S2TTP}, x), \mathit{sk}_{\mathit{TTP}})$ when $z = (z', \mathit{Auth})$, and $\mathit{certificate} = \mathit{sign}(\mathit{S2TTP}, \mathit{sk}_{\mathit{TTP}})$ when $z = (z', \mathit{NoAuth})$, with $\mathit{S2TTP} = \mathit{sencrypt}(\mathit{msg}(x, z), k)$. A similar correspondence was used in our study of a certified email protocol, in collaboration with Martín Abadi [2, Section 5, Proposition 4]. We refer to that paper for additional details.

The following definitions are particular cases of Definition 3.

Definition 4 The closed process $P$ preserves the secrecy of all instances of $M$ from $\mathit{Init}$ if and only if it satisfies the correspondence $\mathsf{attacker}(M) \rightsquigarrow \mathit{false}$ against $\mathit{Init}$-adversaries.

When $M$ is a free name, this definition is equivalent to that of [1].

Example 2 The process $P$ of Section 2.3 preserves the secrecy of $\mathit{sAa}$ when the correspondence $\mathsf{attacker}(\mathit{sAa}) \rightsquigarrow \mathit{false}$ is satisfied. In this case, intuitively, $P$ preserves the secrecy of the nonce $a$ that $A$ chooses. The situation is similar for $\mathit{sAb}$, $\mathit{sBa}$, and $\mathit{sBb}$.

Definition 5 Non-injective agreement is a correspondence of the form $\mathsf{event}(e(x_1, \ldots, x_n)) \rightsquigarrow \mathsf{event}(e'(x_1, \ldots, x_n))$.

Intuitively, the correspondence $\mathsf{event}(e(x_1, \ldots, x_n)) \rightsquigarrow \mathsf{event}(e'(x_1, \ldots, x_n))$ means that, if an event $e(M_1, \ldots, M_n)$ is executed, then the event $e'(M_1, \ldots, M_n)$ has also been executed. This definition can be used to represent Lowe's notion of non-injective agreement [54].
Example 3 In the example of Section 2.3, the correspondence $\mathsf{event}(e_A(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathsf{event}(e_2(x_1, x_2, x_3, x_4))$ means that, if $A$ executes an event $e_A(x_1, x_2, x_3, x_4)$, then $B$ has executed the event $e_2(x_1, x_2, x_3, x_4)$. So, if $A$ terminates the protocol thinking she talks to $B$, then $B$ is actually involved in the protocol. Moreover, the agreement on the parameters of the events, $pk_A = x_{pk_A}$, $x_{pk_B} = pk_B$, $a = x_a$, and $x_b = b$, implies that $B$ actually thinks he talks to $A$, and that $A$ and $B$ agree on the values of the nonces. The correspondence $\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathsf{event}(e_3(x_1, x_2, x_3, x_4))$ is similar, after swapping the roles of $A$ and $B$.

3.2 Injective Correspondences

Definition 6 We say that the event $\mathit{event}(M)$ is executed at step $\tau$ in a trace $T = E_0, \mathcal{P}_0 \to^* E', \mathcal{P}'$ if and only if the $\tau$-th reduction of $T$ is of the form $E, \mathcal{P} \cup \{\mathit{event}(M).P\} \to E, \mathcal{P} \cup \{P\}$ for some $E$, $\mathcal{P}$, $P$.

Intuitively, an injective correspondence $\mathsf{event}(M) \rightsquigarrow \mathit{inj}\ \mathsf{event}(M')$ requires that each event $\mathit{event}(\sigma M)$ is enabled by distinct events $\mathit{event}(\sigma M')$, while a non-injective correspondence $\mathsf{event}(M) \rightsquigarrow \mathsf{event}(M')$ allows several events $\mathit{event}(\sigma M)$ to be enabled by the same event $\mathit{event}(\sigma M')$. We denote by $[\mathit{inj}]$ an optional $\mathit{inj}$ marker: it can be either $\mathit{inj}$ or nothing. When $[\mathit{inj}] = \mathit{inj}$, an injective correspondence is required. When $[\mathit{inj}]$ is nothing, the correspondence does not need to be injective.
Definition 7 The closed process $P_0$ satisfies the correspondence
$$\mathsf{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathsf{event}(N_j) \wedge \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\ \mathsf{event}(M_{jk}) \Big)$$
against $\mathit{Init}$-adversaries if and only if, for any $\mathit{Init}$-adversary $Q$, for any $E_0$ containing $\mathit{fn}(P_0) \cup \mathit{Init} \cup \mathit{fn}(M) \cup \bigcup_j \mathit{fn}(N_j) \cup \bigcup_{j,k} \mathit{fn}(M_{jk})$, for any trace $T = E_0, \{P_0, Q\} \to^* E', \mathcal{P}'$, there exist functions $\phi_{jk}$ from a subset of steps in $T$ to steps in $T$ such that
• For all $\tau$, if the event $\mathit{event}(\sigma M)$ is executed at step $\tau$ in $T$ for some $\sigma$, then there exist $\sigma'$ and $j$ such that $\sigma' N_j = \sigma M$ and, for all $k \in \{1, \ldots, l_j\}$, $\phi_{jk}(\tau)$ is defined and $\mathit{event}(\sigma' M_{jk})$ is executed at step $\phi_{jk}(\tau)$ in $T$.
• If $[\mathit{inj}]_{jk} = \mathit{inj}$, then $\phi_{jk}$ is injective.

The functions $\phi_{jk}$ map execution steps of events $\mathit{event}(\sigma M)$ to the execution steps of the events $\mathit{event}(\sigma' M_{jk})$ that enable $\mathit{event}(\sigma M)$. When $[\mathit{inj}]_{jk} = \mathit{inj}$, the injectivity of $\phi_{jk}$ guarantees that distinct executions of $\mathit{event}(\sigma M)$ correspond to distinct executions of $\mathit{event}(\sigma' M_{jk})$. When $M = N_j$ for all $j$, we abbreviate the correspondence by $\mathsf{event}(M) \rightsquigarrow \bigvee_{j=1}^{m} \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\ \mathsf{event}(M_{jk})$, as in the non-injective case.

Woo and Lam's correspondence assertions [71] are a particular case of this definition. Indeed, they consider properties of the form: if $\gamma_1$ or $\ldots$ or $\gamma_k$ have been executed, then $\mu_1$ or $\ldots$ or $\mu_m$ must have been executed, denoted by $\gamma_1 \mid \ldots \mid \gamma_k \hookrightarrow \mu_1 \mid \ldots \mid \mu_m$. Such a correspondence assertion is formalized in our setting by: for all $i \in \{1, \ldots, k\}$, the process satisfies the correspondence $\mathsf{event}(\gamma_i) \rightsquigarrow \bigvee_{j=1}^{m} \mathit{inj}\ \mathsf{event}(\mu_j)$.

Remark 1 Correspondences $\alpha \Rightarrow \bigvee_{j=1}^{m} \big( \alpha_j \wedge \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\ \mathsf{event}(M_{jk}) \big)$ with $\alpha = \mathsf{attacker}(M)$ and at least one $\mathit{inj}$ marker would always be wrong: the adversary can always repeat the output of $M$ on one of his channels any number of times.
With $\alpha = \mathsf{message}(M, M')$ and at least one $\mathit{inj}$ marker, the correspondence may be true only when the adversary cannot execute the corresponding output. For simplicity, we focus on the case $\alpha = \mathsf{event}(M)$ only.

Definition 8 Injective agreement is a correspondence of the form $\mathsf{event}(e(x_1, \ldots, x_n)) \rightsquigarrow \mathit{inj}\ \mathsf{event}(e'(x_1, \ldots, x_n))$.

Injective agreement requires that the number of executions of $\mathit{event}(e(M_1, \ldots, M_n))$ does not exceed the number of executions of $\mathit{event}(e'(M_1, \ldots, M_n))$: each execution of $\mathit{event}(e(M_1, \ldots, M_n))$ corresponds to a distinct execution of $\mathit{event}(e'(M_1, \ldots, M_n))$. This corresponds to Lowe's agreement specification [54].

Example 4 In the example of Section 2.3, the correspondence $\mathsf{event}(e_A(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathit{inj}\ \mathsf{event}(e_2(x_1, x_2, x_3, x_4))$ means that each execution of $\mathsf{event}(e_A(x_1, x_2, x_3, x_4))$ corresponds to a distinct execution of $\mathsf{event}(e_2(x_1, x_2, x_3, x_4))$. So each completed session of $A$ talking to $B$ corresponds to a distinct session of $B$ talking to $A$, and $A$ and $B$ agree on the values of the nonces. The correspondence $\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathit{inj}\ \mathsf{event}(e_3(x_1, x_2, x_3, x_4))$ is similar, after swapping the roles of $A$ and $B$.

3.3 General Correspondences

Correspondences also give information on the order in which events are executed. Indeed, if we have the correspondence
$$\mathsf{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathsf{event}(N_j) \wedge \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\ \mathsf{event}(M_{jk}) \Big)$$
then the events $\mathsf{event}(M_{jk})$ for $k \le l_j$ have been executed before $\mathsf{event}(N_j)$. Formally, in the definition of injective correspondences, we can define $\phi_{jk}$ such that $\phi_{jk}(\tau) \le \tau$ when $\phi_{jk}(\tau)$ is defined. (The inequality $\tau' \le \tau$ means that $\tau'$ occurs before $\tau$ in the trace.)
Indeed, otherwise, by considering the prefix of the trace that stops just after $\tau$, we would contradict the correspondence. In this section, we exploit this point to define more general properties involving the ordering of events.

Let us first consider some examples. Using the process of Section 2.3, we will denote by
$$\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \big(\mathit{inj}\ \mathsf{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \big(\mathit{inj}\ \mathsf{event}(e_2(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathit{inj}\ \mathsf{event}(e_1(x_1, x_2, x_3))\big)\big) \qquad (1)$$
the correspondence that means that each execution of the event $e_B(x_1, x_2, x_3, x_4)$ corresponds to distinct executions of the events $e_1(x_1, x_2, x_3)$, $e_2(x_1, x_2, x_3, x_4)$, and $e_3(x_1, x_2, x_3, x_4)$ in this order: each execution of $e_B(x_1, x_2, x_3, x_4)$ is preceded by a distinct execution of $e_3(x_1, x_2, x_3, x_4)$, which is itself preceded by a distinct execution of $e_2(x_1, x_2, x_3, x_4)$, which is itself preceded by a distinct execution of $e_1(x_1, x_2, x_3)$. This correspondence shows that, when $B$ terminates the protocol talking with $A$, $A$ and $B$ have exchanged all messages of the protocol in the expected order. This correspondence is not equivalent to the conjunction of the correspondences $\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathit{inj}\ \mathsf{event}(e_3(x_1, x_2, x_3, x_4))$, $\mathsf{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathit{inj}\ \mathsf{event}(e_2(x_1, x_2, x_3, x_4))$, and $\mathsf{event}(e_2(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathit{inj}\ \mathsf{event}(e_1(x_1, x_2, x_3))$, because (1) may be true even when, in order to prove that $e_2$ is executed, we need to know that $e_B$ has been executed, and not only that $e_3$ has been executed and, similarly, in order to prove that $e_1$ has been executed, we need to know that $e_B$ has been executed, and not only that $e_2$ has been executed.
Using general correspondences such as (1) is therefore strictly more expressive than using injective correspondences. A correspondence similar to (1) has been used in our study of the Just Fast Keying protocol, one of the proposed replacements for IKE in IPsec, in collaboration with Martín Abadi and Cédric Fournet [3, Appendix B.5].

As a more generic example, the correspondence
$$\mathsf{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathsf{event}(M_j) \wedge \bigwedge_{k=1}^{l_j} \Big( [\mathit{inj}]_{jk}\ \mathsf{event}(M_{jk}) \rightsquigarrow \bigvee_{j'=1}^{m_{jk}} \bigwedge_{k'=1}^{l_{jkj'}} [\mathit{inj}]_{jkj'k'}\ \mathsf{event}(M_{jkj'k'}) \Big) \Big)$$
means that, if an instance of $\mathit{event}(M)$ has been executed, then there exists $j$ such that this instance of $\mathit{event}(M)$ is an instance of $\mathit{event}(M_j)$ and, for all $k$, a corresponding instance of $\mathit{event}(M_{jk})$ has been executed before $\mathit{event}(M_j)$, and there exists $j'_k$ such that, for all $k'$, a corresponding instance of $\mathit{event}(M_{jkj'_kk'})$ has been executed before $\mathit{event}(M_{jk})$.

Let us now consider the general definition. We denote by $\bar{k}$ a sequence of indices $k$. The empty sequence is denoted $\epsilon$. When $\bar{j} = j_1 \ldots j_n$ and $\bar{k} = k_1 \ldots k_n$ are sequences of the same length, we denote by $\bar{j}\bar{k}$ the sequence obtained by taking alternately one index in each sequence $\bar{j}$ and $\bar{k}$: $\bar{j}\bar{k} = j_1 k_1 \ldots j_n k_n$. We sometimes use $\bar{j}\bar{k}$ as an identifier that denotes a sequence obtained in this way; for instance, "for all $\bar{j}\bar{k}$, $\phi_{\bar{j}\bar{k}}$ is injective" abbreviates "for all $\bar{j}$ and $\bar{k}$ of the same length, $\phi_{\bar{j}\bar{k}}$ is injective". We only consider sequences $\bar{j}\bar{k}$ that occur in the correspondence. For instance, for the correspondence $\mathsf{event}(M) \Rightarrow \bigvee_{j=1}^{m} \big( \mathsf{event}(M_j) \wedge \bigwedge_{k=1}^{l_j} \big( [\mathit{inj}]_{jk}\ \mathsf{event}(M_{jk}) \rightsquigarrow \bigvee_{j'=1}^{m_{jk}} \bigwedge_{k'=1}^{l_{jkj'}} [\mathit{inj}]_{jkj'k'}\ \mathsf{event}(M_{jkj'k'}) \big) \big)$, we consider the sequences $\bar{j}\bar{k} = \epsilon$, $\bar{j}\bar{k} = jk$, and $\bar{j}\bar{k} = jkj'k'$ where $1 \le j \le m$, $1 \le k \le l_j$, $1 \le j' \le m_{jk}$, and $1 \le k' \le l_{jkj'}$.
Given a family of indices $J = (j_{\bar{k}})_{\bar{k}}$ indexed by sequences of indices $\bar{k}$, we define $\mathit{makejk}(\bar{k}, J)$ by $\mathit{makejk}(\epsilon, J) = \epsilon$ and $\mathit{makejk}(\bar{k}k, J) = \mathit{makejk}(\bar{k}, J)\ j_{\bar{k}}\ k$. Less formally, if $\bar{k} = k_1 k_2 k_3 \ldots$, we have $\mathit{makejk}(\bar{k}, J) = j_\epsilon k_1 j_{k_1} k_2 j_{k_1 k_2} k_3 \ldots$ Intuitively, the correspondence contains disjunctions over indices $j$ and conjunctions over indices $k$, so we would like to express quantifications of the form $\exists j_\epsilon\ \forall k_1\ \exists j_{k_1}\ \forall k_2\ \exists j_{k_1 k_2}\ \forall k_3 \ldots$ on the sequence $j_\epsilon k_1 j_{k_1} k_2 j_{k_1 k_2} k_3 \ldots$. The notation $\mathit{makejk}(\bar{k}, J)$ allows us to replace such a quantification with the quantification $\exists J\ \forall \bar{k}$ on the sequence $\mathit{makejk}(\bar{k}, J)$.

Definition 9 The closed process $P_0$ satisfies the correspondence
$$\mathsf{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathsf{event}(M_j) \wedge \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\ q_{jk} \Big)$$
where
$$q_{\bar{j}\bar{k}} = \mathsf{event}(M_{\bar{j}\bar{k}}) \rightsquigarrow \bigvee_{j=1}^{m_{\bar{j}\bar{k}}} \bigwedge_{k=1}^{l_{\bar{j}\bar{k}j}} [\mathit{inj}]_{\bar{j}\bar{k}jk}\ q_{\bar{j}\bar{k}jk}$$
against $\mathit{Init}$-adversaries if and only if, for any $\mathit{Init}$-adversary $Q$, for any $E_0$ containing $\mathit{fn}(P_0) \cup \mathit{Init} \cup \mathit{fn}(M) \cup \bigcup_j \mathit{fn}(M_j) \cup \bigcup_{\bar{j}\bar{k}} \mathit{fn}(M_{\bar{j}\bar{k}})$, for any trace $T = E_0, \{P_0, Q\} \to^* E', \mathcal{P}'$, there exists a function $\phi_{\bar{j}\bar{k}}$ for each non-empty $\bar{j}\bar{k}$, such that for all non-empty $\bar{j}\bar{k}$, $\phi_{\bar{j}\bar{k}}$ maps a subset of steps of $T$ to steps of $T$ and
• For all $\tau$, if the event $\mathit{event}(\sigma M)$ is executed at step $\tau$ in $T$ for some $\sigma$, then there exist $\sigma'$ and $J = (j_{\bar{k}})_{\bar{k}}$ such that $\sigma' M_{j_\epsilon} = \sigma M$ and, for all non-empty $\bar{k}$, $\phi_{\mathit{makejk}(\bar{k}, J)}(\tau)$ is defined and $\mathit{event}(\sigma' M_{\mathit{makejk}(\bar{k}, J)})$ is executed at step $\phi_{\mathit{makejk}(\bar{k}, J)}(\tau)$ in $T$.
• For all non-empty $\bar{j}\bar{k}$, if $[\mathit{inj}]_{\bar{j}\bar{k}} = \mathit{inj}$, then $\phi_{\bar{j}\bar{k}}$ is injective.
• For all non-empty $\bar{j}\bar{k}$, for all $j$ and $k$, if $\phi_{\bar{j}\bar{k}jk}(\tau)$ is defined, then $\phi_{\bar{j}\bar{k}}(\tau)$ is defined and $\phi_{\bar{j}\bar{k}jk}(\tau) \le \phi_{\bar{j}\bar{k}}(\tau)$. For all $j$ and $k$, if $\phi_{jk}(\tau)$ is defined, then $\phi_{jk}(\tau) \le \tau$.
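Definition 9 applied to correspondence (1) on a finite trace, as an added example that is not part of the paper: the checker searches for the functions $\phi$ (one step of $e_3$, $e_2$, $e_1$ per execution of $e_B$, matching arguments, each no later than the previous one, and pairwise distinct when the $\mathit{inj}$ marker is present). Event names, steps and the sample traces are constructed here; the `injective` and `ordered` switches drop the second and third requirement of the definition respectively.

```python
# A trace is a list of (step, event name, argument tuple); the step is the position
# tau of the event reduction in the trace, so a smaller step means "earlier".
# Correspondence (1) of the text: head event and chain of required events. Each
# required event lists the indices of the head's arguments it must agree with, so
# e1(x1, x2, x3) takes the first three arguments of eB(x1, x2, x3, x4).
CORR_1 = ("eB", [("e3", (0, 1, 2, 3)), ("e2", (0, 1, 2, 3)), ("e1", (0, 1, 2))])


def _candidates(trace, chain, idx, deadline, args, used, injective, ordered):
    """Yield tuples of steps for chain[idx:]: each step carries the required event
    with the required arguments, is at or before `deadline` when ordered, and is not
    already used when injective. `used` is shared across all head events so that
    injectivity holds globally; entries are added and removed as the search goes."""
    if idx == len(chain):
        yield ()
        return
    name, proj = chain[idx]
    want = tuple(args[i] for i in proj)
    for step, n, a in sorted(trace, reverse=True):
        if n != name or a != want or (ordered and step > deadline) or (injective and step in used):
            continue
        if injective:
            used.add(step)
        for rest in _candidates(trace, chain, idx + 1, step, args, used, injective, ordered):
            yield (step,) + rest
        if injective:
            used.discard(step)


def satisfies(trace, corr, injective=True, ordered=True):
    """Return {tau: (phi_11(tau), phi_1111(tau), phi_111111(tau))}, i.e. the steps of
    e3, e2, e1 chosen for each execution of the head event at step tau, or None when
    no such functions phi exist on this trace."""
    head, chain = corr
    heads = sorted(e for e in trace if e[1] == head)
    used, phi = set(), {}

    def solve(k):  # backtracking over the head events in trace order
        if k == len(heads):
            return True
        tau, _, args = heads[k]
        for steps in _candidates(trace, chain, 0, tau, args, used, injective, ordered):
            phi[tau] = steps
            if solve(k + 1):
                return True
        phi.pop(tau, None)
        return False

    return dict(phi) if solve(0) else None


# Constructed sample traces: pkA, pkB, a, b stand for the public keys and nonces of
# the Section 2.3 process; e1 carries three arguments, e2/e3/eB four.
S3 = ("pkA", "pkB", "a")
S4 = ("pkA", "pkB", "a", "b")
TRACE_OK = [(1, "e1", S3), (2, "e2", S4), (3, "e3", S4), (4, "eB", S4)]
# B completes twice although the other events happened once: a replay.
TRACE_REPLAY = TRACE_OK + [(5, "eB", S4)]
# All required events occur, but e1 after e2: the order required by (1) is violated.
TRACE_REORDER = [(1, "e2", S4), (2, "e1", S3), (3, "e3", S4), (4, "eB", S4)]
# An extra e3 with other nonces and no matching e2: (1) still holds, while the
# pairwise correspondence event(e3(...)) ~> inj event(e2(...)) does not.
TRACE_EXTRA_E3 = TRACE_OK + [(5, "e3", ("pkA", "pkB", "a2", "b2"))]
PAIRWISE_E3_E2 = ("e3", [("e2", (0, 1, 2, 3))])

if __name__ == "__main__":
    print(satisfies(TRACE_OK, CORR_1))                       # {4: (3, 2, 1)}
    print(satisfies(TRACE_REPLAY, CORR_1))                   # None (not injective)
    print(satisfies(TRACE_REPLAY, CORR_1, injective=False))  # {4: (3, 2, 1), 5: (3, 2, 1)}
    print(satisfies(TRACE_REORDER, CORR_1))                  # None (wrong order)
    print(satisfies(TRACE_REORDER, CORR_1, ordered=False))   # {4: (3, 1, 2)}
    print(satisfies(TRACE_EXTRA_E3, CORR_1))                 # {4: (3, 2, 1)}
    print(satisfies(TRACE_EXTRA_E3, PAIRWISE_E3_E2))         # None
```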
We abbreviate by $q_{\bar{j}\bar{k}} = \mathsf{event}(M_{\bar{j}\bar{k}})$ the correspondence $q_{\bar{j}\bar{k}} = \mathsf{event}(M_{\bar{j}\bar{k}}) \rightsquigarrow \bigvee_{j=1}^{m_{\bar{j}\bar{k}}} \bigwedge_{k=1}^{l_{\bar{j}\bar{k}j}} [\mathit{inj}]_{\bar{j}\bar{k}jk}\ q_{\bar{j}\bar{k}jk}$ when $m_{\bar{j}\bar{k}} = 1$ and $l_{\bar{j}\bar{k}1} = 0$, that is, the disjunction $\bigvee_{j=1}^{m_{\bar{j}\bar{k}}} \bigwedge_{k=1}^{l_{\bar{j}\bar{k}j}} [\mathit{inj}]_{\bar{j}\bar{k}jk}\ q_{\bar{j}\bar{k}jk}$ is true. Injective correspondences are then a particular case of general correspondences.

The function $\phi_{\bar{j}\bar{k}}$ maps the execution steps of instances of $\mathit{event}(M)$ to the execution steps of the corresponding instances of $\mathit{event}(M_{\bar{j}\bar{k}})$. The first item of Definition 9 guarantees that the required events have been executed. The second item means that, when the $\mathit{inj}$ marker is present, the correspondence is injective. Finally, the third item guarantees that the events have been executed in the expected order.

Example 5 Let us consider again the correspondence (1). Using the notations of Definition 9, this correspondence is written $\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathit{inj}\ q_{11}$ (or $\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \Rightarrow \mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \wedge \mathit{inj}\ q_{11}$), where $q_{11} = \mathsf{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathit{inj}\ q_{1111}$, $q_{1111} = \mathsf{event}(e_2(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathit{inj}\ q_{111111}$, and $q_{111111} = \mathsf{event}(e_1(x_1, x_2, x_3))$. By Definition 9, this correspondence means that there exist functions $\phi_{11}$, $\phi_{1111}$, and $\phi_{111111}$ such that:
• For all $\tau$, if the event $\mathit{event}(\sigma e_B(x_1, x_2, x_3, x_4))$ is executed at step $\tau$ for some $\sigma$, then $\phi_{11}(\tau)$, $\phi_{1111}(\tau)$, and $\phi_{111111}(\tau)$ are defined, and $\mathit{event}(\sigma e_3(x_1, x_2, x_3, x_4))$ is executed at step $\phi_{11}(\tau)$, $\mathit{event}(\sigma e_2(x_1, x_2, x_3, x_4))$ is executed at step $\phi_{1111}(\tau)$, and $\mathit{event}(\sigma e_1(x_1, x_2, x_3))$ is executed at step $\phi_{111111}(\tau)$. (Here, $\sigma' = \sigma$ since all variables of the correspondence occur in $\mathsf{event}(e_B(x_1, x_2, x_3, x_4))$. Moreover, $j_{\bar{k}} = 1$ for all $\bar{k}$ and the non-empty sequences $\bar{k}$ are $1$, $11$, and $111$, since all conjunctions and disjunctions have a single element. The sequences $\mathit{makejk}(\bar{k}, J)$ are then $11$, $1111$, and $111111$.)
• The functions $\phi_{11}$, $\phi_{1111}$, and $\phi_{111111}$ are injective, so distinct executions of $e_B(x_1, x_2, x_3, x_4)$ correspond to distinct executions of $e_1(x_1, x_2, x_3)$, $e_2(x_1, x_2, x_3, x_4)$, and $e_3(x_1, x_2, x_3, x_4)$.
• When $\phi_{111111}(\tau)$ is defined, $\phi_{111111}(\tau) \le \phi_{1111}(\tau) \le \phi_{11}(\tau) \le \tau$, so the events $e_1(x_1, x_2, x_3)$, $e_2(x_1, x_2, x_3, x_4)$, and $e_3(x_1, x_2, x_3, x_4)$ are executed in this order, before $e_B(x_1, x_2, x_3, x_4)$.

Similarly, general correspondences allow us to express that, if a protocol participant successfully terminates with honest interlocutors, then the expected messages of the protocol have been exchanged between the protocol participants, in the expected order. This notion is the formal counterpart of the notion of matching conversations initially introduced in the computational model by Bellare and Rogaway [11]. This notion of authentication is also used in [34].

We first focus on non-injective correspondences, and postpone the treatment of general correspondences to Section 7.2.

4 Automatic Verification: from Secrecy to Correspondences

Let us first summarize our analysis for secrecy. The clauses use two predicates: $\mathsf{attacker}$ and $\mathsf{message}$, where $\mathsf{attacker}(M)$ means that the attacker may have the message $M$ and $\mathsf{message}(M, M')$ means that the message $M'$ may be sent on channel $M$. The clauses relate atoms that use these predicates as follows. A clause $\mathsf{message}(M_1, M'_1) \wedge \ldots \wedge \mathsf{message}(M_n, M'_n) \Rightarrow \mathsf{message}(M, M')$ is generated when the process outputs $M'$ on channel $M$ after receiving $M'_1, \ldots, M'_n$ on channels $M_1, \ldots, M_n$ respectively.
A clause $\mathsf{attacker}(M_1) \wedge \ldots \wedge \mathsf{attacker}(M_n) \Rightarrow \mathsf{attacker}(M)$ is generated when the attacker can compute $M$ from $M_1, \ldots, M_n$. The clause $\mathsf{message}(x, y) \wedge \mathsf{attacker}(x) \Rightarrow \mathsf{attacker}(y)$ means that the attacker can listen on channel $x$ when he has $x$, and the clause $\mathsf{attacker}(x) \wedge \mathsf{attacker}(y) \Rightarrow \mathsf{message}(x, y)$ means that the attacker can send any message $y$ he has on any channel $x$ he has. When $\mathsf{attacker}(M)$ is derivable from the clauses, the attacker may have $M$; that is, when $\mathsf{attacker}(M)$ is not derivable from the clauses, we are sure that the attacker cannot have $M$, but the converse is not true, because the Horn clauses can be applied any number of times, which is not true in general for all actions of the process. Similarly, when $\mathsf{message}(M, M')$ is derivable from the clauses, the message $M'$ may be sent on channel $M$. Hence our analysis overapproximates the execution of actions.

Let us now consider that we want to prove a correspondence, for instance $\mathsf{event}(e_1(x)) \rightsquigarrow \mathsf{event}(e_2(x))$. In order to prove this correspondence, we can overapproximate the executions of event $e_1$: if we prove the correspondence with this overapproximation, it will also hold in the exact semantics. So we can easily extend our analysis for secrecy with an additional predicate $\mathsf{event}$, such that $\mathsf{event}(M)$ means that $\mathit{event}(M)$ may have been executed. We generate clauses $\mathsf{message}(M_1, M'_1) \wedge \ldots \wedge \mathsf{message}(M_n, M'_n) \Rightarrow \mathsf{event}(M)$ when the process executes $\mathit{event}(M)$ after receiving $M'_1, \ldots, M'_n$ on channels $M_1, \ldots, M_n$ respectively. However, such an overapproximation cannot be done for the event $e_2$: if we prove the correspondence after overapproximating the execution of $e_2$, we are not really sure that $e_2$ will be executed, so the correspondence may be wrong in the exact semantics. Therefore, we have to use a different method for treating $e_2$.
We use the following idea: we fix the exact set $E$ of allowed events $e_2(M)$ and, in order to prove $\mathsf{event}(e_1(x)) \rightsquigarrow \mathsf{event}(e_2(x))$, we check that only events $e_1(M)$ for $M$ such that $e_2(M) \in E$ can be executed. If we prove this property for any value of $E$, we have proved the desired correspondence. So we introduce a predicate $\mathsf{m\text{-}event}$, such that $\mathsf{m\text{-}event}(e_2(M))$ is true if and only if $e_2(M) \in E$. We generate clauses $\mathsf{message}(M_1, M'_1) \wedge \ldots \wedge \mathsf{message}(M_n, M'_n) \wedge \mathsf{m\text{-}event}(e_2(M_0)) \Rightarrow \mathsf{message}(M, M')$ when the process outputs $M'$ on channel $M$ after executing the event $e_2(M_0)$ and receiving $M'_1, \ldots, M'_n$ on channels $M_1, \ldots, M_n$ respectively. In other words, the output of $M'$ on channel $M$ can be executed only when $\mathsf{m\text{-}event}(e_2(M_0))$ is true, that is, $e_2(M_0) \in E$. (When the output of $M'$ on channel $M$ is under several events, the clause contains several $\mathsf{m\text{-}event}$ atoms in its hypothesis. We also have similar clauses with $\mathsf{event}(e_1(M))$ instead of $\mathsf{message}(M, M')$ when the event $e_1$ is executed after executing $e_2$ and receiving $M'_1, \ldots, M'_n$ on channels $M_1, \ldots, M_n$ respectively.) For instance, if the events $e_2(M_1)$ and $e_2(M_2)$ are executed in a certain trace of the protocol, we define $E = \{e_2(M_1), e_2(M_2)\}$, so that $\mathsf{m\text{-}event}(e_2(M_1))$ and $\mathsf{m\text{-}event}(e_2(M_2))$ are true and all other $\mathsf{m\text{-}event}$ facts are false. Then we show that the only events $e_1$ that may be executed are $e_1(M_1)$ and $e_1(M_2)$. We prove a similar result for all values of $E$, which proves the desired correspondence.

In order to determine whether an atom is derivable from the clauses, we use a resolution-based algorithm. The resolution is performed for an unknown value of $E$. So, basically, we keep $\mathsf{m\text{-}event}$ atoms without trying to evaluate them (which we cannot do since $E$ is unknown).
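The idea just described, as an added example that is not ProVerif's implementation: a small resolution-based saturation over constructed Horn clauses in which $\mathsf{m\text{-}event}$ atoms are never selected, so that they survive in the hypotheses of the derived clauses; $\mathsf{event}(e_1(x)) \rightsquigarrow \mathsf{event}(e_2(x))$ is established when every derived clause concluding $\mathsf{event}(e_1(M))$ carries $\mathsf{m\text{-}event}(e_2(M))$. The term encoding, the selection function (which also leaves $\mathsf{attacker}(x)$ with $x$ a variable unselected so that the attacker's constructor clauses are not expanded) and the two toy protocols are assumptions of this example.

```python
# Added example (not ProVerif's code). Terms: variables are strings starting with '?',
# names such as k are other strings, constructor applications are tuples ('f', arg, ...).
# Atoms are ('attacker', t), ('event', t) or ('m-event', t); a clause is (hyps, concl).
def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def subst(t, s):
    """Apply the substitution s (variable -> term) to a term or atom, chasing bindings."""
    if is_var(t):
        return subst(s[t], s) if t in s else t
    return tuple(subst(u, s) for u in t) if isinstance(t, tuple) else t

def occurs(v, t):
    return t == v or (isinstance(t, tuple) and any(occurs(v, u) for u in t))

def unify(a, b, s=None):
    """Most general unifier of a and b extending the dict s, or None."""
    s = {} if s is None else s
    a, b = subst(a, s), subst(b, s)
    if a == b:
        return s
    if is_var(b):
        a, b = b, a
    if is_var(a):
        if occurs(a, b):
            return None
        s[a] = b
        return s
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        return s if all(unify(x, y, s) is not None for x, y in zip(a, b)) else None
    return None

def rename(clause, prefix):
    """Rename variables to ?prefix1, ?prefix2, ... in order of appearance (conclusion first)."""
    hyps, concl = clause
    m = {}
    def r(t):
        if is_var(t):
            return m.setdefault(t, f"?{prefix}{len(m) + 1}")
        return tuple(r(u) for u in t) if isinstance(t, tuple) else t
    c = r(concl)
    return tuple(r(h) for h in hyps), c

def canon(clause):
    """Canonical form (renamed, hypotheses sorted) used to detect clauses already known."""
    hyps, concl = rename(clause, "v")
    return tuple(sorted(set(hyps), key=repr)), concl

def select(hyps):
    """Selection function: never m-event atoms, never attacker(x) with x a variable."""
    for h in hyps:
        if h[0] != "m-event" and not (h[0] == "attacker" and is_var(h[1])):
            return h
    return None

def resolve(solved, clause):
    """Resolve the conclusion of a solved clause against the selected hypothesis of clause."""
    h1, c1 = rename(solved, "a")
    h2, c2 = rename(clause, "b")
    sel = select(h2)
    s = unify(c1, sel)
    if s is None:
        return None
    hyps = tuple(subst(h, s) for h in h1 + tuple(h for h in h2 if h != sel))
    return canon((hyps, subst(c2, s)))

def saturate(clauses):
    """Solved clauses (no selectable hypothesis) derived from the initial clause set."""
    clauses = {canon(c) for c in clauses}
    solved = {c for c in clauses if select(c[0]) is None}
    unsolved = clauses - solved
    changed = True
    while changed:
        changed = False
        for sc in list(solved):
            for uc in list(unsolved):
                r = resolve(sc, uc)
                if r is None or r[1] in r[0] or r in solved or r in unsolved:
                    continue  # no unifier, tautology, or clause already known
                (solved if select(r[0]) is None else unsolved).add(r)
                changed = True
    return solved

def unjustified(clauses, e_begin, e_end):
    """Solved clauses concluding event(e_end(...)) without m-event(e_begin(...)) on the
    same arguments; an empty list proves event(e_end(x)) ~> event(e_begin(x))."""
    bad = []
    for hyps, concl in saturate(clauses):
        if concl[0] == "event" and concl[1][0] == e_end:
            if ("m-event", (e_begin,) + concl[1][1:]) not in hyps:
                bad.append((hyps, concl))
    return bad

# Constructed clauses. Attacker: symmetric encryption senc, decryption, and a public
# constructor f; outputs on the public channel are written directly as attacker facts.
# B executes e2(x) before answering x; A executes e1(y) when it receives B's answer.
ATTACKER = [
    ((("attacker", "?x"), ("attacker", "?k")), ("attacker", ("senc", "?x", "?k"))),
    ((("attacker", ("senc", "?x", "?k")), ("attacker", "?k")), ("attacker", "?x")),
    ((("attacker", "?x"),), ("attacker", ("f", "?x"))),
]
KEYED = ATTACKER + [  # B's answer is encrypted under the shared secret key k (a name)
    ((("attacker", "?x"), ("m-event", ("e2", "?x"))), ("attacker", ("senc", "?x", "k"))),
    ((("attacker", ("senc", "?y", "k")),), ("event", ("e1", "?y"))),
]
UNKEYED = ATTACKER + [  # B's answer f(x) can be built by the attacker without e2(x)
    ((("attacker", "?x"), ("m-event", ("e2", "?x"))), ("attacker", ("f", "?x"))),
    ((("attacker", ("f", "?y")),), ("event", ("e1", "?y"))),
]
```

`unjustified(KEYED, "e2", "e1")` returns `[]`, while for `UNKEYED` it returns the clause $\mathsf{attacker}(x) \Rightarrow \mathsf{event}(e_1(x))$, which exhibits why the correspondence fails there.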
In the vocabulary of resolution, we never select $\mathsf{m\text{-}event}$ atoms. (We detail this point in Section 6.1.) Thus the obtained result holds for any value of $E$, which allows us to prove correspondences. In order to prove the correspondence $\mathsf{event}(e_1(x)) \rightsquigarrow \mathsf{event}(e_2(x))$, we show that $\mathsf{event}(e_1(M))$ is derivable only when $\mathsf{m\text{-}event}(e_2(M))$ holds. We transform the initial set of clauses into a set of clauses that derives the same atoms. If, in the obtained set of clauses, all clauses that conclude $\mathsf{event}(e_1(M))$ contain $\mathsf{m\text{-}event}(e_2(M))$ in their hypotheses, then $\mathsf{event}(e_1(M))$ is derivable only when $\mathsf{m\text{-}event}(e_2(M))$ holds, so the desired correspondence holds.

We still have to solve one problem. For simplicity, we have considered that terms, which represent messages, are directly used in clauses. However, in order to represent nonces in our analysis for secrecy, we use a special encoding of names: a name $a$ created by a restriction $(\nu a)$ is represented by a function $a[M_1, \ldots, M_n]$ of the messages $M_1, \ldots, M_n$ received above the restriction, so that names created after receiving different messages are distinguished in the analysis (which is important for the precision of the analysis). However, this encoding still merges names created by the same restriction after receiving the same messages. For example, in the process $!c(x).(\nu a)$, the names created by $(\nu a)$ are represented by $a[x]$, so several names created for the same value of $x$ are merged. This merging is not acceptable for the verification of correspondences, because when we prove $\mathsf{event}(e_1(x)) \rightsquigarrow \mathsf{event}(e_2(x))$, we must make sure that $x$ contains exactly the same names in $e_1(x)$ and in $e_2(x)$.
In order to solve this problem, we label each replication with a session identifier $i$, which is an integer that takes a different value for each copy of the process generated by the replication. We add session identifiers as arguments to our encoding of names, which becomes $a[M_1, \ldots, M_n, i_1, \ldots, i_{n'}]$ where $i_1, \ldots, i_{n'}$ are the session identifiers of the replications above the restriction $(\nu a)$. For example, in the process $!c(x).(\nu a)$, the names created by $(\nu a)$ are represented by $a[x, i]$. Each execution of the restriction is then associated with a distinct value of the session identifiers $i_1, \ldots, i_{n'}$, so each name has a distinct encoding. We detail and formalize this encoding in Section 5.1.

5 From Processes to Horn Clauses

In this section, we first explain the instrumentation of processes with session identifiers. Next, we explain the translation of processes into Horn clauses.

5.1 Instrumented Processes

We consider a closed process $P_0$ representing the protocol we wish to check. We assume that the bound names of $P_0$ have been renamed so that they are pairwise distinct and distinct from names in $\mathit{Init} \cup \mathit{fn}(P_0)$ and in the correspondence to prove. We denote by $Q$ a particular adversary; below, we prove the correspondence properties for any $Q$. Furthermore, we assume that, in the initial configuration $E_0, \{P_0, Q\}$, the names of $E_0$ not in $\mathit{Init} \cup \mathit{fn}(P_0)$ or in the correspondence to prove have been renamed to fresh names, and the bound names of $Q$ have been renamed so that they are pairwise distinct and fresh. (These renamings do not change the satisfied correspondences, since $(\nu a)P$ and the renamed process $(\nu a')P\{a'/a\}$ reduce to the same configuration by (Red Res).)
After encoding names, the terms are represented by patterns $p$ (or "terms", but we prefer the word "patterns" in order to avoid confusion), which are generated by the following grammar:

  $p ::=$                                              patterns
    $x, y, z, i$                                       variable
    $a[p_1, \ldots, p_n, i_1, \ldots, i_{n'}]$         name
    $f(p_1, \ldots, p_n)$                              constructor application

For each name $a$ in $P_0$ we have a corresponding pattern construct $a[p_1, \ldots, p_n, i_1, \ldots, i_{n'}]$. We treat $a$ as a function symbol, and write $a[p_1, \ldots, p_n, i_1, \ldots, i_{n'}]$ rather than $a(p_1, \ldots, p_n, i_1, \ldots, i_{n'})$ only to distinguish names from constructors. The symbol $a$ in $a[\ldots]$ is called a name function symbol. If $a$ is a free name, then its encoding is simply $a[\,]$. If $a$ is bound by a restriction $(\nu a)P$ in $P_0$, then its encoding $a[\ldots]$ takes as arguments session identifiers $i_1, \ldots, i_{n'}$, which can be constant session identifiers $\lambda$ or variables $i$ (taken in a set $V_s$ disjoint from the set $V_o$ of ordinary variables). There is one session identifier for each replication above the restriction $(\nu a)$. The pattern $a[\ldots]$ may also take as arguments patterns $p_1, \ldots, p_n$ containing the messages received by inputs above the restriction $(\nu a)P$ in the abstract syntax tree of $P_0$ and the results of destructor applications above the restriction $(\nu a)P$. (The precise definition is given below.)

In order to define formally the patterns associated with a name, we use a notion of instrumented processes. The syntax of instrumented processes is defined as follows:
• The replication $!P$ is labeled with a variable $i$ in $V_s$: $!^i P$. The process $!^i P$ represents copies of $P$ for a countable number of values of $i$. The variable $i$ is a session identifier. It indicates which copy of $P$, that is, which session, is executed.
• The restriction $(\nu a)P$ is labeled with a restriction label $\ell$: $(\nu a : \ell)P$, where $\ell$ is either $a[M_1, \ldots, M_n, i_1, \ldots, i_{n'}]$ for restrictions in honest processes or $b_0[a[i_1, \ldots, i_{n'}]]$ for restrictions in the adversary. The symbol $b_0$ is a special name function symbol, distinct from all other such symbols. Using a specific instrumentation for the adversary is helpful so that all names generated by the adversary are encoded by instances of $b_0[x]$. They are therefore easy to generate. This labeling of restrictions is similar to a Church-style typing: $\ell$ can be considered as the type of $a$. (This type is polymorphic since it can contain variables.)

The instrumented processes are then generated by the following grammar:

  $P, Q ::=$                   instrumented processes
    $!^i P$                    replication
    $(\nu a : \ell)P$          restriction
    $\ldots$                   (as in the standard calculus)

For instrumented processes, a semantic configuration $S, E, \mathcal{P}$ consists of a set $S$ of session identifiers that have not yet been used by $\mathcal{P}$, an environment $E$ that is a mapping from names to closed patterns of the form $a[\ldots]$, and a finite multiset of instrumented processes $\mathcal{P}$. The first semantic configuration uses any countable set of session identifiers $S_0$. The domain of $E$ must always contain all free names of processes in $\mathcal{P}$, and the initial environment maps all names $a$ to the pattern $a[\,]$. The semantic rules (Red Repl) and (Red Res) become:
$$S, E, \mathcal{P} \cup \{!^i P\} \to S \setminus \{\lambda\}, E, \mathcal{P} \cup \{P\{\lambda/i\}, !^i P\} \quad \text{where } \lambda \in S \qquad \text{(Red Repl)}$$
$$S, E, \mathcal{P} \cup \{(\nu a : \ell)P\} \to S, E[a' \mapsto E(\ell)], \mathcal{P} \cup \{P\{a'/a\}\} \quad \text{if } a' \notin \mathit{dom}(E) \qquad \text{(Red Res)}$$
where the mapping $E$ is extended to all terms as a substitution by $E(f(M_1, \ldots, M_n)) = f(E(M_1), \ldots, E(M_n))$ and to restriction labels by $E(a[M_1, \ldots, M_n, i_1, \ldots, i_{n'}]) = a[E(M_1), \ldots, E(M_n), i_1, \ldots, i_{n'}]$ and $E(b_0[a[i_1, \ldots, i_{n'}]]) = b_0[a[i_1, \ldots, i_{n'}]]$, so that it maps terms and restriction labels to patterns. The rule (Red Repl) takes an unused constant session identifier $\lambda$ in $S$, and creates a copy of $P$ with session identifier $\lambda$. The rule (Red Res) creates a fresh name $a'$, substitutes it for $a$ in $P$, and adds to the environment $E$ the mapping of $a'$ to its encoding $E(\ell)$. Other semantic rules $E, \mathcal{P} \to E, \mathcal{P}'$ simply become $S, E, \mathcal{P} \to S, E, \mathcal{P}'$.

The instrumented process $P'_0 = \mathit{instr}(P_0)$ associated with the process $P_0$ is built from $P_0$ as follows:
• We label each replication $!P$ of $P_0$ with a distinct, fresh session identifier $i$, so that it becomes $!^i P$.
• We label each restriction $(\nu a)$ of $P_0$ with $a[t, s]$, so that it becomes $(\nu a : a[t, s])$, where $s$ is the sequence of session identifiers that label replications above $(\nu a)$ in the abstract syntax tree of $P'_0$, in the order from top to bottom; $t$ is the sequence of variables $x$ that store received messages in inputs $M(x)$ above $(\nu a)$ in $P_0$ and results of non-deterministic destructor applications $\mathit{let}\ x = g(\ldots)\ \mathit{in}\ P\ \mathit{else}\ Q$ above $(\nu a)$ in $P_0$. (A destructor is said to be non-deterministic when it may return several different results for the same arguments. Adding the result of destructor applications to $t$ is useful to improve precision only for non-deterministic destructors. For deterministic destructors, the result of the destructor can be uniquely determined from the other elements of $t$, so the addition is useless. If we add the result of non-deterministic destructors to $t$, we can show that the relative completeness result of [1] still holds in the presence of non-deterministic destructors. This result shows that, for secrecy, the Horn clause approach is at least as precise as a large class of type systems.)
Hence names are represented by functions $a[t, s]$ of the inputs and results of destructor applications in $t$ and the session identifiers in $s$. In each trace of the process, at most one name corresponds to a given $a[t, s]$, since different copies of the restriction have different values of session identifiers in $s$. Therefore, different names are not merged by the verifier.

For the adversary, we use a slightly different instrumentation. We build the instrumented process $Q' = \math rm{instrAdv}(Q)$ as follows:
• We label each replication $!P$ of $Q$ with a distinct, fresh session identifier $i$, so that it becomes ${!}^{i} P$.
• We label each restriction $(\nu a)$ of $Q$ with $b_0[a[s]]$, so that it becomes $(\nu a : b_0[a[s]])$, where $s$ is the sequence of session identifiers that label replications above $(\nu a)$ in $Q'$. (Including the session identifiers as arguments of nonces is necessary for soundness, as discussed in Section 4. Including the messages previously received as arguments of nonces is important for precision in the case of honest processes, in order to relate the nonces to these messages. It is however useless for the adversary: since we consider any $\mathit{Init}$-adversary $Q$, we have no definite information on the relation between nonces generated by the adversary and messages previously received by the adversary.)

Remark 2 By moving restrictions downwards in the syntax tree of the process (until the point at which the fresh name is used), one can add more arguments to the pattern that represents the fresh name, when the restriction is moved under an input, replication, or destructor application. Therefore, this transformation can make our analysis more precise. The tool can perform this transformation automatically.

Example 6 The instrumentation of the process of Section 2.3 yields:
\[
\begin{array}{l}
P'_A(\mathit{sk}_A, \mathit{pk}_A, \mathit{pk}_B) = {!}^{i_A} c(x_{\mathit{pk}_B}).(\nu a : a[x_{\mathit{pk}_B}, i_A]) \ldots (\nu r_1 : r_1[x_{\mathit{pk}_B}, i_A]) \ldots c(m) \ldots (\nu r_3 : r_3[x_{\mathit{pk}_B}, m, i_A]) \ldots\\
P'_B(\mathit{sk}_B, \mathit{pk}_B, \mathit{pk}_A) = {!}^{i_B} c(m') \ldots (\nu b : b[m', i_B]) \ldots (\nu r_2 : r_2[m', i_B]) \ldots\\
P' = (\nu \mathit{sk}_A : \mathit{sk}_A[\,])(\nu \mathit{sk}_B : \mathit{sk}_B[\,]) \ldots (P'_A(\mathit{sk}_A, \mathit{pk}_A, \mathit{pk}_B) \mid P'_B(\mathit{sk}_B, \mathit{pk}_B, \mathit{pk}_A))
\end{array}
\]
The names created by the restriction $(\nu a)$ will be represented by the pattern $a[x_{\mathit{pk}_B}, i_A]$, so we have a different pattern for each copy of the process, indexed by $i_A$, and the pattern also records the public key $x_{\mathit{pk}_B}$ of the interlocutor of $A$. Similarly, the names created by the restriction $(\nu b)$ will be represented by the pattern $b[m', i_B]$.

The semantics of instrumented processes allows exactly the same communications and events as the one of standard processes. More precisely, let $\mathcal{P}$ be a multiset of instrumented processes. We define $\mathrm{unInstr}(\mathcal{P})$ as the multiset of processes of $\mathcal{P}$ without the instrumentation. Thus we have:

Proposition 1 If $E_0, \{P_0, Q\} \to^* E_1, \mathcal{P}_1$, then there exist $E'_1$ and $\mathcal{P}'_1$ such that for any $S$, countable set of session identifiers, there exists $S'$ such that $S, \{a \mapsto a[\,] \mid a \in E_0\}, \{\mathrm{instr}(P_0), \mathrm{instrAdv}(Q)\} \to^* S', E'_1, \mathcal{P}'_1$, $\mathrm{dom}(E'_1) = E_1$, $\mathrm{unInstr}(\mathcal{P}'_1) = \mathcal{P}_1$, and both traces execute the same events at the same steps and satisfy the same atoms. Conversely, if $S, \{a \mapsto a[\,] \mid a \in E_0\}, \{\mathrm{instr}(P_0), \mathrm{instrAdv}(Q)\} \to^* S', E'_1, \mathcal{P}'_1$, then $E_0, \{P_0, Q\} \to^* \mathrm{dom}(E'_1), \mathrm{unInstr}(\mathcal{P}'_1)$, and both traces execute the same events at the same steps and satisfy the same atoms.

Proof This is an easy proof by induction on the length of the traces. The reduction rules applied in both traces are rules with the same name. ✷

We can define correspondences for instrumented processes.
These correspondences and the clauses use facts defined by the following grammar:
\[
\begin{array}{lll}
F ::= & & \text{facts}\\
& \mathit{attacker}(p) & \text{attacker knowledge}\\
& \mathit{message}(p, p') & \text{message on a channel}\\
& \mathit{m\text{-}event}(p) & \text{must-event}\\
& \mathit{event}(p) & \text{may-event}
\end{array}
\]
The fact $\mathit{attacker}(p)$ means that the attacker may have $p$, and the fact $\mathit{message}(p, p')$ means that the message $p'$ may appear on channel $p$. The fact $\mathit{m\text{-}event}(p)$ means that $\mathit{event}(M)$ must have been executed with $M$ corresponding to $p$, and $\mathit{event}(p)$ that $\mathit{event}(M)$ may have been executed with $M$ corresponding to $p$. We use the word "fact" to distinguish them from atoms $\mathit{attacker}(M)$, $\mathit{message}(M, M')$, and $\mathit{event}(M)$. The correspondences do not use the fact $\mathit{m\text{-}event}(p)$, but the clauses use it.

The mapping $E$ of a semantic configuration is extended to atoms by $E(\mathit{attacker}(M)) = \mathit{attacker}(E(M))$, $E(\mathit{message}(M, M')) = \mathit{message}(E(M), E(M'))$, and $E(\mathit{event}(M)) = \mathit{event}(E(M))$, so that it maps atoms to facts. We define that an instrumented trace $T$ satisfies an atom $\alpha$ by naturally adapting Definition 2. When $F$ is not $\mathit{m\text{-}event}(p)$, we say that an instrumented trace $T = S_0, E_0, \mathcal{P}_0 \to^* S', E', \mathcal{P}'$ satisfies a fact $F$ when there exists an atom $\alpha$ such that $T$ satisfies $\alpha$ and $E'(\alpha) = F$. We also define that $\mathit{event}(M)$ is executed at step $\tau$ in the instrumented trace $T$ by naturally adapting Definition 6. We say that $\mathit{event}(p)$ is executed at step $\tau$ in the instrumented trace $T = S_0, E_0, \mathcal{P}_0 \to^* S', E', \mathcal{P}'$ when there exists a term $M$ such that $\mathit{event}(M)$ is executed at step $\tau$ in $T$ and $E'(M) = p$.

Definition 10 Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}(P_0)$. The instrumented process $P'_0$ satisfies the correspondence
\[ F \Rightarrow \bigvee_{j=1}^{m} \Big( F_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathit{event}(p_{jk}) \Big) \]
against $\mathit{Init}$-adversaries if and only if, for any $\mathit{Init}$-adversary $Q$, for any trace $T = S_0, E_0, \{P'_0, Q'\} \to^* S', E', \mathcal{P}'$, with $Q' = \mathrm{instrAdv}(Q)$, $E_0(a) = a[\,]$ for all $a \in \mathrm{dom}(E_0)$, and $\mathrm{fn}(P'_0) \cup \mathit{Init} \subseteq \mathrm{dom}(E_0)$, if $T$ satisfies $\sigma F$ for some substitution $\sigma$, then there exist $\sigma'$ and $j \in \{1, \ldots, m\}$ such that $\sigma' F_j = \sigma F$ and for all $k \in \{1, \ldots, l_j\}$, $T$ satisfies $\mathit{event}(\sigma' p_{jk})$.

A correspondence for instrumented processes implies a correspondence for standard processes, as shown by the following lemma, proved in Appendix A.

Lemma 1 Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}(P_0)$. Let $M_{jk}$ ($j \in \{1, \ldots, m\}$, $k \in \{1, \ldots, l_j\}$) be terms; let $\alpha$ and $\alpha_j$ ($j \in \{1, \ldots, m\}$) be atoms. Let $p_{jk}$, $F$, $F_j$ be the patterns and facts obtained by replacing names $a$ with patterns $a[\,]$ in the terms and atoms $M_{jk}$, $\alpha$, $\alpha_j$ respectively. If $P'_0$ satisfies the correspondence
\[ F \Rightarrow \bigvee_{j=1}^{m} \Big( F_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathit{event}(p_{jk}) \Big) \]
against $\mathit{Init}$-adversaries then $P_0$ satisfies the correspondence
\[ \alpha \Rightarrow \bigvee_{j=1}^{m} \Big( \alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathit{event}(M_{jk}) \Big) \]
against $\mathit{Init}$-adversaries.

For instrumented processes, we can specify properties referring to bound names of the process, which are represented by patterns. Such a specification is impossible in standard processes, because bound names can be renamed, so they cannot be referenced in terms in correspondences.

5.2 Generation of Horn Clauses

Given a closed process $P_0$ and a set of names $\mathit{Init}$, the protocol verifier first instruments $P_0$ to obtain $P'_0 = \mathrm{instr}(P_0)$, then it builds a set of Horn clauses, representing the protocol in parallel with any $\mathit{Init}$-adversary. The clauses are of the form $F_1 \wedge \ldots \wedge F_n \Rightarrow F$, where $F_1, \ldots, F_n, F$ are facts.
They comprise clauses for the attacker and clauses for the protocol, defined below. These clauses form the set $\mathcal{R}_{P'_0, \mathit{Init}}$. The predicate $\mathit{m\text{-}event}$ is defined by a set of closed facts $\mathcal{F}_{me}$, such that $\mathit{m\text{-}event}(p)$ is true if and only if $\mathit{m\text{-}event}(p) \in \mathcal{F}_{me}$. The facts in $\mathcal{F}_{me}$ do not belong to $\mathcal{R}_{P'_0, \mathit{Init}}$. The set $\mathcal{F}_{me}$ is the set of facts that corresponds to the set of allowed events $\mathcal{E}$, mentioned in Section 4.

5.2.1 Clauses for the Attacker

The clauses describing the attacker are almost the same as for the verification of secrecy in [1]. The only difference is that, here, the attacker is given an infinite set of fresh names $b_0[x]$, instead of only one fresh name $b_0[\,]$. Indeed, we cannot merge all fresh names created by the attacker, since we have to make sure that different terms are represented by different patterns for the verification of correspondences to be correctly implemented, as seen in Section 4. The abilities of the attacker are then represented by the following clauses:
\[
\begin{array}{lr}
\text{For each } a \in \mathit{Init},\ \mathit{attacker}(a[\,]) & \text{(Init)}\\
\mathit{attacker}(b_0[x]) & \text{(Rn)}\\
\text{For each public constructor } f \text{ of arity } n, & \\
\quad \mathit{attacker}(x_1) \wedge \ldots \wedge \mathit{attacker}(x_n) \Rightarrow \mathit{attacker}(f(x_1, \ldots, x_n)) & \text{(Rf)}\\
\text{For each public destructor } g, \text{ for each rewrite rule } g(M_1, \ldots, M_n) \to M \text{ in } \mathrm{def}(g), & \\
\quad \mathit{attacker}(M_1) \wedge \ldots \wedge \mathit{attacker}(M_n) \Rightarrow \mathit{attacker}(M) & \text{(Rg)}\\
\mathit{message}(x, y) \wedge \mathit{attacker}(x) \Rightarrow \mathit{attacker}(y) & \text{(Rl)}\\
\mathit{attacker}(x) \wedge \mathit{attacker}(y) \Rightarrow \mathit{message}(x, y) & \text{(Rs)}
\end{array}
\]
The clause (Init) represents the initial knowledge of the attacker. The clause (Rn) means that the attacker can generate an unbounded number of new names. The clauses (Rf) and (Rg) mean that the attacker can apply all operations to all terms it has, (Rf) for constructors, (Rg) for destructors. For (Rg), notice that the rewrite rules in $\mathrm{def}(g)$ do not contain names and that terms without names are also patterns, so the clauses have the required format. Clause (Rl) means that the attacker can listen on all channels it has, and (Rs) that it can send all messages it has on all channels it has. If $c \in \mathit{Init}$, we can replace all occurrences of $\mathit{message}(c[\,], M)$ with $\mathit{attacker}(M)$ in the clauses. Indeed, these facts are equivalent by the clauses (Rl) and (Rs).

5.2.2 Clauses for the Protocol

When a function $\rho$ associates a pattern with each name and variable, and $f$ is a constructor, we extend $\rho$ as a substitution by $\rho(f(M_1, \ldots, M_n)) = f(\rho(M_1), \ldots, \rho(M_n))$. The translation $[\![P]\!]\rho H$ of a process $P$ is a set of clauses, where $\rho$ is a function that associates a pattern with each name and variable, and $H$ is a sequence of facts of the form $\mathit{message}(p, p')$ or $\mathit{m\text{-}event}(p)$. The environment $\rho$ maps each variable and name to its associated pattern representation. The sequence $H$ keeps track of events that have been executed and of messages received by the process, since these may trigger other messages. The empty sequence is denoted by $\emptyset$; the concatenation of a fact $F$ to the sequence $H$ is denoted by $H \wedge F$. The pattern $\rho i$ is always a session identifier variable of $V_s$.
\[
\begin{array}{l}
[\![0]\!]\rho H = \emptyset\\
[\![P \mid Q]\!]\rho H = [\![P]\!]\rho H \cup [\![Q]\!]\rho H\\
[\![{!}^{i} P]\!]\rho H = [\![P]\!](\rho[i \mapsto i])H\\
[\![(\nu a : a[M_1, \ldots, M_n, i_1, \ldots, i_{n'}])P]\!]\rho H = [\![P]\!](\rho[a \mapsto a[\rho(M_1), \ldots, \rho(M_n), \rho(i_1), \ldots, \rho(i_{n'})]])H\\
[\![M(x).P]\!]\rho H = [\![P]\!](\rho[x \mapsto x])(H \wedge \mathit{message}(\rho(M), x))\\
[\![M\langle N\rangle.P]\!]\rho H = [\![P]\!]\rho H \cup \{H \Rightarrow \mathit{message}(\rho(M), \rho(N))\}\\
[\![\mathrm{let}\ x = g(M_1, \ldots, M_n)\ \mathrm{in}\ P\ \mathrm{else}\ Q]\!]\rho H = \bigcup\{[\![P]\!]((\sigma\rho)[x \mapsto \sigma' p'])(\sigma H) \mid g(p'_1, \ldots, p'_n) \to p' \text{ is in } \mathrm{def}(g) \text{ and } (\sigma, \sigma') \text{ is a most general pair of substitutions such that } \sigma\rho(M_1) = \sigma' p'_1, \ldots, \sigma\rho(M_n) = \sigma' p'_n\} \cup [\![Q]\!]\rho H\\
[\![\mathrm{if}\ M = N\ \mathrm{then}\ P\ \mathrm{else}\ Q]\!]\rho H = [\![P]\!](\sigma\rho)(\sigma H) \cup [\![Q]\!]\rho H \text{ where } \sigma \text{ is the most general unifier of } \rho(M) \text{ and } \rho(N)\\
[\![\mathit{event}(M).P]\!]\rho H = [\![P]\!]\rho(H \wedge \mathit{m\text{-}event}(\rho(M))) \cup \{H \Rightarrow \mathit{event}(\rho(M))\}
\end{array}
\]
The translation of a process is a set of Horn clauses that express that it may send certain messages or execute certain events. The clauses are similar to those of [1], except in the cases of replication, restriction, and the addition of events.
• The nil process does nothing, so its translation is empty.
• The clauses for the parallel composition of processes $P$ and $Q$ are the union of clauses for $P$ and $Q$.
• The replication only inserts the new session identifier $i$ in the environment $\rho$. It is otherwise ignored, because all Horn clauses are applicable arbitrarily many times.
• For the restriction, we replace the restricted name $a$ in question with the pattern $a[\rho(M_1), \ldots, \rho(M_n), \rho(i_1), \ldots, \rho(i_{n'})]$. By definition of the instrumentation, this pattern contains the previous inputs, results of non-deterministic destructor applications, and session identifiers.
• The sequence $H$ is extended in the translation of an input, with the input in question.
• The translation of an output adds a clause, meaning that the output is triggered when all conditions in $H$ are true.
• The translation of a destructor application is the union of the clauses for the cases where the destructor succeeds (with an appropriate substitution) and where the destructor fails. For simplicity, we assume that the else branch of destructors may always be executed; this is sufficient in most cases, since the else branch is often empty or just sends an error message. We outline a more precise treatment in Section 9.2.
• The conditional $\mathrm{if}\ M = N\ \mathrm{then}\ P\ \mathrm{else}\ Q$ is in fact equivalent to $\mathrm{let}\ x = \mathit{equal}(M, N)\ \mathrm{in}\ P\ \mathrm{else}\ Q$, where the destructor $\mathit{equal}$ is defined by $\mathit{equal}(x, x) \to x$, so the translation of the conditional is a particular case of the destructor application. We give it explicitly since it is particularly simple.
• The translation of an event adds the hypothesis $\mathit{m\text{-}event}(\rho(M))$ to $H$, meaning that $P$ can be executed only if the event has been executed first. Furthermore, it adds a clause, meaning that the event is triggered when all conditions in $H$ are true.

Remark 3 Depending on the form of the correspondences we want to prove, we can sometimes simplify the clauses generated for events. Suppose that all arguments of events in the process and in correspondences are of the form $f(M_1, \ldots, M_n)$ for some function symbol $f$. If, for a certain function symbol $f$, events $\mathit{event}(f(\ldots))$ occur only before $\Rightarrow$ in the desired correspondences, then it is easy to see in the following theorems that hypotheses of the form $\mathit{m\text{-}event}(f(\ldots))$ in clauses can be removed without changing the result, so the clauses generated by the event $\mathit{event}(M)$ when $M$ is of the form $f(\ldots)$ can be simplified into:
\[ [\![\mathit{event}(M).P]\!]\rho H = [\![P]\!]\rho H \cup \{H \Rightarrow \mathit{event}(\rho(M))\} \]
(Intuitively, since the events $\mathit{event}(f(\ldots))$ occur only before $\Rightarrow$ in the desired correspondences, we never prove that an event $\mathit{event}(f(\ldots))$ has been executed, so the facts $\mathit{m\text{-}event}(f(\ldots))$ are useless.) Similarly, if $\mathit{event}(f(\ldots))$ occurs only after $\Rightarrow$ in the desired correspondences, then clauses that conclude a fact of the form $\mathit{event}(f(\ldots))$ can be removed without changing the result, so the clauses generated by the event $\mathit{event}(M)$ when $M$ is of the form $f(\ldots)$ can be simplified into:
\[ [\![\mathit{event}(M).P]\!]\rho H = [\![P]\!]\rho(H \wedge \mathit{m\text{-}event}(\rho(M))) \]
(Intuitively, since the events $\mathit{event}(f(\ldots))$ occur only after $\Rightarrow$ in the desired correspondences, we never prove properties of the form "if $\mathit{event}(f(\ldots))$ has been executed, then ...", so clauses that conclude $\mathit{event}(f(\ldots))$ are useless.)

This translation of the protocol into Horn clauses introduces approximations. The actions are considered as implicitly replicated, since the clauses can be applied any number of times. This approximation implies that the tool fails to prove protocols that first need to keep some value secret and later reveal it. For instance, consider the process $(\nu d)(d\langle s\rangle.c\langle d\rangle \mid d(x))$. This process preserves the secrecy of $s$, because $s$ is output on the private channel $d$ and received by the input on $d$, before the adversary gets to know $d$ by the output of $d$ on the public channel $c$. However, the Horn clause method cannot prove this property, because it treats this process like a variant with additional replications $(\nu d)(!d\langle s\rangle.c\langle d\rangle \mid\ !d(x))$, which does not preserve the secrecy of $s$. Similarly, the process $(\nu d)(d\langle M\rangle \mid d(x).d(x).\mathit{event}(e_1))$ never executes the event $e_1$, but the Horn clause method cannot prove this property because it treats this process like $(\nu d)(!d\langle M\rangle \mid d(x).d(x).\mathit{event}(e_1))$, which may execute $e_1$. The only exception to this implicit replication of processes is the creation of new names: since session identifiers appear in patterns, the created name is precisely related to the session that creates it, so name creation cannot be unduly repeated inside the same session. Due to these approximations, our tool is not complete (it may produce false attacks) but, as we show below, it is sound (the security properties that it proves are always true).
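As an added example that is not the paper's or ProVerif's code, the translation rules of this section for the cases that need no unification (0, parallel composition, replication, restriction, input, output and event), run on a small constructed process; the process itself, the constructor names e and senc, and the tuple encoding of terms and patterns are assumptions of the example:

```python
"""Translation [[P]]ρH of instrumented processes into Horn clauses (Section 5.2.2).
Added example, not the paper's or ProVerif's code; let/if (which need unification) are
left out. Process terms: ('var', x), ('name', a), (f, (args...)); patterns: ('var', x),
('name', a, (args...)) for a[args], (f, (args...)). A fact is (predicate, args...)."""

def subst(rho, M):
    """Extend rho (names and variables -> patterns) to terms, as a substitution."""
    if M[0] in ('var', 'name'):
        return rho[M[1]]
    return (M[0], tuple(subst(rho, N) for N in M[1]))

def translate(P, rho, H=()):
    """[[P]]ρH: the set of clauses (hypotheses_tuple, conclusion) generated by P."""
    kind = P[0]
    if kind == 'nil':                                  # [[0]]ρH = ∅
        return set()
    if kind == 'par':                                  # [[P | Q]]ρH = [[P]]ρH ∪ [[Q]]ρH
        return translate(P[1], rho, H) | translate(P[2], rho, H)
    if kind == 'repl':                                 # !^i P: only bind the session identifier i
        i, Q = P[1], P[2]
        return translate(Q, {**rho, i: ('var', i)}, H)
    if kind == 'new':                                  # (νa : a[M1..Mn, i1..in']) P
        a, label, Q = P[1], P[2], P[3]
        pat = ('name', a, tuple(subst(rho, M) for M in label))
        return translate(Q, {**rho, a: pat}, H)
    if kind == 'in':                                   # M(x).P: H is extended with the input
        M, x, Q = P[1], P[2], P[3]
        fact = ('message', subst(rho, M), ('var', x))
        return translate(Q, {**rho, x: ('var', x)}, H + (fact,))
    if kind == 'out':                                  # M<N>.P: adds H ⇒ message(ρ(M), ρ(N))
        M, N, Q = P[1], P[2], P[3]
        return translate(Q, rho, H) | {(H, ('message', subst(rho, M), subst(rho, N)))}
    if kind == 'event':                                # event(M).P: adds H ⇒ event(ρ(M)) and
        M, Q = P[1], P[2]                              # continues with H ∧ m-event(ρ(M))
        ev = subst(rho, M)
        return translate(Q, rho, H + (('m-event', ev),)) | {(H, ('event', ev))}
    raise ValueError(f'unknown process constructor {kind}')

def show(p):                                           # render a pattern in the paper's notation
    if p[0] == 'var':
        return p[1]
    if p[0] == 'name':
        return p[1] + '[' + ', '.join(map(show, p[2])) + ']'
    return p[0] + '(' + ', '.join(map(show, p[1])) + ')'

def show_clause(clause):
    H, C = clause
    fact = lambda F: F[0] + '(' + ', '.join(map(show, F[1:])) + ')'
    return (' ∧ '.join(map(fact, H)) + ' ⇒ ' if H else '') + fact(C)

def example():
    """Constructed process (not the paper's Example 6):
    (νsk : sk[]) !^i c(x). (νk : k[x, i]). event(e(x, k)). c<senc(x, k)>"""
    x, i, k, c = ('var', 'x'), ('var', 'i'), ('name', 'k'), ('name', 'c')
    P = ('new', 'sk', (),
         ('repl', 'i',
          ('in', c, 'x',
           ('new', 'k', (x, i),                        # label k[x, i]: input x, session i
            ('event', ('e', (x, k)),
             ('out', c, ('senc', (x, k)), ('nil',)))))))
    rho = {'c': ('name', 'c', ())}                     # free names a are mapped to a[]
    return {show_clause(cl) for cl in translate(P, rho)}
```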
5.2.3 Summary and Correctness

Let $\rho = \{a \mapsto a[\,] \mid a \in \mathrm{fn}(P'_0)\}$. We define the clauses corresponding to the instrumented process $P'_0$ as:
\[ \mathcal{R}_{P'_0, \mathit{Init}} = [\![P'_0]\!]\rho\emptyset \cup \{\mathit{attacker}(a[\,]) \mid a \in \mathit{Init}\} \cup \{\text{(Rn)}, \text{(Rf)}, \text{(Rg)}, \text{(Rl)}, \text{(Rs)}\} \]

Example 7 The clauses for the process $P$ of Section 2.3 are the clauses for the adversary, plus:
\[
\begin{array}{lr}
\mathit{attacker}(\mathit{pk}(\mathit{sk}_A[\,])) & (2)\\
\mathit{attacker}(\mathit{pk}(\mathit{sk}_B[\,])) & (3)\\
H_1 \Rightarrow \mathit{attacker}(\mathit{pencrypt}_p((a[x_{\mathit{pk}_B}, i_A], \mathit{pk}(\mathit{sk}_A[\,])), x_{\mathit{pk}_B}, r_1[x_{\mathit{pk}_B}, i_A])) & (4)\\
H_2 \Rightarrow \mathit{attacker}(\mathit{pencrypt}_p(x_b, x_{\mathit{pk}_B}, r_3[x_{\mathit{pk}_B}, p_2, i_A])) & (5)\\
H_3 \Rightarrow \mathit{event}(e_A(\mathit{pk}(\mathit{sk}_A[\,]), \mathit{pk}(\mathit{sk}_B[\,]), a[\mathit{pk}(\mathit{sk}_B[\,]), i_A], x_b)) & (6)\\
H_3 \Rightarrow \mathit{attacker}(\mathit{sencrypt}(s_{Aa}[\,], a[\mathit{pk}(\mathit{sk}_B[\,]), i_A])) & (7)\\
H_3 \Rightarrow \mathit{attacker}(\mathit{sencrypt}(s_{Ab}[\,], x_b)) & (8)
\end{array}
\]
where
\[
\begin{array}{l}
p_2 = \mathit{pencrypt}_p((a[x_{\mathit{pk}_B}, i_A], x_b, x_{\mathit{pk}_B}), \mathit{pk}(\mathit{sk}_A[\,]), x_{r_2})\\
H_1 = \mathit{attacker}(x_{\mathit{pk}_B}) \wedge \mathit{m\text{-}event}(e_1(\mathit{pk}(\mathit{sk}_A[\,]), x_{\mathit{pk}_B}, a[x_{\mathit{pk}_B}, i_A]))\\
H_2 = H_1 \wedge \mathit{attacker}(p_2) \wedge \mathit{m\text{-}event}(e_3(\mathit{pk}(\mathit{sk}_A[\,]), x_{\mathit{pk}_B}, a[x_{\mathit{pk}_B}, i_A], x_b))\\
H_3 = H_2\{\mathit{pk}(\mathit{sk}_B[\,])/x_{\mathit{pk}_B}\}
\end{array}
\]
\[
\begin{array}{lr}
\mathit{attacker}(p_1) \wedge \mathit{m\text{-}event}(e_2(x_{\mathit{pk}_A}, \mathit{pk}(\mathit{sk}_B[\,]), x_a, b[p_1, i_B])) \Rightarrow \mathit{attacker}(\mathit{pencrypt}_p((x_a, b[p_1, i_B], \mathit{pk}(\mathit{sk}_B[\,])), x_{\mathit{pk}_A}, r_2[p_1, i_B])) & (9)
\end{array}
\]
where $p_1 = \mathit{pencrypt}_p((x_a, x_{\mathit{pk}_A}), \mathit{pk}(\mathit{sk}_B[\,]), x_{r_1})$
\[
\begin{array}{lr}
H_4 \Rightarrow \mathit{event}(e_B(\mathit{pk}(\mathit{sk}_A[\,]), \mathit{pk}(\mathit{sk}_B[\,]), x_a, b[p'_1, i_B])) & (10)\\
H_4 \Rightarrow \mathit{attacker}(\mathit{sencrypt}(s_{Ba}[\,], x_a)) & (11)\\
H_4 \Rightarrow \mathit{attacker}(\mathit{sencrypt}(s_{Bb}[\,], b[p'_1, i_B])) & (12)
\end{array}
\]
where
\[
\begin{array}{l}
p'_1 = \mathit{pencrypt}_p((x_a, \mathit{pk}(\mathit{sk}_A[\,])), \mathit{pk}(\mathit{sk}_B[\,]), x_{r_1})\\
H_4 = \mathit{attacker}(p'_1) \wedge \mathit{m\text{-}event}(e_2(\mathit{pk}(\mathit{sk}_A[\,]), \mathit{pk}(\mathit{sk}_B[\,]), x_a, b[p'_1, i_B])) \wedge \mathit{attacker}(\mathit{pencrypt}_p(b[p'_1, i_B], \mathit{pk}(\mathit{sk}_B[\,]), x_{r_3}))
\end{array}
\]
Clauses (2) and (3) correspond to the outputs in $P$; they mean that the adversary has the public keys of the participants. Clauses (4) and (5) correspond to the first two outputs in $P_A$. For example, (5) means that, if the attacker has $x_{\mathit{pk}_B}$ and the second message of the protocol $p_2$ and the events $e_1(\mathit{pk}(\mathit{sk}_A[\,]), x_{\mathit{pk}_B}, a[x_{\mathit{pk}_B}, i_A])$ and $e_3(\mathit{pk}(\mathit{sk}_A[\,]), x_{\mathit{pk}_B}, a[x_{\mathit{pk}_B}, i_A], x_b)$ are allowed, then the attacker can get $\mathit{pencrypt}_p(x_b, x_{\mathit{pk}_B}, r_3[x_{\mathit{pk}_B}, p_2, i_A])$, because $P_A$ sends this message after receiving $x_{\mathit{pk}_B}$ and $p_2$ and executing the events $e_1$ and $e_3$. When furthermore $x_{\mathit{pk}_B} = \mathit{pk}(\mathit{sk}_B[\,])$, $P_A$ executes event $e_A$ and outputs the encryption of $s_{Aa}[\,]$ under $a[x_{\mathit{pk}_B}, i_A]$ and the encryption of $s_{Ab}[\,]$ under $x_b$. This event and these outputs are taken into account by Clauses (6), (7), and (8) respectively. Similarly, Clauses (9), (11), and (12) correspond to the outputs in $P_B$ and (10) to the event $e_B$. These clauses have been simplified using Remark 3, taking into account that $e_1$, $e_2$, and $e_3$ appear only on the right-hand side of $\Rightarrow$, and $e_A$ and $e_B$ only on the left-hand side of $\Rightarrow$ in the queries of Examples 1, 2, and 3.

Theorem 1 (Correctness of the clauses) Let $P_0$ be a closed process and $Q$ be an $\mathit{Init}$-adversary. Let $P'_0 = \mathrm{instr}(P_0)$ and $Q' = \mathrm{instrAdv}(Q)$. Consider a trace $T = S_0, E_0, \{P'_0, Q'\} \to^* S', E', \mathcal{P}'$, with $\mathrm{fn}(P'_0) \cup \mathit{Init} \subseteq \mathrm{dom}(E_0)$ and $E_0(a) = a[\,]$ for all $a \in \mathrm{dom}(E_0)$. Assume that, if $T$ satisfies $\mathit{event}(p)$, then $\mathit{m\text{-}event}(p) \in \mathcal{F}_{me}$. Finally, assume that $T$ satisfies $F$. Then $F$ is derivable from $\mathcal{R}_{P'_0, \mathit{Init}} \cup \mathcal{F}_{me}$.

This result shows that, if the only executed events are those allowed in $\mathcal{F}_{me}$ and a fact $F$ is satisfied, then $F$ is derivable from the clauses. It is proved in Appendix B.
Using a technique similar to that of [1], its proof relies on a type system to express the soundness of the clauses on $P'_0$, and on the subject reduction of this type system to show that soundness of the clauses is preserved during all executions of the process.

6 Solving Algorithm

We first describe a basic solving algorithm without optimizations. Next, we list the optimizations that we use in our implementation, and we prove the correctness of the algorithm. The termination of the algorithm is discussed in Section 8.

6.1 The Basic Algorithm

To apply the previous results, we have to determine whether a fact is derivable from $\mathcal{R}_{P'_0, \mathit{Init}} \cup \mathcal{F}_{me}$. This may be undecidable, but in practice there exist algorithms that terminate on numerous examples of protocols. In particular, we can use variants of resolution algorithms, such as the algorithms described in [13, 14, 20, 69]. The algorithm that we describe here is the one of [14], extended with a second phase to determine derivability of any query. It also corresponds to the extension to $\mathit{m\text{-}event}$ facts of the algorithm of [20].

We first define resolution: when the conclusion of a clause $R$ unifies with a hypothesis $F_0$ of a clause $R'$, we can infer a new clause $R \circ_{F_0} R'$, that corresponds to applying $R$ and $R'$ one after the other. Formally, this is defined as follows:

Definition 11 Let $R = H \Rightarrow C$ and $R' = H' \Rightarrow C'$ be two clauses. Assume that there exists $F_0 \in H'$ such that $C$ and $F_0$ are unifiable, and $\sigma$ is the most general unifier of $C$ and $F_0$. In this case, we define $R \circ_{F_0} R' = \sigma(H \cup (H' \setminus \{F_0\})) \Rightarrow \sigma C'$.

An important idea to obtain an efficient solving algorithm is to specify conditions that limit the application of resolution, while keeping completeness. The conditions that we use correspond to resolution with free selection [9, 35, 55]: a selection function chooses selected facts in each clause, and resolution is performed only on selected facts, that is, the clause $R \circ_{F_0} R'$ is generated only when the conclusion is selected in $R$ and $F_0$ is selected in $R'$.

Definition 12 We denote by $\mathit{sel}$ a selection function, that is, a function from clauses to sets of facts, such that $\mathit{sel}(H \Rightarrow C) \subseteq H$. If $F \in \mathit{sel}(R)$, we say that $F$ is selected in $R$. If $\mathit{sel}(R) = \emptyset$, we say that no hypothesis is selected in $R$, or that the conclusion of the clause is selected.

The choice of the selection function can change dramatically the speed of the algorithm. Since the algorithm combines clauses by resolution only when the facts unified in the resolution are selected, we will choose the selection function to reduce the number of possible unifications between selected facts. Having several selected facts slows down the algorithm, because it has more choices of resolutions to perform, therefore we will select at most one fact in each clause. In the case of protocols, facts of the form $\mathit{attacker}(x)$, with $x$ variable, can be unified with all facts of the form $\mathit{attacker}(p)$. Therefore we should avoid selecting them. The $\mathit{m\text{-}event}$ facts must never be selected since they are not defined by known clauses.

Definition 13 We say that a fact $F$ is unselectable when $F = \mathit{attacker}(x)$ for some variable $x$ or $F = \mathit{m\text{-}event}(p)$ for some pattern $p$. Otherwise, we say that $F$ is selectable. We require that the selection function never selects unselectable hypotheses and that $\mathit{sel}(H \Rightarrow \mathit{attacker}(x)) \neq \emptyset$ when $H$ contains a selectable fact.
A basic selection function for security protocols is then
\[ \mathit{sel}_0(H \Rightarrow C) = \begin{cases} \emptyset & \text{if } \forall F \in H, F \text{ is unselectable}\\ \{F_0\} & \text{where } F_0 \in H \text{ and } F_0 \text{ is selectable, otherwise} \end{cases} \]
In the implementation, the hypotheses are represented by a list, and the selected fact is the first selectable element of the list of hypotheses.

The solving algorithm works in two phases, summarized in Figure 4. The first phase, $\mathit{saturate}$, transforms the set of clauses into an equivalent but simpler one. The second phase, $\mathit{derivable}$, uses a depth-first search to determine whether a fact can be inferred or not from the clauses.

The first phase contains 3 steps.
• The first step inserts in $\mathcal{R}$ the initial clauses representing the protocol and the attacker (clauses that are in $\mathcal{R}_0$), after simplification by $\mathit{simplify}$ (defined below in Section 6.2) and elimination of subsumed clauses by $\mathit{elim}$. We say that $H_1 \Rightarrow C_1$ subsumes $H_2 \Rightarrow C_2$, and we write $(H_1 \Rightarrow C_1) \sqsupseteq (H_2 \Rightarrow C_2)$, when there exists a substitution $\sigma$ such that $\sigma C_1 = C_2$ and $\sigma H_1 \subseteq H_2$. ($H_1$ and $H_2$ are multisets, and we use here multiset inclusion.) If $R'$ subsumes $R$, and $R$ and $R'$ are in $\mathcal{R}$, then $R$ is removed by $\mathit{elim}(\mathcal{R})$.
• The second step is a fixpoint iteration that adds clauses created by resolution. The composition of clauses $R$ and $R'$ is added only if no hypothesis is selected in $R$, and the hypothesis $F_0$ of $R'$ that we unify is selected. When a clause is created by resolution, it is added to the set of clauses $\mathcal{R}$ after simplification. Subsumed clauses are eliminated from $\mathcal{R}$.
• At last, the third step returns the set of clauses of $\mathcal{R}$ with no selected hypothesis.

Basically, $\mathit{saturate}$ preserves derivability: $F$ is derivable from $\mathcal{R}_0 \cup \mathcal{F}_{me}$ if and only if it is derivable from $\mathit{saturate}(\mathcal{R}_0) \cup \mathcal{F}_{me}$. A formal statement of this result is given in Lemma 2 below.

First phase: saturation
\[
\begin{array}{l}
\mathit{saturate}(\mathcal{R}_0) =\\
\quad 1.\ \mathcal{R} \leftarrow \emptyset.\ \text{For each } R \in \mathcal{R}_0,\ \mathcal{R} \leftarrow \mathit{elim}(\mathit{simplify}(R) \cup \mathcal{R}).\\
\quad 2.\ \text{Repeat until a fixpoint is reached}\\
\qquad \text{for each } R \in \mathcal{R} \text{ such that } \mathit{sel}(R) = \emptyset,\\
\qquad\quad \text{for each } R' \in \mathcal{R}, \text{ for each } F_0 \in \mathit{sel}(R') \text{ such that } R \circ_{F_0} R' \text{ is defined,}\\
\qquad\qquad \mathcal{R} \leftarrow \mathit{elim}(\mathit{simplify}(R \circ_{F_0} R') \cup \mathcal{R}).\\
\quad 3.\ \text{Return } \{R \in \mathcal{R} \mid \mathit{sel}(R) = \emptyset\}.
\end{array}
\]
Second phase: backwards depth-first search
\[
\mathit{deriv}(R, \mathcal{R}, \mathcal{R}_1) = \begin{cases}
\emptyset & \text{if } \exists R' \in \mathcal{R},\ R' \sqsupseteq R\\
\{R\} & \text{otherwise, if } \mathit{sel}(R) = \emptyset\\
\bigcup\{\mathit{deriv}(\mathit{simplify}'(R' \circ_{F_0} R), \{R\} \cup \mathcal{R}, \mathcal{R}_1) \mid R' \in \mathcal{R}_1,\ F_0 \in \mathit{sel}(R) \text{ such that } R' \circ_{F_0} R \text{ is defined}\} & \text{otherwise}
\end{cases}
\]
\[ \mathit{derivable}(F, \mathcal{R}_1) = \mathit{deriv}(F \Rightarrow F, \emptyset, \mathcal{R}_1) \]
Figure 4: Solving algorithm

The second phase searches the facts that can be inferred from $\mathcal{R}_1 = \mathit{saturate}(\mathcal{R}_0)$. This is simply a backward depth-first search. The call $\mathit{derivable}(F, \mathcal{R}_1)$ returns a set of clauses $R = H \Rightarrow C$ with empty selection, such that $R$ can be obtained by resolution from $\mathcal{R}_1$, $C$ is an instance of $F$, and all instances of $F$ derivable from $\mathcal{R}_1$ can be derived by using as last clause a clause of $\mathit{derivable}(F, \mathcal{R}_1)$. (Formally, if $F'$ is an instance of $F$ derivable from $\mathcal{R}_1$, then there are a clause $H \Rightarrow C \in \mathit{derivable}(F, \mathcal{R}_1)$ and a substitution $\sigma$ such that $F' = \sigma C$ and $\sigma H$ is derivable from $\mathcal{R}_1$.) The search itself is performed by $\mathit{deriv}(R, \mathcal{R}, \mathcal{R}_1)$. The function $\mathit{deriv}$ starts with $R = F \Rightarrow F$ and transforms the hypothesis of $R$ by using a clause $R'$ of $\mathcal{R}_1$ to derive an element $F_0$ of the hypothesis of $R$. So $R$ is replaced with $R' \circ_{F_0} R$ (third case of the definition of $\mathit{deriv}$). The fact $F_0$ is chosen using the selection function $\mathit{sel}$. The obtained clause $R' \circ_{F_0} R$ is then simplified by the function $\mathit{simplify}'$ defined in Section 6.2. (Hence $\mathit{deriv}$ derives the hypothesis of $R$ using a backward depth-first search. At each step, the clause $R$ can be obtained by resolution from clauses of $\mathcal{R}_1$, and $R$ concludes an instance of $F$.) The set $\mathcal{R}$ is the set of clauses that we have already seen during the search. Initially, $\mathcal{R}$ is empty, and the clause $R$ is added to $\mathcal{R}$ in the third case of the definition of $\mathit{deriv}$. The transformation of $R$ described above is repeated until one of the following two conditions is satisfied:
• $R$ is subsumed by a clause in $\mathcal{R}$: we are in a cycle; we are looking for instances of facts that we have already looked for (first case of the definition of $\mathit{deriv}$);
• $\mathit{sel}(R)$ is empty: we have obtained a suitable clause $R$ and we return it (second case of the definition of $\mathit{deriv}$).

6.2 Simplification Steps

Before adding a clause to the clause base, it is first simplified using the following functions. Some of them are standard, such as the elimination of tautologies and of duplicate hypotheses; others are specific to protocols. The simplification functions take as input a clause or a set of clauses and return a set of clauses.

Decomposition of Data Constructors A data constructor is a constructor $f$ of arity $n$ that comes with associated destructors $g_i$ for $i \in \{1, \ldots, n\}$ defined by $g_i(f(x_1, \ldots, x_n)) \to x_i$. Data constructors are typically used for representing data structures. Tuples are examples of data constructors. For each data constructor $f$, the following clauses are generated:
\[
\begin{array}{lr}
\mathit{attacker}(x_1) \wedge \ldots \wedge \mathit{attacker}(x_n) \Rightarrow \mathit{attacker}(f(x_1, \ldots, x_n)) & \text{(Rf)}\\
\mathit{attacker}(f(x_1, \ldots, x_n)) \Rightarrow \mathit{attacker}(x_i) & \text{(Rg)}
\end{array}
\]
Therefore, $\mathit{attacker}(f(p_1, \ldots, p_n))$ is derivable if and only if $\forall i \in \{1, \ldots, n\}$, $\mathit{attacker}(p_i)$ is derivable. So the function $\mathit{decomp}$ transforms clauses as follows. When a fact of the form $\mathit{attacker}(f(p_1, \ldots, p_n))$ is met, it is replaced with $\mathit{attacker}(p_1) \wedge \ldots \wedge \mathit{attacker}(p_n)$. If this replacement is done in the conclusion of a clause $H \Rightarrow \mathit{attacker}(f(p_1, \ldots, p_n))$, $n$ clauses are created: $H \Rightarrow \mathit{attacker}(p_i)$ for each $i \in \{1, \ldots, n\}$.
This replacement is of course done recursively: if $p_i$ itself is a data constructor application, it is replaced again. The function $\mathrm{decomphyp}$ performs this decomposition only in the hypotheses of clauses. The functions $\mathrm{decomp}$ and $\mathrm{decomphyp}$ leave the clauses (Rf) and (Rg) for data constructors unchanged. (When $\mathrm{attacker}(x)$ cannot be selected, the clauses (Rf) and (Rg) for data constructors are in fact not necessary, because they generate only tautologies during resolution. However, when $\mathrm{attacker}(x)$ can be selected, which cannot be excluded in extensions such as the one presented in Section 9.3, these clauses may become necessary for soundness.)

Elimination of Tautologies. The function $\mathrm{elimtaut}$ removes clauses whose conclusion is already in the hypotheses, since such clauses do not generate new facts.

Elimination of Duplicate Hypotheses. The function $\mathrm{elimdup}$ eliminates duplicate hypotheses of clauses.

Elimination of Useless $\mathrm{attacker}(x)$ Hypotheses. If a clause $H \Rightarrow C$ contains in its hypotheses $\mathrm{attacker}(x)$, where $x$ is a variable that does not appear elsewhere in the clause, the hypothesis $\mathrm{attacker}(x)$ is removed by the function $\mathrm{elimattx}$. Indeed, the attacker always has at least one message, so $\mathrm{attacker}(x)$ is always satisfied.

Secrecy Assumptions. When the user knows that a fact $F$ will not be derivable, he can tell it to the verifier. (When this fact is of the form $\mathrm{attacker}(p)$, the user tells that $p$ remains secret; that is why we use the name "secrecy assumptions".) Let $F_{\mathrm{not}}$ be a set of facts, for which the user claims that no instance of these facts is derivable. The function $\mathrm{elimnot}$ removes all clauses that have an instance of a fact in $F_{\mathrm{not}}$ in their hypotheses. As shown in Figure 5, at the end of the saturation, the solving algorithm checks that the facts in $F_{\mathrm{not}}$ are indeed underivable from the obtained clauses. If this condition is satisfied, $\mathrm{solve}_{P'_0,\mathit{Init}}(F)$ returns clauses that conclude instances of $F$. Otherwise, the user has given erroneous information, so an error message is displayed. Even when the user gives erroneous secrecy assumptions, the verifier never wrongly claims that a protocol is secure. Mentioning such underivable facts prunes the search space, by removing useless clauses. This speeds up the search process. In most cases, the secret keys of the principals cannot be known by the attacker, so examples of underivable facts are $\mathrm{attacker}(\mathit{sk}_A[\,])$ and $\mathrm{attacker}(\mathit{sk}_B[\,])$.

$\mathrm{solve}_{P'_0,\mathit{Init}}(F) =$
1. Let $\mathcal{R}_1 = \mathrm{saturate}(\mathcal{R}_{P'_0,\mathit{Init}})$.
2. For each $F' \in F_{\mathrm{not}}$, if $\mathrm{derivable}(F', \mathcal{R}_1) \neq \emptyset$, then terminate with error.
3. Return $\mathrm{derivable}(F, \mathcal{R}_1)$.

Figure 5: Summary of the solving algorithm

Elimination of Redundant Hypotheses. When a clause is of the form $H \wedge H' \Rightarrow C$, and there exists $\sigma$ such that $\sigma H \subseteq H'$ and $\sigma$ does not change the variables of $H'$ and $C$, then the clause is replaced with $H' \Rightarrow C$ by the function $\mathrm{elimredundanthyp}$. These clauses are semantically equivalent: obviously, $H' \Rightarrow C$ subsumes $H \wedge H' \Rightarrow C$; conversely, if a fact can be derived by an instance $\sigma' H' \Rightarrow \sigma' C$ of $H' \Rightarrow C$, then it can also be derived by the instance $\sigma'\sigma H \wedge \sigma' H' \Rightarrow \sigma' C$ of $H \wedge H' \Rightarrow C$, since the elements of $\sigma'\sigma H$ can be derived because they are in $\sigma' H'$. This replacement is especially useful when $H$ contains m-event facts. Otherwise, the elements of $H$ could be selected and transformed by resolution, until they are of the form $\mathrm{attacker}(x)$, in which case they are removed by $\mathrm{elimattx}$ if $\sigma x \neq x$ (because $x$ does not occur in $H'$ and $C$ since $\sigma$ does not change the variables of $H'$ and $C$) or by $\mathrm{elimdup}$ if $\sigma x = x$ (because $\mathrm{attacker}(x) = \sigma\,\mathrm{attacker}(x) \in \sigma H \subseteq H'$). In contrast, m-event facts remain forever, because they are unselectable. Depending on user settings, this replacement can be applied for all $H$, applied only when $H$ contains a m-event fact, or switched off, since testing this property takes time and slows down small examples. On the other hand, on big examples, such as some of those generated by TulaFale [12] for verifying Web services, this technique can yield important speedups.

Putting All Simplifications Together. The function $\mathrm{simplify}$ groups all these simplifications. We define
$$\mathrm{simplify} = \mathrm{elimattx} \circ \mathrm{elimtaut} \circ \mathrm{elimnot} \circ \mathrm{elimredundanthyp} \circ \mathrm{elimdup} \circ \mathrm{decomp}.$$
In this definition, the simplifications are ordered in such a way that $\mathrm{simplify} \circ \mathrm{simplify} = \mathrm{simplify}$, so it is not necessary to repeat the simplification. Similarly,
$$\mathrm{simplify}' = \mathrm{elimattx} \circ \mathrm{elimnot} \circ \mathrm{elimredundanthyp} \circ \mathrm{elimdup} \circ \mathrm{decomphyp}.$$
In $\mathrm{simplify}'$, we use $\mathrm{decomphyp}$ instead of $\mathrm{decomp}$, because the conclusion of the considered clause is the fact we want to derive, so it must not be modified.

6.3 Soundness

The following lemmas show the correctness of $\mathrm{saturate}$ and $\mathrm{derivable}$ (Figure 4). Proofs can be found in Appendix C. Intuitively, the correctness of $\mathrm{saturate}$ expresses that saturation preserves derivability, provided the secrecy assumptions are satisfied.

Lemma 2 (Correctness of saturate). Let $F$ be a closed fact. If, for all $F' \in F_{\mathrm{not}}$, no instance of $F'$ is derivable from $\mathrm{saturate}(\mathcal{R}_0) \cup F_{\mathrm{me}}$, then $F$ is derivable from $\mathcal{R}_0 \cup F_{\mathrm{me}}$ if and only if $F$ is derivable from $\mathrm{saturate}(\mathcal{R}_0) \cup F_{\mathrm{me}}$.

This result is proved by transforming a derivation of $F$ from $\mathcal{R}_0 \cup F_{\mathrm{me}}$ into a derivation of $F$ (or of a fact in $F_{\mathrm{not}}$) from $\mathrm{saturate}(\mathcal{R}_0) \cup F_{\mathrm{me}}$.
Basically, when the derivation contains a clause $R'$ with $\mathrm{sel}(R') \neq \emptyset$, we replace in this derivation two clauses $R$, with $\mathrm{sel}(R) = \emptyset$, and $R'$ that have been combined by resolution during the execution of $\mathrm{saturate}$ with a single clause $R \circ_{F_0} R'$. This replacement decreases the number of clauses in the derivation, so it terminates, and, upon termination, all clauses $R'$ of the obtained derivation satisfy $\mathrm{sel}(R') = \emptyset$, so they are in $\mathrm{saturate}(\mathcal{R}_0) \cup F_{\mathrm{me}}$.

Intuitively, the correctness of $\mathrm{derivable}$ expresses that if $F'$, an instance of $F$, is derivable, then $F'$ is derivable from $\mathcal{R}_1$ by a derivation in which the clause that concludes $F'$ is in $\mathrm{derivable}(F, \mathcal{R}_1)$, provided the secrecy assumptions are satisfied.

Lemma 3 (Correctness of derivable). Let $F'$ be a closed instance of $F$. If, for all $F'' \in F_{\mathrm{not}}$, $\mathrm{derivable}(F'', \mathcal{R}_1) = \emptyset$, then $F'$ is derivable from $\mathcal{R}_1 \cup F_{\mathrm{me}}$ if and only if there exist a clause $H \Rightarrow C$ in $\mathrm{derivable}(F, \mathcal{R}_1)$ and a substitution $\sigma$ such that $\sigma C = F'$ and all elements of $\sigma H$ are derivable from $\mathcal{R}_1 \cup F_{\mathrm{me}}$.

Basically, this result is proved by transforming a derivation of $F'$ from $\mathcal{R}_1 \cup F_{\mathrm{me}}$ into a derivation of $F'$ (or of a fact in $F_{\mathrm{not}}$) whose last clause (the one that concludes $F'$) is $H \Rightarrow C$ and whose other clauses are still in $\mathcal{R}_1 \cup F_{\mathrm{me}}$. The transformation relies on the replacement of clauses combined by resolution during the execution of $\mathrm{derivable}$.

It is important to apply $\mathrm{saturate}$ before $\mathrm{derivable}$, so that all clauses in $\mathcal{R}_1$ have no selected hypothesis. Then the conclusion of these clauses is in general not $\mathrm{attacker}(x)$ (with the simplifications of Section 6.2 and the selection function $\mathrm{sel}_0$, it is never $\mathrm{attacker}(x)$), so that we avoid unifying with $\mathrm{attacker}(x)$.

Finally, the following theorem shows the correctness of $\mathrm{solve}_{P'_0,\mathit{Init}}$ (Figure 5). Below, when we require that $\mathrm{solve}_{P'_0,\mathit{Init}}(F)$ has a certain value, we also implicitly require that $\mathrm{solve}_{P'_0,\mathit{Init}}(F)$ does not terminate with error. Intuitively, if an instance $F'$ of $F$ is satisfied by a trace $T$, then $F'$ is derivable from $\mathcal{R}_{P'_0,\mathit{Init}} \cup F_{\mathrm{me}}$, so, by the soundness of the solving algorithm, it is derivable by a derivation whose last clause is in $\mathrm{solve}_{P'_0,\mathit{Init}}(F)$. Then there must exist a clause $H \Rightarrow C \in \mathrm{solve}_{P'_0,\mathit{Init}}(F)$ that can be used to derive $F'$, so $F' = \sigma C$ and the hypothesis $\sigma H$ is derivable from $\mathcal{R}_{P'_0,\mathit{Init}} \cup F_{\mathrm{me}}$. In particular, the events in $\sigma H$ are satisfied, that is, are in $F_{\mathrm{me}}$, so these events have been executed in the trace $T$. Theorem 2 below states this result formally. It is proved by combining Lemmas 2 and 3, and Theorem 1.

Theorem 2 (Main theorem). Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}(P_0)$. Let $Q$ be an $\mathit{Init}$-adversary and $Q' = \mathrm{instrAdv}(Q)$. Consider a trace $T = S_0, E_0, \{P'_0, Q'\} \to^* S', E', \mathcal{P}'$, with $\mathrm{fn}(P'_0) \cup \mathit{Init} \subseteq \mathrm{dom}(E_0)$ and $E_0(a) = a[\,]$ for all $a \in \mathrm{dom}(E_0)$. If $T$ satisfies an instance $F'$ of $F$, then there exist a clause $H \Rightarrow C \in \mathrm{solve}_{P'_0,\mathit{Init}}(F)$ and a substitution $\sigma$ such that $F' = \sigma C$ and, for all $\mathrm{m\text{-}event}(p)$ in $\sigma H$, $T$ satisfies $\mathrm{event}(p)$.

Proof. Let $F_{\mathrm{me}} = \{\mathrm{m\text{-}event}(p') \mid T \text{ satisfies } \mathrm{event}(p')\}$ and $\mathcal{R}_1 = \mathrm{saturate}(\mathcal{R}_{P'_0,\mathit{Init}})$. Since $\mathrm{solve}_{P'_0,\mathit{Init}}(F)$ does not terminate with error, for all $F'' \in F_{\mathrm{not}}$, $\mathrm{derivable}(F'', \mathcal{R}_1) = \emptyset$, so, by Lemma 3, no instance of $F''$ is derivable from $\mathcal{R}_1 \cup F_{\mathrm{me}} = \mathrm{saturate}(\mathcal{R}_{P'_0,\mathit{Init}}) \cup F_{\mathrm{me}}$. This allows us to apply Lemma 2. By Theorem 1, since $T$ satisfies $F'$, $F'$ is derivable from $\mathcal{R}_{P'_0,\mathit{Init}} \cup F_{\mathrm{me}}$. By Lemma 2, $F'$ is derivable from $\mathrm{saturate}(\mathcal{R}_{P'_0,\mathit{Init}}) \cup F_{\mathrm{me}} = \mathcal{R}_1 \cup F_{\mathrm{me}}$. By Lemma 3, there exist a clause $R = H \Rightarrow C$ in $\mathrm{solve}_{P'_0,\mathit{Init}}(F) = \mathrm{derivable}(F, \mathcal{R}_1)$ and a substitution $\sigma$ such that $\sigma C = F'$ and all elements of $\sigma H$ are derivable from $\mathcal{R}_1 \cup F_{\mathrm{me}}$. For all $\mathrm{m\text{-}event}(p)$ in $\sigma H$, $\mathrm{m\text{-}event}(p)$ is derivable from $\mathcal{R}_1 \cup F_{\mathrm{me}}$. Since no clause in $\mathcal{R}_1$ has a conclusion of the form $\mathrm{m\text{-}event}(p')$, $\mathrm{m\text{-}event}(p) \in F_{\mathrm{me}}$. Given the choice of $F_{\mathrm{me}}$, this means that $T$ satisfies $\mathrm{event}(p)$. ✷

Theorem 2 is our main correctness result: it allows one to show that some events must have been executed. The correctness of the analysis for correspondences follows from this theorem.

Example 8. For the process $P$ of Section 2.3, $\mathit{Init} = \{c\}$, and $P' = \mathrm{instr}(P)$, our tool shows that
$$\mathrm{solve}_{P',\mathit{Init}}(\mathrm{event}(e_B(x_1, x_2, x_3, x_4))) = \{\mathrm{m\text{-}event}(e_1(\mathit{pk}_A, \mathit{pk}_B, p_a)) \wedge \mathrm{m\text{-}event}(e_2(\mathit{pk}_A, \mathit{pk}_B, p_a, p_b)) \wedge \mathrm{m\text{-}event}(e_3(\mathit{pk}_A, \mathit{pk}_B, p_a, p_b)) \Rightarrow \mathrm{event}(e_B(\mathit{pk}_A, \mathit{pk}_B, p_a, p_b))\}$$
where
$$\mathit{pk}_A = \mathrm{pk}(\mathit{sk}_A[\,]),\quad \mathit{pk}_B = \mathrm{pk}(\mathit{sk}_B[\,]),\quad p_a = a[\mathit{pk}_B, i_A],\quad p_b = b[\mathrm{pencrypt}_p((p_a, \mathit{pk}_A), \mathit{pk}_B, r_1[\mathit{pk}_B, i_A]), i_B].$$
By Theorem 2, if $T$ satisfies $\mathrm{event}(e_B(p_1, p_2, p_3, p_4))$, this event is an instance of $\mathrm{event}(e_B(x_1, x_2, x_3, x_4))$, so, given the value of $\mathrm{solve}_{P',\mathit{Init}}(\mathrm{event}(e_B(x_1, x_2, x_3, x_4)))$, there exists $\sigma$ such that $\mathrm{event}(e_B(p_1, p_2, p_3, p_4)) = \sigma\,\mathrm{event}(e_B(\mathit{pk}_A, \mathit{pk}_B, p_a, p_b))$ and $T$ satisfies
$$\mathrm{event}(\sigma e_1(\mathit{pk}_A, \mathit{pk}_B, p_a)) = \mathrm{event}(e_1(p_1, p_2, p_3)),$$
$$\mathrm{event}(\sigma e_2(\mathit{pk}_A, \mathit{pk}_B, p_a, p_b)) = \mathrm{event}(e_2(p_1, p_2, p_3, p_4)),$$
$$\mathrm{event}(\sigma e_3(\mathit{pk}_A, \mathit{pk}_B, p_a, p_b)) = \mathrm{event}(e_3(p_1, p_2, p_3, p_4)).$$
Therefore, if $\mathrm{event}(e_B(M_1, M_2, M_3, M_4))$ has been executed, then $\mathrm{event}(e_1(M_1, M_2, M_3))$, $\mathrm{event}(e_2(M_1, M_2, M_3, M_4))$, and $\mathrm{event}(e_3(M_1, M_2, M_3, M_4))$ have been executed.
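The solving algorithm of Figures 4 and 5 and the simplifications of Section 6.2, as an added toy implementation in Python. This is not ProVerif's own code and not part of the paper. It implements the selection function $\mathrm{sel}_0$ (a hypothesis other than $\mathrm{attacker}(x)$, with m-event facts unselectable), resolution $R \circ_{F_0} R'$ with renaming apart, subsumption, $\mathrm{saturate}$, $\mathrm{derivable}$ and $\mathrm{solve}$, and the simplifications $\mathrm{decomp}$/$\mathrm{decomphyp}$, $\mathrm{elimtaut}$, $\mathrm{elimdup}$, $\mathrm{elimattx}$ and $\mathrm{elimnot}$ ($\mathrm{elimredundanthyp}$ is left out). It is run on a constructed toy protocol that is not the paper's example: A executes $e_A(n_A)$ and sends the signature $\mathrm{sign}((n_A, \mathit{pk}_B), \mathit{sk}_A)$; B, on a signature of that shape under $\mathit{sk}_A$, executes $e_B$. Names are represented by constants rather than by patterns $a[\ldots]$, and the secrecy assumptions are $\mathrm{attacker}(\mathit{sk}_A)$ and $\mathrm{attacker}(\mathit{sk}_B)$.

```python
# Toy Horn-clause solver after Figures 4 and 5 (added example, not ProVerif's own code).
# Terms are nested tuples ('f', t1, .., tn), variables are Var objects, a fact is a term
# headed by a predicate name, and a clause H => C is the pair (hyps, concl).
class Var: pass                               # identity is the variable's name
def walk(t, s):                               # follow the bindings of substitution s
    while isinstance(t, Var) and t in s: t = s[t]
    return t
def subst(t, s):
    t = walk(t, s)
    return t if isinstance(t, Var) else (t[0],) + tuple(subst(a, s) for a in t[1:])
def variables(t):
    return {t} if isinstance(t, Var) else set().union(*(variables(a) for a in t[1:]))
def unify(a, b, s, bindable=None):            # mgu extending s, or None; with `bindable`, only
    a, b = walk(a, s), walk(b, s)             # those variables may be bound (one-way matching)
    if a is b: return s
    for u, v in ((a, b), (b, a)):
        if isinstance(u, Var) and (bindable is None or u in bindable):
            return None if u in variables(subst(v, s)) else {**s, u: v}   # occurs check
    if isinstance(a, Var) or isinstance(b, Var) or a[0] != b[0] or len(a) != len(b): return None
    for u, v in zip(a[1:], b[1:]):
        s = unify(u, v, s, bindable)
        if s is None: return None
    return s
def rename(cl):                               # fresh copy of a clause, variables renamed apart
    fresh = {}
    def go(t): return fresh.setdefault(t, Var()) if isinstance(t, Var) else (t[0],) + tuple(go(a) for a in t[1:])
    return (tuple(go(h) for h in cl[0]), go(cl[1]))
def sel(cl):                                  # sel0: a hypothesis other than attacker(x); m-events are unselectable
    for i, h in enumerate(cl[0]):
        if not (h[0] == 'mevent' or (h[0] == 'attacker' and isinstance(h[1], Var))): return i
    return None
def resolve(r, rp, i):                        # R o_{F0} R', F0 being the i-th hypothesis of R'
    (h, c), (hp, cp) = rename(r), rp
    s = unify(c, hp[i], {})
    return None if s is None else (tuple(subst(f, s) for f in h + hp[:i] + hp[i + 1:]), subst(cp, s))
def decomp(f):                                # attacker(tuple(p1..pn)) -> attacker(p1) .. attacker(pn)
    if f[0] == 'attacker' and not isinstance(f[1], Var) and f[1][0] == 'tuple':
        return [g for p in f[1][1:] for g in decomp(('attacker', p))]
    return [f]
def simplify(cl, fnot=(), hyp_only=False):    # simplify, or simplify' when hyp_only (decomphyp, no elimtaut)
    hyps = [g for h in cl[0] for g in decomp(h)]
    h = [f for k, f in enumerate(hyps) if f not in hyps[:k]]                                  # elimdup
    if any(unify(f, g, {}, variables(f)) is not None for f in fnot for g in h): return []     # elimnot
    out = []
    for c in ([cl[1]] if hyp_only else decomp(cl[1])):
        if c in h and not hyp_only: continue                                                   # elimtaut
        out.append((tuple(f for f in h if not (f[0] == 'attacker' and isinstance(f[1], Var)
                          and sum(f[1] in variables(g) for g in h + [c]) == 1)), c))           # elimattx
    return out
def subsumes(r1, r2):                         # R1 ⊒ R2: sigma C1 = C2 and sigma H1 ⊆ H2 for some sigma
    r1 = rename(r1)
    bind = set().union(*(variables(f) for f in r1[0] + (r1[1],)))
    def cover(hs, s):
        return not hs or any(cover(hs[1:], s2) for g in r2[0] for s2 in [unify(hs[0], g, s, bind)] if s2 is not None)
    s = unify(r1[1], r2[1], {}, bind)
    return s is not None and cover(list(r1[0]), s)
def elim(rs):                                 # drop clauses subsumed by another clause of the set
    out = []
    for r in rs:
        if not any(subsumes(o, r) for o in out): out = [o for o in out if not subsumes(r, o)] + [r]
    return out
def saturate(r0, fnot=()):
    rs = elim([c for r in r0 for c in simplify(r, fnot)])
    while True:                               # repeat until a fixpoint is reached
        new = [c for r in rs if sel(r) is None for rp in rs if sel(rp) is not None
               for res in [resolve(r, rp, sel(rp))] if res is not None for c in simplify(res, fnot)]
        new = [c for k, c in enumerate(new) if not any(subsumes(o, c) for o in rs + new[:k])]
        if not new: return [r for r in rs if sel(r) is None]
        rs = elim(rs + new)
def derivable(f, r1, fnot=()):                # backward depth-first search from the clause F => F
    def deriv(r, seen):
        if any(subsumes(o, r) for o in seen): return []        # cycle: already searched
        i = sel(r)
        if i is None: return [r]                               # empty selection: suitable clause
        return [c for rp in r1 for res in [resolve(rp, r, i)] if res is not None
                for r2 in simplify(res, fnot, True) for c in deriv(r2, seen + [r])]
    return deriv(((f,), f), [])
def solve(r0, fnot, f):                       # Figure 5: saturate, check F_not, then query F
    r1 = saturate(r0, fnot)
    if any(derivable(g, r1, fnot) for g in fnot): raise ValueError("a secrecy assumption is wrong")
    return derivable(f, r1, fnot)

# Constructed toy protocol (hypothetical, not the paper's example); public keys are public:
#   A: event eA(nA), send sign((nA, pkB), skA);   B: on sign((x, pkB), skA), event eB(x).
# The tuple clauses (Rf)/(Rg) are omitted since decomp already flattens attacker(tuple(..)).
skA, skB, nA = ('skA',), ('skB',), ('nA',)
pkA, pkB = ('pk', skA), ('pk', skB)
def att(t): return ('attacker', t)
x, y = Var(), Var()                           # shared across clauses; resolve renames one side apart
CLAUSES = [((), att(pkA)), ((), att(pkB)), ((att(y),), att(('pk', y))),
           ((att(x), att(y)), att(('sign', x, y))), ((att(('sign', x, y)),), att(x)),
           ((('mevent', ('eA', nA)),), att(('sign', ('tuple', nA, pkB), skA))),
           ((att(('sign', ('tuple', x, pkB), skA)),), ('event', ('eB', x)))]
FNOT = [att(skA), att(skB)]                   # secrecy assumptions: private keys never leak
def query_eB(): return solve(CLAUSES, FNOT, ('event', ('eB', Var())))
def query_nA(): return solve(CLAUSES, FNOT, att(nA))
```

`query_eB()` returns the single clause $\mathrm{m\text{-}event}(e_A(n_A)) \Rightarrow \mathrm{event}(e_B(n_A))$, which is exactly the shape required by Corollary 2 below for the non-injective agreement $\mathrm{event}(e_B(x)) \rightsquigarrow \mathrm{event}(e_A(x))$: the attacker's attempt to forge the signature is resolved into a clause with hypothesis $\mathrm{attacker}(\mathit{sk}_A)$, which $\mathrm{elimnot}$ discards. `query_nA()` shows that the nonce becomes known only after $e_A$, and `solve` raises an error when given a wrong secrecy assumption such as $\mathrm{attacker}(\mathit{pk}_A)$, as step 2 of Figure 5 prescribes.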
7 Application to Correspondences

7.1 Non-injective Correspondences

Correspondences for instrumented processes can be checked as shown by the following theorem:

Theorem 3. Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}(P_0)$. Let $p_{jk}$ ($j \in \{1, \ldots, m\}$, $k \in \{1, \ldots, l_j\}$) be patterns; let $F$ and $F_j$ ($j \in \{1, \ldots, m\}$) be facts. Assume that for all $R \in \mathrm{solve}_{P'_0,\mathit{Init}}(F)$, there exist $j \in \{1, \ldots, m\}$, $\sigma'$, and $H$ such that $R = H \wedge \mathrm{m\text{-}event}(\sigma' p_{j1}) \wedge \ldots \wedge \mathrm{m\text{-}event}(\sigma' p_{jl_j}) \Rightarrow \sigma' F_j$. Then $P'_0$ satisfies the correspondence
$$F \Rightarrow \bigvee_{j=1}^{m} \Bigl(F_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathrm{event}(p_{jk})\Bigr)$$
against $\mathit{Init}$-adversaries.

Proof. Let $Q$ be an $\mathit{Init}$-adversary and $Q' = \mathrm{instrAdv}(Q)$. Consider a trace $T = S_0, E_0, \{P'_0, Q'\} \to^* S', E', \mathcal{P}'$, with $\mathrm{fn}(P'_0) \cup \mathit{Init} \subseteq \mathrm{dom}(E_0)$ and $E_0(a) = a[\,]$ for all $a \in \mathrm{dom}(E_0)$. Assume that $T$ satisfies $\sigma F$. By Theorem 2, there exist $R = H' \Rightarrow C' \in \mathrm{solve}_{P'_0,\mathit{Init}}(F)$ and $\sigma''$ such that $\sigma F = \sigma'' C'$ and for all $\mathrm{m\text{-}event}(p)$ in $\sigma'' H'$, $T$ satisfies $\mathrm{event}(p)$. All clauses $R$ in $\mathrm{solve}_{P'_0,\mathit{Init}}(F)$ are of the form $H \wedge \mathrm{m\text{-}event}(\sigma' p_{j1}) \wedge \ldots \wedge \mathrm{m\text{-}event}(\sigma' p_{jl_j}) \Rightarrow \sigma' F_j$ for some $j$ and $\sigma'$. So there exist $j$ and $\sigma'$ such that for all $k \in \{1, \ldots, l_j\}$, $\mathrm{m\text{-}event}(\sigma' p_{jk}) \in H'$ and $C' = \sigma' F_j$. Hence $\sigma F = \sigma'' C' = \sigma''\sigma' F_j$ and for all $k \in \{1, \ldots, l_j\}$, $\mathrm{m\text{-}event}(\sigma''\sigma' p_{jk}) \in \sigma'' H'$, so $T$ satisfies $\mathrm{event}(\sigma''\sigma' p_{jk})$, so we have the result. ✷

From this theorem and Lemma 1, we obtain correspondences for standard processes.

Theorem 4. Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}(P_0)$. Let $M_{jk}$ ($j \in \{1, \ldots, m\}$, $k \in \{1, \ldots, l_j\}$) be terms; let $\alpha$ and $\alpha_j$ ($j \in \{1, \ldots, m\}$) be atoms. Let $p_{jk}$, $F$, $F_j$ be the patterns and facts obtained by replacing names $a$ with patterns $a[\,]$ in the terms and atoms $M_{jk}$, $\alpha$, $\alpha_j$ respectively. Assume that, for all clauses $R$ in $\mathrm{solve}_{P'_0,\mathit{Init}}(F)$, there exist $j \in \{1, \ldots, m\}$, $\sigma'$, and $H$ such that $R = H \wedge \mathrm{m\text{-}event}(\sigma' p_{j1}) \wedge \ldots \wedge \mathrm{m\text{-}event}(\sigma' p_{jl_j}) \Rightarrow \sigma' F_j$. Then $P_0$ satisfies the correspondence
$$\alpha \Rightarrow \bigvee_{j=1}^{m} \Bigl(\alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathrm{event}(M_{jk})\Bigr)$$
against $\mathit{Init}$-adversaries.

Example 9. For the process $P$ of Section 2.3, $\mathit{Init} = \{c\}$, and $P' = \mathrm{instr}(P)$, the value of $\mathrm{solve}_{P',\mathit{Init}}(\mathrm{event}(e_B(x_1, x_2, x_3, x_4)))$ given in Example 8 shows that $P$ satisfies the correspondence
$$\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{event}(e_1(x_1, x_2, x_3)) \wedge \mathrm{event}(e_2(x_1, x_2, x_3, x_4)) \wedge \mathrm{event}(e_3(x_1, x_2, x_3, x_4))$$
against $\mathit{Init}$-adversaries.

As particular cases of correspondences, we can show secrecy and non-injective agreement:

Corollary 1 (Secrecy). Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}(P_0)$. Let $N$ be a term. Let $p$ be the pattern obtained by replacing names $a$ with patterns $a[\,]$ in the term $N$. Assume that $\mathrm{solve}_{P'_0,\mathit{Init}}(\mathrm{attacker}(p)) = \emptyset$. Then $P_0$ preserves the secrecy of all instances of $N$ from $\mathit{Init}$.

Intuitively, if no instance of $\mathrm{attacker}(p)$ is derivable from the clauses representing the protocol, then the adversary cannot have an instance of the term $N$ corresponding to $p$.

Example 10. For the process $P$ of Section 2.3, $\mathit{Init} = \{c\}$, and $P' = \mathrm{instr}(P)$, our tool shows that $\mathrm{solve}_{P',\mathit{Init}}(\mathrm{attacker}(\mathit{sAa}[\,])) = \emptyset$. So $P$ preserves the secrecy of $\mathit{sAa}$ from $\mathit{Init}$. The situation is similar for $\mathit{sAb}$, $\mathit{sBa}$, and $\mathit{sBb}$.

Corollary 2 (Non-injective agreement). Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}(P_0)$. Assume that, for each $R \in \mathrm{solve}_{P'_0,\mathit{Init}}(\mathrm{event}(e(x_1, \ldots, x_n)))$ such that $R = H \Rightarrow \mathrm{event}(e(p_1, \ldots, p_n))$, we have $\mathrm{m\text{-}event}(e'(p_1, \ldots, p_n)) \in H$. Then $P_0$ satisfies the correspondence $\mathrm{event}(e(x_1, \ldots, x_n)) \rightsquigarrow \mathrm{event}(e'(x_1, \ldots, x_n))$ against $\mathit{Init}$-adversaries.

Intuitively, the condition means that, if $\mathrm{event}(e(p_1, \ldots, p_n))$ can be derived, $\mathrm{m\text{-}event}(e'(p_1, \ldots, p_n))$ occurs in the hypotheses. Then the theorem says that, if $\mathrm{event}(e(M_1, \ldots, M_n))$ has been executed, then $\mathrm{event}(e'(M_1, \ldots, M_n))$ has been executed.

Example 11. For the process $P$ of Section 2.3, $\mathit{Init} = \{c\}$, and $P' = \mathrm{instr}(P)$, the value of $\mathrm{solve}_{P',\mathit{Init}}(\mathrm{event}(e_B(x_1, x_2, x_3, x_4)))$ given in Example 8 also shows that $P$ satisfies the correspondence $\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{event}(e_3(x_1, x_2, x_3, x_4))$ against $\mathit{Init}$-adversaries. The tool shows in a similar way that $P$ satisfies the correspondence $\mathrm{event}(e_A(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{event}(e_2(x_1, x_2, x_3, x_4))$ against $\mathit{Init}$-adversaries.

7.2 General Correspondences

In this section, we explain how to prove general correspondences. Moreover, we also show that, when our verifier proves injectivity, it proves recentness as well. For example, when it proves a correspondence $\mathrm{event}(M) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(M')$, it shows that, when the event $\mathrm{event}(M)$ has been executed, not only has the event $\mathrm{event}(M')$ been executed, but it has also been executed recently. As explained by Lowe [54], the precise meaning of "recent" depends on the circumstances: it can be that $\mathrm{event}(M)$ is executed within the duration of the part of the process after $\mathrm{event}(M')$, or it can be within a certain number of time units. Here, we define recentness as follows: the runtime of the session that executes $\mathrm{event}(M)$ overlaps with the runtime of the session that executes the corresponding $\mathrm{event}(M')$.

We can formally define recent correspondences for instrumented processes as follows. We assume that, in $P_0$, the events are under at least one replication.
We define an instrumented process $P'_0 = \mathrm{instr}'(P_0)$, where $\mathrm{instr}'(P_0)$ is defined like $\mathrm{instr}(P_0)$, except that the events $\mathrm{event}(M)$ in $P_0$ are replaced with $\mathrm{event}(M, i)$, where $i$ is the session identifier that labels the down-most replication above $\mathrm{event}(M)$ in $P_0$. The session identifier $i$ indicates the session in which the considered event is executed.

When $k = k_1 \ldots k_n$ is a non-empty sequence of indices, we denote by $k\lceil$ the sequence obtained by removing the last index from $k$: $k\lceil = k_1 \ldots k_{n-1}$. (Below, an index written $jk$ likewise ranges over non-empty sequences of index pairs, and $jk\,jk$ denotes the concatenation of two such sequences.)

Definition 14. Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}'(P_0)$. We say that $P'_0$ satisfies the recent correspondence
$$\mathrm{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Bigl(\mathrm{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, q_{jk}\Bigr) \quad\text{where}\quad q_{jk} = \mathrm{event}(p_{jk}) \rightsquigarrow \bigvee_{j=1}^{m_{jk}} \bigwedge_{k=1}^{l_{jkj}} [\mathrm{inj}]_{jkjk}\, q_{jkjk}$$
against $\mathit{Init}$-adversaries if and only if for any $\mathit{Init}$-adversary $Q$, for any trace $T = S_0, E_0, \{P'_0, Q'\} \to^* S', E', \mathcal{P}'$, with $Q' = \mathrm{instrAdv}(Q)$, $E_0(a) = a[\,]$ for all $a \in \mathrm{dom}(E_0)$, and $\mathrm{fn}(P'_0) \cup \mathit{Init} \subseteq \mathrm{dom}(E_0)$, there exists a function $\phi_{jk}$ for each non-empty $jk$, such that for all non-empty $jk$, $\phi_{jk}$ maps a subset of steps of $T$ to steps of $T$ and
• For all $\tau$, if the event $\mathrm{event}(\sigma p, \lambda_\epsilon)$ is executed at step $\tau$ in $T$ for some $\sigma$ and $\lambda_\epsilon$, then there exist $\sigma'$ and $J = (j_k)_k$ such that $\sigma' p'_{j_\epsilon} = \sigma p$ and, for all non-empty $k$, $\phi_{\mathrm{makejk}(k,J)}(\tau)$ is defined, $\mathrm{event}(\sigma' p_{\mathrm{makejk}(k,J)}, \lambda_k)$ is executed at step $\phi_{\mathrm{makejk}(k,J)}(\tau)$ in $T$, and if $[\mathrm{inj}]_{\mathrm{makejk}(k,J)} = \mathrm{inj}$, then the runtimes of $\mathrm{session}(\lambda_{k\lceil})$ and $\mathrm{session}(\lambda_k)$ overlap (recentness). The runtime of $\mathrm{session}(\lambda)$ begins when the rule $S, E, \mathcal{P} \cup \{!^i P\} \to S \setminus \{\lambda\}, E, \mathcal{P} \cup \{P\{\lambda/i\}, !^i P\}$ is applied and ends when $P\{\lambda/i\}$ has disappeared.
• For all non-empty $jk$, if $[\mathrm{inj}]_{jk} = \mathrm{inj}$, then $\phi_{jk}$ is injective.
• For all non-empty $jk$, for all $j$ and $k$, if $\phi_{jkjk}(\tau)$ is defined, then $\phi_{jk}(\tau)$ is defined and $\phi_{jkjk}(\tau) \leq \phi_{jk}(\tau)$. For all $j$ and $k$, if $\phi_{jk}(\tau)$ is defined, then $\phi_{jk}(\tau) \leq \tau$.

We do not define recentness for standard processes, since it is difficult to track formally the runtime of a session in these processes. Instrumented processes make that very easy thanks to session identifiers. It is easy to infer correspondences for standard processes from recent correspondences for instrumented processes, with a proof similar to that of Lemma 1.

Lemma 4. Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}'(P_0)$. Let $M_{jk}$, $M$, and $M'_j$ be terms. Let $p_{jk}$, $p$, $p'_j$ be the patterns obtained by replacing names $a$ with patterns $a[\,]$ in the terms $M_{jk}$, $M$, $M'_j$ respectively. If $P'_0$ satisfies the recent correspondence
$$\mathrm{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Bigl(\mathrm{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, q_{jk}\Bigr) \quad\text{where}\quad q_{jk} = \mathrm{event}(p_{jk}) \rightsquigarrow \bigvee_{j=1}^{m_{jk}} \bigwedge_{k=1}^{l_{jkj}} [\mathrm{inj}]_{jkjk}\, q_{jkjk}$$
against $\mathit{Init}$-adversaries, then $P_0$ satisfies the correspondence
$$\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Bigl(\mathrm{event}(M'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, q'_{jk}\Bigr) \quad\text{where}\quad q'_{jk} = \mathrm{event}(M_{jk}) \rightsquigarrow \bigvee_{j=1}^{m_{jk}} \bigwedge_{k=1}^{l_{jkj}} [\mathrm{inj}]_{jkjk}\, q'_{jkjk}$$
against $\mathit{Init}$-adversaries.

Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}'(P_0)$. We adapt the generation of clauses as follows: the set of clauses $\mathcal{R}'_{P'_0,\mathit{Init}}$ is defined as $\mathcal{R}_{P'_0,\mathit{Init}}$ except that
$$[\![\overline{M}\langle N\rangle.P]\!]\rho H = [\![P]\!]\rho H \cup \{H\{\rho|_{V_o \cup V_s}/\square\} \Rightarrow \mathrm{message}(\rho(M), \rho(N))\}$$
$$[\![!^i P]\!]\rho H = [\![P]\!](\rho[i \mapsto i])(H\{\rho|_{V_o \cup V_s}/\square\})$$
$$[\![\mathrm{event}(M, i).P]\!]\rho H = [\![P]\!]\rho(H \wedge \mathrm{m\text{-}event}(\rho(M), \square)) \cup \{H \Rightarrow \mathrm{event}(\rho(M), i)\}$$
where $\square$ is a special variable. The predicate $\mathrm{event}$ has as additional argument the session identifier in which the event is executed. The predicate $\mathrm{m\text{-}event}$ has as additional argument an environment $\rho$ that gives the values that variables will contain at the first output or replication that follows the event; $\square$ is a placeholder for this environment. We define $\mathrm{solve}'_{P'_0,\mathit{Init}}$ as $\mathrm{solve}_{P'_0,\mathit{Init}}$ except that it applies to $\mathcal{R}'_{P'_0,\mathit{Init}}$ instead of $\mathcal{R}_{P'_0,\mathit{Init}}$.

Let us first consider the particular case of injective correspondences. We consider general correspondences in Theorem 5 below.

Proposition 2 (Injective correspondences). Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}'(P_0)$. We assume that, in $P_0$, all events are of the form $\mathrm{event}(f(M_1, \ldots, M_n))$ and that different occurrences of $\mathrm{event}$ have different root function symbols. We also assume that the patterns $p$, $p'_j$, $p_{jk}$ satisfy the following conditions: $p$ and $p'_j$ for $j \in \{1, \ldots, m\}$ are of the form $f(\ldots)$ for some function symbol $f$, and for all $j, k$ such that $[\mathrm{inj}]_{jk} = \mathrm{inj}$, $p_{jk} = f_{jk}(\ldots)$ for some function symbol $f_{jk}$. Let $\mathrm{solve}'_{P'_0,\mathit{Init}}(\mathrm{event}(p, i)) = \{R_{jr} \mid j \in \{1, \ldots, m\},\ r \in \{1, \ldots, n_j\}\}$. Assume that there exist $x_{jk}$, $i_{jr}$, and $\rho_{jrk}$ ($j \in \{1, \ldots, m\}$, $r \in \{1, \ldots, n_j\}$, $k \in \{1, \ldots, l_j\}$) such that
• For all $j \in \{1, \ldots, m\}$, for all $r \in \{1, \ldots, n_j\}$, there exist $H$ and $\sigma$ such that $R_{jr} = H \wedge \mathrm{m\text{-}event}(\sigma p_{j1}, \rho_{jr1}) \wedge \ldots \wedge \mathrm{m\text{-}event}(\sigma p_{jl_j}, \rho_{jrl_j}) \Rightarrow \mathrm{event}(\sigma p'_j, i_{jr})$.
• For all $j \in \{1, \ldots, m\}$, for all $r$ and $r'$ in $\{1, \ldots, n_j\}$, for all $k \in \{1, \ldots, l_j\}$ such that $[\mathrm{inj}]_{jk} = \mathrm{inj}$, $\rho_{jrk}(x_{jk})\{\lambda/i_{jr}\}$ does not unify with $\rho_{jr'k}(x_{jk})\{\lambda'/i_{jr'}\}$ when $\lambda \neq \lambda'$.
Then $P'_0$ satisfies the recent correspondence
$$\mathrm{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Bigl(\mathrm{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, \mathrm{event}(p_{jk})\Bigr)$$
against $\mathit{Init}$-adversaries.

This proposition is a particular case of Theorem 5 below.
It is proved in Appendix E. By Theorem 3, after deleting session identifiers and environments, the first item shows that $P'_0$ satisfies the correspondence
$$\mathrm{event}(p) \Rightarrow \bigvee_{j=1..m,\,r} \Bigl(\mathrm{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathrm{event}(p_{jk})\Bigr) \qquad (13)$$
The environments and session identifiers as well as the second item serve in proving injectivity. Suppose that $[\mathrm{inj}]_{jk} = \mathrm{inj}$, and denote by $\_$ an unknown term. If two instances of $\mathrm{event}(p, i)$ are executed in $P'_0$ for the branch $j$ of the correspondence, by the first item, they are instances of $\mathrm{event}(\sigma_{jr} p'_j, i_{jr})$ for some $r$, so they are $\mathrm{event}(\sigma'_1\sigma_{jr_1} p'_j, \sigma'_1 i_{jr_1})$ and $\mathrm{event}(\sigma'_2\sigma_{jr_2} p'_j, \sigma'_2 i_{jr_2})$ for some $\sigma'_1$ and $\sigma'_2$. Furthermore, there is only one occurrence of $\mathrm{event}(f(\ldots), i)$ in $P'_0$, so the event $\mathrm{event}(f(\ldots), i)$ can be executed at most once for each value of the session identifier $i$, so $\sigma'_1 i_{jr_1} \neq \sigma'_2 i_{jr_2}$. Then, by the first item, corresponding events $\mathrm{event}(\sigma'_1\sigma_{jr_1} p_{jk}, \_)$ and $\mathrm{event}(\sigma'_2\sigma_{jr_2} p_{jk}, \_)$ have been executed, with associated environments $\sigma'_1\rho_{jr_1k}$ and $\sigma'_2\rho_{jr_2k}$. By the second item, $\rho_{jr_1k}(x_{jk})\{\lambda_1/i_{jr_1}\}$ does not unify with $\rho_{jr_2k}(x_{jk})\{\lambda_2/i_{jr_2}\}$ for the different values $\lambda_1 = \sigma'_1 i_{jr_1}$ and $\lambda_2 = \sigma'_2 i_{jr_2}$ of the session identifier. (In this condition, $r_1$ can be equal to $r_2$, and when $r_1 = r_2 = r$, the condition simply means that $i_{jr}$ occurs in $\rho_{jrk}(x_{jk})$.) So $\sigma'_1\rho_{jr_1k}(x_{jk}) \neq \sigma'_2\rho_{jr_2k}(x_{jk})$, so the events $\mathrm{event}(\sigma'_1\sigma_{jr_1} p_{jk}, \_)$ and $\mathrm{event}(\sigma'_2\sigma_{jr_2} p_{jk}, \_)$ are distinct, which shows injectivity. This point is very similar to the fact that injective agreement is implied by non-injective agreement when the parameters of events contain nonces generated by the agent to whom authentication is being made, because the event can be executed at most once for each value of the nonce. (The session identifier $i_{jr}$ in our theorem plays the role of the nonce.) [Andrew Gordon, personal communication]

Corollary 3 (Recent injective agreement). Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}'(P_0)$. We assume that, in $P_0$, all events are of the form $\mathrm{event}(f(M_1, \ldots, M_k))$ and that different occurrences of $\mathrm{event}$ have different root function symbols. Let $\{R_1, \ldots, R_n\} = \mathrm{solve}'_{P'_0,\mathit{Init}}(\mathrm{event}(e(x_1, \ldots, x_m), i))$. Assume that there exist $x$, $i_r$, and $\rho_r$ ($r \in \{1, \ldots, n\}$) such that
• For all $r \in \{1, \ldots, n\}$, $R_r = H \wedge \mathrm{m\text{-}event}(e'(p_1, \ldots, p_m), \rho_r) \Rightarrow \mathrm{event}(e(p_1, \ldots, p_m), i_r)$ for some $p_1, \ldots, p_m$, and $H$.
• For all $r$ and $r'$ in $\{1, \ldots, n\}$, $\rho_r(x)\{\lambda/i_r\}$ does not unify with $\rho_{r'}(x)\{\lambda'/i_{r'}\}$ when $\lambda \neq \lambda'$.
Then $P'_0$ satisfies the recent correspondence $\mathrm{event}(e(x_1, \ldots, x_m)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e'(x_1, \ldots, x_m))$ against $\mathit{Init}$-adversaries.

Proof. This result is an immediate consequence of Proposition 2. ✷

Example 12. For the process $P$ of Section 2.3, $P' = \mathrm{instr}'(P)$, and $\mathit{Init} = \{c\}$, we have
$$\mathrm{solve}'_{P',\mathit{Init}}(\mathrm{event}(e_B(x_1, x_2, x_3, x_4), i)) = \{H \wedge \mathrm{m\text{-}event}(e_3(\mathit{pk}_A, \mathit{pk}_B, a[\mathit{pk}_B, i_{A0}], b[p_1, i_{B0}]), \rho) \Rightarrow \mathrm{event}(e_B(\mathit{pk}_A, \mathit{pk}_B, a[\mathit{pk}_B, i_{A0}], b[p_1, i_{B0}]), i_{B0})\}$$
where
$$\mathit{pk}_A = \mathrm{pk}(\mathit{sk}_A[\,]),\quad \mathit{pk}_B = \mathrm{pk}(\mathit{sk}_B[\,]),$$
$$p_1 = \mathrm{pencrypt}_p((a[\mathit{pk}_B, i_{A0}], \mathit{pk}_A), \mathit{pk}_B, r_1[\mathit{pk}_B, i_{A0}]),$$
$$p_2 = \mathrm{pencrypt}_p((a[\mathit{pk}_B, i_{A0}], b[p_1, i_{B0}], \mathit{pk}_B), \mathit{pk}_A, r_2[p_1, i_{B0}]),$$
$$\rho = \{i_A \mapsto i_{A0},\ x_{\mathit{pk}_B} \mapsto \mathit{pk}_B,\ m \mapsto p_2\}.$$
Intuitively, this result shows that each event $e_B(\mathit{pk}_A, \mathit{pk}_B, a[\mathit{pk}_B, i_{A0}], b[p_1, i_{B0}])$, executed in the session of index $i_B = i_{B0}$, is preceded by an event $e_3(\mathit{pk}_A, \mathit{pk}_B, a[\mathit{pk}_B, i_{A0}], b[p_1, i_{B0}])$ executed in the session of index $i_A = i_{A0}$ with $x_{\mathit{pk}_B} = \mathit{pk}_B$ and $m = p_2$. Since $i_{B0}$ occurs in this event (or in its environment⁴), different executions of $e_B$, which have different values of $i_{B0}$, cannot correspond to the same execution of $e_3$, so we have injectivity. More formally, the second hypothesis of Corollary 3 is satisfied because $\rho(m)\{\lambda/i_{B0}\}$ does not unify with $\rho(m)\{\lambda'/i_{B0}\}$ when $\lambda \neq \lambda'$, since $i_{B0}$ occurs in $\rho(m) = p_2$. Then $P'$ satisfies the recent correspondence $\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e_3(x_1, x_2, x_3, x_4))$ against $\mathit{Init}$-adversaries. The tool shows in a similar way that $P'$ satisfies the recent correspondence $\mathrm{event}(e_A(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e_2(x_1, x_2, x_3, x_4))$ against $\mathit{Init}$-adversaries.

Let us now consider the case of general correspondences. The basic idea is to decompose the general correspondence to prove into several correspondences.
For instance, the correspondence $\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow (\mathrm{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{event}(e_2(x_1, x_2, x_3, x_4)))$ is implied by the conjunction of the correspondences $\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{event}(e_3(x_1, x_2, x_3, x_4))$ and $\mathrm{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{event}(e_2(x_1, x_2, x_3, x_4))$. However, as noted in Section 3.3, this proof technique would often fail because, in order to prove that $e_2(x_1, x_2, x_3, x_4)$ has been executed, we may need to know that $e_B(x_1, x_2, x_3, x_4)$ has been executed, and not only that $e_3(x_1, x_2, x_3, x_4)$ has been executed. To solve this problem, we use the following idea: when we know that $e_B(x_1, x_2, x_3, x_4)$ has been executed, we may be able to show that certain particular instances of $e_3(x_1, x_2, x_3, x_4)$ have been executed, and we can exploit this information in order to prove that $e_2(x_1, x_2, x_3, x_4)$ has been executed. In other words, we rather prove the correspondences
$$\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \Rightarrow \bigvee_{r=1}^{m} \bigl(\sigma_r\,\mathrm{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \sigma_r\,\mathrm{event}(e_3(x_1, x_2, x_3, x_4))\bigr)$$
and, for all $r \leq m$, $\sigma_r\,\mathrm{event}(e_3(x_1, x_2, x_3, x_4)) \rightsquigarrow \sigma_r\,\mathrm{event}(e_2(x_1, x_2, x_3, x_4))$. When the considered general correspondence has several nesting levels, we perform such a decomposition recursively. The next theorem generalizes and formalizes these ideas. Below, the notation $(\mathit{Env}_{jk})_{jk}$ represents a family $\mathit{Env}_{jk}$ of sets of pairs $(\rho, i)$ where $\rho$ is an environment and $i$ is a session identifier, one for each non-empty $jk$. The notation $(\mathit{Env}_{jk\,jk})_{jk}$ represents a subfamily of $(\mathit{Env}_{jk})_{jk}$ in which the first two indices are $jk$, and this family is reindexed by omitting the fixed indices $jk$.

⁴ In general, the environment may contain more variables than the event itself, so looking for the session identifiers in the environment instead of the event is more powerful.

Theorem 5. Let $P_0$ be a closed process and $P'_0 = \mathrm{instr}'(P_0)$. We assume that, in $P_0$, all events are of the form $\mathrm{event}(f(M_1, \ldots, M_n))$ and that different occurrences of $\mathrm{event}$ have different root function symbols. Let us define $\mathrm{verify}(q', (\mathit{Env}_{jk})_{jk})$, where $jk$ is non-empty, by:
V1. If $q' = \mathrm{event}(p)$ for some $p$, then $\mathrm{verify}(q', (\mathit{Env}_{jk})_{jk})$ is true.
V2. If $q' = \mathrm{event}(p) \Rightarrow \bigvee_{j=1}^{m} \bigl(\mathrm{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, q'_{jk}\bigr)$ and $q'_{jk} = \mathrm{event}(p_{jk}) \rightsquigarrow \ldots$ for some $p$, $p'_j$, and $p_{jk}$, where $m \neq 1$, $l_j \neq 0$, or $p \neq p'_1$, then $\mathrm{verify}(q', (\mathit{Env}_{jk})_{jk})$ is true if and only if there exists $(\sigma_{jr})_{jr}$ such that the following three conditions hold:
V2.1. We have $\mathrm{solve}'_{P'_0,\mathit{Init}}(\mathrm{event}(p, i)) \subseteq \{H \wedge \bigwedge_{k=1}^{l_j} \mathrm{m\text{-}event}(\sigma_{jr} p_{jk}, \rho_{jrk}) \Rightarrow \mathrm{event}(\sigma_{jr} p'_j, i_{jr}) \text{ for some } H,\ j \in \{1, \ldots, m\},\ r, \text{ and } (\rho_{jrk}, i_{jr}) \in \mathit{Env}_{jk} \text{ for all } k\}$.
V2.2. For all $j, r, k_0$, the common variables between $\sigma_{jr} q'_{jk_0}$ on the one hand and $\sigma_{jr} p'_j$ and $\sigma_{jr} q'_{jk}$ for all $k \neq k_0$ on the other hand occur in $\sigma_{jr} p_{jk_0}$.
V2.3. For all $j, r, k$, $\mathrm{verify}(\sigma_{jr} q'_{jk}, (\mathit{Env}_{jk\,jk})_{jk})$ is true.
Consider the following recent correspondence:
$$q = \mathrm{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Bigl(\mathrm{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, q_{jk}\Bigr) \quad\text{where}\quad q_{jk} = \mathrm{event}(p_{jk}) \rightsquigarrow \bigvee_{j=1}^{m_{jk}} \bigwedge_{k=1}^{l_{jkj}} [\mathrm{inj}]_{jkjk}\, q_{jkjk}$$
We assume that the patterns in the correspondence satisfy the following conditions: $p$ and $p'_j$ for $j \in \{1, \ldots, m\}$ are of the form $f(\ldots)$ for some function symbol $f$ and, for all non-empty $jk$ such that $[\mathrm{inj}]_{jk} = \mathrm{inj}$, $p_{jk} = f_{jk}(\ldots)$ for some function symbol $f_{jk}$. We also assume that if $\mathrm{inj}$ occurs in $q_{jk}$, then $[\mathrm{inj}]_{jk} = \mathrm{inj}$. Assume that there exist $(\mathit{Env}_{jk})_{jk}$ and $(x_{jk})_{jk}$, where $jk$ is non-empty, such that
H1. $\mathrm{verify}(q, (\mathit{Env}_{jk})_{jk})$ is true.
H2. For all non-empty $jk$, if $[\mathrm{inj}]_{jk} = \mathrm{inj}$, then for all $(\rho, i), (\rho', i') \in \mathit{Env}_{jk}$, $\rho(x_{jk})\{\lambda/i\}$ does not unify with $\rho'(x_{jk})\{\lambda'/i'\}$ when $\lambda \neq \lambda'$.
Then $P'_0$ satisfies the recent correspondence $q$ against $\mathit{Init}$-adversaries.

This theorem is rather complex, so we give some intuition here. Its proof can be found in Appendix E. Point V2.1 allows us to infer correspondences by Theorem 3: after deleting session identifiers and environments, $P'_0$ satisfies the correspondences
$$\mathrm{event}(p) \Rightarrow \bigvee_{j=1..m,\,r} \Bigl(\mathrm{event}(\sigma_{jr} p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathrm{event}(\sigma_{jr} p_{jk})\Bigr) \qquad (14)$$
and, using the recursive calls of Point V2.3,
$$\mathrm{event}(\sigma'_{jrk\lceil}\, p_{jk}) \Rightarrow \bigvee_{j=1..m_{jk},\,r} \Bigl(\mathrm{event}(\sigma'_{jrkjr}\, p_{jk}) \rightsquigarrow \bigwedge_{k=1}^{l_{jkj}} \mathrm{event}(\sigma'_{jrkjr}\, p_{jkjk})\Bigr) \qquad (15)$$
against $\mathit{Init}$-adversaries, where $\sigma'_{jrkjr} = \sigma_{jrkjr}\,\sigma_{jrk\lceil} \ldots \sigma_{jr}$ and we denote by $\sigma_{jrkjr}$ the substitution $\sigma_{jr}$ obtained in the recursive calls to $\mathrm{verify}$ indexed by $jrk$. In order to infer the desired correspondence, we need to show injectivity properties and to combine the correspondences (14) and (15) into a single correspondence. Injectivity comes from Hypothesis H2: this hypothesis generalizes the second item of Proposition 2 to the case of general correspondences.

The correspondences (14) and (15) are combined into a single correspondence using Point V2.2. We illustrate this point on the simple example of the correspondence $\mathrm{event}(p) \Rightarrow (\mathrm{event}(p'_1) \rightsquigarrow (\mathrm{event}(p_{11}) \rightsquigarrow \mathrm{event}(p_{1111})))$.
By V2.1 and the recursive call of V2.3, we have correspondences of the form:
$$\mathsf{event}(p) \Rightarrow \bigvee_{r} \big( \mathsf{event}(\sigma_{1r} p'_1) \wedge \mathsf{event}(\sigma_{1r} p_{11}) \big) \tag{16}$$
$$\mathsf{event}(\sigma_{1r} p_{11}) \Rightarrow \bigvee_{r'} \big( \mathsf{event}(\sigma_{1r11r'} \sigma_{1r} p_{11}) \wedge \mathsf{event}(\sigma_{1r11r'} \sigma_{1r} p_{1111}) \big) \tag{17}$$
for some $\sigma_{1r}$ and $\sigma_{1r11r'}$. The correspondence (17) implies the simpler correspondence
$$\mathsf{event}(\sigma_{1r} p_{11}) \Rightarrow \mathsf{event}(\sigma_{1r} p_{1111}). \tag{18}$$
Furthermore, if an instance of $\mathsf{event}(p)$ is executed, $e_1 = \mathsf{event}(\sigma p)$, then by (16), for some $r$ and $\sigma'_1$ such that $\sigma p = \sigma'_1 \sigma_{1r} p'_1$, the event $e_2 = \mathsf{event}(\sigma'_1 \sigma_{1r} p_{11})$ has been executed before $e_1$. By (18), for some $\sigma'_2$ such that $\sigma'_1 \sigma_{1r} p_{11} = \sigma'_2 \sigma_{1r} p_{11}$, the event $e_3 = \mathsf{event}(\sigma'_2 \sigma_{1r} p_{1111})$ has been executed before $e_2$. We now need to reconcile the substitutions $\sigma'_1$ and $\sigma'_2$; this can be done thanks to V2.2. Let us define $\sigma''$ such that $\sigma'' x = \sigma'_1 x$ for $x \in \mathit{fv}(\sigma_{1r} p_{11}) \cup \mathit{fv}(\sigma_{1r} p'_1)$ and $\sigma'' x = \sigma'_2 x$ for $x \in \mathit{fv}(\sigma_{1r} p_{1111}) \cup \mathit{fv}(\sigma_{1r} p_{11})$. Such a substitution $\sigma''$ exists because the common variables between $\mathit{fv}(\sigma_{1r} p_{11}) \cup \mathit{fv}(\sigma_{1r} p'_1)$ and $\mathit{fv}(\sigma_{1r} p_{1111}) \cup \mathit{fv}(\sigma_{1r} p_{11})$ occur in $\sigma_{1r} p_{11}$ by V2.2, and for the variables $x \in \mathit{fv}(\sigma_{1r} p_{11})$, $\sigma'_1 x = \sigma'_2 x$ since $\sigma'_1 \sigma_{1r} p_{11} = \sigma'_2 \sigma_{1r} p_{11}$. So, for some $r$ and $\sigma''$ such that $\sigma p = \sigma'' \sigma_{1r} p'_1$, the event $e_2 = \mathsf{event}(\sigma'' \sigma_{1r} p_{11})$ has been executed before $e_1$ and $e_3 = \mathsf{event}(\sigma'' \sigma_{1r} p_{1111})$ has been executed before $e_2$. This result proves the desired correspondence $\mathsf{event}(p) \Rightarrow (\mathsf{event}(p'_1) \wedge (\mathsf{event}(p_{11}) \Rightarrow \mathsf{event}(p_{1111})))$. Point V2.2 generalizes this technique to any correspondence.

In the implementation, the hypotheses of this theorem are checked as follows. In order to check $\mathit{verify}(q', (\mathit{Env}_{\tilde{j}\tilde{k}})_{\tilde{j}\tilde{k}})$, we first compute $\mathit{solve}'_{P'_0, \mathit{Init}}(\mathsf{event}(p, i))$.
By matching, we check V2.1 and obtain the values of $\sigma_{jr}$, $\rho_{jrk}$, and $i_{jr}$ for all $j$, $r$, and $k$. We add $(\rho_{jrk}, i_{jr})$ to $\mathit{Env}_{jk}$. We compute $\sigma_{jr} p'_j$ and $\sigma_{jr} q'_{jk}$ for each $j$, $r$, and $k$, and check V2.2 and V2.3. After checking $\mathit{verify}(q', (\mathit{Env}_{\tilde{j}\tilde{k}})_{\tilde{j}\tilde{k}})$, we finally check Hypothesis H2 for each $\tilde{j}\tilde{k}$. We start with a set that contains the whole domain of $\rho$ for some $(\rho, i) \in \mathit{Env}_{\tilde{j}\tilde{k}}$. For each $(\rho, i)$ and $(\rho', i')$ in $\mathit{Env}_{\tilde{j}\tilde{k}}$, we remove from this set the variables $x$ such that $\rho(x)\{\lambda/i\}$ unifies with $\rho'(x)\{\lambda'/i'\}$ for $\lambda \neq \lambda'$. When the obtained set is non-empty, Hypothesis H2 is satisfied by taking for $x_{\tilde{j}\tilde{k}}$ any element of the obtained set. Otherwise, Hypothesis H2 is not satisfied.

Example 13 For the example $P$ of Section 2.3, the previous theorem does not enable us to prove the correspondence
$$\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_3(x_1, x_2, x_3, x_4)) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_2(x_1, x_2, x_3, x_4)) \Rightarrow \mathsf{inj}\,\mathsf{event}(e_1(x_1, x_2, x_3))))$$
directly. Indeed, Theorem 5 would require that we show a correspondence of the form $\mathsf{event}(\sigma e_2(x_1, x_2, x_3, x_4)) \Rightarrow \mathsf{inj}\,\mathsf{event}(\sigma e_1(x_1, x_2, x_3))$. However, such a correspondence does not hold, because after executing a single event $e_1$, the adversary can replay the first message of the protocol, so that $B$ executes several events $e_2$. It is still possible to prove this correspondence by combining the automatic proof of the slightly weaker correspondence
$$q = \mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_3(x_1, x_2, x_3, x_4)) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_1(x_1, x_2, x_3)) \wedge \mathsf{inj}\,\mathsf{event}(e_2(x_1, x_2, x_3, x_4)))),$$
which does not order the events $e_1$ and $e_2$, with a simple manual argument. (This technique applies to many other examples.) Let us first prove the latter correspondence. Let $P' = \mathit{instr}'(P)$ and $\mathit{Init} = \{c\}$.
We have
$$\mathit{solve}'_{P', \mathit{Init}}(\mathsf{event}(e_B(x_1, x_2, x_3, x_4), i)) = \{ H \wedge \mathsf{m\text{-}event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), \rho_{111}) \Rightarrow \mathsf{event}(e_B(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), i_{B0}) \}$$
$$\mathit{solve}'_{P', \mathit{Init}}(\mathsf{event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), i)) = \{ \mathsf{m\text{-}event}(e_1(pk_A, pk_B, a[pk_B, i_{A0}]), \rho_{111111}) \wedge \mathsf{m\text{-}event}(e_2(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), \rho_{111112}) \Rightarrow \mathsf{event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), i_{A0}) \}$$
where
$$pk_A = \mathsf{pk}(sk_A[\,]), \qquad pk_B = \mathsf{pk}(sk_B[\,])$$
$$p_1 = \mathsf{pencrypt}_p((a[pk_B, i_{A0}], pk_A), pk_B, r_1[pk_B, i_{A0}])$$
$$p_2 = \mathsf{pencrypt}_p((a[pk_B, i_{A0}], b[p_1, i_{B0}], pk_B), pk_A, r_2[p_1, i_{B0}])$$
$$\rho_{111} = \rho_{111111} = \{ i_A \mapsto i_{A0}, x_{pk_B} \mapsto pk_B, m \mapsto p_2 \}, \qquad \rho_{111112} = \{ i_B \mapsto i_{B0}, m' \mapsto p_1 \}$$

Intuitively, as in Example 12, the value of $\mathit{solve}'_{P', \mathit{Init}}(\mathsf{event}(e_B(x_1, x_2, x_3, x_4), i))$ guarantees that each event $e_B(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$ executed in the session of index $i_B = i_{B0}$ is preceded by an event $e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$ executed in the session of index $i_A = i_{A0}$ with $x_{pk_B} = pk_B$ and $m = p_2$. Since $i_{B0}$ occurs in this event (or in its environment), we have injectivity. The value of $\mathit{solve}'_{P', \mathit{Init}}(\mathsf{event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}]), i))$ guarantees that each event $e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$ executed in the session of index $i_A = i_{A0}$ is preceded by events $e_1(pk_A, pk_B, a[pk_B, i_{A0}])$ executed in the session of index $i_A = i_{A0}$ with $x_{pk_B} = pk_B$ and $m = p_2$, and $e_2(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$ executed in the session of index $i_B = i_{B0}$ with $m' = p_1$.
Since $i_{A0}$ occurs in these events (or in their environments), we have injectivity. So we obtain the desired correspondence $\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_3(x_1, x_2, x_3, x_4)) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_1(x_1, x_2, x_3)) \wedge \mathsf{inj}\,\mathsf{event}(e_2(x_1, x_2, x_3, x_4))))$.

More formally, let us show that we can apply Theorem 5. We have $p = p'_1 = e_B(x_1, x_2, x_3, x_4)$, $p_{11} = e_3(x_1, x_2, x_3, x_4)$, $p_{1111} = e_1(x_1, x_2, x_3)$, $p_{1112} = e_2(x_1, x_2, x_3, x_4)$. We show $\mathit{verify}(q, (\mathit{Env}_{\tilde{j}\tilde{k}})_{\tilde{j}\tilde{k}})$. Given the first value of $\mathit{solve}'_{P', \mathit{Init}}$ shown above, we satisfy V2.1 by letting $\sigma_{11} = \{ x_1 \mapsto pk_A, x_2 \mapsto pk_B, x_3 \mapsto a[pk_B, i_{A0}], x_4 \mapsto b[p_1, i_{B0}] \}$ and $i_{11} = i_{B0}$, with $(\rho_{111}, i_{11}) \in \mathit{Env}_{11}$. The common variables between $\sigma_{11} q_{11} = \mathsf{event}(e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_1(pk_A, pk_B, a[pk_B, i_{A0}])) \wedge \mathsf{inj}\,\mathsf{event}(e_2(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])))$ and $\sigma_{11} p'_1 = e_B(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$ are $i_{A0}$ and $i_{B0}$, and they occur in $\sigma_{11} p_{11} = e_3(pk_A, pk_B, a[pk_B, i_{A0}], b[p_1, i_{B0}])$. So we have V2.2. Recursively, in order to obtain V2.3, we have to show $\mathit{verify}(\sigma_{11} q_{11}, (\mathit{Env}_{11\tilde{j}\tilde{k}})_{\tilde{j}\tilde{k}})$. Given the second value of $\mathit{solve}'_{P', \mathit{Init}}$ shown above, we satisfy V2.1 by letting $\sigma_{11111} = \mathit{Id}$ and $i_{11111} = i_{A0}$, with $(\rho_{111111}, i_{11111}) \in \mathit{Env}_{1111}$ and $(\rho_{111112}, i_{11111}) \in \mathit{Env}_{1112}$. (We prefix the indices with $111$ in order to represent that these values concern the recursive call with $j = 1$, $r = 1$, and $k = 1$.) V2.2 holds trivially, because $\sigma_{11111} \sigma_{11} q_{111k_0} = \sigma_{11111} \sigma_{11} \mathsf{event}(p_{111k_0})$, since the considered correspondence has one nesting level only.
V2.3 holds because $q_{1111}$ reduces to $\mathsf{event}(p_{1111})$, so $\mathit{verify}(\sigma_{11111} \sigma_{11} q_{1111}, (\mathit{Env}_{1111\tilde{j}\tilde{k}})_{\tilde{j}\tilde{k}})$ holds by V1, and the situation is similar for $q_{1112}$. Therefore, we obtain H1. In order to show H2, we have to find $x_{11}$ such that $\rho_{111}(x_{11})\{\lambda/i_{11}\}$ does not unify with $\rho_{111}(x_{11})\{\lambda'/i_{11}\}$ when $\lambda \neq \lambda'$. This property holds with $x_{11} = m$, because $i_{11} = i_{B0}$ occurs in $\rho_{111}(m) = p_2$. Similarly, $\rho_{111111}(x_{1111})\{\lambda/i_{11111}\}$ does not unify with $\rho_{111111}(x_{1111})\{\lambda'/i_{11111}\}$ when $\lambda \neq \lambda'$, for $x_{1111} = i_A$, since $i_{11111} = i_{A0}$ occurs in $\rho_{111111}(i_A)$. Finally, $\rho_{111112}(x_{1112})\{\lambda/i_{11111}\}$ does not unify with $\rho_{111112}(x_{1112})\{\lambda'/i_{11111}\}$ when $\lambda \neq \lambda'$ for $x_{1112} = m'$, since $i_{11111} = i_{A0}$ occurs in $\rho_{111112}(m') = p_1$. So, by Theorem 5, the process $P'$ satisfies the recent correspondence $\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_3(x_1, x_2, x_3, x_4)) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_1(x_1, x_2, x_3)) \wedge \mathsf{inj}\,\mathsf{event}(e_2(x_1, x_2, x_3, x_4))))$ against $\mathit{Init}$-adversaries.

We can then show that $P'$ satisfies the recent correspondence $\mathsf{event}(e_B(x_1, x_2, x_3, x_4)) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_3(x_1, x_2, x_3, x_4)) \Rightarrow (\mathsf{inj}\,\mathsf{event}(e_2(x_1, x_2, x_3, x_4)) \Rightarrow \mathsf{inj}\,\mathsf{event}(e_1(x_1, x_2, x_3))))$. We just have to show that the event $e_2(x_1, x_2, x_3, x_4)$ is executed after $e_1(x_1, x_2, x_3)$. The nonce $a$ is created just before executing $e_1(x_1, x_2, x_3) = e_1(pk_A, x_{pk_B}, a)$, and the event $e_2(x_1, x_2, x_3, x_4) = e_2(x_{pk_A}, pk_B, x_a, b)$ contains $a$ in the variable $x_3 = x_a$. So $e_2$ has been executed after receiving a message that contains $a$, so after $a$ has been sent in some message, so after executing event $e_1$.

8 Termination

In this section, we study termination properties of our algorithm.
We first show that it terminates on a restricted class of protocols, named tagged protocols. Then, we study how to improve the choice of the selection function in order to obtain termination in other cases.

8.1 Termination for Tagged Protocols

Intuitively, a tagged protocol is a protocol in which each application of a constructor can be immediately distinguished from others in the protocol, for example by a tag: for instance, when we want to encrypt $m$ under $k$, we add the constant tag $ct_0$ to $m$, so that the encryption becomes $\mathsf{sencrypt}((ct_0, m), k)$ where the tag $ct_0$ is a different constant for each encryption in the protocol. The tags are checked when destructors are applied. This condition is easy to realize by adding tags, and it is also a good protocol design: the participants use the tags to identify the messages unambiguously, thus avoiding type flaw attacks [50].

In [20], in collaboration with Andreas Podelski, we have given conditions on the clauses that intuitively correspond to tagged protocols, and we have shown that, for tagged protocols using only public channels, public-key cryptography with atomic keys, shared-key cryptography and hash functions, and for secrecy properties, the solving algorithm using the selection function $\mathit{sel}_0$ terminates. Here, we extend this result by giving a definition of tagged protocols for processes and showing that the clause generation algorithm yields clauses that satisfy the conditions of [20], so that the solving algorithm terminates. (A similar result has been proved for strong secrecy in the technical report [16].)

Definition 15 (Tagged protocol) A tagged protocol is a process $P_0$ together with a signature of constructors and destructors such that:

C1. The only constructors and destructors are those of Figure 2, plus $\mathsf{equal}$.

C2. In every occurrence of $M(x)$ and $\overline{M}\langle N \rangle$ in $P_0$, $M$ is a name free in $P_0$.

C3. In every occurrence of $f(\ldots)$ with $f \in \{\mathsf{sencrypt}, \mathsf{sencrypt}_p, \mathsf{pencrypt}_p, \mathsf{sign}, \mathsf{nmrsign}, \mathsf{h}, \mathsf{mac}\}$ in $P_0$, the first argument of $f$ is a tuple $(ct, M_1, \ldots, M_n)$, where the tag $ct$ is a constant. Different occurrences of $f$ have different values of the tag $ct$.

C4. In every occurrence of $\mathsf{let}\ x = g(\ldots)\ \mathsf{in}\ P\ \mathsf{else}\ Q$, for $g \in \{\mathsf{sdecrypt}, \mathsf{sdecrypt}_p, \mathsf{pdecrypt}_p, \mathsf{checksignature}, \mathsf{getmessage}\}$ in $P_0$, $P = \mathsf{let}\ y = 1\mathsf{th}_n(x)\ \mathsf{in}\ \mathsf{if}\ y = ct\ \mathsf{then}\ P'$ for some $ct$ and $P'$. In every occurrence of $\mathsf{nmrchecksign}$ in $P_0$, its third argument is $(ct, M_1, \ldots, M_n)$ for some $ct, M_1, \ldots, M_n$.

C5. The destructor applications (including equality tests) have no else branches. There exists a trace of $P_0$ (without adversary) in which all program points are executed exactly once.

C6. The second argument of $\mathsf{pencrypt}_p$ in the trace of Condition C5 is of the form $\mathsf{pk}(M)$ for some $M$.

C7. The arguments of $\mathsf{pk}$ and $\mathsf{host}$ in the trace of Condition C5 are atomic constants (free names or names created by restrictions not under inputs, non-deterministic destructor applications, or replications) and they are not tags.

Condition C1 limits the set of allowed constructors and destructors. We could give conditions on the form of allowed destructor rules, but these conditions are complex, so it is simpler and more intuitive to give an explicit list. Condition C2 states that all channels must be public. This condition avoids the need for the predicate $\mathsf{message}$. Condition C3 guarantees that tags are added in all messages, and Condition C4 guarantees that tags are always checked. In most cases, the trace of Condition C5 is simply the intended execution of the protocol. All terms that occur in the trace of Condition C5 have pairwise distinct tags (since each program point is executed at most once, and tags at different program points are different by Condition C3).
We can prove that it also guarantees that the terms of all clauses generated for the process $P_0$ have instances in the set of terms that occur in the trace of Condition C5 (using the fact that all program points are executed at least once). These properties are key in the termination proof. More concretely, Condition C5 means that, after removing replications of $P_0$, the resulting process has a trace that executes each program point (at least) once. In this trace, all destructor applications succeed and the process reduces to a configuration with an empty set of processes. Since, after removing replications, the number of traces of a process is always finite, Condition C5 is decidable. Condition C6 means that, in its intended execution, the protocol uses public-key encryption only with public keys, and Condition C7 means that long-term secret (symmetric and asymmetric) keys are atomic constants.

Example 14 A tagged protocol can easily be obtained by tagging the Needham-Schroeder-Lowe protocol. The tagged protocol consists of the following messages:

Message 1. $A \to B$: $\{ct_0, a, pk_A\}_{pk_B}$
Message 2. $B \to A$: $\{ct_1, a, b, pk_B\}_{pk_A}$
Message 3. $A \to B$: $\{ct_2, b\}_{pk_B}$

Each encryption is tagged with a different tag $ct_0$, $ct_1$, and $ct_2$. This protocol can be represented in our calculus by the following process $P$ (the tags checked in $P_B$ are those of the messages it receives, $ct_0$ for Message 1 and $ct_2$ for Message 3, and it decrypts the message $m'$ it has just input):

$P_A(sk_A, pk_A, pk_B) = {!}c(x_{pk_B}).(\nu a)\mathsf{event}(e_1(pk_A, x_{pk_B}, a)).(\nu r_1)\overline{c}\langle \mathsf{pencrypt}_p((ct_0, a, pk_A), x_{pk_B}, r_1) \rangle.$
$\quad c(m).\mathsf{let}\ (=ct_1, =a, x_b, =x_{pk_B}) = \mathsf{pdecrypt}_p(m, sk_A)\ \mathsf{in}$
$\quad \mathsf{event}(e_3(pk_A, x_{pk_B}, a, x_b)).(\nu r_3)\overline{c}\langle \mathsf{pencrypt}_p((ct_2, x_b), x_{pk_B}, r_3) \rangle.$
$\quad \mathsf{if}\ x_{pk_B} = pk_B\ \mathsf{then}\ \mathsf{event}(e_A(pk_A, x_{pk_B}, a, x_b)).\overline{c}\langle \mathsf{sencrypt}((ct_3, sAa), a) \rangle.\overline{c}\langle \mathsf{sencrypt}((ct_4, sAb), x_b) \rangle$

$P_B(sk_B, pk_B, pk_A) = {!}c(m').\mathsf{let}\ (=ct_0, x_a, x_{pk_A}) = \mathsf{pdecrypt}_p(m', sk_B)\ \mathsf{in}$
$\quad (\nu b)\mathsf{event}(e_2(x_{pk_A}, pk_B, x_a, b)).(\nu r_2)\overline{c}\langle \mathsf{pencrypt}_p((ct_1, x_a, b, pk_B), x_{pk_A}, r_2) \rangle.$
$\quad c(m'').\mathsf{let}\ (=ct_2, =b) = \mathsf{pdecrypt}_p(m'', sk_B)\ \mathsf{in}$
$\quad \mathsf{if}\ x_{pk_A} = pk_A\ \mathsf{then}\ \mathsf{event}(e_B(x_{pk_A}, pk_B, x_a, b)).\overline{c}\langle \mathsf{sencrypt}((ct_5, sBa), x_a) \rangle.\overline{c}\langle \mathsf{sencrypt}((ct_6, sBb), b) \rangle$

$P_T = {!}c(x_1).c(x_2).\overline{c}\langle x_2 \rangle.(c(x_3).c(x_4) \mid c(x_5).c(x_6))$

$P = (\nu sk_A)(\nu sk_B)\ \mathsf{let}\ pk_A = \mathsf{pk}(sk_A)\ \mathsf{in}\ \mathsf{let}\ pk_B = \mathsf{pk}(sk_B)\ \mathsf{in}\ \overline{c}\langle pk_A \rangle.\overline{c}\langle pk_B \rangle.(P_A(sk_A, pk_A, pk_B) \mid P_B(sk_B, pk_B, pk_A) \mid P_T)$

The encryptions that are used for testing the secrecy of nonces are also tagged, with tags $ct_3$ to $ct_6$. Furthermore, a process $P_T$ is added in order to satisfy Condition C5, because, without $P_T$, in the absence of adversary, the process would block when it tries to send the public keys $pk_A$ and $pk_B$. The execution of Condition C5 is the intended execution of the protocol. In this execution, the process $P_T$ receives the public keys $pk_A$ and $pk_B$; it forwards $pk_B$ on channel $c$ to $P_A$, so that a session between $A$ and $B$ starts. Then $A$ and $B$ run this session normally, and finally output the encryptions of $sAa$, $sAb$, $sBa$, and $sBb$; these encryptions are received by $P_T$. The other conditions of Definition 15 are easy to check, so $P$ is tagged. Proposition 3 below applies to $P$, and also to the process without $P_T$, because the addition of $P_T$ in fact does not change the clauses. (The only clause generated from $P_T$ is a tautology, immediately removed by $\mathsf{elimtaut}$.)

We prove the following termination result in Appendix D:

Proposition 3 For $\mathit{sel} = \mathit{sel}_0$, the algorithm terminates on tagged protocols for queries of the form $\alpha \Rightarrow \mathsf{false}$ when $\alpha$ is closed and all facts in $F_{\mathit{not}}$ are closed.
The proof first considers the particular case in which $\mathsf{pk}$ and $\mathsf{host}$ have a single argument in the execution of Condition C5, and then generalizes by mapping all arguments of $\mathsf{pk}$ and $\mathsf{host}$ (which are atomic constants by Condition C7) to a single constant. The proof of the particular case proceeds in two steps. The first step shows that the clauses generated from a tagged protocol satisfy the conditions of [20]. Basically, these conditions require that the clauses for the protocol satisfy the following properties:

T1. The patterns in the clauses are tagged, that is, the first argument of all occurrences of constructors except tuples, $\mathsf{pk}$, and $\mathsf{host}$ is of the form $(ct, M_1, \ldots, M_n)$. The proof of this property relies on Conditions C3 and C4.

T2. Let $S_1$ be the set of subterms of patterns that correspond to the terms that occur in the execution of Condition C5. Every clause has an instance in which all patterns are in $S_1$. The proof of this property relies on Condition C5.

T3. Each non-variable, non-data tagged pattern has at most one instance in $S_1$. (A pattern is said to be non-data when it is not of the form $f(\ldots)$ with $f$ a data constructor, that is, here, a tuple.) This property comes from Condition C3, which guarantees that the tags at distinct occurrences are distinct, and, for $\mathsf{pk}(p)$ and $\mathsf{host}(p)$, from the hypothesis that $\mathsf{pk}$ and $\mathsf{host}$ have a single argument in the execution of Condition C5.

Note that the patterns in the clauses (Rf) and (Rg) that come from constructors and destructors are not tagged, so we need to handle them specially; Conditions C1 and C6 are useful for that. The second step of the proof uses the result of [20] in order to conclude termination. Basically, this result shows that Properties T1 and T2 are preserved by resolution.
The proof of this result relies on the fact that, if two non-variable non-data tagged patterns unify and have instances in $S_1$, then their instances in $S_1$ are equal (by T3). So, when unifying two such patterns, their unification still has an instance in $S_1$. Furthermore, we show that the size of the instance in $S_1$ of a clause obtained by resolution is not greater than the size of the instance in $S_1$ of one of the initial clauses. Hence, we can bound the size of the instance in $S_1$ of generated clauses, which shows that only finitely many clauses are generated.

The hypothesis that all facts in $F_{\mathit{not}}$ are closed is not really a restriction, since we can always remove facts from $F_{\mathit{not}}$ without changing the result. (It may just slow down the resolution.) The restriction to queries $\alpha \Rightarrow \mathsf{false}$ allows us to remove $\mathsf{m\text{-}event}$ facts from clauses (by Remark 3). For more general queries, $\mathsf{m\text{-}event}$ facts may occur in clauses, and one can find examples on which the algorithm does not terminate. Here is such an example:

$P_S = c'_1(y);\ \mathsf{let}\ z = \mathsf{sencrypt}((ct_0, y), k_{SB})\ \mathsf{in}\ \overline{c'_2}\langle \mathsf{sencrypt}((ct_2, \mathsf{sencrypt}((ct_1, z), k_{SA})), k_{SB}) \rangle;\ \mathsf{event}(h((ct_3, y)));\ \overline{c'_3}\langle z \rangle$
$P_B = c'_2(z');\ c'_3(z);\ \mathsf{let}\ (=ct_0, y) = \mathsf{sdecrypt}(z, k_{SB})\ \mathsf{in}\ \mathsf{let}\ (=ct_2, y') = \mathsf{sdecrypt}(z', k_{SB})\ \mathsf{in}\ \mathsf{event}(h((ct_4, y, y')));\ \overline{c'_4}\langle y' \rangle$
$P_0 = (\nu k_{SB});\ (\overline{c'_1}\langle C_0 \rangle \mid {!}P_S \mid {!}P_B \mid c'_4(y'))$

This example has been built on purpose for exhibiting non-termination, since we did not meet such non-termination cases in our experiments with real protocols. One can interpret this example as follows. The participant $A$ shares a key $k_{SA}$ with a server $S$. Similarly, $B$ shares a key $k_{SB}$ with $S$. The code of $S$ is represented by $P_S$, the code of $B$ by $P_B$, and $A$ is assumed to be dishonest, so it is represented by the adversary.
The process $P_S$ builds two tickets $\mathsf{sencrypt}((ct_0, y), k_{SB})$ and $\mathsf{sencrypt}((ct_2, \mathsf{sencrypt}((ct_1, \mathsf{sencrypt}((ct_0, y), k_{SB})), k_{SA})), k_{SB})$. The first ticket is for $B$; the second ticket should first be decrypted by $B$, then sent to $A$, which is going to decrypt it again and send it back to $B$. In the example, $P_B$ just decrypts the two tickets and forwards the second one to $A$. It is easy to check that this process is a tagged protocol. This process generates the following clauses:
$$\mathsf{attacker}(y) \Rightarrow \mathsf{attacker}(\mathsf{sencrypt}((ct_2, \mathsf{sencrypt}((ct_1, \mathsf{sencrypt}((ct_0, y), k_{SB})), k_{SA})), k_{SB})) \tag{19}$$
$$\mathsf{attacker}(y) \wedge \mathsf{m\text{-}event}(h((ct_3, y))) \Rightarrow \mathsf{attacker}(\mathsf{sencrypt}((ct_0, y), k_{SB})) \tag{20}$$
$$\mathsf{attacker}(\mathsf{sencrypt}((ct_0, y), k_{SB})) \wedge \mathsf{attacker}(\mathsf{sencrypt}((ct_2, y'), k_{SB})) \wedge \mathsf{m\text{-}event}(h((ct_4, y, y'))) \Rightarrow \mathsf{attacker}(y') \tag{21}$$
$$\mathsf{attacker}(C_0) \tag{22}$$
The first two clauses come from $P_S$, the third one from $P_B$, and the last one from the output in $P_0$. Obviously, clauses (Init) (in particular $\mathsf{attacker}(k_{SA})$ since $k_{SA} \in \mathit{fn}(P_0)$), (Rf) for $\mathsf{sencrypt}$ and $h$, and (Rg) for $\mathsf{sdecrypt}$ are also generated. Assuming the first hypothesis is selected in (21), the solving algorithm performs a resolution step between (20) and (21), which yields:
$$\mathsf{attacker}(y) \wedge \mathsf{attacker}(\mathsf{sencrypt}((ct_2, y'), k_{SB})) \wedge \mathsf{m\text{-}event}(h((ct_3, y))) \wedge \mathsf{m\text{-}event}(h((ct_4, y, y'))) \Rightarrow \mathsf{attacker}(y')$$
The second hypothesis is selected in this clause.
By resolving with (19), we obtain
$$\mathsf{attacker}(y) \wedge \mathsf{attacker}(y') \wedge \mathsf{m\text{-}event}(h((ct_3, y))) \wedge \mathsf{m\text{-}event}(h((ct_4, y, \mathsf{sencrypt}((ct_1, \mathsf{sencrypt}((ct_0, y'), k_{SB})), k_{SA})))) \Rightarrow \mathsf{attacker}(\mathsf{sencrypt}((ct_1, \mathsf{sencrypt}((ct_0, y'), k_{SB})), k_{SA}))$$
By applying (Rg) for $\mathsf{sdecrypt}$ and resolving with $\mathsf{attacker}(ct_1)$ and $\mathsf{attacker}(k_{SA})$, we obtain:
$$\mathsf{attacker}(y) \wedge \mathsf{attacker}(y') \wedge \mathsf{m\text{-}event}(h((ct_3, y))) \wedge \mathsf{m\text{-}event}(h((ct_4, y, \mathsf{sencrypt}((ct_1, \mathsf{sencrypt}((ct_0, y'), k_{SB})), k_{SA})))) \Rightarrow \mathsf{attacker}(\mathsf{sencrypt}((ct_0, y'), k_{SB}))$$
This clause is similar to (20), so we can repeat this resolution process, resolving with (21), (19), and decrypting the conclusion. Hence we obtain
$$\bigwedge_{j=1}^{n} \mathsf{attacker}(y_j) \wedge \mathsf{m\text{-}event}(h((ct_3, y_1))) \wedge \bigwedge_{j=1}^{n-1} \mathsf{m\text{-}event}(h((ct_4, y_j, \mathsf{sencrypt}((ct_1, \mathsf{sencrypt}((ct_0, y_{j+1}), k_{SB})), k_{SA})))) \Rightarrow \mathsf{attacker}(\mathsf{sencrypt}((ct_0, y_n), k_{SB}))$$
for all $n > 0$, so the algorithm does not terminate.

As noticed in [20], termination could be obtained in the presence of $\mathsf{m\text{-}event}$ facts with an additional simplification:

Elimination of useless $\mathsf{m\text{-}event}$ facts: $\mathsf{elim\text{-}m\text{-}event}$ eliminates $\mathsf{m\text{-}event}$ facts in which a variable $x$ occurs, when $x$ only occurs in $\mathsf{m\text{-}event}$ facts and in $\mathsf{attacker}(x)$ hypotheses.

This simplification is always sound, because it creates a stronger clause. It does not lead to a loss of precision when all variables of the events after also occur in the event before. (This happens in particular for non-injective agreement.) Indeed, assume that $\mathsf{m\text{-}event}(p)$ contains a variable which does not occur in the conclusion.
This is preserved by resolution, so when we obtain a clause $\mathsf{m\text{-}event}(p') \wedge H \Rightarrow \mathsf{event}(p'')$, where $\mathsf{m\text{-}event}(p')$ comes from $\mathsf{m\text{-}event}(p)$, $p'$ contains a variable that does not occur in $p''$, so this occurrence of $\mathsf{m\text{-}event}(p')$ cannot be used to prove the desired correspondence. However, in the general case, this simplification leads to a loss of precision. (It may miss some $\mathsf{m\text{-}event}$ facts.) That is why this optimization was present in early implementations which verified only authentication, and was later abandoned. We could reintroduce it when all variables of the events after also occur in the event before, if we had termination problems coming from $\mathsf{m\text{-}event}$ facts for practical examples. No such problems have occurred up to now.

8.2 Choice of the Selection Function

Unfortunately, not all protocols are tagged. In particular, protocols using a Diffie-Hellman key agreement (see Section 9.1) are not tagged in the sense of Definition 15. The algorithm still terminates for some of them (Skeme [52] for secrecy, SSH) with the previous selection function $\mathit{sel}_0$. However, it does not terminate with the selection function $\mathit{sel}_0$ for some other examples (Skeme [52] for one authentication property, the Needham-Schroeder shared-key protocol [60], some versions of the Woo-Lam shared-key protocol [70] and [5, Example 6.2]). In this section, we present heuristics to improve the choice of the selection function, in order to avoid most simple non-termination cases. As reported in more detail in Section 10, these heuristics provide termination for Skeme [52] and the Needham-Schroeder shared-key protocol [60].

Let us determine which constraints the selection function should satisfy to avoid loops in the algorithm. First, assume that there is a clause $H \wedge F \Rightarrow \sigma F$, where $\sigma$ is a substitution such that all $\sigma^n F$ are distinct for $n \in \mathbb{N}$.
• Assume that $F$ is selected in this clause, and there is a clause $H' \Rightarrow F'$, where $F'$ unifies with $F$, and the conclusion is selected in $H' \Rightarrow F'$. Let $\sigma'$ be the most general unifier of $F$ and $F'$. So the algorithm generates:
$$\sigma' H' \wedge \sigma' H \Rightarrow \sigma' \sigma F \qquad \ldots \qquad \sigma' H' \wedge \bigwedge_{i=0}^{n-1} \sigma' \sigma^i H \Rightarrow \sigma' \sigma^n F$$
assuming that the conclusion is selected in all these clauses, and that no clause is removed because it is subsumed by another clause. So the algorithm would not terminate. Therefore, in order to avoid this situation, we should avoid selecting $F$ in the clause $H \wedge F \Rightarrow \sigma F$.

• Assume that the conclusion is selected in the clause $H \wedge F \Rightarrow \sigma F$, and there is a clause $H' \wedge \sigma' F \Rightarrow C$ (up to renaming of variables), where $\sigma'$ commutes with $\sigma$ (in particular, when $\sigma$ and $\sigma'$ have disjoint supports), and that $\sigma' F$ is selected in this clause. So the algorithm generates:
$$\sigma' H \wedge \sigma H' \wedge \sigma' F \Rightarrow \sigma C \qquad \ldots \qquad \bigwedge_{i=0}^{n-1} \sigma' \sigma^i H \wedge \sigma^n H' \wedge \sigma' F \Rightarrow \sigma^n C$$
assuming that $\sigma' F$ is selected in all these clauses, and that no clause is removed because it is subsumed by another clause. So the algorithm would not terminate. Therefore, in order to avoid this situation, if the conclusion is selected in the clause $H \wedge F \Rightarrow \sigma F$, we should avoid selecting facts of the form $\sigma' F$, where $\sigma'$ and $\sigma$ have disjoint supports, in other clauses.

In particular, since there are clauses of the form $\mathsf{attacker}(x_1) \wedge \ldots \wedge \mathsf{attacker}(x_n) \Rightarrow \mathsf{attacker}(f(x_1, \ldots, x_n))$, by the first remark, the facts $\mathsf{attacker}(x_i)$ should not be selected in this clause. So the conclusion will be selected in this clause and, by the second remark, facts of the form $\mathsf{attacker}(x)$ with $x$ variable should not be selected in other clauses. We find again the constraint used in the definition of $\mathit{sel}_0$.

We also have the following similar remarks after swapping conclusion and hypothesis.
Assume that there is a clause $H \wedge \sigma F \Rightarrow F$, where $\sigma$ is a substitution such that all $\sigma^n F$ are distinct for $n \in \mathbb{N}$. We should avoid selecting the conclusion in this clause and, if we select $\sigma F$ in this clause, we should avoid selecting conclusions of the form $\sigma' F$, where $\sigma'$ and $\sigma$ have disjoint supports, in other clauses.

We define a selection function that takes into account all these remarks. For a clause $H \Rightarrow C$, we define the weight $w_{\mathit{hyp}}(F)$ of a fact $F \in H$ by:
$$w_{\mathit{hyp}}(F) = \begin{cases} -\infty & \text{if } F \text{ is an unselectable fact} \\ -2 & \text{if } \exists \sigma,\ \sigma F = C \\ -1 & \text{otherwise, if } F \in S_{\mathit{hyp}} \\ 0 & \text{otherwise.} \end{cases}$$
The set $S_{\mathit{hyp}}$ is defined as follows: at the beginning, $S_{\mathit{hyp}} = \emptyset$; if we generate a clause $H \wedge F \Rightarrow \sigma F$ where $\sigma$ is a substitution that maps variables of $F$ to terms that are not all variables and, in this clause, we select the conclusion, then we add to $S_{\mathit{hyp}}$ all facts $\sigma' F$ with $\sigma$ and $\sigma'$ of disjoint support (and renamings of these facts). For simplicity, we have replaced the condition "all $\sigma^n F$ are distinct for $n \in \mathbb{N}$" with "$\sigma$ maps variables of $F$ to terms that are not all variables". (The former implies the latter but the converse is wrong.) Our aim is only to obtain good heuristics, since there exists no perfect selection function that would provide termination in all cases. The set $S_{\mathit{hyp}}$ can easily be represented finitely: just store the facts $F$ with, for each variable, a flag indicating whether this variable can be substituted by any term by $\sigma'$, or only by a variable. Similarly, we define the weight of the conclusion:
$$w_{\mathit{concl}} = \begin{cases} -2 & \text{if } \exists \sigma, \exists F \in H,\ \sigma C = F \\ -1 & \text{otherwise, if } C \in S_{\mathit{concl}} \\ 0 & \text{otherwise.} \end{cases}$$
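The weights $w_{\mathit{hyp}}$ and $w_{\mathit{concl}}$, the flag representation of $S_{\mathit{hyp}}$ and $S_{\mathit{concl}}$, and the selection functions $\mathit{sel}_1$ and $\mathit{sel}_2$ that this section builds from them, as an added toy implementation that is not the verifier's code. It assumes that the only unselectable facts are $\mathsf{attacker}(x)$ with $x$ a variable, and the clauses it runs on (with a free name $k$ and tags omitted) are constructed for the demonstration.

```python
"""Toy implementation of the selection heuristics of Section 8.2 (added example,
not ProVerif code). Terms and clauses are constructed; the only unselectable
facts are attacker(x) with x a variable, the constraint inherited from sel_0."""
import math

# A variable is a str starting with '?'; an application is (symbol, args tuple).
def app(sym, *args): return (sym, tuple(args))
def att(t): return app('attacker', t)             # the fact attacker(t)
def is_var(t): return isinstance(t, str) and t.startswith('?')

def size(t):
    return 1 if is_var(t) else 1 + sum(size(a) for a in t[1])

def match(pattern, term, subst=None, only_vars=frozenset()):
    """One-way matching: a substitution sigma with sigma(pattern) == term, or None.
    Variables listed in `only_vars` may only be bound to variables: this is the
    per-variable flag that keeps S_hyp / S_concl finite."""
    subst = {} if subst is None else subst
    if is_var(pattern):
        if pattern in only_vars and not is_var(term):
            return None
        if pattern in subst:
            return subst if subst[pattern] == term else None
        subst[pattern] = term
        return subst
    if is_var(term) or pattern[0] != term[0] or len(pattern[1]) != len(term[1]):
        return None
    for p, t in zip(pattern[1], term[1]):
        if match(p, t, subst, only_vars) is None:
            return None
    return subst

def non_trivial(sigma):
    """'sigma maps variables of F to terms that are not all variables'."""
    return sigma is not None and not all(is_var(t) for t in sigma.values())

class FlaggedSet:
    """S_hyp or S_concl: each stored F carries supp(sigma), the variables that a
    sigma' of disjoint support may only rename; membership is matching with flags."""
    def __init__(self): self.entries = []
    def add(self, fact, fixed): self.entries.append((fact, frozenset(fixed)))
    def __contains__(self, fact):
        return any(match(f, fact, only_vars=fx) is not None for f, fx in self.entries)

def unselectable(fact):
    return fact[0] == 'attacker' and is_var(fact[1][0])

def w_hyp(fact, concl, s_hyp, use_size):
    if unselectable(fact): return -math.inf
    if match(fact, concl) is not None: return -2  # C = sigma F: the loop shape H ∧ F ⇒ σF
    if fact in s_hyp: return -1
    return size(fact) if use_size else 0          # sel_2 prefers bigger facts

def w_concl(hyps, concl, s_concl):
    if any(match(concl, f) is not None for f in hyps): return -2  # shape H ∧ σF ⇒ F
    if concl in s_concl: return -1
    return 0

def select(hyps, concl, s_hyp, s_concl, use_size=False):
    """sel_1 (use_size=False) or sel_2 (use_size=True) for the clause hyps ⇒ concl.
    Returns the selected hypothesis, or None when the conclusion is selected."""
    wc = w_concl(hyps, concl, s_concl)
    ws = [w_hyp(f, concl, s_hyp, use_size) for f in hyps]
    if all(w < wc for w in ws): return None
    return hyps[ws.index(max(ws))]                # first hypothesis of maximum weight

def record(hyps, concl, selected, s_hyp, s_concl):
    """Grow S_hyp / S_concl after the selection for hyps ⇒ concl has been made."""
    if selected is None:                          # H ∧ F ⇒ σF with conclusion selected
        for f in hyps:
            sigma = match(f, concl)
            if non_trivial(sigma): s_hyp.add(f, {v for v, t in sigma.items() if t != v})
    else:                                         # H ∧ σF ⇒ F with σF selected
        sigma = match(concl, selected)
        if non_trivial(sigma): s_concl.add(concl, {v for v, t in sigma.items() if t != v})

def demo():
    """Selections on constructed clauses (k is a free name, tags are omitted)."""
    s_hyp, s_concl = FlaggedSet(), FlaggedSet()
    k, out = app('k'), {}
    # (Rf) attacker(x1) ∧ attacker(x2) ⇒ attacker(f(x1,x2)): both facts unselectable.
    out['rf'] = select([att('?x1'), att('?x2')], att(app('f', '?x1', '?x2')), s_hyp, s_concl)
    # H ∧ F ⇒ σF with F = attacker(sencrypt(y,k)) and σ = {y ↦ sencrypt(y,k)}:
    # F gets weight -2, so the conclusion is selected instead of looping on F.
    F = att(app('sencrypt', '?y', k))
    loop = ([att('?y'), F], att(app('sencrypt', app('sencrypt', '?y', k), k)))
    out['loop'] = select(*loop, s_hyp, s_concl)
    record(*loop, out['loop'], s_hyp, s_concl)   # σ'F shapes now live in S_hyp
    # attacker(sencrypt(z,k)) is a renaming of F, weight -1: the other fact wins.
    out['other'] = select([att(app('sencrypt', '?z', k)), att(app('g', '?z'))],
                          att('?z'), s_hyp, s_concl)
    # (Rg) for sdecrypt: the conclusion is an instance of the first hypothesis,
    # so w_concl = -2 and that hypothesis is selected.
    out['rg'] = select([att(app('sencrypt', '?x', '?k')), att('?k')], att('?x'), s_hyp, s_concl)
    # Tie at weight 0: sel_1 takes the first fact, sel_2 the bigger one.
    big = ([att(app('h', '?b')), att(app('pair', '?b', '?c'))], att(app('g', '?b')))
    out['sel1'] = select(*big, s_hyp, s_concl)
    out['sel2'] = select(*big, s_hyp, s_concl, use_size=True)
    return out
```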
The set $S_{\mathit{concl}}$ is defined as follows: at the beginning, $S_{\mathit{concl}} = \emptyset$; if we generate a clause $H \wedge \sigma F \Rightarrow F$ where $\sigma$ is a substitution that maps variables of $F$ to terms that are not all variables and, in this clause, we select $\sigma F$, then we add to $S_{\mathit{concl}}$ all facts $\sigma' F$ with $\sigma$ and $\sigma'$ of disjoint support (and renamings of these facts). Finally, we define
$$\mathit{sel}_1(H \Rightarrow C) = \begin{cases} \emptyset & \text{if } \forall F \in H,\ w_{\mathit{hyp}}(F) < w_{\mathit{concl}} \\ \{F_0\} \text{ where } F_0 \in H \text{ has maximum weight} & \text{otherwise.} \end{cases}$$
Therefore, we avoid unifying facts of smallest weight when that is possible. The selected fact $F_0$ can be any element of $H$ of maximum weight. In the implementation, the hypotheses are represented by a list, and the selected fact is the first element of the list of hypotheses of maximum weight.

We can also notice that the bigger the fact is, the stronger the constraints are to unify it with another fact. So selecting a bigger fact should reduce the possible unifications. Therefore, we consider $\mathit{sel}_2$, defined as $\mathit{sel}_1$ except that $w_{\mathit{hyp}}(F) = \mathit{size}(F)$ instead of $0$ in the last case.

When selecting a fact that has a negative weight, we are in one of the cases in which termination will probably not be achieved. We therefore emit a warning in this case, so that the user can stop the program.

9 Extensions

In this section, we briefly sketch a few extensions to the framework presented previously. The extensions of Sections 9.1, 9.2, and 9.3 were presented in [18] for the proof of process equivalences. We sketch here how to adapt them to the proof of correspondences.

9.1 Equational Theories and Diffie-Hellman Key Agreements

Up to now, we have defined cryptographic primitives by associating rewrite rules to destructors. Another way of defining primitives is by equational theories, as in the applied pi calculus [4].
This allows us to model, for instance, variants of encryption for which the failure of decryption cannot be detected, or more complex primitives such as Diffie-Hellman key agreements. The Diffie-Hellman key agreement [38] enables two principals to build a shared secret. It is used as an elementary step in more complex protocols, such as Skeme [52], SSH, SSL, and IPsec.

As shown in [18], our verifier can be extended to handle some equational theories. Basically, one shows that each trace in a model with an equational theory corresponds to a trace in a model in which function symbols are equipped with additional rewrite rules, and conversely. (We could adapt [18, Lemma 1] to show that this result also applies to correspondences.) Therefore, we can show that a correspondence proved in the model with rewrite rules implies the same correspondence in the model with an equational theory. Moreover, we have implemented algorithms that compute the rewrite rules from an equational theory.

In the experiments reported in this paper, we use equational theories only for the Diffie-Hellman key agreement, which can be modeled by using two functions $f$ and $f'$ that satisfy the equation
$$f(y, f'(x)) = f(x, f'(y)). \tag{23}$$
In practice, the functions are $f(x, y) = y^x \bmod p$ and $f'(x) = b^x \bmod p$, where $p$ is prime and $b$ is a generator of $\mathbb{Z}_p^*$. The equation $f(y, f'(x)) = (b^x)^y \bmod p = (b^y)^x \bmod p = f(x, f'(y))$ is satisfied. In our verifier, following the ideas used in the applied pi calculus [4], we do not consider the underlying number theory; we work abstractly with the equation (23).

The Diffie-Hellman key agreement involves two principals $A$ and $B$. $A$ chooses a random name $x_0$, and sends $f'(x_0)$ to $B$. Similarly, $B$ chooses a random name $x_1$, and sends $f'(x_1)$ to $A$. Then $A$ computes $f(x_0, f'(x_1))$ and $B$ computes $f(x_1, f'(x_0))$.
Both values are equal by (23), and they are secret: assuming that the attacker cannot have $x_0$ or $x_1$, it can compute neither $f(x_0, f'(x_1))$ nor $f(x_1, f'(x_0))$.

In our verifier, the equation (23) is translated into the rewrite rules

$$f(y, f'(x)) \to f(x, f'(y)) \qquad\qquad f(x, y) \to f(x, y).$$

Notice that this definition of $f$ is non-deterministic: a term such as $f(a, f'(b))$ can be reduced to $f(b, f'(a))$ and to $f(a, f'(b))$, so that $f(a, f'(b))$ reduces to its two forms modulo the equational theory. The fact that these rewrite rules model the equation (23) correctly follows from [18, Section 5].

When using this model, we have to adapt the verification of correspondences. Indeed, the conditions on the clauses must be checked modulo the equational theory. (Using the rewrite rules, we can implement unification modulo the equational theory, basically by rewriting the terms by the rewrite rules before performing syntactic unification.) For example, in the case of non-injective agreement, even if the process $P_0$ satisfies non-injective agreement against $Init$-adversaries, it may happen that a clause

$$m\text{-}event(e'(p_1, \ldots, p_n)\{f(p_2, f'(p_1))/z\}) \Rightarrow event(e(p_1, \ldots, p_n)\{f(p_1, f'(p_2))/z\})$$

is in $solve_{P'_0, Init}(event(e(x_1, \ldots, x_n)))$. The specification is still satisfied in this case, because $(p_1, \ldots, p_n)\{f(p_1, f'(p_2))/z\} = (p_1, \ldots, p_n)\{f(p_2, f'(p_1))/z\}$ modulo the equational theory. So we have to test that, if $H \Rightarrow event(e(p_1, \ldots, p_n))$ is in $solve_{P'_0, Init}(event(e(x_1, \ldots, x_n)))$, then there exist $p'_1, \ldots, p'_n$ equal to $p_1, \ldots, p_n$ modulo the equational theory such that $m\text{-}event(e'(p'_1, \ldots, p'_n)) \in H$. More generally, the equality

$$R = H \wedge m\text{-}event(\sigma' p_{j1}) \wedge \ldots \wedge m\text{-}event(\sigma' p_{j l_j}) \Rightarrow event(\sigma' p'_j)$$

in the hypothesis of Theorem 3 is checked modulo the equational theory (using matching modulo the equational theory to find $\sigma'$). Point V2.1 of the definition of $verify$ and Hypothesis H2 of Theorem 5 are also checked modulo the equational theory. Furthermore, the following condition is added to Point V2.2 of the definition of $verify$: for all $j$, $r$, and $k$, we let $q_c = \sigma_{jr} q_{jk}$ and $p_c = \sigma_{jr} p_{jk}$, and we require that, for all substitutions $\sigma$ and $\sigma'$, if $\sigma p_c = \sigma' p_c$ and, for all $x \in fv(q_c) \setminus fv(p_c)$, $\sigma x = \sigma' x$, then $\sigma q_c = \sigma' q_c$ (where equalities are considered modulo the equational theory). This property is useful in the proof of Theorem 5 (see Appendix E). It always holds when the equational theory is empty, because $\sigma p_c = \sigma' p_c$ then implies that for all $x \in fv(p_c)$, $\sigma x = \sigma' x$, so for all $x \in fv(q_c)$, $\sigma x = \sigma' x$. However, it does not hold in general for an arbitrary equational theory, so we need to check it explicitly when the equational theory is non-empty.

In the implementation, this condition is checked as follows. Let $\theta$ be a renaming of the variables of $p_c$ to fresh variables. We check that, for every most general unifier $\sigma_u$ of $p_c$ and $\theta p_c$ modulo the equational theory, $\sigma_u q_c = \sigma_u \theta q_c$ modulo the equational theory. When this check succeeds, we can prove the condition above as follows. Let $\sigma_0$ be defined by, for all $x \in fv(p_c) \cup fv(q_c)$, $\sigma_0 x = \sigma x$ and, for all $x \in fv(\theta p_c)$, $\sigma_0 x = \sigma' \theta^{-1} x$. If $\sigma p_c = \sigma' p_c$, then $\sigma_0 p_c = \sigma p_c = \sigma' p_c = \sigma_0 \theta p_c$, so $\sigma_0$ unifies $p_c$ and $\theta p_c$, hence there exist $\sigma_1$ and a most general unifier $\sigma_u$ of $p_c$ and $\theta p_c$ such that $\sigma_0 = \sigma_1 \sigma_u$. We have $\sigma_u q_c = \sigma_u \theta q_c$, so $\sigma q_c = \sigma_0 q_c = \sigma_1 \sigma_u q_c = \sigma_1 \sigma_u \theta q_c = \sigma_0 \theta q_c = \sigma' q_c$ (the variables of $q_c$ not in $p_c$ are left unchanged by $\theta$, and $\sigma$ and $\sigma'$ agree on them by hypothesis).

This treatment of equations has the advantage that resolution can still use syntactic unification, so it remains efficient.
However, it also has limitations; for example, it cannot handle associative functions, such as XOR, because it would generate an infinite number of rewrite rules for the destructors. We refer to [28, 31] for treatments of XOR and to [27, 48, 56, 58] for treatments of Diffie-Hellman key agreements with more detailed algebraic relations. The NRL protocol analyzer handles a limited version of associativity for strings of bounded length [43], which we could handle.

9.2 Precise Treatment of else Branches

In the generation of clauses described in Section 5.2, we consider that the else branch of destructor applications may always be executed. Our implementation takes into account these else branches more precisely. In order to do that, it uses a set of special variables $GVar$ and a predicate $nounif$, also used in [18], such that, for all closed patterns $p$ and $p'$, $nounif(p, p')$ holds if and only if there is no closed substitution $\sigma$ with domain $GVar$ such that $\sigma p = \sigma p'$. The fact $nounif(p, p')$ means that $p \neq p'$ for all values of the special variables in $GVar$. One can then check the failure of an equality test $M = M'$ by $nounif(\rho(M), \rho(M'))$ and the failure of a destructor application $g(M_1, \ldots, M_n)$ by

$$\bigwedge_{g(p_1, \ldots, p_n) \to p \in def(g)} nounif((\rho(M_1), \ldots, \rho(M_n)), GVar(p_1, \ldots, p_n)),$$

where $GVar(p)$ is the pattern $p$ after renaming all its variables to elements of $GVar$ and $\rho$ is the environment that maps variables to their corresponding patterns. Intuitively, the rewrite rule $g(p_1, \ldots, p_n) \to p$ can be applied if and only if $(\rho(M_1), \ldots, \rho(M_n))$ is an instance of $(p_1, \ldots, p_n)$. So the rewrite rule $g(p_1, \ldots, p_n) \to p$ cannot be applied if and only if $nounif((\rho(M_1), \ldots, \rho(M_n)), GVar(p_1, \ldots, p_n))$.
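As an added example (not code from the paper or from its verifier), the following Python script implements, on a toy term representation, the ingredients sketched in Sections 9.1 and 9.2: the rewrite rule for equation (23), equality and unification modulo (23) obtained by rewriting before syntactic unification, the check of the condition added to Point V2.2 (with the renaming $\theta$), and the precise else-branch test of Section 9.2 through $nounif$, restricted here to closed arguments. The term encoding, the helper names (`dh_class`, `v22_check`, `else_branch_taken`) and the two destructor definitions are assumptions of this example.

```python
"""Terms as nested tuples: ('var', x) is a variable, ('name', a) a free name
and ('f', t1, ..., tn) an application of function symbol f; 'fp' stands for
the f' of equation (23).  All sample terms are constructed for this example."""
from itertools import product

def var(x): return ('var', x)
def name(a): return ('name', a)
def app(f, *args): return (f,) + tuple(args)
def is_var(t): return t[0] == 'var'
def is_name(t): return t[0] == 'name'

def subst(s, t):
    """Apply substitution s (dict var -> term, triangular form) to t."""
    if is_var(t):
        return subst(s, s[t]) if t in s else t
    return t if is_name(t) else (t[0],) + tuple(subst(s, a) for a in t[1:])

def vars_of(t):
    if is_var(t):
        return {t}
    return set() if is_name(t) else set().union(*(vars_of(a) for a in t[1:]))

def unify(t1, t2, s=None):
    """Syntactic most general unifier of t1 and t2 (extending s), or None."""
    s = {} if s is None else dict(s)
    t1, t2 = subst(s, t1), subst(s, t2)
    if t1 == t2:
        return s
    if is_var(t2) and not is_var(t1):
        t1, t2 = t2, t1
    if is_var(t1):
        if t1 in vars_of(t2):  # occurs check
            return None
        s[t1] = t2
        return s
    if is_name(t1) or is_name(t2) or t1[0] != t2[0] or len(t1) != len(t2):
        return None
    for a, b in zip(t1[1:], t2[1:]):
        s = unify(a, b, s)
        if s is None:
            return None
    return s

def dh_step(t):
    """All results of one application of f(y, f'(x)) -> f(x, f'(y)) in t."""
    if is_var(t) or is_name(t):
        return []
    out = []
    if t[0] == 'f' and len(t) == 3 and not is_var(t[2]) and t[2][0] == 'fp':
        out.append(app('f', t[2][1], app('fp', t[1])))
    for i in range(1, len(t)):
        out += [t[:i] + (a,) + t[i + 1:] for a in dh_step(t[i])]
    return out

def dh_class(t):
    """Equivalence class of t modulo (23): closure under the self-inverse
    rule above.  The rule preserves term size, so the class is finite."""
    seen, todo = {t}, [t]
    while todo:
        for v in dh_step(todo.pop()):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen

def equal_mod_dh(t1, t2):
    return t2 in dh_class(t1)

def unify_mod_dh(t1, t2):
    """Unifiers modulo (23): rewrite both sides in every possible way, then
    unify syntactically, as sketched in Section 9.1; duplicates are dropped."""
    found = []
    for u, v in product(dh_class(t1), dh_class(t2)):
        s = unify(u, v)
        if s is not None and s not in found:
            found.append(s)
    return found

def v22_check(p_c, q_c):
    """Condition added to Point V2.2: for every mgu sigma_u of p_c and a
    renamed copy theta p_c modulo (23), sigma_u q_c = sigma_u theta q_c."""
    theta = {v: var(v[1] + "'") for v in vars_of(p_c)}
    p_r, q_r = subst(theta, p_c), subst(theta, q_c)
    return all(equal_mod_dh(subst(s, q_c), subst(s, q_r))
               for s in unify_mod_dh(p_c, p_r))

# Section 9.2: destructor rewrite rules g(p1, ..., pn) -> p, constructed here.
DESTRUCTORS = {
    'dec': [(app('dec', app('enc', var('m'), var('k')), var('k')), var('m'))],
    'plusone': [(app('plusone', app('minusone', var('x'))), var('x'))],
}

def nounif(p, q):
    """nounif(p, q) for a closed pattern p and a rule pattern q whose variables
    play the role of GVar: holds iff p matches no closed instance of q."""
    return unify(q, p) is None

def else_branch_taken(g, closed_args):
    """Precise else-branch test of Section 9.2: g(args) fails, and only then
    is the else branch executed, iff nounif holds for every rule of g."""
    return all(nounif(app(g, *closed_args), lhs) for lhs, _ in DESTRUCTORS[g])
```

With $p_c = f(x, f'(y))$, `unify_mod_dh` finds two unifiers of $p_c$ with its renaming $f(x', f'(y'))$, one mapping $x$ to $x'$ and one mapping $x$ to $y'$; so `v22_check(p_c, x)` fails, since fixing $p_c$ modulo (23) does not fix $x$, whereas `v22_check(p_c, p_c)` and `v22_check(p_c, h(p_c, z))` succeed. For the else branches, `else_branch_taken('dec', [enc(m0, k1), k2])` is true while the same call with key `k1` is false; the coarse treatment of Section 5.2 would consider the else branch possible in both cases.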
The predicate $nounif$ is handled by specific simplification steps in the solver, described and proved correct in [18].

9.3 Scenarios with Several Stages

Some protocols can be broken into several parts, or stages, numbered 0, 1, ..., such that when the protocol starts, stage 0 is executed; at some point in time, stage 0 stops and stage 1 starts; later, stage 1 stops and stage 2 starts, and so on. Therefore, stages allow us to model a global clock. Our verifier can be extended to such scenarios with several stages, as summarized in [18]. We add a construct $t : P$ to the syntax of processes, which means that process $P$ runs only in stage $t$, where $t$ is an integer.

The generation of clauses can easily be extended to processes with stages. We use predicates $attacker_t$ and $message_t$ for each stage $t$, generate the clauses for the attacker for each stage, and the clauses for the protocol with predicates $attacker_t$ and $message_t$ for each process that runs in stage $t$. Furthermore, we add clauses

$$attacker_t(x) \Rightarrow attacker_{t+1}(x) \qquad (Rt)$$

in order to transmit attacker knowledge from each stage $t$ to the next stage $t + 1$.

Scenarios with several stages allow us to model properties related to the compromise of keys. For example, we can model forward secrecy properties as follows. Consider a public-key protocol $P$ (without stage prefix) and the process $P' = 0 : P \mid 1 : \overline{c}\langle sk_A \rangle; \overline{c}\langle sk_B \rangle$, which runs $P$ in stage 0 and later outputs the secret keys of $A$ and $B$ on the public channel $c$ in stage 1. If we prove that $P'$ preserves the secrecy of the session keys of $P$, then the attacker cannot obtain these session keys even if it later compromises the private keys of $A$ and $B$, which is forward secrecy.

9.4 Compromise of Session Keys

We consider the situation in which the attacker compromises some session keys of the protocol.
Our goal is then to show that the other session keys of the protocol are still safe. For example, this property does not hold for the Needham-Schroeder shared-key protocol [60]: in this protocol, when an attacker manages to get some session keys, it can also get the secrets of other sessions.

If we assume that the compromised sessions are all run before the standard sessions (to model that the adversary needs time to break the session keys before being able to use the obtained information against standard sessions), then this can be modeled as a scenario with two stages: in stage 0, the process runs a modified version of the protocol that outputs its session keys; in stage 1, the standard sessions run; we prove the security of the sessions of stage 1.

However, we can also consider a stronger model, in which the compromised sessions may run in parallel with the non-compromised ones. In this case, we have a single stage. Let $P_0$ be the process representing the whole protocol. We consider that the part of $P_0$ not under replications corresponds to the creation of long-term secrets, and the part of $P_0$ under at least one replication corresponds to the sessions. We say that the names generated under at least one replication in $P_0$ are session names. We add one argument $i_c$ to the function symbols $a[\ldots]$ that encode session names in the instrumented process $P'_0$; this additional argument is named compromise identifier and can take two values, $s_0$ or $s_1$. We consider that, during the execution of the protocol, each replicated subprocess $!Q_X$ of $P_0$ generates two sets of copies of $Q_X$, one with compromise identifier $s_0$, one with $s_1$. The attacker compromises sessions that involve only copies of processes $Q_X$ with the compromise identifier $s_0$. It does not compromise sessions that involve at least one copy of some process $Q_X$ with compromise identifier $s_1$.
The clauses for the process $P_0$ are generated as in Section 5.2 (except for the addition of a variable compromise identifier as argument of session names). The following clauses are added:

• For each constructor $f$,
  $$comp(x_1) \wedge \ldots \wedge comp(x_k) \Rightarrow comp(f(x_1, \ldots, x_k))$$

• For each $(\nu a : a[\ldots])$ under $n$ replications and $k$ inputs and non-deterministic destructor applications in $P'_0$,
  $$comp(x_1) \wedge \ldots \wedge comp(x_k) \Rightarrow comp(a[x_1, \ldots, x_k]) \qquad \text{if } n = 0$$
  $$comp(x_1) \wedge \ldots \wedge comp(x_k) \Rightarrow comp(a[x_1, \ldots, x_k, i_1, \ldots, i_n, s_0]) \qquad \text{if } n > 0$$
  $$comp(x_1) \wedge \ldots \wedge comp(x_k) \Rightarrow attacker(a[x_1, \ldots, x_k, i_1, \ldots, i_n, s_0]) \qquad \text{if } n > 0$$

The predicate $comp$ is such that $comp(p)$ is true when all session names in $p$ have compromise identifier $s_0$. These clauses express that the attacker has the session names that contain only the compromise identifier $s_0$. In order to prove the secrecy of a session name $s$, we query the fact $attacker(s[x_1, \ldots, x_k, i_1, \ldots, i_n, s_1])$. If this fact is underivable, then the protocol does not have the weakness of the Needham-Schroeder shared-key protocol mentioned above: the attacker cannot have the secret $s$ of a session that it has not compromised. In contrast, $attacker(s[x_1, \ldots, x_k, i_1, \ldots, i_n, s_0])$ is always derivable, since the attacker has compromised the sessions with identifier $s_0$.

We can also prove correspondences in the presence of key compromise. We want to prove that the non-compromised sessions are secure, so we prove that, if an event $event(M)$ has been executed in a copy of some $Q_X$ with compromise identifier $s_1$, then the required events $event(M_{jk})$ have been executed in any process.
(A copy of $Q_X$ with compromise identifier $s_1$ may interact with a copy of $Q_Y$ with compromise identifier $s_0$ and, in this case, the events $event(M_{jk})$ may be executed in the copy of $Q_Y$ with compromise identifier $s_0$.) We obtain this result by adding the compromise identifier $i_c$ as argument of the predicates $m\text{-}event$ and $event$ in clauses, and correspondingly adding $s_1$ as argument of $event(M)$ and $event(M_j)$, and a fresh variable as argument of the other events $event(M_{jk})$ in queries. We can then prove the correspondence in the same way as in the absence of key compromise. The treatment of correspondences whose premise is $attacker(M)$ or $message(M, M')$, in which $M$ and $M'$ do not contain bound names, remains unchanged.

10 Experimental Results

We have implemented our verifier in OCaml and have performed tests on various protocols of the literature. The tests reported here concern secrecy and authentication properties for simple examples of protocols. More complex examples have been studied, using our technique for proving correspondences. We do not detail them in this paper, because they have been the subject of specific papers [2, 3, 19].

Our results are summarized in Figure 6, with references to the papers that describe the protocols and the attacks. In these tests, the protocols are fully modeled, including interaction with the server for all versions of the Needham-Schroeder, Woo-Lam shared-key, Denning-Sacco, Otway-Rees, and Yahalom protocols. The first column indicates the name of the protocol; we use the following abbreviations: NS for Needham-Schroeder, PK for public-key, SK for shared-key, corr. for corrected, tag. for tagged, unid. for unidirectional, and bid. for bidirectional. We have tested the Needham-Schroeder shared-key protocol with the modeling of key compromise mentioned in Section 9.4, in which the compromised sessions can be executed in parallel with the non-compromised ones (version marked “comp.” in Figure 6). The second column indicates the number of Horn clauses that represent the protocol. The third column indicates the total number of resolution steps performed for analyzing the protocol. The fourth column gives the execution time of our analyzer, in ms, on a Pentium M 1.8 GHz. Several secrecy and agreement specifications are checked for each protocol. The time given is the total time needed to check all specifications. The following factors influence the speed of the system:

• We use secrecy assumptions to speed up the search. These assumptions say that the secret keys of the principals, and the random values of the Diffie-Hellman key agreement in the Skeme protocol, remain secret. On average, the verifier is two times slower without secrecy assumptions, in our tests.

• We mentioned several selection functions, and the speed of the system can vary substantially depending on the selection function. In the tests of Figure 6, we used the selection function $sel_2$. With $sel_1$, the system is two times slower on average on Needham-Schroeder shared-key, Otway-Rees, the variant of [63] of Otway-Rees, and Skeme, but faster on the bidirectional simplified Yahalom (59 ms instead of 91 ms). The speed is almost unchanged for our other tests. On average, the verifier is 1.8 times slower with $sel_1$ than with $sel_2$, in our tests. The selection function $sel_0$ gives approximately the same speed as $sel_1$, except for Skeme, for which the analysis does not terminate with $sel_0$. (We comment further on termination below.)

• The tests of Figure 6 have been performed without elimination of redundant hypotheses. With elimination of redundant hypotheses that contain $m\text{-}event$ facts, we obtain approximately the same speed.
With elimination of all redundant hypotheses, the verifier is 1.3 times slower on average in these tests, because of the time spent testing whether hypotheses are redundant.

When our tool successfully proves that a protocol satisfies a certain specification, we are sure that this specification indeed holds, by our soundness theorems. When our tool does not manage to prove that a protocol satisfies a certain specification, it finds at least one clause and a derivation of this clause that contradicts the specification. The existence of such a clause does not prove that there is an attack: it may correspond to a false attack, due to the approximations introduced by the Horn clause model. However, using an extension of the technique of [6] to events, in most cases, our tool reconstructs a trace of the protocol, and thus proves that there is actually an attack against the considered specification. In the tests of Figure 6, this reconstruction succeeds in all cases for secrecy and non-injective correspondences, in the absence of key compromise. The trace reconstruction is not implemented yet in the presence of key compromise (Section 9.4) or for injective correspondences. (It presents additional difficulties in the latter case, since the trace should execute some event twice and others once in order to contradict injectivity, while the derivation corresponds to the execution of events once, with badly related session identifiers.) In the cases in which trace reconstruction is not implemented, we have checked manually that the protocol is indeed subject to an attack, so our tool found no false attack in the tests of Figure 6: for all specifications that hold, it has proved them.

Protocol | # cl. | # res. steps | Time (ms) | Secrecy | A | B | Ref.
--- | --- | --- | --- | --- | --- | --- | ---
NS PK [60] | 32 | 1988 | 95 | Nonces B | None | All | [53]
NS PK corr. [53] | 36 | 1481 | 51 | None | None | None |
Woo-Lam PK [70] | 23 | 104 | 7 | | | All | [40]
Woo-Lam PK corr. [72] | 27 | 156 | 6 | | | None |
Woo-Lam SK [46] | 25 | 184 | 8 | | | All | [8]
Woo-Lam SK corr. [46] | 21 | 244 | 4 | | | None |
Denning-Sacco [37] | 30 | 440 | 18 | Key B | | All | [5]
Denning-Sacco corr. [5] | 30 | 438 | 16 | None | | Inj |
NS SK [60], tag. | 31 | 2721 | 41 | None | None | None |
NS SK corr. [61], tag. | 32 | 2102 | 57 | None | None | None |
NS SK [60], tag., comp. | 50 | 25241 | 167 | Key B | None | Inj | [37]
NS SK corr. [61], tag., comp. | 53 | 23956 | 225 | None | None | None |
Yahalom [26] | 26 | 1515 | 34 | None | Key | None |
Simpler Yahalom [26], unid. | 21 | 1479 | 30 | None | Key | None |
Simpler Yahalom [26], bid. | 24 | 3685 | 91 | None | All | None | [67]
Otway-Rees [62] | 34 | 1878 | 59 | None | Key | Inj, Key | [26]
Simpler Otway-Rees [5] | 28 | 1934 | 31 | None | All | All | [63]
Otway-Rees, variant of [63] | 35 | 3349 | 87 | Key B | All | All | [63]
Main mode of Skeme [52] | 39 | 4139 | 154 | None | None | None |

Figure 6: Experimental results (the columns Secrecy, A, B and Ref. report the cases with attacks)

The last four columns give the results of the analysis. The column “Secrecy” concerns secrecy properties; the column A concerns agreement specifications from $event(e(x_1, \ldots, x_n))$ to $[inj]\ event(e'(x_1, \ldots, x_n))$ in which $A$ executes the event $event(e(M_1, \ldots, M_n))$; the column B concerns agreement specifications from $event(e(x_1, \ldots, x_n))$ to $[inj]\ event(e'(x_1, \ldots, x_n))$ in which $B$ executes the event $event(e(M_1, \ldots, M_n))$. The last column gives the reference of the attacks when attacks are found.

The first six protocols of Figure 6 (Needham-Schroeder public-key and Woo-Lam one-way authentication protocols) are authentication protocols. For them, we have tested non-injective and recent injective agreement on the names of the participants, and non-injective and injective full agreement (agreement on all atomic data). For the Needham-Schroeder public-key protocol, we have also tested the secrecy of nonces.
“Nonces B” means that the nonces $N_a$ and $N_b$ manipulated by $B$ may not be secret, “None” means that all tested specifications are satisfied (there is no attack), and “All” that our tool finds an attack against all tested specifications. The Woo and Lam protocols are one-way authentication protocols: they are intended to authenticate $A$ to $B$, but not $B$ to $A$, so we have only tested them with $B$ containing $event(e(M_1, \ldots, M_n))$.

Numerous versions of the Woo and Lam shared-key protocol have been published in the literature [70], [8], [5, end of Example 3.2], [5, Example 6.2], [72], [46] (flawed and corrected versions). Our tool terminates and proves the correctness of the corrected versions of [8] and of [46]; it terminates and finds an attack on the flawed version of [46]. (The messages received or sent by $A$ do not depend on the host $A$ wants to talk to, so $A$ may start a session with the adversary $C$, and the adversary can reuse the messages of this session to talk to $B$ in $A$'s name.) We can easily see that the versions of [70] and [5, Example 6.2] are also subject to this attack, even if our tool does not terminate on them. The only difference between the protocol of [46] and that of [70] is that [46] adds tags to distinguish different encryption sites. As shown in Section 8.1, adding tags enforces termination. Our tool finds the attack of [29, bottom of page 52] on the versions of [5, end of Example 3.2] and [72]. For example, the version of [72] is

Message 1. $A \to B$: $A$
Message 2. $B \to A$: $N_B$
Message 3. $A \to B$: $\{A, B, N_B\}_{K_{AS}}$
Message 4. $B \to S$: $\{A, B, \{A, B, N_B\}_{K_{AS}}\}_{K_{BS}}$
Message 5. $S \to B$: $\{A, B, N_B\}_{K_{BS}}$

and the attack is

Message 1. $I(A) \to B$: $A$
Message 2. $B \to I(A)$: $N_B$
Message 3. $I(A) \to B$: $N_B$
Message 4. $B \to I(A)$: $\{A, B, N_B\}_{K_{BS}}$
Message 5. $I(A) \to B$: $\{A, B, N_B\}_{K_{BS}}$

In message 3, the adversary sends $N_B$ instead of $\{A, B, N_B\}_{K_{AS}}$.
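The attack just listed, replayed on a symbolic model of the roles of the version of [72] (an added example, not part of the paper or its verifier): encryption is a tagged tuple that only the holder of the key can open, $B$ can do nothing with message 3 except wrap it, and the initiator and server are included so that the honest run can be contrasted with the attack run, in which neither of them executes. The names, key labels and method names are assumptions of this example.

```python
"""Symbolic replay of the Woo-Lam version of [72] and of the attack against it.
enc(m, k) is the tuple ('enc', m, k); a message with several fields is a
Python tuple.  Principal names, nonce and key labels are constructed here."""


def enc(m, k):
    return ('enc', m, k)


def dec(c, k):
    """Destructor dec(enc(m, k), k) -> m; anything else fails."""
    if isinstance(c, tuple) and len(c) == 3 and c[0] == 'enc' and c[2] == k:
        return c[1]
    raise ValueError('decryption failed')


class Responder:
    """B's role: answers message 1 with N_B, wraps message 3 into message 4
    and accepts on a message 5 of the form {A, B, N_B}_KBS."""

    def __init__(self, me, kbs, nonce):
        self.me, self.kbs, self.nb = me, kbs, nonce
        self.peer, self.accepted = None, False

    def recv1(self, a):                  # message 1: the claimed identity
        self.peer = a
        return self.nb                   # message 2: N_B

    def recv3(self, blob):               # message 3 is opaque to B
        return enc((self.peer, self.me, blob), self.kbs)   # message 4, meant for S

    def recv5(self, c):                  # message 5, expected from S
        try:
            if dec(c, self.kbs) == (self.peer, self.me, self.nb):
                self.accepted = True     # event e(A, B, N_B): B concludes A is alive
        except ValueError:
            pass
        return self.accepted


class Initiator:
    """A's role: only message 3 depends on A, the challenge under K_AS."""

    def __init__(self, me, kas):
        self.me, self.kas, self.runs = me, kas, 0

    def recv2(self, b, nb):
        self.runs += 1
        return enc((self.me, b, nb), self.kas)


class Server:
    """S's role: open message 4 with K_BS, the inner ciphertext with K_AS, and
    re-encrypt the challenge under K_BS.  keys maps a principal to its key."""

    def __init__(self, keys):
        self.keys, self.runs = keys, 0

    def recv4(self, b, c):
        self.runs += 1
        a, b2, inner = dec(c, self.keys[b])
        a2, b3, nb = dec(inner, self.keys[a])
        if (a, b) != (a2, b3) or b2 != b:
            raise ValueError('server check failed')
        return enc((a, b, nb), self.keys[b])       # message 5


def honest_run():
    """A, B and S all take part; returns B's verdict and how often A and S ran."""
    kas, kbs = 'K_AS', 'K_BS'
    a, s = Initiator('A', kas), Server({'A': kas, 'B': kbs})
    b = Responder('B', kbs, 'N_B')
    nb = b.recv1('A')                                # messages 1 and 2
    msg4 = b.recv3(a.recv2('B', nb))                 # messages 3 and 4
    return b.recv5(s.recv4('B', msg4)), a.runs, s.runs   # message 5


def attack_run():
    """I(A) talks to B alone: N_B is echoed as message 3 and B's own message 4
    is replayed as message 5.  Neither A nor S ever runs, yet B accepts."""
    b = Responder('B', 'K_BS', 'N_B')
    nb = b.recv1('A')        # 1: I(A) -> B: A           2: B -> I(A): N_B
    msg4 = b.recv3(nb)       # 3: I(A) -> B: N_B         4: B -> I(A): {A, B, N_B}_KBS
    return b.recv5(msg4)     # 5: I(A) -> B: {A, B, N_B}_KBS
```

The adversary never learns $K_{BS}$: it only needs that message 4, which $B$ produces for any message 3 it receives, has exactly the shape $B$ later demands of message 5. Feeding $B$ anything other than $N_B$ as message 3 makes the replay fail, which is why the attack hinges on $B$ being unable to tell a ciphertext under $K_{AS}$ from a nonce.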
$B$ cannot see the difference and, acting as defined in the protocol, $B$ unfortunately sends exactly the message needed by the adversary as message 5. So $B$ thinks he talks to $A$, while $A$ and $S$ can perfectly well be dead. The attack found against the version of [5, end of Example 3.2] is very similar.

The last five protocols exchange a session key, so we have tested agreement on the names of the participants, and agreement on both the participants and the session key (instead of full agreement, since agreement on the session key is more important than agreement on other values). In Figure 6, “Key B” means that the key obtained by $B$ may not be secret, “Key” means that agreement on the session key is wrong, “Inj” means that injective agreement is wrong, and “All” and “None” are as before.

In the Needham-Schroeder shared-key protocol [60], the last messages are

Message 4. $B \to A$: $\{N_B\}_K$
Message 5. $A \to B$: $\{N_B - 1\}_K$

where $N_B$ is a nonce. Representing $N_B - 1$ with a function $minusone(x) = x - 1$, with associated destructor $plusone$ defined by $plusone(minusone(x)) \to x$, the algorithm does not terminate with the selection function $sel_0$. The selection functions $sel_1$ or $sel_2$ given in Section 8.2 however yield termination. We can also notice that the purpose of the subtraction is to distinguish the reply of $A$ from $B$'s message. As mentioned in [5], it would be clearer to have:

Message 4. $B \to A$: $\{\text{Message 4} : N_B\}_K$
Message 5. $A \to B$: $\{\text{Message 5} : N_B\}_K$

We have used this encoding in the tests shown in Figure 6. Our tool then terminates with selection functions $sel_0$, $sel_1$, and $sel_2$. [20] explains in more detail why these two messages encoded with $minusone$ prevent termination with $sel_0$, and why the addition of tags “Message 4”, “Message 5” yields termination.
Adding the tags may strengthen the protocol (for instance, in the Needham-Schroeder shared-key protocol, it prevents replaying Message 5 as a Message 4), so the security of the tagged version does not imply the security of the original version. As mentioned in [5], using the tagged version is a better design choice because it prevents confusing different messages, so this version should be implemented. Our tool also does not terminate on Skeme with selection function $sel_0$, for an authentication query, but terminates with selection functions $sel_1$ or $sel_2$. All other examples of Figure 6 terminate with the three selection functions $sel_0$, $sel_1$, and $sel_2$.

Among the examples of Figure 6, only the Woo-Lam shared-key protocol, flawed and corrected versions of [46], and the Needham-Schroeder shared-key protocol have explicit tags. Our tool terminates on all other protocols, even if they are not tagged. The termination can partly be explained by the notion of “implicitly tagged” protocols [20]: the various messages are not distinguished by explicit tags, but by other properties of their structure, such as the arity of the tuples that they contain. In Figure 6, the Denning-Sacco protocol and the Woo-Lam public-key protocol are implicitly tagged. Still, the tool terminates on many examples that are not even implicitly tagged.

For the Yahalom protocol, we show that, if $B$ thinks that $k$ is a key to talk with $A$, then $A$ also thinks that $k$ is a key to talk with $B$. The converse is clearly wrong, because the session key is sent from $A$ to $B$ in the last message, so the adversary can intercept this message, so that $A$ has the key but not $B$. For the Otway-Rees protocol, we do not have agreement on the session key, since the adversary can intercept messages in such a way that one participant has the key and the other one has no key.
There is also an attack in which both participants get a key, but not the same one [44]. The latter attack is not found by our tool, since it stops with the former attacks. For the simplified version of the Otway-Rees protocol given in [5], $B$ can execute its event $event(e(M_1, \ldots, M_n))$ with $A$ dead, and $A$ can execute its event $event(e(M_1, \ldots, M_n))$ with $B$ dead. As Burrows, Abadi, and Needham already noted in [26], even the original protocol does not guarantee to $B$ that $A$ is alive (an attack against injective agreement that we also find). [46] said that the protocol satisfied its authentication specifications, because they showed that neither $A$ nor $B$ can conclude that $k$ is a key for talking between $A$ and $B$ without the server first saying so. (Of course, this property is also important, and could also be checked with our verifier.)

11 Conclusion

We have extended previous work on the verification of security protocols by logic programming techniques, from secrecy to a very general class of correspondences, including not only authentication but also, for instance, correspondences that express that the messages of the protocol have been sent and received in the expected order. This technique enables us to check correspondences in a fully automatic way, without bounding the number of sessions of the protocols. This technique also yields an efficient verifier, as the experimental results demonstrate.

Acknowledgments

We would like to thank Martín Abadi, Jérôme Feret, Cédric Fournet, and Andrew Gordon for helpful discussions on this paper. This work was partly done at Max-Planck-Institut für Informatik, Saarbrücken, Germany.

References

[1] M. Abadi and B. Blanchet. Analyzing security protocols with secrecy types and logic programs. Journal of the ACM, 52(1):102–146, Jan. 2005.

[2] M. Abadi and B. Blanchet.
Computer-assisted verification of a protocol for certified email. Science of Computer Programming, 58(1–2):3–27, Oct. 2005. Special issue SAS'03.

[3] M. Abadi, B. Blanchet, and C. Fournet. Just fast keying in the pi calculus. ACM Transactions on Information and System Security (TISSEC), 10(3):1–59, July 2007.

[4] M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'01), pages 104–115, London, United Kingdom, Jan. 2001. ACM Press.

[5] M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, 22(1):6–15, Jan. 1996.

[6] X. Allamigeon and B. Blanchet. Reconstruction of attacks against cryptographic protocols. In 18th IEEE Computer Security Foundations Workshop (CSFW-18), pages 140–154, Aix-en-Provence, France, June 2005. IEEE.

[7] R. Amadio and S. Prasad. The game of the name in cryptographic tables. In P. S. Thiagarajan and R. Yap, editors, Advances in Computing Science – ASIAN'99, volume 1742 of Lecture Notes in Computer Science, pages 15–27, Phuket, Thailand, Dec. 1999. Springer.

[8] R. Anderson and R. Needham. Programming Satan's computer. In J. van Leeuwen, editor, Computer Science Today: Recent Trends and Developments, volume 1000 of Lecture Notes in Computer Science, pages 426–440. Springer, 1995.

[9] L. Bachmair and H. Ganzinger. Resolution theorem proving. In A. Robinson and A. Voronkov, editors, Handbook of Automated Reasoning, volume 1, chapter 2, pages 19–100. North Holland, 2001.

[10] M. Backes, A. Cortesi, and M. Maffei. Causality-based abstraction of multiplicity in security protocols. In 20th IEEE Computer Security Foundations Symposium (CSF'07), pages 355–369, Venice, Italy, July 2007. IEEE.

[11] M. Bellare and P. Rogaway. Entity authentication and key distribution. In D. R. Stinson, editor, Advances in Cryptology – CRYPTO 1993, volume 773 of Lecture Notes in Computer Science, pages 232–249, Santa Barbara, California, Aug. 1993. Springer.

[12] K. Bhargavan, C. Fournet, A. D. Gordon, and R. Pucella. TulaFale: A security tool for web services. In Formal Methods for Components and Objects (FMCO 2003), volume 3188 of Lecture Notes in Computer Science, pages 197–222, Leiden, The Netherlands, Nov. 2003. Springer. Paper and tool available at http://securing.ws/.

[13] B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82–96, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

[14] B. Blanchet. From secrecy to authenticity in security protocols. In M. Hermenegildo and G. Puebla, editors, 9th International Static Analysis Symposium (SAS'02), volume 2477 of Lecture Notes in Computer Science, pages 342–359, Madrid, Spain, Sept. 2002. Springer.

[15] B. Blanchet. Automatic proof of strong secrecy for security protocols. In IEEE Symposium on Security and Privacy, pages 86–100, Oakland, California, May 2004.

[16] B. Blanchet. Automatic proof of strong secrecy for security protocols. Technical Report MPI-I-2004-NWG1-001, Max-Planck-Institut für Informatik, Saarbrücken, Germany, July 2004.

[17] B. Blanchet. Security protocols: From linear to classical logic by abstract interpretation. Information Processing Letters, 95(5):473–479, Sept. 2005.

[18] B. Blanchet, M. Abadi, and C. Fournet. Automated verification of selected equivalences for security protocols. Journal of Logic and Algebraic Programming, 75(1):3–51, Feb.–Mar. 2008.

[19] B. Blanchet and A. Chaudhuri. Automated formal analysis of a protocol for secure file sharing on untrusted storage. In IEEE Symposium on Security and Privacy, Oakland, CA, May 2008. IEEE. To appear.

[20] B. Blanchet and A. Podelski. Verification of cryptographic protocols: Tagging enforces termination. Theoretical Computer Science, 333(1–2):67–90, Mar. 2005. Special issue FoSSaCS'03.

[21] C. Bodei, M. Buchholtz, P. Degano, F. Nielson, and H. R. Nielson. Static validation of security protocols. Journal of Computer Security, 13(3):347–390, 2005.

[22] P. Broadfoot, G. Lowe, and B. Roscoe. Automating data independence. In 6th European Symposium on Research in Computer Security (ESORICS 2000), volume 1895 of Lecture Notes in Computer Science, pages 175–190, Toulouse, France, Oct. 2000. Springer.

[23] P. J. Broadfoot and A. W. Roscoe. Embedding agents within the intruder to detect parallel attacks. Journal of Computer Security, 12(3/4):379–408, 2004.

[24] M. Bugliesi, R. Focardi, and M. Maffei. Analysis of typed analyses of authentication protocols. In Proc. 18th IEEE Computer Security Foundations Workshop (CSFW'05), pages 112–125, Aix-en-Provence, France, June 2005. IEEE Comp. Soc. Press.

[25] M. Bugliesi, R. Focardi, and M. Maffei. Dynamic types for authentication. Journal of Computer Security, 15(6):563–617, 2007.

[26] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. Proceedings of the Royal Society of London A, 426:233–271, 1989. A preliminary version appeared as Digital Equipment Corporation Systems Research Center report No. 39, February 1989.

[27] Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents. In P. K. Pandya and J. Radhakrishnan, editors, FSTTCS 2003: Foundations of Software Technology and Theoretical Computer Science, 23rd Conference, volume 2914 of Lecture Notes in Computer Science, pages 124–135, Mumbai, India, Dec. 2003. Springer.

[28] Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. An NP decision procedure for protocol insecurity with XOR. Theoretical Computer Science, 338(1–3):247–274, June 2005.

[29] J. Clark and J. Jacob. A survey of authentication protocol literature: Version 1.0. Technical report, University of York, Department of Computer Science, Nov. 1997.

[30] E. Cohen. First-order verification of cryptographic protocols. Journal of Computer Security, 11(2):189–216, 2003.

[31] H. Comon-Lundh and V. Shmatikov. Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In Symposium on Logic in Computer Science (LICS'03), pages 271–280, Ottawa, Canada, June 2003. IEEE Computer Society.

[32] V. Cortier, J. Millen, and H. Rueß. Proving secrecy is easy enough. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 97–108, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

[33] C. J. F. Cremers. Scyther – Semantics and Verification of Security Protocols. Ph.D. dissertation, Eindhoven University of Technology, Nov. 2006.

[34] A. Datta, A. Derek, J. C. Mitchell, and D. Pavlovic. A derivation system and compositional logic for security protocols. Journal of Computer Security, 13(3):423–482, 2005.

[35] H. de Nivelle. Ordering Refinements of Resolution. PhD thesis, Technische Universiteit Delft, Oct. 1995.

[36] M. Debbabi, M. Mejri, N. Tawbi, and I. Yahmadi. A new algorithm for the automatic verification of authentication protocols: From specifications to flaws and attack scenarios. In DIMACS Workshop on Design and Formal Verification of Security Protocols, Rutgers University, New Jersey, Sept. 1997.

[37] D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Commun. ACM, 24(8):533–536, Aug. 1981.

[38] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, Nov. 1976.

[39] D. Dolev and A. C. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, IT-29(12):198–208, Mar. 1983.

[40] A. Durante, R. Focardi, and R. Gorrieri. CVS at work: A report on new failures upon some cryptographic protocols. In V. Gorodetski, V. Skormin, and L. Popyack, editors, Mathematical Methods, Models and Architectures for Computer Networks Security (MMM-ACNS'01), volume 2052 of Lecture Notes in Computer Science, pages 287–299, St. Petersburg, Russia, May 2001. Springer.

[41] N. Durgin, P. Lincoln, J. C. Mitchell, and A. Scedrov. Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security, 12(2):247–311, 2004.

[42] S. Escobar, C. Meadows, and J. Meseguer. A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theoretical Computer Science, 367(1–2):162–202, 2006.

[43] S. Escobar, C. Meadows, and J. Meseguer. Equational cryptographic reasoning in the Maude-NRL protocol analyzer. Electronic Notes in Theoretical Computer Science, 171(4):23–36, July 2007.

[44] F. J. T. Fábrega, J. C. Herzog, and J. D. Guttman. Strand spaces: Proving security protocols correct. Journal of Computer Security, 7(2/3):191–230, 1999.

[45] A. Gordon and A. Jeffrey. Typing one-to-one and one-to-many correspondences in security protocols. In M. Okada, B. Pierce, A. Scedrov, H. Tokuda, and A.
Y onez awa, ed itors, S oftwar e S ecurity – Theories and S y stems, Mext-NSF-JSPS Internation al S ymposium, I SSS 2 0 02 , v olum e 2609 of Lecture Notes on Compu ter Science , pages 263–282 , T o kyo, Japan, Nov . 2002. Springer . [46] A. Gor don and A. Jeffrey . Authenticity by typing for security p rotocols. Journal of Computer Security , 11(4) :451–5 21, 20 03. 65 [47] A. Gordo n and A. Jeffre y . T yp es and ef fects for asymmetric cryptograp hic p roto- cols. Journal of Computer Security , 12( 3/4):43 5–48 4, 2004. [48] J. Go ubault- Larrecq, M. Ro ger, and K. N . V erma. Abstraction an d resolu tion modulo A C: How to verify Diffie-Hellman-like protoco ls automatically . Journal of Logic a n d Algebraic P r ogramming , 64(2):2 19–2 51, Aug . 2005. [49] J. D. Guttman and F . J. T . F ´ abrega. Authentication tests an d the structure of bundles. Theor etical Computer Scienc e , 283( 2):333 –380 , 2002 . [50] J. Heather, G. Lowe, and S. Schneider . How to prev ent type flaw attacks on s ecu- rity pro tocols. In 13th IEEE Co mputer Sec u rity F ou ndatio ns W orksho p (CSFW- 13) , pages 255–2 68, Cambridg e, England , July 2000 . [51] J. Heather and S. Schneid er . A decision p rocedu re fo r the existence o f a rank function . Journal of Computer Security , 13 (2):31 7–344 , 200 5. [52] H. Krawczyk. SKE ME: A v ersatile secure k ey exchange mechanism for internet. In I nternet S ociety Symposium on Network and Distrib uted Systems Security , Feb. 1996. A vailable at http://bilbo.isu.e du/sndss/snd ss96.html . [53] G. Lowe. Breaking and fixing the Needham-Schroed er public- key pr otocol using FDR. In T ools and A lgorithms for the Con struction an d Analy sis of Systems , volume 1055 of Lecture Notes on Comp uter Scienc e , p ages 14 7–166 . Sprin ger, 1996. [54] G. Lo we. A hierarch y of authenticatio n specifications. In 10th Compu ter Security F o unda tions W orkshop ( CSFW ’97) , p ages 3 1–43 , Rock port, Massach usetts, June 1997. 
IEEE Computer Society . [55] C. L ynch. Or iented equa tional log ic pr ogramm ing is com plete. Journal of Sym- bolic Comp utation , 21(1):23 –45, 1997. [56] C. Me adows and P . Narendran. A u nification algor ithm for the g roup Diffie- Hellman proto col. In W orksho p o n Issues in th e Theory of Se c urity (WITS’02) , Portland, Oregon, Jan. 2002. [57] C. A. Mead ows. Th e NRL pro tocol ana lyzer: An overview . J ournal of Logic Pr ogramming , 26(2):11 3–13 1, 199 6. [58] J. Millen and V . Shm atikov . Symbolic proto col analysis w ith an ab elian gro up operator or Diffie-Hellman expon entiation. Journal of Computer Secu rity , 13(3) :515–5 64, 2 005. [59] J. C. Mitchell, M. Mitchell, and U. Stern . Automated analysis o f cryptograp hic protoco ls using Mur ϕ . In 1997 I EEE Sympo sium on Security an d Privacy , pag es 141–1 51, 1997 . [60] R. M. Needham and M. D. Sch roeder . Using e ncryptio n for auth entication in large netw ork s of computers. Commun. ACM , 21(12):993 –999 , Dec. 1978 . 66 [61] R. M. Needh am and M . D. Schroeder . Auth entication revisited. Ope rating S ys- tems Review , 21(1):7, 1987. [62] D. Otway and O. Rees. Ef ficient an d timely mutu al authen tication. Operating Systems R eview , 21(1):8– 10, 1987. [63] L . C. Paulson. The inductiv e app roach to verifying cryp tograph ic proto cols. Jour - nal o f Computer Secu rity , 6(1–2):85– 128, 1 998. [64] A. W . Roscoe and P . J. Broadf oot. Proving secur ity proto cols with model checkers by data in depend ence techn iques. Journal of Computer Security , 7(2, 3):14 7–190 , 1999. [65] M. Rusinowitch and M . T u ruani. Protocol insecurity with finite n umber of ses- sions is NP-co mplete. Theor etical Com p uter Scienc e , 2 99(1– 3):451 –475, Apr . 2003. [66] D. X. So ng, S. Berezin, an d A. Perrig. Athen a: a novel a pproac h to efficient automatic security proto col analysis. Journal o f Computer Secu rity , 9(1/2 ):47– 74, 2001. [67] P . Syverson. A taxon omy of rep lay attacks. 
In 7th IEEE Computer Security Foundations Workshop (CSFW-94), pages 131–136, Franconia, New Hampshire, June 1994. IEEE Computer Society.
[68] P. Syverson and C. Meadows. A formal language for cryptographic protocol requirements. Designs, Codes, and Cryptography, 7(1/2):27–59, 1996.
[69] C. Weidenbach. Towards an automatic analysis of security protocols in first-order logic. In H. Ganzinger, editor, 16th International Conference on Automated Deduction (CADE-16), volume 1632 of Lecture Notes in Artificial Intelligence, pages 314–328, Trento, Italy, July 1999. Springer.
[70] T. Y. C. Woo and S. S. Lam. Authentication for distributed systems. Computer, 25(1):39–52, Jan. 1992.
[71] T. Y. C. Woo and S. S. Lam. A semantic model for authentication protocols. In Proceedings IEEE Symposium on Research in Security and Privacy, pages 178–194, Oakland, California, May 1993.
[72] T. Y. C. Woo and S. S. Lam. Authentication for distributed systems. In D. Denning and P. Denning, editors, Internet Besieged: Countering Cyberspace Scofflaws, pages 319–355. ACM Press and Addison-Wesley, Oct. 1997.

Appendices

A Instrumented Processes

Let $\mathit{last}(s)$ be the last element of the sequence of session identifiers $s$, or $\emptyset$ when $s = \emptyset$. Let $\mathit{label}(\ell)$ be defined by $\mathit{label}(a[t, s]) = (a, \mathit{last}(s))$ and $\mathit{label}(b_0[a[s]]) = (a, \mathit{last}(s))$. We define the multiset $\mathit{Label}(P)$ as follows: $\mathit{Label}((\nu a : \ell)P) = \{\mathit{label}(\ell)\} \cup \mathit{Label}(P)$, $\mathit{Label}(!^i P) = \emptyset$, and in all other cases, $\mathit{Label}(P)$ is the union of the $\mathit{Label}(P')$ for all immediate subprocesses $P'$ of $P$. Let $\mathit{Label}(E) = \{\mathit{label}(E(a)) \mid a \in \mathit{dom}(E)\}$ and $\mathit{Label}(S) = \{(a, \lambda) \mid \lambda \in S,\ a \text{ any name function symbol}\}$.
Definition 16 An instrumented semantic configuration is a triple $S, E, \mathcal{P}$ such that $S$ is a countable set of constant session identifiers, the environment $E$ is a mapping from names to closed patterns, and $\mathcal{P}$ is a multiset of closed processes. The instrumented semantic configuration $S, E, \mathcal{P}$ is well-labeled when the multiset $\mathit{Label}(S) \cup \mathit{Label}(E) \cup \bigcup_{P \in \mathcal{P}} \mathit{Label}(P)$ contains no duplicates.

Lemma 5 Let $P_0$ be a closed process and $P'_0 = \mathit{instr}(P_0)$. Let $Q$ be an $\mathit{Init}$-adversary and $Q' = \mathit{instrAdv}(Q)$. Let $E_0$ be such that $\mathit{fn}(P'_0) \cup \mathit{Init} \subseteq \mathit{dom}(E_0)$ and, for all $a \in \mathit{dom}(E_0)$, $E_0(a) = a[\,]$. The configuration $S_0, E_0, \{P'_0, Q'\}$ is a well-labeled instrumented semantic configuration.

Proof We have $\mathit{Label}(E_0) = \{(a, \emptyset) \mid a \in \mathit{dom}(E_0)\}$, $\mathit{Label}(P'_0) = \{(a, \emptyset) \mid (\nu a : a[\ldots]) \text{ occurs in } P'_0 \text{ not under a replication}\}$, and $\mathit{Label}(Q') = \{(a, \emptyset) \mid (\nu a : b_0[a[\,]]) \text{ occurs in } Q' \text{ not under a replication}\}$. These multisets contain no duplicates since the bound names of $P'_0$ and $Q'$ are pairwise distinct and distinct from names in $\mathit{dom}(E_0)$. So the multiset $\mathit{Label}(S_0) \cup \mathit{Label}(E_0) \cup \mathit{Label}(P'_0) \cup \mathit{Label}(Q')$ contains no duplicates. ✷

Lemma 6 If $S, E, \mathcal{P}$ is a well-labeled instrumented semantic configuration and $S, E, \mathcal{P} \to S', E', \mathcal{P}'$, then $S', E', \mathcal{P}'$ is a well-labeled instrumented semantic configuration.

Proof We proceed by cases on the reduction $S, E, \mathcal{P} \to S', E', \mathcal{P}'$. The rule (Red Repl) removes the labels $(a, \lambda)$ for a certain $\lambda$ from $\mathit{Label}(S)$ and adds some of them to $\mathit{Label}(\mathcal{P})$. The rule (Red Res) removes a label from $\mathit{Label}(\mathcal{P})$ and adds it to $\mathit{Label}(E)$. Other rules can remove labels when they remove a subprocess, but they do not add labels. ✷

Lemma 7 Let $S, E, \mathcal{P}$ be an instrumented semantic configuration. Let $\sigma$ be a substitution and $\sigma'$ be defined by $\sigma' x = E(\sigma x)$ for all $x$.
For all terms $M$, $E(\sigma M) = \sigma' E(M)$ and, for all atoms $\alpha$, $E(\sigma \alpha) = \sigma' E(\alpha)$.

Proof We prove the result for terms $M$ by induction on $M$.
• If $M = x$, $E(\sigma x) = \sigma' x = \sigma' E(x)$ by definition of $\sigma'$.
• If $M = a$, $E(\sigma a) = E(a) = \sigma' E(a)$, since $E(a)$ is closed.
• If $M$ is a composite term $M = f(M_1, \ldots, M_n)$, $E(\sigma M) = f(E(\sigma M_1), \ldots, E(\sigma M_n)) = f(\sigma' E(M_1), \ldots, \sigma' E(M_n)) = \sigma' E(M)$, by induction hypothesis.
The extension to atoms is similar to the case of composite terms. ✷

Lemma 8 If $S, E, \mathcal{P}$ is a well-labeled instrumented semantic configuration, $M$ and $M'$ are closed terms, and $E(M) = E(M')$, then $M = M'$.

Proof The multiset $\mathit{Label}(E)$ does not contain duplicates, hence different names in $E$ have different associated patterns, therefore different terms have different associated patterns. ✷

Lemma 9 If $S, E, \mathcal{P}$ is a well-labeled instrumented semantic configuration, $M'$ is a closed term, and $E(M') = \sigma E(M)$, then there exists a substitution $\sigma'$ such that $M' = \sigma' M$ and, for all variables $x$ of $M$, $E(\sigma' x) = \sigma x$. We have a similar result for atoms and for tuples containing terms and atoms.

Proof We prove the result for terms by induction on $M$.
• If $M = x$, $E(M') = \sigma E(M) = \sigma x$. We define $\sigma'$ by $\sigma' x = M'$.
• If $M$ is a name, $E(M)$ is closed, so $E(M') = \sigma E(M) = E(M)$. By Lemma 8, $M' = M = \sigma' M$ for any substitution $\sigma'$.
• If $M$ is a composite term $M = f(M_1, \ldots, M_n)$, $E(M') = f(\sigma E(M_1), \ldots, \sigma E(M_n))$. Therefore, $M' = f(M'_1, \ldots, M'_n)$ with $E(M'_i) = \sigma E(M_i)$ for all $i \in \{1, \ldots, n\}$. By induction hypothesis, for all $i \in \{1, \ldots, n\}$, there exists $\sigma'_i$ such that $M'_i = \sigma'_i M_i$ and, for all variables $x$ of $M_i$, $E(\sigma'_i x) = \sigma x$. For all $i, j$, if $x$ occurs in $M_i$ and $M_j$, $E(\sigma'_i x) = \sigma x = E(\sigma'_j x)$, so by Lemma 8, $\sigma'_i x = \sigma'_j x$.
Thus we can merge all substitutions $\sigma'_i$ into a substitution $\sigma'$ defined by $\sigma' x = \sigma'_i x$ when $x$ occurs in $M_i$. So we have $M' = \sigma' M$ and, for all variables $x$ of $M$, $E(\sigma' x) = \sigma x$.
The extension to atoms and to tuples of terms and atoms is similar to the case of composite terms. ✷

Proof (of Lemma 1) Let $Q$ be an $\mathit{Init}$-adversary and $Q' = \mathit{instrAdv}(Q)$. Let $E_0$ contain $\mathit{fn}(P_0) \cup \mathit{Init} \cup \mathit{fn}(\alpha) \cup \bigcup_j \mathit{fn}(\alpha_j) \cup \bigcup_{j,k} \mathit{fn}(M_{jk})$. Consider a trace $T = E_0, \{P_0, Q\} \to E_1, \mathcal{P}_1$. Let $\sigma$ be such that $T$ satisfies $\sigma \alpha$. By Proposition 1, letting $E'_0 = \{a \mapsto a[\,] \mid a \in E_0\}$, there is a trace $T' = S_0, E'_0, \{P'_0, Q'\} \to^* S', E'_1, \mathcal{P}'_1$ with $\mathit{unInstr}(\mathcal{P}'_1) = \mathcal{P}_1$, and both traces satisfy the same atoms, so $T'$ also satisfies $\sigma \alpha$. Since $E'_0$ contains the names of $\alpha$, $\alpha_j$, and $M_{jk}$, and $E'_1$ is an extension of $E'_0$, we have $E'_1(\alpha) = E'_0(\alpha) = F$, $E'_1(\alpha_j) = E'_0(\alpha_j) = F_j$, and $E'_1(M_{jk}) = E'_0(M_{jk}) = p_{jk}$. Let $\sigma''$ be defined by $\sigma'' x = E'_1(\sigma x)$ for all $x$. By Lemma 7, $E'_1(\sigma \alpha) = \sigma'' E'_1(\alpha)$, so $E'_1(\sigma \alpha) = \sigma'' F$. Hence $T'$ satisfies $\sigma'' F$. Since $P'_0$ satisfies the given correspondence, there exist $\sigma''_0$ and $j \in \{1, \ldots, m\}$ such that $\sigma''_0 F_j = \sigma'' F$ and, for all $k \in \{1, \ldots, l_j\}$, $T'$ satisfies $\mathit{event}(\sigma''_0 p_{jk})$, so there exists $M''_k$ such that $E'_1(M''_k) = \sigma''_0 p_{jk}$ and $T'$ satisfies $\mathit{event}(M''_k)$. Hence $E'_1(M''_k) = \sigma''_0 E'_1(M_{jk})$ and $E'_1(\sigma \alpha) = \sigma'' F = \sigma''_0 F_j = \sigma''_0 E'_1(\alpha_j)$, that is, $E'_1((M''_1, \ldots, M''_{l_j}, \sigma \alpha)) = \sigma''_0 E'_1((M_{j1}, \ldots, M_{jl_j}, \alpha_j))$. By Lemma 9, there exists $\sigma_0$ such that $(M''_1, \ldots, M''_{l_j}, \sigma \alpha) = \sigma_0 (M_{j1}, \ldots, M_{jl_j}, \alpha_j)$. So $\sigma \alpha = \sigma_0 \alpha_j$ and, for all $k \in \{1, \ldots, l_j\}$, $T'$ satisfies $\mathit{event}(\sigma_0 M_{jk})$, so $T$ also satisfies $\mathit{event}(\sigma_0 M_{jk})$.
✷

Figure 7: Type rules

(Output) $\dfrac{\mathit{message}(E(M), E(N)) \in \mathcal{F}_{P'_0,\mathit{Init}} \qquad E \vdash P}{E \vdash M\langle N\rangle.P}$

(Input) $\dfrac{\forall T' \text{ such that } \mathit{message}(E(M), T') \in \mathcal{F}_{P'_0,\mathit{Init}},\ E[x \mapsto T'] \vdash P}{E \vdash M(x).P}$

(Nil) $\dfrac{}{E \vdash 0}$

(Parallel) $\dfrac{E \vdash P \qquad E \vdash Q}{E \vdash P \mid Q}$

(Replication) $\dfrac{\forall \lambda,\ E[i \mapsto \lambda] \vdash P}{E \vdash\ !^i P}$

(Restriction) $\dfrac{E[a \mapsto E(\ell)] \vdash P}{E \vdash (\nu a : \ell)P}$

(Destructor application) $\dfrac{\forall T \text{ such that } g(E(M_1), \ldots, E(M_n)) \to T,\ E[x \mapsto T] \vdash P \qquad E \vdash Q}{E \vdash \mathit{let}\ x = g(M_1, \ldots, M_n)\ \mathit{in}\ P\ \mathit{else}\ Q}$

(Event) $\dfrac{\mathit{event}(E(M)) \in \mathcal{F}_{P'_0,\mathit{Init}} \qquad \text{if } \mathit{m\text{-}event}(E(M)) \in \mathcal{F}_{P'_0,\mathit{Init}} \text{ then } E \vdash P}{E \vdash \mathit{event}(M).P}$

B Proof of Theorem 1

The correctness proof uses a type system as a convenient way of expressing invariants of processes. This type system can be seen as a modified version of the type system of [1, Section 7], which was used to prove the correctness of our protocol verifier for secrecy properties. In this type system, the types are closed patterns:

$T ::=$ types
$\quad a[T_1, \ldots, T_n, \lambda_1, \ldots, \lambda_k]$ name
$\quad f(T_1, \ldots, T_n)$ constructor application

The symbols $\lambda_1, \ldots, \lambda_k$ are constant session identifiers, in a set $S_0$. Let $\mathcal{F}_{P'_0,\mathit{Init}}$ be the set of closed facts derivable from $\mathcal{R}_{P'_0,\mathit{Init}} \cup \mathcal{F}_{me}$. The type rules are defined in Figure 7. The environment $E$ is a function from names and variables in $V_o$ to types and from variables in $V_s$ to constant session identifiers. The mapping $E$ is extended to all terms as a substitution by $E(f(M_1, \ldots, M_n)) = f(E(M_1), \ldots, E(M_n))$ and to restriction labels by $E(a[M_1, \ldots, M_n, i_1, \ldots, i_{n'}]) = a[E(M_1), \ldots, E(M_n), E(i_1), \ldots, E(i_{n'})]$ and $E(b_0[a[i_1, \ldots, i_{n'}]]) = b_0[a[E(i_1), \ldots, E(i_{n'})]]$, so that it maps closed terms and restriction labels to types. The rules define the judgment $E \vdash P$, which means that the process $P$ is well-typed in the environment $E$.
We do not consider the case of conditionals here, since it is a particular case of destructor applications. We say that an instrumented semantic configuration $S, E, \mathcal{P}$ is well-typed, and we write $\vdash S, E, \mathcal{P}$, when it is well-labeled and $E \vdash P$ for all $P \in \mathcal{P}$.

Proof sketch (of Theorem 1) Let $P_0$ be the considered process and $P'_0 = \mathit{instr}(P_0)$. Let $Q$ be an $\mathit{Init}$-adversary and $Q' = \mathit{instrAdv}(Q)$. Let $E_0$ be such that $\mathit{fn}(P'_0) \cup \mathit{Init} \subseteq \mathit{dom}(E_0)$ and, for all $a \in \mathit{dom}(E_0)$, $E_0(a) = a[\,]$.

1. Typability of the adversary: Let $P'$ be a subprocess of $Q'$. Let $E$ be an environment such that $\forall a \in \mathit{fn}(P')$, $\mathit{attacker}(E(a)) \in \mathcal{F}_{P'_0,\mathit{Init}}$ and $\forall x \in \mathit{fv}(P')$, $\mathit{attacker}(E(x)) \in \mathcal{F}_{P'_0,\mathit{Init}}$. (In particular, $E$ is defined for all free names and free variables of $P'$.) We show that $E \vdash P'$, by induction on $P'$. This result is similar to [1, Lemma 5.1.4]. In particular, we obtain $E_0 \vdash Q'$.

2. Typability of $P'_0$: We prove by induction on the process $P$, subprocess of $P'_0$, that, if (a) $\rho$ binds all free names and variables of $P$, (b) $\mathcal{R}_{P'_0,\mathit{Init}} \supseteq [\![P]\!]\rho H$, (c) $\sigma$ is a closed substitution, and (d) $\sigma H$ can be derived from $\mathcal{R}_{P'_0,\mathit{Init}} \cup \mathcal{F}_{me}$, then $\sigma\rho \vdash P$. This result is similar to [1, Lemma 7.2.2]. In particular, $\mathcal{R}_{P'_0,\mathit{Init}} \supseteq [\![P'_0]\!]\rho\emptyset$, where $\rho = \{a \mapsto a[\,] \mid a \in \mathit{fn}(P'_0)\}$. So, with $E = \sigma\rho = \{a \mapsto a[\,] \mid a \in \mathit{fn}(P'_0)\}$, $E \vdash P'_0$. A fortiori, $E_0 \vdash P'_0$.

3. Properties of $P'_0, Q'$: By Lemma 5, $S_0, E_0, \{P'_0, Q'\}$ is well-labeled. So, using the first two points, $\vdash S_0, E_0, \{P'_0, Q'\}$.

4. Substitution lemma: Let $E' = E[x \mapsto E(M)]$. We show by induction on $M'$ that $E(M'\{M/x\}) = E'(M')$. We show by induction on $P$ that, if $E' \vdash P$, then $E \vdash P\{M/x\}$. This result is similar to [1, Lemma 5.1.1].

5. Subject reduction: Assume that $\vdash S, E, \mathcal{P}$ and $S, E, \mathcal{P} \to S', E', \mathcal{P}'$.
Furthermore, assume that, if the reduction $S, E, \mathcal{P} \to S', E', \mathcal{P}'$ executes $\mathit{event}(M)$, then $\mathit{m\text{-}event}(E(M)) \in \mathcal{F}_{me}$. Then $\vdash S', E', \mathcal{P}'$. This is proved by cases on the derivation of $S, E, \mathcal{P} \to S', E', \mathcal{P}'$. This result is similar to [1, Lemma 5.1.3].

6. Consider the trace $T = S_0, E_0, \{P'_0, Q'\} \to^* S', E', \mathcal{P}'$. By the hypothesis of the theorem, if $\mathit{event}(M)$ has been executed in $T$, then $T$ satisfies $\mathit{event}(E'(M))$, so $\mathit{m\text{-}event}(E'(M)) \in \mathcal{F}_{me}$. If the reduction that executes $\mathit{event}(M)$ is $S, E, \mathcal{P} \to S, E, \mathcal{P}''$, we have $E(M) = E'(M)$, since $E'$ is an extension of $E$, and $E$ already contains the names of $M$. Hence we obtain the hypothesis of subject reduction. So, by Items 3 and 5, we infer that all configurations in the trace are well-typed.

When $F = \mathit{event}(p)$, since $T$ satisfies $\mathit{event}(p)$, there exists $M$ such that $T$ satisfies $\mathit{event}(M)$ and $E'(M) = p$. So $T$ contains a reduction $S_1, E_1, \mathcal{P}_1 \cup \{\mathit{event}(M).P\} \to S_1, E_1, \mathcal{P}_1 \cup \{P\}$. Therefore $E_1 \vdash \mathit{event}(M).P$, so $\mathit{event}(E_1(M)) \in \mathcal{F}_{P'_0,\mathit{Init}}$. Moreover, $E_1(M) = E'(M)$ since $E'$ is an extension of $E_1$, therefore $\mathit{event}(E'(M)) = \mathit{event}(p) = F$ is derivable from $\mathcal{R}_{P'_0,\mathit{Init}} \cup \mathcal{F}_{me}$.

When $F = \mathit{message}(p, p')$, since $T$ satisfies $\mathit{message}(p, p')$, there exist $M$ and $M'$ such that $T$ satisfies $\mathit{message}(M, M')$, $E'(M) = p$, and $E'(M') = p'$. So $T$ contains a reduction $S_1, E_1, \mathcal{P}_1 \cup \{M\langle M'\rangle.P,\ M(x).Q\} \to S_1, E_1, \mathcal{P}_1 \cup \{P,\ Q\{M'/x\}\}$. Therefore $E_1 \vdash M\langle M'\rangle.P$. This judgment must have been derived by (Output), so $\mathit{message}(E_1(M), E_1(M')) \in \mathcal{F}_{P'_0,\mathit{Init}}$. Moreover, $E_1(M) = E'(M)$ and $E_1(M') = E'(M')$ since $E'$ is an extension of $E_1$, so $\mathit{message}(E'(M), E'(M')) = \mathit{message}(p, p') = F$ is derivable from $\mathcal{R}_{P'_0,\mathit{Init}} \cup \mathcal{F}_{me}$.
When $F = \mathit{attacker}(p')$, $T$ also satisfies $\mathit{message}(c[\,], p')$ for some $c \in \mathit{Init}$. Therefore, by the previous case, $\mathit{message}(c[\,], p')$ is derivable from $\mathcal{R}_{P'_0,\mathit{Init}} \cup \mathcal{F}_{me}$. Since $c \in \mathit{Init}$, $\mathit{attacker}(c[\,])$ is in $\mathcal{R}_{P'_0,\mathit{Init}}$. So, by Clause (Rl), $\mathit{attacker}(p') = F$ is derivable from $\mathcal{R}_{P'_0,\mathit{Init}} \cup \mathcal{F}_{me}$. ✷

C Correctness of the Solving Algorithm

In terms of security, the soundness of our analysis means that, if a protocol is found secure by the analysis, then it is actually secure. Showing soundness in this sense essentially amounts to showing that no derivable fact is missed by the resolution algorithm, which, in terms of logic programming, is the completeness of the resolution algorithm. Accordingly, in terms of security, the completeness of our analysis would mean that all secure protocols can be proved secure by our analysis. Completeness in terms of security corresponds, in terms of logic programming, to the correctness of the resolution algorithm, which means that the resolution algorithm does not derive false facts.

The completeness of "binary resolution with free selection", which is our basic algorithm, was proved in [9, 35, 55]. We extend these proofs by showing that completeness still holds with our simplifications of clauses. (These simplifications are often specific to security protocols.)

As a preliminary, we define a sort system, with three sorts: session identifiers, ordinary patterns, and environments. Name function symbols expect session identifiers as their last $k$ arguments, where $k$ is the number of replications above the restriction that defines the considered name function symbol, and ordinary patterns as other arguments. The pattern $a[p_1, \ldots, p_n, i_1, \ldots, i_k]$ is an ordinary pattern. Constructors $f$ expect ordinary patterns as arguments and $f(p_1, \ldots, p_n)$ is an ordinary pattern.
The predicates $\mathit{attacker}$ and $\mathit{message}$ expect ordinary patterns as arguments. The predicate $\mathit{event}$ expects an ordinary pattern and, for injective events, a session identifier. The predicate $\mathit{m\text{-}event}$ expects an ordinary pattern and, for injective events, an environment. We say that a pattern, fact, clause, or set of clauses is well-sorted when these constraints are satisfied.

Lemma 10 All clauses manipulated by the algorithm are well-sorted, and if a variable occurs in the conclusion of a clause and is not a session identifier, then it also occurs in non-$\mathit{m\text{-}event}$ facts in its hypothesis.

Proof It is easy to check that all patterns and facts are well-sorted in the clause generation algorithm. One only unifies patterns of the same sort. The environment $\rho$ and the substitutions always map a variable to a pattern of the same sort. During the building of clauses, the variables in the image of $\rho$ that are not session identifiers also occur in non-$\mathit{m\text{-}event}$ facts in $H$, and the variables in the conclusion of generated clauses are in the image of $\rho$. Hence, the clauses in $\mathcal{R}_{P'_0,\mathit{Init}}$ satisfy Lemma 10. Furthermore, this property is preserved by resolution. Resolution generates a clause $R'' = \sigma_u H \wedge \sigma_u H' \Rightarrow \sigma_u C'$ from clauses $R = H \Rightarrow C$ and $R' = H' \wedge F_0 \Rightarrow C'$ that satisfy Lemma 10, where $\sigma_u$ is the most general unifier of $C$ and $F_0$. The substitution $\sigma_u$ unifies elements of the same sort, so $\sigma_u$ maps each variable to an element of the same sort, so $R''$ is well-sorted. If a non-session identifier variable $x$ occurs in $\sigma_u C'$, then there is a non-session identifier variable $y$ in $C'$ such that $x$ occurs in $\sigma_u y$. Then $y$ occurs in non-$\mathit{m\text{-}event}$ facts in the hypothesis of $R'$, $H' \wedge F_0$. First case: $y$ occurs in non-$\mathit{m\text{-}event}$ facts in $H'$, so $x$ occurs in $\sigma_u H'$, so $x$ occurs in non-$\mathit{m\text{-}event}$ facts in the hypothesis of $R''$.
Second case: $y$ occurs in $F_0$, so $x$ occurs in $\sigma_u F_0 = \sigma_u C$, so there is a non-session identifier variable $z$ such that $z$ occurs in $C$ and $x$ occurs in $\sigma_u z$, so $z$ occurs in non-$\mathit{m\text{-}event}$ facts in $H$, so $x$ occurs in non-$\mathit{m\text{-}event}$ facts in $\sigma_u H$, so $x$ occurs in non-$\mathit{m\text{-}event}$ facts in the hypothesis of $R''$. In both cases, $x$ occurs in non-$\mathit{m\text{-}event}$ facts in the hypothesis of $R''$. Therefore, $R''$ satisfies Lemma 10. This property is also preserved by the simplification functions. ✷

Definition 17 (Derivation) Let $F$ be a closed fact. Let $\mathcal{R}$ be a set of clauses. A derivation of $F$ from $\mathcal{R}$ is a finite tree defined as follows:
1. Its nodes (except the root) are labeled by clauses $R \in \mathcal{R}$.
2. Its edges are labeled by closed facts. (Edges go from a node to each of its sons.)
3. If the tree contains a node labeled by $R$ with one incoming edge labeled by $F_0$ and $n$ outgoing edges labeled by $F_1, \ldots, F_n$, then $R \sqsupseteq \{F_1, \ldots, F_n\} \Rightarrow F_0$.
4. The root has one outgoing edge, labeled by $F$. The unique son of the root is named the subroot.

In a derivation, if there is a node labeled by $R$ with one incoming edge labeled by $F_0$ and $n$ outgoing edges labeled by $F_1, \ldots, F_n$, then the clause $R$ can be used to infer $F_0$ from $F_1, \ldots, F_n$. Therefore, there exists a derivation of $F$ from $\mathcal{R}$ if and only if $F$ can be inferred from clauses in $\mathcal{R}$ (in classical logic).

The key idea of the proof of Lemma 2 is the following. Assume that $F$ is derivable from $\mathcal{R}_0 \cup \mathcal{F}_{me}$ and consider a derivation of $F$ from $\mathcal{R}_0 \cup \mathcal{F}_{me}$. Assume that the clauses $R$ and $R'$ are applied one after the other in the derivation of $F$. Also assume that these clauses have been combined by $R \circ_{F_0} R'$, yielding clause $R''$. In this case, we replace $R$ and $R'$ with $R''$ in the derivation of $F$. When no more replacement can be done, we show that all remaining clauses have no selected hypothesis.
So all these clauses are in $\mathcal{R}_1 = \mathit{saturate}(\mathcal{R}_0)$, and we have built a derivation of $F$ from $\mathcal{R}_1$. To show that this replacement process terminates, we remark that the total number of nodes of the derivation strictly decreases.

Next, we introduce the notion of data-decomposed derivation. This notion is useful for proving the correctness of the decomposition of data constructors. (In the absence of data constructors, all derivations are data-decomposed.)

Definition 18 A derivation $D$ is data-decomposed if and only if, for all edges $\eta' \to \eta$ in $D$ labeled by $\mathit{attacker}(f(p_1, \ldots, p_n))$ for some data constructor $f$, the node $\eta'$ is labeled by a clause $\mathit{attacker}(f(x_1, \ldots, x_n)) \Rightarrow \mathit{attacker}(x_i)$ for some $i$ or the node $\eta$ is labeled by the clause $\mathit{attacker}(x_1) \wedge \ldots \wedge \mathit{attacker}(x_n) \Rightarrow \mathit{attacker}(f(x_1, \ldots, x_n))$.

Intuitively, a derivation is data-decomposed when all intermediate facts proved in that derivation are decomposed as much as possible using data-destructor clauses $\mathit{attacker}(f(x_1, \ldots, x_n)) \Rightarrow \mathit{attacker}(x_i)$ before being used to prove other facts. We are going to transform the initial derivation into a data-decomposed derivation. Further transformations of the derivation will keep it data-decomposed.

The next lemma shows that two nodes in a derivation can be replaced by one when combining their clauses by resolution.

Lemma 11 Consider a data-decomposed derivation containing a node $\eta'$, labeled $R'$. Let $F_0$ be a hypothesis of $R'$. Then there exists a son $\eta$ of $\eta'$, labeled $R$, such that the edge $\eta' \to \eta$ is labeled by an instance of $F_0$, $R \circ_{F_0} R'$ is defined, and, if $\mathit{sel}(R) = \emptyset$ and $F_0 \in \mathit{sel}(R')$, one obtains a data-decomposed derivation of the same fact by replacing the nodes $\eta$ and $\eta'$ with a node $\eta''$ labeled $R'' = R \circ_{F_0} R'$.

Proof This proof is illustrated in Figure 8.
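Before the proof itself, the three notions it manipulates, subsumption $R \sqsupseteq R'$ (item 3 of Definition 17), resolution $R \circ_{F_0} R'$, and the merging of a node with one of its sons (Lemma 11), worked in code as an added example that is not the paper's or the tool's own implementation; the tuple encoding of terms, the helper names and the sample clauses (a data constructor pair, its projection and two attacker facts) are my own constructions.

```python
# Horn-clause toolkit for Appendix C: subsumption R ⊒ R', resolution R ∘_{F0} R'
# and merging of derivation nodes (Lemma 11).  Constructed example, not the
# paper's own code.  A term is a nested tuple ('f', t1, ..., tn); the closed name
# pattern a[] is ('a',); a plain str is a variable; a fact puts its predicate first,
# e.g. ('attacker', t); a clause (hyps, concl) means hyps[0] ∧ ... ∧ hyps[-1] ⇒ concl.
from itertools import count

_fresh = count()

def variables(t):
    return {t} if isinstance(t, str) else set().union(*(variables(a) for a in t[1:]))

def subst(s, t):
    """Apply substitution s (dict variable -> term) to t."""
    if isinstance(t, str):
        return subst(s, s[t]) if t in s else t
    return (t[0],) + tuple(subst(s, a) for a in t[1:])

def unify(t1, t2, s=None):
    """Most general unifier of t1 and t2 extending s, or None if none exists."""
    s = {} if s is None else s
    t1, t2 = subst(s, t1), subst(s, t2)
    if t1 == t2:
        return s
    if isinstance(t1, str) or isinstance(t2, str):
        v, t = (t1, t2) if isinstance(t1, str) else (t2, t1)
        return None if v in variables(t) else {**s, v: t}  # occurs check
    if t1[0] != t2[0] or len(t1) != len(t2):
        return None
    for a, b in zip(t1[1:], t2[1:]):
        if (s := unify(a, b, s)) is None:
            return None
    return s

def match(pat, t, s):
    """One-way matching: extend s so that subst(s, pat) == t, else None."""
    if isinstance(pat, str):
        return {**s, pat: t} if pat not in s else (s if s[pat] == t else None)
    if isinstance(t, str) or pat[0] != t[0] or len(pat) != len(t):
        return None
    for a, b in zip(pat[1:], t[1:]):
        if (s := match(a, b, s)) is None:
            return None
    return s

def subsumes(r, rp):
    """R ⊒ R': some σ has σH ⊆ H' (as multisets) and σC = C'."""
    (h, c), (hp, cp) = r, rp
    def place(i, s, used):  # map each hypothesis of R to a distinct one of R'
        return i == len(h) or any(
            j not in used and (s2 := match(h[i], f, s)) is not None
            and place(i + 1, s2, used | {j}) for j, f in enumerate(hp))
    s0 = match(c, cp, {})
    return s0 is not None and place(0, s0, frozenset())

def rename_apart(clause):
    """Fresh variable names, so that R and R' share no variable before resolving."""
    h, c = clause
    n = next(_fresh)
    s = {v: f"{v}_{n}" for v in variables(('cl',) + h + (c,))}
    return tuple(subst(s, f) for f in h), subst(s, c)

def resolve(r, f0, rp):
    """R ∘_{F0} R' = σu(H ∪ (H' \\ {F0})) ⇒ σu C' with σu = mgu(C, F0), or None."""
    h, c = rename_apart(r)
    hp, cp = rp
    if f0 not in hp or (s := unify(c, f0)) is None:
        return None
    rest = list(hp)
    rest.remove(f0)
    return tuple(subst(s, f) for f in h + tuple(rest)), subst(s, cp)

def node_ok(node):
    """Derivation node (clause, incoming fact, sons), Definition 17 item 3:
    the clause must subsume (sons' incoming facts ⇒ own incoming fact)."""
    clause, fact, sons = node
    return subsumes(clause, (tuple(s[1] for s in sons), fact))

def merge(parent, i, f0):
    """Lemma 11: replace η' (parent) and its i-th son η by one node labeled R ∘_{F0} R'."""
    rp, c1p, sons = parent
    r, _, subsons = sons[i]
    rpp = resolve(r, f0, rp)
    return None if rpp is None else (rpp, c1p, sons[:i] + sons[i + 1:] + subsons)

att = lambda t: ('attacker', t)

def example():
    """Constructed clauses: data constructor pair, its projection, and two facts."""
    a, b = ('a',), ('b',)
    r_pair = ((att('x1'), att('x2')), att(('pair', 'x1', 'x2')))
    r_fst = ((att(('pair', 'x', 'y')),), att('x'))
    goal = att(('pair', a, b))
    tree = (r_pair, goal, [(((), att(a)), att(a), []), (((), att(b)), att(b), [])])
    merged = merge(tree, 0, att('x1'))  # the fact clause has sel = ∅, as Lemma 11 needs
    taut = resolve(r_pair, att(('pair', 'x', 'y')), r_fst)
    return {"subsumes_instance": subsumes(r_pair, ((att(a), att(b)), goal)),
            "instance_subsumes_general": subsumes(((att(a), att(b)), goal), r_pair),
            "tree_ok": node_ok(tree), "merged_ok": node_ok(merged),
            "merged_hyps": len(merged[0][0]), "merged_sons": len(merged[2]),
            "constructor_then_projection_is_tautology": taut[1] in taut[0]}
```

Resolving the pair constructor clause with its projection yields a clause whose conclusion already appears among its hypotheses; such tautologies are the kind of clause the simplification functions of Lemma 16 (here $\mathit{elimtaut}$, going by its name) are meant to discard.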
Let $R' = H' \Rightarrow C'$, let $H'_1$ be the multiset of the labels of the outgoing edges of $\eta'$, and let $C'_1$ be the label of its incoming edge. We have $R' \sqsupseteq (H'_1 \Rightarrow C'_1)$, so there exists $\sigma$ such that $\sigma H' \subseteq H'_1$ and $\sigma C' = C'_1$. Hence there is an outgoing edge of $\eta'$ labeled $\sigma F_0$, since $\sigma F_0 \in H'_1$. Let $\eta$ be the node at the end of this edge, and let $R = H \Rightarrow C$ be the label of $\eta$. We rename the variables of $R$ such that they are distinct from the variables of $R'$. Let $H_1$ be the multiset of the labels of the outgoing edges of $\eta$. So $R \sqsupseteq (H_1 \Rightarrow \sigma F_0)$. By the above choice of distinct variables, we can then extend $\sigma$ such that $\sigma H \subseteq H_1$ and $\sigma C = \sigma F_0$. The edge $\eta' \to \eta$ is labeled $\sigma F_0$, an instance of $F_0$. Since $\sigma C = \sigma F_0$, the facts $C$ and $F_0$ are unifiable, so $R \circ_{F_0} R'$ is defined. Let $\sigma'$ be the most general unifier of $C$ and $F_0$, and $\sigma''$ such that $\sigma = \sigma''\sigma'$. We have $R \circ_{F_0} R' = \sigma'(H \cup (H' \setminus \{F_0\})) \Rightarrow \sigma' C'$. Moreover, $\sigma''\sigma'(H \cup (H' \setminus \{F_0\})) \subseteq H_1 \cup (H'_1 \setminus \{\sigma F_0\})$ and $\sigma''\sigma' C' = \sigma C' = C'_1$. Hence $R'' = R \circ_{F_0} R' \sqsupseteq (H_1 \cup (H'_1 \setminus \{\sigma F_0\})) \Rightarrow C'_1$. The multiset of labels of outgoing edges of $\eta''$ is precisely $H_1 \cup (H'_1 \setminus \{\sigma F_0\})$ and the label of its incoming edge is $C'_1$, therefore we have obtained a correct derivation by replacing $\eta$ and $\eta'$ with $\eta''$.

Figure 8: Merging of nodes of Lemma 11 (diagram: the node $\eta'$ labeled $R'$, with incoming edge $C'_1$ and outgoing edges $H'_1$, and its son $\eta$ labeled $R$, reached by the edge $\sigma F_0$ and with outgoing edges $H_1$, are merged into a single node $\eta''$ labeled $R''$, with incoming edge $C'_1$ and outgoing edges $H_1 \cup (H'_1 - \sigma F_0)$).

Let us show that the obtained derivation is data-decomposed. Consider an edge $\eta'_1 \to \eta_1$ in this derivation, labeled by $F = \mathit{attacker}(f(p_1, \ldots, p_n))$, where $f$ is a data constructor.
• If $\eta'_1$ and $\eta_1$ are different from $\eta''$, then the same edge exists in the initial derivation, so it is of the desired form.
• If $\eta'_1 = \eta''$, then there is an edge $\eta \to \eta_1$ labeled by $F$ in the initial derivation.
Since the initial derivation is data-decomposed, $\eta$ is labeled by $R = \mathit{attacker}(f(x_1, \ldots, x_n)) \Rightarrow \mathit{attacker}(x_i)$ or $\eta_1$ is labeled by $R_1 = \mathit{attacker}(x_1) \wedge \ldots \wedge \mathit{attacker}(x_n) \Rightarrow \mathit{attacker}(f(x_1, \ldots, x_n))$. The former case is impossible because $\mathit{sel}(R) = \emptyset$. In the latter case, $\eta_1$ is labeled by $R_1$, so we have the desired form in the obtained derivation.
• If $\eta_1 = \eta''$, then there is an edge $\eta'_1 \to \eta'$ labeled by $F$ in the initial derivation. Since the initial derivation is data-decomposed, $\eta'_1$ is labeled by $R'_1 = \mathit{attacker}(f(x_1, \ldots, x_n)) \Rightarrow \mathit{attacker}(x_i)$ or $\eta'$ is labeled by $R' = \mathit{attacker}(x_1) \wedge \ldots \wedge \mathit{attacker}(x_n) \Rightarrow \mathit{attacker}(f(x_1, \ldots, x_n))$. The latter case is impossible because $\mathit{sel}(R') \neq \emptyset$. In the former case, $\eta'_1$ is labeled by $R'_1$, so we have the desired form in the obtained derivation.
Hence the obtained derivation is data-decomposed. ✷

Lemma 12 If a node $\eta$ of a data-decomposed derivation $D$ is labeled by $R$, then one obtains a data-decomposed derivation $D'$ of the same fact as $D$ by relabeling $\eta$ with a clause $R'$ such that $R' \sqsupseteq R$.

Proof Let $H$ be the multiset of labels of outgoing edges of the considered node $\eta$, and $C$ be the label of its incoming edge. We have $R \sqsupseteq H \Rightarrow C$. By transitivity of $\sqsupseteq$, $R' \sqsupseteq H \Rightarrow C$. So we can relabel $\eta$ with $R'$. Let us show that the obtained derivation $D'$ is data-decomposed. Consider an edge $\eta'_1 \to \eta_1$ in $D'$, labeled by $F = \mathit{attacker}(f(p_1, \ldots, p_n))$, where $f$ is a data constructor.
• If $\eta'_1$ and $\eta_1$ are different from $\eta$, then the same edge exists in the initial derivation $D$, so it is of the desired form.
• If $\eta'_1 = \eta$, then there is an edge $\eta'_1 \to \eta_1$ in $D$, labeled by $F$. Since $D$ is data-decomposed, $\eta'_1 = \eta$ is labeled by $R = \mathit{attacker}(f(x_1, \ldots, x_n)) \Rightarrow \mathit{attacker}(x_i)$ or $\eta_1$ is labeled by $R_1 = \mathit{attacker}(x_1) \wedge \ldots$
∧ attac ker ( x n ) ⇒ attack er( f ( x 1 , . . . , x n )) in D . In the latter case, we have th e desired form in D ′ . In the form er case, let R ′ = H ′ ⇒ C ′ . W e h av e R ′ ⊒ R , so there ex- ists σ such that σ H ′ ⊆ { a ttack er ( f ( x 1 , . . . , x n )) } and σ C ′ = attack er( x i ) . Hence C ′ = attack er( y ) where σ y = x i , an d H ′ = ∅ or H ′ = attack er( z ) with σ z = f ( x 1 , . . . , x n ) or H ′ = a ttack er( f ( y 1 , . . . , y n )) with σ y j = x j for all j ≤ n . By Lemma 10, y occu rs in H ′ , so H ′ 6 = ∅ . If we had H ′ = attack er( z ) , σ z 6 = σ y , so z 6 = y , so this case is impo ssible. Hence H ′ = attack er( f ( y 1 , . . . , y n )) . Moreover, σ y j 6 = σ y fo r all j 6 = i , so y j 6 = y for all j 6 = i . Since y occu rs in H ′ , y = y i . Hence R ′ = R up to ren aming, and we have the desired form in D ′ . • If η 1 = η , then th ere is an e dge η ′ 1 → η 1 in D , labeled by F . Since D is data-deco mposed, η ′ 1 is labeled b y R ′ 1 = attacker ( f ( x 1 , . . . , x n )) ⇒ attack er( x i ) or η 1 = η is labeled by R = attack er( x 1 ) ∧ . . . ∧ attack er( x n ) ⇒ attack er( f ( x 1 , . . . , x n )) in D . In the f ormer case, we h ave the desired for m in D ′ . I n the latter case, let R ′ = H ′ ⇒ C ′ . W e ha ve R ′ ⊒ R , so there exists σ such that σ H ′ ⊆ { attacker ( x 1 ) , . . . , attack er( x n ) } an d σ C ′ = attack er( f ( x 1 , . . . , x n )) . Hence H ′ = V j ∈ J attack er( y j ) where J ⊆ { 1 , . . . , n } and σ y j = x j for all j ∈ J , and C ′ = attac ker ( y ) with σ y = f ( x 1 , . . . , x n ) or C ′ = attack er( f ( y ′ 1 , . . . , y ′ n )) with σ y ′ j = x j for all j ≤ n . By Lemma 10, if C ′ = attack er( y ) , y occur s in H ′ , but this is imp ossible becau se σ y j 6 = σ y for all j ∈ J . So C ′ = attack er( f ( y ′ 1 , . . . , y ′ n )) . By Lemma 10, y ′ j occurs in H ′ for all j ≤ n , so J = { 1 , . . . , n } and y ′ j = y j for all j ≤ n . 
Hence R′ = R up to renaming, and we have the desired form in D′.

Hence the obtained derivation D′ is data-decomposed. ✷

Definition 19 We say that ℛ ⊒^Set ℛ′ if, for all clauses R′ in ℛ′, R′ is subsumed by a clause of ℛ.

Lemma 13 If ℛ ⊒^Set ℛ′ and D is a data-decomposed derivation containing a node η labeled by R ∈ ℛ′, then one can build a data-decomposed derivation D′ of the same fact as D by relabeling η with a clause in ℛ.

Proof Obvious by Lemma 12. ✷

Lemma 14 If ℛ ⊒^Set ℛ′, then elim(ℛ) ⊒^Set ℛ′.

Proof This is an immediate consequence of the transitivity of ⊒. ✷

Lemma 15 At the end of saturate, ℛ satisfies the following properties:

1. For all R ∈ ℛ_0, ℛ ⊒^Set simplify(R);

2. Let R ∈ ℛ and R′ ∈ ℛ. Assume that sel(R) = ∅ and there exists F_0 ∈ sel(R′) such that R ∘_{F_0} R′ is defined. In this case, ℛ ⊒^Set simplify(R ∘_{F_0} R′).

Proof To prove the first property, let R ∈ ℛ_0. We show that, after the addition of R to ℛ, ℛ ⊒^Set simplify(R). In the first step of saturate, we execute the instruction ℛ ← elim(simplify(R) ∪ ℛ). We have simplify(R) ∪ ℛ ⊒^Set simplify(R), so, by Lemma 14, after execution of this instruction, ℛ ⊒^Set simplify(R). Assume that we execute ℛ ← elim(simplify(R′′) ∪ ℛ), and that before this execution ℛ ⊒^Set simplify(R). Hence simplify(R′′) ∪ ℛ ⊒^Set simplify(R), so, by Lemma 14, after the execution of this instruction, ℛ ⊒^Set simplify(R).

The second property simply means that the fixpoint is reached at the end of saturate, so ℛ = elim(simplify(R ∘_{F_0} R′) ∪ ℛ). Since simplify(R ∘_{F_0} R′) ∪ ℛ ⊒^Set simplify(R ∘_{F_0} R′), by Lemma 14, elim(simplify(R ∘_{F_0} R′) ∪ ℛ) ⊒^Set simplify(R ∘_{F_0} R′), so ℛ ⊒^Set simplify(R ∘_{F_0} R′). ✷

Lemma 16 Let f ∈ {elimattx, elimtaut, elimnot, elimredundanthyp, elimdup, decomp, decomphyp, simplify, simplify′}. If the data-decomposed derivation D contains a node η labeled R, then one obtains a data-decomposed derivation D′ of the same fact as D or of an instance of a fact in F_not by relabeling η with some R′ ∈ f(R) or removing η, and possibly deleting nodes. Furthermore, if D′ is not a derivation of the same fact as D, then η is removed. If D′ contains a node labeled R′ ∈ f(R), then there exists a derivation D using R, the clauses of D′ except R′, and the clauses of ℛ_0 that derives the same fact as D′.

When R is unchanged by f, that is, f(R) = {R}, this lemma is obvious. So, in the proofs below, we consider only the cases in which R is modified by f.

Proof (for elimattx) The direct part is obvious: R′ is built from R by removing some hypotheses, so we just remove the subtrees corresponding to the removed hypotheses of R. Conversely, let p be a closed pattern such that attacker(p) is derivable from ℛ_0. (There exists an infinite number of such p.) We build a derivation D by replacing R′ with R in D′ and adding a derivation of attacker(p) as a subtree of the nodes labeled by R′ in D′. ✷

Proof (for elimtaut) Assume that R is a tautology, that is, its conclusion is one of its hypotheses. For the direct part, we remove η and replace it with the subtree that derives this hypothesis. The converse is obvious since elimtaut(R) = ∅. ✷

Proof (for elimnot) Assume that R contains as hypothesis an instance F of a fact in F_not. Then elimnot(R) = ∅. Since D is a derivation, a son η′ of η infers an instance of F. We let D′ be the sub-derivation with subroot η′. D′ is a derivation of an instance of a fact in F_not, so we obtain the direct part. The converse is obvious since elimnot(R) = ∅. ✷

Proof (for elimredundanthyp) We have R = H ∧ H′ ⇒ C, σH ⊆ H′, σ does not change the variables of H′ and C, and R′ = H′ ⇒ C.
For the direct part, R′ is built from R by removing some hypotheses, so we just remove the subtrees corresponding to the removed hypotheses of R. For the converse, we obtain a derivation D by duplicating the subtrees proving instances of elements of H′ that are also in σH and replacing R′ with R. ✷

Proof (for elimdup) For the direct part, R′ is built from R by removing some hypotheses, so we just remove the subtrees corresponding to the removed hypotheses of R. Conversely, we can form a derivation using R instead of R′ by duplicating the subtrees that derive the duplicate hypotheses of R. ✷

Proof (for decomp and decomphyp) If R is modified by decomp or decomphyp, then R is of one of the following forms:

• R = attacker(f(p_1, …, p_n)) ∧ H ⇒ C, where f is a data constructor (for both decomp and decomphyp). For the direct part, let η′ be the son of η corresponding to the hypothesis attacker(f(p_1, …, p_n)). The edge η → η′ is labeled by an instance of attacker(f(p_1, …, p_n)), so, since D is data-decomposed, η′ is labeled by attacker(x_1) ∧ … ∧ attacker(x_n) ⇒ attacker(f(x_1, …, x_n)). (The clause R that labels η cannot be attacker(f(x_1, …, x_n)) ⇒ attacker(x_i), since this clause would be unmodified by decomp and decomphyp.) Then we build D′ by relabeling η with R′ = attacker(p_1) ∧ … ∧ attacker(p_n) ∧ H ⇒ C and deleting η′. For the converse, we replace R′ = attacker(p_1) ∧ … ∧ attacker(p_n) ∧ H ⇒ C in D′ with attacker(x_1) ∧ … ∧ attacker(x_n) ⇒ attacker(f(x_1, …, x_n)) and R = attacker(f(p_1, …, p_n)) ∧ H ⇒ C in D.

• R = H ⇒ attacker(f(p_1, …, p_n)), where f is a data constructor (for decomp only). For the direct part, let η′ be the father of η. The edge η′ → η is labeled by an instance of attacker(f(p_1, …, p_n)), so, since D is data-decomposed, η′ is labeled by attacker(f(x_1, …, x_n)) ⇒ attacker(x_i) for some i. (The clause R that labels η cannot be attacker(x_1) ∧ … ∧ attacker(x_n) ⇒ attacker(f(x_1, …, x_n)), since this clause would be unmodified by decomp.) Then we build D′ by relabeling η with R′ = H ⇒ attacker(p_i) and deleting η′. For the converse, we replace R′ = H ⇒ attacker(p_i) in D′ with R = H ⇒ attacker(f(p_1, …, p_n)) and attacker(f(x_1, …, x_n)) ⇒ attacker(x_i) in D. ✷

Proof (for simplify and simplify′) For simplify and simplify′, the result is obtained by applying Lemma 16 to the functions that compose simplify and simplify′. ✷

Proof of Lemma 2 Let F be a closed fact. If, for all F′ ∈ F_not, no instance of F′ is derivable from saturate(ℛ_0) ∪ F_me, then F is derivable from ℛ_0 ∪ F_me if and only if F is derivable from saturate(ℛ_0) ∪ F_me.

Proof Assume that F is derivable from ℛ_0 ∪ F_me and consider a derivation of F from ℛ_0 ∪ F_me. We show that F or an instance of a fact in F_not is derivable from saturate(ℛ_0) ∪ F_me.

We first transform the derivation of F into a data-decomposed derivation. We say that an edge η′ → η is offending when it is labeled by F_f = attacker(f(p_1, …, p_n)) for some data constructor f, η′ is not labeled by R_{f,i} = attacker(f(x_1, …, x_n)) ⇒ attacker(x_i) for some i, and η is not labeled by R_f = attacker(x_1) ∧ … ∧ attacker(x_n) ⇒ attacker(f(x_1, …, x_n)). We consider an offending edge η′ → η such that the subtree D of root η contains no offending edge. We copy the subtree D, which concludes F_f, n times and add the clauses R_{f,i} for i = 1, …, n, to conclude F_{f,i} = attacker(p_i), then use the clause R_f to conclude F_f again, as in Figure 9. This transformation decreases the total number of data constructors at the root of the labels of offending edges. Indeed, since there are no offending edges in D, the only edges that may be offending in the new subtree of root η′ are those labeled by F_{f,1}, …, F_{f,n}. The total number of data constructors at the root of their labels is the total number of data constructors at the root of p_1, …, p_n, which is one less than the total number of data constructors at the root of f(p_1, …, p_n). Hence, this transformation terminates and, upon termination, the obtained derivation contains no offending edge, so it is data-decomposed.

[Figure 9: Construction of a data-decomposed derivation. The subtree D of root η, which concludes F_f, is copied n times; the copies feed the clauses R_{f,1}, …, R_{f,n}, which conclude F_{f,1}, …, F_{f,n}, and these in turn feed R_f, which concludes F_f again below η′.]

We consider the value of the set of clauses ℛ at the end of saturate. For each clause R in ℛ_0, ℛ ⊒^Set simplify(R) (Lemma 15, Property 1). Assume that there exists a node labeled by R ∈ ℛ_0 ∖ ℛ in this derivation. By Lemma 16, we can replace R with some R′′ ∈ simplify(R) or remove R. (After this replacement, we may obtain a derivation of an instance of a fact in F_not instead of a derivation of F.) If R is replaced with R′′, by Lemma 13, we can replace R′′ with a clause in ℛ. This transformation decreases the number of nodes labeled by clauses not in ℛ. So this transformation terminates and, upon termination, no node of the obtained derivation is labeled by a clause in ℛ_0 ∖ ℛ. Therefore, we obtain a data-decomposed derivation D of F or of an instance of a fact in F_not from ℛ ∪ F_me.

Next, we build a data-decomposed derivation of F or of an instance of a fact in F_not from ℛ_1 ∪ F_me, where ℛ_1 = saturate(ℛ_0). If D contains a node labeled by a clause not in ℛ_1 ∪ F_me, we can transform D as follows. Let η′ be a lowest node of D labeled by a clause not in ℛ_1 ∪ F_me.
So all sons of η′ are labeled by elements of ℛ_1 ∪ F_me. Let R′ be the clause labeling η′. Since R′ ∉ ℛ_1 ∪ F_me, sel(R′) ≠ ∅. Take F_0 ∈ sel(R′). By Lemma 11, there exists a son η of η′ labeled by R, such that R ∘_{F_0} R′ is defined. Since all sons of η′ are labeled by elements of ℛ_1 ∪ F_me, R ∈ ℛ_1 ∪ F_me. By definition of the selection function, F_0 is not an m-event fact, so R ∉ F_me, so R ∈ ℛ_1. Hence sel(R) = ∅. So, by Lemma 15, Property 2, ℛ ⊒^Set simplify(R ∘_{F_0} R′). So, by Lemma 11, we can replace η and η′ with η′′ labeled by R ∘_{F_0} R′. By Lemma 16, we can replace R ∘_{F_0} R′ with some R′′′ ∈ simplify(R ∘_{F_0} R′) or remove R ∘_{F_0} R′.

• If R ∘_{F_0} R′ is replaced with R′′′, then by Lemma 13, we can replace R′′′ with a clause in ℛ. The total number of nodes strictly decreases since η and η′ are replaced with a single node.

• If R ∘_{F_0} R′ is removed, then the total number of nodes strictly decreases since η and η′ are removed.

So in all cases, we obtain a derivation D′ of F or of an instance of a fact in F_not from ℛ ∪ F_me, such that the total number of nodes strictly decreases. Hence, this replacement process terminates. Upon termination, all clauses are in ℛ_1 ∪ F_me. So we obtain a data-decomposed derivation of F or of an instance of a fact in F_not from ℛ_1 ∪ F_me, which is the expected result.

For the converse implication, notice that if a fact is derivable from ℛ_1 then it is derivable from ℛ, and that the clauses added to ℛ do not create new derivable facts: when composing two clauses R and R′, the created clause can only derive facts that could also be derived by applying R and R′. ✷

Proof of Lemma 3 Let F′ be a closed instance of F. If, for all F′′ ∈ F_not, derivable(F′′, ℛ_1) = ∅, then F′ is derivable from ℛ_1 ∪ F_me if and only if there exist a clause H ⇒ C in derivable(F, ℛ_1) and a substitution σ such that σC = F′ and all elements of σH are derivable from ℛ_1 ∪ F_me.

Proof Let us prove the direct implication. Let 𝓕 = {(F, F′)} ∪ {(F′′, σF′′) | F′′ ∈ F_not, σ any substitution}. We show that, if F′ is derivable from ℛ_1 ∪ F_me, then there exist a clause H ⇒ C in derivable(F_g, ℛ_1) and a substitution σ such that (F_g, σC) ∈ 𝓕 and all elements of σH are derivable from ℛ_1 ∪ F_me. (This property proves the desired result. If, for all F′′ ∈ F_not, derivable(F′′, ℛ_1) = ∅ and F′ is derivable from ℛ_1 ∪ F_me, then there exist a clause H ⇒ C in derivable(F_g, ℛ_1) and a substitution σ such that (F_g, σC) ∈ 𝓕 and all elements of σH are derivable from ℛ_1 ∪ F_me. Since, for all F′′ ∈ F_not, derivable(F′′, ℛ_1) = ∅, we have F_g = F and F ∉ F_not. Since (F, σC) ∈ 𝓕, we then have σC = F′.)

Let 𝒟 be the set of derivations D′ of a fact F_i such that, for some F_g and ℛ, (F_g, F_i) ∈ 𝓕, the clause R′ at the subroot of D′ satisfies deriv(R′, ℛ, ℛ_1) ⊆ derivable(F_g, ℛ_1) and ∀R′′ ∈ ℛ, R′′ ⋣ R′, and the other clauses of D′ are in ℛ_1 ∪ F_me.

Let attacker′ be a new predicate symbol. Let D be a derivation. If D is a derivation of attacker(p), we let D′ be the derivation obtained by replacing the clause H ⇒ attacker(p_1) at its subroot with H ⇒ attacker′(p_1), and the fact attacker(p) derived by D with attacker′(p). If D is not a derivation of attacker(p), we let D′ be D. We say that the derivation D is almost-data-decomposed when D′ is data-decomposed.

We first show that all derivations D in 𝒟 are almost-data-decomposed. Let D′ be the transformed derivation as defined above. Let η′ → η be an edge of D′ labeled by F = attacker(f(p_1, …, p_n)), where f is a data constructor. This edge is not the outgoing edge of the root of D′, because D′ does not conclude attacker(p) for any p. So the clause that labels η is of the form R = H ⇒ attacker(p) and it is in ℛ_1. In order to obtain a contradiction, assume that p is a variable x. Since sel(R) = ∅, H contains only unselectable facts. By Lemma 10, x occurs in non-m-event facts in H, so H contains attacker(x). So R is a tautology. This is impossible because R would have been removed from ℛ_1 by elimtaut. So p is not a variable. Hence p = f(p′_1, …, p′_n). If R were different from attacker(x_1) ∧ … ∧ attacker(x_n) ⇒ attacker(f(x_1, …, x_n)), R would have been transformed by decomp, so R would not be in ℛ_1. Hence R = attacker(x_1) ∧ … ∧ attacker(x_n) ⇒ attacker(f(x_1, …, x_n)). Therefore, D′ is data-decomposed, so D is almost-data-decomposed.

Below, when we apply Lemma 11, 12, or 16, we first transform the considered derivation D into D′, apply the lemma to the data-decomposed derivation D′, and transform it back by replacing attacker′ with attacker. We obtain the same result as by transforming D directly, because the simplifications of simplify′ apply in the same way when the conclusion is attacker(p) or attacker′(p), since simplify′ uses decomphyp instead of decomp and does not use elimtaut.

Let D_0 be a derivation of F′ from ℛ_1 ∪ F_me. Let D′_0 be obtained from D_0 by adding a node labeled by R′ = F ⇒ F at the subroot of D_0. By definition of derivable, deriv(R′, ∅, ℛ_1) ⊆ derivable(F, ℛ_1), and ∀R′′ ∈ ∅, R′′ ⋣ R′. Hence D′_0 is a derivation of F′ in 𝒟, so 𝒟 is non-empty. Now consider a derivation D_1 in 𝒟 with the smallest number of nodes.
The clause R′ labeling the subroot η′ of D_1 satisfies (F_g, F_i) ∈ 𝓕, deriv(R′, ℛ, ℛ_1) ⊆ derivable(F_g, ℛ_1), and ∀R′′ ∈ ℛ, R′′ ⋣ R′. In order to obtain a contradiction, we assume that sel(R′) ≠ ∅. Let F_0 ∈ sel(R′). By Lemma 11, there exists a son η of η′, labeled by R, such that R ∘_{F_0} R′ is defined. By hypothesis on the derivation D_1, R ∈ ℛ_1 ∪ F_me. By the choice of the selection function, F_0 is not an m-event fact, so R ∉ F_me, so R ∈ ℛ_1. Let R_0 = R ∘_{F_0} R′. So, by Lemma 11, we can replace R′ with R_0, obtaining a derivation D_2 of F_i with fewer nodes than D_1. By Lemma 16, we can either replace R_0 with some R′_0 ∈ simplify′(R_0) or remove R_0, yielding a derivation D_3.

• In the latter case, D_3 is a derivation of a fact F′_i which is either F_i or an instance of a fact F′_g in F_not. If F′_i = F_i, we let F′_g = F_g. So (F′_g, F′_i) ∈ 𝓕. We replace R_0 with R′_0 = F′_g ⇒ F′_g in D_2. Hence we obtain a derivation with fewer nodes than D_1 and such that deriv(R′_0, ∅, ℛ_1) ⊆ derivable(F′_g, ℛ_1) and ∀R_1 ∈ ∅, R_1 ⋣ R′_0. So we have a derivation in 𝒟 with fewer nodes than D_1, which is a contradiction.

• In the former case, D_3 is a derivation of F_i, and deriv(R′_0, {R′} ∪ ℛ, ℛ_1) ⊆ deriv(R′, ℛ, ℛ_1) ⊆ derivable(F_g, ℛ_1) (third case of the definition of deriv(R′, ℛ, ℛ_1)).

  – If ∀R_1 ∈ {R′} ∪ ℛ, R_1 ⋣ R′_0, then D_3 is a derivation of F_i in 𝒟, with fewer nodes than D_1, which is a contradiction.

  – Otherwise, ∃R_1 ∈ {R′} ∪ ℛ, R_1 ⊒ R′_0. Therefore, by Lemma 12, we can build a derivation D_4 by replacing R′_0 with R_1 in D_3. There is an older call to deriv, of the form deriv(R_1, ℛ′, ℛ_1), such that deriv(R_1, ℛ′, ℛ_1) ⊆ derivable(F_g, ℛ_1). Moreover, R_1 has been added to ℛ′ in this call, since R_1 appears in {R′} ∪ ℛ. Therefore the third case of the definition of deriv(R_1, ℛ′, ℛ_1) has been applied, and not the first case. So ∀R_2 ∈ ℛ′, R_2 ⋣ R_1, so the derivation D_4 is in 𝒟 and has fewer nodes than D_1, which is a contradiction.

In all cases, we could find a derivation in 𝒟 that has fewer nodes than D_1. This is a contradiction, so sel(R′) = ∅, hence R′ ∈ derivable(F_g, ℛ_1). The other clauses of this derivation are in ℛ_1 ∪ F_me. By definition of a derivation, R′ ⊒ H′ ⇒ F_i where H′ is the multiset of labels of the outgoing edges of the subroot of the derivation. Taking R′ = H ⇒ C, there exists σ such that σC = F_i and σH ⊆ H′, so all elements of σH are derivable from ℛ_1 ∪ F_me. We have the result, since (F_g, F_i) ∈ 𝓕.

The proof of the converse implication is left to the reader. (Basically, the clause R ∘_{F_0} R′ does not generate facts that cannot be generated by applying R and R′.) ✷

D Termination Proof

In this section, we give the proof of Proposition 3 stated in Section 8.1. We denote by P_0 a tagged protocol and let P′_0 = instr(P_0). We have the following properties:

• By Condition C2, the input and output constructs in the protocol always use a public channel c. So the facts message(c, p) are replaced with attacker(p) in all clauses. The only remaining clauses containing message are (Rl) and (Rs). Since message(x, y) is selected in these clauses, the only inference with these clauses is to combine (Rs) with (Rl), and it yields a tautology which is immediately removed. Therefore, we can ignore these clauses in our termination proof.

• By hypothesis on the queries and Remark 3, the clauses do not contain m-event facts.

In this section, we use the sort system defined at the beginning of Appendix C (Lemma 10). The patterns of a fact pred(p_1, …, p_n) are p_1, …, p_n. The patterns of a clause R are the patterns of all facts in R, and we denote the set of patterns of R by patterns(R). A pattern is said to be non-data when it is not of the form f(…) with f a data constructor. The set sub(S) contains the subterms of patterns in the set S. Below, we use the word "program" for a set of clauses (that is, a logic program).

Definition 20 (Weakly tagged programs) Let S_0 be a finite set of closed patterns and tagGen be a set of patterns. A pattern is top-tagged when it is an instance of a pattern in tagGen. A pattern is fully tagged when all its non-variable non-data subterms are top-tagged. Let ℛ_ProtAdv be the set of clauses R that satisfy Lemma 10 and are of one of the following three forms:

1. ℛ_Protocol contains clauses R of the form F_1 ∧ … ∧ F_n ⇒ F where for all i, F_i is of the form attacker(p) for some p, F is of the form attacker(p) or event(p) for some p, there exists a substitution σ such that patterns(σR) ⊆ sub(S_0), and the patterns of R are fully tagged.

2. ℛ_Constr contains clauses of the form attacker(x_1) ∧ … ∧ attacker(x_n) ⇒ attacker(f(x_1, …, x_n)) where f is a constructor.

3. ℛ_Destr contains clauses of the form attacker(f(p_1, …, p_n)) ∧ attacker(x_1) ∧ … ∧ attacker(x_k) ⇒ attacker(x) where f is a constructor, p_1, …, p_n are fully tagged, x is one of p_1, …, p_n, and f(p_1, …, p_n) is more general than every pattern of the form f(…) in sub(S_0).

A program ℛ_0 is weakly tagged if there exist a finite set of closed patterns S_0 and a set of patterns tagGen such that

W1. ℛ_0 is included in ℛ_ProtAdv.

W2. If two patterns p_1 and p_2 in tagGen unify, p′_1 is an instance of p_1 in sub(S_0), and p′_2 is an instance of p_2 in sub(S_0), then p′_1 = p′_2.
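The clause machinery manipulated throughout Lemmas 11 to 16 and in the proofs of Lemmas 2 and 3 (unification, the resolution step R ∘_{F_0} R′, subsumption ⊒, the simplifications elimattx, elimtaut, elimdup, decomp and decomphyp, the selection function, saturate and derivable), together with the ℛ_Constr and ℛ_Destr clause shapes of Definition 20 for a data constructor, in a small added Python example. It is not code from the paper or from ProVerif. The clause set is constructed for illustration: a data constructor pair, symmetric encryption senc with destructor sdec, a protocol clause outputting senc((secret, nonce), kab), and a variant in which kab leaks; derivable is a depth-bounded search rather than the paper's algorithm, and elimnot and elimredundanthyp are omitted.

```python
# Added example (not from the paper, not ProVerif code): toy Horn-clause machinery. A variable is a
# str, an application a tuple (f, *args), a constant a 1-tuple (c,); a fact (pred, term) is term-shaped.
DATA = {"pair"}                          # data constructors: freely built and projected by the attacker
def A(t): return ("attacker", t)
def is_var(t): return isinstance(t, str)
def is_data_app(t): return not is_var(t) and t[0] in DATA
def var_list(t): return [t] if is_var(t) else [v for a in t[1:] for v in var_list(a)]
def clause_vars(cl): return {v for f in cl[0] + (cl[1],) for v in var_list(f)}   # clause = (hyps, concl)
def apply(s, t):                         # apply the bindings s to a term or fact, following chains
    while is_var(t) and t in s: t = s[t]
    return t if is_var(t) else (t[0],) + tuple(apply(s, a) for a in t[1:])
def apply_clause(s, cl): return (tuple(apply(s, h) for h in cl[0]), apply(s, cl[1]))

def unify(a, b, s):                      # most general unifier extending the bindings s, or None
    a, b = apply(s, a), apply(s, b)
    if a == b: return s
    if is_var(a): return None if a in var_list(b) else {**s, a: b}   # occurs check
    if is_var(b): return unify(b, a, s)
    if a[0] != b[0] or len(a) != len(b): return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None: return None
    return s
def match(p, t, s):                      # one-sided matching: only variables of the pattern p get bound
    if is_var(p): return {**s, p: t} if p not in s else (s if s[p] == t else None)
    if is_var(t) or p[0] != t[0] or len(p) != len(t): return None
    for x, y in zip(p[1:], t[1:]):
        s = match(x, y, s)
        if s is None: return None
    return s

def rename_apart(cl, taken):             # the "distinct variables" step in the proof of Lemma 11
    s, used = {}, set(taken) | clause_vars(cl)
    for v in sorted(clause_vars(cl) & set(taken)):
        nv = v + "'"
        while nv in used: nv += "'"
        s[v] = nv; used.add(nv)
    return apply_clause(s, cl)
def resolve(R, Rp, F0):                  # R ∘_{F_0} R': unify the conclusion of R with hypothesis F0 of R'
    R = rename_apart(R, clause_vars(Rp))
    s = unify(R[1], F0, {})
    if s is None: return None
    rest = list(Rp[0]); rest.remove(F0)  # multiset difference H' \ {F0}
    return apply_clause(s, (R[0] + tuple(rest), Rp[1]))
def subsumes(R, Rp):                     # R ⊒ R': some σ has σC = C' and σH ⊆ H' as multisets
    R = rename_apart(R, clause_vars(Rp))
    def embed(hs, pool, s):
        return not hs or any(embed(hs[1:], pool[:i] + pool[i + 1:], s2)
                             for i, h in enumerate(pool) if (s2 := match(hs[0], h, s)) is not None)
    s = match(R[1], Rp[1], {})
    return s is not None and embed(list(R[0]), list(Rp[0]), s)

def data_clauses(f, n):                  # the R_Constr and R_Destr shapes for a data constructor f of arity n
    xs = [f"x{i}" for i in range(n)]
    return [(tuple(A(x) for x in xs), A((f, *xs)))] + [((A((f, *xs)),), A(x)) for x in xs]
def is_data_clause(cl):                  # these shapes are left untouched by decomp and decomphyp
    t = next((u for u in [cl[1][1]] + [h[1] for h in cl[0]] if is_data_app(u)), None)
    return t is not None and any(subsumes(d, cl) and subsumes(cl, d) for d in data_clauses(t[0], len(t) - 1))
def simplify(cl):                        # decomphyp, decomp, elimdup, elimattx, elimtaut (Lemma 16)
    if is_data_clause(cl): return [cl]
    (hyps, concl), flat, work = cl, [], list(cl[0])
    while work:                          # decomphyp: attacker(f(p1,...,pn)) -> attacker(p1), ..., attacker(pn)
        h = work.pop(0)
        if h[0] == "attacker" and is_data_app(h[1]): work = [A(a) for a in h[1][1:]] + work
        else: flat.append(h)
    if concl[0] == "attacker" and is_data_app(concl[1]):      # decomp: one clause per projection
        return [r for a in concl[1][1:] for r in simplify((tuple(flat), A(a)))]
    hs, occ = list(dict.fromkeys(flat)), {}                   # elimdup
    for v in [v for f in hs + [concl] for v in var_list(f)]: occ[v] = occ.get(v, 0) + 1
    hs = [h for h in hs if not (h[0] == "attacker" and is_var(h[1]) and occ[h[1]] == 1)]  # elimattx
    return [] if concl in hs else [(tuple(hs), concl)]                                   # elimtaut
def sel(cl):                             # selection function: a hypothesis other than attacker(x), x a variable
    return next((h for h in cl[0] if not (h[0] == "attacker" and is_var(h[1]))), None)
def elim(clauses):                       # drop every clause subsumed by another clause of the set
    kept = []
    for c in clauses:
        if not any(subsumes(d, c) for d in kept): kept = [d for d in kept if not subsumes(c, d)] + [c]
    return kept

def saturate(R0):                        # resolve sel = ∅ clauses into selected hypotheses up to a fixpoint
    R = []
    for cl in R0: R = elim(simplify(cl) + R)
    while True:
        new = []
        for R1 in [c for c in R if sel(c) is None]:
            for R2 in R:
                F0 = sel(R2)
                if F0 is None or (r := resolve(R1, R2, F0)) is None: continue
                new += [c for c in simplify(r) if not any(subsumes(d, c) for d in R + new)]
        if not new: return [c for c in R if sel(c) is None]
        R = elim(new + R)
def derivable(F, R1, depth=5):           # Lemma 3 read operationally (depth-bounded search for this toy)
    return depth > 0 and any(all(derivable(apply(s, h), R1, depth - 1) for h in H)
                             for H, C in R1 if (s := match(C, F, {})) is not None)

# Constructed clause set: attacker clauses for the data constructor pair and for senc/sdec,
# plus a protocol that outputs senc((secret, nonce), kab), with and without a leak of kab.
KAB, SECRET, NONCE = ("kab",), ("secret",), ("nonce",)
SENC_CTOR, SDEC = ((A("x"), A("z")), A(("senc", "x", "z"))), ((A(("senc", "x", "z")), A("z")), A("x"))
ATTACKER = data_clauses("pair", 2) + [SENC_CTOR, SDEC]
P_OUT, P_KEY = ((), A(("senc", ("pair", SECRET, NONCE), KAB))), ((), A(KAB))
if __name__ == "__main__":
    print(derivable(A(SECRET), saturate(ATTACKER + [P_OUT])))          # False: kab never leaks
    print(derivable(A(SECRET), saturate(ATTACKER + [P_OUT, P_KEY])))   # True: sdec, then projection
```

Running the module prints False for the variant without the key leak and True with it. Two points of the proofs can be watched directly: resolving the senc constructor clause with the sdec destructor clause gives a tautology that elimtaut discards, which is the observation the proof of Proposition 5 relies on for ℛ_Constr ∘ ℛ_Destr, and the protocol clause resolved with sdec yields attacker(kab) ⇒ attacker(pair(secret, nonce)), which decomp splits into attacker(kab) ⇒ attacker(secret) and attacker(kab) ⇒ attacker(nonce), so every clause kept by saturate has a non-data conclusion, as the invariant of Proposition 5 requires.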
Intuitively, a pattern is top-tagged when its root function symbol is tagged (that is, it is of the form f((ct, M_1, …, M_n), …)). A pattern is fully tagged when all its function symbols are tagged. We are going to show that all clauses generated by the resolution algorithm are in ℛ_ProtAdv. Basically, the clauses in ℛ_Protocol satisfy two conditions: they can be instantiated into clauses whose patterns are in sub(S_0) and they are tagged. Then, all patterns in clauses of ℛ_Protocol are instances of tagGen and have instances in sub(S_0). Property W2 allows us to show that this property is preserved by resolution: when unifying two patterns that satisfy the invariant, the result of the unification also satisfies the invariant, because the instances in sub(S_0) of those two patterns are in fact equal. Thanks to this property, we can show that clauses obtained by resolution from clauses in ℛ_Protocol are still in ℛ_Protocol. To prove termination, we show that the size of generated clauses decreases, for a suitable notion of size defined below. The clauses of ℛ_Constr and ℛ_Destr are needed for constructors and destructors. Although they do not satisfy exactly the conditions for being in ℛ_Protocol, their resolution with a clause in ℛ_Protocol yields a clause in ℛ_Protocol.

Let Params_pk and Params_host be the sets of arguments of pk resp. host in the terms that occur in the trace of Condition C5. Let condense(ℛ_0) be the set of clauses ℛ obtained by ℛ ← ∅; for each R ∈ ℛ_0, ℛ ← elim(simplify(R) ∪ ℛ). We first consider the case in which a single long-term key is used, that is, Params_pk and Params_host have at most one element. The results will be generalized to any number of keys at the end of this section.

Figure 10: Special semantics for instrumented processes

  E, 𝒫 ∪ {0}, ℳ → E, 𝒫, ℳ   (Red Nil′)
  E, 𝒫 ∪ {!^i P}, ℳ → E[i ↦ Id_0], 𝒫 ∪ {P{Id_0/i}}, ℳ ∪ {Id_0}   (Red Repl′)
  E, 𝒫 ∪ {P | Q}, ℳ → E, 𝒫 ∪ {P, Q}, ℳ   (Red Par′)
  E, 𝒫 ∪ {(νa : ℓ)P}, ℳ → E[a ↦ E(ℓ)], 𝒫 ∪ {P}, ℳ ∪ {M_1, …, M_n, a}   (Red Res′)
  E, 𝒫 ∪ {c⟨M⟩.Q}, ℳ → E, 𝒫 ∪ {Q}, ℳ ∪ {M}   (Red Out′)
  E, 𝒫 ∪ {c(x).P}, ℳ → E[x ↦ E(M)], 𝒫 ∪ {P{M/x}}, ℳ   if M ∈ ℳ   (Red In′)
  E, 𝒫 ∪ {let x = g(M_1, …, M_n) in P else 0}, ℳ → E[x ↦ E(M′)], 𝒫 ∪ {P{M′/x}}, ℳ ∪ {M_1, …, M_n, M′}   if g(M_1, …, M_n) → M′   (Red Destr 1′)
  E, 𝒫 ∪ {event(M).Q}, ℳ → E, 𝒫 ∪ {Q}, ℳ ∪ {M}   (Red Event′)

The next proposition shows that the initial clauses given to the resolution algorithm form a weakly tagged program.

Proposition 4 If P_0 is a tagged protocol such that Params_pk and Params_host have at most one element and P′_0 = instr(P_0), then condense(ℛ_{P′_0, Init}) is a weakly tagged program.

Proof sketch The fully detailed proof is very long (about 8 pages), so we give only a sketch here. A similar proof (for strong secrecy instead of secrecy and reachability) with more details can be found in the technical report [16, Appendix C]. We assume that different occurrences of restrictions and variables have different identifiers, and identifiers different from free names and variables. In Figure 10, we define a special semantics for instrumented processes, which is only used as a tool in the proof. A semantic configuration consists of three components: an environment E mapping names and variables to patterns, a multiset of instrumented processes 𝒫, and a set of terms ℳ. The semantics is defined as a reduction relation on semantic configurations.
In this semantics, (νa) creates the name a, instead of a fresh name a′. Indeed, creating fresh names is useless, since the replication does not copy processes in this semantics, and the names are initially pairwise distinct. Let E_0 = {a ↦ a[] | a ∈ fn(P_0)}. We show that E_0, {P′_0}, fn(P_0) →* E′, ∅, ℳ′, for some E′ and ℳ′, such that the second argument of pencrypt_p in ℳ′ is of the form pk(M) and the arguments of pk and host in ℳ′ are atomic constants in Params_pk and Params_host respectively. This result is obtained by simulating in the semantics of Figure 10 the trace of Condition C5. Moreover, the second argument of pencrypt_p in ℳ′ is of the form pk(M) by Condition C6, and the arguments of pk and host in ℳ′ are atomic constants in Params_pk and Params_host respectively, by Condition C7 and the definition of Params_pk and Params_host.

Let us define S_0 = E′(ℳ′) ∪ {b_0[Id_0]}. If Params_pk is empty, we add some key k to it, so that Params_pk = {k}. Let c, c′, c′′, c′′′ be constants. If S_0 contains no instance of sencrypt(x, y), we add sencrypt((c, c′), c′′) to S_0. If S_0 contains no instance of sencrypt_p(x, y, z), we add sencrypt_p((c, c′), c′′, c′′′) to S_0. If S_0 contains no instance of pencrypt_p(x, y, z), we add pencrypt_p((c, c′), pk(k), c′′) to S_0. If S_0 contains no instance of sign(x, y), we add sign((c, c′), k) to S_0. If S_0 contains no instance of nmrsign(x, y), we add nmrsign((c, c′), k) to S_0. So S_0 is a finite set of closed patterns. Intuitively, S_0 is the set of patterns corresponding to closed terms that occur in the trace of Condition C5.

Let E_t be E in which all patterns a[…] are replaced with their corresponding term a. In all reductions E_0, {P′_0}, fn(P_0) →* E, 𝒫, ℳ, all patterns of the form a[…] in the image of E are equal to E(a), so E ∘ E_t = E. We show the following result by induction on P:

Let P be an instrumented process, subprocess of P′_0. Assume that E_0, {P′_0}, fn(P_0) →* E, 𝒫 ∪ {E_t(P)}, ℳ →* E′, ∅, ℳ′, and that there exists σ′ such that E′|_{dom(ρ)} = σ′ ∘ ρ and patterns(σ′H) ⊆ sub(S_0). Then for all R ∈ [[P]]ρH, there exists σ′′ such that patterns(σ′′R) ⊆ sub(S_0).

Let ρ_0 = {a ↦ a[] | a ∈ fn(P_0)}. By applying this result to P = P′_0, we obtain that for all clauses R in [[P′_0]]ρ_0∅, there exists a substitution σ such that patterns(σR) ⊆ sub(S_0).

Let tagGen = {f((ct_i, x_1, …, x_n), x′_2, …, x′_{n′}) | f ∈ {sencrypt, sencrypt_p, pencrypt_p, sign, nmrsign, h, mac}} ∪ {a[x_1, …, x_n] | a a name function symbol} ∪ {pk(x), host(x)} ∪ {c | c an atomic constant}.

We show the following result by induction on P: Assume that the patterns of the image of ρ and of H are fully tagged. Assume that P is an instrumented process, subprocess of P′_0. Then for all R ∈ [[P]]ρH, patterns(R) are fully tagged. This result relies on Condition C3 to show that the created terms are tagged, and on Condition C4 to show that the tags are checked. By applying this result to P = P′_0, we obtain that for all R ∈ [[P′_0]]ρ_0∅, the patterns of R are fully tagged.

By the previous results, [[P′_0]]ρ_0∅ ⊆ ℛ_Protocol. The clauses (Rf) are in ℛ_Constr. The clauses (Init) and (Rn) are in ℛ_Protocol given the value of S_0. The clauses (Rg) for nth_i, sdecrypt, sdecrypt_p, pdecrypt_p, and getmessage are:

  attacker((x_1, …, x_n)) ⇒ attacker(x_i)   (nth_i)
  attacker(sencrypt(x, y)) ∧ attacker(y) ⇒ attacker(x)   (sdecrypt)
  attacker(sencrypt_p(x, y, z)) ∧ attacker(y) ⇒ attacker(x)   (sdecrypt_p)
  attacker(pencrypt_p(x, pk(y), z)) ∧ attacker(y) ⇒ attacker(x)   (pdecrypt_p)
  attacker(sign(x, y)) ⇒ attacker(x)   (getmessage)

and they are in ℛ_Destr provided that all public-key encryptions in S_0 are of the form pencrypt_p(p_1, pk(p_2), p_3) (that is, Condition C6). The clauses for checksignature and nmrchecksign are

  attacker(sign(x, y)) ∧ attacker(pk(y)) ⇒ attacker(x)   (checksignature)
  attacker(nmrsign(x, y)) ∧ attacker(pk(y)) ∧ attacker(x) ⇒ attacker(true)   (nmrchecksign)

These two clauses are subsumed respectively by the clauses for getmessage (given above) and true (which is simply attacker(true), since true is a zero-ary constructor), so they are eliminated by condense, i.e., they are not in condense(ℛ_{P′_0, Init}). (This is important, because they are not in ℛ_Destr.) Therefore all clauses in condense(ℛ_{P′_0, Init}) are in ℛ_ProtAdv, since the set of clauses ℛ_ProtAdv is preserved by simplification, so we have Condition W1.

Different patterns in tagGen do not unify. Moreover, each pattern in tagGen has at most one instance in sub(S_0). For pk(x) and host(x), this comes from the hypothesis that Params_pk and Params_host have at most one element. For atomic constants, this is obvious. (Their only instance is themselves.) For other patterns, this comes from the fact that the trace of Condition C5 executes each program point at most once, and that patterns created at different program points are associated with different symbols: (f, c) for f((c, …), …) and a for a[…]. (For f((c, …), …), this comes from Condition C3. For a[…], this is because different restrictions use a different function symbol by construction of the clauses.) So we have Condition W2. ✷

The next proposition shows that saturation terminates for weakly tagged programs.

Proposition 5 Let ℛ_0 be a set of clauses. If condense(ℛ_0) is a weakly tagged program (Definition 20), then the computation of saturate(ℛ_0) terminates.

Proof This result is very similar to [20, Proposition 8], so we give only a brief sketch and refer the reader to that paper for details. We show by induction that all clauses R generated from ℛ_0 are in ℛ_Protocol ∪ ℛ_Constr ∪ ℛ_Destr and that the patterns of attacker facts in clauses R in ℛ_Protocol are non-data. First, by hypothesis, all clauses in condense(ℛ_0) satisfy this property, by definition of weakly tagged programs and because of the decomposition of data constructors by decomp.

If we combine by resolution two clauses in ℛ_Constr ∪ ℛ_Destr, we in fact combine a clause of ℛ_Constr with a clause of ℛ_Destr. The resulting clause is a tautology by definition of ℛ_Constr and ℛ_Destr, so it is eliminated by elimtaut. Otherwise, we combine by resolution a clause R in ℛ_Protocol with a clause R′ such that either R′ ∈ ℛ_Protocol, sel(R′) = ∅, and sel(R) ≠ ∅, or R′ ∈ ℛ_Constr, or R′ ∈ ℛ_Destr. Let R′′ be the clause obtained by resolution of R and R′. We show that the patterns of R′′ are fully tagged, and that for each σ such that patterns(σR) ⊆ sub(S_0), there exists σ′′ such that patterns(σ′′R′′) ⊆ sub(S_0) and size(σ′′R′′) < size(σR), where the size is defined as follows. The size of a pattern size(p) is defined as usual, size(attacker(p)) = size(event(p)) = size(p), and size(F_1 ∧ … ∧ F_n ⇒ F) = size(F_1) + … + size(F_n) + size(F). Let R_s ∈ simplify(R′′).
The patterns of R s are no n-data fully tag ged, p atterns ( σ ′′ R s ) ⊆ sub ( S 0 ) , and size ( σ ′′ R s ) ≤ size ( σ ′′ R ′′ ) < size ( σ R ) . So R s ∈ R Proto col and its patterns are non-data. Moreover , for all ge nerated clauses R , there exists σ such that size ( σ R ) is smaller than the m aximum initial value of size ( σ R ) f or a clause o f the pr otocol. Ther e is a fi- nite numbe r of such clauses (since size ( R ) ≤ size ( σR ) ). So saturate ( R 0 ) terminates. ✷ Next, we show that derivable terminates wh en it is called on th e result of th e satu- ration of a weakly tagged program . Proposition 6 If F is a c losed fact and R 1 is a weakly tagged p r ogram simplified by simplify such tha t, for a ll R ∈ R 1 , sel 0 ( R ) = ∅ , then derivable ( F , R 1 ) terminates. Proof W e show the follo wing proper ty: For all calls deriv ( R , R , R 1 ) , R = F ⇒ F or R = attack er( p 1 ) ∧ . . . ∧ attack er( p n ) ⇒ F wher e p 1 , . . . , p n are closed patterns. This pro perty is proved b y induction . It is obvio usly tru e for the initial c all to deriv , deriv ( F ⇒ F , ∅ , R 1 ) . For recu rsiv e calls to deriv , deriv ( R ′′ , R , R 1 ) , the clause R ′′ is in simplify ′ ( R ′ ◦ F 0 R ) , where R ′ = a ttack er( x 1 ) ∧ . . . ∧ attacker ( x k ) ⇒ F ′ since R ′ ∈ R 1 and R = F ⇒ F or R = attacker ( p 1 ) ∧ . . . ∧ attack er( p n ) ⇒ F where p 1 , . . . , p n are closed patterns, by ind uction hypothesis. After unification o f F ′ and F 0 , x i is sub stituted by a clo sed pattern p ′ i (subpattern o f F 0 , an d F 0 is closed since F 0 is a hypothe sis of R ) , since x i appears in F ′ . ( If x i did not ap pear in F ′ , attack er( x i ) would ha ve been removed by elimattx .) If R = F ⇒ F , R ′ ◦ F 0 R = attacker ( p ′ 1 ) ∧ . . . ∧ attack er( p ′ k ) ⇒ F has only closed patterns in its hypoth eses, and so has the clause R ′′ in simplif y ′ ( R ′ ◦ F 0 R ) . Otherwise, R = attacker ( p 1 ) ∧ . . . 
∧ a ttack e r( p n ) ⇒ F , F 0 = attacker ( p i ) , and p i is a closed pa ttern. W e ha ve R ′ ◦ F 0 R = attack er( p ′ 1 ) ∧ . . . ∧ attack er( p ′ k ) ∧ attack er( p 1 ) ∧ . . . ∧ a ttack e r( p i − 1 ) ∧ attack er( p i +1 ) ∧ . . . ∧ a ttack e r( p n ) ⇒ F , which has only closed patterns in its hy potheses, and so has the clause R ′′ in simplify ′ ( R ′ ◦ F 0 R ) . Moreover , p ′ 1 , . . . , p ′ k are disjoint subte rms o f p i , th erefore the total size of p ′ 1 , . . . , p ′ k is strictly smaller than th e size of p i . (If we had equality , F ′ would b e a variable; this variable would occur in the h ypoth esis by definition of 87 R ProtAdv , so R ′ would h ave bee n r emoved b y elimtaut .) Therefo re the total size of the patterns in the hypotheses strictly decreases. (T he simplification function simplify ′ cannot increase this size.) This decrease proves termination. ✷ From the previous re sults, we infer the t ermin ation of the algorithm for tagged pro- tocols, when Par ams pk and Par ams host have at most one element. T he g eneral ca se can then be o btained as in [20 ]: we define a functio n O neKey which maps all ele- ments of P ar ams pk and Par ams host to a s ingle atomic constant. When P 0 is a tagged protoco l, OneKey( P 0 ) is a tagged p rotoco l in which Par ams pk and Par ams host are singletons. W e consider a “less op timized algorithm ” in which e limination of duplicate hypoth eses and o f tautolo gies are perf ormed on ly f or facts of the form attack er( x ) , elimination of r edund ant hypo theses is not perfo rmed, and elimination of subsumed clauses is per formed on ly for elimina ting the destructo r clauses for che cksignatur e and nmr che cksign . W e observe that the previous re sults still hold for the less opti- mized algorithm, with the same proof , so this algorithm terminates on OneKey( P 0 ) . 
All reso lution steps possible for the less op timized algorith m ap plied to P 0 are possi- ble for the less optimized algorithm applied to OneKey( P 0 ) as well (more patterns are unifiable, and th e re maining simplificatio ns o f the less optimized algorithm com mute with applicatio ns of OneKe y ). Hen ce, the der iv a tions from R P ′ 0 , Init are map ped by OneKey to derivations from R OneKey( P ′ 0 ) , Init , which are finite, so deriv ations fro m R P ′ 0 , Init are also finite, so the less optimized algorithm terminates on P 0 . W e can then show that th e or iginal, fu lly optimiz ed algor ithm also termin ates on P 0 . So we fin ally obtain Proposition 3. E General Correspon dences In this app endix, we p rove Theorem 5. For simplicity , we assume th at the fun ction applications at the root of e vents are unary . Lemma 17 Let P 0 be a closed pr ocess a nd P ′ 0 = instr ′ ( P 0 ) . Let Q be a n Init - adversary and Q ′ = instrAdv ( Q ) . Assume that, in P 0 , the arguments of events ar e function applica tions. Let f b e a fun ction symbol. A ssume that the r e is a single oc - curr ence of ev ent ( f ( )) in P 0 and this occurr ence is un der a r eplication. Consider any trace T = S 0 , E 0 , { P ′ 0 , Q ′ } → ∗ S ′ , E ′ , P ′ . The multiset of session iden tifiers λ of events eve nt ( f ( ) , λ ) executed in T co ntains n o duplica tes. Proof Let us define th e multiset SId ( P ) by SId ( event ( f ( M ) , λ ) .P ) = { λ } ∪ SId ( P ) (for the given fu nction symbo l f ), SId (! i P ) = ∅ , and in all other cases, SId ( P ) is th e union of the SId ( P ′ ) for all imm ediate subp rocesses P ′ of P . For a trace T , let SId ( T ) be the set of session id entifiers λ of ev ents ev ent ( f ( ) , λ ) exe- cuted in the trace T . W e show that, for each trace T = S 0 , E 0 , { P ′ 0 , Q ′ } → ∗ S ′ , E ′ , P ′ , SId ( T ) ∪ S P ∈P ′ SId ( P ) ∪ S ′ contains no duplicates. The proof is by induction on the length of the trace. 
For the empty trace T = S 0 , E 0 , { P ′ 0 , Q ′ } → ∗ S 0 , E 0 , { P ′ 0 , Q ′ } , SId ( T ) = ∅ and SId ( P ′ 0 ) ∪ SId ( Q ) = ∅ by definition. 88 The red uction (Red Repl) moves at most one session identifier f rom S ′ to S P ∈P ′ SId ( P ) (withou t intro ducing du plicates since there is one occur rence of event ( f ( ) , ) ). The reduc tion (Red Event) moves at most one session ide ntifier fro m S P ∈P ′ SId ( P ) to SId ( T ) . Th e other redu ctions can only remove session iden tifiers from S P ∈P ′ SId ( P ) (by rem oving subproce sses). ✷ Lemma 18 Let P 0 = C [ eve nt ( f ( M )) .D [ event ( f m − event ( M , x ) .P ]] , wher e no r eplication occurs in D [ ] above the ho le [ ] , and the variab les an d names bou n d in P 0 ar e all p airwise distinct an d distinct fr om fr ee names. Assume that, in P 0 , the ar - guments o f events are function ap plication s, and tha t the re is a single occurr ence of event ( f ( )) and of eve nt ( f m − event ( , )) in P 0 . Let Q be an Init -adversary and Q ′ = instrAdv( Q ) . Let P ′ 0 = instr ′ ( P 0 ) . Con- sider a trace o f P ′ 0 : T = S 0 , E 0 , P 0 = { P ′ 0 , Q ′ } → ∗ S τ f , E τ f , P τ f . Then ther e e xists a fu nction φ i such that a) if e vent ( f m − event ( p, p ′ ) , λ ) is e xecuted at step τ in T for so me λ, p, p ′ , τ , then ev ent ( f ( p ) , λ ) is executed a t step φ i ( τ ) in T , b) φ i is injective, a nd c ) if φ i ( τ ) is defined , then φ i ( τ ) < τ . Proof W e deno te by S τ , E τ , P τ the configura tion at the step τ in the trace T . Let S 1 ( τ ) = { ( λ, p ) | ev ent ( f ( p ) , λ ) is executed in the first τ steps of T } , S 2 ( τ ) = { ( λ, p ) | ev ent ( f m − event ( p, p ′ ) , λ ) is executed in the first τ steps of T } S 3 ( τ ) = { ( λ, p ) | ev ent ( f m − event ( M , M ′ ) , λ ) o ccurs not under event ( f ( M ) , λ ) in P τ for E τ ( M ) = p } For each τ , we show that S 2 ( τ ) ∪ S 3 ( τ ) ⊆ S 1 ( τ ) . 
• For τ = 0 , the sets S 1 ( τ ) , S 2 ( τ ) , and S 3 ( τ ) a re empty . • If S τ , E τ , P τ → S τ +1 , E τ +1 , P τ +1 using (Red E vent) to ex ecute event ( f ( M ) , λ ) , then the same ( λ, E τ +1 ( M )) is added to S 3 ( τ + 1) and to S 1 ( τ + 1 ) . Similarly , for (Red Event) executing e vent ( f m − event ( M , M ′ ) , λ ) , a p air ( λ, E τ +1 ( M )) is moved from S 3 ( τ ) to S 2 ( τ + 1) . Th ese chan ges preserve th e desired inclusion. • Oth erwise, if S τ , E τ , P τ → S τ +1 , E τ +1 , P τ +1 , th en S 1 ( τ + 1) = S 1 ( τ ) , S 2 ( τ + 1) = S 2 ( τ ) , an d S 3 ( τ + 1) ⊆ S 3 ( τ ) (beca use some subpr ocesses may be removed by the reduction ). In particular, S 2 ( τ f ) ⊆ S 1 ( τ f ) . By Lem ma 17, there is a bijectio n φ 1 from the session labels λ of executed event ( f ( ) , λ ) events in T to th e steps at which th ese events are executed in T , and similarly φ 2 for event ( f m − event ( , ) , ) events. L et φ i = φ 1 ◦ φ − 1 2 . • If even t ( f m − event ( p, p ′ ) , λ ) is executed at step τ , ( λ, p ) ∈ S 2 ( τ f ) ⊆ S 1 ( τ f ) , so event ( f ( p ) , λ ) is executed at a certain step τ ′ . So φ 2 ( λ ) = τ and φ 1 ( λ ) = τ ′ , so φ i ( τ ) is d efined and τ ′ = φ i ( τ ) . • Since φ 1 and φ − 1 2 are injectiv e, φ i is injective. 89 • If φ i ( τ ) is d efined, the e vent e vent ( f m − event ( σ y , σ x ) , λ ) is executed at step τ by (Red E vent). So ( λ, σ y ) ∈ S 3 ( τ ) , where P τ correspo nds to the state just b e- fore the ev ent event ( f m − event ( σ y , σ x ) , λ ) is executed. Hence ( λ, σy ) ∈ S 1 ( τ ) since S 2 ( τ ) ∪ S 3 ( τ ) ⊆ S 1 ( τ ) . So ev ent ( f ( σy ) , λ ) is executed at step τ ′ < τ . W e have φ 2 ( λ ) = τ and φ 1 ( λ ) = τ ′ , so φ i ( τ ) = τ ′ < τ . ✷ Proof (of Theorem 5 ) For each no n-empty j k , when [inj] j k = inj , let f j k be th e root fu nction sym bol of p j k . W e consider a mo dified pro cess P 1 built f rom P 0 as follows. 
For each j k su ch that [inj] j k = inj and event ( f j k ( M )) occurs in P 0 , we add anoth er event eve nt ( f m − event j k ( M , x j k )) just under the definition of v ariable x j k if x j k is d efined under event ( f j k ( M )) and ju st und er eve nt ( f j k ( M )) other wise. Let P ′ 1 = instr ′ ( P 1 ) . Th e process P ′ 1 is built fr om P ′ 0 as follows. For eac h j k such th at [inj] j k = inj and even t ( f j k ( M ) , i ) occu rs in P ′ 0 , we add anoth er event event ( f m − event j k ( M , x j k ) , i ) ju st under the definition of variable x j k if x j k is de- fined under eve nt ( f j k ( M ) , i ) and just un der ev ent ( f j k ( M ) , i ) otherwise. (When [inj] j k = inj , x j k ∈ dom ( ρ j r k ) wher e ρ j r k is the en viro nment adde d as argument o f m - even t facts i n the clauses, so x j k is defined either above event ( f j k ( M ) , i ) or under event ( f j k ( M ) , i ) with out any replication between t he ev ent and the definition of x j k , since the d omain of the environment g iv en as argument to m - ev e nt is set at replications by substituting  and not m odified later . ) W e will show that P ′ 1 satisfies the de sired correspo ndence. It is then clear that P ′ 0 also satisfies it. The clau ses R P ′ 1 , Init can be o btained from R ′ P ′ 0 , Init by replacin g all facts m - even t( p, ρ ) with m - even t( p, i ) ∧ ^ j k such that p = f jk ( p ′ ) and x jk ∈ dom ( ρ ) m - even t( f m − event j k ( p ′ , ρ ( x j k )) , i ) for some i , and adding clauses that conclud e even t( f m − event j k ( . . . ) , . . . ) . The clau ses in s olve P ′ 1 , Init can be obtained in th e sam e way from s olve ′ P ′ 0 , Init . 
So we can define a function v erify ′ like verify with an ad ditional argument ( x j k j ′ k ′ ) j k j ′ k ′ by adding ( x j kj k j ′ k ′ ) j k j ′ k ′ in the arguments o f recursi ve c all of Point V2.3 and replac- ing Point V2.1 with solve P ′ 1 , Init (even t( p, i )) ⊆ { H ∧ V l j k =1 m - even t(arg j r k , i j r k ) ⇒ even t( σ j r p ′ j , i j r ) for some H , j ∈ { 1 , . . . , m } , r , i j r k , and ( ρ j r k , i j r ) ∈ Env j k for all k } wh ere arg j r k = σ j r p j k if [inj] j k 6 = inj , an d arg j r k = f m − event j k ( σ j r p ′ , ρ j r k ( x j k )) if [inj] j k = inj an d p j k = f j k ( p ′ ) . When verify( q, ( Env j k ) j k ) is true, verify ′ ( q , ( Env j k ) j k , ( x j k ) j k ) is also true. Let Q be an Init -adversary and Q ′ = ins trAdv( Q ) . Let E 0 such that E 0 ( a ) = a [ ] for all a ∈ dom ( E 0 ) and fn ( P ′ 1 ) ∪ Init ⊆ dom ( E 0 ) . Let u s now co nsider a trace o f P ′ 1 , T = S 0 , E 0 , { P ′ 1 , Q ′ } → ∗ S ′ , E ′ , P ′ . By Lemma 18 , for ea ch n on-em pty j k such that [inj] j k = inj , there exists a fu nc- tion φ i j k such th at a) if event ( f m − event j k ( p, p ′ ) , λ ) is executed a t step τ in T for som e λ, p, p ′ , τ , then event ( f j k ( p ) , λ ) is executed at step φ i j k ( τ ) in T , b ) φ i j k is injective, and c) if φ i j k ( τ ) is d efined, then φ i j k ( τ ) < τ . 90 When ψ j k is a family of f unction s from steps to steps in a trace, we defin e ψ ◦ j k as follows: • ψ ◦ ǫ ( τ ) = τ for all τ ; • fo r all j k , fo r all j and k , ψ ◦ j k j k = φ i j k j k ◦ ψ j k j k ◦ ψ ◦ j k when [inj] j k j k = inj a nd ψ ◦ j k j k = ψ j k j k ◦ ψ ◦ j k otherwise. W e show that, if v er ify ′ ( q ′ , ( Env j k ) j k , ( x j k ) j k ) is true for q ′ = even t( p ) ⇒ m _ j =1   even t( p ′ j ) l j ^ k =1 [inj] j k q ′ j k   q ′ j k = even t( p j k ) m jk _ j =1 l jk j ^ k =1 [inj] j k j k q ′ j k j k then there exists a function ψ j k for each j k such that P1. 
For all τ , if the event event ( σ p, λ ǫ ) is ex ecuted at step τ in T , then there exist σ ′′ and J = ( j k ) k such th at σ ′′ p ′ j ǫ = σp and, fo r a ll non- empty k , ψ ◦ makejk( k,J ) ( τ ) is d efined an d eve nt ( σ ′′ p makejk ( k,J ) , λ k ) is executed at step ψ ◦ makejk( k,J ) ( τ ) in T . P2. For all non-empty j k , if [inj] j k = inj and ψ j k ( τ ) is defined, then event ( p ′′ 1 , λ ′ 1 ) is executed at step τ in T , event ( f m − event j k ( p ′′ 2 , θ ρ ( x j k )) , λ ′ 2 ) is e xecuted at step ψ j k ( τ ) in T , an d θ i = λ ′ 1 for some p ′′ 1 , p ′′ 2 , λ ′ 1 , λ ′ 2 , θ , and ( ρ, i ) ∈ Env j k , where f j k is the ro ot function symbo l of p j k . (This pr operty is used for provin g injectivity and recentne ss.) P3. For all non -empty j k , if ψ j k ( τ ) is d efined, then ψ j k ( τ ) ≤ τ . The proof is by induction on q ′ . • If q ′ = even t( p ) (that is, m = 1 , l 1 = 0 , and p 1 = p ), we define j ǫ = 1 and σ ′′ = σ , so that σ ′′ p ′ j ǫ = σ p . All other condition s h old tri vially , since there is no non-em pty k . • Oth erwise, we define ψ j k as follows. Using Point V2.1, by Theorem 3, P ′ 1 satisfies the correspo ndence even t( p, i ) ⇒ _ j =1 ..m,r   even t( σ j r p ′ j , i j r ) l j ^ k =1 even t(ar g j r k , i j r k )   (24) against Init -ad versaries. Assume th at e vent ( σp , λ ) is executed at step τ in T f or som e sub stitution σ . Let us consider the trace T cut just after step τ . By Corresp onden ce (24), there 91 exist σ ′ , j ∈ { 1 , . . . , m } , and r such that σ ′ σ j r p ′ j = σ p , σ ′ i j r = σ λ = λ , and for k ∈ { 1 , . . . , l j } , there exists λ k such that eve nt ( σ ′ arg j r k , λ k ) is executed in the tra ce T cut after step τ . So th e event event ( σ ′ arg j r k , λ k ) is executed at step τ k ≤ τ in T . In this ca se, we define ψ j k ( τ ) = τ k and r ( τ ) = r . If [inj] j k = inj , the n eve nt ( σ ′ σ j r p j k , λ k ) is executed as step φ i j k ( ψ j k ( τ )) = ψ ◦ j k ( τ ) . 
If [inj] j k 6 = inj , the n a rg j r k = σ j r p j k , so event ( σ ′ σ j r p j k , λ k ) is ex ecuted as step ψ j k ( τ ) = ψ ◦ j k ( τ ) . By constructio n, if ψ j k ( τ ) is d efined, then ψ j k ( τ ) ≤ τ . When [inj] j k = inj , we let f j k be the root function symbol of p j k . By Point V2.3, f or all j, r, k , verify ′ ( σ j r q ′ j k , ( Env j k j k ) j k , ( x j kj k ) j k ) is true. So, by induction hypoth esis, there exist functions ψ j r k,j k such that – For all τ k , if the e vent event ( σ ′ σ j r p j k , λ k ) is executed at step τ k in T , then ther e exist σ ′′ j r k and J = ( j j r k, k ) k such that σ ′′ j r k σ j r p j k = σ ′ σ j r p j k and, for all no n-emp ty k , ψ ◦ j r k, makejk( k,J ) ( τ k ) is defined and event ( σ ′′ j r k σ j r p j k makejk( k,J ) , λ kk ) is executed at step ψ ◦ j r k, makejk( k,J ) ( τ k ) in T . – For all non -empty j k , if [inj] j k j k = inj and ψ j r k,j k ( τ ) is defined, then event ( p ′′ 1 , λ ′ 1 ) is e xecuted at s tep τ in T , event ( f m − event j k j k ( p ′′ 2 , θ ρ ( x j k j k )) , λ ′ 2 ) is executed at step ψ j r k, j k ( τ ) in T and θi = λ ′ 1 for som e p ′′ 1 , p ′′ 2 , λ ′ 1 , λ ′ 2 , θ , a nd ( ρ, i ) ∈ Env j k j k . – For all non -empty j k , if ψ j r k, j k ( τ ) is define d, then ψ j r k,j k ( τ ) ≤ τ . W e define ψ j k j k ( τ ) = ψ j r k,j k ( τ ) fo r r = r ( τ ) . Then we h av e ψ ◦ j k j k ( τ ) = ψ ◦ j r k,j k ( ψ ◦ j k ( τ )) fo r r = r ( τ ) . Therefo re, for all τ , if event ( σ p, λ ) is executed at step τ in T , then – the re exist σ ′ , J ǫ = ( j k ) k , and r such th at j ǫ = j ∈ { 1 , . . . 
, m } , j k is unde- fined f or all k 6 = ǫ , σ ′ σ j r p ′ j = σ p , and, fo r all k , ψ ◦ makejk( k,J ǫ ) ( τ ) is d efined and event ( σ ′ σ j r p makejk ( k,J ǫ ) , λ k ) is executed as step ψ ◦ makejk( k,J ǫ ) ( τ ) ; – fo r all k , there exist σ ′′ j r k and J k = ( j k k ) kk such that σ ′′ j r k σ j r p j k = σ ′ σ j r p j k and, for all non- empty k , ψ ◦ makejk( k k,J k ) ( τ ) is defined and event ( σ ′′ j r k σ j r p makejk ( k k ,J k ) , λ kk ) is executed at step ψ ◦ makejk( k k,J k ) ( τ ) in T . W e define a family of indice s J by merging J ǫ and J k for all k , that is, J = ( j k ) k . Therefo re, in or der to obtain P1, it is en ough to find a substitution σ ′′ such th at σ ′′ p ′ j = σ ′ σ j r p ′ j , σ ′′ p j k = σ ′ σ j r p j k , an d σ ′′ p j k j k = σ ′′ j r k σ j r p j kj k for all no n- empty j k . Let us de fine σ u as follows: – For all x ∈ fv ( σ j r p ′ j ) ∪ S k fv ( σ j r p j k ) , σ u x = σ ′ x . 92 – For all k , for all x ∈ fv ( σ j r q ′ j k ) \ fv ( σ j r p j k ) , σ u x = σ ′′ j r k x . By Poin t V2.2, these sets of variables are disjoint, so σ u is well defined. Let σ ′′ = σ u σ j r . W e have σ ′′ p ′ j = σ u σ j r p ′ j = σ ′ σ j r p ′ j and σ ′′ p j k = σ u σ j r p j k = σ ′ σ j r p j k . Since σ ′′ q ′ j k = σ u σ j r q ′ j k , we just have to show th at σ u σ j r q ′ j k = σ ′′ j r k σ j r q ′ j k . W e have σ u σ j r p j k = σ ′ σ j r p j k = σ ′′ j r k σ j r p j k . Therefor e, if x ∈ fv ( σ j r p j k ) , then σ u x = σ ′′ j r k x . 5 Hence, for all x ∈ fv ( σ j r q ′ j k ) , σ u x = σ ′′ j r k x , which proves that σ u σ j r q ′ j k = σ ′′ j r k σ j r q ′ j k . Hence we obtain P1. 
If [inj] j k = inj and ψ j k ( τ ) is defined, th en even t ( p ′′ 1 , λ ′ 1 ) = event ( σp, λ ) is executed at st ep τ in T , event ( f m − event j k ( p ′′ 2 , θ ρ ( x j k )) , λ ′ 2 ) = eve nt ( σ ′ arg j r k , λ k ) is ex ecuted at step ψ j k ( τ ) in T , and θi = λ ′ 1 for some p ′′ 1 = σ p , p ′′ 2 , λ ′ 1 = λ , λ ′ 2 = λ k , θ = σ ′ , an d ( ρ, i ) = ( ρ j r k , i j r ) ∈ Env j k . For all non-em pty j k , if [inj] j k j k = inj and ψ j kj k ( τ ) is defined, then even t ( p ′′ 1 , λ ′ 1 ) is executed at step τ in T , even t ( f m − event j k j k ( p ′′ 2 , θ ρ ( x j k j k )) , λ ′ 2 ) is executed at step ψ j kj k ( τ ) in T , and θ i = λ ′ 1 for some p ′′ 1 , p ′′ 2 , λ ′ 1 , λ ′ 2 , θ , a nd ( ρ, i ) ∈ Env j k j k . So we obtain P2. If ψ j k ( τ ) is defin ed, then ψ j k ( τ ) ≤ τ . For all n on-emp ty j k , if ψ j k j k ( τ ) is defined, then ψ j k j k ( τ ) ≤ τ . Therefo re, we ha ve P3. Let q = even t( p ) ⇒ W m j =1  even t( p ′ j ) V l j k =1 [inj] j k q j k  , and q j k = e ven t( p j k ) W m jk j =1 V l jk j k =1 [inj] j k j k q j k j k . By Hy pothesis H1, verify ′ ( q , ( Env j k ) j k , ( x j k ) j k ) is tr ue, so there exists a function ψ j k for each j k such that P1, P2, and P3 are satisfied. Let φ j k = ψ ◦ j k . • By P1, for all τ , if the event e vent ( σ p, λ ǫ ) is executed at step τ in T , then there exist σ ′ and J = ( j k ) k such th at σ ′ p ′ j ǫ = σ p and, fo r all n on-em pty k , φ makejk( k,J ) ( τ ) is defined and event ( σ ′ p makejk ( k ,J ) , λ k ) is executed at step φ makejk( k,J ) ( τ ) in T . Let us show rece ntness. Suppo se that [inj] makejk( k,J ) = inj . W e show that the runtimes o f sessio n( λ k ⌈ ) and session( λ k ) overlap. W e hav e φ makejk( k,J ) ( τ ) = φ i makejk( k,J ) ( ψ makejk( k,J ) ( φ makejk( k ⌈ ,J ) ( τ ))) . Let τ 1 = φ makejk( k ⌈ ,J ) ( τ ) . Th en ψ makejk( k,J ) ( τ 1 ) is defined. 
Hence, by P2, e 1 = event ( p ′′ 1 , λ ′ 1 ) is executed at step τ 1 in T , e 2 = event ( f m − event makejk ( k,J ) ( p ′′ 2 , θ ρ ( x makejk( k,J ) )) , λ ′ 2 ) is exe- cuted at step τ 2 = ψ makejk ( k ,J ) ( τ 1 ) in T by a r eduction S τ 2 , E τ 2 , P τ 2 → S τ 2 +1 , E τ 2 +1 , P τ 2 +1 , and θ i = λ ′ 1 for some p ′′ 1 , p ′′ 2 , λ ′ 1 , λ ′ 2 , θ , an d ( ρ, i ) ∈ Env makejk( k,J ) . Since the event even t ( σ ′ p makejk( k ⌈ ,J ) , λ k ⌈ ) is also executed at step τ 1 = φ makejk( k ⌈ ,J ) ( τ ) , we have λ ′ 1 = λ k ⌈ . By the pro perties of φ i makejk( k,J ) , event ( f makejk ( k,J ) ( p ′′ 2 ) , λ ′ 2 ) is executed at step 5 This property does not hold in the presence of an equational theory (see Section 9.1). In that case, we conclud e by the additional hypothesis mentioned in Section 9.1. 93 φ i makejk( k,J ) ( τ 2 ) = φ makejk( k,J ) ( τ ) . Moreover , even t ( σ ′ p makejk( k,J ) , λ k ) is also executed at step φ makejk( k,J ) ( τ ) , so λ ′ 2 = λ k . By Hypo thesis H2, ρ ( x makejk( k,J ) ) { λ/i } does n ot unify with ρ ( x makejk( k,J ) ) { λ ′ /i } when λ 6 = λ ′ , so i occurs in ρ ( x makejk( k,J ) ) , so λ k ⌈ = λ ′ 1 = θ i o ccurs in θρ ( x makejk( k,J ) ) , so λ k ⌈ occurs in e 2 . So e 2 is executed afte r the rule S, E , P ∪ { ! i ′ P ′ } → S \ { λ k ⌈ } , E , P ∪ { P ′ { λ k ⌈ /i ′ } , ! i ′ P ′ } in T . Indeed, since λ k ⌈ occurs in the event e 2 executed at step τ 2 , λ k ⌈ ∈ S Id ′ ( E τ 2 ) ∪ SId ′ ( P τ 2 ) where SId ′ ( P ) (r esp. SId ′ ( E ) ) is the set o f session identifiers λ that occur in P (resp. E ). Mo reover , SId ′ ( E 0 ) ∪ SId ′ ( { P ′ 1 , Q ′ } ) = ∅ , and the only rule that increases SId ′ ( E ) ∪ SId ′ ( P ) is S, E , P ∪ { ! i P ′ } → S \ { λ } , E , P ∪ { P ′ { λ/i } , ! i P ′ } , which add s λ to SId ′ ( E ) ∪ S Id ′ ( P ) . T herefo re, e 2 is executed after the beginn ing of the ru n- time of session( λ k ⌈ ) . 
Moreover , e 2 is executed at step τ 2 = ψ makejk( k,J ) ( τ 1 ) and e 1 is executed at step τ 1 in T , with ψ makejk( k,J ) ( τ 1 ) ≤ τ 1 , so e 2 is executed b efore e 1 = event ( p ′′ 1 , λ k ⌈ ) . So e 2 = even t ( f m − event makejk( k,J ) ( p ′′ 2 , θ ρ ( x makejk( k,J ) )) , λ k ) is executed during th e runtime of s ession( λ k ⌈ ) , therefore the runtimes of session( λ k ⌈ ) and session( λ k ) overlap. • Le t us show that, for all non-empty j k , if [inj] j k = inj , then ψ j k is injecti ve. Let τ 1 and τ 2 such th at ψ j k ( τ 1 ) = ψ j k ( τ 2 ) . By P2, ev ent ( p ′′ 1 , λ ′ 1 ) is executed a t step τ 1 in T , e vent ( f m − event j k ( p ′′ 3 , θ 1 ρ 1 ( x j k )) , λ ′ 3 ) is executed at step ψ j k ( τ 1 ) in T , and θ 1 i 1 = λ ′ 1 for some p ′′ 1 , p ′′ 3 , λ ′ 1 , λ ′ 3 , θ 1 , and ( ρ 1 , i 1 ) ∈ Env j k . Also by P2, event ( p ′′ 2 , λ ′ 2 ) is executed at st ep τ 2 in T , even t ( f m − event j k ( p ′′ 4 , θ 2 ρ 2 ( x j k )) , λ ′ 4 ) is executed at step ψ j k ( τ 2 ) in T , and θ 2 i 2 = λ ′ 2 for some p ′′ 1 , p ′′ 4 , λ ′ 2 , λ ′ 4 , θ 2 , and ( ρ 2 , i 2 ) ∈ Env j k . Since ψ j k ( τ 1 ) = ψ j k ( τ 2 ) , θ 1 ρ 1 ( x j k ) = θ 2 ρ 2 ( x j k ) . By Hypothesis H2 , this implies that θ 1 i 1 = θ 2 i 2 , so λ ′ 1 = λ ′ 2 . By Lemm a 17, τ 1 = τ 2 , which proves the injectivity of ψ j k . • Le t us show that, f or all no n-emp ty j k , if [inj] j k = inj , th en φ j k is injective, by induction on the length of the sequence of indices j k . For all j an d k , if [inj] j k = inj , then φ j k is injective since φ i j k , ψ j k , and φ ǫ are injective. For all no n-empty j k , for all j an d k , if [inj] j k j k = inj , then, by hypo thesis, [inj] j k = inj , so, by in duction hy pothesis, φ j k is in jectiv e. Th e fu nctions φ i j k j k and ψ j k j k are injectiv e, so φ j k j k is also injective. 
• For all j k , for all j and k , if φ j k j k ( τ ) is de fined, then φ j k ( τ ) is defined, an d φ j k j k ( τ ) ≤ φ j k ( τ ) , since φ i j k j k ( τ ′′ ) ≤ τ ′′ and ψ j k j k ( τ ′ ) ≤ τ ′ by P3, when they are defined. 94 In particular, for all j and k , if φ j k ( τ ) is d efined, then φ j k ( τ ) ≤ φ ǫ ( τ ) = τ . This concludes the proof of the desired recent correspon dence. ✷ Proof (of Proposition 2) W e have v erify( q , ( Env j k ) j k ) with Env j k = { ( ρ j r k , i j r ) | r ∈ { 1 , . . . , n j }} , because the first item imp lies V2.1, V2.2 ho lds trivially since q j k reduces to even t( p j k ) , and V2.3 also ho lds since q j k reduces to even t( p j k ) , so verify( σ j r q j k , ( Env j k j k ) j k ) holds by V1. The secon d item implies H2. So we have the result by Theorem 5. ✷ 95
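The elimination of the $\mathit{checksignature}$ and $\mathit{nmrchecksign}$ clauses by $\mathit{condense}$ in Appendix D (they are subsumed by the $\mathit{getmessage}$ and $\mathit{true}$ clauses, respectively) rests on ordinary Horn-clause subsumption: $R_1 = H_1 \Rightarrow C_1$ subsumes $R_2 = H_2 \Rightarrow C_2$ when some substitution $\sigma$ gives $\sigma C_1 = C_2$ and $\sigma H_1 \subseteq H_2$. The Python script below is an added illustration of that check, not code from the paper or from ProVerif: it encodes the destructor clauses listed in Appendix D as terms, implements one-way matching and the subsumption test, and runs a condense-style pass that drops every clause subsumed by another. The term encoding and the names `match`, `subsumes`, `eliminate_subsumed` and `condensed_names` are my own; the pair constructor is written `tuple` to stand for the tuple in the $\mathit{nth}_i$ clause.

```python
"""Clause subsumption on attacker clauses (added example; not the paper's or ProVerif's code).

Term encoding (my own convention, assumed for this example):
  Var("x")                 a clause variable
  ("sign", t1, t2)         a function application f(t1, t2); constants are ("true",)
  ("attacker", t)          the fact attacker(t)
  (hyps, concl)            the clause hyps[0] ∧ ... ∧ hyps[n-1] ⇒ concl
"""


class Var:
    """A clause variable; equality is by name."""

    def __init__(self, name):
        self.name = name

    def __eq__(self, other):
        return isinstance(other, Var) and other.name == self.name

    def __hash__(self):
        return hash(("var", self.name))

    def __repr__(self):
        return self.name


def match(pat, term, subst):
    """One-way matching: extend subst so that subst(pat) == term, or return None.

    Only variables of pat are bound; term is treated as rigid, which is what
    subsumption needs (the variables of the subsumed clause act as constants).
    """
    if isinstance(pat, Var):
        if pat in subst:
            return subst if subst[pat] == term else None
        extended = dict(subst)
        extended[pat] = term
        return extended
    if isinstance(term, Var) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst


def subsumes(r1, r2):
    """R1 = H1 ⇒ C1 subsumes R2 = H2 ⇒ C2 iff some σ has σC1 = C2 and σH1 ⊆ H2."""
    h1, c1 = r1
    h2, c2 = r2

    def place(hyps, subst):
        # Backtracking search mapping each hypothesis of σH1 onto a hypothesis of H2.
        if not hyps:
            return True
        for target in h2:
            extended = match(hyps[0], target, subst)
            if extended is not None and place(hyps[1:], extended):
                return True
        return False

    subst = match(c1, c2, {})
    return subst is not None and place(h1, subst)


def eliminate_subsumed(clauses):
    """Keep only clauses not subsumed by another clause of the set (first copy wins)."""
    kept = []
    for clause in clauses:
        if any(subsumes(other, clause) for other in kept):
            continue
        kept = [other for other in kept if not subsumes(clause, other)]
        kept.append(clause)
    return kept


x, y, z = Var("x"), Var("y"), Var("z")


def att(t):
    return ("attacker", t)


# Destructor clauses from Appendix D, as constructed sample input.
NTH = ([att(("tuple", x, y))], att(x))                     # nth_1 on a pair
SDECRYPT = ([att(("sencrypt", x, y)), att(y)], att(x))
PDECRYPT = ([att(("pencrypt_p", x, ("pk", y), z)), att(y)], att(x))
GETMESSAGE = ([att(("sign", x, y))], att(x))
CHECKSIGNATURE = ([att(("sign", x, y)), att(("pk", y))], att(x))
TRUE = ([], att(("true",)))                                 # true is a zero-ary constructor
NMRCHECKSIGN = ([att(("nmrsign", x, y)), att(("pk", y)), att(x)], att(("true",)))

ALL = [NTH, SDECRYPT, PDECRYPT, GETMESSAGE, CHECKSIGNATURE, TRUE, NMRCHECKSIGN]
NAMES = ["nth", "sdecrypt", "pdecrypt_p", "getmessage", "checksignature", "true", "nmrchecksign"]


def condensed_names():
    """Names of the clauses that survive subsumption elimination, in input order."""
    by_id = {id(c): n for c, n in zip(ALL, NAMES)}
    return [by_id[id(c)] for c in eliminate_subsumed(ALL)]


if __name__ == "__main__":
    print(subsumes(GETMESSAGE, CHECKSIGNATURE))   # checksignature is redundant
    print(subsumes(TRUE, NMRCHECKSIGN))           # nmrchecksign is redundant
    print(condensed_names())
```

Because `match` binds only variables of the first clause, a clause whose variables are merely renamed (for example $\mathrm{attacker}(\mathit{sign}(y, x)) \Rightarrow \mathrm{attacker}(y)$) still subsumes $\mathit{checksignature}$, which is the behaviour a condense step needs; the hypotheses are treated as a set, so one hypothesis of $R_1$ may be matched against any hypothesis of $R_2$.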