Deciding security properties for cryptographic protocols. Application to key cycles

There is a large amount of work dedicated to the formal verification of security protocols. In this paper, we revisit and extend the NP-complete decision procedure for a bounded number of sessions. We use a, now standard, deducibility constraints for…

Authors: Hubert Comon-Lundh, Véronique Cortier, Eugen Zălinescu. (The paper was published in the proceedings of LPAR 2006 (Logic for Programming, Artificial Intelligence, Reasoning).)

Deciding security properties for cryptographic protocols. Application to key cycles

HUBERT COMON-LUNDH, ENS Cachan & Research Center for Information Security, AIST, Tokyo
VÉRONIQUE CORTIER, LORIA, CNRS & Université Henri Poincaré & INRIA Project CASSIS
EUGEN ZĂLINESCU, MSR-INRIA Joint Centre, Orsay

There is a large amount of work dedicated to the formal verification of security protocols. In this paper, we revisit and extend the NP-complete decision procedure for a bounded number of sessions. We use a, now standard, deducibility constraint formalism for modeling security protocols. Our first contribution is to give a simple set of constraint simplification rules that allows one to reduce any deducibility constraint system to a set of solved forms, representing all solutions (within the bound on sessions). As a consequence, we prove that deciding the existence of key cycles is NP-complete for a bounded number of sessions. The problem of key cycles has been put forward by recent works relating computational and symbolic models. The so-called soundness of the symbolic model requires indeed that no key cycle (e.g., $\mathrm{enc}(k,k)$) ever occurs in the execution of the protocol. Otherwise, stronger security assumptions (such as KDM-security) are required. We show that our decision procedure can also be applied to prove again the decidability of authentication-like properties and the decidability of a significant fragment of protocols with timestamps.

Categories and Subject Descriptors: F.3.1 [Logics and Meanings of Programs]: Verifying and Reasoning about Programs
General Terms: Security
Additional Key Words and Phrases: formal proofs, security protocols, symbolic constraints, verification

1. INTRODUCTION

Security protocols are small programs that aim at securing communications over a public network, like the Internet.
Considering the increasing size of networks and their dependence on cryptographic protocols, a high level of assurance is needed in the correctness of such protocols. The design of such protocols is difficult and error-prone; many attacks are discovered even several years after the publication of a protocol. Consequently, there has been a growing interest in applying formal methods for validating cryptographic protocols, and many results have been obtained. The main advantage of this approach is its relative simplicity, which makes it amenable to automated analysis. For example, secrecy preservation is co-NP-complete for a bounded number of sessions [Amadio and Lugiez 2000; Rusinowitch and Turuani 2001], and decidable for an unbounded number of sessions under some additional restrictions [Comon-Lundh and Cortier 2003; Durgin et al. 1999; Lowe 1998; Ramanujam and Suresh 2005]. Many tools have also been developed to automatically verify cryptographic protocols, like [Armando et al. 2005; Blanchet 2001; Millen and Shmatikov 2001; Cremers 2008].

This work has been partially supported by the ACI-SI Satin and the ARA SSIA Formacrypt. Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use provided that the copies are not made or distributed for profit or commercial advantage, the ACM copyright/server notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee. © 2018 ACM 1529-3785/2018/0700-0001 $5.00. ACM Transactions on Computational Logic, Vol. V, No. N, October 2018, Pages 1–39.

Generalizing the constraint system approach.
In this paper, we re-investigate and extend the NP-complete decision procedure for a bounded number of sessions [Rusinowitch and Turuani 2001]. In this setting (i.e., a finite number of sessions), deducibility constraint systems have become the standard model for verifying security properties, with a special focus on secrecy. Starting with Millen and Shmatikov's paper [Millen and Shmatikov 2001], many results (e.g., [Comon-Lundh and Shmatikov 2003; Baudet 2005; Bursuc et al. 2007]) have been obtained and several tools (e.g., [Corin and Etalle 2002]) have been developed within this framework. Our first contribution is to provide a generic approach, derived from [Comon-Lundh and Shmatikov 2003], to decide general security properties. We show that any deducibility constraint system can be transformed into (possibly several) much simpler deducibility constraint systems, called solved forms, preserving all solutions of the original system and not only its satisfiability. In other words, the deducibility constraint system represents in a symbolic way all the possible sequences of messages that are produced, following the protocol rules, whatever the intruder's actions are. This set of symbolic traces is infinite in general. Solved forms are a simple (and finite) representation of such traces, and we show that it is suitable for the verification of many security properties. We also consider sorted terms, symmetric and asymmetric encryption, pairing and signatures, but we do not consider algebraic properties like Abelian groups or exclusive or. In addition, we prove termination in polynomial time of the (non-deterministic) deducibility constraint simplification. Compared to [Rusinowitch and Turuani 2001], our procedure preserves all solutions. Hence, we can represent, for instance, all attacks on secrecy and not only decide whether one exists.
Moreover, presenting the decision procedure using a small set of simplification rules yields more flexibility for further extensions and modifications. The main originality is that the method is applicable to any security property that can be expressed as a formula on the protocol trace and the agent memories. For example, our decision procedure (published in the LPAR'06 proceedings [Cortier and Zălinescu 2006]) has been used in [Cortier et al. 2006] for proving that a new notion of secrecy in presence of hashes is decidable (and co-NP-complete) for a bounded number of sessions. It has also been used in [Cortier et al. 2007] in the proof of modularity results for the security of protocols. To illustrate the wide applicability of our decision procedure, we show in this paper how it can be used for proving co-NP-completeness of three kinds of security properties: the existence of key cycles, authentication-like properties, and secrecy of protocols with timestamps.

For authentication properties, we introduce a small logic that allows one to specify authentication and some similar security properties. Using our solved forms, we show that any property that can be expressed within this logic can be decided. The logic is smaller than NPATRL [Syverson and Meadows 1996] or PS-LTL [Corin et al. 2005; Corin 2006], but we believe that decidability holds for a larger logic, closer to the two above ones. However, the goal of this work is not to introduce a new logic, but rather to highlight the proof method. Note also that the absence of key cycles cannot be expressed in any of the three mentioned logics because it is not only a trace property but also a property of the message structure (see below).
For timestamps, we actually retrieve a significant fragment of the decidable class identified by Bozga et al. [Bozga et al. 2004]. We believe that our result can lead more easily to an implementation, since we only need to adapt the procedure implemented in AVISPA [Armando et al. 2005], while Bozga et al. have designed a completely new decision procedure, which de facto has not been implemented.

Application to key cycles. Our second main contribution is to use this approach to provide an NP-complete decision procedure for detecting the generation of key cycles during the execution of a protocol, in the presence of an intruder, for a bounded number of sessions. To the best of our knowledge, this problem has not been addressed before. The key cycle problem arises from the cryptographic community. Indeed, two distinct approaches for the rigorous design and analysis of cryptographic protocols have been pursued in the literature: the so-called Dolev-Yao, symbolic, or formal approach on the one hand and the cryptographic, computational, or concrete approach on the other hand. In the symbolic approach, messages are modeled as formal terms that the adversary can manipulate using a fixed set of operations. In the cryptographic approach, messages are bit strings and the adversary is an arbitrary probabilistic polynomial-time Turing machine. While results in this model yield strong security guarantees, the proofs are often quite involved and only rarely suitable for automation (see, e.g., [Goldwasser and Micali 1984; Bellare and Rogaway 1993]). Starting with the seminal work of Abadi and Rogaway [Abadi and Rogaway 2002], recent results investigate the possibility of bridging the gap between the two approaches. The goal is to obtain the best of both worlds: simple, automated security proofs that entail strong security guarantees.
The approach usually consists in proving that the Dolev-Yao abstraction of cryptographic primitives is correct as soon as strong enough primitives are used in the implementation. For example, in the case of asymmetric encryption, it has been shown [Micciancio and Warinschi 2004b] that the perfect encryption assumption is a sound abstraction for IND-CCA2, which corresponds to a well-established security level. The perfect encryption assumption intuitively states that encryption is a black box that can be opened only when one has the inverse key. Otherwise, no information can be learned from a ciphertext about the underlying plaintext. However, it is not always sufficient to find the right cryptographic hypotheses. Formal models may need to be amended in order to be correct abstractions of the cryptographic models. A widely used requirement is to control how keys can encrypt other keys. In a passive setting, soundness results [Abadi and Rogaway 2002; Micciancio and Warinschi 2004a] require that no key cycles can be generated during the execution of a protocol. Key cycles are messages like $\mathrm{enc}(k,k)$ or $\mathrm{enc}(k_1,k_2), \mathrm{enc}(k_2,k_1)$, where a key encrypts itself or, more generally, where the encryption relation between keys contains a cycle. Such key cycles have to be disallowed simply because the usual security definitions for encryption schemes do not yield any guarantees otherwise. In the active setting, the typical hypotheses are even stronger. For instance, in [Backes and Pfitzmann 2004; Janvier et al. 2005] the authors require that a key $k$ never encrypts a key generated before $k$ or, more generally, that it is known in advance which key encrypts which one.
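Both requirements just described, acyclicity of the encryption relation and compatibility with an a priori ordering on keys, are mechanical checks once the relation is extracted from the messages of a trace. The following Python is an added example written for this page, not code from the paper or from AVISPA. It assumes that keys are atomic names (as in Section 5 of the paper), that only symmetric encryption $\mathrm{enc}$ is inspected, that "$k$ encrypts $k'$" means $k'$ occurs in the plaintext $m$ of some subterm $\mathrm{enc}(m,k)$, and that an a priori ordering is given as a generation index that must strictly increase along every edge (the strict reading, which also rules out $\mathrm{enc}(k,k)$). The sample messages are constructed for the example.

```python
"""Key-cycle and key-ordering checks over Dolev-Yao terms (added example, not the paper's code).

Terms are atoms (strings) or tuples (symbol, arg1, ..., argn), e.g. ('enc', m, k).
Assumptions: keys are atomic names; only symmetric encryption 'enc' is inspected;
"k encrypts k'" means k' occurs in the plaintext m of some subterm enc(m, k).
"""
from typing import Dict, List, Optional, Set, Tuple, Union

Term = Union[str, tuple]
Edge = Tuple[str, str]


def subterms(t: Term) -> Set[Term]:
    """St(t): t together with all of its subterms."""
    out: Set[Term] = {t}
    if isinstance(t, tuple):
        for arg in t[1:]:
            out |= subterms(arg)
    return out


def encrypts_relation(messages: List[Term], keys: Set[str]) -> Set[Edge]:
    """Edges (k, k') such that k' occurs under some enc(., k) in the messages."""
    edges: Set[Edge] = set()
    for msg in messages:
        for s in subterms(msg):
            if isinstance(s, tuple) and s[0] == 'enc' and s[2] in keys:
                plaintext, k = s[1], s[2]
                for inner in subterms(plaintext):
                    if inner in keys:
                        edges.add((k, inner))
    return edges


def find_key_cycle(edges: Set[Edge]) -> Optional[List[str]]:
    """Return a cycle [k1, ..., kn, k1] of the encrypts relation, or None if acyclic.
    Self-encryption enc(k, k) shows up as the cycle [k, k]."""
    adj: Dict[str, Set[str]] = {}
    for k, k2 in edges:
        adj.setdefault(k, set()).add(k2)
        adj.setdefault(k2, set())
    WHITE, GREY, BLACK = 0, 1, 2              # standard DFS colouring
    colour = {k: WHITE for k in adj}
    path: List[str] = []

    def dfs(u: str) -> Optional[List[str]]:
        colour[u] = GREY
        path.append(u)
        for v in sorted(adj[u]):
            if colour[v] == GREY:             # back edge: v is on the current path
                return path[path.index(v):] + [v]
            if colour[v] == WHITE:
                found = dfs(v)
                if found:
                    return found
        path.pop()
        colour[u] = BLACK
        return None

    for k in sorted(adj):
        if colour[k] == WHITE:
            cyc = dfs(k)
            if cyc:
                return cyc
    return None


def ordering_violations(edges: Set[Edge], order: Dict[str, int]) -> List[Edge]:
    """Edges k -> k' that break the a priori ordering. We require order[k] < order[k'],
    i.e. a key may only encrypt keys generated strictly after it (assumption of this
    example; the strict reading also forbids enc(k, k))."""
    return sorted((k, k2) for k, k2 in edges if not order[k] < order[k2])


def analyse(messages: List[Term], keys: Set[str], order: Dict[str, int]) -> dict:
    """Extract the encrypts relation and run both checks on a (ground) trace."""
    edges = encrypts_relation(messages, keys)
    return {'edges': sorted(edges),
            'cycle': find_key_cycle(edges),
            'ordering_violations': ordering_violations(edges, order)}


# Constructed sample trace: k1 encrypts k2 (inside a pair) and k2 encrypts k1.
SAMPLE_MESSAGES: List[Term] = [
    ('enc', ('pair', 'k2', 'n'), 'k1'),
    ('enc', 'k1', 'k2'),
    ('enc', 'n', 'k3'),
]
SAMPLE_KEYS = {'k1', 'k2', 'k3'}
SAMPLE_ORDER = {'k1': 1, 'k2': 2, 'k3': 3}      # generation order of the keys

if __name__ == '__main__':
    print(analyse(SAMPLE_MESSAGES, SAMPLE_KEYS, SAMPLE_ORDER))
```

On the sample trace the relation is $\{(k_1,k_2),(k_2,k_1)\}$, the DFS reports the cycle $k_1 \to k_2 \to k_1$, and the edge $(k_2,k_1)$ is also flagged as an ordering violation since $k_1$ was generated before $k_2$. This only checks a given ground trace; deciding whether some intruder strategy can produce such a trace is the problem the paper's constraint systems address.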
More precisely, these hypotheses require the encryption relation to be compatible with the order in which keys are generated or, more generally, to be compatible with an a priori given ordering on keys.

Related work on key cycles. Some authors circumvent the problem of key cycles by providing new security definitions for encryption, Key Dependent Messages security, or KDM in short, that allow key cycles [Adão et al. 2005; Backes et al. 2007]. However, the standard security notions do not imply these new definitions, and ad hoc encryption schemes have to be constructed. Most of these constructions use the random oracle model, which is provably non-implementable. Though there was some recent progress [Hofheinz and Unruh 2008] towards constructing a KDM-secure encryption scheme in the standard model, none of the usual, implemented encryption schemes has been proved to satisfy KDM-security. In a passive setting, Laud [Laud 2002] proposed a modification of the Dolev-Yao model such that the new model is a sound abstraction even in the presence of key cycles. In his model the intruder's power is strengthened by adding new deduction rules. With the new rules, from a message containing a key cycle, the intruder can infer all keys involved in the cycle as well as the messages encrypted by these keys. Subsequently, Janvier [Janvier 2006] proved that the intruder deduction problem remains polynomial for the modified deduction system. It was also suggested that this approach can be extended to active intruders and incorporated in existing tools, though, to the best of our knowledge, this has not been completed yet. Note that the definition of key cycles used in [Janvier 2006] is more permissive than in [Abadi and Rogaway 2002] (which is unnecessarily restrictive) and it corresponds to the approach of Laud [Laud 2002].

Deciding key cycles.
In this paper, we provide an NP-complete decision procedure for detecting the generation of key cycles during the execution of a protocol, in the presence of an active intruder, for a bounded number of sessions. Our procedure works for all the above-mentioned definitions of key cycles: strict key cycles (à la Abadi and Rogaway), non-strict key cycles (à la Laud), and key orderings (à la Backes). We therefore provide a necessary component for automated tools used in proving strong, cryptographic security properties, using existing soundness results. Since our approach is an extension of the transformation rules derived from the result of [Rusinowitch and Turuani 2001], we believe that our algorithm can be easily implemented, since it can be adapted from the associated procedure, already implemented in AVISPA [Armando et al. 2005] for deciding secrecy and authentication properties.

Outline of the paper. The messages and the intruder capabilities are modeled in Section 2. In Section 3.1, we define deducibility constraint systems and show how they can be used to express protocol executions. In Section 3.2, we define security properties and their satisfaction. In Section 4, we show that the satisfaction of any (in)security property can be non-deterministically, polynomially reduced to the satisfiability of the same problem, this time on simpler constraint systems. The simplification rules derived from [Comon-Lundh and Shmatikov 2003] are provided in Section 4.1. They are actually not sufficient to ensure termination in polynomial time. Thus we introduce in Section 4.6 a refined decision procedure, which is correct, complete, and terminating in polynomial time. We show in Section 5 how this approach can be used to obtain our main result of NP-completeness for the decision of key cycle generation. In Section 6, we introduce a small logic to express authentication-like properties and we show how our technique can be used to decide any formula of this logic. In Section 7, we show how it can be used to derive NP-completeness for protocols with timestamps. Some concluding remarks about further work can be found in Section 8.

2. MESSAGES AND INTRUDER CAPABILITIES

2.1 Syntax

Cryptographic primitives are represented by function symbols. More specifically, we consider a signature $(\mathcal{S}, \mathcal{F})$ consisting of a set of sorts $\mathcal{S} = \{s, s_1, \ldots\}$ and a set of function symbols $\mathcal{F} = \{\mathrm{enc}, \mathrm{enca}, \mathrm{sign}, \langle\,\rangle, \mathrm{priv}\}$. Each function symbol is associated with an arity: $\mathrm{ar}$ is a mapping from $\mathcal{F}$ to $\mathcal{S}^* \times \mathcal{S}$, which we write $\mathrm{ar}(f) = s_1 \times \cdots \times s_n \to s$. The first four function symbols in $\mathcal{F}$ are binary: for each of them there are $s_1, s_2, s \in \mathcal{S}$ such that $\mathrm{ar}(f) = s_1 \times s_2 \to s$. The last symbol is unary: there are $s, s' \in \mathcal{S}$ such that $\mathrm{ar}(f) = s \to s'$. The symbol $\langle\,\rangle$ represents the pairing function. The terms $\mathrm{enc}(m,k)$ and $\mathrm{enca}(m,k)$ represent respectively the message $m$ encrypted with the symmetric (resp. asymmetric) key $k$. The term $\mathrm{sign}(m,k)$ represents the message $m$ signed by the key $k$. The term $\mathrm{priv}(a)$ represents the private key of the agent $a$. For simplicity, we identify agent names with their public keys (or, conversely, we claim that agent identities are defined by their public keys). $\mathcal{N} = \{a, b, \ldots\}$ is a set of names and $\mathcal{X} = \{x, y, \ldots\}$ is a set of variables. Each name and each variable is associated with a sort. We assume that there are infinitely many names and infinitely many variables of each sort.
The set of terms of sort $s$ is defined inductively by
$$t ::= x \mid a \mid f(t_1, \ldots, t_n)$$
where $x$ is a variable of sort $s$, $a$ is a name of sort $s$, and $f \in \mathcal{F}$ is a symbol such that $\mathrm{ar}(f) = s_1 \times \cdots \times s_n \to s$ and each $t_i$ is a term of sort $s_i$. We assume a special sort $\mathsf{Msg}$ that subsumes all the other sorts: any term is of sort $\mathsf{Msg}$. Sorts are mostly left unspecified in this paper. They can be used in applications to express that certain operators can be applied only to some restricted terms. For example, we use sorts explicitly to express that messages are encrypted by atomic keys (only in Section 5), and to represent timestamps (only in Section 7).

As usual, we write $\mathcal{V}(t)$ for the set of variables occurring in $t$. For a set $T$ of terms, $\mathcal{V}(T)$ denotes the union of the variables occurring in the terms of $T$. A term $t$ is ground or closed if and only if $\mathcal{V}(t) = \emptyset$. A position or an occurrence in a term $t$ is a sequence of positive integers corresponding to paths starting from the root in the tree representation of $t$. For a term $t$ and a position $p$ in this term, $t|_p$ denotes the subterm of $t$ at position $p$. We write $\mathrm{St}(t)$ and $\mathrm{St}(T)$ for the set of subterms of a term $t$, and of a set of terms $T$, respectively. The size of a term $t$, denoted $|t|$, is defined inductively as usual: $|t| = 1$ if $t$ is a variable or a name, and $|t| = 1 + \sum_{i=1}^{n} |t_i|$ if $t = f(t_1, \ldots, t_n)$ for $f \in \mathcal{F}$. If $T$ is a set of terms then $|T|$ denotes the sum of the sizes of its elements. The cardinality of a set $T$ is denoted by $\sharp T$. By abuse of notation, we sometimes denote by $T, u$ the set $T \cup \{u\}$.

Substitutions are written $\sigma = \{t_1/x_1, \ldots, t_n/x_n\}$ with $\mathrm{dom}(\sigma) = \{x_1, \ldots, x_n\}$. We only consider well-sorted substitutions, for which $x_i$ and $t_i$ have the same sort. $\sigma$ is closed if and only if every $t_i$ is closed. The application of a substitution $\sigma$ to a term $t$ is written $\sigma(t)$ or $t\sigma$. A most general unifier of two terms $u$ and $v$ is denoted by $\mathrm{mgu}(u,v)$.

Fig. 1. Intruder deduction system.
Axiom: $S, x \vdash x$
Pairing: from $S \vdash x$ and $S \vdash y$, infer $S \vdash \langle x, y\rangle$
Symmetric encryption: from $S \vdash x$ and $S \vdash y$, infer $S \vdash \mathrm{enc}(x,y)$
Asymmetric encryption: from $S \vdash x$ and $S \vdash y$, infer $S \vdash \mathrm{enca}(x,y)$
Signing: from $S \vdash x$ and $S \vdash y$, infer $S \vdash \mathrm{sign}(x,y)$
Symmetric decryption: from $S \vdash \mathrm{enc}(x,y)$ and $S \vdash y$, infer $S \vdash x$
Asymmetric decryption: from $S \vdash \mathrm{enca}(x,y)$ and $S \vdash \mathrm{priv}(y)$, infer $S \vdash x$
First projection: from $S \vdash \langle x, y\rangle$, infer $S \vdash x$
Second projection: from $S \vdash \langle x, y\rangle$, infer $S \vdash y$
Unsigning (optional): from $S \vdash \mathrm{sign}(x,y)$, infer $S \vdash x$

2.2 Intruder capabilities

The ability of the intruder is modeled by the deduction rules displayed in Figure 1 and corresponds to the usual Dolev-Yao rules. Pairing, signing, symmetric and asymmetric encryption are the composition rules. The other rules are decomposition rules. Intuitively, these deduction rules say that an intruder can compose messages by pairing, encrypting, and signing messages provided she has the corresponding keys and, conversely, she can decompose messages by projecting or decrypting provided she holds the decryption keys. For signatures, the intruder is also able to verify whether a signature $\mathrm{sign}(m,k)$ and a message $m$ match (provided she has the verification key), but this does not give rise to any new message: this capability need not be represented in the deduction system. We also consider an optional rule, from $S \vdash \mathrm{sign}(x,y)$ infer $S \vdash x$, that expresses the ability to retrieve the whole message from its signature.
This property may or may not hold depending on the signature scheme, and that is why this rule is optional. Note that this rule is necessary for obtaining soundness properties w.r.t. cryptographic digital signatures. Our results will hold in both cases, whether or not this rule is considered in the deduction relation.

A proof tree (sometimes simply called a proof) is a tree whose labels are sequents $T \vdash u$ where $T$ is a finite set of terms and $u$ is a term. A proof tree is inductively defined as follows:

—if $u$ is a term and $u \in T$, then $T \vdash u$ is a proof tree whose conclusion is $T \vdash u$, using the axiom;

—if $\pi_1, \ldots, \pi_n$ are proof trees whose respective conclusions are $T \vdash u_1, \ldots, T \vdash u_n$, and
$$\frac{S \vdash t_1 \quad \cdots \quad S \vdash t_n}{S \vdash t}$$
is a rule $R$ of Figure 1 such that, for some (well-sorted) substitution $\sigma$, $t_1\sigma = u_1, \ldots, t_n\sigma = u_n$, then
$$\frac{\pi_1 \quad \cdots \quad \pi_n}{T \vdash t\sigma}$$
is a proof tree using $R$, whose conclusion is $T \vdash t\sigma$.

We call a subproof a subtree of a proof tree. A strict subproof (resp. immediate subproof) of $\pi$ is a subproof of $\pi$ distinct from $\pi$ (resp. a maximal strict subproof of $\pi$). A term $u$ is deducible from a set of terms $T$, which we sometimes write $T \vdash u$ by abuse of notation, if there exists a proof tree whose conclusion is $T \vdash u$.

Example 2.1. The term $\langle k_1, k_2\rangle$ is deducible from the set $S_1 = \{\mathrm{enc}(k_1,k_2), k_2\}$, as the following proof tree shows (symmetric decryption, then pairing):
$$\frac{\dfrac{S_1 \vdash \mathrm{enc}(k_1,k_2) \qquad S_1 \vdash k_2}{S_1 \vdash k_1} \qquad S_1 \vdash k_2}{S_1 \vdash \langle k_1, k_2\rangle}$$

3. DEDUCIBILITY CONSTRAINT SYSTEMS AND SECURITY PROPERTIES

Deducibility constraint systems are quite common (see, e.g., [Millen and Shmatikov 2001; Comon-Lundh and Shmatikov 2003]) in modeling security protocols.
We recall here their definition and show how they can be used to specify general security properties. Then we prove that any deducibility constraint system can be transformed into simpler ones, called solved. Such simplified constraints are then used to decide the security properties.

3.1 Deducibility constraint systems

In the usual attacker model, the intruder controls the network. In particular, she can schedule the messages. Once such a scheduling is fixed, she can still replace the messages with fake ones, which are nevertheless accepted by the honest participants. More precisely, some pieces of messages cannot be analyzed by the participants, hence can be replaced by any other piece, provided that the attacker can construct the overall message. This can be used to mount attacks. In the formal model, pieces that cannot be analyzed are replaced with variables. Any substitution of these variables will be accepted, provided that the attacker can deduce (using the deduction system of Figure 1) the corresponding instance. The main problem then is to decide whether there is such a substitution yielding a violation of the security property. Let us give a detailed example recalling how possible execution traces are formalized.

Example 3.1. Consider the famous Needham-Schroeder asymmetric key authentication protocol [Needham and Schroeder 1978], designed for mutual authentication:
$$A \to B : \mathrm{enca}(\langle N_A, A\rangle, B)$$
$$B \to A : \mathrm{enca}(\langle N_A, N_B\rangle, A)$$
$$A \to B : \mathrm{enca}(N_B, B)$$
The agent $A$ sends to $B$ his name and a fresh nonce (a randomly generated value) encrypted with the public key of $B$. The agent $B$ answers by copying $A$'s nonce and adds a fresh nonce $N_B$, encrypted by $A$'s public key. The agent $A$ acknowledges by forwarding $B$'s nonce encrypted by $B$'s public key.
Formally, this protocol can be described using two roles $A$ and $B$. The role $A$ has two parameters $a, b$ (initiator and responder), and is (informally) specified as follows:
$A(a,b)$: generate($n_a$)
$A_1$. send($\mathrm{enca}(\langle n_a, a\rangle, b)$)
$A_2$. receive($\mathrm{enca}(\langle n_a, y\rangle, a)$) → send($\mathrm{enca}(y, b)$)
where $y$ is a variable: $a$ cannot check that this piece of the message is a nonce generated by $b$. Hence it can be replaced by any term (or any term of a given sort, depending on what we want to model). Similarly, the role $B$ takes the two parameters $b, a$, and is specified as:
$B(b,a)$: generate($n_b$)
$B_1$. receive($\mathrm{enca}(\langle x, a\rangle, b)$) → send($\mathrm{enca}(\langle x, n_b\rangle, a)$)
$B_2$. receive($\mathrm{enca}(n_b, b)$)
Without loss of generality, we may assume that send actions are performed as soon as the corresponding receive action is completed: this is the best scheduling strategy for the attacker, who will get more information for further computing fake messages. For this reason, we only need to consider the possible scheduling of receive events. Let $a, b$ be honest participants and $i$ be a corrupted one. Consider one session $A(a,i)$ and one session $B(b,a)$. There are three message deliveries to schedule, $A_2$, $B_1$, $B_2$, and $B_2$ has to occur after $B_1$. Assume the chosen scheduling is $B_1, A_2, B_2$. In this scenario, the possible sequences of message delivery are instances of $\mathrm{enca}(\langle x, a\rangle, b)$, $\mathrm{enca}(\langle n_a, y\rangle, a)$, $\mathrm{enca}(n_b, b)$. The variables $x, y$ can be replaced by any term, provided that the attacker can build the corresponding instances from her knowledge at the appropriate control point. The initial intruder knowledge can be set to $T_0 = \{a, b, i, \mathrm{priv}(i)\}$, including the private key of the corrupted agent.
For the first message delivery, the attacker has to be able to build the first message instance from this initial knowledge and the message sent at step $A_1$:
$$T_1 \stackrel{\mathrm{def}}{=} T_0 \cup \{\mathrm{enca}(\langle n_a, a\rangle, i)\} \Vdash \mathrm{enca}(\langle x, a\rangle, b) \qquad (1)$$
This notation will be formally defined later on. Informally, this is a formula, which is satisfied by a substitution $\sigma$ on $x$ if $\mathrm{enca}(\langle x, a\rangle, b)\sigma$ is deducible from $T_1$, expressing the ability of the intruder to construct $\mathrm{enca}(\langle x, a\rangle, b)\sigma$. Then, the agent $b$ replies, sending the corresponding instance of $\mathrm{enca}(\langle x, n_b\rangle, a)$, which increases the attacker's knowledge, hence enabling its use for building the next message; we get the second deducibility constraint:
$$T_2 \stackrel{\mathrm{def}}{=} T_1 \cup \{\mathrm{enca}(\langle x, n_b\rangle, a)\} \Vdash \mathrm{enca}(\langle n_a, y\rangle, a) \qquad (2)$$
Similarly, we construct a third deducibility constraint for the last message delivery:
$$T_3 \stackrel{\mathrm{def}}{=} T_2 \cup \{\mathrm{enca}(y, i)\} \Vdash \mathrm{enca}(n_b, b) \qquad (3)$$

Definition 3.2. A deducibility constraint system $C$ is a finite set of expressions $T \Vdash u$, called deducibility constraints, where $T$ is a non-empty set of terms, called the left-hand side of the deducibility constraint, and $u$ is a term, called the right-hand side of the deducibility constraint, such that:
(1) the left-hand sides of all deducibility constraints are totally ordered by inclusion;
(2) if $x \in \mathcal{V}(T)$ for some $(T \Vdash u) \in C$, then $T_x \stackrel{\mathrm{def}}{=} \min\{T' \mid (T' \Vdash u') \in C,\ x \in \mathcal{V}(u')\}$ exists and $T_x \subsetneq T$.
Informally, the first condition states that the intruder knowledge is always increasing. The second condition expresses that variables abstract pieces of received messages: they have to occur first on the right side of a constraint $T \Vdash u$, before occurring in some left side.
Note that, due to point (1), $T_x$ exists if and only if the set $\{T' \mid (T' \Vdash u') \in C,\ x \in \mathcal{V}(u')\}$ is not empty. The linear ordering on left-hand sides also implies the uniqueness of the minimum. Hence (2) can be restated equivalently as:
$$(2)\quad \forall x \in \mathcal{V}(C),\ \exists (T \Vdash u) \in C,\ x \in \mathcal{V}(u) \setminus \mathcal{V}(T)$$
In what follows, we may use this formulation instead.

The left-hand side of a deducibility constraint system $C$, denoted by $\mathrm{lhs}(C)$, is the maximal left-hand side of the deducibility constraints of $C$. The right-hand side of a deducibility constraint system $C$, denoted by $\mathrm{rhs}(C)$, is the set of right-hand sides of its deducibility constraints. $\mathcal{V}(C)$ denotes the set of variables occurring in $C$. $\bot$ denotes the unsatisfiable system. The size of a constraint system is defined as $|C| \stackrel{\mathrm{def}}{=} |\mathrm{lhs}(C) \cup \mathrm{rhs}(C)|$.

A deducibility constraint system $C$ is also written as a conjunction of deducibility constraints
$$C = \bigwedge_{1 \le i \le n} (T_i \Vdash u_i)$$
with $T_i \subseteq T_{i+1}$ for all $i$ with $1 \le i \le n-1$. The second condition in Definition 3.2 then implies that if $x \in \mathcal{V}(T_i)$ then there exists $j < i$ such that $T_j = T_x$ and $T_j \subsetneq T_i$.

Definition 3.3. A solution $\sigma$ of a deducibility constraint system $C$ is a (well-sorted) ground substitution whose domain is $\mathcal{V}(C)$ and such that, for every $T \Vdash u \in C$, $T\sigma \vdash u\sigma$.

Example 3.4. Coming back to Example 3.1, the substitution $\sigma_1 = \{n_a/x, n_b/y\}$ is a solution of the deducibility constraint system since
$$T_0 \cup \{\mathrm{enca}(\langle n_a, a\rangle, i)\} \vdash \mathrm{enca}(\langle x, a\rangle, b)\sigma_1$$
$$T_1\sigma_1 \cup \{\mathrm{enca}(\langle x, n_b\rangle, a)\sigma_1\} \vdash \mathrm{enca}(\langle n_a, y\rangle, a)\sigma_1$$
$$T_2\sigma_1 \cup \{\mathrm{enca}(y, i)\sigma_1\} \vdash \mathrm{enca}(n_b, b)$$

3.2 Security properties

Deducibility constraint systems represent in a symbolic and compact way a possibly infinite set of traces (behaviors), which depend on the attacker's actions. Security properties are formulas that are interpreted over these traces.

Definition 3.5.
Given a set of predicate symbols together with their interpretation over the set of ground terms, an (in)security property is a first-order formula $\phi$ built on these predicate symbols. A solution of $\phi$ is a ground substitution $\sigma$ of $\mathcal{V}(\phi)$ such that $\phi\sigma$ is true in the given interpretation. (We also write $\sigma \models \phi$.) If $C$ is a deducibility constraint system and $\phi$ is an (in)security property, possibly sharing free variables with $C$, a closed substitution $\sigma$ from $\mathcal{V}(\phi) \cup \mathcal{V}(C)$ is an attack for $\phi$ and $C$ if it is a solution of both $C$ and $\phi$.

Example 3.6. If the security property is simply $\mathit{true}$ (which is always satisfied) and the only sort is $\mathsf{Msg}$, then we find the usual deducibility constraint system satisfaction problem, whose satisfiability is known to be NP-complete [Rusinowitch and Turuani 2003].

Example 3.7. Secrecy can be easily expressed by requiring that the secret data is not deducible from the messages sent on the network. We consider again the deducibility constraint system $C_1$ defined in Example 3.1. The (in)security property then expresses that $n_b$ is deducible: $\phi$ is the deducibility constraint $T_3 \Vdash n_b$. Note that we may view a constraint (system) as a first-order formula. Then the substitution $\sigma_1 = \{n_a/x, n_b/y\}$ is an attack for $\phi$ and $C_1$ and corresponds to the attack found by G. Lowe [Lowe 1996]. Note that such a deduction-based property can be directly included in the constraint system by adding the deducibility constraint $T_3 \Vdash n_b$.

Example 3.8. Let us show here an example of an authentication property. Two agents $A$ and $B$ authenticate on some message $m$ if whenever $B$ finishes a session believing he has talked to $A$, then $A$ has indeed finished a session with $B$ and they share the same value for $m$.
Note that the agents $A$ and $B$ have in general a different view of the message $m$, depending e.g. on which nonces they have generated themselves and on which nonces they have received. If $m_A$ denotes the view of $m$ from $A$ and $m_B$ the view of $m$ from $B$, then the insecurity property states that there is a trace in which these two messages are distinct.

Back to Example 3.1, consider another scenario with two instances of the role $A$: $A(a, i)$ and $A(a, b)$ and one instance of the role $B$: $B(b, a)$. The attacker schedules the communications as in Example 3.1: in particular the expected message delivery in $A(a, b)$ is not scheduled (the message is not delivered). Then the deducibility constraint system $C'_1$ is identical to $C_1$, except that $T_0$ is replaced with $T'_0 = T_0 \cup \{\mathrm{enca}(\langle n'_a, a\rangle, b)\}$. The nonce $x$ received by $b$ should correspond to the nonce $n'_a$ sent by $a$ for $b$; we consider $m_A = n'_a$, $m_B = x$. The failure of authentication can be stated as the simple formula $x \ne n'_a$. The substitution $\sigma_1$ defined in Example 3.7 is then an attack, since $b$ accepts the nonce $n_a$ instead of $n'_a$: $x\sigma_1 \ne n'_a$.

In Sections 5, 6, 7 we provide other examples corresponding to time constraints, more general authentication-like properties, or to express that no key cycles are allowed.

4. SIMPLIFYING DEDUCIBILITY CONSTRAINT SYSTEMS

Using simplification rules, solving deducibility constraint systems can be reduced to solving simpler constraint systems that we call solved. One nice property of the transformation is that it works for any security property.

Definition 4.1. A deducibility constraint system is solved if it is $\bot$ or each of its constraints is of the form $T \Vdash x$, where $x$ is a variable.

This definition corresponds to the notion of solved form in [Comon-Lundh and Shmatikov 2003]. Note that the empty deducibility constraint system is solved.
Solved deducibility constraint systems with the single sort Msg are particularly simple in the case of the true predicate since they always have a solution, as noticed in [Millen and Shmatikov 2001]. Indeed, let $T_1$ be the smallest (w.r.t. inclusion) left-hand side of all constraints of a deducibility constraint system. From Definition 3.2, $T_1$ is non-empty and has no variables. Let $t \in T_1$. Then the substitution $\theta$ defined by $x\theta = t$ for every variable $x$ is a solution since $T \vdash x\theta = t$ for any constraint $T \Vdash x$ in the solved system.

Fig. 2. Simplification rules.

$R_1$: $C \wedge T \Vdash u \ \rightsquigarrow\ C$ if $T \cup \{x \mid (T' \Vdash x) \in C,\ T' \subsetneq T\} \vdash u$

$R_2$: $C \wedge T \Vdash u \ \rightsquigarrow_\sigma\ C\sigma \wedge T\sigma \Vdash u\sigma$ if $\sigma = \mathrm{mgu}(t, u)$, $t \in St(T)$, $t \ne u$, $t, u$ not variables

$R_3$: $C \wedge T \Vdash u \ \rightsquigarrow_\sigma\ C\sigma \wedge T\sigma \Vdash u\sigma$ if $\sigma = \mathrm{mgu}(t_1, t_2)$, $t_1, t_2 \in St(T)$, $t_1 \ne t_2$, $t_1, t_2$ not variables

$R'_3$: $C \wedge T \Vdash u \ \rightsquigarrow_\sigma\ C\sigma \wedge T\sigma \Vdash u\sigma$ if $\sigma = \mathrm{mgu}(t_2, t_3)$, $\mathrm{enca}(t_1, t_2), \mathrm{priv}(t_3) \in St(T)$, $t_2 \ne t_3$, $t_2$ or $t_3$ (or both) is a variable

$R_4$: $C \wedge T \Vdash u \ \rightsquigarrow\ \bot$ if $V(T, u) = \emptyset$ and $T \nvdash u$

$R_f$: $C \wedge T \Vdash f(u, v) \ \rightsquigarrow\ C \wedge T \Vdash u \wedge T \Vdash v$ for $f \in \{\langle\,\rangle, \mathrm{enc}, \mathrm{enca}, \mathrm{sign}\}$

4.1 Simplification rules

The simplification rules we consider are defined in Figure 2. For instance, the rule $R_1$ removes a redundant constraint, i.e., when it is a logical consequence of smaller constraints. The rule $R_3$ guesses some identity (confusion) between two sent sub-messages. All the rules are in fact indexed by a substitution: when there is no index then the identity substitution is implicitly assumed.

We write $C \rightsquigarrow^n_\sigma C'$ if there are $C_1, \dots, C_n$ with $n \ge 1$, $C' = C_n$, $C \rightsquigarrow_{\sigma_1} C_1 \rightsquigarrow_{\sigma_2} \cdots \rightsquigarrow_{\sigma_n} C_n$, and $\sigma = \sigma_1\sigma_2\cdots\sigma_n$. We write $C \rightsquigarrow^*_\sigma C'$ if $C \rightsquigarrow^n_\sigma C'$ for some $n \ge 1$, or if $C' = C$ and $\sigma$ is the identity substitution.

Example 4.2.
Let us consider the following deducibility constraint system $C$:
$$T_1 \Vdash \langle \mathrm{enca}(x, a), \mathrm{enca}(y, a)\rangle \qquad T_2 \Vdash k_1$$
where $T_1 = \{a, \langle \mathrm{enca}(k_1, a), \mathrm{enca}(k_2, a)\rangle\}$ and $T_2 = T_1 \cup \{\mathrm{enc}(y, x)\}$. The deducibility constraint system $C$ can be simplified into a solved form using (for example) the following sequence of simplification rules.
$$C \ \rightsquigarrow_{R_{\langle\rangle}}\ \{T_1 \Vdash \mathrm{enca}(x, a),\ T_1 \Vdash \mathrm{enca}(y, a),\ T_2 \Vdash k_1\}$$
$$\rightsquigarrow_{R_{\mathrm{enca}}}\ \{T_1 \Vdash x,\ T_1 \Vdash a,\ T_1 \Vdash \mathrm{enca}(y, a),\ T_2 \Vdash k_1\}$$
$$\rightsquigarrow_{R_1}\ \{T_1 \Vdash x,\ T_1 \Vdash \mathrm{enca}(y, a),\ T_2 \Vdash k_1\}$$
since $T_1 \vdash a$. Let $\sigma = \mathrm{mgu}(\mathrm{enca}(k_1, a), \mathrm{enca}(y, a)) = \{k_1/y\}$. We have
$$\{T_1 \Vdash x,\ T_1 \Vdash \mathrm{enca}(y, a),\ T_2 \Vdash k_1\} \ \rightsquigarrow_{R_2, \sigma}\ \{T_1 \Vdash x,\ T_1 \Vdash \mathrm{enca}(k_1, a),\ T_2\sigma \Vdash k_1\}$$
$$\rightsquigarrow_{R_1}\ \{T_1 \Vdash x,\ T_2\sigma \Vdash k_1\} \ \rightsquigarrow_{R_1}\ T_1 \Vdash x$$
since $T_1 \vdash \mathrm{enca}(k_1, a)$ and $T_2\sigma \cup \{x\} \vdash k_1$. Intuitively, it means that any substitution of the form $\{m/x,\ k_1/y\}$ such that $m$ is deducible from $T_1$ is a solution of $C$.

The simplification rules are correct and complete: a deducibility constraint system $C$ has a solution, which is also a solution of a (in)security property $\varphi$, if and only if there exists a deducibility constraint system $C'$ in solved form such that $C \rightsquigarrow^*_\sigma C'$ and there is a solution of both $C'$ and $\varphi\sigma$. Note that several simplification rules can possibly be applied to a given deducibility constraint system.

Theorem 4.3. Let $C$ be a deducibility constraint system, $\theta$ a substitution, and $\varphi$ a (in)security property.

(1) (Correctness) If $C \rightsquigarrow^*_\sigma C'$ for some deducibility constraint system $C'$ and some substitution $\sigma$, and if $\theta$ is an attack for $\varphi\sigma$ and $C'$, then $\sigma\theta$ is an attack for $\varphi$ and $C$.
(2) (Completeness) If $\theta$ is an attack for $C$ and $\varphi$, then there exist a deducibility constraint system $C'$ in solved form and substitutions $\sigma, \theta'$ such that $\theta = \sigma\theta'$, $C \rightsquigarrow^*_\sigma C'$, and $\theta'$ is an attack for $C'$ and $\varphi\sigma$.

(3) (Termination) There is no infinite derivation sequence $C \rightsquigarrow_{\sigma_1} C_1 \rightsquigarrow_{\sigma_2} \cdots \rightsquigarrow_{\sigma_n} C_n \cdots$.

Theorem 4.3 is proved in Sections 4.2, 4.3, and 4.4. Getting a polynomial bound on the length of simplification sequences requires however an additional memorization technique. This is explained in Section 4.6.

4.2 Correctness

We first give two simple lemmas.

Lemma 4.4. If $T \vdash u$ then $V(u) \subseteq V(T)$.

Proof. The statement follows by induction on the depth of a proof of $T \vdash u$, observing that no deduction rule introduces new variables. Indeed, $V(t) \subseteq \bigcup_i V(t_i)$ for deduction rules of the form
$$\frac{S \vdash t_1 \quad \cdots \quad S \vdash t_k}{S \vdash t}$$
with $k > 0$, and $V(t) \subseteq V(S)$ for the axiom (that is, if $t \in S$).

The next lemma shows the "cut elimination" property for the deduction system $\vdash$.

Lemma 4.5. If $T \vdash u$ and $T, u \vdash v$ then $T \vdash v$.

Proof. Consider a proof $\pi$ of $T \vdash u$ and a proof $\pi'$ of $T, u \vdash v$. The tree obtained from $\pi'$ by
—replacing the nodes $T, u \vdash t$ in $\pi'$ with $T \vdash t$,
—replacing each new leaf $T \vdash u$ (the old $T, u \vdash u$) with the tree $\pi$,
is a proof of $T \vdash v$.

As a consequence, if $T \subseteq T'$, $T' \vdash v$, and $T \vdash u$ for all $u \in T' \setminus T$, then $T \vdash v$.

We show now that the simplification rules preserve deducibility constraint systems.

Lemma 4.6. The simplification rules transform a deducibility constraint system into a deducibility constraint system.

Proof. Let $C$ be a deducibility constraint system, $C = \bigwedge_i (T_i \Vdash u_i)$ and $C \rightsquigarrow_\sigma C'$. Since $T_i \subseteq T_{i+1}$ implies $T_i\sigma \subseteq T_{i+1}\sigma$, $C'$ satisfies the first point of the definition of deducibility constraint systems. We show that $C'$ also satisfies the second point of the definition of deducibility constraint systems.
Let ( T ′  u ′ ) ∈ C ′ and x ∈ V ( T ′ ) . W e h av e to prove that T ′ x exists and T ′ x ( T ′ . W e distinguish cases, dependin g on which simplification rule is applied: ACM T ransactions on Computational Logic, V ol. V , No. N, October 2018. Deciding securi ty proper t ies for c r yptographic protocols · 13 —If the rule R 1 is applied , eliminating the constraint T  u . T hen C ′ = C \ { T  u } . If T x 6 = T th en T ′ x = T x (and thus T ′ x exists and T ′ x ( T ′ ). Suppo se that T x = T . Then there is ( T  u ′′ ) ∈ C such that x ∈ V ( u ′′ ) . If u 6 = u ′′ then again T ′ x = T x (since ( T ′ x  u ′′ ) ∈ C ′ ). Finally , suppose that u = u ′′ . By the min imality of T , it follows that x / ∈ V ( T ) and x / ∈ { y | ( T ′′  y ) ∈ C, T ′′ ( T } . Since x ∈ V ( u ) , by Lemm a 4. 4, T ∪ { y | ( T ′′  y ) ∈ C , T ′′ ( T } 6⊢ u , which contradicts the applicability of rule R 1 . —If one of the ru les R 2 , R 3 or R ′ 3 is ap plied, th en, f or each co nstraint ( T ′′  u ′′ ) ∈ C ′ , there is a constraint ( T  u ) ∈ C such that T σ = T ′′ and uσ = u ′′ . Consider ( T  u ) ∈ C such that T σ = T ′ and uσ = u ′ . If x is n ot in troduced by σ , then x ∈ V ( T ) . Then T x exists and T x ( T . Thus T x σ ⊆ T σ . If T x σ = T σ , th en x ∈ V ( T x ) , which contr adicts the minim ality of T x . Thu s T x σ ( T σ . W e also have that { T ′′ σ | ( T ′′  u ′′ ) ∈ C, x ∈ V ( u ′′ ) } ⊆ { T ′′ σ | ( T ′′ σ  u ′′ σ ) ∈ C ′ , x ∈ V ( u ′′ σ ) } , since, for any term u ′′ , if x ∈ V ( u ′′ ) , then x ∈ V ( u ′′ σ ) . It follows that T ′ x exists and T ′ x ⊆ T x σ . Hen ce T ′ x ( T ′ . Otherwise, assume that x is intro duced by σ : ∃ y ∈ V ( T ) such that x ∈ V ( y σ ) . Then T y exists and T y ( T . Let Y = { z ∈ V ( T ) | x ∈ V ( z σ ) } and let y 0 ∈ Y be such th at T y 0 = min { T y | y ∈ Y } . 
For all $y' \in Y$, we have that
$$A \overset{\mathrm{def}}{=} \{T''\sigma \mid (T'' \Vdash u'') \in C',\ x \in V(u'')\} = \{T\sigma \mid (T \Vdash u) \in C,\ x \in V(u\sigma)\}$$
$$\supseteq \{T\sigma \mid (T \Vdash u) \in C,\ \exists z \in V(u),\ x \in V(z\sigma)\}$$
$$\supseteq \{T\sigma \mid (T \Vdash u) \in C,\ y' \in V(u),\ x \in V(y'\sigma)\} = \{T\sigma \mid (T \Vdash u) \in C,\ y' \in V(u)\} \overset{\mathrm{def}}{=} B_{y'}.$$
Thus $T'_x = \min A \subseteq \min B_{y'} = T_{y'}\sigma$. From $T_{y_0} \subsetneq T$, we obtain that $T_{y_0}\sigma \subseteq T\sigma$. Suppose, by contradiction, that $T_{y_0}\sigma = T\sigma$. Then $x \in V(T_{y_0}\sigma)$ (since $x \in V(T\sigma)$). That is, there exists $z \in V(T_{y_0})$ such that $x \in V(z\sigma)$. From condition 2 of Definition 3.2 applied to $z$, it follows that $T_z \subsetneq T_{y_0}$. As $z$ is in $Y$, this contradicts the choice of $y_0$. Thus $T'_x \subseteq T_{y_0}\sigma \subsetneq T\sigma = T'$.

—If the rule $R_4$ is applied then there is nothing to prove.

—If some rule $R_f$ is applied, then the property is preserved, since, if $x \in V(u'')$ for some term $u''$ such that $(T'' \Vdash u'') \in C'$, then there is a term $v$ with $x \in V(v)$ such that $(T'' \Vdash v) \in C$.

Lemma 4.7 (Correctness). If $C \rightsquigarrow_\sigma C'$, then for every solution $\tau$ of $C'$, $\sigma\tau$ is a solution of $C$.

Proof. If $C'$ is obtained by applying $R_1$, then we have to prove that $T\tau \vdash u\tau$, where $T \Vdash u$ is the eliminated constraint. We know that $T \cup \{x \mid (T' \Vdash x) \in C,\ T' \subsetneq T\} \vdash u$. It follows that $T\tau \cup \{x\tau \mid (T' \Vdash x) \in C,\ T' \subsetneq T\} \vdash u\tau$. All constraints $T' \Vdash x$ in $C$ with $T' \subsetneq T$ are also constraints in $C'$. Thus, for all such constraints, we have that $T'\tau \vdash x\tau$, and hence $T\tau \vdash x\tau$. Then, from Lemma 4.5, we obtain that $T\tau \vdash u\tau$.

If $C'$ is obtained by applying $R_2$, $R_3$ or $R'_3$, then, for every constraint $T \Vdash u$ of $C$, $(T\sigma)\tau \vdash (u\sigma)\tau$, hence $T(\sigma\tau) \vdash u(\sigma\tau)$.
If $C'$ is obtained by applying some rule $R_f$, then we obtain that $T\tau \vdash f(u, v)\tau$ from $T\tau \vdash u\tau$ and $T\tau \vdash v\tau$ by applying the corresponding inference rule (e.g. encryption if $f = \mathrm{enc}$). Finally, $C'$ cannot be obtained by the rule $R_4$, since it is satisfiable. It follows that, in all cases, $\sigma\tau$ satisfies $C$.

4.3 Completeness

Let $T_1 \subseteq T_2 \subseteq \cdots \subseteq T_n$. We say that a proof $\pi$ of $T_i \vdash u$ is left minimal if, whenever there is a proof of $T_j \vdash u$ for some $j < i$, then replacing $T_i$ with $T_j$ in all left members of the labels of $\pi$ yields a proof of $T_j \vdash u$. In other words, the left-minimal proofs are those that can be performed in a minimal $T_j$. We say that a proof is simple if all its subproofs are left minimal and there is no repeated label on any branch. Remark that a subproof of a simple proof is simple.

Lemma 4.8. If there is a proof of $T_i \vdash u$, then there is a simple proof of it.

Proof. We prove the property by induction on the pair $(i, m)$ (considering the lexicographic ordering), where $m$ is the size of a proof of $T_i \vdash u$. If $i = 1$ then any (subproof of any) proof of $T_1 \vdash u$ is left minimal and there exists a proof without repeated labels on any path. If $i > 1$ and there is a $j < i$ such that $T_j \vdash u$, then we apply the induction hypothesis to obtain the existence of a simple proof of $T_j \vdash u$. This proof is also a simple proof of $T_i \vdash u$. If $i > 1$ and there is no $j < i$ such that $T_j \vdash u$, then we apply the induction hypothesis on the immediate subproofs $\pi_1, \dots, \pi_n$ of the proof $\pi$ of $T_i \vdash u$. If the label $T_i \vdash u$ appears in one of the resulting proofs $\pi'_i$, then replace $\pi$ with a subproof of $\pi'_i$ whose conclusion is $T_i \vdash u$. The new proof does not contain any label $T_i \vdash u$. Otherwise, if $\pi$ is obtained by applying an inference rule $R$ to $\pi_1, \dots, \pi_n$, then replace $\pi$ with the proof obtained by applying $R$ to $\pi'_1, \dots, \pi'_n$.
In both cases the resulting proof and all of its subproofs are left minimal by construction, and hence the resulting proof is simple.

Lemma 4.9. Let $C$ be a deducibility constraint system, $\theta$ be a solution of $C$, $T_i$ be a left-hand side of $C$ such that, for any $(T \Vdash v) \in C$, if $T \subsetneq T_i$, then $v$ is a variable. Let $u$ be any term. If there is a simple proof of $T_i\theta \vdash u$ whose last inference rule is a decomposition, then there is a non-variable $t \in St(T_i)$ such that $t\theta = u$.

Proof. Consider a simple proof $\pi$ of $T_i\theta \vdash u$. We may assume, without loss of generality, that $i$ is minimal. Otherwise, we simply replace everywhere in the proof $T_i$ with a minimal $T_j$ such that $T_j\theta \vdash u$ is derivable; by left minimality, we get again a proof tree, whose last inference rule is a decomposition. Such a $T_j \subseteq T_i$ also satisfies the hypotheses of the lemma. We reason by induction on the depth of the proof $\pi$. We make a case distinction, depending on the last rule of $\pi$:

The last rule is an axiom. Then $u \in T_i\theta$ and there is $t \in T_i$ (thus $t \in St(T_i)$) such that $t\theta = u$. By contradiction, if $t$ was a variable then $T_t \Vdash w$, with $t \in V(w)$, is a constraint in $C$ such that $T_t \subsetneq T_i$. Moreover, by hypothesis of the lemma, $w$ must be a variable. Hence $w = t$. Then $T_t\theta \vdash u$, which contradicts the minimality of $i$.

The last rule is a symmetric decryption.
$$\pi = \frac{\begin{array}{c}\pi_1\\ T_i\theta \vdash \mathrm{enc}(u, w)\end{array} \qquad \begin{array}{c}\pi_2\\ T_i\theta \vdash w\end{array}}{T_i\theta \vdash u}$$
By simplicity, the last rule of $\pi_1$ cannot be a composition: $T_i\theta \vdash u$ would appear twice on the same path. Then, by induction hypothesis, there is a non-variable $t \in St(T_i)$ such that $t\theta = \mathrm{enc}(u, w)$. It follows that $t = \mathrm{enc}(t', t'')$ with $t'\theta = u$. If $t'$ was a variable, then $T_{t'}\theta \vdash t'\theta$ would be derivable.
Hence $T_{t'}\theta \vdash u$ would be derivable, which again contradicts the minimality of $i$. Hence $t'$ is not a variable, as required.

The last rule is an asymmetric decryption (resp. projection, resp. unsigning). The proof is similar to the above one: by simplicity and by induction hypothesis, there is a non-variable $t \in St(T_i)$ such that $t\theta = \mathrm{enca}(u, v)$ (resp. $t\theta = \langle u, v\rangle$, resp. $t\theta = \mathrm{sign}(u, \mathrm{priv}(v))$). Then $t = \mathrm{enca}(t', t'')$ (resp. $t = \langle t', t''\rangle$, resp. $t = \mathrm{sign}(t', t'')$). $t' \in St(T_i)$, $t'\theta = u$ and, by minimality of $i$, $t'$ is not a variable.

Lemma 4.10. Let $C$ be a deducibility constraint system and $\theta$ be a solution of $C$. Let $T_i$ be a left-hand side of a constraint in $C$ and $u$ be a term, such that:
(1) for any $(T \Vdash v) \in C$, if $T \subsetneq T_i$, then $v$ is a variable;
(2) $T_i$ does not contain two distinct non-variable subterms $t_1, t_2$ with $t_1\theta = t_2\theta$;
(3) $T_i$ does not contain two terms $\mathrm{enca}(t_1, x)$ and $\mathrm{priv}(t_2)$ where $x$ is a variable distinct from $t_2$;
(4) $T_i$ does not contain two terms $\mathrm{enca}(t_1, t_2)$ and $\mathrm{priv}(x)$ where $x$ is a variable distinct from $t_2$;
(5) $u$ is a non-variable subterm of $T_i$;
(6) $T_i\theta \vdash u\theta$.
Then $T'_i \vdash u$, where $T'_i = T_i \cup \{x \mid (T \Vdash x) \in C,\ T \subsetneq T_i\}$.

Proof. Let $j$ be minimal such that $T_j\theta \vdash u\theta$. Thus $j \le i$ and $T_j \subseteq T_i$. Consider a simple proof $\pi$ of $T_j\theta \vdash u\theta$. We reason by induction on the depth of $\pi$. We analyze the different cases, depending on the last rule of $\pi$:

The last rule is an axiom. Suppose, by contradiction, that $u \notin T_j$. Then there is $t \in T_j$ such that $t\theta = u\theta$ and $t \ne u$. By hypothesis 5, $u$ is not a variable and, by hypothesis 2 of the lemma, $t, u$ cannot be both non-variable subterms of $T_i$. It follows that $t$ is a variable. Then $T_t\theta \vdash t\theta$, which implies $T_t\theta \vdash u\theta$, contradicting the minimality of $j$, since $T_t \subsetneq T_j$. Hence $u \in T_j$ and then $T'_i \vdash u$, as required.
The last rule is the symmetric decryption rule. There is $w$ such that $T_j\theta \vdash \mathrm{enc}(u\theta, w)$, $T_j\theta \vdash w$:
$$\frac{T_j\theta \vdash \mathrm{enc}(u\theta, w) \qquad T_j\theta \vdash w}{T_j\theta \vdash u\theta}$$
By simplicity, the last rule of the proof of $T_j\theta \vdash \mathrm{enc}(u\theta, w)$ is a decomposition. By Lemma 4.9, there is $t \in St(T_j)$, $t$ not a variable, such that $t\theta = \mathrm{enc}(u\theta, w)$. Let $t = \mathrm{enc}(t_1, t_2)$ and $t_1\theta = u\theta$, $t_2\theta = w$. By induction hypothesis, $T'_i \vdash t$.

If $t_1$ was a variable, then $T_{t_1} \subsetneq T_j$ and, by hypothesis 1 of the lemma, $T_{t_1}$ must be the left-hand side of a solved constraint: $(T_{t_1} \Vdash t_1) \in C$ and therefore $T_{t_1}\theta \vdash u\theta$, contradicting the minimality of $j$. Now, by hypothesis 5 of the lemma, $u$ is a non-variable subterm of $T_i$, hence $t_1, u$ are two non-variable subterms of $T_i$ such that $t_1\theta = u\theta$. By hypothesis 2 of the lemma, this implies $t_1 = u$.

On the other hand, if $t_2$ is a variable, $t_2 \in V(T_i)$ implies $T_{t_2} \subsetneq T_i$ and, since $T_i$ is minimal unsolved, $(T_{t_2} \Vdash t_2) \in C$, which implies $t_2 \in T'_i$. If $t_2$ is not a variable, then, from $T_j\theta \vdash t_2\theta$ and by induction hypothesis, $T'_i \vdash t_2$. So, in any case, $T'_i \vdash t_2$. Now, we have both $T'_i \vdash \mathrm{enc}(u, t_2)$ and $T'_i \vdash t_2$, from which we conclude that $T'_i \vdash u$, by symmetric decryption.

The last rule is an asymmetric decryption rule. There is a $w$ such that $T_j\theta \vdash \mathrm{priv}(w)$ and $T_j\theta \vdash \mathrm{enca}(u\theta, w)$. As in the previous case, there is a non-variable $t \in St(T_j)$ such that $t\theta = \mathrm{enca}(u\theta, w)$. By induction hypothesis, $T'_i \vdash t$. Let $t = \mathrm{enca}(t_1, t_2)$. As in the previous case, $t_1$ cannot be a variable. Therefore $t_1, u$ are two non-variable subterms of $T_i$ such that $t_1\theta = u\theta$, which implies that $t_1 = u$. (We use here the hypotheses 2 and 5.)
On the other hand, the last rule in the proof of $T_j\theta \vdash \mathrm{priv}(w)$ is a decomposition (no composition rule can yield a term headed with $\mathrm{priv}$). Then, by Lemma 4.9 ($T_j$ satisfies the hypotheses of the lemma since $T_j \subseteq T_i$), there is a non-variable subterm $w_1 \in St(T_j)$ such that $w_1\theta = \mathrm{priv}(w)$. Let $w_1 = \mathrm{priv}(w_2)$. By induction hypothesis, $T'_j \vdash \mathrm{priv}(w_2)$.
$$\frac{T_j\theta \vdash \mathrm{enca}(u\theta, w) \qquad T_j\theta \vdash \mathrm{priv}(w)}{T_j\theta \vdash u\theta}$$
where $\mathrm{enca}(u\theta, w) = \mathrm{enca}(t_1, t_2)\theta$ and $\mathrm{priv}(w) = \mathrm{priv}(w_2)\theta$. By hypothesis 2 of the lemma, $t_2$ and $w_2$ cannot be both non-variable, unless they are identical. Then, by hypotheses 3 and 4 of the lemma, we must have $t_2 = w_2$. Finally, from $T'_i \vdash \mathrm{enca}(u, t_2)$, $T'_i \vdash \mathrm{priv}(t_2)$ we conclude $T'_i \vdash u$.

The last rule is a projection rule.
$$\frac{T_j\theta \vdash \langle u\theta, v\rangle}{T_j\theta \vdash u\theta}$$
As before, by simplicity, the last rule of the proof of $T_j\theta \vdash \langle u\theta, v\rangle$ must be a decomposition and, by Lemma 4.9, there is a non-variable term $t \in St(T_j)$ such that $t\theta = \langle u\theta, v\rangle$. We let $t = \langle t_1, t_2\rangle$. By induction hypothesis, $T'_i \vdash t$. Now, as in the previous cases, $t_1$ cannot be a variable, by minimality of $T_j$ and hypothesis 1 of the lemma. Next, by hypotheses 2 and 5, we must have $t_1 = u$. Finally, from $T'_i \vdash \langle u, t_2\rangle$ we conclude $T'_i \vdash u$ by projection.

The last rule is an unsigning rule.
$$\frac{T_j\theta \vdash \mathrm{sign}(u\theta, v)}{T_j\theta \vdash u\theta}$$
This case is identical to the previous one.

The last rule is a composition. Assume for example that it is the symmetric encryption rule.
$$\frac{T_j\theta \vdash v_1 \qquad T_j\theta \vdash v_2}{T_j\theta \vdash \mathrm{enc}(v_1, v_2)}$$
with $u\theta = \mathrm{enc}(v_1, v_2)$. Since $u$ is not a variable, $u = \mathrm{enc}(u_1, u_2)$, $u_1\theta = v_1$, and $u_2\theta = v_2$. If $u_1$ (resp. $u_2$) is a variable then $u_1$ (resp. $u_2$) belongs to $V(T_i)$ since $u \in St(T_i)$.
By point 2 of Definition 3.2 and hypothesis 1 of the lemma, $u_1 \in T'_i$ (resp. $u_2 \in T'_i$). Otherwise, $u_1$ and $u_2$ are non-variables. Then, by induction hypothesis, $T'_i \vdash u_1$ and $T'_i \vdash u_2$. Hence in both cases we have $T'_i \vdash u_1$ and $T'_i \vdash u_2$. Thus $T'_i \vdash u$. The proof is similar for other composition rules.

Lemma 4.11 (Completeness). If $C$ is an unsolved deducibility constraint system and $\theta$ is a solution of $C$, then there is a deducibility constraint system $C'$, a substitution $\sigma$, and a solution $\tau$ of $C'$ such that $C \rightsquigarrow_\sigma C'$ and $\theta = \sigma\tau$.

Proof. Consider a constraint $T_i \Vdash u_i$ such that, for any $(T \Vdash v) \in C$ such that $T \subsetneq T_i$, $v$ is a variable, and assume $u_i$ is not a variable. If $C$ is unsolved, there is such a constraint in $C$. Since $\theta$ is a solution, $T_i\theta \vdash u_i\theta$. Consider a simple proof of $T_i\theta \vdash u_i\theta$. We distinguish cases, depending on the last rule applied in this proof:

The last rule is a composition. Since $u$ is not a variable, $u = f(u_1, \dots, u_n)$ and $T_i\theta \vdash u_j\theta$ for every $j = 1, \dots, n$. Then we may apply the transformation rule $R_f$ to $C$, yielding constraints $T_i \Vdash u_j$ in $C'$ for every $j$. $\theta$ is a solution of the resulting deducibility constraint system $C'$ by hypothesis.

The last rule is an axiom or a decomposition. By Lemma 4.9, there is a non-variable term $t \in St(T_i)$ such that $t\theta = u_i\theta$. We distinguish then again between cases, depending on $t, u_i$:

Case $t \ne u_i$. Then, since $t, u_i$ are both non-variable terms, we may apply the simplification rule $R_2$ to $C$: $C \rightsquigarrow_\sigma C'$ where $C' = C\sigma$ and $\sigma = \mathrm{mgu}(t, u_i)$. Furthermore, $t\theta = u_i\theta$, hence (by definition of a mgu) there is a substitution $\tau$ such that $\theta = \sigma\tau$. Finally, $\theta$ is a solution of $C$, hence $\tau$ is a solution of $C'$.

Case $t = u_i$. Then $u_i \in St(T_i)$.
(1) If there are two distinct non-variable terms $t_1, t_2 \in St(T_i)$ such that $t_1\theta = t_2\theta$.
Then we apply the simplification rule $R_3$, yielding a deducibility constraint system $C' = C\sigma$. As in the previous case, there is a substitution $\tau$ such that $\theta = \sigma\tau$ and $\tau$ is a solution of $C'$.
(2) If there are $\mathrm{enca}(t_1, t_2), \mathrm{priv}(t_3) \in St(T_i)$ such that either $t_2$ or $t_3$ is a variable, $t_2 \ne t_3$ and $t_2\theta = t_3\theta$, then we may apply the rule $R'_3$ and conclude as in the previous case.
(3) Otherwise, we match all hypotheses of Lemma 4.10 and we conclude that $T'_i \vdash u_i$. Then the rule $R_1$ can be applied to $C$, yielding a deducibility constraint system, of which $\theta$ is again a solution.

4.4 Termination

The simplification rules also terminate, whatever strategy is used for their application:

Lemma 4.12. The constraint simplification rules of Figure 2 are (strongly) terminating.

Proof. Interpret any deducibility constraint system $C$ as a pair of non-negative integers $I(C) = (n, m)$ where $n$ is the number of variables of the system and $m$ is the number of function symbols occurring in the right-hand sides of the system (here, we assume no sharing of subterms). If $C \rightsquigarrow_\sigma C'$, then $I(C) >_{\mathrm{lex}} I(C')$ where $\ge_{\mathrm{lex}}$ is the lexicographic ordering on pairs of integers. Indeed, the first component strictly decreases by applying $R_2$, $R_3$, $R'_3$, and any other rule strictly decreases the second component, while not increasing the first one. The well-foundedness of the lexicographic extension of a well-founded ordering implies the termination of any sequence of rules.

4.5 Proof of Theorem 4.3

Theorem 4.3 follows from Lemmas 4.7, 4.11, and 4.12, by induction on the derivation length, and since deducibility constraint systems on which no simplification rule can be applied must be solved.
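Theorem 4.3 says that the solved forms reachable by the rules of Figure 2 represent all solutions, which the following added example (not the paper's own code) makes concrete: a small Python solver that applies $R_1$, $R_2$, $R_3$, $R_4$ and $R_f$ exhaustively to the system of Example 4.2 and collects its solved forms. The term encoding, the Dolev-Yao deduction rules used to decide $\vdash$, the omission of $R'_3$ (no priv(.) term occurs in the example) and a visited-state set in place of the memorization of Section 4.6 are assumptions of this example.

```python
"""Added example (not the paper's code): rules R1, R2, R3, R4 and Rf of Figure 2
(R'3 omitted: no priv(.) term occurs here) run on the system of Example 4.2.
Terms: ('var',n) ('atom',n) ('pair',a,b) ('enc',m,k) ('enca',m,k) ('sign',m,k)
('priv',k); a constraint is a pair (T, u) with T a frozenset of terms."""

def is_var(t):
    return t[0] == 'var'

def subterms(t):  # St(t)
    out = {t}
    if t[0] not in ('var', 'atom'):
        for s in t[1:]:
            out |= subterms(s)
    return out

def apply(sigma, t):  # apply an idempotent substitution {var name: term} to t
    if is_var(t):
        return sigma.get(t[1], t)
    return t if t[0] == 'atom' else (t[0],) + tuple(apply(sigma, s) for s in t[1:])

def compose(s1, s2):  # "s1 then s2", written s1 s2 in the paper
    return {**s2, **{x: apply(s2, t) for x, t in s1.items()}}

def unify(s, t, sigma=None):  # syntactic mgu of s and t extending sigma, or None
    sigma = {} if sigma is None else sigma
    s, t = apply(sigma, s), apply(sigma, t)
    if s == t:
        return sigma
    if is_var(s) or is_var(t):
        x, u = (s, t) if is_var(s) else (t, s)
        return None if x in subterms(u) else compose(sigma, {x[1]: u})  # occurs check
    if s[0] != t[0] or s[0] == 'atom':
        return None
    for a, b in zip(s[1:], t[1:]):
        sigma = unify(a, b, sigma)
        if sigma is None:
            return None
    return sigma

def deducible(T, u):
    """T |- u: saturate T by decomposition (projection, unsigning, decryption with a deducible key), then compose u."""
    known = set(T)
    def comp(t):  # composition rules only: pairing, encryption, signing
        return t in known or (t[0] not in ('var', 'atom', 'priv')
                              and all(comp(s) for s in t[1:]))
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = {t[1], t[2]} if t[0] == 'pair' else set()
            if t[0] == 'sign' or (t[0] == 'enc' and comp(t[2])) \
                    or (t[0] == 'enca' and comp(('priv', t[2]))):
                new = {t[1]}
            if not new <= known:
                known, changed = known | new, True
    return comp(u)

def instantiate(sigma, C):
    return [(frozenset(apply(sigma, v) for v in T), apply(sigma, u)) for T, u in C]

def step(C):
    """One-step successors (sigma, C') of C under the rules; [] stands for the unsatisfiable system."""
    succ = []
    for i, (T, u) in enumerate(C):
        ground = not any(is_var(s) for v in T | {u} for s in subterms(v))
        if ground and not deducible(T, u):
            return []                                                  # R4
        if deducible(T | {x for Tp, x in C if Tp < T and is_var(x)}, u):
            succ.append(({}, C[:i] + C[i + 1:]))                       # R1
        if u[0] in ('pair', 'enc', 'enca', 'sign'):                    # Rf
            succ.append(({}, C[:i] + [(T, s) for s in u[1:]] + C[i + 1:]))
        if is_var(u):
            continue                        # R2 and R3 need a non-variable u
        St = list({t for s in T for t in subterms(s) if not is_var(t)})
        guesses = [(t, u) for t in St if t != u]                       # R2
        guesses += [(St[j], t) for j in range(len(St)) for t in St[j + 1:]]  # R3
        for s, t in guesses:
            sigma = unify(s, t)
            if sigma is not None:
                succ.append((sigma, instantiate(sigma, C)))
    return succ

def solve(C, sigma=None, seen=None):
    """All (sigma, C') with C ->*_sigma C' and C' in solved form, each once."""
    sigma = {} if sigma is None else sigma
    seen = set() if seen is None else seen
    key = (frozenset(C), frozenset(sigma.items()))
    if key in seen:
        return []
    seen.add(key)
    if all(is_var(u) for _, u in C):
        return [(sigma, C)]
    return [r for s, Cp in step(C) for r in solve(Cp, compose(sigma, s), seen)]

def example_4_2():  # the system C of Example 4.2, transcribed from the paper
    a, k1, k2, x, y = ('atom', 'a'), ('atom', 'k1'), ('atom', 'k2'), ('var', 'x'), ('var', 'y')
    T1 = frozenset({a, ('pair', ('enca', k1, a), ('enca', k2, a))})
    T2 = T1 | {('enc', y, x)}
    return [(T1, ('pair', ('enca', x, a), ('enca', y, a))), (T2, k1)]
```

On Example 4.2, `solve(example_4_2())` returns the single solved form $T_1 \Vdash x$ with $\sigma = \{k_1/y\}$, as in the paper; the branch that guesses $\{k_1/x, k_2/y\}$ by $R_2$ on the first constraint ends in $\bot$ by $R_4$.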
Note that the extension of the correctness and completeness lemmas to security properties is trivial. Indeed, if $\varphi$ is a (in)security property, then $\theta$ is a solution of $\varphi\sigma$ if and only if $\sigma\theta$ is a solution of $\varphi$, for any substitutions $\theta$ and $\sigma$.

4.6 A decision procedure in NP-time

The termination proof of the last section does not provide tight complexity bounds. In fact, applying the simplification rules may lead to branches of exponential length (in the size of the constraint system). Indeed, when applying a simplification rule to a deducibility constraint, the initial constraint is removed from the constraint system and replaced by new constraint(s). But this deducibility constraint may appear again later on, due to other simplification rules. It is the case for example when considering the following deducibility constraint system.
$$T_0 \overset{\mathrm{def}}{=} \{\mathrm{enc}(a, k_0)\} \Vdash \mathrm{enc}(x_0, k_0)$$
$$T_1 \overset{\mathrm{def}}{=} T_0 \cup \{\mathrm{enc}(\langle x_0, \langle x_0, a\rangle\rangle, k_1)\} \Vdash \mathrm{enc}(x_1, k_1)$$
$$\cdots$$
$$T_n \overset{\mathrm{def}}{=} T_{n-1} \cup \{\mathrm{enc}(\langle x_{n-1}, \langle x_{n-1}, a\rangle\rangle, k_n)\} \Vdash \mathrm{enc}(x_n, k_n)$$
$$T_{n+1} \overset{\mathrm{def}}{=} T_n \cup \{a\} \Vdash x_n$$
The deducibility constraint system $C$ is clearly satisfiable and its size is linear in $n$. We have that
$$C \ \rightsquigarrow^{2n}_\sigma\ \{T_0 \Vdash \mathrm{enc}(x_0, k_0),\ T_{n+1}\sigma \Vdash x_n\sigma\}$$
with $\sigma(x_{i+1}) = \langle x_i, \langle x_i, a\rangle\rangle$ for $0 \le i \le n-1$. This derivation is obtained by applying rule $R_2$ and then $R_1$ for each constraint $T_i \Vdash \mathrm{enc}(x_i, k_i)$ with $1 \le i \le n$. The rule $R_1$ cannot be applied to $T_{n+1}\sigma \Vdash x_n\sigma$ since $x_0$ and the keys $k_i$ are not present in or derivable from $T_{n+1}\sigma$. Note that $\sigma' = \sigma \cup \{a/x_0\}$ is a solution of $C$ and can be easily obtained by rule $R_2$ on the first constraint and then rule $R_1$ on both constraints.
However, there is a branch of length $3(2^n - 1)$ from $T \Vdash x_n\sigma$ leading to $T \Vdash x_0$ (in solved form), where $T$ denotes $T_{n+1}\sigma$. This is easy to see by induction on $n$. It is true for $n = 0$. Then using only the rules $R_{\langle\rangle}$ and $R_1$, we have
$$T \Vdash x_n\sigma \ \rightsquigarrow_{R_{\langle\rangle}}\ \{T \Vdash x_{n-1}\sigma,\ T \Vdash \langle x_{n-1}\sigma, a\rangle\} \ \rightsquigarrow^{m}\ \{T \Vdash x_0,\ T \Vdash \langle x_{n-1}\sigma, a\rangle\}$$
$$\rightsquigarrow_{R_{\langle\rangle}}\ \{T \Vdash x_0,\ T \Vdash x_{n-1}\sigma,\ T \Vdash a\} \ \rightsquigarrow_{R_1}\ \{T \Vdash x_0,\ T \Vdash x_{n-1}\sigma\} \ \rightsquigarrow^{m}\ T \Vdash x_0$$
with $m = 3(2^{n-1} - 1)$ by induction hypothesis. The length of the branch is $2 \times 3(2^{n-1} - 1) + 3 = 3(2^n - 1)$. This shows that there exist branches of exponential length in the size of the constraint.

We can prove that it is actually not useful to consider deducibility constraints that have already been seen before (like the constraint $T \Vdash x_{n-1}\sigma$ in our example). Thus we memorize the constraints that have already been visited. The constraint simplification rules, instead of operating on a single deducibility constraint system, rewrite a pair of two constraint systems, the second one representing deducibility constraints that have already been processed at this stage: if $C \rightsquigarrow_\sigma C'$, then
$$C;\, D \ \rightsquigarrow_\sigma\ C' \setminus D;\ D \cup (C \setminus C')$$
The constraints ("memorized") in $D$ are those which were already analyzed (i.e. transformed or eliminated). The initial constraint system is $C;\, \emptyset$.

First, memorization indeed prevents the same transformation from being performed several times:

Lemma 4.13. If $C$ is a deducibility constraint system and $C;\, \emptyset \rightsquigarrow^*_\sigma C';\, D'$ then $C' \cap D' = \emptyset$.

Proof. $(C' \setminus D) \cap ((C \setminus C') \cup D) = ((C' \setminus D) \cap D) \cup ((C' \setminus D) \cap (C \setminus C')) = \emptyset$.

This kind of memorization is correct and complete in a more general setting. We assume in this section that the reader is familiar with the usual notions of first-order formulas, first-order structures, and models of first-order logic.
A (general) constraint is a (first-order) formula, together with an interpretation structure $S$. A (general) constraint system $C$ is a finite set of constraints, whose interpretation is the same as their conjunction. If $\sigma$ is an assignment of the free variables of $C$ to the domain of $S$, $\sigma$ is a solution of $C$ if $\sigma, S \models C$. In the context of constraint systems, $S$ is omitted: the satisfaction relation $\models$ refers implicitly to $S$. It is extended, as usual, to entailment: $C \models C'$ if any solution of $C$ is also a solution of $C'$. We may consider constraints $c$ as singleton constraint systems, and thus write for example $c \models c'$ instead of $\{c\} \models \{c'\}$.

A (general) constraint system transformation is a binary relation $\leadsto$ on constraints such that, for any sequence (finite or infinite) $C_1 \leadsto \cdots \leadsto C_n \leadsto \cdots$, there is an ordering $\ge$ on individual constraints such that, for every $i$, for every $c \in C_i \setminus C_{i+1}$, we have
$$\{d \in C_{i+1} \mid d < c\} \models c. \qquad (4)$$
This expresses the correctness of the transformations: only redundant formulas are removed. The ordering need not be well-founded.

Our deducibility constraint systems and deducibility constraint simplification rules satisfy these properties. More precisely, we need to consider the substitutions (partial assignments) as part of the constraint system, in order to fit with the above definition: constraint systems come in two parts: a set of deducibility constraints and a set of solved equations, recording the substitution computed so far. In other words, a sequence of simplification steps $C_0 \rightsquigarrow_{\sigma_1} C_1 \rightsquigarrow_{\sigma_2} \cdots$ can be written as a general transformation sequence $C_0 \leadsto (C_1 \wedge \sigma_1) \leadsto (C_2 \wedge \sigma_1 \wedge \sigma_2) \leadsto \cdots$, where substitutions $\{t_1/x_1, \dots, t_n/x_n\}$ are seen as conjunctions of solved equations $(x_1 = t_1) \wedge \cdots \wedge (x_n = t_n)$.

We show next that for any sequence $C_0 \rightsquigarrow_{\sigma_1} C_1 \rightsquigarrow_{\sigma_2} \cdots$ of simplification steps there is an ordering $\ge$ on the corresponding general constraints such that (4) holds. We start by defining the ordering. First, we order the variables by $x > y$ if, for some $i$, $y \in V(x\sigma_1 \cdots \sigma_i)$. Intuitively, $x > y$ if $x$ is instantiated before $y$ in the considered derivation. Indeed, let $i_x$ be the minimum among all indexes $i$ such that $x\sigma_i \ne x$ if this minimum exists and $\infty$ otherwise. Then $x > y$ implies that either $i_x < i_y$, or $i_x = i_y$ and $y \in V(x\sigma_{i_x})$. (Note that in this last case we cannot have both $y \in V(x\sigma_{i_x})$ and $x \in V(y\sigma_{i_x})$, by the definition of a mgu.) This observation proves that the relation $>$ on variables is an ordering. Next, we let $(T \Vdash u) > (T' \Vdash u')$ if
—either the multiset of variables occurring in $T$ is strictly larger than the multiset of variables occurring in $T'$; such multisets are ordered by the multiset extension of the ordering on variables;
—or else the multisets of variables are identical, and $T' \subsetneq T$;
—or else $T = T'$ and the multiset of variables in $u$ is strictly larger than the multiset of variables in $u'$;
—or else, $T = T'$, the multisets of variables are identical and the size of $u$ is strictly larger than the size of $u'$.
This is an ordering as a lexicographic composition of orderings. Finally, any solved equation (i.e. substitution) is strictly smaller than any deducibility constraint, and equations are not comparable. The ordering we have just defined could have been used for the termination proof, as it is a well-founded ordering. It will now be considered as the default ordering on constraints, when a derivation sequence is fixed.
This ordering also satisfies the above required hypotheses for general constraint system transformations, as shown by the proof of the following proposition.

PROPOSITION 4.14. The simplification rules on deducibility constraint systems form a general constraint system transformation.

PROOF. Let $C_0 \leadsto_{\sigma_0} C_1 \leadsto_{\sigma_1} \cdots$ be a simplification sequence. We consider the ordering on deducibility constraints (viewed as general constraints) defined above. We show next that (4) holds. Note that in (4), $c$ cannot be a solved equation, because at each step solved equations $(x = x\sigma_i)$ may be added but no equation is eliminated. Thus let $(T \Vdash u) \in C_i \setminus C_{i+1}$, for some $i \geq 0$. We need to show that
$$\bigwedge_{\substack{(T' \Vdash u') \in C_{i+1} \\ (T' \Vdash u') < (T \Vdash u)}} T' \Vdash u' \;\wedge\; \bigwedge_{1 \leq j \leq i} \sigma_j \;\models\; T \Vdash u \qquad (5)$$
We investigate the possible transformation rules. For the rules $R_2, R_3, R'_3$, $C_{i+1} = C_i\sigma_i$. We have $(T \Vdash u) \geq (T\sigma_i \Vdash u\sigma_i)$ since either the multiset of variables of $T\sigma_i$ is strictly smaller than the multiset of variables of $T$, or else $T = T\sigma_i$ and, in the latter case, either the multiset of variables of $u\sigma_i$ is strictly smaller than the multiset of variables of $u$ or else $u\sigma_i = u$. Moreover, $c\sigma \wedge \sigma \models c$ for all constraints $c$ and substitutions $\sigma$. Indeed, if $\theta$ is a solution of $c\sigma \wedge \sigma$ then $x\theta = x\sigma\theta$ for any $x \in dom(\sigma)$. It follows that $c\theta = c\sigma\theta$, and thus $\theta$ is a solution of $c$. Hence, we have in particular that $(T\sigma_i \Vdash u\sigma_i) \wedge \sigma_i \models T \Vdash u$, which shows that (5) holds for this case.

For the rule $R_f$, it suffices to notice that $\{T \Vdash u_1, \ldots, T \Vdash u_n\} \models (T \Vdash f(u_1, \ldots, u_n))$ and $(T \Vdash u_i) < (T \Vdash f(u_1, \ldots, u_n))$ for every $i$.
For the rule $R_1$, the constraint $T \Vdash u$ is a consequence of the (strictly smaller) constraints $T' \Vdash x$ for $T' \subsetneq T$. Finally, the rule $R_4$ only applies to unsatisfiable deducibility constraints.

The memorization strategy can be defined, as above, for any general constraint system transformation. The correctness of the memorization strategy relies on the following invariant:

LEMMA 4.15. For any constraint system transformation $\leadsto$, if $C;\emptyset \leadsto^* C';D'$, then $C' \models D'$.

PROOF. We prove, by induction on the length of the derivation sequence, the following stronger result: $\forall d \in D'$, $\{c \in C' \mid c < d\} \models d$. The base case is straightforward as $D'$ is empty. Next, assume that $C;D \leadsto C';D'$. By definition, $D' = D \cup (C \setminus C')$. If $d \in C \setminus C'$, by definition of a constraint transformation rule, $\{c \in C' \mid c < d\} \models d$. If $d \in D$, by induction hypothesis, $\{c \in C \mid c < d\} \models d$. Hence $\{c \in C' \mid c < d\} \cup \{c \in C \setminus C' \mid c < d\} \models d$. But, again by definition of constraint transformations, any constraint in the second set is a consequence of the first set: we get $\{c \in C' \mid c < d\} \models d$.

It follows that the memorization strategy is always correct when the original constraint transformation is correct. Now, the memorization strategy preserves the properties of our deducibility constraint systems:

LEMMA 4.16. If $C$ is a deducibility constraint system and $C;\emptyset \leadsto^*_\sigma C';D'$ then $C'$ is a deducibility constraint system.

PROOF. Let $(C_i;D_i) \leadsto_{\sigma_{i+1}} (C_{i+1};D_{i+1})$, with $0 \leq i < n$, be the sequence of deducibility constraint systems obtained by applying successively the simplification rules, where $C_0 = C$, $D_0 = \emptyset$, $C_n = C'$, and $C_i \leadsto_{\sigma_{i+1}} C'_{i+1}$ (and thus $C_{i+1} = C'_{i+1} \setminus D_i$, and $D_{i+1} = D_i \cup (C_i \setminus C'_{i+1})$). We know that $C'_i$ is a deducibility constraint system, by Lemma 4.6.

First, the left members of $C_i$ are linearly ordered by inclusion, as they are a subset of the left members of $C'_i$. We consider now the other property of deducibility constraint systems. We let $\geq$ be the ordering on constraints defined before. We show below, by induction on $i$, that, for every $x \in V(C_i)$, for every $(T \Vdash u) \in D_i$ such that $x \in V(u) \setminus V(T)$, there is a $(T' \Vdash u') \in C_i$ such that $x \in V(u') \setminus V(T')$ and $(T' \Vdash u') < (T \Vdash u)$. Note that this property implies that $C_i$ is a deducibility constraint system: for every variable $x \in V(C_i)$, there is $(T_x \Vdash u) \in C'_i$ such that $x \in V(u) \setminus V(T_x)$, as $C'_i$ is a deducibility constraint system. If $(T_x \Vdash u) \in C_i$ then we are done; otherwise $(T_x \Vdash u) \in D_i$, and hence, by the stated property, there is $(T'_x \Vdash u') \in C_i$ such that $x \in V(u') \setminus V(T'_x)$. This shows that $C_i$ is a deducibility constraint system.

The property holds trivially for $i = 0$. For the induction step, let $x \in V(C_{i+1})$ and $(T \Vdash u) \in C'_{i+1}$ be such that $x \in V(u) \setminus V(T)$. We investigate three cases:

—if $C_{i+1}$ is obtained by one of the rules $R_2, R_3, R'_3$, then $C_{i+1} = C_i\sigma_{i+1} \setminus D_i$, and $x \notin dom(\sigma_{i+1})$. We assume w.l.o.g. that $T \Vdash u$ is a minimal constraint in $D_{i+1}$ such that $x \in V(u) \setminus V(T)$. There is $(T' \Vdash u') \in C_i$ such that $x \in V(u') \setminus V(T')$ and $(T' \Vdash u') \leq (T \Vdash u)$: if $(T \Vdash u) \notin C_i$, then $(T \Vdash u) \in D_i$ and by induction hypothesis, there is a $(T' \Vdash u') \in C_i$ such that $x \in V(u') \setminus V(T')$ and $(T' \Vdash u') < (T \Vdash u)$. Let $S = \{y \in V(T') \mid x \in V(y\sigma_{i+1})\}$. By induction hypothesis $C_i$ is a constraint system, and hence, for every $y \in S$, there is a (minimal) constraint $T_y \Vdash u_y \in C_i$ such that $y \in V(u_y) \setminus V(T_y)$. Since $y \in V(T')$, $T_y \subsetneq T'$.
Let $T_1 \Vdash u_1$ be a minimal element in $\{T_y \Vdash u_y \mid y \in S\} \cup \{T' \Vdash u'\}$. Suppose that $x \in V(T_1\sigma_{i+1})$. Since $x \notin V(T')$ and $T_y \subsetneq T'$, it follows that $x \notin V(T_y)$, and hence there is $z \in V(T_1)$ such that $x \in V(z\sigma_{i+1})$. It follows that $z \in S$ and $T_z \subsetneq T_1$, which contradicts the minimality of $T_1 \Vdash u_1$. Hence $x \in V(u_1\sigma_{i+1}) \setminus V(T_1\sigma_{i+1})$. Also $(T_1\sigma_{i+1} \Vdash u_1\sigma_{i+1}) \leq (T_1 \Vdash u_1) \leq (T' \Vdash u') \leq (T \Vdash u)$. Furthermore, at least one of the inequalities is strict: if $(T \Vdash u) \in D_i$ the last inequality is strict, otherwise $(T \Vdash u) \in (C_i \setminus C'_{i+1}) = (C_i \setminus C_i\sigma_{i+1})$ hence $(T\sigma_{i+1} \Vdash u\sigma_{i+1}) < (T \Vdash u)$. It follows that $(T_1\sigma_{i+1} \Vdash u_1\sigma_{i+1}) \in C_{i+1}$ by minimality of $T \Vdash u$.

—if $C_{i+1}$ is obtained by an $R_f$ rule. We may assume w.l.o.g. that $T \Vdash u$ is a minimal constraint in $D_{i+1}$ such that $x \in V(u) \setminus V(T)$. Either $(T \Vdash u) \in D_i$, in which case, by induction hypothesis, there is $(T' \Vdash u') \in C_i$ such that $x \in V(u') \setminus V(T')$ and $(T' \Vdash u') < (T \Vdash u)$. If $(T' \Vdash u') \in C_{i+1}$, there is nothing to prove. Otherwise, $u' = f(u_1, \ldots, u_n)$ and, for every $j$, $(T' \Vdash u_j) \in C_{i+1} \cup D_i$. Moreover, there is an index $j$ such that $x \in V(u_j) \setminus V(T')$ and, by minimality of $T \Vdash u$, $(T' \Vdash u_j) \in C_{i+1}$, hence completing this case. Or else $(T \Vdash u) \in C_i \setminus C'_{i+1}$, in which case $u = f(u_1, \ldots, u_n)$ and $(T \Vdash u_j) \in C_{i+1} \cup D_i$. As above, we conclude that for some $j$, $x \in V(u_j) \setminus V(T)$, $(T \Vdash u_j) \in C_{i+1}$ and $(T \Vdash u_j) < (T \Vdash u)$.

—if $C_{i+1}$ is obtained by the rule $R_1$, removing a constraint $T_1 \Vdash u_1$, then $D_{i+1} = D_i \cup \{T_1 \Vdash u_1\}$ and, by Lemma 4.6, for any variable $y \in V(u_1) \setminus V(T_1)$ there is a strictly smaller constraint $(T_2 \Vdash u_2) \in C_i$ such that $y \in V(u_2) \setminus V(T_2)$. Then we simply apply the induction hypothesis.
THEOREM 4.17. Let $C$ be a deducibility constraint system, $\theta$ a substitution and $\phi$ a security property.
(1) (Correctness) If $C;\emptyset \leadsto^*_\sigma C';D'$ for some deducibility constraint system $C'$ and some substitution $\sigma$, if $\theta$ is an attack for $C'$ and $\phi\sigma$, then $\sigma\theta$ is an attack for $C$ and $\phi$.
(2) (Completeness) If $\theta$ is an attack for $C$ and $\phi$, then there exist a deducibility constraint system $C'$ in solved form, a set of deducibility constraints $D'$ and substitutions $\sigma, \theta'$ such that $\theta = \sigma\theta'$, $C;\emptyset \leadsto^*_\sigma C';D'$, and $\theta'$ is an attack for $C'$ and $\phi\sigma$.
(3) (Termination) If $C;\emptyset \leadsto^n_\sigma C';D'$ for some deducibility constraint system $C'$ and some substitution $\sigma$, then $n$ is polynomially bounded in the size of $C$.

PROOF. For correctness, we rely on Lemmas 4.7 and 4.15: by Lemma 4.15, any solution $\theta$ of $C'$ is also a solution of $C' \cup D'$ and, by Lemma 4.7 (and induction), $\sigma\theta$ is a solution of $C$.

For completeness, from Lemma 4.11, we know that if $C_i$ is an unsolved deducibility constraint system and $\theta$ is an attack for $C_i$ and $\phi$, then there is a deducibility constraint system $C'_{i+1}$, a substitution $\sigma_i$, and an attack $\tau_i$ for $C'_{i+1}$ and $\phi\sigma_i$ such that $C_i \leadsto_{\sigma_i} C'_{i+1}$ and $\theta = \sigma_i\tau_i$. Then $\tau_i$ is an attack also for $C'_{i+1} \setminus D_i$ and $\phi\sigma$, for any set of constraints $D_i$. By Lemma 4.16, we know that when $D_i$ represents already visited constraints, then $C'_{i+1} \setminus D_i$ is a deducibility constraint system. We can thus conclude by induction on the derivation length $n$, taking $C_0 = C$, $D_0 = \emptyset$, $C_{i+1} = C'_{i+1} \setminus D_i$ for all $i$, and $C_n = C'$.

Concerning termination, we assume a DAG representation of the terms and constraints, in such a way that the size of the constraint is proportional to the number of distinct subterms occurring in it. Next, observe that $\sharp St(t\theta) \leq \sharp\big(St(t) \cup \bigcup_{x \in dom(\theta)} St(x\theta)\big)$. Hence, when unifying two subterms of $t$, with mgu $\theta$, $\sharp St(t\theta) \leq \sharp St(t)$ since, for every variable $x \in dom(\theta)$, $x\theta$ is a subterm of $t$. It follows that, for any constraint system $C';D'$ such that $C;\emptyset \leadsto^*_\sigma C';D'$, $\sharp St(C') \leq \sharp St(C)$. Next, observe that the number of distinct left hand sides of the constraints, $\sharp lhs(C')$, is never increasing: $\sharp lhs(C') \leq \sharp lhs(C)$. Furthermore, as long as we only apply the rules $R_1, R_f$, starting from $C''$, the left hand sides of the deducibility constraint systems are fixed: there are at most $\sharp lhs(C'')$ of them. Now, since, thanks to memorization, we cannot get twice the same constraint, the number of consecutive $R_1, R_f$ steps is bounded by
$$\sharp lhs(C'') \times \sharp St(rhs(C'')) \leq \sharp lhs(C) \times \sharp St(C).$$
It follows that the length of a derivation sequence is bounded by $\sharp V(C) \times \sharp lhs(C) \times \sharp St(C)$ (for $R_1, R_f$ steps) plus $\sharp V(C)$ (for $R_2, R_3, R'_3$ steps) plus 1 (for a possible $R_4$ step).

Theorem 4.17 extends the result of [Rusinowitch and Turuani 2001] to sorted messages and general security properties. Handling arbitrary security properties is possible as soon as we do not forget any solution of the deducibility constraint systems (as we do). If we only preserve the existence of a solution of the constraint (as in [Rusinowitch and Turuani 2001]), it might be the case that the solution of $C$ that we kept is not a solution of the property $\phi$, while there are solutions of both $\phi$ and $C$ that were lost in the satisfiability decision of $C$. In addition, compared to [Rusinowitch and Turuani 2001], presenting the decision procedure using a small set of simplification rules makes it more easily amenable to further extensions and modifications. For example, Theorem 4.17 has been used in [Cortier et al. 2006] for proving that a new notion of secrecy in presence of hashes is decidable (and co-NP-complete) for a bounded number of sessions. Note that termination in polynomial time also requires the use of a DAG (Directed Acyclic Graph) representation for terms.

The following corollary is easily obtained from the previous theorem by observing that we can guess the simplification rules which lead to a solved form.

COROLLARY 4.18. Any property $\phi$ that can be decided in polynomial time on solved deducibility constraint systems can be decided in non-deterministic polynomial time on arbitrary deducibility constraint systems.

4.7 An alternative approach to polynomial-time termination

Inspecting the completeness proof, there is still some room for choosing a strategy, while keeping completeness (correctness is independent of the order of the rules application). To obtain even more flexibility, we slightly relax the condition on the application of the rule $R_2$ on a constraint $T \Vdash u$: we require unifying a subterm $t \in St(T)$ and a subterm $t' \in St(u)$ (instead of unifying $t$ with $u$) where, as before, $t \neq t'$, $t, t'$ non-variables. Remark that this change preserves the completeness of the procedure.

Let us group the rules $R_2, R_3, R'_3$ and call them substitution rules $S$. We write $S(u,v)$ if the substitution is obtained by unifying $u$ and $v$. There are some basic observations:

(1) If $C \leadsto_{R_f} C' \leadsto^{S}_{\sigma} C'\sigma$, then $C \leadsto^{S}_{\sigma} C\sigma \leadsto_{R_f} C'\sigma$. Hence we may always move forward the substitution rules.
(2) If $C_1 \leadsto_{R_f} C'_1$ and $C_2 \leadsto_{R_f} C'_2$, then $C_1 \wedge C_2 \leadsto_{R_f} C'_1 \wedge C_2 \leadsto_{R_f} C'_1 \wedge C'_2$ and $C_1 \wedge C_2 \leadsto_{R_f} C_1 \wedge C'_2 \leadsto_{R_f} C'_1 \wedge C'_2$, hence any two consecutive applications of $R_f$ on different constraints can be performed in any order.
(3) The rules $R_1, R_4$ can be applied at any time when they are enabled; we may apply them eagerly or postpone them until no other rule can be applied.
(4) If $C \leadsto^{S(u_1,v_1)}_{\sigma_1} C\sigma_1 \leadsto^{S(u_2\sigma_1, v_2\sigma_1)}_{\sigma_2} C\sigma_1\sigma_2$, then, for some $\theta_1, \theta_2$, $C \leadsto^{S(u_2,v_2)}_{\theta_1} C\theta_1 \leadsto^{S(u_1\theta_1, v_1\theta_1)}_{\theta_2} C\sigma_1\sigma_2$. Hence any two consecutive substitution rules can be performed in any order.
(5) If $C \leadsto^{S}_{\sigma} C\sigma \leadsto_{R_f} C'\sigma$, and $S \neq R_2$, then $C \leadsto_{R_f} C' \leadsto^{S}_{\sigma} C'\sigma$.

This provides several complete strategies. For instance the following strategy is complete:
—apply eagerly $R_4$ and postpone $R_1$ as much as possible;
—apply the substitution rules eagerly (as soon as they are enabled). This implies that all substitution rules are applied at once, since the rules $R_1, R_4, R_f$ cannot enable a substitution;
—when $R_4$ and substitution rules are not enabled, apply $R_f$ to the constraint whose right hand side is maximal (in size).

Such a strategy will also yield polynomial length derivations, since we cannot get twice the same constraint: in any derivation sequence $C_0 \leadsto_{\sigma_1} \cdots \leadsto_{\sigma_n} C_n$, if $(T \Vdash u) \in C_i \setminus C_{i+1}$ (we say then that $T \Vdash u$ has been eliminated at this step), then, for any $j > i$, $(T \Vdash u) \notin C_j$. Indeed, for the substitution rules, $T \Vdash u$ is eliminated only when $x \in V(T \Vdash u)$ and $x \in dom(\sigma_{i+1})$, in which case for any $j > i$, $x \notin V(C_j)$. And, if $T \Vdash u$ is eliminated by an $R_f$ rule, then $|u| = \max_{t \in rhs(C_i)} |t|$. If, for some $j > i$, the constraint $T \Vdash u$ was in $C_{j+1}$ and not in $C_j$, then we would have $\max_{t \in rhs(C_j)} |t| > |u|$. Thus the maximum of the sizes of the right hand side terms would have increased, which is not possible according to our strategy. Then the complexity analysis of the proof of Theorem 4.17 can be applied here.
The above observations can also be used to bound the non-determinism (which is useful in practice): for instance from (1) and (4), we see that substitution rules can be applied "don't care": if we use a substitution rule, we do not need to consider other alternatives. More precisely, if $S(t,u)$ is a substitution rule that is applicable to $C$, let $\Phi(C)$ be the set of substitution rules $S(t',u')$ which are applicable to $C$ and such that there is no $\theta$ other than the identity such that $mgu(t,u)\theta = mgu(t',u')$. Then
$$\theta \models C \;\Longrightarrow\; \bigvee_{S(t',u') \in \Phi(C)} \exists \theta'.\; \theta = mgu(t',u')\theta'$$
Similarly, from (5), a right-hand side member that is not unifiable with a non-variable subterm of the corresponding left hand side can be "don't care" decomposed:
$$\theta \models C \wedge (T \Vdash f(u_1, \ldots, u_n)) \;\Longrightarrow\; \theta \models C \wedge (T \Vdash u_1) \wedge \cdots \wedge (T \Vdash u_n)$$
if $f(u_1, \ldots, u_n)$ is not unifiable with any non-variable subterm of $T$.

5. DECIDABILITY OF ENCRYPTION CYCLES

Using the general approach presented in the previous section, verifying particular properties like the existence of key cycles or the conformation to an a priori given ordering relation on keys can be reduced to deciding these properties on solved deducibility constraint systems. We deduce a new decidability result, useful in models designed for proving cryptographic properties. To show that formal models (like the one presented in this article) are sound with respect to cryptographic ones, the authors usually assume that no key cycle can be produced during the execution of a protocol or, even stronger, assume that the "encrypts" relation on keys follows an a priori given ordering. For simplicity, and since there are very few papers constraining the key relations in an asymmetric setting, in this section we restrict our attention to key cycles and key orders on symmetric keys.
Moreover, we consider atomic keys for symmetric encryption since there exists no general definition (with a cryptographic interpretation) of key cycles in the case of arbitrary composed keys, and soundness results are usually obtained for atomic keys. More precisely, we assume a sort $Key \subset Msg$ and we assume that the sort of $enc$ is $Msg \times Key \to Msg$. All the other symbols are of sort $Msg \times \cdots \times Msg \to Msg$. Hence only names and variables can be of sort $Key$. In this section we call key a variable or a name of sort $Key$. Finally, for any list of terms $L$, $L_s$ is the set of terms that are members of the list.

In this section, we consider (in)security properties of the form $P(L)$ where $P$ is a predicate symbol and $L$ is a list of terms. Informally, $\sigma$ will be a solution of $P(L)$ if $L_s\sigma$ contains a key cycle. The precise interpretation of $P$ depends on the notion of key cycle: this is what we investigate first in the following section.

5.1 Key cycles

Many definitions of key cycles are available in the literature. They are stated in terms of an "encryption" relation between keys or occurrences of keys. An early definition proposed by Abadi and Rogaway [Abadi and Rogaway 2002] identifies a key cycle with a cycle in the encryption relation, with no conditions on the occurrences of the keys. However, the definition induced by Laud's approach [Laud 2002] corresponds to searching for such cycles only in the "visible" parts of a message. For example the message $enc(enc(k,k),k')$ contains a key cycle using the former definition but does not when using the latter one and assuming that $k'$ is secret. It is generally admitted that the Abadi-Rogaway definition is unnecessarily restrictive and hence we will say that the corresponding key cycles are strict.
However, for completeness reasons, we treat both cases. There can still be other variants of the definition, depending on whether the relation "$k$ encrypts $k'$" is restricted or not to keys $k'$ that occur in plain-text. For example, $enc(enc(a,k),k)$ may or may not contain a key cycle. As above, even if occurrences of keys used for encrypting (as $k$ in $enc(m,k)$) need not be considered as encrypted keys, and hence can safely be ignored when defining key cycles, we consider both cases. Note that the initial Abadi-Rogaway setting considers that $enc(enc(a,k),k)$ has a key cycle.

We write $s <_{st} t$ if and only if $s$ is a subterm of $t$. $\sqsubseteq$ is the least reflexive and transitive relation satisfying: $s_1 \sqsubseteq (s_1, s_2)$, $s_2 \sqsubseteq (s_1, s_2)$, and, if $s \sqsubseteq t$, then $s \sqsubseteq enc(t,t')$. Intuitively, $s \sqsubseteq t$ if $s$ is a subterm of $t$ that either occurs (at least once) in clear (i.e. not encrypted) or occurs (at least once) in a plain-text position. A position $p$ is a plain-text position in a term $u$ if there exists an occurrence $q$ of an encryption in $u$ such that $q \cdot 1 \leq p$.

Definition 5.1. Let $\rho_1$ be a relation chosen in $\{<_{st}, \sqsubseteq\}$. Let $S$ be a set of terms and $k, k'$ be two keys. We say that $k$ encrypts $k'$ in $S$ (denoted $k\ \rho^S_e\ k'$) if there exist $m \in S$ and a term $m'$ such that $k'\ \rho_1\ m'$ and $enc(m',k) \sqsubseteq m$.

For simplicity, we may write $\rho_e$ instead of $\rho^S_e$, if $S$ is clear from the context. Also, if $m$ is a message we denote by $\rho^m_e$ the relation $\rho^{\{m\}}_e$. Let $S$ be a set of terms. We define $hidden(S) \stackrel{def}{=} \{k \in St(S) \mid k \text{ of sort } Key,\ S \not\vdash k\}$.

Definition 5.2 (Strict key cycle). Let $K$ be a set of keys. We say that a set of terms $S$ contains a strict key cycle on $K$ if there is a cycle in the restriction of the relation $\rho^S_e$ on $K$. Otherwise we say that $S$ is strictly acyclic on $K$.
We define the predicate $P_{skc}$ as follows: $L \in P_{skc}$ if and only if the set $\{m \mid L_s \vdash m\}$ contains a strict key cycle on $hidden(L_s)$.

We give now the definition induced by Laud's approach [Laud 2002]. He showed in a passive setting that if a protocol is secure when the intruder's power is given by a modified Dolev-Yao deduction system $\vdash_\emptyset$, then the protocol is secure in the computational model, without requiring a "no key cycle" condition. Rephrasing Laud's result in terms of the standard deduction system $\vdash$ gives rise to the definition of key cycles below, as it has been proved in [Janvier 2006].

To state the following definition we need a more precise notion than the encrypts relation. We say that an occurrence $q$ of a key $k$ is protected by a key $k'$ in a term $m$ if $m|_{q'} = enc(m',k')$ for some term $m'$ and some position $q'$, and the occurrence of $k$ at $q$ in $m$ is a plain-text occurrence of $k$ in $m'$, that is $q' \cdot 1 \leq q$. We extend this definition in the intuitive way to sets of terms. This can be done for example by indexing the terms in the set and adding this index as a prefix to the position in the term to obtain the position in the set.

Definition 5.3 (Key cycle [Janvier 2006]). Let $K$ be a set of keys. We say that a set of terms $S$ is acyclic on $K$ if there exists a strict partial ordering $\prec$ on $K$ such that for all $k \in K$, for all occurrences $q$ of $k$ in plain-text position in $S$, there is $k' \in K$ such that $k' \prec k$ and $q$ is protected by $k'$ in $S$. Otherwise we say that $S$ contains a key cycle on $K$.

We define the predicate $P_{kc}$ as follows: for any list of terms $L$, $L \in P_{kc}$ if and only if the set $\{m \mid L_s \vdash m\}$ contains a key cycle on $hidden(L_s)$.
We say that a term $m$ contains a (strict) key cycle if the set $\{m\}$ contains one.

Example 5.4. The messages $m = enc(enc(k,k),k')$ and $m' = \langle enc(k_1,k_2),\ enc(enc(k_2,k_3),k_1) \rangle$ are acyclic, while the message $m'' = \langle\langle enc(k_1,k_2),\ enc(enc(k_2,k_1),k_3) \rangle,\ k_3 \rangle$ has a key cycle. The orderings $k' \prec k$ and $k_3 \prec k_2 \prec k_1$ prove it for $m$ and $m'$, while for $m''$ such an ordering cannot be found since $k_3$ is deducible. However, all three messages have strict key cycles.

5.2 Key orderings

In order to establish soundness of formal models in a symmetric encryption setting, the requirements on the encrypts relation can be even stronger, in particular in the case of an active intruder. In [Backes and Pfitzmann 2004] and [Janvier et al. 2005] the authors require that a key never encrypts a younger key. More precisely, the encrypts relation has to be compatible with the ordering in which the keys are generated. Hence we also want to check whether there exist executions of the protocol for which the encrypts relation is incompatible with an a priori given order on keys.

Definition 5.5 (Key ordering). Let $\prec$ be a strict partial ordering on a set of keys $K$. We say that a set of terms $S$ is compatible with $\prec$ on $K$ if $k\ \rho^S_e\ k' \Rightarrow k' \not\prec k$, for all $k, k' \in K$.

Given a strict partial ordering $\prec$ on a set of keys, we define the predicate $P_\prec$ as follows: $P_\prec$ holds on a list of terms $L$ if and only if the set $\{m \mid L_s \vdash m\}$ is compatible with $\prec$ on $hidden(L_s)$. For example, in [Backes and Pfitzmann 2004; Janvier et al. 2005] the authors choose $\prec$ to be the order in which the keys are generated: $k \prec k'$ if $k$ has been generated before $k'$. We denote by $\overline{P_\prec}$ the negation of $P_\prec$. Indeed, an attack in this context is an execution such that the encrypts relation is incompatible with $\prec$.
5.3 Properties that are independent of the notion of key cycle

We show how to decide the existence of key cycles or the conformation to an ordering in polynomial time for solved deducibility constraint systems. Note that the set of messages on which our predicates are applied usually contains all messages sent on the network and possibly some additional intruder knowledge. We start with statements that do not depend on which notion of key cycle we choose.

LEMMA 5.6. Let $S$ be a set of terms, $m$ be a term and $k$ be a key such that $S \vdash m$ and $S \not\vdash k$. Then for any plain-text occurrence $q$ of $k$ in $m$, there is a plain-text occurrence $q_0$ in $S$ such that, if there is a key $k'$ with $S \not\vdash k'$ and which protects $q_0$ in $S$, then $k'$ protects $q$ in $m$.

PROOF. We reason by induction on the depth of the proof of $S \vdash m$:
—if the last rule is an axiom, then $m \in S$. We may simply choose $q_0 = q$.
—if the last rule is a decryption, then $S \vdash enc(m,k'')$ and $S \vdash k''$ for some $k'' \neq k$. Take the position $q_1 = 1 \cdot q$ in $enc(m,k'')$. It is an occurrence of $k$. Applying the induction hypothesis we obtain an occurrence $q_0$ of $k$ in $S$ such that, if there is a key $k'$ with $S \not\vdash k'$ and which protects $q_0$ in $S$, then $k'$ protects $q_1$ in $enc(m,k'')$. Since $S \not\vdash k'$, it follows that $k'' \neq k'$ and hence $k'$ protects $q$ in $m$.
—if the last rule is another rule, we proceed in a similar way as above.

As a corollary we obtain the following proposition, which states that, in the passive case, a key cycle can be deduced from a set $S$ only if it already appears in $S$.

PROPOSITION 5.7. Let $L$ be a list of ground terms, and $\prec$ a strict partial ordering on a set of keys.
The predicate $P_{kc}$ (respectively, $P_{skc}$ or $P_\prec$) holds on $L$ if and only if $L_s$ contains a key cycle (respectively, $L_s$ contains a strict key cycle, or the encrypts relation on $L_s$ is not compatible with $\prec$).

PROOF. The right to left direction is trivial since $L_s \subseteq \{m \mid L_s \vdash m\}$. We will prove the left to right direction only for the key cycle property; the other two properties can be proved in a similar way. Assume that there is no strict partial ordering satisfying the conditions in Definition 5.3 for $\{m \mid L_s \vdash m\}$. In other words, for any strict partial ordering $\prec$ on $hidden(L_s)$ there is a key $k$ and an occurrence $q$ of $k$ in $\{m \mid L_s \vdash m\}$ such that for any key $k'$, $k'$ protects $q$ in $\{m \mid L_s \vdash m\}$ implies $k' \not\prec k$. Using the previous lemma we can replace $\{m \mid L_s \vdash m\}$ by $L_s$ in the previous sentence, thus obtaining that there is a key cycle in $L_s$.

The next lemma will be used to show that $hidden(L_s\theta)$ does not depend on the solution $\theta$ of a solved constraint $C$.

LEMMA 5.8. Let $T \Vdash x$ be a constraint of a solved constraint system $C$, $\theta$ a solution of $C$ and $m$ a non-variable term. If $T\theta \vdash m$ then there is a non-variable term $u$ with $V(u) \subseteq V(T)$ such that $T \cup V(T) \vdash u$ and $m = u\theta$.

PROOF. We write $C$ as $\bigwedge_i (T_i \Vdash x_i)$, with $1 \leq i \leq n$ and $T_i \subseteq T_{i+1}$. Consider the index $i$ of the constraint $T \Vdash x$, that is, such that $(T_i \Vdash u_i) \in C$, $T_i = T$ and $u_i = x$. The lemma is proved by induction on $(i, l)$ (considering the lexicographical ordering) where $l$ is the length of the proof of $T_i\theta \vdash m$. Consider the last rule of the proof:
—(axiom rule) $m \in T_i\theta$. Then there is $u \in T_i$ such that $m = u\theta$. If $u$ is a variable then there is $j < i$ such that $T_j \Vdash u$ is a constraint of $C$. We have $T_j\theta \vdash u\theta$. Then by induction hypothesis there is a non-variable term $u'$ with $V(u') \subseteq V(T_j)$ such that $T_j \cup V(T_j) \vdash u'$ and $u\theta = u'\theta$.
Hence $u'$ satisfies the conditions.
—(decomposition rule) Suppose the rule is the decryption rule. Then the premises of the rule are $T_i\theta \vdash enc(m,k)$ and $T_i\theta \vdash k$ for some term $k$. By induction hypothesis there are non-variable terms $u_1$ and $u_2$ with $V(u_1), V(u_2) \subseteq V(T_i)$ such that $T_i \cup V(T_i) \vdash u_1$, $T_i \cup V(T_i) \vdash u_2$, $u_1\theta = enc(m,k)$ and $u_2\theta = k$. Then $u_1 = enc(u, u'_2)$ with $u\theta = m$ and $u'_2\theta = k$. If $u$ is a variable then, as in the previous case, we find a $u'$ satisfying the conditions. Suppose $u$ is not a variable. We still need to show that $T_i \cup V(T_i) \vdash u$. If $u'_2$ is a variable then $T_i \cup V(T_i) \vdash u'_2$ since $u'_2 \in V(T_i)$. If $u'_2$ is not a variable then $u'_2\theta = u'_2$, hence $u'_2 = u_2$. In both cases it follows that $T_i \cup V(T_i) \vdash u$. The projection rule case is simpler and is treated similarly.
—(composition rule) This case follows easily from the induction hypothesis applied on the premises.

COROLLARY 5.9. Let $T \Vdash x$ be a constraint of a solved deducibility constraint system $C$, and $\theta, \theta'$ be two solutions of $C$. Then for any key $k$, $T\theta \vdash k$ if and only if $T\theta' \vdash k$.

PROOF. Suppose that $T\theta \vdash k$. From the previous lemma we obtain that there is a non-variable $u$ with $V(u) \subseteq V(T)$ such that $T \cup V(T) \vdash u$ and $k = u\theta$. Since keys are atomic and $\theta$ is a ground substitution it follows that $u = k$. Hence $T\theta' \cup \{x\theta' \mid x \in V(T)\} \vdash k$. So $T\theta' \vdash k$, since $\theta'$ is a solution (and thus $T\theta' \vdash x\theta'$ for all $x \in V(T)$) and by using Lemma 4.5.

5.4 Decision results

On solved deducibility constraint systems, it is possible to decide in polynomial time whether an attacker can trigger a key cycle or not, whatever notion of key cycle we consider:

PROPOSITION 5.10. Let $C$ be a solved deducibility constraint system, $L$ be a list of messages such that $V(L_s) \subseteq V(C)$ and $lhs(C) \subseteq L_s$, and $\prec$ a strict partial ordering on a set of keys. Deciding whether there exists an attack for $C$ and $P(L)$ can be done in $O(|L|^2)$, for any $P \in \{P_{kc}, P_{skc}, P_\prec\}$.

We devote the remainder of this section to the proof of the above proposition. We know by Proposition 5.7 that it is sufficient to analyze the encrypts (or protects) relation only on $L_s\theta$ (and not on every deducible term), where $\theta$ is an arbitrary solution. We can safely assume that there is exactly one deducibility constraint for each variable. Indeed, eliminating from $C$ all constraints $T' \Vdash x$ for which there is a constraint $T \Vdash x$ in $C$ with $T \subsetneq T'$, we obtain an equivalent deducibility constraint system $C'$: $\sigma$ is a solution of $C'$ iff it is a solution of $C$. Let $t_x$ be the term obtained by pairing all terms of $T_x$ (in some arbitrary ordering). We write $C$ as $\bigwedge_i (T_i \Vdash x_i)$, with $1 \leq i \leq n$ and $T_i \subseteq T_{i+1}$. We construct the following substitution $\tau = \tau_1 \ldots \tau_n$, where $\tau_j$ is defined inductively as follows:
- $dom(\tau_1) = \{x_1\}$ and $x_1\tau_1 = t_{x_1}$
- $\tau_{i+1} = \tau_i \cup \{t_{x_{i+1}}\tau_i / x_{i+1}\}$.
The construction is correct by the definition of deducibility constraint systems. It is clear that $\tau$ is a solution of $C$. We show next that it is sufficient to analyze this particular solution.

Key cycles. We focus first on the property $P_{kc}$.

LEMMA 5.11. Let $C$ be a solved deducibility constraint system, $L$ a list of terms such that $V(L) \subseteq V(C)$, $lhs(C) \subseteq L_s$, and assume $P$ is interpreted as $P_{kc}$. Then there is an attack for $C$ and $P(L)$ if and only if $\tau$ is an attack for $C$ and $P(L)$.

PROOF.
We have to prove that if there is no partial ordering satisfying the conditions of Definition 5.3 for the set $L_s\theta$ (according to Proposition 5.7) then there is no partial ordering satisfying the same conditions for $L_s\tau$. Suppose that there is a strict partial ordering $\prec$ which satisfies the conditions for $L_s\tau$. We prove that the same partial ordering does the job for $L_s\theta$. Let $C' = C \wedge (L_s \Vdash z)$ where $z$ is a new variable. $C'$ is a deducibility constraint system since $\mathit{lhs}(C) \subseteq L_s$. We write $C'$ as $\bigwedge_i (T_i \Vdash x_i)$, with $1 \le i \le n$ and $T_i \subseteq T_{i+1}$. We prove by induction on $i$ that for all $k \in \mathit{hidden}(L_s\theta)$ and for all plain-text occurrences $q$ of $k$ in $T_i\theta$ there is a key $k' \in \mathit{hidden}(L_s\theta)$ such that $k' \prec k$ and $k'$ protects $q$ in $T_i\theta$. It is sufficient to prove this since for $i = n$ we have $T_i = L_s$. Remark also that from Corollary 5.9 applied to $L_s \Vdash z$ we obtain that $\mathit{hidden}(L_s\theta) = \mathit{hidden}(L_s\tau)$.

For $i = 1$ we have $T_1 = T_1\theta = T_1\tau$, hence the property is clearly satisfied for $\theta$ since it is satisfied for $\tau$. Let $i > 1$. Consider an occurrence $q$ of a key $k \in \mathit{hidden}(L_s\theta)$ in a plain-text position of $w$ for some $w \in T_i\theta$. Let $t \in T_i$ be such that $w = t\theta$. If $q$ is a non-variable position in $t$ then it is a position in $t\tau$. And since $\prec$ satisfies the conditions for $L_s\tau$ (and $T_i \subseteq L_s$), there is a key $k' \in \mathit{hidden}(L_s\tau)$ (hence $k' \in \mathit{hidden}(L_s\theta)$) such that $k' \prec k$ and $q$ is protected by $k'$ in $t\tau$. The key $k'$ cannot occur in some $x\tau$ with $x \in V(t)$, since otherwise $k'$ is deducible (indeed $x\tau = k'$ since the keys are atomic and $T_x\tau \vdash x\tau$). Hence $k'$ occurs in $t$. Then $k'$ protects $q$ in $t$, and thus in $w$ also. If $q$ is not a non-variable position in $t$ then there is a variable $x_j \in V(t)$ with $j < i$ such that the occurrence $q$ in $t\theta$ is an occurrence of $k$ in $x_j\theta$ (formally $q = p \cdot q'$ where $p$ is some position of $x_j$ in $t$ and $q'$ is some occurrence of $k$ in $x_j\theta$).
Applying Lemma 5.6 we obtain that there is an occurrence $q_0$ of $k$ in $T_j\theta$ such that if there is a key $k'$ with $T_j\theta \nvdash k'$ which protects $q_0$ in $T_j\theta$, then $k'$ protects $q'$ in $x_j\theta$. The existence of the key $k'$ is assured by the induction hypothesis on $T_j\theta$. Hence $k'$ protects $q'$ in $x_j\theta$ and thus $q$ in $w$.

since otherwise there is $x \in V(L_s)$ such that $x\tau = k'$, which implies that $k' \notin \mathit{hidden}(L_s)$. Then $q'$ is a position in $L_s\theta$. Moreover $q'$ protects $q$ in $L_s\theta$. If $q$ is not a non-variable position in $L_s$ then there is a variable $x \in V(L_s)$ such that

Hence we only need to check whether $\tau$ is an attack for $C$ and $P(L)$. Let $K = \mathit{hidden}(L_s\tau)$. We build inductively the sets $K_0 = \emptyset$ and, for all $i \ge 1$,
$$K_i = \{\, k \in K \mid \forall q \in \mathit{Pos}_p(k, L_s\tau)\ \exists k' \text{ s.t. } k' \text{ protects } q \text{ and } k' \in K_{i-1} \,\}$$
where $\mathit{Pos}_p(m, T)$ denotes the plain-text positions of a term $m$ in a set $T$. Observe that for all $i \ge 0$, $K_i \subseteq K_{i+1}$. This can be proved easily by induction on $i$. Moreover, since $K$ is finite and $K_i \subseteq K$ for all $i \ge 0$, there is $l \ge 0$ such that $K_i = K_l$ for all $i > l$.

LEMMA 5.12. There exists $i \ge 0$ such that $K_i = K$ if and only if $L\tau \in P_{kc}$.

PROOF. Consider first that there exists $i \ge 0$ such that $K_i = K$. Then take the following strict partial ordering on $K$: $k' \prec k$ if and only if there is $j \ge 0$ such that $k' \in K_j$ and $k \notin K_j$. Consider a key $k \in K$ and a plain-text occurrence $q$ of $k$ in $L_s\tau$. Then take $l \ge 1$ minimal such that $k \in K_l$. By the definition of $K_l$ there is $k' \in K$ such that $k'$ protects $q$ and $k' \in K_{l-1}$. Since $l$ is minimal, $k \notin K_{l-1}$. Hence $k' \prec k$. Thus $L\tau \in P_{kc}$.

Consider now that $L\tau \in P_{kc}$, i.e. that there is a strict partial ordering $\prec$ satisfying the conditions of Definition 5.3 for $L_s\tau$. Suppose that $K_{i+1} = K_i \subsetneq K$. Let $k \in K \setminus K_{i+1}$. Since $k \notin K_{i+1}$ there is a plain-text occurrence $q$ of $k$ such that for all $k' \in K$ either $k'$ does not protect $q$, or $k' \notin K_i$.
But since $\prec$ satisfies the conditions for $L_s\tau$, there is $k'' \in K$ such that $k''$ protects $q$ and $k'' \prec k$. It follows that $k'' \notin K_i$, and thus $k'' \notin K_{i+1}$. Hence for an arbitrary $k \in K \setminus K_{i+1}$ we have found $k'' \in K \setminus K_{i+1}$ such that $k'' \prec k$. That is, we can build an infinite sequence $\ldots \prec k'' \prec k$ with distinct elements from a finite set, a contradiction. So there exists $i \ge 0$ such that $K_i = K$.

Hence to check whether $L\tau \in P_{kc}$, we only need to construct the sets $K_i$ until $K_{i+1} = K_i$ and then to check whether $K_i = K$. This algorithm is similar to a classical method for finding a topological sorting of the vertices (and for finding cycles) of a directed graph. It is also similar to that given by Janvier [Janvier 2006] for the intruder deduction problem considering the deduction system of Laud [Laud 2002]. Regarding the complexity, there are at most $\sharp K$ sets to be built and each set $K_i$ can be constructed in $O(|L_s\tau|)$. If a DAG representation of the terms is used then $|L_s\tau| \in O(|L_s|)$. This gives a complexity of $O(|K| \times |L_s|)$ for the above algorithm.

Strict key cycles and key orderings. For the other two properties $P_{skc}$ and $P_\prec$ we proceed in a similar manner.

LEMMA 5.13. Let $T \Vdash x$ be a constraint of a solved deducibility constraint system $C$ and $\theta$ be a solution. Let $m, u, k$ be terms such that $T\theta \vdash m$, $\mathrm{enc}(u,k) \sqsubseteq m$ and $T\theta \nvdash k$. Then there exists a non-variable term $v$ such that $v \sqsubseteq w$ for some $w \in T$ and $v\theta = \mathrm{enc}(u,k)$.

PROOF. We write $C$ as $\bigwedge_i (T_i \Vdash x_i)$, with $1 \le i \le n$ and $T_i \subseteq T_{i+1}$. Consider the index $i$ of the constraint $T \Vdash x$, that is, such that $T_i \Vdash u_i \in C$, $T_i = T$ and $u_i = x$. The lemma is proved by induction on $(i, l)$ (lexicographic ordering), where $l$ is the length of the proof of $T_i\theta \vdash m$.
Consider the last rule of the proof:
—(axiom rule) $m = t\theta$ for some $t \in T_i$. Either there is a non-variable $t' \sqsubseteq t$ such that $t'\theta = \mathrm{enc}(u,k)$, or $\mathrm{enc}(u,k) \sqsubseteq y\theta$ for some $y \in V(t)$. In the first case take $v = t'$, $w = t$. In the second case, by the definition of deducibility constraint systems, there exists $(T_j \Vdash y) \in C$ with $j < i$. Since $T_j\theta \vdash y\theta$ and $T_j\theta \nvdash k$ (since $T_j \subseteq T_i$), we deduce by induction hypothesis that there exists a non-variable term $v$ such that $v \sqsubseteq w$ for some $w \in T_j$, hence $w \in T_i$, and $v\theta = \mathrm{enc}(u,k)$.
—(decomposition rule) Let $m'$ be the premise of the rule. We have that $T_i\theta \vdash m'$ (with a proof of strictly smaller length) and $m \sqsubseteq m'$, thus $\mathrm{enc}(u,k) \sqsubseteq m'$. By induction hypothesis, we deduce that there exists a non-variable term $v$ such that $v \sqsubseteq w$ for some $w \in T_i$ and $v\theta = \mathrm{enc}(u,k)$.
—(composition rule) All cases are similar to the previous one except if $m = \mathrm{enc}(u,k)$ and the rule is the encryption rule $S \vdash x,\ S \vdash y \ \Rightarrow\ S \vdash \mathrm{enc}(x,y)$. But this case contradicts $T_i\theta \nvdash k$.

The following simple lemma is also needed for the proof of Lemma 5.15.

LEMMA 5.14. Let $T \Vdash x$ be a constraint of a solved deducibility constraint system $C$, $\theta$ be a solution, $k \in \mathit{hidden}(T\theta)$, and $m$ a term such that $T\theta \vdash m$. If $k\ \rho_1\ m$ then there is $t \in T$ such that $k\ \rho_1\ t$.

PROOF. We write $C$ as $\bigwedge_i (T_i \Vdash x_i)$, with $1 \le i \le n$ and $T_i \subseteq T_{i+1}$. Consider the index $i$ of the constraint $T \Vdash x$, that is, such that $(T_i \Vdash u_i) \in C$, $T_i = T$ and $u_i = x$. The lemma is proved by induction on $(i, l)$ (lexicographic ordering), where $l$ is the length of the proof of $T_i\theta \vdash m$. Consider the last rule of the proof:
—(axiom rule) $m \in T_i\theta$ or $m$ is a public constant. If $m$ is a public constant then $k \ne m$ since $k \in \mathit{hidden}(T\theta)$. Thus there is $t \in T_i$ such that $m = t\theta$.
If $k\ \rho_1\ t$ then we are done. Otherwise there is a variable $y \in V(t)$ such that $k\ \rho_1\ y\theta$. Also, there is $j < i$ such that $T_j \Vdash y$ is a constraint of $C$. Then, by induction hypothesis, there is $t' \in T_j$, hence in $T_i$, such that $k\ \rho_1\ t'$.
—(composition or decomposition rule) By inspection of all the composition and decomposition rules we observe that there is always a premise $T_i\theta \vdash m'$ with $k\ \rho_1\ m'$ for some term $m'$. The conclusion then follows directly from the induction hypothesis.

The following lemma shows that it is sufficient to analyze $\tau$ when checking the properties $P_{skc}$ and $P_\prec$.

LEMMA 5.15. Let $C$ be a solved deducibility constraint system, $L$ a list of terms such that $V(L) \subseteq V(C)$ and $\mathit{lhs}(C) \subseteq L_s$, and $\theta$ a solution of $C$. For any $k, k' \in \mathit{hidden}(L_s\theta)$, if $k$ encrypts $k'$ in $L_s\theta$ then $k$ encrypts $k'$ in $L_s\tau$.

PROOF. Remember that $\mathit{hidden}(L_s\theta) = \mathit{hidden}(L_s\tau)$ (Corollary 5.9). Consider two keys $k, k' \in \mathit{hidden}(L_s\theta)$ such that $k$ encrypts $k'$ in $L_s\theta$. Then there are terms $u, u'$ such that $u' \in L_s\theta$, $\mathrm{enc}(u,k) \sqsubseteq u'$ and $k'\ \rho_1\ u$. Either (first case) there are $v, w$ such that $v \sqsubseteq w \in L_s$, $v$ non-variable and $\mathrm{enc}(u,k) = v\theta$, or (second case) $\mathrm{enc}(u,k) \sqsubseteq x\theta$ with $x \in V(L_s)$. In the second case, consider the constraint $(T_x \Vdash x) \in C$. We have $T_x\theta \vdash x\theta$, and $T_x\theta \nvdash k$ since $T_x \subseteq L_s$ and $k \in \mathit{hidden}(L_s\theta)$. Hence we can apply Lemma 5.13 to $x\theta$, $u$ and $k$ to obtain that there exists a non-variable term $v$ such that $v \sqsubseteq w$ for some $w \in T_x$ and $v\theta = \mathrm{enc}(u,k)$. Hence, in both cases, we obtained that there is a non-variable term $v \in \mathit{St}(L_s)$ (since $T_x \subseteq L_s$) such that $v\theta = \mathrm{enc}(u,k)$. Thus there is $v_0$ such that $v = \mathrm{enc}(v_0, k)$. Indeed, otherwise $v = \mathrm{enc}(v_0, y)$ for some $y \in V(L_s)$, hence $y \in V(C)$. Since $C$ is solved we have $T_y\theta \vdash y\theta$. But $y\theta = k$, contradicting $k \in \mathit{hidden}(L_s\theta)$. We have $v_0\theta = u$.
Since $k'\ \rho_1\ u$ and $k'$ is a name or a variable, either $k'\ \rho_1\ v_0$, or $k'\ \rho_1\ y\theta$ for some $y \in V(v_0)$. If $k'\ \rho_1\ v_0$ then $k$ encrypts $k'$ in $L_s$, hence in $L_s\tau$ also. If $k'\ \rho_1\ y\theta$ then from the previous lemma $k'\ \rho_1\ t$ for some $t \in T_y$, and hence $k'\ \rho_1\ y\tau$. Therefore in both cases $k$ encrypts $k'$ in $L_s\tau$.

We deduce that deciding whether there is an attack for $C$ and $P(L)$, when $P$ is interpreted as $P_{skc}$, can be done simply by deciding whether the restriction of the relation $\rho_e^{L_s\tau}$ to $K \times K$ is cyclic. Deciding whether there is an attack for $C$ and $P(L)$, when $P$ is interpreted as $P_\prec$, can be done by deciding whether the restriction to $K \times K$ of the relation $\rho_e^{L_s\tau}$ has the following property $Q$: there are $k, k' \in K$ such that $k\ \rho_e^{L_s\tau}\ k'$ and $k \not\prec k'$. Checking the cyclicity of the relation $\rho_e^{L_s\tau}$ reduces to checking the cyclicity of the corresponding directed graph, using a classic algorithm in $O(|K|^2)$. Then, checking the property $Q$ can be performed by analyzing all pairs $(k, k') \in K \times K$, hence also in $O(|K|^2)$.

Verifying any of the three properties requires a preliminary step of computing $K = \mathit{hidden}(L_s\tau)$. Computing deducible subterms can be performed in linear time, hence this computation step requires $O(|L_s\tau|)$. Now $|L_s\tau| \le |L_s| + |\tau| \le |L_s| + O(|C|)$. If $\mathit{lhs}(C) \subseteq L_s$, then $|L_s\tau| = O(|L|)$. It follows that the complexity of deciding whether there is an attack for $C$ and $P(L)$ is $O(|L|^2)$, when $P$ is interpreted as $P_{kc}$, $P_{skc}$ or $P_\prec$.

5.5 NP-completeness

Let $C$ be a deducibility constraint system and $L$ a list of terms such that $V(L_s) \subseteq V(C)$ and $\mathit{lhs}(C) \subseteq L_s$.
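Before turning to NP-hardness, here is the decision procedure of Section 5.4 run on a concrete ground set of terms (the role played by $L_s\tau$ once the system is solved). This is an added example, not code from the paper, and the sample term sets in it are constructed for illustration. Symmetric Dolev-Yao terms are nested Python tuples; hidden(T) is obtained by saturating T under projection and decryption; key_cycle_attack runs the $K_i$ fixpoint of Lemma 5.12; strict_key_cycle_attack builds the encrypts relation restricted to $K \times K$ and checks it for a cycle by depth-first search; ordering_attack checks property $Q$ for an ordering $\prec$ given as the set of pairs $(k, k')$ with $k \prec k'$. Two readings are assumptions of the example rather than definitions taken from the text: the key set of $T$ is taken to be the names occurring in key position, and $k'\ \rho_1\ u$ is read as "$k'$ occurs as a subterm of $u$".

```python
"""Added example (not from the paper): the Section 5.4 checks on a ground set of terms.
Terms: a name is a str (keys are names); ('pair', a, b); ('enc', m, k)."""


def is_name(t):
    return isinstance(t, str)

def pair(a, b):
    return ('pair', a, b)

def enc(m, k):
    return ('enc', m, k)

def subterms(t):
    out = {t}
    if not is_name(t):
        for s in t[1:]:
            out |= subterms(s)
    return out

def deducible_names(terms):
    """Names the intruder obtains from `terms` by projection and decryption.
    Composition never produces a fresh name, so saturating by decomposition suffices."""
    known = set(terms)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if is_name(t):
                continue
            new = {t[1], t[2]} if t[0] == 'pair' else ({t[1]} if t[2] in known else set())
            if not new <= known:
                known |= new
                changed = True
    return {t for t in known if is_name(t)}

def hidden_keys(terms):
    """hidden(T): names used in key position in T that are not deducible from T.
    (Taking 'the keys of T' to be the names in key position is this example's assumption.)"""
    used_as_key = {s[2] for t in terms for s in subterms(t) if not is_name(s) and s[0] == 'enc'}
    return used_as_key - deducible_names(terms)

def plaintext_occurrences(k, terms):
    """One entry per plain-text occurrence of k in `terms`: the set of keys protecting it,
    i.e. the keys of the encryptions enclosing that occurrence. Key positions are not visited."""
    found = []

    def walk(t, protectors):
        if is_name(t):
            if t == k:
                found.append(protectors)
        elif t[0] == 'pair':
            walk(t[1], protectors)
            walk(t[2], protectors)
        else:
            walk(t[1], protectors | {t[2]})

    for t in terms:
        walk(t, frozenset())
    return found

def key_cycle_attack(terms):
    """P_kc (Lemma 5.12): K_0 = {}, K_i = {k in K | every plain-text occurrence of k is
    protected by some key of K_{i-1}}, iterated until stable; attack iff the limit is not K."""
    K = hidden_keys(terms)
    prev = set()
    while True:
        cur = {k for k in K if all(p & prev for p in plaintext_occurrences(k, terms))}
        if cur == prev:
            return cur != K
        prev = cur

def encrypts_relation(terms, K):
    """Edges (k, k') with enc(u, k) a subterm of `terms` and k' a subterm of u, restricted to K x K.
    (Reading 'k' rho_1 u' as 'k' occurs in u' is this example's assumption.)"""
    edges = set()
    for t in terms:
        for s in subterms(t):
            if not is_name(s) and s[0] == 'enc' and s[2] in K:
                edges |= {(s[2], k2) for k2 in subterms(s[1]) if is_name(k2) and k2 in K}
    return edges

def has_cycle(edges):
    """Directed-graph cycle detection by depth-first search (reaching a node on the stack = cycle)."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    state = {}  # absent: unvisited, 1: on the DFS stack, 2: finished

    def visit(v):
        state[v] = 1
        for w in succ.get(v, ()):
            s = state.get(w)
            if s == 1 or (s is None and visit(w)):
                return True
        state[v] = 2
        return False

    return any(v not in state and visit(v) for v in list(succ))

def strict_key_cycle_attack(terms):
    """P_skc: the encrypts relation restricted to the hidden keys is cyclic."""
    return has_cycle(encrypts_relation(terms, hidden_keys(terms)))

def ordering_attack(terms, prec):
    """P_prec, property Q of the text: some k encrypts k' with (k, k') not in prec."""
    return any(e not in prec for e in encrypts_relation(terms, hidden_keys(terms)))

if __name__ == '__main__':
    samples = {  # constructed sample sets standing in for L_s tau
        'chain  enc(k1,k2), enc(k2,k3), enc(m,k1)': {enc('k1', 'k2'), enc('k2', 'k3'), enc('m', 'k1')},
        'self   enc(k,k)': {enc('k', 'k')},
        'cycle  enc(<k1,k2>,k3), enc(k3,k1)': {enc(pair('k1', 'k2'), 'k3'), enc('k3', 'k1')},
        'leaked enc(k1,k2), k2': {enc('k1', 'k2'), 'k2'},
    }
    for label, terms in samples.items():
        print(f"{label}: hidden={sorted(hidden_keys(terms))} "
              f"P_kc attack={key_cycle_attack(terms)} P_skc attack={strict_key_cycle_attack(terms)}")
```

On the chain set the fixpoint reaches $K_1 = \{k_3\}$, $K_2 = \{k_2, k_3\}$, $K_3 = K$, so no key cycle exists; on enc(k, k) the fixpoint stays at $K_1 = \emptyset \ne K$, which is the key cycle; and in the leaked set $k_2$ is deducible, so $k_1$ is too, $K = \emptyset$ and nothing is to be checked. The fixpoint is the topological-sort-style computation the text describes, with one pass over the term set per $K_i$.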
The NP membership of deciding whether there is an attack for $C$ and $P(L)$ (for our three possible interpretations of $P$) follows immediately from Corollary 4.18 and Proposition 5.10. NP-hardness is obtained by adapting the NP-hardness construction of [Rusinowitch and Turuani 2003]. More precisely, we consider the reduction of the 3SAT problem to our problem. For any 3SAT Boolean formula we construct a protocol such that the intruder can deduce a key cycle if and only if the formula is satisfiable. The construction is the same as in [Rusinowitch and Turuani 2003] (pages 15 and 16) except that, in the last rule, the participant responds with the term $\mathrm{enc}(k,k)$, for some fresh key $k$ (initially secret), instead of $\mathit{Secret}$. Then it is easy to see that the only way to produce a key cycle on a secret key is to play this last rule, which is equivalent, using [Rusinowitch and Turuani 2003], to the satisfiability of the corresponding 3SAT formula.

6. AUTHENTICATION-LIKE PROPERTIES

We propose a simple decidable logic for security properties. This logic enables in particular to specify authentication-like properties.

6.1 A simple logic

The logic enables term comparisons and is closed under Boolean connectives.

Definition 6.1. The logic $\mathcal{L}$ is inductively defined by
$$\varphi ::= [m_1 = m_2] \mid \neg\varphi \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \bot \qquad (m_1, m_2 \text{ terms})$$
$V(\varphi)$ is the set of variables occurring in its atomic formulas. $\sigma \models [m_1 = m_2]$ if $m_1\sigma$ and $m_2\sigma$ are identical terms; $\sigma \not\models \bot$. This satisfaction relation is extended to all the above formulas, interpreting the Boolean connectives as usual.

Example 6.2. Let us consider again the authentication property introduced in Example 3.8. There is an attack on authentication between $A$ and $B$ if $A$ and $B$ do not agree on the nonce $n'_a$ sent by $A$ for $B$, that is, if $x \ne n'_a$ at the end of the run of the protocol.
This can be expressed by the following formula:
$$\varphi_1 = [x \ne n'_a]$$
The substitution $\sigma_1$ (mapping $x$ to $n_a$) is an attack for $C'_1$ (defined in Example 3.8) and $\varphi_1$, and demonstrates a failure of authentication.

More sophisticated properties can be expressed using the logic $\mathcal{L}$. For example, when two sessions of the same role are executed, one can express that an agent has received exactly once the right nonce $n_a$, with the following formula:
$$\varphi_2 = ([x_1 = n_a] \wedge [x_2 \ne n_a]) \vee ([x_1 \ne n_a] \wedge [x_2 = n_a])$$
where $x_1$ (resp. $x_2$) represents the nonce received by the agent in the first (resp. second) session. We can also express properties of the form: if two agents agree on some term $u$, they also agree on some term $v$. This can indeed be modeled by the formula
$$\varphi_3 = [u_1 = u_2] \rightarrow [v_1 = v_2]$$
where $u_1$ (resp. $u_2$) represents the view of $u$ by the first (resp. second) agent and $v_1$ (resp. $v_2$) represents the view of $v$ by the first (resp. second) agent. The formula $A \rightarrow B$ is the usual notation for the formula $\neg A \vee B$.

6.2 Decidability

THEOREM 6.3. Let $C$ be a deducibility constraint system and $\varphi$ be a formula of $\mathcal{L}$. Deciding whether there is an attack for $C$ and $\varphi$ can be performed in non-deterministic polynomial time.

PROOF. First, after pushing negations down to the atomic formulas, and choosing non-deterministically $\varphi_1$ or $\varphi_2$ in any subformula $\varphi_1 \vee \varphi_2$, we may w.l.o.g. only consider the case where $\varphi$ is a conjunction $\bigwedge_j [u_j = u'_j] \wedge \varphi_d$, where $\varphi_d = \bigwedge_l [v_l \ne v'_l]$. Let $\sigma$ be a mgu (idempotent, which does not introduce new variables) of $\bigwedge_j u_j = u'_j$. The deducibility constraint system $C$ has a joined solution with $\varphi$ if and only if $C\sigma$ and $\varphi_d\sigma$ have a common solution.
As in the previous sections, we choose a representation of expressions such that applying a mgu of subterms of an expression $e$ to $e$ does not increase the size of $e$. We are now left with the case where we have to decide whether a deducibility constraint system has a solution together with a property of the form $\varphi = \bigwedge_{i=1}^k [u_i \ne v_i]$. Applying Theorem 4.3, there exists a solution $\theta$ of $C$ and $\varphi$ if and only if there exist a deducibility constraint system $C'$ in solved form and substitutions $\sigma, \theta'$ such that $\theta = \sigma\theta'$, $C \leadsto^*_\sigma C'$ and $\theta'$ is an attack for $C'$ and $\varphi\sigma$. Thus we are now left to decide whether there exists a solution to a solved constraint system $C'$ and a formula $\varphi\sigma$ of the form $\varphi\sigma = \bigwedge_{i=1}^k [u_i \ne v_i]$. If, for some $i$, $u_i$ is identical to $v_i$, then there is clearly no solution. We claim that, otherwise, there is always a solution. This is an independence of disequations lemma (as in [Colmerauer 1984] for instance), and the proof is similar to other independence of disequations lemmas:

LEMMA 6.4. Let $C$ be a solved deducibility constraint system and $\varphi$ be the formula $t_1 \ne u_1 \wedge \ldots \wedge t_n \ne u_n$ such that $V(\varphi) \subseteq V(C)$ and, for every $i$, $t_i$ is not identical to $u_i$. Then there is always a solution $\theta$ of $C$ and $\varphi$.

This is proved by induction on the number of variables of $\varphi$. In the base case there is no variable and the result is trivial, as $\varphi$ is a tautology. Let $T_0$ be the smallest left-hand side of $C$. $T_0$ must be a non-empty set of ground terms. Note that the set of terms deducible from $T_0$ is infinite. Let $x \in V(\varphi)$. For each $i$, either $t_i = u_i$ has no solution, in which case $t_i \ne u_i$ is always satisfied, or else let $S = \{x\sigma_i \mid \sigma_i = \mathrm{mgu}(t_i, u_i)\}$. We choose $t_x$ such that $T_0 \vdash t_x$ and $t_x \notin S$. This is possible since $S$ is finite and there are infinitely many terms deducible from $T_0$.
Now, for every $i$, $t_i[t_x/x]$ is not identical to $u_i[t_x/x]$ by construction. Hence we may apply the induction hypothesis to $\varphi[t_x/x]$ and conclude.

7. TIMESTAMPS

For modeling timestamps, we introduce a new sort $\mathit{Time} \subseteq \mathit{Msg}$ for time and we assume an infinite number of names of sort $\mathit{Time}$, represented by rational numbers or integers. We assume that the only two sorts are $\mathit{Time}$ and $\mathit{Msg}$. Any value of time should be known to an intruder, which is why we add to the deduction system the rule $S \vdash a$ for any name $a$ of sort $\mathit{Time}$. All the previous results can be easily extended to such a deduction system since ground deducibility remains decidable in polynomial time.

To express relations between timestamps, we use timed constraints.

Definition 7.1. An integer timed constraint or a rational timed constraint $\mathcal{T}$ is a conjunction of formulas of the form $\sum_{i=1}^k \alpha_i x_i \ltimes \beta$, where the $\alpha_i$ and $\beta$ are rational numbers, $\ltimes \in \{<, \le\}$, and the $x_i$ are variables of sort $\mathit{Time}$. A solution of a rational (resp. integer) timed constraint $\mathcal{T}$ is a closed substitution $\sigma = \{c_1/x_1, \ldots, c_k/x_k\}$, where the $c_i$ are rationals (resp. integers), that satisfies the constraint.

Such timed properties can be used for example to say that a timestamp $x_1$ must be fresher than a timestamp $x_2$ ($x_1 \ge x_2$) or that $x_1$ must be at least 30 seconds fresher than $x_2$ ($x_1 \ge x_2 + 30$).

Example 7.2. We consider the Wide Mouthed Frog Protocol [Clark and Jacob 1997].
$$A \rightarrow S : A, \mathrm{enc}(\langle T_a, B, K_{ab}\rangle, K_{as})$$
$$S \rightarrow B : \mathrm{enc}(\langle T_s, A, K_{ab}\rangle, K_{bs})$$
$A$ sends to a server $S$ a fresh key $K_{ab}$ intended for $B$. If the timestamp $T_a$ is fresh enough, the server answers by forwarding the key to $B$, adding its own timestamp.
$B$ simply checks that this timestamp is more recent than that of any other message he has received from $S$. As explained in [Clark and Jacob 1997], this protocol is flawed because an attacker can use the server to keep a session alive as long as he wants by replaying the answers of the server. This protocol can be modeled by the following deducibility constraint system:
$$S_1 \stackrel{\mathrm{def}}{=} \{a, b, s, \langle a, \mathrm{enc}(\langle 0, b, k_{ab}\rangle, k_{as})\rangle\} \Vdash \langle a, \mathrm{enc}(\langle x_{t_1}, b, y_1\rangle, k_{as})\rangle, x_{t_2} \qquad (6)$$
$$S_2 \stackrel{\mathrm{def}}{=} S_1 \cup \{\mathrm{enc}(\langle x_{t_2}, a, y_1\rangle, k_{bs})\} \Vdash \langle b, \mathrm{enc}(\langle x_{t_3}, a, y_2\rangle, k_{bs})\rangle, x_{t_4} \qquad (7)$$
$$S_3 \stackrel{\mathrm{def}}{=} S_2 \cup \{\mathrm{enc}(\langle x_{t_4}, b, y_2\rangle, k_{as})\} \Vdash \langle a, \mathrm{enc}(\langle x_{t_5}, b, y_3\rangle, k_{as})\rangle, x_{t_6} \qquad (8)$$
$$S_4 \stackrel{\mathrm{def}}{=} S_3 \cup \{\mathrm{enc}(\langle x_{t_6}, a, y_3\rangle, k_{bs})\} \Vdash \mathrm{enc}(\langle x_{t_7}, a, k_{ab}\rangle, k_{bs}) \qquad (9)$$
where $y_1, y_2, y_3$ are variables of sort $\mathit{Msg}$ and $x_{t_1}, \ldots, x_{t_7}$ are variables of sort $\mathit{Time}$. We add explicitly the timestamps emitted by the agents on the right-hand side of the constraints (that is, in the messages expected by the participants), since the intruder can schedule the message transmission whenever he wants. Note that on the right-hand side of the constraints we do have terms, but by abuse of notation we have omitted the pairing function symbol. Initially, the intruder simply knows the names of the agents and $A$'s message at time 0. Then $S$ answers alternately to requests from $A$ and $B$. Since the intruder controls the network, the messages can be scheduled as slowly (or as fast) as the intruder needs. The server $S$ should not answer if $A$'s timestamp is too old (say, older than 30 seconds), thus $S$'s timestamp cannot be delayed too much (no more than 30 seconds). This means that we should have $x_{t_2} \le x_{t_1} + 30$. Similarly, we should have $x_{t_4} \le x_{t_3} + 30$ and $x_{t_6} \le x_{t_5} + 30$.
The last rule corresponds to $B$'s reception. In this scenario, $B$ does not perform any check on the timestamp since it is the first message he receives. We say that there is an attack if there is a joined solution of the deducibility constraint system and the previously mentioned time constraints together with $x_{t_7} \ge 30$. This last constraint expresses that the timestamp received by $B$ is too large to come from $A$. Altogether, the time constraint becomes
$$x_{t_2} \le x_{t_1} + 30 \ \wedge\ x_{t_4} \le x_{t_3} + 30 \ \wedge\ x_{t_6} \le x_{t_5} + 30 \ \wedge\ x_{t_7} \ge 30.$$
Then the substitution corresponding to the attack is
$$\sigma = \{k_{ab}/y_1, k_{ab}/y_2, k_{ab}/y_3, 0/x_{t_1}, 30/x_{t_2}, 30/x_{t_3}, 60/x_{t_4}, 60/x_{t_5}, 90/x_{t_6}, 90/x_{t_7}\}.$$

PROPOSITION 7.3. There is an attack on a solved deducibility constraint system and a time constraint $\mathcal{T}$ iff $\mathcal{T}$ has a solution.

PROOF SKETCH. Let $C$ be a solved deducibility constraint system and $\mathcal{T}$ a timed constraint. Let $y_1, \ldots, y_n$ be the variables of sort $\mathit{Msg}$ in $C$ and $x_1, \ldots, x_k$ the variables of sort $\mathit{Time}$ in $C$. Clearly, any substitution $\sigma$ of the form $y_i\sigma = u_i$ where $u_i \in S_i$ for some $(S_i \Vdash y_i) \in C$, and $x_i\sigma = t_i$ for $t_i$ any constant of sort $\mathit{Time}$, is a solution of $C$. Let $\sigma'$ be the restriction of $\sigma$ to the timed variables $x_1, \ldots, x_k$. $\sigma$ is an attack for $C$ and $\mathcal{T}$ if and only if $\sigma'$ is a solution of $\mathcal{T}$. Thus there exists an attack for $C$ and $\mathcal{T}$ if and only if $\mathcal{T}$ is satisfiable.

COROLLARY 7.4. Deciding whether a deducibility constraint system, together with a time constraint, has a solution is NP-complete.

PROOF. The NP membership follows from the NP membership of time constraint satisfiability, Theorem 4.3 and Proposition 7.3. NP-hardness directly follows from the NP-hardness of deducibility constraint system solving, considering an empty timed constraint.
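Proposition 7.3 reduces the timestamp check on a solved system to the satisfiability of the timed constraint. For the Wide Mouthed Frog constraint of Example 7.2 every conjunct has the shape $x_i - x_j \le c$ (a difference constraint), which is decidable by a shortest-path computation: the following added example, which is not part of the paper, encodes each $x_i - x_j \le c$ as an edge $j \rightarrow i$ of weight $c$ and runs Bellman-Ford; the constraint is satisfiable iff that graph has no negative cycle, and the distances then form a solution. Assumptions of the example: $x_{t_1} = 0$ and the equ alities $x_{t_3} = x_{t_2}$, $x_{t_5} = x_{t_4}$, $x_{t_7} = x_{t_6}$, which the deducibility constraints (6)–(9) force because $k_{as}$ and $k_{bs}$ are not deducible and the only ciphertexts under them are the ones forwarded, are added as explicit constraints, and $x_{t_7} \ge 30$ is written relative to $x_{t_1}$; only $\le$ constraints are handled (over the integers a strict $x < c$ is $x \le c - 1$). The optional `extra` argument of `wmf_attack` is a constructed variant used to show an unsatisfiable instance; the page does not model that check.

```python
"""Added example (not from the paper): satisfiability of the timed constraint of Example 7.2
as a system of difference constraints x_i - x_j <= c, decided by Bellman-Ford."""

TIME_VARS = ['xt1', 'xt2', 'xt3', 'xt4', 'xt5', 'xt6', 'xt7']


def solve_difference_constraints(variables, constraints):
    """constraints: list of (i, j, c) meaning x_i - x_j <= c.
    Returns an assignment {var: value} satisfying all of them, or None if unsatisfiable.
    Each constraint is the edge j -> i of weight c; starting every distance at 0 is the
    usual virtual-source construction, and a negative cycle means no solution exists."""
    dist = {v: 0 for v in variables}
    edges = [(j, i, c) for (i, j, c) in constraints]
    for _ in range(len(variables)):
        changed = False
        for j, i, c in edges:
            if dist[j] + c < dist[i]:
                dist[i] = dist[j] + c
                changed = True
        if not changed:
            break
    for j, i, c in edges:
        if dist[j] + c < dist[i]:  # still relaxable after |V| rounds: negative cycle
            return None
    return dist


def satisfies(assignment, constraints):
    return all(assignment[i] - assignment[j] <= c for i, j, c in constraints)


def wmf_time_constraints():
    """The timed constraint of Example 7.2 in difference form."""
    cons = [
        ('xt2', 'xt1', 30),   # x_t2 <= x_t1 + 30  (S answers A within 30 s)
        ('xt4', 'xt3', 30),   # x_t4 <= x_t3 + 30
        ('xt6', 'xt5', 30),   # x_t6 <= x_t5 + 30
        ('xt1', 'xt7', -30),  # x_t7 >= 30, written as x_t1 - x_t7 <= -30 with x_t1 = 0 (assumption)
    ]
    # Equalities forced by the deducibility constraints (6)-(9): the timestamps S emits are
    # the ones replayed back to it (assumption of this example, see the lead-in).
    for a, b in [('xt3', 'xt2'), ('xt5', 'xt4'), ('xt7', 'xt6')]:
        cons += [(a, b, 0), (b, a, 0)]
    return cons


def wmf_attack(extra=()):
    """Timestamps of an attack on the WMF model (normalised so that x_t1 = 0), or None when the
    timed constraint, extended with the constructed `extra` difference constraints, is unsatisfiable."""
    cons = wmf_time_constraints() + list(extra)
    dist = solve_difference_constraints(TIME_VARS, cons)
    if dist is None:
        return None
    return {v: dist[v] - dist['xt1'] for v in TIME_VARS}


if __name__ == '__main__':
    print('attack timestamps:', wmf_attack())
    # Constructed variant: B additionally rejects a timestamp more than 29 s after A's.
    print('with B freshness check:', wmf_attack([('xt7', 'xt1', 29)]))
```

Bellman-Ford returns the least-delay solution, here $x_{t_1} = 0$ and every other timestamp equal to 30; the paper's substitution $\sigma$ (30, 60, 90) satisfies the same constraint and is one of its other solutions. Adding the constructed bound $x_{t_7} - x_{t_1} \le 29$ closes a negative cycle with $x_{t_1} - x_{t_7} \le -30$, so the solver reports no attack.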
8. CONCLUSIONS

We have shown how, revisiting the approach of [Comon-Lundh and Shmatikov 2003; Rusinowitch and Turuani 2003], we can preserve the set of solutions instead of only deciding satisfiability. We also derived NP-completeness results for some security properties: key cycles, authentication, time constraints.

Since the constraint-based approach [Comon-Lundh and Shmatikov 2003; Rusinowitch and Turuani 2003] has already been implemented in AVISPA [Armando et al. 2005], it is likely that we can, with only slight effort, adapt this implementation to the case of key cycles and timestamps.

More generally, we would like to take advantage of our result to derive decision procedures for even more security properties. A typical example would be the combination of several properties. Also, we could investigate non-trace properties such as anonymity or guessing attacks, for which there are very few decision results (only [Baudet 2005], whose procedure is quite complex).

Regarding key cycles, our approach is valid for a bounded number of sessions only. Secrecy is undecidable in general [Durgin et al. 2004] for an unbounded number of sessions. Such an undecidability result could be easily adapted to the problem of detecting key cycles. Secrecy is decidable for several classes of protocols [Ramanujam and Suresh 2003; Comon-Lundh and Cortier 2003; Blanchet and Podelski 2003; Verma et al. 2005] and an unbounded number of sessions. We plan to investigate how such fragments could be used to decide key cycles.

Acknowledgments. We are particularly grateful to Michael Backes, Michaël Rusinowitch, Stéphanie Delaune, and Bogdan Warinschi for their very helpful suggestions.

REFERENCES

ABADI, M. AND ROGAWAY, P. 2002.
Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology 15, 2, 103–127.
ADÃO, P., BANA, G., HERZOG, J., AND SCEDROV, A. 2005. Soundness of formal encryption in the presence of key-cycles. In Proc. of the 10th European Symposium on Research in Computer Security (ESORICS'05). Lecture Notes in Computer Science, vol. 3679. Springer Verlag, 374–396.
AMADIO, R. AND LUGIEZ, D. 2000. On the reachability problem in cryptographic protocols. In Proc. of the 11th Int. Conf. on Concurrency Theory (CONCUR'00). Lecture Notes in Computer Science, vol. 1877. Springer Verlag, 380–394.
ARMANDO, A., BASIN, D., BOICHUT, Y., CHEVALIER, Y., COMPAGNA, L., CUELLAR, J., DRIELSMA, P. H., HÉAM, P., KOUCHNARENKO, O., MANTOVANI, J., MÖDERSHEIM, S., VON OHEIMB, D., RUSINOWITCH, M., SANTIAGO, J., TURUANI, M., VIGANÒ, L., AND VIGNERON, L. 2005. The AVISPA tool for the automated validation of internet security protocols and applications. In Proc. of Computer Aided Verification (CAV'05). Lecture Notes in Computer Science, vol. 3576. Springer Verlag.
BACKES, M. AND PFITZMANN, B. 2004. Symmetric encryption in a simulatable Dolev-Yao style cryptographic library. In Proc. of the 17th IEEE Computer Security Foundations Workshop (CSFW'04). IEEE Computer Society Press, 204–218.
BACKES, M., PFITZMANN, B., AND SCEDROV, A. 2007. Key-dependent message security under active attacks – BRSIM/UC-soundness of symbolic encryption with key cycles. In Proc. of the 20th IEEE Computer Security Foundations Symposium (CSF'07). IEEE Computer Society Press. Preprint on IACR ePrint 2005/421.
BAUDET, M. 2005.
Deciding security of protocols against off-line guessing attacks. In Proc. of the 12th ACM Conf. on Computer and Communications Security (CCS'05). ACM Press, 16–25.
BELLARE, M. AND ROGAWAY, P. 1993. Entity authentication and key distribution. In Proc. of the 13th Annual Int. Conf. on Advances in Cryptology (CRYPTO'93). Lecture Notes in Computer Science, vol. 773. Springer Verlag, 232–249.
BLANCHET, B. 2001. An efficient cryptographic protocol verifier based on Prolog rules. In Proc. of the 14th IEEE Computer Security Foundations Workshop (CSFW'01). IEEE Computer Society Press, 82–96.
BLANCHET, B. AND PODELSKI, A. 2003. Verification of cryptographic protocols: Tagging enforces termination. In Foundations of Software Science and Computation Structures (FoSSaCS'03), A. Gordon, Ed. Lecture Notes in Computer Science, vol. 2620. Springer Verlag, 136–152.
BOZGA, L., ENE, C., AND LAKHNECH, Y. 2004. A symbolic decision procedure for cryptographic protocols with time stamps. In Proc. of the 15th Int. Conf. on Concurrency Theory (CONCUR'04). Lecture Notes in Computer Science, vol. 3170. Springer Verlag, 177–192.
BURSUC, S., COMON-LUNDH, H., AND DELAUNE, S. 2007. Associative-commutative deducibility constraints. In Proc. of the 24th Annual Symposium on Theoretical Aspects of Computer Science (STACS'07). Lecture Notes in Computer Science, vol. 4393. Springer Verlag, 634–645.
CLARK, J. AND JACOB, J. 1997. A survey of authentication protocol literature. Available at http://www.cs.york.ac.uk/~jac/papers/drareviewps.ps.
COLMERAUER, A. 1984. Equations and inequations on finite and infinite trees. In Proc. of the Int. Conf. on Fifth Generation Computer Systems (FGCS'84). 85–99.
COMON-LUNDH, H. AND CORTIER, V. 2003.
New decidability results for fragments of first-order logic and application to cryptographic protocols. In Proc. of the 14th Int. Conf. on Rewriting Techniques and Applications (RTA'03). Lecture Notes in Computer Science, vol. 2706. Springer Verlag, 148–164.
COMON-LUNDH, H. AND SHMATIKOV, V. 2003. Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In Proc. of the 18th Annual IEEE Symposium on Logic in Computer Science (LICS'03). IEEE Computer Society Press, 271–280.
CORIN, R. 2006. Analysis models for security protocols. Ph.D. thesis, University of Twente, The Netherlands.
CORIN, R. AND ETALLE, S. 2002. An improved constraint-based system for the verification of security protocols. In Proc. of the 9th Int. Symposium on Static Analysis (SAS'02). Lecture Notes in Computer Science, vol. 2477. Springer Verlag, 326–341.
CORIN, R. J., SAPTAWIJAYA, A., AND ETALLE, S. 2005. PS-LTL for constraint-based security protocol analysis. In Proc. of the 21st Int. Conf. on Logic Programming (ICLP'05). Lecture Notes in Computer Science, vol. 3668. Springer Verlag, 439–440.
CORTIER, V., DELAITRE, J., AND DELAUNE, S. 2007. Safely composing security protocols. In Proc. of the 27th Int. Conf. on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'07). Lecture Notes in Computer Science, vol. 4855. Springer Verlag, 352–363.
CORTIER, V., KREMER, S., KÜSTERS, R., AND WARINSCHI, B. 2006. Computationally sound symbolic secrecy in the presence of hash functions. In Proc. of the 26th Int. Conf. on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'06). Lecture Notes in Computer Science, vol. 4337.
Springer Verlag, 176–187.
CORTIER, V. AND ZĂLINESCU, E. 2006. Deciding key cycles for security protocols. In Proc. of the 13th Int. Conf. on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR'06). Lecture Notes in Artificial Intelligence, vol. 4246. Springer Verlag, 317–331.
CREMERS, C. 2008. The Scyther Tool: Verification, falsification, and analysis of security protocols. In Proc. of the 20th Int. Conf. on Computer Aided Verification (CAV'08). Lecture Notes in Computer Science, vol. 5123. Springer Verlag, 414–418.
DURGIN, N., LINCOLN, P., AND MITCHELL, J. 2004. Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security 12, 2, 247–311.
DURGIN, N., LINCOLN, P., MITCHELL, J., AND SCEDROV, A. 1999. Undecidability of bounded security protocols. In Proc. of the Workshop on Formal Methods and Security Protocols.
GOLDWASSER, S. AND MICALI, S. 1984. Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299.
HOFHEINZ, D. AND UNRUH, D. 2008. Towards key-dependent message security in the standard model. In EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965. Springer Verlag, 108–126. Preprint on IACR ePrint 2007/333.
JANVIER, R. 2006. Lien entre modèles symboliques et computationnels pour les protocoles cryptographiques utilisant des hachages. Ph.D. thesis, Université Joseph Fourier, Grenoble.
JANVIER, R., LAKHNECH, Y., AND MAZARÉ, L. 2005. (De)Compositions of cryptographic schemes and their applications to protocols. Cryptology ePrint Archive, Report 2005/020.
LAUD, P. 2002. Encryption cycles and two views of cryptography. In Proc. of the Nordic Workshop on Secure IT Systems (NORDSEC'02).
LOWE, G. 1996.
Bre aking and fixing the Needham-Schroed er public-k ey protocol using FDR. In Proc . of the 2nd Int. W orkshop on T ools and Algo rithms f or the Constructio n and Analy sis of Systems (TA CAS’96) . Lecture Notes in Computer Scienc e, vol. 1055. Springer V erla g, 147–166. L OW E , G . 1998. T o wards a completene ss result for m odel checking of security protocols. In Proc . of the 11th IEEE Compute r Security F oundations W orkshop (CSFW’98) . IEE E Compute r Society Press. M I C C I A N C I O , D . A N D W A R I N S C H I , B . 2004a. Complete ness theorems for the Abadi-Roga way logic of en- crypted expre ssions. Jou rnal of Computer Securit y 12, 1, 99–129. Preliminary version in WITS’02. M I C C I A N C I O , D . A N D W A R I N S C H I , B . 2004b . Soundness of formal encryp tion in the presenc e of acti ve adv er- saries. In Proc . of the 1st Theory of Cry ptogr aphy Confere nce (TCC’04) . Lecture Note s in Computer Scien ce, vol. 2951. Spring er V erlag, 133–151. M I L L E N , J . A N D S H M ATI K OV , V . 2001. Constrai nt so lving for bounded-proc ess cr yptographi c protocol analysi s. In Pr oc. of the 8th ACM C onf. on Compute r and Communicatio n Security (CCS’01) . ACM Press, 166– 175. N E E D H A M , R . M . A N D S C H R O E D E R , M . D . 1978. Using encryptio n for authentica tion in large networks of computers. Communicatio ns of the ACM 21, 12, 993–999. R A M A N U J A M , R . A N D S U R E S H , S . P. 2003. T agging m ake s secrec y decidable for unbounded nonces as well. In Pr oc. of the 23rd Conf. on F oundation s of Software T e chnolo gy and Theor etical Computer Science (FSTTCS’03) . Lecture Notes in Computer Science , vol. 2914. Springe r V erlag, 363–374. R A M A N U J A M , R . A N D S U R E S H , S . P . 2005. Decidabi lity of context-e xplic it security protocols. Jou rnal of Computer Securit y 13, 1, 135–165. ACM T ransactions on Computational Logic, V ol. V , No. N, October 2018. 
Deciding securi ty proper t ies for c r yptographic protocols · 39 R U S I N O W I T C H , M . A N D T U R U A N I , M . 200 1. Protocol insecurity with finite number of sessions is NP-complete . In Proc . of the 14th IEEE Computer Security F oundations W orkshop (CSFW’01) . IEEE Computer Society Press, 174–190. R U S I N O W I T C H , M . A N D T U R U A N I , M . 2003. Protocol insecuri ty with finite number of sessions and composed ke ys is NP-complete. Theor etical Computer Scienc e 299 , 451–475. S Y V E R S O N , P . A N D M E A D O W S , C . 1996. A formal language for cryptogra phic protocol requiremen ts. De- signes, Codes and Crypto graphy 7, 1-2, 27–59. V E R M A , K . N . , S E I D L , H . , A N D S C H W E N T I C K , T. 2005. On the complexit y of equationa l Horn clauses. In Pr oc. of the 22th Int. Conf . on Automate d Dedu ction (C ADE’05) . Lecture Notes in Computer Science. Springer V erlag, 337–352. Recei v ed August 2007; accepte d April 2008 ACM Transactions on Computational Logic, V ol. V , No. N, October 2018.