How To Find Out If A Key Cycle Is Generated During A Protocol

Deciding key cycles for security protocols

V´eronique Cortier1and Eugen Z˘alinescu1

Loria UMR 7503 & INRIA Lorraine projet Cassis & CNRS, France

Abstract. Many recent results are concerned with interpreting proofs of security done in symbolic models in the more detailed models of computational cryptog-raphy. In the case of symmetric encryption, these results stringently demand that no key cycle (e.g.{k}k) can be produced during the execution of protocols. While

security properties like secrecy or authentication have been proved decidable for many interesting classes of protocols, the automatic detection of key cycles has not been studied so far.

In this paper, we prove that deciding the existence of key-cycles is NP-complete for a bounded number of sessions. Next, we observe that the techniques that we use are of more general interest and apply them to reprove the decidability of a significant existing fragment of protocols with timestamps.

1

Introduction

Security protocols are small programs that aim at securing communications over a pub-lic network like Internet. The design of such protocols is difficult and error-prone; many attacks are discovered even several years after the publication of a protocol. Two dis-tinct approaches for the rigorous design and analysis of cryptographic protocols have been pursued in the literature: the so-called Dolev-Yao, symbolic, or formal approach on the one hand and the cryptographic, computational, or concrete approach on the other hand. In the symbolic approach, messages are modeled as formal terms that the adversary can manipulate using a fixed set of operations. The main advantage of this approach is its relative simplicity which makes it amenable to automated analysis tools (see, e.g., [9, 4, 22]). In the cryptographic approach, messages are bit strings and the adversary is an arbitrary probabilistic polynomial-time Turing machine. While results in this model yield strong security guarantees, the proofs are often quite involved and only rarely suitable for automation (see, e.g., [17, 7]).

Starting with the seminal work of Abadi and Rogaway [1], recent results investigate the possibility of bridging the gap between the two approaches. The goal is to obtain the best of both worlds: simple, automated security proofs that entail strong security guar-antees. The approach usually consists in proving that the abstraction of cryptographic primitives made in the Dolev-Yao model is correct as soon as strong enough primitives are used in the implementation. For example, it has been shown [21] that theperfect

encryption assumptionis a sound abstraction for IND-CCA2, which corresponds to a

well-established security level (a definition of this level of security can be found in [8]). The perfect encryption assumption intuitively states that encryption is a black-box that can be opened only when one has the inverse key. Otherwise, no information can be learned from a ciphertext about the underlying plaintext.

However, it is not always sufficient to find the right cryptographic hypotheses. For-mal models may need to be amended in order to be correct abstractions of the crypto-graphic models. This is in particular the case for symmetric encryption. For example, in [5], the authors consider extra-rules for the formal intruder in order to reflect the ability of a real intruder to choose its own keys in a particular manner.

A more widely used requirement is to control how keys can encrypt other keys. In a passive setting, soundness results [1, 19] require that no key cycles can be gen-erated during the execution of a protocol. Key cycles are messages likeenc(k, k)or

enc(k1, k2),enc(k2, k1)where a key encrypts itself or more generally when the en-cryption relation between keys contains a cycle. Such key cycles have to be disallowed simply because usual security definitions for encryption schemes do not provide any guarantees when such key cycles occur. In the active setting, the typical hypotheses are even stronger. For instance, in [5, 18] the authors require that a keyk1never encrypts a keyk2generated beforek1.

Some authors circumvent the problem of key cycles by providing new security def-initions for encryption that allow key cycles [3, 6]. However, the standard security no-tions do not imply these new definino-tions and ad-hoc encryption schemes have to be constructed in order to satisfy the definitions. These constructions use the random or-acle model which is provably non implementable. As a consequence, it is not known how to implement encryption schemes that satisfy the new definitions. In particular, none of the usual, implemented encryption schemes have been proved to satisfy the requirements.

Our main contribution is an NP-complete decision procedure for detecting the gen-eration of key cycles during the execution of a protocol, in the presence of an in-truder, for a bounded number of sessions. To the best of our knowledge, this prob-lem has not been addressed before. We therefore provide a necessary component for automated tools used in proving strong, cryptographical security properties, using ex-isting soundness results. Our result has been obtained following the classical approach of Rusinowitch-Turuani [24], revisited by Comon-Lundh [13, 15], where protocols are represented by constraint systems. Since this initial procedure is already implemented in Avispa [4] for deciding secrecy and authentication properties, we believe that our al-gorithm can be easily implemented since it can be adapted from the existing procedure. Our second contribution is to provide a generic approach derived from [13, 15] to decide general security properties. Comon-Lundh showed that any constraint system can be transformed in (possibly several) much simpler constraint systems that are called

solved forms. We show using (almost) the same transformation rules that, in order to

verify a property on a constraint system, it is always sufficient to verify the property on the solved forms obtained after transformation. Compared to [13, 15], the framework is slightly extended since we consider sorted terms, symmetric and asymmetric encryp-tion, pairing and signatures. We use this approach to first prove NP-completeness of the key-cycle problem but also to show co-NP-completeness of secrecy for protocols with timestamps. We actually retrieve a significant fragment of the decidable class identified by Bozgaet al[11]. We believe our result can lead more easily to an implementation since, again, we only need to adapt the procedure implemented in Avispa [4] while

Bozgaet alhave designed a completely new decision procedure, whichde factohas not been implemented.

The messages and the intruder capabilities are modeled in Section 2. In Section 3.1, we define constraint systems and show how they can be used to express protocol ex-ecutions. In Section 3.2, we define security properties and the notion of satisfiability of constraint systems. In 3.3, we explain how the satisfiability problem of any secu-rity property can be reduced to the satisfiability of the same problem but on simpler constraint systems. We show in Section 4.1 how this approach can be used to obtain our main result of NP-completeness of the generation of key cycles and in Section 4.2 how it can be used to derive NP-completeness for protocols with timestamps. Some concluding remarks about further work can be found in Section 5.

2

Messages and intruder capabilities

Cryptographic primitives are represented by function symbols. More specifically, we consider thesignature(S,F)made of a set ofsortsS ={s, s1. . .}and a set of

sym-bolsF = {enc,enca,sign,h i,pub,priv}together with arities of the formar(f) =

s1×s2 → sfor the four first symbols andar(f) = s → s0 for the two last ones. The symbolh irepresents the pairing function. The termsenc(m, k)andenca(m, k)

represent respectively the messagemencrypted with the symmetric (resp. asymmetric) keyk. The termsign(m, k)represents the messagemsigned by the keyk. The terms

pub(a)andpriv(a)represent respectively the public and private keys of an agenta. We fix an infinite set of names N = {a, b . . .} and an infinite set ofvariables

X ={x, y . . .}. We assume that names and variables are given with sorts. The set of

terms of sortsis defined inductively by

t::= term of sorts

| x variablexof sort s

| a nameaof sort s

| f(t1, . . . , tk) application of symbolf ∈ F

where for the last case, we further require thattiis a term of some sortsiandar(f) =

s1×. . .×sk →s. We assume a special sortMsgthat subsumes all the other sorts and such that any term is of sortMsg.

As usual, we writeV(t)for the set of variables occurring int. A term isground

orclosedif and only if it has no variables. Thesizeof a termt, denoted|t|, is defined

inductively as usual: |t| = 1if t is a variable or a name andt = 1 +Pn

i=1|ti| if

t=f(t1, . . . , tn)forf ∈ F. IfTis a set of terms then|T|denotes the sum of the sizes of its elements. We denote bySt(t)the set of subterms oft.

Substitutions are writtenσ={x1=t1, . . . , xn =tn}withdom(σ) ={x1, . . . , xn}. We only considerwell-sortedsubstitutions, that is substitutions for whichxiandtihave the same sort.σisclosedif and only if all of thetiare closed. The application of a sub-stitutionσto a termtis writtenσ(t) =tσ.

S`x S`y S` hx, yi S`x S`y S`enc(x, y) S`x S`y S`enca(x, y) S`x S`y S`sign(x, y) S` hx, yi S`x S` hx, yi S`y S`enc(x, y) S`y S`x S`enca(x,priv(y)) S`pub(y)

S`x

S`sign(x,priv(y))

(optional)

S`x Fig. 1.Intruder deduction system.

Sorts are mostly left unspecified in this paper. They can be used in applications to express that certain operators can be applied only to some restricted terms. For example, sorts can be used to require that messages are encrypted only by atomic keys.

2.2 Intruder capabilities

The ability of the intruder is modeled by a deduction system described in Figure 1 and corresponds to the usual Dolev-Yao rules. The first line describes thecompositionrules, the two last lines thedecompositionrules. Intuitively, these deduction rules say that an intruder can compose messages by pairing, encrypting and signing messages provided he has the corresponding keys and conversely, it can decompose messages by projecting or decrypting provided it has the decryption keys. For signatures, the intruder is also able toverifywhether a signaturesign(m, k)and a messagemmatch (provided she has the verification key), but this does not give her any new message. That is why this capability is not represented in the deduction system. We also consider an optional rule

S`sign(x,priv(y))

S`x that expresses that an intruder can retrieve the whole message from its signature. This property may or may not hold depending on the signature scheme, and that is why this rule is optional. All our results hold in both cases (deduction relation` defined with or without this rule).

A termuisdeduciblefrom a set of termsS, denoted by S ` uif there exists a

proof i.e. a tree such that the root isS ` u, the leaves are of the form S ` v with

v∈S(axiomrule) and every intermediate node is an instance of one of the rules of the

deduction system.

Example 1. The term hk1, k2i is deducible from the set S1 = {enc(k1, k2), k2}. A proof ofS1` hk1, k2iis:

S1`enc(k1, k2) S1`k2

S1`k1 S1`k2

3

Constraint systems and security properties

Constraint systems are quite common (see e.g. [15, 24]) in modeling security protocols. We recall here its formalism and show how it can be used to specify general security properties. Then we prove that any constraint system can be transformed into some more simplified constraint systems.

3.1 Constraint systems

Definition 1. Aconstraint systemC is a finite set of expressionsTi ttorTi ui,

whereTi is a non empty set of terms,ttis a special symbol that represents an always

deducible term, anduiis a term,1≤i≤n, such that:

- Ti⊆Ti+1, for all1≤i≤n−1;

- ifx∈ V(Ti)then∃j < isuch thatTj = min{T |T u∈C, x∈ V(u)}(for the

inclusion relation) andTj (Ti.

Theleft-hand side(right-hand side) of a constraintT uisT(respectivelyu). The left-hand sideof a constraint systemC, denoted bylhs(C), is the maximal set of messages

Tn. The right-hand side of a constraint system C, denoted byrhs(C), is the set of

right-hand sides of its constraints.V(C)denotes the set of variables occurring inC.⊥

denotes the unsatisfiable system.

Thesizeof a constraint system is defined as|C|def=|lhs(C)|+|rhs(C)|.

A constraint system is denoted as a conjunction of expressions. The left-hand side of a constraint systemCusually represents the messages sent on the network.

Example 2. Consider the famous Needham-Schroeder asymmetric key authentication

protocol [20] designed for mutual authentication.

A→B : enca(hNA, Ai,pub(B))

B→A: enca(hNA, NBi,pub(A))

A→B : enca(NB,pub(B))

The agent A sends to B his name and a fresh nonce (a randomly generated value) encrypted with the public key ofB. The agentB answers by copyingA’s nonce and adds a fresh nonceNB, encrypted byA’s public key. The agentA acknowledges by forwardingB’s nonce encrypted byB’s public key. We assume that a potential intruder has a complete control of the network: he may intercept, block and send new messages to arbitrary agents.

LetS0 ={a, b, i,pub(a),pub(b),pub(i),priv(i)}be the initial knowledge of the intruder. The following constraint systemC1models a scenario whereAstarts a session with a corrupted agentI(whose private key is known to the intruder) andB is willing to answer toA. We consider this very simple scenario for simplicity but of course we could also considerAtalking toBandBresponding toIfor example.

S1

def

=S0∪ {enca(hna, ai,pub(i))}enca(hx, ai,pub(b)) (1)

S2

def

=S1∪ {enca(hx, nbi,pub(a))}enca(hna, yi,pub(a)) (2)

S3

def

wherena andnb are names of sortMsgandxandy are variables of sortMsg. The setS1 represents the messages known to the intruder once A has contacted the cor-rupted agentI. Then the equations 1 and 2 can be read as follows: if a message of the form enca(hx, ai,pub(b))can be sent on the network, then B would answer to this message byenca(hx, nbi,pub(a)), which is added toS1. Subsequently, if a message of the formenca(hna, yi,pub(a))can be sent on the network, thenAwould answer byenca(y,pub(i))sinceAbelieves she is talking toI. The run is successful ifBcan finish his session by receiving the messageenca(nb,pub(b)). ThenB believes he has talked toAwhileAactually talked toI. If the protocol was secure, such a constraint system should not have a solution. The variables represent those parts of messages that are a priori unknown to the agents.

3.2 Security properties

A security property is modeled by a predicate on (lists of) terms. The terms represent some information about the execution of the protocol, for example the messages that are sent on the network.

Definition 2. Asecurity propertyis a predicate on lists of messages. For a listLwe

denote byLsthe set of messages of the listL.

LetC be a constraint system,La list of terms such thatV(Ls) ⊆ V(C)andP

a security property. AsolutionofC forP w.r.t.Lis a closed substitutionθsuch that

∀T u∈C,T θ`uθandP(Lθ)holds. Every substitution satisfiesT ttand none

satisfies⊥.

Example 3. If the predicateP is simply thetruepredicate (which holds for any list

of terms) and the only sort isMsgthen we simply retrieve the usual constraint system deduction problem, which is known to be NP-complete [13, 25].

Example 4. Secrecy can be easily expressed by requiring that the secret data is not

deducible from the messages sent on the network. We consider again the constraint systemC1defined in Example 2. LetL1be a list of the messages inlhs(C1). We define the predicateP1to hold on a list of messages if and only ifnbis deducible from it.

P1(L) =trueiffLs`nb Then the substitution

σ1={x=na, y=nb}

is a solution ofC1for the propertyP1w.r.t.L1and corresponds to the attack found by G. Lowe [20]. Note that such a deduction-based property could be directly encoded in the constraint system by adding a constraintT nbwhereT =lhs(C1).

Example 5. Authentication can also be defined using a predicateP2 on lists of

mes-sages. Consider again the constraint systemC1defined in Example 2 whereS0 is re-placed byS₀0 =S0∪ {enca(hn0a, ai,pub(b))}: the agentAalso initiates a session with

B. We can express that when the protocol is completed, the agentB should have ac-cepted only the noncen0_agenerated byAforB. More precisely, we considerL2= [x]

R1 C ∧ T u C ∧ T tt ifT∪ {x|T0x∈C, T0(T} `u

R2 C ∧ T u σCσ ∧T σuσ ifσ= mgu(t, u), t∈St(T),

t6=u, t, unot variables R3 C ∧ T u σCσ ∧T σuσ ifσ= mgu(t1, t2), t1, t2∈St(T),

t16=t2, t1, t2not variables

R4 C ∧ T u ⊥ ifV(T, u) =∅andT 6`u

Rf C ∧ Tf(u, v) C ∧ T u∧T v forf∈ { h i,enc,enca,sign}

Fig. 2.Simplification rules.

representing the value received byBforna. We defineP2to hold onLif and only if

L6= [na]. The substitutionσ1defined in Example 4 is a solution ofC1for the property

P2w.r.t.L2.

In Section 4, we provide other examples of predicates which encode time constraints or express that no key cycles are allowed.

3.3 General approach

Using some simplification rules, solving general constraint systems can be reduced to solving simpler constraint systems that we called solved. We say that a constraint sys-tem issolvedif it is different from⊥and each of its constraints are of the formT tt

orT x, wherexis a variable. This corresponds to the notion of solved form in [15]. Solved constraint systems with the single sortMsg are particularly simple in the case of thetruepredicate since they always have a solution, as noticed in [13]. Indeed, letT1be the smallest (w.r.t. inclusion) left hand side of a constraint. From the definition of a constraint system we have thatT1is non empty and has no variables. Lett ∈T1. Then the substitution θ defined by xθ = t for every variablex is a solution since

T `xθ=tfor any constraintT xof the solved system.

Thesimplification ruleswe consider are defined in Figure 2. All the rules are in

fact indexed by a substitution: when there is no index then the identity substitution is implicitly considered. We write C n_σ C0 if there areC1, . . . , Cn withn ≥ 1,

C0 =Cn,C σ1 C1 σ2 · · · σn Cn andσ =σ1σ2. . . σn. We writeC

∗ σ C0 if

C nσC0for somen≥1, orC0 =Candσis the empty substitution.

The simplification rules are correct, complete and terminating in polynomial time. Theorem 1. LetCbe a constraint system,θa substitution,Pa security property and

La list of messages such thatV(Ls)⊆ V(C).

1. (Correctness) IfC ∗σ C0for some constraint systemC0and some substitutionσ

and ifθis a solution ofC0 for the propertyP w.r.t.Lσthenσθis a solution ofC

for the propertyP w.r.t.L.

2. (Completeness) Ifθis a solution ofCfor the propertyPw.r.t.L, then there exist a

constraint systemC0and substitutionsσ, θ0such thatθ=σθ0,C ∗_σC0andθ0is

3. (Termination) IfC n

σ C0for some constraint systemC0 and some substitutionσ

thennis polynomially bounded in the size ofC.

The proof is a simple extension of the proof provided in [13] to sorted messages and general security properties. This last point simply relies on the fact that wheneverC ∗σ

C0thenL(σθ) = (Lσ)θfor any substitutionθ. All the proof details (mostly borrowed from [13]) can be found in the Appendix.

Corollary 1. Any propertyP that can be decided in polynomial time on solved straint systems can be decided in non-deterministic polynomial time on arbitrary con-straint systems.

4

Decidability of some specialized security properties

Using the general approach presented in the previous section, verifying particular prop-erties like the existence of key cycles or the conformation to ana priori given order relation on keys can be reduced to deciding these properties on solved constraint sys-tems. We deduce a new decidability result, useful in models designed for proving cryp-tographic properties. This approach also allows us to retrieve a significant fragment of [11] for protocols with timestamps.

4.1 Encryption cycles

To show that formal models (like the one presented in this article) are sound with respect to cryptographical ones, the authors usually assume that no key cycle can be produced during the execution of a protocol or, even stronger, assume that the encrypts relation follows ana priorigiven order.

In this section we restrict our attention to key cycles and key order on symmetric keys since there are very few papers constraining the key relations in an asymmetric setting. We consider atomic keys for symmetric encryption since this is also the standard assumption in our setting (that is key cycles or key order definitions). More precisely, we assume a sortKey⊂Msgand we assume that the sort ofencisMsg×Key→Msg. All the other symbols are of sortMsg× · · · ×Msg → Msg. Hence only names and variables can be of sortKey.

Key cycles Many definitions of key cycles are available in the literature. They are defined by considering cycles in theencryptsrelation between keys. But this relation differs from one article to another. For example, the early definition proposed by Abadi and Rogaway [2] says thatkencryptsk0as soon as there exists a termenc(m, k)such thatk0 _{is a subterm ofm. For example, bothenc(k, k)andenc(enc(a, k), k)contain} key cycles. However, in the definition proposed by Laud [19],enc(enc(a, k), k)does not contain a key cycle since the relation “kencryptsk0” is restricted to keysk0 that occur in plaintext. We consider the two variants for the notion of key cycles.

We writes <st tif and only ifsis a subterm oft. We define recursively the least reflexive and transitive relationvsatisfying:s1 v(s1, s2),s2 v(s1, s2), and ifsvt thensvenc(t, t0). Intuitively,svtifsis a subterm oftthat occurs at least once in a plaintext position.

Definition 3. Let ρ1 be a relation chosen in{<st,v}. LetSbe a set of messages and

k, k0 two terms of sortKey. We say thatk encryptsk0 inS (denotedk ρS

ek0) if there

existm∈Sand a termm0such that

k0ρ1m0and enc(m0, k)vm.

With ρ1 =<st, we retrieve the definition of Abadi and Rogaway. Withρ1 =vwe retrieve the definition of Laud. For simplicity, we may write ρe instead ofρSe ifS is clear from the context.

We say that a set of messagesScontains a key cycleif there is a cycle in the relation

ρS

e. Ifmis a message we denote byρme the relationρ {m}

e and say thatmcontains a cycle if{m}contains a cycle.

Definition 4. LetK be a set of names of sort Key. We define the predicate PK kc as

follows:PK

kc holds on a list of messagesLif and only if there is a messagem such

thatLs`mandmcontains a key cycle(k1, . . . , kn), withn≥1andki ∈Kfor all

1≤i≤n.

Key order In order to establish soundness of formal models in a symmetric encryption setting, the requirements on the encrypts relation can be even stronger, in particular in the case of an active intruder. In [5] and [18], the authors require that a key never encrypts a younger key. More precisely, the encrypts relation has to be compatible with the order in which the keys are generated. Hence we also want to check whether there exist executions of the protocol for which the encrypts relation is incompatible with a certain order on keys.

Definition 5. Let≤be a partial order on a set of names K of sort Key. We define

the predicatePK

≤ as follows:P≤K holds on a list of messagesLif and only if for any

messagemsuch thatLs`mthe encrypts relationρme iscompatiblewith≤, that is:

k ρm_e k0 ⇒ k06≤k.

For example, in [5, 18], the authors choose ≤to be the order in which the keys are generated:k≤k0ifkhas been generated beforek0. We denote byPK_≤ the negation of

PK

≤. Indeed, an attack in this context is an execution such that the encrypts relation is incompatible with≤, that is the predicatePK_≤ holds.

We provide a characterization in the passive case forPK kc andP

K

≤ to hold.

Proposition 1. Let L be a list of messages,K a set of names of sort Keyand ≤a

partial order onK. The predicatePK

kc (resp.P

K

≤) holds if and only if

– there isk∈Ksuch thatkis deducible fromLs, that isLs`k, or

– Lscontains a key cycle (resp. the encrypts relation onLsis not compatible with≤).

Indeed ifkis deducible fromLsthenenc(k, k)is deducible fromLs. Hence there is a deducible message containing a key cycle and for which the encrypts relation is not compatible with the order≤. If there are no deducible keys then the encrypts re-lation on any deducible message is included in the encrypts rere-lation onLs, hence the equivalences in the proposition.

Decidability In what follows, a solution ofCfor thetruepredicate w.r.t. an arbitrary list is said to be apartialsolution toC. Akeyis a term of sortKey.

We show how to decide the existence of key cycles or the conformation to an order in polynomial time for solved constraint systems.

Proposition 2. LetCbe a solved constraint system andLbe a list of messages such

thatV(Ls) ⊆ V(C),lhs(C) ⊆ Ls, andLs∩Key 6= ∅. Indeed, the intruder should

always know the messages sent on the network and some (dishonest) key. LetK be a

set of names of sortKeysuch thatLsθ6`kfor anyθpartial solution ofCand for any

k∈K. Let≤be a partial order onK.

– Deciding whetherChas a solution forPK

kcwrtLcan be done inO(|C|+|L|+|K|2). – Deciding whetherChas a solution forPK_≤ wrtLcan be done inO(|C|+|L|+|K|2_).

The rest of the section is devoted to the proof of Proposition 2.

Since the keys ofKare not deducible fromLsθ, for anyθpartial solution ofC, we know by Proposition 1 that it is sufficient to look at the encrypts relation only onLsθ (and not on every deducible term).

SinceCis solved, any constraint ofC is of the formT xor T tt. For each variablexofCwe denoteTx= min{T |T x∈C}. Lettxbe the term obtained by pairing all terms ofTx(in some arbitrary order). We construct the following substitution

τ =τ1. . . τq, whereqis the number of variables inC, andτjis defined inductively as follows:

- dom(τ1) ={x1}andx1τ1=tx1 - τj+1=τj∪ {txiτj/xi}, wherei= min{i

0_|x

i0 ∈/dom(τ_j)}.

The construction is correct by the definition of a constraint system. It is clear thatτis a partial solution ofC.

ConsiderTL

def

= max{Tx| x∈ V(Ls)}. That is,TLis the maximal left hand side of a constraint ofCsuch that the right hand side variable appears inL. We construct the following directed graphG= (K, A)as follows: ifkencryptsk0 inLs∪TLthen

(k, k0)∈A; and, ifkencryptsxinLs∪TL(wherex∈ V(Ls∪TL)) then(k, k0)∈A for allk0ρ1xτ.

The graph captures exactly the encrypts relation induced byτonCand any possible encrypts relation is contained in the graph.

Lemma 1. Letθbe a partial solution ofCandk, k0 ∈Kbe two non deducible keys, that isLsθ 6` k, k0. Ifk ρLesθk0, that iskencryptsk0 inLsθ then(k, k0) ∈ A.

Con-versely, if(k, k0)∈Athenk ρLsτ

e k0, that iskencryptsk0inLsτ. We deduce that deciding whetherC has a solution forPK

kc w.r.t.L can be done simply by deciding whether the graphGhas cycles. Indeed, if there is a solutionθsuch that there is a cycle(k1, . . . , kn)inLsθ, that is, for eachiwe havekiρLesθki+1, then (by Lemma 1)(ki, ki+1)∈Afor eachi, that is(k1, . . . , kn)is a cycle in the graphG. Conversely, if(k1, . . . , kn)is a cycle inGthen, again by Lemma 1,τ is a solution of

CforPK

Deciding whetherChas a solution forPK_≤w.r.t.Lcan be done by deciding whether the graphGhas the following propertyPG: there is(k, k0)∈Asuch thatk≤k0. And indeed, if there is a solutionθsuch thatPK_≤ holds onLθ, that isPK

≤ does not hold on

Lθ, then there arek, k0 ∈ Ksuch thatkρLsθ

e k0 andk ≤ k0. Hence(k, k0) ∈ Aand

k ≤k0. That is the propertyPGon the graphGholds. Conversely, if the propertyPG holds then there arek, k0 ∈Ksuch thatkencryptsk0inLτ andk≤k0, that isτis a solution ofCforPK_≤ w.r.t.L.

The graph can be constructed inO(|C|+|Ls|+|K|2). Testing for cycles and verifying propertyPGcan be simply done by traversing the graph inO(|K|2).

NP-completeness Consider a constraint systemC, a setKof names of sortKeyand a list of messagesLsuch thatV(Ls)⊆ V(C),lhs(C)⊆LsandLs∩Key6=∅. We want to decide the existence of a solution ofCforP_kcK(resp.P_≤K) w.r.t.L. By Proposition 1, there is a solution if and only if

1. either there existsk∈Ksuch that there exists a partial solution toCk

def

= C∧

Lsk,

2. or no key fromk∈Kis deducible (that isLsθ0k, for allθpartial solution ofC) andChas a solution forP_kcK(resp.P_≤K) w.r.t.L.

We guess whether we are in case 1 or 2 and in case 1 we also guess which key is de-ducible. In the first case, we check whetherCkhas a partial solution in non-deterministic polynomial time using Corollary 1. In the second case, we check whetherChas a solu-tion forPK

kc(resp.P≤K) w.r.t.Lusing Theorem 1 and Proposition 2.

NP-hardness is obtained by adapting the construction for NP-hardness provided in [25]. More precisely, we consider the reduction of the 3SAT problem to our problem. For any 3SAT boolean formula we construct a protocol such that the intruder can deduce a key cycle if and only if the formula is satisfiable. The construction is the same as in [25] (pages 15 and 16) except that, in the last rule, the participant responds with the termenc(k, k), for some fresh keyk(initially secret), instead ofSecret. Then it is easy to see that the only way to produce a key cycle on a secret key is to play this last rule which is equivalent, using [25], to the satisfiability of the corresponding 3SAT formula.

4.2 Timestamps

For modeling timestamps, we introduce a new sortTime ⊆ Msgfor time and we as-sume an infinite number of names of sortTime, represented by rational numbers or in-tegers. We assume that the only two sorts areTimeandMsg. Any value of time should be known to an intruder, that is why we add to the deduction system the rule

S`a for any nameaof sortTime. All the previous results can be easily extended to such a deduction system since ground deducibility (S

?

` u) remains decidable in polynomial time.

To express relations between timestamps, we use timed constraints. An integer

form

Σk_i=1αixinβ

where theαiandβare rational numbers,n∈ {<,≤}, and thexiare variables of sort

Time. Asolutionof a rational (resp. integer) timed constraintTis a closed substitution

σ={x1 =c1, . . . , xk =ck}, where theci are rationals (resp. integers), that satisfies the constraint.

Timed constraints between the variables of sortTimeare expressed through satisfi-ability of security properties.

Definition 6. A predicatePis atimed propertyifP isgeneratedby some (rational or integer) timed constraintT, that is ifT has variablesx1, . . . , xkthen for any listLof

messagesP(L)holds if and only if

– Lcontains exactlykmessagest1, . . . , tk of sortTimethat appear in this order in

the list

– andT(t1, . . . , tk)is true.

Such timed properties are typically used to say that a timestampx1must be fresher than a timestampx2 (x1 ≥x2) or thatx1must be at least 30 seconds fresher thanx2 (x1≥x2+ 30).

Example 6. We consider the Wide Mouthed Frog Protocol [12].

A→S:A,enc(hTa, B, Kabi, Kas)

S→B: enc(hTs, A, Kabi, Kbs)

A sends to a serverS a fresh key Kab intended for B. If the timestampTa is fresh enough, the server answers by forwarding the key toB, adding its own timestamps.B

simply checks whether this timestamp is older than any other message he has received fromS. As explained in [12], this protocol is flawed because an attacker can use the server to keep a session alive as long as he wants by replaying the answer of the server.

This protocol can be modeled by the following constraint system:

S1 def ={a, b,ha,enc(h0, b, kabi, kas)i}ha,enc(hxt1, b, y1i, kas)i, xt2 (4) S2 def =S1∪ {enc(hxt2, a, y1i, kbs)}enc(hxt3, a, y2i, kbs)i, xt4 (5) S3 def = S2∪ {enc(hxt4, b, y2i, kas)}enc(hxt5, b, y3i, kas)i, xt6 (6) S4 def =S3∪ {enc(hxt6, a, y3i, kbs)}enc(hxt7, b, kabi, kbs)i (7) wherey1, y2, y3are variables of sortMsgandxt1, . . . , xt7 are variables of sortTime. We add explicitly the timestamps emitted by the agents on the right hand side of the constraints (that is in the messages expected by the participants) since the intruder can schedule the message transmission whenever he wants.

Initially, the intruder simply knows the names of the agents andA’s message at time 0. Then S answers alternatively to requests from A andB. Since the intruder controls the network, the messages can be scheduled as fast as the intruder needs it. The serverSshould not answer ifA’s timestamp is too old (let’s say older than 30 seconds)

thusS’s timestamp cannot be too much delayed (no more than 30 seconds). This means that we should havext2 ≤ xt1+ 30. Similarly, we should havext4 ≤xt3 + 30and

xt6 ≤xt5+ 30. The last rule corresponds toB’s reception. In this scenario,Bdoes not perform any check on the timestamp since it is the first message he receives.

We say that there is an attack if there is a solution to the constraint system that satisfies the previously mentioned time constraints and such that the timestamp received byBis too fresh to come fromA:xt7 ≥90. Formally, we consider the timed property generated by the following timed constraint

xt2≤xt1+ 30 ∧ xt4 ≤xt3+ 30 ∧ xt6≤xt5+ 30 ∧ xt7 ≥90 Then the substitution corresponding to the attack is

σ={y1=y2=y3=y4=kab, xt1= 0, xt2=xt3= 30, xt4=xt5= 60, xt6=xt7= 90}. Proposition 3. Any timed property can be decided in non-deterministic polynomial time on solved constraints.

Proof (sketch).LetCbe a solved constraint, P a timed property andT a timed

con-straint generatingP. Letx1, . . . , xn be the variables of sortMsginCandy1, . . . , yk the variables of sort TimeinC. Clearly, any substitutionσof the form σ(xi) = ui whereui ∈Sifor someSi xi ∈Candσ(yi) = tifortiany constant of sortTime is a solution ofCfor thetrueproperty. Letσ0 be a the restriction ofσto the timed variablesy1, . . . , yk.

Clearly,σis a solution ofC forP if and only ifσ0 is a solution toT. Thus there exists a solution of C for P if and only ifT is satisfiable. The satisfiability ofT is solved by usual linear programming [26]. It is polynomial in the case of rational timed constraints and it is NP-complete in the case of integer timed constraints, thus the result.

NP-completeness We deduce by combining Theorem 1 and Proposition 2 that the problem of deciding timed properties on arbitrary constraint systems is in NP.

NP-hardness directly follows from the NP-hardness of constraint system solving by considering a predicate corresponding to an empty timed constraint.

5

Further work

We have shown how the generic approach we have derived from [13, 15, 24] can be used to retrieve two NP-completeness results. The first one enables us to detect key cycles while the second one enables us to solve constraint systems with timed constraints. In both cases, we had to provide a decision procedure only for a simple class of constraint systems. Since the constraint-based approach [13, 15, 24] has already been implemented in Avispa [4], we plan, using our results, to adapt this implementation to the case of key cycles and timestamps.

More generally, taking advantage of our generic approach, we would like to explore how decision procedures of distinct security properties can be combined on solved con-straint systems. In addition, in our two cases, decidability on solved concon-straints systems

was quite simple. It would be interesting to understand which classes of properties can be decided in the same manner.

Regarding key cycles, our approach is valid for a bounded number of sessions only. Secrecy is undecidable in general [16] for an unbounded number of sessions. Such an undecidability result could be easily adapted to the problem of detecting key cycles. Several decidable fragments have been designed [23, 14, 10, 27] for secrecy and an un-bounded number of sessions. We plan to investigate how such fragments could be used to decide key cycles.

Acknowledgment. We are particularly grateful to Micha¨el Rusinowitch and Bogdan

Warinschi for their very helpful suggestions.

References

1. M. Abadi and P. Rogaway. Reconciling two views of cryptography. InProc. of the Interna-tional Conference on Theoretical Computer Science (IFIP TCS’00), volume 1872 ofLNCS, pages 3–22, August 2000.

2. M. Abadi and Ph. Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption).Journal of Cryptology, 2:103–127, 2002.

3. Pedro Ad˜ao, Gergei Bana, Jonathan Herzog, and Andre Scedrov. Soundness of formal en-cryption in the presence of key-cycles. InProc. 10th European Symposium on Research in Computer Security (ESORICS’05), volume 3679 ofLNCS, pages 374–396, 2005.

4. A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuellar, P. Hankes Drielsma, P.C. H´eam, O. Kouchnarenko, J. Mantovani, S. M¨odersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Vigan`o, and L. Vigneron. The Avispa tool for the automated validation of internet security protocols and applications. InProc. of Com-puter Aided Verification (CAV’05), volume 3576 ofLNCS, 2005.

5. M. Backes and B. Pfitzmann. Symmetric encryption in a simulatable Dolev-Yao style cryp-tographic library. InProc. 17th IEEE Computer Science Foundations Workshop (CSFW’04), pages 204–218, 2004.

6. Michael Backes, Birgit Pfitzmann, and Andre Scedrov. Key-dependent message security un-der active attacks. Cryptology ePrint Archive, Report 2005/421, 2005. http://eprint.iacr.org/. 7. M. Bellare and P. Rogaway. Entity authentication and key distribution. InAdvances in Cryptology – Crypto ’93, 13th Annual International Cryptology Conference, volume 773 of

LNCS, pages 232–249, 1993.

8. Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway. Relations among notions of security for public-key encryption schemes. In Advances in Cryptology - Pro-ceedings of CRYPTO ’98, volume 1462 ofLNCS, pages 26–45, Santa Barbara, California, USA, August 1998. Springer-Verlag.

9. Bruno Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. InProc. 14th IEEE Computer Security Foundations Workshop (CSFW’01), pages 82–96, 2001. 10. Bruno Blanchet and Andreas Podelski. Verification of cryptographic protocols: Tagging

enforces termination. In Andrew Gordon, editor,Foundations of Software Science and Com-putation Structures (FoSSaCS’03), volume 2620 ofLNCS, April 2003.

11. L. Bozga, C. Ene, and Y. Lakhnech. A symbolic decision procedure for cryptographic pro-tocols with time stamps. InProc. 15th International Conference on Concurrency Theory (CONCUR’04), LNCS, pages 177–192, London, England, 2004. Springer-Verlag.

12. J. Clark and J. Jacob. A survey of authentication protocol literature. Available at http://www.cs.york.ac.uk/˜jac/ papers/drareviewps.ps, 1997.

13. H. Comon-Lundh. R´esolution de contraintes et recherche d’attaques pour un nombre born´e de sessions. Available at http://www.lsv.ens-cachan.fr/˜comon/CRYPTO/bounded.ps. 14. H. Comon-Lundh and V. Cortier. New decidability results for fragments of first-order logic

and application to cryptographic protocols. InProc. of the 14th Int. Conf. on Rewriting Techniques and Applications (RTA’2003), volume 2706 ofLNCS, pages 148–164. Springer-Verlag, June 2003.

15. H. Comon-Lundh and V. Shmatikov. Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. InProc. of 18th Annual IEEE Symposium on Logic in Computer Science (LICS ’03), pages 271–280, 2003.

16. N. Durgin, P. Lincoln, J. Mitchell, and A. Scedrov. Undecidability of bounded security protocols. InProc. of the Workshop on Formal Methods and Security Protocols, 1999. 17. Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and

System Sciences, 28:270–299, 1984.

18. R. Janvier, Y. Lakhnech, and L. Mazare. (de)compositions of cryptographic schemes and their applications to protocols. Cryptology ePrint Archive, Report 2005/020, 2005. http://eprint.iacr.org/.

19. P. Laud. Encryption cycles and two views of cryptography. InNordic Workshop on Secure IT Systems (NORDSEC’02), 2002.

20. G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In

Tools and Algorithms for the Construction and Analysis of Systems (TACAS’96), volume 1055 ofLNCS, pages 147–166. Springer-Verlag, March 1996.

21. Daniele Micciancio and Bogdan Warinschi. Soundness of formal encryption in the presence of active adversaries. InProc. 1st Theory of Cryptography Conference (TCC’04), volume 2951 ofLNCS, pages 133–151, 2004.

22. J. K. Millen and V. Shmatikov. Constraint solving for bounded-process cryptographic pro-tocol analysis. InProc. 8th ACM Conference on Computer and Communications Security (CCS’01), pages 166–175, 2001.

23. R. Ramanujam and S.P.Suresh. Tagging makes secrecy decidable for unbounded nonces as well. InProc. of the 23rd Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS’03), Mumbai, 2003.

24. M. Rusinowitch and M. Turuani. Protocol insecurity with finite number of sessions is NP-complete. InProc. of the 14th Computer Security Foundations Workshop (CSFW’01), pages 174–190. IEEE Computer Society Press, 2001.

25. M. Rusinowitch and M. Turuani. Protocol insecurity with finite number of sessions and composed keys is NP-complete. Theoretical Computer Science, 299:451–475, 2003. 26. A. Schrijver.Theory of Linear and Integer Programming. Wiley, 1998.

27. Kumar Neeraj Verma, Helmut Seidl, and Thomas Schwentick. On the complexity of equa-tional horn clauses. InProc. of the 22th International Conference on Automated Deduction (CADE 2005), Lecture Notes in Computer Science, pages 337–352. Springer-Verlag, 2005.

A

Properties of the simplification rules

We prove in this section Theorem 1, that is the correctness, completeness and termina-tion of the simplificatermina-tion rules (in subsectermina-tions A.1, A.3 and A.2 respectively).

In what follows we call the deduction rules of Figure 1 pairing, symmetric and asymmetric encryption, signature and, first and second projection, symmetric and asym-metric decryption respectively.

LetC be a constraint system. For any T uand y ∈ V(T), we define Ty =

min{T00|T00u00, y∈ V(u00)}. A.1 Correctness

Lemma 2. The simplification rules transform a constraint system into a constraint sys-tem.

Proof. Suppose thatCis a constraint system,C =V

iTi ui andC σ C 0_{. Since}

Ti ⊆ Ti+1 impliesTiσ ⊆ Ti+1σwe have thatC0 meets point 1 of the definition of constraint systems.

We show that thatC0also meets point 2 of the definition of constraint systems. Let

T0 u0 ∈ C0 andx ∈ V(T0). We have to prove that T_x0 exists andT_x0 ( T0. We consider which simplification rule was applied.

– If ruleR1was applied, eliminating the constraintT ufromC, thenT0u0∈C and

Tx0 = min{T00|T00u00∈C0, x∈ V(u00)}

= min{T00_|T00_u00_{∈C\ {T u}, x∈ V(u}00_)}.

Ifmin{T00_|T00_u00_{∈C\ {T u}, x∈ V(u}00_{)}= min{T}00_|T00_u00_∈C,

x∈ V(u00)}then the property is clearly satisfied (as it is satisfied byT0u0inC). Otherwise, we have thatx∈ V(u)andT = min{T00|T00u00∈C,

x∈ V(u00)}. By minimality ofT it follows thatx /∈ V(T)andx /∈ {y|T00y∈

C, T00₍T}. Sincex∈ V(u), we have thatT∪ {y |T00 y∈C, T00 ₍T} 6`u

which contradicts the applicability of ruleR1.

– If rulesR2 orR3 were applied then there is an one-to-one relation between the constraints ofCandC0respectively. ConsiderT u∈Csuch thatT σ=T0and

uσ=u0.

Ifxis not introduced byσthenx ∈ V(T). ThenTx exists andTx ( T. Then

Txσ ⊆ T σ. If Txσ = T σ then x ∈ V(Tx) which contradicts the minimality ofTx. ThusTxσ ( T σ. We also have that{T00σ|T00u00∈C, x∈ V(u00)} ⊆ {T00σ|T00σu00σ∈C0, x∈ V(u00σ)}, since for any termu00, ifx∈ V(u00)then

x∈ V(u00σ). It follows thatT_x0 exists andT_x0 ⊆Txσ. HenceTx0 (T0.

Otherwise, supposexis introduced byσ, that is∃y ∈ V(T)such thatx∈ V(yσ). ThenTyexists andTy (T. We chooseysuch thatTyis minimal with respect to the inclusion relation. We have thatT_x0 ⊆min{T00σ|T00u00∈C, z∈ V(u00), x∈ V(zσ)} ⊆ Tyσ. AgainTy (T impliesTyσ (T σotherwiseTyσ =T σimplies that there existsz ∈ V(Ty)such that x∈ V(zσ). We havez 6=y by minimality ofTy. Thus there existsTz(Ty, which contradicts the minimality ofy. HenceTx0 exists andT_x0 (T0.

– If ruleR4was applied then the obtained result is a constraint system by definition. – If ruleRfwas applied then the property is preserved since ifx∈u00, for some term

u00such thatT00u00∈C0then there is a termvsuch thatT00v∈C.

Lemma 3 (correctness).IfC σ C0 then for every solutionτofC0for the property

P w.r.tLσ,στis a solution ofCfor the propertyPw.r.t.L.

Proof. If the applied rule wasR1then we have to prove thatT τ `uτ, whereT uis

the constraint replaced byT tt. We know thatT ∪ {x|T0x∈C, T0₍T} ` u. It follows thatT τ ∪ {xτ |T0x∈C, T0 <sub>(</sub>T} ` uτ. And since for anyT0 x ∈

C, T0₍T, we have thatT0τ`xτ, and henceT τ `xτ, we obtain thatT τ `uτ. Suppose that the rule applied in order to obtainC0wasR2orR3. Then we have for each constraintT uofC that(T σ)τ ` (uσ)τ, that is,T(στ) ` u(στ). If the rule wasRf then we obtain thatT τ `f(u, v)τfromT τ `uτ andT τ ` vτ by applying the corresponding rule (e.g. encryption iff = enc). Finally, ruleR4couldn’t have been applied.

We deduce thatστsatisfiesC. Moreover, sinceτis solution ofC0for the property

P w.r.tLσ, it means thatP((Lσ)τ)holds, that itP(L(στ))thusστ is solution ofC

for the propertyPw.r.tL.

A.2 Termination and solved forms

Lemma 4 (termination).IfC n

σ C0for some constraint systemC0and some

substi-tutionσthennis polynomially bounded in the size ofC.

Proof. To show termination, we assume that terms are represented by DAGs (directed

acyclic graphs), which allow terms to share identical subterms. The reader is refereed to [25] for a definition of DAG represented terms. Consider the following measure associated to a constraint systemC,I(C) = (|V(C)|,|C|), where the pairs are ordered lexicographically. No rule introduces new variables. Applying rulesR2andR3makes the number of variables to decrease andC0=Cσwhereσ= mgu(t1, t2),t1, t2being subterms ofC. The size ofσis polynomial in|t1|and|t2|thus polynomial in|C|. Since terms are represented by dags|C0| ≤ |C|+|σ|. Applying the other rules makes the size of the constraint system to decrease. Hencenis polynomially bounded in the size ofC.

A.3 Completeness

LetT1 ⊆T2 ⊆ · · · ⊆Tn. We say that a proofπofTi ` uisleft minimalif, for any

j < isuch thatTj `u,πis also a proof ofTj `u. We say that a proof issimpleif any subproof is left minimal and on any branch there are no two equal nodes.

Proof. We prove the property by induction on the pair(i, m)(considering again the lexicographical order), wheremis the size of a proof ofTi`u.

Ifi= 1then the proof is left minimal and it exists a proof without repeating nodes on branches.

Ifi >1and there isj < isuch thatTj `uthen apply the recursion hypothesis to obtain the existence of a simple proof ofTj `u. This proof is also a simple proof of

Ti`u.

Ifi >1and there is noj < isuch thatTj`u, then apply the recursion hypothesis on the immediate subproofs of the proof ofTi `u. If the nodeTi `uappears in the subproofs then consider one of those (sub)proofs ofTi `u. Otherwise apply the same last rule to obtain the root nodeTi `u. Anyhow, the obtained proof and all of its proper subproofs are left minimal by construction, and hence the obtained proof is simple.

For a constraint systemC, we call a left hand sideTi minimal unsolvedif for all

T u ∈ C such thatT ( Ti,uis a variable. In this case we denoteTi0 = Ti ∪ {x|T x∈C, T (Ti}.

Lemma 6. LetCbe a constraint system,θa solution andTi a minimal unsolved left

hand side ofC. If there is a simple proof ofTiθ`uhaving the last rule an axiom or a

decomposition then there ist∈St(Ti),tnot a variable, such thattθ=u.

Proof. Consider a simple proof ofTiθ`u. We reason by induction on the depth of the

proof. We can have that:

– The last rule is an axiom. Thenu ∈ Tiθ and hence there ist ∈ Ti (thus t ∈

St(Ti)) such that tθ = u. Ift is a variable then it existsi1 < isuch thatTi1 =

min{T0|T0 u0∈C, x∈ V(u0)}(see the definition of a constraint system). Since the proof ofTiθ`uis left minimal, it is also a proof ofTi1θ`tθ, that istθ∈Ti1θ. Hencetθ=t1θ, for somet1∈Ti1. Ift1is a variable, we can continue in the same way, until we find a termtk ∈Tik withik < isuch thattk is not a variable and

tkθ=u. We eventually find such a term sinceT1has no variables. SinceTik⊆Ti

we have, as required,tk∈St(Ti). – The last rule is a decomposition.

Suppose that it is a symmetric decryption. That is, there isw such that Tiθ `

enc(u, w),Tiθ`w. By simplicity of the proof, the last rule applied when obtaining

enc(u, w)was an axiom or a decomposition, otherwise the same node would appear twice. Then applying the induction hypothesis we have that there ist1 ∈St(Ti),

t1not a variable, such thatt1θ= enc(u, w). It follows thatt1 = enc(t01, t001)with

t0₁θ =u. Ift0₁is a variable thenTt0 1θ ` t

0

1θ =u. Since the proof is left minimal we have thatTt0

1θ ` enc(u, w). By induction hypothesis there ist2 ∈ St(Tt01),

t2not a variable such thatt2θ = enc(u, w). It follows thatt2 = enc(t02, t002)with

t0₂θ= u. Ift0₂is a variable we can continue in the same way. We will finally find

t0_k∈St(Tt0

k−1),t 0

knot a variable such thatt0kθ=u, becauseT1has no variables. For the other decomposition rules the same reasoning holds.

Lemma 7. LetCbe a constraint system,θa solution andTi a minimal unsolved left

hand side ofC, such thatTidoes not contain two distinct non variable unifiable

sub-terms. Ifu∈ St(Ti),unon variable, and there is a simple proof ofuθfromTiθthen

Proof. We reason by induction on the depth of the proof. Again, according to the last applied rule in the simple proof ofTiθ`uiθ, we can have:

– The last rule is an axiom. Thenuθ ∈ Tiθ. If u ∈ Ti then Ti ` ui and hence

T_i0 ` u. Otherwise, there ist1 ∈ Ti such that t1θ = uθ. We have t1 6= u, and hencet1is a variable, since otherwise there is a contradiction with the hypothesis (there are two distinct non variable unifiable termsuandt1 inSt(Ti)). We then haveTt1θ ` t1θ =uθ, and, by simplicity of the proofuθ ∈ Tt1θ. There is then

t2 ∈ Tt1 such thatt2θ = uθ. As beforet2is a variable. We can continue in this way, and we arrive at a contradiction sinceT1has no variables. Henceu∈Ti. – The last rule is a decomposition.

Suppose for example that it is the symmetric decryption rule. That is, there isw

such thatTiθ ` enc(uθ, w),Tiθ ` w. Applying Lemma 6 we obtain that there ist1 ∈ St(Ti),t1not a variable, such thatt1θ = enc(uθ, w). Since t1 is not a variable we have thatt1 = enc(t01, t001). We have thatt01θ = uθ andt001θ = w. Ift0₁ is a variable thenTt0

1θ ` t 0

1θ. Since the proof is left minimal we have that

Tt0

1θ ` enc(uθ, w). Then there ist2 ∈St(Tt01),t2 not a variable such thatt2θ =

enc(uθ, w). It follows that t2 = enc(t02, t002)witht02θ = uθandt002θ = w. Ift02 is a variable we can continue in the same way. Hence there istk ∈ St(Tt0

k−1) (thustk ∈ St(Ti)),tk = enc(t0k, t 00 k), such that t 0 k not a variable,t 0 kθ = uθand

t00_kθ = w. Since t0_k is not a variable, we have thatt0_k = u(otherwise we would have two distinct non variable unifiable termst0_k anduinSt(Ti)). We can apply the induction hypothesis to obtain thatT_i0 ` enc(t0<sub>k</sub>, t00<sub>k</sub>). Now, ift00<sub>k</sub> is a variable thent00<sub>k</sub> ∈ T<sub>i</sub>0, thusT<sub>i</sub>0 ` t00_k. Otherwise, ift00_k is not a variable then, by induction hypothesis,T_i0`t00<sub>k</sub>. Hence, in both cases, we obtain thatT<sub>i</sub>0 `u.

For the other decomposition rules the same reasoning holds. – The last rule is a composition.

Suppose for example that it is the symmetric encryption rule. Thenuθ= enc(w1, w2) andTiθ`w1andTiθ`w2. Sinceuis not a variable we have thatu= enc(u1, u2),

u1θ=w1andu2θ =w2. Ifu1(resp.u2) is a variable thenu1(resp.u2) is inTi0 (this is becauseu∈St(Ti)). Otherwise we apply the recursion hypothesis. Hence in both cases we haveT_i0`u1andTi0`u2. ThusTi0 `u.

For the other composition rules the same reasoning holds.

Lemma 8 (completeness).IfCis an unsolved constraint system andθis a solution of

Cfor the propertyP w.r.t.Lthen there is a constraint systemC0_{and solutionτofC}0

for the propertyPw.r.t.Lσsuch thatC _σC0andθ=στ.

Proof. Consider the minimal unsolved constraintTiui,uiis not a variable andujis

a variable, for allj < i.

We haveTiθ ` uiθ. Consider a simple proof ofTiθ ` uiθ. According to the last applied rule in this proof, we can have:

1. The last rule is a composition.

Suppose that it is the pairing rule. That is, there arew1, w2 such thatTiθ ` w1,

Tiθ ` w2andhw1, w2i= uiθ. Sinceui is not a variable there existsu0, u00such that ui = hu0, u00i. Hence we can apply the simplification rule Rh i in order to

obtainC0. Sinceu0θ =w1andu00θ =w2, the substitutionθis also a solution to

C0forP w.r.tL.

For the other composition rules the same reasoning holds, applying this time the correspondingRf rule.

2. The last rule is an axiom or a decomposition. Applying Lemma 6 we obtain that there ist∈St(Ti),tnot a variable, such thattθ=uiθ. We can have the following two possibilities:

(a) Ift6=uithen we apply the simplification ruleR2.

(b) Otherwise, ift=ui, thenu∈St(Ti). We consider the cases:

i. There are two distinct non variable unifiable termst1, t2 ∈ St(T). Then we apply the simplification ruleR3.

ii. Otherwise, the simplification ruleR1 can be applied. This follows from Lemma 7.

B

Decidability of key cycles

This section is devoted to the proof Lemma 1. We first introduce an intermediate lemma. Lemma 9. LetT xbe a constraint of a solved constraint systemCandθbe a simple

solution. Letm, u, kbe terms such that

T θ`mand enc(u, k)vmandT θ6`k.

Then there exists a non variable term wsuch that w v w0 _{for some w}0 _{∈ T and}

wθ= enc(u, k).

Consider the indexiof the constraintT x, that is such thatTiui∈C,Ti=Tand

ui=x. The lemma is proved by induction on(i, n)(lexicographical order) wherenis the length of the proof ofTiθ`m. Consider the last rule of the proof:

– (axiom rule)m=tθfor somet ∈Ti. We can have that either there ist0 vtsuch thatt0θ = enc(u, k), eitherenc(u, k) v yθfor somey ∈ V(t). In the first case takew = t0. In the second case, by definition of constraint systems, there exists

Tj y ∈Cwithj < i. SinceTjθ`mandTjθ 6`k(sinceTj ⊆Ti), we deduce by induction hypothesis that there exists a non variable termwsuch thatwv w0

for somew0_∈T

iandwθ= enc(u, k).

– (decomposition rule) Letm0 be the premise of the rule. We have thatTiθ ` m0 (with a proof of a strictly smaller length) andm v m0 thusenc(u, k) v m0. By induction hypothesis, we deduce that there exists a non variable termwsuch that

wvw0for somew0∈Tiandwθ= enc(u, k).

– (composition rule) All cases are similar to the previous one except ifm= enc(u, k)

and the rule isS`x S`y

S`enc(x, y). But this case contradictsTiθ6`k.

Lemma 1. Letθbe a partial solution ofCandk, k0 ∈Kbe two non deducible keys, that islhs(C)θ 6` k, k0. Ifk ρLsθ

e k0, that is kencryptsk0 inLsθthen (k, k0) ∈ A.

Conversely, if(k, k0)∈Athenk ρLsτ

e k0, that iskencryptsk0inLsτ.

Let us first remark there is nox∈ V(C)such thatxθ=k(ork0), otherwise we would have that there existsT x∈Csuch thatT θ`xθ=ki.e.kis deducible fromLsθ (sincelhs(C)⊆Ls).

Suppose thatkencryptsk0inLsθ. for some partial solutionθ. This implies that there are termsu, vsuch thatv ∈ Lsθ,enc(u, k)v vandk0ρ1u. We can have that either (first case) there arew, w0such thatwvw0∈Ls,wnon variable andenc(u, k) =wθ, either (second case)enc(u, k)vxθwithx∈ V(Ls). In the second case, consider the constraintTx x ∈ C. We haveTxθ ` xθ. Hence we can apply Lemma 9 forxθ,

uandkto obtain that there exists a non variable termwsuch thatw vw0 ∈ Txand

wθ= enc(u, k). Hence, in both cases, we obtain that there arew, w0,wvw0 ∈Ls∪TL (sinceTx⊆TL) such thatw= enc(w0, k)(sincekis not deducible).

We havew0θ =u. Sincek0ρ1uandk0 is a name or a variable, we can have that

k0ρ1w0or k0ρ1yθ for somey ∈ V(w0). Ifk0ρ1w0 thenkencryptsk0 inLs∪TL. Hence, by construction of the graph G, we have that (k, k0) ∈ A. Ifk0ρ1yθ then

k0ρ1yτ sincek0 is not deducible,θcannot introduce new keys andτ contains all the available keys. Hence, again by construction of the graphG, we have that(k, k0)∈A.

Conversely, suppose that(k, k0_{)is an arc in the graphG. Then, from the} construc-tion of the graph, we can have the following possibilities. Eitherkencryptsk0_inL

s∪TL orkencryptsxinLs∪TLandk0ρ1xτfor some variablex∈ V(Ls∪TL). Ifkencrypts

k0 inLsthenkencryptsk0 inLsτ. IfkencryptsxinLsandk0ρ1xτ thenkencrypts

k0 inLsτ. Ifkencryptsk0 inTLthenkencryptsk0 inty, whereTy=TL,y∈ V(Ls). Hencekencryptsk0inyτ, thus inLsτ. Finally, ifkencryptsxinTLandk0ρ1xτthen

kencryptsk0inTLτ, hence as before, intyand thus inLsτ. Therefore in all cases we have thatkencryptsk0inLsτ.