Logical Analysis and Verification of Cryptographic Protocols - Loria
4.4. DECIDABILITY RESULTS 91
4.4.1 Symbolic model for constructive exclusive ownership vulnerability property
In order to symbolically analyse the class of cryptographic protocols using digital signature schemes vulnerable to the constructive exclusive ownership property (also called digital signature schemes having duplicate signature key selection property), we consider the following signature $F_{DSKS} = \{Sk, Pk, sig, ver, Sk', Pk', 1\}$ where
• Sk, denoting the secret key generation function which is a part of the key generation algorithm G, is a function with arity 1,
• Pk, denoting the public key generation function which is a part of the key generation algorithm G, is a function with arity 1,
• sig, denoting the signature generation algorithm, is a function with arity 2,
• ver, denoting the verification algorithm, is a function with arity 3,
• Sk′, denoting the “special” intruder secret key generation function, is a function with arity 2,
• Pk′, denoting the “special” intruder public key generation function, is a function with arity 2,
• 1, denoting a possible output of ver, is a function with arity 0.

The functions Sk, Pk (respectively sig and ver) given above abstract the two parts of the key generation algorithm G (respectively the signature generation algorithm, and the verification algorithm) in a signature scheme. The key generation algorithm employs a randomly generated number to perform its computation. We assume that this number is kept secret and that it is destroyed at the end of the computation. We abstract this situation by assuming the functions modelling this algorithm are private. The special functions Sk′, Pk′ abstract the ability of the intruder, knowing an agent’s public key (pk), and the agent’s signature s on a message m, to construct a new pair of secret and public keys (Pk′(pk, s), Sk′(pk, s)) such that the verification of s with respect to m and the new public key succeeds. We assume that $F_{DSKS} = F_{DSKS_{pub}} \cup F_{DSKS_{pri}}$ where $F_{DSKS_{pub}} = \{sig, ver, Sk', Pk', 1\}$ and $F_{DSKS_{pri}} = \{Sk, Pk\}$.
The constructive exclusive ownership vulnerability property is represented by the following equational theory, denoted by $H_{DSKS}$:

$$
H_{DSKS} = \begin{cases}
ver(x, sig(x, Sk(y)), Pk(y)) = 1 \\
ver(x, sig(x, Sk'(y_1, y_2)), Pk'(y_1, y_2)) = 1 \\
sig(x, Sk'(Pk(y), sig(x, Sk(y)))) = sig(x, Sk(y))
\end{cases}
$$
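
The following Python sketch is an added example, not code from the thesis. It orients the three equations left to right and enumerates one-step rewrites, showing that a single "peak" term reduces both to 1 and to ver(m, s, Pk′(pk, s)), so the theory equates the honest signature checked under the intruder's derived key with 1. The tuple encoding of terms, the constants m and a, and all Python function names are assumptions made for this illustration.

```python
# Terms: ("f", arg, ...) is an application, "?x" a rule variable, any other
# string a constant. The names m and a are constructed sample constants.
RULES = [  # the three equations of H_DSKS, oriented left to right
    (("ver", "?x", ("sig", "?x", ("Sk", "?y")), ("Pk", "?y")), "1"),
    (("ver", "?x", ("sig", "?x", ("Sk'", "?y1", "?y2")), ("Pk'", "?y1", "?y2")), "1"),
    (("sig", "?x", ("Sk'", ("Pk", "?y"), ("sig", "?x", ("Sk", "?y")))),
     ("sig", "?x", ("Sk", "?y"))),
]

def match(pat, term, env):
    """Return env extended so that pat instantiates to term, else None."""
    if isinstance(pat, str):
        if pat.startswith("?"):  # variable: bind it, or check the old binding
            return {**env, pat: term} if env.get(pat, term) == term else None
        return env if pat == term else None
    if isinstance(term, str) or len(pat) != len(term) or pat[0] != term[0]:
        return None
    for p, t in zip(pat[1:], term[1:]):
        env = match(p, t, env)
        if env is None:
            return None
    return env

def subst(t, env):
    """Instantiate the variables of t according to env."""
    if isinstance(t, str):
        return env.get(t, t)
    return (t[0],) + tuple(subst(a, env) for a in t[1:])

def successors(term):
    """Every term obtained by one rule application at any position."""
    out = []
    for lhs, rhs in RULES:
        env = match(lhs, term, {})
        if env is not None:
            out.append(subst(rhs, env))
    if not isinstance(term, str):
        for i in range(1, len(term)):
            out += [term[:i] + (s,) + term[i + 1:] for s in successors(term[i])]
    return out

def dsks_peak(m="m", a="a"):
    """Peak term and target: honest signature checked under the derived key."""
    s, pk = ("sig", m, ("Sk", a)), ("Pk", a)
    peak = ("ver", m, ("sig", m, ("Sk'", pk, s)), ("Pk'", pk, s))
    target = ("ver", m, s, ("Pk'", pk, s))
    return peak, target

if __name__ == "__main__":
    print([successors(t) for t in dsks_peak()])
```

The target term has no successors of its own, so naive left-to-right simplification never reduces it to 1; the equality only appears through the peak term, which the second equation sends to 1 and the third sends to the target.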