Logical Analysis and Verification of Cryptographic Protocols - Loria
14 CHAPTER 1. INTRODUCTION
have been obtained. These results can be divided into two classes: the decidability
results with (respectively without) the perfect cryptography hypothesis. An
encryption scheme is said to be perfect when no information (not even partial
information) about the plaintext can be obtained from a ciphertext without
knowing the decryption (secret) key. This hypothesis was introduced by R. Needham
and M. Schroeder [163], and by D. Dolev and A. Yao [107], in their respective works.
When the perfect encryption hypothesis is generalised to the other cryptographic
primitives, we speak of the perfect cryptography hypothesis.
While the perfect cryptography hypothesis is not realistic (in practice the intruder
may use the algebraic properties of cryptographic primitives when attacking
the protocol), several important attacks have been discovered under it. An example
of such attacks is the one discovered by G. Lowe on the Needham-Schroeder
public key protocol [145]. Furthermore, several results have been obtained;
we list some of them below.
Unbounded number of sessions. Assuming an unbounded number of sessions,
the problem is undecidable [14, 81, 110, 111], and remains undecidable
even if we suppose that no nonces (fresh data) are generated [81, 111],
or we bound the size of messages [14, 110]. This problem becomes
DEXPTIME-complete if we suppose that no nonces are generated and
bound the size of messages [71, 110]. In [106], the authors showed that
the security of Ping-pong protocols is decidable in PTIME.
Bounded number of sessions. Assuming a bounded number of sessions, M. Rusinowitch
and M. Turuani [178] showed that the problem is co-NP-complete.
Later, the perfect encryption hypothesis was relaxed, and several algebraic
properties of cryptographic primitives have been considered in the analysis of
cryptographic protocols. Several results have been obtained; we list some of
them below. The problem is co-NP-complete for Ping-pong protocols with a
commutative equational theory [69, 195]. The problem remains decidable for a
bounded number of sessions with exclusive or [87]. It also remains decidable
for Abelian groups [188].
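To make the gap between the two settings concrete, the following added example (not taken from the thesis) computes what a Dolev-Yao intruder can deduce from a few observed messages, first with exclusive or treated as an opaque symbol (perfect cryptography) and then with its cancellation property. The term encoding, the function names and the observed messages are constructed for illustration, and the pairwise saturation is only practical for small knowledge sets.

```python
from itertools import combinations

# Terms: atom = str; ("pair", a, b); ("enc", plaintext, key);
# XOR of atoms = frozenset of atom names (a modelling assumption of this sketch).

def synth(term, known):
    """Can the intruder compose `term` from terms it already knows?"""
    if term in known:
        return True
    if isinstance(term, tuple):              # pairing or encryption
        return synth(term[1], known) and synth(term[2], known)
    if isinstance(term, frozenset):          # XOR of atoms it knows
        return all(a in known for a in term)
    return False

def analyse(observed, xor_algebra):
    """Saturate the intruder's knowledge under the decomposition rules."""
    known = set(observed)
    while True:
        new = set()
        for t in known:
            if isinstance(t, tuple) and t[0] == "pair":
                new.update(t[1:])            # projection
            elif isinstance(t, tuple) and t[0] == "enc" and synth(t[2], known):
                new.add(t[1])                # decryption needs the key
        if xor_algebra:                      # x ^ x = 0: known XOR terms combine and cancel
            sums = [frozenset([t]) if isinstance(t, str) else t
                    for t in known if isinstance(t, (str, frozenset))]
            for a, b in combinations(sums, 2):
                d = a ^ b
                if d:
                    new.add(next(iter(d)) if len(d) == 1 else d)
        if new <= known:
            return known
        known |= new

def derivable(target, observed, xor_algebra):
    return synth(target, analyse(observed, xor_algebra))

# Constructed trace: the intruder sees {secret}_k, the blinded key k XOR n, and n.
OBSERVED = [("enc", "secret", "k"), frozenset({"k", "n"}), "n"]

if __name__ == "__main__":
    print("perfect cryptography:", derivable("secret", OBSERVED, False))
    print("with XOR equations:  ", derivable("secret", OBSERVED, True))
```

The same trace is judged secure under the perfect cryptography hypothesis and insecure once the equation x ⊕ x = 0 is available to the intruder, which is why the relaxed models need their own decidability results.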
Much research has focused on general classes of algebraic properties,
and several results have been obtained in that field. For example, M.
Baudet [32] has proved the decidability of the security problem for the class of
cryptographic protocols using primitives represented by subterm convergent
equational theories. S. Delaune and F. Jacquemard [95] have proved the decidability
of the security problem for the class of cryptographic protocols using
primitives represented by convergent public-collapsing equational theories, etc.
Other results can be found in [90].