Université Paris-Dauphine

Habilitation à Diriger des Recherches

Vérification automatique de protocoles cryptographiques : modèle formel et modèle calculatoire
(Automatic verification of cryptographic protocols: formal model and computational model)

Bruno Blanchet
CNRS, École Normale Supérieure, INRIA
[email protected]

Defended on 26 November 2008

Jury president: Jacques Stern
Reviewers (rapporteurs): Andrew Gordon, Jean Goubault-Larrecq, Serge Vaudenay
Examiners: Ralf Küsters, Mark Ryan
Coordinator: Vangelis Paschos
Research director: Patrick Cousot



Acknowledgements

I would first like to thank the members of my habilitation jury. Jacques Stern did me the honour of presiding over my jury; I thank him most particularly for it. Patrick Cousot has directed my work since my PhD, after having been my PhD advisor. I thank him especially for the great scientific freedom he granted me, without which I could never have carried out the work presented here. Andrew Gordon, Jean Goubault-Larrecq and Serge Vaudenay were the reviewers of this thesis; I thank them for the considerable work they put into it. Ralf Küsters, Vangelis Paschos and Mark Ryan kindly agreed to sit on the habilitation jury; I thank them warmly. I also thank Andrew Gordon, Ralf Küsters, Mark Ryan and Serge Vaudenay for travelling from abroad for my defence.

A large part of my work since my PhD was carried out in collaboration with co-authors. I thank them for contributions that have considerably enriched my work: Martín Abadi, Xavier Allamigeon, Benjamin Aziz, Avik Chaudhuri, Patrick Cousot, Radhia Cousot, Jérôme Feret, Cédric Fournet, Aaron D. Jaggard, Laurent Mauborgne, Antoine Miné, David Monniaux, Andreas Podelski, David Pointcheval, Xavier Rival, Andre Scedrov and Joe-Kai Tsay.

I would like to thank Martín Abadi in particular: it is essentially thanks to him that I carried out the work presented here. He is one of the pioneers of cryptographic protocol verification, and I had the chance to do a two-month internship under his direction at Bell Labs Research, Palo Alto. That internship considerably influenced the rest of my research: it was the starting point of my work on the verification of cryptographic protocols presented in this thesis, and also of a fruitful collaboration with Martín Abadi that has continued since.

I particularly thank Jacques Stern for having initiated my work on the verification of cryptographic protocols in the computational model, and David Pointcheval for having patiently explained computational proofs of protocols to me. The work presented in Chapter 3 would not have existed without them.

I also thank all the users of my tools ProVerif and CryptoVerif who, through their pertinent remarks, have helped improve these tools and encouraged me to continue developing them.

My thanks also go to all the members of the laboratories in which I carried out this work: Bell Labs Research, Palo Alto (August to October 2000), the Moscova project at INRIA Rocquencourt (until September 2001), the computer science department of the École normale supérieure (from October 2001), and the Max-Planck-Institut für Informatik (November 2001 to August 2004). They welcomed me in a very pleasant atmosphere and gave me excellent conditions in which to do my work. I thank in particular Martín Abadi at Bell Labs Research; Jean-Jacques Lévy, Alain Deutsch and Sylvie Loubressac at INRIA; all past and present members of the Abstract Interpretation team as well as Joëlle Isnard, Michèle Angely, Lise-Marie Bivard, Sylvia Imbert, Valérie Mongiat and the Service de Prestations Informatiques at ENS; Harald Ganzinger, Andreas Podelski and Ellen Fries at MPI.


This work was partially supported by the ANR (Agence Nationale de la Recherche) project ARA SSIA FormaCrypt.


Foreword

This habilitation thesis presents a synthesis of the work I have done since my PhD. This work has mainly concerned the automatic verification of cryptographic protocols.

The first chapter gives a brief introduction to cryptographic protocols and situates my work within the abundant literature on cryptographic protocol verification. The second chapter covers the automatic protocol verifier ProVerif, which is based on the formal model of protocols. The third chapter covers the verifier CryptoVerif, which is based on the computational model of protocols. The conclusion presents some research perspectives in this area. Finally, Chapter 5 summarises my teaching and supervision activities.

In the appendix you will find a detailed curriculum vitae with my list of publications, together with four of my most important publications.

Apart from my work on cryptographic protocols, I also took part, from November 2001 to November 2003, in the Astrée project on the verification of safety-critical embedded real-time C programs, with Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux and Xavier Rival. This project produced the Astrée analyser (www.astree.ens.fr), which can automatically prove the absence of run-time errors in programs of several hundred thousand lines [BCC+02, BCC+03]. That work is not detailed in this thesis.


Contents

1 Introduction 1
1.1 Cryptographic protocols 1
1.1.1 Cryptographic primitives 1
1.1.2 An example protocol 3
1.1.3 Protocols for varied applications 4
1.1.4 Why formal verification matters 5
1.2 Protocol models 6
1.3 Security properties 6
1.3.1 Trace properties and equivalence properties 6
1.3.2 Secrecy 7
1.3.3 Authentication 7
1.4 Protocol verification in the formal model 8
1.4.1 Trace properties (secrecy, authentication, ...) 8
1.4.2 Equivalence properties 12
1.5 Relating the formal and computational models 13
1.6 Protocol proofs in the computational model 14
1.7 Conclusion 16

2 Protocol verification in the formal model 17
2.1 Formal representation of cryptographic protocols 17
2.1.1 History 17
2.1.2 A language for representing protocols 18
2.1.3 An example protocol in this language 20
2.1.4 Semantics 21
2.1.5 Extension to equational theories 21
2.2 Horn clauses 22
2.2.1 Definition of secrecy 23
2.2.2 From the pi calculus to Horn clauses 23
2.2.3 Resolution on clauses 28
2.2.4 Verification of correspondence properties 31
2.2.5 Multi-phase scenarios 33
2.2.6 Proofs of equivalences 34
2.3 Results 37
2.4 Conclusion 38

3 Protocol verification in the computational model 39
3.1 A language for representing games 40
3.2 Observational equivalence 44
3.3 Game transformations 44
3.3.1 Syntactic transformations 44
3.3.2 Using the security assumptions on primitives 45
3.4 Security properties 49
3.4.1 Secrecy 49
3.4.2 Correspondences 50
3.5 Proof strategy 52
3.6 Results 53
3.7 Conclusion 54

4 Conclusion and perspectives 55

5 Teaching and supervision activities 57
5.1 Teaching 57
5.1.1 Tutorial classes at the École polytechnique 57
5.1.2 Tutorial classes at ENSTA 57
5.1.3 Tutorial classes at the Université de Versailles 57
5.1.4 DEA and Master's courses 58
5.2 Supervision 58
5.2.1 Reconstruction of attacks against cryptographic protocols 58
5.2.2 Analysis of protocols presented as a list of messages 59
5.2.3 Analysis of Java implementations of cryptographic protocols 59

Bibliography 61

A Curriculum vitae 81

B Attached articles 89
B.1 Analyzing Security Protocols with Secrecy Types and Logic Programs, Martín Abadi and Bruno Blanchet 91
B.2 Automatic Verification of Correspondences for Security Protocols, Bruno Blanchet 135
B.3 Automated Verification of Selected Equivalences for Security Protocols, Bruno Blanchet, Martín Abadi and Cédric Fournet 213
B.4 A Computationally Sound Mechanized Prover for Security Protocols, Bruno Blanchet 273


Chapter 1

Introduction

Chapter contents

1.1 Cryptographic protocols 1
1.1.1 Cryptographic primitives 1
1.1.2 An example protocol 3
1.1.3 Protocols for varied applications 4
1.1.4 Why formal verification matters 5
1.2 Protocol models 6
1.3 Security properties 6
1.3.1 Trace properties and equivalence properties 6
1.3.2 Secrecy 7
1.3.3 Authentication 7
1.4 Protocol verification in the formal model 8
1.4.1 Trace properties (secrecy, authentication, ...) 8
1.4.2 Equivalence properties 12
1.5 Relating the formal and computational models 13
1.6 Protocol proofs in the computational model 14
1.7 Conclusion 16

Since my PhD, most of my work has concerned the automatic verification of cryptographic protocols. This chapter introduces this very active research area and situates my contributions within it. The following chapters concentrate more on my own work.

1.1 Cryptographic protocols

A protocol is a convention that determines the messages exchanged between several computers on a network. A cryptographic protocol uses cryptographic primitives (encryption, signatures, ..., explained in a little more detail below) in order to guarantee that messages are exchanged securely even when the network itself is not secure. This is the case in particular of the Internet, to which unknown, potentially hostile, computers can connect.

1.1.1 Cryptographic primitives

Cryptographic protocols use cryptographic primitives as building blocks. Some of the most common primitives are the following.


Shared-key encryption. Shared-key encryption encodes a message with a key in such a way that it can be decrypted in reasonable time only by someone who knows that key. One traditionally writes {M}k for the message M encrypted under the key k; the key k is used to recover M from the ciphertext {M}k.

An example of a shared-key encryption scheme is DES, which has been abandoned in favour of the more secure AES. Encryption guarantees the confidentiality of the transmitted message.

Public-key encryption. Public-key, or asymmetric, encryption, a concept introduced by Diffie and Hellman [DH76] in 1976, differs from shared-key encryption in that the decryption key is not the same as the encryption key. The encryption key is public, so anyone can encrypt a message. The decryption key, on the other hand, is secret: only the holder of that key, the recipient of the message, can decrypt. One writes {M}pk for the encryption of M under the public key pk; the secret key sk recovers M from {M}pk. The best-known public-key encryption scheme is RSA, by Rivest, Shamir and Adleman [RSA78].

The main advantage of public-key encryption is that the participants exchanging messages do not need to share a secret beforehand. On the other hand, it is much more expensive than shared-key encryption. For this reason it is generally used to transmit a shared key, which is then used to encrypt the data itself.

Signatures. Signatures also rely on asymmetric cryptography, but this time the situation is reversed: the signing key is secret, so only its holder can sign. The signature verification key is public, so anyone can check that a signature is correct. One writes {M}sk for the signature of the message M with the secret key sk.

The RSA cryptosystem is also the basis of a signature scheme. Signatures guarantee the authenticity of the signed message (only the holder of the secret key can sign it).

Diffie-Hellman key agreement. Diffie-Hellman key agreement [DH76] relies on the following property of modular exponentiation: $(g^a)^b = (g^b)^a = g^{ab}$ in the group $\mathbb{Z}_p^*$, where $p$ is a large prime and $g$ is a generator of $\mathbb{Z}_p^*$, together with the assumption that it is hard to compute $g^{ab}$ from $g^a$ and $g^b$ without knowing the random numbers $a$ and $b$ (the computational Diffie-Hellman assumption), or the stronger assumption that it is hard to distinguish $g^a, g^b, g^{ab}$ from $g^a, g^b, g^c$ without knowing the random numbers $a$, $b$ and $c$ (the decisional Diffie-Hellman assumption).

These properties are exploited to establish a shared key between two participants A and B of a protocol: A chooses $a$ at random and sends $g^a$ to B; symmetrically, B chooses $b$ at random and sends $g^b$ to A. A can then compute $(g^b)^a$, since it holds $a$ and receives $g^b$, while B computes $(g^a)^b$. These two values are equal and can be used to compute the shared key. The attacker, on the other hand, has $g^a$ and $g^b$ but neither $a$ nor $b$, so by the computational Diffie-Hellman assumption it cannot compute the key. (This argument covers a passive attacker only: an active attacker who replaces $g^a$ and $g^b$ in transit with its own values ends up sharing one key with A and another with B, which is why protocols built on Diffie-Hellman authenticate the exchanged values, for instance with signatures.)
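The exchange just described, written out as an added example that is not part of the thesis. Both sides compute the same group element and derive a key from it; the passive attacker, who only sees $g^a$ and $g^b$, has to solve a discrete logarithm. The toy modulus `P` and base `G` are my own choice so that the brute-force discrete log finishes instantly, which is precisely what a real-size prime rules out; the SHA-256 key derivation is likewise an illustrative stand-in for a proper KDF.

```python
# Added example (not part of the thesis): Diffie-Hellman key agreement in Z_p^*
# and what a passive attacker holding only g^a and g^b can do.
import hashlib
import secrets

# Toy group parameters (assumption, illustration only): p is prime but far too
# small for real use, so the brute-force discrete log below succeeds at once.
# Deployed protocols use standardised groups with p of 2048 bits or more.
P = 1_000_003
G = 2


def dh_keypair(p=P, g=G):
    """Pick a random exponent a in [1, p-2] and return (a, g^a mod p)."""
    a = secrets.randbelow(p - 2) + 1
    return a, pow(g, a, p)


def dh_shared(priv, other_pub, p=P):
    """(g^b)^a = (g^a)^b: raise the peer's public value to one's own exponent."""
    return pow(other_pub, priv, p)


def derive_key(shared, p=P):
    """Hash the group element into a fixed-length key (stand-in for a real KDF)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def run_exchange(p=P, g=G):
    """Both sides of the exchange; returns (keys agree?, g^a, g^b, A's key)."""
    a, ga = dh_keypair(p, g)          # A -> B : g^a
    b, gb = dh_keypair(p, g)          # B -> A : g^b
    key_a = derive_key(dh_shared(a, gb, p), p)
    key_b = derive_key(dh_shared(b, ga, p), p)
    return key_a == key_b, ga, gb, key_a


def brute_force_dlog(h, p=P, g=G):
    """Return some x with g^x = h mod p by exhaustive search (toy p only)."""
    x, cur = 0, 1
    while cur != h:
        cur = cur * g % p
        x += 1
        if x >= p:
            return None
    return x


def passive_attacker(ga, gb, p=P, g=G):
    """The attacker sees only g^a and g^b.  Recovering the key needs a discrete
    log, which is exactly what the CDH assumption rules out for a large p."""
    a = brute_force_dlog(ga, p, g)
    return None if a is None else derive_key(pow(gb, a, p), p)


if __name__ == "__main__":
    agreed, ga, gb, key = run_exchange()
    print("keys agree:", agreed)
    print("toy attacker recovers the key:", passive_attacker(ga, gb) == key)
```

Swap `P` for a real 2048-bit group modulus and `brute_force_dlog` never returns, while `run_exchange` still agrees on a key: that asymmetry between the honest computation and the attacker's is the whole point of the assumption.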

Exclusive or. Exclusive or provides an ideal encryption scheme: to encrypt a message M, one chooses a random number a and computes the bitwise exclusive or of a and M, a ⊕ M. M is recovered as a ⊕ (a ⊕ M). However, this scheme is secure only if the key a is used exactly once, which raises a major practical problem: the recipient of the message must be given a key as long as the totality of the messages to be encrypted. Exclusive or is therefore rarely used on its own as an encryption scheme, but it is used in combination with other primitives inside protocols.
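The one-time-pad scheme above together with its failure mode, as an added example that is not part of the thesis: a single use decrypts correctly, but reusing the pad a for two messages hands the attacker M1 ⊕ M2, and knowing or guessing one plaintext yields the other. The sample messages are constructed for the example.

```python
# Added example (not part of the thesis): exclusive-or as a one-time pad, and
# what breaks when the same pad a is used for two messages.
import secrets


def xor_bytes(x, y):
    """Bitwise exclusive or of two equal-length byte strings."""
    if len(x) != len(y):
        raise ValueError("one-time pad must be exactly as long as the message")
    return bytes(p ^ q for p, q in zip(x, y))


def otp_encrypt(pad, message):
    """a ⊕ M; the pad must be uniformly random and never reused."""
    return xor_bytes(pad, message)


def otp_decrypt(pad, ciphertext):
    """a ⊕ (a ⊕ M) = M, since x ⊕ x = 0."""
    return xor_bytes(pad, ciphertext)


def leak_from_pad_reuse(ct1, ct2):
    """If ct1 = a ⊕ M1 and ct2 = a ⊕ M2 then ct1 ⊕ ct2 = M1 ⊕ M2: the pad
    cancels out and the attacker learns the xor of the two plaintexts."""
    return xor_bytes(ct1, ct2)


def recover_other_plaintext(ct1, ct2, known_m1):
    """With one plaintext known (or guessed), the other follows directly."""
    return xor_bytes(leak_from_pad_reuse(ct1, ct2), known_m1)


def demo():
    """Constructed sample messages (not from the thesis); returns what the
    attacker recovers of the second message after pad reuse."""
    m1 = b"transfer 100 EUR"
    m2 = b"transfer 900 EUR"
    pad = secrets.token_bytes(len(m1))
    c1 = otp_encrypt(pad, m1)
    c2 = otp_encrypt(pad, m2)            # same pad twice: the mistake
    assert otp_decrypt(pad, c1) == m1    # a single use is perfectly fine
    return recover_other_plaintext(c1, c2, m1)


if __name__ == "__main__":
    print("attacker recovers:", demo())
```

Note that `leak_from_pad_reuse` never touches the pad: the attacker works from the two ciphertexts alone, which is why the scheme is only as secure as the promise that a is never used twice.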

Hash functions. A hash function, written h here, computes a number, the hash, whose length is of the same order as that of a cryptographic key (a few hundred bits) from data of arbitrary length. The hash serves to verify the integrity of the hashed data: if the hash is the same, the hashed data is considered unchanged, so a hash function must satisfy properties such as preimage resistance (given h, it is hard to find m such that h = h(m)) and collision resistance (it is hard to find distinct m1 and m2 such that h(m1) = h(m2)). The best-known hash functions are SHA-1 and MD5. (Collision attacks have been found against both [WY05, WYY05], so neither should be relied on where collision resistance matters.)

The reader who wants more detail on cryptographic primitives may consult the introductory books on cryptology [Sch96, Sti05].

1.1.2 An example protocol

Fig. 1.1 – A simple protocol example: A (Alice) sends {{k}skA}pkB to B (Bob), with k fresh; B replies {s}k.

We illustrate the notion of cryptographic protocol on the following example, a simplified version of the Denning-Sacco public-key key distribution protocol [DS81].

Message 1. A → B : {{k}skA}pkB      (k fresh)
Message 2. B → A : {s}k

This protocol is illustrated in Figure 1.1. In it, participant A chooses a fresh key k at each execution of the protocol. It signs this key with its secret key skA, encrypts the resulting message under the public key of its interlocutor B, and sends B the message. On receiving it, B decrypts (using its secret key skB), verifies A's signature and obtains the key k. Having verified that signature, B is convinced that the key was chosen by A, and the encryption under pkB guarantees that only B could decrypt the message, so k should be shared between A and B. B then encrypts a secret s under the shared key k. Only A should be able to decrypt this message and obtain the secret s.

In the literature, as in the example above, protocols are generally described informally by giving the list of messages that are to be exchanged between the participants. One must keep in mind, however, that these descriptions are only informal: they show what happens in the absence of an attacker. But an attacker can capture messages or send its own, so the source or destination of a message may not be the expected one. Moreover, these descriptions leave implicit the checks the participants perform when they receive messages. Since the attacker can send messages different from the expected ones and exploit the reply it obtains, these checks are very important: they determine which messages are refused or accepted, and may therefore protect, or not, against attacks. Formal models of protocols make all of this precise. Such a model is presented in Section 2.1.

The protocol above is subject to the attack shown in Figure 1.2. In this attack, A runs the protocol with a dishonest participant C. This participant receives the first message of the protocol, {{k}skA}pkC, decrypts it and re-encrypts it under the public key of B. The resulting message {{k}skA}pkB is exactly the first message of a session between A and B. C then sends this message to B, impersonating A. B replies by sending the secret s, intended for A, encrypted under k. C, having obtained the key k from the first message, can then decrypt this message and obtain the secret s.

Fig. 1.2 – An attack against this protocol: A (Alice) sends {{k}skA}pkC to C (the attacker), with k fresh; C, acting as A (Alice), sends {{k}skA}pkB to B (Bob); B replies {s}k.

Fig. 1.3 – The corrected protocol: A (Alice) sends {{A,B,k}skA}pkB to B (Bob), with k fresh; B replies {s}k.

The protocol is easily corrected. One adds the identities of A and B to the signed message, which gives the following protocol, also shown in Figure 1.3:

Message 1. A → B : {{A,B,k}skA}pkB      (k fresh)
Message 2. B → A : {s}k

When it receives the first message, B checks that the identities of A and B are correct (in particular, that its own identity appears in second position). After this modification, in a session between A and C, the attacker C receives {{A,C,k}skA}pkC. It can no longer transform this message into {{A,B,k}skA}pkB, because it cannot transform the signature containing C into a signature containing B instead. The previous attack is therefore impossible. However, this does not prove that the protocol is correct: there may be other attacks. We will pursue the study of this small example in Chapter 2 and see how it can be verified automatically.
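The attack and its fix, replayed in a small symbolic model written for this page (it is not the thesis's own formalisation, nor ProVerif input). Messages are terms over black-box constructors in the style of the formal model: the attacker C holds its own key pair, observes message 1 of A's sessions with C and with B, closes its knowledge under decomposition (open tuples, read signed messages, decrypt with keys it can derive), and then tries every name it knows as a session key to push to B. The names `k_AC`, `k_AB`, `n_C`, `s`, the model of B's checks and the bounded search over names are all assumptions of this example.

```python
# Added example (not part of the thesis): a small symbolic (Dolev-Yao style)
# model of the simplified Denning-Sacco protocol above.  It replays the attack
# of Figure 1.2 and checks that adding the identities (Figure 1.3) blocks it.
# Terms are nested tuples over names (strings) and these constructors:
#   {M}pk -> aenc(M, pk)   {M}sk -> sign(M, sk)   {M}k -> senc(M, k)   (A,B,k) -> tup(...)

def pk(x):      return ('pk', x)
def sk(x):      return ('sk', x)
def aenc(m, k): return ('aenc', m, k)
def sign(m, k): return ('sign', m, k)
def senc(m, k): return ('senc', m, k)
def tup(*xs):   return ('tuple',) + xs


def derivable(t, know):
    """Can the attacker build t from the analysed knowledge set know?"""
    if t in know:
        return True
    if isinstance(t, tuple) and t[0] in ('aenc', 'sign', 'senc'):
        return derivable(t[1], know) and derivable(t[2], know)
    if isinstance(t, tuple) and t[0] == 'tuple':
        return all(derivable(x, know) for x in t[1:])
    return False                  # names, pk(.) and sk(.) cannot be manufactured


def analyse(know):
    """Close know under decomposition: open tuples, read signed messages, and
    decrypt whenever the key can be derived.  Iterated to a fixpoint."""
    know, changed = set(know), True
    while changed:
        changed = False
        for t in list(know):
            if not isinstance(t, tuple):
                continue
            tag, new = t[0], []
            if tag == 'tuple':
                new = list(t[1:])
            elif tag == 'sign':                     # a signature reveals its message
                new = [t[1]]
            elif (tag == 'aenc' and isinstance(t[2], tuple) and t[2][0] == 'pk'
                  and derivable(sk(t[2][1]), know)):
                new = [t[1]]
            elif tag == 'senc' and derivable(t[2], know):
                new = [t[1]]
            for n in new:
                if n not in know:
                    know.add(n)
                    changed = True
    return know


def names(t):
    """All atomic names occurring anywhere in a term."""
    if isinstance(t, str):
        return {t}
    out = set()
    for x in t[1:]:
        out |= names(x)
    return out


def bob_accepts(msg, fixed):
    """B's checks on message 1; returns the session key B will use, or None."""
    if not (isinstance(msg, tuple) and msg[0] == 'aenc' and msg[2] == pk('B')):
        return None                                 # B can only decrypt with sk(B)
    inner = msg[1]
    if not (isinstance(inner, tuple) and inner[0] == 'sign' and inner[2] == sk('A')):
        return None                                 # signature must verify under pk(A)
    payload = inner[1]
    if not fixed:
        return payload                              # original protocol: payload is k
    ok = (isinstance(payload, tuple) and payload[0] == 'tuple' and len(payload) == 4
          and payload[1] == 'A' and payload[2] == 'B')
    return payload[3] if ok else None               # fixed protocol: identities must be (A, B)


def secret_leaks(fixed):
    """Bounded search: C runs the protocol with A as itself and with B as A.
    Returns (True, k) if C obtains s using session key k, else (False, None)."""
    body = (lambda peer, k: tup('A', peer, k)) if fixed else (lambda peer, k: k)
    know = analyse({
        'A', 'B', 'C', pk('A'), pk('B'), pk('C'), sk('C'), 'n_C',
        aenc(sign(body('C', 'k_AC'), sk('A')), pk('C')),   # message 1, session A with C
        aenc(sign(body('B', 'k_AB'), sk('A')), pk('B')),   # message 1, session A with B
    })
    for k in sorted(set().union(*map(names, know))):       # candidate session keys
        msg1 = aenc(sign(body('B', k), sk('A')), pk('B'))
        if derivable(msg1, know) and bob_accepts(msg1, fixed) == k:
            after = analyse(know | {senc('s', k)})         # B answers with {s}k
            if derivable('s', after):
                return True, k
    return False, None


if __name__ == "__main__":
    print("original protocol, secret leaks:", secret_leaks(fixed=False))
    print("corrected protocol, secret leaks:", secret_leaks(fixed=True))
```

In the original protocol the search finds the trace of Figure 1.2: `k_AC` is read out of the signature after decrypting with sk(C), the re-encryption under pk(B) is derivable, B accepts it and {s}k_AC then decrypts. In the corrected protocol replaying A's genuine message to B is still possible, but it yields {s}k_AB with k_AB unknown, and no signature over (A, B, k) can be built without sk(A), so s stays secret within this bounded model. As the paragraph above says, that is not a proof of the protocol; an unbounded analysis of the kind Chapter 2 describes is what ProVerif provides.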

1.1.3 Protocols for varied applications

For a long time, cryptography was used essentially for military purposes, to communicate secret information without the enemy being able to obtain it. Nowadays cryptography is widely used in the civilian domain, in particular on the Internet. A very common kind of protocol is key exchange: two participants use a protocol to agree on a shared key, then use that key to transmit data securely. The following protocols work this way:

– SSH (Secure SHell) [Ylo06] is used for secure connections to remote machines and for file transfers.

– TLS (Transport Layer Security) [DR06], the successor of SSL (Secure Socket Layer), provides a layer above TCP that can give secure communications to any application. It is in particular the protocol used for https:// URLs. SSL version 1.0 was never published; SSL 2.0 contained security flaws, which SSL 3.0 sought to correct [WS96]. TLS 1.0 is very close to SSL 3.0, and the version current at the time of writing, TLS 1.1, contains a few further minor improvements.

– IKEv2 (Internet Key Exchange, version 2) [Kau05] is the key exchange protocol of IPsec, which connects remote machines as if they were part of a private network, thus forming a virtual private network (VPN). (Version 2 corrects weaknesses of the first version, in particular concerning resistance to denial-of-service attacks. Such an attack consists in initiating many connections to a server so that it no longer has the resources to answer legitimate connection requests. It is easy when the attacker can initiate a connection with few resources while the server must perform expensive operations.)

Some protocols have more specific goals. For instance:

– Electronic voting protocols, such as [BFP+01, CRS05], seek to guarantee that each voter can check that their vote is correctly counted, that the secrecy of votes is preserved, and that a voter cannot prove to someone else how they voted (to prevent vote buying).

– Contract signing protocols, for instance [BWW00] or [GM99] (which is flawed [CKS04], and the correction proposed in [CKS04] is itself flawed [MR06]), seek in particular to guarantee that no signatory can obtain a signed contract without the others obtaining it too.

– Certified e-mail protocols [AGHP02, LMBG05] provide the electronic equivalent of registered mail.

– Protocols are used to secure communications on WiFi wireless networks [IEE99] (WEP, Wired Equivalent Privacy, which is subject to attacks [BHL06] and has been replaced by WPA, WiFi Protected Access [WFA], and WPA2 [IEE04]).

– Cryptographic protocols are also used in mobile telephony and in bank card payments.

Protocol libraries such as [CJ97] and the SPORE (Security Protocols Open Repository) web site at http://www.lsv.ens-cachan.fr/spore/ provide many examples of cryptographic protocols from the literature.

1.1.4 Why formal verification matters

Designing cryptographic protocols is particularly delicate, as shown by the many errors found in protocols after their publication. An extreme example is the Needham-Schroeder public-key protocol [NS78], published in 1978, against which Lowe discovered an attack in 1996 using the model checker FDR [Low96]. Some other examples of flawed protocols were cited above. Moreover, security flaws cannot be detected by testing protocols, since they appear only in the presence of an attacker. Errors in protocols can have serious consequences, such as financial losses in the case of electronic commerce. For all these reasons it is particularly important to have formal proofs that protocols are secure, which is why this topic has been the subject of very active research.


1.2 Modeles des protocoles

To model a cryptographic protocol, one assumes that the network is entirely controlled by the attacker, who can eavesdrop on the transmitted messages, compute on these messages, and send to the protocol participants any message it has managed to compute. Such an attacker is called an active attacker, as opposed to a passive attacker, who only listens to the exchanged messages without sending messages of its own.

Two models of cryptographic protocols have been considered:

– The formal model, due to Needham and Schroeder [NS78] and to Dolev and Yao [DY83], and often called the Dolev-Yao model, in which cryptographic functions are treated as black boxes, messages are terms over these cryptographic functions, and the attacker is restricted to computing with these functions. This model assumes perfect cryptography. For instance, for encryption, one assumes that decryption is possible only with the key. More generally, equations can be added to model the properties of cryptographic primitives, but one always assumes that the only true equalities are those explicitly given by these equations.

– The computational model, developed in the early 1980s by Goldwasser, Micali, Rivest, Yao, among others (see for example [GM84, GMR88, Yao82]), in which messages are bit strings (0 or 1) and the attacker can run any algorithm modeled by a probabilistic Turing machine. The key length is determined by a value called the security parameter, and the attacker's running time must be polynomial in the security parameter. A security property is considered true when the probability that it fails is negligible in the security parameter. (A function is said to be negligible when it is smaller than the inverse of any polynomial.) This probability can be bounded explicitly as a function of the attacker's computation time and of the probability of breaking each cryptographic primitive; this is called exact security.

The computational model is much more realistic, but proving protocols in this model is delicate and, until very recently, these proofs were done by hand. The formal model, in contrast, lends itself well to automatic proofs, essentially by enumerating all the messages the attacker can compute. From the 1990s until now, the proof of protocols in the formal model has been an important application area for formal verification methods.

1.3 Security properties

Protocols may aim to satisfy a wide variety of security properties. The most common ones can be classified into two categories, trace properties and equivalence properties. We define these two categories and mention two particularly important examples: secrecy and authentication.

1.3.1 Trace properties and equivalence properties

Trace properties are properties that can be defined on each execution trace of the protocol. The protocol satisfies such a property when it holds for every trace in the formal model, and for all traces except a set of negligible probability in the computational model. For instance, the fact that certain states are unreachable is a trace property.

Equivalence or indistinguishability properties mean that the attacker cannot distinguish two protocols. In the formal model, one generally speaks of process equivalence or observational equivalence [AG99, AG98, AF01], whereas in the computational model one rather speaks of indistinguishability. These equivalences make it possible to model subtle security properties. In particular, they can express that a protocol satisfies a specification, by requiring the protocol and its specification to be equivalent. They provide compositional proofs: if a protocol P is equivalent to P', then P can be replaced by P' in a more complex protocol. In the computational model, this approach underlies the idea of universal composability [Can01]. On the other hand, in the formal model, their proof is harder to automate than proofs of trace properties: they cannot be expressed on a single trace but require relations between traces (or between processes).

1.3.2 Secrecy

Secrecy, or confidentiality, means that the attacker cannot obtain certain information about the data. In the formal model, secrecy can be modeled in two ways:

– Most often, secrecy means that the attacker is unable to obtain exactly a certain piece of data. When there is ambiguity, this notion will be called syntactic secrecy.

– A stronger notion is sometimes used, which we will call strong secrecy, meaning that the attacker cannot detect a change in the value of the secret [Aba99, Bla04a]. In other words, the attacker has no information about the value of the secret.

The distinction between syntactic secrecy and strong secrecy can be illustrated by a simple example: consider a piece of data of which the attacker knows half of the bits but not the other half. This data is secret in the syntactic sense, because the attacker cannot reconstruct it, but not in the sense of strong secrecy, since the attacker can see whether one of the bits it knows changes. The notion of syntactic secrecy cannot be used to express the secrecy of data chosen among known constants. For instance, speaking of the syntactic secrecy of a bit 0 or 1 makes no sense, since the attacker knows the values 0 and 1 from the start. In this case, strong secrecy must be used: the attacker must not be able to distinguish a protocol that uses the value 0 from the same protocol using the value 1. Cortier, Rusinowitch and Zalinescu [CRZ07] have shown that these two notions of secrecy are often equivalent, for atomic data (data that is never split into several pieces, such as nonces, which are random numbers chosen independently at each execution of the protocol and thus used only once¹) and probabilistic cryptographic primitives.
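To make the Dolev-Yao deduction of the formal model and the notion of syntactic secrecy concrete, here is an added Python example (it is not code from the thesis or from ProVerif); the term constructors, the attacker's initial knowledge and the observed messages are constructed for this example.

```python
# Added example, not code from the thesis or from ProVerif: Dolev-Yao
# attacker deduction over a term algebra. Cryptography is "perfect": the only
# equalities are the ones stated by the decomposition rules in analyze().
# Atoms (names, keys, nonces) are strings; constructor applications are
# tuples whose first element is the constructor name.


def pair(a, b):
    return ("pair", a, b)


def senc(m, k):           # shared-key encryption of m under k
    return ("senc", m, k)


def aenc(m, pkey):        # public-key encryption of m under pkey
    return ("aenc", m, pkey)


def pk(sk):               # public key derived from the secret key sk
    return ("pk", sk)


def hash_(m):             # one-way hash
    return ("hash", m)


def synthesizable(t, K):
    """Can the attacker build t from the set K using constructors only?
    Every constructor is public, so t is buildable when t itself is known
    or when all of its arguments are buildable."""
    if t in K:
        return True
    if isinstance(t, tuple):
        return all(synthesizable(arg, K) for arg in t[1:])
    return False


def analyze(K):
    """Close K under the decomposition rules of the Dolev-Yao model:
    - from pair(a, b) learn a and b;
    - from senc(m, k) learn m if the attacker can build k;
    - from aenc(m, pk(sk)) learn m if the attacker can build sk.
    Hashes cannot be inverted. Decomposition never creates larger terms,
    so this fixpoint is reached after finitely many steps."""
    K = set(K)
    changed = True
    while changed:
        changed = False
        for t in list(K):
            if not isinstance(t, tuple):
                continue
            learned = set()
            if t[0] == "pair":
                learned.update(t[1:])
            elif t[0] == "senc" and synthesizable(t[2], K):
                learned.add(t[1])
            elif (t[0] == "aenc" and isinstance(t[2], tuple)
                  and t[2][0] == "pk" and synthesizable(t[2][1], K)):
                learned.add(t[1])
            if not learned <= K:
                K |= learned
                changed = True
    return K


def derivable(t, K):
    """Dolev-Yao derivability: decompose first, then build. For the rules
    above, any derivation can be rearranged so that decompositions come
    first (keys may still be built on the way, which analyze() allows), so
    this two-phase check is complete, not just sound."""
    return synthesizable(t, analyze(K))


def syntactic_secrecy(secret, K):
    """Syntactic secrecy (section 1.3.2): the attacker cannot obtain the
    exact value of the secret."""
    return not derivable(secret, K)


# Constructed attacker knowledge: identities, public keys, the key pair of
# a dishonest participant E, and four messages observed on the network.
ATTACKER_KNOWLEDGE = {
    "A", "B", pk("skA"), pk("skB"),
    "skE", pk("skE"),
    aenc(pair("Na", "A"), pk("skB")),   # A -> B: nonce Na, only B can open it
    senc("s1", "Na"),                   # secret s1 keyed by Na
    aenc(pair("Nb", "B"), pk("skE")),   # B -> E: E (the attacker) learns Nb
    senc("s2", hash_("Nb")),            # secret s2 keyed by hash(Nb)
}

if __name__ == "__main__":
    for name in ("Na", "s1", "Nb", "s2"):
        status = "secret" if syntactic_secrecy(name, ATTACKER_KNOWLEDGE) else "LEAKED"
        print(name, status)
```

Na and s1 remain syntactically secret, while Nb and s2 leak because the attacker opens the message addressed to E and then builds hash(Nb).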

The notion of strong secrecy is intuitively closer to the notion of secrecy used in the computational model, which means that a probabilistic polynomial-time attacker cannot distinguish the secret from a random number with non-negligible probability [AFP06].

Syntactic secrecy is a trace property, whereas strong secrecy and computational secrecy are equivalence properties.

1.3.3 Authentication

Authentication means that, if a participant A runs the protocol apparently with a participant B, then B runs the protocol apparently with A, and conversely. In general, one also requires that A and B share the same values of the protocol parameters.

In the formal model, this is generally modeled by correspondence properties [WL93, Low97], of the form: if A executes a certain event e1 (for instance, A finishes the protocol with B), then B has executed a certain event e2 (for instance, B has started a session of the protocol with A). There are several variants of these properties. For example, one can require that each execution of e1 corresponds to a distinct execution of e2 (injective correspondence) or, on the contrary, only that if e1 has been executed then e2 has been executed at least once (non-injective correspondence). The events e1 and e2 can also include more or fewer parameters depending on the desired property. These properties are trace properties.

¹ In English, a nonce word is a word coined for the occasion, not intended to be reused.

The modeling is fairly similar in the computational model, with the notion of matching conversations [BR93b] and the more recent formalizations that use session identifiers, such as [BPR00, AFP06], which essentially require that the exchanged messages as seen by A and by B are the same, up to negligible probability.
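As an added illustration of the correspondence properties of section 1.3.3 (not part of the thesis), the following Python checks non-injective and injective correspondences on constructed traces; the event shape and the sample traces are assumptions of this example.

```python
# Added example, not code from the thesis: checking correspondence properties
# on execution traces, the formal-model view of authentication. Event names,
# fields and the sample traces are assumptions of this example.
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    kind: str       # "begin": start a session; "end": finish a session
    actor: str      # participant executing the event
    peer: str       # participant it believes it is talking to
    params: Tuple   # protocol parameters both sides must agree on


def _matches(begin: Event, end: Event) -> bool:
    """e2 = begin(B, A, params) corresponds to e1 = end(A, B, params)."""
    return (begin.kind == "begin" and begin.actor == end.peer
            and begin.peer == end.actor and begin.params == end.params)


def non_injective_violation(trace: List[Event]) -> Optional[Event]:
    """Non-injective correspondence: every end(A, B, params) must be preceded
    by at least one begin(B, A, params). Returns the first end event with no
    earlier matching begin, or None when the property holds."""
    for i, ev in enumerate(trace):
        if ev.kind == "end" and not any(_matches(e, ev) for e in trace[:i]):
            return ev
    return None


def injective_violation(trace: List[Event]) -> Optional[Event]:
    """Injective correspondence: every end event must be matched to a
    distinct earlier begin event. Ends are processed in trace order and take
    the earliest unused matching begin; this greedy choice is optimal since
    a begin available to an earlier end is also available to every later end
    with the same parameters. Returns the first unmatched end event, or
    None when the property holds."""
    used = set()
    for i, ev in enumerate(trace):
        if ev.kind != "end":
            continue
        for j in range(i):
            if j not in used and _matches(trace[j], ev):
                used.add(j)
                break
        else:
            return ev
    return None


# Constructed traces; params holds the nonce of the session.
HONEST_TRACE = [
    Event("begin", "B", "A", ("n1",)),
    Event("end", "A", "B", ("n1",)),
    Event("begin", "B", "A", ("n2",)),
    Event("end", "A", "B", ("n2",)),
]

# Replay: A finishes twice although B started only one session with A.
# The non-injective property still holds, the injective one does not.
REPLAY_TRACE = [
    Event("begin", "B", "A", ("n1",)),
    Event("end", "A", "B", ("n1",)),
    Event("end", "A", "B", ("n1",)),
]

# Disagreement on parameters: both properties fail.
MISMATCH_TRACE = [
    Event("begin", "B", "A", ("n1",)),
    Event("end", "A", "B", ("n2",)),
]

if __name__ == "__main__":
    for name, trace in (("honest", HONEST_TRACE), ("replay", REPLAY_TRACE),
                        ("mismatch", MISMATCH_TRACE)):
        print(name, "non-injective:", non_injective_violation(trace) is None,
              "injective:", injective_violation(trace) is None)
```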

1.4 Protocol verification in the formal model

We first deal with the verification of trace properties, which is easier, then with equivalence properties.

1.4.1 Trace properties (secrecy, authentication, ...)

Automatic verification of protocols in the formal model is certainly easier than in the computational model, but it still presents significant difficulties. Essentially, the state space to explore is infinite, for two reasons: the size of messages is not bounded in the presence of an active attacker, and the number of sessions (executions) of the protocol is not bounded. On the other hand, the number of protocol participants can easily be bounded without missing attacks [CLC04]: for protocols that do not perform disequality tests, one honest participant suffices for secrecy if a participant is allowed to play all roles of the protocol, and two participants suffice for authentication.

A simple solution to this problem consists in exploring only a finite part of the state space, by arbitrarily limiting both the set of messages and the number of protocol sessions. Standard model-checking techniques can then be applied, using systems such as FDR [Low96], Murφ [MMS97], Maude [DMT98], Brutus [CJM00], Elan [Cir01] or SATMC (SAT-based Model-Checker) [ACG03]. This makes it possible to find attacks against protocols, but not to prove the absence of attacks, since attacks may appear in an unexplored part of the state space. (One can in fact build a family of protocols such that the n-th protocol has an attack with n parallel sessions [Mil99].)

If only the number of sessions is limited, protocol verification remains decidable: insecurity (the existence of an attack) is NP-complete, under reasonable assumptions on the primitives used [RT03]. When the cryptographic primitives have algebraic relations, the situation is more complicated. For example, exclusive or is handled for a bounded number of sessions in [CLS03, CKRT03b, CKRT05] and Diffie-Hellman key agreement in [CKRT03a], still with NP complexity. Practical algorithms have been implemented to verify protocols with a bounded number of sessions, by constraint solving, such as [MS01] and CL-AtSe (Constraint-Logic-based Attack Searcher) [CV01], or by extensions of model checking such as OFMC (On-the-Fly Model-Checker) [BMV03]. In contrast, for an unbounded number of sessions, the problem is undecidable [DLMS04] for a reasonable model of protocols.

Many methods have been used to verify protocols with an unbounded number of sessions despite this undecidability, either by restricting to subclasses, by involving the user, by tolerating non-termination of the verification, or with incomplete systems (which may answer "I don't know").

– Logics have been built to reason about protocols. Belief logics, such as the BAN logic of Burrows, Abadi and Needham [BAN89], the GNY logic of Gong, Needham and Yahalom [GNY90], and the SVO logic of Syverson and van Oorschot [SvO94], reason about what the protocol participants believe. Decision procedures for the BAN and GNY logics were designed by Monniaux [Mon99], and the BAN logic has been used in an automatic tool [KW96]. The BAN logic is one of the first formalisms introduced to reason about protocols. However, the major drawback of these logics is that they are not directly based on the operational semantics of the protocol. Another logic, called PCL (Protocol Composition Logic) [DMP03, DDMP05], makes it possible to prove that a formula holds after a participant has executed certain actions, relying on the semantics of the protocol. It allows rigorous and systematic reasoning about protocols, but has not been automated so far. Cremers [Cre08] points out some weaknesses in this logic. Cervesato, Meadows and Pavlovic [CMP05] designed a logic for proving authentication from secrecy assumptions, which are to be proved in another formalism. This separates secrecy proofs from authentication proofs.

– Paulson [Pau98] used the Isabelle proof assistant to prove the security of cryptographic protocols. Proofs in a proof assistant typically require a great deal of human intervention, but make it possible to prove any mathematically correct result. One exception on this point is the automatic system of Cortier, Millen and Rueß in PVS [CMR01], which handles only secrecy. The TAPS prover [Coh03], based on first-order logic, often succeeds with little or no human intervention.

– Typing has also been used for protocol proofs: Abadi [Aba99] proves strong secrecy for protocols that use shared-key encryption. (We mention this work here although it concerns an equivalence property, because of its closeness to the work on verifying syntactic secrecy by typing.) In collaboration with Abadi, we designed a type system to prove secrecy for protocols that use public-key encryption [AB03], then extended it to a variety of primitives [AB05a]. Gordon and Jeffrey [GJ03, GJ04, GJ02] designed the Cryptyc system, to verify authentication by typing. They handle shared-key and public-key cryptography. Bugliesi et al. [BFM07] also verify authentication by typing. The main advantage of their system is that it is compositional: it allows the correctness of the code of each protocol role to be proved independently. However, the shape of messages is restricted to certain tagged terms. This approach is compared with Cryptyc in [BFM05]. In all these type systems, types express information on the security level of data, such as "secret" for secret data and "public" for public data. Typing is better suited to an at least partially manual use than to a fully automatic verification: type inference is often difficult, so type annotations are needed. Type checking, on the other hand, can often be automated, as in the case of Cryptyc. Types provide constraints that can help protocol designers guarantee the desired security properties, but existing protocols may fail to satisfy these constraints even though they are correct.

– The verifier of Heather and Schneider [HS05], based on rank functions, makes it possible to verify protocols that use atomic symmetric or asymmetric keys. (Essentially, this system builds a function, the rank function, which assigns one value to the terms that the attacker may know and another to those that it cannot.)

– Strand spaces [FHG99] are a formalism for reasoning about protocols. This formalism has been used both for manual proofs and in the automatic tool Athena [SBP01], which combines model checking and theorem proving and uses strand spaces to reduce the state space. Scyther [Cre06] uses an extension of Athena's method with trace patterns to analyze a group of traces simultaneously. These tools sometimes limit the number of sessions to guarantee termination.

– Broadfoot, Lowe and Roscoe [BLR00, RB99, BR04] extended the model-checking approach to an unbounded number of sessions. They recycle nonces, so as to use a finite number of them in an infinite number of executions. The technique was first used for sequential executions, then generalized to parallel executions in [BR04], but with the additional restriction that participants must be "factorisable". (Essentially, an execution of the participant must be separable into several executions, each of which contains a single fresh value.)

– One of the very first approaches to protocol verification is the Interrogator, by Millen, Clark and Freedman [MCF87, Mil95]. In this system, written in Prolog, the reachability of a state after a sequence of messages is represented by a predicate, and the program performs a backward search to determine whether a state is reachable or not. The main problem with this approach is non-termination, which is partially solved by making the program interactive, so that the user guides the search. The NRL (Naval Research Labs) protocol analyzer [Mea96, EMM06] improved this technique by using narrowing in rewriting systems. It performs no abstraction. It is therefore sound and complete, but may fail to terminate.

– Decidability results can be obtained for an unbounded number of sessions, for subclasses of protocols. For example, Ramanujan and Suresh [RS03] show that secrecy is decidable for a class of tagged protocols, that is, protocols in which each message is distinguished from the others by a distinct constant (tag). The tagging scheme used forbids blind copies, that is, copies in which a message is copied by a protocol participant that cannot decompose it. Arapinis and Duflot extended this result [AD07], still forbidding blind copies. Comon and Cortier [CC05] show that secrecy is decidable for protocols that create only a bounded number of new data and satisfy certain restrictions on the copying of terms, close to the absence of blind copies. These decidability results are in general very restrictive in practice.

– Several methods are based on abstractions [CC79]: they over-approximate the possibilities of attack, most of the time by computing a superset of the attacker's knowledge. They yield fully automatic but incomplete systems.

  – Bolignano [Bol97] was a precursor of abstraction methods for cryptographic protocols. He merges keys, nonces, ... so that only a finite number of them remain, then applies a decision procedure.

  – Monniaux [Mon03] introduced a protocol verification method based on an abstract representation of the set of terms the attacker may know, using tree automata. This method was extended by Goubault-Larrecq [GL00]. Genet and Klay [GK00] combine the use of tree automata with rewriting. This method led to the TA4SP verifier (Tree-Automata-based Automatic Approximations for the Analysis of Security Protocols) [BKV06]. The main drawback of this approach is that tree automata cannot represent relational information on terms: when a variable appears several times in a message, one forgets that it has the same value at all its occurrences in the message, which limits the precision of the analysis.

  – Control-flow analysis [Bod00, BDNN98] computes the set of possible messages at each point of the protocol. It is also non-relational, and it merges the nonces created at the same point of the protocol in different sessions. These approximations yield a worst-case complexity that is cubic in the size of the protocol. It was first defined for the secrecy of shared-key protocols, then extended to message authenticity and to public-key protocols [BBD+05], with polynomial complexity.

  – In his thesis, Feret [Fer05] presents a relational analysis by abstract interpretation on a metalanguage that can encode many modeling languages: pi calculus, ambients, bio-ambients, but also spi calculus, in order to analyze cryptographic protocols. This analysis is able to distinguish the different sessions of a protocol.

  – Most automatic protocol verifiers seek to compute the attacker's knowledge. In contrast, the Hermes verifier [BLP06] determines shapes of messages, for instance encryption under certain keys, that guarantee the preservation of secrecy. The paper deals with shared-key and public-key encryption, but the method can also apply to signatures and hash functions.

  – Backes et al. [BCM07] prove secrecy and authentication by an analysis based on abstract interpretation. This analysis builds a causal graph that captures the causality between protocol events. Security properties are proved by traversing this graph. This analysis always terminates, but is incomplete. It assumes that messages are typed, so that names (which represent random numbers) can be distinguished from other terms.

  – Finally, Weidenbach [Wei99] introduced an automatic protocol proof method based on resolution on Horn clauses. This is the method I have worked on the most: it is the basis of the ProVerif verifier and will be the subject of Chapter 2. It is incomplete because it ignores the number of repetitions of each protocol action. Termination is not guaranteed in general, but it is guaranteed on certain subclasses of protocols, and it can be obtained in all cases thanks to an additional approximation, which loses relational information on messages, by transforming the Horn clauses into clauses of the decidable subclass H1 [GL05]. Goubault-Larrecq showed how to reconstruct a proof witness in Coq from a proof of the protocol obtained in H1 [GL08], which makes it possible to check that the tool has correctly proved the protocol. Without this additional approximation, even though it does not always terminate and is incomplete, this method has the advantage of providing a good balance in practice: it terminates in the vast majority of cases and is very precise and fast. It can handle a variety of cryptographic primitives, defined by rewrite rules or by certain equations. This method can be seen as a generalization of the verification method by tree automata. (Tree automata can be encoded in Horn clauses.) In collaboration with Martín Abadi [AB05a], we showed that this method is equivalent to the most precise instance of a generic type system for cryptographic protocols.

Platforms that group several verification techniques have also been built:

– CAPSL (Common Authentication Protocol Specification Language) [DM00] provides a protocol description language, which is translated into an intermediate language, CIL (CAPSL Intermediate Language), based on multiset rewriting (or, equivalently, Horn clauses with existentials in linear logic) [CDL+99]. This intermediate language can be translated into the input languages of Maude, NRL, Athena and of the constraint-solving verifier [MS01]. This model based on multisets or linear logic has been compared with strand spaces in [CDKS00, CDL+05].

– AVISPA (Automated Validation of Internet Security Protocols and Applications) [ABB+05] provides, like CAPSL, a high-level protocol description language, HLPSL (High-Level Protocol Specification Language), which is translated into an intermediate language [AVI03] based on multiset rewriting. Four verifiers take this intermediate language as input: SATMC for a bounded state space, CL-AtSe and OFMC for a bounded number of sessions, and TA4SP for an unbounded number of sessions. There is also a translator from HLPSL to ProVerif [GMP05].

1.4.2 Equivalence properties

The notion of equivalence is a tool often used in process calculi, even in the absence of cryptography [MPW92]. It is the proof tool introduced with the spi calculus by Abadi and Gordon [AG99, AG98]. The spi calculus is limited to a few cryptographic primitives, first shared-key encryption, then public-key encryption, signatures, and hash functions. It was considerably extended by the applied pi calculus of Abadi and Fournet [AF01], which allows a wide variety of cryptographic primitives to be specified, defined by an equational theory. Other process calculi and variants of the equivalence notions have also been used [FGM00, BR05]. This approach was compared with the spi calculus in [GM03]; a process calculus was compared with the multiset rewriting model in [BCLM05].

The techniques for proving equivalences can be classified as follows:

– Manual techniques, which can handle the general case [AG99, AG98, AF01, BG02, BDP02, BN05, Cor03]. A fundamental idea underlying most of these techniques is the following. Observational equivalence (or barbed congruence) is defined by considering an arbitrary attacker run in parallel with the processes one wants to prove equivalent; the definition of observational equivalence therefore contains a universal quantification over all processes representing the attacker, which makes its proof difficult. To solve this problem, one introduces a notion of labeled bisimilarity, in which interactions with the attacker are replaced by transitions labeled by the action performed during this interaction (output or input, with the message sent or received). One shows that labeled bisimilarity is equivalent to observational equivalence. This removes the universal quantification over the attacker, but labeled bisimilarity still has to be proved manually; this technique can of course also be used as a first step towards automating equivalence proofs.

– If one restricts to a finite state space, equivalence proofs can be automated, as in [DFG00], which automates the approach of [FGM00].

– For a bounded number of sessions, automatic procedures are also available: [DSV03] presents a model-checking-based technique for proving may-testing equivalence in the spi calculus, a variant of equivalence weaker than barbed congruence, since it does not take the choice points in the processes into account. Hüttel [Hut02] gives a decision procedure for labeled bisimilarity (here, framed bisimilarity) in the spi calculus, for a bounded number of sessions, but the complexity of the algorithm makes it hard to apply in practice. (The problem is at least PSPACE-hard.) Borgström, Briais and Nestmann [BBN04] give a symbolic semantics of the spi calculus (in which messages coming from the attacker are represented by variables, which avoids having to consider each possible message separately). Such a semantics is a first step towards automating equivalence proofs. Delaune, Kremer and Ryan [DKR07] define a symbolic bisimulation for the applied pi calculus, which is also a step towards automating equivalence proofs.

– For an unbounded number of sessions, automating the general case is much harder. In collaboration with Martín Abadi and Cédric Fournet, we handled the following particular case by extending ProVerif: we show observational equivalence between two processes P and Q that differ only by the terms they contain, by reducing it to a trace property on a process that represents both P and Q. This work will be explained in more detail in Section 2.2.6.

– Abadi and Cortier [AC06] give a decision procedure for static equivalence, that is, essentially, observational equivalence in the presence of a passive attacker, for cryptographic primitives defined by a large class of equational theories.

Although already long, this inventory of protocol verification techniques in the formal model is certainly not exhaustive. It does show, however, the great variety of techniques used for protocol verification in the formal model, and the interest this problem has raised in the computer science research community, in particular in formal verification.

1.5 Relating the formal and computational models

Recently, following the seminal work of Abadi and Rogaway [AR02], researchers have sought to relate the formal model and the computational model, and to show that a proof obtained in the formal model is also valid in the computational model, which makes it possible to obtain automatic proofs of protocols in the computational model.

– Abadi and Rogaway [AR02] showed that if two messages are indistinguishable in the formal sense then they are also indistinguishable in the computational sense, when the only primitive is shared-key encryption, subject to a few additional technical restrictions. Abadi and Jürjens [AJ01] extended this result to protocols in the presence of a passive attacker; Baudet, Cortier and Kremer [BCK05] to cryptographic primitives defined by a large class of equational theories (including exclusive or and deterministic symmetric encryption); Abadi, Baudet and Warinschi [ABW06] to an equational theory that includes probabilistic public-key encryption and probabilistic and deterministic shared-key encryption; and Bresson, Lakhnech, Mazaré and Warinschi [BLMW07] to modular exponentiation (used for Diffie-Hellman key agreement).

– Micciancio and Warinschi [MW04b] show that states and traces in the computational model correspond (up to negligible probability) to states and traces in the formal model, for public-key encryption in the presence of an active attacker. Authentication in the formal model then implies authentication in the computational model. Cortier and Warinschi [CW05] and Janvier, Lakhnech and Mazaré [JLM05] extend this work to signatures. Cortier and Warinschi [CW05] also show that syntactic secrecy in the formal model implies secrecy in the computational model for nonces. Janvier, Lakhnech and Mazaré [JLM06] extend these results to hash functions in the random oracle model, for trace properties and for the secrecy of nonces provided they do not occur under applications of hash functions. (The random oracle model [BR93a, CGH04] is an idealized model in which one assumes the existence of random functions, which return a random result for any new value of their argument but return the same result for the same argument value.) Cortier, Kremer, Küsters and Warinschi [CKKW06] remove the restriction on the hashing of nonces thanks to a modified notion of formal secrecy. A tool [CHW06] was developed, based on [CW05], to obtain computational proofs using the formal verifier AVISPA, for protocols that use public-key encryption and signatures.

– Micciancio and Warinschi [MW04a] also study the converse property in the passive case: they show that, if an attacker cannot distinguish two systems in the computational model, then it cannot distinguish them in the formal model, when the only primitive is authenticated shared-key encryption in the presence of a passive attacker. (In its basic definition, shared-key encryption does not guarantee the authenticity of the message: if the attacker chooses two messages M1 and M2 and receives a ciphertext {M_b}_k, where b is 0 or 1, it must not be able to determine b, but this does not prevent an attacker from creating a ciphertext, for instance by modifying a ciphertext it has received. When the attacker has a negligible probability of creating a valid ciphertext without having the key, the encryption is said to be authenticated. An authenticated encryption scheme can be built by appending a message authentication code to the ciphertext [BN00].)

– Herzog [Her03] shows that security in the formal model implies security in the computational model, for public-key encryption, provided the encryption is "plaintext-aware", that is, being able to create a ciphertext implies knowing the corresponding plaintext. This property is achievable in the random oracle model. Herzog, Liskov and Micali [HLM03] give a modified definition of "plaintext-aware", which is sufficient for the above result and implementable using a trusted third party.

– Backes, Pfitzmann and Waidner [BPW03a, BPW03b, BP04] developed an abstract cryptographic library that includes authenticated shared-key and public-key encryption, message authentication codes, signatures and nonces, and showed its soundness with respect to the computational primitives, under arbitrary active attacks. Backes and Pfitzmann [BP05a] relate the computational and formal notions of secrecy within this library. This work relates the computational model to a non-standard version of the Dolev-Yao model, in which the length of messages is present. It was used for a proof of the Needham-Schroeder protocol as fixed by Lowe [Low96], checked in a proof assistant [SBB+06]. This work is based on the notion of simulation between machines, which was compared with the trace-mapping approach of Micciancio, Warinschi et al. in [BDK07].

– Canetti and Herzog [CH06] show how a symbolic analysis in the style of the one done in the Dolev-Yao model can be used to prove security properties of protocols in the universal composability framework [Can01], for a restricted class of protocols that use only public-key encryption. They then use my automatic protocol verifier for the Dolev-Yao model, ProVerif [Bla04a], to verify protocols in this framework.

This approach has had important successes, but it also has limitations: additional hypotheses are needed, because the two models do not correspond exactly. The cryptographic primitives must satisfy strong security properties in order to correspond to formal primitives. Moreover, the protocols must satisfy certain restrictions. For instance, for shared-key encryption, there must be no key cycles (in which a key is encrypted, directly or indirectly, under itself, as in {k}k or {k}k′, {k′}k), or else a specific definition of the security of encryption is needed [ABHS05, BPS07]. (Deciding the existence of key cycles for a bounded number of sessions is a co-NP-complete problem [CZ06].) These limitations led to the idea of automating proofs directly in the computational model.

1.6 Proving protocols in the computational model

In the computational model, protocol proofs are essentially manual. The basic principle of these proofs is to reason by reduction: one shows that, if there exists an attack against the protocol, then one can build an attack against a security assumption on one of the cryptographic primitives used. The security properties of the primitives are themselves proved by reduction: an attack against a primitive implies solving a mathematical problem that is known and considered hard (factoring large integers, discrete logarithm, ...).

However, proofs by reduction quickly become complex when several security assumptions on the primitives are needed to prove the protocol. Shoup [Sho01, Sho02, Sho04] and Bellare and Rogaway [BR06] proposed organising these proofs as sequences of games:

– The first game corresponds to the protocol to be proved, interacting with an attacker. The goal of the proof is to show that the probability of breaking a certain security property of this protocol is negligible.

– The following games are obtained one after the other, by successive transformations, such that the difference in probability between two consecutive games is negligible. The proof that this difference is negligible relies either on a single security assumption on a primitive, or on game transformations that are unconditionally sound. (For instance, two random numbers chosen uniformly among the bit strings whose length is the security parameter have a negligible probability of being equal.)

– The last game is such that the desired security property is obviously true, by the very form of the game. (For instance, if one wishes to show that a certain event of the protocol has a negligible probability of being executed, the last game simply does not contain this event.)

One can then conclude that the probability of breaking the security property in the initial game is negligible. This probability can be bounded by summing the differences in probability between consecutive games and the probability of breaking the security property in the final game (which is often zero).
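As an added illustration of this bound (not taken from the thesis), write G_0 for the initial game, G_n for the final one and Bad for the event "the security property is broken". Chaining the triangle inequality over consecutive games gives

\[
\Pr[G_0 : \mathsf{Bad}] \;\le\; \sum_{i=0}^{n-1} \bigl|\Pr[G_i : \mathsf{Bad}] - \Pr[G_{i+1} : \mathsf{Bad}]\bigr| \;+\; \Pr[G_n : \mathsf{Bad}]
\]

so that bounding each term of the sum (by a reduction to one assumption, or by an unconditional argument) and the last probability (often 0, when G_n no longer contains the event) bounds the probability of an attack on the protocol. For the unconditional step quoted in the text, two independent strings r_1, r_2 drawn uniformly from \{0,1\}^{\eta} satisfy \Pr[r_1 = r_2] = 2^{-\eta}; for q such strings, a union bound over the pairs gives

\[
\Pr[\exists\, i \ne j : r_i = r_j] \;\le\; \binom{q}{2}\, 2^{-\eta},
\]

which is negligible in the security parameter \eta whenever q is polynomial in \eta.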

Frameworks have been developed to systematise these proofs, without, however, automating them:

– Lincoln et al. [LMMS98, LMMS99, MMS03, RMST04, MRST06] developed a probabilistic polynomial-time process calculus for the analysis of cryptographic protocols. They define a notion of observational equivalence for this calculus, which corresponds to indistinguishability between games. They also derive compositionality properties and an equational proof system for this calculus.

– Datta et al. [DDM+05, DDMW06] designed a logic that is sound with respect to the computational model. This logic is an adaptation to the computational model of the Protocol Composition Logic designed for the formal model [DMP03, DDMP05].

– Corin and den Hartog [CdH06] use a Hoare-style logic to formalise proofs by games.

– Canetti et al. [CCK+06] use the framework of time-bounded task-PIOAs (Probabilistic Input/Output Automata) to prove cryptographic protocols in the computational model. This framework allows them to combine probabilistic and non-deterministic behaviours.

Barthe, Cederquist and Tarento [BCT04, Tar05] formalised the generic model and the random oracle model in the Coq proof assistant, and proved signature schemes in this framework. Compared to the previous approaches, this technique has the advantage of providing mechanically checked proofs, but it requires a great deal of human intervention.

The following works, in contrast, aim at automating proofs in the computational model:

– Halevi [Hal05] explains that building an automatic prover based on sequences of games would be useful and suggests ideas in this direction, but he has not yet built such a prover.

– Laud [Lau05] designed a type system for proving cryptographic protocols in the computational model. This type system handles shared-key and public-key encryption, with an unbounded number of sessions. It relies on the Backes-Pfitzmann-Waidner cryptographic library [BPW03a]. A type inference algorithm is given in [BL06].


– Laud [Lau03] designed an automatic analysis for proving secrecy for programs in a small language with while loops, which use probabilistic shared-key encryption but no decryption, against passive attackers. With Vene [LV05], he designed a type system for the same purpose. Smith and Alpízar [SA06] handle programs with decryption. Courant, Ene and Lakhnech [CEL07] designed a type system for programs that use deterministic shared-key encryption, which introduces new difficulties.

– Laud [Lau04] built a system that proves secrecy for protocols using probabilistic shared-key encryption in the presence of active attackers, but for only one session of the protocol. Although this system is rather limited, it produces proofs by games. In collaboration with David Pointcheval, we have considerably extended this approach, handling various cryptographic primitives and a polynomial number of sessions, in the presence of an active attacker. This work led to the automatic verifier CryptoVerif, and is the subject of chapter 3. Recently, Tsahhirov and Laud [TL07] developed a tool for verifying protocols by sequences of games. This tool represents games by dependency graphs, and is for now less developed than CryptoVerif: it handles only public-key encryption and proves only secrecy properties; it does not provide an explicit bound on the probability of success of an attack.

1.7 Conclusion

This chapter has presented an introduction to the field of cryptographic protocols and their verification. It has shown how active this research area has been and still is. The following chapters present my own research, which led to two automatic protocol verifiers, ProVerif and CryptoVerif.


Chapter 2

Protocol verification in the formal model

Contents

2.1 Formal representation of cryptographic protocols
    2.1.1 History
    2.1.2 A language for representing protocols
    2.1.3 An example protocol in this language
    2.1.4 Semantics
    2.1.5 Extension to equational theories
2.2 Horn clauses
    2.2.1 Definition of secrecy
    2.2.2 From the pi calculus to Horn clauses
    2.2.3 Resolution on clauses
    2.2.4 Verification of correspondence properties
    2.2.5 Multi-phase scenarios
    2.2.6 Proofs of equivalences
2.3 Results
2.4 Conclusion

In this chapter, we summarise the research results that led to the automatic protocol verifier ProVerif. This verifier is based on the formal, Dolev-Yao model. It can handle an unbounded number of sessions and various cryptographic primitives, defined by rewrite rules or by equations. We first present the formal representation of protocols that ProVerif takes as input, then we explain the verification technique, first for secrecy, then for correspondence properties and observational equivalences. Along the way, we summarise termination results for this method and results comparing it with other work (typing, multiset rewriting). Finally, we give some examples of protocol studies carried out with the help of ProVerif.

2.1 Formal representation of cryptographic protocols

2.1.1 History

In order to verify protocols formally, one first needs a formal model of these protocols, with a clear operational semantics. Many models have been proposed in the literature, such as process calculi [AG99, FGM00, AF01, BR05], strand spaces [FHG99], and multiset rewriting [CDL+99].


M, N ::=                                     terms
    x, y, z                                  variable
    a, b, c, k, s                            name
    f(M1, ..., Mn)                           constructor application

P, Q ::=                                     processes
    M〈N〉.P                                  output
    M(x).P                                   input
    0                                        null process
    P | Q                                    parallel composition
    !P                                       replication
    (νa)P                                    restriction
    let x = g(M1, ..., Mn) in P else Q       destructor application
    let x = M in P                           local definition
    if M = N then P else Q                   conditional

Fig. 2.1 – Syntax of the process calculus

These models differ from one another in their expressiveness:

– Most models assume that all messages are sent on a public network, where the attacker can manipulate them. This is sufficient to handle most basic protocols. Process calculi that extend the pi calculus, such as the spi calculus [AG99] and the applied pi calculus [AF01], are more expressive, because they also provide private channels, which can be used to encode internal communications or memory cells, for instance.

– The supported cryptographic primitives can be more or less general. Many models, including the spi calculus [AG99], handle a few primitives fixed a priori. The applied pi calculus [AF01] is much more general: it allows the properties of cryptographic primitives to be modelled by arbitrary equational theories.

The model we present in detail below is intermediate between the spi calculus and the applied pi calculus: it allows cryptographic primitives to be defined by rewrite rules, which is more restrictive than general equational theories. We briefly summarise its extension to a large class of equational theories in section 2.1.5.

2.1.2 A language for representing protocols

Figure 2.1 gives the syntax of our process calculus. This calculus distinguishes terms, which represent the messages of the protocol, from processes, which represent the programs that manipulate these terms. The names a, b, c, k, s represent atomic data (nonces, keys, ...), whereas the variables x, y, z can be substituted by any message. The calculus distinguishes two categories of function symbols for representing cryptographic primitives: constructors, usually written f, and destructors, usually written g.

Constructors build new terms. Hence terms are variables, names and constructor applications f(M1, ..., Mn). In contrast, destructors do not occur in terms, but manipulate terms inside processes. Destructors are partial functions that processes can apply. The process let x = g(M1, ..., Mn) in P else Q tries to evaluate g(M1, ..., Mn); if this succeeds, x is bound to the result and P is executed; otherwise, Q is executed. More precisely, the semantics of a destructor g of arity n is defined by a finite set def(g) of rewrite rules of the form g(M1, ..., Mn) → M, where M1, ..., Mn, M are terms without names, and the variables of M occur in M1, ..., Mn. We extend these rules naturally by g(M′1, ..., M′n) → M′ if and only if there exist a substitution σ and a rewrite rule g(M1, ..., Mn) → M in def(g) such that M′i = σMi for all i ∈ {1, ..., n} and M′ = σM.

Tuples:
    Constructor:   n-tuple                                     ntuple(x1, ..., xn)
    Destructors:   projections                                 ithn(ntuple(x1, ..., xn)) → xi

Shared-key encryption:
    Constructor:   encryption of x under key y                  sencrypt(x, y)
    Destructor:    decryption                                   sdecrypt(sencrypt(x, y), y) → x

Probabilistic shared-key encryption:
    Constructor:   encryption of x under key y with randomness r   sencryptp(x, y, r)
    Destructor:    decryption                                   sdecryptp(sencryptp(x, y, r), y) → x

Probabilistic public-key encryption:
    Constructors:  encryption of x under key y with randomness r   pencryptp(x, y, r)
                   public key generated from the secret key y   pk(y)
    Destructor:    decryption                                   pdecryptp(pencryptp(x, pk(y), r), y) → x

Signatures:
    Constructors:  signature of x with secret key y             sign(x, y)
                   public key generated from the secret key y   pk(y)
    Destructors:   signature verification                       checksignature(sign(x, y), pk(y)) → x
                   message without its signature                getmessage(sign(x, y)) → x

Signatures that do not reveal the message:
    Constructors:  signature of x with secret key y             nmrsign(x, y)
                   public key generated from the secret key y   pk(y)
                   constant                                     true
    Destructor:    verification                                 nmrchecksign(nmrsign(x, y), pk(y), x) → true

Hash functions:
    Constructor:   hash function                                h(x)

Fig. 2.2 – Constructors and destructors

Using constructors and destructors, we can represent data structures and cryptographic primitives as summarised in figure 2.2. For instance, the rewrite rule sdecrypt(sencrypt(x, y), y) → x means that, when one decrypts a ciphertext sencrypt(M, N) with the right key N, one obtains the plaintext M. The application of the destructor sdecrypt(M, N) fails if the message M to be decrypted is not a ciphertext, or is a ciphertext under a key different from N. (For public-key encryption, we present only probabilistic encryption because, in the computational model, a secure public-key encryption scheme is necessarily probabilistic. We have chosen to present deterministic signatures; probabilistic signatures could easily be modelled by adding a third argument r containing the randomness, as for encryption. The randomness r must be chosen by a restriction (νr) that creates a fresh name r, representing a fresh random number.)

The other constructs of the syntax of figure 2.1 are standard; most come from the pi calculus. The process M(x).P receives a message on channel M, stores it in the variable x, and executes P. The process M〈N〉.P sends the message N on channel M, then executes P. (We allow communication on channels that can be any term.) The null process 0 does nothing. The process P | Q is the parallel composition of P and Q, used for instance when P and Q represent programs executed by different participants of the protocol. The replication !P represents an unbounded number of copies of P in parallel; it makes it possible to represent an unbounded number of sessions of the protocol. The restriction (νa)P creates a new name a, then executes P. The conditional if M = N then P else Q executes P if M and N reduce to the same term at runtime; otherwise it executes Q. This conditional can be defined as syntactic sugar for let x = equal(M, N) in P else Q, where the destructor equal is defined by equal(y, y) → y and x does not occur in P. We define let x = M in P as syntactic sugar for P{M/x}, where {M/x} is the substitution that maps x to M. An else branch may be omitted when it contains only 0.

The name a is bound in the process (νa)P. The variable x is bound in P in the processes M(x).P and let x = g(M1, ..., Mn) in P else Q. We write fn(P) and fv(P) for the sets of free names and free variables of P, respectively. A process is closed when it has no free variable.

2.1.3 An example protocol in this language

We illustrate this language by encoding the example protocol of section 1.1.2 as the following process P0:

    P0 = (νskA)(νskB) let pkA = pk(skA) in let pkB = pk(skB) in c〈pkA〉.c〈pkB〉.
         (PA(pkA, skA) | PB(pkB, skB, pkA))

    PA(pkA, skA) = ! c(x_pkB).(νk)(νr) c〈pencryptp(sign(k, skA), x_pkB, r)〉.
                   c(x).let z = sdecrypt(x, k) in 0

    PB(pkB, skB, pkA) = ! c(y).let y′ = pdecryptp(y, skB) in
                        let x_k = checksignature(y′, pkA) in c〈sencrypt(s, x_k)〉

Such a process can be given as input to the ProVerif tool (in an ASCII syntax). This process first creates the secret keys skA and skB, computes the corresponding public keys pkA and pkB, and sends these keys on the public channel c, so that the attacker has the public keys. Then it runs the processes PA and PB in parallel. These processes correspond respectively to the roles of A and B in the protocol. Both start with a replication, which models an unbounded number of sessions of the protocol.

The process PA first receives on the public channel c the key x_pkB, which is the public key of A's interlocutor in the protocol. This message is not, strictly speaking, part of the protocol; it allows the attacker to choose with whom A will run a session. In a normal session of the protocol this key is pkB, but the attacker may also choose another key, for instance one of its own keys. Then PA runs the role of A: it creates a new key k, signs it with its secret key skA, encrypts the result under x_pkB with randomness r, and sends the resulting message on channel c. PA then waits for the second message of the protocol on channel c, stores it in x and decrypts it. If decryption succeeds, the result (normally the secret s) is stored in z.

The process PB receives the first message of the protocol on channel c, stores it in y, decrypts it with skB and checks the signature with pkA. (The signature is checked with A's key pkA and not with an arbitrary key chosen by the attacker, because B sends the second message {s}k only if its interlocutor is the honest participant A.) If these checks succeed, B believes that x_k is a key shared between A and B, and sends the secret s encrypted under x_k. If the protocol is correct, s must remain secret.1 Using the technique described below, ProVerif shows that this is not the case for this protocol, but that it is for its corrected version.

In the model above, we assumed for simplicity that A and B each play a single role in the protocol. One could easily write a more general model in which they play both roles, or even provide the attacker with an interface that lets it create new protocol participants dynamically.

1 The secret s is a free name of P0; the definition of secrecy (definition 2.3 below) does not allow one to consider the secrecy of bound names. Of course, the name s is not part of the initial knowledge of the attacker, which contains only the free name c.
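The following Python script is an added example, not code from the thesis or from ProVerif: it plays the process P0 above against a Dolev-Yao attacker in the symbolic model, with terms as tuples and destructors as partial functions that return None on failure (the else branch). The function names role_A, role_B, honest_run and attack are mine. The attacker does exactly what the text allows it: it answers PA's first input with its own public key pkC, which is enough for it to publish s on c in the sense of definition 2.2. The "fixed" variant is an assumption: it binds the intended recipient's public key into the signed message and has B check it, which is one standard repair; this excerpt does not reproduce the corrected version of section 1.1.2, so it may differ.

```python
from itertools import count

_fresh = count()


def name(base):
    """A fresh atomic name, modelling the restriction (nu base)."""
    return (base, next(_fresh))


# Constructors of figure 2.2: a term is a tuple headed by its symbol.
def pk(sk):                 return ("pk", sk)
def sign(m, sk):            return ("sign", m, sk)
def pencryptp(m, pkey, r):  return ("pencryptp", m, pkey, r)
def sencrypt(m, k):         return ("sencrypt", m, k)


# Destructors: partial functions; None models failure (the else branch).
def pdecryptp(c, sk):
    return c[1] if c[0] == "pencryptp" and c[2] == pk(sk) else None


def checksignature(s, pkey):
    return s[1] if s[0] == "sign" and pkey == pk(s[2]) else None


def sdecrypt(c, k):
    return c[1] if c[0] == "sencrypt" and c[2] == k else None


def role_A(skA, x_pkB, fixed):
    """One session of PA: the first message, and the fresh key k it carries."""
    k, r = name("k"), name("r")
    signed = ("ntuple", k, x_pkB) if fixed else k   # fixed: assumed repair
    return pencryptp(sign(signed, skA), x_pkB, r), k


def role_B(skB, pkA, y, s, fixed):
    """One session of PB: sencrypt(s, x_k), or None if a destructor fails."""
    y1 = pdecryptp(y, skB)
    if y1 is None:
        return None
    x_k = checksignature(y1, pkA)
    if x_k is None:
        return None
    if fixed:
        # Assumed repair: B also checks that A signed B's own public key.
        if x_k[0] != "ntuple" or x_k[2] != pk(skB):
            return None
        x_k = x_k[1]
    return sencrypt(s, x_k)


def honest_run(fixed=False):
    """A normal session between A and B: does A recover s?"""
    skA, skB, s = name("skA"), name("skB"), name("s")
    msg1, k = role_A(skA, pk(skB), fixed)
    msg2 = role_B(skB, pk(skA), msg1, s, fixed)
    return msg2 is not None and sdecrypt(msg2, k) == s


def attack(fixed=False):
    """What the attacker can publish on c: the secret s if secrecy fails, else None."""
    skA, skB, s = name("skA"), name("skB"), name("s")
    pkA, pkB = pk(skA), pk(skB)      # sent on c by P0, so known to the attacker
    skC = name("skC")                # the attacker's own key pair
    pkC = pk(skC)
    # 1. The attacker answers PA's first input with x_pkB := pkC, so A runs a
    #    session with the attacker and sends {sign(k, skA)}_pkC on c.
    msg1, _ = role_A(skA, pkC, fixed)
    # 2. It decrypts with skC and learns sign(k, skA), hence k (pkA is public).
    sig = pdecryptp(msg1, skC)
    signed = checksignature(sig, pkA)
    k = signed[1] if fixed else signed
    # 3. It re-encrypts A's signature under pkB with its own randomness and
    #    sends it to PB, which only checks that the signature is A's.
    msg2 = role_B(skB, pkA, pencryptp(sig, pkB, name("rC")), s, fixed)
    # 4. If B accepted, {s}_k is now on the public channel and the attacker has k.
    return None if msg2 is None else sdecrypt(msg2, k)
```

In the original protocol attack() returns the name s, which is exactly a trace that publishes s in the sense of definition 2.2; with the assumed fix, B's extra check makes pdecryptp and checksignature succeed but the recipient check fail, and attack() returns None while honest_run(fixed=True) still completes.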


E, 𝒫 ∪ { 0 }                          → E, 𝒫                                (Red Nil)
E, 𝒫 ∪ { !P }                         → E, 𝒫 ∪ { P, !P }                    (Red Repl)
E, 𝒫 ∪ { P | Q }                      → E, 𝒫 ∪ { P, Q }                     (Red Par)
E, 𝒫 ∪ { (νa)P }                      → E ∪ {a′}, 𝒫 ∪ { P{a′/a} }           (Red Res)
                                          where a′ ∉ E
E, 𝒫 ∪ { N〈M〉.Q, N(x).P }            → E, 𝒫 ∪ { Q, P{M/x} }                (Red I/O)
E, 𝒫 ∪ { let x = g(M1, ..., Mn) in P else Q } → E, 𝒫 ∪ { P{M′/x} }         (Red Destr 1)
                                          if g(M1, ..., Mn) → M′
E, 𝒫 ∪ { let x = g(M1, ..., Mn) in P else Q } → E, 𝒫 ∪ { Q }               (Red Destr 2)
                                          if there is no M′ such that g(M1, ..., Mn) → M′

Fig. 2.3 – Formal semantics

2.1.4 Semantics

The semantics of this language is formally defined in figure 2.3. Most often, the semantics of such process calculi is defined by combining a structural equivalence and a reduction relation, the structural equivalence making it possible to rearrange processes so that the reductions apply, as in [AG99, AF01]. The semantics of our calculus can also be defined in this way [AB05a, BAF08]. Here, we preferred to define it with a reduction relation only, on configurations of the form E, 𝒫, where the environment E is a finite set of names and 𝒫 is a finite multiset of processes. The environment E must contain all the free names of the processes in 𝒫. The configuration {a1, ..., an}, {P1, ..., Pn} intuitively corresponds to the process (νa1) ... (νan)(P1 | ... | Pn). The reduction rules of figure 2.3 execute processes as follows: (Red Nil) removes a null process; (Red Repl) creates a new copy of P; (Red Par) decomposes a parallel composition; (Red Res) creates a fresh name a′ (which does not occur in E), adds it to E and substitutes a′ for a; (Red I/O) is the communication rule: it reduces an output and an input on the same channel N by delivering the message M; (Red Destr 1) and (Red Destr 2) execute destructor applications: (Red Destr 1) when the application succeeds and reduces to M′, (Red Destr 2) when it fails. In these rules, the symbol ∪ denotes multiset union on multisets of processes. Since the constructs if M = N then P else Q and let x = M in P are defined as syntactic sugar, their semantics follows from that of the other constructs.

The advantage of such a semantics over more traditional ones is that it directs the execution of processes more tightly. Thus, renaming is performed only by (Red Res), instead of possibly at each reduction, and the treatment of replications and parallel compositions is also more directed. This simplifies some proofs, for instance for correspondence properties (section 2.2.4) or for attack reconstruction (section 2.2.2).

2.1.5 Extension to equational theories

In collaboration with Martín Abadi and Cédric Fournet [BAF05, BAF08], we extended our work to handle cryptographic primitives defined by equational theories. The term algebra formed by the constructors is equipped with an equational theory, defined by a finite number of equations. For instance, one can model a symmetric encryption scheme in which decryption always succeeds (but may return a meaningless message) by the equations

    sdecrypt(sencrypt(x, y), y) = x
    sencrypt(sdecrypt(x, y), y) = x                                            (2.1)

where sencrypt and sdecrypt are constructors. The first equation is standard; the second prevents the equality test sencrypt(sdecrypt(M, N), N) = M from revealing that M is a ciphertext under N. These equations are satisfied by block ciphers, which are bijective. One can also model Diffie-Hellman key agreement by the equation [AF01, ABF07]

    (b^x)^y = (b^y)^x                                                          (2.2)

where b is a constant and ^ is a binary constructor. The essential idea of our extension to equations is to translate the equations into a set of rewrite rules associated with the constructors. For instance, equations (2.1) are translated into the rewrite rules

    sencrypt(x, y) → sencrypt(x, y)                sdecrypt(x, y) → sdecrypt(x, y)
    sencrypt(sdecrypt(x, y), y) → x                sdecrypt(sencrypt(x, y), y) → x          (2.3)

whereas equation (2.2) is translated into

    x^y → x^y                (b^x)^y → (b^y)^x                                 (2.4)

Intuitively, by applying these rewrite rules exactly once for each constructor, one obtains the different forms of a term modulo the equational theory under consideration.2 Constructors are then simply evaluated like destructors in the calculus above. We formally defined what it means for a set of rewrite rules to model an equational theory, and we designed algorithms that compute, from the equations, rewrite rules that model the equational theory in question [BAF08, section 5]. We showed that every trace in the calculus with the equational theory corresponds to a trace in the calculus with rewrite rules, and conversely [BAF08, Lemma 1].3 One is thus reduced to the simpler case without equations. The main advantage of this method is that resolution, used below on Horn clauses, can keep using ordinary syntactic unification (instead of unification modulo the equational theory), and therefore remains efficient.

This extension to equations has limitations, however: it cannot model associative operations such as exclusive or, because that would require an infinite number of rewrite rules. It might be possible to handle such symbols by using unification modulo the equational theory instead of syntactic unification, at the cost of greater complexity. For a bounded number of sessions, exclusive or is handled in [CLS03, CKRT03b, CKRT05] and a more complete equational theory for modular exponentiation (used for Diffie-Hellman key agreement) is handled in [CKRT03a]. A unification algorithm for modular exponentiation is presented in [MN02].
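The following Python term-rewriting engine is an added example, not code from the thesis or from ProVerif, and serves two passages at once: the destructor semantics of section 2.1.2 (g(M′1, ..., M′n) → M′ holds exactly when some rule of def(g) matches under a substitution σ, with failure otherwise) and the translation of equations into constructor rewrite rules of section 2.1.5 (rules (2.3) and (2.4), applied exactly once per constructor to enumerate the forms of a term). Names and constants are plain strings, variables are strings starting with "?", and compound terms are tuples headed by their symbol; the exponentiation constructor ^ is written "exp". The rule tables are transcribed by hand from figure 2.2 and from (2.3)/(2.4); the thesis computes the latter automatically. The equality test "two terms are equal modulo the theory when they share a form" follows the intuition the text gives and is this example's choice, not the formal definition of [BAF08].

```python
def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def match(pattern, term, sigma):
    """One-way matching: extend sigma so that subst(sigma, pattern) == term,
    or return None.  A variable occurring twice in a pattern must match equal
    terms, which is how nmrchecksign(nmrsign(x, y), pk(y), x) ties the
    signature to the message supplied by the caller."""
    if is_var(pattern):
        if pattern in sigma:
            return sigma if sigma[pattern] == term else None
        return {**sigma, pattern: term}
    if isinstance(pattern, str) or isinstance(term, str):
        return sigma if pattern == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        sigma = match(p, t, sigma)
        if sigma is None:
            return None
    return sigma


def subst(sigma, t):
    """Apply sigma to a pattern whose variables all occur in sigma."""
    if is_var(t):
        return sigma[t]
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(subst(sigma, a) for a in t[1:])


# Section 2.1.2: def(g) for some destructors of figure 2.2, as (lhs, rhs) pairs.
DESTRUCTORS = {
    "sdecrypt":       [(("sdecrypt", ("sencrypt", "?x", "?y"), "?y"), "?x")],
    "pdecryptp":      [(("pdecryptp", ("pencryptp", "?x", ("pk", "?y"), "?r"), "?y"), "?x")],
    "checksignature": [(("checksignature", ("sign", "?x", "?y"), ("pk", "?y")), "?x")],
    "nmrchecksign":   [(("nmrchecksign", ("nmrsign", "?x", "?y"), ("pk", "?y"), "?x"), "true")],
    "equal":          [(("equal", "?y", "?y"), "?y")],
    "ith2":           [(("ith2", ("ntuple", "?x1", "?x2")), "?x2")],   # 2nd projection of a pair
}


def apply_destructor(g, args):
    """g(args) -> M' if some rule of def(g) matches (Red Destr 1);
    None when no rule matches (Red Destr 2)."""
    term = (g,) + tuple(args)
    for lhs, rhs in DESTRUCTORS[g]:
        sigma = match(lhs, term, {})
        if sigma is not None:
            return subst(sigma, rhs)
    return None


# Section 2.1.5: rules (2.3) and (2.4) attached to constructors.  Here both
# sencrypt and sdecrypt are constructors; the identity rules keep a term as is.
CONSTRUCTOR_RULES = {
    "sencrypt": [(("sencrypt", "?x", "?y"), ("sencrypt", "?x", "?y")),
                 (("sencrypt", ("sdecrypt", "?x", "?y"), "?y"), "?x")],
    "sdecrypt": [(("sdecrypt", "?x", "?y"), ("sdecrypt", "?x", "?y")),
                 (("sdecrypt", ("sencrypt", "?x", "?y"), "?y"), "?x")],
    "exp":      [(("exp", "?x", "?y"), ("exp", "?x", "?y")),
                 (("exp", ("exp", "b", "?x"), "?y"), ("exp", ("exp", "b", "?y"), "?x"))],
}


def _combinations(arg_forms):
    combos = [()]
    for options in arg_forms:
        combos = [c + (o,) for c in combos for o in options]
    return combos


def forms(t):
    """All forms of t modulo the theory: rewrite the arguments first, then apply
    each rule of the head constructor exactly once (constructors without rules,
    such as pk or sign, are kept unchanged)."""
    if isinstance(t, str):
        return {t}
    result = set()
    for args in _combinations([forms(a) for a in t[1:]]):
        term = (t[0],) + args
        rules = CONSTRUCTOR_RULES.get(t[0])
        if rules is None:
            result.add(term)
            continue
        for lhs, rhs in rules:
            sigma = match(lhs, term, {})
            if sigma is not None:
                result.add(subst(sigma, rhs))
    return result


def equal_modulo(t1, t2):
    """Equality modulo the theory, as the tests of footnote 3 require:
    two terms are equal when they share a form."""
    return bool(forms(t1) & forms(t2))
```

With the destructor table, sdecrypt(sencrypt(m, k), k2) fails, which is what (Red Destr 2) needs; with the constructor rules, sdecrypt(m, k) always succeeds and keeps its form, sencrypt(sdecrypt(m, k), k) is equal to m modulo (2.1), and (b^x)^y and (b^y)^x are equal modulo (2.2), while (b^x)^y and (b^x)^z are not.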

2.2 Horn clauses

In this section, we describe our protocol verification method, which is based on Horn clauses. The idea of using Horn clauses to verify protocols was introduced by Weidenbach [Wei99]. We extended his work by defining a systematic translation of a formal protocol model into clauses (whereas he built the clauses by hand) and by proving properties other than secrecy. We start with the simplest property, secrecy, then present our extensions to more complex properties (correspondences, equivalences).

2 Rewrite rules of the form sdecrypt(x, y) → sdecrypt(x, y) are needed so that sdecrypt always succeeds. Thanks to this rule, the evaluation of sdecrypt(M, N) succeeds and leaves the term unchanged when M is not of the form sencrypt(M′, N).

3 More precisely, the inequality tests in (Red Destr 2) must always be performed modulo the equational theory, even in the calculus with rewrite rules.

2.2.1 Definition of secrecy

We assume that the protocol is executed in the presence of an attacker that can listen to all messages, and compute and send the messages it has, following the model of Needham-Schroeder [NS78] and Dolev-Yao [DY83]. Such an attacker is represented by any process that has a certain set of names Init in its initial knowledge.

Definition 2.1 Let Init be a finite set of names. The closed process Q is an Init-attacker if and only if fn(Q) ⊆ Init.

Intuitively, we say that a trace publishes a message M when that message is sent on a public channel (a channel in Init). If the attacker obtains the message M, he can always send it on a channel of Init.

Definition 2.2 Let M be a closed term. We say that a trace $E_0, \mathcal{P}_0 \to^* E', \mathcal{P}'$ publishes M if and only if there exist $E$, $\mathcal{P}$, $x$, $P$, $Q$ and $c \in \mathit{Init}$ such that this trace contains the reduction $E, \mathcal{P} \cup \{\, c\langle M\rangle.Q,\ c(x).P \,\} \to E, \mathcal{P} \cup \{\, Q,\ P\{M/x\} \,\}$.

We then say that P0 preserves the secrecy of M if M is never published, in the presence of any attacker.

Definition 2.3 Let M be a term such that fn(M) ⊆ fn(P0). The process P0 preserves the secrecy of all instances of M from Init if and only if, for every Init-attacker Q0 and every substitution σ, there is no trace $\mathrm{fn}(P_0) \cup \mathit{Init}, \{P_0, Q_0\} \to^* E', \mathcal{P}'$ that publishes σM.

2.2.2 From the pi calculus to Horn clauses

The protocol verifier ProVerif takes as input a process P0, which represents the protocol to verify, and a finite set of names Init, corresponding to the attacker's initial knowledge. We assume that the bound names of P0 are pairwise distinct and distinct from the free names and from the names of Init. ProVerif then computes a set of Horn clauses representing the protocol and the attacker.

In these clauses, messages are represented by patterns (or "terms", but we use the word "pattern" to distinguish them from the terms that appear in protocols). These patterns are written p and are defined by the following grammar:

p ::=                        patterns
    x, y, z, i               variable
    a[p1, . . . , pn]        name
    f(p1, . . . , pn)        constructor application

Patterns differ from terms in the representation of names. We associate with each replication a fresh variable i, called the session identifier, which takes a distinct value for each copy of the process created by the replication. In patterns, the names created by restrictions (νa) are represented as functions a[p1, . . . , pn] of the messages received before creating the name a, of the results of destructor applications computed before creating a, and of the session identifiers of the replications above (νa) in the syntax tree of P0. More precisely, there is a construct a[p1, . . . , pn] for each name of Init, each free name and each restriction in P0. We treat a as a function symbol, and write a[p1, . . . , pn] instead of a(p1, . . . , pn) only to distinguish it from a constructor. If a is in Init or free in P0, the arity of this function is 0, and a is simply represented by a[ ]. If a is bound by a restriction (νa)P in P0, the arity of this function is the number of message receptions, destructor applications and replications above (νa)P. For example, in the process !c(x).(νk), we use the pattern c[ ] for the name c and k[i, x] for any name created by the restriction (νk), where i is the session identifier associated with the replication and x the message received on channel c. The session identifier makes it possible to distinguish all the names created by restrictions. (Without it, all the names created by (νk) after receiving the same message x would be confused.) This is particularly important for the proof of correspondence properties (see section 2.2.4).

The clauses use two predicates, attacker and message. The fact attacker(p) means that the attacker may have the message p, and the fact message(p, p′) means that the message p′ may be sent on channel p.

F ::=                        facts
    attacker(p)              attacker knowledge
    message(p, p′)           message on a channel

The clauses comprise both clauses that represent the attacker and clauses that represent the protocol.

Clauses for the attacker

The actions of the attacker are represented by the following clauses:

For each a ∈ Init,   attacker(a[ ])                                                    (Init)

attacker(b[x])   where b occurs neither in P0 nor in Init                              (Rn)

For each constructor f of arity n,
    attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn))                  (Rf)

For each destructor g, for each rewrite rule g(M1, . . . , Mn) → M in def(g),
    attacker(M1) ∧ . . . ∧ attacker(Mn) ⇒ attacker(M)                                  (Rg)

message(x, y) ∧ attacker(x) ⇒ attacker(y)                                              (Rl)

attacker(x) ∧ attacker(y) ⇒ message(x, y)                                              (Rs)

The clauses (Init) express that the attacker initially knows the names of Init. The clause (Rn) means that the attacker can create new names; these names are represented by patterns of the form b[x]. The clauses (Rf) and (Rg) express that the attacker can apply all function symbols, (Rf) for constructors, (Rg) for destructors. The clause (Rl) means that the attacker can listen on the channels he has: if he has the channel x and y is sent on x, then he obtains y. The clause (Rs) means that the attacker can send any message y he has on any channel x he has.

Clauses for the protocol

The clauses for the protocol are defined by induction on the syntax of the process P0. The environment ρ associates a pattern with each name and variable. If f is a constructor, we extend the environment ρ to terms as a substitution, by ρ(f(M1, . . . , Mn)) = f(ρ(M1), . . . , ρ(Mn)).

La traduction [[P ]]ρsH d’un processus P est un ensemble de clauses, ou ρ est un environne-ment, s est une suite de motifs qui contient les arguments a utiliser dans le codage des noms frais,

Page 33: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

2.2. Les clauses de Horn 25

et H une suite de faits de la forme message(p, p′). La suite vide est notee ∅ ; la concatenationd’un motif p a la suite s est notee s, p ; la concatenation d’un fait F a la suite H est notee H∧F .La traduction [[P ]]ρsH est definie comme suit :

$$\begin{array}{l}
[[0]]\rho s H = \emptyset \\[2pt]
[[P \mid Q]]\rho s H = [[P]]\rho s H \cup [[Q]]\rho s H \\[2pt]
[[!P]]\rho s H = [[P]]\rho (s, i) H \quad \text{where } i \text{ is a fresh variable} \\[2pt]
[[(\nu a)P]]\rho s H = [[P]](\rho[a \mapsto a[s]]) s H \\[2pt]
[[M(x).P]]\rho s H = [[P]](\rho[x \mapsto x'])(s, x')(H \wedge \mathrm{message}(\rho(M), x')) \quad \text{where } x' \text{ is a fresh variable} \\[2pt]
[[M\langle N\rangle.P]]\rho s H = [[P]]\rho s H \cup \{ H \Rightarrow \mathrm{message}(\rho(M), \rho(N)) \} \\[2pt]
[[\mathrm{let}\ x = g(M_1, \ldots, M_n)\ \mathrm{in}\ P\ \mathrm{else}\ Q]]\rho s H = \\
\qquad \bigcup \{\, [[P]]((\sigma\rho)[x \mapsto \sigma' p'])(\sigma s, \sigma' p')(\sigma H) \mid g(p'_1, \ldots, p'_n) \to p' \text{ is in } \mathrm{def}(g) \text{ and } (\sigma, \sigma') \text{ is a most general} \\
\qquad\quad \text{pair of substitutions such that } \sigma\rho(M_1) = \sigma' p'_1, \ldots, \sigma\rho(M_n) = \sigma' p'_n \,\} \cup [[Q]]\rho s H
\end{array}$$

The translation of a process is a set of clauses from which one can derive that the process sends certain messages. The sequence H contains the messages received by the process, which may trigger the sending of other messages.

– The null process 0 does nothing; its translation is therefore empty.
– The translation of the parallel composition P | Q is the union of the translations of P and Q, since P | Q can perform all the actions of P and of Q (including those resulting from an interaction between P and Q).

– In the case of replication, the session identifier i is added to the environment ρ and to the sequence s. (The variable i is subject to no special constraint; it may be substituted by any term.) Apart from this addition, the replication is ignored, since in classical logic clauses can be applied any number of times.

– In the case of the restriction (νa), we add to the environment ρ the image of a, which is the pattern a[s], where the sequence s contains the session identifiers of the replications above (νa), the messages received above (νa) and the results of destructor applications computed above (νa).

– In the translation of a reception, H, ρ and s are extended with the received message.

– The translation of an emission adds a clause, which represents that the reception of the messages of H may trigger the emission of the message in question.

– Finally, the translation of a destructor application is the union of the case where the destructor succeeds and the case where it fails. In the first case, ρ, s and H are instantiated with a substitution σ that records that the destructor succeeded. In the second case, we consider that the else branch can always be executed. This approximation causes no problem in most cases, since this branch generally does nothing or sends an error message. In [BAF08], however, we showed how to represent the failure of destructors exactly in the clauses, using an additional predicate nounif that expresses properties of the form ∀x1, . . . , xn. p ≠ p′. (This predicate is handled by specific simplification rules in the resolution algorithm.)

The clauses corresponding to the process P0 are computed by [[P0]]ρ0∅∅. These clauses are of the form
$$\mathrm{message}(p_1, p'_1) \wedge \ldots \wedge \mathrm{message}(p_n, p'_n) \Rightarrow \mathrm{message}(p, p')$$
when the process P0 sends the message p′ on channel p after receiving the messages p′1, . . . , p′n on channels p1, . . . , pn respectively. When the channel c is in Init, the attacker has c, so message(c[ ], p) is equivalent to attacker(p) by (Rl) and (Rs). ProVerif therefore replaces message(c[ ], p) with attacker(p) in the generated clauses.


Results and example

Let ρ0 = {a ↦ a[ ] | a ∈ fn(P0)}. The set of clauses corresponding to the process P0 is

RP0,Init = [[P0]]ρ0∅∅ ∪ {attacker(a[ ]) | a ∈ Init} ∪ {(Rn), (Rf), (Rg), (Rl), (Rs)}

The following theorem makes it possible to prove secrecy from the Horn clauses:

Theorem 2.1 Let P0 be a closed process, M a term such that fn(M) ⊆ fn(P0), and p the pattern obtained by replacing each name a of M with a[ ]. If attacker(p) is not derivable from RP0,Init, then P0 preserves the secrecy of all instances of M from Init.

We proved this theorem using a type system as an intermediate step. More precisely, in collaboration with Martín Abadi [AB05a], we designed a generic type system that makes it possible to prove secrecy for protocols that use varied cryptographic primitives, defined by constructors and destructors. (This type system extends an earlier system for public-key encryption [AB03].) We showed that the Horn clause verification method (for a variant without session identifiers) corresponds to a particular instance of this type system, in which the types are the closed patterns, which proves its correctness. We also showed that this instance is the most precise possible: if a secrecy property can be proved by any instance of our type system, then it can be proved by the Horn clause method.

A small extension of this work [Bla08a, appendix B] shows that the variant with session identifiers also corresponds to a type system, which proves its correctness, and hence Theorem 2.1. To apply this theorem, one must determine whether a fact is derivable from the clauses. For this, ProVerif uses a resolution algorithm described in section 2.2.3.

Example 2.1 Let Init = {c} be the attacker's initial knowledge. For the process P0 of section 2.1.3, the clauses [[P0]]ρ0∅∅ are, after replacing message(c[ ], p) with attacker(p):

attacker(pk(skA[ ]))                                                                         (2.5)

attacker(pk(skB[ ]))                                                                         (2.6)

attacker(x_pkB) ⇒ attacker(pencryptp(sign(k[i, x_pkB], skA[ ]), x_pkB, r[i, x_pkB]))         (2.7)

attacker(pencryptp(sign(x_m, skA[ ]), pk(skB[ ]), x_r)) ⇒ attacker(sencrypt(s[ ], x_m))       (2.8)

Clauses (2.5) and (2.6) correspond to the two emissions in P0 itself, c⟨pkA⟩c⟨pkB⟩. They express that the attacker has the public keys. Clause (2.7) corresponds to the emission in PA: if the attacker has x_pkB, he can send it to the first reception of PA, and PA then replies with the message pencryptp(sign(k[i, x_pkB], skA[ ]), x_pkB, r[i, x_pkB]), which the attacker intercepts. The second reception of PA and the destructor application that follows generate no clause, since no message is emitted. Finally, clause (2.8) corresponds to the emission in PB: if the attacker obtains a message of the form pencryptp(sign(x_m, skA[ ]), pk(skB[ ]), x_r), he can send this message to PB. The decryption and the signature verification succeed, so PB replies by sending s encrypted under x_m, which the attacker intercepts.

The fact attacker(s[ ]) is derivable from the clauses RP0,Init. The secrecy of s therefore cannot be proved by Theorem 2.1 for this protocol. The derivation obtained by ProVerif is the following: the attacker creates a secret key by (Rn), giving the fact attacker(b[x]). By (Rf) for the constructor pk, we derive attacker(pk(b[x])). By (2.7), we derive attacker(pencryptp(sign(k[i, pk(b[x])], skA[ ]), pk(b[x]), r[i, pk(b[x])])). By (Rg) for the destructor pdecryptp, we derive attacker(sign(k[i, pk(b[x])], skA[ ])), since we have attacker(b[x]). By (Rg) for the destructor getmessage, we derive attacker(k[i, pk(b[x])]). By (2.6), we have attacker(pk(skB[ ])), so by (Rn) and (Rf) for the constructor pencryptp, we derive attacker(pencryptp(sign(k[i, pk(b[x])], skA[ ]), pk(skB[ ]), b[x′])). By (2.8), we derive attacker(sencrypt(s[ ], k[i, pk(b[x])])). Finally, knowing attacker(k[i, pk(b[x])]), we derive attacker(s[ ]) by (Rg) for the destructor sdecrypt.

This derivation corresponds to the attack against this protocol mentioned in section 1.1.2, which we recall here:

Message 1. A→ C : {{k}skA}pkC

Message 1’. C(A)→ B : {{k}skA}pkB

Message 2. B → C(A) : {s}k

The sending of message 1 corresponds to the application of clause (2.7); the attacker then computes message 1′ and the key k by applying destructors and constructors, corresponding to the clauses (Rg) and (Rf) in the derivation above. The reception of message 1′ and the sending of message 2 correspond to clause (2.8), and the final decryption of message 2 to clause (Rg) for sdecrypt.

The corrected version of the protocol can be modelled in the same way, and the corresponding clauses computed. ProVerif then shows that attacker(s[ ]) is not derivable from these clauses. By Theorem 2.1, we obtain that the corrected protocol preserves the secrecy of s from {c}.

In the example above, we explained informally that the derivation obtained corresponds to an attack. During an internship under my supervision, Xavier Allamigeon extended ProVerif so that it automatically reconstructs an attack from a derivation [AB05c]. The reconstructed attack is a trace of the process P0 that publishes the secret M. The strategy used to reconstruct this trace consists in executing the semantics of the process P0, guided by the derivation: a reduction of the process is executed only if a clause in the derivation corresponds to that reduction. We proved the correctness and termination of this algorithm. We also gave a formal definition of this correspondence between clauses and reductions, by giving an explicit construction of a derivation from a trace of P0. We then showed a partial completeness result for attack reconstruction: if all emissions in P0 are of the form M⟨N⟩.P where M is a name of Init not bound in P0, or else P = 0, and the derivation corresponds to a trace, then our algorithm succeeds in reconstructing a trace corresponding to the derivation. Moreover, under the same hypotheses, our algorithm reconstructs the trace without backtracking. It is therefore very efficient in this case, and in practice it is generally very fast. We successfully tested this attack reconstruction algorithm on many protocols from the literature. To cite an extreme example, we were able to reconstruct an attack involving 200 parallel sessions against the protocol f200g200 [Mil99]. (The protocol fngn has an attack that uses n parallel sessions.)

In the example above, the derivation obtained corresponded to an attack. Unfortunately, this is not always the case, because the construction of the Horn clauses introduces approximations. These approximations are very useful for handling an infinite state space, but because of them ProVerif may find a derivation even though the secret is preserved. In that case, trace reconstruction of course fails. The case where ProVerif finds a derivation but trace reconstruction fails corresponds to a "don't know" answer. In the other cases, ProVerif gives an exact answer: either it finds no derivation and the desired property is proved, or trace reconstruction succeeds and we obtain an attack against the property in question.

The main approximation made by ProVerif is that clauses are applicable any number of times, so the repetition (or not) of actions is ignored. Consequently, protocols that must first keep a secret and then reveal it cannot be proved by ProVerif. For example, the process P0 = (νc)(c⟨s⟩ | c(x).d⟨c⟩) preserves the secrecy of s from {d}, but ProVerif cannot prove it, since attacker(s[ ]) is derivable from the clauses (Rl), message(c[ ], s[ ]) and message(c[ ], x) ⇒ attacker(c[ ]), which are in RP0,{d}. (message(d[ ], c[ ]) is equivalent to attacker(c[ ]) since d is a public channel.) The clauses do not take into account that the emission c⟨s⟩ must have been executed before the attacker obtains the channel c. (In this example, c is the secret that is first kept and then revealed.) This example can also be understood by noting that the generated clauses are the same as for the process P′0 = (νc)(!c⟨s⟩ | !c(x).d⟨c⟩), in which the actions are repeated and which does not preserve the secrecy of s from {d}.

In [Bla05], we compared the linear logic model [CDL+99] (or, equivalently, the multiset rewriting model) with the abstract Horn clause model (variant without session identifiers). We showed that the latter is obtained from the linear logic model by an abstraction (in the formal sense of abstract interpretation [CC79]) that ignores the number of repetitions of each action. The linear logic model represents the protocol by formulas of the form:

$$!\,\forall y_1, \ldots, y_p.\,(F_1 \otimes \ldots \otimes F_n \multimap \exists x_1, \ldots, x_m.\, F'_1 \otimes \ldots \otimes F'_{n'}) \qquad (2.9)$$

where the existentials correspond to the creation of fresh names. In the multiset presentation, the state of the system is a multiset of facts, and when formula (2.9) is applied, instances of F1, . . . , Fn are removed from the state and the corresponding instances of F′1, . . . , F′n′ are added, after replacing x1, . . . , xm with fresh names. After abstraction, we obtain formulas in classical logic, of the form

$$\forall y_1, \ldots, y_p.\,(F_1 \wedge \ldots \wedge F_n \Rightarrow \exists x_1, \ldots, x_m.\, F'_1 \wedge \ldots \wedge F'_{n'}) \qquad (2.10)$$

which can be transformed into Horn clauses after skolemisation of x1, . . . , xm. It is this skolemisation that turns fresh names into functions of the previously received messages, without introducing any new approximation, since skolemisation preserves satisfiability in classical logic. (By contrast, skolemisation does introduce an approximation if it is performed in linear logic.) Thus, compared with the linear logic model, the only approximation concerns the number of repetitions of actions.

By contrast, compared with our process calculus, which is richer than the linear logic model, one can note an additional approximation: for the emission M⟨N⟩.P, the Horn clause representation considers that the process P can always be executed, as if the process were M⟨N⟩ | P, whereas in fact P can be executed only after N has been sent on channel M. (The else branches of destructors are also approximated in the version presented here, but, as noted above, ProVerif handles them precisely.)

2.2.3 Resolution on clauses

To determine whether a fact is derivable from the clauses, ProVerif uses resolution with free selection [dN95, Lyn97, BG01] (whereas Weidenbach [Wei99] used resolution with ordered selection). We recall this algorithm and summarise the main optimisations implemented in ProVerif, then discuss its termination.

The algorithm

The resolution algorithm infers new clauses as follows: from two clauses R = H ⇒ C and R′ = F ∧ H′ ⇒ C′ (where F is any hypothesis of R′), it infers R ∘F R′ = σH ∧ σH′ ⇒ σC′, where C and F are unifiable and σ is the most general unifier of C and F. The clause R ∘F R′ thus combines R and R′, so that R is used to prove the hypothesis F of R′. Resolution is guided by a selection function sel: sel(R) returns a fact (a hypothesis or the conclusion) of R, and the resolution step above is performed only if sel(R) = C and sel(R′) = F. The saturation algorithm saturate(R0) applies these resolution steps until a fixpoint is reached, that is, until no new clause is created. When the fixpoint is reached, saturate(R0) returns the subset of the clauses R in the fixpoint such that sel(R) is the conclusion of R (see footnote 4).

The resolution algorithm with free selection is correct (see footnote 5) for any selection function, but the choice of this function has a considerable influence on its performance (and on its termination). Note that the fact attacker(x), where x is a variable, unifies with any fact attacker(p), so if attacker(x) is selected, the algorithm practically never terminates. We therefore avoid selecting attacker(x). A natural selection function is thus:

$$\mathrm{sel}_0(H \Rightarrow C) = \begin{cases} C & \text{if every element of } H \text{ is of the form } \mathrm{attacker}(x),\ x \text{ a variable} \\ F & \text{where } F \neq \mathrm{attacker}(x) \text{ and } F \in H, \text{ otherwise} \end{cases}$$

The algorithm implemented in ProVerif contains numerous optimisations. We summarise the main ones below. Other optimisations are presented in [Bla08a] and, for specific predicates such as nounif, in [Bla04a, BAF08]. These optimisations are applied to the initial clauses and after each resolution step. Some of them are specific to protocols, such as the first two below, while the others are standard.

– Decomposition of data constructors: a data constructor is a constructor f of arity n accompanied by n destructors gi defined by gi(f(x1, . . . , xn)) → xi. Typical examples of data constructors are tuples. If f is a data constructor, attacker(f(p1, . . . , pn)) is equivalent to attacker(p1) ∧ . . . ∧ attacker(pn) by the clauses (Rf) attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)) and (Rg) attacker(f(x1, . . . , xn)) ⇒ attacker(xi). We therefore replace the fact attacker(f(p1, . . . , pn)) with attacker(p1) ∧ . . . ∧ attacker(pn) in the clauses. If this replacement is performed in the conclusion of a clause, n clauses are created with the same hypotheses and the conclusions attacker(p1), . . . , attacker(pn) respectively. The replacement is performed recursively: if pi is itself an application of a data constructor, the same replacement is performed again. The clauses (Rf) and (Rg) corresponding to the data constructor and its associated destructors are excluded from this transformation.

– Elimination of attacker(x) hypotheses: hypotheses attacker(x), where x occurs nowhere else in the clause, are removed. Indeed, such hypotheses can always be satisfied, for example by (Rn).

– Elimination of duplicate hypotheses: only one copy of a hypothesis that occurs twice in a clause is kept.

– Elimination of tautologies: tautologies (clauses whose conclusion already occurs among the hypotheses) are removed.

– Elimination of subsumed clauses: we say that H1 ⇒ C1 subsumes H2 ⇒ C2 if and only if there exists a substitution σ such that σH1 ⊆ H2 (multiset inclusion) and σC1 = C2. We eliminate all clauses that are subsumed by another clause of the current set of clauses.

The correctness of this algorithm is justified by the following theorem:

Theorem 2.2 Let F be a closed fact. The fact F is derivable from R0 if and only if it is derivable from saturate(R0).

Footnote 4: For historical reasons, the published papers use a slightly different notation for the selection function sel: sel(R) returns a subset of the hypotheses of R, with sel(H ⇒ C) = {F} when F ∈ H is selected and sel(H ⇒ C) = ∅ when the conclusion C is selected.

Footnote 5: In this memoir, the notion of correctness is understood in the security sense, that is, no attack is missed. For the resolution algorithm, this notion corresponds to the fact that no derivation is missed, that is, to the completeness of the algorithm in the logic-programming sense.


This theorem is a special case of [Bla08a, Lemma 2]. It shows that the clauses can be saturated by saturate without changing the set of derivable facts. One can then determine which instances of pred(p1, . . . , pn) are derivable by the following computation:
$$\mathrm{solve}_{P_0,\mathit{Init}}(\mathrm{pred}(p_1, \ldots, p_n)) = \{\, H \Rightarrow \mathrm{pred}(p'_1, \ldots, p'_n) \mid H \Rightarrow \mathrm{pred}'(p'_1, \ldots, p'_n) \in \mathrm{saturate}(\mathcal{R}_0) \,\}$$
where pred′ is a new predicate and R0 = RP0,Init ∪ {pred(p1, . . . , pn) ⇒ pred′(p1, . . . , pn)}. Indeed, σpred(p1, . . . , pn) is derivable from RP0,Init if and only if σpred′(p1, . . . , pn) is derivable from R0, hence, by Theorem 2.2, if and only if σpred′(p1, . . . , pn) is derivable from saturate(R0), hence if and only if there exist a clause H ⇒ pred(p′1, . . . , p′n) in solveP0,Init(pred(p1, . . . , pn)) and a substitution σ′ such that σ′pred(p′1, . . . , p′n) = σpred(p1, . . . , pn) and σ′H is derivable from saturate(R0). In particular, if solveP0,Init(attacker(p)) = ∅, then attacker(p) is not derivable from RP0,Init (and if solveP0,Init(attacker(p)) is non-empty for the selection function sel0, at least one instance of attacker(p) is derivable, since H then contains only facts of the form attacker(x), each of which has an instance derivable by (Rn)).
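As an added example serving both Example 2.1 above (clauses (2.5)-(2.8) and the derivation of attacker(s[ ])) and the saturation and solve computation of this section, the following Python program implements resolution with the selection function sel0, the five simplifications listed above and the solve construction, and runs it on the clauses of Example 2.1: (Rn), (Rf) and (Rg) for the primitives of the example, plus (2.5)-(2.8). It is illustrative code written for this page, not ProVerif's implementation. Every channel in the example is public, so, as in the text, message(c[ ], p) has already become attacker(p) and only the attacker predicate is needed; the fresh predicate pred′ of the text is called goal here. For the repaired protocol the program assumes that A signs the pair (pkB, k) instead of k alone, using a pair constructor with two projections; the corrected process of section 1.1.2 is not reproduced on this page, so that repair is an assumption of the example.

```python
# Added example: Horn-clause saturation with the selection function sel0 of section 2.2.3,
# run on the clauses of Example 2.1.  Written for this page; it is not ProVerif's own code.
from collections import namedtuple
import itertools

Clause = namedtuple('Clause', 'hyps concl')   # hyps: tuple of facts; a fact is (predicate, pattern)
_fresh = itertools.count()

def V(name): return ('?', name)                # variable
def F(sym, *args): return (sym, tuple(args))   # constructor application; symbols "a[]" are names a[...]
def is_var(t): return t[0] == '?'
def att(t): return ('attacker', t)

def walk(t, s):                                # follow the bindings of a variable in substitution s
    while is_var(t) and t in s: t = s[t]
    return t

def apply(t, s):
    t = walk(t, s)
    return t if is_var(t) else (t[0], tuple(apply(a, s) for a in t[1]))

def variables(t):
    return {t} if is_var(t) else {v for a in t[1] for v in variables(a)}

def unify(a, b, s):                            # most general unifier extending s (occurs check), or None
    a, b = walk(a, s), walk(b, s)
    if a == b: return s
    if is_var(a): return None if a in variables(apply(b, s)) else {**s, a: b}
    if is_var(b): return unify(b, a, s)
    if a[0] != b[0] or len(a[1]) != len(b[1]): return None
    for x, y in zip(a[1], b[1]):
        s = unify(x, y, s)
        if s is None: return None
    return s

def freeze(t):                                 # variables become constants, so unify then matches one-way
    return ('$' + t[1], ()) if is_var(t) else (t[0], tuple(map(freeze, t[1])))

def rename(c):                                 # rename the variables of c apart from every other clause
    n, seen = next(_fresh), {}
    def r(t):
        if is_var(t): return seen.setdefault(t, ('?', '%s#%d.%d' % (t[1].split('#')[0], n, len(seen))))
        return (t[0], tuple(map(r, t[1])))
    return Clause(tuple((p, r(t)) for p, t in c.hyps), (c.concl[0], r(c.concl[1])))

def sel0(c):                                   # index of the selected hypothesis; None = the conclusion
    return next((j for j, (p, t) in enumerate(c.hyps) if not (p == 'attacker' and is_var(t))), None)

def resolve(r, rp, j):                         # R o_F R': the conclusion of r proves F = rp.hyps[j]
    r = rename(r)
    s = unify(r.concl[1], rp.hyps[j][1], {}) if r.concl[0] == rp.hyps[j][0] else None
    if s is None: return None
    hyps = r.hyps + rp.hyps[:j] + rp.hyps[j + 1:]
    return Clause(tuple((p, apply(t, s)) for p, t in hyps), (rp.concl[0], apply(rp.concl[1], s)))

def simplify(c):                               # duplicate-hypothesis, attacker(x) and tautology elimination
    hyps = list(dict.fromkeys(c.hyps))
    def needed(j, p, t):                       # attacker(x) with x nowhere else is satisfiable by (Rn): drop it
        return not (p == 'attacker' and is_var(t)) or any(t in variables(g) for _, g in [c.concl] + hyps[:j] + hyps[j + 1:])
    kept = [h for j, h in enumerate(hyps) if needed(j, *h)]
    return None if c.concl in kept else Clause(tuple(kept), c.concl)

def subsumes(c1, c2):                          # some sigma has sigma(H1) ⊆ H2 (multiset) and sigma(C1) = C2
    c1 = rename(c1)
    def go(hyps, avail, s):
        if not hyps: return True
        for j, (p2, t2) in enumerate(avail):
            s2 = unify(hyps[0][1], t2, s) if hyps[0][0] == p2 else None
            if s2 is not None and go(hyps[1:], avail[:j] + avail[j + 1:], s2): return True
        return False
    s0 = unify(c1.concl[1], freeze(c2.concl[1]), {}) if c1.concl[0] == c2.concl[0] else None
    return s0 is not None and go(list(c1.hyps), [(p, freeze(t)) for p, t in c2.hyps], s0)

def saturate(clauses):                         # resolve to a fixpoint; return the conclusion-selected clauses
    done, queue = [], [c for c in map(simplify, clauses) if c]
    while queue:
        c = queue.pop(0)
        if any(subsumes(d, c) for d in done): continue
        done = [d for d in done if not subsumes(c, d)]
        new = [resolve(c, d, sel0(d)) if sel0(c) is None else resolve(d, c, sel0(c))
               for d in done if (sel0(c) is None) != (sel0(d) is None)]
        done.append(c)
        queue += [n for n in map(simplify, filter(None, new)) if n]
    return [c for c in done if sel0(c) is None]

def solve(clauses, fact):                      # solve(F): saturate clauses + {F => goal(F)}, keep the goal clauses
    return [c for c in saturate(clauses + [Clause((fact,), ('goal', fact[1]))]) if c.concl[0] == 'goal']

def example_clauses(fixed=False):              # R_{P0,Init} of Example 2.1; fixed: A signs (pkB, k) (assumed repair)
    x, y, m, sk, r, k, xm, xr, i = map(V, 'x y m sk r k x_m x_r i'.split())
    skA, skB, s, pkB = F('skA[]'), F('skB[]'), F('s[]'), F('pk', F('skB[]'))
    clauses = [Clause((), att(F('b[]', x)))]                                               # (Rn)
    for f, n in [('pk', 1), ('pencryptp', 3), ('sign', 2), ('sencrypt', 2), ('pair', 2)]:
        xs = [V('x%d' % j) for j in range(n)]
        clauses.append(Clause(tuple(map(att, xs)), att(F(f, *xs))))                       # (Rf)
    for args, res in [([F('pencryptp', m, F('pk', sk), r), sk], m),                        # pdecryptp
                      ([F('sign', m, sk), F('pk', sk)], m), ([F('sign', m, sk)], m),       # checksignature, getmessage
                      ([F('sencrypt', m, k), k], m),                                       # sdecrypt
                      ([F('pair', x, y)], x), ([F('pair', x, y)], y)]:                     # fst, snd (pair is assumed)
        clauses.append(Clause(tuple(map(att, args)), att(res)))                            # (Rg)
    signed, accepted = (F('pair', x, F('k[]', i, x)), F('pair', pkB, xm)) if fixed else (F('k[]', i, x), xm)
    return clauses + [Clause((), att(F('pk', skA))), Clause((), att(pkB)),                # (2.5), (2.6)
        Clause((att(x),), att(F('pencryptp', F('sign', signed, skA), x, F('r[]', i, x)))),  # (2.7)
        Clause((att(F('pencryptp', F('sign', accepted, skA), pkB, xr)),), att(F('sencrypt', s, xm)))]  # (2.8)

def secret_derivable(fixed=False):             # True iff attacker(s[]) is derivable, i.e. Theorem 2.1 does not apply
    return bool(solve(example_clauses(fixed), att(F('s[]'))))
```

secret_derivable(False) returns True: saturation reaches the fact goal(s[ ]), which is the derivation of attacker(s[ ]) spelled out in Example 2.1 (the attacker's fresh key b[x] sent as x_pkB, A's signature recovered with pdecryptp and getmessage, re-encryption under pk(skB[ ]), and the final sdecrypt). secret_derivable(True) returns False: in the fixpoint, every clause concluding goal still has a hypothesis such as attacker(skB[ ]) selected, so no clause is returned and, by Theorem 2.1, the repaired protocol preserves the secrecy of s from {c}. Termination of saturate is not guaranteed in general (see the discussion of tagged protocols that follows); on these two clause sets the fixpoint is small and reached quickly.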

Termination

The saturation algorithm saturate does not always terminate. In collaboration with Andreas Podelski [BP05b], we showed that it terminates for an important class of protocols, tagged protocols. A tagged protocol is a protocol in which each application of a cryptographic primitive is distinguished from the others by a constant (the tag). It is generally easy to transform a protocol into a tagged protocol by adding tags. For example, the protocol of section 1.1.2 can be transformed into the tagged protocol:

Message 1. A → B : {c1, {c0, k}skA}pkB      k fresh

Message 2. B → A : {c2, s}k

where the tags are c0, c1, c2. The tagged protocol retains the expected behaviour of the protocol, that is, the executions without attacks are the same. In the presence of attacks, it may be more secure. Adding tags is thus part of good protocol design, as explained for instance in [AN96]: the receiver of a message uses the tag to identify it unambiguously. Tagging consequently avoids the type confusions that arise when one message is taken for another. (This is proved formally in [HLS00] for a tagging scheme very close to ours.) This also means that the security of the tagged protocol does not imply the security of the untagged version; it is the tagged version that must be implemented. Tagging is also motivated by practical reasons, since it makes decoding received messages easier. For all these reasons, tagging is already present in protocols such as SSH.

We showed that our verification algorithm terminates for tagged protocols that use the cryptographic primitives of Figure 2.2, provided that public keys are atomic. In [BP05b], we give a characterisation of these protocols at the level of Horn clauses, whereas in [Bla08a, section 8.1] we extended this result by giving a characterisation at the level of processes. The algorithm often terminates even when the protocol is not tagged. This can be partly explained by the fact that, in some protocols, the shape of the messages guarantees that they cannot be confused with one another even without tags, for instance because they contain tuples of different arities or use different cryptographic primitives. This is in fact the case for the protocol of section 1.1.2. One then speaks of implicit tagging.

Other authors have proved related results: Ramanujan and Suresh [RS03] showed that secrecy is decidable for tagged protocols. Their result differs from ours for two reasons. Their tagging scheme is more restrictive, since it forbids blind copies. A blind copy occurs when a participant forwards part of a message it received without checking what is inside that part. On the other hand, they give a decidability result, whereas our result shows the termination of an algorithm that is correct and efficient in practice, but approximate. Arapinis and Duflot extended this result [AD07], still forbidding blind copies. Comon-Lundh and Cortier [CLC03] showed the termination of an algorithm that uses ordered binary resolution, ordered factorisation and splitting on protocols that make at most one blind copy in each message. Our result sets no limit on the number of blind copies, but requires tagging.

We also designed heuristics to improve the choice of the selection function, so as to favour termination of the algorithm even when the protocol is not tagged [Bla08a, section 8.2].

2.2.4 Verification of correspondence properties

Correspondence properties are properties of the form "if a certain event has been executed, then other events have been executed". To model these properties, we introduce an additional construct in our process calculus, event(M).P, which executes the event M and then the process P. The semantics of this construct is defined simply by

$E, \mathcal{P} \cup \{\mathit{event}(M).P\} \to E, \mathcal{P} \cup \{P\}$ (Red Event)

Init-attackers are restricted to processes that contain no events (otherwise, no correspondence could be proved). We then define what it means for a trace to execute an event:

Definition 2.4 Let $M$ be a closed term. We say that a trace $E_0, \mathcal{P}_0 \to^* E', \mathcal{P}'$ executes the event $M$ if and only if there exist $E$, $\mathcal{P}$ and $P$ such that this trace contains the reduction $E, \mathcal{P} \cup \{\mathit{event}(M).P\} \to E, \mathcal{P} \cup \{P\}$.

The correspondence $\mathit{event}(M) \rightsquigarrow \bigvee_{j=1}^{m} \bigwedge_{k=1}^{l_j} \mathit{event}(M_{jk})$ intuitively means that, if the event $M$ has been executed, then there exists $j$ such that the events $M_{j1}, \ldots, M_{jl_j}$ have been executed. More precisely, for all values of the variables of $M$, if the event $M$ has been executed, then there exist $j$ and values of the variables of $M_{j1}, \ldots, M_{jl_j}$ that do not occur in $M$ such that the events $M_{j1}, \ldots, M_{jl_j}$ have been executed. The formal definition is the following:

Definition 2.5 The closed process $P_0$ satisfies the correspondence $\mathit{event}(M) \rightsquigarrow \bigvee_{j=1}^{m} \bigwedge_{k=1}^{l_j} \mathit{event}(M_{jk})$ in the presence of an Init-attacker if and only if, for every Init-attacker $Q$, for every $E_0$ containing $\mathit{fn}(P_0) \cup \mathit{Init} \cup \mathit{fn}(M) \cup \bigcup_{j,k} \mathit{fn}(M_{jk})$, for every substitution $\sigma$, for every trace $T = E_0, \{P_0, Q\} \to^* E', \mathcal{P}'$, if $T$ executes the event $\sigma M$, then there exist $\sigma'$ and $j \in \{1, \ldots, m\}$ such that $\sigma' M = \sigma M$ and, for all $k \in \{1, \ldots, l_j\}$, $T$ executes the event $\sigma' M_{jk}$.

Example 2.2 For instance, we can modify the process $P_0$ of Section 2.1.3 by adding events as follows:

$P_0 = (\nu skA)(\nu skB)\ \mathit{let}\ pkA = \mathit{pk}(skA)\ \mathit{in}\ \mathit{let}\ pkB = \mathit{pk}(skB)\ \mathit{in}\ c\langle pkA\rangle.c\langle pkB\rangle.(P_A(pkA, skA) \mid P_B(pkB, skB, pkA))$

$P_A(pkA, skA) = {!}\,c(x_{pkB}).(\nu k)\,\mathit{event}(eA(pkA, x_{pkB}, k)).(\nu r)\,c\langle \mathit{pencrypt}_p(\mathit{sign}(k, skA), x_{pkB}, r)\rangle.c(x).\mathit{let}\ z = \mathit{sdecrypt}(x, k)\ \mathit{in}\ 0$

$P_B(pkB, skB, pkA) = {!}\,c(y).\mathit{let}\ y' = \mathit{pdecrypt}_p(y, skB)\ \mathit{in}\ \mathit{let}\ x_k = \mathit{checksignature}(y', pkA)\ \mathit{in}\ \mathit{event}(eB(pkA, pkB, x_k)).c\langle \mathit{sencrypt}(s, x_k)\rangle$


The event $eA(pkA, x_{pkB}, k)$ intuitively means that $A$ has started a session of the protocol between the participants with public keys $pkA$ (that is, $A$) and $x_{pkB}$, with shared key $k$. Similarly, the event $eB(pkA, pkB, x_k)$ means that $B$ has accepted the shared key $x_k$ in a session between the participants $A$ and $B$. One can then try to show the correspondence $\mathit{event}(eB(x, y, z)) \rightsquigarrow \mathit{event}(eA(x, y, z))$, which means that, if $eB(x, y, z)$ has been executed, then $eA(x, y, z)$ has also been executed. In other words, if $B$ believes it is running a session of the protocol with $A$ and shared key $z$, then $A$ believes it is running a session of the protocol with $B$ and the same key $z$. This provides a form of authentication.

As mentioned above, our Horn-clause verification method over-approximates the actions that can be executed. Thus, if $\mathit{attacker}(p)$ is derivable from the clauses, the attacker may have $p$; if $\mathit{attacker}(p)$ is not derivable, then we are sure that the attacker does not have $p$, but the converse is false. Suppose now that we wish to prove a correspondence property such as $\mathit{event}(e_1(x)) \rightsquigarrow \mathit{event}(e_2(x))$, that is, we want to show that, if $e_1(x)$ has been executed, then $e_2(x)$ has been executed. To make such a proof, we may over-approximate the executions of $e_1$: if the proof succeeds with this over-approximation, the property holds a fortiori in the exact semantics. We therefore extend the analysis for secrecy with an additional predicate $\mathit{event}$, such that $\mathit{event}(p)$ means that the event $p$ (more formally, the event $M$ whose associated pattern is $p$) may have been executed. We create clauses

$\mathit{message}(p_1, p'_1) \wedge \ldots \wedge \mathit{message}(p_n, p'_n) \Rightarrow \mathit{event}(p)$

when the process executes the event $p$ after having received the messages $p'_1, \ldots, p'_n$ on the channels $p_1, \ldots, p_n$ respectively. On the other hand, we cannot over-approximate the executions of the event $e_2$: if we prove the correspondence after over-approximating $e_2$, we are not really sure that $e_2$ will be executed, so the correspondence may be false in the exact semantics. We must therefore use another method to handle $e_2$.

We use the following idea: we fix the exact set $\mathcal{E}$ of allowed events $e_2(p)$ and, to prove $\mathit{event}(e_1(x)) \rightsquigarrow \mathit{event}(e_2(x))$, we check that only the events $e_1(p)$ for $p$ such that $e_2(p) \in \mathcal{E}$ can be executed. Hence, if $e_1(M)$ has been executed, then $e_1(p)$ has been executed for $p$ the pattern corresponding to $M$, so $e_2(p) \in \mathcal{E}$ has been executed, so $e_2(M)$ has been executed, since a single term $M$ corresponds to a given pattern $p$ thanks to the session identifiers, which distinguish the names created by the same restriction. By proving this property for every value of $\mathcal{E}$, we obtain the desired correspondence. We therefore introduce a predicate $\mathit{m\text{-}event}$ (must event) such that $\mathit{m\text{-}event}(p_0)$ holds if and only if $p_0 \in \mathcal{E}$. We create the clauses

$\mathit{message}(p_1, p'_1) \wedge \ldots \wedge \mathit{message}(p_n, p'_n) \wedge \mathit{m\text{-}event}(p_0) \Rightarrow \mathit{message}(p, p')$

when the process outputs $p'$ on the channel $p$ after having executed the event $p_0$ and received $p'_1, \ldots, p'_n$ on the channels $p_1, \ldots, p_n$ respectively. In other words, the output of $p'$ on the channel $p$ can be executed only if $\mathit{m\text{-}event}(p_0)$ holds, that is, $p_0 \in \mathcal{E}$.

More generally, we extend the clause-generation formulas to the case of events as follows:

$[\![\mathit{event}(M).P]\!]\rho s H = [\![P]\!]\rho s (H \wedge \mathit{m\text{-}event}(\rho(M))) \cup \{H \Rightarrow \mathit{event}(\rho(M))\}$

We add the hypothesis $\mathit{m\text{-}event}(\rho(M))$ to $H$ to express that $P$ can be executed only if the event $M$ is allowed (which is useful for $e_2$ in the example above), and we add the clause $H \Rightarrow \mathit{event}(\rho(M))$ to express that the event may be executed if $H$ holds (which is useful for $e_1$ in the example above).

To determine whether an event can be executed, we determine whether the corresponding fact is derivable from the clauses, by extending the previous resolution algorithm. Indeed, resolution must be performed for an unknown value of $\mathcal{E}$, so we keep the $\mathit{m\text{-}event}$ facts without trying to evaluate them (evaluating them would require knowing $\mathcal{E}$). To this end, we modify the selection function so that it never selects a fact of the form $\mathit{m\text{-}event}(p)$. Writing $F_{me} = \{\mathit{m\text{-}event}(p) \mid p \in \mathcal{E}\}$, Theorem 2.2 then becomes:


Theorem 2.3 Let $F$ be a closed fact. The fact $F$ is derivable from $R_0 \cup F_{me}$ if and only if it is derivable from $\mathit{saturate}(R_0) \cup F_{me}$.

Then, as for secrecy, $\sigma\,\mathit{pred}(p_1, \ldots, p_n)$ is derivable from $R_{P_0,\mathit{Init}} \cup F_{me}$ if and only if there exist a clause $H \Rightarrow \mathit{pred}(p'_1, \ldots, p'_n)$ in $\mathit{solve}_{P_0,\mathit{Init}}(\mathit{pred}(p_1, \ldots, p_n))$ and a substitution $\sigma'$ such that $\sigma'\,\mathit{pred}(p'_1, \ldots, p'_n) = \sigma\,\mathit{pred}(p_1, \ldots, p_n)$ and $\sigma' H$ is derivable from $\mathit{saturate}(R_0) \cup F_{me}$, where $R_0 = R_{P_0,\mathit{Init}} \cup \{\mathit{pred}(p_1, \ldots, p_n) \Rightarrow \mathit{pred}'(p_1, \ldots, p_n)\}$. Since no clause outside $F_{me}$ concludes an $\mathit{m\text{-}event}$ fact, the $\mathit{m\text{-}event}$ facts of $\sigma' H$ are necessarily in $F_{me}$, which guarantees that the corresponding events have been executed. We can then show the following theorem:

Theorem 2.4 Let $P_0$ be a closed process. Let $M$, $M_{jk}$ ($j \in \{1, \ldots, m\}$, $k \in \{1, \ldots, l_j\}$) be terms. Let $p$, $p_{jk}$ be the patterns obtained by replacing the names $a$ with the patterns $a[\,]$ in the terms $M$, $M_{jk}$ respectively. Suppose that, for all clauses $R \in \mathit{solve}_{P_0,\mathit{Init}}(\mathit{event}(p))$, there exist $j \in \{1, \ldots, m\}$, $\sigma'$ and $H$ such that $R = H \wedge \mathit{m\text{-}event}(\sigma' p_{j1}) \wedge \ldots \wedge \mathit{m\text{-}event}(\sigma' p_{jl_j}) \Rightarrow \mathit{event}(\sigma' p)$. Then $P_0$ satisfies the correspondence $\mathit{event}(M) \rightsquigarrow \bigvee_{j=1}^{m} \bigwedge_{k=1}^{l_j} \mathit{event}(M_{jk})$ in the presence of an Init-attacker.

This result is a special case of [Bla08a, Theorem 4]. Intuitively, if all clauses are of the form $H \wedge \mathit{m\text{-}event}(\sigma' p_{j1}) \wedge \ldots \wedge \mathit{m\text{-}event}(\sigma' p_{jl_j}) \Rightarrow \mathit{event}(\sigma' p)$, then, in order to derive $\mathit{event}(\sigma' p)$, the facts $\mathit{m\text{-}event}(\sigma' p_{j1}), \ldots, \mathit{m\text{-}event}(\sigma' p_{jl_j})$ must hold, so, in order to execute the event $\sigma' p$, the events $\sigma' p_{j1}, \ldots, \sigma' p_{jl_j}$ must have been executed, which shows the desired correspondence.

Example 2.3 In the process of Example 2.2, $\mathit{solve}_{P_0,\mathit{Init}}(\mathit{event}(eB(x, y, z)))$ contains the clause

$\mathit{m\text{-}event}(eA(\mathit{pk}(skA[\,]), \mathit{pk}(y'), k[i, \mathit{pk}(y')])) \wedge \mathit{attacker}(y') \Rightarrow \mathit{event}(eB(\mathit{pk}(skA[\,]), \mathit{pk}(skB[\,]), k[i, \mathit{pk}(y')]))$.

This clause prevents us from applying Theorem 2.4 to prove the correspondence $\mathit{event}(eB(x, y, z)) \rightsquigarrow \mathit{event}(eA(x, y, z))$, since the fact $\mathit{m\text{-}event}(eA(\mathit{pk}(skA[\,]), \mathit{pk}(y'), k[i, \mathit{pk}(y')]))$ contains $\mathit{pk}(y')$ instead of $\mathit{pk}(skB[\,])$. This again corresponds to the known attack against this protocol: $A$ runs a session with $C$, whose secret key is $y'$ and public key $\mathit{pk}(y')$, while $B$ believes it is running a session with $A$. In contrast, for the corrected version of the protocol, $\mathit{solve}_{P_0,\mathit{Init}}(\mathit{event}(eB(x, y, z))) = \{\mathit{m\text{-}event}(eA(\mathit{pk}(skA[\,]), \mathit{pk}(skB[\,]), k[i, \mathit{pk}(skB[\,])])) \Rightarrow \mathit{event}(eB(\mathit{pk}(skA[\,]), \mathit{pk}(skB[\,]), k[i, \mathit{pk}(skB[\,])]))\}$, so the desired correspondence is proved.

We have extended these results to injective correspondences, that is, correspondences in which one additionally requires that each execution of the event $M$ corresponds to a distinct execution of the events $M_{jk}$. The proof of injectivity exploits session identifiers to distinguish the different executions of the same event. We have also extended this work to nested correspondences, which make it possible to express constraints on the order in which events are executed [Bla08a, Section 7.2].

Attack reconstruction has been extended to non-injective correspondences, and it reconstructs the attack of Example 2.3. We plan to extend it to injective correspondences. (The difficulty is that the derivation corresponds to one execution of the event $M$ whereas, to contradict injectivity, one must execute the event $M$ twice while some event $M_{jk}$ is executed at most once.)

2.2.5 Multi-phase scenarios

In some protocol studies, one considers scenarios in which some process is executed, then, in a second phase, this process stops and the execution of another process begins. For instance, when modeling the compromise of long-term keys, one considers that, in a first phase, the protocol is executed normally, then, in a second phase, some keys are published. One then asks which secrets of the protocol sessions executed in the first phase are preserved despite the key compromise (this is the notion of forward secrecy).

Such scenarios can be represented in ProVerif thanks to a syntax extension: the process $t : P$ represents a process $P$ that runs in phase number $t$. The system first executes the processes in phase 0. Then, at some point in the execution, it moves to phase 1. At that moment, only the processes $t : P$ with $t \geq 1$ that are ready to be executed are kept (that is, the processes in phase 0 are stopped), and the processes $1 : P$ are executed. Then it moves to phase 2, and so on.

This extension is translated into Horn clauses as follows. We consider predicates $\mathit{attacker}_t$ and $\mathit{message}_t$ for each phase $t$, instead of the predicates $\mathit{attacker}$ and $\mathit{message}$. The clauses for the protocol use the predicate $\mathit{message}_t$ to translate the process $P$ in $t : P$; the clauses for the attacker are repeated for each $\mathit{attacker}_t$. Moreover, the clauses

$\mathit{attacker}_t(x) \Rightarrow \mathit{attacker}_{t+1}(x)$ (Rp)

for every $t$ transfer the attacker's knowledge from one phase to the next.

This extension was presented in [BAF08, Section 8] and [Bla08a, Section 9.3]. An application of it is mentioned in the next section.
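As an added example (not code from the thesis or from ProVerif), the following Python sketch implements, on a toy representation of patterns and Horn clauses, two of the steps described in Sections 2.2.4 and 2.2.5: the syntactic check that Theorem 2.4 requires on the clauses returned by solve, run on the two clauses of Example 2.3, and a saturation of phase-indexed clauses together with the (Rp) clauses on a constructed key-compromise scenario. The `saturate` function is a Datalog-style fixpoint on closed facts, not ProVerif's resolution with a selection function; the phase scenario (the names kAB, k1, s, s2 and the messages the attacker observes) and the variable naming convention are assumptions of the example.

```python
# Added example (not from the thesis or ProVerif): a miniature of two Horn-clause
# steps from Sections 2.2.4 and 2.2.5 on a toy term representation.
# Terms: a variable is a string starting with '?'; anything else is a tuple
# (symbol, arg1, ...); a name a[ ] is the nullary tuple ('a',).
# A fact is (predicate, term); a clause is (list_of_hypotheses, conclusion).

def match(pat, term, s):
    """One-way matching: extend substitution s so that s(pat) == term.
    Variables occurring in `term` are rigid (treated as constants)."""
    if isinstance(pat, str):                            # pattern variable
        if pat in s:
            return s if s[pat] == term else None
        return {**s, pat: term}
    if isinstance(term, str) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for a, b in zip(pat[1:], term[1:]):
        s = match(a, b, s)
        if s is None:
            return None
    return s

def subst(s, t):
    """Apply substitution s to term t."""
    return s.get(t, t) if isinstance(t, str) else (t[0],) + tuple(subst(s, a) for a in t[1:])

def match_all(pats, facts, s):
    """Yield every extension of s mapping each pattern of `pats` onto some fact."""
    if not pats:
        yield s
        return
    for f in facts:
        s2 = match(pats[0], f, s)
        if s2 is not None:
            yield from match_all(pats[1:], facts, s2)

def check_correspondence(solved, p, disjuncts):
    """Hypothesis of Theorem 2.4: every clause of solve(event(p)) has the form
    H ∧ m-event(σ'p_j1) ∧ ... ∧ m-event(σ'p_jlj) ⇒ event(σ'p) for some j.
    Returns None when all clauses pass, otherwise the first offending clause."""
    for hyps, concl in solved:
        s = match(('event', p), concl, {})              # σ' fixed by the conclusion
        if s is None:
            return (hyps, concl)
        mevents = [h for h in hyps if h[0] == 'm-event']
        if not any(next(match_all([('m-event', q) for q in pj], mevents, s), None)
                   is not None for pj in disjuncts):
            return (hyps, concl)
    return None

# --- Example 2.3: query event(eB(x,y,z)) ⇝ event(eA(x,y,z)) ---
skA, skB = ('skA',), ('skB',)
def pk(t): return ('pk', t)
def eA(a, b, k): return ('eA', a, b, k)
def eB(a, b, k): return ('eB', a, b, k)
def k_(i, x): return ('k', i, x)                       # session key k[i, x_pkB]

# the clauses solve returns for the flawed and for the corrected protocol
flawed = [([('m-event', eA(pk(skA), pk('?y1'), k_('?i', pk('?y1')))), ('attacker', '?y1')],
           ('event', eB(pk(skA), pk(skB), k_('?i', pk('?y1')))))]
fixed = [([('m-event', eA(pk(skA), pk(skB), k_('?i', pk(skB))))],
          ('event', eB(pk(skA), pk(skB), k_('?i', pk(skB)))))]
query = (eB('?x', '?y', '?z'), [[eA('?x', '?y', '?z')]])

def authentication_holds(solved):
    return check_correspondence(solved, *query) is None

# --- Section 2.2.5: phases (constructed key-compromise scenario) ---
def saturate(facts, clauses):
    """Ground forward chaining (a Datalog-style fixpoint on closed facts, not
    ProVerif's resolution with selection); clauses must be range-restricted."""
    facts = set(facts)
    while True:
        new = {subst(s, concl) for hyps, concl in clauses
               for s in match_all(hyps, facts, {})} - facts
        if not new:
            return facts
        facts |= new

def att(t, x): return ('attacker%d' % t, x)           # the attacker_t predicate
def senc(m, k): return ('senc', m, k)
kAB, k1, s, s2 = ('kAB',), ('k1',), ('s',), ('s2',)   # long-term key, session key, secrets
phase_clauses = [([att(t, senc('?m', '?k')), att(t, '?k')], att(t, '?m')) for t in (0, 1)]
phase_clauses.append(([att(0, '?x')], att(1, '?x')))  # (Rp): knowledge survives the phase change
# phase 0: s encrypted under kAB and s2 under k1 are observed; phase 1: kAB is published
observed = {att(0, senc(s, kAB)), att(0, senc(s2, k1)), att(1, kAB)}

def forward_secrecy_broken(secret):
    """True when attacker_1(secret) is derivable, i.e. the phase-0 secret leaks
    once the long-term key is published."""
    return att(1, secret) in saturate(observed, phase_clauses)
```

`authentication_holds(flawed)` is false because σ' maps `?y` to `pk(skB[ ])` on the conclusion but the only m-event hypothesis carries `pk(y')`, exactly the mismatch discussed in Example 2.3; `authentication_holds(fixed)` is true. In the phase scenario, `s` (sent under the long-term key) is derivable in phase 1 through (Rp) and decryption, while `s2` (sent under a session key that is never published) is not.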

2.2.6 Proofs of equivalences

Proving process equivalences is the proof method initially introduced with the spi calculus [AG99, AG98] and the applied pi calculus [AF01], in the setting of manual proofs. Intuitively, two processes are equivalent when the attacker cannot distinguish them. Since proving such equivalences is hard to automate, we have only considered some particular cases of equivalences that are easier to handle but still important in practice.

We first considered the proof of strong secrecy (in the case without equational theory) [Bla04a, Bla04b]: strong secrecy means that the attacker cannot distinguish two versions of the protocol that use different values of the secret. To prove strong secrecy, we reduce it to a trace property: we show that no test (destructor application, communication on a channel) that yields a different result for different values of the secret is reachable. We encode this reachability property with Horn clauses, using an additional predicate to test whether a unification succeeds for some values of the secret and not for others.

In collaboration with Martín Abadi and Cédric Fournet [BAF05, BAF08], we also considered a more general class of equivalences, whose proof is however also more costly: equivalences between two processes $P$ and $Q$ that differ only by the terms they contain. These equivalences are again proved by reduction to a trace property, on a process that represents both $P$ and $Q$. This idea extends the technique of Pottier and Simonet [PS02, Pot02] for information flow (without cryptography) to the case of cryptographic protocols.

More formally, the equivalence between the processes $P$ and $Q$ can be defined as follows. (This presentation is inspired by that of Mathieu Baudet's thesis [Bau07], in particular so as to match the semantics defined in Section 2.1.4, whereas our initial presentation [BAF05, BAF08] used a semantics with structural equivalence.)

Definition 2.6 Let $\mathit{Init}$ be a finite set of names (representing the initial knowledge of the attacker). We consider only configurations $C = E, \mathcal{P}$ such that $\mathit{Init} \subseteq E$.

We say that a configuration $C = E, \mathcal{P}$ outputs on $N$, written $C \downarrow_N$, if and only if there exist $M$ and $P$ such that $N\langle M\rangle.P \in \mathcal{P}$.

If $Q$ is an Init-attacker and $C = E, \mathcal{P}$ a configuration, we define $C \mid Q = E, \mathcal{P} \cup \{Q\}$.


Observational equivalence $\approx_{\mathit{Init}}$ is the largest symmetric relation $\mathcal{R}$ on configurations such that $C\ \mathcal{R}\ C'$ implies

1. for all $a \in \mathit{Init}$, if $C \downarrow_a$, then $C' \to^* \downarrow_a$;

2. if $C \to C_1$, then there exists $C'_1$ such that $C' \to^* C'_1$ and $C_1\ \mathcal{R}\ C'_1$;

3. for every Init-attacker $Q$, $(C \mid Q)\ \mathcal{R}\ (C' \mid Q)$.

We say that $P \approx_{\mathit{Init}} P'$ if and only if $\mathit{Init} \cup \mathit{fn}(P), \{P\} \approx_{\mathit{Init}} \mathit{Init} \cup \mathit{fn}(P'), \{P'\}$.

We first define observational equivalence on semantic configurations. Item 1 of this definition guarantees that, if a configuration $C$ outputs on a public channel, then so does $C'$; otherwise the attacker could distinguish them immediately. Item 2 expresses that the equivalence is preserved by reduction, while item 3 expresses that it is preserved in the presence of an Init-attacker. Finally, we define the equivalence of two processes from the equivalence on configurations. (The attacker's knowledge $\mathit{Init}$ is explicit here, by analogy with the definitions used for secrecy and correspondences, whereas, in most work on this subject, it corresponds to the free names of the processes.)

We now introduce a new calculus that represents pairs of processes differing only by the terms they contain, called biprocesses. The grammar of this calculus extends the grammar of Figure 2.1 with the additional case $\mathit{diff}[M, M']$ for terms. Init-attackers are processes without $\mathit{diff}$. Given a biprocess $P$, we define two processes $\mathit{fst}(P)$ and $\mathit{snd}(P)$ as follows: $\mathit{fst}(P)$ is obtained by replacing every occurrence of $\mathit{diff}[M, M']$ with $M$ in $P$, and $\mathit{snd}(P)$ is obtained by replacing $\mathit{diff}[M, M']$ with $M'$. We define $\mathit{fst}(M)$ and $\mathit{snd}(M)$ similarly. Our goal is to show that the processes $\mathit{fst}(P)$ and $\mathit{snd}(P)$ are observationally equivalent.

Definition 2.7 A closed biprocess $P$ satisfies Init-equivalence if and only if $\mathit{fst}(P) \approx_{\mathit{Init}} \mathit{snd}(P)$.

The semantics of biprocesses is defined as in Figure 2.3, except that the rules (Red I/O), (Red Destr 1) and (Red Destr 2) become the following:

$E, \mathcal{P} \cup \{N\langle M\rangle.Q,\ N'(x).P\} \to E, \mathcal{P} \cup \{Q,\ P\{M/x\}\}$ (Red I/O)
if $\mathit{fst}(N) = \mathit{fst}(N')$ and $\mathit{snd}(N) = \mathit{snd}(N')$

$E, \mathcal{P} \cup \{\mathit{let}\ x = g(M_1, \ldots, M_n)\ \mathit{in}\ P\ \mathit{else}\ Q\} \to E, \mathcal{P} \cup \{P\{\mathit{diff}[M, M']/x\}\}$ (Red Destr 1)
if $g(\mathit{fst}(M_1), \ldots, \mathit{fst}(M_n)) \to M$ and $g(\mathit{snd}(M_1), \ldots, \mathit{snd}(M_n)) \to M'$

$E, \mathcal{P} \cup \{\mathit{let}\ x = g(M_1, \ldots, M_n)\ \mathit{in}\ P\ \mathit{else}\ Q\} \to E, \mathcal{P} \cup \{Q\}$ (Red Destr 2)
if there is no $M$ such that $g(\mathit{fst}(M_1), \ldots, \mathit{fst}(M_n)) \to M$
and there is no $M'$ such that $g(\mathit{snd}(M_1), \ldots, \mathit{snd}(M_n)) \to M'$

Under this semantics, a biprocess $P$ reduces when its two components $\mathit{fst}(P)$ and $\mathit{snd}(P)$ reduce in the same way: a communication is executed when the channel is the same for both components; a destructor application succeeds (resp. fails) when it succeeds (resp. fails) for both components.

When the two components do not reduce in the same way, we say that the configuration $C = E, \mathcal{P}$ diverges, written $C \uparrow$ (terminology and notation from [Bau07]):

$E, \mathcal{P} \cup \{N\langle M\rangle.Q,\ N'(x).P\} \uparrow$ (Div I/O)
if $(\mathit{fst}(N) = \mathit{fst}(N')) \not\Leftrightarrow (\mathit{snd}(N) = \mathit{snd}(N'))$

$E, \mathcal{P} \cup \{\mathit{let}\ x = g(M_1, \ldots, M_n)\ \mathit{in}\ P\ \mathit{else}\ Q\} \uparrow$ (Div Destr)
if $(\exists M,\ g(\mathit{fst}(M_1), \ldots, \mathit{fst}(M_n)) \to M) \not\Leftrightarrow (\exists M',\ g(\mathit{snd}(M_1), \ldots, \mathit{snd}(M_n)) \to M')$


If no reachable configuration diverges, then the two components of the considered biprocess $P$ always reduce in the same way. In that case, the biprocess satisfies the equivalence, as shown by the following theorem:

Theorem 2.5 Let $P$ be a closed biprocess. If, for every Init-attacker $Q$, there is no configuration $C$ such that $\mathit{Init} \cup \mathit{fn}(P), \{P, Q\} \to^* C \uparrow$, then $P$ satisfies Init-equivalence.

Thanks to Theorem 2.5, it suffices to prove a trace property on biprocesses to obtain the equivalence. This condition is however not necessary: for instance, if $P \approx_{\mathit{Init}} P'$, the biprocess $\mathit{if}\ \mathit{diff}[\mathit{true}, \mathit{false}] = \mathit{true}\ \mathit{then}\ P\ \mathit{else}\ P'$ satisfies Init-equivalence, but Theorem 2.5 does not allow us to prove it (since this biprocess diverges immediately). The condition on biprocess traces is encoded into Horn clauses as before, but, to represent the semantics of biprocesses, we use, instead of $\mathit{attacker}(p)$ and $\mathit{message}(p, p')$, facts $\mathit{attacker}'(p_1, p_2)$ and $\mathit{message}'(p_1, p'_1, p_2, p'_2)$, where the components with index 1 correspond to $\mathit{fst}(P)$ and those with index 2 to $\mathit{snd}(P)$. The fact $\mathit{attacker}'(p_1, p_2)$ means that, by the same actions, the attacker obtains $p_1$ when interacting with $\mathit{fst}(P)$ and $p_2$ when interacting with $\mathit{snd}(P)$. The fact $\mathit{message}'(p_1, p'_1, p_2, p'_2)$ means that, by the same actions, $\mathit{fst}(P)$ sends the message $p'_1$ on the channel $p_1$ while $\mathit{snd}(P)$ sends the message $p'_2$ on the channel $p_2$. We also use the fact $\mathit{input}'(p_1, p_2)$ to express that an input on the channel $p_1$ may be executed by $\mathit{fst}(P)$ while $\mathit{snd}(P)$ executes an input on $p_2$ (which allows the attacker to test the equality of these channels with those used in an output). The predicate $\mathit{nounif}$, already mentioned in Section 2.2.2, expresses the failure of a destructor application. The desired trace property on biprocesses can thus be encoded into clauses and proved by resolution, which allows us to apply Theorem 2.5.

In his thesis [Bau07], Mathieu Baudet studied this method of proving process equivalence. In particular, he showed, in a setting similar to ours, the decidability of the hypothesis of Theorem 2.5 for processes without replication.

An important application of these equivalence proofs is the study of protocols that use weak secrets, such as passwords. These protocols are subject to guessing attacks, in which the attacker guesses the password (for instance by trying every word of a dictionary) and then checks that the guess is correct. This check can be done either online, by interacting with the protocol participants, which is simply prevented by limiting the number of allowed attempts, or offline, by computing on the intercepted messages without interacting with the other participants.

Offline guessing attacks can be modeled by combining the notion of observational equivalence, multi-phase scenarios (Section 2.2.5) and primitives defined by equations (Section 2.1.5), since, to protect against these attacks, it is often necessary that a possible decryption failure cannot be detected.

In phase 0, the attacker can interact with the protocol, but the weak secret $w$ is considered impossible to guess. In phase 1, the attacker guesses a value of the weak secret. The absence of offline guessing attacks is characterized by an equivalence: the attacker cannot distinguish the weak secret $w$ used in phase 0 from a fresh value $w'$.

Definition 2.8 Let $P$ be a closed process without phase prefix and $\mathit{Init}$ a set of names representing the initial knowledge of the attacker. We say that $P$ prevents offline guessing attacks against $w$ if $(\nu w)(0 : P \mid 1 : (\nu w')\,c\langle \mathit{diff}[w, w']\rangle)$ satisfies Init-equivalence.

We proved using ProVerif that the EKE [BM92] and Augmented EKE [BM93] protocols satisfy this property. This definition is in line with the work of Cohen, Corin et al., Delaune and Jacquemard, Drielsma et al., and Lowe [Low02, Coh02, CMAFE03, DJ04, CDE04, DMV05]. Lowe [Low02] uses the model checker FDR to handle a bounded number of sessions. Delaune and Jacquemard [DJ04] give a decision procedure for this case. Corin et al. [CDE04] give a definition based on an equivalence like ours, but do not consider the active first phase and analyze a single session.
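As an added example (not code from the thesis or from ProVerif), the following Python sketch implements the (Div Destr) rule on closed biterms and runs the phase-1 attacker's tests of Definition 2.8 against a constructed toy exchange: a nonce $n$ encrypted under the weak secret $w$, with the attacker's candidate modelled as $\mathit{diff}[w, w_2]$. The two cipher models (a failing `sdecrypt` destructor versus an ideal cipher given by the single equation $\mathit{sdec}(\mathit{senc}(m, k), k) = m$), the names `w`, `w2`, `n` and the finite list of attacker tests are assumptions of the example; ProVerif itself quantifies over every attacker test through the Horn-clause encoding.

```python
# Added example (not from the thesis or ProVerif): the (Div Destr) check of the
# biprocess semantics, applied to the attacker's phase-1 tests of Definition 2.8
# on a constructed toy exchange. A term is a tuple (symbol, args...); a name is
# nullary; ('diff', M, M2) stands for diff[M, M2].

def fst(t):
    """First projection of a biterm."""
    return fst(t[1]) if t[0] == 'diff' else (t[0],) + tuple(fst(a) for a in t[1:])

def snd(t):
    """Second projection of a biterm."""
    return snd(t[2]) if t[0] == 'diff' else (t[0],) + tuple(snd(a) for a in t[1:])

def normalize(t):
    """Equational model of an ideal cipher: sdec(senc(m, k), k) = m, and sdec on
    any other input stays a constructor term, so decryption never fails."""
    t = (t[0],) + tuple(normalize(a) for a in t[1:])
    if t[0] == 'sdec' and t[1][0] == 'senc' and t[1][2] == t[2]:
        return t[1][1]
    return t

# Destructors as partial functions on closed terms; None means "no rewrite rule applies".
DESTRUCTORS = {
    # sdecrypt(senc(m, k), k) -> m; a wrong key makes the destructor fail
    'sdecrypt': lambda c, k: c[1] if c[0] == 'senc' and c[2] == k else None,
    # equals(M, M) -> M, modulo the equational theory
    'equals':   lambda a, b: a if normalize(a) == normalize(b) else None,
}

def diverges(g, args):
    """(Div Destr): g(args) diverges when it succeeds on one projection and fails on the other."""
    ok1 = DESTRUCTORS[g](*[fst(a) for a in args]) is not None
    ok2 = DESTRUCTORS[g](*[snd(a) for a in args]) is not None
    return ok1 != ok2

# Constructed scenario: weak secret w, fresh w2, nonce n; the phase-1 attacker
# computes with the biterm diff[w, w2] in place of the password (Definition 2.8).
w, w2, n = ('w',), ('w2',), ('n',)
guess = ('diff', w, w2)

def scenario_failing_decryption():
    """c = senc(n, w) is public and decryption fails on a wrong key: the attacker
    checks whether the guessed key decrypts, and the biprocess diverges."""
    c = ('senc', n, w)
    return diverges('sdecrypt', [c, guess])

def scenario_ideal_cipher_fresh_nonce():
    """Ideal cipher, n unknown to the attacker: none of the listed tests diverges.
    (A real analysis must cover every attacker test; this covers only these three.)"""
    c = ('senc', n, w)
    d = ('sdec', c, guess)
    tests = [('equals', [d, d]), ('equals', [d, c]), ('equals', [d, guess])]
    return any(diverges(g, a) for g, a in tests)

def scenario_ideal_cipher_known_plaintext():
    """Ideal cipher but n is known: comparing the decryption with n is a
    redundancy check, and the guess is verified offline."""
    c = ('senc', n, w)
    return diverges('equals', [('sdec', c, guess), n])
```

The first and third scenarios are offline guessing attacks in the sense of Definition 2.8: the test succeeds with the real password and fails with the fresh value, so the attacker distinguishes them. The second one illustrates why the equational model matters: once decryption can no longer fail and the plaintext carries no redundancy the attacker knows, the tests give the same outcome on both sides.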

2.3 Results

The verifier ProVerif is available on the Internet at http://www.proverif.ens.fr/. It has been successfully applied to many protocols from the literature, to prove secrecy and authentication properties: flawed and corrected versions of the Needham-Schroeder public-key [NS78, Low96] and shared-key [NS78, BAN89, NS87] protocols, Woo-Lam public-key [WL92, WL97] and shared-key [WL92, AN95, AN96, WL97, GJ03], Denning-Sacco [DS81, AN96], Yahalom [BAN89], Otway-Rees [OR87, AN96, Pau98], Skeme [Kra96]. The only cases of non-termination concern some flawed versions of the shared-key Woo-Lam protocol. Each of the other protocols was verified in less than one second on a 1.8 GHz Pentium M [Bla08a].

Equivalence properties have also been used to prove strong secrecy in the corrected version of the Needham-Schroeder public-key protocol [Low96] and in the Otway-Rees [OR87], Yahalom [BAN89] and Skeme [Kra96] protocols, the security of the password-based protocols EKE [BM92] and Augmented EKE [BM93], and the authenticity of the Wide-Mouth-Frog protocol [AG99] (one-session version) [Bla04a, BAF08]. Running times range from less than one second to 15 s on these tests, on a 1.8 GHz Pentium M.

Moreover, it has also been used in more substantial case studies:

– In collaboration with Martín Abadi [AB05b], we applied it to the verification of a certified e-mail protocol [AGHP02]. We use correspondence properties to show that the receiver receives the message if and only if the sender has an acknowledgement of receipt. (We use simple manual arguments to take into account the fact that delivery of the sent messages is guaranteed.) One of the tested versions includes the transport layer of the SSH protocol to establish a secure channel. (Total running time: 6 min on a 1.8 GHz Pentium M.)

– In collaboration with Martín Abadi and Cédric Fournet [ABF07], we studied the JFK (Just Fast Keying) protocol [ABB+04], which was one of the candidates to replace IKE as the key exchange protocol of IPsec. We combine manual proofs with the use of ProVerif to prove correspondences and equivalences. (Total running time: 3 min on a 1.8 GHz Pentium M.)

– In collaboration with Avik Chaudhuri [BC08], we studied the secure file system Plutus [KRS+03] using ProVerif, which allowed us to discover and fix some weaknesses of the original paper.

Other authors have also used ProVerif to verify protocols or to build other tools:

– Karthik Bhargavan et al. [BFGP03, BFG04, BCFG04] used it to build the web services verification tool TulaFale: web services are protocols that exchange XML messages; TulaFale translates these protocols into ProVerif's input format and uses ProVerif to prove the desired security properties.

– Karthik Bhargavan et al. [BFGT06, BFG06, BFGS08] use ProVerif to verify protocol implementations written in F# (a functional language of Microsoft's .NET environment): a subset of F# sufficient to express cryptographic protocols is translated into ProVerif's input format.

– Kevin Lux et al. [LMBG05] designed a certified e-mail web service and verified the protocol using TulaFale.

– Steve Kremer and Mark Ryan [KR04] use ProVerif to determine whether a protocol makes it possible to mount a known-plaintext attack, or a chosen-plaintext or chosen-ciphertext attack, against an encryption primitive.


– Steve Kremer and Mark Ryan [KR05] also used it to verify an electronic voting protocol.

– Ran Canetti and Jonathan Herzog [CH06] use it to prove protocols in the computational model: they show that, for a restricted class of protocols that use only public-key encryption, a proof in the Dolev-Yao model implies security in the computational model, in the universal composability framework. Authentication is verified by correspondence properties, while key secrecy corresponds to strong secrecy.

– Himanshu Khurana and Hyung-Seok Hahm [KH06] proposed a new protocol for certified mailing lists and verified it with ProVerif.

– Jens Chr. Godskesen [God06] verified the ad hoc network routing protocol ARAN (Authenticated Routing for Ad hoc Networks).

– Michael Backes, Matteo Maffei and Dominique Unruh [BMU08] model zero-knowledge protocols in the applied pi calculus and use ProVerif to verify the DAA (Direct Anonymous Attestation) protocol. They showed the soundness of this model with respect to the computational model [BU08].

– Michael Backes, Catalin Hritcu and Matteo Maffei [BHM08] formalize the main properties of electronic voting protocols (that votes cannot be modified, that only registered voters can vote, and only once, and coercion resistance) so as to facilitate their automatic verification. They then use ProVerif to verify them.

2.4 Conclusion

The automatic protocol verifier ProVerif was designed to provide a good compromise between precision and efficiency, while guaranteeing the soundness of the proved security properties with respect to the considered protocol model, the Dolev-Yao model. It performs approximations, which are necessary to handle an unbounded number of sessions, but it remains extremely precise: it gives a relational analysis, in which the main approximation is forgetting the number of repetitions of each action. It can handle varied cryptographic primitives, defined by rewrite rules or by equations (even though some equational theories, such as that of exclusive or, cannot be handled), and prove varied security properties (secrecy, correspondences, some equivalences).

Its main limitations are that it does not always terminate (even though it terminates on the large class of tagged protocols and terminates most of the time in practice) and that it relies on the Dolev-Yao model, which is less realistic than the computational model. The verifier CryptoVerif, described in the next chapter, solves the latter problem by providing proofs valid in the computational model, but it is at a less advanced stage of development than ProVerif.


Chapter 3

Verification of protocols in the computational model

Contents

3.1 Game representation language . . . . . 40

3.2 Observational equivalence . . . . . 44

3.3 Game transformations . . . . . 44

3.3.1 Syntactic transformations . . . . . 44

3.3.2 Using the security assumptions on primitives . . . . . 45

3.4 Security properties . . . . . 49

3.4.1 Secrecy . . . . . 49

3.4.2 Correspondences . . . . . 50

3.5 Proof strategy . . . . . 52

3.6 Results . . . . . 53

3.7 Conclusion . . . . . 54

Ce chapitre presente le verificateur de protocoles CryptoVerif. La principale originalite dece verificateur est qu’il produit directement des preuves valides dans le modele calculatoire. Lespreuves produites sont des preuves par suites de jeux, comme celles utilisees d’habitude par lescryptographes dans des preuves manuelles. Comme indique dans la section 1.6, une preuve parjeux consiste en une suite de jeux dont le premier correspond au protocole a prouver. Chaqueautre jeu est obtenu a partir du precedent par des transformations telles que l’attaquant a uneprobabilite negligeable de distinguer deux jeux consecutifs. Dans le dernier jeu, l’attaquant aune probabilite negligeable de casser la propriete de securite a prouver, de par la forme memedu jeu, sans faire intervenir d’hypothese cryptographique. On en deduit alors que l’attaquant aune probabilite negligeable de casser la propriete souhaitee dans le jeu initial.

Games are formalized in a probabilistic polynomial-time process calculus designed to facilitate automatic proofs. Unlike the process calculi used in the formal model, this calculus provides no non-deterministic choice, which matters so as not to give the attacker the ability to guess secrets immediately. CryptoVerif provides a generic method for specifying the security assumptions of many cryptographic primitives, including public-key and shared-key encryption, signatures, message authentication codes and hash functions. It produces proofs valid for a number of sessions polynomial in the security parameter, in the presence of an active attacker. It can also evaluate the success probability of an attack as a function of the probability of breaking each cryptographic primitive and of the number of sessions. It can prove secrecy and correspondence properties. (The latter make it possible to verify authentication, as in the Dolev-Yao model.)


$M, N ::=$ terms
    $i$ replication index
    $x[M_1, \ldots, M_m]$ variable access
    $f(M_1, \ldots, M_m)$ function application

$Q ::=$ input processes
    $0$ nil process
    $Q \mid Q'$ parallel composition
    $!^{i \leq n} Q$ replication $n$ times
    $newChannel\; c;\; Q$ channel restriction
    $c[M_1, \ldots, M_l](x_1[\tilde{i}] : T_1, \ldots, x_k[\tilde{i}] : T_k);\; P$ input

$P ::=$ output processes
    $c[M_1, \ldots, M_l]\langle N_1, \ldots, N_k\rangle;\; Q$ output
    $new\; x[i_1, \ldots, i_m] : T;\; P$ random number
    $let\; x[i_1, \ldots, i_m] : T = M\; in\; P$ assignment
    $if\; defined(M_1, \ldots, M_l) \wedge M\; then\; P\; else\; P'$ conditional
    $find\; (\bigoplus_{j=1}^{m} u_{j1}[\tilde{i}] \leq n_{j1}, \ldots, u_{jm_j}[\tilde{i}] \leq n_{jm_j}\; suchthat\; defined(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\; then\; P_j)\; else\; P$ array lookup

Fig. 3.1 – Syntax of the process calculus

We first introduce the language used to represent protocols and the successive games of cryptographic proofs. We then formalize the notion of indistinguishability between two games, describe the game transformations used by CryptoVerif, and the security properties proved on the final game. We summarize the strategy used to organize the various game transformations, and the results obtained on example protocols.

3.1 The language for representing games

The syntax of the language is given in Figure 3.1. It was inspired by the pi calculus and by the process calculi of [LMMS98, LMMS99, MRST06] and [Lau05]. For simplicity, we illustrate the language on a very simple example protocol and refer the reader to [Bla08b] for a formal presentation.

We write $\eta$ for the security parameter, which determines in particular the length of keys. The language uses types $T$, which for each value of the security parameter correspond to a set of bit strings $I_\eta(T)$. A type $T$ is said to be of fixed length when $I_\eta(T)$ is the set of all bit strings of a given length (which may depend on $\eta$). A type $T$ is said to be large when $1/|I_\eta(T)|$ is negligible. ($f(\eta)$ is negligible when for every polynomial $q$ there exists $\eta_0 \in \mathbb{N}$ such that for all $\eta \geq \eta_0$, $f(\eta) \leq 1/q(\eta)$.) We use the types $bool$, with $I_\eta(bool) = \{true, false\}$ where $false = 0$ and $true = 1$; $bitstring$, with $I_\eta(bitstring)$ the set of all bit strings; and $bitstring_\bot$, with $I_\eta(bitstring_\bot)$ the set of all bit strings together with a special symbol $\bot$.

Cryptographic primitives and other mathematical functions are modelled by function symbols $f$. Each function symbol $f$ comes with a type declaration $f : T_1 \times \ldots \times T_m \to T$. For each value of $\eta$, $f$ corresponds to a function $I_\eta(f)$ from $I_\eta(T_1) \times \ldots \times I_\eta(T_m)$ to $I_\eta(T)$, computable in time polynomial in the length of its arguments and in $\eta$. For example, message authentication codes and symmetric encryption are represented by the functions defined below. These definitions use the following notation, standard in cryptography. If $S$ is a finite set, $x \xleftarrow{R} S$ picks an element uniformly at random in $S$ and stores it in $x$. If $A$ is a probabilistic algorithm, $x \leftarrow A(x_1, \ldots, x_m)$ denotes the experiment that picks random coins $r$ and stores in $x$ the result of running $A(x_1, \ldots, x_m)$ with coins $r$. Otherwise, $x \leftarrow M$ is a plain assignment.

Definition 3.1 Let $T_{mr}$, $T_{mk}$ and $T_{ms}$ be types corresponding respectively to random seeds, keys and message authentication codes; $T_{mr}$ is a fixed-length type. A message authentication code [BKR00] consists of three function symbols:

– $mkgen : T_{mr} \to T_{mk}$, where $I_\eta(mkgen) = mkgen_\eta$ is the key generation algorithm, which takes a random bit string as argument and returns a key. (Usually, $mkgen$ is probabilistic; here we separate the choice of random numbers from the computation, so $mkgen$ takes an additional argument representing the randomness.)

– $mac : bitstring \times T_{mk} \to T_{ms}$, where $I_\eta(mac) = mac_\eta$ is the MAC (message authentication code) algorithm, which takes a message and a key and returns the corresponding MAC. (We assume here that $mac$ is deterministic; a probabilistic MAC could easily be encoded by adding an extra argument, as for $mkgen$.)

– $check : bitstring \times T_{mk} \times T_{ms} \to bool$, where $I_\eta(check) = check_\eta$ is the verification algorithm, such that $check_\eta(m, k, t) = true$ if and only if $t$ is a valid MAC of the message $m$ under the key $k$. (Since $mac$ is deterministic, $check_\eta(m, k, t)$ is typically $mac_\eta(m, k) = t$.)

We have $\forall m \in I_\eta(bitstring), \forall r \in I_\eta(T_{mr}),\; check_\eta(m, mkgen_\eta(r), mac_\eta(m, mkgen_\eta(r))) = true$.

A MAC is UF-CMA (unforgeable under chosen message attacks) if and only if, for every polynomial $q$,
$$\max_A \Pr\left[r \xleftarrow{R} I_\eta(T_{mr});\; k \leftarrow mkgen_\eta(r);\; (m, t) \leftarrow A^{mac_\eta(\cdot, k),\, check_\eta(\cdot, k, \cdot)} : check_\eta(m, k, t)\right]$$
is negligible, where the adversary $A$ is any probabilistic Turing machine running in time $q(\eta)$, with access to the oracles $mac_\eta(\cdot, k)$ and $check_\eta(\cdot, k, \cdot)$, and $A$ has not called the oracle $mac_\eta(\cdot, k)$ on the message $m$.

Intuitively, when the MAC is UF-CMA, the attacker has a negligible probability of forging a MAC when it does not have the key $k$. Symmetric encryption is represented similarly.

Definition 3.2 Let $T_r$ and $T'_r$ be fixed-length types; let $T_k$ and $T_e$ be types. A symmetric encryption scheme [BDJR97] consists of three function symbols $kgen : T_r \to T_k$, $enc : bitstring \times T_k \times T'_r \to T_e$, and $dec : T_e \times T_k \to bitstring_\bot$, with $I_\eta(kgen) = kgen_\eta$, $I_\eta(enc) = enc_\eta$, $I_\eta(dec) = dec_\eta$, such that for all $m \in I_\eta(bitstring)$, $r \in I_\eta(T_r)$ and $r' \in I_\eta(T'_r)$,
$$dec_\eta(enc_\eta(m, kgen_\eta(r), r'), kgen_\eta(r)) = m.$$

Let $LR(x, y, b) = x$ if $b = 0$ and $LR(x, y, b) = y$ if $b = 1$, defined only when $x$ and $y$ are bit strings of the same length. A symmetric encryption scheme is IND-CPA (indistinguishable under chosen plaintext attacks) if and only if, for every polynomial $q$,
$$\max_A\; 2\Pr\left[b \xleftarrow{R} \{0,1\};\; r \xleftarrow{R} I_\eta(T_r);\; k \leftarrow kgen_\eta(r);\; b' \leftarrow A^{r' \xleftarrow{R} I_\eta(T'_r);\; enc_\eta(LR(\cdot, \cdot, b), k, r')} : b' = b\right] - 1$$
is negligible, where the adversary $A$ is any probabilistic Turing machine running in time $q(\eta)$, with access to the left-right encryption oracle which, given two bit strings $a_0$ and $a_1$ of the same length, returns $r' \xleftarrow{R} I_\eta(T'_r);\; enc_\eta(LR(a_0, a_1, b), k, r')$, that is, encrypts $a_0$ if $b = 0$ and $a_1$ if $b = 1$.

Intuitively, when the encryption scheme is IND-CPA, the attacker has a negligible probability of telling whether $a_0$ or $a_1$ was encrypted, when it does not have the key $k$.
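The two experiments above written out as runnable code, as an added example that is not part of the thesis. It instantiates Definitions 3.1 and 3.2 with concrete (assumed) primitives: HMAC-SHA256 stands in for $(mkgen, mac, check)$, and a counter-mode construction keyed through HMAC stands in for $(kgen, enc, dec)$, with the randomness $r$ and $r'$ passed explicitly as the definitions require. The adversary is an ordinary Python callable that receives the oracles; `uf_cma_experiment` enforces the side condition that the forged message was never queried to the MAC oracle, and `ind_cpa_experiment` enforces that $LR$ is only defined on equal-length inputs. None of this is CryptoVerif syntax.

```python
# Added example (not from the thesis): Definitions 3.1 and 3.2 and the
# UF-CMA / IND-CPA experiments as Python.  Assumed instantiations:
# HMAC-SHA256 for (mkgen, mac, check); an HMAC-based counter-mode stream for
# (kgen, enc, dec).  Randomness (r, r') is an explicit argument, as in the text.
import hashlib
import hmac
import secrets

ETA = 32          # security parameter eta, here a seed length in bytes
NONCE_LEN = 16    # length of r' (type T'_r), fixed-length as Definition 3.2 requires


# --- Definition 3.1: (mkgen, mac, check), mac deterministic -----------------
def mkgen(r: bytes) -> bytes:
    """Key generation from an explicit random seed r of type T_mr."""
    return hashlib.sha256(b"mkgen" + r).digest()


def mac(m: bytes, k: bytes) -> bytes:
    return hmac.new(k, m, hashlib.sha256).digest()


def check(m: bytes, k: bytes, t: bytes) -> bool:
    # mac is deterministic, so check(m, k, t) is simply mac(m, k) = t
    return hmac.compare_digest(mac(m, k), t)


# --- Definition 3.2: (kgen, enc, dec) with explicit coins r' -----------------
def kgen(r: bytes) -> bytes:
    return hashlib.sha256(b"kgen" + r).digest()


def keystream(k: bytes, nonce: bytes, n: int) -> bytes:
    """PRF_k(nonce || counter) blocks, truncated to n bytes."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(k, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enc(m: bytes, k: bytes, r2: bytes) -> bytes:
    """enc(m, k, r') = r' || (m XOR keystream); r' must be fresh per call."""
    assert len(r2) == NONCE_LEN
    return r2 + bytes(a ^ b for a, b in zip(m, keystream(k, r2, len(m))))


def dec(c: bytes, k: bytes):
    """Returns the plaintext, or None (the symbol bottom) if c is malformed."""
    if len(c) < NONCE_LEN:
        return None
    r2, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(k, r2, len(body))))


# --- UF-CMA experiment: A gets mac(., k) and check(., k, .); it wins only with
#     a valid tag on a message it never submitted to the mac oracle ------------
def uf_cma_experiment(adversary) -> bool:
    k = mkgen(secrets.token_bytes(ETA))
    queried = set()

    def mac_oracle(m: bytes) -> bytes:
        queried.add(m)
        return mac(m, k)

    def check_oracle(m: bytes, t: bytes) -> bool:
        return check(m, k, t)

    m, t = adversary(mac_oracle, check_oracle)
    return m not in queried and check(m, k, t)


# --- IND-CPA experiment: left-right oracle enc(LR(a0, a1, b), k, r') with a
#     fresh r' per call; A outputs a guess b', and wins when b' = b -----------
def ind_cpa_experiment(adversary) -> bool:
    b = secrets.randbelow(2)
    k = kgen(secrets.token_bytes(ETA))

    def lr_oracle(a0: bytes, a1: bytes) -> bytes:
        if len(a0) != len(a1):   # LR is defined only on equal-length inputs
            raise ValueError("LR oracle: inputs must have equal length")
        return enc(a1 if b == 1 else a0, k, secrets.token_bytes(NONCE_LEN))

    return adversary(lr_oracle) == b
```

The experiments return a single win/loss outcome; the advantage of Definition 3.2 is the quantity $2\Pr[\text{win}] - 1$ over many independent runs, which is what the `max_A` ranges over. The length check in the LR oracle is not a detail: without it, an adversary could tell $b$ from the ciphertext length alone, which is exactly why $Z$ in (enceq) later preserves the length of its argument.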

Using the MAC and encryption primitives, one can build the following very simple protocol:
$$A \to B : e,\; mac(e, x_{mk}) \quad \text{where } e = enc(x'_k, x_k, x''_r) \text{ and } x''_r, x'_k \text{ are fresh random numbers}$$
$A$ and $B$ are assumed to share a symmetric encryption key $x_k$ and a MAC key $x_{mk}$. $A$ creates a fresh key $x'_k$ and sends it to $B$ encrypted under $x_k$. A MAC is appended to the message to guarantee its integrity. The goal of the protocol is for $x'_k$ to be a secret key shared between $A$ and $B$.

This protocol can be modelled in our language by the following process $Q_0$:
$$\begin{array}{rl}
Q_0 = & start();\; new\; x_r : T_r;\; let\; x_k : T_k = kgen(x_r)\; in \\
& new\; x'_r : T_{mr};\; let\; x_{mk} : T_{mk} = mkgen(x'_r)\; in\; c\langle\rangle;\; (Q_A \mid Q_B) \\
Q_A = & !^{i \leq n} c_A[i]();\; new\; x'_k : T_k;\; new\; x''_r : T'_r; \\
& let\; x_m : bitstring = enc(k2b(x'_k), x_k, x''_r)\; in\; c_A[i]\langle x_m, mac(x_m, x_{mk})\rangle \\
Q_B = & !^{i' \leq n} c_B[i'](x'_m, x_{ma});\; if\; check(x'_m, x_{mk}, x_{ma})\; then \\
& let\; i_\bot(k2b(x''_k)) = dec(x'_m, x_k)\; in\; c_B[i']\langle\rangle
\end{array}$$

The process $Q_0$ is assumed to run in the presence of an attacker, which also models the network. $Q_0$ first waits for a message sent by the attacker on the channel $start$, via the input $start()$. It then picks a random number $x_r$ uniformly distributed in $T_r$, by the construct $new\; x_r : T_r$. It computes the encryption key $x_k$ from this random number with the key generation algorithm $kgen$. The MAC key $x_{mk}$ is chosen similarly. Then $Q_0$ outputs an empty message on channel $c$; after sending this message, control passes to the process that receives the message, which is part of the attacker.

Several processes then become available, defined by $Q_A \mid Q_B$; these processes represent the roles of $A$ and $B$ in the protocol. The process $Q_A \mid Q_B$ is the parallel composition of $Q_A$ and $Q_B$; it makes available simultaneously the processes defined in $Q_A$ and in $Q_B$. Since the calculus is purely probabilistic, this parallel composition differs from that of the process calculi used in the formal model: there is no preemption between processes; control changes process only at communications, where it passes from the sender of the message to its receiver. Let $Q'_A$ and $Q'_B$ be such that $Q_A = !^{i \leq n} Q'_A$ and $Q_B = !^{i' \leq n} Q'_B$. The replication $!^{i \leq n} Q'_A$ represents $n$ copies of the process $Q'_A$, indexed by the replication index $i$. (The symbol $n$ corresponds to an integer $I_\eta(n)$ for each value of the security parameter $\eta$; $I_\eta(n)$ is polynomial in $\eta$.) The process $Q'_A$ begins with an input on channel $c_A[i]$: the channel is indexed by $i$ so that the attacker can choose which copy of $Q'_A$ it sends the message to. The situation is similar for $Q'_B$. The attacker can thus run each copy of $Q'_A$ or $Q'_B$ by sending a message on the appropriate channel $c_A[i]$ or $c_B[i']$.

After receiving a message on $c_A[i]$, $Q'_A$ randomly chooses a fresh key $x'_k$ and random coins $x''_r$ used by the encryption algorithm. It then encrypts the key $x'_k$ under the key $x_k$ and stores the result in $x_m$. The variable $x'_k$ has type $T_k$, the type of keys, whereas the encryption algorithm expects an arbitrary bit string, of type $bitstring$. A function $k2b$ is therefore used to convert data of type $T_k$ into data of type $bitstring$: $k2b$ is the natural injection from $T_k$ into $bitstring$. It is poly-injective, that is, injective and with an inverse computable in polynomial time. Finally, $Q'_A$ sends on channel $c_A[i]$ the message made of $x_m$ and its MAC under $x_{mk}$, as specified in the protocol. Control then passes to the process that receives this message, which is part of the attacker. This process is expected to forward the message to $Q'_B$ on channel $c_B[i']$, but it may also act differently in order to attack the protocol.


The process $Q'_B$ waits for the message $x'_m, x_{ma}$ on channel $c_B[i']$. When it receives this message, it checks with the function $check$ that the MAC $x_{ma}$ is a correct MAC of $x'_m$ and, if so, decrypts $x'_m$ with the key $x_k$. Decryption returns the special symbol $\bot$ when it fails, and a bit string of type $bitstring$ when it succeeds. The function $i_\bot$ is the natural injection from $bitstring$ into $bitstring_\bot$, so that when $i_\bot(x) = dec(x'_m, x_k)$, decryption succeeded and the plaintext is $x$. The value $x$ of type $bitstring$ is converted to type $T_k$ using the inverse of $k2b$, provided $x$ is indeed of type $T_k$, that is, $x$ is of the form $k2b(x''_k)$. Then $x''_k$ normally contains a key $x'_k$ chosen by $A$. We will aim to show that this key $x''_k$ remains secret, that is, that the attacker cannot distinguish it from a random key. The process $Q'_B$ ends by sending an empty message on $c_B[i']$ to hand control back to the attacker.

In this calculus, all variables defined under a replication are implicitly arrays. For example, the variable $x_m$ defined under the replication $!^{i \leq n}$ is implicitly an array indexed by $i$: $x_m$ abbreviates $x_m[i]$. Likewise, $x'_k$, $x''_r$, $x'_m$, $x_{ma}$, $x''_k$ abbreviate respectively $x'_k[i]$, $x''_r[i]$, $x'_m[i']$, $x_{ma}[i']$, $x''_k[i']$. Arrays make it possible to remember all values of variables across the various copies of the processes, so that the whole state of the system is kept in memory. In our calculus, arrays replace the lists often used by cryptographers in their proofs. For example, in the proof, the messages whose MAC has been computed under $x_{mk}$ would be stored in a list, and the unforgeability of MACs would show that if MAC verification succeeds, then the message in question is in this list. In our calculus, these messages are stored in the array $x_m$. Our calculus also includes an array lookup construct: $find\; u_1 \leq n_1, \ldots, u_m \leq n_m\; suchthat\; defined(M_1, \ldots, M_l) \wedge M\; then\; P\; else\; P'$ looks for indices $u_1, \ldots, u_m$ such that $M_1, \ldots, M_l$ are defined and $M$ is true. When such indices are found, $P$ is executed, otherwise $P'$ is executed. For example, $find\; u \leq n\; suchthat\; defined(x_m[u]) \wedge x_m[u] = N\; then\; P$ looks for an index $u$ such that $x_m[u]$ is defined and equal to $N$. This construct generalizes to $find$ with several branches. We write $\tilde{i}$ for a tuple $i_1, \ldots, i_m$. Ordering and array indices on tuples are taken componentwise, so that for example $u_{j1}[\tilde{i}] \leq n_{j1}, \ldots, u_{jm_j}[\tilde{i}] \leq n_{jm_j}$ is sometimes abbreviated $\tilde{u}_j[\tilde{i}] \leq \tilde{n}_j$. The construct $find\; (\bigoplus_{j=1}^{m} u_{j1}[\tilde{i}] \leq n_{j1}, \ldots, u_{jm_j}[\tilde{i}] \leq n_{jm_j}\; suchthat\; defined(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\; then\; P_j)\; else\; P$ looks for a branch $j \in [1, m]$ such that there exist values of $u_{j1}, \ldots, u_{jm_j}$ for which $M_{j1}, \ldots, M_{jl_j}$ are defined and $M_j$ is true. On success, $P_j$ is executed. (If there are several choices, they are executed with equal probability.) When all branches fail, $P$ is executed. Here, the $find$ construct does not appear in the initial game, but is introduced by game transformations.

Finally, our calculus includes one more construct, the restriction $newChannel\; c;\; Q$, which restricts the scope of channel $c$ to the process $Q$; the channel $c$ is then private.

As detailed in [Bla08b], a process must be well-formed: this condition implies that bit strings have the expected type and that arrays are used correctly (each array cell is assigned at most once, and variables are read only after having been initialized). CryptoVerif checks that the initial process is well-formed, and the game transformations used preserve well-formedness.

The semantics of processes is defined formally by a probabilistic reduction relation (see [Bla08b, Appendix B]). All processes of our calculus run in probabilistic polynomial time. We write $\Pr[Q \leadsto_\eta c\langle a\rangle]$ for the probability that the process $Q$ outputs the bit string $a$ on channel $c$ during its execution. A context is a process with a hole $[\,]$. An evaluation context $C$ is a context built from $[\,]$, $newChannel\; c;\; C$, $Q \mid C$ and $C \mid Q$. Evaluation contexts are used to represent the attacker. We write $C[Q]$ for the process obtained by replacing the hole $[\,]$ of $C$ with the process $Q$. We write $var(Q)$ for the set of variables of $Q$; the notation $var(\cdot)$ is also used for contexts and terms. We write $fc(Q)$ for the set of free (non-restricted) channels of $Q$.

3.2 Observational equivalence

Informally, two processes are observationally equivalent when the attacker has a negligible probability of distinguishing them. Our definition of observational equivalence is adapted from the definitions for earlier calculi such as [MRST06].

Definition 3.3 (Observational equivalence) Let $Q$ and $Q'$ be two processes and $V$ a set of variables. Assume that $Q$ and $Q'$ are well-formed and that the variables of $V$ are defined in $Q$ and $Q'$, with the same types.

An evaluation context $C$ is said to be acceptable for $Q$, $Q'$, $V$ if and only if $var(C) \cap (var(Q) \cup var(Q')) \subseteq V$ and $C[Q]$ is well-formed. (Then so is $C[Q']$.)

We say that $Q$ and $Q'$ are observationally equivalent with public variables $V$, written $Q \approx^V Q'$, if and only if, for every evaluation context $C$ acceptable for $Q$, $Q'$, $V$, every channel $c$ and every bit string $a$, $|\Pr[C[Q] \leadsto_\eta c\langle a\rangle] - \Pr[C[Q'] \leadsto_\eta c\langle a\rangle]|$ is negligible.

Intuitively, the goal of the attacker represented by the context $C$ is to distinguish $Q$ from $Q'$. When it succeeds, it performs a different output, for instance $c\langle 0\rangle$ when it has recognized $Q$ and $c\langle 1\rangle$ when it has recognized $Q'$. When $Q \approx^V Q'$, the context has a negligible probability of distinguishing $Q$ from $Q'$.

The unusual condition on the variables of $C$ comes from the presence of arrays and of the associated $find$ construct, which gives $C$ direct access to the variables of $Q$ and $Q'$: the context $C$ is allowed to access the variables of $Q$ and $Q'$ only when they are in $V$. The following result is easy to prove:

Lemma 3.1 $\approx^V$ is an equivalence relation, and $Q \approx^V Q'$ implies $C[Q] \approx^{V'} C[Q']$ for every evaluation context $C$ acceptable for $Q$, $Q'$, $V$ and every $V' \subseteq V \cup (var(C) \setminus (var(Q) \cup var(Q')))$.

We write $Q \approx^V_0 Q'$ for the particular case in which, for every evaluation context $C$ acceptable for $Q$, $Q'$, $V$, every channel $c$ and every bit string $a$, $\Pr[C[Q] \leadsto_\eta c\langle a\rangle] = \Pr[C[Q'] \leadsto_\eta c\langle a\rangle]$. When $V$ is empty, we write $Q \approx Q'$ instead of $Q \approx^V Q'$ and $Q \approx_0 Q'$ instead of $Q \approx^V_0 Q'$.

Starting from a process $Q_0$ corresponding to the protocol to prove, CryptoVerif builds a sequence of observationally equivalent processes $Q_0 \approx^V Q_1 \approx^V \ldots \approx^V Q_m$, using the game transformations summarized in the next section. By transitivity of $\approx^V$, $Q_0 \approx^V Q_m$, so by proving a security property on $Q_m$ one can conclude that this property still holds (up to negligible probability) on $Q_0$.

3.3 Game transformations

In this section, we describe the game transformations that turn the process representing the initial protocol into a process on which the desired security property can be proved directly, by the criteria given in Section 3.4. These transformations are parameterized by the set $V$ of variables that the context may access. They transform a process $Q_0$ into a process $Q'_0$ such that $Q_0 \approx^V Q'_0$.

3.3.1 Syntactic transformations

RemoveAssign($x$): removal of assignments to $x$. When $x$ is defined by an assignment $let\; x[i_1, \ldots, i_l] : T = M\; in\; P$, $x$ is replaced by its value $M$. This transformation is not entirely obvious when $x$ is accessed through $find$: if $x$ has several definitions, one does not know which one is concerned, so the replacement is not possible for those accesses to $x$. One must also take care to respect the semantics of $defined$ conditions, and to preserve the invariant that whenever a variable is accessed, it is certainly defined, either because, syntactically, it was defined earlier with the same indices, or because the access is guarded by a suitable $defined$ condition.

Example 3.1 In the process of Section 3.1, the transformation RemoveAssign($x_{mk}$) replaces $x_{mk}$ with $mkgen(x'_r)$ throughout the process and removes the assignment $let\; x_{mk} : T_{mk} = mkgen(x'_r)$. After this replacement, $mac(x_m, x_{mk})$ becomes $mac(x_m, mkgen(x'_r))$ and $check(x'_m, x_{mk}, x_{ma})$ becomes $check(x'_m, mkgen(x'_r), x_{ma})$, which brings out the terms required in Section 3.3.2. The situation is similar for RemoveAssign($x_k$).

SArename($x$): renaming of $x$ so that it has a single assignment (single assignment rename). This transformation renames variables so that they have a single definition in the game; this is useful to distinguish cases according to which definition of $x$ defined $x[\tilde{i}]$. It is applied only when $x \notin V$. When $x$ has $m > 1$ definitions, each definition of $x$ is renamed to a distinct variable $x_1, \ldots, x_m$. For accesses to the array $x$, a lookup in the array $x$ is replaced by lookups in the arrays $x_1, \ldots, x_m$.

Simplify: simplification. The game simplification procedure is fairly complex. The main idea is to collect all equalities that hold at each program point, then to use an equational prover based on an algorithm close to Knuth-Bendix completion [KB70] to derive further equalities and simplify the game. The collected equalities include:

– User-defined equations, of the form $\forall x_1 : T_1, \ldots, \forall x_m : T_m,\; M$, meaning that $M$ is true for all $x_1, \ldots, x_m$ of types $T_1, \ldots, T_m$. For example, for the MAC and encryption schemes of Definitions 3.1 and 3.2, we have:
$$\forall r : T_{mr}, \forall m : bitstring,\; check(m, mkgen(r), mac(m, mkgen(r))) = true \qquad (mac)$$
$$\forall m : bitstring, \forall r : T_r, \forall r' : T'_r,\; dec(enc(m, kgen(r), r'), kgen(r)) = i_\bot(m) \qquad (enc)$$
The poly-injectivity of the function $k2b$ of the example of Section 3.1 is expressed by
$$\forall x : T_k, \forall y : T_k,\; (k2b(x) = k2b(y)) = (x = y) \qquad\quad \forall x : T_k,\; k2b^{-1}(k2b(x)) = x \qquad (k2b)$$
where $k2b^{-1}$ is a function symbol representing the inverse of $k2b$. Similar formulas hold for $i_\bot$.

– Equations that come from the process. For example, in the process $if\; M\; then\; P\; else\; P'$, we have $M = true$ in $P$ and $M = false$ in $P'$.

– The low probability of collisions between random numbers. For example, when $x$ is defined by $new\; x : T$ and $T$ is a large type, $x[M_1, \ldots, M_m] = x[M'_1, \ldots, M'_m]$ implies $M_1 = M'_1, \ldots, M_m = M'_m$ up to negligible probability.

The prover combines these properties to simplify terms, and uses the simplified terms to simplify processes. For example, if $M$ simplifies to $true$, then $if\; M\; then\; P\; else\; P'$ simplifies to $P$. Likewise, a branch of $find$ is removed when its condition simplifies to $false$.

Details on the simplification procedure can be found in [Bla08b, Appendix C], and the proof of the following proposition in [Bla08b, Appendix E.1].

Proposition 3.1 Let $Q_0$ be a well-formed process and $Q'_0$ the process obtained from $Q_0$ by one of the transformations above. Then $Q'_0$ is well-formed and $Q_0 \approx^V Q'_0$.

3.3.2 Using the security assumptions on primitives

The security of cryptographic primitives is defined using observational equivalences given as axioms. This formalism makes it possible to specify many primitives generically. These equivalences are then used by the prover to transform a game into another observationally equivalent game, as explained below.

The assumptions on cryptographic primitives are specified using equivalences of the form $(G_1, \ldots, G_m) \approx (G'_1, \ldots, G'_m)$, where $G$ is defined by the following grammar, with $l \geq 0$ and $m \geq 1$:

$G ::=$ group of functions
    $!^{i \leq n} new\; y_1 : T_1; \ldots; new\; y_l : T_l;\; (G_1, \ldots, G_m)$ replication, restrictions
    $(x_1 : T_1, \ldots, x_l : T_l) \to FP$ function

$FP ::=$ functional process
    $M$ term
    $new\; x[\tilde{i}] : T;\; FP$ random number
    $let\; x[\tilde{i}] : T = M\; in\; FP$ assignment
    $find\; (\bigoplus_{j=1}^{m} \tilde{u}_j[\tilde{i}] \leq \tilde{n}_j\; suchthat\; defined(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\; then\; FP_j)\; else\; FP$ array lookup

Intuitively, $(x_1 : T_1, \ldots, x_l : T_l) \to FP$ represents a function that takes as arguments values $x_1, \ldots, x_l$ of types $T_1, \ldots, T_l$ and returns a result computed by $FP$. The observational equivalence $(G_1, \ldots, G_m) \approx (G'_1, \ldots, G'_m)$ expresses that the attacker has a negligible probability of distinguishing the functions on the left-hand side from the corresponding functions on the right-hand side. Formally, functions can be encoded as processes that receive their arguments and return their result on channels [Bla08b, Section 3.2]. For simplicity, we identify functions with their encoding as processes here.

For example, the security of a MAC (Definition 3.1) is represented by the equivalence $L \approx R$ where
$$\begin{array}{rl}
L = & !^{i'' \leq n''} new\; r : T_{mr};\; ( \\
& \quad !^{i \leq n} (x : bitstring) \to mac(x, mkgen(r)), \\
& \quad !^{i' \leq n'} (m : bitstring, ma : T_{ms}) \to check(m, mkgen(r), ma)) \\[4pt]
R = & !^{i'' \leq n''} new\; r : T_{mr};\; ( \\
& \quad !^{i \leq n} (x : bitstring) \to mac'(x, mkgen'(r)), \\
& \quad !^{i' \leq n'} (m : bitstring, ma : T_{ms}) \to \\
& \qquad find\; u \leq n\; suchthat\; defined(x[u]) \wedge (m = x[u]) \\
& \qquad\quad \wedge\; check'(m, mkgen'(r), ma)\; then\; true\; else\; false)
\end{array} \qquad (maceq)$$

where $mac'$, $check'$ and $mkgen'$ are function symbols of the same types as $mac$, $check$ and $mkgen$ respectively. (Different function symbols are used on the left- and right-hand sides only to prevent repeated application of the transformation induced by this equivalence: otherwise, the right-hand side would be an instance of the left-hand side and the transformation could be repeated indefinitely. Since we add these function symbols, we also add the equation
$$\forall r : T_{mr}, \forall m : bitstring,\; check'(m, mkgen'(r), mac'(m, mkgen'(r))) = true \qquad (mac')$$
which repeats (mac) for $mac'$, $check'$ and $mkgen'$.) Intuitively, the equivalence $L \approx R$ leaves MAC computations unchanged (ignoring the use of primed function symbols in $R$), and allows replacing the MAC verification $check(m, mkgen(r), ma)$ with a lookup in the array $x$ of messages whose MAC was computed with the key $mkgen(r)$: if $m$ is found in the array $x$ and $check(m, mkgen(r), ma)$ holds, $true$ is returned; otherwise, verification fails (up to negligible probability), so $false$ is returned. (If verification succeeded while $m$ is not in the array $x$, the attacker would have forged a MAC.) Of course, the form of $L$ requires that $r$ be used only to compute or verify MACs, for the equivalence to be correct. Formally, the following result shows the correctness of our modelling. It is a fairly direct consequence of Definition 3.1, and is proved in [Bla08b, Appendix E.3].

Proposition 3.2 If $(mkgen, mac, check)$ is a UF-CMA message authentication code, $I_\eta(mkgen') = I_\eta(mkgen)$, $I_\eta(mac') = I_\eta(mac)$ and $I_\eta(check') = I_\eta(check)$, then $L \approx R$.

Similarly, if $(kgen, enc, dec)$ is a symmetric encryption scheme (Definition 3.2), we have the following equivalence:
$$\begin{array}{l}
!^{i' \leq n'} new\; r : T_r;\; !^{i \leq n} (x : bitstring) \to new\; r' : T'_r;\; enc(x, kgen(r), r') \\
\approx\; !^{i' \leq n'} new\; r : T_r;\; !^{i \leq n} (x : bitstring) \to new\; r' : T'_r;\; enc'(Z(x), kgen'(r), r')
\end{array} \qquad (enceq)$$
where $enc'$ and $kgen'$ are function symbols of the same types as $enc$ and $kgen$ respectively, and $Z : bitstring \to bitstring$ is a function that returns a bit string consisting only of zeros and of the same length as its argument. Using equations such as $\forall x : T,\; Z(T2b(x)) = Z_T$, one can prove that $Z(T2b(x))$ does not depend on $x$ when $x$ is of a fixed-length type and $T2b : T \to bitstring$ is the natural injection. The equivalence (enceq) intuitively expresses that one can replace (up to negligible probability) the encryption of $x$ with the encryption of $Z(x)$, a bit string of the same length as $x$. The representation of other cryptographic primitives in CryptoVerif can be found in [Bla08b, Appendix D.3], as well as in [BP06, BJST08]. The equivalences that formalize the security assumptions on primitives are designed and proved correct manually from security assumptions in a more standard form, as in the MAC example. These manual proofs are done only once per primitive, and the resulting equivalence can be reused to prove many protocols automatically.

These equivalences $L \approx R$ are used to transform a process $Q_0$ observationally equivalent to $C[L]$ into a process $Q'_0$ observationally equivalent to $C[R]$, for some context $C$. To detect that $Q_0 \approx^V_0 C[L]$, CryptoVerif uses sufficient syntactic conditions. Essentially, one must show that all uses of the secret variables of $L$ can be encoded as calls to the functions of $L$. In the MAC example, all uses of $r$ must be encoded as calls to the MAC and verification functions (oracles). Formally, these conditions are rather complex and are detailed in [Bla08b, Section 3.2 and Appendix D.1]. Once this check is done, the process $Q_0$ is transformed into $Q'_0$, essentially by replacing the calls to the functions of $L$ with calls to the corresponding functions of $R$. Since $L \approx R$, by Lemma 3.1 we have $C[L] \approx^V C[R]$, so we obtain $Q_0 \approx^V_0 C[L] \approx^V C[R] \approx^V_0 Q'_0$. The following result is proved in [Bla08b, Appendix E.4]; it shows the correctness of the transformation.

Proposition 3.3 Let $Q_0$ be a well-formed process and $Q'_0$ the process obtained from $Q_0$ by the transformation above. Then $Q'_0$ is well-formed and, if $L \approx R$, then $Q_0 \approx^V Q'_0$.

Exemple 3.2 Pour traiter l’exemple de la section 3.1, on donne a CryptoVerif en entree l’in-dication que Tmr, Tr, T

′r et Tk sont des types a longueur fixee ; les declarations de types pour

les fonctions mkgen,mkgen′ : Tmr → Tmk, mac,mac′ : bitstring × Tmk → Tms, check, check′ :bitstring × Tmk × Tms → bool , kgen, kgen′ : Tr → Tk, enc, enc′ : bitstring × Tk × T

′r → Te, dec :

Te × Tk → bitstring⊥, k2b : Tk → bitstring , i⊥ : bitstring → bitstring⊥, Z : bitstring → bitstringet la constante Zk : bitstring ; les equations (mac), (mac′), (2.1) et ∀x : Tk,Z(k2b(x)) = Zk (quiexprime que toutes les cles ont la meme longueur) ; l’indication que k2b et i⊥ sont poly-injectives(qui cree les equations (k2b) et des equations similaires pour i⊥) ; les equivalences L ≈ R pourle MAC (maceq) et le chiffrement (enceq) ; et le processus Q0 de la section 3.1.


CryptoVerif first applies RemoveAssign($x_{mk}$) to the process $Q_0$, as described in Example 3.1. The process is then transformed using the security of the MAC. We obtain the following process $Q'_0$:

$$
\begin{array}{l}
Q'_0 = start();\ \mathsf{new}\ x_r : T_r;\ \mathsf{let}\ x_k : T_k = kgen(x_r)\ \mathsf{in}\ \mathsf{new}\ x'_r : T_{mr};\ c\langle\rangle;\ (Q'_A \mid Q'_B)\\[4pt]
Q'_A = !^{i \le n} c_A[i]();\ \mathsf{new}\ x'_k : T_k;\ \mathsf{new}\ x''_r : T'_r;\ \mathsf{let}\ x_m : bitstring = enc(k2b(x'_k), x_k, x''_r)\ \mathsf{in}\\
\qquad c_A[i]\langle x_m, mac'(x_m, mkgen'(x'_r))\rangle\\[4pt]
Q'_B = !^{i' \le n} c_B[i'](x'_m, x_{ma});\\
\qquad \mathsf{find}\ u \le n\ \mathsf{suchthat}\ \mathsf{defined}(x_m[u]) \wedge x'_m = x_m[u] \wedge check'(x'_m, mkgen'(x'_r), x_{ma})\ \mathsf{then}\\
\qquad\quad (\mathsf{if}\ true\ \mathsf{then}\ \mathsf{let}\ i_\bot(k2b(x''_k)) = dec(x'_m, x_k)\ \mathsf{in}\ c_B[i']\langle\rangle)\\
\qquad \mathsf{else}\\
\qquad\quad (\mathsf{if}\ false\ \mathsf{then}\ \mathsf{let}\ i_\bot(k2b(x''_k)) = dec(x'_m, x_k)\ \mathsf{in}\ c_B[i']\langle\rangle)
\end{array}
$$

The initial definition of $x'_r$ is removed and replaced by a new definition, still called $x'_r$. The term $mac(x_m, mkgen(x'_r))$ is replaced by $mac'(x_m, mkgen'(x'_r))$. The term $check(x'_m, mkgen(x'_r), x_{ma})$ becomes $\mathsf{find}\ u \le n\ \mathsf{suchthat}\ \mathsf{defined}(x_m[u]) \wedge x'_m = x_m[u] \wedge check'(x'_m, mkgen'(x'_r), x_{ma})\ \mathsf{then}\ true\ \mathsf{else}\ false$, which yields $Q'_B$ once the functions have been transformed into processes. The process looks up the message $x'_m$ in the array $x_m$, which contains the messages whose MAC was computed with the key $mkgen(x'_r)$. If the MAC of $x'_m$ has never been computed, the check always fails (it returns $false$) by definition of the security of the MAC (up to negligible probability). Otherwise, it returns $true$ when $check'(x'_m, mkgen'(x'_r), x_{ma})$ holds.

After applying Simplify, $Q'_A$ is unchanged and $Q'_B$ becomes

$$
\begin{array}{l}
Q''_B = !^{i' \le n} c_B[i'](x'_m, x_{ma});\\
\qquad \mathsf{find}\ u \le n\ \mathsf{suchthat}\ \mathsf{defined}(x_m[u], x'_k[u]) \wedge x'_m = x_m[u] \wedge check'(x'_m, mkgen'(x'_r), x_{ma})\ \mathsf{then}\\
\qquad\quad \mathsf{let}\ x''_k : T_k = x'_k[u]\ \mathsf{in}\ c_B[i']\langle\rangle
\end{array}
$$

First, the tests $\mathsf{if}\ true\ \mathsf{then}\ \ldots$ and $\mathsf{if}\ false\ \mathsf{then}\ \ldots$ are simplified. The term $dec(x'_m, x_k)$ is simplified knowing that $x'_m = x_m[u]$ by the condition of the find, $x_m[u] = enc(k2b(x'_k[u]), x_k, x''_r[u])$ by the assignment that defines $x_m$, $x_k = kgen(x_r)$ by the assignment that defines $x_k$, and $dec(enc(m, kgen(r), r'), kgen(r)) = i_\bot(m)$ by (2.1). Hence $dec(x'_m, x_k) = i_\bot(k2b(x'_k[u]))$. By injectivity of $i_\bot$ and $k2b$, the assignment to $x''_k$ simply becomes $x''_k = x'_k[u]$, using the equations $\forall x : bitstring, i_\bot^{-1}(i_\bot(x)) = x$ and $\forall x : T_k, k2b^{-1}(k2b(x)) = x$.

After applying RemoveAssign($x_k$), the security of encryption is applied: the term $enc(k2b(x'_k), kgen(x_r), x''_r)$ becomes $enc'(Z(k2b(x'_k)), kgen(x_r), x''_r)$. After simplification, it becomes $enc'(Z_k, kgen(x_r), x''_r)$, using $\forall x : T_k, Z(k2b(x)) = Z_k$ (which expresses that all keys have the same length). We thus obtain the following game:

$$
\begin{array}{l}
Q''_0 = start();\ \mathsf{new}\ x_r : T_r;\ \mathsf{new}\ x'_r : T_{mr};\ c\langle\rangle;\ (Q''_A \mid Q''_B)\\[4pt]
Q''_A = !^{i \le n} c_A[i]();\ \mathsf{new}\ x'_k : T_k;\ \mathsf{new}\ x''_r : T'_r;\ \mathsf{let}\ x_m : bitstring = enc(Z_k, kgen(x_r), x''_r)\ \mathsf{in}\\
\qquad c_A[i]\langle x_m, mac'(x_m, mkgen'(x'_r))\rangle
\end{array}
$$

where $Q''_B$ remains as above.

Using arrays instead of lists simplifies this transformation: there is no need to add instructions that insert the values into the list, since all variables are always implicitly stored in arrays. Moreover, if there are several occurrences of $mac(x_i, k)$ with the same key in the initial process, each $check(m_j, k, ma_j)$ is replaced by a find with one branch per occurrence of $mac$. CryptoVerif thus automatically distinguishes the cases according to the occurrence of $mac$ from which the verified MAC $ma_j$ comes, that is, it distinguishes the cases according to the value of $i$ such that $m_j = x_i$. Typically, distinguishing these cases is useful in the later steps of the proof of the protocol. (A similar situation arises for the other cryptographic primitives specified using find.)

3.4 Security properties

This section defines the secrecy and correspondence properties (which include authentication) and explains how CryptoVerif verifies them.

3.4.1 Secrecy

We define two notions of secrecy. The first expresses that a variable (or each element of an array) is indistinguishable from a random number.

Definition 3.4 (One-session secrecy) Let $x$ be a variable of type $T$ defined in $Q$ under the replications $!^{i_1 \le n_1} \ldots !^{i_m \le n_m}$. The process $Q$ preserves the one-session secrecy of $x$ if $Q \mid Q_x \approx Q \mid Q'_x$, where

$$
\begin{array}{l}
Q_x = c(u_1 : [1, n_1], \ldots, u_m : [1, n_m]);\ \mathsf{if}\ \mathsf{defined}(x[u_1, \ldots, u_m])\ \mathsf{then}\ c\langle x[u_1, \ldots, u_m]\rangle\\[4pt]
Q'_x = c(u_1 : [1, n_1], \ldots, u_m : [1, n_m]);\ \mathsf{if}\ \mathsf{defined}(x[u_1, \ldots, u_m])\ \mathsf{then}\ \mathsf{new}\ y : T;\ c\langle y\rangle
\end{array}
$$

$c \notin fc(Q)$ and $u_1, \ldots, u_m, y \notin var(Q)$.

Intuitively, the attacker cannot distinguish a process that outputs the value of the secret from a process that outputs a random number. The attacker performs a single test query, modeled by $Q_x$ and $Q'_x$.

Proposition 3.4 (One-session secrecy) Let $Q$ be a process such that there exists a set of variables $S$ such that 1) the definitions of $x$ are either restrictions $\mathsf{new}\ x[\tilde{i}] : T$ with $x \in S$, or assignments $\mathsf{let}\ x[\tilde{i}] : T = z[M_1, \ldots, M_l]$ where $z$ is defined by restrictions $\mathsf{new}\ z[i'_1, \ldots, i'_l] : T$ and $z \in S$, and 2) all accesses to variables $y \in S$ in $Q$ are of the form "$\mathsf{let}\ y'[\tilde{i}] : T' = y[M_1, \ldots, M_l]$" with $y' \in S$. Then $Q \mid Q_x \approx_0 Q \mid Q'_x$, so $Q$ preserves the one-session secrecy of $x$.

Intuitively, only the variables of $S$ depend on the restrictions that define $x$; the messages sent and the control flow of the process do not depend on $x$, so the attacker has no information on $x$.

Secrecy proper expresses that the elements of an array are indistinguishable from independent random numbers.

Definition 3.5 (Secrecy) Let $x$ be a variable of type $T$ defined in $Q$ under the replications $!^{i_1 \le n_1} \ldots !^{i_m \le n_m}$. The process $Q$ preserves the secrecy of $x$ if $Q \mid R_x \approx Q \mid R'_x$, where

$$
\begin{array}{l}
R_x = !^{i \le n} c(u_1 : [1, n_1], \ldots, u_m : [1, n_m]);\ \mathsf{if}\ \mathsf{defined}(x[u_1, \ldots, u_m])\ \mathsf{then}\ c\langle x[u_1, \ldots, u_m]\rangle\\[4pt]
R'_x = !^{i \le n} c(u_1 : [1, n_1], \ldots, u_m : [1, n_m]);\ \mathsf{if}\ \mathsf{defined}(x[u_1, \ldots, u_m])\ \mathsf{then}\\
\qquad \mathsf{find}\ u' \le n\ \mathsf{suchthat}\ \mathsf{defined}(y[u'], u_1[u'], \ldots, u_m[u']) \wedge u_1[u'] = u_1 \wedge \ldots \wedge u_m[u'] = u_m\\
\qquad \mathsf{then}\ c\langle y[u']\rangle\ \mathsf{else}\ \mathsf{new}\ y : T;\ c\langle y\rangle
\end{array}
$$

$c \notin fc(Q)$ and $u_1, \ldots, u_m, u', y \notin var(Q)$.


Intuitively, the attacker cannot distinguish a process that outputs the value of the secret for several indices from a process that outputs independent random numbers. In this definition, the attacker may perform several test queries, modeled by $R_x$ and $R'_x$. This corresponds to the "real-or-random" security definition [AFP06]. (This definition is stronger than the standard definition with a single test query and several queries that always reveal $x[u_1, \ldots, u_m]$ [AFP06].)

Informally, CryptoVerif proves secrecy by showing, in addition to the hypothesis of Proposition 3.4, that each element of the array $x$ comes from a distinct execution of a restriction (and hence that the elements of $x$ are independent random numbers).

Lemma 3.2 If $Q \approx^{\{x\}} Q'$ and $Q$ preserves the one-session secrecy of $x$, then $Q'$ preserves the one-session secrecy of $x$. The same result holds for secrecy.

We can then apply the following technique. When we want to prove that $Q_0$ preserves the (one-session) secrecy of $x$, we transform $Q_0$ by the transformations described in Section 3.3 with $V = \{x\}$. By Propositions 3.1 and 3.3, we obtain a process $Q'_0$ such that $Q_0 \approx^V Q'_0$. We use Proposition 3.4, or a similar proposition for secrecy, to show that $Q'_0$ preserves the (one-session) secrecy of $x$, and we finally conclude that $Q_0$ also preserves the (one-session) secrecy of $x$ by Lemma 3.2.

Example 3.3 After the transformations of Example 3.2, the only access to $x'_k$ in the process under consideration is $\mathsf{let}\ x''_k : T_k = x'_k[u]$, and $x''_k$ is not used. So, by Proposition 3.4, this process preserves the one-session secrecy of $x''_k$ (with $S = \{x'_k, x''_k\}$). Lemma 3.2 shows that the process of Section 3.1 also preserves the one-session secrecy of $x''_k$. However, this process does not preserve the secrecy of $x''_k$, because the attacker can force several sessions of $B$ to use the same key $x''_k$ by replaying the message sent by $A$. Hence CryptoVerif does not prove the secrecy of $x''_k$ for this example.
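The test processes $Q_x$, $Q'_x$, $R_x$ and $R'_x$ written as oracles, together with the replay situation of Example 3.3, as an added Python example (not the thesis' own code or CryptoVerif's). It assumes a one-dimensional array $x[u]$ represented as a Python list (`None` for an undefined cell) and secrets of type $T$ that are 16-byte strings; both are constructed for the example.

```python
# Added example (not CryptoVerif's code): the test processes Q_x / Q'_x
# (Definition 3.4) and R_x / R'_x (Definition 3.5) as oracles over a constructed
# array x, and the replay situation of Example 3.3.  Assumption: x is a Python
# list standing for a one-dimensional array x[u], u in [1, n], with None for an
# undefined cell; secrets of the fixed-length type T are 16-byte strings.
import secrets
from typing import Dict, List, Optional

T_LEN = 16  # length of the fixed-length type T

class RealTestOracle:
    """R_x: on query u, outputs x[u] when it is defined (Q_x is the one-query
    case of the same oracle)."""
    def __init__(self, x: List[Optional[bytes]]):
        self.x = x

    def query(self, u: int) -> Optional[bytes]:
        return self.x[u - 1]

class RandomTestOracle:
    """R'_x: on query u with x[u] defined, the `find u' <= n suchthat
    defined(y[u'], u1[u']) and u1[u'] = u1` returns the y chosen at an earlier
    query with the same index; otherwise `new y : T` is drawn and remembered."""
    def __init__(self, x: List[Optional[bytes]]):
        self.x = x
        self.y: Dict[int, bytes] = {}  # y[u'] keyed by the queried index u1[u']

    def query(self, u: int) -> Optional[bytes]:
        if self.x[u - 1] is None:
            return None
        if u not in self.y:
            self.y[u] = secrets.token_bytes(T_LEN)
        return self.y[u]

def same_secret(oracle, u1: int, u2: int) -> bool:
    """A two-query attacker: True when the cells u1 and u2 look like one secret.
    Against R'_x (u1 != u2) this holds only with probability 2^-128; against
    R_x it holds whenever x[u1] = x[u2]."""
    return oracle.query(u1) == oracle.query(u2)

def replayed_keys_distinguishable() -> bool:
    """Example 3.3: two sessions of B accepted the same replayed key, so R_x
    and R'_x are told apart, i.e. secrecy of x''_k fails."""
    k = secrets.token_bytes(T_LEN)
    x = [k, k, None]  # x''_k[1] = x''_k[2]; session 3 did not reach the let
    return (same_secret(RealTestOracle(x), 1, 2)
            and not same_secret(RandomTestOracle(x), 1, 2))

def one_session_consistent() -> bool:
    """With a single test query (Q_x vs Q'_x) both oracles return one uniformly
    random T value; R'_x must also answer repeated queries of the same index
    consistently, which is what its find achieves."""
    x = [secrets.token_bytes(T_LEN)]
    real, rand = RealTestOracle(x), RandomTestOracle(x)
    return (len(real.query(1)) == len(rand.query(1)) == T_LEN
            and rand.query(1) == rand.query(1))
```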

The criteria given in this section may seem restrictive, but in fact they should be sufficient for all protocols, provided the preceding transformations are powerful enough to transform the protocol into a simpler process on which these criteria can be applied.

3.4.2 Correspondences

In order to formalize correspondences, we extend our process calculus with events $\mathsf{event}\ e(M_1, \ldots, M_m)$, similarly to what was done in the Dolev-Yao model in Section 2.2.4. These events do not change the state of the system. Correspondences are properties of the form "if certain events have been executed, then other events have been executed". More precisely, we define the following logical formulas:

$$
\begin{array}{lll}
\varphi ::= & & \text{formula}\\
& M & \text{term}\\
& \mathsf{event}(e(M_1, \ldots, M_m)) & \text{event}\\
& \varphi_1 \wedge \varphi_2 & \text{conjunction}\\
& \varphi_1 \vee \varphi_2 & \text{disjunction}
\end{array}
$$

The terms $M, M_1, \ldots, M_m$ in the formulas must not contain array accesses, and their variables are assumed to be distinct from the process variables. The formula $M$ is true when the term $M$ evaluates to $true$; the formula $\mathsf{event}(e(M_1, \ldots, M_m))$ is true when the event $e(M_1, \ldots, M_m)$ has been executed. Conjunction and disjunction are defined as usual. Formulas denoted $\psi$ are conjunctions of events. We define correspondences informally as follows:


Definition 3.6 We write $E$ for a sequence of events $e(a_1, \ldots, a_m)$. The sequence of events $E$ satisfies the correspondence $\psi \Rightarrow \varphi$ if and only if, for all values of the variables of $\psi$, if $E$ satisfies $\psi$, then there exist values of the variables of $\varphi$ that do not occur in $\psi$ such that $E$ satisfies $\varphi$.

The process $Q$ satisfies the correspondence $\psi \Rightarrow \varphi$ with public variables $V$ if and only if, for every evaluation context $C$ acceptable for $Q, Q, V$, the probability that $C[Q]$ executes a sequence of events $E$ that does not satisfy $\psi \Rightarrow \varphi$ is negligible.

In this definition, the attacker is represented by the context $C$.

Example 3.4 The correspondence

$$
\mathsf{event}(e_1(x)) \wedge \mathsf{event}(e_2(x)) \Rightarrow \mathsf{event}(e_3(x)) \vee (\mathsf{event}(e_4(x, y)) \wedge \mathsf{event}(e_5(y, z)))
$$

means that, up to negligible probability, for all $x$, if $e_1(x)$ and $e_2(x)$ have been executed, then $e_3(x)$ has been executed or there exist $y$ and $z$ such that $e_4(x, y)$ and $e_5(y, z)$ have been executed.

The notion of observational equivalence is adapted so that, when $Q \approx^V Q'$, the processes $Q$ and $Q'$ execute the same events up to negligible probability, in the presence of an evaluation context acceptable for $Q, Q', V$. We can then prove the following result, the analogue of Lemma 3.2 for correspondences:

Lemma 3.3 If $Q \approx^V Q'$ and $Q$ satisfies the correspondence $c$ with public variables $V$, then $Q'$ satisfies it too.

The game transformations of Section 3.3 leave events unchanged, so that they transform a process $Q$ into a process $Q'$ such that $Q \approx^V Q'$ for the definition of observational equivalence adapted to events. We can then apply the same technique as for secrecy: to prove that $Q_0$ satisfies a correspondence $c$ with public variables $V$, we transform it into a process $Q'_0$ such that $Q_0 \approx^V Q'_0$ by the transformations of Section 3.3, and we prove that the process $Q'_0$ satisfies the correspondence $c$ with public variables $V$. Then $Q_0$ satisfies it too by Lemma 3.3. The technique used to prove a correspondence on $Q'_0$ is detailed in [Bla07]; we present a simple example here.

Example 3.5 Consider the example process of Section 3.1, to which events have been added as follows:

$$
\begin{array}{l}
Q_0 = start();\ \mathsf{new}\ x_r : T_r;\ \mathsf{let}\ x_k : T_k = kgen(x_r)\ \mathsf{in}\\
\qquad \mathsf{new}\ x'_r : T_{mr};\ \mathsf{let}\ x_{mk} : T_{mk} = mkgen(x'_r)\ \mathsf{in}\ c\langle\rangle;\ (Q_A \mid Q_B)\\[4pt]
Q_A = !^{i \le n} c_A[i]();\ \mathsf{new}\ x'_k : T_k;\ \mathsf{new}\ x''_r : T'_r;\\
\qquad \mathsf{let}\ x_m : bitstring = enc(k2b(x'_k), x_k, x''_r)\ \mathsf{in}\ \mathsf{event}\ e_A(x'_k);\ c_A[i]\langle x_m, mac(x_m, x_{mk})\rangle\\[4pt]
Q_B = !^{i' \le n} c_B[i'](x'_m, x_{ma});\ \mathsf{if}\ check(x'_m, x_{mk}, x_{ma})\ \mathsf{then}\\
\qquad \mathsf{let}\ i_\bot(k2b(x''_k)) = dec(x'_m, x_k)\ \mathsf{in}\ \mathsf{event}\ e_B(x''_k);\ c_B[i']\langle\rangle
\end{array}
$$

We want to prove the following correspondence:

$$
\mathsf{event}(e_B(x)) \Rightarrow \mathsf{event}(e_A(x)) \qquad (3.1)
$$

that is, to show that, if $B$ has completed the protocol with the key $x$ ($B$ has executed the event $e_B(x)$), then $A$ chose the key $x$ and sent it to $B$ ($A$ has executed the event $e_A(x)$).

To do so, we transform $Q_0$ as in the case of secrecy. After executing the transformations RemoveAssign($x_{mk}$), MAC security, and Simplify, we obtain the following process $Q'_0$, as described in Example 3.2:

$$
\begin{array}{l}
Q'_0 = start();\ \mathsf{new}\ x_r : T_r;\ \mathsf{let}\ x_k : T_k = kgen(x_r)\ \mathsf{in}\ \mathsf{new}\ x'_r : T_{mr};\ c\langle\rangle;\ (Q'_A \mid Q'_B)\\[4pt]
Q'_A = !^{i \le n} c_A[i]();\ \mathsf{new}\ x'_k : T_k;\ \mathsf{new}\ x''_r : T'_r;\ \mathsf{let}\ x_m : bitstring = enc(k2b(x'_k), x_k, x''_r)\ \mathsf{in}\\
\qquad \mathsf{event}\ e_A(x'_k);\ c_A[i]\langle x_m, mac'(x_m, mkgen'(x'_r))\rangle\\[4pt]
Q'_B = !^{i' \le n} c_B[i'](x'_m, x_{ma});\\
\qquad \mathsf{find}\ u \le n\ \mathsf{suchthat}\ \mathsf{defined}(x_m[u], x'_k[u]) \wedge x'_m = x_m[u] \wedge check'(x'_m, mkgen'(x'_r), x_{ma})\ \mathsf{then}\\
\qquad\quad \mathsf{let}\ x''_k : T_k = x'_k[u]\ \mathsf{in}\ \mathsf{event}\ e_B(x''_k);\ c_B[i']\langle\rangle
\end{array}
$$

We can then prove (3.1) on this process. If the event $e_B(x)$ has been executed, then it was executed in some instance number $i'$ of $Q'_B$, with $x''_k[i'] = x$. (Recall that variables defined under replications are implicitly arrays.) Since the program point $\mathsf{event}\ e_B(x''_k)$ was reached in this instance of $Q'_B$, the condition of the find is true, so $x_m[u[i']]$ and $x'_k[u[i']]$ are defined and, by definition of $x''_k$, $x''_k[i'] = x'_k[u[i']]$. Since $x'_k[u[i']]$ is defined, the instance number $i = u[i']$ of $Q'_A$ has been executed. Since control switches between processes only when messages are sent, $e_A(x'_k[i])$ has been executed, and $e_A(x'_k[i]) = e_A(x'_k[u[i']]) = e_A(x''_k[i']) = e_A(x)$, which proves the desired correspondence.

The conditions of find are often the key points that make it possible to prove correspondences: they allow one to prove that a variable is defined, and hence that its definition, located in a parallel process, has been executed. This is what makes it possible to show that an event has been executed.

CryptoVerif can also prove injective correspondences, in which each execution of an event of $\psi$ corresponds to a distinct event of $\varphi$. To show that two executions of an event are distinct, one shows that the associated replication indices are distinct [Bla07]. In the example above, the correspondence is not injective: two executions of $e_B(x)$ may correspond to a single execution of $e_A(x)$, since the attacker can replay the message sent from $A$ to $B$.
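The MAC game hop of Example 3.2 and the correspondence argument of Example 3.5, as an added Python example that is not part of the thesis or of CryptoVerif. It instantiates the primitives with constructed choices (HMAC-SHA256 for $mac$/$check$, a PRF-keystream XOR standing in for an IND-CPA scheme, 32-byte keys), implements $check'$ as the find over the array $x_m$ of MACed messages, records the events $e_A$ and $e_B$ on a trace, and checks (3.1) on an honest run, a replayed message (which shows why the correspondence is not injective) and a tampered message (which the find rejects).

```python
# Added example (not CryptoVerif's code): toy instantiation of the protocol of
# Section 3.1 after the MAC game hop (Examples 3.2 and 3.5), with a trace check
# of the correspondence (3.1).  Constructed assumptions: mac/check are
# HMAC-SHA256; enc/dec are a PRF-keystream XOR with a fresh 16-byte r'' (stands
# in for an IND-CPA scheme); keys of type T_k are 32 bytes, so all keys have the
# same length, which is what the equation Z(k2b(x)) = Z_k expresses.
import hashlib
import hmac
import secrets
from collections import Counter
from typing import List, Optional, Tuple

KEY_LEN, NONCE_LEN = 32, 16  # lengths of keys (type T_k) and of r'' (type T'_r)

def mac(m: bytes, mk: bytes) -> bytes:
    return hmac.new(mk, m, hashlib.sha256).digest()

def check(m: bytes, mk: bytes, ma: bytes) -> bool:
    return hmac.compare_digest(mac(m, mk), ma)

def enc(m: bytes, k: bytes, r: bytes) -> bytes:
    # ciphertext = r'' || (m XOR PRF_k(r'')); one SHA-256 block covers a 32-byte m
    assert len(m) == KEY_LEN and len(r) == NONCE_LEN
    stream = hashlib.sha256(k + r).digest()
    return r + bytes(a ^ b for a, b in zip(m, stream))

def dec(c: bytes, k: bytes) -> Optional[bytes]:
    # None plays the role of bottom for a malformed ciphertext, else i_bot(m)
    if len(c) != NONCE_LEN + KEY_LEN:
        return None
    stream = hashlib.sha256(k + c[:NONCE_LEN]).digest()
    return bytes(a ^ b for a, b in zip(c[NONCE_LEN:], stream))

class MacGame:
    """Right-hand side R of (maceq): mac' records every MACed message in the
    array x_m[u]; check_prime is the `find u <= n suchthat defined(x_m[u]) and
    x'_m = x_m[u] and check'(x'_m, mkgen'(x'_r), x_ma)` of Q'_B and returns the
    index u found, or None (the else branch) when the message was never MACed."""

    def __init__(self, x_r_prime: bytes):
        self.mk = x_r_prime        # mkgen'(x'_r); toy: the seed is the key
        self.xm: List[bytes] = []  # x_m[u] for the sessions u of A run so far

    def mac_prime(self, m: bytes) -> bytes:
        self.xm.append(m)
        return mac(m, self.mk)

    def check_prime(self, m: bytes, ma: bytes) -> Optional[int]:
        for u, xm_u in enumerate(self.xm):
            if xm_u == m and check(m, self.mk, ma):
                return u
        return None  # a message whose MAC was never computed is always rejected

class Protocol:
    """The game Q'_0 of Example 3.5: each session of A stores x'_k[i] and calls
    mac'; each session of B runs the find of Q'_B, then `let x''_k = x'_k[u]`
    as obtained by Simplify.  Events e_A(x'_k) and e_B(x''_k) go to a trace."""

    def __init__(self):
        self.xk = secrets.token_bytes(KEY_LEN)                 # x_k = kgen(x_r)
        self.mac_game = MacGame(secrets.token_bytes(KEY_LEN))  # new x'_r
        self.x_k_prime: List[bytes] = []                       # array x'_k[i]
        self.events: List[Tuple[str, bytes]] = []

    def session_a(self) -> Tuple[bytes, bytes]:
        x_k_prime = secrets.token_bytes(KEY_LEN)               # new x'_k
        xm = enc(x_k_prime, self.xk, secrets.token_bytes(NONCE_LEN))
        self.x_k_prime.append(x_k_prime)
        self.events.append(("eA", x_k_prime))                  # event e_A(x'_k)
        return xm, self.mac_game.mac_prime(xm)

    def session_b(self, x_m_prime: bytes, xma: bytes) -> bool:
        u = self.mac_game.check_prime(x_m_prime, xma)
        if u is None:
            return False                # find fails: B stops without an event
        x_k_second = self.x_k_prime[u]  # let x''_k : T_k = x'_k[u]
        # the Simplify step: dec(x'_m, x_k) = i_bot(k2b(x'_k[u])) indeed holds
        assert dec(x_m_prime, self.xk) == x_k_second
        self.events.append(("eB", x_k_second))                 # event e_B(x''_k)
        return True

def satisfies_correspondence(events) -> bool:
    """event(e_B(x)) => event(e_A(x)), i.e. (3.1), on a recorded trace."""
    a_keys = {x for e, x in events if e == "eA"}
    return all(x in a_keys for e, x in events if e == "eB")

def satisfies_injective(events) -> bool:
    """Injective variant: every e_B(x) must be matched by a distinct e_A(x)."""
    ca = Counter(x for e, x in events if e == "eA")
    cb = Counter(x for e, x in events if e == "eB")
    return all(cb[x] <= ca[x] for x in cb)

def run_scenarios() -> Tuple[bool, bool, bool, bool, bool]:
    p = Protocol()
    xm, xma = p.session_a()
    honest = p.session_b(xm, xma)
    replayed = p.session_b(xm, xma)                           # same pair again
    tampered = p.session_b(bytes([xm[0] ^ 1]) + xm[1:], xma)  # never MACed
    return (honest, replayed, tampered,
            satisfies_correspondence(p.events), satisfies_injective(p.events))
```

`run_scenarios()` returns `(True, True, False, True, False)`: the honest and replayed messages are accepted, the tampered one is rejected by the find, (3.1) holds on the trace, and its injective variant does not.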

Correspondence properties make it possible to prove mutual authentication and, combined with secrecy, they make it possible to prove that an authenticated key exchange protocol is correct [Bla07, Section 7].

3.5 Proof strategy

So far, we have described the available game transformations. We now explain how these transformations are organized in order to prove protocols.

At the start of the proof and after each cryptographic transformation (that is, a transformation of Section 3.3.2), CryptoVerif simplifies the game with Simplify and tests whether the desired security property is proved, as described in Section 3.4. If so, it stops.

In order to perform the cryptographic transformations and the other, syntactic, transformations, the proof strategy is based on the idea of advice. More precisely, CryptoVerif tries to execute each of the available cryptographic transformations. When such a transformation fails, it returns syntactic transformations that might allow it to succeed. (These are the advised transformations.) CryptoVerif then tries to execute these syntactic transformations. If they fail, they may in turn suggest other advised transformations, which are then executed. When the syntactic transformations finally succeed, the cryptographic transformation is tried again; it may succeed or fail, possibly with new advised transformations, and so on.

For example, suppose we try to execute a cryptographic transformation that requires recognizing a certain term $M$ of $L$, but that we find in $Q_0$ only a part of $M$, the other parts being variable accesses $x[\ldots]$ whereas $M$ contains function applications. In this case, RemoveAssign($x$) is advised. For instance, if $Q_0$ contains $enc(M', x_k, x'_r)$ and we look for $enc(x_m, kgen(x_r), x_{r'})$, RemoveAssign($x_k$) is advised. If $Q_0$ contains $\mathsf{let}\ x_k = mkgen(x_r)$ and we look for $mac(x_m, mkgen(x_r))$, RemoveAssign($x_k$) is also advised. (The transformation of Example 3.1 is advised for this reason.) CryptoVerif uses a few other criteria to advise transformations [Bla08b, Section 5].

3.6 Results

CryptoVerif has been tested on examples of protocols from the literature. These protocols were tested in a configuration in which the honest participants agree to run the protocol with the attacker. In these examples, shared-key encryption is encoded as encrypt-then-MAC, where the encryption is IND-CPA and the MAC is UF-CMA, as in the example of Section 3.1; public-key encryption is assumed to be IND-CCA2 (indistinguishable under adaptive chosen-ciphertext attacks) [BDPR98]; the signature scheme is assumed to be UF-CMA (unforgeable under chosen message attacks).

The following protocols were tested to show the secrecy and the one-session secrecy of the exchanged keys, and the authenticated key exchange property: Otway-Rees [OR87], Yahalom [BAN89] with and without key confirmation (key confirmation breaks its secrecy), the original and corrected versions of shared-key Needham-Schroeder [NS78, NS87] with and without key confirmation, public-key Denning-Sacco [DS81, AN96], and public-key Needham-Schroeder [NS78, Low96] where the key is either one of the nonces $N_A$ or $N_B$, or $H(N_A, N_B)$. These protocols were also tested for mutual or one-way authentication, depending on the goal of the protocol; for this property, we also tested the original and corrected versions of the shared-key [GJ01] and public-key [WL92, WL97] Woo-Lam protocols (which do not exchange keys). CryptoVerif succeeds in proving the properties that hold in all cases except:

– the proof of the secrecy of $N_A$ for the (corrected) public-key Needham-Schroeder protocol fails because CryptoVerif does not exploit the fact that $N_A$ is accepted only after all messages containing $N_A$ have been sent.

– the proof of authenticated key exchange fails for the (corrected) public-key Needham-Schroeder protocol when the key is $H(N_A, N_B)$, because CryptoVerif fails to prove certain correspondences (but the proof of mutual authentication succeeds for the corrected protocol without key).

– the proof of a correspondence fails for the original version of the shared-key Needham-Schroeder protocol, because CryptoVerif fails to prove that $N_B[i] \neq N_B[i'] - 1$ up to negligible probability, when $N_B$ is a nonce.

For the public-key protocols, CryptoVerif's manual mode is used: the user indicates the main steps of the proof; the automatic proof strategy is not yet sufficient to prove these protocols (in particular, because it does not automatically distinguish the cases in which the interlocutor is honest or dishonest). The total execution time for all these tests is 2 min 45 s on an AMD X2 4600, 2.4 GHz.

In addition, two case studies were carried out:

– In collaboration with David Pointcheval [BP06], we proved the security of the FDH (Full Domain Hash) signature scheme and of encryption schemes from [BR93a]. These examples use lower-level cryptographic primitives, such as trapdoor one-way permutations, which are not modeled in the formal model.

– In collaboration with Aaron D. Jaggard, André Scedrov and Joe-Kai Tsay [BJST08], we studied the Kerberos version 5 protocol [NYHR05], with and without its public-key extension PKINIT [IET06].

Karthik Bhargavan et al. [BCF07] have also begun using CryptoVerif to verify protocol implementations written in F# in the computational model. CryptoVerif is available at http://www.cryptoverif.ens.fr/.

3.7 Conclusion

The CryptoVerif verifier was the first automatic tool to prove protocols in the computational model, producing game-based proofs like those written by hand by cryptographers.

CryptoVerif makes it possible to model a variety of cryptographic primitives, expressing all the nuances of their security assumptions. For instance, one can distinguish a weakly unforgeable MAC (the attacker cannot forge a MAC for a new message, as in Definition 3.1) from a strongly unforgeable MAC (the attacker cannot forge a new MAC even if it knows a MAC for the same message). An analogous distinction can be made for signatures. Various variants of shared-key encryption can be encoded, including deterministic bijective encryption, PRP (pseudo-random permutation) or SPRP (super pseudo-random permutation), and probabilistic encryption that is IND-CPA, IND-CPA and INT-CTXT (ciphertext integrity), or IND-CCA2 and INT-PTXT (plaintext integrity). One can also represent various variants of public-key encryption, as well as collision-resistant hash functions or random oracles.

CryptoVerif produces proofs valid for a number of sessions polynomial in the security parameter, in the presence of an active attacker. It proves secrecy and correspondence properties, which make it possible to show mutual authentication and authenticated key exchange. It provides a bound on the probability of success of an attack [BP06]. CryptoVerif has an automatic proof strategy, but also lets the user give the essential steps of the proof of a protocol, so as to succeed in proving protocols when the automatic strategy fails, or to obtain a better reduction (a lower attack probability). Many extensions remain to be made to this tool, however; the next chapter mentions some of them.

Recently, Tsahhirov and Laud [TL07] developed a similar tool, which uses a representation of games by dependency graphs. This tool is for now less developed than CryptoVerif: it handles public-key encryption and proves secrecy properties, without providing an explicit bound on the attack probability. AVISPA includes a module that proves protocols in the computational model [CHW06] by using a verification in the formal model and the result of [CW05], which shows that security in the formal model implies security in the computational model for public-key protocols (encryption and signatures).


Chapter 4

Conclusion and perspectives

In recent years, the verification of cryptographic protocols has been a very active research topic. My contributions in this area have essentially consisted in building two automatic verification tools for cryptographic protocols, ProVerif and CryptoVerif. My contributions have been both theoretical and practical: I implemented efficient software, but I also made sure that it rests on precise theoretical foundations, in particular by proving its soundness with respect to a formal semantics of the language. This back-and-forth between theory and practice has been particularly rewarding.

The ProVerif verifier rests on the formal model of protocols, known as the Dolev-Yao model. Its main feature is that it can prove protocols for an unbounded number of sessions, thanks to an abstract representation by Horn clauses. This tool has essentially reached maturity: it has already been used by many researchers, and my work on it will mainly consist in improving its documentation and its interface, so as to encourage its wider adoption.

Unlike most automatic protocol verifiers, CryptoVerif works in the computational model and produces game-based proofs. It thus makes it possible to obtain proofs in a more realistic model, close to those usually written by cryptographers. This is a very important step forward. However, many extensions remain to be made before obtaining a widely usable tool:

– Improvements to the proof strategy would be useful in order to obtain automatic proofs more often, in particular for public-key protocols.

– The cryptographic transformations should be extended to handle more primitives, in particular Diffie-Hellman key agreement, which is used in many important protocols.

– More equations should also be handled, in particular associative and commutative symbols. (These equations are in fact easier to handle in CryptoVerif than in ProVerif: in ProVerif, one would need unification modulo the equations, whereas in CryptoVerif, matching modulo suffices.)

– For ease of use, one could create a library of the most common cryptographic primitives with their encoding, so that the user does not need to encode them.

– It would also be interesting to handle more examples of protocols, in particular protocols that are not usually analyzed by formal methods. These examples could suggest new extensions to be made.

Another aspect on which I have not yet worked, but which seems to me particularly important, is the verification of protocol implementations in standard programming languages. Indeed, the previous work verifies protocols specified in models such as the applied pi calculus or variants, but errors may be introduced when the protocol is implemented. It is therefore important to prove the security properties on the implementation of the protocol. To do so, two approaches can be distinguished:

– A simple approach consists in translating the model into an implementation by a suitable compiler whose correctness has been proved. This approach has been used in tools such as [SPP01, Mil02, PSD04]. One limitation of this approach is that it offers less flexibility in coding the protocol than a usual programming language (or else one has to turn a modeling language into a real programming language, which is difficult).

– An approach that offers more flexibility consists in analyzing the protocol implementation. Several pieces of work have begun to address this problem.

Goubault-Larrecq and Parrennes [GLP05] analyze protocols written in C and translate them into Horn clauses, obtaining a model fairly similar to the one used in ProVerif. They then use Goubault-Larrecq's prover H1 [GL05] to prove properties of the protocol.

Bhargavan et al. [BFGT06] analyze protocols written in a subset of F# by translating them into ProVerif's input language and using ProVerif to prove the security properties. Recently, this work has begun to be adapted to translate the F# program into CryptoVerif's input language [BCF07]. Unlike the other work mentioned here, this makes it possible to obtain proofs in the computational model. This work analyzes reference implementations written in F# with the aim of facilitating verification; one checks that these reference implementations are reasonable by checking their interoperability with other implementations; however, one cannot yet directly analyze the code of implementations written without verification in mind.

Bengtson et al. [BBF+08] proposed a type system to prove security properties of protocols implemented in F#, thus extending to implementations the Cryptyc approach [GJ03, GJ04, GJ02] for models. This approach requires type annotations, which facilitate automatic verification.

Poll and Schubert [PS07] verified a free SSH implementation in Java, using ESC/Java2. To my knowledge, this is the only work that verified an implementation that was not built for that purpose. However, this work has limitations: ESC/Java2 checks that the implementation does not throw exceptions at run time, and also checks that the implementation respects a formal specification of SSH by a finite automaton, which specifies the order of the messages but not their content. Hence the security properties of the protocol are not verified.

Important work on the verification of protocol implementations has thus already been carried out, but much work remains to reach the ideal long-term goal of automatically proving implementations that are actually in use, in the computational model.


Chapter 5

Teaching and supervision activities

5.1 Teaching

I began teaching at the end of my DEA and have not stopped since. I first ran computer science tutorial classes (travaux dirigés) in grandes écoles and at university, then took part in DEA courses (since renamed research master's).

5.1.1 Tutorial sessions at the École polytechnique

My first teaching experience was supervising tutorial sessions for the core course “Algorithmes et programmation” by Jean-Jacques Lévy and Robert Cori at the École polytechnique. This course covered the following topics: arrays (and sorting), recursion (and sorting), data structures (lists, stacks, queues, trees, graphs), parsing, modularity. I taught 48 hours per year, supervising two groups of slightly more than 20 students, under the responsibility of a tutorial coordinator; each group had 2 hours of tutorials per week for 12 weeks.

– In 1996-97, as an adjunct lecturer (vacataire), I taught the Pascal language to beginner groups, under the responsibility of Jean-Dominique Gascuel; Fabrice Le Fessant and I supervised these two groups.

– In 1997-98, as an adjunct lecturer, I taught the C language to intermediate groups, under the responsibility of Michel Mauny.

– In 1998-99, as a scientifique du contingent (national service scientist) at the computer science laboratory of the École polytechnique, I taught the Java language to advanced groups, under the responsibility of Philippe Chassignet.

5.1.2 Tutorial sessions at ENSTA

In 1997-98, I also supervised a tutorial group in the Standard ML course of Philippe Granger and Alain Deutsch (IN202) at ENSTA (École Nationale Supérieure des Techniques Avancées), at beginner level. I taught 15 hours of tutorials as an adjunct lecturer. The topics covered in these tutorials were: recursive functions, typing, inductive types, structures and signatures, higher-order functions, proofs of ML programs, references.

5.1.3 Tutorial sessions at the Université de Versailles

As part of my PhD grant (allocation couplée), I was a teaching assistant (moniteur) at the Université de Versailles. I supervised Java tutorials in the second year of the DEUG MIAS, in the second semester, in 1999-00 and 2000-01. I supervised two groups of about thirty students, each group having 2 hours of tutorials per week. I took part in preparing the tutorial and exam subjects and in grading the exams. The topics covered in the tutorials were: sorting, exceptions, files, applets, graphical user interfaces. These tutorials also included a project, to be done at home by the students, which I graded for my tutorial groups.

5.1.4 DEA and Master's courses

From 1999-00 to 2006-07, I taught 6 hours per year in the abstract interpretation course of the DEA Sémantique, Preuves et Programmation, renamed in 2000-01 DEA Programmation : Sémantique, Preuves et Langages, and then in 2004-05 Master Parisien de Recherche en Informatique (MPRI). The title and the lecturers in charge of the course varied over the years: until 2001-02, “Analyse statique par Interprétation abstraite” by Radhia Cousot, Alain Deutsch and Arnaud Venet; in 2002-03, “Analyse statique par Interprétation abstraite” by Radhia Cousot, Laurent Mauborgne and myself; in 2003-04, “Analyse statique de propriétés numériques, de sécurité et de mobilité” by Radhia Cousot, Mathieu Martel and myself; then, from 2004-05, “Interprétation abstraite : application à la vérification et à l'analyse statique” by Patrick and Radhia Cousot.

– From 1999-00 to 2002-03, I presented my PhD work on escape analysis for ML and Java [Bla98, Bla03, Bla00]. This static analysis by abstract interpretation makes it possible to prove that the lifetime of certain data does not exceed their static scope, which then allows stack allocation and, for Java, the elimination of synchronisations on data local to a single thread.

– From 2003-04 to 2006-07, I presented my work on the automatic verification of cryptographic protocols. Every year, I presented the technique for verifying secrecy and correspondence properties in ProVerif [Bla01, AB05a, Bla08a]. In 2005-06, I additionally presented the verification of process equivalences in ProVerif [BAF08]. In 2006-07, I additionally presented a brief introduction to CryptoVerif [Bla08b].

This year (2007-08), I was co-responsible with Steve Kremer for the course “Protocoles cryptographiques : preuves formelles et calculatoires” (24 hours of lectures in total, of which I taught 12). Steve Kremer presented an introduction to protocols, the soundness results of the formal model with respect to the computational model by Abadi and Rogaway [AR02] (passive case) and Cortier and Warinschi [CW05] (active case), as well as the undecidability of protocol verification in the general case and its decidability for a bounded number of sessions [RT03]. I presented the protocol verifiers ProVerif and CryptoVerif. Cédric Fournet lectured on the verification of protocols and of their implementations in the case of web services (3 hours).

5.2 Supervision

I supervised six interns, first at the Max-Planck-Institut für Informatik in Saarbrücken, then at the École normale supérieure in Paris.

5.2.1 Reconstruction of attacks against cryptographic protocols

Xavier Allamigeon did his École polytechnique scientific option internship under my supervision from April to July 2004 at the Max-Planck-Institut für Informatik. He designed and implemented in ProVerif an algorithm for reconstructing attacks against cryptographic protocols. He proved its soundness, its termination, and a partial completeness result: if the derivation computed by ProVerif corresponds to an attack, then the algorithm succeeds in reconstructing that attack. As an extreme example, this algorithm made it possible to reconstruct an attack involving 200 parallel sessions against the protocol f200g200 [Mil99]. This work led to a publication [AB05c].


5.2.2 Analysis of protocols presented as a list of messages

Mehmet Kiraz did his master's internship from Saarland University under my supervision from April to October 2003. He carried out a theoretical study aimed at translating into Horn clauses a protocol represented as a sequence of messages. This translation raises delicate problems, since the list of messages represents a correct execution of the protocol but does not make explicit how the participants react to incorrect messages. One must therefore determine which tests the participants can perform on the messages they receive.

As part of his École polytechnique scientific option internship, from April to June 2005 at the École normale supérieure, Yannick Gerault extended this work: whereas Mehmet Kiraz had considered only a few fixed primitives (shared-key and public-key encryption), Yannick Gerault considered primitives defined by arbitrary rewrite rules.

5.2.3 Analysis of implementations of cryptographic protocols in Java

Several interns worked on a long-term project on the verification of implementations of cryptographic protocols in Java.

As part of his IIT Kanpur summer internship (June and July 2002, at the Max-Planck-Institut für Informatik), Shiv Pratap Raghuwanshi produced an implementation of the SSH (Secure SHell) protocol in Java, specifically designed to facilitate automatic verification. This implementation is intended to serve as a case study for the verification of protocol implementations.

During an internship at the Max-Planck-Institut für Informatik (June to August 2002), Emma Rabbidge built a front end for a Java bytecode analyser. This front end determines, by transitive closure, the classes needed by the application under consideration, and transforms the bytecode into a three-address code in SSA form (Static Single Assignment, in which each variable is assigned at a single program point) [CFR+91], in order to facilitate its analysis.

During a long internship at the École normale supérieure (January to June 2006), Maël Primet designed and began to implement a prototype Java bytecode analyser, intended to translate the program into a set of Horn clauses, in order to prove security properties of the Java program in the same way they are proved in ProVerif.


Bibliography

[AB03] Martín Abadi and Bruno Blanchet. Secrecy types for asymmetric communication. Theoretical Computer Science, vol. 298, no. 3, April 2003, pp. 387–415. Special issue FoSSaCS'01.

[AB05a] Martín Abadi and Bruno Blanchet. Analyzing security protocols with secrecy types and logic programs. Journal of the ACM, vol. 52, no. 1, January 2005, pp. 102–146. Article attached in the appendix.

[AB05b] Martín Abadi and Bruno Blanchet. Computer-assisted verification of a protocol for certified email. Science of Computer Programming, vol. 58, no. 1–2, October 2005, pp. 3–27. Special issue SAS'03.

[AB05c] Xavier Allamigeon and Bruno Blanchet. Reconstruction of attacks against cryptographic protocols. In: 18th IEEE Computer Security Foundations Workshop (CSFW-18), pp. 140–154, Aix-en-Provence, France, June 2005. IEEE.

[Aba99] Martín Abadi. Secrecy by typing in security protocols. Journal of the ACM, vol. 46, no. 5, September 1999, pp. 749–786.

[ABB+04] William Aiello, Steven M. Bellovin, Matt Blaze, Ran Canetti, John Ioannidis, Angelos D. Keromytis and Omer Reingold. Just Fast Keying: Key agreement in a hostile Internet. ACM Transactions on Information and System Security, vol. 7, no. 2, May 2004, pp. 242–273.

[ABB+05] Alessandro Armando, David Basin, Yohan Boichut, Yannick Chevalier, Luca Compagna, Jorge Cuéllar, Paul Hankes Drielsma, Pierre-Cyrille Héam, Olga Kouchnarenko, Jacopo Mantovani, Sebastian Mödersheim, David von Oheimb, Michaël Rusinowitch, Judson Santiago, Mathieu Turuani, Luca Viganò and Laurent Vigneron. The AVISPA tool for automated validation of Internet security protocols and applications. In: Computer Aided Verification, 17th International Conference, CAV 2005, edited by Kousha Etessami and Sriram K. Rajamani, Lecture Notes in Computer Science, volume 3576, pp. 281–285, Edinburgh, Scotland, July 2005. Springer.

[ABF07] Martín Abadi, Bruno Blanchet and Cédric Fournet. Just fast keying in the pi calculus. ACM Transactions on Information and System Security (TISSEC), vol. 10, no. 3, July 2007, pp. 1–59.

[ABHS05] Pedro Adão, Gergei Bana, Jonathan Herzog and Andre Scedrov. Soundness of formal encryption in the presence of key-cycles. In: Proceedings of the 10th European Symposium On Research In Computer Security (ESORICS 2005), edited by Sabrina de Capitani di Vimercati, Paul Syverson and Dieter Gollmann, Lecture Notes in Computer Science, volume 3679, pp. 374–396, Milan, Italy, September 2005. Springer.

[ABW06] Martín Abadi, Mathieu Baudet and Bogdan Warinschi. Guessing attacks and the computational soundness of static equivalence. In: Proceedings of the 9th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS'06), edited by Luca Aceto and Anna Ingólfsdóttir, Lecture Notes in Computer Science, volume 3921, pp. 398–412, Vienna, Austria, March 2006. Springer.

[AC06] Martín Abadi and Véronique Cortier. Deciding knowledge in security protocols under equational theories. Theoretical Computer Science, vol. 367, no. 1–2, November 2006, pp. 2–32.

[ACG03] Alessandro Armando, Luca Compagna and Pierre Ganty. SAT-based model-checking of security protocols using planning graph analysis. In: FME 2003: Formal Methods, International Symposium of Formal Methods Europe, edited by Keijiro Araki, Stefania Gnesi and Dino Mandrioli, Lecture Notes in Computer Science, volume 2805, pp. 875–893, Pisa, Italy, September 2003. Springer.

[AD07] Myrto Arapinis and Marie Duflot. Bounding messages for free in security protocols. In: 27th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'07), edited by V. Arvind and Sanjiva Prasad, Lecture Notes in Computer Science, volume 4855, pp. 376–387, New Delhi, India, December 2007. Springer.

[AF01] Martín Abadi and Cédric Fournet. Mobile values, new names, and secure communication. In: 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'01), pp. 104–115, London, United Kingdom, January 2001. ACM Press.

[AFP06] Michel Abdalla, Pierre-Alain Fouque and David Pointcheval. Password-based authenticated key exchange in the three-party setting. IEE Proceedings Information Security, vol. 153, no. 1, March 2006, pp. 27–39.

[AG98] Martín Abadi and Andrew D. Gordon. A bisimulation method for cryptographic protocols. Nordic Journal of Computing, vol. 5, no. 4, Winter 1998, pp. 267–303.

[AG99] Martín Abadi and Andrew D. Gordon. A calculus for cryptographic protocols: The spi calculus. Information and Computation, vol. 148, no. 1, January 1999, pp. 1–70. An extended version appeared as Digital Equipment Corporation Systems Research Center report No. 149, January 1998.

[AGHP02] Martín Abadi, Neal Glew, Bill Horne and Benny Pinkas. Certified email with a light on-line trusted third party: Design and implementation. In: 11th International World Wide Web Conference, pp. 387–395, Honolulu, Hawaii, May 2002. ACM Press.

[AJ01] Martín Abadi and Jan Jürjens. Formal eavesdropping and its computational interpretation. In: Theoretical Aspects of Computer Software (TACS'01), edited by N. Kobayashi and B. C. Pierce, Lecture Notes in Computer Science, volume 2215, pp. 82–94, Sendai, Japan, October 2001. Springer.

[AN95] Ross Anderson and Roger Needham. Programming Satan's computer. In: Computer Science Today: Recent Trends and Developments, edited by J. van Leeuwen, Lecture Notes in Computer Science, volume 1000, pp. 426–440. Springer, 1995.

[AN96] Martín Abadi and Roger Needham. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, vol. 22, no. 1, January 1996, pp. 6–15.

[AR02] Martín Abadi and Phillip Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology, vol. 15, no. 2, 2002, pp. 103–127.

[AVI03] AVISPA. Deliverable D2.3: The intermediate format. Available at http://www.avispa-project.org, 2003.


[BAF05] Bruno Blanchet, Martín Abadi and Cédric Fournet. Automated verification of selected equivalences for security protocols. In: 20th IEEE Symposium on Logic in Computer Science (LICS 2005), pp. 331–340, Chicago, IL, June 2005. IEEE Computer Society.

[BAF08] Bruno Blanchet, Martín Abadi and Cédric Fournet. Automated verification of selected equivalences for security protocols. Journal of Logic and Algebraic Programming, vol. 75, no. 1, February–March 2008, pp. 3–51. Article attached in the appendix.

[BAN89] Michael Burrows, Martín Abadi and Roger Needham. A logic of authentication. Proceedings of the Royal Society of London A, vol. 426, 1989, pp. 233–271. A preliminary version appeared as Digital Equipment Corporation Systems Research Center report No. 39, February 1989.

[Bau07] Mathieu Baudet. Sécurité des protocoles cryptographiques : aspects logiques et calculatoires. PhD thesis, École Normale Supérieure de Cachan, January 2007.

[BBD+05] Chiara Bodei, Mikael Buchholtz, Pierpaolo Degano, Flemming Nielson and Hanne Riis Nielson. Static validation of security protocols. Journal of Computer Security, vol. 13, no. 3, 2005, pp. 347–390.

[BBF+08] Jesper Bengtson, Karthikeyan Bhargavan, Cédric Fournet, Andy Gordon and Sergio Maffeis. Refinement types for secure implementations. In: 21st IEEE Computer Security Foundations Symposium (CSF'08), pp. 17–32, Pittsburgh, PA, June 2008. IEEE Computer Society.

[BBN04] Johannes Borgström, Sébastien Briais and Uwe Nestmann. Symbolic bisimulation in the spi calculus. In: CONCUR 2004: Concurrency Theory, edited by Philippa Gardner and Nobuko Yoshida, Lecture Notes in Computer Science, volume 3170, pp. 161–176. Springer, August 2004.

[BC08] Bruno Blanchet and Avik Chaudhuri. Automated formal analysis of a protocol for secure file sharing on untrusted storage. In: IEEE Symposium on Security and Privacy, pp. 417–431, Oakland, CA, May 2008. IEEE.

[BCC+02] Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux and Xavier Rival. Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software, invited chapter. In: The Essence of Computation: Complexity, Analysis, Transformation. Essays Dedicated to Neil D. Jones, edited by T. Mogensen, D. A. Schmidt and I. H. Sudborough, pp. 85–108. Springer, December 2002.

[BCC+03] Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux and Xavier Rival. A static analyzer for large safety-critical software. In: ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation (PLDI'03), pp. 196–207, San Diego, California, June 2003. ACM.

[BCF07] Karthikeyan Bhargavan, Ricardo Corin and Cédric Fournet. Crypto-verifying protocol implementations in ML. In: Workshop on Formal and Computational Cryptography (FCC'07), Venice, Italy, July 2007.

[BCFG04] Karthikeyan Bhargavan, Ricardo Corin, Cédric Fournet and Andrew Gordon. Secure sessions for web services. In: ACM Workshop on Secure Web Services (SWS'04), Washington DC, October 2004.

[BCK05] Mathieu Baudet, Véronique Cortier and Steve Kremer. Computationally sound implementations of equational theories against passive adversaries. In: Proceedings of the 32nd International Colloquium on Automata, Languages and Programming (ICALP'05), edited by Luís Caires and Luís Monteiro, Lecture Notes in Computer Science, volume 3580, pp. 652–663, Lisboa, Portugal, July 2005. Springer.

[BCLM05] Stefano Bistarelli, Iliano Cervesato, Gabriele Lenzini and Fabio Martinelli. Relating multiset rewriting and process algebras for security protocol analysis. Journal of Computer Security, vol. 13, no. 1, 2005, pp. 3–47.

[BCM07] Michael Backes, Agostino Cortesi and Matteo Maffei. Causality-based abstraction of multiplicity in security protocols. In: 20th IEEE Computer Security Foundations Symposium (CSF'07), pp. 355–369, Venice, Italy, July 2007. IEEE.

[BCT04] Gilles Barthe, Jan Cederquist and Sabrina Tarento. A machine-checked formalization of the generic model and the random oracle model. In: Second International Joint Conference on Automated Reasoning (IJCAR'04), edited by David Basin and Michaël Rusinowitch, Lecture Notes in Computer Science, volume 3097, pp. 385–399, Cork, Ireland, July 2004. Springer.

[BDJR97] Mihir Bellare, Anand Desai, E. Jokipii and Phillip Rogaway. A concrete security treatment of symmetric encryption. In: Proceedings of the 38th Symposium on Foundations of Computer Science (FOCS'97), pp. 394–403, Miami Beach, Florida, October 1997. IEEE. Full paper available at http://www-cse.ucsd.edu/users/mihir/papers/sym-enc.html.

[BDK07] Michael Backes, Markus Dürmuth and Ralf Küsters. On simulatability soundness and mapping soundness of symbolic cryptography. In: 27th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'07), edited by V. Arvind and Sanjiva Prasad, Lecture Notes in Computer Science, volume 4855, pp. 108–120, New Delhi, India, December 2007. Springer.

[BDNN98] Chiara Bodei, Pierpaolo Degano, Flemming Nielson and Hanne Riis Nielson. Control flow analysis for the π-calculus. In: International Conference on Concurrency Theory (Concur'98), Lecture Notes in Computer Science, volume 1466, pp. 84–98. Springer, September 1998.

[BDP02] Michele Boreale, Rocco De Nicola and Rosario Pugliese. Proof techniques for cryptographic processes. SIAM Journal on Computing, vol. 31, no. 3, 2002, pp. 947–986.

[BDPR98] Mihir Bellare, Anand Desai, David Pointcheval and Phillip Rogaway. Relations among notions of security for public-key encryption schemes. In: Advances in Cryptology – CRYPTO 1998, edited by H. Krawczyk, Lecture Notes in Computer Science, volume 1462, pp. 26–45, Santa Barbara, California, USA, August 1998. Springer.

[BFG04] Karthikeyan Bhargavan, Cédric Fournet and Andrew Gordon. Verifying policy-based security for web services. In: ACM Conference on Computer and Communications Security (CCS'04), pp. 268–277, Washington DC, October 2004. ACM.

[BFG06] Karthikeyan Bhargavan, Cédric Fournet and Andrew Gordon. Verified reference implementations of WS-Security protocols. In: 3rd International Workshop on Web Services and Formal Methods (WS-FM 2006), edited by Mario Bravetti, Manuel Núñez and Gianluigi Zavattaro, Lecture Notes in Computer Science, volume 4184, pp. 88–106, Vienna, Austria, September 2006. Springer.

[BFGP03] Karthikeyan Bhargavan, Cédric Fournet, Andrew D. Gordon and Riccardo Pucella. TulaFale: A security tool for web services. In: Formal Methods for Components and Objects (FMCO 2003), Lecture Notes in Computer Science, volume 3188, pp. 197–222, Leiden, The Netherlands, November 2003. Springer. Paper and tool available at http://securing.ws/.

[BFGS08] Karthikeyan Bhargavan, Cédric Fournet, Andrew Gordon and Nikhil Swamy. Verified implementations of the information card federated identity-management protocol. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS'08), pp. 123–135, Tokyo, Japan, March 2008. ACM.

[BFGT06] Karthikeyan Bhargavan, Cédric Fournet, Andrew Gordon and Stephen Tse. Verified interoperable implementations of security protocols. In: 19th IEEE Computer Security Foundations Workshop (CSFW'06), pp. 139–152, Venice, Italy, July 2006. IEEE Computer Society.

[BFM05] Michele Bugliesi, Riccardo Focardi and Matteo Maffei. Analysis of typed analyses of authentication protocols. In: Proc. 18th IEEE Computer Security Foundations Workshop (CSFW'05), pp. 112–125, Aix-en-Provence, France, June 2005. IEEE Computer Society Press.

[BFM07] Michele Bugliesi, Riccardo Focardi and Matteo Maffei. Dynamic types for authentication. Journal of Computer Security, vol. 15, no. 6, 2007, pp. 563–617.

[BFP+01] Olivier Baudron, Pierre-Alain Fouque, David Pointcheval, Guillaume Poupard and Jacques Stern. Practical multi-candidate election system. In: Proceedings of the 20th ACM Symposium on Principles of Distributed Computing (PODC'01), pp. 274–283, Newport, Rhode Island, August 2001. ACM Press.

[BG01] L. Bachmair and H. Ganzinger. Resolution theorem proving. In: Handbook of Automated Reasoning, edited by A. Robinson and A. Voronkov, chap. 2, pp. 19–100. North Holland, 2001.

[BG02] Michele Boreale and Daniele Gorla. On compositional reasoning in the spi-calculus. In: Foundations of Software Science and Computation Structures, 5th International Conference, FOSSACS 2002, edited by M. Nielsen and U. Engberg, Lecture Notes in Computer Science, volume 2303, pp. 67–81, Grenoble, France, April 2002. Springer.

[BHL06] Andrea Bittau, Mark Handley and Joshua Lackey. The final nail in WEP's coffin. In: IEEE Symposium on Security and Privacy, pp. 386–400, Oakland, California, May 2006. IEEE Computer Society.

[BHM08] Michael Backes, Catalin Hritcu and Matteo Maffei. Automated verification of electronic voting protocols in the applied pi-calculus. In: 21st IEEE Computer Security Foundations Symposium (CSF'08), pp. 195–209, Pittsburgh, PA, June 2008. IEEE Computer Society.

[BJST08] Bruno Blanchet, Aaron D. Jaggard, Andre Scedrov and Joe-Kai Tsay. Computationally sound mechanized proofs for basic and public-key Kerberos. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS'08), pp. 87–99, Tokyo, Japan, March 2008. ACM.

[BKR00] Mihir Bellare, Joe Kilian and Phillip Rogaway. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences, vol. 61, no. 3, December 2000, pp. 362–399.

[BKV06] Yohan Boichut, Nikolai Kosmatov and Laurent Vigneron. Validation of Prouvé protocols using the automatic tool TA4SP. In: Proceedings of the Third Taiwanese-French Conference on Information Technology (TFIT 2006), pp. 467–480, Nancy, France, March 2006.

[BL06] Michael Backes and Peeter Laud. Computationally sound secrecy proofs by mechanized flow analysis. In: Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS'06), pp. 370–379, Alexandria, VA, November 2006. ACM.

[Bla98] Bruno Blanchet. Escape analysis: Correctness proof, implementation and experimental results. In: 25th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL'98), pp. 25–37, San Diego, California, January 1998. ACM Press.

[Bla00] Bruno Blanchet. Analyse d'échappement. Applications à ML et Java™. PhD thesis, École Polytechnique, 7 December 2000.

[Bla01] Bruno Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), pp. 82–96, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

[Bla03] Bruno Blanchet. Escape analysis for Java™: Theory and practice. ACM Transactions on Programming Languages and Systems, vol. 25, no. 6, November 2003, pp. 713–775.

[Bla04a] Bruno Blanchet. Automatic proof of strong secrecy for security protocols. In: IEEE Symposium on Security and Privacy, pp. 86–100, Oakland, California, May 2004.

[Bla04b] Bruno Blanchet. Automatic Proof of Strong Secrecy for Security Protocols. Technical report no. MPI-I-2004-NWG1-001, Max-Planck-Institut für Informatik, Saarbrücken, Germany, July 2004.

[Bla05] Bruno Blanchet. Security protocols: From linear to classical logic by abstract interpretation. Information Processing Letters, vol. 95, no. 5, September 2005, pp. 473–479.

[Bla07] Bruno Blanchet. Computationally sound mechanized proofs of correspondence assertions. In: 20th IEEE Computer Security Foundations Symposium (CSF'07), pp. 97–111, Venice, Italy, July 2007. IEEE. Extended version available as ePrint Report 2007/128, http://eprint.iacr.org/2007/128.

[Bla08a] Bruno Blanchet. Automatic verification of correspondences for security protocols. Report arXiv:0802.3444v1, 2008. Article attached in the appendix and available at http://arxiv.org/abs/0802.3444v1. Version without proofs to appear in the Journal of Computer Security.

[Bla08b] Bruno Blanchet. A computationally sound mechanized prover for security protocols. IEEE Transactions on Dependable and Secure Computing, vol. 5, no. 4, October–December 2008, pp. 193–207. Article attached in the appendix.

[BLMW07] Emmanuel Bresson, Yassine Lakhnech, Laurent Mazaré and Bogdan Warinschi. A generalization of DDH with applications to protocol analysis and computational soundness. In: Advances in Cryptology – CRYPTO 2007, edited by A. J. Menezes, Lecture Notes in Computer Science, volume 4622, pp. 482–499. Springer, August 2007.

[BLP06] Liana Bozga, Yassine Lakhnech and Michaël Périn. Pattern-based abstraction for verifying secrecy in protocols. International Journal on Software Tools for Technology Transfer (STTT), vol. 8, no. 1, February 2006, pp. 57–76.

[BLR00] Philippa Broadfoot, Gavin Lowe and Bill Roscoe. Automating data independence. In: 6th European Symposium on Research in Computer Security (ESORICS 2000), Lecture Notes in Computer Science, volume 1895, pp. 175–190, Toulouse, France, October 2000. Springer.

[BM92] Steven M. Bellovin and Michael Merritt. Encrypted Key Exchange: Password-based protocols secure against dictionary attacks. In: Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72–84, May 1992.

[BM93] Steven M. Bellovin et Michael Merritt. – Augmented Encrypted Key Ex-change : a password-based protocol secure against dictionary attacks and passwordfile compromise. In : Proceedings of the First ACM Conference on Computer andCommunications Security, pp. 244–250, novembre 1993.

[BMU08] Michael Backes, Matteo Maffei et Dominique Unruh. – Zero-knowledge inthe applied pi-calculus and automated verification of the direct anonymous at-testation protocol. In : 29th IEEE Symposium on Security and Privacy, pp.202–215, Oakland, CA, mai 2008. IEEE. Rapport technique disponible a http:

//eprint.iacr.org/2007/289.

[BMV03] David Basin, Sebastian Mödersheim and Luca Viganò. An on-the-fly model-checker for security protocol analysis. In: Computer Security – ESORICS 2003, 8th European Symposium on Research in Computer Security, ed. by Einar Snekkenes and Dieter Gollmann, Lecture Notes in Computer Science, vol. 2808, pp. 253–270, Gjøvik, Norway, October 2003. Springer.

[BN00] Mihir Bellare and Chanathip Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Advances in Cryptology – ASIACRYPT'00, ed. by T. Okamoto, Lecture Notes in Computer Science, vol. 1976, pp. 531–545, Kyoto, Japan, December 2000. Springer.

[BN05] Johannes Borgström and Uwe Nestmann. On bisimulations for the spi calculus. Mathematical Structures in Computer Science, vol. 15, no. 3, June 2005, pp. 487–552.

[Bod00] Chiara Bodei. Security Issues in Process Calculi. PhD thesis, Università di Pisa, January 2000.

[Bol97] Dominique Bolignano. Towards a mechanization of cryptographic protocol verification. In: 9th International Conference on Computer Aided Verification (CAV'97), ed. by O. Grumberg, Lecture Notes in Computer Science, vol. 1254, pp. 131–142. Springer, 1997.

[BP04] Michael Backes and Birgit Pfitzmann. Symmetric encryption in a simulatable Dolev-Yao style cryptographic library. In: 17th IEEE Computer Security Foundations Workshop, pp. 204–218, Pacific Grove, CA, June 2004. IEEE.

[BP05a] Michael Backes and Birgit Pfitzmann. Relating symbolic and cryptographic secrecy. IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 2, April 2005, pp. 109–123.

[BP05b] Bruno Blanchet and Andreas Podelski. Verification of cryptographic protocols: Tagging enforces termination. Theoretical Computer Science, vol. 333, no. 1-2, March 2005, pp. 67–90. Special issue FoSSaCS'03.

[BP06] Bruno Blanchet and David Pointcheval. Automated security proofs with sequences of games. In: Advances in Cryptology – CRYPTO 2006, ed. by Cynthia Dwork, Lecture Notes in Computer Science, vol. 4117, pp. 537–554, Santa Barbara, CA, August 2006. Springer.

[BPR00] Mihir Bellare, David Pointcheval and Phillip Rogaway. Authenticated key exchange secure against dictionary attacks. In: Advances in Cryptology – Proceedings of EUROCRYPT '00, ed. by B. Preneel, Lecture Notes in Computer Science, vol. 1807, pp. 139–155, Bruges, Belgium, 2000. Springer.

[BPS07] Michael Backes, Birgit Pfitzmann and Andre Scedrov. Key-dependent message security under active attacks – BRSIM/UC soundness of symbolic encryption with key cycles. In: 20th IEEE Computer Security Foundations Symposium (CSF'07), pp. 112–124, Venice, Italy, July 2007. IEEE.

[BPW03a] Michael Backes, Birgit Pfitzmann and Michael Waidner. A composable cryptographic library with nested operations. In: 10th ACM Conference on Computer and Communications Security (CCS'03), pp. 220–230, Washington, D.C., October 2003. ACM.

[BPW03b] Michael Backes, Birgit Pfitzmann and Michael Waidner. Symmetric authentication within a simulatable cryptographic library. In: Computer Security – ESORICS 2003, 8th European Symposium on Research in Computer Security, ed. by Einar Snekkenes and Dieter Gollmann, Lecture Notes in Computer Science, vol. 2808, pp. 271–290, Gjøvik, Norway, October 2003. Springer.

[BR93a] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security (CCS'93), pp. 62–73. ACM Press, 1993.

[BR93b] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In: Advances in Cryptology – CRYPTO 1993, ed. by Douglas R. Stinson, Lecture Notes in Computer Science, vol. 773, pp. 232–249, Santa Barbara, California, August 1993. Springer.

[BR04] P. J. Broadfoot and A. W. Roscoe. Embedding agents within the intruder to detect parallel attacks. Journal of Computer Security, vol. 12, no. 3/4, 2004, pp. 379–408.

[BR05] Michele Bugliesi and Sabina Rossi. Non-interference proof techniques for the analysis of cryptographic protocols. Journal of Computer Security, vol. 13, no. 1, 2005, pp. 87–113.

[BR06] Mihir Bellare and Phillip Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In: Advances in Cryptology – EUROCRYPT 2006, ed. by S. Vaudenay, Lecture Notes in Computer Science, vol. 4004, pp. 409–426, Saint Petersburg, Russia, May 2006. Springer. Extended version available at http://eprint.iacr.org/2004/331.

[BU08] Michael Backes and Dominique Unruh. Computational soundness of symbolic zero-knowledge proofs against active attackers. In: 21st IEEE Computer Security Foundations Symposium (CSF'08), pp. 255–269, Pittsburgh, PA, June 2008. IEEE Computer Society.

[BWW00] Birgit Baum-Waidner and Michael Waidner. Round-optimal and abuse-free optimistic multi-party contract signing. In: Automata, Languages and Programming, 27th International Colloquium, ICALP 2000, ed. by Ugo Montanari, José D. P. Rolim and Emo Welzl, Lecture Notes in Computer Science, vol. 1853, pp. 524–535, Geneva, Switzerland, July 2000. Springer.

[Can01] Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In: Proceedings of the 42nd Symposium on Foundations of Computer Science (FOCS), pp. 136–145, Las Vegas, Nevada, October 2001. IEEE. An updated version is available at Cryptology ePrint Archive, http://eprint.iacr.org/2000/067.

[CC79] Patrick Cousot and Radhia Cousot. Systematic design of program analysis frameworks. In: 6th Annual ACM Symposium on Principles of Programming Languages, pp. 269–282, San Antonio, Texas, 29–31 January 1979.

[CC05] Hubert Comon and Véronique Cortier. Tree automata with one memory, set constraints and cryptographic protocols. Theoretical Computer Science, vol. 331, no. 1, February 2005, pp. 143–214.

[CCK+06] Ran Canetti, Ling Cheung, Dilsun Kaynar, Moses Liskov, Nancy Lynch, Olivier Pereira and Roberto Segala. Time-bounded task-PIOAs: A framework for analyzing security protocols. In: 20th International Symposium on Distributed Computing (DISC), ed. by Shlomi Dolev, Lecture Notes in Computer Science, vol. 4167, pp. 238–253, Stockholm, Sweden, September 2006. Springer.

[CDE04] R. Corin, J. M. Doumen and S. Etalle. Analysing password protocol security against off-line dictionary attacks. In: 2nd International Workshop on Security Issues with Petri Nets and other Computational Models (WISP), Electronic Notes in Theoretical Computer Science, June 2004.

[CdH06] Ricardo Corin and Jerry den Hartog. A probabilistic Hoare-style logic for game-based cryptographic proofs. In: 33rd International Colloquium on Automata, Languages and Programming (ICALP), Track C (Security), Part II, ed. by M. Bugliesi, B. Preneel, V. Sassone and I. Wegener, Lecture Notes in Computer Science, vol. 4052, pp. 252–263, Venice, Italy, July 2006. Springer.

[CDKS00] I. Cervesato, N. Durgin, M. Kanovich and A. Scedrov. Interpreting strands in linear logic. In: 2000 Workshop on Formal Methods and Computer Security, 12th International Conference on Computer Aided Verification (CAV 2000) Satellite Workshop, Chicago, Illinois, July 2000.

[CDL+99] I. Cervesato, N. A. Durgin, P. D. Lincoln, J. C. Mitchell and A. Scedrov. A meta-notation for protocol analysis. In: 12th IEEE Computer Security Foundations Workshop (CSFW-12), pp. 55–69, Mordano, Italy, June 1999.

[CDL+05] Iliano Cervesato, Nancy Durgin, Patrick Lincoln, John C. Mitchell and Andre Scedrov. A comparison between strand spaces and multiset rewriting for security protocol analysis. Journal of Computer Security, vol. 13, no. 2, 2005, pp. 265–316.

[CEL07] Judicaël Courant, Cristian Ene and Yassine Lakhnech. Computationally sound typing for non-interference: The case of deterministic encryption. In: 27th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'07), ed. by V. Arvind and Sanjiva Prasad, Lecture Notes in Computer Science, vol. 4855, pp. 364–375, New Delhi, India, December 2007. Springer.

[CFR+91] Ron Cytron, Jeanne Ferrante, Barry K. Rosen, Mark N. Wegman and F. Kenneth Zadeck. Efficiently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems, vol. 13, no. 4, October 1991, pp. 451–490.

[CGH04] Ran Canetti, Oded Goldreich and Shai Halevi. The random oracle methodology, revisited. Journal of the ACM, vol. 51, no. 4, July 2004, pp. 557–594.

[CH06] Ran Canetti and Jonathan Herzog. Universally composable symbolic analysis of mutual authentication and key exchange protocols. In: Proceedings, Theory of Cryptography Conference (TCC'06), ed. by Shai Halevi and Tal Rabin, Lecture Notes in Computer Science, vol. 3876, pp. 380–403, New York, NY, March 2006. Springer. Extended version available at http://eprint.iacr.org/2004/334.

[CHW06] Véronique Cortier, Heinrich Hördegen and Bogdan Warinschi. Explicit randomness is not necessary when modeling probabilistic encryption. In: Workshop on Information and Computer Security (ICS 2006), Timisoara, Romania, September 2006. Proceedings to appear.

[Cir01] Horatiu Cirstea. Specifying authentication protocols using rewriting and strategies. In: Practical Aspects of Declarative Languages (PADL'01), ed. by I. V. Ramakrishnan, Lecture Notes in Computer Science, vol. 1990, pp. 138–152, Las Vegas, Nevada, March 2001. Springer.

[CJ97] John Clark and Jeremy Jacob. A Survey of Authentication Protocol Literature: Version 1.0. Technical report, University of York, Department of Computer Science, November 1997.

[CJM00] Edmund M. Clarke, Somesh Jha and Will Marrero. Verifying security protocols with Brutus. ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 9, no. 4, 2000, pp. 443–487.

[CKKW06] Véronique Cortier, Steve Kremer, Ralf Küsters and Bogdan Warinschi. Computationally sound symbolic secrecy in the presence of hash functions. In: Proceedings of the 26th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'06), ed. by Naveen Garg and S. Arun-Kumar, Lecture Notes in Computer Science, vol. 4337, pp. 176–187, Kolkata, India, December 2006. Springer.

[CKRT03a] Yannick Chevalier, Ralf Küsters, Michaël Rusinowitch and Mathieu Turuani. Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents. In: FST TCS 2003: Foundations of Software Technology and Theoretical Computer Science, 23rd Conference, ed. by Paritosh K. Pandya and Jaikumar Radhakrishnan, Lecture Notes in Computer Science, vol. 2914, pp. 124–135, Mumbai, India, December 2003. Springer.

[CKRT03b] Yannick Chevalier, Ralf Küsters, Michaël Rusinowitch and Mathieu Turuani. An NP decision procedure for protocol insecurity with XOR. In: 18th IEEE Symposium on Logic in Computer Science (LICS 2003), pp. 261–270, Ottawa, Canada, June 2003. IEEE Computer Society.

[CKRT05] Yannick Chevalier, Ralf Küsters, Michaël Rusinowitch and Mathieu Turuani. An NP decision procedure for protocol insecurity with XOR. Theoretical Computer Science, vol. 338, no. 1–3, June 2005, pp. 247–274.

[CKS04] Rohit Chadha, Steve Kremer and Andre Scedrov. Formal analysis of multi-party contract signing. In: 17th IEEE Computer Security Foundations Workshop (CSFW'04), pp. 266–279, Asilomar, Pacific Grove, California, June 2004. IEEE Computer Society.

[CLC03] Hubert Comon-Lundh and Véronique Cortier. New decidability results for fragments of first-order logic and application to cryptographic protocols. In: 14th International Conference on Rewriting Techniques and Applications (RTA 2003), ed. by Robert Nieuwenhuis, Lecture Notes in Computer Science, vol. 2706, pp. 148–164, Valencia, Spain, June 2003. Springer.

[CLC04] Hubert Comon-Lundh and Véronique Cortier. Security properties: two agents are sufficient. Science of Computer Programming, vol. 50, no. 1–3, February 2004, pp. 51–71.

[CLS03] Hubert Comon-Lundh and Vitaly Shmatikov. Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In: 18th IEEE Symposium on Logic in Computer Science (LICS'03), pp. 271–280, Ottawa, Canada, June 2003. IEEE Computer Society.

[CMAFE03] Ricardo Corin, Sreekanth Malladi, Jim Alves-Foss and Sandro Etalle. Guess what? Here is a new tool that finds some new guessing attacks. In: Workshop on Issues in the Theory of Security (WITS'03), ed. by Roberto Gorrieri, Warsaw, Poland, April 2003.

[CMP05] Iliano Cervesato, Catherine Meadows and Dusko Pavlovic. An encapsulated authentication logic for reasoning about key distribution protocols. In: 18th IEEE Computer Security Foundations Workshop (CSFW'05), pp. 48–61, Aix-en-Provence, France, June 2005. IEEE Computer Society Press.

[CMR01] Véronique Cortier, Jon Millen and Harald Rueß. Proving secrecy is easy enough. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), pp. 97–108, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

[Coh02] Ernie Cohen. Proving protocols safe from guessing. In: Foundations of Computer Security, Copenhagen, Denmark, July 2002.

[Coh03] Ernie Cohen. First-order verification of cryptographic protocols. Journal of Computer Security, vol. 11, no. 2, 2003, pp. 189–216.

[Cor03] Véronique Cortier. Vérification automatique des protocoles cryptographiques. PhD thesis, ENS de Cachan, March 2003.

[Cre06] Cas J. F. Cremers. Scyther – Semantics and Verification of Security Protocols. PhD thesis, Eindhoven University of Technology, November 2006.

[Cre08] Cas J. F. Cremers. On the protocol composition logic PCL. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS'08), pp. 66–76, Tokyo, Japan, March 2008. ACM.

[CRS05] David Chaum, Peter Y. A. Ryan and Steve Schneider. A practical voter-verifiable election scheme. In: Computer Security – ESORICS 2005, 10th European Symposium on Research in Computer Security, ed. by Sabrina De Capitani di Vimercati, Paul Syverson and Dieter Gollmann, Lecture Notes in Computer Science, vol. 3679, pp. 118–139, Milan, Italy, September 2005. Springer.

[CRZ07] Véronique Cortier, Michaël Rusinowitch and Eugen Zălinescu. Relating two standard notions of secrecy. Logical Methods in Computer Science, vol. 3, no. 3, July 2007.

[CV01] Yannick Chevalier and Laurent Vigneron. A tool for lazy verification of security protocols. In: 16th IEEE International Conference on Automated Software Engineering (ASE 2001), pp. 373–376, Coronado Island, San Diego, CA, November 2001. IEEE Computer Society.

[CW05] Véronique Cortier and Bogdan Warinschi. Computationally sound, automated proofs for security protocols. In: 14th European Symposium on Programming (ESOP'05), ed. by Mooly Sagiv, Lecture Notes in Computer Science, vol. 3444, pp. 157–171, Edinburgh, U.K., April 2005. Springer.

[CZ06] Véronique Cortier and Eugen Zălinescu. Deciding key cycles for security protocols. In: Logic for Programming, Artificial Intelligence, and Reasoning, 13th International Conference, LPAR 2006, ed. by Miki Hermann and Andrei Voronkov, Lecture Notes in Computer Science, vol. 4246, pp. 317–331, Phnom Penh, Cambodia, November 2006. Springer.

[DDM+05] Anupam Datta, Ante Derek, John C. Mitchell, Vitaly Shmatikov and Mathieu Turuani. Probabilistic polynomial-time semantics for a protocol security logic. In: ICALP 2005: 32nd International Colloquium on Automata, Languages and Programming, ed. by Luís Caires and Luís Monteiro, Lecture Notes in Computer Science, vol. 3580, pp. 16–29, Lisbon, Portugal, July 2005. Springer.

[DDMP05] Anupam Datta, Ante Derek, John C. Mitchell and Dusko Pavlovic. A derivation system and compositional logic for security protocols. Journal of Computer Security, vol. 13, no. 3, 2005, pp. 423–482.

[DDMW06] Anupam Datta, Ante Derek, John C. Mitchell and Bogdan Warinschi. Computationally sound compositional logic for key exchange protocols. In: 19th IEEE Computer Security Foundations Workshop (CSFW'06), pp. 321–334, Venice, Italy, July 2006. IEEE Computer Society.

[DFG00] Antonio Durante, Riccardo Focardi and Roberto Gorrieri. A compiler for analyzing cryptographic protocols using noninterference. ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 9, no. 4, October 2000, pp. 488–528.

[DH76] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, vol. IT-22, no. 6, November 1976, pp. 644–654.

[DJ04] Stéphanie Delaune and Florent Jacquemard. A theory of dictionary attacks and its complexity. In: 17th IEEE Computer Security Foundations Workshop, pp. 2–15, Pacific Grove, CA, June 2004. IEEE.

[DKR07] Stéphanie Delaune, Steve Kremer and Mark D. Ryan. Symbolic bisimulation for the applied pi-calculus. In: 27th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'07), ed. by V. Arvind and Sanjiva Prasad, Lecture Notes in Computer Science, vol. 4855, pp. 133–145, New Delhi, India, December 2007. Springer.

[DLMS04] Nancy Durgin, Patrick Lincoln, John C. Mitchell and Andre Scedrov. Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security, vol. 12, no. 2, 2004, pp. 247–311.

[DM00] Grit Denker and Jonathan Millen. CAPSL integrated protocol environment. In: DARPA Information Survivability Conference and Exposition (DISCEX'00), pp. 207–221, Hilton Head, South Carolina, January 2000. IEEE.

[DMP03] Nancy Durgin, John C. Mitchell and Dusko Pavlovic. A compositional logic for proving security properties of protocols. Journal of Computer Security, vol. 11, no. 4, 2003, pp. 677–721.

[DMT98] Grit Denker, José Meseguer and Carolyn Talcott. Protocol specification and analysis in Maude. In: Workshop on Formal Methods and Security Protocols, ed. by N. Heintze and J. Wing, Indianapolis, Indiana, 25 June 1998.

[DMV05] Paul Hankes Drielsma, Sebastian Mödersheim and Luca Viganò. A formalization of off-line guessing for security protocol analysis. In: Logic for Programming, Artificial Intelligence, and Reasoning: 11th International Conference, LPAR 2004, ed. by Franz Baader and Andrei Voronkov, Lecture Notes in Computer Science, vol. 3452, pp. 363–379, Montevideo, Uruguay, March 2005. Springer.

[dN95] Hans de Nivelle. Ordering Refinements of Resolution. PhD thesis, Technische Universiteit Delft, October 1995.

[DR06] Tim Dierks and Eric Rescorla. RFC 4346: The Transport Layer Security (TLS) Protocol, Version 1.1. April 2006. http://tools.ietf.org/html/rfc4346.

[DS81] Dorothy E. Denning and Giovanni Maria Sacco. Timestamps in key distribution protocols. Communications of the ACM, vol. 24, no. 8, August 1981, pp. 533–536.

[DSV03] Luca Durante, Riccardo Sisto and Adriano Valenzano. Automatic testing equivalence verification of spi calculus specifications. ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 12, no. 2, April 2003, pp. 222–284.

[DY83] Danny Dolev and Andrew C. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, vol. IT-29, no. 2, March 1983, pp. 198–208.

[EMM06] Santiago Escobar, Catherine Meadows and José Meseguer. A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theoretical Computer Science, vol. 367, no. 1-2, 2006, pp. 162–202.

[Fer05] Jérôme Feret. Analysis of mobile systems by abstract interpretation. PhD thesis, École Polytechnique, February 2005.

[FGM00] Riccardo Focardi, Roberto Gorrieri and Fabio Martinelli. Non interference for the analysis of cryptographic protocols. In: Automata, Languages and Programming, 27th International Colloquium, ICALP'00, ed. by Ugo Montanari, José D. P. Rolim and Emo Welzl, Lecture Notes in Computer Science, vol. 1853, pp. 354–372, Geneva, Switzerland, July 2000. Springer.

[FHG99] F. Javier Thayer Fábrega, Jonathan C. Herzog and Joshua D. Guttman. Strand spaces: Proving security protocols correct. Journal of Computer Security, vol. 7, no. 2/3, 1999, pp. 191–230.

[GJ01] Andrew Gordon and Alan Jeffrey. Authenticity by typing for security protocols. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), pp. 145–159, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

[GJ02] Andrew Gordon and Alan Jeffrey. Typing one-to-one and one-to-many correspondences in security protocols. In: Software Security – Theories and Systems, Mext-NSF-JSPS International Symposium, ISSS 2002, ed. by M. Okada, B. Pierce, A. Scedrov, H. Tokuda and A. Yonezawa, Lecture Notes in Computer Science, vol. 2609, pp. 263–282, Tokyo, Japan, November 2002. Springer.

[GJ03] Andrew Gordon and Alan Jeffrey. Authenticity by typing for security protocols. Journal of Computer Security, vol. 11, no. 4, 2003, pp. 451–521.

[GJ04] Andrew Gordon and Alan Jeffrey. Types and effects for asymmetric cryptographic protocols. Journal of Computer Security, vol. 12, no. 3/4, 2004, pp. 435–484.

[GK00] Thomas Genet and Francis Klay. Rewriting for cryptographic protocol verification. In: 17th International Conference on Automated Deduction (CADE-17), ed. by D. McAllester, Lecture Notes in Computer Science, vol. 1831, pp. 271–290, Pittsburgh, PA, June 2000. Springer.

[GL00] Jean Goubault-Larrecq. A method for automatic cryptographic protocol verification (extended abstract), invited paper. In: Fifth International Workshop on Formal Methods for Parallel Programming: Theory and Applications (FMPPTA 2000), ed. by J. Rolim et al., Lecture Notes in Computer Science, vol. 1800, pp. 977–984, Cancún, Mexico, May 2000. Springer.

[GL05] Jean Goubault-Larrecq. Deciding H1 by resolution. Information Processing Letters, vol. 95, no. 3, August 2005, pp. 401–408.

[GL08] Jean Goubault-Larrecq. Towards producing formally checkable security proofs, automatically. In: 21st IEEE Computer Security Foundations Symposium (CSF'08), pp. 224–238, Pittsburgh, PA, June 2008. IEEE Computer Society.

[GLP05] Jean Goubault-Larrecq and Fabrice Parrennes. Cryptographic protocol analysis on real C code. In: Proceedings of the 6th International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI'05), ed. by Radhia Cousot, Lecture Notes in Computer Science, vol. 3385, pp. 363–379, Paris, France, January 2005. Springer.

[GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, vol. 28, 1984, pp. 270–299.

[GM99] Juan A. Garay and Philip MacKenzie. Abuse-free multi-party contract signing. In: Distributed Computing: 13th International Symposium, DISC'99, ed. by Prasad Jayanti, Lecture Notes in Computer Science, vol. 1693, pp. 151–165, Bratislava, Slovak Republic, September 1999. Springer.

[GM03] Roberto Gorrieri and Fabio Martinelli. Process algebraic frameworks for the specification and analysis of cryptographic protocols. In: Mathematical Foundations of Computer Science 2003, 28th International Symposium, MFCS 2003, ed. by Branislav Rovan and Peter Vojtáš, Lecture Notes in Computer Science, vol. 2747, pp. 46–67, Bratislava, Slovakia, August 2003. Springer.

[GMP05] Alexey Gotsman, Fabio Massacci and Marco Pistore. Towards an independent semantics and verification technology for the HLPSL specification language. Electronic Notes in Theoretical Computer Science, vol. 135, no. 1, July 2005, pp. 59–77.

[GMR88] Shafi Goldwasser, Silvio Micali and Ronald Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, vol. 17, no. 2, April 1988, pp. 281–308.

[GNY90] Li Gong, Roger Needham and Raphael Yahalom. Reasoning about belief in cryptographic protocols. In: Proceedings of the 1990 IEEE Symposium on Research in Security and Privacy, pp. 234–248, Oakland, California, May 1990. IEEE Computer Society.

[God06] Jens Chr. Godskesen. Formal verification of the ARAN protocol using the applied pi-calculus. In: Proceedings of the Sixth International IFIP WG 1.7 Workshop on Issues in the Theory of Security (WITS'06), pp. 99–113, Vienna, Austria, March 2006.

[Hal05] Shai Halevi. A plausible approach to computer-aided cryptographic proofs. Cryptology ePrint Archive, Report 2005/181, June 2005. Available at http://eprint.iacr.org/2005/181.

[Her03] Jonathan Herzog. A computational interpretation of Dolev-Yao adversaries. In: WITS'03 – Workshop on Issues in the Theory of Security, ed. by Roberto Gorrieri, pp. 146–155, Warsaw, Poland, April 2003.

[HLM03] Jonathan Herzog, Moses Liskov and Silvio Micali. Plaintext awareness via key registration. In: Advances in Cryptology – CRYPTO 2003, ed. by Dan Boneh, Lecture Notes in Computer Science, vol. 2729, pp. 548–564, Santa Barbara, California, August 2003. Springer.

[HLS00] James Heather, Gavin Lowe and Steve Schneider. How to prevent type flaw attacks on security protocols. In: 13th IEEE Computer Security Foundations Workshop (CSFW-13), pp. 255–268, Cambridge, England, July 2000.

[HS05] James Heather and Steve Schneider. A decision procedure for the existence of a rank function. Journal of Computer Security, vol. 13, no. 2, 2005, pp. 317–344.

[Hut02] Hans Hüttel. Deciding framed bisimilarity. In: 4th International Workshop on Verification of Infinite-State Systems (INFINITY'02), pp. 1–20, Brno, Czech Republic, August 2002.

[IEE99] IEEE Computer Society. IEEE Standard 802.11: IEEE Standard for Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 1999.

[IEE04] IEEE Computer Society. IEEE Standard 802.11i: IEEE Standard for Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, Amendment 6: Medium Access Control (MAC) Security Enhancements, 2004.

[IET06] IETF. Public key cryptography for initial authentication in Kerberos, 1996–2006. RFC 4556. Preliminary versions available as a sequence of Internet Drafts at http://tools.ietf.org/wg/krb-wg/draft-ietf-cat-kerberos-pk-init/.

[JLM05] Romain Janvier, Yassine Lakhnech and Laurent Mazaré. Completing the picture: Soundness of formal encryption in the presence of active adversaries. In: 14th European Symposium on Programming (ESOP'05), ed. by Mooly Sagiv, Lecture Notes in Computer Science, vol. 3444, pp. 172–185, Edinburgh, U.K., April 2005. Springer.

[JLM06] Romain Janvier, Yassine Lakhnech and Laurent Mazaré. Relating the symbolic and computational models of security protocols using hashes. In: Proceedings of the Joint Workshop on Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis (FCS-ARSPA'06), ed. by Pierpaolo Degano, Ralf Küsters, Luca Viganò and Steve Zdancewic, pp. 67–89, Seattle, Washington, August 2006.

[Kau05] Charlie Kaufman. RFC 4306: Internet Key Exchange (IKEv2) Protocol. December 2005. http://www.ietf.org/rfc/rfc4306.txt.

[KB70] Donald E. Knuth and Peter B. Bendix. Simple word problems in universal algebras. In: Computational Problems in Abstract Algebra, ed. by J. Leech, pp. 263–297. Pergamon Press, Oxford, U.K., 1970.

[KH06] Himanshu Khurana and Hyung-Seok Hahm. Certified mailing lists. In: Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS'06), pp. 46–58, Taipei, Taiwan, March 2006. ACM.

[KR04] Steve Kremer and Mark D. Ryan. Analysing the vulnerability of protocols to produce known-pair and chosen-text attacks. In: Proceedings of the 2nd International Workshop on Security Issues in Coordination Models, Languages, and Systems (SecCo 2004), ed. by R. Focardi and G. Zavattaro, Electronic Notes in Theoretical Computer Science, vol. 128(5), pp. 87–104, August 2004.

[KR05] Steve Kremer and Mark D. Ryan. Analysis of an electronic voting protocol in the applied pi calculus. In: Programming Languages and Systems: 14th European Symposium on Programming, ESOP 2005, ed. by Mooly Sagiv, Lecture Notes in Computer Science, vol. 3444, pp. 186–200, Edinburgh, UK, April 2005. Springer.

[Kra96] Hugo Krawczyk. SKEME: A versatile secure key exchange mechanism for Internet. In: Internet Society Symposium on Network and Distributed Systems Security, February 1996. Available at http://bilbo.isu.edu/sndss/sndss96.html.

[KRS+03] Mahesh Kallahalla, Erik Riedel, Ram Swaminathan, Qian Wang and Kevin Fu. Plutus: Scalable secure file sharing on untrusted storage. In: 2nd Conference on File and Storage Technologies (FAST'03), pp. 29–42, San Francisco, CA, April 2003. USENIX.

[KW96] Darrell Kindred and Jeannette M. Wing. Fast, automatic checking of security protocols. In: USENIX 2nd Workshop on Electronic Commerce, pp. 41–52, November 1996.

[Lau03] Peeter Laud. Handling encryption in an analysis for secure information flow. In: Programming Languages and Systems, 12th European Symposium on Programming, ESOP'03, ed. by Pierpaolo Degano, Lecture Notes in Computer Science, vol. 2618, pp. 159–173, Warsaw, Poland, April 2003. Springer.

[Lau04] Peeter Laud. Symmetric encryption in automatic analyses for confidentiality against active adversaries. In: IEEE Symposium on Security and Privacy, pp. 71–85, Oakland, California, May 2004.

[Lau05] Peeter Laud. Secrecy types for a simulatable cryptographic library. In: 12th ACM Conference on Computer and Communications Security (CCS'05), pp. 26–35, Alexandria, VA, November 2005. ACM.

[LMBG05] Kevin D. Lux, Michael J. May, Nayan L. Bhattad and Carl A. Gunter. WSEmail: Secure Internet messaging based on web services. In: International Conference on Web Services (ICWS'05), pp. 75–82, Orlando, Florida, July 2005. IEEE Computer Society.

[LMMS98] P. D. Lincoln, J. C. Mitchell, M. Mitchell and A. Scedrov. A probabilistic poly-time framework for protocol analysis. In: ACM Computer and Communications Security (CCS-5), pp. 112–121, San Francisco, California, November 1998.

[LMMS99] P. D. Lincoln, J. C. Mitchell, M. Mitchell and A. Scedrov. Probabilistic polynomial-time equivalence and security protocols. In: FM'99 World Congress on Formal Methods in the Development of Computing Systems, ed. by J. M. Wing, J. Woodcock and J. Davies, Lecture Notes in Computer Science, vol. 1708, pp. 776–793, Toulouse, France, September 1999. Springer.

[Low96] Gavin Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science, vol. 1055, pp. 147–166. Springer, 1996.

[Low97] Gavin Lowe. A hierarchy of authentication specifications. In: 10th Computer Security Foundations Workshop (CSFW'97), pp. 31–43, Rockport, Massachusetts, June 1997. IEEE Computer Society.

[Low02] Gavin Lowe. Analyzing protocols subject to guessing attacks. In: Workshop on Issues in the Theory of Security (WITS'02), Portland, Oregon, January 2002.

[LV05] Peeter Laud and Varmo Vene. A type system for computationally secure information flow. In: 15th International Symposium on Fundamentals of Computation Theory (FCT'05), ed. by Maciej Liśkiewicz and Rüdiger Reischuk, Lecture Notes in Computer Science, vol. 3623, pp. 365–377, Lübeck, Germany, August 2005. Springer.

[Lyn97] Christopher Lynch. Oriented equational logic programming is complete. Journal of Symbolic Computation, vol. 21, no. 1, 1997, pp. 23–45.

[MCF87] Jonathan K. Millen, Sidney C. Clark and Sheryl B. Freedman. The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, vol. SE-13, no. 2, February 1987, pp. 274–288.

[Mea96] Catherine A. Meadows. The NRL protocol analyzer: An overview. Journal of Logic Programming, vol. 26, no. 2, 1996, pp. 113–131.

[Mil95] Jonathan K. Millen. The Interrogator model. In: 1995 IEEE Symposium on Security and Privacy, pp. 251–260, Oakland, California, May 1995. IEEE Computer Society Press.

[Mil99] Jonathan Millen. A necessarily parallel attack. In: Workshop on Formal Methods and Security Protocols (FMSP'99), Trento, Italy, July 1999.

[Mil02] Giuseppe Milicia. χ-spaces: Programming security protocols. In: Proceedings of the 14th Nordic Workshop on Programming Theory (NWPT'02), Tallinn, Estonia, November 2002.

Page 85: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

Bibliographie 77

[MMS97] John C. Mitchell, Mark Mitchell et Ulrich Stern. – Automated analysis ofcryptographic protocols using Murϕ. In : 1997 IEEE Symposium on Security andPrivacy, pp. 141–151, 1997.

[MMS03] P. Mateus, J. Mitchell et A. Scedrov. – Composition of cryptographic pro-tocols in a probabilistic polynomial-time process calculus. In : CONCUR 2003 -Concurrency Theory, 14-th International Conference, ed. par R. Amadio et D. Lu-

giez, Lecture Notes on Computer Science, volume 2761, pp. 327–349, Marseille,France, septembre 2003. Springer.

[MN02] Cathy Meadows et Paliath Narendran. – A unification algorithm for thegroup Diffie-Hellman protocol. In : Workshop on Issues in the Theory of Se-curity (WITS’02), Portland, Oregon, janvier 2002.

[Mon99] David Monniaux. – Decision procedures for the analysis of cryptographic proto-cols by logics of belief. In : 12th Computer Security Foundations Workshop, pp.44–54, Mordano, Italy, juin 1999. IEEE.

[Mon03] David Monniaux. – Abstracting cryptographic protocols with tree automata.Science of Computer Programming, vol. 47, n 2–3, 2003, pp. 177–202.

[MPW92] Robin Milner, Joachim Parrow et David Walker. – A calculus of mobileprocesses, parts I and II. Information and Computation, vol. 100, septembre 1992,pp. 1–40 and 41–77.

[MR06] Aybek Mukhamedov et Mark Ryan. – Resolve-impossibility for a contract-signing protocol. In : 19th Computer Security Foundations Workshop (CSFW’06),pp. 167–176, Venice, Italy, juillet 2006. IEEE Computer Society.

[MRST06] John C. Mitchell, Ajith Ramanathan, Andre Scedrov et V. Teague. – Aprobabilistic polynomial-time calculus for the analysis of cryptographic protocols.Theoretical Computer Science, vol. 353, n 1–3, mars 2006, pp. 118–164.

[MS01] Jonathan Millen et Vitaly Shmatikov. – Constraint solving for bounded-processcryptographic protocol analysis. In : Proc. 8th ACM Conference on Computerand Communications Security (CCS ’01), pp. 166–175, 2001.

[MW04a] Daniele Micciancio et Bogdan Warinschi. – Completeness theorems for theAbadi-Rogaway logic of encrypted expressions. Journal of Computer Security,vol. 12, n 1, 2004, pp. 99–129.

[MW04b] Daniele Micciancio et Bogdan Warinschi. – Soundness of formal encryptionin the presence of active adversaries. In : Theory of Cryptography Conference(TCC’04), ed. par Moni Naor, Lecture Notes on Computer Science, volume 2951,pp. 133–151, Cambridge, MA, USA, fevrier 2004. Springer.

[NS78] Roger M. Needham et Michael D. Schroeder. – Using encryption for authen-tication in large networks of computers. Communications of the ACM, vol. 21, n12, decembre 1978, pp. 993–999.

[NS87] Roger M. Needham et Michael D. Schroeder. – Authentication revisited. Ope-rating Systems Review, vol. 21, n 1, 1987, p. 7.

[NYHR05] Clifford Neuman, Tom Yu, Sam Hartman et Kenneth Raeburn. – The Ker-beros network authentication service (V5), juillet 2005. http://www.ietf.org/rfc/rfc4120.

[OR87] Dave Otway et Owen Rees. – Efficient and timely mutual authentication. Ope-rating Systems Review, vol. 21, n 1, 1987, pp. 8–10.

[Pau98] Larry C. Paulson. – The inductive approach to verifying cryptographic protocols.Journal of Computer Security, vol. 6, n 1–2, 1998, pp. 85–128.

Page 86: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

78 Bibliographie

[Pot02] Francois Pottier. – A simple view of type-secure information flow in the π-calculus. In : Proceedings of the 15th IEEE Computer Security Foundations Work-shop, pp. 320–330, Cape Breton, Nova Scotia, juin 2002.

[PS02] Francois Pottier et Vincent Simonet. – Information flow inference for ML. In :Proceedings of the 29th ACM Symposium on Principles of Programming Languages(POPL’02), pp. 319–330, Portland, Oregon, janvier 2002.

[PS07] Erik Poll et Aleksy Schubert. – Verifying an implementation of SSH. In : 7thInternational Workshop on Issues in the Theory of Security (WITS’07), Braga,Portugal, mars 2007.

[PSD04] Davide Pozza, Riccardo Sisto et Luca Durante. – Spi2Java : Automatic crypto-graphic protocol Java code generation from spi calculus. In : 18th InternationalConference on Advanced Information Networking and Applications (AINA’04),volume 1, pp. 400–405, Fukuoka, Japan, mars 2004. IEEE Computer Society.

[RB99] A. W. Roscoe et P. J. Broadfoot. – Proving security protocols with modelcheckers by data independence techniques. Journal of Computer Security, vol. 7,n 2, 3, 1999, pp. 147–190.

[RMST04] Ajith Ramanathan, John Mitchell, Andre Scedrov et Vanessa Teague. –Probabilistic bisimulation and equivalence for security analysis of network proto-cols. In : FOSSACS 2004 - Foundations of Software Science and ComputationStructures, ed. par I. Walukiewicz, Lecture Notes on Computer Science, volume2987, pp. 468–483, Barcelona, Spain, mars 2004. Springer.

[RS03] R. Ramanujam et S.P. Suresh. – Tagging makes secrecy decidable with unboun-ded nonces as well. In : FST TCS 2003 : Foundations of Software Technologyand Theoretical Computer Science, ed. par P.K. Pandya et J. Radhakrishnan,Lecture Notes on Computer Science, volume 2914, pp. 363–374, Mumbai, India,decembre 2003. Springer.

[RSA78] Ronald Rivest, Adi Shamir et Leonard Adleman. – A method for obtainingdigital signatures and public key cryptosystems. Communications of the ACM,vol. 21, n 2, fevrier 1978, pp. 120–126.

[RT03] Michael Rusinowitch et Mathieu Turuani. – Protocol insecurity with finitenumber of sessions is NP-complete. Theoretical Computer Science, vol. 299, n1–3, avril 2003, pp. 451–475.

[SA06] Geoffrey Smith et Rafael Alpızar. – Secure information flow with random assi-gnment and encryption. In : 4th ACM Workshop on Formal Methods in SecurityEngineering (FMSE’06), pp. 33–43, Alexandria, Virginia, novembre 2006.

[SBB+06] Christoph Sprenger, Michael Backes, David Basin, Birgit Pfitzmann et Mi-chael Waidner. – Cryptographically sound theorem proving. In : 19th IEEEComputer Security Foundations Workshop (CSFW-19), pp. 153–166, Venice, Italy,juillet 2006. IEEE.

[SBP01] Dawn Xiaodong Song, Sergey Berezin et Adrian Perrig. – Athena : a novelapproach to efficient automatic security protocol analysis. Journal of ComputerSecurity, vol. 9, n 1/2, 2001, pp. 47–74.

[Sch96] Bruce Schneier. – Applied Cryptography, Second Edition. – John Wiley & Sons,1996.

[Sho01] Victor Shoup. – A proposal for an ISO standard for public-key encryption,decembre 2001. ISO/IEC JTC 1/SC27.

[Sho02] Victor Shoup. – OAEP reconsidered. Journal of Cryptology, vol. 15, n 4, sep-tembre 2002, pp. 223–249.

Page 87: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

Bibliographie 79

[Sho04] Victor Shoup. – Sequences of games : a tool for taming complexity in securityproofs. – Cryptology ePrint Archive, Report 2004/332, novembre 2004. Availableat http://eprint.iacr.org/2004/332.

[SPP01] Dawn Song, Adrian Perrig et Doantam Phan. – AGVI—Automatic Genera-tion, Verification, and Implementation of security protocols. In : Computer AidedVerification (CAV’01), ed. par Gerard Berry, Hubert Comon et Alain Finkel,Lecture Notes on Computer Science, volume 2102, pp. 241–245, Paris, France,juillet 2001. Springer.

[Sti05] Douglas R. Stinson. – Cryptography : Theory and Practice, Third Edition. – CRCPress, novembre 2005.

[SvO94] Paul Syverson et Paul C. van Oorschot. – On unifying some cryptographicprotocol logics. In : Proceedings 1994 IEEE Symposium on Research in Securityand Privacy, pp. 14–28, Oakland, California, mai 1994. IEEE Computer Society.

[Tar05] Sabrina Tarento. – Machine-checked security proofs of cryptographic signatureschemes. In : Proceedings of the 10th European Symposium On Research In Com-puter Security (ESORICS 2005), ed. par Sabrina de Capitani di Vimercati,Paul Syverson et Dieter Gollmann, Lecture Notes on Computer Science, vo-lume 3679, pp. 140–158, Milan, Italy, septembre 2005. Springer.

[TL07] Ilja Tsahhirov et Peeter Laud. – Application of dependency graphs to secu-rity protocol analysis. In : 3rd Symposium on Trustworthy Global Computing(TGC’07), ed. par Gilles Barthe et Cedric Fournet, Lecture Notes on Com-puter Science, volume 4912, Sophia-Antipolis, France, novembre 2007. Springer.

[Wei99] Christoph Weidenbach. – Towards an automatic analysis of security protocolsin first-order logic. In : 16th International Conference on Automated Deduction(CADE-16), ed. par Harald Ganzinger, Lecture Notes in Artificial Intelligence,volume 1632, pp. 314–328, Trento, Italy, juillet 1999. Springer.

[WFA] Wi-Fi Alliance. – Wi-Fi Protected Access (WPA). http://www.wi-fi.org.

[WL92] Thomas Y. C. Woo et Simon S. Lam. – Authentication for distributed systems.Computer, vol. 25, n 1, janvier 1992, pp. 39–52.

[WL93] Thomas Y. C. Woo et Simon S. Lam. – A semantic model for authenticationprotocols. In : Proceedings IEEE Symposium on Research in Security and Privacy,pp. 178–194, Oakland, California, mai 1993.

[WL97] Thomas Y. C. Woo et Simon S. Lam. – Authentication for distributed systems.In : Internet Besieged : Countering Cyberspace Scofflaws, ed. par Dorothy Den-

ning et Peter Denning, pp. 319–355. ACM Press and Addison-Wesley, octobre1997.

[WS96] David Wagner et Bruce Schneier. – Analysis of the SSL 3.0 protocol. In :The Second USENIX Workshop on Electronic Commerce Proceedings, pp. 29–40,Oakland, California, novembre 1996. USENIX Press.

[WY05] Xiaoyun Wang et Hongbo Yu. – How to break md5 and other hash functions. In :Advances in Cryptology – EUROCRYPT 2005, ed. par Ronald Cramer, LectureNotes on Computer Science, volume 3494, pp. 19–35, Aarhus, Denmark, mai 2005.Springer.

[WYY05] Xiaoyun Wang, Yiqun Lisa Yin et Hongbo Yu. – Finding collisions in the fullSHA-1. In : Advances in Cryptology – CRYPTO 2005, ed. par Victor Shoup,Lecture Notes on Computer Science, volume 3621, pp. 17–36, Santa Barbara, Ca-lifornia, aout 2005. Springer.

Page 88: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

80 Bibliographie

[Yao82] Andrew C. Yao. – Theory and applications of trapdoor functions. In : Proceedingsof the 23rd Annual Symposium on Foundations of Computer Science (FOCS’82),pp. 80–91, 1982.

[Ylo06] Tatu Ylonen. – The Secure Shell (SSH) protocol architecture. – janvier 2006.http://tools.ietf.org/html/rfc4251.

Page 89: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

Appendix A

Curriculum vitae

Personal details

Bruno Blanchet

École normale supérieure, département d'informatique
45, rue d'Ulm
75005 Paris, France
E-mail: [email protected]

Born 9 April 1974, single, French nationality.

Professional experience

Since 2001

Chargé de recherche (research scientist) at CNRS, assigned to the computer science laboratory of the École normale supérieure, Paris, France (1st class since 2005).

Education

1997-1998 and 1999-2000
PhD with Alain Deutsch at INRIA Rocquencourt under the supervision of Patrick Cousot, defended on 7 December 2000 at the École polytechnique, grade "Très honorable avec félicitations", École polytechnique thesis prize.
Subject: Analyse d'échappement. Applications à ML et Java (Escape analysis. Applications to ML and Java).

1998-1999
National service as "scientifique du contingent" at the computer science laboratory of the École polytechnique.

1994-1998
Student at the École normale supérieure (ranked 5th in the entrance examination).
97-98 First year of PhD.
96-97 Agrégation de mathématiques, ranked 24th.
95-96 DEA Sémantique, Preuves et Programmation, grade "Très bien", ranked 1st.
94-95 Licence and maîtrise in computer science, grade "Très bien".


Stays in foreign laboratories

Nov. 2001-Aug. 2004
Head of an independent research group (Nachwuchsgruppenleiter), Max-Planck-Institut für Informatik, Saarbrücken, Germany, about 2 to 3 weeks per month at the Max-Planck-Institut.

Aug.-Oct. 2000
Internship under the supervision of Martín Abadi, Bell Labs Research, Palo Alto, USA. Subject: verification of cryptographic protocols.

April 2000
Internship in Reinhard Wilhelm's group, Saarland University, Saarbrücken, Germany. Subject: inline encoding of objects in Java.

Editorial activity

Associate editor of the International Journal of Applied Cryptography (IJACT), since 2006.

Member of the program committees of:
2009 IEEE Computer Security Foundations Symposium (CSF'09)
     ACM SIGPLAN Conference on Principles of Programming Languages (POPL'09)
2008 ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS'08)
     IEEE Computer Security Foundations Symposium (CSF'08)
     Workshop on Formal and Computational Cryptography (FCC'08), PC co-chair
2007 Workshop on Formal and Computational Cryptography (FCC'07)
     Concurrency Theory (CONCUR'07)
     IEEE Computer Security Foundations Symposium (CSF'07)
     ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'07)
2006 Workshop on Formal and Computational Cryptography (FCC'06)
     IEEE Computer Security Foundations Workshop (CSFW'06)
     Workshop on Emerging Applications of Abstract Interpretation (EAAI'06)
     Foundations of Software Science and Computation Structures (FOSSACS'06)
2005 Mobile Code Safety and Program Verification Using Computational Logic Tools (MoveLog'05)
     IEEE Computer Security Foundations Workshop (CSFW'05)
     Abstract Interpretation for Object Oriented Languages (AIOOL'05)
     European Symposium on Programming (ESOP'05)
2004 Concurrency Theory (CONCUR'04)
     ACM Symposium on Applied Computing (SAC'04) Security Track
2003 International Workshop in Formal Methods (IWFM'03)

Specialist committee (commission de spécialistes)

Member of the computer science commission de spécialistes of the École normale supérieure de Cachan, since 2005.

PhD committees

2007 Mathieu Baudet, École normale supérieure de Cachan (examiner). Sécurité des protocoles cryptographiques : aspects logiques et calculatoires (Security of cryptographic protocols: logical and computational aspects).

2005 Zhang Yu, École normale supérieure de Cachan (examiner). Relations logiques cryptographiques — Qu'est-ce que l'équivalence contextuelle des protocoles cryptographiques et comment la prouver ? (Cryptographic logical relations: what is the contextual equivalence of cryptographic protocols and how can it be proved?).

Research supervision

2006 Maël Primet, long internship, École normale supérieure.
Verification of Java implementations of cryptographic protocols.

2005 Yannick Gerault, scientific internship, École polytechnique.
Analysis of cryptographic protocols defined by a sequence of messages.

2004 Xavier Allamigeon, scientific internship, École polytechnique.
Reconstruction of attacks against cryptographic protocols.

2003 Mehmet Kiraz, computer science master's internship, Saarland University.
Formalization and verification of informal descriptions of cryptographic protocols.

2002 Emma Rabbidge.
Implementation of a front-end for Java bytecode analysis.
Shiv Pratap Raghuwanshi, summer internship, IIT Kanpur.
Java implementation of the SSH protocol.

Teaching

2007-2008 Course "Protocoles cryptographiques : preuves formelles et calculatoires" (Cryptographic protocols: formal and computational proofs) with Steve Kremer, at the Master Parisien de Recherche en Informatique (MPRI), 12 hours.

2003-2007 Lectures on the verification of cryptographic protocols in the static analysis course of Patrick and Radhia Cousot at the DEA de Programmation : Sémantique, Preuves et Langages, which became the Master Parisien de Recherche en Informatique (MPRI), 6 hours/year.

1999-2002 Lectures on escape analysis in Radhia Cousot's static analysis course at the DEA Sémantique, Preuves et Programmation, 6 hours/year.

1999-2001 Computer science tutorials at the Université de Versailles, 64 hours/year.
1997-1998 Computer science tutorials at ENSTA, 15 hours.

1996-1999 Computer science tutorials at the École polytechnique, 48 hours/year.

Publications

International peer-reviewed journals

[1] Bruno Blanchet. – Automatic Verification of Correspondences for Security Protocols. Journal of Computer Security. To appear.

[2] Bruno Blanchet. – A Computationally Sound Mechanized Prover for Security Protocols. IEEE Transactions on Dependable and Secure Computing, vol. 5, no. 4, October-December 2008, pp. 193–207.

[3] Bruno Blanchet, Martín Abadi and Cédric Fournet. – Automated Verification of Selected Equivalences for Security Protocols. Journal of Logic and Algebraic Programming, vol. 75, no. 1, February-March 2008, pp. 3–51.

[4] Martín Abadi, Bruno Blanchet and Cédric Fournet. – Just Fast Keying in the Pi Calculus. ACM Transactions on Information and System Security (TISSEC), vol. 10, no. 3, July 2007, pp. 1–59.

[5] Martín Abadi and Bruno Blanchet. – Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer Programming, vol. 58, no. 1-2, October 2005, pp. 3–27.

[6] Bruno Blanchet. – Security Protocols: From Linear to Classical Logic by Abstract Interpretation. Information Processing Letters, vol. 95, no. 5, September 2005, pp. 473–479.

[7] Bruno Blanchet and Andreas Podelski. – Verification of Cryptographic Protocols: Tagging Enforces Termination. Theoretical Computer Science, vol. 333, no. 1-2, March 2005, pp. 67–90.

[8] Martín Abadi and Bruno Blanchet. – Analyzing Security Protocols with Secrecy Types and Logic Programs. Journal of the ACM, vol. 52, no. 1, January 2005, pp. 102–146.

[9] Bruno Blanchet. – Escape Analysis for Java. Theory and Practice. ACM Transactions on Programming Languages and Systems (TOPLAS), vol. 25, no. 6, November 2003, pp. 713–775.

[10] Martín Abadi and Bruno Blanchet. – Secrecy Types for Asymmetric Communication. Theoretical Computer Science, vol. 298, no. 3, April 2003, pp. 387–415.

Invited talks at international conferences

[11] Bruno Blanchet. – An Automatic Security Protocol Verifier based on Resolution Theorem Proving (invited tutorial). In: 20th International Conference on Automated Deduction (CADE-20), Tallinn, Estonia, July 2005.

[12] Bruno Blanchet. – Automatic Verification of Cryptographic Protocols: A Logic Programming Approach. In: 5th ACM-SIGPLAN International Conference on Principles and Practice of Declarative Programming (PPDP'03), pp. 1–3, Uppsala, Sweden, August 2003. ACM.

[13] Bruno Blanchet. – Abstracting Cryptographic Protocols by Prolog Rules. In: 8th International Static Analysis Symposium (SAS'01), ed. by Patrick Cousot, Lecture Notes in Computer Science, volume 2126, pp. 433–436, Paris, France, July 2001. Springer.

Proceedings of international conferences with program committee

[14] Bruno Blanchet and Avik Chaudhuri. – Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage. In: IEEE Symposium on Security and Privacy, pp. 417–431, Oakland, CA, May 2008. IEEE.

[15] Bruno Blanchet, Aaron D. Jaggard, Andre Scedrov and Joe-Kai Tsay. – Computationally Sound Mechanized Proofs for Basic and Public-Key Kerberos. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS'08), pp. 87–99, Tokyo, Japan, March 2008. ACM.

[16] Bruno Blanchet. – Computationally Sound Mechanized Proofs of Correspondence Assertions. In: 20th IEEE Computer Security Foundations Symposium (CSF'07), pp. 97–111, Venice, Italy, July 2007. IEEE.

[17] Bruno Blanchet and David Pointcheval. – Automated Security Proofs with Sequences of Games. In: Advances in Cryptology – CRYPTO'06, ed. by Cynthia Dwork, Lecture Notes in Computer Science, volume 4117, pp. 537–554, Santa Barbara, California, August 2006. Springer.

[18] Bruno Blanchet. – A Computationally Sound Mechanized Prover for Security Protocols. In: IEEE Symposium on Security and Privacy, pp. 140–154, Oakland, California, May 2006. IEEE Computer Society.

[19] Bruno Blanchet, Martín Abadi and Cédric Fournet. – Automated Verification of Selected Equivalences for Security Protocols. In: 20th IEEE Symposium on Logic in Computer Science (LICS 2005), pp. 331–340, Chicago, Illinois, June 2005.

[20] Xavier Allamigeon and Bruno Blanchet. – Reconstruction of Attacks against Cryptographic Protocols. In: 18th IEEE Computer Security Foundations Workshop (CSFW-18), pp. 140–154, Aix-en-Provence, France, June 2005.

[21] Bruno Blanchet. – Automatic Proof of Strong Secrecy for Security Protocols. In: IEEE Symposium on Security and Privacy, pp. 86–100, Oakland, California, May 2004.

[22] Martín Abadi, Bruno Blanchet and Cédric Fournet. – Just Fast Keying in the Pi Calculus. In: Programming Languages and Systems: 13th European Symposium on Programming (ESOP'04), ed. by David Schmidt, Lecture Notes in Computer Science, volume 2986, pp. 340–354, Barcelona, Spain, March 2004. Springer.

[23] Bruno Blanchet and Benjamin Aziz. – A Calculus for Secure Mobility. In: Eighth Asian Computing Science Conference (ASIAN'03), ed. by Vijay Saraswat, Lecture Notes in Computer Science, volume 2896, pp. 188–204, Mumbai, India, December 2003. Springer.

[24] Martín Abadi and Bruno Blanchet. – Computer-Assisted Verification of a Protocol for Certified Email. In: Static Analysis, 10th International Symposium (SAS'03), ed. by Radhia Cousot, Lecture Notes in Computer Science, volume 2694, pp. 316–335, San Diego, California, June 2003. Springer.

[25] Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux and Xavier Rival. – A Static Analyzer for Large Safety-Critical Software. In: ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation (PLDI'03), pp. 196–207, San Diego, California, June 2003. ACM.

[26] Bruno Blanchet and Andreas Podelski. – Verification of Cryptographic Protocols: Tagging Enforces Termination. In: Foundations of Software Science and Computation Structures (FoSSaCS'03), ed. by Andrew Gordon, Lecture Notes in Computer Science, volume 2620, pp. 136–152, Warsaw, Poland, April 2003. Springer.

[27] Bruno Blanchet. – From Secrecy to Authenticity in Security Protocols. In: 9th International Static Analysis Symposium (SAS'02), ed. by Manuel Hermenegildo and Germán Puebla, Lecture Notes in Computer Science, volume 2477, pp. 342–359, Madrid, Spain, September 2002. Springer.

[28] Martín Abadi and Bruno Blanchet. – Analyzing Security Protocols with Secrecy Types and Logic Programs. In: 29th Annual ACM SIGPLAN - SIGACT Symposium on Principles of Programming Languages (POPL'02), pp. 33–44, Portland, Oregon, January 2002. ACM Press.

[29] Bruno Blanchet. – An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), pp. 82–96, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

[30] Martín Abadi and Bruno Blanchet. – Secrecy Types for Asymmetric Communication. In: Foundations of Software Science and Computation Structures (FoSSaCS'01), ed. by F. Honsell and M. Miculan, Lecture Notes in Computer Science, volume 2030, pp. 25–41, Genoa, Italy, April 2001. Springer.

[31] Bruno Blanchet. – Escape Analysis for Object Oriented Languages. Application to Java. In: Conference on Object-Oriented Programming, Systems, Languages and Applications (OOPSLA'99), pp. 20–34, Denver, Colorado, November 1999.

[32] Bruno Blanchet. – Escape Analysis: Correctness Proof, Implementation and Experimental Results. In: 25th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL'98), pp. 25–37, San Diego, California, January 1998. ACM Press.

Workshops

[33] Bruno Blanchet, Aaron D. Jaggard, Andre Scedrov and Joe-Kai Tsay. – Computationally Sound Mechanized Proofs of Basic and Public-Key Kerberos. – October 2007. Schloss Dagstuhl seminar "Formal Protocol Verification Applied", Wadern, Germany.

[34] Bruno Blanchet. – A Computationally Sound Automatic Prover for Cryptographic Protocols. In: Workshop on the link between formal and computational models, École normale supérieure, Paris, France, June 2005.

[35] Bruno Blanchet. – Automatic Proof of Strong Secrecy for Security Protocols. In: Seminar "Language-Based Security", Schloss Dagstuhl, Wadern, Germany, October 2003.

[36] Bruno Blanchet and Benjamin Aziz. – A Calculus for Locations, Mobility, and Cryptography. In: Seminar "Reasoning about Shape", Schloss Dagstuhl, Wadern, Germany, March 2003.

[37] Martín Abadi and Bruno Blanchet. – Secrecy Types for Asymmetric Communication. In: Seminar "Security through Analysis and Verification", Schloss Dagstuhl, Wadern, Germany, December 2000.

Book chapter

[38] Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jérôme Feret, Laurent Mauborgne, Antoine Miné, David Monniaux and Xavier Rival. – Design and Implementation of a Special-Purpose Static Program Analyzer for Safety-Critical Real-Time Embedded Software, invited chapter. In: The Essence of Computation: Complexity, Analysis, Transformation. Essays Dedicated to Neil D. Jones, ed. by T. Mogensen, D. A. Schmidt and I. H. Sudborough, pp. 85–108. – Springer, December 2002.

Software

[39] Bruno Blanchet. – CryptoVerif, version 1.06. Verifier of cryptographic protocols in the computational model. Available at http://www.cryptoverif.ens.fr/. 2007.

[40] Bruno Blanchet and Xavier Allamigeon. – ProVerif, version 1.14. Verifier of cryptographic protocols in the formal model. Available at http://www.proverif.ens.fr/. 2007.

[41] Bruno Blanchet. – Escape analyzer for stack allocation in Objective Caml, integrated in the Ocaml 1.05 compiler, built from a prototype by Alain Deutsch. Available at http://www.di.ens.fr/~blanchet/escape.html. 2001.

Reports

[42] Bruno Blanchet. – Automatic Verification of Correspondences for Security Protocols. – Report arXiv:0802.3444v1, February 2008. Available at http://arxiv.org/abs/0802.3444v1.

[43] Bruno Blanchet. – Computationally sound mechanized proofs of correspondence assertions. – Cryptology ePrint Archive, Report 2007/128, April 2007. Available at http://eprint.iacr.org/2007/128.

[44] Bruno Blanchet and David Pointcheval. – Automated security proofs with sequences of games. – Cryptology ePrint Archive, Report 2006/069, February 2006. Available at http://eprint.iacr.org/2006/069.

[45] Bruno Blanchet. – A computationally sound mechanized prover for security protocols. – Cryptology ePrint Archive, Report 2005/401, November 2005. Available at http://eprint.iacr.org/2005/401.

[46] Bruno Blanchet. – Automatic Proof of Strong Secrecy for Security Protocols. – Technical report MPI-I-2004-NWG1-001, Max-Planck-Institut für Informatik, Saarbrücken, Germany, July 2004.

Theses and dissertations

[47] Bruno Blanchet. – Analyse d'échappement. Applications à ML et Java (Escape analysis. Applications to ML and Java). – PhD thesis, École polytechnique, 7 December 2000.

[48] Bruno Blanchet. – MMFAI magistère report. – ENS, October 1997.

[49] Bruno Blanchet. – Garbage Collection statique (Static garbage collection). – DEA report, INRIA, Rocquencourt, September 1996.

Appendix B

Attached articles

Protocol verification in the formal model

Martín Abadi and Bruno Blanchet. – Analyzing Security Protocols with Secrecy Types and Logic Programs. Journal of the ACM, vol. 52, no. 1, January 2005, pp. 102–146.

This paper presents a type system for verifying secrecy properties of cryptographic protocols, encoded in an extension of the pi calculus with function symbols. The type system gives a generic treatment of many cryptographic primitives, including public-key and shared-key encryption, signatures and hash functions. We study several instances of this system. In particular, we show that one instance of the type system is equivalent to the Horn-clause-based secrecy verification method used by the automatic verifier ProVerif. We also show that this instance of the type system is the most precise one: if a secrecy property can be proved by any instance of the type system, then it can be proved by this instance.

Bruno Blanchet. – Automatic Verification of Correspondences for Security Protocols. Report arXiv:0802.3444v1. A version without proofs is to appear in the Journal of Computer Security.

This paper extends the Horn-clause-based secrecy verification method presented in the previous paper to correspondence properties. Correspondence properties are properties of the form "if a certain event has been executed, then other events have been executed". They are used in particular to formalize authentication.

This paper also describes the resolution algorithm used on the Horn clauses and its proof of correctness, and shows that it terminates on a subclass of well-designed protocols, in which each encryption, signature, etc. is distinguished from the others by a constant tag.
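The Horn-clause method summarized in the two preceding papers can be seen in miniature in the following Python model, an added example rather than code from the papers or from ProVerif: attacker capabilities and protocol steps are Horn clauses, ProVerif's basic selection function chooses which hypothesis to resolve on, a clause whose hypotheses are all of the form attacker(x) is "solved", and the secrecy query for s is the clause bad ← attacker(s). The protocol (A sends a secret s under a key kab shared with B; a correct B answers with a fresh message encrypted under the received term, while a flawed variant forwards it under a second key kbc that has leaked) and all names in it are constructed for this example.

```python
"""Toy ProVerif-style Horn-clause resolution for secrecy (added example, not the papers' code).
Terms: a variable is a str; an application or a name is a tuple (symbol, args...), e.g.
('senc', 'x', ('kab',)).  Facts are ('attacker', t) or ('bad',); a clause is (hypotheses, conclusion)."""

def is_var(t):
    return isinstance(t, str)

def subst(t, s):
    """Apply substitution s (dict var -> term), following binding chains."""
    if is_var(t):
        return subst(s[t], s) if t in s else t
    return (t[0],) + tuple(subst(a, s) for a in t[1:])

def occurs(v, t):
    return v == t if is_var(t) else any(occurs(v, a) for a in t[1:])

def unify(t1, t2, s=None):
    """Most general unifier of t1 and t2 extending s, or None if none exists."""
    s = {} if s is None else dict(s)
    t1, t2 = subst(t1, s), subst(t2, s)
    if t1 == t2:
        return s
    if is_var(t2):
        t1, t2 = t2, t1
    if is_var(t1):
        return None if occurs(t1, t2) else {**s, t1: t2}
    if t1[0] != t2[0] or len(t1) != len(t2):
        return None
    for a, b in zip(t1[1:], t2[1:]):
        s = unify(a, b, s)
        if s is None:
            return None
    return s

def rename(t, names, prefix):
    """Rename variables prefix0, prefix1, ... in order of first occurrence (names is updated)."""
    if is_var(t):
        return names.setdefault(t, prefix + str(len(names)))
    return (t[0],) + tuple(rename(a, names, prefix) for a in t[1:])

def canon(clause, prefix='v'):
    """Drop duplicate hypotheses and rename variables so that equal clauses compare equal."""
    hyps, concl = clause
    names = {}
    hyps = tuple(rename(f, names, prefix) for f in dict.fromkeys(hyps))
    return hyps, rename(concl, names, prefix)

def select(hyps):
    """ProVerif's basic selection: a hypothesis that is not attacker(x) with x a variable, else -1."""
    for i, h in enumerate(hyps):
        if not (h[0] == 'attacker' and is_var(h[1])):
            return i
    return -1

def resolve(solved, clause):
    """Unify conclusion C1 of solved H1 -> C1 with the selected hypothesis F of H2 -> C2: sigma(H1 + H2 - F) -> sigma(C2)."""
    h1, c1 = canon(solved, 'a')
    h2, c2 = canon(clause, 'b')
    i = select(h2)
    s = unify(c1, h2[i])
    if s is None:
        return None
    return tuple(subst(f, s) for f in h1 + h2[:i] + h2[i + 1:]), subst(c2, s)

def saturate(clauses):
    """Resolve solved clauses against unsolved ones until nothing new appears (duplicates and tautologies dropped)."""
    seen, solved, unsolved = set(), [], []
    def add(c):
        c = canon(c)
        if c in seen or c[1] in c[0]:
            return False
        seen.add(c)
        (solved if select(c[0]) < 0 else unsolved).append(c)
        return True
    for c in clauses:
        add(c)
    while True:
        resolvents = [resolve(a, b) for a in solved for b in unsolved]
        if not sum(add(r) for r in resolvents if r is not None):
            return solved

# Attacker capabilities: a public name, symmetric encryption and decryption.
ATTACKER = [
    ((), ('attacker', ('a',))),
    ((('attacker', 'x'), ('attacker', 'k')), ('attacker', ('senc', 'x', 'k'))),
    ((('attacker', ('senc', 'x', 'k')), ('attacker', 'k')), ('attacker', 'x')),
]
# Constructed toy protocol: A -> B : senc(s, kab).  A correct B decrypts and
# answers senc(ok, x); a flawed B forwards x under a key kbc that has leaked.
SECRET = ('s',)
A_SENDS = ((), ('attacker', ('senc', SECRET, ('kab',))))
B_GOOD = ((('attacker', ('senc', 'x', ('kab',))),), ('attacker', ('senc', ('ok',), 'x')))
B_FLAWED = ((('attacker', ('senc', 'x', ('kab',))),), ('attacker', ('senc', 'x', ('kbc',))))
KBC_LEAKED = ((), ('attacker', ('kbc',)))

def derivable(protocol, term):
    """Secrecy query bad <- attacker(term): derivable iff a solved clause concluding bad appears
    (its attacker(x) hypotheses can always be met, e.g. with the public name a)."""
    query = ((('attacker', term),), ('bad',))
    return any(c == ('bad',) for _, c in saturate(ATTACKER + protocol + [query]))
```

With the correct B, `derivable([A_SENDS, B_GOOD], SECRET)` is False; with the flawed B and the leaked kbc it is True, because saturation derives attacker(s) from senc(s, kbc) and kbc.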

Bruno Blanchet, Martín Abadi and Cédric Fournet. – Automated Verification of Selected Equivalences for Security Protocols. Journal of Logic and Algebraic Programming, vol. 75, no. 1, February-March 2008, pp. 3–51.

This paper also extends the Horn-clause-based verification method, this time to the verification of process equivalences. Intuitively, two processes are observationally equivalent when the attacker cannot distinguish them. Such equivalences can be used to specify many subtle security properties. Here, we focus on equivalences between processes P and Q that differ only by the choice of some terms. Such equivalences arise frequently in applications, for example when dealing with protocols that use weak passwords. We show how to treat them as predicates on the traces of a single process that represents both P and Q.

This paper also presents the treatment of cryptographic primitives modelled by an equational theory. This makes it possible, for example, to represent encryption primitives for which decryption always succeeds, a property that is useful for obtaining certain equivalences.

Verification of protocols in the computational model

Bruno Blanchet. – A Computationally Sound Mechanized Prover for Security Protocols. IEEE Transactions on Dependable and Secure Computing, vol. 5, no. 4, October–December 2008, pp. 193–207.

This article presents the automatic protocol verifier CryptoVerif. Unlike most previous verifiers, it is based not on the formal model but on the computational model. It produces proofs presented as sequences of games, like those written by cryptographers. These games are formalized in a probabilistic polynomial-time process calculus. CryptoVerif provides a generic method for specifying the security assumptions on cryptographic primitives, which handles in particular shared-key and public-key encryption, signatures, message authentication codes, and hash functions. It produces proofs that are valid for a number of sessions polynomial in the security parameter, in the presence of an active attacker.


Analyzing Security Protocols with Secrecy Types and Logic Programs∗

Martín Abadi
Computer Science Department, University of California, Santa Cruz
[email protected]

Bruno Blanchet
CNRS, Département d’Informatique, École Normale Supérieure, Paris
[email protected]

Abstract

We study and further develop two language-based techniques for analyzing security protocols. One is based on a typed process calculus; the other, on untyped logic programs. Both focus on secrecy properties. We contribute to these two techniques, in particular by extending the former with a flexible, generic treatment of many cryptographic operations. We also establish an equivalence between the two techniques.

1 Introduction

Concepts and methods from programming languages have long been useful in security (e.g., [47]). In recent years, they have played a significant role in understanding security protocols. They have given rise to programming calculi for these protocols (e.g., [7, 9, 11, 21, 24, 28, 29, 31, 42, 44, 52]). They have also suggested several approaches for reasoning about protocols, leading to theories as well as tools for formal protocol analysis. We describe some of these approaches below. Although several of them are incomplete (in the sense that they sometimes fail to establish security properties), they are applicable to many protocols, including infinite-state protocols, often with little effort. Thus, they provide an attractive alternative to finite-state model checking (e.g., [43]) and to human-guided theorem proving (e.g., [50]).

In this work we pursue these language-based approaches to protocol analysis and aim to clarify their interconnections. We examine and further develop two techniques that represent two popular, substantial, but largely disjoint lines of research. One technique relies on a typed process calculus, the other on untyped logic programs. We contribute to these two techniques, in particular by extending the former with a flexible, generic treatment of many cryptographic operations. We also establish an equivalence between the two techniques. We believe that this equivalence is surprising and illuminating.

The typed process calculus belongs in a line of research that exploits standard static-analysis ideas and adapts them with security twists. There are by now several type systems for processes in which types not only track the expected structure of values and processes but also give security information [1, 5, 20, 32, 33, 38, 39]. A related approach relies on control-flow analysis [18]; it has an algorithmic emphasis, but it is roughly equivalent to typing at least in important special cases [17]. Such static analyses have applications in a broader security context (e.g., [3, 37, 48, 53]); security protocols constitute a particularly challenging class of examples. To date, however, such static analyses have dealt case by case with operations on data, and in particular with cryptographic operations. In this paper, we develop a general treatment of these operations.

∗This work was presented at the 29th Annual ACM Symposium on Principles of Programming Languages (2002). A preliminary version of this paper appears in the proceedings of that symposium.


In another line of research, security protocols are represented as logic programs, and they are analyzed symbolically with general provers [26, 54] or with special-purpose algorithms and tools [4, 13–16, 21–23, 25, 34–36, 51]. (See also [40] for some of the roots of this approach.) In some of this work [21, 23], the use of linear logic enables a rather faithful model of protocol state, reducing (or eliminating) the possibility of false alarms; on the other hand, the treatment of protocols with an unbounded number of sessions can become quite difficult. Partly for this reason, and partly because of the familiarity and relative simplicity of classical logic, algorithms and tools that rely on classical logic programs are prevalent. Superficially, these algorithms and tools are quite different from typing and control-flow analysis. However, in this paper we show that one of these tools can be viewed as an implementation of a type system.

More specifically, we develop a generic type system for a process calculus that extends the pi calculus [46] with constructor operations and corresponding destructor operations. These operations may be, for instance, tupling and projection, symmetric (shared-key) encryption and decryption, asymmetric (public-key) encryption and decryption, digital signatures and signature checking, and one-way hashing (with no corresponding destructor). As in the applied pi calculus [7], these operations are not hardwired. The applied pi calculus is even more general in that it does not require the classification of operations into constructors and destructors; we expect that it can be treated along similar lines but with more difficulty (see Sections 2 and 8). Our type system for the process calculus gives secrecy information. The basic soundness theorem for the type system, which we prove only once (rather than once per choice of operations), states that well-typed processes do not reveal their secrets.

We compare this generic type system with an automatic protocol checker. The checker takes as input a process and translates it into an abstract representation by logic-programming rules. This representation and its manipulation, but not the translation of processes, come from previous work [13], which develops an efficient tool for establishing secrecy properties of protocols. We show that establishing a secrecy property of a protocol with this checker corresponds to typing the protocol in a particular instance of the generic type system. This result implies a soundness property for the checker. Conversely, as a completeness property, we establish that the checker corresponds to the “best” instance of our generic type system: if a secrecy property can be established using any instance of the type system, then it can also be established by the checker.

Throughout this paper, we use the following concept of secrecy (e.g., [2]): a protocol P preserves the secrecy of data M if P never publishes M, or anything that would permit the computation of M, even in interaction with an adversary Q. For instance, M may be a cryptographic key; its secrecy means that no adversary can obtain the key by attacking P. Although this property allows the possibility that P reveals partial information about M, the property is attractive and often satisfactory.

For example, consider the following protocol (presented informally here, and studied more rigorously in the body of this paper):

Message 1. A → B : pencrypt((k, pKA), pKB)
Message 2. B → A : pencrypt((k, KAB), pKA)
Message 3. A → B : sencrypt(s, KAB)

This protocol establishes a session key KAB between two parties A and B, then uses the key to transmit a secret s from A to B. It relies on a public-key encryption function pencrypt, on a shared-key encryption function sencrypt, and on public keys pKA for A and pKB for B. For pencrypt and sencrypt, the second argument is the encryption key, the first the plaintext being encrypted. First, A creates a challenge k (a nonce), sends it to B paired with A’s public key, encrypted under B’s public key. Then B replies with the same nonce and the session key KAB, encrypted under A’s public key. When A receives this message, it recognizes k; it is then confident that the key KAB has been created by B. Finally, A sends the secret s under KAB.


M, N ::= terms
    x, y, z                                  variable
    a, b, c, k, s                            name
    f(M1, . . . , Mn)                        constructor application

P, Q ::= processes
    M〈N〉.P                                   output
    M(x).P                                   input
    0                                        nil
    P | Q                                    parallel composition
    !P                                       replication
    (νa)P                                    restriction
    let x = g(M1, . . . , Mn) in P else Q    destructor application
    let x = M in P                           local definition
    if M = N then P else Q                   conditional

Figure 1: Syntax of the process calculus

Can an attacker obtain s? The answer to this question may partly depend on delicate points that the informal description of the protocol does not clarify, such as whether a public key can be mistaken for a shared key. Once we address those points through a formal description of the protocol, we can apply our analyses for establishing the secrecy of s or for identifying vulnerabilities.

The next section presents our process calculus, without types. Section 3 gives a (fairly standard) definition of secrecy. Section 4 presents our type system, and Section 5 gives the main soundness theorems for the type system and related results. As an application, Section 6 explains how the type system can be instantiated to handle shared-key and public-key encryption operations. Section 7 formalizes and studies the logic-programming protocol checker. Section 8 discusses an extension (to general equational theories). Section 9 concludes. An appendix contains some proofs.

2 The Process Calculus (Untyped)

This section introduces our process calculus, by giving its syntax and its operational semantics.

2.1 Syntax and Informal Semantics

The syntax of our calculus is summarized in Figure 1. It distinguishes a category of terms (data) and one of processes (programs). It assumes an infinite set of names and an infinite set of variables; a, b, c, k, s, and similar identifiers range over names, and x, y, and z range over variables. Names represent atomic data items, such as nonces and keys, while variables are formal parameters that can be replaced by any term (atomic or complex). The syntax also assumes a set of symbols for constructors and destructors, each with an arity; we often use f for a constructor and g for a destructor.

Constructors are used to build terms. Therefore, the terms are variables, names, and constructor applications of the form f(M1, . . . , Mn). On the other hand, destructors do not appear in terms, but only manipulate terms in processes. They are partial functions on terms that processes can apply. The process let x = g(M1, . . . , Mn) in P else Q tries to evaluate g(M1, . . . , Mn); if this succeeds, then x is bound to the result and P is executed, else Q is executed. More precisely, the semantics of a destructor g of arity n is given by a partial function from n-tuples of terms to terms, such that g(σM1, . . . , σMn) = σg(M1, . . . , Mn) if g(M1, . . . , Mn) is defined and σ is a substitution that maps names and variables to terms. We may isolate a minimal set def(g) of equations g(M′1, . . . , M′n) = M′ that define g, where M′1, . . . , M′n, M′ are terms without free names, and all variables of M′ occur in M′1, . . . , M′n. Then g(M1, . . . , Mn) is defined if and only if there exists a substitution σ and an equation g(M′1, . . . , M′n) = M′ in def(g) such that Mi = σM′i for all i ∈ {1, . . . , n}, and g(M1, . . . , Mn) = σM′. This set of equations may be infinite, but it is usually finite and small in concrete examples.

Using these constructors and destructors, we can represent data structures, such as tuples, and cryptographic operations, for instance as follows:

• ntuple(M1, . . . , Mn) is the tuple of the terms M1, . . . , Mn, where ntuple is a constructor. (We sometimes abbreviate ntuple(M1, . . . , Mn) to (M1, . . . , Mn).) The n projections are destructors ith_n for i ∈ {1, . . . , n}, defined by

ith_n(ntuple(M1, . . . , Mn)) = Mi

• sencrypt(M, N) is the symmetric (shared-key) encryption of the message M under the key N, where sencrypt is a constructor. The corresponding destructor sdecrypt is defined by

sdecrypt(sencrypt(M,N), N) = M

Thus, sdecrypt(M′, N) returns the decryption of M′ if M′ is a message encrypted under N.

• In order to represent asymmetric (public-key) encryption, we may use two constructors pk and pencrypt: pk(M) builds a public key from a secret M and pencrypt(M, N) encrypts M under N. The corresponding destructor pdecrypt is defined by

pdecrypt(pencrypt(M, pk(N)), N) = M

• As for digital signatures, we may use a constructor sign, and write sign(M, N) for M signed with the signature key N, and the two destructors checksignature and getmessage with the equations:

checksignature(sign(M,N), pk(N)) = M

getmessage(sign(M,N)) = M

• We may represent a one-way hash function by the constructor H. There is no corresponding destructor; so we model that the term M cannot be retrieved from its hash H(M).

Thus, the process calculus supports many of the operations common in security protocols. It has limitations, though: for example, XOR cannot be directly represented by a constructor or by a destructor. We explain how we can treat such primitives in Section 8.

The other constructs in the syntax of Figure 1 are standard; most of them come from the pi calculus.

• The input process M(x).P inputs a message on channel M, and executes P with x bound to the input message. The output process M〈N〉.P outputs the message N on the channel M and then executes P. Here, we use an arbitrary term M to represent a channel: M can be a name, a variable, or a constructor application, but the process blocks if M does not reduce to a name at runtime. Our calculus is monadic (in that the messages are terms rather than tuples of terms), but a polyadic calculus can be simulated since tuples are terms. It is also synchronous (in that a process P is executed after the output of a message). As usual, we may omit P when it is 0.


• The nil process 0 does nothing.

• The process P | Q is the parallel composition of P and Q.

• The replication !P represents an unbounded number of copies of P in parallel.

• The restriction (νa)P creates a new name a, and then executes P .

• The local definition let x = M in P executes P with x bound to the term M .

• The conditional if M = N then P else Q executes P if M and N reduce to the same term at runtime; otherwise, it executes Q. As usual, we may omit an else clause when it consists of 0.

The name a is bound in the process (νa)P. The variable x is bound in P in the processes M(x).P, let x = g(M1, . . . , Mn) in P else Q, and let x = M in P. We write fn(P) and fv(P) for the sets of names and variables free in P, respectively. A process is closed if it has no free variables; it may have free names. We identify processes up to renaming of bound names and variables. We write {M1/x1, . . . , Mn/xn} for the substitution that replaces x1, . . . , xn with M1, . . . , Mn, respectively. When σ is such a substitution and D is some expression, we may write σD or Dσ for the result of applying σ to D; the distinction is one of emphasis at most. Except when stated otherwise, substitutions always map variables (not names) to expressions.

As mentioned in the introduction, our calculus resembles the applied pi calculus [7]. Both calculi are extensions of the pi calculus with (fairly arbitrary) functions on terms. However, there are also important differences between these calculi. The first one is that we use destructors instead of the equational theories of the applied pi calculus. (Section 8 contains further material on equational theories.) The second difference is that our calculus has a built-in error-handling construct (the else clause of the destructor application), whereas in the applied pi calculus the error-handling must be done “by hand”. This error-handling construct makes typing easier.

2.2 An Example

As an example, we return to the exchange presented in the introduction, namely:

Message 1. A → B : pencrypt((k, pKA), pKB)
Message 2. B → A : pencrypt((k, KAB), pKA)
Message 3. A → B : sencrypt(s, KAB)

Next we show how to express this protocol in the process calculus. We return again to this example in later sections, and there we discuss its formal analysis.

Informal protocol descriptions, such as the one for this protocol, are often ambiguous [2], so several different process-calculus expressions may be reasonable counterparts to an informal description. We start with a relatively simple representation of the protocol, given in the following process P:

P ≜ (νsKA)(νsKB) let pKA = pk(sKA) in
      let pKB = pk(sKB) in e〈pKA〉.e〈pKB〉.(A | B)

A ≜ (νk) e〈pencrypt((k, pKA), pKB)〉.
      e(z). let (x, y) = pdecrypt(z, sKA) in
      if x = k then e〈sencrypt(s, y)〉

B ≜ e(z). let (x, y) = pdecrypt(z, sKB) in
      (νKAB) e〈pencrypt((x, KAB), y)〉.
      e(z′). let s′ = sdecrypt(z′, KAB) in 0


Here we write let (x, y) = M in Q instead of let z = M in let x = 1th_2(z) in let y = 2th_2(z) in Q, using pattern-matching on tuples. The keys sKA and sKB are the decryption keys that match pKA and pKB, respectively, and e is a public channel. The messages e〈pKA〉 and e〈pKB〉, which publish pKA and pKB on e, model the fact that these keys are public. This code corresponds to a basic, one-shot version of the protocol, in which A talks only to B and in which honest hosts that play the roles of A and B use different keys.

It is easy to extend the code to represent more elaborate, general versions of the protocol. For instance, the following process P′ represents a version in which A and B run an unbounded number of sessions, A can talk to any host (whose public key A receives in xpKB), and the hosts that play the roles of A and B may have the same key:

P′ ≜ (νsKA)(νsKB) let pKA = pk(sKA) in
       let pKB = pk(sKB) in e〈pKA〉.e〈pKB〉.(!A′ | !B′ | !B′′)

A′ ≜ e(xpKB). (νk) e〈pencrypt((k, pKA), xpKB)〉.
       e(z). let (x, y) = pdecrypt(z, sKA) in if x = k then
       (if xpKB = pKA then e〈sencrypt(sA, y)〉
        | if xpKB = pKB then e〈sencrypt(sB, y)〉)

B′ ≜ e(z). let (x, y) = pdecrypt(z, sKB) in
       (νKAB) e〈pencrypt((x, KAB), y)〉.
       e(z′). let s′ = sdecrypt(z′, KAB) in 0

B′′ ≜ e(z). let (x, y) = pdecrypt(z, sKA) in
       (νKAB) e〈pencrypt((x, KAB), y)〉.
       e(z′). let s′ = sdecrypt(z′, KAB) in 0

Here B′′ is much like B′ but uses the same key as A′. (A separate definition of B′′ is needed because, in the applied pi calculus, the syntactically different names sKA and sKB never mean the same. Of course, the code duplication can easily be avoided by using a variable parameter for the keys.)

This and other variants can be written rather directly as scripts in the input syntax of the automatic protocol checker, which is quite close to that of the process calculus. The following script illustrates this point:

    (* First some declarations, with equations *)

    (* Shared-key encryption *)
    fun sencrypt/2.
    reduc sdecrypt(sencrypt(x, y), y) = x.

    (* Public-key encryption *)
    fun pencrypt/2.
    fun pk/1.
    reduc pdecrypt(pencrypt(x, pk(y)), y) = x.

    (* Declarations of free names *)
    private free sA, sB.
    free e.

    (* A secrecy query, for protocol analysis *)
    query attacker : sA;
          attacker : sB.

    (* The processes *)
    let processA′ =
      in(e, xpkB);
      new k;
      out(e, pencrypt((k, pkA), xpkB));
      in(e, z);
      let (x, y) = pdecrypt(z, skA) in
      if x = k then
      (if xpkB = pkA then
         out(e, sencrypt(sA, y))
      )
      |
      (if xpkB = pkB then
         out(e, sencrypt(sB, y))
      ).

    let processB′ =
      in(e, z);
      let (x, y) = pdecrypt(z, skB) in
      new Kab;
      out(e, pencrypt((x, Kab), y));
      in(e, z2);
      let s2 = sdecrypt(z2, Kab) in
      0.

    let processB′′ =
      in(e, z);
      let (x, y) = pdecrypt(z, skA) in
      new Kab;
      out(e, pencrypt((x, Kab), y));
      in(e, z2);
      let s2 = sdecrypt(z2, Kab) in
      0.

    process
      new skA;
      new skB;
      let pkA = pk(skA) in
      let pkB = pk(skB) in
      out(e, pkA);
      out(e, pkB);
      ((!processA′) | (!processB′) | (!processB′′))

As can be seen from this example, writing a model of a protocol in the process calculus is much like programming it in a little language with concurrency, message passing on named channels, and high-level, “black-box” operations on data (including cryptographic functions). In this respect, the calculus resembles many of the other programming calculi for protocols mentioned in the introduction.

Structural congruence:

    P | 0 ≡ P          P | Q ≡ Q | P          (P | Q) | R ≡ P | (Q | R)
    !P ≡ P | !P
    (νa1)(νa2)P ≡ (νa2)(νa1)P
    (νa)(P | Q) ≡ P | (νa)Q                  if a ∉ fn(P)
    P ≡ Q  implies  P | R ≡ Q | R
    P ≡ Q  implies  !P ≡ !Q
    P ≡ Q  implies  (νa)P ≡ (νa)Q
    P ≡ P
    P ≡ Q  implies  Q ≡ P
    P ≡ Q and Q ≡ R  implies  P ≡ R

Reduction:

    a〈M〉.Q | a(x).P → Q | P{M/x}                                              (Red I/O)
    let x = g(M1, . . . , Mn) in P else Q → P{M′/x}   if g(M1, . . . , Mn) = M′           (Red Destr 1)
    let x = g(M1, . . . , Mn) in P else Q → Q          if g(M1, . . . , Mn) is not defined  (Red Destr 2)
    let x = M in P → P{M/x}                                                   (Red Let)
    if M = M then P else Q → P                                                (Red Cond 1)
    if M = N then P else Q → Q                         if M ≠ N                (Red Cond 2)
    P → Q  implies  P | R → Q | R                                             (Red Par)
    P → Q  implies  (νa)P → (νa)Q                                             (Red Res)
    P′ ≡ P, P → Q, Q ≡ Q′  implies  P′ → Q′                                   (Red ≡)

Figure 2: Structural congruence and reduction

The literature contains additional examples that provide evidence of the effectiveness of this process calculus and related ones for the analysis of a range of protocols. In particular, we have recently used this process calculus in the study of a protocol for certified email [4, 8] and of the JFK protocol (a proposed replacement for IKE in IPsec) [6, 10].

2.3 Formal Semantics

The rules of Figure 2 axiomatize the reduction relation → for processes, thus defining the operational semantics of our calculus. As is often done in process calculi (e.g., [46]), auxiliary rules axiomatize the structural congruence relation ≡. This relation is useful for transforming processes so that the reduction rules can be applied. Both ≡ and → are defined only on closed processes.


We write →∗ for the reflexive and transitive closure of →. As in [5], we say that the process P outputs M immediately on c if and only if P ≡ c〈M〉.Q | R for some processes Q and R. We say that the process P outputs M on c if and only if P →∗ Q and Q outputs M immediately on c for some process Q.

3 A Definition of Secrecy

As indicated in the introduction, we use the following informal definition of secrecy: a protocol P preserves the secrecy of data M if P never publishes M, or anything that would permit the computation of M, even in interaction with an adversary Q. Equivalently, a protocol P preserves the secrecy of data M if P in parallel with an adversary Q will never output M on a public channel. The interaction between P and Q takes place by communication on shared channels. These primarily include public channels (such as those of the Internet), on which Q may eavesdrop, modify, and inject messages; they may also include other channels known to Q. In addition to these shared channels, P may use private channels for its internal computations.

Next we give a formal counterpart for this informal definition, in the context of our process calculus and relying on the operational semantics of Section 2.3.

We represent the adversary Q as a process of the calculus, with some hypotheses that characterize Q’s initial capabilities. We formulate these hypotheses simply by using a set of names S. Intuitively, Q knows the names in S initially; in particular, these names may represent the cryptographic keys, communication channels, and nonces that Q knows initially. In the course of computation, Q may acquire some additional capabilities (for instance, additional cryptographic keys) not represented in S, by creating fresh names and receiving terms in messages.

In order to represent that Q may initially know complex terms rather than just names, we may let P begin with the output of these terms on a public channel c ∈ S, so the restriction that S is a set of names entails no loss of generality.

Definition 3.1 Let S be a finite set of names. The closed process Q is an S-adversary if and only if fn(Q) ⊆ S. The closed process P preserves the secrecy of M from S if and only if P | Q does not output M on c for any S-adversary Q and any c ∈ S.

If P preserves the secrecy of M from S, then it clearly cannot output M on some c ∈ S, that is, on one of the channels known to the adversary. This guarantee corresponds to the informal requirement that P never publishes M on its own. Moreover, P cannot publish data that would enable an adversary to compute M, because the adversary could go on to output M on some c ∈ S.

For instance, the process (νk)a〈sencrypt(s, k)〉 preserves the secrecy of s from {a}. This process publishes an encryption of s on the channel a, but not the decryption key; hence s does not escape. Similarly, the process (νa)a〈sencrypt(s, k)〉 preserves the secrecy of s from {k}; here the key is published but the channel remains private. On the other hand, the process a〈sencrypt(s, k)〉 does not preserve the secrecy of s from {a, k}: the adversary

a(x).a〈sdecrypt(x, k)〉

can receive sencrypt(s, k) on a, decrypt s, and resend it on a.

As an additional example, we may apply this definition of secrecy to the process P of the example of Section 2.2. We may ask whether P preserves the secrecy of s from {e}. This property would mean that an attacker with access to e cannot learn s. Section 6.1 shows that this property indeed holds.
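The following Python program is an added example, not code from the paper or from the authors' checker. It implements the destructor semantics of Section 2.1 (evaluation of g(M1, . . . , Mn) by matching the defining equations in def(g) under a substitution σ) and then the S-adversary view of Definition 3.1, applied to the three small processes above and to one honest run of the process P of Section 2.2. The term encoding (a string is a name, a string starting with "?" is a variable, a tuple is a constructor application, and "2tuple" stands for ntuple with n = 2) and the restriction of the adversary to a single observed run, where it applies destructors to what it has seen and builds pk(N) from known N, are this example's assumptions; the paper's Section 6.1 proves the stronger property against an arbitrary active S-adversary.

```python
# Added example (not from the paper): destructor evaluation by def(g) matching
# (Section 2.1) and a secrecy check against an S-adversary (Definition 3.1).
# Encoding (an assumption of this example): a str is a name ('k') or, when it
# starts with '?', a variable; a tuple (f, M1, ..., Mn) is a constructor
# application; '2tuple' plays the role of the paper's ntuple for n = 2.
from itertools import product

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def match(pat, term, sigma):
    """Extend sigma so that sigma(pat) == term; return None on failure."""
    if is_var(pat):
        if pat in sigma:
            return sigma if sigma[pat] == term else None
        sigma[pat] = term
        return sigma
    if isinstance(pat, str) or isinstance(term, str):
        return sigma if pat == term else None
    if pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        if match(p, t, sigma) is None:
            return None
    return sigma

def subst(term, sigma):
    """Apply the substitution sigma (variable -> term) to a term."""
    if is_var(term):
        return sigma[term]
    if isinstance(term, str):
        return term
    return (term[0],) + tuple(subst(a, sigma) for a in term[1:])

# def(g): the defining equations g(M'1, ..., M'n) = M' listed in Section 2.1.
DEF = {
    'sdecrypt':       [((('sencrypt', '?m', '?n'), '?n'), '?m')],
    'pdecrypt':       [((('pencrypt', '?m', ('pk', '?n')), '?n'), '?m')],
    'checksignature': [((('sign', '?m', '?n'), ('pk', '?n')), '?m')],
    'getmessage':     [((('sign', '?m', '?n'),), '?m')],
    '1th2':           [((('2tuple', '?m1', '?m2'),), '?m1')],
    '2th2':           [((('2tuple', '?m1', '?m2'),), '?m2')],
}

def apply_destructor(g, args):
    """g(M1, ..., Mn) = sigma(M') for the first equation of def(g) whose
    left-hand side matches the arguments; None when g(M1, ..., Mn) is not
    defined, i.e. the case in which `let ... in P else Q` runs Q."""
    for patterns, result in DEF[g]:
        if len(patterns) != len(args):
            continue
        sigma = {}
        if all(match(p, a, sigma) is not None for p, a in zip(patterns, args)):
            return subst(result, sigma)
    return None

def adversary_knowledge(S, outputs):
    """Terms an S-adversary obtains from its initial names S and the messages
    in `outputs` (a list of (channel, message) pairs sent by the process): it
    sees every output on a channel in S, then applies destructors until nothing
    new appears.  Simplification of this example: the only argument it builds
    on the fly is pk(N) for a known N, which checksignature needs."""
    known = set(S) | {m for c, m in outputs if c in S}
    changed = True
    while changed:
        changed = False
        cands = list(known) + [('pk', t) for t in known]
        for g, equations in DEF.items():
            arity = len(equations[0][0])
            for args in product(cands, repeat=arity):
                r = apply_destructor(g, args)
                if r is not None and r not in known:
                    known.add(r)
                    changed = True
    return known

def derivable(term, known):
    """The adversary has `term` if it knows it or can build it from known parts."""
    if term in known:
        return True
    if isinstance(term, str):
        return False
    return all(derivable(a, known) for a in term[1:])

def preserves_secrecy(secret, S, outputs):
    return not derivable(secret, adversary_knowledge(S, outputs))

# The three examples of Section 3: what each process outputs, and on which channel.
ENC = ('sencrypt', 's', 'k')
EX1 = preserves_secrecy('s', {'a'}, [('a', ENC)])       # (νk) a<sencrypt(s,k)>, S = {a}
EX2 = preserves_secrecy('s', {'k'}, [('a', ENC)])       # (νa) a<sencrypt(s,k)>, S = {k}
EX3 = preserves_secrecy('s', {'a', 'k'}, [('a', ENC)])  # a<sencrypt(s,k)>, S = {a, k}

# One honest run of the process P of Section 2.2 as seen on e (constructed
# trace; a passive view only, unlike the active-adversary result of Section 6.1).
pKA, pKB = ('pk', 'sKA'), ('pk', 'sKB')
RUN_P = [('e', pKA), ('e', pKB),
         ('e', ('pencrypt', ('2tuple', 'k', pKA), pKB)),
         ('e', ('pencrypt', ('2tuple', 'k', 'KAB'), pKA)),
         ('e', ('sencrypt', 's', 'KAB'))]
EX_P = preserves_secrecy('s', {'e'}, RUN_P)

if __name__ == '__main__':
    print(EX1, EX2, EX3, EX_P)   # True True False True
```

The third case reproduces the adversary a(x).a〈sdecrypt(x, k)〉 from the text: with a and k both in S, the analysis step applies sdecrypt to the observed ciphertext and the key, so s enters the adversary's knowledge. In the first case the same destructor never fires because no known term matches the key position of the equation sdecrypt(sencrypt(M, N), N) = M, which is exactly the "g(M1, . . . , Mn) is not defined" case of (Red Destr 2).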

Definitions along these lines are quite common in protocol analysis. They are particularly popular and useful for treating the secrecy of keys and other atomic data items. There are however alternatives, in particular some definitions based on the concept of noninterference. According to those, a protocol parameter (such as the identity of a participant) is secret if an adversary cannot tell an instance of the protocol with one value of the parameter from an instance with a different value. The adversary may actually have these values, but ignore which is in use. In contrast, Definition 3.1 implies that, when a process P keeps the secrecy of a term M, the adversary does not have M. See [2] for further details and discussion.

4 The Type System

This section presents a general type system for our process calculus: Section 4.1 describes parameters and assumptions of the type system, and Section 4.2 describes its judgments and the type rules, which Figure 3 gives. The following sections include instances of this general type system.

4.1 Parameters and Requirements

The type system is parameterized by a set of types Types and a non-empty subset TPublic ⊆ Types. These parameters will be fixed in each instance of the type system. Always, TPublic is intended as the set of types of data that can be known by the attacker. The set TPublic is crucial in formulating our secrecy results, in which we assume that the attacker has names with types in TPublic and prove that it does not have names with types not in TPublic.

The type system relies on a function conveys : Types → P(Types) that satisfies property (P0):

(P0) If T ∈ TPublic, then conveys(T ) = TPublic.

Intuitively, conveys(T) is the set of types of data that are conveyed by a channel of type T. (It is empty when elements of T cannot be used as channels.) Data conveyed by a public channel is public, since the adversary can obtain it by listening on the channel. Conversely, public data can appear on a public channel, since the adversary can send it.

The type system also relies on a partial function from types to types O_f : Types^n → Types for each constructor f of arity n, and a function from types to sets of types O_g : Types^n → P(Types) for each destructor g of arity n. Basically, these operators O_f and O_g give the types of constructor and destructor applications (much like type declarations for f and g), so they determine the type rules for constructors and destructors. As the type rules say, if M1, . . . , Mn have respective types T1, . . . , Tn, f is a constructor of arity n, and O_f(T1, . . . , Tn) is defined, then f(M1, . . . , Mn) has type O_f(T1, . . . , Tn). Similarly, if M1, . . . , Mn have respective types T1, . . . , Tn, g is a destructor of arity n, and g(M1, . . . , Mn) is defined, then g(M1, . . . , Mn) has a type in O_g(T1, . . . , Tn).

These constructor and destructor applications need not have unique or most general types (but terms do have unique types in a given environment). Constructors and destructors can accept arguments of different types, and return results whose types depend on the types of the arguments. In this sense, we may say that they are overloaded functions; this overloading subsumes some forms of subtyping and parametric polymorphism.

We require the following properties:

(P1) If for all i ∈ {1, . . . , n}, Ti ∈ TPublic, then O_f(T1, . . . , Tn) is defined and O_f(T1, . . . , Tn) ∈ TPublic.

(P2) If for all i ∈ {1, . . . , n}, Ti ∈ TPublic and T ∈ O_g(T1, . . . , Tn), then T ∈ TPublic.

(P3) For each equation g(M1, . . . , Mn) = M in def(g), if for all i ∈ {1, . . . , n}, E ⊢ Mi : Ti, then there exists T ∈ O_g(T1, . . . , Tn) such that E ⊢ M : T.


These properties are both reasonable and necessary for the soundness of the type system. The first two properties reflect that the result of applying a function to public terms should also be public, since the adversary can compute it. These properties are important in the proof of the Typability Lemma (Lemma 5.1.4 in Section 5). The third property essentially says that the definition of O_g on types is compatible with the definition of g on terms. This property is useful for type preservation when a destructor is applied, in the proof of the Subject Reduction Lemma (Lemma 5.1.3 in Section 5).

Thus, in summary, the type system is parameterized by:

• the set of types Types,

• the subset TPublic ⊆ Types,

• the function conveys : Types → P(Types),

• a partial function Of : Typesn → Types for each constructor f of arity n, and

• a function Og : Typesn → P(Types) for each destructor g of arity n,

and these parameters are subject to conditions (P0, P1, P2, P3).

As it stands, the type system is not parameterized by a subtyping relation. On the other hand, we sometimes find it convenient to use specific subtyping relations in instances of the type system, without however a "subsumption" rule [19]. This rule is present in many programming languages with subtyping (but not all: see for example Objective Caml). It would enable us to view every element of a type T as having a type T′ whenever T is a subtype of T′, and therefore to apply any function f that expects an argument of type T′ to any element of type T. It would be fairly easy to add this rule, should one wish to do so; we have developed some of the corresponding theory. We have not needed this rule because, as explained above, our constructors and destructors can accept arguments of different types, and return results whose types depend on the types of the arguments. Therefore, a function f that expects an argument of type T′ can be defined to handle arguments of any other type T as well.

The soundness of the type system depends on the proper definition of constructors anddestructors. In particular, the result of a constructor must be a new term, not equal to anyother term. For instance, the identity function cannot be a constructor (but it may be adestructor). Otherwise, taking the identity function as a constructor, we could type it withOid (T ) = T ′ ∈ TPublic for all T , so it could convert a secret type into a public one, and thiswould lead to wrong secrecy proofs. Once the constructors and destructors are defined correctlyand the required properties (P0, P1, P2, P3) hold, the type system provides secrecy guarantees,as we show in the next section.

4.2 Judgments and Rules

Figure 3 gives the rules of the type system. In the rules, the metavariable u ranges over namesand variables (that is, over atomic terms), and T over types. The rules concern three judgments:

• E ⊢ ⋄ means that E is a well-formed typing environment.

• E ⊢M : T means that M is a term of type T in the environment E.

• E ⊢ P says that the process P is well-typed in the environment E.

The type rules for nil, parallel composition, replication, restriction, and local definition are standard. We use a Curry-style typing for restriction, so we do not mention a type of a explicitly in the construct (νa). (That is, we do not write (νa : T) for some T.) This style of typing gives rise to a form of polymorphism: the type of a can change according to the environment. We could easily have a variant with explicit types on restrictions. The resulting type system would be less powerful, but our soundness results would still hold.

Well-formed environments:

  (Env ∅)
  ───────
    ∅ ⊢ ⋄

  (Env atom)
  E ⊢ ⋄    u ∉ dom(E)
  ───────────────────
     E, u : T ⊢ ⋄

Terms:

  (Atom)
  E ⊢ ⋄    (u : T) ∈ E
  ────────────────────
       E ⊢ u : T

  (Constructor application)
  E ⊢ ⋄    ∀i ∈ {1, . . . , n}, E ⊢ Mi : Ti    Of(T1, . . . , Tn) is defined
  ─────────────────────────────────────────────────────────────────────
              E ⊢ f(M1, . . . , Mn) : Of(T1, . . . , Tn)

Processes:

  (Output)
  E ⊢ M : T    E ⊢ N : T′    T′ ∈ conveys(T)    E ⊢ P
  ───────────────────────────────────────────────────
                    E ⊢ M〈N〉.P

  (Input)
  E ⊢ M : T    ∀T′ ∈ conveys(T), E, x : T′ ⊢ P
  ─────────────────────────────────────────────
                  E ⊢ M(x).P

  (Nil)
  E ⊢ ⋄
  ─────
  E ⊢ 0

  (Parallel composition)
  E ⊢ P    E ⊢ Q
  ──────────────
    E ⊢ P | Q

  (Replication)
  E ⊢ P
  ──────
  E ⊢ !P

  (Restriction)
  E, a : T ⊢ P
  ─────────────
   E ⊢ (νa)P

  (Destructor application)
  ∀i ∈ {1, . . . , n}, E ⊢ Mi : Ti    ∀T ∈ Og(T1, . . . , Tn), E, x : T ⊢ P    E ⊢ Q
  ─────────────────────────────────────────────────────────────────────────────
              E ⊢ let x = g(M1, . . . , Mn) in P else Q

  (Local definition)
  E ⊢ M : T    E, x : T ⊢ P
  ─────────────────────────
     E ⊢ let x = M in P

  (Conditional)
  E ⊢ M : T    E ⊢ N : T′    if T = T′ then E ⊢ P    E ⊢ Q
  ────────────────────────────────────────────────────────
            E ⊢ if M = N then P else Q

Figure 3: Type rules

By the rule (Output), the process M〈N〉.P is well-typed only if data of the type T ′ of Ncan be conveyed on a channel of the type T of M , that is, T ′ ∈ conveys(T ). Conversely, fortypechecking the process M(x).P via the rule (Input), the variable x is considered with all typesT ′ ∈ conveys(T ) where T is the type of M . The universal quantification on the type of x isunusual; it arises because a channel may convey data of several types. In security protocols,this flexibility is important because a channel may convey data from the adversary and fromhonest participants, and types can help distinguish these two cases.

The rule (Constructor application) types f(M1, . . . ,Mn) according to the correspond-ing operator Of . The rule (Destructor application) is similar to (Input); in let x =g(M1, . . . ,Mn) in P else Q, the variable x is considered with all the possible types ofg(M1, . . . ,Mn), that is, all elements of Og(T1, . . . , Tn).

Rule (Conditional) exploits the property that if two terms M and N have different typesthen they are certainly different. In this case, if M = N then P else Q may be well-typedwithout P being well-typed.

The constructs if M = N then P else Q and let x = M in P can be defined as special casesfrom let x = g(M1, . . . ,Mn) in P else Q, and their typing follows:

• Let equals be a binary destructor with equals(M, M) = M (and equals(M, N) undefined otherwise), Oequals(T, T) = {T}, and Oequals(T, T′) = ∅ if T ≠ T′. Then if M = N then P else Q can be defined and typed as let x = equals(M, N) in P else Q, where x ∉ fv(P).

• Let id be a unary destructor with id(M) = M and Oid(T) = {T}. Then let x = M in P can be defined and typed as let x = id(M) in P else 0.

Because of these encodings, we may omit the cases of if M = N then P else Q and let x =M in P in various arguments and proofs. The encodings also suggest that the typing rule(Conditional) for if M = N then P else Q is more natural than might seem at first sight.

In the rules (Input) and (Destructor application), the type system uses universal quantifica-tions over a possibly infinite set of types, and the rule (Restriction) involves picking a type froma possibly infinite set. These features are important for the richness of the type system. Forexample, had we attached a single type to the variable in (Destructor application), we could nothave dealt with situations in which a process receives an encrypted message with a cleartext ofa statically unknown type.

On the other hand, these features are challenging from an algorithmic perspective: type-checking and type inference are not easy to implement in general. Unless explicit types aregiven, typechecking requires guessing the types of restricted names. Even worse, typecheckingrequires considering bound variables with a potentially infinite set of types, and verifying hy-potheses for each of those types. That is why the instance presented in Section 6.1 is intendedprimarily for manual proofs.

Despite these difficulties, typechecking is certainly not out of reach, as we show. First,we demonstrate that the set of types is finite in significant cases, by providing an example inSection 6.2. Moreover, the logic-programming protocol checker of Section 7 yields a practicalimplementation in cases in which the sets are infinite.

Finally, having a very general (infinitary) type system strengthens our relative completenessresult of Section 7.3. This result shows that the checker can prove all secrecy properties thatcan be proved with any instance of the type system, even infinitary instances.


5 Properties of the Type System

Next we study the properties of the type system. We first establish a subject-reduction resultand other basic lemmas, then use these results for proving a theorem about secrecy. Technically,we follow the same pattern as in the special case (protocols with asymmetric communication)treated in our previous work [5], but some of the proofs require new arguments.

5.1 Subject Reduction and Typability

Lemma 5.1.1 (Substitution) If E, E′ ⊢ M : T and E, x : T, E′ ⊢ M′ : T′ then E, E′ ⊢ M′{M/x} : T′. If E, E′ ⊢ M : T and E, x : T, E′ ⊢ P then E, E′ ⊢ P{M/x}.

Proof The proof is by induction on the derivations of E, x : T, E′ ⊢ M′ : T′ and of E, x : T, E′ ⊢ P. The treatment of all rules is straightforward. □

Lemma 5.1.2 (Subject congruence) If E ⊢ P and P ≡ Q then E ⊢ Q.

Proof This proof is similar to the corresponding proof for the type system of Cardelli, Ghelli, and Gordon [20]; it is an easy induction on the derivation of P ≡ Q. In the case of scope extrusion, we use a weakening lemma, which is easy to prove by induction on type derivations. □

The subject-reduction lemma says that typing is preserved by computation.

Lemma 5.1.3 (Subject reduction) If E ⊢ P and P → Q then E ⊢ Q.

Proof The proof is by induction on the derivation of P → Q.

• In the case of (Red I/O), we have

a〈M〉.Q | a(x).P → Q | P{M/x}

We assume E ⊢ a〈M〉.Q | a(x).P . This judgment must have been derived using the rule(Parallel composition), so E ⊢ a〈M〉.Q and E ⊢ a(x).P . The judgment E ⊢ a(x).P musthave been derived by (Input) from E ⊢ a : T and ∀T ′ ∈ conveys(T ), E, x : T ′ ⊢ P forsome T . The judgment E ⊢ a〈M〉.Q must have been derived by (Output) from E ⊢ a : T(for the same T as in the (Input) derivation, since each term has at most one type),E ⊢M : T ′, T ′ ∈ conveys(T ), and E ⊢ Q. By the substitution lemma (Lemma 5.1.1), weobtain E ⊢ P{M/x}. By (Parallel composition), E ⊢ Q | P{M/x}.

• In the case of (Red Destr 1), we have g(M1, . . . ,Mn) = M ′ and

let x = g(M1, . . . ,Mn) in P else Q→ P{M ′/x}

We assume E ⊢ let x = g(M1, . . . , Mn) in P else Q. This judgment must have been derived by (Destructor application) from ∀i ∈ {1, . . . , n}, E ⊢ Mi : Ti, and ∀T ∈ Og(T1, . . . , Tn), E, x : T ⊢ P for some T1, . . . , Tn. There exists an equation g(N1, . . . , Nn) = N′ in def(g) and a substitution σ such that ∀i ∈ {1, . . . , n}, Mi = σNi and M′ = σN′. For each variable xj that occurs in N1, . . . , Nn, we have a subterm σxj of M1, . . . , Mn, and a type Txj must have been given to this subterm when typing M1, . . . , Mn, so we have E ⊢ σxj : Txj for each variable xj that occurs in N1, . . . , Nn. (All occurrences of each variable xj have the same type, since each term has at most one type.) Since E ⊢ σNi : Ti, we have E′ ⊢ Ni : Ti where E′ is the environment that associates each variable xj with the type Txj. Since g(N1, . . . , Nn) = N′ is in def(g), by (P3), there exists T ∈ Og(T1, . . . , Tn) such that E′ ⊢ N′ : T. By the substitution lemma (Lemma 5.1.1), E ⊢ M′ : T. Since E, x : T ⊢ P, the substitution lemma yields E ⊢ P{M′/x}.


• The cases (Red Let) and (Red Cond 1) follow by (Red Destr 1). (Recall that localdefinitions and conditionals can be encoded as destructor applications.)

The remaining cases are easy. □

In the study of programming languages, it is common to complement subject-reductionproperties with progress properties. A typical progress property says that well-typed programsdo not get stuck as a result of dynamic type errors—for example, attempting to multiply aboolean and an integer. Dynamic type errors are meaningful whenever the language’s executionmodel includes dynamic type information, such as different tags on booleans and integers.Without such tags, on the other hand, the representations of booleans and integers may well bemultiplied, though the result of such an operation will typically be implementation-dependent.

In our context, by analogy, one might consider stating a progress property that wouldguarantee that no “dynamic secrecy-type error” causes a process to get stuck. A “dynamicsecrecy-type error” might be using public data as non-public data, or vice versa. Like ordinarydynamic type errors, “dynamic secrecy-type errors” are meaningful if the execution modelincludes dynamic type information, in this case tags that indicate secrecy types. The operationalsemantics of our process calculus does not however include such tags. Indeed, it is deliberatelyindependent of any secrecy information. Furthermore, our typings do not imply any progressproperty: as the following typability lemma says, every process is well-typed (at least in a fairlytrivial way that makes its free names and free variables public).

Lemma 5.1.4 (Typability) Let P be an untyped process. If fn(P) ⊆ {a1, . . . , an}, fv(P) ⊆ {x1, . . . , xm}, T′i ∈ TPublic for all i ∈ {1, . . . , n}, and Ti ∈ TPublic for all i ∈ {1, . . . , m}, then

a1 : T′1, . . . , an : T′n, x1 : T1, . . . , xm : Tm ⊢ P

Proof We first prove by induction that all terms are of a type in TPublic; that is:

a1 : T′1, . . . , an : T′n, x1 : T1, . . . , xm : Tm ⊢ M : T

with T ∈ TPublic if fn(M) ⊆ {a1, . . . , an}, fv(M) ⊆ {x1, . . . , xm}, T′i ∈ TPublic for all i ∈ {1, . . . , n}, and Ti ∈ TPublic for all i ∈ {1, . . . , m}.

• For names and variables, this follows by Rule (Atom).

• For composite terms f(M1, . . . , Mk), this follows by Rule (Constructor application) and the induction hypothesis, since if T″i ∈ TPublic for all i ∈ {1, . . . , k}, then Of(T″1, . . . , T″k) ∈ TPublic by (P1).

Now we prove the claim, by induction on the structure of P.

• For output, notice that if T ∈ TPublic, then TPublic ⊆ conveys(T) by (P0).

• For input, if T ∈ TPublic, then TPublic ⊇ conveys(T) by (P0).

• In the case of restriction, we let the type of the new name be in TPublic.

• For destructor application, notice that if T″i ∈ TPublic for all i ∈ {1, . . . , k}, then T ∈ TPublic for all T ∈ Og(T″1, . . . , T″k), by (P2).

□

This typability lemma is important because it means that any process that represents anadversary is well-typed. It is a formal counterpart to the informal idea that the type systemcannot constrain the adversary.


5.2 Secrecy

The secrecy theorem says that if a closed process P is well-typed in an environment E, and a name s is not of a type in TPublic according to E, then P preserves the secrecy of s from S, where S is the set of names that are of a type in TPublic according to E. In other words, P preserves the secrecy of names whose type is not in TPublic against adversaries that can output, input, and compute on names of types in TPublic.

Theorem 5.2.1 (Secrecy) Let P be a closed process. Suppose that E ⊢ P, E ⊢ s : T′, and T′ ∉ TPublic. Let S = {a | E ⊢ a : T and T ∈ TPublic}. Then P preserves the secrecy of s from S.

This secrecy theorem is a consequence of the subject-reduction lemma and the typability lemma.

Proof Suppose that S = {a1, . . . , al}, let Ti be the type of ai, so (ai :Ti) ∈ E with Ti ∈ TPublic.

In order to derive a contradiction, we assume that P does not preserve the secrecy of s from S. Then there exists a process Q with fv(Q) = ∅ and fn(Q) ⊆ S, such that P | Q →∗ R and R ≡ c〈s〉.Q′ | R′, where c ∈ S. By Lemma 5.1.4, a1 : T1, . . . , al : Tl ⊢ Q, so E ⊢ Q. Therefore, E ⊢ P | Q. By Lemma 5.1.3, E ⊢ R, and by Lemma 5.1.2, E ⊢ c〈s〉.Q′ | R′. Since c ∈ S, we have E ⊢ c : T and T ∈ TPublic for some T. The judgment E ⊢ c〈s〉.Q′ must be derived by (Output) from E ⊢ c : T and E ⊢ s : T′ with T′ ∈ conveys(T). Furthermore, T′ ∈ TPublic by (P0), contradicting the hypotheses of the theorem. So P preserves the secrecy of s from S. □

We restate a special case of the theorem, as it may be particularly clear.

Corollary 5.2.2 Suppose that a : T, s : T ′ ⊢ P with T ∈ TPublic and T ′ /∈ TPublic. Then Ppreserves the secrecy of s from a. That is, for all closed processes Q such that fn(Q) ⊆ {a},P | Q does not output s on a.

Suppose that the secrecy theorem implies that a process P preserves the secrecy of two names s and s′, treating each of these names separately. The two applications of the secrecy theorem may in general rely on two different ways of showing that P is well-typed, with two different typing environments E and E′. We must have that E ⊢ s : T and E′ ⊢ s′ : T′ for some types T, T′ ∉ TPublic. However, we may also have that E ⊢ s′ : T1 and E′ ⊢ s : T′1 for some types T1, T′1 ∈ TPublic. Ideally, we would like to have a single environment E such that E ⊢ P, E ⊢ s : T, and E ⊢ s′ : T′ with T, T′ ∉ TPublic. Thus, E would make secret as much as possible, providing a "most secret typing" for P. In general, most secret typings are not always possible. For example, the instance of Section 6.1 does not guarantee the existence of most secret typings. (The proof is very similar to that in [5, Section 5.3].) In contrast, in the instance of Section 7, the types generated by the verifier yield most secret typings.

6 Some Instances of the Type System

As an important example, we show how the general type system applies to symmetric and asym-metric encryption. Specifically, we show two instances of the general type system, one infinitaryand the other finitary, for processes that use symmetric and asymmetric encryption, built usingthe constructors ntuple, sencrypt , pencrypt , and pk , and the corresponding destructors ithn,sdecrypt , and pdecrypt , introduced in Section 2. These instances are similar in scope and powerto previous special-purpose type systems [1, 5], but they treat additional constructs and couldeasily treat even more.

In both instances, we include types for public and secret data, Public and Secret (as well as types with more structure, such as certain types for tuples). It would be straightforward to extend the instances with additional levels of secrecy, for example introducing an extra type TopSecret. Our results carry over to such extensions, and they can imply, for example, that even when data of type Secret is allowed to become public (by letting Secret ∈ TPublic), data of type TopSecret need not be. Such results are perhaps reminiscent of classic work on multilevel security (e.g., [27]). However, unlike in that classic work, we need not require that the types form a lattice. We also have different concerns (for example, protecting against network attacks rather than against Trojan horses), and obtain different security guarantees (since our definition of secrecy does not preclude all information flows).

T ::=                       types
    Public                  public data
    Secret                  secret data
    T1 × . . . × Tn         tuple
    C[T]                    secret channel
    KSecret[T]              secret shared key
    DKSecret[T]             decryption key whose corresponding encryption key is secret
    EKSecret[T]             secret encryption key
    DKPublic[T]             decryption key whose corresponding encryption key is public
    EKPublic[T]             public encryption key

Figure 4: Grammar of types in an instance of the type system

6.1 An Infinitary Instance

For the first instance, the grammar of types is given in Figure 4. Informally, types have thefollowing meanings:

• Public is the type of public data.

• Secret is the type of secret data.

• T1 × . . .× Tn is the type of tuples, whose components are of types T1, . . . , Tn.

• C[T ] is the type of a channel that can convey data of type T and that cannot be knownby the adversary. (Channels that can be known by the adversary are of type Public.)Channel types are ordinary data types, so channel names can be encrypted and can besent in messages.

• KSecret[T ] is the type of symmetric keys that can be used to encrypt data of type T andthat cannot be known by the adversary. (Symmetric keys that can be known by theadversary are of type Public.)

• EKSecret[T ] is the type of secret asymmetric encryption keys that can be used to encryptcleartexts of type T .

• DKSecret[T ] is the type of asymmetric decryption keys for cleartexts of type T and suchthat the corresponding encryption keys are secret. These decryption keys are also secret.

• EKPublic[T] is the type of public asymmetric encryption keys that can be used to encrypt cleartexts of type T. The adversary can use these keys to encrypt its messages, so public messages can also be encrypted under these keys.

• DKPublic[T] is the type of asymmetric decryption keys for cleartexts of type T and such that the corresponding encryption keys are public. These decryption keys are however secret. When decrypting a message with such a key, the result can be of type T (in normal use of the key) or of type Public (when the adversary has used the corresponding encryption key to encrypt one of its messages).

We define TPublic and the type operators of the system in Figure 5. For this purpose, we let the subtyping relation ≤ be reflexive and transitive, with

  C[T] ≤ Secret,
  KSecret[T] ≤ Secret,
  DKSecret[T] ≤ Secret,
  EKSecret[T] ≤ Secret,
  DKPublic[T] ≤ Secret,
  EKPublic[T] ≤ Public,
  Public × . . . × Public ≤ Public,
  if ∃i ∈ {1, . . . , n}, Ti = Secret then T1 × . . . × Tn ≤ Secret,
  if T1 ≤ T′1, . . . , Tn ≤ T′n then T1 × . . . × Tn ≤ T′1 × . . . × T′n.

Importantly, the definitions allow encryption under a public key of type EKPublic[T] to accept data both of type Public and of type T. For the corresponding decryption, we handle both cases: Opdecrypt(Public, DKPublic[T]) includes both subtypes of T and subtypes of Public. (A similar idea appears in the special-purpose type system of [5].) As explained above, we do not need a "subsumption" rule.

TPublic = {T | T ≤ Public}
        = {Public, EKPublic[T]} ∪ {T1 × . . . × Tn | ∀i ∈ {1, . . . , n}, Ti ∈ TPublic}.

If T ≤ Public, then conveys(T) = TPublic;
conveys(C[T]) = {T′ | T′ ≤ T}.

Ontuple(T1, . . . , Tn) = T1 × . . . × Tn.

If T1 ≤ Public and T2 ≤ Public, then Osencrypt(T1, T2) = Public;
if T′ ≤ T, then Osencrypt(T′, KSecret[T]) = Public.

If T1 ≤ Public and T2 ≤ Public, then Opencrypt(T1, T2) = Public;
if T′ ≤ T, then Opencrypt(T′, EKL[T]) = Public.

If T1 ≤ Public, then Opk(T1) = Public;
Opk(DKL[T]) = EKL[T].

Oithn(T1 × . . . × Tn) = {Ti}.

If T ≤ Public, then Osdecrypt(Public, T) = TPublic;
Osdecrypt(Public, KSecret[T]) = {T′ | T′ ≤ T}.

If T ≤ Public, then Opdecrypt(Public, T) = TPublic;
Opdecrypt(Public, DKSecret[T]) = {T′ | T′ ≤ T};
Opdecrypt(Public, DKPublic[T]) = {T′ | T′ ≤ T} ∪ TPublic.

Other cases: conveys(T) = ∅, Of(T1, . . . , Tn) is undefined, Og(T1, . . . , Tn) = ∅.
(L ranges over the two levels Secret and Public.)

Figure 5: Definition of TPublic and type operators in an instance of the type system

Proposition 6.1.1 These definitions satisfy the constraints of the general type system (P0, P1,P2, P3).

Proof (P0), (P1), and (P2) are obvious. We prove (P3).

• ithn(ntuple(M1, . . . , Mn)) = Mi. Suppose that E ⊢ ntuple(M1, . . . , Mn) : T. This judgment must have been derived by (Constructor application). Therefore, T = T1 × . . . × Tn and E ⊢ Mi : Ti, with Ti ∈ Oithn(T).

• sdecrypt(sencrypt(M,N), N) = M . Suppose that E ⊢ sencrypt(M,N):T1 and E ⊢ N :T2.The former judgment must have been derived by (Constructor application). Therefore,E ⊢ M : T and Osencrypt(T, T2) = T1 = Public for some T . By definition of Osencrypt , wehave two cases.

In case T ≤ Public and T2 ≤ Public, we obtain E ⊢ M : T and T ∈ TPublic =Osdecrypt(Public, T2).

Otherwise, T2 = KSecret[T ′] with T ≤ T ′, so E ⊢M : T and T ∈ Osdecrypt(Public, T2).

• pdecrypt(pencrypt(M, pk(N)), N) = M . Suppose that E ⊢ pencrypt(M, pk(N)) : T1 andE ⊢ N : T2. The former judgment must have been derived by applying (Constructorapplication) twice, from E ⊢M : T with Opencrypt(T,Opk (T2)) = T1 = Public for some T .By definition of Opk , we have three cases.

In case T2 ≤ Public, we have Opk (T2) = Public. Moreover, since Opencrypt(T,Public) =Public, we also have T ∈ TPublic. Thus, E ⊢M :T and T ∈ TPublic = Opdecrypt(Public, T2).

In case T2 = DKSecret[T ′], we have Opk (T2) = EKSecret[T ′]. Moreover, sinceOpencrypt(T,EKSecret[T ′]) = Public, we also have T ≤ T ′. Thus, E ⊢ M : T andT ∈ Opdecrypt(Public, T2).

Otherwise, T2 = DKPublic[T′], and we have Opk(T2) = EKPublic[T′]. Moreover, since Opencrypt(T, EKPublic[T′]) = Public, we also have T ≤ T′ or T ∈ TPublic. We obtain E ⊢ M : T and T ∈ Opdecrypt(Public, T2).

□

As an immediate corollary, Theorem 5.2.1 applies, so we can prove secrecy by typing. For example, the type system can be used to establish that s remains secret in the process P of the example protocol of Section 2.2. For this proof, we define E ≜ s : Secret, e : Public, and derive E ⊢ P. In the (Restriction) rule, we choose the types

TsKA ≜ DKPublic[Secret × KSecret[Secret]]

for sKA and

TsKB ≜ DKPublic[Secret × EKPublic[Secret × KSecret[Secret]]]

for sKB. Then pk(sKA) has the type

TpKA ≜ Opk(TsKA) = EKPublic[Secret × KSecret[Secret]]

and pk(sKB) has the type

TpKB ≜ Opk(TsKB) = EKPublic[Secret × EKPublic[Secret × KSecret[Secret]]]

The remainder of the process is typed in the environment:

E′ ≜ E, sKA : DKPublic[Secret × KSecret[Secret]],
        sKB : DKPublic[Secret × EKPublic[Secret × KSecret[Secret]]],
        pKA : EKPublic[Secret × KSecret[Secret]],
        pKB : EKPublic[Secret × EKPublic[Secret × KSecret[Secret]]]

We have that TpKA ∈ conveys(Public) and TpKB ∈ conveys(Public) (since these types are subtypes of Public). Then we only have to show that E′ ⊢ A and E′ ⊢ B. In the typing of A, we choose k of type Secret. Then

E′, k : Secret ⊢ pencrypt((k, pKA), pKB) : Public

follows by (Constructor application), so the output e〈pencrypt((k, pKA), pKB)〉 is well-typed by(Output). In the input e(z), by (Input), z can be of any subtype of Public, then by (Destructorapplication), we have to prove E′, k : Secret, x :Tx, y :Ty ⊢ if x = k then e〈sencrypt(s, y)〉, whereeither Tx ≤ Secret and Ty ≤ KSecret[Secret] or Tx ≤ Public and Ty ≤ Public.

• In the first case, the conditional is well-typed, since the output is well-typed.

• In the second case, the conditional is well-typed, since x and k cannot have the same type.

For typing B, by (Input), the type of z is a subtype of Public. By (Destructor application), we have to show that

E′, x : Tx, y : Ty ⊢ (νKAB)(e〈pencrypt((x, KAB), y)〉.e(z′).let s′ = sdecrypt(z′, KAB) in 0)

where either Tx ≤ Secret and Ty ≤ EKPublic[Secret × KSecret[Secret]], or Tx ≤ Public and Ty ≤ Public.


• In the first case, we choose KAB of type KSecret[Secret]. We have Tx × KSecret[Secret] ≤Secret × KSecret[Secret], and Ty = EKPublic[Secret × KSecret[Secret]] (the only subtype ofEKPublic[Secret×KSecret[Secret]] is itself), so Opencrypt(Tx ×KSecret[Secret], Ty) = Public.

• In the second case, we choose KAB of type Public. We have Tx × Public ≤ Public andTy ≤ Public, therefore Opencrypt(Tx × Public, Ty) = Public.

In both cases, it follows that the encryption is of type Public by (Constructor application), andthat the output is well-typed. In both cases, also, the input e(z′).let s′ = sdecrypt(z′,KAB) in 0is clearly well-typed. Thus, we obtain E ⊢ P . Finally, by Theorem 5.2.1, we conclude that Ppreserves the secrecy of s from {e}.
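The judgments used in this derivation can be checked mechanically. The following Python is an added example, not code from the paper: it encodes the types of Figure 4, the subtyping relation ≤ of Section 6.1 and the type operators of Figure 5 (with Og given as membership tests, since its result sets are infinite), and re-derives the typings used for A, in particular the case split on the types Tx and Ty obtained from pdecrypt(z, sKA). The tuple representation of types, the function names and the list of candidate types are assumptions of this example.

```python
"""Types, subtyping and type operators of the infinitary instance (Section 6.1,
Figures 4 and 5). Added example, not the paper's code. A type is a tuple:
("Public",), ("Secret",), ("C", T), ("KSecret", T), ("EKSecret", T),
("DKSecret", T), ("EKPublic", T), ("DKPublic", T) or ("tuple", T1, ..., Tn)."""

PUBLIC, SECRET = ("Public",), ("Secret",)
SECRET_HEADS = {"C", "KSecret", "DKSecret", "EKSecret", "DKPublic"}

def sub(t, u):
    """t ≤ u: reflexive-transitive closure of the subtyping rules of Section 6.1."""
    if t == u:
        return True
    if u == PUBLIC:          # EKPublic[T] ≤ Public; a tuple ≤ Public iff every component is
        return t[0] == "EKPublic" or (t[0] == "tuple" and all(sub(c, PUBLIC) for c in t[1:]))
    if u == SECRET:          # secret channels and keys; tuples with a component ≤ Secret
        return t[0] in SECRET_HEADS or (t[0] == "tuple" and any(sub(c, SECRET) for c in t[1:]))
    if u[0] == "tuple":      # componentwise subtyping between tuples of the same arity
        return t[0] == "tuple" and len(t) == len(u) and all(sub(c, d) for c, d in zip(t[1:], u[1:]))
    return False             # C[T], K[T], EK[T], DK[T] have no subtype other than themselves

def public(t):
    """T ∈ TPublic = {T | T ≤ Public}."""
    return sub(t, PUBLIC)

def conveys(t, u):
    """u ∈ conveys(t)."""
    return public(u) if public(t) else (t[0] == "C" and sub(u, t[1]))

def O(f, *ts):
    """Constructor operators O_f of Figure 5; None where undefined."""
    if f == "ntuple":
        return ("tuple",) + ts
    if f in ("sencrypt", "pencrypt"):
        t, k = ts
        keys = ("KSecret",) if f == "sencrypt" else ("EKSecret", "EKPublic")
        if public(t) and public(k):
            return PUBLIC
        return PUBLIC if k[0] in keys and sub(t, k[1]) else None
    if f == "pk":
        (k,) = ts
        if public(k):
            return PUBLIC
        return ("EK" + k[0][2:], k[1]) if k[0] in ("DKSecret", "DKPublic") else None
    return None

def in_O(g, ts, r, i=1):
    """r ∈ O_g(ts) for the destructors of Figure 5 (the result sets may be infinite,
    so they are given as membership tests); i is the projection index for ith."""
    if g == "ith" and ts[0][0] == "tuple":
        return r == ts[0][i]
    if g in ("sdecrypt", "pdecrypt") and ts[0] == PUBLIC:
        k = ts[1]
        if public(k):
            return public(r)
        if (g, k[0]) in (("sdecrypt", "KSecret"), ("pdecrypt", "DKSecret")):
            return sub(r, k[1])
        if (g, k[0]) == ("pdecrypt", "DKPublic"):
            return sub(r, k[1]) or public(r)
    return False

def typ(env, m):
    """E ⊢ M : T for a term M (a name/variable string or (f, M1, ..., Mn)); None if untypable."""
    if isinstance(m, str):
        return env.get(m)
    ts = [typ(env, a) for a in m[1:]]
    return None if None in ts else O(m[0], *ts)

# The environment E′ of the worked example (E = s : Secret, e : Public).
K_S = ("KSecret", SECRET)
T_sKA = ("DKPublic", ("tuple", SECRET, K_S))
T_sKB = ("DKPublic", ("tuple", SECRET, ("EKPublic", ("tuple", SECRET, K_S))))
E1 = {"s": SECRET, "e": PUBLIC, "sKA": T_sKA, "sKB": T_sKB,
      "pKA": O("pk", T_sKA), "pKB": O("pk", T_sKB)}

def type_of_A_message():
    """E′, k : Secret ⊢ pencrypt((k, pKA), pKB) : Public."""
    return typ({**E1, "k": SECRET}, ("pencrypt", ("ntuple", "k", "pKA"), "pKB"))

def pdecrypt_cases_in_A(cands=(SECRET, PUBLIC, K_S, ("EKPublic", SECRET))):
    """Pairs (Tx, Ty) with Tx × Ty ∈ Opdecrypt(Public, TsKA), over a candidate list
    (the true set is infinite): either Tx ≤ Secret and Ty = KSecret[Secret], or both public."""
    return [(tx, ty) for tx in cands for ty in cands
            if in_O("pdecrypt", (PUBLIC, T_sKA), ("tuple", tx, ty))]
```

pdecrypt_cases_in_A() samples only four candidate types because Opdecrypt(Public, DKPublic[T]) contains every subtype of Public and is therefore infinite; what the enumeration exhibits is exactly the two shapes of the case split above, and no mixed pair such as Secret × Public, which is why the conditional on x = k in A is well-typed in every case.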

As for the process P′ of Section 2.2, we cannot show that it preserves the secrecy of sA or sB from {e} using this instance of the type system. This difficulty stems from two different uses of the key sKA, which appear because A plays both roles in the protocol. (Indeed, if sA or sB were of type Secret, then y would be of type KSecret[Secret] in A′, so sKA would have a type of the form DKPublic[T × KSecret[Secret]], and y could be of type KSecret[Secret] in B″ in conflict with the use of y as public encryption key.) In Section 6.2, we present a variant that avoids this difficulty. We postpone the formal analysis of the process P′ itself to Section 7.

6.2 A Finitary Instance

Typechecking may be difficult, or at least non-trivial, in infinitary instances such as the one ofSection 6.1, in which the type rules contain universal quantifications over infinite sets of types.In this section, we present a weaker instance that deals with the same function symbols butuses only a finite number of types. For this finitary instance, automatic typechecking and typeinference are easy by exhaustive exploration of all typings.

The set of types of this instance is:

Types = {Public,Secret,EKPublic,Public-Secret-EKPublic}

These types have the following meanings:

• Public is the type of public data and Secret is the type of secret data, as in the previousinstance.

• EKPublic is the type of public asymmetric encryption keys such that the correspondingdecryption keys are secret.

• Public-Secret-EKPublic is the type of triples whose first component is of type Public, secondcomponent is of type Secret, and third component is of type EKPublic.

We define TPublic and the type operators of the system in Figure 6. The resulting instance ofthe type system has similarities with the special-purpose type system of [1]. However, that typesystem does not handle public-key encryption; more importantly, it establishes a different notionof secrecy (a form of non-interference), and accordingly its typing of tests is more restrictive inorder to prevent the so-called “implicit” information flows.
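Because this instance has only four types, the rules of Figure 3 can be run directly as an exhaustive search: (Restriction) guesses one of four types, and the universal quantifications in (Input) and (Destructor application) range over finite sets. The Python below is an added example, not the paper's code or verifier. It implements the operators of Figure 6, checks (P1) and (P2) by enumerating all public argument types, and typechecks a small constructed protocol (not the example of Section 2.2) together with a leaky variant, a process that sends a secret in clear, and an arbitrary adversary process (which must be typable, by Lemma 5.1.4). The tuple encoding of terms and processes and the protocol itself are assumptions of this example.

```python
"""Exhaustive typechecker for the finitary instance (Section 6.2, Figure 6).
Added example, not the paper's code or tool. Terms are strings (names and
variables) or tuples (f, M1, ..., Mn); processes are tagged tuples. The
protocol at the end is a constructed toy, not the example of Section 2.2."""
from itertools import product

PUBLIC, SECRET, EKPUB, PSE = "Public", "Secret", "EKPublic", "Public-Secret-EKPublic"
TYPES = (PUBLIC, SECRET, EKPUB, PSE)
TPUBLIC, NONE = frozenset({PUBLIC, EKPUB}), frozenset()

def conveys(t):
    return TPUBLIC if t in TPUBLIC else (frozenset({PSE}) if t == SECRET else NONE)

# Constructor operators O_f of Figure 6: a type, or None when undefined.
def O_ntuple(*ts):
    if len(ts) == 3 and ts[0] in TPUBLIC and ts[1:] == (SECRET, EKPUB): return PSE
    if all(t == SECRET for t in ts): return SECRET
    if all(t == EKPUB for t in ts): return EKPUB
    return PUBLIC if all(t in TPUBLIC for t in ts) else None

def O_sencrypt(t, k): return PUBLIC if (t, k) == (PSE, SECRET) or {t, k} <= TPUBLIC else None
def O_pencrypt(t, k): return PUBLIC if (t, k) == (PSE, EKPUB) or {t, k} <= TPUBLIC else None
def O_pk(k): return EKPUB if k == SECRET else (PUBLIC if k in TPUBLIC else None)

CONSTRUCTORS = {"ntuple": (O_ntuple, (1, 2, 3)), "sencrypt": (O_sencrypt, (2,)),
                "pencrypt": (O_pencrypt, (2,)), "pk": (O_pk, (1,))}   # operator, arities

# Destructor operators O_g of Figure 6: the set of possible result types.
def O_ith(i, t):                                   # i-th projection, i in 1..3
    if t == PSE: return (TPUBLIC, frozenset({SECRET}), frozenset({EKPUB}))[i - 1]
    return {PUBLIC: TPUBLIC, SECRET: frozenset({SECRET}), EKPUB: frozenset({EKPUB})}.get(t, NONE)

def O_decrypt(c, k, under_secret):                 # shared shape of sdecrypt and pdecrypt
    if c != PUBLIC: return NONE
    return TPUBLIC if k in TPUBLIC else (under_secret if k == SECRET else NONE)

DESTRUCTORS = {"sdecrypt": (lambda c, k: O_decrypt(c, k, frozenset({PSE})), 2),
               "pdecrypt": (lambda c, k: O_decrypt(c, k, frozenset({PSE, EKPUB, PUBLIC})), 2)}
for i in (1, 2, 3):
    DESTRUCTORS[f"{i}th"] = (lambda t, i=i: O_ith(i, t), 1)

def check_P1_P2():
    """(P1) and (P2) of Section 4.1, by enumerating all public argument types."""
    for op, arities in CONSTRUCTORS.values():
        for n in arities:
            if any(op(*ts) not in TPUBLIC for ts in product(TPUBLIC, repeat=n)): return False
    for op, n in DESTRUCTORS.values():
        if any(not op(*ts) <= TPUBLIC for ts in product(TPUBLIC, repeat=n)): return False
    return True

def typ(env, m):
    """E ⊢ M : T by (Atom) and (Constructor application); None if M is untypable."""
    if isinstance(m, str): return env.get(m)
    ts = [typ(env, a) for a in m[1:]]
    return None if None in ts else CONSTRUCTORS[m[0]][0](*ts)

def check(env, p):
    """E ⊢ P, searching the finite type set for each restricted name (bound names
    and variables are assumed distinct, so extending env never clashes)."""
    tag = p[0]
    if tag == "nil":  return True
    if tag == "par":  return check(env, p[1]) and check(env, p[2])
    if tag == "repl": return check(env, p[1])
    if tag == "new":  return any(check({**env, p[1]: t}, p[2]) for t in TYPES)
    if tag == "out":                                   # (Output)
        tm, tn = typ(env, p[1]), typ(env, p[2])
        return tm is not None and tn in conveys(tm) and check(env, p[3])
    if tag == "in":                                    # (Input): x takes every conveyed type
        tm = typ(env, p[1])
        return tm is not None and all(check({**env, p[2]: t}, p[3]) for t in conveys(tm))
    if tag == "let":                                   # (Destructor application)
        _, x, g, args, body, els = p
        ts = [typ(env, a) for a in args]
        if None in ts: return False
        return all(check({**env, x: t}, body) for t in DESTRUCTORS[g][0](*ts)) and check(env, els)
    if tag == "if":                                    # (Conditional): P only if types coincide
        tm, tn = typ(env, p[1]), typ(env, p[2])
        return None not in (tm, tn) and (tm != tn or check(env, p[3])) and check(env, p[4])
    raise ValueError(tag)

# Constructed protocol: A and B share k; B's public key is pk(skB). The leaky
# variant differs only in B forwarding the decrypted triple in clear.
#   A = (νn) e⟨sencrypt((n, s, pk(skB)), k)⟩
#   B = e(z). let m = sdecrypt(z, k) in (let y = 3th(m) in e⟨pencrypt(m, y)⟩ else 0) else 0
NIL = ("nil",)
A = ("new", "n", ("out", "e", ("sencrypt", ("ntuple", "n", "s", ("pk", "skB")), "k"), NIL))
B = ("in", "e", "z", ("let", "m", "sdecrypt", ["z", "k"],
     ("let", "y", "3th", ["m"], ("out", "e", ("pencrypt", "m", "y"), NIL), NIL), NIL))
B_LEAK = ("in", "e", "z", ("let", "m", "sdecrypt", ["z", "k"], ("out", "e", "m", NIL), NIL))
ADV = ("in", "e", "z", ("out", "e", ("sencrypt", "z", "z"), NIL))   # an attacker process

def protocol(b): return ("new", "k", ("new", "skB", ("par", ("repl", A), ("repl", b))))
ENV = {"e": PUBLIC, "s": SECRET}

def secret_from_public(env, p, name):
    """Theorem 5.2.1: a typing with env[name] ∉ TPublic proves secrecy of name from the public names."""
    return env[name] not in TPUBLIC and check(env, p)
```

For protocol(B) the search must choose k : Secret and skB : Secret (every other choice makes A's encryption undefined), after which the input z of B is checked at both Public and EKPublic; at EKPublic the set Osdecrypt(EKPublic, Secret) is empty, so only the else branch matters. For protocol(B_LEAK) no choice works: the decrypted triple has type Public-Secret-EKPublic, which conveys(Public) does not contain.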

Proposition 6.2.1 These definitions satisfy the constraints of the general type system (P0, P1,P2, P3).

Proof (P0), (P1), and (P2) are obvious. We prove (P3).

• ithn(ntuple(M1, . . . ,Mn)) = Mi. Suppose that E ⊢ ntuple(M1, . . . ,Mn) : T . This judg-ment must have been derived by (Constructor application), so we have four cases, one foreach case in the definition of Ontuple .

Page 120: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

112 Martın Abadi and Bruno Blanchet

TPublic = {EKPublic, Public}.

If T ∈ TPublic, then conveys(T) = TPublic;
conveys(Secret) = {Public-Secret-EKPublic}.

If T ∈ TPublic, then O3tuple(T, Secret, EKPublic) = Public-Secret-EKPublic;
Ontuple(Secret, . . . , Secret) = Secret;
Ontuple(EKPublic, . . . , EKPublic) = EKPublic;
if T1, . . . , Tn ∈ TPublic and there exists i ∈ {1, . . . , n} such that Ti ≠ EKPublic, then Ontuple(T1, . . . , Tn) = Public.

Osencrypt(Public-Secret-EKPublic, Secret) = Public;
if T1, T2 ∈ TPublic, then Osencrypt(T1, T2) = Public.

Opencrypt(Public-Secret-EKPublic, EKPublic) = Public;
if T1, T2 ∈ TPublic, then Opencrypt(T1, T2) = Public.

Opk(Secret) = EKPublic;
if T1 ∈ TPublic, then Opk(T1) = Public.

Oithn(EKPublic) = {EKPublic};
Oithn(Public) = TPublic;
Oithn(Secret) = {Secret};
O1th3(Public-Secret-EKPublic) = TPublic;
O2th3(Public-Secret-EKPublic) = {Secret};
O3th3(Public-Secret-EKPublic) = {EKPublic}.

If T ∈ TPublic, then Osdecrypt(Public, T) = TPublic;
Osdecrypt(Public, Secret) = {Public-Secret-EKPublic}.

If T ∈ TPublic, then Opdecrypt(Public, T) = TPublic;
Opdecrypt(Public, Secret) = {Public-Secret-EKPublic, EKPublic, Public}.

Other cases: conveys(T) = ∅, Of(T1, . . . , Tn) is undefined, Og(T1, . . . , Tn) = ∅.

Figure 6: Definition of TPublic and type operators in another instance of the type system


1. n = 3, T = Public-Secret-EKPublic, E ⊢ M1 : T′ with T′ ∈ TPublic, E ⊢ M2 : Secret, E ⊢ M3 : EKPublic, and T′ ∈ TPublic = O1th3(T), Secret ∈ O2th3(T), EKPublic ∈ O3th3(T).

2. T = Secret, E ⊢ Mi : Secret, and Secret ∈ Oithn(Secret).

3. T = EKPublic, E ⊢ Mi : EKPublic, and EKPublic ∈ Oithn(EKPublic).

4. T = Public, E ⊢ Mi : Ti with Ti ∈ TPublic, and Ti ∈ TPublic = Oithn(Public).

• sdecrypt(sencrypt(M, N), N) = M. Suppose that E ⊢ sencrypt(M, N) : T1 and E ⊢ N : T2. The former judgment must have been derived by (Constructor application). Therefore, E ⊢ M : T and Osencrypt(T, T2) = T1 = Public for some T. By definition of Osencrypt, we have two cases.

In case T, T2 ∈ TPublic, we obtain E ⊢ M : T and T ∈ TPublic = Osdecrypt(Public, T2).

Otherwise, T2 = Secret and T = Public-Secret-EKPublic, so E ⊢ M : T and T ∈ Osdecrypt(Public, T2).

• pdecrypt(pencrypt(M, pk(N)), N) = M. Suppose that E ⊢ pencrypt(M, pk(N)) : T1 and E ⊢ N : T2. The former judgment must have been derived by applying (Constructor application) twice, from E ⊢ M : T with Opencrypt(T, Opk(T2)) = T1 = Public for some T. By definition of Opk, we have two cases.

In case T2 ∈ TPublic, we have Opk(T2) = Public. Moreover, since Opencrypt(T, Public) = Public, we also have T ∈ TPublic. Thus, E ⊢ M : T and T ∈ TPublic = Opdecrypt(Public, T2).

Otherwise, T2 = Secret, and we have Opk(T2) = EKPublic. Moreover, since Opencrypt(T, EKPublic) = Public, we also have T = Public-Secret-EKPublic or T ∈ TPublic. We obtain E ⊢ M : T and T ∈ Opdecrypt(Public, T2).

□

The process P of Section 2.2 clearly does not typecheck in this type system, since the type system supports encryption of only public data and triples, and the protocol uses encryption of pairs containing secrets. This point illustrates that this instance is more restrictive than the instance of the previous section. We can however adapt the protocol to obtain a similar protocol that does typecheck. More precisely, we modify the encryptions so that their cleartexts are always of type Public-Secret-EKPublic. Thus the protocol becomes:

Message 1. A → B : pencrypt((aPublic, k, pKA), pKB)
Message 2. B → A : pencrypt((a′Public, (k, KAB), a′EKPublic), pKA)
Message 3. A → B : sencrypt((a′′Public, s, a′′EKPublic), KAB)

where aPublic and similar fields indicate arbitrary padding of the appropriate types. This protocol can be represented by the following process:

P ≜ (νsKA)(νsKB) let pKA = pk(sKA) in
    let pKB = pk(sKB) in e〈pKA〉.e〈pKB〉.(A | B)

A ≜ (νk)(νaPublic) e〈pencrypt((aPublic, k, pKA), pKB)〉.
    e(z).let (x′1, (x, y), x′3) = pdecrypt(z, sKA) in
    if x = k then (νa′′Public)(νa′′EKPublic)
    e〈sencrypt((a′′Public, s, a′′EKPublic), y)〉

B ≜ e(z).let (x1, x, y) = pdecrypt(z, sKB) in
    (νKAB)(νa′Public)(νa′EKPublic)
    e〈pencrypt((a′Public, (x, KAB), a′EKPublic), y)〉.
    e(z′).let (x′′1, s′, x′′3) = sdecrypt(z′, KAB) in 0


This process is typable in this instance of the type system: letting E ≜ s : Secret, e : Public, we can show that E ⊢ P. In the (Restriction) rule, we choose the type Secret for sKA and sKB. Then pk(sKA) and pk(sKB) have the type Opk(Secret) = EKPublic. The remainder of the process is typed in the environment:

E′ ≜ E, sKA : Secret, sKB : Secret, pKA : EKPublic, pKB : EKPublic

We check that EKPublic ∈ conveys(Public) (since this type is in TPublic), so the outputs e〈pKA〉.e〈pKB〉 are well-typed. Then we only have to show that E′ ⊢ A and E′ ⊢ B. In the typing of A, we choose k of type Secret, aPublic of type Public. Then

E′, k : Secret, aPublic : Public ⊢ pencrypt((aPublic, k, pKA), pKB) : Public

follows by (Constructor application), so the output e〈pencrypt((aPublic, k, pKA), pKB)〉 is well-typed by (Output). In the input e(z), by (Input), z can be of type Public or EKPublic; then by (Destructor application), (x′1, (x, y), x′3) can be of type Public-Secret-EKPublic, Public, or EKPublic, so (x, y) can be of type Secret, Public, or EKPublic. Hence we have to prove E′, k : Secret, x : Tx, y : Ty, a′′Public : Public, a′′EKPublic : EKPublic ⊢ if x = k then e〈sencrypt((a′′Public, s, a′′EKPublic), y)〉, where either Tx = Ty = Secret or Tx, Ty ∈ TPublic.

• In the first case, the conditional is well-typed, since the output is well-typed.

• In the second case, the conditional is well-typed, since x and k cannot have the same type.

For typing B, by (Input), the type of z is in TPublic. By (Destructor application), we have to show that

E′, x : Tx, y : Ty ⊢ (νKAB)(νa′Public)(νa′EKPublic)
    e〈pencrypt((a′Public, (x, KAB), a′EKPublic), y)〉.
    e(z′).let (x′′1, s′, x′′3) = sdecrypt(z′, KAB) in 0

where either Tx = Secret and Ty = EKPublic, or Tx, Ty ∈ TPublic.

• In the first case, we choose KAB of type Secret, a′Public of type Public, and a′EKPublic of type EKPublic. Then (a′Public, (x, KAB), a′EKPublic) is of type Public-Secret-EKPublic and Opencrypt(Public-Secret-EKPublic, EKPublic) = Public.

• In the second case, we choose KAB, a′Public, and a′EKPublic of type Public. Then (a′Public, (x, KAB), a′EKPublic) is of type Public and Opencrypt(Public, Ty) = Public.

In both cases, it follows that the encryption is of type Public by (Constructor application), and that the output is well-typed. The input e(z′).let (x′′1, s′, x′′3) = sdecrypt(z′, KAB) in 0 is clearly well-typed in both cases. Thus, we obtain E ⊢ P. Finally, by Theorem 5.2.1, we conclude that P preserves the secrecy of s from {e}.
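The constructor typing used in this argument can be mechanized. The following Python is an added example, not code from the paper or from its authors: it encodes TPublic, conveys and the constructor operators Opk, Ontuple, Osencrypt and Opencrypt of Figure 6, and computes the type of a term from the types of its atoms as the (Constructor application) rule does, returning None when no typing derivation exists. It confirms that the message pencrypt((aPublic, k, pKA), pKB) of this section has type Public while the message pencrypt((k, pKA), pKB) of the original protocol of Section 2.2 has no type, which is why the original P does not typecheck here. The term encoding (nested Python tuples headed by the constructor name, with "tuple" standing for the n-tuple constructor) and the environment ENV are our assumptions.

```python
"""Added example: constructor typing in the finitary instance of Figure 6."""
from typing import Dict, List, Optional, Set, Union

PUBLIC, SECRET, EKPUBLIC = "Public", "Secret", "EKPublic"
PSE = "Public-Secret-EKPublic"
T_PUBLIC: Set[str] = {EKPUBLIC, PUBLIC}            # TPublic of Figure 6

# A term is an atom (a str naming a name or variable) or a tuple
# (constructor, arg1, ..., argn); n-tuples use the constructor "tuple".
Term = Union[str, tuple]

def conveys(t: str) -> Set[str]:
    """Types that a channel of type t may carry (Figure 6)."""
    if t in T_PUBLIC:
        return set(T_PUBLIC)
    if t == SECRET:
        return {PSE}
    return set()

def o_tuple(ts: List[str]) -> Optional[str]:
    """O_ntuple: the type of an n-tuple from its component types, None if undefined."""
    if len(ts) == 3 and ts[0] in T_PUBLIC and ts[1] == SECRET and ts[2] == EKPUBLIC:
        return PSE
    if ts and all(t == SECRET for t in ts):
        return SECRET
    if ts and all(t == EKPUBLIC for t in ts):
        return EKPUBLIC
    if all(t in T_PUBLIC for t in ts) and any(t != EKPUBLIC for t in ts):
        return PUBLIC
    return None

def o_sencrypt(tm: str, tk: str) -> Optional[str]:
    """O_sencrypt: a triple under a Secret key, or public data under a public key."""
    if (tm, tk) == (PSE, SECRET) or (tm in T_PUBLIC and tk in T_PUBLIC):
        return PUBLIC
    return None

def o_pencrypt(tm: str, tk: str) -> Optional[str]:
    """O_pencrypt: a triple under an EKPublic key, or public data under a public key."""
    if (tm, tk) == (PSE, EKPUBLIC) or (tm in T_PUBLIC and tk in T_PUBLIC):
        return PUBLIC
    return None

def o_pk(t: str) -> Optional[str]:
    """O_pk: the public key of a Secret decryption key is EKPublic."""
    if t == SECRET:
        return EKPUBLIC
    if t in T_PUBLIC:
        return PUBLIC
    return None

def type_of(term: Term, env: Dict[str, str]) -> Optional[str]:
    """Return T with E ⊢ M : T by (Constructor application), or None if M has no type."""
    if isinstance(term, str):
        return env.get(term)
    f, args = term[0], term[1:]
    arg_types = [type_of(a, env) for a in args]
    if any(t is None for t in arg_types):
        return None
    if f == "tuple":
        return o_tuple(arg_types)
    if f == "sencrypt":
        return o_sencrypt(*arg_types)
    if f == "pencrypt":
        return o_pencrypt(*arg_types)
    if f == "pk":
        return o_pk(*arg_types)
    return None                                     # other constructors: Of undefined

def output_ok(chan: Term, msg: Term, env: Dict[str, str]) -> bool:
    """(Output): M〈N〉 is well-typed when the type of N is in conveys(type of M)."""
    tc, tm = type_of(chan, env), type_of(msg, env)
    return tc is not None and tm is not None and tm in conveys(tc)

# Assumed environment: E′, k : Secret, aPublic : Public from the typing of A above.
ENV = {"e": PUBLIC, "s": SECRET, "sKA": SECRET, "sKB": SECRET,
       "pKA": EKPUBLIC, "pKB": EKPUBLIC, "k": SECRET, "aPublic": PUBLIC}

MSG1_TYPED = ("pencrypt", ("tuple", "aPublic", "k", "pKA"), "pKB")   # message 1 above
MSG1_ORIG = ("pencrypt", ("tuple", "k", "pKA"), "pKB")               # message 1 of Section 2.2

if __name__ == "__main__":
    print(type_of(MSG1_TYPED, ENV), type_of(MSG1_ORIG, ENV))          # Public None
```

Because Ontuple is undefined on (Secret, EKPublic), the pair (k, pKA) has no type and the whole encryption fails to type, exactly the situation described above; padding the pair to a Public-Secret-EKPublic triple is what makes the term typable.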

We can adapt the process P ′ of Section 2.2 in a similar way, with the redefinitions:

P′ ≜ (νsKA)(νsKB) let pKA = pk(sKA) in
     let pKB = pk(sKB) in e〈pKA〉.e〈pKB〉.(!A′ | !B′ | !B′′)

A′ ≜ e(xpKB).(νk)(νaPublic) e〈pencrypt((aPublic, k, pKA), xpKB)〉.
     e(z).let (x′1, (x, y), x′3) = pdecrypt(z, sKA) in
     if x = k then
       (if xpKB = pKB then (νa′′Public)(νa′′EKPublic) e〈sencrypt((a′′Public, sB, a′′EKPublic), y)〉
        | if xpKB = pKA then (νa′′Public)(νa′′EKPublic) e〈sencrypt((a′′Public, sA, a′′EKPublic), y)〉)


B′ ≜ e(z).let (x1, x, y) = pdecrypt(z, sKB) in
     (νKAB)(νa′Public)(νa′EKPublic)
     e〈pencrypt((a′Public, (x, KAB), a′EKPublic), y)〉.
     e(z′).let (x′′1, s′, x′′3) = sdecrypt(z′, KAB) in 0

B′′ ≜ e(z).let (x1, x, y) = pdecrypt(z, sKA) in
      (νKAB)(νa′Public)(νa′EKPublic)
      e〈pencrypt((a′Public, (x, KAB), a′EKPublic), y)〉.
      e(z′).let (x′′1, s′, x′′3) = sdecrypt(z′, KAB) in 0

We can show that this variant is well-typed in this instance of the type system: e : Public, sA : Secret, sB : Secret ⊢ P′. Thus, we obtain that this process (but not the original process P′ of Section 2.2) preserves the secrecy of sA and sB from {e}.

As in these examples, this finitary instance of the type system requires a rather strong discipline in the format of data encrypted under secret keys or sent on secret channels. While this discipline may not be hard to follow in writing new processes, it typically requires rewriting other processes before they can be typechecked. Even when the rewriting may appear simple, it may strengthen the processes in question. For example (as suggested above and explained fully in Section 7) the original process P′ of Section 2.2 does not satisfy the secrecy properties that hold for its well-typed variant. What might be perceived as a disappointment if one is interested in the properties of the original process is a positive outcome if one aims to obtain security guarantees.

We return to the analysis of the original processes P and P′ of Section 2.2 in Section 7.

7 The Protocol Checker

In this section we give a precise definition of a protocol checker based on untyped logic programs, then study its properties, in particular proving its equivalence to the type system. This equivalence is considerably less routine and predictable than properties such as subject reduction (Lemma 5.1.3).

As explained in the introduction, the checker takes as input a process and translates it into an abstract representation by logic-programming rules. This representation and its manipulation, but not the translation of processes, come from previous work [13]. Interested readers may consult that work for further explanations of the material in the early part of Section 7.1.

In our definition and study of the checker, we emphasize its use for proving secrecy properties, in particular that names remain secret in the sense defined in Section 3. However, the checker has also been used for establishing other security properties. In particular, it has been quite effective in proofs of authenticity properties, expressed as correspondences between events [14]. Recently, it has also been used in establishing certain process equivalences that capture strong secrecy properties [15].

7.1 Definition of the Protocol Checker

Given a closed process P0 and a set of names S, the protocol checker builds a set of rules, in the form of Horn clauses.

The rules use two predicates: attacker and message. The fact attacker(p) means that the attacker may have p, and the fact message(p, p′) means that the message p′ may appear on channel p.

F ::=                        facts
    attacker(p)              attacker knowledge
    message(p, p′)           channel messages


Here p and p′ range over patterns (or “terms”, but we prefer the word “patterns” in order to avoid confusion), which are generated by the following grammar:

p ::=                        patterns
    x, y, z                  variable
    a[p1, . . . , pn]        name
    f(p1, . . . , pn)        constructor application

For each name a in P0 we have a corresponding pattern construct a[p1, . . . , pn]. We treat a as a function symbol, and write a[p1, . . . , pn] rather than a(p1, . . . , pn) only for clarity. If a is a free name, then the arity of this function is 0. If a is bound by a restriction (νa)P in P0, then this arity is the number of input statements above the restriction (νa)P in the abstract syntax tree of P0. Without loss of generality, we assume that each restriction (νa)P in P0 has a different name a, and that this name is different from any free name of P0. Thus, in the checker, a new name behaves as a function of the inputs that take place (lexically) before its creation. For instance, when we represent a process of the form (νb)a(x).(νc)Q, we use the pattern a[] for the name a, b[] for b, and c[x] for c. Basically, we map a and b to constants, and c to a function of the input x.

We use the same patterns even when we treat processes with more replications, such as !(νb)a(x).!(νc)Q. Despite the replications, we use a single pattern for b, and one that depends only on x for c. Thus, we distinguish names only when they are created after receiving different inputs. In contrast, a restriction in a process always generates fresh names; hence the rules will not exactly reflect the operational semantics of processes, but this approximation is useful for automation and harmless in most examples. As we show below, this approximation is also compatible with soundness and completeness theorems that prove the equivalence between the type system and the logic-programming system.

The rules comprise rules for the attacker and rules for the protocol. Next we define these two kinds.

7.1.1 Rules for the Attacker

Initially, the attacker has all the names in a set S, hence the rules attacker(a[]) for each a ∈ S. Moreover, the abilities of the attacker are represented by the following rules:

For each constructor f of arity n,
    attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn))    (Rf)

For each destructor g, for each equation g(M1, . . . , Mn) = M in def(g),
    attacker(M1) ∧ . . . ∧ attacker(Mn) ⇒ attacker(M)    (Rg)

    message(x, y) ∧ attacker(x) ⇒ attacker(y)    (Rl)

    attacker(x) ∧ attacker(y) ⇒ message(x, y)    (Rs)

The rules (Rf) and (Rg) mean that the attacker can apply all operations to all terms it has, (Rf) for constructors, (Rg) for destructors. The set of these rules is finite if the set of constructors and each of the sets def(g) is finite; handling this set is easiest in this finite case. In (Rg), notice that the terms M1, . . . , Mn, M do not contain destructors, that equations in def(g) do not have free names, and that terms without free names are also patterns, so the rules have the required format. Rule (Rl) means that the attacker can listen on all the channels it has, and (Rs) that it can send all the messages it has on all the channels it has.


7.1.2 Rules for the Protocol

When a function ρ associates a pattern with each name and variable, and f is a constructor, we extend ρ as a substitution by ρ(f(M1, . . . , Mn)) = f(ρ(M1), . . . , ρ(Mn)).

The translation [[P]]ρh of a process P is a set of rules, where the environment ρ is a function that associates a pattern with each name and variable, and h is a sequence of facts of the form message(p, p′). The empty sequence is denoted by ∅; the concatenation of a fact F to the sequence h is denoted by h ∧ F.

• [[0]]ρh = ∅

• [[P | Q]]ρh = [[P]]ρh ∪ [[Q]]ρh

• [[!P]]ρh = [[P]]ρh

• [[(νa)P]]ρh = [[P]](ρ[a ↦ a[p′1, . . . , p′n]])h if h = message(p1, p′1) ∧ . . . ∧ message(pn, p′n)

• [[M(x).P]]ρh = [[P]](ρ[x ↦ x])(h ∧ message(ρ(M), x))

• [[M〈N〉.P]]ρh = [[P]]ρh ∪ {h ⇒ message(ρ(M), ρ(N))}

• [[let x = g(M1, . . . , Mn) in P else Q]]ρh = ∪{[[P]]((σρ)[x ↦ σ′p′])(σh) | g(p′1, . . . , p′n) = p′ is in def(g) and (σ, σ′) is a most general pair of substitutions such that σρ(M1) = σ′p′1, . . . , σρ(Mn) = σ′p′n} ∪ [[Q]]ρh

Thus, the translation of a process is, very roughly, a set of rules that enable us to prove that it sends certain messages. The sequence h keeps track of messages received by the process, since these may trigger other messages.

• The translation of 0 is the empty set, because this process does nothing.

• The translation of a parallel composition P | Q is the union of the translations of P and Q, because P | Q sends the messages of P and Q plus any messages that result from the interaction of P and Q.

• Replication is ignored, because the target logic is classical, so all logical rules are applicable arbitrarily many times.

• For restriction, we replace the restricted name a in question with a pattern a[. . .] that depends on the messages received, as recorded in the sequence h.

• The sequence h is extended in the translation of an input, with the input in question.

• On the other hand, the translation of an output adds a clause; this clause represents that reception of the messages in h can trigger the output in question.

• Finally, the translation of a destructor application takes the union of the clauses for the case where the destructor succeeds (with an appropriate substitution) and those for the case where the destructor fails; thus the translation avoids having to determine whether the destructor will succeed or fail.
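The clauses of the definition above can be followed mechanically. The Python below is an added example, not code from the paper or from its authors: it implements [[P]]ρh for the fragment of the calculus without destructor application (0, parallel composition, replication, restriction, input and output), together with fn(P) and the rule base B_{P0,S} minus the signature-dependent rules (Rf) and (Rg). Restriction under inputs yields the name patterns a[p′1, . . . , p′n] described in Section 7.1; the two sample processes, the process (νc)(c〈s〉 | c(x).d〈c〉) discussed at the end of Section 7.2 and !(νb)a(x).!(νc)c〈b〉, are constructed here, and the encoding of processes, patterns and rules as Python tuples is our assumption.

```python
"""Added example: the translation [[P]]ρh of Section 7.1.2 for a process fragment."""
from typing import Dict, FrozenSet, Set, Tuple

# Patterns and terms: a variable is a Python str; a name a[p1,...,pn] and a
# constructor application f(p1,...,pn) are both tuples (symbol, p1, ..., pn),
# names being treated as function symbols exactly as the checker does.
# Processes (assumed encoding):
#   ("nil",)  ("par", P, Q)  ("repl", P)  ("new", a, P)
#   ("in", M, x, P)  ("out", M, N, P)
# A fact is ("message", p, p2) or ("attacker", p); a rule h ⇒ F is the pair
# (h, F) with h a tuple of facts, so a fact on its own is ((), F).

def apply_rho(rho: Dict[str, object], M):
    """Extend ρ from atoms to terms as a substitution: ρ(f(M1..Mn)) = f(ρ(M1)..ρ(Mn))."""
    if isinstance(M, str):
        return rho[M]
    return (M[0],) + tuple(apply_rho(rho, a) for a in M[1:])

def translate(P, rho: Dict[str, object], h: Tuple) -> Set[Tuple]:
    """[[P]]ρh: the set of rules generated by P (destructor application not handled)."""
    kind = P[0]
    if kind == "nil":                                    # [[0]]ρh = ∅
        return set()
    if kind == "par":                                    # union of both sides
        return translate(P[1], rho, h) | translate(P[2], rho, h)
    if kind == "repl":                                   # replication is ignored
        return translate(P[1], rho, h)
    if kind == "new":                                    # a ↦ a[p′1, ..., p′n]
        a, Q = P[1], P[2]
        received = tuple(fact[2] for fact in h)          # the p′i of message(pi, p′i) in h
        return translate(Q, {**rho, a: (a,) + received}, h)
    if kind == "in":                                     # extend h with message(ρ(M), x)
        M, x, Q = P[1], P[2], P[3]
        return translate(Q, {**rho, x: x}, h + (("message", apply_rho(rho, M), x),))
    if kind == "out":                                    # add the clause h ⇒ message(ρ(M), ρ(N))
        M, N, Q = P[1], P[2], P[3]
        clause = (h, ("message", apply_rho(rho, M), apply_rho(rho, N)))
        return translate(Q, rho, h) | {clause}
    raise ValueError(f"unsupported process form {kind!r}")

def atoms(M) -> Set[str]:
    """Names and variables occurring in a term."""
    return {M} if isinstance(M, str) else set().union(*(atoms(a) for a in M[1:]))

def free_names(P, bound: FrozenSet[str] = frozenset()) -> Set[str]:
    """fn(P): atoms occurring in P that are bound neither by ν nor by an input."""
    kind = P[0]
    if kind == "nil":
        return set()
    if kind == "par":
        return free_names(P[1], bound) | free_names(P[2], bound)
    if kind == "repl":
        return free_names(P[1], bound)
    if kind == "new":
        return free_names(P[2], bound | {P[1]})
    if kind == "in":
        return (atoms(P[1]) - bound) | free_names(P[3], bound | {P[2]})
    return ((atoms(P[1]) | atoms(P[2])) - bound) | free_names(P[3], bound)

RL = ((("message", "x", "y"), ("attacker", "x")), ("attacker", "y"))   # (Rl)
RS = ((("attacker", "x"), ("attacker", "y")), ("message", "x", "y"))   # (Rs)

def rule_base(P0, S: Set[str]) -> Set[Tuple]:
    """B_{P0,S} without (Rf) and (Rg), which depend on the constructor signature."""
    rho = {a: (a,) for a in free_names(P0)}              # ρ = {a ↦ a[] | a ∈ fn(P0)}
    return translate(P0, rho, ()) | {((), ("attacker", (a,))) for a in S} | {RL, RS}

# Constructed sample: (νc)(c〈s〉 | c(x).d〈c〉), the process of the end of Section 7.2.
P0 = ("new", "c", ("par", ("out", "c", "s", ("nil",)),
                          ("in", "c", "x", ("out", "d", "c", ("nil",)))))
# Constructed sample: !(νb)a(x).!(νc)c〈b〉, giving the name patterns b[] and c[x].
P1 = ("repl", ("new", "b", ("in", "a", "x",
               ("repl", ("new", "c", ("out", "c", "b", ("nil",)))))))

if __name__ == "__main__":
    for rule in sorted(rule_base(P0, {"d"}), key=repr):
        print(rule)
```

For P0 the translation yields the two clauses message(c[], s[]) and message(c[], x) ⇒ message(d[], c[]) quoted in Section 7.2; for P1 the restriction (νc) sits below one input, so c becomes the unary pattern c[x] while b stays the constant b[].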

7.1.3 Summary and Secrecy Results

Let ρ = {a ↦ a[] | a ∈ fn(P0)}. We define the rule base corresponding to the closed process P0 as:

BP0,S = [[P0]]ρ∅ ∪ {attacker(a[]) | a ∈ S} ∪ {(Rf), (Rg), (Rl), (Rs)}

As an example, Figure 7 gives the rule base for the process P of the end of Section 2.1. In this rule base, all occurrences of message(c[], M) where c ∈ S are replaced by attacker(M).


attacker(x) ∧ attacker(y)⇒ attacker(pencrypt(x, y))

attacker(x)⇒ attacker(pk(x))

attacker(pencrypt(m, pk(k))) ∧ attacker(k)⇒ attacker(m)

attacker(x) ∧ attacker(y)⇒ attacker(sencrypt(x, y))

attacker(sencrypt(m, k)) ∧ attacker(k)⇒ attacker(m)

attacker(x) ∧ attacker(y)⇒ message(x, y)

message(x, y) ∧ attacker(x)⇒ attacker(y)

attacker(e[])

attacker(pk(sKA[]))

attacker(pk(sKB[]))

attacker(pencrypt((k[], pk(sKA[])), pk(sKB[])))

attacker(pencrypt((k[], x), pk(sKA[])))⇒ attacker(sencrypt(s[], x))

attacker(pencrypt((x, y), pk(sKB[]))) ⇒ attacker(pencrypt((x, KAB[pencrypt((x, y), pk(sKB[]))]), y))

Figure 7: Rules for the process P of Section 2.2

These two facts are equivalent by the rules (Rl) and (Rs). The rules for tuples are omitted; these rules are built-in in the protocol checker [13].

We have the following secrecy result. Let s ∈ fn(P0). If attacker(s[]) cannot be derived from BP0,S, then P0 preserves the secrecy of s from S. This result is the basis for a method for proving secrecy properties. Of course, whether a fact can be derived from BP0,S may be undecidable, but in practice there exist algorithms that terminate on numerous examples of protocols. In particular, we can use variants of resolution algorithms, such as resolution with free selection, as in [13]. It has been shown that this algorithm always terminates for a class of protocols called tagged protocols [16]. Intuitively, a tagged protocol is a protocol in which each application of a cryptographic constructor (in particular, each encryption and each signature) is distinguished from others by a constant tag. For instance, to encrypt m under k, we write sencrypt((c, m), k) instead of sencrypt(m, k), where c is a constant tag. Different encryptions in the protocol use different tags, and the receiver of a message always checks the tags. Experimentally, the algorithm also terminates on many non-tagged protocols. Comon and Cortier show that an algorithm using ordered binary resolution, ordered factorization, and splitting terminates on protocols which blindly copy at most one term in each message [22]. (A blind copy happens when a participant sends back part of a message it received without looking at what is contained inside this part.)

The secrecy result discussed above can be proved directly. Instead, below we establish it by showing that we can build a typing of P0 in a suitable instance of our general type system; the result then follows from Theorem 5.2.1. We also establish a completeness theorem, as a converse: the checker yields the “best” instance of our general type system.

7.2 Correctness

We use the rule base BP0,S to define an instance of our general type system, as follows.

• The grammar of types is:


T ::=                        types
    a[T1, . . . , Tn]        name
    f(T1, . . . , Tn)        constructor application

The types are exactly closed patterns.

• TPublic = {T | attacker(T) is derivable from BP0,S} (that is, the protocol checker says that the attacker may have T).

• conveys(T) = {T′ | message(T, T′) is derivable from BP0,S} (that is, the protocol checker says that the channel T may convey T′).

• Of(T1, . . . , Tn) = f(T1, . . . , Tn).

• Og(T1, . . . , Tn) = {σM | there exists an equation g(M1, . . . , Mn) = M in def(g), σ maps variables to types, and for all i ∈ {1, . . . , n}, σMi = Ti}.

(Notice that this definition is compatible with the definition of Oid and Oequals in the encoding of let and conditionals of Section 4.)

We have the following two results:

Proposition 7.2.1 The checker’s type system satisfies the constraints (P0, P1, P2, P3) of the general type system.

Lemma 7.2.2 Let P0 be a closed process and E = {a : a[] | a ∈ fn(P0)}. Then E ⊢ P0.

The proofs of these results are in an appendix. The secrecy theorem for the protocol checker follows from these results and the secrecy theorem for the general type system (Theorem 5.2.1):

Theorem 7.2.3 (Secrecy) Let P0 be a closed process and s ∈ fn(P0). If attacker(s[]) cannot be derived from BP0,S, then P0 preserves the secrecy of s from S.

Proof Let E = {a : a[] | a ∈ fn(P0)}, and E′ = {a : a[] | a ∈ fn(P0) ∪ S}. By Lemma 7.2.2, E ⊢ P0, so E′ ⊢ P0. Since attacker(s[]) cannot be derived from BP0,S, we have s[] ∉ TPublic. Let S′ = {b | E′ ⊢ b : T and T ∈ TPublic}. By Theorem 5.2.1 (and Proposition 7.2.1), P0 preserves the secrecy of s from S′. We have S ⊆ S′. (If b ∈ S, then attacker(b[]) ∈ BP0,S, so b[] ∈ TPublic and E′ ⊢ b : b[], so b ∈ S′.) Therefore, a fortiori, P0 preserves the secrecy of s from S. □

For example, attacker(s[]) is not derivable from BP,{e} where P is the process of Section 2.2, so we can show using this theorem that P preserves the secrecy of s from {e}. We can also show that the process P′ preserves the secrecy of sB from {e}. However, attacker(sA[]) is derivable from BP′,{e}, so we cannot prove that P′ preserves the secrecy of sA from {e}. More precisely, we can derive attacker(sA[]) as follows. The clauses

attacker(pk(sKA[]))    (1)

attacker(xpKB) ⇒ attacker(pencrypt((k[xpKB], pk(sKA[])), xpKB))    (2)

attacker(pencrypt((k[pk(sKA[])], y), pk(sKA[]))) ∧ attacker(pk(sKA[])) ⇒ attacker(sencrypt(sA[], y))    (3)

attacker(sencrypt(x, y)) ∧ attacker(y) ⇒ attacker(x)    (4)

are in BP′,{e}: (1) comes from the output e〈pKA〉, (2) comes from the output of message 1 by A, e〈pencrypt((k, pKA), xpKB)〉, (3) comes from the output of message 3 by A, e〈sencrypt(sA, y)〉, and (4) means that the adversary can decrypt when it has the key; it is (Rg) for the destructor sdecrypt. By (1), attacker(pk(sKA[])) is true; by (2), we derive attacker(pencrypt((k[pk(sKA[])], pk(sKA[])), pk(sKA[]))); by (3), we derive attacker(sencrypt(sA[], pk(sKA[]))); and by (4), we finally obtain attacker(sA[]). This derivation corresponds to an attack against the protocol:

Message 1. A → C(A) : pencrypt((k, pKA), pKA)
Message 2. C → A : pencrypt((k, pKA), pKA)
Message 3. A → C(A) : sencrypt(s, pKA)

First A sends message 1 to itself playing the role of B. (This corresponds to applying the clause (2).) The attacker C intercepts this message and sends it back to A as message 2. A then replies with message 3 sencrypt(s, pKA). (This corresponds to applying the clause (3).) The attacker can decrypt this reply. (This corresponds to applying the clause (4).) This attack depends on A mistaking its own public key for a session key. Such “type confusions” are not always possible in concrete implementations (for example, because public keys and session keys may have different lengths). When they are, they can be prevented by tagging data with type tags. The “type confusions” can also be prevented through discipline: for example, in Section 6.2, the constraint that encryptions must take plaintexts of type Public-Secret-EKPublic prevents the attack on a variant of P′. In this and many similar cases, type systems can support the prudent design of protocols.

We may note that this protocol is also subject to another attack, which does not compromise the secrecy of sA and sB and which resembles Lowe’s attack against the Needham-Schroeder public-key protocol [43]:

Message 1.  A → C : pencrypt((k, pKA), pKC)
Message 1′. C(A) → B : pencrypt((k, pKA), pKB)
Message 2.  B → C(A) : pencrypt((k, KAB), pKA)
Message 2′. C → A : pencrypt((k, KAB), pKA)
Message 3.  A → C : sencrypt(s, KAB)
Message 3′. C(A) → B : sencrypt(s, KAB)

In this attack, A executes a run with the adversary C, and C uses this run to execute a run of the protocol with B as if it were A. C decrypts the first message received from A, encrypts it with B’s public key, and sends it to B. B then replies with the second message, which C simply forwards to A. A replies with the last message, which C forwards to B to complete the run. A then believes that k, KAB, and s are secrets shared with C, while B believes that they are secrets shared with A. C can obtain k (but not s and KAB). We can exhibit this attack by adding one more message B → A : sencrypt(s′, k). The fact attacker(s′[]) is then derivable from the clauses that represent the protocol and the adversary, as expected since the resulting protocol does not preserve the secrecy of s′. This attack can be prevented by adding the public key pKB of B in the second message.

With this addition and the addition of tags (discussed above), we obtain the following exchange:

Message 1. A → B : pencrypt((c1, k, pKA), pKB)
Message 2. B → A : pencrypt((c2, k, KAB, pKB), pKA)
Message 3. A → B : sencrypt(s, KAB)
Message 4. B → A : sencrypt(s′, k)

where c1 and c2 are tags for messages 1 and 2, respectively. We have studied a process that represents this exchange. Using the checker, we have proved that this process preserves the secrecy of s and s′, as desired. (We omit details of this analysis for the sake of brevity.)


Despite what the previous examples might suggest, a derivation of the fact attacker(s[]) does not always correspond to an actual attack that compromises the secrecy of the corresponding name s. For instance, the process P0 = (νc)(c〈s〉 | c(x).d〈c〉) preserves the secrecy of s from {d}, but the checker cannot establish it because attacker(s[]) is derivable from the clauses (Rl), message(c[], s[]), and message(c[], x) ⇒ attacker(c[]) that are in BP0,{d}. (Note that message(d[], c[]) is equivalent to attacker(c[]) since d is a public channel.) These clauses do not take into account that the output c〈s〉 must have been executed before the adversary gets the channel c. This incompleteness is not specific to the checker. In particular, our relative completeness result (below) implies that no instance of our general type system can prove that P0 preserves the secrecy of s from {d}. Furthermore, in practice, the checker rarely signals false attacks when applied to processes that correspond to actual protocols.
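Both derivations discussed above, the one of attacker(sA[]) from clauses (1)–(4) and the false attack attacker(s[]) on P0 = (νc)(c〈s〉 | c(x).d〈c〉), can be replayed with a small forward-chaining engine. The Python below is an added example, not code from the paper or from its authors, and it is not the resolution algorithm with free selection of [13]: it saturates a Horn-clause rule base by ground forward chaining and discards any derived fact whose pattern exceeds a size bound, which is what makes saturation terminate in the presence of constructor rules. A fact it derives is a genuine consequence of the clauses; a fact it fails to derive within the bound is not shown underivable. The encoding of patterns (variables as Python strings, names and constructors as tuples headed by their symbol) and the bound of 12 symbols are our assumptions; the clauses themselves are the ones given above.

```python
"""Added example: bounded ground saturation of a Horn-clause rule base."""
from typing import Dict, FrozenSet, Iterator, List, Set, Tuple

# Patterns: a variable is a str; a name a[p1..pn] and a constructor f(p1..pn)
# are both tuples (symbol, p1, ..., pn).  A fact is ("attacker", p) or
# ("message", p, p2); a rule is (hypotheses, conclusion) with a list of facts
# as hypotheses, so an unconditional fact is the rule ([], fact).
Rule = Tuple[List[Tuple], Tuple]

def att(p) -> Tuple:
    return ("attacker", p)

def msg(c, p) -> Tuple:
    return ("message", c, p)

def subst(t, s: Dict[str, object]):
    """Apply a substitution; every variable of a conclusion occurs in a hypothesis."""
    if isinstance(t, str):
        return s[t]
    return (t[0],) + tuple(subst(a, s) for a in t[1:])

def match(pat, ground, s: Dict[str, object]) -> bool:
    """One-way matching of a pattern against a ground fact, extending s in place."""
    if isinstance(pat, str):
        if pat in s:
            return s[pat] == ground
        s[pat] = ground
        return True
    if isinstance(ground, str) or pat[0] != ground[0] or len(pat) != len(ground):
        return False
    return all(match(p, g, s) for p, g in zip(pat[1:], ground[1:]))

def size(t) -> int:
    """Number of symbols in a pattern; the cut-off that keeps saturation finite."""
    return 1 if isinstance(t, str) else 1 + sum(size(a) for a in t[1:])

def instances(hyps: List[Tuple], facts: FrozenSet[Tuple], s: Dict) -> Iterator[Dict]:
    """Substitutions under which every hypothesis is an already-derived fact."""
    if not hyps:
        yield s
        return
    for f in facts:
        s2 = dict(s)
        if match(hyps[0], f, s2):
            yield from instances(hyps[1:], facts, s2)

def saturate(rules: List[Rule], max_size: int = 12) -> Set[Tuple]:
    """Forward chaining to a fixpoint over facts of at most max_size symbols."""
    facts: Set[Tuple] = set()
    changed = True
    while changed:
        changed = False
        snapshot = frozenset(facts)
        for hyps, concl in rules:
            for s in instances(hyps, snapshot, {}):
                fact = subst(concl, s)
                if size(fact) <= max_size and fact not in facts:
                    facts.add(fact)
                    changed = True
    return facts

def derivable(rules: List[Rule], goal: Tuple, max_size: int = 12) -> bool:
    return goal in saturate(rules, max_size)

RL: Rule = ([msg("x", "y"), att("x")], att("y"))          # (Rl)
RS: Rule = ([att("x"), att("y")], msg("x", "y"))          # (Rs)

# Clauses (1)-(4) of B_{P′,{e}} exactly as written above.
PK_A = ("pk", ("sKA",))
SA = ("sA",)
P_PRIME_CLAUSES: List[Rule] = [
    ([], att(PK_A)),                                                            # (1)
    ([att("xpKB")], att(("pencrypt", ("tuple", ("k", "xpKB"), PK_A), "xpKB"))),  # (2)
    ([att(("pencrypt", ("tuple", ("k", PK_A), "y"), PK_A)), att(PK_A)],
     att(("sencrypt", SA, "y"))),                                               # (3)
    ([att(("sencrypt", "x", "y")), att("y")], att("x")),                        # (4)
]

# The clauses of B_{P0,{d}} for P0 = (νc)(c〈s〉 | c(x).d〈c〉), with message(d[], c[])
# already rewritten as attacker(c[]) as in the text.
C, S, D = ("c",), ("s",), ("d",)
P0_CLAUSES: List[Rule] = [RL, RS, ([], att(D)), ([], msg(C, S)), ([msg(C, "x")], att(C))]

if __name__ == "__main__":
    print(derivable(P_PRIME_CLAUSES, att(SA)), derivable(P0_CLAUSES, att(S)))   # True True
```

On the P′ clauses the engine derives, in order, attacker(pencrypt((k[pk(sKA[])], pk(sKA[])), pk(sKA[]))), attacker(sencrypt(sA[], pk(sKA[]))) and attacker(sA[]), the three steps of the derivation above; the next instance of clause (2) would exceed the size bound and is dropped, which is why saturation stops. Removing clause (1) leaves nothing for clause (2) to fire on, so the leak hinges on the adversary holding pKA, as the attack narrative states.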

7.3 Completeness

The protocol checker is incomplete in the sense that it fails to prove some true properties. However, as the next theorem states, the protocol checker is relatively complete: it is as complete as the type system of Section 4.

Theorem 7.3.1 (Completeness) Let P0 be a closed process, s a name, and S a set of names. Suppose that an instance of the general type system proves (by Theorem 5.2.1) that P0 preserves the secrecy of s from S. Then attacker(s[]) cannot be derived from BP0,S, so the protocol checker also proves that P0 preserves the secrecy of s from S.

This completeness result shows the power of the protocol checker. This power is not only theoretical: it has been demonstrated in practice on several examples [13], from simple protocols like variants of the Needham-Schroeder protocols [49] to Skeme [41], a certified email protocol [4, 8], and JFK [6, 10].

The completeness result does not however mean that the protocol checker constitutes the only useful instance of the general type system. In particular, simpler instances are easier to use in manual reasoning. Presenting those instances by type rules (rather than logic programs) is often quite convenient. Moreover, the checker does not always terminate, in particular when it tries to establish properties of an infinite family of types; in other instances of the type system, we may merge those types (obtaining some finite proofs at the cost of completeness). Similarly, the (rare) case where a set def(g) is large or infinite is more problematic for the checker than for the general type system. Finally, the general type system may be combined with other type-based analyses for proving protocol properties other than secrecy (e.g., as in [32], which deals with authenticity properties).

The proof of the theorem requires establishing a correspondence between types T of an instance of the general type system and closed patterns Tc (which are the types of the checker according to Section 7.2): we define a partial function φ that maps Tc to T. Then we prove that all rules of BP0,S are satisfied, in the following sense:

Definition 7.3.2 The closed fact attacker(Tc) is said to be satisfied if φ(Tc) is defined and φ(Tc) ∈ TPublic. The closed fact message(Tc, T′c) is satisfied if φ(T′c) ∈ conveys(φ(Tc)). The sequence of closed facts F1 ∧ . . . ∧ Fn is satisfied if for all i ∈ {1, . . . , n}, Fi is satisfied. The rule F1 ∧ . . . ∧ Fn ⇒ F is satisfied if, for every closed substitution σ such that σ(F1 ∧ . . . ∧ Fn) is satisfied, σF is also satisfied.

Therefore, all facts derived from BP0,S are satisfied. Moreover, if s is proved secret by the instance of the general type system, then attacker(s[]) is not satisfied. (If attacker(s[]) were satisfied, we would also have that φ(s[]) ∈ TPublic, so the instance of the general type system would not be able to prove the secrecy of s.) Hence, attacker(s[]) cannot be derived from BP0,S. The result follows.


The rest of this section gives a more detailed explanation of the proof. We consider a closedprocess P0, a name s, and a set of names S . We also consider an instance of the general typesystem, and assume that this instance proves (by Theorem 5.2.1) that P0 preserves the secrecyof s from S . That is, we assume that, in this instance, there exists an environment E0 suchthat E0 ⊢ P0, E0 ⊢ s : T with T /∈ TPublic, and S = {a | E0 ⊢ a : T and T ∈ TPublic}. Withoutloss of generality, we may assume that E0 contains only names. We fix a proof of E0 ⊢ P0 forthe rest of this argument.

Now we consider the protocol checker. All values concerning this system have index c. Theset of types is:

Tc ::= typesa[Tc1, . . . , Tcn] namef(Tc1, . . . , Tcn) constructor application

Intuitively, a well-chosen environment for a subprocess P of P0 is an environment that canbe used to type P in a “standard” proof that P0 is well-typed, using the type system associatedwith the protocol checker in Section 7.2. A “standard” proof is one in which types introducedby the rule (Restriction) for (νa)Q are of the form a[Tc1, . . . , Tcn], where Tc1, . . . , Tcn are thetypes of the variables bound by inputs above (νa)Q in P0’s syntax tree.

A (Tc1, . . . , Tcn)-well-chosen environment for P is similar, except that the parameters (Tc1, . . . , Tcn) indicate which types should be chosen for the variables bound by inputs. Note that a (Tc1, . . . , Tcn)-well-chosen environment for P does not always exist, for example when the number of parameters (Tc1, . . . , Tcn) does not correspond to the number of variables bound by inputs above P in P0.

Definition 7.3.3 Let Tc1, . . . , Tcn be closed patterns. A (Tc1, . . . , Tcn)-well-chosen environment for an occurrence of a subprocess of P0 is defined as follows:

• A ()-well-chosen environment for P0 is ρ0 = {a ↦ a[] | (a : T ) ∈ E0}.

• If Ec is a (Tc1, . . . , Tcn)-well-chosen environment for M〈N〉.P , then Ec is a (Tc1, . . . , Tcn)-well-chosen environment for P .

• If Ec is a (Tc1, . . . , Tcn)-well-chosen environment for M(x).P , then Ec[x ↦ Tcn+1] is a (Tc1, . . . , Tcn, Tcn+1)-well-chosen environment for P , for all Tcn+1.

• If Ec is a (Tc1, . . . , Tcn)-well-chosen environment for P | Q, then Ec is a (Tc1, . . . , Tcn)-well-chosen environment for P and Q.

• If Ec is a (Tc1, . . . , Tcn)-well-chosen environment for !P , then Ec is a (Tc1, . . . , Tcn)-well-chosen environment for P .

• If Ec is a (Tc1, . . . , Tcn)-well-chosen environment for (νa)P , then Ec[a ↦ a[Tc1, . . . , Tcn]] is a (Tc1, . . . , Tcn)-well-chosen environment for P .

• Finally, if Ec is a (Tc1, . . . , Tcn)-well-chosen environment for let x = g(M1, . . . ,Mn) in P else Q, then Ec is a (Tc1, . . . , Tcn)-well-chosen environment for Q, and if in addition there exist an equation g(M′1, . . . ,M′n) = M′ in def(g) and a substitution σ such that for all i ∈ {1, . . . , n}, σM′i = Ec(Mi), then Ec[x ↦ σM′] is a (Tc1, . . . , Tcn)-well-chosen environment for P . (In writing Ec(Mi), we view Ec as a function on atoms and extend it to terms as a substitution.)

A pair (ρ, h) is a well-chosen pair for P if h = message(c1, p1) ∧ . . . ∧ message(cn, pn) and, for every closed substitution σ, σρ is a (σp1, . . . , σpn)-well-chosen environment for P .


Analyzing Security Protocols with Secrecy Types and Logic Programs 123

A (Tc1, . . . , Tcn)-well-chosen environment for P depends not only on the process P , but on its occurrence in P0. However, notice that if P = (νa)P′ and we fix the bound name a, the occurrence of the process P is unique, since different restrictions in P0 must create different names. We will have that, if [[P ]]ρh is called during the evaluation of [[P0]]ρ0∅ for ρ0 = {a ↦ a[] | (a : T ) ∈ E0}, then (ρ, h) is a well-chosen pair for P .

The function φ is defined so that if a type Tc appears in a standard proof that P0 is well-typed using the type system associated with the protocol checker in Section 7.2, then φ(Tc) appears in the corresponding place in the proof of E0 ⊢ P0 in the instance of the general type system under consideration.

Definition 7.3.4 The partial function φ : Tc → T from types of the protocol checker to types of the instance of the general type system is defined by induction on the term Tc:

• φ(f(Tc1, . . . , Tcn)) = Of (φ(Tc1), . . . , φ(Tcn)). (Therefore, φ(f(Tc1, . . . , Tcn)) is undefined if Of (φ(Tc1), . . . , φ(Tcn)) is undefined.)

• If E0 ⊢ a : T , then φ(a[]) = T .

• When a is bound by a restriction in P0, we define φ(a[Tc1, . . . , Tcn]) as follows. Let P be the process such that (νa)P is a subprocess of P0. Let Ec be a (Tc1, . . . , Tcn)-well-chosen environment for (νa)P . Let E = φ ◦ Ec. Then φ(a[Tc1, . . . , Tcn]) = T′ where T′ is such that E, a : T′ ⊢ P is a judgment used to prove E0 ⊢ P0. There is at most one such judgment, so T′ is unique.

If a (Tc1, . . . , Tcn)-well-chosen environment for (νa)P does not exist, or if no suitable judgment E, a : T′ ⊢ P appears in the proof of E0 ⊢ P0, then φ(a[Tc1, . . . , Tcn]) is undefined.

This definition is recursive, and we can check that it is well-founded using the following ordering. Names are ordered by a < b if a is bound above b in P0, or a is free and b is bound in P0. The ordering on terms is then the lexicographic ordering of pairs containing as first component the multiset of names that appear in the term and as second component the size of the term. In the first case of the definition of φ, the first component is constant or decreases and the second one decreases. In the third case, the first component decreases: when defining φ(a[Tc1, . . . , Tcn]), in the recursive calls used to compute φ ◦ Ec, the name a at the top of the term has disappeared, and the only names that have appeared with the computation of the well-chosen environment are free names or names bound above a (therefore names smaller than a).

In an appendix, we establish the following three lemmas:

Lemma 7.3.5 Let a ∈ S. The fact attacker(a[]) is satisfied.

Lemma 7.3.6 The rules for the attacker are satisfied.

Lemma 7.3.7 Let P be an occurrence of a subprocess of P0, and (ρ, h) be a well-chosen pair for P . If, for every closed substitution σ such that σh is satisfied, φ ◦ σρ ⊢ P has been proved to obtain E0 ⊢ P0, then the rules in [[P ]]ρh are satisfied. In particular, the rules in [[P0]]ρ0∅ are satisfied, where ρ0 = {a ↦ a[] | (a : T ) ∈ E0}.

Using these lemmas, we obtain the theorem as indicated above:

Proof of Theorem 7.3.1 All the rules in BP0,S are satisfied, by Lemmas 7.3.5, 7.3.6, and 7.3.7. By induction on derivations, we easily see that all facts derived from BP0,S are satisfied. Moreover, E0 ⊢ s : T , with T ∉ TPublic. By definition of φ, φ(s[]) = T ∉ TPublic. Therefore, attacker(s[]) is not satisfied, so attacker(s[]) cannot be derived from BP0,S, that is, the checker claims that P0 preserves the secrecy of s from S. □


8 Treatment of General Equational Theories

As Section 2.1 indicates, the classification of functions into constructors and destructors has limitations; for example, XOR does not fit in either class, so it is hard to treat. A convenient way to overcome these limitations is to allow more general equational theories, as in the applied pi calculus [7]. This section briefly describes one treatment of those equational theories.

In this treatment, we assume that terms are subject to an equational theory T , defined by a set of equations M = N in which the terms M and N do not contain free names. The equational theory is the smallest congruence relation that includes this set of equations and that is preserved by substitution of terms for variables. We write T ⊢ M = N when M equals N in the equational theory.

We can extend the semantics of our calculus to handle equational theories. For this purpose, we can either require that the definitions of destructors be invariant under the equational theory, or allow destructors that can non-deterministically yield several values. In either case, we add the structural congruence P{M/x} ≡ P{N/x} when T ⊢ M = N , and make sure that an else branch of a destructor is selected only when no equation makes it possible to apply the destructor. Similarly, for a conditional, the else branch should be selected only when the corresponding terms are not equal modulo T .

It is fairly straightforward to extend the generic type system to equational theories. It suffices to add the condition that if two terms are equal then they have the same types:

(P4) If E ⊢ M : T and T ⊢ M = N , then E ⊢ N : T .

On the other hand, defining useful instances of the generic type system (in the style of Section 6.1) can sometimes be difficult. For instance, it is not clear what types should be used for XOR or for Diffie-Hellman key-agreement operations, though we have ideas on the latter.

In extending the protocol checker of Section 7, we can use essentially the same Horn clauses to represent a protocol, but these Horn clauses have to be considered modulo an equational theory, and that raises difficult issues. We have to perform unifications modulo an equational theory, or to use other techniques for reasoning on Horn clauses modulo equations, such as paramodulation [12]. (Correspondingly, in our proofs, the types that correspond to the checker would be quotients of closed patterns by an equational theory.)

For simplicity, the current implementation of the checker includes only a simple treatment of equations. To each constructor f is attached a finite set of equations f(M1, . . . ,Mn) = M which is required to satisfy certain closure conditions. It is then easy to generate appropriate Horn clauses for representing a protocol. Obviously, this approach limits which equational theories can be handled. For instance, this approach permits the equation f(x, g(y)) = f(y, g(x)), which can be used to model Diffie-Hellman operations [7], but unification modulo an equational theory could yield a more detailed model [36, 45].

9 Conclusion

This paper makes two main contributions:

1. a type system for expressing and proving secrecy properties of security protocols with a generic treatment of many cryptographic operations;

2. a tight relation between two useful but superficially quite different approaches to protocol analysis, respectively embodied in the type system and in a logic-programming tool.

The first contribution can be seen as the continuation of a line of work on static analyses for security, discussed in the introduction. So far, those static analyses have been developed successfully but often in ad hoc ways. We believe that type systems such as ours not only are useful in examples but also shed light on the constraints and the design space for static analyses.


In the last few years, there has been a vigorous proliferation of frameworks and techniques for reasoning about security protocols. Their relations are seldom explicit or obvious. Moreover, little is known about how to combine techniques. The second contribution is part of a broader effort to understand those relations. It focuses on techniques based on types and on logic programs because of their effectiveness and their popularity, illustrated by the many references given in the introduction. Previous work (in particular [30]) suggests connections between (untyped) process calculi and logic-programming notations for protocols; we go further by relating proof methods in those two worlds. Such connections are perhaps the start of a healthy consolidation.

Acknowledgments

This work was partly done while Martín Abadi was at Bell Labs Research, Lucent Technologies, and at InterTrust’s Strategic Technologies and Architectural Research Laboratory, and while Bruno Blanchet was at INRIA Rocquencourt and at Max-Planck-Institut für Informatik. Martín Abadi’s research was partly supported by faculty research funds granted by the University of California, Santa Cruz, and by the National Science Foundation under Grants CCR-0204162 and CCR-0208800. We would like to thank the anonymous referees, the Area Editor, and Xavier Allamigeon for their helpful comments on this paper.

Appendix: Additional Proofs

This appendix contains a few proofs omitted in the main body of the paper.

Proofs of Proposition 7.2.1 and Lemma 7.2.2

If a finite function E maps atoms to types, we write E also for the environment that binds each atom u in dom(E) with u : E(u). The bindings can be in any order. In addition, the function E is extended to all terms as a substitution.

Lemma .0.8 In the type system of Section 7.2, if E binds all names and variables in M to types (that is, closed patterns), then

E ⊢ M : E(M)

Proof The proof is by induction on the term M .

• For an atom u, we have E ⊢ u : E(u) by (Atom), hence the result.

• For a composite term f(M1, . . . ,Mn), we have E ⊢ Mi : E(Mi) by induction hypothesis. Therefore, by (Constructor application), we obtain E ⊢ f(M1, . . . ,Mn) : E(f(M1, . . . ,Mn)) since Of (E(M1), . . . , E(Mn)) = f(E(M1), . . . , E(Mn)) = E(f(M1, . . . ,Mn)).

□

Proof of Proposition 7.2.1 The proof relies on the rules that represent the attacker in the checker.

(P0) The rule attacker(x) ∧ attacker(y) ⇒ message(x, y) is in BP0,S. If T ∈ TPublic and T′ ∈ TPublic, then attacker(T ) and attacker(T′) can be derived from BP0,S. So message(T, T′) can also be derived from BP0,S and T′ ∈ conveys(T ). Therefore, T ∈ TPublic implies TPublic ⊆ conveys(T ).

Conversely, the rule attacker(x) ∧ message(x, y) ⇒ attacker(y) is also in BP0,S. If T ∈ TPublic and T′ ∈ conveys(T ) then T′ ∈ TPublic. Therefore, T ∈ TPublic implies TPublic ⊇ conveys(T ).


(P1) The rule attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)) is in BP0,S. Therefore, if T1 ∈ TPublic, . . . , Tn ∈ TPublic, then Of (T1, . . . , Tn) ∈ TPublic.

(P2) Assume that T ∈ Og(T1, . . . , Tn). Then there exists an equation g(M1, . . . ,Mn) = M in def(g) and a substitution σ such that Ti = σMi for all i and T = σM . The rule attacker(M1) ∧ . . . ∧ attacker(Mn) ⇒ attacker(M) is in BP0,S. If attacker(T1) ∧ . . . ∧ attacker(Tn) can be derived from BP0,S, then attacker(T ) can also be derived from BP0,S; therefore, if Ti ∈ TPublic for all i ∈ {1, . . . , n}, then T ∈ TPublic.

(P3) If g(M1, . . . ,Mn) = M is in def(g), and E ⊢ Mi : Ti for all i, then Ti = E(Mi) by Lemma .0.8 and the uniqueness of the type of a term. So, taking T = E(M), we have T ∈ Og(T1, . . . , Tn), by definition of Og, and E ⊢ M : T , by Lemma .0.8.

□

Proof of Lemma 7.2.2 We prove by induction on the process P that, if

1. ρ binds all free names and variables of P to patterns,

2. BP0,S ⊇ [[P ]]ρh,

3. σ is a closed substitution, mapping all variables of h and of the image of ρ to patterns,

4. for all p and p′, if message(p, p′) ∈ h then σp′ ∈ conveys(σp),

then σρ ⊢ P .

• Case 0: σρ ⊢ 0 is always true (since σρ is well-formed).

• Case P | Q: Assume that [[P | Q]]ρh = [[P ]]ρh ∪ [[Q]]ρh ⊆ BP0,S. Assume that σ satisfies (3) and (4). By induction hypothesis, σρ ⊢ P and σρ ⊢ Q, so σρ ⊢ P | Q by (Parallel composition).

• Case !P : Assume that [[!P ]]ρh = [[P ]]ρh ⊆ BP0,S. Assume that σ satisfies (3) and (4). By induction hypothesis, σρ ⊢ P , so σρ ⊢ !P by (Replication).

• Case (νa)P : Let h = message(c1, p1) ∧ . . . ∧ message(cn, pn). Assume that

[[(νa)P ]]ρh = [[P ]](ρ[a ↦ a[p1, . . . , pn]])h ⊆ BP0,S

Assume that σ satisfies (3) and (4). By induction hypothesis, σρ, a : σ(a[p1, . . . , pn]) ⊢ P . Therefore, σρ ⊢ (νa)P by (Restriction).

• Case M(x).P : Assume that

[[M(x).P ]]ρh = [[P ]](ρ[x ↦ x])(h ∧ message(ρ(M), x)) ⊆ BP0,S

Assume that σ satisfies (3) and (4). By Lemma .0.8, σρ ⊢ M : σρ(M). Let h′ = h ∧ message(ρ(M), x). Let T ∈ conveys(σρ(M)). Let σ′ = σ[x ↦ T ]. Then σ′x ∈ conveys(σ′ρ(M)), so message(p, p′) ∈ h′ implies σ′p′ ∈ conveys(σ′p). By induction hypothesis, σ′ρ, x : σ′x ⊢ P . So for all T ∈ conveys(σρ(M)), σρ, x : T ⊢ P . By (Input), σρ ⊢ M(x).P .

• Case M〈N〉.P : Assume that

[[M〈N〉.P ]]ρh = [[P ]]ρh ∪ {h ⇒ message(ρ(M), ρ(N))} ⊆ BP0,S

Assume that σ satisfies (3) and (4). By induction hypothesis, σρ ⊢ P . By Lemma .0.8, σρ ⊢ M : σρ(M) and σρ ⊢ N : σρ(N). The rule R = h ⇒ message(ρ(M), ρ(N)) is in BP0,S. By condition (4), for each message(p, p′) in h, σp′ ∈ conveys(σp), so message(σp, σp′) is derivable from BP0,S. Using the rule R, the fact message(σρ(M), σρ(N)) is also derivable from BP0,S. Therefore, we have σρ(N) ∈ conveys(σρ(M)). By (Output), σρ ⊢ M〈N〉.P .


• Case let x = g(M1, . . . ,Mn) in P else Q: Assume that

[[let x = g(M1, . . . ,Mn) in P else Q]]ρh =
    ∪ { [[P ]]((σ1ρ)[x ↦ σ′1p′])(σ1h) | g(p′1, . . . , p′n) = p′ is in def(g) } ∪ [[Q]]ρh
    ⊆ BP0,S

where (σ1, σ′1) is a most general pair of substitutions such that σ1ρ(M1) = σ′1p′1, . . . , σ1ρ(Mn) = σ′1p′n. Assume that σ satisfies (3) and (4). By Lemma .0.8, σρ ⊢ Mi : σρ(Mi) for all i ∈ {1, . . . , n}.

If T ∈ Og(σρ(M1), . . . , σρ(Mn)), then there exist an equation g(p′1, . . . , p′n) = p′ in def(g) and a substitution σ′ such that, for all i, σρ(Mi) = σ′p′i and T = σ′p′. Then there exists σ′′ such that σ = σ′′σ1 and σ′ = σ′′σ′1. Moreover, we have

[[P ]](σ1ρ[x ↦ σ′1p′])(σ1h) ⊆ BP0,S

For all message(p1, p2) ∈ σ′′σ1h = σh, we have p2 ∈ conveys(p1). By induction hypothesis on P , we have σ′′σ1ρ, x : σ′′σ′1p′ ⊢ P , that is, σρ, x : σ′p′ ⊢ P .

Therefore, if T ∈ Og(σρ(M1), . . . , σρ(Mn)), then σρ, x : T ⊢ P . Finally, by induction hypothesis on Q, σρ ⊢ Q. By (Destructor application), σρ ⊢ let x = g(M1, . . . ,Mn) in P else Q.

In particular, BP0,S ⊇ [[P0]]ρ∅, where ρ = {a ↦ a[] | a ∈ fn(P0)}. Then, with E = σρ = {a : a[] | a ∈ fn(P0)}, we obtain E ⊢ P0. □
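The case analysis above is, read the other way round, the definition of the translation [[P ]]ρh that the checker of Section 7 computes. The following Python sketch is an added example, not code from the paper, the thesis or ProVerif: it implements the translation case by case, adds the attacker clauses of BP0,S, and asks whether attacker(s[]) is derivable for a constructed two-role protocol (the constructor senc, the destructor equation sdec(senc(x, y), y) = x, the channels c and d and the processes are all assumptions). Bounded forward chaining over ground facts stands in for the checker's resolution-based saturation, so a derivation it finds is genuine but "not found" is not a proof of secrecy.

```python
"""Toy version of the Section 7 protocol checker (added example, not the paper's own
code nor ProVerif): a process becomes Horn clauses via the [[P]]rho h cases of the proof
of Lemma 7.2.2, the attacker clauses of B_{P0,S} are added, and attacker(s[]) is searched
by bounded forward chaining (sound but incomplete: "not found" is no proof of secrecy)."""
from itertools import product

class Var:                               # clause variable, hashed by identity (fresh copies never clash)
    def __init__(self, name): self.name = name
    def __repr__(self): return self.name

# Patterns: Var | (functor, (args...)), the name a[p1,...,pn] using functor a; process atoms are
# plain strings and rho is a substitution on them (Ec(M) in the paper). Facts share the shape.
def depth(t):
    return 0 if isinstance(t, Var) else 1 + max((depth(a) for a in t[1]), default=0)

def sub(t, s):                           # apply substitution s (Var or atom -> pattern) to t
    if isinstance(t, (Var, str)):
        return sub(s[t], s) if t in s else t
    return (t[0], tuple(sub(a, s) for a in t[1]))

def occurs(v, t, s):
    t = sub(t, s)
    return t is v if isinstance(t, Var) else any(occurs(v, a, s) for a in t[1])

def unify(t, u, s):                      # most general unifier extending s, or None
    t, u = sub(t, s), sub(u, s)
    if isinstance(u, Var) and not isinstance(t, Var): return unify(u, t, s)
    if isinstance(t, Var):
        return s if t is u else (None if occurs(t, u, s) else {**s, t: u})
    if t[0] != u[0] or len(t[1]) != len(u[1]): return None
    for a, b in zip(t[1], u[1]):
        s = unify(a, b, s) if s is not None else None
    return s

def att(t): return ('attacker', (t,))
def msg(c, m): return ('message', (c, m))
CONS = {'senc': 2}                       # constructors and their arities
def sdec_eq():                           # fresh copy of sdec(senc(x, y), y) = x
    x, y = Var('x'), Var('y')
    return ((('senc', (x, y)), y), x)
DEF = {'sdec': [sdec_eq]}                # def(g): equations g(p'1,...,p'n) = p'

def clauses(P, rho, h):                  # [[P]]rho h as in the proof of Lemma 7.2.2; h: tuple of facts
    if P[0] == 'nil':
        return set()
    if P[0] in ('par', 'repl'):
        return set().union(*(clauses(Q, rho, h) for Q in P[1:]))
    if P[0] == 'new':                    # (nu a)P: a[p1,...,pn], the pi taken from h
        return clauses(P[2], {**rho, P[1]: (P[1], tuple(f[1][1] for f in h))}, h)
    if P[0] == 'in':                     # M(x).P: hypothesis message(rho(M), x) joins h
        x = Var(P[2])
        return clauses(P[3], {**rho, P[2]: x}, h + (msg(sub(P[1], rho), x),))
    if P[0] == 'out':                    # M<N>.P: clause h => message(rho(M), rho(N))
        return clauses(P[3], rho, h) | {(h, msg(sub(P[1], rho), sub(P[2], rho)))}
    x, g, Ms, Q, R = P[1:]               # let x = g(M1,...,Mn) in Q else R
    out = clauses(R, rho, h)
    for args, res in (eq() for eq in DEF[g]):
        s = {}                           # one mgu for sigma1 rho(Mi) = sigma'1 p'i
        for M, p in zip(Ms, args):
            s = unify(sub(M, rho), p, s) if s is not None else None
        if s is not None:                # Q is translated under the unified rho and h
            rho1 = {**{u: sub(t, s) for u, t in rho.items()}, x: sub(res, s)}
            out |= clauses(Q, rho1, tuple(sub(f, s) for f in h))
    return out

def attacker_clauses(S):                 # attacker clauses of B_{P0,S}; S = public names
    x, y = Var('x'), Var('y')
    out = {((), att((a, ()))) for a in S}
    out |= {((att(x), att(y)), msg(x, y)), ((att(x), msg(x, y)), att(y))}
    for f, n in CONS.items():            # attacker(x1) ... attacker(xn) => attacker(f(x1..xn))
        vs = tuple(Var('x%d' % i) for i in range(n))
        out.add((tuple(att(v) for v in vs), att((f, vs))))
    for args, res in (eq() for eqs in DEF.values() for eq in eqs):
        out.add((tuple(att(a) for a in args), att(res)))   # destructor equations
    return out

def matches(hyps, facts):                # substitutions matching all hypotheses to ground facts
    for combo in product(facts, repeat=len(hyps)):
        s = {}
        for p, f in zip(hyps, combo):
            s = unify(p, f, s) if s is not None else None
        if s is not None: yield s

def derivable(cls, goal, bound):         # bounded forward chaining from the clause set cls
    facts = set()
    while goal not in facts:             # only ground facts of term depth <= bound are kept
        new = {f for hyps, c in cls for s in matches(hyps, facts) if depth(f := sub(c, s)) <= bound + 1}
        if new <= facts: return False
        facts |= new
    return True

def protocol(chan):                      # constructed: A sends senc(s, k) on public channel c;
    A = ('out', 'c', ('senc', ('s', 'k')), ('nil',))   # B decrypts under k, forwards on chan
    B = ('in', 'c', 'y', ('let', 'z', 'sdec', ('y', 'k'), ('out', chan, 'z', ('nil',)), ('nil',)))
    return ('new', 'k', ('par', ('repl', A), ('repl', B)))

def secrecy_claim(P0, S, secret, free=('c', 's', 'd'), bound=2):   # True: attacker(secret[]) not found
    B0 = clauses(P0, {a: (a, ()) for a in free}, ()) | attacker_clauses(S)
    return not derivable(B0, att((secret, ())), bound)
```

With B forwarding the plaintext on the public channel c, the clause message(c[], senc(x, k[])) ⇒ message(c[], x) lets the attacker use B as a decryption oracle and attacker(s[]) is derived in three rounds; forwarding on the private name d instead, the search reaches a fixpoint without it.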

Proof of Lemmas 7.3.5, 7.3.6, and 7.3.7

Proof of Lemma 7.3.5 Since a ∈ S, (a : T ) ∈ E0, with T ∈ TPublic. By definition of φ, φ(a[]) = T ∈ TPublic. Therefore, attacker(a[]) is satisfied. □

Lemma .0.9 Let Ec be a partial function from atoms to closed patterns, defined for all names and variables of M . The function Ec is extended to a substitution.

1. If φ ◦ Ec ⊢M : T then T = φ(Ec(M)) (in particular, φ(Ec(M)) is defined).

2. If φ(Ec(M)) is defined, then φ ◦ Ec ⊢M : φ(Ec(M)).

(If φ(Ec(M)) is defined, then φ is defined on Ec(u) for all u ∈ fn(M) ∪ fv(M).)

Proof The proof of (1) is by induction on M .

• Case M is an atom u. Since φ ◦ Ec ⊢ u : T must have been derived by (Atom), T = φ(Ec(u)).

• Case M is a composite term f(M1, . . . ,Mn). Since φ ◦ Ec ⊢ M : T can be obtained only by (Constructor), for each i ∈ {1, . . . , n}, φ ◦ Ec ⊢ Mi : Ti and T = Of (T1, . . . , Tn). Therefore, by induction hypothesis, Ti = φ(Ec(Mi)) and, by definition of φ, T = Of (φ(Ec(M1)), . . . , φ(Ec(Mn))) = φ(f(Ec(M1), . . . , Ec(Mn))) = φ(Ec(M)).

The proof of (2) is also by induction on M .

• Case M is an atom u. By (Atom), φ ◦ Ec ⊢ u : φ(Ec(u)).

• Case M is a composite term f(M1, . . . ,Mn). Since φ(Ec(M)) = φ(f(Ec(M1), . . . , Ec(Mn))) = Of (φ(Ec(M1)), . . . , φ(Ec(Mn))) is defined, ∀i ∈ {1, . . . , n}, φ(Ec(Mi)) is defined. By induction hypothesis, we have φ ◦ Ec ⊢ Mi : φ(Ec(Mi)). Moreover, Of (φ(Ec(M1)), . . . , φ(Ec(Mn))) is defined, therefore, by (Constructor), φ ◦ Ec ⊢ M : φ(Ec(M)).

□

Proof of Lemma 7.3.6 Let us prove first that attacker(x) ∧ message(x, y) ⇒ attacker(y) is satisfied. Let σ be any closed substitution. If attacker(σx) and message(σx, σy) are satisfied, then φ(σx) ∈ TPublic, so by (P0), conveys(φ(σx)) = TPublic and φ(σy) ∈ conveys(φ(σx)) = TPublic. Then attacker(σy) is satisfied. Therefore, the rule attacker(x) ∧ message(x, y) ⇒ attacker(y) is satisfied.

Similarly, attacker(x) ∧ attacker(y) ⇒ message(x, y) is satisfied.

Let f be a constructor. Let us prove that attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)) is satisfied. Let σ be any closed substitution. Assume that attacker(σx1), . . . , attacker(σxn) are satisfied. Then for all i ∈ {1, . . . , n}, φ(σxi) ∈ TPublic, therefore φ(f(σx1, . . . , σxn)) = Of (φ(σx1), . . . , φ(σxn)) ∈ TPublic by (P1). Then attacker(f(σx1, . . . , σxn)) is satisfied. Therefore, the rule attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)) is satisfied.

Assume that there is an equation g(M1, . . . ,Mn) = M in def(g), and let us prove that attacker(M1) ∧ . . . ∧ attacker(Mn) ⇒ attacker(M) is satisfied. For every closed substitution σ, if attacker(σM1), . . . , attacker(σMn) are satisfied, then for all i ∈ {1, . . . , n}, φ(σMi) ∈ TPublic, so Og(φ(σM1), . . . , φ(σMn)) ⊆ TPublic by (P2). Moreover, for all i ∈ {1, . . . , n}, φ ◦ σ ⊢ Mi : φ(σMi) by Lemma .0.9(2), therefore φ ◦ σ ⊢ M : T and T ∈ Og(φ(σM1), . . . , φ(σMn)) for some T by (P3). By Lemma .0.9(1), T = φ(σM), so φ(σM) ∈ Og(φ(σM1), . . . , φ(σMn)). Hence φ(σM) ∈ TPublic, so attacker(σM) is satisfied. Therefore, the rule attacker(M1) ∧ . . . ∧ attacker(Mn) ⇒ attacker(M) is satisfied. □

Proof of Lemma 7.3.7 By induction on P .

• Case 0: [[0]]ρh = ∅, so the result is obvious.

• Case P | Q: Let (ρ, h) be a well-chosen pair for P | Q. Let σ be such that σh is satisfied, and E = φ ◦ σρ. If E ⊢ P | Q has been proved to obtain E0 ⊢ P0, this must have been derived by (Parallel composition), therefore E ⊢ P and E ⊢ Q have been proved to obtain E0 ⊢ P0. Since this is true for any σ such that σh is satisfied, and (ρ, h) is also a well-chosen pair for P and Q, by induction hypothesis, the rules in [[P ]]ρh and in [[Q]]ρh are satisfied. Therefore, the rules in [[P | Q]]ρh = [[P ]]ρh ∪ [[Q]]ρh are satisfied.

• Case !P : Let (ρ, h) be a well-chosen pair for !P . Let σ be such that σh is satisfied, and E = φ ◦ σρ. If E ⊢ !P has been proved to obtain E0 ⊢ P0, this must have been derived by (Replication), so E ⊢ P has been proved to obtain E0 ⊢ P0. Since this is true for any σ such that σh is satisfied, and (ρ, h) is also a well-chosen pair for P , by induction hypothesis, the rules in [[P ]]ρh are satisfied. Therefore, the rules in [[!P ]]ρh = [[P ]]ρh are satisfied.

• Case (νa)P : Let (ρ, h) be a well-chosen pair for (νa)P . Let σ be such that σh is satisfied, and E = φ ◦ σρ. If E ⊢ (νa)P has been proved to obtain E0 ⊢ P0, this must have been derived by (Restriction), so there exists T such that E, a : T ⊢ P has been proved to obtain E0 ⊢ P0. By definition of φ, T = φ(a[σp1, . . . , σpn]), where h = message(c1, p1) ∧ . . . ∧ message(cn, pn), since σρ is a (σp1, . . . , σpn)-well-chosen environment for (νa)P . We have that (ρ[a ↦ a[p1, . . . , pn]], h) is a well-chosen pair for P , and for any σ such that σh is satisfied, φ ◦ σρ, a : φ(a[σp1, . . . , σpn]) ⊢ P has been proved to obtain E0 ⊢ P0. By induction hypothesis, the rules in [[(νa)P ]]ρh = [[P ]](ρ[a ↦ a[p1, . . . , pn]])h are satisfied.

• Case M(x).P : Let (ρ, h) be a well-chosen pair for M(x).P . We assume that for all σ such that σh is satisfied, and E = φ ◦ σρ, E ⊢ M(x).P has been proved to obtain E0 ⊢ P0. Then this must have been derived by (Input), therefore E ⊢ M : T and ∀T′ ∈ conveys(T ), E, x : T′ ⊢ P . By Lemma .0.9(1), T = φ(σρ(M)).


Let h′ = h ∧ message(ρ(M), x). If σ′ is such that σ′h′ is satisfied, then message(σ′ρ(M), σ′x) is satisfied, so φ(σ′x) ∈ conveys(φ(σ′ρ(M))) = conveys(T ). Moreover, σ′h is satisfied, so we can apply the reasoning above to σ′ instead of σ, therefore E, x : φ(σ′x) ⊢ P for E = φ ◦ σ′ρ. Let ρ′ = ρ[x ↦ x]. Then (ρ′, h′) is a well-chosen pair for P , and φ ◦ σ′ρ′ ⊢ P has been proved to obtain E0 ⊢ P0. By induction hypothesis, the rules in [[P ]]ρ′h′ are satisfied. Therefore, the rules in [[M(x).P ]]ρh are satisfied.

• Case M〈N〉.P : Let (ρ, h) be a well-chosen pair for M〈N〉.P . Let σ be such that σh is satisfied, and E = φ ◦ σρ. If E ⊢ M〈N〉.P has been proved to obtain E0 ⊢ P0, then this must have been derived by (Output), therefore E ⊢ M : T , E ⊢ N : T′, T′ ∈ conveys(T ), and E ⊢ P . By Lemma .0.9(1), T = φ(σρ(M)) and T′ = φ(σρ(N)), therefore φ(σρ(N)) ∈ conveys(φ(σρ(M))).

Let R = h ⇒ message(ρ(M), ρ(N)), and let σ′ be any closed substitution. If σ′h is satisfied, the argument of the paragraph above can be applied to σ′. Then φ(σ′ρ(N)) ∈ conveys(φ(σ′ρ(M))), so message(σ′ρ(M), σ′ρ(N)) is satisfied. Therefore, R is satisfied.

We have that (ρ, h) is a well-chosen pair for P , and for all σ such that σh is satisfied, E ⊢ P has been proved to obtain E0 ⊢ P0. By induction hypothesis on P , the rules in [[P ]]ρh are satisfied.

Hence the rules in [[M〈N〉.P ]]ρh = [[P ]]ρh ∪ {R} are satisfied.

• Case let x = g(M1, . . . ,Mn) in P else Q: Let (ρ, h) be a well-chosen pair for let x = g(M1, . . . ,Mn) in P else Q. We assume that for all σ such that σh is satisfied, and E = φ ◦ σρ, E ⊢ let x = g(M1, . . . ,Mn) in P else Q has been proved to obtain E0 ⊢ P0. This must have been derived by (Destructor application), so ∀i ∈ {1, . . . , n}, E ⊢ Mi : Ti, ∀T ∈ Og(T1, . . . , Tn), E, x : T ⊢ P , and E ⊢ Q. By Lemma .0.9(1), Ti = φ(σρ(Mi)).

Assume that there is an equation g(p′1, . . . , p′n) = p′ in def(g). Let ρ′ = σ1ρ[x ↦ σ′1p′] and h′ = σ1h where (σ1, σ′1) is the most general pair of substitutions such that σ1ρ(M1) = σ′1p′1, . . . , σ1ρ(Mn) = σ′1p′n. Let σ′′ be such that σ′′h′ is satisfied. Then σ = σ′′σ1 is such that σh is satisfied, so the argument of the paragraph above can be applied to σ. Moreover σρ(Mi) = σ′′σ′1p′i. We have φ ◦ σ′′σ′1 ⊢ p′i : φ(σ′′σ′1p′i) (by Lemma .0.9(2)). Therefore, by (P3), φ ◦ σ′′σ′1 ⊢ p′ : φ(σ′′σ′1p′) with φ(σ′′σ′1p′) ∈ Og(φ(σ′′σ′1p′1), . . . , φ(σ′′σ′1p′n)). That is, φ(σ′′σ′1p′) ∈ Og(T1, . . . , Tn). Therefore E, x : φ(σ′′σ′1p′) ⊢ P . That is, φ ◦ σ′′ρ′ ⊢ P . This is true for any σ′′ such that σ′′h′ is satisfied, and (ρ′, h′) is a well-chosen pair for P , therefore by induction hypothesis, the rules in [[P ]]ρ′h′ are satisfied.

Moreover, (ρ, h) is also a well-chosen pair for Q, so by induction hypothesis, the rules in [[Q]]ρh are satisfied. Therefore, the rules in [[let x = g(M1, . . . ,Mn) in P else Q]]ρh are satisfied.

In particular, for [[P0]]ρ0∅, (ρ0, ∅) is a well-chosen pair for P0, and E0 = {a : φ(a[]) | (a : T ) ∈ E0} = φ ◦ σρ0, for any σ. Therefore, φ ◦ σρ0 ⊢ P0 has been proved to obtain E0 ⊢ P0. Then the rules in [[P0]]ρ0∅ are satisfied. □

References

[1] M. Abadi. Secrecy by typing in security protocols. Journal of the ACM, 46(5):749–786, Sept. 1999.

[2] M. Abadi. Security protocols and their properties. In F. Bauer and R. Steinbrueggen, editors, Foundations of Secure Computation, NATO Science Series, pages 39–60. IOS Press, Amsterdam, The Netherlands, 2000. Volume for the 20th International Summer School on Foundations of Secure Computation, held in Marktoberdorf, Germany (1999).


[3] M. Abadi, A. Banerjee, N. Heintze, and J. G. Riecke. A core calculus of dependency. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages, pages 147–160, New-York, NY, Jan. 1999. ACM Press.

[4] M. Abadi and B. Blanchet. Computer-assisted verification of a protocol for certified email. In R. Cousot, editor, Static Analysis, 10th International Symposium (SAS’03), volume 2694 of Lecture Notes in Computer Science, pages 316–335, Berlin, Germany, June 2003. Springer-Verlag.

[5] M. Abadi and B. Blanchet. Secrecy types for asymmetric communication. Theoretical Computer Science, 298(3):387–415, Apr. 2003.

[6] M. Abadi, B. Blanchet, and C. Fournet. Just Fast Keying in the pi calculus. In D. Schmidt, editor, Programming Languages and Systems: 13th European Symposium on Programming (ESOP 2004), volume 2986 of Lecture Notes in Computer Science, pages 340–354, Berlin, Germany, Mar. 2004. Springer-Verlag.

[7] M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In Proceedings of the 28th Annual ACM Symposium on Principles of Programming Languages (POPL’01), pages 104–115, New-York, NY, Jan. 2001. ACM Press.

[8] M. Abadi, N. Glew, B. Horne, and B. Pinkas. Certified email with a light on-line trusted third party: Design and implementation. In 11th International World Wide Web Conference, pages 387–395, New-York, NY, May 2002. ACM Press.

[9] M. Abadi and A. D. Gordon. A calculus for cryptographic protocols: The spi calculus. Information and Computation, 148(1):1–70, Jan. 1999. An extended version appeared as Digital Equipment Corporation Systems Research Center report No. 149, January 1998.

[10] W. Aiello, S. Bellovin, M. Blaze, R. Canetti, J. Ionnidis, A. Keromytis, and O. Reingold. Efficient, DoS-resistant, secure key exchange for internet protocols. In R. Sandhu, editor, ACM Conference on Computer and Communications Security (CCS’02), pages 48–58, New-York, NY, Nov. 2002. ACM.

[11] R. M. Amadio and D. Lugiez. On the reachability problem in cryptographic protocols. In C. Palamidessi, editor, CONCUR 2000: Concurrency Theory (11th International Conference), volume 1877 of Lecture Notes in Computer Science, pages 380–394, Berlin, Germany, Aug. 2000. Springer-Verlag.

[12] L. Bachmair and H. Ganzinger. Equational reasoning in saturation-based theorem proving. In W. Bibel and P. Schmitt, editors, Automated Deduction — A Basis for Applications, volume I, chapter 11, pages 353–397. Kluwer, Dordrecht, The Netherlands, 1998.

[13] B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82–96, Los Alamitos, CA, June 2001. IEEE Computer Society.

[14] B. Blanchet. From secrecy to authenticity in security protocols. In M. Hermenegildo and G. Puebla, editors, 9th International Static Analysis Symposium (SAS’02), volume 2477 of Lecture Notes in Computer Science, pages 342–359, Berlin, Germany, Sept. 2002. Springer-Verlag.

[15] B. Blanchet. Automatic proof of strong secrecy for security protocols. In IEEE Symposium on Security and Privacy, pages 86–100, Los Alamitos, CA, May 2004. IEEE Computer Society.


[16] B. Blanchet and A. Podelski. Verification of cryptographic protocols: Tagging enforces termination. In A. Gordon, editor, Foundations of Software Science and Computation Structures (FoSSaCS’03), volume 2620 of Lecture Notes in Computer Science, pages 136–152, Berlin, Germany, Apr. 2003. Springer-Verlag.

[17] C. Bodei. Security Issues in Process Calculi. PhD thesis, Università di Pisa, Jan. 2000.

[18] C. Bodei, P. Degano, F. Nielson, and H. Nielson. Control flow analysis for the π-calculus. In CONCUR’98: Concurrency Theory, volume 1466 of Lecture Notes in Computer Science, pages 84–98, Berlin, Germany, Sept. 1998. Springer-Verlag.

[19] L. Cardelli. Type systems. In A. B. Tucker, editor, The Computer Science and Engineering Handbook, chapter 103, pages 2208–2236. CRC Press, Boca Raton, FL, 1997.

[20] L. Cardelli, G. Ghelli, and A. D. Gordon. Secrecy and group creation. In C. Palamidessi, editor, CONCUR 2000: Concurrency Theory, volume 1877 of Lecture Notes in Computer Science, pages 365–379, Berlin, Germany, Aug. 2000. Springer-Verlag.

[21] I. Cervesato, N. A. Durgin, P. D. Lincoln, J. C. Mitchell, and A. Scedrov. A meta-notation for protocol analysis. In Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW’99), pages 55–69, Los Alamitos, CA, June 1999. IEEE Computer Society.

[22] H. Comon-Lundh and V. Cortier. New decidability results for fragments of first-order logic and application to cryptographic protocols. In R. Nieuwenhuis, editor, 14th Int. Conf. Rewriting Techniques and Applications (RTA’2003), volume 2706 of Lecture Notes in Computer Science, pages 148–164, Berlin, Germany, June 2003. Springer-Verlag.

[23] K. J. Compton and S. Dexter. Proof techniques for cryptographic protocols. In J. Wiedermann, P. van Emde Boas, and M. Nielsen, editors, Automata, Languages and Programming, 26th International Colloquium, ICALP’99, volume 1644 of Lecture Notes in Computer Science, pages 25–39, Berlin, Germany, July 1999. Springer-Verlag.

[24] M. Dam. Proving trust in systems of second-order processes. In Proceedings of the 31st Hawaii International Conference on System Sciences, volume VII, pages 255–264, 1998.

[25] M. Debbabi, M. Mejri, N. Tawbi, and I. Yahmadi. A new algorithm for the automatic verification of authentication protocols: From specifications to flaws and attack scenarios. In Proceedings of the DIMACS Workshop on Design and Formal Verification of Security Protocols, Rutgers University, New Jersey, Sept. 1997.

[26] G. Denker, J. Meseguer, and C. Talcott. Protocol specification and analysis in Maude. In N. Heintze and J. Wing, editors, Proc. of Workshop on Formal Methods and Security Protocols, 25 June 1998.

[27] D. E. Denning. Cryptography and Data Security. Addison-Wesley, Reading, Mass., 1982.

[28] A. Durante, R. Focardi, and R. Gorrieri. CVS: A compiler for the analysis of cryptographic protocols. In Proceedings of the 12th IEEE Computer Security Foundations Workshop (CSFW’99), pages 203–212, Los Alamitos, CA, June 1999. IEEE Computer Society.

[29] N. Durgin, J. Mitchell, and D. Pavlovic. A compositional logic for protocol correctness. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 241–255, Los Alamitos, CA, June 2001. IEEE Computer Society.


[30] N. A. Durgin and J. C. Mitchell. Analysis of security protocols. In M. Broy and R. Steinbrüggen, editors, Calculational System Design, pages 369–395, Amsterdam, The Netherlands, 1999. IOS Press.

[31] R. Focardi and R. Gorrieri. The compositional security checker: A tool for the verification of information flow security properties. IEEE Transactions on Software Engineering, 23(9):550–571, Sept. 1997.

[32] A. Gordon and A. Jeffrey. Authenticity by typing for security protocols. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 145–159, Los Alamitos, CA, June 2001. IEEE Computer Society.

[33] A. Gordon and A. Jeffrey. Types and effects for asymmetric cryptographic protocols. In 15th IEEE Computer Security Foundations Workshop (CSFW-15), pages 77–91, Los Alamitos, CA, June 2002. IEEE Computer Society.

[34] J. Goubault-Larrecq. Protocoles cryptographiques: la logique à la rescousse! In Atelier SEcurité des Communications sur Internet (SECI'02), Sept. 2002.

[35] J. Goubault-Larrecq. Une fois qu'on n'a pas trouvé de preuve, comment le faire comprendre à un assistant de preuve ? In Actes 15èmes journées francophones sur les langages applicatifs (JFLA'04), Rocquencourt, France, Jan. 2004. INRIA.

[36] J. Goubault-Larrecq, M. Roger, and K. N. Verma. Abstraction and resolution modulo AC: How to verify Diffie-Hellman-like protocols automatically. Journal of Logic and Algebraic Programming, 2004. To appear.

[37] N. Heintze and J. G. Riecke. The SLam calculus: programming with secrecy and integrity. In Proceedings of the 25th ACM Symposium on Principles of Programming Languages, pages 365–377, New York, NY, 1998. ACM Press.

[38] M. Hennessy and J. Riely. Information flow vs. resource access in the asynchronous pi-calculus. In Proceedings of the 27th International Colloquium on Automata, Languages and Programming, Lecture Notes in Computer Science, pages 415–427, Berlin, Germany, 2000. Springer-Verlag.

[39] K. Honda, V. Vasconcelos, and N. Yoshida. Secure information flow as typed process behaviour. In G. Smolka, editor, Programming Languages and Systems: Proceedings of the 9th European Symposium on Programming (ESOP 2000), Held as Part of the Joint European Conferences on Theory and Practice of Software (ETAPS 2000), volume 1782 of Lecture Notes in Computer Science, pages 180–199, Berlin, Germany, 2000. Springer-Verlag.

[40] R. Kemmerer, C. Meadows, and J. Millen. Three systems for cryptographic protocol analysis. Journal of Cryptology, 7(2):79–130, Spring 1994.

[41] H. Krawczyk. SKEME: A versatile secure key exchange mechanism for internet. In Proceedings of the Internet Society Symposium on Network and Distributed Systems Security, Feb. 1996. Available at http://bilbo.isu.edu/sndss/sndss96.html.

[42] P. Lincoln, J. Mitchell, M. Mitchell, and A. Scedrov. A probabilistic poly-time framework for protocol analysis. In Proceedings of the Fifth ACM Conference on Computer and Communications Security, pages 112–121, New York, NY, 1998. ACM Press.

[43] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems, volume 1055 of Lecture Notes in Computer Science, pages 147–166, Berlin, Germany, 1996. Springer-Verlag.


[44] C. Meadows. Panel on languages for formal specification of security protocols. In Proceedings of the 10th IEEE Computer Security Foundations Workshop, page 96, Los Alamitos, CA, 1997. IEEE Computer Society.

[45] C. Meadows and P. Narendran. A unification algorithm for the group Diffie-Hellman protocol. In Workshop on Issues in the Theory of Security (WITS'02), Jan. 2002.

[46] R. Milner. Communicating and Mobile Systems: the Pi-Calculus. Cambridge University Press, Cambridge, United Kingdom, June 1999.

[47] J. H. Morris. Protection in programming languages. Commun. ACM, 16(1):15–21, Jan. 1973.

[48] A. C. Myers. JFlow: Practical mostly-static information flow control. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages, pages 228–241, New York, NY, Jan. 1999. ACM Press.

[49] R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networks of computers. Commun. ACM, 21(12):993–999, Dec. 1978.

[50] L. C. Paulson. The inductive approach to verifying cryptographic protocols. Journal of Computer Security, 6(1–2):85–128, 1998.

[51] P. Selinger. Models for an adversary-centric protocol logic. In J. Goubault-Larrecq, editor, Proceedings of the 1st Workshop on Logical Aspects of Cryptographic Protocol Verification, volume 55(1) of Electronic Notes in Theoretical Computer Science, pages 73–88, Amsterdam, The Netherlands, July 2001. Elsevier.

[52] E. Sumii and B. C. Pierce. Logical relations and encryption (Extended abstract). In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 256–269, Los Alamitos, CA, June 2001. IEEE Computer Society.

[53] D. Volpano, C. Irvine, and G. Smith. A sound type system for secure flow analysis. Journal of Computer Security, 4:167–187, 1996.

[54] C. Weidenbach. Towards an automatic analysis of security protocols in first-order logic. In H. Ganzinger, editor, 16th International Conference on Automated Deduction (CADE-16), volume 1632 of Lecture Notes in Artificial Intelligence, pages 314–328, Berlin, Germany, July 1999. Springer-Verlag.


Automatic Verification of Correspondences for Security Protocols*

Bruno Blanchet

CNRS, École Normale Supérieure, INRIA†

[email protected]

Abstract

We present a new technique for verifying correspondences in security protocols. In particular, correspondences can be used to formalize authentication. Our technique is fully automatic, it can handle an unbounded number of sessions of the protocol, and it is efficient in practice. It significantly extends a previous technique for the verification of secrecy. The protocol is represented in an extension of the pi calculus with fairly arbitrary cryptographic primitives. This protocol representation includes the specification of the correspondence to be verified, but no other annotation. This representation is then translated into an abstract representation by Horn clauses, which is used to prove the desired correspondence. Our technique has been proved correct and implemented. We have tested it on various protocols from the literature. The experimental results show that these protocols can be verified by our technique in less than 1 s.

1 Introduction

The verification of security protocols has already been the subject of numerous research works. It is particularly important since the design of protocols is error-prone, and errors cannot be detected by testing, since they appear only in the presence of a malicious adversary. An important trend in this area aims to verify protocols in the so-called Dolev-Yao model [39], with an unbounded number of sessions, while relying as little as possible on human intervention. While protocol insecurity is NP-complete for a bounded number of sessions [65], it is undecidable for an unbounded number of sessions [41]. Hence, automatic verification for an unbounded number of sessions cannot be achieved for all protocols. It is typically achieved using language-based techniques such as typing or abstract interpretation, which can handle infinite-state systems thanks to safe approximations. These techniques are not complete (a correct protocol can fail to typecheck, or false attacks can be found by abstract interpretation tools), but they are sound (when they do not find attacks, the protocol is guaranteed to satisfy the considered property). This is important for the certification of protocols.

Our goal in this paper is to extend previous work in this line of research by providing a fully automatic technique for verifying correspondences in security protocols, without bounding the number of sessions of the protocol. Correspondences are properties of the form: if the protocol executes some event, then it must have executed some other events before¹. We consider a rich language of correspondences, in which the events that must have been executed can be described by a logical formula containing conjunctions and disjunctions. Furthermore, we consider both non-injective correspondences (if the protocol executes some event, then it must have executed

* This paper is an updated and extended version of [13] and [14].
† This research has been done within the INRIA ABSTRACTION project-team (common with the CNRS and the ENS).
¹ In the CSP terminology, our events correspond to CSP signal events.

some other events at least once) and injective correspondences (if the protocol executes some event n times, then it must have executed some other events at least n times). Correspondences, initially named correspondence assertions [71], and the similar notion of agreement [54] were first introduced to model authentication. Intuitively, a protocol authenticates A to B if, when B thinks he talks to A, then he actually talks to A. When B thinks he has run the protocol with A, he executes an event e(A, B). When A thinks she runs the protocol with B, she executes another event e′(A, B). Authentication is satisfied when, if B executes his event e(A, B), then A has executed her event e′(A, B). Several variants along this scheme appear in the literature and, as we show below, our technique can handle most of them. Our correspondences can also encode secrecy, as follows. A protocol preserves the secrecy of some value M when the adversary cannot obtain M. We associate an "event" attacker(M) to the fact that the adversary obtains M, and represent the secrecy of M as "attacker(M) cannot be executed", that is, "if attacker(M) has been executed, then false." More complex properties can also be specified by our correspondences, for example that all messages of the protocol have been sent in order; this feature was used in [3].
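The two flavours of correspondence can be checked mechanically on a finite trace. The following Python function is an added example, not part of the paper or of ProVerif (which reasons about all traces through Horn clauses rather than by enumerating them): given a recorded trace, it decides a non-injective or injective correspondence end ⇒ begin by matching each end event with an earlier begin event carrying the same parameters, and it encodes secrecy as the correspondence attacker(M) ⇒ false. The traces, parameter values and the event names e1, e2, e3, eA, eB are constructed for illustration, following the naming of the example in Section 2.3.

```python
"""Checking correspondences on event traces.

Added example, not part of the paper: a trace is the list of events a
protocol run executed, in order, each written (name, parameters). The
correspondence "end ==> begin" holds non-injectively when every end event
is preceded by a begin event with the same parameters, and injectively when
distinct end events are matched with distinct begin events.
"""

def check_correspondence(trace, end_name, begin_name, injective):
    """Return (holds, offending_end_event_or_None).

    Each end event is matched, in trace order, with an earlier begin event
    carrying the same parameters. With injective=True a begin event may be
    used at most once, so n end events need n distinct begin events; this is
    what rejects a replay. Greedy earliest-first matching is exact here
    because a later end event can use every begin event an earlier one could.
    """
    used = set()
    for i, (name, params) in enumerate(trace):
        if name != end_name:
            continue
        candidates = [j for j in range(i)
                      if trace[j] == (begin_name, params)
                      and (not injective or j not in used)]
        if not candidates:
            return False, (i, name, params)
        used.add(candidates[0])
    return True, None

def check_secrecy(trace, secret):
    """Secrecy of `secret` as the correspondence "attacker(secret) ==> false":
    it holds exactly when no attacker(secret) event occurs in the trace."""
    return ("attacker", (secret,)) not in trace

# Constructed traces using the event names of the example of Section 2.3:
# e3(pkA, pkB, a, b) is executed by A before she sends message 3, and
# eB(pkA, pkB, a, b) by B when he accepts message 3.
HONEST_RUN = [
    ("e1", ("pkA", "pkB", "a1")),
    ("e2", ("pkA", "pkB", "a1", "b1")),
    ("e3", ("pkA", "pkB", "a1", "b1")),
    ("eA", ("pkA", "pkB", "a1", "b1")),
    ("eB", ("pkA", "pkB", "a1", "b1")),
]
# Replay: B accepts message 3 a second time although A ran the session once.
REPLAY_RUN = HONEST_RUN + [("eB", ("pkA", "pkB", "a1", "b1"))]

if __name__ == "__main__":
    print(check_correspondence(HONEST_RUN, "eB", "e3", injective=True))   # (True, None)
    print(check_correspondence(REPLAY_RUN, "eB", "e3", injective=False))  # (True, None)
    print(check_correspondence(REPLAY_RUN, "eB", "e3", injective=True))   # (False, (5, 'eB', ('pkA', 'pkB', 'a1', 'b1')))
    print(check_secrecy(HONEST_RUN, "sAb"))                               # True
```

On the replayed trace the non-injective correspondence eB ⇒ e3 still holds, since some e3 with the right parameters precedes each eB, while the injective one fails on the second eB: this is exactly the distinction the paper draws between the two kinds of correspondence.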

Our technique is based on a substantial extension of a previous verification technique for secrecy [1, 13, 69]. More precisely, the protocol is represented in the process calculus introduced in [1], which is an extension of the pi calculus with fairly arbitrary cryptographic primitives. This process calculus is extended with events, used in the statement of correspondences. These events are the only required annotation of the protocol; no annotation is needed to help the tool prove correspondences. The protocol is then automatically translated into a set of Horn clauses. This translation requires significant extensions with respect to the translation for secrecy given in [1], and can be seen as an implementation of a type system, as in [1]. Some of these extensions improve the precision of the analysis, in particular to avoid merging different nonces. Other extensions define the translation of events. Finally, this set of Horn clauses is passed to a resolution-based solver, similar to that of [13, 20, 69]. Some minor extensions of this solver are required to prove correspondences. This solver does not always terminate, but we show in Section 8.1 that it terminates for a large class of well-designed protocols, named tagged protocols. Our experiments also demonstrate that, in practice, it terminates on many examples of protocols.

The main advantages of our method can be summarized as follows. It is fully automatic; the user only has to code the protocol and the correspondences to prove. It puts no bounds on the number of sessions of the protocol or the size of terms that the adversary can manipulate. It can handle fairly general cryptographic primitives, including shared-key encryption, public-key encryption, signatures, one-way hash functions, and Diffie-Hellman key agreements. It relies on a precise semantic foundation. One limitation of the technique is that, in rare cases, the solving algorithm does not terminate. The technique is also not complete: the translation into Horn clauses introduces an abstraction, which forgets the number of repetitions of each action [17]. This abstraction is key to the treatment of an unbounded number of sessions. Due to this abstraction, the tool provides sufficient conditions for proving correspondences, but can fail on correct protocols. Basically, it fails to prove protocols that first need to keep some value secret and later reveal it (see Section 5.2.2). In practice, the tool is still very precise and, in our experiments, it always succeeded in proving protocols that were correct.

Our technique is implemented in the protocol verifier ProVerif, available at http://www.proverif.ens.fr/.

Comparison with Other Papers on ProVerif. As mentioned above, this paper extends previous work on the verification of secrecy [1] in order to prove correspondences. Secrecy (defined as the impossibility for the adversary to compute the secret) and correspondences are trace properties. Other papers deal with the proof of certain classes of observational equivalences, i.e., that the adversary cannot distinguish certain processes: [15, 16] deal with the proof of strong secrecy, i.e., that the adversary cannot see when the value of a secret changes; [18] deals with the proof of equivalences between processes that differ only by the terms that they contain. Moreover, [18] also explains how to handle cryptographic primitives defined by equational theories (instead of rewrite rules) and how to deal with guessing attacks against weak secrets.

As shown in [20], the resolution algorithm terminates for tagged protocols. The present paper extends this result in Section 8.1, by providing a characterization of tagged protocols at the level of processes instead of at the level of Horn clauses.

ProVerif can also reconstruct an attack using a derivation from the Horn clauses, when the proof of a secrecy property fails [6]. Although the present paper does not detail this point, this work has also been extended to the reconstruction of attacks against non-injective correspondences.

Finally, [2], [3], and [19] present three case studies done at least partly using ProVerif: [2] studies a certified email protocol, [3] studies the Just Fast Keying protocol, and [19] studies the Plutus secure file system. These case studies rely partly on the results presented in this paper.

Related Work. We mainly focus on the works that automatically verify correspondences and authentication for security protocols, without bounding the number of sessions.

The NRL protocol analyzer [42, 57], based on narrowing in rewriting systems, can verify correspondences defined in a rich language of logical formulae [68]. It is sound and complete, but does not always terminate. Our Horn clause representation is more abstract than the representation of NRL, which should enable us to terminate more often and be more efficient, while remaining precise enough to prove most desired properties.

Gordon and Jeffrey designed a system named Cryptyc for verifying authentication by typing in security protocols [45–47]. They handle shared-key and public-key cryptography. Our system allows more general cryptographic primitives (including hash functions and Diffie-Hellman key agreements). Moreover, in our system, no annotation is needed, whereas, in Cryptyc, explicit type casts and checks have to be manually added. However, Cryptyc has the advantage that type checking always terminates, whereas, in some rare cases, our analyzer does not.

Bugliesi et al. [25] define another type system for proving authentication in security protocols. The main advantage of their system is that it is compositional: it allows one to prove independently the correctness of the code of each role of the protocol. However, the form of messages is restricted to certain tagged terms. This approach is compared with Cryptyc in [24].

Backes et al. [10] prove secrecy and authentication for security protocols, using an abstract-interpretation-based analysis. This analysis builds a causal graph, which captures the causality among program events; the security properties are proved by traversing this graph. This analysis can handle an unbounded number of sessions of the protocol; it always terminates, at the cost of additional abstractions, which may cause false attacks. It handles shared-key and public-key cryptography, but not Diffie-Hellman key agreements. It assumes that the messages are typed, so that names can be distinguished from other terms.

Bodei et al. [21] show message authentication via a control flow analysis on a process calculus named LySa. Like [10], they handle shared-key and public-key cryptography, and their analysis always terminates, at the cost of additional abstractions. The notion of authentication they prove is different from ours: they show message authentication rather than entity authentication.

Debbabi et al. [36] also verify authentication thanks to a representation of protocols by inference rules, very similar to our Horn clauses. However, they verify a weaker notion of authentication (corresponding to aliveness: if B terminates the protocol, then A must have been alive at some point before), and handle only shared-key encryption.

A few other methods require little human effort, while supporting an unbounded number of runs: the verifier of [51], based on rank functions, can prove the correctness of or find attacks against protocols with atomic symmetric or asymmetric keys. Theorem proving [63] often requires manual intervention of the user. An exception to this is [32], but it deals only with secrecy. The theorem prover TAPS [30] often succeeds without or with little human intervention.

Model checking [53, 59] in general implies a limit on the number of sessions of the protocol. This problem has been tackled by [22, 23, 64]. They recycle nonces, to use only a finite number of them in an infinite number of runs. The technique was first used for sequential runs, then generalized to parallel runs in [23], but with the additional restriction that the agents must be "factorisable". (Basically, a single run of the agent has to be split into several runs such that each run contains only one fresh value.)

Strand spaces [44] are a formalism for reasoning about security protocols. They have been used for elegant manual proofs of authentication [49]. The automatic tool Athena [66] combines model checking and theorem proving, and uses strand spaces to reduce the state space. Scyther [33] uses an extension of Athena's method with trace patterns to analyze simultaneously a group of traces. These tools still sometimes limit the number of sessions to guarantee termination.

Amadio and Prasad [7] note that authentication can be translated into secrecy, by using a judge process. The translation is limited in that only one message can be registered by the judge, so the verified authentication property is not exactly the same as ours.

Outline. Section 2 introduces our process calculus. Section 3 defines the correspondences that we verify, including secrecy and various notions of authentication. Section 4 outlines the main ideas behind our technique for verifying correspondences. Section 5 explains the construction of Horn clauses and shows its correctness, Section 6 describes our solving algorithm and shows its correctness, and Section 7 applies these results to the proof of correspondences. Section 8 discusses the termination of our algorithm: it shows termination for tagged protocols and how to obtain termination more often in the general case. Section 9 presents some extensions to our framework. Section 10 gives our experimental results on a selection of security protocols of the literature, and Section 11 concludes. The proofs of our results are grouped in the appendices.

2 The Process Calculus

In this section, we present the process calculus that we use to represent security protocols: we give its syntax and semantics, and illustrate it on an example protocol.

2.1 Syntax and Informal Semantics

Figure 1 gives the syntax of terms (data) and processes (programs) of our calculus. The identifiers a, b, c, k, and similar ones range over names, and x, y, and z range over variables. The syntax also assumes a set of symbols for constructors and destructors; we often use f for a constructor and g for a destructor.

Constructors are used to build terms. Therefore, the terms are variables, names, and constructor applications of the form f(M1, . . . , Mn); the terms are untyped. On the other hand, destructors do not appear in terms, but only manipulate terms in processes. They are partial functions on terms that processes can apply. The process let x = g(M1, . . . , Mn) in P else Q tries to evaluate g(M1, . . . , Mn); if this succeeds, then x is bound to the result and P is executed, else Q is executed. More precisely, the semantics of a destructor g of arity n is given by a set def(g) of rewrite rules of the form g(M1, . . . , Mn) → M where M1, . . . , Mn, M are terms without names, and the variables of M also occur in M1, . . . , Mn. We extend these rules by g(M′1, . . . , M′n) → M′ if and only if there exist a substitution σ and a rewrite rule g(M1, . . . , Mn) → M in def(g) such that M′i = σMi for all i ∈ {1, . . . , n}, and M′ = σM. We assume that the set def(g) is finite. (It usually contains one or two rules in examples.) We define destructors by rewrite rules instead of the equalities used in [1]. This definition allows


M, N ::=                                   terms
    x, y, z                                variable
    a, b, c, k                             name
    f(M1, . . . , Mn)                      constructor application

P, Q ::=                                   processes
    M〈N〉.P                                 output
    M(x).P                                 input
    0                                      nil
    P | Q                                  parallel composition
    !P                                     replication
    (νa)P                                  restriction
    let x = g(M1, . . . , Mn) in P else Q  destructor application
    if M = N then P else Q                 conditional
    event(M).P                             event

Figure 1: Syntax of the process calculus

destructors to yield several different results non-deterministically. (Non-deterministic rewrite rules are used in our modeling of Diffie-Hellman key agreements; see Section 9.1.) Using constructors and destructors, we can represent data structures and cryptographic operations as summarized in Figure 2. (We present only probabilistic public-key encryption because, in the computational model, a secure public-key encryption algorithm must be probabilistic. We have chosen to present deterministic signatures; we could easily model probabilistic signatures by adding a third argument r containing the random coins, as for encryption. The coins should be chosen using a restriction (νa) which creates a fresh name a, representing a fresh random number.)

Constructors and destructors can be public or private. The public ones can be used by the adversary, which is the case when not stated otherwise. The private ones can be used only by honest participants. They are useful in practice to model tables of keys stored in a server, for instance. A public constructor host computes a host name from a long-term secret key, and a private destructor getkey returns the key from the host name, and simulates a lookup in a table of pairs (host name, key). Using a public constructor host allows the adversary to create and register any number of host names and keys. However, since getkey is private, the adversary cannot compute a key from the host name, which would break all protocols: host names are public while keys of honest participants are secret.

The process calculus provides additional instructions for executing events, which will be used for specifying correspondences. The process event(M).P executes the event event(M), then executes P.

The other constructs in the syntax of Figure 1 are standard; most of them come from the pi calculus. The input process M(x).P inputs a message on channel M, and executes P with x bound to the input message. The output process M〈N〉.P outputs the message N on the channel M and then executes P. We allow communication on channels that can be arbitrary terms. (We could adapt our work to the case in which channels are only names.) Our calculus is monadic (in that the messages are terms rather than tuples of terms), but a polyadic calculus can be simulated since tuples are terms. It is also synchronous (in that a process P is executed after the output of a message). The nil process 0 does nothing. The process P | Q is the parallel composition of P and Q. The replication !P represents an unbounded number of copies of P in parallel. The restriction (νa)P creates a new name a and then executes P. The conditional if M = N then P else Q executes P if M and N reduce to the same term at runtime; otherwise,


Tuples:
  Constructor:  tuple  ntuple(x1, . . . , xn)
  Destructors:  projections  ithn(ntuple(x1, . . . , xn)) → xi
Shared-key encryption:
  Constructor:  encryption of x under the key y  sencrypt(x, y)
  Destructor:   decryption  sdecrypt(sencrypt(x, y), y) → x
Probabilistic shared-key encryption:
  Constructor:  encryption of x under the key y with random coins r  sencryptp(x, y, r)
  Destructor:   decryption  sdecryptp(sencryptp(x, y, r), y) → x
Probabilistic public-key encryption:
  Constructors: encryption of x under the key y with random coins r  pencryptp(x, y, r)
                public key generation from a secret key y  pk(y)
  Destructor:   decryption  pdecryptp(pencryptp(x, pk(y), r), y) → x
Signatures:
  Constructors: signature of x with the secret key y  sign(x, y)
                public key generation from a secret key y  pk(y)
  Destructors:  signature verification  checksignature(sign(x, y), pk(y)) → x
                message without signature  getmessage(sign(x, y)) → x
Non-message-revealing signatures:
  Constructors: signature of x with the secret key y  nmrsign(x, y)
                public key generation from a secret key y  pk(y)
                constant  true
  Destructor:   verification  nmrchecksign(nmrsign(x, y), pk(y), x) → true
One-way hash functions:
  Constructor:  hash function  h(x)
Table of host names and keys:
  Constructor:  host name from key  host(x)
  Private destructor:  key from host name  getkey(host(x)) → x

Figure 2: Constructors and destructors

it executes Q. We define let x = M in P as syntactic sugar for P{M/x}. As usual, we may omit an else clause when it consists of 0.

The name a is bound in the process (νa)P. The variable x is bound in P in the processes M(x).P and let x = g(M1, . . . , Mn) in P else Q. We write fn(P) and fv(P) for the sets of names and variables free in P, respectively. A process is closed if it has no free variables; it may have free names. We identify processes up to renaming of bound names and variables. We write {M1/x1, . . . , Mn/xn} for the substitution that replaces x1, . . . , xn with M1, . . . , Mn, respectively.

2.2 Operational Semantics

A semantic configuration is a pair E, 𝒫 where the environment E is a finite set of names and 𝒫 is a finite multiset of closed processes. The environment E must contain at least all free names of processes in 𝒫. The configuration {a1, . . . , an}, {P1, . . . , Pn} corresponds intuitively to the process (νa1) . . . (νan)(P1 | . . . | Pn). The semantics of the calculus is defined by a reduction relation → on semantic configurations, shown in Figure 3. The rule (Red Res) is the only one that uses renaming. This is important so that the parameters of events are not renamed after the execution of the event, to be able to compare them with the parameters of events executed later. This semantics is superficially different from those of [1, 14], which were defined using a structural congruence relation and a reduction relation on processes. The new semantics (in particular the renaming point mentioned above) provides simplifications in the definitions of


E, 𝒫 ∪ { 0 } → E, 𝒫                                                         (Red Nil)
E, 𝒫 ∪ { !P } → E, 𝒫 ∪ { P, !P }                                            (Red Repl)
E, 𝒫 ∪ { P | Q } → E, 𝒫 ∪ { P, Q }                                          (Red Par)
E, 𝒫 ∪ { (νa)P } → E ∪ {a′}, 𝒫 ∪ { P{a′/a} }   where a′ ∉ E                (Red Res)
E, 𝒫 ∪ { N〈M〉.Q, N(x).P } → E, 𝒫 ∪ { Q, P{M/x} }                           (Red I/O)
E, 𝒫 ∪ { let x = g(M1, . . . , Mn) in P else Q } → E, 𝒫 ∪ { P{M′/x} }
    if g(M1, . . . , Mn) → M′                                                (Red Destr 1)
E, 𝒫 ∪ { let x = g(M1, . . . , Mn) in P else Q } → E, 𝒫 ∪ { Q }
    if there exists no M′ such that g(M1, . . . , Mn) → M′                   (Red Destr 2)
E, 𝒫 ∪ { if M = M then P else Q } → E, 𝒫 ∪ { P }                            (Red Cond 1)
E, 𝒫 ∪ { if M = N then P else Q } → E, 𝒫 ∪ { Q }   if M ≠ N                 (Red Cond 2)
E, 𝒫 ∪ { event(M).P } → E, 𝒫 ∪ { P }                                        (Red Event)

Figure 3: Operational semantics

correspondences (Definitions 2, 3, 6, 7, and 9) and in the proofs that correspondences hold.

2.3 Example

As a running example, we consider a simplified version of the Needham-Schroeder public-key protocol [60], with the correction by Lowe [53], in which host names are replaced by public keys, which makes interaction with a server useless. (The version tested in the benchmarks is the full version. Obviously, our tool can verify much more complex protocols; we use this simple example for illustrative purposes.) The protocol contains the following messages:

Message 1. A→ B : {a, pkA}pkB

Message 2. B → A : {a, b, pkB}pkA

Message 3. A→ B : {b}pkB

A first sends to B a nonce (fresh name) a encrypted under the public key of B. B decrypts this message using his secret key skB and replies with the nonce a, a fresh nonce b that he chooses, and his own public key pkB, all encrypted under pkA. When A receives this message, she decrypts it. When A sees the nonce a, she is convinced that B answered, since only B can decrypt the first message and obtain a. Then A replies with the nonce b encrypted under pkB. B decrypts this message. When B sees the nonce b, he is convinced that A replied, since only A could decrypt the second message and obtain b. The presence of pkA in the first message and pkB in the second message makes explicit that these messages are for sessions between A and B, and so avoids man-in-the-middle attacks, such as the well-known attack found by Lowe [53]. This protocol can be represented in our calculus by the process P, explained below:

PA(skA, pkA, pkB) = !c(x_pkB).(νa)event(e1(pkA, x_pkB, a)).
    (νr1)c〈pencrypt_p((a, pkA), x_pkB, r1)〉.
    c(m).let (= a, x_b, = x_pkB) = pdecrypt_p(m, skA) in
    event(e3(pkA, x_pkB, a, x_b)).(νr3)c〈pencrypt_p(x_b, x_pkB, r3)〉.
    if x_pkB = pkB then
    event(eA(pkA, x_pkB, a, x_b)).c〈sencrypt(sAa, a)〉.c〈sencrypt(sAb, x_b)〉

PB(skB, pkB, pkA) = !c(m′).let (x_a, x_pkA) = pdecrypt_p(m′, skB) in (νb)
    event(e2(x_pkA, pkB, x_a, b)).(νr2)c〈pencrypt_p((x_a, b, pkB), x_pkA, r2)〉.
    c(m″).let (= b) = pdecrypt_p(m″, skB) in
    if x_pkA = pkA then
    event(eB(x_pkA, pkB, x_a, b)).c〈sencrypt(sBa, x_a)〉.c〈sencrypt(sBb, b)〉

P = (νskA)(νskB)let pkA = pk(skA) in let pkB = pk(skB) in
    c〈pkA〉.c〈pkB〉.(PA(skA, pkA, pkB) | PB(skB, pkB, pkA))

The channel c is public: the adversary can send and listen on it. We use a single public channeland not two or more channels because the adversary could take a message from one channel andrelay it on another channel, thus removing any difference between the channels. The process Pbegins with the creation of the secret and public keys of A and B. The public keys are outputon channel c to model that the adversary has them in its initial knowledge. Then the protocolitself starts: PA represents A, PB represents B. Both principals can run an unbounded numberof sessions, so PA and PB start with replications.

We consider that A and B are both willing to talk to any principal. So, to determine to whom A will talk, we consider that A first inputs a message containing the public key x_pkB of its interlocutor. (This interlocutor is therefore chosen by the adversary.) Then A starts a protocol run by choosing a nonce a, and executing the event e1(pkA, x_pkB, a). Intuitively, this event records that A sent Message 1 of the protocol, for a run with the participant of public key x_pkB, using the nonce a. Event e1 is placed before the actual output of Message 1; this is necessary for the desired correspondences to hold: if event e1 followed the output of Message 1, one would not be able to prove that event e1 must have been executed, even though Message 1 must have been sent, because Message 1 could be sent without executing event e1. The situation is similar for events e2 and e3 below. Then A sends the first message of the protocol pencrypt_p((a, pkA), x_pkB, r1), where r1 are fresh coins, used to model that public-key encryption is probabilistic. A waits for the second message and decrypts it using her secret key skA. If decryption succeeds, A checks that the message has the right form using the pattern-matching construct let (= a, x_b, = x_pkB) = pdecrypt_p(m, skA) in … This construct is syntactic sugar for let y = pdecrypt_p(m, skA) in let x1 = 1th3(y) in let x_b = 2th3(y) in let x3 = 3th3(y) in if x1 = a then if x3 = x_pkB then … Then A executes the event e3(pkA, x_pkB, a, x_b), to record that she has received Message 2 and sent Message 3 of the protocol, in a session with the participant of public key x_pkB, and nonces a and x_b. Finally, she sends the last message of the protocol pencrypt_p(x_b, x_pkB, r3). After sending this message, A executes some actions needed only for specifying properties of the protocol. When x_pkB = pkB, that is, when the session is between A and B, A executes the event eA(pkA, x_pkB, a, x_b), to record that A ended a session of the protocol, with the participant of public key x_pkB and nonces a and x_b. A also outputs the secret name sAa encrypted under the nonce a and the secret name sAb encrypted under the nonce x_b. These outputs are helpful in order to formalize the secrecy of the nonces. Our tool can prove the secrecy of free names, but not the secrecy of bound names (such as a) or of variables (such as x_b). In order to overcome this limitation, we publish the encryption of a free name sAa under a; then sAa is secret if and only if the nonce a chosen by A is secret. Similarly, sAb is secret if and only if the nonce x_b received by A is secret.

The process PB proceeds similarly: it executes the protocol, with the additional event e2(x_pkA, pkB, x_a, b) to record that Message 1 has been received and Message 2 has been sent by B, in a session with the participant of public key x_pkA and nonces x_a and b. After finishing the protocol itself, when x_pkA = pkA, that is, when the session is between A and B, PB executes the event eB(x_pkA, pkB, x_a, b), to record that B finished the protocol, and outputs sBa encrypted under x_a and sBb encrypted under b, to model the secrecy of x_a and b respectively.

The events will be used in order to formalize authentication. For example, we formalize that, if A ends a session of the protocol, then B has started a session of the protocol with the same nonces by requiring that, if eA(x1, x2, x3, x4) has been executed, then e2(x1, x2, x3, x4) has been executed.²

3 Definition of Correspondences

In this section, we formally define the correspondences that we verify. We prove correspondencesof the form “if an event e has been executed, then events e11, . . . , e1l1 have been executed, or . . . ,or em1, . . . , emlm have been executed”. These events may include arguments, which allows oneto relate the values of variables at the various events. Furthermore, we can replace the event ewith the fact that the adversary knows some term (which allows us to prove secrecy properties),or that a certain message has been sent on a certain channel. We can prove that each executionof e corresponds to a distinct execution of some events ejk (injective correspondences, definedin Section 3.2), and we can prove that the events ejk have been executed in a certain order(general correspondences, defined in Section 3.3).

We assume that the protocol is executed in the presence of an adversary that can listen to allmessages, compute, and send all messages it has, following the so-called Dolev-Yao model [39].Thus, an adversary can be represented by any process that has a set of public names Init inits initial knowledge and that does not contain events. (Although the initial knowledge of theadversary contains only names in Init , one can give any terms to the adversary by sending themon a channel in Init .)

Definition 1 Let Init be a finite set of names. The closed process Q is an Init-adversary ifand only if fn(Q) ⊆ Init and Q does not contain events.

3.1 Non-injective Correspondences

Next, we define when a trace satisfies an atom α, generated by the following grammar:

α ::=                       atom
    attacker(M)             attacker knowledge
    message(M, M′)          message on a channel
    event(M)                event

Intuitively, a trace satisfies attacker(M) when the attacker has M, or equivalently, when M has been sent on a public channel in Init. It satisfies message(M, M′) when the message M′ has been sent on channel M. Finally, it satisfies event(M) when the event event(M) has been executed.

² For this purpose, the event eA must not be executed when A thinks she talks to the adversary. Indeed, in this case, it is correct that no event has been executed by the interlocutor of A, since the adversary never executes events.


Definition 2 We say that a trace T = E0, 𝒫0 →* E′, 𝒫′ satisfies attacker(M) if and only if T contains a reduction E, 𝒫 ∪ { c〈M〉.Q, c(x).P } → E, 𝒫 ∪ { Q, P{M/x} } for some E, 𝒫, x, P, Q, and c ∈ Init.

We say that a trace T = E0, 𝒫0 →* E′, 𝒫′ satisfies message(M, M′) if and only if T contains a reduction E, 𝒫 ∪ { M〈M′〉.Q, M(x).P } → E, 𝒫 ∪ { Q, P{M′/x} } for some E, 𝒫, x, P, Q.

We say that a trace T = E0, 𝒫0 →* E′, 𝒫′ satisfies event(M) if and only if T contains a reduction E, 𝒫 ∪ { event(M).P } → E, 𝒫 ∪ { P } for some E, 𝒫, P.

The correspondence $\alpha \Rightarrow \bigvee_{j=1}^{m} \big(\alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathrm{event}(M_{jk})\big)$, formally defined below, means intuitively that, if an instance of α is satisfied, then for some j ∈ {1, …, m}, the considered instance of α is an instance of α_j and a corresponding instance of each of the events event(M_j1), …, event(M_jl_j) has been executed.³

Definition 3 The closed process P0 satisfies the correspondence

$$\alpha \Rightarrow \bigvee_{j=1}^{m} \Big(\alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathrm{event}(M_{jk})\Big)$$

against Init-adversaries if and only if, for any Init-adversary Q, for any E0 containing fn(P0) ∪ Init ∪ fn(α) ∪ ⋃_j fn(α_j) ∪ ⋃_{j,k} fn(M_jk), for any substitution σ, for any trace T = E0, {P0, Q} →* E′, 𝒫′, if T satisfies σα, then there exist σ′ and j ∈ {1, …, m} such that σ′α_j = σα and, for all k ∈ {1, …, l_j}, T satisfies event(σ′M_jk) as well.

This definition is very general; we detail some interesting particular cases below. When m = 0, the disjunction $\bigvee_{j=1}^{m} \ldots$ is denoted by false. When α = α_j for all j, we abbreviate the correspondence by $\alpha \rightsquigarrow \bigvee_{j=1}^{m} \bigwedge_{k=1}^{l_j} \mathrm{event}(M_{jk})$. This correspondence means that, if an instance of α is satisfied, then for some j ≤ m, a corresponding instance of event(M_j1), …, event(M_jl_j) has been executed. The variables in α are universally quantified (because, in Definition 3, σ is universally quantified). The variables in M_jk that do not occur in α are existentially quantified (because σ′ is existentially quantified).

Example 1 In the process of Section 2.3, the correspondence event(eB(x1, x2, x3, x4)) ⇝ event(e1(x1, x2, x3)) ∧ event(e2(x1, x2, x3, x4)) ∧ event(e3(x1, x2, x3, x4)) means that, if the event eB(x1, x2, x3, x4) has been executed, then the events e1(x1, x2, x3), e2(x1, x2, x3, x4), and e3(x1, x2, x3, x4) have been executed, with the same value of the arguments x1, x2, x3, x4.

The correspondence

$$\begin{array}{l}
\mathrm{event}(\mathit{R\_received}(\mathit{msg}(x, z))) \Rightarrow \\
\quad \big(\mathrm{event}(\mathit{R\_received}(\mathit{msg}(x, (z', \mathit{Auth})))) \rightsquigarrow \mathrm{event}(\mathit{S\_has}(k, \mathit{msg}(x, (z', \mathit{Auth})))) \wedge \mathrm{event}(\mathit{TTP\_send}(\mathit{sign}((\mathit{sencrypt}(\mathit{msg}(x, (z', \mathit{Auth})), k), x), \mathit{skTTP})))\big) \\
\quad \vee\ \big(\mathrm{event}(\mathit{R\_received}(\mathit{msg}(x, (z', \mathit{NoAuth})))) \rightsquigarrow \mathrm{event}(\mathit{S\_has}(k, \mathit{msg}(x, (z', \mathit{NoAuth})))) \wedge \mathrm{event}(\mathit{TTP\_send}(\mathit{sign}(\mathit{sencrypt}(\mathit{msg}(x, (z', \mathit{NoAuth})), k), \mathit{skTTP})))\big)
\end{array}$$

means that, if the event R_received(msg(x, z)) has been executed, then two cases can happen: either z = (z′, Auth) or z = (z′, NoAuth) for some z′. In both cases, the events TTP_send(certificate) and S_has(k, msg(x, z)) have been executed for some k, but with a different value of certificate: certificate = sign((S2TTP, x), skTTP) when z = (z′, Auth), and certificate = sign(S2TTP, skTTP) when z = (z′, NoAuth), with S2TTP = sencrypt(msg(x, z), k). A similar correspondence was used in our study of a certified email protocol, in collaboration with Martín Abadi [2, Section 5, Proposition 4]. We refer to that paper for additional details.

³ The implementation in ProVerif uses a slightly different notation: α_j is omitted, but additionally equality tests are allowed on the right-hand side of ⇝, so that one can check that α is actually an instance of α_j.

The following definitions are particular cases of Definition 3.

Definition 4 The closed process P preserves the secrecy of all instances of M from Init if and only if it satisfies the correspondence attacker(M) ⇝ false against Init-adversaries.

When M is a free name, this definition is equivalent to that of [1].

Example 2 The process P of Section 2.3 preserves the secrecy of sAa when the correspondence attacker(sAa) ⇝ false is satisfied. In this case, intuitively, P preserves the secrecy of the nonce a that A chooses. The situation is similar for sAb, sBa, and sBb.

Definition 5 Non-injective agreement is a correspondence of the form event(e(x1, …, xn)) ⇝ event(e′(x1, …, xn)).

Intuitively, the correspondence event(e(x1, …, xn)) ⇝ event(e′(x1, …, xn)) means that, if an event e(M1, …, Mn) is executed, then the event e′(M1, …, Mn) has also been executed. This definition can be used to represent Lowe's notion of non-injective agreement [54].

Example 3 In the example of Section 2.3, the correspondence event(eA(x1, x2, x3, x4)) ⇝ event(e2(x1, x2, x3, x4)) means that, if A executes an event eA(x1, x2, x3, x4), then B has executed the event e2(x1, x2, x3, x4). So, if A terminates the protocol thinking she talks to B, then B is actually involved in the protocol. Moreover, the agreement on the parameters of the events, pkA = x_pkA, x_pkB = pkB, a = x_a, and x_b = b, implies that B actually thinks he talks to A, and that A and B agree on the values of the nonces.

The correspondence event(eB(x1, x2, x3, x4)) ⇝ event(e3(x1, x2, x3, x4)) is similar, after swapping the roles of A and B.

3.2 Injective Correspondences

Definition 6 We say that the event event(M) is executed at step τ in a trace T = E0,P0 →∗

E′,P ′ if and only if the τ -th reduction of T is of the form E,P∪{ event(M).P } → E,P∪{P }for some E, P, P .

Intuitively, an injective correspondence event(M) ⇝ inj event(M′) requires that each event event(σM) is enabled by distinct events event(σM′), while a non-injective correspondence event(M) ⇝ event(M′) allows several events event(σM) to be enabled by the same event event(σM′). We denote by [inj] an optional inj marker: it can be either inj or nothing. When [inj] = inj, an injective correspondence is required. When [inj] is nothing, the correspondence does not need to be injective.

Definition 7 The closed process P0 satisfies the correspondence

$$\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big(\mathrm{event}(N_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\,\mathrm{event}(M_{jk})\Big)$$

against Init-adversaries if and only if, for any Init-adversary Q, for any E0 containing fn(P0) ∪ Init ∪ fn(M) ∪ ⋃_j fn(N_j) ∪ ⋃_{j,k} fn(M_jk), for any trace T = E0, {P0, Q} →* E′, 𝒫′, there exist functions φ_jk from a subset of steps in T to steps in T such that


• For all τ , if the event event(σM) is executed at step τ in T for some σ, then thereexist σ′ and j such that σ′Nj = σM and, for all k ∈ {1, . . . , lj}, φjk(τ) is defined andevent(σ′Mjk) is executed at step φjk(τ) in T .

• If [inj]jk = inj, then φjk is injective.

The functions φ_jk map execution steps of events event(σM) to the execution steps of the events event(σ′M_jk) that enable event(σM). When [inj]_jk = inj, the injectivity of φ_jk guarantees that distinct executions of event(σM) correspond to distinct executions of event(σ′M_jk). When M = N_j for all j, we abbreviate the correspondence by $\mathrm{event}(M) \rightsquigarrow \bigvee_{j=1}^{m} \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\,\mathrm{event}(M_{jk})$, as in the non-injective case.

Woo and Lam's correspondence assertions [71] are a particular case of this definition. Indeed, they consider properties of the form: if γ1 or … or γk have been executed, then μ1 or … or μm must have been executed, denoted by γ1 | … | γk → μ1 | … | μm. Such a correspondence assertion is formalized in our setting by: for all i ∈ {1, …, k}, the process satisfies the correspondence $\mathrm{event}(\gamma_i) \rightsquigarrow \bigvee_{j=1}^{m} \mathrm{inj}\ \mathrm{event}(\mu_j)$.

Remark 1 Correspondences $\alpha \Rightarrow \bigvee_{j=1}^{m} \big(\alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\,\mathrm{event}(M_{jk})\big)$ with α = attacker(M) and at least one inj marker would always be wrong: the adversary can always repeat the output of M on one of his channels any number of times. With α = message(M, M′) and at least one inj marker, the correspondence may be true only when the adversary cannot execute the corresponding output. For simplicity, we focus on the case α = event(M) only.

Definition 8 Injective agreement is a correspondence of the form event(e(x1, …, xn)) ⇝ inj event(e′(x1, …, xn)).

Injective agreement requires that the number of executions of event(e(M1, …, Mn)) is at most the number of executions of event(e′(M1, …, Mn)): each execution of event(e(M1, …, Mn)) corresponds to a distinct execution of event(e′(M1, …, Mn)). This corresponds to Lowe's agreement specification [54].

Example 4 In the example of Section 2.3, the correspondence event(eA(x1, x2, x3, x4)) ⇝ inj event(e2(x1, x2, x3, x4)) means that each execution of event(eA(x1, x2, x3, x4)) corresponds to a distinct execution of event(e2(x1, x2, x3, x4)). So each completed session of A talking to B corresponds to a distinct session of B talking to A, and A and B agree on the values of the nonces.

The correspondence event(eB(x1, x2, x3, x4)) ⇝ inj event(e3(x1, x2, x3, x4)) is similar, after swapping the roles of A and B.

3.3 General Correspondences

Correspondences also give information on the order in which events are executed. Indeed, if we have the correspondence

$$\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big(\mathrm{event}(N_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\,\mathrm{event}(M_{jk})\Big)$$

then the events event(M_jk) for k ≤ l_j have been executed before event(N_j). Formally, in the definition of injective correspondences, we can define φ_jk such that φ_jk(τ) ≤ τ when φ_jk is defined. (The inequality τ′ ≤ τ means that τ′ occurs before τ in the trace.) Indeed, otherwise, by considering the prefix of the trace that stops just after τ, we would contradict the correspondence. In this section, we exploit this point to define more general properties involving the ordering of events.
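The checks of Definition 3 (non-injective) and Definition 7 (injective), together with the ordering observation just made, can be carried out mechanically on a recorded trace. The following is an added example, not code from the paper or from ProVerif: it takes the events of one run in execution order, searches for the enabling events at steps φ(τ) ≤ τ, and, for inj conjuncts, builds an injective φ by bipartite matching. The trace, the event names and the pattern syntax (variables written as strings starting with '?') are assumptions of the example; only flat correspondences of the shape event(M) ⇝ ⋀_k [inj]_k event(M_k) are handled, not the nested ones introduced later in this section.

```python
"""Checking non-injective and injective correspondences on a recorded trace.

Added example; not code from the paper or from ProVerif.  A trace is given as
the sequence of events executed in one run (Definition 6: entry tau is the
event executed at step tau; the non-event reductions are left out, which does
not change the order).  A correspondence is a head pattern plus a list of
(inj, pattern) conjuncts, i.e. the shape  event(M) ~> /\_k [inj]_k event(M_k)
of Definition 7 with one disjunct and N_1 = M.  Patterns are flat, as in the
examples of Section 3: an event name followed by constants and variables
(strings starting with '?'), every variable of M_k also occurring in M.
"""


def match(pattern, event):
    """Return sigma with sigma(pattern) == event, or None if they do not match."""
    if len(pattern) != len(event) or pattern[0] != event[0]:
        return None
    sigma = {}
    for p, v in zip(pattern[1:], event[1:]):
        if p.startswith('?'):
            if sigma.setdefault(p, v) != v:
                return None
        elif p != v:
            return None
    return sigma


def injective_assignment(cands):
    """cands: {tau: [allowed steps]}.  Choose one allowed step per tau so that
    no two tau share a step (Kuhn's augmenting-path matching); None if impossible."""
    owner = {}  # step -> tau that currently uses it

    def assign(tau, seen):
        for step in cands[tau]:
            if step not in seen:
                seen.add(step)
                if step not in owner or assign(owner[step], seen):
                    owner[step] = tau
                    return True
        return False

    for tau in cands:
        if not assign(tau, set()):
            return None
    return {tau: step for step, tau in owner.items()}


def check(trace, head, body):
    """Return (holds, phi).  phi[k] maps every step tau executing sigma(head) to a
    step phi_k(tau) <= tau executing sigma(M_k); for inj conjuncts phi_k is
    injective (Definition 7 together with the ordering remark of Section 3.3)."""
    heads = {tau: match(head, ev) for tau, ev in enumerate(trace)}
    heads = {tau: s for tau, s in heads.items() if s is not None}
    phi = []
    for inj, pat in body:
        cands = {}
        for tau, sigma in heads.items():
            wanted = tuple(sigma.get(x, x) for x in pat)
            cands[tau] = [t for t in range(tau + 1) if trace[t] == wanted]
            if not cands[tau]:
                return False, None      # the enabling event never happened before tau
        phi_k = injective_assignment(cands) if inj else {tau: c[-1] for tau, c in cands.items()}
        if phi_k is None:
            return False, None          # two executions of head share one enabling event
        phi.append(phi_k)
    return True, phi


# Constructed traces for the protocol of Section 2.3: one honest session between
# A and B, then the same trace with a second eA for the same nonces and no second
# e2 (what a replay of Message 2 to a second session of A would produce).
X = ('?x1', '?x2', '?x3', '?x4')
E1, E2, E3 = ('e1', '?x1', '?x2', '?x3'), ('e2',) + X, ('e3',) + X
EA, EB = ('eA',) + X, ('eB',) + X
HONEST = [('e1', 'pkA', 'pkB', 'a1'), ('e2', 'pkA', 'pkB', 'a1', 'b1'),
          ('e3', 'pkA', 'pkB', 'a1', 'b1'), ('eB', 'pkA', 'pkB', 'a1', 'b1'),
          ('eA', 'pkA', 'pkB', 'a1', 'b1')]
REPLAYED = HONEST + [('eA', 'pkA', 'pkB', 'a1', 'b1')]

if __name__ == '__main__':
    print(check(HONEST, EA, [(True, E2)]))                          # Example 4 holds
    print(check(REPLAYED, EA, [(False, E2)]))                       # Example 3 still holds
    print(check(REPLAYED, EA, [(True, E2)]))                        # injectivity fails
    print(check(HONEST, EB, [(True, E1), (True, E2), (True, E3)]))  # Example 1, ordered
```

On REPLAYED the non-injective check (Example 3) still passes, because both executions of eA find the single e2, whereas the injective check (Example 4) fails: no injective φ exists, which is exactly the replay that injective agreement is meant to exclude. A trace with eB before e3 fails even the non-injective check, since candidates are only searched at steps ≤ τ.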


Let us first consider some examples. Using the process of Section 2.3, we will denote by

$$\mathrm{event}(eB(x_1, x_2, x_3, x_4)) \rightsquigarrow \big(\mathrm{inj}\ \mathrm{event}(e3(x_1, x_2, x_3, x_4)) \rightsquigarrow \big(\mathrm{inj}\ \mathrm{event}(e2(x_1, x_2, x_3, x_4)) \rightsquigarrow \mathrm{inj}\ \mathrm{event}(e1(x_1, x_2, x_3))\big)\big) \qquad (1)$$

the correspondence that means that each execution of the event eB(x1, x2, x3, x4) corresponds to distinct executions of the events e1(x1, x2, x3), e2(x1, x2, x3, x4), and e3(x1, x2, x3, x4) in this order: each execution of eB(x1, x2, x3, x4) is preceded by a distinct execution of e3(x1, x2, x3, x4), which is itself preceded by a distinct execution of e2(x1, x2, x3, x4), which is itself preceded by a distinct execution of e1(x1, x2, x3). This correspondence shows that, when B terminates the protocol talking with A, A and B have exchanged all messages of the protocol in the expected order. This correspondence is not equivalent to the conjunction of the correspondences event(eB(x1, x2, x3, x4)) ⇝ inj event(e3(x1, x2, x3, x4)), event(e3(x1, x2, x3, x4)) ⇝ inj event(e2(x1, x2, x3, x4)), and event(e2(x1, x2, x3, x4)) ⇝ inj event(e1(x1, x2, x3)), because (1) may be true even when, in order to prove that e2 is executed, we need to know that eB has been executed, and not only that e3 has been executed and, similarly, in order to prove that e1 has been executed, we need to know that eB has been executed, and not only that e2 has been executed. Using general correspondences such as (1) is therefore strictly more expressive than using injective correspondences. A correspondence similar to (1) has been used in our study of the Just Fast Keying protocol, one of the proposed replacements for IKE in IPsec, in collaboration with Martín Abadi and Cédric Fournet [3, Appendix B.5].

As a more generic example, the correspondence

$$\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big(\mathrm{event}(M_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} \big([\mathrm{inj}]_{jk}\,\mathrm{event}(M_{jk}) \rightsquigarrow \bigvee_{j'=1}^{m_{jk}} \bigwedge_{k'=1}^{l_{jkj'}} [\mathrm{inj}]_{jkj'k'}\,\mathrm{event}(M_{jkj'k'})\big)\Big)$$

means that, if an instance of event(M) has been executed, then there exists j such that this instance of event(M) is an instance of event(M_j) and, for all k, a corresponding instance of event(M_jk) has been executed before event(M_j), and there exists $j'_k$ such that, for all k′, a corresponding instance of $\mathrm{event}(M_{jkj'_kk'})$ has been executed before event(M_jk).

Let us now consider the general definition. We denote by $\mathbf{k}$ a sequence of indices k. The empty sequence is denoted ǫ. When $\mathbf{j} = j_1 \ldots j_n$ and $\mathbf{k} = k_1 \ldots k_n$ are sequences of the same length, we denote by $\mathbf{jk}$ the sequence obtained by taking alternatively one index in each sequence $\mathbf{j}$ and $\mathbf{k}$: $\mathbf{jk} = j_1 k_1 \ldots j_n k_n$. We sometimes use $\mathbf{jk}$ as an identifier that denotes a sequence obtained in this way; for instance, "for all $\mathbf{jk}$, $\varphi_{\mathbf{jk}}$ is injective" abbreviates "for all $\mathbf{j}$ and $\mathbf{k}$ of the same length, $\varphi_{\mathbf{jk}}$ is injective". We only consider sequences $\mathbf{jk}$ that occur in the correspondence. For instance, for the correspondence

$$\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big(\mathrm{event}(M_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} \big([\mathrm{inj}]_{jk}\,\mathrm{event}(M_{jk}) \rightsquigarrow \bigvee_{j'=1}^{m_{jk}} \bigwedge_{k'=1}^{l_{jkj'}} [\mathrm{inj}]_{jkj'k'}\,\mathrm{event}(M_{jkj'k'})\big)\Big)$$

we consider the sequences $\mathbf{jk} = \epsilon$, $\mathbf{jk} = jk$, and $\mathbf{jk} = jkj'k'$ where 1 ≤ j ≤ m, 1 ≤ k ≤ l_j, 1 ≤ j′ ≤ m_jk, and 1 ≤ k′ ≤ l_jkj′.

Given a family of indices $J = (j_{\mathbf{k}})_{\mathbf{k}}$ indexed by sequences of indices $\mathbf{k}$, we define $\mathrm{makejk}(\mathbf{k}, J)$ by $\mathrm{makejk}(\epsilon, J) = \epsilon$ and $\mathrm{makejk}(\mathbf{k}k, J) = \mathrm{makejk}(\mathbf{k}, J)\, j_{\mathbf{k}}\, k$. Less formally, if $\mathbf{k} = k_1 k_2 k_3 \ldots$, we have $\mathrm{makejk}(\mathbf{k}, J) = j_\epsilon k_1\, j_{k_1} k_2\, j_{k_1 k_2} k_3 \ldots$ Intuitively, the correspondence contains disjunctions over indices j and conjunctions over indices k, so we would like to express quantifications of the form $\exists j_\epsilon\, \forall k_1\, \exists j_{k_1}\, \forall k_2\, \exists j_{k_1 k_2}\, \forall k_3 \ldots$ on the sequence $j_\epsilon k_1\, j_{k_1} k_2\, j_{k_1 k_2} k_3 \ldots$. The notation $\mathrm{makejk}(\mathbf{k}, J)$ allows us to replace such a quantification with the quantification $\exists J\, \forall \mathbf{k}$ on the sequence $\mathrm{makejk}(\mathbf{k}, J)$.

Definition 9 The closed process P0 satisfies the correspondence

$$\mathrm{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big(\mathrm{event}(M_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathrm{inj}]_{jk}\, q_{jk}\Big)$$

where

$$q_{\mathbf{jk}} = \mathrm{event}(M_{\mathbf{jk}}) \rightsquigarrow \bigvee_{j=1}^{m_{\mathbf{jk}}} \bigwedge_{k=1}^{l_{\mathbf{jk}j}} [\mathrm{inj}]_{\mathbf{jk}jk}\, q_{\mathbf{jk}jk}$$

against Init-adversaries if and only if, for any Init-adversary Q, for any E0 containing fn(P0) ∪ Init ∪ fn(M) ∪ ⋃_j fn(M_j) ∪ $\bigcup_{\mathbf{jk}} \mathrm{fn}(M_{\mathbf{jk}})$, for any trace T = E0, {P0, Q} →* E′, 𝒫′, there exists a function $\varphi_{\mathbf{jk}}$ for each non-empty $\mathbf{jk}$, such that for all non-empty $\mathbf{jk}$, $\varphi_{\mathbf{jk}}$ maps a subset of steps of T to steps of T and

• For all τ, if the event event(σM) is executed at step τ in T for some σ, then there exist σ′ and $J = (j_{\mathbf{k}})_{\mathbf{k}}$ such that $\sigma' M_{j_\epsilon} = \sigma M$ and, for all non-empty $\mathbf{k}$, $\varphi_{\mathrm{makejk}(\mathbf{k}, J)}(\tau)$ is defined and $\mathrm{event}(\sigma' M_{\mathrm{makejk}(\mathbf{k}, J)})$ is executed at step $\varphi_{\mathrm{makejk}(\mathbf{k}, J)}(\tau)$ in T.

• For all non-empty $\mathbf{jk}$, if $[\mathrm{inj}]_{\mathbf{jk}} = \mathrm{inj}$, then $\varphi_{\mathbf{jk}}$ is injective.

• For all non-empty $\mathbf{jk}$, for all j and k, if $\varphi_{\mathbf{jk}jk}(\tau)$ is defined, then $\varphi_{\mathbf{jk}}(\tau)$ is defined and $\varphi_{\mathbf{jk}jk}(\tau) \le \varphi_{\mathbf{jk}}(\tau)$. For all j and k, if $\varphi_{jk}(\tau)$ is defined, then $\varphi_{jk}(\tau) \le \tau$.

We abbreviate by $q_{\mathbf{jk}} = \mathrm{event}(M_{\mathbf{jk}})$ the correspondence

$$q_{\mathbf{jk}} = \mathrm{event}(M_{\mathbf{jk}}) \rightsquigarrow \bigvee_{j=1}^{m_{\mathbf{jk}}} \bigwedge_{k=1}^{l_{\mathbf{jk}j}} [\mathrm{inj}]_{\mathbf{jk}jk}\, q_{\mathbf{jk}jk}$$

when $m_{\mathbf{jk}} = 1$ and $l_{\mathbf{jk}1} = 0$, that is, the disjunction $\bigvee_{j=1}^{m_{\mathbf{jk}}} \bigwedge_{k=1}^{l_{\mathbf{jk}j}} [\mathrm{inj}]_{\mathbf{jk}jk}\, q_{\mathbf{jk}jk}$ is true. Injective correspondences are then a particular case of general correspondences.

The function φjk maps the execution steps of instances of event(M) to the execution stepsof the corresponding instances of event(Mjk). The first item of Definition 9 guarantees thatthe required events have been executed. The second item means that, when the inj marker ispresent, the correspondence is injective. Finally, the third item guarantees that the events havebeen executed in the expected order.

Example 5 Let us consider again the correspondence (1). Using the notations of Definition 9, this correspondence is written event(eB(x1, x2, x3, x4)) ⇝ inj q11 (or event(eB(x1, x2, x3, x4)) ⇒ event(eB(x1, x2, x3, x4)) ⇝ inj q11), where q11 = event(e3(x1, x2, x3, x4)) ⇝ inj q1111, q1111 = event(e2(x1, x2, x3, x4)) ⇝ inj q111111, and q111111 = event(e1(x1, x2, x3)). By Definition 9, this correspondence means that there exist functions φ11, φ1111, and φ111111 such that:

• For all τ , if the event event(σeB(x1, x2, x3, x4)) is executed at step τ for some σ, thenφ11(τ), φ1111(τ), and φ111111(τ) are defined, and event(σe3(x1, x2, x3, x4)) is executed atstep φ11(τ), event(σe2(x1, x2, x3, x4)) is executed at step φ1111(τ), and event(σe1(x1, x2,x3)) is executed at step φ111111(τ). (Here, σ′ = σ since all variables of the correspondenceoccur in event(eB(x1, x2, x3, x4)). Moreover, jk = 1 for all k and the non-empty sequencesk are 1, 11, and 111, since all conjunctions and disjunctions have a single element. Thesequences makejk(k, J) are then 11, 1111, and 111111.)

• The functions φ11, φ1111, and φ111111 are injective, so distinct executions of eB(x1, x2, x3,x4) correspond to distinct executions of e1(x1, x2, x3), e2(x1, x2, x3, x4), and e3(x1, x2, x3,x4).

• When φ111111(τ) is defined, φ111111(τ) ≤ φ1111(τ) ≤ φ11(τ) ≤ τ , so the events e1(x1, x2,x3), e2(x1, x2, x3, x4), and e3(x1, x2, x3, x4) are executed in this order, before eB(x1, x2,x3, x4).


Similarly, general correspondences allow us to express that, if a protocol participant successfullyterminates with honest interlocutors, then the expected messages of the protocol have beenexchanged between the protocol participants, in the expected order. This notion is the formalcounterpart of the notion of matching conversations initially introduced in the computationalmodel by Bellare and Rogaway [11]. This notion of authentication is also used in [34].

We first focus on non-injective correspondences, and postpone the treatment of generalcorrespondences to Section 7.2.

4 Automatic Verification: from Secrecy to Correspondences

Let us first summarize our analysis for secrecy. The clauses use two predicates: attacker and message, where attacker(M) means that the attacker may have the message M and message(M, M′) means that the message M′ may be sent on channel M. The clauses relate atoms that use these predicates as follows. A clause message(M1, M′1) ∧ … ∧ message(Mn, M′n) ⇒ message(M, M′) is generated when the process outputs M′ on channel M after receiving M′1, …, M′n on channels M1, …, Mn respectively. A clause attacker(M1) ∧ … ∧ attacker(Mn) ⇒ attacker(M) is generated when the attacker can compute M from M1, …, Mn. The clause message(x, y) ∧ attacker(x) ⇒ attacker(y) means that the attacker can listen on channel x when he has x, and the clause attacker(x) ∧ attacker(y) ⇒ message(x, y) means that the attacker can send any message y he has on any channel x he has. When attacker(M) is derivable from the clauses, the attacker may have M; conversely, when attacker(M) is not derivable from the clauses, we are sure that the attacker cannot have M. The converse does not hold: attacker(M) may be derivable even though the attacker cannot actually obtain M, because the Horn clauses can be applied any number of times, which is not true in general of the actions of the process. Similarly, when message(M, M′) is derivable from the clauses, the message M′ may be sent on channel M. Hence our analysis overapproximates the execution of actions.

Let us now consider that we want to prove a correspondence, for instance event(e1(x)) ⇝ event(e2(x)). In order to prove this correspondence, we can overapproximate the executions of event e1: if we prove the correspondence with this overapproximation, it will also hold in the exact semantics. So we can easily extend our analysis for secrecy with an additional predicate event, such that event(M) means that event(M) may have been executed. We generate clauses message(M1, M′1) ∧ … ∧ message(Mn, M′n) ⇒ event(M) when the process executes event(M) after receiving M′1, …, M′n on channels M1, …, Mn respectively. However, such an overapproximation cannot be done for the event e2: if we prove the correspondence after overapproximating the execution of e2, we are not really sure that e2 will be executed, so the correspondence may be wrong in the exact semantics. Therefore, we have to use a different method for treating e2.

We use the following idea: we fix the exact set ℰ of allowed events e2(M) and, in order to prove event(e1(x)) ⇝ event(e2(x)), we check that only events e1(M) for M such that e2(M) ∈ ℰ can be executed. If we prove this property for any value of ℰ, we have proved the desired correspondence. So we introduce a predicate m-event, such that m-event(e2(M)) is true if and only if e2(M) ∈ ℰ. We generate clauses message(M1, M′1) ∧ … ∧ message(Mn, M′n) ∧ m-event(e2(M0)) ⇒ message(M, M′) when the process outputs M′ on channel M after executing the event e2(M0) and receiving M′1, …, M′n on channels M1, …, Mn respectively. In other words, the output of M′ on channel M can be executed only when m-event(e2(M0)) is true, that is, e2(M0) ∈ ℰ. (When the output of M′ on channel M is under several events, the clause contains several m-event atoms in its hypothesis. We also have similar clauses with event(e1(M)) instead of message(M, M′) when the event e1 is executed after executing e2 and receiving M′1, …, M′n on channels M1, …, Mn respectively.)

For instance, if the events e2(M1) and e2(M2) are executed in a certain trace of the protocol, we define ℰ = {e2(M1), e2(M2)}, so that m-event(e2(M1)) and m-event(e2(M2)) are true and all other m-event facts are false. Then we show that the only events e1 that may be executed are e1(M1) and e1(M2). We prove a similar result for all values of ℰ, which proves the desired correspondence.

In order to determine whether an atom is derivable from the clauses, we use a resolution-based algorithm. The resolution is performed for an unknown value of ℰ. So, basically, we keep m-event atoms without trying to evaluate them (which we cannot do since ℰ is unknown). In the vocabulary of resolution, we never select m-event atoms. (We detail this point in Section 6.1.) Thus the obtained result holds for any value of ℰ, which allows us to prove correspondences. In order to prove the correspondence event(e1(x)) ⇝ event(e2(x)), we show that event(e1(M)) is derivable only when m-event(e2(M)) holds. We transform the initial set of clauses into a set of clauses that derives the same atoms. If, in the obtained set of clauses, all clauses that conclude event(e1(M)) contain m-event(e2(M)) in their hypotheses, then event(e1(M)) is derivable only when m-event(e2(M)) holds, so the desired correspondence holds.
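The idea of carrying m-event atoms along unevaluated can be seen on a toy clause set. The code below is an added example, not ProVerif's implementation: instead of resolution with a selection function it uses bounded forward chaining, but it keeps the essential point that m-event hypotheses are never resolved away and instead accumulate as the conditions under which a fact is derivable. The protocol (B executes e2(x) and sends senc(x, k); A receives senc(y, k) and executes e1(y)), the clause encoding with the public channel folded into attacker(·), and the constants n and k are assumptions of the example. In the variant where the shared key k is public, event(e1(n)) becomes derivable with no m-event condition, which is how the failure of event(e1(x)) ⇝ event(e2(x)) shows up.

```python
"""Deriving event facts under unevaluated m-event hypotheses (Section 4).

Added example, not ProVerif's code: ProVerif uses resolution with a selection
function (Section 6.1); this is a bounded forward-chaining stand-in that keeps
the key idea, namely that m-event atoms are never evaluated but carried along
as conditions of the derived facts.  Constants are strings, variables are
strings starting with '?', compound terms and atoms are tuples (symbol, ...).
Every derived fact is ground, so one-way matching of hypotheses suffices.
"""
import itertools


def is_var(t):
    return isinstance(t, str) and t.startswith('?')


def match(pat, term, s):
    """Extend s so that s(pat) == term (term ground), or return None."""
    if is_var(pat):
        if pat in s:
            return s if s[pat] == term else None
        return {**s, pat: term}
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):
            s = match(p, t, s)
            if s is None:
                return None
        return s
    return s if pat == term else None


def subst(t, s):
    if is_var(t):
        return s.get(t, t)
    return tuple(subst(x, s) for x in t) if isinstance(t, tuple) else t


def size(t):
    return sum(size(x) for x in t) if isinstance(t, tuple) else 1


def saturate(clauses, max_size=6, rounds=8):
    """Forward chaining over clauses (hyps, concl), dropping facts larger than
    max_size.  Returns {fact: [conds, ...]}: each conds is a minimal set of
    m-event atoms on which a derivation relies, i.e. the fact is derivable
    whenever the set E of allowed events (Section 4) contains conds."""
    facts = {}

    def add(fact, conds):
        known = facts.setdefault(fact, [])
        if any(c <= conds for c in known):   # already derivable under fewer conditions
            return False
        known[:] = [c for c in known if not conds < c] + [conds]
        return True

    for _ in range(rounds):
        snapshot = [(f, c) for f, cs in facts.items() for c in cs]
        changed = False
        for hyps, concl in clauses:
            mevents = [h for h in hyps if h[0] == 'm-event']   # kept, never resolved
            others = [h for h in hyps if h[0] != 'm-event']
            for combo in itertools.product(snapshot, repeat=len(others)):
                s = {}
                for h, (f, _) in zip(others, combo):
                    s = s if s is None else match(h, f, s)
                if s is None:
                    continue
                fact = subst(concl, s)
                if size(fact) <= max_size:
                    conds = frozenset(subst(h, s) for h in mevents).union(*(c for _, c in combo))
                    changed |= add(fact, conds)
        if not changed:
            break
    return facts


def correspondence_holds(facts, head, body):
    """event(head) ~> event(body), non-injective: every minimal derivation of
    an instance of head must rely on the matching m-event instance of body."""
    for fact, cond_sets in facts.items():
        s = match(head, fact, {})
        if s is not None and not all(subst(body, s) in conds for conds in cond_sets):
            return False
    return True


def protocol_clauses(key_leaked=False):
    """Constructed toy protocol on a public channel (message(c, M) written as
    attacker(M)): B inputs x, executes e2(x), outputs senc(x, k); A inputs
    senc(y, k), executes e1(y).  The attacker can encrypt and decrypt."""
    clauses = [
        ([], ('attacker', 'n')),                                             # a public name
        ([('attacker', '?x'), ('attacker', '?y')], ('attacker', ('senc', '?x', '?y'))),
        ([('attacker', ('senc', '?x', '?y')), ('attacker', '?y')], ('attacker', '?x')),
        ([('attacker', '?x'), ('m-event', ('e2', '?x'))], ('attacker', ('senc', '?x', 'k'))),
        ([('attacker', ('senc', '?y', 'k'))], ('event', ('e1', '?y'))),
    ]
    if key_leaked:
        clauses.append(([], ('attacker', 'k')))                               # k becomes public
    return clauses


HEAD, BODY = ('event', ('e1', '?x')), ('m-event', ('e2', '?x'))
```

With the key secret, every derived event(e1(M)) carries m-event(e2(M)) among its conditions, so the correspondence holds for every value of ℰ; with attacker(k) added, attacker(senc(n, k)) is derivable by the attacker's own encryption clause, the derivation of event(e1(n)) has an empty condition set, and the check fails. The term-size bound only limits how far the attacker's constructions are explored; a missing condition found within the bound is a genuine counterexample, whereas the absence of one is, unlike ProVerif's saturation, only evidence up to that bound.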

We still have to solve one problem. For simplicity, we have considered that terms, which represent messages, are directly used in clauses. However, in order to represent nonces in our analysis for secrecy, we use a special encoding of names: a name a created by a restriction (νa) is represented by a function a[M1, …, Mn] of the messages M1, …, Mn received above the restriction, so that names created after receiving different messages are distinguished in the analysis (which is important for the precision of the analysis). However, this encoding still merges names created by the same restriction after receiving the same messages. For example, in the process !c(x)(νa), the names created by (νa) are represented by a[x], so several names created for the same value of x are merged. This merging is not acceptable for the verification of correspondences, because when we prove event(e1(x)) ⇝ event(e2(x)), we must make sure that x contains exactly the same names in e1(x) and in e2(x). In order to solve this problem, we label each replication with a session identifier i, which is an integer that takes a different value for each copy of the process generated by the replication. We add session identifiers as arguments to our encoding of names, which becomes a[M1, …, Mn, i1, …, in′] where i1, …, in′ are the session identifiers of the replications above the restriction (νa). For example, in the process !c(x)(νa), the names created by (νa) are represented by a[x, i]. Each execution of the restriction is then associated with a distinct value of the session identifiers i1, …, in′, so each name has a distinct encoding. We detail and formalize this encoding in Section 5.1.

5 From Processes to Horn Clauses

In this section, we first explain the instrumentation of processes with session identifiers. Next, we explain the translation of processes into Horn clauses.

5.1 Instrumented Processes

We consider a closed process P0 representing the protocol we wish to check. We assume that the bound names of P0 have been renamed so that they are pairwise distinct and distinct from names in Init ∪ fn(P0) and in the correspondence to prove. We denote by Q a particular adversary; below, we prove the correspondence properties for any Q. Furthermore, we assume that, in the initial configuration E0, {P0, Q}, the names of E0 not in Init ∪ fn(P0) or in the correspondence to prove have been renamed to fresh names, and the bound names of Q have been renamed so that they are pairwise distinct and fresh. (These renamings do not change the satisfied correspondences, since (νa)P and the renamed process (νa′)P{a′/a} reduce to the same configuration by (Red Res).) After encoding names, the terms are represented by patterns p (or “terms”, but we prefer the word “patterns” in order to avoid confusion), which are generated by the following grammar:

p ::=                                      patterns
    x, y, z, i                             variable
    a[p1, . . . , pn, i1, . . . , in′]     name
    f(p1, . . . , pn)                      constructor application

Automatic Verification of Correspondences for Security Protocols 151

For each name a in P0 we have a corresponding pattern construct a[p1, . . . , pn, i1, . . . , in′]. We treat a as a function symbol, and write a[p1, . . . , pn, i1, . . . , in′] rather than a(p1, . . . , pn, i1, . . . , in′) only to distinguish names from constructors. The symbol a in a[. . .] is called a name function symbol. If a is a free name, then its encoding is simply a[ ]. If a is bound by a restriction (νa)P in P0, then its encoding a[. . .] takes as argument session identifiers i1, . . . , in′, which can be constant session identifiers λ or variables i (taken in a set V_s disjoint from the set V_o of ordinary variables). There is one session identifier for each replication above the restriction (νa). The pattern a[. . .] may also take as argument patterns p1, . . . , pn containing the messages received by inputs above the restriction (νa)P in the abstract syntax tree of P0 and the result of destructor applications above the restriction (νa)P. (The precise definition is given below.)

In order to define formally the patterns associated with a name, we use a notion of instrumented processes. The syntax of instrumented processes is defined as follows:

• The replication !P is labeled with a variable i in V_s: !i P. The process !i P represents copies of P for a countable number of values of i. The variable i is a session identifier. It indicates which copy of P, that is, which session, is executed.

• The restriction (νa)P is labeled with a restriction label ℓ: (νa : ℓ)P, where ℓ is either a[M1, . . . , Mn, i1, . . . , in′] for restrictions in honest processes or b0[a[i1, . . . , in′]] for restrictions in the adversary. The symbol b0 is a special name function symbol, distinct from all other such symbols. Using a specific instrumentation for the adversary is helpful so that all names generated by the adversary are encoded by instances of b0[x]. They are therefore easy to generate. This labeling of restrictions is similar to a Church-style typing: ℓ can be considered as the type of a. (This type is polymorphic since it can contain variables.)

The instrumented processes are then generated by the following grammar:

P, Q ::=                        instrumented processes
    !i P                        replication
    (νa : ℓ)P                   restriction
    . . .                       (as in the standard calculus)

For instrumented processes, a semantic configuration S, E, 𝒫 consists of a set S of session identifiers that have not yet been used by 𝒫, an environment E that is a mapping from names to closed patterns of the form a[. . .], and a finite multiset of instrumented processes 𝒫. The first semantic configuration uses any countable set of session identifiers S0. The domain of E must always contain all free names of processes in 𝒫, and the initial environment maps all names a to the pattern a[ ]. The semantic rules (Red Repl) and (Red Res) become:

S, E, 𝒫 ∪ { !i P } → S \ {λ}, E, 𝒫 ∪ { P{λ/i}, !i P }            where λ ∈ S          (Red Repl)

S, E, 𝒫 ∪ { (νa : ℓ)P } → S, E[a′ ↦ E(ℓ)], 𝒫 ∪ { P{a′/a} }       if a′ ∉ dom(E)       (Red Res)

where the mapping E is extended to all terms as a substitution by E(f(M1, . . . , Mn)) = f(E(M1), . . . , E(Mn)) and to restriction labels by E(a[M1, . . . , Mn, i1, . . . , in′]) = a[E(M1), . . . , E(Mn), i1, . . . , in′] and E(b0[a[i1, . . . , in′]]) = b0[a[i1, . . . , in′]], so that it maps terms and restriction labels to patterns. The rule (Red Repl) takes an unused constant session identifier λ in S, and creates a copy of P with session identifier λ. The rule (Red Res) creates a fresh name a′, substitutes it for a in P, and adds to the environment E the mapping of a′ to its encoding E(ℓ). Other semantic rules E, 𝒫 → E, 𝒫′ simply become S, E, 𝒫 → S, E, 𝒫′.

The instrumented process P′0 = instr(P0) associated with the process P0 is built from P0 as follows:


152 Bruno Blanchet

• We label each replication !P of P0 with a distinct, fresh session identifier i, so that it becomes !i P.

• We label each restriction (νa) of P0 with a[t, s], so that it becomes (νa : a[t, s]), where s is the sequence of session identifiers that label replications above (νa) in the abstract syntax tree of P′0, in the order from top to bottom; t is the sequence of variables x that store received messages in inputs M(x) above (νa) in P0 and results of non-deterministic destructor applications let x = g(. . .) in P else Q above (νa) in P0. (A destructor is said to be non-deterministic when it may return several different results for the same arguments. Adding the result of destructor applications to t is useful to improve precision only for non-deterministic destructors. For deterministic destructors, the result of the destructor can be uniquely determined from the other elements of t, so the addition is useless. If we add the result of non-deterministic destructors to t, we can show that the relative completeness result of [1] still holds in the presence of non-deterministic destructors. This result shows that, for secrecy, the Horn clause approach is at least as precise as a large class of type systems.)

Hence names are represented by functions a[t, s] of the inputs and results of destructor applications in t and the session identifiers in s. In each trace of the process, at most one name corresponds to a given a[t, s], since different copies of the restriction have different values of session identifiers in s. Therefore, different names are not merged by the verifier.

For the adversary, we use a slightly different instrumentation. We build the instrumented process Q′ = instrAdv(Q) as follows:

• We label each replication !P of Q with a distinct, fresh session identifier i, so that it becomes !i P.

• We label each restriction (νa) of Q with b0[a[s]], so that it becomes (νa : b0[a[s]]), where s is the sequence of session identifiers that label replications above (νa) in Q′. (Including the session identifiers as arguments of nonces is necessary for soundness, as discussed in Section 4. Including the messages previously received as arguments of nonces is important for precision in the case of honest processes, in order to relate the nonces to these messages. It is however useless for the adversary: since we consider any Init-adversary Q, we have no definite information on the relation between nonces generated by the adversary and messages previously received by the adversary.)

Remark 2 By moving restrictions downwards in the syntax tree of the process (until the point at which the fresh name is used), one can add more arguments to the pattern that represents the fresh name, when the restriction is moved under an input, replication, or destructor application. Therefore, this transformation can make our analysis more precise. The tool can perform this transformation automatically.

Example 6 The instrumentation of the process of Section 2.3 yields:

P′A(skA, pkA, pkB) = !iA c(x_pkB).(νa : a[x_pkB, iA]) . . . (νr1 : r1[x_pkB, iA]) . . . c(m) . . . (νr3 : r3[x_pkB, m, iA])

P′B(skB, pkB, pkA) = !iB c(m′) . . . (νb : b[m′, iB]) . . . (νr2 : r2[m′, iB]) . . .

P′ = (νskA : skA[ ])(νskB : skB[ ]) . . . (P′A(skA, pkA, pkB) | P′B(skB, pkB, pkA))

The names created by the restriction (νa) will be represented by the pattern a[x_pkB, iA], so we have a different pattern for each copy of the process, indexed by iA, and the pattern also records the public key x_pkB of the interlocutor of A. Similarly, the names created by the restriction (νb) will be represented by the pattern b[m′, iB].



The semantics of instrumented processes allows exactly the same communications and events as the one of standard processes. More precisely, let 𝒫 be a multiset of instrumented processes. We define unInstr(𝒫) as the multiset of processes of 𝒫 without the instrumentation. Thus we have:

Proposition 1 If E0, {P0, Q} →* E1, 𝒫1, then there exist E′1 and 𝒫′1 such that, for any countable set of session identifiers S, there exists S′ such that S, {a ↦ a[ ] | a ∈ E0}, {instr(P0), instrAdv(Q)} →* S′, E′1, 𝒫′1, dom(E′1) = E1, unInstr(𝒫′1) = 𝒫1, and both traces execute the same events at the same steps and satisfy the same atoms.

Conversely, if S, {a ↦ a[ ] | a ∈ E0}, {instr(P0), instrAdv(Q)} →* S′, E′1, 𝒫′1, then E0, {P0, Q} →* dom(E′1), unInstr(𝒫′1), and both traces execute the same events at the same steps and satisfy the same atoms.

Proof This is an easy proof by induction on the length of the traces. The reduction rules applied in both traces are rules with the same name. □

We can define correspondences for instrumented processes. These correspondences and the clauses use facts defined by the following grammar:

F ::=                        facts
    attacker(p)              attacker knowledge
    message(p, p′)           message on a channel
    m-event(p)               must-event
    event(p)                 may-event

The fact attacker(p) means that the attacker may have p, and the fact message(p, p′) means that the message p′ may appear on channel p. The fact m-event(p) means that event(M) must have been executed with M corresponding to p, and event(p) that event(M) may have been executed with M corresponding to p. We use the word “fact” to distinguish them from atoms attacker(M), message(M, M′), and event(M). The correspondences do not use the fact m-event(p), but the clauses use it.

The mapping E of a semantic configuration is extended to atoms by E(attacker(M)) = attacker(E(M)), E(message(M, M′)) = message(E(M), E(M′)), and E(event(M)) = event(E(M)), so that it maps atoms to facts. We define that an instrumented trace T satisfies an atom α by naturally adapting Definition 2. When F is not m-event(p), we say that an instrumented trace T = S0, E0, 𝒫0 →* S′, E′, 𝒫′ satisfies a fact F when there exists an atom α such that T satisfies α and E′(α) = F. We also define that event(M) is executed at step τ in the instrumented trace T by naturally adapting Definition 6. We say that event(p) is executed at step τ in the instrumented trace T = S0, E0, 𝒫0 →* S′, E′, 𝒫′ when there exists a term M such that event(M) is executed at step τ in T and E′(M) = p.

Definition 10 Let P0 be a closed process and P′0 = instr(P0). The instrumented process P′0 satisfies the correspondence

F ⇒ ⋁_{j=1}^{m} F_j ∧ ⋀_{k=1}^{l_j} event(p_{jk})

against Init-adversaries if and only if, for any Init-adversary Q, for any trace T = S0, E0, {P′0, Q′} →* S′, E′, 𝒫′, with Q′ = instrAdv(Q), E0(a) = a[ ] for all a ∈ dom(E0), and fn(P′0) ∪ Init ⊆ dom(E0), if T satisfies σF for some substitution σ, then there exist σ′ and j ∈ {1, . . . , m} such that σ′F_j = σF and, for all k ∈ {1, . . . , l_j}, T satisfies event(σ′p_{jk}).

A correspondence for instrumented processes implies a correspondence for standard processes, as shown by the following lemma, proved in Appendix A.



Lemma 1 Let P0 be a closed process and P′0 = instr(P0). Let M_{jk} (j ∈ {1, . . . , m}, k ∈ {1, . . . , l_j}) be terms; let α and α_j (j ∈ {1, . . . , m}) be atoms. Let p_{jk}, F, F_j be the patterns and facts obtained by replacing names a with patterns a[ ] in the terms and atoms M_{jk}, α, α_j respectively. If P′0 satisfies the correspondence

F ⇒ ⋁_{j=1}^{m} F_j ∧ ⋀_{k=1}^{l_j} event(p_{jk})

against Init-adversaries, then P0 satisfies the correspondence

α ⇒ ⋁_{j=1}^{m} α_j ∧ ⋀_{k=1}^{l_j} event(M_{jk})

against Init-adversaries.

For instrumented processes, we can specify properties referring to bound names of the process, which are represented by patterns. Such a specification is impossible in standard processes, because bound names can be renamed, so they cannot be referenced in terms in correspondences.

5.2 Generation of Horn Clauses

Given a closed process P0 and a set of names Init, the protocol verifier first instruments P0 to obtain P′0 = instr(P0), then it builds a set of Horn clauses, representing the protocol in parallel with any Init-adversary. The clauses are of the form F1 ∧ . . . ∧ Fn ⇒ F, where F1, . . . , Fn, F are facts. They comprise clauses for the attacker and clauses for the protocol, defined below. These clauses form the set 𝓡_{P′0,Init}. The predicate m-event is defined by a set of closed facts F_me, such that m-event(p) is true if and only if m-event(p) ∈ F_me. The facts in F_me do not belong to 𝓡_{P′0,Init}. The set F_me is the set of facts that corresponds to the set of allowed events E, mentioned in Section 4.

5.2.1 Clauses for the Attacker

The clauses describing the attacker are almost the same as for the verification of secrecy in [1]. The only difference is that, here, the attacker is given an infinite set of fresh names b0[x], instead of only one fresh name b0[ ]. Indeed, we cannot merge all fresh names created by the attacker, since we have to make sure that different terms are represented by different patterns for the verification of correspondences to be correctly implemented, as seen in Section 4. The abilities of the attacker are then represented by the following clauses:

For each a ∈ Init, attacker(a[ ]) (Init)

attacker(b0[x]) (Rn)

For each public constructor f of arity n,

attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)) (Rf)

For each public destructor g, for each rewrite rule g(M1, . . . , Mn) → M in def(g),

attacker(M1) ∧ . . . ∧ attacker(Mn) ⇒ attacker(M) (Rg)

message(x, y) ∧ attacker(x)⇒ attacker(y) (Rl)

attacker(x) ∧ attacker(y)⇒ message(x, y) (Rs)

The clause (Init) represents the initial knowledge of the attacker. The clause (Rn) means that the attacker can generate an unbounded number of new names. The clauses (Rf) and (Rg) mean that the attacker can apply all operations to all terms it has, (Rf) for constructors, (Rg) for destructors. For (Rg), notice that the rewrite rules in def(g) do not contain names and that terms without names are also patterns, so the clauses have the required format. Clause (Rl) means that the attacker can listen on all channels it has, and (Rs) that it can send all messages it has on all channels it has.

If c ∈ Init, we can replace all occurrences of message(c[ ], M) with attacker(M) in the clauses. Indeed, these facts are equivalent by the clauses (Rl) and (Rs).

5.2.2 Clauses for the Protocol

When a function ρ associates a pattern with each name and variable, and f is a constructor, we extend ρ as a substitution by ρ(f(M1, . . . , Mn)) = f(ρ(M1), . . . , ρ(Mn)).

The translation [[P]]ρH of a process P is a set of clauses, where ρ is a function that associates a pattern with each name and variable, and H is a sequence of facts of the form message(p, p′) or m-event(p). The environment ρ maps each variable and name to its associated pattern representation. The sequence H keeps track of events that have been executed and of messages received by the process, since these may trigger other messages. The empty sequence is denoted by ∅; the concatenation of a fact F to the sequence H is denoted by H ∧ F. The pattern ρ(i) is always a session identifier variable of V_s.

[[0]]ρH = ∅

[[P | Q]]ρH = [[P]]ρH ∪ [[Q]]ρH

[[!i P]]ρH = [[P]](ρ[i ↦ i])H

[[(νa : a[M1, . . . , Mn, i1, . . . , in′])P]]ρH = [[P]](ρ[a ↦ a[ρ(M1), . . . , ρ(Mn), ρ(i1), . . . , ρ(in′)]])H

[[M(x).P]]ρH = [[P]](ρ[x ↦ x])(H ∧ message(ρ(M), x))

[[M⟨N⟩.P]]ρH = [[P]]ρH ∪ {H ⇒ message(ρ(M), ρ(N))}

[[let x = g(M1, . . . , Mn) in P else Q]]ρH =
    ⋃{ [[P]]((σρ)[x ↦ σ′p′])(σH) | g(p′1, . . . , p′n) → p′ is in def(g) and (σ, σ′) is a most general pair of
       substitutions such that σρ(M1) = σ′p′1, . . . , σρ(Mn) = σ′p′n } ∪ [[Q]]ρH

[[if M = N then P else Q]]ρH = [[P]](σρ)(σH) ∪ [[Q]]ρH
    where σ is the most general unifier of ρ(M) and ρ(N)

[[event(M).P]]ρH = [[P]]ρ(H ∧ m-event(ρ(M))) ∪ {H ⇒ event(ρ(M))}

The translation of a process is a set of Horn clauses that express that it may send certain messages or execute certain events. The clauses are similar to those of [1], except in the cases of replication, restriction, and the addition of events.

• The nil process does nothing, so its translation is empty.

• The clauses for the parallel composition of processes P and Q are the union of the clauses for P and Q.

• The replication only inserts the new session identifier i in the environment ρ. It is otherwise ignored, because all Horn clauses are applicable arbitrarily many times.

• For the restriction, we replace the restricted name a in question with the pattern a[ρ(M1), . . . , ρ(Mn), ρ(i1), . . . , ρ(in′)]. By definition of the instrumentation, this pattern contains the previous inputs, results of non-deterministic destructor applications, and session identifiers.



• The sequence H is extended in the translation of an input, with the input in question.

• The translation of an output adds a clause, meaning that the output is triggered when all conditions in H are true.

• The translation of a destructor application is the union of the clauses for the cases where the destructor succeeds (with an appropriate substitution) and where the destructor fails. For simplicity, we assume that the else branch of destructors may always be executed; this is sufficient in most cases, since the else branch is often empty or just sends an error message. We outline a more precise treatment in Section 9.2.

• The conditional if M = N then P else Q is in fact equivalent to let x = equal(M, N) in P else Q, where the destructor equal is defined by equal(x, x) → x, so the translation of the conditional is a particular case of the destructor application. We give it explicitly since it is particularly simple.

• The translation of an event adds the hypothesis m-event(ρ(M)) to H, meaning that P can be executed only if the event has been executed first. Furthermore, it adds a clause, meaning that the event is triggered when all conditions in H are true.
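The following Python program is an added example, not code from the paper or from ProVerif: it implements instr of Section 5.1 (inputs and session identifiers only, no destructor applications) and the translation rules above for the fragment without let and if, then applies the replacement of message(c[ ], M) by attacker(M) for c ∈ Init mentioned in Section 5.2.1. The tuple representation of processes, the two constructed processes P_ev and P_sec (P_sec is the process (νd)(d⟨s⟩.c⟨d⟩ | d(x)) of the paragraph on implicit replication that follows Remark 3) and the names e1, e2, senc are assumptions of the example.

```python
# Added example (not code from the paper or from ProVerif): the instrumentation instr
# of Section 5.1 and the translation [[P]] rho H of Section 5.2.2, for the fragment
# without let/if.  Processes are tuples: ('nil',), ('par', P, Q), ('repl', P),
# ('new', a, P), ('in', M, x, P), ('out', M, N, P), ('event', M, P); names and
# variables are str, constructor applications are tuples ('f', M1, ...).  Patterns
# have the same shape, the name pattern a[p1, ..., i1, ...] being ('a', p1, ..., 'i1', ...).
import itertools

def instr(P, t=(), s=(), fresh=None):
    """instr(P0): label each replication with a fresh session identifier and each
    restriction (nu a) with a[t, s], t = variables of inputs above it, s = session
    identifiers of replications above it (no destructor applications in this fragment)."""
    fresh = fresh or itertools.count(1)
    k = P[0]
    if k == 'nil':
        return P
    if k == 'par':
        return ('par', instr(P[1], t, s, fresh), instr(P[2], t, s, fresh))
    if k == 'repl':
        i = f"i{next(fresh)}"
        return ('repl', i, instr(P[1], t, s + (i,), fresh))
    if k == 'new':
        return ('new', P[1], (P[1], t, s), instr(P[2], t, s, fresh))
    if k == 'in':
        return ('in', P[1], P[2], instr(P[3], t + (P[2],), s, fresh))
    if k == 'out':
        return ('out', P[1], P[2], instr(P[3], t, s, fresh))
    if k == 'event':
        return ('event', P[1], instr(P[2], t, s, fresh))
    raise ValueError(k)

def pat(M, rho):  # rho extended to terms as a substitution
    return rho[M] if isinstance(M, str) else (M[0],) + tuple(pat(a, rho) for a in M[1:])

def translate(P, rho, H):
    """[[P]] rho H: a set of clauses (hypotheses, conclusion); H is a tuple of facts."""
    k = P[0]
    if k == 'nil':
        return set()
    if k == 'par':
        return translate(P[1], rho, H) | translate(P[2], rho, H)
    if k == 'repl':                      # the session identifier only enters rho
        return translate(P[2], {**rho, P[1]: P[1]}, H)
    if k == 'new':                       # a is replaced by the pattern a[rho(t), s]
        a, (_, t, s), Q = P[1], P[2], P[3]
        return translate(Q, {**rho, a: (a,) + tuple(pat(m, rho) for m in t) + s}, H)
    if k == 'in':                        # x stays a variable; the input joins H
        M, x, Q = P[1], P[2], P[3]
        return translate(Q, {**rho, x: x}, H + (('message', pat(M, rho), x),))
    if k == 'out':                       # H => message(rho(M), rho(N))
        M, N, Q = P[1], P[2], P[3]
        return translate(Q, rho, H) | {(H, ('message', pat(M, rho), pat(N, rho)))}
    if k == 'event':                     # H => event(rho(M)); m-event(rho(M)) guards the rest
        M, Q = P[1], P[2]
        return translate(Q, rho, H + (('m-event', pat(M, rho)),)) | {(H, ('event', pat(M, rho)))}
    raise ValueError(k)

def public(fact, init):  # message(c[ ], p) is replaced by attacker(p) when c is in Init
    if fact[0] == 'message' and fact[1] in {(c,) for c in init}:
        return ('attacker', fact[2])
    return fact

def protocol_clauses(P0, free_names, init):
    """[[instr(P0)]] rho {} with rho = {a -> a[ ]} on the free names of P0."""
    rho = {a: (a,) for a in free_names}
    return {(tuple(public(h, init) for h in H), public(C, init))
            for H, C in translate(instr(P0), rho, ())}

# Constructed processes.  P_ev:  !c(x).(nu a).event(e1(x, a)).c<senc(a, x)>.c(y).event(e2(x, a, y))
P_ev = ('repl', ('in', 'c', 'x', ('new', 'a',
        ('event', ('e1', 'x', 'a'), ('out', 'c', ('senc', 'a', 'x'),
        ('in', 'c', 'y', ('event', ('e2', 'x', 'a', 'y'), ('nil',))))))))
# P_sec:  (nu d)(d<s>.c<d> | d(x)), the process of the implicit-replication discussion
P_sec = ('new', 'd', ('par', ('out', 'd', 's', ('out', 'c', 'd', ('nil',))), ('in', 'd', 'x', ('nil',))))
```

protocol_clauses(P_ev, ['c'], {'c'}) yields three clauses in which the nonce of session i1 appears as the pattern ('a', 'x', 'i1'), that is a[x, i1]: the output clause and the clause for e2 both carry the hypothesis m-event(e1(x, a[x, i1])), exactly as the event rule prescribes. For P_sec, the clauses ⇒ message(d[ ], s[ ]) and ⇒ attacker(d[ ]) come out with an empty H because the translation does not sequence the two outputs, which is where the false attack on s of the implicit-replication discussion originates.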

Remark 3 Depending on the form of the correspondences we want to prove, we can sometimes simplify the clauses generated for events. Suppose that all arguments of events in the process and in correspondences are of the form f(M1, . . . , Mn) for some function symbol f.

If, for a certain function symbol f, events event(f(. . .)) occur only before ⇒ (that is, on the left-hand side) in the desired correspondences, then it is easy to see in the following theorems that hypotheses of the form m-event(f(. . .)) in clauses can be removed without changing the result, so the clauses generated by the event event(M) when M is of the form f(. . .) can be simplified into:

[[event(M).P]]ρH = [[P]]ρH ∪ {H ⇒ event(ρ(M))}

(Intuitively, since the events event(f(. . .)) occur only before ⇒ in the desired correspondences, we never prove that an event event(f(. . .)) has been executed, so the facts m-event(f(. . .)) are useless.)

Similarly, if event(f(. . .)) occurs only after ⇒ (that is, on the right-hand side) in the desired correspondences, then clauses that conclude a fact of the form event(f(. . .)) can be removed without changing the result, so the clauses generated by the event event(M) when M is of the form f(. . .) can be simplified into:

[[event(M).P]]ρH = [[P]]ρ(H ∧ m-event(ρ(M)))

(Intuitively, since the events event(f(. . .)) occur only after ⇒ in the desired correspondences, we never prove properties of the form “if event(f(. . .)) has been executed, then . . . ”, so clauses that conclude event(f(. . .)) are useless.)

This translation of the protocol into Horn clauses introduces approximations. The actions are considered as implicitly replicated, since the clauses can be applied any number of times. This approximation implies that the tool fails to prove protocols that first need to keep some value secret and later reveal it. For instance, consider the process (νd)(d⟨s⟩.c⟨d⟩ | d(x)). This process preserves the secrecy of s, because s is output on the private channel d and received by the input on d, before the adversary gets to know d by the output of d on the public channel c. However, the Horn clause method cannot prove this property, because it treats this process like a variant with additional replications (νd)(!d⟨s⟩.c⟨d⟩ | !d(x)), which does not preserve the secrecy of s. Similarly, the process (νd)(d⟨M⟩ | d(x).d(x).event(e1)) never executes the event e1, but the Horn clause method cannot prove this property because it treats this process like (νd)(!d⟨M⟩ | d(x).d(x).event(e1)), which may execute e1. The only exception to this implicit replication of processes is the creation of new names: since session identifiers appear in patterns, the created name is precisely related to the session that creates it, so name creation cannot be unduly repeated inside the same session. Due to these approximations, our tool is not complete (it may produce false attacks) but, as we show below, it is sound (the security properties that it proves are always true).

5.2.3 Summary and Correctness

Let ρ = {a ↦ a[ ] | a ∈ fn(P′0)}. We define the clauses corresponding to the instrumented process P′0 as:

𝓡_{P′0,Init} = [[P′0]]ρ∅ ∪ {attacker(a[ ]) | a ∈ Init} ∪ {(Rn), (Rf), (Rg), (Rl), (Rs)}

Example 7 The clauses for the process P of Section 2.3 are the clauses for the adversary, plus:

attacker(pk(skA[ ])) (2)

attacker(pk(skB[ ])) (3)

H1 ⇒ attacker(pencrypt_p((a[x_pkB, iA], pk(skA[ ])), x_pkB, r1[x_pkB, iA])) (4)

H2 ⇒ attacker(pencrypt_p(x_b, x_pkB, r3[x_pkB, p2, iA])) (5)

H3 ⇒ event(eA(pk(skA[ ]), pk(skB[ ]), a[pk(skB[ ]), iA], x_b)) (6)

H3 ⇒ attacker(sencrypt(sAa[ ], a[pk(skB[ ]), iA])) (7)

H3 ⇒ attacker(sencrypt(sAb[ ], x_b)) (8)

where p2 = pencrypt_p((a[x_pkB, iA], x_b, x_pkB), pk(skA[ ]), x_r2)
      H1 = attacker(x_pkB) ∧ m-event(e1(pk(skA[ ]), x_pkB, a[x_pkB, iA]))
      H2 = H1 ∧ attacker(p2) ∧ m-event(e3(pk(skA[ ]), x_pkB, a[x_pkB, iA], x_b))
      H3 = H2{pk(skB[ ])/x_pkB}

attacker(p1) ∧ m-event(e2(x_pkA, pk(skB[ ]), x_a, b[p1, iB]))
    ⇒ attacker(pencrypt_p((x_a, b[p1, iB], pk(skB[ ])), x_pkA, r2[p1, iB])) (9)

where p1 = pencrypt_p((x_a, x_pkA), pk(skB[ ]), x_r1)

H4 ⇒ event(eB(pk(skA[ ]), pk(skB[ ]), x_a, b[p′1, iB])) (10)

H4 ⇒ attacker(sencrypt(sBa[ ], x_a)) (11)

H4 ⇒ attacker(sencrypt(sBb[ ], b[p′1, iB])) (12)

where p′1 = pencrypt_p((x_a, pk(skA[ ])), pk(skB[ ]), x_r1)
      H4 = attacker(p′1) ∧ m-event(e2(pk(skA[ ]), pk(skB[ ]), x_a, b[p′1, iB])) ∧ attacker(pencrypt_p(b[p′1, iB], pk(skB[ ]), x_r3))

Clauses (2) and (3) correspond to the outputs in P; they mean that the adversary has the public keys of the participants. Clauses (4) and (5) correspond to the first two outputs in PA. For example, (5) means that, if the attacker has x_pkB and the second message of the protocol p2 and the events e1(pk(skA[ ]), x_pkB, a[x_pkB, iA]) and e3(pk(skA[ ]), x_pkB, a[x_pkB, iA], x_b) are allowed, then the attacker can get pencrypt_p(x_b, x_pkB, r3[x_pkB, p2, iA]), because PA sends this message after receiving x_pkB and p2 and executing the events e1 and e3. When furthermore x_pkB = pk(skB[ ]), PA executes event eA and outputs the encryption of sAa[ ] under a[x_pkB, iA] and the encryption of sAb[ ] under x_b. These event and outputs are taken into account by Clauses (6), (7), and (8) respectively. Similarly, Clauses (9), (11), and (12) correspond to the outputs in PB and (10) to the event eB. These clauses have been simplified using Remark 3, taking into account that e1, e2, and e3 appear only on the right-hand side of ⇒, and eA and eB only on the left-hand side of ⇒ in the queries of Examples 1, 2, and 3.



Theorem 1 (Correctness of the clauses) Let P0 be a closed process and Q be an Init-adversary. Let P′0 = instr(P0) and Q′ = instrAdv(Q). Consider a trace T = S0, E0, {P′0, Q′} →* S′, E′, 𝒫′, with fn(P′0) ∪ Init ⊆ dom(E0) and E0(a) = a[ ] for all a ∈ dom(E0). Assume that, if T satisfies event(p), then m-event(p) ∈ F_me. Finally, assume that T satisfies F. Then F is derivable from 𝓡_{P′0,Init} ∪ F_me.

This result shows that, if the only executed events are those allowed in F_me and a fact F is satisfied, then F is derivable from the clauses. It is proved in Appendix B. Using a technique similar to that of [1], its proof relies on a type system to express the soundness of the clauses on P′0, and on the subject reduction of this type system to show that soundness of the clauses is preserved during all executions of the process.

6 Solving Algorithm

We first describe a basic solving algorithm without optimizations. Next, we list the optimizations that we use in our implementation, and we prove the correctness of the algorithm. The termination of the algorithm is discussed in Section 8.

6.1 The Basic Algorithm

To apply the previous results, we have to determine whether a fact is derivable from 𝓡_{P′0,Init} ∪ F_me. This may be undecidable, but in practice there exist algorithms that terminate on numerous examples of protocols. In particular, we can use variants of resolution algorithms, such as the algorithms described in [13, 14, 20, 69]. The algorithm that we describe here is the one of [14], extended with a second phase to determine derivability of any query. It also corresponds to the extension to m-event facts of the algorithm of [20].

We first define resolution: when the conclusion of a clause R unifies with a hypothesis F0 of a clause R′, we can infer a new clause R ∘_{F0} R′, that corresponds to applying R and R′ one after the other. Formally, this is defined as follows:

Definition 11 Let R = H ⇒ C and R′ = H′ ⇒ C′ be two clauses. Assume that there exists F0 ∈ H′ such that C and F0 are unifiable, and σ is the most general unifier of C and F0. In this case, we define R ∘_{F0} R′ = σ(H ∪ (H′ \ {F0})) ⇒ σC′.

An important idea to obtain an efficient solving algorithm is to specify conditions that limit the application of resolution, while keeping completeness. The conditions that we use correspond to resolution with free selection [9, 35, 55]: a selection function chooses selected facts in each clause, and resolution is performed only on selected facts, that is, the clause R ∘_{F0} R′ is generated only when the conclusion is selected in R and F0 is selected in R′.

Definition 12 We denote by sel a selection function, that is, a function from clauses to sets of facts, such that sel(H ⇒ C) ⊆ H. If F ∈ sel(R), we say that F is selected in R. If sel(R) = ∅, we say that no hypothesis is selected in R, or that the conclusion of the clause is selected.

The choice of the selection function can change dramatically the speed of the algorithm. Since the algorithm combines clauses by resolution only when the facts unified in the resolution are selected, we will choose the selection function to reduce the number of possible unifications between selected facts. Having several selected facts slows down the algorithm, because it has more choices of resolutions to perform, therefore we will select at most one fact in each clause. In the case of protocols, facts of the form attacker(x), with x a variable, can be unified with all facts of the form attacker(p). Therefore we should avoid selecting them. The m-event facts must never be selected, since they are not defined by known clauses.



First phase: saturation

saturate(𝓡0) =
  1. 𝓡 ← ∅.
     For each R ∈ 𝓡0, 𝓡 ← elim(simplify(R) ∪ 𝓡).
  2. Repeat until a fixpoint is reached:
     for each R ∈ 𝓡 such that sel(R) = ∅,
       for each R′ ∈ 𝓡, for each F0 ∈ sel(R′) such that R ∘_{F0} R′ is defined,
         𝓡 ← elim(simplify(R ∘_{F0} R′) ∪ 𝓡).
  3. Return {R ∈ 𝓡 | sel(R) = ∅}.

Second phase: backwards depth-first search

deriv(R, 𝓡, 𝓡1) =
  ∅                                                            if ∃R′ ∈ 𝓡, R′ ⊒ R
  {R}                                                          otherwise, if sel(R) = ∅
  ⋃{ deriv(simplify′(R′ ∘_{F0} R), {R} ∪ 𝓡, 𝓡1) |
     R′ ∈ 𝓡1, F0 ∈ sel(R) such that R′ ∘_{F0} R is defined }   otherwise

derivable(F, 𝓡1) = deriv(F ⇒ F, ∅, 𝓡1)

Figure 4: Solving algorithm

Definition 13 We say that a fact F is unselectable when F = attacker(x) for some variable x or F = m-event(p) for some pattern p. Otherwise, we say that F is selectable.

We require that the selection function never selects unselectable hypotheses and that sel(H ⇒ attacker(x)) ≠ ∅ when H contains a selectable fact.

A basic selection function for security protocols is then

sel0(H ⇒ C) = ∅        if ∀F ∈ H, F is unselectable
            = {F0}     where F0 ∈ H and F0 is selectable, otherwise

In the implementation, the hypotheses are represented by a list, and the selected fact is the first selectable element of the list of hypotheses.

The solving algorithm works in two phases, summarized in Figure 4. The first phase, saturate, transforms the set of clauses into an equivalent but simpler one. The second phase, derivable, uses a depth-first search to determine whether a fact can be inferred or not from the clauses.

The first phase contains 3 steps.

• The first step inserts in 𝓡 the initial clauses representing the protocol and the attacker (clauses that are in 𝓡0), after simplification by simplify (defined below in Section 6.2) and elimination of subsumed clauses by elim. We say that H1 ⇒ C1 subsumes H2 ⇒ C2, and we write (H1 ⇒ C1) ⊒ (H2 ⇒ C2), when there exists a substitution σ such that σC1 = C2 and σH1 ⊆ H2. (H1 and H2 are multisets, and we use here multiset inclusion.) If R′ subsumes R, and R and R′ are in 𝓡, then R is removed by elim(𝓡).

• The second step is a fixpoint iteration that adds clauses created by resolution. The composition of clauses R and R′ is added only if no hypothesis is selected in R, and the hypothesis F0 of R′ that we unify is selected. When a clause is created by resolution, it is added to the set of clauses 𝓡 after simplification. Subsumed clauses are eliminated from 𝓡.

• At last, the third step returns the set of clauses of 𝓡 with no selected hypothesis.


Basically, saturate preserves derivability: F is derivable from ℛ0 ∪ Fme if and only if it is derivable from saturate(ℛ0) ∪ Fme. A formal statement of this result is given in Lemma 2 below.

The second phase searches the facts that can be inferred from ℛ1 = saturate(ℛ0). This is simply a backward depth-first search. The call derivable(F, ℛ1) returns a set of clauses R = H ⇒ C with empty selection, such that R can be obtained by resolution from ℛ1, C is an instance of F, and all instances of F derivable from ℛ1 can be derived by using as last clause a clause of derivable(F, ℛ1). (Formally, if F′ is an instance of F derivable from ℛ1, then there are a clause H ⇒ C ∈ derivable(F, ℛ1) and a substitution σ such that F′ = σC and σH is derivable from ℛ1.)

The search itself is performed by deriv(R, ℛ, ℛ1). The function deriv starts with R = F ⇒ F and transforms the hypothesis of R by using a clause R′ of ℛ1 to derive an element F0 of the hypothesis of R. So R is replaced with R′ ◦F0 R (third case of the definition of deriv). The fact F0 is chosen using the selection function sel. The obtained clause R′ ◦F0 R is then simplified by the function simplify′ defined in Section 6.2. (Hence deriv derives the hypothesis of R using a backward depth-first search. At each step, the clause R can be obtained by resolution from clauses of ℛ1, and R concludes an instance of F.) The set ℛ is the set of clauses that we have already seen during the search. Initially, ℛ is empty, and the clause R is added to ℛ in the third case of the definition of deriv.

The transformation of R described above is repeated until one of the following two conditions is satisfied:

• R is subsumed by a clause in ℛ: we are in a cycle; we are looking for instances of facts that we have already looked for (first case of the definition of deriv);

• sel(R) is empty: we have obtained a suitable clause R and we return it (second case of the definition of deriv).

6.2 Simplification Steps

Before adding a clause to the clause base, it is first simplified using the following functions. Some of them are standard, such as the elimination of tautologies and of duplicate hypotheses; others are specific to protocols. The simplification functions take as input a clause or a set of clauses and return a set of clauses.

Decomposition of Data Constructors A data constructor is a constructor f of arity n that comes with associated destructors gi for i ∈ {1, . . . , n} defined by gi(f(x1, . . . , xn)) → xi. Data constructors are typically used for representing data structures. Tuples are examples of data constructors. For each data constructor f, the following clauses are generated:

attacker(x1) ∧ . . . ∧ attacker(xn)⇒ attacker(f(x1, . . . , xn)) (Rf)

attacker(f(x1, . . . , xn))⇒ attacker(xi) (Rg)

Therefore, attacker(f(p1, . . . , pn)) is derivable if and only if ∀i ∈ {1, . . . , n}, attacker(pi) is derivable. So the function decomp transforms clauses as follows. When a fact of the form attacker(f(p1, . . . , pn)) is met, it is replaced with attacker(p1) ∧ . . . ∧ attacker(pn). If this replacement is done in the conclusion of a clause H ⇒ attacker(f(p1, . . . , pn)), n clauses are created: H ⇒ attacker(pi) for each i ∈ {1, . . . , n}. This replacement is of course done recursively: if pi itself is a data constructor application, it is replaced again. The function decomphyp performs this decomposition only in the hypothesis of clauses. The functions decomp and decomphyp leave the clauses (Rf) and (Rg) for data constructors unchanged. (When attacker(x) cannot be selected, the clauses (Rf) and (Rg) for data constructors are in fact not necessary, because they generate only tautologies during resolution. However, when attacker(x) can be selected, which cannot be excluded in extensions such as the one presented in Section 9.3, these clauses may become necessary for soundness.)


solve_{P′0,Init}(F) =

1. Let ℛ1 = saturate(ℛ_{P′0,Init}).

2. For each F′ ∈ Fnot, if derivable(F′, ℛ1) ≠ ∅, then terminate with error.

3. Return derivable(F, ℛ1).

Figure 5: Summary of the solving algorithm

Elimination of Tautologies The function elimtaut removes clauses whose conclusion is already in the hypotheses, since such clauses do not generate new facts.

Elimination of Duplicate Hypotheses The function elimdup eliminates duplicate hypotheses of clauses.

Elimination of Useless attacker(x) Hypotheses If a clause H ⇒ C contains in its hypotheses attacker(x), where x is a variable that does not appear elsewhere in the clause, the hypothesis attacker(x) is removed by the function elimattx. Indeed, the attacker always has at least one message, so attacker(x) is always satisfied.

Secrecy Assumptions When the user knows that a fact F will not be derivable, he can tell it to the verifier. (When this fact is of the form attacker(p), the user tells that p remains secret; that is why we use the name “secrecy assumptions”.) Let Fnot be a set of facts, for which the user claims that no instance of these facts is derivable. The function elimnot removes all clauses that have an instance of a fact in Fnot in their hypotheses. As shown in Figure 5, at the end of the saturation, the solving algorithm checks that the facts in Fnot are indeed underivable from the obtained clauses. If this condition is satisfied, solve_{P′0,Init}(F) returns clauses that conclude instances of F. Otherwise, the user has given erroneous information, so an error message is displayed. Even when the user gives erroneous secrecy assumptions, the verifier never wrongly claims that a protocol is secure.

Mentioning such underivable facts prunes the search space, by removing useless clauses. Thisspeeds up the search process. In most cases, the secret keys of the principals cannot be knownby the attacker, so examples of underivable facts are attacker(skA[ ]) and attacker(skB[ ]).

Elimination of Redundant Hypotheses When a clause is of the form H ∧ H′ ⇒ C, and there exists σ such that σH ⊆ H′ and σ does not change the variables of H′ and C, then the clause is replaced with H′ ⇒ C by the function elimredundanthyp. These clauses are semantically equivalent: obviously, H′ ⇒ C subsumes H ∧ H′ ⇒ C; conversely, if a fact can be derived by an instance σ′H′ ⇒ σ′C of H′ ⇒ C, then it can also be derived by the instance σ′σH ∧ σ′H′ ⇒ σ′C of H ∧ H′ ⇒ C, since the elements of σ′σH can be derived because they are in σ′H′.

This replacement is especially useful when H contains m-event facts. Otherwise, the elements of H could be selected and transformed by resolution, until they are of the form attacker(x), in which case they are removed by elimattx if σx ≠ x (because x does not occur in H′ and C since σ does not change the variables of H′ and C) or by elimdup if σx = x (because attacker(x) = σattacker(x) ∈ σH ⊆ H′). In contrast, m-event facts remain forever, because they are unselectable. Depending on user settings, this replacement can be applied for all H, applied only when H contains an m-event fact, or switched off, since testing this property takes time and slows down small examples. On the other hand, on big examples, such as some of those generated by TulaFale [12] for verifying Web services, this technique can yield important speedups.


Putting All Simplifications Together The function simplify groups all these simplifications. We define simplify = elimattx ◦ elimtaut ◦ elimnot ◦ elimredundanthyp ◦ elimdup ◦ decomp. In this definition, the simplifications are ordered in such a way that simplify ◦ simplify = simplify, so it is not necessary to repeat the simplification.

Similarly, simplify′ = elimattx ◦ elimnot ◦ elimredundanthyp ◦ elimdup ◦ decomphyp. In simplify′, we use decomphyp instead of decomp, because the conclusion of the considered clause is the fact we want to derive, so it must not be modified.
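As an added example (not ProVerif's or the author's code), the following Python toy implements the two phases of Figure 4 together with the simplifications above, under these assumptions: the only data constructor is the pair, the selection function is sel0, the clauses (Rf) and (Rg) are omitted since attacker(x) is never selected, and elimnot and elimredundanthyp are left out. The protocol clauses at the end are constructed: an honest party outputs senc(s, k) on a public channel, and a leaky variant also outputs the pair (k, n).

```python
"""Toy version of the solving algorithm of Figure 4: saturation with sel0, subsumption (elim) and the
simplifications decomp, elimdup, elimtaut, elimattx, then the backward search deriv. Added example, not ProVerif's code."""
import itertools
# Term syntax: variable ('V', name); application (symbol, arg1, ...); constant (symbol,).
# A fact is a term with symbol 'attacker' or 'm-event'; a clause is (hypotheses_tuple, conclusion).
DATA = {'tuple'}            # data constructors (Section 6.2): attacker(tuple(p1..pn)) <=> attacker(p1), ..., attacker(pn)
_fresh = itertools.count()
is_var = lambda t: t[0] == 'V'
variables = lambda t: {t[1]} if is_var(t) else set().union(*[variables(a) for a in t[1:]])
occurs = lambda v, t: t == v if is_var(t) else any(occurs(v, a) for a in t[1:])
freeze = lambda t: (t[1] + '$',) if is_var(t) else (t[0],) + tuple(freeze(a) for a in t[1:])

def subst(s, t):            # apply substitution s (dict name -> term), following binding chains
    if is_var(t): return subst(s, s[t[1]]) if t[1] in s else t
    return (t[0],) + tuple(subst(s, a) for a in t[1:])

def unify(a, b, s):         # most general unifier extending s, or None; s itself is never mutated
    a, b = subst(s, a), subst(s, b)
    if a == b: return s
    if is_var(a): return None if occurs(a, b) else {**s, a[1]: b}
    if is_var(b): return unify(b, a, s)
    if a[0] != b[0] or len(a) != len(b): return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None: return None
    return s

def rename(clause):         # rename the variables of a clause apart before resolving it
    n = next(_fresh)
    s = {v: ('V', v.split('#')[0] + '#%d' % n) for f in clause[0] + (clause[1],) for v in variables(f)}
    return tuple(subst(s, f) for f in clause[0]), subst(s, clause[1])

def subsumes(r1, r2):       # (H1 => C1) ⊒ (H2 => C2): some sigma has sigma C1 = C2 and sigma H1 ⊆ H2 (multisets)
    def go(hs, avail, s):   # freezing the variables of r2 turns unify into one-way matching
        if not hs: return True
        return any(s2 is not None and go(hs[1:], avail[:i] + avail[i + 1:], s2)
                   for i, f in enumerate(avail) for s2 in [unify(hs[0], f, s)])
    s = unify(r1[1], freeze(r2[1]), {})
    return s is not None and go(list(r1[0]), [freeze(f) for f in r2[0]], s)

def resolve(r, rp, i):      # R ∘F0 R': unify the conclusion of R with the i-th hypothesis F0 of R'
    (h, c), (hp, cp) = rename(r), rename(rp)
    s = unify(c, hp[i], {})
    return None if s is None else (tuple(subst(s, f) for f in h + hp[:i] + hp[i + 1:]), subst(s, cp))

def sel(clause):            # sel0: index of the first selectable hypothesis; None stands for sel(R) = ∅
    unselectable = lambda f: f[0] == 'm-event' or (f[0] == 'attacker' and is_var(f[1]))
    return next((i for i, f in enumerate(clause[0]) if not unselectable(f)), None)

def decomp_fact(f):         # attacker(f(p1..pn)) -> attacker(p1), ..., attacker(pn) for a data constructor f
    if f[0] == 'attacker' and not is_var(f[1]) and f[1][0] in DATA:
        return [g for a in f[1][1:] for g in decomp_fact(('attacker', a))]
    return [f]

def simplify(clause, prime=False):
    """simplify = elimattx ∘ elimtaut ∘ elimdup ∘ decomp (elimnot and elimredundanthyp are left out).
    prime=True is simplify': decomphyp instead of decomp and no elimtaut, so the conclusion is untouched."""
    out = []
    for concl in ([clause[1]] if prime else decomp_fact(clause[1])):
        h = list(dict.fromkeys(g for f in clause[0] for g in decomp_fact(f)))          # decomp + elimdup
        if not prime and concl in h: continue                                           # elimtaut
        keep = [f for i, f in enumerate(h) if not (f[0] == 'attacker' and is_var(f[1])  # elimattx
                and not any(occurs(f[1], g) for g in h[:i] + h[i + 1:] + [concl]))]
        out.append((tuple(keep), concl))
    return out

def elim(new, clauses):     # insert clauses, dropping every clause that another clause subsumes
    for r in new:
        if any(subsumes(q, r) for q in clauses): continue
        clauses = [q for q in clauses if not subsumes(r, q)] + [r]
    return clauses

def saturate(r0):           # first phase of Figure 4
    clauses = []
    for r in r0: clauses = elim(simplify(r), clauses)
    while True:                                                        # step 2: fixpoint iteration
        before = list(clauses)
        for r in [q for q in clauses if sel(q) is None]:               # R with no selected hypothesis
            for rp in [q for q in clauses if sel(q) is not None]:      # R' whose selected F0 we unify
                new = resolve(r, rp, sel(rp))
                if new is not None: clauses = elim(simplify(new), clauses)
        if clauses == before: return [r for r in clauses if sel(r) is None]   # step 3

def deriv(r, seen, r1):     # second phase of Figure 4: backward depth-first search
    if any(subsumes(q, r) for q in seen): return []                    # cycle: already searched for
    i = sel(r)
    if i is None: return [r]                                            # sel(R) = ∅: suitable clause
    return [c for rp in r1 for new in [resolve(rp, r, i)] if new is not None
            for s in simplify(new, prime=True) for c in deriv(s, seen + [r], r1)]

def derivable(f, r1): return deriv(((f,), f), [], r1)
# Constructed clauses: the attacker knows the public channel c, can encrypt, and can decrypt with the
# key; honest A outputs senc(s, k). LEAKY additionally outputs the pair (k, n), a data constructor.
V = lambda x: ('V', x)
ATTACKER = [((), ('attacker', ('c',))),
            ((('attacker', V('x')), ('attacker', V('y'))), ('attacker', ('senc', V('x'), V('y')))),
            ((('attacker', ('senc', V('x'), V('y'))), ('attacker', V('y'))), ('attacker', V('x')))]
SECURE = ATTACKER + [((), ('attacker', ('senc', ('s',), ('k',))))]
LEAKY = SECURE + [((), ('attacker', ('tuple', ('k',), ('n',))))]
```

derivable(('attacker', ('s',)), saturate(LEAKY)) returns the single clause () ⇒ attacker(s), found once decomp has split the pair into attacker(k) and attacker(n), while the same call on saturate(SECURE) returns the empty set.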

6.3 Soundness

The following lemmas show the correctness of saturate and derivable (Figure 4). Proofs can be found in Appendix C. Intuitively, the correctness of saturate expresses that saturation preserves derivability, provided the secrecy assumptions are satisfied.

Lemma 2 (Correctness of saturate) Let F be a closed fact. If, for all F′ ∈ Fnot, no instance of F′ is derivable from saturate(ℛ0) ∪ Fme, then F is derivable from ℛ0 ∪ Fme if and only if F is derivable from saturate(ℛ0) ∪ Fme.

This result is proved by transforming a derivation of F from ℛ0 ∪ Fme into a derivation of F (or a fact in Fnot) from saturate(ℛ0) ∪ Fme. Basically, when the derivation contains a clause R′ with sel(R′) ≠ ∅, we replace in this derivation two clauses R, with sel(R) = ∅, and R′ that have been combined by resolution during the execution of saturate with a single clause R ◦F0 R′. This replacement decreases the number of clauses in the derivation, so it terminates, and, upon termination, all clauses R′ of the obtained derivation satisfy sel(R′) = ∅, so they are in saturate(ℛ0) ∪ Fme.

Intuitively, the correctness of derivable expresses that if F′, an instance of F, is derivable, then F′ is derivable from ℛ1 by a derivation in which the clause that concludes F′ is in derivable(F, ℛ1), provided the secrecy assumptions are satisfied.

Lemma 3 (Correctness of derivable) Let F′ be a closed instance of F. If, for all F′′ ∈ Fnot, derivable(F′′, ℛ1) = ∅, then F′ is derivable from ℛ1 ∪ Fme if and only if there exist a clause H ⇒ C in derivable(F, ℛ1) and a substitution σ such that σC = F′ and all elements of σH are derivable from ℛ1 ∪ Fme.

Basically, this result is proved by transforming a derivation of F′ from ℛ1 ∪ Fme into a derivation of F′ (or a fact in Fnot) whose last clause (the one that concludes F′) is H ⇒ C and whose other clauses are still in ℛ1 ∪ Fme. The transformation relies on the replacement of clauses combined by resolution during the execution of derivable.

It is important to apply saturate before derivable, so that all clauses in ℛ1 have no selected hypothesis. Then the conclusion of these clauses is in general not attacker(x) (with the simplifications of Section 6.2 and the selection function sel0, it is never attacker(x)), so that we avoid unifying with attacker(x).

Finally, the following theorem shows the correctness of solve_{P′0,Init} (Figure 5). Below, when we require that solve_{P′0,Init}(F) has a certain value, we also implicitly require that solve_{P′0,Init}(F) does not terminate with error. Intuitively, if an instance F′ of F is satisfied by a trace T, then F′ is derivable from ℛ_{P′0,Init} ∪ Fme, so, by the soundness of the solving algorithm, it is derivable by a derivation whose last clause is in solve_{P′0,Init}(F). Then there must exist a clause H ⇒ C ∈ solve_{P′0,Init}(F) that can be used to derive F′, so F′ = σC and the hypothesis σH is derivable from ℛ_{P′0,Init} ∪ Fme. In particular, the events in σH are satisfied, that is, are in Fme, so these events have been executed in the trace T. Theorem 2 below states this result formally. It is proved by combining Lemmas 2 and 3, and Theorem 1.


Theorem 2 (Main theorem) Let P0 be a closed process and P′0 = instr(P0). Let Q be an Init-adversary and Q′ = instrAdv(Q). Consider a trace T = S0, E0, {P′0, Q′} →* S′, E′, 𝒫′, with fn(P′0) ∪ Init ⊆ dom(E0) and E0(a) = a[ ] for all a ∈ dom(E0). If T satisfies an instance F′ of F, then there exist a clause H ⇒ C ∈ solve_{P′0,Init}(F) and a substitution σ such that F′ = σC and, for all m-event(p) in σH, T satisfies event(p).

Proof Since for all F′′ ∈ Fnot, derivable(F′′, ℛ1) = ∅, by Lemma 3, no instance of F′′ is derivable from ℛ1 ∪ Fme = saturate(ℛ_{P′0,Init}) ∪ Fme. This allows us to apply Lemma 2.

Let Fme = {m-event(p′) | T satisfies event(p′)}. By Theorem 1, since T satisfies F′, F′ is derivable from ℛ_{P′0,Init} ∪ Fme. By Lemma 2, F′ is derivable from saturate(ℛ_{P′0,Init}) ∪ Fme = ℛ1 ∪ Fme. By Lemma 3, there exist a clause R = H ⇒ C in solve_{P′0,Init}(F) = derivable(F, ℛ1) and a substitution σ such that σC = F′ and all elements of σH are derivable from ℛ1 ∪ Fme. For all m-event(p) in σH, m-event(p) is derivable from ℛ1 ∪ Fme. Since no clause in ℛ1 has a conclusion of the form m-event(p′), m-event(p) ∈ Fme. Given the choice of Fme, this means that T satisfies event(p). □

Theorem 2 is our main correctness result: it allows one to show that some events must have been executed. The correctness of the analysis for correspondences follows from this theorem.

Example 8 For the process P of Section 2.3, Init = {c}, and P′ = instr(P), our tool shows that

solve_{P′,Init}(event(eB(x1, x2, x3, x4))) =
    { m-event(e1(pkA, pkB, pa)) ∧ m-event(e2(pkA, pkB, pa, pb)) ∧ m-event(e3(pkA, pkB, pa, pb))
      ⇒ event(eB(pkA, pkB, pa, pb)) }

where pkA = pk(skA[ ]), pkB = pk(skB[ ]), pa = a[pkB, iA],
      pb = b[pencryptp((pa, pkA), pkB, r1[pkB, iA]), iB].

By Theorem 2, if T satisfies event(eB(p1, p2, p3, p4)), this event is an instance of event(eB(x1, x2, x3, x4)), so, given the value of solve_{P′,Init}(event(eB(x1, x2, x3, x4))), there exists σ such that event(eB(p1, p2, p3, p4)) = σ event(eB(pkA, pkB, pa, pb)) and T satisfies

event(σ e1(pkA, pkB, pa)) = event(e1(p1, p2, p3))

event(σ e2(pkA, pkB, pa, pb)) = event(e2(p1, p2, p3, p4))

event(σ e3(pkA, pkB, pa, pb)) = event(e3(p1, p2, p3, p4))

Therefore, if event(eB(M1, M2, M3, M4)) has been executed, then event(e1(M1, M2, M3)), event(e2(M1, M2, M3, M4)), and event(e3(M1, M2, M3, M4)) have been executed.

7 Application to Correspondences

7.1 Non-injective Correspondences

Correspondences for instrumented processes can be checked as shown by the following theorem:

Theorem 3 Let P0 be a closed process and P′0 = instr(P0). Let pjk (j ∈ {1, . . . , m}, k ∈ {1, . . . , lj}) be patterns; let F and Fj (j ∈ {1, . . . , m}) be facts. Assume that for all R ∈ solve_{P′0,Init}(F), there exist j ∈ {1, . . . , m}, σ′, and H such that R = H ∧ m-event(σ′pj1) ∧ . . . ∧ m-event(σ′pjlj) ⇒ σ′Fj. Then P′0 satisfies the correspondence

$$F \Rightarrow \bigvee_{j=1}^{m} \Big( F_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathit{event}(p_{jk}) \Big)$$

against Init-adversaries.


Proof Let Q be an Init-adversary and Q′ = instrAdv(Q). Consider a trace T = S0, E0, {P′0, Q′} →* S′, E′, 𝒫′, with fn(P′0) ∪ Init ⊆ dom(E0) and E0(a) = a[ ] for all a ∈ dom(E0). Assume that T satisfies σF. By Theorem 2, there exist R = H′ ⇒ C′ ∈ solve_{P′0,Init}(F) and σ′′ such that σF = σ′′C′ and for all m-event(p) in σ′′H′, T satisfies event(p). All clauses R in solve_{P′0,Init}(F) are of the form H ∧ m-event(σ′pj1) ∧ . . . ∧ m-event(σ′pjlj) ⇒ σ′Fj for some j and σ′. So, there exist j and σ′ such that for all k ∈ {1, . . . , lj}, m-event(σ′pjk) ∈ H′ and C′ = σ′Fj. Hence σF = σ′′C′ = σ′′σ′Fj and for all k ∈ {1, . . . , lj}, m-event(σ′′σ′pjk) ∈ σ′′H′, so T satisfies event(σ′′σ′pjk), so we have the result. □

From this theorem and Lemma 1, we obtain correspondences for standard processes.

Theorem 4 Let P0 be a closed process and P′0 = instr(P0). Let Mjk (j ∈ {1, . . . , m}, k ∈ {1, . . . , lj}) be terms; let α and αj (j ∈ {1, . . . , m}) be atoms. Let pjk, F, Fj be the patterns and facts obtained by replacing names a with patterns a[ ] in the terms and atoms Mjk, α, αj respectively. Assume that, for all clauses R in solve_{P′0,Init}(F), there exist j ∈ {1, . . . , m}, σ′, and H such that R = H ∧ m-event(σ′pj1) ∧ . . . ∧ m-event(σ′pjlj) ⇒ σ′Fj. Then P0 satisfies the correspondence

$$\alpha \Rightarrow \bigvee_{j=1}^{m} \Big( \alpha_j \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathit{event}(M_{jk}) \Big)$$

against Init-adversaries.

Example 9 For the process P of Section 2.3, Init = {c}, and P′ = instr(P), the value of solve_{P′,Init}(event(eB(x1, x2, x3, x4))) given in Example 8 shows that P satisfies the correspondence event(eB(x1, x2, x3, x4)) ⇝ event(e1(x1, x2, x3)) ∧ event(e2(x1, x2, x3, x4)) ∧ event(e3(x1, x2, x3, x4)) against Init-adversaries.

As particular cases of correspondences, we can show secrecy and non-injective agreement:

Corollary 1 (Secrecy) Let P0 be a closed process and P′0 = instr(P0). Let N be a term. Let p be the pattern obtained by replacing names a with patterns a[ ] in the term N. Assume that solve_{P′0,Init}(attacker(p)) = ∅. Then P0 preserves the secrecy of all instances of N from Init.

Intuitively, if no instance of attacker(p) is derivable from the clauses representing the protocol, then the adversary cannot have an instance of the term N corresponding to p.

Example 10 For the process P of Section 2.3, Init = {c}, and P′ = instr(P), our tool shows that solve_{P′,Init}(attacker(sAa[ ])) = ∅. So P preserves the secrecy of sAa from Init. The situation is similar for sAb, sBa, and sBb.

Corollary 2 (Non-injective agreement) Let P0 be a closed process and P′0 = instr(P0). Assume that, for each R ∈ solve_{P′0,Init}(event(e(x1, . . . , xn))) such that R = H ⇒ event(e(p1, . . . , pn)), we have m-event(e′(p1, . . . , pn)) ∈ H. Then P0 satisfies the correspondence event(e(x1, . . . , xn)) ⇝ event(e′(x1, . . . , xn)) against Init-adversaries.

Intuitively, the condition means that, if event(e(p1, . . . , pn)) can be derived, m-event(e′(p1, . . . , pn)) occurs in the hypotheses. Then the theorem says that, if event(e(M1, . . . , Mn)) has been executed, then event(e′(M1, . . . , Mn)) has been executed.

Example 11 For the process P of Section 2.3, Init = {c}, and P′ = instr(P), the value of solve_{P′,Init}(event(eB(x1, x2, x3, x4))) given in Example 8 also shows that P satisfies the correspondence event(eB(x1, x2, x3, x4)) ⇝ event(e3(x1, x2, x3, x4)) against Init-adversaries. The tool shows in a similar way that P satisfies the correspondence event(eA(x1, x2, x3, x4)) ⇝ event(e2(x1, x2, x3, x4)) against Init-adversaries.


7.2 General Correspondences

In this section, we explain how to prove general correspondences. Moreover, we also show that, when our verifier proves injectivity, it proves recentness as well. For example, when it proves a correspondence event(M) ⇝ inj event(M′), it shows that, when the event event(M) has been executed, not only has the event event(M′) been executed, but it has also been executed recently. As explained by Lowe [54], the precise meaning of “recent” depends on the circumstances: it can be that event(M) is executed within the duration of the part of the process after event(M′), or it can be within a certain number of time units. Here, we define recentness as follows: the runtime of the session that executes event(M) overlaps with the runtime of the session that executes the corresponding event(M′) event.

We can formally define recent correspondences for instrumented processes as follows. We assume that, in P0, the events are under at least one replication. We define an instrumented process P′0 = instr′(P0), where instr′(P0) is defined like instr(P0), except that the events event(M) in P0 are replaced with event(M, i), where i is the session identifier that labels the down-most replication above event(M) in P0. The session identifier i indicates the session in which the considered event is executed.

When k = k1 . . . kn is a non-empty sequence of indices, we denote by k⌈ the sequence obtained by removing the last index from k: k⌈ = k1 . . . kn−1.

Definition 14 Let P0 be a closed process and P′0 = instr′(P0). We say that P′0 satisfies the recent correspondence

$$\mathit{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathit{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\, q_{jk} \Big)
\qquad\text{where}\qquad
q_{jk} = \mathit{event}(p_{jk}) \rightsquigarrow \bigvee_{j=1}^{m_{jk}} \bigwedge_{k=1}^{l_{jkj}} [\mathit{inj}]_{jkjk}\, q_{jkjk}$$

against Init-adversaries if and only if for any Init-adversary Q, for any trace T = S0, E0, {P′0, Q′} →* S′, E′, 𝒫′, with Q′ = instrAdv(Q), E0(a) = a[ ] for all a ∈ dom(E0), and fn(P′0) ∪ Init ⊆ dom(E0), there exists a function φjk for each non-empty jk, such that for all non-empty jk, φjk maps a subset of steps of T to steps of T and

• For all τ, if the event event(σp, λε) is executed at step τ in T for some σ and λε, then there exist σ′ and J = (jk)k such that σ′p′jε = σp and, for all non-empty k, φmakejk(k,J)(τ) is defined, event(σ′pmakejk(k,J), λk) is executed at step φmakejk(k,J)(τ) in T, and if [inj]makejk(k,J) = inj, then the runtimes of session(λk⌈) and session(λk) overlap (recentness).

The runtime of session(λ) begins when the rule S, E, 𝒫 ∪ { !^i P } → S \ {λ}, E, 𝒫 ∪ { P{λ/i}, !^i P } is applied and ends when P{λ/i} has disappeared.

• For all non-empty jk, if [inj]jk = inj, then φjk is injective.

• For all non-empty jk, for all j and k, if φjkjk(τ) is defined, then φjk(τ) is defined and φjkjk(τ) ≤ φjk(τ). For all j and k, if φjk(τ) is defined, then φjk(τ) ≤ τ.

We do not define recentness for standard processes, since it is difficult to track formally the runtime of a session in these processes. Instrumented processes make that very easy thanks to session identifiers. It is easy to infer correspondences for standard processes from recent correspondences for instrumented processes, with a proof similar to that of Lemma 1.


Lemma 4 Let P0 be a closed process and P′0 = instr′(P0). Let Mjk, M, and M′j be terms. Let pjk, p, p′j be the patterns obtained by replacing names a with patterns a[ ] in the terms Mjk, M, M′j respectively. If P′0 satisfies the recent correspondence

$$\mathit{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathit{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\, q_{jk} \Big)
\qquad\text{where}\qquad
q_{jk} = \mathit{event}(p_{jk}) \rightsquigarrow \bigvee_{j=1}^{m_{jk}} \bigwedge_{k=1}^{l_{jkj}} [\mathit{inj}]_{jkjk}\, q_{jkjk}$$

against Init-adversaries then P0 satisfies the correspondence

$$\mathit{event}(M) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathit{event}(M'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\, q'_{jk} \Big)
\qquad\text{where}\qquad
q'_{jk} = \mathit{event}(M_{jk}) \rightsquigarrow \bigvee_{j=1}^{m_{jk}} \bigwedge_{k=1}^{l_{jkj}} [\mathit{inj}]_{jkjk}\, q'_{jkjk}$$

against Init-adversaries.

Let P0 be a closed process and P′0 = instr′(P0). We adapt the generation of clauses as follows: the set of clauses ℛ′_{P′0,Init} is defined as ℛ_{P′0,Init} except that

[[M〈N〉.P]]ρH = [[P]]ρH ∪ {H{ρ|Vo∪Vs/□} ⇒ message(ρ(M), ρ(N))}

[[!^i P]]ρH = [[P]](ρ[i ↦ i])(H{ρ|Vo∪Vs/□})

[[event(M, i).P]]ρH = [[P]]ρ(H ∧ m-event(ρ(M), □)) ∪ {H ⇒ event(ρ(M), i)}

where □ is a special variable. The predicate event has as additional argument the session identifier in which the event is executed. The predicate m-event has as additional argument an environment ρ that gives values that variables will contain at the first output or replication that follows the event; □ is a placeholder for this environment. (Recall that Vo is the set of ordinary variables and Vs the set of session identifier variables, so ρ|Vo∪Vs is the environment restricted to variables, names being excluded.) We define solve′_{P′0,Init} as solve_{P′0,Init} except that it applies to ℛ′_{P′0,Init} instead of ℛ_{P′0,Init}.

Let us first consider the particular case of injective correspondences. We consider generalcorrespondences in Theorem 5 below.

Proposition 2 (Injective correspondences) Let P0 be a closed process and P′0 = instr′(P0). We assume that, in P0, all events are of the form event(f(M1, . . . , Mn)) and that different occurrences of event have different root function symbols.

We also assume that the patterns p, p′j, pjk satisfy the following conditions: p and p′j for j ∈ {1, . . . , m} are of the form f(. . .) for some function symbol f and for all j, k such that [inj]jk = inj, pjk = fjk(. . .) for some function symbol fjk.

Let solve′_{P′0,Init}(event(p, i)) = {Rjr | j ∈ {1, . . . , m}, r ∈ {1, . . . , nj}}. Assume that there exist xjk, ijr, and ρjrk (j ∈ {1, . . . , m}, r ∈ {1, . . . , nj}, k ∈ {1, . . . , lj}) such that

• For all j ∈ {1, . . . , m}, for all r ∈ {1, . . . , nj}, there exist H and σ such that Rjr = H ∧ m-event(σpj1, ρjr1) ∧ . . . ∧ m-event(σpjlj, ρjrlj) ⇒ event(σp′j, ijr).


• For all j ∈ {1, . . . , m}, for all r and r′ in {1, . . . , nj}, for all k ∈ {1, . . . , lj} such that [inj]jk = inj, ρjrk(xjk){λ/ijr} does not unify with ρjr′k(xjk){λ′/ijr′} when λ ≠ λ′.

Then P′0 satisfies the recent correspondence

$$\mathit{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathit{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\, \mathit{event}(p_{jk}) \Big)$$

against Init-adversaries.

This proposition is a particular case of Theorem 5 below. It is proved in Appendix E. By Theorem 3, after deleting session identifiers and environments, the first item shows that P′0 satisfies the correspondence

$$\mathit{event}(p) \Rightarrow \bigvee_{j=1..m,\ r} \Big( \mathit{event}(p'_j) \rightsquigarrow \bigwedge_{k=1}^{l_j} \mathit{event}(p_{jk}) \Big) \qquad (13)$$

The environments and session identifiers as well as the second item serve in proving injectivity. Suppose that [inj]jk = inj, and denote by _ an unknown term. If two instances of event(p, i) are executed in P′0 for the branch j of the correspondence, by the first item, they are instances of event(σjr p′j, ijr) for some r, so they are event(σ′1σjr1 p′j, σ′1 ijr1) and event(σ′2σjr2 p′j, σ′2 ijr2) for some σ′1 and σ′2. Furthermore, there is only one occurrence of event(f(. . .), i) in P′0, so the event event(f(. . .), i) can be executed at most once for each value of the session identifier i, so σ′1 ijr1 ≠ σ′2 ijr2. Then, by the first item, corresponding events event(σ′1σjr1 pjk, _) and event(σ′2σjr2 pjk, _) have been executed, with associated environments σ′1ρjr1k and σ′2ρjr2k. By the second item, ρjr1k(xjk){λ1/ijr1} does not unify with ρjr2k(xjk){λ2/ijr2} for different values λ1 = σ′1 ijr1 and λ2 = σ′2 ijr2 of the session identifier. (In this condition, r1 can be equal to r2, and when r1 = r2 = r, the condition simply means that ijr occurs in ρjrk.) So σ′1ρjr1k(xjk) ≠ σ′2ρjr2k(xjk), so the events event(σ′1σjr1 pjk, _) and event(σ′2σjr2 pjk, _) are distinct, which shows injectivity. This point is very similar to the fact that injective agreement is implied by non-injective agreement when the parameters of events contain nonces generated by the agent to whom authentication is being made, because the event can be executed at most once for each value of the nonce. (The session identifier ijr in our theorem plays the role of the nonce.) [Andrew Gordon, personal communication].

Corollary 3 (Recent injective agreement) Let P0 be a closed process and P′0 = instr′(P0). We assume that, in P0, all events are of the form event(f(M1, . . . , Mk)) and that different occurrences of event have different root function symbols. Let {R1, . . . , Rn} = solve′_{P′0,Init}(event(e(x1, . . . , xm), i)). Assume that there exist x, ir, and ρr (r ∈ {1, . . . , n}) such that

• For all r ∈ {1, . . . , n}, Rr = H ∧ m-event(e′(p1, . . . , pm), ρr) ⇒ event(e(p1, . . . , pm), ir) for some p1, . . . , pm, and H.

• For all r and r′ in {1, . . . , n}, ρr(x){λ/ir} does not unify with ρr′(x){λ′/ir′} when λ ≠ λ′.

Then P′0 satisfies the recent correspondence event(e(x1, . . . , xm)) ⇝ inj event(e′(x1, . . . , xm)) against Init-adversaries.

Proof This result is an immediate consequence of Proposition 2. □


Example 12 For the process P of Section 2.3, P′ = instr′(P), and Init = {c}, we have

solve′_{P′,Init}(event(eB(x1, x2, x3, x4), i)) =
    { H ∧ m-event(e3(pkA, pkB, a[pkB, iA0], b[p1, iB0]), ρ)
      ⇒ event(eB(pkA, pkB, a[pkB, iA0], b[p1, iB0]), iB0) }

where pkA = pk(skA[ ]), pkB = pk(skB[ ]),
      p1 = pencryptp((a[pkB, iA0], pkA), pkB, r1[pkB, iA0]),
      p2 = pencryptp((a[pkB, iA0], b[p1, iB0], pkB), pkA, r2[p1, iB0]),
      ρ = {iA ↦ iA0, x_pkB ↦ pkB, m ↦ p2}.

Intuitively, this result shows that each event eB(pkA, pkB, a[pkB, iA0], b[p1, iB0]), executed in the session of index iB = iB0, is preceded by an event e3(pkA, pkB, a[pkB, iA0], b[p1, iB0]) executed in the session of index iA = iA0 with x_pkB = pkB and m = p2. Since iB0 occurs in this event (or in its environment⁴), different executions of eB, which have different values of iB0, cannot correspond to the same execution of e3, so we have injectivity. More formally, the second hypothesis of Corollary 3 is satisfied because ρ(m){λ/iB0} does not unify with ρ(m){λ′/iB0} when λ ≠ λ′, since iB0 occurs in ρ(m) = p2. Then, P′ satisfies the recent correspondence event(eB(x1, x2, x3, x4)) ⇝ inj event(e3(x1, x2, x3, x4)) against Init-adversaries.

The tool shows in a similar way that P′ satisfies the recent correspondence event(eA(x1, x2, x3, x4)) ⇝ inj event(e2(x1, x2, x3, x4)) against Init-adversaries.
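An added example (not the paper's or ProVerif's code) that encodes the clause of Example 12 as nested tuples and checks the first item shared by Corollaries 2 and 3 (the matching m-event hypothesis) and, for the single-clause case n = 1 in which the second item of Corollary 3 reduces to the session identifier occurring in ρ(x), that second item as well. The pattern encoding (a name a[p1, . . . , pn] written ('a[]', p1, . . . , pn)) is an assumption, and the unspecified hypotheses H of Example 12 are omitted.

```python
"""Added example (not the paper's or ProVerif's code): checks of the hypotheses of Corollary 2
(non-injective agreement) and of the n = 1 case of Corollary 3 (recent injective agreement) on
the clause returned by solve' in Example 12, re-typed here as nested tuples."""

# Assumed pattern syntax: variable ('V', name); application (symbol, arg1, ...); a name a[p1, ..., pn]
# is ('a[]', p1, ..., pn). A clause is (hypotheses, conclusion) with conclusion ('event', pattern,
# session_id) and hypotheses ('m-event', pattern, rho), where rho is a dict variable -> pattern.
def occurs(v, t):
    """Does the variable v occur in the pattern t?"""
    return t == v if t[0] == 'V' else any(occurs(v, a) for a in t[1:])

def matching_m_event(hyps, concl, e_prime):
    """Environment of the hypothesis m-event(e'(p1..pn), rho) whose arguments are exactly those of
    the conclusion event(e(p1..pn), i), or None. The session identifier and the environment are
    ignored here, as in Theorem 3 after deleting them."""
    for h in hyps:
        if h[0] == 'm-event' and h[1][0] == e_prime and h[1][1:] == concl[1:]:
            return h[2]
    return None

def non_injective_agreement(clauses, e, e_prime):
    """First item of Corollaries 2 and 3: every clause concluding event(e(p1..pn), _) has
    m-event(e'(p1..pn), _) among its hypotheses."""
    return all(concl[0] == e and matching_m_event(hyps, concl, e_prime) is not None
               for hyps, (_pred, concl, _i) in clauses)

def recent_injective_witnesses(clauses, e, e_prime):
    """Corollary 3 with a single clause R1 = H ∧ m-event(e'(...), ρ1) ⇒ event(e(...), i1): for
    r = r' = 1 the second item means that i1 occurs in ρ1(x) for some x. Returns the variables x
    that witness it (empty list: the hypotheses of the corollary are not established by this check)."""
    if len(clauses) != 1 or not non_injective_agreement(clauses, e, e_prime):
        return []
    hyps, (_pred, concl, i1) = clauses[0]
    rho = matching_m_event(hyps, concl, e_prime)
    return [x for x, t in rho.items() if occurs(i1, t)]

# The clause of Example 12 (its unspecified hypotheses H are omitted).
iA0, iB0 = ('V', 'iA0'), ('V', 'iB0')
pkA, pkB = ('pk', ('skA[]',)), ('pk', ('skB[]',))
pa = ('a[]', pkB, iA0)
p1 = ('pencryptp', ('tuple', pa, pkA), pkB, ('r1[]', pkB, iA0))
pb = ('b[]', p1, iB0)
p2 = ('pencryptp', ('tuple', pa, pb, pkB), pkA, ('r2[]', p1, iB0))
rho = {'iA': iA0, 'x_pkB': pkB, 'm': p2}
EXAMPLE_12 = [((('m-event', ('e3', pkA, pkB, pa, pb), rho),),
               ('event', ('eB', pkA, pkB, pa, pb), iB0))]
```

recent_injective_witnesses(EXAMPLE_12, 'eB', 'e3') returns ['m'], the variable whose value p2 contains iB0, which is exactly the justification given in Example 12.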

Let us now consider the case of general correspondences. The basic idea is to decompose the general correspondence to prove into several correspondences. For instance, the correspondence event(eB(x1, x2, x3, x4)) ⇝ (event(e3(x1, x2, x3, x4)) ⇝ event(e2(x1, x2, x3, x4))) is implied by the conjunction of the correspondences event(eB(x1, x2, x3, x4)) ⇝ event(e3(x1, x2, x3, x4)) and event(e3(x1, x2, x3, x4)) ⇝ event(e2(x1, x2, x3, x4)). However, as noted in Section 3.3, this proof technique would often fail because, in order to prove that e2(x1, x2, x3, x4) has been executed, we may need to know that eB(x1, x2, x3, x4) has been executed, and not only that e3(x1, x2, x3, x4) has been executed. To solve this problem, we use the following idea: when we know that eB(x1, x2, x3, x4) has been executed, we may be able to show that certain particular instances of e3(x1, x2, x3, x4) have been executed, and we can exploit this information in order to prove that e2(x1, x2, x3, x4) has been executed. In other words, we rather prove the correspondences

$$\mathit{event}(e_B(x_1, x_2, x_3, x_4)) \Rightarrow \bigvee_{r=1}^{m} \big( \sigma_r\, \mathit{event}(e_B(x_1, x_2, x_3, x_4)) \rightsquigarrow \sigma_r\, \mathit{event}(e_3(x_1, x_2, x_3, x_4)) \big)$$

and, for all r ≤ m, σr event(e3(x1, x2, x3, x4)) ⇝ σr event(e2(x1, x2, x3, x4)). When the considered general correspondence has several nesting levels, we perform such a decomposition recursively. The next theorem generalizes and formalizes these ideas.

Below, the notation (Env_jk)_jk represents a family Env_jk of sets of pairs (ρ, i) where ρ is an environment and i is a session identifier, one for each non-empty jk. The notation (Env_jkjk)_jk represents a subfamily of (Env_jk)_jk in which the first two indices are jk, and this family is reindexed by omitting the fixed indices jk.

Theorem 5 Let P0 be a closed process and P′0 = instr′(P0). We assume that, in P0, all events are of the form event(f(M1, . . . , Mn)) and that different occurrences of event have different root function symbols.

Let us define verify(q′, (Env_jk)_jk), where jk is non-empty, by:

V1. If q′ = event(p) for some p, then verify(q′, (Env_jk)_jk) is true.

4In general, the environment may contain more variables than the event itself, so looking for the sessionidentifiers in the environment instead of the event is more powerful.


V2. If

\[
q' = \mathrm{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Big(\mathrm{event}(p'_j) \wedge \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\, q'_{jk}\Big)
\]

and $q'_{jk} = \mathrm{event}(p_{jk}) \Rightarrow \ldots$ for some $p$, $p'_j$, and $p_{jk}$, where $m \neq 1$, $l_j \neq 0$, or $p \neq p'_1$, then $\mathit{verify}(q', (\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}})$ is true if and only if there exists $(\sigma_{jr})_{jr}$ such that the following three conditions hold:

V2.1. We have

\[
\mathit{solve}'_{P'_0,\mathit{Init}}(\mathrm{event}(p, i)) \subseteq \Big\{ H \wedge \bigwedge_{k=1}^{l_j} \text{m-event}(\sigma_{jr} p_{jk}, \rho_{jrk}) \Rightarrow \mathrm{event}(\sigma_{jr} p'_j, i_{jr}) \ \text{ for some } H,\ j \in \{1, \ldots, m\},\ r, \text{ and } (\rho_{jrk}, i_{jr}) \in \mathit{Env}_{jk} \text{ for all } k \Big\}.
\]

V2.2. For all $j, r, k_0$, the common variables between $\sigma_{jr} q'_{jk_0}$ on the one hand and $\sigma_{jr} p'_j$ and $\sigma_{jr} q'_{jk}$ for all $k \neq k_0$ on the other hand occur in $\sigma_{jr} p_{jk_0}$.

V2.3. For all $j, r, k$, $\mathit{verify}(\sigma_{jr} q'_{jk}, (\mathit{Env}_{jk\widetilde{jk}})_{\widetilde{jk}})$ is true.

Consider the following recent correspondence:

\[
q = \mathrm{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Big(\mathrm{event}(p'_j) \wedge \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\, q_{jk}\Big)
\quad \text{where} \quad
q_{\widetilde{jk}} = \mathrm{event}(p_{\widetilde{jk}}) \Rightarrow \bigvee_{j=1}^{m_{\widetilde{jk}}} \bigwedge_{k=1}^{l_{\widetilde{jk}j}} [\mathit{inj}]_{\widetilde{jk}jk}\, q_{\widetilde{jk}jk}
\]

We assume that the patterns in the correspondence satisfy the following conditions: p and p′j for j ∈ {1, . . . , m} are of the form f(. . .) for some function symbol f and, for all non-empty $\widetilde{jk}$ such that $[\mathit{inj}]_{\widetilde{jk}} = \mathit{inj}$, $p_{\widetilde{jk}} = f_{\widetilde{jk}}(\ldots)$ for some function symbol $f_{\widetilde{jk}}$. We also assume that if inj occurs in $q_{\widetilde{jk}}$, then $[\mathit{inj}]_{\widetilde{jk}} = \mathit{inj}$.

Assume that there exist $(\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}}$ and $(x_{\widetilde{jk}})_{\widetilde{jk}}$, where $\widetilde{jk}$ is non-empty, such that

H1. $\mathit{verify}(q, (\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}})$ is true.

H2. For all non-empty $\widetilde{jk}$, if $[\mathit{inj}]_{\widetilde{jk}} = \mathit{inj}$, then for all $(\rho, i), (\rho', i') \in \mathit{Env}_{\widetilde{jk}}$, $\rho(x_{\widetilde{jk}})\{\lambda/i\}$ does not unify with $\rho'(x_{\widetilde{jk}})\{\lambda'/i'\}$ when $\lambda \neq \lambda'$.

Then P′0 satisfies the recent correspondence q against Init-adversaries.

This theorem is rather complex, so we give some intuition here. Its proof can be found in Appendix E.

Point V2.1 allows us to infer correspondences by Theorem 3: after deleting session identifiers and environments, P′0 satisfies the correspondences:

\[
\mathrm{event}(p) \Rightarrow \bigvee_{j=1..m,\ r} \Big(\mathrm{event}(\sigma_{jr} p'_j) \wedge \bigwedge_{k=1}^{l_j} \mathrm{event}(\sigma_{jr} p_{jk})\Big) \tag{14}
\]

and, using the recursive calls of Point V2.3,

\[
\mathrm{event}(\sigma'_{\widetilde{jrk}\lceil}\, p_{\widetilde{jk}}) \Rightarrow \bigvee_{j=1..m_{\widetilde{jk}},\ r} \Big(\mathrm{event}(\sigma'_{\widetilde{jrk}jr}\, p_{\widetilde{jk}}) \wedge \bigwedge_{k=1}^{l_{\widetilde{jk}j}} \mathrm{event}(\sigma'_{\widetilde{jrk}jr}\, p_{\widetilde{jk}jk})\Big) \tag{15}
\]

against Init-adversaries, where $\sigma'_{\widetilde{jrk}jr} = \sigma_{\widetilde{jrk}jr}\,\sigma_{\widetilde{jrk}\lceil} \ldots \sigma_{jr}$ and we denote by $\sigma_{\widetilde{jrk}jr}$ the substitution $\sigma_{jr}$ obtained in recursive calls to verify indexed by $\widetilde{jrk}$. In order to infer the desired correspondence, we need to show injectivity properties and to combine the correspondences (14) and (15) into a single correspondence. Injectivity comes from Hypothesis H2: this hypothesis generalizes the second item of Proposition 2 to the case of general correspondences.


The correspondences (14) and (15) are combined into a single correspondence using Point V2.2. We illustrate this point on the simple example of the correspondence event(p) ⇒ (event(p′1) ∧ (event(p11) ⇒ event(p1111))). By V2.1 and the recursive call of V2.3, we have correspondences of the form:

\[
\mathrm{event}(p) \Rightarrow \bigvee_{r} \big(\mathrm{event}(\sigma_{1r} p'_1) \wedge \mathrm{event}(\sigma_{1r} p_{11})\big) \tag{16}
\]

\[
\mathrm{event}(\sigma_{1r} p_{11}) \Rightarrow \bigvee_{r'} \big(\mathrm{event}(\sigma_{1r11r'}\sigma_{1r} p_{11}) \wedge \mathrm{event}(\sigma_{1r11r'}\sigma_{1r} p_{1111})\big) \tag{17}
\]

for some $\sigma_{1r}$ and $\sigma_{1r11r'}$. The correspondence (17) implies the simpler correspondence

\[
\mathrm{event}(\sigma_{1r} p_{11}) \Rightarrow \mathrm{event}(\sigma_{1r} p_{1111}). \tag{18}
\]

Furthermore, if an instance of event(p) is executed, $e_1 = \mathrm{event}(\sigma p)$, then by (16), for some $r$ and $\sigma'_1$ such that $\sigma p = \sigma'_1\sigma_{1r} p'_1$, the event $e_2 = \mathrm{event}(\sigma'_1\sigma_{1r} p_{11})$ has been executed before $e_1$. By (18), for some $\sigma'_2$ such that $\sigma'_1\sigma_{1r} p_{11} = \sigma'_2\sigma_{1r} p_{11}$, the event $e_3 = \mathrm{event}(\sigma'_2\sigma_{1r} p_{1111})$ has been executed before $e_2$. We now need to reconcile the substitutions $\sigma'_1$ and $\sigma'_2$; this can be done thanks to V2.2. Let us define $\sigma''$ such that $\sigma'' x = \sigma'_1 x$ for $x \in \mathit{fv}(\sigma_{1r} p_{11}) \cup \mathit{fv}(\sigma_{1r} p'_1)$ and $\sigma'' x = \sigma'_2 x$ for $x \in \mathit{fv}(\sigma_{1r} p_{1111}) \cup \mathit{fv}(\sigma_{1r} p_{11})$. Such a substitution $\sigma''$ exists because the common variables between $\mathit{fv}(\sigma_{1r} p_{11}) \cup \mathit{fv}(\sigma_{1r} p'_1)$ and $\mathit{fv}(\sigma_{1r} p_{1111}) \cup \mathit{fv}(\sigma_{1r} p_{11})$ occur in $\sigma_{1r} p_{11}$ by V2.2, and for the variables $x \in \mathit{fv}(\sigma_{1r} p_{11})$, $\sigma'_1 x = \sigma'_2 x$ since $\sigma'_1\sigma_{1r} p_{11} = \sigma'_2\sigma_{1r} p_{11}$. So, for some $r$ and $\sigma''$ such that $\sigma p = \sigma''\sigma_{1r} p'_1$, the event $e_2 = \mathrm{event}(\sigma''\sigma_{1r} p_{11})$ has been executed before $e_1$ and $e_3 = \mathrm{event}(\sigma''\sigma_{1r} p_{1111})$ has been executed before $e_2$. This result proves the desired correspondence event(p) ⇒ (event(p′1) ∧ (event(p11) ⇒ event(p1111))). Point V2.2 generalizes this technique to any correspondence.

In the implementation, the hypotheses of this theorem are checked as follows. In order to check $\mathit{verify}(q', (\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}})$, we first compute solve′P′0,Init(event(p, i)). By matching, we check V2.1 and obtain the values of σjr, ρjrk, and ijr for all j, r, and k. We add (ρjrk, ijr) to Env jk. We compute σjr p′j and σjr q′jk for each j, r, and k, and check V2.2 and V2.3.

After checking $\mathit{verify}(q', (\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}})$, we finally check Hypothesis H2 for each $\widetilde{jk}$. We start with a set that contains the whole domain of ρ for some $(\rho, i) \in \mathit{Env}_{\widetilde{jk}}$. For each $(\rho, i)$ and $(\rho', i')$ in $\mathit{Env}_{\widetilde{jk}}$, we remove from this set the variables x such that ρ(x){λ/i} unifies with ρ′(x){λ′/i′} for λ ≠ λ′. When the obtained set is non-empty, Hypothesis H2 is satisfied by taking for $x_{\widetilde{jk}}$ any element of the obtained set. Otherwise, Hypothesis H2 is not satisfied.
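The H2 check just described, written out as an added example; this is not ProVerif's code but an illustration built for this section. It uses a small first-order term representation with Robinson unification, and runs the check on the environments of Example 13 below (the patterns p1, p2 and the environments ρ111, ρ111112 are reconstructed from that example; the names "a[]", "tuple", the constants lambda1 and lambda2 standing for the two distinct session identifiers, and the fact that variables of the two instances are shared rather than renamed apart are assumptions of this example):

```python
"""Hypothesis H2 of Theorem 5, checked as the implementation paragraph above
describes; this is an added illustration, not ProVerif's source. A term is
either a variable Var(name) or an application (symbol, arg1, ...), a constant
being a 1-tuple; names with session arguments such as a[pkB, iA0] are written
("a[]", pkB, iA0). Two fresh constants lambda1 != lambda2 stand for the distinct
session identifiers lambda, lambda'; the variables of the two instances are
shared rather than renamed apart. These conventions are assumptions of this
example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


Term = Union[Var, tuple]
Subst = Dict[Var, Term]


def apply(s: Subst, t: Term) -> Term:
    """sigma t: apply the substitution s to t, chasing chained bindings."""
    if isinstance(t, Var):
        return apply(s, s[t]) if t in s else t
    return (t[0],) + tuple(apply(s, a) for a in t[1:])


def occurs(v: Var, t: Term, s: Subst) -> bool:
    t = apply(s, t)
    return t == v if isinstance(t, Var) else any(occurs(v, a, s) for a in t[1:])


def unify(t1: Term, t2: Term, s: Optional[Subst] = None) -> Optional[Subst]:
    """Robinson unification: a most general unifier of t1 and t2, or None."""
    s = {} if s is None else s
    t1, t2 = apply(s, t1), apply(s, t2)
    if t1 == t2:
        return s
    if isinstance(t1, Var):
        return None if occurs(t1, t2, s) else {**s, t1: t2}
    if isinstance(t2, Var):
        return unify(t2, t1, s)
    if t1[0] != t2[0] or len(t1) != len(t2):
        return None
    for a, b in zip(t1[1:], t2[1:]):
        s = unify(a, b, s)
        if s is None:
            return None
    return s


def session_instance(t: Term, i: Var, lam: str) -> Term:
    """t{lam/i}: replace the session identifier i by the constant lam."""
    return apply({i: (lam,)}, t)


Env = List[Tuple[Dict[str, Term], Var]]   # the pairs (rho, i) of one Env_jk


def h2_witnesses(env: Env) -> List[str]:
    """Start from the domain of some rho and remove every x such that
    rho(x){lambda/i} unifies with rho'(x){lambda'/i'} for two pairs of env
    (a pair is also compared with itself). What is left are the variables
    x_jk that satisfy H2."""
    if not env:
        return []
    candidates = set(env[0][0])
    for rho, i in env:
        for rho2, i2 in env:
            for x in list(candidates):
                if x not in rho or x not in rho2 or unify(
                        session_instance(rho[x], i, "lambda1"),
                        session_instance(rho2[x], i2, "lambda2")) is not None:
                    candidates.discard(x)
    return sorted(candidates)


def h2_holds(env: Env) -> bool:
    return bool(h2_witnesses(env))


# Constructed sample: Env_11 = {(rho_111, iB0)} and Env_1112 = {(rho_111112, iA0)}
# of Example 13 below, with the patterns p1, p2 built as in that example.
iA0, iB0 = Var("iA0"), Var("iB0")
pkA, pkB = ("pk", ("skA[]",)), ("pk", ("skB[]",))
a = ("a[]", pkB, iA0)
p1 = ("pencryptp", ("tuple", a, pkA), pkB, ("r1[]", pkB, iA0))
b = ("b[]", p1, iB0)
p2 = ("pencryptp", ("tuple", a, b, pkB), pkA, ("r2[]", p1, iB0))
ENV_11 = [({"iA": iA0, "x_pkB": pkB, "m": p2}, iB0)]
ENV_1112 = [({"iB": iB0, "m'": p1}, iA0)]
# Constructed counterexample: m does not depend on the session identifier, so
# the same m can come from two sessions and no variable witnesses injectivity.
ENV_REPLAY = [({"m": ("f", Var("y"))}, iB0), ({"m": ("f", Var("y"))}, Var("iB1"))]

if __name__ == "__main__":
    print(h2_witnesses(ENV_11), h2_witnesses(ENV_1112), h2_witnesses(ENV_REPLAY))
```

For ENV_11 only m survives, since iB0 occurs in p2 while pkB and iA0 do not contain iB0, which is exactly the choice x11 = m made in Example 13; for ENV_1112 only m′ survives, because p1 contains iA0; for the replay-style environment the set becomes empty and H2 fails.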

Example 13 For the example P of Section 2.3, the previous theorem does not enable us to prove the correspondence event(eB(x1, x2, x3, x4)) ⇒ (inj event(e3(x1, x2, x3, x4)) ⇒ (inj event(e2(x1, x2, x3, x4)) ⇒ inj event(e1(x1, x2, x3)))) directly. Indeed, Theorem 5 would require that we show a correspondence of the form event(σe2(x1, x2, x3, x4)) ⇒ inj event(σe1(x1, x2, x3)). However, such a correspondence does not hold, because after executing a single event e1, the adversary can replay the first message of the protocol, so that B executes several events e2.

It is still possible to prove this correspondence by combining the automatic proof of the slightly weaker correspondence q = event(eB(x1, x2, x3, x4)) ⇒ (inj event(e3(x1, x2, x3, x4)) ⇒ (inj event(e1(x1, x2, x3)) ∧ inj event(e2(x1, x2, x3, x4)))), which does not order the events e1 and e2, with a simple manual argument. (This technique applies to many other examples.) Let us first prove the latter correspondence.

Let P ′ = instr′(P ) and Init = {c}. We have

solve′P ′,Init(event(eB(x1, x2, x3, x4), i)) =

{H ∧m-event(e3(pkA, pkB, a[pkB, iA0], b[p1, iB0]), ρ111)

⇒ event(eB(pkA, pkB, a[pkB, iA0], b[p1, iB0]), iB0)}


solve′P ′,Init(event(e3(pkA, pkB, a[pkB, iA0], b[p1, iB0]), i)) =

{m-event(e1(pkA, pkB, a[pkB, iA0]), ρ111111)

∧m-event(e2(pkA, pkB, a[pkB, iA0], b[p1, iB0]), ρ111112)

⇒ event(e3(pkA, pkB, a[pkB, iA0], b[p1, iB0]), iA0)}

where pkA = pk(skA[ ]), pkB = pk(skB[ ])

p1 = pencryptp((a[pkB, iA0], pkA), pkB, r1[pkB, iA0])

p2 = pencryptp((a[pkB, iA0], b[p1, iB0], pkB), pkA, r2[p1, iB0])

ρ111 = ρ111111 = {iA ↦ iA0, x pkB ↦ pkB, m ↦ p2}

ρ111112 = {iB ↦ iB0, m′ ↦ p1}

Intuitively, as in Example 12, the value of solve′P′,Init(event(eB(x1, x2, x3, x4), i)) guarantees that each event eB(pkA, pkB, a[pkB, iA0], b[p1, iB0]), executed in the session of index iB = iB0, is preceded by an event e3(pkA, pkB, a[pkB, iA0], b[p1, iB0]) executed in the session of index iA = iA0 with x pkB = pkB and m = p2. Since iB0 occurs in this event (or in its environment), we have injectivity. The value of solve′P′,Init(event(e3(pkA, pkB, a[pkB, iA0], b[p1, iB0]), i)) guarantees that each event e3(pkA, pkB, a[pkB, iA0], b[p1, iB0]) executed in the session of index iA = iA0 is preceded by events e1(pkA, pkB, a[pkB, iA0]) executed in the session of index iA = iA0 with x pkB = pkB and m = p2, and e2(pkA, pkB, a[pkB, iA0], b[p1, iB0]) executed in the session of index iB = iB0 with m′ = p1. Since iA0 occurs in these events (or in their environments), we have injectivity. So we obtain the desired correspondence event(eB(x1, x2, x3, x4)) ⇒ (inj event(e3(x1, x2, x3, x4)) ⇒ (inj event(e1(x1, x2, x3)) ∧ inj event(e2(x1, x2, x3, x4)))).

More formally, let us show that we can apply Theorem 5. We have p = p′1 = eB(x1, x2, x3, x4), p11 = e3(x1, x2, x3, x4), p1111 = e1(x1, x2, x3), p1112 = e2(x1, x2, x3, x4). We show $\mathit{verify}(q, (\mathit{Env}_{\widetilde{jk}})_{\widetilde{jk}})$. Given the first value of solve′P′,Init shown above, we satisfy V2.1 by letting σ11 = {x1 ↦ pkA, x2 ↦ pkB, x3 ↦ a[pkB, iA0], x4 ↦ b[p1, iB0]} and i11 = iB0, with (ρ111, i11) ∈ Env11. The common variables between σ11 q11 = event(e3(pkA, pkB, a[pkB, iA0], b[p1, iB0])) ⇒ (inj event(e1(pkA, pkB, a[pkB, iA0])) ∧ inj event(e2(pkA, pkB, a[pkB, iA0], b[p1, iB0]))) and σ11 p′1 = eB(pkA, pkB, a[pkB, iA0], b[p1, iB0]) are iA0 and iB0, and they occur in σ11 p11 = e3(pkA, pkB, a[pkB, iA0], b[p1, iB0]). So we have V2.2. Recursively, in order to obtain V2.3, we have to show $\mathit{verify}(\sigma_{11} q_{11}, (\mathit{Env}_{11\widetilde{jk}})_{\widetilde{jk}})$. Given the second value of solve′P′,Init shown above, we satisfy V2.1 by letting σ11111 = Id and i11111 = iA0, with (ρ111111, i11111) ∈ Env1111 and (ρ111112, i11111) ∈ Env1112. (We prefix the indices with 111 in order to represent that these values concern the recursive call with j = 1, r = 1, and k = 1.) V2.2 holds trivially, because σ11111 σ11 q111k0 = σ11111 σ11 event(p111k0), since the considered correspondence has one nesting level only. V2.3 holds because q1111 reduces to event(p1111), so $\mathit{verify}(\sigma_{11111}\sigma_{11} q_{1111}, (\mathit{Env}_{1111\widetilde{jk}})_{\widetilde{jk}})$ holds by V1, and the situation is similar for q1112. Therefore, we obtain H1. In order to show H2, we have to find x11 such that ρ111(x11){λ/i11} does not unify with ρ111(x11){λ′/i11} when λ ≠ λ′. This property holds with x11 = m, because i11 = iB0 occurs in ρ111(m) = p2. Similarly, ρ111111(x1111){λ/i11111} does not unify with ρ111111(x1111){λ′/i11111} when λ ≠ λ′, for x1111 = iA, since i11111 = iA0 occurs in ρ111111(iA). Finally, ρ111112(x1112){λ/i11111} does not unify with ρ111112(x1112){λ′/i11111} when λ ≠ λ′ for x1112 = m′, since i11111 = iA0 occurs in ρ111112(m′) = p1. So, by Theorem 5, the process P′ satisfies the recent correspondence event(eB(x1, x2, x3, x4)) ⇒ (inj event(e3(x1, x2, x3, x4)) ⇒ (inj event(e1(x1, x2, x3)) ∧ inj event(e2(x1, x2, x3, x4)))) against Init-adversaries.

We can then show that P′ satisfies the recent correspondence event(eB(x1, x2, x3, x4)) ⇒ (inj event(e3(x1, x2, x3, x4)) ⇒ (inj event(e2(x1, x2, x3, x4)) ⇒ inj event(e1(x1, x2, x3)))). We just have to show that the event e2(x1, x2, x3, x4) is executed after e1(x1, x2, x3). The nonce a is created just before executing e1(x1, x2, x3) = e1(pkA, x pkB, a), and the event e2(x1, x2, x3, x4) = e2(x pkA, pkB, x a, b) contains a in the variable x3 = x a. So e2 has been executed after receiving a message that contains a, so after a has been sent in some message, so after executing event e1.

8 Termination

In this section, we study termination properties of our algorithm. We first show that it terminates on a restricted class of protocols, named tagged protocols. Then, we study how to improve the choice of the selection function in order to obtain termination in other cases.

8.1 Termination for Tagged Protocols

Intuitively, a tagged protocol is a protocol in which each application of a constructor can be immediately distinguished from others in the protocol, for example by a tag: for instance, when we want to encrypt m under k, we add the constant tag ct0 to m, so that the encryption becomes sencrypt((ct0, m), k) where the tag ct0 is a different constant for each encryption in the protocol. The tags are checked when destructors are applied. This condition is easy to realize by adding tags, and it is also a good protocol design: the participants use the tags to identify the messages unambiguously, thus avoiding type flaw attacks [50].

In [20], in collaboration with Andreas Podelski, we have given conditions on the clauses that intuitively correspond to tagged protocols, and we have shown that, for tagged protocols using only public channels, public-key cryptography with atomic keys, shared-key cryptography and hash functions, and for secrecy properties, the solving algorithm using the selection function sel0 terminates.

Here, we extend this result by giving a definition of tagged protocols for processes and showing that the clause generation algorithm yields clauses that satisfy the conditions of [20], so that the solving algorithm terminates. (A similar result has been proved for strong secrecy in the technical report [16].)

Definition 15 (Tagged protocol) A tagged protocol is a process P0 together with a signature of constructors and destructors such that:

C1. The only constructors and destructors are those of Figure 2, plus equal.

C2. In every occurrence of M(x) and M〈N〉 in P0, M is a name free in P0.

C3. In every occurrence of f(. . .) with f ∈ {sencrypt, sencryptp, pencryptp, sign, nmrsign, h, mac} in P0, the first argument of f is a tuple (ct, M1, . . . , Mn), where the tag ct is a constant. Different occurrences of f have different values of the tag ct.

C4. In every occurrence of let x = g(. . .) in P else Q, for g ∈ {sdecrypt, sdecryptp, pdecryptp, checksignature, getmessage} in P0, P = let y = 1thn(x) in if y = ct then P′ for some ct and P′.

In every occurrence of nmrchecksign in P0, its third argument is (ct, M1, . . . , Mn) for some ct, M1, . . . , Mn.

C5. The destructor applications (including equality tests) have no else branches. There exists a trace of P0 (without adversary) in which all program points are executed exactly once.

C6. The second argument of pencryptp in the trace of Condition C5 is of the form pk(M) for some M.

C7. The arguments of pk and host in the trace of Condition C5 are atomic constants (free names or names created by restrictions not under inputs, non-deterministic destructor applications, or replications) and they are not tags.


Condition C1 limits the set of allowed constructors and destructors. We could give conditions on the form of allowed destructor rules, but these conditions are complex, so it is simpler and more intuitive to give an explicit list. Condition C2 states that all channels must be public. This condition avoids the need for the predicate message. Condition C3 guarantees that tags are added in all messages, and Condition C4 guarantees that tags are always checked.

In most cases, the trace of Condition C5 is simply the intended execution of the protocol. All terms that occur in the trace of Condition C5 have pairwise distinct tags (since each program point is executed at most once, and tags at different program points are different by Condition C3). We can prove that it also guarantees that the terms of all clauses generated for the process P0 have instances in the set of terms that occur in the trace of Condition C5 (using the fact that all program points are executed at least once). These properties are key in the termination proof. More concretely, Condition C5 means that, after removing replications of P0, the resulting process has a trace that executes each program point (at least) once. In this trace, all destructor applications succeed and the process reduces to a configuration with an empty set of processes. Since, after removing replications, the number of traces of a process is always finite, Condition C5 is decidable.

Condition C6 means that, in its intended execution, the protocol uses public-key encryption only with public keys, and Condition C7 means that long-term secret (symmetric and asymmetric) keys are atomic constants.

Example 14 A tagged protocol can easily be obtained by tagging the Needham-Schroeder-Lowe protocol. The tagged protocol consists of the following messages:

Message 1. A→ B : {ct0, a, pkA}pkB

Message 2. B → A : {ct1, a, b, pkB}pkA

Message 3. A→ B : {ct2, b}pkB

Each encryption is tagged with a different tag ct0, ct1, and ct2. This protocol can be represented in our calculus by the following process P:

PA(skA, pkA, pkB) = !c(x pkB).(νa)event(e1(pkA, x pkB, a)).

(νr1)c〈pencryptp((ct0, a, pkA), x pkB, r1)〉.

c(m).let (= ct1,= a, x b,= x pkB) = pdecryptp(m, skA) in

event(e3(pkA, x pkB, a, x b)).(νr3)c〈pencryptp((ct2, x b), x pkB, r3)〉

if x pkB = pkB then event(eA(pkA, x pkB, a, x b)).

c〈sencrypt((ct3, sAa), a)〉.c〈sencrypt((ct4, sAb), x b)〉

PB(skB, pkB, pkA) = !c(m′).let (= ct0, x a, x pkA) = pdecryptp(m′, skB) in

(νb)event(e2(x pkA, pkB, x a, b)).

(νr2)c〈pencryptp((ct1, x a, b, pkB), x pkA, r2)〉.

c(m′′).let (= ct2,= b) = pdecryptp(m′′, skB) in

if x pkA = pkA then event(eB(x pkA, pkB, x a, b)).

c〈sencrypt((ct5, sBa), x a)〉.c〈sencrypt((ct6, sBb), b)〉

PT = !c(x1).c(x2).c〈x2〉.(c(x3).c(x4) | c(x5).c(x6))

P = (νskA)(νskB)let pkA = pk(skA) in let pkB = pk(skB) in

c〈pkA〉c〈pkB〉.(PA(skA, pkA, pkB) | PB(skB, pkB, pkA) | PT )

The encryptions that are used for testing the secrecy of nonces are also tagged, with tags ct3 to ct6. Furthermore, a process PT is added in order to satisfy Condition C5, because, without PT, in the absence of adversary, the process would block when it tries to send the public keys pkA and pkB. The execution of Condition C5 is the intended execution of the protocol. In this execution, the process PT receives the public keys pkA and pkB; it forwards pkB on channel c to PA, so that a session between A and B starts. Then A and B run this session normally, and finally output the encryptions of sAa, sAb, sBa, and sBb; these encryptions are received by PT. The other conditions of Definition 15 are easy to check, so P is tagged.
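Condition C3 is the part of Definition 15 that a tool can check purely syntactically. The following added example (not ProVerif's code) collects every application of a tagged constructor in a set of terms, including applications nested inside other terms, and verifies that each one carries a constant tag in first position and that no tag is reused. It is run on the seven tagged applications of Example 14 above and on the nested ticket of the non-termination example of this section; the term encoding (applications as tuples, data tuples under the symbol "tuple", constants as 1-tuples, public keys abbreviated to constants) is an assumption of this example.

```python
"""Condition C3 of Definition 15 as a static check; an added illustration, not
ProVerif's source. A term is a variable Var(name) or an application
(symbol, arg1, ...); a constant is a 1-tuple; data tuples use the symbol
"tuple". These encodings are assumptions of this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


Term = Union[Var, tuple]

# The constructors whose first argument must be tagged, from Condition C3.
TAGGED = {"sencrypt", "sencryptp", "pencryptp", "sign", "nmrsign", "h", "mac"}


def tagged_occurrences(t: Term) -> List[Tuple[str, Term]]:
    """Every application of a tagged constructor in t, nested ones included,
    paired with its first argument."""
    if isinstance(t, Var):
        return []
    occ = [(t[0], t[1])] if t[0] in TAGGED and len(t) > 1 else []
    for arg in t[1:]:
        occ.extend(tagged_occurrences(arg))
    return occ


def check_c3(terms: List[Term]) -> Tuple[bool, List[str]]:
    """Return (ok, problems). Each tagged constructor's first argument must be
    a tuple (ct, M1, ..., Mn) whose tag ct is a constant, and two occurrences
    may not share a tag."""
    problems: List[str] = []
    seen: Dict[str, str] = {}          # tag -> constructor that first used it
    for t in terms:
        for f, first in tagged_occurrences(t):
            if isinstance(first, Var) or first[0] != "tuple" or len(first) < 2:
                problems.append(f"{f}: first argument is not a tuple (ct, ...)")
                continue
            tag = first[1]
            if isinstance(tag, Var) or len(tag) != 1:
                problems.append(f"{f}: tag is not a constant")
                continue
            if tag[0] in seen:
                problems.append(f"{f}: tag {tag[0]} already used by {seen[tag[0]]}")
            else:
                seen[tag[0]] = f
    return (not problems, problems)


def c(name: str) -> tuple:
    """A constant."""
    return (name,)


# Constructed sample: the seven tagged applications of the process P of
# Example 14, with program variables such as x_pkB written as Var.
NSL_TAGGED: List[Term] = [
    ("pencryptp", ("tuple", c("ct0"), Var("a"), c("pkA")), Var("x_pkB"), Var("r1")),
    ("pencryptp", ("tuple", c("ct1"), Var("x_a"), Var("b"), c("pkB")), Var("x_pkA"), Var("r2")),
    ("pencryptp", ("tuple", c("ct2"), Var("x_b")), Var("x_pkB"), Var("r3")),
    ("sencrypt", ("tuple", c("ct3"), Var("sAa")), Var("a")),
    ("sencrypt", ("tuple", c("ct4"), Var("sAb")), Var("x_b")),
    ("sencrypt", ("tuple", c("ct5"), Var("sBa")), Var("x_a")),
    ("sencrypt", ("tuple", c("ct6"), Var("sBb")), Var("b")),
]
# The nested ticket of the non-termination example later in this section.
TICKET: Term = ("sencrypt", ("tuple", c("ct2"), ("sencrypt", ("tuple", c("ct1"),
                ("sencrypt", ("tuple", c("ct0"), Var("y")), c("kSB"))), c("kSA"))), c("kSB"))
# An untagged encryption, which C3 rejects.
UNTAGGED: Term = ("sencrypt", Var("m"), c("k"))

if __name__ == "__main__":
    print(check_c3(NSL_TAGGED))
    print(check_c3(NSL_TAGGED + [TICKET]))
    print(check_c3([UNTAGGED]))
```

The Example 14 terms pass, the ticket on its own passes (its three nested encryptions carry ct2, ct1, ct0), but putting both sets into one process is rejected three times because ct0, ct1 and ct2 are then each used twice, and the untagged encryption is rejected because its first argument is a bare variable.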

Proposition 3 below applies to P, and also to the process without PT, because the addition of PT in fact does not change the clauses. (The only clause generated from PT is a tautology, immediately removed by elimtaut.)

We prove the following termination result in Appendix D:

Proposition 3 For sel = sel0, the algorithm terminates on tagged protocols for queries of the form α ⇒ false when α is closed and all facts in Fnot are closed.

The proof first considers the particular case in which pk and host have a single argument in the execution of Condition C5, and then generalizes by mapping all arguments of pk and host (which are atomic constants by Condition C7) to a single constant. The proof of the particular case proceeds in two steps. The first step shows that the clauses generated from a tagged protocol satisfy the conditions of [20]. Basically, these conditions require that the clauses for the protocol satisfy the following properties:

T1. The patterns in the clauses are tagged, that is, the first argument of all occurrences of constructors except tuples, pk, and host is of the form (ct, M1, . . . , Mn). The proof of this property relies on Conditions C3 and C4.

T2. Let S1 be the set of subterms of patterns that correspond to the terms that occur in the execution of Condition C5. Every clause has an instance in which all patterns are in S1. The proof of this property relies on Condition C5.

T3. Each non-variable, non-data tagged pattern has at most one instance in S1. (A pattern is said to be non-data when it is not of the form f(. . .) with f a data constructor, that is, here, a tuple.) This property comes from Condition C3 which guarantees that the tags at distinct occurrences are distinct and, for pk(p) and host(p), from the hypothesis that pk and host have a single argument in the execution of Condition C5.

Note that the patterns in the clauses (Rf) and (Rg) that come from constructors and destructors are not tagged, so we need to handle them specially; Conditions C1 and C6 are useful for that.

The second step of the proof uses the result of [20] in order to conclude termination. Basically, this result shows that Properties T1 and T2 are preserved by resolution. The proof of this result relies on the fact that, if two non-variable non-data tagged patterns unify and have instances in S1, then their instances in S1 are equal (by T3). So, when unifying two such patterns, their unification still has an instance in S1. Furthermore, we show that the size of the instance in S1 of a clause obtained by resolution is not greater than the size of the instance in S1 of one of the initial clauses. Hence, we can bound the size of the instance in S1 of generated clauses, which shows that only finitely many clauses are generated.

The hypothesis that all facts in Fnot are closed is not really a restriction, since we can always remove facts from Fnot without changing the result. (It may just slow down the resolution.) The restriction to queries α ⇒ false allows us to remove m-event facts from clauses (by Remark 3). For more general queries, m-event facts may occur in clauses, and one can find examples on which the algorithm does not terminate. Here is such an example:

PS = c′1(y); let z = sencrypt((ct0, y), kSB) in

c′2〈sencrypt((ct2, sencrypt((ct1, z), kSA)), kSB)〉; event(h((ct3, y))); c′3〈z〉


PB = c′2(z′); c′3(z); let (= ct0, y) = sdecrypt(z, kSB) in

let (= ct2, y′) = sdecrypt(z′, kSB) in event(h((ct4, y, y′))); c′4〈y′〉

P0 = (νkSB); (c′1〈C0〉 | !PS | !PB | c′4(y′))

This example has been built on purpose for exhibiting non-termination, since we did not meet such non-termination cases in our experiments with real protocols. One can interpret this example as follows. The participant A shares a key kSA with a server S. Similarly, B shares a key kSB with S. The code of S is represented by PS, the code of B by PB, and A is assumed to be dishonest, so it is represented by the adversary. The process PS builds two tickets sencrypt((ct0, y), kSB) and sencrypt((ct2, sencrypt((ct1, sencrypt((ct0, y), kSB)), kSA)), kSB). The first ticket is for B; the second ticket should first be decrypted by B, then sent to A, which is going to decrypt it again and send it back to B. In the example, PB just decrypts the two tickets and forwards the second one to A. It is easy to check that this process is a tagged protocol. This process generates the following clauses:

\[
\mathrm{attacker}(y) \Rightarrow \mathrm{attacker}(\mathit{sencrypt}((ct_2, \mathit{sencrypt}((ct_1, \mathit{sencrypt}((ct_0, y), k_{SB})), k_{SA})), k_{SB})) \tag{19}
\]

\[
\mathrm{attacker}(y) \wedge \text{m-event}(h((ct_3, y))) \Rightarrow \mathrm{attacker}(\mathit{sencrypt}((ct_0, y), k_{SB})) \tag{20}
\]

\[
\mathrm{attacker}(\mathit{sencrypt}((ct_0, y), k_{SB})) \wedge \mathrm{attacker}(\mathit{sencrypt}((ct_2, y'), k_{SB})) \wedge \text{m-event}(h((ct_4, y, y'))) \Rightarrow \mathrm{attacker}(y') \tag{21}
\]

\[
\mathrm{attacker}(C_0) \tag{22}
\]

The first two clauses come from PS, the third one from PB, and the last one from the output in P0. Obviously, clauses (Init) (in particular attacker(kSA) since kSA ∈ fn(P0)), (Rf) for sencrypt and h, and (Rg) for sdecrypt are also generated. Assuming the first hypothesis is selected in (21), the solving algorithm performs a resolution step between (20) and (21), which yields:

\[
\mathrm{attacker}(y) \wedge \mathrm{attacker}(\mathit{sencrypt}((ct_2, y'), k_{SB})) \wedge \text{m-event}(h((ct_3, y))) \wedge \text{m-event}(h((ct_4, y, y'))) \Rightarrow \mathrm{attacker}(y')
\]

The second hypothesis is selected in this clause. By resolving with (19), we obtain

\[
\mathrm{attacker}(y) \wedge \mathrm{attacker}(y') \wedge \text{m-event}(h((ct_3, y))) \wedge \text{m-event}(h((ct_4, y, \mathit{sencrypt}((ct_1, \mathit{sencrypt}((ct_0, y'), k_{SB})), k_{SA})))) \Rightarrow \mathrm{attacker}(\mathit{sencrypt}((ct_1, \mathit{sencrypt}((ct_0, y'), k_{SB})), k_{SA}))
\]

By applying (Rg) for sdecrypt and resolving with attacker(ct1) and attacker(kSA), we obtain:

\[
\mathrm{attacker}(y) \wedge \mathrm{attacker}(y') \wedge \text{m-event}(h((ct_3, y))) \wedge \text{m-event}(h((ct_4, y, \mathit{sencrypt}((ct_1, \mathit{sencrypt}((ct_0, y'), k_{SB})), k_{SA})))) \Rightarrow \mathrm{attacker}(\mathit{sencrypt}((ct_0, y'), k_{SB}))
\]

This clause is similar to (20), so we can repeat this resolution process, resolving with (21), (19), and decrypting the conclusion. Hence we obtain

\[
\bigwedge_{j=1}^{n} \mathrm{attacker}(y_j) \wedge \text{m-event}(h((ct_3, y_1))) \wedge \bigwedge_{j=1}^{n-1} \text{m-event}(h((ct_4, y_j, \mathit{sencrypt}((ct_1, \mathit{sencrypt}((ct_0, y_{j+1}), k_{SB})), k_{SA})))) \Rightarrow \mathrm{attacker}(\mathit{sencrypt}((ct_0, y_n), k_{SB}))
\]

for all n > 0, so the algorithm does not terminate. As noticed in [20], termination could be obtained in the presence of m-event facts with an additional simplification:


Elimination of useless m-event facts: elim-m-event eliminates m-event facts in which a variable x occurs, and x only occurs in m-event facts and in attacker(x) hypotheses.

This simplification is always sound, because it creates a stronger clause. It does not lead to a loss of precision when all variables of events after ⇒ also occur in the event before ⇒. (This happens in particular for non-injective agreement.) Indeed, assume that m-event(p) contains a variable which does not occur in the conclusion. This is preserved by resolution, so when we obtain a clause m-event(p′) ∧ H ⇒ event(p′′), where m-event(p′) comes from m-event(p), p′ contains a variable that does not occur in p′′, so this occurrence of m-event(p′) cannot be used to prove the desired correspondence. However, in the general case, this simplification leads to a loss of precision. (It may miss some m-event facts.) That is why this optimization was present in early implementations which verified only authentication, and was later abandoned. We could reintroduce it when all variables of events after ⇒ also occur in the event before ⇒, if we had termination problems coming from m-event facts for practical examples. No such problems have occurred up to now.

8.2 Choice of the Selection Function

Unfortunately, not all protocols are tagged. In particular, protocols using a Diffie-Hellman key agreement (see Section 9.1) are not tagged in the sense of Definition 15. The algorithm still terminates for some of them (Skeme [52] for secrecy, SSH) with the previous selection function sel0. However, it does not terminate with the selection function sel0 for some other examples (Skeme [52] for one authentication property, the Needham-Schroeder shared-key protocol [60], some versions of the Woo-Lam shared-key protocol [70] and [5, Example 6.2]). In this section, we present heuristics to improve the choice of the selection function, in order to avoid most simple non-termination cases. As reported in more detail in Section 10, these heuristics provide termination for Skeme [52] and the Needham-Schroeder shared-key protocol [60].

Let us determine which constraints the selection function should satisfy to avoid loops in the algorithm. First, assume that there is a clause H ∧ F ⇒ σF, where σ is a substitution such that all σ^n F are distinct for n ∈ ℕ.

• Assume that F is selected in this clause, and there is a clause H′ ⇒ F′, where F′ unifies with F, and the conclusion is selected in H′ ⇒ F′. Let σ′ be the most general unifier of F and F′. So the algorithm generates:

\[
\sigma' H' \wedge \sigma' H \Rightarrow \sigma'\sigma F \quad \ldots \quad \sigma' H' \wedge \bigwedge_{i=0}^{n-1} \sigma'\sigma^i H \Rightarrow \sigma'\sigma^n F
\]

assuming that the conclusion is selected in all these clauses, and that no clause is removed because it is subsumed by another clause. So the algorithm would not terminate. Therefore, in order to avoid this situation, we should avoid selecting F in the clause H ∧ F ⇒ σF.

• Assume that the conclusion is selected in the clause H ∧ F ⇒ σF, and there is a clause H′ ∧ σ′F ⇒ C (up to renaming of variables), where σ′ commutes with σ (in particular, when σ and σ′ have disjoint supports), and that σ′F is selected in this clause. So the algorithm generates:

\[
\sigma' H \wedge \sigma H' \wedge \sigma' F \Rightarrow \sigma C \quad \ldots \quad \bigwedge_{i=0}^{n-1} \sigma'\sigma^i H \wedge \sigma^n H' \wedge \sigma' F \Rightarrow \sigma^n C
\]

assuming that σ′F is selected in all these clauses, and that no clause is removed because it is subsumed by another clause. So the algorithm would not terminate. Therefore, in order to avoid this situation, if the conclusion is selected in the clause H ∧ F ⇒ σF, we should avoid selecting facts of the form σ′F, where σ′ and σ have disjoint supports, in other clauses.

In particular, since there are clauses of the form attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)), by the first remark, the facts attacker(xi) should not be selected in this clause. So the conclusion will be selected in this clause and, by the second remark, facts of the form attacker(x) with x variable should not be selected in other clauses. We find again the constraint used in the definition of sel0.

We also have the following similar remarks after swapping conclusion and hypothesis. Assume that there is a clause H ∧ σF ⇒ F, where σ is a substitution such that all σ^n F are distinct for n ∈ ℕ. We should avoid selecting the conclusion in this clause and, if we select σF in this clause, we should avoid selecting conclusions of the form σ′F, where σ′ and σ have disjoint supports, in other clauses.

We define a selection function that takes into account all these remarks. For a clause H ⇒ C, we define the weight whyp(F) of a fact F ∈ H by:

\[
w_{\mathit{hyp}}(F) = \begin{cases}
-\infty & \text{if } F \text{ is an unselectable fact} \\
-2 & \text{if } \exists\sigma,\ \sigma F = C \\
-1 & \text{otherwise, if } F \in S_{\mathit{hyp}} \\
0 & \text{otherwise.}
\end{cases}
\]

The set Shyp is defined as follows: at the beginning, Shyp = ∅; if we generate a clause H ∧ F ⇒ σF where σ is a substitution that maps variables of F to terms that are not all variables and, in this clause, we select the conclusion, then we add to Shyp all facts σ′F with σ and σ′ of disjoint support (and renamings of these facts). For simplicity, we have replaced the condition “all σ^n F are distinct for n ∈ ℕ” with “σ maps variables of F to terms that are not all variables”. (The former implies the latter but the converse is wrong.) Our aim is only to obtain good heuristics, since there exists no perfect selection function that would provide termination in all cases. The set Shyp can easily be represented finitely: just store the facts F with, for each variable, a flag indicating whether this variable can be substituted by any term by σ′, or only by a variable.

Similarly, we define the weight of the conclusion:

\[
w_{\mathit{concl}} = \begin{cases}
-2 & \text{if } \exists\sigma,\ \exists F \in H,\ \sigma C = F \\
-1 & \text{otherwise, if } C \in S_{\mathit{concl}} \\
0 & \text{otherwise.}
\end{cases}
\]

The set Sconcl is defined as follows: at the beginning, Sconcl = ∅; if we generate a clause H ∧ σF ⇒ F where σ is a substitution that maps variables of F to terms that are not all variables and, in this clause, we select σF, then we add to Sconcl all facts σ′F with σ and σ′ of disjoint support (and renamings of these facts).

Finally, we define

\[
\mathit{sel}_1(H \Rightarrow C) = \begin{cases}
\emptyset & \text{if } \forall F \in H,\ w_{\mathit{hyp}}(F) < w_{\mathit{concl}}, \\
\{F_0\} & \text{where } F_0 \in H \text{ is of maximum weight, otherwise.}
\end{cases}
\]

Therefore, we avoid unifying facts of smallest weight when that is possible. The selected fact F0 can be any element of H of maximum weight. In the implementation, the hypotheses are represented by a list, and the selected fact is the first element of the list of hypotheses of maximum weight.

We can also notice that the bigger the fact is, the stronger are the constraints to unify it with another fact. So selecting a bigger fact should reduce the possible unifications. Therefore, we consider sel2, defined as sel1 except that whyp(F) = size(F) instead of 0 in the last case.


When selecting a fact that has a negative weight, we are in one of the cases in which termination will probably not be achieved. We therefore emit a warning in this case, so that the user can stop the program.
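As an added illustration (not code from the paper or from its verifier), the following Python sketch computes the weights and the choice made by sel1 and sel2 on a clause, using matching (σF = C) exactly as the definitions above describe. The first case of whyp is defined just before this excerpt; the sketch assumes it mirrors wconcl (weight −2 when some substitution maps the hypothesis onto the conclusion). Shyp and Sconcl are represented finitely with the per-variable flag described above. The two clauses at the end (the attacker's symmetric encryption and decryption rules) are constructed sample inputs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    name: str


# Terms and facts are nested tuples (symbol, arg_1, ..., arg_n); variables are Var.
# Constructed sample fact: ("attacker", ("senc", Var("s"), Var("k"))).

def match(pattern, term, subst=None):
    """Return a substitution sigma with sigma(pattern) == term, or None if none exists."""
    subst = {} if subst is None else subst
    if isinstance(pattern, Var):
        bound = subst.get(pattern)
        if bound is None:
            subst[pattern] = term
            return subst
        return subst if bound == term else None
    if not isinstance(pattern, tuple):          # constant symbol
        return subst if pattern == term else None
    if not isinstance(term, tuple) or len(term) != len(pattern) or term[0] != pattern[0]:
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst


def size(term):
    """Number of symbols in a term (used by sel2 in place of weight 0)."""
    return 1 + sum(size(t) for t in term[1:]) if isinstance(term, tuple) else 1


def member(stored, fact):
    """Finite membership test for Shyp / Sconcl: each entry is (F, free), where `free`
    holds the variables of F that sigma' may replace by any term; the others (the
    support of sigma) may only be renamed, i.e. replaced by variables."""
    for pattern, free in stored:
        sigma = match(pattern, fact)
        if sigma is not None and all(isinstance(t, Var) for v, t in sigma.items() if v not in free):
            return True
    return False


def w_hyp(F, C, s_hyp, use_size):
    if match(F, C) is not None:      # assumed first case: some sigma maps F onto the conclusion C
        return -2
    if member(s_hyp, F):             # F in Shyp
        return -1
    return size(F) if use_size else 0   # sel1 gives 0 here, sel2 gives size(F)


def w_concl(H, C, s_concl):
    if any(match(C, F) is not None for F in H):   # exists sigma, F in H with sigma(C) == F
        return -2
    if member(s_concl, C):                        # C in Sconcl
        return -1
    return 0


def select(clause, s_hyp=(), s_concl=(), use_size=False):
    """sel1 (use_size=False) or sel2 (use_size=True): None means 'select the conclusion'."""
    H, C = clause
    wc = w_concl(H, C, s_concl)
    weights = [(w_hyp(F, C, s_hyp, use_size), F) for F in H]
    if all(w < wc for w, _ in weights):
        return None
    best = max(w for w, _ in weights)
    return next(F for w, F in weights if w == best)   # first hypothesis of maximum weight


# Constructed sample clauses: the attacker's symmetric encryption and decryption rules.
x, y, s, k = Var("x"), Var("y"), Var("s"), Var("k")
ENC = ([("attacker", x), ("attacker", y)], ("attacker", ("senc", x, y)))
DEC = ([("attacker", ("senc", s, k)), ("attacker", k)], ("attacker", s))

if __name__ == "__main__":
    print(select(ENC))                  # None: both hypotheses weigh -2, the conclusion 0
    print(select(DEC))                  # attacker(senc(s, k)): the only hypothesis of weight 0
    print(select(DEC, use_size=True))   # same choice under sel2 (weight 4 against -2)
```

On the encryption clause both hypotheses attacker(x) and attacker(y) are more general than the conclusion, so they weigh −2 and the conclusion is selected; on the decryption clause attacker(k) weighs −2 while the conclusion itself matches the first hypothesis (wconcl = −2), so the hypothesis attacker(senc(s, k)) is selected, which is the usual choice that keeps resolution on attacker clauses from looping.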

9 Extensions

In this section, we briefly sketch a few extensions to the framework presented previously. The extensions of Sections 9.1, 9.2, and 9.3 were presented in [18] for the proof of process equivalences. We sketch here how to adapt them to the proof of correspondences.

9.1 Equational Theories and Diffie-Hellman Key Agreements

Up to now, we have defined cryptographic primitives by associating rewrite rules to destructors. Another way of defining primitives is by equational theories, as in the applied pi calculus [4]. This allows us to model, for instance, variants of encryption for which the failure of decryption cannot be detected, or more complex primitives such as Diffie-Hellman key agreements. The Diffie-Hellman key agreement [38] enables two principals to build a shared secret. It is used as an elementary step in more complex protocols, such as Skeme [52], SSH, SSL, and IPsec.

As shown in [18], our verifier can be extended to handle some equational theories. Basically, one shows that each trace in a model with an equational theory corresponds to a trace in a model in which function symbols are equipped with additional rewrite rules, and conversely. (We could adapt [18, Lemma 1] to show that this result also applies to correspondences.) Therefore, we can show that a correspondence proved in the model with rewrite rules implies the same correspondence in the model with an equational theory. Moreover, we have implemented algorithms that compute the rewrite rules from an equational theory.

In the experiments reported in this paper, we use equational theories only for the Diffie-Hellman key agreement, which can be modeled by using two functions f and f′ that satisfy the equation

f(y, f′(x)) = f(x, f′(y)).    (23)

In practice, the functions are f(x, y) = y^x mod p and f′(x) = b^x mod p, where p is prime and b is a generator of ℤ_p^*. The equation f(y, f′(x)) = (b^x)^y mod p = (b^y)^x mod p = f(x, f′(y)) is satisfied. In our verifier, following the ideas used in the applied pi calculus [4], we do not consider the underlying number theory; we work abstractly with the equation (23). The Diffie-Hellman key agreement involves two principals A and B. A chooses a random name x0, and sends f′(x0) to B. Similarly, B chooses a random name x1, and sends f′(x1) to A. Then A computes f(x0, f′(x1)) and B computes f(x1, f′(x0)). Both values are equal by (23), and they are secret: assuming that the attacker cannot have x0 or x1, it can compute neither f(x0, f′(x1)) nor f(x1, f′(x0)).

In our verifier, the equation (23) is translated into the rewrite rules

f(y, f′(x)) → f(x, f′(y))        f(x, y) → f(x, y).

Notice that this definition of f is non-deterministic: a term such as f(a, f′(b)) can be reduced to f(b, f′(a)) and f(a, f′(b)), so that f(a, f′(b)) reduces to its two forms modulo the equational theory. The fact that these rewrite rules model the equation (23) correctly follows from [18, Section 5].
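As an added example (not part of the paper or of its verifier), the following Python code implements the two rewrite rules as a closure: forms(t) collects every term reachable from t by rewriting at any position, so that two closed terms are equal modulo equation (23) exactly when their sets of forms intersect. This is the "rewrite first, then compare syntactically" idea of the text, restricted to closed terms (no unification variables). The same function also checks the concrete instantiation f(x, y) = y^x mod p, f′(x) = b^x mod p on small constructed parameters (p = 23, b = 5, exponents 4 and 3).

```python
# Terms: a name is a string; f(x, y) is ("f", x, y); f'(x) is ("fp", x).


def rewrite_once(t):
    """All terms obtained from t by one application of f(y, f'(x)) -> f(x, f'(y)) at any
    position. The second rule, f(x, y) -> f(x, y), is the identity and adds nothing new."""
    if not isinstance(t, tuple):
        return set()
    results = set()
    if t[0] == "f" and isinstance(t[2], tuple) and t[2][0] == "fp":
        y, x = t[1], t[2][1]
        results.add(("f", x, ("fp", y)))
    for i in range(1, len(t)):                      # rewrite inside each argument
        for r in rewrite_once(t[i]):
            results.add(t[:i] + (r,) + t[i + 1:])
    return results


def forms(t):
    """Closure of {t} under rewriting: every representative of t modulo equation (23).
    The rule only swaps two names, so the closure is finite."""
    seen, todo = {t}, [t]
    while todo:
        u = todo.pop()
        for v in rewrite_once(u):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen


def equal_mod_dh(t1, t2):
    """Closed-term equality modulo (23): rewrite both sides, then compare syntactically."""
    return not forms(t1).isdisjoint(forms(t2))


def abstract_exchange(x0, x1):
    """A holds the name x0 and receives f'(x1); B holds x1 and receives f'(x0).
    Returns the two key terms computed by A and B, respectively."""
    key_a = ("f", x0, ("fp", x1))
    key_b = ("f", x1, ("fp", x0))
    return key_a, key_b


def concrete_exchange(p, b, x0, x1):
    """The same exchange with f(x, y) = y^x mod p and f'(x) = b^x mod p (constructed parameters)."""
    def fp(x):
        return pow(b, x, p)

    def f(x, y):
        return pow(y, x, p)

    return f(x0, fp(x1)), f(x1, fp(x0))


if __name__ == "__main__":
    ka, kb = abstract_exchange("x0", "x1")
    print(forms(ka))                    # both forms of the term, as the text describes
    print(equal_mod_dh(ka, kb))         # True: A and B agree modulo (23)
    print(concrete_exchange(23, 5, 4, 3))   # (18, 18): the same agreement in Z_23^*
```

Because rewriting with rule (23) never changes the size of a term, forms(t) is finite; with an associative rule such as XOR this closure would not be finite, which is the limitation the paper mentions at the end of this section.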

When using this model, we have to adapt the verification of correspondences. Indeed, the conditions on the clauses must be checked modulo the equational theory. (Using the rewrite rules, we can implement unification modulo the equational theory, basically by rewriting the terms by the rewrite rules before performing syntactic unification.) For example, in the case of non-injective agreement, even if the process P0 satisfies non-injective agreement against Init-adversaries, it may happen that a clause m-event(e′(p1, . . . , pn){f(p2, f′(p1))/z}) ⇒ event(e(p1, . . . , pn){f(p1, f′(p2))/z}) is in solve_{P′0,Init}(event(e(x1, . . . , xn))). The specification is still satisfied in this case, because (p1, . . . , pn){f(p1, f′(p2))/z} = (p1, . . . , pn){f(p2, f′(p1))/z} modulo the equational theory. So we have to test that, if H ⇒ event(e(p1, . . . , pn)) is in solve_{P′0,Init}(event(e(x1, . . . , xn))), then there exist p′1, . . . , p′n equal to p1, . . . , pn modulo the equational theory such that m-event(e′(p′1, . . . , p′n)) ∈ H. More generally, the equality R = H ∧ m-event(σ′p_{j1}) ∧ . . . ∧ m-event(σ′p_{jl_j}) ⇒ event(σ′p′_j) in the hypothesis of Theorem 3 is checked modulo the equational theory (using matching modulo the equational theory to find σ′). Point V2.1 of the definition of verify and Hypothesis H2 of Theorem 5 are also checked modulo the equational theory. Furthermore, the following condition is added to Point V2.2 of the definition of verify:

For all j, r, and k, we let qc = σ_{jr} q_{jk} and pc = σ_{jr} p_{jk}, and we require that, for all substitutions σ and σ′, if σpc = σ′pc and for all x ∈ fv(qc) \ fv(pc), σx = σ′x, then σqc = σ′qc (where equalities are considered modulo the equational theory).

This property is useful in the proof of Theorem 5 (see Appendix E). It always holds when the equational theory is empty, because σpc = σ′pc implies that for all x ∈ fv(pc), σx = σ′x, so for all x ∈ fv(qc), σx = σ′x. However, it does not hold in general for any equational theory, so we need to check it explicitly when the equational theory is non-empty. In the implementation, this condition is checked as follows. Let θ be a renaming of the variables of pc to fresh variables. We check that, for every most general unifier σu of pc and θpc modulo the equational theory, σu qc = σu θqc modulo the equational theory. When this check succeeds, we can prove the condition above as follows. Let σ0 be defined by, for all x ∈ fv(qc), σ0 x = σx and, for all x ∈ fv(θpc), σ0 x = σ′θ⁻¹x. If σpc = σ′pc, then σ0 pc = σpc = σ′pc = σ0 θpc, so σ0 unifies pc and θpc, hence there exist σ1 and a most general unifier σu of pc and θpc such that σ0 = σ1 σu. We have σu qc = σu θqc, so σqc = σ0 qc = σ1 σu qc = σ1 σu θqc = σ0 θqc = σ′qc.

This treatment of equations has the advantage that resolution can still use syntactic unification, so it remains efficient. However, it also has limitations; for example, it cannot handle associative functions, such as XOR, because it would generate an infinite number of rewrite rules for the destructors. We refer to [28, 31] for treatments of XOR and to [27, 48, 56, 58] for treatments of Diffie-Hellman key agreements with more detailed algebraic relations. The NRL protocol analyzer handles a limited version of associativity for strings of bounded length [43], which we could handle.

9.2 Precise Treatment of else Branches

In the generation of clauses described in Section 5.2, we consider that the else branch of destructor applications may always be executed. Our implementation takes into account these else branches more precisely. In order to do that, it uses a set of special variables GVar and a predicate nounif, also used in [18], such that, for all closed patterns p and p′, nounif(p, p′) holds if and only if there is no closed substitution σ with domain GVar such that σp = σp′. The fact nounif(p, p′) means that p ≠ p′ for all values of the special variables in GVar.

One can then check the failure of an equality test M = M′ by nounif(ρ(M), ρ(M′)) and the failure of a destructor application g(M1, . . . , Mn) by

⋀_{g(p1, . . . , pn) → p ∈ def(g)} nounif((ρ(M1), . . . , ρ(Mn)), GVar(p1, . . . , pn)),

where GVar(p) is the pattern p after renaming all its variables to elements of GVar and ρ is the environment that maps variables to their corresponding patterns. Intuitively, the rewrite rule g(p1, . . . , pn) → p can be applied if and only if (ρ(M1), . . . , ρ(Mn)) is an instance of (p1, . . . , pn). So the rewrite rule g(p1, . . . , pn) → p cannot be applied if and only if nounif((ρ(M1), . . . , ρ(Mn)), GVar(p1, . . . , pn)).

The predicate nounif is handled by specific simplification steps in the solver, described and proved correct in [18].


9.3 Scenarios with Several Stages

Some protocols can be broken into several parts, or stages, numbered 0, 1, . . . , such that when the protocol starts, stage 0 is executed; at some point in time, stage 0 stops and stage 1 starts; later, stage 1 stops and stage 2 starts, and so on. Therefore, stages allow us to model a global clock. Our verifier can be extended to such scenarios with several stages, as summarized in [18]. We add a construct t : P to the syntax of processes, which means that process P runs only in stage t, where t is an integer.

The generation of clauses can easily be extended to processes with stages. We use predicates attacker_t and message_t for each stage t, generate the clauses for the attacker for each stage, and the clauses for the protocol with predicates attacker_t and message_t for each process that runs in stage t. Furthermore, we add clauses

attacker_t(x) ⇒ attacker_{t+1}(x)    (R_t)

in order to transmit attacker knowledge from each stage t to the next stage t + 1.

Scenarios with several stages allow us to model properties related to the compromise of keys. For example, we can model forward secrecy properties as follows. Consider a public-key protocol P (without stage prefix) and the process P′ = 0 : P | 1 : c⟨skA⟩; c⟨skB⟩, which runs P in stage 0 and later outputs the secret keys of A and B on the public channel c in stage 1. If we prove that P′ preserves the secrecy of the session keys of P, then the attacker cannot obtain these session keys even if it later compromises the private keys of A and B, which is forward secrecy.
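To make the stage clauses concrete, here is an added Python example (not the paper's verifier, whose resolution-based algorithm is different): a small depth-bounded backward-chaining solver over Horn clauses with unification. It models a constructed key-transport protocol in which A sends a session key k encrypted under B's public key, with attacker clauses for stages 0 and 1, the clause (R_0), and the stage-1 output of skB from the process P′ above. The names penc, pk, skB and k, and the step bound, are choices of this example. The search shows that k is not derivable in stage 0, but attacker_1(k) becomes derivable once skB is published in stage 1, so this protocol does not have forward secrecy; without the compromise fact, attacker_1(k) stays underivable.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    name: str


_fresh = itertools.count()


def rename(term, mapping):
    """Give every variable of a clause a fresh name before it is used in a resolution step."""
    if isinstance(term, Var):
        if term not in mapping:
            mapping[term] = Var(f"{term.name}#{next(_fresh)}")
        return mapping[term]
    if isinstance(term, tuple):
        return tuple(rename(t, mapping) for t in term)
    return term                       # stage numbers and constant names


def walk(term, subst):
    while isinstance(term, Var) and term in subst:
        term = subst[term]
    return term


def unify(a, b, subst):
    """Syntactic unification (no occurs check); returns an extended substitution or None."""
    a, b = walk(a, subst), walk(b, subst)
    if a == b:
        return subst
    if isinstance(a, Var):
        return {**subst, a: b}
    if isinstance(b, Var):
        return {**subst, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for u, v in zip(a, b):
            subst = unify(u, v, subst)
            if subst is None:
                return None
        return subst
    return None


def solve(goals, subst, steps, clauses):
    """Depth-first backward chaining; `steps` bounds the total number of clause uses."""
    if not goals:
        return True
    if steps == 0:
        return False
    goal, rest = goals[0], goals[1:]
    for hyps, concl in clauses:
        mapping = {}
        new_subst = unify(goal, rename(concl, mapping), subst)
        if new_subst is not None:
            new_goals = [rename(h, mapping) for h in hyps] + rest
            if solve(new_goals, new_subst, steps - 1, clauses):
                return True
    return False


def derivable(fact, clauses, max_steps=6):
    """True if `fact` has a derivation using at most max_steps clauses. This is a bounded
    check: False only means 'no short derivation', unlike the paper's saturation."""
    return solve([fact], {}, max_steps, clauses)


# Facts attacker_t(M) are written ("attacker", t, M); hypothetical constructors: penc, pk.
def att(t, term):
    return ("attacker", t, term)


x, y, m, sk = Var("x"), Var("y"), Var("m"), Var("sk")


def attacker_clauses(t):
    """Public-key encryption for the attacker in stage t (constructed, minimal set)."""
    return [
        ([att(t, x), att(t, y)], att(t, ("penc", x, y))),                   # encrypt
        ([att(t, x)], att(t, ("pk", x))),                                   # derive public key
        ([att(t, ("penc", m, ("pk", sk))), att(t, sk)], att(t, m)),         # decrypt with sk
    ]


def stage_clause(t):
    """Clause (R_t): knowledge of stage t carries over to stage t + 1."""
    return ([att(t, x)], att(t + 1, x))


# Constructed protocol: in stage 0 B's public key is public and A sends k under it;
# in stage 1 (process P' above) the long-term key skB is output on the public channel.
PROTOCOL = [([], att(0, ("pk", "skB"))), ([], att(0, ("penc", "k", ("pk", "skB"))))]
COMPROMISE = [([], att(1, "skB"))]


def build(compromise):
    clauses = list(PROTOCOL) + (COMPROMISE if compromise else [])
    clauses.append(stage_clause(0))
    return clauses + attacker_clauses(0) + attacker_clauses(1)


if __name__ == "__main__":
    print(derivable(att(0, "k"), build(True)))   # False: k is secret while stage 0 runs
    print(derivable(att(1, "k"), build(True)))   # True: publishing skB in stage 1 reveals k
    print(derivable(att(1, "k"), build(False)))  # False: without the compromise, k stays secret
```

The derivation found in stage 1 uses exactly the mechanism of the text: the ciphertext penc(k, pk(skB)) learned in stage 0 is carried to stage 1 by (R_0), where it meets the compromised skB. Knowledge never flows backwards, so attacker_0(skB) remains underivable even with the compromise clause present.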

9.4 Compromise of Session Keys

We consider the situation in which the attacker compromises some session keys of the protocol. Our goal is then to show that the other session keys of the protocol are still safe. For example, this property does not hold for the Needham-Schroeder shared-key protocol [60]: in this protocol, when an attacker manages to get some session keys, then it can also get the secrets of other sessions.

If we assume that the compromised sessions are all run before the standard sessions (to model that the adversary needs time to break the session keys before being able to use the obtained information against standard sessions), then this can be modeled as a scenario with two stages: in stage 0, the process runs a modified version of the protocol that outputs its session keys; in stage 1, the standard sessions run; we prove the security of the sessions of stage 1.

However, we can also consider a stronger model, in which the compromised sessions may run in parallel with the non-compromised ones. In this case, we have a single stage.

Let P0 be the process representing the whole protocol. We consider that the part of P0 not under replications corresponds to the creation of long-term secrets, and the part of P0 under at least one replication corresponds to the sessions. We say that the names generated under at least one replication in P0 are session names. We add one argument i_c to the function symbols a[. . .] that encode session names in the instrumented process P′0; this additional argument is named compromise identifier and can take two values, s0 or s1. We consider that, during the execution of the protocol, each replicated subprocess !Q_X of P0 generates two sets of copies of Q_X, one with compromise identifier s0, one with s1. The attacker compromises sessions that involve only copies of processes Q_X with the compromise identifier s0. It does not compromise sessions that involve at least one copy of some process Q_X with compromise identifier s1.

The clauses for the process P0 are generated as in Section 5.2 (except for the addition of a variable compromise identifier as argument of session names). The following clauses are added:

For each constructor f,
    comp(x1) ∧ . . . ∧ comp(xk) ⇒ comp(f(x1, . . . , xk))

For each (νa : a[. . .]) under n replications and k inputs and non-deterministic destructor applications in P′0,
    comp(x1) ∧ . . . ∧ comp(xk) ⇒ comp(a[x1, . . . , xk])                           if n = 0
    comp(x1) ∧ . . . ∧ comp(xk) ⇒ comp(a[x1, . . . , xk, i1, . . . , in, s0])         if n > 0
    comp(x1) ∧ . . . ∧ comp(xk) ⇒ attacker(a[x1, . . . , xk, i1, . . . , in, s0])     if n > 0

The predicate comp is such that comp(p) is true when all session names in p have compromise identifier s0. These clauses express that the attacker has the session names that contain only the compromise identifier s0.

In order to prove the secrecy of a session name s, we query the fact attacker(s[x1, . . . , xk, i1, . . . , in, s1]). If this fact is underivable, then the protocol does not have the weakness of the Needham-Schroeder shared-key protocol mentioned above: the attacker cannot have the secrets of a session that it has not compromised. In contrast, attacker(s[x1, . . . , xk, i1, . . . , in, s0]) is always derivable, since the attacker has compromised the sessions with identifier s0.

We can also prove correspondences in the presence of key compromise. We want to prove that the non-compromised sessions are secure, so we prove that, if an event event(M) has been executed in a copy of some Q_X with compromise identifier s1, then the required events event(M_jk) have been executed in any process. (A copy of Q_X with compromise identifier s1 may interact with a copy of Q_Y with compromise identifier s0 and, in this case, the events event(M_jk) may be executed in the copy of Q_Y with compromise identifier s0.) We obtain this result by adding the compromise identifier i_c as argument of the predicates m-event and event in clauses, and correspondingly adding s1 as argument of event(M) and event(M_j), and a fresh variable as argument of the other events event(M_jk) in queries. We can then prove the correspondence in the same way as in the absence of key compromise. The treatment of correspondences attacker(M) . . . and message(M, M′) . . . in which M and M′ do not contain bound names remains unchanged.

10 Experimental Results

We have implemented our verifier in Ocaml and have performed tests on various protocols of the literature. The tests reported here concern secrecy and authentication properties for simple examples of protocols. More complex examples have been studied, using our technique for proving correspondences. We do not detail them in this paper, because they have been the subject of specific papers [2, 3, 19].

Our results are summarized in Figure 6, with references to the papers that describe the protocols and the attacks. In these tests, the protocols are fully modeled, including interaction with the server for all versions of the Needham-Schroeder, Woo-Lam shared key, Denning-Sacco, Otway-Rees, and Yahalom protocols. The first column indicates the name of the protocol; we use the following abbreviations: NS for Needham-Schroeder, PK for public-key, SK for shared-key, corr. for corrected, tag. for tagged, unid. for unidirectional, and bid. for bidirectional. We have tested the Needham-Schroeder shared key protocol with the modeling of key compromise mentioned in Section 9.4, in which the compromised sessions can be executed in parallel with the non-compromised ones (version marked “comp.” in Figure 6). The second column indicates the number of Horn clauses that represent the protocol. The third column indicates the total number of resolution steps performed for analyzing the protocol.

Protocol                        # cl.  # res. steps  Time (ms)  Cases with attacks
                                                                Secrecy   A     B        Ref.
NS PK [60]                      32     1988          95         Nonces B  None  All      [53]
NS PK corr. [53]                36     1481          51         None      None  None
Woo-Lam PK [70]                 23     104           7                          All      [40]
Woo-Lam PK corr. [72]           27     156           6                          None
Woo-Lam SK [46]                 25     184           8                          All      [8]
Woo-Lam SK corr. [46]           21     244           4                          None
Denning-Sacco [37]              30     440           18         Key B           All      [5]
Denning-Sacco corr. [5]         30     438           16         None            Inj
NS SK [60], tag.                31     2721          41         None      None  None
NS SK corr. [61], tag.          32     2102          57         None      None  None
NS SK [60], tag., comp.         50     25241         167        Key B     None  Inj      [37]
NS SK corr. [61], tag., comp.   53     23956         225        None      None  None
Yahalom [26]                    26     1515          34         None      Key   None
Simpler Yahalom [26], unid.     21     1479          30         None      Key   None
Simpler Yahalom [26], bid.      24     3685          91         None      All   None     [67]
Otway-Rees [62]                 34     1878          59         None      Key   Inj,Key  [26]
Simpler Otway-Rees [5]          28     1934          31         None      All   All      [63]
Otway-Rees, variant of [63]     35     3349          87         Key B     All   All      [63]
Main mode of Skeme [52]         39     4139          154        None      None  None

Figure 6: Experimental results

The fourth column gives the execution time of our analyzer, in ms, on a Pentium M 1.8 GHz. Several secrecy and agreement specifications are checked for each protocol. The time given is the total time needed to check all specifications. The following factors influence the speed of the system:

• We use secrecy assumptions to speed up the search. These assumptions say that the secret keys of the principals, and the random values of the Diffie-Hellman key agreement in the Skeme protocol, remain secret. On average, the verifier is two times slower without secrecy assumptions, in our tests.

• We mentioned several selection functions, and the speed of the system can vary substantially depending on the selection function. In the tests of Figure 6, we used the selection function sel2. With sel1, the system is two times slower on average on Needham-Schroeder shared-key, Otway-Rees, the variant of [63] of Otway-Rees, and Skeme, but faster on the bidirectional simplified Yahalom (59 ms instead of 91 ms). The speed is almost unchanged for our other tests. On average, the verifier is 1.8 times slower with sel1 than with sel2, in our tests.

The selection function sel0 gives approximately the same speed as sel1, except for Skeme, for which the analysis does not terminate with sel0. (We comment further on termination below.)

• The tests of Figure 6 have been performed without elimination of redundant hypotheses. With elimination of redundant hypotheses that contain m-event facts, we obtain approximately the same speed. With elimination of all redundant hypotheses, the verifier is 1.3 times slower on average in these tests, because of the time spent testing whether hypotheses are redundant.

When our tool successfully proves that a protocol satisfies a certain specification, we are sure that this specification indeed holds, by our soundness theorems. When our tool does not manage to prove that a protocol satisfies a certain specification, it finds at least one clause and a derivation of this clause that contradicts the specification. The existence of such a clause does not prove that there is an attack: it may correspond to a false attack, due to the approximations introduced by the Horn clause model. However, using an extension of the technique of [6] to events, in most cases, our tool reconstructs a trace of the protocol, and thus proves that there is actually an attack against the considered specification. In the tests of Figure 6, this reconstruction succeeds in all cases for secrecy and non-injective correspondences, in the absence of key compromise. The trace reconstruction is not implemented yet in the presence of key compromise (Section 9.4) or for injective correspondences. (It presents additional difficulties in the latter case, since the trace should execute some event twice and others once in order to contradict injectivity, while the derivation corresponds to the execution of events once, with badly related session identifiers.) In the cases in which trace reconstruction is not implemented, we have checked manually that the protocol is indeed subject to an attack, so our tool found no false attack in the tests of Figure 6: for all specifications that hold, it has proved them.

The last four columns give the results of the analysis. The column “Secrecy” concerns secrecy properties, the column A concerns agreement specifications event(e(x1, . . . , xn)) [inj] event(e′(x1, . . . , xn)) in which A executes the event event(e(M1, . . . , Mn)), the column B agreement specifications event(e(x1, . . . , xn)) [inj] event(e′(x1, . . . , xn)) in which B executes the event event(e(M1, . . . , Mn)). The last column gives the reference of the attacks when attacks are found. The first six protocols of Figure 6 (Needham-Schroeder public key and Woo-Lam one-way authentication protocols) are authentication protocols. For them, we have tested non-injective and recent injective agreement on the names of the participants, and non-injective and injective full agreement (agreement on all atomic data). For the Needham-Schroeder public key protocol, we have also tested the secrecy of nonces. “Nonces B” means that the nonces Na and Nb manipulated by B may not be secret, “None” means all tested specifications are satisfied (there is no attack), “All” that our tool finds an attack against all tested specifications. The Woo and Lam protocols are one-way authentication protocols: they are intended to authenticate A to B, but not B to A, so we have only tested them with B containing event(e(M1, . . . , Mn)).

Numerous versions of the Woo and Lam shared-key protocol have been published in the literature [70], [8], [5, end of Example 3.2], [5, Example 6.2], [72], [46] (flawed and corrected versions). Our tool terminates and proves the correctness of the corrected versions of [8] and of [46]; it terminates and finds an attack on the flawed version of [46]. (The messages received or sent by A do not depend on the host A wants to talk to, so A may start a session with the adversary C, and the adversary can reuse the messages of this session to talk to B in A’s name.) We can easily see that the versions of [70] and [5, Example 6.2] are also subject to this attack, even if our tool does not terminate on them. The only difference between the protocol of [46] and that of [70] is that [46] adds tags to distinguish different encryption sites. As shown in Section 8.1, adding tags enforces termination. Our tool finds the attack of [29, bottom of page 52] on the versions of [5, end of Example 3.2] and [72]. For example, the version of [72] is

Message 1. A → B: A
Message 2. B → A: NB
Message 3. A → B: {A, B, NB}KAS
Message 4. B → S: {A, B, {A, B, NB}KAS}KBS
Message 5. S → B: {A, B, NB}KBS

and the attack is

Message 1. I(A) → B: A
Message 2. B → I(A): NB
Message 3. I(A) → B: NB
Message 4. B → I(A): {A, B, NB}KBS
Message 5. I(A) → B: {A, B, NB}KBS

In message 3, the adversary sends NB instead of {A, B, NB}KAS. B cannot see the difference and, acting as defined in the protocol, B unfortunately sends exactly the message needed by the adversary as message 5. So B thinks he talks to A, while A and S can perfectly be dead. The attack found against the version of [5, end of Example 3.2] is very similar.


The last five protocols exchange a session key, so we have tested agreement on the names of the participants, and agreement on both the participants and the session key (instead of full agreement, since agreement on the session key is more important than agreement on other values). In Figure 6, “Key B” means that the key obtained by B may not be secret, “Key” means that agreement on the session key is wrong, “Inj” means that injective agreement is wrong, “All” and “None” are as before.

In the Needham-Schroeder shared key protocol [60], the last messages are

Message 4. B → A: {NB}K
Message 5. A → B: {NB − 1}K

where NB is a nonce. Representing NB − 1 with a function minusone(x) = x − 1, with associated destructor plusone defined by plusone(minusone(x)) → x, the algorithm does not terminate with the selection function sel0. The selection functions sel1 or sel2 given in Section 8.2 however yield termination. We can also notice that the purpose of the subtraction is to distinguish the reply of A from B’s message. As mentioned in [5], it would be clearer to have:

Message 4. B → A: {Message 4 : NB}K
Message 5. A → B: {Message 5 : NB}K

We have used this encoding in the tests shown in Figure 6. Our tool then terminates with selection functions sel0, sel1, and sel2. [20] explains in more detail why these two messages encoded with minusone prevent termination with sel0, and why the addition of tags “Message 4”, “Message 5” yields termination. Adding the tags may strengthen the protocol (for instance, in the Needham-Schroeder shared key protocol, it prevents replaying Message 5 as a Message 4), so the security of the tagged version does not imply the security of the original version. As mentioned in [5], using the tagged version is a better design choice because it prevents confusing different messages, so this version should be implemented. Our tool also does not terminate on Skeme with selection function sel0, for an authentication query, but terminates with selection functions sel1 or sel2. All other examples of Figure 6 terminate with the three selection functions sel0, sel1, and sel2.

Among the examples of Figure 6, only the Woo-Lam shared key protocol, flawed and corrected versions of [46], and the Needham-Schroeder shared key protocol have explicit tags. Our tool terminates on all other protocols, even if they are not tagged. The termination can partly be explained by the notion of “implicitly tagged” protocols [20]: the various messages are not distinguished by explicit tags, but by other properties of their structure, such as the arity of the tuples that they contain. In Figure 6, the Denning-Sacco protocol and the Woo-Lam public key protocol are implicitly tagged. Still, the tool terminates on many examples that are not even implicitly tagged.

For the Yahalom protocol, we show that, if B thinks that k is a key to talk with A, then A also thinks that k is a key to talk with B. The converse is clearly wrong, because the session key is sent from A to B in the last message, so the adversary can intercept this message, so that A has the key but not B.

For the Otway-Rees protocol, we do not have agreement on the session key, since the adversary can intercept messages in such a way that one participant has the key and the other one has no key. There is also an attack in which both participants get a key, but not the same one [44]. The latter attack is not found by our tool, since it stops with the former attacks.

For the simplified version of the Otway-Rees protocol given in [5], B can execute its event event(e(M1, . . . , Mn)) with A dead, and A can execute its event event(e(M1, . . . , Mn)) with B dead. As Burrows, Abadi, and Needham already noted in [26], even the original protocol does not guarantee to B that A is alive (an attack against injective agreement that we also find). [46] said that the protocol satisfied its authentication specifications, because they showed that neither A nor B can conclude that k is a key for talking between A and B without the server first saying so. (Of course, this property is also important, and could also be checked with our verifier.)

11 Conclusion

We have extended previous work on the verification of security protocols by logic programming techniques, from secrecy to a very general class of correspondences, including not only authentication but also, for instance, correspondences that express that the messages of the protocol have been sent and received in the expected order. This technique enables us to check correspondences in a fully automatic way, without bounding the number of sessions of the protocols. This technique also yields an efficient verifier, as the experimental results demonstrate.

Acknowledgments

We would like to thank Martín Abadi, Jérôme Feret, Cédric Fournet, and Andrew Gordon for helpful discussions on this paper. This work was partly done at Max-Planck-Institut für Informatik, Saarbrücken, Germany.

References

[1] M. Abadi and B. Blanchet. Analyzing security protocols with secrecy types and logic programs. Journal of the ACM, 52(1):102–146, Jan. 2005.

[2] M. Abadi and B. Blanchet. Computer-assisted verification of a protocol for certified email. Science of Computer Programming, 58(1–2):3–27, Oct. 2005. Special issue SAS’03.

[3] M. Abadi, B. Blanchet, and C. Fournet. Just fast keying in the pi calculus. ACM Transactions on Information and System Security (TISSEC), 10(3):1–59, July 2007.

[4] M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’01), pages 104–115, London, United Kingdom, Jan. 2001. ACM Press.

[5] M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, 22(1):6–15, Jan. 1996.

[6] X. Allamigeon and B. Blanchet. Reconstruction of attacks against cryptographic protocols. In 18th IEEE Computer Security Foundations Workshop (CSFW-18), pages 140–154, Aix-en-Provence, France, June 2005. IEEE.

[7] R. Amadio and S. Prasad. The game of the name in cryptographic tables. In P. S. Thiagarajan and R. Yap, editors, Advances in Computing Science - ASIAN’99, volume 1742 of Lecture Notes on Computer Science, pages 15–27, Phuket, Thailand, Dec. 1999. Springer.

[8] R. Anderson and R. Needham. Programming Satan’s computer. In J. van Leeuven, editor, Computer Science Today: Recent Trends and Developments, volume 1000 of Lecture Notes on Computer Science, pages 426–440. Springer, 1995.

[9] L. Bachmair and H. Ganzinger. Resolution theorem proving. In A. Robinson and A. Voronkov, editors, Handbook of Automated Reasoning, volume 1, chapter 2, pages 19–100. North Holland, 2001.


[10] M. Backes, A. Cortesi, and M. Maffei. Causality-based abstraction of multiplicity in securityprotocols. In 20th IEEE Computer Security Foundations Symposium (CSF’07), pages 355–369, Venice, Italy, July 2007. IEEE.

[11] M. Bellare and P. Rogaway. Entity authentication and key distribution. In D. R. Stinson,editor, Advances in Cryptology – CRYPTO 1993, volume 773 of Lecture Notes on ComputerScience, pages 232–249, Santa Barbara, California, Aug. 1993. Springer.

[12] K. Bhargavan, C. Fournet, A. D. Gordon, and R. Pucella. TulaFale: A security tool for webservices. In Formal Methods for Components and Objects (FMCO 2003), volume 3188 ofLecture Notes on Computer Science, pages 197–222, Leiden, The Netherlands, Nov. 2003.Springer. Paper and tool available at http://securing.ws/.

[13] B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In 14thIEEE Computer Security Foundations Workshop (CSFW-14), pages 82–96, Cape Breton,Nova Scotia, Canada, June 2001. IEEE Computer Society.

[14] B. Blanchet. From secrecy to authenticity in security protocols. In M. Hermenegildo andG. Puebla, editors, 9th International Static Analysis Symposium (SAS’02), volume 2477 ofLecture Notes on Computer Science, pages 342–359, Madrid, Spain, Sept. 2002. Springer.

[15] B. Blanchet. Automatic proof of strong secrecy for security protocols. In IEEE Symposiumon Security and Privacy, pages 86–100, Oakland, California, May 2004.

[16] B. Blanchet. Automatic proof of strong secrecy for security protocols. Technical Report MPI-I-2004-NWG1-001, Max-Planck-Institut für Informatik, Saarbrücken, Germany, July 2004.

[17] B. Blanchet. Security protocols: From linear to classical logic by abstract interpretation.Information Processing Letters, 95(5):473–479, Sept. 2005.

[18] B. Blanchet, M. Abadi, and C. Fournet. Automated verification of selected equivalencesfor security protocols. Journal of Logic and Algebraic Programming, 75(1):3–51, Feb.–Mar.2008.

[19] B. Blanchet and A. Chaudhuri. Automated formal analysis of a protocol for secure filesharing on untrusted storage. In IEEE Symposium on Security and Privacy, pages 417–431, Oakland, CA, May 2008. IEEE.

[20] B. Blanchet and A. Podelski. Verification of cryptographic protocols: Tagging enforcestermination. Theoretical Computer Science, 333(1-2):67–90, Mar. 2005. Special issue FoS-SaCS’03.

[21] C. Bodei, M. Buchholtz, P. Degano, F. Nielson, and H. R. Nielson. Static validation ofsecurity protocols. Journal of Computer Security, 13(3):347–390, 2005.

[22] P. Broadfoot, G. Lowe, and B. Roscoe. Automating data independence. In 6th EuropeanSymposium on Research in Computer Security (ESORICS 2000), volume 1895 of LectureNotes on Computer Science, pages 175–190, Toulouse, France, Oct. 2000. Springer.

[23] P. J. Broadfoot and A. W. Roscoe. Embedding agents within the intruder to detect parallelattacks. Journal of Computer Security, 12(3/4):379–408, 2004.

[24] M. Bugliesi, R. Focardi, and M. Maffei. Analysis of typed analyses of authenticationprotocols. In Proc. 18th IEEE Computer Security Foundations Workshop (CSFW’05),pages 112–125, Aix-en-Provence, France, June 2005. IEEE Comp. Soc. Press.


[25] M. Bugliesi, R. Focardi, and M. Maffei. Dynamic types for authentication. Journal ofComputer Security, 15(6):563–617, 2007.

[26] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. Proceedings of theRoyal Society of London A, 426:233–271, 1989. A preliminary version appeared as DigitalEquipment Corporation Systems Research Center report No. 39, February 1989.

[27] Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents. In P. K. Pandya and J. Radhakrishnan, editors, FST TCS 2003: Foundations of Software Technology and Theoretical Computer Science, 23rd Conference, volume 2914 of Lecture Notes on Computer Science, pages 124–135, Mumbai, India, Dec. 2003. Springer.

[28] Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. An NP decision procedure for protocol insecurity with XOR. Theoretical Computer Science, 338(1–3):247–274, June 2005.

[29] J. Clark and J. Jacob. A survey of authentication protocol literature: Version1.0. Technicalreport, University of York, Department of Computer Science, Nov. 1997.

[30] E. Cohen. First-order verification of cryptographic protocols. Journal of Computer Security,11(2):189–216, 2003.

[31] H. Comon-Lundh and V. Shmatikov. Intruder deductions, constraint solving and insecuritydecision in presence of exclusive or. In Symposium on Logic in Computer Science (LICS’03),pages 271–280, Ottawa, Canada, June 2003. IEEE Computer Society.

[32] V. Cortier, J. Millen, and H. Rueß. Proving secrecy is easy enough. In 14th IEEE ComputerSecurity Foundations Workshop (CSFW-14), pages 97–108, Cape Breton, Nova Scotia,Canada, June 2001. IEEE Computer Society.

[33] C. J. F. Cremers. Scyther - Semantics and Verification of Security Protocols. Ph.D.dissertation, Eindhoven University of Technology, Nov. 2006.

[34] A. Datta, A. Derek, J. C. Mitchell, and D. Pavlovic. A derivation system and compositionallogic for security protocols. Journal of Computer Security, 13(3):423–482, 2005.

[35] H. de Nivelle. Ordering Refinements of Resolution. PhD thesis, Technische UniversiteitDelft, Oct. 1995.

[36] M. Debbabi, M. Mejri, N. Tawbi, and I. Yahmadi. A new algorithm for the automaticverification of authentication protocols: From specifications to flaws and attack scenarios.In DIMACS Workshop on Design and Formal Verification of Security Protocols, RutgersUniversity, New Jersey, Sept. 1997.

[37] D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Commun.ACM, 24(8):533–536, Aug. 1981.

[38] W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Infor-mation Theory, IT-22(6):644–654, Nov. 1976.

[39] D. Dolev and A. C. Yao. On the security of public key protocols. IEEE Transactions onInformation Theory, IT-29(12):198–208, Mar. 1983.

[40] A. Durante, R. Focardi, and R. Gorrieri. CVS at work: A report on new failures upon some cryptographic protocols. In V. Gorodetski, V. Skormin, and L. Popyack, editors, Mathematical Methods, Models and Architectures for Computer Networks Security (MMM-ACNS'01), volume 2052 of Lecture Notes on Computer Science, pages 287–299, St. Petersburg, Russia, May 2001. Springer.

[41] N. Durgin, P. Lincoln, J. C. Mitchell, and A. Scedrov. Multiset rewriting and the complexityof bounded security protocols. Journal of Computer Security, 12(2):247–311, 2004.

[42] S. Escobar, C. Meadows, and J. Meseguer. A rewriting-based inference system for theNRL protocol analyzer and its meta-logical properties. Theoretical Computer Science,367(1-2):162–202, 2006.

[43] S. Escobar, C. Meadows, and J. Meseguer. Equational cryptographic reasoning inthe Maude-NRL protocol analyzer. Electronic Notes in Theoretical Computer Science,171(4):23–36, July 2007.

[44] F. J. T. Fabrega, J. C. Herzog, and J. D. Guttman. Strand spaces: Proving securityprotocols correct. Journal of Computer Security, 7(2/3):191–230, 1999.

[45] A. Gordon and A. Jeffrey. Typing one-to-one and one-to-many correspondences in security protocols. In M. Okada, B. Pierce, A. Scedrov, H. Tokuda, and A. Yonezawa, editors, Software Security – Theories and Systems, Mext-NSF-JSPS International Symposium, ISSS 2002, volume 2609 of Lecture Notes on Computer Science, pages 263–282, Tokyo, Japan, Nov. 2002. Springer.

[46] A. Gordon and A. Jeffrey. Authenticity by typing for security protocols. Journal of Com-puter Security, 11(4):451–521, 2003.

[47] A. Gordon and A. Jeffrey. Types and effects for asymmetric cryptographic protocols.Journal of Computer Security, 12(3/4):435–484, 2004.

[48] J. Goubault-Larrecq, M. Roger, and K. N. Verma. Abstraction and resolution modulo AC:How to verify Diffie-Hellman-like protocols automatically. Journal of Logic and AlgebraicProgramming, 64(2):219–251, Aug. 2005.

[49] J. D. Guttman and F. J. T. Fabrega. Authentication tests and the structure of bundles.Theoretical Computer Science, 283(2):333–380, 2002.

[50] J. Heather, G. Lowe, and S. Schneider. How to prevent type flaw attacks on securityprotocols. In 13th IEEE Computer Security Foundations Workshop (CSFW-13), pages255–268, Cambridge, England, July 2000.

[51] J. Heather and S. Schneider. A decision procedure for the existence of a rank function.Journal of Computer Security, 13(2):317–344, 2005.

[52] H. Krawczyk. SKEME: A versatile secure key exchange mechanism for internet. In InternetSociety Symposium on Network and Distributed Systems Security, Feb. 1996. Available athttp://bilbo.isu.edu/sndss/sndss96.html.

[53] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. InTools and Algorithms for the Construction and Analysis of Systems, volume 1055 of LectureNotes on Computer Science, pages 147–166. Springer, 1996.

[54] G. Lowe. A hierarchy of authentication specifications. In 10th Computer Security Foun-dations Workshop (CSFW ’97), pages 31–43, Rockport, Massachusetts, June 1997. IEEEComputer Society.

[55] C. Lynch. Oriented equational logic programming is complete. Journal of Symbolic Com-putation, 21(1):23–45, 1997.


[56] C. Meadows and P. Narendran. A unification algorithm for the group Diffie-Hellmanprotocol. In Workshop on Issues in the Theory of Security (WITS’02), Portland, Oregon,Jan. 2002.

[57] C. A. Meadows. The NRL protocol analyzer: An overview. Journal of Logic Programming,26(2):113–131, 1996.

[58] J. Millen and V. Shmatikov. Symbolic protocol analysis with an abelian group operator orDiffie-Hellman exponentiation. Journal of Computer Security, 13(3):515–564, 2005.

[59] J. C. Mitchell, M. Mitchell, and U. Stern. Automated analysis of cryptographic protocolsusing Murϕ. In 1997 IEEE Symposium on Security and Privacy, pages 141–151, 1997.

[60] R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networksof computers. Commun. ACM, 21(12):993–999, Dec. 1978.

[61] R. M. Needham and M. D. Schroeder. Authentication revisited. Operating Systems Review,21(1):7, 1987.

[62] D. Otway and O. Rees. Efficient and timely mutual authentication. Operating SystemsReview, 21(1):8–10, 1987.

[63] L. C. Paulson. The inductive approach to verifying cryptographic protocols. Journal ofComputer Security, 6(1–2):85–128, 1998.

[64] A. W. Roscoe and P. J. Broadfoot. Proving security protocols with model checkers by dataindependence techniques. Journal of Computer Security, 7(2, 3):147–190, 1999.

[65] M. Rusinowitch and M. Turuani. Protocol insecurity with finite number of sessions isNP-complete. Theoretical Computer Science, 299(1–3):451–475, Apr. 2003.

[66] D. X. Song, S. Berezin, and A. Perrig. Athena: a novel approach to efficient automaticsecurity protocol analysis. Journal of Computer Security, 9(1/2):47–74, 2001.

[67] P. Syverson. A taxonomy of replay attacks. In 7th IEEE Computer Security Founda-tions Workshop (CSFW-94), pages 131–136, Franconia, New Hampshire, June 1994. IEEEComputer Society.

[68] P. Syverson and C. Meadows. A formal language for cryptographic protocol requirements.Designs, Codes, and Cryptography, 7(1/2):27–59, 1996.

[69] C. Weidenbach. Towards an automatic analysis of security protocols in first-order logic. InH. Ganzinger, editor, 16th International Conference on Automated Deduction (CADE-16),volume 1632 of Lecture Notes in Artificial Intelligence, pages 314–328, Trento, Italy, July1999. Springer.

[70] T. Y. C. Woo and S. S. Lam. Authentication for distributed systems. Computer, 25(1):39–52, Jan. 1992.

[71] T. Y. C. Woo and S. S. Lam. A semantic model for authentication protocols. In ProceedingsIEEE Symposium on Research in Security and Privacy, pages 178–194, Oakland, California,May 1993.

[72] T. Y. C. Woo and S. S. Lam. Authentication for distributed systems. In D. Denning andP. Denning, editors, Internet Besieged: Countering Cyberspace Scofflaws, pages 319–355.ACM Press and Addison-Wesley, Oct. 1997.


Appendices

A Instrumented Processes

Let last(s) be the last element of the sequence of session identifiers s, or ∅ when s = ∅. Let label(ℓ) be defined by label(a[t, s]) = (a, last(s)) and label(b_0[a[s]]) = (a, last(s)). We define the multiset Label(P) as follows: Label((νa : ℓ)P) = {label(ℓ)} ∪ Label(P), Label(!^i P) = ∅, and in all other cases, Label(P) is the union of the Label(P′) for all immediate subprocesses P′ of P. Let Label(E) = {label(E(a)) | a ∈ dom(E)} and Label(S) = {(a, λ) | λ ∈ S, a any name function symbol}.

Definition 16 An instrumented semantic configuration is a triple S, E, 𝒫 such that S is a countable set of constant session identifiers, the environment E is a mapping from names to closed patterns, and 𝒫 is a multiset of closed processes. The instrumented semantic configuration S, E, 𝒫 is well-labeled when the multiset Label(S) ∪ Label(E) ∪ ⋃_{P ∈ 𝒫} Label(P) contains no duplicates.

Lemma 5 Let P_0 be a closed process and P′_0 = instr(P_0). Let Q be an Init-adversary and Q′ = instrAdv(Q). Let E_0 such that fn(P′_0) ∪ Init ⊆ dom(E_0) and, for all a ∈ dom(E_0), E_0(a) = a[ ]. The configuration S_0, E_0, {P′_0, Q′} is a well-labeled instrumented semantic configuration.

Proof We have Label(E_0) = {(a, ∅) | a ∈ dom(E_0)}, Label(P′_0) = {(a, ∅) | (νa : a[. . .]) occurs in P′_0 not under a replication}, and Label(Q′) = {(a, ∅) | (νa : b_0[a[ ]]) occurs in Q′ not under a replication}. These multisets contain no duplicates since the bound names of P′_0 and Q′ are pairwise distinct and distinct from names in dom(E_0). So the multiset Label(S_0) ∪ Label(E_0) ∪ Label(P′_0) ∪ Label(Q′) contains no duplicates. □

Lemma 6 If S, E, 𝒫 is a well-labeled instrumented semantic configuration and S, E, 𝒫 → S′, E′, 𝒫′, then S′, E′, 𝒫′ is a well-labeled instrumented semantic configuration.

Proof We proceed by cases on the reduction S, E, 𝒫 → S′, E′, 𝒫′. The rule (Red Repl) removes the labels (a, λ) for a certain λ from Label(S) and adds some of them to Label(𝒫). The rule (Red Res) removes a label from Label(𝒫) and adds it to Label(E). Other rules can remove labels when they remove a subprocess, but they do not add labels. □

Lemma 7 Let S, E, 𝒫 be an instrumented semantic configuration. Let σ be a substitution and σ′ be defined by σ′x = E(σx) for all x. For all terms M, E(σM) = σ′E(M) and, for all atoms α, E(σα) = σ′E(α).

Proof We prove the result for terms M by induction on M.

• If M = x, E(σx) = σ′x = σ′E(x) by definition of σ′.

• If M = a, E(σa) = E(a) = σ′E(a), since E(a) is closed.

• If M is a composite term M = f(M_1, ..., M_n), E(σM) = f(E(σM_1), ..., E(σM_n)) = f(σ′E(M_1), ..., σ′E(M_n)) = σ′E(M), by induction hypothesis.

The extension to atoms is similar to the case of composite terms. □

Lemma 8 If S, E, 𝒫 is a well-labeled instrumented semantic configuration, M and M′ are closed terms, and E(M) = E(M′), then M = M′.

Proof The multiset Label(E) does not contain duplicates, hence different names in E have different associated patterns, therefore different terms have different associated patterns. □


Lemma 9 If S, E, 𝒫 is a well-labeled instrumented semantic configuration, M′ is a closed term, and E(M′) = σE(M), then there exists a substitution σ′ such that M′ = σ′M and, for all variables x of M, E(σ′x) = σx. We have a similar result for atoms and for tuples containing terms and atoms.

Proof We prove the result for terms by induction on M.

• If M = x, E(M′) = σE(M) = σx. We define σ′ by σ′x = M′.

• If M is a name, E(M) is closed, so E(M′) = σE(M) = E(M). By Lemma 8, M′ = M = σ′M for any substitution σ′.

• If M is a composite term M = f(M_1, ..., M_n), E(M′) = f(σE(M_1), ..., σE(M_n)). Therefore, M′ = f(M′_1, ..., M′_n) with E(M′_i) = σE(M_i) for all i ∈ {1, ..., n}. By induction hypothesis, for all i ∈ {1, ..., n}, there exists σ′_i such that M′_i = σ′_iM_i and, for all variables x of M_i, E(σ′_ix) = σx. For all i, j, if x occurs in M_i and M_j, E(σ′_ix) = σx = E(σ′_jx), so by Lemma 8, σ′_ix = σ′_jx. Thus we can merge all substitutions σ′_i into a substitution σ′ defined by σ′x = σ′_ix when x occurs in M_i. So we have M′ = σ′M and, for all variables x of M, E(σ′x) = σx.

The extension to atoms and to tuples of terms and atoms is similar to the case of composite terms. □

Proof (of Lemma 1) Let Q be an Init-adversary and Q′ = instrAdv(Q). Let E_0 contain fn(P_0) ∪ Init ∪ fn(α) ∪ ⋃_j fn(α_j) ∪ ⋃_{j,k} fn(M_{jk}). Consider a trace T = E_0, {P_0, Q} →∗ E_1, 𝒫_1. Let σ such that T satisfies σα. By Proposition 1, letting E′_0 = {a ↦ a[ ] | a ∈ E_0}, there is a trace T′ = S_0, E′_0, {P′_0, Q′} →∗ S′, E′_1, 𝒫′_1 with unInstr(𝒫′_1) = 𝒫_1, and both traces satisfy the same atoms, so T′ also satisfies σα. Since E′_0 contains the names of α, α_j, and M_{jk}, and E′_1 is an extension of E′_0, E′_1(α) = E′_0(α) = F, E′_1(α_j) = E′_0(α_j) = F_j, and E′_1(M_{jk}) = E′_0(M_{jk}) = p_{jk}. Let σ″ be defined by σ″x = E′_1(σx) for all x. By Lemma 7, E′_1(σα) = σ″E′_1(α), so E′_1(σα) = σ″F. Hence T′ satisfies σ″F. Since P′_0 satisfies the given correspondence, there exist σ″_0 and j ∈ {1, ..., m} such that σ″_0F_j = σ″F and, for all k ∈ {1, ..., l_j}, T′ satisfies event(σ″_0p_{jk}), so there exists M″_k such that E′_1(M″_k) = σ″_0p_{jk} and T′ satisfies event(M″_k). Hence E′_1(M″_k) = σ″_0E′_1(M_{jk}) and E′_1(σα) = σ″F = σ″_0F_j = σ″_0E′_1(α_j), that is, E′_1((M″_1, ..., M″_{l_j}, σα)) = σ″_0E′_1((M_{j1}, ..., M_{jl_j}, α_j)). By Lemma 9, there exists σ_0 such that (M″_1, ..., M″_{l_j}, σα) = σ_0(M_{j1}, ..., M_{jl_j}, α_j). So σα = σ_0α_j and, for all k ∈ {1, ..., l_j}, T′ satisfies event(σ_0M_{jk}), so T also satisfies event(σ_0M_{jk}). □

B Proof of Theorem 1

The correctness proof uses a type system as a convenient way of expressing invariants of processes. This type system can be seen as a modified version of the type system of [1, Section 7], which was used to prove the correctness of our protocol verifier for secrecy properties. In this type system, the types are closed patterns:

T ::= types
    a[T_1, ..., T_n, λ_1, ..., λ_k]    name
    f(T_1, ..., T_n)                   constructor application

The symbols λ_1, ..., λ_k are constant session identifiers, in a set S_0. Let F_{P′_0,Init} be the set of closed facts derivable from R_{P′_0,Init} ∪ F_me.

The type rules are defined in Figure 7. The environment E is a function from names and variables in V_o to types and from variables in V_s to constant session identifiers. The mapping E is extended to all terms as a substitution by E(f(M_1, ..., M_n)) = f(E(M_1), ..., E(M_n)) and to restriction labels by E(a[M_1, ..., M_n, i_1, ..., i_{n′}]) = a[E(M_1), ..., E(M_n), E(i_1), ..., E(i_{n′})] and E(b_0[a[i_1, ..., i_{n′}]]) = b_0[a[E(i_1), ..., E(i_{n′})]], so that it maps closed terms and restriction labels to types. The rules define the judgment E ⊢ P, which means that the process P is well-typed in the environment E. We do not consider the case of conditionals here, since it is a particular case of destructor applications.

Figure 7: Type rules

(Output) If message(E(M), E(N)) ∈ F_{P′_0,Init} and E ⊢ P, then E ⊢ M⟨N⟩.P.

(Input) If E[x ↦ T′] ⊢ P for all T′ such that message(E(M), T′) ∈ F_{P′_0,Init}, then E ⊢ M(x).P.

(Nil) E ⊢ 0.

(Parallel) If E ⊢ P and E ⊢ Q, then E ⊢ P | Q.

(Replication) If E[i ↦ λ] ⊢ P for all λ, then E ⊢ !^i P.

(Restriction) If E[a ↦ E(ℓ)] ⊢ P, then E ⊢ (νa : ℓ)P.

(Destructor application) If E[x ↦ T] ⊢ P for all T such that g(E(M_1), ..., E(M_n)) → T, and E ⊢ Q, then E ⊢ let x = g(M_1, ..., M_n) in P else Q.

(Event) If event(E(M)) ∈ F_{P′_0,Init} and E ⊢ P holds whenever m-event(E(M)) ∈ F_{P′_0,Init}, then E ⊢ event(M).P.

We say that an instrumented semantic configuration S, E, 𝒫 is well-typed, and we write ⊢ S, E, 𝒫, when it is well-labeled and E ⊢ P for all P ∈ 𝒫.

Proof sketch (of Theorem 1) Let P_0 be the considered process and P′_0 = instr(P_0). Let Q be an Init-adversary and Q′ = instrAdv(Q). Let E_0 such that fn(P′_0) ∪ Init ⊆ dom(E_0) and, for all a ∈ dom(E_0), E_0(a) = a[ ].

1. Typability of the adversary: Let P′ be a subprocess of Q′. Let E be an environment such that ∀a ∈ fn(P′), attacker(E(a)) ∈ F_{P′_0,Init} and ∀x ∈ fv(P′), attacker(E(x)) ∈ F_{P′_0,Init}. (In particular, E is defined for all free names and free variables of P′.) We show that E ⊢ P′, by induction on P′. This result is similar to [1, Lemma 5.1.4]. In particular, we obtain E_0 ⊢ Q′.

2. Typability of P′_0: We prove by induction on the process P, subprocess of P′_0, that, if (a) ρ binds all free names and variables of P, (b) R_{P′_0,Init} ⊇ [[P]]ρH, (c) σ is a closed substitution, and (d) σH can be derived from R_{P′_0,Init} ∪ F_me, then σρ ⊢ P. This result is similar to [1, Lemma 7.2.2].

In particular, R_{P′_0,Init} ⊇ [[P′_0]]ρ∅, where ρ = {a ↦ a[ ] | a ∈ fn(P′_0)}. So, with E = σρ = {a ↦ a[ ] | a ∈ fn(P′_0)}, E ⊢ P′_0. A fortiori, E_0 ⊢ P′_0.

3. Properties of P′_0, Q′: By Lemma 5, S_0, E_0, {P′_0, Q′} is well-labeled. So, using the first two points, ⊢ S_0, E_0, {P′_0, Q′}.

4. Substitution lemma: Let E′ = E[x ↦ E(M)]. We show by induction on M′ that E(M′{M/x}) = E′(M′). We show by induction on P that, if E′ ⊢ P, then E ⊢ P{M/x}. This result is similar to [1, Lemma 5.1.1].

5. Subject reduction: Assume that ⊢ S, E, 𝒫 and S, E, 𝒫 → S′, E′, 𝒫′. Furthermore, assume that, if the reduction S, E, 𝒫 → S′, E′, 𝒫′ executes event(M), then m-event(E(M)) ∈ F_me. Then ⊢ S′, E′, 𝒫′. This is proved by cases on the derivation of S, E, 𝒫 → S′, E′, 𝒫′. This result is similar to [1, Lemma 5.1.3].

6. Consider the trace T = S_0, E_0, {P′_0, Q′} →∗ S′, E′, 𝒫′. By the hypothesis of the theorem, if event(M) has been executed in T, then T satisfies event(E′(M)), so m-event(E′(M)) ∈ F_me. If the reduction that executes event(M) is S, E, 𝒫 → S, E, 𝒫″, we have E(M) = E′(M), since E′ is an extension of E, and E already contains the names of M. Hence we obtain the hypothesis of subject reduction. So, by Items 3 and 5, we infer that all configurations in the trace are well-typed.

When F = event(p), since T satisfies event(p), there exists M such that T satisfies event(M) and E′(M) = p. So T contains a reduction S_1, E_1, 𝒫_1 ∪ {event(M).P} → S_1, E_1, 𝒫_1 ∪ {P}. Therefore E_1 ⊢ event(M).P, so event(E_1(M)) ∈ F_{P′_0,Init}. Moreover, E_1(M) = E′(M) since E′ is an extension of E_1, therefore event(E′(M)) = event(p) = F is derivable from R_{P′_0,Init} ∪ F_me.

When F = message(p, p′), since T satisfies message(p, p′), there exist M and M′ such that T satisfies message(M, M′), E′(M) = p, and E′(M′) = p′. So T contains a reduction S_1, E_1, 𝒫_1 ∪ {M⟨M′⟩.P, M(x).Q} → S_1, E_1, 𝒫_1 ∪ {P, Q{M′/x}}. Therefore E_1 ⊢ M⟨M′⟩.P. This judgment must have been derived by (Output), so message(E_1(M), E_1(M′)) ∈ F_{P′_0,Init}. Moreover, E_1(M) = E′(M) and E_1(M′) = E′(M′) since E′ is an extension of E_1, so message(E′(M), E′(M′)) = message(p, p′) = F is derivable from R_{P′_0,Init} ∪ F_me.

When F = attacker(p′), T also satisfies message(c[ ], p′) for some c ∈ Init. Therefore, by the previous case, message(c[ ], p′) is derivable from R_{P′_0,Init} ∪ F_me. Since c ∈ Init, attacker(c[ ]) is in R_{P′_0,Init}. So, by Clause (Rl), attacker(p′) = F is derivable from R_{P′_0,Init} ∪ F_me. □

C Correctness of the Solving Algorithm

In terms of security, the soundness of our analysis means that, if a protocol is found secure by the analysis, then it is actually secure. Showing soundness in this sense essentially amounts to showing that no derivable fact is missed by the resolution algorithm, which, in terms of logic programming, is the completeness of the resolution algorithm. Accordingly, in terms of security, the completeness of our analysis would mean that all secure protocols can be proved secure by our analysis. Completeness in terms of security corresponds, in terms of logic programming, to the correctness of the resolution algorithm, which means that the resolution algorithm does not derive false facts.

The completeness of “binary resolution with free selection”, which is our basic algorithm, was proved in [9, 35, 55]. We extend these proofs by showing that completeness still holds with our simplifications of clauses. (These simplifications are often specific to security protocols.)

As a preliminary, we define a sort system, with three sorts: session identifiers, ordinary patterns, and environments. Name function symbols expect session identifiers as their last k arguments, where k is the number of replications above the restriction that defines the considered name function symbol, and ordinary patterns as other arguments. The pattern a[p_1, ..., p_n, i_1, ..., i_k] is an ordinary pattern. Constructors f expect ordinary patterns as arguments and f(p_1, ..., p_n) is an ordinary pattern. The predicates attacker and message expect ordinary patterns as arguments. The predicate event expects an ordinary pattern and, for injective events, a session identifier. The predicate m-event expects an ordinary pattern and, for injective events, an environment. We say that a pattern, fact, clause, or set of clauses is well-sorted when these constraints are satisfied.

Lemma 10 All clauses manipulated by the algorithm are well-sorted, and if a variable occurs in the conclusion of a clause and is not a session identifier, then it also occurs in non-m-event facts in its hypothesis.

Proof It is easy to check that all patterns and facts are well-sorted in the clause generation algorithm. One only unifies patterns of the same sort. The environment ρ and the substitutions always map a variable to a pattern of the same sort. During the building of clauses, the variables in the image of ρ that are not session identifiers also occur in non-m-event facts in H, and the variables in the conclusion of generated clauses are in the image of ρ. Hence, the clauses in R_{P′_0,Init} satisfy Lemma 10.

Furthermore, this property is preserved by resolution. Resolution generates a clause R″ = σ_uH ∧ σ_uH′ ⇒ σ_uC′ from clauses R = H ⇒ C and R′ = H′ ∧ F_0 ⇒ C′ that satisfy Lemma 10, where σ_u is the most general unifier of C and F_0. The substitution σ_u unifies elements of the same sort, so σ_u maps each variable to an element of the same sort, so R″ is well-sorted. If a non-session identifier variable x occurs in σ_uC′, then there is a non-session identifier variable y in C′ such that x occurs in σ_uy. Then y occurs in non-m-event facts in the hypothesis of R′, H′ ∧ F_0. First case: y occurs in non-m-event facts in H′, so x occurs in σ_uH′, so x occurs in non-m-event facts in the hypothesis of R″. Second case: y occurs in F_0, so x occurs in σ_uF_0 = σ_uC, so there is a non-session identifier variable z such that z occurs in C and x occurs in σ_uz, so z occurs in non-m-event facts in H, so x occurs in non-m-event facts in σ_uH, so x occurs in non-m-event facts in the hypothesis of R″. In both cases, x occurs in non-m-event facts in the hypothesis of R″. Therefore, R″ satisfies Lemma 10.

This property is also preserved by the simplification functions. □

Definition 17 (Derivation) Let F be a closed fact. Let R be a set of clauses. A derivation of F from R is a finite tree defined as follows:

1. Its nodes (except the root) are labeled by clauses R ∈ R.

2. Its edges are labeled by closed facts. (Edges go from a node to each of its sons.)

3. If the tree contains a node labeled by R with one incoming edge labeled by F_0 and n outgoing edges labeled by F_1, ..., F_n, then R ⊒ {F_1, ..., F_n} ⇒ F_0.

4. The root has one outgoing edge, labeled by F. The unique son of the root is named the subroot.

In a derivation, if there is a node labeled by R with one incoming edge labeled by F_0 and n outgoing edges labeled by F_1, ..., F_n, then the clause R can be used to infer F_0 from F_1, ..., F_n. Therefore, there exists a derivation of F from R if and only if F can be inferred from clauses in R (in classical logic).

The key idea of the proof of Lemma 2 is the following. Assume that F is derivable from R_0 ∪ F_me and consider a derivation of F from R_0 ∪ F_me. Assume that the clauses R and R′ are applied one after the other in the derivation of F. Also assume that these clauses have been combined by R ∘_{F_0} R′, yielding clause R″. In this case, we replace R and R′ with R″ in the derivation of F. When no more replacement can be done, we show that all remaining clauses have no selected hypothesis. So all these clauses are in R_1 = saturate(R_0), and we have built a derivation of F from R_1.

To show that this replacement process terminates, we remark that the total number of nodes of the derivation strictly decreases.
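As an added illustration of Definition 17 and of the saturation idea above (this is example code written for this page, not the paper's proof and not ProVerif's implementation), the following Python engine implements the resolution step R ∘_{F_0} R′ over Horn clauses, saturates a clause set under it using a selection function, keeps the clauses with no selected hypothesis, and then builds derivations of closed facts from the saturated set only. The term encoding, the selection function (here: every hypothesis that is not attacker(x) with x a variable, the default ProVerif uses, stated as an assumption), the tautology and duplicate-hypothesis simplifications, and the toy protocol clauses are all constructed for the example.

```python
"""Binary resolution with free selection over ProVerif-style Horn clauses.
Term encoding (constructed for this example): a variable is ('V', name), an
application f(t1, ..., tn) is ('f', t1, ..., tn), a name is a 0-ary application
such as ('k',), a fact is an application headed by a predicate symbol.
A clause H => C is the pair (tuple_of_hypotheses, conclusion)."""
import itertools

def is_var(t):
    return len(t) == 2 and t[0] == 'V'

def variables(t):
    return {t[1]} if is_var(t) else {v for a in t[1:] for v in variables(a)}

def subst(s, t):
    """Apply substitution s (variable name -> term) to term t."""
    if is_var(t):
        return subst(s, s[t[1]]) if t[1] in s else t
    return (t[0],) + tuple(subst(s, a) for a in t[1:])

def unify(a, b, s=None):
    """Most general unifier of a and b extending s, or None (occurs check)."""
    s = dict(s or {})
    a, b = subst(s, a), subst(s, b)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        if v[1] in variables(t):
            return None
        s[v[1]] = t
        return s
    if a[0] != b[0] or len(a) != len(b):
        return None
    for p, q in zip(a[1:], b[1:]):
        s = unify(p, q, s)
        if s is None:
            return None
    return s

_fresh = itertools.count()

def rename(clause, fresh=False):
    """Rename variables: canonically to x0, x1, ... (for dedup) or apart with a fresh tag."""
    hyps, concl = clause
    seen, tag = [], next(_fresh)
    def walk(t):
        if is_var(t):
            if t[1] not in seen:
                seen.append(t[1])
        else:
            for a in t[1:]:
                walk(a)
    for f in hyps + (concl,):
        walk(f)
    s = {v: ('V', f'{v}#{tag}' if fresh else f'x{i}') for i, v in enumerate(seen)}
    return tuple(subst(s, h) for h in hyps), subst(s, concl)

def sel(clause):
    """Free selection (assumed, as in ProVerif): every hypothesis except attacker(x)."""
    return [h for h in clause[0] if not (h[0] == 'attacker' and is_var(h[1]))]

def resolve(r, rp, f0):
    """R o_{F0} R': unify the conclusion of R with the hypothesis F0 of R'."""
    hyps, concl = rename(r, fresh=True)   # keep the variables of R and R' apart
    hp, cp = rp
    s = unify(concl, f0)
    if s is None:
        return None
    rest = list(hp)
    rest.remove(f0)                       # H' \ {F0}: one occurrence (multiset)
    return tuple(subst(s, h) for h in hyps + tuple(rest)), subst(s, cp)

def simplify(clause):
    """Drop duplicate hypotheses; drop tautologies (conclusion among hypotheses)."""
    hyps = tuple(dict.fromkeys(clause[0]))
    return None if clause[1] in hyps else rename((hyps, clause[1]))

def saturate(r0):
    """Close R0 under R o_{F0} R' with sel(R) empty and F0 in sel(R'); return R1,
    the clauses with no selected hypothesis (saturate(R0) in the sense of Lemma 2)."""
    done, queue = set(), list(r0)
    while queue:
        r = simplify(queue.pop())
        if r is None or r in done:
            continue
        done.add(r)
        for rp in list(done):
            for a, b in ((r, rp), (rp, r)):
                if sel(a):
                    continue
                for f0 in sel(b):
                    new = resolve(a, b, f0)
                    if new is not None:
                        queue.append(new)
    return {c for c in done if not sel(c)}

def derivable(fact, r1, stack=()):
    """Does a derivation of the closed fact from R1 exist?  Backward chaining: every
    hypothesis in R1 is attacker(x); an open subgoal fails (conservative) and a goal
    already on the stack is not retried (loop guard)."""
    if variables(fact) or fact in stack:
        return False
    for clause in r1:
        hyps, concl = rename(clause, fresh=True)
        s = unify(concl, fact)
        if s is not None and all(not variables(g) and derivable(g, r1, stack + (fact,))
                                 for g in (subst(s, h) for h in hyps)):
            return True
    return False

def V(n): return ('V', n)
def att(t): return ('attacker', t)
def enc(m, key): return ('enc', m, key)

a, k, sec = ('a',), ('k',), ('s',)     # public name, long-term key, secret (constructed)
x, y = V('x'), V('y')

# Constructed clause set R0: Dolev-Yao rules for symmetric encryption plus a
# hypothetical one-message protocol: A sends enc(s, k); B decrypts with k and
# echoes the plaintext in the clear, the flaw the analysis should find.
R0 = [
    ((), att(a)),
    ((att(x), att(y)), att(enc(x, y))),          # encryption
    ((att(enc(x, y)), att(y)), att(x)),          # decryption
    ((), att(enc(sec, k))),                      # A -> B : enc(s, k)
    ((att(enc(x, k)),), att(x)),                 # B -> A : x
]
R1 = saturate(R0)

def secret_leaked():
    return derivable(att(sec), R1)   # True: A's message resolved against B's clause

def key_leaked():
    return derivable(att(k), R1)     # False: attacker(k) => attacker(s) keeps a selected hypothesis
```

Resolving the fact attacker(enc(s, k)) against B's clause on its selected hypothesis attacker(enc(x, k)) yields the fact attacker(s), so the secret is derivable from saturate(R0) with a one-node derivation; the clause attacker(k) ⇒ attacker(s), obtained from the decryption rule, still has a selected hypothesis that nothing can resolve away, so it is not part of R1 and attacker(k) stays underivable.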

Next, we introduce the notion of data-decomposed derivation. This notion is useful for proving the correctness of the decomposition of data constructors. (In the absence of data constructors, all derivations are data-decomposed.)

Definition 18 A derivation D is data-decomposed if and only if, for all edges η′ → η in D labeled by attacker(f(p_1, ..., p_n)) for some data constructor f, the node η′ is labeled by a clause attacker(f(x_1, ..., x_n)) ⇒ attacker(x_i) for some i or the node η is labeled by the clause attacker(x_1) ∧ ... ∧ attacker(x_n) ⇒ attacker(f(x_1, ..., x_n)).

Intuitively, a derivation is data-decomposed when all intermediate facts proved in that derivation are decomposed as much as possible using data-destructor clauses attacker(f(x_1, ..., x_n)) ⇒ attacker(x_i) before being used to prove other facts. We are going to transform the initial derivation into a data-decomposed derivation. Further transformations of the derivation will keep it data-decomposed.

The next lemma shows that two nodes in a derivation can be replaced by one when combining their clauses by resolution.

Lemma 11 Consider a data-decomposed derivation containing a node η′, labeled R′. Let F_0 be a hypothesis of R′. Then there exists a son η of η′, labeled R, such that the edge η′ → η is labeled by an instance of F_0, R ∘_{F_0} R′ is defined, and, if sel(R) = ∅ and F_0 ∈ sel(R′), one obtains a data-decomposed derivation of the same fact by replacing the nodes η and η′ with a node η″ labeled R″ = R ∘_{F_0} R′.

Proof This proof is illustrated in Figure 8. Let R′ = H′ ⇒ C′, H′1 be the multiset of the labels of the outgoing edges of η′, and C′1 the label of its incoming edge. We have R′ ⊒ (H′1 ⇒ C′1), so there exists σ such that σH′ ⊆ H′1 and σC′ = C′1. Hence there is an outgoing edge of η′ labeled σF0, since σF0 ∈ H′1. Let η be the node at the end of this edge, let R = H ⇒ C be the label of η. We rename the variables of R such that they are distinct from the variables of R′. Let H1 be the multiset of the labels of the outgoing edges of η. So R ⊒ (H1 ⇒ σF0). By the above choice of distinct variables, we can then extend σ such that σH ⊆ H1 and σC = σF0.

The edge η′ → η is labeled σF0, instance of F0. Since σC = σF0, the facts C and F0 are unifiable, so R ◦F0 R′ is defined. Let σ′ be the most general unifier of C and F0, and σ′′ such that σ = σ′′σ′. We have R ◦F0 R′ = σ′(H ∪ (H′ \ {F0})) ⇒ σ′C′. Moreover, σ′′σ′(H ∪ (H′ \ {F0})) ⊆ H1 ∪ (H′1 \ {σF0}) and σ′′σ′C′ = σC′ = C′1. Hence R′′ = R ◦F0 R′ ⊒ (H1 ∪ (H′1 \ {σF0})) ⇒ C′1. The multiset of labels of outgoing edges of η′′ is precisely H1 ∪ (H′1 \ {σF0}) and the label of its incoming edge is C′1, therefore we have obtained a correct derivation by replacing η and η′ with η′′.

Let us show that the obtained derivation is data-decomposed. Consider an edge η′1 → η1 in this derivation, labeled by F = attacker(f(p1, . . . , pn)), where f is a data constructor.

• If η′1 and η1 are different from η′′, then the same edge exists in the initial derivation, so it is of the desired form.

• If η′1 = η′′, then there is an edge η → η1 labeled by F in the initial derivation. Since the initial derivation is data-decomposed, η is labeled by R = attacker(f(x1, . . . , xn)) ⇒ attacker(xi) or η1 is labeled by R1 = attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)). The former case is impossible because sel(R) = ∅. In the latter case, η1 is labeled by R1, so we have the desired form in the obtained derivation.

• If η1 = η′′, then there is an edge η′1 → η′ labeled by F in the initial derivation. Since the initial derivation is data-decomposed, η′1 is labeled by R′1 = attacker(f(x1, . . . , xn)) ⇒ attacker(xi) or η′ is labeled by R′ = attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)). The latter case is impossible because sel(R) ≠ ∅. In the former case, η′1 is labeled by R′1, so we have the desired form in the obtained derivation.

Figure 8: Merging of nodes of Lemma 11 (figure omitted: the nodes η and η′, labeled R and R′ and joined by the edge σF0, with outgoing edge multisets H1 and H′1 and incoming edge C′1, are merged into a single node η′′ labeled R′′ with outgoing edges H1 ∪ (H′1 − σF0) and incoming edge C′1)

Hence the obtained derivation is data-decomposed. □

Lemma 12 If a node η of a data-decomposed derivation D is labeled by R, then one obtains a data-decomposed derivation D′ of the same fact as D by relabeling η with a clause R′ such that R′ ⊒ R.

Proof Let H be the multiset of labels of outgoing edges of the considered node η, and C be the label of its incoming edge. We have R ⊒ H ⇒ C. By transitivity of ⊒, R′ ⊒ H ⇒ C. So we can relabel η with R′.

Let us show that the obtained derivation D′ is data-decomposed. Consider an edge η′1 → η1 in D′, labeled by F = attacker(f(p1, . . . , pn)), where f is a data constructor.

• If η′1 and η1 are different from η, then the same edge exists in the initial derivation D, so it is of the desired form.

• If η′1 = η, then there is an edge η′1 → η1 in D, labeled by F. Since D is data-decomposed, η′1 = η is labeled by R = attacker(f(x1, . . . , xn)) ⇒ attacker(xi) or η1 is labeled by R1 = attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)) in D. In the latter case, we have the desired form in D′. In the former case, let R′ = H′ ⇒ C′. We have R′ ⊒ R, so there exists σ such that σH′ ⊆ {attacker(f(x1, . . . , xn))} and σC′ = attacker(xi). Hence C′ = attacker(y) where σy = xi, and H′ = ∅ or H′ = attacker(z) with σz = f(x1, . . . , xn) or H′ = attacker(f(y1, . . . , yn)) with σyj = xj for all j ≤ n. By Lemma 10, y occurs in H′, so H′ ≠ ∅. If we had H′ = attacker(z), σz ≠ σy, so z ≠ y, so this case is impossible. Hence H′ = attacker(f(y1, . . . , yn)). Moreover, σyj ≠ σy for all j ≠ i, so yj ≠ y for all j ≠ i. Since y occurs in H′, y = yi. Hence R′ = R up to renaming, and we have the desired form in D′.

• If η1 = η, then there is an edge η′1 → η1 in D, labeled by F. Since D is data-decomposed, η′1 is labeled by R′1 = attacker(f(x1, . . . , xn)) ⇒ attacker(xi) or η1 = η is labeled by R = attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)) in D. In the former case, we have the desired form in D′. In the latter case, let R′ = H′ ⇒ C′. We have R′ ⊒ R, so there exists σ such that σH′ ⊆ {attacker(x1), . . . , attacker(xn)} and σC′ = attacker(f(x1, . . . , xn)). Hence H′ = ∧j∈J attacker(yj) where J ⊆ {1, . . . , n} and σyj = xj for all j ∈ J, and C′ = attacker(y) with σy = f(x1, . . . , xn) or C′ = attacker(f(y′1, . . . , y′n)) with σy′j = xj for all j ≤ n. By Lemma 10, if C′ = attacker(y), y occurs in H′, but this is impossible because σyj ≠ σy for all j ∈ J. So C′ = attacker(f(y′1, . . . , y′n)). By Lemma 10, y′j occurs in H′ for all j ≤ n, so J = {1, . . . , n} and y′j = yj for all j ≤ n. Hence R′ = R up to renaming, and we have the desired form in D′.

Hence the obtained derivation D′ is data-decomposed. □

Definition 19 We say that R ⊒Set R′ if, for all clauses R in R′, R is subsumed by a clause of R.

Lemma 13 If R ⊒Set R′ and D is a data-decomposed derivation containing a node η labeled by R ∈ R′, then one can build a data-decomposed derivation D′ of the same fact as D by relabeling η with a clause in R.

Proof Obvious by Lemma 12. □

Lemma 14 If R ⊒Set R′, then elim(R) ⊒Set R′.

Proof This is an immediate consequence of the transitivity of ⊒. □

Lemma 15 At the end of saturate, R satisfies the following properties:

1. For all R ∈ R0, R ⊒Set simplify(R);

2. Let R ∈ R and R′ ∈ R. Assume that sel(R) = ∅ and there exists F0 ∈ sel(R′) such that R ◦F0 R′ is defined. In this case, R ⊒Set simplify(R ◦F0 R′).

Proof To prove the first property, let R ∈ R0. We show that, after the addition of R to R, R ⊒Set simplify(R).

In the first step of saturate, we execute the instruction R ← elim(simplify(R) ∪ R). We have simplify(R) ∪ R ⊒Set simplify(R), so, by Lemma 14, after execution of this instruction, R ⊒Set simplify(R).

Assume that we execute R ← elim(simplify(R′′) ∪ R), and before this execution R ⊒Set simplify(R). Hence simplify(R′′) ∪ R ⊒Set simplify(R), so, by Lemma 14, after the execution of this instruction, R ⊒Set simplify(R).

The second property simply means that the fixpoint is reached at the end of saturate, so R = elim(simplify(R ◦F0 R′) ∪ R). Since simplify(R ◦F0 R′) ∪ R ⊒Set simplify(R ◦F0 R′), by Lemma 14, elim(simplify(R ◦F0 R′) ∪ R) ⊒Set simplify(R ◦F0 R′), so R ⊒Set simplify(R ◦F0 R′). □

Lemma 16 Let f ∈ {elimattx, elimtaut, elimnot, elimredundanthyp, elimdup, decomp, decomphyp, simplify, simplify′}.

If the data-decomposed derivation D contains a node η labeled R, then one obtains a data-decomposed derivation D′ of the same fact as D or of an instance of a fact in Fnot by relabeling η with some R′ ∈ f(R) or removing η, and possibly deleting nodes. Furthermore, if D′ is not a derivation of the same fact as D, then η is removed.

If D′ contains a node labeled R′ ∈ f(R), then there exists a derivation D using R, the clauses of D′ except R′, and the clauses of R0 that derives the same fact as D′.

When R is unchanged by f, that is, f(R) = {R}, this lemma is obvious. So, in the proofs below, we consider only the cases in which R is modified by f.


Proof (for elimattx) The direct part is obvious: R′ is built from R by removing some hypotheses, so we just remove the subtrees corresponding to removed hypotheses of R.

Conversely, let p be a closed pattern such that attacker(p) is derivable from R0. (There exists an infinite number of such p.) We build a derivation D by replacing R′ with R in D and adding a derivation of attacker(p) as a subtree of the nodes labeled by R′ in D. □

Proof (for elimtaut) Assume that R is a tautology. For the direct part, we remove η and replace it with one of its subtrees. The converse is obvious since elimtaut(R) = ∅. □

Proof (for elimnot) Assume that R contains as hypothesis an instance F of a fact in Fnot. Then elimnot(R) = ∅. Since D is a derivation, a son η′ of η infers an instance of F. We let D′ be the sub-derivation with subroot η′. D′ is a derivation of an instance of a fact in Fnot, so we obtain the direct part. The converse is obvious since elimnot(R) = ∅. □

Proof (for elimredundanthyp) We have R = H ∧ H′ ⇒ C, σH ⊆ H′, σ does not change the variables of H′ and C, and R′ = H′ ⇒ C.

For the direct part, R′ is built from R by removing some hypotheses, so we just remove the subtrees corresponding to removed hypotheses of R.

For the converse, we obtain a derivation D by duplicating the subtrees proving instances of elements of H′ that are also in σH and replacing R′ with R. □

Proof (for elimdup) For the direct part, R′ is built from R by removing some hypotheses, so we just remove the subtrees corresponding to removed hypotheses of R.

Conversely, we can form a derivation using R instead of R′ by duplicating the subtrees that derive the duplicate hypotheses of R. □

Proof (for decomp and decomphyp) If R is modified by decomp or decomphyp, then R is of one of the following forms:

• R = attacker(f(p1, . . . , pn)) ∧ H ⇒ C, where f is a data constructor (for both decomp and decomphyp).

For the direct part, let η′ be the son of η corresponding to the hypothesis attacker(f(p1, . . . , pn)). The edge η → η′ is labeled by an instance of attacker(f(p1, . . . , pn)), so, since D is data-decomposed, η′ is labeled by attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)). (The clause R that labels η cannot be attacker(f(x1, . . . , xn)) ⇒ attacker(xi), since this clause would be unmodified by decomp and decomphyp.) Then we build D′ by relabeling η with R′ = attacker(p1) ∧ . . . ∧ attacker(pn) ∧ H ⇒ C and deleting η′.

For the converse, we replace R′ = attacker(p1) ∧ . . . ∧ attacker(pn) ∧ H ⇒ C in D′ with attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)) and R = attacker(f(p1, . . . , pn)) ∧ H ⇒ C in D.

• R = H ⇒ attacker(f(p1, . . . , pn)), where f is a data constructor (for decomp only).

For the direct part, let η′ be the father of η. The edge η′ → η is labeled by an instance of attacker(f(p1, . . . , pn)), so, since D is data-decomposed, η′ is labeled by attacker(f(x1, . . . , xn)) ⇒ attacker(xi) for some i. (The clause R that labels η cannot be attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)) since this clause would be unmodified by decomp.) Then we build D′ by relabeling η with R′ = H ⇒ attacker(pi) and deleting η′.

For the converse, we replace R′ = H ⇒ attacker(pi) in D′ with R = H ⇒ attacker(f(p1, . . . , pn)) and attacker(f(x1, . . . , xn)) ⇒ attacker(xi) in D. □

Proof (for simplify and simplify′) For simplify and simplify′, the result is obtained by applying Lemma 16 for the functions that compose simplify and simplify′. □

Figure 9: Construction of a data-decomposed derivation (figure omitted: the subtree D that concludes Ff between η′ and η is copied n times, each copy is extended by a node labeled Rf,i to conclude Ff,i, and a node labeled Rf then concludes Ff again)

Proof of Lemma 2 Let F be a closed fact. If, for all F′ ∈ Fnot, no instance of F′ is derivable from saturate(R0) ∪ Fme, then F is derivable from R0 ∪ Fme if and only if F is derivable from saturate(R0) ∪ Fme.

Proof Assume that F is derivable from R0 ∪ Fme and consider a derivation of F from R0 ∪ Fme. We show that F or an instance of a fact in Fnot is derivable from saturate(R0) ∪ Fme.

We first transform the derivation of F into a data-decomposed derivation. We say that an edge η′ → η is offending when it is labeled by Ff = attacker(f(p1, . . . , pn)) for some data constructor f, η′ is not labeled by Rf,i = attacker(f(x1, . . . , xn)) ⇒ attacker(xi) for some i, and η is not labeled by Rf = attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)). We consider an offending edge η′ → η such that the subtree D of root η contains no offending edge. We copy the subtree D, which concludes Ff, n times and add the clauses Rf,i for i = 1, . . . , n, to conclude Ff,i = attacker(pi), then use the clause Rf to conclude Ff again, as in Figure 9. This transformation decreases the total number of data constructors at the root of labels of offending edges. Indeed, since there are no offending edges in D, the only edges that may be offending in the new subtree of root η′ are those labeled by Ff,1, . . . , Ff,n. The total number of data constructors at the root of their labels is the total number of data constructors at the root of p1, . . . , pn, which is one less than the total number of data constructors at the root of f(p1, . . . , pn). Hence, this transformation terminates and, upon termination, the obtained derivation contains no offending edge, so it is data-decomposed.

We consider the value of the set of clauses R at the end of saturate. For each clause R in R0, R ⊒Set simplify(R) (Lemma 15, Property 1). Assume that there exists a node labeled by R ∈ R0 \ R in this derivation. By Lemma 16, we can replace R with some R′′ ∈ simplify(R) or remove R. (After this replacement, we may obtain a derivation of an instance of a fact in Fnot instead of a derivation of F.) If R is replaced with R′′, by Lemma 13, we can replace R′′ with a clause in R. This transformation decreases the number of nodes labeled by clauses not in R. So this transformation terminates and, upon termination, no node of the obtained derivation is labeled by a clause in R0 \ R. Therefore, we obtain a data-decomposed derivation D of F or of an instance of a fact in Fnot from R ∪ Fme.

Next, we build a data-decomposed derivation of F or of an instance of a fact in Fnot from R1 ∪ Fme, where R1 = saturate(R0). If D contains a node labeled by a clause not in R1 ∪ Fme, we can transform D as follows. Let η′ be a lowest node of D labeled by a clause not in R1 ∪ Fme. So all sons of η′ are labeled by elements of R1 ∪ Fme. Let R′ be the clause labeling η′. Since R′ ∉ R1 ∪ Fme, sel(R′) ≠ ∅. Take F0 ∈ sel(R′). By Lemma 11, there exists a son η of η′ labeled by R, such that R ◦F0 R′ is defined. Since all sons of η′ are labeled by elements of R1 ∪ Fme, R ∈ R1 ∪ Fme. By definition of the selection function, F0 is not an m-event fact, so R ∉ Fme, so R ∈ R1. Hence sel(R) = ∅. So, by Lemma 15, Property 2, R ⊒Set simplify(R ◦F0 R′). So, by Lemma 11, we can replace η and η′ with η′′ labeled by R ◦F0 R′. By Lemma 16, we can replace R ◦F0 R′ with some R′′′ ∈ simplify(R ◦F0 R′) or remove R ◦F0 R′.

• If R ◦F0 R′ is replaced with R′′′, then by Lemma 13, we can replace R′′′ with a clause in R. The total number of nodes strictly decreases since η and η′ are replaced with a single node.

• If R ◦F0 R′ is removed, then the total number of nodes strictly decreases since η and η′ are removed.

So in all cases, we obtain a derivation D′ of F or of an instance of a fact in Fnot from R ∪ Fme, such that the total number of nodes strictly decreases. Hence, this replacement process terminates. Upon termination, all clauses are in R1 ∪ Fme. So we obtain a data-decomposed derivation of F or of an instance of a fact in Fnot from R1 ∪ Fme, which is the expected result.

For the converse implication, notice that if a fact is derivable from R1 then it is derivable from R, and that all clauses added to R do not create new derivable facts: when composing two clauses R and R′, the created clause can derive facts that could also be derived by R and R′. □
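To make the objects handled by Lemmas 11 to 15 and by this proof concrete, the following is an added example (not the paper's or ProVerif's code) of a small saturation procedure in Python: resolution R ◦F0 R′ with variables renamed apart, the selection function, subsumption ⊒, elim and elimtaut, run on a constructed clause set with symmetric encryption and a tagged tuple as data constructor. The term encoding, the '?' convention for variables, and the sample keys k, k2 and payloads s, n are assumptions of the example; sel here returns every selectable hypothesis and saturate tries each, whereas the paper's sel picks one.

```python
# Added example, not the paper's code: a minimal Horn-clause saturation with the
# operations the lemmas above manipulate. Terms are tuples ('f', arg, ...), a
# variable is a str starting with '?', a clause is (frozenset of hyps, conclusion).
import itertools
_fresh = itertools.count()

def walk(t, s):  # follow chained variable bindings of substitution s
    while isinstance(t, str) and t in s:
        t = s[t]
    return t

def subst(t, s):  # apply substitution s to term t
    t = walk(t, s)
    return t if isinstance(t, str) else (t[0],) + tuple(subst(a, s) for a in t[1:])

def variables(t):
    return {t} if isinstance(t, str) else set().union(*(variables(a) for a in t[1:]))

def unify(a, b, s=None):  # most general unifier extending s, or None; s is never mutated
    s = {} if s is None else s
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if isinstance(a, str):  # bind a variable, with occurs check
        return None if a in variables(subst(b, s)) else {**s, a: b}
    if isinstance(b, str):
        return unify(b, a, s)
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

def freeze(t):  # turn variables into constants so that unification becomes one-way matching
    return (t,) if isinstance(t, str) else (t[0],) + tuple(freeze(a) for a in t[1:])

def rename(clause):  # rename variables apart, as Lemma 11 does before resolving
    hyps, concl = clause
    vs = variables(concl).union(*(variables(f) for f in hyps))
    s = {v: f"{v.split('_')[0]}_{next(_fresh)}" for v in vs}
    return frozenset(subst(f, s) for f in hyps), subst(concl, s)

def sel(clause):  # selectable hypotheses: all except attacker(x) with x a variable
    return {f for f in clause[0] if not (f[0] == 'attacker' and isinstance(f[1], str))}

def resolve(r, f0, rp):  # R ◦F0 R′: unify the conclusion of R with the selected F0 of R′
    (h, c), (hp, cp) = rename(r), rp
    s = unify(c, f0)
    return None if s is None else (frozenset(subst(f, s) for f in h | (hp - {f0})), subst(cp, s))

def subsumes(r, rp):  # R ⊒ R′: some σ with σH ⊆ H′ and σC = C′ (backtracking over H′)
    (h, c), (hp, cp) = r, rp
    hp = [freeze(g) for g in hp]
    def cover(hs, s):
        return not hs or any((s2 := unify(hs[0], g, s)) is not None and cover(hs[1:], s2) for g in hp)
    s = unify(c, freeze(cp))
    return s is not None and cover(list(h), s)

def elim_add(rules, r):  # elim: skip r if subsumed, otherwise drop the clauses r subsumes
    if any(subsumes(q, r) for q in rules):
        return rules, False
    return [q for q in rules if not subsumes(r, q)] + [r], True

def saturate(r0):  # resolve clauses with sel = ∅ against selected hypotheses up to a fixpoint
    rules = []
    for r in r0:
        rules, _ = elim_add(rules, r)
    changed = True
    while changed:
        changed = False
        for r in list(rules):
            if sel(r):
                continue
            for rp in list(rules):
                for f0 in sel(rp):
                    new = resolve(r, f0, rp)
                    if new is None or new[1] in new[0]:  # undefined, or a tautology (elimtaut)
                        continue
                    rules, added = elim_add(rules, new)
                    changed = changed or added
    return [r for r in rules if not sel(r)]

def A(t):
    return ('attacker', t)

# Constructed sample: key k is known to the attacker, key k2 is not; payloads are
# tagged tuples (ct1, ...) in the spirit of the tagged protocols of this appendix.
k, k2, s, n, ct1 = ('k',), ('k2',), ('s',), ('n',), ('ct1',)
R0 = [
    (frozenset(), A(k)),
    (frozenset(), A(('sencrypt', ('tuple', ct1, s), k))),
    (frozenset(), A(('sencrypt', ('tuple', ct1, n), k2))),
    (frozenset({A(('sencrypt', '?x', '?y')), A('?y')}), A('?x')),     # sdecrypt
    (frozenset({A('?x1'), A('?x2')}), A(('sencrypt', '?x1', '?x2'))),  # constructor (Rf)
    (frozenset({A('?x1'), A('?x2')}), A(('tuple', '?x1', '?x2'))),     # data constructor
    (frozenset({A(('tuple', '?x1', '?x2'))}), A('?x2')),               # data destructor nth2
]
SATURATED = saturate(R0)  # contains the fact attacker(s) but no fact attacker(n)
```

The clause attacker(k2) ⇒ attacker((ct1, n)) is generated but keeps a selectable hypothesis, so it is not among the returned clauses and no fact about n ever appears.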

Proof of Lemma 3 Let F′ be a closed instance of F. If, for all F′′ ∈ Fnot, derivable(F′′, R1) = ∅, then F′ is derivable from R1 ∪ Fme if and only if there exist a clause H ⇒ C in derivable(F, R1) and a substitution σ such that σC = F′ and all elements of σH are derivable from R1 ∪ Fme.

Proof Let us prove the direct implication. Let F = {(F, F′)} ∪ {(F′′, σF′′) | F′′ ∈ Fnot, σ any substitution}. We show that, if F′ is derivable from R1 ∪ Fme, then there exist a clause H ⇒ C in derivable(Fg, R1) and a substitution σ such that (Fg, σC) ∈ F and all elements of σH are derivable from R1 ∪ Fme. (This property proves the desired result. If, for all F′′ ∈ Fnot, derivable(F′′, R1) = ∅ and F′ is derivable from R1 ∪ Fme, then there exist a clause H ⇒ C in derivable(Fg, R1) and a substitution σ such that (Fg, σC) ∈ F and all elements of σH are derivable from R1 ∪ Fme. Since, for all F′′ ∈ Fnot, derivable(F′′, R1) = ∅, we have Fg = F and F ∉ Fnot. Since (F, σC) ∈ F, we have then σC = F′.)

Let D be the set of derivations D′ of a fact Fi such that, for some Fg and R, (Fg, Fi) ∈ F, the clause R′ at the subroot of D′ satisfies deriv(R′, R, R1) ⊆ derivable(Fg, R1) and ∀R′′ ∈ R, R′′ ⋣ R′, and the other clauses of D′ are in R1 ∪ Fme.

Let attacker′ be a new predicate symbol. Let D be a derivation. If D is a derivation of attacker(p), we let D′ be the derivation obtained by replacing the clause H ⇒ attacker(p1) with H ⇒ attacker′(p1) and the fact attacker(p) derived by D with attacker′(p). If D is not a derivation of attacker(p), we let D′ be D. We say that the derivation D is almost-data-decomposed when D′ is data-decomposed. We first show that all derivations D in D are almost-data-decomposed. Let D′ be the transformed derivation as defined above. Let η′ → η be an edge of D′ labeled by F = attacker(f(p1, . . . , pn)), where f is a data constructor. This edge is not the outgoing edge of the root of D′, because D′ does not conclude attacker(p) for any p. So the clause that labels η is of the form R = H ⇒ attacker(p) and it is in R1. In order to obtain a contradiction, assume that p is a variable x. Since sel(R) = ∅, H contains only unselect­able facts. By Lemma 10, x occurs in non-m-event facts in H, so H contains attacker(x). So R is a tautology. This is impossible because R would have been removed from R1 by elimtaut. So p is not a variable. Hence p = f(p′1, . . . , p′n). If R was different from attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)), R would have been transformed by decomp, so R would not be in R1. Hence R = attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)). Therefore, D′ is data-decomposed, so D is almost-data-decomposed. Below, when we apply Lemma 11, 16, or 12, we first transform the considered derivation D into D′, apply the lemma to the data-decomposed derivation D′, and transform it back by replacing attacker′ with attacker. We obtain the same result as by transforming D directly, because the simplifications of simplify′ apply in the same way when the conclusion is attacker(p) or attacker′(p), since simplify′ uses decomphyp instead of decomp and does not use elimtaut.

Let D0 be a derivation of F′ from R1 ∪ Fme. Let D′0 be obtained from D0 by adding a node labeled by {F} ⇒ F at the subroot of D0. By definition of derivable, deriv(R′, ∅, R1) ⊆ derivable(F, R1), and ∀R′′ ∈ ∅, R′′ ⋣ R′. Hence D′0 is a derivation of F′ in D, so D is non-empty.

Now consider a derivation D1 in D with the smallest number of nodes. The clause R′ labeling the subroot η′ of D1 satisfies (Fg, Fi) ∈ F, deriv(R′, R, R1) ⊆ derivable(Fg, R1), and ∀R′′ ∈ R, R′′ ⋣ R′. In order to obtain a contradiction, we assume that sel(R′) ≠ ∅. Let F0 ∈ sel(R′). By Lemma 11, there exists a son η of η′, labeled by R, such that R ◦F0 R′ is defined. By hypothesis on the derivation D1, R ∈ R1 ∪ Fme. By the choice of the selection function, F0 is not an m-event fact, so R ∉ Fme, so R ∈ R1. Let R0 = R ◦F0 R′. So, by Lemma 11, we can replace R′ with R0, obtaining a derivation D2 of Fi with fewer nodes than D1.

By Lemma 16, we can either replace R0 with some R′0 ∈ simplify′(R0) or remove R0, yielding a derivation D3.

• In the latter case, D3 is a derivation of a fact F′i which is either Fi or an instance of a fact F′g in Fnot. If F′i = Fi, we let F′g = Fg. So (F′g, F′i) ∈ F.

We replace R0 with R′0 = F′g ⇒ F′g in D2. Hence we obtain a derivation with fewer nodes than D1 and such that deriv(R′0, ∅, R1) ⊆ derivable(F′g, R1) and ∀R1 ∈ ∅, R1 ⋣ R′0. So we have a derivation in D with fewer nodes than D1, which is a contradiction.

• In the former case, D3 is a derivation of Fi, and deriv(R′0, {R′} ∪ R, R1) ⊆ deriv(R′, R, R1) ⊆ derivable(Fg, R1) (third case of the definition of deriv(R′, R, R1)).

– If ∀R1 ∈ {R′} ∪ R, R1 ⋣ R′0, D3 is a derivation of Fi in D, with fewer nodes than D1, which is a contradiction.

– Otherwise, ∃R1 ∈ {R′} ∪ R, R1 ⊒ R′0. Therefore, by Lemma 12, we can build a derivation D4 by replacing R′0 with R1 in D3. There is an older call to deriv, of the form deriv(R1, R′, R1), such that deriv(R1, R′, R1) ⊆ derivable(Fg, R1). Moreover, R1 has been added to R′ in this call, since R1 appears in {R′} ∪ R. Therefore the third case of the definition of deriv(R1, R′, R1) has been applied, and not the first case. So ∀R2 ∈ R′, R2 ⋣ R1, so the derivation D4 is in D and has fewer nodes than D1, which is a contradiction.

In all cases, we could find a derivation in D that has fewer nodes than D1. This is a contradiction, so sel(R′) = ∅, hence R′ ∈ derivable(Fg, R1). The other clauses of this derivation are in R1 ∪ Fme. By definition of a derivation, R′ ⊒ H′ ⇒ Fi where H′ is the multiset of labels of the outgoing edges of the subroot of the derivation. Taking R′ = H ⇒ C, there exists σ such that σC = Fi and σH ⊆ H′, so all elements of σH are derivable from R1 ∪ Fme. We have the result, since (Fg, Fi) ∈ F.

The proof of the converse implication is left to the reader. (Basically, the clause R ◦F0 R′ does not generate facts that cannot be generated by applying R and R′.) □

D Termination Proof

In this section, we give the proof of Proposition 3 stated in Section 8.1. We denote by P0 a tagged protocol and let P′0 = instr(P0). We have the following properties:


• By Condition C2, the input and output constructs in the protocol always use a public channel c. So the facts message(c, p) are replaced with attacker(p) in all clauses. The only remaining clauses containing message are (Rl) and (Rs). Since message(x, y) is selected in these clauses, the only inference with these clauses is to combine (Rs) with (Rl), and it yields a tautology which is immediately removed. Therefore, we can ignore these clauses in our termination proof.

• By hypothesis on the queries and Remark 3, the clauses do not contain m-event facts.

In this section, we use the sort system defined at the beginning of Appendix C (Lemma 10). The patterns of a fact pred(p1, . . . , pn) are p1, . . . , pn. The patterns of a clause R are the patterns of all facts in R, and we denote the set of patterns of R by patterns(R). A pattern is said to be non-data when it is not of the form f(. . .) with f a data constructor. The set sub(S) contains the subterms of patterns in the set S. Below, we use the word “program” for a set of clauses (that is, a logic program).

Definition 20 (Weakly tagged programs) Let S0 be a finite set of closed patterns and tagGen be a set of patterns.

A pattern is top-tagged when it is an instance of a pattern in tagGen. A pattern is fully tagged when all its non-variable non-data subterms are top-tagged. Let RProtAdv be the set of clauses R that satisfy Lemma 10 and are of one of the following three forms:

1. RProtocol contains clauses R of the form F1 ∧ . . . ∧ Fn ⇒ F where for all i, Fi is of the form attacker(p) for some p, F is of the form attacker(p) or event(p) for some p, there exists a substitution σ such that patterns(σR) ⊆ sub(S0), and the patterns of R are fully tagged.

2. RConstr contains clauses of the form attacker(x1) ∧ . . . ∧ attacker(xn) ⇒ attacker(f(x1, . . . , xn)) where f is a constructor.

3. RDestr contains clauses of the form attacker(f(p1, . . . , pn)) ∧ attacker(x1) ∧ . . . ∧ attacker(xk) ⇒ attacker(x) where f is a constructor, p1, . . . , pn are fully tagged, x is one of p1, . . . , pn, and f(p1, . . . , pn) is more general than every pattern of the form f(. . .) in sub(S0).

A program R0 is weakly tagged if there exist a finite set of closed patterns S0 and a set of patterns tagGen such that

W1. R0 is included in RProtAdv.

W2. If two patterns p1 and p2 in tagGen unify, p′1 is an instance of p1 in sub(S0), and p′2 is an instance of p2 in sub(S0), then p′1 = p′2.

Intuitively, a pattern is top-tagged when its root function symbol is tagged (that is, it is of the form f((ct, M1, . . . , Mn), . . .)). A pattern is fully tagged when all its function symbols are tagged.

We are going to show that all clauses generated by the resolution algorithm are in RProtAdv. Basically, the clauses in RProtocol satisfy two conditions: they can be instantiated into clauses whose patterns are in sub(S0) and they are tagged. Then, all patterns in clauses of RProtocol are instances of tagGen and have instances in sub(S0). Property W2 allows us to show that this property is preserved by resolution: when unifying two patterns that satisfy the invariant, the result of the unification also satisfies the invariant, because the instances in sub(S0) of those two patterns are in fact equal. Thanks to this property, we can show that clauses obtained by resolution from clauses in RProtocol are still in RProtocol. To prove termination, we show that the size of generated clauses decreases, for a suitable notion of size defined below. The clauses of RConstr and RDestr are needed for constructors and destructors. Although they do not satisfy exactly the conditions for being in RProtocol, their resolution with a clause in RProtocol yields a clause in RProtocol.

E, P ∪ { 0 }, M → E, P, M (Red Nil′)

E, P ∪ { !i P }, M → E[i ↦ Id0], P ∪ { P{Id0/i} }, M ∪ {Id0} (Red Repl′)

E, P ∪ { P | Q }, M → E, P ∪ { P, Q }, M (Red Par′)

E, P ∪ { (νa : ℓ)P }, M → E[a ↦ E(ℓ)], P ∪ { P }, M ∪ {M1, . . . , Mn, a} (Red Res′)

E, P ∪ { c⟨M⟩.Q }, M → E, P ∪ { Q }, M ∪ {M} (Red Out′)

E, P ∪ { c(x).P }, M → E[x ↦ E(M)], P ∪ { P{M/x} }, M if M ∈ M (Red In′)

E, P ∪ { let x = g(M1, . . . , Mn) in P else 0 }, M → E[x ↦ E(M′)], P ∪ { P{M′/x} }, M ∪ {M1, . . . , Mn, M′} if g(M1, . . . , Mn) → M′ (Red Destr 1′)

E, P ∪ { event(M).Q }, M → E, P ∪ { Q }, M ∪ {M} (Red Event′)

Figure 10: Special semantics for instrumented processes

Let Paramspk and Paramshost be the sets of arguments of pk resp. host in the terms that occur in the trace of Condition C5. Let condense(R0) be the set of clauses R obtained by R ← ∅; for each R ∈ R0, R ← elim(simplify(R) ∪ R). We first consider the case in which a single long-term key is used, that is, Paramspk and Paramshost have at most one element. The results will be generalized to any number of keys at the end of this section. The next proposition shows that the initial clauses given to the resolution algorithm form a weakly tagged program.

Proposition 4 If P0 is a tagged protocol such that Paramspk and Paramshost have at most one element and P′0 = instr(P0), then condense(RP′0,Init) is a weakly tagged program.

Proof sketch The fully detailed proof is very long (about 8 pages) so we give only a sketch here. A similar proof (for strong secrecy instead of secrecy and reachability) with more details can be found in the technical report [16, Appendix C].

We assume that different occurrences of restrictions and variables have different identifiers and identifiers different from free names and variables. In Figure 10, we define a special semantics for instrumented processes, which is only used as a tool in the proof. A semantic configuration consists of three components: an environment E mapping names and variables to patterns, a multiset of instrumented processes P, and a set of terms M. The semantics is defined as a reduction relation on semantic configurations. In this semantics, (νa) creates the name a, instead of a fresh name a′. Indeed, creating fresh names is useless, since the replication does not copy processes in this semantics, and the names are initially pairwise distinct.

Let E0 = {a ↦ a[ ] | a ∈ fn(P0)}. We show that E0, {P′0}, fn(P0) →∗ E′, ∅, M′, for some E′ and M′, such that the second argument of pencryptp in M′ is of the form pk(M) and the arguments of pk and host in M′ are atomic constants in Paramspk and Paramshost respectively. This result is obtained by simulating in the semantics of Figure 10 the trace of Condition C5. Moreover, the second argument of pencryptp in M′ is of the form pk(M) by Condition C6 and the arguments of pk and host in M′ are atomic constants in Paramspk and Paramshost respectively, by Condition C7 and definition of Paramspk and Paramshost.

Let us define S0 = E′(M′) ∪ {b0[Id0]}. If Paramspk is empty, we add some key k to it, so that Paramspk = {k}. Let c, c′, c′′, c′′′ be constants. If S0 contains no instance of sencrypt(x, y), we add sencrypt((c, c′), c′′) to S0. If S0 contains no instance of sencryptp(x, y, z), we add sencryptp((c, c′), c′′, c′′′) to S0. If S0 contains no instance of pencryptp(x, y, z), we add pencryptp((c, c′), pk(k), c′′) to S0. If S0 contains no instance of sign(x, y), we add sign((c, c′), k) to S0. If S0 contains no instance of nmrsign(x, y), we add nmrsign((c, c′), k) to S0. So S0 is a finite set of closed patterns. Intuitively, S0 is the set of patterns corresponding to closed terms that occur in the trace of Condition C5.

Let Et be E in which all patterns a[. . .] are replaced with their corresponding term a. In all reductions E0, {P′0}, fn(P0) →∗ E, P, M, all patterns of the form a[. . .] in the image of E are equal to E(a), so E ◦ Et = E. We show the following result by induction on P:

Let P be an instrumented process, subprocess of P′0. Assume that E0, {P′0}, fn(P0) →∗ E, P ∪ {Et(P)}, M →∗ E′, ∅, M′, and that there exists σ′ such that E′|dom(ρ) = σ′ ◦ ρ and patterns(σ′H) ⊆ sub(S0). Then for all R ∈ [[P]]ρH, there exists σ′′ such that patterns(σ′′R) ⊆ sub(S0).

Let ρ0 = {a ↦ a[ ] | a ∈ fn(P0)}. By applying this result to P = P′0, we obtain that for all clauses R in [[P′0]]ρ0∅, there exists a substitution σ such that patterns(σR) ⊆ sub(S0).

Let

tagGen = {f((cti, x1, . . . , xn), x′2, . . . , x′n′) | f ∈ {sencrypt, sencryptp, pencryptp, sign, nmrsign, h, mac}}
∪ {a[x1, . . . , xn] | a name function symbol}
∪ {pk(x), host(x)} ∪ {c | c atomic constant}

We show the following result by induction on P :

Assume that the patterns of the image of ρ and of H are fully tagged. Assume that P is an instrumented process, subprocess of P′0. For all R ∈ [[P]]ρH, patterns(R) are fully tagged.

This result relies on Condition C3 to show that the created terms are tagged, and on Condition C4 to show that the tags are checked. By applying this result to P = P′0, we obtain that for all R ∈ [[P′0]]ρ0∅, the patterns of R are fully tagged.

By the previous results, [[P′0]]ρ0∅ ⊆ RProtocol. The clauses (Rf) are in RConstr. The clauses (Init) and (Rn) are in RProtocol given the value of S0. The clauses (Rg) for nthi, sdecrypt, sdecryptp, pdecryptp, and getmessage are:

attacker((x1, . . . , xn)) ⇒ attacker(xi) (nthi)

attacker(sencrypt(x, y)) ∧ attacker(y) ⇒ attacker(x) (sdecrypt)

attacker(sencryptp(x, y, z)) ∧ attacker(y) ⇒ attacker(x) (sdecryptp)

attacker(pencryptp(x, pk(y), z)) ∧ attacker(y) ⇒ attacker(x) (pdecryptp)

attacker(sign(x, y)) ⇒ attacker(x) (getmessage)

and they are in RDestr provided that all public-key encryptions in S0 are of the form pencryptp(p1, pk(p2), p3) (that is, Condition C6). The clauses for checksignature and nmrchecksign are

attacker(sign(x, y)) ∧ attacker(pk(y))⇒ attacker(x) (checksignature)

attacker(nmrsign(x, y)) ∧ attacker(pk(y)) ∧ attacker(x)⇒ attacker(true) (nmrchecksign)

These two clauses are subsumed respectively by the clauses for getmessage (given above) and true (which is simply attacker(true) since true is a zero-ary constructor), so they are eliminated by condense, i.e., they are not in condense(RP′0,Init). (This is important, because they are not in RDestr.) Therefore all clauses in condense(RP′0,Init) are in RProtAdv, since the set of clauses RProtAdv is preserved by simplification, so we have Condition W1.
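As an added illustration (not code from the paper or from ProVerif), the destructor clauses above encoded as Horn clauses in Python, together with the subsumption test that condense relies on to drop the checksignature and nmrchecksign clauses, and a forward-chaining closure over a constructed set of attacker facts; the tuple-based term encoding, the helper names and the sample knowledge are assumptions of this example.

```python
"""Horn-clause view of the destructor clauses (Rg) and of clause subsumption.
Added example, not ProVerif's code; the encoding below is constructed here.

A term is a tuple (symbol, arg1, ..., argn); a variable is ('var', name).
Every fact in this example is attacker(p), so a fact is represented by the
pattern p alone.  A clause is (hypotheses, conclusion).
"""

def var(name):
    return ('var', name)

def is_var(t):
    return t[0] == 'var'

def match(pattern, term, subst):
    """One-sided unification: extend subst so that subst(pattern) == term.
    Returns the extended substitution, or None if no extension exists."""
    if is_var(pattern):
        bound = subst.get(pattern[1])
        if bound is None:
            subst[pattern[1]] = term
            return subst
        return subst if bound == term else None
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst

def apply_subst(subst, t):
    if is_var(t):
        return subst.get(t[1], t)
    return (t[0],) + tuple(apply_subst(subst, a) for a in t[1:])

def match_all(patterns, targets, subst):
    """Yield each substitution extending subst that maps every pattern onto
    some element of targets (backtracking over the possible choices)."""
    if not patterns:
        yield subst
        return
    for t in targets:
        s = match(patterns[0], t, dict(subst))
        if s is not None:
            yield from match_all(patterns[1:], targets, s)

def subsumes(r1, r2):
    """R1 subsumes R2 when some sigma makes sigma(concl R1) = concl R2 and
    every hypothesis of sigma(R1) a hypothesis of R2; R2 is then redundant,
    which is why condense removes it."""
    hyps1, concl1 = r1
    hyps2, concl2 = r2
    subst = match(concl1, concl2, {})
    return subst is not None and any(True for _ in match_all(hyps1, hyps2, subst))

def saturate_closed(facts, clauses):
    """Forward chaining over closed facts: the attacker knowledge derivable
    with the given clauses.  It terminates because destructors only expose
    subterms of facts that are already known."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for hyps, concl in clauses:
            for subst in match_all(hyps, list(known), {}):
                fact = apply_subst(subst, concl)
                if fact not in known:
                    known.add(fact)
                    changed = True
    return known

X, Y, Z = var('x'), var('y'), var('z')
# The destructor clauses of the text, in the order given there.
SDECRYPT = ([('sencrypt', X, Y), Y], X)
SDECRYPTP = ([('sencryptp', X, Y, Z), Y], X)
PDECRYPTP = ([('pencryptp', X, ('pk', Y), Z), Y], X)
GETMESSAGE = ([('sign', X, Y)], X)
CHECKSIGNATURE = ([('sign', X, Y), ('pk', Y)], X)
NMRCHECKSIGN = ([('nmrsign', X, Y), ('pk', Y), X], ('true',))
TRUE_CLAUSE = ([], ('true',))          # the zero-ary constructor true

def nth_clauses(n):
    """One clause (nth_i) per position of an n-tuple."""
    xs = [var(f'x{i}') for i in range(1, n + 1)]
    return [([('tuple', *xs)], xs[i]) for i in range(n)]

# Constructed attacker knowledge for one run (sample values, not from the paper).
K, SK, SECRET, MSG, S2, R = ('k',), ('sk',), ('secret',), ('m',), ('s2',), ('r',)
INITIAL_KNOWLEDGE = {
    ('sencrypt', SECRET, K), K,                 # k leaked: secret becomes derivable
    ('sign', MSG, SK), ('pk', SK),              # signature + public key: m derivable
    ('pencryptp', S2, ('pk', SK), R),           # sk unknown: s2 stays underivable
    ('tuple', ('a',), ('b',)),                  # components exposed by nth_i
}

def attacker_closure():
    return saturate_closed(INITIAL_KNOWLEDGE,
                           [SDECRYPT, SDECRYPTP, PDECRYPTP, GETMESSAGE] + nth_clauses(2))
```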


Automatic Verification of Correspondences for Security Protocols 205

Different patterns in tagGen do not unify. Moreover, each pattern in tagGen has at most one instance in sub(S0). For pk(x) and host(x), this comes from the hypothesis that Paramspk and Paramshost have at most one element. For atomic constants, this is obvious. (Their only instance is themselves.) For other patterns, this comes from the fact that the trace of Condition C5 executes each program point at most once, and that patterns created at different program points are associated with different symbols (f, c) for f((c, . . .), . . .) and a for a[. . .]. (For f((c, . . .), . . .), this comes from Condition C3. For a[. . .], this is because different restrictions use a different function symbol by construction of the clauses.) So we have Condition W2. □

The next proposition shows that saturation terminates for weakly tagged programs.

Proposition 5 Let R0 be a set of clauses. If condense(R0) is a weakly tagged program (Definition 20), then the computation of saturate(R0) terminates.

Proof This result is very similar to [20, Proposition 8], so we give only a brief sketch and refer the reader to that paper for details.

We show by induction that all clauses R generated from R0 are in RProtocol ∪ RConstr ∪ RDestr and the patterns of attacker facts in clauses R in RProtocol are non-data.

First, by hypothesis, all clauses in condense(R0) satisfy this property, by definition of weakly tagged programs and because of the decomposition of data constructors by decomp.

If we combine by resolution two clauses in RConstr ∪ RDestr, we in fact combine a clause of RConstr with a clause of RDestr. The resulting clause is a tautology by definition of RConstr and RDestr, so it is eliminated by elimtaut.

Otherwise, we combine by resolution a clause R in RProtocol with a clause R′ such that R′ ∈ RProtocol, sel(R′) = ∅, and sel(R) ≠ ∅, or R′ ∈ RConstr, or R′ ∈ RDestr. Let R′′ be the clause obtained by resolution of R and R′. We show that the patterns of R′′ are fully tagged, and for each σ such that patterns(σR) ⊆ sub(S0), there exists σ′′ such that patterns(σ′′R′′) ⊆ sub(S0) and size(σ′′R′′) < size(σR), where the size is defined as follows. The size of a pattern size(p) is defined as usual, size(attacker(p)) = size(event(p)) = size(p), and size(F1 ∧ . . . ∧ Fn ⇒ F) = size(F1) + . . . + size(Fn) + size(F).

Let Rs ∈ simplify(R′′). The patterns of Rs are non-data fully tagged, patterns(σ′′Rs) ⊆ sub(S0), and size(σ′′Rs) ≤ size(σ′′R′′) < size(σR). So Rs ∈ RProtocol and its patterns are non-data.

Moreover, for all generated clauses R, there exists σ such that size(σR) is smaller than the maximum initial value of size(σR) for a clause of the protocol. There is a finite number of such clauses (since size(R) ≤ size(σR)). So saturate(R0) terminates. □

Next, we show that derivable terminates when it is called on the result of the saturation of a weakly tagged program.

Proposition 6 If F is a closed fact and R1 is a weakly tagged program simplified by simplify such that, for all R ∈ R1, sel0(R) = ∅, then derivable(F, R1) terminates.

Proof We show the following property:

For all calls deriv(R, R, R1), R = F ⇒ F or R = attacker(p1) ∧ . . . ∧ attacker(pn) ⇒ F where p1, . . . , pn are closed patterns.

This property is proved by induction. It is obviously true for the initial call to deriv, deriv(F ⇒ F, ∅, R1). For recursive calls to deriv, deriv(R′′, R, R1), the clause R′′ is in simplify′(R′ ◦F0 R), where R′ = attacker(x1) ∧ . . . ∧ attacker(xk) ⇒ F′ since R′ ∈ R1 and R = F ⇒ F or R = attacker(p1) ∧ . . . ∧ attacker(pn) ⇒ F where p1, . . . , pn are closed patterns, by induction hypothesis. After unification of F′ and F0, xi is substituted by a closed pattern p′i (subpattern of F0, and F0 is closed since F0 is a hypothesis of R), since xi appears in F′. (If xi did not appear in F′, attacker(xi) would have been removed by elimattx.)

If R = F ⇒ F, R′ ◦F0 R = attacker(p′1) ∧ . . . ∧ attacker(p′k) ⇒ F has only closed patterns in its hypotheses, and so has the clause R′′ in simplify′(R′ ◦F0 R).

Otherwise, R = attacker(p1) ∧ . . . ∧ attacker(pn) ⇒ F, F0 = attacker(pi), and pi is a closed pattern. We have R′ ◦F0 R = attacker(p′1) ∧ . . . ∧ attacker(p′k) ∧ attacker(p1) ∧ . . . ∧ attacker(pi−1) ∧ attacker(pi+1) ∧ . . . ∧ attacker(pn) ⇒ F, which has only closed patterns in its hypotheses, and so has the clause R′′ in simplify′(R′ ◦F0 R). Moreover, p′1, . . . , p′k are disjoint subterms of pi, therefore the total size of p′1, . . . , p′k is strictly smaller than the size of pi. (If we had equality, F′ would be a variable; this variable would occur in the hypothesis by definition of RProtAdv, so R′ would have been removed by elimtaut.) Therefore the total size of the patterns in the hypotheses strictly decreases. (The simplification function simplify′ cannot increase this size.) This decrease proves termination. □

From the previous results, we infer the termination of the algorithm for tagged protocols, when Paramspk and Paramshost have at most one element. The general case can then be obtained as in [20]: we define a function OneKey which maps all elements of Paramspk and Paramshost to a single atomic constant. When P0 is a tagged protocol, OneKey(P0) is a tagged protocol in which Paramspk and Paramshost are singletons. We consider a “less optimized algorithm” in which elimination of duplicate hypotheses and of tautologies are performed only for facts of the form attacker(x), elimination of redundant hypotheses is not performed, and elimination of subsumed clauses is performed only for eliminating the destructor clauses for checksignature and nmrchecksign. We observe that the previous results still hold for the less optimized algorithm, with the same proof, so this algorithm terminates on OneKey(P0). All resolution steps possible for the less optimized algorithm applied to P0 are possible for the less optimized algorithm applied to OneKey(P0) as well (more patterns are unifiable, and the remaining simplifications of the less optimized algorithm commute with applications of OneKey). Hence, the derivations from RP′0,Init are mapped by OneKey to derivations from ROneKey(P′0),Init, which are finite, so derivations from RP′0,Init are also finite, so the less optimized algorithm terminates on P0. We can then show that the original, fully optimized algorithm also terminates on P0. So we finally obtain Proposition 3.

E General Correspondences

In this appendix, we prove Theorem 5. For simplicity, we assume that the function applications at the root of events are unary.

Lemma 17 Let P0 be a closed process and P′0 = instr′(P0). Let Q be an Init-adversary and Q′ = instrAdv(Q). Assume that, in P0, the arguments of events are function applications. Let f be a function symbol. Assume that there is a single occurrence of event(f( )) in P0 and this occurrence is under a replication. Consider any trace T = S0, E0, {P′0, Q′} →∗ S′, E′, P′. The multiset of session identifiers λ of events event(f( ), λ) executed in T contains no duplicates.

Proof Let us define the multiset SId(P) by SId(event(f(M), λ).P) = {λ} ∪ SId(P) (for the given function symbol f), SId(!iP) = ∅, and in all other cases, SId(P) is the union of the SId(P′) for all immediate subprocesses P′ of P. For a trace T, let SId(T) be the set of session identifiers λ of events event(f( ), λ) executed in the trace T.

We show that, for each trace T = S0, E0, {P′0, Q′} →∗ S′, E′, P′, SId(T) ∪ ⋃P∈P′ SId(P) ∪ S′ contains no duplicates. The proof is by induction on the length of the trace.

For the empty trace T = S0, E0, {P′0, Q′} →∗ S0, E0, {P′0, Q′}, SId(T) = ∅ and SId(P′0) ∪ SId(Q) = ∅ by definition.


The reduction (Red Repl) moves at most one session identifier from S′ to ⋃P∈P′ SId(P) (without introducing duplicates since there is one occurrence of event(f( ), )). The reduction (Red Event) moves at most one session identifier from ⋃P∈P′ SId(P) to SId(T). The other reductions can only remove session identifiers from ⋃P∈P′ SId(P) (by removing subprocesses). □

Lemma 18 Let P0 = C[event(f(M)).D[event(fm−event(M, x)).P]], where no replication occurs in D[ ] above the hole [ ], and the variables and names bound in P0 are all pairwise distinct and distinct from free names. Assume that, in P0, the arguments of events are function applications, and that there is a single occurrence of event(f( )) and of event(fm−event( , )) in P0.

Let Q be an Init-adversary and Q′ = instrAdv(Q). Let P′0 = instr′(P0). Consider a trace of P′0: T = S0, E0, P0 = {P′0, Q′} →∗ Sτf, Eτf, Pτf.

Then there exists a function φi such that a) if event(fm−event(p, p′), λ) is executed at step τ in T for some λ, p, p′, τ, then event(f(p), λ) is executed at step φi(τ) in T, b) φi is injective, and c) if φi(τ) is defined, then φi(τ) < τ.

Proof We denote by Sτ, Eτ, Pτ the configuration at the step τ in the trace T. Let

$$\begin{aligned}
S_1(\tau) &= \{(\lambda, p) \mid \mathit{event}(f(p), \lambda) \text{ is executed in the first } \tau \text{ steps of } T\}, \\
S_2(\tau) &= \{(\lambda, p) \mid \mathit{event}(f_{\text{m-event}}(p, p'), \lambda) \text{ is executed in the first } \tau \text{ steps of } T\}, \\
S_3(\tau) &= \{(\lambda, p) \mid \mathit{event}(f_{\text{m-event}}(M, M'), \lambda) \text{ occurs not under } \mathit{event}(f(M), \lambda) \text{ in } \mathcal{P}_\tau \text{ for } E_\tau(M) = p\}
\end{aligned}$$

For each τ , we show that S2(τ) ∪ S3(τ) ⊆ S1(τ).

• For τ = 0, the sets S1(τ), S2(τ), and S3(τ) are empty.

• If Sτ, Eτ, Pτ → Sτ+1, Eτ+1, Pτ+1 using (Red Event) to execute event(f(M), λ), then the same (λ, Eτ+1(M)) is added to S3(τ + 1) and to S1(τ + 1). Similarly, for (Red Event) executing event(fm−event(M, M′), λ), a pair (λ, Eτ+1(M)) is moved from S3(τ) to S2(τ + 1). These changes preserve the desired inclusion.

• Otherwise, if Sτ, Eτ, Pτ → Sτ+1, Eτ+1, Pτ+1, then S1(τ + 1) = S1(τ), S2(τ + 1) = S2(τ), and S3(τ + 1) ⊆ S3(τ) (because some subprocesses may be removed by the reduction).

In particular, S2(τf) ⊆ S1(τf). By Lemma 17, there is a bijection φ1 from the session labels λ of executed event(f( ), λ) events in T to the steps at which these events are executed in T, and similarly φ2 for event(fm−event( , ), ) events. Let φi = φ1 ◦ φ2⁻¹.

• If event(fm−event(p, p′), λ) is executed at step τ, (λ, p) ∈ S2(τf) ⊆ S1(τf), so event(f(p), λ) is executed at a certain step τ′. So φ2(λ) = τ and φ1(λ) = τ′, so φi(τ) is defined and τ′ = φi(τ).

• Since φ1 and φ2⁻¹ are injective, φi is injective.

• If φi(τ) is defined, the event event(fm−event(σy, σx), λ) is executed at step τ by (Red Event). So (λ, σy) ∈ S3(τ), where Pτ corresponds to the state just before the event event(fm−event(σy, σx), λ) is executed. Hence (λ, σy) ∈ S1(τ) since S2(τ) ∪ S3(τ) ⊆ S1(τ). So event(f(σy), λ) is executed at step τ′ < τ. We have φ2(λ) = τ and φ1(λ) = τ′, so φi(τ) = τ′ < τ. □

Proof (of Theorem 5) For each non-empty jk, when [inj]jk = inj, let fjk be the root function symbol of pjk. We consider a modified process P1 built from P0 as follows. For each jk such that [inj]jk = inj and event(fjk(M)) occurs in P0, we add another event event(fm−eventjk(M, xjk)) just under the definition of variable xjk if xjk is defined under event(fjk(M)) and just under event(fjk(M)) otherwise. Let P′1 = instr′(P1). The process P′1 is built from P′0 as follows. For each jk such that [inj]jk = inj and event(fjk(M), i) occurs in P′0, we add another event event(fm−eventjk(M, xjk), i) just under the definition of variable xjk if xjk is defined under event(fjk(M), i) and just under event(fjk(M), i) otherwise. (When [inj]jk = inj, xjk ∈ dom(ρjrk) where ρjrk is the environment added as argument of m-event facts in the clauses, so xjk is defined either above event(fjk(M), i) or under event(fjk(M), i) without any replication between the event and the definition of xjk, since the domain of the environment given as argument to m-event is set at replications by substituting � and not modified later.) We will show that P′1 satisfies the desired correspondence. It is then clear that P′0 also satisfies it.

The clauses RP ′1,Init can be obtained from R′

P ′0,Init

by replacing all facts m-event(p, ρ) with

m-event(p, i) ∧∧

jk such that p=fjk

(p′) and xjk∈dom(ρ)

m-event(fm−eventjk

(p′, ρ(xjk)), i)

for some i, and adding clauses that conclude event(fm−eventjk

(. . .), . . .).

The clauses in solveP ′1,Init can be obtained in the same way from solve′P ′

0,Init . So we

can define a function verify′ like verify with an additional argument (xjkj′k′)jkj′k′ by adding(xjkjkj′k′)jkj′k′ in the arguments of recursive call of Point V2.3 and replacing Point V2.1

with solveP ′1,Init(event(p, i)) ⊆ {H ∧

∧ljk=1 m-event(argjrk, ijrk) ⇒ event(σjrp

′j , ijr) for some H,

j ∈ {1, . . . ,m}, r, ijrk, and (ρjrk, ijr) ∈ Env jk for all k} where argjrk = σjrpjk if [inj]jk 6= inj, and

argjrk = fm−eventjk (σjrp

′, ρjrk(xjk)) if [inj]jk = inj and pjk = fjk(p′). When verify(q, (Env jk)jk)

is true, verify′(q, (Env jk)jk, (xjk)jk) is also true.

Let Q be an Init-adversary and Q′ = instrAdv(Q). Let E0 such that E0(a) = a[ ] for all a ∈ dom(E0) and fn(P′1) ∪ Init ⊆ dom(E0). Let us now consider a trace of P′1, T = S0, E0, {P′1, Q′} →∗ S′, E′, P′. By Lemma 18, for each non-empty jk such that [inj]jk = inj, there exists a function φijk such that a) if event(fm−eventjk(p, p′), λ) is executed at step τ in T for some λ, p, p′, τ, then event(fjk(p), λ) is executed at step φijk(τ) in T, b) φijk is injective, and c) if φijk(τ) is defined, then φijk(τ) < τ.

When ψjk is a family of functions from steps to steps in a trace, we define ψ◦jk as follows:

• ψ◦ε(τ) = τ for all τ;

• for all jk, for all j and k, ψ◦jkjk = φijkjk ◦ ψjkjk ◦ ψ◦jk when [inj]jkjk = inj and ψ◦jkjk = ψjkjk ◦ ψ◦jk otherwise.

We show that, if verify′(q′, (Env jk)jk, (xjk)jk) is true for

$$q' = \mathit{event}(p) \Rightarrow \bigvee_{j=1}^{m} \mathit{event}(p'_j) \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\, q'_{jk} \qquad\qquad q'_{jk} = \mathit{event}(p_{jk}) \bigvee_{j=1}^{m_{jk}} \bigwedge_{k=1}^{l_{jkj}} [\mathit{inj}]_{jkjk}\, q'_{jkjk}$$

then there exists a function ψjk for each jk such that


P1. For all τ, if the event event(σp, λε) is executed at step τ in T, then there exist σ′′ and J = (jk)k such that σ′′p′jε = σp and, for all non-empty k, ψ◦makejk(k,J)(τ) is defined and event(σ′′pmakejk(k,J), λk) is executed at step ψ◦makejk(k,J)(τ) in T.

P2. For all non-empty jk, if [inj]jk = inj and ψjk(τ) is defined, then event(p′′1, λ′1) is executed at step τ in T, event(fm−eventjk(p′′2, θρ(xjk)), λ′2) is executed at step ψjk(τ) in T, and θi = λ′1 for some p′′1, p′′2, λ′1, λ′2, θ, and (ρ, i) ∈ Env jk, where fjk is the root function symbol of pjk. (This property is used for proving injectivity and recentness.)

P3. For all non-empty jk, if ψjk(τ) is defined, then ψjk(τ) ≤ τ.

The proof is by induction on q′.

• If q′ = event(p) (that is, m = 1, l1 = 0, and p1 = p), we define jε = 1 and σ′′ = σ, so that σ′′p′jε = σp. All other conditions hold trivially, since there is no non-empty k.

• Otherwise, we define ψjk as follows.

Using Point V2.1, by Theorem 3, P′1 satisfies the correspondence

$$\mathit{event}(p, i) \Rightarrow \bigvee_{j=1..m,\ r} \mathit{event}(\sigma_{jr} p'_j, i_{jr}) \bigwedge_{k=1}^{l_j} \mathit{event}(\mathit{arg}_{jrk}, i_{jrk}) \tag{24}$$

against Init-adversaries.

Assume that event(σp, λ) is executed at step τ in T for some substitution σ. Let us consider the trace T cut just after step τ. By Correspondence (24), there exist σ′, j ∈ {1, . . . , m}, and r such that σ′σjrp′j = σp, σ′ijr = σλ = λ, and for k ∈ {1, . . . , lj}, there exists λk such that event(σ′argjrk, λk) is executed in the trace T cut after step τ. So the event event(σ′argjrk, λk) is executed at step τk ≤ τ in T. In this case, we define ψjk(τ) = τk and r(τ) = r.

If [inj]jk = inj, then event(σ′σjrpjk, λk) is executed at step φijk(ψjk(τ)) = ψ◦jk(τ).

If [inj]jk ≠ inj, then argjrk = σjrpjk, so event(σ′σjrpjk, λk) is executed at step ψjk(τ) = ψ◦jk(τ).

By construction, if ψjk(τ) is defined, then ψjk(τ) ≤ τ .

When [inj]jk = inj, we let fjk be the root function symbol of pjk.

By Point V2.3, for all j, r, k, verify′(σjrq′jk, (Env jkjk)jk, (xjkjk)jk) is true. So, by induction hypothesis, there exist functions ψjrk,jk such that

– For all τk, if the event event(σ′σjrpjk, λk) is executed at step τk in T, then there exist σ′′jrk and J = (jjrk,k)k such that σ′′jrkσjrpjk = σ′σjrpjk and, for all non-empty k, ψ◦jrk,makejk(k,J)(τk) is defined and event(σ′′jrkσjrpjkmakejk(k,J), λkk) is executed at step ψ◦jrk,makejk(k,J)(τk) in T.

– For all non-empty jk, if [inj]jkjk = inj and ψjrk,jk(τ) is defined, then event(p′′1, λ′1) is executed at step τ in T, event(fm−eventjkjk(p′′2, θρ(xjkjk)), λ′2) is executed at step ψjrk,jk(τ) in T and θi = λ′1 for some p′′1, p′′2, λ′1, λ′2, θ, and (ρ, i) ∈ Env jkjk.

– For all non-empty jk, if ψjrk,jk(τ) is defined, then ψjrk,jk(τ) ≤ τ.

We define ψjkjk(τ) = ψjrk,jk(τ) for r = r(τ). Then we have ψ◦jkjk(τ) = ψ◦jrk,jk(ψ◦jk(τ)) for r = r(τ).

Therefore, for all τ, if event(σp, λ) is executed at step τ in T, then

– there exist σ′, Jε = (jk)k, and r such that jε = j ∈ {1, . . . , m}, jk is undefined for all k ≠ ε, σ′σjrp′j = σp, and, for all k, ψ◦makejk(k,Jε)(τ) is defined and event(σ′σjrpmakejk(k,Jε), λk) is executed at step ψ◦makejk(k,Jε)(τ);

– for all k, there exist σ′′jrk and Jk = (jkk)kk such that σ′′jrkσjrpjk = σ′σjrpjk and, for all non-empty k, ψ◦makejk(kk,Jk)(τ) is defined and event(σ′′jrkσjrpmakejk(kk,Jk), λkk) is executed at step ψ◦makejk(kk,Jk)(τ) in T.

We define a family of indices J by merging Jε and Jk for all k, that is, J = (jk)k. Therefore, in order to obtain P1, it is enough to find a substitution σ′′ such that σ′′p′j = σ′σjrp′j, σ′′pjk = σ′σjrpjk, and σ′′pjkjk = σ′′jrkσjrpjkjk for all non-empty jk. Let us define σu as follows:

– For all x ∈ fv(σjrp′j) ∪ ⋃k fv(σjrpjk), σux = σ′x.

– For all k, for all x ∈ fv(σjrq′jk) \ fv(σjrpjk), σux = σ′′jrkx.

By Point V2.2, these sets of variables are disjoint, so σu is well defined. Let σ′′ = σuσjr. We have σ′′p′j = σuσjrp′j = σ′σjrp′j and σ′′pjk = σuσjrpjk = σ′σjrpjk. Since σ′′q′jk = σuσjrq′jk, we just have to show that σuσjrq′jk = σ′′jrkσjrq′jk. We have σuσjrpjk = σ′σjrpjk = σ′′jrkσjrpjk. Therefore, if x ∈ fv(σjrpjk), then σux = σ′′jrkx.⁵ Hence, for all x ∈ fv(σjrq′jk), σux = σ′′jrkx, which proves that σuσjrq′jk = σ′′jrkσjrq′jk. Hence we obtain P1.

If [inj]jk = inj and ψjk(τ) is defined, then event(p′′1, λ′1) = event(σp, λ) is executed at step τ in T, event(fm−eventjk(p′′2, θρ(xjk)), λ′2) = event(σ′argjrk, λk) is executed at step ψjk(τ) in T, and θi = λ′1 for some p′′1 = σp, p′′2, λ′1 = λ, λ′2 = λk, θ = σ′, and (ρ, i) = (ρjrk, ijr) ∈ Env jk. For all non-empty jk, if [inj]jkjk = inj and ψjkjk(τ) is defined, then event(p′′1, λ′1) is executed at step τ in T, event(fm−eventjkjk(p′′2, θρ(xjkjk)), λ′2) is executed at step ψjkjk(τ) in T, and θi = λ′1 for some p′′1, p′′2, λ′1, λ′2, θ, and (ρ, i) ∈ Env jkjk. So we obtain P2.

If ψjk(τ) is defined, then ψjk(τ) ≤ τ. For all non-empty jk, if ψjkjk(τ) is defined, then ψjkjk(τ) ≤ τ. Therefore, we have P3.

Let

$$q = \mathit{event}(p) \Rightarrow \bigvee_{j=1}^{m} \Big( \mathit{event}(p'_j) \bigwedge_{k=1}^{l_j} [\mathit{inj}]_{jk}\, q_{jk} \Big), \qquad q_{jk} = \mathit{event}(p_{jk}) \bigvee_{j=1}^{m_{jk}} \bigwedge_{k=1}^{l_{jkj}} [\mathit{inj}]_{jkjk}\, q_{jkjk}.$$

By Hypothesis H1, verify′(q, (Env jk)jk, (xjk)jk) is true, so there exists a function ψjk for each jk such that P1, P2, and P3 are satisfied. Let φjk = ψ◦jk.

• By P1, for all τ, if the event event(σp, λε) is executed at step τ in T, then there exist σ′ and J = (jk)k such that σ′p′jε = σp and, for all non-empty k, φmakejk(k,J)(τ) is defined and event(σ′pmakejk(k,J), λk) is executed at step φmakejk(k,J)(τ) in T.

Let us show recentness. Suppose that [inj]makejk(k,J) = inj. We show that the runtimes of session(λk⌈) and session(λk) overlap. We have φmakejk(k,J)(τ) = φimakejk(k,J)(ψmakejk(k,J)(φmakejk(k⌈,J)(τ))). Let τ1 = φmakejk(k⌈,J)(τ). Then ψmakejk(k,J)(τ1) is defined. Hence, by P2, e1 = event(p′′1, λ′1) is executed at step τ1 in T, e2 = event(fm−eventmakejk(k,J)(p′′2, θρ(xmakejk(k,J))), λ′2) is executed at step τ2 = ψmakejk(k,J)(τ1) in T by a reduction Sτ2, Eτ2, Pτ2 → Sτ2+1, Eτ2+1, Pτ2+1, and θi = λ′1 for some p′′1, p′′2, λ′1, λ′2, θ, and (ρ, i) ∈ Envmakejk(k,J). Since the event event(σ′pmakejk(k⌈,J), λk⌈) is also executed at step τ1 = φmakejk(k⌈,J)(τ), we have λ′1 = λk⌈. By the properties of φimakejk(k,J), event(fmakejk(k,J)(p′′2), λ′2) is executed at step φimakejk(k,J)(τ2) = φmakejk(k,J)(τ). Moreover, event(σ′pmakejk(k,J), λk) is also executed at step φmakejk(k,J)(τ), so λ′2 = λk.

By Hypothesis H2, ρ(xmakejk(k,J)){λ/i} does not unify with ρ(xmakejk(k,J)){λ′/i} when λ ≠ λ′, so i occurs in ρ(xmakejk(k,J)), so λk⌈ = λ′1 = θi occurs in θρ(xmakejk(k,J)), so λk⌈ occurs in e2.

So e2 is executed after the rule S, E, P ∪ {!i′P′} → S \ {λk⌈}, E, P ∪ {P′{λk⌈/i′}, !i′P′} in T. Indeed, since λk⌈ occurs in the event e2 executed at step τ2, λk⌈ ∈ SId′(Eτ2) ∪ SId′(Pτ2) where SId′(P) (resp. SId′(E)) is the set of session identifiers λ that occur in P (resp. E). Moreover, SId′(E0) ∪ SId′({P′1, Q′}) = ∅, and the only rule that increases SId′(E) ∪ SId′(P) is S, E, P ∪ {!iP′} → S \ {λ}, E, P ∪ {P′{λ/i}, !iP′}, which adds λ to SId′(E) ∪ SId′(P). Therefore, e2 is executed after the beginning of the runtime of session(λk⌈).

Moreover, e2 is executed at step τ2 = ψmakejk(k,J)(τ1) and e1 is executed at step τ1 in T, with ψmakejk(k,J)(τ1) ≤ τ1, so e2 is executed before e1 = event(p′′1, λk⌈).

So e2 = event(fm−eventmakejk(k,J)(p′′2, θρ(xmakejk(k,J))), λk) is executed during the runtime of session(λk⌈), therefore the runtimes of session(λk⌈) and session(λk) overlap.

⁵ This property does not hold in the presence of an equational theory (see Section 9.1). In that case, we conclude by the additional hypothesis mentioned in Section 9.1.

• Let us show that, for all non-empty jk, if [inj]jk = inj, then ψjk is injective. Let τ1 and τ2 such that ψjk(τ1) = ψjk(τ2). By P2, event(p′′1, λ′1) is executed at step τ1 in T, event(fm−eventjk(p′′3, θ1ρ1(xjk)), λ′3) is executed at step ψjk(τ1) in T, and θ1i1 = λ′1 for some p′′1, p′′3, λ′1, λ′3, θ1, and (ρ1, i1) ∈ Env jk. Also by P2, event(p′′2, λ′2) is executed at step τ2 in T, event(fm−eventjk(p′′4, θ2ρ2(xjk)), λ′4) is executed at step ψjk(τ2) in T, and θ2i2 = λ′2 for some p′′1, p′′4, λ′2, λ′4, θ2, and (ρ2, i2) ∈ Env jk. Since ψjk(τ1) = ψjk(τ2), θ1ρ1(xjk) = θ2ρ2(xjk). By Hypothesis H2, this implies that θ1i1 = θ2i2, so λ′1 = λ′2. By Lemma 17, τ1 = τ2, which proves the injectivity of ψjk.

• Let us show that, for all non-empty jk, if [inj]jk = inj, then φjk is injective, by induction on the length of the sequence of indices jk. For all j and k, if [inj]jk = inj, then φjk is injective since φijk, ψjk, and φε are injective. For all non-empty jk, for all j and k, if [inj]jkjk = inj, then, by hypothesis, [inj]jk = inj, so, by induction hypothesis, φjk is injective. The functions φijkjk and ψjkjk are injective, so φjkjk is also injective.

• For all jk, for all j and k, if φjkjk(τ) is defined, then φjk(τ) is defined, and φjkjk(τ) ≤ φjk(τ), since φijkjk(τ′′) ≤ τ′′ and ψjkjk(τ′) ≤ τ′ by P3, when they are defined. In particular, for all j and k, if φjk(τ) is defined, then φjk(τ) ≤ φε(τ) = τ.

This concludes the proof of the desired recent correspondence. □

Proof (of Proposition 2) We have verify(q, (Env jk)jk) with Env jk = {(ρjrk, ijr) | r ∈ {1, . . . , nj}}, because the first item implies V2.1, V2.2 holds trivially since qjk reduces to event(pjk), and V2.3 also holds since qjk reduces to event(pjk), so verify(σjrqjk, (Env jkjk)jk) holds by V1. The second item implies H2. So we have the result by Theorem 5. □


Automated Verification of Selected Equivalences for Security Protocols∗

Bruno Blanchet
CNRS, École Normale Supérieure, Paris

Martín Abadi
University of California, Santa Cruz, and Microsoft Research, Silicon Valley

Cédric Fournet
Microsoft Research, Cambridge

Abstract

In the analysis of security protocols, methods and tools for reasoning about protocol behaviors have been quite effective. We aim to expand the scope of those methods and tools. We focus on proving equivalences P ≈ Q in which P and Q are two processes that differ only in the choice of some terms. These equivalences arise often in applications. We show how to treat them as predicates on the behaviors of a process that represents P and Q at the same time. We develop our techniques in the context of the applied pi calculus and implement them in the tool ProVerif.

1 Introduction

Many security properties can be expressed as predicates on system behaviors. These properties include some kinds of secrecy properties (for instance, “the system never broadcasts the key k”). They also include correspondence properties (for instance, “if the system deletes file f, then the administrator must have requested it”). Such predicates on system behaviors are the focus of many successful methods for security analysis. In recent years, several tools have made it possible to prove many such predicates automatically or semi-automatically, even for infinite-state systems (e.g., [15, 40, 43]).

Our goal in this work is to expand the scope of those methods and tools. We aim to apply them to important security properties that have been hard to prove and that cannot be easily phrased as predicates on system behaviors. Many such properties can be written as equivalences. For instance, the secrecy of a boolean parameter x of a protocol P(x) may be written as the equivalence P(true) ≈ P(false). Similarly, as is common in theoretical cryptography, we may wish to express the correctness of a construction P by comparing it to an ideal functionality Q, writing P ≈ Q. Here the relation ≈ represents observational equivalence: P ≈ Q means that no context (that is, no attacker) can distinguish P and Q. A priori, P ≈ Q is not a simple predicate on the behaviors of P or Q.

We focus on proving equivalences P ≈ Q in which P and Q are two variants of the same process obtained by selecting different terms on the left and on the right. In particular, P(true) ≈ P(false) is such an equivalence, since P(true) and P(false) differ only in the choice of value for the parameter x. Both P(true) and P(false) are variants of a process that we may write P(diff[true, false]); the two variants are obtained by giving different interpretations to diff[true, false], making it select either true or false.

∗A preliminary version of this work was presented at the 20th IEEE Symposium on Logic in Computer Science(LICS 2005) [20].


Although the notation diff can be viewed as a simple informal abbreviation, we find that there is some value in giving it a formal status. We define a calculus that supports diff. With a careful definition of the operational semantics of this calculus, we can establish the equivalence P(true) ≈ P(false) by reasoning about behaviors of P(diff[true, false]).

In this operational semantics, P(diff[true, false]) behaves like both P(true) and P(false) from the point of view of the attacker, as long as the attacker cannot distinguish P(true) and P(false). The semantics requires that the results of reducing P(true) and P(false) can be written as a process with subexpressions of the form diff[M1, M2]. On the other hand, when P(true) and P(false) would do something that may differentiate them, the semantics specifies that the execution of P(diff[true, false]) gets stuck. Hence, if no behavior of P(diff[true, false]) ever gets stuck, then P(true) ≈ P(false). Thus, we can prove equivalences by reasoning about behaviors, though not the behaviors of the original processes in isolation.

This technique applies not only to an equivalence P(true) ≈ P(false) that represents the concealment of a boolean parameter, but to a much broader class of equivalences that arise in security analysis and that go beyond secrecy properties. In principle, every equivalence could be rewritten as an equivalence in our class: we might try to prove P ≈ Q by examining the behaviors of

if diff[true, false] = true then P else Q

This observation suggests that we should not expect completeness for an automatic technique. Indeed, the class of equivalences that we can establish automatically does not include some traditional bisimilarities. Accordingly, we aim to complement, not to replace, other proof methods. Moreover, we are primarily concerned with soundness and usefulness, and (in contrast with some related work [7, 23–25, 29, 38]) we emphasize simplicity and automation over generality. We believe, however, that the use of diff is not “just a hack”, because diff is amenable to a rigorous treatment and because operators much like diff have already proved useful in other contexts—in particular, in elegant soundness proofs of information-flow type systems [44, 45]. Baudet’s recent thesis includes a further study of diff and obtains a decidability result for processes without replication [12].
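An added toy interpreter for the lockstep semantics described above (example code, not ProVerif's implementation or the paper's calculus): each diff is projected to its left and right component, the two projections run in lockstep, and a test or destructor application that succeeds on one side only makes the run stuck. The instruction syntax, the single destructor sdec, and the sample bi-processes are constructed for this example; the attacker's own tests, which ProVerif handles through Horn clauses, are not modelled, so a stuck-free run here only illustrates the process-side part of the argument.

```python
"""Lockstep interpreter for bi-processes with diff[M1, M2] (added example; not ProVerif code).

Assumed syntax, constructed for this example:
  term     ::= 'name' | ('diff', M1, M2) | (ctor, term, ...) | ('sdec', c, k)
  process  ::= list of instructions
  instr    ::= ('out', M)
             | ('let', x, M, then_process, else_process)
             | ('if', M, N, then_process, else_process)
Only the process's own tests are modelled: the attacker's tests are left out.
"""

def project(term, side):
    """P(M1) for side=0, P(M2) for side=1: replace each diff by one component."""
    if isinstance(term, tuple):
        if term and term[0] == 'diff':
            return project(term[1 + side], side)
        return tuple(project(t, side) for t in term)
    return term

def evaluate(term, env):
    """Evaluate a diff-free term.  Names evaluate to themselves, variables to
    their binding, constructors to themselves; the destructor sdec rewrites
    sdec(senc(m, k), k) to m and fails (None) on anything else."""
    if isinstance(term, str):
        return env.get(term, term)
    head, *args = term
    vals = [evaluate(a, env) for a in args]
    if any(v is None for v in vals):
        return None
    if head == 'sdec':
        ciphertext, key = vals
        if isinstance(ciphertext, tuple) and ciphertext[0] == 'senc' and ciphertext[2] == key:
            return ciphertext[1]
        return None
    return (head, *vals)

def run(biprocess):
    """Run both projections in lockstep.
    Returns ('ok', outputs) with outputs as (left, right) pairs, or
    ('stuck', instr) at the first instruction where the two sides diverge."""
    envs = [{}, {}]
    outputs = []
    todo = list(biprocess)
    while todo:
        instr, *todo = todo
        op = instr[0]
        if op == 'out':
            outputs.append(tuple(evaluate(project(instr[1], s), envs[s]) for s in (0, 1)))
        elif op == 'let':
            _, x, term, then_p, else_p = instr
            vals = [evaluate(project(term, s), envs[s]) for s in (0, 1)]
            ok = [v is not None for v in vals]
            if ok[0] != ok[1]:          # destructor succeeds on one side only
                return ('stuck', instr)
            if ok[0]:
                for s in (0, 1):
                    envs[s] = {**envs[s], x: vals[s]}
                todo = list(then_p) + todo
            else:
                todo = list(else_p) + todo
        elif op == 'if':
            _, m, n, then_p, else_p = instr
            eq = []
            for s in (0, 1):
                lhs = evaluate(project(m, s), envs[s])
                rhs = evaluate(project(n, s), envs[s])
                eq.append(lhs is not None and lhs == rhs)
            if eq[0] != eq[1]:          # the test separates P(M1) from P(M2)
                return ('stuck', instr)
            todo = list(then_p if eq[0] else else_p) + todo
        else:
            raise ValueError(f'unknown instruction {op}')
    return ('ok', outputs)

SECRET_BIT = ('diff', 'true', 'false')       # the parameter x of P(x)

# P(x) = if x = true then out(yes) else out(no): the branch depends on x, so the run gets stuck.
BRANCH_ON_SECRET = [('if', SECRET_BIT, 'true', [('out', 'yes')], [('out', 'no')])]

# P(x) = let c = senc(x, k) in out(c): no test depends on x, the run is never stuck.
ENCRYPT_SECRET = [('let', 'c', ('senc', SECRET_BIT, 'k'), [('out', 'c')], [('out', 'err')])]

# The process decrypts its own ciphertext and tests the result: stuck at the if,
# even though an outside observer never sees the test.
DECRYPT_THEN_TEST = [('let', 'c', ('senc', SECRET_BIT, 'k'),
                      [('let', 'm', ('sdec', 'c', 'k'),
                        [('if', 'm', 'true', [('out', 'ok')], [('out', 'ko')])],
                        [('out', 'err')])],
                      [('out', 'err')])]

# diff[senc(s, k), s] under sdec: decryption succeeds on the left side only.
DESTRUCTOR_MISMATCH = [('let', 'm', ('sdec', ('diff', ('senc', 's', 'k'), 's'), 'k'),
                        [('out', 'm')], [('out', 'err')])]
```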

We implement our technique in the tool ProVerif [15]. This tool is a protocol analyzer for protocols written in the applied pi calculus [6], an extension of the pi calculus with function symbols that may represent cryptographic operations. Internally, ProVerif translates protocols to Horn clauses in classical logic, and uses resolution on these clauses. The mapping to classical logic (rather than linear logic) embodies a safe abstraction which ignores the number of repetitions of each action, and which is key to the treatment of infinite-state systems [19]. We extend the translation into Horn clauses and also the manipulation of these Horn clauses.

While the implementation in ProVerif requires a non-trivial development of theory and code, it is rather fruitful. It enables us to treat, automatically, interesting proofs of equivalences. In particular, as in previous ProVerif proofs, it does not require that all systems under consideration be finite-state. We demonstrate these points through small examples and larger applications.

Specifically, we apply our technique to an infinite-state analysis of the important Encrypted Key Exchange (EKE) protocol [13, 14]. (Password-based protocols such as EKE have attracted much attention in recent years, partly because of the difficulty of reasoning about them.) We also use our technique for checking certain equivalences that express authenticity properties in an example from the literature [8]. In other applications, automated proofs of equivalences serve as lemmas for manual proofs of other results. We illustrate this combination by revisiting proofs for the JFK protocol [9].

Automated Verification of Selected Equivalences for Security Protocols 215

One of the main features of the approach presented in this paper is that it is compatible with the inclusion of equational theories on function symbols. We devote considerable attention to their proper, sound integration. Those equational theories serve in modelling properties of the underlying cryptographic operations; they are virtually necessary in many applications. For instance, an equational theory may describe a decryption function that returns “junk” when its input is not a ciphertext under the expected key. Without equational theories, we may be able to model decryption only as a destructor that fails when there is a mismatch between ciphertext and key. Because the failure of decryption would be observable, it can result in false indications of attacks. Our approach overcomes this problem.

In contrast, a previous method for proving equivalences with ProVerif [17] does not address equivalences that depend on equational theories. Moreover, that method applies only to pairs of processes in which the terms that differ are global constants, not arbitrary terms. In these respects, the approach presented in this paper constitutes a clear advance. It enables significant proofs that were previously beyond the reach of automated techniques.

ProVerif belongs in a substantial body of work on sound, useful, but incomplete methods for protocol analysis. These methods rely on a variety of techniques from the programming-language literature, such as type systems, control-flow analyses, and abstract interpretation (e.g., [1, 22, 37, 42]). The methods are of similar power for proving predicates on behaviors [3, 21]. On the other hand, they typically do not target proofs of equivalences, or treat only specific classes of equivalences for particular equational theories.

The next section describes the process calculus that serves as setting for this work. Section 3 defines and studies observational equivalence. Section 4 contains some examples. Section 5 deals with equational theories. Section 6 explains how ProVerif maps protocols with diff to Horn clauses. Section 7 is concerned with proof techniques for those Horn clauses. Section 8 introduces a simple construct for breaking protocols into stages, as a convenience for applications. Section 9 describes applications. Section 10 mentions other related work and concludes. The Appendix contains proofs. The proof scripts for all examples and applications of this paper, as well as the tool ProVerif, are available at http://www.di.ens.fr/~blanchet/obsequi/.

2 The process calculus

This section introduces our process calculus, by giving its syntax and its operational semantics. This calculus is a combination of the original applied pi calculus [6] with one of its dialects [17]. This choice of calculus gives us the richness of the original applied pi calculus (in particular with regard to equational theories) while enabling us to leverage ProVerif.

2.1 Syntax and informal semantics

Figure 1 summarizes the syntax of our calculus. It defines a category of terms (data) and processes (programs). It assumes an infinite set of names and an infinite set of variables; a, b, c, k, s, and similar identifiers range over names, and x, y, and z range over variables. It also assumes a signature Σ (a set of function symbols, with arities and with associated definitions as explained below). We distinguish two categories of function symbols: constructors and destructors. We often write f for a constructor, g for a destructor, and h for a constructor or a destructor. Constructors are used for building terms. Thus, the terms M, N, . . . are variables, names, and constructor applications of the form f(M1, . . . , Mn).

As in the applied pi calculus [6], terms are subject to an equational theory. Identifying an equational theory with its signature Σ, we write Σ ⊢ M = N for an equality modulo the equational theory, and Σ ⊢ M ≠ N for an inequality modulo the equational theory. (We write M = N and M ≠ N for syntactic equality and inequality, respectively.) The equational theory is defined by a finite set of equations Σ ⊢ Mi = Ni, where Mi and Ni are terms that contain only constructors and variables. The equational theory is then obtained from this set of equations by reflexive, symmetric, and transitive closure, closure by substitution (for any substitution σ, if Σ ⊢ M = N then Σ ⊢ σM = σN), and closure by context application (if Σ ⊢ M = N then Σ ⊢ M′{M/x} = M′{N/x}, where {M/x} is the substitution that replaces x with M). We assume that there exist M and N such that Σ ⊢ M ≠ N.


216 Bruno Blanchet, Martín Abadi, and Cédric Fournet

M, N ::=                          terms
    x, y, z                       variable
    a, b, c, k, s                 name
    f(M1, . . . , Mn)             constructor application

D ::=                             term evaluations
    M                             term
    eval h(D1, . . . , Dn)        function evaluation

P, Q, R ::=                       processes
    M(x).P                        input
    M〈N〉.P                        output
    0                             nil
    P | Q                         parallel composition
    !P                            replication
    (νa)P                         restriction
    let x = D in P else Q         term evaluation

Figure 1: Syntax for terms and processes

As previously implemented in ProVerif, destructors are partial, non-deterministic operations on terms that processes can apply. More precisely, the semantics of a destructor g of arity n is given by a finite set defΣ(g) of rewrite rules g(M′1, . . . , M′n) → M′, where M′1, . . . , M′n, M′ are terms that contain only constructors and variables, the variables of M′ are bound in M′1, . . . , M′n, and variables are subject to renaming. Then g(M1, . . . , Mn) is defined if and only if there exists a substitution σ and a rewrite rule g(M′1, . . . , M′n) → M′ in defΣ(g) such that Mi = σM′i for all i ∈ {1, . . . , n}, and in this case g(M1, . . . , Mn) → σM′. In order to avoid distinguishing constructors and destructors in the definition of term evaluation, we let defΣ(f) be {f(x1, . . . , xn) → f(x1, . . . , xn)} when f is a constructor of arity n.

The process let x = D in P else Q tries to evaluate D; if this succeeds, then x is bound to the result and P is executed, else Q is executed. Here the reader may ignore the prefix eval which may occur in D, since eval f and f have the same semantics when f is a constructor, and destructors are used only with eval. In Section 5, we distinguish eval f and f in order to indicate when terms are evaluated.

Using constructors, destructors, and equations, we can model various data structures (tuples, lists, . . . ) and cryptographic primitives (shared-key encryption, public-key encryption, signatures, . . . ). Typically, destructors represent primitives that can visibly succeed or fail, while equations apply to primitives that always succeed but may sometimes return “junk”. For instance, suppose that one can detect whether shared-key decryption succeeds or fails; then we would use a constructor enc, a destructor dec, and the rewrite rule dec(enc(x, y), y) → x. Otherwise, we would use two constructors enc and dec, and the equations dec(enc(x, y), y) = x and enc(dec(x, y), y) = x. The second equation prevents the equality test enc(dec(M, N), N) = M from revealing that M must be a ciphertext under N. (The first equation is standard; the second is not, but it holds for block ciphers.) We refer to previous work [6, 17] for additional explanations and examples.

The rest of the syntax of Figure 1 is fairly standard pi calculus. The input process M(x).P inputs a message on channel M, and executes P with x bound to the input message. The output process M〈N〉.P outputs the message N on channel M and then executes P. (We allow M to be an arbitrary term; we could require that M be a name, as is frequently done, and adapt other definitions accordingly.) The nil process 0 does nothing and is sometimes omitted in examples. The process P | Q is the parallel composition of P and Q. The replication !P represents an unbounded number of copies of P in parallel. The restriction (νa)P creates a new name a, and then executes P. The syntax does not include the conditional if M = N then P else Q, which can be defined as let x = equals(M, N) in P else Q where x is a fresh variable and equals is a binary destructor with the rewrite rule equals(x, x) → x. We always include this destructor in Σ.

M ⇓ M
eval h(D1, . . . , Dn) ⇓ σN
    if h(N1, . . . , Nn) → N ∈ defΣ(h), and σ is such that for all i, Di ⇓ Mi and Σ ⊢ Mi = σNi

P | 0 ≡ P
P | Q ≡ Q | P
(P | Q) | R ≡ P | (Q | R)
(νa)(νb)P ≡ (νb)(νa)P
(νa)(P | Q) ≡ P | (νa)Q    if a ∉ fn(P)

P ≡ P
Q ≡ P ⇒ P ≡ Q
P ≡ Q, Q ≡ R ⇒ P ≡ R
P ≡ Q ⇒ P | R ≡ Q | R
P ≡ Q ⇒ (νa)P ≡ (νa)Q

N〈M〉.Q | N′(x).P → Q | P{M/x}    if Σ ⊢ N = N′                        (Red I/O)
let x = D in P else Q → P{M/x}    if D ⇓ M                              (Red Fun 1)
let x = D in P else Q → Q         if there is no M such that D ⇓ M      (Red Fun 2)
!P → P | !P                                                             (Red Repl)
P → Q ⇒ P | R → Q | R                                                   (Red Par)
P → Q ⇒ (νa)P → (νa)Q                                                   (Red Res)
P′ ≡ P, P → Q, Q ≡ Q′ ⇒ P′ → Q′                                         (Red ≡)

Figure 2: Semantics for terms and processes

We write fn(P ) and fv(P ) for the sets of names and variables free in P , respectively, whichare defined as usual. A process is closed if it has no free variables; it may have free names. Weidentify processes up to renaming of bound names and variables. An evaluation context C is aclosed context built from [ ], C | P , P | C, and (νa)C.

2.2 Formal semantics

The rules of Figure 2 axiomatize the reduction relation for processes (→Σ), thus defining the operational semantics of our calculus. Auxiliary rules define term evaluation (⇓Σ) and the structural congruence relation (≡); this relation is useful for transforming processes so that the reduction rules can be applied. Both ≡ and →Σ are defined only on closed processes. We write →∗Σ for the reflexive and transitive closure of →Σ, and →∗Σ≡ for its union with ≡. When Σ is clear from the context, we abbreviate →Σ and ⇓Σ to → and ⇓, respectively.

This semantics differs in minor ways from the semantics of the applied pi calculus [6]. In particular, we do not substitute equals for equals in structural congruence, but only in a controlled way in certain rules. Thus, the rule for I/O does not require a priori that the input and output channels be equal: it explicitly uses the equational theory to compare them. We also use a reduction rule (Red Repl) for modelling replication, instead of the more standard, but essentially equivalent, structural congruence rule. This weakening of structural congruence in favor of the reduction relation is designed to simplify our proofs.

N〈M〉.Q | N′(x).P → Q | P{M/x}                                       (Red I/O)
    if Σ ⊢ fst(N) = fst(N′) and Σ ⊢ snd(N) = snd(N′)

let x = D in P else Q → P{diff[M1, M2]/x}                            (Red Fun 1)
    if fst(D) ⇓ M1 and snd(D) ⇓ M2

let x = D in P else Q → Q                                            (Red Fun 2)
    if there is no M1 such that fst(D) ⇓ M1 and there is no M2 such that snd(D) ⇓ M2

Figure 3: Generalized rules for biprocesses

3 Observational equivalence

In this section we introduce diff formally and establish a sufficient condition for observational equivalence. We first recall the standard definition of observational equivalence from the pi calculus:

Definition 1 The process P emits on M (P ↓M) if and only if P ≡ C[M′〈N〉.R] for some evaluation context C that does not bind fn(M) and Σ ⊢ M = M′.

(Strong) observational equivalence ∼ is the largest symmetric relation R on closed processes such that P R Q implies

1. if P ↓M then Q ↓M ;

2. if P → P ′ then Q→ Q′ and P ′ R Q′ for some Q′;

3. C[P ] R C[Q] for all evaluation contexts C.

Weak observational equivalence ≈ is defined similarly, with →∗ ↓M instead of ↓M and →∗ instead of →.

Intuitively, a context may represent an adversary, and two processes are observationally equivalent when no adversary can distinguish them.

Next we introduce a new calculus that can represent pairs of processes that have the samestructure and differ only by the terms and term evaluations that they contain. We call sucha pair of processes a biprocess. The grammar for the calculus is a simple extension of thegrammar of Figure 1, with additional cases so that diff[M,M ′] is a term and diff[D,D′] isa term evaluation. We also extend the definition of contexts to permit the use of diff, andsometimes refer to contexts without diff as plain contexts.

Given a biprocess P, we define two processes fst(P) and snd(P), as follows: fst(P) is obtained by replacing all occurrences of diff[M, M′] with M and diff[D, D′] with D in P, and similarly, snd(P) is obtained by replacing diff[M, M′] with M′ and diff[D, D′] with D′ in P. We define fst(D), fst(M), snd(D), and snd(M) similarly. Our goal is to show that the processes fst(P) and snd(P) are observationally equivalent:

Definition 2 Let P be a closed biprocess. We say that P satisfies observational equivalence when fst(P) ∼ snd(P).

The semantics for biprocesses is defined as in Figure 2 with generalized rules (Red I/O), (Red Fun 1), and (Red Fun 2) given in Figure 3. Reductions for biprocesses bundle those for processes: if P → Q then fst(P) → fst(Q) and snd(P) → snd(Q). Conversely, however, reductions in fst(P) and snd(P) need not correspond to any biprocess reduction, in particular when they do not match up. Our first theorem shows that the processes are equivalent when this does not happen.


Definition 3 We say that the biprocess P is uniform when fst(P) → Q1 implies that P → Q for some biprocess Q with fst(Q) ≡ Q1, and symmetrically for snd(P) → Q2.

Theorem 1 Let P0 be a closed biprocess. If, for all plain evaluation contexts C and reductions C[P0] →∗ P, the biprocess P is uniform, then P0 satisfies observational equivalence.

Proof Let P be a closed biprocess such that C[P] →∗≡ Q always yields a uniform biprocess Q, and consider the relation

R = {(fst(Q), snd(Q)) | C[P ]→∗≡ Q}

In particular, we have fst(P) R snd(P), so we can show that P satisfies observational equivalence by establishing that the relation R′ = R ∪ R−1 meets the three conditions of Definition 1. By symmetry, we focus on R. Assume fst(Q) R snd(Q).

1. Assume fst(Q) ↓M, and let TM = M(x).c〈c〉 for some fresh name c. As usual in the pi calculus, the predicate ↓M tests the ability to send any message on M, hence for any plain process Qi, we have Qi ↓M if and only if Qi | TM → Ri | c〈c〉 for some Ri.

Here, we have fst(Q) | TM → R1 | c〈c〉 for some R1. The reductions C[P] →∗≡ Q imply C[P] | TM →∗≡ Q | TM. By hypothesis (with the context C[ ] | TM), Q | TM is uniform, hence Q | TM → Q′ for some Q′ with fst(Q′) ≡ R1 | c〈c〉. Since c does not occur anywhere in Q, by case analysis on this reduction step with our semantics for biprocesses we obtain Q′ ≡ R | c〈c〉 for some biprocess R. Thus, we obtain snd(Q) | TM → snd(R) | c〈c〉, and finally snd(Q) ↓M.

2. If fst(Q) → Q′1 then, by uniformity, we have Q → Q′ with fst(Q′) = Q′1. Thus, C[P] →∗≡→ Q′ and, by definition of R, we obtain fst(Q′) R snd(Q′). Finally, by definition of the semantics of biprocesses, Q → Q′ implies snd(Q) → snd(Q′).

3. Let C′ be a plain evaluation context. By definition of the semantics of biprocesses, C[P] →∗≡ Q always implies C′[C[P]] →∗≡ C′[Q], hence C′[fst(Q)] = fst(C′[Q]) R snd(C′[Q]) = C′[snd(Q)]. □

Our plan is to establish the hypothesis of Theorem 1 by automatically verifying that all the biprocesses P in question meet conditions that imply uniformity. The next corollary details those conditions, which guarantee that a communication and an evaluation, respectively, succeed in fst(P) if and only if they succeed in snd(P):

Corollary 1 Let P0 be a closed biprocess. Suppose that, for all plain evaluation contexts C, all evaluation contexts C′, and all reductions C[P0] →∗ P,

1. if P ≡ C′[N〈M〉.Q | N′(x).R], then Σ ⊢ fst(N) = fst(N′) if and only if Σ ⊢ snd(N) = snd(N′),

2. if P ≡ C′[let x = D in Q else R], then there exists M1 such that fst(D) ⇓ M1 if and only if there exists M2 such that snd(D) ⇓ M2.

Then P0 satisfies observational equivalence.

Proof We show that P is uniform, then we conclude by Theorem 1. Let us show that, if fst(P) → P′1 then there exists a biprocess P′ such that P → P′ and fst(P′) ≡ P′1. The case for snd(P) → P′2 is symmetric.

By induction on the derivation of fst(P) → P′1, we first show that there exist C, Q, and Q′1 such that P ≡ C[Q], P′1 ≡ fst(C)[Q′1], and fst(Q) → Q′1 using one of the four process rules (Red I/O), (Red Fun 1), (Red Fun 2), or (Red Repl): every step in this derivation trivially commutes with fst, except for structural steps that involve a parallel composition and a restriction, in case a ∈ fn(P) but a ∉ fn(fst(P)). In that case, we use a preliminary renaming from a to some fresh a′ ∉ fn(P).

For each of these four rules, relying on a hypothesis of Corollary 1, we find Q′ such that fst(Q′) = Q′1 and Q → Q′ using the corresponding biprocess rule:

(Red I/O): We have Q = N〈M〉.R | N′(x).R′ with Σ ⊢ fst(N) = fst(N′) and Q′1 = fst(R) | fst(R′){fst(M)/x}. For Q′ = R | R′{M/x}, we have fst(Q′) = Q′1 and, by hypothesis 1, Σ ⊢ snd(N) = snd(N′), hence Q → Q′.

(Red Fun 1): We have Q = let x = D in R else R′ with fst(D) ⇓ M1 and Q′1 = fst(R){M1/x}. By hypothesis 2, snd(D) ⇓ M2 for some M2. We take Q′ = R{diff[M1, M2]/x}, so that fst(Q′) = Q′1 and Q → Q′.

(Red Fun 2): We have Q = let x = D in R else R′ with no M1 such that fst(D) ⇓ M1 and Q′1 = fst(R′). By hypothesis 2, there is no M2 such that snd(D) ⇓ M2. We obtain Q → Q′ for Q′ = R′.

(Red Repl): We have Q = !R and Q′1 = fst(R) | !fst(R). We take Q′ = R | !R, so that fst(Q′) = Q′1 and Q → Q′.

To conclude, we take the biprocess P′ = C[Q′] and the reduction P → P′. □

Thus, we have a sufficient condition for observational equivalence of biprocesses. This condition is essentially a reachability condition on biprocesses. Starting in Section 5, we adapt existing techniques for reasoning about processes in order to prove this condition. The condition is however not necessary: as suggested in the introduction, if P ∼ Q, then if diff[true, false] = true then P else Q satisfies observational equivalence, but Theorem 1 and Corollary 1 will not enable us to prove this fact.

4 Examples in the applied pi calculus

This section illustrates our approach by revisiting examples of observational equivalences presented with the applied pi calculus [6]. Interestingly, all those equivalences can be formulated using biprocesses, proved via Theorem 1 and, it turns out, verified automatically by ProVerif. Section 9 presents more complex examples.

We begin with equivalences that can be expressed with biprocesses that perform a single output, of the form (νa1, . . . , ak)c〈M〉 where c is a name that does not occur in a1, . . . , ak or in M. Intuitively, such equivalences state that no environment can differentiate fst(M) from snd(M) without knowing some name in a1, . . . , ak. Such equivalences on terms under restrictions are called static equivalences [6]. They arise when one considers attackers that first intercept a series of messages, then attempt to differentiate two configurations of the protocol by computing on those messages without interacting with the protocol further. Here, the term M may be a tuple diff[M1, M′1], . . . , diff[Mn, M′n] that collects all pairs of intercepted messages, and a1, . . . , ak may be names that represent all local secrets and fresh values used by the protocol.

Static equivalences play a central role in the extension of proof techniques from the pure pi calculus to the applied pi calculus. In particular, observational equivalence in the applied pi calculus can be reduced to standard pi calculus requirements plus static equivalences [6]. In other words, proofs of observational equivalences can be decomposed into lemmas that deal with terms and general arguments that relate processes with different structures; the former depend on the signature, while the latter come from the pure pi calculus. In our experience, a large fraction of the proof effort is typically devoted to those lemmas on terms, and Theorem 1 is a good tool for establishing them.

Example 1 Consider a cryptographic hash function, modelled as a constructor h with neither rewrite rule nor equation. The environment should not be able to distinguish a freshly generated random value, modelled as a fresh name a, from its hash h(a) [6, Section 4.2]. Formally, using the automated technique presented in this paper, we verify that the biprocess (νa)c〈diff[a, h(a)]〉 satisfies equivalence. On the other hand, P = (νa, a′)c〈(a, diff[a′, h(a)])〉 does not satisfy equivalence: although both processes emit a pair of fresh terms, the environment can distinguish one process from the other by computing a hash of the first element of the pair and comparing it to the second element of the pair, using the context

C[ ] = c(x, y).if y = h(x) then d〈c〉 else 0 | [ ]

With our biprocess semantics, C[P] performs a (Red I/O) step then gets stuck on the test (νa, a′)if diff[a′, h(a)] = h(a) then d〈c〉 else 0. □
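The stuck test of Example 1 can be replayed mechanically. The following Python is an added example, not code from the paper or from ProVerif: it implements the closed-term evaluation D ⇓ M of Figure 2 over the destructor rewrite rules of Section 2.1, the projections fst and snd of Section 3, and the side condition that separates (Red Fun 1) and (Red Fun 2) of Figure 3 from a stuck biprocess step (item 2 of Corollary 1). The term encoding, the helper names, and the two extra tests (a test on diff[a, h(a)] alone, and the decryption test motivated in the introduction) are constructed for this example and are not taken from the page; dec and equals are the destructors of Section 2.

```python
# Added example (not the paper's or ProVerif's code).  A variable is a str, f(M1, .., Mn)
# is (f, M1, .., Mn), eval h(D1, .., Dn) is ('eval', h, D1, .., Dn), diff[M1, M2] is
# ('diff', M1, M2), and a destructor rule g(N1, .., Nn) -> N is the pair ((N1, .., Nn), N).

def is_var(t):
    return isinstance(t, str)

def match(pattern, term, s):
    """Extend substitution s so that s(pattern) == term (one-sided syntactic matching), or None."""
    if is_var(pattern):
        if pattern in s:
            return s if s[pattern] == term else None
        return {**s, pattern: term}
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        s = match(p, t, s)
        if s is None:
            return None
    return s

def subst(s, t):
    """Apply a substitution to a plain term."""
    return s.get(t, t) if is_var(t) else (t[0],) + tuple(subst(s, a) for a in t[1:])

# defΣ(g) for the two destructors of Section 2: dec(enc(x, y), y) -> x and equals(x, x) -> x.
# Constructors are not listed; they get the implicit rule f(x1, .., xn) -> f(x1, .., xn).
DESTRUCTORS = {
    'dec':    [((('enc', 'x', 'y'), 'y'), 'x')],
    'equals': [(('x', 'x'), 'x')],
}

def evaluate(D, defs=DESTRUCTORS):
    """D ⇓ M for a closed term evaluation (Figure 2); returns M, or None when D is undefined.
    The page's destructors may be non-deterministic; here the first applicable rule is used."""
    if D[0] != 'eval':
        return D                                   # M ⇓ M
    h, Ms = D[1], []
    for Di in D[2:]:
        Mi = evaluate(Di, defs)
        if Mi is None:
            return None                            # a sub-evaluation fails, so D fails
        Ms.append(Mi)
    if h not in defs:
        return (h,) + tuple(Ms)                    # constructor application
    for lhs, rhs in defs[h]:
        s = {}
        for pat, M in zip(lhs, Ms):
            s = s if s is None else match(pat, M, s)
        if s is not None:
            return subst(s, rhs)                   # g(M1, .., Mn) -> σM′
    return None                                    # no rule applies: `let` takes its else branch

def project(t, side):
    """fst (side 1) or snd (side 2): replace every diff[M1, M2] by the chosen component."""
    if is_var(t):
        return t
    if t[0] == 'diff':
        return project(t[side], side)
    head = t[:2] if t[0] == 'eval' else t[:1]
    return head + tuple(project(a, side) for a in t[len(head):])

def fst(t):
    return project(t, 1)

def snd(t):
    return project(t, 2)

def let_step(D, defs=DESTRUCTORS):
    """Outcome of `let x = D in P else Q` on a biprocess (Figure 3): ('then', diff[M1, M2]) by
    (Red Fun 1), ('else', None) by (Red Fun 2), or ('stuck', (M1, M2)) when only one side
    evaluates, which is exactly a violation of item 2 of Corollary 1."""
    M1, M2 = evaluate(fst(D), defs), evaluate(snd(D), defs)
    if M1 is not None and M2 is not None:
        return ('then', ('diff', M1, M2))
    if M1 is None and M2 is None:
        return ('else', None)
    return ('stuck', (M1, M2))

# Example 1 of the page: after the (Red I/O) step, x = a and y = diff[a', h(a)], and the
# context's test y = h(x) is let z = equals(y, h(x)) in ...  (names are 0-ary tuples).
a, a1 = ('a',), ("a'",)
TEST_STUCK = ('eval', 'equals', ('diff', a1, ('h', a)), ('eval', 'h', a))
# A test on diff[a, h(a)] alone (constructed here): hashing the received value never gives it back.
TEST_UNIFORM = ('eval', 'equals', ('eval', 'h', ('diff', a, ('h', a))), ('diff', a, ('h', a)))
# The situation of the introduction: with dec as a destructor, decryption under the wrong key
# fails visibly, so diff[enc(m, k), enc(m, k')] decrypted with k is a stuck (distinguishing) step.
DEC_STUCK = ('eval', 'dec', ('eval', 'enc', ('m',), ('diff', ('k',), ("k'",))), ('k',))

if __name__ == '__main__':
    for name, D in [('Example 1', TEST_STUCK), ('uniform', TEST_UNIFORM), ('dec', DEC_STUCK)]:
        print(name, let_step(D))
```

Running the block reports a stuck step for the test of Example 1, because equals(a′, h(a)) fails while equals(h(a), h(a)) succeeds, and the else branch for the hash test on diff[a, h(a)], where both sides fail uniformly. The decryption test is the visible failure that the introduction identifies as a source of false attack indications when dec is a destructor rather than a constructor with equations.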

Example 2 Diffie-Hellman computations used in key agreement protocols can be expressed in terms of a constant b, a binary constructor ^, and the equation (b^x)^y = (b^y)^x [4, 6]. With this signature, we verify that

(νa1, a2, a3)c〈(b^a1, b^a2, diff[(b^a1)^a2, b^a3])〉

satisfies equivalence. This equivalence closely corresponds to the Decisional Diffie-Hellman assumption often made by cryptographers; it is also the main lemma in the proof of [6, Theorem 3]. Intuitively, even if the environment is given access to the exponentials b^a1 and b^a2, those values are (apparently) unrelated to the Diffie-Hellman secret (b^a1)^a2, since the environment cannot distinguish this secret from the exponential of any fresh unrelated value a3. □

The remaining two examples concern applications beyond proofs of static equivalences.

Example 3 Non-deterministic encryption is a variant of public-key encryption that further protects the secrecy of the plaintext by embedding some additional, fresh value in each encryption. It can be modelled using three functions for public-key decryption, public-key encryption, and public-key derivation, linked by the equation

pdec(penc(x, pk(y), z), y) = x

where z is the additional parameter for the encryption. A key property of non-deterministic encryption is that, without knowledge of the decryption key, ciphertexts appear to be unrelated to the plaintexts, even if the attacker knows the plaintexts and the encryption key. A strong version of this property is that the ciphertexts cannot be distinguished from freshly generated random values. Formally, we state that

(νs)(c〈pk(s)〉 | !c′(x).(νa)c〈diff[penc(x, pk(s), a), a]〉)

satisfies equivalence. This biprocess is more complex than those presented above; instead of a single output, it performs a first output to reveal the public key pk(s) (but not s!), then repeatedly inputs a term x from the environment and either outputs its encryption under pk(s) or outputs a fresh, unrelated name. Thus, a single biprocess represents the family of static equivalences that relate a series of non-deterministic encryptions for any series of plaintexts to a series of fresh, independent names. (Formally, each such equivalence can be obtained as a corollary of this biprocess equivalence, by applying the congruence property of equivalence for the particular context that sends the plaintext values on channel c′ and reads the encryption key and encryptions on channel c.) □


Example 4 Biprocesses can also be used for relating an abstract specification of a cryptographic primitive with its implementation in terms of lower-level functions. As an example, we consider the construction of message authentication codes (MACs) for messages of arbitrary length, as modelled in the applied pi calculus [6, Section 6]. MAC functions are essentially keyed hash functions; MACs should not be subject to tampering or forgery. More formally, the usage of MACs can be captured via a little protocol that generates MACs on demand and checks them:

P0 = (νk)(!c′(x).c〈x, mac(k, x)〉 | c(x, y).if y = mac(k, x) then c′′〈x〉)

The unforgeability of MACs means that the MAC checker succeeds and forwards a message x on c′′ only if a MAC has been generated for x by sending it to the MAC generator on c′.

Let P be P0 with the term diff[mac(k, x), impl(k, x)] instead of the two occurrences of mac(k, x). For a given signature with no equation for mac, a function impl may be said to implement mac correctly when P satisfies equivalence. With this formulation, we can verify the correctness of the second construction considered in [6], impl(k, x) = f(k, f(k, x)), with equation f(k, (x, y)) = h(f(k, x), y), where f is a keyed hash function that iterates a compression function h on the message blocks. We can also confirm that the first construction considered in [6], impl(k, x) = f(k, x) with the same equation f(k, (x, y)) = h(f(k, x), y), is subject to a standard extension attack: anyone that obtains the MAC impl(k, N1) can produce the MAC impl(k, (N1, N2)) as h(impl(k, N1), N2) for any message extension N2 without knowing k. □

5 Modelling equations with rewrite rules

We handle equations by translating from a signature with equations to a signature without equations. This translation is designed to ease implementation: with it, resolution can continue to rely on ordinary syntactic unification, and remains very efficient. Although our technique is general and automatic, it does have limitations: it does not apply to some equational theories, in particular theories with associative symbols such as XOR. (It may be possible to handle some of those theories by shifting from syntactic unification to unification modulo the theory in question, at the cost of increased complexity.)

5.1 Definitions

We consider an auxiliary rewriting system on terms, S, that defines partial normal forms. The terms manipulated by S do not contain diff, but they may contain variables. The rules of S do not contain names and do not have a single variable on the left-hand side. We say that a term is irreducible by S when none of the rewrite rules of S applies to it; we say that the set of terms 𝓜 is in normal form relatively to S and Σ, and write nfS,Σ(𝓜), if and only if all terms of 𝓜 are irreducible by S and, for all subterms N1 and N2 of terms of 𝓜, if Σ ⊢ N1 = N2 then N1 = N2. Intuitively, we allow for the possibility that terms may have several irreducible forms (see Example 6 below), requiring that 𝓜 use irreducible forms consistently. This requirement implies, for instance, that if the rewrite rule f(x, x) → x applies modulo the equational theory to a term f(N1, N2) then N1 and N2 are identical and the rule f(x, x) → x also applies without invoking the equational theory. We extend the definition of nfS,Σ(·) to sets of processes: nfS,Σ(𝓟) if and only if the set of terms that appear in processes in 𝓟 is in normal form.

For a signature Σ′ (without equations), we define evaluation on open terms as a relation D ⇓′ (M, σ), where σ collects instantiations of D obtained by unification:

M ⇓′ (M, ∅)

eval h(D1, . . . , Dn) ⇓′ (σuN, σuσ′)
    if (D1, . . . , Dn) ⇓′ ((M1, . . . , Mn), σ′), h(N1, . . . , Nn) → N is in defΣ′(h), and
    σu is a most general unifier of (M1, N1), . . . , (Mn, Nn)

(D1, . . . , Dn) ⇓′ ((σnM1, . . . , σnMn−1, Mn), σnσ)
    if (D1, . . . , Dn−1) ⇓′ ((M1, . . . , Mn−1), σ) and σDn ⇓′ (Mn, σn)

As suggested in Section 2, we rely on eval for indicating term evaluations: while f(M1, . . . , Mn) ⇓′ (f(M1, . . . , Mn), ∅), deriving eval f(M1, . . . , Mn) ⇓′ (M, σ) requires an application of a rewrite rule for the constructor f.

We let addeval(M1, . . . , Mn) be the tuple of term evaluations obtained by adding eval before each function symbol of M1, . . . , Mn. Using these definitions, we describe when a signature Σ′ with rewrite rules models another signature Σ with equations:

Definition 4 Let Σ and Σ′ be signatures on the same function symbols. We say that Σ′ models Σ if and only if

1. The equational theory of Σ′ is syntactic equality: Σ′ ⊢ M = N if and only if M = N.

2. The constructors of Σ′ are the constructors of Σ; their definition defΣ′(f) contains the rule f(x1, . . . , xn) → f(x1, . . . , xn), plus perhaps other rules such that there exists a rewriting system S on terms that satisfies the following properties:

S1. If M → N is in S, then Σ ⊢ M = N.

S2. If nfS,Σ(𝓜), then for any term M there exists M′ such that Σ ⊢ M′ = M and nfS,Σ(𝓜 ∪ {M′}).

S3. If f(N1, . . . , Nn) → N is in defΣ′(f), then Σ ⊢ f(N1, . . . , Nn) = N.

S4. If Σ ⊢ f(M1, . . . , Mn) = M and nfS,Σ({M1, . . . , Mn, M}), then there exist σ and f(N1, . . . , Nn) → N in defΣ′(f) such that M = σN and Mi = σNi for all i ∈ {1, . . . , n}.

3. The destructors of Σ′ are the destructors of Σ, with a rule g(M′1, . . . , M′n) → M′ in defΣ′(g) for each g(M1, . . . , Mn) → M in defΣ(g) and each addeval(M1, . . . , Mn, M) ⇓′ ((M′1, . . . , M′n, M′), σ).

Condition 1 says that the equational theory of Σ′ is trivial. In Condition 2, Properties S1 and S2 concern the relation of S and Σ. Property S1 guarantees that all rewrite rules of S are sound according to the equational theory of Σ. Property S2 requires there are “enough” normal forms: that for every term M there is an S-irreducible Σ-equal term M′, and that M′ can be chosen consistently with a set 𝓜 in normal form. Properties S3 and S4 concern the definition of constructors in Σ′. Property S3 guarantees that the rewrite rules that define the constructors are sound according to the equational theory of Σ. Property S4 requires that there are “enough” rewrite rules: basically, that when M1, . . . , Mn are in normal form, every normal form of f(M1, . . . , Mn) can be generated by applying a rewrite rule for f in Σ′ to f(M1, . . . , Mn). Finally, according to Condition 3, the definition of destructors in Σ′ can be computed by applying the rewrite rules of constructors in Σ′ to the definition of destructors in Σ.

224 Bruno Blanchet, Martín Abadi, and Cédric Fournet

According to this definition, we deal with any equations on f in Σ by evaluating f once in Σ′. (We use eval markers in expressions accordingly: eval f and f represent f before and after this evaluation, respectively.) This characteristic entails a limitation of our approach. For instance, suppose that we have f(f′(x)) = f′(f(x)) in the equational theory of Σ, and we want a Σ′ that models Σ. In Σ′, we should equate f′(f(. . . f(a))) and f(. . . f(f′(a))) by one reduction step, so we need one rewrite rule for each length of sequence of applications of f, so def_{Σ′}(f′) cannot be finite. Associative symbols like XOR pose a similar problem.

5.2 Examples

The following two examples illustrate the definitions of Section 5.1. ProVerif handles these examples automatically, using the approach of Section 5.3.

Example 5 Suppose that Σ has the constructors enc and dec with the equations

dec(enc(x, y), y) = x        enc(dec(x, y), y) = x

In Σ′, we adopt the rewrite rules:

dec(x, y) → dec(x, y)        enc(x, y) → enc(x, y)
dec(enc(x, y), y) → x        enc(dec(x, y), y) → x

We have that Σ′ models Σ for the rewriting system S with rules dec(enc(x, y), y) → x and enc(dec(x, y), y) → x, and a single normal form for every term. □

Example 6 In order to model the Diffie-Hellman equation of Example 2, we define Σ′ with three rewrite rules:

b → b        x^y → x^y        (b^x)^y → (b^y)^x

and use an empty S. Intuitively, applying ^ to (b^x) and y yields both possible forms of (b^x)^y modulo the equational theory, (b^x)^y and (b^y)^x. Hence, a term M may have several irreducible forms M′ that satisfy nf_{S,Σ}({M′}) and Σ ⊢ M′ = M: one can choose (b^N)^N′ or (b^N′)^N. □

5.3 Algorithms

Next we explain a method for finding, for a given signature Σ, a signature Σ′ that models Σ and a corresponding rewriting system S. This method is embodied in algorithms that, when they terminate, yield the definition of def_{Σ′}(f) for each constructor of Σ. The definition of def_{Σ′}(g) for each destructor of Σ follows from Condition 3 of Definition 4. These algorithms do not always terminate because, for some equational theories, they generate an unbounded number of rewrite rules. However, they often terminate in practice, as our examples illustrate; moreover, Lemma 7 in Appendix A.2 establishes a termination result for a significant class of theories, the convergent subterm theories [5].

Our first algorithm handles convergent (terminating and confluent) theories. It applies, for instance, to Example 5. Here and elsewhere, we write T for a term context (a term with a hole).

Algorithm 1 (Convergent theories) Let Mi = Ni (for i ∈ {1, . . . , m}) be the equations that define the equational theory of Σ. Let S be defined by the rewrite rules Mi → Ni. Assume that S is convergent, and let M↓ be the normal form of M relatively to S.

When E is a set of rewrite rules, we define normalize(E) by
– replacing each rule f(M1, . . . , Mn) → N of E with f(M1↓, . . . , Mn↓) → N↓;
– removing rules of the form M → M from E;
– if M → N is in E, removing all other rules of the form T[σM] → T[σN] from E.

Let E = normalize(S).
Repeat until E reaches a fixpoint
    For each pair of rules M → M′ and N → N′ in E and each T
        such that M′ = T[M′′], M′′ is not a variable,
        and σu is the most general unifier of M′′ and N,
        set E = normalize(E ∪ {σuM → σuT[σuN′]}).
For each constructor f,
    def_{Σ′}(f) = {f(M1, . . . , Mn) → N ∈ E} ∪ {f(x1, . . . , xn) → f(x1, . . . , xn)}.

Automated Verification of Selected Equivalences for Security Protocols 225

In this algorithm, we add to E new rewrite rules obtained by composing two rewrite rules of E, until a fixpoint is reached. Lemma 7 in Appendix A.2 shows that a fixpoint is reached immediately for convergent subterm theories.

Before running the algorithm, we can check that S is convergent as follows.

• The termination of S can be established via a reduction ordering >, by showing that if M → M′ is in S, then M > M′. In the implementation, we use a lexicographic path ordering.

• The confluence of S can be established via the critical-pair theorem, by showing that all critical pairs are joinable [31].

Alternatively, one could use the Knuth-Bendix completion algorithm in order to transform a rewriting system into a convergent one.
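The following Python program is an added worked example, not code from the paper or from ProVerif: it implements Algorithm 1 with syntactic matching and unification over tuple-encoded terms, runs it on the enc/dec equations of Example 5, and also on a small theory I constructed (f(x) = g(h(x)), h(a) = b) in which the composition step actually adds a rule; the term encoding and all helper names are my own assumptions.

```python
# Added example, not code from the paper or from ProVerif: a small implementation
# of Algorithm 1 (convergent theories) over tuple-encoded terms.  A variable is a
# str, an application f(t1, ..., tn) is ('f', t1, ..., tn), a constant a is ('a',).
# The caller must have checked that the oriented equations S are convergent.

def is_var(t):
    return isinstance(t, str)

def subst(sigma, t):  # apply the substitution sigma (dict variable -> term) to t
    return sigma.get(t, t) if is_var(t) else (t[0],) + tuple(subst(sigma, a) for a in t[1:])

def unify(s, t, sigma=None):  # syntactic mgu of s and t as an idempotent dict, or None
    sigma = {} if sigma is None else sigma
    s, t = subst(sigma, s), subst(sigma, t)
    if s == t:
        return sigma
    if is_var(s) or is_var(t):  # bind the variable, after an occurs check, and push the
        x, u = (s, t) if is_var(s) else (t, s)  # new binding into the older ones
        return None if any(x == v for _, v in positions(u)) else {**{k: subst({x: u}, v) for k, v in sigma.items()}, x: u}
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        sigma = unify(a, b, sigma) if sigma is not None else None
    return sigma

def match(p, t, sigma=None):  # one-way matching: a sigma with subst(sigma, p) == t, or None
    sigma = {} if sigma is None else dict(sigma)
    if is_var(p):
        return sigma if sigma.setdefault(p, t) == t else None
    if is_var(t) or p[0] != t[0] or len(p) != len(t):
        return None
    for a, b in zip(p[1:], t[1:]):
        sigma = match(a, b, sigma) if sigma is not None else None
    return sigma

def positions(t, path=()):  # all (path, subterm) pairs of t; a path lists argument indices
    yield path, t
    if not is_var(t):
        for i, a in enumerate(t[1:], start=1):
            yield from positions(a, path + (i,))

def replace(t, path, s):  # T[s] for the context T obtained from t by putting a hole at path
    return s if not path else t[:path[0]] + (replace(t[path[0]], path[1:], s),) + t[path[0] + 1:]

def nf(t, S):  # normal form t↓ under S (assumed convergent): rewrite until nothing applies
    steps = [replace(t, p, subst(m, rhs)) for p, u in positions(t)
             for lhs, rhs in S for m in [match(lhs, u)] if m is not None]
    return nf(steps[0], S) if steps else t

def rename(rule, prefix="v"):  # canonical variable names, so that variants of a rule coincide
    names = {}
    def go(t):
        return names.setdefault(t, prefix + str(len(names))) if is_var(t) else (t[0],) + tuple(go(a) for a in t[1:])
    return go(rule[0]), go(rule[1])

def generalizes(r1, r2):  # does r2 have the form T[sigma M] -> T[sigma N] for r1 = M -> N?
    (M, N), (lhs2, rhs2) = r1, r2
    return any(sigma is not None and replace(lhs2, path, subst(sigma, N)) == rhs2
               for path, u in positions(lhs2) for sigma in [match(M, u)])

def normalize(E, S):  # normalize(E) of Algorithm 1: reduce by S, drop M -> M and instances
    kept = []
    for lhs, rhs in E:
        r = rename(((lhs[0],) + tuple(nf(a, S) for a in lhs[1:]), nf(rhs, S)))
        if r[0] != r[1] and not any(generalizes(k, r) for k in kept):
            kept = [k for k in kept if not generalizes(r, k)] + [r]
    return kept

def algorithm1(equations):  # returns (S, defs) with defs[f] = def_Sigma'(f) for each symbol f
    S = [rename(e) for e in equations]              # orient each M_i = N_i as M_i -> N_i
    E = normalize(S, S)
    while True:                                     # repeat until E reaches a fixpoint
        new = []
        for M, M1 in E:
            for rule in E:
                N, N1 = rename(rule, "w")           # rename apart from M -> M1
                for path, M2 in positions(M1):      # M1 = T[M2] with M2 not a variable
                    su = None if is_var(M2) else unify(M2, N)
                    if su is not None:              # add sigma_u M -> sigma_u T[sigma_u N1]
                        new.append((subst(su, M), subst(su, replace(M1, path, N1))))
        E2 = normalize(E + new, S)
        if set(E2) == set(E):
            break
        E = E2
    defs = {}                                       # def_Sigma'(f): rules of E for f, plus identity
    for lhs, rhs in E:
        defs.setdefault(lhs[0], []).append((lhs, rhs))
    syms = {(u[0], len(u) - 1) for r in S for t in r for _, u in positions(t) if not is_var(u)}
    for f, n in sorted(syms):
        xs = tuple("x%d" % i for i in range(1, n + 1))
        defs.setdefault(f, []).append(((f,) + xs, (f,) + xs))
    return S, defs

# Example 5 of the paper: dec(enc(x, y), y) = x and enc(dec(x, y), y) = x.
EXAMPLE5 = [(("dec", ("enc", "x", "y"), "y"), "x"), (("enc", ("dec", "x", "y"), "y"), "x")]
# Constructed theory (my assumption, not from the paper) in which the composition step
# fires: f(x) = g(h(x)) and h(a) = b, so f(a) must also rewrite directly to g(b).
COMPOSED = [(("f", "x"), ("g", ("h", "x"))), (("h", ("a",)), ("b",))]
```

On Example 5 the fixpoint is reached immediately, as Lemma 7 predicts for convergent subterm theories, whereas the constructed theory needs one composition round before def_{Σ′}(f) contains f(a) → g(b).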

Our next algorithm handles linear theories, such as that of Example 6.

Algorithm 2 (Linear theories) Let Σ be a signature such that all equations of Σ are linear: each variable occurs at most once in the left-hand side and at most once in the right-hand side. Let S be empty.

When E is a set of rewrite rules, we define normalize(E) by:
– removing rules of the form M → M from E;
– if M → N is in E, removing all other rules of the form T[σM] → T[σN] from E.

Let E = normalize({M → N, N → M | M = N is an equation of Σ}).
Repeat until E reaches a fixpoint
    For each pair of rules M → M′ and N → N′ in E and each T
        such that M′ = T[M′′], M′′ and N are not variables,
        and σu is the most general unifier of M′′ and N,
        set E = normalize(E ∪ {σuM → σuT[σuN′]}).
    For each pair of rules M → M′ and N → N′ in E and each T
        such that N = T[N′′], M′ and N′′ are not variables,
        and σu is the most general unifier of M′ and N′′,
        set E = normalize(E ∪ {σuT[σuM] → σuN′}).
For each constructor f,
    def_{Σ′}(f) = {f(M1, . . . , Mn) → N ∈ E} ∪ {f(x1, . . . , xn) → f(x1, . . . , xn)}.

In this algorithm, when two rewrite rules of E have a critical pair with one another, we compose them and add the result to E.

Algorithms 1 and 2 are similar. The main difference is that Algorithm 1 performs additional optimizations that are sound for convergent rewriting systems but not for linear equational theories. In particular, in the initial definition of E, Algorithm 1 considers rewrite rules oriented only in the direction of S, while Algorithm 2 considers both directions. Furthermore, in Algorithm 1, normalize reduces the right-hand sides and the strict subterms of the left-hand sides of rewrite rules by S, while Algorithm 2 does not include this reduction. As a consequence, the second way of combining rules of E in Algorithm 2 is not necessary in Algorithm 1, since the rules thus created would be reduced by normalize into an instance of an already existing rule.

Our final algorithm combines the two previous ones:


Algorithm 3 (Union) Let Σ be a signature.
Split the set of equations of Σ into subsets Ei that use disjoint sets of constructors.
Let Econv be the union of those subsets Ei that we can prove convergent.
Let Elin be the union of those subsets Ei that are linear and are not in Econv.
If some subsets Ei are neither in Econv nor in Elin, then fail.
Apply Algorithm 1 to Econv, obtaining the rewriting system Sconv and the definition def_{Σ′}(f) of the constructors of Econv.
Apply Algorithm 2 to Elin, obtaining the definition def_{Σ′}(f) of the constructors of Elin.
Let S = Sconv.

The following theorem says that these three algorithms are correct. It is proved in Appendix A.

Theorem 2 If Algorithm 1, 2, or 3 produces a signature Σ′ from a signature Σ, then Σ′ models Σ.

5.4 Reductions with equations and rewrite rules

From this point on, we assume that Σ′ models Σ. We extend equality modulo Σ from terms to biprocesses and term evaluations: Σ ⊢ P = P′ if and only if P′ can be obtained from P by replacing some of its subterms M (not containing diff or eval) with subterms equal modulo Σ. We define Σ ⊢ D = D′ similarly. Finally, we define P →_{Σ′,Σ} P′ as P →_Σ P′ except that signature Σ′ is used for reduction rules (Red I/O) and (Red Fun 1)—signature Σ is still used for (Red Fun 2).

We say that a biprocess P0 is unevaluated when every term in P0 is either a variable or diff[a, a] for some name a. Hence, every function symbol in P0 must be in a term evaluation and prefixed by eval. For any biprocess P, we can build an unevaluated biprocess unevaluated(P) by introducing a term evaluation for every non-trivial term and a diff for every name (with P ≈ unevaluated(P)). For instance, the unevaluated biprocess built from the process of Example 3 is:

(νs)(let y = eval pk(diff[s, s]) in diff[c, c]〈y〉 |
     !diff[c′, c′](x).(νa)
     let z = diff[eval enc(x, eval pk(diff[s, s]), diff[a, a]), diff[a, a]] in diff[c, c]〈z〉)

Lemma 1 Let P0 be a closed, unevaluated biprocess. If P0 →*_Σ ≡ P′0, Σ ⊢ P′0 = P′, and nf_{S,Σ}({P′}), then P0 →*_{Σ′,Σ} ≡ P′. Conversely, if P0 →*_{Σ′,Σ} ≡ P′ then there exists P′0 such that Σ ⊢ P′0 = P′ and P0 →*_Σ ≡ P′0.

This lemma gives an operational correspondence between →_Σ and →_{Σ′,Σ}. A similar lemma holds for processes instead of biprocesses, and can be used for extending previous proof techniques for secrecy [3] and correspondence [16] properties, so that they apply under equational theories. These extensions are implemented in ProVerif. We do not detail them further since we focus on equivalences in this paper. Using Lemma 1, we obtain:

Lemma 2 A closed biprocess P0 satisfies the conditions of Corollary 1 if and only if, for all plain evaluation contexts C, all evaluation contexts C′, and all reductions unevaluated(C[P0]) →*_{Σ′,Σ} P, we have

1. if P ≡ C′[N〈M〉.Q | N′(x).R] and fst(N) = fst(N′), then Σ ⊢ snd(N) = snd(N′),

2. if P ≡ C′[let x = D in Q else R] and fst(D) ⇓_{Σ′} M1 for some M1, then snd(D) ⇓_Σ M2 for some M2,

as well as the symmetric properties where we swap fst and snd.

The lemmas above are proved in Appendix B.

6 Clause generation

Given a closed biprocess P0, our protocol verifier builds a set of Horn clauses. This section explains the generation of the clauses, substantially extending to biprocesses previous work at the level of processes.

6.1 Patterns and facts

In the clauses, the terms of processes are represented by patterns, with the following grammar:

p ::=                          patterns
    x, y, z, i                 variable
    f(p1, . . . , pn)          constructor application
    a[p1, . . . , pn]          name
    g                          element of GVar

We assign a distinct, fresh session identifier variable i to each replication of P0. (We will use a distinct value for i for each copy of the replicated process.) We assign a pattern a[p1, . . . , pn] to each name a of P0. We treat a as a function symbol, and write a[p1, . . . , pn] rather than a(p1, . . . , pn) only for clarity. We sometimes write a for a[ ]. If a is a free name, then its pattern is a[ ]. If a is bound by a restriction (νa) in P0, then its pattern takes as arguments the terms received as inputs, the results of term evaluations, and the session identifiers of replications in the context that encloses the restriction. For example, in the process !c′(x).(νa)P, each name created by (νa) is represented by a[i, x] where i is the session identifier for the replication and x is the message received as input in c′(x). We assume that each restriction (νa) in P0 has a different name a, distinct from any free name of P0. Moreover, session identifiers enable us to distinguish names created in different copies of processes. Hence, each name created in the process calculus is represented by a different pattern in the verifier.

Patterns include an infinite set of constants GVar. These constants are basically universally quantified variables, and occur only in arguments of the predicate nounif, defined in Definition 5 below. We write GVar(M) for the term obtained from M by replacing the variables of M with new constants in the set GVar.

Clauses are built from the following predicates:

F ::=                              facts
    att′(p, p′)                    attacker knowledge
    msg′(p1, p2, p′1, p′2)         output message p2 on p1 (resp. p′2 on p′1)
    input′(p, p′)                  input on p (resp. p′)
    nounif(p, p′)                  impossible unification
    bad                            bad

Informally, att′(p, p′) means that the attacker may obtain p in fst(P) and p′ in snd(P) by the same operations; msg′(p1, p2, p′1, p′2) means that message p2 may appear on channel p1 in fst(P) and that message p′2 may appear on channel p′1 in snd(P) after the same reductions; input′(p, p′) means that an input may be executed on channel p in fst(P) and on channel p′ in snd(P), thus enabling the attacker to infer whether p (resp. p′) is equal to another channel used for output; nounif(p, p′) means that p and p′ cannot be unified modulo Σ by substituting elements of GVar with patterns; finally, bad serves in detecting violations of observational equivalence: when bad is not derivable, we have observational equivalence.


An evident difference with respect to previous translations from processes to clauses is that predicates have twice as many arguments: we use the binary predicate att′ instead of the unary one att and the 4-ary predicate msg′ instead of the binary one msg. This extension allows us to represent information for both variants of a biprocess.

The predicate nounif is not defined by clauses, but by special simplification steps in the solver, defined in Section 7.

Definition 5 Let p and p′ be closed patterns. The fact nounif(p, p′) holds if and only if there is no closed substitution σ with domain GVar such that Σ ⊢ σp = σp′.

6.2 Clauses for the attacker

The following clauses represent the capabilities of the attacker:

For each a ∈ fn(P0), att′(a[ ], a[ ])    (Rinit)

For some b that does not occur in P0, att′(b[x], b[x])    (Rn)

For each function h, for each pair of rewrite rules h(M1, . . . , Mn) → M and h(M′1, . . . , M′n) → M′ in def_{Σ′}(h) (after renaming of variables),
    att′(M1, M′1) ∧ . . . ∧ att′(Mn, M′n) → att′(M, M′)    (Rf)

msg′(x, y, x′, y′) ∧ att′(x, x′) → att′(y, y′)    (Rl)

att′(x, x′) ∧ att′(y, y′) → msg′(x, y, x′, y′)    (Rs)

att′(x, x′) → input′(x, x′)    (Ri)

input′(x, x′) ∧ msg′(x, z, y′, z′) ∧ nounif(x′, y′) → bad    (Rcom)

For each destructor g, for each rewrite rule g(M1, . . . , Mn) → M in def_{Σ′}(g),
    ⋀_{g(M′1, . . . , M′n) → M′ ∈ def_{Σ′}(g)} nounif((x′1, . . . , x′n), GVar((M′1, . . . , M′n))) ∧ att′(M1, x′1) ∧ . . . ∧ att′(Mn, x′n) → bad    (Rt)

plus symmetric clauses (Rcom′) and (Rt′) obtained from (Rcom) and (Rt) by swapping the first and second arguments of input′ and att′ and the first and third arguments of msg′.

Clause (Ri) means that, if the attacker has x (resp. x′), then it can attempt an input on x (resp. x′), thereby testing whether it is equal to some other channel used for output. Clauses (Rcom) and (Rcom′) detect when a communication can occur in one variant of the biprocess and not in the other: the input and output channels are equal in one variant and different in the other. These clauses check that condition 1 of Lemma 2 and its symmetric are true.

Clause (Rt) checks that for all applications of a destructor g, if this application succeeds in fst(P), then it succeeds in snd(P), possibly using another rule. Clause (Rt′) checks the converse. These two clauses are essential for obtaining condition 2 of Lemma 2. Consider, for instance, the destructor equals of Section 2.2. After a minor simplification, Clauses (Rt) and (Rt′) become

att′(x, y) ∧ att′(x, y′) ∧ nounif(y, y′)→ bad (1)

att′(y, x) ∧ att′(y′, x) ∧ nounif(y, y′)→ bad (2)

The other clauses are adapted from previous work [3, 16] by replacing unary (resp. binary) predicates with binary (resp. 4-ary) ones. Clause (Rinit) indicates that the attacker initially has all free names of P0. Clause (Rn) means that the attacker can generate fresh names b[x]. Clause (Rf) means that the attacker can apply all functions to all terms it has. In this clause, the rewrite rules h(M1, . . . , Mn) → M and h(M′1, . . . , M′n) → M′ may be different elements of def_{Σ′}(h); their variables are renamed so that M1, . . . , Mn, M on the one hand and M′1, . . . , M′n, M′ on the other hand do not share variables. Clause (Rl) means that the attacker can listen on all the channels it has, and (Rs) that it can send all the messages it has on all the channels it has.

6.3 Clauses for the protocol

The translation [[P]]ρss′H of a biprocess P is a set of clauses, where ρ is an environment that associates a pair of patterns with each name and variable, s and s′ are sequences of patterns, and H is a sequence of facts. The empty sequence is written ∅; the concatenation of a pattern p to the sequence s is written s, p; the concatenation of a fact F to the sequence H is written H ∧ F. When ρ associates a pair of patterns with each name and variable, and f is a constructor, we extend ρ as a substitution by ρ(f(M1, . . . , Mn)) = (f(p1, . . . , pn), f(p′1, . . . , p′n)) where ρ(Mi) = (pi, p′i) for all i ∈ {1, . . . , n}. We denote by ρ(M)1 and ρ(M)2 the components of the pair ρ(M). We let ρ(diff[M, M′]) = (ρ(M)1, ρ(M′)2). We define [[P]]ρss′H as follows:

[[0]]ρss′H = ∅
[[!P]]ρss′H = [[P]]ρ(s, i)(s′, i)H
    where i is a fresh variable
[[P | Q]]ρss′H = [[P]]ρss′H ∪ [[Q]]ρss′H
[[(νa)P]]ρss′H = [[P]](ρ[a ↦ (a[s], a[s′])])ss′H
[[M(x).P]]ρss′H = [[P]](ρ[x ↦ (x′, x′′)])(s, x′)(s′, x′′)(H ∧ msg′(ρ(M)1, x′, ρ(M)2, x′′))
    ∪ {H → input′(ρ(M)1, ρ(M)2)}
    where x′ and x′′ are fresh variables
[[M〈N〉.P]]ρss′H = [[P]]ρss′H ∪ {H → msg′(ρ(M)1, ρ(N)1, ρ(M)2, ρ(N)2)}
[[let x = D in P else Q]]ρss′H =
    ⋃{[[P]]((σρ)[x ↦ (p, p′)])(σs, p)(σs′, p′)(σH) | (ρ(D)1, ρ(D)2) ⇓′ ((p, p′), σ)}
    ∪ [[Q]]ρss′(H ∧ ρ(fails(fst(D)))1 ∧ ρ(fails(snd(D)))2)
    ∪ {σH ∧ σρ(fails(snd(D)))2 → bad | ρ(D)1 ⇓′ (p, σ)}
    ∪ {σH ∧ σρ(fails(fst(D)))1 → bad | ρ(D)2 ⇓′ (p′, σ)}
    where fails(D) = ⋀_{σ | D ⇓′ (p, σ)} nounif(D, GVar(σD))

In the translation, the environment ρ maps names and variables to their corresponding pair of patterns—one pattern for each variant of the biprocess. The sequences s and s′ contain all input messages, session identifiers, and results of term evaluations in the enclosing context—one sequence for each variant of the biprocess. They are used in the restriction case (νa)P, to build patterns a[s] and a[s′] that correspond to the name a. The sequence H contains all facts that must be true to run the current process.

The clauses generated are similar to those of [16], but clauses are added to indicate which tests the adversary can perform, and predicates have twice as many arguments.

• Replication creates a new session identifier i, added to s and s′. Replication is otherwise ignored, since Horn clauses can be applied any number of times anyway.

• In the translation of an input, the sequence H is extended with the input in question and the environment ρ with a binding of x to a new variable x′ in variant 1, x′′ in variant 2. Moreover, a new clause H → input′(ρ(M)1, ρ(M)2) is added, indicating that when all conditions in H are true, an input on channel M may be executed. This input may enable the adversary to infer that M is equal to some channel used for output; Clauses (Rcom) or (Rcom′) derive bad when this information may break equivalence.

• The output case adds a clause stating that message N may be sent on channel M .

• Finally, the clauses for a term evaluation are the union of clauses for the cases where the term evaluation succeeds on both sides (then we execute P), where the term evaluation fails on both sides (then we execute Q), and where the term evaluation fails on one side and succeeds on the other (then we derive bad). Indeed, in the last case, the adversary may get to know whether the term evaluation succeeds or fails (when the code executed in the success case is visibly different from the code executed in the failure case).

Example 7 The biprocess of Example 3 yields the clauses:

msg′(c, pk(s), c, pk(s))

msg′(c′, x, c′, x′)→ msg′(c, penc(x, pk(s), a[i, x]), c, a[i, x′])

The first clause corresponds to the output of the public key pk(s). The second clause corresponds to the other output: if a message x (resp. x′) is received on channel c′, then the message penc(x, pk(s), a[i, x]) in the first variant (resp. a[i, x′] in the second variant) is sent on channel c. The encoding of the fresh name a as a pattern a[i, x] is explained in Section 6.1. □

Example 8 The process c(x).let y = eval dec(x, a) in c〈y〉, where dec is a destructor defined by dec(enc(x, y), y) → x, yields the clauses:

msg′(c, enc(y, a), c, x′) ∧ nounif(x′, enc(g, a))→ bad

msg′(c, x, c, enc(y′, a)) ∧ nounif(x, enc(g, a))→ bad

msg′(c, enc(y, a), c, enc(y′, a))→ msg′(c, y, c, y′)

In the first clause, a message received on c is of the form enc(y, a) in the first variant but not in the second variant; decryption succeeds only in the first variant, so the process is not uniform and we derive bad. The second clause is the symmetric case. In the third clause, decryption succeeds in both variants, and yields an output on channel c. □

6.4 Proving equivalences

Let ρ0 = {a ↦ (a[ ], a[ ]) | a ∈ fn(P0)}. We define the set of clauses that corresponds to biprocess P0 as:

R_{P0} = [[unevaluated(P0)]]ρ0 ∅ ∅ ∅ ∪ {(Rinit), (Rn), . . . , (Rt), (Rt′)}

The following result is proved in Appendix D. It shows the soundness of the translation.

Theorem 3 If bad is not a logical consequence of R_{P0}, then P0 satisfies observational equivalence.

When bad is a logical consequence of R_{P0}, the derivation of bad from R_{P0} can serve for reconstructing a violation of the hypothesis of Corollary 1, via an extension of recent techniques for secrecy analysis [10]. However, the translation of protocols to Horn clauses performs safe abstractions that sometimes result in false counterexamples: the Horn clauses can be applied any number of times, so the translation ignores the number of repetitions of actions. For instance, (νc)(c〈M〉 | c(x).c(x).P) satisfies equivalence for any P because P is never executed, and (νc)(c〈diff[M1, M2]〉 | c(x).d〈c〉) satisfies equivalence for any M1 and M2 because its diff disappears before the attacker obtains channel c. Our technique cannot prove these equivalences in general. The latter example illustrates that our technique typically fails for biprocesses that first keep some value secret and later reveal it. The reason for the failures on (νc)(c〈M〉 | c(x).c(x).P) and (νc)(c〈diff[M1, M2]〉 | c(x).d〈c〉) is that the translation to classical Horn clauses basically treats these two biprocesses like variants with additional replications, namely (νc)(!c〈M〉 | c(x).c(x).P) and (νc)(!c〈diff[M1, M2]〉 | !c(x).d〈c〉) respectively, and these variants do not necessarily satisfy equivalence. On the other hand, the safe abstractions that the translation performs are crucial for the applicability of our technique to infinite-state systems, which is illustrated by many of the examples in this paper.

We also have the following lemma, which is important for proving the soundness of some simplification steps in the solving algorithm below, enabling us to work with terms in normal form only. It is proved in Appendix C.

Lemma 3 If bad is derivable from R_{P0} then bad is derivable from R_{P0} by a derivation such that nf_{S,Σ}(𝓕) where 𝓕 is the set of intermediately derived facts in this derivation, excluding nounif facts.

7 Solving algorithm

In order to determine whether bad is a logical consequence of R_{P0}, we use an algorithm based on resolution with free selection, adapting a previous algorithm [17].

7.1 The basic resolution algorithm

The algorithm infers new clauses by resolution, as follows. From two clauses R = H → C and R′ = F ∧ H′ → C′ (where F is any hypothesis of R′) such that C and F are unifiable, with most general unifier σ, it infers R ∘_F R′ = σH ∧ σH′ → σC′:

        H → C        F ∧ H′ → C′
    ―――――――――――――――――――――――――――――――
            σH ∧ σH′ → σC′

The clause R ∘_F R′ is the combination of R and R′, in which R proves the hypothesis F of R′.

Resolution is guided by a selection function: sel(R) returns a subset of the hypotheses of R, and the resolution step above applies only when sel(R) = ∅ and F ∈ sel(R′). When sel(R) = ∅, we say that the conclusion of R is selected. In this paper, we use the following selection rules:

• nounif(p1, p2) is never selected. (It is handled by special simplification steps.)

• bad is never selected, except in the clause bad, and in clauses whose hypotheses are all of the form nounif(p1, p2). (If we select bad in a clause H → bad, then the algorithm will fail to prove that bad is not derivable. That is why we avoid selecting bad when possible.)

• att′(x, x′) with any variables x, x′ is selected only when no other fact can be selected. (Our intent is to obtain termination, whereas facts att′(x, x′) can be unified with all facts att′(p, p′) to generate many additional clauses.) In this case, att′(x, x′) is selected preferably when x (or x′) occurs in a fact nounif(x, p′) where p′ is not a variable. (When we select att′(x, x′), this fact will be unified with some other fact, thus hopefully instantiating x, so that we make progress determining whether nounif(x, p′) is true or not.)

7.2 General simplifications

As part of the algorithm, we apply a series of simplification functions on clauses. Some of them are standard, such as the elimination of tautologies (performed by elimtaut) and duplicate hypotheses (performed by elimdup). We omit their definitions. Others are specific to our purpose:

• Elimination of att′(x, y): elimattx removes hypotheses att′(x, y) when x and y do not appear elsewhere in the clause, except possibly in nounif facts. The variables x and y may be the same variable.

• Elimination of useless variables: elimvar transforms clauses of the form

R = att′(x, y) ∧ att′(x, y′) ∧ H → C

into R{y/y′}, when R is not Clause (1).

The soundness of elimvar can be established by cases. If we can derive facts att′(px, py) and att′(px, py′) such that Σ ⊢ py ≠ py′ from the other clauses, then we can derive bad by applying Clause (1), included in the clause base as Clause (Rt) for g = equals. Otherwise, in any derivation of bad obtained by Lemma 3, any application of R uses the same fact to match both att′(x, y) and att′(x, y′), and the transformed clause also applies. (The clause R uses att′(px, py) and att′(px, py′) with Σ ⊢ py = py′, hence py = py′ by the conclusion of Lemma 3.)

The function elimvar also performs the symmetric simplification, relying on the presence of Clause (2).

• Elimination of useless forms modulo equality: simpeq removes clauses that contain a fact F that is not a nounif fact and is not in normal form relatively to S. The soundness of this simplification follows from Lemma 3. A typical example concerns decryption, when it is defined by an equation (as in Example 5): we can remove any clause that contains dec(enc(y, x), x).

This simplification could be extended to clauses that contain several syntactically different forms of the same term modulo the equational theory, although that would be more difficult to implement.

7.3 Simplifications for nounif

These simplifications are adapted from those for testunif (from [17]).

• Unification: unify transforms clauses of the form H ∧ nounif(p1, p2) → C as follows. For every nounif(p1, p2) hypothesis in turn, it tries to unify p1 and p2 modulo the equational theory, considering elements of GVar as variables. If this unification fails, then the clause becomes H → C, because nounif(p1, p2) holds when Σ ⊢ σp1 ≠ σp2 for all σ. Otherwise, unify replaces the clause with

H ∧ ⋀_{j=1}^{n} nounif((x^{j}_{1}, . . . , x^{j}_{k_j}), (σj x^{j}_{1}, . . . , σj x^{j}_{k_j})) → C

where σ1, . . . , σn are the most general unifiers of p1 and p2 modulo the equational theory and x^{j}_{1}, . . . , x^{j}_{k_j} are all variables affected by σj. (These may include elements of GVar.) In this unification, σj is built so that all variables in its domain and its image are variables of p1 and p2, and the variables in its domain do not occur in its image. Note that an instance of ⋀_{j=1}^{n} nounif((x^{j}_{1}, . . . , x^{j}_{k_j}), (σj x^{j}_{1}, . . . , σj x^{j}_{k_j})) is true if and only if the same instance of nounif(p1, p2) is, because σp1 = σp2 if and only if there exists j ∈ {1, . . . , n} such that σ(x^{j}_{1}, . . . , x^{j}_{k_j}) = σσj(x^{j}_{1}, . . . , x^{j}_{k_j}), for all σ with domain GVar ∪ Var where Var is the set of variables.

In order to compute unification modulo the equational theory of p1 and p2, we rewrite both terms according to the rewrite rules for the function symbols that they contain (generating some bindings for variables), then syntactically unify the results. Formally, the most general unifiers of p1 and p2 modulo Σ are the substitutions σuσ such that addeval(p1, p2) ⇓′ ((p′1, p′2), σ) and σu is the most general unifier of p′1 and p′2.

For instance, with an empty equational theory, unify transforms the clause

H ∧ nounif((enc(x′, y′), z′), (enc(g, y), g))→ C

into

H ∧ nounif((x′, y′, z′), (g, y, g)) → C    (3)

Assuming the equational theory of Example 6, unify transforms the clause

H ∧ nounif(x^y, x′^y′)→ C

into

H ∧ nounif((x, y), (x′, y′)) ∧ nounif((x, x′), (b^y′, b^y)) → C

• Swap: swap transforms facts nounif((p1, . . . , pn), (p′1, . . . , p′n)) in clauses obtained after unify. When pi is a variable and p′i ∈ GVar, it swaps pi and p′i everywhere in the nounif fact. Note that an instance of the new nounif fact is true if and only if the same instance of the old one is, since the unification constraints remain the same.

For instance, swap transforms Clause (3) into

H ∧ nounif((g, y′, z′), (x′, y, x′))→ C (4)

• Elimination of elements of GVar: elimGVar transforms facts nounif((p1, . . . , pn), (p′1, . . . , p′n)) in clauses obtained after unify and swap: when pi = g ∈ GVar, it eliminates the pair pi, p′i from the nounif fact.

An instance of the new nounif fact is true if and only if the same instance of the old one is, because g ∈ GVar cannot occur elsewhere in the nounif fact. (This property comes from the result of unify and is preserved by swap.)

For instance, elimGVar transforms Clause (4) into

H ∧ nounif((y′, z′), (y, x′))→ C

• Detection of failed nounif: elimnouniffalse removes clauses that contain the hypothesis nounif((), ()).

7.4 Combining the simplifications

We group all simplifications, as follows:

• We define the simplification function simplify = elimtaut ◦ elimattx ◦ elimdup ◦ elimnouniffalse ◦ repeat(elimGVar ◦ swap ◦ unify ◦ elimvar ◦ simpeq). The expression repeat(f) means that the application of function f is repeated until a fixpoint is obtained, that is, f(𝓡) = 𝓡. It is enough to repeat the simplification only when elimvar has modified the set of clauses. Indeed, no new simplification would be done in the other cases. The repetition never leads to an infinite loop, because the number of variables decreases at each iteration.

• We let condense(R) apply simplify to R and then eliminate subsumed clauses. We say that H1 → C1 subsumes H2 → C2 (and we write (H1 → C1) ⊒ (H2 → C2)) if and only if there exists a substitution σ such that σC1 = C2 and σH1 ⊆ H2 (as a multiset inclusion). If R contains clauses R and R′ such that R subsumes R′, then R′ is removed. (In that case, R can do all derivations that R′ can do.)


234 Bruno Blanchet, Martın Abadi, and Cedric Fournet

Finally, we define the algorithm saturate(R0). Starting from condense(R0), the algorithm adds clauses inferred by resolution with the selection function sel and condenses the resulting clause set until a fixpoint is reached. When a fixpoint is reached, saturate(R0) is the set of clauses R in the clause set such that sel(R) = ∅.

We have the following soundness result:

Theorem 4 If saturate(RP0) terminates and its result contains no clause of the form H → bad, then bad is not derivable from RP0.

This result is proved in Appendix E.
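As an added illustration of condense and saturate (example code written for this page, not the paper's or ProVerif's implementation), the following Python sketch implements subsumption via a matching substitution with multiset inclusion of hypotheses, resolution against a selected hypothesis, and the fixpoint loop, then runs them on a constructed toy clause set in which the attacker holds enc(s, k) and, optionally, the key k. The term encoding, the selection function (select the first hypothesis that is not att(x) with x a variable) and the clause set are assumptions of the example, not the paper's.

```python
"""Horn-clause saturation with a selection function and subsumption-based condensing,
in the style of condense and saturate (Section 7.4). This is an added example, not code
from the paper or from ProVerif; the term encoding, the selection function and the toy
clause set are this example's own assumptions. Encoding: variable = str ("x"); name =
1-tuple (("k",)); application = (symbol, arg, ...); fact = (predicate, term) or ("bad",);
clause H -> C = (H, C) with H a tuple of facts."""
from itertools import count
_fresh = count()   # counter used to standardize variables apart
def is_var(t): return isinstance(t, str)
def occurs(v, t): return t == v if is_var(t) else any(occurs(v, a) for a in t[1:])

def subst(s, t):   # apply substitution s (var -> term) to a term or fact, following chains
    if is_var(t):
        return subst(s, s[t]) if t in s else t
    return (t[0],) + tuple(subst(s, a) for a in t[1:])

def unify(t1, t2, s):
    """Most general unifier of t1 and t2 extending s, or None if none exists."""
    t1, t2 = subst(s, t1), subst(s, t2)
    if t1 == t2:
        return s
    if is_var(t1) or is_var(t2):
        v, t = (t1, t2) if is_var(t1) else (t2, t1)
        return None if occurs(v, t) else {**s, v: t}
    if t1[0] != t2[0] or len(t1) != len(t2):
        return None
    for a, b in zip(t1[1:], t2[1:]):
        s = None if s is None else unify(a, b, s)
    return s

def match(p, t, s):
    """One-way matching: extend s so that subst(s, p) == t; t is never instantiated."""
    if is_var(p):
        return {**s, p: t} if p not in s else s if s[p] == t else None
    if is_var(t) or p[0] != t[0] or len(p) != len(t):
        return None
    for a, b in zip(p[1:], t[1:]):
        s = None if s is None else match(a, b, s)
    return s

def subsumes(r1, r2):
    """(H1 -> C1) subsumes (H2 -> C2): sigma C1 = C2 and sigma H1 a sub-multiset of H2."""
    (h1, c1), (h2, c2) = r1, r2
    def cover(i, s, used):   # match each hypothesis of H1 to a distinct one of H2
        if i == len(h1):
            return True
        return any(s2 is not None and cover(i + 1, s2, used | {j})
                   for j, f in enumerate(h2) if j not in used
                   for s2 in [match(h1[i], f, s)])
    s = match(c1, c2, {})
    return s is not None and cover(0, s, frozenset())

def sel(r):
    """Selection function (assumed): first hypothesis that is not att(x), x a variable; None = empty."""
    return next((i for i, f in enumerate(r[0])
                 if not (f[0] == "att" and is_var(f[1]))), None)

def rename(r):   # standardize apart: give every variable of clause r a fresh name
    n = next(_fresh)
    ren = lambda t: f"{t}_{n}" if is_var(t) else (t[0],) + tuple(map(ren, t[1:]))
    return (tuple(map(ren, r[0])), ren(r[1]))

def resolve(r, rp):
    """Resolve R = H -> C (sel(R) empty) with the selected hypothesis F0 of R' = H' -> C':
    the resolvent is sigma(H + (H' minus F0)) -> sigma C' for sigma = mgu(C, F0)."""
    i = sel(rp)
    h, c = rename(r)
    hp, cp = rp
    s = unify(c, hp[i], {})
    if s is None:
        return None
    hyps = tuple(subst(s, f) for f in h + hp[:i] + hp[i + 1:])
    return (tuple(dict.fromkeys(hyps)), subst(s, cp))   # elimdup on the hypotheses

def condense(clauses):
    """elimtaut, then drop clauses subsumed by another (of mutual subsumers, the earlier survives)."""
    kept = [r for r in dict.fromkeys(clauses) if r[1] not in r[0]]
    return [r for i, r in enumerate(kept) if not any(
        j != i and subsumes(q, r) and (j < i or not subsumes(r, q)) for j, q in enumerate(kept))]

def saturate(r0):
    """Add resolvents and condense until a fixpoint; return the clauses R with sel(R) empty."""
    clauses = condense(r0)
    while True:
        new = [res for r in clauses if sel(r) is None
               for rp in clauses if sel(rp) is not None
               for res in [resolve(r, rp)] if res is not None]
        nxt = condense(clauses + new)
        if set(nxt) == set(clauses):
            return [r for r in clauses if sel(r) is None]
        clauses = nxt

def may_derive_bad(r0):   # Theorem 4 reading: no clause H -> bad after saturation => bad underivable
    return any(r[1] == ("bad",) for r in saturate(r0))

def example_clauses(key_known):
    """Constructed toy clause set: the attacker sees enc(s, k), can encrypt and decrypt
    with keys it knows, and bad is derivable iff it obtains s."""
    x, y, k, s = "x", "y", ("k",), ("s",)
    r0 = [((), ("att", ("enc", s, k))),                          # intercepted message
          ((("att", x), ("att", y)), ("att", ("enc", x, y))),    # attacker encrypts
          ((("att", ("enc", x, y)), ("att", y)), ("att", x)),    # attacker decrypts
          ((("att", s),), ("bad",))]                             # secrecy query on s
    return r0 + [((), ("att", k))] if key_known else r0          # optionally, k is leaked
```

On the toy set, saturation yields the clause → bad exactly when k is given to the attacker; without it, the decryption clause keeps a selected hypothesis att(k) that nothing resolves, and no clause concluding bad survives.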

8 Extension to scenarios with several stages

Many protocols can be broken into stages, and their security properties can be formulated in terms of these stages. Typically, for instance, if a protocol discloses a session key after the conclusion of a session, then the secrecy of the data exchanged during the session may be compromised but not its authenticity. In some cases, the disclosure of keys and other keying material is harmless and even useful at certain points in protocol executions (e.g., [2]). In this section we extend our technique to protocols with several successive stages. This extension consists in the following changes:

• The syntax of processes is supplemented with a stage prefix, t : P, where t is a nonnegative integer. Intuitively, t represents a global clock, and the process t : P is active only during stage t.

• The semantics of processes (and biprocesses) is extended by adding the rules of Figure 4 to those of Figures 2 and 3. This new semantics is a refinement, since P → Q in the simple semantics if and only if t : P →t t : Q in the refined semantics. Conversely, if P′ →t Q′ for staged processes, then P → Q in the simple semantics, where P and Q are obtained from P′ and Q′ by erasing all stage prefixes.

• Instead of att′, msg′, and input′, the clause generation uses distinct predicates att′t, msg′t, and input′t for each stage t used in the protocol. The clauses for the protocol use the predicates indexed by t when translating the process P in t : P. The clauses for the attacker are replicated for each att′t. In addition, new clauses carry over the attacker's knowledge from one stage to the next:

att′t(x, x′) → att′t+1(x, x′) (Rp)

As an optimization, when the protocol uses only plain processes for the initial stages t ≤ i (that is, diff occurs only at later stages), we translate these processes using the more efficient clause generation of [3], with predicates that keep track of a single process, rather than the two variants of a biprocess.

• Our main theorems hold for staged biprocesses, with minor adaptations and extra optimizations in algorithms. In particular, all definitions and theorems now use → = ∪t≥0 →t instead of →.

9 Applications

This section surveys some of the applications of our proof method. The total runtime of all proof scripts for the experiments described below is 45 s on a Pentium M 1.8 GHz. None of these applications could be handled by ProVerif without the extensions presented in this paper.


Automated Verification of Selected Equivalences for Security Protocols 235

(νa)t : P ≡ t : (νa)P
t : (P | Q) ≡ t : P | t : Q
t : t′ : P ≡ t′ : P if t < t′

P → Q ⇒ t : P →t t : Q (Red Stage)
P →t Q ⇒ P | R →t Q | R (Red Par)
P →t Q ⇒ (νa)P →t (νa)Q (Red Res)
P′ ≡ P, P →t Q, Q ≡ Q′ ⇒ P′ →t Q′ (Red ≡)

Figure 4: Semantics for stages

9.1 Weak secrets

A weak secret represents a secret value with low entropy, such as a human-memorizable password. Protocols that rely on weak secrets are often subject to guessing attacks, whereby an attacker guesses a weak secret, perhaps using a dictionary, and verifies its guess. The guess verification may rely on interaction with protocol participants or on computations on intercepted messages (e.g., [13, 35, 36]). With some care in protocol design, however, those attacks can be prevented:

• On-line guessing attacks can be mitigated by limiting the number of retries that participants allow. An attacker that repeatedly attempts to guess the weak secret should be eventually detected and stopped if it tries to verify its guesses by interacting with other participants.

• Off-line guessing attacks can be prevented by making sure that, even if the attacker (systematically) guesses the weak secret, it cannot verify whether its guess is correct by computing on intercepted traffic.

Off-line guessing attacks can be explained and modelled in terms of a 2-stage scenario. In stage 0, on-line attacks are possible, but the weak secret is otherwise unguessable. In stage 1, the attacker obtains a possible value for the weak secret (intuitively, by guessing it). The absence of off-line attacks is characterized by an equivalence: the attacker cannot distinguish the weak secret used in stage 0 from an unrelated fresh value.

In our calculus, we arrive at the following definition:

Definition 6 (Weak secrecy) Let P be a closed process with no stage prefix. We say that P prevents off-line attacks against w when (νw)(0 : P | 1 : (νw′)c〈diff[w, w′]〉) satisfies observational equivalence.

This definition is in line with the work of Cohen, Corin et al., Delaune and Jacquemard, Drielsma et al., and Lowe [26–28, 30, 32, 41]. Lowe uses the model-checker FDR to handle a bounded number of sessions, while Delaune and Jacquemard give a decision procedure in this case. Corin et al. give a definition based on equivalence like ours, but do not consider the first, active stage; they analyze only one session.

As a first example, assume that a principal attempts to prove knowledge of a shared password w to a trusted server by sending a hash of this password encrypted under the server's public key. (For simplicity, the protocol does not aim to provide freshness guarantees, so anyone may replay this proof.) Omitting the code for the server, a first protocol may be written:

P = (νs)c〈pk(s)〉.c〈penc(h(w), pk(s))〉

The first output reveals the public key of the server; the second output communicates the proof of knowledge of w. This protocol does not prevent off-line attacks against w. ProVerif finds an attack that corresponds to the following adversary:

A = 0 : c(pk).c(e).

1 : c(w).if e = penc(h(w), pk) then Guessed〈〉

A corrected protocol uses non-deterministic encryption (see Example 3):

P = (νs, a)c〈pk(s)〉.c〈penc(h(w), pk(s), a)〉

ProVerif automatically produces a proof for this corrected protocol.

As a second example, we consider a simplified version of EKE [13]:

PA = (νdA)c〈enc(b^dA, w)〉

PB = c(x).(νdB)let k = dec(x,w)^dB in c〈enc(b^dB, w), k〉

P = !PA | !PB

Here, two parties obtain a shared session key k = (b^dA)^dB via a Diffie-Hellman exchange, in which b^dA and b^dB are exchanged protected by a weak secret w. The EKE protocol has several rounds of key confirmation; here, instead, we immediately give the session key k to the attacker. Still, relying on the contextual property of equivalence, we can define a context that performs these key confirmations. Since that context does not use the weak secret, the resulting protocol prevents off-line attacks against w as long as the original protocol does.

We have proved security properties of several versions of EKE: the public-key and the Diffie-Hellman versions for EKE [13], and the version with hashed passwords and the one with signatures for Augmented EKE [14]. Unlike the protocol displayed above, our models include an unbounded number of possibly dishonest principals that run parallel sessions.

For the analysis of such protocols, we define encryption under a weak secret by the equational theory of Example 5. The use of this equational theory is important, as it entails that the adversary cannot check whether a decryption is successful and thereby check a guess. In contrast, a straightforward presentation with constructors and destructors but without the equational theory (see Section 2.1) would not be adequate in this respect: with that presentation, an attacker could verify a guess w′ of w by testing whether the decryption of the first message of the protocol with w′ succeeds.

9.2 Authenticity

Abadi and Gordon [8] use equivalences for expressing authenticity properties, and treat a variant of the Wide-Mouth-Frog protocol as an example. In this protocol, two participants A and B share secret keys kAS and kSB with a server S, respectively. Participant A generates a key kAB, sends it encrypted to S, which forwards it reencrypted to B. Then A sends the payload x to B encrypted under kAB. Finally, B forwards the payload that it receives, possibly for further processing. Essentially, authenticity is defined as an equivalence between the protocol and a specification. The specification is an idealized variant of the protocol, obtained by modifying B so that, independently of what it receives, it forwards A's payload x.

For the one-session version [8, Section 3.2.2], the protocol and the specification can be combined into the following biprocess P0:

PA = (νkAB)c〈enc(kAB, kAS)〉.c〈enc(x, kAB)〉

PS = c(y1).let y2 = dec(y1, kAS) in c〈enc(y2, kSB)〉

PB = c(y3).let y4 = dec(y3, kSB) in c(y5).let x′ = dec(y5, y4) in e〈diff[x, x′]〉

P0 = c(x).(νkAS)(νkSB)(PA | PS | PB)

with the rewrite rule dec(enc(x, y), y)→ x for the destructor dec.


The technique presented in this paper automatically proves that P0 satisfies observational equivalence, and hence establishes the desired authenticity property. Thus, it eliminates the need for a laborious manual proof. The technique can also be used for simplifying the proof of authenticity for the multi-session version.

Authenticity properties are sometimes formulated as correspondence assertions on behaviors, rather than as equivalences. Previous work shows how to check those assertions with ProVerif [16]. However, that previous work does not apply to equivalences.

9.3 Complete sessions in JFK

Finally, we show other ways in which automated proofs of equivalences can contribute to protocol analyses, specifically studying JFK, a modern session-establishment protocol for IP security [9].

In recent work [4], we modelled JFK in the applied pi calculus. We used processes for representing the reachable states of JFK, for any number of principals and sessions, and stated security properties as equivalences. Although we relied on ProVerif for reasoning about behaviors, our main proofs of equivalences were manual. Applying the techniques of this paper, we can revise and largely automate those proofs. The resulting proofs rely on equivalences on biprocesses, verified by ProVerif, composed with standard pi calculus equivalences that do not depend on the signature for terms.

In particular, a core property of JFK is that, once a session completes, its session key is (apparently) unrelated to the cryptographic material exchanged during the session, and all those values can be replaced by distinct fresh names [4, Theorem 2]. This property can be stated and proved in terms of a biprocess S that outputs either the actual results of JFK computations (in fst(S)) or distinct fresh names (in snd(S)), in parallel with the rest of the JFK system to account for any other sessions. The proof of this property goes as follows. The JFK system is split into S ≈ C[S′], where S′ is similar to S but omits unimportant parts of JFK, collected in the evaluation context C[ ]. The proof that S ≈ C[S′] is straightforward; it relies on pi calculus equivalences that eliminate communications on private channels introduced in the split. ProVerif shows that S′ satisfies equivalence. Using the contextual property of equivalence, C[S′] satisfies equivalence, hence fst(S) ≈ snd(S).

10 Conclusion

In the last decade, there has been substantial research on proof methods for security protocols. While many of those proof methods have focused on predicates on behaviors, others have addressed equivalences between systems (e.g., [1, 6–8, 23–25, 29, 33, 34, 38, 39, 46]). Much of this research is concerned with obtaining sound and complete proof systems, often via sophisticated bisimulations, and eventually decision algorithms for restricted cases. In our opinion, these are important goals, and the results to date are significant.

In the present paper, we aim to contribute to this body of research with a different approach. We do not emphasize the development of bisimulation techniques. Rather, we leverage behavior-oriented techniques and tools (ProVerif, in particular) for equivalence proofs. We show how to derive equivalences by reasoning about behaviors—specifically, by reasoning about behaviors of applied pi calculus biprocesses. We also show how to translate those biprocesses to Horn clauses and how to reason about their behaviors by resolution. The resulting proof method is sound, although that is not simple to establish. We demonstrate the usefulness of the method through automated analyses of interesting, infinite-state systems.

Acknowledgments Bruno Blanchet's work was partly done at Max-Planck-Institut für Informatik, Saarbrücken. Martín Abadi's work was partly supported by the National Science Foundation under Grants CCR-0204162, CCR-0208800, and CCF-0524078. We are grateful to Harald Ganzinger for helpful discussions on the treatment of equational theories.

References

[1] M. Abadi. Secrecy by typing in security protocols. Journal of the ACM, 46(5):749–786, Sept. 1999.

[2] M. Abadi, A. Birrell, M. Burrows, F. Dabek, and T. Wobber. Bankable postage for network services. In V. Saraswat, editor, Advances in Computing Science – ASIAN 2003, Programming Languages and Distributed Computation, 8th Asian Computing Science Conference, volume 2896 of Lecture Notes on Computer Science, pages 72–90, Mumbai, India, Dec. 2003. Springer.

[3] M. Abadi and B. Blanchet. Analyzing security protocols with secrecy types and logic programs. Journal of the ACM, 52(1):102–146, Jan. 2005.

[4] M. Abadi, B. Blanchet, and C. Fournet. Just fast keying in the pi calculus. ACM Transactions on Information and System Security (TISSEC). To appear. An extended abstract appears in Programming Languages and Systems, 13th European Symposium on Programming (ESOP 2004).

[5] M. Abadi and V. Cortier. Deciding knowledge in security protocols under equational theories. Theoretical Computer Science, 367(1–2):2–32, Nov. 2006.

[6] M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'01), pages 104–115, London, United Kingdom, Jan. 2001. ACM Press.

[7] M. Abadi and A. D. Gordon. A bisimulation method for cryptographic protocols. Nordic Journal of Computing, 5(4):267–303, Winter 1998.

[8] M. Abadi and A. D. Gordon. A calculus for cryptographic protocols: The spi calculus. Information and Computation, 148(1):1–70, Jan. 1999. An extended version appeared as Digital Equipment Corporation Systems Research Center report No. 149, January 1998.

[9] W. Aiello, S. M. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, K. Keromytis, and O. Reingold. Just Fast Keying: Key agreement in a hostile Internet. ACM Transactions on Information and System Security, 7(2):242–273, May 2004.

[10] X. Allamigeon and B. Blanchet. Reconstruction of attacks against cryptographic protocols. In 18th IEEE Computer Security Foundations Workshop (CSFW-18), pages 140–154, Aix-en-Provence, France, June 2005. IEEE.

[11] F. Baader and C. Tinelli. Deciding the word problem in the union of equational theories. Technical Report UIUCDCS-R-98-2073, UILU-ENG-98-1724, University of Illinois at Urbana-Champaign, Oct. 1998.

[12] M. Baudet. Sécurité des protocoles cryptographiques: aspects logiques et calculatoires. PhD thesis, École Normale Supérieure de Cachan, 2007.

[13] S. M. Bellovin and M. Merritt. Encrypted Key Exchange: Password-based protocols secure against dictionary attacks. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pages 72–84, May 1992.


[14] S. M. Bellovin and M. Merritt. Augmented Encrypted Key Exchange: a password-based protocol secure against dictionary attacks and password file compromise. In Proceedings of the First ACM Conference on Computer and Communications Security, pages 244–250, Nov. 1993.

[15] B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82–96, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

[16] B. Blanchet. From secrecy to authenticity in security protocols. In M. Hermenegildo and G. Puebla, editors, 9th International Static Analysis Symposium (SAS'02), volume 2477 of Lecture Notes on Computer Science, pages 342–359, Madrid, Spain, Sept. 2002. Springer.

[17] B. Blanchet. Automatic proof of strong secrecy for security protocols. In IEEE Symposium on Security and Privacy, pages 86–100, Oakland, California, May 2004.

[18] B. Blanchet. Automatic proof of strong secrecy for security protocols. Technical Report MPI-I-2004-NWG1-001, Max-Planck-Institut für Informatik, Saarbrücken, Germany, July 2004.

[19] B. Blanchet. Security protocols: From linear to classical logic by abstract interpretation. Information Processing Letters, 95(5):473–479, Sept. 2005.

[20] B. Blanchet, M. Abadi, and C. Fournet. Automated verification of selected equivalences for security protocols. In 20th IEEE Symposium on Logic in Computer Science (LICS 2005), pages 331–340, Chicago, IL, June 2005. IEEE Computer Society.

[21] C. Bodei. Security Issues in Process Calculi. PhD thesis, Università di Pisa, Jan. 2000.

[22] C. Bodei, P. Degano, F. Nielson, and H. R. Nielson. Control flow analysis for the π-calculus. In International Conference on Concurrency Theory (Concur'98), volume 1466 of Lecture Notes on Computer Science, pages 84–98. Springer, Sept. 1998.

[23] M. Boreale, R. De Nicola, and R. Pugliese. Proof techniques for cryptographic processes. SIAM Journal on Computing, 31(3):947–986, 2002.

[24] J. Borgström, S. Briais, and U. Nestmann. Symbolic bisimulation in the spi calculus. In P. Gardner and N. Yoshida, editors, CONCUR 2004: Concurrency Theory, volume 3170 of Lecture Notes on Computer Science, pages 161–176. Springer, Aug. 2004.

[25] J. Borgström and U. Nestmann. On bisimulations for the spi calculus. In H. Kirchner and C. Ringeissen, editors, Algebraic Methodology and Software Technology: 9th International Conference, AMAST 2002, volume 2422 of Lecture Notes on Computer Science, pages 287–303, Saint-Gilles-les-Bains, Réunion Island, France, Sept. 2002. Springer.

[26] E. Cohen. Proving protocols safe from guessing. In Foundations of Computer Security, Copenhagen, Denmark, July 2002.

[27] R. Corin, J. M. Doumen, and S. Etalle. Analysing password protocol security against off-line dictionary attacks. In 2nd Int. Workshop on Security Issues with Petri Nets and other Computational Models (WISP), Electronic Notes in Theoretical Computer Science, June 2004.

[28] R. Corin, S. Malladi, J. Alves-Foss, and S. Etalle. Guess what? Here is a new tool that finds some new guessing attacks. In R. Gorrieri, editor, Workshop on Issues in the Theory of Security (WITS'03), Warsaw, Poland, Apr. 2003.


[29] V. Cortier. Vérification automatique des protocoles cryptographiques. PhD thesis, ENS de Cachan, Mar. 2003.

[30] S. Delaune and F. Jacquemard. A theory of dictionary attacks and its complexity. In 17th IEEE Computer Security Foundations Workshop, pages 2–15, Pacific Grove, CA, June 2004. IEEE.

[31] N. Dershowitz and D. A. Plaisted. Rewriting. In A. Robinson and A. Voronkov, editors, Handbook of Automated Reasoning, volume I, chapter 9, pages 535–610. Elsevier Science, 2001.

[32] P. H. Drielsma, S. Mödersheim, and L. Viganò. A formalization of off-line guessing for security protocol analysis. In F. Baader and A. Voronkov, editors, Logic for Programming, Artificial Intelligence, and Reasoning: 11th International Conference, LPAR 2004, volume 3452 of Lecture Notes on Computer Science, pages 363–379, Montevideo, Uruguay, Mar. 2005. Springer.

[33] L. Durante, R. Sisto, and A. Valenzano. Automatic testing equivalence verification of spi calculus specifications. ACM Transactions on Software Engineering and Methodology (TOSEM), 12(2):222–284, Apr. 2003.

[34] R. Focardi and R. Gorrieri. The compositional security checker: A tool for the verification of information flow security properties. IEEE Transactions on Software Engineering, 23(9):550–571, Sept. 1997.

[35] L. Gong. Verifiable-text attacks in cryptographic protocols. In INFOCOM '90, The Conference on Computer Communications, pages 686–693, San Francisco, CA, June 1990. IEEE.

[36] L. Gong, T. M. A. Lomas, R. M. Needham, and J. H. Saltzer. Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Areas in Communications, 11(5):648–656, June 1993.

[37] A. Gordon and A. Jeffrey. Authenticity by typing for security protocols. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 145–159, Cape Breton, Nova Scotia, Canada, June 2001. IEEE Computer Society.

[38] H. Hüttel. Deciding framed bisimilarity. In 4th International Workshop on Verification of Infinite-State Systems (INFINITY'02), pages 1–20, Brno, Czech Republic, Aug. 2002.

[39] P. D. Lincoln, J. C. Mitchell, M. Mitchell, and A. Scedrov. Probabilistic polynomial-time equivalence and security protocols. In J. Wing, J. Woodcock, and J. Davies, editors, FM'99 World Congress On Formal Methods in the Development of Computing Systems, volume 1708 of Lecture Notes on Computer Science, pages 776–793, Toulouse, France, Sept. 1999. Springer.

[40] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems, volume 1055 of Lecture Notes on Computer Science, pages 147–166. Springer, 1996.

[41] G. Lowe. Analyzing protocols subject to guessing attacks. In Workshop on Issues in the Theory of Security (WITS'02), Portland, Oregon, Jan. 2002.

[42] D. Monniaux. Abstracting cryptographic protocols with tree automata. Science of Computer Programming, 47(2–3):177–202, 2003.

[43] L. C. Paulson. The inductive approach to verifying cryptographic protocols. Journal of Computer Security, 6(1–2):85–128, 1998.


[44] F. Pottier. A simple view of type-secure information flow in the π-calculus. In Proceedings of the 15th IEEE Computer Security Foundations Workshop, pages 320–330, Cape Breton, Nova Scotia, June 2002.

[45] F. Pottier and V. Simonet. Information flow inference for ML. In Proceedings of the 29th ACM Symposium on Principles of Programming Languages (POPL'02), pages 319–330, Portland, Oregon, Jan. 2002.

[46] A. Ramanathan, J. Mitchell, A. Scedrov, and V. Teague. Probabilistic bisimulation and equivalence for security analysis of network protocols. In I. Walukiewicz, editor, FOSSACS 2004 - Foundations of Software Science and Computation Structures, volume 2987 of Lecture Notes on Computer Science, pages 468–483, Barcelona, Spain, Mar. 2004. Springer.

Appendix

The Appendix contains proofs of the main results of this paper. Proof scripts for all examples and applications, as well as the tool ProVerif, are available at http://www.di.ens.fr/~blanchet/obsequi/.

A Proof of Theorem 2

In this section, we prove the correctness of Algorithms 1, 2, and 3 given in Section 5.3. We begin with preliminary lemmas on modelling equational theories.

A.1 Preliminary lemmas

Lemma 4 Let N be either a name or a variable. If Σ ⊢ M = N and nfS,Σ({M}), then M = N. For any set of terms M, if nfS,Σ(M), then nfS,Σ(M ∪ {N}).

Proof We detail the proof for N = a. If we had M ≠ a, then either M contains a, so M does not satisfy nfS,Σ({M}), or M does not contain a. In this latter case, since Σ is invariant by substitution of terms for names, for all M′, we have Σ ⊢ a{M′/a} = M{M′/a} so Σ ⊢ M′ = M, then all terms are equated by Σ, which contradicts the hypothesis.

Let M′′ be any subterm of an element of M. We have nfS,Σ({M′′}), so if Σ ⊢ M′′ = a, then M′′ = a, by the previous property. Moreover, a is irreducible by S. So we have nfS,Σ(M ∪ {a}). □

Lemma 5 Assume S = ∅ and Σ is any equational theory. Then Property S2 is true.

Proof We show the following property: If nfS,Σ(M), then for any term M there exists M′ such that Σ ⊢ M′ = M and nfS,Σ(M ∪ {M′}). The proof is by induction on M.

• Cases M = a and M = x: Let M′ = M; by Lemma 4, nfS,Σ(M ∪ {M′}).

• Case M = f(N1, . . . , Nn): By induction hypothesis, there exist N′1, . . . , N′n such that Σ ⊢ Ni = N′i and nfS,Σ(M ∪ {N′1, . . . , N′n}). (For Ni, we apply the induction hypothesis with M ∪ {N′1, . . . , N′i−1} instead of M.)

If there exists a subterm M′ of M ∪ {N′1, . . . , N′n} such that Σ ⊢ f(N1, . . . , Nn) = M′, then we have nfS,Σ(M ∪ {M′}).

Otherwise, let M′ = f(N′1, . . . , N′n). We have Σ ⊢ M′ = f(N1, . . . , Nn), and nfS,Σ(M ∪ {M′}) since the subterms of M ∪ {M′} are the subterms of M ∪ {N′1, . . . , N′n} and the term M′, nfS,Σ(M ∪ {N′1, . . . , N′n}) and the new subterm M′ is different from any subterm of M ∪ {N′1, . . . , N′n} modulo the equational theory of Σ. □

A.2 Convergent theories

Lemma 6 The signature Σ′ built by Algorithm 1 models Σ.

Proof Properties S1 and S3 are obvious.

Let us prove Property S2. Assume that nfS,Σ(M). Let M′ = M↓. Then Σ ⊢ M = M′ and M′ is irreducible by S. Let N1 and N2 be two subterms of M ∪ {M′} such that Σ ⊢ N1 = N2, that is, N1↓ = N2↓. Moreover, N1 and N2 are in normal form relatively to S, so N1 = N2. Hence nfS,Σ(M ∪ {M′}).

Finally, we prove Property S4. When M = f(M1, . . . , Mn), we let M↓s = f(M1↓, . . . , Mn↓) be the term obtained by reducing to normal form the strict subterms of M. We first note a few elementary properties of the algorithm:

P1. If N → N′ is in S, then there is N1 → N′1 in E such that T[σN1] = N↓s and T[σN′1] = N′↓ for some σ and T. (This is true at the beginning of an execution of the algorithm, and remains true during the execution, since a rule N1 → N′1 is removed from E only when there is another rule N2 → N′2 such that N1 = T[σN2] and N′1 = T[σN′2] for some σ and T.)

P2. If N is reducible by a rule in E, then it is also reducible by a rule in S. (This is true at the beginning of an execution of the algorithm and remains true during the execution.)

P3. If N → N′ is in E, then N is not a variable, and all variables of N′ occur in N. (This is true at the beginning of an execution of the algorithm and remains true during the execution.)

P4. At the end of the algorithm, if N1 → N′1 and N2 → N′2 in E are such that N′1 = T[N′′1], N′′1 is not a variable, and σu is the most general unifier of N′′1 and N2, then there exist N3 → N′3 in E, T′, and σ such that T′[σN3] = (σuN1)↓s and T′[σN′3] = σuT[σuN′2]↓. (This simply expresses that the fixpoint is reached: the rule (σuN1)↓s → σuT[σuN′2]↓ has been added to E.)

We show the following two properties, P5(n) for n > 0 and P6(n) for n ≥ 0:

P5(n). If the longest reduction of M by S is of length n and M = M↓s, then there exist N → N′ in E and σ such that M = σN and M↓ = σN′.

P6(n). If the longest reduction of σN′1 by S is of length n, M = σN1 →∗S σN′1, M = M↓s, and N1 → N′1 is in E, then there exist N2 → N′2 in E and σ′ such that M = σ′N2 →∗S σ′N′2 = M↓.

The proof is by induction on n.

• Proof of P5(n) (n > 0).

Since M = M↓s, the strict subterms of M are irreducible, so the first application of a rewrite rule in any reduction of M must touch the root function symbol of M. Let N → N′ be this rewrite rule. There exists σ1 such that M = σ1N. Since N → N′ is in S, by P1, there is N1 → N′1 in E such that T[σ2N1] = N↓s and T[σ2N′1] = N′↓ for some σ2 and T. Since the strict subterms of σ1N are irreducible by S, the strict subterms of N are also irreducible by S, hence N↓s = N. Furthermore, T = [ ], since otherwise a strict subterm of N would be reducible by N1 → N′1 in E, so using P2, it would also be reducible by S. Hence σ1σ2N1 = σ1N = M and σ1σ2N′1 = σ1(N′↓). Let σ = σ1σ2. Then M = σN1 →+S σN′1.

By P6(n′) where n′ is the length of the longest reduction of σN′1 (n′ < n), there exist N2 → N′2 in E and σ′ such that M = σ′N2 →∗S σ′N′2 = M↓, which is P5(n).

• Proof of P6(n), n = 0, σN′1 is irreducible by S. Then σN′1 = M↓ and we have P6(0) by taking σ′ = σ, N2 = N1, and N′2 = N′1.

• Proof of P6(n), n > 0, σN ′1 is reducible by S.

Let us consider a minimal subterm of σN′1 which is reducible by S, that is, a subterm of σN′1 reducible by S but such that all its strict subterms are irreducible by S. Such a term is of the form σN′3, where N′3 is a non-variable subterm of N′1. (Indeed, all terms σx and their subterms are irreducible by S, since they are strict subterms of M and M = M↓s.)

The longest reduction of σN′3 is at most as long as the one of σN′1, so by P5, there exist N4 → N′4 in E and σ′′ such that σN′3 = σ′′N4 and (σN′3)↓ = σ′′N′4. Thus we have M = σN1 →∗S σN′1 = σT[σN′3] = σT[σ′′N4] →+S σT[σ′′N′4] = σT[(σN′3)↓].

The rewrite rules N1 → N′1 and N4 → N′4 have a critical pair, that is, N′1 = T[N′3], N′3 is not a variable, and N′3 and N4 unify, with most general unifier σu. By P4, there is N5 → N′5 in E such that T′[σ5N5] = (σuN1)↓s and T′[σ5N′5] = σuT[σuN′4]↓ for some T′ and σ5. Moreover, σuN1 is more general than σN1, so the strict subterms of σuN1 are irreducible, since the strict subterms of σN1 are. So (σuN1)↓s = σuN1. Furthermore T′ = [ ], since otherwise a strict subterm of σuN1 would be reducible by E, so using P2, it would also be reducible by S. Hence σ5N5 = σuN1 and σ5N′5 = σuT[σuN′4]↓.

Then M = σ1N5 →∗S σ1N′5 for some σ1. Moreover, σN′1 = σT[σ′′N4] →+S σT[σ′′N′4] →∗S σ1N′5, so the longest reduction of σ1N′5 is strictly shorter than the longest reduction of σN′1, hence by P6 applied to σ1N′5, there exist σ′ and N2 → N′2 in E such that M = σ′N2 →∗S σ′N′2 = M↓. This yields P6 for σN′1.

We now turn to the proof of Property S4 itself. Assume $\Sigma \vdash f(M_1, \ldots, M_n) = M$ and $\mathrm{nf}_{S,\Sigma}(\{M, M_1, \ldots, M_n\})$. We show that there exist $f(N_1, \ldots, N_n) \to N$ in $\mathrm{def}_{\Sigma'}(f)$ and $\sigma$ such that $M = \sigma N$ and $M_i = \sigma N_i$. Since $M$ is irreducible, we have $M = f(M_1, \ldots, M_n){\downarrow}$.

• If $f(M_1, \ldots, M_n)$ is irreducible by $S$, then $f(M_1, \ldots, M_n) = M$ and we have the result using the rule $f(x_1, \ldots, x_n) \to f(x_1, \ldots, x_n)$ always in $\mathrm{def}_{\Sigma'}(f)$.

• Otherwise, we have $f(M_1, \ldots, M_n){\downarrow}_s = f(M_1, \ldots, M_n)$ since $M_i$ is irreducible for all $i \in \{1, \ldots, n\}$. Property P5 for the term $f(M_1, \ldots, M_n)$ yields the desired result, since every rule $f(N_1, \ldots, N_n) \to N'$ of $E$ is in $\mathrm{def}_{\Sigma'}(f)$. $\square$

We say that $S$ is a convergent subterm system when $S$ is convergent and all its rewrite rules are of the form $M \to N$ where $N$ is either a strict subterm of $M$ or a closed term in normal form with respect to $S$ [5, 12].

Lemma 7 When $S$ is a convergent subterm rewriting system, Algorithm 1 terminates and the final value of $E$ is $\mathrm{normalize}(S)$.

Proof Let $S$ be a convergent subterm system, with $\Sigma$ the associated equational theory. Let $E_1$ be obtained by replacing each rule $f(M_1, \ldots, M_n) \to N$ of $S$ with $f(M_1{\downarrow}, \ldots, M_n{\downarrow}) \to N{\downarrow}$ and removing rules of the form $M \to M$. Let $E_2 = \mathrm{normalize}(S)$. We first show:

P1. If $M \neq N$, $\Sigma \vdash M = N$, and $N$ and the strict subterms of $M$ are in normal form, then there exist $M_1 \to N_1$ in $E_2$ and $\sigma$ such that $M = \sigma M_1$ and $N = \sigma N_1$.


244 Bruno Blanchet, Martín Abadi, and Cédric Fournet

Since $\Sigma \vdash M = N$, we have $M{\downarrow} = N{\downarrow}$. The term $N$ is in normal form, so $M{\downarrow} = N$, so $M \to^*_S N$. Since $M \neq N$, $M \to_S M' \to^*_S N$. Since the strict subterms of $M$ are in normal form, there are a rewrite rule $M_1 \to M'_1$ of $S$ and a substitution $\sigma$ such that $M = \sigma M_1$ and $M' = \sigma M'_1$. If $M'_1$ is a strict subterm of $M_1$, $M'$ is a strict subterm of $M$, so $M'$ is in normal form, hence $M' = N$. If $M'_1$ is a closed term in normal form, $M' = M'_1$ is in normal form, so we also have $M' = N$.

Moreover, $M'_1$ and the strict subterms of $M_1$ are in normal form since $M'$ and the strict subterms of $M$ are. So the rewrite rule $M_1 \to N_1$ is preserved by the transformation of $S$ into $E_1$, so $M_1 \to N_1$ is in $E_1$. Finally, if $M_1 \to N_1$ is removed when transforming $E_1$ into $E_2$, there are another rule $M'_1 \to N'_1$ in $E_2$ and a substitution $\sigma'$ such that $M_1 = \sigma' M'_1$ and $N_1 = \sigma' N'_1$, so Property P1 holds in any case.

Let $M_0 \to N_0$ be a rewrite rule added by Algorithm 1. We show that $E_2 = \mathrm{normalize}(E_2 \cup \{M_0 \to N_0\})$. Let $E_3$ be obtained by replacing each rule $f(M_1, \ldots, M_n) \to N$ of $E_2 \cup \{M_0 \to N_0\}$ with $f(M_1{\downarrow}, \ldots, M_n{\downarrow}) \to N{\downarrow}$ and removing rules of the form $M \to M$. Since $E_2$ has already been normalized, when we transform $E_2 \cup \{M_0 \to N_0\}$ into $E_3$, only $M_0 \to N_0$ is transformed, into a rule $M \to N$. If $M = N$, the rule $M \to N$ is removed, so we immediately have $E_2 = \mathrm{normalize}(E_2 \cup \{M_0 \to N_0\})$. Otherwise, by Property P1, there exist $M_1 \to N_1$ in $E_2$ (so in $E_3$) and $\sigma$ such that $M = \sigma M_1$ and $N = \sigma N_1$. Hence $M_0 \to N_0$ is removed by the last step of $\mathrm{normalize}$, so $E_2 = \mathrm{normalize}(E_2 \cup \{M_0 \to N_0\})$. We conclude that the fixpoint is reached before iterating, and it is $E_2$. $\square$
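As an added illustration of the objects Lemma 7 reasons about (this is example code written for this page, not ProVerif's implementation), the following Python snippet builds a small term-rewriting engine over a constructed convergent subterm system S (the usual dec/enc, fst/snd and check/sign rules, with one closed right-hand side), computes normal forms $M{\downarrow}$, and implements the normalize transformation: normalise the strict subterms of each left-hand side and the right-hand side, drop trivial rules $M \to M$, then drop any rule that is an instance of another rule. It then checks the fixpoint claim of the proof: adding a rule that is a consequence of S and re-normalising leaves $\mathrm{normalize}(S)$ unchanged. Term encoding, rule names and the extra rule are all assumptions of the example.

```python
# Added example for this page (not ProVerif's own code): a small term-rewriting
# engine for a convergent subterm system S and the normalize(S) transformation
# that Lemma 7 reasons about.  Terms are nested tuples ('f', arg1, ...);
# variables are plain strings; constants are 0-ary tuples such as ('k',).

# Constructed subterm-convergent system S: each right-hand side is either a
# strict subterm of the left-hand side or a closed term in normal form.
S = [
    (('dec', ('enc', 'x', 'k'), 'k'), 'x'),                 # dec(enc(x,k),k) -> x
    (('fst', ('pair', 'x', 'y')), 'x'),                     # fst(pair(x,y))  -> x
    (('snd', ('pair', 'x', 'y')), 'y'),                     # snd(pair(x,y))  -> y
    (('check', ('sign', 'x', 'k'), ('pk', 'k')), ('ok',)),  # closed rhs 'ok'
]


def is_var(t):
    return isinstance(t, str)


def match(pattern, term, subst=None):
    """Syntactic matching: a substitution s with s(pattern) == term, else None."""
    subst = {} if subst is None else subst
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        subst[pattern] = term
        return subst
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst


def apply(subst, term):
    if is_var(term):
        return subst.get(term, term)
    return (term[0],) + tuple(apply(subst, a) for a in term[1:])


def rewrite_root(term, rules):
    """One rewrite step at the root of `term`, or None if no rule applies there."""
    for lhs, rhs in rules:
        s = match(lhs, term)
        if s is not None:
            return apply(s, rhs)
    return None


def normal_form(term, rules):
    """M-downarrow: innermost normalisation (terminates since S is convergent)."""
    if is_var(term):
        return term
    term = (term[0],) + tuple(normal_form(a, rules) for a in term[1:])
    r = rewrite_root(term, rules)
    return term if r is None else normal_form(r, rules)


def is_instance(rule, other):
    """rule == sigma(other) for a single substitution sigma on lhs and rhs."""
    s = match(other[0], rule[0])
    return s is not None and match(other[1], rule[1], s) is not None


def normalize(rules, system=None):
    """normalize(rules) as used in Lemma 7, with normal forms taken w.r.t.
    `system` (the convergent S; defaults to `rules`): replace f(M1,...,Mn) -> N
    with f(M1-down,...,Mn-down) -> N-down, drop rules M -> M, then drop every
    rule that is an instance of another kept (equivalent or more general) rule."""
    system = rules if system is None else system
    step1 = []
    for lhs, rhs in rules:
        lhs2 = (lhs[0],) + tuple(normal_form(a, system) for a in lhs[1:])
        rhs2 = normal_form(rhs, system)
        if lhs2 != rhs2 and (lhs2, rhs2) not in step1:
            step1.append((lhs2, rhs2))
    kept = []
    for i, r in enumerate(step1):
        covered = any(is_instance(r, o) for o in kept) or any(
            is_instance(r, o) and not is_instance(o, r) for o in step1[i + 1:])
        if not covered:
            kept.append(r)
    return kept


if __name__ == "__main__":
    m, n, k = ('m',), ('n',), ('k',)
    print(normal_form(('snd', ('pair', ('fst', ('pair', m, n)),
                                       ('dec', ('enc', n, k), k))), S))
    # A consequence of S written as an extra rule (constructed): once its
    # strict subterms are normalised it is a variant of the fst rule, so
    # normalize leaves S unchanged, as the proof of Lemma 7 argues.
    derived = (('fst', ('pair', ('dec', ('enc', 'a', 'b'), 'b'), 'c')), 'a')
    print(normalize(S + [derived], S) == S)
```

The instance check is one-way matching, so a rule is dropped only when some other rule is at least as general; two variants of the same rule keep the first one. Normal forms are always computed with respect to the convergent system S, as the $\downarrow$ in the proof is, even when the rule set being normalised is larger.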

A.3 Linear theories

Lemma 8 The signature Σ′ built by Algorithm 2 models Σ.

Proof Property S1 is obvious. Property S2 follows from Lemma 5. Property S3 follows from the invariant that, if $M \to M'$ is in $E$, then $\Sigma \vdash M = M'$. Next, we prove Property S4. We first note a few elementary properties of the algorithm:

P1. If $N = N'$ or $N' = N$ is an equation of $\Sigma$, then there is $N_1 \to N'_1$ in $E$ such that $T[\sigma N_1] = N$ and $T[\sigma N'_1] = N'$ for some $\sigma$ and $T$. (This is true at the beginning of an execution of the algorithm, and remains true during the execution, since a rule $N_1 \to N'_1$ is removed from $E$ only when there is another rule $N_2 \to N'_2$ in $E$ such that $N_1 = T[\sigma N_2]$ and $N'_1 = T[\sigma N'_2]$ for some $\sigma$ and $T$.)

P2. At the end of the algorithm, if $N_1 \to N'_1$ and $N_2 \to N'_2$ in $E$ are such that $N'_1 = T[N''_1]$, $N''_1$ and $N_2$ are not variables, and $\sigma_u$ is the most general unifier of $N''_1$ and $N_2$, then there exist $N_3 \to N'_3$ in $E$, $T'$, and $\sigma$ such that $T'[\sigma N_3] = \sigma_u N_1$ and $T'[\sigma N'_3] = \sigma_u T[\sigma_u N'_2]$. (This simply expresses that the fixpoint is reached: the rule $(\sigma_u N_1) \to \sigma_u T[\sigma_u N'_2]$ has been added to $E$.)

Similarly, if $N_1 \to N'_1$ and $N_2 \to N'_2$ in $E$ are such that $N_2 = T[N''_2]$, $N'_1$ and $N''_2$ are not variables, and $\sigma_u$ is the most general unifier of $N'_1$ and $N''_2$, then there exist $N_3 \to N'_3$ in $E$, $T'$, and $\sigma$ such that $T'[\sigma N_3] = \sigma_u T[\sigma_u N_1]$ and $T'[\sigma N'_3] = \sigma_u N'_2$.

Let us now prove a few more properties:

P3. For all $M, M'$, if $\Sigma \vdash M = M'$ then $M \to^*_E M'$.

Assume that $\Sigma \vdash M = M'$ comes from one equation of $\Sigma$. Then there are $N = N'$ in $\Sigma$, $T$, and $\sigma$ such that $M = T[\sigma N]$ and $M' = T[\sigma N']$. Hence, by P1, there are $N_1 \to N'_1$ in $E$, $T'$, and $\sigma'$ such that $N = T'[\sigma' N_1]$ and $N' = T'[\sigma' N'_1]$. So $M = T[(\sigma T')[\sigma\sigma' N_1]] \to_E T[(\sigma T')[\sigma\sigma' N'_1]] = M'$. The property stated above follows immediately.

P4. If $M_1 \to_E M_2 \to_E M_3$ using two rules $M \to N$ and $M' \to N'$ of $E$ such that neither $N$ nor $M'$ are variables, $M_1 = T_1[\sigma_1 M]$, $M_2 = T_1[\sigma_1 N] = T_2[\sigma_2 M']$, and $M_3 = T_2[\sigma_2 N']$ for some contexts $T_1$ and $T_2$ and substitutions $\sigma_1$ and $\sigma_2$, then

• either $M_1 \to_E M_3$ in a single step;

• or the rules commute: $M_1 \to_E M'_2 \to_E M_3$ where $M_1 \to_E M'_2$ comes from $M' \to N'$ and $M'_2 \to_E M_3$ comes from $M \to N$.

We prove the property by case analysis on T1 and T2:

(1) The occurrences of the holes of $T_1$ and $T_2$ are not nested: there exists $T''$ such that $T_1 = T''[[\,], \sigma_2 M']$ and $T_2 = T''[\sigma_1 N, [\,]]$. So $M_1 = T''[\sigma_1 M, \sigma_2 M']$, $M_2 = T''[\sigma_1 N, \sigma_2 M']$, and $M_3 = T''[\sigma_1 N, \sigma_2 N']$. Then the rules commute: $M_1 = T''[\sigma_1 M, \sigma_2 M'] \to_E M'_2 = T''[\sigma_1 M, \sigma_2 N'] \to_E M_3 = T''[\sigma_1 N, \sigma_2 N']$.

(2) The occurrence of the hole of $T_1$ is inside the one of $T_2$: $T_1 = T_2[T']$. We distinguish two subcases:

(2a) $T'$ is an instance of $M'$: $T' = \sigma_3 M'$. So we have $M_1 = T_2[(\sigma_3 M')[\sigma_1 M]]$, $M_2 = T_2[(\sigma_3 M')[\sigma_1 N]]$, and $M_3 = T_2[(\sigma_3 N')[\sigma_1 N]]$. The linearity of $N'$ guarantees that $\sigma_3 N'$ contains at most one hole, since $\sigma_3 M'$ contains one hole.

If $\sigma_3 N'$ contains no hole (that is, the variable $x$ of $M'$ such that $\sigma_3 x$ contains a hole does not occur in $N'$), then $M_1 = T_2[(\sigma_3 M')[\sigma_1 M]] \to_E M_3 = T_2[(\sigma_3 N')]$ by $M' \to_E N'$.

If $\sigma_3 N'$ contains exactly one hole, the rules commute: $M_1 = T_2[(\sigma_3 M')[\sigma_1 M]] \to_E M'_2 = T_2[(\sigma_3 N')[\sigma_1 M]] \to_E M_3 = T_2[(\sigma_3 N')[\sigma_1 N]]$.

(2b) $T'$ is not an instance of $M'$. Since $T'[\sigma_1 N] = \sigma_2 M'$ and $M'$ is linear, the hole of $T'$ occurs at a non-variable position in $M'$, so $N$ and $M'$ form a critical pair and, by Property P2, $E$ contains a rule that corresponds to the application of both rewrite rules $M \to N$ and $M' \to N'$.

(3) The occurrence of the hole of $T_2$ is inside the one of $T_1$: $T_2 = T_1[T']$. The proof is similar to the one for case (2).

Let $\Sigma \vdash f(M_1, \ldots, M_n) = M$ with $\mathrm{nf}_{S,\Sigma}(\{M, M_1, \ldots, M_n\})$. We show that there exist $f(N_1, \ldots, N_n) \to N$ in $\mathrm{def}_{\Sigma'}(f)$ and $\sigma$ such that $M = \sigma N$ and $M_i = \sigma N_i$ for all $i \in \{1, \ldots, n\}$.

Since $\Sigma \vdash f(M_1, \ldots, M_n) = M$, we have $f(M_1, \ldots, M_n) \to^*_E M$ by P3. Consider a shortest sequence such that $f(M_1, \ldots, M_n) \to^*_E M$.

• In this sequence, consecutive rewrite rules always commute, because otherwise we would obtain a shorter sequence by P4.

• If this sequence uses a rule $x \to M'$ in $E$, consider the last such rule. It commutes with the rule that immediately follows. So we obtain a sequence in which $x \to M'$ is applied last. This is impossible since $\mathrm{nf}_{S,\Sigma}(\{M\})$. From now on, we consider a sequence that does not use any rewrite rule of the form $x \to M'$.

• If this sequence uses no rewrite rule applied with empty context, then $M = f(M'_1, \ldots, M'_n)$ and $M_i \to^*_E M'_i$, so $\Sigma \vdash M_i = M'_i$. Since $\mathrm{nf}_{S,\Sigma}(\{M_1, \ldots, M_n, M\})$, $M_i = M'_i$, so $M = f(M_1, \ldots, M_n)$. Then $f(x_1, \ldots, x_n) \to f(x_1, \ldots, x_n)$ in $\mathrm{def}_{\Sigma'}(f)$ and $\sigma x_i = M_i$ yields the desired result.

• If this sequence uses at least one rewrite rule applied with empty context, let $f(N_1, \ldots, N_n) \to N$ be the first such rule.

If the sequence uses a rule $M' \to x$ in $E$ before $f(N_1, \ldots, N_n) \to N$, then this rule is applied with non-empty context (because otherwise $f(N_1, \ldots, N_n) \to N$ would not be the first rule with empty context). Consider the first such rule. This rule commutes with the rule just before it. Moreover, after commutation, $M' \to x$ is still applied with non-empty context. (The only case that would make the context disappear is when the rewrite rule before was $y \to M''$, but this case cannot occur as shown above.) So we obtain a sequence in which $M' \to x$ is applied first, and with non-empty context. This is impossible since $\mathrm{nf}_{S,\Sigma}(\{M_1, \ldots, M_n\})$. So we consider a sequence not using rules of the form $M' \to x$ before $f(N_1, \ldots, N_n) \to N$.

The rule $f(N_1, \ldots, N_n) \to N$ commutes with the rule just before it. The rule $f(N_1, \ldots, N_n) \to N$ is still applied with an empty context after commutation. So we can obtain a sequence in which $f(N_1, \ldots, N_n) \to N$ is applied first. All rewrite rules after the first one are applied with a context that is an instance of $N$ (because otherwise $N$ is not a variable and the first rule applied with a context that is not an instance of $N$ can be commuted with other rewrite rules so that it occurs just after $f(N_1, \ldots, N_n) \to N$, so it has a critical pair with $f(N_1, \ldots, N_n) \to N$, so we could obtain a shorter sequence by P2). So $M = \sigma' N$ for some $\sigma'$. Furthermore $f(M_1, \ldots, M_n) = f(\sigma N_1, \ldots, \sigma N_n) \to_E \sigma N \to^*_E M = \sigma' N$ for some $\sigma$. Then for all $x \in \mathrm{fv}(N)$, $\sigma x \to^*_E \sigma' x$, so for all $x \in \mathrm{fv}(N)$, $\Sigma \vdash \sigma x = \sigma' x$. Moreover, $\mathrm{nf}_{S,\Sigma}(M_1, \ldots, M_n, M)$, so $\sigma x = \sigma' x$, and $M = \sigma N$, which yields the result. $\square$

A.4 Union of disjoint equational theories

Let $\Sigma$ be a signature such that its set of function symbols can be partitioned into $F_1 \cup F_2$ and its set of equations can be partitioned into $E'_1 \cup E'_2$, where $E'_1$ contains only function symbols in $F_1$ and $E'_2$ in $F_2$. Let $\Sigma_1$ be the signature obtained by considering only the equations $E'_1$, and $\Sigma_2$ only the equations $E'_2$.

Lemma 9 If $\Sigma \vdash f(M_1, \ldots, M_n) = M$, $\mathrm{nf}_{\emptyset,\Sigma}(\{M, M_1, \ldots, M_n\})$, and $f \in F_i$ ($i = 1$ or $2$) then $\Sigma_i \vdash f(M_1, \ldots, M_n) = M$.

Proof To prove this result, we use the decision algorithm for the word problem in a union of disjoint equational theories, by Baader and Tinelli [11, Section 4]. We use the notations of [11], and we refer the reader to that paper for details.

Assume $i = 1$. (The case $i = 2$ is symmetric.) Let us start with $S_0 = \{x_0 \not\equiv y_0,\ x_0 \equiv f(M_1, \ldots, M_n),\ y_0 \equiv M\}$. Since $\Sigma \vdash f(M_1, \ldots, M_n) = M$, by completeness of their algorithm, their algorithm terminates with $S = \{v \not\equiv v\} \cup T$.

Let $S$ be a set of equations and disequations, such that all equations of $S$ are of the form $v \equiv M$, if $v \equiv M$ and $v \equiv N$ are in $S$ then $M = N$, and $\prec$ is acyclic on $S$. Let us define a substitution $\sigma$ by $\sigma v = M$ when $(v \equiv M) \in S$. Since $\prec$ is acyclic on $S$, we can define $\sigma^*$ as the substitution obtained by composing $\sigma$ with itself as many times as needed so that terms do not change any more. Let $\mathrm{rec}_S(v) = \sigma^* v$.

If we apply the rules of the algorithm according to a suitable strategy (made explicit below), we can show that the algorithm preserves the following invariant:

P1. There is no equation $v \equiv M'$ in $S_j$ such that $(v \equiv M') \prec (x_0 \equiv M'')$.

P2. If $j > 0$, then for all $v \neq x_0$ such that $v$ occurs in $S_{j-1}$ and $S_j$, we have $\mathrm{rec}_{S_{j-1}}(v) = \mathrm{rec}_{S_j}(v)$.

P3. For all $v \neq x_0$ such that $v$ occurs in $S_j$, $\mathrm{rec}_{S_j}(v)$ is a subterm of $M_1, \ldots, M_n, M$ (so if $v, v' \neq x_0$ occur in $S_j$ and $\Sigma \vdash \mathrm{rec}_{S_j}(v) = \mathrm{rec}_{S_j}(v')$, then $\mathrm{rec}_{S_j}(v) = \mathrm{rec}_{S_j}(v')$, since $\mathrm{nf}_{\emptyset,\Sigma}(\{M, M_1, \ldots, M_n\})$).

P4. If $j > 0$ and $x_0 \equiv M'' \in S_j$, then $\Sigma_1 \vdash \mathrm{rec}_{S_{j-1}}(x_0) = \mathrm{rec}_{S_j}(x_0)$.

P5. When $x_0 \equiv M'' \in S_j$, $M''$ is a non-variable 1-term.

P6. If $j > 0$, $u \not\equiv u' \in S_{j-1}$, and $v \not\equiv v' \in S_j$, then $\Sigma_1 \vdash \mathrm{rec}_{S_{j-1}}(u) = \mathrm{rec}_{S_j}(v)$ and $\Sigma_1 \vdash \mathrm{rec}_{S_{j-1}}(u') = \mathrm{rec}_{S_j}(v')$.

During the first stage (construction of the abstraction system), these properties are obvious. We even have $\mathrm{rec}_{S_{j-1}}(v) = \mathrm{rec}_{S_j}(v)$ for all $v$ that occur in $S_{j-1}$, and the disequation $x_0 \not\equiv y_0$ is not changed.

During the second stage (application of Coll1, Coll2, Ident, Simpl), we do not apply Simpl since the authors remark that it is not necessary. We show that if $S_{j-1}$ is transformed into $S_j$ by Coll1, Coll2, or Ident, and $S_{j-1}$ satisfies the invariant, then so does $S_j$.

• For Coll1 and Coll2 with $x \neq x_0$, $\Sigma_i \vdash y = t$, so $\Sigma \vdash \mathrm{rec}_{S_{j-1}}(x) = \mathrm{rec}_{S_{j-1}}(y)$, so by P3, $\mathrm{rec}_{S_{j-1}}(x) = \mathrm{rec}_{S_{j-1}}(y)$, so $y = t$. Then for all $v$ that occur in $S_j$, $\mathrm{rec}_{S_{j-1}}(v) = \mathrm{rec}_{S_j}(v)$, so we have P2 and P4 for $S_j$. P3 holds for $S_j$ since P2 holds for $S_j$ and P3 holds for $S_{j-1}$. We have $\mathrm{rec}_{S_{j-1}}(x) = \mathrm{rec}_{S_{j-1}}(y) = \mathrm{rec}_{S_j}(y)$, so P6 follows. P1 and P5 are easy to show.

• For Coll1 with $x = x_0$, $\Sigma_1 \vdash y = t$, and $T\{r/x_0\} = T$ since $x_0$ does not occur in the right-hand side of equalities by P1. So for all $v$ that occur in $S_j$ (that is, all $v$ that occur in $S_{j-1}$ except $x_0$), $\mathrm{rec}_{S_{j-1}}(v) = \mathrm{rec}_{S_j}(v)$, so we have P2 for $S_j$; P3 follows. P4 and P5 hold since $S_j$ contains no equation of the form $x_0 \equiv M''$. Since $\Sigma \vdash y = t$, we have $\Sigma_1 \vdash \mathrm{rec}_{S_{j-1}}(x_0) = \mathrm{rec}_{S_{j-1}}(y) = \mathrm{rec}_{S_j}(y)$, so P6 follows. P1 is easy to show.

• For Coll2 with $x = x_0$, $\Sigma_1 \vdash y = t$, and $T$ is replaced with $T\{y/x_0\}$, which modifies only the disequation, since $x_0$ does not occur in the right-hand side of equalities by P1. We conclude as in the previous case.

• For Ident, we never apply Ident with $y = x_0$; when Ident would be applicable with $y = x_0$, we apply instead Ident with $x = x_0$ (which is possible by P1).

If we apply Ident with $x, y \neq x_0$, then $\Sigma_i \vdash s = t$, so $\Sigma \vdash \mathrm{rec}_{S_{j-1}}(x) = \mathrm{rec}_{S_{j-1}}(y)$, so by P3, $\mathrm{rec}_{S_{j-1}}(x) = \mathrm{rec}_{S_{j-1}}(y)$, so $s = t$. Then, for all $v$ that occur in $S_j$, $\mathrm{rec}_{S_{j-1}}(v) = \mathrm{rec}_{S_j}(v)$, so we have P2 and P4; P3 follows. We have $\mathrm{rec}_{S_{j-1}}(x) = \mathrm{rec}_{S_{j-1}}(y) = \mathrm{rec}_{S_j}(y)$, so P6 follows. P1 and P5 are easy to show.

If we apply Ident with $x = x_0$, $y \neq x_0$, then $\Sigma_1 \vdash s = t$. $x_0$ does not occur in the right-hand side of equalities by P1. So replacing $x_0$ with $y$ in $T$ changes only the disequation. Then for all $v$ that occur in $S_j$, $\mathrm{rec}_{S_{j-1}}(v) = \mathrm{rec}_{S_j}(v)$, so we have P2 and P4; P3 follows. Since $\Sigma_1 \vdash s = t$, we have $\Sigma \vdash \mathrm{rec}_{S_{j-1}}(x_0) = \mathrm{rec}_{S_{j-1}}(y) = \mathrm{rec}_{S_j}(y)$, so P6 follows. P1 and P5 are easy to show.

Since, in the end, $S$ contains $v \not\equiv v$, by P6, we have $\Sigma_1 \vdash \mathrm{rec}_{S_0}(x_0) = \mathrm{rec}_S(v)$ and $\Sigma_1 \vdash \mathrm{rec}_{S_0}(y_0) = \mathrm{rec}_S(v)$ which implies $\Sigma_1 \vdash f(M_1, \ldots, M_n) = M$. $\square$

This result can be used to prove the correctness of Algorithm 3.

Lemma 10 The signature Σ′ built by Algorithm 3 models Σ.

Proof The set of function symbols of $\Sigma$ can be partitioned into $F_1 \cup F_2$, where $E_{\mathit{conv}}$ contains only function symbols in $F_1$ and $E_{\mathit{lin}}$ in $F_2$. Let $\Sigma_1$ be the signature obtained by considering only equations $E_{\mathit{conv}}$, and $\Sigma_2$ only $E_{\mathit{lin}}$.

Because of the particular way in which we prove that subsets $E_i$ are convergent, we have that their union $E_{\mathit{conv}}$ is also convergent, so we can apply Algorithm 1 to $E_{\mathit{conv}}$. (When we prove termination of each $E_i$ via a lexicographic path ordering, we order the function symbols of $E_i$. We order the function symbols of $E_{\mathit{conv}}$ by the union of these orderings. Then the corresponding lexicographic path ordering shows the termination of $E_{\mathit{conv}}$. The confluence of $E_{\mathit{conv}}$ follows from the confluence of every $E_i$ by the critical-pair theorem.)

Properties S1 and S3 are obvious. We prove Property S2 by induction on M :

• Cases $M = a$ and $M = x$: Let $M' = M$; by Lemma 4, $\mathrm{nf}_{S,\Sigma}(\mathcal{M} \cup \{M\})$.

• Case $M = f(M_1, \ldots, M_n)$: By induction hypothesis, there exist $M'_1, \ldots, M'_n$ such that $\Sigma \vdash M_i = M'_i$ and $\mathrm{nf}_{S,\Sigma}(\mathcal{M} \cup \{M'_1, \ldots, M'_n\})$. (For $M_i$, we apply the induction hypothesis with $\mathcal{M} \cup \{M'_1, \ldots, M'_{i-1}\}$ instead of $\mathcal{M}$.)

Case 1: there exists a subterm $M'$ of $\mathcal{M} \cup \{M'_1, \ldots, M'_n\}$ such that $\Sigma \vdash f(M_1, \ldots, M_n) = M'$. Then $M'$ is irreducible by $S$ and $\mathrm{nf}_{S,\Sigma}(\mathcal{M} \cup \{M'\})$, so we have the result.

Case 2: there exists no subterm $M''$ of $\mathcal{M} \cup \{M'_1, \ldots, M'_n\}$ such that $\Sigma \vdash f(M_1, \ldots, M_n) = M''$.

Case 2.1: Assume $f \in F_2$. Let $M' = f(M'_1, \ldots, M'_n)$. We have $\Sigma \vdash f(M_1, \ldots, M_n) = M'$. Moreover, $M'$ is irreducible by $S$ since $M'_1, \ldots, M'_n$ are, $f \in F_2$, and no rewrite rule of $S$ contains a function symbol in $F_2$ or a variable in the left-hand side. Then $\mathrm{nf}_{S,\Sigma}(\mathcal{M} \cup \{M'\})$ since the subterms of $\mathcal{M} \cup \{M'\}$ are the subterms of $\mathcal{M} \cup \{M'_1, \ldots, M'_n\}$ and the term $M'$, $\mathrm{nf}_{S,\Sigma}(\mathcal{M} \cup \{M'_1, \ldots, M'_n\})$, and the new subterm $M'$ is different from any subterms of $\mathcal{M} \cup \{M'_1, \ldots, M'_n\}$ modulo the equational theory of $\Sigma$.

Case 2.2: Assume $f \in F_1$. Let $M' = f(M'_1, \ldots, M'_n){\downarrow}$. We have $\Sigma \vdash f(M_1, \ldots, M_n) = M'$. Moreover, $M'$ is irreducible by $S$ by definition. If $\mathrm{nf}_{S,\Sigma}(\mathcal{M} \cup \{M'\})$ was wrong, there would exist $N$ and $N'$ subterms of $\mathcal{M} \cup \{M'\}$ such that $\Sigma \vdash N = N'$ and $N \neq N'$. Let us choose such terms $N$ and $N'$ such that the pair $(\max(\mathrm{size}(N), \mathrm{size}(N')), \min(\mathrm{size}(N), \mathrm{size}(N')))$ ordered lexicographically is minimal. When $\mathrm{size}(N) < \mathrm{size}(N')$, we swap $N$ and $N'$, so that we always have $\mathrm{size}(N) \geq \mathrm{size}(N')$. Let $N = f'(N_1, \ldots, N_{n'})$. We have $\mathrm{nf}_{S,\Sigma}(N_1, \ldots, N_{n'}, N')$. (If $\mathrm{nf}_{S,\Sigma}(N_1, \ldots, N_{n'}, N')$ was not true, considering subterms of $N_1, \ldots, N_{n'}, N'$ that falsify $\mathrm{nf}_{S,\Sigma}(N_1, \ldots, N_{n'}, N')$ would yield a smaller counterexample.)

Notice that $\mathrm{nf}_{S,\Sigma}(N_1, \ldots, N_{n'}, N')$ implies $\mathrm{nf}_{\emptyset,\Sigma}(N_1, \ldots, N_{n'}, N')$, so we can apply Lemma 9.

If $f' \in F_1$, then $\Sigma_1 \vdash f'(N_1, \ldots, N_{n'}) = N'$ by Lemma 9. Hence $f'(N_1, \ldots, N_{n'}){\downarrow} = N'{\downarrow}$. The terms $N'$ and $f'(N_1, \ldots, N_{n'})$ are subterms of $\mathcal{M} \cup \{M'\}$, so they are irreducible by $S$, so $f'(N_1, \ldots, N_{n'}) = N'$. Hence, we have a contradiction.

If $f' \in F_2$, then $\Sigma_2 \vdash f'(N_1, \ldots, N_{n'}) = N'$ by Lemma 9. Since the reduction of $f(M'_1, \ldots, M'_n)$ into $M'$ modifies only the top-level context of $M'$ within $F_1$, all subterms of $\mathcal{M} \cup \{M'\}$ with root symbol in $F_2$ are also subterms of $\mathcal{M} \cup \{M'_1, \ldots, M'_n\}$, so they satisfy $\mathrm{nf}_{S,\Sigma}$. So the root symbol of $N'$ is in $F_1$. Let $N' = f''(N'_1, \ldots, N'_{n''})$, $f'' \in F_1$. If $\mathrm{nf}_{S,\Sigma}(N'_1, \ldots, N'_{n''}, N)$, we can apply the case $f' \in F_1$ above to $\Sigma \vdash f''(N'_1, \ldots, N'_{n''}) = N$. Otherwise, the counterexample to $\mathrm{nf}_{S,\Sigma}(N'_1, \ldots, N'_{n''}, N)$ is not smaller than $\Sigma \vdash N = N'$ since it is minimal, and $\mathrm{size}(N) \geq \mathrm{size}(N')$, so the counterexample to $\mathrm{nf}_{S,\Sigma}(N'_1, \ldots, N'_{n''}, N)$ consists of two subterms of $N$; this situation is impossible since $N = f'(N_1, \ldots, N_{n'})$ is a subterm of $\mathcal{M} \cup \{M'_1, \ldots, M'_n\}$, so all its subterms satisfy $\mathrm{nf}_{S,\Sigma}$.

Hence we have $\mathrm{nf}_{S,\Sigma}(\mathcal{M} \cup \{M'\})$.

Finally, we prove Property S4. Let $\Sigma \vdash f(M_1, \ldots, M_n) = M$ with $\mathrm{nf}_{S,\Sigma}(\{M, M_1, \ldots, M_n\})$. If $f \in F_i$ ($i = 1, 2$), then $\Sigma_i \vdash f(M_1, \ldots, M_n) = M$ by Lemma 9 (since $\mathrm{nf}_{S,\Sigma}(\mathcal{M}')$ implies $\mathrm{nf}_{\emptyset,\Sigma}(\mathcal{M}')$). If $i = 1$, we conclude by Property S4 for Algorithm 1. If $i = 2$, we conclude by Property S4 for Algorithm 2. $\square$

B Proofs of Lemmas 1 and 2

From this point on, we assume that $\Sigma'$ models $\Sigma$. We say that a term or a term evaluation is plain when it does not contain $\mathit{diff}$.


B.1 Preliminary lemmas

The following lemma shows the soundness of $D' \Downarrow' (M', \sigma')$ with respect to $D \Downarrow_{\Sigma'} M$.

Lemma 11 Let $\sigma$ be a closed substitution. Let $D$ be a plain term evaluation. If $\sigma D \Downarrow_{\Sigma'} M$, then there exist $M'$, $\sigma_1$, and $\sigma'_1$ such that $D \Downarrow' (M', \sigma_1)$, $M = \sigma'_1 M'$, and $\sigma = \sigma'_1\sigma_1$ except on fresh variables introduced in the computation of $D \Downarrow' (M', \sigma_1)$. Let $D_1, \ldots, D_n$ be plain term evaluations. If for all $i \in \{1, \ldots, n\}$, $\sigma D_i \Downarrow_{\Sigma'} M_i$, then there exist $M'_1, \ldots, M'_n$, $\sigma_1$, and $\sigma'_1$ such that $(D_1, \ldots, D_n) \Downarrow' ((M'_1, \ldots, M'_n), \sigma_1)$, $M_i = \sigma'_1 M'_i$ for all $i \in \{1, \ldots, n\}$, and $\sigma = \sigma'_1\sigma_1$ except on fresh variables introduced in the computation of $(D_1, \ldots, D_n) \Downarrow' ((M'_1, \ldots, M'_n), \sigma_1)$.

Proof The proof is by mutual induction following the definition of ⇓′.

• Case $D = M'$: Take $\sigma_1 = \em/ptyset$, $\sigma'_1 = \sigma$. Since $M = \sigma M'$, we have the result.

• Case $D = \mathit{eval}\ h(D_1, \ldots, D_n)$: Since $\mathit{eval}\ h(\sigma D_1, \ldots, \sigma D_n) \Downarrow_{\Sigma'} M$, there exist $h(N_1, \ldots, N_n) \to N$ in $\mathrm{def}_{\Sigma'}(h)$ and $\sigma_m$ such that $\sigma D_i \Downarrow_{\Sigma'} \sigma_m N_i$ and $M = \sigma_m N$.

By induction hypothesis, there exist $M'_i$, $\sigma_1$, and $\sigma'_1$ such that $(D_1, \ldots, D_n) \Downarrow' ((M'_1, \ldots, M'_n), \sigma_1)$, $\sigma_m N_i = \sigma'_1 M'_i$ for all $i \in \{1, \ldots, n\}$, and $\sigma = \sigma'_1\sigma_1$ except on fresh variables introduced in the computation of $(D_1, \ldots, D_n) \Downarrow' ((M'_1, \ldots, M'_n), \sigma_1)$.

Let $\sigma_u$ be the most general unifier of $M'_i$ and $N_i$ for $i \in \{1, \ldots, n\}$. (The substitution $\sigma_u$ exists since $\sigma_m N_i = \sigma'_1 M'_i$.) Then $\mathit{eval}\ h(D_1, \ldots, D_n) \Downarrow' (\sigma_u N, \sigma_u\sigma_1)$. The substitution that maps variables of $N_i, N$ as $\sigma_m$ and other variables as $\sigma'_1$ is a unifier of $M'_i$ and $N_i$, so there exists $\sigma''_1$ such that $\sigma_m = \sigma''_1\sigma_u$ on variables of $N_i, N$, and $\sigma'_1 = \sigma''_1\sigma_u$ on other variables.

Then $\sigma''_1\sigma_u N = \sigma_m N = M$ and $\sigma''_1\sigma_u\sigma_1 = \sigma'_1\sigma_1 = \sigma$ except on fresh variables introduced in the computation of $(D_1, \ldots, D_n) \Downarrow' ((M'_1, \ldots, M'_n), \sigma_1)$ and variables of $N_1, \ldots, N_n, N$, that is, fresh variables introduced in the computation of $D \Downarrow' (\sigma_u N, \sigma_u\sigma_1)$.

• Case $(D_1, \ldots, D_n)$: We have, for all $i$ in $\{1, \ldots, n\}$, $\sigma D_i \Downarrow_{\Sigma'} M_i$.

By induction hypothesis, there exist $M'_i$, $\sigma_1$, and $\sigma'_1$ such that $(D_1, \ldots, D_{n-1}) \Downarrow' ((M'_1, \ldots, M'_{n-1}), \sigma_1)$, $M_i = \sigma'_1 M'_i$ for all $i \in \{1, \ldots, n-1\}$, and $\sigma = \sigma'_1\sigma_1$ except on fresh variables introduced in the computation of $(D_1, \ldots, D_{n-1}) \Downarrow' ((M'_1, \ldots, M'_{n-1}), \sigma_1)$.

Then $\sigma D_n = \sigma'_1\sigma_1 D_n$, so $\sigma'_1(\sigma_1 D_n) \Downarrow_{\Sigma'} M_n$. So by induction hypothesis, there exist $M'_n$, $\sigma_2$, and $\sigma'_2$ such that $\sigma_1 D_n \Downarrow' (M'_n, \sigma_2)$, $M_n = \sigma'_2 M'_n$, and $\sigma'_1 = \sigma'_2\sigma_2$ except on fresh variables introduced in the computation of $\sigma_1 D_n \Downarrow' (M'_n, \sigma_2)$.

Hence $(D_1, \ldots, D_n) \Downarrow' ((\sigma_2 M'_1, \ldots, \sigma_2 M'_{n-1}, M'_n), \sigma_2\sigma_1)$, $M_i = \sigma'_1 M'_i = \sigma'_2(\sigma_2 M'_i)$ for all $i \in \{1, \ldots, n-1\}$, $M_n = \sigma'_2 M'_n$, and $\sigma = \sigma'_1\sigma_1 = \sigma'_2\sigma_2\sigma_1$ except on fresh variables introduced in the computation of $(D_1, \ldots, D_n) \Downarrow' ((\sigma_2 M'_1, \ldots, \sigma_2 M'_{n-1}, M'_n), \sigma_2\sigma_1)$. $\square$

Lemma 12 Let $\sigma$ be a closed substitution and $M$ a plain term. If $\Sigma \vdash M' = \sigma M$ and $\mathrm{nf}_{S,\Sigma}(\{M'\} \cup \{\sigma x \mid x \in \mathrm{fv}(M)\})$ then $\sigma\,\mathit{addeval}(M) \Downarrow_{\Sigma'} M'$.

Proof The proof is by induction on $M$.

• Case $M = x$: We have $\Sigma \vdash \sigma x = \sigma M = M'$. Since $\mathrm{nf}_{S,\Sigma}(\{\sigma x, M'\})$, $\sigma x = M'$. Moreover, $\sigma\,\mathit{addeval}(M) = \sigma x \Downarrow_{\Sigma'} \sigma x = M'$.

• Case $M = a$: Since $\Sigma \vdash M' = \sigma M$ and $\mathrm{nf}_{S,\Sigma}(\{M'\})$, we have $M' = a$ by Lemma 4, so $\sigma\,\mathit{addeval}(M) = a \Downarrow_{\Sigma'} a = M'$.


• Case $M = f(M_1, \ldots, M_n)$: We have $\Sigma \vdash M' = \sigma M = f(\sigma M_1, \ldots, \sigma M_n)$ and $\mathrm{nf}_{S,\Sigma}(\{M'\} \cup \{\sigma x \mid x \in \mathrm{fv}(M)\})$. By Property S2, there exist $M'_1, \ldots, M'_n$ such that $\Sigma \vdash \sigma M_i = M'_i$ and $\mathrm{nf}_{S,\Sigma}(\{M', M'_1, \ldots, M'_n\} \cup \{\sigma x \mid x \in \mathrm{fv}(M)\})$. By Property S4, there exist $f(N_1, \ldots, N_n) \to N$ in $\mathrm{def}_{\Sigma'}(f)$ and $\sigma'$ such that $M' = \sigma' N$ and $\sigma' N_i = M'_i$ for all $i \in \{1, \ldots, n\}$. By induction hypothesis, $\sigma\,\mathit{addeval}(M_i) \Downarrow_{\Sigma'} M'_i = \sigma' N_i$ for all $i \in \{1, \ldots, n\}$. By definition of $\Downarrow_{\Sigma'}$, $\sigma\,\mathit{addeval}(M) = \mathit{eval}\ f(\sigma\,\mathit{addeval}(M_1), \ldots, \sigma\,\mathit{addeval}(M_n)) \Downarrow_{\Sigma'} \sigma' N = M'$. $\square$

The following lemma shows the soundness of the rewrite rules of $h$ in $\Sigma'$ with respect to these rewrite rules in $\Sigma$. When $h$ is a destructor, this is proved using the previous two lemmas, and when $h$ is a constructor, this follows from the definition of "$\Sigma'$ models $\Sigma$". Lemma 14 extends this result to a term evaluation $D$ by induction on $D$.

Lemma 13 If $h(N_1, \ldots, N_n) \to N$ is in $\mathrm{def}_\Sigma(h)$, $\Sigma \vdash M_i = \sigma N_i$ for all $i \in \{1, \ldots, n\}$, $\Sigma \vdash M = \sigma N$, and $\mathrm{nf}_{S,\Sigma}(\{M_1, \ldots, M_n, M\})$, then there exist $h(N'_1, \ldots, N'_n) \to N'$ in $\mathrm{def}_{\Sigma'}(h)$ and $\sigma'$ such that $M_i = \sigma' N'_i$ for all $i \in \{1, \ldots, n\}$ and $M = \sigma' N'$.

Proof Case 1: $h$ is a constructor in $\Sigma$. We have $\Sigma \vdash M = h(M_1, \ldots, M_n)$. The result follows from Property S4.

Case 2: $h$ is a destructor in $\Sigma$. By Property S2, there exists $\sigma_0$ such that $\Sigma \vdash \sigma_0 x = \sigma x$ for all $x \in \mathrm{fv}(N_1, \ldots, N_n, N)$ and $\mathrm{nf}_{S,\Sigma}(\{M_1, \ldots, M_n, M\} \cup \{\sigma_0 x \mid x \in \mathrm{fv}(N_1, \ldots, N_n, N)\})$. So $\Sigma \vdash M = \sigma_0 N$ and $\Sigma \vdash M_i = \sigma_0 N_i$ for all $i \in \{1, \ldots, n\}$. By Lemma 12, $\sigma_0\,\mathit{addeval}(N) \Downarrow_{\Sigma'} M$ and $\sigma_0\,\mathit{addeval}(N_i) \Downarrow_{\Sigma'} M_i$ for all $i \in \{1, \ldots, n\}$. By Lemma 11, there exist $N'_1, \ldots, N'_n, N'$, $\sigma_1$, and $\sigma'$ such that $\mathit{addeval}(N_1, \ldots, N_n, N) \Downarrow' ((N'_1, \ldots, N'_n, N'), \sigma_1)$, $\sigma' N'_i = M_i$ for all $i \in \{1, \ldots, n\}$, and $\sigma' N' = M$. Then $h(N'_1, \ldots, N'_n) \to N'$ is in $\mathrm{def}_{\Sigma'}(h)$, $\sigma' N'_i = M_i$ for all $i \in \{1, \ldots, n\}$, and $\sigma' N' = M$. $\square$

Lemma 14 Let $D$ be a plain term evaluation. If $D \Downarrow_\Sigma M$, $\Sigma \vdash M' = M$, $\Sigma \vdash D' = D$, and $\mathrm{nf}_{S,\Sigma}(\{M', D'\})$, then $D' \Downarrow_{\Sigma'} M'$.

Proof The proof is by induction on D.

• Case $D = M$: We have $M \Downarrow_\Sigma M$, so $\Sigma \vdash D' = D = M = M'$ and $\mathrm{nf}_{S,\Sigma}(\{M', D'\})$ so $D' = M'$, and $D' \Downarrow_{\Sigma'} M'$.

• Case $D = \mathit{eval}\ h(D_1, \ldots, D_n)$: Since $D \Downarrow_\Sigma M$, we have that $h(N_1, \ldots, N_n) \to N$ is in $\mathrm{def}_\Sigma(h)$, $D_i \Downarrow_\Sigma M_i$ and $\Sigma \vdash \sigma N_i = M_i$ for all $i \in \{1, \ldots, n\}$, and $\sigma N = M$. So $\Sigma \vdash \sigma N = M'$. Since $\Sigma \vdash D' = D$, we have $D' = \mathit{eval}\ h(D'_1, \ldots, D'_n)$, with $\Sigma \vdash D'_i = D_i$ for all $i \in \{1, \ldots, n\}$. By Property S2, there exist $M'_1, \ldots, M'_n$ such that $\Sigma \vdash M_i = M'_i$ for all $i \in \{1, \ldots, n\}$ and $\mathrm{nf}_{S,\Sigma}(\{M', D', M'_1, \ldots, M'_n\})$. By induction hypothesis, $D'_i \Downarrow_{\Sigma'} M'_i$ for all $i \in \{1, \ldots, n\}$. By Lemma 13, there exist $h(N'_1, \ldots, N'_n) \to N'$ in $\mathrm{def}_{\Sigma'}(h)$ and $\sigma'$ such that $M' = \sigma' N'$ and $\sigma' N'_i = M'_i$ for all $i \in \{1, \ldots, n\}$. Then $D' \Downarrow_{\Sigma'} \sigma' N' = M'$. $\square$

We define the function $\mathit{removeeval}$ such that $\mathit{removeeval}(D) = M$ where $D$ is a term evaluation that contains no destructor, and $M$ is the term obtained by removing any $\mathit{eval}$ before the function symbols of $D$.

Lemma 15 Assume that $D$ is a plain term evaluation that contains no destructor. If $D \Downarrow' (M, \sigma)$ then $\Sigma \vdash \sigma\,\mathit{removeeval}(D) = M$.

Assume that $D_1, \ldots, D_n$ are plain term evaluations that contain no destructor. If $(D_1, \ldots, D_n) \Downarrow' ((M_1, \ldots, M_n), \sigma)$ then $\Sigma \vdash \sigma\,\mathit{removeeval}(D_i) = M_i$ for all $i \in \{1, \ldots, n\}$.

Proof The proof is by mutual induction following the definition of ⇓′.


• Case $D = M$: We have $\sigma = \emptyset$, so $\Sigma \vdash \sigma M = M$.

• Case $D = \mathit{eval}\ f(D_1, \ldots, D_n)$: We have $\mathit{eval}\ f(D_1, \ldots, D_n) \Downarrow' (\sigma_u N, \sigma_u\sigma)$ where $(D_1, \ldots, D_n) \Downarrow' ((M_1, \ldots, M_n), \sigma)$, $f$ is a constructor in $\Sigma$, $f(N_1, \ldots, N_n) \to N$ is in $\mathrm{def}_{\Sigma'}(f)$ (with new variables), and $\sigma_u$ is the most general unifier of $(M_1, N_1), \ldots, (M_n, N_n)$. Then by Property S3, $\Sigma \vdash f(N_1, \ldots, N_n) = N$. By induction hypothesis, $\Sigma \vdash \sigma\,\mathit{removeeval}(D_i) = M_i$. Moreover we have $\sigma_u M_i = \sigma_u N_i$. Hence we obtain $\Sigma \vdash \sigma_u\sigma\,\mathit{removeeval}(\mathit{eval}\ f(D_1, \ldots, D_n)) = f(\sigma_u\sigma\,\mathit{removeeval}(D_1), \ldots, \sigma_u\sigma\,\mathit{removeeval}(D_n)) = f(\sigma_u M_1, \ldots, \sigma_u M_n) = f(\sigma_u N_1, \ldots, \sigma_u N_n) = \sigma_u N$.

• Case $(D_1, \ldots, D_n)$: We have $(D_1, \ldots, D_n) \Downarrow' ((\sigma' M_1, \ldots, \sigma' M_{n-1}, M_n), \sigma'\sigma)$ where $(D_1, \ldots, D_{n-1}) \Downarrow' ((M_1, \ldots, M_{n-1}), \sigma)$ and $\sigma D_n \Downarrow' (M_n, \sigma')$. Then by induction hypothesis, $\Sigma \vdash \sigma\,\mathit{removeeval}(D_i) = M_i$ for $i \in \{1, \ldots, n-1\}$ and $\Sigma \vdash \sigma'\,\mathit{removeeval}(\sigma D_n) = M_n$. Hence, $\Sigma \vdash \sigma'\sigma\,\mathit{removeeval}(D_i) = \sigma' M_i$ for $i \in \{1, \ldots, n-1\}$ and $\Sigma \vdash \sigma'\sigma\,\mathit{removeeval}(D_n) = M_n$. $\square$

The following two lemmas show a completeness property: we do not lose precision by translating computations in $\Sigma$ into computations in $\Sigma'$. The proof of Lemma 16 relies on Lemma 15 for destructor applications.

Lemma 16 If $h(N_1, \ldots, N_n) \to N$ is in $\mathrm{def}_{\Sigma'}(h)$ then there exist $h(N'_1, \ldots, N'_n) \to N'$ in $\mathrm{def}_\Sigma(h)$ and $\sigma$ such that $\Sigma \vdash N_i = \sigma N'_i$ for all $i \in \{1, \ldots, n\}$ and $\Sigma \vdash N = \sigma N'$.

Proof Case 1: $h$ is a constructor in $\Sigma$. By Property S3, $\Sigma \vdash h(N_1, \ldots, N_n) = N$. Let $\sigma$ be defined by $\sigma x_i = N_i$ for all $i \in \{1, \ldots, n\}$, $N'_i = x_i$ for all $i \in \{1, \ldots, n\}$, and $N' = h(x_1, \ldots, x_n)$. We have $h(N'_1, \ldots, N'_n) \to N'$ in $\mathrm{def}_\Sigma(h)$ because $h(x_1, \ldots, x_n) \to h(x_1, \ldots, x_n)$ is in $\mathrm{def}_\Sigma(h)$. We also have $\Sigma \vdash N_i = \sigma N'_i$ for all $i \in \{1, \ldots, n\}$ and $\Sigma \vdash N = h(N_1, \ldots, N_n) = \sigma N'$.

Case 2: $h$ is a destructor in $\Sigma$. Then there exists $h(N'_1, \ldots, N'_n) \to N'$ in $\mathrm{def}_\Sigma(h)$, such that $\mathit{addeval}(N'_1, \ldots, N'_n, N') \Downarrow' ((N_1, \ldots, N_n, N), \sigma)$. By Lemma 15, $\Sigma \vdash N = \sigma N'$ and for all $i \in \{1, \ldots, n\}$, $\Sigma \vdash N_i = \sigma N'_i$. $\square$

Lemma 17 Let $D$ be a plain term evaluation. If $\Sigma \vdash D' = D$ and $D' \Downarrow_{\Sigma'} M'$ then $D \Downarrow_\Sigma M$ for some $M$ such that $\Sigma \vdash M = M'$.

Proof The proof is by induction on D.

• Case $D = M$: We have $D \Downarrow_\Sigma M$. Moreover $\Sigma \vdash D' = D$, so $D'$ is also a term, and $M' = D'$. Finally, $D = M$, $D' = M'$, and $\Sigma \vdash D' = D$, so $\Sigma \vdash M = M'$.

• Case $D = \mathit{eval}\ h(D_1, \ldots, D_n)$: Since $\Sigma \vdash D' = D$, we have $D' = \mathit{eval}\ h(D'_1, \ldots, D'_n)$ with $\Sigma \vdash D'_i = D_i$. Since $D' \Downarrow_{\Sigma'} M'$, there exist $h(N_1, \ldots, N_n) \to N$ in $\mathrm{def}_{\Sigma'}(h)$ and $\sigma$ such that $M' = \sigma N$, and for all $i \in \{1, \ldots, n\}$, $D'_i \Downarrow_{\Sigma'} \sigma N_i$. By induction hypothesis, $D_i \Downarrow_\Sigma M_i$ with $\Sigma \vdash M_i = \sigma N_i$.

By Lemma 16, there exist $h(N'_1, \ldots, N'_n) \to N'$ in $\mathrm{def}_\Sigma(h)$ and $\sigma'$, such that $\Sigma \vdash N = \sigma' N'$ and for all $i \in \{1, \ldots, n\}$, $\Sigma \vdash N_i = \sigma' N'_i$. Then $D_i \Downarrow_\Sigma M_i$, $\Sigma \vdash M_i = \sigma N_i = \sigma\sigma' N'_i$, and $h(N'_1, \ldots, N'_n) \to N'$ is in $\mathrm{def}_\Sigma(h)$, so $D \Downarrow_\Sigma \sigma\sigma' N'$. Moreover, $\Sigma \vdash M' = \sigma N = \sigma\sigma' N'$. $\square$

The following lemma is useful to deal with rule (Red Fun 2): when $D$ fails to evaluate, the lemma ensures that $D'$ also fails to evaluate, even with the equational theory of $\Sigma$. To this end, Lemma 18 requires $D' \Downarrow_\Sigma M'$, whereas Lemma 17 requires $D' \Downarrow_{\Sigma'} M'$.

Lemma 18 Let $D$ be a plain term evaluation. If $\Sigma \vdash D' = D$ and $D' \Downarrow_\Sigma M'$ then $D \Downarrow_\Sigma M$ for some $M$ such that $\Sigma \vdash M = M'$.


Proof The proof is by induction on D.

• Case $D = M$: We have $D \Downarrow_\Sigma M$. Moreover $\Sigma \vdash D' = D$, so $D'$ is also a term, and $M' = D'$. Finally, $D = M$, $D' = M'$, and $\Sigma \vdash D' = D$, so $\Sigma \vdash M = M'$.

• Case $D = \mathit{eval}\ h(D_1, \ldots, D_n)$: Since $\Sigma \vdash D' = D$, we have $D' = \mathit{eval}\ h(D'_1, \ldots, D'_n)$ with $\Sigma \vdash D'_i = D_i$. Since $D' \Downarrow_\Sigma M'$, there exist $h(N_1, \ldots, N_n) \to N$ in $\mathrm{def}_\Sigma(h)$ and $\sigma$ such that $M' = \sigma N$, and for all $i \in \{1, \ldots, n\}$, $D'_i \Downarrow_\Sigma M'_i$ with $\Sigma \vdash M'_i = \sigma N_i$. By induction hypothesis, $D_i \Downarrow_\Sigma M_i$ with $\Sigma \vdash M_i = \sigma N_i$. Then $D = \mathit{eval}\ h(D_1, \ldots, D_n) \Downarrow_\Sigma \sigma N$ and $\Sigma \vdash \sigma N = M'$. $\square$

B.2 Proof of Lemma 1

Lemma 1 is an obvious consequence of the following lemma.

Lemma 19 Let $P_0$ be a closed, unevaluated biprocess. If $P_0 \to^*_\Sigma \equiv P'_0$, $\Sigma \vdash Q'_0 = P'_0$, and $\mathrm{nf}_{S,\Sigma}(\{Q'_0\})$, then $P_0 \to^*_{\Sigma',\Sigma} \equiv Q'_0$ by a reduction whose intermediate biprocesses $Q$ all satisfy $\mathrm{nf}_{S,\Sigma}(\{Q\})$. Conversely, if $P_0 \to^*_{\Sigma',\Sigma} \equiv Q'_0$ then there exists $P'_0$ such that $\Sigma \vdash Q'_0 = P'_0$ and $P_0 \to^*_\Sigma \equiv P'_0$.

Proof We write VC(P) when P is a closed process whose terms M are either variables or terms of the form diff[M1,M2] where M1 and M2 are closed terms that do not contain diff. (Function symbols prefixed by eval are not constrained.) We have the following properties:

P1. If VC(P) and P ≡ P′ then VC(P′). The proof is by induction on the derivation of P ≡ P′. All cases are easy, since ≡ cannot change terms.

P2. If VC(P) and P →Σ P′ then VC(P′). The proof is by induction on the derivation of P →Σ P′. The only change of terms is done by the substitution {M/x} in the rules (Red I/O) and (Red Fun 1). This substitution replaces a variable with a closed term M = diff[M1,M2], hence the result. (For (Red I/O), M is of the form diff[M1,M2] because of VC(P).)

P3. If VC(P{diff[M1,M2]/x}), Σ ⊢ P{diff[M1,M2]/x} = P′′, and nfS,Σ(P ∪ {P′′}), then there exist P′, M′1, and M′2 such that Σ ⊢ P = P′, Σ ⊢ M1 = M′1, Σ ⊢ M2 = M′2, P′′ = P′{diff[M′1,M′2]/x}, and nfS,Σ(P ∪ {P′, M′1, M′2}).

Since P0 is closed and unevaluated, VC(P0). Therefore, by P1 and P2, if P0 →∗Σ≡ P, then VC(P). Moreover, the only process P such that Σ ⊢ P0 = P and nfS,Σ({P}) is P0 by Lemma 4.

Let us show that, if P ≡ P′, Σ ⊢ Q′ = P′, and nfS,Σ(P ∪ {Q′}), then there exists Q such that Σ ⊢ Q = P, nfS,Σ(P ∪ {Q}), and Q ≡ Q′. The proof is by induction on the derivation of P ≡ P′. All cases are easy, since ≡ does not depend on terms.

Let us show that, if VC(P), P →Σ P′, Σ ⊢ Q′ = P′, and nfS,Σ(P ∪ {Q′}), then there exists Q such that Σ ⊢ Q = P, nfS,Σ(P ∪ {Q}), and Q →Σ′,Σ Q′. The proof is by induction on the derivation of P →Σ P′.

• Case (Red I/O): Since VC(P), we have P = diff[M1,M2]〈N〉.R | diff[M′1,M′2](x).R′ →Σ R | R′{N/x} = P′ with Σ ⊢ M1 = M′1 and Σ ⊢ M2 = M′2. Since Σ ⊢ Q′ = P′ and nfS,Σ(P ∪ {Q′}), we have Q′ = R1 | R′1{N1/x} for some R1, R′1, N1 such that Σ ⊢ R1 = R, Σ ⊢ R′1 = R′, Σ ⊢ N1 = N, and nfS,Σ(P ∪ {R1, R′1, N1}) by P3.

By Property S2, there exist M′′1 and M′′2 such that Σ ⊢ M′′1 = M1 = M′1, Σ ⊢ M′′2 = M2 = M′2, and nfS,Σ(P ∪ {R1, R′1, N1, M′′1, M′′2}).

We let Q = diff[M′′1,M′′2]〈N1〉.R1 | diff[M′′1,M′′2](x).R′1. Then Σ ⊢ Q = P. Moreover nfS,Σ(P ∪ {Q}) since nfS,Σ(P ∪ {R1, R′1, N1, M′′1, M′′2}), and Q →Σ′,Σ Q′, hence the result.


Automated Verification of Selected Equivalences for Security Protocols 253

• Case (Red Fun 1): We have P = let x = D in R else R′ →Σ R{diff[M,M′]/x} = P′ with fst(D) ⇓Σ M and snd(D) ⇓Σ M′. Since Σ ⊢ Q′ = P′ and nfS,Σ(P ∪ {Q′}), we have Q′ = R1{diff[M1,M′1]/x} for some R1, M1, M′1 such that Σ ⊢ R1 = R, Σ ⊢ M1 = M, Σ ⊢ M′1 = M′, and nfS,Σ(P ∪ {R1, M1, M′1}) by P3.

By Property S2, there exist D1 and R′1 such that Σ ⊢ D1 = D, Σ ⊢ R′1 = R′, and nfS,Σ(P ∪ {D1, R′1, R1, M1, M′1}). By Lemma 14, fst(D1) ⇓Σ′ M1 and snd(D1) ⇓Σ′ M′1. Let Q = let x = D1 in R1 else R′1. Then Σ ⊢ Q = P, nfS,Σ(P ∪ {Q}), and Q →Σ′,Σ Q′.

• Case (Red Fun 2): We have P = let x = D in R else P′ →Σ P′, there exists no M such that fst(D) ⇓Σ M, and there exists no M′ such that snd(D) ⇓Σ M′. We have Σ ⊢ Q′ = P′ and nfS,Σ(P ∪ {Q′}).

By Property S2, there exist D1 and R1 such that Σ ⊢ D1 = D, Σ ⊢ R1 = R and nfS,Σ(P ∪ {R1, D1, Q′}). Then, there exists no M such that fst(D1) ⇓Σ M, and there exists no M′ such that snd(D1) ⇓Σ M′. (Otherwise, by Lemma 18, there would exist M such that fst(D) ⇓Σ M, and M′ such that snd(D) ⇓Σ M′.) Let Q = let x = D1 in R1 else Q′. Then Σ ⊢ Q = P, nfS,Σ(P ∪ {Q}), and Q →Σ′,Σ Q′.

• Case (Red Repl): We have P = !R →Σ R | !R = P′. Since Σ ⊢ Q′ = P′ and nfS,Σ(P ∪ {Q′}), we have Q′ = R1 | !R1 for some R1 such that Σ ⊢ R1 = R. Let Q = !R1. Then we have Σ ⊢ Q = P, nfS,Σ(P ∪ {Q}), and Q →Σ′,Σ Q′.

• Cases (Red Par) and (Red Res): Easy by induction hypothesis.

• Case (Red ≡): Easy using the corresponding property for ≡ and the induction hypothesis.

Therefore, if P0 →∗Σ≡ P′0, Σ ⊢ Q′0 = P′0, and nfS,Σ({Q′0}), then there exists Q0 such that nfS,Σ({Q0}), Σ ⊢ Q0 = P0, and Q0 →∗Σ′,Σ≡ Q′0 by a reduction whose intermediate biprocesses Q all satisfy nfS,Σ({Q}), simply by applying several times the results shown above. Since the only process P such that Σ ⊢ P0 = P and nfS,Σ({P}) is P0, we have Q0 = P0, so we conclude that if P0 →∗Σ≡ P′0, Σ ⊢ Q′0 = P′0, and nfS,Σ({Q′0}), then P0 →∗Σ′,Σ≡ Q′0 by a reduction whose intermediate biprocesses Q all satisfy nfS,Σ({Q}).

For the converse, we show that, if P ≡ P′ and Σ ⊢ Q = P, then there exists Q′ such that Σ ⊢ Q′ = P′ and Q ≡ Q′. The proof is by induction on the derivation of P ≡ P′. All cases are easy, since ≡ does not depend on terms.

We also show that, if VC(P), P →Σ′,Σ P′ and Σ ⊢ Q = P, then there exists Q′ such that Σ ⊢ Q′ = P′, and Q →Σ Q′. The proof is by induction on the derivation of P →Σ′,Σ P′.

• Case (Red I/O): Since VC(P), we have P = diff[M1,M2]〈N〉.R | diff[M1,M2](x).R′ →Σ′,Σ R | R′{N/x} = P′. Since Σ ⊢ Q = P, we have Q = diff[M′1,M′2]〈N′〉.R1 | diff[M′′1,M′′2](x).R′1 with Σ ⊢ M1 = M′1 = M′′1, Σ ⊢ M2 = M′2 = M′′2, Σ ⊢ N′ = N, Σ ⊢ R = R1, and Σ ⊢ R′ = R′1. Then Q →Σ Q′ = R1 | R′1{N′/x} with Σ ⊢ Q′ = P′.

• Case (Red Fun 1): We have P = let x = D in R else R′ →Σ′,Σ R{diff[M1,M2]/x} = P′ with fst(D) ⇓Σ′ M1 and snd(D) ⇓Σ′ M2. Since Σ ⊢ Q = P, we have Q = let x = D′ in R1 else R′1 with Σ ⊢ D′ = D, Σ ⊢ R1 = R, and Σ ⊢ R′1 = R′. By Lemma 17, fst(D′) ⇓Σ M′1 with Σ ⊢ M1 = M′1 and snd(D′) ⇓Σ M′2 with Σ ⊢ M2 = M′2. Hence Q →Σ Q′ = C′[R1{diff[M′1,M′2]/x}] with Σ ⊢ Q′ = P′.

• Case (Red Fun 2): We have P = let x = D in R else P′ →Σ′,Σ P′, there exists no M1 such that fst(D) ⇓Σ M1, and there exists no M2 such that snd(D) ⇓Σ M2. Since Σ ⊢ Q = P, we have Q = let x = D′ in R1 else Q′ with Σ ⊢ D′ = D, Σ ⊢ R1 = R, and Σ ⊢ Q′ = P′. Then, there exists no M′1 such that fst(D′) ⇓Σ M′1, and there exists no M′2 such that snd(D′) ⇓Σ M′2. (Otherwise, by Lemma 18, there would exist M1 such that fst(D) ⇓Σ M1 and M2 such that snd(D) ⇓Σ M2.) Hence Q →Σ Q′ and Σ ⊢ Q′ = P′.


• Case (Red Repl): We have P = !R →Σ′,Σ R | !R = P′. Since Σ ⊢ Q = P, we have Q = !R1 with Σ ⊢ R1 = R. Let Q′ = R1 | !R1. So Σ ⊢ Q′ = P′ and Q →Σ Q′.

• Cases (Red Par) and (Red Res): Easy by induction hypothesis.

• Case (Red ≡): Easy using the corresponding property for ≡ and the induction hypothesis.

We conclude that, if P0 →∗Σ′,Σ≡ Q′0 then there exists P′0 such that Σ ⊢ Q′0 = P′0 and P0 →∗Σ≡ P′0, simply by applying several times the results shown above, with Q = P in the first application. □

B.3 Proof of Lemma 2

We first show that it is enough to consider unevaluated processes as initial configurations (Lemma 22), then prove Lemma 2 itself.

Let P R P′ if and only if P′ is obtained from P by adding some lets on terms with constructors that occur in inputs or outputs (for instance transforming M〈N〉.P into let x = M in let y = N in x〈y〉.P where x and y are fresh variables), prefixing some constructors in lets with eval, and replacing some terms M with diff[fst(M), snd(M)].
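As an added illustration, not code from the paper or from ProVerif, the following Python model makes concrete the objects handled by the lemmas above and by the relation R just defined: plain term evaluation D ⇓ M with destructor rewrite rules (the setting of Lemmas 17 and 18 and of the (Red Fun 1)/(Red Fun 2) cases, here with the empty equational theory, i.e. the syntactic ⇓Σ′; rewriting modulo Σ is not modelled), the fst/snd projections of biprocess terms, the uniformity check that a let reduces on both sides or fails on both sides, and the transformation behind R (lets moved out of inputs and outputs, constructors prefixed with eval, terms replaced by diff[fst(M), snd(M)]). The tuple encoding, the destructors dec and equals, and the fresh variable names x1, x2, . . . are constructed for this example.

```python
"""Toy model of biprocess terms, constructed for this example (not the paper's code).
Terms: ('var', x) | ('name', a) | ('diff', M1, M2) | ('app', f, M1, ..., Mn);
term evaluations add ('eval', h, D1, ..., Dn); processes are ('nil',), ('out', M, N, P),
('in', M, x, P), ('let', x, D, P, Q), ('par', P, Q), ('repl', P), ('new', a, P)."""
import itertools

CONSTRUCTORS = {'enc', 'true'}
# def(h) for destructors, as (argument patterns, result): dec(enc(x,k),k) -> x, equals(x,x) -> true
DEFS = {
    'dec': [([('app', 'enc', ('var', 'x'), ('var', 'k')), ('var', 'k')], ('var', 'x'))],
    'equals': [([('var', 'x'), ('var', 'x')], ('app', 'true'))],
}

def proj(t, side):
    """fst (side=1) or snd (side=2): keep one side of every diff, recursively."""
    if t[0] == 'diff':
        return proj(t[side], side)
    if t[0] in ('var', 'name'):
        return t
    return (t[0], t[1]) + tuple(proj(a, side) for a in t[2:])

def match(pattern, term, subst):
    """Syntactic matching of a rule pattern against a diff-free closed term."""
    if pattern[0] == 'var':
        if pattern[1] in subst:
            return subst[pattern[1]] == term  # repeated variable: same term required
        subst[pattern[1]] = term
        return True
    if pattern[0] == 'name':
        return pattern == term
    if term[0] != 'app' or pattern[1] != term[1] or len(pattern) != len(term):
        return False
    return all(match(p, a, subst) for p, a in zip(pattern[2:], term[2:]))

def subst_apply(subst, t):
    if t[0] in ('var', 'name'):
        return subst.get(t[1], t) if t[0] == 'var' else t
    return (t[0], t[1]) + tuple(subst_apply(subst, a) for a in t[2:])

def evaluate(D, defs=DEFS):
    """Plain term evaluation, empty equational theory (the paper's syntactic ⇓Σ′):
    the M with D ⇓ M, or None when D fails (the side condition of (Red Fun 2))."""
    if D[0] != 'eval':                 # D = M: a term evaluates to itself
        return D
    args = [evaluate(a, defs) for a in D[2:]]
    if any(a is None for a in args):   # a failing argument makes D fail
        return None
    if D[1] in CONSTRUCTORS:           # def(f) = {f(x1..xn) -> f(x1..xn)} for a constructor f
        return ('app', D[1]) + tuple(args)
    for lhs, rhs in defs.get(D[1], []):
        subst = {}
        if len(lhs) == len(args) and all(match(p, a, subst) for p, a in zip(lhs, args)):
            return subst_apply(subst, rhs)
    return None

def let_step(D, defs=DEFS):
    """(Red Fun 1) needs both projections to succeed, (Red Fun 2) both to fail:
    ('then', diff[M, M']) or ('else', None).  None means the two sides disagree,
    which is what the second hypothesis of Corollary 1 excludes."""
    m1, m2 = evaluate(proj(D, 1), defs), evaluate(proj(D, 2), defs)
    if m1 is not None and m2 is not None:
        return ('then', ('diff', m1, m2))
    return ('else', None) if m1 is None and m2 is None else None

def to_eval(t):
    """diff[fst(t), snd(t)] with every constructor prefixed by eval (the R relation)."""
    def evalify(u):
        return ('eval', u[1]) + tuple(evalify(a) for a in u[2:]) if u[0] in ('app', 'eval') else u
    return ('diff', evalify(proj(t, 1)), evalify(proj(t, 2)))

def unevaluated(P, fresh=None):
    """Move constructor terms out of inputs/outputs into lets on fresh x1, x2, ...,
    so every channel and message is a variable or diff[a, a] for a name a."""
    fresh = itertools.count(1) if fresh is None else fresh

    def atomize(t):                    # -> (atomic term, let bindings to add above)
        if t[0] == 'var' or (t[0] == 'diff' and t[1][0] == 'name' and t[1] == t[2]):
            return t, []
        if t[0] == 'name':
            return ('diff', t, t), []
        x = 'x%d' % next(fresh)
        return ('var', x), [(x, to_eval(t))]

    def wrap(bindings, body):          # let x1 = D1 in ... let xk = Dk in body
        for x, D in reversed(bindings):
            body = ('let', x, D, body, ('nil',))
        return body

    if P[0] == 'out':
        m, bm = atomize(P[1])
        n, bn = atomize(P[2])
        return wrap(bm + bn, ('out', m, n, unevaluated(P[3], fresh)))
    if P[0] == 'in':
        m, bm = atomize(P[1])
        return wrap(bm, ('in', m, P[2], unevaluated(P[3], fresh)))
    if P[0] == 'let':
        return ('let', P[1], to_eval(P[2]), unevaluated(P[3], fresh), unevaluated(P[4], fresh))
    # nil, par, repl, new carry no terms of their own: recurse into the subprocesses
    return (P[0],) + tuple(unevaluated(c, fresh) if isinstance(c, tuple) else c for c in P[1:])
```

`let_step` returning None is exactly the situation the second hypothesis of Corollary 1 rules out: one projection takes the then branch while the other takes the else branch, so the two sides of the biprocess would behave differently. Running `unevaluated` on c〈enc(diff[m1, m2], k)〉.0 produces let x1 = diff[eval enc(m1, k), eval enc(m2, k)] in diff[c, c]〈x1〉.0, the shape in which the proofs above assume channels and messages are variables or diff[a, a].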

For the next two proofs, we consider an alternative, equivalent definition of ≡, in which a symmetric rule Q ≡ P is added for each rule P ≡ Q in the definition of ≡ and the implication P ≡ Q ⇒ Q ≡ P is removed from the definition of ≡.

Lemma 20 If P R Q and P ≡ P′ then there exists Q′ such that P′ R Q′ and Q ≡ Q′. If P R Q and P →Σ P′ then there exists Q′ such that P′ R Q′ and Q →+Σ Q′.

Proof Obvious, by induction on the derivation of P ≡ P′ and P →Σ P′ respectively. □

Lemma 21 If Σ ⊢ P = Q, Q R R, and R ≡ R′ then there exist P′ and Q′ such that Σ ⊢ P′ = Q′, Q′ R R′, and P ≡ P′.

If Σ ⊢ P = Q, Q R R, and R →Σ R′ then there exist P′ and Q′ such that Σ ⊢ P′ = Q′, Q′ R R′, and P →Σ P′ or P = P′.

Proof Obvious, by induction on the derivation of R ≡ R′ and R →Σ R′ respectively. □

Lemma 22 Let P0 be a closed biprocess. The hypotheses of Corollary 1 are true if and only if they are true with unevaluated(C[P0]) instead of C[P0].

Proof We have C[P0] R unevaluated(C[P0]). We first show that if the hypotheses of Corollary 1 are true for unevaluated(C[P0]), then they are true for C[P0].

• If C[P0] →∗Σ≡ C′1[N1〈M1〉.Q1 | N′1(x).R1], then by Lemma 20, we have unevaluated(C[P0]) →∗Σ≡ P′ with C′1[N1〈M1〉.Q1 | N′1(x).R1] R P′. Then we have P′ →∗Σ C′[N〈M〉.Q | N′(x).R] with C′1 R C′, fst(N) = fst(N1), snd(N) = snd(N1), fst(N′) = fst(N′1), snd(N′) = snd(N′1), fst(M) = fst(M1), snd(M) = snd(M1), Q1 R Q, and R1 R R, by reducing the term evaluations of constructors that may occur above inputs and outputs in P′. So unevaluated(C[P0]) →∗Σ≡ C′[N〈M〉.Q | N′(x).R], with fst(N) = fst(N1), snd(N) = snd(N1), fst(N′) = fst(N′1), and snd(N′) = snd(N′1). Hence, if the first hypothesis of Corollary 1 is true with unevaluated(C[P0]), then it is true with C[P0].

• If C[P0] →∗Σ≡ C′1[let y1 = D1 in Q1 else R1], then by the same reasoning as above, unevaluated(C[P0]) →∗Σ≡ C′[P] where let y1 = D1 in Q1 else R1 R P. Hence, we have P = let y1 = D′1 in Q′1 else R′1 where D′1 is obtained by prefixing some constructors of D1 with eval and reorganizing diffs. We have fst(D1) ⇓Σ M1 if and only if fst(D′1) ⇓Σ M1, if and only if snd(D′1) ⇓Σ M2 (by the second hypothesis of Corollary 1 for unevaluated(C[P0])), if and only if snd(D1) ⇓Σ M2. This yields the second hypothesis of Corollary 1 for C[P0].

We now show the converse: if the hypotheses of Corollary 1 are true for C[P0], then they are true for unevaluated(C[P0]).

• Assume that unevaluated(C[P0]) →∗Σ≡ C′1[N1〈M1〉.Q1 | N′1(x).R1]. By Lemma 21, C[P0] →∗Σ≡ P with Σ ⊢ P = P′ and P′ R C′1[N1〈M1〉.Q1 | N′1(x).R1]. Then P = C′[N〈M〉.Q | N′(x).R] with Σ ⊢ fst(N) = fst(N1), Σ ⊢ snd(N) = snd(N1), Σ ⊢ fst(N′) = fst(N′1), Σ ⊢ snd(N′) = snd(N′1), Σ ⊢ fst(M) = fst(M1), and Σ ⊢ snd(M) = snd(M1). So, if the first hypothesis of Corollary 1 is true with C[P0], then it is true with unevaluated(C[P0]).

• Assume that unevaluated(C[P0]) →∗Σ≡ C′1[let y1 = D1 in Q1 else R1]. By Lemma 21, C[P0] →∗Σ≡ P with Σ ⊢ P = P′ and P′ R C′1[let y1 = D1 in Q1 else R1]. We have two cases:

– Case 1: let y1 is introduced by R. Then R1 = 0 and D1 does not contain destructors. Hence there exists M1 such that fst(D1) ⇓Σ M1 and there exists M2 such that snd(D1) ⇓Σ M2.

– Case 2: let y1 comes from P′. Hence P = C′[let y1 = D′1 in Q′1 else R′1] where D′1 is obtained by removing some eval prefixes of D1, reorganizing diffs, and replacing terms with equal terms modulo Σ. We have fst(D1) ⇓Σ M1 for some M1 if and only if fst(D′1) ⇓Σ M1 for some M1, if and only if snd(D′1) ⇓Σ M2 for some M2 (by the second hypothesis of Corollary 1 for C[P0]), if and only if snd(D1) ⇓Σ M2 for some M2.

This yields the second hypothesis of Corollary 1 for unevaluated(C[P0]). □

Lemma 2 is an obvious consequence of the following lemma.

Lemma 23 Let P0 be a closed biprocess. Suppose that, for all plain evaluation contexts C, all evaluation contexts C′, and all reductions unevaluated(C[P0]) →∗Σ′,Σ P whose intermediate biprocesses P′ all satisfy nfS,Σ({P′}),

1. if P ≡ C′[N〈M〉.Q | N′(x).R] and fst(N) = fst(N′), then Σ ⊢ snd(N) = snd(N′),

2. if P ≡ C′[let x = D in Q else R] and fst(D) ⇓Σ′ M1 for some M1, then snd(D) ⇓Σ M2 for some M2,

as well as the symmetric properties where we swap fst and snd. Then P0 satisfies the hypotheses of Corollary 1.

Conversely, if P0 satisfies the hypotheses of Corollary 1, then for all plain evaluation contexts C, evaluation contexts C′, and reductions unevaluated(C[P0]) →∗Σ′ P, we have properties 1 and 2 above, as well as the symmetric properties where we swap fst and snd.

Proof By Lemma 22, we can work with unevaluated(C[P0]) instead of C[P0]. We show the two hypotheses of Corollary 1.

• Assume that unevaluated(C[P0]) →∗Σ≡ C′[N〈M〉.Q | N′(x).R] and Σ ⊢ fst(N) = fst(N′). By Property S2, there exists P′ such that Σ ⊢ P′ = C′[N〈M〉.Q | N′(x).R] and nfS,Σ({P′}). By Lemma 19, unevaluated(C[P0]) →∗Σ′,Σ≡ P′. Moreover, P′ = C′′[diff[N1,N2]〈M′〉.Q1 | diff[N′1,N′2](x).R1], where Σ ⊢ N1 = fst(N), Σ ⊢ N2 = snd(N), Σ ⊢ N′1 = fst(N′), and Σ ⊢ N′2 = snd(N′). Since nfS,Σ({P′}), N1 = N′1. Hence, by hypothesis 1, Σ ⊢ N2 = N′2. So Σ ⊢ snd(N) = snd(N′).

We obtain the case unevaluated(C[P0]) →∗≡ C′[N〈M〉.Q | N′(x).R] and Σ ⊢ snd(N) = snd(N′) by symmetry.


• Assume that unevaluated(C[P0]) →∗Σ≡ C′[let y = D in Q else R] and there exists M1 such that fst(D) ⇓Σ M1. By Property S2, there exist P′, M′1, and D′ such that Σ ⊢ P′ = C′[let y = D in Q else R], Σ ⊢ M′1 = M1, Σ ⊢ D′ = D, and nfS,Σ({P′, M′1, D′}). Then P′ = C′′[let y = D′ in Q′ else R′]. By Lemma 19, unevaluated(C[P0]) →∗Σ′,Σ≡ P′. By Lemma 14, fst(D′) ⇓Σ′ M′1. By hypothesis 2, snd(D′) ⇓Σ M′2. By Lemma 18, since Σ ⊢ snd(D′) = snd(D) and snd(D′) ⇓Σ M′2, we have snd(D) ⇓Σ M2.

We obtain the case unevaluated(C[P0]) →∗≡ C′[let y = D in Q else R] and there exists M2 such that snd(D) ⇓Σ M2 by symmetry.

Next, we prove the converse property.

• Assume that unevaluated(C[P0]) →∗Σ′,Σ≡ C′[N〈M〉.Q | N′(x).R] and fst(N) = fst(N′). By Lemma 19, we have unevaluated(C[P0]) →∗Σ≡ C1[N1〈M1〉.Q1 | N1(x).R1] with Σ ⊢ C′[N〈M〉.Q | N′(x).R] = C1[N1〈M1〉.Q1 | N1(x).R1] so Σ ⊢ N = N1 and Σ ⊢ N′ = N′1. Using the first hypothesis of Corollary 1, since Σ ⊢ fst(N1) = fst(N′1), we have Σ ⊢ snd(N1) = snd(N′1), hence Σ ⊢ snd(N) = snd(N′).

We obtain the case unevaluated(C[P0]) →∗Σ′,Σ≡ C′[N〈M〉.Q | N′(x).R] and snd(N) = snd(N′) by symmetry.

• Assume that unevaluated(C[P0]) →∗Σ′,Σ≡ C′[let y = D in Q else R] and there exists M1 such that fst(D) ⇓Σ′ M1. As above, unevaluated(C[P0]) →∗Σ≡ C1[let y = D1 in Q1 else R1] with Σ ⊢ D1 = D. By Lemma 17, fst(D1) ⇓Σ M′1 for some M′1. Using the second hypothesis of Corollary 1, snd(D1) ⇓Σ M′2, hence by Lemma 18, snd(D) ⇓Σ M2.

We obtain the case unevaluated(C[P0]) →∗Σ′,Σ≡ C′[let y = D in Q else R] and there exists M2 such that snd(D) ⇓Σ′ M2 by symmetry. □

C Proof of Lemma 3

When F is a set that contains patterns, facts, sequences of patterns or facts, clauses, environments that map variables and names to pairs of patterns, . . . , we say that nfS,Σ(F) if and only if all patterns that appear in F are irreducible by S and for all p1, p2 subpatterns of elements of F, if Σ ⊢ p1 = p2 then p1 = p2.

We say that nf′S,Σ(F) if and only if nfS,Σ(F′) where F′ is obtained from F by removing nounif facts. When D is a derivation, we say that nf′S,Σ(D) when nf′S,Σ(F) where F is the set of intermediately derived facts of D.

We say that F1 ∧ · · · ∧ Fn ∼ F′1 ∧ · · · ∧ F′n when, for all i ∈ {1, . . . , n}, either Fi = F′i or Fi and F′i are nounif facts and Σ ⊢ Fi = F′i. We say that Σ ⊢ F1 ∧ · · · ∧ Fn ∼ F′1 ∧ · · · ∧ F′n when for all i ∈ {1, . . . , n}, Σ ⊢ Fi = F′i. This definition is naturally extended to clauses.

The special treatment of nounif facts in the definition of ∼ and in Lemma 3 is necessary so that the following results hold. In particular, Lemma 28 would be wrong for Clauses (Rt) and (Rt′), which contain nounif facts.

Lemma 24 If h(N1, . . . , Nn) → N is in defΣ′(h), Σ ⊢ N′′ = σN, Σ ⊢ N′′i = σNi for all i ∈ {1, . . . , n}, and nfS,Σ({N′′1, . . . , N′′n, N′′}), then there exist a closed substitution σ′ and h(N′1, . . . , N′n) → N′ in defΣ′(h) such that N′′ = σ′N′ and N′′i = σ′N′i for all i ∈ {1, . . . , n}.

Proof The result follows from Lemmas 16 and 13. □

The following lemma generalizes Lemma 15 to the case in which D may contain destructors. It is used in the proof of Lemma 26 below.


Lemma 25 Let D be a plain term evaluation. If D ⇓′ (p, σ) and σ′ is a closed substitution, then there exists p′ such that σ′σD ⇓Σ p′ and Σ ⊢ p′ = σ′p.

Let D1, . . . , Dn be plain term evaluations. If (D1, . . . , Dn) ⇓′ ((p1, . . . , pn), σ) and σ′ is a closed substitution then there exist p′1, . . . , p′n such that for all i ∈ {1, . . . , n}, σ′σDi ⇓Σ p′i and Σ ⊢ p′i = σ′pi.

Proof The proof is by mutual induction following the definition of ⇓′.

• Case D = p: We have p ⇓′ (p, ∅), σ = ∅, so σ′σD = σ′p ⇓Σ σ′p, so we have the result with p′ = σ′p.

• Case D = eval h(D1, . . . , Dn): Since eval h(D1, . . . , Dn) ⇓′ (p, σ), there exist h(N1, . . . , Nn) → N in defΣ′(h), p1, . . . , pn, σ′′, and σu such that (D1, . . . , Dn) ⇓′ ((p1, . . . , pn), σ′′), σu is a most general unifier of (p1, . . . , pn) and (N1, . . . , Nn), p = σuN, and σ = σuσ′′. By induction hypothesis, there exist p′1, . . . , p′n such that for all i ∈ {1, . . . , n}, σ′σuσ′′Di ⇓Σ p′i and Σ ⊢ p′i = σ′σupi, so σ′σDi ⇓Σ p′i. By Lemma 16, there exist h(N′1, . . . , N′n) → N′ in defΣ(h) and σ1 such that Σ ⊢ Ni = σ1N′i for all i ∈ {1, . . . , n} and Σ ⊢ N = σ1N′. So Σ ⊢ p′i = σ′σupi = σ′σuNi = σ′σuσ1N′i and Σ ⊢ σ′p = σ′σuN = σ′σuσ1N′. Let p′ = σ′σuσ1N′. We have σ′σD ⇓Σ p′ and Σ ⊢ p′ = σ′p.

• Case (D1, . . . , Dn): Since (D1, . . . , Dn) ⇓′ ((p1, . . . , pn), σ), we have (D1, . . . , Dn−1) ⇓′ ((p′′1, . . . , p′′n−1), σ1), σ1Dn ⇓′ (pn, σ2), pi = σ2p′′i for all i ∈ {1, . . . , n − 1}, and σ = σ2σ1. By induction hypothesis, there exist p′1, . . . , p′n−1 such that for all i ∈ {1, . . . , n − 1}, σ′σ2σ1Di ⇓Σ′ p′i and Σ ⊢ p′i = σ′σ2p′′i, so σ′σDi ⇓Σ′ p′i and Σ ⊢ p′i = σ′pi. Also by induction hypothesis, there exists p′n such that σ′σ2σ1Dn ⇓Σ′ p′n and Σ ⊢ p′n = σ′pn, so σ′σDn ⇓Σ′ p′n and Σ ⊢ p′n = σ′pn. □

Lemma 26 Let D be a plain term evaluation such that the subterms M of D are variables or names. If ρ(D) ⇓′ (p′, σ′), σ is a closed substitution, Σ ⊢ p = σp′, Σ ⊢ σ′0ρ′ = σσ′ρ, and nfS,Σ({p, σ′0ρ′}), then there exist σ′′, p′′, σ′′0 such that ρ′(D) ⇓′ (p′′, σ′′), σ′0 = σ′′0σ′′ except on fresh variables introduced in the computation of ρ′(D) ⇓′ (p′′, σ′′), and p = σ′′0p′′.

Let Di (i ∈ {1, . . . , n}) be plain term evaluations such that the subterms M of Di are variables or names. If (ρ(D1), . . . , ρ(Dn)) ⇓′ ((p′1, . . . , p′n), σ′), σ is a closed substitution, Σ ⊢ pi = σp′i for all i ∈ {1, . . . , n}, Σ ⊢ σ′0ρ′ = σσ′ρ, and nfS,Σ({p1, . . . , pn, σ′0ρ′}), then there exist σ′′, p′′1, . . . , p′′n, σ′′0 such that (ρ′(D1), . . . , ρ′(Dn)) ⇓′ ((p′′1, . . . , p′′n), σ′′), σ′0 = σ′′0σ′′ except on fresh variables introduced in the computation of (ρ′(D1), . . . , ρ′(Dn)) ⇓′ ((p′′1, . . . , p′′n), σ′′), and pi = σ′′0p′′i for all i ∈ {1, . . . , n}.

Proof We prove the first property. (The second one follows in a similar way.) By Lemma 25, there exists p1 such that σσ′ρ(D) ⇓Σ p1 and Σ ⊢ p1 = σp′. Then Σ ⊢ p = p1, Σ ⊢ σ′0ρ′(D) = σσ′ρ(D), and nfS,Σ({p, σ′0ρ′(D)}). So by a variant of Lemma 14 for patterns instead of terms, σ′0ρ′(D) ⇓Σ′ p. By a variant of Lemma 11 for patterns instead of terms, we obtain the desired result. □

Lemma 27 Let P0 be a closed, unevaluated process. If [[P]]ρss′H is called during the generation of [[P0]]ρ0∅∅∅, σ is a closed substitution, Σ ⊢ ρ2 = σρ, Σ ⊢ s2 = σs, Σ ⊢ s′2 = σs′, Σ ⊢ H2 ∼ σH, and nf′S,Σ({ρ2, s2, s′2, H2}), then there exist σ1, ρ1, H1, s1, s′1 such that ρ2 = σ1ρ1, s2 = σ1s1, s′2 = σ1s′1, H2 ∼ σ1H1, and [[P]]ρ1s1s′1H1 is called during the generation of [[P0]]ρ0∅∅∅.

Proof The process P is a subprocess of P0. We proceed by induction on P: we show the result for P0 itself, and we show that if the result is true for some occurrence of P, then it is also true for the occurrences of the direct subprocesses of P.


• Case P0: We have ρ2 = ρ0, s2 = s′2 = ∅, and H2 = ∅. Then we obtain the result by letting σ1 be any substitution, ρ1 = ρ0, s1 = s′1 = ∅, and H1 = ∅.

• Case 0: Void, since it has no subprocesses.

• Case P | Q: Obvious by induction hypothesis.

• Case !P: Assume [[P]]ρss′H is called. Then ρ = ρ3, s = (s3, i), s′ = (s′3, i), H = H3, and [[!P]]ρ3s3s′3H3 has been called. Let ρ2, s2, s′2, H2 such that Σ ⊢ ρ2 = σρ, Σ ⊢ s2 = σs, Σ ⊢ s′2 = σs′, Σ ⊢ H2 ∼ σH, and nf′S,Σ({ρ2, s2, s′2, H2}).

Then ρ2 = ρ4, s2 = (s4, p), s′2 = (s′4, p), H2 = H4 where Σ ⊢ ρ4 = σρ3, Σ ⊢ s4 = σs3, Σ ⊢ s′4 = σs′3, Σ ⊢ H4 ∼ σH3, and Σ ⊢ p = σi.

By induction hypothesis, there exist σ1, ρ5, s5, s′5, H5 such that ρ4 = σ1ρ5, s4 = σ1s5, s′4 = σ1s′5, H4 ∼ σ1H5, and [[!P]]ρ5s5s′5H5 has been called. Since i is a fresh variable, we can define σ1i = p.

Then [[P]]ρ5(s5, i)(s′5, i)H5 has been called, ρ2 = σ1ρ5, s2 = σ1(s5, i), s′2 = σ1(s′5, i), and H2 ∼ σ1H5.

• Case (νa)P: Assume [[P]]ρss′H is called. Then ρ = ρ3[a ↦ (a[s], a[s′])] and [[(νa)P]]ρ3ss′H has been called. Let ρ2, s2, s′2, H2 such that Σ ⊢ ρ2 = σρ, Σ ⊢ s2 = σs, Σ ⊢ s′2 = σs′, Σ ⊢ H2 ∼ σH, and nf′S,Σ({ρ2, s2, s′2, H2}).

Then ρ2 = ρ4[a ↦ (a[s2], a[s′2])] where Σ ⊢ ρ4 = σρ3.

By induction hypothesis, there exist σ1, ρ5, s1, s′1, H1 such that ρ4 = σ1ρ5, s2 = σ1s1, s′2 = σ1s′1, H2 ∼ σ1H1, and [[(νa)P]]ρ5s1s′1H1 has been called.

Then [[P]](ρ5[a ↦ (a[s1], a[s′1])])s1s′1H1 has been called, ρ2 = σ1(ρ5[a ↦ (a[s1], a[s′1])]), s2 = σ1s1, s′2 = σ1s′1, and H2 ∼ σ1H1.

• Case M〈N〉.P : Obvious by induction hypothesis.

• Case M(x).P: Assume [[P]]ρss′H is called. Then ρ = ρ3[x ↦ (x′, x′′)], s = (s3, x′), s′ = (s′3, x′′), H = H3 ∧ msg′(ρ3(M)1, x′, ρ3(M)2, x′′), and [[M(x).P]]ρ3s3s′3H3 has been called. Let ρ2, s2, s′2, H2 such that Σ ⊢ ρ2 = σρ, Σ ⊢ s2 = σs, Σ ⊢ s′2 = σs′, Σ ⊢ H2 ∼ σH, and nf′S,Σ({ρ2, s2, s′2, H2}).

Then ρ2 = ρ4[x ↦ (p′, p′′)], s2 = (s4, p′), s′2 = (s′4, p′′), H2 = H4 ∧ msg′(ρ4(M)1, p′, ρ4(M)2, p′′) where Σ ⊢ ρ4 = σρ3, Σ ⊢ s4 = σs3, Σ ⊢ s′4 = σs′3, Σ ⊢ H4 ∼ σH3, Σ ⊢ p′ = σx′, and Σ ⊢ p′′ = σx′′. (Since P0 is unevaluated, M is a variable y or diff[a, a] for some name a. Let u = y in the first case and u = a in the second case. We have u ∈ dom(ρ3) = dom(ρ4). We have nf′S,Σ({ρ2, s2, s′2, H2}) so a fortiori nf′S,Σ({ρ4, H2}), and the first and third arguments of msg′ are equal to ρ4(M)1 = ρ4(u)1 and ρ4(M)2 = ρ4(u)2 modulo Σ respectively, so they are exactly ρ4(M)1 and ρ4(M)2.)

By induction hypothesis, there exist σ1, ρ5, s5, s′5, H5 such that ρ4 = σ1ρ5, s4 = σ1s5, s′4 = σ1s′5, H4 ∼ σ1H5, and [[M(x).P]]ρ5s5s′5H5 has been called. Since x′ and x′′ are fresh variables, we can define σ1x′ = p′ and σ1x′′ = p′′.

Then [[P]](ρ5[x ↦ (x′, x′′)])(s5, x′)(s′5, x′′)(H5 ∧ msg′(ρ5(M)1, x′, ρ5(M)2, x′′)) has been called, and ρ2 = σ1(ρ5[x ↦ (x′, x′′)]), s2 = σ1(s5, x′), s′2 = σ1(s′5, x′′), and H2 ∼ σ1(H5 ∧ msg′(ρ5(M)1, x′, ρ5(M)2, x′′)).

• Case let x = D in P else Q:

Subprocess P: Assume [[P]]ρss′H is called. Then we have ρ = (σ1ρ3)[x ↦ (p1, p′1)], s = (σ1s3, p1), s′ = (σ1s′3, p′1), and H = σ1H3 where [[let x = D in P else Q]]ρ3s3s′3H3 has been called and (ρ(D)1, ρ(D)2) ⇓′ ((p1, p′1), σ1). Let ρ2, s2, s′2, H2 such that Σ ⊢ ρ2 = σρ, Σ ⊢ s2 = σs, Σ ⊢ s′2 = σs′, Σ ⊢ H2 ∼ σH, and nf′S,Σ({ρ2, s2, s′2, H2}).

Then ρ2 = ρ4[x ↦ (p4, p′4)], s2 = (s4, p4), s′2 = (s′4, p′4), H2 = H4 with Σ ⊢ ρ4 = σσ1ρ3, Σ ⊢ s4 = σσ1s3, Σ ⊢ s′4 = σσ1s′3, Σ ⊢ H4 ∼ σσ1H3, Σ ⊢ p4 = σp1, Σ ⊢ p′4 = σp′1, and nf′S,Σ({ρ4, s4, s′4, H4, p4, p′4}).

By induction hypothesis, there exist σ′0, ρ5, s5, s′5, H5 such that ρ4 = σ′0ρ5, s4 = σ′0s5, s′4 = σ′0s′5, H4 ∼ σ′0H5, and [[let x = D in P else Q]]ρ5s5s′5H5 has been called.

By Lemma 26, there exist σ2, p2, p′2, and σ3 such that (ρ5(D)1, ρ5(D)2) ⇓′ ((p2, p′2), σ2), σ′0 = σ3σ2 except on fresh variables introduced in the computation of (ρ5(D)1, ρ5(D)2) ⇓′ ((p2, p′2), σ2), p4 = σ3p2, and p′4 = σ3p′2.

Moreover, by definition of [[let x = D in P else Q]], [[P]]((σ2ρ5)[x ↦ (p2, p′2)])(σ2s5, p2)(σ2s′5, p′2)(σ2H5) has been called, so we obtain the result by letting ρ1 = (σ2ρ5)[x ↦ (p2, p′2)], s1 = (σ2s5, p2), s′1 = (σ2s′5, p′2), H1 = σ2H5: we have ρ2 = ρ4[x ↦ (p4, p′4)] = (σ′0ρ5)[x ↦ (σ3p2, σ3p′2)] = σ3((σ2ρ5)[x ↦ (p2, p′2)]) = σ3ρ1, and similarly for s2, s′2, and H2.

Subprocess Q: Assume [[Q]]ρss′H is called. Then H = H3 ∧ ρ(fails(fst(D)))1 ∧ ρ(fails(snd(D)))2 and [[let x = D in P else Q]]ρss′H3 has been called. Let ρ2, s2, s′2, H2 such that Σ ⊢ ρ2 = σρ, Σ ⊢ s2 = σs, Σ ⊢ s′2 = σs′, Σ ⊢ H2 ∼ σH, and nf′S,Σ({ρ2, s2, s′2, H2}).

Then H2 = H4 ∧ H4nounif where H4nounif consists of nounif facts, Σ ⊢ H4nounif ∼ σρ(fails(fst(D)))1 ∧ σρ(fails(snd(D)))2, and Σ ⊢ H4 ∼ σH3.

By induction hypothesis, there exist σ1, ρ1, s1, s′1, H5 such that ρ2 = σ1ρ1, s2 = σ1s1, s′2 = σ1s′1, H4 ∼ σ1H5, and [[let x = D in P else Q]]ρ1s1s′1H5 has been called.

Then [[Q]]ρ1s1s′1(H5 ∧ ρ1(fails(fst(D)))1 ∧ ρ1(fails(snd(D)))2) has been called, which yields the desired result, knowing that H2 = H4 ∧ H4nounif ∼ σ1H5 ∧ σ1ρ1(fails(fst(D)))1 ∧ σ1ρ1(fails(snd(D)))2, since Σ ⊢ σ1ρ1 = ρ2 = σρ. □

Lemma 28 Let P0 be a closed, unevaluated process. For all clauses H → C ∈ RP0, for all closed substitutions σ, for all H2 → C2 such that Σ ⊢ H2 → C2 ∼ σ(H → C) and nf′S,Σ({H2, C2}), there exist a closed substitution σ1 and a clause H1 → C1 ∈ RP0 such that H2 ∼ σ1H1 and C2 = σ1C1.

Proof The clauses of [[P0]]ρ0∅∅∅ are generated from the following cases:

• H → C = H → input′(ρ(M)1, ρ(M)2) where [[M(x).P]]ρss′H has been called during the generation of [[P0]]ρ0∅∅∅. Since Σ ⊢ H2 → C2 ∼ σ(H → C) and nf′S,Σ({H2, C2}), we have Σ ⊢ H2 ∼ σH, C2 = input′(p2, p′2), Σ ⊢ p2 = σρ(M)1, and Σ ⊢ p′2 = σρ(M)2.

Since P0 is unevaluated, M is a variable y or diff[a, a] for some name a. Let u = y in the first case and u = a in the second case. We have u ∈ dom(ρ). We define ρ2 by ρ2(u) = diff[p2, p′2] and extend ρ2 to dom(ρ) in such a way that Σ ⊢ ρ2 = σρ and nf′S,Σ({H2, ρ2}) by Property S2. We also define s2 and s′2 so that Σ ⊢ s2 = σs, Σ ⊢ s′2 = σs′, and nf′S,Σ({H2, ρ2, s2, s′2}) by Property S2. By Lemma 27, there exist σ1, ρ1, s1, s′1, H1 such that ρ2 = σ1ρ1, s2 = σ1s1, s′2 = σ1s′1, H2 ∼ σ1H1, and [[M(x).P]]ρ1s1s′1H1 has been called.

Then H1 → input′(ρ1(M)1, ρ1(M)2) is in [[P0]]ρ0∅∅∅, H2 ∼ σ1H1, C2 = input′(p2, p′2) = input′(ρ2(M)1, ρ2(M)2) = σ1input′(ρ1(M)1, ρ1(M)2).

• H → C = H → msg′(ρ(M)1, ρ(N)1, ρ(M)2, ρ(N)2) where [[M〈N〉.P]]ρss′H has been called. This case is similar to the previous one. (The terms M and N are variables or diff[a, a] for some name a.)


• H → C = σ′H′ ∧ σ′ρ(fails(snd(D)))2 → bad where [[let x = D in P else Q]]ρss′H′ has been called and ρ(D)1 ⇓′ (p′, σ′). Since Σ ⊢ H2 → C2 ∼ σ(H → C) and nf′S,Σ({H2, C2}), we have H2 = H3 ∧ H3nounif where Σ ⊢ H3 ∼ σσ′H′ and H3nounif consists of nounif facts such that Σ ⊢ H3nounif ∼ σσ′ρ(fails(snd(D)))2. By Property S2, there exist ρ3, s3, s′3 such that Σ ⊢ ρ3 = σσ′ρ, Σ ⊢ s3 = σσ′s, Σ ⊢ s′3 = σσ′s′, and nf′S,Σ({ρ3, s3, s′3, H3}).

By Lemma 27, there exist σ1, ρ1, s1, s′1, H1 such that ρ3 = σ1ρ1, s3 = σ1s1, s′3 = σ1s′1, H3 ∼ σ1H1, and [[let x = D in P else Q]]ρ1s1s′1H1 has been called.

By Property S2, we can choose p such that Σ ⊢ p = σp′ and nfS,Σ({p, σ1ρ1}). By Lemma 26, there exist σ′1, p′1, and σ′′1 such that ρ1(D)1 ⇓′ (p′1, σ′1) and σ1 = σ′′1σ′1 except on fresh variables introduced in the computation of ρ1(D)1 ⇓′ (p′1, σ′1). Then σ′1H1 ∧ σ′1ρ1(fails(snd(D)))2 → bad is in [[P0]]ρ0∅∅∅. Moreover σ′′1(σ′1H1 ∧ σ′1ρ1(fails(snd(D)))2) = σ1H1 ∧ σ1ρ1(fails(snd(D)))2 ∼ H3 ∧ H3nounif ∼ H2, since Σ ⊢ σ1ρ1 = ρ3 = σσ′ρ, and σ′′1bad = bad = C, so we have the desired result.

• H → C = σ′H′ ∧ σ′ρ(fails(fst(D)))1 → bad where [[let x = D in P else Q]]ρss′H′ has been called and ρ(D)2 ⇓′ (p′, σ′). This case is symmetric to the previous one.

For the other clauses:

• For Clause (Rinit), C2 = C, H2 = ∅, so we have the result by taking H1 → C1 = H → C.

• For Clauses (Rn), (Rl), (Rs), (Ri), (Rcom), and (Rcom′), H2 = σ′H and C2 = σ′C where for all x ∈ fv(H → C), Σ ⊢ σ′x = σx, and nfS,Σ({σ′x | x ∈ fv(H → C)}). (Indeed, the function symbols in H, C do not appear in equations of Σ.) So we obtain the result by taking H1 → C1 = H → C and σ1 = σ′.

• For Clause (Rf), H = att′(M1, N1) ∧ . . . ∧ att′(Mn, Nn), C = att′(M, N), h(M1, . . . , Mn) → M in defΣ′(h), h(N1, . . . , Nn) → N in defΣ′(h), H2 = att′(M′′1, N′′1) ∧ . . . ∧ att′(M′′n, N′′n), C2 = att′(M′′, N′′) with Σ ⊢ M′′ = σM, Σ ⊢ N′′ = σN, Σ ⊢ M′′i = σMi and Σ ⊢ N′′i = σNi for all i ∈ {1, . . . , n}, and nfS,Σ({M′′, N′′, M′′1, . . . , M′′n, N′′1, . . . , N′′n}). By Lemma 24, there exist σ1 and h(M′1, . . . , M′n) → M′ in defΣ′(h) such that M′′ = σ1M′ and for all i ∈ {1, . . . , n}, M′′i = σ1M′i. By Lemma 24 again, there exist σ1 and h(N′1, . . . , N′n) → N′ in defΣ′(h) such that N′′ = σ1N′ and for all i ∈ {1, . . . , n}, N′′i = σ1N′i. (We can use the same substitution σ1 since the first and second arguments of the predicate att′ do not share variables.) Hence σ1att′(M′i, N′i) = att′(M′′i, N′′i) for all i ∈ {1, . . . , n} and σ1att′(M′, N′) = att′(M′′, N′′). We take H1 → C1 = att′(M′1, N′1) ∧ . . . ∧ att′(M′n, N′n) → att′(M′, N′), which yields the desired result.

• For Clause (Rt), we have C2 = C = bad, H = Hnounif ∧ att′(M1, x1) ∧ . . . ∧ att′(Mn, xn), H2 = H2nounif ∧ att′(M′′1, N′′1) ∧ . . . ∧ att′(M′′n, N′′n) where Hnounif and H2nounif consist of nounif facts, Σ ⊢ H2nounif = σHnounif, g(M1, . . . , Mn) → M in defΣ′(g), Σ ⊢ M′′i = σMi and Σ ⊢ N′′i = σxi for all i ∈ {1, . . . , n}, and nfS,Σ({M′′1, . . . , M′′n, N′′1, . . . , N′′n}). By Lemma 24, there exist σ1 and g(M′1, . . . , M′n) → M′ in defΣ′(g) such that M′′ = σ1M′ and for all i ∈ {1, . . . , n}, M′′i = σ1M′i. We extend σ1 by defining for all i ∈ {1, . . . , n}, σ1xi = N′′i. Hence σ1att′(M′i, xi) = att′(M′′i, N′′i) for all i ∈ {1, . . . , n} and Σ ⊢ H2nounif = σHnounif = σ1Hnounif since for all i ∈ {1, . . . , n}, Σ ⊢ σ1xi = N′′i = σxi and fv(Hnounif) = {x1, . . . , xn}. We take H1 → C1 = Hnounif ∧ att′(M′1, x1) ∧ . . . ∧ att′(M′n, xn) → bad which yields the result.

The case of Clause (Rt′) is symmetric. □

Lemma 29 Assume P0 is a closed, unevaluated process. If F is derivable from RP0, Σ ⊢ F′′ ∼ F, and nf′S,Σ(F ∪ {F′′}), then F′′ is derivable from RP0 by a derivation D such that nf′S,Σ(F ∪ {D}).


Proof The proof is by induction on the derivation of $F$. Assume that $F$ is derived from $F_1, \ldots, F_n$, using a clause $R \in \mathcal{R}_{P_0}$: there exists a closed substitution $\sigma$ such that $\sigma R = F_1 \wedge \ldots \wedge F_n \to F$. Let $F''$ such that $\Sigma \vdash F'' \sim F$ and $\mathrm{nf}'_{S,\Sigma}(\mathcal{F} \cup \{F''\})$. By Property S2, there exist $F''_1, \ldots, F''_n$ such that $\Sigma \vdash F''_i \sim F_i$ for all $i \in \{1, \ldots, n\}$ and $\mathrm{nf}'_{S,\Sigma}(\mathcal{F} \cup \{F'', F''_1, \ldots, F''_n\})$.

By Lemma 28, there exist a closed substitution $\sigma_1$ and a clause $R' = F'_1 \wedge \ldots \wedge F'_n \to F' \in \mathcal{R}_{P_0}$ such that $F'' = \sigma_1 F'$ and $F''_i \sim \sigma_1 F'_i$ for all $i \in \{1, \ldots, n\}$. So $F''$ is derivable from $F''_1, \ldots, F''_n$ by $R'$. Furthermore, for all $i \in \{1, \ldots, n\}$, $\Sigma \vdash F''_i \sim F_i$, $\mathrm{nf}'_{S,\Sigma}(\mathcal{F} \cup \{F''_1, \ldots, F''_n, F''\})$, and $F_i$ is derivable from $\mathcal{R}_{P_0}$. So by induction hypothesis, $F''_i$ is derivable from $\mathcal{R}_{P_0}$ by a derivation $D_i$ such that $\mathrm{nf}_{S,\Sigma}(\mathcal{F} \cup \{D_1, \ldots, D_i, F''_{i+1}, \ldots, F''_n, F''\})$. (We apply the induction hypothesis with $\mathcal{F} \cup \{D_1, \ldots, D_{i-1}, F''_{i+1}, \ldots, F''_n, F''\}$ instead of $\mathcal{F} \cup \{F''\}$.) Then $F''$ is derivable from $\mathcal{R}_{P_0}$ by a derivation $D$ built from $D_1, \ldots, D_n$ and $R'$, such that $\mathrm{nf}'_{S,\Sigma}(\mathcal{F} \cup \{D\})$. □

Lemma 3 is a particular case of Lemma 29, taking $F = F'' = \mathrm{bad}$.

D Proof of Theorem 3

The following lemma is useful for establishing the soundness of the translation of "there exists no $p$ such that $\sigma D \Downarrow_\Sigma p$" into $\sigma\mathrm{fails}(D)$. This translation appears when we show the soundness of clauses for term evaluations.

Lemma 30 If $\sigma\mathrm{fails}(D)$ is false then there exists a pattern $p$ such that $\sigma D \Downarrow_\Sigma p$.

Proof By definition of fails, there exist a pattern $p$ and $\sigma'$ such that $D \Downarrow' (p, \sigma')$ and $\sigma\mathrm{nounif}(D, \mathrm{GVar}(\sigma' D))$ is false. By definition of nounif, there exists a closed $\sigma''$ such that $\Sigma \vdash \sigma D = \sigma''\sigma' D$. By Lemma 25, since $D \Downarrow' (p, \sigma')$, there exists $p'$ such that $\sigma''\sigma' D \Downarrow_\Sigma p'$ and $\Sigma \vdash p' = \sigma'' p$. By a variant of Lemma 18 for patterns instead of terms, $\Sigma \vdash \sigma D = \sigma''\sigma' D$ implies $\sigma D \Downarrow_\Sigma p''$ for some $p''$ such that $\Sigma \vdash p'' = p'$. □

Proof (of Theorem 3) We exploit the theory developed in [3, 16] to prove the hypotheses of Lemma 2. This theory uses a type system to express the invariant that corresponds to the soundness of the clauses, and a subject reduction theorem to show that the invariant is indeed preserved. Here, types range over pairs of closed patterns, after adding constant session identifiers $\lambda$ to the grammar of patterns.

We first define instrumented biprocesses in which a pattern is associated with each name. The syntax of instrumented biprocesses is the same as the syntax of biprocesses except that the replication is replaced with $!^i P$ where $i$ is a variable session identifier and the restriction is replaced with $(\nu a : a_0[M_1, \ldots, M_n])$ where $a_0$ is a function symbol and $M_1, \ldots, M_n$ are terms or (constant or variable) session identifiers. In Section 6.3 and below, we reuse the name $a$ as function symbol $a_0$. In contrast with $a$ and any names occurring in $M_1, \ldots, M_n$, however, the function symbol $a_0$ is not subject to renaming, so we may have $a \neq a_0$ after an $\alpha$-conversion on $a$.

To every closed biprocess $P$ with pairwise distinct bound variables, we associate the instrumented biprocess $\mathrm{instr}(P)$ obtained by adding a distinct session identifier $i$ to each replication in $P$ and by labelling each restriction $(\nu a)$ of $P$ with $(\nu a : a[x_1, \ldots, x_n])$ where $x_1, \ldots, x_n$ are the variables and session identifiers bound above $(\nu a)$ in $\mathrm{instr}(P)$. Conversely, we let $\mathrm{delete}(P)$ be the biprocess obtained by erasing instrumentation from any instrumented biprocess $P$.

We define the semantics of instrumented biprocesses using configurations $\Lambda; P$ where $\Lambda$ is a countable set of constant session identifiers and $P$ is an instrumented biprocess. Intuitively, $\Lambda$ is the set of session identifiers not yet used in the reduction of $P$. The rule (Red Repl) is defined as follows for instrumented biprocesses:

$\Lambda; !^i P \to \Lambda - \{\lambda\}; !^i P \mid P\{\lambda/i\}$   if $\lambda \in \Lambda$


262 Bruno Blanchet, Martın Abadi, and Cedric Fournet

This rule chooses a fresh session identifier $\lambda$ in $\Lambda$, removes it from $\Lambda$, and uses it for the new copy of $P$. The other rules of Figures 2 and 3 that define reduction and structural congruence are lifted from $P \to Q$ to $\Lambda; P \to \Lambda; Q$ and from $P \equiv Q$ to $\Lambda; P \equiv \Lambda; Q$.

By construction, instrumented biprocesses include the variables that were collected by $s$ and $s'$ in the definition of $[\![\ ]\!]\rho s s' H$ of Section 6.3. Hence, the clauses $[\![P]\!]\rho_0\emptyset\emptyset\emptyset$ can be computed from $\mathrm{instr}(P)$ as follows: $[\![P]\!]\rho_0\emptyset\emptyset\emptyset = [\![\mathrm{instr}(P)]\!]\rho_0\emptyset$ where

$[\![0]\!]\rho H = \emptyset$

$[\![!^i P]\!]\rho H = [\![P]\!](\rho[i \mapsto (i, i)])H$

$[\![P \mid Q]\!]\rho H = [\![P]\!]\rho H \cup [\![Q]\!]\rho H$

$[\![(\nu a : a[x_1, \ldots, x_n])P]\!]\rho H = [\![P]\!](\rho[a \mapsto (a[\rho(x_1)_1, \ldots, \rho(x_n)_1], a[\rho(x_1)_2, \ldots, \rho(x_n)_2])])H$

$[\![M(x).P]\!]\rho H = [\![P]\!](\rho[x \mapsto (x', x'')])(H \wedge \mathrm{msg}'(\rho(M)_1, x', \rho(M)_2, x'')) \cup \{H \to \mathrm{input}'(\rho(M)_1, \rho(M)_2)\}$
    where $x'$ and $x''$ are fresh variables

$[\![M\langle N\rangle.P]\!]\rho H = [\![P]\!]\rho H \cup \{H \to \mathrm{msg}'(\rho(M)_1, \rho(N)_1, \rho(M)_2, \rho(N)_2)\}$

$[\![\mathrm{let}\ x = D\ \mathrm{in}\ P\ \mathrm{else}\ Q]\!]\rho H = \bigcup \{[\![P]\!]((\sigma\rho)[x \mapsto (p, p')])(\sigma H) \mid (\rho(D)_1, \rho(D)_2) \Downarrow' ((p, p'), \sigma)\}$
    $\cup\ [\![Q]\!]\rho(H \wedge \rho(\mathrm{fails}(\mathrm{fst}(D)))_1 \wedge \rho(\mathrm{fails}(\mathrm{snd}(D)))_2)$
    $\cup\ \{\sigma H \wedge \sigma\rho(\mathrm{fails}(\mathrm{snd}(D)))_2 \to \mathrm{bad} \mid \rho(D)_1 \Downarrow' (p, \sigma)\}$
    $\cup\ \{\sigma H \wedge \sigma\rho(\mathrm{fails}(\mathrm{fst}(D)))_1 \to \mathrm{bad} \mid \rho(D)_2 \Downarrow' (p', \sigma)\}$

Let $C$ be a plain evaluation context. For each reduction $\mathrm{unevaluated}(C[P_0]) \to^*_{\Sigma',\Sigma\equiv} P$, there is a reduction $\Lambda_0; \mathrm{instr}(\mathrm{unevaluated}(C[P_0])) \to^*_{\Sigma',\Sigma\equiv} \Lambda; P'$ such that $\mathrm{delete}(P') = P$ (and conversely). Let $P'_0 = \mathrm{instr}(\mathrm{unevaluated}(P_0))$. There exists an unevaluated evaluation context $C'$ such that diff occurs only in terms $\mathrm{diff}[a, a]$ for some names $a$ in $C'$ and $\mathrm{instr}(\mathrm{unevaluated}(C[P_0])) = C'[P'_0]$.

Let $\mathcal{R}_{C',P_0}$ be the set of clauses obtained by adding to $\mathcal{R}_{P_0}$ the clauses

$\mathrm{att}'(a[x_1, \ldots, x_n], a[x_1, \ldots, x_n])$   (Rn′)

such that either $(\nu a : a[x'_1, \ldots, x'_n])$ occurs in $C'$ or $n = 0$, $a \in \mathrm{fn}(C')$, and $a \notin \mathrm{fn}(P'_0)$. The fact bad is derivable from $\mathcal{R}_{C',P_0}$ if and only if bad is derivable from $\mathcal{R}_{P_0}$, since we can replace all patterns $a[\ldots]$ of names created by the context $C'$ with patterns $b[i]$, as long as different names have different images, so we can replace the Clauses (Rn′) with Clause (Rn). Hence, the definition of $\mathcal{R}_{P_0}$ is sufficient.

Next, we define a type system, similar to that of [3, Section 7]. Here, the types are pairs of closed patterns. The type environment $E$ is a function from variables and names to types. It is extended to terms as a substitution, so that a term $M$ has type $E(M)$. The typing judgment $E \vdash P$ says that the instrumented biprocess $P$ is well-typed in environment $E$. This judgment is formally defined in Figure 5, where $\mathcal{F}_{C',P_0}$ is the set of closed facts derivable from $\mathcal{R}_{C',P_0}$.

$\mathrm{input}'(E(M)_1, E(M)_2) \in \mathcal{F}_{C',P_0}$
$\forall p_1, p_2$ such that $\mathrm{msg}'(E(M)_1, p_1, E(M)_2, p_2) \in \mathcal{F}_{C',P_0}$, $E[x \mapsto (p_1, p_2)] \vdash P$
-----------------------------------------------------------------------------------------  (Input)
$E \vdash M(x).P$

$\mathrm{msg}'(E(M)_1, E(N)_1, E(M)_2, E(N)_2) \in \mathcal{F}_{C',P_0}$    $E \vdash P$
-----------------------------------------------------------------------------------------  (Output)
$E \vdash M\langle N\rangle.P$

-----------------------------------------------------------------------------------------  (Nil)
$E \vdash 0$

$E \vdash P$    $E \vdash Q$
-----------------------------------------------------------------------------------------  (Parallel)
$E \vdash P \mid Q$

$\forall \lambda, E[i \mapsto (\lambda, \lambda)] \vdash P$
-----------------------------------------------------------------------------------------  (Replication)
$E \vdash\ !^i P$

$E[a \mapsto (a_0[E(M_1)_1, \ldots, E(M_n)_1], a_0[E(M_1)_2, \ldots, E(M_n)_2])] \vdash P$
-----------------------------------------------------------------------------------------  (Restriction)
$E \vdash (\nu a : a_0[M_1, \ldots, M_n])P$

$\forall p_1, p_2$ such that $E(D)_1 \Downarrow_{\Sigma'} p_1$ and $E(D)_2 \Downarrow_{\Sigma'} p_2$, $E[x \mapsto (p_1, p_2)] \vdash P$
if $\nexists p_1, E(D)_1 \Downarrow_\Sigma p_1$ and $\nexists p_2, E(D)_2 \Downarrow_\Sigma p_2$, then $E \vdash Q$
if $\exists p_1, E(D)_1 \Downarrow_{\Sigma'} p_1$ and $\nexists p_2, E(D)_2 \Downarrow_\Sigma p_2$, then $\mathrm{bad} \in \mathcal{F}_{C',P_0}$
if $\nexists p_1, E(D)_1 \Downarrow_\Sigma p_1$ and $\exists p_2, E(D)_2 \Downarrow_{\Sigma'} p_2$, then $\mathrm{bad} \in \mathcal{F}_{C',P_0}$
-----------------------------------------------------------------------------------------  (Term evaluation)
$E \vdash \mathrm{let}\ x = D\ \mathrm{in}\ P\ \mathrm{else}\ Q$

Figure 5: Type rules

When $M_1, \ldots, M_n$ is a sequence of terms and (variable or constant) session identifiers, as in labels of restrictions, we define $\mathrm{last}(M_1, \ldots, M_n)$ as the last $M_i$ that is a session identifier, or $\emptyset$ when no $M_i$ is a session identifier. Let us define the multiset $\mathrm{Label}(P)$ as follows: $\mathrm{Label}((\nu a : a_0[M_1, \ldots, M_n])P) = \{(a_0, \mathrm{last}(M_1, \ldots, M_n))\} \cup \mathrm{Label}(P)$, $\mathrm{Label}(!^i P) = \emptyset$, and in all other cases, $\mathrm{Label}(P)$ is the union of the $\mathrm{Label}(P')$ for all immediate subprocesses $P'$ of $P$. When $E$ maps names to closed patterns, let $\mathrm{Label}(E) = \{(a_0, \mathrm{last}(M_1, \ldots, M_n)) \mid (a \mapsto a_0[M_1, \ldots, M_n]) \in E\}$. Let $\mathrm{Label}(\Lambda) = \{(a, \lambda) \mid \lambda \in \Lambda\}$. We say that $E \vdash \Lambda; P$ is well-labelled when the multisets $\mathrm{Label}(E_1) \cup \mathrm{Label}(\Lambda) \cup \mathrm{Label}(P)$ and $\mathrm{Label}(E_2) \cup \mathrm{Label}(\Lambda) \cup \mathrm{Label}(P)$ contain no duplicates, where $E_1$ and $E_2$ are the first and second components of $E$. We say that $E \vdash \Lambda; P$ when $E \vdash \Lambda; P$ is well-labelled and $E \vdash P$. Showing that $\mathrm{Label}(E_1)$ and $\mathrm{Label}(E_2)$ contain no duplicates guarantees that different terms have different types. More precisely, if $E$ maps names to closed patterns $a[\ldots]$, $E$ is extended to terms as a substitution, and $\mathrm{Label}(E)$ contains no duplicates, then we have the following properties:

E1. $E$ is an injection (if $E(M) = E(N)$ then $M = N$) and also an injection modulo $\Sigma$ (if $\Sigma \vdash E(M) = E(N)$ then $\Sigma \vdash M = N$).

E2. Let $N$ be a term not containing names; if $E(M')$ is an instance of $N$, then $M'$ is an instance of $N$; if $E(M')$ is an instance of $N$ modulo $\Sigma$, then $M'$ is an instance of $N$ modulo $\Sigma$.

E3. If $D \Downarrow_{\Sigma'} M$, then $E(D) \Downarrow_{\Sigma'} E(M)$. (This is proved by induction on $D$.)

E4. If $\Sigma \vdash D' = E(D)$ and $D' \Downarrow_\Sigma p'$ then there exists $M$ such that $\Sigma \vdash p' = E(M)$ and $D \Downarrow_\Sigma M$. (This is proved by induction on $D$, using E2.)

Let $E_0 = \{a \mapsto (a[\,], a[\,]) \mid a \in \mathrm{fn}(C'[P'_0])\}$.

1. Typability of the adversary: Let $P'$ be a subprocess of $C'$. Let $E$ be an environment such that for all $a \in \mathrm{fn}(P')$, $\mathrm{att}'(E(a), E(a)) \in \mathcal{F}_{C',P_0}$ and for all $x \in \mathrm{fv}(P')$, $\mathrm{att}'(E(x), E(x)) \in \mathcal{F}_{C',P_0}$. We show that $E \vdash P'$ by induction on $P'$, similarly to [3, Lemma 5.1.4].

We detail the case of term evaluations, since it significantly differs from that in [3]. In order to show the desired property in this case, it suffices to show that if for all $a \in \mathrm{fn}(D)$, $\mathrm{att}'(E(a), E(a)) \in \mathcal{F}_{C',P_0}$ and for all $x \in \mathrm{fv}(D)$, $\mathrm{att}'(E(x), E(x)) \in \mathcal{F}_{C',P_0}$, then we have the two properties:


(a) if $E(D)_1 \Downarrow_{\Sigma'} p_1$ and $E(D)_2 \Downarrow_{\Sigma'} p_2$, then $\mathrm{att}'(p_1, p_2) \in \mathcal{F}_{C',P_0}$;

(b) if $E(D)_1 \Downarrow_{\Sigma'} p_1$ and $\nexists p_2, E(D)_2 \Downarrow_\Sigma p_2$, then $\mathrm{bad} \in \mathcal{F}_{C',P_0}$; symmetrically, if $E(D)_2 \Downarrow_{\Sigma'} p_2$ and $\nexists p_1, E(D)_1 \Downarrow_\Sigma p_1$, then $\mathrm{bad} \in \mathcal{F}_{C',P_0}$.

The proof is by induction on D.

• Case $D = \mathrm{diff}[a, a]$: We have $E(D)_1 = E(a)_1 \Downarrow_{\Sigma'} E(a)_1$ and $E(D)_2 = E(a)_2 \Downarrow_{\Sigma'} E(a)_2$, and by hypothesis $\mathrm{att}'(E(a)_1, E(a)_2) \in \mathcal{F}_{C',P_0}$, so Property (a) holds. We also have $E(D)_1 = E(a)_1 \Downarrow_\Sigma E(a)_1$ and $E(D)_2 = E(a)_2 \Downarrow_\Sigma E(a)_2$, so Property (b) holds.

• Case $D = x$: This case is similar to that for $D = \mathrm{diff}[a, a]$.

• Case $D = \mathrm{eval}\ h(D_1, \ldots, D_n)$: Property (a) follows from the induction hypothesis and Clause (Rf). Next, we prove the first part of Property (b). The second part of Property (b) follows by symmetry.

Since $E(D)_1 \Downarrow_{\Sigma'} p_1$, there exist $h(N_1, \ldots, N_n) \to N$ in $\mathrm{def}_{\Sigma'}(h)$, $p_1, p_{1,1}, \ldots, p_{1,n}$, and $\sigma$ such that $E(D_i)_1 \Downarrow_{\Sigma'} p_{1,i}$ for all $i \in \{1, \ldots, n\}$, $p_1 = \sigma N$, and $p_{1,i} = \sigma N_i$ for all $i \in \{1, \ldots, n\}$. Since there exists no $p_2$ such that $E(D)_2 \Downarrow_\Sigma p_2$, either for some $i \in \{1, \ldots, n\}$ there exists no $p_{2,i}$ such that $E(D_i)_2 \Downarrow_\Sigma p_{2,i}$ (and $\mathrm{bad} \in \mathcal{F}_{C',P_0}$ by induction hypothesis), or for all $i \in \{1, \ldots, n\}$ there exists $p_{2,i}$ such that $E(D_i)_2 \Downarrow_\Sigma p_{2,i}$, and there exist no $h(N'_1, \ldots, N'_n) \to N'$ in $\mathrm{def}_\Sigma(h)$ and $\sigma$ such that for all $i \in \{1, \ldots, n\}$, $\Sigma \vdash p_{2,i} = \sigma N'_i$. Hence, $h$ must be a destructor.

By Property S2, there exists an environment $E'$ such that $\Sigma \vdash E'(a) = E(a)$ for all $a \in \mathrm{fn}(D)$, $\Sigma \vdash E'(x) = E(x)$ for all $x \in \mathrm{fv}(D)$, and $\mathrm{nf}_{S,\Sigma}(E')$. By Lemma 29, $\mathrm{att}'(E'(a)_1, E'(a)_2) \in \mathcal{F}_{C',P_0}$ for all $a \in \mathrm{fn}(D)$ and $\mathrm{att}'(E'(x)_1, E'(x)_2) \in \mathcal{F}_{C',P_0}$ for all $x \in \mathrm{fv}(D)$. We have $\mathrm{nf}_{S,\Sigma}(E'(D_i))$ and $\Sigma \vdash E'(D_i)_2 = E(D_i)_2$. By Property S2, there exist $p'_{2,1}, \ldots, p'_{2,n}$ such that $\Sigma \vdash p'_{2,i} = p_{2,i}$ for all $i \in \{1, \ldots, n\}$ and $\mathrm{nf}_{S,\Sigma}(E', p'_{2,1}, \ldots, p'_{2,n})$. By a variant of Lemma 14 for patterns instead of terms, $E'(D_i)_2 \Downarrow_{\Sigma'} p'_{2,i}$ for all $i \in \{1, \ldots, n\}$.

By a variant of Lemma 18 for patterns instead of terms, $E'(D_i)_1 \Downarrow_\Sigma p'_{1,i}$ for some $p'_{1,i}$ such that $\Sigma \vdash p'_{1,i} = p_{1,i}$. By Property S2, there exist $p''_{1,1}, \ldots, p''_{1,n}, p''_1$ such that $\Sigma \vdash p''_{1,i} = p'_{1,i}$ for all $i \in \{1, \ldots, n\}$, $\Sigma \vdash p''_1 = p_1$, and $\mathrm{nf}_{S,\Sigma}(E', p'_{2,1}, \ldots, p'_{2,n}, p''_{1,1}, \ldots, p''_{1,n}, p''_1)$. By a variant of Lemma 14 for patterns instead of terms, $E'(D_i)_1 \Downarrow_{\Sigma'} p''_{1,i}$ for all $i \in \{1, \ldots, n\}$. By induction hypothesis, Property (a), we obtain $\mathrm{att}'(p''_{1,i}, p'_{2,i}) \in \mathcal{F}_{C',P_0}$ for all $i \in \{1, \ldots, n\}$.

Since $\Sigma \vdash p'_{2,i} = p_{2,i}$, there exist no $\sigma$ and $h(N'_1, \ldots, N'_n) \to N'$ in $\mathrm{def}_\Sigma(h)$ such that for all $i \in \{1, \ldots, n\}$, $\Sigma \vdash p'_{2,i} = \sigma N'_i$. By Lemma 16, there exist no $\sigma$ and $h(N'_1, \ldots, N'_n) \to N'$ in $\mathrm{def}_{\Sigma'}(h)$ such that for all $i \in \{1, \ldots, n\}$, $\Sigma \vdash p'_{2,i} = \sigma N'_i$, that is, we have

$$\bigwedge_{h(N'_1, \ldots, N'_n) \to N' \ \text{in}\ \mathrm{def}_{\Sigma'}(h)} \mathrm{nounif}((p'_{2,1}, \ldots, p'_{2,n}), \mathrm{GVar}(N'_1, \ldots, N'_n))$$

Since $\Sigma \vdash p''_{1,i} = p_{1,i}$, $\Sigma \vdash p''_1 = p_1$, and $\mathrm{nf}_{S,\Sigma}(p''_{1,1}, \ldots, p''_{1,n}, p''_1)$, by Lemma 16 and a variant of Lemma 13 for patterns instead of terms, there exist $h(N_1, \ldots, N_n) \to N$ in $\mathrm{def}_{\Sigma'}(h)$ and $\sigma$ such that $p''_{1,i} = \sigma N_i$ for all $i \in \{1, \ldots, n\}$ and $p''_1 = \sigma N$. Hence, by Clause (Rt), $\mathrm{bad} \in \mathcal{F}_{C',P_0}$.

2. Typability of $P'_0$: We prove by induction on the process $P$, subprocess of $P'_0$, that, if (a) $\rho$ binds all free names and variables of $P$, (b) $\sigma$ is a closed substitution, (c) $\mathcal{R}_{C',P_0} \supseteq [\![P]\!]\rho H$, and (d) $\sigma H$ can be derived from $\mathcal{R}_{C',P_0}$, then $\sigma\rho \vdash P$.

Again, we detail the case of term evaluations. We suppose that $\rho$ binds all free names and variables of $\mathrm{let}\ x = D\ \mathrm{in}\ P\ \mathrm{else}\ Q$, $\sigma$ is a closed substitution, $\mathcal{R}_{C',P_0} \supseteq [\![\mathrm{let}\ x = D\ \mathrm{in}\ P\ \mathrm{else}\ Q]\!]\rho H$, and $\sigma H$ is derivable from $\mathcal{R}_{C',P_0}$. We show that $\sigma\rho \vdash \mathrm{let}\ x = D\ \mathrm{in}\ P\ \mathrm{else}\ Q$. To apply the type rule (Term evaluation), it suffices to show that:

• For all $p_1, p_2$ such that $\sigma\rho(D)_1 \Downarrow_{\Sigma'} p_1$ and $\sigma\rho(D)_2 \Downarrow_{\Sigma'} p_2$, we have $\sigma\rho[x \mapsto (p_1, p_2)] \vdash P$.

By a variant of Lemma 11 for patterns instead of terms, there exist $p'_1, p'_2, \sigma'$, and $\sigma''$ such that $(\rho(D)_1, \rho(D)_2) \Downarrow' ((p'_1, p'_2), \sigma')$, $p_1 = \sigma'' p'_1$, $p_2 = \sigma'' p'_2$, and $\sigma = \sigma''\sigma'$ except on the fresh variables introduced in the computation of $(\rho(D)_1, \rho(D)_2) \Downarrow' ((p'_1, p'_2), \sigma')$.

Hence $\sigma''\sigma' H = \sigma H$ can be derived from $\mathcal{R}_{C',P_0}$, and $[\![P]\!]((\sigma'\rho)[x \mapsto (p'_1, p'_2)])(\sigma' H) \subseteq [\![\mathrm{let}\ x = D\ \mathrm{in}\ P\ \mathrm{else}\ Q]\!]\rho H \subseteq \mathcal{R}_{C',P_0}$ so, by induction hypothesis, $\sigma''(\sigma'\rho[x \mapsto (p'_1, p'_2)]) \vdash P$, that is, $\sigma\rho[x \mapsto (p_1, p_2)] \vdash P$.

• If there exists no $p_1$ such that $\sigma\rho(D)_1 \Downarrow_\Sigma p_1$ and there exists no $p_2$ such that $\sigma\rho(D)_2 \Downarrow_\Sigma p_2$, then $\sigma\rho \vdash Q$.

By Lemma 30, $\sigma\rho(\mathrm{fails}(\mathrm{fst}(D)))_1$ and $\sigma\rho(\mathrm{fails}(\mathrm{snd}(D)))_2$ are true, so $\sigma(H \wedge \rho(\mathrm{fails}(\mathrm{fst}(D)))_1 \wedge \rho(\mathrm{fails}(\mathrm{snd}(D)))_2)$ can be derived from $\mathcal{R}_{C',P_0}$. Moreover $[\![Q]\!]\rho(H \wedge \rho(\mathrm{fails}(\mathrm{fst}(D)))_1 \wedge \rho(\mathrm{fails}(\mathrm{snd}(D)))_2) \subseteq [\![\mathrm{let}\ x = D\ \mathrm{in}\ P\ \mathrm{else}\ Q]\!]\rho H \subseteq \mathcal{R}_{C',P_0}$ so, by induction hypothesis, $\sigma\rho \vdash Q$.

• If there exists $p_1$ such that $\sigma\rho(D)_1 \Downarrow_{\Sigma'} p_1$ and there exists no $p_2$ such that $\sigma\rho(D)_2 \Downarrow_\Sigma p_2$, then $\mathrm{bad} \in \mathcal{F}_{C',P_0}$.

By a variant of Lemma 11 for patterns instead of terms, there exist $p'_1, \sigma'$, and $\sigma''$ such that $\rho(D)_1 \Downarrow' (p'_1, \sigma')$, $p_1 = \sigma'' p'_1$, and $\sigma = \sigma''\sigma'$ except on the fresh variables introduced in the computation of $\rho(D)_1 \Downarrow' (p'_1, \sigma')$. There exists no $p_2$ such that $\sigma''\sigma'\rho(D)_2 \Downarrow_\Sigma p_2$, so by Lemma 30, $\sigma''\sigma'\rho(\mathrm{fails}(\mathrm{snd}(D)))_2$ holds, hence $\sigma''(\sigma' H \wedge \sigma'\rho(\mathrm{fails}(\mathrm{snd}(D)))_2)$ can be derived from $\mathcal{R}_{C',P_0}$. Since $\sigma' H \wedge \sigma'\rho(\mathrm{fails}(\mathrm{snd}(D)))_2 \to \mathrm{bad} \in [\![\mathrm{let}\ x = D\ \mathrm{in}\ P\ \mathrm{else}\ Q]\!]\rho H \subseteq \mathcal{R}_{C',P_0}$, $\mathrm{bad} \in \mathcal{F}_{C',P_0}$.

• If there exists no $p_1$ such that $\sigma\rho(D)_1 \Downarrow_\Sigma p_1$ and there exists $p_2$ such that $\sigma\rho(D)_2 \Downarrow_{\Sigma'} p_2$, then $\mathrm{bad} \in \mathcal{F}_{C',P_0}$. This property follows from the one above by symmetry.

By definition, $\mathcal{R}_{C',P_0} \supseteq [\![P'_0]\!]\rho_0\emptyset$, where $\rho_0 = \{a \mapsto (a[\,], a[\,]) \mid a \in \mathrm{fn}(P'_0)\}$. Taking $P = P'_0$, we obtain $E \vdash P'_0$ with $E = \sigma\rho_0 = \{a \mapsto (a[\,], a[\,]) \mid a \in \mathrm{fn}(P'_0)\}$. (This result is similar to [3, Lemma 7.2.2].)

3. Properties of $C'[P'_0]$: We show that $E_0 \vdash \Lambda_0; C'[P'_0]$. In order to prove this result, we show that $E_0 \vdash C'[P'_0]$ by induction on $C'$.

When $C' = [\,]$, the result follows from Property 2. When $C' = (\nu a : a[\,])C''$, the result follows by induction hypothesis and the type rule (Restriction). When $C' = C'' \mid Q$, the result follows from Property 1 and the type rule (Parallel).

4. Substitution lemma: Let $E' = E[x \mapsto (E(M)_1, E(M)_2)]$. We show by induction on $M'$ that $E(M'\{M/x\}) = E'(M')$. We show by induction on $P$ that, if $E' \vdash P$, then $E \vdash P\{M/x\}$. This is similar to [3, Lemma 5.1.1].

5. Subject congruence: If $E \vdash \Lambda; P$ and $P \equiv P'$, then $E \vdash \Lambda; P'$. We prove by induction on the derivation of $P \equiv P'$ that if $E \vdash P$ and $P \equiv P'$, then $E \vdash P'$ and $\mathrm{Label}(P') = \mathrm{Label}(P)$, similarly to [3, Lemma 5.1.2].

6. Subject reduction: If $E \vdash \Lambda; P$ and $\Lambda; P \to \Lambda'; P'$, then $E \vdash \Lambda'; P'$. We prove by induction on the derivation of $\Lambda; P \to \Lambda'; P'$ that if $E \vdash \Lambda; P$ and $\Lambda; P \to \Lambda'; P'$, then $E \vdash \Lambda'; P'$ and $\mathrm{Label}(\Lambda') \cup \mathrm{Label}(P') \subseteq \mathrm{Label}(\Lambda) \cup \mathrm{Label}(P)$, similarly to [3, Lemma 5.1.3].


7. Proof of the second hypothesis of Lemma 2: Assume that

$\mathrm{unevaluated}(C[P_0]) \to^*_{\Sigma',\Sigma\equiv} C_1[\mathrm{let}\ y = D\ \mathrm{in}\ Q\ \mathrm{else}\ Q']$

and $\mathrm{fst}(D) \Downarrow_{\Sigma'} M_1$ for some $M_1$. Then $\Lambda_0; C'[P'_0] \to^*_{\Sigma',\Sigma\equiv} \Lambda; C'_1[\mathrm{let}\ y = D\ \mathrm{in}\ Q_1\ \mathrm{else}\ Q'_1]$ where $\mathrm{delete}(C'_1[\mathrm{let}\ y = D\ \mathrm{in}\ Q_1\ \mathrm{else}\ Q'_1]) = C_1[\mathrm{let}\ y = D\ \mathrm{in}\ Q\ \mathrm{else}\ Q']$. We have $E_0 \vdash \Lambda_0; C'[P'_0]$, so by subject reduction and subject congruence, $E_0 \vdash \Lambda; C'_1[\mathrm{let}\ y = D\ \mathrm{in}\ Q_1\ \mathrm{else}\ Q'_1]$. Since $E_0 \vdash C'_1[\mathrm{let}\ y = D\ \mathrm{in}\ Q_1\ \mathrm{else}\ Q'_1]$ has been derived by type rules (Restriction) and (Parallel), there exists an environment $E$ such that $E \vdash \mathrm{let}\ y = D\ \mathrm{in}\ Q_1\ \mathrm{else}\ Q'_1$ and since $\mathrm{Label}((E_0)_1) \cup \mathrm{Label}(\Lambda) \cup \mathrm{Label}(C'_1[\mathrm{let}\ y = D\ \mathrm{in}\ Q_1\ \mathrm{else}\ Q'_1])$ and $\mathrm{Label}((E_0)_2) \cup \mathrm{Label}(\Lambda) \cup \mathrm{Label}(C'_1[\mathrm{let}\ y = D\ \mathrm{in}\ Q_1\ \mathrm{else}\ Q'_1])$ contain no duplicates, $\mathrm{Label}(E_1)$ and $\mathrm{Label}(E_2)$ contain no duplicates.

Since $\mathrm{fst}(D) \Downarrow_{\Sigma'} M_1$, by Property E3, $E(D)_1 \Downarrow_{\Sigma'} E(M_1)_1$. Since $E \vdash \mathrm{let}\ y = D\ \mathrm{in}\ Q_1\ \mathrm{else}\ Q'_1$ has been derived by type rule (Term evaluation) and $\mathrm{bad} \notin \mathcal{F}_{C',P_0}$, there exists $p_2$ such that $E(D)_2 \Downarrow_\Sigma p_2$. So by Property E4, there exists $M_2$ such that $\mathrm{snd}(D) \Downarrow_\Sigma M_2$, which establishes the second hypothesis of Lemma 2.

8. Proof of the first hypothesis of Lemma 2: Assume that

$\mathrm{unevaluated}(C[P_0]) \to^*_{\Sigma',\Sigma\equiv} C_1[N\langle M\rangle.Q \mid N'(x).R]$

and $\mathrm{fst}(N) = \mathrm{fst}(N')$. As above, there exists an environment $E$ such that $E \vdash N\langle M\rangle.Q' \mid N'(x).R'$ and $E_1$ and $E_2$ satisfy Properties E1, E2, E3, and E4.

Since $E \vdash N\langle M\rangle.Q' \mid N'(x).R'$ has been derived by type rules (Parallel), (Output), and (Input), we have $\mathrm{msg}'(E(N)_1, E(M)_1, E(N)_2, E(M)_2) \in \mathcal{F}_{C',P_0}$ and $\mathrm{input}'(E(N')_1, E(N')_2) \in \mathcal{F}_{C',P_0}$. Since $\mathrm{fst}(N) = \mathrm{fst}(N')$, $E(N)_1 = E(N')_1$. Since bad is not derivable from $\mathcal{R}_{C',P_0}$, $\mathrm{nounif}(E(N)_2, E(N')_2)$ is false (otherwise bad would be derivable by (Rcom)), so, by definition of nounif, $\Sigma \vdash E(N)_2 = E(N')_2$. By Property E1, $E_2$ is injective modulo $\Sigma$ and we obtain $\Sigma \vdash \mathrm{snd}(N') = \mathrm{snd}(N)$.

The symmetric hypotheses of Lemma 2 follow by symmetry.

To conclude our proof of Theorem 3, we apply Lemma 2 and Corollary 1. □

E Proof of Theorem 4

E.1 Unification modulo the equational theory

We use the standard convention that, when computing a most general unifier $\sigma_u$ of $M_i, N_i$ for $i \in \{1, \ldots, n\}$, we always arrange that $\mathrm{dom}(\sigma_u) \cap \mathrm{fv}(\mathrm{im}(\sigma_u)) = \emptyset$ and $\mathrm{dom}(\sigma_u) \cup \mathrm{fv}(\sigma_u M_1, \sigma_u N_1, \ldots, \sigma_u M_n, \sigma_u N_n) \subseteq \bigcup_i (\mathrm{fv}(M_i) \cup \mathrm{fv}(N_i))$. (We recall that $\mathrm{dom}(\sigma) = \{x \mid x \neq \sigma x\}$.) Since $\mathrm{dom}(\sigma_u) \cap \mathrm{fv}(\mathrm{im}(\sigma_u)) = \emptyset$, $\sigma_u$ is idempotent.

If $\sigma$ is a most general unifier of $M_i, N_i$ for $i \in \{1, \ldots, n\}$ and $\sigma'$ is a most general unifier of $\sigma M'_i, \sigma N'_i$ for $i \in \{1, \ldots, n'\}$ then $\sigma'\sigma$ is a most general unifier of $M_i, N_i$ for $i \in \{1, \ldots, n\}$ and $M'_i, N'_i$ for $i \in \{1, \ldots, n'\}$.

Lemma 31 If $\sigma D \Downarrow' (M', \sigma')$ and $\sigma$ is a most general unifier, then $\sigma'\sigma$ is also a most general unifier, and there exists $M''$ such that $M' = \sigma'\sigma M''$.

Proof The proof is by mutual induction following the definition of $\Downarrow'$. All cases are easy. □

Lemma 32 We have $\Sigma \vdash \sigma M = \sigma M'$ if and only if there exist $N$, $N'$, $\sigma'$, and $\sigma_u$ such that $\mathrm{addeval}(M, M') \Downarrow' ((N, N'), \sigma')$, $\sigma_u$ is the most general unifier of $N$ and $N'$, and for all $x \in \mathrm{fv}(M, M')$, $\Sigma \vdash \sigma x = \sigma\sigma_u\sigma' x$.


Proof Assume $\Sigma \vdash \sigma M = \sigma M'$. By Property S2, there exist $M''$ and $\sigma'$ such that $\Sigma \vdash M'' = \sigma M = \sigma M'$, $\Sigma \vdash \sigma x = \sigma' x$ for all $x \in \mathrm{fv}(M, M')$, and $\mathrm{nf}_{S,\Sigma}(\{M''\} \cup \{\sigma' x \mid x \in \mathrm{fv}(M, M')\})$. Since $\Sigma \vdash \sigma' M = \sigma' M' = M''$, by Lemma 12 we have $\sigma'\mathrm{addeval}(M) \Downarrow_{\Sigma'} M''$ and $\sigma'\mathrm{addeval}(M') \Downarrow_{\Sigma'} M''$. By Lemma 11, there exist $N, N', \sigma_1, \sigma'_1$ such that $\mathrm{addeval}(M, M') \Downarrow' ((N, N'), \sigma_1)$, $M'' = \sigma'_1 N$, $M'' = \sigma'_1 N'$, and $\sigma' = \sigma'_1\sigma_1$ except on fresh variables introduced in the computation of $\mathrm{addeval}(M, M') \Downarrow' ((N, N'), \sigma_1)$.

So $N$ and $N'$ unify. Let $\sigma_u$ be their most general unifier. Let $\sigma''_1$ such that $\sigma'_1 = \sigma''_1\sigma_u$. Let $x \in \mathrm{fv}(M, M')$. We have $\Sigma \vdash \sigma x = \sigma' x = \sigma''_1\sigma_u\sigma_1 x = \sigma''_1\sigma_u\sigma_1\sigma_u\sigma_1 x = \sigma'\sigma_u\sigma_1 x = \sigma\sigma_u\sigma_1 x$. (Indeed, $\sigma_u\sigma_1$ is a most general unifier by Lemma 31 and the composition of most general unifiers, so it is idempotent.)

Conversely, assume that there exist $N, N', \sigma', \sigma_u$ such that $\mathrm{addeval}(M, M') \Downarrow' ((N, N'), \sigma')$, $\sigma_u$ is the most general unifier of $N$ and $N'$ and for all $x \in \mathrm{fv}(M, M')$, $\Sigma \vdash \sigma x = \sigma\sigma_u\sigma' x$. Then

$\Sigma \vdash \sigma M = \sigma\sigma_u\sigma' M$

$= \sigma\sigma_u N$   by Lemma 15

$= \sigma\sigma_u N'$   since $\sigma_u$ is the most general unifier of $N$ and $N'$

$= \sigma\sigma_u\sigma' M'$   by Lemma 15 again

$= \sigma M'$   □

E.2 Soundness of the solving algorithm

The following proofs are partly adaptations of previous proofs [15, 18]. In addition, they establish the soundness of all simplifications for nounif.

Let $\mathcal{R}_0 = \mathcal{R}_{P_0}$ be the initial set of clauses, $\mathcal{R}_1 = \mathrm{saturate}(\mathcal{R}_0)$ be the final set of clauses, and $\mathcal{R}$ be the set of clauses during the saturation. At the end of the saturation algorithm, we have $\mathcal{R}_1 = \{R \in \mathcal{R} \mid \mathrm{sel}(R) = \emptyset\}$.

Lemma 33 At the end of the saturation, $\mathcal{R}$ satisfies the following properties:

1. For all $R \in \mathrm{simplify}(\mathcal{R}_0)$, there exists $R' \in \mathcal{R}$ such that $R' \sqsupseteq R$.

2. Let $R \in \mathcal{R}$ and $R' \in \mathcal{R}$. Assume that $\mathrm{sel}(R) = \emptyset$ and there exists $F_0 \in \mathrm{sel}(R')$ such that $R \circ_{F_0} R'$ is defined. In this case, for all $R'' \in \mathrm{simplify}(R \circ_{F_0} R')$, there exists $R''' \in \mathcal{R}$ such that $R''' \sqsupseteq R''$.

Proof To prove the first property, let $R \in \mathrm{simplify}(\mathcal{R}_0)$. We show that during the whole execution of the saturation, there exists $R' \in \mathcal{R}$ such that $R' \sqsupseteq R$.

The algorithm first builds $\mathrm{simplify}(\mathcal{R}_0)$ (which obviously satisfies the required property), then removes subsumed clauses by condense. The property is preserved by elimination of subsumed clauses. So $\mathcal{R} = \mathrm{condense}(\mathcal{R}_0)$ satisfies the property. Further additions of clauses and eliminations of subsumed clauses preserve the property, so we have the result.

The second property states that the fixpoint is reached at the end of saturation. □

We now give a precise definition of derivations.

Definition 7 (Derivation) Let $T_{\mathrm{facts}}$ be the set of true nounif facts. Let $\mathcal{R}$ be a set of clauses and $F$ be a closed fact. A derivation of $F$ from $\mathcal{R}$ is a finite tree defined as follows:

1. Nodes (except the root) are labelled by clauses $R \in \mathcal{R}$ or nounif facts in $T_{\mathrm{facts}}$.

2. Edges are labelled by closed facts. (Edges go from a node to each of its sons.)

3. The root has one outgoing edge, labelled by $F$.

4. If the tree contains a node labelled by $R$ with one incoming edge labelled by $F_0$ and $n$ outgoing edges labelled by $F_1, \ldots, F_n$, then $R \sqsupseteq \{F_1, \ldots, F_n\} \to F_0$. If the tree contains a node labelled by a fact in $T_{\mathrm{facts}}$, then this node has one incoming edge labelled by the same fact and no outgoing edge.

In a derivation, if there is a node labelled by $R$ with one incoming edge labelled by $F_0$ and $n$ outgoing edges labelled by $F_1, \ldots, F_n$, then the clause $R$ can be used to infer $F_0$ from $F_1, \ldots, F_n$. Therefore, there exists a derivation of $F$ from $\mathcal{R}$ if and only if $F$ can be inferred from clauses in $\mathcal{R}$.

The key idea of the proof of the algorithm is the following. Assume that bad is derivable from $\mathcal{R}_0$ and consider a derivation of bad from $\mathcal{R}_0$. Assume that the clauses $R$ and $R'$ are applied one after the other in the derivation of bad. Also assume that these clauses have been combined by $R \circ_{F_0} R'$, yielding clause $R''$. In this case, we replace $R'$ by $R''$ in the derivation of bad. When no more replacement can be made, we show that all remaining clauses have no selected hypothesis. Then all these clauses are in $\mathcal{R}_1 = \mathrm{saturate}(\mathcal{R}_0)$, and we have built a derivation of bad from $\mathcal{R}_1$. Moreover, this replacement process terminates because the number of nodes of the derivation strictly decreases.

Lemma 34 Consider a derivation that contains a node $\eta'$, labelled $R'$. Let $F_0$ be a hypothesis of $R'$. Then there exists a son $\eta$ of $\eta'$, labelled $R$, such that the edge from $\eta'$ to $\eta$ is labelled by an instance of $F_0$, $R \circ_{F_0} R'$ is defined, and we still have a derivation of the same fact if we replace the nodes $\eta$ and $\eta'$ by a node $\eta''$ labelled $R'' = R \circ_{F_0} R'$.

Proof This proof is already given in [18], with a figure. Let $R' = H' \to C'$, $H'_1$ be the multiset of the labels of the outgoing edges of $\eta'$, and $C'_1$ the label of its incoming edge. We have $R' \sqsupseteq (H'_1 \to C'_1)$, then there exists $\sigma$ such that $\sigma H' \subseteq H'_1$ and $\sigma C' = C'_1$. Then there is an outgoing edge of $\eta'$ labelled $\sigma F_0$, since $\sigma F_0 \in H'_1$. Let $\eta$ be the node at the end of this edge, let $R = H \to C$ be the label of $\eta$. We rename the variables of $R$ so that they are distinct from the variables of $R'$. Let $H_1$ be the multiset of the labels of the outgoing edges of $\eta$. Then $R \sqsupseteq (H_1 \to \sigma F_0)$. By the above choice of distinct variables, we can then extend $\sigma$ in such a way that $\sigma H \subseteq H_1$ and $\sigma C = \sigma F_0$.

The edge from $\eta'$ to $\eta$ is labelled $\sigma F_0$, which is an instance of $F_0$. We have $\sigma C = \sigma F_0$, then $C$ and $F_0$ are unifiable, then $R \circ_{F_0} R'$ is defined. Let $\sigma'$ be the most general unifier of $C$ and $F_0$, and $\sigma''$ such that $\sigma = \sigma''\sigma'$. We have $R \circ_{F_0} R' = \sigma'(H \cup (H' - F_0)) \to \sigma' C'$. Moreover, $\sigma''\sigma'(H \cup (H' - F_0)) \subseteq H_1 \cup (H'_1 - \sigma F_0)$ and $\sigma''\sigma' C' = \sigma C' = C'_1$. Then $R'' = R \circ_{F_0} R' \sqsupseteq (H_1 \cup (H'_1 - \sigma F_0)) \to C'_1$. The multiset of labels of outgoing edges of $\eta''$ is precisely $H_1 \cup (H'_1 - \sigma F_0)$ and the label of its incoming edge is $C'_1$, so we have obtained a correct derivation by replacing $\eta$ and $\eta'$ with $\eta''$. □

Lemma 35 If $D$ is a derivation whose node $\eta$ is labelled $R$, then we obtain a derivation $D'$ of the same fact by relabelling $\eta$ with a clause $R'$ such that $R' \sqsupseteq R$.

Proof Let $H$ be the multiset of labels of outgoing edges of the considered node $\eta$, and $C$ be the label of its incoming edge. We have $R \sqsupseteq H \to C$. By transitivity of $\sqsupseteq$, $R' \sqsupseteq H \to C$. So we can relabel $\eta$ with $R'$. □
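As an added example (not code from the paper or from ProVerif), the following Python implements the idempotent most general unifier of Section E.1, the subsumption relation $\sqsupseteq$ of Definition 7 and the resolution step $R \circ_{F_0} R'$ of Lemma 34, and applies the replacement of the nodes $\eta$, $\eta'$ by $\eta''$ on a small derivation whose node count drops, as the key idea above requires. Facts are single-argument att atoms rather than the paper's att′ pairs; the protocol output clause, the key-leak clause and the decryption clause are constructed.

```python
"""Resolution R o_{F0} R', subsumption and derivation checking (Definition 7, Lemma 34).
Added example; the clauses and the derivation below are constructed, not taken from the paper."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    name: str


# Terms and facts: a Var or a tuple (symbol, arg_1, ..., arg_n); a clause is (hypotheses, conclusion).
def subst(s, t):
    """Apply an idempotent substitution (dict Var -> term) to a term."""
    if isinstance(t, Var):
        return s.get(t, t)
    return (t[0],) + tuple(subst(s, a) for a in t[1:])


def occurs(v, t):
    return t == v if isinstance(t, Var) else any(occurs(v, a) for a in t[1:])


def unify(pairs):
    """Most general unifier of the given (term, term) pairs, or None.  The result is kept
    idempotent (dom(s) disjoint from fv(im(s))), the convention used in Section E.1."""
    s, todo = {}, list(pairs)
    while todo:
        a, b = todo.pop()
        a, b = subst(s, a), subst(s, b)
        if a == b:
            continue
        if not isinstance(a, Var) and isinstance(b, Var):
            a, b = b, a
        if isinstance(a, Var):
            if occurs(a, b):
                return None
            s = {u: subst({a: b}, w) for u, w in s.items()}  # keep images free of a
            s[a] = b
        elif a[0] == b[0] and len(a) == len(b):
            todo.extend(zip(a[1:], b[1:]))
        else:
            return None
    return s


def match(pat, tgt, s):
    """One-way matching: extend s so that subst(s, pat) == tgt, treating tgt as rigid."""
    if isinstance(pat, Var):
        if pat in s:
            return s if s[pat] == tgt else None
        return {**s, pat: tgt}
    if isinstance(tgt, Var) or pat[0] != tgt[0] or len(pat) != len(tgt):
        return None
    for a, b in zip(pat[1:], tgt[1:]):
        s = match(a, b, s)
        if s is None:
            return None
    return s


def subsumes(r1, r2):
    """r1 ⊒ r2: some σ with σ·hyps(r1) ⊆ hyps(r2) as multisets and σ·concl(r1) == concl(r2)."""
    (h1, c1), (h2, c2) = r1, r2

    def place(i, used, s):  # inject the i-th hypothesis of r1 into an unused hypothesis of r2
        if i == len(h1):
            return True
        return any(place(i + 1, used | {j}, s1) for j, f in enumerate(h2) if j not in used
                   for s1 in [match(h1[i], f, s)] if s1 is not None)

    s = match(c1, c2, {})
    return s is not None and place(0, frozenset(), s)


def rename(clause, tag):
    """Rename every variable of a clause so that it shares none with another clause."""
    def rn(t):
        return Var(t.name + tag) if isinstance(t, Var) else (t[0],) + tuple(rn(a) for a in t[1:])
    hyps, concl = clause
    return tuple(rn(f) for f in hyps), rn(concl)


def resolve(r, r2, f0):
    """R ∘_{F0} R' = σ'(H ∪ (H' − F0)) → σ'C' where σ' = mgu(C, F0); None when undefined."""
    h, c = rename(r, "'")          # variables of R made distinct from those of R'
    h2, c2 = r2
    s = unify([(c, f0)])
    if s is None:
        return None
    rest = list(h2)
    rest.remove(f0)                # multiset difference H' − F0 (one occurrence)
    return tuple(subst(s, f) for f in h + tuple(rest)), subst(s, c2)


# A derivation node is (clause, fact on its incoming edge, list of sons).
def check_derivation(node):
    """Definition 7, item 4: every node's clause subsumes {sons' facts} → its own fact."""
    clause, fact, sons = node
    return subsumes(clause, (tuple(f for _, f, _ in sons), fact)) and all(map(check_derivation, sons))


def size(node):
    return 1 + sum(size(n) for n in node[2])


def att(t):
    return ("att", t)


def demo():
    """Constructed scenario: a protocol outputs senc(s, k0), the key k0 leaks, and the attacker's
    decryption clause derives att(s).  Resolving on F0 = att(senc(m, k)) merges two nodes into one."""
    s_, k0, m, k = ("s",), ("k0",), Var("m"), Var("k")
    r_out = ((), att(("senc", s_, k0)))                     # sel(r_out) = ∅: no hypothesis
    r_key = ((), att(k0))
    f0 = att(("senc", m, k))
    r_dec = ((f0, att(k)), att(m))                           # R' with selected hypothesis F0
    d = (r_dec, att(s_), [(r_out, att(("senc", s_, k0)), []), (r_key, att(k0), [])])
    r_res = resolve(r_out, r_dec, f0)                        # att(k0) → att(s)
    d2 = (r_res, att(s_), [(r_key, att(k0), [])])            # η and η' replaced by η''
    return r_res, check_derivation(d), check_derivation(d2), size(d), size(d2)
```
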

We now prove the soundness of each simplification function described in Section 7, and of their composition simplify.

Lemma 36 Let $f$ range over the simplification functions $\mathrm{simpeq}$, $\mathrm{elimvar}$, $\mathrm{elimGVar} \circ \mathrm{swap} \circ \mathrm{unify}$, $\mathrm{elimnouniffalse}$, $\mathrm{elimdup}$, $\mathrm{elimattx}$, $\mathrm{elimtaut}$, and $\mathrm{simplify}$. Let $\mathcal{R}_t = \{(1), (2)\}$ when $f \in \{\mathrm{elimvar}, \mathrm{simplify}\}$ and $\mathcal{R}_t = \emptyset$ otherwise. Let $D$ be a derivation of bad such that $\mathrm{nf}'_{S,\Sigma}(D)$ with a node $\eta$ labelled $R$. We obtain a derivation $D'$ of bad by relabelling the node $\eta$ with some clause $R' \in f(\{R\}) \cup \mathcal{R}_t$, deleting nodes, and modifying nodes labelled by a fact in $T_{\mathrm{facts}}$.

The set of clauses $\mathcal{R}_t$ collects clauses that must be included in the clause set for the transformation to be correct. The proofs closely follow the intuitions for soundness given in Section 7.

Proof (for simpeq) Since $\mathrm{nf}'_{S,\Sigma}(D)$, the facts of $\sigma R$ (except nounif facts) are irreducible by $S$, so a fortiori the facts of $R$ (except nounif facts) are irreducible by $S$, hence $\mathrm{simpeq}(\{R\}) = \{R\}$, which obviously implies the desired result. □

Proof (for elimvar) Let $R = H \to C$, where $H = \mathrm{att}'(x, y) \wedge \mathrm{att}'(x, y') \wedge \ldots$ and $R' = R\{y/y'\}$. (The case $H = \mathrm{att}'(y, x) \wedge \mathrm{att}'(y', x) \wedge \ldots$ is symmetric.) Let $H'$ be the multiset of labels of outgoing edges of $\eta$ and $C'$ the label of its incoming edge. Since $D$ is a derivation, there exists $\sigma$ such that $\sigma H \subseteq H'$, and $\sigma C = C'$.

• Assume $\Sigma \vdash \sigma y = \sigma y'$. Since we have $\mathrm{nf}'_{S,\Sigma}(D)$, $\sigma y = \sigma y'$. Then $\sigma R' = \sigma R$, so $D'$ obtained from $D$ by relabelling $\eta$ with $R'$ is a derivation.

• Otherwise, $\Sigma \vdash \sigma y \neq \sigma y'$ and thus $\sigma\mathrm{nounif}(y, y') \in T_{\mathrm{facts}}$. Let $D'$ be obtained by relabelling the node $\eta$ with the clause $\mathrm{att}'(x, y) \wedge \mathrm{att}'(x, y') \wedge \mathrm{nounif}(y, y') \to \mathrm{bad}$ (1), adding the son $\sigma\mathrm{nounif}(y, y')$, and returning the subtree with root $\eta$. Since $\mathrm{att}'(x, y) \in H$, we have $\sigma\mathrm{att}'(x, y) \in \sigma H \subseteq H'$, and similarly for $\mathrm{att}'(x, y')$. Thus, $D'$ is a derivation of bad. □

Proof (for elimGVar ∘ swap ∘ unify) Let $R = H \wedge F \to C$ be the clause modified by $\mathrm{elimGVar} \circ \mathrm{swap} \circ \mathrm{unify}$. We show that if $\sigma F \in T_{\mathrm{facts}}$, then $\mathrm{elimGVar} \circ \mathrm{swap} \circ \mathrm{unify}$ replaces $R$ with $R' = H \wedge F'_1 \wedge \ldots \wedge F'_n \to C$, and $\sigma F'_1, \ldots, \sigma F'_n \in T_{\mathrm{facts}}$.

It is easy to infer the lemma from this property. Indeed, let $H'$ be the multiset of labels of outgoing edges of $\eta$ and $C'$ the label of its incoming edge. Since $D$ is a derivation, there exists $\sigma$ such that $\sigma H \wedge \sigma F \subseteq H'$, and $\sigma C = C'$. Then $\sigma F$ is derived by a son of $\eta$, so $\sigma F \in T_{\mathrm{facts}}$. Then by the above property $\sigma F'_1, \ldots, \sigma F'_n \in T_{\mathrm{facts}}$, and $D'$ obtained from $D$ by relabelling $\eta$ with $R' = H \wedge F'_1 \wedge \ldots \wedge F'_n \to C$ and replacing $\sigma F$ with $\sigma F'_1, \ldots, \sigma F'_n$ as sons of $\eta$ is also a derivation.

• We now prove that unify replaces $F = \mathrm{nounif}(p, p')$ with $F'_1 \wedge \ldots \wedge F'_n$ such that, if $\sigma F \in T_{\mathrm{facts}}$, then $\sigma F'_1, \ldots, \sigma F'_n \in T_{\mathrm{facts}}$.

By definition of nounif, $\sigma F \in T_{\mathrm{facts}}$ if and only if there exists no closed substitution $\sigma'$ with domain $\mathrm{GVar}$ such that $\Sigma \vdash \sigma'\sigma p = \sigma'\sigma p'$. By Lemma 32, $\Sigma \vdash \sigma'\sigma p = \sigma'\sigma p'$ if and only if there exist $N, N', \sigma'', \sigma_u$ such that $\mathrm{addeval}(p, p') \Downarrow' ((N, N'), \sigma'')$, $\sigma_u$ is the most general unifier of $N$ and $N'$, and for all $x \in \mathrm{fv}(M, M')$, $\Sigma \vdash \sigma\sigma' x = \sigma\sigma'\sigma_u\sigma'' x$. The fact $F$ is replaced with $F'_1, \ldots, F'_n$, where $F'_j = \mathrm{nounif}(p_j, p'_j) = \mathrm{nounif}((x^j_1, \ldots, x^j_{k_j}), \sigma_u\sigma''(x^j_1, \ldots, x^j_{k_j}))$ for each $\sigma_u\sigma''$ obtained as above. So $\Sigma \vdash \sigma'\sigma p = \sigma'\sigma p'$ if and only if there exists $j \in \{1, \ldots, n\}$ such that $\Sigma \vdash \sigma'\sigma p_j = \sigma'\sigma p'_j$. So $\sigma F \in T_{\mathrm{facts}}$ if and only if $\sigma F'_1, \ldots, \sigma F'_n \in T_{\mathrm{facts}}$. This equivalence implies the result.

• Next, we show that swap replaces $F = \mathrm{nounif}(p_1, p_2)$ with $F' = \mathrm{nounif}(p'_1, p'_2)$ such that, if $\sigma F \in T_{\mathrm{facts}}$, then $\sigma F' \in T_{\mathrm{facts}}$.

We can easily show that for all $\sigma'$ with domain $\mathrm{GVar} \cup \mathrm{Var}$, $\Sigma \vdash \sigma' p_1 = \sigma' p_2$ if and only if $\Sigma \vdash \sigma' p'_1 = \sigma' p'_2$. This equivalence yields the result.

• Finally, we show that elimGVar replaces $F = \mathrm{nounif}((g, p_1, \ldots, p_n), (p'_0, \ldots, p'_n))$ (where $g \in \mathrm{GVar}$) with $F' = \mathrm{nounif}((p_1, \ldots, p_n), (p'_1, \ldots, p'_n))$ such that, if $\sigma F \in T_{\mathrm{facts}}$, then $\sigma F' \in T_{\mathrm{facts}}$.

Assume $\sigma F \in T_{\mathrm{facts}}$. Then there exists no $\sigma'$ with domain $\mathrm{GVar}$ such that $\Sigma \vdash \sigma'\sigma(g, p_1, \ldots, p_n) = \sigma'\sigma(p'_0, \ldots, p'_n)$. So there exists no $\sigma'_1$ such that $\Sigma \vdash \sigma'_1\sigma(p_1, \ldots, p_n) = \sigma'_1\sigma(p'_1, \ldots, p'_n)$. Indeed, if $\sigma'_1$ existed, $\sigma' = \sigma'_1\{\sigma p'_0/g\}$ would contradict the non-existence of $\sigma'$. (Note that $g$ does not occur elsewhere in $F$, because $F$ is obtained after applying unify and swap.) Then $\sigma F' \in T_{\mathrm{facts}}$. □

Proof (for elimnouniffalse) Let F = nounif((), ()). For all σ, σF ∉ Tfacts. So R = H ∧ F → C cannot be the label of a node in a derivation D. (Hence elimnouniffalse may harmlessly remove R.) □

Proof (for elimdup) The result is obvious: the hypotheses of R′ are included in the hypotheses of R, so R′ ⊒ R. □

Proof (for elimattx) The result is obvious: the hypotheses of R′ are included in the hypotheses of R, so R′ ⊒ R. □

Proof (for elimtaut) The result is obvious: we remove η and replace it with one of its subtrees. □

Proof (for simplify) We apply Lemma 36 for every simplification function that defines simplify. □

Theorem 5 If saturate(R0) terminates and there is a derivation D of bad from R0 with nf′S,Σ(D), then there is a derivation D′ of bad from saturate(R0) with nf′S,Σ(D′).

The key idea of the proof is to replace clauses as allowed by the previous lemmas. When the replacement terminates, we can show that all clauses are in saturate(R0). We show the termination using the decrease of the number of nodes of the derivation not in Tfacts.

Proof Let us consider a derivation D of bad from R0 such that nf′S,Σ(D). (The property nf′S,Σ(D) is preserved by the transformations of the derivation described below: these transformations do not introduce new non-nounif intermediately derived facts.)

For each clause R in R0, for each R′′ ∈ simplify(R), there exists a clause R′ in R such that R′ ⊒ R′′ (Lemma 33, Property 1). Assume that there exists a node labelled R in this derivation. By Lemma 36, we can replace R with some R′′ ∈ simplify(R) ∪ {(1), (2)}. Clauses (1) and (2) are subsumed by some clause in R, since they are obtained by simplification from (Rt), resp. (Rt′) for g = equals. So, in all cases, there exists R′ ∈ R such that R′ ⊒ R′′. By Lemma 35, we can replace R′′ with R′. Therefore, we can replace nodes labelled by R with nodes labelled by R′. This way, we obtain a derivation of bad from R.

Next, we build a derivation of bad from R1, where R1 = saturate(R0).

Consider a derivation D of bad from R such that nf′S,Σ(D). If D contains a node labelled by a clause not in R1 ∪ Tfacts, we can transform D as follows. Let η′ be a lowest node of D labelled by a clause not in R1 ∪ Tfacts. Then all sons of η′ are labelled by clauses in R1 ∪ Tfacts. Let R′ be the clause labelling η′. Since R′ ∉ R1 ∪ Tfacts, sel(R′) ≠ ∅. Take F0 ∈ sel(R′). By Lemma 34, there exists a son η of η′ labelled R, such that R ∘F0 R′ is defined. Since all sons of η′ are labelled by clauses in R1 ∪ Tfacts, R ∈ R1 ∪ Tfacts. Moreover, by definition of the selection function, F0 is not a nounif fact, so R ∉ Tfacts, so R ∈ R1, hence sel(R) = ∅ and R ∈ R. By Lemma 34, we can replace η and η′ with η′′ labelled by R ∘F0 R′. By Lemma 36, we can replace R ∘F0 R′ with some R′′′ ∈ simplify(R ∘F0 R′) ∪ {(1), (2)}. By Lemma 33, Property 2, for each R′′′ ∈ simplify(R ∘F0 R′), there exists R′′ ∈ R such that R′′ ⊒ R′′′; as noted above, this is also true for (1) and (2), so for all R′′′ ∈ simplify(R ∘F0 R′) ∪ {(1), (2)}, there exists R′′ ∈ R such that R′′ ⊒ R′′′. By Lemma 35, we can replace R′′′ with R′′, and we obtain a derivation D′ of bad from R, such that nf′S,Σ(D′) and D′ contains fewer nodes not in Tfacts than D (since the resolution of two clauses removes one node, and simplifications do not add nodes not in Tfacts).

Since the number of nodes not in Tfacts strictly decreases, this transformation process terminates.

When we cannot perform this transformation any more, all nodes of the derivation are labelled by clauses in R1 ∪ Tfacts, hence we have obtained a derivation D′ of bad from R1 such that nf′S,Σ(D′). □

Proof (of Theorem 4) If bad is derivable from RP0, then it is derivable from RP0 by a derivation that satisfies nf′S,Σ (by Lemma 3), then it is derivable from saturate(RP0) by a derivation that satisfies nf′S,Σ (by Theorem 5), then saturate(RP0) contains a clause of the form H → bad. □


A Computationally Sound Mechanized Prover for Security Protocols

Bruno Blanchet∗†

Abstract

We present a new mechanized prover for secrecy properties of security protocols. In contrast to most previous provers, our tool does not rely on the Dolev-Yao model, but on the computational model. It produces proofs presented as sequences of games; these games are formalized in a probabilistic polynomial-time process calculus. Our tool provides a generic method for specifying security properties of the cryptographic primitives, which can handle shared-key and public-key encryption, signatures, message authentication codes, and hash functions. Our tool produces proofs valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. We have implemented our tool and tested it on a number of examples of protocols from the literature.

1 Introduction

There exist two main approaches for analyzing security protocols. In the computational model, messages are bitstrings, and the adversary is a probabilistic polynomial-time Turing machine. This model is close to the real execution of protocols, but the proofs are usually manual and informal. In contrast, in the formal, Dolev-Yao model, cryptographic primitives are considered as perfect blackboxes, modeled by function symbols in an algebra of terms, possibly with equations. The adversary can compute using these blackboxes. This abstract model makes it possible to build automatic verification tools, but the security proofs are in general not sound with respect to the computational model.

Since the seminal paper by Abadi and Rogaway [3], there has been much interest in relating both frameworks (see for example [1, 9, 12, 23, 27, 28, 37, 38]), to show the soundness of the Dolev-Yao model with respect to the computational model, and thus obtain automatic proofs of protocols in the computational model. However, this approach has limitations: since the computational and Dolev-Yao models do not correspond exactly, additional hypotheses are necessary in order to guarantee soundness. (For example, key cycles have to be excluded, or a specific security definition of encryption is needed [5].)

In this paper, we propose a different approach for automatically proving protocols in the computational model: we have built a mechanized prover that works directly in the computational model, without considering the Dolev-Yao model. Our tool produces proofs valid for a number of sessions polynomial

∗B. Blanchet is with CNRS, École Normale Supérieure, Paris, France. E-mail: [email protected]

†A short version of this paper appears at IEEE Symposium on Security and Privacy, Oakland, California, May 2006.

in the security parameter, in the presence of an active adversary. These proofs are presented as sequences of games, as used by cryptographers [16, 44, 45]: the initial game represents the protocol to prove; the goal is to show that the probability of breaking a certain security property (secrecy in this paper) is negligible in this game; intermediate games are obtained each from the previous one by transformations such that the difference of probability between consecutive games is negligible; the final game is such that the desired probability is obviously negligible from the form of the game. The desired probability is then negligible in the initial game.

We represent games in a process calculus. This calculus is inspired by the pi-calculus and by the calculi of [33, 34, 39] and of [32]. In this calculus, messages are bitstrings, and cryptographic primitives are functions from bitstrings to bitstrings. The calculus has a probabilistic semantics, and all processes run in polynomial time. The main tool for specifying security properties is observational equivalence: Q is observationally equivalent to Q′, Q ≈ Q′, when the adversary has a negligible probability of distinguishing Q from Q′. With respect to previous calculi mentioned above, our calculus introduces an important novelty which is key for the automatic proof of security protocols: the values of all variables during the execution of a process are stored in arrays. For instance, x[i] is the value of x in the i-th copy of the process that defines x. Arrays replace lists often used by cryptographers in their manual proofs of protocols. For example, consider the definition of security of a message authentication code (MAC). Informally, this definition says that the adversary has a negligible probability of forging a MAC, that is, that all correct MACs have been computed by calling the MAC oracle. So, in cryptographic proofs, one defines a list containing the arguments of calls to the MAC oracle, and when checking a MAC of a message m, one can additionally check that m is in this list, with a negligible change in probability. In our calculus, the arguments of the MAC oracle are stored in arrays, and we perform a lookup in these arrays in order to find the message m. Arrays make it easier to automate proofs since they are always present in the calculus: one does not need to add explicit instructions to insert values in them, in contrast to the lists used in manual proofs. Therefore, many trivially sound but difficult to automate syntactic transformations disappear. Furthermore, relations between elements of arrays can easily be expressed by equalities, possibly involving computations on array indices.

Our prover relies on a collection of game transformations, in order to transform the initial protocol into a game on which the desired security property is obvious. The most important kind of transformations exploits the definition of security of cryptographic primitives in order to obtain a simpler game. As described in Section 3.2, these transformations can be specified


in a generic way: we represent the definition of security of each cryptographic primitive by an observational equivalence L ≈ R, where the processes L and R encode functions: they input the arguments of the function and send its result back. Then, the prover can automatically transform a process Q that calls the functions of L (more precisely, contains as subterms terms that perform the same computations as functions of L) into a process Q′ that calls the functions of R instead. We have used this technique to specify several variants of shared-key and public-key encryption, signature, message authentication codes, and hash functions, simply by giving the appropriate equivalence L ≈ R to the prover. Other game transformations are syntactic transformations, used in order to be able to apply the definition of cryptographic primitives, or to simplify the game obtained after applying these definitions.

In order to prove protocols, these game transformations are organized using a proof strategy based on advice: when a transformation fails, it suggests other transformations that should be applied before, in order to enable the desired transformation. Thanks to this strategy, protocols can often be proved in a fully automatic way. For delicate cases, our prover has an interactive mode, in which the user can manually specify the transformations to apply. It is usually sufficient to specify a few transformations coming from the security definitions of primitives, by indicating the concerned cryptographic primitive and the concerned secret key if any; the prover infers the intermediate syntactic transformations by the advice strategy. This mode is helpful for proving some public-key protocols, in which several security definitions of primitives can be applied, but only one leads to a proof of the protocol. Importantly, our prover is always sound: whatever indications the user gives, when the prover shows a security property of the protocol, the property indeed holds assuming the given hypotheses on the cryptographic primitives.

Our prover CryptoVerif has been implemented in Ocaml (17300 lines of code for version 1.03 of CryptoVerif) and is available at http://www.di.ens.fr/~blanchet/cryptoc-eng.html.

1.1 Outline

The next section presents our process calculus for representing games. Section 3 describes the game transformations that we use for proving protocols. Section 4 gives criteria for proving secrecy properties of protocols. Section 5 explains how the prover chooses which transformation to apply at each point. Section 6 presents our experimental results. Section 7 discusses related work and Section 8 concludes. The appendices contain additional formal details, proof sketches, and details on the modeling of some cryptographic primitives.

1.2 Notations

We recall the following standard notations. We denote by {M1/x1, …, Mm/xm} the substitution that replaces xj with Mj for each j ≤ m. The cardinal of a set or multiset S is denoted by |S|. If S is a finite set, x ←R S chooses a random element uniformly in S and assigns it to x. If A is a probabilistic algorithm, x ← A(x1, …, xm) denotes the experiment of choosing random coins r and assigning to x the result of running A(x1, …, xm) with coins r. Otherwise, x ← M is a simple assignment statement.

M, N ::=                                              terms
  i                                                   replication index
  x[M1, …, Mm]                                        variable access
  f(M1, …, Mm)                                        function application

Q ::=                                                 input process
  0                                                   nil
  Q | Q′                                              parallel composition
  !i≤n Q                                              replication n times
  newChannel c; Q                                     channel restriction
  c[M1, …, Ml](x1[i] : T1, …, xk[i] : Tk); P          input

P ::=                                                 output process
  c[M1, …, Ml]⟨N1, …, Nk⟩; Q                          output
  new x[i1, …, im] : T; P                             random number
  let x[i1, …, im] : T = M in P                       assignment
  if defined(M1, …, Ml) ∧ M then P else P′            conditional
  find (⊕_{j=1}^{m} u_{j1}[i] ≤ n_{j1}, …, u_{jm_j}[i] ≤ n_{jm_j}
        suchthat defined(M_{j1}, …, M_{jl_j}) ∧ M_j then P_j) else P
                                                      array lookup

Figure 1: Syntax of the process calculus

2 A Calculus for Games

2.1 Syntax and Informal Semantics

The syntax of our calculus is summarized in Figure 1. This calculus was inspired by the pi calculus and by the calculi of [33, 34, 39] and of [32]. We denote by η the security parameter, which determines in particular the length of keys.

This calculus assumes a countable set of channel names, denoted by c. There is a mapping maxlenη from channels to integers, such that maxlenη(c) is the maximum length of a message sent on channel c. Longer messages are truncated. For all c, maxlenη(c) is polynomial in η. (This is key to guaranteeing that all processes run in probabilistic polynomial time.)

Our calculus also uses parameters, denoted by n, which correspond to integer values polynomial in the security parameter. So, denoting by Iη(n) the interpretation of n for a given value of the security parameter η, Iη(n) is a polynomially bounded, efficiently computable function of η.

Our calculus also uses types, denoted by T. For each value of the security parameter η, each type corresponds to a subset Iη(T) of Bitstring ∪ {⊥} where Bitstring is the set of all bitstrings and ⊥ is a special symbol. The set Iη(T) must be recognizable in polynomial time, that is, there exists an algorithm that decides whether x ∈ Iη(T) in time polynomial in the length of x and the value of η. Let fixed-length types be types T such that


Iη(T) is the set of all bitstrings of a certain length, this length being a function of η bounded by a polynomial. Let large types be types T such that 1/|Iη(T)| is negligible. (f(η) is negligible when for all polynomials q, there exists η0 ∈ ℕ such that for all η > η0, f(η) ≤ 1/q(η).) Particular types are predefined: bool, such that Iη(bool) = {true, false}, where false is 0 and true is 1; bitstring, such that Iη(bitstring) = Bitstring; bitstring⊥ such that Iη(bitstring⊥) = Bitstring ∪ {⊥}; [1, n] where n is a parameter, such that Iη([1, n]) = [1, Iη(n)]. (We consider integers as bitstrings without leading zeroes.)

The calculus also uses function symbols f. Each function symbol comes with a type declaration f : T1 × … × Tm → T. For each value of η, each function symbol f corresponds to a function Iη(f) from Iη(T1) × … × Iη(Tm) to Iη(T), such that Iη(f)(x1, …, xm) is computable in polynomial time in the lengths of x1, …, xm and the value of η. Particular functions are predefined, and some of them use the infix notation: M = N for the equality test, M ≠ N for the inequality test (both taking two values of the same type T and returning a value of type bool), M ∨ N for the boolean or, M ∧ N for the boolean and, ¬M for the boolean negation (taking and returning values of type bool).

In this calculus, terms represent computations on bitstrings. The replication index i is an integer which serves in distinguishing different copies of a replicated process !i≤n. (Replication indices are typically used as array indices.) The variable access x[M1, …, Mm] returns the content of the cell of indices M1, …, Mm of the m-dimensional array variable x. We use x, y, z, u as variable names. The function application f(M1, …, Mm) returns the result of applying function f to M1, …, Mm.

The calculus distinguishes two kinds of processes: input processes Q are ready to receive a message on a channel; output processes P output a message on a channel after executing some internal computations. The input process 0 does nothing; Q | Q′ is the parallel composition of Q and Q′; !i≤n Q represents n copies of Q in parallel, each with a different value of i ∈ [1, n]; newChannel c; Q creates a new private channel c and executes Q; the semantics of the input c[M1, …, Ml](x1[i] : T1, …, xk[i] : Tk); P will be explained below together with the semantics of the output.

The output process new x[i1, …, im] : T; P chooses a new random number uniformly in Iη(T), stores it in x[i1, …, im], and executes P. (The type T must be a fixed-length type, because probabilistic polynomial-time Turing machines can choose random numbers uniformly only in such types.) Function symbols represent deterministic functions, so all random numbers must be chosen by new x[i1, …, im] : T. Deterministic functions make automatic syntactic manipulations easier: we can duplicate a term without changing its value. The process let x[i1, …, im] : T = M in P stores the bitstring value of M (which must be in Iη(T)) in x[i1, …, im] and executes P. Next, we explain the process

$$\mathsf{find}\ \Big(\bigoplus_{j=1}^{m} u_{j1}[i] \le n_{j1}, \ldots, u_{jm_j}[i] \le n_{jm_j}\ \mathsf{suchthat}\ \mathsf{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathsf{then}\ P_j\Big)\ \mathsf{else}\ P,$$

where i denotes a tuple i1, …, im′. The order and array indices on tuples are taken component-wise, so for instance, u_{j1}[i] ≤ n_{j1}, …, u_{jm_j}[i] ≤ n_{jm_j} can be further abbreviated u_j[i] ≤ n_j. A simple example is the following: find u ≤ n suchthat defined(x[u]) ∧ x[u] = a then P′ else P tries to find an index u such that x[u] is defined and x[u] = a, and when such a u is found, it executes P′ with that value of u; otherwise, it executes P. In other words, this find construct looks for the value a in the array x, and when a is found, it stores in u an index such that x[u] = a. Therefore, the find construct allows us to access arrays, which is key for our purpose. More generally, find u1[i] ≤ n1, …, um[i] ≤ nm suchthat defined(M1, …, Ml) ∧ M then P′ else P tries to find values of u1, …, um for which M1, …, Ml are defined and M is true. In case of success, it executes P′. In case of failure, it executes P. This is further generalized to m branches: find (⊕_{j=1}^{m} u_{j1}[i] ≤ n_{j1}, …, u_{jm_j}[i] ≤ n_{jm_j} suchthat defined(M_{j1}, …, M_{jl_j}) ∧ M_j then P_j) else P tries to find a branch j in [1, m] such that there are values of u_{j1}, …, u_{jm_j} for which M_{j1}, …, M_{jl_j} are defined and M_j is true. In case of success, it executes P_j. In case of failure for all branches, it executes P. More formally, it evaluates the conditions defined(M_{j1}, …, M_{jl_j}) ∧ M_j for each j and each value of u_{j1}[i], …, u_{jm_j}[i] in [1, n_{j1}] × … × [1, n_{jm_j}]. If none of these conditions is true, it executes P. Otherwise, it chooses randomly with uniform¹ probability one j and one value of u_{j1}[i], …, u_{jm_j}[i] such that the corresponding condition is true and executes P_j. The conditional if defined(M1, …, Ml) ∧ M then P else P′ executes P if M1, …, Ml are defined and M evaluates to true. Otherwise, it executes P′. This conditional is defined as syntactic sugar for find suchthat defined(M1, …, Ml) ∧ M then P else P′. The conjunct defined(M1, …, Ml) can be omitted when l = 0 and M can be omitted when it is true.

Finally, let us explain the output c[M1, …, Ml]⟨N1, …, Nk⟩; Q. A channel c[M1, …, Ml] consists of both a channel name c and a tuple of terms M1, …, Ml. Channel names c allow us to define private channels to which the adversary can never have access, by newChannel c. (This is useful in the proofs, although all channels of protocols are often public.) Terms M1, …, Ml are intuitively analogous to IP addresses and ports which are numbers that the adversary may guess. A semantic configuration always consists of a single output process (the process currently being executed) and several input processes. When the output process executes c[M1, …, Ml]⟨N1, …, Nk⟩; Q, one looks for an input on channel c[M′1, …, M′l], where M′1, …, M′l evaluate to the same bitstrings as M1, …, Ml, and with the same arity k, in the available input processes. If no such input process is found, the process blocks. Otherwise, one such input process c[M′1, …, M′l](x1[i] : T1, …, xk[i] : Tk); P is chosen randomly with uniform probability. The communication is then executed: for each j ≤ k, the output message Nj is evaluated, its result is truncated to length maxlenη(c), the obtained bitstring is stored in xj[i] if it is in Iη(Tj) (otherwise the process blocks).

¹ A probabilistic polynomial-time Turing machine can choose a random number uniformly in a set of cardinal m only when m is a power of 2. When m is not a power of 2, there exist approximate algorithms: for example, in order to obtain a random integer in [0, m − 1], we can choose a random integer r uniformly among [0, 2^k − 1] for a certain k large enough and return r mod m. The distribution can be made as close as we wish to the uniform distribution by choosing k large enough.
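The approximation of footnote 1 can be quantified exactly. The following Python code is an added example, not part of the paper or of CryptoVerif: it computes the exact distribution of r mod m for r uniform in [0, 2^k − 1], its statistical distance from the uniform distribution on [0, m − 1], and the smallest k that brings that distance below a chosen bound. The function names and the sample parameters (m = 3, bound 1/1000) are chosen for this example.

```python
from fractions import Fraction


def mod_distribution(k, m):
    """Exact distribution of (r mod m) when r is uniform in [0, 2^k - 1].

    Returns a list p with p[v] = Pr[r mod m = v] as an exact Fraction.
    The residues below (2^k mod m) are hit one extra time; that is the bias.
    """
    total = 2 ** k
    q, rem = divmod(total, m)
    return [Fraction(q + (1 if v < rem else 0), total) for v in range(m)]


def statistical_distance(k, m):
    """Statistical (total variation) distance between (r mod m) and the
    uniform distribution on [0, m - 1], as an exact Fraction."""
    uniform = Fraction(1, m)
    return sum(abs(p - uniform) for p in mod_distribution(k, m)) / 2


def bits_needed(m, bound):
    """Smallest k such that statistical_distance(k, m) <= bound: the
    'k large enough' of the footnote, for a concrete target bound."""
    k = 1
    while statistical_distance(k, m) > bound:
        k += 1
    return k


if __name__ == "__main__":
    # Constructed sample: a set of cardinal 3, which is not a power of 2.
    for k in (2, 8, 16):
        print(f"k={k:2d} m=3 distance={statistical_distance(k, 3)}")
    print("bits for distance <= 1/1000 with m=3:", bits_needed(3, Fraction(1, 1000)))
    # A power-of-2 cardinal needs no approximation at all.
    print("k=8 m=4 distance =", statistical_distance(8, 4))
```

Doubling 2^k halves the distance, so the distance decays exponentially in k while the cost of sampling grows only linearly, which is why "k large enough" is cheap to achieve; a power-of-two m gives distance exactly 0, matching the footnote's first sentence.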


Finally, the output process P that follows the input is executed. The input process Q that follows the output is stored in the available input processes for future execution. Note that the syntax requires an output to be followed by an input process, as in [32]. If one needs to output several messages consecutively, one can simply insert fictitious inputs between the outputs. The adversary can then schedule the outputs by sending messages to these inputs.

Using different channels for each input and output allows the adversary to control the network. For instance, we may write !i≤n c[i](x[i] : T) … c′[i]⟨M⟩ … The adversary can then decide which copy of the replicated process receives its message, simply by sending it on c[i] for the appropriate value of i.

An else branch of find or if may be omitted when it is else yield⟨⟩; 0. (Note that “else 0” would not be syntactically correct.) A trailing 0 after an output may be omitted.

Variables can be defined by assignments, inputs, restrictions, and array lookups. The current replication indices at a certain program point in a process are i1, …, im where the replications above the considered program point are !i1≤n1 … !im≤nm. We often abbreviate x[i1, …, im] by x when i1, …, im are the current replication indices, but it should be kept in mind that this is only an abbreviation. Variables defined under a replication must be arrays: for example !i1≤n1 … !im≤nm let x[i1, …, im] : T = M in … More formally, we require the following invariant:

Invariant 1 (Single definition) The process Q0 satisfies Invariant 1 if and only if

1. in every definition of x[i1, …, im] in Q0, the indices i1, …, im of x are the current replication indices at that definition, and

2. two different definitions of the same variable x in Q0 are in different branches of a find (or if).

Invariant 1 guarantees that each variable is assigned at most once for each value of its indices. (Indeed, item 2 shows that only one definition of each variable can be executed for given indices in each trace.)

Invariant 2 (Defined variables) The process Q0 satisfies Invariant 2 if and only if every occurrence of a variable access x[M1, …, Mm] in Q0 is either

• syntactically under the definition of x[M1, …, Mm] (in which case M1, …, Mm are in fact the current replication indices at the definition of x);

• or in a defined condition in a find process;

• or in M′_j or P_j in a process of the form find (⊕_{j=1}^{m′′} u_j[i] ≤ n_j suchthat defined(M′_{j1}, …, M′_{jl_j}) ∧ M′_j then P_j) else P where for some k ≤ l_j, x[M1, …, Mm] is a subterm of M′_{jk}.

Invariant 2 guarantees that variables can be accessed only when they have been initialized. It checks that the definition of the variable access is either in scope (first item) or checked by a find (last item). Both invariants are checked by the prover for the initial game and preserved by all game transformations.

We say that a function f : T1 × … × Tm → T is poly-injective when it is injective and its inverses can be computed in polynomial time, that is, there exist functions f⁻¹_j : T → Tj (1 ≤ j ≤ m) such that f⁻¹_j(f(x1, …, xm)) = xj and f⁻¹_j can be computed in polynomial time in the length of f(x1, …, xm) and in the security parameter. When f is poly-injective, we define a pattern matching construct let f(x1, …, xm) = M in P else Q as an abbreviation for let y : T = M in let x1 : T1 = f⁻¹_1(y) in … let xm : Tm = f⁻¹_m(y) in if f(x1, …, xm) = y then P else Q. We naturally generalize this construct to let N = M in P else Q where N is built from poly-injective functions and variables.

We denote by var(P) the set of variables that occur in P and by fc(P) the set of free channels of P. (We use similar notations for input processes.)

2.2 Example

Let us introduce two cryptographic primitives that we use below.

Definition 1 Let Tmr, Tmk, and Tms be types that correspond intuitively to random seeds, keys, and message authentication codes, respectively; Tmr is a fixed-length type. A message authentication code [15] consists of three function symbols:

• mkgen : Tmr → Tmk where Iη(mkgen) = mkgenη is the key generation algorithm taking as argument a random bitstring and returning a key. (Usually, mkgen is a randomized algorithm; here, since we separate the choice of random numbers from computation, mkgen takes an additional argument representing the random coins.)

• mac : bitstring × Tmk → Tms where Iη(mac) = macη is the MAC algorithm taking as argument a message and a key, and returning the corresponding tag. (We assume here that mac is deterministic; we could easily encode a randomized mac by adding an additional argument as for mkgen.)

• check : bitstring × Tmk × Tms → bool where Iη(check) = checkη is a checking algorithm such that checkη(m, k, t) = true if and only if t is a valid MAC of message m under key k. (Since mac is deterministic, checkη(m, k, t) is typically macη(m, k) = t.)

We have ∀m ∈ Bitstring, ∀r ∈ Iη(Tmr), checkη(m, mkgenη(r), macη(m, mkgenη(r))) = true.

A MAC is UF-CMA (satisfies unforgeability under chosen message attacks) if and only if for all polynomials q,

$$\max_{A}\ \Pr\Big[\, r \xleftarrow{R} I_\eta(T_{mr});\ k \leftarrow \mathit{mkgen}_\eta(r);\ (m, t) \leftarrow A^{\mathit{mac}_\eta(\cdot, k),\, \mathit{check}_\eta(\cdot, k, \cdot)} : \mathit{check}_\eta(m, k, t) \,\Big]$$

is negligible, where the adversary A is any probabilistic Turing machine, running in time q(η), with oracle access to macη(·, k) and checkη(·, k, ·), and A has not called macη(·, k) on message m.

Definition 2 Let Tr and T′r be fixed-length types; let Tk and Te be types. A symmetric encryption scheme [13] consists of


three function symbols kgen : Tr → Tk, enc : bitstring × Tk × T′r → Te, and dec : Te × Tk → bitstring⊥, with Iη(kgen) = kgenη, Iη(enc) = encη, Iη(dec) = decη, such that for all m ∈ Bitstring, r ∈ Iη(Tr), and r′ ∈ Iη(T′r), decη(encη(m, kgenη(r), r′), kgenη(r)) = m.

Let LR(x, y, b) = x if b = 0 and LR(x, y, b) = y if b = 1, defined only when x and y are bitstrings of the same length. A symmetric encryption scheme is IND-CPA (satisfies indistinguishability under chosen plaintext attacks) if and only if for all polynomials q,

$$\max_{A}\ 2\Pr\Big[\, b \xleftarrow{R} \{0, 1\};\ r \xleftarrow{R} I_\eta(T_r);\ k \leftarrow \mathit{kgen}_\eta(r);\ b' \leftarrow A^{\,r' \xleftarrow{R} I_\eta(T'_r);\ \mathit{enc}_\eta(\mathit{LR}(\cdot, \cdot, b), k, r')} : b' = b \,\Big] - 1$$

is negligible, where the adversary A is any probabilistic Turing machine, running in time q(η), with oracle access to the left-right encryption algorithm which, given two bitstrings a0 and a1 of the same length, returns r′ ←R Iη(T′r); encη(LR(a0, a1, b), k, r′), that is, encrypts a0 when b = 0 and a1 when b = 1.

Example 1 Let us consider the following trivial protocol:

A → B : e, mac(e, xmk) where e = enc(x′k, xk, x′′r)
and x′′r, x′k are fresh random numbers

A and B are assumed to share a key xk for a symmetric encryption scheme and a key xmk for a message authentication code. A creates a fresh key x′k and sends it encrypted under xk to B. A MAC is appended to the message, in order to guarantee integrity. The goal of the protocol is that x′k should be a secret key shared between A and B. This protocol can be modeled in our calculus by the following process Q0:

Q0 = start(); new xr : Tr; let xk : Tk = kgen(xr) in
     new x′r : Tmr; let xmk : Tmk = mkgen(x′r) in
     c⟨⟩; (QA | QB)

QA = !i≤n cA[i](); new x′k : Tk; new x′′r : T′r;
     let xm : bitstring = enc(k2b(x′k), xk, x′′r) in
     cA[i]⟨xm, mac(xm, xmk)⟩

QB = !i′≤n cB[i′](x′m, xma);
     if check(x′m, xmk, xma) then
     let i⊥(k2b(x′′k)) = dec(x′m, xk) in cB[i′]⟨⟩

When Q0 receives a message on channel start, it begins execution: it generates the keys xk and xmk by choosing random coins xr and x′r and applying the appropriate key generation algorithms. Then it yields control to the context (the adversary), by outputting on channel c. After this output, n copies of processes for A and B are ready to be executed, when the context outputs on channels cA[i] or cB[i] respectively. In a session that runs as expected, the context first sends a message on cA[i]. Then QA creates a fresh key x′k (Tk is assumed to be a fixed-length type), encrypts it under xk with random coins x′′r, computes the MAC under xmk of the ciphertext, and sends the ciphertext and the MAC on cA[i]. The function k2b : Tk → bitstring is the natural injection Iη(k2b)(x) = x; it is needed only for type conversion. The context is then expected to forward this message on cB[i]. When QB receives this message, it checks the MAC, decrypts, and stores the obtained key in x′′k. (The function i⊥ : bitstring → bitstring⊥ is the natural injection; it is useful to check that decryption succeeded.) This key x′′k should be secret.

The context is responsible for forwarding messages from A to B. It can send messages in unexpected ways in order to mount an attack.

Although we use a trivial running example due to length constraints, this example is sufficient to illustrate the main features of our prover. Section 6 presents results obtained on more realistic protocols.

2.3 Type System

We use a type system to check that bitstrings of the proper type are passed to each function and that array indices are used correctly.

To be able to type variable accesses used not under their definition (such accesses are guarded by a find construct), the type-checking algorithm proceeds in two passes. In the first pass, it builds a type environment E, which maps variable names x to types [1, n_1] × ... × [1, n_m] → T, where the definition of x[i_1, ..., i_m] of type T occurs under replications !^{i_1≤n_1}, ..., !^{i_m≤n_m}. The tool checks that all definitions of the same variable x yield the same value of E(x), so that E is properly defined.

In the second pass, the process is typechecked in the type environment E by a simple type system. This type system is detailed in Appendix A. It defines the judgment E ⊢ Q, which means that the process Q is well-typed in environment E.

Invariant 3 (Typing) The process Q_0 satisfies Invariant 3 if and only if the type environment E for Q_0 is well-defined, and E ⊢ Q_0.

We require the adversary to be well-typed. This requirement does not restrict its computing power, because it can always define type-cast functions f : T → T' to bypass the type system. Similarly, the type system does not restrict the class of protocols that we consider, since the protocol may contain type-cast functions. The type system just makes explicit which set of bitstrings may appear at each point of the protocol.

2.4 Formal Semantics

The semantics is defined by a probabilistic reduction relation formally detailed in Appendix B. The notation E, M ⇓ a means that the term M evaluates to the bitstring a in environment E. We denote by Pr[Q ⇝_η c〈a〉] the probability that at least one of the outputs of Q on channel c sends the bitstring a. (When c is not free in Q, Pr[Q ⇝_η c〈a〉] = 0.)

Our semantics is such that, for each process Q, there exists a probabilistic polynomial time Turing machine that simulates Q. (Processes run in polynomial time since the number of processes created by a replication and the length of messages sent on channels are bounded by polynomials.) Conversely, our calculus can simulate a probabilistic polynomial-time Turing machine, simply by choosing coins by new and by applying a function symbol defined to perform the same computations as the Turing machine.

2.5 Observational Equivalence

A context is a process containing a hole [ ]. An evaluation context C is a context built from [ ], newChannel c; C, Q | C, and C | Q. We use an evaluation context to represent the adversary. We denote by C[Q] the process obtained by replacing the hole [ ] in the context C with the process Q. Our definition of observational equivalence is adapted from definitions for previous calculi such as [39].

Definition 3 (Observational equivalence) Let Q and Q' be two processes and V a set of variables. Assume that Q and Q' satisfy Invariants 1, 2, and 3 and the variables of V are defined in Q and Q', with the same types.

An evaluation context C is said to be acceptable for Q, Q', V if and only if var(C) ∩ (var(Q) ∪ var(Q')) ⊆ V and C[Q] satisfies Invariants 1, 2, and 3. (Then C[Q'] also satisfies these invariants.)

We say that Q and Q' are observationally equivalent with public variables V, written Q ≈_V Q', when for all evaluation contexts C acceptable for Q, Q', V, for all channels c and bitstrings a, |Pr[C[Q] ⇝_η c〈a〉] − Pr[C[Q'] ⇝_η c〈a〉]| is negligible.

Intuitively, the goal of the adversary represented by context C is to distinguish Q from Q'. When it succeeds, it performs a different output, for example c〈0〉 when it has recognized Q and c〈1〉 when it has recognized Q'. When Q ≈_V Q', the context has negligible probability of distinguishing Q from Q'.

The unusual requirement on variables of C comes from the presence of arrays and of the associated find construct which gives C direct access to variables of Q and Q': the context C is allowed to access variables of Q and Q' only when they are in V. (In more standard settings, the calculus does not have constructs that allow the context to access variables of Q and Q'.) The following result is not difficult to prove:

Lemma 1 ≈_V is an equivalence relation, and Q ≈_V Q' implies that C[Q] ≈_{V'} C[Q'] for all evaluation contexts C acceptable for Q, Q', V and all V' ⊆ V ∪ (var(C) \ (var(Q) ∪ var(Q'))).

We denote by Q ≈_V^0 Q' the particular case in which for all evaluation contexts C acceptable for Q, Q', V, for all channels c and bitstrings a, Pr[C[Q] ⇝_η c〈a〉] = Pr[C[Q'] ⇝_η c〈a〉]. When V is empty, we write Q ≈ Q' instead of Q ≈_V Q' and Q ≈^0 Q' instead of Q ≈_V^0 Q'.

3 Game Transformations

In this section, we describe the game transformations that allow us to transform the process that represents the initial protocol into a process on which the desired security property can be proved directly, by criteria given in Section 4. These transformations are parametrized by the set V of variables that the context can access. As we shall see in Section 4, V contains variables that we would like to prove secret. (The context will contain test queries that access these variables.) These transformations transform a process Q_0 into a process Q'_0 such that Q_0 ≈_V Q'_0.

3.1 Syntactic Transformations

RemoveAssign(x): When x is defined by an assignment let x[i_1, ..., i_l] : T = M in P, we replace x with its value. Precisely, the transformation is performed only when x does not occur in M (non-cyclic assignment). When x has several definitions, we simply replace x[i_1, ..., i_l] with M in P. (For accesses to x guarded by find, we do not know which definition of x is actually used.) When x has a single definition, we replace everywhere in the game x[M_1, ..., M_l] with M{M_1/i_1, ..., M_l/i_l}. We additionally update the defined conditions of find to preserve Invariant 2 and to make sure that, if a condition of find guarantees that x[M_1, ..., M_l] is defined in the initial game, then so does the corresponding condition of find in the transformed game. (Essentially, when y[M'_1, ..., M'_{l'}] occurs in M, the transformation typically creates new occurrences of y[M''_1, ..., M''_{l'}] for some M''_1, ..., M''_{l'}, so the condition that y[M''_1, ..., M''_{l'}] is defined must sometimes be explicitly added to conditions of find in order to preserve Invariant 2.) When x ∈ V, its definition is kept unchanged. Otherwise, when x is not referred to at all after the transformation, we remove the definition of x. When x is referred to only at the root of defined tests, we replace its definition with a constant. (The definition point of x is important, but not its value.)

Example 2 In the process of Example 1, the transformation RemoveAssign(x_mk) substitutes mkgen(x'_r) for x_mk in the whole process and removes the assignment let x_mk : T_mk = mkgen(x'_r). After this substitution, mac(x_m, x_mk) becomes mac(x_m, mkgen(x'_r)) and check(x'_m, x_mk, x_ma) becomes check(x'_m, mkgen(x'_r), x_ma), thus exhibiting terms required in Section 3.2. The situation is similar for RemoveAssign(x_k).

SArename(x): The transformation SArename (single assignment rename) aims at renaming variables so that each variable has a single definition in the game; this is useful for distinguishing cases depending on which definition of x has set x[i]. This transformation can be applied only when x ∉ V. When x has m > 1 definitions, we rename each definition of x to a different variable x_1, ..., x_m. Terms x[i] under a definition of x_j[i] are then replaced with x_j[i]. Each branch of find FB = u[i] ≤ n suchthat defined(M'_1, ..., M'_{l'}) ∧ M then P where x[M_1, ..., M_l] is a subterm of some M'_k for k ≤ l' is replaced with m branches FB{x_j[M_1, ..., M_l]/x[M_1, ..., M_l]} for 1 ≤ j ≤ m.


A Computationally Sound Mechanized Prover for Security Protocols 279

Example 3 Consider the following process

    start(); new r_A : T_r; let k_A : T_k = kgen(r_A) in
    new r_B : T_r; let k_B : T_k = kgen(r_B) in yield〈〉; (Q_K | Q_S)
    Q_K = !^{i≤n} c[i](h : T_h, k : T_k)
          if h = A then let k' : T_k = k_A in yield〈〉 else
          if h = B then let k' : T_k = k_B in yield〈〉 else
          let k' : T_k = k in yield〈〉
    Q_S = !^{i'≤n'} c'[i'](h' : T_h); find u ≤ n suchthat
          defined(h[u], k'[u]) ∧ h' = h[u] then P_1(k'[u]) else P_2

The process Q_K stores in (h, k') a table of pairs (host name, key): the key for A is k_A, for B, k_B, and for any other h, the adversary can choose the key k. The process Q_S queries this table of keys to find the key k'[u] of host h', then executes P_1(k'[u]). If h' is not found, it executes P_2.

By the transformation SArename(k'), we can perform a case analysis, to distinguish the cases in which k' = k_A, k' = k_B, or k' = k. After transformation, we obtain the following processes:

    Q'_K = !^{i≤n} c[i](h : T_h, k : T_k)
           if h = A then let k'_1 : T_k = k_A in yield〈〉 else
           if h = B then let k'_2 : T_k = k_B in yield〈〉 else
           let k'_3 : T_k = k in yield〈〉
    Q'_S = !^{i'≤n'} c'[i'](h' : T_h);
           find u ≤ n suchthat defined(h[u], k'_1[u]) ∧ h' = h[u] then P_1(k'_1[u])
           ⊕ u ≤ n suchthat defined(h[u], k'_2[u]) ∧ h' = h[u] then P_1(k'_2[u])
           ⊕ u ≤ n suchthat defined(h[u], k'_3[u]) ∧ h' = h[u] then P_1(k'_3[u])
           else P_2

After the simplification (sketched below), Q'_S becomes:

    Q''_S = !^{i'≤n'} c'[i'](h' : T_h);
            find u ≤ n suchthat defined(h[u], k'_1[u]) ∧ h' = A then P_1(k_A)
            ⊕ u ≤ n suchthat defined(h[u], k'_2[u]) ∧ h' = B then P_1(k_B)
            ⊕ u ≤ n suchthat defined(h[u], k'_3[u]) ∧ h' = h[u] then P_1(k[u])
            else P_2

since, when k'_1[u] is defined, k'_1[u] = k_A and h[u] = A, and similarly for k'_2[u] and k'_3[u].

Simplify: The prover uses a simplification algorithm, based on an equational prover, using an algorithm similar to the Knuth-Bendix completion [29]. This equational prover uses:

• User-defined equations, of the form ∀x_1 : T_1, ..., ∀x_m : T_m, M which mean that for all environments E, if for all j ≤ m, E(x_j) ∈ I_η(T_j), then E, M ⇓ true. For example, considering MAC and encryption schemes as in Definitions 1 and 2 respectively, we have:

    ∀r : T_mr, ∀m : bitstring,
      check(m, mkgen(r), mac(m, mkgen(r))) = true                 (mac)
    ∀m : bitstring, ∀r : T_r, ∀r' : T'_r,
      dec(enc(m, kgen(r), r'), kgen(r)) = i_⊥(m)                  (enc)

  We express the poly-injectivity of the function k2b of Example 1 by

    ∀x : T_k, ∀y : T_k, (k2b(x) = k2b(y)) = (x = y)
    ∀x : T_k, k2b^{-1}(k2b(x)) = x                                 (k2b)

  where k2b^{-1} is a function symbol that denotes the inverse of k2b. We have similar formulas for i_⊥.

• Equations that come from the process. For example, in the process if M then P else P', we have M = true in P and M = false in P'.

• The low probability of collision between random values. For example, when x is defined by new x : T and T is a large type, x[M_1, ..., M_m] = x[M'_1, ..., M'_m] implies M_1 = M'_1, ..., M_m = M'_m up to negligible probability.

  Similarly, when 1) x is defined by new x : T and T is a large type, 2) for each value of M_1, there is at most one value of x (or of a part of x of a large type) that can yield that value of M_1, and 3) M_2 does not depend on x, then M_1 ≠ M_2 up to negligible probability. The fact that M_2 does not depend on x is proved using a dependency analysis.

The prover combines these properties to simplify terms, and uses simplified forms of terms to simplify processes. For example, if M simplifies to true, then if M then P else P' simplifies to P. Similarly, a branch of find is removed when the associated condition simplifies to false.

Details on the simplification procedure can be found in Appendix C and the proof of the following proposition in Appendix E.1.

Proposition 1 Let Q_0 be a process that satisfies Invariants 1, 2, and 3 and Q'_0 the process obtained from Q_0 by one of the transformations above. Then Q'_0 satisfies Invariants 1, 2, and 3, and Q_0 ≈_V Q'_0.

3.2 Applying the Definition of Security of Primitives

The security of cryptographic primitives is defined using observational equivalences given as axioms. Importantly, this formalism allows us to specify many different primitives in a generic way. Such equivalences are then used by the prover in order to transform a game into another, observationally equivalent game, as explained below in this section.


The primitives are specified using equivalences of the form (G_1, ..., G_m) ≈ (G'_1, ..., G'_m) where G is defined by the following grammar, with l ≥ 0 and m ≥ 1:

    G  ::= !^{i≤n} new y_1 : T_1; ...; new y_l : T_l; (G_1, ..., G_m)    group of functions: replication, restrictions
         | (x_1 : T_1, ..., x_l : T_l) → FP                              function
    FP ::= M                                                             functional process: term
         | new x[ĩ] : T; FP                                              random number
         | let x[ĩ] : T = M in FP                                        assignment
         | find (⊕_{j=1}^{m} u_j[ĩ] ≤ n_j suchthat defined(M_{j1}, ..., M_{jl_j}) ∧ M_j then FP_j) else FP
                                                                         array lookup

Intuitively, (x_1 : T_1, ..., x_l : T_l) → FP represents a function that takes as argument values x_1, ..., x_l of types T_1, ..., T_l respectively and returns a result computed by FP. The observational equivalence (G_1, ..., G_m) ≈ (G'_1, ..., G'_m) expresses that the adversary has a negligible probability of distinguishing functions in the left-hand side from corresponding functions in the right-hand side. Formally, functions can be encoded as processes that input their arguments and output their result on a channel, as shown in Figure 2: [[FP]]^{j̃}_{ĩ} denotes the translation of the functional process FP into an output process; [[G]]^{j̃}_{ĩ} denotes the translation of the group of functions G into an input process. The translation of !^{i≤n} new y_1 : T_1; ...; new y_l : T_l; (G_1, ..., G_m) inputs and outputs on channel c_{j̃} so that the context can trigger the generation of random numbers y_1, ..., y_l. The translation of (x_1 : T_1, ..., x_l : T_l) → FP inputs the arguments of the function on channel c_{j̃} and translates FP, which outputs the result of FP on c_{j̃}. (In the left-hand side of equivalences, the result FP of functions must simply be a term M.) The observational equivalence (G_1, ..., G_m) ≈ (G'_1, ..., G'_m) is then an abbreviation for [[(G_1, ..., G_m)]] ≈ [[(G'_1, ..., G'_m)]].

For example, the security of a MAC (Definition 1) is represented by the equivalence L ≈ R where:

    L = !^{i''≤n''} new r : T_mr; (
          !^{i≤n} (x : bitstring) → mac(x, mkgen(r)),
          !^{i'≤n'} (m : bitstring, ma : T_ms) → check(m, mkgen(r), ma))
    R = !^{i''≤n''} new r : T_mr; (
          !^{i≤n} (x : bitstring) → mac'(x, mkgen'(r)),
          !^{i'≤n'} (m : bitstring, ma : T_ms) →
            find u ≤ n suchthat defined(x[u]) ∧ (m = x[u])
            ∧ check'(m, mkgen'(r), ma) then true else false)        (maceq)

where mac', check', and mkgen' are function symbols with the same types as mac, check, and mkgen respectively. (We use different function symbols on the left- and right-hand sides, just to prevent a repeated application of the transformation induced by this equivalence. Since we add these function symbols, we also add the equation

    ∀r : T_mr, ∀m : bitstring,
      check'(m, mkgen'(r), mac'(m, mkgen'(r))) = true                 (mac')

which restates (mac) for mac', check', and mkgen'.) Intuitively, the equivalence L ≈ R leaves MAC computations unchanged (except for the use of primed function symbols in R), and allows one to replace a MAC checking check(m, mkgen(r), ma) with a lookup in the array x of messages whose mac has been computed with key mkgen(r): if m is found in the array x and check(m, mkgen(r), ma), we return true; otherwise, the check fails (up to negligible probability), so we return false. (If the check succeeded with m not in the array x, the adversary would have forged a MAC.) Obviously, the form of L requires that r is used only to compute or check MACs, for the equivalence to be correct. Formally, the following result shows the correctness of our modeling. It is a fairly easy consequence of Definition 1, and is proved in Appendix E.3.

Proposition 2 If (mkgen, mac, check) is a UF-CMA message authentication code, I_η(mkgen') = I_η(mkgen), I_η(mac') = I_η(mac), and I_η(check') = I_η(check), then [[L]] ≈ [[R]].
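The two sides of (maceq), as an added example that is not part of the paper or of CryptoVerif: L and R are written as Python oracle objects so that the array lookup replacing check(m, mkgen(r), ma) can be exercised. It assumes HMAC-SHA256 as a stand-in for (mkgen, mac, check) and interprets mac', check', mkgen' by the same functions, as Proposition 2 does.

```python
# Added example (not code from the paper or from CryptoVerif): the left and
# right sides of the MAC equivalence (maceq) as Python oracles.  Assumptions:
# HMAC-SHA256 stands in for (mkgen, mac, check), and the primed symbols mac',
# check', mkgen' are interpreted by the same functions, as in Proposition 2.
import hashlib
import hmac
import secrets
from typing import Optional


def mkgen(r: bytes) -> bytes:
    """Key generation from coins r : T_mr (constructed stand-in)."""
    return hashlib.sha256(b"mkgen|" + r).digest()


def mac(x: bytes, k: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()


def check(m: bytes, k: bytes, ma: bytes) -> bool:
    return hmac.compare_digest(mac(m, k), ma)


class LeftGame:
    """L: new r : T_mr; (x) -> mac(x, mkgen(r)), (m, ma) -> check(m, mkgen(r), ma)."""

    def __init__(self, r: Optional[bytes] = None) -> None:
        self.k = mkgen(r if r is not None else secrets.token_bytes(32))

    def mac_oracle(self, x: bytes) -> bytes:
        return mac(x, self.k)

    def check_oracle(self, m: bytes, ma: bytes) -> bool:
        return check(m, self.k, ma)


class RightGame:
    """R: same mac oracle, but the check is
       find u <= n suchthat defined(x[u]) and m = x[u]
                        and check'(m, mkgen'(r), ma) then true else false."""

    def __init__(self, r: Optional[bytes] = None) -> None:
        self.k = mkgen(r if r is not None else secrets.token_bytes(32))
        self.x = []   # the array x[u]: every message a mac query was made on

    def mac_oracle(self, x: bytes) -> bytes:
        self.x.append(x)   # x[u] becomes defined for this query u
        return mac(x, self.k)

    def check_oracle(self, m: bytes, ma: bytes) -> bool:
        # The find succeeds only for a message that was passed to mac_oracle;
        # a valid tag on any other m would be a UF-CMA forgery.
        return any(m == xu for xu in self.x) and check(m, self.k, ma)


def run_queries(game) -> list:
    """A fixed adversary: two honest tags, a tampered tag, a tag of another
    message, and a never-MACed message.  Returns the check answers in order."""
    m1, m2, fresh = b"msg-1", b"msg-2", b"never-MACed"
    t1, t2 = game.mac_oracle(m1), game.mac_oracle(m2)
    tampered = bytes([t1[0] ^ 1]) + t1[1:]
    return [
        game.check_oracle(m1, t1),         # genuine: true in both games
        game.check_oracle(m2, t2),         # genuine: true in both games
        game.check_oracle(m1, tampered),   # wrong tag: false in both games
        game.check_oracle(m1, t2),         # tag of another message: false
        game.check_oracle(fresh, t1),      # m not in the array x: false
    ]


def games_agree(r: bytes) -> bool:
    """Same coins r on both sides: this adversary sees identical answers."""
    return run_queries(LeftGame(r)) == run_queries(RightGame(r))


def forgery_separates(r: bytes) -> bool:
    """Only a valid tag on a message never passed to mac_oracle separates L
    from R; producing one here uses the key, which the adversary of (maceq)
    never sees.  This is why R answers false only 'up to negligible
    probability' rather than exactly as L does."""
    left, right = LeftGame(r), RightGame(r)
    forged_m = b"not-in-array"
    forged_tag = mac(forged_m, left.k)   # needs the secret key
    return (left.check_oracle(forged_m, forged_tag)
            and not right.check_oracle(forged_m, forged_tag))
```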

Similarly, if (kgen, enc, dec) is an IND-CPA symmetric encryption scheme (Definition 2), then we have the following equivalence:

    !^{i'≤n'} new r : T_r; !^{i≤n} (x : bitstring) → new r' : T'_r; enc(x, kgen(r), r')
    ≈ !^{i'≤n'} new r : T_r; !^{i≤n} (x : bitstring) → new r' : T'_r; enc'(Z(x), kgen'(r), r')      (enceq)

where enc' and kgen' are function symbols with the same types as enc and kgen respectively, and Z : bitstring → bitstring is the function that returns a bitstring of the same length as its argument, consisting only of zeroes. Using equations such as ∀x : T, Z(T2b(x)) = Z_T, we can prove that Z(T2b(x)) does not depend on x when x is of a fixed-length type and T2b : T → bitstring is the natural injection. The representation of other primitives can be found in Appendix D.3. The equivalences that formalize the security assumptions on primitives are designed and proved correct by hand from security assumptions in a more standard form, as in the MAC example. Importantly, these manual proofs are done only once for each primitive, and the obtained equivalence can be reused for proving many different protocols automatically.

    [[(G_1, ..., G_m)]] = [[G_1]]^1 | ... | [[G_m]]^m
    [[!^{i≤n} new y_1 : T_1; ...; new y_l : T_l; (G_1, ..., G_m)]]^{j̃}_{ĩ}
        = !^{i≤n} c_{j̃}[ĩ, i](); new y_1 : T_1; ...; new y_l : T_l; c_{j̃}[ĩ, i]〈〉;
          ([[G_1]]^{j̃,1}_{ĩ,i} | ... | [[G_m]]^{j̃,m}_{ĩ,i})
    [[(x_1 : T_1, ..., x_l : T_l) → FP]]^{j̃}_{ĩ} = c_{j̃}[ĩ](x_1 : T_1, ..., x_l : T_l); [[FP]]^{j̃}_{ĩ}
    [[M]]^{j̃}_{ĩ} = c_{j̃}[ĩ]〈M〉
    [[new x[ĩ] : T; FP]]^{j̃}_{ĩ} = new x[ĩ] : T; [[FP]]^{j̃}_{ĩ}
    [[let x[ĩ] : T = M in FP]]^{j̃}_{ĩ} = let x[ĩ] : T = M in [[FP]]^{j̃}_{ĩ}
    [[find (⊕_{j=1}^{m} u_j[ĩ] ≤ n_j suchthat defined(M_{j1}, ..., M_{jl_j}) ∧ M_j then FP_j) else FP]]^{j̃}_{ĩ}
        = find (⊕_{j=1}^{m} u_j[ĩ] ≤ n_j suchthat defined(M_{j1}, ..., M_{jl_j}) ∧ M_j then [[FP_j]]^{j̃}_{ĩ}) else [[FP]]^{j̃}_{ĩ}

    where the c_{j̃} are pairwise distinct channels, ĩ = i_1, ..., i_{l'}, and j̃ = j_0, ..., j_{l'}.

    Figure 2: Translation from functional processes to processes

We use such equivalences L ≈ R in order to transform a process Q_0 observationally equivalent to C[[[L]]] into a process Q'_0 observationally equivalent to C[[[R]]], for some evaluation context C. In order to check that Q_0 ≈_V C[[[L]]], the prover uses sufficient conditions, which essentially guarantee that all uses of certain secret variables of Q_0, in a set S, can be implemented by calling functions of L. Let ℳ be a set of occurrences of terms corresponding to uses of variables of S. Informally, the prover shows the following properties.

• For each M ∈ ℳ, there exist a term N_M, which is the result of a function of L, and a substitution σ_M such that M = σ_M N_M. (Precisely, σ_M applies to the abbreviated form of N_M in which we write x instead of x[ĩ].) Intuitively, the evaluation of M in Q_0 will correspond to a call to the function with result N_M in C[[[L]]].

• The variables of S do not occur in V, are bound by restrictions in Q_0, and occur only in terms M = σ_M N_M ∈ ℳ in Q_0, at occurrences that are images by σ_M of variables bound by restrictions in L. (To be precise, the variables of S are also allowed to occur at the root of defined conditions; in that case, their value does not matter, just the fact that they are defined.)

• Let ĩ and ĩ' be the sequences of current replication indices at N_M in L and at M in Q_0, respectively. The prover shows that there exists a function mapIdx_M that maps the array indices at M in Q_0 to the array indices at N_M in L: the evaluation of M when ĩ' = a will correspond in C[[[L]]] to the evaluation of N_M when ĩ = mapIdx_M(a). Thus, σ_M and mapIdx_M induce a correspondence between terms and variables of Q_0 and variables of L: for all M ∈ ℳ, for all x[ĩ''] that occur in N_M, (σ_M x){a/ĩ'} corresponds to x[ĩ'']{mapIdx_M(a)/ĩ}, that is, (σ_M x){a/ĩ'} in a trace of Q_0 has the same value as x[ĩ'']{mapIdx_M(a)/ĩ} in the corresponding trace of C[[[L]]] (ĩ'' is a prefix of ĩ). We detail below conditions that this correspondence has to satisfy.

For example, consider a process Q_0 that contains M_1 = enc(M'_1, kgen(x_r), x'_r[i_1]) under a replication !^{i_1≤n_1} and M_2 = enc(M'_2, kgen(x_r), x''_r[i_2]) under a replication !^{i_2≤n_2}, where x_r, x'_r, x''_r are bound by restrictions. Let S = {x_r, x'_r, x''_r}, ℳ = {M_1, M_2}, and N_{M_1} = N_{M_2} = enc(x[i', i], kgen(r[i']), r'[i', i]). The functions mapIdx_{M_1} and mapIdx_{M_2} are defined by

    mapIdx_{M_1}(a_1) = (1, a_1)              for a_1 ∈ [1, I_η(n_1)]
    mapIdx_{M_2}(a_2) = (1, a_2 + I_η(n_1))   for a_2 ∈ [1, I_η(n_2)]

Then M'_1{a_1/i_1} corresponds to x[1, a_1], x_r to r[1], x'_r[a_1] to r'[1, a_1], M'_2{a_2/i_2} to x[1, a_2 + I_η(n_1)], and x''_r[a_2] to r'[1, a_2 + I_η(n_1)]. The functions mapIdx_{M_1} and mapIdx_{M_2} are such that x'_r[a_1] and x''_r[a_2] never correspond to the same cell of r'; indeed, x'_r[a_1] and x''_r[a_2] are independent random numbers in Q_0, so their images in C[[[L]]] must also be independent random numbers.

The above correspondence must satisfy the following soundness conditions:

• when x is a function argument in L, the term that corresponds to x[a'] must have the same type as x[a'], and when two terms correspond to the same x[a'], they must evaluate to the same value;

• when x is bound by new x : T in L, the term that corresponds to x[a'] must evaluate to z[a''] where z ∈ S and z is bound by new z : T in Q_0, and the relation that associates z[a''] to x[a'] is an injective function (so that independent random numbers in L correspond to independent random numbers in Q_0).

It is easy to check that, in the previous example, these conditions are satisfied.

The transformation of Q_0 into Q'_0 consists in two steps. First, we replace the restrictions that define variables of S with restrictions that define fresh variables corresponding to variables bound by new in R. The correspondence between variables of Q_0 and variables of C[[[L]]] is extended to include these fresh variables. Second, we reorganize Q_0 so that each evaluation of a term M ∈ ℳ first stores the values of the arguments x_1, ..., x_m of the function (x_1 : T_1, ..., x_m : T_m) → N_M in fresh variables, then computes N_M and stores its result in a fresh variable, and uses this variable instead of M; then we simply replace the computation of N_M with the corresponding functional process of R, taking into account the correspondence of variables.

The full formal description of this transformation is given in Appendix D.1. The following proposition shows the soundness of the transformation and is proved in Appendix E.4.

Proposition 3 Let Q_0 be a process that satisfies Invariants 1, 2, and 3 and Q'_0 the process obtained from Q_0 by the above transformation. Then Q'_0 satisfies Invariants 1, 2, and 3 and, if [[L]] ≈ [[R]] for all polynomials maxlen_η(c_{j_0, ..., j_l}) and I_η(n) where n is any replication bound of L or R, then Q_0 ≈_V Q'_0.

Example 4 In order to treat Example 1, the prover is given as input the indication that T_mr, T_r, T'_r, and T_k are fixed-length types; the type declarations for the functions mkgen, mkgen' : T_mr → T_mk, mac, mac' : bitstring × T_mk → T_ms, check, check' : bitstring × T_mk × T_ms → bool, kgen, kgen' : T_r → T_k, enc, enc' : bitstring × T_k × T'_r → T_e, dec : T_e × T_k → bitstring_⊥, k2b : T_k → bitstring, i_⊥ : bitstring → bitstring_⊥, Z : bitstring → bitstring, and the constant Z_k : bitstring; the equations (mac), (mac'), (enc), and ∀x : T_k, Z(k2b(x)) = Z_k (which expresses that all keys have the same length); the indication that k2b and i_⊥ are poly-injective (which generates the equations (k2b) and similar equations for i_⊥); equivalences L ≈ R for MAC (maceq) and encryption (enceq); and the process Q_0 of Example 1.

The prover first applies RemoveAssign(x_mk) to the process Q_0 of Example 1, as described in Example 2. The process can then be transformed using the security of the MAC. Let S = {x'_r}, M_1 = mac(x_m[i], mkgen(x'_r)), M_2 = check(x'_m[i'], mkgen(x'_r), x_ma[i']), and ℳ = {M_1, M_2}. We have N_{M_1} = mac(x[i'', i], mkgen(r[i''])), N_{M_2} = check(m[i'', i'], mkgen(r[i'']), ma[i'', i']), mapIdx_{M_1}(a_1) = (1, a_1), and mapIdx_{M_2}(a_2) = (1, a_2), so x_m[a_1] corresponds to x[1, a_1], x'_r to r[1], x'_m[a_2] to m[1, a_2], and x_ma[a_2] to ma[1, a_2].

After transformation, we get the following process Q'_0:

    Q'_0 = start(); new x_r : T_r; let x_k : T_k = kgen(x_r) in
           new x'_r : T_mr; c〈〉; (Q'_A | Q'_B)
    Q'_A = !^{i≤n} c_A[i](); new x'_k : T_k; new x''_r : T'_r;
           let x_m : bitstring = enc(k2b(x'_k), x_k, x''_r) in
           c_A[i]〈x_m, mac'(x_m, mkgen'(x'_r))〉
    Q'_B = !^{i'≤n} c_B[i'](x'_m, x_ma);
           find u ≤ n suchthat defined(x_m[u]) ∧ x'_m = x_m[u] ∧
             check'(x'_m, mkgen'(x'_r), x_ma) then
             (if true then let i_⊥(k2b(x''_k)) = dec(x'_m, x_k) in c_B[i']〈〉)
           else
             (if false then let i_⊥(k2b(x''_k)) = dec(x'_m, x_k) in c_B[i']〈〉)

The initial definition of x'_r is removed and replaced with a new definition, which we still call x'_r. The term mac(x_m, mkgen(x'_r)) is replaced with mac'(x_m, mkgen'(x'_r)). The term check(x'_m, mkgen(x'_r), x_ma) becomes find u ≤ n suchthat defined(x_m[u]) ∧ x'_m = x_m[u] ∧ check'(x'_m, mkgen'(x'_r), x_ma) then true else false, which yields Q'_B after transformation of functional processes into processes. The process looks up the message x'_m in the array x_m, which contains the messages whose MAC has been computed with key mkgen(x'_r). If the MAC of x'_m has never been computed, the check always fails (it returns false) by the definition of security of the MAC. Otherwise, it returns true when check'(x'_m, mkgen'(x'_r), x_ma).

After applying Simplify, Q'_A is unchanged and Q'_B becomes

    Q''_B = !^{i'≤n} c_B[i'](x'_m, x_ma);
            find u ≤ n suchthat defined(x_m[u], x'_k[u]) ∧
              x'_m = x_m[u] ∧ check'(x'_m, mkgen'(x'_r), x_ma) then
              let x''_k : T_k = x'_k[u] in c_B[i']〈〉

First, the tests if true then ... and if false then ... are simplified. The term dec(x'_m, x_k) is simplified knowing x'_m = x_m[u] by the find condition, x_m[u] = enc(k2b(x'_k[u]), x_k, x''_r[u]) by the assignment that defines x_m, x_k = kgen(x_r) by the assignment that defines x_k, and dec(enc(m, kgen(r), r'), kgen(r)) = i_⊥(m) by (enc). So we have dec(x'_m, x_k) = i_⊥(k2b(x'_k[u])). By injectivity of i_⊥ and k2b, the assignment to x''_k simply becomes x''_k = x'_k[u], using the equations ∀x : bitstring, i_⊥^{-1}(i_⊥(x)) = x and ∀x : T_k, k2b^{-1}(k2b(x)) = x.

After applying RemoveAssign(x_k), we apply the security of encryption: enc(k2b(x'_k), kgen(x_r), x''_r) becomes enc'(Z(k2b(x'_k)), kgen(x_r), x''_r). After Simplify, it becomes enc'(Z_k, kgen(x_r), x''_r), using ∀x : T_k, Z(k2b(x)) = Z_k (which expresses that all keys have the same length). So we obtain the following game:

    Q''_0 = start(); new x_r : T_r; new x'_r : T_mr; c〈〉; (Q''_A | Q''_B)
    Q''_A = !^{i≤n} c_A[i](); new x'_k : T_k; new x''_r : T'_r;
            let x_m : bitstring = enc'(Z_k, kgen(x_r), x''_r) in
            c_A[i]〈x_m, mac'(x_m, mkgen'(x'_r))〉

where Q''_B remains as above.

Using arrays instead of lists simplifies this transformation: we do not need to add instructions that insert values in the list, since all variables are always implicitly arrays. Moreover, if there are several occurrences of mac(x_i, k) with the same key in the initial process, each check(m_j, k, ma_j) is replaced with a find with one branch for each occurrence of mac. Therefore, the prover distinguishes automatically the cases in which the checked MAC ma_j comes from each occurrence of mac, that is, it distinguishes cases depending on the value of i such that m_j = x_i. Typically, distinguishing these cases is useful in the following steps of the proof of the protocol. (A similar situation arises for other cryptographic primitives specified using find.)

4 Criteria for Proving Secrecy Properties

Let us now define syntactic criteria that allow us to prove secrecy properties of protocols. The proofs for these results can be found in Appendix E.5.


Definition 4 (One-session secrecy)The processQ preservesthe one-session secrecy ofx whenQ | Qx ≈ Q | Q

′x, where

Qx = c(u1 : [1, n1], . . . , um : [1, nm]);

if defined(x[u1, . . . , um]) then c〈x[u1, . . . , um]〉

Q′x = c(u1 : [1, n1], . . . , um : [1, nm]);

if defined(x[u1, . . . , um]) then new y : T ; c〈y〉

c /∈ fc(Q), u1, . . . , um, y /∈ var(Q), andE(x) = [1, n1]× . . .×[1, nm]→ T .

Intuitively, the adversary cannot distinguish a process that out-puts the value of the secret from one that outputs a random num-ber. The adversary performs a single test query, modeled byQx

andQ′x.

Proposition 4 (One-session secrecy)Consider a processQsuch that there exists a set of variablesS such that 1) the defi-nitions ofx are either restrictionsnew x[i] : T andx ∈ S, orassignmentslet x[i] : T = z[M1, . . . ,Ml] wherez is definedby restrictionsnew z[i′1, . . . , i

′l] : T , andz ∈ S, and 2) all ac-

cesses to variablesy ∈ S in Q are of the form “let y′ [i] : T ′ =y[M1, . . . ,Ml]” with y′ ∈ S. ThenQ | Qx ≈0 Q | Q

′x, hence

Q preserves the one-session secrecy ofx.

Intuitively, only the variables inS depend on the restriction thatdefinesx; the sent messages and the control flow of the processare independent ofx, so the adversary obtains no informationon x. In the implementation, the setS is computed by fixpointiteration, starting fromx or z and adding variablesy′ defined by“ let y′ [i] : T ′ = y[M1, . . . ,Ml]” wheny ∈ S.

Definition 5 (Secrecy) The processQ preserves the secrecy ofx whenQ | Rx ≈ Q | R

′x, where

Rx = !i≤nc(u1 : [1, n1], . . . , um : [1, nm]);

if defined(x[u1, . . . , um]) then c〈x[u1, . . . , um]〉

R′x = !i≤nc(u1 : [1, n1], . . . , um : [1, nm]);

if defined(x[u1, . . . , um]) then

find u′ ≤ n suchthat defined(y[u′], u1[u′], . . . , um[u′])

∧ u1[u′] = u1 ∧ . . . ∧ um[u′] = um

then c〈y[u′]〉 else new y : T ; c〈y〉

c /∈ fc(Q), u1, . . . , um, u′, y /∈ var(Q), E(x) = [1, n1]× . . .×

[1, nm]→ T , andIη(n) ≥ Iη(n1)× . . .× Iη(nm).

Intuitively, the adversary cannot distinguish a process that out-puts the value of the secret for several indices from one thatoutputs independent random numbers. In this definition, thead-versary can perform several test queries, modeled byRx andR′x. This corresponds to the “real-or-random” definition of se-curity [4]. (As shown in [4], this notion is stronger than themore standard approach in which the adversary can perform asingle test query and some reveal queries, which always revealx[u1, . . . , um].)

Proposition 5 (Secrecy)Assume thatQ satisfies the hypothesisof Proposition 4.

WhenT is a trace ofC[Q] for some evaluation contextC,we definedefRestrT (x[a]), the defining restriction ofx[a] intrace T , as follows: if x[a] is defined bynew x[a] : T inT , defRestrT (x[a]) = x[a]; if x[a] is defined bylet x[a] :T = z[M1, . . . ,Ml], defRestrT (x[a]) = z[a′1, . . . , a

′l] where

E,Mk ⇓ a′k for all k ≤ l andE is the environment inT at the

definition ofx[a].

Assume that for all evaluation contextsC acceptable forQ,0, {x}, the probabilityPr[∃(T , a, a′), C[Q] reduces accordingto T ∧ a 6= a′ ∧ defRestrT (x[a]) = defRestrT (x[a′])] is neg-ligible. ThenQ preserves the secrecy ofx.

The last hypothesis can be verified using the same equationalprover as forSimplify in Section 3.1, as detailed in Ap-pendix E.2. Intuitively, this hypothesis guarantees that whena 6= a′, we havedefRestrT (x[a]) 6= defRestrT (x[a′]) exceptin cases of negligible probability, sox[a] andx[a′] are definedby different restrictions, so they are independent random num-bers.

As we show in [18], this notion of secrecy composed with correspondence assertions [48] can be used to prove security of a key exchange. (Correspondence assertions are properties of the form "if some event e(M) has been executed then some events ei(Mi) for i ≤ m have been executed". We have recently implemented the verification of correspondence assertions in CryptoVerif [18].)

Lemma 2 If Q ≈_{{x}} Q' and Q preserves the one-session secrecy of x then Q' preserves the one-session secrecy of x. The same result holds for secrecy.

We can then apply the following technique. When we want to prove that Q0 preserves the (one-session) secrecy of x, we transform Q0 by the transformations described in Section 3 with V = {x}. By Propositions 1 and 3, we obtain a process Q'0 such that Q0 ≈_V Q'0. We use Propositions 4 or 5 to show that Q'0 preserves the (one-session) secrecy of x and finally conclude that Q0 also preserves the (one-session) secrecy of x by Lemma 2.

Example 5 After the transformations of Example 4, the only variable access to x'k in the considered process is let x''k : Tk = x'k[u] and x''k is not used in the considered process. So by Proposition 4, the considered process preserves the one-session secrecy of x''k (with S = {x'k, x''k}). By Lemma 2, the process of Example 1 also preserves the one-session secrecy of x''k. However, this process does not preserve the secrecy of x''k, because the adversary can force several sessions of B to use the same key x''k, by replaying the message sent by A. (Accordingly, the hypothesis of Proposition 5 is not satisfied.)
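The real-or-random game defined by R_x and R'_x, and the replay scenario of Example 5, can be made concrete in the following added simulation (illustrative code written for this edition, not part of the paper and not CryptoVerif's own code). It models the table x[u] together with the defining restriction of each cell, the two test-query processes as Python oracles, and the adversary of Example 5, which compares the keys returned for two sessions. The restriction names such as ("k", (7,)) and the 16-byte key length are constructed sample values. The distinguisher's advantage is 1 when two distinct indices share a defining restriction (the hypothesis of Proposition 5 fails) and 0 when the indices are chosen by different restrictions or when a single index is queried twice (one-session secrecy), so the block generalizes the example to any table built by the two definition forms.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

Index = Tuple[int, ...]        # replication indices (u1, ..., um) of one array cell
Restr = Tuple[str, Index]      # a defining restriction, e.g. ("k", (7,)) for k[7]
Oracle = Callable[[Index], Optional[bytes]]


class SecretTable:
    """Constructed model of the array x[u1, ..., um] of a process Q.

    A cell defined by `new x[a] : T` gets an independent random value and is its
    own defining restriction; a cell defined by `let x[a] : T = z[...]` copies the
    value of the restriction z[...] and inherits it as defRestr(x[a]).
    """

    def __init__(self, nbytes: int = 16) -> None:
        self.nbytes = nbytes
        self.values: Dict[Index, bytes] = {}          # E restricted to the cells of x
        self.def_restr: Dict[Index, Restr] = {}       # defRestr_T(x[a]) for each defined a
        self.restrictions: Dict[Restr, bytes] = {}    # values chosen by `new`

    def define_by_new(self, a: Index) -> None:
        self.restrictions[("x", a)] = secrets.token_bytes(self.nbytes)
        self.values[a] = self.restrictions[("x", a)]
        self.def_restr[a] = ("x", a)

    def define_by_let(self, a: Index, z: Restr) -> None:
        # z[...] is itself chosen by a restriction; sample it on first use
        if z not in self.restrictions:
            self.restrictions[z] = secrets.token_bytes(self.nbytes)
        self.values[a] = self.restrictions[z]
        self.def_restr[a] = z

    def has_defrestr_collision(self) -> bool:
        """True iff some a != a' satisfy defRestr(x[a]) = defRestr(x[a']),
        i.e. the hypothesis of Proposition 5 is violated on this table."""
        seen: Dict[Restr, Index] = {}
        for a, r in self.def_restr.items():
            if r in seen:
                return True
            seen[r] = a
        return False


def real_oracle(t: SecretTable) -> Oracle:
    """R_x: a test query u outputs x[u] when x[u] is defined."""
    return lambda u: t.values.get(u)


def random_oracle(t: SecretTable) -> Oracle:
    """R'_x: a test query u outputs y[u'] if u was already queried (the find),
    otherwise a fresh random y; only definedness of x[u] is consulted."""
    y: Dict[Index, bytes] = {}

    def query(u: Index) -> Optional[bytes]:
        if u not in t.values:
            return None
        if u not in y:
            y[u] = secrets.token_bytes(t.nbytes)
        return y[u]

    return query


def equality_distinguisher(query: Oracle, a: Index, b: Index) -> bool:
    """Adversary of Example 5: answers "real" (True) when the two test
    queries return the same key."""
    va, vb = query(a), query(b)
    return va is not None and vb is not None and va == vb


def advantage(build_table: Callable[[], SecretTable], a: Index, b: Index,
              trials: int = 64) -> float:
    """Empirical |Pr[D = 1 with R_x] - Pr[D = 1 with R'_x]|."""
    wins_real = wins_rand = 0
    for _ in range(trials):
        t = build_table()
        wins_real += equality_distinguisher(real_oracle(t), a, b)
        wins_rand += equality_distinguisher(random_oracle(t), a, b)
    return abs(wins_real - wins_rand) / trials


def replayed_key_table() -> SecretTable:
    """Example 5: the message of A is replayed, so sessions 1 and 2 of B
    define x''k from the same restriction k[7] (constructed values)."""
    t = SecretTable()
    t.define_by_let((1,), ("k", (7,)))
    t.define_by_let((2,), ("k", (7,)))
    return t


def fresh_key_table() -> SecretTable:
    """Each session uses a key chosen by a different restriction."""
    t = SecretTable()
    t.define_by_let((1,), ("k", (7,)))
    t.define_by_let((2,), ("k", (8,)))
    t.define_by_new((3,))
    return t
```

The check has_defrestr_collision is the finite-table counterpart of the probabilistic hypothesis of Proposition 5: whenever it returns True the equality adversary wins with advantage 1, whereas a table with no collision gives it advantage 0 up to the negligible chance that two independent 16-byte strings coincide.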

The criteria given in this section might seem restrictive, but in fact, they should be sufficient for all protocols, provided the previous transformation steps are powerful enough to transform the protocol into a simpler protocol, on which these criteria can then be applied.


5 Proof Strategy

Up to now, we have described the available game transformations. Next, we explain how we organize these transformations in order to prove protocols.

At the beginning of the proof and after each successful cryptographic transformation (that is, a transformation of Section 3.2), the prover executes Simplify and tests whether the desired security properties are proved, as described in Section 4. If so, it stops.

In order to perform the cryptographic transformations and the other syntactic transformations, our proof strategy relies on the idea of advice. Precisely, the prover tries to execute each available cryptographic transformation in turn. When such a cryptographic transformation fails, it returns some syntactic transformations that could make the desired transformation work. (These are the advised transformations.) Then the prover tries to perform these syntactic transformations. If they fail, they may also suggest other advised transformations, which are then executed. When the syntactic transformations finally succeed, we retry the desired cryptographic transformation, which may succeed or fail, perhaps with new advised transformations, and so on.

The prover determines the advised transformations as follows:

• Assume that we try to execute a cryptographic transformation, and need to recognize a certain term M of L, but we find in Q0 only part of M, the other parts being variable accesses x[...] while we expect function applications. In this case, we advise RemoveAssign(x). For example, if Q0 contains enc(M', xk, x'r) and we look for enc(xm, kgen(xr), xr'), we advise RemoveAssign(xk). If Q0 contains let xk = mkgen(xr) and we look for mac(xm, mkgen(xr)), we also advise RemoveAssign(xk). (The transformation of Example 2 is advised for this reason.)

• When we try to execute RemoveAssign(x), x has several definitions, and there are accesses to variable x guarded by find in Q0, we advise SArename(x).

• When we check whether x is secret or one-session secret, we have an assignment let x[i] : T = y[M] in P, and there is at least one assignment defining y, we advise RemoveAssign(y).

• When we check whether x is secret or one-session secret, we have an assignment let x[i] : T = y[M] in P, y is defined by restrictions, y has several definitions, and some variable accesses to y are not of the form let y'[i'] : T = y[M'] in P', we advise SArename(y).

These pieces of advice are the only ones we use, but one may obviously extend them if needed.

6 Experimental Results

We have successfully tested our prover on a number of protocols given in the literature. All these protocols have been tested in a configuration in which the honest participants are willing to run sessions with the adversary, and we prove secrecy of keys for sessions between honest participants. In these examples, shared-key encryption is encoded using a symmetric encryption scheme and a MAC as in Example 1, public-key encryption is assumed to be IND-CCA2 (indistinguishability under adaptive chosen-ciphertext attacks) [14], public-key signature is assumed to be UF-CMA (unforgeability under chosen message attacks).

For each proof, the prover outputs the sequence of games it has built, a succinct explanation of the transformation performed between consecutive games, and an indication whether the proof succeeded or failed. When the proof fails, the prover still outputs a sequence of games, but the last game of this sequence does not show the desired property and cannot be transformed further by the prover. Manual inspection of this game often makes it possible to understand why the proof failed: because there is an attack (if there is an attack on the last game), because of a limitation of the prover (if it should in fact be able to prove the property or to transform the game further), or for other reasons (such as the protocol cannot be proved from the given assumptions; this situation may not lead immediately to a practical attack in the computational model).

Otway-Rees [42] We automatically prove the secrecy of the exchanged key.

Yahalom [20] For the original version of the protocol, our prover cannot show the one-session secrecy of the exchanged key, because the protocol is not secure, at least using encrypt-then-MAC as definition of encryption. Indeed, there is a confirmation round {NB}K where K is the exchanged key. This message may reveal some information on K. After removing this confirmation round, our prover shows the one-session secrecy of K. However, it cannot show the secrecy of K, since in the absence of a confirmation round, the adversary may force several sessions of Yahalom to use the same key.

Needham-Schroeder shared-key [40] As in the Yahalom protocol, a key confirmation round may reveal some information on the key. After removing this round, our prover shows the one-session secrecy of the exchanged key. It does not prove the secrecy of the exchanged key, because the adversary may force several sessions of the protocol to use the same key. Our prover shows the secrecy for the corrected version [41].

Denning-Sacco public-key [25] Our prover cannot show the one-session secrecy of the exchanged key, since there is an attack against this protocol [2]. The one-session secrecy of the exchanged key is proved for the corrected version [2]. Secrecy is not proved since the adversary can force several sessions of the protocol to use the same key. (We do not model timestamps in this protocol.) In contrast to the previous examples, we give the main proof steps to the prover manually, as follows:

SArename Rkey
crypto enc rkB
crypto sign rkS
crypto sign rkA
success


The variable Rkey defines a table of public keys and is assigned at three places, corresponding to principals A and B, and to other principals defined by the adversary (like the variable k' in Example 3). The instruction SArename Rkey allows us to distinguish these three cases. The instruction crypto enc rkB means that the prover should apply the definition of security of encryption (primitive enc), for the key generated from random number rkB. The instruction success means that the prover should check whether the desired security properties are proved.

Needham-Schroeder public-key [40] This protocol is an authentication protocol. Since our prover cannot check authentication yet, we transform it into a key exchange protocol in several ways, by choosing for the key either one of the nonces NA and NB shared between A and B, or H(NA, NB) where H is a hash function (in the random oracle model). When the key is H(NA, NB), the one-session secrecy of the key cannot be proved for the original protocol, due to the well-known attack [35]. For the corrected version [35], our prover shows secrecy of the key H(NA, NB). For both the original and the corrected versions, the prover cannot prove the one-session secrecy of NA or NB. For NB, the failure of the proof corresponds to an attack: the adversary can check whether it is given NB or a random number by sending {N'B}pkB to B as the last message of the protocol: B accepts if and only if N'B = NB. For NA, the failure of the proof comes from limitations of our prover: the prover cannot take into account that NA is accepted only after all messages that contain NA have been sent, which prevents the previous attack. (This is the only case in our examples where the failure of the proof comes from limitations of the prover. This problem could probably be solved by improving the transformation Simplify.) Like for the Denning-Sacco protocol, we provided the main proof steps to the prover manually, as follows when the distributed key is NA or NB:

SArename Rkey
crypto sign rkS
crypto enc rkA
crypto enc rkB
success

When the distributed key isH(NA, NB), the proof is as follows:

SArename Rkey
crypto sign rkS
crypto enc rkA
crypto enc rkB
crypto hash
SArename Na_39
simplify
success

The total runtime for all these tests is 77 s on a Pentium M 1.8 GHz, for version 1.03 of our prover CryptoVerif. These examples are included in the CryptoVerif distribution available at http://www.di.ens.fr/~blanchet/cryptoc-eng.html.

7 Related Work

Results that show the soundness of the Dolev-Yao model with respect to the computational model, e.g. [23,28,38], make it possible to use Dolev-Yao provers in order to prove protocols in the computational model. However, these results have limitations, in particular in terms of allowed cryptographic primitives (they must satisfy strong security properties so that they correspond to Dolev-Yao style primitives), and they require some restrictions on protocols (such as the absence of key cycles).

Several frameworks exist for formalizing proofs of protocols in the computational model. Backes, Pfitzmann, and Waidner [7,9,10] have designed an abstract cryptographic library including symmetric and public-key encryption, message authentication codes, signatures, and nonces and shown its soundness with respect to computational primitives, under arbitrary active attacks. Backes and Pfitzmann [8] relate the computational and formal notions of secrecy in the framework of this library. Recently, this framework has been used for a computationally-sound machine-checked proof of the Needham-Schroeder-Lowe protocol [46]. Canetti [21] introduced the notion of universal composability. With Herzog [22], they show how a Dolev-Yao-style symbolic analysis can be used to prove security properties of protocols within the framework of universal composability, for a restricted class of protocols using public-key encryption as only cryptographic primitive. Then, they use the automatic Dolev-Yao verification tool ProVerif [17] for verifying protocols in this framework. Lincoln, Mateus, Mitchell, Mitchell, Ramanathan, Scedrov, and Teague [33,34,36,39,43] developed a probabilistic polynomial-time calculus for the analysis of security protocols. They define a notion of process equivalence for this calculus, derive compositionality properties, and define an equational proof system for this calculus. Datta, Derek, Mitchell, Shmatikov, and Turuani [24] have designed a computationally sound logic that enables them to prove computational security properties using a logical deduction system. The frameworks mentioned in this paragraph can be used to prove security properties of protocols in the computational sense, but, except for [22] which relies on a Dolev-Yao prover and for the machine-checked proofs of [46], they have not been mechanized up to now, as far as we know.

Laud [30] designed an automatic analysis for proving secrecy for protocols using shared-key encryption, with passive adversaries. He extended it [31] to active adversaries, but with only one session of the protocol. This work is the closest to ours. We extend it considerably by handling more primitives and a polynomial number of sessions.

Recently, Laud [32] designed a type system for proving security protocols in the computational model. This type system handles shared-key and public-key encryption, with an unbounded number of sessions. This system relies on the Backes-Pfitzmann-Waidner library. A type inference algorithm is given in [6].

Barthe, Cederquist, and Tarento [11, 47] have formalized the generic model and the random oracle model in the interactive theorem prover Coq, and proved signature schemes in this framework. In contrast to our specialized prover, proofs in generic interactive theorem provers require a lot of human effort, in order to build a detailed enough proof for the theorem prover to check it.

Halevi [26] explains that implementing an automatic prover based on sequences of games would be useful and suggests ideas in this direction, but does not actually implement one.

8 Conclusion

This paper presents a prover for security protocols sound in the computational model. This prover works with no or very little help from the user, can handle a wide variety of cryptographic primitives in a generic way, and produces proofs valid for a polynomial number of sessions in the presence of an active adversary. Thus, it represents important progress with respect to previous work in this area.

We have recently extended our prover to provide exact security proofs (that is, proofs with an explicit probability of an attack, instead of the asymptotic result that this probability is negligible) [19] and to prove correspondence assertions [18]. In the future, it would also be interesting to handle even more cryptographic primitives, such as Diffie-Hellman key agreements. (The equivalence $!^{i \le n}\, \mathrm{new}\ a : T;\ \mathrm{new}\ b : T;\ (() \to g^a, () \to g^b, () \to g^{ab}) \approx\ !^{i \le n}\, \mathrm{new}\ a : T;\ \mathrm{new}\ b : T;\ \mathrm{new}\ c : T;\ (() \to g^a, () \to g^b, () \to g^c)$ models the decisional Diffie-Hellman assumption. However, it is not sufficient for our prover to handle protocols that use Diffie-Hellman key agreements, because the corresponding cryptographic transformation would require $g^{ab}$ to be formed only for $a$ and $b$ chosen in the same copy of a single replicated process, which is typically not the case: $a$ and $b$ are chosen by two different participants of the protocol. So a more involved equivalence is needed, and in fact the language of equivalences that we use to specify the security properties of primitives will need to be extended.)

The essential idea of simulating proofs by sequences of games in an automatic tool can be applied to any protocol or cryptographic scheme. However, our tool applies in a fairly direct way the security assumptions on the primitives and cannot perform deep mathematical reasoning. Therefore, it is best suited for proving security protocols that use rather high-level primitives such as encryption and signatures. It is more limited for proving the security of such primitives from lower-level primitives, since more subtle mathematical arguments are often needed.

Acknowledgments

I warmly thank David Pointcheval for his advice and explanations of the computational proofs of protocols. This project would not have been possible without him. I also thank Jacques Stern for initiating this work. This work was partly supported by the ANR project ARA SSIA Formacrypt.

References

[1] M. Abadi and J. Jürjens. Formal eavesdropping and its computational interpretation. In N. Kobayashi and B. Pierce, editors, Theoretical Aspects of Computer Software (TACS'01), volume 2215 of Lecture Notes on Computer Science, pages 82–94, Sendai, Japan, Oct. 2001. Springer.

[2] M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, 22(1):6–15, Jan. 1996.

[3] M. Abadi and P. Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology, 15(2):103–127, 2002.

[4] M. Abdalla, P.-A. Fouque, and D. Pointcheval. Password-based authenticated key exchange in the three-party setting. IEE Proceedings Information Security, 153(1):27–39, Mar. 2006.

[5] P. Adão, G. Bana, J. Herzog, and A. Scedrov. Soundness of formal encryption in the presence of key-cycles. In S. de Capitani di Vimercati, P. Syverson, and D. Gollmann, editors, Proceedings of the 10th European Symposium On Research In Computer Security (ESORICS 2005), volume 3679 of Lecture Notes on Computer Science, pages 374–396, Milan, Italy, Sept. 2005. Springer.

[6] M. Backes and P. Laud. Computationally sound secrecy proofs by mechanized flow analysis. In Proceedings of 13th ACM Conference on Computer and Communications Security (CCS'06), pages 370–379, Alexandria, VA, Nov. 2006. ACM.

[7] M. Backes and B. Pfitzmann. Symmetric encryption in a simulatable Dolev-Yao style cryptographic library. In 17th IEEE Computer Security Foundations Workshop, pages 204–218, Pacific Grove, CA, June 2004. IEEE.

[8] M. Backes and B. Pfitzmann. Relating symbolic and cryptographic secrecy. IEEE Transactions on Dependable and Secure Computing, 2(2):109–123, Apr. 2005.

[9] M. Backes, B. Pfitzmann, and M. Waidner. A composable cryptographic library with nested operations. In 10th ACM conference on Computer and communication security (CCS'03), pages 220–230, Washington D.C., Oct. 2003. ACM.

[10] M. Backes, B. Pfitzmann, and M. Waidner. Symmetric authentication within a simulatable cryptographic library. In E. Snekkenes and D. Gollman, editors, Computer Security - ESORICS 2003, 8th European Symposium on Research in Computer Security, volume 2808 of Lecture Notes on Computer Science, pages 271–290, Gjøvik, Norway, Oct. 2003. Springer.

[11] G. Barthe, J. Cederquist, and S. Tarento. A machine-checked formalization of the generic model and the random oracle model. In D. Basin and M. Rusinowitch, editors, Second International Joint Conference on Automated Reasoning (IJCAR'04), volume 3097 of Lecture Notes on Computer Science, pages 385–399, Cork, Ireland, July 2004. Springer.


[12] M. Baudet, V. Cortier, and S. Kremer. Computationally sound implementations of equational theories against passive adversaries. In L. Caires and L. Monteiro, editors, Proceedings of the 32nd International Colloquium on Automata, Languages and Programming (ICALP'05), volume 3580 of Lecture Notes on Computer Science, pages 652–663, Lisboa, Portugal, July 2005. Springer.

[13] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. In Proceedings of the 38th Symposium on Foundations of Computer Science (FOCS'97), pages 394–403, Miami Beach, Florida, Oct. 1997. IEEE. Full paper available at http://www-cse.ucsd.edu/users/mihir/papers/sym-enc.html.

[14] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions of security for public-key encryption schemes. In H. Krawczyk, editor, Advances in Cryptology – CRYPTO 1998, volume 1462 of Lecture Notes on Computer Science, pages 26–45, Santa Barbara, California, USA, Aug. 1998. Springer.

[15] M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences, 61(3):362–399, Dec. 2000.

[16] M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – Eurocrypt 2006 Proceedings, volume 4004 of Lecture Notes on Computer Science, pages 409–426, Saint Petersburg, Russia, May 2006. Springer. Extended version available at http://eprint.iacr.org/2004/331.

[17] B. Blanchet. Automatic proof of strong secrecy for security protocols. In IEEE Symposium on Security and Privacy, pages 86–100, Oakland, California, May 2004.

[18] B. Blanchet. Computationally sound mechanized proofs of correspondence assertions. In 20th IEEE Computer Security Foundations Symposium (CSF'07), pages 97–111, Venice, Italy, July 2007. IEEE. Extended version available as ePrint Report 2007/128, http://eprint.iacr.org/2007/128.

[19] B. Blanchet and D. Pointcheval. Automated security proofs with sequences of games. In C. Dwork, editor, Advances in Cryptology – CRYPTO 2006, volume 4117 of Lecture Notes on Computer Science, pages 537–554, Santa Barbara, CA, Aug. 2006. Springer.

[20] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. Proceedings of the Royal Society of London A, 426:233–271, 1989. A preliminary version appeared as Digital Equipment Corporation Systems Research Center report No. 39, February 1989.

[21] R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. In Proceedings of the 42nd Symposium on Foundations of Computer Science (FOCS), pages 136–145, Las Vegas, Nevada, Oct. 2001. IEEE. An updated version is available at Cryptology ePrint Archive, http://eprint.iacr.org/2000/067.

[22] R. Canetti and J. Herzog. Universally composable symbolic analysis of mutual authentication and key exchange protocols. In S. Halevi and T. Rabin, editors, Proceedings, Theory of Cryptography Conference (TCC'06), volume 3876 of Lecture Notes on Computer Science, pages 380–403, New York, NY, Mar. 2006. Springer. Extended version available at http://eprint.iacr.org/2004/334.

[23] V. Cortier and B. Warinschi. Computationally sound, automated proofs for security protocols. In M. Sagiv, editor, Proc. 14th European Symposium on Programming (ESOP'05), volume 3444 of Lecture Notes on Computer Science, pages 157–171, Edimbourg, U.K., Apr. 2005. Springer.

[24] A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, and M. Turuani. Probabilistic polynomial-time semantics for a protocol security logic. In L. Caires and L. Monteiro, editors, ICALP 2005: the 32nd International Colloquium on Automata, Languages and Programming, volume 3580 of Lecture Notes on Computer Science, pages 16–29, Lisboa, Portugal, July 2005. Springer.

[25] D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Commun. ACM, 24(8):533–536, Aug. 1981.

[26] S. Halevi. A plausible approach to computer-aided cryptographic proofs. Cryptology ePrint Archive, Report 2005/181, June 2005. Available at http://eprint.iacr.org/2005/181.

[27] J. Herzog. A computational interpretation of Dolev-Yao adversaries. Theoretical Computer Science, 340:57–81, June 2005.

[28] R. Janvier, Y. Lakhnech, and L. Mazaré. Completing the picture: Soundness of formal encryption in the presence of active adversaries. In M. Sagiv, editor, Proc. 14th European Symposium on Programming (ESOP'05), volume 3444 of Lecture Notes on Computer Science, pages 172–185, Edimbourg, U.K., Apr. 2005. Springer.

[29] D. E. Knuth and P. B. Bendix. Simple word problems in universal algebras. In J. Leech, editor, Computational Problems in Abstract Algebra, pages 263–297. Pergamon Press, Oxford, U.K., 1970.

[30] P. Laud. Handling encryption in an analysis for secure information flow. In P. Degano, editor, Programming Languages and Systems, 12th European Symposium on Programming, ESOP'03, volume 2618 of Lecture Notes on Computer Science, pages 159–173, Warsaw, Poland, Apr. 2003. Springer.


[31] P. Laud. Symmetric encryption in automatic analyses for confidentiality against active adversaries. In IEEE Symposium on Security and Privacy, pages 71–85, Oakland, California, May 2004.

[32] P. Laud. Secrecy types for a simulatable cryptographic library. In 12th ACM Conference on Computer and Communications Security (CCS'05), pages 26–35, Alexandria, VA, Nov. 2005. ACM.

[33] P. D. Lincoln, J. C. Mitchell, M. Mitchell, and A. Scedrov. A probabilistic poly-time framework for protocol analysis. In ACM Computer and Communication Security (CCS-5), pages 112–121, San Francisco, California, Nov. 1998.

[34] P. D. Lincoln, J. C. Mitchell, M. Mitchell, and A. Scedrov. Probabilistic polynomial-time equivalence and security protocols. In J. Wing, J. Woodcock, and J. Davies, editors, FM'99 World Congress On Formal Methods in the Development of Computing Systems, volume 1708 of Lecture Notes on Computer Science, pages 776–793, Toulouse, France, Sept. 1999. Springer.

[35] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems, volume 1055 of Lecture Notes on Computer Science, pages 147–166. Springer, 1996.

[36] P. Mateus, J. Mitchell, and A. Scedrov. Composition of cryptographic protocols in a probabilistic polynomial-time process calculus. In R. Amadio and D. Lugiez, editors, CONCUR 2003 - Concurrency Theory, 14-th International Conference, volume 2761 of Lecture Notes on Computer Science, pages 327–349, Marseille, France, Sept. 2003. Springer.

[37] D. Micciancio and B. Warinschi. Completeness theorems for the Abadi-Rogaway logic of encrypted expressions. Journal of Computer Security, 12(1):99–129, 2004.

[38] D. Micciancio and B. Warinschi. Soundness of formal encryption in the presence of active adversaries. In M. Naor, editor, Theory of Cryptography Conference (TCC'04), volume 2951 of Lecture Notes on Computer Science, pages 133–151, Cambridge, MA, USA, Feb. 2004. Springer.

[39] J. C. Mitchell, A. Ramanathan, A. Scedrov, and V. Teague. A probabilistic polynomial-time calculus for the analysis of cryptographic protocols. Theoretical Computer Science, 353(1–3):118–164, Mar. 2006.

[40] R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networks of computers. Commun. ACM, 21(12):993–999, Dec. 1978.

[41] R. M. Needham and M. D. Schroeder. Authentication revisited. Operating Systems Review, 21(1):7, 1987.

[42] D. Otway and O. Rees. Efficient and timely mutual authentication. Operating Systems Review, 21(1):8–10, 1987.

[43] A. Ramanathan, J. Mitchell, A. Scedrov, and V. Teague. Probabilistic bisimulation and equivalence for security analysis of network protocols. In I. Walukiewicz, editor, FOSSACS 2004 - Foundations of Software Science and Computation Structures, volume 2987 of Lecture Notes on Computer Science, pages 468–483, Barcelona, Spain, Mar. 2004. Springer.

[44] V. Shoup. A proposal for an ISO standard for public-key encryption, Dec. 2001. ISO/IEC JTC 1/SC27.

[45] V. Shoup. OAEP reconsidered. Journal of Cryptology, 15(4):223–249, Sept. 2002.

[46] C. Sprenger, M. Backes, D. Basin, B. Pfitzmann, and M. Waidner. Cryptographically sound theorem proving. In 19th IEEE Computer Security Foundations Workshop (CSFW-19), pages 153–166, Venice, Italy, July 2006. IEEE.

[47] S. Tarento. Machine-checked security proofs of cryptographic signature schemes. In S. de Capitani di Vimercati, P. Syverson, and D. Gollmann, editors, Proceedings of the 10th European Symposium On Research In Computer Security (ESORICS 2005), volume 3679 of Lecture Notes on Computer Science, pages 140–158, Milan, Italy, Sept. 2005. Springer.

[48] T. Y. C. Woo and S. S. Lam. A semantic model for authentication protocols. In Proceedings IEEE Symposium on Research in Security and Privacy, pages 178–194, Oakland, California, May 1993.

Appendices

A Type System

In this section, we define the type system, used in our calculus to check that bitstrings belong to the expected type.

To be able to type variable accesses used not under their definition (such accesses are guarded by a find construct), the type-checking algorithm proceeds in two passes. In the first pass, we build a type environment E, which maps variable names x to types T1 × ... × Tm → T, where T1, ..., Tm are the interval types of the indices of x, and T is the type of x[i1, ..., im]. This type environment is built as follows:

• If x is defined by new x[i1, ..., im] : T, let x[i1, ..., im] : T = M, or c[M1, ..., Ml](..., x[i1, ..., im] : T, ...), and the replications above this subprocess are !i1≤n1, ..., !im≤nm, then E(x) = [1, n1] × ... × [1, nm] → T.

• If u is defined by find ... ⊕ ... u[i1, ..., im] ≤ n ... suchthat defined(...) ∧ ... then ... ⊕ ... and the replications above this find are !i1≤n1, ..., !im≤nm, then E(u) = [1, n1] × ... × [1, nm] → [1, n].

We require that all definitions of the same variable x yield the same value of E(x), so that E is properly defined.

A process can then be typechecked in the type environment E using the rules of Figure 3. This figure defines three judgments:


\[
\frac{E(i) = T}{E \vdash i : T}\ (\mathrm{TIndex})
\qquad
\frac{E(x) = T_1 \times \ldots \times T_m \to T \qquad \forall j \le m,\ E \vdash M_j : T_j}{E \vdash x[M_1, \ldots, M_m] : T}\ (\mathrm{TVar})
\]

\[
\frac{f : T_1 \times \ldots \times T_m \to T \qquad \forall j \le m,\ E \vdash M_j : T_j}{E \vdash f(M_1, \ldots, M_m) : T}\ (\mathrm{TFun})
\qquad
E \vdash 0\ (\mathrm{TNil})
\qquad
\frac{E \vdash Q \qquad E \vdash Q'}{E \vdash Q \mid Q'}\ (\mathrm{TPar})
\]

\[
\frac{E[i \mapsto [1, n]] \vdash Q}{E \vdash\, !^{i \le n} Q}\ (\mathrm{TRepl})
\qquad
\frac{E \vdash Q}{E \vdash \mathrm{newChannel}\ c; Q}\ (\mathrm{TNewChannel})
\]

\[
\frac{\forall j \le l,\ E \vdash M_j : T'_j \qquad \forall j \le k,\ E \vdash x_j[i] : T_j \qquad E \vdash P}{E \vdash c[M_1, \ldots, M_l](x_1[i] : T_1, \ldots, x_k[i] : T_k); P}\ (\mathrm{TIn})
\]

\[
\frac{\forall j \le l,\ E \vdash M_j : T'_j \qquad \forall j \le k,\ E \vdash N_j : T_j \qquad E \vdash Q}{E \vdash c[M_1, \ldots, M_l]\langle N_1, \ldots, N_k\rangle; Q}\ (\mathrm{TOut})
\]

\[
\frac{T \text{ fixed-length type} \qquad E \vdash x[i] : T \qquad E \vdash P}{E \vdash \mathrm{new}\ x[i] : T; P}\ (\mathrm{TNew})
\qquad
\frac{E \vdash M : T \qquad E \vdash x[i] : T \qquad E \vdash P}{E \vdash \mathrm{let}\ x[i] : T = M\ \mathrm{in}\ P}\ (\mathrm{TLet})
\]

\[
\frac{\begin{array}{c}
\forall j \le m, \forall k \le m_j,\ E \vdash u_{jk}[i] : [1, n_{jk}] \qquad \forall j \le m, \forall k \le l_j,\ E \vdash M_{jk} : T_{jk} \\
\forall j \le m,\ E \vdash M_j : \mathrm{bool} \qquad \forall j \le m,\ E \vdash P_j \qquad E \vdash P
\end{array}}{E \vdash \mathrm{find}\ \big(\bigoplus_{j=1}^{m} u_{j1}[i] \le n_{j1}, \ldots, u_{jm_j}[i] \le n_{jm_j}\ \mathrm{suchthat}\ \mathrm{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathrm{then}\ P_j\big)\ \mathrm{else}\ P}\ (\mathrm{TFind})
\]

Figure 3: Typing rules

• E ⊢ M : T means that term M has type T in environment E.

• E ⊢ P and E ⊢ Q mean that the output process P and the input process Q are well-typed in environment E, respectively.

In x[M1, ..., Mm], M1, ..., Mm must be of the suitable interval type. When f(M1, ..., Mm) is called and f : T1 × ... × Tm → T, Mj must be of type Tj, and f(M1, ..., Mm) is then of type T. The type system requires each subterm to be well-typed. Furthermore, in let x : T = M in P, M must be of type T. In

\[
\mathrm{find}\ \big(\bigoplus_{j=1}^{m} u_{j1}[i] \le n_{j1}, \ldots, u_{jm_j}[i] \le n_{jm_j}\ \mathrm{suchthat}\ \mathrm{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathrm{then}\ P_j\big)\ \mathrm{else}\ P
\]

Mj is of type bool for all j ≤ m. In !i≤n Q, i is of type [1, n] in Q. For new x[i] : T, T must be a fixed-length type.

We say that an occurrence of a term M in a process Q is of type T when E ⊢ M : T where E is the type environment of Q extended with i ↦ [1, n] for each replication !i≤n above M in Q.
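To make the two-pass algorithm concrete, here is an added type checker for terms (illustrative code written for this edition, not CryptoVerif's own implementation). The first pass records E(x) = [1, n1] × ... × [1, nm] → T for each definition of x and rejects a variable whose definitions disagree; a replication !i≤n extends E with i ↦ [1, n] as in (TRepl); the second pass applies (TIndex), (TVar) and (TFun) to a term. The environment example_env, the function symbols enc and kgen and the type names key, bitstring and keyseed are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple, Union


class TypeErr(Exception):
    """Raised when a term is not well-typed under the rules of Figure 3."""


@dataclass(frozen=True)
class Idx:           # a replication index i
    name: str


@dataclass(frozen=True)
class Var:           # a variable access x[M1, ..., Mm]
    name: str
    indices: tuple = ()


@dataclass(frozen=True)
class Fun:           # a function application f(M1, ..., Mm)
    name: str
    args: tuple = ()


Term = Union[Idx, Var, Fun]
Signature = Tuple[Tuple[str, ...], str]   # T1 × ... × Tm -> T


def interval(n: str) -> str:
    """The interval type [1, n], written as a string so types compare by equality."""
    return f"[1,{n}]"


class TypeEnv:
    def __init__(self, funs: Dict[str, Signature]) -> None:
        self.funs = funs                       # declared types of function symbols
        self.vars: Dict[str, Signature] = {}   # E(x) for array variables
        self.indices: Dict[str, str] = {}      # E(i) for replication indices in scope

    def declare(self, x: str, repl_bounds: Iterable[str], t: str) -> None:
        """First pass: a definition of x under replications !i1<=n1 ... !im<=nm
        yields E(x) = [1,n1] × ... × [1,nm] -> T; all definitions must agree."""
        sig = (tuple(interval(n) for n in repl_bounds), t)
        if x in self.vars and self.vars[x] != sig:
            raise TypeErr(f"definitions of {x} disagree: {self.vars[x]} vs {sig}")
        self.vars[x] = sig

    def under_repl(self, i: str, n: str) -> "TypeEnv":
        """E[i -> [1,n]], the environment used for Q in !i<=n Q (TRepl)."""
        e = TypeEnv(self.funs)
        e.vars = self.vars
        e.indices = dict(self.indices, **{i: interval(n)})
        return e


def typecheck(env: TypeEnv, m: Term) -> str:
    """Second pass: returns T such that E |- M : T, or raises TypeErr."""
    if isinstance(m, Idx):                                   # (TIndex)
        if m.name not in env.indices:
            raise TypeErr(f"index {m.name} is not in scope")
        return env.indices[m.name]
    if isinstance(m, Var):                                   # (TVar)
        if m.name not in env.vars:
            raise TypeErr(f"variable {m.name} has no definition")
        arg_types, result = env.vars[m.name]
        children = m.indices
    elif isinstance(m, Fun):                                 # (TFun)
        if m.name not in env.funs:
            raise TypeErr(f"unknown function {m.name}")
        arg_types, result = env.funs[m.name]
        children = m.args
    else:
        raise TypeErr(f"not a term: {m!r}")
    if len(children) != len(arg_types):
        raise TypeErr(f"{m.name} expects {len(arg_types)} arguments, got {len(children)}")
    for child, expected in zip(children, arg_types):   # every subterm must be well-typed
        actual = typecheck(env, child)
        if actual != expected:
            raise TypeErr(f"in {m.name}: expected {expected}, got {actual}")
    return result


def well_typed(env: TypeEnv, m: Term) -> bool:
    try:
        typecheck(env, m)
        return True
    except TypeErr:
        return False


def declaration_conflicts(env: TypeEnv, x: str, repl_bounds: Iterable[str], t: str) -> bool:
    """True when a further definition of x would give E(x) a different value."""
    try:
        env.declare(x, repl_bounds, t)
        return False
    except TypeErr:
        return True


def example_env() -> TypeEnv:
    """Constructed process: !i<=n new k[i] : key; c(m[i] : bitstring); ...
    with enc : bitstring × key -> bitstring and kgen : keyseed -> key."""
    env = TypeEnv({"enc": (("bitstring", "key"), "bitstring"),
                   "kgen": (("keyseed",), "key")})
    env.declare("k", ["n"], "key")           # new k[i] : key under !i<=n
    env.declare("m", ["n"], "bitstring")     # input c(m[i] : bitstring) under !i<=n
    return env.under_repl("i", "n")
```

Because E is built before any term is checked, a find guard such as defined(k[u]) can be typed even though the access to k appears outside the scope of its definition, which is exactly why the algorithm needs two passes.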

B Formal Semantics

B.1 Definition of the Semantics

The formal semantics of our calculus is presented in Figures 4 and 5. In these figures and in the rest of the appendix, we use ⊎ for multiset union. When S is a multiset, S(x) is the number of elements of S equal to x. A semantic configuration is a quadruple E, P, Q, C, where E is an environment mapping array cells to bitstrings or ⊥, P is the output process currently scheduled, Q is the multiset of input processes running in parallel with P, C is the set of channels already created. The semantics is defined by reduction rules of the form

\[
E, P, \mathcal{Q}, \mathcal{C} \xrightarrow{p}_{\eta, t} E', P', \mathcal{Q}', \mathcal{C}'
\]

meaning that E, P, Q, C reduces to E', P', Q', C' with probability p, when the security parameter is η. The value of the security parameter is often omitted to lighten the notation. The index t just serves in distinguishing reductions that yield the same configuration with the same probability in different ways, so that the probability of a certain reduction can be computed correctly:

Pr[E,P,Q, C →η E′, P ′,Q′, C′] =

E,P,Q,Cp−→η,tE′,P ′,Q′,C′

p

The probability of a trace is computed as follows:

Pr[E1, P1,Q1, C1 →η . . .→η E′m, P

′m,Q

′m, C

′m]

=

m−1∏

j=1

Pr[Ej , Pj ,Qj , Cj →η E′j+1, P

′j+1,Q

′j+1, C

′j+1]

We define an auxiliary relation for evaluating terms:E,M ⇓η

a, or simplyE,M ⇓ a, means that the termM evaluates tothe bitstringa in environmentE. Rule (Cst) simply evaluatesconstants to themselves. This rule serves for replication in-dices, which are substituted with constant values when reduc-ing the replication. Rule (Var) looks for the value of the array

Page 298: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

290 Bruno Blanchet

Terms andfind conditions:

E, a ⇓ a (Cst)

∀j ≤ m,E,Mj ⇓ aj x[a1, . . . , am] ∈ Dom(E)

E, x[M1, . . . ,Mm] ⇓ E(x[a1, . . . , am])(Var)

∀j ≤ m,E,Mj ⇓ aj f : T1 × . . .× Tm → T∀j ≤ m,aj ∈ Iη(Tj)

E, f(M1, . . . ,Mm) ⇓ Iη(f)(a1, . . . , am)(Fun)

¬∀k ≤ l,∃ak, E,Mk ⇓ ak

E, (defined(M1, . . . ,Ml) ∧M) ⇓ false(Def1)

∀k ≤ l,∃ak, E,Mk ⇓ ak E,M ⇓ a a ∈ {false, true}

E, (defined(M1, . . . ,Ml) ∧M) ⇓ a(Def2)

Input processes:

E, {0} ⊎ Q, C E,Q, C (Nil)

E, {Q1 | Q2} ⊎ Q, C E, {Q1, Q2} ⊎ Q, C (Par)

E, {!i≤nQ} ⊎ Q, C E, {Q{a/i} | a ∈ [1, Iη(n)]} ⊎ Q, C(Repl)

c′ /∈ C

E, {newChannel c;Q} ⊎ Q, C E, {Q{c′/c}} ⊎ Q, C ∪ {c′}

(NewChannel)

∀j ≤ l, E,Mj ⇓ aj

E, {c[M1, . . . ,Ml](x1[a′] : T1, . . . , xk[a′] : Tk);P} ⊎ Q, C

E, {c[a1, . . . , al](x1[a′] : T1, . . . , xk[a′] : Tk);P} ⊎ Q, C

(Input)

reduce(E,Q, C) is the normal form ofE,Q, C by

Figure 4: Semantics (1)

variable in the environment. Rule (Fun) evaluates the functioncall. Rules (Def1) and (Def2) evaluate conditions offind: WhensomeMk is not defined,defined(M1, . . . ,Ml)∧M returnsfalseby (Def1). Otherwise, it returns the boolean value ofM by(Def2).

We use an auxiliary reduction relation η, or simply , forreducing input processes. This relation transforms configura-tions of the formE,Q, C. Rule (Nil) removes nil processes.Rules (Par) and (Repl) expand parallel compositions and repli-cations, respectively. Rule (NewChannel) creates a new channeland adds it toC. Semantic configurations are considered equiv-alent modulo renaming of channels inC, so that a single seman-tic configuration is obtained after applying (NewChannel).Rule(Input) evaluates the terms in the input channel. The input it-self is not executed: the communication is done by the (Output)rule. The relation is convergent (confluent and terminating),so it has normal forms. Since processes inQ in configurationsE,P,Q, C are in normal form by , they always start with aninput.

Rules (New) to (Find2) simply reduce the scheduled process.As explained in the footnote page 275, we use an approximatelyuniform probability distribution for choosing an element amonga setS whenm = |S| is not a power of 2. Letk be the smallest

Output processes:

T fixed-length type a ∈ Iη(T )

E, new x[a′] : T ;P,Q, C1

|Iη(T )|

−−−−→N(a) E[x[a′] 7→ a], P,Q, C

(New)

E,M ⇓ a a ∈ Iη(T )

E, let x[a′] : T = M in P,Q, C1−→L E[x[a′] 7→ a], P,Q, C

(Let)

∀j ≤ m,∀v ≤ nj , E[uj [a′] 7→ v], (Dj ∧Mj) ⇓ aj,v

S = {j, v | aj,v = true} aj0,v0= true

Ej0,v0= E[uj0 [a

′] 7→ v0]

E, find (⊕m

j=1 uj [a′] ≤ nj suchthat Dj ∧Mj then Pj)

else P,Q, Camong(S)−−−−−−→F1(j0,v0) Ej0,v0

, Pj0 ,Q, C

(Find1)

∀j ≤ m,∀v ≤ nj , E[uj [a′] 7→ v], (Dj ∧Mj) ⇓ false

E, find (⊕m

j=1 uj [a′] ≤ nj suchthat Dj ∧Mj then Pj)

else P,Q, C1−→F2 E,P,Q, C

(Find2)

∀j ≤ l, E,Mj ⇓ aj ∀j ≤ k,E,Nj ⇓ bjE,Q′, C′ = reduce(E, {Q′′}, C)

S = {Q ∈ Q | for somex′1, . . . , x′k, a′′, T ′1, . . . , T

′k, P

′,

Q = c[a1, . . . , al](x′1[a′′] : T ′1, . . . , x

′k[a′′] : T ′k).P ′}

Q0 = c[a1, . . . , al](x1[a′] : T1, . . . , xk[a′] : Tk).P ∈ S∀j ≤ k, b′j = bj&(2maxlenη(c) − 1) ∈ Iη(Tj)

E, c[M1, . . . ,Ml]〈N1, . . . , Nk〉.Q′′,Q, C

S(Q0)×among(S)−−−−−−−−−−−→O(Q0)

E[x1[a′] 7→ b′1, . . . , xk[a′] 7→ b′k], P,Q ⊎Q′ \ {Q0}, C′

(Output)

Figure 5: Semantics (2)

integer such that2k ≥ m. We choose a random integerr uni-formly among[0, 2k+f(η) − 1] for a certain functionf . Whenris in [0, (2k+f(η) divm×m)− 1], r mod m returns a randominteger in[0,m−1], with the same probability for all elements of[0,m−1]. Whenr is in [2k+f(η) divm×m, 2k+f(η)−1], we cando anything; we choose to block. The probability of being in thiscase is(2k+f(η) mod m)/2k+f(η) ≤ m/2k+f(η) ≤ 1/2f(η),so it can be made as small as we wish by choosingf(η) largeenough. We choosef(η) ≥ αη for someα > 0, so that itis negligible. The probability of choosing each element ofS isthenamong(S) = 2k+f(η) div m

2k+f(η) . Thenamong(S) approximates1/m. Rules (Find1) and (Find2) evaluate afind. They computethe value of all conditionsDj ∧Mj of this find for all possi-ble valuesv of the indicesuj [a′]. When all these conditions arefalse, rule (Find2) executes theelse branch of thefind. Whenat least one of these conditions is true, rule (Find1) chooses onesuch true case (forj = j0 andv = v0) with approximately uni-form probability, and executes the correspondingthen branch ofthe find.
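The approximately uniform choice among(S) and the (Find1)/(Find2) evaluation described above, as an added Python example that is not code from the paper or from CryptoVerif. Array cells are encoded as tuples and find conditions as Python predicates (constructed encodings, with the (Def1)/(Def2) convention that an undefined cell makes the condition false); `choose_among` blocks exactly where the text says the semantics blocks, and randomness is injectable so the blocking branch can be exercised.

```python
"""Approximately uniform choice among m candidates, and the (Find1)/(Find2)
evaluation that uses it.  Added example (not code from the paper or from
CryptoVerif); the environment and conditions below are constructed."""
import secrets
from fractions import Fraction


def smallest_k(m):
    """Smallest k such that 2^k >= m (m >= 1)."""
    return (m - 1).bit_length()


def among_probability(m, f):
    """among(S) for |S| = m: (2^(k+f) div m) / 2^(k+f), as an exact fraction."""
    bits = smallest_k(m) + f
    return Fraction((1 << bits) // m, 1 << bits)


def choose_among(m, f, randbelow=secrets.randbelow):
    """Return an index in [0, m) with probability among(S) each, or None
    (block) with probability (2^(k+f) mod m) / 2^(k+f) <= 1 / 2^f."""
    bits = smallest_k(m) + f
    r = randbelow(1 << bits)          # uniform in [0, 2^(k+f) - 1]
    limit = ((1 << bits) // m) * m    # from here on, r mod m would be biased
    if r >= limit:
        return None                   # the paper chooses to block here
    return r % m


def eval_cond(env, terms, cond):
    """(Def1)/(Def2): defined(terms) /\\ cond is false when some term is not a
    cell of env; otherwise it is the value of cond(env)."""
    if any(t not in env for t in terms):
        return False                  # (Def1)
    return bool(cond(env))            # (Def2)


def eval_find(env, branches, f, randbelow=secrets.randbelow):
    """Evaluate find (+_j u_j <= n_j suchthat D_j /\\ M_j then P_j) else P.
    A branch is (u, n, terms, cond): terms(v) lists the cells that must be
    defined and cond(env) is evaluated with u bound to v.
    Returns ('else', env), ('block', env) or (('then', j0), env[u_j0 -> v0])."""
    S = []
    for j, (u, n, terms, cond) in enumerate(branches):
        for v in range(1, n + 1):
            env_v = dict(env)
            env_v[u] = v
            if eval_cond(env_v, terms(v), cond):
                S.append((j, v))
    if not S:
        return ('else', env)          # (Find2)
    idx = choose_among(len(S), f, randbelow)
    if idx is None:
        return ('block', env)
    j0, v0 = S[idx]                   # (Find1)
    env2 = dict(env)
    env2[branches[j0][0]] = v0
    return (('then', j0), env2)


# Constructed sample: cells z[1], z[2] and y are defined, z[3] is not.
SAMPLE_ENV = {('z', 1): b'key-a', ('z', 2): b'target', ('y',): b'target'}
SAMPLE_BRANCHES = [
    # find u <= 3 suchthat defined(z[u]) /\ z[u] = y then ...
    ('u', 3, lambda v: [('z', v)], lambda e: e[('z', e['u'])] == e[('y',)]),
]
```

With a single true case (m = 1) the choice never blocks; `among_probability(3, 2)` shows the 5/16 per-element probability and the 1/16 blocking mass the text bounds by 1/2^{f(η)}.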


Rule (Output) performs communications: it evaluates the terms in the channel and the sent messages, selects an input on the desired channel randomly, and immediately executes the communication. The scheduled process after this rule is the receiving process. (The process blocks if no suitable input is available.)

The initial configuration for running process Q0 is initConfig(Q0) = ∅, start⟨⟩, Q, C where ∅, Q, C = reduce(∅, {Q0}, fc(Q0)).

Definition 6 Let c be a channel name and a be a bitstring. We say that E, P, Q, C executes c⟨a⟩ immediately when P = c⟨M⟩.Q and E, M ⇓ a for some Q and M.

The probability that Q executes c⟨a⟩ is denoted Pr[Q ⇝η c⟨a⟩]. When c ∈ fc(Q),

\[
\Pr[Q \leadsto_\eta c\langle a\rangle] = \sum_{\mathcal{T} \in \mathbb{T}} \Pr[\mathcal{T}]
\]

where 𝕋 is the set of traces initConfig(Q) →η … →η Em, Pm, Qm, Cm such that Em, Pm, Qm, Cm executes c⟨a⟩ immediately and for all j < m, Ej, Pj, Qj, Cj does not execute c⟨a⟩ immediately. When c ∉ fc(Q), Pr[Q ⇝η c⟨a⟩] = 0.

B.2 Each Variable is Defined at Most Once

In this section, we show that Invariant 1 implies that each array cell is assigned at most once during the execution of a process.

When S and S′ are multisets, max(S, S′) is the multiset such that max(S, S′)(x) = max(S(x), S′(x)). We define the multiset of variable accesses that may be defined by a process as follows:

\[
\begin{array}{l}
Defined(0) = \emptyset \\
Defined(Q_1 \mid Q_2) = Defined(Q_1) \uplus Defined(Q_2) \\
Defined(!^{i \le n} Q) = \biguplus_{a \in [1, I_\eta(n)]} Defined(Q\{a/i\}) \\
Defined(\mathbf{newChannel}\ c; Q) = Defined(Q) \\
Defined(c[M_1,\ldots,M_l](x_1[a]:T_1,\ldots,x_k[a]:T_k);P) = \{x_j[a] \mid j \le k\} \uplus Defined(P) \\
Defined(c[M_1,\ldots,M_l]\langle N_1,\ldots,N_k\rangle;Q) = Defined(Q) \\
Defined(\mathbf{new}\ x[a]:T;P) = \{x[a]\} \uplus Defined(P) \\
Defined(\mathbf{let}\ x[a]:T = M\ \mathbf{in}\ P) = \{x[a]\} \uplus Defined(P) \\
Defined(\mathbf{find}\ (\bigoplus_{j=1}^{m} u_j[a] \le n_j\ \mathbf{suchthat}\ \mathbf{defined}(M_{j1},\ldots,M_{jl_j}) \wedge M_j\ \mathbf{then}\ P_j)\ \mathbf{else}\ P) = \max\big(\max_{j=1}^{m} (\{u_j[a]\} \uplus Defined(P_j)),\ Defined(P)\big)
\end{array}
\]

We define Defined(E) = Dom(E) and Defined(E, P, Q, C) = Defined(E) ⊎ Defined(P) ⊎ ⨄_{Q ∈ Q} Defined(Q).

Invariant 4 (Single definition, for executing games) The semantic configuration E, P, Q, C satisfies Invariant 4 if and only if Defined(E, P, Q, C) does not contain duplicate elements.

Lemma 3 If Q0 satisfies Invariant 1, then initConfig(Q0) satisfies Invariant 4.

Lemma 4 If $E, P, \mathcal{Q}, \mathcal{C} \xrightarrow{p}_t E', P', \mathcal{Q}', \mathcal{C}'$ with p > 0 and E, P, Q, C satisfies Invariant 4, then so does E′, P′, Q′, C′.

Proof sketch We show by cases following the definition of $\xrightarrow{p}_t$ that if $E, P, \mathcal{Q}, \mathcal{C} \xrightarrow{p}_t E', P', \mathcal{Q}', \mathcal{C}'$ then Defined(E, P, Q, C) ⊆ Defined(E′, P′, Q′, C′). The result follows. □

Therefore, if Q0 satisfies Invariant 1, then each variable is defined at most once for each value of its array indices in a trace of Q0. Indeed, by Invariant 4, just before executing a definition of x[a], Defined(E, P, Q, C) does not contain duplicate elements, so x[a] ∉ Dom(E) since x[a] ∈ Defined(P) ⊎ Defined(Q).
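The multiset Defined and the duplicate check behind Invariant 4, as an added Python example (not the paper's or CryptoVerif's code). The process encoding as nested tuples and the two sample games are constructed; the replication bound n is resolved through a caller-supplied `n_of`, standing in for I_η(n), and the find case takes the multiset max over branches rather than the union, as in the definition above.

```python
"""Defined(Q): multiset of array cells a process may define, and the
duplicate check behind Invariant 4.  Added example, not code from the paper
or from CryptoVerif; the process encoding below is constructed."""
from collections import Counter


def mset_max(s1, s2):
    """max(S, S') on multisets: max(S, S')(x) = max(S(x), S'(x))."""
    return Counter({x: max(s1[x], s2[x]) for x in set(s1) | set(s2)})


def substitute(proc, i, a):
    """Q{a/i}: replace the replication index name i by the constant a."""
    if isinstance(proc, tuple):
        return tuple(substitute(x, i, a) for x in proc)
    if isinstance(proc, list):
        return [substitute(x, i, a) for x in proc]
    return a if proc == i else proc


def defined(proc, n_of=lambda n: n):
    """Defined(proc) as a Counter of cells.  Process encoding (constructed):
      ('nil',) | ('par', Q1, Q2) | ('repl', i, n, Q) | ('newchan', Q)
      | ('in', [cells], P) | ('out', Q) | ('new', cell, P)
      | ('let', cell, P) | ('find', [(cells_j, P_j)], P_else)
    A cell is a tuple (name, *indices); n_of maps a bound n to I_eta(n)."""
    kind = proc[0]
    if kind == 'nil':
        return Counter()
    if kind == 'par':
        return defined(proc[1], n_of) + defined(proc[2], n_of)  # multiset union
    if kind == 'repl':
        _, i, n, q = proc
        total = Counter()
        for a in range(1, n_of(n) + 1):       # one copy per a in [1, I_eta(n)]
            total += defined(substitute(q, i, a), n_of)
        return total
    if kind in ('newchan', 'out'):
        return defined(proc[1], n_of)
    if kind == 'in':
        return Counter(proc[1]) + defined(proc[2], n_of)
    if kind in ('new', 'let'):
        return Counter([proc[1]]) + defined(proc[2], n_of)
    if kind == 'find':
        branches = Counter()
        for cells, p_then in proc[1]:         # max over then branches ...
            branches = mset_max(branches, Counter(cells) + defined(p_then, n_of))
        return mset_max(branches, defined(proc[2], n_of))   # ... and else
    raise ValueError(kind)


def duplicates(proc, n_of=lambda n: n):
    """Cells that Defined counts more than once (empty when Invariant 4 holds)."""
    return sorted(c for c, k in defined(proc, n_of).items() if k > 1)


# Constructed games.  GOOD: each copy of the replication writes its own cells,
# and the find's then and else branches define different cells.
GOOD = ('repl', 'i', 'n',
        ('in', [('x', 'i')],
         ('new', ('k', 'i'),
          ('find', [([('u', 'i')], ('out', ('nil',)))],
           ('let', ('y', 'i'), ('out', ('nil',)))))))
# BAD: a let and a new both define y[i] on the same path.
BAD = ('repl', 'i', 'n',
       ('in', [('x', 'i')],
        ('let', ('y', 'i'), ('new', ('y', 'i'), ('out', ('nil',))))))
```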

B.3 Variables are Defined Before Being Used

In this section, we show that Invariant 2 implies that all variables are defined before being used. In order to show this property, we use the following invariant:

Invariant 5 (Defined variables, for executing games) The semantic configuration E, P, Q, C satisfies Invariant 5 if and only if every occurrence of a variable access x[M1, …, Mm] in P or Q is either

• present in Dom(E): for all j ≤ m, E, Mj ⇓ aj and x[a1, …, am] ∈ Dom(E);

• or syntactically under the definition of x[M1, …, Mm] (in which case for all j ≤ m, Mj is a constant or variable replication index);

• or in a defined condition in a find process;

• or in M′j or Pj in a process of the form find (⊕_{j=1}^{m′′} uj[i] ≤ nj suchthat defined(M′j1, …, M′jlj) ∧ M′j then Pj) else P where for some k ≤ lj, x[M1, …, Mm] is a subterm of M′jk.

Lemma 5 If Q0 satisfies Invariant 2, then initConfig(Q0) satisfies Invariant 5.

Lemma 6 If $E, P, \mathcal{Q}, \mathcal{C} \xrightarrow{p}_t E', P', \mathcal{Q}', \mathcal{C}'$ with p > 0 and E, P, Q, C satisfies Invariant 5, then so does E′, P′, Q′, C′.

Proof sketch If x[M1, …, Mm] is in the second case of Invariant 5, and we execute the definition of x[M1, …, Mm], then for all j ≤ m, Mj is a constant replication index and x[M1, …, Mm] is added to Dom(E) by rules (New), (Let), (Find1), or (Output), so it moves to the first case of Invariant 5.

If x[M1, …, Mm] is in the third case of Invariant 5, and we execute the corresponding find, this access to x simply disappears.

If x[M1, …, Mm] is in the last case of Invariant 5, and we execute the find selecting branch j, then x[M1, …, Mm] is a subterm of M′jk for k ≤ lj. We show by induction on M that, if E, M ⇓ a, then for all subterms x[M1, …, Mm] of M, for all j′ ≤ m, E, Mj′ ⇓ aj′ and x[a1, …, am] is in Dom(E). Therefore, by hypothesis of the semantic rule for find, for all j′ ≤ m, E, Mj′ ⇓ aj′ and x[a1, …, am] is in Dom(E). So x[M1, …, Mm] also moves to the first case of Invariant 5.

In all other cases, the situation remains unchanged. □

Therefore, if Q0 satisfies Invariant 2, then in traces of Q0, the test x[a1, …, am] ∈ Dom(E) in rule (Var) always succeeds, except when the considered term occurs in a defined condition of a find.

Indeed, consider an application of rule (Var), where the array access x[M1, …, Mm] is not in a defined condition of a find. Then, this array access is not under any variable definition or find, so for all j ≤ m, E, Mj ⇓ aj and x[a1, …, am] ∈ Dom(E). Hence, the test x[a1, …, am] ∈ Dom(E) succeeds.

B.4 Typing

In this section, we show that our type system is compatible with the semantics of the calculus, that is, we define a notion of typing for semantic configurations and show that typing is preserved by reduction (subject reduction). Finally, the property that semantic configurations are well-typed shows that certain conditions in the semantics always hold.

We say that E ⊢η E if and only if E(x[a1, …, am]) = a implies E(x) = T1 × … × Tm → T with, for all j ≤ m, aj ∈ Iη(Tj) and a ∈ Iη(T). We define E ⊢η P as E ⊢ P, E ⊢η Q as E ⊢ Q, and E ⊢η M : T as E ⊢ M : T, with the additional rule E ⊢η a : T if and only if a ∈ Iη(T). (This rule is useful to type constant replication indices. In the formulas giving the typing rules, replication indices i may then also be constants a.) We say that E ⊢η E, P, Q, C if and only if E ⊢η E, E ⊢η P, and for all Q ∈ Q, E ⊢η Q. Similarly, E ⊢η E, Q, C if and only if E ⊢η E and for all Q ∈ Q, E ⊢η Q.

Lemma 7 If E ⊢η E, E ⊢η M : T, and E, M ⇓ a, then E ⊢η a : T.

Proof sketch By induction on the derivation of E, M ⇓ a. □

Lemma 8 If E ⊢η E, Q, C and E, Q, C ⇝ E′, Q′, C′, then E ⊢η E′, Q′, C′. So, if E ⊢η E, Q, C, then E ⊢η reduce(E, Q, C).

Proof sketch By cases on the derivation of E, Q, C ⇝ E′, Q′, C′. In the case of the replication, we use a substitution lemma, noticing that a ∈ Iη([1, n]), so E ⊢η a : [1, n]. In the case of the input, we use Lemma 7. □

Lemma 9 If E ⊢ Q0, then E ⊢η initConfig(Q0).

Proof sketch By Lemma 8 and the previous definitions. □

Lemma 10 (Subject reduction) If E ⊢η E, P, Q, C and $E, P, \mathcal{Q}, \mathcal{C} \xrightarrow{p}_t E', P', \mathcal{Q}', \mathcal{C}'$ with p > 0, then E ⊢η E′, P′, Q′, C′.

Proof sketch By cases on the derivation of $E, P, \mathcal{Q}, \mathcal{C} \xrightarrow{p}_t E', P', \mathcal{Q}', \mathcal{C}'$, using Lemmas 7 and 8. □

As an immediate consequence of Lemmas 9, 10, and 7, we obtain: if Q0 satisfies Invariant 3, then in traces of Q0, the tests "T fixed-length type" in rule (New), a ∈ Iη(T) in rule (Let), ∀j ≤ m, aj ∈ Iη(Tj) in rule (Fun), and the test a ∈ {false, true} in rule (Def2) always succeed.

B.5 Runtime

Proposition 6 For each process Q, there exists a probabilistic polynomial time Turing machine that simulates Q.

Proof We give a very brief sketch of this proof here. We refer the reader to [39] for a more detailed proof for a different calculus; their proof could be adapted to our calculus.

The length of all bitstrings manipulated by processes is polynomial in the security parameter η. Indeed, by hypothesis, the length of received messages is limited by maxlenη, so polynomial in the security parameter η. The length of random bitstrings is also polynomial in the security parameter by hypothesis on the types. Function symbols correspond to functions that run in polynomial time, so they output bitstrings of size polynomial in the size of their inputs, so also polynomial in the security parameter.

Since the number of copies generated by each replication is polynomial in the security parameter, the total number of executed instructions is polynomial in the security parameter. Moreover, it is easy to see that each instruction runs in polynomial time since bitstrings are of polynomial length. Therefore, processes run in polynomial time. □

C Simplification

In this section, we define the transformation Simplify, which is used to simplify games. The simplification proceeds as follows. It uses information from several sources: equations and rewrite rules given by the user, which come in particular from algebraic properties of cryptographic primitives; facts that hold at certain points in the game due to the form of the game; and dependency information obtained by two dependency analyses. (The global dependency analysis tracks which variables depend on any element of the array x at any program point. The local dependency analysis tracks which terms depend on the current cell of the array x, x[i], at each program point.) The simplification algorithm uses this information in order to infer equalities using a Knuth-Bendix-like equational prover. The obtained equalities are used to simplify the game, by replacing a term with an equal term or by simplifying find when the system proves that some branches cannot be taken.

C.1 User-defined Rewrite Rules

The user can give two kinds of information:

• claims of the form ∀x1 : T1, …, ∀xm : Tm, M which mean that for all environments E, if for all j ≤ m, E(xj) ∈ Iη(Tj), then E, M ⇓ true.

Such claims must be well-typed, that is, {x1 ↦ T1, …, xm ↦ Tm} ⊢ M : bool.

They are translated into rewrite rules as follows:

– If M is of the form M1 = M2 and var(M2) ⊆ var(M1), we generate the rewrite rule ∀x1 : T1, …, ∀xm : Tm, M1 → M2.

– If M is of the form M1 ≠ M2, we generate the rewrite rules ∀x1 : T1, …, ∀xm : Tm, (M1 = M2) → false and ∀x1 : T1, …, ∀xm : Tm, (M1 ≠ M2) → true. (Such rules are used for instance to express that different constants are different.)

– Otherwise, we generate the rewrite rule ∀x1 : T1, …, ∀xm : Tm, M → true.

• claims of the form new y1 : T′1, …, new yl : T′l, ∀x1 : T1, …, ∀xm : Tm, M1 ≈ M2 with var(M2) ⊆ var(M1). Informally, these claims mean that M1 and M2 evaluate to the same bitstring except in cases of negligible probability, provided that y1, …, yl are chosen randomly with uniform probability among T′1, …, T′l respectively, and that x1, …, xm are of type T1, …, Tm. (x1, …, xm may depend on y1, …, yl.) Formally, a first approach is to define these claims as: for all polynomials q, there exists a negligible p(η) such that

\[
\max_A \Pr[E(y_1) \xleftarrow{R} I_\eta(T'_1); \ldots; E(y_l) \xleftarrow{R} I_\eta(T'_l);\
(E(x_1),\ldots,E(x_m)) \leftarrow A(E(y_1),\ldots,E(y_l));\
E, M_1 \Downarrow a;\ E, M_2 \Downarrow a' : a \ne a'] \le p(\eta)
\]

where A is a probabilistic Turing machine running in time q(η). However, this phrasing requires checking that the restrictions that create y1, …, yl are pairwise distinct, which is sometimes delicate. (It may depend on the value of array indices.) So we prefer the following definition, in which the substitution σ allows us to rename y1, …, yl to possibly equal variables y′1, …, y′l′:

The claim new y1 : T′1, …, new yl : T′l, ∀x1 : T1, …, ∀xm : Tm, M1 ≈ M2 means that for all polynomials q, there exists a negligible p(η) such that, for all substitutions σ that map y1, …, yl to variables y′1, …, y′l′ such that σ{y1, …, yl} = {y′1, …, y′l′} and for all j ≤ l, if σyj = y′j′ then T′′j′ = T′j, we have

\[
\max_A \Pr[E(y'_1) \xleftarrow{R} I_\eta(T''_1); \ldots; E(y'_{l'}) \xleftarrow{R} I_\eta(T''_{l'});\
(E(x_1),\ldots,E(x_m)) \leftarrow A(E(y'_1),\ldots,E(y'_{l'}));\
E, \sigma M_1 \Downarrow a;\ E, \sigma M_2 \Downarrow a' : a \ne a'] \le p(\eta)
\]

where A is a probabilistic Turing machine running in time q(η).

The claims need to be adapted to this definition. For instance, we write new x : T; new y : T; pkgen(x) = pkgen(y) ≈ x = y rather than new x : T; new y : T; pkgen(x) = pkgen(y) ≈ false, since we may have pkgen(x) = pkgen(y) with probability 1 when x and y are in fact the same variable.

The above claim must be well-typed, that is, {x1 ↦ T1, …, xm ↦ Tm, y1 ↦ T′1, …, yl ↦ T′l} ⊢ M1 = M2.

This claim is translated into the rewrite rule new y1 : T′1, …, new yl : T′l, ∀x1 : T1, …, ∀xm : Tm, M1 → M2.

The term M reduces into M′ by the rewrite rule new y1 : T′1, …, new yl : T′l, ∀x1 : T1, …, ∀xm : Tm, M1 → M2 if and only if M = C[σM1] and M′ = C[σM2], where C is a term context and σ is a substitution that maps xj to any term of type Tj for all j ≤ m and yj to terms of the form x[M] where x is defined only by restrictions new x : T′j, for all j ≤ l.

The prover has built-in rewrite rules for defining boolean functions:

\[
\begin{array}{lll}
\neg true \to false & \neg false \to true & \forall x : bool,\ \neg(\neg x) \to x \\
\forall x : T, \forall y : T,\ \neg(x = y) \to x \ne y & & \forall x : T, \forall y : T,\ \neg(x \ne y) \to x = y \\
\forall x : T,\ x = x \to true & & \forall x : T,\ x \ne x \to false \\
\forall x : bool, \forall y : bool,\ \neg(x \wedge y) \to (\neg x) \vee (\neg y) & & \forall x : bool, \forall y : bool,\ \neg(x \vee y) \to (\neg x) \wedge (\neg y) \\
\forall x : bool,\ x \wedge true \to x & & \forall x : bool,\ x \wedge false \to false \\
\forall x : bool,\ x \vee true \to true & & \forall x : bool,\ x \vee false \to x
\end{array}
\]

The prover also has support for commutative function symbols, that is, binary function symbols f : T × T → T′ such that for all x, y ∈ Iη(T), Iη(f)(x, y) = Iη(f)(y, x). For such symbols, all equality and matching tests are performed modulo commutativity. The functions ∧, ∨, =, and ≠ are commutative. So, for instance, the last four rewrite rules above may also be used to rewrite true ∧ M into M, false ∧ M into false, true ∨ M into true, and false ∨ M into M. User-defined functions may also be declared commutative; xor is an example of such a commutative function.
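The built-in boolean rules, one user-defined rule of the first kind, and matching modulo commutativity, as an added Python rewriting example that is not the prover's implementation. Terms are nested tuples, pattern variables are strings starting with `?`, the type annotations of the rules are dropped, and the `dec`/`enc` rule is a constructed sample claim; innermost-first rewriting is repeated until no rule applies, which terminates for the rules listed above.

```python
"""Term rewriting with the built-in boolean rules, a user rule, and matching
modulo commutativity.  Added example (not the CryptoVerif prover's code);
terms are nested tuples ('f', arg, ...), constants and variables are plain
strings, pattern variables start with '?'.  Types are omitted."""

COMMUTATIVE = {'and', 'or', '=', '!='}

# Built-in rules of the paper (lhs -> rhs), untyped.
BUILTIN_RULES = [
    (('not', 'true'), 'false'),
    (('not', 'false'), 'true'),
    (('not', ('not', '?x')), '?x'),
    (('not', ('=', '?x', '?y')), ('!=', '?x', '?y')),
    (('not', ('!=', '?x', '?y')), ('=', '?x', '?y')),
    (('=', '?x', '?x'), 'true'),
    (('!=', '?x', '?x'), 'false'),
    (('not', ('and', '?x', '?y')), ('or', ('not', '?x'), ('not', '?y'))),
    (('not', ('or', '?x', '?y')), ('and', ('not', '?x'), ('not', '?y'))),
    (('and', '?x', 'true'), '?x'),
    (('and', '?x', 'false'), 'false'),
    (('or', '?x', 'true'), 'true'),
    (('or', '?x', 'false'), '?x'),
]

# Constructed user rule, from a claim forall x:T, forall k:key,
# dec(enc(x, k), k) = x of the first kind (var(rhs) within var(lhs)).
USER_RULES = BUILTIN_RULES + [(('dec', ('enc', '?x', '?k'), '?k'), '?x')]


def is_var(p):
    return isinstance(p, str) and p.startswith('?')


def match(pattern, term, subst):
    """Extend subst so that subst(pattern) == term; for a commutative root
    symbol both argument orders are tried.  Returns the substitution or None."""
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        return {**subst, pattern: term}
    if isinstance(pattern, str) or isinstance(term, str):
        return subst if pattern == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    orders = [term[1:]]
    if pattern[0] in COMMUTATIVE:
        orders.append(term[1:][::-1])          # matching modulo commutativity
    for args in orders:
        s = subst
        for p, t in zip(pattern[1:], args):
            s = match(p, t, s)
            if s is None:
                break
        if s is not None:
            return s
    return None


def instantiate(pattern, subst):
    if is_var(pattern):
        return subst[pattern]
    if isinstance(pattern, str):
        return pattern
    return (pattern[0],) + tuple(instantiate(p, subst) for p in pattern[1:])


def normalize(term, rules=BUILTIN_RULES):
    """Rewrite innermost-first until no rule applies at any position."""
    if isinstance(term, str):
        return term
    term = (term[0],) + tuple(normalize(t, rules) for t in term[1:])
    for lhs, rhs in rules:
        s = match(lhs, term, {})
        if s is not None:
            return normalize(instantiate(rhs, s), rules)   # rhs may be reducible
    return term
```

The commutative matching is what lets `('and', 'true', M)` reduce by the rule written as `x ∧ true → x`, and the repeated pattern variable in `x = x → true` only matches when both arguments are structurally equal.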

C.2 Collecting True Facts from a Game

We use facts to represent properties that hold at certain program points in processes. We consider two kinds of facts: defined(M) means that M is defined, and a term M means that M is true (the boolean term M evaluates to true). In this section, we show how to compute a set of facts F_P that are guaranteed to hold at the program point P of the game.

The function collectFacts collects facts that hold at each program point of the game. More precisely, for each occurrence P of a subprocess of the game, it computes a set F_P of facts that hold at that occurrence. (It is important that P is an occurrence and not a process: processes at several occurrences may be equal and must be distinguished from one another here.) The function collectFacts also computes a set D containing pairs (x[i], P) where x[i] has been defined just above process P. (If there are several definitions of x, there is one such pair for each definition of x.) Finally, for output processes P, collectFacts(P) returns a set of facts that will hold when the next output is executed and stores this set in F^Fut_P. (The superscript Fut stands for future, since these facts do not hold yet at P, but will hold in the future.)

The function collectFacts is defined in Figure 6. It is initially called by collectFacts(Q0). It takes into account that x[i] may be defined by an input, a restriction, a let, or a find and updates D accordingly. Furthermore, when we execute let x[i] : T = M in P′, x[i] = M holds in P′ and x[i] is defined in P′. When we execute find (⊕_{j=1}^{m} u_{j1}[i] ≤ n_{j1}, …, u_{jm_j}[i] ≤ n_{jm_j} suchthat defined(M_{j1}, …, M_{jl_j}) ∧ M_j then P_j) else P′, M_j holds in P_j, M_{j1}, …, M_{jl_j}, u_{j1}[i], …, u_{jm_j}[i] are defined in P_j, and ¬M_j holds in P′ when m_j = l_j = 0.

collectFacts(Q) =
  if Q = Q1 | Q2 then collectFacts(Q1); collectFacts(Q2)
  if Q = !^{i≤n} Q′ then collectFacts(Q′)
  if Q = newChannel c; Q′ then collectFacts(Q′)
  if Q = c[M1, …, Ml](x1[i] : T1, …, xk[i] : Tk); P then
    F_P = {defined(xj[i]) | j ≤ k}; F^Fut_P = collectFacts(P)
    D = D ∪ {(xj[i], P) | j ≤ k}

collectFacts(P) =
  if P = c[M1, …, Ml]⟨N1, …, Nk⟩; Q then
    collectFacts(Q); return ∅
  if P = new x[i] : T; P′ then
    F_{P′} = {defined(x[i])}; F^Fut_{P′} = collectFacts(P′)
    D = D ∪ {(x[i], P′)}; return F_{P′} ∪ F^Fut_{P′}
  if P = let x[i] : T = M in P′ then
    F_{P′} = {defined(x[i]), x[i] = M}
    F^Fut_{P′} = collectFacts(P′)
    D = D ∪ {(x[i], P′)}; return F_{P′} ∪ F^Fut_{P′}
  if P = find (⊕_{j=1}^{m} u_{j1}[i] ≤ n_{j1}, …, u_{jm_j}[i] ≤ n_{jm_j} suchthat defined(M_{j1}, …, M_{jl_j}) ∧ M_j then P_j) else P′ then
    for each j ≤ m,
      F_{P_j} = {defined(u_{j1}[i′]), …, defined(u_{jm_j}[i′]), defined(M_{j1}), …, defined(M_{jl_j}), M_j}
      F^Fut_{P_j} = collectFacts(P_j);
      D = D ∪ {(u_{j1}[i′], P_j), …, (u_{jm_j}[i′], P_j)}
    F_{P′} = {¬M_j | m_j = l_j = 0}; F^Fut_{P′} = collectFacts(P′)
    return (F_{P′} ∪ F^Fut_{P′}) ∩ ⋂_{j=1}^{m} (F_{P_j} ∪ F^Fut_{P_j})

Figure 6: The function collectFacts

After calling collectFacts(Q0), we complete the computed sets F_P (where P may be an input or output process) by adding facts that come from processes above P:

F_P ← F_P ∪ F_{P′} if P is immediately under P′

We also add facts that we can deduce from facts defined(M). Precisely, if defined(M) ∈ F_P and x[M1, …, Mm] is a subterm of M, then we take into account facts that are known to be true at the definitions of x by adding them to F_P as follows:

\[
F_P \leftarrow F_P \cup \bigcap_{(x[i_1,\ldots,i_m],P') \in D}
\begin{cases}
\sigma(F_{P'} \cup (F^{Fut}_{P'} \cap F_P)) & \text{if } P \text{ is under } P' \\
\sigma(F_{P'} \cup F^{Fut}_{P'}) & \text{otherwise}
\end{cases}
\]

where σ = {M1/i1, …, Mm/im}. Indeed, if defined(M) ∈ F_P and x[M1, …, Mm] is a subterm of M, then x[M1, …, Mm] is defined at P, so some definition of x[M1, …, Mm], just above the process P′, must have been executed before reaching P, so the facts that hold at P′ also hold at P, with a suitable substitution of indices: we have σF_{P′}, that is, F_{P′}{M1/i1, …, Mm/im}. Moreover, if the occurrence P is not syntactically under the occurrence P′, then the code of P′ must have been executed until the next output before yielding control to some other code and reaching P, so in fact σ(F_{P′} ∪ F^Fut_{P′}) hold. If P is syntactically under P′, it is possible that the code of P′ has been executed until reaching P instead of until reaching the next output, so we have only σ(F_{P′} ∪ (F^Fut_{P′} ∩ F_P)). If there are several definitions of x, we do not know which one has been executed, so we only add to F_P the facts that hold in all cases, by taking the intersection on all definitions of x.

This operation may add new defined facts to F_P, so it is executed until a fixpoint is reached, except that, in order to avoid infinite loops, we do not execute this step for definitions defined(M) in which M contains nested occurrences of the same symbol (such as x[… x[…] …]).
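The function collectFacts of Figure 6 and the completion step F_P ← F_P ∪ F_{P′}, run over a small process tree, as an added Python example that is not the CryptoVerif implementation. The `Proc` class (occurrences compared by identity, as the text requires), the fact encodings such as `('defined', 'x')`, and the sample game are constructed; the elsefind facts and the deduction from defined facts described around this point are not implemented here.

```python
"""collectFacts over a small process tree, plus the completion step that
adds the facts of enclosing processes.  Added example, not the CryptoVerif
implementation; the process encoding and the sample game are constructed."""


class Proc:
    """One occurrence of a (sub)process.  Facts are attached to occurrences,
    so nodes are compared by identity, never structurally."""
    def __init__(self, kind, *args):
        self.kind, self.args = kind, args


class Facts:
    def __init__(self):
        self.F = {}       # F_P: facts known to hold at occurrence P
        self.FFut = {}    # F^Fut_P: facts that hold at the next output
        self.D = set()    # (cell, P): cell defined just above P

    def define(self, p, facts, cells):
        self.F[p] = set(facts)
        self.D |= {(c, p) for c in cells}
        self.FFut[p] = self.collect_out(p)
        return self.F[p] | self.FFut[p]

    def collect_in(self, q):
        if q.kind == 'par':
            for sub in q.args:
                self.collect_in(sub)
        elif q.kind == 'repl':                 # ('repl', i, Q)
            self.collect_in(q.args[1])
        elif q.kind == 'in':                   # c(x1, ..., xk); P
            xs, p = q.args
            self.define(p, {('defined', x) for x in xs}, xs)
        # 'nil': nothing to collect

    def collect_out(self, p):
        """Returns the facts that will hold when the next output is executed."""
        if p.kind == 'out':                    # c<N>; Q
            self.collect_in(p.args[0])
            return set()
        if p.kind == 'new':                    # new x; P'
            x, p2 = p.args
            return self.define(p2, {('defined', x)}, [x])
        if p.kind == 'let':                    # let x = M in P'
            x, m, p2 = p.args
            return self.define(p2, {('defined', x), ('eq', x, m)}, [x])
        if p.kind == 'find':                   # branches (us, defs, M, P_then), else
            branches, p_else = p.args
            common = None
            for us, defs, m, p_then in branches:
                facts = {('defined', u) for u in us} | {('defined', d) for d in defs} | {('true', m)}
                fj = self.define(p_then, facts, us)
                common = fj if common is None else common & fj
            neg = {('not', m) for us, defs, m, _ in branches if not us and not defs}
            f_else = self.define(p_else, neg, [])
            return f_else if common is None else f_else & common
        raise ValueError(p.kind)

    def complete(self, p, inherited=frozenset()):
        """F_P <- F_P u F_P' for P immediately under P', pushed down the tree."""
        self.F[p] = self.F.get(p, set()) | inherited
        if p.kind == 'find':
            children = [b[3] for b in p.args[0]] + [p.args[1]]
        else:
            children = {'par': p.args, 'repl': p.args[1:], 'in': p.args[-1:],
                        'out': p.args, 'new': p.args[-1:], 'let': p.args[-1:],
                        'nil': ()}[p.kind]
        for child in children:
            self.complete(child, self.F[p])


def collect_facts(q0):
    facts = Facts()
    facts.collect_in(q0)
    facts.complete(q0)
    return facts


def sample_game():
    """Constructed game:  in(x); new k; let y = enc(x, k) in
       find u <= n suchthat defined(z[u]) /\\ z[u] = y then out else out"""
    p_then, p_else = Proc('out', Proc('nil')), Proc('out', Proc('nil'))
    fnd = Proc('find', [(['u'], ['z[u]'], 'z[u] = y', p_then)], p_else)
    let = Proc('let', 'y', 'enc(x, k)', fnd)
    new = Proc('new', 'k', let)
    return Proc('in', ['x'], new), new, let, p_then, p_else
```

On the sample game the then branch ends up with defined(x), defined(k), defined(y), y = enc(x, k), defined(u), defined(z[u]) and z[u] = y, while the else branch gets the same inherited facts but not z[u] = y, since m_j ≠ 0 there; F^Fut at the process following the input lists what will hold by the next output.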

We also consider an additional fact that serves in expressing that the condition part of a find failed. Precisely, the fact elsefind((u1 ≤ n1, …, um ≤ nm), (M1, …, Ml), M) means that for all u1 ∈ [1, n1], …, um ∈ [1, nm], the terms M1, …, Ml are not all defined or M is false. The function collectElseFind described in Figure 7 collects elsefind facts that hold at each occurrence. The function collectElseFind(P, F) is called when F is the set of true elsefind facts at occurrence P. It sets the value of F^ElseFind_P to F.

• In the case of restrictions, assignments, and then branches of find, it takes into account that a variable x or u_{j1}, …, u_{jm_j} is newly defined. Hence elsefind facts that claim that one of these variables is not defined are removed.

• In the case of the else branch of a find, it adds the new elsefind facts that hold when the conditions of the find fail. These conditions express that each then branch of the find fails by an elsefind fact. To construct this fact, we replace (by applying σj) the terms u_{j1}[i], …, u_{jm_j}[i] with fresh variables u1, …, u_{m_j}, respectively.

• In the case of an output, any code may be executed before the input processes under it, so any variable may be defined by that code, and all elsefind facts are removed. That is why the function collectElseFind for input processes has no F argument (this argument would always be empty) and calls collectElseFind(P, ∅) for processes P that follow an input.

collectElseFind(Q) =
  if Q = Q1 | Q2 then collectElseFind(Q1); collectElseFind(Q2)
  if Q = !^{i≤n} Q′ then collectElseFind(Q′)
  if Q = newChannel c; Q′ then collectElseFind(Q′)
  if Q = c[M1, …, Ml](x1[i] : T1, …, xk[i] : Tk); P then collectElseFind(P, ∅)

collectElseFind(P, F) =
  F^ElseFind_P = F
  if P = c[M1, …, Ml]⟨N1, …, Nk⟩; Q then collectElseFind(Q)
  if P = new x[i] : T; P′ or P = let x[i] : T = M in P′ then
    F′ = {elsefind((u ≤ n), (M1, …, Ml), M) ∈ F | x does not occur in M1, …, Ml}
    collectElseFind(P′, F′)
  if P = find (⊕_{j=1}^{m} u_{j1}[i] ≤ n_{j1}, …, u_{jm_j}[i] ≤ n_{jm_j} suchthat defined(M_{j1}, …, M_{jl_j}) ∧ M_j then P_j) else P′ then
    for each j ≤ m,
      F′_j = {elsefind((u ≤ n), (M1, …, Ml), M) ∈ F | u_{j1}, …, u_{jm_j} do not occur in M1, …, Ml}
      collectElseFind(P_j, F′_j)
    σ_j = {u1/u_{j1}[i], …, u_{m_j}/u_{jm_j}[i]}
    collectElseFind(P′, F ∪ {elsefind((u1 ≤ n_{j1}, …, u_{m_j} ≤ n_{jm_j}), σ_j(M_{j1}, …, M_{jl_j}), σ_j M_j) | j ∈ {1, …, m}})

Figure 7: The function collectElseFind

The elsefind facts can be used to add new facts to the facts F_P. Indeed, if F_P implies that M1, …, Ml are defined for some values of u1, …, um, then the fact elsefind((u1 ≤ n1, …, um ≤ nm), (M1, …, Ml), M) implies that M is false for these values of u1, …, um. Precisely, we execute:

\[
F_P \leftarrow F_P \cup \{\neg\sigma M \mid elsefind((u_1 \le n_1,\ldots,u_m \le n_m),(M_1,\ldots,M_l),M) \in F^{ElseFind}_P,\ Dom(\sigma) = \{u_1,\ldots,u_m\},\ \text{for each } j \in \{1,\ldots,l\},\ \sigma M_j \text{ is a subterm of } M'_j \text{ and } \mathbf{defined}(M'_j) \in F_P\}
\]

The possible images of σ are found by exploring the set of defined facts in F_P.

Furthermore, when the previous update of F_P adds facts, we again complete the computed sets F_P by adding facts that come from processes above P:

F_P ← F_P ∪ F_{P′} if P is immediately under P′

We could also iterate the addition of consequences of defined facts. (However, for simplicity, the current implementation does not perform such an iteration.)

C.3 Global Dependency Analysis

For each variablex, the global dependency analysis tries to finda set of variablesS such that only variables inS depend onx.In particular, when the global dependency analysis succeeds, thecontrol flow and the view of the adversary do not depend onx,except in cases of negligible probability.

Let x be a variable defined only by restrictionsnew x : TwhereT is a large type. LetSdef be a set of variables definedonly by assignments. LetSdep be a set of variables containingx. (Intuitively, Sdep will be a superset of variables that dependonx.)

We say that a functionf : T → T ′ is uniform when eachelement ofIη(T ′) has at most|Iη(T )|/|Iη(T ′)| antecedents byf . In particular, this is true in the following two cases:

• f is such thatf(x) is uniformly distributed inIη(T ′) if xis uniformly distributed inIη(T ).

• f is the restriction to the image off ′ of an inverse off ′, wheref ′ is a poly-injective function. (We considerthat f(x) is undefined whenx is not in the image off ′. Here, in contrast to the rest of the paper, we al-low f : T → T ′ to be defined only on a subset ofIη(T ).) Precisely, whenxk ∈ Sdef is defined by a pattern-matchinglet f ′(x1, . . . , xn) = M in P else P ′, we havexk = f ′

−1k (M), but furthermore whenxk is defined we

know that the value ofM is in the image off ′, so we havexk = f(M) wheref = f ′

−1k |im f ′ .

Page 304: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

296 Bruno Blanchet

We say thatM characterizes a part ofx with Sdef ,Sdep

when for allM0 obtained fromM by substituting variables ofSdef with their definition (when there is a dependency cycleamong variables ofSdef , we do not substitute a variable insideits definition), αM0 = M0 implies f1(. . . fk((αx)[M ′])) =

f1(. . . fk(x[M ])) for some uniform functionsf1, . . . , fk and forsomeM andM ′, whereα is a renaming of variables ofSdep tofresh variables,x[M ] is a subterm ofM0, (αx)[M ′] is a subtermof αM0, the variables inSdep do not occur inM or M ′, T is thetype of the result off1 (or of x whenk = 0), andT is a largetype. In that case, the value ofM uniquely determines the valueof f1(. . . fk(x[M ])).

We use a simple rewriting prover to determine that. We con-sider the set of termsM0 = {αM0 = M0}, and we rewriteelements ofM0 using the first kind of user-defined rewriterules mentioned in the first point of this section and the rule{M1 ∧M2} ∪M

′ → {M1,M2} ∪M′.

WhenM0 can be rewritten to a set that contains an equal-ity of the form f1(. . . fk(x[M ])) = f1(. . . fk((αx)[M ′])) orf1(. . . fk((αx)[M ′])) = f1(. . . fk(x[M ])) for someM andM ′

such that the variables inSdep do not occur inM or M ′, wehave thatM characterizes a part ofx with Sdef , Sdep.

We say thatM characterizes a part ofx whenM character-izes a part ofx with ∅, S′ whereS′ is {x} union the set of allvariables except those defined by restrictions. (We know thatvariables different fromx and defined by restrictions do not de-pend onx, so in the absence of more precise information, wecan setSdep = S′.)

We say that $\mathit{only\_dep}(x) = S$ when, intuitively, only variables in $S$ depend on $x$, and the adversary cannot see the value of $x$. Formally, $\mathit{only\_dep}(x) = S$ when

• $S \cap V = \emptyset$.

• Variables of $S$ do not occur in input or output channels or messages, that is, they do not occur in the terms $M_1, \ldots, M_m, N_1, \ldots, N_k$ in the input $c[M_1, \ldots, M_m](x_1[i] : T_1, \ldots, x_k[i] : T_k)$ or in the output $c[M_1, \ldots, M_m]\langle N_1, \ldots, N_k\rangle$.

• Variables of $S$ except $x$ are defined only by assignments.

• If a variable $y \in S$ occurs in $M$ in $\mathsf{let}\ z : T = M\ \mathsf{in}\ P$, then $z \in S$.

• Variables in $S$ may occur in $\mathsf{defined}$ conditions of $\mathsf{find}$ but only at the root of them.

• All terms $M_j$ in processes $\mathsf{find}\ (\bigoplus_{j=1}^m u_j[i] \le n_j\ \mathsf{suchthat}\ \mathsf{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathsf{then}\ P_j)\ \mathsf{else}\ P'$ are combinations by $\wedge$, $\vee$, or $\neg$ of terms that either do not contain variables in $S$ or are of the form $M_1 = M_2$ or $M_1 \ne M_2$ where $M_1$ characterizes a part of $x$ with $S \setminus \{x\}, S$ and no variable of $S$ occurs in $M_2$, or $M_2$ characterizes a part of $x$ with $S \setminus \{x\}, S$ and no variable of $S$ occurs in $M_1$.

The last item implies that the result of tests does not depend on the values of variables in $S$, except in cases of negligible probability. Indeed, the tests $M_1 = M_2$ where $M_1$ characterizes a part of $x$ with $S \setminus \{x\}, S$ and $M_2$ does not depend on variables in $S$ are false except in cases of negligible probability, since the value of $M_1$ uniquely determines the value of $f_1(\ldots f_k(x[M]))$ and $M_2$ does not depend on $f_1(\ldots f_k(x[M]))$, so the equality $M_1 = M_2$ happens for a single value of $f_1(\ldots f_k(x[M]))$, which yields a negligible probability because $f_1, \ldots, f_k$ are uniform, $x$ is chosen with uniform probability, and the type of the result of $f_1$ is large. Similarly, the tests $M_1 \ne M_2$ are true except in cases of negligible probability.

In checking the conditions of $\mathit{only\_dep}(x) = S$, we do not consider the parts of the code that are unreachable due to tests whose result is known by the conditions above.

The set $S$ is computed by a fixpoint iteration, starting from $\{x\}$ and adding variables defined by assignments that depend on variables already in $S$.

C.4 Local Dependency Analysis

For each program point $P$ and each variable $x$, the local dependency analysis tries to find which variables and terms depend on $x[i]$ at program point $P$, where $i$ denotes the current replication indices at the definition of $x$. It simplifies the game on-the-fly when possible.

For each occurrence of a process $P$ and each variable $x$ such that a restriction $\mathsf{new}\ x : T$ occurs above $P$ and $T$ is a large type, we compute a set of terms $\mathit{indep}_P(x)$ that are independent of $x[i]$ where $i$ denotes the current replication indices at the definition of $x$.

For each occurrence of a process $P$ and each variable $x$ such that a restriction $\mathsf{new}\ x : T$ occurs above $P$ and $T$ is a large type, we also compute $\mathit{depend}_P(x)$ which can be either $\top$ (I don't know) or a set of pairs $(y, M)$ where $y[i]$ depends on $x[i]$ by assignments, and $M$ is a term defining $y[i]$ as a function of $x[i]$. (The tuple $i$ denotes the current replication indices at the definition of $x$ and of $y$.)

We define "$M$ characterizes a part of $x[i]$ at $P$" as follows. Let $\alpha$ be defined by $\alpha(f(M_1, \ldots, M_m)) = f(\alpha M_1, \ldots, \alpha M_m)$; $\alpha(i) = i$ where $i$ is a replication index; $\alpha(M') = M'$ when $M' \in \mathit{indep}_P(x)$; $\alpha(y[M_1, \ldots, M_{m'}]) = y[\alpha M_1, \ldots, \alpha M_{m'}]$ when $y \ne x$ and $y$ either is defined only by restrictions or $\mathit{depend}_P(x) \ne \top$ and $(y, M') \notin \mathit{depend}_P(x)$ for any $M'$; $\alpha(y[M_1, \ldots, M_{m'}]) = y'[\alpha M_1, \ldots, \alpha M_{m'}]$ where $y'$ is a fresh variable, otherwise. We write $y' = \alpha y$ in this case. We say that $M$ characterizes a part of $x[i]$ at $P$ when $\alpha M = M$ implies $f_1(\ldots f_k((\alpha x)[i])) = f_1(\ldots f_k(x[i]))$ for some uniform functions $f_1, \ldots, f_k$, where $x[i]$ is a subterm of $M$, $(\alpha x)[i]$ is a subterm of $\alpha M$, $T'$ is the type of the result of $f_1$ (or of $x$ when $k = 0$), and $T'$ is a large type. In that case, the value of $M$ uniquely determines the value of $f_1(\ldots f_k(x[i]))$. This property is shown by a simple rewriting prover, as in the global dependency analysis.

We denote by $\mathit{subterms}(M)$ the set of subterms of the term $M$.

We say that $M$ does not depend on $x$ at $P$ when $M$ is built by function applications from terms in $\mathit{indep}_P(x)$, replication indices, and terms $y[M_1, \ldots, M_m]$ such that $M_1, \ldots, M_m$ do not depend on $x$ at $P$, $y \ne x$, and either $y$ is defined only by restrictions or $\mathit{depend}_P(x) \ne \top$ and $y \ne y'$ for all $(y', M') \in \mathit{depend}_P(x)$. Since terms in $\mathit{indep}_P(x)$ do not depend on $x[i]$ and when $\mathit{depend}_P(x) \ne \top$, variables not in the first component of $\mathit{depend}_P(x)$ do not depend on $x[i]$, the conditions above guarantee that $M$ does not depend on $x[i]$, where $i$ are the current replication indices at the definition of $x$.

$\mathit{depAnal}(Q, \mathit{indep}) =$
    $\forall y,\ \mathit{depend}_Q(y) = \top;\ \mathit{indep}_Q = \mathit{indep}$
    if $Q = Q_1 \mid Q_2$ then
        $\mathit{depAnal}(Q_1, \mathit{indep});\ \mathit{depAnal}(Q_2, \mathit{indep})$
    if $Q = !^{i \le n} Q'$ then $\mathit{depAnal}(Q', \mathit{indep})$
    if $Q = \mathsf{newChannel}\ c; Q'$ then $\mathit{depAnal}(Q', \mathit{indep})$
    if $Q = c[M_1, \ldots, M_l](x_1[i] : T_1, \ldots, x_k[i] : T_k); P$ then
        $\mathit{depAnal}(P, \{\forall y, y \mapsto \top\}, \mathit{indep})$

Figure 8: Local dependency analysis (1)

When $\mathit{depend} \ne \top$, we denote by $M_{\mathit{depend}}$ the term obtained from $M$ by replacing $y[i]$ with $M'$ for each $(y, M') \in \mathit{depend}$, where $i$ denotes the replication indices at the definition of $y$.

We define $\mathit{simplifyTerm}$ such that $\mathit{simplifyTerm}(M, P)$ is a simplified version of $M$, equal to $M$ except in cases of negligible probability. The term $\mathit{simplifyTerm}(M, P)$ is defined as follows:

• Case 1: $M$ is $M_1 = M_2$. For each $x$, we proceed as follows. If $\mathit{depend}_P(x) = \top$, let $M_0 = M_1$; otherwise, let $M_0 = M_{1\,\mathit{depend}_P(x)}$. Let $M'_0$ and $M'_2$ be obtained respectively from $M_0$ and $M_2$ by replacing all array indices that depend on $x$ at $P$ with fresh replication indices. If $M'_0$ characterizes a part of $x[i]$ at $P$, and $M'_2$ does not depend on $x$ at $P$, then $\mathit{simplifyTerm}(M, P) = \mathsf{false}$. Indeed, $M$ is equal to $\mathsf{false}$ up to negligible probability in this case. We have similar cases swapping $M_1$ and $M_2$ or when $M$ is $M_1 \ne M_2$. (In the latter case, $\mathit{simplifyTerm}(M, P) = \mathsf{true}$.)

• Case 2: $M$ is $M_1 \wedge M_2$. Let $M'_1 = \mathit{simplifyTerm}(M_1, P)$ and $M'_2 = \mathit{simplifyTerm}(M_2, P)$.  If $M'_1$ or $M'_2$ is $\mathsf{false}$, we return $\mathsf{false}$. If $M'_1$ is $\mathsf{true}$, we return $M'_2$. If $M'_2$ is $\mathsf{true}$, we return $M'_1$. Otherwise, we return $M'_1 \wedge M'_2$. We have similar cases when $M$ is $M_1 \vee M_2$ or $\neg M_1$.

• In all other cases, $\mathit{simplifyTerm}(M, P) = M$.

The local dependency analysis is defined in Figures 8 and 9. The function $\mathit{depAnal}$ is initially called with $\mathit{depAnal}(Q_0, \emptyset)$ where $\emptyset$ designates the function defined nowhere.

$\mathit{depAnal}(P, \mathit{depend}, \mathit{indep}) =$
    $\mathit{depend}_P = \mathit{depend};\ \mathit{indep}_P = \mathit{indep}$
    if $P = c[M_1, \ldots, M_l]\langle N_1, \ldots, N_k\rangle; Q$ then
        $\mathit{depAnal}(Q, \mathit{indep})$
    if $P = \mathsf{new}\ x[i] : T; P'$ then
        if $T$ is a large type then
            $\mathit{depend}'(x) = \emptyset$
            $\mathit{indep}'(x) = \bigcup_{\mathsf{defined}(M) \in \mathcal{F}_P} \mathit{subterms}(M)$
        $\forall y \ne x,\ \mathit{depend}'(y) = \mathit{depend}(y),\ \mathit{indep}'(y) = \mathit{indep}(y) \cup \{x[i]\}$
        $\mathit{depAnal}(P', \mathit{depend}', \mathit{indep}')$
    if $P = \mathsf{let}\ x[i] : T = M\ \mathsf{in}\ P'$ then
        $\forall y$, if $M$ does not depend on $y$ at $P$ then
                $\mathit{depend}'(y) = \mathit{depend}(y)$
                $\mathit{indep}'(y) = \{x[i]\} \cup \mathit{indep}(y)$
            else
                if $\mathit{depend}(y) \ne \top$ then
                    $\mathit{depend}'(y) = \mathit{depend}(y) \cup \{(x, M_{\mathit{depend}(y)})\}$
                else
                    $\mathit{depend}'(y) = \top$
                $\mathit{indep}'(y) = \mathit{indep}(y)$
        $\mathit{depAnal}(P', \mathit{depend}', \mathit{indep}')$
    if $P = \mathsf{find}\ (\bigoplus_{j=1}^m u_{j1}[i] \le n_{j1}, \ldots, u_{jm_j}[i] \le n_{jm_j}\ \mathsf{suchthat}\ \mathsf{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathsf{then}\ P_j)\ \mathsf{else}\ P'$ then
        for each $j \le m$, $M'_j = \mathit{simplifyTerm}(M_j, P)$
            replace $M_j$ with $M'_j$
            if $M'_j = \mathsf{false}$ then remove the $j$-th branch
            if $M'_j = \mathsf{true}$ and $l_j = 0$ then replace $P'$ with $\mathsf{yield}\langle\rangle$
        if $m = 0$ then
            replace $P$ with $P'$; $\mathit{depAnal}(P', \mathit{depend}, \mathit{indep})$
        else if $m = 1$, $m_1 = l_1 = 0$, and $M_1 = \mathsf{true}$ then
            replace $P$ with $P_1$; $\mathit{depAnal}(P_1, \mathit{depend}, \mathit{indep})$
        else
            $\forall y$, if $\forall j, k$, $M_{jk}$ and $M'_j$ do not depend on $y$ at $P$ then
                    $\mathit{depend}'(y) = \mathit{depend}(y)$
                    for each $j \le m$, $\mathit{indep}_j(y) = \mathit{indep}(y) \cup \{M' \mid M' \in \mathit{subterms}(M)$ for some $\mathsf{defined}(M) \in \mathcal{F}_{P_j}$, $M'$ does not depend on $y$ at $P\}$
                else
                    $\mathit{depend}'(y) = \top$
                    for each $j \le m$, $\mathit{indep}_j(y) = \mathit{indep}(y)$
            for each $j \le m$, $\mathit{depAnal}(P_j, \mathit{depend}', \mathit{indep}_j)$
            $\mathit{depAnal}(P', \mathit{depend}', \mathit{indep})$

Figure 9: Local dependency analysis (2)

• For input processes, $\mathit{depAnal}$ sets $\mathit{depend}_Q(y)$ to $\top$, so that $\mathit{depend}_Q$ gives no information, and propagates $\mathit{indep}$. Indeed, when $y[i']$ is set in some output process $P_0$, the value of $y[i']$ may be output by $P_0$ or read by $\mathsf{find}$ in other output processes executed after $P_0$, so as soon as $P_0$ passes control to another process by the first output after the definition of $y$, we lose track of exactly which variables depend on $y[i']$. However, variables already defined before $P_0$ passes control to another process and proved to be independent of $y[i']$ remain independent of $y[i']$, so we can propagate $\mathit{indep}$ in all subprocesses of $P_0$.

• In the case of an output, $\mathit{depAnal}$ forgets the information in $\mathit{depend}_P$ as mentioned above.

• In the case of a restriction $\mathsf{new}\ x[i] : T$, if $T$ is a large type, we create the dependency information for the newly defined variable $x$: no variable depends on $x[i]$, and all terms already defined before the restriction are independent of $x[i]$. We also note that $x[i]$ is independent of $y[i']$ for other variables $y$ by adding $x[i]$ to $\mathit{indep}(y)$.

• In the case of an assignment $\mathsf{let}\ x[i] : T = M$, if $M$ depends on $y[i']$ for some variable $y$, then $x[i]$ depends on $y[i']$, so $x$ is added to $\mathit{depend}(y)$ (if it is not $\top$); otherwise, $x[i]$ does not depend on $y[i']$ so it is added to $\mathit{indep}(y)$.

• In the case of a $\mathsf{find}$, we first simplify each condition of the $\mathsf{find}$, remove branches when we can prove that they are taken with negligible probability, and remove the $\mathsf{find}$ itself when we know which branch is taken and this branch of the $\mathsf{find}$ does not define variables. Furthermore, if some condition of $\mathsf{find}$ depends on $y[i]$ for some variable $y$, $\mathit{depend}'(y)$ is set to $\top$: the control flow depends on $y[i]$ so future assignments in fact depend on $y[i]$ even if the assigned expression itself does not, so we can no longer keep track precisely of which variables depend on $y[i]$. Otherwise, we add all terms that are guaranteed to be defined and independent of $y[i]$ to $\mathit{indep}(y)$.
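The `new` and `let` cases of Figure 9 together with Case 1 of $\mathit{simplifyTerm}$, as an added example that is not CryptoVerif's code, run over a constructed straight-line game fragment. It assumes that `concat` and `pad` are injective (a constructed set of user-defined rewrite rules), decides "characterizes a part of $x[i]$" only for $k = 0$ by decomposing $\alpha M = M$, and omits the freshening of array indices.

```python
TOP = "TOP"                      # depend_P(x) = ⊤: no precise information
FALSE = ("const", "false")
INJECTIVE = {"concat", "pad"}    # constructed user rules: f(a..) = f(b..) -> a = b ∧ ..

def var(x, *i): return ("var", x, tuple(i))
def fun(f, *a): return ("fun", f, tuple(a))
def idx(i): return ("idx", i)

def subst_depend(M, dep):
    """M_depend: replace y[i] by its defining term for each (y, M') in depend."""
    if M[0] == "var" and M[1] in dep:
        return dep[M[1]]
    if M[0] in ("var", "fun"):
        return (M[0], M[1], tuple(subst_depend(a, dep) for a in M[2]))
    return M

def alpha(M, x, st):
    """The renaming α of C.4: variables that may depend on x[i] (and x itself)
    are renamed to fresh primed variables; independent terms are kept."""
    if M in st["indep"][x] or M[0] not in ("var", "fun"):
        return M
    if M[0] == "fun":
        return ("fun", M[1], tuple(alpha(a, x, st) for a in M[2]))
    y, dep = M[1], st["depend"][x]
    keep = y != x and (y in st["restr"] or (dep != TOP and y not in dep))
    return ("var", y if keep else y + "'", tuple(alpha(a, x, st) for a in M[2]))

def decompose(eqs):
    """Rewrite a set of equalities with the injectivity rules and M = M -> true;
    returns the equalities that remain."""
    out = set()
    while eqs:
        a, b = eqs.pop()
        if a == b:
            continue
        if a[0] == b[0] == "fun" and a[1] == b[1] in INJECTIVE and len(a[2]) == len(b[2]):
            eqs.update(zip(a[2], b[2]))
        else:
            out.add((a, b))
    return out

def characterizes(M, x, st):
    """M characterizes a part of x[i] at P, restricted to k = 0: the rewriting
    prover turns αM = M into an equality (αx)[i] = x[i]."""
    return any(b[0] == "var" and b[1] == x and a == ("var", x + "'", b[2])
               for a, b in decompose({(alpha(M, x, st), M)}))

def does_not_depend(M, x, st):
    """M does not depend on x at P, as defined in C.4."""
    if M in st["indep"][x] or M[0] in ("idx", "const"):
        return True
    if M[0] == "fun":
        return all(does_not_depend(a, x, st) for a in M[2])
    y, dep = M[1], st["depend"][x]
    return (y != x and (y in st["restr"] or (dep != TOP and y not in dep))
            and all(does_not_depend(a, x, st) for a in M[2]))

def simplify_eq(M1, M2, st):
    """simplifyTerm Case 1 for M1 = M2 (the freshening of array indices that
    depend on x is omitted); returns false or the unchanged test."""
    for x in st["depend"]:
        for A, B in ((M1, M2), (M2, M1)):
            A0 = A if st["depend"][x] == TOP else subst_depend(A, st["depend"][x])
            if characterizes(A0, x, st) and does_not_depend(B, x, st):
                return FALSE
    return fun("=", M1, M2)

def dep_anal(program):
    """The `new` and `let` cases of Figure 9 over straight-line code (every
    restriction assumed of large type); returns the final depend/indep maps."""
    st = {"depend": {}, "indep": {}, "restr": set()}
    for stmt in program:
        if stmt[0] == "new":                       # new x[i] : T
            _, x, i = stmt
            st["restr"].add(x)
            for y in st["indep"]:                  # x[i] is independent of y[i']
                st["indep"][y].add(var(x, *i))
            st["depend"][x], st["indep"][x] = {}, set()
        else:                                      # let y[i] : T = M
            _, y, i, M = stmt
            for x in st["depend"]:
                if does_not_depend(M, x, st):
                    st["indep"][x].add(var(y, *i))
                elif st["depend"][x] != TOP:
                    st["depend"][x][y] = subst_depend(M, st["depend"][x])
    return st

def demo():
    """Constructed fragment (not from the paper): new k; new r; let c = concat(k, msg);
    let t = pad(c); let n = pad(r); then the tests t = n, t = pad(c), msg = r."""
    i = idx("i")
    st = dep_anal([("new", "k", (i,)), ("new", "r", (i,)),
                   ("let", "c", (i,), fun("concat", var("k", i), var("msg", i))),
                   ("let", "t", (i,), fun("pad", var("c", i))),
                   ("let", "n", (i,), fun("pad", var("r", i)))])
    tests = [(var("t", i), var("n", i)), (var("t", i), fun("pad", var("c", i))),
             (var("msg", i), var("r", i))]
    return [simplify_eq(a, b, st) for a, b in tests], st
```

The first and third tests are simplified to false (one side characterizes a part of a fresh random value the other side is independent of); the second is left unchanged because both sides depend on $k$.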

C.5 Equational Prover

We use an algorithm inspired by the Knuth-Bendix completion algorithm [29], with differences detailed below.

The prover manipulates pairs $\mathcal{F}, \mathcal{R}$ where $\mathcal{F}$ is a set of facts ($M$ or $\mathsf{defined}(M)$) and $\mathcal{R}$ is a set of rewrite rules $M_1 \to M_2$. We say that $M$ reduces into $M'$ by $M_1 \to M_2$ when $M = C[M_1]$ and $M' = C[M_2]$ for some term context $C$. (That is, all variables in rewrite rules of $\mathcal{R}$ are considered as constants.) The prover starts with a certain set of facts $\mathcal{F}$ and $\mathcal{R} = \emptyset$. Then the prover transforms the pairs $(\mathcal{F}, \mathcal{R})$ by the following rules (the rule $\frac{\mathcal{F}, \mathcal{R}}{\mathcal{F}', \mathcal{R}'}$ means that $\mathcal{F}, \mathcal{R}$ is transformed into $\mathcal{F}', \mathcal{R}'$):

$$\frac{\mathcal{F} \cup \{F\}, \mathcal{R}}{\mathcal{F} \cup \{F'\}, \mathcal{R}} \quad \text{if } F \text{ reduces into } F' \text{ by a rule of } \mathcal{R} \text{ or a user-defined rewrite rule} \quad (1)$$

$$\frac{\mathcal{F} \cup \{M_1 \wedge M_2\}, \mathcal{R}}{\mathcal{F} \cup \{M_1, M_2\}, \mathcal{R}} \quad (2)$$

$$\frac{\mathcal{F} \cup \{x[M_1, \ldots, M_m] = x[M'_1, \ldots, M'_m]\}, \mathcal{R}}{\mathcal{F} \cup \{M_1 = M'_1, \ldots, M_m = M'_m\}, \mathcal{R}} \quad \text{when } x \text{ is defined only by restrictions } \mathsf{new}\ x : T \text{ and } T \text{ is a large type} \quad (3)$$

$$\frac{\mathcal{F} \cup \{M_1 = M_2\}, \mathcal{R}}{\{\mathsf{false}\}, \mathcal{R}} \quad \text{when one of the following conditions holds:} \quad (4)$$

• denoting by $M'_1$ the term obtained from $M_1$ by replacing all array indices that are not replication indices with fresh replication indices, we have the following properties: $x$ occurs in $M'_1$, $x$ is defined only by restrictions $\mathsf{new}\ x : T$, $T$ is a large type, $M'_1$ characterizes a part of $x$, and $M_2$ is obtained by optionally applying function symbols to terms of the form $y[M]$ where $y$ is defined only by restrictions and $y \ne x$;

• $x$ occurs in $M_1$, $x$ is defined only by restrictions $\mathsf{new}\ x : T$, $T$ is a large type, $M_1$ characterizes a part of $x$, $\mathit{only\_dep}(x) = S$, and no variable of $S$ occurs in $M_2$;

• $\mathit{simplifyTerm}(M_1 = M_2, P) = \mathsf{false}$, where $P$ is the current program point.

$$\frac{\mathcal{F} \cup \{M = M'\}, \mathcal{R}}{\mathcal{F}, \mathcal{R} \cup \{M \to M'\}} \quad \text{if } M > M' \quad (5)$$

$$\frac{\mathcal{F}, \mathcal{R} \cup \{M_1 \to M_2\}}{\mathcal{F} \cup \{M_1 = M'_2\}, \mathcal{R}} \quad \text{if } M_2 \text{ reduces into } M'_2 \text{ by a rule of } \mathcal{R} \text{ or a user-defined rewrite rule} \quad (6)$$

$$\frac{\mathcal{F}, \mathcal{R} \cup \{M_1 \to M_2\}}{\mathcal{F} \cup \{M'_1 = M_2\}, \mathcal{R}} \quad \text{if } M_1 \text{ reduces into } M'_1 \text{ by a rule of } \mathcal{R} \quad (7)$$

We also use the symmetrics of Rules (4) and (5) obtained by swapping the two sides of the equality.

Rule (1) simplifies facts using rewrite rules. Rule (2) decomposes conjunctions of facts. Rules (3) and (4) exploit the elimination of collisions between random values. Rule (3) takes into account that, when $x$ is defined by a restriction of a large type, two different cells of $x$ have a negligible probability of containing the same value. So when two cells of $x$ contain the same value, we can conclude up to negligible probability that they are the same cell. Rule (4) expresses that $M_1$ and $M_2$ have a negligible probability of being equal when $x$ is defined by a restriction of a large type, $M_1$ characterizes a part of $x$, and $M_2$ does not depend on $x$. The first item of (4) establishes these properties without further dependency analysis; the second item exploits the global dependency analysis; and the third item exploits the local dependency analysis.

Rule (5) is applied only when Rules (1) to (4) cannot be applied. Rule (5) transforms equations into rewrite rules by orienting them. We say that $M > M'$ when either $M$ is of the form $x[M]$, $x$ does not occur in $M'$, and $x$ is not defined only by restrictions, or $M = x[M_1, \ldots, M_m]$, $M' = x[M'_1, \ldots, M'_m]$, and for all $j \le m$, $M_j > M'_j$. Intuitively, our goal is to replace $M$ with $M'$ when $M'$ defines the content of the variable $M$. (Notice that this is not an ordering; the Knuth-Bendix algorithm normally uses a reduction ordering to orient equations. However, we tried some reduction orderings, namely the lexicographic path ordering and the Knuth-Bendix ordering, and obtained disappointing results: the prover fails to prove many equalities because too many equations are left unoriented. The simple heuristic given above succeeds more often, at the expense of a greater risk of non-termination, but that does not cause problems in practice on our examples. We believe that this comes from the particular structure of equations, which come from $\mathsf{let}$ definitions and from conditions of $\mathsf{find}$ or $\mathsf{if}$, and tend to define variables from other variables without creating dependency cycles.)

Rules (6) and (7) are systematically applied to simplify all rewrite rules of $\mathcal{R}$ after a new rewrite rule has been added by Rule (5). Since all terms in rewrite rules of $\mathcal{R}$ are considered as constants, Rule (7) in fact includes the deduction of equations from critical pairs done by the standard Knuth-Bendix completion algorithm.

We say that $\mathcal{F}$ yields a contradiction when the prover, starting from $(\mathcal{F}, \emptyset)$, derives $\mathsf{false}$.
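An added example, not CryptoVerif's own implementation: a small prover that applies Rules (1), (2), (3), (5), (6) and (7) with the orientation heuristic above, checking Rule (5) only when the others do not apply. Rule (4) is omitted since it needs the dependency analyses; the user-defined rewrite rules ($M = M \to \mathsf{true}$, $\neg$ on constants, $\mathit{dec}(\mathit{enc}(m, k), k) \to m$) and the facts are constructed.

```python
# Terms are hashable tuples; variables carry their array indices.
def var(x, *i): return ("var", x, tuple(i))
def fun(f, *a): return ("fun", f, tuple(a))
def idx(i): return ("idx", i)
TRUE, FALSE = ("const", "true"), ("const", "false")
def eq(a, b): return fun("=", a, b)
def neq(a, b): return fun("not", eq(a, b))

def occurs(x, t):
    """True when the variable named x occurs in t."""
    return ((t[0] == "var" and t[1] == x)
            or (t[0] in ("var", "fun") and any(occurs(x, a) for a in t[2])))

def user_rewrite(t):
    """Constructed user-defined rewrite rules, tried at the root of t only."""
    if t[0] != "fun":
        return None
    f, a = t[1], t[2]
    if f == "=" and a[0] == a[1]:                   # M = M -> true
        return TRUE
    if f == "not" and a[0] in (TRUE, FALSE):        # not true -> false, not false -> true
        return FALSE if a[0] == TRUE else TRUE
    if f == "dec" and a[0][0] == "fun" and a[0][1] == "enc" and a[0][2][1] == a[1]:
        return a[0][2][0]                           # dec(enc(m, k), k) -> m
    return None

def reduce_once(t, rules, use_user=True):
    """One step t = C[M1] -> C[M2] by a rule M1 -> M2 of `rules` (exact match:
    variables are constants) or, when use_user, by a user-defined rule."""
    for lhs, rhs in rules:
        if t == lhs:
            return rhs
    if use_user:
        r = user_rewrite(t)
        if r is not None:
            return r
    if t[0] in ("fun", "var"):
        for k, c in enumerate(t[2]):
            c2 = reduce_once(c, rules, use_user)
            if c2 is not None:
                return (t[0], t[1], t[2][:k] + (c2,) + t[2][k + 1:])
    return None

def greater(m, m2, restr):
    """The orientation heuristic M > M' of Rule (5); restr = variables defined
    only by restrictions."""
    if m[0] != "var":
        return False
    if m[1] not in restr and not occurs(m[1], m2):
        return True
    return (m2[0] == "var" and m2[1] == m[1] and len(m[2]) == len(m2[2])
            and all(greater(a, b, restr) for a, b in zip(m[2], m2[2])))

def normalise_rules(F, R):
    """Rules (6) and (7): a rule whose side reduces by the other rules (or, for
    the right-hand side, by a user rule) goes back to F as an equality."""
    changed = True
    while changed:
        changed = False
        for rule in list(R):
            lhs, rhs = rule
            others = R - {rule}
            rhs2 = reduce_once(rhs, others)                       # Rule (6)
            lhs2 = reduce_once(lhs, others, use_user=False)       # Rule (7)
            if rhs2 is not None or lhs2 is not None:
                R.remove(rule)
                F.add(eq(lhs, rhs2) if rhs2 is not None else eq(lhs2, rhs))
                changed = True
                break

def saturate(facts, restr, budget=500):
    """Transform (F, ∅) by Rules (1)-(3) and, when none applies, Rule (5);
    `restr` is the set of variables defined only by `new` of a large type."""
    F, R = set(facts), set()
    for _ in range(budget):
        step = next(((f, r) for f in F for r in [reduce_once(f, R)] if r is not None), None)
        if step:                                                  # Rule (1)
            F.remove(step[0]); F.add(step[1]); continue
        conj = next((f for f in F if f[0] == "fun" and f[1] == "and"), None)
        if conj:                                                  # Rule (2)
            F.remove(conj); F.update(conj[2]); continue
        eqs = [f for f in F if f[0] == "fun" and f[1] == "="]
        coll = next((f for f in eqs if f[2][0][0] == f[2][1][0] == "var"
                     and f[2][0][1] == f[2][1][1] in restr
                     and len(f[2][0][2]) == len(f[2][1][2])), None)
        if coll:                                                  # Rule (3)
            F.remove(coll)
            F.update(eq(a, b) for a, b in zip(coll[2][0][2], coll[2][1][2])); continue
        orient = next(((f, (a, b)) for f in eqs for a, b in (f[2], f[2][::-1])
                       if greater(a, b, restr)), None)
        if orient is None:
            break
        F.remove(orient[0]); R.add(orient[1]); normalise_rules(F, R)  # Rule (5)
    return F, R

def yields_contradiction(facts, restr):
    """F yields a contradiction when the prover derives false from (F, ∅)."""
    return FALSE in saturate(facts, restr)[0]
```

With the constructed facts $c = \mathit{enc}(m, k)$, $m_2 = \mathit{dec}(c, k)$ and $m_2 \ne m$ (the facts one collects along a branch that decrypts its own ciphertext), orientation of the two `let` equalities and the decryption rule reduce the third fact to $\neg\mathsf{true}$ and then $\mathsf{false}$.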

C.6 Game Simplification

We use the following transformations in order to simplify games. These transformations exploit the information collected as explained in the previous sections.

• Each term $M$ in the game is replaced with a simplified term $M'$ obtained by reducing $M$ by user-defined rewrite rules (first point of this section) and the rewrite rules obtained from $\mathcal{F}_{P_M}$ by the above equational prover, where $P_M$ is the smallest process containing $M$. The replacement is performed only when at least one user-defined rewrite rule has been used, to avoid complicating the game by substituting all variables with their value.

• If $P = \mathsf{find}\ (\bigoplus_{j=1}^m u_{j1}[i] \le n_{j1}, \ldots, u_{jm_j}[i] \le n_{jm_j}\ \mathsf{suchthat}\ \mathsf{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathsf{then}\ P_j)\ \mathsf{else}\ P'$, $u_{jk}[i]$ reduces into $M'$ by user-defined rewrite rules (first point of this section) and the rewrite rules obtained from $\mathcal{F}_{P_j}$, and $u_{jk}$ does not occur in $M'$, then $u_{jk}$ is removed from the $j$-th branch of this $\mathsf{find}$, $u_{jk}[i]$ is replaced with $M'$ in $M_{j1}, \ldots, M_{jl_j}, M_j$ and $P_j$ is replaced with $\mathsf{let}\ u_{jk}[i] : [1, n_{jk}] = M'\ \mathsf{in}\ P_j$. (Intuitively, $u_{jk}[i] = M'$, so the value of $u_{jk}[i]$ can be computed by evaluating $M'$ instead of performing an array lookup. We remove $u_{jk}[i]$ from the variables looked up by $\mathsf{find}$ and replace $u_{jk}[i]$ with its value $M'$.)

• Suppose that $P = \mathsf{find}\ (\bigoplus_{j=1}^m u_{j1}[i] \le n_{j1}, \ldots, u_{jm_j}[i] \le n_{jm_j}\ \mathsf{suchthat}\ \mathsf{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathsf{then}\ P_j)\ \mathsf{else}\ P'$, $x[N_1, \ldots, N_l]$ is a subterm of $M_{jk}$, and none of the following conditions holds: a) $P$ is under a definition of $x$ in $Q_0$; b) $Q_0$ contains $Q_1 \mid Q_2$ such that a definition of $x$ occurs in $Q_1$ and $P$ is under $Q_2$, or a definition of $x$ occurs in $Q_2$ and $P$ is under $Q_1$; c) $Q_0$ contains $l_p + 1$ replications above a process $Q$ that contains a definition of $x$ and $P$, where $l_p$ is the length of the longest common prefix between $N_1, \ldots, N_l$ and the current replication indices at the definitions of $x$. Then the $j$-th branch of the $\mathsf{find}$ is removed. (In this case, $x[N_1, \ldots, N_l]$ cannot be defined at $P$, so the $j$-th branch of the $\mathsf{find}$ cannot be taken.)

• If $P = \mathsf{find}\ (\bigoplus_{j=1}^m u_j[i] \le n_j\ \mathsf{suchthat}\ \mathsf{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathsf{then}\ P_j)\ \mathsf{else}\ P'$ and $\mathcal{F}_{P_j}$ yields a contradiction, then the $j$-th branch of the $\mathsf{find}$ is removed.

• If $P = \mathsf{find}\ \mathsf{else}\ P'$, then $P$ is replaced with $P'$.

• If $P = \mathsf{find}\ (\bigoplus_{j=1}^m u_j[i] \le n_j\ \mathsf{suchthat}\ \mathsf{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathsf{then}\ P_j)\ \mathsf{else}\ P'$ and $\mathcal{F}_{P'}$ yields a contradiction, then $P'$ is replaced with $\mathsf{yield}\langle\rangle$.

• If $P = \mathsf{find}\ u[i] \le n\ \mathsf{suchthat}\ M\ \mathsf{then}\ P_1\ \mathsf{else}\ P'$, $\mathcal{F}_{P'}$ yields a contradiction, and the variables in $u$ are not used outside $P$ and are not in $V$, then $P$ is replaced with $P_1$. (When the $\mathsf{find}$ defines variables $u$ used elsewhere, we cannot remove it.)

• If $P = \mathsf{find}\ (\bigoplus_{j=1}^m u_j[i] \le n_j\ \mathsf{suchthat}\ \mathsf{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathsf{then}\ \mathsf{yield}\langle\rangle)\ \mathsf{else}\ \mathsf{yield}\langle\rangle$ and the variables in $u_j$ are not used outside $P$ and are not in $V$, then $P$ is replaced with $\mathsf{yield}\langle\rangle$.

• The $\mathsf{defined}$ conditions of $\mathsf{find}$ are updated so that Invariant 2 is satisfied. (When such a $\mathsf{defined}$ condition guarantees that $M$ is defined, $\mathsf{defined}(M)$ implies $\mathsf{defined}(M')$, and after simplification $M'$ appears in the scope of this condition, then $M'$ has to be added to this condition if it is not already present.)

• If $P = \mathsf{new}\ x : T; P'$ or $\mathsf{let}\ x : T = M\ \mathsf{in}\ P'$ and $x$ is not used in the game and is not in $V$, then $P$ is replaced with $P'$.

C.7 Further Simplifications

After applying the game simplifications described above, we further apply the following transformations:

MoveNew: We move restrictions downwards in the code as much as possible, when they have no array access using $\mathsf{find}$. A $\mathsf{new}\ x[i] : T$ cannot be moved under a replication, or under a parallel composition when both sides use $x$, or a let $\mathsf{let}\ y[i] : T = M\ \mathsf{in} \ldots$, input $c[M_1, \ldots, M_l](x_1[i] : T_1, \ldots, x_k[i] : T_k)$, output $c[M_1, \ldots, M_l]\langle N_1, \ldots, N_k\rangle$ when $x$ occurs in $M, M_1, \ldots, M_l, N_1, \ldots, N_k$, or a $\mathsf{find}$ when the conditions use $x$. It can be moved under the other constructs, duplicating it if necessary, when we move it under a $\mathsf{find}$ that uses $x$ in several branches. Note that when the restriction $\mathsf{new}\ x[i] : T$ cannot be moved under an input, a parallel composition, or a replication, it must be written above the output that is located above the considered input, parallel composition or replication, so that the syntax of processes is not violated.

When this transformation duplicates a $\mathsf{new}\ x[i] : T$ by moving it under a $\mathsf{find}$ that uses $x$ in several branches, a subsequent SArename($x$) enables us to distinguish several cases depending in which branch $x$ is created, which is useful in some proofs.

RemoveAssign(useless): As a particular case of the transformation RemoveAssign, we remove useless assignments, that is, assignments to $x$ when $x$ is unused and assignments $\mathsf{let}\ x[i] : T = y[M]$. Since removing such assignments may also remove uses of other variables, we repeat this removal until a fixpoint is reached.

SArename(auto): As a particular case of the transformation SArename, when $x$ has $m > 1$ definitions and all variable accesses to $x$ are of the form $x[i_1, \ldots, i_l]$ under a definition of $x[i_1, \ldots, i_l]$, where $i_1, \ldots, i_l$ are the current replication indices at this definition of $x$ (that is, $x$ has no array access using $\mathsf{find}$), we rename $x$ to $x_1, \ldots, x_m$ with a different name for each definition.

D Applying the Definition of Security of Primitives

D.1 Formalization of the Transformation

In this appendix, we formalize the transformation performed by exploiting equivalences that come from the definition of security of cryptographic primitives. We require the following conditions for the equivalences $L \approx R$ that model cryptographic primitives:

H0. $[\![L]\!]$ and $[\![R]\!]$ satisfy Invariants 1, 2, and 3. Furthermore, the result of each function in $R$ has the same type as the result of the corresponding function of $L$.

H1. In $L$, the functional processes $\mathit{FP}$ are simply terms $M$; all their array accesses use the current replication indices. (Allowing $\mathsf{let}$ or $\mathsf{find}$ in $L$ is difficult, because we need to recognize the terms $M$ in a context and in a possibly syntactically modified form.)

H2. $L$ and $R$ have the same structure: same replications, same number of functions, same number of arguments with the same types for each function.

H3. The variables $y_j$ defined by $\mathsf{new}$ and $x_j$ defined by function inputs in $L$ and $R$ are distinct from other variables defined in $R$.

H4. Under $!^{i \le n}$ with no restriction in $L$, one can have only a single function $(x_1 : T_1, \ldots, x_l : T_l) \to \mathit{FP}$. (One can transform $!^{i \le n}((x_1 : T_1) \to \mathit{FP}_1, \ldots, (x_m : T_m) \to \mathit{FP}_m, !^{i_1 \le n_1} \ldots, \ldots, !^{i_{m'} \le n_{m'}} \ldots)$ into $(!^{i \le n}(x_1 : T_1) \to \mathit{FP}_1, \ldots, !^{i \le n}(x_m : T_m) \to \mathit{FP}_m, !^{i_1 \le n'_1} \ldots, \ldots, !^{i_{m'} \le n'_{m'}} \ldots)$ in order to eliminate situations that do not satisfy this requirement.)

H5. Replications in $L$ (resp. $R$) must have pairwise distinct bounds $n$. (This strengthens the typing: the typing then guarantees that, if several variables are accessed with the same array indices, then these variables are defined under the same replication.)

H6. For all restrictions $\mathsf{new}\ y : T$ that occur above a term $M$ in $L$, $y$ occurs in $M$. (This guarantees that, in Hypothesis H′3.1 below, $z_{jk}[M_{j1}, \ldots, M_{jq_j}]$ is defined for all $j \le l$ and $k \le m_j$. With Hypothesis H4, this guarantees that $\mathit{index}_j$ is well-defined in Hypothesis H′3.1.3 below.)

H7. Finds in $R$ are of the form

$\mathsf{find}\ (\bigoplus_{j=1}^m u_j \le n_j\ \mathsf{suchthat}\ \mathsf{defined}(z_{j1}[u_{j1}], \ldots, z_{jl_j}[u_{jl_j}]) \wedge M_j\ \mathsf{then}\ \mathit{FP}_j)\ \mathsf{else}\ \mathit{FP}'$

where the following conditions are satisfied:

• For all $1 \le k \le l_j$, $u_{jk}$ is the concatenation of a prefix of the current replication indices (the same prefix for all $k$) and a non-empty prefix of $u_j$.

• When $u_j$ is non-empty, at least one $u_{jk}$ for $1 \le k \le l_j$ is the concatenation of a prefix of the current replication indices with the whole sequence $u_j$.

• When $l_j \ne 0$, there exists $k \in \{1, \ldots, l_j\}$ such that for all $k' \ne k$, $z_{jk'}$ is defined syntactically above all definitions of $z_{jk}$ and $u_{jk'}$ is a prefix of $u_{jk}$. (This implies that the same $\mathsf{find}$ cannot access variables defined in different functions under the same replication in $R$.)

• Finally, variables $z_{jk}$ are not defined by a $\mathsf{find}$ in $R$. (Otherwise, the transformation would be considerably more complicated.)

Such equivalences $L \approx R$ are used by the prover by replacing a process $Q_0$ observationally equivalent to $C[[\![L]\!]]$ with a process $Q'_0$ observationally equivalent to $C[[\![R]\!]]$, for some evaluation context $C$. We now give sufficient conditions for a process to be equivalent to $C[[\![L]\!]]$. These conditions essentially guarantee that all uses of certain secret variables of $Q_0$, in a set $S$, can be implemented by calling functions of $L$. These conditions are explained in more detail below.

We first define the function $\mathit{extract}$ used in order to extract information from the left- or right-hand sides of the equivalence.

$\mathit{extract}((x_1 : T_1, \ldots, x_l : T_l) \to M, ()) = (x_1 : T_1, \ldots, x_l : T_l) \to M$

$\mathit{extract}(!^{i \le n} \mathsf{new}\ y_1 : T_1; \ldots; \mathsf{new}\ y_l : T_l; (G_1, \ldots, G_m), (j_1, \ldots, j_k)) = (y_1 : T_1, \ldots, y_l : T_l), \mathit{extract}(G_{j_1}, (j_2, \ldots, j_k))$

$\mathit{extract}((G_1, \ldots, G_m), (j_0, \ldots, j_k)) = \mathit{extract}(G_{j_0}, (j_1, \ldots, j_k))$

We rename the variables of $Q_0$ such that variables of $L$ and $R$ do not occur in $Q_0$. Assume that there exist a set of variables $S$ and a set $\mathcal{M}$ of occurrences of terms in $Q_0$ such that:

H′1. $S \cap V = \emptyset$.

H′2. No term in $\mathcal{M}$ occurs in the condition part of a $\mathsf{find}$ ($\mathsf{defined}(M_1, \ldots, M_l) \wedge M$) or in the channel of an input.

H′3. For each $M \in \mathcal{M}$, there exists a sequence $\mathcal{B}_L(M) = (j_0, \ldots, j_l)$ such that $\mathit{extract}(L, \mathcal{B}_L(M)) = (y_{11} : T_{11}, \ldots, y_{1m_1} : T_{1m_1}), \ldots, (y_{l1} : T_{l1}, \ldots, y_{lm_l} : T_{lm_l}), (x_1 : T_1, \ldots, x_m : T_m) \to N$ and a substitution $\sigma$ such that $M = \sigma N$ ($\sigma$ applies to the abbreviated form of $N$ in which we write $x$ instead of $x[i]$) and the following conditions hold:

H′3.1. For all $j \le l$ and $k \le m_j$, $\sigma y_{jk}$ is a variable access $z_{jk}[M_{j1}, \ldots, M_{jq_j}]$, with $z_{jk} \in S$. We define $z_{jk} = \mathit{varIm}_L(y_{jk}, M)$.

H′3.1.1. All definitions of $z_{jk}$ in $Q_0$ are of the form $\mathsf{new}\ z_{jk}[\ldots] : T_{jk}$, and for all $k \le m_j$, they occur under the same replications (but they may occur under different replications for different values of $j$).

H′3.1.2. When $j \ne j'$ or $k \ne k'$, $z_{jk} \ne z_{j'k'}$.

H′3.1.3. The sequence of array indices $M_{j1}, \ldots, M_{jq_j}$ is the same for all $k \le m_j$ (but may depend on $j$). We denote by $\mathit{index}_j(M)$ a substitution that maps the current replication indices at the definition of $z_{jk}$ to $M_{j1}, \ldots, M_{jq_j}$ respectively. If $m_l = 0$, $\mathit{index}_l(M)$ is not set by the previous definition, so we set $\mathit{index}_l(M)$ to map the current replication indices at $M$ to themselves. For each $j < l$, there exists a substitution $\rho_j(M)$ such that $\mathit{index}_j(M) = \mathit{index}_{j+1}(M) \circ \rho_j(M)$ and the image of $\rho_j(M)$ does not contain the current replication indices at $M$. We denote by $\mathit{im\_index}_j(M)$ the sequence image by $\mathit{index}_j(M)$ of the sequence of current replication indices at the definition of $z_{jk}$ (so, $\mathit{im\_index}_j(M) = (M_{j1}, \ldots, M_{jq_j})$). We define $\mathit{im\_\rho}_j(M)$ similarly.

H′3.2. For all $j \le m$, $\sigma x_j$ is a term of type $T_j$.

H′3.3. All occurrences in $Q_0$ of a variable in $S$ are either as $z_{jk}$ above or at the root of an argument of a $\mathsf{defined}$ test in a $\mathsf{find}$ process.

To make it precise which term $M$ each element refers to, we add $M$ as a subscript, writing $y_{jk,M}$ for $y_{jk}$, $z_{jk,M}$ for $z_{jk}$, $T_{jk,M}$ for $T_{jk}$, $x_{j,M}$ for $x_j$, $T_{j,M}$ for $T_j$, $N_M$ for $N$, and $\sigma_M$ for $\sigma$. We also define $\mathit{nNew}_{j,M} = m_j$, $\mathit{nNewSeq}_M = l$, and $\mathit{nInput}_M = m$.

H′4. We say that two terms $M, M' \in \mathcal{M}$ share the first $l'$ sequences of random variables when $y_{jk,M} = y_{jk,M'}$ and $z_{jk,M} = z_{jk,M'}$ for all $j \le l'$ and $k \le \mathit{nNew}_{j,M} = \mathit{nNew}_{j,M'} \ne 0$. Let $l'$ be the greatest integer such that $M$ and $M'$ share the first $l'$ sequences of random variables. Then we require:

H′4.1. The sets of variables $\{z_{jk,M} \mid j > l' \text{ and } k \le \mathit{nNew}_{j,M}\}$ and $\{z_{jk,M'} \mid j > l' \text{ and } k \le \mathit{nNew}_{j,M'}\}$ must be disjoint.

H′4.2. $\rho_j(M) = \rho_j(M')$ for all $j < l'$.

H′4.3. If $l' = \mathit{nNewSeq}_M$ and $N_M = N_{M'}$, then there exists $M_0$ such that $M = (\mathit{index}_{l'}(M))M_0$, $M' = (\mathit{index}_{l'}(M'))M_0$, and $M_0$ does not contain the current replication indices at $M$ or $M'$.

When these conditions are satisfied, there exists a context $C$ such that $Q_0 \approx^{V_0} C[[\![L]\!]]$.

Terms in $\mathcal{M}$ must not occur in conditions of $\mathsf{find}$ (Hypothesis H′2) because such terms may refer to variables defined by $\mathsf{find}$, and by the transformation, these variables might be moved outside their scope, thus violating Invariant 2. Terms in $\mathcal{M}$ must not occur in the channel of an input, because otherwise, after the transformation, the input process might need to perform computations by $\mathsf{find}$ or $\mathsf{let}$, forbidden by the syntax. (This requirement is not a limitation in practice, since terms in channels of inputs are typically the current replication indices, so they do not contain cryptographic primitives.)

In Hypothesis H′3, the sequence $\mathcal{B}_L(M)$ indicates which branch of $L$ corresponds to the term $M$.

Hypothesis H′3.2 checks that the values received by inputs in $L$ are of the proper type. Hypothesis H′3.1.1 checks that variables $z_{jk,M}$ that correspond to variables defined by $\mathsf{new}$ in $L$ are of the proper type. The variables $y_{jk}$ defined by $\mathsf{new}$ in $L$ are used only in terms $N$ in $L$. Correspondingly, Hypothesis H′3.3 checks that the corresponding variables $z_{jk,M} \in S$ are not used elsewhere in $Q_0$ and Hypothesis H′1 checks that they cannot be used directly by the context.

In $L$, for distinct $j, k$, the variables $y_{jk}$ correspond to independent random numbers. Correspondingly, Hypothesis H′3.1.2 requires that the variables $z_{jk,M}$ are created by different restrictions for distinct $j, k$. In $L$, the variables $y_{jk}$ are accessed with the same indices for any $k$ (but a fixed $j$). Correspondingly, Hypothesis H′3.1.3 requires that the variables $z_{jk,M}$ are accessed with the same indices $\mathit{im\_index}_j(M)$ for any $k$. When instances of $N$ and $N'$ both refer to $y_{jk}$ with the same indices, then they also refer to $y_{j'k'}$ with the same indices when $j' \le j$. Correspondingly, if $M$ and $M'$ refer to the same $z_{jk}$, by Hypothesis H′4.1, they also refer to the same $z_{j'k'}$ for $j' \le j$. Moreover, if $\mathit{index}_j(M)$ and $\mathit{index}_j(M')$ evaluate to the same bitstrings, then $\mathit{index}_{j'}(M)$ and $\mathit{index}_{j'}(M')$ also evaluate to the same bitstrings, since $\mathit{index}_{j'}(M) = \mathit{index}_j(M) \circ \rho_{j-1}(M) \circ \ldots \circ \rho_{j'}(M)$ by Hypothesis H′3.1.3 and $\rho_k(M) = \rho_k(M')$ for $k < j$ by Hypothesis H′4.2. These conditions guarantee that we can establish a correspondence from the array cells of variables of $S$ in $Q_0$ to the array cells of variables defined by $\mathsf{new}$ in $L$, and that this correspondence is an injective function, as required in Section 3.2.

Finally, a term $N$ in $L$ is evaluated at most once for each value of the indices of $y_{l1}, \ldots, y_{lm_l}$, so $N$ is computed for a single value of the arguments $x_1, \ldots, x_m$. Correspondingly, by Hypothesis H′4.3, when $M$ and $M'$ share the $l = \mathit{nNewSeq}_M$ sequences of random variables and $\mathit{index}_l(M)$ and $\mathit{index}_l(M')$ evaluate to the same bitstring, then $M$ and $M'$ evaluate to the same bitstring.

We compute the possible values of the sets $S$ and $\mathcal{M}$ by fixpoint iteration. We start with $\mathcal{M} = \emptyset$ and $S$ containing a single variable of $Q_0$ bound by a restriction. (We try all possible variables.) When a term $M$ of $Q_0$ contains a variable in $S$, we try to find a function in $L$ that corresponds to $M$, and if we succeed, we add $M$ to $\mathcal{M}$, and add to $S$ variables in $M$ that correspond to variables bound by restrictions in $L$. (If we fail, the transformation is not possible.) We continue until a fixpoint is reached, in which case all occurrences of variables of $S$ are in terms of $\mathcal{M}$.
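The $\mathit{extract}$ function, the search for $\mathcal{B}_L(M)$ and $\sigma$ of Hypothesis H′3, and the fixpoint computing $S$ and $\mathcal{M}$, as an added example that is not CryptoVerif's code. The left-hand side $L$ (one replication, one key, an encryption function and a MAC function) and the terms of $Q_0$ are constructed; types are carried along but not checked, and the final pass only checks the part of H′3.3 visible in the matched terms.

```python
def var(x, *i): return ("var", x, tuple(i))
def fun(f, *a): return ("fun", f, tuple(a))
def idx(i): return ("idx", i)

def occurs(x, t):
    """True when the variable named x occurs in t."""
    return ((t[0] == "var" and t[1] == x)
            or (t[0] in ("var", "fun") and any(occurs(x, a) for a in t[2])))

# Constructed L:  !^{i<=n} new k : key; ((x : bs) -> enc(x, k), (y : bs, z : bs) -> mac(concat(y, z), k))
# Encoding: ("repl", i, n, [new vars], group); ("group", [G1, ...]); ("fun", [(x, T), ...], N).
L = ("repl", "i", "n", [("k", "key")], ("group", [
    ("fun", [("x", "bs")], fun("enc", var("x"), var("k"))),
    ("fun", [("y", "bs"), ("z", "bs")], fun("mac", fun("concat", var("y"), var("z")), var("k")))]))

def extract(G, branch):
    """extract(G, (j0, ..., jk)) of D.1: the sequences of random variables met
    along the branch, and the selected function (params, N)."""
    if G[0] == "fun":
        assert branch == (), "branch longer than the structure of L"
        return [], (G[1], G[2])
    if G[0] == "repl":                           # !^{i<=n} new y1:T1; ...; (G1, ..., Gm)
        seqs, f = extract(G[4], branch)
        return [G[3]] + seqs, f
    return extract(G[1][branch[0]], branch[1:])  # (G1, ..., Gm): pick G_{j0}

def branches(G, prefix=()):
    """All branch sequences leading to a function of G."""
    if G[0] == "fun":
        return [prefix]
    if G[0] == "repl":
        return branches(G[4], prefix)
    return [b for j, Gj in enumerate(G[1]) for b in branches(Gj, prefix + (j,))]

def match(N, M, sigma):
    """First-order matching M = σN, N being the abbreviated form of a term of L
    (its variables are all distinct from those of Q0)."""
    if N[0] == "var":
        if N[1] in sigma:
            return sigma if sigma[N[1]] == M else None
        return {**sigma, N[1]: M}
    if M[0] != "fun" or M[1] != N[1] or len(M[2]) != len(N[2]):
        return None
    for a, b in zip(N[2], M[2]):
        sigma = match(a, b, sigma)
        if sigma is None:
            return None
    return sigma

def find_function(L, M):
    """Hypothesis H′3 for one term: a branch B_L(M) and σ with M = σN such that
    every random variable y_jk of the branch maps to a variable access (H′3.1).
    Returns (B_L(M), σ, random variables, input variables) or None."""
    for B in branches(L):
        seqs, (params, N) = extract(L, B)
        sigma = match(N, M, {})
        randoms = [y for seq in seqs for y, _ in seq]
        if sigma is not None and all(y in sigma and sigma[y][0] == "var" for y in randoms):
            return B, sigma, randoms, [x for x, _ in params]
    return None

def compute_S_M(Q0_terms, L, start):
    """Fixpoint iteration of D.1: from S = {start}, every term of Q0 that uses a
    variable of S must match a function of L (otherwise the transformation is
    impossible and None is returned); its random variables z_jk join S.  A final
    pass rejects inputs σx_j that contain a variable of S (H′3.3)."""
    S, Ms = {start}, []
    changed = True
    while changed:
        changed = False
        for M in Q0_terms:
            if M in Ms or not any(occurs(x, M) for x in S):
                continue
            found = find_function(L, M)
            if found is None:
                return None
            _, sigma, randoms, _ = found
            Ms.append(M)
            S.update(sigma[y][1] for y in randoms)   # z_jk = varIm_L(y_jk, M)
            changed = True
    for M in Ms:
        _, sigma, _, inputs = find_function(L, M)
        if any(occurs(z, sigma[x]) for z in S for x in inputs):
            return None
    return S, Ms
```

On the constructed $Q_0$ terms $\mathit{enc}(m_1[i], k_0[i])$, $\mathit{mac}(\mathit{concat}(m_1[i], c[i]), k_0[i])$ and $\mathit{hash}(n[i])$, starting from $S = \{k_0\}$, the first two terms are matched to the two functions of $L$ and the third is untouched; a term such as $k_0[i] \oplus m[i]$ that matches no function of $L$ makes the computation fail.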

We now describe how we construct a processQ′0 such thatQ′0 ≈

V0 C[[[R]]].

1. We first move restrictions in the right-hand side of theequivalence, so that they occur above the reception of thearguments of functional processes instead of inside func-tional processes. As explained below, this is necessary for

Page 310: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

302 Bruno Blanchet

the correctness of the subsequent transformation ofQ0,when restrictions appear in the corresponding part of theleft-hand side. More precisely, we transform the right-hand side of the equivalence,R, as follows: for eachj1, . . . , jl, if extract(L, (j1, . . . , jl)) = (y11 : T11, . . . ,y1m1

: T1m1), . . . , (yl1 : Tl1, . . . , ylml

: Tlml), (x1 : T1,

. . . , xm : Tm) → N with ml 6= 0 and extract(R, (j1,

. . . , jl)) = (y′11 : T ′11, . . . , y′1m′

1: T ′1m′

1), . . . , (y′l1 : T ′l1,

. . . , y′lm′l: T ′lm′

l), (x1 : T1, . . . , xm : Tm)→ FP , for each

new z : T in FP ,

• we addz : T in the sequence of random variablesy′l1 : T ′l1, . . . , y

′lm′

l: T ′lm′

l;

• if z does not occur indefined conditions offind in R,we removenew z : T from FP ;

• otherwise, we replacenew z : T with let z′ : T = cst

for some constantcst and addz′[M ] to eachdefined

condition ofR that containsz[M ].

This transformation is needed, because in the right-hand side, a new random number must be cho-sen exactly for each different call to the function(x1 : T1, . . . , xm : Tm) → FP . This would not be guar-anteed without that transformation, because when the left-hand sideN is evaluated at several occurrences withthe same random numbersyl1 : Tl1, . . . , ylml

: Tlml

(ml 6= 0), these occurrences all correspond to a singlecall to (x1 : T1, . . . , xm : Tm) → N , so a single call to(x1 : T1, . . . , xm : Tm) → FP , but we create a copy ofFP for each occurrence. After the transformation,FP

contains no choice of random numbers, so we can eval-uate it several times without changing the result. Whenml = 0, evaluations ofN at several occurrences can cor-respond to different calls to(x1 : T1, . . . , xm : Tm)→ N ,so the transformation is not necessary.

2. Next, we create fresh variables corresponding to variables of the right-hand side of the equivalence. For each $M \in \mathcal{M}$, let $\mathit{extract}(R, \mathit{BL}(M)) = (y'_{11,M} : T'_{11,M}, \ldots, y'_{1m'_1,M} : T'_{1m'_1,M}), \ldots, (y'_{l1,M} : T'_{l1,M}, \ldots, y'_{lm'_l,M} : T'_{lm'_l,M}), (x_{1,M} : T_{1,M}, \ldots, x_{m,M} : T_{m,M}) \to \mathit{FP}_M$ with $l = \mathit{nNewSeq}_M$, $m = \mathit{nInput}_M$, and we define $\mathit{nNew}'_{j,M} = m'_j$. We create fresh variables $z'_{jk,M} = \mathit{varImR}(y'_{jk,M}, M)$ for each $j \le \mathit{nNewSeq}_M$, $k \le \mathit{nNew}'_{j,M}$, and $M \in \mathcal{M}$, such that if $M$ and $M'$ share the first $l'$ sequences of random variables, then $z'_{jk,M} = z'_{jk,M'}$ for $j \le l'$ and $k \le \mathit{nNew}'_{j,M}$. All variables $z'_{jk,M}$ are otherwise pairwise distinct.

We also create a fresh variable $\mathit{varImR}(x_{j,M}, M)$ for each $j \le \mathit{nInput}_M$ and each $M \in \mathcal{M}$, and a fresh variable $\mathit{varImR}(z, M)$ for each variable $z$ defined by $\mathsf{let}$ or $\mathsf{new}$ in $\mathit{FP}_M$ and each $M \in \mathcal{M}$.

3. We update the $\mathsf{defined}$ conditions of $\mathsf{find}$s, in order to preserve Invariant 2. More precisely, if a $\mathsf{defined}$ condition of a $\mathsf{find}$ contains $z_{j1,M}[M_1, \ldots, M_{l'}]$ for some $M$, we add $\mathsf{defined}(z'_{jk',M}[M_1, \ldots, M_{l'}])$ for all $k' \le \mathit{nNew}'_{j,M}$ to this condition. (So that accesses to $z'_{jk',M}[M_1, \ldots, M_{l'}]$ created when transforming term $M$ satisfy Invariant 2, since accesses to $z_{j1,M}[M_1, \ldots, M_{l'}]$ occur in $M$ and satisfy Invariant 2.)

4. We update restrictions corresponding to restrictions of the left-hand side of the equivalence: we either remove them or replace them with restrictions corresponding to the right-hand side of the equivalence. More precisely, when $x \in S$ occurs at the root of a term $M_k$ in a condition $\mathsf{defined}(M_1, \ldots, M_l)$, we replace its definition $\mathsf{new}\ x : T; Q$ with $\mathsf{let}\ x : T = \mathit{cst}\ \mathsf{in}\ Q$ for some constant $\mathit{cst}$; when it does not occur in $\mathsf{defined}$ tests, we remove its definition. If $x = z_{j1,M}$ for some $M$, we add $\mathsf{new}\ z'_{jk,M} : T'_{jk,M}$ for each $k \le \mathit{nNew}'_{j,M}$ where $\mathsf{new}\ x : T$ was.

5. Finally, we transform the terms $M \in \mathcal{M}$ corresponding to functions of the left-hand side of the equivalence into their corresponding functional process in the right-hand side. For each term $M \in \mathcal{M}$, let $P_M = C_M[M]$ be the smallest process containing $M$. (Note that $M$ never occurs in an input, so $P_M$ is an output process.) Let $l = \mathit{nNewSeq}_M$. We replace $P_M$ with $(\mathsf{new}\ z'_{lk,M} : T'_{lk,M};)_{k \le \mathit{nNew}'_{l,M}}\ P'_M$ if $\mathit{nNew}_{l,M} = 0$ and $\mathit{nNew}'_{l,M} > 0$, and with $P'_M$ otherwise, where

– $P'_M = (\mathsf{let}\ \mathit{varImR}(x_{k,M}, M) : T_{k,M} = \sigma_M x_{k,M}\ \mathsf{in})_{k \le \mathit{nInput}_M}\ \mathit{transf}_{\phi_0, C_M}(\mathit{FP}_M)$.

– $\phi_0$ is defined as follows:

  $\phi_0(x_{j,M}[i_1, \ldots, i_l]) = \mathit{varImR}(x_{j,M}, M)[i'_1, \ldots, i'_{l'}]$

  $\phi_0(z[i_1, \ldots, i_l]) = \mathit{varImR}(z, M)[i'_1, \ldots, i'_{l'}]$

  $\phi_0(y'_{jk,M}[i_1, \ldots, i_j]) = \mathit{varImR}(y'_{jk,M}, M)[\mathit{im\_index}_j(M)]$

  where $i_1, \ldots, i_l$ are the current replication indices at the definition of $x_{j,M}$ in $R$, $i'_1, \ldots, i'_{l'}$ are the current replication indices at $M$ in $Q_0$, and $z$ is a variable defined by $\mathsf{let}$ or $\mathsf{new}$ in $\mathit{FP}_M$.

– A function $\phi$ from array accesses to array accesses is extended to terms as a substitution, by $\phi(f(M_1, \ldots, M_m)) = f(\phi(M_1), \ldots, \phi(M_m))$.

– $\mathit{transf}_{\phi, C_M}(\mathit{FP})$ is defined recursively as follows:

  $\mathit{transf}_{\phi, C_M}(M') = C_M[\phi(M')]$

  $\mathit{transf}_{\phi, C_M}(\mathsf{new}\ z : T; \mathit{FP}') = \mathsf{new}\ \mathit{varImR}(z, M) : T; \mathit{transf}_{\phi, C_M}(\mathit{FP}')$

  $\mathit{transf}_{\phi, C_M}(\mathsf{let}\ z : T = M'\ \mathsf{in}\ \mathit{FP}') = \mathsf{let}\ \mathit{varImR}(z, M) : T = \phi(M')\ \mathsf{in}\ \mathit{transf}_{\phi, C_M}(\mathit{FP}')$

  $\mathit{transf}_{\phi, C_M}(\mathsf{find}\ (\bigoplus_{j=1}^{m} \mathit{FB}_j)\ \mathsf{else}\ \mathit{FP}') = \mathsf{find}\ (\bigoplus_{j=1}^{m} \mathit{transf}_{\phi, C_M}(\mathit{FB}_j))\ \mathsf{else}\ \mathit{transf}_{\phi, C_M}(\mathit{FP}')$

  and for $\mathsf{find}$ branches $\mathit{FB}$, $\mathit{transf}_{\phi, C_M}(\mathit{FB})$ is defined as follows:

  $\mathit{transf}_{\phi, C_M}(\mathsf{suchthat}\ M'\ \mathsf{then}\ \mathit{FP}') = \mathsf{suchthat}\ \phi(M')\ \mathsf{then}\ \mathit{transf}_{\phi, C_M}(\mathit{FP}')$

  $\mathit{transf}_{\phi, C_M}(u \le n\ \mathsf{suchthat}\ \mathsf{defined}(z_k[M_{k1}, \ldots, M_{kl'_k}]_{1 \le k \le l}) \wedge M_1\ \mathsf{then}\ \mathit{FP}') = \bigoplus_{M' \in \mathcal{M}'} u' \le n'\ \mathsf{suchthat}\ \mathsf{defined}(\phi'(z_k[M_{k1}, \ldots, M_{kl'_k}])_{1 \le k \le l}) \wedge \mathit{im\_index}_{j_1}(M')\{u'/i'\} = \mathit{im\_index}_{j_1}(M) \wedge \phi'(M_1)\ \mathsf{then}\ \mathit{transf}_{\phi', C_M}(\mathit{FP}')$

  where $l \neq 0$; $j_1$ is the length of the prefix of the current replication indices that occurs in $M_{k1}, \ldots, M_{kl'_k}$ (by Hypothesis H7); $\mathcal{M}'$ is the set of $M' \in \mathcal{M}$ such that $\mathit{varImR}(z_k, M')$ is defined for $k \le l$ and $M'$ and $M$ share the first $j_1$ sequences of random variables; $i'$ is the sequence of current replication indices at $M'$; $u'$ is a sequence formed with a fresh variable for each variable in $i'$; $n'$ is the sequence of bounds of replications above $M'$; $\phi'$ is an extension of $\phi$ with $\phi'(z_k[M_{k1}, \ldots, M_{kl'_k}]) = \mathit{varImR}(z_k, M')[\mathit{im\_index}_j(M')\{u'/i'\}]$ if $z_k = y'_{jk',M'}$ for some $k'$, and $\phi'(z_k[M_{k1}, \ldots, M_{kl'_k}]) = \mathit{varImR}(z_k, M')[u']$ if $z_k$ is defined by $\mathsf{let}$ or by a function input.

The two essential parts of the transformation are the last two, numbered 4 and 5. In step 4, we add the restrictions that create random variables corresponding to the random variables of $R$. We create the variables $z'_{jk,M}$ at the place where $z_{j1,M}$ was created in the initial game (we could have chosen $z_{jk',M}$ for any $k'$), or, when there is no $z_{j1,M}$, we have $j = \mathit{nNewSeq}_M$ and we create $z'_{jk,M}$ just before evaluating $M$. In step 5, we transform the term $M$ itself into the corresponding functional process of $R$, $\mathit{FP}_M$. The only delicate part in evaluating $\mathit{FP}_M$ is the case of $\mathsf{find}$: instead of looking up arrays of $R$, we look up the corresponding arrays of $Q'_0$ given by the mapping $\phi$.

D.2 Extension

We introduce a small extension to the equivalences $(G_1, \ldots, G_m) \approx (G'_1, \ldots, G'_m)$ described in Section 3.2. These equivalences become $(G_1\ \mathit{mode}_1, \ldots, G_m\ \mathit{mode}_m) \approx (G'_1, \ldots, G'_m)$, where $\mathit{mode}_j$ is either empty or $[\mathit{all}]$. The mode $[\mathit{all}]$ is an indication for the prover, to guide the application of the equivalence without changing its semantics. When $\mathit{mode}_j = [\mathit{all}]$, $\mathcal{M}$ must contain all occurrences in the initial game $Q$ of the root function symbols of terms $M$ inside $G_j$. When $\mathit{mode}_j$ is empty, at least one variable defined by $\mathsf{new}$ in $G_j$ must correspond to a variable in $S$.

The following hypotheses guarantee the good usage of modes:

H8. At most one $\mathit{mode}_j$ can be empty. (Otherwise, when several sets of random variables can be chosen for each $G_j$, there are many possible combinations for applying the transformation.)

H9. If $G_j$ is of the form $!^{i \le n}(x_1 : T_1, \ldots, x_l : T_l) \to \mathit{FP}$ without any restriction, then $\mathit{mode}_j = [\mathit{all}]$. (A restriction is needed in the definition of empty mode.)

D.3 Modeling other Primitives

This appendix gives the definition of a number of cryptographic primitives in our prover.

D.3.1 Super-Pseudo-Random Permutations (SPRP)

$T_r$ large, fixed length; $T$ large, fixed length
$e, d : T \times T_k \to T$
$\mathit{kgen} : T_r \to T_k$
$\forall m : T, \forall r : T_r, d(e(m, \mathit{kgen}(r)), \mathit{kgen}(r)) = m$
$\forall m : T, \forall r : T_r, e(d(m, \mathit{kgen}(r)), \mathit{kgen}(r)) = m$

$!^{i'' \le n''} \mathsf{new}\ r : T_r; ($
  $!^{i \le n} (x : T) \to e(x, \mathit{kgen}(r)),$
  $!^{i' \le n'} (m : T) \to d(m, \mathit{kgen}(r)))$
$\approx$
$!^{i'' \le n''} \mathsf{new}\ r : T_r; ($
  $!^{i \le n} (x : T) \to$
    $\mathsf{find}\ u \le n\ \mathsf{suchthat}\ \mathsf{defined}(x[u], r'[u]) \wedge x = x[u]\ \mathsf{then}\ r'[u]$
    $\oplus\ u \le n'\ \mathsf{suchthat}\ \mathsf{defined}(r''[u], m[u]) \wedge x = r''[u]\ \mathsf{then}\ m[u]$
    $\mathsf{else}\ \mathsf{new}\ r' : T; r',$
  $!^{i' \le n'} (m : T) \to$
    $\mathsf{find}\ u \le n\ \mathsf{suchthat}\ \mathsf{defined}(r'[u], x[u]) \wedge m = r'[u]\ \mathsf{then}\ x[u]$
    $\oplus\ u \le n'\ \mathsf{suchthat}\ \mathsf{defined}(m[u], r''[u]) \wedge m = m[u]\ \mathsf{then}\ r''[u]$
    $\mathsf{else}\ \mathsf{new}\ r'' : T; r'')$

This equivalence expresses that the encryption and decryption oracles can be replaced with inverse random permutations. These random permutations are built as follows for the encryption oracle: when we receive an argument $x$ already passed to the encryption oracle, we return the previous result; when we receive the result of a previous call to the decryption oracle, we return the argument of the decryption oracle in that call; otherwise, we return a fresh random number. (Collisions between random numbers in $T_r$ have negligible probability, so we obtain permutations except in cases of negligible probability.) The construction is similar for the decryption oracle.
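The lazily sampled permutation on the right-hand side of this equivalence, as an added Python illustration (not code from the paper or from CryptoVerif; class and function names are ours): both oracles answer from the shared logs and sample only when both lookups fail, and a scripted sampler shows how a collision among fresh values, the negligible-probability case noted above, breaks the permutation.

```python
import secrets
from typing import Callable, List, Tuple


class LazyRandomPermutation:
    """Ideal side of the SPRP equivalence: two oracles over shared state.
    enc_log records (x[u], r'[u]) for fresh encryption answers and
    dec_log records (m[u], r''[u]) for fresh decryption answers.
    The find/(+) of the calculus picks uniformly among successful
    branches; sequential lookup below is equivalent as long as no
    collision has occurred (the only case where both can succeed)."""

    def __init__(self, block_bits: int = 128,
                 rng: Callable[[int], int] = secrets.randbits):
        self.block_bits = block_bits
        self.rng = rng                      # samples a "new r : T"
        self.enc_log: List[Tuple[int, int]] = []
        self.dec_log: List[Tuple[int, int]] = []

    def e(self, x: int) -> int:
        """Encryption oracle (x : T) -> ... of the right-hand side."""
        # find u <= n suchthat defined(x[u], r'[u]) /\ x = x[u] then r'[u]
        for x_u, r1_u in self.enc_log:
            if x_u == x:
                return r1_u
        # (+) u <= n' suchthat defined(r''[u], m[u]) /\ x = r''[u] then m[u]
        for m_u, r2_u in self.dec_log:
            if r2_u == x:
                return m_u
        # else new r' : T; r'
        r1 = self.rng(self.block_bits)
        self.enc_log.append((x, r1))
        return r1

    def d(self, m: int) -> int:
        """Decryption oracle (m : T) -> ... of the right-hand side."""
        # find u <= n suchthat defined(r'[u], x[u]) /\ m = r'[u] then x[u]
        for x_u, r1_u in self.enc_log:
            if r1_u == m:
                return x_u
        # (+) u <= n' suchthat defined(m[u], r''[u]) /\ m = m[u] then r''[u]
        for m_u, r2_u in self.dec_log:
            if m_u == m:
                return r2_u
        # else new r'' : T; r''
        r2 = self.rng(self.block_bits)
        self.dec_log.append((m, r2))
        return r2

    def recorded_pairs(self) -> List[Tuple[int, int]]:
        """All (plaintext, ciphertext) pairs fixed so far by either oracle."""
        return list(self.enc_log) + [(r2, m) for (m, r2) in self.dec_log]


def is_partial_permutation(oracle: LazyRandomPermutation) -> bool:
    """True iff the pairs fixed so far are injective in both directions,
    i.e. no sampled value collided with an existing plaintext/ciphertext."""
    pairs = oracle.recorded_pairs()
    ins = [p for p, _ in pairs]
    outs = [c for _, c in pairs]
    return len(set(ins)) == len(ins) and len(set(outs)) == len(outs)


def inverses_hold(oracle: LazyRandomPermutation,
                  plaintexts: List[int], ciphertexts: List[int]) -> bool:
    """Replay the two equations d(e(m)) = m and e(d(m)) = m through the
    lazily sampled oracles on constructed sample queries."""
    ok = all(oracle.d(oracle.e(x)) == x for x in plaintexts)
    return ok and all(oracle.e(oracle.d(m)) == m for m in ciphertexts)


if __name__ == "__main__":
    p = LazyRandomPermutation(128)
    print(inverses_hold(p, [1, 2, 3, 1], [0xDEAD, 2]), is_partial_permutation(p))
    scripted = iter([5, 5])                 # forces a collision among fresh values
    q = LazyRandomPermutation(8, rng=lambda bits: next(scripted))
    q.e(1); q.e(2)
    print(is_partial_permutation(q), q.d(5))
```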

D.3.2 Public-Key Cryptography

UF-CMA Signature

$T_r$ large, fixed length; $T'_r$ fixed length
$s, s' : T \times T_{\mathit{sk}} \times T'_r \to T_s$
$c, c' : T \times T_{\mathit{pk}} \times T_s \to \mathit{bool}$
$\mathit{skgen}, \mathit{skgen}' : T_r \to T_{\mathit{sk}}$
$\mathit{pkgen}, \mathit{pkgen}' : T_r \to T_{\mathit{pk}}$
$\forall m : T, \forall r : T_r, \forall r' : T'_r, c(m, \mathit{pkgen}(r), s(m, \mathit{skgen}(r), r')) = \mathit{true}$
$\forall m : T, \forall r : T_r, \forall r' : T'_r, c'(m, \mathit{pkgen}'(r), s'(m, \mathit{skgen}'(r), r')) = \mathit{true}$
$\mathsf{new}\ x : T_r; \mathsf{new}\ y : T_r; f(x) = f(y) \approx x = y$ for $f \in \{\mathit{pkgen}, \mathit{skgen}, \mathit{pkgen}', \mathit{skgen}'\}$

$!^{i \le n} \mathsf{new}\ r : T_r; ($
  $() \to \mathit{pkgen}(r),$
  $!^{i' \le n'} \mathsf{new}\ r' : T'_r; (x : T) \to s(x, \mathit{skgen}(r), r')),$
$!^{i'' \le n''} (m : T, y : T_{\mathit{pk}}, \mathit{si} : T_s) \to c(m, y, \mathit{si})\ [\mathit{all}]$
$\approx$
1. $!^{i \le n} \mathsf{new}\ r : T_r; ($
2.   $() \to \mathit{pkgen}'(r),$
3.   $!^{i' \le n'} \mathsf{new}\ r' : T'_r; (x : T) \to s'(x, \mathit{skgen}'(r), r')),$
4. $!^{i'' \le n''} (m : T, y : T_{\mathit{pk}}, \mathit{si} : T_s) \to$
5.   $\mathsf{find}\ u \le n, u' \le n'\ \mathsf{suchthat}\ \mathsf{defined}(r[u], x[u, u'])$
6.     $\wedge\ y = \mathit{pkgen}'(r[u]) \wedge m = x[u, u']$
7.     $\wedge\ c'(m, y, \mathit{si})\ \mathsf{then}\ \mathit{true}\ \mathsf{else}$
8.   $\mathsf{find}\ u \le n\ \mathsf{suchthat}\ \mathsf{defined}(r[u])$
9.     $\wedge\ y = \mathit{pkgen}'(r[u])\ \mathsf{then}\ \mathit{false}\ \mathsf{else}$
10.  $c(m, y, \mathit{si})$

The first three lines of each side of the equivalence express that the generation of public keys and the computation of the signature are left unchanged in the transformation. The verification of a signature $c(m, y, \mathit{si})$ is replaced with a lookup in the previously computed signatures: if the signature is checked using one of the keys $\mathit{pkgen}'(r[u])$ (that is, if $y = \mathit{pkgen}'(r[u])$), then it can be valid only when it has been computed by the signature oracle $s'(x, \mathit{skgen}'(r[u]), r')$, that is, when $m = x[u, u']$ for some $u'$. Lines 5-7 of the right-hand side of the equivalence try to find such a $u'$ and return $\mathit{true}$ when they succeed. Lines 8-9 of the right-hand side return $\mathit{false}$ when no such $u'$ is found in lines 5-7, but $y = \mathit{pkgen}'(r[u])$ for some $u$. The last line handles the case when the key $y$ is not $\mathit{pkgen}'(r[u])$. In this case, we check the signature as before. (Using $c$ and not $c'$ in the last line of the transformation allows us to reapply this transformation with another value of $r$.)

We can model deterministic signatures in a similar way, by removing the third argument of $s$.

IND-CCA2 Public-Key Encryption

$T_r$ large, fixed length; $T'_r$ fixed length
$\mathit{enc}, \mathit{enc}' : T \times T_{\mathit{pk}} \times T'_r \to T_e$
$\mathit{dec}, \mathit{dec}' : T_e \times T_{\mathit{sk}} \to T_\bot$
$\mathit{skgen}, \mathit{skgen}' : T_r \to T_{\mathit{sk}}$
$\mathit{pkgen}, \mathit{pkgen}' : T_r \to T_{\mathit{pk}}$
$i_\bot : T \to T_\bot$ (poly-injective)
$Z_T : T$
$\forall m : T, \forall r : T_r, \forall r' : T'_r, \mathit{dec}(\mathit{enc}(m, \mathit{pkgen}(r), r'), \mathit{skgen}(r)) = i_\bot(m)$
$\forall m : T, \forall r : T_r, \forall r' : T'_r, \mathit{dec}'(\mathit{enc}'(m, \mathit{pkgen}'(r), r'), \mathit{skgen}'(r)) = i_\bot(m)$
$\mathsf{new}\ x : T_r; \mathsf{new}\ y : T_r; f(x) = f(y) \approx x = y$ for $f \in \{\mathit{pkgen}, \mathit{pkgen}', \mathit{skgen}, \mathit{skgen}'\}$

$!^{i \le n} \mathsf{new}\ r : T_r; ($
  $() \to \mathit{pkgen}(r),$
  $!^{i' \le n'} (m : T_e) \to \mathit{dec}(m, \mathit{skgen}(r))),$
$!^{i'' \le n''} \mathsf{new}\ r' : T'_r; (x : T, y : T_{\mathit{pk}}) \to \mathit{enc}(x, y, r')\ [\mathit{all}]$
$\approx$
$!^{i \le n} \mathsf{new}\ r : T_r; ($
  $() \to \mathit{pkgen}'(r),$
  $!^{i' \le n'} (m : T_e) \to$
    $\mathsf{find}\ u \le n''\ \mathsf{suchthat}\ \mathsf{defined}(m'[u], x[u], y[u]) \wedge y[u] = \mathit{pkgen}'(r) \wedge m = m'[u]$
    $\mathsf{then}\ i_\bot(x[u])\ \mathsf{else}\ \mathit{dec}'(m, \mathit{skgen}'(r))),$
$!^{i'' \le n''} (x : T, y : T_{\mathit{pk}}) \to$
  $\mathsf{find}\ u' \le n\ \mathsf{suchthat}\ \mathsf{defined}(r[u']) \wedge y = \mathit{pkgen}'(r[u'])$
  $\mathsf{then}\ \mathsf{new}\ r' : T'_r; \mathsf{let}\ m' : T_e = \mathit{enc}'(Z_T, \mathit{pkgen}'(r[u']), r')\ \mathsf{in}\ m'$
  $\mathsf{else}\ \mathsf{new}\ r'' : T'_r; \mathit{enc}(x, y, r'')$

When no decryption is present, this transformation reduces to IND-CPA public-key encryption, described below.

IND-CPA Public-Key Encryption

$T_r$ large, fixed length; $T'_r$ fixed length
$\mathit{enc}, \mathit{enc}' : T \times T_{\mathit{pk}} \times T'_r \to T_e$
$\mathit{dec} : T_e \times T_{\mathit{sk}} \to T_\bot$
$\mathit{skgen} : T_r \to T_{\mathit{sk}}$
$\mathit{pkgen}, \mathit{pkgen}' : T_r \to T_{\mathit{pk}}$
$i_\bot : T \to T_\bot$ (poly-injective)
$Z_T : T$
$\forall m : T, \forall r : T_r, \forall r' : T'_r, \mathit{dec}(\mathit{enc}(m, \mathit{pkgen}(r), r'), \mathit{skgen}(r)) = i_\bot(m)$
$\mathsf{new}\ x : T_r; \mathsf{new}\ y : T_r; f(x) = f(y) \approx x = y$ for $f \in \{\mathit{pkgen}, \mathit{skgen}, \mathit{skgen}'\}$

$!^{i \le n} \mathsf{new}\ r : T_r; () \to \mathit{pkgen}(r),$
$!^{i' \le n'} \mathsf{new}\ r' : T'_r; (x : T, y : T_{\mathit{pk}}) \to \mathit{enc}(x, y, r')\ [\mathit{all}]$
$\approx$
$!^{i \le n} \mathsf{new}\ r : T_r; () \to \mathit{pkgen}'(r),$
$!^{i' \le n'} (x : T, y : T_{\mathit{pk}}) \to$
  $\mathsf{find}\ u \le n\ \mathsf{suchthat}\ \mathsf{defined}(r[u]) \wedge y = \mathit{pkgen}'(r[u])$
  $\mathsf{then}\ \mathsf{new}\ r' : T'_r; \mathit{enc}'(Z_T, \mathit{pkgen}'(r[u]), r')$
  $\mathsf{else}\ \mathsf{new}\ r'' : T'_r; \mathit{enc}(x, y, r'')$


D.3.3 Hash Functions

Collision Resistant Hash Function

$T_k$ fixed length
$h : T_k \times \mathit{bitstring} \to T$
$\mathsf{new}\ k : T_k; \forall x : \mathit{bitstring}, \forall y : \mathit{bitstring}, h(k, x) = h(k, y) \approx x = y$

Hash Function in the Random Oracle Model

$T$ fixed length
$h : \mathit{bitstring} \to T$
$!^{i \le n} (x : \mathit{bitstring}) \to h(x)\ [\mathit{all}]$
$\approx_0$
$!^{i \le n} (x : \mathit{bitstring}) \to$
  $\mathsf{find}\ u \le n\ \mathsf{suchthat}\ \mathsf{defined}(x[u], r[u]) \wedge x = x[u]\ \mathsf{then}\ r[u]$
  $\mathsf{else}\ \mathsf{new}\ r : T; r$

Note that the game must include, in parallel with the protocol to verify, the process $!^{i \le n} c(x : \mathit{bitstring}); \overline{c}\langle h(x) \rangle$. Otherwise, the prover would incorrectly assume that the adversary cannot compute the hash function. This particularity is related to the fact that a random oracle is unimplementable: otherwise, the adversary could implement it without being explicitly given access to it.

D.3.4 Xor

$\mathit{xor} : T \times T \to T$ (commutative)
$\forall x : T, y : T, \mathit{xor}(x, \mathit{xor}(x, y)) = y.$
$\forall x : T, y : T, z : T, (\mathit{xor}(x, z) = \mathit{xor}(y, z)) = (x = y).$
$!^{i \le n} \mathsf{new}\ k : T; (x : T) \to \mathit{xor}(x, k)$
$\approx_0$
$!^{i \le n} \mathsf{new}\ k : T; (x : T) \to k$

This modeling of $\mathit{xor}$ could be improved by taking into account more equations, in particular associativity.

E Proofs

E.1 Proof of Proposition 1

The proof that $Q'_0$ satisfies Invariants 1, 2, and 3 is in general easy, and the proof of $Q_0 \approx^{V_0} Q'_0$ relies on a correspondence between traces of $C[Q_0]$ and traces of $C[Q'_0]$, with the same probability and such that a configuration of the trace of $C[Q_0]$ executes $\overline{c}\langle a \rangle$ immediately if and only if the corresponding configuration of the corresponding trace of $C[Q'_0]$ executes $\overline{c}\langle a \rangle$ immediately. This correspondence is obtained by replacing some internal actions of $Q_0$ with corresponding internal actions of $Q'_0$. We sketch the proof only for the cases of $\mathit{SArename}(x)$ and $\mathit{Simplify}$, and leave the case of $\mathit{RemoveAssign}(x)$ to the reader.

Proof sketch of Proposition 1 for $\mathit{SArename}(x)$. The process $Q'_0$ satisfies Invariant 1 because definitions of variables duplicated by $\mathit{SArename}$ all occur in a different branch of a $\mathsf{find}$.

For Invariant 2, each variable access $x_j[M_1, \ldots, M_l]$ in $Q'_0$ comes from a variable access $x[M_1, \ldots, M_l]$ in $Q_0$. Since $Q_0$ satisfies Invariant 2, either this access is under its definition, in which case $\mathit{SArename}(x)$ has replaced this definition of $x$ with a definition of $x_j$, so $x_j[M_1, \ldots, M_l]$ is under its definition in $Q'_0$; or this access is in a $\mathsf{defined}$ test, in which case it is also in a $\mathsf{defined}$ test in $Q'_0$; or this access is in a branch of $\mathsf{find}$ with a condition $\mathsf{defined}(N_1, \ldots, N_{l'})$ such that $x[M_1, \ldots, M_l]$ is a subterm of $N_j$ for some $j \le l'$, in which case $x[M_1, \ldots, M_l]$ has been substituted with $x_j[M_1, \ldots, M_l]$ in this branch of $\mathsf{find}$, so $x_j[M_1, \ldots, M_l]$ is under a suitable $\mathsf{defined}$ condition. Therefore, $Q'_0$ satisfies Invariant 2.

For Invariant 3, the type environment $\mathcal{E}'$ for $Q'_0$ is obtained from the type environment $\mathcal{E}$ for $Q_0$ by setting $\mathcal{E}'(x_1) = \ldots = \mathcal{E}'(x_m) = \mathcal{E}(x)$, and $\mathcal{E}'(x)$ is not defined. (Indeed, all definitions of $x$ in $Q_0$ have the same type $\mathcal{E}(x)$, which is therefore the type of the definitions of $x_j$, $j \le m$, in $Q'_0$.) The proof of $\mathcal{E}' \vdash Q'_0$ is obtained from the proof of $\mathcal{E} \vdash Q_0$ by replacing requests to $\mathcal{E}(x)$ with requests to $\mathcal{E}(x_j)$ for some $j \le m$, and duplicating parts of the proof of $\mathcal{E} \vdash Q_0$ that correspond to duplicated branches of $\mathsf{find}$.

Finally, let us prove that $Q_0 \approx^{V_0} Q'_0$. We denote by $\mathit{SArename}(x, Q)$ the process obtained by applying $\mathit{SArename}(x)$ to $Q$. Let $j$ be a partial function from $l$-tuples of indices $a_1, \ldots, a_l$ to subscripts $1, \ldots, m$ of variable $x$. Informally, $j$ is such that $x[a_1, \ldots, a_l]$ in a trace of $Q_0$ corresponds to $x_{j(a_1, \ldots, a_l)}[a_1, \ldots, a_l]$ in the corresponding trace of $Q'_0$. We define a function $\mathit{SArename}_j$ that relates configurations in a trace of $Q_0$ to configurations in a trace of the renamed process $Q'_0$. Below, we will show that this function maps traces of $Q_0$ to traces of $Q'_0$ of the same probability, which will show the desired equivalence $Q_0 \approx^{V_0} Q'_0$.

• We define $\mathit{SArename}_j$ for terms so that $\mathit{SArename}_j(x, E, M)$ replaces occurrences of $x$ in $M$ with the appropriate $x_j$. More precisely,

  $\mathit{SArename}_j(x, E, x[M_1, \ldots, M_l]) = x_{j(a_1, \ldots, a_l)}[\mathit{SArename}_j(x, E, M_1), \ldots, \mathit{SArename}_j(x, E, M_l)]$ when $E, M_k \Downarrow a_k$ for $k \le l$ and $x[a_1, \ldots, a_l] \in \mathit{Dom}(E)$;

  $\mathit{SArename}_j(x, E, y[M_1, \ldots, M_l]) = y[\mathit{SArename}_j(x, E, M_1), \ldots, \mathit{SArename}_j(x, E, M_l)]$ when $y \neq x$;

  $\mathit{SArename}_j(x, E, f(M_1, \ldots, M_l)) = f(\mathit{SArename}_j(x, E, M_1), \ldots, \mathit{SArename}_j(x, E, M_l))$;

  $\mathit{SArename}_j(x, E, i) = i$.

• We define $\mathit{SArename}_j$ for (input and output) processes as follows: $\mathit{SArename}_j(x, E, P_1)$ first computes $\mathit{SArename}(x, P_1) = P_2$. More precisely, it renames each definition of $x$ to the name used when renaming the whole process $Q_0$; it replaces variable accesses to $x$ with variable accesses to $x_j$ when the definition of $x$ that caused this replacement in $Q_0$ also occurs in $P_1$; it duplicates branches of $\mathsf{find}$ as $\mathit{SArename}(x, Q_0)$ does, renaming variable accesses to $x$ into variable accesses to $x_j$ when the $\mathsf{find}$ that caused this replacement in $Q_0$ also occurs in $P_1$. (When a variable access to $x$ is under both a definition of $x$ and a $\mathsf{find}$, or under several nested $\mathsf{find}$s that guarantee that it is defined, it is important to follow exactly the renaming procedure that happened in $Q_0$. Formally, this can be done by annotating each construct in processes with a distinct occurrence symbol and by reducing annotated processes. When we perform $\mathit{SArename}(x, Q_0)$, we can then remember the occurrence symbols of the constructs that cause each variable renaming.) Finally, $\mathit{SArename}_j$ replaces each term $M$ in $P_2$ with $\mathit{SArename}_j(x, E, M)$.

• We also define $\mathit{SArename}_j$ for environments: $E' = \mathit{SArename}_j(x, E)$ if and only if $E'(x_{j(a_1, \ldots, a_l)}[a_1, \ldots, a_l]) = E(x[a_1, \ldots, a_l])$ when $x[a_1, \ldots, a_l] \in \mathit{Dom}(E)$, $E'(y[a_1, \ldots, a_l]) = E(y[a_1, \ldots, a_l])$ when $y \neq x$ and $y[a_1, \ldots, a_l] \in \mathit{Dom}(E)$, and $E'(y[a_1, \ldots, a_l])$ is undefined in all other cases.

• We extend $\mathit{SArename}_j$ to semantic configurations:

  $\mathit{SArename}_j(x, (E, P, \mathcal{Q}, \mathcal{C})) = (\mathit{SArename}_j(x, E), \mathit{SArename}_j(x, E, P), \{\mathit{SArename}_j(x, E, Q_1) \mid Q_1 \in \mathcal{Q}\}, \mathcal{C})$

  We also define $\mathit{SArename}_j(x, (E, \mathcal{Q}, \mathcal{C}))$ in the same way.

We first show that if $E, M \Downarrow a$, then

  $\mathit{SArename}_j(x, E), \mathit{SArename}_j(x, E, M) \Downarrow a.$

The proof proceeds by induction on $M$. The only interesting case is $M = x[M_1, \ldots, M_l]$. Since $E, M \Downarrow a$ has been derived by (Var), $E, M_k \Downarrow a_k$ for all $k \le l$ and $a = E(x[a_1, \ldots, a_l])$. By induction hypothesis, $\mathit{SArename}_j(x, E), \mathit{SArename}_j(x, E, M_k) \Downarrow a_k$ for all $k \le l$. Moreover,

  $\mathit{SArename}_j(x, E, x[M_1, \ldots, M_l]) = x_{j(a_1, \ldots, a_l)}[\mathit{SArename}_j(x, E, M_1), \ldots, \mathit{SArename}_j(x, E, M_l)]$

and

  $\mathit{SArename}_j(x, E)(x_{j(a_1, \ldots, a_l)}[a_1, \ldots, a_l]) = E(x[a_1, \ldots, a_l]) = a,$

so $\mathit{SArename}_j(x, E), \mathit{SArename}_j(x, E, M) \Downarrow a$.

Next, we can show by cases on the reduction $E, \mathcal{Q}, \mathcal{C} \leadsto E', \mathcal{Q}', \mathcal{C}'$ that, if $E, \mathcal{Q}, \mathcal{C} \leadsto E', \mathcal{Q}', \mathcal{C}'$, then $\mathit{SArename}_j(x, (E, \mathcal{Q}, \mathcal{C})) \leadsto \mathit{SArename}_j(x, (E', \mathcal{Q}', \mathcal{C}'))$. Hence

  $\mathit{SArename}_j(x, \mathit{reduce}(E, \mathcal{Q}, \mathcal{C})) = \mathit{reduce}(\mathit{SArename}_j(x, (E, \mathcal{Q}, \mathcal{C}))).$

Let $C$ be any evaluation context acceptable for $Q_0, Q'_0, V$. We show that for each trace $\mathit{initConfig}(C[Q_0]) \to_\eta \ldots \to_\eta E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m$, there exists a trace $\mathit{initConfig}(C[Q'_0]) \to_\eta \ldots \to_\eta E'_m, P'_m, \mathcal{Q}'_m, \mathcal{C}_m$ with the same probability, and a function $j_m$ such that $E'_m, P'_m, \mathcal{Q}'_m, \mathcal{C}_m = \mathit{SArename}_{j_m}(x, (E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m))$. The proof proceeds by induction on the length $m$ of the trace. For the induction step, we distinguish cases depending on the last reduction step of the trace.

• Initial case $m = 0$: $\mathit{fc}(C[Q_0]) = \mathit{fc}(C[Q'_0])$ since the transformation $\mathit{SArename}$ does not modify channels. Let $j_0$ be the function defined nowhere. We have $C[Q'_0] = \mathit{SArename}_{j_0}(x, \emptyset, C[Q_0])$. Indeed, since $x \notin V$, $x \notin \mathit{var}(C)$, so

  $\mathit{SArename}_{j_0}(x, \emptyset, C[Q_0]) = \mathit{SArename}(x, C[Q_0]) = C[\mathit{SArename}(x, Q_0)] = C[Q'_0].$

Therefore,

  $\mathit{SArename}_{j_0}(x, (\emptyset, \{C[Q_0]\}, \mathit{fc}(C[Q_0]))) = (\emptyset, \{C[Q'_0]\}, \mathit{fc}(C[Q'_0])).$

Hence we have

  $\mathit{SArename}_{j_0}(x, \mathit{reduce}(\emptyset, \{C[Q_0]\}, \mathit{fc}(C[Q_0]))) = \mathit{reduce}(\emptyset, \{C[Q'_0]\}, \mathit{fc}(C[Q'_0])).$

Thus,

  $\mathit{SArename}_{j_0}(x, \mathit{initConfig}(C[Q_0])) = \mathit{initConfig}(C[Q'_0]).$

• The last step of the trace is a definition of $x[a_1, \ldots, a_l]$: By induction hypothesis, we have a trace of length $m - 1$, with an associated function $j_{m-1}$. Since $C[Q_0]$ satisfies Invariant 1, the configuration $E_{m-1}, P_{m-1}, \mathcal{Q}_{m-1}, \mathcal{C}_{m-1}$ satisfies Invariant 4, so $x[a_1, \ldots, a_l] \notin \mathit{Dom}(E_{m-1})$. Since $P'_{m-1} = \mathit{SArename}_{j_{m-1}}(x, E_{m-1}, P_{m-1})$, the first instruction of $P'_{m-1}$ is a definition of $x_k[a_1, \ldots, a_l]$ for some $k$ (using the property "if $E, M \Downarrow a$, then $\mathit{SArename}_j(x, E), \mathit{SArename}_j(x, E, M) \Downarrow a$" shown above to prove that the indices of $x$, resp. $x_k$, are the same in the execution of $P_{m-1}$ and of $P'_{m-1}$). We define $j_m = j_{m-1}[(a_1, \ldots, a_l) \mapsto k]$, and show that we obtain a suitable trace of length $m$ with this function $j_m$.

• The last step of the trace is a $\mathsf{find}$ whose $\mathsf{defined}$ condition refers to $x$: By induction hypothesis, we have a trace of length $m - 1$, with an associated function $j_{m-1}$. If a branch $\mathit{FB}$ of the $\mathsf{find}$ in $P_{m-1}$ succeeds for certain values of the variables defined by $\mathsf{find}$, exactly one of its copies succeeds in $P'_{m-1}$, namely the copy whose $\mathsf{defined}$ condition refers to $x_{j_{m-1}(a_1, \ldots, a_l)}[a_1, \ldots, a_l]$ when the $\mathsf{defined}$ condition of the branch $\mathit{FB}$ in $P_{m-1}$ refers to $x[a_1, \ldots, a_l]$. If a branch of the $\mathsf{find}$ fails in $P_{m-1}$, all its copies fail in $P'_{m-1}$. Therefore, the number $|S|$ of successful choices of the $\mathsf{find}$ is the same in $P_{m-1}$ and in $P'_{m-1}$. Hence, the probability that each successful branch is taken is the same. When $P_{m-1}$ executes a successful branch, we build the corresponding trace of $P'_{m-1}$ by executing the successful copy of this branch. When $P_{m-1}$ executes the $\mathsf{else}$ branch, $P'_{m-1}$ also executes the $\mathsf{else}$ branch. So we obtain a suitable trace of length $m$ with associated function $j_m = j_{m-1}$ (except when the $\mathsf{find}$ also defines $x[a'_1, \ldots, a'_l]$, in which case the previous item of the proof must also be applied).

• All other cases are easy: they execute in the same way in $P_{m-1}$ and in $P'_{m-1}$.

We also show the converse property, that for each trace $\mathit{initConfig}(C[Q'_0]) \to_\eta \ldots \to_\eta E'_m, P'_m, \mathcal{Q}'_m, \mathcal{C}_m$, there exists a trace $\mathit{initConfig}(C[Q_0]) \to_\eta \ldots \to_\eta E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m$ with the same probability and

  $E'_m, P'_m, \mathcal{Q}'_m, \mathcal{C}_m = \mathit{SArename}_{j_m}(x, (E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m)).$

The proof is similar to the proof above.

If $E'_m, P'_m, \mathcal{Q}'_m, \mathcal{C}_m = \mathit{SArename}_{j_m}(x, (E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m))$, then for all channels $c$ and bitstrings $a$, $E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m$ executes $\overline{c}\langle a \rangle$ immediately if and only if $E'_m, P'_m, \mathcal{Q}'_m, \mathcal{C}_m$ executes $\overline{c}\langle a \rangle$ immediately. So $\Pr[C[Q_0] \leadsto_\eta \overline{c}\langle a \rangle] = \Pr[C[Q'_0] \leadsto_\eta \overline{c}\langle a \rangle]$. Therefore, $Q_0 \approx^{V_0} Q'_0$. $\square$

Proof sketch of Proposition 1 for Simplify The proof ofInvariants 1, 2, and 3 is relatively easy, so we focus on the proofof Q0 ≈

V Q′0.Let C be any evaluation context acceptable forQ0, Q′0, V .

Let q(η) be the maximum runtime ofC[Q0], whereq is a poly-nomial. We denote byC0 the initial configuration ofC[Q0],initConfig(C[Q0]).

We definepmax(η) = max({ 1|Iη(T )| | T is a large type} ∪

{p(η) associated to user-defined rewrite rules, for an adversaryof runtimeq(η)}). The probabilitypmax(η) is negligible, sinceit is the maximum of a constant number of negligible functions.We shall prove below that the probability that a desired factdoesnot hold is at mostq′(η)pmax(η), whereq′ is a polynomial, so itis negligible.

The proof follows the structure of the simplification algo-rithm: we prove the correctness of each component of the al-gorithm separately.

Correctness of the collection of true facts. We consider aslightly modified semantics for our calculus, in which each pro-cess is accompanied with a substitution that defines the valuesof the replication indices in that process. For example, therule(Repl) becomes in this semantics:

E, {(σ, !i≤nQ)} ⊎ Q, C

E, {(σ[i 7→ a], Q) | a ∈ [1, Iη(n)]} ⊎ Q, C

When evaluating a termM in a process with substitution(σ,Q)or (σ, P ), we now useE, σ,M ⇓ a instead ofE,M ⇓ a, withthe ruleE, σ, i ⇓ σi instead of (Cst), and the other rules modi-fied accordingly.

The judgmentE, σ ⊢ F means that a factF holds in en-vironmentE and substitutionσ. It is defined byE, σ ⊢ Mif and only if E, σ,M ⇓ true; E, σ ⊢ defined(M) if andonly if E, σ,M ⇓ a for somea; E, σ ⊢ elsefind((u1 ≤

n1, . . . , um ≤ nm), (M1, . . . ,Ml),M) if and only if forall x1 ∈ [1, Iη(n1)], . . . , xm ∈ [1, Iη(nm)], we haveE, σ′, (defined(M1, . . . ,Ml)∧M) ⇓ false whereσ′ = σ[u1 7→x1, . . . , um 7→ xm]. We extend this definition to sets of factsnaturally. We say thatFP is correct for all P when C0

p−→t

. . .p′

−→t′ E, (σ, P ),Q, C impliesE, σ ⊢ FP . Our goal is toshow thatFP is indeed correct for allP .

For occurrences of processesP , Q in C and in the processstart〈〉; 0 used in the initial configuration, we letFP = FQ =FFut

P = FElseFindP = FElseFind

Q = ∅.We show S0: immediately after callingcollectFacts, if

E1, (σ1, P1),Q1, C1p−→t E, (σ, P ),Q, C then E, σ ⊢ FP .

If the reduced process is inC, the result is obvious sinceFP = ∅. Otherwise, we proceed by cases on the reductionE1, (σ1, P1),Q1, C1

p−→t E, (σ, P ),Q, C. For example, in the

case (Let),E1, σ,M ⇓ a, a ∈ Iη(T ), andE1, (σ, let x[i] : T =

M in P ),Q, C1−→L E = E1[x[σi] 7→ a], (σ, P ),Q, C. We

haveFP = {defined(x[i]), x[i] = M}. SinceE, σ, x[i] ⇓ a,we haveE, σ ⊢ defined(x[i]). We also haveE, σ,M ⇓ a, soE, σ ⊢ x[i] = M , soE, σ ⊢ FP . We proceed in a similar wayfor the other cases.

We show that, immediately after callingcollectFacts, FP is

correct for allP , that is, ifC0p−→t . . .

p′

−→t′ E, (σ, P ),Q, C thenE, σ ⊢ FP . For the initial configuration, the property is obvioussinceFP = ∅. For the other configurations, we conclude by(S0).

We show the invariantS1: FC[Q0] = ∅ and ifQ is an inputprocess andP is the input or output process just aboveQ, thenFQ ⊆ FP . This property is obvious aftercollectFacts sinceFQ = ∅, and it is preserved by all updates toFQ (provided theconsequences ofdefined facts are not added inQ before theyare added inP , which we can easily satisfy).

We proveS2: if E,Q, C E′,Q′, C′ and for all(σ,Q) ∈Q, E, σ ⊢ FQ, then for all (σ,Q) ∈ Q′, E′, σ ⊢ FQ.The proof is easy by cases on the derivation ofE,Q, C E′,Q′, C′, using (S1). Therefore, we haveS2’: if E′,Q′, C′ =reduce(E,Q, C) and for all(σ,Q) ∈ Q, E, σ ⊢ FQ, then forall (σ,Q) ∈ Q′, E′, σ ⊢ FQ.

Next, we prove that ifFP is correct for allP , thenF ′P ob-tained by

F ′P = FP ∪ FP ′ if P is immediately underP ′

is correct for allP . We show that, ifC0p−→t . . .

p′

−→t′

E, (σ, P ),Q, C then for all (σ′, P ′) ∈ {(σ, P )} ⊎ Q,E, σ′ ⊢ F ′P ′ . The proof proceeds by induction onthe length of the trace. For the initial configuration,FC[Q0] = ∅ by (S1), so ∅, ∅ ⊢ FC[Q0], and ∅, ∅ ⊢Fstart〈〉, so the property follows immediately from (S2’).For the inductive step, if the last reduction of the trace

is (Output), we haveE1, (σ1, P1), {(σ,Q)} ⊎ Q1, C1p′

−→t′

E, (σ, P ),Q, C with P1 = c[M1, . . . ,Ml]〈N1, . . . , Nk〉.Q1,Q = c[M ′1, . . . ,M

′l ](x1 [i] : T1, . . . , xk [i] : Tk).P , E =

E1[x1[σi] 7→ . . . , . . . , xk[σi] 7→ . . .], Q = Q1 ⊎ Q2, andE1,Q2, C = reduce(E1, {(σ1, Q1)}, C1). If P is inC,F ′P = ∅,soE, σ ⊢ F ′P . Otherwise,E, σ ⊢ F ′Q by induction hypoth-esis. MoreoverE, σ ⊢ FP sinceFP is correct for allP , so

Page 316: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

308 Bruno Blanchet

E, σ ⊢ F ′P sinceF ′P = FQ∪FP ⊆ F′Q∪FP . By induction hy-

pothesis, for all(σ′, Q′) ∈ Q1,E1, σ′ ⊢ F ′Q′ . Also by induction

hypothesis,E1, σ1 ⊢ F′P1

, soE1, σ1 ⊢ F′Q1⊆ F ′P1

by (S1).By (S2’), for all (σ′, Q′) ∈ Q2, E1, σ

′ ⊢ F ′Q′ . So for all(σ′, Q′) ∈ Q = Q1 ⊎ Q2, E1, σ

′ ⊢ F ′Q′ , soE, σ′ ⊢ F ′Q′ sinceE is an extension ofE1. If the last reduction is not (Output), it isof the formE1, (σ, P

′),Q, Cp−→t E, (σ, P ),Q, C whereE is an

extension ofE1. By induction hypothesis, for all(σ′, Q′) ∈ Q,E1, σ

′ ⊢ F ′Q′ , so for all(σ′, Q′) ∈ Q, E, σ′,⊢ F ′Q′ . SinceFP

is correct for allP ,E, σ ⊢ FP andE1, σ ⊢ FP ′ , soE, σ ⊢ FP ′ ,soE, σ ⊢ F ′P = FP ∪ FP ′ .

We show S3: if E, (σ, P ),Q, Cp−→t . . .

p′

−→t′

E′, (σ′, P ′),Q′, C′ whereP ′ is an output and no process be-fore P ′ in this trace is an output, thenE′, σ′ ⊢ FFut

P . Sinceno process beforeP ′ in this trace is an output, this trace doesnot contain the reduction rule (Output). The proof proceedsby induction onP . If P is an output, the result is obvi-ous sinceFFut

P = collectFacts(P ) = ∅. Otherwise, letP1, . . . , Pm be the immediate subprocesses ofP . We haveE, (σ, P ),Q, C

p−→t E1, (σ, Pj),Q, C for some extensionE1

of E and somej ∈ {1, . . . ,m}. Moreover, by definition ofcollectFacts, FFut

P = collectFacts(P ) =⋂m

j=1(FPj∪ FFut

Pj),

where the value ofFPjis considered immediately after calling

collectFacts. By (S0),E1, σ ⊢ FPj, soE′, σ′ ⊢ FPj

sinceE′

is an extension ofE1 andσ′ = σ since no (Output) reductionoccurs in this trace. By induction hypothesis,E′, σ′ ⊢ FFut

Pj,

soE′, σ′ ⊢ FPj∪ FFut

Pjfor somej ∈ {1, . . . ,m}. Therefore,

E′, σ′ ⊢ FFutP .

We now show that ifFP is correct for allP , andF ′P is ob-tained by

F ′P = FP ∪

(x[i1,...,im],P ′)∈D

σ′(FP ′ ∪ (FFutP ′ ∩ FP ))

if P is underP ′

σ′(FP ′ ∪ FFutP ′ ) otherwise

whereσ′ = {M1/i1, . . . ,Mm/im}, whendefined(M) ∈ FP

andx[M1, . . . ,Mm] is a subterm ofM , andF ′P = FP oth-erwise, thenF ′P is also correct for allP . We assume that

C0p−→t . . .

p′

−→t′ E, (σ, P ),Q, C and show thatE, σ ⊢ F ′P .SinceFP is correct for allP , E, σ ⊢ FP . SinceE, σ ⊢defined(M), E, σ,Mj ⇓ aj for all j ≤ m andx[a1, . . . , am] ∈Dom(E). Therefore, some definition ofx[a1, . . . , am] has beenexecuted in the considered trace. Next, we show that, for some(x[i1, . . . , im], P ′) ∈ D, we haveE, σ1 ⊢ FP ′ ; if P is un-der P ′ thenE, σ1 ⊢ F

FutP ′ ∩ FP ; and if P is not underP ′

thenE, σ1 ⊢ FFutP ′ , whereσ1(i1) = a1, . . . , σ1(im) = am.

The desired result follows. LetE1, (σ1, P1),Q1, C1p1−→t1

E2, (σ1, P2),Q2, C2 be the reduction that definesx[a1, . . . , am]in the considered trace. We haveE2, σ1 ⊢ FP2

sinceFP

is correct for allP . So E, σ1 ⊢ FP2sinceE is an exten-

sion of E2 so all facts that hold inE2 also hold inE. Wehave(x[i1, . . . , im], P2) ∈ D. If P is not underP2, the trace

E2, (σ1, P2),Q2, C2p2−→t2 . . .

p′

−→t′ E, (σ, P ),Q, C must exe-cute an output, so by (S3),E3, σ3 ⊢ F

FutP2

where the configu-ration in which the first output afterE2, (σ1, P2),Q2, C2 is exe-cuted isE3, (σ3, P3),Q3, C3, soE, σ1 ⊢ F

FutP2

. (We haveσ3 =σ1, since the substitutionσ is changed only when executing a

communication.) IfP is underP2, two cases can happen. Either

the traceE2, (σ1, P2),Q2, C2p2−→t2 . . .

p′

−→t′ E, (σ, P ),Q, Cexecutes an output, and we haveE, σ1 ⊢ F

FutP2

as above, or

E2, (σ1, P2),Q2, C2p2−→t2 . . .

p′

−→t′ E, (σ, P ),Q, C executesno output, soσ = σ1. (The substitutionσ is changed onlywhen executing a communication.) SinceFP is correct forall P , E, σ ⊢ FP , henceE, σ1 ⊢ FP . Then, in both cases,E, σ1 ⊢ F

FutP2∩ FP .

Next, we show S4: if $C_0 \xrightarrow{p}_t \ldots \xrightarrow{p'}_{t'} E,(\sigma,P),\mathcal{Q},\mathcal{C}$ then $E,\sigma \vdash \mathcal{F}^{\mathit{ElseFind}}_P$. The proof proceeds by induction on the length of the trace. For the initial configuration, the result is obvious since $\mathcal{F}^{\mathit{ElseFind}}_P = \emptyset$. For the inductive step, if the reduced process is in $\mathcal{C}$, the result is obvious since $\mathcal{F}^{\mathit{ElseFind}}_P = \emptyset$. Otherwise, we proceed by cases on the last reduction of the trace. In the (Output) case, the result is obvious since $\mathcal{F}^{\mathit{ElseFind}}_P = \emptyset$. In the (New), (Let), and (Find1) cases, $\sigma$ is unchanged, $E$ is extended with definitions for some variables, and elsefind facts that claim that these variables are not defined are removed from $\mathcal{F}^{\mathit{ElseFind}}_P$, so we still have $E,\sigma \vdash \mathcal{F}^{\mathit{ElseFind}}_P$. In the (Find2) case for
$$P' = \mathbf{find}\ (\bigoplus_{j=1}^m u_{j1}[i] \le n_{j1}, \ldots, u_{jm_j}[i] \le n_{jm_j}\ \mathbf{suchthat}\ \mathit{defined}(M_{j1},\ldots,M_{jl_j}) \wedge M_j\ \mathbf{then}\ P_j)\ \mathbf{else}\ P,$$
$E$ and $\sigma$ are unchanged and, since (Find2) is executed, $\forall j \le m, \forall a_1 \in [1, I_\eta(n_{j1})], \ldots, \forall a_{m_j} \in [1, I_\eta(n_{jm_j})]$, $E[u_{j1}[\sigma i] \mapsto a_1, \ldots, u_{jm_j}[\sigma i] \mapsto a_{m_j}], \sigma, (\mathit{defined}(M_{j1},\ldots,M_{jl_j}) \wedge M_j) \Downarrow \mathit{false}$. We have
$$\mathcal{F}^{\mathit{ElseFind}}_P = \mathcal{F}^{\mathit{ElseFind}}_{P'} \cup \{\mathit{elsefind}((u_1 \le n_{j1}, \ldots, u_{m_j} \le n_{jm_j}), \sigma_j(M_{j1},\ldots,M_{jl_j}), \sigma_j M_j) \mid j \in \{1,\ldots,m\}\}$$
where $\sigma_j = \{u_1/u_{j1}[i], \ldots, u_{m_j}/u_{jm_j}[i]\}$. By induction hypothesis, $E,\sigma \vdash \mathcal{F}^{\mathit{ElseFind}}_{P'}$. Moreover, $E,\sigma \vdash \mathit{elsefind}((u_1 \le n_{j1}, \ldots, u_{m_j} \le n_{jm_j}), \sigma_j(M_{j1},\ldots,M_{jl_j}), \sigma_j M_j)$ for $j \in \{1,\ldots,m\}$, so $E,\sigma \vdash \mathcal{F}^{\mathit{ElseFind}}_P$.

We now show that if $\mathcal{F}_P$ is correct for all $P$, then $\mathcal{F}'_P$ obtained by
$$\begin{aligned}\mathcal{F}'_P = \mathcal{F}_P \cup \{\neg\sigma' M \mid{} & \mathit{elsefind}((u_1 \le n_1, \ldots, u_m \le n_m), (M_1,\ldots,M_l), M) \in \mathcal{F}^{\mathit{ElseFind}}_P,\ \mathrm{Dom}(\sigma') = \{u_1,\ldots,u_m\},\\ & \text{for each } j \in \{1,\ldots,l\},\ \sigma' M_j \text{ is a subterm of } M'_j \text{ and } \mathit{defined}(M'_j) \in \mathcal{F}_P\}\end{aligned}$$
is also correct for all $P$. Assuming that $C_0 \xrightarrow{p}_t \ldots \xrightarrow{p'}_{t'} E,(\sigma,P),\mathcal{Q},\mathcal{C}$, we show that $E,\sigma \vdash \mathcal{F}'_P$. Since $\mathcal{F}_P$ is correct for all $P$, $E,\sigma \vdash \mathcal{F}_P$. By (S4), $E,\sigma \vdash \mathcal{F}^{\mathit{ElseFind}}_P$. Assume $\mathit{elsefind}((u_1 \le n_1, \ldots, u_m \le n_m), (M_1,\ldots,M_l), M) \in \mathcal{F}^{\mathit{ElseFind}}_P$ and, for each $j \in \{1,\ldots,l\}$, $\sigma' M_j$ is a subterm of $M'_j$ and $\mathit{defined}(M'_j) \in \mathcal{F}_P$. Let $a_k$ be such that $E,\sigma,\sigma' u_k \Downarrow a_k$ for each $k \in \{1,\ldots,m\}$. Let $\sigma'' = \sigma[u_1 \mapsto a_1, \ldots, u_m \mapsto a_m]$. Since $E,\sigma \vdash \mathit{defined}(M'_j)$, we have $E,\sigma,M'_j \Downarrow a'_j$ for some $a'_j$, so $E,\sigma,\sigma' M_j \Downarrow a''_j$ for some $a''_j$, so $E,\sigma'',M_j \Downarrow a''_j$. (This is proved by induction on $M_j$.) By definition of elsefind facts, $E,\sigma'',(\mathit{defined}(M_1,\ldots,M_l) \wedge M) \Downarrow \mathit{false}$, so $E,\sigma'',M \Downarrow \mathit{false}$, that is, $E,\sigma,\sigma' M \Downarrow \mathit{false}$, so $E,\sigma \vdash \neg\sigma' M$. So $E,\sigma \vdash \mathcal{F}'_P$.

Therefore, we conclude that at the end of the computation, $\mathcal{F}_P$ is correct for all $P$.

A Computationally Sound Mechanized Prover for Security Protocols 309

Correctness of the local dependency analysis. As above in the correctness of the collection of true facts, we denote by $P$ an occurrence of a process, so that we can distinguish identical subprocesses that occur at several occurrences in a process.

We first show the soundness of the local dependency analysis ignoring modifications in the game performed by $\mathit{depAnal}$. Then we will show the soundness of the game modifications, that is, that these modifications change the behavior of the game only with negligible probability. Since the game modifications do not change the part of the computation of $\mathit{depend}$ and $\mathit{indep}$ performed before the modification, the $\mathit{depAnal}$ procedure is equivalent to performing a full dependency analysis without game modification, performing game modification, redoing the whole dependency analysis on the modified game, and so on, until a fixpoint is reached. Therefore, the separate proof of the dependency analysis and the game modifications outlined above is sufficient to prove the correctness of the $\mathit{depAnal}$ procedure.

We have S5: if $y$ is defined only by restrictions and $y \neq x$, then there exists no $M$ such that $(y,M) \in \mathit{depend}_P(x)$. This property is obvious since the only case in which an element $(y,M)$ is added in $\mathit{depend}_P(x)$ is in the assignment $\mathbf{let}\ y[i]:T = M'\ \mathbf{in}\ P'$, so such an addition cannot happen when $y$ is defined only by restrictions.

For each $\sigma$, $\mathit{depend}$, $\mathit{indep}$, we define an equivalence relation $\sim_{\sigma,\mathit{depend},\mathit{indep}}$ on environments by $E \sim_{\sigma,\mathit{depend},\mathit{indep}} E'$ if and only if

• for all $M \in \mathit{indep}$, for all $b$, $E,\sigma,M \Downarrow b$ if and only if $E',\sigma,M \Downarrow b$;

• if $\mathit{depend} \neq \top$, then for all $z[a]$ such that $z[a] \neq x[\sigma i]$ and there exists no $(y,M) \in \mathit{depend}$ such that $z[a] = y[\sigma i]$, $E(z[a])$ is defined if and only if $E'(z[a])$ is defined and, when they are defined, $E(z[a]) = E'(z[a])$ ($i$ denotes the current replication indices at the definition of $x$);

• and for all $y$ such that $y \neq x$ and $y$ is defined only by restrictions, for all $a$, $E(y[a])$ is defined if and only if $E'(y[a])$ is defined and, when they are defined, $E(y[a]) = E'(y[a])$.

When $E \sim_{\sigma,\mathit{depend},\mathit{indep}} E'$, the environments $E$ and $E'$ differ only by variables that depend on $x[\sigma i]$, according to the information contained in $\mathit{depend}$ and $\mathit{indep}$. That is, terms in $\mathit{indep}$ have the same value in $E$ and $E'$ (first item); when $\mathit{depend} \neq \top$, variables not in $\mathit{depend}$ have the same value in $E$ and $E'$ (second item); variables defined only by restrictions have the same value in $E$ and $E'$ (third item). We abbreviate $\sim_{\sigma,\mathit{depend}_P(x),\mathit{indep}_P(x)}$ by $\sim_{\sigma,P}$.

We show S6: if $M'$ does not depend on $x$ at $P$ and $E \sim_{\sigma,P} E'$, then $E,\sigma,M' \Downarrow b$ if and only if $E',\sigma,M' \Downarrow b$. This property expresses the correctness of the definition of "$M'$ does not depend on $x$ at $P$". We prove that if $E,\sigma,M' \Downarrow b$ then $E',\sigma,M' \Downarrow b$, by induction on the derivation that $M'$ does not depend on $x$ at $P$. The converse follows immediately by swapping the roles of $E$ and $E'$.

• Case $M' = f(M'_1,\ldots,M'_m)$ and for all $j \le m$, $M'_j$ does not depend on $x$ at $P$. Since $E,\sigma,M' \Downarrow b$, $E,\sigma,M'_j \Downarrow b_j$ and $I_\eta(f)(b_1,\ldots,b_m) = b$ for some $b_1,\ldots,b_m$. Hence by induction hypothesis, $E',\sigma,M'_j \Downarrow b_j$, so $E',\sigma,M' \Downarrow b$.

• Case $M' \in \mathit{indep}_P(x)$. The result comes from the definition of $\sim_{\sigma,P}$.

• Case $M'$ is a replication index. We have $E,\sigma,M' \Downarrow \sigma M'$ and $E',\sigma,M' \Downarrow \sigma M'$, so the result holds.

• Case $M' = y[M'_1,\ldots,M'_m]$, $M'_1,\ldots,M'_m$ do not depend on $x$ at $P'$, $y \neq x$, and either $y$ is defined only by restrictions or $\mathit{depend}_P(x) \neq \top$ and $y \neq y'$ for all $(y',M'') \in \mathit{depend}_P(x)$. Since $E,\sigma,M' \Downarrow b$, $E,\sigma,M'_j \Downarrow b_j$ and $E(y[b_1,\ldots,b_k]) = b$ for some $b_1,\ldots,b_k$. Hence by induction hypothesis, $E',\sigma,M'_j \Downarrow b_j$. By definition of $\sim_{\sigma,P}$, $E'(y[b_1,\ldots,b_k]) = E(y[b_1,\ldots,b_k]) = b$, so $E',\sigma,M' \Downarrow b$.

Let us consider the following property L0:

1. If $\Pr[C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C}] > 0$, $\mathit{depend}_P(x) \neq \top$, and $(y,M) \in \mathit{depend}_P(x)$, then $E,\sigma,M \Downarrow E(y[\sigma i])$ where $i$ denotes the current replication indices at $P$;

2. If $\Pr[C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C}] > 0$ and $M \in \mathit{indep}_P(x)$, then $E,\sigma,M \Downarrow a$ for some $a$;

3. For each $b \in I_\eta(T)$, for each $\sigma$, for each $E_0$,
$$\Pr[\exists E, \exists\mathcal{Q}, \exists\mathcal{C}, C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,P} E_0 \wedge E(x[\sigma i]) = b] \le \frac{1}{|I_\eta(T)|}\Pr[\exists E, \exists\mathcal{Q}, \exists\mathcal{C}, C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,P} E_0]$$
where $i$ denotes the current replication indices at the definition of $x$.

We will show that if $\mathit{depend}_P(x) \neq \top$, then (L0) holds at $P$. This property expresses the correctness of the local dependency analysis at $P$, when $\mathit{depend}_P(x) \neq \top$. (We will consider the general case below, Property L1.) Item 1 says that, when $(y,M) \in \mathit{depend}_P(x)$, $M$ evaluates to the contents of $y$. Item 2 says that, when $M \in \mathit{indep}_P(x)$, the value of $M$ is always defined at $P$. Finally, the last item is the most important one: it expresses the independence properties. Essentially, the traces that differ by the value of $x[\sigma i]$ all have the same probability, and differ only by the values of variables that depend on $x[\sigma i]$, collected in $\mathit{depend}_P(x)$, so their environments are related by $\sim_{\sigma,P}$. When the value of $x[\sigma i]$ is fixed to $b$, the probability of reaching an environment related to $E_0$ by $\sim_{\sigma,P}$ is then $\frac{1}{|I_\eta(T)|}$ times the probability of reaching such an environment for any value of $x[\sigma i]$.

We first show S7: if (L0) holds at $P$ with $\mathit{indep}$ instead of $\mathit{indep}_P(x)$, for all $E,\sigma$ such that $\Pr[C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C}] > 0$, $E,\sigma,M' \Downarrow a$ for some $a$, and $M'$ does not depend on $x$ at $P$ with $\mathit{indep}$ instead of $\mathit{indep}_P(x)$, then (L0) also holds at $P$ with $\mathit{indep} \cup \{M'\}$ instead of $\mathit{indep}_P(x)$. Essentially, this property means that $M'$ can be added to $\mathit{indep}_P(x)$ when $M'$ does not depend on $x$ at $P$. Items 1 and 2 of (L0) hold by hypothesis. If $E \sim_{\sigma,\mathit{depend}_P(x),\mathit{indep}} E'$, by (S6), $E,\sigma,M' \Downarrow b$ if and only if $E',\sigma,M' \Downarrow b$, so $E \sim_{\sigma,\mathit{depend}_P(x),\mathit{indep}\cup\{M'\}} E'$. Conversely, we have obviously: if $E \sim_{\sigma,\mathit{depend}_P(x),\mathit{indep}\cup\{M'\}} E'$, then $E \sim_{\sigma,\mathit{depend}_P(x),\mathit{indep}} E'$, so $\sim_{\sigma,\mathit{depend}_P(x),\mathit{indep}} = \sim_{\sigma,\mathit{depend}_P(x),\mathit{indep}\cup\{M'\}}$. This proves Item 3 of (L0), and concludes the proof of (L0).

310 Bruno Blanchet

Next, we prove S8: if $\mathit{depend}_P(x) \neq \top$ then (L0) holds at $P$, by decreasing induction on the process $P$. The only cases in which $\mathit{depend}_P(x) \neq \top$ are as follows:

• $P$ occurs in $P' = \mathbf{new}\ x[i]:T; P$ where $T$ is a large type. We have $\mathit{depend}_P(x) = \emptyset$ and $\mathit{indep}_P(x) = \bigcup_{\mathit{defined}(M) \in \mathcal{F}_{P'}} \mathit{subterms}(M)$. Item 1 of (L0) holds trivially. For all traces of non-zero probability that reach $P$, the last reduction reduces $P'$ by (New), so these traces are all of the form $C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \rightarrow E,(\sigma,P),\mathcal{Q},\mathcal{C}$ where $E = E'[x[\sigma i] \mapsto a']$ for some $a' \in I_\eta(T)$. Since $\mathcal{F}_P$ is correct for all $P$, $E',\sigma \vdash \mathcal{F}_{P'}$, so for all $M' \in \mathit{subterms}(M)$ such that $\mathit{defined}(M) \in \mathcal{F}_{P'}$, $E',\sigma,M' \Downarrow a$ for some $a$, hence $E,\sigma,M' \Downarrow a$ since $E$ is an extension of $E'$, which proves Item 2 of (L0). By the semantic rule (New), for all $b \in I_\eta(T)$,
$$\Pr[\exists E,\exists\mathcal{Q},\exists\mathcal{C}, C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,P} E_0 \wedge E(x[\sigma i]) = b] = \frac{1}{|I_\eta(T)|}\Pr[\exists E,\exists\mathcal{Q},\exists\mathcal{C}, C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,P} E_0]$$
since the condition $E \sim_{\sigma,P} E_0$ does not use the value of $E(x[\sigma i])$. (The first item of $E \sim_{\sigma,P} E_0$ does not use the value of $E(x[\sigma i])$ because the elements of $\mathit{indep}_P(x)$ are all defined in $E'$ and $E'(x[\sigma i])$ is not defined. The other two items never use $E(x[\sigma i])$.) Therefore, we obtain Item 3 of (L0).

• $P$ occurs in $P' = \mathbf{new}\ y[i]:T'; P$ with $y \neq x$. We have $\mathit{depend}_P(x) = \mathit{depend}_{P'}(x)$ and $\mathit{indep}_P(x) = \mathit{indep}_{P'}(x) \cup \{y[i]\}$. For all traces of non-zero probability that reach $P$, the last reduction reduces $P'$ by (New), so these traces are all of the form $C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \rightarrow E,(\sigma,P),\mathcal{Q},\mathcal{C}$ where $E = E'[y[\sigma i] \mapsto a']$ for some $a' \in I_\eta(T')$. Item 1 of (L0) comes from the induction hypothesis (at $P'$) and the fact that $E$ is an extension of $E'$. Item 2 of (L0) comes from the induction hypothesis (at $P'$), the fact that $E$ is an extension of $E'$, and the fact that $E(y[\sigma i])$ is defined. Let $E'_0 = E_0|_{y[\sigma i]}$ be the environment $E_0$ restricted to the variables defined at $P'$.
$$\begin{aligned}
&\Pr[\exists(E,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,P} E_0 \wedge E(x[\sigma i]) = b]\\
&= \frac{1}{|I_\eta(T')|}\Pr[\exists(E',\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \wedge E' \sim_{\sigma,P'} E'_0 \wedge E'(x[\sigma i]) = b]\\
&\le \frac{1}{|I_\eta(T')|}\frac{1}{|I_\eta(T)|}\Pr[\exists(E',\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \wedge E' \sim_{\sigma,P'} E'_0]\\
&\le \frac{1}{|I_\eta(T)|}\Pr[\exists(E,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,P} E_0]
\end{aligned}$$
The first step is by the semantic rule (New), the second step by induction hypothesis, and the last step by the semantic rule (New) again. Therefore, we obtain Item 3 of (L0).

• $P$ occurs in $P' = \mathbf{let}\ y[i]:T' = M\ \mathbf{in}\ P$ with $y \neq x$. For all traces of non-zero probability that reach $P$, the last reduction reduces $P'$ by (Let), so these traces are all of the form $C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \rightarrow E,(\sigma,P),\mathcal{Q},\mathcal{C}$ where $E',\sigma,M \Downarrow a'$ and $E = E'[y[\sigma i] \mapsto a']$. Let $E'_0 = E_0|_{y[\sigma i]}$.

If $M$ does not depend on $x$ at $P'$, we have $\mathit{depend}_P(x) = \mathit{depend}_{P'}(x)$ and $\mathit{indep}_P(x) = \mathit{indep}_{P'}(x) \cup \{y[i]\}$. In this case, by (S6), $E',\sigma,M \Downarrow a'$ if and only if $E'_0,\sigma,M \Downarrow a'$ (where $E' \sim_{\sigma,P'} E'_0$ are environments at $P'$). We can then show that (L0) holds at $P$ using the induction hypothesis. (We have $E \sim_{\sigma,P} E_0$ if and only if $E' \sim_{\sigma,P'} E'_0$ and $E_0 = E'_0[y[\sigma i] \mapsto a']$.)

Otherwise, we have $\mathit{depend}_P(x) = \mathit{depend}_{P'}(x) \cup \{(y, M\mathit{depend}_{P'}(x))\}$ and $\mathit{indep}_P(x) = \mathit{indep}_{P'}(x)$. By induction hypothesis, for all $(y',M') \in \mathit{depend}_{P'}(x)$, $E',\sigma,M' \Downarrow E'(y'[\sigma i])$, so $E,\sigma,M' \Downarrow E(y'[\sigma i])$, hence $E,\sigma,M\mathit{depend}_{P'}(x) \Downarrow a' = E(y[\sigma i])$, so we obtain Item 1 of (L0). Item 2 of (L0) follows immediately from the induction hypothesis. Item 3 of (L0) also follows from the induction hypothesis. (We have $E \sim_{\sigma,P} E_0$ if and only if $E' \sim_{\sigma,P'} E'_0$.)

• $P$ occurs in $P' = \mathbf{find}\ (\bigoplus_{j=1}^m u_{j1}[i] \le n_{j1}, \ldots, u_{jm_j}[i] \le n_{jm_j}\ \mathbf{suchthat}\ \mathit{defined}(M_{j1},\ldots,M_{jl_j}) \wedge M_j\ \mathbf{then}\ P_j)\ \mathbf{else}\ P''$, $P$ is either $P''$ or $P_j$ for some $j \le m$, and for all $j,k$, $M_{jk}$ and $M_j$ do not depend on $x$ at $P'$. We have $\mathit{depend}_P(x) = \mathit{depend}_{P'}(x)$, $\mathit{indep}_P(x) = \mathit{indep}_{P'}(x)$ if $P = P''$, and $\mathit{indep}_P(x) = \mathit{indep}_{P'}(x) \cup \{M' \mid M' \in \mathit{subterms}(M)$ for some $\mathit{defined}(M) \in \mathcal{F}_{P_j}$, $M'$ does not depend on $x$ at $P'\}$ if $P = P_j$. By (S6), we can show that the same branch of the $\mathbf{find}$ is taken with the same probability for all $E$ such that $E \sim_{\sigma,P'} E_0$ for the same $E_0$. Using the induction hypothesis, we can then show that (L0) holds at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$. This concludes the proof when $P = P''$. When $P = P_j$, let $M''_1,\ldots,M''_l$ be the terms $M'$ such that $M' \in \mathit{subterms}(M)$ for some $\mathit{defined}(M) \in \mathcal{F}_{P_j}$ and $M'$ does not depend on $x$ at $P'$. Since $\mathcal{F}_{P_j}$ is correct and $\Pr[C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C}] = p > 0$, then $E,\sigma \vdash \mathcal{F}_{P_j}$, so $E,\sigma,M''_k \Downarrow a$ for some $a$. The term $M''_k$ does not depend on $x$ at $P$ with $\mathit{indep}_{P'}(x) \cup \{M''_1,\ldots,M''_{k-1}\}$ instead of $\mathit{indep}_P(x)$. By (S7) applied at $P$ with $\mathit{indep}_{P'}(x) \cup \{M''_1,\ldots,M''_{k-1}\}$ instead of $\mathit{indep}_P(x)$, if (L0) holds at $P$ with $\mathit{indep}_{P'}(x) \cup \{M''_1,\ldots,M''_{k-1}\}$, then (L0) holds at $P$ with $\mathit{indep}_{P'}(x) \cup \{M''_1,\ldots,M''_k\}$. So (L0) holds at $P$ with $\mathit{indep}_{P'}(x) \cup \{M''_1,\ldots,M''_l\} = \mathit{indep}_P(x)$.

For each $\sigma, P$, we define a special semantics of processes. This semantics executes the process $C[Q_0]$ normally until it reaches a configuration $E',(\sigma',P'),\mathcal{Q},\mathcal{C}$ such that $P'$ is the smallest superprocess of $P$ such that $\mathit{depend}_{P'}(x) \neq \top$ and $\sigma'(i) = \sigma(i)$ for all $i \in \mathrm{Dom}(\sigma')$. After reaching this configuration, it executes restrictions for all variables defined only by restrictions in $C[Q_0]$ that have not been assigned yet, and executes the not-executed-yet restrictions and the assignments $P_1 = \mathbf{let}\ y:T = M\ \mathbf{in}\ P_2$ such that $M$ does not depend on $x$ at $P_1$ between $P'$ and $P$. In the second part of the trace, a configuration is only $E'',(\sigma'',P'')$; $\sigma''$ is always set to be $\sigma$ restricted to the current replication indices at $P''$. We write $C_0 \rightarrow'^* E,(\sigma,P)$ to designate a trace in this special semantics. (When $\mathit{depend}_P(x) \neq \top$, this semantics executes the process normally, and finally executes restrictions for all variables defined only by restrictions that have not been assigned yet.)

We will show the following property L1:

1. If $\Pr[C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C}] > 0$, $\mathit{depend}_P(x) \neq \top$, and $(y,M) \in \mathit{depend}_P(x)$, then $E,\sigma,M \Downarrow E(y[\sigma i])$ where $i$ denotes the current replication indices at $P$;

2. If $\Pr[C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C}] > 0$ and $M \in \mathit{indep}_P(x)$, then $E,\sigma,M \Downarrow a$ for some $a$;

3. For each $b \in I_\eta(T)$, for each $\sigma$, for each $E_0$,
$$\Pr[\exists(E,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,P} E_0 \wedge E(x[\sigma i]) = b] \le \frac{1}{|I_\eta(T)|}\Pr[\exists E_1, C_0 \rightarrow'^* E_1,(\sigma,P) \wedge E_1|_{\mathrm{Dom}(E_0)} \sim_{\sigma,P} E_0]$$
where $i$ denotes the current replication indices at the definition of $x$.

Property (L1) expresses the correctness of the local dependency analysis at $P$. It differs from (L0) by the use of the special semantics $\rightarrow'$ in Item 3. This semantics is necessary when $\mathit{depend}_P(x) = \top$, because in that case the control-flow may also depend on the value of $x[\sigma i]$, so $P$ may not be reachable for certain values of $x[\sigma i]$, which breaks the inequality between probabilities of (L0), Item 3. In contrast, the special semantics $\rightarrow'$ computes $E_1,(\sigma,P)$ without taking into account the control-flow, so this problem is avoided.

Property (S7) also holds for (L1), with the same proof as for (L0).

We show S9: if (L0) holds at $P$, then (L1) holds at $P$. Let $E_1$ be $E$ extended with values for all variables defined only by restrictions. If $E \sim_{\sigma,P} E_0$, the variables defined only by restrictions are defined for the same indices in $E$ and in $E_0$, so $E_1|_{\mathrm{Dom}(E_0)} = E$, hence $E_1|_{\mathrm{Dom}(E_0)} \sim_{\sigma,P} E_0$. Therefore, $\Pr[\exists(E,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,P} E_0] \le \Pr[\exists E_1, C_0 \rightarrow'^* E_1,(\sigma,P) \wedge E_1|_{\mathrm{Dom}(E_0)} \sim_{\sigma,P} E_0]$, which proves (L1).

We show S9': if (L0) holds at $P$, then (L1) holds at $P$ with $\sim_{\sigma,\top,\mathit{indep}_P(x)}$ instead of $\sim_{\sigma,P}$. If $E \sim_{\sigma,P} E'$, then $E \sim_{\sigma,\top,\mathit{indep}_P(x)} E'$. So each equivalence class of $\sim_{\sigma,\top,\mathit{indep}_P(x)}$ is a union of equivalence classes of $\sim_{\sigma,P}$. So we obtain (L0) with $\sim_{\sigma,\top,\mathit{indep}_P(x)}$ instead of $\sim_{\sigma,P}$ by adding probabilities. We conclude that (L1) holds at $P$ with $\sim_{\sigma,\top,\mathit{indep}_P(x)}$ instead of $\sim_{\sigma,P}$ using a proof similar to that of (S9).

We show S10: if $P$ is an output process, $P'$ is the smallest output process such that $P$ is a strict subprocess of $P'$, (L1) holds at $P'$ with $\sim_{\sigma,\top,\mathit{indep}_{P'}(x)}$ instead of $\sim_{\sigma,P'}$, and $\mathit{depend}_P(x) = \top$, then (L1) holds at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$. The equivalence between environments for (L1) at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$ is also $\sim_{\sigma,\top,\mathit{indep}_{P'}(x)}$, since $\mathit{depend}_P(x) = \top$. Item 1 of (L1) holds trivially at $P$ since $\mathit{depend}_P(x) = \top$. For the proof of Item 3 of (L1), we let $p = \Pr[\exists(E,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E_0 \wedge E(x[\sigma i]) = b]$.

• Case $P' = \mathbf{let}\ y[i]:T' = M\ \mathbf{in}\ P$. In traces of non-zero probability that reach $P$, the last reduction of the trace reduces $P'$ by (Let), so these traces are all of the form:
$$C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \rightarrow E,(\sigma,P),\mathcal{Q},\mathcal{C}$$
where $E',\sigma,M \Downarrow a$ and $E = E'[y[\sigma i] \mapsto a]$, and the corresponding trace of $\rightarrow'$ is
$$C_0 \rightarrow'^* E'_1,(\sigma,P') \rightarrow' E_1,(\sigma,P)$$
where $E'_1,\sigma,M \Downarrow a'$ and $E_1 = E'_1[y[\sigma i] \mapsto a']$. Let $E'_0 = E_0|_{y[\sigma i]}$ be the environment $E_0$ restricted to the variables defined at $P'$. For all $M' \in \mathit{indep}_{P'}(x)$, $E_1,\sigma,M' \Downarrow b$ for some $b$ since (L1) holds at $P'$. Then $E,\sigma,M' \Downarrow b$, so Item 2 of (L1) holds at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$. Since all elements of $\mathit{indep}_{P'}(x)$ must be defined at $P'$ (by Item 2 of (L1) at $P'$), $y[\sigma i]$ is not defined at $P'$, and $y$ is not defined only by restrictions, the condition $E \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E_0$ in Item 3 of (L1) at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$ does not use the value of $E(y[\sigma i])$, hence $E \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E_0$ if and only if $E' \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E'_0$, and $E_1|_{\mathrm{Dom}(E_0)} \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E_0$ if and only if $E'_1|_{\mathrm{Dom}(E'_0)} \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E'_0$, so the probabilities that occur in Item 3 of (L1) are the same for $P'$ and for $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$. Therefore, Item 3 of (L1) holds at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$.

• Case $P' = \mathbf{new}\ y[i]:T'; P$, where $y$ is not defined only by restrictions. In traces of non-zero probability that reach $P$, the last reduction of the trace reduces $P'$ by (New). This case is similar to the $\mathbf{let}$ case above.

• Case $P' = \mathbf{new}\ y[i]:T'; P$, where $y$ is defined only by restrictions. In traces of non-zero probability that reach $P$, the last reduction of the trace reduces $P'$ by (New). Item 2 is proved as in the $\mathbf{let}$ case above. Let us consider Item 3. Let $E'_0 = E_0|_{y[\sigma i]}$ be the environment $E_0$ restricted to the variables defined at $P'$. Let $i'$ be the replication indices at the definition of $x$. ($i'$ is a prefix of $i$.)
$$\begin{aligned}
p &= \Pr[\exists(E,E',\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \rightarrow E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E_0 \wedge E(x[\sigma i']) = b]\\
&= \frac{1}{|I_\eta(T')|}\Pr[\exists(E',\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \wedge E' \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E'_0 \wedge E'(x[\sigma i']) = b]\\
&\le \frac{1}{|I_\eta(T')|}\frac{1}{|I_\eta(T)|}\Pr[\exists E'_1, C_0 \rightarrow'^* E'_1,(\sigma,P') \wedge E'_1|_{\mathrm{Dom}(E'_0)} \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E'_0]\\
&\le \frac{1}{|I_\eta(T)|}\Pr[\exists E_1, C_0 \rightarrow'^* E_1,(\sigma,P) \wedge E_1|_{\mathrm{Dom}(E_0)} \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E_0]
\end{aligned}$$
The first step comes from the semantic rule (New), the second step from (L1) at $P'$, the last step from the assignment of variables defined only by restrictions in the special $\rightarrow'$ semantics. (Note that $E'_1 = E_1$, but the condition $E'_1|_{\mathrm{Dom}(E'_0)} \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E'_0$ does not use the value of $E'_1(y[\sigma i])$.) This inequality proves (L1) at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$.

• Cases in which there is no assignment and no restriction between $P$ and $P'$. Everything that is defined at $P'$ is also defined at $P$, since the environment at $P$ is an extension of the environment at $P'$, so Item 2 of (L1) holds at $P$ since it holds at $P'$. Let us now prove Item 3 of (L1). The final environment $E'$ of the $\rightarrow'$ trace is the same for $P$ and for $P'$, so the right-hand side of the inequality is the same for $P$ and for $P'$. The left-hand side decreases from $P'$ to $P$, since all traces that reach $P$ must first have reached $P'$, so the inequality still holds.

From the previous results, we show that (L1) holds at all output processes $P$. The proof proceeds by decreasing induction on $P$. If $\mathit{depend}_P(x) \neq \top$, we have the result using (S8) and (S9). Otherwise, let $P'$ be the smallest output process such that $P$ is a strict subprocess of $P'$. If $\mathit{depend}_{P'}(x) \neq \top$, by (S8) and (S9'), (L1) holds at $P'$ with $\sim_{\sigma,\top,\mathit{indep}_{P'}(x)}$ instead of $\sim_{\sigma,P'}$. If $\mathit{depend}_{P'}(x) = \top$, by induction hypothesis, (L1) holds at $P'$, that is, (L1) holds at $P'$ with $\sim_{\sigma,\top,\mathit{indep}_{P'}(x)}$ instead of $\sim_{\sigma,P'}$. In both cases, by (S10), (L1) holds at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$. The only cases in which $\mathit{indep}_{P'}(x) \neq \mathit{indep}_P(x)$ are as follows:

• Case $P' = \mathbf{new}\ y[i]:T'; P$, $y \neq x$, $\mathit{indep}_P(x) = \mathit{indep}_{P'}(x) \cup \{y[i]\}$. When $y$ is defined only by restrictions, $y[i]$ does not depend on $x$ at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$, so, by (S7), (L1) holds at $P$. Otherwise, in traces of non-zero probability that reach $P$, the last reduction of the trace reduces $P'$ by (New), so these traces are all of the form:
$$C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \rightarrow E,(\sigma,P),\mathcal{Q},\mathcal{C}$$
where $E = E'[y[\sigma i] \mapsto a]$ for some $a \in I_\eta(T')$. So Item 2 of (L1) holds at $P$. Let $E'_0 = E_0|_{y[\sigma i]}$. Let $i'$ be the replication indices at the definition of $x$. ($i'$ is a prefix of $i$.) We prove Item 3 of (L1) as follows:
$$\begin{aligned}
p &= \Pr[\exists(E,E',\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \rightarrow E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E \sim_{\sigma,\top,\mathit{indep}_P(x)} E_0 \wedge E(x[\sigma i']) = b]\\
&= \frac{1}{|I_\eta(T')|}\Pr[\exists(E',\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E',(\sigma,P'),\mathcal{Q},\mathcal{C} \wedge E' \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E'_0 \wedge E'(x[\sigma i']) = b]\\
&\le \frac{1}{|I_\eta(T')|}\frac{1}{|I_\eta(T)|}\Pr[\exists E'_1, C_0 \rightarrow'^* E'_1,(\sigma,P') \wedge E'_1|_{\mathrm{Dom}(E'_0)} \sim_{\sigma,\top,\mathit{indep}_{P'}(x)} E'_0]\\
&\le \frac{1}{|I_\eta(T)|}\Pr[\exists(E_1,E'_1), C_0 \rightarrow'^* E'_1,(\sigma,P') \rightarrow' E_1,(\sigma,P) \wedge E_1|_{\mathrm{Dom}(E_0)} \sim_{\sigma,\top,\mathit{indep}_P(x)} E_0]
\end{aligned}$$
The first step comes from the semantic rule (New), the second step from (L1) at $P'$, the last step from the special $\rightarrow'$ semantics of $\mathbf{new}$. This inequality proves (L1) at $P$.

• Case $P' = \mathbf{find}\ (\bigoplus_{j=1}^m u_{j1}[i] \le n_{j1}, \ldots, u_{jm_j}[i] \le n_{jm_j}\ \mathbf{suchthat}\ \mathit{defined}(M_{j1},\ldots,M_{jl_j}) \wedge M_j\ \mathbf{then}\ P_j)\ \mathbf{else}\ P''$, $\mathit{depend}_P(x) = \mathit{depend}_{P'}(x) = \top$, $P = P_j$, $\mathit{indep}_P(x) = \mathit{indep}_{P'}(x) \cup \{M' \mid M' \in \mathit{subterms}(M)$ for some $\mathit{defined}(M) \in \mathcal{F}_{P_j}$, $M'$ does not depend on $x$ at $P'\}$. For all $M'$ such that $M' \in \mathit{subterms}(M)$ for some $\mathit{defined}(M) \in \mathcal{F}_{P_j}$ and $M'$ does not depend on $x$ at $P'$, $M'$ does not depend on $x$ at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$. Since $\mathcal{F}_P$ is correct for all $P$, for all $E,\sigma$ such that $\Pr[C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C}] > 0$, we have $E,\sigma \vdash \mathcal{F}_P$, so $E,\sigma,M' \Downarrow a$ for some $a$. So, by (S7), (L1) holds at $P$.

• Case $P' = \mathbf{let}\ y[i]:T' = M\ \mathbf{in}\ P$, $y \neq x$, $M$ does not depend on $x$ at $P'$. The term $M$ does not depend on $x$ at $P$ with $\mathit{indep}_{P'}(x)$ instead of $\mathit{indep}_P(x)$. By (S7), (L1) holds at $P$ with $\mathit{indep}_{P'}(x) \cup \{M\}$ instead of $\mathit{indep}_P(x)$. In all traces (of non-zero probability) considered in (L1), we have $E,\sigma,y[i] \Downarrow b$ if and only if $E,\sigma,M \Downarrow b$, and $E_1,\sigma,y[i] \Downarrow b$ if and only if $E_1,\sigma,M \Downarrow b$, so (L1) holds at $P$ with $\mathit{indep}_P(x) = \mathit{indep}_{P'}(x) \cup \{y[i]\}$.

This result concludes the proof of soundness of the dependency analysis.

We now show the soundness of $\mathit{simplifyTerm}$. Essentially, when $M$ simplifies to $M'$, $M$ and $M'$ evaluate to the same value except in cases of negligible probability. More precisely, we show S11: for each $P$, $M$, $M'$, if $M' = \mathit{simplifyTerm}(M,P)$, then $\Pr[\exists(E,\sigma,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E,\sigma,(M' = M) \Downarrow \mathit{false}] \le q'(\eta)p_{\max}(\eta)$ for some polynomial $q'$. The proof proceeds by induction on the derivation that $M' = \mathit{simplifyTerm}(M,P)$. We only consider the case $\mathit{simplifyTerm}(M_1 = M_2, P) = \mathit{false}$; the other cases are similar or easy. We show that if $\mathit{simplifyTerm}(M_1 = M_2, P) = \mathit{false}$ then $p = \Pr[\exists(E,\sigma,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E,\sigma,(M_1 = M_2) \Downarrow \mathit{true}] \le q'(\eta)p_{\max}(\eta)$ for some polynomial $q'$. When $\mathit{depend}_P(x) = \top$, let $M_0 = M_1$; otherwise, let $M_0 = M_1\mathit{depend}_P(x)$. Let $M'_0$ and $M'_2$ be obtained respectively from $M_0$ and $M_2$ by replacing all array indices that depend on $x$ at $P$ with fresh replication indices. We assume that $M'_0$ characterizes a part of $x[i]$ at $P$, and $M'_2$ does not depend on $x$ at $P$.

Let $\sigma$ and $\sigma'$ be fixed, such that $\sigma'$ is an extension of $\sigma$ to the fresh replication indices of $M'_0$ and $M'_2$. We denote by $\mathcal{E}$ equivalence classes for $\sim_{\sigma,P} = \sim_{\sigma',P}$. We show that for all $a$, for all $\mathcal{E}$, there exists $b$ such that for all $E \in \mathcal{E}$, if $E,\sigma',M'_0 \Downarrow a$, then $E,\sigma',f_1(\ldots f_k(x[i])) \Downarrow b$.

• Assume that there exists $E' \in \mathcal{E}$ such that $E',\sigma',M'_0 \Downarrow a$. We define an environment $E''$ by $E''(y[a]) = E(y[a])$ for all $y[a] \in \mathrm{Dom}(E)$ and $E''((\alpha y)[a]) = E'(y[a])$ for variables $y$ renamed to fresh variables by $\alpha$. We have $E''((\alpha y)[a]) = E'(y[a])$ for all $y[a] \in \mathrm{Dom}(E')$, since when $\alpha y = y$, $E'(y[a]) = E(y[a])$ since $E \sim_{\sigma,P} E'$. Hence $E'',\sigma',M'_0 \Downarrow a$ and $E'',\sigma',\alpha M'_0 \Downarrow a$, so $E'',\sigma',(\alpha M'_0 = M'_0) \Downarrow \mathit{true}$. So by rewriting, $E'',\sigma',(f_1(\ldots f_k((\alpha x)[i])) = f_1(\ldots f_k(x[i]))) \Downarrow \mathit{true}$. Let $b$ be such that $E'',\sigma',f_1(\ldots f_k((\alpha x)[i])) \Downarrow b$. Then $E'',\sigma',f_1(\ldots f_k(x[i])) \Downarrow b$.

• Otherwise, there exists no $E \in \mathcal{E}$ such that $E,\sigma',M'_0 \Downarrow a$, so the result holds trivially.

So there exists a function $f$ such that for all $a$, for all $\mathcal{E}$, for all $E \in \mathcal{E}$, if $E,\sigma',M'_0 \Downarrow a$, then $E,\sigma',f_1(\ldots f_k(x[i])) \Downarrow f(a,\sigma',\mathcal{E})$.

If $E,\sigma,(M_1 = M_2) \Downarrow \mathit{true}$ and $E \in \mathcal{E}$, then $E,\sigma,M_1 \Downarrow a$ and $E,\sigma,M_2 \Downarrow a$ for some $a$. Then $E,\sigma,M_0 \Downarrow a$ by Item 1 of (L1). So there exists an extension $\sigma'$ of $\sigma$ to the fresh replication indices of $M'_0$ and $M'_2$ such that $E,\sigma',M'_0 \Downarrow a$ and $E,\sigma',M'_2 \Downarrow a$. Then $E,\sigma',f_1(\ldots f_k(x[i])) \Downarrow f(a,\sigma',\mathcal{E})$. Since $E,\sigma',M'_2 \Downarrow a$ and $M'_2$ does not depend on $x$ at $P$, by (S6), we have $a = f'(\sigma',\mathcal{E})$ for some function $f'$, hence $E(x[\sigma i]) \in S_x(\sigma',\mathcal{E}) = (I_\eta(f_1) \circ \ldots \circ I_\eta(f_k))^{-1}(f(f'(\sigma',\mathcal{E}),\sigma',\mathcal{E}))$. Let $T_1,\ldots,T_k$ be the types of the arguments of $f_1,\ldots,f_k$ respectively; let $T_0 = T'$ be the type of the result of $f_1$; $T_k = T$. We have
$$|S_x(\sigma',\mathcal{E})| \le \frac{|I_\eta(T_1)|}{|I_\eta(T_0)|} \times \ldots \times \frac{|I_\eta(T_k)|}{|I_\eta(T_{k-1})|} = \frac{|I_\eta(T_k)|}{|I_\eta(T_0)|} = \frac{|I_\eta(T)|}{|I_\eta(T')|},$$
since $f_1,\ldots,f_k$ are uniform. Let $i' = \mathrm{Dom}(\sigma)$ be the current replication indices at $P$.

$$\begin{aligned}
p &= \Pr[\exists(E,\sigma,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E,\sigma,(M_1 = M_2) \Downarrow \mathit{true}]\\
&\le \sum_{\mathcal{E}}\sum_{\sigma'} \Pr[\exists(E,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma'|_{i'},P),\mathcal{Q},\mathcal{C} \wedge E \in \mathcal{E} \wedge E(x[\sigma' i]) \in S_x(\sigma',\mathcal{E})]\\
&\le \sum_{\mathcal{E}}\sum_{\sigma'}\sum_{b \in S_x(\sigma',\mathcal{E})} \Pr[\exists(E,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma'|_{i'},P),\mathcal{Q},\mathcal{C} \wedge E \in \mathcal{E} \wedge E(x[\sigma' i]) = b]\\
&\le \sum_{\mathcal{E}}\sum_{\sigma'}\sum_{b \in S_x(\sigma',\mathcal{E})} \frac{1}{|I_\eta(T)|}\Pr[\exists E', C_0 \rightarrow'^* E',(\sigma'|_{i'},P) \wedge E'|_{\mathrm{Dom}(\mathcal{E})} \in \mathcal{E}]
\end{aligned}$$
by Item 3 of (L1). ($\mathrm{Dom}(\mathcal{E})$ denotes the domain of an element of $\mathcal{E}$, for instance the smallest one.)
$$p \le \frac{1}{|I_\eta(T')|}\sum_{\sigma'}\sum_{\mathcal{E}} \Pr[\exists E', C_0 \rightarrow'^* E',(\sigma'|_{i'},P) \wedge E'|_{\mathrm{Dom}(\mathcal{E})} \in \mathcal{E}] \le \frac{q_1(\eta)}{|I_\eta(T')|}$$
where $q_1(\eta)$ is the number of possible $\sigma'$, which is polynomial in $\eta$.

We now show the correctness of the game simplifications performed in $\mathit{depAnal}$. If $Q_0$ is the process before simplification and $Q'_0$ the process after simplification, we show that $Q_0 \approx^V Q'_0$. For simplicity, we consider one transformation at a time, and use transitivity of $\approx^V$ to conclude when several transformations are applied. For each trace $\mathit{initConfig}(C[Q_0]) \rightarrow^* E_m,P_m,\mathcal{Q}_m,\mathcal{C}_m$, except in cases of negligible probability, we show that there exists a corresponding trace $\mathit{initConfig}(C[Q'_0]) \rightarrow^* E'_{m'},P'_{m'},\mathcal{Q}'_{m'},\mathcal{C}'_{m'}$ with $E'_{m'} = E_m$, $P'_{m'}$ is obtained from $P_m$ by the same transformation as $Q'_0$ from $Q_0$, $\mathcal{Q}'_{m'}$ is obtained from $\mathcal{Q}_m$ by the same transformation as $Q'_0$ from $Q_0$, $\mathcal{C}'_{m'} = \mathcal{C}_m$, with the same probability. The proof proceeds by induction on $m$. The case $m = 0$ is obvious, since the game simplifications do not change input processes. For the inductive step, we reason by cases on the last reduction step of the trace of $C[Q_0]$. We consider only the cases in which the transition may be altered by the game simplification.

• Case 1: When $\mathit{simplifyTerm}(M,P) = M'$, we replace $M$ with $M'$ in $P$. We exclude traces such that $E,\sigma \nvdash M = M'$. (They have negligible probability by (S11).) In the remaining traces, $E,\sigma \vdash M = M'$. So $E,\sigma,M \Downarrow a$ if and only if $E,\sigma,M' \Downarrow a$, and the transformed process reduces in the same way as the initial process.

• Case 2: When $M_j = \mathit{false}$, we remove the $j$-th branch of $\mathbf{find}\ (\bigoplus_{j=1}^m u_{j1}[i] \le n_{j1}, \ldots, u_{jm_j}[i] \le n_{jm_j}\ \mathbf{suchthat}\ \mathit{defined}(M_{j1},\ldots,M_{jl_j}) \wedge M_j\ \mathbf{then}\ P_j)\ \mathbf{else}\ P'$. In all traces, $E,\sigma,(\mathit{defined}(M_{j1},\ldots,M_{jl_j}) \wedge M_j) \Downarrow \mathit{false}$, so in the reduction rule (Find1), the set $S$ never contains $(j,v)$ for any $v$, hence by (Find1) or (Find2), the process takes the same branch of the $\mathbf{find}$ with the same probability, whether or not the $j$-th branch is present.

• The other cases are similar.

We also show the converse property: for each trace of $C[Q'_0]$, except in cases of negligible probability, there exists a corresponding trace of $C[Q_0]$ with the same probability. Moreover, for all channels $c$ and bitstrings $a$, $E_m,P_m,\mathcal{Q}_m,\mathcal{C}_m$ executes $c\langle a\rangle$ immediately if and only if $E'_{m'},P'_{m'},\mathcal{Q}'_{m'},\mathcal{C}'_{m'}$ executes $c\langle a\rangle$ immediately, so $\Pr[C[Q_0] \rightsquigarrow_\eta c\langle a\rangle] = \Pr[C[Q'_0] \rightsquigarrow_\eta c\langle a\rangle]$, which yields the desired equivalence $Q_0 \approx^V Q'_0$.

Correctness of the equational prover. We say that $E,\sigma \vdash (\mathcal{F},\mathcal{R})$ when $E,\sigma \vdash \mathcal{F}$ and for all $(M_1 \rightarrow M_2) \in \mathcal{R}$, $E,\sigma \vdash M_1 = M_2$. For each $P$, the equational prover rewrites pairs $\mathcal{F},\mathcal{R}$ starting from $(\mathcal{F}_P,\emptyset)$ according to a certain sequence. We denote by $(\mathcal{F}_j,\mathcal{R}_j)(P)$ the $j$-th element of this sequence. So we have $(\mathcal{F}_0,\mathcal{R}_0)(P) = (\mathcal{F}_P,\emptyset)$, and for all $j$, $(\mathcal{F}_{j-1},\mathcal{R}_{j-1})(P)$ rewrites to $(\mathcal{F}_j,\mathcal{R}_j)(P)$. Let $p_{m'}(P) = \Pr[\exists(E,\sigma,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E,\sigma \nvdash (\mathcal{F}_{m'},\mathcal{R}_{m'})(P)]$. We show S12: for each $P$, $p_{m'}(P) \le q'(\eta)p_{\max}(\eta)$ for some polynomial $q'$. The proof proceeds by induction on $m'$. For $m' = 0$, this is an immediate consequence of the property that $E,\sigma \vdash (\mathcal{F}_0,\mathcal{R}_0)(P) = (\mathcal{F}_P,\emptyset)$ since $\mathcal{F}_P$ is correct for all $P$, with $q'(\eta) = 0$. For the inductive step,
$$p_{m'}(P) \le p_{m'-1}(P) + \Pr[\exists(E,\sigma,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E,\sigma \vdash (\mathcal{F}_{m'-1},\mathcal{R}_{m'-1})(P) \wedge E,\sigma \nvdash (\mathcal{F}_{m'},\mathcal{R}_{m'})(P)]$$
By induction hypothesis, $p_{m'-1}(P) \le q'(\eta)p_{\max}(\eta)$ for some polynomial $q'$. So we just have to show that if $\mathcal{F},\mathcal{R}$ rewrites to $\mathcal{F}',\mathcal{R}'$ then $\Pr[\exists(E,\sigma,\mathcal{Q},\mathcal{C}), C_0 \rightarrow^* E,(\sigma,P),\mathcal{Q},\mathcal{C} \wedge E,\sigma \vdash (\mathcal{F},\mathcal{R}) \wedge E,\sigma \nvdash (\mathcal{F}',\mathcal{R}')] \le q'(\eta)p_{\max}(\eta)$ for some polynomial $q'$. We proceed by cases on the derivation that $\mathcal{F},\mathcal{R}$ rewrites to $\mathcal{F}',\mathcal{R}'$.

• The cases (2), (5), (7), as well as the cases (1) and (6) when the reduction uses a rule of $\mathcal{R}$, are obvious and there is no loss of probability (that is, $q'(\eta) = 0$).

• Cases (1) and (6) when the reduction uses a user-defined rewrite rule $\mathbf{new}\ y_1:T'_1, \ldots, \mathbf{new}\ y_l:T'_l, \forall x_1:T_1, \ldots, \forall x_m:T_m, M_1 \rightarrow M_2$, with associated probability $p(\eta)$: Assuming this user-defined claim is correct, when $E,\sigma \vdash (\mathcal{F},\mathcal{R})$ but $E,\sigma \nvdash (\mathcal{F}',\mathcal{R}')$, for at least one value of the indices of restrictions that correspond to $y_1,\ldots,y_l$, the process $C[Q_0]$ provides an adversary that satisfies the conditions of the definition of the corresponding user claim. (The proof of Proposition 2 below details a similar argument in a more complicated case.) So the probability that $E,\sigma \vdash (\mathcal{F},\mathcal{R})$ and $E,\sigma \nvdash (\mathcal{F}',\mathcal{R}')$ is at most $p(\eta)$ times the number of possible values for the indices of restrictions that correspond to $y_1,\ldots,y_l$, which is polynomial in $\eta$, so the result holds with $q'(\eta)$ equal to the number of possible values for the indices of restrictions that correspond to $y_1,\ldots,y_l$.

• Case (3): Assume that $E,\sigma \vdash (\mathcal{F},\mathcal{R})$ and $E,\sigma \nvdash (\mathcal{F}',\mathcal{R}')$. So for all $j \le m$, $E,\sigma,M_j \Downarrow a_j$,

$E,\sigma,M'_j \Downarrow a'_j$, $(a_1,\ldots,a_m) \neq (a'_1,\ldots,a'_m)$, and $E(x[a_1,\ldots,a_m]) = E(x[a'_1,\ldots,a'_m])$. Since for each $a_1,\ldots,a_m$, $x[a_1,\ldots,a_m]$ is chosen randomly with uniform probability among $|I_\eta(T)|$ values, the probability that this happens is smaller than $\frac{q''(\eta)(q''(\eta)-1)}{2|I_\eta(T)|}$ where $q''(\eta)$ is the number of possible values of $a_1,\ldots,a_m$, which is a polynomial in $\eta$.

• Case (4): We first show that, if $M$ characterizes a part of $x$ with $S_{\mathit{def}}, S_{\mathit{dep}}$, then for all $M_0$ obtained from $M$ by substituting variables of $S_{\mathit{def}}$ with their definition, there exist a tuple of terms $\vec{M}$, a large type $T$, and uniform functions $f_1,\ldots,f_k$ such that $T$ is the type of the result of $f_1$ (or of $x$ when $k = 0$) and for each $a$, $E_0$, and $\sigma$, there exists $b$ such that for all $E$ such that $E$ equals $E_0$ on variables not in $S_{\mathit{dep}}$, if $E,\sigma,M_0 \Downarrow a$ then $E,\sigma,f_1(\ldots f_k(x[\vec{M}])) \Downarrow b$. Indeed, $\mathcal{M}_0 = \{\alpha M_0 = M_0\}$ is rewritten into a set that contains $f_1(\ldots f_k((\alpha x)[\vec{M}'])) = f_1(\ldots f_k(x[\vec{M}]))$. Due to the form of rewrite rules, $(\alpha x)[\vec{M}']$ is a subterm of $\alpha M_0$ and $x[\vec{M}]$ is a subterm of $M_0$. Moreover, the variables in $S_{\mathit{dep}}$ do not occur in $\vec{M}$ or $\vec{M}'$.

– If $a$ is such that there exists $E'$ such that $E'$ equals $E_0$ on variables not in $S_{\mathit{dep}}$, $E',\sigma,\alpha M_0 \Downarrow a$ and $E'$ defines variables of $\alpha M_0$, let $b$ be such that $E',\sigma,f_1(\ldots f_k((\alpha x)[\vec{M}'])) \Downarrow b$. Then for all $E$ such that $E$ equals $E_0$ on variables not in $S_{\mathit{dep}}$ and $E,\sigma,M_0 \Downarrow a$, we can define the $E''$ that maps variables of $M_0$ as $E$ and variables of $\alpha M_0$ as $E'$. Then $E'',\sigma,(\alpha M_0 = M_0) \Downarrow \mathit{true}$, so by rewriting $E'',\sigma,(f_1(\ldots f_k((\alpha x)[\vec{M}'])) = f_1(\ldots f_k(x[\vec{M}]))) \Downarrow \mathit{true}$, so $E,\sigma,f_1(\ldots f_k(x[\vec{M}])) \Downarrow b$.

– Otherwise, there is no $E$ such that $E$ equals $E_0$ on variables not in $S_{\mathit{dep}}$ and $E,\sigma,M_0 \Downarrow a$, so the result holds trivially.

So there exists a function $f$ such that for each $a,\sigma,E$, if $E,\sigma,M_0 \Downarrow a$ then $E,\sigma,f_1(\ldots f_k(x[\vec{M}])) \Downarrow f(a,\sigma,E|_{S_{\mathit{dep}}})$. Since the variables in $S_{\mathit{dep}}$ do not occur in $\vec{M}$, there exists a tuple of functions $\vec{f}$ such that $E,\sigma,\vec{M} \Downarrow \vec{f}(\sigma,E|_{S_{\mathit{dep}}})$. So $E,\sigma,f_1(\ldots f_k(x[\vec{f}(\sigma,E|_{S_{\mathit{dep}}})])) \Downarrow f(a,\sigma,E|_{S_{\mathit{dep}}})$.

Let us now consider the three cases of Rule (4). In each case, we show that $p = \Pr[\exists E, \exists \sigma, \exists \mathcal{Q}, \exists \mathcal{C}, C_0 \to^* E, (\sigma, P), \mathcal{Q}, \mathcal{C} \wedge E, \sigma \vdash M_1 = M_2] \le q'(\eta)\, p_{\max}(\eta)$ for some polynomial $q'$ and for $M_1, M_2$ that satisfy the hypothesis of Rule (4).

– First case: $M'_1$ is obtained from $M_1$ by replacing all array indices that are not replication indices with fresh replication indices, $x$ occurs in $M'_1$, $x$ is defined by restrictions $\mathbf{new}\ x : T'$, $T'$ is a large type, $M'_1$ characterizes a part of $x$, and $M_2$ is obtained by optionally applying function symbols to terms of the form $y[\tilde{M}']$ where $y$ is defined by restrictions and $y \ne x$.

Let $M'_2$ be obtained from $M_2$ by replacing all array indices that are not replication indices with fresh replication indices. Let $S_{\mathit{indep}}$ be the set of variables defined only by restrictions, excluding $x$. Since $M'_1$ characterizes a part of $x$, there exist a large type $T$, functions $f$ and $\tilde{f}$, and uniform functions $f_1, \ldots, f_k$ such that $T$ is the type of the result of $f_1$ (or of $x$ when $k = 0$) and for each $a$, $E$, and $\sigma$, if $E, \sigma, M'_1 \Downarrow a$ then $E, \sigma, f_1(\ldots f_k(x[\tilde{f}(\sigma, E|_{S_{\mathit{indep}}})])) \Downarrow f(a, \sigma, E|_{S_{\mathit{indep}}})$.

If $E, \sigma \vdash M_1 = M_2$ then we have $E, \sigma, M_1 \Downarrow a$ and $E, \sigma, M_2 \Downarrow a$ for some $a$. Then there exists an extension $\sigma'$ of $\sigma$ to the fresh replication indices of $M'_1$ and $M'_2$ such that $E, \sigma', M'_1 \Downarrow a$ and $E, \sigma', M'_2 \Downarrow a$. So $E, \sigma', f_1(\ldots f_k(x[\tilde{f}(\sigma', E|_{S_{\mathit{indep}}})])) \Downarrow f(a, \sigma', E|_{S_{\mathit{indep}}})$ and since only the variables of $S_{\mathit{indep}}$ occur in $M'_2$, there is a function $f'$ such that $a = f'(\sigma', E|_{S_{\mathit{indep}}})$. So
$$E(x[\tilde{f}(\sigma', E|_{S_{\mathit{indep}}})]) \in S_x(\sigma', E|_{S_{\mathit{indep}}}) = (I_\eta(f_1) \circ \ldots \circ I_\eta(f_k))^{-1}\big(f(f'(\sigma', E|_{S_{\mathit{indep}}}), \sigma', E|_{S_{\mathit{indep}}})\big).$$
Let $T_1, \ldots, T_k$ be the types of the arguments of $f_1, \ldots, f_k$ respectively; $T_0 = T$, $T_k = T'$. We have
$$|S_x(\sigma', E|_{S_{\mathit{indep}}})| \le \frac{|I_\eta(T_1)|}{|I_\eta(T_0)|} \times \ldots \times \frac{|I_\eta(T_k)|}{|I_\eta(T_{k-1})|} = \frac{|I_\eta(T_k)|}{|I_\eta(T_0)|} = \frac{|I_\eta(T')|}{|I_\eta(T)|}$$
since $f_1, \ldots, f_k$ are uniform. Let $E_{\mathit{indep}}$ be an environment giving values to variables of $S_{\mathit{indep}}$. Let $\tilde{i}' = \mathrm{Dom}(\sigma)$ be the current replication indices at $P$.

$$p \le \sum_{\sigma'} \sum_{E_{\mathit{indep}}} \Pr\Big[\exists (E, \mathcal{Q}, \mathcal{C}),\ C_0 \to^* E, (\sigma'|_{\tilde{i}'}, P), \mathcal{Q}, \mathcal{C} \wedge E|_{S_{\mathit{indep}}} = E_{\mathit{indep}} \wedge E(x[\tilde{f}(\sigma', E_{\mathit{indep}})]) \in S_x(\sigma', E_{\mathit{indep}})\Big]$$
$$\le \sum_{\sigma'} \frac{1}{|I_\eta(T)|} \sum_{E_{\mathit{indep}}} \Pr\Big[\exists (E, \mathcal{Q}, \mathcal{C}),\ C_0 \to^* E, (\sigma, P), \mathcal{Q}, \mathcal{C} \wedge E|_{S_{\mathit{indep}}} = E_{\mathit{indep}}\Big]$$
$$\le \frac{q_1(\eta)}{|I_\eta(T)|}$$
where $q_1(\eta)$ is the number of possible $\sigma'$, which is polynomial in $\eta$. So the result follows with $q'(\eta) = q_1(\eta)$.

– Second case: $x$ occurs in $M_1$, $x$ is defined by restrictions $\mathbf{new}\ x : T'$, $T'$ is a large type, $M_1$ characterizes a part of $x$, $\mathit{only\_dep}(x) = S$, and no variable of $S$ occurs in $M_2$.

We consider traces of $C[Q_0]$ that differ by the choices of values of $x$. Since $\mathit{only\_dep}(x) = S$, these traces differ only by the values of variables in $S$, after excluding exceptional traces in which we have $E, \sigma, (M_1 = M_2) \Downarrow \mathit{true}$ for $M_1, M_2$ considered in Rule (4) or for some test $M_1 = M_2$ or $M_1 \ne M_2$ in $Q_0$ such that $M_1$ characterizes a part of $x$ with $S \setminus \{x\}, S$, and no variable in $S$ occurs in $M_2$.

In the considered traces, the value of $M_2$ is the same $a$, which is therefore a function of $\sigma$ and $E|_S$, so $a = f'(\sigma, E|_S)$. Assume that $E, \sigma, (M_1 = M_2) \Downarrow \mathit{true}$. Then $E, \sigma, M_1 \Downarrow a$. Then there is some $M_0$ obtained from $M_1$ by substituting variables in $S \setminus \{x\}$ with their definition such that $E, \sigma, M_0 \Downarrow a$. (We choose the definition of these variables used to set them in environment $E$.) When $M_1, M_2$ come from Rule (4), we set $M_0 = M_1$. The number of choices of $M_0$ is independent of $\eta$: it can be bounded knowing the number of different definitions of variables in $S$ and the number of occurrences of these variables in the terms $M_1$.

Due to the properties of "characterize", there exist a large type $T$, functions $f$ and $\tilde{f}$, and uniform functions $f_1, \ldots, f_k$ such that $T$ is the type of the result of $f_1$ (or of $x$ when $k = 0$) and for each $a, \sigma, E$, if $E, \sigma, M_0 \Downarrow a$ then $E, \sigma, f_1(\ldots f_k(x[\tilde{f}(\sigma, E|_S)])) \Downarrow f(a, \sigma, E|_S)$. So $E(x[\tilde{f}(\sigma, E|_S)]) \in S_x(\sigma, E|_S) = (I_\eta(f_1) \circ \ldots \circ I_\eta(f_k))^{-1}(f(f'(\sigma, E|_S), \sigma, E|_S))$. Let $T_1, \ldots, T_k$ be the types of the arguments of $f_1, \ldots, f_k$ respectively; $T_0 = T$, $T_k = T'$. We have
$$|S_x(\sigma, E|_S)| \le \frac{|I_\eta(T_1)|}{|I_\eta(T_0)|} \times \ldots \times \frac{|I_\eta(T_k)|}{|I_\eta(T_{k-1})|} = \frac{|I_\eta(T_k)|}{|I_\eta(T_0)|} = \frac{|I_\eta(T')|}{|I_\eta(T)|}$$
since $f_1, \ldots, f_k$ are uniform.

The probability that $E, \sigma, (M_1 = M_2) \Downarrow \mathit{true}$ is at most the sum for all choices of $M_0$ of the probability that $E(x[\tilde{f}(\sigma, E|_S)]) \in S_x(\sigma, E|_S)$, so it is at most $\sum_{M_0} \frac{1}{|I_\eta(T)|}$. (Note that $T$ may depend on the choice of $M_0$.) Therefore, the probability of excluded traces is at most $\sum_{M_1, M_2} \sum_{M_0} \frac{q_1(\eta)}{|I_\eta(T)|}$ where the number of possible $\sigma$, that is, the number of executions of the test $M_1 = M_2$ or $M_1 \ne M_2$, is at most $q_1(\eta)$, polynomial in $\eta$.

For traces that have not been excluded, $E, \sigma, (M_1 = M_2) \Downarrow \mathit{false}$, so the result follows with $q'(\eta) = \sum_{M_1, M_2} \sum_{M_0} q_1(\eta)$.

– Third case: $\mathit{simplifyTerm}(M_1 = M_2, P) = \mathit{false}$. The result follows immediately from the correctness of the local dependency analysis, Property (S11).

Similarly, we also have (S12'): For each $Q'$,
$$\Pr[\exists (E, \sigma, P, \mathcal{Q}, \mathcal{C}, c, M_1, \ldots, M_l, N_1, \ldots, N_k, Q'', \sigma', \mathcal{Q}', \mathcal{C}'),\ C_0 \to^* E, (\sigma, P), \mathcal{Q}, \mathcal{C} \wedge P = c[M_1, \ldots, M_l]\langle N_1, \ldots, N_k\rangle.Q'' \wedge E, \{(\sigma, Q'')\}, \mathcal{C} \leadsto^* E, \mathcal{Q}', \mathcal{C}' \wedge (\sigma', Q') \in \mathcal{Q}' \wedge E, \sigma' \nvdash (\mathcal{F}_{m'}, \mathcal{R}_{m'})(Q')] \le q'(\eta)\, p_{\max}(\eta)$$
for some polynomial $q'$.

We have $\mathcal{F}_{Q'} = \mathcal{F}_P$, hence $(\mathcal{F}_{m'}, \mathcal{R}_{m'})(Q') = (\mathcal{F}_{m'}, \mathcal{R}_{m'})(P)$, and $\sigma'$ is an extension of $\sigma$, so $E, \sigma \vdash (\mathcal{F}_{m'}, \mathcal{R}_{m'})(P)$ implies $E, \sigma' \vdash (\mathcal{F}_{m'}, \mathcal{R}_{m'})(Q')$. So the result follows from (S12).

Correctness of game simplification. For simplicity, we consider one transformation at a time, and use transitivity of $\approx^V$ to conclude when several transformations are applied. For each trace $\mathit{initConfig}(C[Q_0]) \to^* E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m$, except in cases of negligible probability, we show that there exists a corresponding trace $\mathit{initConfig}(C[Q'_0]) \to^* E'_{m'}, P'_{m'}, \mathcal{Q}'_{m'}, \mathcal{C}'_{m'}$ with $E'_{m'} = E_m$, $P'_{m'}$ is obtained from $P_m$ by the same transformation as $Q'_0$ from $Q_0$, $\mathcal{Q}'_{m'}$ is obtained from $\mathcal{Q}_m$ by the same transformation as $Q'_0$ from $Q_0$, $\mathcal{C}'_{m'} = \mathcal{C}_m$, with the same probability. The proof proceeds by induction on $m$.

For the case $m = 0$, the only simplification that can be applied to input processes is the simplification of terms in input channels. Moreover, if $Q'$ is the transformed process, $\mathcal{F}_{Q'} = \emptyset$ since $\mathcal{F}_{C[Q_0]} = \emptyset$ and $Q'$ is obtained from $C[Q_0]$ by $\leadsto$, which reduces only input processes. So $(\mathcal{F}_0, \mathcal{R}_0)(Q') = (\emptyset, \emptyset)$. No rule of the equational prover applies on $(\emptyset, \emptyset)$, so $(\mathcal{F}_{m'}, \mathcal{R}_{m'})(Q') = (\emptyset, \emptyset)$, hence no rewrite rule of $\mathcal{R}_{m'}$ can be applied. So one can only simplify terms in the input channel of $Q'$ by a user-defined rewrite rule. The proof then proceeds exactly as in Case 1 below.

For the inductive step, we reason by cases on the last reduction step of the trace of $C[Q_0]$. We consider only the cases in which the transition may be altered by the game simplification.

• Case 1: $M$ reduces into $M'$ by a user-defined rewrite rule, and we replace $M$ with $M'$ in the smallest (input or output) process $P_M = C_M[M]$ that contains $M$. If $E, \sigma, M \Downarrow a$ then $E, \sigma, M' \Downarrow a'$ (since the variable accesses in $M'$ are included in those of $M$ and $M$ and $M'$ are well-typed). When $a \ne a'$, the game provides an adversary that satisfies the conditions of the definition of the corresponding user claim (as in the item "Cases (1) and (6) when the reduction uses a user-defined rewrite rule" above) so this situation has negligible probability and can be excluded. Otherwise, $a = a'$, and $C_M[M']$ reduces in the same way as $P_M = C_M[M]$.

• Case 2: $M$ reduces into $M'$ by a rule of $\mathcal{R}$, and we replace $M$ with $M'$ in the smallest process $P_M = C_M[M]$ that contains $M$, where $\mathcal{R}$ is the set of rewrite rules obtained by the equational prover from $\mathcal{F}_{P_M}$. We first assume that $P_M$ is an output process. We exclude traces such that $E, \sigma \nvdash (\mathcal{F}_{m'}, \mathcal{R}_{m'})(P_M)$. (They have negligible probability by (S12).) In the remaining traces, for all $(M_1 \to M_2) \in \mathcal{R} = \mathcal{R}_{m'}$, $E, \sigma \vdash M_1 = M_2$, so $E, \sigma \vdash M = M'$. So $E, \sigma, M \Downarrow a$ if and only if $E, \sigma, M' \Downarrow a$, and $C_M[M']$ reduces in the same way as $P_M = C_M[M]$. When we reduce a term in the channel of an input, we have a similar proof with an input process $Q_M = C_M[M]$ instead of $P_M$ and using (S12') instead of (S12).

• Case 3: $P = \mathbf{find}\ (\bigoplus_{j=1}^m u_{j1}[\tilde{i}] \le n_{j1}, \ldots, u_{jm_j}[\tilde{i}] \le n_{jm_j}\ \mathbf{suchthat}\ \mathit{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathbf{then}\ P_j)\ \mathbf{else}\ P'$, $\mathcal{F}_{P_j}$ yields a contradiction, and we remove the $j$-th branch of the $\mathbf{find}$. We exclude traces in which $E, \sigma, (\mathit{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j) \Downarrow \mathit{true}$. Let $S$ be the set defined in the reduction rule (Find1). We have $|S| \le \sum_{j=1}^m \prod_{l=1}^{m_j} n_{jl} = q(\eta)$ for some polynomial $q$, and $\mathit{among}(S) = \frac{2^{k+f(\eta)}\ \mathrm{div}\ |S|}{2^{k+f(\eta)}}$ where $k$ is the smallest integer such that $2^k \ge |S|$, so $\mathit{among}(S) \ge \frac{2^{f(\eta)}}{2^{k+f(\eta)}} \ge \frac{1}{2^k} \ge \frac{1}{2|S|} \ge \frac{1}{2q(\eta)}$. By (Find1), $P$ reduces into $P_j$ with probability at least $\mathit{among}(S)$, so at least $\frac{1}{2q(\eta)}$, when $E, \sigma, (\mathit{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j) \Downarrow \mathit{true}$. Therefore,
$$\Pr[\exists (E, \sigma, \mathcal{Q}, \mathcal{C}),\ C_0 \to^* E, (\sigma, P), \mathcal{Q}, \mathcal{C} \wedge E, \sigma, (\mathit{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j) \Downarrow \mathit{true}]$$
$$\le 2q(\eta) \Pr[\exists (E, \sigma, \mathcal{Q}, \mathcal{C}),\ C_0 \to^* E, (\sigma, P_j), \mathcal{Q}, \mathcal{C}]$$
$$\le 2q(\eta) \Pr[\exists (E, \sigma, \mathcal{Q}, \mathcal{C}),\ C_0 \to^* E, (\sigma, P_j), \mathcal{Q}, \mathcal{C} \wedge E, \sigma \nvdash (\mathcal{F}_{m'}, \mathcal{R}_{m'})(P_j)]$$
since $E, \sigma \nvdash (\mathcal{F}_{m'}, \mathcal{R}_{m'})(P_j)$ is always true since $\mathcal{F}_{P_j}$ yields a contradiction. So the excluded traces have negligible probability by (S12). In the remaining traces, $E, \sigma, (\mathit{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j) \Downarrow \mathit{false}$, so the set $S$ never contains $(j, \tilde{v})$ for any $\tilde{v}$, hence by (Find1) or (Find2), the process takes the same branch of the $\mathbf{find}$ with the same probability, whether or not the $j$-th branch is present.

• Case 4: $P_0 = \mathbf{find}\ (\bigoplus_{j=1}^m u_{j1}[\tilde{i}] \le n_{j1}, \ldots, u_{jm_j}[\tilde{i}] \le n_{jm_j}\ \mathbf{suchthat}\ \mathit{defined}(M_{j1}, \ldots, M_{jl_j}) \wedge M_j\ \mathbf{then}\ P_j)\ \mathbf{else}\ P'$, $x[N_1, \ldots, N_l]$ is a subterm of $M_{jk}$, and none of the following conditions holds: a) $P_0$ is under a definition of $x$ in $Q_0$; b) $Q_0$ contains $Q_1 \mid Q_2$ such that a definition of $x$ occurs in $Q_1$ and $P_0$ is under $Q_2$ or a definition of $x$ occurs in $Q_2$ and $P_0$ is under $Q_1$; c) $Q_0$ contains $l_p + 1$ replications above a process $Q$ that contains a definition of $x$ and $P_0$, where $l_p$ is the length of the longest common prefix between $N_1, \ldots, N_l$ and the current replication indices at the definitions of $x$. The $j$-th branch of the $\mathbf{find}$ is removed.

We show that $x[N_1, \ldots, N_l]$ cannot be defined at $P_0$ as follows. We say that the formula $\phi(E, (\sigma, P), \mathcal{Q}, \mathcal{C})$ is true when one of the following conditions holds:

A. $x[a_1, \ldots, a_m] \in \mathrm{Dom}(E)$, $(\sigma'', P'') \in \mathcal{Q} \uplus \{(\sigma, P)\}$, $P_0$ is under $P''$, and $\sigma'' i''_k = a_k$ for all $k \le \min(l_p, |\mathrm{Dom}(\sigma'')|)$, where $i''_k$ is the $k$-th replication index at $P''$;

B. $\{(\sigma', P'), (\sigma'', P'')\} \subseteq \mathcal{Q} \uplus \{(\sigma, P)\}$ (multiset inclusion), $P'$ contains a definition of $x$, $P_0$ is under $P''$, $\sigma' i'_k = \sigma'' i''_k$ for all $k \le \min(l_p, |\mathrm{Dom}(\sigma')|, |\mathrm{Dom}(\sigma'')|)$ where $i'_k$ is the $k$-th replication index at $P'$ and $i''_k$ is the $k$-th replication index at $P''$;

C. $(\sigma', P') \in \mathcal{Q} \uplus \{(\sigma, P)\}$ where

C.a. $P_0$ is under a definition of $x$ in $P'$;

C.b. or $P'$ contains $Q_1 \mid Q_2$ such that a definition of $x$ occurs in $Q_1$ and $P_0$ is under $Q_2$ or a definition of $x$ occurs in $Q_2$ and $P_0$ is under $Q_1$;

C.c. or $P'$ contains $l_p + 1 - |\mathrm{Dom}(\sigma')|$ replications above a process $Q$ that contains a definition of $x$ and $P_0$.

Next, we show that if a configuration in the trace satisfies $\phi$, then the previous configuration also satisfies $\phi$.

More precisely, we first show that if $\phi(E, (\sigma, P), \mathcal{Q}'' \uplus \mathcal{Q}', \mathcal{C}')$ and $E, \mathcal{Q}, \mathcal{C} \leadsto E, \mathcal{Q}', \mathcal{C}'$, then $\phi(E, (\sigma, P), \mathcal{Q}'' \uplus \mathcal{Q}, \mathcal{C})$. The proof is by cases on the reduction rule of $\leadsto$. Case (Nil) is obvious. For rule (Par), if we are in case B and both processes $P'$ and $P''$ are generated by (Par), then before applying (Par), we are in case C.b. In all other cases, we remain in the same case of the definition of $\phi$ before applying (Par). For rule (Repl), if we are in case B and both processes $P'$ and $P''$ are generated by (Repl), then before applying (Repl), we are in case C.c. In all other cases, we remain in the same case before applying (Repl). For rules (NewChannel) and (Input), we remain in the same case.

Therefore, if $\phi(E, (\sigma, P), \mathcal{Q}'' \uplus \mathcal{Q}', \mathcal{C}')$ and $E, \mathcal{Q}', \mathcal{C}' = \mathit{reduce}(E, \mathcal{Q}, \mathcal{C})$, then $\phi(E, (\sigma, P), \mathcal{Q}'' \uplus \mathcal{Q}, \mathcal{C})$.

We also show that, if $\phi(E', (\sigma', P'), \mathcal{Q}', \mathcal{C}')$ and $E, (\sigma, P), \mathcal{Q}, \mathcal{C} \xrightarrow{p}_t E', (\sigma', P'), \mathcal{Q}', \mathcal{C}'$, then $\phi(E, (\sigma, P), \mathcal{Q}, \mathcal{C})$. The proof is by cases on the reduction rule of $\xrightarrow{p}_t$. For rule (Find2), we remain in the same case of the definition of $\phi$. For rules (New), (Let), (Find1), if we are in case A after applying the reduction and the reduction defines $x[a_1, \ldots, a_m]$, then we are in case C.a before the reduction if $(\sigma'', P'')$ is $(\sigma, P)$ and in case B otherwise. Otherwise, we remain in the same case. For rule (Output), $E, (\sigma, c[\tilde{M}]\langle N_1, \ldots, N_k\rangle.Q''), \{(\sigma', c[\tilde{a}](x_1[\tilde{a}'] : T_1, \ldots, x_k[\tilde{a}'] : T_k).P)\} \uplus \mathcal{Q}, \mathcal{C}$ is transformed into $E', (\sigma', P), \mathcal{Q} \uplus \{(\sigma, Q'')\}, \mathcal{C}$, where $E' = E[x_1[\tilde{a}'] \mapsto \ldots, \ldots, x_k[\tilde{a}'] \mapsto \ldots]$, then we reduce $E', \{(\sigma, Q'')\}, \mathcal{C}$ by the function $\mathit{reduce}$. By the property shown for $\mathit{reduce}$, we have $\phi(E', (\sigma', P), \mathcal{Q} \uplus \{(\sigma, Q'')\}, \mathcal{C})$. If we are in case A and the input defines $x[a_1, \ldots, a_m]$, then before (Output), we are in case C.a if $(\sigma'', P'')$ is $(\sigma, P)$ and in case B otherwise. Otherwise, we remain in the same case.

Next, we show that if the $j$-th branch of the $\mathbf{find}$ is taken by (Find1) when evaluating $P_0$, then the last configuration of the trace satisfies $\phi$. In this case, $x[a_1, \ldots, a_m] \in \mathrm{Dom}(E)$ in a configuration $E, (\sigma, P_0), \mathcal{Q}, \mathcal{C}$ such that $\sigma i_k = a_k$ for all $k \le l_p$, where $i_k$ is the $k$-th replication index at $P_0$. So $\phi(E, (\sigma, P_0), \mathcal{Q}, \mathcal{C})$ (case A).

Therefore, by the previous proof, $\phi$ holds for the initial configuration, so we have $\phi(\emptyset, (\emptyset, \mathit{start}\langle\rangle), \{(\emptyset, C[Q_0])\}, \emptyset)$. Case A cannot happen because $E$ is empty; case B cannot happen because $\mathit{start}\langle\rangle$ contains neither $P_0$ nor a definition of $x$ and $(\sigma', P')$ and $(\sigma'', P'')$ cannot be the same process $(\emptyset, C[Q_0])$. So we are in case C with $P' = C[Q_0]$ and $\sigma' = \emptyset$. Since $C$ contains neither $P_0$ nor a definition of $x$, we obtain that one of the conditions a), b), c) holds, which contradicts the hypothesis. So the $j$-th branch of the $\mathbf{find}$ cannot be taken, and can be removed.

• The other cases can be handled in a way similar to cases 1–3.
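The bound used in Case 3 above, $\mathit{among}(S) = (2^{k+f(\eta)}\ \mathrm{div}\ |S|)/2^{k+f(\eta)} \ge 1/(2|S|)$, is easy to check mechanically. The following is an added example, not code from the paper or from CryptoVerif: it computes $\mathit{among}(S)$ exactly with rational arithmetic, enumerates every string of $k+f$ random bits under one concrete reading of rule (Find1) (an assumption of this example: the bits encode an integer $r$, the draw is accepted when $r$ is below the largest multiple of $|S|$ that fits, and then selects element $r \bmod |S|$), and confirms that each element is selected with probability exactly $\mathit{among}(S)$ and that the inequality chain of the proof holds.

```python
from fractions import Fraction


def smallest_k(size: int) -> int:
    """Smallest k with 2**k >= size, as in the definition of among(S)."""
    k = 0
    while 2 ** k < size:
        k += 1
    return k


def among(size: int, f: int) -> Fraction:
    """among(S) = (2^(k+f) div |S|) / 2^(k+f), computed exactly."""
    total = 2 ** (smallest_k(size) + f)
    return Fraction(total // size, total)


def choose_with_bits(elements, r: int, f: int):
    """One concrete reading of rule (Find1) (an assumption of this example):
    r is the integer encoded by k+f uniformly random bits.  The draw is
    accepted when r < (2^(k+f) div |S|) * |S|, and then selects
    elements[r mod |S|]; otherwise the draw is rejected (None)."""
    n = len(elements)
    total = 2 ** (smallest_k(n) + f)
    usable = (total // n) * n
    if r >= usable:
        return None
    return elements[r % n]


def exact_distribution(elements, f: int):
    """Enumerate all 2^(k+f) bit strings; return (per-element probability,
    rejection probability).  Every element gets exactly among(S)."""
    n = len(elements)
    total = 2 ** (smallest_k(n) + f)
    counts = {e: 0 for e in elements}
    rejected = 0
    for r in range(total):
        e = choose_with_bits(elements, r, f)
        if e is None:
            rejected += 1
        else:
            counts[e] += 1
    return {e: Fraction(c, total) for e, c in counts.items()}, Fraction(rejected, total)


def lower_bound_holds(size: int, f: int) -> bool:
    """The inequality chain of the proof: among(S) >= 1/2^k >= 1/(2|S|)."""
    k = smallest_k(size)
    return among(size, f) >= Fraction(1, 2 ** k) >= Fraction(1, 2 * size)


if __name__ == "__main__":
    # constructed sample: a find with five candidate (branch, index) pairs
    S = ["b1", "b2", "b3", "b4", "b5"]
    dist, rej = exact_distribution(S, f=3)
    print(among(5, 3), dist, rej, lower_bound_holds(5, 3))
```

Because $2^k \ge |S|$, the integer quotient $2^{k+f}\ \mathrm{div}\ |S|$ is at least $2^f$, which is where the first inequality comes from; the exhaustive enumeration also shows the price of exact uniformity, namely the rejected draws, whose fraction shrinks as $f$ grows.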

We also show the converse property: for each trace of $C[Q'_0]$, except in cases of negligible probability, there exists a corresponding trace of $C[Q_0]$ with the same probability. Moreover, for all channels $c$ and bitstrings $a$, $E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m$ executes $c\langle a\rangle$ immediately if and only if $E'_{m'}, P'_{m'}, \mathcal{Q}'_{m'}, \mathcal{C}'_{m'}$ executes $c\langle a\rangle$ immediately, so $\Pr[C[Q_0] \leadsto_\eta c\langle a\rangle] = \Pr[C[Q'_0] \leadsto_\eta c\langle a\rangle]$, which yields the desired equivalence.

We leave the proof of the additional transformations MoveNew, RemoveAssign(useless), and SArename(auto) to the reader. The proof technique is similar to that for SArename($x$).

E.2 Proving the Last Hypothesis of Proposition 5

In this section, we show how to prove the last hypothesis of Proposition 5. We use the notations of Proposition 5 and of the proof of Simplify in the previous section.

For each definition $P$ of $x$ in $Q$, we define $\mathit{defRestr}_P(x[\tilde{i}])$ as follows:
$$\mathit{defRestr}_P(x[\tilde{i}]) = \begin{cases} x[\tilde{i}] & \text{if } P = \mathbf{new}\ x[\tilde{i}'] : T; P' \\ z[M_1, \ldots, M_l]\{\tilde{i}/\tilde{i}'\} & \text{if } P = \mathbf{let}\ x[\tilde{i}'] : T = z[M_1, \ldots, M_l]\ \mathbf{in}\ P' \end{cases}$$

Let $\mathcal{F}_P[\tilde{i}]$ denote the facts that hold at $P$ with current replication indices renamed to $\tilde{i}$, that is, $\mathcal{F}_P[\tilde{i}] = \mathcal{F}_P\{\tilde{i}/\tilde{i}'\}$ where the replication indices at $P$ are $\tilde{i}'$.

For each pair of definitions of $x$, $P, P'$, we check that, if $\mathit{defRestr}_P(x[\tilde{i}]) = z[M_1, \ldots, M_l]$ and $\mathit{defRestr}_{P'}(x[\tilde{i}']) = z[M'_1, \ldots, M'_l]$, then $\mathcal{F}_P[\tilde{i}] \cup \mathcal{F}_{P'}[\tilde{i}'] \cup \{\tilde{i} \ne \tilde{i}', M_1 = M'_1, \ldots, M_l = M'_l\}$ yields a contradiction. That is, $\tilde{i} \ne \tilde{i}' \wedge M_1 = M'_1 \wedge \ldots \wedge M_l = M'_l$ is false except in cases of negligible probability, taking into account the facts that are known to hold at $P$ and $P'$. When this check succeeds, the last hypothesis of Proposition 5 holds, as shown by the next proposition.

Proposition 7 Assume that, for all pairs $P, P'$ of definitions of $x$ in $Q$, if $\mathit{defRestr}_P(x[\tilde{i}]) = z[M_1, \ldots, M_l]$ and $\mathit{defRestr}_{P'}(x[\tilde{i}']) = z[M'_1, \ldots, M'_l]$, then $\mathcal{F}_P[\tilde{i}] \cup \mathcal{F}_{P'}[\tilde{i}'] \cup \{\tilde{i} \ne \tilde{i}', M_1 = M'_1, \ldots, M_l = M'_l\}$ yields a contradiction (with local dependency analysis disabled).

Then $\Pr[\exists (\mathcal{T}, \tilde{a}, \tilde{a}'),\ C[Q] \text{ reduces according to } \mathcal{T} \wedge \tilde{a} \ne \tilde{a}' \wedge \mathit{defRestr}_{\mathcal{T}}(x[\tilde{a}]) = \mathit{defRestr}_{\mathcal{T}}(x[\tilde{a}'])]$ is negligible.

The local dependency analysis is disabled because it gives information valid only at a certain process occurrence, and here we combine facts obtained at two occurrences $P$ and $P'$.

Proof Consider a trace $\mathcal{T}$ of $C[Q]$ and $\tilde{a} \ne \tilde{a}'$ such that $\mathit{defRestr}_{\mathcal{T}}(x[\tilde{a}]) = \mathit{defRestr}_{\mathcal{T}}(x[\tilde{a}'])$. Let $P$ and $P'$ be the processes that define $x[\tilde{a}]$ and $x[\tilde{a}']$, respectively, in this trace. Let $\sigma$ be mapping the replication indices at $P$ to $\tilde{a}$, $\sigma'$ be mapping the replication indices at $P'$ to $\tilde{a}'$, and $\sigma''$ be mapping $\tilde{i}$ to $\tilde{a}$ and $\tilde{i}'$ to $\tilde{a}'$. Let $E''$ be the environment at the end of $\mathcal{T}$.

Just before the definition of $x[\tilde{a}]$ is executed, the configuration of $\mathcal{T}$ is of the form $E, (\sigma, P), \ldots$, so, since $\mathcal{F}_P$ is correct for all $P$, $E, \sigma \vdash \mathcal{F}_P$, so $E'', \sigma'' \vdash \mathcal{F}_P[\tilde{i}]$. Similarly, $E'', \sigma'' \vdash \mathcal{F}_{P'}[\tilde{i}']$. Since $\tilde{a} \ne \tilde{a}'$, $E'', \sigma'' \vdash \tilde{i} \ne \tilde{i}'$. Since $\mathit{defRestr}_{\mathcal{T}}(x[\tilde{a}]) = \mathit{defRestr}_{\mathcal{T}}(x[\tilde{a}'])$, $\mathit{defRestr}_P(x[\tilde{i}]) = z[M_1, \ldots, M_l]$, $\mathit{defRestr}_{P'}(x[\tilde{i}']) = z[M'_1, \ldots, M'_l]$, for some $z, M_1, \ldots, M_l, M'_1, \ldots, M'_l$, and $E'', \sigma'' \vdash M_1 = M'_1, \ldots, E'', \sigma'' \vdash M_l = M'_l$. So $E'', \sigma'' \vdash \mathcal{F}_{P,P'}$, where $\mathcal{F}_{P,P'} = \mathcal{F}_P[\tilde{i}] \cup \mathcal{F}_{P'}[\tilde{i}'] \cup \{\tilde{i} \ne \tilde{i}', M_1 = M'_1, \ldots, M_l = M'_l\}$. Hence
$$\Pr[\exists (\mathcal{T}, \tilde{a}, \tilde{a}'),\ C[Q] \text{ reduces according to } \mathcal{T} \wedge \tilde{a} \ne \tilde{a}' \wedge \mathit{defRestr}_{\mathcal{T}}(x[\tilde{a}]) = \mathit{defRestr}_{\mathcal{T}}(x[\tilde{a}'])] \le \sum_{P, P'} \Pr[\exists (E'', \sigma''),\ C_0 \to^* E'', \ldots \wedge E'', \sigma'' \vdash \mathcal{F}_{P,P'}].$$
When the local dependency analysis is disabled, the proof of correctness of the equational prover (S12) shown in the previous section also shows that, if $(\mathcal{F}, \mathcal{R})$ is transformed into $(\mathcal{F}', \mathcal{R}')$ by the equational prover, then
$$\Pr[\exists (E'', \sigma''),\ C_0 \to^* E'', \ldots \wedge E'', \sigma'' \vdash (\mathcal{F}, \mathcal{R}) \wedge E'', \sigma'' \nvdash (\mathcal{F}', \mathcal{R}')]$$
is negligible. Moreover, for all $P$ and $P'$ definitions of $x$ in $Q$, since $\mathcal{F}_{P,P'}$ yields a contradiction, $\mathcal{F}_{P,P'}, \emptyset$ is transformed into $\mathit{false}, \mathcal{R}'$ by the equational prover, so $\Pr[\exists (E'', \sigma''),\ C_0 \to^* E'', \ldots \wedge E'', \sigma'' \vdash \mathcal{F}_{P,P'}]$ is negligible, which shows the desired result. □

E.3 Proof of Proposition 2

Proof of Proposition 2 The idea of the proof is to show that if an adversary (represented by a context $C$) distinguishes $[[L]]$ from $[[R]]$, then we can build an adversary $A_a$ against the security of the mac for the key $\mathit{mkgen}(r[a])$, for some $a \in I_\eta(n'')$.

Let $C$ be an evaluation context acceptable for $[[L]], [[R]], \emptyset$. We define a probabilistic polynomial Turing machine $A_a$, for $a \in [1, I_\eta(n'')]$, as follows. $A_a$ uses oracles $\mathit{mac}(., k)$ and $\mathit{check}(., k, .)$. $A_a$ simulates $C[[[L]]]$ except that:

• for $a' < a$, in copies corresponding to $i'' = a'$ of $L$, $A_a$ computes $\mathbf{find}\ u \le n\ \mathbf{suchthat}\ \mathit{defined}(x[u]) \wedge (m = x[u]) \wedge \mathit{check}(m, \mathit{mkgen}(r), \mathit{ma})\ \mathbf{then}\ \mathit{true}\ \mathbf{else}\ \mathit{false}$ instead of $\mathit{check}(m, \mathit{mkgen}(r), \mathit{ma})$, and

• in the copy corresponding to $i'' = a$, $A_a$ does not choose a random number $r[a]$, it calls the oracle $\mathit{mac}(., k)$ on $x$ instead of computing $\mathit{mac}(x, \mathit{mkgen}(r))$, and instead of computing $\mathit{check}(m, \mathit{mkgen}(r), \mathit{ma})$, it computes $b_1 = \mathit{check}(m, k, \mathit{ma})$ using the oracle $\mathit{check}(., k, .)$ and $b_2 = \mathbf{find}\ u \le n\ \mathbf{suchthat}\ \mathit{defined}(x[u]) \wedge (m = x[u]) \wedge b_1\ \mathbf{then}\ \mathit{true}\ \mathbf{else}\ \mathit{false}$; if $b_1 \ne b_2$, the execution of the Turing machine stops, with result $(m, \mathit{ma})$; otherwise, the execution continues using value $b_1 = b_2$.

When $A_a$ has not stopped due to the last item above, it returns $\bot$ when the simulation of $C[[[L]]]$ terminates.

When $A_a$ returns $(m, t)$, $b_1 \ne b_2$. Moreover, if $b_1 = 0$, then $b_2 = 0$ by definition of $b_2$. So $b_1 = 1$ and $b_2 = 0$. Therefore, there is no $u$ such that $m = x[u]$, hence $A_a$ has not called the oracle $\mathit{mac}(., k)$ on $m$. Moreover, there exists a polynomial $q$ such that for all $a$, $A_a$ runs in time $q(\eta)$. So by Definition 1, $\max_a p_a(\eta)$ is negligible, where

$$p_a(\eta) = \Pr\left[r \xleftarrow{R} I_\eta(T_{\mathit{mr}});\ k \leftarrow \mathit{mkgen}_\eta(r);\ (m, t) \leftarrow A_a : \mathit{check}_\eta(m, k, t)\right]$$

Since $I_\eta(n'')$ is polynomial in $\eta$, $\sum_{a \in [1, I_\eta(n'')]} p_a(\eta) \le \max_a p_a(\eta) \times I_\eta(n'')$ is also negligible. On the other hand, let $c$ be a channel and $a'$ be a bitstring. We need to evaluate $|\Pr[C[[[L]]] \leadsto_\eta c\langle a'\rangle] - \Pr[C[[[R]]] \leadsto_\eta c\langle a'\rangle]|$. We consider three categories of pairs of traces $(\mathcal{T}, \mathcal{T}')$ where $\mathcal{T}$ and $\mathcal{T}'$ are traces of $C[[[L]]]$ and $C[[[R]]]$ respectively:

1. Traces $\mathcal{T}$ and $\mathcal{T}'$ have the same configurations except for the replacement of $L$ with $R$ in processes, they terminate, and none of their configurations executes $c\langle a'\rangle$ immediately.

2. Traces $\mathcal{T}$ and $\mathcal{T}'$ have the same configurations except for the replacement of $L$ with $R$ in processes up to a point at which their corresponding configurations both execute $c\langle a'\rangle$ immediately.

3. Traces $\mathcal{T}$ and $\mathcal{T}'$ have the same configurations except for the replacement of $L$ with $R$ in processes up to a point at which their configurations differ because for some $a \in [1, I_\eta(n'')]$, for some messages $m, \mathit{ma}$ received on channel $c_2[a]$ (where $c_2$ is the channel used in $[[L]]$ and $[[R]]$ for the second parallel process of $L$ and $R$), the result returned by $[[L]]$ differs from the one returned by $[[R]]$. In this case, the simulating Turing machine that runs $r \xleftarrow{R} I_\eta(T_{\mathit{mr}});\ k \leftarrow \mathit{mkgen}_\eta(r)$ and executes $A_a$ will return $(m, \mathit{ma})$, by construction.

All traces of $C[[[L]]]$ fall in one of the above categories, and similarly for traces of $C[[[R]]]$. Traces of the first category have no contribution to $\Pr[C[[[L]]] \leadsto_\eta c\langle a'\rangle]$ and to $\Pr[C[[[R]]] \leadsto_\eta c\langle a'\rangle]$; traces of the second category cancel out when computing $\Pr[C[[[L]]] \leadsto_\eta c\langle a'\rangle] - \Pr[C[[[R]]] \leadsto_\eta c\langle a'\rangle]$. So
$$|\Pr[C[[[L]]] \leadsto_\eta c\langle a'\rangle] - \Pr[C[[[R]]] \leadsto_\eta c\langle a'\rangle]| \le \Pr[(\mathcal{T}, \mathcal{T}') \text{ is in the third category}]$$
$$\le \sum_{a \in [1, I_\eta(n'')]} \Pr[r \xleftarrow{R} I_\eta(T_{\mathit{mr}});\ k \leftarrow \mathit{mkgen}_\eta(r);\ (m, t) \leftarrow A_a] \le \sum_{a \in [1, I_\eta(n'')]} p_a(\eta)$$
Hence $|\Pr[C[[[L]]] \leadsto_\eta c\langle a'\rangle] - \Pr[C[[[R]]] \leadsto_\eta c\langle a'\rangle]|$ is negligible, so $[[L]] \approx [[R]]$. □
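The heart of the proof above is the machine $A_a$: it runs the distinguishing context, answers the copy $i'' = a$ with the real oracles, and compares $b_1 = \mathit{check}(m, k, \mathit{ma})$ against the $\mathbf{find}$-based answer $b_2$; the moment they disagree it halts with $(m, \mathit{ma})$, which is then a valid forgery because $b_1 = 1$ and $m$ was never submitted to $\mathit{mac}(., k)$. The following is an added example, not code from the paper or from CryptoVerif, that implements this single-copy reduction in Python. Its assumptions: $\mathit{mkgen}$ is taken to be the identity on a random 32-byte seed; the distinguishing context is a constructed callback rather than a process; and, besides HMAC-SHA256, a deliberately broken length-only MAC is constructed so that the reduction has a divergence to catch (with HMAC the two answers never disagree and $A_a$ returns $\bot$, here `None`).

```python
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional, Tuple

MacFn = Callable[[bytes, bytes], bytes]


class MacOracle:
    """The oracles mac(., k) and check(., k, .) of Definition 1 for one key k.
    Assumption of this example: mkgen is the identity on a random 32-byte seed."""

    def __init__(self, mac_fn: MacFn, key: Optional[bytes] = None):
        self.mac_fn = mac_fn
        self.key = key if key is not None else secrets.token_bytes(32)
        self.queried: List[bytes] = []      # the x[u] on which mac(., k) was called

    def mac(self, x: bytes) -> bytes:
        self.queried.append(x)
        return self.mac_fn(self.key, x)

    def check(self, m: bytes, t: bytes) -> bool:
        return hmac.compare_digest(self.mac_fn(self.key, m), t)


def hmac_sha256(key: bytes, x: bytes) -> bytes:
    return hmac.new(key, x, hashlib.sha256).digest()


def length_only_mac(key: bytes, x: bytes) -> bytes:
    """Constructed toy MAC whose tag depends only on len(x).  It is trivially
    forgeable and exists here only so that the reduction has something to catch."""
    return hashlib.sha256(key + len(x).to_bytes(4, "big")).digest()[:8]


class _Stop(Exception):
    pass


def reduction_A(context: Callable, oracle: MacOracle) -> Optional[Tuple[bytes, bytes]]:
    """A_a restricted to the single key copy i'' = a.  `context` plays the role of
    the distinguishing context C; it receives two callbacks:
      mac_query(x)  -> tag    the oracle mac(., k)            (what [[L]] computes)
      verify(m, ma) -> bool   b1 = check(m, k, ma) via the oracle;
                              b2 = find u suchthat defined(x[u]) and m = x[u] and b1
    If b1 != b2 the simulation stops and (m, ma) is returned; otherwise None (bottom)."""
    result: List[Tuple[bytes, bytes]] = []

    def mac_query(x: bytes) -> bytes:
        return oracle.mac(x)

    def verify(m: bytes, ma: bytes) -> bool:
        b1 = oracle.check(m, ma)
        b2 = b1 and any(m == x for x in oracle.queried)
        if b1 != b2:
            result.append((m, ma))
            raise _Stop()
        return b1                            # b1 == b2: continue the simulation

    try:
        context(mac_query, verify)
    except _Stop:
        return result[0]
    return None


def is_valid_forgery(oracle: MacOracle, out: Optional[Tuple[bytes, bytes]]) -> bool:
    """check_eta(m, k, t) holds and m was never submitted to mac(., k)."""
    if out is None:
        return False
    m, t = out
    return oracle.check(m, t) and m not in oracle.queried


def sample_context(mac_query, verify) -> None:
    """Constructed context: obtains one tag honestly, then submits a different
    message of the same length under that tag."""
    tag = mac_query(b"transfer:10:alice")
    verify(b"transfer:10:alice", tag)   # b1 = b2 = True: [[L]] and [[R]] agree
    verify(b"transfer:10:bobby", tag)   # secure MAC: b1 = b2 = False; toy MAC: b1 != b2


def run(mac_fn: MacFn) -> Tuple[MacOracle, Optional[Tuple[bytes, bytes]]]:
    oracle = MacOracle(mac_fn)
    return oracle, reduction_A(sample_context, oracle)


if __name__ == "__main__":
    for name, fn in (("HMAC-SHA256", hmac_sha256), ("length-only toy MAC", length_only_mac)):
        oracle, out = run(fn)
        print(name, "->", out, "valid forgery:", is_valid_forgery(oracle, out))
```

The machine never needs the key: everything it does with $k$ goes through the two oracles, which is exactly what makes its output count as a forgery under Definition 1. The full $A_a$ of the proof additionally replaces the copies $i'' < a$ by their $\mathbf{find}$ versions and leaves the copies $i'' > a$ as in $[[L]]$; that hybrid bookkeeping is omitted here since the single-copy case already shows how a disagreement between $b_1$ and $b_2$ becomes $(m, \mathit{ma})$.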

E.4 Proof of Proposition 3

Let us first introduce some notations. We denote by $L_{j_0, \ldots, j_k}$ the subtrees of $L$ defined as follows by induction on $k$. We define $L_1, \ldots, L_{m'}$ such that $L = (L_1, \ldots, L_{m'})$. The functional process $L_{j_0, \ldots, j_k}$ being defined, we define $L_{j_0, \ldots, j_k, 1}, \ldots, L_{j_0, \ldots, j_k, m'}$ to be the immediate sub-functional-processes of $L_{j_0, \ldots, j_k}$, so that $L_{j_0, \ldots, j_k}$ is of the form $!^{i \le n}\ \mathbf{new}\ y_1 : T_1; \ldots; \mathbf{new}\ y_m : T_m; (L_{j_0, \ldots, j_k, 1}, \ldots, L_{j_0, \ldots, j_k, m'})$.

When $L_{j_0, \ldots, j_k} = !^{i \le n}\ \mathbf{new}\ y_1 : T_1; \ldots; \mathbf{new}\ y_m : T_m; (L_{j_0, \ldots, j_k, 1}, \ldots, L_{j_0, \ldots, j_k, m'})$, we define $i_{j_0, \ldots, j_k} = i$, $n_{j_0, \ldots, j_k} = n$, $y_{(j_0, \ldots, j_k), k'} = y_{k'}$, and $\mathit{nNew}_{j_0, \ldots, j_k} = m$.

When $L_{j_0, \ldots, j_l} = (x_1 : T_1, \ldots, x_m : T_m) \to \mathit{FP}$, we say that $L_{j_0, \ldots, j_l}$ is a leaf of $L$, and we define $x_{(j_0, \ldots, j_l), k'} = x_{k'}$, $T_{(j_0, \ldots, j_l), k'} = T_{k'}$, and $\mathit{nInput}_{j_0, \ldots, j_l} = m$.

In order to prove Proposition 3, we define a context $C$ such that $Q_0 \approx^{V_0} C[[[L]]]$ and $C[[[R]]] \approx^{V_0} Q'_0$. While $Q_0$ evaluates the terms in $\mathcal{M}$ directly, the context $C$ will send messages to $[[L]]$ in order to evaluate these terms in $C[[[L]]]$. Similarly, the process $Q'_0$ contains inlined versions of the functional processes in $R$, while $C[[[R]]]$ computes the same result by sending messages to $[[R]]$.

In order to define $C$, we first define a process $\mathit{relay}(L)$ as follows:
$$\mathit{relay}((G_1, \ldots, G_m)) = \mathit{relay}(G_1)^1 \mid \ldots \mid \mathit{relay}(G_m)^m$$
$$\mathit{relay}(!^{i \le n}\ \mathbf{new}\ y_1 : T_1; \ldots; \mathbf{new}\ y_l : T_l; (G_1, \ldots, G_m))^{\tilde{j}}_{\tilde{i}} = \ !^{i \le n}\ d_{\tilde{j}}[\tilde{i}, i](); c_{\tilde{j}}[\tilde{i}, i]\langle\rangle; c_{\tilde{j}}[\tilde{i}, i](); d_{\tilde{j}}[\tilde{i}, i]\langle\rangle; \big(\mathit{relay}(G_1)^{\tilde{j}, 1}_{\tilde{i}, i} \mid \ldots \mid \mathit{relay}(G_m)^{\tilde{j}, m}_{\tilde{i}, i} \mid\ !^{i' \le n'}\ d_{\tilde{j}}[\tilde{i}, i](); d_{\tilde{j}}[\tilde{i}, i]\langle\rangle\big)$$
$$\mathit{relay}((x_1 : T_1, \ldots, x_l : T_l) \to \mathit{FP})^{\tilde{j}}_{\tilde{i}} = d_{\tilde{j}}[\tilde{i}](x_1 : T_1, \ldots, x_l : T_l); c_{\tilde{j}}[\tilde{i}]\langle x_1, \ldots, x_l\rangle; c_{\tilde{j}}[\tilde{i}](r : \mathit{bitstring}); d_{\tilde{j}}[\tilde{i}]\langle r\rangle;\ !^{i' \le n'}\ d_{\tilde{j}}[\tilde{i}](x_1 : T_1, \ldots, x_l : T_l); d_{\tilde{j}}[\tilde{i}]\langle r\rangle$$
where $\tilde{i} = i_1, \ldots, i_{l'}$ and $\tilde{j} = j_0, \ldots, j_{l'}$. The relay process corresponding to replicated restrictions relays messages sent on channel $d_{\tilde{j}}$ to channel $c_{\tilde{j}}$ (used in $[[L]]$ and $[[R]]$) so that the corresponding random numbers $y_1, \ldots, y_l$ are chosen by $[[L]]$. When those random numbers have already been chosen, the process accepts messages on $d_{\tilde{j}}$ but yields control back to the sending process without executing anything by outputting on $d_{\tilde{j}}$. Thus, the caller of the relay process can harmlessly ask several times for choosing the same random numbers. Similarly, the relay process corresponding to a function relays the arguments of the function received on channel $d_{\tilde{j}}$ to channel $c_{\tilde{j}}$, so that $[[L]]$ replies on channel $c_{\tilde{j}}$ with the result $r$ of the function, which is forwarded to channel $d_{\tilde{j}}$. The relay process also allows calling several times the same function with the same values of $\tilde{j}$ and $\tilde{i}$, in which case it always returns the same result $r$. (We make sure in the following that when a function is called several times, the calls all use the same arguments.) Since $L$ and $R$ are required to have the same structure by Hypothesis H2, $\mathit{relay}(L) = \mathit{relay}(R)$.

We introduce the following auxiliary definitions, which allow us to define the correspondence $\mathit{mapIdx}_M$ from replication indices at $M$ in $Q_0$ to replication indices at $N_M$ in $L$:

• For each $M \in \mathcal{M}$ and $k \le \mathit{nNewSeq}_M$, we define $\mathit{count}_\eta(k, M)$ as follows. Let $n_1, \ldots, n_l$ be the sequence of bounds of replications above the definition of $z_{kk', M}$ for any $k'$. Let $l'$ be the length of the longest common prefix of $\mathit{im}\,\mathit{index}_k(M)$ and $\mathit{im}\,\mathit{index}_{k_0}(M)$ for $k_0 < k$. We define $\mathit{count}_\eta(k, M) = I_\eta(n_{l'+1}) \times \ldots \times I_\eta(n_l)$. We define parameters $\mathit{count}_{k, M}$ such that $I_\eta(\mathit{count}_{k, M}) = \mathit{count}_\eta(k, M)$.

We define function symbols $\mathit{num}_{k, M} : [1, n_1] \times \ldots \times [1, n_l] \to [1, \mathit{count}_{k, M}]$ such that
$$I_\eta(\mathit{num}_{k, M})(a_1, \ldots, a_l) = 1 + (a_{l'+1} - 1) + I_\eta(n_{l'+1}) \times \big((a_{l'+2} - 1) + I_\eta(n_{l'+2}) \times \ldots + I_\eta(n_{l-1}) \times (a_l - 1)\big).$$
Then $\mathit{num}_{k, M}$ establishes a bijection between the last $l - l'$ components of its argument and its result.

• We define $\mathit{tot\_count}_\eta(j_0, \ldots, j_k)$ as the sum of $\mathit{count}_\eta(k + 1, M'')$ for all $M''$ such that the first $k + 1$ elements of $\mathit{BL}(M'')$ are equal to $j_0, \ldots, j_k$, counting only once terms $M''$ that share the first $k + 1$ sequences of random variables.

We set $I_\eta(n_{j_0, \ldots, j_k}) = \mathit{tot\_count}_\eta(j_0, \ldots, j_k)$, where $n_{j_0, \ldots, j_k}$ is the bound of the replication at the root of $L_{j_0, \ldots, j_k}$ in $L$. The value of $I_\eta(n_{j_0, \ldots, j_k})$ is then large enough so that there is always an available copy of the desired replicated process when we need to execute one.

The replication at the root of $\mathit{relay}(L_{j_0, \ldots, j_k})^{j_0, \ldots, j_k}_{i_1, \ldots, i_k}$ is also bounded by $n_{j_0, \ldots, j_k}$. The other replication of $\mathit{relay}(L_{j_0, \ldots, j_k})^{j_0, \ldots, j_k}_{i_1, \ldots, i_k}$ is bounded by $n'$, where $I_\eta(n')$ is the sum for all $M \in \mathcal{M}$ of $I_\eta(n_1) \times \ldots \times I_\eta(n_l)$ where $n_1, \ldots, n_l$ is the sequence of bounds of replications above $M$ in $Q_0$.

• We order the term occurrences in $\mathcal{M}$ arbitrarily, with a total ordering. Let $\mathit{start}_\eta(k, M)$ be defined as follows. Let $M'$ be the smallest (in the chosen ordering of $\mathcal{M}$) term occurrence of $\mathcal{M}$ that shares the first $k$ sequences of random variables with $M$. Then $\mathit{start}_\eta(k, M)$ is the sum of $\mathit{count}_\eta(k, M'')$ for all $M''$ smaller than $M'$ such that the first $k$ elements of $\mathit{BL}(M'')$ are equal to the first $k$ elements of $\mathit{BL}(M')$, counting only once terms $M''$ that share the first $k$ sequences of random variables.

We define function symbols $\mathit{addstart}_{k, M} : [1, \mathit{count}_{k, M}] \to [1, n_{j_0, \ldots, j_k}]$ where $\mathit{BL}(M) = (j_0, \ldots, j_k, \ldots)$, such that $I_\eta(\mathit{addstart}_{k, M})(a) = \mathit{start}_\eta(k, M) + a$.

• Let us define $\mathit{convindex}(k, M)$ as the sequence of terms
$$\mathit{convindex}(k, M) = \big(\mathit{addstart}_{1, M}(\mathit{num}_{1, M}(\mathit{im}\,\mathit{index}_1(M))), \ldots, \mathit{addstart}_{k, M}(\mathit{num}_{k, M}(\mathit{im}\,\mathit{index}_k(M)))\big)$$
This sequence of terms implements the function $\mathit{mapIdx}_M$ mentioned in the explanation of the transformation, in Section 3.2. More precisely, $\mathit{mapIdx}_M(\tilde{a}) = \mathit{convindex}(l, M)\{\tilde{a}/\tilde{i}\}$, where $\tilde{i}$ is the sequence of current replication indices at $M$ and $l = \mathit{nNewSeq}_M$.
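The function $\mathit{num}_{k,M}$ defined above is a mixed-radix encoding: the components $a_{l'+1}, \ldots, a_l$ that lie after the common prefix are packed, least significant first, into a single index in $[1, \mathit{count}_\eta(k, M)]$, and $\mathit{addstart}_{k,M}$ then shifts that index into the slice of $[1, n_{j_0,\ldots,j_k}]$ reserved for $M$. The following is an added example, not code from the paper or from CryptoVerif, that implements the formula for $I_\eta(\mathit{num}_{k,M})$ with concrete bounds (a constructed sample: three replications with bounds 2, 3, 4 and a common prefix of length $l' = 1$), its inverse, and an exhaustive check that it is a bijection on the last $l - l'$ components, which is the property the proof of Lemma 11 relies on. The bounds are passed as plain integers standing for $I_\eta(n_1), \ldots, I_\eta(n_l)$.

```python
from itertools import product
from typing import Sequence, Tuple


def count(bounds: Sequence[int], l_prime: int) -> int:
    """count_eta(k, M) = n_{l'+1} * ... * n_l: product of the bounds after the
    common prefix of length l'."""
    c = 1
    for n in bounds[l_prime:]:
        c *= n
    return c


def num(bounds: Sequence[int], l_prime: int, a: Sequence[int]) -> int:
    """I_eta(num_{k,M})(a_1, ..., a_l) =
       1 + (a_{l'+1} - 1) + n_{l'+1} * ((a_{l'+2} - 1) + n_{l'+2} * (... + n_{l-1} * (a_l - 1)))
    i.e. a mixed-radix encoding of the last l - l' components (1-based, least
    significant first); the first l' components are ignored."""
    assert len(a) == len(bounds)
    value, weight = 0, 1
    for n, a_j in zip(bounds[l_prime:], a[l_prime:]):
        assert 1 <= a_j <= n, "index outside its replication bound"
        value += (a_j - 1) * weight
        weight *= n
    return 1 + value


def num_inverse(bounds: Sequence[int], l_prime: int,
                prefix: Sequence[int], v: int) -> Tuple[int, ...]:
    """Decode v in [1, count] back to (prefix, a_{l'+1}, ..., a_l)."""
    assert 1 <= v <= count(bounds, l_prime)
    v -= 1
    tail = []
    for n in bounds[l_prime:]:
        tail.append(v % n + 1)
        v //= n
    return tuple(prefix) + tuple(tail)


def add_start(start: int, v: int) -> int:
    """I_eta(addstart_{k,M})(v) = start_eta(k, M) + v: shifts the local index into
    the slice of [1, n_{j_0,...,j_k}] reserved for this term."""
    return start + v


def is_bijection(bounds: Sequence[int], l_prime: int) -> bool:
    """Exhaustively check that num maps the last l - l' components one-to-one
    onto [1, count], with num_inverse as its inverse."""
    prefix = tuple(1 for _ in range(l_prime))
    seen = set()
    for tail in product(*[range(1, n + 1) for n in bounds[l_prime:]]):
        a = prefix + tail
        v = num(bounds, l_prime, a)
        if not 1 <= v <= count(bounds, l_prime) or v in seen:
            return False
        if num_inverse(bounds, l_prime, prefix, v) != a:
            return False
        seen.add(v)
    return len(seen) == count(bounds, l_prime)


if __name__ == "__main__":
    # constructed sample: bounds n_1 = 2, n_2 = 3, n_3 = 4, common prefix l' = 1
    bounds, l_prime = (2, 3, 4), 1
    print(count(bounds, l_prime), num(bounds, l_prime, (2, 3, 4)),
          num_inverse(bounds, l_prime, (2,), 12), is_bijection(bounds, l_prime))
```

Since the first $l'$ components are shared with an earlier index sequence, they are recovered from that sequence rather than from $\mathit{num}_{k,M}$; this is why the inverse takes the prefix as a separate argument, mirroring the last paragraph of the proof of Lemma 11, which treats the first $l$ components and the last $|\tilde{a}'| - l$ components separately.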

Then we define $C = (\mathbf{newChannel}\ c_{\tilde{j}}; \mathbf{newChannel}\ d_{\tilde{j}};)_{\tilde{j}}\,([\,] \mid \mathit{relay}(L) \mid Q''_0)$ where the process $Q''_0$ is defined from $Q_0$ as follows:

• When $x \in S$, we replace its definition $\mathbf{new}\ x : T; Q$ with $\mathbf{let}\ x : T = \mathit{cst}\ \mathbf{in}\ Q$ for some constant $\mathit{cst}$.

• For each $M \in \mathcal{M}$, let $P_M = C_M[M]$ be the smallest subprocess of $Q_0$ containing $M$. Let $l = \mathit{nNewSeq}_M$ and $m = \mathit{nInput}_M$. Let $\mathit{BL}(M) = (j_0, \ldots, j_l)$. Let $d_M = d_{j_0, \ldots, j_l}[\mathit{convindex}(l, M)]$ and for all $k \le l$, $d_{M, k} = d_{j_0, \ldots, j_{k-1}}[\mathit{convindex}(k, M)]$. We replace $P_M$ with $d_{M, 1}\langle\rangle; d_{M, 1}(); \ldots d_{M, l}\langle\rangle; d_{M, l}(); d_M\langle\sigma_M x_{1, M}, \ldots, \sigma_M x_{m, M}\rangle; d_M(y : \mathit{bitstring}); C_M[y]$ where $y$ is a fresh variable.

Instead of evaluating the terms $M \in \mathcal{M}$ directly as in $Q_0$, $Q''_0$ sends messages to the relay process $\mathit{relay}(L)$, which will then forward them to $[[L]]$ in $C[[[L]]]$ and to $[[R]]$ in $C[[[R]]]$.

Lemma 11 $Q_0 \approx^{V_0} C[[[L]]]$

Proof The bounds of replications of $[[L]]$ and $\mathit{relay}(L)$ have been defined above. As outlined in the proof of Proposition 6, the length of all bitstrings manipulated by $Q_0$ is polynomial in $\eta$.

We can therefore define $\mathit{maxlen}_\eta(c_{\tilde{j}})$ to be a polynomial large enough so that messages sent on $c_{\tilde{j}}$ by $C[[[L]]]$ are never truncated. We define $\mathit{maxlen}_\eta(d_{\tilde{j}}) = \mathit{maxlen}_\eta(c_{\tilde{j}})$; then messages on $d_{\tilde{j}}$ are never truncated.

Let $C'$ be any evaluation context acceptable for $Q_0, C[[[L]]], V$. We relate traces of $C'[Q_0]$ and of $C'[C[[[L]]]]$ as follows.

We assume that the channels $c_{\tilde{j}}$ and $d_{\tilde{j}}$ do not occur in $C'$ and $Q_0$, and that during reductions (NewChannel), these channels are substituted by themselves. (This is easy to guarantee by renaming; this assumption simplifies notations in the proof.)

We write $M =_E M'$ when $E, M \Downarrow a$ and $E, M' \Downarrow a$ for some bitstring $a$. We denote by $k\text{-th}(\tilde{i})$ the $k$-th component of the tuple $\tilde{i}$, and by $|\tilde{i}|$ the number of elements of the tuple $\tilde{i}$.

We define a relation between variables of $S$ in $Q_0$ and variables $y$ defined by $\mathbf{new}$ in $[[L]]$: we say that $y[a_1, \ldots, a_j] \xrightarrow{\mathit{var}}_E \mathit{varIm}_L(y, M)[\tilde{a}']$ when for all $k' \le j$, $E, \mathit{addstart}_{k', M}(\mathit{num}_{k', M}(\mathit{im}\,(\rho_{j-1}(M) \circ \ldots \circ \rho_{k'}(M))\{\tilde{a}'/\tilde{i}\})) \Downarrow a_{k'}$, where $\tilde{i} \le \tilde{n}$ are the current replication indices at the definition of $\mathit{varIm}_L(y, M)$ with their associated bounds, and for all $l \le |\tilde{i}|$, $l\text{-th}(\tilde{a}') \in [1, I_\eta(l\text{-th}(\tilde{n}))]$. (Note that $\xrightarrow{\mathit{var}}$ depends on $\eta$.)

We show that the relation $\xrightarrow{\mathit{var}}_E$ is a (partial) function, that is, if $y[a_1, \ldots, a_j] \xrightarrow{\mathit{var}}_E M_V$ and $y[a_1, \ldots, a_j] \xrightarrow{\mathit{var}}_E M'_V$ then $M_V = M'_V$. Assume that $y[a_1, \ldots, a_j] \xrightarrow{\mathit{var}}_E z'[\tilde{a}']$ and $y[a_1, \ldots, a_j] \xrightarrow{\mathit{var}}_E z''[\tilde{a}'']$. Then

• we have $z' = \mathit{varIm}_L(y, M')$ and $E, \mathit{addstart}_{k', M'}(\mathit{num}_{k', M'}(\mathit{im}\,(\rho_{j-1}(M') \circ \ldots \circ \rho_{k'}(M'))\{\tilde{a}'/\tilde{i}'\})) \Downarrow a_{k'}$ for all $k' \le j$, where $\tilde{i}' \le \tilde{n}'$ are the current replication indices at the definition of $z'$ with their associated bounds, and for all $l \le |\tilde{i}'|$, $l\text{-th}(\tilde{a}') \in [1, I_\eta(l\text{-th}(\tilde{n}'))]$,

• we have $z'' = \mathit{varIm}_L(y, M'')$ and $E, \mathit{addstart}_{k', M''}(\mathit{num}_{k', M''}(\mathit{im}\,(\rho_{j-1}(M'') \circ \ldots \circ \rho_{k'}(M''))\{\tilde{a}''/\tilde{i}''\})) \Downarrow a_{k'}$ for all $k' \le j$, where $\tilde{i}'' \le \tilde{n}''$ are the current replication indices at the definition of $z''$ with their associated bounds, and for all $l \le |\tilde{i}''|$, $l\text{-th}(\tilde{a}'') \in [1, I_\eta(l\text{-th}(\tilde{n}''))]$.

For all terms M ′′, we have eitherstartη(k′,M ′′) ≤startη(k′,M ′) or startη(k′,M ′′) ≥ startη(k′,M ′) +countη(k′,M ′) since startη(k′,M ′′) is computed by addingcountη(k′,M3) for some termsM3 in a fixed order. Moreover,numk′,M ′(. . .) evaluates to a bitstring in[1, countη(k′,M ′)].Therefore, startη(k′,M ′′) ≤ startη(k′,M ′). By sym-metry, startη(k′,M ′′) ≥ startη(k′,M ′). So we havefor all k′ ≤ j, startη(k′,M ′) = startη(k′,M ′′) andnumk′,M ′(im (ρj−1(M

′) ◦ . . . ◦ ρk′(M ′)){a′/i′}) =E

numk′,M ′′(im (ρj−1(M′′) ◦ . . . ◦ ρk′(M ′′)){a′′/i′′}). Since

startη(j,M ′) = startη(j,M ′′), by definition of startη, M ′

shares the firstj sequences of random variables withM ′′.Sincey hasj indices,y is defined underj replications inL,so varImL(y,M ′) = varImL(y,M ′′), that is,z′ = z′′. So

Page 328: V´erification automatique de protocoles cryptographiques ... · des protocoles cryptographiques dans le mod`ele calculatoire, et David Pointcheval pour m’avoir patiemment expliqu´e

320 Bruno Blanchet

|a′| = |a′′|. By Hypothesis H′4.2,ρk′(M ′) = ρk′(M ′′) for allk′ < j. By definition ofnum, Iη(numk′,M ′) = Iη(numk′,M ′′)for all k′ ≤ j.

We show by induction on $k'$ that if for all $k'' \le k'$, $\mathit{num}_{k'',M'}(\mathrm{im}(\rho_{k'-1}(M') \circ \dots \circ \rho_{k''}(M'))\{a'/i'\}) =_E \mathit{num}_{k'',M'}(\mathrm{im}(\rho_{k'-1}(M') \circ \dots \circ \rho_{k''}(M'))\{a''/i'\})$, where $i' \le n'$ are the current replication indices at the definition of $z_{k',M'}$ with their associated bounds, and $l\text{-th}(a'), l\text{-th}(a'') \in [1, I_\eta(l\text{-th}(n'))]$, then $a' = a''$.

• For $k' = 1$, we assume $\mathit{num}_{1,M'}(a') =_E \mathit{num}_{1,M'}(a'')$. The longest common prefix of $\mathit{index}_1(M')$ and $\mathit{index}_{j''}(M')$ for $j'' < 1$ is empty, since $\mathit{index}_{j''}(M')$ is defined only for $j'' \ge 1$. So $\mathit{num}_{1,M'}$ establishes a bijection between the tuples $a'$ smaller than the current replication bounds at the definition of $z_{1,M'}$ and the interval $[1, \mathit{count}_\eta(1,M')]$. So $a' = a''$.

• For $k' > 1$, we assume that $\mathit{num}_{k'',M'}(\mathrm{im}(\rho_{k'-1}(M') \circ \dots \circ \rho_{k''}(M'))\{a'/i'\}) =_E \mathit{num}_{k'',M'}(\mathrm{im}(\rho_{k'-1}(M') \circ \dots \circ \rho_{k''}(M'))\{a''/i'\})$ for all $k'' \le k'$. Let $k'_{\mathrm{ind}} < k'$. Let $E, \mathrm{im}(\rho_{k'-1}(M') \circ \dots \circ \rho_{k'_{\mathrm{ind}}}(M'))\{a'/i'\} \Downarrow a'_{\mathrm{ind}}$ and $E, \mathrm{im}(\rho_{k'-1}(M') \circ \dots \circ \rho_{k'_{\mathrm{ind}}}(M'))\{a''/i'\} \Downarrow a''_{\mathrm{ind}}$. By hypothesis, we have for all $k'' \le k'_{\mathrm{ind}}$, $\mathit{num}_{k'',M'}(\mathrm{im}(\rho_{k'_{\mathrm{ind}}-1}(M') \circ \dots \circ \rho_{k''}(M'))\{a'_{\mathrm{ind}}/i'_{\mathrm{ind}}\}) =_E \mathit{num}_{k'',M'}(\mathrm{im}(\rho_{k'_{\mathrm{ind}}-1}(M') \circ \dots \circ \rho_{k''}(M'))\{a''_{\mathrm{ind}}/i'_{\mathrm{ind}}\})$ where $i'_{\mathrm{ind}} \le n'_{\mathrm{ind}}$ are the current replication indices at the definition of $z_{k'_{\mathrm{ind}},M'}$ with their associated bounds. By induction hypothesis, $a'_{\mathrm{ind}} = a''_{\mathrm{ind}}$, so for all $k'' < k'$, $\mathrm{im}(\rho_{k'-1}(M') \circ \dots \circ \rho_{k''}(M'))\{a'/i'\} =_E \mathrm{im}(\rho_{k'-1}(M') \circ \dots \circ \rho_{k''}(M'))\{a''/i'\}$. For $k'' = k'$, we have $\mathit{num}_{k',M'}(a') =_E \mathit{num}_{k',M'}(a'')$.

Let $l$ be the length of the longest common prefix of $\mathrm{im}\,\mathit{index}_{k'}(M')$ and $\mathrm{im}\,\mathit{index}_{k''_0}(M')$ for $k''_0 < k'$. Since $\mathit{index}_{k''_0}(M') = \mathit{index}_{k'}(M') \circ \rho_{k'-1}(M') \circ \dots \circ \rho_{k''_0}(M')$, the first $l$ components of $\mathrm{im}(\rho_{k'-1}(M') \circ \dots \circ \rho_{k''_0}(M'))$ are then the first $l$ components of $i'$, so the first $l$ components of $a'$ and $a''$ are equal. Moreover $\mathit{num}_{k',M'}$ establishes a bijection between the last $|a'| - l$ components of its argument and the interval $[1, \mathit{count}_\eta(k',M')]$. So the last $|a'| - l$ components of $a'$ and $a''$ are equal. Hence $a' = a''$.

Therefore, we conclude that $a' = a''$, so $z'[a'] = z''[a'']$. Next, we show that the function $\xrightarrow{\mathrm{var}}_E$ is injective. If $y'[a'_1,\dots,a'_{j'}] \xrightarrow{\mathrm{var}}_E z[a_1,\dots,a_j]$ and $y''[a''_1,\dots,a''_{j''}] \xrightarrow{\mathrm{var}}_E z[a_1,\dots,a_j]$, then $z = \mathit{varIm}_L(y',M')$ and $z = \mathit{varIm}_L(y'',M'')$. By Hypothesis H'4.1, $M'$ and $M''$ share at least the first $j' = j''$ sequences of random variables and $y' = y''$. By Hypothesis H'4.2, $\rho_{k'}(M') = \rho_{k'}(M'')$ for all $k' < j' = j''$. By definition of $\mathit{addstart}$ and $\mathit{num}$, $\mathit{start}_\eta(k',M') = \mathit{start}_\eta(k',M'')$ and $I_\eta(\mathit{num}_{k',M'}) = I_\eta(\mathit{num}_{k',M''})$ for all $k' \le j' = j''$. Hence $a'_{k'} = a''_{k'}$ for all $k' \le j' = j''$. So $y'[a'_1,\dots,a'_{j'}] = y''[a''_1,\dots,a''_{j''}]$.

For each trace $\mathit{initConfig}(C'[Q_0]) \to \dots \to E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m$ of $C'[Q_0]$ of probability $p_m$, we show that there exists a trace $\mathit{initConfig}(C'[C[[[L]]]]) \to \dots \to E'_{m'}, P'_{m'}, \mathcal{Q}'_{m'}, \mathcal{C}'_{m'}$ of $C'[C[[[L]]]]$ of probability $p'_{m'}$ such that

• For all $z \notin S$, $E'_{m'}(z[a'_1,\dots,a'_{j'}]) = E_m(z[a'_1,\dots,a'_{j'}])$; for all $z \in S$, $z[a'_1,\dots,a'_{j'}]$ is in $\mathrm{Dom}(E_m)$ if and only if it is in $\mathrm{Dom}(E'_{m'})$; if $y$ is defined by $\mathsf{new}$ in $L$ and $y[a_1,\dots,a_j] \in \mathrm{Dom}(E'_{m'})$ then there exists $M_V$ such that $y[a_1,\dots,a_j] \xrightarrow{\mathrm{var}}_{E_m} M_V$ and $M_V \in \mathrm{Dom}(E_m)$, and for all such $M_V$, $E'_{m'}(y[a_1,\dots,a_j]) = E_m(M_V)$.

• $P'_{m'}$ is obtained from $P_m$ as $Q''_0$ from $Q_0$ (transforming only the occurrences that appear in $P_m$), $\mathcal{Q}'_{m'} = \mathcal{Q}^1_{m'} \uplus \mathcal{Q}^2_{m'} \uplus \mathcal{Q}^3_{m'}$, where $\mathcal{Q}^1_{m'}$ is obtained from $\mathcal{Q}_m$ as $Q''_0$ from $Q_0$ (transforming only the occurrences that appear in $\mathcal{Q}_m$), $\mathcal{Q}^2_{m'}$ is what remains of $\mathit{relay}(L)$ after partial execution, and $\mathcal{Q}^3_{m'}$ is what remains of $[[L]]$ after partial execution. More precisely, let

$$\mathit{relay}(L^{a_1,\dots,a_k}_{j_0,\dots,j_k}) = \mathit{relay}(L_{j_0,\dots,j_k})^{j_0,\dots,j_k}_{i_1,\dots,i_k}\{a_1/i_1,\dots,a_k/i_k\}$$

$$[[L^{a_1,\dots,a_k}_{j_0,\dots,j_k}]] = [[L_{j_0,\dots,j_k}]]^{j_0,\dots,j_k}_{i_1,\dots,i_k}\{a_1/i_1,\dots,a_k/i_k\}$$

where $i_1,\dots,i_k$ are the replication indices of $L$ above $L_{j_0,\dots,j_k}$. These processes correspond respectively to the relay process and to the translation of the subtree $L_{j_0,\dots,j_k}$ of $L$, for the value $a_1,\dots,a_k$ of the replication indices. Let $\mathit{redRepl}(a, !^{i \le n}P) = P\{a/i\}$. Then $\mathcal{Q}^2_{m'}$ and $\mathcal{Q}^3_{m'}$ are formed as follows:

– for each $j_0,\dots,j_{k-1}, a_1,\dots,a_k$ such that $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k] \in \mathrm{Dom}(E'_{m'})$, $\mathcal{Q}^2_{m'}$ contains $d_{j_0,\dots,j_{k-1}}[a_1,\dots,a_k](); d_{j_0,\dots,j_{k-1}}[a_1,\dots,a_k]\langle\rangle$, possibly several times.

– for each $j_0,\dots,j_{k-1}, a_1,\dots,a_k$ such that $y_{(j_0,\dots,j_{k-2}),k''}[a_1,\dots,a_{k-1}] \in \mathrm{Dom}(E'_{m'})$ and $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k] \notin \mathrm{Dom}(E'_{m'})$, $\mathcal{Q}^2_{m'}$ contains $\mathit{redRepl}(a_k, \mathit{relay}(L^{a_1,\dots,a_{k-1}}_{j_0,\dots,j_{k-1}}))$ and $\mathcal{Q}^3_{m'}$ contains $\mathit{redRepl}(a_k, [[L^{a_1,\dots,a_{k-1}}_{j_0,\dots,j_{k-1}}]])$.

– for each $j_0,\dots,j_l, a_1,\dots,a_l$ such that $y_{(j_0,\dots,j_{l-1}),k'}[a_1,\dots,a_l] \in \mathrm{Dom}(E'_{m'})$ and $L_{j_0,\dots,j_l}$ is a leaf of $L$, either $\mathcal{Q}^2_{m'}$ contains $\mathit{relay}(L^{a_1,\dots,a_l}_{j_0,\dots,j_l})$ and $\mathcal{Q}^3_{m'}$ contains $[[L^{a_1,\dots,a_l}_{j_0,\dots,j_l}]]$, or $\mathcal{Q}^2_{m'}$ contains

$$d_{j_0,\dots,j_l}[a_1,\dots,a_l](x_{(j_0,\dots,j_l),1} : T_{(j_0,\dots,j_l),1}, \dots, x_{(j_0,\dots,j_l),l'} : T_{(j_0,\dots,j_l),l'}); d_{j_0,\dots,j_l}[a_1,\dots,a_l]\langle r\rangle$$

with $l' = \mathit{nInput}_{j_0,\dots,j_l}$, possibly several times, and there exist $M' \in \mathcal{M}$ and $a'$ such that $E_m, \mathit{convindex}(l,M')\{a'/i'\} \Downarrow a_1,\dots,a_l$, $E_m, M'\{a'/i'\} \Downarrow r$, and $\mathit{BL}(M') = (j_0,\dots,j_l)$, where $i'$ is the sequence of replication indices at $M'$,

where for each $k$, $a_k$ is a bitstring in $[1, \mathit{tot\ count}_\eta(j_0,\dots,j_{k-1})]$.

• $\mathcal{C}'_{m'} = \mathcal{C}_m \cup \{c_j, d_j \mid j\}$.

• $p'_{m'} = p_m \times \prod_{z, a'_1,\dots,a'_{j'}} |I_\eta(T)|$ where $T$ is the type of $z$ and $z \in S$, $a'_1,\dots,a'_{j'}$ are such that $z[a'_1,\dots,a'_{j'}] \in \mathrm{Dom}(E_m)$ and there exists no $y[a_1,\dots,a_j] \in \mathrm{Dom}(E'_{m'})$ such that $y[a_1,\dots,a_j] \xrightarrow{\mathrm{var}}_{E_m} z[a'_1,\dots,a'_{j'}]$.

Note that the same trace of $C'[C[[[L]]]]$ corresponds to $\prod_{z, a'_1,\dots,a'_{j'}} |I_\eta(T)|$ traces of $C'[Q_0]$ that differ only by the values of $E_m(z[a'_1,\dots,a'_{j'}])$ for $z \in S$, $a'_1,\dots,a'_{j'}$ as defined in the last item above.

The proof proceeds by induction on the length $m$ of the trace of $C'[Q_0]$. For the induction step, we distinguish cases depending on the last reduction step of the trace.

• For the initial case, we show by induction on $C''$ that for all $C'', \mathcal{Q}, \mathcal{C}, \sigma$ such that $\sigma$ substitutes channel names for channel names without touching $c_j$ and $d_j$, there exist $\mathcal{Q}', \mathcal{C}', \sigma'$ such that $\sigma'$ substitutes channel names for channel names without touching $c_j$ and $d_j$, $\emptyset, \{C''[\sigma Q_0]\} \uplus \mathcal{Q}, \mathcal{C} \leadsto^* \emptyset, \{\sigma' Q_0\} \uplus \mathcal{Q}', \mathcal{C}'$, and $\emptyset, \{C''[\sigma C[[[L]]]]\} \uplus \mathcal{Q}, \mathcal{C} \leadsto^* \emptyset, \{\sigma' C[[[L]]]\} \uplus \mathcal{Q}', \mathcal{C}'$. This is obvious when $C'' = [\,]$, with $\sigma' = \sigma$, $\mathcal{Q}' = \mathcal{Q}$, and $\mathcal{C}' = \mathcal{C}$. We show this result by applying (Par) when $C'' = C_1 \mid Q_1$ or $C'' = Q_1 \mid C_1$, and (NewChannel) when $C'' = \mathsf{newChannel}\ c; C_1$.

So we can apply this result to $C'' = C'$, $\sigma = \mathit{Id}$, $\mathcal{Q} = \emptyset$, and $\mathcal{C} = \mathit{fc}(C'[Q_0])$. We have $\mathit{fc}(C'[Q_0]) = \mathit{fc}(C'[C[[[L]]]])$, since $\mathit{fc}(Q_0) = \mathit{fc}(Q''_0) = \mathit{fc}(C[[[L]]])$. Therefore, there exist $\mathcal{Q}, \mathcal{C}, \sigma$ such that $\sigma$ substitutes channel names for channel names without touching $c_j$ and $d_j$, $\emptyset, \{C'[Q_0]\}, \mathit{fc}(C'[Q_0]) \leadsto^* \emptyset, \{\sigma Q_0\} \uplus \mathcal{Q}, \mathcal{C}$, and

$$\emptyset, \{C'[C[[[L]]]]\}, \mathit{fc}(C'[C[[[L]]]]) \leadsto^* \emptyset, \{\sigma C[[[L]]]\} \uplus \mathcal{Q}, \mathcal{C}$$
$$\leadsto^* \emptyset, \{\sigma Q''_0, \mathit{relay}(L), [[L]]\} \uplus \mathcal{Q}, \mathcal{C} \cup \{c_j, d_j \mid j\} \quad \text{by (NewChannel) and (Par)}$$
$$\leadsto^* \emptyset, \{\sigma Q''_0\} \uplus \mathcal{Q}^2_0 \uplus \mathcal{Q}^3_0 \uplus \mathcal{Q}, \mathcal{C} \cup \{c_j, d_j \mid j\} \quad \text{by (Par) and (Repl)}$$

where $\mathcal{Q}^2_0 = \{\mathit{redRepl}(a, \mathit{relay}(L_{j_0})^{j_0}) \mid j_0, a \in [1, \mathit{tot\ count}_\eta(j_0)]\}$ is what remains from $\mathit{relay}(L)$ after expansion of parallel compositions and replications, and $\mathcal{Q}^3_0 = \{\mathit{redRepl}(a, [[L_{j_0}]]^{j_0}) \mid j_0, a \in [1, \mathit{tot\ count}_\eta(j_0)]\}$ is what remains of $[[L]]$ after expansion of parallel compositions and replications.

Moreover, $\sigma Q''_0$ is obtained from $\sigma Q_0$ as $Q''_0$ from $Q_0$, and $\mathcal{Q}$ does not contain any occurrence modified when transforming $Q_0$ into $Q''_0$, so $\{\sigma Q''_0\} \uplus \mathcal{Q}$ is obtained from $\{\sigma Q_0\} \uplus \mathcal{Q}$ as $Q''_0$ from $Q_0$.

Reducing $\{\sigma Q''_0\} \uplus \mathcal{Q}$ and $\{\sigma Q_0\} \uplus \mathcal{Q}$ by $\leadsto$ until they are in normal form, we obtain that $\mathit{reduce}(\emptyset, \{C'[Q_0]\}, \mathit{fc}(C'[Q_0])) = (\emptyset, \mathcal{Q}_0, \mathcal{C}')$ and $\mathit{reduce}(\emptyset, \{C'[C[[[L]]]]\}, \mathit{fc}(C'[C[[[L]]]])) = (\emptyset, \mathcal{Q}^1_0 \uplus \mathcal{Q}^2_0 \uplus \mathcal{Q}^3_0, \mathcal{C}' \cup \{c_j, d_j \mid j\})$, where $\mathcal{Q}^1_0$ is obtained from $\mathcal{Q}_0$ as $Q''_0$ from $Q_0$. Therefore, $\mathit{initConfig}(C'[Q_0])$ and $\mathit{initConfig}(C'[C[[[L]]]])$ satisfy the desired invariant.

• When the trace of $C'[Q_0]$ executes $\mathsf{new}\ x[a_1,\dots,a_l] : T$ by (New) for $x \in S$ at step $m$, the corresponding trace of $C'[C[[[L]]]]$ executes $\mathsf{let}\ x[a_1,\dots,a_l] : T = \mathit{cst}\ \mathsf{in}$ by (Let) at step $m'$. This yields $|I_\eta(T)|$ traces of $C'[Q_0]$, one for each value of $E_m(x[a_1,\dots,a_l])$, each with probability $p_m = p_{m-1}/|I_\eta(T)|$. In contrast, this yields a single trace of $C'[C[[[L]]]]$, with probability $p'_{m'} = p'_{m'-1}$.

Moreover, there exists no $y[a'_1,\dots,a'_{l'}] \in \mathrm{Dom}(E'_{m'})$ such that $y[a'_1,\dots,a'_{l'}] \xrightarrow{\mathrm{var}}_{E_m} x[a_1,\dots,a_l]$. Otherwise, by the first point of the invariant, before the definition of $x[a_1,\dots,a_l]$, there would exist $M_V$ such that $y[a'_1,\dots,a'_{l'}] \xrightarrow{\mathrm{var}}_{E_{m-1}} M_V$ and $M_V \in \mathrm{Dom}(E_{m-1})$. Since $E_m$ is an extension of $E_{m-1}$, $y[a'_1,\dots,a'_{l'}] \xrightarrow{\mathrm{var}}_{E_m} M_V$. Since $\xrightarrow{\mathrm{var}}_{E_m}$ is injective, $M_V = x[a_1,\dots,a_l]$. This yields a contradiction, since $M_V \in \mathrm{Dom}(E_{m-1})$ but $x[a_1,\dots,a_l] \notin \mathrm{Dom}(E_{m-1})$ by Invariant 4. (The array cell $x[a_1,\dots,a_l]$ cannot be defined several times in a trace.)

It is then easy to see that the invariant is satisfied.

• When the trace of $C'[Q_0]$ executes $\sigma_i P_M$ for $M \in \mathcal{M}$, the corresponding trace of $C'[C[[[L]]]]$ executes

$$\sigma_i(d_{M,1}\langle\rangle; d_{M,1}(); \dots d_{M,l}\langle\rangle; d_{M,l}(); d_M\langle\sigma_M x_{1,M}, \dots, \sigma_M x_{m,M}\rangle; d_M(y : \mathit{bitstring}); C_M[y])$$

where $\sigma_i = \{a/i\}$, $i$ is the sequence of current replication indices at $P_M$, and $\mathit{BL}(M) = (j_0,\dots,j_l)$.

For $k \le l$, let $a_k$ be such that $E_m, \mathit{addstart}_{k,M}(\mathit{num}_{k,M}(\sigma_i(\mathrm{im}\,\mathit{index}_k(M)))) \Downarrow a_k$ and let $b_k$ be such that $E_m, \sigma_i(\mathrm{im}\,\mathit{index}_k(M)) \Downarrow b_k$.

Let $m'_k$ be the step of the trace of $C'[C[[[L]]]]$ after executing $\sigma_i d_{M,k}\langle\rangle; \sigma_i d_{M,k}()$, where $d_{M,k} = d_{j_0,\dots,j_{k-1}}[\mathit{convindex}(k,M)]$. We show by induction on $k$ that for all $k'$, $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k] \in \mathrm{Dom}(E'_{m'_k})$ and that the invariant is satisfied at step $m'_k$ except that $\sigma_i(d_{M,1}\langle\rangle; d_{M,1}(); \dots; d_{M,k}\langle\rangle; d_{M,k}())$ has been removed from $P'_{m'_k}$. Let $z_{kk'} = \mathit{varIm}_L(y_{(j_0,\dots,j_{k-1}),k'}, M)$. We have $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k] \xrightarrow{\mathrm{var}}_{E_m} z_{kk'}[b_k]$. Moreover, $z_{kk'}[b_k] \in \mathrm{Dom}(E_m)$ since $z_{kk'}[\sigma_i(\mathrm{im}\,\mathit{index}_k(M))]$ occurs in $\sigma_i M$, and $\sigma_i M$ is successfully evaluated in the trace of $C'[Q_0]$. We distinguish two cases:

– 1) $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k] \in \mathrm{Dom}(E'_{m'_{k-1}})$. By the invariant at step $m'_{k-1}$, $\mathcal{Q}^2_{m'_{k-1}}$ contains $d_{j_0,\dots,j_{k-1}}[a_1,\dots,a_k](); d_{j_0,\dots,j_{k-1}}[a_1,\dots,a_k]\langle\rangle$. So we can execute $\sigma_i d_{M,k}\langle\rangle; \sigma_i d_{M,k}()$ by two (Output) steps, without changing the environment, so $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k] \in \mathrm{Dom}(E'_{m'_k})$ and the invariant is satisfied at step $m'_k$ except that $\sigma_i(d_{M,1}\langle\rangle; d_{M,1}(); \dots d_{M,k}\langle\rangle; d_{M,k}())$ is removed from $P'_{m'_k}$.


– 2) $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k] \notin \mathrm{Dom}(E'_{m'_{k-1}})$. By induction hypothesis, $y_{(j_0,\dots,j_{k-2}),k'}[a_1,\dots,a_{k-1}] \in \mathrm{Dom}(E'_{m'_{k-1}})$. By the invariant at step $m'_{k-1}$, $\mathit{redRepl}(a_k, \mathit{relay}(L^{a_1,\dots,a_{k-1}}_{j_0,\dots,j_{k-1}})) \in \mathcal{Q}^2_{m'_{k-1}}$ and $\mathit{redRepl}(a_k, [[L^{a_1,\dots,a_{k-1}}_{j_0,\dots,j_{k-1}}]]) \in \mathcal{Q}^3_{m'_{k-1}}$. By (Output) twice, we send an empty message on $d_{j_0,\dots,j_{k-1}}[a_1,\dots,a_k]$ and on $c_{j_0,\dots,j_{k-1}}[a_1,\dots,a_k]$. By (New), we define $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k]$ for each $k'$. We choose $E_m(z_{kk'}[b_k])$ as the value of $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k]$ (with probability $\frac{1}{|I_\eta(T)|}$ where $T$ is the type of $y_{(j_0,\dots,j_{k-1}),k'}$). Finally, by (Output) twice, we send an empty message on $c_{j_0,\dots,j_{k-1}}[a_1,\dots,a_k]$ and on $d_{j_0,\dots,j_{k-1}}[a_1,\dots,a_k]$. Then the invariant is satisfied at step $m'_k$ except that $\sigma_i(d_{M,1}\langle\rangle; d_{M,1}(); \dots d_{M,k}\langle\rangle; d_{M,k}())$ is removed from $P'_{m'_k}$. (Note that the probability of the trace of $C'[C[[[L]]]]$ is divided by $\prod_{k'} |I_\eta(T_{(j_0,\dots,j_{k-1}),k'})|$ where $T_{(j_0,\dots,j_{k-1}),k'}$ is the type of $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k]$. This is what is required by the invariant since $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k]$ is defined at step $m'_k$ but was not at step $m'_{k-1}$.)

So $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k] \in \mathrm{Dom}(E'_{m'_l})$ for all $k \le l$ and $k'$, and the invariant is satisfied at step $m'_l$ except that $\sigma_i(d_{M,1}\langle\rangle; d_{M,1}(); \dots d_{M,l}\langle\rangle; d_{M,l}())$ is removed from $P'_{m'_l}$. Let $a$ be such that $E_m, \sigma_i M \Downarrow a$. Let $m''$ be the step of the trace of $C'[C[[[L]]]]$ after executing $\sigma_i(d_M\langle\sigma_M x_{1,M}, \dots, \sigma_M x_{l',M}\rangle; d_M(y : \mathit{bitstring}))$ with $l' = \mathit{nInput}_M$. By the invariant, we have two cases:

– 1) $\mathit{relay}(L^{a_1,\dots,a_l}_{j_0,\dots,j_l}) \in \mathcal{Q}^2_{m'_l}$ and $[[L^{a_1,\dots,a_l}_{j_0,\dots,j_l}]] \in \mathcal{Q}^3_{m'_l}$. The process $\sigma_i d_M\langle\sigma_M x_{1,M}, \dots, \sigma_M x_{l',M}\rangle$ sends the value of $\sigma_i\sigma_M x_{k',M}$ for $k' \le l'$ on channel $d_{j_0,\dots,j_l}[a_1,\dots,a_l]$. By (Output), this message is received by $\mathit{relay}(L^{a_1,\dots,a_l}_{j_0,\dots,j_l})$, which forwards it by (Output) again to $[[L^{a_1,\dots,a_l}_{j_0,\dots,j_l}]]$ on channel $c_{j_0,\dots,j_l}[a_1,\dots,a_l]$. On reception of this message by $[[L^{a_1,\dots,a_l}_{j_0,\dots,j_l}]]$, $E'_{m''}(x_{(j_0,\dots,j_l),k'}[a_1,\dots,a_l])$ is set to the received value, so $E_m, \sigma_i\sigma_M x_{k',M} \Downarrow E'_{m''}(x_{(j_0,\dots,j_l),k'}[a_1,\dots,a_l])$ for each $k' \le l'$. For all $k \le l$ and $k'$, since $y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k] \xrightarrow{\mathrm{var}}_{E_m} z_{kk'}[b_k]$, by the invariant we have $E'_{m'_l}(y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k]) = E_m(z_{kk'}[b_k])$, so $E'_{m''}(y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k]) = E_m(z_{kk'}[b_k])$. Moreover, $\sigma_M y_{kk',M} = z_{kk'}[\mathrm{im}\,\mathit{index}_k(M)]$, so $E_m, \sigma_i\sigma_M y_{kk',M} \Downarrow E'_{m''}(y_{(j_0,\dots,j_{k-1}),k'}[a_1,\dots,a_k])$. Therefore, for all variables $x$ of $N_M$ defined under $k$ replications, $E_m, \sigma_i\sigma_M x \Downarrow E'_{m''}(x[a_1,\dots,a_k])$. Since $M = \sigma_M N_M$, we have $E_m, \sigma_i\sigma_M N_M \Downarrow a$, so $E'_{m''}, N_M\{a_1/i_1,\dots,a_l/i_l\} \Downarrow a$, where $i_1,\dots,i_l$ are the replication indices of $L$ above $L_{j_0,\dots,j_l}$. Hence $[[L^{a_1,\dots,a_l}_{j_0,\dots,j_l}]]$ sends back $a$ on channel $c_{j_0,\dots,j_l}[a_1,\dots,a_l]$ by (Output), which is forwarded on channel $d_{j_0,\dots,j_l}[a_1,\dots,a_l]$ by $\mathit{relay}(L^{a_1,\dots,a_l}_{j_0,\dots,j_l})$ by (Output) again, so $a$ is stored in $y[a]$ by $Q''$. Thus $E'_{m''}(y[a]) = a$.

In order to show that the invariant still holds after this step, we remark that, after these outputs, the relay process makes available the following process

$$d_{j_0,\dots,j_l}[a_1,\dots,a_l](x_{(j_0,\dots,j_l),1} : T_{(j_0,\dots,j_l),1}, \dots, x_{(j_0,\dots,j_l),l'} : T_{(j_0,\dots,j_l),l'}); d_{j_0,\dots,j_l}[a_1,\dots,a_l]\langle a\rangle$$

and we have $E_m, \mathit{convindex}(l,M)\{a/i\} \Downarrow a_1,\dots,a_l$, $E_m, M\{a/i\} \Downarrow a$, and $\mathit{BL}(M) = (j_0,\dots,j_l)$.

– 2) $d_{j_0,\dots,j_l}[a_1,\dots,a_l](x_{(j_0,\dots,j_l),1} : T_{(j_0,\dots,j_l),1}, \dots, x_{(j_0,\dots,j_l),l'} : T_{(j_0,\dots,j_l),l'}); d_{j_0,\dots,j_l}[a_1,\dots,a_l]\langle r\rangle \in \mathcal{Q}^2_{m'_l}$ and there exist $M' \in \mathcal{M}$ and $a'$ such that $E_m, \mathit{convindex}(l,M')\{a'/i'\} \Downarrow a_1,\dots,a_l$, $E_m, M'\{a'/i'\} \Downarrow r$, and $\mathit{BL}(M') = (j_0,\dots,j_l)$, where $i'$ is the sequence of current replication indices at $M'$.

We have $E_m, \mathit{convindex}(l,M)\{a/i\} \Downarrow a_1,\dots,a_l$ by definition of $a_1,\dots,a_l$. So $\mathit{convindex}(l,M')\{a'/i'\} =_{E_m} \mathit{convindex}(l,M)\{a/i\}$, so, as shown in the proof that $\xrightarrow{\mathrm{var}}_E$ is a function, $\mathit{index}_l(M')\{a'/i'\} =_{E_m} \mathit{index}_l(M)\{a/i\} =_{E_m} b_l$ and $M'$ and $M$ share the first $l$ sequences of random variables, that is, all sequences of random variables, or $m_l = 0$ and $M = M'$. Moreover, $\mathit{BL}(M) = \mathit{BL}(M') = (j_0,\dots,j_l)$, so $N_M = N_{M'}$.

If $m_l = 0$ and $M = M'$, $a' = a$, so $E_m, \sigma_i M \Downarrow r$, so $r = a$.

Otherwise, by Hypothesis H'4.3, there exists a term $M_0$ such that $M = (\mathit{index}_l(M))M_0$, $M' = (\mathit{index}_l(M'))M_0$, and $M_0$ does not contain the current replication indices at $M$ or $M'$. Then

$$a =_{E_m} M\{a/i\} =_{E_m} M_0\{b_l/i''\} =_{E_m} M'\{a'/i'\} =_{E_m} r$$

where $i''$ is the sequence of current replication indices at the definition of $z_{lk',M}$ for any $k'$.

Therefore, in all cases, we obtain $E'_{m''}(y[a]) = a$, so $\sigma_i C_M[y]$ in the trace of $C'[C[[[L]]]]$ executes in the same way as $\sigma_i C_M[M]$ in the trace of $C'[Q_0]$, which yields the desired invariant.

• The other cases are easy: both sides reduce in the same way.

Conversely, we show that all traces of $C'[C[[[L]]]]$ correspond to a trace of $C'[Q_0]$ with the same relation as above. The proof follows a technique similar to the previous proof.

So $\prod_{z, a'_1,\dots,a'_{j'}} |I_\eta(T)|$ traces of $C'[Q_0]$, each of probability $p_m$, correspond to one trace of $C'[C[[[L]]]]$ with probability $p'_{m'} = p_m \times \prod_{z, a'_1,\dots,a'_{j'}} |I_\eta(T)|$. Moreover, for all channels $c$ and bitstrings $a$, $E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m$ executes $c\langle a\rangle$ immediately if and only if $E'_{m'}, P'_{m'}, \mathcal{Q}'_{m'}, \mathcal{C}'_{m'}$ executes $c\langle a\rangle$ immediately. So $\Pr[C'[Q_0] \leadsto_\eta c\langle a\rangle] = \Pr[C'[C[[[L]]]] \leadsto_\eta c\langle a\rangle]$. Hence $Q_0 \approx^{V_0} C[[[L]]]$. $\square$

Lemma 12 $Q'_0 \approx^{V_0} C[[[R]]]$

Proof sketch The proof uses the same technique as the proof of Lemma 11. The main addition is that, in contrast to $L$, $R$ may contain functional processes that are more complex than just terms. In order to handle them, we need to define a relation between variables of $Q'_0$ and variables of $R$ defined by $\mathsf{let}$ or $\mathsf{new}$ in functional processes: when $y$ is such a variable, $y[a_1,\dots,a_l] \xrightarrow{\mathrm{var}}_E \mathit{varIm}_R(y,M)[a']$ where for all $k \le l$, $E, \mathit{addstart}_{k,M}(\mathit{num}_{k,M}(\mathrm{im}\,\mathit{index}_k(M)\{a'/i\})) \Downarrow a_k$ and $i$ is the sequence of current replication indices at $M$. The relation $\xrightarrow{\mathrm{var}}_E$ is not a function for these variables, but we can show that when $y[a_1,\dots,a_l]$ is related to several variables, these variables hold the same value at runtime.

The most delicate case is that of $\mathsf{find}$ functional processes

$$FP = \mathsf{find}\ (\bigoplus_{j=1}^{m} u_j \le n_j\ \mathsf{suchthat}\ \mathsf{defined}(z_{j1}[u_{j1}], \dots, z_{jl_j}[u_{jl_j}]) \wedge M_j\ \mathsf{then}\ FP_j)\ \mathsf{else}\ FP'$$

where for each $k$, $u_{jk}$ is the concatenation of the prefix of the current replication indices of length $l'_0$ and of a non-empty prefix of $u_j$. When executing such a $\mathsf{find}$ process, $[[R]]$ tests the value of $z_{jk}[a_1,\dots,a_{l'_1}]$ for all indices $a_1,\dots,a_{l'_1}$ such that $a_1,\dots,a_{l'_0}$ correspond to a prefix of the current replication indices. Correspondingly, $\mathit{transf}_{\phi,C_M}(FP)$ tests the values of all variables that are related to $z_{jk}[a_1,\dots,a_{l'_1}]$ by $\xrightarrow{\mathrm{var}}$. $\square$

Lemma 13 Process $Q'_0$ satisfies Invariant 1.

Proof Process $Q'_0$ satisfies Invariant 1 since all newly created definitions concern fresh variables; for variables of $Q'_0$ that correspond to variables defined by $\mathsf{new}$ or by an input in $R$, there is a single definition for each of them in $Q'_0$; for variables of $Q'_0$ that correspond to variables defined by $\mathsf{let}$ in $R$, there are several definitions only when there are several definitions of these variables in $R$, and since $[[R]]$ satisfies Invariant 1, these definitions are in different branches of $\mathsf{find}$ (or $\mathsf{if}$) in $R$, so also in $Q'_0$. $\square$

Lemma 14 Process $Q'_0$ satisfies Invariant 2.

Proof The only variable accesses created in $Q'_0$ come from $\mathit{transf}_{\phi_0,C_M}(FP)$. We show by induction on $FP$ that the only variable accesses created by $\mathit{transf}_{\phi,C_M}(FP)$ and not guarded by a corresponding $\mathsf{find}$ are in $\mathrm{im}\,\phi$. (We do not consider variable accesses in $C_M$, which already existed in $Q_0$.) So the only variable accesses created by $\mathit{transf}_{\phi_0,C_M}(FP_M)$ and not guarded by a corresponding $\mathsf{find}$ are in $\mathrm{im}\,\phi_0$. Moreover, variable accesses in $\mathrm{im}\,\phi_0$ are of three kinds:

1. $\mathit{varIm}_R(x_{j,M},M)[i'_1,\dots,i'_{l'}]$, which are defined in $P'_M$, just above $\mathit{transf}_{\phi_0,C_M}(FP_M)$.

2. $\mathit{varIm}_R(y'_{jk,M},M)[\mathrm{im}\,\mathit{index}_j(M)]$ where

(a) either $\mathit{nNew}_{j,M} > 0$ and $z_{j1,M}[\mathrm{im}\,\mathit{index}_j(M)]$ is guaranteed to be defined, since it occurs at this point in the initial process $Q_0$ which satisfies Invariant 2. By the addition of $\mathsf{defined}$ conditions in $\mathsf{find}$ and the fact that $z'_{jk,M} = \mathit{varIm}_R(y'_{jk,M},M)$ is defined in $Q'_0$ where $z_{j1,M}$ was defined in $Q_0$, this implies that $\mathit{varIm}_R(y'_{jk,M},M)[\mathrm{im}\,\mathit{index}_j(M)]$ is also defined.

(b) or $\mathit{nNew}_{j,M} = 0$; then $\mathrm{im}\,\mathit{index}_j(M)$ is the sequence of current replication indices at $M$, and $\mathit{varIm}_R(y'_{jk,M},M)[\mathrm{im}\,\mathit{index}_j(M)]$ is defined just above $P'_M$.

3. $\mathit{varIm}_R(z,M)[i'_1,\dots,i'_{l'}]$ where $z$ is defined by $\mathsf{let}$ in $FP_M$. Since $[[R]]$ satisfies Invariant 2, accesses to $z[i_1,\dots,i_l]$ in $FP_M$ occur under the definition of $z[i_1,\dots,i_l]$ in $FP_M$, so accesses to $\mathit{varIm}_R(z,M)[i'_1,\dots,i'_{l'}] = \phi_0(z[i_1,\dots,i_l])$ also occur under their definition in $\mathit{transf}_{\phi_0,C_M}(FP_M)$.

Therefore, $Q'_0$ satisfies Invariant 2. $\square$

Lemma 15 Process $Q'_0$ satisfies Invariant 3.

Proof The only newly added variable definitions are $\mathsf{let}\ \mathit{varIm}_R(x_{j,M},M) : T_{j,M} = \sigma_M x_{j,M}$ and $\mathsf{new}\ z'_{jk,M} : T'_{jk,M}$. Each variable $\mathit{varIm}_R(x_{j,M},M)$ has at most one definition in $Q'_0$. For variables $z'_{jk,M}$, when several of these definitions are added for the same variable $z'_{jk,M}$, they are added in place of the definition(s) of $z_{j1,M}$, so by Hypothesis H'3.1.1, they occur under the same replications, so they all have the same type. Therefore, the type environment for $Q'_0$ is well-defined.

Assume that $M \in \mathcal{M}$ and $P_M = C_M[M]$ is the smallest process containing $M$. Let $\mathcal{E}_L$ be the type environment at $P_M = C_M[M]$ in $Q_0$; let $\mathcal{E}_R$ be the type environment at $P'_M$ in $Q'_0$; let $\mathcal{E}'_L$ be the type environment at $N_M$ in $L$; let $\mathcal{E}'_R$ be the type environment at $FP_M$ in $R$. We know that $\mathcal{E}_L \vdash P_M$, and show that $\mathcal{E}_R \vdash P'_M$. It is then easy to see that $Q'_0$ is well-typed knowing that $Q_0$ is well-typed. We note that $\mathcal{E}_R$ is an extension of $\mathcal{E}_L$ with types for the variables $\mathit{varIm}_R(y'_{jk,M'},M')$, $\mathit{varIm}_R(x_{j,M'},M')$, and $\mathit{varIm}_R(z,M')$ when $z$ is defined by $\mathsf{let}$ in $FP_{M'}$, for each $M' \in \mathcal{M}$. By Hypothesis H'3.2, $\mathcal{E}_L \vdash \sigma_M x_{j,M} : T_{j,M}$, so $\mathcal{E}_R \vdash \sigma_M x_{j,M} : T_{j,M}$, since $\mathcal{E}_R$ is an extension of $\mathcal{E}_L$. Then, in order to show $\mathcal{E}_R \vdash P'_M$, it is enough to show $\mathcal{E}_R \vdash \mathit{transf}_{\phi_0,C_M}(FP_M)$.

We say that $\phi$ is well-typed when $z[M] \in \mathrm{Dom}(\phi)$ and $\mathcal{E}'_R \vdash z[M] : T'$ implies $\mathcal{E}_R \vdash \phi(z[M]) : T'$.

First, it is easy to show by induction on $M'$ that for all well-typed $\phi$, for all $M'$ such that $\mathcal{E}'_R \vdash M' : T$, we have $\mathcal{E}_R \vdash \phi(M') : T$.

Next, we show that for all well-typed $\phi$, if $\mathcal{E}'_R \vdash [[FP']]^{j}_{i}$ and the type of the result of $FP'$ is the type of $N_M$, then $\mathcal{E}_R \vdash \mathit{transf}_{\phi,C_M}(FP')$, by induction on $FP'$.

• If $FP' = M'$, we have to show that $\mathcal{E}_R \vdash C_M[\phi(M')]$. Let $T$ be such that $\mathcal{E}_L \vdash M : T$.

We have $M = \sigma_M N_M$, so if $N_M$ contains a function symbol, $\mathcal{E}'_L \vdash N_M : T$. If $N_M = x_{j,M}$, $M = \sigma_M x_{j,M}$ is of type $T_{j,M}$ by Hypothesis H'3.2, so $T = T_{j,M}$, hence we also have $\mathcal{E}'_L \vdash N_M : T$. If $N_M = y_{jk,M}$, $M = \sigma_M y_{jk,M} = z_{jk,M}[\mathrm{im}\,\mathit{index}_j(M)]$ is of type $T_{jk,M}$ by Hypothesis H'3.1.1, so $T = T_{jk,M}$ and we also have $\mathcal{E}'_L \vdash N_M : T$.

By hypothesis, we then have $\mathcal{E}'_R \vdash M' : T$, so $\mathcal{E}_R \vdash \phi(M') : T$. Since $\mathcal{E}_L \vdash C_M[M]$ with $\mathcal{E}_L \vdash M : T$, by a substitution lemma, we conclude that $\mathcal{E}_R \vdash C_M[\phi(M')]$.

• The inductive cases follow easily using $\mathcal{E}'_R \vdash [[FP']]^{j}_{i}$ and the property proved above to type terms.

In the case of a $\mathsf{find}$ branch with non-empty $\mathsf{defined}$ conditions, we extend $\phi$ into $\phi'$ as follows. Let $i'$ be the sequence of current replication indices at $M'$ and $u'$ be a sequence formed with a fresh variable for each variable in $i'$.

– If $z_k = y'_{jk',M'}$ for some $k'$, then $\phi'(z_k[M_{k1},\dots,M_{kl'_k}]) = \mathit{varIm}_R(z_k,M')[\mathrm{im}\,\mathit{index}_j(M')\{u'/i'\}]$. Since $\mathit{varIm}_R(z_k,M')$ is defined where $z_{j1,M'}$ is defined, the indices of $\mathit{varIm}_R(z_k,M')$ are the indices of $z_{j1,M'}$, so $\mathrm{im}\,\mathit{index}_j(M')$ is of the suitable type. Moreover, $u'$ and $i'$ have the same types, so by a substitution lemma, $\mathrm{im}\,\mathit{index}_j(M')\{u'/i'\}$ is of the suitable type. Moreover $z_k$ in $R$ and $\mathit{varIm}_R(z_k,M')$ in $Q'_0$ are both declared of type $T'_{jk',M'}$, so $\mathcal{E}'_R \vdash z_k[M_{k1},\dots,M_{kl'_k}] : T'_{jk',M'}$ and $\mathcal{E}_R \vdash \mathit{varIm}_R(z_k,M')[\mathrm{im}\,\mathit{index}_j(M')\{u'/i'\}] : T'_{jk',M'}$.

– If $z_k$ is defined by $\mathsf{let}$ or by a function input, $\phi'(z_k[M_{k1},\dots,M_{kl'_k}]) = \mathit{varIm}_R(z_k,M')[u']$. $\mathit{varIm}_R(z_k,M')$ is declared under the same replications as $M'$, so $u'$ is of the suitable type. The variables $z_k$ in $R$ and $\mathit{varIm}_R(z_k,M')$ in $Q'_0$ are declared of the same type, so if $\mathcal{E}'_R \vdash z_k[M_{k1},\dots,M_{kl'_k}] : T'$ then $\mathcal{E}_R \vdash \mathit{varIm}_R(z_k,M')[u'] : T'$.

So $\phi'$ is well-typed.

Moreover, we show that $\mathcal{E}_R \vdash \mathrm{im}\,\mathit{index}_{j_1}(M')\{u'/i'\} = \mathrm{im}\,\mathit{index}_{j_1}(M) : \mathit{bool}$. We have $z_{j_1k,M} = z_{j_1k,M'}$ since $M$ and $M'$ share the $j_1$ first sequences of random variables, so $\mathrm{im}\,\mathit{index}_{j_1}(M')$ and $\mathrm{im}\,\mathit{index}_{j_1}(M)$ are of the same type, since they are both used as indices of $z_{j_1k,M}$. Since $u'$ and $i'$ are of the same type, by a substitution lemma, $\mathrm{im}\,\mathit{index}_{j_1}(M')\{u'/i'\}$ and $\mathrm{im}\,\mathit{index}_{j_1}(M)$ are of the same type, which yields the desired result.

It is easy to see that $\phi_0$ is well-typed. Moreover $\mathcal{E}'_R \vdash [[FP_M]]^{j}_{i}$ and the type of the result of $FP_M$ is the type of $N_M$ by Hypothesis H0, so $\mathcal{E}_R \vdash \mathit{transf}_{\phi_0,C_M}(FP_M)$. $\square$

Proof of Proposition 3 Invariants 1, 2, and 3 have been proved in Lemmas 13, 14, and 15 respectively. Finally, we show that $Q_0 \approx^V Q'_0$. After renaming variables so that $V$ and $C$ do not contain variables of $L$ and $R$, by Lemmas 1, 11, and 12, $Q_0 \approx^{V_0} C[[[L]]] \approx^V C[[[R]]] \approx^{V_0} Q'_0$, so by transitivity $Q_0 \approx^V Q'_0$. $\square$

E.5 Proofs for Section 4

Proof of Proposition 4 Let $C$ be an acceptable context for $Q \mid Q_x$, $Q \mid Q'_x$, $\emptyset$. We relate the traces of $C[Q \mid Q_x]$ and $C[Q \mid Q'_x]$ as follows:

• If a trace of $C[Q \mid Q_x]$ never executes the subprocess $c\langle x[u_1,\dots,u_m]\rangle$ of $Q_x$, then we obtain a trace of $C[Q \mid Q'_x]$ with the same probability, by just replacing $Q_x$ with $Q'_x$ and subprocesses of $Q_x$ with the corresponding subprocesses of $Q'_x$.

• Otherwise, the considered trace of $C[Q \mid Q_x]$ executes the subprocess $c\langle x[u_1,\dots,u_m]\rangle$ of $Q_x$ exactly once, with $E(u_1) = a_1, \dots, E(u_m) = a_m$, and $E(x[a_1,\dots,a_m]) = a$, where $E$ is the environment when $c\langle x[u_1,\dots,u_m]\rangle$ is executed. By hypothesis, the definition of $x[a_1,\dots,a_m]$ in this trace is either a restriction $\mathsf{new}\ x[a_1,\dots,a_m] : T$, or an assignment $\mathsf{let}\ x[a_1,\dots,a_m] : T = z[M_1,\dots,M_l]$ with $E, M_k \Downarrow a'_k$ for all $k \le l$, and the definition of $z[a'_1,\dots,a'_l]$ in this trace is $\mathsf{new}\ z[a'_1,\dots,a'_l] : T$.

We build $|I_\eta(T)|$ traces of $C[Q \mid Q'_x]$ from this trace, by choosing any value of $I_\eta(T)$ for the restriction $\mathsf{new}\ x[a_1,\dots,a_m] : T$ or $\mathsf{new}\ z[a'_1,\dots,a'_l] : T$ defined above, and the value $a$ for the restriction $\mathsf{new}\ y : T$ of $Q'_x$. By definition of $S$, these traces are the same as the trace of $C[Q \mid Q_x]$ except perhaps for the values of variables in $S$, and for the process $Q'_x$ instead of $Q_x$. The probability of each of these traces is $1/|I_\eta(T)|$ times the probability of the considered trace of $C[Q \mid Q_x]$, since these traces choose one more random number in $I_\eta(T)$ than the trace of $C[Q \mid Q_x]$.

Moreover, all traces of $C[Q \mid Q'_x]$ are obtained by the previous construction. (To show that, we rebuild a trace of $C[Q \mid Q_x]$ from the trace of $C[Q \mid Q'_x]$ by the reverse of the construction detailed above.)

For each configuration $E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m$ of the trace of $C[Q \mid Q_x]$, and corresponding configuration $E'_{m'}, P'_{m'}, \mathcal{Q}'_{m'}, \mathcal{C}'_{m'}$ of the trace of $C[Q \mid Q'_x]$, for all channels $c$ and bitstrings $a$, $E_m, P_m, \mathcal{Q}_m, \mathcal{C}_m$ executes $c\langle a\rangle$ immediately if and only if $E'_{m'}, P'_{m'}, \mathcal{Q}'_{m'}, \mathcal{C}'_{m'}$ executes $c\langle a\rangle$ immediately.

Therefore, $\Pr[C[Q \mid Q_x] \leadsto_\eta c\langle a\rangle] = \Pr[C[Q \mid Q'_x] \leadsto_\eta c\langle a\rangle]$, so $Q \mid Q_x \approx_0 Q \mid Q'_x$. $\square$
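The counting argument of this proof (each trace of $C[Q \mid Q_x]$ is matched by $|I_\eta(T)|$ traces of $C[Q \mid Q'_x]$, each of $1/|I_\eta(T)|$ the probability, so that every output $c\langle a\rangle$ keeps the same probability) can be checked by exhaustive enumeration on a tiny instance. The following Python is an added example, not code from the paper or from CryptoVerif: it models a small sequential fragment with $\mathsf{new}$, $\mathsf{let}$ and a single output channel, enumerates every trace with its exact probability, and compares the output distributions of $Q \mid Q_x$ and $Q \mid Q'_x$. It assumes, for simplicity, that $Q_x$ runs after $Q$ (parallel composition is modelled by sequencing), that $Q_x$ outputs the secret directly without reading indices $u_1,\dots,u_m$, and a constructed type size $|I_\eta(T)| = 4$; the `const` instruction is added only to show a definition of $x$ that violates the hypothesis of Proposition 4.

```python
from fractions import Fraction

# Constructed toy type sizes: |I_eta(T)| for each type name (assumption).
TYPES = {"T": 4}


def run(process, env, prob):
    """Enumerate all traces of `process` (a list of instruction tuples).

    Yields (final_env, output_value, trace_probability).  Mirrors the
    proof's bookkeeping: each `new` splits a trace into |I_eta(T)| traces
    and divides the probability of each by |I_eta(T)|; `let` and `const`
    keep a single trace; `out` ends the trace with an observed value.
    """
    if not process:
        yield env, None, prob
        return
    instr, rest = process[0], process[1:]
    kind = instr[0]
    if kind == "new":                      # ("new", x, T): x uniform in I_eta(T)
        _, x, t = instr
        size = TYPES[t]
        for a in range(size):
            yield from run(rest, {**env, x: a}, prob / size)
    elif kind == "let":                    # ("let", x, y): x := value of y
        _, x, y = instr
        yield from run(rest, {**env, x: env[y]}, prob)
    elif kind == "const":                  # ("const", x, v): x := fixed v (not allowed by Prop. 4)
        _, x, v = instr
        yield from run(rest, {**env, x: v}, prob)
    elif kind == "out":                    # ("out", x): output x on the single channel c
        _, x = instr
        yield env, env[x], prob
    else:
        raise ValueError(f"unknown instruction {instr!r}")


def output_distribution(process):
    """Pr[process outputs a immediately on c], as a dict a -> Fraction."""
    dist = {}
    for _, a, p in run(process, {}, Fraction(1)):
        if a is not None:
            dist[a] = dist.get(a, Fraction(0)) + p
    return dist


# Q: the secret x is defined by `new` followed by a `let` copy, the two
# definition shapes permitted by the hypothesis of Proposition 4.
Q = [("new", "z", "T"), ("let", "x", "z")]
Q_x = [("out", "x")]                            # Q_x publishes the secret x
Q_prime_x = [("new", "y", "T"), ("out", "y")]   # Q'_x publishes a fresh y instead
Q_bad = [("const", "x", 0)]                     # x is not random: hypothesis violated


def secrecy_criterion_holds(q, qx, qx_prime):
    """True iff q|qx and q|qx_prime output every value with equal probability."""
    return output_distribution(q + qx) == output_distribution(q + qx_prime)


def trace_counts(q, qx, qx_prime):
    """(#traces of q|qx, #traces of q|qx_prime): the right side has
    |I_eta(T)| traces per trace of the left side, as in the proof."""
    left = sum(1 for _ in run(q + qx, {}, Fraction(1)))
    right = sum(1 for _ in run(q + qx_prime, {}, Fraction(1)))
    return left, right


if __name__ == "__main__":
    print("Q | Q_x  :", output_distribution(Q + Q_x))
    print("Q | Q'_x :", output_distribution(Q + Q_prime_x))
    print("criterion holds for Q    :", secrecy_criterion_holds(Q, Q_x, Q_prime_x))
    print("criterion holds for Q_bad:", secrecy_criterion_holds(Q_bad, Q_x, Q_prime_x))
    print("trace counts:", trace_counts(Q, Q_x, Q_prime_x))
```

With the constructed size 4, both sides output each value with probability $1/4$; the left side has 4 traces and the right side 16, the factor $|I_\eta(T)|$ of the proof. `Q_bad` fixes $x$ to a constant, so its output distribution is concentrated on one value and the criterion fails, which is why the proposition requires every definition of $x$ to be a restriction or a copy of one.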

Proof sketch of Proposition 5 Let $C$ be an acceptable context for $Q \mid Q_x$, $Q \mid Q'_x$, $\emptyset$.

We first exclude traces $\mathcal{T}$ such that $\mathit{defRestr}_{\mathcal{T}}(x[a]) = \mathit{defRestr}_{\mathcal{T}}(x[a'])$ and $a \neq a'$. These traces have negligible probability by hypothesis, since $C[[\,] \mid Q_x]$ is an acceptable context for $Q$, $0$, $\{x\}$. So this removal does not change the result.

For the remaining traces, when $a \neq a'$, $\mathit{defRestr}_{\mathcal{T}}(x[a]) \neq \mathit{defRestr}_{\mathcal{T}}(x[a'])$, so the definitions of $x[a]$ and $x[a']$ do not come from a single execution of the same restriction. (So $x[a]$ and $x[a']$ are independent random numbers.) Then we can apply a proof similar to that of Proposition 4, except that we replace each tested value of $x[a']$ with independent random numbers instead of a single one. $\square$


Proof of Lemma 2 Let us prove the result for one-session secrecy. (The proof is essentially the same for secrecy.) The contexts $[\,] \mid Q_x$ and $[\,] \mid Q'_x$ are acceptable contexts for $Q$, $Q'$, $\{x\}$ (after renaming $u_1,\dots,u_m, y$ so that they do not occur in $Q$ and $Q'$). We have $Q \approx^{\{x\}} Q'$. So, by Lemma 1, $Q \mid Q_x \approx Q' \mid Q_x$ and $Q \mid Q'_x \approx Q' \mid Q'_x$. Since $Q$ preserves the one-session secrecy of $x$, $Q \mid Q_x \approx Q \mid Q'_x$. So, by transitivity of $\approx$, $Q' \mid Q_x \approx Q' \mid Q'_x$. Therefore, $Q'$ preserves the one-session secrecy of $x$. $\square$
