An experiment is described that confirms the security of a well-studied class of cryptographic protocols (Dolev-Yao intruder model) can be verified by two-way nondeterministic pushdown automata (2NPDA). A nondeterministic pushdown program checks whether the intersection of a regular language (the protocol to verify) and a given Dyck language containing all canceling words is empty. If it is not, an intruder can reveal secret messages sent between trusted users. The verification is guaranteed to terminate in cubic time at most on a 2NPDA-simulator. The interpretive approach used in this experiment simplifies the verification, by separating the nondeterministic pushdown logic and program control, and makes it more predictable. We describe the interpretive approach and the known transformational solutions, and show they share interesting features. Also noteworthy is how abstract results from automata theory can solve practical problems by programming language means.Keywords protocol verification, ping-pong protocols, cryptographic protocols, nondeterministic programming, two-way pushdown automata, memoizing interpreters 1 Introduction Soon after the introduction of public-key encryption [26], it was found that an adversary can obtain a secret message sent on a network between trusted users, not by breaking the cryptographic algorithm, but by breaking the communication protocol through complex interactions with the users. A key finding by Dolev and Yao [8,9] was that the security problem of cryptographic ping-pong protocols can be mapped onto a decidable grammar problem. They gave an algorithm for constructing, for any given ping-pong protocol, a nondeterministic finite-state automaton (regular language) representing all possible interactions between the trusted users and the adversary, and a special-purpose algorithm for deciding the security question by computing the collapsing-state relation by a closure algorithm. Their original algorithm decided the security question in time O(n 8 ), where n is the size of the automaton [8,9]. This was later improved to O(n 3 ) [7]. The security of protocols is very important because public-key crypto systems are widely used for electronic communication and underpin various Internet standards.Recently, Nepeivoda [24] showed that the security of ping-pong protocols can also be verified by program transformation. Instead of regular expressions, the protocol in question is mapped onto a prefix grammar encoded as a first-order functional program in such a way that it can be used to decide the security question by a program transformer, specifically a supercompiler. This method builds upon work solving other verification problems by general-purpose program transformation (e.g., [2,22]). The main steps of these two methods are shown on the left-and right-most branches in Fig. 1. This paper takes another programming language approach -an interpreter for a nondeterministic language is used instead of a program transformer. We show how to write a two-way nondeterministic pushdown (2NPDA)...