Exploiting Symmetries When Proving Equivalence Properties for Security Protocols

Abstract: Verification of privacy-type properties for cryptographic protocols in an active adversarial environment, modelled as a behavioural equivalence in concurrent-process calculi, exhibits a high computational complexity. While undecidable in general, for some classes of common cryptographic primitives the problem is coNEXP-complete when the number of honest participants is bounded.In this paper we develop optimisation techniques for verifying equivalences, exploiting symmetries between the two processes under stud… Show more

“…QUESTION: Are the two processes equivalent by session? Surprisingly, despite practical improvements by order of magnitudes of the verification time compared to trace equivalence [24], this performance gap is not reflected in the theoretical, worst-case complexity. The same reduction as trace equivalence can indeed be used to prove equivalence by session coNEXP-hard.…”

“…Equivalence by session. We also briefly mention another equivalence, between diffequivalence and trace equivalence (but incomparable with labelled bisimilarity) [24]. Known as equivalence by session, it was originally presented as a sound proof technique for trace equivalence in the bounded fragment, that was inducing less false attacks than diff-equivalence.…”

“…In this fragment of the calculus, most of the studied equivalences coincide and their complexity also drops exponentially. This class has been investigated significantly [9,17,21,24] although several variants coexist in the literature, as discussed in [8]. For example the results of [9,24] hold for action-determinate processes, meaning that the processes never reach an intermediary state where two inputs (resp.…”

“…This class has been investigated significantly [9,17,21,24] although several variants coexist in the literature, as discussed in [8]. For example the results of [9,24] hold for action-determinate processes, meaning that the processes never reach an intermediary state where two inputs (resp. outputs) on the same communication channel are executable in parallel; whereas a more permissive definition is used in [21].…”

“…On the contrary, the so-called private semantics only allows private, unintercepted communications on channels that are unknown to the attacker, modelling an attacker that continuously eavesdrops on the network (rather than an attacker that has the capability of eavesdropping any communication). The private semantics is actually used in tools such as TAMARIN [50] and AKISS [17] and also in the presentation of equivalence by session [24]. While both semantics are equivalent when it comes to reachability properties, they surprisingly happen to be incomparable for equivalence properties [8].…”

The Hitchhiker’s Guide to Decidability and Complexity of Equivalence Properties in Security Protocols

“…QUESTION: Are the two processes equivalent by session? Surprisingly, despite practical improvements by order of magnitudes of the verification time compared to trace equivalence [24], this performance gap is not reflected in the theoretical, worst-case complexity. The same reduction as trace equivalence can indeed be used to prove equivalence by session coNEXP-hard.…”

“…Equivalence by session. We also briefly mention another equivalence, between diffequivalence and trace equivalence (but incomparable with labelled bisimilarity) [24]. Known as equivalence by session, it was originally presented as a sound proof technique for trace equivalence in the bounded fragment, that was inducing less false attacks than diff-equivalence.…”

“…In this fragment of the calculus, most of the studied equivalences coincide and their complexity also drops exponentially. This class has been investigated significantly [9,17,21,24] although several variants coexist in the literature, as discussed in [8]. For example the results of [9,24] hold for action-determinate processes, meaning that the processes never reach an intermediary state where two inputs (resp.…”

“…This class has been investigated significantly [9,17,21,24] although several variants coexist in the literature, as discussed in [8]. For example the results of [9,24] hold for action-determinate processes, meaning that the processes never reach an intermediary state where two inputs (resp. outputs) on the same communication channel are executable in parallel; whereas a more permissive definition is used in [21].…”

“…On the contrary, the so-called private semantics only allows private, unintercepted communications on channels that are unknown to the attacker, modelling an attacker that continuously eavesdrops on the network (rather than an attacker that has the capability of eavesdropping any communication). The private semantics is actually used in tools such as TAMARIN [50] and AKISS [17] and also in the presentation of equivalence by session [24]. While both semantics are equivalent when it comes to reachability properties, they surprisingly happen to be incomparable for equivalence properties [8].…”

The Hitchhiker’s Guide to Decidability and Complexity of Equivalence Properties in Security Protocols

Indistinguishability Beyond Diff-Equivalence in ProVerif

A Decision Procedure for Alpha-Beta Privacy for a Bounded Number of Transitions