Extending ProVerifs Resolution Algorithm for Verifying Group - - PowerPoint PPT Presentation



SLIDE 1

Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works

Extending ProVerif’s Resolution Algorithm for Verifying Group Protocols

Miriam Paiola miriam.paiola@ens.fr

Ecole Normale Supérieure

June 25, 2010

Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 1 / 24

SLIDE 2

Contents

1. Introduction
   • Representation with Horn clauses
   • Resolution
2. Group Protocols
3. Generalized Horn Clauses
   • Syntax
4. Resolution algorithm
   • Extension of the definition of Resolution
   • Relation with Horn clauses
   • The Algorithm
5. Conclusions and Further works

SLIDE 3

Cryptographic protocols and their Verification

• Cryptographic protocols are protocols that perform a security-related function and apply cryptographic methods.
• The confidence in these protocols can be increased by a formal analysis in order to verify security properties, considering cryptographic primitives as black boxes.
• For an unbounded number of sessions: undecidability.
• Group protocols are protocols that involve an unbounded number of participants: the number of steps and the form of messages depend on the number of participants.

SLIDE 4

Overview of ProVerif

Inputs:
  • Protocol: Pi calculus + cryptography
  • Properties to prove: secrecy, authentication, ...
Automatic translator
  → Horn clauses, derivability queries
Resolution with selection
  → The property is true, or
  → Potential attack

SLIDE 5

Example

Denning-Sacco

Message 1  A → B : pencrypt(sign(k, skA[ ]), pk(skB[ ]))
Message 2  B → A : sencrypt(s, k)

SLIDE 14

Example

Denning-Sacco

Message 1  A → B : pencrypt(sign(k[pk(x)], skA[ ]), pk(x))
Message 2  B → A : sencrypt(s, k)

attacker(pk(x)) ⇒ attacker(pencrypt(sign(k[pk(x)], skA[ ]), pk(x)))

Message 1  A → B : pencrypt(sign(y, skA[ ]), pk(skB[ ]))
Message 2  B → A : sencrypt(s, y)

attacker(pencrypt(sign(y, skA[ ]), pk(skB[ ]))) ⇒ attacker(sencrypt(s, y))

SLIDE 15

Representation of a protocol

Messages are represented by patterns

    $p ::= x \mid a[p_1, \ldots, p_n] \mid f(p_1, \ldots, p_n)$

    Examples: $a$, $b$, $\mathrm{sencrypt}(s, pk)$

Properties are represented by facts

    $F ::= \mathrm{attacker}(p)$

The protocol and the abilities of the attacker are represented by Horn clauses

    $F_1 \wedge \cdots \wedge F_n \Rightarrow F$

    Example: $\mathrm{attacker}(s) \wedge \mathrm{attacker}(pk) \Rightarrow \mathrm{attacker}(\mathrm{sencrypt}(s, pk))$

SLIDE 16

Resolution

Definition (Resolution)

$$\frac{H_1 \Rightarrow C_1 \qquad F \wedge H_2 \Rightarrow C_2}{\sigma(H_1 \wedge H_2) \Rightarrow \sigma C_2}$$

where $\sigma$ is the most general unifier of $C_1$ and $F$.

The selection function selects:
• a hypothesis not of the form $\mathrm{attacker}(x)$ if possible,
• the conclusion otherwise.

Resolve until a fixpoint is reached. Keep clauses whose conclusion is selected.

Theorem
The obtained clauses derive the same facts as the initial clauses.
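The resolution rule and selection function above, applied to the two Denning-Sacco clauses from the earlier slide, as an added Python example that is not part of the original slides and not ProVerif's code. The clause `PK` (attacker(z) ⇒ attacker(pk(z))) is an assumed attacker rule that does not appear on the slides, and the example assumes the clauses already use distinct variable names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    """f(p1..pn), or a name a[p1..pn] (names unify like function symbols)."""
    sym: str
    args: tuple = ()

@dataclass(frozen=True)
class Clause:
    hyps: tuple      # facts attacker(p)
    concl: App

def fn(sym):
    return lambda *args: App(sym, args)

att, pk, sign = fn("attacker"), fn("pk"), fn("sign")
pencrypt, sencrypt, k = fn("pencrypt"), fn("sencrypt"), fn("k[]")

def walk(t, s):
    while isinstance(t, Var) and t in s:
        t = s[t]
    return t

def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, App) and any(occurs(v, a, s) for a in t.args))

def unify(a, b):
    """Most general unifier of a and b (triangular form), or None."""
    s, todo = {}, [(a, b)]
    while todo:
        l, r = (walk(t, s) for t in todo.pop())
        if l == r:
            continue
        if isinstance(r, Var) and not isinstance(l, Var):
            l, r = r, l
        if isinstance(l, Var):
            if occurs(l, r, s):          # occurs check: x = f(..x..) has no unifier
                return None
            s[l] = r
        elif l.sym != r.sym or len(l.args) != len(r.args):
            return None
        else:
            todo.extend(zip(l.args, r.args))
    return s

def subst(t, s):
    t = walk(t, s)
    if isinstance(t, App):
        return App(t.sym, tuple(subst(a, s) for a in t.args))
    return t

def select(c):
    """Index of a hypothesis not of the form attacker(x), or None (conclusion selected)."""
    for i, h in enumerate(c.hyps):
        if not isinstance(h.args[0], Var):
            return i
    return None

def resolve(c1, c2):
    """Resolve c1 (conclusion selected) on the selected hypothesis F of c2."""
    i = select(c2)
    if select(c1) is not None or i is None:
        return None
    s = unify(c1.concl, c2.hyps[i])
    if s is None:
        return None
    hyps = c1.hyps + c2.hyps[:i] + c2.hyps[i + 1:]
    return Clause(tuple(dict.fromkeys(subst(h, s) for h in hyps)), subst(c2.concl, s))

def show(t):
    if isinstance(t, Var):
        return t.name
    inner = ", ".join(show(a) for a in t.args)
    return f"{t.sym[:-2]}[{inner}]" if t.sym.endswith("[]") else f"{t.sym}({inner})"

def show_clause(c):
    return " ∧ ".join(show(h) for h in c.hyps) + " ⇒ " + show(c.concl)

# Clauses from the slides: x, y, z are variables; skA[], skB[], s[] are names.
x, y, z = Var("x"), Var("y"), Var("z")
skA, skB, sec = App("skA[]"), App("skB[]"), App("s[]")
DS1 = Clause((att(pk(x)),), att(pencrypt(sign(k(pk(x)), skA), pk(x))))
DS2 = Clause((att(pencrypt(sign(y, skA), pk(skB))),), att(sencrypt(sec, y)))
PK = Clause((att(z),), att(pk(z)))       # assumed attacker rule, not on the slides

STEP1 = resolve(PK, DS1)      # removes the selected hypothesis attacker(pk(x))
STEP2 = resolve(STEP1, DS2)   # unifies message 1 as sent by A with B's expectation

if __name__ == "__main__":
    print(show_clause(STEP1))
    print(show_clause(STEP2))
```

DS1 cannot be resolved against DS2 directly, because the selection function picks DS1's hypothesis attacker(pk(x)) rather than its conclusion.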

SLIDE 17

Example

Asokan-Ginzboorg protocol

Let the set of players be $\{a_i,\ i = 1, \ldots, n+1\}$ for $n \ge 1$ and $a_{n+1}$ be the leader. The protocol describes the establishment of a session key between the leader and the other $n$ participants.

(1) $a_{n+1} \to \mathrm{ALL} : a_{n+1}, \mathrm{sencrypt}(e, p)$
(2) $a_i \to a_{n+1} : a_i, \mathrm{sencrypt}(r_i, s_i, e)$
(3) $a_{n+1} \to a_i : \mathrm{sencrypt}(s_1, \ldots, s_n, s_{n+1}, r_i)$
(4) $a_i \to a_{n+1} : a_i, \mathrm{sencrypt}(s_i, h(s_1, \ldots, s_{n+1}), K)$, for some $i$

where $K = f(s_1, \ldots, s_{n+1})$

SLIDE 18

Generalized Horn Clauses

Syntax 1

$p^G, s, t ::=$   patterns
    $x_{(\iota_1,\ldots,\iota_h)}$ where $0 \le h$   variable
    $f(p^G_1, \ldots, p^G_l)$   function application
    $a_\iota[p^G_1, \ldots, p^G_l]$   indexed names
    $\mathrm{mpair}(i, p^G)$   list constructor

$F^G ::=$   facts
    $\mathrm{attacker}(p^G)$   fact
    $\bigwedge_{(i_1,\ldots,i_h)\in I} F^G$   conjunction fact

$R^G ::= F^G_1 \wedge \cdots \wedge F^G_n \wedge \delta \Rightarrow F^G$   generalized Horn clause

SLIDE 19

Generalized Horn Clauses

Syntax 2

$E ::=$   equation over variables
    $\forall (i_1, \ldots, i_h) \in I,\ E$   bounded quantification
    $\forall i,\ E$   unbounded quantification
    $x_{(\iota_1,\ldots,\iota_h)} \doteq p^G$   equation

$\iota ::=$   index replacement
    $\phi(\iota_1, \ldots, \iota_h)$
    $i$

$E' ::=$   equation over indices
    $\forall (i_1, \ldots, i_h) \in I,\ E'$   bounded quantification
    $\forall i,\ E'$   unbounded quantification
    $\iota \doteq \iota'$   equation

$\delta ::=$   conditions set
    $\emptyset$   empty set
    $E \cup \delta$   equation
    $E' \cup \delta$   equation

SLIDE 25

Representation of the protocol

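$a_i \to a_{n+1} : a_i, \mathrm{sencrypt}(r_i, s_i, e)$

    $\mathrm{attacker}(a_{n+1}, \mathrm{sencrypt}(y, p[\,])) \wedge \emptyset \Rightarrow \mathrm{attacker}(a_i, \mathrm{sencrypt}(r_i[y], s_i[y], y))$

$a_{n+1} \to a_i : \mathrm{sencrypt}(s_1, \ldots, s_n, s_{n+1}, r_i)$

    $\bigwedge_{i\in\{1,\ldots,n\}} \mathrm{attacker}(a_i, \mathrm{sencrypt}(v_i, w_i, e[\,])) \wedge \emptyset \Rightarrow \mathrm{attacker}(\mathrm{sencrypt}(\mathrm{mpair}(i, w_i), z[\mathrm{mpair}(i, v_i, w_i)], v_i))$

$a_i \to a_{n+1} : a_i, \mathrm{sencrypt}(s_i, h(s_1, \ldots, s_{n+1}), K)$, for some $i$

    $\mathrm{attacker}(\mathrm{sencrypt}(\mathrm{mpair}(j, k_j), k_{n+1}, r_i[y])) \wedge \{k_i \doteq s_i[y]\} \Rightarrow \mathrm{attacker}(a_i, \mathrm{sencrypt}(s_i[y], h(\mathrm{mpair}(j, k_j), k_{n+1}), K))$,

    where $K = f(\mathrm{mpair}(j, k_j), k_{n+1})$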

SLIDE 27

Unification Algorithm

We want to unify the facts $F^G$ and $C^G$ with conditions set $\delta_1, \delta_2$.

input: $\{\forall (i_1, \ldots, i_h) \in I\ \ F^G = C^G,\ \delta_1,\ \delta_2\}$

output: $\sigma, \delta$: $\sigma$ is the set of substitutions done during the algorithm, $\delta$ is the set of equations that remain when the algorithm ends.

Intuition
• $a_\iota[s_1, \ldots, s_k] = a_{\iota'}[t_1, \ldots, t_k]$: replace with $s_1 = t_1, \ldots, s_k = t_k, \iota \doteq \iota'$.
• $\forall i_1, \ldots, i_k\ \ x_{(i_1,\ldots,i_k)} = t$ and $fi(t) \subseteq \{i_1, \ldots, i_k\}$: if $x_{(i'_1,\ldots,i'_k)}$ does not appear in $t$, then replace $x_{(i_1,\ldots,i_k)}$ with $t$ in every other equation.
• $x_{(\iota_1,\ldots,\iota_k)} = t$: if $t \neq x_{(\iota_1,\ldots,\iota_k)}$ and $x_{(\iota_1,\ldots,\iota_k)}$ appears in $t$, then halt with failure.
• $\mathrm{mpair}(i, s) = \mathrm{mpair}(i, t)$: replace with $\forall i\ \ s = t$.

SLIDE 28

Resolution

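$$\frac{H^G_1 \wedge \delta^G_1 \Rightarrow C^G_1 \qquad \mathrm{attacker}(p^G) \wedge H^G_2 \wedge \delta^G_2 \Rightarrow C^G_2}{\sigma(H^G_1 \wedge H^G_2) \wedge \delta \Rightarrow \sigma C^G_2}$$

where $\sigma, \delta$ is the result of the unification algorithm with input $\{\mathrm{attacker}(p^G) = C^G_1,\ \delta_2,\ \delta_1\}$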

SLIDE 33

Hyperresolution (1)

$$\frac{H^G_1 \wedge \delta^G_1 \Rightarrow C^G_1 \qquad \bigwedge_{(j_1,\ldots,j_h)\in J} F^G \wedge H^G_2 \wedge \delta^G_2 \Rightarrow C^G_2}{?}$$

$R^G_1 = \mathrm{attacker}(a_h) \wedge H^G_1 \wedge \delta_1 \Rightarrow \mathrm{attacker}(a_k, y_{(i,j)})$

$R^G_2 = \bigwedge_{(i,j)\in I} \mathrm{attacker}(a_i, b_j) \wedge H^G_2 \wedge \delta_2 \Rightarrow C^G_2$

For each value of $(i, j)$, we can resolve on a different instance of $R^G_1$, hence the variables of $R^G_1$ should be renamed to a different name for each value of $(i, j)$.

During the resolution algorithm, we have $a_k = a_i$ (which means $i = k$) for some $(i, j) \in I$.

However, this would imply that all names $a_i$ are resolved with $a_k$ for the same $k$. This is not the desired semantics. In fact, one can choose a different value of $k$ for each resolution step, so for each $(i, j)$, hence $k$ becomes a function of $(i, j)$.

SLIDE 35

Hyperresolution (1)

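$$\frac{H^G_1 \wedge \delta^G_1 \Rightarrow C^G_1 \qquad \bigwedge_{(j_1,\ldots,j_h)\in J} F^G \wedge H^G_2 \wedge \delta^G_2 \Rightarrow C^G_2}{?}$$

$R^G_1 = \mathrm{attacker}(a_{\psi(i,j)}) \wedge H'^G_1 \wedge \delta'_1 \Rightarrow \mathrm{attacker}(a_{\phi(i,j)}, y_{(i,j)})$

$R^G_2 = \bigwedge_{(i,j)\in I} \mathrm{attacker}(a_i, b_j) \wedge H^G_2 \wedge \delta_2 \Rightarrow C^G_2$

Definition (Immersion)
Let $R^G_1 = H^G_1 \wedge \delta_1 \Rightarrow C^G_1$ be a clause. The immersion of $R^G_1$ into the indices $j_1, \ldots, j_h$ is the clause $R'^G_1$ obtained by:
• replacing all free indices $i_k$ of $R^G_1$ with functions of $j_1, \ldots, j_h$: $i_k \mapsto \phi(j_1, \ldots, j_h)$,
• adding indices $j_1, \ldots, j_h$ to all the variables of $R^G_1$.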

SLIDE 37

Hyperresolution (2)

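$$\frac{H^G_1 \wedge \delta^G_1 \Rightarrow C^G_1 \qquad \bigwedge_{(j_1,\ldots,j_h)\in J} F^G \wedge H^G_2 \wedge \delta^G_2 \Rightarrow C^G_2}{\sigma\Big(\bigwedge_{(j_1,\ldots,j_h)\in J'} H'^G_1 \wedge \bigwedge_{(j_1,\ldots,j_h)\in J\setminus J'} F^G \wedge H^G_2\Big) \wedge \delta \Rightarrow \sigma C^G_2}$$

where $H'^G_1 \wedge \delta'_1 \Rightarrow C'^G_1$ is the immersion of $R^G_1$; $\sigma, \delta$ is the result of the unification algorithm with input $\{\forall (j_1, \ldots, j_h) \in J'\ \ F^G = C'^G_1,\ \delta_2,\ \delta_1\}$ and $\emptyset \subset J' \subset J$

$$\frac{H^G_1 \wedge \delta^G_1 \Rightarrow C^G_1 \qquad \bigwedge_{(j_1,\ldots,j_h)\in J} F^G \wedge H^G_2 \wedge \delta^G_2 \Rightarrow C^G_2}{\sigma\Big(\bigwedge_{(j_1,\ldots,j_h)\in J} H'^G_1 \wedge H^G_2\Big) \wedge \delta \Rightarrow \sigma C^G_2}$$

where $H'^G_1 \wedge \delta'_1 \Rightarrow C'^G_1$ is the immersion of $R^G_1$; $\sigma, \delta$ is the result of the unification algorithm with input $\{\forall (j_1, \ldots, j_h) \in J\ \ F^G = C'^G_1,\ \delta_2,\ \delta_1\}$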

SLIDE 38

Translation from GHC to HC

Definition (Environment)
Given a GHC $R^G$, an environment $T$ for $R^G$ is a function that associates:
• to $n$, an instance of the number of agents $n^T$;
• to each set of indices $I$ that appears in $R^G$, one set $\emptyset \subset I^T \subseteq \{1, \ldots, n^T\}^h$, where $h$ is the number of indices in the tuples $(i_1, \ldots, i_h) \in I$;
• to each free index $i$ that appears in $R^G$, an index $i^T \in \{1, \ldots, n^T\}$;
• to each index function $\phi$ with arity $h$ that appears in $R^G$, a function $\phi^T : \{1, \ldots, n^T\}^h \to \{1, \ldots, n^T\}$.

Given a set of GHC $\mathcal{R}$, given a number $\tilde{n}$, a general environment $\mathcal{T}$ is the set of all possible environments $T$ for $R^G$ in $\mathcal{R}$ such that $n^T = \tilde{n}$.

Given an environment $T$ we can translate a GHC $R^G$ into a HC $R^{GT}$.

SLIDE 39

Example

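Given the clause

$$\bigwedge_{i\in I} \mathrm{attacker}(a_i) \wedge \mathrm{attacker}(b_k) \wedge \emptyset \Rightarrow \mathrm{attacker}(a_{\phi(k)})$$

a possible environment is $T = \{n^T = 4,\ I = \{1, 3\},\ k = 4,\ \phi = \{1 \mapsto 3, 2 \mapsto 2, 3 \mapsto 4, 4 \mapsto 1\}\}$.

The translated clause is:

$$\mathrm{attacker}(a_1) \wedge \mathrm{attacker}(a_3) \wedge \mathrm{attacker}(b_4) \Rightarrow \mathrm{attacker}(a_1)$$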
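The translation of a generalized Horn clause under an environment, as defined on the previous slide and applied to this example, written as an added Python sketch that is not part of the original slides. The class names, the string rendering of translated facts, and the restriction to an empty conditions set δ and to patterns without mpair are assumptions of this example.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class IName:            # indexed name a_iota[p1..pl]
    sym: str
    index: object       # "i" (an index) or ("phi", ("k",)) (index function applied)
    args: tuple = ()

@dataclass(frozen=True)
class IVar:             # variable x_(iota1..iotah)
    sym: str
    indices: tuple = ()

@dataclass(frozen=True)
class Fn:               # function application f(p1..pl)
    sym: str
    args: tuple = ()

@dataclass(frozen=True)
class Att:              # fact attacker(p)
    pat: object

@dataclass(frozen=True)
class BigAnd:           # conjunction fact over (i1..ih) in I
    bound: tuple
    set_sym: str
    fact: object

@dataclass(frozen=True)
class GClause:          # generalized Horn clause with empty conditions set
    hyps: tuple
    concl: object

@dataclass
class Env:
    n: int              # n^T
    sets: dict          # I  -> set of index tuples I^T
    indices: dict       # free index i -> i^T
    funcs: dict         # phi -> {argument tuple: value}

def check_env(env):
    """Enforce the side conditions of the Environment definition."""
    rng = range(1, env.n + 1)
    for name, tuples in env.sets.items():
        if not tuples or any(v not in rng for t in tuples for v in t):
            raise ValueError(f"set {name}: need a non-empty subset of 1..n tuples")
    for name, v in env.indices.items():
        if v not in rng:
            raise ValueError(f"index {name}: value {v} outside 1..n")
    for name, table in env.funcs.items():
        h = len(next(iter(table), ()))
        total = set(table) == set(product(rng, repeat=h))
        if not total or any(v not in rng for v in table.values()):
            raise ValueError(f"function {name}: must be total on 1..n with values in 1..n")

def idx(iota, env, bound):
    if isinstance(iota, str):
        return bound[iota] if iota in bound else env.indices[iota]
    f, args = iota
    return env.funcs[f][tuple(idx(a, env, bound) for a in args)]

def pat(p, env, bound):
    if isinstance(p, IVar):
        return p.sym + "".join(f"_{idx(i, env, bound)}" for i in p.indices)
    inner = ", ".join(pat(a, env, bound) for a in p.args)
    if isinstance(p, IName):
        return f"{p.sym}{idx(p.index, env, bound)}" + (f"[{inner}]" if p.args else "")
    return f"{p.sym}({inner})"

def facts(f, env, bound):
    if isinstance(f, BigAnd):   # one copy of the fact per tuple of I^T
        out = []
        for tup in sorted(env.sets[f.set_sym]):
            out += facts(f.fact, env, {**bound, **dict(zip(f.bound, tup))})
        return out
    return [f"attacker({pat(f.pat, env, bound)})"]

def translate(clause, env):
    """Return the Horn clause R^GT as (list of hypotheses, conclusion)."""
    check_env(env)
    hyps = [h for f in clause.hyps for h in facts(f, env, {})]
    (concl,) = facts(clause.concl, env, {})
    return hyps, concl

# The clause and environment from the slide.
CLAUSE = GClause(
    hyps=(BigAnd(("i",), "I", Att(IName("a", "i"))), Att(IName("b", "k"))),
    concl=Att(IName("a", ("phi", ("k",)))),
)
T = Env(n=4, sets={"I": {(1,), (3,)}}, indices={"k": 4},
        funcs={"phi": {(1,): 3, (2,): 2, (3,): 4, (4,): 1}})

if __name__ == "__main__":
    hyps, concl = translate(CLAUSE, T)
    print(" ∧ ".join(hyps), "⇒", concl)
```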

SLIDE 42

Relation with Horn Clauses

A step of the unification algorithm for GHC corresponds to one or more steps of the unification algorithm for HC.

Theorem
Let $R^G_1 = H^G_1 \wedge \delta \Rightarrow C^G_1$ and $R^G_2 = H^G_2 \wedge \delta \Rightarrow C^G_2$ be two clauses such that, given an environment $T$, $R^{GT}_1$ and $R^{GT}_2$ resolve into a clause $R$. Then $R^G_1$ and $R^G_2$ can be resolved by resolution or hyperresolution into the clause $R^G$ and $R^{GT}$ differs only by renaming variables from $R$.

SLIDE 46

Selection functions (1)

In the original algorithm the resolution is guided through a selection function $\mathrm{sel}_0$ that selects:
• a hypothesis not of the form $\mathrm{attacker}(x)$ if possible
• the conclusion otherwise

Difficulty in GHC: we can have some fact $\mathrm{attacker}(x_i)$ where $Q\, x_i \doteq p$ appears in $\delta$

This means that depending on the environment chosen $x_i$ we have two possibilities for the translation of $\mathrm{attacker}(x_i)$:
• $x_i$ has been substituted with $p$
• $x_i$ remains

⇒ 2 selection functions

SLIDE 47

Selection functions (2)

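$$\mathrm{sel}^G_1(H^G \wedge \delta \Rightarrow C^G) = \begin{cases}
\{F^G_0\} & \text{where } F^G_0 \in H^G \text{ and } F^G_0 \neq \mathrm{attacker}(\text{variable}) \text{ and } F^G_0 \neq \bigwedge_{(i_1,\ldots,i_k)\in I} \mathrm{attacker}(\text{variable}) \\
\{F^G_0\} & \text{where } F^G_0 \in H \text{ and } \exists\, x_{\iota_1,\ldots,\iota_h} \text{ variable, } F^G_0 = \mathrm{attacker}(x_{\iota_1,\ldots,\iota_h}) \text{ or } F^G_0 = \bigwedge_{(i_1,\ldots,i_k)} \mathrm{attacker}(x_{\iota_1,\ldots,\iota_h}) \\
 & \text{and } \exists E \in \delta \text{ s.t. } E = Q\, x_{\iota_1,\ldots,\iota_h} \doteq p \text{ and } p \text{ is not a variable} \\
\emptyset & \text{otherwise}
\end{cases}$$

$$\mathrm{sel}^G_2(H^G \wedge \delta \Rightarrow C^G) = \begin{cases}
\{F^G_0\} & \text{where } F^G_0 \in H^G \text{ and } F^G_0 \neq \mathrm{attacker}(\text{variable}) \text{ and } F^G_0 \neq \bigwedge_{(i_1,\ldots,i_k)\in I} \mathrm{attacker}(\text{variable}) \\
\emptyset & \text{otherwise}
\end{cases}$$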

SLIDE 48

Extension of the Resolution Algorithm (1)

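$\mathrm{saturate}^G(\mathcal{R}^G_0) =$

1. $\mathcal{R}^G \leftarrow \emptyset$. For each $R^G \in \mathcal{R}^G_0$, $\mathcal{R}^G \leftarrow \mathrm{elim}^G(R^G \cup \mathcal{R}^G)$.

2. Repeat until a fixpoint is reached:
   for each $R^G \in \mathcal{R}^G$ such that $\mathrm{sel}^G_2(R^G) = \emptyset$
   • for each $R'^G \in \mathcal{R}^G$, for each $F^G_0 = \mathrm{attacker}(p) \in \mathrm{sel}^G_1(R'^G)$ such that $R^G \circ_{F^G_0} R'^G$ is defined:
       $\mathcal{R}^G \leftarrow \mathrm{elim}^G(\{R^G \circ_{F^G_0} R'^G\} \cup \mathcal{R}^G)$
   • for each $R'^G \in \mathcal{R}^G$, for each $F^G_0 = \bigwedge_{(j_1,\ldots,j_h)\in J} F^G \in \mathrm{sel}^G_1(R'^G)$:
       $\mathcal{R}^G \leftarrow \mathrm{elim}^G(\{R^G \circ^{(j_1,\ldots,j_h)\in J'}_{F^G} R'^G\} \cup \mathcal{R}^G)$,
       $\mathcal{R}^G \leftarrow \mathrm{elim}^G(\{R^G \circ^{(j_1,\ldots,j_h)\in J}_{F^G} R'^G\} \cup \mathcal{R}^G)$

3. Return $\{R^G \in \mathcal{R}^G \mid \mathrm{sel}^G_2(R^G) = \emptyset\}$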

SLIDE 49

Extension of the Resolution Algorithm (2)

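Theorem
Let $\mathcal{R}^G$ be a set of generalized Horn clauses and $\mathcal{T}$ be a general environment for $\mathcal{R}^G$. Let $\mathcal{R}$ be a set of Horn clauses such that $\mathcal{R} \subseteq \mathcal{R}^{G\mathcal{T}}$, where $\mathcal{R}^{G\mathcal{T}} = \{R^{GT} \mid R^G \in \mathcal{R}^G \text{ and } T \in \mathcal{T} \text{ is an environment for } R^G\}$. Then $\mathrm{saturate}(\mathcal{R}) \subseteq (\mathrm{saturate}^G(\mathcal{R}^G))^{\mathcal{T}}$.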

SLIDE 50

Conclusions

• extended syntax of Horn clauses → generalized Horn clauses;
• define a relation between GHC and HC;
• adapted the definitions for HC to deal with GHC:
    • subsumption
    • unification algorithm
    • resolution → resolution + hyperresolution
• new algorithm for verifying secrecy for group protocols.

SLIDE 51

Further works

• extend the process calculus to describe group protocols and translate it into generalized Horn clauses;
• reduce the approximations induced by the definitions of subsumption and by the two selection functions;
• extend this work to
    • equational theories
    • dynamic groups

SLIDE 52

Appendix

Theorem (Soundness of the unification algorithm)
Let $\sigma^G, \delta^G$ be the result of the unification of $F^G_1$ and $F^G_2$ for $(i_1, \ldots, i_h) \in I$ under $\delta_1$ and $\delta_2$. Then, for all environments $T$ such that $\mathrm{mgu}(\delta^T_1)(F^G_1\{(i'_1, \ldots, i'_h)/(i_1, \ldots, i_h)\})^T$ and $\mathrm{mgu}(\delta^T_2)(F^G_1\{(i'_1, \ldots, i'_h)/(i_1, \ldots, i_h)\})^T$ are unifiable for all $(i'_1, \ldots, i'_h) \in I^T$,

$$\mathrm{mgu}(\delta^{GT})\,\sigma^{GT} = \sigma\, \mathrm{mgu}(\delta^T_1)\, \mathrm{mgu}(\delta^T_2),$$

where

$$\sigma = \mathrm{mgu}\{\, \mathrm{mgu}(\delta^T_1)(F^G_1\{(i'_1, \ldots, i'_h)/(i_1, \ldots, i_h)\})^T = \mathrm{mgu}(\delta^T_2)(F^G_1\{(i'_1, \ldots, i'_h)/(i_1, \ldots, i_h)\})^T \mid (i'_1, \ldots, i'_h) \in I^T \,\}.$$

SLIDE 53

Subsumption (1)

Definition (Renaming and Substitution)
A renaming $\rho$ is a bijection that maps:
• indices to indices: $\rho(i) = i'$;
• set symbols to set symbols: $\rho(I) = I'$;
• function symbols $\phi$ to function symbols: $\rho(\phi) = \phi'$.

A substitution $\sigma^G$ is a mapping from variables to patterns that associates to each variable $x_{(i_1,\ldots,i_h)} \in \mathrm{dom}(\sigma^G)$ a value $p$ where $fi(p) \in \{i_1, \ldots, i_h\}$.

Given a fixed environment $T$, we define the translation of a substitution $\sigma^G$ as the substitution $\sigma^{GT}$ obtained by replacing the mapping $x_{(i_1,\ldots,i_h)} \mapsto p$ with the mappings: $x_{(i^T_1,\ldots,i^T_h)} \mapsto (p\{(i^T_1, \ldots, i^T_h)/(i_1, \ldots, i_h)\})^T$.

SLIDE 55

Subsumption (2)

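Definition (Subsumption)
We say that $R^G_1 = H^G_1 \wedge \delta_1 \Rightarrow C^G_1$ subsumes $R^G_2 = H^G_2 \wedge \delta_2 \Rightarrow C^G_2$, and we write $R^G_1 \sqsupseteq R^G_2$, if there exist a renaming $\rho$ and a substitution $\sigma^G$ such that $\sigma^G C^G_1 = \rho C^G_2$, $\sigma^G H^G_1 \subseteq \rho H^G_2$ and $\sigma^G \delta_1 \subseteq \rho \delta_2$.

The clause $R^G_1 = \mathrm{attacker}(a_i, x_{\phi(i)}) \wedge \{x_{\phi(i)} = c_{\phi(i)}\} \Rightarrow \mathrm{attacker}(y_i)$ subsumes $R^G_2 = \mathrm{attacker}(a_k, w_{\psi(k)}) \wedge \{w_{\psi(k)} = c_{\psi(k)}\} \Rightarrow \mathrm{attacker}(z_k)$.

$\rho = \{k \mapsto i, \psi \mapsto \phi\}$ and $\sigma = \{x_i \mapsto w_i, y_i \mapsto z_i\}$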

SLIDE 56

Relation with Horn clauses

Theorem
If $R^G_1 \sqsupseteq R^G_2$ then for all environments $T$ such that $R^{GT}_2$ exists there exists an environment $T'$ such that $R^{GT}_1$ exists, $n^T = n^{T'}$ and $R^{GT'}_1 \sqsupseteq R^{GT}_2$.
