Rewriting in Protocol Verification - Stéphanie Delaune, Univ Rennes - PowerPoint PPT Presentation



slide-1
SLIDE 1

Rewriting in Protocol Verification

Stéphanie Delaune

Univ Rennes, CNRS, IRISA, France

Monday, June 29th, 2020

1/23

slide-2
SLIDE 2

Cryptographic protocols everywhere !

Cryptographic protocols

◮ small programs designed to secure communication (e.g. secrecy, authentication, anonymity, ...)
◮ use cryptographic primitives (e.g. encryption, signature, ...)

The network is insecure!

Communications take place over a public network like the Internet.

2/23

slide-3
SLIDE 3

Cryptographic protocols everywhere !

It becomes more and more important to protect our privacy.

2/23

slide-4
SLIDE 4

How cryptographic protocols can be attacked?

Cryptanalysis

◮ Differential attacks,
◮ Boomerang attacks,
◮ Cube attacks,
◮ ...

3/23

slide-5
SLIDE 5

How cryptographic protocols can be attacked?

Logical attacks

◮ can be mounted even assuming perfect cryptography,
  → replay attack, man-in-the-middle attack, ...
◮ subtle and hard to detect by “eyeballing” the protocol

This is the so-called Dolev-Yao attacker!

3/23


slide-7
SLIDE 7

How cryptographic protocols can be attacked?

Example: An authentication flaw on the Needham-Schroeder protocol

NS protocol (1978):
  A → B : {A, NA}pub(B)
  B → A : {NA, NB}pub(A)
  A → B : {NB}pub(B)

NS-Lowe protocol (1995):
  A → B : {A, NA}pub(B)
  B → A : {NA, NB, B}pub(A)
  A → B : {NB}pub(B)

3/23

slide-8
SLIDE 8

How cryptographic protocols can be attacked?

Example: FREAK attack by Bhargavan et al. (2015)

A logical flaw that allows a man-in-the-middle attacker to downgrade connections from 'strong' RSA to 'export grade' RSA.

3/23

slide-9
SLIDE 9

How cryptographic protocols can be attacked?

Example: A traceability attack on the BAC protocol (2010), a privacy issue (The Register, Jan. 2010)

3/23

slide-10
SLIDE 10

Basic Acccess Control (BAC) protocol

Passport (KE, KM)                                   Reader (KE, KM)

Reader → Passport : get_challenge
Passport generates NP, KP
Passport → Reader : NP
Reader generates NR, KR
Reader → Passport : {NR, NP, KR}KE, MACKM({NR, NP, KR}KE)
Passport → Reader : {NP, NR, KP}KE, MACKM({NP, NR, KP}KE)

Both sides compute Kseed = KP ⊕ KR

4/23


slide-12
SLIDE 12

Unlinkability/Untraceability

Informally, an observer/attacker cannot observe the difference between the two following situations:

1. a situation where the same passport may be used twice (or even more);
2. a situation where each passport is used at most once.

More formally:

!new ke.new km.(!PBAC | !RBAC)  ≈?  !new ke.new km.(PBAC | RBAC)

(left-hand side: many sessions for each passport; right-hand side: only one session for each passport)

(we still have to formalize the notion of equivalence)

5/23

slide-13
SLIDE 13

Some other equivalence-based security properties

Vote privacy: the fact that a particular voter voted in a particular way is not revealed to anyone.

Strong secrecy: the fact that an adversary cannot see any difference when the value of the secret changes
→ stronger than the notion of secrecy as non-deducibility.

Guessing attack: the fact that an adversary cannot learn the value of passwords even if he knows that they have been chosen in a particular dictionary.

6/23

slide-14
SLIDE 14

How can rewriting and unification theory help us in protocol verification?

7/23


slide-16
SLIDE 16

Messages as terms - Back to the BAC protocol

Nonces nr, np and keys kr, kp, ke, km are modelled using names.

Cryptographic primitives are modelled using function symbols:
◮ encryption/decryption: senc/2, sdec/2
◮ concatenation/projections: ⟨_, _⟩/2, proj1/1, proj2/1
◮ mac construction: mac/2

sdec(senc(x, y), y) = x    proj1(⟨x, y⟩) = x    proj2(⟨x, y⟩) = y

Exclusive-or operator: ⊕ of arity 2 and 0 (neutral element)

x ⊕ (y ⊕ z) = (x ⊕ y) ⊕ z    x ⊕ y = y ⊕ x    x ⊕ x = 0    x ⊕ 0 = x

8/23

slide-17
SLIDE 17

Messages as terms - Back to the BAC protocol

Equational theories are useful to model algebraic properties of cryptographic primitives.

8/23


slide-21
SLIDE 21

Computations as recipes

frame = knowledge of the attacker = sequence of messages
φ = {w1 ⊲ u1, ..., wℓ ⊲ uℓ}

Example: adec(aenc(x, pk(y)), y) → x

{w1 ⊲ pk(ska); w2 ⊲ pk(skb); w3 ⊲ skc; w4 ⊲ aenc(⟨a, na⟩, pk(skc))}
(w1, w2, w3: initial knowledge; w4: 1st message of NS)

Some recipes:
◮ from his private key skc, the attacker is able to get his public key with R = pk(w3);
◮ R = aenc(adec(w4, w3), w2) – this is the first step of the man-in-the-middle attack on the NS protocol.

Rewriting is useful to express computations performed by the attacker.

9/23

slide-22
SLIDE 22

Static equivalence

Warm-up → this is the so-called passive attacker

10/23


slide-25
SLIDE 25

The static equivalence problem (φ ∼ ψ)

◮ Input: two substitutions (called frames) φ and ψ
  φ = {w1 ⊲ u1, ..., wℓ ⊲ uℓ}    ψ = {w1 ⊲ v1, ..., wℓ ⊲ vℓ}
◮ Output: Can the attacker distinguish the two frames, i.e. does there exist a test R1 =? R2 such that R1φ =E R2φ but R1ψ ≠E R2ψ (or the converse)?

Example 1: adec(aenc(x, pk(y)), y) = x
◮ φ = {w1 ⊲ pk(sks); w2 ⊲ aenc(yes, pk(sks))}; and
◮ ψ = {w1 ⊲ pk(sks); w2 ⊲ aenc(no, pk(sks))}.

→ They are not in static equivalence: the test aenc(yes, w1) =? w2 holds in φ but not in ψ.

11/23


slide-27
SLIDE 27

The static equivalence problem (φ ∼ ψ)

Example 2: (randomized encryption)
◮ φ = {w1 ⊲ pk(sks); w2 ⊲ aenc(yes, r, pk(sks))}; and
◮ ψ = {w1 ⊲ pk(sks); w2 ⊲ aenc(no, r, pk(sks))}.

→ They are in static equivalence.
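As an added example (not code from the slides), here is a small Python term rewriter covering the recipes of the "Computations as recipes" slide and the static-equivalence tests of this slide: it normalises terms under the deck's rewrite rules (the rule for the 3-ary randomized aenc of Example 2 is an assumption), applies a recipe to a frame, and checks whether a given test tells two frames apart.

```python
# Added example (not from the slides): a small term-rewriting engine for the
# message model of the deck. Terms are nested tuples (symbol, arg1, ...);
# names, variables and frame handles w1, w2, ... are plain strings.
from typing import Dict, Union

Term = Union[str, tuple]
VARS = {"x", "y", "z"}

# Rewrite rules from the slides, oriented left to right. The rule for the
# 3-ary randomized aenc of Example 2 is an assumption made for this example.
RULES = [
    (("sdec", ("senc", "x", "y"), "y"), "x"),
    (("adec", ("aenc", "x", ("pk", "y")), "y"), "x"),
    (("adec", ("aenc", "x", "z", ("pk", "y")), "y"), "x"),   # assumed
    (("proj1", ("pair", "x", "y")), "x"),
    (("proj2", ("pair", "x", "y")), "y"),
]

def match(pat: Term, t: Term, s: Dict[str, Term]) -> bool:
    """Syntactic matching of t against pat; bindings accumulate in s."""
    if isinstance(pat, str):
        if pat in VARS:
            if pat in s:
                return s[pat] == t
            s[pat] = t
            return True
        return pat == t                      # constant symbol
    return (isinstance(t, tuple) and len(t) == len(pat) and t[0] == pat[0]
            and all(match(p, a, s) for p, a in zip(pat[1:], t[1:])))

def apply_subst(t: Term, s: Dict[str, Term]) -> Term:
    if isinstance(t, str):
        return s.get(t, t)
    return (t[0],) + tuple(apply_subst(a, s) for a in t[1:])

def normalize(t: Term) -> Term:
    """t↓: innermost normalisation under RULES (the system is convergent)."""
    if isinstance(t, str):
        return t
    t = (t[0],) + tuple(normalize(a) for a in t[1:])
    for lhs, rhs in RULES:
        s: Dict[str, Term] = {}
        if match(lhs, t, s):
            return normalize(apply_subst(rhs, s))
    return t

def apply_recipe(recipe: Term, frame: Dict[str, Term]) -> Term:
    """Rφ↓: replace the handles w_i by the frame's messages, then normalise."""
    return normalize(apply_subst(recipe, frame))

def distinguishes(r1: Term, r2: Term, phi: Dict[str, Term], psi: Dict[str, Term]) -> bool:
    """Does the test R1 =? R2 hold in exactly one of the two frames?
    (One failing test proves nothing: deciding static equivalence means
    quantifying over all tests, which is the problem of the next slides.)"""
    eq_phi = apply_recipe(r1, phi) == apply_recipe(r2, phi)
    eq_psi = apply_recipe(r1, psi) == apply_recipe(r2, psi)
    return eq_phi != eq_psi

# Constructed frames, transcribed from the slides' examples.
NS_FRAME = {"w1": ("pk", "ska"), "w2": ("pk", "skb"), "w3": "skc",
            "w4": ("aenc", ("pair", "a", "na"), ("pk", "skc"))}
PHI_DET = {"w1": ("pk", "sks"), "w2": ("aenc", "yes", ("pk", "sks"))}
PSI_DET = {"w1": ("pk", "sks"), "w2": ("aenc", "no", ("pk", "sks"))}
PHI_RND = {"w1": ("pk", "sks"), "w2": ("aenc", "yes", "r", ("pk", "sks"))}
PSI_RND = {"w1": ("pk", "sks"), "w2": ("aenc", "no", "r", ("pk", "sks"))}

if __name__ == "__main__":
    print(apply_recipe(("aenc", ("adec", "w4", "w3"), "w2"), NS_FRAME))
    print(distinguishes(("aenc", "yes", "w1"), "w2", PHI_DET, PSI_DET))  # True
```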

11/23

slide-28
SLIDE 28

Static equivalence – some existing results

Theory E                             Deduction                      Static equivalence
subterm convergent                   PTIME (both problems)          [Abadi & Cortier, 06]
blind signature, homo. encryption    decidable (both problems)      [Abadi & Cortier, 06]
ACU                                  NP-complete                    PTIME [Cortier & D., 10]
ACUN / AG                            PTIME [Chevalier et al, 03]    PTIME [Cortier & D., 10]
ACUNh / AGh                          PTIME [D., 06]                 decidable [Cortier & D., 10]

12/23


slide-30
SLIDE 30

The case of monoidal theories, e.g. XOR, AG, ...

Getting some inspiration from existing results and proofs in unification theory, e.g. [Nutt, 90], and [Baader & Schulz, 96], we associate a semi-ring SE to a monoidal theory E: Z/2Z for ACUN, Z for AG, Z/2Z[X] for ACUNh, . . .

Theorem [Cortier & D., 10]

Static equivalence in E is reducible in PTIME to:

Input: two matrices A1 and A2 over SE
Output: does the following equality hold?

$$\{(X, Y) \in S_E^{\ell} \times S_E^{\ell} \mid X \cdot A_1 = Y \cdot A_1\} \;=\; \{(X, Y) \in S_E^{\ell} \times S_E^{\ell} \mid X \cdot A_2 = Y \cdot A_2\}$$

13/23


slide-33
SLIDE 33

Reduction on an example – E = AG and SE = Z

→ a and b two constants (e.g. nonces)
◮ φ1 = {w1 ⊲ a + b + b; w2 ⊲ b; w3 ⊲ a + a + a}

Question: Is a deducible from φ1, i.e. does there exist X such that X · A1 = V?

$$A_1 = \begin{pmatrix} 1 & 2 \\ 0 & 1 \\ 3 & 0 \end{pmatrix} \quad\text{and}\quad V = \begin{pmatrix} 1 & 0 \end{pmatrix}$$

(the rows of A1 are w1, w2, w3; the columns hold the coefficients of a and b)

Answer: Yes! X = (1 −2 0).

→ this corresponds to the recipe R = w1 + −(w2) + −(w2). Indeed, we have that: Rφ1↓ = a + b + b + −(b) + −(b) = a

14/23


slide-36
SLIDE 36

Reduction on an example – E = AG and SE = Z

→ a and b two constants (e.g. nonces)
◮ φ1 = {w1 ⊲ a + b + b; w2 ⊲ b; w3 ⊲ a + a + a}
◮ φ2 = {w1 ⊲ a + b + b; w2 ⊲ b + b; w3 ⊲ 3a − 6b}

Question: Is φ1 ∼? φ2, i.e. do {(X, Y) | X · A1 = Y · A1} and {(X, Y) | X · A2 = Y · A2} have the same set of solutions?

$$A_1 = \begin{pmatrix} 1 & 2 \\ 0 & 1 \\ 3 & 0 \end{pmatrix} \quad\text{and}\quad A_2 = \begin{pmatrix} 1 & 2 \\ 0 & 2 \\ 3 & -6 \end{pmatrix}$$

Answer: Yes! φ1 ∼E φ2

In both cases (deduction and equivalence), we only have to consider sets of linear equations with coefficients in Z.
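The reduction of these slides, carried out as an added Python example (not the slides' or the authors' code): a frame over the names (a, b) is an integer matrix, deduction is solved by Hermite-style integer row reduction (so a non-integer solution such as "half of 2a" is correctly rejected), and static equivalence is checked by comparing the left kernels of the two matrices over Z.

```python
# Added example (not from the slides): the AG / Z reduction of the deck,
# carried out with exact integer row reduction. A frame over the names (a, b)
# is a matrix whose i-th row holds the coefficients of w_i, e.g. a + 2b -> [1, 2].
from typing import List, Optional, Tuple

Row = List[int]

def row_reduce(A: List[Row]) -> Tuple[List[Row], List[Row]]:
    """Hermite-style reduction of A over Z by unimodular row operations, keeping
    track of the coefficients.  Returns (basis, kernel) where
      basis  = rows [echelon vector | X] with X . A = echelon vector,
      kernel = a Z-basis of {Z | Z . A = 0} (the left kernel)."""
    l, n = len(A), len(A[0])
    rows = [A[i][:] + [int(j == i) for j in range(l)] for i in range(l)]
    basis: List[Row] = []
    for c in range(n):
        pivots = [r for r in rows if r[c] != 0]
        rows = [r for r in rows if r[c] == 0]
        while len(pivots) > 1:               # Euclid on column c
            pivots.sort(key=lambda r: abs(r[c]))
            p, rest = pivots[0], pivots[1:]
            pivots = [p]
            for r in rest:
                q = r[c] // p[c]
                r2 = [x - q * y for x, y in zip(r, p)]
                (pivots if r2[c] != 0 else rows).append(r2)
        if pivots:
            p = pivots[0]
            basis.append([-x for x in p] if p[c] < 0 else p)
    return basis, [r[n:] for r in rows]

def deduce(A: List[Row], v: Row) -> Optional[Row]:
    """Deduction: is there X in Z^l with X . A = v?  Returns X, i.e. the
    coefficients of the recipe sum_i X_i * w_i, or None if v is not deducible."""
    basis, _ = row_reduce(A)
    n, x_coeff = len(v), [0] * len(A)
    v = v[:]
    for b in basis:
        c = next(i for i in range(n) if b[i] != 0)
        if v[c] % b[c] != 0:                 # pivot does not divide: no integer solution
            return None
        q = v[c] // b[c]
        v = [x - q * y for x, y in zip(v, b[:n])]
        x_coeff = [x + q * y for x, y in zip(x_coeff, b[n:])]
    return x_coeff if not any(v) else None

def kills(z: Row, A: List[Row]) -> bool:
    """z . A == 0 ?"""
    return all(sum(zi * row[j] for zi, row in zip(z, A)) == 0 for j in range(len(A[0])))

def static_equivalent(A1: List[Row], A2: List[Row]) -> bool:
    """phi1 ~ phi2 in AG iff {(X,Y) | X.A1 = Y.A1} = {(X,Y) | X.A2 = Y.A2};
    with Z = X - Y this is equality of the two left kernels, checked by
    testing each kernel generator of one matrix against the other."""
    _, k1 = row_reduce(A1)
    _, k2 = row_reduce(A2)
    return all(kills(z, A2) for z in k1) and all(kills(z, A1) for z in k2)

# The slides' frames: phi1 = {a+2b; b; 3a}, phi2 = {a+2b; 2b; 3a-6b}.
A1 = [[1, 2], [0, 1], [3, 0]]
A2 = [[1, 2], [0, 2], [3, -6]]

if __name__ == "__main__":
    print(deduce(A1, [1, 0]))           # [1, -2, 0]: R = w1 - w2 - w2 gives a
    print(static_equivalent(A1, A2))    # True
```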

14/23


slide-38
SLIDE 38

Combination result

If deduction and static equivalence are decidable for two disjoint theories E1 and E2, then they are also decidable for E1 ∪ E2. [Cortier & D., 10]

Example: this allows one to combine encryption and exclusive-or.

Proof (sketch): given φ and ψ built on E1 ∪ E2,

1. saturate both frames simultaneously with deducible subterms (notion of alien subterms);
   → this leads to φ⁺ and ψ⁺
2. abstract subterms coming from Ei (i = 1, 2)
   → this leads to φ⁺ᵢ and ψ⁺ᵢ
3. check whether φ⁺ᵢ ≈E2−i ψ⁺ᵢ (with i = 1, 2)

→ inspiration from [Schmidt-Schauß, 89; Baader & Schulz, 96]

15/23

slide-39
SLIDE 39

Caution !

One should never underestimate the attacker! The attacker can listen to the communication but also:
◮ intercept the messages that are sent by the participants,
◮ build new messages according to his deduction capabilities, and
◮ send messages on the communication network.

→ this is the so-called active attacker

16/23


slide-43
SLIDE 43

from frames to constraint systems

A constraint system C is a triple (φ; D; E) where:

1. φ = {w1 ⊲ v1; ...; wℓ ⊲ vℓ} is an open frame;
2. D is a set of deducibility constraints X ⊲? x with ar(X) < ℓ;
3. E is a unification problem (modulo E);
+ some conditions (e.g. monotonicity, origination).

Example: a simple challenge-response protocol
  A → B : {req, n}k
  B → A : {rep, hash(n)}k

1. w1 ⊲ {req, n}k; w2 ⊲ {rep, hash(proj2(sdec(x, k)))}k
2. X ⊲? x with ar(X) = 1
3. proj1(sdec(x, k)) = req

→ Solution: X → w1 (and x → {req, n}k).

17/23


slide-45
SLIDE 45

Existing tools based on constraint solving

→ for a bounded number of sessions only

◮ CL-AtSe [Turuani, RTA’06], OFMC [Basin et al, 05] for reachability properties, e.g. secrecy, authentication: the security problem boils down to deciding whether a constraint system admits a solution.
◮ DeepSec [Cheval et al., 18] for equivalence-based properties, e.g. strong secrecy, vote-privacy, unlinkability: the security problem boils down to deciding whether two (sets of) constraint systems have the same set of solutions.

→ DeepSec also deals with =

18/23


slide-47
SLIDE 47

Going back to monoidal theories

Remember that we associate a semi-ring SE to a monoidal theory E: Z/2Z for ACUN, Z for AG, Z/2Z[X] for ACUNh, ...

→ the previous encoding leads to quadratic equations. However, it can be shown that they have a specific structure, and this has been exploited to derive the following results:

Theory E    SE         Satisfiability                  Equivalence
ACUN        Z/2Z       PTIME [Chevalier et al., 10]    PTIME [Delaune et al., 12]
AG          Z          PTIME [Chevalier et al., 10]    PTIME [Delaune et al., 12]
ACUNh       Z/2Z[h]    PTIME [Delaune et al., 12]      PTIME [Delaune et al., 12]
AGh         Z[h]       PTIME [Delaune et al., 12]      PTIME [Delaune et al., 12]

19/23


slide-50
SLIDE 50

A common difficulty in the active setting

Getting rid of rewriting steps that may occur inside C = (φ; D; E).

Protocol:
  A → B : {n}k
  B → A : {hash(n)}k

Constraint system C = (φ; D; E):
1. w1 ⊲ {n}k; w2 ⊲ {hash(sdec(x, k))}k
2. X ⊲? x with ar(X) = 1
3. E = ∅.

Two kinds of solutions for C:
◮ C1: either x is replaced by an encryption with k, i.e. {y}k, and we can compute in advance that w2 ⊲ {hash(y)}k;
◮ C2: or x is replaced by something else, and in this case w2 ⊲ {hash(sdec(x, k))}k.

No further rewriting step is then authorised in C1 and C2.
→ variant(C) = {C1, C2}

20/23


slide-52
SLIDE 52

Finite Variant Property (FVP)

[Comon & D., 05] An equational theory E (represented by a rewrite system ↓, possibly modulo E′ = AC) has the finite variant property if for any term t, we can compute a finite set of instances tσ1, ..., tσn such that:

$$\{t\sigma{\downarrow} \mid \sigma \in \Sigma\} \;=\; \bigcup_{i=1}^{n} \{t\sigma_i{\downarrow}\theta \mid \theta \in \Sigma\}$$

where Σ is the set of normalized substitutions.
→ variant(t) = {tσ1, ..., tσn}.

Examples:
◮ Symmetric and asymmetric encryption, (blind) signatures, and several equational theories used to model modular exponentiation (up to AC) have the FVP;
◮ homomorphic encryption {⟨x, y⟩}z = ⟨{x}z, {y}z⟩ does not satisfy the FVP.

21/23

slide-53
SLIDE 53

Finite Variant Property (FVP)

A link with rewriting theory! Actually, the finite variant property is implied by the termination of basic narrowing when E′ = ∅. A bit more tricky when E′ = AC.

21/23


slide-55
SLIDE 55

Some existing tools exploiting the FVP

Tamarin [Meier et al., 13], Maude-NPA [Escobar et al., 07], DeepSec [Cheval et al., 18]

From its input rule

  rule B: [!Key(k), In(x)] --> [Out(senc{h(sdec(x,k))}k)]

Tamarin computes:

22/23


slide-58
SLIDE 58

Conclusion

Many UNIF topics are of interest for protocol verification:
◮ Equational unification and unification modulo theories
◮ Narrowing
◮ Higher-Order Unification
◮ Constraint Solving
◮ Disunification
◮ ...

Challenging theory: A useful equational theory on which existing tools behave badly is homomorphic encryption (e-voting protocols): {x}pk(s) ⋆ {y}pk(s) = {x + y}pk(s)

Thank you for listening

23/23