Page 1: Abstractions for Security Protocol Verification. Binh Thanh Nguyen and Christoph Sprenger, Institute of Information Security, Department of Computer Science, ETH …

Research Collection

Report

Abstractions for Security Protocol Verification

Author(s): Nguyen, Thanh Binh; Sprenger, Christoph

Publication Date: 2015

Permanent Link: https://doi.org/10.3929/ethz-a-010347780

Rights / License: In Copyright - Non-Commercial Use Permitted

This page was generated automatically upon download from the ETH Zurich Research Collection. For more information please consult the Terms of use.

ETH Library


Abstractions for Security Protocol Verification

Binh Thanh Nguyen and Christoph Sprenger

Institute of Information Security, Department of Computer Science, ETH Zurich, Switzerland

Abstract. We present a large class of security protocol abstractions with the aim of improving the scope and efficiency of verification tools. We propose typed abstractions, which transform a term's structure based on its type, and untyped abstractions, which remove atomic messages, variables, and redundant terms. Our theory improves on previous work by supporting a useful subclass of shallow subterm-convergent rewrite theories, user-defined types, and untyped variables to cover type flaw attacks. We prove soundness results for an expressive property language that includes secrecy and authentication. Applying our abstractions to realistic IETF protocol models, we achieve dramatic speedups and extend the scope of several modern security protocol analyzers.

1 Introduction

Security protocols play a central role in today's networked applications. Past experience has amply shown that informal arguments justifying the security of such protocols are insufficient. This makes security protocols prime candidates for formal verification. In the last two decades, research in formal security protocol verification has made enormous progress, which is reflected in many state-of-the-art tools including AVANTSSAR [1], ProVerif [6], Maude-NPA [14], Scyther [10], and Tamarin [21]. These tools can verify small to medium-sized protocols in a few seconds or less, sometimes for an unbounded number of sessions. Despite this success, they can still be challenged when verifying real-world protocols such as those defined in standards and deployed on the internet (e.g., TLS, IKE, and ISO/IEC 9798). Such protocols typically have messages with numerous fields, support many alternatives (e.g., cryptographic setups), and may be composed from more basic protocols (e.g., IKEv2-EAP).

Abstraction [7] is a standard technique to over-approximate complex systems by simpler ones for verification. Sound abstractions preserve counterexamples (or attacks in security terms) from concrete to abstracted systems. In the context of security protocols, abstractions are extensively used. Here, we only mention a few examples. First, the Dolev-Yao model is a standard (not necessarily sound) abstraction of cryptography. Second, many tools use abstractions to map the verification problem into the formalism of an efficient solver or reasoner. We call these back-end abstractions. For example, ProVerif [6] translates models in the applied pi calculus to a set of Horn clauses, SATMC [4] reduces protocol verification to SAT solving, and Paulson [23] models protocols as inductively defined trace sets. Finally, some abstractions aim at speeding up automated analysis by simplifying protocols within a given protocol model before feeding them to verifiers [18,22]. Our work belongs to this class of front-end abstractions.

Extending Hui and Lowe's work [18], we proposed in [22] a rich class of protocol abstractions and proved its soundness for a wide range of security properties. We used a type system to uniformly transform all terms of a given type (e.g., a pattern in a protocol role and its instances during execution) whereas [18] only covers ground terms. Our work [22] exhibits several limitations: (1) the theory is limited to the free algebra over a fixed signature; (2) all variables have strict (possibly structured) types, hence we cannot precisely model ticket forwarding or Diffie-Hellman exchanges. While the type system enables fine-grained control over abstractions (e.g., by discerning different nonces), it may eliminate realistic attacks such as type flaw attacks; (3) some soundness conditions involving quantifiers are hard to check in practice; and (4) it presents few experimental results for a single tool (SATMC) using abstractions that are crafted manually.

In this work, we address all the limitations above. First, we work with a useful subclass of shallow subterm-convergent rewrite theories modulo a set of axioms to model cryptographic operations. Second, we support untyped variables, user-defined types, and subtyping. User-defined types enable the grouping of similar atomic types (e.g., session keys) and adjusting the granularity of matching in message abstraction. Third, we have separated the removal of variables, atomic messages, and redundancies (new untyped abstractions) from the transformation of the message structure (typed abstractions). This simplifies the specifications and soundness proof of typed abstractions. Fourth, we provide effectively checkable syntactic criteria for the conditions of the soundness theorem. Finally, we extended Scyther [10] with fully automated support for our abstraction methodology. We validated our approach on an extensive set of realistic case studies drawn from the IKEv1, IKEv2, ISO/IEC 9798, and PANA-AKA standard proposals. Our abstractions result in very substantial performance gains. We have also obtained positive results for several other state-of-the-art verifiers (ProVerif, CL-Atse, OFMC, and SATMC) with manually produced abstractions.

Example: The IKEv2-mac protocol. The Internet Key Exchange (IKE) family of protocols is part of the IPsec protocol suite for securing Internet Protocol (IP) communication. IKE establishes a shared key, which is later used for securing IP packets, realizes mutual authentication, and offers identity protection as an option. Its first version (IKEv1) dates back to 1998 [17]. The second version (IKEv2) [20] significantly simplifies the first one. However, the protocols in this family are still complex and contain a large number of fields.

Concrete protocol. As our running example, we present a member of the IKEv2 family, called IKEv2-mac (or IKEm for short), which sets up a session key using a Diffie-Hellman (DH) key exchange, provides mutual authentication based on MACs, and also offers identity protection. We use Cremers' models of IKE [11] as a basis for our presentation and experiments (see Section 4.2). Our starting point is the following concrete IKEm protocol between an initiator A and a responder B.

IKEm(1). A → B : SPIa, o, sA1, g^x, Na
IKEm(2). B → A : SPIa, SPIb, sA1, g^y, Nb
IKEm(3). A → B : SPIa, SPIb, {|A, B, AUTHa, sA2, tSa, tSb|}_SK
IKEm(4). B → A : SPIa, SPIb, {|B, AUTHb, sA2, tSa, tSb|}_SK

Here, SPIa and SPIb denote the Security Parameter Indices that determine cryptographic algorithms, o is a constant number, sA1 and sA2 are Security Associations, g is the DH group generator, x and y are secret DH exponents, Na and Nb are nonces, and tSa and tSb denote Traffic Selectors specifying certain IP parameters. AUTHa and AUTHb denote the authenticators of A and B and SK the session key derived from the DH key g^xy. These are defined as follows.

SK = kdf(Na, Nb, g^xy, SPIa, SPIb)
AUTHa = mac(sh(A,B), SPIa, o, sA1, g^x, Na, Nb, prf(SK, A))
AUTHb = mac(sh(B,A), SPIa, SPIb, sA1, g^y, Nb, Na, prf(SK, B))

We model the functions mac, kdf, and prf as hash functions and use sh(A,B) and sh(B,A) to refer to the (single) long-term symmetric key shared by A and B.

We consider the following security properties: (P1) the secrecy of the DH key g^xy, which implies the secrecy of SK, and (P2) mutual non-injective agreement on the nonces Na and Nb and the DH half-keys g^x and g^y.

Abstraction. Our theory supports the construction of abstract models by removing inessential fields and operations. For example, in IKEm we can remove: (i) the symmetric encryptions with the session key SK; then (ii) all atomic top-level fields except Na and Nb; (iii) all fields of SK except the DH key g^xy; and (iv) from the authenticators: the fields SPIa, SPIb, and sA1 and the application of prf including the agent names underneath. The resulting protocol is IKE²m:

IKE²m(1). A → B : g^x, Na
IKE²m(2). B → A : g^y, Nb
IKE²m(3). A → B : AUTHa
IKE²m(4). B → A : AUTHb

where SK = kdf(g^xy) and AUTHa = mac(sh(A,B), o, g^x, Na, Nb, SK) for role A and AUTHb = mac(sh(B,A), g^y, Nb, Na, SK) for role B.

Scyther verifies the properties (P1) and (P2) in 8.7s on the concrete and in 1.7s on an automatically generated abstract protocol (which is less intuitive than the one presented here). Our soundness results imply that the original protocol IKEm also enjoys these properties. We chose the protocol IKEm as running example for its relative simplicity compared to the other protocols in our case studies. In many of our experiments (Section 4.2), our abstractions (i) result in much more substantial speedups, or (ii)nable the successful unbounded verification of a protocol where it times out or exhausts memory on the original protocol.

2 Security protocol model

We define a term algebra TΣ(V) over a signature Σ and a set of variables V in the standard way. Let Σn denote the symbols of arity n. We call the elements of Σ0 atoms and write Σ≥1 for the set of proper function symbols. For a fixed Σ≥1, we will vary Σ0 to generate different sets of terms, denoted by T(V, Σ0), including terms in protocol roles, network messages, and types. We write subs(t) for the set of subterms of t and define the size of t by |t| = |subs(t)|. We also define vars(t) = subs(t) ∩ V. If vars(t) = ∅ then t is called ground. We denote the top-level symbol of a (non-variable) term t by top(t) and the set of its symbols in Σ≥1 by ct(t). A position is a sequence of natural numbers. We denote the subterm of t at position p with t|p and write t[u]p for the term obtained by replacing t|p at position p by u. We also partition Σ into sets of public and private symbols, denoted by Σpub and Σpri. We assume Σpub includes pairing 〈·,·〉 which associates to the right, e.g., 〈t, u, v〉 = 〈t, 〈u, v〉〉. We usually write, e.g., {|t, u, v|}k rather than {|〈t, u, v〉|}k. We define the splitting function by split(〈t, u〉) = split(t) ∪ split(u) on pairs and split(t) = {t} on other terms t. We call the elements of split(t) the fields of t. For n ∈ ℕ, n̲ denotes {1, ..., n}.

The set of message terms is M = T(V, A ∪ F ∪ C), where V, A, F, and C are pairwise disjoint infinite sets of variables, agents, fresh values, and constants.

2.1 Type system

We introduce a type system akin to [2] and extend it with subtyping. We define the set of atomic types by Yat = Y0 ∪ {α, msg} ∪ {βn | n ∈ F} ∪ {γc | c ∈ C}, where α, βn, and γc are the types of agents, the fresh value n, and the constant c, respectively. Moreover, msg is the type of all messages and Y0 is a disjoint set of user-defined types. The set of all types is then defined by Y = T(∅, Yat).

We assume that all variables have an atomic type, i.e., V = {Vτ}τ∈Yat is a family of disjoint infinite sets of variables. Let Γ : V → Yat be such that Γ(X) = τ if and only if X ∈ Vτ. We extend Γ to atoms by defining Γ(a) = α, Γ(n) = βn, and Γ(c) = γc for a ∈ A, n ∈ F, and c ∈ C, and then homomorphically to all terms t ∈ M. We call τ = Γ(t) the type of t and sometimes also write t : τ.

The subtyping relation ≼ on types is defined by the following inference rules and by two additional rules (not shown) defining its reflexivity and transitivity.

      τ ∈ Y
    ─────────  S(msg)
     τ ≼ msg

     τ1 ≼0 τ2
    ──────────  S(≼0)
     τ1 ≼ τ2

     τ1 ≼ τ1'  ···  τn ≼ τn'
    ────────────────────────────────  S(c ∈ Σn)
     c(τ1, ..., τn) ≼ c(τ1', ..., τn')

Every type is a subtype of msg by the first rule. The second rule embeds a user-defined atomic subtyping relation ≼0 ⊆ (Yat \ {msg}) × Y0, which relates atomic types (except msg) to user-defined atomic types in Y0. For simplicity, we require that ≼0 is a partial function. The third rule ensures that subtyping is preserved by all symbols. The set of subtypes of τ is τ↓ = {τ' ∈ Y | τ' ≼ τ}.

2.2 Equational theories

An equation over a signature Σ is an unordered pair {s, t}, written s ≃ t, where s, t ∈ TΣ(Vmsg). An equation presentation E = (Σ, E) consists of a signature Σ and a set E of equations over Σ. The equational theory induced by E is the smallest Σ-congruence, written =E, containing all instances of equations in E. We often identify E with the induced equational theory.

A rewrite rule is an oriented pair l → r, where vars(r) ⊆ vars(l) ⊆ Vmsg. A rewrite theory is a triple R = (Σ, Ax, R) where Σ is a signature, Ax a set of Σ-equations, and R a set of rewrite rules. The rewriting relation →R,Ax on TΣ(V) is defined by t →R,Ax t' iff there exists a non-variable position p in t, a rule l → r ∈ R, and a substitution σ such that t|p =Ax lσ and t' = t[rσ]p. If t →*R,Ax t' and t' is irreducible, we call t' R,Ax-normal and also say that t' is a normal form of t. Under suitable termination, confluence, and coherence conditions (see [19] for definitions), one can decompose an equational theory (Σ, E) into a rewrite theory (Σ, Ax, R) where Ax ⊆ E and, for all terms t, u ∈ TΣ(V), we have t =E u iff t↓R,Ax =Ax u↓R,Ax. Here, t↓R,Ax denotes any normal form of t. In this paper, we work with decomposable equational theories.

A rewrite theory R is subterm-convergent if it is convergent and, for each l → r ∈ R, r is either a proper subterm of l or ground and in normal form with respect to R. For our soundness result, we consider the subclass S of subterm-convergent rewrite theories where each rule in R has one of the following forms.

– (R1): d(c(x1, ..., xn, t), u) → xj, where c, d ∈ Σpub, t, u are terms, j ∈ n̲, and x1, ..., xn are pairwise distinct variables with xi ∉ vars(t, u) for all i ∈ n̲.
– (R2): d(c(x1, ..., xn)) → xj, where c, d ∈ Σpub, j ∈ n̲, and x1, ..., xn are pairwise distinct variables.
– (R3): c(x1, ..., xn) → xj, where c ∈ Σpub, xj is a variable with j ∈ n̲, and xi is a variable or an atom for all i ∈ n̲.
– (R4): l → a for a constant a.

Intuitively, the first three forms enable different types of projection of a term's arguments. Rules R1 and R2 apply a destructor d to extract one of c's arguments. In rule R1 the destructor has two arguments. The terms t and u can be seen as a pair of matching keys required to extract xj. Rule R3 uses no destructor. Finally, R4 models rewriting a term to a constant. Since the rules (R1-R3) have limited depth, we call the class S of rewrite theories shallow subterm-convergent.

We also introduce a condition on the equations Ax of the rewrite theory.

Definition 1. A rewrite theory (Σ,Ax,R) is well-formed if for all {s, t} ∈ Ax,we have (i) neither s nor t is a pair and (ii) top(s) = top(t).

We only consider equational theories that can be decomposed into a shallow subterm-convergent, well-formed rewrite theory. These are adequate to model many well-known cryptographic primitives as illustrated by the examples below.

Example 1. We model the protocols of our case studies (see Sections 1 and 4) in the rewrite theory Rcs = (Σcs, Axcs, Rcs) where

Σcs = {sh, pk, pri, prf, kdf, mac, 〈·,·〉, π1, π2, {|·|}·, {|·|}⁻¹·, {·}·, {·}⁻¹·, [·]·, ver} ∪ Σ0cs

contains function symbols for: shared, public, and private long-term keys (where Σpri = {sh, pri}); hash functions prf, kdf, and mac; pairs and projections; symmetric and asymmetric encryption and decryption; and signing and verification. The set of atoms Σ0cs is specified later. The set Rcs consists of rewrite rules for projections (type R2) and for decryption and signature verification (type R1):

π1(〈X, Y〉) → X
π2(〈X, Y〉) → Y
{|{|X|}K|}⁻¹K → X
{{X}pk(K)}⁻¹pri(K) → X
ver([X]pri(K), pk(K)) → X

We have two equations in Axcs, namely, exp(exp(g, X), Y) ≃ exp(exp(g, Y), X) to model Diffie-Hellman key exchange and sh(X, Y) ≃ sh(Y, X).

Example 2. The theory of XOR is given by the following rewrite system where the rules are of types R2, R3 and R4. The rightmost rule ensures coherence [19].

X ⊕ Y ≃ Y ⊕ X            X ⊕ 0 → X        X ⊕ X ⊕ Y → Y
(X ⊕ Y) ⊕ Z ≃ X ⊕ (Y ⊕ Z)        X ⊕ X → 0

For our theoretical development, we consider an arbitrary but fixed shallow subterm-convergent and well-formed rewrite theory (Σ, Ax, R) that includes the function symbols and rewrite rules for pairing and projections.

We denote by dom(g) and ran(g) the domain and range of a function g. We now define well-typed substitutions, which respect subtyping.

Definition 2 (Well-typed substitutions). A substitution θ is well-typed if Γ((Xθ)↓R,Ax) ≼ Γ(X) for all X ∈ dom(θ).

2.3 Protocols

For a set of terms T, we define the set of events Evt(T) = {snd(t), rcv(t) | t ∈ T} and term(ev(t)) = t for event ev(t). A role is a sequence of events from Evt(M).

Definition 3 (Protocol). A protocol is a function P : Vα ⇀ Evt(M)* mapping agent variables to roles. Let MP = term(ran(P)) be the set of protocol terms appearing in the roles of P, and let VP, AP, FP, and CP denote the sets of variables, agents, fresh values, and constants in MP.

Example 3 (IKEm protocol). We formalize the IKEm protocol from Section 1 in the rewrite theory of Example 1 as follows, using upper-case (lower-case) identifiers for variables (atoms). The atoms Σ0cs are composed of constants C = {g, o, sA1, sA2, tSa, tSb} and fresh values F = {na, nb, x, y, sPIa, sPIb}. The variables and their types are A, B : α, Ga, Gb : msg, SPIa, SPIb, Na, Nb : nonce where nonce is a user-defined type that satisfies βn ≼0 nonce for all n ∈ F. We show here the initiator role A. The responder role B is dual.

IKEm(A) = snd(sPIa, o, sA1, exp(g, x), na) · rcv(sPIa, SPIb, sA1, Gb, Nb) · snd(sPIa, SPIb, {|A, B, AUTHaa, sA2, tSa, tSb|}SKa) · rcv(sPIa, SPIb, {|B, AUTHba, sA2, tSa, tSb|}SKa)

where the terms SKa = kdf(na, Nb, exp(Gb, x), sPIa, SPIb) and

AUTHaa = mac(sh(A,B), sPIa, o, sA1, exp(g, x), na, Nb, prf(SKa, A))
AUTHba = mac(sh(A,B), sPIa, SPIb, sA1, Gb, Nb, na, prf(SKa, B))

represent the initiator A's view of the session key and of the authenticators.

      u ∈ T
    ─────────  Ax
     T ⊢E u

     T ⊢E t'    t' =E t
    ─────────────────────  Eq
          T ⊢E t

     T ⊢E t1  ···  T ⊢E tn
    ───────────────────────────  Comp (f ∈ Σ≥1pub)
       T ⊢E f(t1, ..., tn)

Fig. 1. Intruder deduction rules (where Σ≥1pub = Σ≥1 ∩ Σpub)

2.4 Operational semantics

Let TID be a countably infinite set of thread identifiers. When we instantiate a role into a thread for execution, we mark its variables and fresh values with the thread identifier i. We define the instantiation t#i of a term t for i ∈ TID as the term where every variable or fresh value u is replaced by u_i. Constants and agents remain unchanged. Instantiation does not affect the type of a term.

We define by T♯ = {t#i | t ∈ T ∧ i ∈ TID} the set of instantiations of terms in a set T and abbreviate T♭ = T ∪ T♯. For example, M♯ is the set of instantiated message terms, which we will use to instantiate roles into threads. We define the set of network messages exchanged during protocol execution by N = T(V♯, A ∪ F♯ ∪ F• ∪ C), where F• = {n•k | n ∈ F ∧ k ∈ ℕ} is the set of attacker-generated fresh values. Note that M♯ ⊆ N. We abbreviate T = M ∪ N.

We use a Dolev-Yao attacker model parametrized by an equational theory E. Its judgements are of the form T ⊢E t meaning that the intruder can derive term t from the set of terms T. The derivable judgements are defined in a standard way by the three deduction rules in Figure 1.
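The rewrite rules of Example 1 and the deduction rules of Figure 1, as an added worked example in Python; this is not code from the paper, from Scyther, or from any other tool named here. It normalises ground terms with the projection and decryption rules of Rcs, approximates equality modulo Axcs with a canonical form (commutativity of sh and of the two DH exponents), and decides T ⊢E t for a ground knowledge set with the usual two-phase procedure for subterm-convergent theories: first close T under the destructors using keys the intruder can already compose (this discharges the Eq rule), then check that t is in the closure (Ax) or can be built from it with public symbols (Comp). The IKEm session data, the atom names and the symbol names fst, snd, senc, sdec, aenc, adec, sign, ver are this example's own constructions for the paper's π1, π2, {|·|}, {|·|}⁻¹, {·}, {·}⁻¹, [·], ver.

```python
"""Rewriting in R_cs (Example 1) and Dolev-Yao deduction (Fig. 1); an added
example, not the paper's code.  Atom = string, compound term = (symbol, args...),
pairs right-associated as ('pair', t, u).  fst/snd/senc/sdec/aenc/adec/sign/ver
spell the paper's π1, π2, {|·|}, {|·|}^-1, {·}, {·}^-1, [·], ver.  Equality
modulo Ax_cs is approximated by a canonical form, not by rewriting modulo Ax."""

PRIVATE = {'sh', 'pri'}  # Σ_pri of Example 1; every other symbol is public

def pair(*ts):
    """〈t1, ..., tn〉 as a right-associated nest of pairs (〈t〉 = t)."""
    return ts[0] if len(ts) == 1 else ('pair', ts[0], pair(*ts[1:]))

def top(t):
    """Top-level symbol of a compound term, None for an atom."""
    return None if isinstance(t, str) else t[0]

def canon(t):
    """Representative modulo Ax_cs; the arguments are already canonical."""
    if top(t) == 'sh':                                    # sh(X,Y) ≃ sh(Y,X)
        return ('sh',) + tuple(sorted(t[1:], key=repr))
    if top(t) == 'exp' and top(t[1]) == 'exp' and t[1][1] == 'g':
        a, b = sorted((t[1][2], t[2]), key=repr)          # exp(exp(g,X),Y) ≃ exp(exp(g,Y),X)
        return ('exp', ('exp', 'g', a), b)
    return t

def root_step(t):
    """One rewrite of R_cs at the root (all its rules have shape R1 or R2), or None."""
    s = top(t)
    if s == 'fst' and top(t[1]) == 'pair':                       # π1(〈X,Y〉) → X
        return t[1][1]
    if s == 'snd' and top(t[1]) == 'pair':                       # π2(〈X,Y〉) → Y
        return t[1][2]
    if s == 'sdec' and top(t[1]) == 'senc' and t[1][2] == t[2]:  # {|{|X|}K|}^-1_K → X
        return t[1][1]
    if s == 'adec' and top(t[1]) == 'aenc' and top(t[1][2]) == 'pk' \
            and t[2] == ('pri', t[1][2][1]):                     # {{X}pk(K)}^-1_pri(K) → X
        return t[1][1]
    if s == 'ver' and top(t[1]) == 'sign' and top(t[1][2]) == 'pri' \
            and t[2] == ('pk', t[1][2][1]):                      # ver([X]pri(K), pk(K)) → X
        return t[1][1]
    return None

def norm(t):
    """t↓R,Ax: normalise the arguments, canonicalise, rewrite at the root until stuck."""
    if isinstance(t, str):
        return t
    t = canon((t[0],) + tuple(norm(a) for a in t[1:]))
    r = root_step(t)
    return t if r is None else norm(r)

def synth(K, t):
    """Rules Ax and Comp of Fig. 1 over a set K of normal forms."""
    t = norm(t)
    if t in K:
        return True
    if isinstance(t, str) or t[0] in PRIVATE:
        return False
    return all(synth(K, a) for a in t[1:])

def analyse(K):
    """Close K under the destructors of R_cs with keys the intruder can compose;
    for a subterm-convergent theory, derivability is synth over this closure."""
    K = {norm(t) for t in K}
    changed = True
    while changed:
        changed = False
        for t in list(K):
            s, new = top(t), []
            if s == 'pair':
                new = [t[1], t[2]]
            elif s == 'senc' and synth(K, t[2]):
                new = [t[1]]
            elif s == 'aenc' and top(t[2]) == 'pk' and synth(K, ('pri', t[2][1])):
                new = [t[1]]
            elif s == 'sign' and top(t[2]) == 'pri' and synth(K, ('pk', t[2][1])):
                new = [t[1]]
            for u in new:
                if u not in K:
                    K.add(u)
                    changed = True
    return K

def derivable(K, t):
    """T ⊢E t for a ground knowledge set T = K."""
    return synth(analyse(K), t)

def ikem_intruder_view(leak_sk=False):
    """A passive intruder's view of one IKEm session (constructed sample data,
    atoms named after Example 3); leak_sk adds SK to its initial knowledge."""
    gx, gy = ('exp', 'g', 'x'), ('exp', 'g', 'y')
    gxy = ('exp', gx, 'y')
    sk = ('kdf', pair('na', 'nb', gxy, 'spia', 'spib'))
    auth_a = ('mac', pair(('sh', 'a', 'b'), 'spia', 'o', 'sa1', gx, 'na', 'nb',
                          ('prf', pair(sk, 'a'))))
    msg1 = pair('spia', 'o', 'sa1', gx, 'na')
    msg2 = pair('spia', 'spib', 'sa1', gy, 'nb')
    msg3 = pair('spia', 'spib', ('senc', pair('a', 'b', auth_a, 'sa2', 'tsa', 'tsb'), sk))
    ik0 = {'a', 'b', 'g', 'o', 'sa1', 'sa2', 'tsa', 'tsb'}   # A ∪ C ⊆ IK0
    K = ik0 | {msg1, msg2, msg3} | ({sk} if leak_sk else set())
    targets = {'na': 'na', 'gx': gx, 'gxy': gxy, 'sk': sk, 'auth_a': auth_a}
    return {name: derivable(K, t) for name, t in targets.items()}
```

Without the session key the intruder learns the top-level fields of the first two messages and the half-key g^x but not g^xy, SK, or AUTHa; with SK added to its knowledge it decrypts the third message and obtains AUTHa, but still not g^xy, because kdf is a one-way hash and the exponents never appear in the clear. Keys are compared on canonical forms, so a ciphertext under sh(a,b) decrypts with sh(b,a), as Axcs requires, and exp(exp(g,y),x) is recognised as the same key as exp(exp(g,x),y).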

We define a transition system with states (tr, th, σ), where

– tr is a trace consisting of a sequence of pairs of thread identifiers and events,
– th : TID ⇀ dom(P) × Evt(M♯P)* are threads executing role instances, and
– σ : V♯ ⇀ N is a well-typed ground substitution from instantiated protocol variables to network messages such that V♯P ⊆ dom(σ).

The trace tr as well as the executing role instance are symbolic (with terms in M♯). The separate substitution σ instantiates these messages to (ground) network messages. The ground trace associated with such a state is trσ.

The set InitP of initial states of protocol P contains all (ε, th, σ) satisfying

∀i ∈ dom(th). ∃R ∈ dom(P). th(i) = (R, P(R)#i)

where all terms in the respective protocol roles are instantiated. The substitution σ is chosen non-deterministically in the initial state.

The rules in Figure 2 define the transitions.

     th(i) = (R, snd(t) · tl)
    ───────────────────────────────────────────────────────  SEND
     (tr, th, σ) → (tr · (i, snd(t)), th[i ↦ (R, tl)], σ)

     th(i) = (R, rcv(t) · tl)     IK(tr)σ ∪ IK0 ⊢E tσ
    ───────────────────────────────────────────────────────  RECV
     (tr, th, σ) → (tr · (i, rcv(t)), th[i ↦ (R, tl)], σ)

Fig. 2. Operational semantics

In both rules, the first premise states that a send or receive event heads thread i's role. This event is removed and added together with the thread identifier i to the trace tr. The substitution σ remains unchanged. The second premise of RECV requires that the network message tσ matching the term t in the receive event is derivable from the intruder's (ground) knowledge IK(tr)σ ∪ IK0. Here, IK(tr) denotes the (symbolic) intruder knowledge derived from a trace tr as the set of terms in the send events on tr, i.e., IK(tr) = {t | ∃i. (i, snd(t)) ∈ tr} and IK0 denotes the intruder's (ground) initial knowledge. We assume A ∪ C ∪ F• ⊆ IK0 and IK0 is R,Ax-normal. Note that the SEND rule implicitly updates this intruder knowledge.

2.5 Property language

We use the same specification language as in [22] to express secrecy and authentication properties. Hence, we only sketch some of its elements and give examples. There are atomic formulas to express equality (t = u), the secrecy of a term (secret(t)), the occurrence of an event e by thread i in the trace (steps(i, e)), that thread i executes role R, and the honesty of other agents in the view of a thread i. Quantification is allowed over thread identifier variables. To achieve attack preservation, the predicate secret(t) may occur only positively.

Example 4 (Properties of IKEm). We express the secrecy of the Diffie-Hellman key exp(Gb, x) for role A of the protocol IKEm of Example 3 as follows.

φs = ∀j. (role(j, A) ∧ honest(j, [A, B]) ∧ steps(j, rcv(t4))) ⇒ secret(exp(Gb_j, x_j)).

where t4 = 〈sPIa, SPIb, {|B, AUTHba, sA2, tSa, tSb|}SKa〉 and honest(j, [A, B]) means that A and B are honest. We formalize non-injective agreement of A with B on the nonces na and nb and the DH half-keys exp(g, x) and exp(g, y) by

φa = ∀j. (role(j, A) ∧ honest(j, [A, B]) ∧ steps(j, rcv(t4))) ⇒
        (∃k. role(k, B) ∧ steps(k, snd(〈SPIa, sPIb, sA1, exp(g, y), nb〉)) ∧
             〈A_j, B_j, na_j, Nb_j, exp(g, x_j), Gb_j〉 = 〈A_k, B_k, Na_k, nb_k, Ga_k, exp(g, y_k)〉).

3 Security protocols abstractions

We introduce our security protocol abstractions and illustrate their usefulness on our running example. We will present two types of protocol abstractions:

Typed abstractions transform a term's structure by reordering or removing fields and by splitting or removing cryptographic operations. The same transformations are applied to all terms of a given type and its subtypes.

Untyped abstractions complement typed ones with additional simplifications: the removal of unprotected atoms and variables and of redundant subterms.

Our main results are soundness theorems for these abstractions. They ensure that any attack on a given property of the original protocol translates to an attack on the abstracted protocol. As we will see, these results hold under certain conditions on the protocol and the property. Here, we will focus on typed abstractions, but we will also briefly introduce the untyped ones (for more details, see Appendices G.1 to G.3).

3.1 Typed protocol abstractions

Our typed abstractions are specified by a list of recursive equations subject to some conditions on their shape. We define their semantics in terms of a simple Haskell-style functional program. We use both pattern matching on terms and subtyping on types to select the equation to be applied to a given term. This ensures that terms of related types are transformed in a uniform manner.

Syntax. Let W = {Wτ}τ∈Y be a family of pattern variables disjoint from V. We define the set of patterns by P = T(W, ∅). A pattern p ∈ P is called linear if each (pattern) variable occurs at most once in p. We extend the typing function Γ to patterns by setting Γ(X) = τ if and only if X ∈ Wτ and then lifting it homomorphically to all patterns. Our typed message abstractions are instances of the following recursive function specifications.

Definition 4. A function specification Ff = (f, Ef) consists of a unary function symbol f ∉ Σ1 and a list of equations

Ef = [f(p1) = u1, ..., f(pn) = un],

where each pi ∈ P is a linear pattern such that ui ∈ TΣ≥1∪{f}(vars(pi)) for all i ∈ n̲, i.e., ui consists of variables from pi and function symbols from Σ≥1 ∪ {f}.

We use vectors (lists) of terms t = [t1, ..., tn] for n > 0. We define set(t) = {t1, ..., tn} and f(t) = 〈f(t1), ..., f(tn)〉, the elementwise application of a function f to a vector where the result is converted to a tuple (with the convention 〈t〉 = t). We extend split to vectors by split(t) = split(set(t)). We define three sets of function symbols occurring in R and Ax as follows.

CR = {c | d(c(x1, ..., xn, t), u) → xj ∈ R}
CKey = ⋃{ct(t) ∪ ct(u) | d(c(x1, ..., xn, t), u) → xj ∈ R}
CAx = ⋃{ct(s) ∪ ct(t) | {s, t} ∈ Ax}

The function pp(c) returns the set of extractable indices of a function symbol c, i.e., pp(c) = {j | d(c(x1, ..., xn, t), u) → xj ∈ R or d(c(x1, ..., xn)) → xj ∈ R}.


Definition 5 (Typed abstraction). A function specification Ff = (f, Ef) is a typed abstraction if each equation in Ef has the form

f(c(p1, ..., pn)) = 〈e1, ..., ed〉

where for each i ∈ d̲ we have either

(a) ei = f(q) such that q ∈ split(pj) for some j ∈ n̲, or
(b) ei = c(f(q1), ..., f(qn)) such that set(qj) ⊆ split(pj) for all j ∈ n̲, c ≠ 〈·,·〉, and c ∈ CR implies qn = [pn], i.e., f(qn) = f(pn).

Moreover, we require (i) for all j ∈ pp(c) we have split(pj) ⊆ Qj where

Qj = ⋃{set(qj) | ∃i ∈ d̲. ei = c(f(q1), ..., f(qn))} ∪ {q | ∃i ∈ d̲. ei = f(q)},

and (ii) if c ∈ CAx ∪ CKey then pi = Xi : msg for all i ∈ n̲, d = 1 and e1 = c(f(X1), ..., f(Xn)) is an instance of (b); we say Ff is homomorphic for c.

Intuitively, the abstractions can only weaken the cryptographic protection of terms, but never strengthen it. Each equation in Ef maps a term with top-level symbol c to a tuple whose components have the form (a) or (b). Form (a) allows us to pull fields out of the scope of c, hence removing c's protection. Using form (b) we can reorder or remove fields in each argument of c. Form (b) is subject to two conditions. First, we disallow this form for pairs to obtain the simple shape f(〈p1, p2〉) = f(q). Second, we cannot permit the reordering or removal of fields in key positions, i.e., in the last argument of c ∈ CR. Moreover, by point (i), all fields of extractable arguments, i.e., elements of split(pj) for j ∈ pp(c), must be present in some ei and point (ii) requires that the abstraction is homomorphic for function symbols c occurring in axioms and in keys (c ∈ CAx ∪ CKey).

Example 5. We present a typed abstraction Ff = (f, Ef) illustrating a representative selection of the possible message transformations. Suppose X : γc, Y : nonce, and Z, U, V : msg and let Ef consist of the following three equations:

f(〈X, Y, Z〉) = 〈f(Y), f(X), f(Z)〉
f(kdf(X, Y, U, V)) = 〈kdf(f(X), f(Y)), kdf(f(U))〉
f({|X, Y, Z|}U) = 〈{|f(X), f(Y)|}f(U), f(Y), {|f(Z)|}f(U)〉

The patterns' types filter the matching terms: X and Y only match the constant c and a nonce, respectively. The first equation swaps the first two fields in n-tuples for n ≥ 3. The second one splits a kdf hash into two, removing the field V. The last equation splits an encryption: the pair 〈f(X), f(Y)〉 and f(Z) are encrypted separately with the key f(U) and f(Y) is pulled out of the encryption. Note that by condition (i) of Definition 5, we cannot directly remove plaintext fields from encryptions. To achieve this, we pull such fields out of encryptions to the top level. This may require a combination of several abstractions if there are multiple layers of cryptographic protection. At the top level, the fields are no longer protected and can be removed using untyped abstractions. In Section 4.1, we will discuss our heuristics to determine sequences of abstractions automatically.


fun f(t) = case t of
    ‖(f(p)=u)∈E⁺f   p | Γ(t) ≼ Γ(p) ⇒ u

Program 1. Functional program f resulting from Ff = (f, Ef).

Semantics. The semantics of a typed abstraction Ff is given by the Haskell-style functional program f (Program 1).¹ To ensure totality, we use the extended function specification (f, E⁺f) = (f, Ef · E0f), where f(g(Z1, ..., Zn)) = g(f(Z1), ..., f(Zn)) ∈ E0f for each g ∈ Σn with n ≥ 1 such that Zi : msg for all i ∈ n̲, and f(Z) = Z with Z : msg is the last clause in E0f. We assume Ef and E0f do not share variables. The case statement has a clause

p | Γ(t) ≼ Γ(p) ⇒ u

for each equation f(p) = u of E⁺f. Such a clause is enabled if (1) the term t matches the pattern p, i.e., t = pθ for some substitution θ, and (2) its type Γ(t) is a subtype of Γ(p). The first enabled clause is executed. Hence, the equations E0f serve as fall-back clauses, which cover the terms not handled by Ef. In particular, the last clause f(Z) = Z handles exactly the atoms and variables.

We extend f to events, event sequences, and traces by applying f to the terms they contain and to substitutions and protocols by applying f to the terms in their range. Similarly, we extend f to formulas φ of our property language by applying f to all terms occurring in φ.
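To make the case-statement semantics concrete, here is an added Python model of Program 1; it is an illustration written for this page, not code from the paper or its tool. Terms are nested tuples, types are either strings or constructor-headed tuples, and subtyping is simplified to a structural relation with msg as top (the atomic subtype relation ≼₀ and R,Ax-normalization are left out). The three clauses, the constructor names senc, kdf, prf and pair, and the types agent, nonce, key and const are assumed for the example and only echo the shape of the encryption, kdf and prf clauses of Example 6 below.

```python
"""Case-statement semantics of a typed abstraction (cf. Program 1).

Added illustration, not the paper's code. Terms are nested tuples:
("atom", name, type), ("var", name, type) or (op, arg1, ..., argn).
A type is a string for an atomic type or (op, type1, ..., typen) for a
composed type. Subtyping is simplified: every type is below "msg", an
atomic type is only below itself, and composed types are compared
constructor-wise (the paper's atomic subtype relation is left out).
"""

MSG = "msg"


def gamma(t):
    """Gamma(t): declared type of an atom/variable, structural type otherwise."""
    if t[0] in ("atom", "var"):
        return t[2]
    return (t[0],) + tuple(gamma(a) for a in t[1:])


def subtype(tau, pi):
    """tau is a subtype of pi (simplified relation, see module docstring)."""
    if pi == MSG:
        return True
    if isinstance(tau, str) or isinstance(pi, str):
        return tau == pi
    return (tau[0] == pi[0] and len(tau) == len(pi)
            and all(subtype(a, b) for a, b in zip(tau[1:], pi[1:])))


def match(p, t, theta=None):
    """Syntactic matching: a substitution theta with p theta = t, or None."""
    theta = {} if theta is None else theta
    if p[0] == "var":
        if p[1] in theta:            # patterns are linear; guard anyway
            return theta if theta[p[1]] == t else None
        theta[p[1]] = t
        return theta
    if p[0] == "atom":
        return theta if p == t else None
    if t[0] in ("atom", "var") or p[0] != t[0] or len(p) != len(t):
        return None
    for pa, ta in zip(p[1:], t[1:]):
        if match(pa, ta, theta) is None:
            return None
    return theta


def make_abstraction(clauses):
    """Build f from E_f, given as [(pattern p, rhs)] with rhs(theta, f) = u theta.

    A clause is enabled if t matches p and Gamma(t) is a subtype of Gamma(p);
    the first enabled clause wins. The fall-back clauses E0_f apply f
    homomorphically to unmatched composed terms and are the identity on
    atoms and variables (the last clause f(Z) = Z)."""
    def f(t):
        for p, rhs in clauses:
            theta = match(p, t)
            if theta is not None and subtype(gamma(t), gamma(p)):
                return rhs(theta, f)
        if t[0] in ("atom", "var"):
            return t
        return (t[0],) + tuple(f(a) for a in t[1:])
    return f


def V(name, ty=MSG):
    """Pattern variable of the given type (msg by default)."""
    return ("var", name, ty)


# Three clauses in the spirit of Example 6 (assumed names/types, simplified):
#   f(senc(X, Y, Z))    = <f(X), f(Y)>   split the encryption, drop the key Z
#   f(kdf(Z1, ..., Z5)) = kdf(f(Z3))     keep only Z3 : exp(msg, msg)
#   f(prf(U, Z))        = f(U)           drop prf around a key U : kdf(msg)
EXAMPLE_CLAUSES = [
    (("senc", V("X"), V("Y"), V("Z")),
     lambda th, f: ("pair", f(th["X"]), f(th["Y"]))),
    (("kdf", V("Z1"), V("Z2"), V("Z3", ("exp", MSG, MSG)), V("Z4"), V("Z5")),
     lambda th, f: ("kdf", f(th["Z3"]))),
    (("prf", V("U", ("kdf", MSG)), V("Z")),
     lambda th, f: f(th["U"])),
]
f1 = make_abstraction(EXAMPLE_CLAUSES)

if __name__ == "__main__":
    # Constructed sample terms; the atom types are assumed.
    A, na, k = ("atom", "A", "agent"), ("atom", "na", "nonce"), ("atom", "k", "key")
    dh = ("exp", ("atom", "g", "const"), ("atom", "x", "nonce"))
    print(f1(("senc", ("pair", A, ("prf", ("kdf", dh), A)), na, k)))
    print(f1(("prf", na, A)))   # type filter: U : kdf(msg) does not match a nonce
```

The prf clause shows how the pattern type Γ(p) filters matching: prf(na, A) with a nonce in the first position matches the pattern syntactically but fails the check Γ(t) ≼ Γ(p) because nonce is not below kdf(msg), so the term falls through to the homomorphic fall-back clause and is left unchanged.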

Finding abstractions. Finding abstractions is fully automated by our tool using a heuristic that we will describe in Section 4.1. However, the resulting abstractions can be counterintuitive. Therefore, we present here a simplified strategy that we apply to our running example below: We start by identifying the terms that appear in the secret(·) predicates and equations of the desired properties. Then we determine the cryptographic operations that are essential to achieve these properties and try to remove all other terms and operations.

Example 6 (from IKE_m to IKE¹_m). In order to preserve the secrecy of the DH key exp(exp(g, x), y) and the agreement on na, nb, exp(g, x), and exp(g, y), we have to keep either the mac or the symmetric encryption with SK (see Examples 3 and 4). We want to remove as many other fields and operations as possible (e.g., prf). We choose to remove the encryption as this allows us to later remove additional fields (e.g., sA2) using untyped abstractions. We keep o in AUTHa to prevent unifiability with AUTHb and hence potential false negatives. This leads us to the typed abstraction F_1 = (f_1, E_1) where E_1 is defined by the equations

f_1({|X, Y|}_Z) = 〈f_1(X), f_1(Y)〉
f_1(mac(X_1, ..., X_8)) = mac(f_1([X_1, X_3, X_5, X_6, X_7, X_8]))
f_1(mac(Y_1, ..., Y_8)) = mac(f_1([Y_1, Y_5, Y_6, Y_7, Y_8]))
f_1(kdf(Z_1, ..., Z_5)) = kdf(f_1(Z_3))
f_1(prf(U, Z)) = f_1(U)

(where we omitted the homomorphic clauses for exp and 〈·, ·〉) and X : α, X_3 : γ_o, Y_3 : nonce, Z_3 : exp(msg, msg), U : kdf(msg) and all remaining pattern variables are of type msg. Applying f_1 to IKE_m we obtain IKE¹_m. Here is the abstracted initiator role.

S_{IKE¹_m}(A) = snd(sPIa, o, sA1, exp(g, x), na) · rcv(sPIa, SPIb, sA1, Gb, Nb) ·
                snd(sPIa, SPIb, A, B, AUTHaa, sA2, tSa, tSb) · rcv(sPIa, SPIb, B, AUTHba, sA2, tSa, tSb)

with SKa = kdf(exp(Gb, x)), AUTHaa = mac(sh(A, B), o, exp(g, x), na, Nb, SKa), and AUTHba = mac(sh(A, B), Gb, Nb, na, SKa). In a second step, we will remove most fields in the roles of IKE¹_m using untyped abstractions.

¹ We are overloading the symbol f here, but no confusion should arise.

3.2 Soundness of typed abstractions

To justify the soundness of our abstractions, we show that any attack on a property φ of the original protocol P is reflected as an attack on the property f(φ) of the abstracted protocol f(P). We decompose this into reachability preservation (RP) and attack preservation (AP) as follows. We require that, for all reachable states (tr, th, σ) of P, there is a ground substitution σ′ such that

(RP) (f(tr), f(th), σ′) is a reachable state of f(P), and
(AP) (tr, th, σ) ⊭ φ implies (f(tr), f(th), σ′) ⊭ f(φ).

These properties will require some assumptions about the protocol P, the formula φ, and the abstraction f. Before we formally state the soundness theorem, we will introduce and motivate these assumptions while sketching its proof. For the remainder of this subsection we assume arbitrary but fixed P, φ, F_f.

We start with two basic properties of abstractions. The first one, which we call the substitution property, states that f(tθ) = f(t)f(θ) for well-typed R,Ax-normal substitutions θ. This does not hold in general. For example, suppose E_f contains the clauses f(h(Y : γ_c)) = f(X) and f(h(X : msg)) = h(f(X)) in this order. Then the property is violated for t = h(Z : msg) and θ = [c/Z]. Thus, we must ensure that t and all its instances tθ are transformed uniformly, i.e., match the same clauses of E_f. We therefore require that (i) the patterns in E_f must not overlap and (ii) all recursive calls of f on composed terms during the transformation of t are handled by the clauses of E_f, without recourse to the fall-back clauses in E⁰_f. This is formalized in the following two definitions where we denote the set of pattern types of a list of equations L by Π(L) = {Γ(p) | (f(p) = u) ∈ L}, we define Π_f = Π(E_f), and let Rec(F_f, t) be the set of terms u such that f(u) is called in the computation of f(t).


Definition 6. A function specification F_f is pattern-disjoint if the types in Π_f are pairwise disjoint, i.e., Γ(p_i)↓ ∩ Γ(p_j)↓ = ∅ for all i, j ∈ n such that i ≠ j.

Definition 7 (Uniform domain). We define the uniform domain of F_f by udom(F_f) = {t ∈ T | Γ(Rec(F_f, t)) ⊆ Π_f↓ ∪ Y_at}.

We will require that the protocol terms t ∈ M_P belong to this set, which ensures that their instances tθ with R,Ax-normal substitutions θ are transformed uniformly. We henceforth assume that F_f is pattern-disjoint. Note that the abstractions defined in Examples 5 and 6 are pattern-disjoint.

Theorem 1 (Substitution property). Let t ∈ udom(F_f) and θ be a well-typed and R,Ax-normal substitution. Then f(tθ) = f(t)f(θ).

The second basic property needed in our soundness proof is that abstractions preserve equality modulo E. We decompose this into the preservation of Ax-equality and of rewriting steps. Neither is preserved in general. To ensure this we need the following two definitions.

Definition 8 (R,Ax-closedness). F_f is R,Ax-closed if the following holds: t =_Ax u implies (τ_t ≼ τ if and only if τ_u ≼ τ), for all R,Ax-normal composed terms t : τ_t and u : τ_u and all τ ∈ Π(E⁺_f).

We henceforth assume that F_f is R,Ax-closed. In Appendix F, we present a syntactic criterion for checking this. To achieve the preservation of rewriting steps under abstraction, we must ensure that, for all positions p in t where a rule l → r ∈ R is applicable, the redex t|_p in t is transformed into a redex f(t|_p) in f(t) that still Ax-matches l. This is the purpose of the following definition.

Definition 9 (R,Ax-homomorphism). We say that f is R,Ax-homomorphic for a term t if for all non-variable positions p in t and for all rules l → r ∈ R such that there exists a well-typed Ax-unifier of t|_p and l, it holds that

(i) f is homomorphic for all c ∈ ct(l),
(ii) f is homomorphic for top(t|_{p′}) and top(t|_{p′}) ≠ top(l′) for all strict prefixes p′ of p and rewrite rules l′ → r′ ∈ R such that ct(l′) is not a singleton.

We define rdom(F_f) to be the set of terms for which f is R,Ax-homomorphic.

Many interesting protocols P satisfy M_P ⊆ rdom(F_f), including those from our case studies. Since we must also cover redexes arising by instantiating protocol terms t ∈ M_P, this definition employs Ax-unification rather than Ax-matching. The definition ensures that instantiations with R,Ax-normal substitutions and rewriting steps both preserve the membership of terms in rdom(F_f).

Theorem 2 (Equality preservation). Let t and u be terms such that t, u ∈ rdom(F_f). Then t =_E u implies f(t) =_E f(u).


Reachability preservation (RP). To achieve reachability preservation, we prove that every step of P can be simulated by a corresponding step of f(P). In particular, to simulate receive events, we show that intruder deducibility is preserved under abstractions f (cf. second premise of rule RECV), i.e.,

Tθ, IK_0 ⊢_E uθ  ⇒  f(T)f(θ↓_{R,Ax}), f(IK_0) ⊢_E f(u)f(θ↓_{R,Ax}).   (1)

This property is also required to show the preservation of attacks on secrecy as part of (AP). We first establish deducibility preservation for ground terms:

Theorem 3 (Deducibility preservation). Let T ∪ {t} ⊆ N be a set of ground network messages such that C ⊆ T and T is R,Ax-normal. Then T ⊢_E t implies f(T) ⊢_E f(t↓_{R,Ax}).

We can now derive (1) by applying Theorems 3, 2 and 1 in this order, combined with applications of rule Eq and a cut property of intruder deduction. Summarizing, reachability preservation (RP) holds for M_P ⊆ udom(F_f) ∩ rdom(F_f).

Attack preservation (AP). We next define and explain the conditions on formulas needed to establish attack preservation. Let

– Sec_φ be the set of all terms t that occur in formulas secret(t) in φ,
– Eq_φ be the set of pairs (t, u) such that the equation t = u occurs in φ and EqTerm_φ = {t, u | (t, u) ∈ Eq_φ} is the set of underlying terms, and
– Evt_φ be the set of events occurring in φ.

Let Eq⁺_φ be the positively occurring equations in φ and similarly for Evt_φ.

Definition 10 (Safe formulas). φ is safe for P and f if

(i) Sec_φ ∪ EqTerm_φ ⊆ udom(F_f) ∩ rdom(F_f),
(ii) f(tσ) =_E f(uσ) implies tσ =_E uσ for all (t, u) ∈ Eq⁺_φ and for all well-typed R,Ax-normal ground substitutions σ, and
(iii) f(t) = f(u) implies t = u, for all e(t) ∈ Evt⁺_φ and e(u) ∈ Evt(M_P).

Condition (i) requires that F_f is uniform and R,Ax-homomorphic for the terms in secrecy statements and equalities. Condition (ii) expresses the injectivity of the abstraction on the terms in positively occurring equalities. This condition is required to preserve attacks on agreement properties. In other words, it prevents abstractions from fixing attacks on agreement by identifying two terms that differ in the original protocol. In Appendix F, we provide a syntactic criterion to check condition (ii) that avoids the universal quantification over substitutions. Condition (iii) is required for properties involving event orderings and steps predicates. It states that the abstraction must not identify an event occurring positively in the property with a distinct protocol event.

We now state the soundness theorem. Below, IK_0 and IK′_0 respectively denote the intruder’s initial knowledge associated with P and f(P).


Theorem 4 (Soundness). Suppose P, φ, and F_f satisfy (i) f(IK_0) ⊆ IK′_0, (ii) F_f is pattern-disjoint and R,Ax-closed, (iii) M_P ⊆ udom(F_f) ∩ rdom(F_f), and φ is safe for P and f. Then, for all states (tr, th, σ) reachable in P, we have

1. (f(tr), f(th), f(σ↓_{R,Ax})) is a reachable state of f(P), and
2. (tr, th, σ) ⊭ φ implies (f(tr), f(th), f(σ↓_{R,Ax})) ⊭ f(φ).

3.3 Untyped abstractions

Typed abstractions offer a wide range of possibilities to transform cryptographic operations including subterm removal, splitting, and pulling fields outside a cryptographic operation. We complement these abstractions with two kinds of untyped abstractions that allow us to remove (1) unprotected atoms and variables of any type and (2) redundancy in the form of intruder-derivable terms. Untyped protocol abstractions are functions g : T → T ∪ {nil} where messages to be removed are mapped to nil. We remove events with nil arguments from the roles. Here we have to content ourselves with an example and refer the reader to Appendix G for the details and soundness results.

Atom/variable removal. The removal abstraction rem_T : T → T ∪ {nil} for a set T of atoms or variables is defined by

– rem_T(u) = nil if u ∈ T♭,
– rem_T(〈t_1, t_2〉) = rem_T(t_i) if rem_T(t_{3−i}) = nil for some i ∈ 2, and 〈rem_T(t_1), rem_T(t_2)〉 otherwise,
– rem_T(t) = t for all other terms.

In order to preserve attacks, we have to restrict the removal of atoms and variables from a protocol term t to fields u ∈ split(t) that appear only unprotected (clear) in t, i.e., such that u ∉ subs(t) \ split(t).

Example 7 (IKE¹_m to IKE²_m). We use atom/variable removal to simplify the protocol IKE¹_m. First, we recall the specification of role A of IKE¹_m.

S_{IKE¹_m}(A) = snd(sPIa, o, sA1, exp(g, x), na) · rcv(sPIa, SPIb, sA1, Gb, Nb) ·
                snd(sPIa, SPIb, A, B, AUTHaa, sA2, tSa, tSb) · rcv(sPIa, SPIb, B, AUTHba, sA2, tSa, tSb)

We remove the role names A and B, the constants o, sA1, sA2, tSa, tSb, the fresh value sPIa, and the variable SPIb using an atom/variable removal abstraction. The result is the protocol IKE²_m whose initiator role is defined as follows.

S_{IKE²_m}(A) = snd(exp(g, x), na) · rcv(Gb, Nb) · snd(AUTHaa) · rcv(AUTHba)

We also apply the typed abstraction from Example 6 and the untyped abstraction here to the properties φ_s and φ_a of Example 4. These only affect the events in the steps predicates. The relevant soundness conditions are satisfied.
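As an added example (not the paper's code), the following Python block implements rem_T together with the clear-field restriction and reproduces the step of Example 7 on the initiator role. The occurrence-based reading of the restriction (a field u of t is clear if it is not a strict subterm of any other field of t), the encoding of n-tuples as right-nested pairs, and the modelling of the shared key sh(A, B) as a single atom kAB, so that the role names occur only as top-level fields in this encoding, are assumptions of the example.

```python
"""Atom/variable removal rem_T on roles (cf. Section 3.3 and Example 7).

Added illustration, not the paper's code. Terms are nested tuples:
("atom", name), ("var", name) or (op, arg1, ..., argn); n-tuples are
right-nested pairs ("pair", a, b). Events are ("snd", t) or ("rcv", t).
The shared key sh(A, B) is modelled as an opaque atom kAB (an assumption).
"""

NIL = None


def tup(fields):
    """Right-nested pair encoding of an n-tuple (n >= 1)."""
    fields = list(fields)
    return fields[0] if len(fields) == 1 else ("pair", fields[0], tup(fields[1:]))


def split(t):
    """Top-level fields of t, in order."""
    return split(t[1]) + split(t[2]) if t[0] == "pair" else [t]


def subs(t):
    """All subterms of t (including t itself)."""
    out = {t}
    if t[0] not in ("atom", "var"):
        for a in t[1:]:
            out |= subs(a)
    return out


def is_clear(t, u):
    """u is a field of t that is not a strict subterm of any field of t,
    i.e. it appears only unprotected in t (occurrence reading, assumed)."""
    fields = split(t)
    protected = set()
    for v in fields:
        protected |= subs(v) - {v}
    return u in fields and u not in protected


def rem(t, T):
    """rem_T(t): nil for removed atoms/variables, pairs rebuilt without nil."""
    if t in T:
        return NIL
    if t[0] == "pair":
        r1, r2 = rem(t[1], T), rem(t[2], T)
        if r1 is NIL:
            return r2          # also NIL when both sides are removed
        if r2 is NIL:
            return r1
        return ("pair", r1, r2)
    return t                   # composed fields such as a mac are not entered


def abstract_role(role, T):
    """Apply rem_T to every event; drop events whose argument becomes nil.
    Raises ValueError if some u in T is a field of a protocol term but also
    occurs protected in it, since removing it there would not preserve attacks."""
    out = []
    for ev, t in role:
        for u in T:
            if u in split(t) and not is_clear(t, u):
                raise ValueError(f"{u} is not a clear field of {t}")
        r = rem(t, T)
        if r is not NIL:
            out.append((ev, r))
    return out


def atom(n):
    return ("atom", n)


def var(n):
    return ("var", n)


# Role A of IKE1_m from Example 7 (constructed encoding; sh(A,B) as atom kAB).
A, B, o, sA1, sA2, tSa, tSb = map(atom, ["A", "B", "o", "sA1", "sA2", "tSa", "tSb"])
g, x, na, sPIa, kAB = map(atom, ["g", "x", "na", "sPIa", "kAB"])
SPIb, Gb, Nb = map(var, ["SPIb", "Gb", "Nb"])
gx = ("exp", g, x)
SKa = ("kdf", ("exp", Gb, x))
AUTHaa = ("mac", kAB, o, gx, na, Nb, SKa)
AUTHba = ("mac", kAB, Gb, Nb, na, SKa)
ROLE_A = [
    ("snd", tup([sPIa, o, sA1, gx, na])),
    ("rcv", tup([sPIa, SPIb, sA1, Gb, Nb])),
    ("snd", tup([sPIa, SPIb, A, B, AUTHaa, sA2, tSa, tSb])),
    ("rcv", tup([sPIa, SPIb, B, AUTHba, sA2, tSa, tSb])),
]
REMOVED = {A, B, o, sA1, sA2, tSa, tSb, sPIa, SPIb}


def ike2_role_a():
    """Initiator role of IKE2_m obtained from ROLE_A by rem_REMOVED."""
    return abstract_role(ROLE_A, REMOVED)
```

Note that o is removed from message 1 although it also occurs inside AUTHaa in message 3: the restriction is checked per protocol term, and rem_T never enters the mac, so the protected occurrence is untouched. A nonce that is both a top-level field and a mac argument of the same term is rejected by the check.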


Redundancy removal. A redundancy removal abstraction rd enables the elimination of redundancies within each role of a protocol. Intuitively, a protocol term t appearing in a role r can be abstracted to rd(t) if t and rd(t) are derivable from each other under the intruder knowledge T containing the terms preceding t in r and the initial knowledge IK_0. For example, we can simplify r = snd(t) · rcv(〈t, u〉) to snd(t) · rcv(u). In contrast to atom/variable removal, redundancy removal can also remove composed terms. It is therefore a very effective ingredient for automatic abstraction, which we describe next.
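The mutual-derivability condition for rd can be checked with a small Dolev-Yao deduction procedure. The Python block below is an added example rather than the paper's implementation: it saturates the intruder knowledge under projection and decryption, checks composability by constructor application, and drops the top-level fields of each protocol term that are already derivable from IK_0 and the preceding terms of the role, verifying the two derivability directions for each abstracted term. The constructors senc, mac, h and pair, the constructed sample role, and the treatment of variables as atoms are assumptions of the example; the paper's own step snd(t) · rcv(〈t, u〉) ↦ snd(t) · rcv(u) is the first pair of events.

```python
"""Redundancy removal rd on a role, driven by intruder deduction (cf. Section 3.3).

Added illustration, not the paper's code. Terms are nested tuples:
("atom", name), ("var", name) or (op, arg1, ..., argn); n-tuples are
right-nested pairs ("pair", a, b). Deduction is a small Dolev-Yao relation:
projection of pairs, decryption of senc(m, k) with a derivable key k, and
application of any constructor (pair, senc, mac, h, ...) to derivable terms.
Variables in received messages are treated like atoms, a simplification.
"""


def tup(fields):
    """Right-nested pair encoding of an n-tuple (n >= 1)."""
    fields = list(fields)
    return fields[0] if len(fields) == 1 else ("pair", fields[0], tup(fields[1:]))


def split(t):
    """Top-level fields of t, in order."""
    return split(t[1]) + split(t[2]) if t[0] == "pair" else [t]


def synth(known, t):
    """t is composable from known terms by constructor applications."""
    if t in known:
        return True
    if t[0] in ("atom", "var"):
        return False
    return all(synth(known, a) for a in t[1:])


def analyze(T):
    """Closure of T under projection and decryption (fixpoint iteration)."""
    known = set(T)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = []
            if t[0] == "pair":
                new = [t[1], t[2]]
            elif t[0] == "senc" and synth(known, t[2]):   # senc(m, k): key known
                new = [t[1]]
            for u in new:
                if u not in known:
                    known.add(u)
                    changed = True
    return known


def derivable(T, t):
    """T |- t in the Dolev-Yao relation above."""
    return synth(analyze(T), t)


def rd_role(role, ik0):
    """Drop every top-level field of a protocol term that the intruder can
    already derive from IK0 and the terms preceding it in the role, and check
    that the original and the abstracted term are derivable from each other
    under that knowledge (the condition on rd stated in the text)."""
    T = set(ik0)
    out = []
    for ev, t in role:
        kept = [v for v in split(t) if not derivable(T, v)]
        if kept:
            r = tup(kept)
            assert derivable(T | {t}, r) and derivable(T | {r}, t)
            out.append((ev, r))
        else:
            assert derivable(T, t)      # t is fully redundant: event removed
        T.add(t)
    return out


def atom(n):
    return ("atom", n)


# Constructed sample: the paper's snd(t) . rcv(<t, u>) step, followed by a
# hashed field, a nonce variable and a mac under a key unknown to the intruder.
t, u, k = atom("t"), atom("u"), atom("k")
na, Nb = atom("na"), ("var", "Nb")
ROLE = [
    ("snd", t),
    ("rcv", tup([t, u])),
    ("snd", na),
    ("rcv", tup([na, ("h", na), Nb, ("mac", k, Nb)])),
]


def example():
    """rd applied to ROLE with an empty initial intruder knowledge."""
    return rd_role(ROLE, ik0=set())
```

In the last event, na and h(na) are dropped because both follow from the earlier snd(na), whereas Nb and mac(k, Nb) stay: the variable is fresh to the intruder and the mac key k is never derivable, so neither direction of the derivability check would hold without them.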

4 Implementation and experimental results

We have implemented our abstraction methodology for the Scyther tool and tested it on a variety of complex protocols, mainly stemming from the IKE and ISO/IEC 9798 families. Scyther is an efficient verifier for security protocols. It supports verification for both a bounded and an unbounded number of threads. Protocols are specified by a set of linear role scripts. It also supports user-defined types. These features match our setting very well.

4.1 Abstraction heuristics

Our tool computes a series of successively more abstract protocols. Each abstraction step consists of a typed abstraction followed by a redundancy and an atom/variable removal abstraction. A heuristic guides the automatic generation of the typed abstractions. These abstractions may be partially user-specified.

Central to our heuristic are the (sub)terms of Sec_φ and EqTerm_φ for a given property φ, which we call essential terms. The heuristic assigns security labels, c for confidentiality and a for authenticity, to cryptographic primitives as their intended security guarantees. These labels are inherited by subterms. Concretely, we label symmetric encryptions and MACs with c and a, asymmetric encryptions and hashes with c, and signatures with a. Based on this labeling, we decide which fields are pulled outside of or removed from the topmost cryptographic operations. The main criterion is that these transformations must preserve the following labeling properties of each essential term t: the presence of an a label on some occurrence of t and of c labels on all occurrences of t. The successive abstractions work from the outside to the inside of the original protocol’s terms. The untyped abstractions simply remove all inessential top-level fields.

Example 8. We can simplify the term {|B, AUTHba, sA2, tSa, tSb|}_SKa where AUTHba = mac(sh(A, B), sPIa, SPIb, sA1, Gb, Nb, na, prf(SKa, B)) of the IKE_m protocol from Example 3 in two successive abstraction steps as follows.

{|B, AUTHba, sA2, tSa, tSb|}_SKa ↦ 〈B, AUTHba, sA2, tSa, tSb〉
AUTHba ↦ mac(sh(A, B), Gb, Nb, na, prf(SKa, B))

In the first step, we pull the whole plaintext out of the encryption since the security labels of essential terms (underlined) are preserved by the mac. In the second step, we transform AUTHba by keeping essential and removing inessential terms. Note that removing the term u = prf(SKa, B) or pulling it out of the mac would not preserve authenticity for the essential term x inside SKa. In a further step, we can simplify u by deleting inessential subterms and dropping prf.

Our abstractions are sound, but not complete. Therefore, we may encounter false negatives, i.e., spurious attacks. We carefully try to avoid these, for instance, by checking that abstractions do not introduce new pairs of unifiable terms. We currently do not check automatically whether an attack is spurious. Whenever an attack on a protocol P is found, we proceed to analyze (only) the failed properties on the next more concrete protocol in the series of abstractions.

4.2 Experimental results

We have validated the effectiveness of our abstractions on 22 members of the IKE and ISO/IEC 9798 protocol families and on the PANA-AKA protocol [3]. We verify these protocols using five tools based on four different techniques: Scyther [10], CL-Atse [25], OFMC [5], SATMC [4], and ProVerif [6]. Only Scyther and ProVerif support verification of an unbounded number of threads. In Table 1, we present a selection of the experimental results for Scyther and refer to Appendix H for a complete account, including results for other tools. Our models of the IKE and ISO/IEC 9798 protocols are based on Cremers’ [8,9]. Since Scyther uses a fixed signature with standard cryptographic primitives and no equational theories, the IKE models approximate the DH theory by oracle roles.

We mark verified properties by ✓ and falsified ones by ×. An entry ✓/× means the property holds for one role but not for the other. Each row consists of two lines, corresponding to the analysis time without (line 1) and with (line 2) abstraction for 3-8 or unboundedly many (∞) threads. The times were measured on a cluster of 12-core AMD Opteron 6174 processors with 64 GB RAM each. They include computing the abstractions (4-20 ms) and the verification itself.

Verification. For 8 of the 12 original protocols that are verified, an unbounded verification attempt results in a timeout (TO = 8h cpu time) or memory exhaustion (ME). In 6 of these, our abstractions enabled a verification in less than 0.4 seconds and in one case in 78 seconds. However, for the first two protocols, we still get a timeout. For the large majority of the bounded verification tasks, we significantly push the bound on the number of threads and achieve massive speedups. For example, our abstractions enable the verification of the complex nested protocols IKEv2-eap and PANA-AKA. Scyther verifies an abstraction of IKEv2-eap for up to 6 threads and, more strikingly, completes the unbounded verification of the simplified PANA-AKA in under 0.1 seconds whereas it can handle only 4 threads of the original. We also achieve dramatic speedups for many other protocols, most notably for IKEv1-pk-a22, ISO/IEC 9798-2-6, and ISO/IEC 9798-3-6-2. Moreover, the verification time for many abstracted protocols increases much more slowly than for their originals. We obtain almost constant verification times for the six ISO/IEC 9798 protocols, whereas the time significantly increases on some originals, e.g., for ISO/IEC 9798-3-6-1. For a few protocols, e.g., IKEv2-sigtomac and IKEv2-mac, the speedup is more modest.

protocol               No  Props     3         4         5         6         7         8         ∞
IKEv1-pk-a22            1  ✓ ✓       18.48     82.93     249.55    554.09    1006.04   1734.85   TO
                                     0.83      1.26      2.08      3.47      5.96      10.28     TO
IKEv2-eap               5  ✓ ✓       TO        TO        TO        TO        TO        TO        TO
                                     78.35     798.44    4212.71   20911.20  TO        TO        TO
IKEv2-mac               5  ✓ ✓       1.85      4.91      6.72      8.07      8.42      8.49      8.70
                                     0.62      1.77      1.83      1.73      1.73      1.80      1.74
IKEv2-mactosig          4  ✓ ✓       11.65     141.37    1075.46   7440.81   TO        TO        TO
                                     2.89      12.38     24.54     38.68     53.36     65.07     77.68
IKEv2-sigtomac          5  ✓ ✓       6.15      33.19     65.05     115.34    204.93    206.45    237.34
                                     3.59      12.72     28.44     44.44     55.11     66.97     67.15
IKEv1-pk-m              2  ×         48.62     269.92    507.40    869.23    16254.80  TO        TO
                                     0.04      0.05      0.05      0.05      0.05      0.05      TO
IKEv1-pk-m2             2  ✓/×       18.26     274.87    4438.72   TO        TO        TO        TO
                                     1.48      7.79      32.75     110.32    339.93    963.08    TO
IKEv1-sig-m             2  ×         0.34      0.45      0.45      0.45      0.45      0.46      0.44
                                     0.05      0.05      0.05      0.06      0.05      0.05      0.06
IKEv1-sig-m-perlman     2  ×         2.86      13.99     40.78     67.83     72.08     72.15     109.03
                                     0.05      0.05      0.05      0.05      0.05      0.05      0.05
ISO/IEC 9798-2-5        1  ✓         0.78      8.96      73.87     564.67    4214.22   TO        TO
                                     0.07      0.11      0.12      0.11      0.11      0.11      0.11
ISO/IEC 9798-2-6        1  ✓         0.57      3.74      18.42     67.01     196.30    488.04    21278.58
                                     0.05      0.04      0.05      0.05      0.05      0.05      0.05
ISO/IEC 9798-3-6-1      2  ✓ ✓       43.08     802.95    8903.70   ME        ME        ME        ME
                                     0.13      0.18      0.19      0.19      0.19      0.19      0.19
ISO/IEC 9798-3-6-2      1  ✓ ✓       2.74      8.67      19.56     33.91     52.51     69.48     90.04
                                     0.12      0.15      0.15      0.15      0.15      0.15      0.15
ISO/IEC 9798-3-7-1      2  ✓ ✓       40.43     740.47    7483.36   16631.42  ME        ME        ME
                                     0.13      0.18      0.19      0.19      0.19      0.19      0.19
ISO/IEC 9798-3-7-2      1  ✓ ✓       2.38      7.71      16.68     26.99     35.06     49.49     TO
                                     0.22      0.32      0.33      0.33      0.33      0.33      0.33
PANA-AKA                5  ✓ ✓ ✓ ✓   5769.53   TO        TO        TO        TO        TO        TO
                                     0.10      0.10      0.10      0.10      0.10      0.10      0.10

Table 1. Experimental results. The time is in seconds. No: number of abstractions. Props: the properties Secrecy, Aliveness, Weak agreement, and Non-injective agreement (S A W N). Columns 3 to 8 and ∞ give the number of threads; each row has two lines, without (line 1) and with (line 2) abstraction.

Falsification. For rows marked by ×, the second line corresponds to the falsification time for the most abstract model, which is much faster than on the original one. For example, for 8 threads of the IKEv1-pk-m protocol, we reduce the falsification time from a timeout to 0.05 seconds. In the unbounded case, the speedup factors are 7 for IKEv1-sig-m and 2180 for IKEv1-sig-m-perlman. A manual analysis of the abstract attacks shows that none of them is spurious, suggesting that our measures to prevent them are effective. We expect that fast automatic detection of spurious attacks is feasible and will affect performance only negligibly.


Combination. For the IKEv1-pk-m2 protocol, the tool verifies non-injective agreement for one role and falsifies it for the other one. Surprisingly, we obtain a remarkable speedup even though the analysis of this protocol is done three times (for two abstract and the original models). Our abstractions push the feasibility bound from 5 to 8 threads. As the property is verified very quickly for one role on the most abstract model, it needs to be analyzed only for the other role at lower abstraction levels. This explains the remarkable speedups we obtain and therefore illustrates an advantage of our abstraction mechanism in this case.

5 Related work and conclusions

Hui and Lowe [18] define several kinds of abstractions similar to ours with the aim of improving the performance of the CASPER/FDR verifier. They establish soundness only for ground messages and encryption with atomic keys. We work in a more general model, cover additional properties, and treat the non-trivial issue of abstracting the open terms in protocol specifications. Other works [24,13,12] also propose a set of syntactic transformations, however without formally establishing their soundness. Using our results, we can, for instance, justify the soundness of the refinements in [13, Section 3.3]. Guttman [16,15] studies the preservation of security properties for a rich class of protocol transformations in the strand space model. His approach to property preservation is based on the simulation of protocol analysis steps instead of execution steps. Each such step explains the origin of a message. He does not have a syntactic soundness check.

In this work, we propose a set of syntactic protocol transformations that allows us to abstract realistic protocols and capture a large class of attacks. Unlike previous work [22,18], our theory and soundness results accommodate equational theories, untyped variables, user-defined types, and subtyping. These features allow us to accurately model protocols, capture type-flaw attacks, and adapt to different verification tools, e.g., those supporting equational theories such as ProVerif and CL-atse. We have extended Scyther with an abstraction module, which we validated on various IKE and ISO/IEC 9798 protocols. We also tested our technique (with manually produced abstractions) on ProVerif, CL-atse, OFMC, and SATMC. Our experiments clearly show that modern protocol verifiers can substantially benefit from our abstractions, which often either enable previously unfeasible verification tasks or lead to dramatic speedups.

Our abstraction tool does not check for spurious attacks. We plan to add thisfunctionality to complete the automatic abstraction-refinement process. We arealso interested in generalizing the tool and supporting more protocol verifiers.

Acknowledgements. We thank Mathieu Turuani and Michael Rusinowitch for our discussions on the topic of this paper, Cas Cremers for his help with Scyther, David Basin, Ognjen Maric, and Ralf Sasse for their careful proof-reading, and the anonymous reviewers for their useful feedback. This work is partially supported by the EU FP7-ICT-2009 Project No. 256980, NESSoS: Network of Excellence on Engineering Secure Future Internet Software Services and Systems.


References

1. Armando, A., et al.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS. Lecture Notes in Computer Science, vol. 7214, pp. 267–282. Springer (2012)

2. Arapinis, M., Duflot, M.: Bounding messages for free in security protocols. In: Arvind, V., Prasad, S. (eds.) FSTTCS. Lecture Notes in Computer Science, vol. 4855, pp. 376–387. Springer (2007)

3. Arkko, J., Haverinen, H.: RFC 4187: Extensible authentication protocol method for 3rd generation authentication and key agreement (EAP-AKA) (2006), http://www.ietf.org/rfc/rfc4187

4. Armando, A., Compagna, L.: SAT-based model-checking for security protocols analysis. International Journal of Information Security 7(1), 3–32 (2008)

5. Basin, D.A., Mödersheim, S., Viganò, L.: OFMC: A symbolic model checker for security protocols. Int. J. Inf. Sec. 4(3), 181–208 (2005)

6. Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: CSFW. pp. 82–96. IEEE Computer Society (2001)

7. Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Graham, R.M., Harrison, M.A., Sethi, R. (eds.) POPL. pp. 238–252. ACM (1977)

8. Cremers, C.: IKEv1 and IKEv2 protocol suites (2011), https://github.com/cascremers/scyther/tree/master/gui/Protocols/IKE

9. Cremers, C.: ISO/IEC 9798 authentication protocols (2012), https://github.com/cascremers/scyther/tree/master/gui/Protocols/ISO-9798

10. Cremers, C.J.F.: The Scyther tool: Verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV. Lecture Notes in Computer Science, vol. 5123, pp. 414–418. Springer (2008)

11. Cremers, C.J.F.: Key exchange in IPsec revisited: Formal analysis of IKEv1 and IKEv2. In: Atluri, V., Díaz, C. (eds.) ESORICS. Lecture Notes in Computer Science, vol. 6879, pp. 315–334. Springer (2011)

12. Datta, A., Derek, A., Mitchell, J.C., Pavlovic, D.: Abstraction and refinement in protocol derivation. In: Proc. 17th IEEE Computer Security Foundations Workshop (CSFW) (2004)

13. Datta, A., Derek, A., Mitchell, J.C., Pavlovic, D.: A derivation system and compositional logic for security protocols. Journal of Computer Security 13, 423–482 (2005)

14. Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: Cryptographic protocol analysis modulo equational properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD. Lecture Notes in Computer Science, vol. 5705, pp. 1–50. Springer (2007)

15. Guttman, J.D.: Transformations between cryptographic protocols. In: Degano, P., Viganò, L. (eds.) ARSPA-WITS. LNCS, vol. 5511, pp. 107–123. Springer (2009)

16. Guttman, J.D.: Security goals and protocol transformations. In: Theory of Security and Applications (TOSCA). LNCS, vol. 6993. Springer (2011)

17. Harkins, D., Carrel, D.: The Internet Key Exchange (IKE). IETF RFC 2409 (Proposed Standard) (Nov 1998), http://www.ietf.org/rfc/rfc2409.txt

18. Hui, M.L., Lowe, G.: Fault-preserving simplifying transformations for security protocols. Journal of Computer Security 9(1/2), 3–46 (2001)

19. Jouannaud, J., Kirchner, H.: Completion of a set of rules modulo a set of equations. SIAM J. Comput. 15(4), 1155–1194 (1986)

20. Kaufman, C., Hoffman, P., Nir, Y., Eronen, P.: Internet Key Exchange Protocol Version 2 (IKEv2). IET RFC 5996 (September 2010), http://tools.ietf.org/html/rfc5996

21. Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV. Lecture Notes in Computer Science, vol. 8044, pp. 696–701. Springer (2013)

22. Nguyen, B.T., Sprenger, C.: Sound security protocol transformations. In: Basin, D.A., Mitchell, J.C. (eds.) POST. Lecture Notes in Computer Science, vol. 7796, pp. 83–104. Springer (2013)

23. Paulson, L.: The inductive approach to verifying cryptographic protocols. J. Computer Security 6, 85–128 (1998)

24. Pavlovic, D., Meadows, C.: Deriving secrecy in key establishment protocols. In: Proc. 11th European Symposium on Research in Computer Security (ESORICS). pp. 384–403 (2006)

25. Turuani, M.: The CL-Atse protocol analyser. In: Pfenning, F. (ed.) RTA. Lecture Notes in Computer Science, vol. 4098, pp. 277–286. Springer (2006)


A Basic lemmas about the auxiliary functions and the type system

A.1 Lemma about splitting

Lemma 1. For all t, u ∈ T(V, Σ_0) and all substitutions θ, split(t) ⊆ split(u) implies that split(tθ) ⊆ split(uθ).

Proof. Suppose that split(t) ⊆ split(u) and v ∈ split(tθ). To show that v ∈ split(uθ) we distinguish two cases:

1. There is some t′ ∈ split(t) that is not a variable and v = t′θ. Then t′ ∈ split(u) and thus t′ is not a pair. Since t′ is neither a variable nor a pair, we have v ∈ split(uθ).
2. There is a variable X ∈ split(t) such that v ∈ split(Xθ). Then X ∈ split(u) and thus v ∈ split(uθ).

This completes the proof of the lemma. ⊓⊔

A.2 Lemmas about the type system

The subtyping relation respects the types’ structures.

Lemma 2. Let τ, τ′ ∈ Y be such that τ ≼ τ′ and τ′ ≠ msg. Then either

(i) τ and τ′ are atomic and τ ≠ msg, or
(ii) τ and τ′ are composed and there is n ≥ 1 and g ∈ Σ_n such that τ = g(τ_1, ..., τ_n), τ′ = g(τ′_1, ..., τ′_n), and τ_i ≼ τ′_i for i ∈ n.

Proof. We prove this lemma by rule induction on the derivation of τ ≼ τ′, depending on the last rule R that has been applied.

– R = S(msg): we have τ ∈ Y and τ′ = msg, contradicting our assumption.
– R = S(≼_0): we have τ ≼_0 τ′. Then it is clear that both τ and τ′ are atomic and τ ≠ msg by the definition of ≼_0.
– R = S(refl): we have τ = τ′ and thus the conclusion holds trivially.
– R = S(trans): here, there is a τ″ such that τ ≼ τ″ and τ″ ≼ τ′. Since τ′ ≠ msg, we derive (i) or (ii) for τ″ and τ′ from the induction hypothesis for τ″ ≼ τ′. In both cases, we have τ″ ≠ msg. Therefore, we can also apply the induction hypothesis to τ ≼ τ″. Hence, we either have that τ, τ″, and τ′ are all atomic and τ ≠ msg or they all have the same top-level constructor g and the arguments of τ and τ″ and of τ″ and τ′ are in the subtyping relation and we conclude by applying S(trans) on the argument types.
– R = S(Σ_n): In this case, the conclusion (ii) follows directly from the rules’ premises and conclusions.
⊓⊔

The following lemma states that well-typed substitutions respect types.


Lemma 3. Let $\theta$ be an $R,Ax$-normal substitution that is well-typed. Then for all terms $t \in \mathcal{T}$, we have $\Gamma(t\theta) \preceq \Gamma(t)$.

Proof. The proof proceeds by induction on $t$.

– If $t$ is an atom then $t\theta = t$ and thus the lemma holds trivially.
– If $t$ is a variable $X$ then we distinguish two cases. If $X \notin \mathrm{dom}(\theta)$ then we have $X\theta = X$ and this case holds trivially. Otherwise, we have $\Gamma(X\theta) \preceq \Gamma(X)$, since $\theta$ is well-typed and $R,Ax$-normal.
– If $t = c(t_1, \ldots, t_n)$ for some $c \in \Sigma_n$ and $n \geq 1$ then we have $t\theta = c(t_1\theta, \ldots, t_n\theta)$. Moreover, by the induction hypothesis, we have $\Gamma(t_i\theta) \preceq \Gamma(t_i)$ for all $i \in n$. This yields $\Gamma(t\theta) \preceq \Gamma(t)$ as required.

□


B Basic properties of typed abstractions

In this section, we prove several properties of typed abstractions. First, we showthat two terms whose types are in a subtyping relation must be transformed bythe same clause. Second, we describe the shapes of transformed terms in differentcases. At the end, we prove that type inference is preserved under abstractions.

B.1 Uniform matching

The following lemma states that a term $t$ matches a linear pattern $p$ whenever $t$'s type is a subtype of $p$'s type.

Lemma 4. Let $p \in \mathcal{P}$ be a linear pattern. Then, for all $t \in \mathcal{T}$ such that $\Gamma(t) \preceq \Gamma(p)$ there exists a substitution $\sigma : \mathrm{vars}(p) \to \mathcal{T}$ such that $p\sigma = t$.

Proof. We prove the lemma by induction on the structure of $p$. Below we use the abbreviations $\tau = \Gamma(t)$ and $\pi = \Gamma(p)$.

– If $p$ is a pattern variable, then we define $\sigma = \{t/p\}$, hence $p\sigma = t$.
– If $p = g(p_1, \ldots, p_n)$ for $g \in \Sigma_n$, $n \geq 1$, then since $\Gamma(p) = \pi$, there exist $\pi_1, \ldots, \pi_n$ such that

$$\pi = g(\pi_1, \ldots, \pi_n) \quad\text{and}\quad \Gamma(p_i) = \pi_i \text{ for } i \in n.$$

Since $\tau \preceq \pi$, by Lemma 2, we have

$$\tau = g(\tau_1, \ldots, \tau_n) \quad\text{and}\quad \tau_i \preceq \pi_i \text{ for } i \in n.$$

Since $\Gamma(t) = \tau$ and $\tau$ is composed, $t$ is not a variable. Therefore, we have

$$t = g(t_1, \ldots, t_n) \quad\text{and}\quad \Gamma(t_i) = \tau_i \text{ for } i \in n.$$

Hence, by the induction hypothesis, there are $\sigma_i : \mathrm{vars}(p_i) \to \mathcal{T}$ such that $t_i = p_i\sigma_i$ for $i \in n$. Since $p$ is linear, we can thus define $\sigma : \mathrm{vars}(p) \to \mathcal{T}$ by $\sigma = \bigcup_{i=1}^{n} \sigma_i$. Hence, we obtain $p\sigma = t$.

This completes the proof of the lemma. □

Lemma 5 (Uniform matching). Let $E_f = [f(p_1) = u_1, \ldots, f(p_n) = u_n]$ and

$$\mathrm{matches}(t) = \{ i \in n \mid \exists \theta.\ t = p_i\theta \wedge \Gamma(t) \preceq \Gamma(p_i) \}.$$

Then, for all $t, t' \in \mathcal{T}$ with $\Gamma(t') \preceq \Gamma(t)$, we have

(i) $\mathrm{matches}(t) \subseteq \mathrm{matches}(t')$,
(ii) $\mathrm{matches}(t) = \mathrm{matches}(t') = \{i\}$ for some $i \in n$ if $\Gamma(t) \in \Pi_f{\downarrow}$.

In particular, $\mathrm{matches}(t) = \mathrm{matches}(\Gamma(t))$ for all terms $t \in \mathcal{T}$.


Proof. Let $t, t' \in \mathcal{T}$, $t : \tau$, $t' : \tau'$, and $\tau' \preceq \tau$. To see (i), suppose $i \in \mathrm{matches}(t)$, i.e., $t = p_i\theta$ and $\Gamma(t) \preceq \Gamma(p_i)$ for some substitution $\theta$. Since $\Gamma(t') \preceq \Gamma(t)$, we also have $\Gamma(t') \preceq \Gamma(p_i)$, and Lemma 4 yields a substitution $\theta'$ with $t' = p_i\theta'$. Hence $i \in \mathrm{matches}(t')$. This shows (i).

To see (ii), we first derive $\tau' \in \Pi_f{\downarrow}$ from the assumptions $\tau \in \Pi_f{\downarrow}$ and $\tau' \preceq \tau$. Therefore, there are $i, j \in n$ and $\{\pi_i, \pi_j\} \subseteq \Pi_f$ such that $\tau \preceq \pi_i$ and $\tau' \preceq \pi_j$. Moreover, $i$ and $j$ are unique since $F_f$ is pattern-disjoint. By Lemma 4 there are substitutions $\theta$ and $\theta'$ (with domains $\mathrm{vars}(p_i)$ and $\mathrm{vars}(p_j)$) such that $t = p_i\theta$ and $t' = p_j\theta'$. Hence, $\mathrm{matches}(t) = \{i\}$ and $\mathrm{matches}(t') = \{j\}$. Using (i), we derive $i = j$ as required. □

B.2 Shape lemma and termination

Lemma 6 (Shape lemma). If $t \in \mathcal{T}$ then the following holds.

(i) If $t$ is a variable or an atom, then $f(t) = t$.
(ii) If $t = c(t_1, \ldots, t_n)$, $c \in \Sigma_n \setminus (C_{Ax} \cup C_{Key})$, then we have

$$f(c(t_1, \ldots, t_n)) = \langle u_1, \ldots, u_d \rangle$$

for some $d > 0$ and for all $i \in d$, $u_i$ is of one of the following forms:

(a) $u_i = c(f(v_1), \ldots, f(v_n))$ such that $\mathrm{split}(v_j) \subseteq \mathrm{split}(t_j)$ for all $j \in n$, $c \neq \langle\cdot,\cdot\rangle$, and $c \in C_R \Rightarrow v_n = [t_n]$;
(b) $u_i = f(v)$ such that $\mathrm{split}(v) \subseteq \mathrm{split}(t_j)$ for some $j \in n$;

and it holds that

$$\forall j \in \mathrm{pp}(c).\ \mathrm{split}(t_j) \subseteq \mathrm{split}(P(j)) \qquad\text{and}\qquad \forall j \in n.\ P(j) \subseteq \mathrm{subs}(t) \setminus \{t\},$$

where

$$P(j) = \bigcup \{ \mathrm{set}(v_j) \mid c(f(v_1), \ldots, f(v_n)) \in \{u_1, \ldots, u_d\} \} \cup \{ v \mid f(v) \in \{u_1, \ldots, u_d\} \}.$$

(iii) If $t = c(t_1, \ldots, t_n)$ for $c \in \Sigma_n \cap (C_{Ax} \cup C_{Key})$ and $n \geq 1$ then

$$f(t) = c(f(t_1), \ldots, f(t_n)).$$

Proof. We prove this lemma by case distinction on the shape of the term $t \in \mathcal{T}$. We know that there exists a first clause $f(p) = u$ in the list $E^1_f$ such that $\Gamma(t) \preceq \Gamma(p)$. By Lemma 4, there is a substitution $\theta$ such that $p\theta = t$. Hence, by Program 1, we have

$$f(t) = u\theta. \tag{2}$$

Case (i), where $t$ is a variable or an atom, follows immediately from Program 1 and the definition of $E^0_f$. Suppose $t$ is composed. We distinguish the following cases.


– $t = c(t_1, \ldots, t_n)$ and $c \in \Sigma_n \setminus (C_{Ax} \cup C_{Key})$: since $p$ is not a pattern variable and $t = p\theta$, we must have $p = c(p_1, \ldots, p_n)$. By Definition 5, we have $f(p) = \langle e_1, \ldots, e_d \rangle$ for some $d > 0$ and for all $i \in d$, $e_i$ is of one of the following forms:

1. $e_i = c(f(q_1), \ldots, f(q_n))$ such that $\mathrm{set}(q_j) \subseteq \mathrm{split}(p_j)$ for all $j \in n$, $c \neq \langle\cdot,\cdot\rangle$, and $c \in C_R \Rightarrow q_n = [p_n]$;
2. $e_i = f(q)$ such that $q \in \mathrm{split}(p_j)$ for some $j \in n$;

and it holds that $\forall j \in \mathrm{pp}(c).\ \mathrm{split}(p_j) \subseteq Q(j)$, where

$$Q(j) = \bigcup \{ \mathrm{set}(q_j) \mid c(f(q_1), \ldots, f(q_n)) \in \{e_1, \ldots, e_d\} \} \cup \{ q \mid f(q) \in \{e_1, \ldots, e_d\} \}.$$

Let $u_i = e_i\theta$ for all $i \in d$. For each $i \in d$, we distinguish two cases depending on the shape of $e_i$.

• If $e_i = c(f(q_1), \ldots, f(q_n))$ for some vectors $q_1, \ldots, q_n$, then let $v_j = q_j\theta$ for $j \in n$. We obtain that $u_i = c(f(v_1), \ldots, f(v_n))$. From the facts that $\mathrm{set}(q_j) \subseteq \mathrm{split}(p_j)$ for all $j \in n$, $c \in C_R \Rightarrow q_n = [p_n]$, and $p_j\theta = t_j$ for all $j \in n$, we derive that $c \in C_R \Rightarrow v_n = [t_n]$. Moreover, by Lemma 1, we also have

$$\mathrm{split}(v_j) \subseteq \mathrm{split}(t_j) \text{ for all } j \in n. \tag{3}$$

• If $e_i = f(q)$ and $q \in \mathrm{split}(p_j)$ for some $j \in n$, then let $v = q\theta$. By Lemma 1, we derive that $\mathrm{split}(v) \subseteq \mathrm{split}(p_j\theta)$. Since $p_j\theta = t_j$, we obtain that

$$\mathrm{split}(v) \subseteq \mathrm{split}(t_j). \tag{4}$$

It remains to show that

$$\forall j \in \mathrm{pp}(c).\ \mathrm{split}(t_j) \subseteq \mathrm{split}(P(j)) \qquad\text{and}\qquad \forall j \in n.\ P(j) \subseteq \mathrm{subs}(t) \setminus \{t\}.$$

To see the first point, let $j \in \mathrm{pp}(c)$. By Definition 5, we have $\mathrm{split}(p_j) \subseteq Q(j)$. By Lemma 1, this implies $\mathrm{split}(p_j\theta) \subseteq \mathrm{split}(Q(j)\theta)$. Since $p_j\theta = t_j$ and $P(j) = Q(j)\theta$, we obtain $\mathrm{split}(t_j) \subseteq \mathrm{split}(P(j))$ as required. The second point follows immediately from (3) and (4).

– $t = c(t_1, \ldots, t_n)$ for $c \in \Sigma_n \cap (C_{Ax} \cup C_{Key})$ and $n \geq 1$: since $p\theta = t$ and $p$ is not a pattern variable, we must have $p = c(q_1, \ldots, q_n)$ and $q_i\theta = t_i$ for all $i \in n$. By Definition 5, we have

$$f(p) = c(f(q_1), \ldots, f(q_n)).$$

Hence we derive $f(t) = u\theta = c(f(t_1), \ldots, f(t_n))$ as required.

This completes the proof of the lemma. □


Proposition 1 (Termination). The function $f$ defined by Program 1 terminates on all terms $t \in \mathcal{T}$.

Proof. We prove this by induction on the size of $t$. If $\Gamma(t)$ is atomic then the termination of $f(t)$ is immediate. If $\Gamma(t)$ is composed then from Lemma 6 we know that $f$ is called recursively only on strict subterms of $t$. Hence, these calls terminate by the induction hypothesis. Therefore, $f(t)$ also terminates. This completes the proof of the proposition. □

Next, we prove that all abstracted protocols are protocols. This result enables chaining different abstractions to obtain more complex ones.

Proposition 2. $f(P)$ is also a protocol.

Proof. Note that $f$ maps roles to roles and is the identity on variables. Hence, by Definition 3, it is clear that $f(P)$ is a protocol. □

B.3 Lemma about abstracted types

Lemma 7. Let $\sigma$ be an $R,Ax$-normal ground substitution that is well-typed. Then $f(\sigma)$ is well-typed.

Proof. Let $X \in \mathrm{dom}(f(\sigma))$. Then we have $X \in \mathrm{dom}(\sigma)$ and $f(X) = X$. Since $\sigma$ is $R,Ax$-normal, so is $X\sigma$. Let $t$ be a term such that $t =_{Ax} (Xf(\sigma)){\downarrow_{R,Ax}}$. We need to show that $\Gamma(t) \preceq \Gamma(X)$. We consider two cases.

– If $\Gamma(X) = \mathit{msg}$ then it is trivial that $\Gamma(t) \preceq \Gamma(X)$.
– If $\Gamma(X) = \tau$ for an atomic type $\tau$, then since $\sigma$ is well-typed and $X\sigma$ is $R,Ax$-normal, it follows that $X\sigma$ is an atom. Thus, we have $f(X\sigma) = Xf(\sigma) = X\sigma$. Hence $t = X\sigma$. This implies $\Gamma(t) \preceq \Gamma(X)$ as required.

This completes the proof of the lemma. □

B.4 Lemma about splitting and intruder deducibility

Lemma 8. Let $t, u \in \mathcal{T}$ such that $\mathrm{split}(u) \subseteq \mathrm{split}(t)$. Then we have

$$\mathrm{split}(f(u)) \subseteq \mathrm{split}(f(t)).$$

Proof. We proceed by induction on $|u| + |t|$.

– If $|\mathrm{split}(u)| + |\mathrm{split}(t)| = 2$ then $\mathrm{split}(u) \subseteq \mathrm{split}(t)$ implies that $u = t$. Thus the lemma holds in this case.
– Now we assume that $|\mathrm{split}(u)| + |\mathrm{split}(t)| > 2$. There are two cases.
  • If $u$ is not a pair then $\mathrm{split}(u) = \{u\}$. Hence we have

$$u \in \mathrm{split}(t). \tag{5}$$

Since $|\mathrm{split}(u)| + |\mathrm{split}(t)| > 2$, $t$ must be a pair $t = \langle t_1, t_2 \rangle$. Hence by Lemma 6, we have $f(t) = f(v)$ for some vector $v$ such that $\mathrm{split}(t) = \mathrm{split}(v)$.


By (5), there is $t' \in \mathrm{set}(v)$ such that $u \in \mathrm{split}(t')$. Moreover, we have $|t'| < |t|$. Thus by the induction hypothesis, we have

$$\mathrm{split}(f(u)) \subseteq \mathrm{split}(f(t')).$$

Since $\mathrm{split}(f(t')) \subseteq \mathrm{split}(f(t))$, this implies that

$$\mathrm{split}(f(u)) \subseteq \mathrm{split}(f(t)).$$

  • If $u = \langle u_1, u_2 \rangle$ then by Lemma 6, we have that $f(u) = f(r)$ for some vector $r$ of length $m$ such that $\mathrm{split}(u) = \mathrm{split}(r)$. Since $\mathrm{split}(u) \subseteq \mathrm{split}(t)$, we have $\mathrm{split}(r_i) \subseteq \mathrm{split}(t)$ for all $i \in m$. Moreover, we also have that $|r_i| < |u|$. Hence by the induction hypothesis, we have $\mathrm{split}(f(r_i)) \subseteq \mathrm{split}(f(t))$. Therefore, we obtain $\mathrm{split}(f(u)) \subseteq \mathrm{split}(f(t))$ as required.

This completes the proof of the lemma. □

The following corollary is immediate from Lemma 8.

Corollary 1. Let $t \in \mathcal{T}$ and $u \in \mathrm{split}(t)$. Then we have

$$f(t) \vdash_E f(u).$$

The following lemma shows that if the intruder learns all the transformed components of a term, he can also learn the transformed term.

Lemma 9. Let $T \cup \{u\} \subseteq \mathcal{T}$. Suppose $T \vdash_E f(t)$ for all $t \in \mathrm{split}(u)$. Then $T \vdash_E f(u)$.

Proof. We prove the lemma by induction on the size of $u$. If $u$ is not a pair then $\mathrm{split}(u) = \{u\}$ and $T \vdash_E f(u)$ follows immediately from the assumption. Otherwise, $u = \langle u_1, u_2 \rangle$. Then, by Lemma 6, we derive that

$$f(u) = f(r)$$

for some vector $r = [r_1, \ldots, r_m]$ such that $\mathrm{split}(r) = \mathrm{split}(u)$ and $\mathrm{set}(r) \subseteq \mathrm{subs}(u) \setminus \{u\}$. Since $u$ is $R,Ax$-normal, so are the $r_i$. Let $i \in m$. By assumption and since $\mathrm{split}(r_i) \subseteq \mathrm{split}(u)$, we have $T \vdash_E f(t)$ for all $t \in \mathrm{split}(r_i)$. Since $r_i \in \mathrm{subs}(u) \setminus \{u\}$, we obtain $T \vdash_E f(r_i)$ from the induction hypothesis. Hence, the desired $T \vdash_E f(u)$ follows from $T \vdash_E f(r_i)$ for all $i \in m$ by rule Comp. □

The following lemma is a consequence of the two previous lemmas.

Lemma 10. For all terms $t, u \in \mathcal{T}$, $\mathrm{split}(t) \subseteq \mathrm{split}(u)$ implies $f(u) \vdash_E f(t)$.

Proof. By Corollary 1, we have $f(u) \vdash_E f(p)$ for all $p \in \mathrm{split}(u)$. Moreover, since $\mathrm{split}(t) \subseteq \mathrm{split}(u)$, we have $f(u) \vdash_E f(q)$ for all $q \in \mathrm{split}(t)$. Hence, by Lemma 9, we have $f(u) \vdash_E f(t)$. □


C Substitution property

Theorem (Substitution property; Justification of Theorem 1). Let $t \in \mathrm{udom}(F_f)$ and $\theta$ be a well-typed and $R,Ax$-normal substitution. Then $f(t\theta) = f(t)f(\theta)$.

Proof. We prove the theorem by induction on the size of $t$. Suppose $E_f = [f(p_1) = u_1, \ldots, f(p_n) = u_n]$ and let $t$ be a term such that $t \in \mathrm{udom}(F_f)$. We distinguish two cases. If $\Gamma(t) = \mathit{msg}$ then $t$ is a variable and thus $f(t) = t$ using the final identity fall-back clause of $E^0_f$. It follows that $f(t)f(\theta) = tf(\theta) = f(t\theta)$ as required. Otherwise, we have $\Gamma(t) \neq \mathit{msg}$. Let $t : \tau$ and $t\theta : \tau'$. Then, we have $\tau' \preceq \tau$ by Lemma 3. Since $t \in \mathrm{udom}(F_f)$, we have $\tau \in \Pi_f{\downarrow}$. Hence, by Lemma 5, $t$ and $t\theta$ are abstracted by the same clause.

Since $t \in \mathrm{udom}(F_f)$, we derive that there exists a unique clause $(f(p) = u) \in E_f$ and substitutions $\theta'$ and $\theta''$ such that $p\theta' = t$ and $p\theta'' = t\theta$. Thus, we also have $t\theta = p\theta'' = p\theta'\theta$. By Program 1 (modulo renamings), we have

$$f(t) = u[f/f_0]\theta' \quad\text{and}\quad f(t\theta) = u[f/f_0]\theta'\theta.$$

We distinguish two base cases.

– $u = p$ and $t = a$ is an atom. Then we obtain that $f(a\theta) = f(a) = a = af(\theta) = f(a)f(\theta)$ as required.
– $u = p$ and $t = X$ is a variable. Then we have $f(X) = X$. Let us consider two cases:
  • If $X \in \mathrm{dom}(\theta)$, then we have

$$f(X\theta) = Xf(\theta) = f(X)f(\theta).$$

  • If $X \notin \mathrm{dom}(\theta)$, then since $\mathrm{dom}(f(\theta)) = \mathrm{dom}(\theta)$, we have $X \notin \mathrm{dom}(f(\theta))$. Hence, we have

$$f(X\theta) = f(X) = X = Xf(\theta) = f(X)f(\theta).$$

For the inductive cases, note that the recursive calls of $f$ have subterms of $t$ as arguments by Lemma 6. Moreover, since $t \in \mathrm{udom}(F_f)$, we also have $t' \in \mathrm{udom}(F_f)$ for each term $t'$ occurring as the argument of a recursive call of $f$ in the computation of $f(t)$. This enables the application of the induction hypothesis (IH) below. We distinguish the following cases.

– $p = c(p_1, \ldots, p_n)$ for $c \in \Sigma_n \setminus (C_{Ax} \cup C_{Key})$, $n \geq 1$. In this case, we have

$$f(c(p_1, \ldots, p_n)) = \langle e_1, \ldots, e_d \rangle$$

for some $d > 0$ and for all $i \in d$, $e_i$ is of one of the following forms:

1. $e_i = c(f(q_1), \ldots, f(q_n))$ such that $\mathrm{set}(q_j) \subseteq \mathrm{split}(p_j)$ for all $j \in n$, $c \neq \langle\cdot,\cdot\rangle$, and $c \in C_R \Rightarrow q_n = [p_n]$;


2. $e_i = f(q)$ such that $q \in \mathrm{split}(p_j)$ for some $j \in n$;

and it holds that $\forall j \in \mathrm{pp}(c).\ \mathrm{split}(p_j) \subseteq Q(j)$, where

$$Q(j) = \bigcup \{ \mathrm{set}(q_j) \mid c(f(q_1), \ldots, f(q_n)) \in \{e_1, \ldots, e_d\} \} \cup \{ q \mid f(q) \in \{e_1, \ldots, e_d\} \}.$$

Therefore, we have

$$f(t) = \langle e_1\theta', \ldots, e_d\theta' \rangle \quad\text{and}\quad f(t\theta) = \langle e_1\theta'\theta, \ldots, e_d\theta'\theta \rangle.$$

This implies $f(t)f(\theta) = \langle e_1\theta'f(\theta), \ldots, e_d\theta'f(\theta) \rangle$. To see that $f(t\theta) = f(t)f(\theta)$, it is sufficient to show that $e_i\theta'\theta = e_i\theta'f(\theta)$ for all $i \in d$. Let $i \in d$; we distinguish two cases.

  • If $e_i = c(f(q_1), \ldots, f(q_n))$ then we have

$$e_i\theta'\theta = c(f(q_1\theta'\theta), \ldots, f(q_n\theta'\theta)).$$

Since $\mathrm{set}(q_j) \subseteq \mathrm{split}(p_j)$ for all $j \in n$, we derive that $\mathrm{set}(q_j\theta') \subseteq \mathrm{subs}(p_j\theta')$ for all $j \in n$. Moreover, we have $p_j\theta' \in \mathrm{subs}(t) \setminus \{t\}$. Therefore, by the induction hypothesis, we derive that $f(q_j\theta'\theta) = f(q_j\theta')f(\theta)$ for all $j \in n$. Note that for all $j \in n$, we have $f(q_j\theta') = f(q_j)\theta'$. Hence, we conclude that $e_i\theta'\theta = e_i\theta'f(\theta)$ as desired.

– $p = c(p_1, \ldots, p_n)$ for $c \in \Sigma_n \cap (C_{Ax} \cup C_{Key})$ and $n \geq 1$. In this case, we have

$$f(p) = c(f(p_1), \ldots, f(p_n)) \quad\text{and}\quad f(t) = c(f(p_1\theta'), \ldots, f(p_n\theta')).$$

Let $v_j = p_j\theta'$ for $j \in n$. We prove this case by the following calculation:

$$\begin{aligned}
f(t\theta) &= c(f(v_1\theta), \ldots, f(v_n\theta)) \\
&= c(f(v_1)f(\theta), \ldots, f(v_n)f(\theta)) && \text{by IH} \\
&= c(f(v_1), \ldots, f(v_n))f(\theta) \\
&= f(t)f(\theta).
\end{aligned}$$

This completes the proof of the theorem. □


D Deducibility preservation

Notation. For the sake of a lighter notation, we will omit set braces in intruder derivations and write, e.g., $T, t \vdash_E u$ instead of $T \cup \{t\} \vdash_E u$ for a set of terms $T$ and individual terms $t$ and $u$. We also write $T \vdash_E U$ for a set of terms $U$ to mean that all terms in $U$ are derivable from those in $T$. In the remainder of this section, we assume that $F_f$ is $R,Ax$-closed.

D.1 Preservation results for equality and reduction

We assume a standard derivation system for equational logic with an axiom rule including substitution as well as reflexivity, transitivity, and congruence rules.

Proposition 3 (Ax-equality preservation). Let $t, u \in \mathcal{T}$. Then $t =_{Ax} u$ implies $f(t) =_{Ax} f(u)$.

Proof. By induction on the derivation of $t =_{Ax} u$. The cases are:

– Axiom: In this case, there are a pair $\{s_1, s_2\} \in Ax$ and a substitution $\sigma$ such that $t = s_1\sigma$ and $u = s_2\sigma$. Since $F_f$ is $R,Ax$-closed, we know that $s_1, s_2 \in \mathrm{udom}(F_f)$. Moreover, by point (v) in Definition 5, we know that $f$ is homomorphic for $\mathrm{ct}(s_1) \cup \mathrm{ct}(s_2)$. Therefore, we derive

$$f(t) = f(s_1)f(\sigma) = s_1f(\sigma) \quad\text{and}\quad f(u) = f(s_2)f(\sigma) = s_2f(\sigma).$$

Thus by rule Axiom, we obtain that $s_1f(\sigma) =_{Ax} s_2f(\sigma)$. Therefore, we have $f(t) =_{Ax} f(u)$.

– Reflexivity: This case holds trivially, since we have $t = u$ (syntactic identity).
– Transitivity: Suppose there is a term $t'$ such that $t =_{Ax} t'$ and $t' =_{Ax} u$. By the induction hypothesis, we have $f(t) =_{Ax} f(t')$ and $f(t') =_{Ax} f(u)$. Hence, $f(t) =_{Ax} f(u)$ as required.
– Congruence: Suppose that $t = c(t_1, \ldots, t_n)$ and $u = c(u_1, \ldots, u_n)$ for some $c \in \Sigma_n$ and, for all $i \in n$, terms $t_i$ and $u_i$ such that

$$t_i =_{Ax} u_i. \tag{6}$$

Since $F_f$ is $R,Ax$-closed, we know that $t$ and $u$ match the same clause $f(p) = q$ in $E^+_f$. Hence there are substitutions $\theta, \theta'$ such that $t = p\theta$ and $u = p\theta'$. We consider the different shapes of $p$.

  • $p = c(p_1, \ldots, p_n)$ for $c \in \Sigma_n \setminus (C_{Ax} \cup C_{Key})$ and $n \geq 1$. In this case, we have

$$f(p) = \langle e_1, \ldots, e_d \rangle$$

for some $d > 0$ and for all $i \in d$, $e_i$ is of one of the following forms:

1. $e_i = c(f(q_1), \ldots, f(q_n))$ such that $\mathrm{set}(q_j) \subseteq \mathrm{split}(p_j)$ for all $j \in n$, $c \neq \langle\cdot,\cdot\rangle$, and $c \in C_R \Rightarrow q_n = [p_n]$;


2. $e_i = f(q)$ such that $q \in \mathrm{split}(p_j)$ for some $j \in n$;

and it holds that $\forall j \in \mathrm{pp}(c).\ \mathrm{split}(p_j) \subseteq Q(j)$, where

$$Q(j) = \bigcup \{ \mathrm{set}(q_j) \mid c(f(q_1), \ldots, f(q_n)) \in \{e_1, \ldots, e_d\} \} \cup \{ q \mid f(q) \in \{e_1, \ldots, e_d\} \}.$$

Hence, we have

$$f(t) = \langle e_1\theta, \ldots, e_d\theta \rangle \quad\text{and}\quad f(u) = \langle e_1\theta', \ldots, e_d\theta' \rangle.$$

To see that $f(t) =_{Ax} f(u)$, it is sufficient to show that $e_i\theta =_{Ax} e_i\theta'$ for all $i \in d$. Let $i \in d$. We distinguish two cases depending on the shape of $e_i$.

    ∗ If $e_i = c(f(q_1), \ldots, f(q_n))$ then by (6), we derive that there is a sub-derivation $e\theta =_{Ax} e\theta'$ for all $j \in n$ and all $e \in \mathrm{set}(q_j)$. Hence, by the induction hypothesis, we know that $f(e\theta) =_{Ax} f(e\theta')$ for all $j \in n$ and all $e \in \mathrm{set}(q_j)$. This implies $e_i\theta =_{Ax} e_i\theta'$ as desired.
    ∗ If $e_i = f(q)$ where $q \in \mathrm{split}(p_j)$ for some $j \in n$, then by a similar reasoning as before, we derive that there is a sub-derivation $q\theta =_{Ax} q\theta'$. By the induction hypothesis, we have $f(q\theta) =_{Ax} f(q\theta')$, which implies $e_i\theta =_{Ax} e_i\theta'$ as desired.

  • $p = c(p_1, \ldots, p_n)$ for $c \in \Sigma_n \cap (C_{Ax} \cup C_{Key})$, $n \geq 1$. Thus, we have

$$f(p) = c(f(p_1), \ldots, f(p_n)), \qquad f(t) = c(f(t_1), \ldots, f(t_n)), \qquad f(u) = c(f(u_1), \ldots, f(u_n)).$$

By the induction hypothesis, we have $f(t_i) =_{Ax} f(u_i)$ for all $i \in n$. It follows that $f(t) =_{Ax} f(u)$ as required.

This completes the proof of the proposition. □

Proposition 4 (Reduction preservation). Let $t \in \mathrm{rdom}(F_f)$ be a term. Suppose $t \to_{R,Ax} u$ for some term $u$. Then $f(t) \to_{R,Ax} f(u)$.

Proof. Suppose $t \in \mathrm{rdom}(F_f)$ and $t \to_{R,Ax} u$ for some term $u$. Then there are a position $p$ in $t$, a rewrite rule $l \to r \in R$, and a substitution $\sigma$ such that $t|_p =_{Ax} l\sigma$ and $t \to_{R,Ax} t[r\sigma]_p = u$. By Proposition 3, we have $f(t|_p) =_{Ax} f(l\sigma)$. Assuming without loss of generality that $t|_p$ and $l$ have disjoint sets of variables, $\sigma$ is also an $R,Ax$-unifier of $t|_p$ and $l$. Therefore, since $t \in \mathrm{rdom}(F_f)$, we know from point (i) of Definition 9 that $f(l\sigma) = lf(\sigma)$ and from point (ii) that $f(t|_p) = f(t)|_p$. It follows that $f(t)|_p =_{Ax} lf(\sigma)$ and thus

$$f(t) \to_{R,Ax} f(t)[rf(\sigma)]_p.$$

Since $r$ is either a variable of $l$ or a constant, we have $rf(\sigma) = f(r\sigma)$. Finally, by Definition 9(ii), we have $f(t)[f(r\sigma)]_p = f(t[r\sigma]_p)$. Hence, we have established $f(t) \to_{R,Ax} f(u)$ as required. □


Lemma 11. Let $t \in \mathrm{rdom}(F_f)$ be a term and $p$ a position such that all strict subterms of $t|_p$ are $R,Ax$-normal. Suppose $t =_{Ax} t[l\sigma]_p \to_{R,Ax} t[r\sigma]_p = u$ for some rewrite rule $l \to r \in R$ and some substitution $\sigma$. Then $u \in \mathrm{rdom}(F_f)$.

Proof. Suppose that there is a rule $l' \to r'$, a position $p'$ in $u$, and an $Ax$-unifier $\sigma'$ of $l'$ and $u|_{p'}$. We need to show two points.

(i) $f$ is homomorphic for all $c \in \mathrm{ct}(l')$,
(ii) $f$ is homomorphic for $\mathrm{top}(u|_{p''})$ and $\mathrm{top}(u|_{p''}) \neq \mathrm{top}(l'')$ for all strict prefixes $p''$ of $p'$ and rewrite rules $l'' \to r'' \in R$ such that $\mathrm{ct}(l'')$ is not a singleton.

Note that since all strict subterms of $t|_p$ are $R,Ax$-normal, so is $r\sigma$ by $R,Ax$-coherence and the form of our rewrite rules. We distinguish two cases.

(a) $p'$ is not a strict prefix of $p$. Since $p$ cannot be a prefix of $p'$ (as $r\sigma$ is $R,Ax$-normal), the redex $u|_{p'}$ is also present in $t$. Therefore, (i) and (ii) follow from the assumption that $t \in \mathrm{rdom}(F_f)$.

(b) $p'$ is a strict prefix of $p$. Then the redex $u|_{p'}$ is a new one that was created by the reduction $t \to_{R,Ax} u$. Point (ii) immediately follows from $t \in \mathrm{rdom}(F_f)$, since $p'$ is a strict prefix of $p$ and thus $\mathrm{top}(u|_{p''}) = \mathrm{top}(t|_{p''})$ for all prefixes $p''$ of $p'$. In particular, we have that $f$ is homomorphic for $\mathrm{top}(u|_{p''})$ and $\mathrm{top}(u|_{p''}) \neq \mathrm{top}(l'')$ for strict prefixes $p''$ of $p'$ and rewrite rules $l'' \to r'' \in R$ such that $\mathrm{ct}(l'')$ is not a singleton. It remains to show point (i). From $u|_{p'}\sigma' =_{Ax} l'\sigma'$ and the well-formedness of the equational theory, we derive that $\mathrm{top}(l') = \mathrm{top}(u|_{p'})$. Since $p'$ is a strict prefix of $p$ and $t \in \mathrm{rdom}(F_f)$, we derive that $\mathrm{ct}(l')$ is a singleton. Therefore, point (i) follows from the fact that $f$ is homomorphic for $\mathrm{top}(u|_{p'})$.

This completes the proof of the lemma. □

Lemma 12. Let $t \in \mathrm{rdom}(F_f)$. Then $f(t) =_E f(t{\downarrow_{R,Ax}})$.

Proof. Suppose that $t \to^*_{R,Ax} u =_{Ax} t{\downarrow_{R,Ax}}$. By $R,Ax$-convergence, we can assume without loss of generality that the rewriting in the sequence $t \to^*_{R,Ax} u$ is done inside out, i.e., all strict subterms of the redexes in the sequence are $R,Ax$-normal. Hence, using Lemma 11 and Proposition 4 in a routine induction on the length of the rewriting sequence, we can show that $f(t) \to^*_{R,Ax} f(u)$. Moreover, we have $f(u) =_{Ax} f(t{\downarrow_{R,Ax}})$ by Proposition 3. Hence, we obtain $f(t) =_E f(t{\downarrow_{R,Ax}})$ as required. □

Theorem (Equality preservation; Justification of Theorem 2). Suppose $t, u \in \mathrm{rdom}(F_f)$. Then $t =_E u$ implies $f(t) =_E f(u)$.

Proof. Suppose $t =_E u$. Then $t{\downarrow_{R,Ax}} =_{Ax} u{\downarrow_{R,Ax}}$. By Proposition 3, we have $f(t{\downarrow_{R,Ax}}) =_{Ax} f(u{\downarrow_{R,Ax}})$. From Lemma 12 we have $f(t) =_E f(t{\downarrow_{R,Ax}})$ and $f(u) =_E f(u{\downarrow_{R,Ax}})$. Hence, $f(t) =_E f(u)$ as required. □


D.2 Preservation results for deducibility

Theorem (Deducibility preservation; Justification of Theorem 3). Let $T \cup \{t\} \subseteq \mathcal{N}$ be a set of ground network messages such that $C \subseteq T$ and $T$ is $R,Ax$-normal. Then $T \vdash_E t$ implies $f(T) \vdash_E f(t{\downarrow_{R,Ax}})$.

Proof. By induction on the derivation $D$ of $T \vdash_E t$, depending on the last rule that has been applied in this derivation.

– Ax: In this case, we have $t \in T$. Therefore $f(t) \in f(T)$ and thus $f(T) \vdash_E f(t)$. Moreover, since $T$ is $R,Ax$-normal, so is $t$. Thus by Proposition 3, we have $f(t) =_{Ax} f(t{\downarrow_{R,Ax}})$. Hence, we obtain $f(T) \vdash_E f(t{\downarrow_{R,Ax}})$ as required.

– Eq: We have $T \vdash_E t'$ and $t' =_E t$. By the induction hypothesis, we have $f(T) \vdash_E f(t'{\downarrow_{R,Ax}})$. Moreover, since $t' =_E t$, we derive $t'{\downarrow_{R,Ax}} =_{Ax} t{\downarrow_{R,Ax}}$. By Proposition 3, we have $f(t'{\downarrow_{R,Ax}}) =_{Ax} f(t{\downarrow_{R,Ax}})$. It follows that $f(T) \vdash_E f(t{\downarrow_{R,Ax}})$ as required.

– Comp: In this case, $t = g(u_1, \ldots, u_m)$ for $g \in \Sigma_m$ and the rule's premises are $T \vdash_E u_i$ for $i \in m$. The induction hypotheses are $f(T) \vdash_E f(u_i{\downarrow_{R,Ax}})$ for $i \in m$. Note that $t{\downarrow_{R,Ax}} = (g(u_1{\downarrow_{R,Ax}}, \ldots, u_m{\downarrow_{R,Ax}})){\downarrow_{R,Ax}}$. Hence, without loss of generality, we can assume that the $u_i$ are $R,Ax$-normal for all $i \in m$. We distinguish two cases depending on whether $t$ is $R,Ax$-normal or not.

Case 1: $t$ is not $R,Ax$-normal. Since the $u_i$ are $R,Ax$-normal for all $i \in m$, some rewrite rule $l \to r \in R$ can be applied at the root position of $t$, i.e., there is a substitution $\sigma$ such that $t =_{Ax} l\sigma$. This rule is of one of the following types.

  • R4: In this case, we have $t{\downarrow_{R,Ax}} = a$ for some constant $a$. Hence $f(t{\downarrow_{R,Ax}}) = f(a) = a$. Since $C \subseteq T$ and $C = f(C)$, we have $f(T) \vdash_E f(t{\downarrow_{R,Ax}})$.

  • R3: We have $t{\downarrow_{R,Ax}} =_{Ax} u_j$ for some $j \in m$. By Proposition 3, we have $f(t{\downarrow_{R,Ax}}) =_{Ax} f(u_j)$, which implies $f(T) \vdash_E f(t{\downarrow_{R,Ax}})$ by the induction hypothesis.

  • R1: We have $m = 2$ and

$$l = g(c(x_1, \ldots, x_{n-1}, t'), u') \quad\text{and}\quad r = x_j \text{ for some } j,\ 1 \leq j \leq n-1,$$

where $x_1, \ldots, x_{n-1}$ are variables and $t', u'$ are terms. Let $t_i = x_i\sigma$ for all $i$, $1 \leq i \leq n-1$, and $t_n = t'\sigma$. Then we have

$$u_1 = c(t_1, \ldots, t_{n-1}, t_n) \quad\text{and}\quad u_2 = u'\sigma.$$

Moreover, since $u_1$ is $R,Ax$-normal, so is $t_j$. Therefore, we have $t{\downarrow_{R,Ax}} =_{Ax} t_j$. By Proposition 3, we know that $f(t{\downarrow_{R,Ax}}) =_{Ax} f(t_j)$. Therefore, to see that $f(T) \vdash_E f(t{\downarrow_{R,Ax}})$, it is sufficient to show that $f(T) \vdash_E f(t_j)$. From the induction hypothesis, we know that $f(T) \vdash_E f(u_1)$. By Lemma 6, we have

$$f(u_1) = \langle w_1, \ldots, w_d \rangle$$

for some $d > 0$ and for all $i \in d$, $w_i$ is of one of the following forms:


1. $w_i = c(f(v_1), \ldots, f(v_n))$ such that $\mathrm{split}(v_k) \subseteq \mathrm{split}(t_k)$ for all $k \in n$, $c \neq \langle\cdot,\cdot\rangle$, and $c \in C_R \Rightarrow v_n = [t_n]$;
2. $w_i = f(v)$ where $\mathrm{split}(v) \subseteq \mathrm{split}(t_k)$ for some $k \in n$;

and it holds that

$$\forall k \in \mathrm{pp}(c).\ \mathrm{split}(t_k) \subseteq \mathrm{split}(P(k)) \qquad\text{and}\qquad \forall k \in n.\ P(k) \subseteq \mathrm{subs}(u_1) \setminus \{u_1\}, \tag{7}$$

where

$$P(k) = \bigcup \{ \mathrm{set}(v_k) \mid c(f(v_1), \ldots, f(v_n)) \in \{w_1, \ldots, w_d\} \} \cup \{ v \mid f(v) \in \{w_1, \ldots, w_d\} \}.$$

By (7) and Lemma 10, it is sufficient to establish $f(T) \vdash_E f(e)$ for all $e \in P(j)$ in order to conclude the desired $f(T) \vdash_E f(t_j)$.

Let $e \in P(j)$. Note that there is $k \in d$ such that one of the following holds:

$$w_k = c(f(v_1), \ldots, f(v_n)) \text{ and } e \in \mathrm{set}(v_j), \qquad\text{or}\qquad w_k = f(v) \text{ and } e = v.$$

Clearly, we can derive $f(T) \vdash_E w_k$ from $f(T) \vdash_E f(u_1)$ by projections. In the first case, this gives

$$f(T) \vdash_E c(f(v_1), \ldots, f(v_n)). \tag{8}$$

In the second case, we immediately obtain $f(T) \vdash_E f(e)$. In the first case, we know that $v_n = [t_n]$ by Lemma 6. Hence, we have

$$f(v_n) = f(t_n) = f(t'\sigma). \tag{9}$$

We also have $f(u_2) = f(u'\sigma)$. Note that $\mathrm{ct}(t') \cup \mathrm{ct}(u') \subseteq C_{Key}$. Hence, by Definition 5, we know that $f$ is homomorphic for all $c \in \mathrm{ct}(t') \cup \mathrm{ct}(u')$. As before, we obtain

$$f(t_n) = t'f(\sigma) \quad\text{and}\quad f(u_2) = u'f(\sigma). \tag{10}$$

Moreover, by the induction hypothesis, we have $f(T) \vdash_E f(u_2)$. Together with (8), (9), and (10), we derive

$$f(T) \vdash_E g(c(f(v_1), \ldots, f(v_{n-1}), t'f(\sigma)), u'f(\sigma)).$$

Since $(\mathrm{vars}(t') \cup \mathrm{vars}(u')) \cap \{x_1, \ldots, x_{n-1}\} = \emptyset$ and $x_p \neq x_q$ for all $p, q$ such that $1 \leq p \neq q \leq n-1$, we can define a substitution $\theta$ as follows:

$$x_q\theta = f(v_q) \text{ for } 1 \leq q \leq n-1, \qquad x\theta = xf(\sigma) \text{ for all } x \in \mathrm{vars}(u') \cup \mathrm{vars}(t').$$

Then we have $g(c(f(v_1), \ldots, f(v_{n-1}), t'f(\sigma)), u'f(\sigma)) = l\theta$. Thus, we derive $g(c(f(v_1), \ldots, f(v_{n-1}), t'f(\sigma)), u'f(\sigma)) \to_{R,Ax} f(v_j)$. This implies $f(T) \vdash_E f(v_j)$. Together with $e \in \mathrm{set}(v_j)$ and Lemma 10, we derive that $f(T) \vdash_E f(e)$.

  • R2: This case is treated similarly to the case for R1.


Case 2: $t$ is $R,Ax$-normal. By Proposition 3, we have $f(t) =_{Ax} f(t{\downarrow_{R,Ax}})$. Hence, it is sufficient to show that $f(T) \vdash_E f(t)$. We do a case analysis on $g$.

  • If $g \in \Sigma_m \setminus (C_{Ax} \cup C_{Key})$ then by Lemma 6, we know that

$$f(t) = \langle w_1, \ldots, w_d \rangle$$

for some $d > 0$ and for all $i \in d$, $w_i$ is of one of the following forms:

1. $w_i = g(f(v_1), \ldots, f(v_m))$ such that $\mathrm{split}(v_k) \subseteq \mathrm{split}(u_k)$ for all $k \in m$, $g \neq \langle\cdot,\cdot\rangle$, and $g \in C_R \Rightarrow v_m = [u_m]$;
2. $w_i = f(v)$ such that $\mathrm{split}(v) \subseteq \mathrm{split}(u_k)$ for some $k \in m$;

and it holds that

$$\forall k \in \mathrm{pp}(g).\ \mathrm{split}(u_k) \subseteq \mathrm{split}(P(k)) \qquad\text{and}\qquad \forall k \in m.\ P(k) \subseteq \mathrm{subs}(t) \setminus \{t\},$$

where

$$P(k) = \bigcup \{ \mathrm{set}(v_k) \mid g(f(v_1), \ldots, f(v_m)) \in \{w_1, \ldots, w_d\} \} \cup \{ v \mid f(v) \in \{w_1, \ldots, w_d\} \}.$$

To see that $f(T) \vdash_E f(t)$, it is sufficient to show that $f(T) \vdash_E w_i$ for all $i \in d$. Let $i \in d$. We do a case distinction on the shape of $w_i$.

    ∗ If $w_i = g(f(v_1), \ldots, f(v_m))$ then, since $\mathrm{split}(v_j) \subseteq \mathrm{split}(u_j)$ for all $j \in m$, by Lemma 10 we derive that $f(u_j) \vdash_E f(v_j)$ for all $j \in m$. Moreover, by the induction hypothesis, we have $f(T) \vdash_E f(u_j)$ for all $j \in m$. Therefore, we derive that $f(T) \vdash_E f(v_j)$ for all $j \in m$. This implies $f(T) \vdash_E w_i$ as desired.
    ∗ If $w_i = f(v)$ for some term $v$ such that $\mathrm{split}(v) \subseteq \mathrm{split}(u_k)$ for some $k \in m$, then by a similar reasoning as above, we conclude that $f(T) \vdash_E w_i$.

  • For the remaining cases, we have $f(t) = g(f(u_1), \ldots, f(u_m))$. Then $f(T) \vdash_E f(t)$ follows immediately from the induction hypothesis.

This completes the proof of the theorem. □

Lemma 13. Let $\theta$ be a well-typed $R,Ax$-normal ground substitution and $t \in \mathrm{rdom}(F_f)$. Then $t\theta \in \mathrm{rdom}(F_f)$.

Proof. Suppose $p$ is a non-variable position in $t\theta$ and $l \to r \in R$ is a rewrite rule such that there exists a well-typed $Ax$-unifier $\sigma$ of $t\theta|_p$ and $l$, i.e., $t\theta|_p\sigma =_{Ax} l\sigma$. We need to show two points.

(i) $f$ is homomorphic for all $c \in \mathrm{ct}(l)$,
(ii) $f$ is homomorphic for $\mathrm{top}(t\theta|_{p'})$ and $\mathrm{top}(t\theta|_{p'}) \neq \mathrm{top}(l')$ for all strict prefixes $p'$ of $p$ and rewrite rules $l' \to r' \in R$ such that $\mathrm{ct}(l')$ is not a singleton.


Since $\theta$ is ground, we have $t\theta|_p\sigma = t\theta|_p$. Since $\theta$ is $R,Ax$-normal, we derive that $p$ is a position in $t$ and $t|_p$ is not a variable. Thus, we have $t\theta|_p = t|_p\theta$. Hence, $t|_p\theta =_{Ax} l\sigma$. Assuming without loss of generality that $t|_p$ and $l$ have disjoint sets of variables, $\theta \cup \sigma$ is an $Ax$-unifier of $t|_p$ and $l$. Since $t|_p$ is not a variable, we have $\mathrm{top}(t|_p) = \mathrm{top}(t|_p\theta) = \mathrm{top}(t\theta|_p)$. Therefore, we derive (i) and (ii) from Definition 9 and $t \in \mathrm{rdom}(F_f)$. Hence, $t\theta \in \mathrm{rdom}(F_f)$ as required. □

We are now ready to establish deducibility preservation for open terms. This result is crucial for reachability preservation.

Proposition 5 (Deducibility preservation for open terms). Let $\sigma$ be a well-typed $R,Ax$-normal ground substitution, $T$ be a set of terms, and $u$ be a term such that

(i) $f(IK_0) \subseteq IK'_0$,
(ii) $T \cup \{u\} \subseteq \mathrm{udom}(F_f) \cap \mathrm{rdom}(F_f)$.

Then $T\sigma, IK_0 \vdash_E u\sigma$ implies $f(T)f(\sigma), IK'_0 \vdash_E f(u)f(\sigma)$.

Proof. We have

$$\begin{aligned}
& T\sigma, IK_0 \vdash_E u\sigma && \text{by assumption} \\
\Rightarrow\ & (T\sigma){\downarrow_{R,Ax}}, IK_0 \vdash_E (u\sigma){\downarrow_{R,Ax}} && \text{by rule Eq} \\
\Rightarrow\ & f((T\sigma){\downarrow_{R,Ax}}), f(IK_0) \vdash_E f((u\sigma){\downarrow_{R,Ax}}) && \text{by Theorem 3} \\
\Rightarrow\ & f((T\sigma){\downarrow_{R,Ax}}), IK'_0 \vdash_E f((u\sigma){\downarrow_{R,Ax}}) && \text{by assumption (i)} \\
\Rightarrow\ & f(T\sigma), IK'_0 \vdash_E f(u\sigma) && \text{by Lemma 13, Theorem 2 and Eq} \\
\Rightarrow\ & f(T)f(\sigma), IK'_0 \vdash_E f(u)f(\sigma) && \text{by Theorem 1}
\end{aligned}$$

This completes the proof of the proposition. □


E Soundness of typed abstractions (Section 3.2)

E.1 Reachability preservation

Using deducibility preservation for open terms, we show that each reachable state in the original protocol can be simulated by one in the abstracted protocol.

Theorem 5 (Reachability preservation). Suppose that

(i) $f(IK_0) \subseteq IK'_0$,
(ii) $F_f$ is $R,Ax$-closed,
(iii) $M_P \subseteq \mathrm{udom}(F_f) \cap \mathrm{rdom}(F_f)$.

Let $(tr, th, \sigma)$ be a reachable state of $P$ such that $\sigma$ is $R,Ax$-normal. Then $(f(tr), f(th), f(\sigma))$ is a reachable state of $f(P)$.

Proof. Note that $f(\sigma)$ is a well-typed ground substitution by Lemma 7. We now show that $(f(tr), f(th), f(\sigma))$ is reachable in $f(P)$ by induction on the number $n$ of transitions leading to the state $(tr, th, \sigma)$.

– Base case ($n = 0$): For all $i \in \mathrm{dom}(th)$, there exists $R \in \mathrm{dom}(P)$ such that $th(i) = (R, P(R))$. Hence we have

$$f(th)(i) = (R, f(P(R))) = (R, f(P)(R)). \tag{11}$$

Since $(\epsilon, th, \sigma)$ is reachable, for all $v \in \mathrm{dom}(P)$ and $i \in TID$ we have $v\#_i\sigma \in A$. Moreover, since $v\#_i f(\sigma) = v\#_i\sigma$, we also have

$$v\#_i f(\sigma) \in A. \tag{12}$$

By (11), (12) and $f(\epsilon) = \epsilon$, it is obvious that $(f(\epsilon), f(th), f(\sigma))$ is reachable in $f(P)$.

– Inductive case ($n = k + 1$): Suppose $(tr', th', \sigma)$ is reachable in $k$ steps and there is a transition $(tr', th', \sigma) \to (tr, th, \sigma)$. By the induction hypothesis, we have

$$(f(tr'), f(th'), f(\sigma)) \text{ is reachable in } f(P). \tag{13}$$

We consider two cases according to the rule $r$ that has been applied in step $k + 1$.

  • If $r = \mathrm{SEND}$ then there exist $i \in TID$ and $R \in \mathrm{dom}(P)$ such that

$$th'(i) = (R, \mathit{snd}(pt) \cdot tl), \qquad tr = tr' \cdot (i, \mathit{snd}(pt)), \qquad th = th'[i \mapsto (R, tl)]. \tag{14}$$

By (14) we have

$$f(tr) = f(tr') \cdot (i, \mathit{snd}(f(pt))), \qquad f(th) = f(th')[i \mapsto (R, f(tl))]. \tag{15}$$


By (14) we have
\[ f(th')(i) = (R, snd(f(pt)) \cdot f(tl)) \tag{16} \]
By (16), (14), (15) and rule SEND, we have
\[ (f(tr'), f(th'), f(\sigma)) \to (f(tr), f(th), f(\sigma)) \]
Together with (13) this implies that $(f(tr), f(th), f(\sigma))$ is reachable in $f(P)$.

• If $r = \mathrm{RECV}$ then there exists $i \in TID$ and $R \in \mathrm{dom}(P)$ such that
\[ th'(i) = (R, rcv(u) \cdot tl), \quad IK(tr')\sigma, IK_0 \vdash_E u\sigma \tag{17} \]
and
\[ tr = tr' \cdot (i, rcv(u)), \quad th = th'[i \mapsto (R, tl)] \tag{18} \]
By (17) and (18) we have
\[ f(tr) = f(tr') \cdot (i, rcv(f(u))), \quad f(th) = f(th')[i \mapsto (R, f(tl))] \]
To justify $(f(tr'), f(th'), f(\sigma)) \to (f(tr), f(th), f(\sigma))$, it is sufficient to establish the following two premises of rule RECV:
1. $f(th')(i) = (R, rcv(f(u)) \cdot f(tl))$, which follows from (17), and
2. $IK(f(tr'))f(\sigma), IK'_0 \vdash_E f(u)f(\sigma)$. This follows from (17), Proposition 5, and the fact that $f(IK(tr')) = IK(f(tr'))$.
Together with (13) this implies that $(f(tr), f(th), f(\sigma))$ is reachable in $f(P)$.

This completes the proof of the theorem. $\square$

E.2 Soundness

We show in the following lemma that whenever a protocol admits an attack then there is an $R,Ax$-normal attack.

Lemma 14. Let $\varphi \in \mathcal{L}_P$ and let $(tr, th, \sigma)$ be a reachable state of $P$. Then the following holds.

(i) $(tr, th, \sigma\downarrow_{R,Ax})$ is a reachable state in $P$, and
(ii) if $(tr, th, \sigma) \not\models \varphi$ then $(tr, th, \sigma\downarrow_{R,Ax}) \not\models \varphi$.

Proof. Let $\sigma' = \sigma\downarrow_{R,Ax}$. Then $\sigma'$ is well-typed. Next, we show reachability for $\sigma'$, i.e., we need to show that $(tr, th, \sigma')$ is reachable in $P$. We prove this by induction on the number $n$ of transitions leading to $(tr, th, \sigma)$.

– Base case ($n = 0$): Since $(\varepsilon, th, \sigma)$ is reachable, so is $(\varepsilon, th, \sigma')$.


– Inductive case ($n = k + 1$): Suppose $(tr', th', \sigma)$ is reachable in $k$ steps and there is a transition $(tr', th', \sigma) \to (tr, th, \sigma)$. By induction hypothesis, we have
\[ (tr', th', \sigma') \text{ is reachable in } P. \tag{19} \]

We consider two cases according to the rule $r$ that has been applied in step $k + 1$.

• If $r = \mathrm{SEND}$ then it is obvious that $(tr', th', \sigma') \to (tr, th, \sigma')$. This by (19) yields that $(tr, th, \sigma')$ is reachable in $P$.

• If $r = \mathrm{RECV}$ then there exists $i \in TID$ and $R \in \mathrm{dom}(P)$ such that $th'(i) = (R, rcv(u) \cdot tl)$, $tr = tr' \cdot (i, rcv(u))$, $th = th'[i \mapsto (R, tl)]$, and
\[ IK(tr')\sigma, IK_0 \vdash_E u\sigma \]
Hence, we have $IK(tr')\sigma', IK_0 \vdash_E u\sigma'$. Thus the reachability of $(tr, th, \sigma')$ in $P$ follows immediately.

Finally, we show attack preservation for $\sigma'$, i.e., we need to show that
\[ \forall\vartheta.\ (tr, th, \sigma, \vartheta) \not\models \varphi \Rightarrow (tr, th, \sigma', \vartheta) \not\models \varphi \]
We prove this by induction on the structure of $\varphi$. Note that the base cases for the literals that do not depend on $\sigma$ are trivial. Hence, it is enough to consider the following cases.

– $\varphi \equiv m = m'$ or $\varphi \equiv \neg(m = m')$.
\[ \begin{aligned} (tr, th, \sigma, \vartheta) \models m = m' &\Leftrightarrow m\sigma =_E m'\sigma \\ &\Leftrightarrow m\sigma' =_E m'\sigma' \\ &\Leftrightarrow (tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \models m = m' \end{aligned} \]

– $\varphi \equiv honest(i, R)$ or $\varphi \equiv \neg honest(i, R)$.
\[ \begin{aligned} (tr, th, \sigma, \vartheta) \models honest(i, R) &\Leftrightarrow R_{\vartheta(i)}\sigma \in A_H \\ &\Leftrightarrow R_{\vartheta(i)}\sigma' \in A_H && \text{since } R_{\vartheta(i)}\sigma = R_{\vartheta(i)}\sigma' \\ &\Leftrightarrow (tr, th, \sigma', \vartheta) \models honest(i, R) \end{aligned} \]

– $\varphi \equiv secret(m)$.
\[ \begin{aligned} (tr, th, \sigma, \vartheta) \not\models secret(m) &\Leftrightarrow IK(tr)\sigma, IK_0 \vdash_E m\sigma \\ &\Rightarrow IK(tr)\sigma', IK_0 \vdash_E m\sigma' \\ &\Leftrightarrow (tr, th, \sigma', \vartheta) \not\models secret(m) \end{aligned} \]

The inductive cases are routine. $\square$


E.3 Soundness of typed abstractions

Theorem (Soundness; Justification of Theorem 4). Suppose $P$, $\varphi$, and $F_f$ satisfy

– $f(IK_0) \subseteq IK'_0$,
– $F_f$ is $R,Ax$-closed,
– $M_P \subseteq \mathrm{udom}(F_f) \cap \mathrm{rdom}(F_f)$, and
– $\varphi$ is safe for $P$ and $f$.

Then, for all states $(tr, th, \sigma)$ reachable in $P$, we have

(i) $(f(tr), f(th), f(\sigma\downarrow_{R,Ax}))$ is a reachable state of $f(P)$,
(ii) $(tr, th, \sigma) \not\models \varphi$ implies $(f(tr), f(th), f(\sigma\downarrow_{R,Ax})) \not\models f(\varphi)$.

Proof. Let $(tr, th, \sigma)$ be a reachable state of $P$. By Lemma 14, we know that (a) $(tr, th, \sigma\downarrow_{R,Ax})$ is a reachable state of $P$, and (b) $(tr, th, \sigma) \not\models \varphi$ implies $(tr, th, \sigma\downarrow_{R,Ax}) \not\models \varphi$. Let $\sigma' = f(\sigma\downarrow_{R,Ax})$. Then point (i) follows from (a) and Theorem 5. Using (b) we reduce point (ii) to showing that $(tr, th, \sigma\downarrow_{R,Ax}) \not\models \varphi$ implies $(f(tr), f(th), \sigma') \not\models f(\varphi)$, which we establish by proving the following generalized statement by induction on the structure of $\varphi$ (which may now contain free thread-id variables).
\[ \forall\vartheta.\ (tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \not\models \varphi \Rightarrow (f(tr), f(th), \sigma', \vartheta) \not\models f(\varphi) \]
Note that a formula is safe if and only if all its subformulas are safe. The literals form the base cases of the induction. We cover all atoms and their negations (except $secret(m)$) in a single equivalence-based argument, where the right-to-left direction covers the positive literal and the other direction the corresponding negative literal. We remark that $(tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \not\models A$ is equivalent to $(tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \models \neg A$ for all atoms $A$ (but not for all formulas, since $\mathcal{L}_P$ is not closed under negation).

– $\varphi \equiv i = j$ or $\varphi \equiv \neg(i = j)$.
\[ (tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \models i = j \;\Leftrightarrow\; \vartheta(i) = \vartheta(j) \;\Leftrightarrow\; (f(tr), f(th), \sigma', \vartheta) \models f(i = j) \]

– $\varphi \equiv m = m'$.
\[ \begin{aligned} (tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \models m = m' &\Rightarrow m\sigma\downarrow_{R,Ax} =_E m'\sigma\downarrow_{R,Ax} \\ &\Rightarrow f(m\sigma\downarrow_{R,Ax}) =_E f(m'\sigma\downarrow_{R,Ax}) && \text{by Theorem 2} \\ &\Rightarrow f(m)f(\sigma\downarrow_{R,Ax}) = f(m')f(\sigma\downarrow_{R,Ax}) && \text{by Theorem 1} \\ &\Leftrightarrow f(m)\sigma' = f(m')\sigma' \\ &\Leftrightarrow (f(tr), f(th), \sigma', \vartheta) \models f(m) = f(m') \end{aligned} \]


– $\varphi \equiv \neg(m = m')$.
\[ \begin{aligned} (f(tr), f(th), \sigma', \vartheta) \models f(m) = f(m') &\Rightarrow f(m)\sigma' =_E f(m')\sigma' \\ &\Leftrightarrow f(m)f(\sigma\downarrow_{R,Ax}) =_E f(m')f(\sigma\downarrow_{R,Ax}) \\ &\Rightarrow f(m\sigma\downarrow_{R,Ax}) =_E f(m'\sigma\downarrow_{R,Ax}) && \text{by Theorem 1} \\ &\Rightarrow m\sigma\downarrow_{R,Ax} =_E m'\sigma\downarrow_{R,Ax} && \text{since } \varphi \text{ is safe} \\ &\Rightarrow (tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \models m = m' \end{aligned} \]

– $\varphi \equiv role(i, R)$ or $\varphi \equiv \neg role(i, R)$.
\[ \begin{aligned} (tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \models role(i, R) &\Leftrightarrow \exists seq \in Evt^*.\ th(\vartheta(i)) = (R, seq) \\ &\Leftrightarrow \exists seq \in Evt^*.\ f(th)(\vartheta(i)) = (R, f(seq)) \\ &\Leftrightarrow (f(tr), f(th), \sigma', \vartheta) \models role(i, R) \end{aligned} \]

– $\varphi \equiv honest(i, R)$ or $\varphi \equiv \neg honest(i, R)$.
\[ \begin{aligned} (tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \models honest(i, R) &\Leftrightarrow R_{\vartheta(i)}\sigma\downarrow_{R,Ax} \in A_H \\ &\Leftrightarrow R_{\vartheta(i)}f(\sigma\downarrow_{R,Ax}) \in A_H && f \text{ is the identity on } A \\ &\Leftrightarrow R_{\vartheta(i)}\sigma' \in A_H && \text{since } R_{\vartheta(i)}\sigma' = R_{\vartheta(i)}f(\sigma\downarrow_{R,Ax}) \\ &\Leftrightarrow (f(tr), f(th), \sigma', \vartheta) \models honest(i, R) \end{aligned} \]

– $\varphi \equiv steps(i, s(m))$ or $\varphi \equiv \neg steps(i, s(m))$, where $s \in \{snd, rcv\}$. We have
\[ \begin{aligned} (tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \models steps(i, s(m)) &\Leftrightarrow (\vartheta(i), s(m\#\vartheta(i))) \in tr \\ &\Leftrightarrow (\vartheta(i), s(f(m)\#\vartheta(i))) \in f(tr) && \text{justified below} \\ &\Leftrightarrow (f(tr), f(th), \sigma', \vartheta) \models steps(i, s(f(m))) \end{aligned} \]
We show the second equivalence. The left-to-right implication holds, since $\varphi$ is safe. For the inverse direction (covering the positive literal $\varphi \equiv steps(i, s(m))$), suppose that
\[ (\vartheta(i), s(f(m)\#\vartheta(i))) \in f(tr). \]
Then there exists $s(m') \in Evt(M_P)$ such that $(\vartheta(i), s(m'\#\vartheta(i))) \in tr$ and $f(m') = f(m)$. Since $\varphi$ is safe, this implies $m = m'$ and hence $(\vartheta(i), s(m\#\vartheta(i))) \in tr$.

– $\varphi \equiv (i, s(m)) \prec (j, s'(m'))$ or $\varphi \equiv \neg((i, s(m)) \prec (j, s'(m')))$, where $s, s' \in \{snd, rcv\}$.
\[ \begin{aligned} (tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \models (i, s(m)) \prec (j, s'(m')) &\Leftrightarrow (\vartheta(i), s(m\#\vartheta(i))) \prec_{tr} (\vartheta(j), s'(m'\#\vartheta(j))) \\ &\Leftrightarrow (\vartheta(i), s(f(m)\#\vartheta(i))) \prec_{f(tr)} (\vartheta(j), s'(f(m')\#\vartheta(j))) && \text{justified below} \\ &\Leftrightarrow (f(tr), f(th), \sigma', \vartheta) \models (i, s(f(m))) \prec (j, s'(f(m'))) \end{aligned} \]
We show the second equivalence. Note that the if-direction immediately follows, since $\varphi$ is safe and $f$ is order-preserving for events.


For the only-if direction (covering the case that $\varphi \equiv (i, s(m)) \prec (j, s'(m'))$), suppose $(\vartheta(i), s(f(m)\#\vartheta(i))) \prec_{f(tr)} (\vartheta(j), s'(f(m')\#\vartheta(j)))$. Since $f$ is order-preserving for events, there are $s(u), s'(u') \in Evt(M_P)$ such that
\[ (\vartheta(i), s(u\#\vartheta(i))) \prec_{tr} (\vartheta(j), s'(u'\#\vartheta(j))) \]
with $f(u) = f(m)$ and $f(u') = f(m')$. Since $\varphi$ is safe, we have $u = m$ and $u' = m'$, completing the proof of this direction.

– $\varphi \equiv secret(m)$.
\[ \begin{aligned} (tr, th, \sigma\downarrow_{R,Ax}, \vartheta) \not\models secret(m) &\Leftrightarrow IK(tr)\sigma\downarrow_{R,Ax}, IK_0 \vdash_E m\sigma\downarrow_{R,Ax} \\ &\Rightarrow f(IK(tr))\sigma', IK'_0 \vdash_E f(m)\sigma' && \text{by Proposition 5} \\ &\Rightarrow IK(f(tr))\sigma', IK'_0 \vdash_E f(m)\sigma' && \text{since } f(IK(tr)) = IK(f(tr)) \\ &\Leftrightarrow (f(tr), f(th), \sigma', \vartheta) \not\models secret(f(m)) \end{aligned} \]

The inductive cases are routine. This concludes the proof of the theorem. $\square$


F Syntactic criteria for soundness conditions

Conditions (i) in the definition of $R,Ax$-closedness (Definition 8) and (iii) in the definition of safe formulas (Definition 10) are hard to check in practice, since they universally quantify over ground terms (the first condition) and well-typed $R,Ax$-normal ground substitutions (the second one). We therefore propose syntactic criteria for verifying these conditions.

F.1 Syntactic criterion for R,Ax-closure

Lemma 15. Suppose that for all types $\tau \in subs(\Pi(E^+_f))$ and all $\{s, t\} \in Ax$, $\tau\downarrow \cap (\Gamma(s)\downarrow \cup \Gamma(t)\downarrow) \neq \emptyset$ implies $\Gamma(s) \preccurlyeq \tau$ and $\Gamma(t) \preccurlyeq \tau$. Then $F_f$ is $R,Ax$-closed.

Proof. Let $\tau \in \Pi(E^+_f)$ and $u, v$ be $R,Ax$-normal such that $u =_{Ax} v$, $u : \tau_u$, $v : \tau_v$. Because of symmetry, it is sufficient to show that $\tau_u \preccurlyeq \tau$ implies $\tau_v \preccurlyeq \tau$. We show this by induction on the derivation $u =_{Ax} v$ depending on the last rule that has been applied. Suppose $\tau_u \preccurlyeq \tau$.

– Reflexivity: In this case, we have $u = v$. Hence it is clear that $\tau_v \preccurlyeq \tau$.

– Axiom: In this case, there is a pair $\{s, t\} \in Ax$ and a substitution $\sigma$ such that $u = s\sigma$ and $v = t\sigma$. Since $\tau_u \preccurlyeq \tau$, we have $\Gamma(s\sigma) \preccurlyeq \tau$. Moreover, we have $\Gamma(s\sigma) \preccurlyeq \Gamma(s)$. Hence, it holds that $\tau\downarrow \cap \Gamma(s)\downarrow \neq \emptyset$. By assumption, we have $\Gamma(t) \preccurlyeq \tau$. We also have $\Gamma(t\sigma) \preccurlyeq \Gamma(t)$. Therefore, we obtain that $\tau_v \preccurlyeq \tau$.

– Congruence: Suppose that $t = g(t_1, \ldots, t_n)$ for some $g \in \Sigma_n$, $n \geq 1$. We have $u = g(u_1, \ldots, u_n)$ and $t_i =_{Ax} u_i$. Since $\tau_t \preccurlyeq \tau$, either $\tau = msg$ or $\tau = g(\tau_1, \ldots, \tau_n)$ and $\Gamma(t_i) \preccurlyeq \tau_i$ for all $i \in n$. In the first case, i.e., $\tau = msg$, it is obvious that $\tau_v \preccurlyeq \tau$. In the latter case, by induction hypothesis, we know that $\Gamma(u_i) \preccurlyeq \tau_i$ for all $i \in n$. This implies $\tau_u \preccurlyeq \tau$ as required.

– Transitivity: In this case, there is a term $w$ such that $t =_{Ax} w$ and $w =_{Ax} u$. By induction hypothesis, we have $\Gamma(w) \preccurlyeq \tau$ and $\tau_u \preccurlyeq \tau$ which concludes this case.

This completes the proof of the lemma. $\square$

We demonstrate an application of Lemma 15 in the following example.

Example 9. Consider the function specification $F_1 = (f_1, E_1)$ in Example 6. We recall the list of equations $E_1$ with variables $X_3 : \gamma_o$, $Y_3 : nonce$, $Z_3 : exp(msg, msg)$, $U : kdf(msg)$ and all remaining pattern variables are of type $msg$.
\[ \begin{aligned} f_1(\{|X, Y|\}_Z) &= \langle f_1(X), f_1(Y) \rangle \\ f_1(mac(X_1, \ldots, X_8)) &= mac(f_1([X_1, X_3, X_5, X_6, X_7, X_8])) \\ f_1(mac(Y_1, \ldots, Y_8)) &= mac(f_1([Y_1, Y_5, Y_6, Y_7, Y_8])) \\ f_1(kdf(Z_1, \ldots, Z_5)) &= kdf(f_1(Z_3)) \\ f_1(prf(U, Z)) &= f_1(U) \\ f_1(exp(U_1, U_2)) &= exp(f_1(U_1), f_1(U_2)) \\ f_1(sh(U_1, U_2)) &= sh(f_1(U_1), f_1(U_2)) \\ f_1(\langle U_3, U_4 \rangle) &= \langle f_1(U_3), f_1(U_4) \rangle \end{aligned} \]


There are only two equations in $Ax_{cs}$, namely $exp(exp(g, X), Y) \simeq exp(exp(g, Y), X)$ and $sh(X, Y) \simeq sh(Y, X)$ where $X, Y : msg$. Let $\tau \in subs(\Pi(E_f))$. For both axioms $\{s, t\} \in Ax_{cs}$, it is not hard to see that $\tau\downarrow \cap \Gamma(s)\downarrow \neq \emptyset$ implies that $\tau = msg$ or $\tau = \Gamma(s) = \Gamma(t)$. Hence, it holds that $\Gamma(s) \preccurlyeq \tau$ and $\Gamma(t) \preccurlyeq \tau$. Thus we conclude that $F_1$ is $R,Ax$-closed.

F.2 Syntactic criterion for injectiveness-like

In this subsection, we present a syntactic criterion to justify the satisfaction of condition I. More generally, we want to solve the following problem.

Problem 1. Suppose $F_f$ is $R,Ax$-closed. Let $t, u \in M^\sharp$ be terms with $\{t, u\} \subseteq \mathrm{udom}(F_f)$. Under which conditions does it hold that $f(t\sigma) =_E f(u\sigma)$ implies $t\sigma =_E u\sigma$ for all $R,Ax$-normal well-typed ground substitutions $\sigma$?

We assume arbitrary but fixed terms $t$ and $u$ such that $t, u \in \mathrm{udom}(F_f)$ and an $R,Ax$-normal well-typed ground substitution $\sigma$. We intend to look for sufficient conditions under which $f(t\sigma) =_E f(u\sigma)$ implies $t\sigma =_E u\sigma$. We also require that these conditions do not depend on $\sigma$. This is to ensure that our conditions work for all such substitutions $\sigma$.

In the following paragraphs, we present criteria that can be applied when either no message variables are present in $t$ and $u$ or message variables occur only in $t$ or in $u$. The hardest case is when message variables are present in both $t$ and $u$, for which we currently do not have a good criterion.

Criterion I. Note that by the substitution property, we can derive the following equalities:
\[ f(t\sigma) = f(t)f(\sigma), \quad f(u\sigma) = f(u)f(\sigma). \]
Hence, the equality $t\sigma =_E u\sigma$ immediately follows from $f(t)f(\sigma) =_E f(u)f(\sigma)$ if it holds that $f(t) = t$, $f(u) = u$, and $Xf(\sigma) = X\sigma$ for all $X \in vars(t) \cup vars(u)$. Clearly, we have that $f(X\sigma) = X\sigma$ for all non-message variables $X \in \mathrm{dom}(\sigma)$. Therefore, in the case that $t$ and $u$ do not contain message variables, the following syntactic criterion is straightforward.

Proposition 6. Let $t, u \in M^\sharp$ be terms such that

(i) $msg \notin \Gamma(vars(t) \cup vars(u))$,
(ii) $t, u \in \mathrm{udom}(F_f)$.

If $f(t) = t$ and $f(u) = u$ then for all ground substitutions $\sigma$ that are well-typed, we have that $f(t\sigma) =_E f(u\sigma)$ implies $t\sigma =_E u\sigma$.

Proof. Without loss of generality, we can assume that $\mathrm{dom}(\sigma) \subseteq vars(t) \cup vars(u)$. Since $msg \notin \Gamma(vars(t) \cup vars(u))$, we derive that $X\sigma$ is an atom for all $X \in \mathrm{dom}(\sigma)$. This implies $f(\sigma) = \sigma$. Moreover, by Theorem 1, we have $f(t\sigma) = f(t)f(\sigma)$ and $f(u\sigma) = f(u)f(\sigma)$. From the assumption, we derive
\[ f(t\sigma) = t\sigma, \quad f(u\sigma) = u\sigma. \]
Since $f(t\sigma) =_E f(u\sigma)$, we obtain that $t\sigma =_E u\sigma$ as required. This completes the proof of the proposition.

Note that for criterion I to be applicable, we require that $f$ is the identity for the terms in equalities. This is often the case, as these terms typically have simple structures and therefore it is reasonable to keep them unchanged.

Criterion II. Here, we consider the case where $t$ or $u$ contains message variables. Without loss of generality, we assume that message variables occur only in $t$. Using the same approach as above, we assume that $f(t) = t$ and $f(u) = u$. We want to be able to show that
\[ f(\sigma)|_{vars(t) \cup vars(u)} = \sigma|_{vars(t) \cup vars(u)}. \tag{20} \]
Equivalently, we need to be able to show that $Xf(\sigma) = X\sigma$ for every variable $X \in vars(t) \cup vars(u)$. This holds trivially for $X \in vars(u)$ as shown above. To prove that $Xf(\sigma) = X\sigma$ for each message variable $X \in vars(t)$, we need to ensure that $f(\sigma)$ is $R,Ax$-normal. Otherwise, equality (20) and the injectivity property of Problem 1 may fail, as illustrated in the following example.

Example 10. We consider the case that $t = X$ is a message variable, $u = a$ is an atom and $E_f$ contains the following equations:
\[ \begin{aligned} f(\{|X_1|\}_{Y_1}) &= \{|f(X_1)|\}_{f(Y_1)} \\ f(\{|X_2|\}^{-1}_{Y_2}) &= \{|f(X_2)|\}^{-1}_{f(Y_2)} \\ f(h(X_2)) &= f(X_2) \end{aligned} \]
where all pattern variables are of type $msg$. Intuitively, $f$ is homomorphic for $\{|\cdot|\}_{\cdot}$ and $\{|\cdot|\}^{-1}_{\cdot}$ and removes the hash function symbol $h$ from terms. We define the substitution $\sigma = \{\{|\{|a|\}_{h(a)}|\}^{-1}_a / X\}$. Then we have $tf(\sigma) =_E uf(\sigma)$ because $uf(\sigma) = a$ and
\[ tf(\sigma) = f(X\sigma) = f(\{|\{|a|\}_{h(a)}|\}^{-1}_a) = \{|\{|a|\}_a|\}^{-1}_a =_E a. \]
But $X\sigma = \{|\{|a|\}_{h(a)}|\}^{-1}_a \neq_E a = u\sigma$.

This example also highlights the difficulty of achieving $R,Ax$-normality for $f(\sigma)$ without substantial restrictions. We therefore take the following approach. We show that for each $R,Ax$-normal attack $\sigma$ on a property $\varphi$ in $P$, there is an $R,Ax$-normal attack $\sigma'$ on $\varphi$ such that $f(\sigma')$ is $R,Ax$-normal. We construct $\sigma'$ from $\sigma$ by replacing a subterm $v$ of the terms in $\mathrm{ran}(\sigma)$ such that $f(v)$ is not $R,Ax$-normal with a new constant $a$. By applying this replacement exhaustively, we eliminate all subterms in the range of $\sigma$ whose corresponding abstracted terms are redexes. The resulting substitution $\sigma'$ satisfies that $f(\sigma')$ is $R,Ax$-normal.
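Applying the replacement just described to the substitution of Example 10, as an added illustration that is not part of the original report; it assumes the usual decryption rule $\{|\{|X|\}_Y|\}^{-1}_Y \to X$ in $R$ (which is what makes $f(X\sigma) =_E a$ in that example) and a fresh constant $b$ that occurs in none of $\sigma$, $Ax$ and $lhs(R)$:

\[
\begin{aligned}
v &= X\sigma = \{|\{|a|\}_{h(a)}|\}^{-1}_a, &
f(v) &= \{|\{|a|\}_a|\}^{-1}_a \to_{R} a, \text{ so } f(v) \text{ is a redex and } f(\sigma) \text{ is not } R,Ax\text{-normal};\\
\sigma' &= \sigma\rho[b/v] = \{b/X\}, &
f(\sigma') &= \{f(b)/X\} = \{b/X\}, \text{ which is } R,Ax\text{-normal since } f \text{ is the identity on } A;\\
t\sigma' &= b \neq_E a = u\sigma', &
f(t)f(\sigma') &= b \neq_E a = f(u)f(\sigma').
\end{aligned}
\]

For $\sigma'$ the implication $f(t\sigma') =_E f(u\sigma') \Rightarrow t\sigma' =_E u\sigma'$ of Problem 1 therefore holds (vacuously, as both sides are now distinct), whereas Example 10 shows it fails for the original $\sigma$.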

We define the set of rewrite rules $R_{3*}$ such that $l \to r \in R_{3*}$ if and only if $l$ is of the form $c(u_1, \ldots, u_n)$ for some $c \in \Sigma_n$ and $u_1, \ldots, u_n$ are variables or constants and pairwise distinct. We overload notation and define the following sets:
\[ subs(Ax) = \bigcup_{\{s,t\} \in Ax} subs(s) \cup subs(t), \qquad ct(Ax) = \bigcup_{\{s,t\} \in Ax} ct(s) \cup ct(t), \qquad lhs(R) = \{ l \mid l \to r \in R \} \]
For terms $v$ and $v'$, we use $\rho[v'/v]$ to denote the mapping that replaces each term $t'$ such that $t' =_{Ax} v$ by $v'$. We also define $\mathrm{dom}(\rho[v'/v]) = \{ t \in T \mid t =_{Ax} v \}$. For a substitution $\sigma$, we denote by $\sigma\rho[v'/v]$ the substitution such that $\mathrm{dom}(\sigma\rho[v'/v]) = \mathrm{dom}(\sigma)$ and $\sigma\rho[v'/v](X) = (X\sigma)\rho[v'/v]$. We call a term $t$ $R,Ax$-stable if $t\sigma$ is $R,Ax$-normal whenever $\sigma$ is $R,Ax$-normal and well-typed. A set of terms is $R,Ax$-stable if all its elements are. We also use $Pos(t)$ to denote the set of all positions in a given term $t$.

Before establishing our criterion, we prove some auxiliary results.

Lemma 16. Let $u, t, v$ be ground terms and $a$ be an atom such that $a \notin subs(u) \cup subs(t) \cup subs(Ax)$. Suppose that $u\rho[a/v] =_{Ax} t\rho[a/v]$. Then $u \in \mathrm{dom}(\rho[a/v])$ if and only if $t \in \mathrm{dom}(\rho[a/v])$.

Proof. By symmetry, it is sufficient to show that $u \in \mathrm{dom}(\rho[a/v])$ implies $t \in \mathrm{dom}(\rho[a/v])$. Suppose that $u \in \mathrm{dom}(\rho[a/v])$. Then we have $u\rho[a/v] = a$. Together with $u\rho[a/v] =_{Ax} t\rho[a/v]$ and the fact that $a$ is an atom, this implies $t\rho[a/v] = a$. If $t \in \mathrm{dom}(\rho[a/v])$ then we are done. Otherwise, since $a \notin subs(t)$, there must be a strict subterm $t'$ of $t$ such that $t' \in \mathrm{dom}(\rho[a/v])$. This implies $a$ is a strict subterm of $t\rho[a/v]$. From the fact that $a =_{Ax} t\rho[a/v]$ and $a \notin subs(Ax)$, we obtain a contradiction and thus complete the proof of the lemma. $\square$

Lemma 17. Let $u, t, v$ be ground terms and $a$ be an atom such that $a \notin subs(u) \cup subs(t) \cup subs(Ax)$. Then $u\rho[a/v] = t\rho[a/v]$ implies $u =_{Ax} t$.

Proof. We show this lemma by induction on $u$.

– If $u$ is an atom we consider two cases.

• If $u \in \mathrm{dom}(\rho[a/v])$ then by Lemma 16, we have that $t \in \mathrm{dom}(\rho[a/v])$. This implies $u =_{Ax} v$ and $t =_{Ax} v$. Hence, we obtain $u =_{Ax} t$.

• If $u \notin \mathrm{dom}(\rho[a/v])$ then by Lemma 16, we have that $t \notin \mathrm{dom}(\rho[a/v])$. Thus, we have $u\rho[a/v] = u$ and $t\rho[a/v] = t$. Therefore, we obtain $u = t$ and hence $u =_{Ax} t$.

– If $u = g(u_1, \ldots, u_n)$ for some $g \in \Sigma_n$ then we consider two cases.

• If $u \in \mathrm{dom}(\rho[a/v])$ then by Lemma 16, we have $t \in \mathrm{dom}(\rho[a/v])$. It follows that $t\rho[a/v] = a$. Together with the assumption that $a \notin subs(t)$, this yields $t \in \mathrm{dom}(\rho[a/v])$. Hence, we have $u =_{Ax} t$ as required.


• If $u \notin \mathrm{dom}(\rho[a/v])$ then by Lemma 16, we also have $t \notin \mathrm{dom}(\rho[a/v])$. Since $top(t\rho[a/v]) = g$ and $t \notin \mathrm{dom}(\rho[a/v])$, we must have $top(t) = g$. Therefore, we have $t = g(t_1, \ldots, t_n)$. We derive that
\[ u\rho[a/v] = g(u_1\rho[a/v], \ldots, u_n\rho[a/v]), \qquad t\rho[a/v] = g(t_1\rho[a/v], \ldots, t_n\rho[a/v]). \]
Since $u\rho[a/v] = t\rho[a/v]$, we have $u_i\rho[a/v] = t_i\rho[a/v]$ for all $i \in n$. By induction hypothesis, we know that $u_i =_{Ax} t_i$. Therefore, by the Congruence rule, we conclude that $u =_{Ax} t$ as required.

This completes the proof of the lemma. $\square$

Lemma 18. Let $t, u, v$ be terms and $a$ be an atom such that $t, v$ are ground and $a \notin subs(t) \cup subs(u) \cup subs(Ax)$. Let $\sigma$ be a ground substitution such that $\mathrm{dom}(\sigma) = vars(u)$ and $t\rho[a/v] = u\sigma$. Then there is a ground substitution $\sigma'$ such that the following holds.

(i) $\mathrm{dom}(\sigma') = vars(u)$,
(ii) $a \notin subs(\mathrm{ran}(\sigma'))$,
(iii) $u\sigma' =_{Ax} t$, and
(iv) $\sigma'\rho[a/v] = \sigma$.

Proof. We prove this lemma by induction on $u$.

– If $u$ is an atom then we have $u\sigma = u$ and thus $t\rho[a/v] = u$. Since $a \notin subs(u)$, we must have $t\rho[a/v] = t = u$. Thus we set $\sigma'$ to the empty substitution and obtain $u\sigma' = t$. Moreover, we also have $\mathrm{dom}(\sigma') = \emptyset = \mathrm{dom}(\sigma)$. Hence, it is clear that $\sigma'\rho[a/v] = \sigma$.

– If $u = X$ is a variable then let $\sigma'$ be such that $\mathrm{dom}(\sigma') = \{X\}$ and $X\sigma' = t$. Then we have $u\sigma' = t$. By assumption, we have $a \notin subs(X\sigma) = subs(\mathrm{ran}(\sigma))$. Moreover, since $t\rho[a/v] = X\sigma$, it follows that $(X\sigma')\rho[a/v] = X\sigma$. Thus, we also have $\sigma'\rho[a/v] = \sigma$.

– If $u = g(u_1, \ldots, u_n)$ for some $g \in \Sigma_n$ then since $t\rho[a/v] = u\sigma$ and $a$ is an atom, there must be terms $t_1, \ldots, t_n$ such that
\[ t = g(t_1, \ldots, t_n), \qquad t\rho[a/v] = g(t_1\rho[a/v], \ldots, t_n\rho[a/v]). \]
Therefore, we have $t_i\rho[a/v] = u_i\sigma$ for all $i \in n$. By induction hypothesis, there are ground substitutions $\sigma_1, \ldots, \sigma_n$ such that for all $i \in n$, we have
\[ a \notin subs(\mathrm{ran}(\sigma_i)), \quad \mathrm{dom}(\sigma_i) = vars(u_i), \quad \sigma_i\rho[a/v] = \sigma|_{vars(u_i)}, \quad \text{and} \quad u_i\sigma_i =_{Ax} t_i. \]

We define $\sigma'$ such that $\mathrm{dom}(\sigma') = vars(u)$ and for all $X \in \mathrm{dom}(\sigma')$, $X\sigma' = X\sigma_i$ where $i \in n$ is the smallest index such that $X \in \mathrm{dom}(\sigma_i)$. It is clear that $\sigma'\rho[a/v] = \sigma$ and $a \notin subs(\mathrm{ran}(\sigma'))$. To see that $u\sigma' =_{Ax} t$, it is sufficient to show that for all $i, j \in n$ and all $X \in \mathrm{dom}(\sigma_i) \cap \mathrm{dom}(\sigma_j)$, it holds that $X\sigma_i =_{Ax} X\sigma_j$. Let $i, j \in n$ and $X \in \mathrm{dom}(\sigma_i) \cap \mathrm{dom}(\sigma_j)$. From the induction hypothesis, we know that $(X\sigma_i)\rho[a/v] = X\sigma$ and $(X\sigma_j)\rho[a/v] = X\sigma$. Thus, we have $(X\sigma_i)\rho[a/v] = (X\sigma_j)\rho[a/v]$. This by Lemma 17 implies that $X\sigma_i =_{Ax} X\sigma_j$. We therefore conclude this case. $\square$

Lemma 19. Let $t, u, v$ be ground terms and $a$ be an atom such that $t, v$ are ground and $a \notin subs(t) \cup subs(u) \cup subs(Ax)$. Suppose that

(i) $t\rho[a/v] =_{Ax} u$, and
(ii) $top(v) \notin ct(Ax)$.

Then there is a ground term $t'$ such that $t =_{Ax} t'$ and $t'\rho[a/v] = u$.

Proof. We prove this lemma by induction on the derivation of $t\rho[a/v] =_{Ax} u$ depending on the last rule that has been applied.

– Reflexivity: We have $t\rho[a/v] = u$. Thus, we can pick $t' = t$.

– Axiom: In this case, there are $\{s, s'\} \in Ax$ and a ground substitution $\sigma$ such that $t\rho[a/v] = s\sigma$ and $u = s'\sigma$. By Lemma 18, there exists a ground substitution $\sigma'$ such that
\[ \mathrm{dom}(\sigma') = vars(s), \quad a \notin subs(\mathrm{ran}(\sigma')), \quad s\sigma' =_{Ax} t, \quad \text{and} \quad \sigma'\rho[a/v] = \sigma. \]
We pick $t' = s'\sigma'$. Since $vars(s) = vars(s')$, $s'\sigma'$ is ground. Moreover, we have $t' =_{Ax} t$. By assumption (ii), we derive that $s'\sigma = s'(\sigma'\rho[a/v]) = (s'\sigma')\rho[a/v] = t'\rho[a/v]$. Hence, we have $u = t'\rho[a/v]$ as required.

– Congruence: In this case, there are $c \in \Sigma_n$ and terms $t_1, \ldots, t_n, u_1, \ldots, u_n$ such that
\[ t = c(t_1, \ldots, t_n), \qquad u = c(u_1, \ldots, u_n), \qquad t_i\rho[a/v] =_{Ax} u_i \text{ for all } i \in n. \]
By induction hypothesis, there is a term $t'_i$ such that $t_i =_{Ax} t'_i$ and $u_i = t'_i\rho[a/v]$ for all $i \in n$. We define $t' = c(t'_1, \ldots, t'_n)$ and derive that $t' =_{Ax} t$ and $u = t'\rho[a/v]$ as required.

– Transitivity: In this case, there is a term $w$ such that $t\rho[a/v] =_{Ax} w$ and $w =_{Ax} u$. By induction hypothesis, there is a term $w'$ such that $t =_{Ax} w'$ and $w = w'\rho[a/v]$. Thus, we have $w'\rho[a/v] =_{Ax} u$. Using the induction hypothesis, we derive that there exists a term $t'$ such that $w' =_{Ax} t'$ and $u = t'\rho[a/v]$. It follows that $t =_{Ax} t'$ which concludes this case. $\square$

Lemma 20. Let $u, t, v$ be ground terms and $a$ be an atom. Suppose that for all pairs $\{s, s'\} \in Ax$, we have $top(v) \notin ct(Ax)$. Then $u =_{Ax} t$ implies $u\rho[a/v] =_{Ax} t\rho[a/v]$.


Proof. We prove the direction from left to right by induction on the derivation $u =_{Ax} t$ depending on the last rule that has been applied.

– Reflexivity: In this case, we have $u = t$. Thus it is obvious that $u\rho[a/v] = t\rho[a/v]$.

– Axiom: In this case, there are a pair $\{s, s'\} \in Ax$ and a substitution $\sigma$ such that $u = s\sigma$ and $t = s'\sigma$. Let $\sigma' = \sigma\rho[a/v]$. Since $top(v) \notin ct(Ax)$, we have
\[ (s\sigma)\rho[a/v] = s\sigma', \qquad (s'\sigma)\rho[a/v] = s'\sigma'. \]
Therefore, we derive
\[ u\rho[a/v] = (s\sigma)\rho[a/v] = s\sigma', \qquad t\rho[a/v] = (s'\sigma)\rho[a/v] = s'\sigma'. \]
Using the Axiom rule, we derive that $u\rho[a/v] =_{Ax} t\rho[a/v]$ as required.

– Congruence: In this case, we have that $u = g(u_1, \ldots, u_n)$ and $t = g(t_1, \ldots, t_n)$ for some $g \in \Sigma_n$, $n \geq 1$. Moreover, we have $u_i =_{Ax} t_i$ for all $i \in n$. Since $u =_{Ax} t$, it is clear that $u \in \mathrm{dom}(\rho[a/v])$ if and only if $t \in \mathrm{dom}(\rho[a/v])$. We consider two cases.

• If $u \in \mathrm{dom}(\rho[a/v])$ then $t \in \mathrm{dom}(\rho[a/v])$. Thus, we have $u\rho[a/v] = a = t\rho[a/v]$.

• If $u \notin \mathrm{dom}(\rho[a/v])$ then $t \notin \mathrm{dom}(\rho[a/v])$. Therefore, we have
\[ u\rho[a/v] = g(u_1\rho[a/v], \ldots, u_n\rho[a/v]), \qquad t\rho[a/v] = g(t_1\rho[a/v], \ldots, t_n\rho[a/v]). \]
Moreover, by induction hypothesis, we know that $u_i\rho[a/v] =_{Ax} t_i\rho[a/v]$ for all $i \in n$. Hence, we obtain $u\rho[a/v] =_{Ax} t\rho[a/v]$ as required.

– Transitivity: In this case, there is a term $w$ such that $u =_{Ax} w$ and $w =_{Ax} t$. By induction hypothesis, we have
\[ u\rho[a/v] =_{Ax} w\rho[a/v], \qquad w\rho[a/v] =_{Ax} t\rho[a/v]. \]
It follows that $u\rho[a/v] =_{Ax} t\rho[a/v]$ as required.

This completes the proof of the lemma. $\square$

Lemma 21. Let $u, t, v$ be ground terms and $a$ be an atom such that

(i) $a \notin subs(u) \cup subs(t) \cup subs(Ax)$,
(ii) $top(v) \notin ct(Ax)$, and
(iii) for all $\{s, s'\} \in Ax$, we have $vars(s) = vars(s')$.

Then $u\rho[a/v] =_{Ax} t\rho[a/v]$ implies $u =_{Ax} t$.

Proof. We prove this lemma by induction on the derivation $u\rho[a/v] =_{Ax} t\rho[a/v]$.


– Reflexivity: In this case, we have $u\rho[a/v] = t\rho[a/v]$. By Lemma 17, we have $u =_{Ax} t$ as required.

– Axiom: In this case, there are a pair $\{s, s'\} \in Ax$ and a ground substitution $\sigma$ such that $\mathrm{dom}(\sigma) = vars(s) \cup vars(s')$ and
\[ u\rho[a/v] = s\sigma, \qquad t\rho[a/v] = s'\sigma. \]
Moreover, by Lemma 18, there is a ground substitution $\sigma'$ such that $\mathrm{dom}(\sigma') = vars(s)$ and
\[ u =_{Ax} s\sigma', \qquad \sigma'\rho[a/v] = \sigma|_{vars(s)}. \]
Since $vars(s) = vars(s')$, we derive that $\sigma|_{vars(s)} = \sigma$. Hence, we have
\[ s'\sigma = s'(\sigma'\rho[a/v]). \]
By assumption, for all terms $w \in \mathrm{dom}(\rho[a/v]) \cap subs(s'\sigma)$, we have $w \in subs(\mathrm{ran}(\sigma))$. Therefore, we must have $s'\sigma = (s'\sigma')\rho[a/v]$. Hence, we obtain
\[ t\rho[a/v] = (s'\sigma')\rho[a/v]. \]
By Lemma 17, we derive that $t =_{Ax} s'\sigma'$. Together with $u =_{Ax} s\sigma'$, we have $u =_{Ax} t$ as required.

– Congruence: In this case, there is $g \in \Sigma_n$ such that
\[ u\rho[a/v] = g(u_1, \ldots, u_n), \qquad t\rho[a/v] = g(t_1, \ldots, t_n). \]
Moreover, we have $u_i =_{Ax} t_i$ for all $i \in n$. We consider two cases.

• If $u \in \mathrm{dom}(\rho[a/v])$ then by Lemma 16, we have $t \in \mathrm{dom}(\rho[a/v])$. Therefore, we have $u =_{Ax} t$ as required.

• If $u \notin \mathrm{dom}(\rho[a/v])$ then by Lemma 16, we also have $t \notin \mathrm{dom}(\rho[a/v])$. Thus, there must be terms $u'_1, \ldots, u'_n$ and terms $t'_1, \ldots, t'_n$ such that
\[ u = g(u'_1, \ldots, u'_n), \qquad t = g(t'_1, \ldots, t'_n), \qquad u'_i\rho[a/v] = u_i \text{ and } t'_i\rho[a/v] = t_i \text{ for all } i \in n. \]
Hence, we have $u'_i\rho[a/v] =_{Ax} t'_i\rho[a/v]$ for all $i \in n$. By induction hypothesis, we know that $u'_i =_{Ax} t'_i$ for all $i \in n$. This implies $u =_{Ax} t$ as required.

– Transitivity: In this case, there is a term $w$ such that $u\rho[a/v] =_{Ax} w$ and $w =_{Ax} t\rho[a/v]$. We consider two cases.

• If $a \in subs(u\rho[a/v]) \cup subs(t\rho[a/v])$ then since $a \notin subs(Ax)$, we derive that $a \in subs(w)$. Hence, there is a term $w'$ such that $w = w'\rho[a/v]$. By induction hypothesis, we have $u =_{Ax} w'$ and $w' =_{Ax} t$. This implies $u =_{Ax} t$ as required.


• If $a \notin subs(u\rho[a/v]) \cup subs(t\rho[a/v])$ then we have $u\rho[a/v] = u$ and $t\rho[a/v] = t$. Thus, we obtain $u =_{Ax} t$ as required.

This completes the proof of the lemma. $\square$

Lemma 22. Let $t, u, v$ be terms and $a$ be an atom such that $t, v$ are ground and

(i) $a \notin subs(t) \cup subs(u) \cup subs(Ax)$,
(ii) $top(v) \notin ct(Ax)$, and
(iii) for all $\{s, s'\} \in Ax$, we have that $vars(s) = vars(s')$.

Let $\sigma$ be a ground substitution such that $\mathrm{dom}(\sigma) = vars(u)$ and $t\rho[a/v] =_{Ax} u\sigma$. Then there is a ground substitution $\sigma'$ such that the following holds.

– $\mathrm{dom}(\sigma') = vars(u)$,
– $a \notin subs(\mathrm{ran}(\sigma'))$,
– $u\sigma' =_{Ax} t$, and
– $\sigma'\rho[a/v] = \sigma$.

Proof. We prove this lemma by induction on the derivation $t\rho[a/v] =_{Ax} u\sigma$.

– Reflexivity: We have $t\rho[a/v] = u\sigma$ and thus the conclusion follows immediately from Lemma 18.

– Axiom: Suppose that there are a pair $\{s, s'\} \in Ax$ and a ground substitution $\theta$ such that $\mathrm{dom}(\theta) = vars(s) \cup vars(s')$ and
\[ t\rho[a/v] = s\theta, \qquad u\sigma = s'\theta. \]
By Lemma 18, there is a ground substitution $\sigma''$ such that
\[ \mathrm{dom}(\sigma'') = vars(s), \quad a \notin subs(\mathrm{ran}(\sigma'')), \quad \sigma''\rho[a/v] = \theta|_{vars(s)}, \quad \text{and} \quad t =_{Ax} s\sigma''. \]
Since $vars(s) = vars(s')$, we have $\theta|_{vars(s)} = \theta$. Hence, we derive that $s'\theta = s'(\sigma''\rho[a/v])$. This by assumption implies that $s'\theta = (s'\sigma'')\rho[a/v]$. Since $a \notin subs(\mathrm{ran}(\sigma''))$, from assumption (ii), we have $a \notin subs(s'\sigma'')$. Moreover, we have $u\sigma = s'\theta = (s'\sigma'')\rho[a/v]$. By Lemma 18, there is a ground substitution $\sigma'$ such that
\[ \mathrm{dom}(\sigma') = vars(u), \quad a \notin subs(\mathrm{ran}(\sigma')), \quad \sigma'\rho[a/v] = \sigma, \quad \text{and} \quad s'\sigma'' =_{Ax} u\sigma'. \]
Together with $t =_{Ax} s\sigma''$, we derive that $u\sigma' =_{Ax} t$.


– Congruence: We have $t = c(t_1, \ldots, t_n)$ and $u = c(u_1, \ldots, u_n)$ for $c \in \Sigma_n$. Moreover, we have $t_i\rho[a/v] =_{Ax} u_i\sigma$ for all $i \in n$. By induction hypothesis, there are ground substitutions $\sigma_i$ for all $i \in n$ such that
\[ \mathrm{dom}(\sigma_i) = vars(u_i), \quad a \notin subs(\mathrm{ran}(\sigma_i)), \quad u_i\sigma_i =_{Ax} t_i, \quad \text{and} \quad \sigma_i\rho[a/v] = \sigma. \]
We can pick $\sigma' = \bigcup_{i=1}^{n} \sigma_i$, which satisfies the desired properties.

– Transitivity: In this case, there is a term $w$ such that $t\rho[a/v] =_{Ax} w$ and $w =_{Ax} u\sigma$. By Lemma 19, there is a ground term $t'$ such that $t =_{Ax} t'$ and $w = t'\rho[a/v]$. Hence, we have $t'\rho[a/v] =_{Ax} u\sigma$. By induction hypothesis, there exists a ground substitution $\sigma'$ such that
\[ \mathrm{dom}(\sigma') = vars(u), \quad a \notin subs(\mathrm{ran}(\sigma')), \quad u\sigma' =_{Ax} t', \quad \text{and} \quad \sigma'\rho[a/v] = \sigma. \]
Since $t' =_{Ax} t$, we derive that $\sigma'$ satisfies the desired properties.

This completes the proof of the lemma. $\square$

Lemma 23. Let $t, v$ be ground terms and $a$ be an atom such that $a \notin subs(t)$. Suppose that

(i) $t$ is $R,Ax$-normal,
(ii) $a \notin subs(Ax) \cup subs(lhs(R))$,
(iii) $top(v) \notin ct(Ax)$, and
(iv) for all $\{s, s'\} \in Ax$, we have that $vars(s) = vars(s')$.

Then $t\rho[a/v]$ is $R,Ax$-normal.

Proof. We prove this lemma by induction on $t$.

– If $t$ is an atom then we have $t\rho[a/v] = t$ and thus $t\rho[a/v]$ is $R,Ax$-normal.

– If $t = g(t_1, \ldots, t_n)$ for some $g \in \Sigma_n$ then we consider two cases.

• If $t \in \mathrm{dom}(\rho[a/v])$ then we have $t\rho[a/v] = a$ and thus $t\rho[a/v]$ is $R,Ax$-normal.

• If $t \notin \mathrm{dom}(\rho[a/v])$ then we have
\[ t\rho[a/v] = g(t_1\rho[a/v], \ldots, t_n\rho[a/v]) \]
Since $t$ is $R,Ax$-normal, so is $t_i$ for all $i \in n$. By induction hypothesis, $t_i\rho[a/v]$ is $R,Ax$-normal for all $i \in n$. There are two smaller cases.

∗ If there is no rule $l \to r \in R$ that is applicable to $t\rho[a/v]$ at the root, then since $t_i\rho[a/v]$ is $R,Ax$-normal for all $i \in n$, we derive that $t\rho[a/v]$ is $R,Ax$-normal.


∗ If there is a rule $l \to r \in R$ that is applicable to $t\rho[a/v]$ at the root, then there is a ground substitution $\sigma$ such that $\mathrm{dom}(\sigma) = vars(l)$ and $t\rho[a/v] =_{Ax} l\sigma$. By Lemma 22, there is a ground substitution $\sigma'$ such that $t =_{Ax} l\sigma'$. This means $t$ is not $R,Ax$-normal, which is a contradiction.

This completes the proof of the lemma. $\square$

Lemma 24. Let t, v be ground terms such that v is R,Ax-normal and a be anatom. Suppose that

(i) a /∈ subs(t) ∪ subs(Ax) ∪ subs(lhs(R)),(ii) top(v) /∈ ct(Ax),

(iii) top(v) /∈ ct(l) \ {top(l)} for all l ∈ lhs(R), and(iv) for all {s, s′} ∈ Ax, we have that vars(s) = vars(s′).

Then (tρ[a/v])↓R,Ax=Ax t↓R,Ax ρ[a/v].

Proof. We prove this lemma by induction on the length ` of the derivationt→R,Ax t1 →R,Ax · · · →R,Ax t`−1 →R,Ax t↓R,Ax.

– If ` = 0 then t is R,Ax-normal. By Lemma 23, tρ[a/v] is R,Ax-normal.Therefore, we have tρ[a/v] =Ax (tρ[a/v]) ↓R,Ax. Moreover, by Lemma 20, wehave tρ[a/v] =Ax t↓R,Ax ρ[a/v]. Hence (tρ[a/v])↓R,Ax=Ax t↓R,Ax ρ[a/v].

– If ℓ > 0 then there are a position k, a rule l → r ∈ R, and a substitution σ such that t|k =Ax lσ and (t[rσ]k)↓R,Ax =Ax t↓R,Ax. By Lemma 20, we have t|kρ[a/v] =Ax (lσ)ρ[a/v]. Let σ′ = σρ[a/v]. Note that for all terms u ∈ subs(t) such that t|k ∈ subs(u), we must have

u ∉ dom(ρ[a/v]). (21)

Suppose that this is not the case, i.e., we have u =Ax v. Then since t|k ∈ subs(u) and t|k →R,Ax rσ, we derive that v is not R,Ax-normal, which is a contradiction. Therefore, we have established (21). In particular, we have lσ ∉ dom(ρ[a/v]). Moreover, there must not exist a non-variable term u ∈ subs(l) \ {l} such that uσ =Ax v. Otherwise, by point (iii) in Definition 1, uσ =Ax v implies top(uσ) = top(v). This means top(u) = top(v), which contradicts assumption (iv). Therefore, we have (lσ)ρ[a/v] = l(σρ[a/v]) = lσ′. It follows that t|kρ[a/v] =Ax lσ′. Hence, we obtain t[t|kρ[a/v]]k =Ax t[lσ′]k.

This yields the following.

tρ[a/v] = (t[t|kρ[a/v]]k)ρ[a/v] =Ax (t[lσ′]k)ρ[a/v] by Lemma 20.

Together with (21), we derive that (t[lσ′]k)ρ[a/v] →R,Ax (t[rσ′]k)ρ[a/v]. Thus, we have (tρ[a/v])↓R,Ax =Ax ((t[rσ′]k)ρ[a/v])↓R,Ax. Note that from assumption (iii) and the fact that r ∈ subs(l), we derive that rσ′ = r(σρ[a/v]) = (rσ)ρ[a/v]. Therefore, we have

(t[rσ′]k)ρ[a/v] = (t[(rσ)ρ[a/v]]k)ρ[a/v] = (t[rσ]k)ρ[a/v].


Hence we have

(tρ[a/v])↓R,Ax =Ax ((t[rσ]k)ρ[a/v])↓R,Ax. (22)

Since (t[rσ]k)↓R,Ax =Ax t↓R,Ax, by Lemma 20, we have

((t[rσ]k)↓R,Ax)ρ[a/v] =Ax (t↓R,Ax)ρ[a/v]. (23)

By induction hypothesis, we have

((t[rσ]k)ρ[a/v])↓R,Ax =Ax ((t[rσ]k)↓R,Ax)ρ[a/v].

Together with (22) and (23), this yields (tρ[a/v])↓R,Ax =Ax (t↓R,Ax)ρ[a/v] as required.

This completes the proof of the lemma. □

Lemma 25. Let {t, u, a, v} be ground terms such that top(v) ∉ ct(Ax) and a is an atom. Then t =E u if and only if tρ[a/v] =E uρ[a/v].

Proof. We present all the derivation steps as follows.

t =E u
⇔ t↓R,Ax =Ax u↓R,Ax
⇔ (t↓R,Ax)ρ[a/v] =Ax (u↓R,Ax)ρ[a/v]   by Lemmas 20, 21
⇔ (tρ[a/v])↓R,Ax =Ax (uρ[a/v])↓R,Ax   by Lemma 24
⇔ tρ[a/v] =E uρ[a/v].

This completes the proof of the lemma. □

Lemma 26. Let T ∪ {t, v} be a set of ground terms such that v is R,Ax-normal and a be a constant. Suppose that

(i) a ∉ subs(t) ∪ subs(Ax) ∪ subs(lhs(R)),
(ii) top(v) ∉ ct(Ax),
(iii) top(v) ∉ ct(l) \ {top(l)} for all l ∈ lhs(R), and
(iv) for all {s, s′} ∈ Ax, we have that vars(s) = vars(s′).

Then T ⊢E t implies Tρ[a/v], IK0 ⊢E tρ[a/v].

Proof. We prove this lemma by induction on the derivation of T ⊢E t, depending on the last rule that has been applied.

– Ax: We have t ∈ T and thus tρ[a/v] ∈ Tρ[a/v]. Therefore Tρ[a/v], IK0 ⊢E tρ[a/v].

– Comp: We have t = g(u1, . . . , un) and T ⊢E ui for i ∈ n. There are two cases.

• If t =Ax v then we have tρ[a/v] = a. Since a ∈ IK0, we obtain that Tρ[a/v], IK0 ⊢E tρ[a/v].


• If t ≠Ax v then we have

tρ[a/v] = g(u1ρ[a/v], . . . , unρ[a/v]).

Moreover, by induction hypothesis, we have Tρ[a/v], IK0 ⊢E uiρ[a/v] for all i ∈ n. Hence, we obtain Tρ[a/v], IK0 ⊢E tρ[a/v] as required.

– Eq: In this case, there is a term t′ such that T ⊢E t′ and t′ =E t. Since a ∉ subs(t), from assumption (i), we derive that a ∉ subs(t′). Hence, we can apply the induction hypothesis and obtain Tρ[a/v], IK0 ⊢E t′ρ[a/v]. By Lemma 25, we have that t′ρ[a/v] =E tρ[a/v]. Thus, we derive Tρ[a/v], IK0 ⊢E tρ[a/v] as desired.

This completes the proof of the lemma. □

Lemma 27. Let T ∪ {t, v, a} be terms such that v is ground, a is a constant, and a ∉ subs(t). Let σ be a ground R,Ax-normal well-typed substitution. Suppose that the following holds.

(i) T ∪ {t} ⊆ udom(Ff),
(ii) for all terms u ∈ subs(T ) ∪ subs(t), we have f(u) is R,Ax-stable,
(iii) for all non-variable t′ ∈ subs(T ) ∪ subs(t), we have t′σ ≠Ax v,
(iv) a ∉ subs(Ax) ∪ subs(lhs(R)),
(v) top(v) ∉ ct(Ax),
(vi) top(v) ∉ ct(l) \ {top(l)} for all l ∈ lhs(R), and
(vii) for all {s, s′} ∈ Ax, we have that vars(s) = vars(s′).

Then Tσ, IK0 ⊢E tσ implies T(σρ[a/v]), IK0 ⊢E t(σρ[a/v]).

Proof. Suppose that Tσ, IK0 ⊢E tσ. By Lemma 26, we have

(Tσ)ρ[a/v], IK0ρ[a/v], IK0 ⊢E (tσ)ρ[a/v].

By assumption (iii), this implies

(Tσ)ρ[a/v] = T(σρ[a/v]),
(tσ)ρ[a/v] = t(σρ[a/v]).

Therefore, we obtain

T(σρ[a/v]), IK0 ⊢E t(σρ[a/v]).

This completes the proof of the lemma. □

Lemma 28. Let t, v be ground terms, and a be an atom. Assume that

(i) t is R,Ax-normal,
(ii) v is composed and not a pair,
(iii) for all τ ∈ Π(E+f) and all types τ′ ∈ subs(τ) \ {τ′}, we have top(τ′) ≠ top(v),
(iv) for all terms u ∈ Rec(Ff, t), u ≠Ax v,
(v) a ∉ subs(Ax) ∪ subs(lhs(R)),
(vi) top(v) ∉ ct(Ax), and
(vii) for all {s, s′} ∈ Ax, we have that vars(s) = vars(s′).

Then tρ[a/v] is R,Ax-normal and f(t) = f(tρ[a/v]).

Proof. The first conjunct, namely that tρ[a/v] is R,Ax-normal, follows from Lemma 23. We now show that f(t) = f(tρ[a/v]) by induction on the size of t.

– If t is an atom then since v is composed, we have tρ[a/v] = t. Thus we obtain f(t) = f(tρ[a/v]).

– If t = c(t1, . . . , tn) for some c ∈ Σn and n ≥ 1, then let f(p) = q be the pattern in E+f that is chosen for t. Let p : τ. Then we have Γ(t) ≼ τ. We show that Γ(tρ[a/v]) ≼ τ. Suppose there is a position k such that t|k =Ax v. It is sufficient to show that Γ(t[a]k) ≼ τ. Let us consider two cases.

• If k ∈ Pos(τ) then we have Γ(t|k) ≼ τ|k. Since t|k =Ax v and v is composed, we derive that t|k is composed and

top(t|k) = top(v). (24)

Note that t ∈ Rec(Ff, t). By assumption (iv), we have t ≠Ax v. Since t|k =Ax v and t ≠Ax v, we know that k is not the root of t. That means τ|k is a strict subterm of τ. Hence, by assumption (iii), we derive that top(τ|k) ≠ top(v). This by (24) implies that top(τ|k) ≠ top(t|k). Moreover, we know that t|k is composed and Γ(t|k) ≼ τ|k. Therefore, we must have that τ|k = msg and obtain Γ(t[a]k) ≼ τ as desired.

• If k ∉ Pos(τ) then there must be a position k′ above k such that τ|k′ = msg. This also yields Γ(t[a]k) ≼ τ.

Hence, we have shown that Γ(tρ[a/v]) ≼ τ. Similarly, it holds that whenever a pattern p′ matches tρ[a/v], it also matches t. This implies that t and tρ[a/v] are abstracted under f by the same clause. Let θ and θ′ be substitutions such that t = pθ and tρ[a/v] = pθ′. We perform a case distinction on p.

• p = c(p1, . . . , pn) for c ∈ Σn \ (CAx ∪ CKey). In this case, we have

f(c(p1, . . . , pn)) = 〈e1, . . . , ed〉

for some d > 0, and for all i ∈ d, ei is of one of the following forms:
1. ei = c(f(q1), . . . , f(qn)) such that set(qj) ⊆ split(pj) for all j ∈ n, c ≠ 〈·, ·〉, and c ∈ CR ⇒ qn = [pn].
2. ei = f(q) such that q ∈ split(pj) for some j ∈ n.
Moreover, it holds that ∀j ∈ pp(c). split(pj) ⊆ Q(j), where

Q(j) = ⋃{set(qj) | c(f(q1), . . . , f(qn)) ∈ {e1, . . . , ed}} ∪ {q | f(q) ∈ {e1, . . . , ed}}.


Hence, we have

f(t) = 〈e1θ, . . . , edθ〉,
f(tρ[a/v]) = 〈e1θ′, . . . , edθ′〉.

To see that f(tρ[a/v]) = f(t), it is sufficient to show that eiθ = eiθ′ for all i ∈ d. Let i ∈ d. We consider two cases.

∗ ei = c(f(q1), . . . , f(qn)). To show that eiθ = eiθ′, it is sufficient to show that f(qjθ) = f(qjθ′) for all j ∈ n. Let j ∈ n. Since v is not a pair and (pθ)ρ[a/v] = pθ′, we have (wθ)ρ[a/v] = wθ′ for all w ∈ set(qj). Moreover, by assumption (iv), we have wθ ≠Ax v. Note that wθ ∈ subs(t) \ {t}. Hence, by induction hypothesis, we have f(wθ′) = f(wθ). This yields f(qjθ) = f(qjθ′) as desired.

∗ ei = f(q) with q ∈ split(pj) for some j ∈ n. Since (pθ)ρ[a/v] = pθ′, we derive that qθ′ = (qθ)ρ[a/v]. Moreover, q ∈ split(pj) implies that qθ ∈ subs(t) \ {t}. By induction hypothesis, we know that f(qθ′) = f(qθ). Therefore, we obtain eiθ = eiθ′ as required.

• p = c(p1, . . . , pn) for c ∈ Σn ∩ (CAx ∪ CKey). In this case, we have

f(p) = c(f(p1), . . . , f(pn)),
f(t) = c(f(t1), . . . , f(tn)),
f(tρ[a/v]) = c(f(t1ρ[a/v]), . . . , f(tnρ[a/v])).

From assumption (iv), we have ti ≠Ax v for all i ∈ n. Thus by the induction hypothesis, we have f(ti) = f(tiρ[a/v]). Thus we obtain f(t) = f(tρ[a/v]) as required.

This completes the proof of the lemma. □

In the following lemma, we introduce the notion of composite-preserving. We say that f is composite-preserving if for all clauses (f(p) = q) ∈ Ef such that top(p) ∈ Σn with n ≥ 1, we have either (i) top(q) ∈ Σm \ {f} with m ≥ 1, or (ii) q = f(q′) for some term q′ such that Γ(q′) is composed. Intuitively, f is composite-preserving if it cannot produce a non-composed term from a composed one.

Lemma 29. Let t be an R,Ax-normal term and f be composite-preserving and homomorphic for top(t). Suppose that there exists a rewrite rule l → r ∈ R and a substitution σ such that

(i) f(t) =Ax lσ,
(ii) l is Ax-stable.

Then we have l → r ∉ R3∗.

Proof. We prove this lemma by contradiction. Suppose that l → r ∈ R3∗ and t = c(t1, . . . , tn) for some c ∈ Σn. Since f is homomorphic for c, we have

f(t) = c(f(t1), . . . , f(tn)).


By assumption (i), we obtain that c(f(t1), . . . , f(tn)) =Ax lσ. Moreover, by assumption (ii), we derive that l = c(u1, . . . , un) for some terms u1, . . . , un and f(ti) =Ax uiσ for all i ∈ n. We also know that ui is either a variable or a constant. Let us define the substitution σ′ = {f(ti)/ui | i ∈ n and ui is a variable}. We show that t = lσ′. To see this, it is sufficient to show that ui is a constant implies ui = ti. Indeed, let i ∈ n such that ui is a constant. Since f(ti) =Ax uiσ, we derive that f(ti) = ui. This together with the assumption that f is composite-preserving implies that ti is not composed. Therefore, we have ti = ui. Hence, we have shown that t = lσ′. This contradicts our assumption that t is R,Ax-normal and thus completes the proof of the lemma. □

In the following lemma, we use the set of terms Dec(σ), which for a given substitution σ is defined as follows.

Dec(σ) = {t | t ∈ subs(ran(σ)) ∧ top(t) ∈ top(lhs(R)) ∧ f(t) is a redex}.

Lemma 30. Let φ ∈ LP , and (tr, th, σ) be a reachable state of P . Suppose that

(i) f is composite-preserving and homomorphic for top(lhs(R)),
(ii) for all τ ∈ Π(E+f) and all types τ′ ∈ subs(τ) \ {τ′}, we have top(τ′) ∉ top(lhs(R)),
(iii) for all terms v ∈ subs(MP ∪ Secφ ∪ EqTermφ), we have f(v) is R,Ax-stable,
(iv) EqTermφ is R,Ax-stable,
(v) MP ∪ Secφ ∪ EqTermφ ⊆ udom(Ff),
(vi) 〈·, ·〉 ∉ top(lhs(R)),
(vii) l is Ax-stable for all l ∈ lhs(R3∗),
(viii) top(lhs(R \ R3∗)) ∩ ct(Ax) = ∅,
(ix) for all l ∈ lhs(R) and all non-variable positions p ∈ Pos(l) \ {ε}, we have that top(l|p) ∉ top(lhs(R)), and
(x) for all {s, s′} ∈ Ax, we have that vars(s) = vars(s′).

Then there is an R,Ax-normal ground well-typed substitution σ0 such that f(σ0) is R,Ax-normal and the following holds:

– |Dec(σ0)| < |Dec(σ)|,
– (tr, th, σ0) is a reachable state in P , and
– if (tr, th, σ) ⊭ φ then (tr, th, σ0) ⊭ φ.

Proof. Without loss of generality, we assume that σ is R,Ax-normal. By assumption (vi) and Lemma 6, we derive that f(σ) is not R,Ax-normal if and only if Dec(σ) ≠ ∅. Let v0 ∈ Dec(σ) and a0 be a constant that does not occur in φ, ran(σ), R, and Ax. First, we show that top(v0) ∉ ct(Ax). Since f(v0) is a redex, there exists a rewrite rule l → r ∈ R and a substitution θ such that f(v0) =Ax lθ. By assumptions (i), (vii) and Lemma 29, we derive that l → r ∉ R3∗. This by assumption (viii) implies that top(l) ∉ ct(Ax). Moreover, by assumption (i), we have top(v0) = top(f(v0)). Since all equations s ≃ s′ in Ax satisfy that top(s) = top(s′), we derive that top(f(v0)) = top(lθ). As l is not a variable, we also have top(l) = top(lθ). Therefore, we obtain that top(v0) = top(l). This yields top(v0) ∉ ct(Ax).

Second, we define σ0 = σρ[a0/v0] and show that σ0 is well-typed. Note that σ is well-typed by assumption. Let X ∈ dom(σ0) and suppose that subs(Xσ) ∩ dom(ρ[a0/v0]) ≠ ∅. Then Xσ is composed. Since σ is well-typed, we must have X : msg. Therefore, we have Γ((Xσ0)↓R,Ax) ≼ Γ(X). Hence σ0 is well-typed.

Third, we show that σ0 is R,Ax-normal. Let X ∈ dom(σ0). Since σ is R,Ax-normal, so is Xσ. By Lemma 23, (Xσ)ρ[a0/v0] is R,Ax-normal. Thus Xσ0 is R,Ax-normal. Hence σ0 is R,Ax-normal.

We now show that |Dec(σ0)| < |Dec(σ)|. For this purpose, it is sufficient to show that for all terms t ∈ subs(ran(σ)) such that f(t) is R,Ax-normal, we also have that f(tρ[a0/v0]) is R,Ax-normal. Let t ∈ subs(ran(σ)) such that f(t) is R,Ax-normal. We claim that for all u ∈ Rec(Ff, t), it holds that u ≠Ax v0. To see that, let us pick an arbitrary term u ∈ Rec(Ff, t). Since f(t) is R,Ax-normal, so is f(u). Suppose that u =Ax v0. By Proposition 3, we know that f(u) =Ax f(v0). Since f(v0) is not R,Ax-normal, neither is f(u). This, together with u ∈ Rec(Ff, t), implies that f(t) is not R,Ax-normal, which is a contradiction. Therefore, we must have u ≠Ax v0. Hence, we have established that u ≠Ax v0 for all u ∈ Rec(Ff, t). Thus by Lemma 28, we have f(t) = f(tρ[a0/v0]). Since f(t) is R,Ax-normal, so is f(tρ[a0/v0]). Hence, we have just proved that

|Dec(σ0)| < |Dec(σ)|. (25)

Next, we show reachability for σ0, i.e., we need to show that (tr, th, σ0) is reachable in P . We prove this by induction on the number n of transitions leading to (tr, th, σ).

– Base case (n = 0): Since (ε, th, σ) is reachable, so is (ε, th, σ0).
– Inductive case (n = k + 1): Suppose (tr′, th′, σ) is reachable in k steps and there is a transition (tr′, th′, σ) → (tr, th, σ). By induction hypothesis, we have

(tr′, th′, σ0) is reachable in P. (26)

We consider two non-trivial cases according to the rule r that has been applied in step k + 1.

• If r = SEND then it is obvious that (tr′, th′, σ0) → (tr, th, σ0). This by (26) yields that (tr, th, σ0) is reachable in P .
• If r = RECV then there exist i ∈ TID and R ∈ dom(P ) such that th′(i) = (R, rcv(u) · tl), tr = tr′ · (i, rcv(u)), th = th′[i ↦ (R, tl)], and

IK(tr′)σ, IK0 ⊢E uσ.

Let T = subs(IK(tr) ∪ Secφ ∪ EqTermφ). We show the following result.

∀t′ ∈ T \ vars(T ). t′σ0 ≠Ax v0. (27)

Suppose that it is not the case; then there is a term t′ ∈ T such that t′σ0 =Ax v0. By Proposition 3, we have f(t′σ0) =Ax f(v0). By assumption (v), we can apply Theorem 1 and obtain f(t′σ0) = f(t′)f(σ0). This by assumption (iii) implies that f(t′σ0) is R,Ax-normal. This is a contradiction since f(t′σ0) =Ax f(v0) and f(v0) is not R,Ax-normal. Hence, we have shown (27). By (27) and Lemma 27, we derive that

IK(tr′)σ0, IK0 ⊢E uσ0.

Thus the reachability of (tr, th, σ0) in P follows immediately.

Then, we show attack preservation for σ0, i.e., we need to show that

∀ϑ. (tr, th, σ, ϑ) ⊭ φ ⇒ (tr, th, σ0, ϑ) ⊭ φ.

We prove this by induction on φ. It is enough to consider the following cases.

– φ ≡ m = m′ or φ ≡ ¬(m = m′).

(tr, th, σ, ϑ) ⊨ m = m′
⇔ mσ =E m′σ
⇔ (mσ)ρ[a0/v0] =E (m′σ)ρ[a0/v0]   by Lemma 25
⇔ m(σρ[a0/v0]) =E m′(σρ[a0/v0])   by (27)
⇔ mσ0 =E m′σ0
⇔ (tr, th, σ0, ϑ) ⊨ m = m′

– φ ≡ honest(i, R) or φ ≡ ¬honest(i, R).

(tr, th, σ, ϑ) ⊨ honest(i, R)
⇔ Rϑ(i)σ ∈ AH
⇔ Rϑ(i)σ0 ∈ AH   since Rϑ(i)σ = Rϑ(i)σ0
⇔ (tr, th, σ0, ϑ) ⊨ honest(i, R)

– φ ≡ secret(m).

(tr, th, σ, ϑ) ⊭ secret(m)
⇔ IK(tr)σ, IK0 ⊢E mσ
⇒ IK(tr)σ0, IK0 ⊢E mσ0   by (27) and Lemma 27
⇔ (tr, th, σ0, ϑ) ⊭ secret(m)

The inductive cases are routine. □

Lemma 31. Let φ ∈ LP , and (tr, th, σ) be a reachable state of P . Suppose that

(i) f is composite-preserving and homomorphic for top(lhs(R)),
(ii) for all τ ∈ Π(E+f) and all types τ′ ∈ subs(τ) \ {τ′}, we have top(τ′) ∉ top(lhs(R)),
(iii) for all terms v ∈ subs(MP ∪ Secφ ∪ EqTermφ), we have f(v) is R,Ax-stable,
(iv) EqTermφ is R,Ax-stable,
(v) MP ∪ Secφ ∪ EqTermφ ⊆ udom(Ff),
(vi) 〈·, ·〉 ∉ top(lhs(R)),
(vii) l is Ax-stable for all l ∈ lhs(R3∗),
(viii) top(lhs(R \ R3∗)) ∩ ct(Ax) = ∅,
(ix) for all l ∈ lhs(R) and all non-variable positions p ∈ Pos(l) \ {ε}, we have that top(l|p) ∉ top(lhs(R)), and
(x) for all {s, s′} ∈ Ax, we have that vars(s) = vars(s′).

Then there is an R,Ax-normal ground well-typed substitution σ′ such that f(σ′) is R,Ax-normal and the following holds:

– (tr, th, σ′) is a reachable state in P , and
– if (tr, th, σ) ⊭ φ then (tr, th, σ′) ⊭ φ.

Proof. By Lemma 30, we know that there is an R,Ax-normal ground well-typed substitution σ0 such that |Dec(σ)| > |Dec(σ0)| and

– (tr, th, σ0) is a reachable state in P , and
– if (tr, th, σ) ⊭ φ then (tr, th, σ0) ⊭ φ.

We keep applying Lemma 30 to construct a sequence of R,Ax-normal ground well-typed substitutions σ0, σ1, . . . , σn for some n ≥ 0 such that |Dec(σn)| = 0 and

– (tr, th, σn) is a reachable state in P , and
– if (tr, th, σ) ⊭ φ then (tr, th, σn) ⊭ φ.

Since |Dec(σn)| = 0, we have that f(σn) is R,Ax-normal. By setting σ′ = σn, we complete the proof of the lemma. □

We say that f is constructor-exclusive for the function symbol c if for all (f(p) = q) ∈ Ef we have that top(q) = c implies top(p) = c. In the following lemma, we prove that every ground abstracted term with top-level constructor c can only be obtained by transforming a term of the same form, provided that f is composite-preserving and constructor-exclusive for c.

Lemma 32. Let t be an R,Ax-normal ground term and c be a function symbol. Suppose that

(i) f is composite-preserving,
(ii) f is constructor-exclusive for c.

Then top(f(t)) = c implies top(t) = c.

Proof. The conclusion is trivial if t is an atom. Suppose that t is composed. Then there exists the first pattern (f(p) = q) ∈ E+f such that Γ(t) ≼ Γ(p) and pθ = t for some substitution θ. We distinguish two cases:

– If (f(p) = q) ∈ E0f then we have that top(q) = top(p) = top(t) = g′. We also have c = top(f(t)) = top(qθ) = top(t). This yields top(t) = c as required.


– If (f(p) = q) ∈ Ef then by assumption (i), we obtain that

top(t) = top(p),
top(f(t)) = top(q).

Moreover, by assumption (ii), we derive that top(t) = top(p) = top(q) = c.

This completes the proof of the lemma. □

Lemma 33. Let t, u be ground terms and suppose that

(i) f is composite-preserving,
(ii) f is constructor-exclusive for all c ∈ ct(u), and

(iii) f is homomorphic for ct(u).

Then f(t) = u implies t = u.

Proof. We prove this lemma by induction on u.

– If u is an atom then since f(t) = u and assumption (i), we derive that t must be an atom. Hence, we have f(t) = t and thus obtain t = u as required.

– If u = c(u1, . . . , un) for c ∈ Σn and some terms u1, . . . , un, then since f(t) = u, we have top(f(t)) = c. By Lemma 32, we derive that there are terms t1, . . . , tn such that t = c(t1, . . . , tn). Moreover, by assumption (iii), we have f(t) = c(f(t1), . . . , f(tn)). Since f(t) = u, we obtain that f(ti) = ui for all i ∈ n. By induction hypothesis, we have that ti = ui for all i ∈ n. Therefore, we derive that t = u as required.

This completes the proof of the lemma. □

Lemma 34. Let t, u be terms such that msg ∉ Γ(vars(u)) and σ be an R,Ax-normal ground well-typed substitution such that tf(σ) = uf(σ). Assume that the following holds:

(i) f is composite-preserving,
(ii) for all positions p ∈ Pos(t) ∩ Pos(u) such that t|p is a message variable, we have
(a) f is constructor-exclusive for all c ∈ ct(u|p), and
(b) f is homomorphic for ct(u|p).

Then we have f(σ)|vars(t) = σ|vars(t).

Proof. It is sufficient to show that Xf(σ) = Xσ for all X ∈ vars(t) such that X : msg. Let X be a message variable at position p in t. Since tf(σ) = uf(σ), it is clear that p ∈ Pos(u). Moreover, we have Xf(σ) = u|pf(σ). Note that Xf(σ) = f(Xσ). Hence, by Lemma 33, we derive that Xσ = u|pf(σ). This implies Xf(σ) = Xσ as required. □

Finally, we are in a position to state our criterion.


Proposition 7. Let φ ∈ LP be a property formula, (t, u) ∈ Eqφ such that msg ∉ Γ(vars(u)), and (tr, th, σ) be a reachable state of P such that σ is R,Ax-normal and (tr, th, σ) ⊭ φ. Assume that the following holds:

(i) f is composite-preserving and homomorphic for top(lhs(R)),

(ii) for all τ ∈ Π(E+f) and all types τ′ ∈ subs(τ) \ {τ′}, we have top(τ′) ∉ top(lhs(R)),

(iii) for all terms v ∈ subs(MP ∪Secφ∪EqTermφ), we have f(v) is R,Ax-stable,

(iv) EqTermφ is R,Ax-stable,

(v) MP ∪ Secφ ∪ EqTermφ ⊆ udom(Ff ),

(vi) f(t) = t and f(u) = u,

(vii) t and u are R,Ax-stable, and u is Ax-stable,

(viii) for all positions p ∈ Pos(t) ∩ Pos(u) such that t|p is a message variable, we have

(a) f is constructor-exclusive for all c ∈ ct(u|p) and

(b) f is homomorphic for ct(u|p),

(ix) 〈·, ·〉 /∈ top(lhs(R)),

(x) l is Ax-stable for all l ∈ lhs(R3∗),

(xi) top(lhs(R \ R3∗)) ∩ ct(Ax) = ∅,
(xii) for all l ∈ lhs(R) and all non-variable positions p ∈ Pos(l) \ {ε}, we have that top(l|p) ∉ top(lhs(R)), and

(xiii) for all {s, s′} ∈ Ax, we have that vars(s) = vars(s′).

Then there is an R,Ax-normal ground substitution σ′ such that (tr, th, σ′) ⊭ φ and f(σ′) is R,Ax-normal. Furthermore, if f(tσ′) =E f(uσ′) then tσ′ =E uσ′.

Proof. By points (i)-(v) and (ix)-(xiii), we apply Lemma 31 and derive that there is a ground R,Ax-normal substitution σ′ such that (tr, th, σ′) ⊭ φ and f(σ′) is R,Ax-normal. Suppose that f(tσ′) =E f(uσ′). We need to show that tσ′ =E uσ′. By assumption (v) and Theorem 1, we know that f(tσ) = f(t)f(σ) and f(uσ) = f(u)f(σ). By assumption (vi), we derive that tf(σ) =E uf(σ). Therefore, we obtain that (tf(σ))↓R,Ax =Ax (uf(σ))↓R,Ax. This by assumption (iv) and the R,Ax-normality of f(σ) implies tf(σ) =Ax uf(σ). By (viii), we know that uf(σ) is Ax-stable. Therefore, we derive that tf(σ) = uf(σ). By Lemma 34, we have f(σ)|vars(t) = σ|vars(t). Note that since msg ∉ Γ(vars(u)), we also have that f(σ)|vars(u) = σ|vars(u). Hence, we obtain tσ = uσ, which yields tσ =E uσ.

In Proposition 7, checking conditions (iv), (vii), and (x) requires that an Ax-unification algorithm exists. The other conditions can be effectively checked. Note that for the XOR theory in Example 2 and the Diffie-Hellman theory in Example 1, conditions (ix)-(xiii) are satisfied.

We now apply our criterion to justify condition I with respect to protocol IKEm, the typed abstraction specified in Example 6, and the property φa formalized in Example 4.


Example 11. First, we recall the typed abstraction F1 = (f1, E1) in Example 6, where E1 is defined by the equations:

f1({|X, Y|}Z) = 〈f1(X), f1(Y)〉,
f1(mac(X1, . . . , X8)) = mac(f1([X1, X3, X5, X6, X7, X8])),
f1(mac(Y1, . . . , Y8)) = mac(f1([Y1, Y5, Y6, Y7, Y8])),
f1(kdf(Z1, . . . , Z5)) = kdf(f1(Z3)),
f1(prf(U, Z)) = f1(U),
f1(exp(U1, U2)) = exp(f1(U1), f1(U2)),
f1(sh(U1, U2)) = sh(f1(U1), f1(U2)),
f1({|V1, V2|}Z) = 〈f1(V1), f1(V2)〉,
f1(〈U3, U4〉) = 〈f1(U3), f1(U4)〉,

and V1 : α, X3 : γo, Y3 : nonce, Z3 : exp(msg, msg), U : kdf(msg), and all remaining pattern variables are of type msg.

Second, we check the conditions in Proposition 7. Conditions (ix)-(xii) hold for the considered equational theory. Conditions (i), (ii), and (v) immediately follow from the specification of Ef . Conditions (iii) and (iv) are also satisfied, since no term in the set subs(MIKEm ∪ EqTermφa) contains a function symbol from top(lhs(R)) and f is constructor-preserving. To check the remaining conditions, note that this proposition is applied for the case that u = exp(g, xj) and t = Gak, where j, k ∈ TID and x is a nonce. Hence, we have f1(t) = t and f1(u) = u. Therefore, condition (vi) is satisfied. Note that t|p is a variable if and only if p = ε. Since ct(u|ε) = ct(u) = {exp}, it is not hard to see that f is constructor-exclusive for exp and f is homomorphic for exp. Therefore, condition (viii) also holds.

In practice, the syntactic criteria I (Proposition 6) and II (Proposition 7) are sufficient for many relevant case studies, e.g., all case studies in this thesis including those in Section 4 can be justified using these criteria. For authentication properties that involve agreement on atoms or variables of simple types such as nonces or timestamps, criterion I is applicable. Compared to I, criterion II has a larger scope and can be applied to authentication properties that involve message variables. The cost of checking criterion II lies mostly in computing Ax-unifiers. Nevertheless, the Ax-unification algorithm required for this criterion need not compute a complete set of most general Ax-unifiers. Computing a single Ax-unifier of two given terms, in the case that such a unifier exists, is adequate.

F.3 Soundness conditions for IKEm-to-IKE1m abstraction

Here, we establish the soundness conditions for the abstraction F1 = (f1, Ef1) in Example 6 with respect to the properties φs and φa expressed in Example 4. For simplicity, let φ represent both φs and φa. We assume that IK0 = IK′0 = A ∪ C ∪ F• ∪ ⋃a∈A,b∈AC sh(a, b). We need to show that the conditions required for Theorem 4 hold. These conditions are:


(i) f1(IK0) ⊆ IK′0,
(ii) F1 is R,Ax-closed and pattern-disjoint,
(iii) MIKEm ⊆ udom(Ff1) ∩ rdom(Ff1),
(iv) Secφ ∪ EqTermφ ⊆ udom(Ff1) ∩ rdom(Ff1),
(v) Ff1(tσ) =E Ff1(uσ) implies tσ =E uσ for all (t, u) ∈ Eq+φ and for all well-typed and R,Ax-normal ground substitutions σ, and
(vi) Ff1(t) = Ff1(u) implies t = u, for all e(t) ∈ Evt+φ and e(u) ∈ Evt(MIKEm).

Note that the last three conditions are an unfolding of condition (iv) in Theorem 4. To justify conditions (i)-(vi), we rely on the following observations.

(O1) f1(IK0) = IK0 = IK′0.
(O2) All terms in subs(MIKEm ∪ Secφ ∪ EqTermφ) are abstracted using only clauses in Ef1.
(O3) No term in subs(MIKEm ∪ Secφ ∪ EqTermφ) contains reducible function symbols.
(O4) For all terms t, u ∈ MIKEm such that t ≠ u, we have Ff1(t) ≠ Ff1(u).

Condition (i) follows from (O1). To see that Ff1 is pattern-disjoint, note that except for mac, each function symbol is handled by at most one clause in Ef1. Moreover, the types of the mac patterns in the second and the third clauses, i.e.,

mac(msg ,msg , γo,msg ,msg ,msg ,msg ,msg) andmac(msg ,msg ,nonce,msg ,msg ,msg ,msg ,msg),

are disjoint. This shows that Ff1 is pattern-disjoint. In Example 9, we use a syntactic criterion to show that Ff1 is R,Ax-closed. Hence condition (ii) holds. Condition (iii) holds by (O2) and (O3). Condition (iv) follows from (O2) and (O3). Condition (vi) holds by (O4). To justify condition (v), note that we can rewrite the equality on the tuples in φa as a conjunction of equalities on the tuples’ components. Since f1 is the identity on atoms and variables, it suffices to establish condition (v) for the two equalities of the form X = g(a), where X is of type msg and a is an atom. We formally justify these cases in Example 11.


G Untyped protocol abstractions

Typed protocol abstractions allow simplifying protocols by pulling fields out of an encryption or removing fields from a hash. However, they do not allow removing a term, e.g., a hash or a variable, completely. In order to abstract a protocol more extensively, we introduce untyped protocol abstractions, which are complementary to typed ones. Informally, an untyped protocol abstraction is a function fu : T ⇀ T ∪ {nil}, which we extend to events, event sequences, traces, and protocols. Let P be a protocol; we define

(i) fu(ev(t)) = ev(fu(t)) for events ev(t) ∈ Evt(T ).
(ii) for event sequences, fu(ε) = ε and fu(e · tl) = fu(tl) if term(fu(e)) = nil and fu(e · tl) = fu(e) · fu(tl) otherwise; the lifting to traces is defined analogously.
(iii) fu(P )(X) = P (X) for all X ∈ dom(P ) such that P (X) ≠ ε.

G.1 Redundancy removal abstraction

In this section, we discuss protocol abstractions which allow us to remove redundancies in protocol specifications. For instance, we can remove intruder-derivable terms or repeated occurrences of a term. We call these abstractions redundancy removal abstractions.

Definition 11. A function rd : MP → M ∪ {nil} is a redundancy removal abstraction RDP for a protocol P if, for all R ∈ dom(P ), we have rd(IK0) P (R), where the predicate rd(T ) S is inductively defined by the following two rules (where rd(t) is removed from the deducibility conditions if it equals nil).

rd(T ) ε   (no premises)

rd(T ∪ {t}) r     T, Vα, rd(t) ⊢E t     T, Vα, t ⊢E rd(t)
──────────────────────────────────────────────────────────
rd(T ) (ev(t) · r)

We define rd(t#i) = rd(t)#i and lift rd over roles, traces, protocols, and thread pools as expected.

Next, we define our class of redundancy removal abstractions for protocols.

Definition 12 (Redundancy removal abstractions for protocols). Let P = (ΓP , SP ) be a protocol. The set of redundancy removal abstractions RDP for P is defined by

RDP = {rd :MP →M | ∀R ∈ dom(SP ). rd(ΓP )IK0SP (R)}.

For all rd ∈ RDP , t ∈MP , and i ∈ TID, we define rd(t#i) = rd(t)#i.
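The two premises of the rule in Definition 11 can be exercised concretely. The following is an added illustration, not code from the report: with a free Dolev-Yao deducibility relation (pairing, symmetric encryption, hashing) standing in for ⊢E and the agent variables Vα modelled as atoms the intruder knows, it checks both premises along a constructed three-event role for a valid rd (which drops a repeated agent name and maps an intruder-derivable hash to nil) and for an invalid one, and lifts rd over the role as in Section G.

```python
# Added illustration (not code from the report): checking the two premises of
# Definition 11 for a candidate redundancy removal abstraction rd along one
# role, and lifting rd over the role as in Section G (nil events vanish).
# Assumptions made here: a free Dolev-Yao term algebra with pairing, symmetric
# encryption and hashing stands in for ⊢E; agent variables (Vα) are modelled
# as atoms the intruder knows; the role and the abstractions rd are constructed.

NIL = None  # rd(t) = nil: the whole event is removed


def _decompose(known):
    """Close `known` under Dolev-Yao analysis: split pairs and decrypt
    enc(m, k) once the key k itself becomes derivable."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = {t[1], t[2]}
            elif t[0] == "enc" and _synth(t[2], known):
                parts = {t[1]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known


def _synth(t, known):
    """Can t be composed from an (analysed) set of known terms?"""
    if t in known:
        return True
    if isinstance(t, tuple):  # pair / enc / hash are all free constructors
        return all(_synth(arg, known) for arg in t[1:])
    return False


def derivable(known, t):
    """T ⊢ t in the free Dolev-Yao model (stand-in for ⊢E in Definition 11)."""
    return _synth(t, _decompose(known))


def is_redundancy_removal(ik0, agent_vars, role, rd):
    """Walk a role (list of (ev, t) in order) and check, for every event,
    the premises  T, Vα, rd(t) ⊢E t  and  T, Vα, t ⊢E rd(t)  of the second
    rule of Definition 11, growing T as rd(T ∪ {t}) r prescribes.
    Returns (True, None) or (False, first offending term)."""
    known = set(ik0) | set(agent_vars)
    for _ev, t in role:
        r = rd.get(t, t)  # terms rd does not mention are left unchanged
        extra = set() if r is NIL else {r}
        if not derivable(known | extra, t):  # t must be recoverable from rd(t)
            return False, t
        if r is not NIL and not derivable(known | {t}, r):  # and vice versa
            return False, t
        known.add(t)
    return True, None


def apply_rd(role, rd):
    """Lift rd to a role as in Section G: drop events whose term becomes nil."""
    return [(ev, rd.get(t, t)) for ev, t in role if rd.get(t, t) is not NIL]


# Constructed role: A sends her name with a nonce, receives the nonce back
# under a key shared with B, then sends a hash of the nonce.
MSG1 = ("pair", "A", "nA")
ENC = ("enc", "nA", "kAB")
MSG2 = ("pair", "A", ENC)
MSG3 = ("hash", "nA")
ROLE = [("snd", MSG1), ("rcv", MSG2), ("snd", MSG3)]
IK0 = {"i"}          # the intruder's own name
AGENTS = {"A", "B"}  # instances of Vα, known to the intruder

# Valid: the repeated name A in MSG2 is redundant (A is already in the trace),
# and MSG3 is intruder-derivable once nA is known, so it can vanish (nil).
RD_GOOD = {MSG2: ENC, MSG3: NIL}
# Invalid: dropping MSG2 entirely loses enc(nA, kAB), which needs kAB.
RD_BAD = {MSG2: NIL}

if __name__ == "__main__":
    print(is_redundancy_removal(IK0, AGENTS, ROLE, RD_GOOD))  # (True, None)
    print(is_redundancy_removal(IK0, AGENTS, ROLE, RD_BAD))   # (False, MSG2)
    print(apply_rd(ROLE, RD_GOOD))
```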

We overload the notation and use term(tr) to denote the set of terms occurring in trace tr. In the following theorem, we show reachability preservation for redundancy removal abstractions.


Lemma 35. Let P be a protocol and rd ∈ RDP . Then, for all states (tr, th, σ) reachable in P , we have IK(rd(tr))σ, IK0 ⊢E term(tr)σ.

Proof. We proceed by induction on the number n of transitions leading to a state (tr, th, σ). The lemma trivially holds for the base case (n = 0), where tr is the empty trace.

For the inductive case (n = k + 1), we assume that (tr′, th′, σ) is reachable in k steps and there is a transition (tr′, th′, σ) → (tr, th, σ). Suppose that this transition is performed by thread i. From the transition rules, we know that tr = tr′ · (i, ev(t)) for some ev ∈ {snd, rcv}. By the induction hypothesis, we have

IK (rd(tr′))σ, IK0 `E term(tr′)σ. (28)

Since IK(rd(tr′)) ⊆ IK(rd(tr)), it follows from (28) that

IK(rd(tr))σ, IK0 ⊢E term(tr′)σ.

Moreover, we have term(tr) = term(tr′) ∪ {t}. Thus it is sufficient to show

IK (rd(tr))σ, IK0 `E tσ. (29)

We do this by case analysis on the rule that justifies transition k + 1.

– Rule SEND. We have rd(tr) = rd(tr′) · (i, snd(rd(t))) and thus IK(rd(tr)) = IK(rd(tr′)) ∪ {rd(t)} if rd(t) ≠ nil, and rd(tr) = rd(tr′) otherwise. Hence, we can derive

IK(rd(tr))σ, IK0 ⊢E IK(rd(tr′))σ, rd(t)σ, IK0   by the above
                  ⊢E term(tr′)σ, rd(t)σ, IK0    by induction hypothesis (28)

Next, since the terms of all events preceding snd(t) on P (R) are contained in term(tr′) and rd ∈ RDP , we derive IK0, term(tr′), Vα, rd(t) ⊢E t. Instantiating this with σ and observing that (Vα)σ ⊆ A ⊆ IK0 yields

term(tr′)σ, rd(t)σ, IK0 ⊢E tσ.

Combining this with the derivation above yields the desired conclusion (29).

– Rule RECV. In this case we can reason as follows.

IK(rd(tr))σ, IK0 ⊢E term(tr′)σ, IK0   by induction hypothesis (28)
                  ⊢E IK(tr′)σ, IK0     since IK(tr′) ⊆ term(tr′)
                  ⊢E tσ                by the second premise of rule RECV

This establishes (29) as required.

This concludes the proof of the lemma. □

Proposition 8. Let P be a protocol and rd ∈ RDP . Suppose that IK0 ⊆ IK′0. Then, for all states (tr, th, σ) reachable in P , (rd(tr), rd(th), σ) is a reachable state of rd(P ).


Proof. We proceed by induction on the number n of transitions leading to a state (tr, th, σ). The proposition trivially holds for the base case (n = 0), where tr is the empty trace. For the inductive case (n = k + 1), we assume that (tr′, th′, σ) is reachable in k steps and there is a transition (tr′, th′, σ) → (tr, th, σ). Suppose that this transition is performed by thread i. From the transition rules, we know that th′(i) = (R, ev(t) · tl) where R ∈ dom(P), ev ∈ {snd, rcv}, and tl is a suffix of the role P(R)#i. We also have tr = tr′ · (i, ev(t)) and th = th′[i ↦ tl].

By the induction hypothesis, (rd(tr′), rd(th′), σ) is a reachable state of rd(P). If rd(t) = nil then we are done, since rd(tr′) = rd(tr) and rd(th′) = rd(th). Otherwise, we have rd(t) ≠ nil. In this case, it is sufficient to show that rd(P) has a transition

(rd(tr′), rd(th′), σ) → (rd(tr), rd(th), σ).

We proceed by case distinction on the rule applied to justify step k + 1 of P.

– SEND rule. The rule's premise requires th′(i) = (R, snd(t) · tl). Hence, by the definition of rd(th′), we have rd(th′)(i) = (R, snd(rd(t)) · rd(tl)). Moreover, we have rd(tr) = rd(tr′) · (i, snd(rd(t))) and rd(th) = rd(th′)[i ↦ rd(tl)], which by the SEND rule justifies the transition above.

– RECV rule. This rule's premises require that th′(i) = (R, rcv(t) · tl) and

IK(tr′)σ, IK_0 ⊢_E tσ.

The rule's conclusion implies that tr = tr′ · (i, rcv(t)) and th = th′[i ↦ tl]. In order to apply the RECV rule in the state (rd(tr′), rd(th′), σ), two premises must be satisfied: first, rd(th′)(i) = (R, rcv(rd(t)) · rd(tl)), which holds by the definition of rd(th′), and, second,

IK(rd(tr′))σ, IK′_0 ⊢_E rd(t)σ, (30)

which we show now. Since rd ∈ RD_P and term(tr′) contains the terms of all events preceding rcv(t) on P(R), we have IK_0, term(tr′), V_α, t ⊢_E rd(t). Noting that term(tr) = term(tr′) ∪ {t} and (V_α)σ ⊆ A ⊆ IK_0, we derive

term(tr)σ, IK_0 ⊢_E rd(t)σ.

Moreover, from Lemma 35, we have IK(rd(tr))σ, IK_0 ⊢_E term(tr)σ. Combining these facts with the observation that IK(rd(tr)) = IK(rd(tr′)) and the assumption that IK_0 ⊆ IK′_0, we obtain (30) as required.

This completes the proof of the proposition. □

Next, we extend rd to formulas φ ∈ L_P as follows:

rd((i = i′)) = (i = i′)
rd((m = m′)) = (m = m′)
rd(role(i, R)) = role(i, R)
rd(honest(i, R)) = honest(i, R)
rd(steps(i, e)) = steps(i, rd(e))
rd((i, e) ≺ (j, e′)) = (i, rd(e)) ≺ (j, rd(e′))
rd(secret(m)) = secret(m)
rd(¬A) = ¬rd(A)
rd(φ_1 ∧ φ_2) = rd(φ_1) ∧ rd(φ_2)
rd(φ_1 ∨ φ_2) = rd(φ_1) ∨ rd(φ_2)
rd(∀i. φ′) = ∀i. rd(φ′)
rd(∃i. φ′) = ∃i. rd(φ′)


Let rd ∈ RD_P. In the following, we define the notion of (P, rd)-safe formulas, for which attack preservation holds.

Definition 13 ((P, rd)-safe formulas). Let P be a protocol and rd a redundancy abstraction for P. A formula φ is (P, rd)-safe if

1. rd(t) = rd(u) implies t = u, for all e(t) ∈ Evt⁺_φ and e(u) ∈ Evt(M_P), and
2. for all ev(t) ∈ Evt_φ, we have rd(t) ≠ nil.

Theorem 6 (Soundness for redundancy removal abstractions). Let P be a protocol, rd ∈ RD_P, and φ ∈ L_P a (P, rd)-safe formula. Suppose that IK_0 ⊆ IK′_0. Then, for all states (tr, th, σ) reachable in P, we have

1. (rd(tr), rd(th), σ) is reachable in rd(P), and
2. (tr, th, σ) ⊭ φ implies (rd(tr), rd(th), σ) ⊭ rd(φ).

Proof. By Proposition 8, we have that (rd(tr), rd(th), σ) is reachable in rd(P). It remains to show that

∀ϑ. (tr, th, σ, ϑ) ⊭ φ ⇒ (rd(tr), rd(th), σ, ϑ) ⊭ rd(φ).

We proceed by induction on the structure of φ and consider the following cases.

– φ ≡ m = m′ or φ ≡ ¬(m = m′).

(tr, th, σ, ϑ) ⊨ (m = m′)
  ⇔ mσ =_E m′σ
  ⇔ (rd(tr), rd(th), σ, ϑ) ⊨ rd((m = m′))

– φ ≡ secret(m).

(tr, th, σ, ϑ) ⊭ secret(m)
  ⇔ IK(tr)σ, IK_0 ⊢_E mσ
  ⇒ IK(rd(tr))σ, IK_0 ⊢_E mσ                  by Lemma 35
  ⇔ (rd(tr), rd(th), σ, ϑ) ⊭ rd(secret(m))

The remaining cases are routine. This completes the proof of the theorem. □


G.2 Variable removal abstractions

Our typed abstractions do not allow us to remove message variables. This is because our framework heavily relies on the substitution property, which fails to hold for the removal of variables. In this section, we establish a soundness result for variable removal abstractions separately for a subclass of protocols, namely well-formed protocols.

Definition 14. A protocol P is well-formed if all non-agent variables first occur in receive events, i.e., for all events e in a role P(R) and all variables X ∈ vars(term(e)) such that Γ(X) ≠ α, there is an event rcv(t) in P(R) such that rcv(t) equals or precedes e in P(R) and X ∈ vars(t).

Below we identify some conditions under which the set of messages the intruder can derive (and hence any potential attack) is preserved by variable removal. Before stating these assumptions, we introduce some auxiliary definitions.

First, we extend the notion of clearness to a set of terms T as expected, i.e., T is clear in a term t if every term in T is. We also say that T is clear in a set of terms T′ if every t ∈ T is clear in every t′ ∈ T′. In the following lemma, we abuse the notation and use vars(tr) to denote the set of variables occurring in tr.

Lemma 36. Let P be a well-formed protocol and (tr, th, σ) be a reachable state of P. Let V ⊆ 𝒱 be a set of variables such that V is clear in M_P. Then we have that remV(IK(tr))σ, IK_0 ⊢_E (IK(tr) ∪ (vars(tr) ∩ V♭))σ.

Proof. We proceed by induction on tr. For the base case, tr = ε, the lemma holds trivially. For the inductive step, suppose (tr′, th′, σ) is reachable in P and there is a transition (tr′, th′, σ) → (tr, th, σ) such that tr = tr′ · (i, ev(t)) for some i ∈ TID and some term t. By the induction hypothesis, we have

remV(IK(tr′))σ, IK_0 ⊢_E (IK(tr′) ∪ (vars(tr′) ∩ V♭))σ,

and we have to show remV(IK(tr))σ, IK_0 ⊢_E (IK(tr) ∪ (vars(tr) ∩ V♭))σ. We reason by a case distinction on the rule r that has been applied in the last step.

– If r = RECV then we have IK(tr′) = IK(tr). Thus, by the induction hypothesis, we have remV(IK(tr))σ, IK_0 ⊢_E IK(tr)σ. Therefore, it remains to show that remV(IK(tr))σ, IK_0 ⊢_E (vars(tr) ∩ V♭)σ.

Note that tr = tr′ · (i, rcv(t)). If vars(t) ∩ V♭ ⊆ vars(tr′) then vars(tr) ∩ V♭ = vars(tr′) ∩ V♭ and the conclusion follows directly from the induction hypothesis. Otherwise, let X_i ∈ (vars(t) ∩ V♭) \ vars(tr′). Given the induction hypothesis, it is sufficient to establish remV(IK(tr))σ, IK_0 ⊢_E X_iσ.

By the premises of the RECV rule, we know that IK(tr′)σ, IK_0 ⊢_E tσ. Since V is clear in t, we also have

IK(tr′)σ, IK_0 ⊢_E X_iσ. (31)

Since V is clear in IK(tr′), we have

IK_0, (V♭ ∩ vars(IK(tr′))), remV(IK(tr′)) ⊢_E IK(tr′).


By instantiating this with σ and using the fact that vars(IK(tr′)) ⊆ vars(tr′), we obtain

IK_0, (V♭ ∩ vars(tr′))σ, remV(IK(tr′))σ ⊢_E IK(tr′)σ.

Together with the induction hypothesis and IK(tr) = IK(tr′), we derive

remV(IK(tr))σ, IK_0 ⊢_E IK(tr′)σ.

Combining this with (31), we obtain remV(IK(tr))σ, IK_0 ⊢_E X_iσ as required.

– If r = SEND then we have tr = tr′ · (i, snd(t)). Thus, we have IK(tr) = IK(tr′) ∪ {t}. By the well-formedness of P, we have vars(tr) = vars(tr′). Hence, it follows from the induction hypothesis that

remV(IK(tr))σ, IK_0 ⊢_E (vars(tr) ∩ V♭)σ. (32)

We are left to show that remV(IK(tr))σ, IK_0 ⊢_E IK(tr)σ. Since V is clear in t, we obtain

IK_0, (V♭ ∩ vars(t))σ, remV(t)σ ⊢_E tσ. (33)

Since vars(t) ⊆ vars(tr), by (32) we have

remV(IK(tr))σ, IK_0 ⊢_E (vars(t) ∩ V♭)σ. (34)

From (34) and (33), we derive that

remV(IK(tr))σ, IK_0, remV(t)σ ⊢_E tσ.

Since t ∈ IK(tr), we have that remV(t)σ ∈ remV(IK(tr))σ. Hence, we obtain that

remV(IK(tr))σ, IK_0 ⊢_E tσ.

By the induction hypothesis, we have remV(IK(tr′))σ, IK_0 ⊢_E IK(tr′)σ. Hence, we derive that remV(IK(tr))σ, IK_0 ⊢_E IK(tr)σ as required.

This completes the proof of the lemma. □

Proposition 9. Let P be a well-formed protocol. Suppose V is a set of variables and u a term such that V is clear in M_P. Suppose (tr, th, σ) is a reachable state of P. Then IK(tr)σ, IK_0 ⊢_E uσ implies IK(remV(tr))σ, IK_0 ⊢_E remV(u)σ.

Proof. We derive

IK(remV(tr))σ, IK_0 ⊢_E remV(IK(tr))σ, IK_0
                    ⊢_E IK(tr)σ, IK_0          by Lemma 36
                    ⊢_E uσ, IK_0               by assumption
                    ⊢_E remV(u)σ

The last step follows from the assumption that V is clear in M_P. □


The following theorem states the reachability preservation result for variable removal abstractions.

Theorem 7. Let P be a well-formed protocol. Suppose IK_0 ⊆ IK′_0 and V ⊆ 𝒱 is a set of variables such that

1. V is clear in all terms t occurring in receive events in P, and
2. V is clear in M_P.

Let (tr, th, σ) be reachable in P. Then we have that (remV(tr), remV(th), σ) is reachable in remV(P).

Proof. We prove the reachability of the state (remV(tr), remV(th), σ) by induction on the number n of transitions leading to a state (tr, th, σ). The theorem holds trivially for the empty trace (n = 0). For the inductive case (n = k + 1), assume that (tr′, th′, σ) is reachable in k steps and there is a transition (tr′, th′, σ) → (tr, th, σ). By the induction hypothesis, the state (remV(tr′), remV(th′), σ) is reachable in remV(P).

We distinguish two cases according to the rule r used to justify step k + 1 in P. We first treat the case of the receive rule (r = RECV). The rule's premises require that there are i ∈ TID, R ∈ dom(P), and a suffix tl of the role P(R)#i such that

th′(i) = (R, rcv(t) · tl) and IK(tr′)σ, IK_0 ⊢_E tσ. (35)

The rule's conclusion implies that tr = tr′ · (i, rcv(t)) and th = th′[i ↦ tl]. We consider two cases.

– If remV(t) = nil then we have that

remV(tr) = remV(tr′),
remV(th) = remV(th′).

Hence, we conclude that (remV(tr), remV(th), σ) is reachable in remV(P) by the induction hypothesis.

– If remV(t) ≠ nil then we show that remV(P) has a transition

(remV(tr′), remV(th′), σ) → (remV(tr), remV(th), σ).

In order to apply the RECV rule in the state (remV(tr′), remV(th′), σ), the following two premises must be satisfied:

remV(th′)(i) = (R, rcv(remV(t)) · remV(tl)), and
IK(remV(tr′))σ, IK′_0 ⊢_E remV(t)σ.

The first premise holds by application of remV to th′. The second one follows from Proposition 9 and the assumption that IK_0 ⊆ IK′_0. The successor state in the conclusion of the RECV rule is

(remV(tr′) · (i, rcv(remV(t))), remV(th′)[i ↦ (R, remV(tl))], σ),

which is identical to the state (remV(tr), remV(th), σ), whose reachability in remV(P) we have hereby established.


The case of the send rule (r = SEND) is similar but simpler, since the deducibility condition falls away. This completes the proof of the theorem. □

Definition 15 ((P, remV)-safe formulas). Let P be a protocol and let V ⊆ 𝒱 be a set of variables. A formula φ ∈ L_P is (P, remV)-safe if and only if the following holds.

1. For all (m, m′) ∈ Eq_φ, we have vars({m, m′}) ∩ V♯ = ∅,
2. for all terms t ∈ Sec_φ, we have vars(t) ∩ V♯ = ∅,
3. for all events e(t) ∈ Evt_φ, we have remV(t) ≠ nil, and
4. remV(m) = remV(m′) implies m = m′ for all s(m) ∈ Evt⁺_φ and s(m′) ∈ Evt(M_P).

We now state our soundness theorem as follows.

Theorem 8 (Soundness for variable removal abstractions). Let P be a well-formed protocol and V ⊆ 𝒱 a set of variables that is clear in M_P. Let φ ∈ L_P be a (P, remV)-safe formula and (tr, th, σ) be reachable in P. Suppose that IK_0 ⊆ IK′_0. Then we have that (remV(tr), remV(th), σ) is a reachable state in remV(P). Moreover, if (tr, th, σ) ⊭ φ then (remV(tr), remV(th), σ) ⊭ remV(φ).

Proof. By Theorem 7, we have that (remV(tr), remV(th), σ) is a reachable state in remV(P). It remains to show that

∀ϑ. (tr, th, σ, ϑ) ⊭ φ ⇒ (remV(tr), remV(th), σ, ϑ) ⊭ remV(φ).

We proceed by induction on the structure of φ and consider the following non-trivial cases.

– φ ≡ m = m′ or φ ≡ ¬(m = m′).

(tr, th, σ, ϑ) ⊨ (m = m′)
  ⇔ mσ =_E m′σ
  ⇔ remV(m)σ =_E remV(m′)σ                                  (since φ is (P, remV)-safe)
  ⇔ (remV(tr), remV(th), σ, ϑ) ⊨ (remV(m) = remV(m′))

– φ ≡ secret(m).

(tr, th, σ, ϑ) ⊭ secret(m)
  ⇔ IK(tr)σ, IK_0 ⊢_E mσ
  ⇒ remV(IK(tr))σ, IK_0 ⊢_E mσ                  by Proposition 9
  ⇔ remV(IK(tr))σ, IK_0 ⊢_E remV(m)σ            since remV(m) = m
  ⇒ IK(remV(tr))σ, IK′_0 ⊢_E remV(m)σ
  ⇔ (remV(tr), remV(th), σ, ϑ) ⊭ secret(remV(m))

This completes the proof of the theorem. □


G.3 Atom removal abstraction

Atom removal abstractions allow us to eliminate atoms in clear. This cannot be done by typed or variable removal abstractions. Before we prove deducibility preservation for our atom removal abstractions, we introduce some auxiliary definitions. For any term t, we use atoms(t) and fresh(t) to denote the set of atoms and fresh values occurring in t, respectively. Recall that the attacker has a countably infinite choice of nonces n•_i ∈ F• for each type β_n. Given a set of atoms At ⊆ A ∪ C ∪ F and a set of terms T, we define imap(At, T) as the set of injective maps ρ : tID(At, T) → ℕ where tID(At, T) = {i ∈ TID | f_i ∈ fresh(At♯) ∩ split(T)}. We extend ρ to atoms and variables as follows.

– ρ(n_i) = n•_ρ(i) for all n_i ∈ fresh(At♯) ∩ split(T),

– ρ(u) = u for all remaining atomic messages u ∈ A ∪ C ∪ V♭ ∪ F♭ ∪ F•.

We extend ρ homomorphically to all terms. For the sake of uniformity, we treat ρ as a substitution. For terms t and u, we use [t/u] to denote the replacement of u by t.

Lemma 37. Let t, u be terms, a be an atom, and σ be a substitution such that

(i) vars(t) ∩ dom(σ) = ∅, and
(ii) a ∉ vars(u).

Then (uσ)[t/a] = (u[t/a])(σ[t/a]).

Proof. We prove this lemma by induction on u.

– If u is an atom then (uσ)[t/a] = u[t/a]. Moreover, by (i), it follows that (u[t/a])(σ[t/a]) = u[t/a]. Thus the lemma holds for this case.

– If u is a variable then by (ii), we have u[t/a] = u. Therefore, we have (uσ)[t/a] = u(σ[t/a]) = (u[t/a])(σ[t/a]).

– If u = g(u_1, . . . , u_n) for g ∈ Σ_n, n ≥ 1, then we have

(uσ)[t/a] = g((u_1σ)[t/a], . . . , (u_nσ)[t/a])                         since a is an atom
          = g((u_1[t/a])(σ[t/a]), . . . , (u_n[t/a])(σ[t/a]))           by IH
          = (g(u_1, . . . , u_n)[t/a])(σ[t/a])                           since a is an atom
          = (u[t/a])(σ[t/a])

This completes the proof of the lemma. □
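As an added example (not code from the report), the following Python script builds a small term algebra with substitution and atom replacement, checks the well-formedness condition of Definition 14 on constructed roles, and tests the identity of Lemma 37, including a case where premise (i) is violated. The term constructors, the sample roles and the substitutions are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union

# Added example, not the report's own code: a minimal term algebra used to
# check Definition 14 on constructed roles and the identity of Lemma 37.

@dataclass(frozen=True)
class Atom:
    """Agent name, constant or fresh value (nonce, key)."""
    name: str

@dataclass(frozen=True)
class Var:
    """Message variable; agent=True marks a variable of agent type alpha."""
    name: str
    agent: bool = False

@dataclass(frozen=True)
class Fn:
    """Compound term f(t1, ..., tn)."""
    sym: str
    args: Tuple["Term", ...]

Term = Union[Atom, Var, Fn]
Subst = Dict[Var, Term]
Event = Tuple[str, Term]  # ("snd" | "rcv", payload)

def vars_of(t: Term) -> FrozenSet[Var]:
    """vars(t): the variables occurring in t."""
    if isinstance(t, Var):
        return frozenset([t])
    if isinstance(t, Fn):
        return frozenset().union(*(vars_of(a) for a in t.args))
    return frozenset()

def apply(t: Term, sigma: Subst) -> Term:
    """t sigma: apply the substitution homomorphically."""
    if isinstance(t, Var):
        return sigma.get(t, t)
    if isinstance(t, Fn):
        return Fn(t.sym, tuple(apply(a, sigma) for a in t.args))
    return t

def replace(u: Term, t: Term, a: Atom) -> Term:
    """u[t/a]: replace every occurrence of the atom a in u by t."""
    if u == a:
        return t
    if isinstance(u, Fn):
        return Fn(u.sym, tuple(replace(x, t, a) for x in u.args))
    return u

def lemma37_premise_i(t: Term, sigma: Subst) -> bool:
    """Premise (i): vars(t) and dom(sigma) are disjoint. Premise (ii) holds
    automatically here, since atoms and variables are distinct classes."""
    return not (vars_of(t) & frozenset(sigma))

def lemma37_holds(u: Term, t: Term, a: Atom, sigma: Subst) -> bool:
    """Checks (u sigma)[t/a] == (u[t/a])(sigma[t/a]) on concrete terms."""
    lhs = replace(apply(u, sigma), t, a)
    sigma_r = {x: replace(v, t, a) for x, v in sigma.items()}  # sigma[t/a]
    rhs = apply(replace(u, t, a), sigma_r)
    return lhs == rhs

def well_formed(role: List[Event]) -> bool:
    """Definition 14: every non-agent variable first occurs in a receive
    event, so a send never uses a message variable that nothing has bound."""
    bound: set = set()
    for ev, payload in role:
        non_agent = {x for x in vars_of(payload) if not x.agent}
        if ev == "rcv":
            bound |= non_agent
        if not non_agent <= bound:
            return False
    return True

def pair(*ts: Term) -> Fn:
    return Fn("pair", ts)

# Constructed sample data (assumptions): a challenge-response responder role
# and a role that sends a message variable before any receive binds it.
A, NA, X = Var("A", agent=True), Var("NA"), Var("X")
nB, kAB, a0 = Atom("nB"), Atom("kAB"), Atom("a0")
responder = [("rcv", pair(A, NA)), ("snd", Fn("senc", (pair(NA, nB), kAB)))]
bad_role = [("snd", pair(A, X)), ("rcv", X)]

def demo() -> dict:
    """Runs both checks on the constructed data and returns the outcomes."""
    sigma = {X: a0}
    t_ok = pair(nB, kAB)  # no variables: premise (i) holds
    return {
        "responder_well_formed": well_formed(responder),
        "bad_role_well_formed": well_formed(bad_role),
        "premise_i_ok": lemma37_premise_i(t_ok, sigma),
        "lemma37_with_premise": lemma37_holds(pair(X, a0), t_ok, a0, sigma),
        # t = X lies in dom(sigma): premise (i) fails and so does the identity
        "premise_i_bad": lemma37_premise_i(X, {X: nB}),
        "lemma37_without_premise": lemma37_holds(pair(a0, X), X, a0, {X: nB}),
    }
```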

Next, we prove a deducibility lemma for atom removal abstractions.

Lemma 38. Let T be a set of normal-form terms, t a normal-form term, and At a set of atoms such that

(i) At♯ is clear in T ∪ {t}, and
(ii) At♯ ∩ fresh(IK_0) = ∅.

Let σ be a substitution such that Tσ, IK_0 ⊢_E tσ. Then, for all ρ ∈ imap(At, T ∪ {t}), we have

remAt(T)(ρ ◦ σ), IK_0 ⊢_E remAt(t)(ρ ◦ σ).


Proof. We start by observing that under assumption (i) we have

remAt(u), F• ⊢_E uρ and uρ ⊢_E remAt(u) (36)

for all terms u ∈ T ∪ {t} and ρ ∈ imap(At, T ∪ {t}). Suppose Tσ, IK_0 ⊢_E tσ. We show that remAt(T)θ, IK_0 ⊢_E remAt(t)θ where θ = ρ ◦ σ. Together with F•θ = F• and F• ⊆ IK_0, we can use Lemma 26 to derive the following from (36):

remAt(T)θ, IK_0 ⊢_E (Tρ)θ and (tρ)θ ⊢_E remAt(t)θ (37)

Since IK_0ρ = IK_0 by assumption (ii), we can also apply Lemma 26 to the assumption Tσ, IK_0 ⊢_E tσ and deduce (Tσ)ρ, IK_0 ⊢_E (tσ)ρ. Next, we use Lemma 37 to deduce (Tρ)θ, IK_0 ⊢_E (tρ)θ. Combining this with (37) above yields the desired result remAt(T)θ, IK_0 ⊢_E remAt(t)θ. □

Theorem 9 (Reachability preservation for atom removal abstractions). Let P be a protocol and At ⊆ atoms(M_P) a set of atoms such that

(i) At is clear in M_P, and
(ii) At♯ ∩ fresh(IK_0) = ∅.

Let (tr, th, σ) be a reachable state of P and ρ ∈ imap(At, term(tr)). Then the state (remAt(tr), remAt(th), ρ ◦ σ) is a reachable state of remAt(P).

Proof. Let θ = ρ ◦ σ. It is clear that θ is well-typed. We now prove the conclusion by induction on the number n of transitions leading to a state (tr, th, σ). For the empty trace (n = 0), the theorem holds trivially. For the inductive case (n = k + 1), assume that (tr′, th′, σ) is reachable in k steps and there is a transition (tr′, th′, σ) → (tr, th, σ). By the induction hypothesis, (remAt(tr′), remAt(th′), θ) is reachable in remAt(P).

There are two cases according to the rule r that has been applied in step k + 1 in P. The case of the send rule is easy. We consider the case of the receive rule. The rule's premises require that there are i ∈ TID, R ∈ dom(P), and a suffix tl of the role P(R)#i such that

th′(i) = (R, rcv(t) · tl) and IK(tr′)σ, IK_0 ⊢_E tσ. (38)

The rule's conclusion implies that tr = tr′ · (i, rcv(t)) and th = th′[i ↦ tl]. In order to apply the RECV rule in the state (remAt(tr′), remAt(th′), θ), we must show the following two premises:

remAt(th′)(i) = (R, rcv(remAt(t)) · remAt(tl)), and
IK(remAt(tr′))θ, IK′_0 ⊢_E remAt(t)θ.

Clearly, the first premise is satisfied by application of remAt to th′. We now show the second one. Using Lemma 38, we deduce from (38) that

remAt(IK(tr′))θ, IK_0 ⊢_E remAt(t)θ.


Since remAt(IK(tr′)) = IK(remAt(tr′)), we obtain

IK(remAt(tr′))θ, IK_0 ⊢_E remAt(t)θ.

Moreover, the successor state in the conclusion of the RECV rule is

(remAt(tr′) · (i, rcv(remAt(t))), remAt(th′)[i ↦ (R, remAt(tl))], θ),

which is identical to the state (remAt(tr), remAt(th), θ). This concludes the proof of the theorem. □

Definition 16 ((P, remAt)-safe formulas). Let P be a protocol. We assume a set of atoms At ⊆ atoms(M_P). A formula φ ∈ L_P is (P, remAt)-safe if the following conditions hold:

(i) At♯ ∩ fresh(Sec_φ ∪ EqTerm_φ) = ∅,
(ii) for all e(t) ∈ Evt_φ, we have remAt(t) ≠ nil, and
(iii) remAt(m) = remAt(m′) implies m = m′ for all s(m) ∈ Evt⁺_φ and s(m′) ∈ Evt(M_P).

We now show soundness for atom removal abstractions.

Theorem 10 (Soundness for atom removal abstractions). Let P be a protocol, At ⊆ atoms(M_P), and φ ∈ L_P a formula such that

(i) At is clear in M_P,
(ii) At♯ ∩ fresh(IK_0) = ∅, and
(iii) φ is (P, remAt)-safe.

Then, for all reachable states (tr, th, σ) of P, there is a ground substitution θ such that

1. the state (remAt(tr), remAt(th), θ) is reachable in remAt(P), and
2. (tr, th, σ) ⊭ φ implies (remAt(tr), remAt(th), θ) ⊭ remAt(φ).

Proof. Let ρ ∈ imap(At, term(tr)) such that

ρ is injective on fresh(ran(σ)). (39)

Let θ = ρ ◦ σ. By Theorem 9, we have that (remAt(tr), remAt(th), θ) is reachable in remAt(P) (and thus θ is well-typed). Hence, it remains to show that

∀ϑ. (tr, th, σ, ϑ) ⊭ φ ⇒ (remAt(tr), remAt(th), θ, ϑ) ⊭ remAt(φ).

We proceed by induction on the structure of φ and consider the following non-trivial cases.

– φ ≡ m = m′ or φ ≡ ¬(m = m′).

(tr, th, σ, ϑ) ⊨ (m = m′)
  ⇔ mσ =_E m′σ
  ⇔ (mσ)ρ =_E (m′σ)ρ                                        (by (39) and (iii))
  ⇔ (mρ)θ =_E (m′ρ)θ                                        (by Lemma 37)
  ⇔ remAt(m)θ =_E remAt(m′)θ                                (by Def. 16(ii))
  ⇔ (remAt(tr), remAt(th), θ, ϑ) ⊨ (remAt(m) = remAt(m′))


– φ ≡ secret(m).

(tr, th, σ, ϑ) ⊭ secret(m)
  ⇔ IK(tr)σ, IK_0 ⊢_E mσ
  ⇒ remAt(IK(tr))θ, IK_0 ⊢_E remAt(m)θ                      (by Lemma 38, Def. 16(i))
  ⇒ IK(remAt(tr))θ, IK_0 ⊢_E remAt(m)θ
  ⇔ (remAt(tr), remAt(th), θ, ϑ) ⊭ secret(remAt(m))

This completes the proof of the theorem. □


H Experimental results

H.1 Scyther tool

The Scyther tool is based on symbolic backward search and supports verification for both a bounded and an unbounded number of threads. We have demonstrated our abstraction method on a variety of protocols, mostly from the IKE and ISO/IEC 9798 families. Our results with the Scyther tool (version 1.1.2) are summarized in Table 2. Our experiments show substantial performance gains. The abstractions enable Scyther to verify seven protocols (four from the ISO/IEC 9798 family, two from the IKE family, and the PANA-AKA protocol) for an unbounded number of threads. Remarkably, five of them were verified (at the most abstract levels) within 0.4 seconds, whereas Scyther fails (TO) or runs out of memory (ME) on the original protocols.

For the IKE protocols, we approximate the Diffie-Hellman equations using oracle roles in Scyther. This complicates the verification task and, as a consequence, the average performance gain appears to be smaller than with the ISO/IEC protocols or the PANA-AKA protocol. In particular, the unbounded verification of (abstractions of) the first six IKE protocols in Table 2 still results in a timeout. However, we are able to either significantly improve the bounds on the number of threads that can be covered for these protocols or, for IKEv2-eap and IKEv2-eap2, enable protocol verification for a bounded number of threads where it timed out before even for three threads.

Apart from the dramatic speedups we achieve in most cases, we also observe that for many protocols the verification time grows much more slowly than for their originals. For the last seven protocols in the table, this time is almost constant, whereas it can grow rapidly, e.g., for ISO/IEC 9798-3-6-1 and PANA-AKA. Moreover, our abstractions greatly reduce memory consumption. In particular, Scyther runs out of memory for ISO/IEC 9798-3-6-1 and ISO/IEC 9798-3-7-1 after 5 and 6 threads, respectively. However, abstraction enables it to run up to an unbounded number of threads.

Scyther finds attacks on the most abstract models much faster than it does on the originals. Concretely, it falsifies the most abstract models of the IKEv1-sig-m and IKEv1-sig-m-perlman protocols for an unbounded number of threads within 0.06 seconds, while finding the same attacks on the original protocols takes 0.44 and 109 seconds, respectively.


protocol               No  prop. (S A W N)  model          #threads: 3  4          5          6          7          8          ∞
IKEv1-pk2-a2           1   X X              original       44.01        302.86     1843.80    10999.80   TO         TO         TO
                                            most abstract  6.01         26.36      151.88     1014.63    6838.97    TO         TO
IKEv1-pk2-a            1   X X              original       1103.63      27808.72   TO         TO         TO         TO         TO
                                            most abstract  133.65       3356.59    TO         TO         TO         TO         TO
IKEv1-pk-a2            1   X X              original       10.95        61.47      125.25     237.76     409.35     744.75     TO
                                            most abstract  0.84         1.79       2.43       3.63       6.01       9.61       TO
IKEv1-pk-a22           1   X X              original       18.48        82.93      249.55     554.09     1006.04    1734.85    TO
                                            most abstract  0.83         1.26       2.08       3.47       5.96       10.28      TO
IKEv2-eap              5   X X              original       TO           TO         TO         TO         TO         TO         TO
                                            most abstract  78.35        798.44     4212.71    20911.20   TO         TO         TO
IKEv2-eap2             5   X X              original       TO           TO         TO         TO         TO         TO         TO
                                            most abstract  70.18        690.26     4169.87    20071.45   TO         TO         TO
IKEv2-mac              5   X X              original       1.85         4.91       6.72       8.07       8.42       8.49       8.70
                                            most abstract  0.62         1.77       1.83       1.73       1.73       1.80       1.74
IKEv2-mac2             5   X X              original       2.16         4.09       6.43       9.41       8.16       8.44       8.69
                                            most abstract  0.81         1.60       1.73       1.75       1.73       1.74       1.73
IKEv2-mactosig         4   X X              original       11.65        141.37     1075.46    7440.81    TO         TO         TO
                                            most abstract  2.89         12.38      24.54      38.68      53.36      65.07      77.68
IKEv2-mactosig2        4   X X              original       11.71        133.20     1064.30    7229.13    TO         TO         TO
                                            most abstract  2.85         11.81      24.14      38.22      53.25      64.51      77.03
IKEv2-sigtomac         5   X X              original       6.15         33.19      65.05      115.34     204.93     206.45     237.34
                                            most abstract  3.59         12.72      28.44      44.44      55.11      66.97      67.15
IKEv1-pk-m             2   ×                original       48.62        269.92     507.40     869.23     16254.80   TO         TO
                                            most abstract  0.04         0.05       0.05       0.05       0.05       0.05       TO
IKEv1-pk-m2            2   X/×              original       18.26        274.87     4438.72    TO         TO         TO         TO
                                            most abstract  1.48         7.79       32.75      110.32     339.93     963.08     TO
IKEv1-sig-m            2   ×                original       0.34         0.45       0.45       0.45       0.45       0.46       0.44
                                            most abstract  0.05         0.05       0.05       0.06       0.05       0.05       0.06
IKEv1-sig-m-perlman    2   ×                original       2.86         13.99      40.78      67.83      72.08      72.15      109.03
                                            most abstract  0.05         0.05       0.05       0.05       0.05       0.05       0.05
ISO/IEC 9798-2-5       1   X                original       0.78         8.96       73.87      564.67     4214.22    TO         TO
                                            most abstract  0.07         0.11       0.12       0.11       0.11       0.11       0.11
ISO/IEC 9798-2-6       1   X                original       0.57         3.74       18.42      67.01      196.30     488.04     21278.58
                                            most abstract  0.05         0.04       0.05       0.05       0.05       0.05       0.05
ISO/IEC 9798-3-6-1     2   X X              original       43.08        802.95     8903.70    ME         ME         ME         ME
                                            most abstract  0.13         0.18       0.19       0.19       0.19       0.19       0.19
ISO/IEC 9798-3-6-2     1   X X              original       2.74         8.67       19.56      33.91      52.51      69.48      90.04
                                            most abstract  0.12         0.15       0.15       0.15       0.15       0.15       0.15
ISO/IEC 9798-3-7-1     2   X X              original       40.43        740.47     7483.36    16631.42   ME         ME         ME
                                            most abstract  0.13         0.18       0.19       0.19       0.19       0.19       0.19
ISO/IEC 9798-3-7-2     1   X X              original       2.38         7.71       16.68      26.99      35.06      49.49      TO
                                            most abstract  0.22         0.32       0.33       0.33       0.33       0.33       0.33
PANA-AKA               5   X X X X          original       5769.53      TO         TO         TO         TO         TO         TO
                                            most abstract  0.10         0.10       0.10       0.10       0.10       0.10       0.10

Table 2. Experimental results. The time is in seconds; for each protocol, the first row is the original model and the second row the most abstract level. No: number of abstractions. Properties of interest are Secrecy, Aliveness, Weak agreement, and Non-injective agreement (X marks a verified property, × an attack found, TO a timeout, ME out of memory).


H.2 Avantssar tools

The AVANTSSAR platform is an integrated toolset for the formal specification and Automated VAlidatioN of Trust and Security of Service-oriented ARchitectures. It provides three validation back-ends (CL-Atse, OFMC, and SATMC), which share the input languages for specifying protocols. The validators are based on two different techniques. SATMC reduces protocol insecurity problems to the satisfiability of propositional formulas, which can then be checked by modern SAT solvers. CL-Atse and OFMC both use constraint solving techniques to search for attacks. However, they use different optimization strategies to reduce the search space. All these tools can verify protocols only for a bounded number of threads.

We have experimented with CL-Atse (version 2.5-21), OFMC (version 2013b), and SATMC (version 3.4) on several protocols from the IKE and ISO/IEC 9798 families. Moreover, we have performed experiments on variants of the TLS and basic Kerberos protocols. For TLS, we distinguish two instances according to the different security properties of interest. So far, we have not modelled IKE protocols for SATMC, as this requires substantial effort to encode oracles for Diffie-Hellman equations. We therefore defer extended experiments with SATMC to future work.

In our experiments, we measure the verification time for different numbers of sessions. Note that a session in CL-Atse, SATMC, and OFMC differs from a thread in Scyther. CL-Atse and SATMC specify a session as an instantiation of all protocol roles, not just a single role. For instance, a session of a protocol with three different roles results in three role instances (or three threads in Scyther), where a concrete agent is assigned to each role. In contrast, OFMC works with symbolic sessions, where the agents executing the roles are not concretely specified but kept as variables.

For the AVANTSSAR tools, our experimental results generally exhibit smaller speedups than for Scyther. There is also a considerable variance between the different tools.

CL-Atse (Table 3) CL-Atse shows minor performance gains for the two IKEv1 protocols (pk2-a and pk-a2). However, abstraction enables the verification of the first three IKEv2 protocols (eap, eap2, and mac) for four sessions in less than 2 hours and dramatically speeds up the verification of three sessions of the eap and eap2 variants by factors greater than 690 and 900, respectively. For the last two IKEv2 protocols, the performance gains are still substantial: for four sessions we achieve a speedup factor of 7 for IKEv2-mactosig and of 107 for IKEv2-sigtomac. The best result in the ISO/IEC family is achieved for the ISO/IEC 9798-2-5 protocol, where we can turn a timeout for 10 sessions into a time of less than 0.2 seconds. The speedup for the 2-5 variant is less impressive, and for the two 3-7 variants we even observe an increase in verification time, as we do for the basic Kerberos protocol. For TLS, the verification time of secrecy up to five sessions drops from 260 minutes to 6 minutes (factor 42), whereas that of authentication is sped up by a factor of 1.5 for four sessions.

OFMC (Table 4) Surprisingly, the experimental results for OFMC are almost dual to those for CL-Atse. In particular, for the two IKEv1 protocols, OFMC loses performance on the abstracted protocols compared to the originals. Nevertheless, the abstractions save a lot of effort for the remaining protocols. We are able to increase the number of tractable sessions for 8 protocols: for 2 out of 7 from the IKE family, 5 out of 6 from the ISO/IEC 9798 family, and for the basic Kerberos protocol. For TLS, the verification of authentication is 1.7 times faster (up to 3 sessions). For secrecy, the tool achieves a 20-fold speedup (up to 4 sessions). As a typical case, OFMC verifies an abstraction of ISO/IEC 9798-2-5 for 5 sessions within less than 4 seconds, whereas it times out on the original for more than 2 sessions.

SATMC (Table 5) The abstractions enable the verification of the Kerberos and TLS protocols for 5 and even 10 sessions. In particular, the tool takes less than 21 seconds to verify the abstracted TLS protocol for 10 sessions, whereas it times out for 5 sessions of the original protocol. On the negative side, SATMC loses performance for the protocols in the ISO/IEC family.

Apart from these positive results, our experiments also provide evidence that protocol abstractions are not always helpful. This is typically the case when an abstraction removes sensitive information. In particular, the performance degradation for the AVANTSSAR tools can possibly be attributed to an interference with the highly refined optimization techniques used in these tools. More precisely, an abstraction may get rid of data that is crucial to eliminate redundancies (for CL-Atse) or to limit the number of branching nodes in the symbolic search tree (for OFMC). As a result, the search space becomes larger in the abstracted protocols than in the originals. However, the influence of abstraction on SATMC's performance is not clear. A further investigation is therefore desirable.

H.3 ProVerif tool

ProVerif is an automated cryptographic protocol verifier in the standard Dolev-Yao model. It supports user-defined equational theories to model algebraic properties of cryptographic primitives. In contrast with Scyther, it uses approximations, e.g., translating protocol models in the applied pi calculus to a set of Horn clauses, to handle an unbounded number of sessions. These approximations are sound with respect to attacks, i.e., if the tool finds no attacks then the protocol is indeed secure.

We have validated our abstractions for ProVerif (version 1.88) on six protocols from the IKE and ISO/IEC 9798 families (see Table 6). For all these protocols, we observe good speedups. In particular, for IKEv1-pk-a2 and IKEv2-eap, the speedup factors are 6 and 5, respectively. The performance gains for the ISO/IEC 9798 protocols are less pronounced than for the IKE ones. Concretely, the tool is roughly 1.5 times faster for these protocols.


protocol             prop. (S A W N)  model          #sessions: 3  4           5           10
IKEv1-pk2-a          X X              original       0.06          0.11        0.53        TO
                                      most abstract  0.05          0.08        0.32        TO
IKEv1-pk-a2          X X              original       0.05          0.09        1.79        TO
                                      most abstract  0.05          0.07        1.17        TO
IKEv2-eap            X X              original       625.75        TO          TO          TO
                                      most abstract  23.17         TO          TO          TO
IKEv2-eap2           X X              original       1248.57       TO          TO          TO
                                      most abstract  37.93         TO          TO          TO
IKEv2-mac            X X              original       2.78          TO          TO          TO
                                      most abstract  0.89          5830.38     TO          TO
IKEv2-mactosig       X X              original       0.24          1056.31     TO          TO
                                      most abstract  0.12          149.19      TO          TO
IKEv2-sigtomac       X X              original       2.52          16710.31    TO          TO
                                      most abstract  0.10          155.63      TO          TO
ISO/IEC 9798-2-5     X                original       20.05         TO          TO          TO
                                      most abstract  0.52          4064.93     0.18        0.17
ISO/IEC 9798-2-6     X                original       1639.32       TO          TO          TO
                                      most abstract  703.55        TO          TO          TO
ISO/IEC 9798-3-7-1   X X              original       1.21          4495.43     TO          TO
                                      most abstract  1973.78       TO          TO          TO
ISO/IEC 9798-3-7-2   X X              original       29.95         TO          TO          TO
                                      most abstract  TO            TO          TO          TO
Kerb-basic           X                original       0.30          0.29        22473.21    TO
                                      most abstract  0.18          0.18        TO          TO
TLS-auth             X                original       0.10          60.02       TO          TO
                                      most abstract  0.08          39.42       TO          TO
TLS-sec              X                original       0.07          8.63        15551.63    TO
                                      most abstract  0.05          0.51        369.57      TO

Table 3. Experimental verification results for CL-Atse. The time is in seconds; for each protocol, the first row is the original model and the second row the most abstract level.


protocol/prop./#sessions  S A W N          2          3          4          5
-----------------------------------------------------------------------------
IKEv1-pk2-a               X X          36.28   27745.29         TO         TO
                                       59.10         TO         TO         TO
IKEv1-pk-a2               X X           4.28     849.46         TO         TO
                                       12.09    9192.14         TO         TO
IKEv2-eap                 X X        8920.57         TO         TO         TO
                                       10.07    8942.94         TO         TO
IKEv2-eap2                X X        5407.00         TO         TO         TO
                                       46.14         TO         TO         TO
IKEv2-mac                 X X          18.59   22547.87         TO         TO
                                       11.19   16139.98         TO         TO
IKEv2-mactosig            X X          22.08   15561.69         TO         TO
                                        9.27   10605.58   11782.39         TO
IKEv2-sigtomac            X X          18.58   13617.91         TO         TO
                                       12.36   12408.54         TO         TO
ISO/IEC 9798-2-5          X           805.64         TO         TO         TO
                                        3.61       3.43       3.85       3.59
ISO/IEC 9798-2-6          X          7232.17         TO         TO         TO
                                      144.06         TO         TO         TO
ISO/IEC 9798-3-6-1        X X       17941.80         TO         TO         TO
                                       27.92   18019.32         TO         TO
ISO/IEC 9798-3-6-2        X X             TO         TO         TO         TO
                                       12.97    3673.20         TO         TO
ISO/IEC 9798-3-7-1        X X             TO         TO         TO         TO
                                       50.52         TO         TO         TO
ISO/IEC 9798-3-7-2        X X             TO         TO         TO         TO
                                       11.61    4010.64         TO         TO
Kerb-basic                X            20.63         TO         TO         TO
                                        8.07   28699.72         TO         TO
TLS-auth                  X             9.12    6002.38         TO         TO
                                        8.88    3549.25         TO         TO
TLS-sec                   X             0.27      13.62    1304.21         TO
                                        0.15       1.97      59.87         TO

Table 4. Experimental verification results for OFMC. The time is in seconds.


number of sessions        S A W N          3          4          5         10
-----------------------------------------------------------------------------
ISO/IEC 9798-2-5          X             0.44       0.42       0.45       0.50
                                        0.58       0.64       0.90       3.70
ISO/IEC 9798-2-6          X             0.45       0.46       0.48       0.50
                                       35.36     247.67    2155.28   23740.06
ISO/IEC 9798-3-7-1        X X           0.46       0.47       0.48       0.53
                                        0.78       0.95       1.31       8.17
ISO/IEC 9798-3-7-2        X X           0.47       0.47       0.64       0.60
                                        2.64       5.83      11.61     121.17
Kerb-basic                X           100.88     107.66         ME         TO
                                        3.32       3.46      51.15   23396.15
TLS-auth                  X           163.51    4464.73         TO         TO
                                        1.52       1.90       2.65      20.74
TLS-sec                   X           148.21    4002.34         TO         TO
                                        1.71       1.90       2.30       8.85

Table 5. Experimental verification results for SATMC. The time is in seconds.

protocol/prop./#threads   S A W N          ∞
--------------------------------------------
IKEv1-pk2-a               X X          43.53
                                       15.11
IKEv1-pk-a2               ?             1.84
                                         0.3
IKEv2-eap                 X X          22.27
                                        4.22
IKEv2-mactosig            X X           4.57
                                        0.91
ISO/IEC 9798-2-5          X             0.09
                                        0.06
ISO/IEC 9798-3-7-1        X             0.13
                                        0.08

Table 6. Experimental verification results for ProVerif. The time is in seconds. The ? indicates that ProVerif verifies the property for one role and cannot prove it for the other.
