
Deciding a Fragment of \((\alpha , \beta )\)-Privacy

Conference paper, in: Security and Trust Management (STM 2021)

Abstract

We show how to automate fragments of the logical framework \((\alpha , \beta )\)-privacy which provides an alternative to bisimilarity-based and trace-based definitions of privacy goals for security protocols. We consider the so-called message-analysis problem, which is at the core of \((\alpha , \beta )\)-privacy: given a set of concrete messages and their structure, which models can the intruder rule out? While in general this problem is undecidable, we give a decision procedure for a standard class of algebraic theories.


Notes

  1. We use the pronoun “they” for gender-neutral expression.

  2. For some destructors, e.g., opening a pair, one does not need a key; for uniformity one could use here a fixed public constant as a dummy value, but slightly abusing notation, we just omit the key argument in such a case.


Acknowledgments

Thanks to Luca Viganò and Sébastien Gondron for useful comments. This work has been supported by the EU H2020-SU-ICT-03-2018 Project No. 830929 CyberSec4Europe (cybersec4europe.eu).

Author information

Corresponding author: Laouen Fernet.

A Proofs

Theorem 1

(Correctness of \( composeUnder \)). Let \(\theta \) be a substitution, \( struct \) be a frame and \(t \in \mathcal {T}_\varSigma (\mathcal {V})\). Then

  1.

    \(\forall (r, \sigma ) \in composeUnder (\theta , struct , t), \sigma ( struct \{\!|\, r \,|\!\}) = \sigma (t)\).

  2.

    \(\forall r \in \mathcal {R}^c, \exists \tau , \tau ( struct \{\!|\, r \,|\!\}) = \tau (t) \implies \)

    \((\exists \sigma , (r, \sigma ) \in composeUnder (\theta , struct , t) \text { and } \tau \models \sigma )\).

Proof

(Sketch).

  1.

    The idea is to proceed by induction on the structure of \(t\). For the pairs found by comparing with labels or composing a variable, the property holds trivially. For the additional pairs found with terms \(f(t_1, \dots , t_n)\) composed with a public function, the point is that the pairs returned for the arguments are correct by induction. The property is then verified for composing \(t\) because it reduces to mapping the unifiers returned to all arguments.

  2.

    The idea is to proceed by induction on the structure of \(r \in \mathcal {R}^c\). For a label, there is a pair \((r, \varepsilon )\) returned so the property holds. For a recipe that is a composition, i.e., \(r = f(r_1, \dots , r_n)\) for some \(f\) and some \(r_1, \dots , r_n \in \mathcal {R}^c\), the point is that the recipes are paired with MGUs by induction. The property is then verified for \(r\) because a substitution \(\tau \) such that \(\tau ( struct \{\!|\, r \,|\!\}) = \tau (t)\) also unifies the arguments inside the function application, so the algorithm can compute an MGU from the results of the recursive calls.    \(\square \)

Theorem 2

(Correctness of \( analyze \)). Let \(\theta \) be a substitution, \( struct \) be a frame and \(( struct _ ana , \sigma , Ex ) = analyze (\theta , struct )\). Then

  1.

    \(\forall r \in \mathcal {R}, struct _ ana \{\!|\, r \,|\!\} \approx \sigma ( struct \{\!|\, r \,|\!\})\).

  2.

    \(\forall r \in \mathcal {R}, \exists r' \in \mathcal {R}^c_{ struct _ ana }, struct _ ana \{\!|\, r' \,|\!\} \approx \sigma ( struct \{\!|\, r \,|\!\})\).

  3.

    \(\forall \theta ' \in \varTheta , \theta '( struct ) \sim \theta ( struct ) \implies \theta ' \models \sigma \wedge \bigwedge _{\sigma ' \in Ex } \lnot \sigma '\).

  4.

    \(\forall \theta ' \in \varTheta , \theta ' \models \sigma \implies \)

    \( (\theta '( struct ) \sim \theta ( struct ) \iff \theta '( struct _ ana ) \sim \theta ( struct _ ana ))\)

Proof

  1.

    When analyzing \(\mathsf {l}\mapsto \mathsf {constr}(t_1, \dots , t_n)\), the frame is augmented with mappings of the form \(\mathsf {destr}(r, \mathsf {l}) \mapsto t_i\) following the destructor theory. Thus, the “labels” added are recipes over the domain of \( struct \). These shorthands are correct when applying \(\sigma \), which is required to compose the keys for decryption steps. The frame \( struct _ ana \) is the frame \(\sigma ( struct )\) with shorthands.

  2.

    We proceed by induction on the structure of \(r\). We consider the occurrence of a destructor \(\mathsf {destr}\) such that no subrecipe for the arguments of \(\mathsf {destr}\) contains destructors.

    • If the destructor is applied to a label and the decryption is successful, then a shorthand \(\mathsf {m} = \mathsf {destr}(r_k, \mathsf {l}) \mapsto t'\) has been added in the frame, i.e., \(\sigma ( struct \{\!|\, \mathsf {m} \,|\!\}) \approx t'\), where \(r_k\) is some recipe for the key \(k\) such that \(\mathsf {destr}(k, t) = t' \in E\).

    • If the destructor is applied to a constructor, i.e., for some \(r_k, r_1, \dots , r_n\), \(r=\mathsf {destr}(r_k, \mathsf {constr}(r_1, \dots , r_n))\), and the decryption is successful, then the recipe can be simplified to one of the \(r_i\) yielding the same term.

    • If the decryption is not successful, then we can replace the application of \(\mathsf {destr}\) by the constant \(\mathsf {error}\), which represents failed decryption.

    We have covered all cases since the subrecipes do not contain destructors. By induction, we can replace all occurrences of destructors in the recipe, i.e., we can define a constructive recipe \(r'\) which is the same as \(r\) except that all occurrences of destructors have been replaced by the methods listed above.

  3.

    We first show that the intruder can exclude all models that are not instances of \(\sigma \). The substitution \(\sigma \) has been built from unification of some \(\sigma _i\) in successful analysis steps, i.e., where \((r_i,\sigma _i)\in composeUnder (\theta , struct ,k)\) was a possibility to compose a decryption key \(k\), and \(r_i\in compose (\theta ( struct ),\theta (k))\) is also a recipe for the corresponding key \(\theta (k)\) in \(\theta ( struct )\). It suffices to show that \(\theta '\models \sigma _i\) for all \(\sigma _i\). From Theorem 1 it follows that \(\sigma _i\) is the MGU under which \(k\) can be derived in \(\theta \), i.e., \(\theta '( struct \{\!|\, r_i \,|\!\})\not \approx \theta '(k)\) for any \(\theta '\) that is not an instance of \(\sigma _i\). Since the intruder can see that \(r_i\) produces the correct decryption key in \(\theta ( struct )\), all models that are not consistent with \(\sigma _i\) can be excluded.

    We next show that all models that are instances of a substitution \(\sigma '\in Ex\) can be excluded by the intruder as well. The substitution \(\sigma '\) has been found during analysis of some mapping \(\mathsf {l}\mapsto t\) where the key \(k\) can be composed in the current \( struct \) under some unifier but \(\theta (k)\) cannot be composed in \(\theta ( struct )\). There exists \((r_k, \sigma ') \in composeUnder (\theta , struct , k)\) for some recipe \(r_k\). There is a destructor \(\mathsf {destr}\) for the decryption under consideration. We define the recipe \(r = \mathsf {destr}(r_k, \mathsf {l})\) for this decryption step. The decryption fails in \(\theta ( struct )\), so \(\theta ( struct \{\!|\, r \,|\!\}) \approx \theta ( struct \{\!|\, \mathsf {error} \,|\!\})\). Since \(\theta '( struct ) \sim \theta ( struct )\), we also have that \(\theta '( struct \{\!|\, r \,|\!\}) \approx \theta '( struct \{\!|\, \mathsf {error} \,|\!\})\). However, the decryption is successful in \( struct \), so \(\sigma '( struct \{\!|\, r \,|\!\}) \not \approx \sigma '( struct \{\!|\, \mathsf {error} \,|\!\})\). Therefore, \(\theta '\) is not an instance of \(\sigma '\), because if it were there would be a pair of recipes, namely \((r, \mathsf {error})\), to distinguish the frames.

  4.

    Let \(\theta ' \in \varTheta \) such that \(\theta ' \models \sigma \). Using property 1. and the fact that \(\theta ' \models \sigma \), we have that for any recipe \(r\), \(\theta '( struct _ ana \{\!|\, r \,|\!\}) \approx \theta '( struct \{\!|\, r \,|\!\})\). This also holds in particular for \(\theta \). Therefore, \(\theta '( struct ) \sim \theta ( struct )\) if and only if \(\theta '( struct _ ana ) \sim \theta ( struct _ ana )\), because any pair of recipes distinguishing \(\theta '( struct )\) and \(\theta ( struct )\) would also distinguish the analyzed frames, and vice versa.    \(\square \)

Theorem 3

(Termination of \( analyze \)). Let \(\theta \) be a substitution and \( struct \) be a frame. Then the call \( analyze (\theta , struct )\) terminates.

Proof

By definition, \( analyze \) calls \( analyzeRec \), so what we really want to show is that the call to \( analyzeRec \) terminates. We now consider that the frame \( struct \) has been split into three frames \(N, H, D\) and denote with \(\sigma \) and \( Ex \) the unifier and the set of substitutions passed as arguments to \( analyzeRec \), respectively. The size of a term \(t \in \mathcal {T}_\varSigma (\mathcal {V})\) is defined as 1 for a variable and \( size (f(t_1, \dots , t_n)) = 1 + \sum _{i = 1}^n size (t_i)\) for a function application. We abuse the notation and write \( size (N \cup H)\) to mean the sum of the size of all terms in \(N \cup H\). We consider the tuple \(( size (N \cup H), \#N)\). When analyzing the mapping \(\mathsf {l}\mapsto t \in N\):

  • If the decryption of \(t\) fails, \(\mathsf {l}\mapsto t\) is removed from \(N\) and put in \(H\). Then \( size (N \cup H)\) stays the same but \(\#N\) has decreased by 1.

  • If the decryption of \(t\) succeeds, \(\mathsf {l}\mapsto t\) is removed from \(N\) and put in \(D\). The new terms from the analysis and the terms that were on hold are put in \(N\). Then \( size (N \cup H)\) has decreased by at least 1 (\(t\) is not present anymore but some of its subterms might be).

The lexicographic order on \((\mathbb {N}, \le ) \times (\mathbb {N}, \le )\) forms a well-order and the sequence of tuples for the recursive calls is a strictly decreasing sequence bounded by \((0, 0)\), so such a sequence is finite and the call terminates.    \(\square \)
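The N / H / D analysis loop described in the proofs of Theorems 2 and 3, as an added example in Python that is not part of the paper: it runs a simplified ground-term version (no variables, hence no unification, and a small constructed destructor theory of symmetric encryption and pairs), builds the shorthand recipes \(\mathsf {destr}(r_k, \mathsf {l}) \mapsto t_i\), and records the measure \(( size (N \cup H), \#N)\) before each step so the strict descent can be checked.

```python
from typing import Dict, List, Optional, Tuple, Union

Term = Union[str, tuple]    # atom such as 'k', or application ('scrypt', key, msg)
Recipe = Union[str, tuple]  # label 'l1', or application ('dscrypt', key_recipe, 'l1')
# Constructed destructor theory (an assumption of this example, not the paper's):
# constructor -> (does it need a key?, destructor name for each payload argument)
THEORY = {
    'scrypt': (True, ['dscrypt']),          # dscrypt(k, scrypt(k, m)) = m
    'pair':   (False, ['proj1', 'proj2']),  # proj_i(pair(t1, t2)) = t_i, no key
}
PUBLIC = {'scrypt', 'pair'}  # constructors the intruder may apply

def size(t: Term) -> int:
    """Term size from the termination proof: 1 for an atom, 1 + size of arguments."""
    return 1 if isinstance(t, str) else 1 + sum(size(a) for a in t[1:])

def compose(frame: Dict[Recipe, Term], t: Term) -> Optional[Recipe]:
    """Ground compose: a recipe for t from labels and public constructors, or None."""
    for r, u in frame.items():
        if u == t:
            return r
    if isinstance(t, tuple) and t[0] in PUBLIC:
        args = [compose(frame, a) for a in t[1:]]
        if all(a is not None for a in args):
            return (t[0], *args)
    return None

def analyze(struct: Dict[str, Term]):
    """Ground analysis loop with the N / H / D split. Returns the analyzed frame
    (with shorthand recipes) and the (size(N ∪ H), #N) measure before each step."""
    N: List[Tuple[Recipe, Term]] = list(struct.items())  # still to analyze
    H: List[Tuple[Recipe, Term]] = []                     # on hold: key not derivable yet
    D: Dict[Recipe, Term] = {}                            # done
    measures = []
    while N:
        measures.append((sum(size(t) for _, t in N + H), len(N)))
        label, t = N.pop(0)
        if isinstance(t, str) or t[0] not in THEORY:
            D[label] = t  # nothing to decrypt (assumption: such terms go straight to D)
            continue
        needs_key, destrs = THEORY[t[0]]
        current = {**D, **dict(N), **dict(H), label: t}  # the whole current frame
        r_key = compose(current, t[1]) if needs_key else None
        if needs_key and r_key is None:
            H.append((label, t))  # decryption fails for now: l -> t moves to H
            continue
        D[label] = t              # decryption succeeds: l -> t moves to D
        payload = t[2:] if needs_key else t[1:]
        for d, sub in zip(destrs, payload):
            shorthand = (d, r_key, label) if needs_key else (d, label)
            N.append((shorthand, sub))  # destr(r_key, l) -> t_i joins N
        N.extend(H)               # the new key may unlock the terms on hold
        H = []
    return {**D, **dict(H)}, measures

# Constructed sample frame: the key k is only reachable through the pair under l2.
FRAME: Dict[str, Term] = {'l1': ('scrypt', 'k', 'secret'),
                          'l2': ('pair', 'k', 'n'), 'l3': ('scrypt', 'k2', 'm')}
```

On FRAME, l1 is first put on hold, unlocked once proj1(l2) yields k, and decrypted via the shorthand dscrypt(proj1(l2), l1); l3 stays on hold because k2 is never derivable.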

Theorem 4

(Correctness of \( findRelations \)). Let \((\alpha , \beta )\) be a message-analysis problem, where \( struct = \{\!|\, \mathsf {l}_1 \mapsto t_1, \dots , \mathsf {l}_k \mapsto t_k \,|\!\}\) for some \(t_1, \dots , t_k \in \mathcal {T}_\varSigma ( fv (\alpha ))\) and \( concr = \theta ( struct )\) for some \(\theta \in \varTheta \). Let \(\phi \equiv findRelations (\theta , struct )\). Then

$$(\alpha , \beta )\text {-privacy holds} \iff \forall \theta ' \in \varTheta , \theta ' \models \phi $$

Proof

Let \(( struct _ ana , \sigma , Ex ) = analyze (\theta , struct )\). First, recall that we have \((\alpha , \beta )\)-privacy holds \(\iff \forall \theta ' \in \varTheta , \theta '( struct ) \sim \theta ( struct )\). We show that \(\forall \theta ' \in \varTheta , \theta '( struct ) \sim \theta ( struct ) \iff \theta ' \models \phi \). The models that are not instances of \(\sigma \) can already be excluded and violate the privacy of \(\alpha \) because \(\phi \models \sigma \). We now consider \(\theta ' \in \varTheta \) such that \(\theta ' \models \sigma \).

  • If \(\theta '( struct ) \not \sim \theta ( struct )\): then \(\theta '( struct _ ana ) \not \sim \theta ( struct _ ana )\) from Theorem 2, so there exists a pair of recipes \((r_1, r_2)\) that distinguishes the frames. From Theorem 2, we can assume without loss of generality that \(r_1, r_2\) are constructive. Moreover, either one of the recipes is a label (or from a shorthand) or both recipes have the same constructor at the top level and one pair of the recipes for the arguments distinguishes the frames. So we can further assume that \(r_1\) is a label (or from a shorthand). This justifies the fact that \( findRelations \) will perform a check for this pair of recipes.

    • If \(\theta '( struct _ ana \{\!|\, r_1 \,|\!\}) \not \approx \theta '( struct _ ana \{\!|\, r_2 \,|\!\})\) and for the concrete observation \(\theta ( struct _ ana \{\!|\, r_1 \,|\!\}) \approx \theta ( struct _ ana \{\!|\, r_2 \,|\!\})\): then \(\theta '\) cannot be an instance of the substitution \(\sigma \) unifying, among others, the following equation: \( struct _ ana \{\!|\, r_1 \,|\!\} = struct _ ana \{\!|\, r_2 \,|\!\}\). The algorithm returns \(\phi \) such that \(\phi \models \sigma \), so \(\theta ' \not \models \phi \).

    • If \(\theta '( struct _ ana \{\!|\, r_1 \,|\!\}) \approx \theta '( struct _ ana \{\!|\, r_2 \,|\!\})\) and for the concrete observation \(\theta ( struct _ ana \{\!|\, r_1 \,|\!\}) \not \approx \theta ( struct _ ana \{\!|\, r_2 \,|\!\})\): then \(\theta '\) is an instance of some substitution \(\sigma '\) found when checking inequations. The algorithm returns \(\phi \) such that \(\phi \models \lnot \sigma '\), so \(\theta ' \not \models \phi \).

  • If \(\theta '( struct ) \sim \theta ( struct )\): then \(\theta '( struct _ ana ) \sim \theta ( struct _ ana )\) from Theorem 2. For every \(t \in \mathcal {T}_\varSigma \) and \((r_1, r_2) \in pairsEcs ( compose (\theta ( struct _ ana ), t))\), we have by definition of \( compose \) that \(\theta ( struct _ ana \{\!|\, r_1 \,|\!\}) \approx \theta ( struct _ ana \{\!|\, r_2 \,|\!\})\). Since \(\theta '( struct _ ana ) \sim \theta ( struct _ ana )\), then \(\theta '( struct _ ana \{\!|\, r_1 \,|\!\}) \approx \theta '( struct _ ana \{\!|\, r_2 \,|\!\})\). Therefore, \(\theta ' \models \sigma \), where \(\sigma \) unifies all equations found from calling \( compose \) on terms in \(\theta ( struct _ ana )\).

    Let \( ineqs \) be the union of the set of substitutions \( Ex \) found during analysis and the substitutions found by the \( findRelations \) algorithm. If \(\theta '\) were an instance of some \(\sigma ' \in ineqs \), then \(\theta '( struct _ ana ) \not \sim \theta ( struct _ ana )\) and thus \(\theta '( struct ) \not \sim \theta ( struct )\) following Theorem 2. This would contradict the assumption, so \(\theta ' \models \lnot \sigma '\). Therefore, \(\theta ' \models \sigma \wedge \bigwedge _{\sigma ' \in ineqs } \lnot \sigma '\), which is exactly \(\theta ' \models \phi \).    \(\square \)


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Fernet, L., Mödersheim, S. (2021). Deciding a Fragment of \((\alpha , \beta )\)-Privacy. In: Roman, R., Zhou, J. (eds) Security and Trust Management. STM 2021. Lecture Notes in Computer Science, vol 13075. Springer, Cham. https://doi.org/10.1007/978-3-030-91859-0_7


  • DOI: https://doi.org/10.1007/978-3-030-91859-0_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91858-3

  • Online ISBN: 978-3-030-91859-0
