Secrecy for bounded security protocols with freshness check is NEXPTIME-complete*

Abstract: The secrecy problem for security protocols is the problem to decide whether or not a given security protocol has leaky runs. In this paper, the (initial) secrecy problem for bounded protocols with freshness check is shown to be NEXPTIME-complete. Relating the formalism in this paper to the multiset rewriting (MSR) formalism we obtain that the initial secrecy problem for protocols in restricted form, with bounded length messages, bounded existentials, with or without disequality tests, and an intruder with no e… Show more

“…In [7] was proved that the initial secrecy problem for non-well-founded protocols, with bounded length messages, unbounded number of protocol sessions, bounded existentials, disequality tests, and an intruder with existentials is undecidable. In what follows, we will prove that the open left open in [2] is undecidable, by exhibiting a reduction from the halting problem for deterministic Turing machines.…”

“…Second, in the construction above, the main idea for which we obtain a well-founded protocol theory in restricted form is to send the encoding of Turing machine's configuration and the terms used in the uniqueness checking process, by the network predicates. In this way, we avoid using a predicate L as in [7] and thus no persistent fact are needed. Third, to simulate a transition t of M , we included two role theories in P M,w : for example R A (t) = {a t 1 , a t 2 }, trough which the current configuration of M is received and the new configuration is send, and R B (t) = {b t 1 }, which is iterated in the uniqueness checking process without violating the well-foundedness and restrictedness.…”

“…The main idea of the construction from the Theorem 3.1 is from [7], but some essential differences are present in the construction above. First, we encode the configuration of M using short-term keys and not nonces what allows to define a new list of short-term keys for any computation step from M .…”

“…The NP-completeness of the initial secrecy problem for security protocols under bounded number of sessions, unbounded message length, was obtained in [6]. In [7] was shown that the secrecy problem for bounded security protocols with freshness check is NEXPTIME-complete. In [2], under MSR formalism, the initial secrecy problem for protocols in restricted form, with bounded length messages, unbounded number of protocol sessions, bounded existentials, disequality tests and an intruder with existentials, was left open.…”

Secrecy for Bounded Security Protocols: Disequality Tests and an Intruder with Existentials Lead to Undecidability

“…In [7] was proved that the initial secrecy problem for non-well-founded protocols, with bounded length messages, unbounded number of protocol sessions, bounded existentials, disequality tests, and an intruder with existentials is undecidable. In what follows, we will prove that the open left open in [2] is undecidable, by exhibiting a reduction from the halting problem for deterministic Turing machines.…”

“…Second, in the construction above, the main idea for which we obtain a well-founded protocol theory in restricted form is to send the encoding of Turing machine's configuration and the terms used in the uniqueness checking process, by the network predicates. In this way, we avoid using a predicate L as in [7] and thus no persistent fact are needed. Third, to simulate a transition t of M , we included two role theories in P M,w : for example R A (t) = {a t 1 , a t 2 }, trough which the current configuration of M is received and the new configuration is send, and R B (t) = {b t 1 }, which is iterated in the uniqueness checking process without violating the well-foundedness and restrictedness.…”

“…The main idea of the construction from the Theorem 3.1 is from [7], but some essential differences are present in the construction above. First, we encode the configuration of M using short-term keys and not nonces what allows to define a new list of short-term keys for any computation step from M .…”

“…The NP-completeness of the initial secrecy problem for security protocols under bounded number of sessions, unbounded message length, was obtained in [6]. In [7] was shown that the secrecy problem for bounded security protocols with freshness check is NEXPTIME-complete. In [2], under MSR formalism, the initial secrecy problem for protocols in restricted form, with bounded length messages, unbounded number of protocol sessions, bounded existentials, disequality tests and an intruder with existentials, was left open.…”

Secrecy for Bounded Security Protocols: Disequality Tests and an Intruder with Existentials Lead to Undecidability

“…In [7][1] several complexity results for (I)SP for bounded security protocols has been obtained. Thus, in [7] [1] was shown that (I)SP for bounded security protocols with freshness check is NEXPTIME-complete, and additionally in [1] was shown NPcompleteness of (I)SP for bounded security protocols with or without freshness check under bounded number of sessions.…”

Secrecy for Bounded Security Protocols without Freshness Check

Complexity of Anonymity for Security Protocols