    

A Metanotation for Protocol Analysis
by Dr. Patrick Lincoln, I. Cervesato, N.A. Durgin, J.C. Mitchell & A. Scedrov.
Abstract
Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the "DolevYao model." In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the way that existential quantification provides a succinct way of choosing new values, such as new keys or nonces. We define a class of theories in this formalism that correspond to finitelength protocols, with a bounded initialization phase but allowing unboundedly many instances of each protocol role (e.g., client, server, initiator, or responder). Undecidability is proved for a restricted class of these protocols, and PSPACEcompleteness is claimed for a class further restricted to have no new data (nonces). Since it is a fragment of linear logic, we can use our notation directly as input to linear logic tools, allowing us to do proof search for attacks with relatively little programming effort, and to formally verify protocol transformations and optimizations.
Files


