Protocol insecurity with a finite number of sessions and composed keys is NP-complete

Michaël Rusinowitch, Mathieu Turuani
2003 Theoretical Computer Science  
We investigate the complexity of the protocol insecurity problem for a finite number of sessions (fixed number of interleaved runs). We show that this problem is NP-complete with respect to a Dolev-Yao model of intruders. The result does not assume a limit on the size of messages and supports non-atomic symmetric encryption keys. We also prove that in order to build an attack with a fixed number of sessions the intruder needs only to forge messages of linear size, provided that they are ... as dags.

(M. Rusinowitch), turuani@loria.fr (M. Turuani). 0304-3975/03/$ - see front matter © 2002 Elsevier Science B.V. All rights reserved. PII: S0304-3975(02)00490-5

Names and messages

The messages exchanged during the protocol execution are built using pairing $;$ and encryption operators $\{\ \}^s$, $\{\ \}^p$. We add a superscript to distinguish between public key ($p$) and symmetric key ($s$) encryptions. The set of basic messages is finite and denoted by Atoms. It contains names for principals and atomic keys from the set Keys. Since we have a finite number of sessions we also assume any nonce is a basic message: we consider that it has been created before the session and belongs to the initial knowledge of the principal that generates it. Any message can be used as a key for symmetric encryption. Only elements from Keys are used for public key encryption. Given a public key (resp. private key) $k$, $k^{-1}$ denotes the associated private key (resp. public key) and it is an element of Keys. Given a symmetric key $k$ then, $k^{-1}$ will denote the same key. The messages are then generated by the following (tree) grammar:

$$msg ::= Atoms \mid msg ; msg \mid \{msg\}^p_{Keys} \mid \{msg\}^s_{msg}$$

For conciseness we denote by $m_1; m_2; \ldots; m_n$ the set of messages $\{m_1, m_2, \ldots, m_n\}$. Given two sets of messages $M$ and $M'$ we denote by $M; M'$ the union of their elements and given a set of messages $M$ and a message $t$, we denote by $M; t$ the set $M \cup \{t\}$.
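The message grammar above, together with the Dolev-Yao intruder named in the abstract, as an added Python example that is not code from the paper: it builds terms of the grammar (pairing, symmetric encryption under a composed key, public-key encryption restricted to Keys), closes an intruder's knowledge under the standard Dolev-Yao composition and decomposition rules (those rules are an assumption of this example; the paper's own rule set is not reproduced on this page), and measures one term's size as a tree versus as a dag, which is the representation the abstract's linear-size bound refers to. All names, keys and observed messages are constructed.

```python
"""Message algebra of the "Names and messages" section with a Dolev-Yao
derivability check and tree-vs-DAG size measures.  Added example, not the
paper's code: the intruder rules and every name and key are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Atom:          # element of Atoms: principal names, nonces, atomic keys
    name: str

@dataclass(frozen=True)
class Pair:          # m1 ; m2
    left: object
    right: object

@dataclass(frozen=True)
class SymEnc:        # {body}^s_key : key may be ANY message (composed keys)
    body: object
    key: object

@dataclass(frozen=True)
class PubEnc:        # {body}^p_key : key must be an element of Keys
    body: object
    key: Atom

# Constructed key set (assumption): two public/private pairs, one symmetric key.
KEYS = {"ka", "ka_inv", "kb", "kb_inv", "kab"}
_PARTNER = {"ka": "ka_inv", "ka_inv": "ka", "kb": "kb_inv", "kb_inv": "kb"}

def pub_key_allowed(k) -> bool:
    """Grammar restriction: only elements of Keys are public-key encryption keys."""
    return isinstance(k, Atom) and k.name in KEYS

def inverse(k: Atom) -> Atom:
    """k^{-1}: partner of an asymmetric key, the key itself for a symmetric one."""
    return Atom(_PARTNER.get(k.name, k.name))

def synthesizable(m, known) -> bool:
    """Composition: can m be built from `known` by pairing and encrypting?"""
    if m in known:
        return True
    if isinstance(m, Pair):
        return synthesizable(m.left, known) and synthesizable(m.right, known)
    if isinstance(m, (SymEnc, PubEnc)):
        return synthesizable(m.body, known) and synthesizable(m.key, known)
    return False

def analyze(knowledge) -> frozenset:
    """Decomposition to a fixpoint: split pairs; open {m}^s_k once k can be
    synthesized (this is where composed keys matter); open {m}^p_k once k^{-1} is known."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for m in list(known):
            if isinstance(m, Pair):
                parts = {m.left, m.right}
            elif isinstance(m, SymEnc) and synthesizable(m.key, known):
                parts = {m.body}
            elif isinstance(m, PubEnc) and synthesizable(inverse(m.key), known):
                parts = {m.body}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return frozenset(known)

def derivable(knowledge, goal) -> bool:
    return synthesizable(goal, analyze(knowledge))

def subterms(m):
    yield m
    if isinstance(m, Pair):
        yield from subterms(m.left); yield from subterms(m.right)
    elif isinstance(m, (SymEnc, PubEnc)):
        yield from subterms(m.body); yield from subterms(m.key)

def sizes(m) -> tuple:
    """(tree size, dag size): the dag stores each distinct subterm only once."""
    all_nodes = list(subterms(m))
    return len(all_nodes), len(set(all_nodes))

# Constructed scenario (assumption): names a, b; nonces n1, n2; payloads s1..s3.
A, B, N1, N2 = Atom("a"), Atom("b"), Atom("n1"), Atom("n2")
S1, S2, S3, KA, KB, KB_INV = (Atom(n) for n in ("s1", "s2", "s3", "ka", "kb", "kb_inv"))

def demo() -> dict:
    assert pub_key_allowed(KA) and pub_key_allowed(KB)
    observed = [
        Pair(A, N1), Pair(B, N2),       # nonces seen in clear, in separate messages
        SymEnc(S1, Pair(N1, N2)),       # payload under the composed key n1;n2
        PubEnc(S2, KA),                 # payload under a's public key
        PubEnc(S3, KB), KB_INV,         # payload under b's public key, b's private key leaked
    ]
    x = Pair(A, B)
    t = Pair(Pair(x, x), Pair(x, x))    # heavy sharing: tree size 15, dag size 5
    return {
        "s1_under_composed_key": derivable(observed, S1),   # True
        "s2_under_ka": derivable(observed, S2),             # False: ka^{-1} unknown
        "s3_under_kb": derivable(observed, S3),             # True: kb^{-1} known
        "sizes": sizes(t),
    }
```

The decomposition loop re-checks every known ciphertext after each new fact, so a key that is only assembled from several later-learned parts (here n1;n2) still opens its ciphertext; that fixpoint is what makes composed keys cost no more than atomic ones in this model.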
doi:10.1016/s0304-3975(02)00490-5 fatcat:tfob6dmzevfypogzneix5247tq