Deducibility Constraints, Equational Theory and Electronic Money [chapter]

Sergiu Bursuc, Hubert Comon-Lundh, Stéphanie Delaune
Lecture Notes in Computer Science  
The starting point of this work is a case study (from France Télécom) of an electronic purse protocol. The goal was to prove that the protocol is secure or that there is an attack. Modeling the protocol requires algebraic properties of a fragment of arithmetic, typically containing modular exponentiation. The usual equational theories described in papers on security protocols are too weak: the protocol cannot even be executed in these models. We consider here an equational theory which is ... ul enough for the protocol to be executed, and for which unification is still decidable. Our main result is the decidability of the so-called intruder deduction problem, i.e. security in the presence of a passive attacker, taking the algebraic properties into account. Our equational theory is a combination of several equational theories over non-disjoint signatures.
doi:10.1007/978-3-540-73147-4_10 fatcat:siochmxjibgy7cr3xfzk562h2q