A Formal Theory of Key Conjuring eronique Cortier LORI - PDF document

ruleswhichintroducefreshnonces.AprecisecomparisoncanbefoundinSection6.5.Intherestofthepaper,werstexplainthepurposeandoperationofsecurityAPIs,anddeneourformalismfordescribingthem(Section2).Wethenproposeatransfor-mationforkeyconjuringinSection3.InSection4,weex-plainthesecurityproblemweareinterestedin,anddenearestrictedclassofAPIs,arguingthattheserestrictionsarequitenatural.InSection5weshowthatcertainclassesofkeyconjuringoperationsareofnousetotheintruder,andneednotbeconsideredinaformalmodel.Wethenshow(Section6)thatsecurityforourclassofAPIsisdecidableinthepresenceofkeyconjuringoperations.Theclassin-cludesourmotivatingexample,thekeymanagementAPIoftheIBM4758HardwareSecurityModule,whichwasshowntobevulnerabletokeyconjuringattacksbyBondin[1].Weconclude,withadiscussionoffuturework,inSection7.Duetolackofspace,someproofsareomittedandcanbefoundin[7].2BackgroundInthissection,werstexplainwhatasecurityAPIis,beforegoingontodenetheconceptmoreformally.2.1SecurityAPIsThepurposeofasecurityapplicationprograminter-face(API)istoallowuntrustedcodetoaccesssensitiveresourcesinasecureway.Hardwaresecuritymodules(HSMs),forexample,havesecurityAPIswhichcontrolac-cesstothecryptoprocessorandmemoryinsidethemod-ule.ThisallowstheAPItomanageaccesstocryptographickeys.HSMsaredeployedinsecuritycriticalenvironmentssuchasthecashmachinenetwork,wheretheyareusedtoprotectcustomersPINsandothersensitivedata.Theytypicallyconsistofacryptoprocessorandasmallamountofmemoryinsideatamper-proofenclosure.Theyarede-signedsothatshouldanintruderopenthecasingorinsertprobes,thememorywillauto-eraseinamatterofnanosec-onds.InatypicalATMnetworkapplication,allencryp-tion,decryptionandvericationofPINstakesplaceinsidetheHSM.Manydifferentcryptographickeyswillbeusedfortheseoperations.IBM's4758CCA1API[2]partitionskeysintovarioustypes,suchasdatakeys,PINderivationkeys,importkeysandexportkeys.Eachtypehasanas-sociatedpubliccontrolvector.TheHSMstoresamasterkeyinitstamper-proofmemory.ThekeystheHSMusesforitsvariousoperations,calledworkingkeys,arestoredoutsidetheHSMencryptedunderthemasterkeyXORed 1CCAstandsfor`CommonCryptographicArchitecture',while4758isthemodelnumberoftheHSM.Seehttp://www-3.ibm.com/security/cryptocards/pcicc.shtmlagainsttheappropriatecontrolvectorforthekeytype.Forexample,adatakeywouldbeencryptedunderkmdata.2WorkingkeyscanthenonlybeusedbysendingthembackintotheHSMunderanappropriateAPIcommand.OnlyparticulartypesofkeyswillbeacceptedbytheHSMforparticularoperations.Forexample,datakeyscanbeusedtoencryptarbitrarymessages,butso-calledPINDerivationKeys(PDKs,withcontrolvectorpin)cannot.Thisiscriti-calforsecurity:acustomer'sPINisjusthisaccountnumberencryptedunderaPINderivationkey.In2001,Bonddis-coveredattacksinwhichtheintruderusesAPIcommandstochangethetypeofakey,exploitingthealgebraicproper-tiesofXOR[1].TheattackallowsaPINderivationkeytobeconvertedintoadatakey,whichcanthenbeusedtoen-cryptdata.HencetheattackallowstheintrudertogenerateaPINforanyaccountnumber.FormalworkontheCCArstconcentratedonrediscov-eringtheattacksontheoriginalversionoftheAPI[12,14],andthenonprovingbothBond'sproposedxes[9],andthexesIBMactuallyimplemented[8],tobesecure.However,theseworksmadeaninformalapproximationoftheabilityoftheintruderto`conjure'keys,atrickusedseveraltimesinBond'sattacks.Toexplainpreciselywhatkeyconjuringis,werstneedtodenesomenotation.2.2DenitionsWenowdeneour(mostlystandard)notationforreason-ingaboutAPIs,andthendenetheclassofAPIsconsideredinthispaper.Cryptographicprimitivesarerepresentedbyfunctionalsymbols.Morespecically,weconsiderasignaturewhichconsistsofaninnitenumberofconstantsincludingaspecialconstant0andthreenonconstantsymbolsf g (encryption),dec(decryption)and(XORing)ofarity2.WealsoassumeaninnitesetofvariablesX.Thesetofterms,denotedbyT(;X),isdenedinductivelybyT::=termsxvariablexjf(T1;:::;Tn)functionapplicationwherefrangesoverthefunctionsofandnmatchesthearityoff.Forinstance,thetermfmgkisintendedtorep-resentthemessagemencryptedwiththekeyk(usingsym-metricencryption)whereasthetermm1m2representsthemessagem1XORedwiththemessagem2.Thecon-stantsmayrepresentcontrolvectorsorkeysforexample.Werelyonasortsystemforterms.Termswhichrespectthissort-systemaresaidtobewell-typed.ItincludesasetofbasetypeBaseandasetofciphertexttypeCipher.Wehavevariablesandconstantsofbothtypes.Moreoverwe 2representsbitwiseXOR. KeyPartImp.1:xk1;xtype!fxk1gkmkpxtypechkOdd(xk1);chkEven(xtype)KeyPartImp.2:chkEven(xtype);y;xk2;xtype!fdec(y;kmkpxtype)xk2gkmkpxtypechkOdd(dec(y;kmkpxtype))chkEven(xk2)KeyPartImp.3:chkEven(xtype);y;xk3;xtype!fdec(y;kmkpxtype)xk3gkmxtypechkOdd(dec(y;kmkpxtype))chkEven(xk3)KeyImport:chkEven(xtype);y;xtype;z!fdec(y;dec(z;kmimp)xtype)gkmxtypechkOdd(dec(z;kmimp))chkOdd(dec(y;dec(z;kmimp)xtype))KeyExport:chkOdd(dec(z;kmexp));y;xtype;z!fdec(y;kmxtype)gdec(z;kmexp)xtypechkOdd(dec(y;kmxtype))chkEven(xtype)EncryptData:chkOdd(dec(y;kmdata));x;y!fxgdec(y;kmdata)DecryptData:chkOdd(dec(y;kmdata));x;y!dec(x;dec(y;kmdata))TranslateKey:chkEven(xtype);x;xtype;y1;y2!fdec(x;dec(y1;kmimp)xtype)gdec(y2;kmexp)xtypechkOdd(dec(y1;kmimp))chkOdd(dec(y2;kmexp))chkOdd(dec(x;dec(y1;kmimp)xtype))Figure1.IBMCCASymmetricKeyManagementTransactionSet3.1KeyConjuringAswehaveseen,keymanagementAPIsliketheCCAkeepworkingkeysoutsidetheHSM,safelyencrypted,sothattheycanonlybeusedbysendingthembackintotheHSMunderthetermsoftheAPI.Whathappenswhenanintruderwantstouseaparticularcommandinanattack,butdoesnothaveaccesstoanappropriatekey?Forex-ample,supposehehasnodatakeys(termsoftheformfd1gkmdata),butwantstousetheEnciphercommand.Inanimplicitdecryptionformalism,thecommandisdenedlikethisx;fxkeygkmdata!fxgxkeyThissuggeststhatthecommandcannotbeusediftheintruderdoesnothaveadatakey.However,inreality,anintrudercouldjustguessa64bitvalueandusethatinplaceofthedatakey.TheHSMwilldecrypttheguessedvalueunderkmdata,andchecktheparityoftheresulting64bittermtoseeifitisavalidkeybefore,encipheringthedata.Usually,thecheckwillfailandtheHSMwillrefusetoprocessthecommand,butiftheintruderguessesrandomly,hecanexpectthat1inevery256guessedvalueswillresultinavalidkey.Thisnotioniscapturedbyourformalism,inwhichwewritetheEnciphercommandlikethis:chkOdd(dec(y;kmdata));x;y!fxgdec(y;kmdata)Itmayseemuselessfortheintrudertosimplyguessval-ues,sincetheresultisatermheknowsencipheredun-deranunknownkey,butusedcleverly,thistechniquecanresultinseriousattacks.Forexample,Bond'ssocalledimport-exportattack[1],useskeyconjuringtoconvertaPINderivationkeyintoanencryptionkey,allowinganin-trudertogeneratethePINforanygivenaccountnumber.DescriptionofBond'sattack.WegiveBond'sattackinFigure2,writteninourformalism,withexplicitdecryp-tionandparitychecking.Weassumethattheattackerinitialknowledgecontainsfpdkgkmpin(aPINkeyencryptedfortransfer),thecontrolvectorspin,data,imp,exp,kp,andtheconstant0.Moreover,wemodelthefactthatcontrolvectorsareofevenparityandsecretkeyskmandpdkareofoddparitybyconsideringthecorrespondingfacts(e.g.chkEven(pin)).WewillshowhowthePINderivationkeypdkcanbeconvertedintoadatakey,whichthencanbeusedtoencryptdata.HencetheattackallowsacriminaltogenerateaPINforanyaccountnumber.Forthis,weshowthattheattackerisabletoderivefpdkgkmdata.Step1isakeyconjuringstep.TheattackerisusingtheKeyPartImport3command,usingthecontrolvec-torimp(forxtype)andthekeypart0(forxk3)butwith-outatermoftheformfmgkmkpimp.Instead,here-peatedlytriesrandomvaluesuntilsomevaluen1decryptsunderkmkpimptogiveavalidkey,i.e.atermof keyconjuringsteps,leadingtofalseattacks.Forexample,foracommandlikeKeyImport(seeExample2),anexplicitdecryptionmodelwithoutparitycheckingwouldallowanintrudertoconjurevaluesforbothyandz,whichinprac-ticeishighlyunlikely:only1inevery216pairsofvalueswillpass.Ourtransformensuresthattheintruderhastoguessvaluesforatmostoneparitycheck.3.2TransformationontheAPIrulesWeproposeatransformationallowingustomodelkeyconjuring.ThistransformationisgenericenoughtodealwithanyAPImadeupofrulessatisfyingtheconditionsgiveninDenition1.Werstintroduceasetofnonces,denotedbyN,asub-setofthesetofconstantsthatdoesnotcontainthespecialconstant0.Weassumeaninnitenumberofnoncesofbothtypes.Anoncerepresentsafreshvaluethathasbeenneverusedbefore.Rulesobtainedaftertransformationarecalledkeyconjuringrulesandhavethefollowingform:x1;:::;xnnewn!t;nchk1(u1);:::;chkk(uk)chk01(v1);[chk02(n)]Thenotation[chk02(n)]isusedtoexpressthefactthatchk02(n)isoptional.LetRl!Rr=chk1(u1);:::;chkk(uk);x1;:::;xn!tbeanAPIrule.Foreachisuchthat1ik,sinceuiisatermofBasetypenotheadedwithandwhichcontainsnoencryptionsymbol,wehavethatuiiseitheraconstant,avariableoratermoftheformdec(z;t).Inthislastcase,wecomputethekeyconjuringrulesassociatedtoRl!Rrasfollows:1.Let=fz7!ng,weconsiderthenewrule(Rlrfz;chkj(uj)gnewn!Rr[fz;chkj(uj)g)2.Moreover,wehavethatt=pMi=1yi`Mi=1ciqMi=1dec(zi;ti):forsomevariablesyi;zi,someconstantsciandsometermsti.Foreachjsuchthat1jp,welet=fyj7!ngandweconsiderthenewrule(Rlrfyj;chkj(uj)gnewn!Rr[fyj;chkj(uj)g)Moreover,wepushalsoontherighthand-sidethecheckperformedonyjifsuchacheckexists.GivenanAPIruleR,wedenotebyKeyCj(R)thesetofrulesobtainedafterapplyingthetransformationdescribedabove.ThisnotationisextendedasexpectedtosetsofAPIrules.Example3ConsidertheruleR,namelyKeyPartImport3describedbelow.y;xk3;xtype!fdec(y;kmkpxtype)xk3gkmxtypechkEven(xtype)chkEven(xk3)chkOdd(dec(y;kmkpxtype))Thepurposeofthisruleistoallowausertoaddanalkeypartxk3toapartialkeyywithcontrolvectorxtype.Af-terapplyingourtransformation,thesetKeyCj(R)containsthetworulesdescribedbelow:xk3;xtypenewn!fdec(n;kmkpxtype)xk3gkmxtypechkEven(xtype)chkOdd(dec(n;kmkpxtype))chkEven(xk3)y;xk3newn!fdec(y;kmkpn)xk3gkmnchkEven(xk3)chkOdd(dec(y;kmkpn))chkEven(n)Thisrepresentsthetwowaystheintrudercanusetheruleforkeyconjuring.Intherst,heconjuresapartiallycompletedkey(thisistheruleusedinstep1oftheBondattackinFigure2).Inthesecond,foraxedconstanty,heconjuresacontrolvectorthatwillallowytobedecryptedtoformavalidpartialkey.Notethattheconjuredcontrolvectorisofevenparity,sotheintruderlearnstwoparityfactsinthiscase.Ourtransformallowsthiskindofconjur-ingbecauseitisassumedtheintrudercansettheparityofthetermsheusesasguesses.Thevaluethatischeckedforevenparityisunderhiscontrol.Hencetheprobabilityofsuccessisthesameasfortherstconjuringvariant.Therulesobtainedbyapplyingourkeyconjuringtrans-formationontheIBMCCASymmetricKeyManagementTransactionSetisfullydescribedinAppendix(Figure3).Notethatourtransformationwillsometimesproduceruleswhichtheintrudercannotuse.Thishappenswhenthefreshnonceappearsinaparitycheckontheleft,asintherstruleforKeyImportinFigure3.Theintrudercannotusethisrule,sincehedoesnotknowanyparityinformationaboutthenewnoncebeforethecommandisused.Thiscor-respondstoacasewheretheintruderwouldhavetoguessavaluethatdecryptstogiveavalidkey,k,suchthatkalsodecryptssomeothervaluetogiveavalidkey.ForsinglelengthDESkeys,thisgivestheintrudera1in216chanceofsuccess,whichweconsiderunrealistic.However,ifthein-truderhasextendedaccesstoaliveHSMrunningtheAPI,webelieveourtransformationcouldbequitenaturallyex-tendedtothesemorecostlyoperations(seeSection7).3.3IntruderrulesWedenotebyIthethreeAPIrulesrepresentingtheca-pabilitiesoftheintruder(seeExample1).Weobservethat Notethatthisattackinvolvestwoonlinekeyconjuringsteps.Eachkeyconjuringattempthasa1in256chanceofsuccess,duetotheparitychecks.Eachtimetheadversarywantstoconjureakey,itrequiresasignicantamountofac-cesstotheAPI.Weassumeinwhatfollowsthattheuseoftheserulesbytheadversaryislimited.Thisismodelledbyintroducingaparameterkthatboundsthemaximumnum-berofapplicationsofthekeyconjuringrulesinducedbytheprotocol.ThevalueofkcouldbesetbasedontheamountoftimeanattackermayhaveaccesstoaliveHSM,basedonphysicalsecuritymeasures,auditingproceduresinplace,etc.Notehoweverthatwedonotboundthenumberofof-inekeyconjuringsinceitismucheasierforanadversarytotrynumerousvaluesoff-line.Formally,wewriteS`A2kA1;EAPIuifuisdeduciblefromSbyusingtherulesinA1andatmostkinstancesoftheruleinA2(moduloEAPI).Inthispaperwerelyonaxedequa-tionaltheory,denotedbyEAPI(seeSection2.2)andaxedsetofintruderrulesdenotedbyI+.Henceourproblemisthefollowingone:SecurityProblemEntries:AnitesetAofAPIrules,asetSofpuregroundfactsthatisconsistent(theinitialknowledgeoftheat-tacker),apuregroundterms(thesecret)andaboundk2N(numberofkeyconjuringsteps).Question:IsthesecretsdeduciblefromSbyusingtherulesinA[I+andatmostkinstancesofrulesinKeyCj(A)(moduloEAPI),i.e.doesS`KeyCj(A)kA[I+;EAPIs?4.2Well-formedAPIAPI-rulesasdenedinDenition1areslightlytoogen-eralforourdecidabilityresult.Henceweintroducefurtherassumptions,thatwebelieveareveryreasonableinprac-tice.NotethatthesehypothesesarecheckedontheAPIrulesbeforeperformingthekeyconjuringtransformation.Denition4LetS0beasetofpuregroundfactthatiscon-sistent.LetR=Rlnewn!RrbearuleandtbeatermofBasetype.WesaythattischeckedinRw.r.t.S0ifchkX(t)2SatChk(S0[Rl[Rr).Denition5LetRbearule.KeyTerm(R)arethesub-termsofRwhichappearatakeyposition.Moreformally,KeyTerm(R)=fKeyTerm(t)jt2RorchkX(t)2RgwhereKeyTerm(t)isdenedasfollows:KeyTerm(t)=fu2jdec(u1;u2)2st(t)forsomeu1g[fu2jfu1gu22st(t)forsomeu1g:WewillrestrictourattentiontoAPIssuchthatatermwhichappearsatakeypositionhastobeparitychecked.Thishypothesisisnatural,sinceitcorrespondstotheAPIdesignerbeingconsistentaboutcheckingtheparityofkeysbeforetheyareused.Example7LetV=fimp;kp;exp;pin;datag.andS0beasetthatisconsistentandwhichcontainsatleastchkEven(t)foranyt2VandchkOdd(km).TherulesgiveninFigure1aresuchthateachtermwhichappearsatakeypositionischeckedw.r.t.S0.Denition6(dec-property)LetTbeasetofterms.WesaythatThasthedec-propertyifdec(x;v1);dec(x;v2)2st(T))v1=v2:WesaythataruleRhasthedec-propertyifthesetoftermsT=ftjt2RorchkX(t)2Rgsatisesthedec-property.IntheAPIweconsider,wewillassumethatalltherulessatisfythedec-property.Thishypothesisisnatural,sinceitonlyforbidstheAPIfromdecryptingthesameinputun-dertwodifferentkeys.Notethatthedec-propertyisclearlysatisedbytherulesgiveninFigure1.Denition7(well-formedAPIrule)LetS0beasetofpuregroundfactthatisconsistent.LetRbeanAPIrule.chk1(u1);:::;chkk(uk);x1;:::;xn!tWesaythatRiswell-formedw.r.t.S0if:forallisuchthat1ik,wehavethatui2st(t),Rsatisesthedec-property,forallv2KeyTerm(R),vischeckedinRw.r.t.S0.AnAPIrulesatisfyingonlythetworstpointsissaidtobeweaklywell-formed.TherstpointrequiresthattheAPIonlychecksthepar-ityofobjectsthataretobeusedingeneratingtheoutput.Sincetheformofourruleshasonlyvariablesontheleft,andalldecryptionexplicitlystatedontheright,thisisquitenatural.WewouldnotexpectanAPItochecktheparityofatermthatissubsequentlydiscarded.Forinstance,theAPIrulesgiveninFigure1arewell-formed.However,therulesdescribingthecapabilitiesoftheattacker(seeExample1)arenotwell-formed,butonlyweaklywell-formed.4.3DecidabilityTheorem1(Mainresult)LetPbeaninstanceofthese-curityproblem(asstatedattheendofSection4.1)wherethesetAofAPIrulesiswell-formedw.r.t.thesetS moduloACequations.Theideaistopre-computevariantsoftherulessothatthereisnoneedtoapplythefullequa-tionaltheoryanymore.LetRbeatermrewritingsystem(TRS)andE0beanequationaltheory,wewriteu!R;E0vwhenvcanbewrit-tenintovmoduloE0.AdecompositionofanequationaltheoryEisapair(R;E0)suchthatRisanE0-convergentsystemforE,i.e.u=EAPIvifandonlyifu#=v#whereu#denotesthenormalisedformofuw.r.t.!R;E0.Forinstance,fortheequationaltheoryEAPI,wecanshowthat(R;AC)isadecompositionofEAPIwhereR=8:dec(fxgy;y)!xxx!0fdec(x;y)gy!xx0!0x(xy)!yDenition8(nitevariantproperty)Adecomposition(R;E0)ofagiventheoryEhasthenitevariantpropertyifforeverytermt,thereisanitesetofsubstitutions(t)suchthat892(t);9suchthat#=E0^(t)#=E0(t)#:Inotherwords,allpossiblereductionsinanin-stanceoftcanbecomputedinadvance.Givenatermt,wedenotebyVar(t)thesetofitsvariants,i.e.Var(t)=f(t)#j2(t)g.In[6],theauthorsgivesuf-cientconditiontoestablishthatagivenpresentationsat-isesthenitevariantproperty.Moreovertheygiveanal-gorithmallowingustocomputethevariantsassociatedtoagiventerm.Byusingtheirresult,itiseasytoestablishthat(R;AC)isadecompositionofEAPIwhichsatisesthe-nitevariantproperty.Theso-calledvariantsofaruleRareobtainedbyperformingnarrowingwithRmoduloAC.Narrowing.Thesubtermoftatpositionp2O(t)iswrit-tentjp.Thetermobtainedbyreplacingtjpwithuisdenotedt[u]p.WedenotebyO(t)thesetofnon-variablepositionoft.GivenaTRSR,wesaythatatermtnarrowstot0withthesubstitution,atp2O(t),byl!r2Rifthereexistsarenamingl0!r0ofl!r2Rsuchthatisaunieroftjpandl0andt0=(t[r]p).Inthiscase,wewritet t0.Wewritet t0ifthereexistsanarrow-ingderivationt=t1 1t2::: n�1tn=t0suchthat=1:::n�1.IfE0isasetofequationssuchthatanE0-unicationalgorithmexists,wedeneE0-narrowingasexpected(isanE0-unieroftjpandl).Inparticular,thisallowsustodeneAC-narrowing.Computationofthevariants.LetRbeanAPIruleandkbethenumberofoccurrencesoff g ,decand.Accordingto[6],wehavethatVar(R)=fR0jR R0byaderivationoflengthatmostkgNowthepropositionbelowisaneasyconsequenceofthefactthatEAPIsatisesthenitevariantproperty.Proposition3LetA1,A2betwosetsofrules,Sbeasetofgroundfactsandsbeagroundterm(innormalform).S`KeyCj(A1)kA1[A2;EAPIuifandonlyifS`Var(KeyCj(A1))kVar(A1[A2);ACuMoreover,weonlyneedtoconsiderinstancesoftheruleswhichinvolvetermsinnormalform.Example8Forinstance,considerthefollowingruleR=x;y!dec(x;y).WehavethatVar(R)=fR;R0gwhereR0=fzgy;y!z.NotethatR0isanormalisedinstanceofR.IndeedR0=R#where=fx7!fzgyg.6.2ControllingtheformoftherulesWeneedtocontroltheformoftherulesaftercomputa-tionofthekeyconjuringtransformationandcomputationofthevariants.WeshowthatthesetVar(A[KeyCj(A))obtainedfromasetAwhichonlycontains(weakly)well-formedrulesw.r.t.Sis(weakly)well-adaptedw.r.t.S.Denition9(well-adapted)LetS0beasetofpuregroundfactthatisconsistent.LetR=Rl[newn]!Rr.WesaythatRiswell-adaptedw.r.t.S0if1.Riswell-typedandvars(Rr)vars(Rl),2.atermoftypeCipherappearingasastrictsubtermpositioninRiseitheranonceoravariable,3.forallt2KeyTerm(R),tischeckedinRw.r.t.S0,4.thereisatmostonetermuinacheckinRrnotequaltonandweareinoneofthefollowingcases:u=dec(y;nu0),u=dec(n;u0),ornoccursinRlandhencetheruleRisuseless.Asetofruleswhichsatisesthetworstpointsissaidtobeweaklywell-adapted.Proposition4LetS0beasetofpuregroundfactthatisconsistent.LetAbeasetof(weakly)well-formedAPIrulesw.r.t.S0.LetA0=Var(A[KeyCj(A)).WehavethatA0isasetof(weakly)well-adaptedrulesw.r.t.S0.Thenotionofwell-adaptedreliesonfourconditions(seeDenition9).Theconditions1,3and4areestablishedbyusingthefactthatavariantR0isjustanormalisedinstanceofwell-formedAPIruleR,thatisR0=R#forsome. termMwhereanyoccurrenceofNinkeypositionisre-placedbyN0.Lemma3(Replacementofdec-termsinkeyposition)LetAbeasetofwell-adaptedrulesandSbeasetofpuregroundfactssuchthatnodectermsoccursinKeyTerm(S).LetwbeapuregroundtermdeduciblefromSandF1;:::;FnbeaproofthatS`A[Var(I);ACwthatinvolvesonlypurefacts.Weassumethatthereisnodec-termsubtermofw.Lettbeatermsuchthatt2Fjforsome1jnandletpbesomekeypositionoftsuchthattjp=dec(u;v)t0(t0beingpossiblyemptyinwhichcasebyconvention,tjp=dec(u;v)).Eitherthetermdec(u;v)islegal.OrF1(dec(u;v)t0;0);:::;Fj(dec(u;v)t0;0)isapureproofofS`R[Var(I);ACt(dec(u;v)t0;0).Thelemmaisprovedbyinduction.Now,weareabletoproveourmainresult(Theorem1).Proof.LetPbeaninstanceofthesecurityproblemwherethesetAofAPIrulesiswell-formedw.r.t.Sand02S.LetS0bethesetoffactsobtainedfromSbyadding1(constantoftypeCipher),c1,c2,c01,c02,c03,c04constantsofBasetype,chkOdd(c1),chkOdd(c01),chkOdd(c03),chkEven(c2),chkEven(c02),chkEven(c04),chkOdd(dec(1;c01)),chkOdd(dec(1;c02)),chkOdd(dec(1;c03)),chkOdd(dec(1;c04)).NotethatnodectermsoccursinKeyTerm(S0).ThankstoPropositions1and2,weeasilydeducethatS`KeyCj(A)kA[I+;EAPIu,S0`KeyCj(A)kA[I;EAPIuProposition3givesusS0`KeyCj(A)kA[I;EAPIu,S0`Var(KeyCj(A))kVar(A[I);ACuThankstothewell-formednessoftherulesinA,wede-duce(Proposition4)thattherulesinVar(KeyCj(A))arewell-adapted,therulesinVar(A)arewell-adapted,therulesinVar(I)areweaklywell-adapted.NotealsothatVar(A[I)=Var(A)[Var(I).Now,weapplyCorollary1andwededucethatifS0`Var(KeyCj(A))kVar(A[I);ACuthenthereexistsaproofwitnessingthisfactwhichinvolvesonlypureterms.Lastly,Lemmas2and3allowustoboundthenumberofdec-termswhichcanappearinsuchaproof.Thisallowsustoconsideronlya-nitenumberofterms:wehaveanitenumberofconstantsandnonceswhichcanonlybecombinedtoproducepuretermsinvolvingsomeprecisedec-terms.Complexity.Ourdecisionprocedureworksasfollows.WerstguesstheklegaltermsthatareproducedbykeyconjuringrulesandthensaturatethesetS0withallde-ducibletermsthatarepuretermswithnoillegaldectermsunderkeyposition.Letnbythenumberofconstantsoc-curringinS0plusk.Illegaldectermscannotoccurnestedthusitiseasytoseethatthereareatmostn2nillegaldecterms.ThesedectermscanbearbitrarilyXORedinplain-textpositionbutcannotoccurunderkeyposition.Thuswehavetoconsideratmost22O(n)terms.Thusourprocedureterminatesafteratmost22O(n)steps.Altogether,wecanshowthatouralgorithmisnon-deterministic2-EXPTIME.6.5RelatedworkTheclassofwell-formedAPIrulesisrelatedtotheclassproposedin[8].Thereitisshownthatsecrecypreserva-tionofprotocolsisdecidableforanunboundednumberofsessionsforprotocolswithXOR,providedtheycanbeex-pressedwithrulesintheWFX-class,thatis,asetofrulesoftheformt1;:::;tn!tn+1whereeachtjiseitheraxortermthatistj=Lni=1ui,n1whereeachuiisavariableoraconstant.ortj=fugvwhereuandvarexorterms.Thisisintuitivelyrelatedtoournotionofwell-typedtermsthatensuresinparticularthatatmostoneencryptionsym-bolcanappearinaterm.However,therearetwomaindif-ferencesbetweentheclassofwell-formedAPIrulesintro-ducedinthispaperandtheWFX-class.1.Weconsiderhereanequationaltheorywithexplicitdecryption.Thisisnecessaryformodellingkey-conjuring.Addingthetwoequationsforencryptionanddecryptionrequiresamuchmorecarefultreatmentwhenprovingthatwheneverthereisanattack,thereisanattackthatinvolvesonlypureterms.2.Intheworkpresentedhere,itisnotsufcienttoboundthenumberofencryptionsymbols,asin[8].In-deed,thereareaninnitenumberofwell-typedtermssincethenumberofnesteddecryptionsymbolsisnot [14]P.Youn,B.Adida,M.Bond,J.Clulow,J.Herzog,A.Lin,R.Rivest,andR.Anderson.Robbingthebankwithatheo-remprover.TechnicalReportUCAM-CL-TR-644,Univer-sityofCambridge,August2005.AExistenceofapureattackLemma1LetAbeasetofweaklywell-adaptedrulesandSbeasetofpuregroundfactsthatisconsistentandwhichcontains0.LetubeagroundtermdeduciblefromSandF1;:::;FnbeaproofthatS`A;ACu.Letpbeanim-purepositionofu.Wehavethatujp2S[F1[:::[Fn.Proof.Theproofisbyinductiononthenumberofstepsneededtoobtainu.Thebasecase,i.e.u2S,istriv-ial.Fortheinductionstep,wehavethatthereexistsaweaklywell-adaptedruleRlnewn!Rrandagroundsub-stitutionsuchthatRlSatChk(S[F1[:::[Fn�1)andu2Fn=Rr(moduloAC).Letpbeanimpureposi-tioninu.eitherp=andinsuchacasewehavethatujp2S[F1[:::[Fn,orujpisastrictsubtermofu.SinceRlnewn!Rrisaweaklywell-adaptedrule,ujpmustbeasub-termofxforsomevariablex2Rr.Sincevars(Rr)vars(Rl),wehavethatthereexistst2Rlsuchthatt2S[F1[:::[Fn�1andujp2st(t).Moreover,wecaneasilycheckthatujpappearsatanimpurepositionint.Byinductionhypothesis,wededucethatujp2S[F1[:::[Fn�1andthusujp2S[F1[:::[Fn.Proposition5LetAbeasetofweaklywell-adaptedrulesandSbeasetofpuregroundfactsthatisconsistentandwhichcontains0.Letubeapuregroundterm.IfS`A;ACuthenthereisaproofofS`A;ACuwhichonlyinvolvepureterms.Wedenethefunction
overgroundtermsthatre-placesanytermatanimpurepositionby0(neutralelementof)or1(constantoftypeCipher).Moreformally
isinductivelydenedasfollows: u=uifuisavariableoraconstant u1u2= u10 u20 dec(u1;u2)=dec(u1; u20)ifu12NoftypeCipher dec(u1;u2)=dec(1; u20)otherwise fu1gu2=f u10g u20where
0aredenedby: u0=uifuisavariableoraconstantofbasetype u1u20= u10 u20 dec(u1;u2)0=dec(u1; u20)ifu12NoftypeCipher dec(u1;u2)0=dec(1; u20)otherwise u0=0otherwiseThefunctions
0and
areextendedtosetsoffactsasex-pected.Moreover,thefunction
0isalsodenedonchecksasfollows: chkX(t)0=chkX( t0):Proof.ConsideraproofF1;:::;FnofS`u.WeshowbyinductiononnthatwecanconstructsetsG1;:::;GpwhichonlyinvolvepurefactssuchthatG1;:::;GpisaproofofS` tforanyt2S[F1[:::[Fn, chkX(t)02SatChk(S[G1:::[Gp)foranychkX(t)2SatChk(S[F1[:::[Fn).Thiswouldconcludetheproofsinceu2Fnand u=u.Thebasecaseu2Sistrivial.Fortheinductionstep,weassumethattherearesetsofpuregroundfactsG1;:::GpsuchthatG1;:::;GpisaproofofS` tforanyt2S[F1[:::[Fi, chkX(t)02SatChk(S[G1[:::[Gp)foranycheckchkX(t)2SatChk(S[F1[:::[Fi).andweshowthatwecanconstructasetofpuregroundfactsGp+1suchthatG1;:::;Gp+1isaproofofS` tforanyt2S[F1[:::[Fi+1, chkX(t)02SatChk(S[G1[:::[Gp+1)foranychkX(t)2SatChk(S[F1[:::[Fi+1).ThesetofgroundfactsFi+1isone-stepdeduciblefromS[F1[:::Fi,thusthereexistsaweaklywell-adaptedruleRlnewn!Rr2AandagroundsubstitutionsuchthatRlSatChk(S[F1[:::[Fi)andFi+1=Rr(mod-uloAC).Let0bethesubstitutiondenedbyx0= x0foranyx2dom()oftypeBase,x0=xwhenxisaconstantoranonceoftypeCipherand1otherwise.WecanshowthatGp+1=Rr0satisestherequiredconditions.