An Experiment in Ping-Pong Protocol Verification by Nondeterministic Pushdown Automata
JJohn P. Gallagher, Rob van Glabbeek and Wendelin Serwe (Eds):Models for Formal Analysis of Real Systems (MARS’18)and Verification and Program Transformation (VPT’18)EPTCS 268, 2018, pp. 169–184, doi:10.4204/EPTCS.268.6 c (cid:13)
R. Gl¨uckThis work is licensed under theCreative Commons Attribution License.
An Experiment in Ping-Pong Protocol Verificationby Nondeterministic Pushdown Automata
Robert Gl¨uck
DIKU, Department of Computer Science, University of Copenhagen
An experiment is described that confirms the security of a well-studied class of cryptographic pro-tocols (Dolev-Yao intruder model) can be verified by two-way nondeterministic pushdown automata(2NPDA). A nondeterministic pushdown program checks whether the intersection of a regular lan-guage (the protocol to verify) and a given Dyck language containing all canceling words is empty. Ifit is not, an intruder can reveal secret messages sent between trusted users. The verification is guaran-teed to terminate in cubic time at most on a 2NPDA-simulator. The interpretive approach used in thisexperiment simplifies the verification, by separating the nondeterministic pushdown logic and pro-gram control, and makes it more predictable. We describe the interpretive approach and the knowntransformational solutions, and show they share interesting features. Also noteworthy is how abstractresults from automata theory can solve practical problems by programming language means.
Keywords protocol verification, ping-pong protocols, cryptographic protocols, nondeterministicprogramming, two-way pushdown automata, memoizing interpreters
Soon after the introduction of public-key encryption [26], it was found that an adversary can obtain asecret message sent on a network between trusted users, not by breaking the cryptographic algorithm,but by breaking the communication protocol through complex interactions with the users. A key findingby Dolev and Yao [8, 9] was that the security problem of cryptographic ping-pong protocols can bemapped onto a decidable grammar problem. They gave an algorithm for constructing, for any givenping-pong protocol, a nondeterministic finite-state automaton (regular language) representing all possibleinteractions between the trusted users and the adversary, and a special-purpose algorithm for decidingthe security question by computing the collapsing-state relation by a closure algorithm. Their originalalgorithm decided the security question in time O ( n ) , where n is the size of the automaton [8, 9]. Thiswas later improved to O ( n ) [7]. The security of protocols is very important because public-key cryptosystems are widely used for electronic communication and underpin various Internet standards.Recently, Nepeivoda [24] showed that the security of ping-pong protocols can also be verified byprogram transformation. Instead of regular expressions, the protocol in question is mapped onto a prefixgrammar encoded as a first-order functional program in such a way that it can be used to decide thesecurity question by a program transformer, specifically a supercompiler. This method builds upon worksolving other verification problems by general-purpose program transformation ( e.g. , [2, 22]). The mainsteps of these two methods are shown on the left- and right-most branches in Fig. 1.This paper takes another programming language approach — an interpreter for a nondeterministiclanguage is used instead of a program transformer. We show how to write a two-way nondeterminis-tic pushdown (2NPDA) program that searches for insecure communications in a finite-state automatonconstructed by the Dolev-Yao algorithm, and interpret the program by an existing simulator for nondeter-ministic pushdown programs, which decides the security question in time O ( n ) . This approach leads to70 AnExperiment inPing-Pong Protocol Verification by Nondeterministic Pushdown Automataping-pongprotocol mapping mapping finite-stateautomaton edge set edges on tape prefixgrammar program text state-relationclosure algo. answer pathfinder ndet SIM ndetdet answer interpreter transformer
SCP detdet answer y/n acceptreject resid.pgmFigure 1: Three verification approaches for cryptographic ping-pong protocols: Dolev-Yao’s originalmethod [9] (left) and two programming language approaches — an interpretive method by pushdownsimulation (SIM) described in this paper (in bold) and a transformative method by supercompilation(SCP) [24] (right).a surprisingly straightforward solution that is asymptotically as efficient as any of the other verificationmethods above. The verification is simplified by separating the problem into an easy-to-write pushdownlogic that specifies the solution in terms of finding a path in a directed graph and a control componentthat calculates the actual solution; such separation is known in logic programming as “algorithm = logic+ control” [21]. Herein, a nondeterministic pushdown program and a simulator that embeds memo-ization as a control component are used. The simulator guarantees termination and polynomial-timeperformance on a random-access machine with a uniform cost model [3, 14]. The simulators that we usesimulate one machine by another; in programming language terms these are interpreters. This experi-ment also shows how, relying on proven results from automata theory, a class of cryptographic protocolscan be verified by means of nondeterministic programming. The method is shown by the bold shapesin Fig. 1. The deterministic (det) and nondeterministic (ndet) source and implementation languages ofthe simulator (SIM) and the supercompiler (SCP) are discussed in a later section. The interpretation andtransformation approaches are two sides of the same coin, and we show they share interesting features.The approach taken here is similar to other resource-bounded computation models [18] where certainproperties are guaranteed for all programs regardless of how they are written ( e.g. , all programs written ina reversible language are easily invertible [5]). Even though the nondeterministic pushdown computationmodel used here is subuniversal (not Turing-complete), it is not particularly weak. The multihead 2NPDAcharacterize the polynomial-time (“tractable”) algorithms. Pushdown programming is a technique forsolving problems that may deserve more attention, perhaps supported by program transformation.In Sect. 2, we briefly review ping-pong protocols and the security problem. In Sect. 3, we introducethe nondeterministic pushdown language and, in Sect. 4, we present the protocol verifier. In Sect. 5and 6, we discuss the methods and related work, respectively..Gl¨uck 171
Ping-pong protocols are a class of two-party cryptographic protocols. Their purpose is to transmit secrettext between two users in a network. The initiator of a communication applies an initial sequence ofoperators to the text of a message and sends the message to the intended recipient. In each step of theircommunication, a participant applies an operator sequence to the text most recently received and returnsthe result. This ping-pong action continues several times as specified by the protocol. Operators that canbe applied to a text include name stamps and cryptographic operators (see [7] for more information).Public-key encryption is a cryptographic system that allows an encryption key to be revealed to thepublic without revealing the corresponding decryption key ( e.g. , RSA [26]). Consequently, a text can beenciphered by anyone using the encryption key publicly revealed by the intended recipient of the text,but only the intended recipient can decipher the text because only this recipient has the correspondingdecryption key. There is no need to secretly exchange keys between the participants. Protocol Operators.
A network is assumed to have three legitimate users ( X , Y , Z ) with equal rights.Each user can initiate a communication with another user by sending an initial message. A message sentin the network consists of three fields: the sender’s name, the receiver’s name and the text. The text isthe part of a message to which a user can apply operators as specified by the communication protocol.All users have the same set of operators ( Σ ) that they can apply to the text of a message and each useralso has a private operator ( D X , D Y , D Z ) for decrypting a text with their private key. Definition 1
The operator sets of users X , Y , Z are Σ X = Σ ∪ { D X } decrypt by private key of X , (1) Σ Y = Σ ∪ { D Y } decrypt by private key of Y , (2) Σ Z = Σ ∪ { D Z } decrypt by private key of Z , (3) where Σ is the common operator set available to every user: Σ = { E X , E Y , E Z , encrypt by public key of X , Y , Z (4) P X , P Y , P Z , prepend name of X , Y , ZM X , M Y , M Z , match and delete prepended name of X , Y , ZM } delete any prepended name . Operators E X , E Y , E Z encrypt a text with the public key of a user, operators P X , P Y , P Z prepend a username to a text, operators M X , M Y , M Z delete a prepended user name if the name matches, and M deletesany prepended user name from a text. The cryptographic operators are defined for any text. If the keysmismatch, they return just gibberish ( e.g. decryption of an encoded text with the wrong key: D Y E X ).The cryptographic operators of public-key encryption are inverse to each other ( e.g. D X E X = E X D X = ε where ε denotes the empty sequence of operators). A protocol aborts when prepended names mismatch( e.g. expecting another name stamp: M Y P X ). The order of applying the operators is from right to left. Definition 2
Cryptographic operators of public-key encryption [26] have the following identities for anyuser U , as have the operators for matching and deleting prepended user names [7].D U E U = E U D U = M U P U = MP U = ε . (5)72 AnExperiment inPing-Pong Protocol Verification by Nondeterministic Pushdown Automata E Y D Y D X Σ Z E Y E Z E X E Z Figure 2: FSA of Protocol 1.Consider a Dolev-Yao ping-pong protocol [7] as an example that is defined between two users A , B ∈{ X , Y , Z } where A is the initiator and B the recipient. The protocol consists of two operator words, α ∈ Σ ∗ A and α ∈ Σ ∗ B . In each step one of the two participants applies an operator word to the text andsends the result to the other participant. The following two words define the protocol’s ping-pong action.Protocol 1: α ( A , B ) = E B α ( A , B ) = E A D B Initially, A sends a message to B after encrypting the secret text by B ’s public key, that is A applies α ( A , B ) = E B to the text. Recipient B sends a message back to A after decrypting the received text by B ’s private key D B and encrypting the result by A ’s public key E A , that is B applies α ( A , B ) = E A D B to thetext it received. The second step completes this ping-pong protocol. The complete operator word appliedto the text is α ( A , B ) ◦ α ( A , B ) = E A D B E B . Under this cryptographic protocol, recipient B can read A ’ssecret text and initiator A can compare the original text with the text echoed by B . The communicationbetween A and B is performed without sending any plain text in the network. This cryptographic protocolappears to be a secure way of exchanging messages but, as we shall see, it is not. Dolev-Yao Intruder Model.
Assume that two of the users on the network are well-behaved ( X , Y ),which means they only apply the operations specified by the protocol. The third user is a saboteur ( Z )who can apply any operator sequence Σ ∗ Z to a message text. The saboteur waits patiently for a chanceto crack the communication between the well-behaved users by listening to the network, interceptingand altering any message. This scenario is sufficient for checking the security of two-party ping-pongprotocols in the Dolev-Yao intruder model.A single saboteur is sufficient in this model because a single saboteur can do whatever a group ofsaboteurs can do [7]. The model assumes only a few limitations on the behavior of the saboteur. Thesaboteur can impersonate any sender ( X , Y , Z ), apply any operator sequence Σ ∗ Z to a text, and send analtered message to any user. It is assumed that private keys cannot be stolen from the users.Consider as an example how Protocol 1 can be cracked by saboteur Z . Let X initiate the commu-nication with Y by sending a text encrypted by α ( X , Y ) in the network. Assume that Z intercepts X ’sinitial message, changes the sender to Z , and sends the unchanged text to Y , who believes Z initiated acommunication by sending the initial α ( Z , Y ) . As specified by the protocol, the well-behaved user Y responds to Z by applying α ( Z , Y ) to the received text, that is after decrypting the text by E X and en-crypting it by E Z for the perceived sender Z . The saboteur Z can now simply decrypt the message by D Z .The secret has been revealed, not by cracking the public-key encryption algorithm, but the protocol! The.Gl¨uck 173entire operator sequence applied to the original text is reduced to ε by the operator identities: D Z ◦ α ( Z , Y ) ◦ α ( X , Y ) = D Z E Z D X E X = ε . (6) The Security Question.
The Dolev-Yao intruder model formalizes the interaction of the well-behavedusers ( X , Y ) and the saboteur ( Z ) using a nondeterministic finite-state automaton (FSA). The FSA forProtocol 1 in Fig. 2 generates all operator sequences that can be applied to a text sent by initiator X .Assuming that the initiator is X is sufficient for checking the security of the protocol. The initial state is 0,the accepting state is 1, and the edges are labeled with operators. X starts by sending a message to Y thatthe saboteur tries to obtain by cracking the protocol. After the initial operator sequence α ( X , Y ) = E Y is applied to the text, Z can intercept the message and apply to it an arbitrary operator sequence Σ ∗ Z , or X and Y can apply α ( X , Y ) , α ( X , Z ) , α ( Y , X ) or α ( Y , Z ) to the text in response to a message receivedfrom X , Y , Z . The FSA can be constructed for any ping-pong protocol by an algorithm [7]. The security question translates into the following grammar problem: A protocol is secure if the in-tersection of L ( FSA ) , the regular language defined by its FSA, and L ( G ) , the context-free language ofall reducible operator words, is empty. Thus, the security question of ping-pong protocols is a decidablegrammar problem, namely the emptiness of the intersection of a regular language and a context-language: L ( FSA ) ∩ L ( G ) ? = /0 . (7)The context-free grammar G generating all reducible words is the same for all ping-pong protocols:G :: = D U G E U | E U G D U | M U G P U | M G P U | G G | ε for all U ∈ { X , Y , Z } . (8)The saboteur in the Dolev-Yao intruder model can apply any operator sequence Σ ∗ Z to a message text, soG must generate all reducible words. A word in G is balanced with respect to “opening” and “closing”pairs of operators. Any word in L ( G ) can be reduced to ε by repeatedly applying the identity rules inDef. 2, i.e. by substituting ε successively for every occurrence of pairs to which the identity rules apply.It can easily be shown that these reductions can be performed in any order without changing the result.The reduction strategy we are going to use later is to repeatedly apply the identity rules to the rightmost,innermost pair to which they apply. There is no difference between handling a mismatch of keys and ofprepended names (the operator pair does not reduce).
Definition 3
A ping-pong protocol is secure iff there is no accepting path in its FSA representation whoseword is reducible to ε by the operator identities; otherwise, the protocol is insecure [7]. Protocol 1 can be made secure by prepending the name of initiator A to the text before encryptingit with B ’s public key, that is A applies α ( A , B ) = E B P A to the text. Recipient B now encrypts using A ’s public key only if the text has A ’s name prepended, as checked by match M A , that is B applies α ( A , B ) = E A M A D B to the text it received. The FSA of Protocol 2 in Fig. 3 has no accepting path whoseword is reducible [7].Protocol 2: α ( A , B ) = E B P A α ( A , B ) = E A M A D B Protocol 3: α ( A , B ) = E B P A E B α ( A , B ) = E A D B M A D B We use the reversed and simplified version of the FSA constructed by the algorithm. L ( G ) is an ambiguous language: parenthesizing is not necessarily unique, e.g. E X D X E X D X or E X D X E X D X .
74 AnExperiment inPing-Pong Protocol Verification by Nondeterministic Pushdown Automata P X E Y D Y D X Σ Z M Y M Z M X M Z E Y E Z E X E Z E Y P X E Y D Y D X Σ Z M X M Z D Y D Y M Y M Z D X D X E Y E Z E X E Z Figure 3: FSA of Protocol 2 (secure) and Protocol 3 (insecure).One may think that extra encryption makes a protocol even more secure, but this is not necessarilythe case. Suppose we want to improve Protocol 2 by encrypting the text once more. Let initiator A ,before prepending the name to the text by P A , encrypt it with B ’s public key, that is α ( A , B ) = E B P A E B .Receiver B now decrypts the text before encrypting it with A ’s public key, that is α ( A , B ) = E A D B M A D B .This innocent looking “improvement” makes the protocol insecure! This shows that informal argumentsare error prone. A formal way to decide the security of ping-pong protocols is needed. The operatorswhich a saboteur can inject into the communication are not immediately obvious in Fig. 3 in the FSAof Protocol 3 [7]. For example, it can be cracked by a patient saboteur who twice injects operators andfakes senders and receivers: D Z ◦ α ( Z , Y ) ◦ E Y P Z M X D Z ◦ α ( Z , Y ) ◦ E Y P Z ◦ α ( X , Y ) = D Z E Z D Y M Z D Y E Y P Z M X D Z E Z D Y M Z D Y E Y P Z E Y P X E Y = ε . (9) Two-way nondeterministic pushdown automata (2NPDA) will be our programming model. Pushdownautomata are simple versatile devices comprising three components: a read-only input tape, a potentiallyinfinite stack, and a finite-state control. They can move the head on the tape in both directions, push andpop symbols to and from the stack, and test the symbol on top of the stack and the symbol read on thetape. The alphabets of tape symbols, stack symbols and states are finite.
Multihead pushdown automata can read and move multiple heads independently on the tape.Even though these devices are subuniversal, they are not particularly weak. The multihead 2NPDA are equivalent to the polynomial-time algorithms [30]. Any k -head 2NPDA can be simulated in at most O ( n k ) steps on a random-access machine with a uniform cost model where n is the length of the tape [3].We shall see that a single head ( k =
1) is sufficient to check the security of ping-pong protocols, whichmeans this takes at most cubic time.Instead of using a traditional multi-valued transition function for defining the operation of a 2NPDA,we introduce the multihead nondeterministic pushdown language , shown in Fig. 4, with commands tomove the head ( left , right ), push and pop symbols ( push , pop ), and halt in an accepting or rejectingfinal state ( accept , reject ). Predicates can compare two symbols ( = ), test the emptiness of the stack( bottom ) and the ends of the tape ( leftend , rightend ). Global variables contain the symbol currently.Gl¨uck 175 Pgm :: = ( Label : Seq ) + Seq :: = Cmd | Cmd ; SeqTest :: = bottom | leftend | leftend2 | . . . | rightend | rightend2 | . . . | Sym = SymSym :: = Const | top | hd | hd2 | . . . Cmd :: = pop | push Sym | left | left2 | . . . | right | right2 | . . . | choice Seq or Seq end | if Test then
Seq else
Seq end | goto Label | skip | accept | reject Figure 4: Syntax of the multihead nondeterministic pushdown language.on top of the stack ( top ) and read by the tape head ( hd ). The variables are updated when the stacktop changes or the head moves. Similarly, additional tape heads ( hd2 , hd3 , . . . ) can be moved ( left2 , left3 , . . . ) and tested ( leftend2 , leftend3 , . . . ). The deterministic control-flow operators are as usual( if , goto ). A program consists of labeled command sequences. Execution begins at the first commandof a program. The left and right ends of the tape are marked with the tape symbols > and < , respectively.The language resembles flowchart languages except for its additional choice command [18] whichnondeterministically executes either command sequence Seq or Seq , that is, the next state after thechoice is not uniquely determined by the current state: choice Seq or Seq end Initially, the stack is empty and the tape heads scan the left end of the tape containing the inputword. An input word is accepted by a nondeterministic pushdown program if there exists at least onecomputation sequence for the program that terminates in an accept command. The nondeterministicoperation allows the simultaneous construction of every computation sequence for a given input. Theformal language accepted by a program is the set of all input words it accepts. This is the usual definitionfor nondeterministic pushdown automata. The semantics of the pushdown language will not be formallydefined here due to lack of space and the semantics being straightforward.A program that contains no left command is one way ; one that contains no choice commandis deterministic . One-head programs accept important classes of formal languages. For example, theone-way nondeterministic pushdown (1NPDA) programs accept the context-free languages.A textbook interpretation of a pushdown program may not terminate ( e.g. , push forever on the stack)or take exponential time before terminating. However, memoizing simulation methods ensure termi-nation and polynomial-time performance for all pushdown programs, because the number of possiblesurface configurations is polynomially bounded. Thus, every pushdown program has a definite answer(accept, reject). We refer the reader to [3, 14] for a presentation of the simulation methods, and to [6, 17]for the deterministic case. Accordingly, we shall be programming in a resource-bounded and decidablenondeterministic programming language, following the approach marked bold in Fig. 1.
Combinatorial search problems may often be simply written using nondeterministic programs. Beforewe show how to verify the security of ping-pong protocols, we show how to find a path between twonodes in a directed graph by a pushdown program. We then extend the pathfinding program into thedesired protocol verifier, discuss the nondeterministic programs and report on simulation results for theDolev-Yao protocols. Verification by program transformation is discussed in the next section.76 AnExperiment inPing-Pong Protocol Verification by Nondeterministic Pushdown Automata init: push ’0’; right (* push start node, pos 1st edge *)loop: if top = hd (* both nodes match? *)then choice (* make a guess: traverse or skip *)pop; right; (* traverse edge *)if hd = ’1’ then accept end; (* path 0 -> 1 found *)push hd; right (* push next node, pos next edge *)or2-right end; (* skip edge *)else 2-right end; (* mismatch: skip edge *)if rightend then move-to-leftend end; (* return to 1st edge *)goto loop
Figure 5: Finding a path in a directed graph by a nondeterministic PDA-program. The graph is given byits edges on the input tape.
Given a directed graph G = ( V , E ) with nodes u , v ∈ V and directed edges E = { ( u , v ) , . . . , ( u n , v n ) } ,where an edge ( u i , v i ) leads from node u i to node v i , the task of the pushdown program is to checkwhether there exists a path from a source node s ∈ V to a target node t ∈ V in G .Let the names of the source and target nodes be fixed as s = t =
1. For simplicity, we assumethat the node names in V are included in the tape- and stack-symbol alphabets of the automaton. G canbe represented by a tape of length O ( n ) that lists all edges in E , where > and < mark the two tape ends: > u v . . . u n v n < The nondeterministic program shown in Fig. 5 guesses a path in G from 0 to 1, if it exists. Initially,the stack is empty and the head is positioned at the left end ( > ) of the tape, so 0 is pushed on the emptystack by push ’0’ and the head is positioned at u of the first edge ( u v ) on the tape by right in thefirst line of the program. The invariant of the main loop that follows, is that the current node of the paththat the program is exploring is kept on top of the stack. This node is updated by the main loop when anedge is traversed to a new node. No other nodes are pushed on the stack, so a stack of height 1 sufficesfor following a path in G . Furthermore, a single head suffices for scanning the edges on the tape.The main loop moves the head hd over the sequence of edges on the tape, until an edge originating inthe current node on top of the stack is found ( top = hd ). The nondeterministic choice at this point is toeither traverse the edge originating in top or to continue the search for another edge originating in top .If the edge ( top , v ) is traversed and v =
1, then a path from 0 to 1 exists and the computation halts with accept ; otherwise, the search continues with v as the new current node. When the right end ( < ) of thetape is reached during the search, that is predicate rightend is true, the head is repositioned at the firstedge by move-to-leftend , and the search continues with the first edge. The main loop cycles over theedges on the tape traversing or skipping edges nondeterministically. An edge takes two positions on thetape, so two right moves skip an edge (shorthand notation ).Command move-to-leftend is assumedly built-in. It can be implemented by commands repeat: left; if leftend then right else goto repeat end The nondeterministic logic of finding a path in a directed graph is straightforward: Follow all pathsstarting from 0 and accept if 1 is reached. The nondeterministic program describes how to follow all paths.Gl¨uck 177 init: push ’0’; right (* push start node, pos 1st edge *)loop: if top = hd (* both nodes match? *)then choice (* make a guess: traverse or skip *)pop; right; (* traverse edge, check identities *)if (hd = ’DX’ ∧ top = ’EX’) ∨ (hd = ’EX’ ∧ top = ’DX’) ∨ (hd = ’DY’ ∧ top = ’EY’) ∨ (hd = ’EY’ ∧ top = ’DY’) ∨ (hd = ’DZ’ ∧ top = ’EZ’) ∨ (hd = ’EZ’ ∧ top = ’DZ’) ∨ (hd = ’MX’ ∧ top = ’PX’) ∨ (hd = ’M’ ∧ top = ’PX’) ∨ (hd = ’MY’ ∧ top = ’PY’) ∨ (hd = ’M’ ∧ top = ’PY’) ∨ (hd = ’MZ’ ∧ top = ’PZ’) ∨ (hd = ’M’ ∧ top = ’PZ’)then pop (* reduce operator pair to ε *)else push hd end; (* trace unreducible operator *)right; (* move to next node *)if hd = ’1’ ∧ bottom then accept end; (* insecure path *)push hd; right (* push next node, pos next edge *)or3-right end; (* skip edge *)else 3-right end; (* mismatch: skip edge *)if rightend then move-to-leftend end; (* return to 1st edge *)goto loop Figure 6: Protocol security checking by a nondeterministic 2-way PDA-program. The operator-labeleddirected graph representing the security problem of the protocol is given on the input tape.in a pushdown computation model without concern for efficiency and termination ( e.g. , cycles in graph).The control is separate (in the simulator). Both of the simulation methods for nondeterministic pushdownautomata [3, 14] perform a universal search in the space of nondeterministic computations (find allcomputation sequences), even though an existential search (halt after first accept) decides the problem.Both use a control component consisting of memoization for avoiding redundant computations. Together,the pushdown program and the simulator constitute the algorithm for finding a path in a directed graph.
To verify ping-pong protocols, we extend the nondeterministic pathfinding program (Fig. 5) to operator-labeled graphs that represent the security problem of a ping-pong protocol ( e.g. , Figs. 2 and 3).Given an operator-labeled directed graph G = ( V , E ) with nodes u , v ∈ V and directed edges E = { ( u , o , v ) , . . . , ( u n , o n , v n ) } labeled with the operators o i ∈ Σ XYZ = Σ X ∪ Σ Y ∪ Σ Z of Def. 1, the task ofthe pushdown program is to decide whether there exists a path from a source node s ∈ V to a target node t ∈ V in G along which the operator word is reducible to ε by the operator identities of Def. 2.As above, let the names of the source and target nodes be fixed as s = t =
1. Assume the nodenames in V and the operator names in Σ XYZ are included in the tape- and stack-symbol alphabets of theautomaton. G can be represented by a tape of length O ( n ) that lists all edges in E : > u o v . . . u n o n v n < An edge is represented by three symbols on the tape. As with pathfinding, the main loop of the pushdown78 AnExperiment inPing-Pong Protocol Verification by Nondeterministic Pushdown Automataprogram cycles over the edges on the tape and guesses a path from 0 to 1, if it exists. In addition, theprogram collects the operators labeling the edges along the path and tries to reduce the operator word to ε by applying the operator identities. The program is shown in Fig. 6. The main parts are as follows: • Main loop with nondeterministic choice to guess a path. • Applying the operator identities.The current node of the path being explored is kept on top of the stack while searching for matchingedges. The operators that could not be reduced so far along the current path are on the stack below thecurrent node. The task of the main loop is to find edges originating in the current node by cycling over theedges on the tape. An edge takes three positions on the tape, so three right moves skip an edge (shorthandnotation 3-right). When an edge ( top , o , v ) originating in the current node top is nondeterministicallyselected for traversal by choice , the current node is popped and an attempt is made to reduce the oper-ator o labeling the selected edge and the last unreduced operator o top , now on top of the stack, by tryingall operator identities of Def. 2. If an operator identity applies, o o top = ε , then o top is popped fromthe stack in the then-branch of the second conditional if ( e.g. , hd = ’MX’ ∧ top = ’PX’ in the test).Otherwise, the new operator o is pushed on the stack in the else-branch because the operator pair is notreducible. This is the rightmost, innermost reduction strategy discussed in Sect. 2. Next, v is pushed andthe search continues with v as the new current node, unless v = ε , which means the stackis empty (predicate bottom is true) at the target node, the program halts with accept . This tells usthat the protocol is insecure . The protocol is secure if no path from 0 to 1 is labeled with a reducibleword, that is, the input is rejected. The program defines how to search for an insecure path using anondeterministic choice. Tape Representation.
The representation of the protocol graphs in Figs. 2 and 3 on the tape of thepushdown program is shown in Fig. 7. The node names ( , , ...) and operator names ( EX , EY , ...) areincluded in the tape symbols, so each takes one position on the tape. The length of the tape is O ( | E | ) given a graph G = ( V , E ) . The representation of the 18 edges of Protocol 1 takes 56 symbols, the 23edges of Protocol 2 take 71 symbols, and the 28 edges of Protocol 3 take 86 symbols including the twoendmarkers. Names are introduced for intermediate nodes because each edge can only be labeled by asingle operator. For example, the initial word of user X in Protocol 3 between source node and targetnode takes three labeled edges with two intermediate nodes, which we call and .(If node names are encoded as numbers in a fixed set of tape symbols ( e.g. , , ), the tape lengthwould be O ( | E | · log | V | ) , and the program would need to be adapted to deal with the encoding andseparators between the edges on the tape, e.g. , edge ( , E X , ) = .) Experiments and Implementation.
The pushdown program in Fig. 6 defines a 1-head, 2-way andnondeterministic pushdown automaton (1-head 2NPDA). This is easy to see because the program has asingle head variable ( hd ), moves in both directions ( left , right ), and has a nondeterministic choice( choice ). Because a k -head 2NPDA can be simulated in at most O ( n k ) steps where n is the length ofthe tape, checking the security of ping-pong protocols by a 1-head 2NPDA takes at most O ( n ) steps.The pushdown simulator [14] takes a set of transition rules as the definition of a pushdown automaton.It takes 690 transition rules to define the program shown in Fig. 6 as a 1-head 2NPDA with 8 controlstates, 30 tape symbols, and 30 stack symbols. The number of transition steps and surface configurations(state × stack-top symbol × tape symbol) the simulator takes to verify the three Dolev-Yao protocols.Gl¨uck 179 Protocol 1: > 0 EY 1 initial word of trusted user X ( α ) words of attacker Z ( Σ ∗ Z ) words of trusted users X,Y ( α )Protocol 2: > 0 PX 8 8 EY 1 initial word of trusted user X ( α ) words of attacker Z ( Σ ∗ Z ) words of trusted users X,Y ( α ) Protocol 3: > 0 EY 8 8 PX 9 9 EY 1 initial word of trusted user X ( α ) words of attacker Z ( Σ ∗ Z ) words of trusted users X,Y ( α ) Figure 7: Tape representation of the protocol graphs in Figs. 2 and 3 (nodes and operators are representedby tape symbols , , ..., EX , EY , ...).are listed in Table 1. The simulator looks for a universal solution, exploring all computation sequencesleading to an accept (insecure protocol) and not halting at the first accept being found. Thus, the outcomeand the order of the edges on the tape have no significant influence on the performance of the simulation.Table 1: Simulation of the pushdown program as 2NPDA with the Dolev-Yao example protocols. verification edges tape configs steps answer Protocol 1 18 56 584 8100 accept (insecure)Protocol 2 23 71 740 6031 reject (secure)Protocol 3 28 86 1184 11412 accept (insecure)
Discussion.
The nondeterministic pushdown verifier is surprisingly simple (in the author’s opinion),especially when considering that Dolev and Yao’s first algorithm took O ( n ) steps [8, 9], while theverifier in Fig. 6 is guaranteed to take at most O ( n ) steps thanks to fundamental results of automatatheory. The verifier checks whether the intersection of a regular language represented on the tape asFSA (the protocol to verify) and a fixed Dyck-like language containing all canceling (insecure) wordsis empty. Clearly, the verifier is not limited to protocol graphs constructed by the algorithm [7]. Anyoperator-labeled FSA can be placed on the tape and the operator identities tested in the program can beadapted easily to other identities. Thus, any security question that can be captured by an operator-labeledFSA (any regular language) intersected with a Dyck-like language induced by a fixed set of operatoridentities can be decided by the verifier after adaption to the specific operator identities.The experiment also supports the proposition that programming languages can make abstract the-oretical results more accessible and applicable [18, 25] (other examples are reversible programming80 AnExperiment inPing-Pong Protocol Verification by Nondeterministic Pushdown Automatalanguages [5]). The simulation approach is also amenable to optimization by program specialization,which typically reduces the interpretive overhead by an order of magnitude. However, a memoizinginterpreter for a nondeterministic language may pose additional challenges to non-trivial specialization.A downside, from a programming perspective, is that the pushdown language has no convenient datastructures, just a linear tape with symbols. A search for matching edges needs to cycle over all edges onthe tape and to return the head from the right end to the left end. Verification by general-purpose program transformers is another approach that has been proposed andused successfully to check the security of cryptographic protocols by supercompilation [2, 24].Typically, the security problem of a protocol ( e.g. , a ping-pong protocol) is encoded as a functionalprogram with an additional trace parameter that constrains all nondeterministic choices such that theybecome deterministic. Given a trace, the functional program maps an initial state into a final state whichcan then be tested for validity ( e.g. , whether the state is insecure). By specializing the program withrespect to a static (known) initial state and a dynamic (unknown) trace, a supercompiler will explore thecontrol flow of all possible traces for the given initial state. If the program is specialized into a residualprogram from which it is immediately seen that no trace can steer the residual program into an invalidfinal state then the original protocol is considered secure.A difficulty with this approach is the preparation of a functional program that specializes well, whichmay require considerable knowledge about supercompilation. There are obstacles, namely finding theright encoding of the security problem in a universal source language and taming the power of the super-compiler with folding, generalization and other sophisticated optimizations, especially if success dependson the way the program is written. The nondeterminism inherent in the security problem is first mappedinto a deterministic program and then reintroduced by specializing the deterministic program with re-spect to a dynamic trace, which can make the transformation hard to predict. A nondeterministic choicein the original problem does not necessarily correspond to a nondeterministic (dynamic) choice takenby the supercompiler when exploring all possible control flows in the program. The control over thesechoices is therefore indirect. On the other hand, case studies [2, 22] have shown that a supercompiler [29]can solve a variety of security problems, including cryptographic ping-pong protocols [24].In our case study, the protocol verifier is a pushdown program that explores all paths in a protocolgraph by nondeterministic means. The security problem is not encoded as a functional program, butgiven as input data (Fig. 7) to the verifier (Fig. 6). The verifier is the same for all protocols. A branchingin the graph on the tape is directly modeled by a nondeterministic choice in the pushdown program. Theverifier has exactly one nondeterministic choice point; all other choices in the program are deterministic( if ). The nondeterministic choice is an integral part of the language semantics and gives direct controlof the problem-specific nondeterminism inherent in the security problem. The verifier is written in alanguage for which decidability is guaranteed, which is a major advantage of this approach. To thebest of the author’s knowledge, this is the first study in which the pushdown programming model hasbeen applied to ping-pong protocols, but the model’s practicality for verifying a larger class of protocolshas not yet been demonstrated. At least in principle, the multihead pushdown programs can decide anycomputationally “tractable” verification problem.Both approaches explore all possible paths of a security problem regardless of its representation.In one approach, this is achieved by a supercompiler specializing a program representing the problem The trace program may have additional parameters depending on the particular class of protocols and the desired answer. .Gl¨uck 181Table 2: Pushdown simulation and supercompilation characteristics. method
SIM SCP approach interpretation transformation sound answer yes yes complete answer yes case by case time complexity class = polynomial exponential? space complexity class ⊆ polynomial unknownsubuniversal universal source language nondeterministic deterministictail-recursive recursiveand building an internal process graph, whereas in the other approach it is achieved by a simulator ofpushdown programs using memoization. The nondeterministic choice is an integral part of the pushdownlanguage semantics, while in the case of supercompilation the nondeterminism is induced into the sourceprogram by the supercompiler’s non-standard “transformation semantics” [1], not the standard semanticsof the source language. Neither approach shows why a protocol is insecure or how to fix it, but a step inthis direction has been taken by building attack models [24].Table 2 summarizes the two approaches. The entries in the table are for a general-purpose supercom-piler [29], bearing in mind there are different supercompiler variants ( e.g. , [22, 24, 27]). The simulator(SIM) interprets a pushdown program for a given protocol graph (sequence of edges) on the input tapeand the supercompiler (SCP) transforms the program representation of the security problem into a resi-dual program. Provided that SIM is correct, the answer (accept/reject) is sound and complete (multihead2NPDA are decidable). Provided that SCP is correct, the generated residual program is a sound answer,but depending on the particular protocol encoding, the residual program may not always answer the se-curity question ( e.g. , due to overgeneralization it contains valid and invalid final states even though theprotocol is secure, or due to infinite specialization no program is generated at all). Thus, completenessof the answer is marked as ‘case by case’ in the table. (An exception is the verification of ping-pongprotocols which was shown to be decidable for all multi-party ping-pong protocols [24].)Exponential time complexity was conjectured for ping-pong protocol verification by supercompi-lation [24], while the space complexity class is unknown. The time and space complexity classes ofmultihead 2NPDA are guaranteed [30]. The source language of SIM is a subuniversal (not Turing-complete), nondeterministic and tail-recursive pushdown language (Sect. 3), while the source languageof SCP is a universal (Turing-complete), deterministic and recursive first-order functional language. Thedeterministic and nondeterministic property of their source languages is also indicated in Fig. 1. It has been know for several decades that nondeterministic programs are well suited for combinatorialsearch problems, and in many cases even easier to write than deterministic ones [11]. An obstacle isthe effective control of the often exponential-time complexity of straightforward runs and nontermi-nating computation paths. For two-way nondeterministic pushdown automata, a polynomial-time andterminating bottom-up simulation algorithm could be given [3]. Another simulation algorithm [14] fol-lows top-down, all reachable computation paths, as does the one for two-way deterministic pushdown82 AnExperiment inPing-Pong Protocol Verification by Nondeterministic Pushdown Automataautomata [17]. In these algorithms, exponential time is converted into polynomial time by sharing com-putations. A linear-time simulation by instrumented two-way deterministic pushdown programs is givenin [23]. Certain methods of model checking [4] also make use of pushdown systems. A classic casewhere investigations in pure theory of pushdown automata led to a practically significant algorithm ispattern matching [20]. The case study presented here appears to be one of the first to show how a nonde-terministic pushdown language can be used as a decidable programming model for protocol verification.A series of case studies examined the verification of protocols by program transformation ( e.g. , [22]),and in particular cryptographic protocols by supercompilation ( e.g. , [2, 24]). A few orthogonal super-compilation principles [29] were shown to solve a number of seemingly different verification problems.Related approaches for specific verification problems have been investigated ( e.g. , [16, 19]) and compa-rable results can be conjectured ( e.g. , [12]). Interpreters have been used to improve the transformationof programs ( e.g. , [13, 15]), which is another way to factorize supercompilation-based verification. Theliterature on transformation-based verification is larger than the one cited here, including approachesbased on unfold/fold rules ( e.g. , [10]). The present study examined a related, but different programminglanguage solution, namely nondeterministic programs in a decidable computation model with guaran-teed resource bounds. Related principles underlying both approaches, verification by transformation andinterpretation, were discussed above (Sect. 5). Extensions of logic languages with tabulation can ensuretermination and optimal known complexity for queries to a large class of practical programs [28].
This study broadens previous studies on the verification of security by program transformation in thatanother programming language approach, namely program interpretation, is used. We confirmed thatthe security of a well-studied class of cryptographic protocols can be verified by a 1-head 2NPDA.The interpretive approach used in this experiment considerably simplified the verification, by separatingnondeterministic pushdown logic from control concerns, which shows again the power of a declarativestyle of programming.Program transformation and interpretation are two sides of the same coin, and we identified princi-ples that both verification approaches share ( e.g. , explore all possible paths of a security problem). Alsonoteworthy is how abstract results from automata theory can be applied to practical problems when com-bined with a programming language approach, and that this can yield more natural and simple solutions.This study is one of the few examples in the literature where pushdown automata have been used to an-swer questions other than those of formal language theory. This situation is perhaps surprising becausethe multihead 2NPDA programming model is equivalent to the class of polynomial-time algorithms anddecidable within guaranteed time and space bounds determined by the number of heads.Though we showed how a class of cryptographic protocols can be verified by nondeterministic pro-gramming, further work is needed before a more complete picture emerges as to the practicality of theinterpretive pushdown approach. The pushdown computation model is subuniversal, and thus cannot beexpected to be capable of solving all verification problems in reach of a general-purpose program trans-former, such as a supercompiler using sophisticated generalization techniques and capable of generatingcomplex recursive programs as answers. On the other hand, the multihead nondeterministic pushdownmodel is theoretically powerful enough to decide all polynomial-time verification problems, but whetherthis is as straightforward as in the case of ping-pong protocols, only further investigations will show.Verification of multi-party extended protocols [24] in further studies is warranted.From a programming perspective, the “machine-code” transition rules of classic presentations of.Gl¨uck 183pushdown automata are too low-level. A step towards a more user-friendly abstraction was undertakenin this paper by employing an imperative flowchart language with deterministic and nondeterministiccontrol-flow operators. Still, the language inherits the linear input tape from automata theory. Morepractical data structures and languages abstractions could be considered, e.g. arrays and index calcula-tions [23], tree-structured data or cons-free functional programming languages [18].
Acknowledgements.
Thanks to Antonina Nepeivoda for a concise explanation of the Dolev-Yao modeland to the anonymous reviewers for their constructive feedback.
References [1] Sergei M. Abramov & Robert Gl¨uck (2000):
Combining semantics with non-standard interpreter hierarchies .In Sanjiv Kapoor & Sanjiva Prasad, editors: FoundationsofSoftwareTechnologyandTheoreticalComputerScience.Proceedings, LNCS 1974, Springer-Verlag, pp. 201–213, doi: .[2] Abdulbasit Ahmed, Alexei P. Lisitsa & Andrei P. Nemytykh (2013):
Cryptographic protocol verificationvia supercompilation (a case study) . In Alexei P. Lisitsa & Andrei P. Nemytykh, editors: Verification andProgramTransformation.Proceedings, EPiCSeriesinComputing 16, pp. 16–29, doi: .[3] Alfred V. Aho, John E. Hopcroft & Jeffrey D. Ullman (1968):
Time and tape complexity of pushdown au-tomaton languages . InformationandControl13(3), pp. 186–206, doi: .[4] Rajeev Alur, Ahmed Bouajjani & Javier Esparza (2018):
Model checking procedural programs . In Ed-mund M. Clarke, Thomas A. Henzinger, Helmut Veith & Roderick Bloem, editors: Handbook of ModelChecking, Springer-Verlag. To appear.[5] Holger B. Axelsen & Robert Gl¨uck (2011):
What do reversible programs compute?
In Martin Hofmann,editor: Foundations of Software Science and Computation Structures. Proceedings, LNCS 6604, Springer-Verlag, pp. 42–56, doi: .[6] Stephen A. Cook (1972):
Linear time simulation of deterministic two-way pushdown automata . In Charles V.Freiman, John E. Griffith & Jack L. Rosenfeld, editors: InformationProcessing71, North-Holland, pp. 75–80.[7] Danny Dolev, Shimon Even & Richard M. Karp (1982):
On the security of ping-pong protocols . InformationandControl55(1-3), pp. 57–68, doi: .[8] Danny Dolev & Andrew C. Yao (1981):
On the security of public key protocols (extended abstract) . In:FoundationsofComputerScience.Proceedings, IEEE Computer Society, pp. 350–357, doi: .[9] Danny Dolev & Andrew C. Yao (1983):
On the security of public key protocols . IEEE Transactions onInformationTheory 29(2), pp. 198–207, doi: .[10] Fabio Fioravanti, Alberto Pettorossi & Maurizio Proietti (2002):
Verification of sets of infinite state processesusing program transformation . In Alberto Pettorossi, editor: LogicBased ProgramSynthesisand Transfor-mation.Proceedings, LNCS 2372, Springer-Verlag, pp. 111–128, doi: .[11] Robert W. Floyd (1967):
Nondeterministic algorithms . Journal of the ACM 14(4), pp. 636–644, doi: .[12] Yoshihiko Futamura, Zenjiro Konishi & Robert Gl¨uck (2002):
Program transformation system based ongeneralized partial computation . NewGenerationComputing20(1), pp. 75–99, doi: .[13] Robert Gl¨uck (1994):
On the generation of specializers . Journalof FunctionalProgramming 4(4), pp. 499–514, doi: .[14] Robert Gl¨uck (2016):
A practical simulation result for two-way pushdown automata . In Yo-Sub Han & KaiSalomaa, editors: ImplementationandApplicationofAutomata.Proceedings, LNCS 9705, Springer-Verlag,pp. 113–124, doi: .
84 AnExperiment inPing-Pong Protocol Verification by Nondeterministic Pushdown Automata [15] Robert Gl¨uck & Jesper Jørgensen (1994):
Generating transformers for deforestation and supercompilation .In Baudouin Le Charlier, editor: Static Analysis. Proceedings, LNCS 864, Springer-Verlag, pp. 432–448,doi: .[16] Robert Gl¨uck & Michael Leuschel (2000):
Abstraction-based partial deduction for solving inverse problems:a transformational approach to software verification . In Dines Bjørner, Manfred Broy & Alexandre V.Zamulin, editors: Perspectives of System Informatics. Proceedings, LNCS 1755, Springer-Verlag, pp. 93–100, doi: .[17] Neil D. Jones (1977):
A note on linear time simulation of deterministic two-way pushdown automata . Infor-mationProcessingLetters 6(4), pp. 110–112, doi: .[18] Neil D. Jones (1997):
Computability and Complexity: From a Programming Language Perspective . Founda-tions of Computing, MIT Press, Cambridge, Massachusetts.[19] Andrei V. Klimov (2012):
Solving coverability problem for monotonic counter systems by supercompilation .In Edmund M. Clarke, Irina Virbitskaite & Andrei Voronkov, editors: Perspectivesof Systems Informatics.Proceedings, LNCS 7162, Springer-Verlag, pp. 193–209, doi: .[20] Donald E. Knuth, James H. Morris & Vaughan R. Pratt (1977):
Fast pattern matching in strings . SIAMJournalonComputing6(2), pp. 323–350, doi: .[21] Robert Kowalski (1979):
Algorithm = logic + control . Communications of the ACM 22(7), pp. 424–436,doi: .[22] Alexei P. Lisitsa & Andrei P. Nemytykh (2007):
Verification as a parameterized testing (experimentswith the SCP4 supercompiler) . Programming and Computer Software 33(1), pp. 14–23, doi: .[23] Torben Æ. Mogensen (1994):
WORM-2DPDAs: an extension to 2DPDAs that can be simulated in lineartime . InformationProcessingLetters 52(1), pp. 15–22, doi: .[24] Antonina N. Nepeivoda (2016):
Ping-pong protocols as prefix grammars: modelling and verification viaprogram transformation . Journal of Logical and Algebraic Methods in Programming 85(5), pp. 782–804,doi: .[25] Bernhard Reus (2016):
Limits of Computation . Springer-Verlag, doi: .[26] Ronald L. Rivest, Adi Shamir & Leonard M. Adleman (1978):
A method for obtaining digital signatures andpublic-key cryptosystems . CommunicationsoftheACM21(2), pp. 120–126, doi: .[27] Morten H. Sørensen & Robert Gl¨uck (1999):
Introduction to supercompilation . In John Hatcliff, Torben Æ.Mogensen & Peter Thiemann, editors: PartialEvaluation.PracticeandTheory, LNCS 1706, Springer-Verlag,pp. 246–270, doi: .[28] Terrance Swift & David S. Warren (2012):
XSB: extending Prolog with tabled logic programming . TheoryandPracticeofLogicProgramming12(1-2), pp. 157–187, doi: .[29] Valentin F. Turchin (1986):
The concept of a supercompiler . ACM TOPLAS 8(3), pp. 292–325, doi: .[30] Klaus Wagner & Gerd Wechsung (1986):