Verification of Security Protocols with Lists: from Length One to Unbounded Length

Verification of Security Protocols wit Lists: from Lengt One to Unbounded Lengt INRIA, Miriam Paiola and Bruno Blancet École Normale Supérieure, CNRS, Paris {paiola,blancet}@di.ens.fr Abstract. We present a novel, simple tecnique for proving secrecy properties for security protocols tat manipulate lists of unbounded lengt, for an unbounded number of sessions. More specifically, our tecnique relies on te Horn clause approac used in te automatic verifier ProVerif: we sow tat if a protocol is proven secure by our tecnique wit lists of lengt one, ten it is secure for lists of unbounded lengt. Interestingly, tis teorem relies on approximations made by our verification tecnique: in general, secrecy for lists of lengt one does not imply secrecy for lists of unbounded lengt. Our result can be used in particular to prove secrecy properties for group protocols wit an unbounded number of participants and for some XML protocols (web services) wit ProVerif. 1 Introduction Security protocols are protocols tat rely on cryptograpic primitives suc as encryption and signatures for securing communication between several parties. Tey aim at ensuring security properties suc as secrecy or autentication. Historically, attacks were often found against protocols tat were tougt correct. Furtermore, security flaws cannot be detected by testing since tey appear only in te presence of an attacker. Te confidence in tese protocols can ten be increased by a formal analysis tat proves te desired security properties. To ease formal verification, one often uses te symbolic, so-called Dolev-Yao model [8], wic abstracts from te details of cryptograpic primitives and considers messages as terms. In tis work, we also rely on tis model. Te formal verification of security protocols wit fixed-size data structures as been extensively studied. However, te formal verification of protocols tat manipulate more complex data structures, suc as lists, as been less studied and presents additional difficulties: tese complex data structures add anoter cause of undecidability. In tis work, we present a tecnique for proving secrecy properties for security protocols tat manipulate lists of unbounded lengt. Tis tecnique is based on te Horn clause approac used in te automatic verifier ProVerif [1,4]. ProVerif is an automatic protocol verifier tat takes as input a protocol, translates it into a representation in Horn clauses, and uses a resolution algoritm to determine weter a fact is derivable from te clauses. One can ten infer

2 Miriam Paiola and Bruno Blancet security properties of te protocol. For instance, we use a fact att(m) to mean tat te attacker may ave te message M. If att(s) is not derivable from te clauses, ten s is secret. Te main goal of tis approac is to prove security properties of protocols witout bounding te number of sessions of te protocol. Like oter protocol verifiers, ProVerif can analyze protocols wit lists if we fix te lengts of te lists a priori. However, if te protocol is verified only for some lengts, attacks may exist for oter values. So our goal is to prove te protocols for lists of any lengt. To reac tis goal, we extend te language of Horn clauses, introducing a new kind of clauses, generalized Horn clauses, to be able to represent lists of any lengt. We consider a class of protocols tat manipulate list elements in a uniform way. Because of tis uniformity, one migt intuitively tink tat secrecy for lists of lengt one implies secrecy for lists of any lengt. We sow tat tis intuition is not exactly true: in general, secrecy for lists of lengt one does not imply secrecy for lists of any lengt, as demonstrated in Sect. 4.2. However, we sow tat, for a certain class of Horn clauses, if secrecy is proved by our Horn clause tecnique for lists of lengt one, ten secrecy also olds for lists of unbounded lengt. Tis result relies on te sound abstractions made by te translation into Horn clauses. Additionally, we provide an approximation algoritm tat can transform generalized Horn clauses into clauses of te class on wic our result olds. All facts derivable from te initial clauses are also derivable from te clauses generated by te approximation algoritm, so tat we can prove secrecy on te latter clauses, and conclude secrecy for te initial clauses. Our result terefore provides an easy way of obtaining a strong security guarantee: we prove using ProVerif tat att(s) is not derivable from te clauses for lists of lengt one, and we can ten immediately conclude tat secrecy olds for lists of unbounded lengt, wit an unbounded number of sessions. Applications of our results include in particular proving secrecy properties for some group protocols tat manipulate unbounded lists, wit an unbounded number of participants. In tis paper, we focus mainly on group protocols and illustrate our work on te Asokan-Ginzboorg protocol [2]. We prove secrecy of te session key excanged in tis protocol by verifying wit ProVerif its version wit lists of lengt one and te size of te group equal to one. Anoter possible application is te treatment of XML protocols suc as web services, XML documents being modeled using possibly nested lists. Related Work Te first approac considered for proving protocols wit recursive data structures was interactive teorem proving: Paulson [17] and Bryans et al [5] study a recursive autentication protocol for an unbounded number of participants, using Isabelle/HOL for [17], and rank functions and PVS for [5]. However, tis approac requires considerable uman effort. Meadows et al [15] used te NRL protocol analyzer (NPA), based on a combination of model cecking and teorem-proving tecniques, to verify te Group Domain of Interpretation (GDOI) protocol suite. NPA could not andle te infinite data structures required for modeling general group protocols, so a single key was used instead of a key ierarcy. Several problems including type flaw

Verification of Security Protocols wit Lists 3 attacks were found in te protocol and fixed in later versions of GDOI. Te early verification of te A.GDH-2 protocol using NPA [14] seems to ave missed attacks [18], altoug te tool supports te Diffie-Hellman exponentiation [16]. Steel and Bundy [20] ave used CORAL, a tool for finding counterexamples to incorrect inductive conjectures, to model protocols for group key agreement and group key management, witout any restrictions on te scenario. Tey ave discovered new attacks against several group protocols, but cannot prove tat protocols are correct. Kremer, Mercier, and Treinen [11] verify secrecy for group protocols wit modular exponentiation and XOR, for any number of participants and an unbounded number of sessions, but only for a passive adversary (eavesdropper). Several works consider te case of a bounded number of sessions. Pereira and Quisquater [18] discovered several attacks on te CLIQUES protocol suite [21], wic extends te Diffie-Hellman key agreement metod to support dynamic group operations (A-GDH). Tey converted te problem of te verification of security properties to te resolution of linear equation systems. In [19], tey proved a first generic insecurity result for autentication protocols sowing tat it is impossible to design a correct autenticated group key agreement protocol based on te A-GDH. Truderung [22] sowed a decidability result (in NEXP- TIME) for secrecy in recursive protocols. Tis result was extended to a class of recursive protocols wit XOR [13] in 3-NEXPTIME. Cridi et al [6,7] present an extension of te constraint-based approac in symbolic protocol verification to andle a class of protocols (Well-Tagged protocols wit Autonomous keys) wit unbounded lists in messages. Tey prove tat te insecurity problem for Well- Tagged protocols wit Autonomous keys is decidable for a bounded number of sessions. We consider a class of protocols tat includes te one of [6,7] but, instead of proving decidability for a bounded number of sessions, we provide a tecnique tat can prove protocols for an unbounded number of sessions and any number of protocol participants, using abstractions. Outline Te next section recalls te tecnique used by ProVerif. In Sect. 3, we formally define generalized Horn clauses, and teir semantics by giving teir translation into Horn clauses. Additionally, we introduce our running example and motivate te introduction of tis new type of clauses. In Sect. 4, we sow our main teorem: for a class of generalized Horn clauses, if att(s) is not derivable for lists of lengt one, ten it is also not derivable for lists of any lengt. In Sect. 5, we provide an approximation algoritm for transforming generalized Horn clauses into clauses tat satisfy te ypotesis of our main teorem. Te proofs are postponed to te appendix. 2 A Reminder on ProVerif ProVerif translates te initial protocol into a set of Horn clauses. Te syntax of tese clauses is defined in Fig. 1. Te patterns represent messages tat are

4 Miriam Paiola and Bruno Blancet p ::= patterns x, y, z, v, w variable a[p 1,..., p n] name f(p 1,..., p n) constructor application F ::= att(p) facts R ::= F 1 F n F Horn clause Fig. 1. Syntax of Horn clauses excanged between participants of te protocol. A variable can represent any pattern. Names represent atomic values, suc as keys and nonces. Eac participant can create new names. Instead of creating a fres name at eac run of te protocol, te created names are considered as functions of te messages previously received by te principal tat creates it, represented by te pattern a[p 1,..., p n ]. Hence names are distinguised only wen tey are created after receiving different messages. As sown in, e.g., [1], tis is a sound approximation. Wen a name as no arguments, we write a instead of a[ ]. We use v, w, x, y, z for variables and oter identifiers a, b, c, e, L, pw, r, s,... for names. Te fact att(p) means tat te attacker may ave te pattern (message) p. A clause F 1 F n F means tat if all facts F i are true ten te conclusion F is also true. We use R for a clause, H for its ypotesis, and C for its conclusion. Te ypotesis of a clause is considered as a multiset of facts. A clause wit no ypotesis F is written simply F. Cryptograpic primitives are represented by functions and perfect cryptograpy is assumed. Tere are two kinds of functions: constructors and destructors. A constructor f is a function tat explicitly appears in te patterns tat represent messages and builds new patterns of te form f(p 1,..., p n ). Destructors manipulate patterns. A destructor g is defined by a set def (g) of rewrite rules of te form g(p 1,..., p n ) p were p 1,..., p n, p are patterns wit only variables and constructors and te variables of p appear in p 1,..., p n. Using constructors and destructors, one can represent data structures and cryptograpic operations. For instance, senc(x, y) is te constructor tat represents te symmetric key encryption of te message x under te key y. Te corresponding destructor sdec(x, y) returns te decryption of x if x is a message encrypted under y. Te rewrite rule tat defines sdec is sdec(senc(x, y), y) x. A protocol is represented by tree sets of Horn clauses: 1. initial knowledge of te attacker: we ave a fact att(p) for eac p initially known by te attacker. 2. abilities of te attacker: att(a) for eac constructor f of arity n: att(x 1 ) att(x n ) att(f(x 1,... x n ))

Verification of Security Protocols wit Lists 5 for eac destructor g, for eac rule g(p 1,..., p n ) p in def (g): att(p 1 ) att(p n ) att(p) Te first clause represents te ability of te attacker to create fres names a: all fres names tat te adversary may create are represented by te single name a. Te oter clauses mean tat if te attacker as some messages, ten e can apply constructors and destructors to tem. 3. te protocol itself: for eac message p of te protocol sent by agent A, we create te clause att(p 1 ) att(p n ) att(p), were p 1,..., p n are patterns representing te messages received by A before sending message p. Indeed, if te attacker as p 1,..., p n, ten it can send tem to A and intercept A s reply p. Tis representation of protocols by Horn clauses is approximate, in particular because Horn clauses tat represent te protocol itself can be applied any number of times instead of exactly once per session. However, it is sound: if att(p) cannot be derived from te clauses, ten te protocol preserves te secrecy of p. (Tis is proved by [1, Teorem 7.2.3] wen te clauses are generated from a pi calculus model of te protocol.) ProVerif determines weter att(p) is derivable from te clauses using resolution wit free selection [3]: we combine pairs of clauses by resolution; te literals upon wic we perform resolution are cosen by a selection function. Next, we define wen a given fact is derivable from a given set of clauses. Definition 1 (Subsumption). We say tat R 1 = H 1 C 1 subsumes R 2 = H 2 C 2, and we write R 1 R 2, if and only if tere exists a substitution σ suc tat σc 1 = C 2 and σh 1 H 2 (multiset inclusion). We say tat R 1 subsumes R 2 wen R 2 can be obtained by adding ypoteses to a particular instance of R 1. In tis case, all facts tat can be derived by R 2 can also be derived by R 1, so R 2 can be eliminated. Definition 2 (Derivability). Let F be a closed fact, tat is, a fact witout variable. Let R be a set of clauses. F is derivable from R if and only if tere exists a derivation of F from R, tat is, a finite tree defined as follows: 1. Its nodes (except te root) are labeled by clauses R R; 2. Its edges are labeled by closed facts; 3. If te tree contains a node labeled R wit one incoming edge labeled by F 0 and n outgoing edges labeled by F 1,..., F n, ten R F 1 F n F 0. 4. Te root as one outgoing edge labeled by F. Te unique son of te root is named te subroot.... R η F 1... F R η F 0 F n......... Fig. 2. Derivation of F root subroot...

6 Miriam Paiola and Bruno Blancet Tis definition is illustrated in Fig. 2. In a derivation, if tere is a node labeled by R wit one incoming edge labeled by F 0 and n outgoing edges F 1,..., F n ten F 0 can be derived by F 1,..., F n by te clause R. Terefore tere exists a derivation of F from R if and only if F can be derived from clauses in R (in classical logic). 3 Abstract Representation of Protocols by Generalized Horn Clauses Tis section is devoted to te abstract representation of protocols by generalized Horn clauses. After introducing a running example and motivating our coices, we give te syntax and semantics of generalized Horn clauses. 3.1 Running Example As a running example, we use a version of te Asokan-Ginzboorg protocol [2] for key agreement, also used in [7,20]. Let te set of players be {a i, i = 1,..., N } for N 1 and L be te leader. Te protocol describes te establisment of a session key between te leader and te oter N participants. (1) L ALL : (L, { e } pw ) (2) a i L : (a i, { (r i, s i ) } e ) (3) L a i : { (s 1,..., s N, s ) } ri (4) a i L : (a i, { (s i, (s 1,..., s N, s )) } K ), for some i, were K = f(s 1,..., s N, s ) At te beginning, te participants sare te knowledge of a password pw and of two N + 1-input as functions f and. (In tis paper, we ignore dictionary attacks against pw and consider pw as a strong key.) First, te leader sends to all oter participants is identity paired wit a fres key e encrypted wit te password pw. Eac participant a i for i {1,..., N } decrypts { e } pw and ten creates a fres key r i and a fres nonce s i wic will be is contribution to te final session key. Ten e sends { (r i, s i ) } e paired wit is identity. Wen L receives tis message, e decrypts it and assumes tat it as been created by a i. After receiving all N messages, te leader creates is contribution s to te final key and sends to eac participant a i for i {1,..., N } te list of all contributions encrypted wit te key r i tat a i previously sent. If step 3 is completed successfully, eac participant can compute te session key K = f(s 1,..., s N, s ). In te end, te leader randomly picks one of te oter players and asks im for step 4. 3.2 Need for Generalizing Horn Clauses We would like to model te example protocol of Sect. 3.1 by Horn clauses and use ProVerif to verify it. Since we consider a parametric group size, we encounter

Verification of Security Protocols wit Lists 7 several problems. First, we ave to deal wit lists wose lengt is not fixed but is te size N of te group, suc as s 1,..., s N in message 3 of te example. Next, we need conjunctions of N facts (and N is again not fixed) to represent tat some agents receive one message from eac group member. For example, wen translating message 3 into Horn clauses, te leader L expects messages 2 of te form (a i, { (v i, w i ) } e ) from eac a i. (Te leader cannot verify te incoming values of r i, s i so tey become variables v i, w i.) Ten L replies wit message 3 { (w 1,..., w N, s ) } vi were s is a fres name generated by L, modeled as a function of te previously received messages s [v 1, w 1,..., v N, w N ]. Te attacker can send te incoming messages and intercept L s reply, so we find te clause att((a 1, senc((v 1, w 1 ), e))) att((a N, senc((v N, w N ), e))) att(senc((w 1,..., w N, s [v 1, w 1,..., v N, w N ]), v i )). (1) were senc is te encryption function. We solve tose two problems by adding two new constructs to te syntax of Horn clauses: list(i N, p i ) for te list of elements p i wit index i in te set {1,..., N }, tat is, list(i N, p i ) stands for p 1,..., p N (inspired by te mpair construct of [7]) and i 1 N,...,i N F for te conjunction of facts F wit indices i 1,..., i in {1,..., N }. 3.3 Syntax Tis section formally defines te syntax and semantics of generalized Horn clauses. p G, s, t ::= patterns x i1,...,i variable ( 0) f(p G 1,..., p G l ) function application a i[p G 1,..., p G l ] indexed names list(i M, p G ) list constructor F G ::= i 1 M 1,...,i M att(p G ) facts R G ::= F1 G Fn G att(p G ) generalized Horn clause Fig. 3. Syntax of our protocol representation Te syntax of tese new clauses is defined in Fig. 3. Te patterns p G tat represent messages are enriced wit several new constructs. Te variables may ave indices x i1,...,i. Te pattern for function application f(p G 1,..., p G l ) includes not only constructor application but also names a[p G 1,..., p G l ] were a is a name witout index. Te indexed name a i [p G 1,..., p G l ] represents a name created by te group member number i. We added a particular constructor list(i M, p G ) to represent lists of lengt M, were M is an unknown bound. In te Asokan-Ginzboorg protocol, we can write, for example, at message 3: senc((list(j N, s j ), s ), r i ) for senc((s 1,..., s N, s ), r i ). Te last element s

8 Miriam Paiola and Bruno Blancet is not included in te list list(j N, s j ), to distinguis s tat as just been created by te leader from s i wit i = 1,..., N tat as just been received by im: s 1,..., s N are treated in a uniform way wile s is treated differently. We extend facts to model te possibility of aving a conjunction of facts depending on indices, so tat te syntax for facts becomes i 1 M 1,...,i M att(p G ). For example, intuitively, i M att(pg ) represents att(p G {i 1}) att(p G {i M}), were p G {i i } denotes p G in wic i as been replaced wit i. Te conjunction i 1 M 1,...,i M wit = 0 is omitted: te fact is ten simply att(p G ). Te generalized Horn clause F1 G Fn G att(p G ) means tat, if te facts F1 G,..., Fn G old, ten te fact att(p G ) also olds. Te conclusion of a clause does not contain a conjunction i 1 M 1,...,i M : we can simply leave te indices of att(p G ) free to mean tat att(p G ) can be concluded for any value of tese indices. 3.4 Representation of te Protocol Te representation of te abilities of te attacker includes te clauses given in Sect. 2. For our running example, att(a i ) and att(l) represent tat te attacker initially knows a i and L, and te clauses att(a) att(x) att(y) att(senc(x, y)) att(x) att(f(x)) att(senc(x, y)) att(y) att(x) att(x) att((x)) att(x) att(y) att((x, y)) att((x, y)) att(x) att((x, y)) att(y) represent tat te attacker can create fres names, encrypt and decrypt messages, apply as functions, compose and decompose pairs. In addition, we ave clauses for list, wic generalize clauses for pairs: i M att(x i) att(list(j M, x j )) (2) att(list(j M, x j )) att(x i ) (3) Let us now give te clauses tat represent te protocol itself. We suppose tat eac principal always plays te same role in te protocol; we could build a more complex model in wic te same principal can play several roles by adding clauses. Te leader L sends te first message (L, { e } pw ) and te attacker intercepts it, so we ave te fact: att((l, senc(e, pw))). Eac agent a i wit i = 1,..., N expects a message 1 of te form (L, { y } pw ). (a i cannot verify te value of te key e, so it becomes a variable y.) Agent a i replies wit message 2: (a i, { (r i, s i ) } y ), were te new names r i and s i are encoded as functions of te key y just received. If te attacker sends te first message

Verification of Security Protocols wit Lists 9 (L, { y } pw ) to a i, a i replies wit (a i, { (r i, s i ) } y ), and te attacker can intercept tis reply, so we obtain te clause: att((l, senc(y, pw))) att((a i, senc((r i [y], s i [y]), y))) (4) For te output of message 3, te leader replies wit { (w 1,..., w N, s ) } vi were s is a fres name generated by L modeled as a function of te previously received messages s [v 1, w 1,..., v N, w N ]: te clause (1) was already given in Sect. 3.2; we adapt it using list and conjunctions over te set of participants: j N att((a j, senc((v j, w j ), e))) (5) att(senc((list(j N, w j ), s [list(j N, (v j, w j ))]), v i )) Finally, if a i as received a message 1 of te form (L, { y } pw ) and a message 3 of te form { (z 1,..., z N, z ) } ri[y], encoded as { (list(j N, z j ), z ) } ri[y], 1 ten a i computes te session key K = f((list(j N, z j ), z )) and one a i sends to te leader message 4: (a i, { (s i [y], ((list(j N, z j ), z ))) } K ). att((l, senc(y, pw))) att(senc((list(j N, z j ), z ), r i [y])) att((a i, senc((s i [y], ((list(j N, z j ), z ))), K))) were K = f((list(j N, z j ), z )) We want to prove te secrecy of te session key K. However, tis key depends on data received by protocol participants, so we cannot simply test te derivability of att(k). We can use te following trick: to test te secrecy of te key K tat participant a i as, we consider tat a i sends te encryption { s } K of a secret s under K. If K is secret, te adversary will not be able to decrypt te message, so s will remain secret. Terefore, we add te clause att(senc((list(j N, z j ), z ), r i [y])) att(senc(s, f((list(j N, z j ), z )))) to model te output of { s } K, and we test te derivability of att(s ). We ave also used a similar clause to prove te secrecy of te key K tat L as. 3.5 Type System for te New Clauses In Fig. 4, we define a simple type system for te generalized Horn clauses. Te goal of tis type system is to guarantee tat all variables use indices tat vary 1 In te protocol, te participant a i can ceck weter te component z i of te list is is own contribution s i[y], but cannot ceck te oter components. Our representation of lists does not allow us to model suc a test: in fact, we cannot substitute a i directly because, in te construct for lists list(j N, z j), all elements z j need to ave te same form. Moreover, we ave built examples of protocols wit suc tests, for wic our result does not old: intuitively, te test breaks te uniform treatment of te elements of lists, so proving secrecy by te Horn clause tecnique for lists of lengt one does not imply secrecy for lists of unbounded lengt. We sall prove secrecy witout te test on z i; tis implies a fortiori secrecy wit tis test, because te clause witout test subsumes te one wit te test. In general, removing tese tests may obviously lead to false attacks. (6)

10 Miriam Paiola and Bruno Blancet i : [1, M] Γ Γ i : [1, M] (EnvIndex) x : [1, M 1] [1, M ] Γ Γ x : [1, M 1] [1, M ] (EnvVar) Γ x : [1, M 1] [1, M ] Γ i 1 : [1, M 1]... Γ i : [1, M ] (Var) Γ x i1,...,i Γ p G 1... Γ p G Γ f(p G 1,..., pg ) (Fun) Γ p G 1... Γ p G Γ i : [1, N] Γ a i[p G 1,..., pg ] (Name) Γ, i : [1, M] p G Γ list(i M, p G ) (List) Γ, i 1 : [1, M 1],..., i : [1, M ] p G Γ (Fact) i 1 M 1,...,i M att(p G ) Γ F G 1... Γ F G n Γ F G Γ F G 1 F G n F G (Clause) Fig. 4. Type system for generalized Horn clauses in te appropriate interval. We sall see in Sect. 4 tat tis type system is also very elpful in order to establis our main result. Definition 3. An index i is bound if: it appears as an index of a conjunction defining a fact, so, for instance, in te fact i 1 M 1,...,i M att(p G ), i 1,..., i are bound in att(p G ). it appears as an index for a list constructor, tat is, in te pattern list(i M, p G ), i is bound in p G. Indices tat are not bound are free. For simplicity, we suppose tat te bound indices of clauses ave pairwise distinct names, and names distinct from te names of free indices. Tis can easily be guaranteed by renaming te bound indices if needed. In te type system, te type environment Γ is a list of type declarations: i : [1, M] means tat i is of type [1, M], tat is, intuitively, te value of index i can vary between 1 and te value of te bound M. x : [1, M 1 ] [1, M ] means tat te variable x expects indices of types [1, M 1 ],..., [1, M ]. Te type system defines te judgments: Γ i : [1, M], wic means tat i as type [1, M] in environment Γ, by rule (EnvIndex); Γ x : [1, M 1 ] [1, M ], wic means tat x expects indices of types [1, M 1 ],..., [1, M ] according to environment Γ, by rule (EnvVar); Γ p G, Γ F G, Γ R G, wic mean tat p G, F G, R G, respectively, are well typed in environment Γ.

Verification of Security Protocols wit Lists 11 Most type rules are straigtforward. For instance, te rule (Var) means tat x i1,...,i is well typed wen te types expected by x for its indices matc te types of i 1,..., i. Te rule (Name) deserves an additional explanation: we ave no information in Γ to set te type of te index of name a, and ence te index of a can ave any type. A priori, it is obviously expected tat te index of a certain name a always as te same type. However, te additional freedom given by te type rule will be useful in te rest of te paper: te transformations of Sect. 5 can create clauses in wic te same name a as indices of different types. Te formal meaning of suc clauses can be defined by assuming tat te name a exists for indices up to te value of te largest bound. It is easy to verify tat te clauses of Sect. 3.4 are well typed in our type system. Clause (2) is well typed in te environment x : [1, M], (3) in te environment x : [1, M], i : [1, M], and te oter clauses in te environment in wic all free indices ave type [1, N] and te variables expect indices of type [1, N]. 3.6 Translation from Generalized Horn Clauses to Horn Clauses A generalized Horn clause represents several Horn clauses: for eac value of te bounds M and of te free indices i tat occur in a generalized Horn clause R G, R G corresponds to a certain Horn clause. Tis section formally defines tis correspondence. p ::= patterns x ı1,...,ı variable a ı[p 1,..., p ] name f(p 1,..., p ) constructor application p 1,..., p list F ::= att(p) facts R ::= F 1... F n F Horn clauses Fig. 5. Syntax of Horn clauses Te syntax of Horn clauses obtained by translation of generalized Horn clauses is given in Fig. 5. Tis syntax is similar to tat of initial Horn clauses (Fig. 1) except tat variables and names can now ave indices ı, wic are integer values, and tat we include a pattern p 1,..., p for representing lists (wic will be generated by translation of list). Definition 4. Given a generalized Horn clause R G well typed in Γ, an environment T for R G is a function tat associates to eac bound M a fixed integer M T and to eac free index i tat appears in R G, an index i T {1,..., M T }, if Γ i : [1, M]. Given an environment T and values ı 1,..., ı, we write T [i 1 ı 1,..., i ı ] for te environment tat associates to indices i 1,..., i te values ı 1,..., ı respectively and tat maps all oter indices as in T.

12 Miriam Paiola and Bruno Blancet Given an environment T, a generalized Horn clause R G is translated into te standard Horn clause R GT defined next. We denote respectively p GT, F GT,... te translation of p G, F G,... using te environment T. Te translation of a pattern p G is defined as follows: (x i1,...,i ) T = x i T 1,...,i T. f(p G 1,..., p G l )T = f(p GT 1,..., p GT l ). a i [p G 1,..., p G l ]T = a i T [p GT 1,..., p GT l ]. list(i M, p G ) T = p GT [i 1],..., p GT [i M T ]. Te translation of list is a list; we stress tat tis translation uses a list symbol... different from te tuple symbol (...): list is te only construct tat can introduce te list symbol.... Tis is important to make sure tat confusions between tuples tat may occur in te protocol and list do not occur for particular list lengts. In te implementation of te protocol, one must also make sure to use distinct encodings for list and for tuples. Te translation of a fact F G = i 1 M 1,...,i M att(p G ) is F GT = att(p 1 )... att(p k ) were {p 1,..., p k } = {p GT T = T [i 1 ı 1,..., i ı ] were ı j {1,..., Mj T } for all j in {1,..., }}, and (F 1 G Fn G ) T = F1 GT Fn GT. Finally, we define te translation of te generalized Horn clause R G = H G att(p G ) as R GT = H GT att(p GT ). For instance, te translation of te clause (5) in te environment T = {N 1, i 1} is att((a 1, senc((v 1, w 1 ), e))) att(senc(( w 1, s [ (v 1, w 1 ) ]), v 1 )). Wen R G is a set of generalized Horn clauses, we define R GT = {R GT R G R G, T is an environment for R G }. In terms of abstract interpretation, te sets of generalized Horn clauses ordered by inclusion constitute te abstract domain, te sets of Horn clauses ordered by inclusion te concrete domain, and R GT is te concretization of R G. Te set R GT includes clauses translated for any values of te bounds. In our running example, for instance, tis allows one to consider several sessions of te protocol tat ave different group sizes N, and interactions between suc sessions. 4 From Any Lengt to Lengt One In tis section, we define a mapping from lists of any lengt to lists of lengt one, and sow tat derivability for lists of any lengt implies derivability for lists of lengt one, for a particular class of Horn clauses. 4.1 Main Result Given a generalized Horn clause R G, tere exists only one environment T for R G suc tat all bounds are equal to 1. Hence by now we use R G1 for te only

Verification of Security Protocols wit Lists 13 possible translation of R G wen all bounds are 1. We define R G1 = {R G1 R G R G }. Next, we define a translation from clauses in wic bounds can ave any value, following te syntax of Fig. 5, to clauses in wic te bounds are fixed to 1: {x 1,...,1 } if p = x ı1,...,ı I(p) = {f(p 1,..., p ) p 1 I(p 1 ),..., p I(p )} if p = f(p 1,..., p ) {a 1 [p 1,..., p ] p 1 I(p 1 ),..., p I(p )} if p = a ı [p 1,..., p ] { p p I(p 1 ) I(p )} if p = p 1,..., p Tis translation maps all indices of variables and names to 1. Te translation of a list is a list wit one element, containing te translation of any element of te initial list. Several coices are possible for te translation of a list; I(p) returns te set of all possible patterns. Given a fact F = att(p), its translation wen te bounds are fixed to 1 is I(att(p)) = {att(p) p I(p)} Given a conjunction of facts F 1 F, its translation wen te bounds are fixed to 1 is I(F 1 F ) = I(F 1 ) I(F ). We say tat a term or fact is linear wen it contains at most one occurrence of eac variable x (wit any indices, so it cannot contain x i and x j for instance). Finally, we can state te main teorem of our paper: Teorem 1. Let R G be a set of generalized Horn clauses suc tat, for eac clause R G R G, R G is well typed, tat is, tere exists Γ suc tat Γ R G, wit te following conditions: 1. te free indices of R G ave pairwise distinct types in Γ ; 2. te conclusion of R G is linear and te bound indices in te conclusion of R G ave pairwise distinct bounds, and bounds different from te bounds of free indices of R G in Γ. For all facts F, if F is derivable from R GT, ten for all F I(F ), F is derivable from R G1. If we sow tat, for some F I(F ), F is not derivable from R G1, ten using tis teorem, F is not derivable from R GT. Suppose tat we want to sow tat s is secret in a protocol represented by te clauses R G. We sow using for instance ProVerif tat att(s) is not derivable from R G1, tat is, we prove secrecy wen te bounds are all fixed to 1. By Teorem 1, we conclude tat att(s) is not derivable from R GT, so we obtain secrecy for any bounds. Unfortunately, tis teorem does not apply to all Horn clauses: Hypoteses 1 and 2 ave to be satisfied. Te clauses of our running example do not satisfy tese ypoteses. We sall see in Sect. 5 ow to transform te clauses so tat tey satisfy te required ypoteses.

14 Miriam Paiola and Bruno Blancet 4.2 Examples To illustrate wy te ypoteses of te teorem are necessary, we provide examples for wic te teorem does not old because some ypoteses are not satisfied. Consider te following protocol: (1) A B : {(a, a)} k (2) B A : ({(b, b)} k, {s} f(a,b) ) (3) A C : {(a 1, a 1)} k,..., {(a N, a N )} k (4) C A : f(a 1, a 1),..., f(a 1, a N ),..., f(a N, a 1),..., f(a N, a N ) At te beginning, te participants A, B, C sare a key k. A first sends to B a fres nonce a paired wit itself and encrypted under k. Wen B receives it, e creates a fres nonce b, computes te as f(a, b) and sends te pair ({(b, b)} k, {s} f(a,b) ), were s is some secret. A can ten decrypt {(b, b)} k, obtain b, compute f(a, b), decrypt {s} f(a,b), and obtain s, but an adversary sould be unable to compute s. In te second part of te protocol (Messages 3 and 4), A sends to C a list of N fres pairs (a i, a i ) encrypted wit k and C replies wit te matrix of te ases f(a i, a j ). Now, if an attacker sends {(a, a)} k, {(b, b)} k to C as Message 3, e obtains f(a, b) by decomposition of te list f(a, a), f(a, b), f(b, a), f(b, b) and can now decrypt {s} f(a,b) and obtain te secret s. However, if we consider only lists of one element, tere is no attack: te last message consists of f(a, a ) if Message 3 was {(a, a )} k, so te adversary would need to ave {(a, b)} k in order to obtain f(a, b). Te generalized Horn clause for Message 4 is: att(list(i N, senc((x i, y i ), k))) att(list(i N, list(j N, f(x j, y i )))) In tis clause, te Hypotesis 2 of Teorem 1 is not satisfied, because te bound indices i and j ave te same bound N. If we translate tis clause for lists of one element, we obtain att( senc((x 1, y 1 ), k) ) att( f(x 1, y 1 ) ) and wit tis clause (and oter clauses representing tis protocol), att(s) is not derivable because att(f(a, b)) is not derivable, wile wit lists of lengt two, as we previously sowed, tere is an attack: att(s) is derivable. Tis example confirms tat bound indices in te conclusion must ave pairwise distinct bounds. Similarly, we can define a group protocol between a participant B, a leader L, and N group members A i : (1) L B : {(a, a)} p (2) B L : ({(b, b)} p, {s} f(a,b) ) (3) L A i : {(a 1, a 1)} p,..., {(a N, a N )} p (4) A i L : f(a 1, a i ),..., f(a N, a i ) In tis case, te generalized Horn clause for Message 4 is: att(list(i N, senc((x i, y i ), p))) att(list(j N, f(x j, y i )))

Verification of Security Protocols wit Lists 15 were again te Hypotesis 2 of Teorem 1 is not satisfied: te bound index j as te same bound N as te free index i, because tey index te same variable x. As above, att(s) is derivable from te clauses for lists of lengt 2 but not for lists of lengt one. Tere are similar examples regarding Hypotesis 1, for instance wit te clause att(list(i N, senc((x i, y i ), p))) att(f(x j, y i )) in wic te free indices i and j ave te same type [1, N], but it is more difficult to find a concrete protocol tat would generate suc a clause. (Typically, te protocol participants are indexed by a single index i, so clauses often ave a single free index.) Next, we consider a different kind of example: for te following protocol, te set of Horn clauses satisfies te ypotesis of Teorem 1, so we can apply te teorem. However, te protocol preserves secrecy for lists of lengt one but not for lists of unbounded lengt. Tis illustrates tat te approximations made in te translation to Horn clauses are key for our teorem to old: att(s) is derivable from te clauses, even for lists of lengt one. Let A and B be te two participants of te protocol tat sare a key k. Let be a as function. (1) A B : {e} k, (b 1, b 2 ), {s} ({b1} e,{b 2} e) (2) B A : x 1,..., x M (3) A B : {x 1 } e,..., {x M } e A cooses a fres key e and two random nonces b 1, b 2, and sends to B te message {e} k, (b 1, b 2 ), {s} ({b1} e,{b 2} e) were s is a secret. B obtains e by decryption, computes te key ({b 1 } e, {b 2 } e ), and obtains s by decrypting wit tis key. Later, B sends a list x 1,..., x M and A returns tat list wit all components encrypted under e. Clearly, if we consider tis protocol for lists of lengt M 2, tere is an attack: te attacker can send to A te list b 1, b 2,... and e obtains at Message 3 te list {b 1 } e, {b 2 } e, {... } e. He can ten compute te as ({b 1 } e, {b 2 } e ) and decrypt {s} ({b1} e,{b 2} e) to obtain te secret s. However, if we translate tis protocol to lists of lengt one, we do not find te attack: te attacker can only ask for {b 1 } e or {b 2 } e, but cannot obtain bot. For tis point to old, it is important tat te participants do not repeat te Messages 2-3 more tan once for eac session. ProVerif finds an attack against tis protocol (wic is a false attack for lists of lengt one): te abstraction done wit te representation by Horn clauses in fact allows te participants to repeat teir messages more tan once. Te translation of te protocol into clauses for lists of lengt one contains: A sends te first message: att((senc(e, k), (b 1, b 2 ), senc(s, (senc(b 1, e), senc(b 2, e))))) (7) A receives message 2 and sends message 3: att( x ) att( senc(x, e) ) (8) plus clauses for tuples, encryption, and te as function, were is a unary function suc tat att( x ) att(x) and att(x) att( x ). Now, if we query

16 Miriam Paiola and Bruno Blancet for te secrecy of s, ProVerif will find te attack: att(s) is derivable from tese clauses. Indeed, we get b 1 and b 2 from (7), ten obtain senc(b 1, e) and senc(b 2, e) by two applications of (8) (note tat we apply tis clause twice for te same e, wile te corresponding action can in fact be applied only once in te protocol itself), ten compute (senc(b 1, e), senc(b 2, e)), and finally obtain s by decrypting senc(s, (senc(b 1, e), senc(b 2, e))). 4.3 Proof of Teorem 1 Tis section sketces te proof of Teorem 1. Lemmas and details of te proof can be found in Appendix A. Te proof proceeds by building a derivation of F from R G1, from a derivation of F from R GT, by induction on tis derivation. Informally, te derivation of F from R G1 is obtained by applying I to te derivation of F from R GT. If F is derived by R GT = H GT C GT, F is an instance of C GT by a substitution σ: F = σc GT ; we sow tat any F I(F ) is an instance of C G1 by a substitution σ obtained from σ(lemma 1 and Corollary 1 in appendix) : F = σ C G1. Hence, in order to derive F using R G1 = H G1 C G1, we need to derive σ H G1 from R G1, knowing a derivation of σh GT from R GT. Informally, to sow tat tis is possible, we prove tat σ H G1 I(σH GT ) (Lemma 3 and Corollary 2 in appendix) and conclude by induction. 5 An Approximation Algoritm In Sect. 3.4, we gave te representation of te Asokan-Ginzboorg protocol wit generalized Horn clauses. However, some of tem do not satisfy te ypoteses of Teorem 1. For example, te clause (6) does not ave a linear conclusion and te same bound appears twice in te conclusion. 5.1 Approximation Algoritm Here we give an algoritm for transforming generalized Horn clauses into clauses tat satisfy te ypotesis of Teorem 1. We suppose tat te initial set of clauses R G satisfies: Hypotesis 1 For eac clause R G R G, R G is well-typed, tat is, tere exists Γ suc tat Γ R G, and eac variable as indices of pairwise distinct types, tat is, if Γ x : [1, N 1 ]..., [1, N ], ten N 1,..., N are pairwise distinct. Tis ypotesis on te initial clauses is often satisfied in practice. In particular, it is satisfied by our running example, and it sould generally be satisfied by group protocols. Indeed, te variables typically ave only one index (te number of te group member). Given a clause R G well typed in Γ, te approximation algoritm performs te following tree steps, until it reaces a fixpoint:

Verification of Security Protocols wit Lists 17 1. Suppose R G = H G att(p G ), were H G contains a free index i suc tat Γ i : [1, N] and p G contains a bound index j wit bound N, or R G contains two free indices i, j suc tat Γ i : [1, N] and Γ j : [1, N]. Te algoritm cooses a fres variable y = ρx for eac variable x tat occurs in R G wit index i, and replaces all occurrences of variables x tat ave index i wit ρx (te indices remain te same). Te obtained clause can ten be typed in an environment Γ equal to Γ except tat Γ i : [1, M] for some fres bound M and tat Γ y : [1, M 1 ] [1, M ] if y = ρx, Γ x : [1, N 1 ] [1, N ], and for eac k = 1,...,, M k = N k if N k N and M k = M if N k = N. Te indices i and j ten ave different types in te obtained clause. 2. Suppose R G = H1 G H2 G att(p G ), were p G contains a pattern list(i N, p G 1 ) as well as a pattern list(j N, p G 2 ) or a free index j suc tat Γ j : [1, N], H1 G contains all ypoteses of R G in wic te bound N appears or a free index of type [1, N] appears, and H2 G contains te oter ypoteses of R G. Te algoritm cooses a fres bound M and replaces R G wit H G 1 H G 1 H G 2 att(p G ) were: ρ is a substitution tat replaces eac variable x of H1 G and p G 1 suc tat Γ x : [1, N 1 ] [1, N ] wit N k = N for some k {1,..., } wit a fres variable y (te indices remain te same); te obtained clause will be typed in an environment Γ obtained from Γ by adding Γ y : [1, M 1 ] [1, M ] were, for eac k = 1,...,, M k = N k if N k N and M k = M if N k = N; H 1 G is obtained from ρh1 G by replacing te bound N wit M; p G is obtained from p G by replacing list(i N, p G 1 ) wit list(i M, p G 1 ), were p G 1 is p G 1 in wic all occurrences of variables x tat ave index i ave been replaced wit ρx. 3. Suppose R G = H1 G H2 G att(p G ) were p G contains at least two occurrences of a variable x, H1 G contains all ypoteses of R G in wic x appears, and H2 G contains te oter ypoteses of R G. Te algoritm cooses a fres variable y and replaces R G wit H G 1 H G 1 H G 2 att(p G ) were H G 1 is obtained from H G 1 by replacing eac occurence of x wit y (te indices remain te same), and p G is obtained from p G by replacing one occurrence of x wit y. Step 1 is applied first, until it cannot be applied. Ten step 2 is applied, until tere are no list constructors tat matc te condition. Step 2 may already rename some variables tat occur more tan once in te conclusion of te clause. Ten, wen a fixpoint is reaced wit step 2, we start applying step 3, until no variable occurs more tan once in te conclusion. Step 1 ensures tat free

18 Miriam Paiola and Bruno Blancet indices ave pairwise distinct types and tat free indices of te ypotesis ave types distinct from tose of bound indices in te conclusion. Step 2 ensures tat te bound indices in te conclusion ave pairwise distinct bounds and bounds distinct from te bounds of free indices in te conclusion. Step 3 ensures tat te conclusion is linear. Tis algoritm is similar to te algoritm tat transforms any Horn clauses into Horn clauses of te class H 1 [10]. Bot algoritms ensure te linearity of te conclusion in te same way (step 3). Step 2 uses an idea similar to step 3 to guarantee tat te types of te indices are distinct. We illustrate tis algoritm on an example below. Te next teorem sows its correctness. Its proof can be found in Appendix B. Teorem 2. Let R G be a set of clauses tat satisfies Hypotesis 1. Te approximation algoritm terminates on R G and te final set of clauses R G satisfies te ypotesis of Teorem 1. Moreover, for any fact F, if F is derivable from R GT, ten F is also derivable from R GT. 5.2 Examples We apply te approximation algoritm to our running example. For instance, let us transform te clause (6): att((l, senc(y, pw))) att(senc((list(j N, z j ), z ), r i [y])) att((a i, senc((s i [y], ((list(j N, z j ), z ))), f((list(j N, z j ), z ))))) First, as tere are two list constructors wit te same bound N in te conclusion, we apply step 2 of te algoritm: we rename te bound and variables of one of te two occurrences of list(j N, z j ) in te conclusion, so we obtain: att((l, senc(y, pw))) att(senc((list(j N, z j ), z ), r i [y])) att(senc((list(j M, x j ), z ), r i [y])) att((a i, senc((s i [y], ((list(j N, z j ), z ))), f((list(j M, x j ), z ))))) Next, as variable z appears twice in te conclusion, we apply step 3 and obtain: att((l, senc(y, pw))) att(senc((list(j N, z j ), z ), r i [y])) att(senc((list(j M, x j ), z ), r i [y])) att(senc((list(j N, z j ), x ), r i [y])) att(senc((list(j M, x j ), x ), r i [y])) att((a i, senc((s i [y], ((list(j N, z j ), z ))), f((list(j M, x j ), x ))))) Finally, tis clause satisfies te ypotesis of Teorem 1. All clauses R G given in Sect. 3.4, wic represent our running example, can be transformed in a similar way, yielding clauses R G. We ave ten sown tat att(s) is not derivable from R G1, using ProVerif wit te input file given at ttp://www.di.ens. fr/~paiola/publications/paiolablancetpost12.tml. By Teorem 1, we conclude tat att(s) is not derivable from R GT, so by Teorem 2, att(s) is not

Verification of Security Protocols wit Lists 19 derivable from R GT. Terefore, te Azokan-Ginzboorg protocol preserves te secrecy of s, tat is, it preserves te secrecy of te key K tat a i as. We ave sown in a similar way tat it preserves te secrecy of te key K tat L as. We ave also considered a basic XML encryption [9] protocol. It is a very simple protocol between two principals A and B tat sare an encryption key k and a MAC key k. In order to encrypt a list a 1,..., a M using te encryptten-mac sceme, one encrypts eac component of te list, and computes a MAC of te list of cipertexts: A B : ( {a 1 } k,..., {a M } k, mac(k, sa1({a 1 } k ),..., sa1({a M } k ) )). We ave used ProVerif to sow tat att(a 1 ) is not derivable from te set of Horn clauses for te protocol wit lists of lengt one. Terefore, tis protocol preserves te secrecy of eac a j, for j = 1,..., M. 6 Conclusions and Future Work We ave proposed a new type of clauses, generalized Horn clauses, useful to represent protocols tat manipulate lists of unbounded lengt, as well as group protocols wit an unbounded number of participants. We ave sown tat, for a subclass of generalized Horn clauses, if secrecy is proved by te Horn clause tecnique for lists of lengt one, ten we ave secrecy for lists of any lengt. We ave also provided an approximation algoritm tat transforms a set of generalized Horn clauses for satisfying te ypotesis of our main teorem. Using tese results, one can prove secrecy for lists of any lengt for some group protocols, as we did for te Azokan-Ginzboorg protocol, and for simple XML protocols. Future work includes supporting more general data structures and protocols, including more realistic XML protocols (web services). Tis will probably require a new extension of Horn clauses and of te resolution algoritm, since tese protocols may not fit in a class for wic secrecy for lists of any lengt can be proved from underivability for lists of lengt one. In particular, as we mentioned in Sect. 3.4, our tecnique does not support equality tests on certain components of lists, because in te representation of unbounded lists, all elements need to ave te same form. We plan to support suc tests in te future. Moreover, some group protocols (e.g. A.GDH-2) use te Diffie-Hellman key agreement, wic we cannot andle yet. We believe tat it could be andled by combining our result wit [12]. ProVerif supports a variant of te applied pi calculus for modeling protocols. However, our result models group protocols wit generalized Horn clauses. We plan to extend te input language of ProVerif to model group protocols, and to translate it automatically to generalized Horn clauses. Finally, we plan to consider oter security properties, suc as autentication, peraps using lists of lengt two instead of one. Acknowledgments Tis work was partly supported by te ANR project ProSe (decision number ANR-2010-VERS-004-01).

20 Miriam Paiola and Bruno Blancet References 1. Abadi, M., Blancet, B.: Analyzing Security Protocols wit Secrecy Types and Logic Programs. Journal of te ACM 52(1), 102 146 (2005) 2. Asokan, N., Ginzboorg, P.: Key agreement in ad oc networks. Computer Communications 23(17), 1627 1637 (2000) 3. Bacmair, L., Ganzinger, H.: Resolution teorem proving. In: Handbook of Automated Reasoning, vol. 1, cap. 2, pp. 19 100. Nort Holland (2001) 4. Blancet, B.: Using Horn clauses for analyzing security protocols. In: Cortier, V., Kremer, S. (eds.) Formal Models and Tecniques for Analyzing Security Protocols, Cryptology and Information Security Series, vol. 5, pp. 86 111. IOS Press, Amsterdam (2011) 5. Bryans, J., Scneider, S.: CSP, PVS and recursive autentication protocol. In: DIMACS Worksop on Formal Verification of Security Protocols (1997) 6. Cridi, N., Turuani, M., Rusinowitc, M.: Constraints-based Verification of Parameterized Cryptograpic Protocols. Researc Report RR-6712, INRIA (2008), ttp://al.inria.fr/inria-00336539/en/ 7. Cridi, N., Turuani, M., Rusinowitc, M.: Decidable analysis for a class of cryptograpic group protocols wit unbounded lists. In: CSF 09. pp. 277 289. IEEE, Los Alamitos (2009) 8. Dolev, D., Yao, A.C.: On te security of public key protocols. IEEE Transactions on Information Teory IT-29(12), 198 208 (1983) 9. Eastlake, D., Reagle, J.: XML encryption syntax and processing. W3C Candidate Recommendation (2002), ttp://www.w3.org/tr/2002/ CR-xmlenc-core-20020802/ 10. Goubault-Larrecq, J.: Une fois qu on n a pas trouvé de preuve, comment le faire comprendre à un assistant de preuve? In: JFLA 04. pp. 1 20. INRIA (2004) 11. Kremer, S., Mercier, A., Treinen, R.: Proving group protocols secure against eavesdroppers. In: IJCAR 08. LNAI, vol. 5195, pp. 116 131. Springer, Heidelberg (2008) 12. Küsters, R., Truderung, T.: Using ProVerif to analyze protocols wit Diffie- Hellman exponentiation. In: CSF 09. pp. 157 171. IEEE, Los Alamitos (2009) 13. Küsters, R., Truderung, T.: On te automatic analysis of recursive security protocols wit XOR. In: Tomas, W., Weil, P. (eds.) STACS 07. LNCS, vol. 4393, pp. 646 657. Springer, Heidelberg (2007) 14. Meadows, C.: Extending formal cryptograpic protocol analysis tecniques for group protocols and low-level cryptograpic primitives. In: WITS 00 (2000) 15. Meadows, C., Syverson, P., Cervesato, I.: Formal specification and analysis of te Group Domain of Interpretation protocol using NPATRL and te NRL protocol analyzer. Journal of Computer Security 12(6), 893 931 (2004) 16. Meadows, C., Narendran, P.: A unification algoritm for te group Diffie-Hellman protocol. In: WITS 02 (2002) 17. Paulson, L.C.: Mecanized proofs for a recursive autentication protocol. In: CSFW 97. pp. 84 95. IEEE, Los Alamitos (1997) 18. Pereira, O., Quisquater, J.J.: Some attacks upon autenticated group key agreement protocols. Journal of Computer Security 11(4), 555 580 (2003) 19. Pereira, O., Quisquater, J.J.: Generic insecurity of cliques-type autenticated group key agreement protocols. In: CSFW 04. pp. 16 19. IEEE, Los Alamitos (2004) 20. Steel, G., Bundy, A.: Attacking group protocols by refuting incorrect inductive conjectures. Journal of Automated Reasoning 36(1-2), 149 176 (2006)