Analyzing Protocols that use Modular Exponentiation: Semantic Unification

  • Authors:
  • Deepak Kapur; Paliath Narendran; Lida Wang


  • Year:
  • 2003

Abstract

Multiplication and exponentiation modulo a prime are common operations in modern cryptography. Unification problems modulo some of the equational theories that these operations satisfy are investigated. The algorithms for some of these unification problems are expected to be integrated into the Naval Research Laboratory's Protocol Analyzer (NPA), a tool developed by Catherine Meadows that has been used successfully to analyze cryptographic protocols, particularly emerging standards such as the Internet Engineering Task Force's (IETF) Internet Key Exchange [11] and Group Domain of Interpretation [12] protocols. Currently, for equational unification, NPA uses narrowing procedures, which work only for terminating and confluent rewrite systems. Since modular multiplication is associative and commutative, and commutativity cannot be oriented into a terminating rewrite rule, NPA cannot be applied effectively to protocols that use these operations. Two different but related equational theories are analyzed here. A unification algorithm is given for one of the theories; it relies on solving syzygies over multivariate integral polynomials with noncommuting indeterminates. For the other theory, in which exponentiation is assumed to distribute over multiplication, the unifiability problem is shown to be undecidable by adapting a construction developed by one of the authors to reduce Hilbert's 10th problem to the solvability problem for linear equations over semirings. A new algorithm for computing strong Gröbner bases of right ideals over the polynomial ring over Z in noncommuting indeterminates is proposed; unlike the earlier algorithms of Baader and of Madlener and Reinert, which work only for right admissible term orderings with the boundedness property, this algorithm works for any right admissible term ordering.
Techniques from several different fields, particularly symbolic computation (ideal theory and Gröbner basis algorithms) and unification theory, are used to address problems arising in state-based cryptographic protocol analysis.
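The following is an added example, not code from the paper or from NPA. It shows the kind of equational matching a state-based protocol analyzer needs for Diffie-Hellman style terms, and why syntactic matching is not enough: Alice's key pattern Y^a (Y being whatever she received) does not syntactically match Bob's key (g^a)^b, but modulo the theory there is exactly one matcher, Y = g^b. The theory modelled is an assumption: the abstract names associative-commutative multiplication, and the exponent-merging identity exp(exp(x, y), z) = exp(x, y * z) is the standard one modular exponentiation satisfies. Distributivity of exponentiation over multiplication is deliberately excluded, since the abstract reports unifiability under that theory to be undecidable. The fragment is further restricted to products occurring only in exponents and to a ground subject (matching rather than full unification); the names g, a, b, c, X, Y and the function names are illustrative.

```python
# Added example (not from the paper or NPA): AC + exponent-merging matching of
# modular-exponentiation terms, plus a numeric check modulo a prime.
# Assumed theory:  exp(exp(x, y), z) = exp(x, y * z);  * is AC.
# Distributivity exp(x*y, z) = exp(x,z)*exp(y,z) is excluded on purpose.
# Assumed restrictions: products only inside exponents, ground subject.
from collections import Counter
from itertools import product as cartesian

# Term syntax: ('const','g') | ('var','X') | ('exp', base, expo) | ('mul', s, t)
def const(n): return ('const', n)
def var(n): return ('var', n)
def exp(b, e): return ('exp', b, e)
def mul(s, t): return ('mul', s, t)

def atoms(t):
    """Flatten a product of atoms into a multiset: the AC normal form."""
    if isinstance(t, Counter):                  # already normalized
        return Counter(t)
    if t[0] == 'mul':
        return atoms(t[1]) + atoms(t[2])
    if t[0] in ('const', 'var'):
        return Counter([t])
    raise ValueError('exponentiation inside a product is outside the fragment')

def normalize(t):
    """exp(exp(b, y), z) -> exp(b, y*z), with exponents as atom multisets."""
    if t[0] != 'exp':
        return t
    base, expo = normalize(t[1]), atoms(t[2])
    if base[0] == 'mul':
        raise ValueError('a product as base needs distributivity, which is excluded')
    if base[0] == 'exp':                        # exponent merging
        return ('exp', base[1], base[2] + expo)
    return ('exp', base, expo)

def submultisets(ms):
    keys = list(ms)
    for counts in cartesian(*[range(ms[k] + 1) for k in keys]):
        yield Counter({k: c for k, c in zip(keys, counts) if c})

def scale(ms, k): return Counter({a: c * k for a, c in ms.items()})
def prod_value(ms):                             # value of a var bound in an exponent
    return next(iter(ms)) if sum(ms.values()) == 1 else ('prod', ms)
def to_multiset(v):                             # inverse of prod_value
    return Counter([v]) if v[0] == 'const' else v[1] if v[0] == 'prod' else None

def match_exponent(pat, subj, sub):
    """All extensions of substitution sub matching atom multiset pat against the
    ground multiset subj (AC matching; a variable takes a non-empty sub-product)."""
    pat, subj = Counter(pat), Counter(subj)
    for atom, k in list(pat.items()):
        value = atom if atom[0] == 'const' else sub.get(atom)
        if value is None:
            continue                            # unbound variable, handled below
        need = to_multiset(value)
        if need is None or scale(need, k) - subj:
            return                              # required atoms not present in subj
        subj -= scale(need, k)
        del pat[atom]
    if not pat:
        if not subj:
            yield dict(sub)
        return
    x, k = next(iter(pat.items()))
    del pat[x]
    for part in submultisets(subj):
        if part and not (scale(part, k) - subj):
            yield from match_exponent(pat, subj - scale(part, k), {**sub, x: prod_value(part)})

def match_term(pat, subj, sub=None):
    """All matchers of pattern pat against ground term subj modulo the theory."""
    sub = {} if sub is None else sub
    pat, subj = normalize(pat), normalize(subj)
    if pat[0] == 'var':
        if pat not in sub:
            yield {**sub, pat: subj}
        elif sub[pat] == subj:
            yield dict(sub)
        return
    if pat[0] == 'const' or subj[0] != 'exp':
        if pat == subj:
            yield dict(sub)
        return
    (_, pbase, pexp), (_, sbase, sexp) = pat, subj
    if pbase[0] == 'const':
        if pbase == sbase:
            yield from match_exponent(pexp, sexp, sub)
        return
    for part in submultisets(sexp):             # variable base: X = sbase^part
        value = ('exp', sbase, part) if part else sbase
        if sub.get(pbase, value) == value:
            yield from match_exponent(pexp, sexp - part, {**sub, pbase: value})

def evaluate(t, env, p):
    """Interpret a ground term numerically modulo prime p (env maps constant names)."""
    t = ('prod', atoms(t)) if t[0] == 'mul' else normalize(t)
    if t[0] == 'const':
        return env[t[1]] % p
    e = 1
    for atom, k in (t[2] if t[0] == 'exp' else t[1]).items():
        e *= env[atom[1]] ** k                  # exponents stay plain integers
    return pow(evaluate(t[1], env, p), e, p) if t[0] == 'exp' else e % p

def dh_matchers():
    """Alice's key pattern Y^a against Bob's key (g^a)^b: one matcher, Y = g^b."""
    g, a, b, Y = const('g'), const('a'), const('b'), var('Y')
    return list(match_term(exp(Y, a), exp(exp(g, a), b)))

def count_matchers(pattern, subject):
    return len(list(match_term(pattern, subject)))

def key_agreement_holds(p=2**127 - 1, g=3, a=1234567, b=7654321):
    """Numeric check (constructed values): Y^a == (g^a)^b mod p for the matcher's Y."""
    (sub,) = dh_matchers()
    env = {'g': g, 'a': a, 'b': b}
    received = evaluate(sub[var('Y')], env, p)
    return pow(received, a, p) == evaluate(exp(exp(const('g'), const('a')), const('b')), env, p)

if __name__ == '__main__':
    print(dh_matchers(), key_agreement_holds())
```

A pattern such as exp(g, X*Y) against exp(g, a*b*c) has six matchers, which is the AC behaviour that syntactic narrowing cannot reproduce, while exp(g, X*X) has none against exp(g, a*b). Trying to match a term whose base is a product raises an error rather than silently applying distributivity, mirroring the separation between the decidable and undecidable theories in the abstract.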