Extending Formal Cryptographic Protocol Analysis Techniques for Group Protocols and Low-Level Cryptographic Primitives

We have recently seen the development of a number of new tools for the analysis of cryptographic protocols. Many of them are based on state exploration, that is, they try to find as many paths through the protocol as possible, in the hope that, if there is an error, it will be discovered. But, since the search space offered by a cryptographic protocol is infinite, this search alone cannot guarantee security if no attack is found. However, some state exploration tools do offer the ability to prove security results as well as find flaws by the use of theoretical results about the system that they are examining. In particular, the NRL Protocol Analyzer [4] allows its user to interactively prove lemmas that limit the size of its search space. If the resulting search space is finite, then it too can guarantee that a protocol is secure by performing an exhaustive search. However, the ability to make such guarantees brings with it certain limitations. In particular, most of the systems developed so far model only a very limited set of cryptographic primitives, often only encryption (public and shared key) and concatenation. They also avoid low-level features of cryptographic algorithms, such as the commutativity and distributivity properties of RSA. Most importantly, there has as yet been no attempt to use state exploration techniques to reason about group protocols, that is, protocols that involve com