A method for unbounded verification of privacy-type properties

In this paper, we consider the problem of verifying anonymity and unlinkability in the symbolic model,where protocols are represented as processes in a variant of the applied pi calculus, notably used in the ProVeriftool. Existing tools and techniques do not allow to verify directly these properties, expressed as behavioral equiv-alences. We propose a di erent approach: we design two conditions on protocols which are su cient to ensureanonymity and unlinkability, and which can then be e ectively checked automatically using ProVerif. Our twoconditions correspond to two broad classes of attacks on unlinkability, i.e. data and controlow leaks. This the-oretical result is general enough that it applies to a wide class of protocols based on a variety of cryptographicprimitives. In particular, using our tool, UKano, we provide the rst formal security proofs of protocols such asBAC and PACE (e-passport), Hash-Lock (RFID authentication), etc. Our work has also lead to the discoveryof new attacks, including one on the LAK protocol (RFID authentication) which was previously claimed to beunlinkable (in a weak sense).