A Reduction for Automated Veri cation of Authentication Protocols

Authentication protocols (including protocols that provide key establishment) are designed to work correctly in the presence of an adversary that can prompt honest principals to engage in an unbounded number of concurrent runs of the protocol. The amount of local state maintained by a single run of an authentication protocol is bounded. Intuitively, this suggests that there is a bound on the resources needed to attack the protocol. Such bounds clarify the nature of attacks on and provide a rigorous basis for automated veri cation of authentication protocols. However, few such bounds are known. This paper de nes a domain-speci c language for authentication protocols and establishes an upper bound on the resources needed to attack a large subset of the protocols expressible in that language, including versions of the Yahalom, Otway-Rees, and Needham-Schroeder public-key protocols.