S . Delaune , P . Lafourcade , D . Lugiez , R . Treinen Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive Or Research Report LSV - 05 - 20 November 2005

The symbolic verification of the security property of a cryptographic protocol for a bounded number of sessions is usually expressed as a symbolic trace reachability problem. Such a problem can be expressed as a constraint system for deducibility constraints for a certain inference system describing the possible actions of an attacker. We show that symbolic trace reachability for well-defined protocols is decidable in presence of both the exclusive or operator and a homomorphism over this operator. The exclusive or operator is often used in security protocols as a symmetric encryption operation. The homomorphism may model a hash function, or may be used to model a special situation in asymmetric encryption where an intruder may encrypt a message but can never learn about the corresponding decryption key. One main step of our proof consists in reducing the constraint system for deducibility into a constraint system for deducibility in one step and using one particular rule of the constraint system. This constraint system, in turn, can be expressed as a system of quadratic equations of a particular form over the ring of polynomials in one indeterminate over the finite field Z/2Z[h]. We show that satisfiability of these systems of equations is decidable.