Decidable Inductive Invariants for Verification of Cryptographic Protocols with Unbounded Sessions

TL;DR

This paper introduces a decidable method for verifying security properties of cryptographic protocols with unbounded sessions by using depth-bounded protocols and inductive invariants, enabling automatic and sound analysis.

Contribution

The paper develops a new theory of decidable inductive invariants for an infinite-state calculus, extending previous classes with a sound and complete analysis method.

Findings

Decidable verification for depth-bounded protocols.

Automatic inference of security invariants.

Prototype implementation demonstrates practical effectiveness.

Abstract

We develop a theory of decidable inductive invariants for an infinite-state variant of the Applied pi-calculus, with applications to automatic verification of stateful cryptographic protocols with unbounded sessions/nonces. Since the problem is undecidable in general, we introduce depth-bounded protocols, a strict generalisation of a class from the literature, for which our decidable analysis is sound and complete. Our core contribution is a procedure to check that an invariant is inductive, which implies that every reachable configuration satisfies it. Our invariants can capture security properties like secrecy, can be inferred automatically, and represent an independently checkable certificate of correctness. We provide a prototype implementation and we report on its performance on some textbook examples.