Claremont Colleges

Scholarship @ Claremont
HMC Senior Theses HMC Student Scholarship

2001

Structure Attacks in Cryptographic Protocols

Karl Mahlburg
Harvey Mudd College

Recommended Citation
Mahlburg, Karl, "Structure Attacks in Cryptographic Protocols" (2001). HMC Senior Theses. 130.
https://scholarship.claremont.edu/hmc_theses/130

This Open Access Senior Thesis is brought to you for free and open access by the HMC Student Scholarship at Scholarship @ Claremont. It has been
accepted for inclusion in HMC Senior Theses by an authorized administrator of Scholarship @ Claremont. For more information, please contact
[email protected].
Structured Attacks on Cryptographic Protocols

by
Karl Mahlburg
Everett Bull, Advisor

Advisor:

Second Reader:
(Francis Su)

May 2001
Department of Mathematics
 Abstract

Structured Attacks on Cryptographic Protocols

by Karl Mahlburg
May 2001

Cryptographic protocols are in general difficult to analyze, and complicated at-

tacks exposing security flaws have remained hidden years after a protocol is de-
veloped. Recently developed tools such as strand spaces and inductive logical
proofs provide mechanical procedures for analyzing protocols. The key to these
methods is that a generous upper bound on the activity of a malicious penetrator
is often much easier to work with than a tighter bound.
However, these formalizations make strong assumptions about the algebraic
structure of the cryptosystem that are never met in a real application. In this work,
we show that an extended form of the strand space machinery can be used to ana-
lyze protocols which contain nontrivial algebraic structure, specifically that which
arises from the XOR operation.
This work also serves as one of the first steps in reconciling computational and
formal methods of analyzing cryptographic security.
 Table of Contents

Chapter 1: Introduction and Background 1

1.1 Cryptographic Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Strand Spaces and Security Properties . . . . . . . . . . . . . . . . . . 10

Chapter 2: XOR 21
2.1 XOR Exchange Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Chapter 3: Conclusion 44
3.1 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Bibliography 47
 Acknowledgments

I would like to thank my advisor Rett Bull and my second reader Francis Su for
their helpful discussions and patience.

ii
 Chapter 1

Introduction and Background

There are two primary branches in modern cryptography. One branch is con-
cerned with encryption itself, encoding data in a secure way. The goal is to design
cryptographic algorithms (or cryptosystems) that can be implemented efficiently but
are difficult to reverse; or, in a complementary role, to search for weaknesses in
existing methods. The other branch of study is concerned with using these algo-
rithms to communicate securely. This is achieved with cryptographic protocols, in
which parties exchange encrypted messages to ensure secure communication. The
study of protocols includes the design of safe protocols, proofs that they function
correctly, and the search for attacks on existing protocols.
These two branches have had little communication or collaboration, which has
led to the misuse of encryption by both parties. A secure algorithm is useless when
used in a flawed protocol, and a provably secure protocol may be vulnerable to
simplistic attacks if a poor cryptosystem is implemented. This paper serves as
one of the first steps to combine the two branches. We take an algebraic view
of the structure of messages, and analyze protocols that use explicit encryption
algorithms.
The discussion in this chapter is background material for the XOR protocols of
chapter 2, and the strand space machinery is taken from [1]. See this work also for
a more complete bibliography of sources for the study of protocols.
 2

1.1 Cryptographic Protocols

A security protocol is, loosely speaking, a sequence of messages between two or

more parties (or principals), in which a publicly available encryption algorithm is
used to ensure safe communication over a potentially insecure network. All ad-
versarial activity on the network can be attributed to a single ubiquitous penetrator.
The desired result of running a protocol is typically the authentication of identities
or the distribution of new cryptographic keys. Each of the honest, or regular partici-
pants must follow a specific pattern of sent and received messages. Any deviations
from the expected pattern of messages are interpreted as a security violation, and
lead to the immediate termination of the protocol.

1.1.1 Message structure

Before defining protocols more carefully, we need a clear view of the messages
that may be used. Let A denote the set of all possible messages, or terms. This set
represents all messages that can be constructed within a specified cryptosystem.
The following algebraic properties are typically associated with A:

• There is a set T ⊂ A of texts, or atomic messages. T is the set of generators

used that are used to construct all of the messages in A. This set includes the
names of all available principals, which are represented by A1 , A2 , . . . , or by
A, B, . . . when there are a small number of parties. The texts T also includes
all nonces, or randomly chosen integers. A nonce is typically represented by
Na , where the subscript indicates that the nonce was generated by A; how-
ever, a nonce contains no identifying information.

• There is a set K ⊂ A of cryptographic keys, which are disjoint from T. Every

key has an inverse key, which allows an encrypted message to be easily de-
crypted. The bijective key inverse operator inv : K → K is typically written as
 3

inv(K) = K −1 . The inverse operator is idempotent, so that (K −1 )−1 = K. If

a key is its own inverse it is known as a symmetric key; in asymmetric cryp-
tosystems keys exist in pairs (K, K −1 ). A key consists of all data that are
necessary to decrypt or encrypt a message for example. However, even a key
that consists of multiple values is treated as a single unit.

• There is an encryption operation, encr : K × A → A that is available to all

participants. The operation is denoted by encr(K, g) = {g}K . There is a cor-
responding decryption operation that calculates g from the inputs {g}K and
K −1 .

• There is a concatenation operation, join : A × A → A that is available to all

participants. The operation is denoted by join(g, h) = gh. A concatenation can
be decomposed into its components by either of two separation operations:
left-separation and right-separation. Therefore, either g or h can be obtained
from g h.

• A is a free algebra with respect to encryption and concatenation. This means

that if g1 g2 = h1 h2 , then g1 = h1 and g2 = h2 , and if {g1 }K1 = {g2 }K2 , then
g1 = g2 and K1 = K2 . The freeness of concatenation is violated in our intu-
itive notion of associativity in conjoined messages, but viewed formally, the
order in which the terms were concatenated affects the resulting message.
For example, join(join(g, h), m) is different from join(g, join(h, m)). However,
the parenthetical groupings of concatenated terms is unimportant in our con-
text. Therefore, the groupings are ignored in our shorthand notation (both of
the examples above are written as g h m).

A message that isn’t of the form g h is known as simple. This includes the atomic
messages T, the keys K, and all messages {g}K that are encrypted at the outer level.
 4

There is also a special subset of AP ⊂ A associated with the penetrator. This

set contains all the terms in A that the penetrator has knowledge of, including
the names of regular participants, and any messages that are sent on the network.
We denote the set of penetrator keys as KP = AP ∩ K and the penetrator texts as
TP = AP ∩ T. It is assumed that these are small proper subsets of K and T, as we
will need a supply of unguessable keys and nonces. The sets KP and TP also serve
as a sort of generating set for AP , for we assume that the penetrator’s knowledge is
closed under encryption and concatenation, as he can freely use these operations.
However, the penetrator may also know messages that aren’t generated in this
way, such as encrypted messages emitted by regular participants.
When the cryptosystem uses public-private key pairs, we assume that there is a
trusted key server that stores principal names and their associated long-term pub-
lic keys. Any party on the network can contact the server and look up the public
key of a registered principal. The penetrator can exploit this server by registering
false names and the associated keys. He cannot usurp the identity of an honest
principal through the server however. If the penetrator registers the name C, his
actions under this guise are denoted by P (C).
A subterm relation on A in the natural way: a term g is a subterm of g 0 , denoted
by g @ g 0 , if g 0 can be constructed from g through repeated concatenations and
encryptions with other elements of A. Specifically, for any terms a, g, h ∈ A, and
any key K ∈ K, we have the following inductive definition:

1. a @ a

2. If a @ g, then a @ g h and a @ h g

3. If a @ g, then a @ {g}K

Note that encryption keys are not considered subterms of a message, so that K 0 @
{g}K only if K 0 @ g. In some models, the encryption key is treated as a subterm,
 5

but in most cryptosystems, it is difficult to learn anything about the key from an
encrypted message. We use the restricted definition because it will help us distin-
guish dangerous methods. Note that the order of concatenation is irrelevant when
searching for an atomic subterm, such as a key or nonce. This is why we don’t
carefully track the structure of concatenations, as we are primarily concerned with
messages that contain simple subterms. Examples of the subterm relation include:
g @ {g}K and {g}K @ {g}K {{h}K }K 0 , but K 6@ {g}K .
A is a well-founded partially ordered set under the subterm relation, since the
relation is clearly transitive and any subset of terms S ⊂ A has one or more minimal
elements. For any term g ∈ S, we can apply at most a finite number of decryptions
and separations to find its subterms, since g was constructed by a finite number
of concatenations and encryptions. Therefore, there cannot be infinite decreasing
chains of messages.
We are now ready to formally define cryptographic protocols, and carefully
state conditions for security.

1.1.2 Protocol Security

A protocol is a finite ordered sequence of triples, {(Ai , Bi , gi )|1 ≤ i ≤ k}, where

each element represents a message gi ∈ A from the principal Ai to the principal
Bi at each step. As mentioned earlier, protocols are used to guarantee secure com-
munication, but there are many possible definitions of security. The two common
security goals are:

• Secrecy: Keys and nonces can be known only by the regular participants who
use them, and are therefore trusted. In other words, the penetrator cannot
learn decryption keys or randomly chosen values.

• Authentication: Every regular participant is communicating with whom they

 6

intend. In other words, the penetrator cannot successfully masquerade as a

regular participant or reroute communication in a harmful way.

These two security goals are often complementary: If secrecy is violated, then
the penetrator may be able to use secret values to impersonate the regular partici-
pant that chose these values; if authentication is violated, then the penetrator may
intercept and read secret data that was intended for an honest participant. In our
proofs of security properties, secrecy usually implies authentication, for partici-
pants can use values that they know to be secret to deduce the identity of the party
that could send a message with such values.
To illustrate the problems that arise in protocol security, consider a simple ex-
ample: suppose that we would like to find a protocol that allows two principals
to share a secure, random session key. A session key is a key shared between two
principals that is only used for a limited time. Session keys are necessary because
the long-term public-private key pairs are much more computationally expensive
than many symmetric cryptosystems. Therefore, secure communication is usually
established using the long-term keys, but the bulk of the messages are sent using
session keys. These must be refreshed periodically, because the encryption is sim-
ple enough that brute-force guessing may be successful within several days. When
the encryption key is constantly changing, and the penetrator is unaware of the
changes, he cannot know which messages use the same key. The distribution of a
session key is often accomplished by exchanging one or more nonces, for session
keys can be easily generated using an algorithm that takes a random value as a
seed.
A first attempt at such a protocol might consist of a single message sent from
one principal to the other that contains the new key,

B→A: {BK}KA
 7

After this protocol runs, both principals know K, since it was generated by B, and
A can read the encrypted message. Therefore, it might seem reasonable to use K
as a session key for communication between A and B. However, the penetrator
can easily impersonate an honest principal and send a similar message to A. All
principal names are publicly available, as are the public encryption keys of the
asymmetric key pairs, Thus, the penetrator uses the name B and key KA to dis-
tribute a key of his choice, Kp , as follows

P →A: {BKp }KA

Session keys usually contain no identifying information, so A accepts any value

and assumes that the name B in the message was the sender. Since the penetrator
can impersonate B, the protocol has no authentication guarantee.
Such a simple protocol fails because authentication requires messages that al-
low each principal to be confident in the identity of the other parties. Therefore,
some of the messages must contain identifying information. The following exam-
ple of a flawed protocol attempts to verify identities, but its failure illustrates some
of the difficulties in designing and analyzing protocols.
The Needham-Schroeder protocol was designed to authenticate two principals by
exchanging randomly chosen nonces in encrypted form [4].

A→B: {Na A}KB

B→A: {Na Nb }KA
A→B: {Nb }KB

Both A and B have a public-private key pair registered with the key server; (KA , KA−1 )
and (KB , KB−1 ) respectively. To construct the first message, the initiator A gener-
ates a nonce Na , looks up B’s public key KB , and then encrypts the nonce and his
own name. The responder B decrypts this message using KB−1 , selects a nonce Nb
of his own, and looks up the public key KA to construct the second message. A
 8

decrypts this message with KA−1 and send out the final message in a similar way.
For simplicity, we assume that nonces are always chosen uniquely, so that Na 6= Nb
(this is a reasonable assumption, as the space of nonces is typically very large).
If the security goals of this protocol are met, then Na and Nb will be secret val-
ues, while A and B each have an authentication guarantee for the other. Secrecy
is easy to verify, since each message can only be read using the private key of an
asymmetric key pair, and by assumption the penetrator cannot compromise the
key server. Authentication requires more careful analysis. The initiator A obtains
the public key KB from the trusted key server, knowing that a message encrypted
with KB can only be read by someone with knowledge of KB−1 . This decryption
key is known solely by B. Similarly, B believes that a message encrypted with KA
can only be read by A. Since A sent out the nonce Na in an encrypted form, and
received it back encrypted with another key, it may seem reasonable for A to con-
clude that B must have received and decrypted the first message to construct the
second message, and similarly B might conclude that A read the second message
to learn the value Nb that he sent back in the third message. However, this con-
clusion is only partially correct, for the second message of the protocol contains no
identifying information for B.
The Needham-Schroeder protocol in fact has an incomplete authentication guar-
antee for the initiator, since the penetrator can use messages sent by A to commu-
nicate with another principal to make the following attack found by Gavin Lowe
[2]:

A → P (C) : {Na A}KC

P (C) → B : {Na A}KB
B→A: {Na Nb }KA
A → P (C) : {Nb }KC
P (C) → B : {Nb }KB
 9

The penetrator has registered the false name C, and uses it to perform a “man-
in-the-middle” attack. The messages sent and received by A are {Na A}KC sent,
{Na Nb }KA received, and {Nb }KC sent. The nonce Nb does not identify the principal
who chose it, so A assumes that it is also from C, and A concludes that he has
completed a run of the protocol with C. However, the messages received by A
were actually generated by B, which violates the expected authentication (we will
define authentication more carefully later).
The penetrator cannot perform this attack in a slightly altered version, known
as the Needham-Schroeder-Lowe protocol [3]:

A→B: {Na A}KB

B→A: {Na Nb B}KA
A→B: {Nb }KB

The only difference is the addition of the name in the second message. This addi-
tional information is enough to prevent the previous attack, where the penetrator
uses a run of the protocol A and P (C) to establish communication between A and
B. The penetrator can again trick B into sending the message {Na Nb B}KA to A, but
since A is expecting the name C, he immediately halts the protocol. However, this
doesn’t prove that the protocol has an authentication guarantee, for we have only
seen how one possible attack fails. It is possible that there is another attack that
does successfully compromise this protocol, and it is clearly not feasible to test all
possible attacks. In the next section, we develop the additional machinery needed
to prove the security of the protocol.
Lest the reader believe that the Needham-Schroeder protocol is just another
trivial example, it bears noting that the protocol was introduced in 1977, but Gavin
Lowe’s attack was not published until 1995. Before that time, the protocol was
used in many commercial software packages.
 10

Another common attack is a “replay attack,” where the penetrator remembers

the messages that were sent in an honest run of a protocol and then establishes
another run by sending the same messages. Such an attack can be prevented by
using the fresh nonces seen in the Needham-Schroeder protocol, where each par-
ticipant generates a new nonce for every run of the protocol and expects to get that
same nonce back in encrypted form. If the penetrator tries to make a replay attack
on the Needham-Schroeder protocol by resending the message {Na A}KB to B, the
new run cannot be completed, for B chooses a nonce Nb0 that is different from the
nonces he had previously used. Thus the penetrator is unable to construct {Nb0 }KB ,
and the protocol run can only be completed by contacting A. Then it becomes ap-
parent to both parties that the penetrator is involved, for A receives a message in
the middle of a protocol run that he never initiated.
There is another type of replay attack that is available when a protocol has too
many messages with a similar structure. For example, if two regular participants
both transmit a nonce encrypted with a public key at some point in the protocol, the
penetrator may be able to use such a message to impersonate an honest principal.
As the above examples illustrate, intuitive arguments about protocol security
are often incorrect. The strand space machinery (and other similar methods) allow
formal representation and analysis of protocol security.

1.2 Strand Spaces and Security Properties

The communication in cryptographic protocols lends itself to a graphlike represen-

tation with directed edges that is ased on causal relationships. Since each step of a
protocol must occur in order, and each received message must have a sender, we
can follow these relationships to track messages. Specifically, we are interested in
finding the origination of messages that contain secret values, for it is the penetra-
tor’s knowledge of such values that violates security.
 11

1.2.1 Strand Spaces

With each principal in a protocol we associate a strand, which is a directed path

containing one node for each step of the protocol involving that principal. Each
node is labeled by a signed term, where the term is the message at the step of the
protocol that corresponds to the node. The terms are given a + sign for transmit-
ted messages and a − sign for received messages. We denote the label of node n
as term(n). The edges are denoted by n0 ⇒ n when n0 is the unique node that im-
mediately precedes n on a strand. If n follows n̄ at some point on the strand (not
necessarily immediate precedence), then n̄ ⇒+ n.
The trace of a strand is just the sequence of signed terms seen by the princi-
pal. For a given protocol, the regular strands correspond to the actions of regular
participants. In the Needham-Schroeder protocol, there are two types of regular
strands:

1. “Initiator strands” s ∈ Init [A, B, Na , Nb ] with trace:

h+{Na A}KB , −{Na Nb }KA , +{Nb }KB i

where A, B are names in T, and Na , Nb are nonces. Since principal names are
mapped injectively into public-private key pairs by the key server, KA and
KB are uniquely determined by the choice of A and B and are therefore not
included as parameters. The principal A is associated with these strands, and
is known as the “initiator.”

2. “Responder strands” s ∈ Resp [A, B, Na , Nb ] with trace:

h−{Na A}KB , +{Na Nb }KA , −{Nb }KB i

As before, A, B ∈ T, and Na , Nb are nonces. The principal B is associated

with these strands, and is known as the “responder.”
 12

In a specific run of the protocol, the names and values of the nonces on the ini-
tiator and responder strand correspond; however, an arbitrary collection of strands
need not form a valid protocol run.
When we wish to consider the collection of strands with all possible values
in one of the parameters, we write ∗ in place of a specified value. For example,
Init [A, ∗, ∗, N ] is the set of initiator strands in which the initiator A receives the
nonce N , with all possible principals as the responder, and all possible nonces
chosen by A. When all the parameters are free, we shorten the notation to just Init
or Resp. The collection of all possible initiator and responder strands is called a NS
strand space, and is denoted by ΣN S ; in general, the collection of all strands for an
unspecified protocol is just a strand space Σ.
It will be useful to have concepts of message origination shortly:

• A term g originates on a node n if g @ term(n) and g 6@ term(n0 ) for any node

n0 such that n0 ⇒+ n. Thus n is the first node of some strand that such that n
contains g as a subterm.

• For a set of messages M ⊂ A, a node n is an entry point to M if term(n) ∈ M

but term(n0 ) 6∈ M for any n0 such that n0 ⇒+ n. Thus n is the first node of
some strand such that n contains any g ∈ M as a subterm.

To help us model protocol runs, we also need to represent communication be-

tween strands. Therefore we add an additional type of connecting edge between
nodes of different strands, representing communication over the network. Specif-
ically, if n is a node with a negative signed term, then there must be some unique
node on another strand that sent the message, i.e. there is a unique n0 with the
same term and positive sign, where n0 6⇒+ n. Then there is an edge n0 → n.
The directed graph of ⇒ and → edges has the property that each node is at the
end of at most one edge of both types, since there is a unique causal precursor and a
 13

unique sender if the node received a message. Each node is also the beginning of at
most one ⇒ edge, since the protocols run deterministically; however, a node may
be the beginning of any number of → edges, for there may be multiple recipients
of a message.
The actions of the penetrator are modelled through a collection P of penetra-
tor strands. These penetrator strands apply to every protocol, since the penetrator
actions are assumed to be universal. The strands in P have one of the following
traces:

• M. Text message: h+ti where t ∈ TP .

• C. Concatenation: h−g, −h, +g hi.

• S. Separation: h−g h, +g, +hi.

• K. Key: h+Ki where K ∈ KP .

• E. Encryption: h−K, −g, +{g}K i.

• D. Decryption: h−K −1 , −{g}K , +gi.

A penetrator node is a node on some penetrator strand. Unlike regular participants,

who have exactly one strand associated with each run of the protocol, all of the
penetrator strands are associated with the omnipresent penetrator. An infiltrated
strand space is the union of a strand space Σ and the penetrator strands P.
The definition of the key and text strands illuminates the use of the sets TP
and KP . These penetrator strands represent random guesses of keys and nonces
made by the penetrator, and also the public values that he can access. Therefore,
TP contains some collection of principal names and all of the nonce values that the
penetrator guesses during the run of the protocol, and KP contains any collection
of public keys and all of the random keys that the penetrator guesss. Any keys and
 14

nonces (secret or otherwise) that the penetrator can only learn from the protocol
are not included in the penetrator set. This restriction is made because we do not
have a precise concept of time in the strand model, and causality is a problem if
the penetrator has prior knowledge of a secret key before any messages have even
been transmitted. Instead, we require the penetrator to derive any subsequent use
of a value learned from a regular participant from the original message. Then all
penetrator activity involving this value can be traced back to the origination point
on a regular node, which reflects causality.
Now we can define a useful set of logically connected nodes. A bundle is a finite
set of nodes and edges C such that:

• For every node n ∈ C, the precedence n̄ ⇒+ n implies that n̄ ∈ C as well.

• For every node n ∈ C with term(n) = −g there is a unique corresponding

node n0 ∈ C (on another strand) such that term(n) = +g.

In words, if some node is in the bundle, then all of the preceding steps on that
node’s strand must also be included; and every time a message is received there
must have been a sender. However, a node that transmits a message in a bundle
isn’t required to find a recipient, and the communication may just disappear into
the network.
A bundle contains only the penetrator nodes that directly affect the commu-
nication between regular participants. The effects of the penetrator’s interference
may be trivial, so that even for a flawed protocol there exist bundles in which the
regular participants behave correctly. For example, the penetrator may intercept a
message g, apply a E-strand with some key K to get {g}K , and then immediately
run a D-strand to send the original message g to its intended recipient. In fact,
in most bundles the penetrator’s actions are ineffective. However, if there is an
attack possible on the protocol, then for each set of parameter values on the regu-
 15

lar strands, there is at least one bundle in the infiltrated strand space in which the
penetrator successfully performs the attack.
Bundles are useful because formal security properties can be easily stated in
terms of the strands contained in some bundle. For example, a protocol preserves
the secrecy of some set of terms S ⊂ A if and only if there is no bundle in the
infiltrated strand space Σ, P such that a penetrator node contains a term g ∈ S
in unencrypted form. Conversely, if the protocol is flawed and there exists an
attack in which the penetrator learns some secret value g ∈ S, then there must be
some regular node that transmits a term h with g @ h such that the penetrator
can deconstruct h to obtain g. Then there is a bundle in which a penetrator node
has term g, for the penetrator need only intercept h from the network and send it
through the appropriate sequence of D and S-strands.
Authentication guarantees can also be formalized with bundles. In a secure
protocol each regular participant should be able to conclude the existence of the
other principals. As with secrecy, the authentication guarantees are stated in terms
of strands in a bundle. For example, an authentication guarantee for the initiator
in the Needham-Schroeder protocol can be stated as follows: for any bundle C ∈
ΣN S , P that contains an initiator strand s ∈ Init [A, B, Na , Nb ] there is also exactly
one responder strand s0 ∈ Resp [A, B, Nb ].
We need one more piece of machinery before proving security properties in the
strand space context.

1.2.2 Honest Ideals

The security properties of protocols describe the honest actions that function cor-
rectly regardless of penetrator activity. However, it is not possible to consider all
possible sequences of penetrator actions, for an arbitrary finite number of strands
may be involved. Even with small bounds on the extent of penetrator actions, the
 16

number of random keys and nonces create a prohibitively large set of activities.
Instead, we use the algebraic structure of messages to place an upper bound on
all finite sequences of penetrator actions. Fortunately, the security properties often
hold even when the penetrator is at the limit of these bounds.
First, define an ideal I = Ik [S], constructed from a subset of keys k ⊂ K and a set
of secret terms S ⊂ T ∪ A. The name is no accident; the structure is similar to an
algebraic ring ideal. The ideal I is defined to be the smallest set containing S that
is constructed inductively in the following way: If g ∈ I, h ∈ A and K ∈ k, then

• h g ∈ I and g h ∈ I

• {h}K ∈ I.

Now let S be a set of simple terms such that S ∩ AP = ∅, and if g ∈ S has the form
{h}K , then K ∈ S. The secret set usually contains just keys and nonces, which is
of this form. Define the key set k−1 = K \ S. This final condition ensures that if
the private key K −1 of a public-private key pair (K, K −1 ) is secret, then K −1 ∈ k.
If there is a symmetric key KAB ∈ S, the condition gives KAB 6∈ k. This definition
of k is used because a carefully chosen ideal is meant to bound the set of messages
that are potentially dangerous. The ideal is constructed from the secret set, and
loosely speaking, if a message can be deconstructed to some value in S, then it’s
dangerous. Therefore, when the private key K −1 is secret and thus K is public,
the penetrator could use K to decrypt a message of the form {g}K −1 . If g contains
information about S, then this a dangerous message, so we include such messages
in the ideal. However, a symmetric key can only be decrypted by itself, so if KAB
is secret, we need not worry about messages encrypted with this key.
We have now reached the most important result of our analysis, which uses the
ideal construction to prove secrecy:

Claim. Let S be the secret set, k−1 = K\S, and I = Ik [S]. Then the complement I c = A\I
 17

is closed under penetrator actions and is disjoint from S.

Proof. We will show that any penetrator node p that is an entry point to I must have
negative sign, i.e. term(p) = −g. This means that the penetrator can only construct
a message in I after receiving some other message in I. The contrapositive of this
result gives the closure of I c on penetrator strands.
Suppose to the contrary that p is a penetrator entry node to I with positive term.
This is not possible on any of the penetrator strands:

• M. The trace h+ti has an entry point to I only if t ∈ S ∩ T. But then t 6∈ TP

as required by the definition of the text strand, since S ∩ TP = ∅.

• C. This has trace h−g, −h, +g hi, so we must have the positive term gh ∈ I
but g 6∈ I and h 6∈ I. But the set S contains only simple terms, so g h 6∈ S, and
therefore one of g or h must be in S ⊂ I, so one of the negative terms is the
entry point instead.

• S. One of g or h must be in I, since they are the positive terms in the trace
h−g h, +g, +hi. However, by the definition of an ideal, the concatenated
term is also in I, so it is the entry point.

• K. The trace h+Ki has an entry point to I only if K ∈ S ∩ K. But then

K 6∈ KP , violating the definition of the key strand.

• E. For the trace h−K, −g, +{g}K i, we must have the encrypted term {g}K ∈
I and g, K 6∈ I. However, if K 6∈ S, then {g}K 6∈ S, so g ∈ I, and otherwise
K ∈ S ⊂ I. Therefore one of the negative terms is an entry point to I.

• D. With trace h−K −1 , −{g}K , +gi, we must have g ∈ I. If K −1 6∈ S, then

K ∈ k and hence {g}K ∈ I; otherwise K −1 ∈ S ⊂ I, so one of the negative
terms is the entry point.
 18

This result is used to prove the security for a protocol that has no regular entry
point to the set I, as long as the penetrator has no prior knowledge, so I ∩ AP = ∅.
Then the S remains secret because all of the terms available to the penetrator are
in I c , which is closed under penetrator actions. Therefore he is unable to construct
any term g ∈ I, and specifically no g ∈ S ⊂ I. Thus, the protocol preserves the
secrecy of S.
Authentication guarantees are proved using the secrecy of certain values and
the structure of regular messages. Any message that is encrypted with a secret
key was generated a regular participant who knew that key. Recall that to prove
authentication, we assume the existence of one type of strand and deduce the ex-
istence of another corresponding strand. This is accomplished by using the graph
structure and tracing back the received messages. A demonstration of this secrecy
and authentication analysis on the Needham-Schroeder protocol follows.

1.2.3 Needham-Schroeder-Lowe security

Recall the protocol

A→B: {Na A}KB

B→A: {Na Nb B}KA
A→B: {Nb }KB

The goal of the protocol is to validate identities and share the nonces Na and Nb .
The secret set is thus S = {Na , Nb , KA−1 , KB−1 }, and the key set k is defined as k =
K \ {KA , KB }. Consider the ideal I = Ik [S], and assume that AP ⊂ I c (equivalently,
assume that KP ∩ S = TP ∩ S = ∅). In every bundle C ∈ ΣN SL,P , each regular
node n has term(n) ∈ I c . The penetrator’s specific actions are irrelevant, since I c is
closed under his available strands. Therefore, in every bundle C, each penetrator
 19

node p ∈ C has term(p) ∈ I c , so term(p) 6∈ S ⊂ I. Hence, the protocol preserves the

secrecy of S.
Now we prove the initiator’s authentication guarantee. This guarantee is stated
as follows: In any bundle C ∈ ΣN SL , P, if there exists a strand s ∈ Init [A, B, Na , Nb ],
then there exists a strand r ∈ Resp [A, B, Na , Nb ] such that at least the first two
nodes of r are in C. We know nothing about the final node of r, since the bundle is
still valid even if the initiator’s final message {Nb }KB disappears into the network.
To prove this guarantee, we first use the closure of I c and claim that there is
no message g ∈ I that originates on a penetrator node. By the closure of I c , any
such term must originate negatively since the penetrator has no initial knowledge
of I. But no terms in I are emitted by a regular node in the protocol, so there are
no entry points to I anywhere in the bundle. Thus, all of the penetrator nodes are
in I c . Now consider the message {Na Nb B}KA , which is received by A after he
sends the first message of the protocol. If the message had been constructed by a
penetrator, then he would have a node containing KA ∈ I, but this contradicts the
argument just made.
Therefore, when the initiator receives the message {Na Nb B}KA , he knows
that it must have originated on a regular node. Furthermore, it must have been
the second node of a responder strand r, since no other regular nodes generate
messages of this form. The values and names used in the message imply that
r ∈ Resp [A, B, Na , Nb ], which is the guarantee we desired.
Recall that the original Needham-Schroeder protocol lacked such a guarantee.
We argued before that the deficiency is because the second message of the protocol
is {Na Nb }KA , which contains no identifying information. We can now see more
precisely why this protocol is flawed. The arguments above show that this message
must have been sent by a responder strand r, but the initiator can only conclude
that r ∈ Resp [A, X, Na , Nb ] for some principal X. This deficiency is reflected in the
attack seen earlier, since the penetrator was able to establish a different responder
 20

strand than the initiator expected.

Slightly more sophisticated arguments show that the responder has a full au-
thentication guarantee in both the NS and NSL protocols. It is not especially illumi-
nating to present them in detail. Briefly, the responder receives two messages, and
he must show that they both originated on the same initiator strand. He knows
that since his nonce Nb was sent in encrypted form, it only could have been read
by A. But B also knows that the nonce Na was read by A and matched the nonce
sent in the first message (since otherwise the protocol would have halted and the
third message wouldn’t have been sent). Since nonces are uniquely originating,
the initiator strand on which Na was initially chosen is the same strand as the one
that received Na and Nb in encrypted form, which proves the authentication result.
The above arguments also illustrate why a protocol is more likely to be flawed
when it has several messages of the same form. Authentication guarantees are
more difficult to prove in this case, as there may be many possible origination
points for some messages. This makes it more difficult to deduce that the other
strands in the bundle have the expected form.
This strand space machinery works well on unstructured protocols, where the
message space is a free algebra. However, it isn’t clear how effective it will be in
structured protocols, where the algebra isn’t free. In our original work of the next
chapter, we develop extensions to the ideal structure that allow us to prove the
security properties of an important class of structured protocols.
 Chapter 2

XOR

The XOR operation, ⊕, is defined on two bit strings of the same length by per-
forming the binary XOR operation pairwise on the bits of each string (which is a
function on two bits that evaluates as true when exactly one of the inputs is true,
and evaluates false otherwise). Thus, for bit strings m = b1 b2 . . . bk and n = c1 c2 . . . ck
where bi , ci ∈ {0, 1}, XOR is defined by m ⊕ n = (b1 ⊕ c1 )(b2 ⊕ c2 ) . . . (bk ⊕ ck ). This
operation inherits commutativity and associativity from the binary XOR operation,
since the bit strings use what is essentially an exterior product of the bit structure.
Additionally, XOR has the identity (m ⊕ n) ⊕ n = m for any bit strings m, n.
There are several cryptosystems that use XOR by transmitting a message m as
m ⊕ K for some secret K. The safest methods use one-time encryption, where a new
key is used for each encryption. If the key is chosen randomly each time, then
the encryption is provably unbreakable. However, the recipient must know every
encryption key to obtain the original message, and distributing a large number
of keys is potentially dangerous. XOR can also be used effectively in an iterated
encryption system, where the first message m1 is encrypted as m1 ⊕ K, and each
successive message is combined with the previous message, so that m2 is encrypted
as m2 ⊕ m1 , m3 as m3 ⊕ m2 , and so on. Unraveling this sequence to get the original
messages requires the receipt of all of the encrypted terms and the knowledge of
K. It is usually necessary to use varied keys when XOR is used for encryption, for
if the same key were used repeatedly to encrypt many different messages, then a
malicious penetrator may be able to determine portions of the messages or even the
encryption key itself. For example, if m, n both contain similar file-type identifiers,
 22

then the penetrator could compute (m ⊕ K) ⊕ (n ⊕ K) = m ⊕ n. This result will

contain long strings of 0-bits where m and n share identifying codes, which the
penetrator can use to guess the filetype. If his guess is correct, then he can use that
file-type identifier and analyze m ⊕ K to deduce portions of K.
The structure of XOR cannot easily be analyzed in the current strand space
model. To illustrate the issues that arise, consider the following protocol that al-
lows A to distribute a secret value Na without relying on a key server:

A→B: {Na }KA

B→A: {{Na }KA }KB
A→B: {Na }KB

This protocol is similar to ones that are used in public key exchange software. Note
that this protocol doesn’t operate in a free algebra of messages, as the encryption is
assumed to be commutative; i.e., the interior encryption can be removed without
affecting the exterior. Regardless of whether the encryption is symmetric or asym-
metric, this protocol is known to be vulnerable to an attack where the penetrator
receives {Na }KA and just sends it back to A without adding another layer of en-
cryption. Then A is tricked into sending out Na unencrypted in the final step. This
attack is prevented if A can distinguish the layers of encryption and realize that the
message he received has the wrong form, but since the algebra is no longer free,
this may not be possible. Fortunately, this attack can also be prevented if A just
checks that he received a different message than the one he sent out. However, if
XOR is used for encryption, then this protocol has a deeper exploitable structure.
The sequence of protocol messages with XOR encryption is

A→B: Na ⊕ K A
B→A: Na ⊕ KA ⊕ KB
A→B: Na ⊕ KB
 23

The penetrator can calculate (Na ⊕ KA ) ⊕ (Na ⊕ KA ⊕ KB ) ⊕ (Na ⊕ KB ) = Na ,

violating the secrecy of the value Na . This attack is not possible if the encryption is
merely commutative, as the structure of XOR enables the penetrator to create new
keys that are closely related to old keys.
The strand space machinery has proven to be a powerful method of analyzing
protocols, and we do not wish to abandon it, but it must be extended to include
the structure of XOR. Our eventual goal is to use modified forms of the ideal con-
struction to analyze protocols that use XOR.

2.1 XOR Exchange Protocols

An XOR exchange protocol is a protocol in which the symmetric cryptosystem is as-

sumed to be unbreakable, and the only nontrivial identities on the message algebra
are due to the use of XOR on a subset of keys. An example of such a protocol is
an altered version of the TMN protocol [5], in which a trusted server uses XOR to
distribute a two-party session key

A→S: {m1 B Ka }KAS

S→B: Areq
B→S: {m3 A Kb }KBS
S→B: Ka ⊕ Kb
A→B: {A}Kb
B→A: {A B}Kb

The messages m1 , m3 are just identifiers that prevent the penetrator from switching
the order of the messages in a replay attack, and KAS , KBS are symmetric keys
shared between the server and a regular participant. The goal of the protocol is to
establish a session key Kb . The reader may question why XOR is used at all, for
the protocol would be provably secure if the XOR term were replaced by {Ka }KAS .
 24

The reason is that XOR can be calculated very efficiently, and if the protocol can be
proven secure with XOR, then computation is saved.
Although this may seem like a limited use of XOR, such protocols still have se-
curity concerns beyond those covered by the current ideal theory. To demonstrate
the problem, consider a protocol with a secret symmetric key K, and a symmet-
ric key K 0 known by the penetrator. Further, suppose that the key K ⊕ K 0 is not
a secret key. If we construct an ideal I around the secret set, then K ∈ I, and
K 0 , K ⊕ K 0 6∈ I. However, if a regular participant emits the key K ⊕ K 0 ∈ I c , the
penetrator can calculate K = (K ⊕ K 0 ) ⊕ K 0 . This means that the current definition
of ideal no longer satisfies the closure properties that allowed us to prove security,
and the structure of XOR needs to be included.
We would like to prove that if Ka and Kb are secret from the penetrator in the
TMN protocol, then the secrecy is maintained even when Ka ⊕ Kb is transmitted.
We need a better understanding of the XOR structure in order to formalize this
notion.

2.1.1 XOR Group Structure

Suppose there is a subset of keys X ⊂ K on which the XOR operation is defined

and closed. Thus K1 , K2 ∈ X implies that K1 ⊕ K2 ∈ X. All of the keys in this
set must have the same bit-length l, and we assume that the converse is also true,
so that all bit strings of this length are necessarily in X. This assumption is made
to avoid type ambiguities, and since keys are involved in encryption and other
message types are not, we consider the most interesting structure. Generalizations
are discussed in section 2.1.6, where XOR is allowed to act on texts as well. The
XOR product of two sets of keys is defined in the natural way: if A, B ⊂ X, then
A ⊕ B = {a ⊕ b | a ∈ A, b ∈ B}.
Since XOR preserves bit length, X is closed and has a group structure under the
 25

XOR operation. Note that every element is nilpotent with degree two, and that
the group operation is commutative. Therefore, the XOR structure is isomorphic
to the abelian group (Z2 )l , with the natural isomorphism that maps each bit from
the bit string to the corresponding element in the the product. This space is also
isomorphic to a vector space of dimension l over the field of two elements. We
allude to the group structure and call the result of combining the two keys under
XOR the product of the keys.
Suppose SX ⊂ X is a subset of n keys, with SX = {K1 , K2 , . . . , Kn }. Since X is a
vector space, the span of SX is a vector subspace given by:
( m
)
 M
hSX i = K ∈ X  K = Kik , 1 ≤ m ≤ n, ik ∈ [1, . . . , n]

k=1

This is the set of all product keys that can be calculated from SX . Note that we
don’t require the indices ik to be distinct. In fact, the trivial or identity key (all
0-bits) is contained in the span as the product K1 ⊕ K1 , and is a vital component
in the group structure. However, the identity key is implicitly excluded whenever
we discuss encryption keys, and it is never chosen as a random key. The identity
key is denoted by Kid . Every nontrivial key in hSX i can be represented as a product
with no repeated keys, since any repeated keys cancel (e.g., K1 ⊕ K2 ⊕ K1 = K2 ).
As a subspace, hSX i is closed, which can also be seen by considering the product
of any two elements. Such a product is again a product of some sequence of keys
in SX , and we are again left with either zero or one copies of each Ki in the final
product.
The span of a more general subset H ⊂ A can also be defined as hHi = H ∪
hH ∩ Xi. The span of the XOR keys is included, and the terms without XOR struc-
ture are present without adding any additional terms.
The set SX is independent if no key in SX can be written as a product of other keys
in SX . Since the span of a set of keys contains all possible products, the condition
of independence for SX is equivalent to K 6∈ hSX − {K}i for all K ∈ SX . It is easier
 26

to describe hSX i when SX is independent, for then each distinct product in hSX i
is distinct. SX need not be independent, and there may be intentional relations
between terms of SX . However, if each of the n keys in SX are chosen randomly,
and n is small compared to l, then the keys are likely to be independent. This is
because after K1 is chosen freely, we must choose K2 ∈ X \ h{K1 }i, then choose
K3 ∈ X \ h{K1 , K2 }i, and so on. If SX isn’t independent, then there is some basis
B ⊂ SX such that hSX i = hBi, for a vector subspace always has an independent
basis. If n > l, then SX is dependent.
We make the following important assumption: a key that is randomly chosen
by a principal is independent from all other keys being used by active principals
in the protocol. This assumption requires that the dimension of the keyspace be
much larger than the number of keys used in the protocol, which means that the
logarithm of the size of X must be large relative to the number of keys used in
the protocol. Fortunately, a typical protocol uses only a handful of keys, so the
keyspace can be of reasonable size. This is a stronger version of the assumption of
uniquely originating nonces in previous work. This assumption serves the same
purpose; namely, that there aren’t any unexpected relations between the values
chosen by regular participants.

2.1.2 XOR Strand

The XOR operation is available to all parties, so that any principal can calculate
K ⊕ K 0 if he knows K, K 0 ∈ X. We define the XOR strand in a way that restricts the
penetrator strongly, and may seem counter-intuitive.

X. XOR: h−K, −K 0 , +K ⊕ K 0 i where K, K 0 ∈ X \ KP .

The necessity of this definition will be clearer after a discussion of the use of the
strand in modeling penetrator actions.
 27

First, notice that the algebra of terms with XOR is no longer free, and therefore
has more complicated structure than encryptions and concatenations. Recall that
before, the subterm relation was defined by a @ b if b can be constructed from a
through some sequence of concatenations or encryptions. However, if this defini-
tion is extended to XOR, then K would be a subterm of (K ⊕ K 0 ) ⊕ K 0 for any K 0 ,
and thus each key would be a subterm of every other key. This would collapse the
XOR keys and diminish the usefulness of the subterm relation in tracing messages.
Instead, we define K @ K ⊕ K 0 if and only if K 0 = Kid . The product K ⊕ K 0 is just
another key, which is distinct from K.
As before, we have introduced the X-strand to model the penetrator’s actions.
Our goal is to bound the penetrator activitiy by constructing an ideal I around
a secret set of messages, and we would like to prove that the complement of the
ideal I c is closed under penetrator actions. If the X-strand were defined so that the
penetrator had free use of XOR, then we would be making the incorrect assump-
tion that the penetrator can efficiently guess the value of any random, secret key.
This is because the penetrator is free to make random guesses of secret keys, and
he could easily guess a set of keys that form a basis for all bit strings of length l,
such as KP = {1000 . . . , 0100 . . . , 0010 . . . , . . . }. Then, since our penetrator bound
I c is closed under penetrator actions and this flawed X-strand allows arbitrary use
of XOR, all of X is within the penetrator’s bound. But then there are no XOR keys
that are guaranteed to remain secret, for (S ∩ X) ⊂ (I ∩ X) = ∅. This bound on the
penetrator is much too large, as it’s trivially true that the set of keys known by the
penetrator is contained in the set of all keys. The ideal model assumes that if the
penetrator can possibly deconstruct a message and obtain a secret value, then that
message is dangerous. This is a good model for encryptions and concatenations,
because there are a small number of possible deconstructions, all of which termi-
nate after a certain number of steps, and if any one of them leads to a secret value,
the penetrator could feasibly find it. However, XOR products can be deconstructed
 28

in many ways, and may continue for an arbitrary number of steps. Choosing a set
of basis keys really does the penetrator no more good that making random guesses
of keys, even though a secret key can be constructed as some product of the basis.
The difficulty is in knowing which keys to include in the product, and if the pen-
etrator does manage to calculate a secret key from the basis, then he must have
made the correct decision of whether or not to include each of the l basis keys in
the product. This is equivalent to guessing correctly a bit string of length l, which
is a random guess in X.
Therefore, the penetrator’s actions are bounded in a way that treats penetrator
guesses as such. Notice that if at least one of K, K 0 is chosen randomly according
to a uniform distribution, then the product K ⊕ K 0 also has a uniform distribution.
This is because the mapping K 0 7→ K ⊕ K 0 is a bijection between finite, discrete
spaces, so the uniform probability distribution of K 0 is transfered to the product.
Therefore, if the penetrator calculates an XOR product with at least one random
key, the result is again random. Thus, any such XOR Tree is effectively just a guess,
and the key is contained in the set XP of penetrator guesses of XOR keys. The only
interesting use of XOR occurs when the penetrator acts only on keys emitted by
the regular participants.

2.1.3 XOR Ideals

The following construction of ideals mimics that of ideals in unstructured proto-

cols, taking into account the additional structure of XOR. Recall that the purpose
of constructing an ideal is to bound penetrator activity away from secret data.
Denote the subset of XOR keys known by the penetrator as XP = X ∩ AP ; the
penetrator sets KP and TP are previously defined. Suppose that for a certain pro-
tocol there is a finite secret set S ⊂ T ∪ K. The secret XOR keys are SX = S ∩ X,
and we assume that SX is an independent set. Therefore, SX = {K1 , K2 , . . . , Kn }
 29

where the Ki form a basis of hSX i. We wish to find a set of messages that bound
the penetrator actions.
To that end, consider the set H of all even keys in hSi,

H = Even(§)
( 2m
)
 M n
= K ∈ hSX i  K = Kik , 1 ≤ m ≤ , ik ∈ [1, . . . , n] .

k=1
2
The ik need not be distinct in this representation, for repeated keys will cancel
in pairs and leave an even number of distinct keys. Every key in Even(§) can be
written as the product of an even number of distinct keys in SX . The even keys form
a subgroup/subspace of hSX i, since the repeated keys cancel in pairs and therefore
preserve the parity of the number of basis keys in a product. An independent basis
of Even(§) is the set {K1 ⊕ Ki | 2 ≤ i ≤ n}. The complement of Even(§) in hSX i is
the odd keys Odd(§) = hSX i \ Even(§). Every key in Odd(§) can be written as the
product of an odd number of distinct keys from SX .
The keys in Even(§) and Odd(§) are equivalent to subsets of keys chosen from
SX of even and odd size, respectively. Recall the well-known fact from combina-
torics that there are an equal number of even and odd subsets for any finite set.
Therefore, both Even(§) and Odd(§) contain exactly half of the keys in the span of
S, i.e. |Even(§)| = |Odd(§)| = |hSX i| /2. This can also be seen by considering the ba-
sis for Even(§) given above. There are exactly n − 1 independent basis keys, which
is one less than the number of basis keys for hSX i. Since Even(§) is a subspace of
the vector field hSX i, and the underlying field of binary bits has two elements, the
subspace of even keys is half the size of the overall space.
Note the following properties of Even(§) and Odd(§), which also serve as an
inductive definition of the sets:

• Ki ∈ Odd(§) for i ∈ [n], so SX ⊂ Odd(§);

• If K, K 0 ∈ Odd(§), then K ⊕ K 0 ∈ Even(§);

 30

• If K, K 0 ∈ Even(§), then K ⊕ K 0 ∈ Even(§);

• If K ∈ Even(§) and K 0 ∈ Odd(§), then K ⊕ K 0 ∈ Odd(§).

These properties can be shown through parity arguments on the number of distinct
basis keys in the representation of K and K 0 . For example, if K, K 0 ∈ Odd(§), then
both keys are the product of an odd number of distinct keys. In their product
K ⊕ K 0 , there are an even number of total keys, and again the parity is preserved
when key pairs are canceled. For example, (K1 ⊕ K2 ⊕ K3 ) ⊕ (K2 ) = K1 ⊕ K3 ∈
Even(§).
The product K ⊕ K 0 ∈ Odd(§) if and only if exactly one of K and K 0 is also
in Odd(§). Therefore, if the penetrator can learn only keys in Even(§), then no
keys in Odd(§) can be calculated, including the secret keys SX . This means that a
protocol is secure if the regular participants only emit keys whose span is disjoint
from Odd(§). This condition prevents the honest parties from emitting pairs of
messages like K ⊕ K1 ⊕ K2 and K ⊕ K1 , for the product of the messages is the
secret key K2 . However, requiring the messages to be outside of Odd(§) is more
restrictive than necessary, for it is admissible for the penetrator to learn a triple
product such as K1 ⊕ K2 ⊕ K3 as long as he cannot use it to learn a secret key. The
important condition is that the span of the messages from regular participants is
disjoint from the secret set SX . It is usually easiest to use Odd(§) and Even(§), for
then the relationships between the keys only involve simple parity arguments.
Recall that an ideal represents the set of dangerous messages in a protocol. Sup-
pose for simplicity that we have an XOR protocol in which all of the secret values
are XOR keys, so that SX = S, and the span of messages emitted by regular par-
ticipants is contained in Even(§). Define the ideal I = Ik [hSX i \ Even(§)] where
k = K \ (hSX i \ Even(§)). Then, since I is an ideal, its complement is closed un-
der all of the old penetrator actions. Since the penetrator can only use XOR on
the keys emitted by regular participants, and all of these keys are in XOR keys
 31

in Even(§) ⊂ I c , the complement is also closed under XOR. Therefore, the ideal
construction shows the secrecy of S.
This is shown more carefully in the following proof of closure in general ideals.

Theorem. Let H be the span of messages emitted by regular participants, and k = K \

(hSi \ H). Construct the ideal I = Ik [hSi \ H]; its complement I c is then closed under
penetrator actions.

Proof. The definition of H is analogous to Even(§), and H c to Odd(§), however, H

may contain keys and nonces not in X. The complement is taken in the texts and
keys, so H c = K ∪ T \ H. Also, the XOR keys in H are not necessarily all in hSX i, as
a regular participant may send an XOR key in unencrypted form. Recall that if S
contains some value not in X, then hSi also contains this value.
Since I is an ideal, I c is still closed relative to C, S, E and D-strands. It re-
mains to show closure under X-strands. XOR is only defined on the set X, so we
need only consider XOR keys. But the X-strand is restricted further, and operates
only on keys learned from regular participants, so that XOR is actually used only
keys from H. By definition, H ⊂ I c , and H is closed. Now we show that if the
node p is an entry point to I on an X-strand, then p has negative sign. The trace
h−K, −K 0 , +K ⊕ K 0 i is defined only when K, K 0 ∈ H, and since H is closed,
K ⊕ K 0 ∈ H. Thus, there are no entry points to I on any XOR strand, and I c is
closed under XOR, and all other penetrator actions.

In this theorem, H may contain some of the secret keys, and the closure has
been proved for ideals in general, regardless of whether they truly represent the
dangerous messages. To prove secrecy, we need a corollary

Corollary. Let H be defined as before. If H ∩ S = AP ∩ S = ∅, then the protocol preserves

the secrecy of S.
 32

Proof. Construct the ideal I as in the theorem. Then I c is closed under penetrator
actions, and since he only has access to terms from H ⊂ I c and AP ⊂ I c , every
penetrator node has term in I c , and is disjoint from S ⊂ I.

This result holds for any bundle of nodes, and thus in a protocol that satisfies
the corollary conditions, there is no attack that compromises the secrecy of S.

2.1.4 Other key subspaces

The ideal construction above is a general method for proving the secrecy of pro-
tocols, but it is easier to work with even and odd keys, for then we can use parity
arguments as well as working in the vector space. Fortunately, a clever change of
basis allows us to use even and odd sets.
For example, consider a protocol for distributing a fresh pair of keys. Two prin-
cipals A and B share the keys K1 , K2 and use them to communicate in some cryp-
tosystem. To prevent the penetrator from guessing one of the keys through brute
force methods, the principals wish to securely exchange a pair of new keys K3 , K4 .
The secret set is thus SX = {K1 , K2 , K3 , K4 }, and we assume that this is an inde-
pendent set. Disregarding authentication for the moment (authentication steps can
easily be added to the end of a key exchange), the following two messages are sent:

A→B: K1 ⊕ K2 ⊕ K3
B→A: K1 ⊕ K2 ⊕ K4

Here we have A choose the new key K3 , and B choose K4 . Since they both know K1
and K2 , each can calculate the key chosen by the other. Neither message is a secret
key, and their product K3 ⊕ K4 isn’t either, so the penetrator clearly cannot learn a
secret key. However, to prove the secrecy, we construct an ideal around the com-
plement of the span of the emitted keys. This ideal is larger than one constructed
around Odd(§), and more complicated.
 33

Consider what happens if we use the basis S 0 = {K1,2 , K2 , K3 , K4 }, where K1,2

is shorthand for K1 ⊕ K2 . Since these keys form an independent set, the set of
products contains every key in hSX i. The protocol can then be written as:

A→B: K1,2 ⊕ K3
B→A: K1,2 ⊕ K4

Both of the transmitted messages are now in Even(S 0 ), so we can conclude the
secrecy of S 0 using the ideal Ik [Odd(S 0 )]. The secret key K1 isn’t in SX0 though, or
even in Odd(S 0 ), since K1 = K1,2 ⊕ K2 . However, all of the secret keys are in the
complement of Even({K1,2 , K3 , K4 }). We observed earlier that it is easier to work
with even keys than an arbitrary subspace. It appears to be true that any subspace
is in fact the even keys for some set of independent vectors. However, it seems to
difficult to find these vectors, and it is yet unclear how to prove even the existence
of such vectors.
Instead, we prove the following:

Claim. The n-dimensional vector space hSX i with basis {K1 , . . . , Kn } has exactly one
subset H of dimension n − 1 that satisfies Ki 6∈ H for each i ∈ [1, n]. In particular,
H = Even(§).

Proof. First we show that a closed subspace H ⊂ X is either a proper subset of

Even(§), or H contains equal numbers of even and odd keys. The first case occurs
whenever H is a subspace of Even(§). Now suppose that there is some odd key
KO ∈ H ∩ Odd(§). Then the mapping φ(K) = K ⊕ KO gives a bijection between
H ∩ Even(§) and H ∩ Odd(§), so the finite sets of even and odd keys in H are equal
in size.
Now suppose that H has dimension n−1; we show that H = Even(§). Consider
the partition of hSX i into classes of the form {K, K ⊕ K1 }. The closed subspace H
contains at most one element from any of these classes, since the secret key K1
 34

is calculable from K and K ⊕ K1 . The underlying field has two elements, so H

contains half of the elements of hSX i, and therefore exactly one element from each
of the classes. This includes the classes of the form {Ki , Ki ⊕ K1 } where i 6= 1. The
key Ki is secret, so Ki 6∈ H and instead Ki ⊕ K1 ∈ H. The set {Ki ⊕ K1 | 2 ≤ i ≤ n}
is a basis for Even(§), and thus Even(§) ⊂ H. However, since Even(§) also has
dimension n − 1, it must be true that H = Even(§).

This result on subspaces of the XOR space also follows from a more general
theorem on finite fields:

Theorem. The n-dimensional vector field over the finite field of k elements (with k prime),
V = Fnk , with basis B = {B1 , . . . , Bn }, has exactly (k − 1)n−1 subspaces of dimension
n − 1 that are disjoint from B.
Pn
Proof. Define a bilinear product for pairs of vectors x, y ∈ V by hx, yi = i=1 xi yi .
Since k is prime, the field Fk ∼
= Z/Zk . For some x ∈ V , with x not equal to the zero
vector, define the set Hx = {y | hx, yi = 0}. Note that it’s possible that x ∈ Hx ; for
example, if x has exactly k 1’s and n − k 0’s. By linearity, Hx is a closed subspace
of V . The dimension of Hx is at most n − 1, since if x is nonzero in coordinate i,
then hx, ei i, where ei is the standard basis element in the ith coordinate. We now
construct an independent basis to show that the dimension is in fact n − 1. Again,
find some i such that xi 6= 0. Then for all j 6= i, there are two cases. If xj = 0, then
let Aj = ej ∈ Hx , since the only nonzero coordinate in Aj is multiplied by the zero
in x. If xj 6= 0, then let Aj = (xi )−1 ei + (−xj )−1 ej , where the inverses are uniquely
found in the field. This choice gives hx, Aj i = 1 − 1 = 0. These n − 1 vectors are
independent, since Aj is nonzero in coordinate j and zero in coordinate l for all
l 6= j, i. Thus Hx has dimension n − 1.
For simplicity, make a change of coordinates in V so that B is the standard
basis, B = {e1 , . . . , en }. Such a change of coordinates preserves the independence
of subspaces, so the desired count is unaffected. We now wish to characterize the
 35

subspaces of V that are disjoint from the standard basis. Note that if x is zero in
some coordinate i, then hx, ei i = 0, and ei ∈ Hx . Thus the Hx we seek are generated
by vectors x that are nonzero in every coordinate. There are (k − 1)n such vectors
in V . However, by the linearity of the vector product, Hx = H2x = · · · = H(k−1)x .
Since the characteristic of the field is prime, each of these multiples are distinct for
any x. Thus we group the nonzero vectors into (k − 1)n−1 classes, giving an upper
bound on the number of distinct subspaces of dimension n−1 that satisfy the given
property. It remains to show that the Hx is unique for the class generated from x.
Suppose that Hx = Hy for some x and y that are nonzero in each coordinate. We
show that x is a multiple of y. There exists some g ∈ [1, k − 1] such that x1 = gy1 ,
since both are nonzero. Then, for any i ∈ [2, k − 1], the vector vi = (y1 )−1 e1 +
(−yi )−1 ei ∈ Hy , since the product hy, vi i = 1 − 1 = 0. Thus vi ∈ Hx as well, so
hx, vi i = 0. Expanding the product, 0 = x1 (y1 )−1 +xi (−yi )−1 = gy1 (y1 )−1 −xi (yi )−1 =
g − xi (yi )−1 . This implies that xi = gyi for all i, and thus x = gy, so each class of
vectors generates a unique subspace.

The vector field that arises due to the XOR structure is over the two-element
field, so the theorem states that there is exactly 1 (n − 1)-dimensional subspace
disjoint from the basis.
We now have a good understanding of how to prove secrecy for XOR proto-
cols. However, authentication of XOR protocols proves to be a thornier issue, as
illustrated by the involved analysis of the TMN protocol in the next section.

2.1.5 TMN Protocol

Recall the TMN protocol, seen previously in section 2.1:

A→S: {m1 B Ka }KAS

S→B: Areq
B→S: {m3 A Kb }KBS
 36

S→A: Ka ⊕ Kb
A→B: {A}Kb
B→A: {A B}Kb

where Ka , Kb are XOR keys in X. The cryptosystem is symmetric, and the keys KAS
and KBS are shared between the server and a principal. The messages m1 and m3
contain identifying information to prevent certain types of replay attacks. A new
key Ka is by A each time the protocol is run to prevent a brute-force attack by the
penetrator, for if the same key were used repeatedly the penetrator could spend a
long time analyzing a group of messages.
An infiltrated strand space ΣT M N , P is a TMN space if ΣT M N is the union of
four types of strands:

1. Penetrator strands s ∈ P.

2. “Initiator strands” s ∈ Init [A, B, Ka , Kb ] with trace:


+ {m1 B Ka }KAS , −Ka ⊕ Kb , + {A}Kb , − {A B}Kb

where A, B ∈ Tname andKa , Kb ∈ X. The initiator A is the principal associated

with these strands.

3. “Responder strands” s ∈ Resp [A, B, Ka , Kb ] with trace:


−Areq, + {m3 A Kb }KBS , − {A}Kb , + {A B}Kb

The responder B is the principal associated with these strands.

4. “Server strands” s ∈ Serv [A, B, Ka , Kb ] with trace:


− {m1 B Ka }KAS , +Areq, − {m3 A Kb }KBS , +Ka ⊕ Kb
 37

The secret values for the TMN protocol are S = {Ka , Kb , KAS , KBS }. The subset
H is given by the span of the XOR terms emitted by regular participants, so H =
{Ka ⊕ Kb } = Even(§), since Even(§) contains only XOR keys. Define k = K \ H c =
K \ {Ka , Kb , KS−1 , KAS , KBS }. Then the ideal I = Ik [H c ] proves the secrecy of the
TMN protocol, since all of the terms emitted by regular participants are in I c , and
I contains no publicly known terms.
This version of the TMN protocol has an initiator guarantee for a responder
strand. The initiator knows that Kb is a secret key, and when he receives the mes-
sage {A B}Kb , he knows that it must have originated on the final node of a respon-
der strand in Resp[A, B, Kb ]. If we assume that Kb uniquely originates, then the
responder strand is unique.
To prove a responder guarantee for the initiator, we start with the message
{A}Kb and trace its path, hopefully ending at the desired initiator strand. We
know by the secrecy of Kb that this message originated on an initiator strand in
Init[A, X, Ka , Kb ], where X is some principal. We want to show that X = B, and
it seems that this may be done by considering the two messages at the beginning
of the strand, {m1 X Ka }KAS and Ka ⊕ Kb . The key Ka must be the same in both
of these messages, and since the server will only send out the product Ka ⊕ Kb
when the principal names match, we conclude that A intended to talk to B, so the
initiator strand has the correct form. However, this argument requires the use of
a server strand, and there is a flawed server strand guarantee for both the initia-
tor and responder. In the following replay attack, the initiator A and responder B
both participate in two concurrent runs of the protocol, and the penetrator exploits
the XOR structure to impersonate the server. The two runs are differentiated by
subscript.
First, the penetrator copies the messages sent to the server by A1 and B1 , and
intercepts the key emitted by the server:
 38

A1 → S: {m1 B Ka }KAS
S → B1 : Areq
B1 → S: {m3 A Kb }KBS
S → P (A1 ): Ka ⊕ Kb .

Then he performs the same actions in the second run of the protocol:

A2 → S: {m1 B Ka0 }KAS

S → B2 : Areq
B2 → S: {m3 A Kb0 }KBS
S → P (A2 ): Ka0 ⊕ Kb0

The penetrator now uses the messages he has read to present a third protocol run
to the server, and learn another key product:

P (A) → S: {m1 B Ka0 }KAS

S → P (B): Areq
P (B) → S: {m3 A Kb }KBS
S → P (A): Ka0 ⊕ Kb

Finally, the penetrator uses the product Ka0 ⊕ Kb to establish communication be-
tween A2 and B1 . He also calculates Ka ⊕ Kb0 = (Ka ⊕ Kb ) ⊕ (Ka0 ⊕ Kb0 ) ⊕ (Ka0 ⊕ Kb ),
to complete the protocol between A1 and B2 :

P (S) → A1 : Ka ⊕ Kb0
A1 → B2 : {A}K 0
b

B2 → A1 : {B}K 0
b

P (S) → A2 : Ka0 ⊕ Kb
 39

A2 → B1 : {A}Kb
B1 → A2 : {B}Kb

But the communication between A2 and B1 violates server authentication, since

there was no server strand that generated the product Ka0 ⊕ Kb .
For this attack to succeed, there were several server strands, and the penetrator
couldn’t do this alone. However, none of the strands had the form that the prin-
cipals would expect. It could also be problematic that the order of protocol runs
was swapped between the initiator and responder, but protocols usually operate
independently. The communication established between B1 and A2 is still secure.
It isn’t clear how to proceed in the proof of a responder guarantee without
knowing the exact form of the server strands that are present in some protocol run.
To help us understand the interactions between the server and the other principals,
we consider a simpler protocol similar to TMN without a server. The responder B
acts as the key distributor:

A→B: {Areq Ka }KAB

S→B: Ka ⊕ Kb
A→B: {A}Kb
B→A: {A B}Kb

Here we assume that A and B already share the symmetric key KAB . This protocol
maintains the secrecy of S = {Ka , Kb , KAB } by similar arguments to those made for
the TMN protocol, and as before, the initator has a full guarantee on the responder.
Now examine what happens when the penetrator tries to impersonate the re-
sponder/server as before. The only possible replay is for the penetrator to send a
request from A to B multiple times. In this protocol, the penetrator doesn’t have
as much control over which keys are combined by the server, for B chooses a new
key for each run of the protocol. For example, if the penetrator repeatedly sends
the message {Areq Ka }KAB , the responder will emit the products Ka ⊕ Kb , Ka ⊕
 40

Kb0 , Ka ⊕ Kb00 , . . . . Each of the keys from the responder are randomly chosen and
therefore the key products learned by the penetrator are also random and most
likely independent. Any additional product containing Ka that the penetrator cal-
culates is the product of at least four keys, so he cannot imitate a regular party
unless there are other dependencies in the keys. Since any such dependencies oc-
cur randomly, the penetrator is effectively reduced to guessing when he tries to
exploit his knowledge. This is a limited capability compared to the TMN protocol.
The problem we had when trying to prove a responder guarantee for the TMN
protocol was that the responder had no way of knowing whether the expected
server strand was actually present. However, in this protocol, the responder acts
as the server. Therefore when the responder receives the message {A}Kb , he knows
that he sent out Ka ⊕ Kb and that the penetrator could not have constructed this
message. Therefore, the initiator strand is in Init[A, B, Ka , Kb ], as needed for the
authentication guarantee.
It is possible to analyze the penetrator’s actions more formally when the keyspace
is large compared to the number of principals and the maximum number of pro-
tocol runs we will allow. First we change our approach to randomly chosen keys.
The random choice of Kb is viewed as the choice of Kb from some finite set of keys
representing the possible random choices. This is similar to the way penetrator
guesses are modeled. Define the sets P Q as the set of keys chosen by P as the ini-
tiator chooses for communication with Q as the responder, and similarly, QP as the
set of keys chosen by Q as the responder for communication with P as the initiator
for all pairs (possibly identical) of principals Q and P .
Since the keyspace is larger compared to these sets, we can safely assume that
randomly chosen keys are all independent. We make the further assumption that
the sets of protocol keys defined above are also independent, so that QP ∩ C D 6= ∅
if and only if Q = C and P = D. This condition also holds for the initiator and
responder sets, so that QP ∩ CD = ∅, even for identical sets of principals.
 41

Using this notation, we can place further restrictions on the simplified TMN
protocol. In the initiator message {Areq Ka }KAB , the key Ka must be chosen from
AB , and the responder must choose some Kb ∈ BA to calculate the product Ka ⊕Kb .
Therefore, the key products emitted by a responder strand in Resp[A, B, Ka , Kb ] are
always in AB ⊕ BA , where the XOR product of two sets is defined in the obvious
way: if X, Y ⊂ X, then X ⊕ Y = {x ⊕ y | x ∈ X, y ∈ Y }.
Note that AB ⊕ BA ⊂ Even(AB ∪ BA ) ⊂ Even(§) for all pairs of principals, so ev-
ery key that the penetrator can learn is an even products in SX . In fact, the penetra-
DS  E
Aj
tor’s knowledge can be bounded more tightly, by XP ∩hSX i ⊂ i,j Even Ai ⊕ Aj Ai .
To prove the responder’s guarantee, we consider a strand r ∈ Resp[A, B, Ka , Kb ].
We want to show that if the message {A}Kb received by r originated on a strand
s ∈ Init[A, X, K, Kb ], then X = B and K = Ka , so that the expected initiator strand
is in the bundle. Since Kb is secret, A must have calculated it from the key received
in the second step of the protocol. He used the key K to undo the XOR, so K must
satisfy K ⊕ (Ka ⊕ Kb ) = Kb . This implies that K ⊕ Ka = Kid , so K = Ka .
Now suppose that X 6= B. Then since Ka ∈ AX and Kb ∈ BA , the product
Ka ⊕ Kb isn’t calculated by a server strand. The only other possibility is that the
key was generated through penetrator actions. However, any key generated by
the penetrator must have an even number of keys from each set of the form P Q ∪
QP , and the product Ka ⊕ Kb contains one key from each of AX ∪ XA and AB ∪
BA . Therefore the message Ka ⊕ Kb couldn’t have been generated by any party
if X 6= B, and it therefore must be that X = B. This completes the proof of the
authentication guarantee for the responder, since he can deduce that the initiator
strand s is in Init[A, B, Ka , Kb ].
At no point in this analysis did we use the fact that the responder acts as the
server. In the TMN protocol the product keys emitted by the server are also in sets
of the form AB ∪BA , so this approach also proves the responder’s guarantee for the
TMN protocol. In fact, this works for any protocol in which the party that emits
 42

the XOR product requires verification of identities. If the emitted XOR product has
more than two keys, then the group structure is more complicated. In this case,
we again use the span of all the possible products and show that only the desired
principal could have generated a certain product. Also, if one party selects several
keys for use with another party in a protocol, there should be a key set associated
with each distinctly chosen key. For example, if A chooses a random key Ka and
sends it to B, and at a later point in the protocol chooses another random key Ka0 ,

0
then Ka ∈ AB and Ka0 ∈ AB .
The problem with this method is that it requires either a very large keyspace or
a limited amount of action by the principals. As we saw when constructing XOR
ideals (section 2.1.3), considering all possible products overestimates the abilities of
the penetrator. Thus, even when the key sets are possibly dependent, it is unlikely
that the penetrator will discover the dependencies (again, it reduces to a lucky
guess), so the analysis is valid.
We would like to find a more general method for proving the authentication
properties of XOR protocols. For unstructured protocols, it was enough to trace a
path to the origination point of a received message; however, the XOR structure
makes it more difficult to do this precisely.

2.1.6 XOR on larger sets

In the preceding sections, we have discussed protocols in which XOR is used only
on a subset of keys. We now show that these results also apply to protocols in
which both keys and nonces have XOR structure. Suppose that the set of XOR
terms can contain both keys and nonces, so that X ⊂ K ∪ T. The set of texts con-
tains both names and nonces; however, it is unreasonable to include the names in
the XOR structure. Principal names are all the same data type and contain iden-
tifying bits in their representation and are therefore not be part of a closed XOR
 43

set. Furthermore, since names are public and may be large in number, their XOR
closure could be a significant portion of all XOR strings.
When X ⊂ K ∪ T, with principal names excluded, then we construct an ideal
just as before, except for this case, the additional XOR structure is included. Recall
that an ideal contains the potentially dangerous messages, and is constructed from
the complement of the closure of the emitted messages. This closure now contains
products of nonces and keys. We have already proved that the complement of an
ideal is closed under penetrator actions when there are XOR keys. Therefore, even
if each nonce were a key, the ideal complement would be closed. The penetrator
has fewer available actions with the nonces, so the bound of the ideal still holds,
and proves the secrecy of S. Thus, when there are both XOR nonces and keys, we
assume in our analysis that the two data types are indistinguishable.
However, the two sets are truly identical only in certain situations. If at least one
of KX and TX (the XOR keys and nonces, respectively) are not closed under XOR,
then the sets are free to intersect in any way. In this case, it is impossible to predict
the data type of a product, and in a sense, the keys and nonces are indistinguishable
again. If both KX and TX are closed under XOR, then one of the sets contains the
other, and at least one of the sets is equal to X itself. Suppose that KX 6⊂ TX . Then
there is some K ∈ KX such that K 6∈ TX . Thus, for any T ∈ TX , the identity
T ⊕(K ⊕T ) = K implies that K ⊕T 6∈ TX , since TX is closed and K 6∈ TX . Therefore,
for each T ∈ TX , both K, K ⊕ T ∈ KX so T ∈ KX as well, and TX ⊂ KX . One of the
sets must be equal to X itself, since X is just the union of the two sets.
The general problem of XOR on an arbitrary closed set of unencrypted terms
is more difficult. It isn’t clear what assumptions are needed so that the ideal con-
struction can still be used to prove secrecy. However, this problem is important, as
it would allow the analysis of protocols in which XOR is used as the cryptosystem.
 Chapter 3

Conclusion

We have shown how to extend the strand space machinery to analyze XOR
protocols, using extensions of previous results that take into account the structure
of XOR.
The most important construction for analyzing unstructured protocols is the
bound on the penetrator’s actions that arises from ideal complements. A carefully
constructed bound is used to prove that in a well-designed protocol the penetrator
is unable to learn certain secret values, no matter how cleverly he proceeds. That
such a bound exists is proved by modeling penetrator actions as algebraic opera-
tions on the message space, and then using honest ideals to construct sets that are
closed relative to these operations. Ideals are used directly to prove the secrecy of
nonces and both randomly chosen and private keys. Then the secrecy of certain
terms is used to prove authentication guarantees, since upon receiving a secret
term in encrypted form, a principal can deduce which party could have possibly
sent such a message. In a good protocol, that party must be the expected principal.
In XOR protocols, the new operation adds additional algebraic structure to the
messages. However, the structure is that of a well understood group or vector
space, and the penetrator actions are again bounded by taking a closed subgroup
generated from the messages emitted by regular participants. Again, an ideal con-
struction based on such a subgroup is used to prove secrecy in an XOR protocol.
Authentication is more difficult to prove, since it isn’t always clear how a message
may have been manipulated with XOR. There is a subtle challenge in bounding the
penetrator’s actions, as it is difficult to distinguish between random guessing and
 45

more knowledgeable manipulations.

3.1 Future Work

There are many useful directions in which this research can continue. The study
of XOR protocols is incomplete, as we do not have general methods for proving
authentication results. Another important extension is the study of protocols in
which XOR is used as the symmetric encryption algorithm. It may be worthwhile
to use the machinery we have developed to analyze such protocols, keeping in
mind that every message is now a product.
Protocols that use modular functions instead of XOR to aid in distributing fresh
keys are also widely used. For example, in the well known Diffie-Helman key-
exchange protocol, two regular participants choose nonces x and y, and transmit
g x mod p and g y mod p, where g is a generator of the multiplicative group modulo
the prime p. Both principals can then calculate g xy , and presumably the penetrator
can only obtain this value by either calculating the discrete logarithm or exploiting
a protocol flaw. The goal in studying such protocols would be to understand the
group structure and contain the penetrator actions as we did with XOR in this
paper. Through preliminary investigations of this problem, we believe that for
certain choices of the base prime p, most of the penetrator actions are equivalent to
random guesses, and therefore the ideal construction should be applicable.
Many of the assumptions of the strand space model and other similar systems
are based on the fact the message space is very large, and random guesses of keys
and nonces are very unlikely to be correct. We made similar assumptions when
considering protocols with algebraic structure in the message space. These as-
sumptions depend on the “sparseness” of the additional structures, so that we
could reasonably assume that distinct random values are independent in a useful
sense. We would like to see rigorous justification of the assumptions. One possible
 46

approach is using nonstandard analysis to prove asymptotic results. It is easier

to consider guesses when the spaces are infinitely large. If useful results could
be shown in this context, then the overspill property of nonstandard sets would
guarantee the existence of large, finitie spaces for which the results also hold.
Finally, our method for extending strand spaces relies primarily on finding
closed subsets of messages and using them to bound the penetrator’s actions. This
should be applicable to a variety of different algebraic structures, and it is natural
to consider message algebras with arbitrary identities. However, given the com-
plexities that arose in ideal construction even in the simple case of XOR, the general
case seems to require a more powerful method.
 Bibliography

[1] F. Javier Thayer Fabrega, Joshua D. Guttman, and Jonathan C. Herzog. Strand
spaces: Proving security protocols correct. Journal of Computer Security, (7):191–
230, 1999.

[2] Gavin Lowe. An attack on the Needham-Schroeder public key authentication

protocol. Information Processing Letters, 56(3):131–136, Nov 1995.

[3] Gavin Lowe. Breaking and fixing the Needham-Schoeder public-key protocol
using FDR. Lecture Notes in Computer Science, (1005):147–166, 1996.

[4] Roger Needham and Michael Schroeder. Using encryption for authentication
in large networks of computers. Communications of the ACM, 21(12), Dec 1978.

[5] Makoto Tatebayashi, Natsume Matsuzaki, and David B. Newman, Jr. Key dis-
tribution protocol for digital mobile communication systems. In Giles Brassard,
editor, Advances in Cryptology – CRYPTO ’89, number 435 in Lecture Notes in
Computer Science, pages 324–334, New York, 1990. Springer-Verlag.