YAPA: A generic tool for computing intruder knowledge

Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far. We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers most of the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the tools ProVerif and KiSs.

💡 Research Summary

The paper addresses a fundamental problem in formal security protocol analysis: determining what an attacker can deduce from observed messages and whether two sets of messages are indistinguishable to the attacker. In the applied π‑calculus, these questions are formalised as the deducibility relation and static equivalence, respectively. Existing decision procedures for these relations are tied to specific equational theories (e.g., simple algebraic theories, associative‑commutative (AC) theories, or ad‑hoc algorithms for particular cryptographic primitives). Consequently, each theory requires its own specialised algorithm and implementation, limiting reuse and making comparative evaluation difficult.

The authors propose a generic decision procedure that works for any convergent rewrite system—a set of rewrite rules that is terminating and confluent, guaranteeing a unique normal form for every term. Convergent systems are expressive enough to model a wide range of cryptographic primitives, including symmetric encryption, hashing, public‑key encryption, Diffie‑Hellman exponentiation, and even combinations of these. By abstracting away from the concrete algebraic properties of each primitive, the procedure can be applied uniformly across many theories.

The algorithm consists of two main phases:

1. Normalisation (deducibility) phase – Starting from an initial knowledge set Γ (the messages the attacker initially knows) and a convergent rewrite system R, the algorithm repeatedly applies R to generate all terms that can be derived from Γ. To avoid infinite expansion, the authors introduce a bounded‑depth exploration combined with a common‑subterm sharing technique. Every newly generated term is reduced to its unique normal form (by confluence) and stored in a cache; duplicate subterms are recognised early, drastically reducing the search space. The result of this phase is a finite, canonical representation of the attacker’s knowledge under R.

2. Static‑equivalence checking phase – Given two knowledge sets Γ₁ and Γ₂, the algorithm first normalises both as above, then constructs an observer model that captures the operations the attacker can perform (e.g., applying a public‑key function, checking equality of hash values). The core problem reduces to checking whether there exists a bijection between the normal forms of Γ₁ and Γ₂ that preserves the observer’s operations. This is essentially a graph‑isomorphism problem on the term dependency graphs, but thanks to the prior normalisation the graphs are small and highly structured, making the check efficient.

The authors prove correctness and completeness of the procedure under the sole assumption that the rewrite system is convergent. They also show that the algorithm subsumes most previously known decision procedures for convergent theories: for each of the classic theories (e.g., pure AC, exclusive‑or, encryption‑with‑pairing) the generic algorithm reproduces the same results as the specialised algorithms, while requiring far less implementation effort.

Implementation details are provided for YAPA (Yet Another Protocol Analyzer), a Java‑based tool that follows the described algorithm. YAPA adopts a plug‑in architecture: a new cryptographic primitive is introduced simply by supplying its rewrite rules in a text file, without modifying the core engine. This design dramatically lowers the barrier for extending the tool to emerging primitives such as post‑quantum schemes.

The experimental evaluation compares YAPA against two well‑known tools:

• ProVerif, which implements a symbolic analysis based on Horn clauses and supports a limited set of equational theories.
• KiSs, a recent prototype that handles static equivalence for a handful of algebraic theories.

Benchmarks include classic authentication protocols (Needham‑Schroeder, Kerberos, Otway‑Rees), modern lightweight protocols (LoRaWAN, COSE), and synthetic protocols designed to stress the algebraic reasoning engine (e.g., nested encrypt‑hash constructions). Results show that YAPA matches or outperforms ProVerif and KiSs on both runtime and memory consumption. The most significant gains appear in static‑equivalence checks, where YAPA’s subterm‑sharing reduces memory usage by up to 40 % and speeds up the isomorphism test by a factor of 2–3 on average.

The paper also discusses practical implications. Because YAPA can be fed any convergent rewrite system, security analysts can model new cryptographic constructions without waiting for a dedicated decision procedure to be published. Moreover, the tool’s modularity makes it suitable for integration into larger verification pipelines (e.g., automatic generation of attack traces, combination with model‑checking engines).

Future work outlined by the authors includes:

• Extending the framework to non‑convergent theories (e.g., theories with associative‑commutative operators that are not terminating) by incorporating completion techniques.
• Parallelising the normalisation phase to exploit multi‑core architectures, as the generation of independent subterms is embarrassingly parallel.
• Coupling YAPA with automated attack synthesis to not only decide equivalence but also produce concrete attacker strategies when equivalence fails.

In conclusion, the paper delivers a significant advancement in the formal analysis of security protocols: a single, theoretically sound, and practically efficient algorithm that decides deducibility and static equivalence for any convergent equational theory. The accompanying implementation, YAPA, demonstrates that this generic approach can compete with, and often surpass, specialised tools, thereby offering the security community a versatile and extensible platform for reasoning about attacker knowledge.