Proving Security Goals With Shape Analysis Sentences

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

The paper that introduced shape analysis sentences presented a method for extracting a sentence in first-order logic that completely characterizes a run of CPSA. Logical deduction can then be used to determine if a security goal is satisfied. This paper presents a method for importing shape analysis sentences into a proof assistant on top of a detailed theory of strand spaces. The result is a semantically rich environment in which the validity of a security goal can be determined using shape analysis sentences and the foundation on which they are based.


💡 Research Summary

The paper addresses the longstanding challenge in cryptographic protocol analysis of determining whether a formally expressed security goal holds for all executions compatible with a given protocol. Building on Guttman’s strand‑space model, the authors treat a security goal as a quantified implication of the form ∀ ~x. Φ₀ ⊃ ∃ ~yᵢ. Φᵢ, where Φ₀ describes regular (honest) behavior and each Φᵢ describes a desired regular behavior. In the original strand‑space setting, a skeleton k together with a variable assignment α satisfies a formula Φ (written k,α ⊨ Φ) when the conjunction of atomic formulas in Φ holds in k under α. A realized skeleton contains enough regular behavior plus all possible adversarial actions to explain every reception event.

The Cryptographic Protocol Shapes Analyzer (CPSA) operates on skeletons rather than bundles. Starting from an initial skeleton k₀, CPSA computes all minimal realized skeletons kᵢ that are homomorphic images of k₀, together with the homomorphisms δᵢ : k₀ → kᵢ. These minimal, essentially different skeletons are called the “shapes” of the analysis. CPSA can then emit a shape analysis sentence: a first‑order logical formula that completely characterizes the set of shapes and the associated homomorphisms. This sentence encodes everything learnable from the analysis, and a security goal is achieved if it can be deduced from the sentence.

However, CPSA’s built‑in support for logical deduction (via a Prolog translation to the automated prover Prover9) lacks certain logical facts that are useful for proving goals, such as the transitivity of the “precedes” relation on nodes. Consequently, a goal may be undecidable from the shape analysis sentence even when it is true, simply because the necessary background lemmas are unavailable.

The core contribution of the paper is a method for importing shape analysis sentences into the PVS (Prototype Verification System) proof assistant, which already hosts a detailed, higher‑order, typed formalization of strand spaces. The authors first formalize the message algebra as an order‑sorted initial term algebra with sorts for asymmetric keys (A), symmetric keys (S), data (D), and the generic message sort (⊤). Encryption, pairing, and key‑inverse operations are defined, together with the carrier sets and the “carried‑by” relation ⊑.

Strands are modeled as sequences of events (+t for transmission, −t for reception) and bundles as directed acyclic graphs whose vertices are strand nodes, with edges representing either communication (→) or strand succession (⇒). The causal order ≺ is the transitive closure of these edges. Roles are defined as templates (C, N, U) where C is a trace, N a sequence of non‑origination assumptions, and U a sequence of unique‑origination assumptions. An instance of a role must respect these assumptions at each prefix of the trace.
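As an added illustration of the strand-space notions just described (this is not code from the paper or from its PVS theory), the following Python models strands as event sequences, builds the → and ⇒ edges of a bundle, computes ≺ as their transitive closure, and checks the two bundle conditions the summary mentions: every reception is explained by a transmission, and the order is acyclic. It also checks transitivity of ≺ explicitly, the background fact that CPSA's own deduction lacks. The node names and the two sample runs are constructed for the example.

```python
"""Strands, bundle edges and the causal order for a two-message protocol.
Added illustration; not code from the paper or the PVS theory.  Node names
and the sample strands are constructed."""
from itertools import product

# A strand is a list of signed events: ("+", t) transmits t, ("-", t) receives t.
HONEST_RUN = {
    "init": [("+", "m1"), ("-", "m2")],  # initiator: send m1, then receive m2
    "resp": [("-", "m1"), ("+", "m2")],  # responder: receive m1, then send m2
}

# Constructed counterexample: each side waits for the other's message before
# sending.  Every reception has a sender, yet the causal order is cyclic.
DEADLOCKED_RUN = {
    "init": [("-", "m2"), ("+", "m1")],
    "resp": [("-", "m1"), ("+", "m2")],
}


def succession_edges(strands):
    """⇒ edges: each node to its successor on the same strand."""
    return {((s, i), (s, i + 1)) for s, ev in strands.items() for i in range(len(ev) - 1)}


def communication_edges(strands):
    """→ edges: each transmission of t to every reception of the same t
    (in these samples every message has exactly one sender)."""
    edges = set()
    for (s1, ev1), (s2, ev2) in product(strands.items(), repeat=2):
        for i, (d1, t1) in enumerate(ev1):
            for j, (d2, t2) in enumerate(ev2):
                if d1 == "+" and d2 == "-" and t1 == t2:
                    edges.add(((s1, i), (s2, j)))
    return edges


def precedes(edges):
    """≺ as the transitive closure of the edge relation (Warshall's algorithm)."""
    nodes = {n for e in edges for n in e}
    rel = set(edges)
    for k in nodes:
        for i in nodes:
            for j in nodes:
                if (i, k) in rel and (k, j) in rel:
                    rel.add((i, j))
    return rel


def is_transitive(rel):
    """The background fact CPSA's deduction lacks and PVS supplies as a lemma."""
    return all((i, j) in rel for (i, k) in rel for (k2, j) in rel if k == k2)


def is_bundle(strands):
    """Two bundle conditions: every reception has an incoming → edge, and
    the causal order is acyclic (no node precedes itself)."""
    comm = communication_edges(strands)
    order = precedes(comm | succession_edges(strands))
    receptions = {(s, i) for s, ev in strands.items() for i, (d, _) in enumerate(ev) if d == "-"}
    explained = all(any(dst == n for _, dst in comm) for n in receptions)
    acyclic = not any(src == dst for src, dst in order)
    return explained and acyclic


if __name__ == "__main__":
    order = precedes(communication_edges(HONEST_RUN) | succession_edges(HONEST_RUN))
    print("honest run is a bundle:", is_bundle(HONEST_RUN), "| transitive:", is_transitive(order))
    print("deadlocked run is a bundle:", is_bundle(DEADLOCKED_RUN))
```

In the honest run the closure relates the initiator's first node to the responder's second node even though no single edge joins them; that derived fact is exactly what a proof needs transitivity of ≺ for.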

To bridge CPSA and PVS, the authors observe that CPSA’s skeletons are built over a free algebra generated by a finite set of variables X, denoted Θ_X. By treating these variables as logical variables in PVS, the need to manipulate explicit homomorphisms disappears; instead, the homomorphic relationship is captured by logical substitution. CPSA role templates r = (C_X, N_X, U_X) become PVS role items σ(r) for each algebra homomorphism σ : A_X → A. Consequently, a CPSA shape analysis sentence can be directly expressed as a PVS theorem about the existence of appropriate instantiations of role items and the satisfaction of the carried‑by and non‑origination constraints.

The paper demonstrates the approach with a concrete example: a simple two‑message authentication protocol originally due to Blanchet. In the insecure version, Alice encrypts a freshly generated symmetric key s with Bob’s public key b, signs it with her private key a⁻¹, and sends it to Bob; Bob then returns data d encrypted under s. A man‑in‑the‑middle attack using a compromised key b′ allows an adversary to intercept and replace the encrypted key, breaking authentication. The security goal is that whenever a responder role (Bob) completes, there must have been an initiator role (Alice) that sent the first message, and the keys used for signing and encryption must agree.

Running CPSA on the insecure protocol yields a shape analysis sentence that guarantees the existence of the initiator’s first message but does not guarantee key agreement. In PVS, the authors add a lemma expressing the transitivity of the node order and another lemma stating that if the initiator’s first message is present, then the key used for signing must be the same as the one used for encryption. Even with these lemmas, the goal cannot be proved, and a counterexample bundle can be constructed, confirming the protocol’s flaw.

When the protocol is amended to include Bob’s public key in the signed payload, CPSA’s shape analysis sentence now includes the key‑agreement information. Importing this sentence into PVS, together with the same lemmas, allows the security goal to be proved automatically. This illustrates how the combination of shape analysis sentences (capturing the exhaustive results of CPSA) and the expressive power of PVS (providing additional logical background) yields a robust verification workflow.
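The following Python is an added illustration of the two protocol versions and the key-agreement goal discussed in the three paragraphs above; it is not code from the paper, from CPSA or from PVS. It plays the role of a miniature shape analysis: given that the responder completed, it enumerates the initiator instantiations (varying only the peer whose public key the initiator encrypted under) that a Dolev-Yao adversary holding a compromised private key could transform into the responder's reception, and then deduces the goal from that set. The class names, helper functions, the adversary model (decompose, then synthesize by pairing and encrypting) and the compromised-key name "b1" are all constructed assumptions.

```python
"""Toy check of the key-agreement goal for the two-message protocol.
Added illustration; not code from the paper, CPSA or PVS.  All names,
helpers and the adversary model are constructed assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Union


@dataclass(frozen=True)
class Atom:  # data, symmetric keys and names
    name: str


@dataclass(frozen=True)
class Key:  # asymmetric key of `agent`; priv=True is the inverse key
    agent: str
    priv: bool = False

    def inverse(self) -> "Key":
        return Key(self.agent, not self.priv)


@dataclass(frozen=True)
class Pair:
    left: "Term"
    right: "Term"


@dataclass(frozen=True)
class Enc:  # {|msg|}key ; signing is encryption under a private key
    msg: "Term"
    key: "Term"


Term = Union[Atom, Key, Pair, Enc]


def pk(agent: str) -> Key:
    return Key(agent)


def sk(agent: str) -> Key:
    return Key(agent, priv=True)


def first_message(a: str, b: str, s: Atom, amended: bool) -> Term:
    """Initiator's first transmission: payload signed with a's private key,
    encrypted under b's public key.  The amended version also binds b's
    public key inside the signed payload."""
    payload = Pair(s, pk(b)) if amended else s
    return Enc(Enc(payload, sk(a)), pk(b))


def analyze(known: Iterable[Term]) -> FrozenSet[Term]:
    """Adversary decomposition: un-pair, and decrypt when the inverse key
    (or the symmetric key itself) is already known."""
    terms = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(terms):
            if isinstance(t, Pair):
                new = {t.left, t.right}
            elif isinstance(t, Enc):
                needed = t.key.inverse() if isinstance(t.key, Key) else t.key
                if needed not in terms:
                    continue
                new = {t.msg}
            else:
                continue
            if not new <= terms:
                terms |= new
                changed = True
    return frozenset(terms)


def synthesizable(target: Term, analyzed: FrozenSet[Term]) -> bool:
    """Adversary composition: build `target` from analyzed knowledge by
    pairing and encrypting."""
    if target in analyzed:
        return True
    if isinstance(target, Pair):
        return synthesizable(target.left, analyzed) and synthesizable(target.right, analyzed)
    if isinstance(target, Enc):
        return synthesizable(target.msg, analyzed) and synthesizable(target.key, analyzed)
    return False


def consistent_initiators(a: str, b: str, s: Atom, compromised: Iterable[str], amended: bool) -> List[str]:
    """Peers p such that an initiator run encrypting under pk(p) explains the
    responder's reception of first_message(a, b, s), when the adversary holds
    sk(p) for every compromised p plus all public keys and names."""
    compromised = set(compromised)
    expected = first_message(a, b, s, amended)
    peers = [b] + sorted(compromised - {b})
    base = {pk(p) for p in peers} | {sk(p) for p in compromised} | {Atom(p) for p in peers}
    return [p for p in peers
            if synthesizable(expected, analyze(base | {first_message(a, p, s, amended)}))]


def key_agreement_holds(a: str, b: str, s: Atom, compromised: Iterable[str], amended: bool) -> bool:
    """Security goal: every explaining initiator encrypted under the responder's own key b."""
    return all(p == b for p in consistent_initiators(a, b, s, compromised, amended))


if __name__ == "__main__":
    s = Atom("s")
    for amended in (False, True):
        label = "amended" if amended else "insecure"
        print(label, consistent_initiators("a", "b", s, {"b1"}, amended),
              "goal holds" if key_agreement_holds("a", "b", s, {"b1"}, amended) else "goal fails")
```

For the insecure version both peers explain the responder's reception, because the adversary can strip the outer encryption with the compromised key and re-encrypt the signed key under the responder's public key, so the goal fails; in the amended version the responder's public key is inside the signature, which the adversary cannot re-create without the initiator's private key, so only the honest instantiation remains and the goal holds.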

The authors compare their approach with related tools. Scyther integrates goal checking with protocol analysis but does not produce a characterization of the analysis; its goals must be expressed in a predefined vocabulary. Protocol Composition Logic adds an operational semantics and a temporal logic over runs, but it does not provide the same level of abstraction as shape analysis sentences. The present work uniquely offers a complete logical characterization of the analysis (via shape analysis sentences) and leverages a mature theorem prover to supply missing logical facts, thereby achieving both automation and rigor.

In conclusion, the paper presents a method for importing CPSA’s shape analysis sentences into a PVS formalization of strand spaces, enabling the proof (or disproof) of security goals with full access to the underlying algebraic and causal structure. By doing so, it bridges the gap between automated protocol analysis and interactive theorem proving, offering a powerful, semantically rich environment for cryptographic protocol verification.
