Efficient Verification of Cryptographic Protocols with Dynamic Epistemic Logic

Abstract: The security of cryptographic protocols has always been an important issue. Although the literature offers various schemes for verifying protocols, verifying cryptographic protocols efficiently and accurately is still a challenging research task. In this work, we develop a formal method based on dynamic epistemic logic to analyze and describe cryptographic protocols. In particular, we adopt the action model to depict the execution process of the protocol. To verify security, the intruder's actions are analyzed. We model the protocol exactly in our formal language and give the verification models according to the security requirements of the cryptographic protocol. With analysis and proof on a selected example, we show the usefulness of our method. The result indicates that the selected protocol meets the security requirements.


Introduction
The security of cryptographic protocols is crucial in their design, since cryptographic protocols must withstand attacks from attackers. If a cryptographic protocol has any security flaw, attackers or intruders can attack it. Therefore, security verification of cryptographic protocols is particularly important for checking whether a protocol meets its security goals. There are many methods to verify the security of cryptographic protocols, and among them logic-based methods play an important role. Many works (e.g., [1][2][3][4][5]) apply logical methods to analyze and verify cryptographic protocols. The earliest logical analysis method is based on the Dolev-Yao model [6]. It is well known that the Dolev-Yao model opened the way for the study of formalization, and a variety of logic-based analysis methods for cryptographic protocols have since appeared. In the existing literature, most protocols analyzed with epistemic logic are authentication protocols, and the analysis is done by model checking. For example, in the paper [7], the researchers propose two virtual agents that perform encryption and decryption, and construct a model checker to check the protocol. Other papers use the belief logic of the KD45 system: the protocol is described in belief logic, and reasoning rules are then established to infer the security of the protocol.
In particular, the cryptographic protocols considered here are protocols that use classical cryptography. With research on quantum computers, quantum cryptography is a research trend. The latest developments in quantum cryptography were surveyed in the paper [8], which discusses quantum key distribution (QKD) at length. Similarly, Davide Bacco, Beatrice Da Lio et al. also researched quantum key distribution [9]. They showed how QKD technology can overcome the limitation of low key rate and produce a high key rate on a 37-core fiber. At present, wide application of quantum technology still faces great challenges, and security verification of quantum cryptography protocols may be even more challenging; it will be the subject of our next research. Here, we construct a precise dynamic epistemic logic language to describe protocols with classical cryptography and give the action model according to the characteristics of the actions. The action model describes the protocol actions accurately, and the execution process of the protocol actions is the operation process of the protocol. The execution process of the actions is also expressed clearly and intuitively, so the whole operation process of the cryptographic protocol is completely formalized. Our verification does not need complex rules and reasoning: the results are obtained only through the action description table.
We summarize our work as follows:
• Applying dynamic epistemic logic, a formal language is developed to describe the cryptographic protocol. The syntax and semantics of this language are given. Cryptographic primitives and special propositions are built.
• The action model is constructed to display action elements. Through update execution, the model is updated; the execution of actions results in changes between models. We model the protocol accurately. In a sense, the logic description is the logic analysis for cryptographic protocols.
• With the logical language and the action model, a specific example is verified. In the protocol, a secret message is transmitted between two users, each of whom has only their own key. The goal of the protocol is that, after its execution, only the two users know the secret message and the outside intruder cannot know it. We give the goal models. Through analysis and proof, we show that the protocol meets the intended requirements and is secure.
The rest of the paper is arranged as follows. The second section displays related work about verification and analysis of the cryptographic protocol. The third section demonstrates a logic language we develop and the related basic knowledge. In Section 4, we present a specific cryptographic protocol and formalize it. Section 5 presents the verification process of the cryptographic protocol. In Section 6, we give our conclusion and expectation.

Related Work
Since the Dolev-Yao model created a way of logical analysis for cryptographic protocols, all kinds of logical analysis methods for cryptographic protocols have been introduced. The BAN (Burrows, Abadi and Needham) logic [1] is a pioneer. BAN logic verifies the security of cryptographic protocols by a formal method. This initiative greatly stimulated the interest of researchers in the formal analysis of cryptographic protocols and became a milestone in the analysis of cryptographic protocols. The formalization of BAN logic is built on several types of modal logic. In the paper [1], the authors first gave a set of reasoning rules based on BAN logic and analyzed the security of protocols by belief deduction. Follow-up research found many drawbacks in BAN logic, so BAN logic was extended to GNY logic [10], VO logic [11] and MB logic [12], and it is constantly improved in application. Today, BAN logic is still used as a verification tool for security protocols or authentication protocols in radio frequency identification systems [13], Internet of things systems [14,15], and remote authentication protocols [16].
AT logic [17] was proposed by Abadi and Tuttle. It improves on the problems of BAN logic in terms of syntax, semantics and rules. The paper [18] and the book [19] employed SVO logic to analyze cryptographic protocols. SVO logic has stricter definitions of the protocol logic, and the protocol model based on SVO logic has a wider range of applications.
There are many other logics for analyzing cryptographic protocols, such as non-monotonic logic [20], time-dependent cryptographic protocol logic [21], protocol composition logic [22] and so on. Across all logical analyses, there are four analysis types for finding attacks in cryptographic protocols.
Finding new attacks by inductive proof, the authors of [2] analyzed three protocols: a recursive protocol, the Needham-Schroeder protocol and Otway-Rees. Lowe's attack and a new attack were discovered. Another paper [23] also analyzed two variants of Yahalom.
The authors of [4] used rewriting calculus to display the Needham-Schroeder Public-Key protocol. With rewrite rules, they gave all actions in the protocol for all agents, including attackers. By these strategies and a set of rewrite rules, they could find attacks in the protocol.
Many works (e.g., [24][25][26][27][28]) employ process calculus. Typed process calculus displays security information (e.g., [29][30][31][32][33]) using the idea of standard static analysis. Static analysis has some inadequacies when operating on cryptographic data, so the work in [34] improved the handling of these operations: they described the protocols and gave proofs of their security based on the typed process calculus.
Model checking is still a widely used method to verify protocol security. The authors of [3] proposed a method that uses abstract data and deductive rules to prove the results of model checkers. Hans van Ditmarsch et al. [7] developed a dynamic epistemic model checker. In the follow-up work (e.g., [7,35,36]), many researchers verified and analyzed security protocols with dynamic epistemic logic. The authors of [37] proposed a variant of epistemic logic methods to verify authentication protocols.
Although many scholars have done a lot of work in this field, none of the methods is a once-and-for-all solution; different protocols need different methods of analysis or verification. In this paper, dynamic epistemic logic is used to describe and analyze a specific cryptographic protocol, so as to verify the security of the protocol effectively.

A Dynamic Epistemic Language for Cryptographic Protocols
We develop a language based on dynamic epistemic logic to describe cryptographic protocols. We extend epistemic logic with the action model (following the paper [49]). The structure of propositions is refined by three predicates 'has', 'const' and 'tg': 'has' denotes that an agent has a certain message, 'const' denotes that a certain message can be derived from the agent's information set, and 'tg' tags an action of the cryptographic protocol that has been performed.
We call this language $\mathcal{L}^{A,B}_{cryp}$, where cryp means cryptography, A is a set of agents, and B ⊆ A is the set of agents at epistemic states who are participants in the protocol we want to analyze. We use A to denote a set of actions.

Syntax of the Language $\mathcal{L}^{A,B}_{cryp}$
Before giving the syntax of the language, we define some basic concepts about this language.

Definition 1 (Message). M is taken as the set of messages.
Message m in the protocol, as a logic term, is defined by: where n is a nonce or the ASCII encoding of a message; generally, n denotes a plain message. Also, k is a crypto-key. $\{m\}_k$ is the encryption of m with key k (a ciphertext message), and $(m, m')$ represents the concatenation of m and $m'$.
Definition 2 (Propositions). In this system, the set $\Phi^A_{cryp}$ of basic propositions p is defined by: where a ∈ A, m ∈ M and σ ∈ A. $has_a\,m$ means that agent a possesses message m (the message was received by agent a or came from the initial distribution). $const_a\,m$ means that agent a can construct m from the messages he possesses. $tg(\sigma)$ denotes that action σ is tagged. Let $\Phi_I$, $\Phi_I$, $\Phi_{tg}$ be the subsets of $\Phi^A_{cryp}$ that contain the above three kinds of propositions, respectively. Next, we define action models.
We now define action models, following the idea of the papers [49,50]. The condition for executing an action is called its precondition; without the corresponding precondition, the action cannot be executed. In this system, all preconditions belong to $\Phi^A_{cryp}$, which is part of the language $\mathcal{L}^{A,B}_{cryp}$. Facts that hold after the execution of an action are called its postcondition. The postcondition displays the change of basic facts after running the action and is divided into two parts: $Pos_I$, which shows the changes to the information sets, including messages sent by the agents, and $Pos_{AL}$, which shows the changes to the action labels recording which actions the agents have performed.
Definition 3 (Action model). Based on the logical language $\mathcal{L}^{A,B}_{cryp}$, an action model $\mathcal{A}$ is a structure $\mathcal{A} = (A, \{\sim_a\}_{a\in B}, Pre, Pos_I, Pos_{AL})$, where A is a non-empty and finite set of actions, $\sim_a$ is an equivalence relation (reflexive, symmetric and transitive) on A for all a ∈ B, and $Pre : A \to \Phi^A_{cryp}$ assigns a propositional precondition to every action. We employ the idea of the paper [49] to deal with the postcondition. Φ is the set of propositions of the language $\mathcal{L}^{A,B}_{cryp}$. For simplicity of description, we use substitutions in this model structure: a function Φ → L is a substitution for L; it maps basic propositions of the language to their variants. SUB(L) is the set of substitutions from Φ to L. So, $Pos_I : A \to SUB(\mathcal{L}^{A,B}_{cryp})$ gives a substitution for L with the property $Pos_I(\sigma)(p) \in \Phi_I \cup \{\top, \bot\}$ for all $p \in \Phi_I$ and σ ∈ A, and $Pos_{AL} : A \to SUB(\mathcal{L}^{A,B}_{cryp})$ gives a substitution for L with the property $Pos_{AL}(\sigma)(p) \in \Phi_{AL} \cup \{\top, \bot\}$ for all $p \in \Phi_{AL}$ and σ ∈ A.
We write '$m \in I_a$' for the substitution mapping '$has_a\,m$' to ⊤; the message m is thereby added to the information set of agent a after the execution of the action.
We write '$\sigma^+$' to tag the current action, for the substitution mapping $tg(\sigma)$ to ⊤, and similarly '$\sigma^-$' for a premise action, for the substitution mapping $tg(\sigma)$ to ⊥. This labels (unlabels) σ after the execution of the action. We will use these substitutions to formalize all postconditions in the protocol.
is an action in the action model $\mathcal{A}$. The meaning of the formulas is the same as in ordinary dynamic epistemic logic: $K_a\varphi$ means that agent a knows φ, and $[\mathcal{A}, \sigma]\varphi$ means that after the execution of action σ in $\mathcal{A}$, φ holds.

Here W is a non-empty set of possible worlds, $R_a$ is a binary equivalence relation on W for all a ∈ B, I denotes the information sets, with $I_{w,a}$ the set of information that agent a possesses at world w, that is $I : W \times A \to \mathcal{P}(M)$, and AL denotes the action label, $AL : W \to \mathcal{P}(A)$. For σ ∈ A, tg(σ) means that action σ in the set A has been tagged. I and AL correspond to the valuation of basic propositions: if $m \in I_{w,a}$, then $has_a\,m$ is satisfied at world w. Here m is a message that agent a possesses by receiving it or by some initial distribution. A message m may also be constructed by the agent from the messages in his information set; that is $const_a\,m$.

In the following, we borrow the idea of the paper [51] and give the construction rules. $(m, m')$ denotes the concatenation of two messages. In these expressions, above the line is the condition and below the line is the result. The first one says that if an agent has message m and a key k in his information set, he should be able to construct $\{m\}_k$. The others are similar and will not be described.
The satisfaction relations of basic propositions are defined as follows. Having different basic propositions at different worlds displays the transformation between models. This update execution is defined as follows.

Definition 8 (Updated model).
Let M be a model for $\mathcal{L}^{A,B}_{cryp}$ and $\mathcal{A}$ be an action model; the updated model

The Verification Problem of the Cryptographic Protocol
Protocol description: We use Crypto to denote the cryptographic protocol. The execution process of a protocol is a sequence of actions. In cryptography, a protocol is described in the form A → B : m (agent A sends message m to B), where m ∈ M is a message that has a certain pattern. These patterns were defined in Definition 1 of this system.
Instantiations: Action patterns are an important part of the execution of a cryptographic protocol. We usually instantiate action patterns by an instantiation θ, a map from the parameters of the protocol to their respective domains. One execution of a protocol can have several interleaved instantiations. In this system, we use Θ to denote the set of all instantiations. In this protocol, the number of parameters is finite, and so is Θ.
Network environment: We assume that the network on which the protocol can be run consists of an input-buffer and an output-buffer just as that defined in the work [52]. We take the two parts as two special agents In and Out. In the protocol, the trusted agents can only send a message to In. The attacker or intruder could eavesdrop messages from In. The trusted agents receive messages from Out.
The verification model: The verification model is the model in which this protocol achieves the goal pattern. After running the protocol Crypto, a requirement φ (φ ∈ $\mathcal{L}^{A,B}_{cryp}$) should hold. So, we formalize the verification model as below: M is the model we defined previously, including all assumptions at the initial state and all epistemic information of all agents.

Modeling Action Models
The changes of the language model depend on the execution of actions in the protocol; that is to say, action execution results in a change of model. So, we first give the action model. We have given the initial model M and the action model $Crypto_{Intr}$. Let Ag be the set of agents in this protocol; we take T (T ∈ Ag) as the name of the intruder who performs the intruder's actions. So, in this system, A = Ag ∪ {In, Out} and B = Ag.
We give the action model $Crypto_{Intr}$. The intruder's actions and the actions of the protocol requirement are taken from the set of actions A in $Crypto_{Intr}$ according to the intruder model and the protocol specification.
In the protocol, a → b : m means that agent a sends message m to agent b. We split the action into two parts: 'send' (σ) a → In : m and 'receive' (δ) Out → b : m. The precondition for executing the send action is that agent a can construct m from his information set: $Pre(\sigma) = const_a\,m$. The postcondition of σ is $Pos_I(\sigma) = m \in I_{In}$. We use $\sigma^+$ or $\sigma^-$ to mark or unmark actions. Similarly, the precondition of action δ is $Pre(\delta) = has_{Out}\,m$; we stipulate that the buffer cannot construct any new message. The postcondition of δ is $Pos_I(\delta) = m \in I_b$ plus a possible action marking. A specific action in A is transformed into a parameterized set of actions of the action model. Next, we model the intruder's actions.
Intruder's actions: In the network model, we assume the intruder can eavesdrop all information from the buffer. So, the intruder's actions have the form In → T : m or T → Out : m. That is to say, on the one hand the intruder can take any message from the in-buffer; on the other hand, the intruder can construct any message and put it into the out-buffer. These actions are described as parameterized actions in the action model in Table 1. Epistemic relations between actions: In the system, an agent can only distinguish the actions that he has performed himself; the other actions are indistinguishable for the agent. We use $\sim_a$ to denote the indistinguishability relation between actions for each agent a. We construct $\sim_T$ to display the actions that are indistinguishable for the intruder.
Initial Model: In the protocol, at the initial state, the model $M = (W, \{R_a\}_{a\in B}, I, AL)$ is described as below.
• W: a non-empty set of worlds.
• $R_a$: $w R_a v$ if and only if $I_{(w,a)} = I_{(v,a)}$ ($R_a$ is an equivalence relation for a, meaning that a cannot distinguish w from v).
• I: the information sets of the agents. An agent's information set is always relative to a certain world, so any agent a (except the buffers) together with its information set I determines a world w; generally, we write it as $I_{w,a}$. In the initial state, we stipulate that the buffers are empty, so $I_{(w,In)} = I_{(w,Out)} = \emptyset$.
• AL: in the initial model, we let AL(w) = ∅ for all w ∈ W.
In the following, we analyze a specific cryptographic protocol with the formalization method described above.

Analysis of a Specific Cryptographic Protocol
In an insecure network, Alice has a secret message m and wants to send it to Bob. They only have their own keys. We call Alice the Sender (S) and Bob the Receiver (R). The Sender has her own key $k_s$ and the Receiver has his own key $k_r$; each can only decrypt data that was encrypted with his or her own key. The protocol is as below.
In the first step, the Sender encrypts m with $k_s$ and gets $\{m\}_{k_s}$; for simplicity, we write $\{m\}_{k_s}$ as $m_s$. The Sender then sends $m_s$ to the Receiver. After receiving it, the Receiver encrypts $m_s$ with $k_r$ and gets $m_{sr}$, which is sent back to the Sender. The Sender decrypts $m_{sr}$ and gets $m_r$. In the last step, the Sender sends $m_r$ to the Receiver, who decrypts $m_r$ and gets m. Finally, m has been transmitted from S to R. We apply an encryption that is commutative: $m_{sr} = m_{rs}$. Here, the key can be a symmetric or an asymmetric key. We now formalize this protocol. In this protocol, $M = \{m, m_s, m_{sr}, m_r\}$ and Ag = {S, R, T}, where S is the Sender, R is the Receiver and T is an intruder. First, we give the figure of the initial model and then formalize the execution of the protocol according to the actions of the protocol itself.
In the protocol, we have $M = \{m, m_s, m_{sr}, m_r\}$. However, in the initial state only S has m; the others do not. We give a figure to display which agent has the secret message m. According to $I_{w,S}$, $I_{w,R}$, $I_{w,T}$, we draw the picture, expressing each world w by the name of the agent that has m. The initial model is shown in Figure 1. In Figure 1, the solid lines indicate that the worlds at both ends are distinguishable for S, the dotted lines are for R, and the dashed lines are for T. Accordingly, the dotted and dashed lines form an indistinguishability relation for S, the solid and dashed lines form an indistinguishability relation for R, and the solid and dotted lines form an indistinguishability relation for T.
So, in the initial state we have $M, S \models has_S\,m \wedge \neg has_R\,m \wedge \neg has_T\,m$. Table 2 describes the actions that are stipulated in the protocol. Now, we add the actions of the intruder (T) in Table 3. We assume the intruder is a weak intruder: he cannot do anything but eavesdrop. He can only get all messages from the In-buffer and forward them to the Out-buffer. He cannot construct any other message because he does not have any key.

The Protocol Targets
In the initial state, S and R have their own keys, and only S has the secret message m. Our goal is that R will have m but T cannot have m after the execution of all actions. So, we give the target formulas.
Proof. From the construction rules, if an agent has $\{m\}_k$ and the corresponding k, then he can compute m. Without k, if m cannot be derived from M, then m cannot be constructed even if $\{m\}_k$ is added, because a premise condition is lacking. According to this proposition, T cannot compute the secret message m, because all messages he has from the In-buffer are encrypted data and he does not have the corresponding k.
In this system, the messages in the information set of any agent only ever increase; they are never decreased or deleted. So, we have: In the initial state, only S has the secret message m and the others do not have m. Of course, the intruder cannot have m, because no action has been done yet. Now, we prove that Target 2 is still true after the execution of the sequence of actions.

Proof.
We assume there exists a world w that satisfies the case below: So, the assumption contradicts it. The intruder can only get messages from the In-buffer, so if $m \in I_{In}$ then $m \in I_T$. We list the information in the In-buffer: $\bigcup_{1\le i\le n} I_{(w_i,In)} = \{m_s, m_{sr}, m_r\}$. Therefore, all the information T has is encrypted; without the corresponding k, he cannot compute and get the secret message m. Therefore, Target 2 is satisfied.
Proof. In the initial state, R does not have m, and R only has his own key $k_r$ (as assumed in the protocol). According to Table 3, the information set of R is $\bigcup_{1\le i\le n} I_{(w_i,R)} = \{m_s, m_{sr}, m_r\}$. Also, R has $k_r$ and $m_r$. According to the construction rules, R can construct m, namely $const_R\,m$, which conforms to Target 1 (and everybody in the protocol knows that R has an encrypted message and the corresponding key, so R can construct m).
Therefore, this protocol is secure.
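As an added example (not code from the paper), the following Python sketch makes the framework of Sections 3 to 5 executable: the construction rules of Section 3 as a derivation check (const), the send/receive actions through the In/Out buffers and the weak intruder of Table 3 as precondition/postcondition pairs, the Definition 8 update over the three worlds of Figure 1, and the two targets. The tuple encoding of messages, the sorted-key-multiset modelling of commutative encryption, and all function names are assumptions of this example; pairs and Pos_AL tagging are left out.

```python
# Messages: a plain name, or ('enc', m, keys) for {m}_keys; key names start with 'k_'.
# Pairs from Definition 1 are left out because the protocol never uses them.
def enc(m, k):
    # {m}_k, commutative as in the paper (m_sr = m_rs): nested keys form one sorted multiset.
    if isinstance(m, tuple) and m[0] == 'enc':
        return ('enc', m[1], tuple(sorted(m[2] + (k,))))
    return ('enc', m, (k,))

def strip(t, k):
    # Remove one {.}_k layer from ciphertext t; yields the plaintext when no key is left.
    rest = list(t[2])
    rest.remove(k)
    return ('enc', t[1], tuple(rest)) if rest else t[1]

def analyse(info):
    # Decomposition half of the construction rules: decrypt with any held key.
    # Terms only shrink, so the loop terminates.
    known, todo = set(), list(info)
    while todo:
        t = todo.pop()
        if t in known:
            continue
        known.add(t)
        todo += [strip(c, k) for c in known if isinstance(c, tuple) and c[0] == 'enc'
                 for k in set(c[2]) if k in known]
    return known

def const(info, m, known=None):
    # const_a m: decompose the information set, then synthesise m from its shape.
    known = analyse(info) if known is None else known
    if m in known:
        return True
    if isinstance(m, tuple) and m[0] == 'enc':
        return any(const(info, k, known) and const(info, strip(m, k), known)
                   for k in set(m[2]))
    return False

# A model is world -> {agent: information set}. As in Figure 1 each world is named
# after the agent that initially holds m; In/Out are the buffer agents, T the intruder.
def initial_model():
    base = {'S': {'k_s'}, 'R': {'k_r'}, 'T': set(), 'In': set(), 'Out': set()}
    return {w: {a: s | ({'m'} if a == w else set()) for a, s in base.items()}
            for w in ('S', 'R', 'T')}

def update(model, pre, post):
    # Definition 8 style update: worlds failing Pre disappear, Pos_I is applied to the rest.
    new = {w: {a: set(s) for a, s in I.items()} for w, I in model.items() if pre(I)}
    for J in new.values():
        post(J)
    return new

def send(a, m):      # sigma: a -> In : m    Pre = const_a m,  Pos_I = m in I_In
    return lambda I: const(I[a], m), lambda I: I['In'].add(m)

def recv(b, m):      # delta: Out -> b : m   Pre = has_Out m,  Pos_I = m in I_b
    return lambda I: m in I['Out'], lambda I: I[b].add(m)

def eavesdrop(m):    # weak intruder of Table 3: In -> T : m, then T -> Out : m
    return lambda I: m in I['In'], lambda I: (I['T'].add(m), I['Out'].add(m))

def knows(model, w, a, prop):
    # K_a prop at w: prop holds in every v with I(v,a) = I(w,a) (the paper's R_a).
    return all(prop(model[v]) for v in model if model[v][a] == model[w][a])

def run_protocol():
    # The three-message exchange of Section 5, with T eavesdropping every message.
    m_s, m_r = enc('m', 'k_s'), enc('m', 'k_r')
    m_sr = enc(m_s, 'k_r')
    model = initial_model()
    for step in (send('S', m_s), eavesdrop(m_s), recv('R', m_s),
                 send('R', m_sr), eavesdrop(m_sr), recv('S', m_sr),
                 send('S', m_r), eavesdrop(m_r), recv('R', m_r)):
        model = update(model, *step)
    return model
```

Only the world in which S initially holds m survives the first send, since const_S m_s fails elsewhere; in the surviving world const(M['S']['R'], 'm') is True (Target 1) and const(M['S']['T'], 'm') is False (Target 2).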

Conclusions and Expectation
We have introduced a formal language based on dynamic epistemic logic to verify the security of cryptographic protocols. In particular, we use the action model to describe the execution process of a protocol, and the updated model displays the transformation between models. We have given the verification model and proved that this protocol meets the requirements. Compared with the papers [7,48], our method does not need to establish complex models or rules to derive the security of the protocol: we can formalize the whole running process of the protocol through an action model alone. This process is simple, intuitive and efficient.
In future research, we will extend the framework of the language $\mathcal{L}^{A,B}_{cryp}$ to make it more expressive and able to express different cryptographic protocols, and we should build a complete and sound axiomatization for the extended language. For this protocol, we assumed that the attacker is a passive attacker who can only eavesdrop the messages from the network. In future work, we will assume an active attacker with more abilities to launch active attacks against the cryptographic protocol, and we plan to build an automatic detection system for security verification, including protocols with quantum cryptography, as a general modeling tool.