Protocol Insecurity with Assertions

In the study of symbolic verification of cryptographic protocols, a central result due to Rusinowitch and Turuani [2003] is that the insecurity problem (deciding whether a protocol admits an execution which leaks a designated secret to the intruder) for security protocols with finitely many sessions is NP-complete. Central to their proof strategy is the observation that any execution of a protocol can be simulated by one where the intruder only communicates terms of bounded size. They prove this by analyzing how variables used in the protocol can be instantiated in different contexts by the intruder. However, when we consider protocols where, in addition to terms, some logical statements or "assertions" about the terms (as presented by Ramanujam, Sundararajan, and Suresh [2017]) are also communicated, the analysis of the insecurity problem becomes tricky. In this paper we consider the insecurity problem for protocols with a class of assertions that includes equality on terms and existential quantification. The intruder can potentially exploit the fact that witnesses for existential quantifiers may be unbounded, and obtaining small witness terms while maintaining equality proofs complicates the analysis considerably. We use a notion of well-typed equality proofs that helps in bounding the sizes of the terms involved, and show that the insecurity problem for assertions is in NP.