Hybrid post-quantum Transport Layer Security formal analysis in Maude-NPA and its parallel version

Functional modules

A functional module $\mathcal{M}$ specifies an order-sorted equational logic theory (Σ, E) with the syntax:

 
fmod    

 
is 

 
endfm 

• importations of previously defined modules (

   
  protecting    

  … or

   
  extending 

  … or

   
  including 

  …)

• sorts and subsorts (

   
  sort    

  s

   
  . 

  or

   
  sorts 

  s s′

   
  . 

  or

   
  subsort 

  s

   
  < 

  s′

   
  . 

  )

• function symbols (

   
  op    

  f

   
  : 

  s₁ … s_n  →  s [att₁ …  att_k]

   
  . 

  )

• variables (

   
  vars    

  v v′

   
  . 

  )

where s and s′ are sort names; v and v′ are variable names; and att₁, …, att_k are equational attributes, such as

 
assoc    

 
comm 

E may contain a collection of equations, which may be either unconditional (

 
eq    

 
= 

 
. 

 
ceq 

 
= 

 
if 

 
. 

  
= 

System modules

A system module $\mathcal{R}$ specifies a rewrite theory (Σ, E, R) with the syntax:

 
mod    

 
is 

 
endm 

 
rl [ 

 
] 

 
: 

 
=> 

  
. 

 
crl [ 

 
] 

 
: 

 
=> 

 
if 

 
. 

 
=>  

Narrowing

Narrowing is a generalization of term rewriting that allows logical variables in terms and replaces pattern matching by unification. To describe how narrowing works, in the following, we use a classical example in the Maude book (Clavel et al., 2007). The following system module specifies a concurrent machine to buy cakes (

 
c    

 
a 

 
q 

 
buy-c 

 
buy-a 

 
change 

 
 
mod NARROWING-VENDING-MACHINE is 
  sorts Coin Item Marking Money State . 
  subsort Coin < Money . 
  op empty : -> Money . 
  op __ : Money Money -> Money [assoc comm id: empty] . 
  subsort Money Item < Marking . 
  op __ : Marking Marking -> Marking [assoc comm id: empty] . 
  op <_> : Marking -> State . 
  ops $ q : -> Coin . 
  ops c a : -> Item . 
  var M : Marking . 
  rl [buy-a] : < M $ > => < M a q > [narrowing] . 
  rl [buy-c] : < M $ > => < M c > [narrowing] . 
  eq [change] : q q q q M = $ M [variant] . 
endm    

where the operator

 
<_>    

 
__ 

 
empty 

 
narrowing 

 
variant 

 
< M1 > 

 
Money 

  
< M1 > 

 
 
< M1 > ⇝σ1,  buy-a  < a q M2 > 
< M1 > ⇝σ′ 
1,  buy-c  < c M2’ >    

where

 
M2 

 
M2’ 

 
Money 

 
M1 

 
M2, M ↦→ M2 and σ′1   = M1 ↦→ M2’ 

 
M 

 
M2’ 

  
buy-a 

 
buy-c 

 
M 

 
< a q M2 > 

 
 
< M1 > ⇝σ1,  buy-a  < a q M2 > ⇝σ2,  buy-c  < a c q M3 > ⇝σ3,  buy-a  < a a c q M4 >    

where

 
M3 

 
M4 

 
Money 

 
 
   {M2 ↦→ M3, M ↦→ a q M3} and σ3  =  { M3 ↦→ q q q M4, M ↦→ a c M4} with 
the rewrite rules buy-c and buy-a, respectively.  In the third nar- 
rowing step, when we apply the substitution σ3, the two obtained in- 
stances of < a c q M3 > and the left-hand side of the rewrite rule buy-a 
are < a c q q q q M4 > and < a c M4 > 

 
change 

 
buy-a 

 
< a a c q M4 >  

 
State 

Par-Maude-NPA

Par-Maude-NPA (Do et al., 2022) has been developed in order to improve the running performance of Maude-NPA by the parallel mechanism. Maude-NPA basically uses a breadth-first search (BFS) to explore the state space backwardly from a given insecure attack pattern. Given a set of states in layer l, for each state in the set, the backward narrowing can be performed independently to obtain its successor states in layer l + 1. Par-Maude-NPA makes use of this point to parallelize the backward narrowing tasks for states at the same layer, so that successor states are generated in parallel at each layer. Generally speaking, the breadth-first search in Maude-NPA is transformed into a parallel breadth-first search in Par-Maude-NPA without altering the number or form of the states in the state space. Par-Maude-NPA uses a master-worker model with one master and multiple workers, where the master distributes (or assigns) jobs to each worker in a well-balanced way. The tool uses a shared cache maintained by the master and a local cache maintained by each worker to avoid making unnecessary duplications of jobs.

Formal specification by strands

Maude-NPA uses strands (Thayer, Herzog & Guttman, 1998) to specify the execution of the protocol under analysis as well as the capabilities of the intruder. Each strand is a sequence of positive and negative messages and possibly with some unique fresh data as follows: ${\displaystyle ::r_1,\dots ,r_k::\left[+\left(ms{g}_1\right),-\left(ms{g}_2\right),\dots ,-\left(ms{g}_i\right)|+\left(ms{g}_{i+1}\right),\dots \right]}$

where r₁, …, r_k denote unique fresh data consumed by the principal performing the strand (they would be, for example, secret keys, unique random numbers, and session identifiers). A positive message +(msg) and a negative message −(msg) denote sending and receiving the message msg, respectively. The vertical bar is used to distinguish between present and future when the strand appears in a state description. Messages appearing before the bar were sent/received in the past, while messages appearing after the bar will be sent/received in the future. Let us consider a classical security protocol, namely Needham-Schroeder-Lowe Public Key (NSLPK) protocol (Lowe, 1995), to illustrate how strands would be used to specify the protocol execution. The protocol consists of the following three exchange messages:

1. P → Q:pk(Q, P; N_P)

2. Q → P:pk(P, N_P; N_Q; Q)

3. P → Q:pk(Q, N_Q)

where P and Q denote two principal identifiers, N_P and N_Q are nonces (unguessable values) generated by P and Q, respectively, and pk(P, m) denotes the encryption of message m by the public key of P. The three messages exchanged can be explained as follows. P first generates a nonce N_P and sends it together with P’s identifiers encrypted by Q’s public key to Q. Upon receiving that message, Q decrypts it and obtains a nonce. Q generates a new nonce N_Q, encrypts the nonce received, the new nonce, and Q’s identifiers under P’s public key, and sends the result back to P. Upon receiving the response message, P decrypts it, checking if one of the nonces is exactly the one that P has sent before in the first message. If that is the case, P responds to Q with the other nonce encrypted under Q’s public key.

Maude-NPA provides some built-in sorts, such as the sort

 
Msg    

 
Fresh 

 
Name 

 
Nonce 

 
Msg 

 
 
sorts Name Nonce . 
subsort Name Nonce < Msg .    

The nonce constructor is specified by the following operator:

 
 
op n : Name Fresh -> Nonce [frozen] .    

where the

 
frozen 

 
P 

 
r 

 
Name 

 
Fresh 

 
n(P,r) 

 
P 

 
r 

 
 
op pk : Name Msg -> Msg [frozen] .    

Let

 
Q 

 
N 

 
Name 

 
Nonce 

 
 
:: r :: 
[ nil | +(pk(Q, P ; n(P,r))), -(pk(P, n(P,r) ; N ; Q)), +(pk(Q, N)), nil ]    

The strand says that initially, given a unique fresh

 
r 

 
P 

 
n(P,r) 

 
Q 

 
P 

 
Q 

 
P 

 
n(P,r) 

  
N 

 
Q 

 
P 

 
P 

 
Q 

 
N 

 
Q 

 
:: r:: 

 
r 

  
; 

 
 
op _;_ : Msg Msg -> Msg [frozen] .    

In the same manner, the strand that describes how the protocol is executed from the Q side can be specified as follows:

 
 
:: r :: 
[ nil | -(pk(Q, P ; N)), +(pk(P, N ; n(Q,r) ; Q)), -(pk(Q, n(Q,r))), nil ]    

Strands are also used for the specification of the intruder capabilities. But in this case, such an intruder strand is limited to be in the form of a sequence of negative messages (possibly empty) followed by one positive message combining all previous variables under a function symbol. For example, the intruder’s capability in encrypting any message by any public key is specified as follows:

 
 
:: nil :: [ nil | -(M), +pk(P,M), nil ]    

where

 
M 

 
Msg 

 
M 

 
P 

Protocol formal specification

This section describes the Maude-NPA formal specification of the Hybrid PS TLS protocol. We start with the definition of KEMs and how to model them in Maude-NPA.

 
KeyGen    

 
Encaps 

 
Decaps 

 
KeyGen    

 
Encaps 

 
Decaps    

 
Decaps    

 
Encaps 

 
Decaps 

 
Decaps 

 
Decaps 

 
PqSk    

 
PqPk 

 
Cipher 

 
PqKey 

 
 
op pqSk : Name Fresh -> PqSk [frozen] .    

 
Fresh 

 
Name 

 
Decaps    

 
 
op decap : Cipher PqSk -> PqKey [frozen] .    

 
Decaps 

 
KeyGen 

 
Encaps 

 
PqSk 

 
Encaps 

 
encapCipher 

 
encapKey 

 
 
op pqPk         : PqSk       -> PqPk    [frozen] . 
op encapCipher : PqPk PqSk -> Cipher [frozen] . 
op encapKey     : PqPk PqSk -> PqKey  [frozen] .    

 
KeyGen 

 
Encaps 

 
 
op $pqKey : PqSk PqSk -> PqKey [frozen] . 
eq encapKey(pqPk(S:PqSk), S2:PqSk) = $pqKey(S:PqSk, S2:PqSk) [variant] . 
eq decap(encapCipher(pqPk(S:PqSk),S2:PqSk), S:PqSk) 
    = $pqKey(S:PqSk, S2:PqSk) [variant] .    

 
variant 

 
$pqKey 

 
encapKey 

 
decap 

 
Encaps 

 
Decaps 

  
Decaps 

 
Encaps 

 
 
sort Scalar Point ECKey . 
subsort Point < ECKey .    

 
Point    

 
Scalar 

 
ECKey 

 
 
op p    : -> Point . 
op scl : Name Fresh     -> Scalar [frozen] . 
op gen : Point Scalar   -> Point  [frozen] . 
op _*_ : Scalar Scalar -> Scalar [frozen assoc comm] .    

 
p 

 
scl 

 
gen 

 
assoc 

 
comm 

 
 
eq gen(gen(P:Point, S:Scalar), S2:Scalar) 
  = gen(P:Point, S:Scalar * S2:Scalar) [variant] .    

 
PreMasterSecret 

 
MasterSecret 

 
 
op pms : ECKey PqKey -> PreMasterSecret [frozen] . 
op ms  : PreMasterSecret Rand Rand Point Cipher -> MasterSecret [frozen] .    

 
Rand 

 
rd    

 
sess 

 
cert 

 
sig 

 
enc 

 
 
op rd    : Name Fresh -> Rand [frozen] . 
op sess : Name Fresh -> Session [frozen] . 
op cert : Name -> Cert [frozen] . 
op sig  : Name Msg -> Msg [frozen] . 
op enc  : MasterSecret Msg -> Msg [frozen] .    

 
S    

 
M 

 
MS 

 
enc(MS,M) 

 
M 

 
MS 

 
sig(S,M) 

 
M 

 
S 

  
sig(priKey(S),M) 

 
cert(S) 

 
S 

 
S 

 
r1    

 
r2 

 
r3 

 
Fresh 

 
C 

 
S 

 
Name 

 
N 

 
SS 

  
Rand 

 
Session 

 
PK1 

 
PK2 

 
Point 

 
PqPk 

 
 
:: r1,r2,r3 :: 
[ nil | 
 +(ch ; rd(C,r1)), 
 -(sh ; N ; SS), 
 -(sc ; cert(S)), 
 -(ske ; PK1 ; PK2 ; sig(S, PK1 ; PK2 ; rd(C,r1) ; N)), 
 +(cke ; gen(p,scl(C,r2)) ; encapCipher(PK2, pqSk(C,r3))), 
 +(cf ; enc(ms(pms(gen(PK1,scl(C,r2)), encapKey(PK2, pqSk(C,r3))), 
          rd(C,r1), N, gen(p,scl(C,r2)), encapCipher(PK2, pqSk(C,r3))), 
     (ch ; rd(C,r1)) ++ 
     (sh ; N ; SS) ++ 
     (sc ; cert(S)) ++ 
     (ske ; PK1 ; PK2 ; sig(S, PK1 ; PK2 ; rd(C,r1) ; N)) ++ 
     (cke ; gen(p,scl(C,r2)) ; encapCipher(PK2, pqSk(C,r3)))) 
  ), 
nil ]    

 
ch 

 
sh 

 
sc 

 
ske 

 
cke 

  
cf 

 
Msg 

 
++ 

 
C 

 
S 

 
rd(C,r1) 

 
PK1 

 
PK2  

 
PK2 

 
++ 

 
++ 

 
++ 

 
(sh ; N ; SS) ++ (sc ; cert(S)) 

 
(sh ; N ; SS ; sc ; cert(S)) 

  
++ 

 
 
:: r1,r2,r3,r4 :: 
[ nil | 
 -(ch ; N), 
 +(sh ; rd(S,r1) ; sess(S,r2)), 
 +(sc ; cert(S)), 
 +(ske ; gen(p,scl(S,r3)) ; pqPk(pqSk(S,r4)) ; 
      sig(S, gen(p,scl(S,r3)) ; pqPk(pqSk(S,r4)) ; N ; rd(S,r1))), 
 -(cke ; PK1 ; CP), 
 -(cf ; enc(ms(pms(gen(PK1,scl(S,r3)), decap(CP, pqSk(S,r4))), 
             N, rd(S,r1), PK1, CP), 
         (ch ; N) ++ 
         (sh ; rd(S,r1) ; sess(S,r2)) ++ 
         (sc ; cert(S)) ++ 
         (ske ; gen(p,scl(S,r3)) ; pqPk(pqSk(S,r4)) ; 
             sig(S, gen(p,scl(S,r3)) ; pqPk(pqSk(S,r4)) ; N ; rd(S,r1))) ++ 
         (cke ; PK1 ; CP)) 
  ), 
nil ]    

 
CP 

 
Cipher 

 
X    

 
Y 

 
Msg 

 
 
:: nil :: [ nil | -(X), -(Y), +(X ; Y), nil ] & 
:: nil :: [ nil | -(X ; Y), +(X), nil ] & 
:: nil :: [ nil | -(X ; Y), +(Y), nil ] &    

 
 
:: r :: [ nil | +(rd(i,r)), nil ] & 
:: r :: [ nil | +(scl(i,r)), nil ] &    

 
i 

 
PK2    

 
SK 

 
CP 

 
 
:: nil :: [ nil | -(PK2), -(SK), +(encapCipher(PK2,SK)), nil ] & 
:: nil :: [ nil | -(PK2), -(SK), +(encapKey(PK2,SK)), nil ] & 
:: nil :: [ nil | -(CP), -(SK), +(decap(CP,SK)), nil ] &    

 
 
:: nil :: [ nil | -(gen(p,S)), -(gen(p,S2)), +(gen(p,S * S2)), nil ]    

 
S 

 
S2 

 
Scalar 

Checking the specification

To increase trust in the correctness of what has been formally specified, a state pattern is defined proving that it is possible to successfully complete a protocol handshake between two principals. This must be fulfilled, otherwise, the analysis coming later would be meaningless. Let

 
c    

 
s 

 
Name 

 
ATTACK-STATE 

 
 
eq ATTACK-STATE(10) = 
:: r1,r2,r3 :: 
[ nil, 
 +(ch ; rd(c,r1)), 
 -(sh ; N ; SS), 
 -(sc ; cert(s)), 
 -(ske ; PK1 ; PK2 ; sig(s, PK1 ; PK2 ; rd(c,r1) ; N)), 
 +(cke ; gen(p, scl(c,r2)) ; encapCipher(PK2, pqSk(c,r3))), 
 +(cf ; enc(ms(pms(gen(PK1, scl(c,r2)), encapKey(PK2, pqSk(c,r3))), 
     rd(c,r1), N, gen(p, scl(c,r2)), encapCipher(PK2, pqSk(c,r3))), 
    (ch ; rd(c,r1)) ++ 
    (sh ; N ; SS) ++ 
    (sc ; cert(s)) ++ 
    (ske ; PK1 ; PK2 ; sig(s, PK1 ; PK2 ; rd(c,r1) ; N)) ++ 
    (cke ; gen(p, scl(c,r2)) ; encapCipher(PK2, pqSk(c,r3))))), 
 -(sf ; ... ) 
 | nil ] 
|| empty 
|| nil    || nil    || nil 
[nonexec] .    

where

 
10    

 
ATTACK-STATE(10) 

 
... 

 
Msg 

 
nil 

 
c 

 
s 

Secrecy property of ECDH shared secret key

The first property we would like to check is whether the intruder can glean the ECDH shared secret key when a client and a server have completed the handshake. To check that property, we specify another Maude-NPA attack pattern, i.e.,

 
ATTACK-STATE(0)    

 
ATTACK-STATE(10) 

 
empty 

 
 
  gen(PK1, scl(c,r2)) inI, empty    

Recall that

 
PK1    

 
c 

 
s 

 
scl(c,r2) 

 
_inI 

 
_!inI 

 
PK1 

 
gen(p, scl(c,r2)) 

 
gen(PK1, scl(s,r2)) 

We have checked the attack pattern with both the original Maude-NPA and Par-Maude-NPA. Par-Maude-NPA found a counterexample for the attack pattern in about 1,722 h (nearly 72 days), meaning that the intruder can learn the ECDH shared secret key established between the honest client and the honest server. That counterexample state contains four sections: (1) state ID, (2) set of current protocol and intruder strands, (3) intruder knowledge, and (4) sequence of messages. To understand how the attack can happen, we show (4)—the message sequence leading to the counterexample as follows:

 
 
1  +(ch ; rd(c,#3:Fresh)), 
2  -(ch ; rd(c,#3:Fresh)), 
3  +(sh ; rd(s,#4:Fresh) ; sess(s,#6:Fresh)), 
4  +(sc ; cert(s)), 
5  +(ske ; gen(p, scl(s,#0:Fresh)) ; pqPk(pqSk(s,#2:Fresh)) ; 
sig(s, gen(p, scl(s,#0:Fresh)) ; pqPk(pqSk(s,#2:Fresh)) ; 
rd(c,#3:Fresh) ; rd(s,#4:Fresh))), 
6  -(ske ; ...), 
7  +(gen(p, scl(s,#0:Fresh)) ; pqPk(pqSk(s,#2:Fresh)) ; 
sig(s, gen(p, scl(s,#0:Fresh)) ; pqPk(pqSk(s,#2:Fresh)) ; 
rd(c,#3:Fresh) ; rd(s,#4:Fresh))), 
8  -(sh ; rd(s,#4:Fresh) ; sess(s,#6:Fresh)), 
9  -(sc ; cert(s)), 
10 -(ske ; ...), 
11 +(cke ; gen(p, scl(c,#1:Fresh)) ; 
encapCipher(pqPk(pqSk(s,#2:Fresh)), pqSk(c,#5:Fresh))), 
12 -(cke ; ...), 
13 +(gen(p, scl(c,#1:Fresh)) ; 
encapCipher(pqPk(pqSk(s,#2:Fresh)),pqSk(c,#5:Fresh))), 
14 -(gen(p, scl(c,#1:Fresh)) ; 
encapCipher(pqPk(pqSk(s,#2:Fresh)),pqSk(c,#5:Fresh))), 
15 +(gen(p, scl(c,#1:Fresh))), 
16 -(gen(p, scl(s,#0:Fresh)) ; 
pqPk(pqSk(s,#2:Fresh)) ; sig(s, gen(p, scl(s,#0:Fresh)) ; 
pqPk(pqSk(s,#2:Fresh)) ; rd(c,#3:Fresh) ; rd(s,#4:Fresh))), 
17 +(gen(p, scl(s,#0:Fresh))), 
18 -(gen(p, scl(s,#0:Fresh))), 
19 -(gen(p, scl(c,#1:Fresh))), 
20 +(gen(p, scl(s,#0:Fresh) * scl(c,#1:Fresh))), 
21 +(cf ; ...), 
22 -(cke ; gen(p, scl(c,#1:Fresh)) ; 
encapCipher(pqPk(pqSk(s,#2:Fresh)), pqSk(c,#5:Fresh))), 
23 -(cf ; ...), 
24 +(sf ; ...), 
25 -(sf ; ...)    

We insert line numbers on the left side for easy reference in the following explanation. Client

 
c 

  
s 

 
#3:Fresh 

 
s 

 
c 

 
gen(p, scl(s,#0:Fresh)) 

 
... 

 
c 

 
s 

  
c 

 
s 

 
gen(p, scl(s,#1:Fresh)) 

 
 
:: nil :: [ nil | -(gen(p,S)), -(gen(p,S2)), +(gen(p,S * S2)), nil ]    

the intruder learns the ECDH shared secret between

 
c 

 
s 

 
c 

 
s 

 
s 

 
c 

The counterexample was found by Par-Maude-NPA at depth 12. It means that the found state is located at depth 12 from the root of the backward reachability tree constructed by the tool. In this tree, the root is the attack pattern, and a child node is connected to its parent node by an action of an honest principal or the intruder. With Maude-NPA, it did not find the counterexample in the same amount of time T. The detail of the experimental results is discussed in Section ‘Experimental results’.

Secrecy property of PQ KEM shared secret key

Another attack pattern namely

 
ATTACK-STATE(1)    

 
ATTACK-STATE(0) 

 
ATTACK-STATE(1) 

 
ATTACK-STATE(10) 

 
 
  encapKey(PK2, pqSk(c,r3)) inI, empty    

 
ATTACK-STATE(1)    

 
PK2 

 
encapCipher(PK2, pqSk(c,r3)) 

 
encapKey(PK2, pqSk(c,r3)) 

Par-Maude-NPA did not find any counterexample up to depth 12, confirming that the intruder cannot learn the PQ KEM shared secret established between the client and the server up to the bounded depth. Together with the previous analysis experiment, it follows that even though the intruder can learn the ECDH shared secret, the intruder cannot learn the master secret. We leave a detailed discussion about the analysis result in Section ‘Experimental results’.

Authentication property

The next property we would like to check is the authentication property, i.e., if client A has completed the handshake apparently with server B, then B is indeed the principal who has communicated with A. We define the following

 
ATTACK-STATE(2)    

 
 
eq ATTACK-STATE(2) = 
:: r1,r2,r3 :: 
[ nil, 
 +(ch ; rd(c,r1)), 
 -(sh ; N ; SS), 
 -(sc ; cert(s)), 
 -(ske ; PK1 ; PK2 ; sig(s, PK1 ; PK2 ; rd(c,r1) ; N)), 
 +(cke ; gen(p,pt(c,r2)) ; encapCipher(PK2, pqSk(c,r3))), 
 +(cf ; enc(ms(pms(gen(PK1, pt(c,r2)), encapKey(PK2, pqSk(c,r3))), 
     rd(c,r1),N,gen(p,pt(c,r2)),encapCipher(PK2, pqSk(c,r3))), 
    (ch ; rd(c,r1)) ++ 
    (sh ; N ; SS) ++ 
    (sc ; cert(s)) ++ 
    (ske ; PK1 ; PK2 ; sig(s, PK1 ; PK2 ; rd(c,r1) ; N)) ++ 
    (cke ; gen(p,pt(c,r2)) ; encapCipher(PK2, pqSk(c,r3))))), 
 -(sf ; ... ) 
 | nil ] 
|| empty 
|| nil 
|| nil 
|| never( 
  :: r’,r1’,r2’,r3’ :: 
  [ nil | 
    -(ch ; rd(c,r1)), 
    +(sh ; N ; SS), 
    +(sc ; cert(s)), 
    +(ske ; PK1 ; PK2 ; sig(s, PK1 ; PK2 ; rd(c,r1) ; N)), 
    -(cke ; gen(p,pt(c,r2)) ; encapCipher(PK2, pqSk(c,r3))), 
    -(cf ; enc(ms(pms(gen(PK1,pt(c,r2)), encapKey(PK2, pqSk(c,r3))), 
       rd(c,r1),N,gen(p,pt(c,r2)),encapCipher(PK2, pqSk(c,r3))), 
      (ch ; rd(c,r1)) ++ 
      (sh ; N ; SS) ++ 
      (sc ; cert(s)) ++ 
      (ske ; PK1 ; PK2 ; sig(s, PK1 ; PK2 ; rd(c,r1) ; N)) ++ 
      (cke ; gen(p,pt(c,r2)) ; encapCipher(PK2, pqSk(c,r3))))), 
    +(sf ; ... ), 
    nil ] 
  & STR:StrandSet 
  || IK:IntruderKnowledge) 
[nonexec] .    

Recall that

 
...    

 
Msg 

 
empty 

 
never 

 
c 

 
s 

 
s 

 
c 

  
s 

 
c 

 
never 

Experimental results

We have conducted experiments for the three above-mentioned attack patterns with Maude-NPA and Par-Maude-NPA on a supercomputer that carries 1.5 TB of memory and four 2.8 GHz microprocessors, where each microprocessor has 16 cores. Because we were only able to use one such supercomputer for our experiments and could have predicted that it would take a long time to complete each of the total six experiments, we started the six experiments on the supercomputer simultaneously. With Par-Maude-NPA, we used one master and eight workers with at most 256 GB of memory and 16 microprocessor cores for each experiment. With Maude-NPA, at most 256 GB of memory and 4 microprocessor cores were used for each experiment. This resource allocation is reasonably fair because of 1.5 TB memory (=6 × 256 GB memory) and 4 × 16 cores (>3 × 16 cores + 3 × 4 cores), although the OS uses some resources, which should be negligible. Note that Maude-NPA uses one core for each experiment and the six experiments may use a total of about 1.5 TB of memory for about 1,722 h. Table 1 shows the experimental results for the three attack patterns with Maude-NPA and Par-Maude-NPA. The first column denotes the attack number corresponding to each attack pattern. The next three columns denote the running time, the depth at which Maude-NPA reaches, and the result of each analysis, respectively, with Maude-NPA and similarly for Par-Maude-NPA with the last three columns. In the Result column, the symbol ∅ denotes no counterexample is found up to a bounded depth; while the symbol × denotes a counterexample is found and the protocol is insecure against the attack. In the Depth column, “H x” denotes the analysis is still running at depth x and has not been completed, where “H” stands for “Handling”. On the other hand, “F x” denotes the analysis is completed at depth x, where “F” stands for “Finished”.

With attack pattern number 0, as T = 1,722 h, 20 min, and 23 s (nearly 72 days), Par-Maude-NPA completed the analysis at depth 12 and found a counterexample. We decided to stop all of the six experiments as the time T because the long time had been spent. We report the results of the five other experiments as the same time T. Also with attack pattern number 0, as the same time T, Maude-NPA only reached depth 11 and was handling it. Therefore, no counterexample was found by Maude-NPA in T.

With attack pattern number 1, as the same time T, both Par-Maude-NPA and Maude-NPA did not find any counterexample. Par-Maude-NPA and Maude-NPA were handling depth 13 and depth 11, respectively. Observing the number of reachable states at each depth, we see that it is increased after each layer depth. The number of reachable states at each depth of the three analysis experiments is depicted in Table 2, where the hyphen symbol denotes the data is not available because the analysis with that given attack is not conducted at that given depth. Note that the data shown in Table 2 are exactly the same up to depths 10, 10, and 17 for the three attack patterns 0, 1, and 2, respectively, with Maude-NPA and Par-Maude-NPA.

With attack pattern number 2, similarly, both Par-Maude-NPA and Maude-NPA did not find any counterexample, and were handling at depth 19 and depth 18, respectively, in the time T. The number of reachable states at each depth from 1 to 13 is reasonably small. However, it quickly increases at the deeper depths, especially depths 17 and 18. Therefore, we guess that the experiments would not converge at depth 19 or a bit deeper depth.

The six experiments show that using Par-Maude-NPA helped us to significantly reduce the analysis time in this Hybrid PQ TLS case study. To measure precisely how much Par-Maude-NPA is faster than Maude-NPA, we conduct some more experiments with attack number 0, bounded depths 8 and 9, numbers of workers 8, 12, and 16, and show the results in Table 3. For example, when the bounded depth is 8, we can increase the running performance of Maude-NPA with Par-Maude-NPA as 3.8x, 4.2x, and 4.6x faster than that with Maude-NPA, respectively. The improvement of the running performance of Maude-NPA with Par-Maude-NPA for the bounded depth 9 is better than that for the bounded depth 8 in this case study. That is because the number of states at the bounded depth 9 is larger than that at the bounded depth 8. It says that the more states located at a depth, the more improvement will be obtained by using Par-Maude-NPA. Indeed, the number of states at deeper depths (see Table 2) increases quickly, and then the use of Par-Maude-NPA will achieve a better improvement compared to Maude-NPA in terms of running performance, which was partially shown in these experiments and also in the six experiments described above.