About: 166 publications, 11,190 reads, 1,908 citations
Introduction: Protocol Analysis, Symbolic Verification, Narrowing-based analysis and execution techniques
Additional affiliations: January 2000 - present
Publications (166)
A protocol dialect is a lightweight method to obfuscate the communication exchanges between legitimate protocol users to make it hard for malicious users to interact with legitimate ones. So far, dialects have been based on a single obfuscation transformation, which we call a lingo. In this work dialects are generalized to become protocol and lingo...
Facing the potential threat raised by quantum computing, a great deal of research from many groups and industrial giants has gone into building public-key post-quantum cryptographic primitives that are resistant to the quantum attackers. Among them, there is a large number of post-quantum key encapsulation mechanisms (KEMs), whose purpose is to pro...
This article presents a security formal analysis of the hybrid post-quantum Transport Layer Security (TLS) protocol, a quantum-resistant version of the TLS protocol proposed by Amazon Web Services as a precaution in dealing with future attacks from quantum computers. In addition to a classical key exchange algorithm, the proposed protocol uses a po...
Communication and information technologies shape the world’s systems of today, and those systems shape our society. The security of those systems relies on mathematical problems that are hard to solve for classical computers, that is, the available current computers. Recent advances in quantum computing threaten the security of our systems and the...
Narrowing and unification are very useful tools for symbolic analysis of rewrite theories, and thus for any model that can be specified in that way. A very clear example of their application is the field of formal cryptographic protocol analysis, which is why narrowing and unification are used in tools such as Maude-NPA, Tamarin and Akiss. In this...
We develop an automated specialization framework for rewrite theories that model concurrent systems. A rewrite theory \(\mathscr {R}=(\Sigma ,E\uplus B,R)\) consists of two main components: an order-sorted equational theory \(\mathscr {E}=(\Sigma ,E\uplus B)\) that defines the system states as terms of an algebraic data type and a term rewriting sy...
Roles in cryptographic protocols do not always have a linear execution, but may include choice points causing the protocol to continue along different paths. In this paper we address the problem of representing choice in the strand space model of cryptographic protocols, particularly as it is used in the Maude-NPA cryptographic protocol analysis to...
This work provides a general mechanism for safety enforcement in rewriting logic computations. Our technique relies on an assertion-guided model transformation that leverages the newly defined Maude strategy language for ensuring rich safety policies in non-deterministic programs. The transformed system is guaranteed to comply with user-defined in...
Facing the quantum attack threat, a quantum-resistant version of the SSH Transport Layer protocol has been proposed and been standardized by an IETF working group. This standardization process has been motivated by the fact that if practical quantum computers become available, classical key exchange algorithms used today will no longer be safe beca...
This paper presents a formal specification of the Hybrid Post-Quantum TLS protocol in Maude-NPA, toward a security analysis of the protocol, where Hybrid Post-Quantum TLS is a quantum-resistant version of TLS proposed by AWS as a preparation against future attacks from quantum computers. The proposed protocol uses a hybrid key exchange mode: one is...
Maude currently supports many symbolic reasoning features such as order-sorted equational unification and order-sorted narrowing-based symbolic reachability analysis. There have been many advances and new features added to improve narrowing in Maude but only at a theoretical level. In this paper, we provide a very elegant, transparent, and extremel...
The dual of most general equational unifiers is that of least general equational anti-unifiers, i.e., most specific anti-instances modulo equations. This work aims to provide a general mechanism for equational anti-unification that leverages the recent advances in variant-based symbolic computation in Maude. Symbolic computation in Maude equational...
Equational unification and matching are fundamental mechanisms in many automated deduction applications. Supporting them efficiently for as wide as possible a class of equational theories, and in a typed manner supporting type hierarchies, benefits many applications; but this is both challenging and nontrivial. We present Maude 3.2’s efficient supp...
Partial evaluation (PE) is a branch of computer science that achieves code optimization via specialization. This article describes a PE methodology for optimizing rewrite theories that encode concurrent as well as nondeterministic systems by means of the Maude language. The main advantages of the proposed methodology can be summarized as follows: •...
Generalization, also called anti-unification, is the dual of unification. A generalizer of two terms t and t′...
This paper introduces Presto, a symbolic partial evaluator for Maude’s rewriting logic theories that can improve system analysis and verification. In Presto, the automated optimization of a conditional rewrite theory \(\mathcal{R}\) (whose rules define the concurrent transitions of a system) is achieved by partially evaluating, wi...
We present a formal framework for the analysis of cryptographic protocols that make use of time and space in their execution. In a previous work we provided a timed process algebra syntax and a timed transition semantics. The timed process algebra only made message sending-and-reception times available to processes whereas the timed transition sema...
In this paper, we develop an automated optimization framework for rewrite theories that supports sorts, subsort overloading, equations and algebraic axioms with free/non-free constructors, and rewrite rules modeling concurrent system transitions whose state structure is defined by means of the equations. The main idea of the framework is to make th...
The Homeomorphic Embedding relation has been amply used for defining termination criteria of symbolic methods for program analysis, transformation, and verification. However, homeomorphic embedding has never been investigated in the context of order-sorted rewrite theories that support symbolic execution methods modulo equational axioms. This paper...
We present a framework suited to the analysis of cryptographic protocols that make use of time in their execution. We provide a process algebra syntax that makes time information available to processes, and a transition semantics that takes account of fundamental properties of time. Additional properties can be added by the user if desirable. This...
Equational unification of two terms consists of finding a substitution that, when applied to both terms, makes them equal modulo some equational properties. A narrowing-based equational unification algorithm relying on the concept of the variants of a term is available in the most recent version of Maude, version 3.0, which provides quite sophistic...
Maude-NPA is an analysis tool for cryptographic security protocols that takes into account the algebraic properties of the cryptosystem. Maude-NPA can reason about a wide range of cryptographic properties. However, some algebraic properties, and protocols using them, have been beyond Maude-NPA capabilities, either because the cryptographic properti...
This book constitutes selected papers from the 12th International Workshop on Rewriting Logic and Its Applications, WRLA 2020, held in Dublin, Ireland, in April 2020. Due to the COVID-19 pandemic the workshop took place virtually. The 11 full papers presented in this volume were carefully reviewed and selected from 16 submissions. Rewriting logic is...
Rewriting logic is both a flexible semantic framework within which widely different concurrent systems can be naturally specified and a logical framework in which widely different logics can be specified. Maude programs are exactly rewrite theories. Maude has also a formal environment of verification tools. Symbolic computation is a powerful techni...
Partial evaluation is a powerful and general program optimization technique with many successful applications. Existing PE schemes do not apply to expressive rule-based languages like Maude, CafeOBJ, OBJ, ASF+SDF, and ELAN, which support: 1) rich type structures with sorts, subsorts, and overloading; and 2) equational rewriting modulo various combi...
Equational unification of two terms consists of finding a substitution that, when applied to both terms, makes them equal modulo some equational properties. Equational unification is of special relevance to automated deduction, theorem proving, protocol analysis, partial evaluation, model checking, etc. Several algorithms have been developed in the...
Concurrent functional languages that are endowed with symbolic reasoning capabilities such as Maude offer a high-level, elegant, and efficient approach to programming and analyzing complex, highly nondeterministic software systems. Maude’s symbolic capabilities are based on equational unification and narrowing in rewrite theories, and provide Maude...
Generalization in order-sorted theories with any combination of associativity (A), commutativity (C), and unity (U) algebraic axioms is finitary. However, existing tools for computing generalizers (also called “anti-unifiers”) of two typed structures in such theories do not currently scale to real size problems. This paper describes the \({\textsf...
This work proposes canonical constrained narrowing, a new symbolic reachability analysis technique applicable to topmost rewrite theories where the equational theory has the finite variant property. Our experiments suggest that canonical constrained narrowing is more efficient than both standard narrowing and the previously studied contextual narro...
This paper gives a modular verification methodology in which, given parametric specifications of a key establishment protocol P and a protocol Q providing private channel communication, security and authenticity properties of their sequential composition \(P\; ;\; Q\) can be reduced to: (i) verification of corresponding properties for P, and (ii) v...
Modern multi-paradigm programming languages combine the most important features of functional programming, logic programming, concurrent programming, and constraint programming. Multi-paradigm programming applied to the Maude specification language would replace the functional viewpoint by an equational viewpoint while retaining and extending the o...
We have added support for associative unification to Maude 2.7.1. Associative unification is infinitary, i.e., there are unification problems \(u =^? v\) such that there is an infinite minimal set of unifiers, whereas associative-commutative unification is finitary. A unique feature of the associative unification algorithm implemented in Maude is t...
In this paper, we perform an automated analysis of two devices developed by Yubico: YubiKey, designed to authenticate a user to network-based services, and YubiHSM, Yubico's hardware security module. Both are analyzed using the Maude-NPA cryptographic protocol analyzer. Although previous work has been done applying automated tools to these devices,...
Partial evaluation (PE) is a powerful and general program optimization technique with many successful applications. However, it has never been investigated in the context of expressive rule-based languages like Maude, CafeOBJ, OBJ, ASF+SDF, and ELAN, which support: rich type structures with sorts, subsorts and overloading; and equational rewriting...
This paper introduces GLINTS, a graphical tool for exploring variant narrowing computations in Maude. The most recent version of Maude, version 2.7.1, provides quite sophisticated unification features, including order-sorted equational unification for convergent theories modulo axioms such as associativity, commutativity, and identity (ACU). This n...
This volume contains the formal proceedings of the Third International Workshop on Rewriting Techniques for Program Transformations and Evaluation (WPTE 2016), held on 23rd June 2016 in Porto, Portugal, as a satellite event of the First International Conference on Formal Structures for Computation and Deduction (FSCD 2016). The workshop brought tog...
Partial evaluation (PE) is a powerful and general program optimization technique with many successful applications. However, it has never been investigated in the context of expressive rule-based languages like Maude, CafeOBJ, OBJ, ASF+SDF, and ELAN, which support: 1) rich type structures with sorts, subsorts and overloading; 2) equational rewritin...
This paper introduces some novel features of Maude 2.7. We have added support for: (i) built-in order-sorted unification modulo associativity, commutativity, and identity, (ii) built-in variant generation, (iii) built-in order-sorted unification modulo a finite variant theory, and (iv) symbolic reachability modulo a finite variant theory.
Protocols do not work alone, but together, one protocol relying on another to provide needed services. Many of the problems in cryptographic protocols arise when such composition is done incorrectly or is not well understood. In this paper we discuss an extension to the Maude-NPA syntax and its operational semantics to support dynamic sequential co...
Cryptographic Application Programmer Interfaces (Crypto APIs) are designed to allow a secure interoperation between applications and cryptographic devices such as smartcards and Hardware Security Modules (HSMs). However, several Crypto APIs have been shown to be subject to attacks in which sensitive information is disclosed to an attacker, such as...
Research in the formal analysis of cryptographic protocols has produced much good work in the solving of equality constraints, developing new methods for unification, matching, and deducibility. However, considerably less attention has been paid to disequality constraints. These also arise quite naturally in cryptographic protocol analysis, in part...
This paper is a tribute to José Meseguer, from the rest of us in the Maude team, reviewing the past, the present, and the future of the language and system with which we have been working for around two decades under his leadership. After reviewing the origins and the language’s main features, we present the latest additions to the language and som...
For an unconditional equational theory whose oriented equations are confluent and terminating, narrowing provides an E-unification algorithm. This has been generalized by various authors in two directions: (i) by considering unconditional equational theories where the equations are confluent, terminating and coherent modulo axioms B, and (ii) by considering...
This volume contains a selection of the papers presented at the XIV Jornadas sobre Programación y Lenguajes (PROLE 2014), held at Cádiz, Spain, during September 17th-19th, 2014. Previous editions of the workshop were held in Madrid (2013), Almería (2012), A Coruña (2011), València (2010), San Sebastián (2009), Gijón (2008), Zaragoza (...
Standards for cryptographic protocols have long been attractive candidates for formal verification. It is important that such standards be correct, and cryptographic protocols are tricky to design and subject to non-intuitive attacks even when the underlying cryptosystems are secure. Thus a number of general-purpose cryptographic protocol analysis too...
Computing generalizers is relevant in a wide spectrum of automated reasoning areas where analogical reasoning and inductive inference are needed. The ACUOS system computes a complete and minimal set of semantic generalizers (also called “anti-unifiers”) of two structures in a typed language modulo a set of equational axioms. By supporting types and...
Intuitively, two protocols \({\mathcal P}_1\) and \({\mathcal P}_2\) are indistinguishable if an attacker cannot tell the difference between interactions with \({\mathcal P}_1\) and with \({\mathcal P}_2\). In this paper we: (i) propose an intuitive notion of indistinguishability in Maude-NPA; (ii) formalize such a notion in terms of state unreacha...
Recent advances in the automated analysis of cryptographic protocols have aroused new interest in the practical application of unification modulo theories, especially theories that describe the algebraic properties of cryptosystems. However, this application requires unification algorithms that can be easily implemented and easily extended to combi...
Natural Language (NL) processing tools, such as tokenizers, part-of-speech taggers or syntactic processors obtain knowledge from a set of documents (e.g., tokens, syntactic patterns, etc.) and produce the different elements that will take part in the discourse universe in a NL text (e.g., noun phrases, verbs, sentences, etc.). In this paper, we pre...
The Maude-NRL Protocol Analyzer (Maude-NPA) is a tool for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It tries to find secrecy or authentication attacks by searching backwards from an insecure attack state pattern that may contain logical variables, in such a way that l...
Generalization, also called anti-unification, is the dual of unification. Given terms t and t , a generalization is a term t of which t and t are substitution instances. The dual of a most general unifier (mgu) is that of least general generalization (lgg). In this work, we extend the known untyped generalization algorithm to, first, an order-sorte...
The series of workshops on functional and (constraint) logic programming (WFLP) attempts to stimulate and promote research and progress in these two relevant fields and their combination. This issue contains revised and extended versions of a selection of papers that appeared in two editions of the workshop: • WFLP 2008: 17th Int’l workshop on func...
Functional logic programming languages combine the most important features of functional programming languages and logic programming languages. Functional logic programming applied to the Maude specification language would replace the functional viewpoint by an equational viewpoint while retaining the logic features. This paper tries to bridge the...
We present a new paradigm for unification arising out of a technique commonly used in cryptographic protocol analysis tools that employ unification modulo equational theories. This paradigm relies on: (i) a decomposition of an equational theory into (R,E) where R is confluent, terminating, and coherent modulo E, and (ii) on reducing unification pro...
A concurrent system can be naturally specified as a rewrite theory R = (Σ,E,R) where states are elements of the initial algebra TΣ/E and concurrent transitions are axiomatized by the rewrite rules R. Under simple conditions, narrowing with rules R modulo equations E can be used to symbolically represent the system's state space by means of terms wi...
We address a problem that arises in cryptographic protocol analysis when the equational properties of the cryptosystem are taken into account: in many situations it is necessary to guarantee that certain terms generated during a state exploration are in normal form with respect to the equational theory. We give a tool-independent methodology for s...
We define an efficient rewriting strategy for general term rewriting systems. Several strategies have been proposed over the last two decades for rewriting, the most efficient of all being the natural rewriting strategy of Escobar. All the strategies so far, including natural rewriting, assume that the given term rewriting system is left-linear and...
This volume contains a selection of the papers presented at the 10th International Workshop on Reduction Strategies in Rewriting and Programming (WRS'2011), held on 29 May 2011 in Novi Sad, Serbia. Previous editions of the workshop were held in Utrecht (2001), Copenhagen (2002), Valencia (2003), Aachen (2004), Nara (2005), Seattle (2006), Paris (20...
We discuss the use of type systems in a non-strict sense when designing unification algorithms. We first give a new (rule-based) algorithm for an equational theory which represents a property of El-Gamal signature schemes and show how a type system can be used to prove termination of the algorithm. Lastly, we reproduce the termination result for the theory...
Basic narrowing is a restricted form of narrowing which constrains narrowing steps to a set of unblocked (or basic) positions. In this work, we study the modularity of termination of basic narrowing in hierarchical combinations of TRSs, which provides new algorithmic criteria to prove termination of basic narrowing. Basic narrowing has a number of...
A number of new cryptographic protocols are being designed to secure applications such as video-conferencing and electronic voting. Many of them rely upon cryptographic functions with complex algebraic properties that must be accounted for in order to be correctly analyzed by automated tools. Maude-NPA is a cryptographic protocol analysis tool base...
The Maude-NRL Protocol Analyzer (Maude-NPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which supported equational reasoning in a more limited way....
This paper introduces some novel features of Maude 2.6 focusing on the variants of a term. Given an equational theory (Σ,Ax∪E), the E,Ax-variants of a term t are understood as the set of all pairs consisting of a substitution σ and the E,Ax-canonical form of tσ. The equational theory (Ax∪E) has the finite variant property if there is a finite s...
If a set of equations E ∪ Ax is such that E is confluent, terminating, and coherent modulo Ax, narrowing with E modulo Ax provides a complete E ∪ Ax-unification algorithm. However, except for the hopelessly inefficient case of full narrowing, nothing seems to be known about effective narrowing strategies in the general modulo case beyond the quite...
Non-interference is a semantic program property that assigns confidentiality levels to data objects and prevents illicit information flows to occur from high to low security levels. Erasure is a way of strengthening confidentiality by upgrading data confidentiality levels, up to the extreme of demanding the removal of secret data from the system. I...
This work is motivated by the fact that a "compact" semantics for term rewriting systems, which is essential for the development of effective semantics-based program manipulation tools (e.g. automatic program analyzers and debuggers), does not exist. The big-step rewriting semantics that is most commonly considered in functional programming is t...
For narrowing with a set of rules Δ modulo a set of axioms B almost nothing is known about terminating narrowing strategies, and basic narrowing is known to be incomplete for B=AC. In this work we ask and answer the question: Is there such a thing as an extremely terminating narrowing strategy modulo B? where we call a narrowing strategy S enj...
Non-interference is a semantic program property that assigns confidentiality levels to data objects and prevents illicit information flows from occurring from high to low security levels. In this paper, we present a novel security model for global non-interference which approximates non-interference as a safety property. We also propose a certifica...
In functional languages such as OBJ*, CafeOBJ, and Maude, symbols are given strategy annotations that specify (the order in) which subterms are evaluated. Syntactically, strategy annotations are given either as lists of natural numbers or as lists of integers associated to function symbols whose (absolute) values refer to the arguments of the corre...
There is a growing interest in formal methods and tools to analyze cryptographic protocols modulo algebraic properties of their underlying cryptographic functions. It is well-known that an intruder who uses algebraic equivalences of such functions can mount attacks that would be impossible if the cryptographic functions did not satisfy such equival...
Protocols do not work alone, but together, one protocol relying on another to provide needed services. Many of the problems in cryptographic protocols arise when such composition is done incorrectly or is not well understood. In this paper we discuss an extension to the Maude-NPA syntax and operational semantics to support dynamic sequential compos...