Analysing Unlinkability and Anonymity Using the Applied Pi Calculus

Arapinis, Myrto; Chothia, Tom; Ritter, Eike; Ryan, Mark

doi:10.1109/csf.2010.15

Cited by 106 publications

(190 citation statements)

References 19 publications

Supporting

Mentioning

188

Contrasting

Order By: Relevance

“…Trace equivalence can be used to formalise many interesting security properties, in particular privacy-type properties, such as those studied for instance in [1,6]. We first introduce a notion of intruder's knowledge well-suited to cryptographic primitives for which the success of decrypting or checking a signature is visible.…”

Section: Trace Equivalencementioning

confidence: 99%

See 1 more Smart Citation

From Security Protocols to Pushdown Automata

Chrétien

Cortier

Delaune

2013

Automata, Languages, and Programming

View full text Add to dashboard Cite

Abstract. Formal methods have been very successful in analyzing security protocols for reachability properties such as secrecy or authentication. In contrast, there are very few results for equivalence-based properties, crucial for studying e.g. privacy-like properties such as anonymity or vote secrecy. We study the problem of checking equivalence of security protocols for an unbounded number of sessions. Since replication leads very quickly to undecidability (even in the simple case of secrecy), we focus on a limited fragment of protocols (standard primitives but pairs, one variable per protocol's rules) for which the secrecy preservation problem is known to be decidable. Surprisingly, this fragment turns out to be undecidable for equivalence. Then, restricting our attention to deterministic protocols, we propose the first decidability result for checking equivalence of protocols for an unbounded number of sessions. This result is obtained through a characterization of equivalence of protocols in terms of equality of languages of (generalized, real-time) deterministic pushdown automata.

show abstract

Section: Trace Equivalencementioning

confidence: 99%

“…However, privacy properties such as vote secrecy, anonymity, or untraceability cannot be expressed as such. They are instead defined as indistinguishability properties in [1,6]. For example, Alice's identity remains private if an attacker cannot distinguish a session where Alice is talking from a session where Bob is talking.…”

Section: Introductionmentioning

confidence: 99%

From Security Protocols to Pushdown Automata

Chrétien

Cortier

Delaune

2013

Automata, Languages, and Programming

View full text Add to dashboard Cite

show abstract

“…A typical example is real-or-random secrecy: after interacting with a protocol, an adversary is unable to distinguish the real secret used in the protocol from a random value. Privacy-type properties can also be expressed as such: anonymity may be modeled as the adversary's inability to distinguish two instances of a protocol executed by different agents; vote privacy [DKR09] has been expressed as indistinguishability of the situations where the votes of two agents have been swapped or not; unlinkability [ACRR10] is seen as indistinguishability of two sessions, either both executed by the same agent A, or by two different agents A and B.…”

Section: Introductionmentioning

confidence: 99%

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval

Kremer

Rakotonirina

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We study the automated verification of behavioural equivalences in the applied pi calculus, an essential problem in formal, symbolic analysis of cryptographic protocols. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and propose a new decision procedure for these equivalences. Our procedure is the first tool to decide trace equivalence and labelled bisimilarity exactly for a family of equational theories, namely those that can be represented by a subterm convergent destructor rewrite system. Finally, we implement the procedure in a new tool, called Deepsec and demonstrate the applicability of the tool on several case studies.

show abstract

“…In this paper, we bring the privacy analysis of location-based services into the world of formal methods, leveraging previous work on privacy for vehicular mix-zones [10], electronic voting [11,15], and RFID tags [3,8]. In particular, we concentrate on VPriv [7], a proposed scheme for building location-based services using zero-knowledge techniques, designed to ensure that the paths of drivers are not revealed to the service providers, while nonetheless preventing drivers from reporting fake paths.…”

Section: Introductionmentioning

confidence: 99%

Formal Analysis of Privacy for Anonymous Location Based Services

Dahl

Delaune

Steel

2012

Theory of Security and Applications

View full text Add to dashboard Cite

Abstract. We propose a framework for formal analysis of privacy in location based services such as anonymous electronic toll collection. We give a formal definition of privacy, and apply it to the VPriv scheme for vehicular services. We analyse the resulting model using the ProVerif tool, concluding that our privacy property holds only if certain conditions are met by the implementation. Our analysis includes some novel features such as the formal modelling of privacy for a protocol that relies on interactive zero-knowledge proofs of knowledge and list permutations.

show abstract

Analysing Unlinkability and Anonymity Using the Applied Pi Calculus

Cited by 106 publications

References 19 publications

From Security Protocols to Pushdown Automata

From Security Protocols to Pushdown Automata

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Formal Analysis of Privacy for Anonymous Location Based Services

Contact Info

Product

Resources

About