Automated Verification of Equivalence Properties of Cryptographic Protocols

Chadha, Rohit; Ciobâcă, Ștefan; Kremer, Steve

doi:10.1007/978-3-642-28869-2_6

Cited by 52 publications

(52 citation statements)

References 38 publications

(80 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…First, we wish to lift the restriction of subterm convergent equational theories. Even though the problem becomes quickly undecidable for more general rewrite theories, we plan to design a partially correct, i.e., sound, complete, but not necessarily terminating, procedure, as the procedure underlying the Akiss tool [CCCK16]. Second, we plan to avoid the restriction to destructor rewrite systems to more general ones.…”

Section: Discussionmentioning

confidence: 99%

“…The Apte tool [Che14] covers the same primitives but allows else branches and decides trace equivalence exactly. On the contrary, the Akiss tool [CCCK16] allows for user-defined cryptographic primitives. Partial correctness of Akiss is shown for primitives modelled by an arbitrary convergent rewrite system that has the finite variant property [CD05].…”

Section: Related Workmentioning

confidence: 99%

“…Let us also highlight one small, yet substantial difference with existing work: we do not consider cryptographic primitives (rewrite systems) as constants of the problem. As most modern verification tools allow for user-specified primitives [BSC16,SMCB13,SEMM14,CCCK16], our approach seems to better fit this reality. Typically, all existing procedures for static equivalence can only be claimed ptime because of this difference and are actually exponential in the sizes of signature or equational theory.…”

Section: Complexitymentioning

confidence: 99%

See 2 more Smart Citations

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval

Kremer

Rakotonirina

2018

2018 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

We study the automated verification of behavioural equivalences in the applied pi calculus, an essential problem in formal, symbolic analysis of cryptographic protocols. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and propose a new decision procedure for these equivalences. Our procedure is the first tool to decide trace equivalence and labelled bisimilarity exactly for a family of equational theories, namely those that can be represented by a subterm convergent destructor rewrite system. Finally, we implement the procedure in a new tool, called Deepsec and demonstrate the applicability of the tool on several case studies.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Complexitymentioning

confidence: 99%

See 1 more Smart Citation

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval

Kremer

Rakotonirina

2018

2018 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

show abstract

“…AKiSs supports a larger variety of cryptographic primitives than ProVerif and the current version of the Inductive Method. In (Chadha et al, 2012), Chadha et al conjecture that all those which can be modelled in a rewrite system with a specific convergence property are supported. Notably, trapdoor commitments can be modelled.…”

Section: Discussionmentioning

confidence: 99%

“…In (Chadha et al, 2012), a new cryptographic process calculus is introduced alongside a novel procedure for checking equivalence. Specifically, under-and overapproximations of ≈ t are introduced, the fine-grained trace equivalence ≈ f t and the coarse trace equivalence ≈ ct .…”

Section: Proverifmentioning

confidence: 99%

Verifying Privacy by Little Interaction and No Process Equivalence

Butin

Bella

2012

Proceedings of the International Conference on Security and Cryptography

View full text Add to dashboard Cite

Abstract:While machine-assisted verification of classical security goals such as confidentiality and authentication is well-established, it is less mature for recent ones. Electronic voting protocols claim properties such as voter privacy. The most common modelling involves indistinguishability, and is specified via trace equivalence in cryptographic extensions of process calculi. However, it has shown restrictions. We describe a novel model, based on unlinkability between two pieces of information. Specifying it as an extension to the Inductive Method allows us to establish voter privacy without the need for approximation or session bounding. The two models and their latest specifications are contrasted.

show abstract

Electronic Voting: How Logic Can Help

Cortier

2014

Automated Reasoning

View full text Add to dashboard Cite

Electronic voting should offer at least the same guarantees than traditional paper-based voting systems. In order to achieve this, electronic voting protocols make use of cryptographic primitives, as in the more traditional case of authentication or key exchange protocols. All these protocols are notoriously difficult to design and flaws may be found years after their first release. Formal models, such as process algebra, Horn clauses, or constraint systems, have been successfully applied to automatically analyze traditional protocols and discover flaws. Electronic voting protocols however significantly increase the difficulty of the analysis task. Indeed, they involve for example new and sophisticated cryptographic primitives, new dedicated security properties, and new execution structures. After an introduction to electronic voting, we describe the current techniques for e-voting protocols analysis and review the key challenges towards a fully automated verification. 1 Context Electronic voting promises a convenient and efficient way for collecting and tallying votes, avoiding human counting errors. Several countries now use electronic voting for politically binding elections. This is for example the case of Argentina, United States, Norway, Canada, or France. However electronic voting also causes controversy. Indeed these systems have been shown to be vulnerable to attacks. For example, the Diebold machines as well as the electronic machines used in India have been attacked [44, 58]. Consequently, some countries like Germany, Netherlands, or the United Kingdom have stopped electronic voting, at least momentarily [47]. Electronic voting covers two distinct families of voting systems: voting machines and Internet voting. Voting machines are computers placed at polling stations. They provide an interface for the voters to cast their vote and they process the ballots. Internet voting do not need physical polling stations: voters may simply vote using their own device (computers, smartphones, etc.) from home. In this paper we focus on Internet voting. Internet voting raises several security challenges. Firstly, since votes need to be sent through the Internet, they obviously cannot be sent in clear. A simple solution would therefore to have all the voters encrypt their votes with the key of the voting server. At the end of the election, the server can then simply decrypt all the votes and announce the The research leading to these results has received funding from the European Research Council under the European Union's Seventh Framework Programme (FP7/2007-2013) / ERC grant agreement no 258865, project ProSecure.

show abstract

Automated Verification of Equivalence Properties of Cryptographic Protocols

Cited by 52 publications

References 38 publications

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Verifying Privacy by Little Interaction and No Process Equivalence

Electronic Voting: How Logic Can Help

Contact Info

Product

Resources

About