DOI: 10.29007/gpsh
|View full text |Cite
|
Sign up to set email alerts
|

Cryptographic Protocol Verification via Supercompilation (A Case Study)

Abstract: It has been known for a while [35,36,12] that program transformation techniques, in particular, program specialization, can be used to prove the properties of programs automatically. For example, if a program actually implements (in a given context of use) a constant function sufficiently powerful and semantics preserving program transformation may reduce the program to a syntactically trivial "constant" program, pruning unreachable branches and proving thereby the property. Viability of such an approach to ve… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1
1

Citation Types

0
18
0

Publication Types

Select...
4
2

Relationship

0
6

Authors

Journals

citations
Cited by 7 publications
(18 citation statements)
references
References 26 publications
0
18
0
Order By: Relevance
“…The reduction strategy we are going to use later is to repeatedly apply the identity rules to the rightmost, innermost pair to which they apply. 2 There is no difference between handling a mismatch of keys and of prepended names (the operator pair does not reduce).…”
Section: Definitionmentioning
confidence: 99%
See 2 more Smart Citations
“…The reduction strategy we are going to use later is to repeatedly apply the identity rules to the rightmost, innermost pair to which they apply. 2 There is no difference between handling a mismatch of keys and of prepended names (the operator pair does not reduce).…”
Section: Definitionmentioning
confidence: 99%
“…The control over these choices is therefore indirect. On the other hand, case studies [2,22] have shown that a supercompiler [29] can solve a variety of security problems, including cryptographic ping-pong protocols [24].…”
Section: Protocol Verification By Transformation and Pushdown Simulationmentioning
confidence: 99%
See 1 more Smart Citation
“…For example, in the Needham-Shroeder protocol P N S [x 1 , x 2 ] (which also can be verified by supercompilation [2]) the fact of the intruder receiving the initial random number generated by x 1 does not point to an attack on the protocol. In P N S [x 1 , x 2 ], an attack is a sequence of transmissions that allows an intruder to get the random number generated by x 2 in response to x 1 .…”
Section: Multi-party Ping-pong Protocolsmentioning
confidence: 99%
“…Let us consider G 2EXP = {a, b, c, A, B, C, e}, R 2EXP , e with the following R 2EXP : R [1] : e → aA R [5] : AA → Λ R [9] : Ba → bB R [2] : Λ → aA R [6] : BB → Λ R [10] : Cb → cC R [3] : Λ → bB R [7] : CC → Λ R [4] : Λ → cC R [8] : c → Λ…”
Section: Prefix Grammars and Empty Word Problem Solutionmentioning
confidence: 99%