Deciding Knowledge in Security Protocols Under Equational Theories

Abadi, Martı́n; Cortier, Véronique

doi:10.1007/978-3-540-27836-8_7

Cited by 88 publications

(241 citation statements)

References 21 publications

Supporting

Mentioning

239

Contrasting

Order By: Relevance

“…While many complexity results are known for trace properties [DLM04,RT03], the case of behavioural equivalences remains mostly open. When the attacker is an eavesdropper and cannot interact with the protocol, the indistinguishability problem-static equivalence-has been shown ptime for large classes of cryptographic primitives [AC06,CDK12,CBC10]. For active attackers, bounding the number of protocol sessions is often sufficient to obtain decidability [RT03] and is of practical interest: most real-life attacks indeed only require a small number of sessions.…”

Section: Related Workmentioning

confidence: 99%

“…This notion has been extensively studied (see e.g. [AC06]). Intuitively, two frames are in static equivalence if an attacker cannot distinguish them, even when applying arbitrary primitives to the messages in the frames.…”

Section: Static Equivalencementioning

confidence: 99%

“…In [AC06], it was first shown that for an arbitrary convergent rewriting system R, and signature F the problem Equiv ∼ R,F is undecidable, but for any subterm convergent rewriting system R, Equiv ∼ R,F can be solved in polynomial time. We note that in Equiv R,F , R and F are not part of the input and that all previously proposed procedures in [AC06,CDK12,CBC10] are actually exponential in R or F. Moreover, this definition does not allow to give a lower bound for the whole class of subterm convergent rewriting system (the lower bounds may be different for particular rewriting systems).…”

Section: Decision Problems For Equivalencesmentioning

confidence: 99%

“…We note that in Equiv R,F , R and F are not part of the input and that all previously proposed procedures in [AC06,CDK12,CBC10] are actually exponential in R or F. Moreover, this definition does not allow to give a lower bound for the whole class of subterm convergent rewriting system (the lower bounds may be different for particular rewriting systems). We therefore define an alternate problem which takes R and F as additional inputs.…”

Section: Decision Problems For Equivalencesmentioning

confidence: 99%

“…The problem of static equivalence for subterm convergent equational theories has first been studied by [AC06]. It is proven ptime provided that the rewrite system is a constant of the problem.…”

Section: Static Equivalencementioning

confidence: 99%

See 4 more Smart Citations

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval

Kremer

Rakotonirina

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We study the automated verification of behavioural equivalences in the applied pi calculus, an essential problem in formal, symbolic analysis of cryptographic protocols. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and propose a new decision procedure for these equivalences. Our procedure is the first tool to decide trace equivalence and labelled bisimilarity exactly for a family of equational theories, namely those that can be represented by a subterm convergent destructor rewrite system. Finally, we implement the procedure in a new tool, called Deepsec and demonstrate the applicability of the tool on several case studies.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Static Equivalencementioning

confidence: 99%

Section: Decision Problems For Equivalencesmentioning

confidence: 99%

Section: Decision Problems For Equivalencesmentioning

confidence: 99%

Section: Static Equivalencementioning

confidence: 99%

See 3 more Smart Citations

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval

Kremer

Rakotonirina

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

Computationally Sound Implementations of Equational Theories Against Passive Adversaries

Baudet

Cortier

Kremer

2005

Automata, Languages and Programming

Self Cite

View full text Add to dashboard Cite

In this paper we study the link between formal and cryptographic models for security protocols in the presence of passive adversaries. In contrast to other works, we do not consider a fixed set of primitives but aim at results for arbitrary equational theories. We define a framework for comparing a cryptographic implementation and its idealization with respect to various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, to illustrate our framework, we establish the soundness of static equivalence for the exclusive OR and a theory of ciphers and lists.

show abstract

Limits of the Cryptographic Realization of Dolev-Yao-Style XOR

Backes

Pfitzmann

2005

Computer Security – ESORICS 2005

View full text Add to dashboard Cite

Deciding Knowledge in Security Protocols Under Equational Theories

Cited by 88 publications

References 21 publications

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Computationally Sound Implementations of Equational Theories Against Passive Adversaries

Limits of the Cryptographic Realization of Dolev-Yao-Style XOR

Contact Info

Product

Resources

About