Efficient Decision Procedures for Message Deducibility and Static Equivalence

Conchinha, Bruno; Basin, David; Caleiro, Carlos

doi:10.1007/978-3-642-19751-2_3

Cited by 10 publications

(10 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While many complexity results are known for trace properties [DLM04,RT03], the case of behavioural equivalences remains mostly open. When the attacker is an eavesdropper and cannot interact with the protocol, the indistinguishability problem-static equivalence-has been shown ptime for large classes of cryptographic primitives [AC06,CDK12,CBC10]. For active attackers, bounding the number of protocol sessions is often sufficient to obtain decidability [RT03] and is of practical interest: most real-life attacks indeed only require a small number of sessions.…”

Section: Related Workmentioning

confidence: 99%

“…We note that in Equiv R,F , R and F are not part of the input and that all previously proposed procedures in [AC06,CDK12,CBC10] are actually exponential in R or F. Moreover, this definition does not allow to give a lower bound for the whole class of subterm convergent rewriting system (the lower bounds may be different for particular rewriting systems). We therefore define an alternate problem which takes R and F as additional inputs.…”

Section: Decision Problems For Equivalencesmentioning

confidence: 99%

See 1 more Smart Citation

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval

Kremer

Rakotonirina

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We study the automated verification of behavioural equivalences in the applied pi calculus, an essential problem in formal, symbolic analysis of cryptographic protocols. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and propose a new decision procedure for these equivalences. Our procedure is the first tool to decide trace equivalence and labelled bisimilarity exactly for a family of equational theories, namely those that can be represented by a subterm convergent destructor rewrite system. Finally, we implement the procedure in a new tool, called Deepsec and demonstrate the applicability of the tool on several case studies.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Decision Problems For Equivalencesmentioning

confidence: 99%

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval

Kremer

Rakotonirina

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…[36,37,38]), and some of these procedures have even been implemented (e.g. KISS [39], YAPA [40], FAST [41]). These results cover a wide class of cryptographic primitives as long as they are modelled through convergent equational theories (i.e., theories in which equations can be oriented and form a convergent rewriting system).…”

Section: Assembling Terms Into Framesmentioning

confidence: 99%

A survey of symbolic methods for establishing equivalence-based properties in cryptographic protocols

Delaune¹,

Hirschi²

2017

Journal of Logical and Algebraic Methods in Programming

View full text Add to dashboard Cite

Cryptographic protocols aim at securing communications over insecure networks such as the Internet, where dishonest users may listen to communications and interfere with them. A secure communication has a different meaning depending on the underlying application. It ranges from the confidentiality of a data to e.g. verifiability in electronic voting systems. Another example of a security notion is privacy.Formal symbolic models have proved their usefulness for analysing the security of protocols. Until quite recently, most results focused on trace properties like confidentiality or authentication. There are however several security properties, which cannot be defined (or cannot be naturally defined) as trace properties and require a notion of behavioural equivalence. Typical examples are anonymity, and privacy related properties. During the last decade, several results and verification tools have been developed to analyse equivalence-based security properties.We propose here a synthesis of decidability and undecidability results for equivalence-based security properties. Moreover, we give an overview of existing verification tools that may be used to verify equivalence-based security properties.

show abstract

“…Indeed, the algorithm for deciding static equivalence presented in [36] effectively computes equational verifiers as part of the decision procedure. Computing type verifiers is a less direct extension of existing algorithms.…”

Section: and There Are No P ∈ N * \ { } T T ∈ T T Such That These mentioning

confidence: 99%

Symbolic Probabilistic Analysis of Off-Line Guessing

Conchinha

Basin

Caleiro

2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We introduce a probabilistic framework for the automated analysis of security protocols. Our framework provides a general method for expressing properties of cryptographic primitives, modeling an attacker who is more powerful than conventional Dolev-Yao attackers. Within our framework, we can model equational properties of cryptographic primitives as well as property statements about their weaknesses, e.g. primitives leaking partial information about messages or the use of weak algorithms for random number generation. Moreover, we can use these properties to find attacks and estimate their success probability. Existing symbolic methods can neither model such properties nor find such attacks. We show that the probability estimates we obtain are negligibly different from those yielded by a generalized random oracle model based on sampling (the random variables associated to symbolic) terms into bitstrings, while respecting the stipulated properties of cryptographic primitives. As case studies, we use a prototype implementation of our framework to model non-trivial properties of RSA encryption and automatically estimate the probability of off-line guessing attacks on the EKE protocol.

show abstract

Efficient Decision Procedures for Message Deducibility and Static Equivalence

Cited by 10 publications

References 27 publications

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

A survey of symbolic methods for establishing equivalence-based properties in cryptographic protocols

Symbolic Probabilistic Analysis of Off-Line Guessing

Contact Info

Product

Resources

About