A calculus for cryptographic protocols: the spi calculus
Proceedings of the 4th ACM conference on Computer and communications security
Mobile values, new names, and secure communication
POPL '01 Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Constraint solving for bounded-process cryptographic protocol analysis
CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules
CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
Protocol Insecurity with Finite Number of Sessions is NP-Complete
CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
Automatic testing equivalence verification of spi calculus specifications
ACM Transactions on Software Engineering and Methodology (TOSEM)
Theoretical Computer Science - Special issue: Foundations of wide area network computing
Deciding security of protocols against off-line guessing attacks
Proceedings of the 12th ACM conference on Computer and communications security
Deciding knowledge in security protocols under equational theories
Theoretical Computer Science - Automated reasoning for security protocol analysis
On the security of public key protocols
SFCS '81 Proceedings of the 22nd Annual Symposium on Foundations of Computer Science
Verifying privacy-type properties of electronic voting protocols
Journal of Computer Security
A Method for Proving Observational Equivalence
CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Symbolic bisimulation for the applied Pi calculus
FSTTCS'07 Proceedings of the 27th international conference on Foundations of software technology and theoretical computer science
Journal of Computer Security - Digital Identity Management (DIM 2007)
Analysing Unlinkability and Anonymity Using the Applied Pi Calculus
CSF '10 Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium
Automating Open Bisimulation Checking for the Spi Calculus
CSF '10 Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium
Decidability of Equivalence of Symbolic Derivations
Journal of Automated Reasoning
The AVISPA tool for the automated validation of internet security protocols and applications
CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
The finite variant property: how to get rid of some algebraic properties
RTA'05 Proceedings of the 16th international conference on Term Rewriting and Applications
Automating security analysis: symbolic equivalence of constraint systems
IJCAR'10 Proceedings of the 5th international conference on Automated Reasoning
Automated verification of equivalence properties of cryptographic protocols
ESOP'12 Proceedings of the 21st European conference on Programming Languages and Systems
Security protocol verification: symbolic and computational models
POST'12 Proceedings of the First international conference on Principles of Security and Trust
A formal analysis of the norwegian e-voting protocol
POST'12 Proceedings of the First international conference on Principles of Security and Trust
POST'12 Proceedings of the First international conference on Principles of Security and Trust
Proving more observational equivalences with proverif
POST'13 Proceedings of the Second international conference on Principles of Security and Trust
From security protocols to pushdown automata
ICALP'13 Proceedings of the 40th international conference on Automata, Languages, and Programming - Volume Part II
Lengths may break privacy: or how to check for equivalences with length
CAV'13 Proceedings of the 25th international conference on Computer Aided Verification
Hi-index | 0.00 |
We consider security properties of cryptographic protocols that can be modeled using the notion of trace equivalence. The notion of equivalence is crucial when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability. In this paper, we give a calculus that is close to the applied pi calculus and that allows one to capture most existing protocols that rely on classical cryptographic primitives. First, we propose a symbolic semantics for our calculus relying on constraint systems to represent infinite sets of possible traces, and we reduce the decidability of trace equivalence to deciding a notion of symbolic equivalence between sets of constraint systems. Second, we develop an algorithm allowing us to decide whether two sets of constraint systems are in symbolic equivalence or not. Altogether, this yields the first decidability result of trace equivalence for a general class of processes that may involve else branches and/or private channels (for a bounded number of sessions).