Two styles of definition are usually considered to express that a security protocol preserves the confidentiality of a piece of data s. Reachability-based secrecy means that s should never be disclosed, while equivalence-based secrecy states that two executions of a protocol with distinct instances for s should be indistinguishable to an attacker. Although the second formulation ensures a higher level of security and is closer to cryptographic notions of secrecy, decidability results and automatic tools have mainly focused on the first definition so far. This paper initiates a systematic investigation of situations where syntactic (reachability-based) secrecy entails strong (equivalence-based) secrecy. We show that in the passive case, reachability-based secrecy actually implies equivalence-based secrecy for signatures, symmetric and asymmetric encryption, provided that the primitives are probabilistic. For active adversaries in the case of symmetric encryption, we provide sufficient (and rather tight) conditions on the protocol for this implication to hold.
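The gap between the two notions in the passive case, and the role of the "probabilistic primitives" condition, can be seen in a small symbolic model. The following is an added example, not code from the paper: the term encoding, the function names and the guessing test (a sound but incomplete stand-in for full static equivalence) are assumptions made for illustration.

```python
# Constructed symbolic model. Atoms are strings; composite terms are tuples:
#   ("pk", k)            public key matching private key k
#   ("aenc", m, pub, r)  m encrypted under pub; r is the randomness (None = deterministic)

def analyze(known):
    """Close the attacker's knowledge under decryption with private keys it holds."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == "aenc":
                m, pub = t[1], t[2]
                if isinstance(pub, tuple) and pub[1] in known and m not in known:
                    known.add(m)
                    changed = True
    return known

def derivable(t, known):
    """Can the attacker build term t by applying constructors to known terms?"""
    if t in known:
        return True
    if isinstance(t, tuple):
        return all(derivable(a, known) for a in t[1:] if a is not None)
    return False

def reachability_secret(frame, secret):
    """Reachability-based secrecy: the secret itself is never deducible."""
    return not derivable(secret, analyze(frame))

def distinguishable(make_frame, s0, s1):
    """Equivalence-based secrecy fails if a passive attacker who knows both
    candidate values can rebuild an observed message that differs between runs."""
    phi0, phi1 = make_frame(s0), make_frame(s1)
    shared = {a for a, b in zip(phi0, phi1) if a == b}  # messages equal in both runs
    known = analyze(shared | {s0, s1})
    return any(a != b and derivable(a, known) for a, b in zip(phi0, phi1))

def frame(secret, randomness):
    """Messages a passive attacker observes: the public key and one ciphertext."""
    return [("pk", "k"), ("aenc", secret, ("pk", "k"), randomness)]

if __name__ == "__main__":
    for r in (None, "r"):
        print("randomness:", r,
              "| reachability secrecy:", reachability_secret(frame("s", r), "s"),
              "| distinguishable:", distinguishable(lambda s: frame(s, r), "s0", "s1"))
```

With deterministic encryption the secret is never deducible, yet the attacker can re-encrypt each candidate under the public key and compare, so only the probabilistic variant satisfies both notions.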