Handbook of theoretical computer science (vol. B)
A calculus for cryptographic protocols
Information and Computation
Mobile values, new names, and secure communication
POPL '01 Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Automatic testing equivalence verification of spi calculus specifications
ACM Transactions on Software Engineering and Methodology (TOSEM)
Deciding security of protocols against off-line guessing attacks
Proceedings of the 12th ACM conference on Computer and communications security
Deciding knowledge in security protocols under equational theories
Theoretical Computer Science - Automated reasoning for security protocol analysis
A survey of algebraic properties used in cryptographic protocols
Journal of Computer Security
YAPA: A Generic Tool for Computing Intruder Knowledge
RTA '09 Proceedings of the 20th International Conference on Rewriting Techniques and Applications
Verifying privacy-type properties of electronic voting protocols
Journal of Computer Security
Using ProVerif to Analyze Protocols with Diffie-Hellman Exponentiation
CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
A Method for Proving Observational Equivalence
CSF '09 Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium
Analysing Password Protocol Security Against Off-line Dictionary Attacks
Electronic Notes in Theoretical Computer Science (ENTCS)
Security properties: two agents are sufficient
ESOP'03 Proceedings of the 12th European conference on Programming
Analysing Unlinkability and Anonymity Using the Applied Pi Calculus
CSF '10 Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium
Automating Open Bisimulation Checking for the Spi Calculus
CSF '10 Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium
Reducing Protocol Analysis with XOR to the XOR-Free Case in the Horn Theory Based Approach
Journal of Automated Reasoning
A Survey of Symbolic Methods in Computational Analysis of Cryptographic Systems
Journal of Automated Reasoning
Trace equivalence decision: negative tests and non-determinism
Proceedings of the 18th ACM conference on Computer and communications security
Attacking and Fixing Helios: An Analysis of Ballot Secrecy
CSF '11 Proceedings of the 2011 IEEE 24th Computer Security Foundations Symposium
Reducing Equational Theories for the Decision of Static Equivalence
Journal of Automated Reasoning
Computing Knowledge in Security Protocols Under Convergent Equational Theories
Journal of Automated Reasoning
The finite variant property: how to get rid of some algebraic properties
RTA'05 Proceedings of the 16th international conference on Term Rewriting and Applications
Prêt à voter with re-encryption mixes
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
Automating security analysis: symbolic equivalence of constraint systems
IJCAR'10 Proceedings of the 5th international conference on Automated Reasoning
Decidability and Combination Results for Two Notions of Knowledge in Security Protocols
Journal of Automated Reasoning
Diffie-Hellman without difficulty
FAST'11 Proceedings of the 8th international conference on Formal Aspects of Security and Trust
| Hi-index | 0.00 |
Verification of trace equivalence is difficult to automate in general because it requires relating two infinite sets of traces. The problem becomes even more complex when algebraic properties of cryptographic primitives are taken in account in the formal model. For example, no verification tool or technique can currently handle automatically a realistic model of re-encryption or associative-commutative operators. In this setting, we propose a general technique for reducing the set of traces that have to be analyzed to a set of local traces. A local trace restricts the way in which some function symbols are used, and this allows us to perform a second reduction, by showing that some algebraic properties can be safely ignored in local traces. In particular, local traces for re-encryption will contain only a bounded number of re-encryptions for any given ciphertext, leading to a sound elimination of equations that model re-encryption. For associativity and commutativity, local traces will determine a canonical use of the associative-commutative operator, where reasoning modulo AC is no stronger than reasoning without AC. We illustrate these results by considering a non-disjoint combination of equational theories for the verification of vote privacy in Prêt à Voter. ProVerif can not handle the input theory as it is, but it does terminate with success on the theory obtained using our reduction result.