Results 1  10
of
72
Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)
, 2000
"... Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability. ..."
Abstract

Cited by 392 (18 self)
 Add to MetaCart
Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability.
Mobile Values, New Names, and Secure Communication
, 2001
"... We study the interaction of the "new" construct with a rich but common form of (firstorder) communication. This interaction is crucial in security protocols, which are the main motivating examples for our work; it also appears in other programminglanguage contexts. Specifically, we intro ..."
Abstract

Cited by 378 (18 self)
 Add to MetaCart
We study the interaction of the "new" construct with a rich but common form of (firstorder) communication. This interaction is crucial in security protocols, which are the main motivating examples for our work; it also appears in other programminglanguage contexts. Specifically, we introduce a simple, general extension of the pi calculus with value passing, primitive functions, and equations among terms. We develop semantics and proof techniques for this extended language and apply them in reasoning about some security protocols.
Deciding knowledge in security protocols under equational theories
 In Proc. 31st International Colloquium on Automata, Languages and Programming (ICALP’04), volume 3142 of LNCS
, 2004
"... Abstract. The analysis of security protocols requires precise formulations of the knowledge of protocol participants and attackers. In formal approaches, this knowledge is often treated in terms of message deducibility and indistinguishability relations. In this paper we study the decidability of th ..."
Abstract

Cited by 111 (9 self)
 Add to MetaCart
(Show Context)
Abstract. The analysis of security protocols requires precise formulations of the knowledge of protocol participants and attackers. In formal approaches, this knowledge is often treated in terms of message deducibility and indistinguishability relations. In this paper we study the decidability of these two relations. The messages in question may employ functions (encryption, decryption, etc.) axiomatized in an equational theory. Our main positive results say that, for a large and useful class of equational theories, deducibility and indistinguishability are both decidable in polynomial time. 1
Automated verification of selected equivalences for security protocols
 IN 20TH IEEE SYMPOSIUM ON LOGIC IN COMPUTER SCIENCE (LICS’05
, 2005
"... In the analysis of security protocols, methods and tools for reasoning about protocol behaviors have been quite effective. We aim to expand the scope of those methods and tools. We focus on proving equivalences P ≈ Q in which P and Q are two processes that differ only in the choice of some terms. Th ..."
Abstract

Cited by 105 (12 self)
 Add to MetaCart
In the analysis of security protocols, methods and tools for reasoning about protocol behaviors have been quite effective. We aim to expand the scope of those methods and tools. We focus on proving equivalences P ≈ Q in which P and Q are two processes that differ only in the choice of some terms. These equivalences arise often in applications. We show how to treat them as predicates on the behaviors of a process that represents P and Q at the same time. We develop our techniques in the context of the applied pi calculus and implement them in the tool ProVerif.
On the Reachability Problem in Cryptographic Protocols
, 2000
"... We study the verification of secrecy and authenticity properties for cryptographic protocols which rely on symmetric shared keys. The verification can be reduced to check whether a certain parallel program which models the protocol and the specification can reach an erroneous state while interacting ..."
Abstract

Cited by 101 (0 self)
 Add to MetaCart
We study the verification of secrecy and authenticity properties for cryptographic protocols which rely on symmetric shared keys. The verification can be reduced to check whether a certain parallel program which models the protocol and the specification can reach an erroneous state while interacting with the environment. Assuming finite principals, we present a simple decision procedure for the reachability problem which is based on a `symbolic' reduction system.
Symbolic Trace Analysis of Cryptographic Protocols
"... A cryptographic protocol can be described as a system of concurrent processes, and analysis ..."
Abstract

Cited by 100 (9 self)
 Add to MetaCart
(Show Context)
A cryptographic protocol can be described as a system of concurrent processes, and analysis
Information Hiding, Anonymity and Privacy: A Modular Approach
 Journal of Computer Security
, 2002
"... We propose a new specification framework for information hiding properties such as anonymity and privacy. The framework is based on the concept of a function view, which is a concise representation of the attacker's partial knowledge about a function. We describe system behavior as a set of fun ..."
Abstract

Cited by 60 (0 self)
 Add to MetaCart
We propose a new specification framework for information hiding properties such as anonymity and privacy. The framework is based on the concept of a function view, which is a concise representation of the attacker's partial knowledge about a function. We describe system behavior as a set of functions, and formalize different information hiding properties in terms of views of these functions. We present an extensive case study, in which we use the function view framework to systematically classify and rigorously define a rich domain of identityrelated properties, and to demonstrate that privacy and anonymity are independent.
A bisimulation for dynamic sealing
 In Proceedings 31st Annual ACM Symposium on Principles of Programming Languages
, 2004
"... We define λseal, an untyped callbyvalue λcalculus with primitives for protecting abstract data by sealing, and develop a bisimulation proof method that is sound and complete with respect to contextual equivalence. This provides a formal basis for reasoning about data abstraction in open, dynamic ..."
Abstract

Cited by 59 (9 self)
 Add to MetaCart
We define λseal, an untyped callbyvalue λcalculus with primitives for protecting abstract data by sealing, and develop a bisimulation proof method that is sound and complete with respect to contextual equivalence. This provides a formal basis for reasoning about data abstraction in open, dynamic settings where static techniques such as type abstraction and logical relations are not applicable.
A bisimulation for type abstraction and recursion
 SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES
, 2005
"... We present a bisimulation method for proving the contextual equivalence of packages in λcalculus with full existential and recursive types. Unlike traditional logical relations (either semantic or syntactic), our development is “elementary, ” using only sets and relations and avoiding advanced mach ..."
Abstract

Cited by 54 (6 self)
 Add to MetaCart
(Show Context)
We present a bisimulation method for proving the contextual equivalence of packages in λcalculus with full existential and recursive types. Unlike traditional logical relations (either semantic or syntactic), our development is “elementary, ” using only sets and relations and avoiding advanced machinery such as domain theory, admissibility, and ⊤⊤closure. Unlike other bisimulations, ours is complete even for existential types. The key idea is to consider sets of relations—instead of just relations—as bisimulations.
Bisimulations in the joincalculus
 Theoretical Computer Science
, 1998
"... We propose an objectoriented calculus with internal concurrency and classbased inheritance that is built upon the join calculus. Method calls, locks, and states are handled in a uniform manner, using asynchronous messages. Classes are partial message definitions that can be combined and transforme ..."
Abstract

Cited by 53 (7 self)
 Add to MetaCart
We propose an objectoriented calculus with internal concurrency and classbased inheritance that is built upon the join calculus. Method calls, locks, and states are handled in a uniform manner, using asynchronous messages. Classes are partial message definitions that can be combined and transformed. We design operators for behavioral and synchronization inheritance. We also give a type system that statically enforces basic safety properties. Our model is compatible with the JoCaml implementation