Results 1-10 of 31
Hierarchical combination of intruder theories
In Proc. 17th International Conference on Term Rewriting and Applications (RTA’06), volume 4098 of LNCS, 2006
Cited by 15 (0 self)
Abstract. Recently automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analyses can be improved, for finding more subtle weaknesses, by a more accurate modelling of operators employed by protocols. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However, several interesting equational theories, such as exponentiation with an abelian group law for exponents, remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for intruder theories and to show decidability results for the deduction problem in these theories. Under a simple hypothesis, we were able to simplify this deduction problem. This simplification is then applied to prove the decidability of constraint systems w.r.t. an intruder relying on exponentiation theory.
Algebraic intruder deductions
In Proceedings of LPAR’05, LNAI 3835, 2005
Cited by 14 (4 self)
Abstract. Many security protocols fundamentally depend on the algebraic properties of cryptographic operators. It is however difficult to handle these properties when formally analyzing protocols, since basic problems like the equality of terms that represent cryptographic messages are undecidable, even for relatively simple algebraic theories. We present a framework for security protocol analysis that can handle algebraic properties of cryptographic operators in a uniform and modular way. Our framework is based on two ideas: the use of modular rewriting to formalize a generalized equational deduction problem for the Dolev-Yao intruder, and the introduction of two parameters that control the complexity of the equational unification problems that arise during protocol analysis by bounding the depth of message terms and the operations that the intruder can perform when analyzing messages. We motivate the different restrictions made in our model by highlighting different ways in which undecidability arises when incorporating algebraic properties of cryptographic operators into formal protocol analysis.
Trace equivalence decision: Negative tests and nondeterminism
In CCS’11, 2011
Cited by 11 (5 self)
We consider security properties of cryptographic protocols that can be modeled using the notion of trace equivalence. The notion of equivalence is crucial when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability. In this paper, we give a calculus that is close to the applied pi calculus and that allows one to capture most existing protocols that rely on classical cryptographic primitives. First, we propose a symbolic semantics for our calculus relying on constraint systems to represent infinite sets of possible traces, and we reduce the decidability of trace equivalence to deciding a notion of symbolic equivalence between sets of constraint systems. Second, we develop an algorithm allowing us to decide whether two sets of constraint systems are in symbolic equivalence or not. Altogether, this yields the first decidability result of trace equivalence for a general class of processes that may involve else branches and/or private channels (for a bounded number of sessions).
Deducibility constraints
2009
Cited by 10 (2 self)
Abstract. In their work on tractable deduction systems, D. McAllester and later D. Basin and H. Ganzinger have identified a property of inference systems (the locality property) that ensures the tractability of the Entscheidungsproblem. On the other hand, deducibility constraints are sequences of deduction problems in which some parts (formulas) are unknown. The problem is to decide their satisfiability and to represent the set of all possible solutions. Such constraints have also been used for deciding some security properties of cryptographic protocols. In this paper we show that local inference systems (actually a slight modification of such systems) yield not only a tractable deduction problem, but also decidable deducibility constraints. Our algorithm not only allows one to decide the existence of a solution, but also gives a representation of all solutions.
Intruders with Caps
Cited by 9 (1 self)
Abstract. In the analysis of cryptographic protocols, a treacherous set of terms is one from which an intruder can get access to what was intended to be secret, by adding on to the top of a sequence of elements of this set, a cap formed of symbols legally part of his/her knowledge. In this paper, we give sufficient conditions on the rewrite system modeling the intruder’s abilities, such as using encryption and decryption functions, to ensure that it is decidable if such caps exist. The following classes of intruder systems are studied: linear, dwindling, ∆-strong, and optimally reducing; and depending on the class considered, the cap problem (“find a cap for a given set of terms”) is shown respectively to be in P, NP-complete, decidable, and undecidable.
Variant Narrowing and Equational Unification
In Proc. of WRLA 2008, ENTCS, 2009
Cited by 7 (5 self)
Abstract. Narrowing is a well-known complete procedure for equational E-unification when E can be decomposed as a union E = ∆ ⊎ B with B a set of axioms for which a finitary unification algorithm exists, and ∆ a set of confluent, terminating, and B-coherent rewrite rules. However, when B ≠ ∅, efficient narrowing strategies such as basic narrowing easily fail to be complete and cannot be used. This poses two challenges to narrowing-based equational unification: (i) finding efficient narrowing strategies that are complete modulo B under mild assumptions on B, and (ii) finding sufficient conditions under which such narrowing strategies yield finitary E-unification algorithms. Inspired by Comon and Delaune’s notion of E-variant for a term, we propose a new narrowing strategy called variant narrowing that has a search space potentially much smaller than full narrowing, is complete, and yields a finitary E-unification algorithm when E has the finite variant property. We furthermore identify a class of equational theories for which the finite bound ensuring the finite variant property can be effectively computed by a generic algorithm. We also discuss applications to the formal analysis of cryptographic protocols modulo the algebraic properties of the underlying cryptographic functions.
A formal theory of key conjuring
In Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF’07), 2007
Cited by 6 (3 self)
Research report, ISSN 0249-6399, ISRN INRIA/RR-6134-FR+ENG
Termination Modulo Combinations of Equational Theories
Cited by 6 (5 self)
Abstract. Rewriting with rules R modulo axioms E is a widely used technique in both rule-based programming languages and in automated deduction. Termination methods for rewriting systems modulo specific axioms E (e.g., associativity-commutativity) are known. However, much less seems to be known about termination methods that can be modular in the set E of axioms. In fact, current termination tools and proof methods cannot be applied to commonly occurring combinations of axioms that fall outside their scope. This work proposes a modular termination proof method based on semantics- and termination-preserving transformations that can reduce the proof of termination of rules R modulo E to an equivalent proof of termination of the transformed rules modulo a typically much simpler set B of axioms. Our method is based on the notion of variants of a term recently proposed by Comon and Delaune. We illustrate its practical usefulness by considering the very common case in which E is an arbitrary combination of associativity, commutativity, left- and right-identity axioms for various function symbols.
Normal proofs in intruder theories
In Revised Selected Papers of the 11th Asian Computing Science Conference (ASIAN’06), volume 4435 of Lecture Notes in Computer Science, 2008
Cited by 5 (2 self)
Abstract. Given an arbitrary intruder deduction capability, modeled as an inference system S, and a protocol, we show how to compute an inference system Ŝ such that the security problem for an unbounded number of sessions is equivalent to the deducibility of some message in Ŝ. Then, assuming that S has some subformula property, we lift such a property to Ŝ, thanks to a proof normalisation theorem. In general, for an unbounded number of sessions, this provides a complete deduction strategy. In the case of a bounded number of sessions, our theorem implies that the security problem is coNP-complete. As an instance of our result we get a decision algorithm for the theory of blind signatures, which, to our knowledge, was not known before.