## A calculus for cryptographic protocols: The spi calculus (1999)

Venue: Information and Computation

Citations: 815 (55 self)

### BibTeX

@ARTICLE{Abadi99acalculus,
    author = {Martin Abadi and Andrew D. Gordon},
    title = {A calculus for cryptographic protocols: The spi calculus},
    journal = {Information and Computation},
    year = {1999},
    volume = {148},
    pages = {36--47}
}

### Abstract

We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarse-grained notions of protocol equivalence.

### Citations

3360 | Communication and Concurrency - Milner - 1989 |

Citation Context: ...s of the process. Channels may be restricted, so that only certain processes may communicate on them. In this respect the pi calculus is similar to earlier process calculi such as CSP [Hoa85] and CCS [Mil89]. What sets the pi calculus apart from earlier calculi is that the scope of a restriction -- the program text in which a channel may be used -- may change during computation. When a process sends a restrict...

3136 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems - Rivest, Shamir, et al. - 1978 |

2904 | New Directions in Cryptography - Diffie, Hellman - 1976 |

1200 | A Logic of Authentication - Burrows, Abadi, et al. - 1989 |

Citation Context: ...ended implementations of those protocols (see, e.g., [NS78, Lie93]). Their main shortcoming is that they do not provide a precise and solid basis for reasoning about protocols. Other notations (e.g., [BAN89]) are more formal, but their relation to implementations may be more tenuous or subtle. The spi calculus is a middle ground: it is directly executable and it has a precise semantics. Because the seman...

1109 | On the security of public key protocols - Dolev, Yao - 1983 |

916 | Using encryption for authentication in large networks of computers - Needham - 1978 |

841 | Applied Cryptography: Protocols, Algorithms and Source Code in C - Schneier - 1996 |

Citation Context: ... the properties that it is very expensive to recover an input from its image or to find two inputs with the same image. Functions such as SHA and RIPE-MD are generally believed to have these properties [Sch94]. When we represent hash functions in the spi calculus, we pretend that operations that are very expensive are altogether impossible. We simply add a construct to the syntax of terms of the spi calcul...

635 | Breaking and fixing the Needham-Schroeder public-key protocol using FDR - Lowe - 1996 |

480 | The chemical abstract machine - Berry, Boudol - 1992 |

Citation Context: ...ses. 4.1 The Reaction Relation. The reaction relation is a concise account of computation in the pi calculus introduced by Milner [Mil92], inspired by the Chemical Abstract Machine of Berry and Boudol [BB90]. One thinks of a process as consisting of a chemical solution of molecules waiting to react. A reaction step arises from the interaction of the adjacent molecules $\overline{m}\langle N\rangle.P$ and $m(x).Q$, as follows: (Reac...

463 | Authentication in distributed systems: Theory and practice - Lampson, Abadi, et al. - 1992 |

430 | Testing Equivalence for Processes - Nicola, Hennessy - 1984 |

Citation Context: ... on the set Proc of closed processes: $P \sqsubseteq Q \triangleq$ for any test $(R, \beta)$, if $(P \mid R) \Downarrow \beta$ then $(Q \mid R) \Downarrow \beta$; $P \simeq Q \triangleq P \sqsubseteq Q$ and $Q \sqsubseteq P$. The idea of testing equivalence comes from the work of De Nicola and Hennessy [DH84]. In that work, tests are processes that contain the distinguished name $\omega$ (instead of being parameterised by a barb $\beta$). This is only a superficial difference, and we can show that our relation $\simeq$ is a ver...

372 | A calculus for access control in distributed systems - Abadi, Burrows, et al. - 1993 |

370 | Prudent engineering practice for cryptographic protocols - Abadi, Needham - 1996 |

Citation Context: ...ce must not have been used before for this purpose. Obviously the nonce is not secret, but it must be unpredictable (for otherwise an attacker could simulate a challenge and later replay the response [AN96]). In Message 3, A says that A and B can communicate under $K_{AB}$, sometime after receipt of $N_S$. All the components A, B, $K_{AB}$, $N_S$ appear explicitly in the message, for safety [AN96], but A could p...

330 | Functions as processes - Milner - 1992 |

Citation Context: ...ree names.) The set $Proc = \{P \mid fv(P) = \emptyset\}$ is the set of closed processes. 4.1 The Reaction Relation. The reaction relation is a concise account of computation in the pi calculus introduced by Milner [Mil92], inspired by the Chemical Abstract Machine of Berry and Boudol [BB90]. One thinks of a process as consisting of a chemical solution of molecules waiting to react. A reaction step arises from the inte...

266 | New directions in cryptography - Diffie, Hellman - 1976 |

266 | Expressing Mobility in Process Algebras: First-Order and Higher-Order Paradigms - Sangiorgi - 1992 |

Citation Context: ...arbed congruence coincides with strong bisimilarity [MS92]. On the other hand, the spi calculus is like the higher-order pi calculus where strong bisimilarity is finer-grained than barbed congruence [San92]. Thirdly, testing equivalence does not imply barbed congruence. Setting :P = (m)(mhi j m(x):P ) for m =2 fn(P ), x =2 fv (P ), we obtain the testing equivalence P ' :P . (We prove this equivale...

246 | Typing and Subtyping for Mobile Process - Pierce, Sangiorgi - 1996 |

Citation Context: ...$\{\vec{n}\}$ are not free in P. This completes the proof of part (3). □ Intuitively, part (3) states that any reaction of !P can be obtained from two copies of P running in parallel. As Pierce and Sangiorgi [PS93] have remarked, we can strengthen part (3) to require only one copy of P, but this stronger property would fail for an extended language with a choice construct. The claim with two copies would remai...

230 | Barbed bisimulation - Sangiorgi, Milner - 1992 |

Citation Context: ... defines the commitment relation, providing in particular a characterisation of the reaction relation. Section 5.2 reviews the notions of strong bisimulation, barbed equivalence, and barbed congruence [MS92]. Finally, Section 5.3 introduces the underpinning relation and shows its use for proofs of secrecy. In order to prove a testing equivalence directly, we need to consider arbitrary tests and arbitrary...

219 | Provably secure session key distribution -- the three party case - Bellare, Rogaway - 1995 |

Citation Context: ...epresentation of security properties, both integrity and secrecy, as equivalences. Our model of protocols is simpler, but poorer, than some models developed for informal mathematical arguments (e.g., [BR95]) because the spi calculus does not include any notion of probability or complexity. It would be interesting to bridge the gap between the spi calculus and those models, perhaps by giving a probabilis...

197 | A calculus of mobile processes, part - Milner, Parrow, et al. - 1992 |

Citation Context: ...1 Security and the Pi Calculus. The spi calculus is an extension of the pi calculus [MPW92] with cryptographic primitives. It is designed for the description and analysis of security protocols, such as those for authentication and for electronic commerce. These protocols rely on cryptograph...

124 | Bisimilarity as a theory of functional programming - Gordon |

Citation Context: ...tible refinement c R be the relation on open processes given by the rules in Figure 3. Lemma 33 Suppose that R is a preorder. Then R is a precongruence (closed under arbitrary contexts) iff c R R. See [Gor95] for the proof of a similar proposition. Lemma 34 The open extension of testing equivalence, ' , is a congruence. Proof Since v is clearly a preorder, it suffices to show that c v v . Given tw...

119 | Security Properties and CSP - Schneider - 1996 |

112 | The Interrogator: protocol security analysis - Millen, Clark, et al. - 1987 |

88 | Applying formal methods to the analysis of a key management protocol - Meadows - 1992 |

85 | On the Bisimulation Proof Method - Sangiorgi - 1998 |

Citation Context: ... up to , then S . Proof We prove the proposition using a generalisation of the standard technique [MPW92]; an alternative would be to use the modular framework recently developed by Sangiorgi [San94]. We construct a relation S larger than S and show that S is a barbed bisimulation. The relation S is defined by: S 0 = S S k+1 = f((m)P; (m)Q) j P S k Q;m is any nameg S = [ k<! ( ...

66 | An attack on the Needham-Schroeder public key protocol - Lowe - 1995 |

65 | Testing equivalence for mobile processes - Boreale, Nicola - 1995 |

Citation Context: ... to the choice of language. Two processes that are testing equivalent in our calculus may not be testing equivalent after new constructs are added to the calculus. As Boreale and De Nicola have shown [BN95], testing equivalence becomes finer-grained in the presence of a mismatch construct ([M is not N ] P ). Our calculus does not include a mismatch construct because we have not found a need for it in writ...

62 | Analysing Encryption Protocols Using Formal Verification Techniques - Kemmerer - 1989 |

32 | Authentication in distributed systems: A bibliography - Liebl - 1993 |

32 | The Interrogator model - Millen - 1995 |

29 | Using temporal logic to specify and verify cryptographic protocols (progress report) - Gray, McLean - 1995 |

7 | The π-calculus. Undergraduate lecture notes - Milner - 1995 |

Citation Context: ...MPW92]) is not based on the notion of reaction, but rather on a labelled transition system. Here we define a labelled-transition semantics for the spi calculus, imitating Milner's recent lecture notes [Mil95b]. Despite differences in style, this semantics is essentially equivalent to the one of Section 4, so it can be used in proofs about that semantics. We need some new syntactic forms. An abstraction is a...

3 | On two proposals for on-line bankcard payments using open networks: Problems and solutions - Mao - 1996 |

Citation Context: ...ulty in writing other kinds of examples, such as protocols for electronic commerce. Unfortunately, the specifications for those protocols do not yet seem to be fully understood, even in informal terms [Mao96]. In both the pi calculus and the spi calculus, restriction and scope extrusion play a central role. The pi calculus provides an abstract treatment of channels, while the spi calculus expresses the cr...