## Proof Techniques for Cryptographic Processes (1999)


Venue: in 14th Annual IEEE Symposium on Logic in Computer Science

Citations: 63 - 8 self

### BibTeX

@INPROCEEDINGS{Boreale99prooftechniques,

author = {Michele Boreale and Rocco De Nicola and Rosario Pugliese},

title = {Proof Techniques for Cryptographic Processes},

booktitle = {in 14th Annual IEEE Symposium on Logic in Computer Science},

year = {1999},

pages = {157--166},

publisher = {Society Press}

}

### Abstract

Contextual equivalences for cryptographic process calculi, like the spi-calculus, can be used to reason about correctness of protocols, but their definition suffers from quantification over all possible contexts. Here, we focus on two such equivalences, namely may-testing and barbed equivalence, and investigate tractable proof methods for them. To this aim, we design an enriched labelled transition system, where transitions are constrained by the knowledge the environment has of names and keys. The new transition system is then used to define a trace equivalence and a weak bisimulation equivalence, that avoid quantification over contexts. Our main results are soundness and completeness of trace and weak bisimulation equivalence with respect to may-testing and barbed equivalence, respectively. They lead to more direct proof methods for equivalence checking. The use of these methods is illustrated with a few examples, concerning implementation of secure channels and verification of proto...

### Citations

3360 | Communication and Concurrency
- Milner
- 1989
Citation Context ...ions of the new trace preorder, , and of the new bisim0 ulation equivalence, , remain formally unchanged. It is 0 not difficult to prove that coincides with < , and, for 0 image-finite processes (see [12]), that coincides with =. We omit the details and state: Theorem 3.8 Let 1 2. Then ( 1; 2) ` P 0 Q iff ( 1; 2) ` P < Q. For image-finite processes P and Q, ( 1; 2) ` P 0 Q iff ( 1; 2) ` P = Q. For the...

1048 | A Calculus of Mobile Processes
- Milner, Parrow, et al.
- 1992
Citation Context ...us on a specific approach, which aims at modelling protocols as concurrent processes, described as terms of a process calculus (e.g. the spi-calculus [7, 5], a cryptographic version of the π-calculus [17]). As an example, consider the very simple protocol where two principals A and B share a private key k, and A wants to send B a datum d encrypted under k, through a public channel c: Message 1 A → B: ...

815 | A calculus for cryptographic protocols: The spi calculus
- Abadi, Gordon
- 1999
Citation Context ... out the analysis with it. Of course, there is always a certain amount of arbitrarity in determining the attacker; any modification of the attacker would require a new analysis. In our paper, like in [7], a more radical approach is taken: the attacker may be any process that can be defined in spi-calculus. In [2], Abadi presents an approach to secrecy that combines the spi-calculus and the use of ...

635 | Breaking and fixing the Needham-Schroeder public-key protocol using FDR
- Lowe
- 1996
Citation Context ...ng. Finally, as shown in Example 6.2, framed bisimulation is not complete for barbed equivalence. The process algebraic approach to cryptographic protocols has also been followed by Roscoe [19], Lowe [14] and Schneider [22], that consider model-checking of security protocols in a CSP-based framework. This approach requires explicitly designing a specific (powerful enough) attacker and carrying out the...

430 | Testing Equivalence for Processes
- Nicola, Hennessy
- 1984
Citation Context ...nuing with the example above, a way of asserting that P(d) keeps d secret is requiring that P(d) be equivalent to P(d′), for every other d′. An appropriate notion of equivalence is may-testing [11, 8, 7]; its intuition is precisely that no external context (which in the present setting can be read as ‘attacker’) may notice any difference when running in parallel with P(d′) or P(d). A similar intu...

278 | The Polyadic π-calculus: a tutorial
- Milner
- 1991
Citation Context ...ntraction’, permits to discard environments entries that give redundant information, while a third one, ‘up to structural congruence’, permits freely identifying processes up to structural congruence [13]. Due to lack of space, we omit formal definitions of these techniques. It can be proven that each ‘bisimulation up-to’ defined above, and any combination of them2, is included in . We shall see an exa...

253 | Secrecy by typing in security protocols
- Abadi
- 1999
Citation Context ... any modification of the attacker would require a new analysis. In our paper, like in [7], a more radical approach is taken: the attacker may be any process that can be defined in spi-calculus. In [2], Abadi presents an approach to secrecy that combines the spi-calculus and the use of type systems: the idea is that a process P(d) that type-checks guarantees secrecy of d (in a sense made precise v...

230 | Barbed bisimulation
- Sangiorgi, Milner
- 1992
Citation Context ...etting can be read as ‘attacker’) may notice any difference when running in parallel with P(d′) or P(d). A similar intuition is supported by other contextual equivalences, like barbed equivalence [18]. While rigorous and intuitive, the definitions of these equivalences suffer from universal quantification over contexts (attackers), that makes equivalence checking very hard. It is then important to...

181 | The polyadic π-calculus: A tutorial
- Milner
- 1991
Citation Context ...a few basic ingredients for the proofs of soundness and completeness, which we list below. First, it is technically convenient to introduce a notion of structural equivalence, ≡, in the same vein of [16]. Definition 4.1 (structural equivalence) Structural equivalence is the least equivalence relation ≡ over processes that is preserved by parallel composition and restriction, and satisfies the structu...

114 | A probabilistic polytime framework for protocol analysis
- Lincoln, Mitchell, et al.
- 1998
Citation Context ...is prevents the attacker from, for example, randomly guessing some bits of a secret key, or performing statistical analysis of messages. A first step towards relaxing this hypothesis has been made in [13], where probabilistic versions of the spi-calculus and of testing equivalence are introduced. Further research is required for a fuller understanding of these notions and for devising techniques to re...

85 | A bisimulation method for cryptographic protocols
- Abadi, Gordon
- 1998
Citation Context ...e 4: Some congruence rules for ≪ and ≈. (b) there are i ∈ I and a tupleej ⊆ I such that: Ó ζσ = {Ni}eN[ej ] andd ζσ ′ = {N ′ i }fN ′ [ej ] . We end this subsection with a small example (borrowed from [6]) that shows the use of our congruence laws. Example 5.5 Let us consider the processes P def = (ν k)c{d}k. c(x). [x = k]c{d}k and Q def = (ν k)c{d}k. c(x). Process P creates a private key k, sends d e...

85 | On the Bisimulation Proof Method
- Sangiorgi
- 1998
Citation Context ...metimes preferable because it embodies a notion of fairness and is supported by a nice, purely coinductive proof technique. The latter can be enhanced by tailoring, as we do, some ‘up-to’ techniques [21, 10] to the cryptographic setting. Another advantage of our semantics are the congruence rules that make compositional proofs possible. The use of trace and bisimulation semantics as proof techniques is i...

83 | Verifying Authentication Protocols in CSP
- Schneider
- 1998
Citation Context ...ing formal methods for analysing cryptographic protocols. Here, we focus on a specific approach, which consists in modelling them as concurrent processes, described in some process calculus (like CSP [11, 17] or the spi-calculus [3, 4], a cryptographic version of the π-calculus [14]). As an example, consider the very simple protocol where two principals A and B share a private key k, and A wants to send B a datu...

81 | Secure implementation of channel abstractions
- Abadi, Fournet, et al.
- 1998
Citation Context ...e of trace and bisimulation semantics as proof techniques is illustrated with a few examples; some of them concern the problem of implementing secure channels using encrypted public channels (like in [4]). Some of the equalities we establish are hard and lengthy to prove if relying on the original, contextual definitions (see, e.g., the secure channel implementations in Section 5). The rest of the pa...

80 | Protection in programming-language translations
- Abadi
- 1998
Citation Context ...ing and then (C-Res). 5.2 Secure channels implementation In the following examples, we show the use of our framework for proving security properties of communication protocols. In the same vein of [1, 4], the idea is that of implementing communication on secure (private) channels by means of encrypted communication on public channels. Let us consider the π-calculus process: P def = (ν c)(cd | c(z). R...

68 | On bisimulations for the asynchronous π-calculus
- Amadio, Castellani, et al.
- 1998
Citation Context ...o a class of processes that have an image-finiteness property (defined below). This property makes the proof relatively simple (and not far from, e.g., the proof for asynchronous bisimilarity given in [3]). On the other hand, the class of processes enjoying the property is broad enough to ensure that ≈ is a fairly general proof technique. At present, we do not know whether the proof can be extended to...

65 | On bisimulations for the asynchronous π-calculus
- Amadio, Castellani, et al.
- 1996

65 | Testing equivalence for mobile processes
- Boreale, Nicola
- 1995
Citation Context ...nuing with the example above, a way of asserting that P(d) keeps d secret is requiring that P(d) be equivalent to P(d′), for every other d′. An appropriate notion of equivalence is may-testing [11, 8, 7]; its intuition is precisely that no external context (which in the present setting can be read as ‘attacker’) may notice any difference when running in parallel with P(d′) or P(d). A similar intu...

52 | Reasoning about cryptographic protocols in the Spi calculus
- Abadi, Gordon
- 1997
Citation Context ...or analysing cryptographic protocols. Here, we focus on a specific approach, which aims at modelling protocols as concurrent processes, described as terms of a process calculus (e.g. the spi-calculus [7, 5], a cryptographic version of the π-calculus [17]). As an example, consider the very simple protocol where two principals A and B share a private key k, and A wants to send B a datum d encrypted under ...

28 | Bisimulation in name-passing calculi without matching
- Boreale, Sangiorgi
- 1998
Citation Context ...metimes preferable because it embodies a notion of fairness and is supported by a nice, purely coinductive proof technique. The latter can be enhanced by tailoring, as we do, some ‘up-to’ techniques [21, 10] to the cryptographic setting. Another advantage of our semantics are the congruence rules that make compositional proofs possible. The use of trace and bisimulation semantics as proof techniques is i...

7 | Modelling and verifying key-exchange using CSP and FDR
- Roscoe
Citation Context ...their setting. Finally, as shown in Example 6.2, framed bisimulation is not complete for barbed equivalence. The process algebraic approach to cryptographic protocols has also been followed by Roscoe [19], Lowe [14] and Schneider [22], that consider model-checking of security protocols in a CSP-based framework. This approach requires explicitly designing a specific (powerful enough) attacker and carry...

7 | Proof Techniques for CCS
- Sanderson
Citation Context ...σ ′ 2 ) ≤ i and (σ′ 1 , σ′ 2 ) ⊢ P ′ ≈i−1 Q ′, and the converse on the transitions of Q and P . We let ≈ω def = ∩i≥0 ≈i. ✸ The following is a variation on a standard result for bisimulation (see e.g. [15, 20]). Lemma 4.20 Let P and Q be structurally image-finite processes. Then (σ1, σ2) ⊢ P ≈ Q if and only if (σ1, σ2) ⊢ P ≈ω Q. We show now that ∼ = implies ≈ω, from which completeness of ≈ for structurally...

7 | A filter model for mobile processes
- Damiani, Dezani-Ciancaglini, et al.
Citation Context ...to the analysis of security properties has been first discussed by Abadi and Gordon in [3]. May-testing was originally introduced for CCS in [9], and subsequently studied for the π-calculus in [6]; in [8] a precise relationship is established for may-testing between the notions of observer and intersection type. Acknowledgments We would like to thank the anonymous referees for helpful comments. Discus...

5 | A Probabilistic Poly-Time Framework for
- Lincoln, Mitchell, et al.
- 1998

2 | Towards Automatic Bisimilarity Checking
- Elkjaer, Höhle, et al.
- 1999
Citation Context ...finite-control processes, finitely many. In the case of [6], one must also build a new frame-theory pair that relates N to M and consistently extends the old one: this might be not completely trivial [12]. Moreover, in [6] there seems to be very few tools for compositional reasoning (congruence laws) and no obvious way of tailoring the ‘up to’ techniques to their setting. Finally, as shown in Example ...