In this paper we present an extension of Dolev-Yao models for security protocols with a notion of random polynomial-time (Las Vegas) computability. First we notice that Dolev-Yao models can be seen as transition systems, possibly infinite. We then extend these transition systems with computation

Keywords: Cryptographic protocols, random polynomial time, Dolev-Yao model, Markov de-cision processes. 1 Introduction Proving the security of cryptographic protocols has been a major concern ever since flaws werefirst discovered in some established protocols, the most well-known example being [20

We show that all attacks that can be mounted by a traditional Dolev-Yao intruder against common cryptographic protocols can be enacted by an apparently weaker `Machiavellian' adversary in which compromised principals will not share long-term secrets and will not send arbitrary messages. We

1 1 LORIA-INRIA-Universit'es Henri Poincar'e, Nancy 2

Automated tools such as model checkers and theorem provers for the analysis of security protocols typically abstract from cryptography by Dolev-Yao models, i.e., abstract term algebras replace the real cryptographic operations. Recently it was shown that in essence this approach

The Dolev{Yao model is a simple and useful framework in which to analyze security protocols, but it assumes an extremely limited adversary. It is unclear if the results of this model would remain valid were the adversary to be given additional power. In this work, we show that there exist

(usually, transition sys-tems) and models for control systems (differential or recurrent equations). To bind these two realms, we translate control systems into transition systems by means of an abstraction with variable time granularity and compose them with a channel model that is controlled by Dolev-Yao

terminating procedure to decide recognizability under the stan-dard Dolev-Yao model. By incorporating the proposed procedure with Athena, a well-know security protocol verifier, our experiments succeed in finding potential type flaw attacks.

Liveness properties do, in general, not hold in the Dolev-Yao attacker model, unless we assume that certain communica-tion channels are resilient, i.e. they do not lose messages. The resilient channels assumption can be seen as a fairness constraint for the Dolev-Yao attacker model. Here we study

logic, and it is proved semantically correct. We then apply our CFA to check security properties; in particular, we show that secrecy à la Dolev-Yao can be expressed in terms of the CFA.