Results 1  10
of
218
A calculus for cryptographic protocols: The spi calculus
 Information and Computation
, 1999
"... We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the ..."
Abstract

Cited by 898 (50 self)
 Add to MetaCart
(Show Context)
We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarsegrained notions of protocol equivalence.
Secrecy by Typing in Security Protocols
 Journal of the ACM
, 1998
"... We develop principles and rules for achieving secrecy properties in security protocols. Our approach is based on traditional classification techniques, and extends those techniques to handle concurrent processes that use sharedkey cryptography. The rules have the form of typing rules for a basic co ..."
Abstract

Cited by 273 (10 self)
 Add to MetaCart
(Show Context)
We develop principles and rules for achieving secrecy properties in security protocols. Our approach is based on traditional classification techniques, and extends those techniques to handle concurrent processes that use sharedkey cryptography. The rules have the form of typing rules for a basic concurrent language with cryptographic primitives, the spi calculus. They guarantee that, if a protocol typechecks, then it does not leak its secret inputs.
Higherorder logic programming
 HANDBOOK OF LOGIC IN AI AND LOGIC PROGRAMMING, VOLUME 5: LOGIC PROGRAMMING. OXFORD (1998
"... ..."
(Show Context)
The reflexive CHAM and the joincalculus
 IN PROCEEDINGS OF THE 23RD ACM SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES
"... By adding reflexion to the chemical machine of Berry and Boudol, we obtain a formal model of concurrency that is consistent with mobility and distribution. Our model provides the foundations of a programming language with functional and objectoriented features. It can also be seen as a process calc ..."
Abstract

Cited by 137 (0 self)
 Add to MetaCart
By adding reflexion to the chemical machine of Berry and Boudol, we obtain a formal model of concurrency that is consistent with mobility and distribution. Our model provides the foundations of a programming language with functional and objectoriented features. It can also be seen as a process calculus, the joincalculus, which we prove equivalent to the picalculus of Milner, Parrow and Walker.
A Probabilistic PolyTime Framework for Protocol Analysis
, 1998
"... We develop a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomialtime processes. In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard rel ..."
Abstract

Cited by 114 (6 self)
 Add to MetaCart
We develop a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomialtime processes. In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. Using an asymptotic notion of probabilistic equivalence, we relate observational equivalence to polynomialtime statistical tests and discuss some example protocols to illustrate the potential of this approach.
The πcalculus as a theory in linear logic: Preliminary results
 3rd Workshop on Extensions to Logic Programming, LNCS 660
, 1993
"... The agent expressions of the πcalculus can be translated into a theory of linear logic in such a way that the reflective and transitive closure of πcalculus (unlabeled) reduction is identified with “entailedby”. Under this translation, parallel composition is mapped to the multiplicative disjunct ..."
Abstract

Cited by 113 (18 self)
 Add to MetaCart
(Show Context)
The agent expressions of the πcalculus can be translated into a theory of linear logic in such a way that the reflective and transitive closure of πcalculus (unlabeled) reduction is identified with “entailedby”. Under this translation, parallel composition is mapped to the multiplicative disjunct (“par”) and restriction is mapped to universal quantification. Prefixing, nondeterministic choice (+), replication (!), and the match guard are all represented using nonlogical constants, which are specified using a simple form of axiom, called here a process clause. These process clauses resemble Horn clauses except that they may have multiple conclusions; that is, their heads may be the par of atomic formulas. Such multiple conclusion clauses are used to axiomatize communications among agents. Given this translation, it is nature to ask to what extent proof theory can be used to understand the metatheory of the πcalculus. We present some preliminary results along this line for π0, the “propositional ” fragment of the πcalculus, which lacks restriction and value passing (π0 is a subset of CCS). Using ideas from prooftheory, we introduce coagents and show that they can specify some testing equivalences for π0. If negationasfailuretoprove is permitted as a coagent combinator, then testing equivalence based on coagents yields observational equivalence for π0. This latter result follows from observing that coagents directly represent formulas in the HennessyMilner modal logic. 1
A Bisimulation Method for Cryptographic Protocols
, 1998
"... We introduce a definition of bisimulation for cryptographic protocols. The definition includes a simple and precise model of the knowledge of the environment with which a protocol interacts. Bisimulation is the basis of an effective proof technique, which yields proofs of classical security properti ..."
Abstract

Cited by 89 (5 self)
 Add to MetaCart
We introduce a definition of bisimulation for cryptographic protocols. The definition includes a simple and precise model of the knowledge of the environment with which a protocol interacts. Bisimulation is the basis of an effective proof technique, which yields proofs of classical security properties of protocols and also justifies certain protocol optimizations. The setting for our work is the spi calculus, an extension of the pi calculus with cryptographic primitives. We prove the soundness of the bisimulation proof technique within the spi calculus.
A Concurrent Object Calculus: Reduction and Typing
 HLCL'98 TO APPEAR
, 1998
"... We obtain a new formalism for concurrent objectoriented languages by extending Abadi and Cardelli's imperative object calculus with operators for concurrency from thecalculus and with operators for synchronisation based on mutexes. Our syntax of terms is extremely expressive; in a precise sen ..."
Abstract

Cited by 87 (4 self)
 Add to MetaCart
We obtain a new formalism for concurrent objectoriented languages by extending Abadi and Cardelli's imperative object calculus with operators for concurrency from thecalculus and with operators for synchronisation based on mutexes. Our syntax of terms is extremely expressive; in a precise sense it unifies notions of expression, process, store, thread, and configuration. We present a chemicalstyle reduction semantics, and prove it equivalent to a structural operational semantics. We identify a deterministic fragment that is closed under reduction and show that it includes the imperative object calculus. A collection of type systems for objectoriented constructs is at the heart of Abadi and Cardelli's work. We recast one of Abadi and Cardelli's firstorder type systems with object types and subtyping in the setting of our calculus and prove subject reduction. Since our syntax of terms includes both stores and running expressions, we avoid the need to separate store typing from typing of expressions. We translate asynchronous communication channels and the choicefree asynchronouscalculus into our calculus to illustrate its expressiveness; the types of readonly and writeonly channels are supertypes of readwrite channels.
Secure Implementation of Channel Abstractions
, 2000
"... Communication in distributed systems often relies on useful abstractions such as channels, remote procedure calls, and remote method invocations. The ..."
Abstract

Cited by 81 (25 self)
 Add to MetaCart
Communication in distributed systems often relies on useful abstractions such as channels, remote procedure calls, and remote method invocations. The
The Join Calculus: A Language for Distributed Mobile Programming
 In Proceedings of the Applied Semantics Summer School (APPSEM), Caminha
, 2000
"... In these notes, we give an overview of the join calculus, its semantics, and its equational theory. The join calculus is a language that models distributed and mobile programming. It is characterized by an explicit notion of locality, a strict adherence to local synchronization, and a direct emb ..."
Abstract

Cited by 76 (2 self)
 Add to MetaCart
In these notes, we give an overview of the join calculus, its semantics, and its equational theory. The join calculus is a language that models distributed and mobile programming. It is characterized by an explicit notion of locality, a strict adherence to local synchronization, and a direct embedding of the ML programming language. The join calculus is used as the basis for several distributed languages and implementations, such as JoCaml and functional nets.