• Aucun résultat trouvé

Explicit Randomness is not Necessary when Modeling Probabilistic Encryption

N/A
N/A
Protected

Academic year: 2021

Partager "Explicit Randomness is not Necessary when Modeling Probabilistic Encryption"

Copied!
16
0
0

Texte intégral

(1)

HAL Id: inria-00078825

https://hal.inria.fr/inria-00078825v2

Submitted on 8 Jun 2006

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

Explicit Randomness is not Necessary when Modeling

Probabilistic Encryption

Véronique Cortier, Heinrich Hördegen, Bogdan Warinschi

To cite this version:

Véronique Cortier, Heinrich Hördegen, Bogdan Warinschi. Explicit Randomness is not Necessary

when Modeling Probabilistic Encryption. [Research Report] RR-5928, INRIA. 2006, pp.12.

�inria-00078825v2�

(2)

inria-00078825, version 2 - 8 Jun 2006

a p p o r t

d e r e c h e r c h e

IS

S

N

0

2

4

9

-6

3

9

9

IS

R

N

IN

R

IA

/R

R

--5

9

2

8

--F

R

+

E

N

G

Thèmes COM et SYM

INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

Explicit Randomness is not Necessary when

Modeling Probabilistic Encryption

Véronique Cortier — Heinrich Hördegen — Bogdan Warinschi

N° 5928

(3)
(4)

Unité de recherche INRIA Lorraine

LORIA, Technopôle de Nancy-Brabois, Campus scientifique,

615, rue du Jardin Botanique, BP 101, 54602 Villers-Lès-Nancy (France)

Téléphone : +33 3 83 59 30 00 — Télécopie : +33 3 83 27 83 19

En ryption

Véronique Cortier, Heinri hHördegen ,Bogdan Warins hi ThèmesCOMetSYMSystèmes ommuni antsetSystèmessymboliques

ProjetCassis

Rapportdere her he n°5928 Juin200612pages

Abstra t: Although good en ryption fun tionsare probabilisti ,mostsymboli modelsdo not apturethis aspe t expli itly. A typi al solution, re ently used to prove the soundness of su h models with respe t to omputationalones,istoexpli itlyrepresentthedependen yof iphertextsonrandom oinsaslabels.

Inordertomaketheselabel-basedmodelsuseful,itseemsnaturaltotrytoextendtheunderlying de ision pro edures andthe implementation of existing tools. Inthis paperwe put forth amorepra ti al alternative basedonthefollowingsoundnesstheorem. Weprovethatforalarge lassofse urityproperties(thatin ludes ratherstandardformulationsforse re yandauthenti ityproperties),se urityofproto olsinthesimplermodel impliesse urityin thelabel-basedmodel. Combinedwiththesoundnessresultof (?) ourtheoremenablesthe translationofse urityresultsin unlabeledsymboli modelsto omputationalse urity.

(5)

représentation expli ite de l'aléa

Résumé : Bien que de nombreusesfon tions ryptographiquessoient probabilistes, la plupart de modèles symboliquesne prennent pasexpli itementen ompte etaspe t. Pourprouverla orre tionde es modèles parrapportauxmodèles omputationnels,ilestpourtantsouventné essairedereprésenterexpli itementl'aléa utilisédansle hirement,àl'aideparexempled'étiquettes.

Ilsemble alorsné essaire d'étendreles pro édures de dé isionsous-ja entes et l'implémentation desoutils existantsauxmodèlesbaséssurdesétiquettes. Dans etarti le,nousproposonsunealternativepluspratique, baséesurlethéorèmede orre tionsuivant. Nousprouvonsque,pourunegrande lassedepropriétésdesé urité ( omme lespropriétésstandardsdese retetd'authenti ation),lasé uritédeproto olesdansunmodèlesans étiquettesimplique lasé urité danslesmodèlesave étiquettes. En ombinaisonave lerésultatde orre tion de (?), notre théorèmepermet de transférerles résultatsde sé uritédes modèles symboliquessans étiquettes verslasé urité omputationnelle.

(6)

1 INTRODUCTION

Designers of mathemati almodels for omputational systemsneedto ndappropriatetrade-os betweentwo seemingly ontradi tory requirements. Automati veri ation (and thus usability) typi ally requires a high levelof abstra tion whereas predi tiona ura y requires ahigh level ofdetails. >From this perspe tive, the useofsymboli modelsforse urityanalysisisparti ularlydeli atesin eitseemsthattheinherenthighlevelof abstra tion at whi h su h modelsoperateis notableto aptureallaspe ts thatarerelevantto se urity. This paper is on erned with oneparti ular su h aspe t, namely the use of randomization in the onstru tion of ryptosystems[GoldwasserandMi ali,1984℄.

A entralfeatureofthe omputational, omplexity-basedmodelsistheabilityto aptureandreasonexpli itly abouttheuseof randomness. Moreover,randomnessis essentialto a hieveanymeaningfulnotionofse urity for en ryption. In ontrast, symboli models rarely represent randomness dire tly. For example, a typi al representationfortheen ryptionofmessage

m

underthepubli keyofentity

B

istheterm

{m}

ek(B)

. Noti ethat thesymboli representationdoesnot apturethedependen yontherandomnessusedtogeneratethis iphertext. Whilethisabstra tionmaybesu ientlya uratein ertainsettings[Mi ian ioandWarins hi,2004℄,insome othersettings itisnotsu ient.

Considerthefollowingowin sometoyproto ol:

A → B : {m}

ek(B)

, {{m}

ek(B)

}

ek(B)

To implement this ow, ea h o urren e of

{m}

ek(B)

is mapped to a iphertext. Noti e however that the pi torialdes riptiondoesnotspe ifyifthetwoo urren esof

{m}

ek(B)

areequal( reatedwithidenti al oins) or dierent ( reated with dierent oins). In ri h enough proto ol spe i ation languages disambiguating onstru ts as above an be easily done. For instan e, in a language that has expli it assignments, the two dierentinterpretationfortherstmessageoftheproto ol anbeobtainedas

x := {m}

ek(B)

; send(x, {x}

ek(B)

)

and

send({m}

ek(B)

, {{m}

ek(B)

}

ek(B)

)

Here,ea hdistin to urren eof

{m}

ek(B)

isinterpretedwithdierentrandomness. Otherapproa hesadopta more dire t solution and represent the randomness used for en ryption expli itly[Herzog,2004,AbadiandJürjens,2001,Lowe,2004,CortierandWarins hi,2005℄. Ifwewrite

{m}

l

ek(B)

fortheen ryptionof

m

under thepubli keyof

B

withrandom oins

l

,thetwodierentinterpretationsofthe oware:

send({m}

l

1

ek(B)

, {{m}

l

1

ek(B)

}

l

2

ek(B)

)

and

send({m}

l

1

ek(B)

, {{m}

l

2

ek(B)

}

l

3

ek(B)

)

Amodelthatemployslabelsto apturetherandomnessusedin iphertexts(andsignatures)hasre entlybeen used to establish soundness of symboli analysis with respe t to omputational models[CortierandWarins hi,2005℄. Theirresultsarebasedonanemulationlemma: forproto olexe utions, every omputational tra e an be mapped to a valid symboli tra e. The mappingis then used to translate se uritypropertiesthatholdinthesymboli modelto omputationalanalogues.Thenextsteptowardsmaking thesoundnessresultrelevanttopra ti eis to arryoutthese urityproofsusingsome(semi-)automatedtools forthesymboli model.

However, to the best of our knowledge, none of the popular tools (ProVerif [Blan het,2001℄, CASPER [Lowe,1997a℄, Athenta [Song,1999℄, AVISPA [Armando etal.,2005℄), oers apabilities for auto-mati allyreasoninginmodelsthatuselabels. Thereareatleasttwosolutionstothisproblem. Onepossibility istoenhan ethesymboli modelsthatunderlieexistingtools. Unfortunatelysu hamodi ationwould proba-bly requiresigni anteortthatinvolvesadaptingexisting de isionpro edures,provingtheir orre tness,and verifyingandmodifyingthousandsoflinesof ode.

Inthispaperweputforthand larifyanalternativesolution,usedimpli itlyin[CortierandWarins hi,2005℄. Theideaistokeepexistingtoolsun hanged,usetheirunderlying(unlabeled)modeltoprovese urityproperties, and thenshowthattheresultsarein fa tmeaningfulforthemodelwithlabels. Themainresultofthispaper isto provethatforalarge lassofse uritypropertiestheapproa hthat weproposeisindeed feasible.

Weare urrently implementing anAVISPA module for omputationallysound automati proofsbasedon theresultsofthispaper.

Results. We onsider the proto ol spe i ation language and the exe ution model developed in [CortierandWarins hi,2005℄. The languageis for proto ols that use random non es, publi key en ryp-tionanddigitalsignatures,anduseslabelstomodeltherandomnessusedbytheseprimitives. Toea hproto ol

(7)

Π

withlabels,wenaturallyasso iateaproto ol

Π

obtainedbyerasingalllabels,andextendthetransformation toexe utiontra es. Toea htra e

tr

of

Π

weasso iateatra e

tr

obtainedbyerasinglabelsandweextendthis mappingtosetsoftra es. Therst ontributionofthispaperisaproofthatthetransformationissound. More pre isely weprovethat if

tr

is avalid tra eof

Π

(obtained by Dolev-Yao operations)then

tr

is avalid tra e of

Π

. Importantly,thisresultreliesonthefa tthat thespe i ationlanguagethatwe onsiderdoesnotallow equality tests between iphertexts. Webelievethat asimilar result holdsfor most(if not all)proto ol spe i- ation languagesthat satisfythe above ondition. The languageforspe ifying proto ols (with and without labels)aswellastherelationbetweentheirasso iatedexe utionmodelsarein Se tion2.

InSe tion3wegivetwologi s,

L

l

1

and

L

1

,thatweusetoexpressse uritypropertiesforproto olswithand withoutlabels,respe tively. Informally,theformulasof

L

1

areobtainedbyremovingthelabelsfromformulas of

L

l

1

. Bothlogi sarequiteexpressive.Forexample,it anbeusedtoexpressstandardformulationsforse re y and authenti ityproperties.

Next we fo us ourattention ontranslatingse urity properties betweenthetwomodels. First,noti e that themappingbetweenthemodelwithandthatwithoutlabelsisnotfaithfulsin eitloosesinformationregarding inequalityof iphertexts. Toformalizethisintuitionwegiveaproto ol

Π

andaformula

φ

su hthat

Π

satises

φ

(theformulathat orrespondsto

φ

inthemodelwithoutlabels),butforwhi h

Π

doesnotsatisfy

φ

. Anti ipating, ourexampleindi atesthatthesour eofproblemsisthat

φ

may ontainequalitytestsbetween iphertexts,and su htestsmaynotbetranslatedfaithfully. The ounterexampleisinSe tion 4.

Themainresultof thepaperisasoundness theorem. Weshowthat foralarge lassofse urityproperties itispossibleto arryouttheproofinthemodelwithoutlabelsandinferse uritypropertiesinthemodelwith labels. More pre isely, we identify

L

l

2

and

L

2

, fragmentsof

L

l

1

and

L

1

respe tively, su h that the following theorem holds.

Consideranarbitrary proto ol

Π

andformula

φ

in

L

l

2

. Let

φ

beaformulain

L

2

obtainedbyerasing the labelsthato urin

φ

. Then,itholds that:

Π |= φ =⇒ Π |= φ

The logi s

L

l

2

and

L

2

are still expressive enough to ontain the se re y and authenti ation formulas. The theorem anditsproofarein inSe tion 4.

2 PROTOCOL

In this se tion we provide the syntax of proto ols with labels. The presentation is adapted from [CortierandWarins hi,2005℄. The spe i ation language is similar to the one of Casrul[Rusinowit h andTuruani,2001℄; itallowsparties to ex hange messagesbuiltfrom identities and ran-domly generated non es using publi keyen ryption and digital signatures. Proto ols that do not uselabels areobtainedstraightforwardly.

2.1 Syntax

Consider analgebrai signature

Σ

with the followingsorts. A sort

ID

for agent identities, sorts

SKey

,

VKey

,

EKey

,

DKey

ontainingkeysforsigning, verifying,en ryption,and de ryptionrespe tively. Thealgebrai sig-naturealso ontainssorts

Nonce

,

Label

,

Ciphertext

,

Signature

and

Pair

fornon es,labels, iphertexts,signatures and pair, respe tively. The sort

Label

is used in en ryption and signatures to distinguish between dierent en ryption/signatureofthesameplaintext. Thesort

Term

isasupersort ontainingallothersorts,ex ept

SKey

and

DKey

. There are nine operations: the four operations

ek, dk, sk, vk

are dened on thesort

ID

and return theen ryption key,de ryption key,signingkey, andveri ationkeyasso iatedto theinputidentity. Thetwo operations

ag

and

adv

aredenedonnaturalnumbersand returnlabels. Asexplainedintheintrodu tion,the labelsareusedtodierentiatebetweendierenten ryptions(andsignatures)ofthesameplaintext, reatedby thehonest agentsortheadversary. Wedistinguishbetweenlabelsforagentsandforthe adversarysin ethey donotusethesamerandomness. Theotheroperationsthatwe onsiderarepairing,publi keyen ryption,and signing.

Wealso onsidersetsofsortedvariables

X

= X.n∪X.a∪X.c∪X.s

and

X

l

= X∪X.l

. Here,

X.n, X.a, X.c, X.s, X.l

are sets of variables of sort non e,agent, iphertext, signature and labels, respe tively. Thesets of variables

X.a

and

X.n

are as follows. If

k ∈ N

is somexed onstant representingthe numberofproto olparti ipants, w.l.o.g. wexthesetofagentvariablestobe

X.a = {A

1

, A

2

, . . . , A

k

}

,andpartitionthesetofnon evariables, by thepartythat generates them. Formally:

X.n = ∪

A∈X.a

X

n

(A)

and

X

n

(A) = {X

j

(8)

avoidstospe ifylater, forea hrole, whi h variablesstandforgenerated non esandwhi hvariablesstandfor expe tednon es.

Labeledmessagesthat aresentbyparti ipantsarespe iedusingtermsin

T

l

L

::=

X.l | ag(i) | adv(j)

T

l

::=

X

| a | ek(a) | dk(a) | sk(a) | vk(a) | n(a, j, s) | hT

l

, T

l

i | {T

l

}

L

ek(a)

| [T

l

]

L

sk(a)

where

i, j ∈ N

,

a ∈ ID

,

j, s ∈ N

,

a ∈ ID

.

Unlabeledmessagesarespe iedsimilarlyastermsin thealgebra

T

dened by

T

::= X | a | ek(a) | dk(a) | sk(a) | vk(a) | n(a, j, s) | hT , T i | {T }

ek(a)

| [T ]

sk(a)

where

a ∈ ID

,

j, s ∈ N

,

a ∈ ID

. A mapping

· : T

l

→ T

from labeled to unlabeledterms isdened byremoving thelabels:

{k}

l

m

= {k}

m

,

[k]

l

m

= [k]

m

,

f (t

1

, . . . , t

n

) = f (t

1

, . . . , t

n

)

otherwise. The mapping fun tion is extended to sets of terms as expe ted.

Theindividualbehaviorofea hproto olparti ipantisdenedbyarolethatdes ribesasequen eofmessage re eptions/transmissions. A

k

-partyproto olisgivenby

k

su h roles.

Denition 1(Labeled roles and proto ols) The set

Roles

l

of roles for labeled proto ol parti ipants is de-nedby

Roles

l

= (({init} ∪ T

l

) × (T

l

∪ {stop}))

. A

k

-partylabeledproto ol isamapping

Π : [k] → Roles

l

,where

[k]

denotes the set

{1, 2, . . . , k}

.

Unlabeled roles and proto ols are dened very similarly. The mapping fun tion is extended from labeled proto olstounlabeledproto olsasexpe ted.

Weassumethataproto olspe i ationissu hthat

Π(j) = ((l

j

1

, r

j

1

), (l

j

2

, r

2

j

), . . .)

,the

j

'throleinthedenition oftheproto olbeingexe utedbyplayer

A

j

. Ea hsequen e

((l

1

, r

1

), (l

2

, r

2

), . . .) ∈ Roles

l

spe iesthemessages tobesent/re eivedbythepartyexe utingtherole: atstep

i

,thepartyexpe tstore eiveamessage onforming to

l

i

and returnsmessage

r

i

. Wewishtoemphasizethatterms

l

j

i

, r

j

i

arenota tualmessages,butspe ifyhow themessagethatisre eivedandthemessagethatisoutputshouldlook like.

Example1 The Needham-S hroeder-Lowe proto ol [Lowe,1996℄ is spe ied as follows: there are two roles

Π(1)

and

Π(2)

orrespondingtothesender'sandre eiver'srole.

A → B :

{N

a

, A}

ek(B)

B → A :

{N

a

, N

b

, B}

ek(A)

A → B :

{N

b

}

ek(B)

Π(1) =

(init, {X

A

1

1

, A

1

}

ag(1)

ek(A

2

)

),

({X

1

A

1

, X

1

A

2

, A

2

}

L

ek(A

1

)

, {X

1

A

2

}

ag(1)

ek(A

2

)

)

Π(2) =

({X

A

1

1

, A

1

}

ek(A

L

1

2

)

, {X

A

1

1

, X

1

A

2

, A

2

}

ag(1)

ek(A

1

)

),

({X

1

A

2

}

L

2

ek(A

2

)

, stop)

Clearly, not all proto ols written using the syntax above are meaningful. In parti ular, some proto ols mightbenotexe utable. Thisisa tuallynotrelevantforourresult(ourtheoremalsoholdsfornonexe utable proto ols).

2.2 Exe ution Model

Wedene theexe utionmodelonlyforlabeledproto ols. Thedenition oftheexe utionmodel forunlabeled proto olsisthenstraightforward.

If

A

isavariableor onstantofsortagent,wedeneitsknowledgeby

kn(A) = {dk(A), sk(A)} ∪ X

n

(A)

,i.e. anagentknowsitsse retde ryptionandsigningkeyaswellasthenon esitgeneratesduringtheexe ution. The formal exe utionmodel isastatetransition system. A global state ofthesystemis givenby

(SId, f, H)

where

H

isasetoftermsof

T

l

representingthemessagessentonthenetworkand

f

maintainsthelo alstatesofall sessionids

SId

. Werepresentsessionidsastuplesoftheform

(n, j, (a

1

, a

2

, . . . , a

k

)) ∈ (N× N× ID

k

)

,where

n ∈ N

identiesthesession,

a

1

, a

2

, . . . , a

k

aretheidentities ofthepartiesthat areinvolvedin thesession and

j

is the index oftherolethatisexe utedinthissession. Mathemati ally,

f

isafun tion

f : SId → ([X → T

l

] × N × N),

where

f (sid) = (σ, i, p)

isthelo al stateofsession

sid

. Thefun tion

σ

isapartialinstantiationofthevariables o urringin role

Π(i)

and

p ∈ N

isthe ontrolpointoftheprogram. Threetransitionsareallowed.

(9)

m ∈ S

S ⊢

l

m

S ⊢

l

b, ek(b), vk(b)

b ∈ X.a

Initialknowledge

S ⊢

l

m

1

S ⊢

l

m

2

S ⊢

l

hm

1

, m

2

i

S ⊢

l

hm

1

, m

2

i

i ∈ {1, 2}

S ⊢

l

m

i

Pairingandunpairing

S ⊢

l

ek(b) S ⊢

l

m

i ∈ N

S ⊢

l

{m}

adv(i)

ek(b)

S ⊢

l

{m}

l

ek(b)

S ⊢

l

dk(b)

S ⊢

l

m

En ryptionandde ryption

S ⊢

l

sk(b) S ⊢

l

m

i ∈ N

S ⊢

l

[m]

adv(i)

sk(b)

S ⊢

l

[m]

l

sk(b)

S ⊢

l

m

Signature

Figure1: Dedu tionrules. ˆ

(SId, f, H)

corrupt(a

1

,...,a

l

)

−−−−−−−−−−−→ (SId, f, ∪

1≤j≤l

kn(a

j

) ∪ H)

. Theadversary orrupts parties by outputting a set of identities. He re eivesin returnthe se retkeys orrespondingto theidentities. It happens only on eatthebeginningoftheexe ution.

ˆ Theadversary aninitiatenewsessions:

(SId, f, H)

new(i,a

1

,...,a

k

)

−−−−−−−−−−→ (SId

, f

, H

)

where

H

,

f

and

SId

are dened asfollows. Let

s = |SId| + 1

,bethesession identierofthenewsession,where

|SId|

denotes the ardinality of

SId

.

H

is dened by

H

= H

and

SId

= SId ∪ {(s, i, (a

1

, . . . , a

k

))}

. The fun tion

f

is denedasfollows. 

f

(sid) = f (sid)

forevery

sid

∈ SId

. 

f

(s, i, (a

1

, . . . , a

k

)) = (σ, i, 1)

where

σ

isapartialfun tion

σ : X → T

l

and:



σ(A

j

)

= a

j

1 ≤ j ≤ k

σ(X

A

j

i

) = n(a

i

, j, s)

j ∈ N

Were allthattheprin ipalexe utingtherole

Π(i)

isrepresentedby

A

i

thus,inthat role,everyvariable oftheform

X

j

A

i

representsanon egeneratedby

A

i

. ˆ The adversary an send messages:

(SId, f, H)

send(sid,m)

−−−−−−−→ (SId, f

, H

)

where

sid

∈ SId

,

m ∈ T

l

,

H

, and

f

are dened as follows. We dene

f

(sid

) = f (sid

)

for every

sid

6= sid

. We denote

Π(j) =

((l

j

1

, r

j

1

), . . . , (l

j

k

j

, r

k

j

j

))

.

f (sid) = (σ, j, p)

forsome

σ, j, p

. Therearetwo ases.  Either there exists a least general unier

θ

of

m

and

l

j

p

σ

. Then

f

(sid) = (σ ∪ θ, j, p + 1)

and

H

= H ∪ {r

j

p

σθ}

.  Orwedene

f

(sid) = f (sid)

and

H

= H

(thestateremainsun hanged). If wedenote by

SID

= N × N × ID

k

theset ofallsessionsids, theset ofsymboli exe utiontra es is

SymbTr

l

=

(SID×(SID → ([X → T

l

]×N×N))×2

T

l

)

. Thesetof orrespondingunlabeledsymboli exe utiontra esisdenoted by

SymbTr

. The mappingfun tion

·

isextendedasfollows: if

tr = (SId

0

, f

0

, H

0

), . . . , (SId

n

, f

n

, H

n

)

is atra e of

SymbTr

l

,

tr = (SId

0

, f

0

, H

0

), . . . , (SId

n

, f

n

, H

n

) ∈ SymbTr

where

SId

i

simplyequal

SId

i

and

f

i

: SID → ([X →

T ]×N×N))

with

f

i

(sid) = (σ, i, p)

if

f

i

(sid) = (σ, i, p)

and

σ(X) = σ(X)

.

Theadversaryinter eptsmessagesbetweenhonest parti ipantsand omputesnewmessagesusing the de-du tion relation

l

dened in Figure 1. Intuitively,

S ⊢

l

m

means that theadversaryis ableto ompute the message

m

fromtheset ofmessages

S

. All dedu tionrulesare ratherstandardwiththeex eptionof thelast one: The last rule statesthat the adversary anre overthe orrespondingmessage outof agivensignature. This rule ree ts apabilities that donot ontradi t thestandard omputational se urity denition of digital signatures,maypotentiallybeavailableto omputationaladversariesandareimportantforthesoundnessresult of[CortierandWarins hi,2005℄.

(10)

Next,wesket htheexe utionmodelforunlabeledproto ols. Asabove,theexe utionisbasedonadedu tion relation

that aptures adversarial apabilities. Thededu tionrulesthat dene

areobtainedfrom thoseof

l

(Figure 1)asfollows. Thesetsof rulesInitialknowledge and Pairing andunpairing in arekeptun hanged (repla ing

l

by

,of ourse). Foren ryptionandsignatureswesuppressthelabels

adv(i)

and

l

intheen ryption fun tion

{

_

}

_ _

andthesignaturefun tion

[

_

]

_ _

forrulesEn ryption andde ryption and rulesSignature. That is, therulesforen ryptionare:

S ⊢ ek(b) S ⊢ m

S ⊢ {m}

ek(b)

S ⊢ {m}

ek(b)

S ⊢ dk(b)

S ⊢ m

and thoseforsignaturesare:

S ⊢ sk(b) S ⊢ m

S ⊢ [m]

sk(b)

S ⊢ [m]

sk(b)

S ⊢ m

We use the dedu tion relations to hara terize the set of valid exe ution tra es. We say that the tra e

(SId

1

, f

1

, H

1

), . . . , (SId

n

, f

n

, H

n

)

is valid ifthemessagessentby theadversary anbe omputed byDolev-Yao operations.Morepre isely,werequirethatinavalidtra ewhenever

(SId

i

, f

i

, H

i

)

send(s,m)

−−−−−−−→ (SId

i+1

, f

i+1

, H

i+1

)

, wehave

H

i

l

m

. Given aproto ol

Π

, theset ofvalid symboli exe ution tra esis denoted by

Exec(Π)

. The set

Exec(Π)

ofexe utiontra esinthemodelwithoutlabelsisdenedsimilarly. Wethusrequirethateverysent message

m

satises

H

i

⊢ m

.

Example2 PlayingwiththeNeedham-S hroeder-Loweproto oldes ribedinExample1,anadversary an or-ruptanagent

a

3

,startanewsessionforthese ondrolewithplayers

a

1

, a

2

andsendthemessage

{n(a

3

, 1, 1), a

1

}

adv(1)

ek(a

2

)

to theplayerofthese ondrole. The orrespondingvalidtra eexe utionis:

(∅, f

1

, ∅)

corrupt(a

3

)

−−−−−−−−→ (∅, f

1

, kn(a

3

))

new(2,a

1

,a

2

)

−−−−−−−−→

({sid

1

}, f

2

, kn(a

3

))

send(sid

1

,{n

3

,a

1

}

adv(1)

ek

(a2)

)

−−−−−−−−−−−−−−−→



{sid

1

}, f

3

, kn(a

3

) ∪ {{n

3

, n

2

, a

2

}

ag(1)

ek(a

1

)

}



,

where

sid

1

= (1, 2, (a

1

, a

2

))

,

n

2

= n(a

2

, 1, 1)

,

n

3

= n(a

3

, 1, 1)

, and

f

2

, f

3

are dened as follows:

f

2

(sid

1

) =

1

, 2, 1)

,

f

3

(sid

1

) = (σ

2

, 2, 2)

where

σ

1

(A

1

) = a

1

,

σ

1

(A

2

) = a

2

,

σ

1

(X

1

A

2

) = n

2

,and

σ

2

extends

σ

1

by

σ

2

(X

1

A

1

) =

n

3

and

σ

2

(L

1

) = adv(1)

.

2.3 Relating the labeled and unlabeled exe ution models

First noti e that by indu tion on the dedu tion rules, it an be easily shown that whenever a message is dedu ible,thenthe orrespondingunlabeledmessageisalsodedu ible. Formally,wehavethefollowinglemma.

Lemma1

S ⊢

l

m ⇒ S ⊢ m

Note thatourmainresultholdsfor anydedu tionrulesprovidedthislemmaholds.

Basedontheabovepropertyweshowthat wheneveratra e orrespondstoanexe utionofaproto ol,the orrespondingunlabeledtra e orrespondsalsoto anexe utionofthe orrespondingunlabeledproto ol. Lemma2

tr ∈ Exec(Π) ⇒ tr ∈ Exec(Π).

Proof. Thekeyargumentisthatonlypatternmat hingisperformedinproto olsandwhenatermwithlabels mat hessomepattern, theunlabeledtermmat hesthe orrespondingunlabeledpattern. Theproofisdoneby indu tion onthelengthofthetra e.

ˆ Let

tr = (SId

0

, f

0

, H

0

)

, where

SId

0

and

H

0

are emptysets. Wehave

H

0

= H

0

.

f

0

is dened nowhere, andsois

f

0

. Clearly,

tr = (SId

0

, f

0

, H

0

)

isin

Exec(Π)

.

ˆ Let

tr ∈ Exec(Π)

,

tr = e

0

, ..., e

n

= (SId

0

, f

0

, H

0

), ..., (SId

n

, f

n

, H

n

)

, su h that

tr ∈ Exec(Π)

. We have to show that if

tr

= tr, (SId

n+1

, f

n+1

, H

n+1

) ∈ Exec(Π)

, then we have

tr

∈ Exec(Π)

. There are three possibleoperations.

(11)

1.

corrupt(a

1

, ..., a

k

)

. It means that

tr = (SId

0

, f

0

, H

0

), (SId

1

, f

1

, H

1

)

. In this ase, we have

SId

1

=

SId

0

= ∅

,

f

1

= f

0

and

H

1

= H

0

S

1≤i≤k

kn(a

i

)

. We an on ludethat

tr = (SId

0

, f

0

, H

0

), (SId

1

, f

1

, H

1

)

isin

Exec(Π)

,be ausethere arenolabelsin

H

1

and

f

1

isstillnotdened.

2.

new(i, a

1

, ..., a

k

)

. Nolabelsareinvolvedinthisoperation. Theextensionmadeto

f

n

isthesameas ismadeto

f

n

. Neither

H

n

nor

H

n

aremodied.

tr

= tr, (SId

n+1

, f

n+1

, H

n+1

)

is avalidtra e. 3.

send(s, m)

.

First,wehavetobesurethatif

m

anbededu edfrom

H

n

,then

m

anbededu edfrom

H

n

. This isLemma1.

Notethat

SId

n

= SId

n+1

thus

SId

n

= SId

n+1

. Let

f

n

(s) = (σ, i, p)

and

Π(i) = (..., (l

p

, r

p

), ...)

. We havetwo ases.

 Eitherthereis asubstitution

θ

with

m = l

p

σθ

. Then

f

n+1

(s) = (σ ∪ θ, i, p + 1)

. Thus

f

n

(s) =

(σ, i, p)

and

f

n+1

(s) = (σ ∪ θ, i, p + 1)

. By indu tion hypothesis,

tr

is a valid tra e. From

m = l

p

σθ

follows

m = l

p

σθ

. We on lude that

tr, (SId

n+1

, f

n+1

, H

n+1

) = tr

is a valid tra e, thusamemberof

Exec(Π)

.

 Or no substitution

θ

with

m = l

p

σθ

exists. Then

tr

= e

0

, ..., e

n

, e

n+1

with

e

n

= e

n+1

. We mustshowthat it is alwayspossibleto onstru tamessage

m

∈ T

, su h that thereexists no substitution

θ

with

m

= l

p

σθ

. Then,fromthevalidityof

tr

and

tr

we andedu ethevalidity of

tr

,be ause

e

n

= e

n+1

.

Eitherthereexistsnosubstitution

θ

su hthat

m = l

p

σθ

. Inthat ase,we hoose

m

= m

. Orlet

θ

beasubstitutionsu hthat

m = l

p

σθ

. Thenthemat hingfor

m

failsbe auseoflabels. This an be shown by ontradi tion. Assume

m

ontain no label, i. e.

m

doesnot ontain subterms of the form

{t}

l

ek(a

i

)

or

[t]

l

sk(a

i

)

,

t ∈ T

. Inthat ase, wehave

m = m

by denition. >From

m = l

p

σθ

,wededu ethat

m = l

p

σθ

, ontradi tion. Wededu ethat

m

ontainssomesubtermof theform

{t}

ek(a

i

)

or

[t]

sk(a

i

)

. The fa t

m = l

p

σθ

impliesthat

l

p

hasto ontainoneofthefollowingsubterms:

{t

}

ek(A

i

)

,

[t

]

sk(A

i

)

with

t

∈ T

or, avariableofsort iphertextorsignature.

Then,we hoose

m

= a

forsomeagentidentity

a ∈ X.a

. Theterm

a

isdedu iblefrom

H

n

. Now, themat hing of

m

with

l

p

alwaysfails,either be auseoftheen ryption orsignatureo urring in

l

p

or be auseoftypemismat hforavariableoftype iphertextorsignaturein

l

p

.

3 A LOGIC FOR SECURITY PROPERTIES

Inthisse tionwedenealogi forspe ifyingse urityproperties. Wethenshowthatthelogi isquiteexpressive and, inparti ular,it anbeusedtospe ifyratherstandardse re yandauthenti ityproperties.

3.1 Preliminary denitions

Toatra e

tr = e

1

, ..., e

n

= (SId

1

, f

1

, H

1

), ..., (SId

n

, f

n

, H

n

) ∈ SymbTr

weasso iateits set of indi es

I(tr) =

{i | e

i

appearsinthetra e

tr}

.

Wealso dene the set of lo al states

LS

i,p

(tr)

for role

i

at step

p

that appearin tra e

tr

by

LS

i,p

(tr) =

{(σ, i, p) | ∃s ∈ SId

k

, k ∈ I(tr),

su hthat

f

k

(s) = (σ, i, p)}.

We assume an innite set

Sub

of meta-variables for substitutions. We extend the term algebra to allow substitution appli ation. Moreformally,let

T

l

Sub

bethealgebradened by:

L

::= ς(x

l

) | ag(i) | adv(j)

T

l

Sub

::= ς(x) | a | ek(a) | dk(a) | sk(a) | vk(a) | hT

Sub

l

, T

Sub

l

i | {T

Sub

l

}

L

ek(a)

| [T

Sub

l

]

L

sk(a)

where

x

l

∈ X.l

,

ς ∈ Sub

,

i, j ∈ N

,

x ∈ X

,

a ∈ ID

. Theunlabeledalgebra

T

Sub

is denedsimilarly. Themapping fun tion between the two algebras is dened by:

ς(x) = ς(x)

,

{k}

l

m

= {k}

m

,

[k]

l

m

= [k]

m

,

f (t

1

, . . . , t

n

) =

f (t

1

, . . . , t

n

)

otherwise. 3.2 Se urity Logi

Inthis se tionwedes ribealogi forse urityproperties. Besidesstandardpropositional onne tors,thelogi hasapredi atetospe ifyhonestagents,equalitytestsbetweenterms,andexistentialanduniversalquantiers overthelo alstatesofagents.

(12)

[[N C(tr, t)]]

=

1

if

t ∈ ID

and

t

doesnotappearina orrupta tion,i.e.

tr = e

1

, e

2

, ..., e

n

and

∀a

1

, . . . , a

k

,s.t.

e

1

corrupt(a

1

,...,a

k

)

−−−−−−−−−−−→ e

2

, t 6= a

i

0

otherwise

[[(t

1

= t

2

)]]

=



1

if

t

1

= t

2

(synta ti equality)

0

otherwise

[[¬F (tr)]]

= ¬[[F (tr)]]

[[F

1

(tr) ∧ F

2

(tr)]]

= [[F

1

(tr)]] ∧ [[F

2

(tr)]]

[[F

1

(tr) ∨ F

2

(tr)]]

= [[F

1

(tr)]] ∨ [[F

2

(tr)]]

[[∀LS

i,p

(tr).ς F (tr)]]

=



1

if

∀(θ, i, p) ∈ LS

i,p

(tr),

wehave

[[F (tr)[θ/ς]]] = 1,

0

otherwise

.

[[∃LS

i,p

(tr).ς F (tr)]]

=



1

if

∃(θ, i, p) ∈ LS

i,p

(tr),

s.t.

[[F (tr)[θ/ς]]] = 1,

0

otherwise

.

Figure2: Interpretation. Denition 2 Theformulas ofthe logi

L

l

1

aredenedasfollows:

F (tr)

::=

N C(tr, t

1

) | (t

1

= t

2

) | ¬F (tr) | F (tr) ∧ F (tr) | F (tr) ∨ F (tr) |

∀LS

i,p

(tr).ς F (tr) | ∃LS

i,p

(tr).ς F (tr)

where

tr

isaparameter of the formula,

i, p ∈ N

,

ς ∈ Sub

,

t

1

and

t

2

aretermsof

T

l

Sub

. Notethatformulas are parametrizedby atra e

tr

. As usual,wemay use

φ

1

→ φ

2

asashort utfor

¬φ

1

∨ φ

2

.

Wesimilarly denethe orrespondingunlabeled logi

L

1

: thetests

(t

1

= t

2

)

arebetweenunlabeled terms

t

1

, t

2

over

T

sub

. Themappingfun tion

·

isextendedasexpe ted. Inparti ular

N C(tr, t) = N C(tr, t)

,

(t

1

= t

2

) =

(t

1

= t

2

)

,

∀LS

i,p

(tr).ς F (tr) = ∀LS

i,p

(tr).ς F (tr)

and

∃LS

i,p

(tr).ς F (tr) = ∃LS

i,p

(tr).ς F (tr)

.

Here, the predi ate

N C(tr, t)

of arity 2 is used to spe ify non orrupted agents. The quanti ations

∀LS

i,p

(tr).ς

and

∃LS

i,p

(tr).ς

are over the lo al states in the tra e that orrespond to agent

i

at ontrol point

p

. Thesemanti sofourlogi isdenedfor losed formulaasshownin Figure2.

Next wedene when a proto ol

Π

satises a formula

φ ∈ L

l

1

. The denition for the unlabeled exe ution model isobtainedstraightforwardly. Informally, aproto ol

Π

satises

φ

if

φ(tr)

istruefor alltra es

tr

of

Π

. Formally:

Denition 3 Let

φ

be aformula and

Π

be aproto ol. We say that

Π

satises se urity property

φ

, and write

Π |= φ

iffor any tra e

tr ∈ Exec(Π)

,

[[φ(tr)]] = 1

.

Abusing notation, we o asionally write

φ

for the set

{tr | [[φ(tr)]] = 1}

. Then,

Π |= φ

pre isely when

Exec(Π) ⊆ φ

.

3.3 Examples of se urity properties

Inthisse tionweexemplifytheuseofthelogi byspe ifyingse re yandauthenti ityproperties. 3.3.1 A se re yproperty

Let

Π(1)

and

Π(2)

bethesender'sandre eiver'sroleof atwo-partyproto ol. Tospe ifyourse re yproperty weuse astandarden oding. Namely, weadd athird role to the proto ol,

Π(3) = (X

1

A

3

, stop)

, whi h anbe seenassomesortofwitness.

Informally, thedenition of these re y property

φ

s

states that, fortwonon orruptedagents

A

1

and

A

2

, where

A

1

plays role

Π(1)

and

A

2

playsrole

Π(2)

, athird agentplayingrole

Π(3)

annotgainanyknowledge onnon e

X

1

A

1

sentbyrole

Π(1)

.

φ

s

(tr) = ∀LS

1,1

(tr).ς ∀LS

3,2

(tr).ς

[N C(tr, ς(A

1

)) ∧ N C(tr, ς(A

2

)) → ¬(ς

(X

A

1

3

) = ς(X

1

A

2

))]

(13)

3.3.2 Anauthenti ation property

Consideratworoleproto ol,su hthatrole1nishesitsexe utionafter

n

stepsandrole2nishesitsexe ution after

p

steps. For this kind of proto ols we give a variant of the week agreement property [Lowe,1997b℄. Informally, this propertystates thatwheneveraninstantiation ofrole 2nishes,there exists an instantiation ofrole1thathasnishedandtheyagreeonsomevalueforsomevariableandtheyhaveindeed talkedto ea h other. Inourexamplewe hoosethis variable tobe

X

1

A

1

. Note that we apture that someagenthasnished itsexe utionbyquantifyingappropriatelyoverthelo al statesofthatagent. Morepre isely,wequantify only overthestateswhereitindeedhasnisheditsexe ution.

φ

a

(tr) = ∀LS

2,p

(tr).ς ∃LS

1,n

(tr).ς

[N C(tr, ς(A

1

)) ∧ N C(tr, ς

(A

2

)) → (ς(X

A

1

1

) = ς

(X

1

A

1

)) ∧ (ς(A

2

) = ς

(A

2

)) ∧ (ς(A

1

) = ς

(A

1

))]

Noti ethat although in its urrentversionourlogi is notpowerfulenoughtospe ifystrongerversionsof agreement (like inje tive or bije tive agreement), it ould be appropriately extended to deal with this more omplexformsofauthenti ation.

4 MAIN RESULT

Re all that our goal is to prove that

Π |= φ ⇒ Π |= φ

. However, as explained in the introdu tion this propertydoesnotholdingeneral. Thefollowingexampleshedssomelightonthereasonsthat ausethedesired impli ation tofail.

Example3 Considertherststepofsomeproto olwhere

A

sendsamessageto

B

wheresomepartisintended forsomethirdagent.

A → B : {N

a

, {N

a

}

ek(C)

, {N

a

}

ek(C)

}

ek(B)

Thespe i ationoftheprogramsof

A

and

B

that orrespondstothisrststepisasfollows(inthedenition below

C

1

A

2

and

C

2

A

2

arevariablesofsort iphertext).

Π(1) =

(init, {hX

1

A

1

, h{X

1

A

1

}

ag(1)

ek(A

3

)

, {X

1

A

1

}

ag(2)

ek(A

3

)

ii}

ag(3)

ek(A

2

)

)

Π(2) =

({hX

1

A

1

, hC

1

A

2

, C

2

A

2

ii}

L

ek(A

2

)

, stop)

We assume that

A

generates twi e the message

{N

a

}

ek(C)

. Noti e that we stop the exe ution of

B

after it re eivestherstmessagesin ethisissu ientfor ourpurpose,but itsexe utionmightbe ontinuedto form amorerealisti example.

Considerthese urityproperty

φ

1

that statesthat if

A

and

B

agree onthenon e

X

1

A

1

then

B

should have re eivedtwi ethesame iphertext.

φ

1

(tr) = ∀LS

1,2

(tr).ς ∀LS

2,2

(tr).ς

N C(tr, ς(A

1

)) ∧ N C(tr, ς(A

2

)) ∧ (ς(X

A

1

1

) = ς

(X

1

A

1

)) → (ς

(C

1

A

2

) = ς

(C

2

A

2

))

This property learly does not hold for any normal exe ution of the labeled proto ol sin e

A

always sends iphertextswithdistin tlabels. Thus

Π 6|= φ

1

.

Ontheother hand,one an showthat wehave

Π |= φ

1

in theunlabeledexe utionmodel. Intuitively,this holdsbe auseif

A

and

B

arehonestagentsandagreeon

X

1

A

1

,thenthemessagere eivedby

B

hasbeenemitted by

A

andthusshould ontainidenti al iphertexts(after havingremovedtheirlabels).

4.1 Logi

L

l

2

The ounterexample aboverelies on thefa t that two iphertexts that are equalin the model withoutlabels may have been derived from distin t iphertexts in the model with labels. Hen e, it may be the ase that although

t

1

6= t

2

⇒ t

1

6= t

2

, the ontrapositiveimpli ation

t

1

= t

2

⇒ t

1

= t

2

does not hold, whi h in turn entailsthatformulasthat ontainequalitytests between iphertextsmaybetruein themodelwithoutlabels, but false in themodel with labels. Inthis se tion weidentify afragmentof

L

l

1

,whi h we all

L

l

2

where su h testsareprohibited. Formally,weavoidequalitytestsbetweenarbitrarytermsbyforbiddingarbitrarynegation overformulasandallowingequalitytestsonlybetweensimple terms.

(14)

Denition 4 A term

t

is said simple if

t ∈ X.a ∪ X.n

or

t = a

for some

a ∈ ID

or

t = n(a, j, s)

for some

a ∈ ID

,

j, s ∈ N

.

An importantobservationisthatforanysimpleterm

t

itholdsthat

t = t

. Denition 5 Theformulas ofthe logi

L

l

2

aredenedasfollows:

F (tr)

::=

N C(tr, t

1

) | ¬N C(tr, t

1

) | F (tr) ∧ F (tr) | F (tr) ∨ F (tr) | (t

1

6= t

2

) | (u

1

= u

2

) |

∀LS

i,p

(tr).ς F (tr) | ∃LS

i,p

(tr).ς F (tr),

where

tr ∈ SymbTr

isaparameter,

i, p ∈ N

,

t

1

, t

2

∈ T

l

Sub

and

u

1

, u

2

are simpleterms. Sin esimpletermsalsobelongto

T

l

Sub

,bothequalityandinequalitytestsareallowedbetweensimpleterms. The orrespondingunlabeledlogi

L

2

isdened asexpe ted. Notethat

L

l

2

⊂ L

l

1

and

L

2

⊂ L

1

.

4.2 Theorem

Informally,ourmain theoremsaysthattoverifyifaproto olsatisessomese urityformula

φ

inlogi

L

l

2

,itis su ienttoverifythattheunlabeledversionoftheproto olsatises

φ

.

Theorem1 Let

Π

beaproto oland

φ ∈ L

l

2

,then

Π |= φ ⇒ Π |= φ

.

Proof. Assume

Π |= φ

. We haveto show that forany tra e

tr ∈ Exec(Π)

,

[[φ(tr)]] = 1

. >From lemma 2it followsthat

tr ∈ Exec(Π)

,thus

[[φ(tr)]] = 1

, sin e

Π |= φ

. Thus, itissu ientto showthat

[[φ(tr)]] ⇒ [[φ(tr)]]

. Thefollowinglemmaoersthedesiredproperty.

Lemma3 Let

φ(tr) ∈ L

l

2

for some

tr ∈ SymbTr

,

[[φ(tr)]]

implies

[[φ(tr)]]

. Proof. Theproofofthelemmaisbyindu tiononthestru tureof

φ(tr)

.

ˆ

φ(tr) = N C(tr, t)

or

φ(tr) = ¬N C(tr, t)

.

[[N C(tr, t)]] = 1

,ifandonlyif

t ∈ ID

and

t

doesnoto urin a

corrupt

eventforthetra e

tr

. This isequivalentto

t ∈ ID

and

t

doesnoto urin a

corrupt

eventfor thetra e

tr

. Thus

[[N C(tr, t)]] = 1

ifandonlyif

[[N C(tr, t)]] = [[N C(tr, t)]] = 1

.

ˆ

φ(tr) = (t

1

6= t

2

)

. Wehavethat

φ(tr) = (t

1

6= t

2

)

holds. Assume by ontradi tionthat

φ(tr)

does not hold,i.e

t

1

= t

2

. Thisimplies

t

1

= t

2

, ontradi tion.

ˆ

φ(tr) = (u

1

= u

2

)

with

u

1

, u

2

simpleterms. Wehavethat

φ(tr) = (u

1

= u

2

)

holds. Sin e

u

1

and

u

2

are simpleterms,wehave

u

i

= u

i

, thus

u

1

= u

2

. We on ludethat

φ(tr)

holds.

ˆ The ases

φ(tr) = φ

1

(tr) ∨ φ

2

(tr)

or

φ(tr) = φ

1

(tr) ∧ φ

2

(tr)

arestraightforward.

ˆ

φ(tr) = ∀LS

i

(tr).ς F (tr)

. If

φ(tr)

holds, thismeansthat forall

(θ, i, p)) ∈ LS

i,p

(tr)

,

[[F (tr)[θ/ς]]] = 1

. Let

, i, p) ∈ LS

i,p

(tr)

. We onsider

[[F (tr)[θ

/ς]]]

. Sin e

tr ∈ Exec(Π)

implies

tr ∈ Exec(Π)

(Lemma2), wehave

, i, p) ∈ LS

i,p

(tr)

. Byindu tionhypothesis,

[[F (tr)[θ

/ς]]] = 1

impliesthat

[[F (tr)[θ

/ς]]] = 1

. It followsthat

∀(θ

, i, p) ∈ LS

i,p

(tr) [[F (tr)[θ

/ς]]] = 1.

Thus,

φ(tr)

holds.

ˆ

φ(tr) = ∃LS

i

(tr).ς F (tr)

. If

φ(tr)

holds, this means that there exists

(θ, i, p)) ∈ LS

i,p

(tr)

, su h that

[[F (tr)[θ/ς]]] = 1

.

Bydenition of the mappingfun tion,there exists

, i, p) ∈ LS

i,p

(tr)

su h that

θ

= θ

. Byindu tion hypothesis,

[[F (tr)[θ

/ς]]] = 1

. Thusthereexists

θ

,su hthat

[[F (tr)[θ

/ς]]] = 1

(15)

5 DISCUSSION

We on ludewithabriefdis ussionoftwointerestingaspe tsofourresult. First,asmentionedinthe introdu -tion, theonlypropertyneeded forourmain theoremto holdis thattheunderlying dedu tionsystemsatises the onditionin Lemma 1, that is

S ⊢

l

m ⇒ S ⊢ m

. Infa t,an interestingresultwould be to proveamore abstra t andmodularversionofourtheorem.

Se ondly, anaturalquestioniswhether the onverseof ourmain theoremholds. Weprovethat thisis not the ase. Morepre isely,weshowthat thereexists aproto ol

Π

andaproperty

φ

su hthat

Π |= φ

but

Π 6|= φ

. Let

Π

betheproto oldened in Example3. Considerase urityproperty

φ

2

that statesonthe ontrarythat whenever

A

and

B

agreeonthenon e

X

1

A

1

then

B

should havere eivedtwodistin t iphertexts. Formally:

φ

2

(tr) = ∀LS

1,2

(tr).ς ∀LS

2,2

(tr).ς

N C(tr, ς(A

1

)) ∧ N C(tr, ς(A

2

)) ∧ (ς(X

A

1

1

) = ς

(X

1

A

1

)) → (ς

(C

1

A

2

) 6= ς

(C

2

A

2

))

where

C

1

A

2

and

C

2

A

2

arevariablesofsort iphertext.

Thisproperty learlydoesnotholdforanyhonestexe utionoftheunlabeledproto olsin e

A

alwayssends twi ethesame iphertext,andthus

Π 6|= φ

2

. Ontheotherhandhowever,one anshowthatthispropertyholds forlabeledproto olssin e,if

A

and

B

arehonestagentsandagreeon

X

1

A

1

,itmeansthatthemessagere eived by

B

hasbeenemittedby

A

and thus ontainstwodistin t iphertexts. Thus,

Π |= φ

2

. We on ludethat,in general,

Π |= φ

doesnotimply

Π |= φ

.

Referen es

[AbadiandJürjens,2001℄ Abadi,M.andJürjens,J.(2001).Formaleavesdroppingandits omputationalinterpretation. InPro .of Theoreti al Aspe ts of Computer Software (TACS 2001), volume 2215 ofLNCS, pages 8294. Springer-Verlag.

[Armandoetal.,2005℄ Armando,A.,Basin,D.,Boi hut,Y.,Chevalier,Y.,Compagna,L.,Cuellar,J.,HankesDrielsma, P.,Héam,P.-C.,Kou hnarenko,O.,Mantovani,J.,Mödersheim,S., vonOheimb,D.,Rusinowit h,M., Santiago, J., Turuani,M.,Viganò,L.,andVigneron,L.(2005).TheAVISPAToolfortheautomatedvalidationofinternetse urity proto olsandappli ations.In17thInternationalConferen eonComputerAidedVeri ation,CAV'2005,volume3576 ofLNCS,pages281285.Springer.

[Blan het,2001℄ Blan het,B.(2001). Ane ient ryptographi proto olverierbasedonprologrules. InPro .ofthe 14thComputer Se urityFoundations Workshop(CSFW'01).

[CortierandWarins hi,2005℄ Cortier, V. and Warins hi, B. (2005). Computationally Sound, Automated Proofs for Se urityProto ols. InPro .14thEuropeanSymposiumonProgramming(ESOP'05),volume3444ofLe tureNotesin ComputerS ien e,pages157171,Edinburgh,U.K.Springer.

[GoldwasserandMi ali,1984℄ Goldwasser,S.andMi ali,S.(1984).Probabilisti en ryption.J.ofComputerandSystem S ien es,28:270299.

[Herzog, 2004℄ Herzog,J.C.(2004). ComputationalSoundnessforStandardAsumptionsof FormalCryptography. PhD thesis,Massa husetts InstituteofTe hnology.

[Lowe,1996℄ Lowe,G.(1996). BreakingandxingtheNeedham-S hroederpubli -keyproto olusingFDR.InPro .of Toolsandalgoritmsforthe onstru tionandanalysisfofsystems(TACAS'96),volume1055ofLNCS,pages147166. Springer-Verlag.

[Lowe,1997a℄ Lowe,G.(1997a). Casper: A ompiler forthe analysisofse urityproto ols. InPro .of 10thComputer Se urityFoundations Workshop(CSFW'97).IEEEComputerSo ietyPress.

[Lowe,1997b℄ Lowe,G.(1997b). Ahierar hyofauthenti ationspe i ations. InPro . ofthe 10thComputer Se urity FoundationsWorkshop(CSFW'97).IEEEComputerSo ietyPress.

[Lowe,2004℄ Lowe,G.(2004). Analysingproto olssubje ttoguessingatta ks.Journalof ComputerSe urity,12(1). [Mi ian ioandWarins hi,2004℄ Mi ian io,D.andWarins hi,B.(2004). Soundnessofformalen ryptioninthe

pres-en eofa tiveadversaries. InTheory ofCryptographyConferen e(TCC2004),pages133151,Cambridge,MA,USA. Springer-Verlag.

[Rusinowit handTuruani,2001℄ Rusinowit h, M. and Turuani, M. (2001). Proto ol inse urity withnite numberof sessionsisNP- omplete. InPro .of the14thComputerSe urityFoundations Workshop(CSFW'01),pages174190. IEEEComputerSo ietyPress.

[Song,1999℄ Song,D.X. (1999). Athena: A newe ientautomati he kerfor se urity proto olanalysis. InPro .of the12thComputer Se urityFoundations Workshop(CSFW'99).IEEEComputerSo ietyPress.

(16)

Unité de recherche INRIA Lorraine

LORIA, Technopôle de Nancy-Brabois - Campus scientifique

615, rue du Jardin Botanique - BP 101 - 54602 Villers-lès-Nancy Cedex (France)

Unité de recherche INRIA Futurs : Parc Club Orsay Université - ZAC des Vignes

4, rue Jacques Monod - 91893 ORSAY Cedex (France)

Unité de recherche INRIA Rennes : IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex (France)

Unité de recherche INRIA Rhône-Alpes : 655, avenue de l’Europe - 38334 Montbonnot Saint-Ismier (France)

Unité de recherche INRIA Rocquencourt : Domaine de Voluceau - Rocquencourt - BP 105 - 78153 Le Chesnay Cedex (France)

Unité de recherche INRIA Sophia Antipolis : 2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex (France)

Éditeur

INRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France)

http://www.inria.fr

Figure

Figure 1: Dedution rules.

Références

Documents relatifs

Proof PrXML {mux,det} poly o PrXML {ind,mux} is trivial, because a det node is a special case of an ind node (i.e., every child is chosen with probability 1).. We efficiently

Keywords: Dynamical systems; Diophantine approximation; holomorphic dynam- ics; Thue–Siegel–Roth Theorem; Schmidt’s Subspace Theorem; S-unit equations;.. linear recurrence

So, the second step to ensure that our work reaches the right audience is drawing attention to our work, creating a community, and engaging the public.. As written by

In principle, this reduces the problem of finding all doubly translation type manifolds S to the algebraic problem of classifying all curves C satisfying all

In summary, the absence of lipomatous, sclerosing or ®brous features in this lesion is inconsistent with a diagnosis of lipo- sclerosing myxo®brous tumour as described by Ragsdale

Formally, a non-probabilistic simulation model is a Turing machine 2 , and a probabilistic simulation model is a probabilistic Turing machine, i.e., a deterministic Turing machine

candidates however the working group will be exploring the opportunity to use an alternative exam should the CAPR exams not launch in September 2021.. While Council has the

When a number is to be multiplied by itself repeatedly,  the result is a power    of this number.