HAL Id: inria-00078825
https://hal.inria.fr/inria-00078825v2
Submitted on 8 Jun 2006
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of
sci-entific research documents, whether they are
pub-lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Explicit Randomness is not Necessary when Modeling
Probabilistic Encryption
Véronique Cortier, Heinrich Hördegen, Bogdan Warinschi
To cite this version:
Véronique Cortier, Heinrich Hördegen, Bogdan Warinschi. Explicit Randomness is not Necessary
when Modeling Probabilistic Encryption. [Research Report] RR-5928, INRIA. 2006, pp.12.
�inria-00078825v2�
inria-00078825, version 2 - 8 Jun 2006
a p p o r t
d e r e c h e r c h e
IS
S
N
0
2
4
9
-6
3
9
9
IS
R
N
IN
R
IA
/R
R
--5
9
2
8
--F
R
+
E
N
G
Thèmes COM et SYM
INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Explicit Randomness is not Necessary when
Modeling Probabilistic Encryption
Véronique Cortier — Heinrich Hördegen — Bogdan Warinschi
N° 5928
Unité de recherche INRIA Lorraine
LORIA, Technopôle de Nancy-Brabois, Campus scientifique,
615, rue du Jardin Botanique, BP 101, 54602 Villers-Lès-Nancy (France)
Téléphone : +33 3 83 59 30 00 — Télécopie : +33 3 83 27 83 19
En ryptionVéronique Cortier, Heinri hHördegen ,Bogdan Warins hi ThèmesCOMetSYMSystèmes ommuni antsetSystèmessymboliques
ProjetCassis
Rapportdere her he n°5928 Juin200612pages
Abstra t: Although good en ryption fun tionsare probabilisti ,mostsymboli modelsdo not apturethis aspe t expli itly. A typi al solution, re ently used to prove the soundness of su h models with respe t to omputationalones,istoexpli itlyrepresentthedependen yof iphertextsonrandom oinsaslabels.
Inordertomaketheselabel-basedmodelsuseful,itseemsnaturaltotrytoextendtheunderlying de ision pro edures andthe implementation of existing tools. Inthis paperwe put forth amorepra ti al alternative basedonthefollowingsoundnesstheorem. Weprovethatforalarge lassofse urityproperties(thatin ludes ratherstandardformulationsforse re yandauthenti ityproperties),se urityofproto olsinthesimplermodel impliesse urityin thelabel-basedmodel. Combinedwiththesoundnessresultof (?) ourtheoremenablesthe translationofse urityresultsin unlabeledsymboli modelsto omputationalse urity.
représentation expli ite de l'aléa
Résumé : Bien que de nombreusesfon tions ryptographiquessoient probabilistes, la plupart de modèles symboliquesne prennent pasexpli itementen ompte etaspe t. Pourprouverla orre tionde es modèles parrapportauxmodèles omputationnels,ilestpourtantsouventné essairedereprésenterexpli itementl'aléa utilisédansle hirement,àl'aideparexempled'étiquettes.
Ilsemble alorsné essaire d'étendreles pro édures de dé isionsous-ja entes et l'implémentation desoutils existantsauxmodèlesbaséssurdesétiquettes. Dans etarti le,nousproposonsunealternativepluspratique, baséesurlethéorèmede orre tionsuivant. Nousprouvonsque,pourunegrande lassedepropriétésdesé urité ( omme lespropriétésstandardsdese retetd'authenti ation),lasé uritédeproto olesdansunmodèlesans étiquettesimplique lasé urité danslesmodèlesave étiquettes. En ombinaisonave lerésultatde orre tion de (?), notre théorèmepermet de transférerles résultatsde sé uritédes modèles symboliquessans étiquettes verslasé urité omputationnelle.
1 INTRODUCTION
Designers of mathemati almodels for omputational systemsneedto ndappropriatetrade-os betweentwo seemingly ontradi tory requirements. Automati veri ation (and thus usability) typi ally requires a high levelof abstra tion whereas predi tiona ura y requires ahigh level ofdetails. >From this perspe tive, the useofsymboli modelsforse urityanalysisisparti ularlydeli atesin eitseemsthattheinherenthighlevelof abstra tion at whi h su h modelsoperateis notableto aptureallaspe ts thatarerelevantto se urity. This paper is on erned with oneparti ular su h aspe t, namely the use of randomization in the onstru tion of ryptosystems[GoldwasserandMi ali,1984℄.
A entralfeatureofthe omputational, omplexity-basedmodelsistheabilityto aptureandreasonexpli itly abouttheuseof randomness. Moreover,randomnessis essentialto a hieveanymeaningfulnotionofse urity for en ryption. In ontrast, symboli models rarely represent randomness dire tly. For example, a typi al representationfortheen ryptionofmessage
m
underthepubli keyofentityB
istheterm{m}
ek(B)
. Noti ethat thesymboli representationdoesnot apturethedependen yontherandomnessusedtogeneratethis iphertext. Whilethisabstra tionmaybesu ientlya uratein ertainsettings[Mi ian ioandWarins hi,2004℄,insome othersettings itisnotsu ient.Considerthefollowingowin sometoyproto ol:
A → B : {m}
ek(B)
, {{m}
ek(B)
}
ek(B)
To implement this ow, ea h o urren e of
{m}
ek(B)
is mapped to a iphertext. Noti e however that the pi torialdes riptiondoesnotspe ifyifthetwoo urren esof{m}
ek(B)
areequal( reatedwithidenti al oins) or dierent ( reated with dierent oins). In ri h enough proto ol spe i ation languages disambiguating onstru ts as above an be easily done. For instan e, in a language that has expli it assignments, the two dierentinterpretationfortherstmessageoftheproto ol anbeobtainedasx := {m}
ek(B)
; send(x, {x}
ek(B)
)
and
send({m}
ek(B)
, {{m}
ek(B)
}
ek(B)
)
Here,ea hdistin to urren eof
{m}
ek(B)
isinterpretedwithdierentrandomness. Otherapproa hesadopta more dire t solution and represent the randomness used for en ryption expli itly[Herzog,2004,AbadiandJürjens,2001,Lowe,2004,CortierandWarins hi,2005℄. Ifwewrite{m}
l
ek(B)
fortheen ryptionof
m
under thepubli keyofB
withrandom oinsl
,thetwodierentinterpretationsofthe oware:send({m}
l
1
ek(B)
, {{m}
l
1
ek(B)
}
l
2
ek(B)
)
and
send({m}
l
1
ek(B)
, {{m}
l
2
ek(B)
}
l
3
ek(B)
)
Amodelthatemployslabelsto apturetherandomnessusedin iphertexts(andsignatures)hasre entlybeen used to establish soundness of symboli analysis with respe t to omputational models[CortierandWarins hi,2005℄. Theirresultsarebasedonanemulationlemma: forproto olexe utions, every omputational tra e an be mapped to a valid symboli tra e. The mappingis then used to translate se uritypropertiesthatholdinthesymboli modelto omputationalanalogues.Thenextsteptowardsmaking thesoundnessresultrelevanttopra ti eis to arryoutthese urityproofsusingsome(semi-)automatedtools forthesymboli model.
However, to the best of our knowledge, none of the popular tools (ProVerif [Blan het,2001℄, CASPER [Lowe,1997a℄, Athenta [Song,1999℄, AVISPA [Armando etal.,2005℄), oers apabilities for auto-mati allyreasoninginmodelsthatuselabels. Thereareatleasttwosolutionstothisproblem. Onepossibility istoenhan ethesymboli modelsthatunderlieexistingtools. Unfortunatelysu hamodi ationwould proba-bly requiresigni anteortthatinvolvesadaptingexisting de isionpro edures,provingtheir orre tness,and verifyingandmodifyingthousandsoflinesof ode.
Inthispaperweputforthand larifyanalternativesolution,usedimpli itlyin[CortierandWarins hi,2005℄. Theideaistokeepexistingtoolsun hanged,usetheirunderlying(unlabeled)modeltoprovese urityproperties, and thenshowthattheresultsarein fa tmeaningfulforthemodelwithlabels. Themainresultofthispaper isto provethatforalarge lassofse uritypropertiestheapproa hthat weproposeisindeed feasible.
Weare urrently implementing anAVISPA module for omputationallysound automati proofsbasedon theresultsofthispaper.
Results. We onsider the proto ol spe i ation language and the exe ution model developed in [CortierandWarins hi,2005℄. The languageis for proto ols that use random non es, publi key en ryp-tionanddigitalsignatures,anduseslabelstomodeltherandomnessusedbytheseprimitives. Toea hproto ol
Π
withlabels,wenaturallyasso iateaproto olΠ
obtainedbyerasingalllabels,andextendthetransformation toexe utiontra es. Toea htra etr
ofΠ
weasso iateatra etr
obtainedbyerasinglabelsandweextendthis mappingtosetsoftra es. Therst ontributionofthispaperisaproofthatthetransformationissound. More pre isely weprovethat iftr
is avalid tra eofΠ
(obtained by Dolev-Yao operations)thentr
is avalid tra e ofΠ
. Importantly,thisresultreliesonthefa tthat thespe i ationlanguagethatwe onsiderdoesnotallow equality tests between iphertexts. Webelievethat asimilar result holdsfor most(if not all)proto ol spe i- ation languagesthat satisfythe above ondition. The languageforspe ifying proto ols (with and without labels)aswellastherelationbetweentheirasso iatedexe utionmodelsarein Se tion2.InSe tion3wegivetwologi s,
L
l
1
andL
1
,thatweusetoexpressse uritypropertiesforproto olswithand withoutlabels,respe tively. Informally,theformulasofL
1
areobtainedbyremovingthelabelsfromformulas ofL
l
1
. Bothlogi sarequiteexpressive.Forexample,it anbeusedtoexpressstandardformulationsforse re y and authenti ityproperties.Next we fo us ourattention ontranslatingse urity properties betweenthetwomodels. First,noti e that themappingbetweenthemodelwithandthatwithoutlabelsisnotfaithfulsin eitloosesinformationregarding inequalityof iphertexts. Toformalizethisintuitionwegiveaproto ol
Π
andaformulaφ
su hthatΠ
satisesφ
(theformulathat orrespondstoφ
inthemodelwithoutlabels),butforwhi hΠ
doesnotsatisfyφ
. Anti ipating, ourexampleindi atesthatthesour eofproblemsisthatφ
may ontainequalitytestsbetween iphertexts,and su htestsmaynotbetranslatedfaithfully. The ounterexampleisinSe tion 4.Themainresultof thepaperisasoundness theorem. Weshowthat foralarge lassofse urityproperties itispossibleto arryouttheproofinthemodelwithoutlabelsandinferse uritypropertiesinthemodelwith labels. More pre isely, we identify
L
l
2
andL
2
, fragmentsofL
l
1
andL
1
respe tively, su h that the following theorem holds.Consideranarbitrary proto ol
Π
andformulaφ
inL
l
2
. Letφ
beaformulainL
2
obtainedbyerasing the labelsthato urinφ
. Then,itholds that:Π |= φ =⇒ Π |= φ
The logi s
L
l
2
andL
2
are still expressive enough to ontain the se re y and authenti ation formulas. The theorem anditsproofarein inSe tion 4.2 PROTOCOL
In this se tion we provide the syntax of proto ols with labels. The presentation is adapted from [CortierandWarins hi,2005℄. The spe i ation language is similar to the one of Casrul[Rusinowit h andTuruani,2001℄; itallowsparties to ex hange messagesbuiltfrom identities and ran-domly generated non es using publi keyen ryption and digital signatures. Proto ols that do not uselabels areobtainedstraightforwardly.
2.1 Syntax
Consider analgebrai signature
Σ
with the followingsorts. A sortID
for agent identities, sortsSKey
,VKey
,EKey
,DKey
ontainingkeysforsigning, verifying,en ryption,and de ryptionrespe tively. Thealgebrai sig-naturealso ontainssortsNonce
,Label
,Ciphertext
,Signature
andPair
fornon es,labels, iphertexts,signatures and pair, respe tively. The sortLabel
is used in en ryption and signatures to distinguish between dierent en ryption/signatureofthesameplaintext. ThesortTerm
isasupersort ontainingallothersorts,ex eptSKey
andDKey
. There are nine operations: the four operationsek, dk, sk, vk
are dened on thesortID
and return theen ryption key,de ryption key,signingkey, andveri ationkeyasso iatedto theinputidentity. Thetwo operationsag
andadv
aredenedonnaturalnumbersand returnlabels. Asexplainedintheintrodu tion,the labelsareusedtodierentiatebetweendierenten ryptions(andsignatures)ofthesameplaintext, reatedby thehonest agentsortheadversary. Wedistinguishbetweenlabelsforagentsandforthe adversarysin ethey donotusethesamerandomness. Theotheroperationsthatwe onsiderarepairing,publi keyen ryption,and signing.Wealso onsidersetsofsortedvariables
X
= X.n∪X.a∪X.c∪X.s
andX
l
= X∪X.l
. Here,
X.n, X.a, X.c, X.s, X.l
are sets of variables of sort non e,agent, iphertext, signature and labels, respe tively. Thesets of variablesX.a
andX.n
are as follows. Ifk ∈ N
is somexed onstant representingthe numberofproto olparti ipants, w.l.o.g. wexthesetofagentvariablestobeX.a = {A
1
, A
2
, . . . , A
k
}
,andpartitionthesetofnon evariables, by thepartythat generates them. Formally:X.n = ∪
A∈X.a
X
n
(A)
andX
n
(A) = {X
j
avoidstospe ifylater, forea hrole, whi h variablesstandforgenerated non esandwhi hvariablesstandfor expe tednon es.
Labeledmessagesthat aresentbyparti ipantsarespe iedusingtermsin
T
l
L
::=
X.l | ag(i) | adv(j)
T
l
::=
X
| a | ek(a) | dk(a) | sk(a) | vk(a) | n(a, j, s) | hT
l
, T
l
i | {T
l
}
L
ek(a)
| [T
l
]
L
sk(a)
where
i, j ∈ N
,a ∈ ID
,j, s ∈ N
,a ∈ ID
.Unlabeledmessagesarespe iedsimilarlyastermsin thealgebra
T
dened byT
::= X | a | ek(a) | dk(a) | sk(a) | vk(a) | n(a, j, s) | hT , T i | {T }
ek(a)
| [T ]
sk(a)
where
a ∈ ID
,j, s ∈ N
,a ∈ ID
. A mapping· : T
l
→ T
from labeled to unlabeledterms isdened byremoving thelabels:
{k}
l
m
= {k}
m
,[k]
l
m
= [k]
m
,f (t
1
, . . . , t
n
) = f (t
1
, . . . , t
n
)
otherwise. The mapping fun tion is extended to sets of terms as expe ted.Theindividualbehaviorofea hproto olparti ipantisdenedbyarolethatdes ribesasequen eofmessage re eptions/transmissions. A
k
-partyproto olisgivenbyk
su h roles.Denition 1(Labeled roles and proto ols) The set
Roles
l
of roles for labeled proto ol parti ipants is de-nedby
Roles
l
= (({init} ∪ T
l
) × (T
l
∪ {stop}))
∗
. A
k
-partylabeledproto ol isamappingΠ : [k] → Roles
l
,where
[k]
denotes the set{1, 2, . . . , k}
.Unlabeled roles and proto ols are dened very similarly. The mapping fun tion is extended from labeled proto olstounlabeledproto olsasexpe ted.
Weassumethataproto olspe i ationissu hthat
Π(j) = ((l
j
1
, r
j
1
), (l
j
2
, r
2
j
), . . .)
,thej
'throleinthedenition oftheproto olbeingexe utedbyplayerA
j
. Ea hsequen e((l
1
, r
1
), (l
2
, r
2
), . . .) ∈ Roles
l
spe iesthemessages tobesent/re eivedbythepartyexe utingtherole: atstep
i
,thepartyexpe tstore eiveamessage onforming tol
i
and returnsmessager
i
. Wewishtoemphasizethattermsl
j
i
, r
j
i
arenota tualmessages,butspe ifyhow themessagethatisre eivedandthemessagethatisoutputshouldlook like.Example1 The Needham-S hroeder-Lowe proto ol [Lowe,1996℄ is spe ied as follows: there are two roles
Π(1)
andΠ(2)
orrespondingtothesender'sandre eiver'srole.A → B :
{N
a
, A}
ek(B)
B → A :
{N
a
, N
b
, B}
ek(A)
A → B :
{N
b
}
ek(B)
Π(1) =
(init, {X
A
1
1
, A
1
}
ag(1)
ek(A
2
)
),
({X
1
A
1
, X
1
A
2
, A
2
}
L
ek(A
1
)
, {X
1
A
2
}
ag(1)
ek(A
2
)
)
Π(2) =
({X
A
1
1
, A
1
}
ek(A
L
1
2
)
, {X
A
1
1
, X
1
A
2
, A
2
}
ag(1)
ek(A
1
)
),
({X
1
A
2
}
L
2
ek(A
2
)
, stop)
Clearly, not all proto ols written using the syntax above are meaningful. In parti ular, some proto ols mightbenotexe utable. Thisisa tuallynotrelevantforourresult(ourtheoremalsoholdsfornonexe utable proto ols).
2.2 Exe ution Model
Wedene theexe utionmodelonlyforlabeledproto ols. Thedenition oftheexe utionmodel forunlabeled proto olsisthenstraightforward.
If
A
isavariableor onstantofsortagent,wedeneitsknowledgebykn(A) = {dk(A), sk(A)} ∪ X
n
(A)
,i.e. anagentknowsitsse retde ryptionandsigningkeyaswellasthenon esitgeneratesduringtheexe ution. The formal exe utionmodel isastatetransition system. A global state ofthesystemis givenby(SId, f, H)
whereH
isasetoftermsofT
l
representingthemessagessentonthenetworkand
f
maintainsthelo alstatesofall sessionidsSId
. Werepresentsessionidsastuplesoftheform(n, j, (a
1
, a
2
, . . . , a
k
)) ∈ (N× N× ID
k
)
,where
n ∈ N
identiesthesession,a
1
, a
2
, . . . , a
k
aretheidentities ofthepartiesthat areinvolvedin thesession andj
is the index oftherolethatisexe utedinthissession. Mathemati ally,f
isafun tionf : SId → ([X → T
l
] × N × N),
where
f (sid) = (σ, i, p)
isthelo al stateofsessionsid
. Thefun tionσ
isapartialinstantiationofthevariables o urringin roleΠ(i)
andp ∈ N
isthe ontrolpointoftheprogram. Threetransitionsareallowed.m ∈ S
S ⊢
l
m
S ⊢
l
b, ek(b), vk(b)
b ∈ X.a
InitialknowledgeS ⊢
l
m
1
S ⊢
l
m
2
S ⊢
l
hm
1
, m
2
i
S ⊢
l
hm
1
, m
2
i
i ∈ {1, 2}
S ⊢
l
m
i
Pairingandunpairing
S ⊢
l
ek(b) S ⊢
l
m
i ∈ N
S ⊢
l
{m}
adv(i)
ek(b)
S ⊢
l
{m}
l
ek(b)
S ⊢
l
dk(b)
S ⊢
l
m
En ryptionandde ryption
S ⊢
l
sk(b) S ⊢
l
m
i ∈ N
S ⊢
l
[m]
adv(i)
sk(b)
S ⊢
l
[m]
l
sk(b)
S ⊢
l
m
SignatureFigure1: Dedu tionrules.
(SId, f, H)
corrupt(a
1
,...,a
l
)
−−−−−−−−−−−→ (SId, f, ∪
1≤j≤l
kn(a
j
) ∪ H)
. Theadversary orrupts parties by outputting a set of identities. He re eivesin returnthe se retkeys orrespondingto theidentities. It happens only on eatthebeginningoftheexe ution. Theadversary aninitiatenewsessions:
(SId, f, H)
new(i,a
1
,...,a
k
)
−−−−−−−−−−→ (SId
′
, f
′
, H
′
)
whereH
′
,f
′
andSId
′
are dened asfollows. Lets = |SId| + 1
,bethesession identierofthenewsession,where|SId|
denotes the ardinality ofSId
.H
′
is dened byH
′
= H
andSId
′
= SId ∪ {(s, i, (a
1
, . . . , a
k
))}
. The fun tionf
′
is denedasfollows.f
′
(sid) = f (sid)
forevery
sid
∈ SId
.f
′
(s, i, (a
1
, . . . , a
k
)) = (σ, i, 1)
whereσ
isapartialfun tionσ : X → T
l
and:
σ(A
j
)
= a
j
1 ≤ j ≤ k
σ(X
A
j
i
) = n(a
i
, j, s)
j ∈ N
Were allthattheprin ipalexe utingtherole
Π(i)
isrepresentedbyA
i
thus,inthat role,everyvariable oftheformX
j
A
i
representsanon egeneratedby
A
i
. The adversary an send messages:(SId, f, H)
send(sid,m)
−−−−−−−→ (SId, f
′
, H
′
)
where
sid
∈ SId
,m ∈ T
l
,H
′
, andf
′
are dened as follows. We dene
f
′
(sid
′
) = f (sid
′
)
for every
sid
′
6= sid
. We denote
Π(j) =
((l
j
1
, r
j
1
), . . . , (l
j
k
j
, r
k
j
j
))
.f (sid) = (σ, j, p)
forsomeσ, j, p
. Therearetwo ases. Either there exists a least general unierθ
ofm
andl
j
p
σ
. Thenf
′
(sid) = (σ ∪ θ, j, p + 1)
andH
′
= H ∪ {r
j
p
σθ}
. Orwedenef
′
(sid) = f (sid)
andH
′
= H
(thestateremainsun hanged). If wedenote by
SID
= N × N × ID
k
theset ofallsessionsids, theset ofsymboli exe utiontra es is
SymbTr
l
=
(SID×(SID → ([X → T
l
]×N×N))×2
T
l
)
∗
. Thesetof orrespondingunlabeledsymboli exe utiontra esisdenoted by
SymbTr
. The mappingfun tion·
isextendedasfollows: iftr = (SId
0
, f
0
, H
0
), . . . , (SId
n
, f
n
, H
n
)
is atra e ofSymbTr
l
,
tr = (SId
0
, f
0
, H
0
), . . . , (SId
n
, f
n
, H
n
) ∈ SymbTr
whereSId
i
simplyequalSId
i
andf
i
: SID → ([X →
T ]×N×N))
withf
i
(sid) = (σ, i, p)
iff
i
(sid) = (σ, i, p)
andσ(X) = σ(X)
.Theadversaryinter eptsmessagesbetweenhonest parti ipantsand omputesnewmessagesusing the de-du tion relation
⊢
l
dened in Figure 1. Intuitively,
S ⊢
l
m
means that theadversaryis ableto ompute the message
m
fromtheset ofmessagesS
. All dedu tionrulesare ratherstandardwiththeex eptionof thelast one: The last rule statesthat the adversary anre overthe orrespondingmessage outof agivensignature. This rule ree ts apabilities that donot ontradi t thestandard omputational se urity denition of digital signatures,maypotentiallybeavailableto omputationaladversariesandareimportantforthesoundnessresult of[CortierandWarins hi,2005℄.Next,wesket htheexe utionmodelforunlabeledproto ols. Asabove,theexe utionisbasedonadedu tion relation
⊢
that aptures adversarial apabilities. Thededu tionrulesthat dene⊢
areobtainedfrom thoseof⊢
l
(Figure 1)asfollows. Thesetsof rulesInitialknowledge and Pairing andunpairing in arekeptun hanged (repla ing
⊢
l
by
⊢
,of ourse). Foren ryptionandsignatureswesuppressthelabelsadv(i)
andl
intheen ryption fun tion{
_}
_ _
andthesignaturefun tion
[
_]
_ _forrulesEn ryption andde ryption and rulesSignature. That is, therulesforen ryptionare:
S ⊢ ek(b) S ⊢ m
S ⊢ {m}
ek(b)
S ⊢ {m}
ek(b)
S ⊢ dk(b)
S ⊢ m
and thoseforsignaturesare:
S ⊢ sk(b) S ⊢ m
S ⊢ [m]
sk(b)
S ⊢ [m]
sk(b)
S ⊢ m
We use the dedu tion relations to hara terize the set of valid exe ution tra es. We say that the tra e
(SId
1
, f
1
, H
1
), . . . , (SId
n
, f
n
, H
n
)
is valid ifthemessagessentby theadversary anbe omputed byDolev-Yao operations.Morepre isely,werequirethatinavalidtra ewhenever(SId
i
, f
i
, H
i
)
send(s,m)
−−−−−−−→ (SId
i+1
, f
i+1
, H
i+1
)
, wehaveH
i
⊢
l
m
. Given aproto ol
Π
, theset ofvalid symboli exe ution tra esis denoted byExec(Π)
. The setExec(Π)
ofexe utiontra esinthemodelwithoutlabelsisdenedsimilarly. Wethusrequirethateverysent messagem
′
satises
H
i
⊢ m
′
.
Example2 PlayingwiththeNeedham-S hroeder-Loweproto oldes ribedinExample1,anadversary an or-ruptanagent
a
3
,startanewsessionforthese ondrolewithplayersa
1
, a
2
andsendthemessage{n(a
3
, 1, 1), a
1
}
adv(1)
ek(a
2
)
to theplayerofthese ondrole. The orrespondingvalidtra eexe utionis:
(∅, f
1
, ∅)
corrupt(a
3
)
−−−−−−−−→ (∅, f
1
, kn(a
3
))
new(2,a
1
,a
2
)
−−−−−−−−→
({sid
1
}, f
2
, kn(a
3
))
send(sid
1
,{n
3
,a
1
}
adv(1)
ek
(a2)
)
−−−−−−−−−−−−−−−→
{sid
1
}, f
3
, kn(a
3
) ∪ {{n
3
, n
2
, a
2
}
ag(1)
ek(a
1
)
}
,
where
sid
1
= (1, 2, (a
1
, a
2
))
,n
2
= n(a
2
, 1, 1)
,n
3
= n(a
3
, 1, 1)
, andf
2
, f
3
are dened as follows:f
2
(sid
1
) =
(σ
1
, 2, 1)
,f
3
(sid
1
) = (σ
2
, 2, 2)
whereσ
1
(A
1
) = a
1
,σ
1
(A
2
) = a
2
,σ
1
(X
1
A
2
) = n
2
,andσ
2
extendsσ
1
byσ
2
(X
1
A
1
) =
n
3
andσ
2
(L
1
) = adv(1)
.2.3 Relating the labeled and unlabeled exe ution models
First noti e that by indu tion on the dedu tion rules, it an be easily shown that whenever a message is dedu ible,thenthe orrespondingunlabeledmessageisalsodedu ible. Formally,wehavethefollowinglemma.
Lemma1
S ⊢
l
m ⇒ S ⊢ m
Note thatourmainresultholdsfor anydedu tionrulesprovidedthislemmaholds.
Basedontheabovepropertyweshowthat wheneveratra e orrespondstoanexe utionofaproto ol,the orrespondingunlabeledtra e orrespondsalsoto anexe utionofthe orrespondingunlabeledproto ol. Lemma2
tr ∈ Exec(Π) ⇒ tr ∈ Exec(Π).
Proof. Thekeyargumentisthatonlypatternmat hingisperformedinproto olsandwhenatermwithlabels mat hessomepattern, theunlabeledtermmat hesthe orrespondingunlabeledpattern. Theproofisdoneby indu tion onthelengthofthetra e.
Let
tr = (SId
0
, f
0
, H
0
)
, whereSId
0
andH
0
are emptysets. WehaveH
0
= H
0
.f
0
is dened nowhere, andsoisf
0
. Clearly,tr = (SId
0
, f
0
, H
0
)
isinExec(Π)
. Let
tr ∈ Exec(Π)
,tr = e
0
, ..., e
n
= (SId
0
, f
0
, H
0
), ..., (SId
n
, f
n
, H
n
)
, su h thattr ∈ Exec(Π)
. We have to show that iftr
′
= tr, (SId
n+1
, f
n+1
, H
n+1
) ∈ Exec(Π)
, then we havetr
′
∈ Exec(Π)
. There are three possibleoperations.
1.
corrupt(a
1
, ..., a
k
)
. It means thattr = (SId
0
, f
0
, H
0
), (SId
1
, f
1
, H
1
)
. In this ase, we haveSId
1
=
SId
0
= ∅
,f
1
= f
0
andH
1
= H
0
∪
S
1≤i≤k
kn(a
i
)
. We an on ludethattr = (SId
0
, f
0
, H
0
), (SId
1
, f
1
, H
1
)
isinExec(Π)
,be ausethere arenolabelsinH
1
andf
1
isstillnotdened.2.
new(i, a
1
, ..., a
k
)
. Nolabelsareinvolvedinthisoperation. Theextensionmadetof
n
isthesameas ismadetof
n
. NeitherH
n
norH
n
aremodied.tr
′
= tr, (SId
n+1
, f
n+1
, H
n+1
)
is avalidtra e. 3.send(s, m)
.First,wehavetobesurethatif
m
anbededu edfromH
n
,thenm
anbededu edfromH
n
. This isLemma1.Notethat
SId
n
= SId
n+1
thusSId
n
= SId
n+1
. Letf
n
(s) = (σ, i, p)
andΠ(i) = (..., (l
p
, r
p
), ...)
. We havetwo ases.Eitherthereis asubstitution
θ
withm = l
p
σθ
. Thenf
n+1
(s) = (σ ∪ θ, i, p + 1)
. Thusf
n
(s) =
(σ, i, p)
andf
n+1
(s) = (σ ∪ θ, i, p + 1)
. By indu tion hypothesis,tr
is a valid tra e. Fromm = l
p
σθ
followsm = l
p
σθ
. We on lude thattr, (SId
n+1
, f
n+1
, H
n+1
) = tr
′
is a valid tra e, thusamemberof
Exec(Π)
.Or no substitution
θ
withm = l
p
σθ
exists. Thentr
′
= e
0
, ..., e
n
, e
n+1
withe
n
= e
n+1
. We mustshowthat it is alwayspossibleto onstru tamessagem
′
∈ T
, su h that thereexists no substitution
θ
′
with
m
′
= l
p
σθ
′
. Then,fromthevalidityoftr
′
and
tr
we andedu ethevalidity oftr
′
,be ause
e
n
= e
n+1
.Eitherthereexistsnosubstitution
θ
′
su hthat
m = l
p
σθ
′
. Inthat ase,we hoose
m
′
= m
. Orlet
θ
′
beasubstitutionsu hthat
m = l
p
σθ
′
. Thenthemat hingfor
m
failsbe auseoflabels. This an be shown by ontradi tion. Assumem
ontain no label, i. e.m
doesnot ontain subterms of the form{t}
l
ek(a
i
)
or
[t]
l
sk(a
i
)
,
t ∈ T
. Inthat ase, wehavem = m
by denition. >Fromm = l
p
σθ
′
,wededu ethat
m = l
p
σθ
′
, ontradi tion. Wededu ethat
m
ontainssomesubtermof theform{t}
ek(a
i
)
or[t]
sk(a
i
)
. The fa tm = l
p
σθ
′
impliesthat
l
p
hasto ontainoneofthefollowingsubterms:{t
′
}
ek(A
i
)
,[t
′
]
sk(A
i
)
witht
′
∈ T
or, avariableofsort iphertextorsignature.Then,we hoose
m
′
= a
forsomeagentidentity
a ∈ X.a
. Theterma
isdedu iblefromH
n
. Now, themat hing ofm
′
with
l
p
alwaysfails,either be auseoftheen ryption orsignatureo urring inl
p
or be auseoftypemismat hforavariableoftype iphertextorsignatureinl
p
.3 A LOGIC FOR SECURITY PROPERTIES
Inthisse tionwedenealogi forspe ifyingse urityproperties. Wethenshowthatthelogi isquiteexpressive and, inparti ular,it anbeusedtospe ifyratherstandardse re yandauthenti ityproperties.
3.1 Preliminary denitions
Toatra e
tr = e
1
, ..., e
n
= (SId
1
, f
1
, H
1
), ..., (SId
n
, f
n
, H
n
) ∈ SymbTr
weasso iateits set of indi esI(tr) =
{i | e
i
appearsinthetra etr}
.Wealso dene the set of lo al states
LS
i,p
(tr)
for rolei
at stepp
that appearin tra etr
byLS
i,p
(tr) =
{(σ, i, p) | ∃s ∈ SId
k
, k ∈ I(tr),
su hthatf
k
(s) = (σ, i, p)}.
We assume an innite set
Sub
of meta-variables for substitutions. We extend the term algebra to allow substitution appli ation. Moreformally,letT
l
Sub
bethealgebradened by:L
::= ς(x
l
) | ag(i) | adv(j)
T
l
Sub
::= ς(x) | a | ek(a) | dk(a) | sk(a) | vk(a) | hT
Sub
l
, T
Sub
l
i | {T
Sub
l
}
L
ek(a)
| [T
Sub
l
]
L
sk(a)
where
x
l
∈ X.l
,ς ∈ Sub
,i, j ∈ N
,x ∈ X
,a ∈ ID
. TheunlabeledalgebraT
Sub
is denedsimilarly. Themapping fun tion between the two algebras is dened by:ς(x) = ς(x)
,{k}
l
m
= {k}
m
,[k]
l
m
= [k]
m
,f (t
1
, . . . , t
n
) =
f (t
1
, . . . , t
n
)
otherwise. 3.2 Se urity LogiInthis se tionwedes ribealogi forse urityproperties. Besidesstandardpropositional onne tors,thelogi hasapredi atetospe ifyhonestagents,equalitytestsbetweenterms,andexistentialanduniversalquantiers overthelo alstatesofagents.
[[N C(tr, t)]]
=
1
ift ∈ ID
andt
doesnotappearina orrupta tion,i.e.tr = e
1
, e
2
, ..., e
n
and∀a
1
, . . . , a
k
,s.t.e
1
corrupt(a
1
,...,a
k
)
−−−−−−−−−−−→ e
2
, t 6= a
i
0
otherwise[[(t
1
= t
2
)]]
=
1
ift
1
= t
2
(synta ti equality)0
otherwise[[¬F (tr)]]
= ¬[[F (tr)]]
[[F
1
(tr) ∧ F
2
(tr)]]
= [[F
1
(tr)]] ∧ [[F
2
(tr)]]
[[F
1
(tr) ∨ F
2
(tr)]]
= [[F
1
(tr)]] ∨ [[F
2
(tr)]]
[[∀LS
i,p
(tr).ς F (tr)]]
=
1
if∀(θ, i, p) ∈ LS
i,p
(tr),
wehave[[F (tr)[θ/ς]]] = 1,
0
otherwise.
[[∃LS
i,p
(tr).ς F (tr)]]
=
1
if∃(θ, i, p) ∈ LS
i,p
(tr),
s.t.[[F (tr)[θ/ς]]] = 1,
0
otherwise.
Figure2: Interpretation. Denition 2 Theformulas ofthe logiL
l
1
aredenedasfollows:F (tr)
::=
N C(tr, t
1
) | (t
1
= t
2
) | ¬F (tr) | F (tr) ∧ F (tr) | F (tr) ∨ F (tr) |
∀LS
i,p
(tr).ς F (tr) | ∃LS
i,p
(tr).ς F (tr)
where
tr
isaparameter of the formula,i, p ∈ N
,ς ∈ Sub
,t
1
andt
2
aretermsofT
l
Sub
. Notethatformulas are parametrizedby atra etr
. As usual,wemay useφ
1
→ φ
2
asashort utfor¬φ
1
∨ φ
2
.Wesimilarly denethe orrespondingunlabeled logi
L
1
: thetests(t
1
= t
2
)
arebetweenunlabeled termst
1
, t
2
overT
sub
. Themappingfun tion·
isextendedasexpe ted. Inparti ularN C(tr, t) = N C(tr, t)
,(t
1
= t
2
) =
(t
1
= t
2
)
,∀LS
i,p
(tr).ς F (tr) = ∀LS
i,p
(tr).ς F (tr)
and∃LS
i,p
(tr).ς F (tr) = ∃LS
i,p
(tr).ς F (tr)
.Here, the predi ate
N C(tr, t)
of arity 2 is used to spe ify non orrupted agents. The quanti ations∀LS
i,p
(tr).ς
and∃LS
i,p
(tr).ς
are over the lo al states in the tra e that orrespond to agenti
at ontrol pointp
. Thesemanti sofourlogi isdenedfor losed formulaasshownin Figure2.Next wedene when a proto ol
Π
satises a formulaφ ∈ L
l
1
. The denition for the unlabeled exe ution model isobtainedstraightforwardly. Informally, aproto olΠ
satisesφ
ifφ(tr)
istruefor alltra estr
ofΠ
. Formally:Denition 3 Let
φ
be aformula andΠ
be aproto ol. We say thatΠ
satises se urity propertyφ
, and writeΠ |= φ
iffor any tra etr ∈ Exec(Π)
,[[φ(tr)]] = 1
.Abusing notation, we o asionally write
φ
for the set{tr | [[φ(tr)]] = 1}
. Then,Π |= φ
pre isely whenExec(Π) ⊆ φ
.3.3 Examples of se urity properties
Inthisse tionweexemplifytheuseofthelogi byspe ifyingse re yandauthenti ityproperties. 3.3.1 A se re yproperty
Let
Π(1)
andΠ(2)
bethesender'sandre eiver'sroleof atwo-partyproto ol. Tospe ifyourse re yproperty weuse astandarden oding. Namely, weadd athird role to the proto ol,Π(3) = (X
1
A
3
, stop)
, whi h anbe seenassomesortofwitness.Informally, thedenition of these re y property
φ
s
states that, fortwonon orruptedagentsA
1
andA
2
, whereA
1
plays roleΠ(1)
andA
2
playsroleΠ(2)
, athird agentplayingroleΠ(3)
annotgainanyknowledge onnon eX
1
A
1
sentbyroleΠ(1)
.φ
s
(tr) = ∀LS
1,1
(tr).ς ∀LS
3,2
(tr).ς
′
[N C(tr, ς(A
1
)) ∧ N C(tr, ς(A
2
)) → ¬(ς
′
(X
A
1
3
) = ς(X
1
A
2
))]
3.3.2 Anauthenti ation property
Consideratworoleproto ol,su hthatrole1nishesitsexe utionafter
n
stepsandrole2nishesitsexe ution afterp
steps. For this kind of proto ols we give a variant of the week agreement property [Lowe,1997b℄. Informally, this propertystates thatwheneveraninstantiation ofrole 2nishes,there exists an instantiation ofrole1thathasnishedandtheyagreeonsomevalueforsomevariableandtheyhaveindeed talkedto ea h other. Inourexamplewe hoosethis variable tobeX
1
A
1
. Note that we apture that someagenthasnished itsexe utionbyquantifyingappropriatelyoverthelo al statesofthatagent. Morepre isely,wequantify only overthestateswhereitindeedhasnisheditsexe ution.φ
a
(tr) = ∀LS
2,p
(tr).ς ∃LS
1,n
(tr).ς
′
[N C(tr, ς(A
1
)) ∧ N C(tr, ς
′
(A
2
)) → (ς(X
A
1
1
) = ς
′
(X
1
A
1
)) ∧ (ς(A
2
) = ς
′
(A
2
)) ∧ (ς(A
1
) = ς
′
(A
1
))]
Noti ethat although in its urrentversionourlogi is notpowerfulenoughtospe ifystrongerversionsof agreement (like inje tive or bije tive agreement), it ould be appropriately extended to deal with this more omplexformsofauthenti ation.
4 MAIN RESULT
Re all that our goal is to prove that
Π |= φ ⇒ Π |= φ
. However, as explained in the introdu tion this propertydoesnotholdingeneral. Thefollowingexampleshedssomelightonthereasonsthat ausethedesired impli ation tofail.Example3 Considertherststepofsomeproto olwhere
A
sendsamessagetoB
wheresomepartisintended forsomethirdagent.A → B : {N
a
, {N
a
}
ek(C)
, {N
a
}
ek(C)
}
ek(B)
Thespe i ationoftheprogramsof
A
andB
that orrespondstothisrststepisasfollows(inthedenition belowC
1
A
2
andC
2
A
2
arevariablesofsort iphertext).Π(1) =
(init, {hX
1
A
1
, h{X
1
A
1
}
ag(1)
ek(A
3
)
, {X
1
A
1
}
ag(2)
ek(A
3
)
ii}
ag(3)
ek(A
2
)
)
Π(2) =
({hX
1
A
1
, hC
1
A
2
, C
2
A
2
ii}
L
ek(A
2
)
, stop)
We assume that
A
generates twi e the message{N
a
}
ek(C)
. Noti e that we stop the exe ution ofB
after it re eivestherstmessagesin ethisissu ientfor ourpurpose,but itsexe utionmightbe ontinuedto form amorerealisti example.Considerthese urityproperty
φ
1
that statesthat ifA
andB
agree onthenon eX
1
A
1
thenB
should have re eivedtwi ethesame iphertext.φ
1
(tr) = ∀LS
1,2
(tr).ς ∀LS
2,2
(tr).ς
′
N C(tr, ς(A
1
)) ∧ N C(tr, ς(A
2
)) ∧ (ς(X
A
1
1
) = ς
′
(X
1
A
1
)) → (ς
′
(C
1
A
2
) = ς
′
(C
2
A
2
))
This property learly does not hold for any normal exe ution of the labeled proto ol sin e
A
always sends iphertextswithdistin tlabels. ThusΠ 6|= φ
1
.Ontheother hand,one an showthat wehave
Π |= φ
1
in theunlabeledexe utionmodel. Intuitively,this holdsbe auseifA
andB
arehonestagentsandagreeonX
1
A
1
,thenthemessagere eivedby
B
hasbeenemitted byA
andthusshould ontainidenti al iphertexts(after havingremovedtheirlabels).4.1 Logi
L
l
2
The ounterexample aboverelies on thefa t that two iphertexts that are equalin the model withoutlabels may have been derived from distin t iphertexts in the model with labels. Hen e, it may be the ase that although
t
1
6= t
2
⇒ t
1
6= t
2
, the ontrapositiveimpli ationt
1
= t
2
⇒ t
1
= t
2
does not hold, whi h in turn entailsthatformulasthat ontainequalitytests between iphertextsmaybetruein themodelwithoutlabels, but false in themodel with labels. Inthis se tion weidentify afragmentofL
l
1
,whi h we allL
l
2
where su h testsareprohibited. Formally,weavoidequalitytestsbetweenarbitrarytermsbyforbiddingarbitrarynegation overformulasandallowingequalitytestsonlybetweensimple terms.Denition 4 A term
t
is said simple ift ∈ X.a ∪ X.n
ort = a
for somea ∈ ID
ort = n(a, j, s)
for somea ∈ ID
,j, s ∈ N
.An importantobservationisthatforanysimpleterm
t
itholdsthatt = t
. Denition 5 Theformulas ofthe logiL
l
2
aredenedasfollows:F (tr)
::=
N C(tr, t
1
) | ¬N C(tr, t
1
) | F (tr) ∧ F (tr) | F (tr) ∨ F (tr) | (t
1
6= t
2
) | (u
1
= u
2
) |
∀LS
i,p
(tr).ς F (tr) | ∃LS
i,p
(tr).ς F (tr),
where
tr ∈ SymbTr
isaparameter,i, p ∈ N
,t
1
, t
2
∈ T
l
Sub
andu
1
, u
2
are simpleterms. Sin esimpletermsalsobelongtoT
l
Sub
,bothequalityandinequalitytestsareallowedbetweensimpleterms. The orrespondingunlabeledlogiL
2
isdened asexpe ted. NotethatL
l
2
⊂ L
l
1
andL
2
⊂ L
1
.4.2 Theorem
Informally,ourmain theoremsaysthattoverifyifaproto olsatisessomese urityformula
φ
inlogiL
l
2
,itis su ienttoverifythattheunlabeledversionoftheproto olsatisesφ
.Theorem1 Let
Π
beaproto olandφ ∈ L
l
2
,thenΠ |= φ ⇒ Π |= φ
.Proof. Assume
Π |= φ
. We haveto show that forany tra etr ∈ Exec(Π)
,[[φ(tr)]] = 1
. >From lemma 2it followsthattr ∈ Exec(Π)
,thus[[φ(tr)]] = 1
, sin eΠ |= φ
. Thus, itissu ientto showthat[[φ(tr)]] ⇒ [[φ(tr)]]
. Thefollowinglemmaoersthedesiredproperty.Lemma3 Let
φ(tr) ∈ L
l
2
for sometr ∈ SymbTr
,[[φ(tr)]]
implies[[φ(tr)]]
. Proof. Theproofofthelemmaisbyindu tiononthestru tureofφ(tr)
.
φ(tr) = N C(tr, t)
orφ(tr) = ¬N C(tr, t)
.[[N C(tr, t)]] = 1
,ifandonlyift ∈ ID
andt
doesnoto urin acorrupt
eventforthetra etr
. This isequivalenttot ∈ ID
andt
doesnoto urin acorrupt
eventfor thetra etr
. Thus[[N C(tr, t)]] = 1
ifandonlyif[[N C(tr, t)]] = [[N C(tr, t)]] = 1
.
φ(tr) = (t
1
6= t
2
)
. Wehavethatφ(tr) = (t
1
6= t
2
)
holds. Assume by ontradi tionthatφ(tr)
does not hold,i.et
1
= t
2
. Thisimpliest
1
= t
2
, ontradi tion.
φ(tr) = (u
1
= u
2
)
withu
1
, u
2
simpleterms. Wehavethatφ(tr) = (u
1
= u
2
)
holds. Sin eu
1
andu
2
are simpleterms,wehaveu
i
= u
i
, thusu
1
= u
2
. We on ludethatφ(tr)
holds. The ases
φ(tr) = φ
1
(tr) ∨ φ
2
(tr)
orφ(tr) = φ
1
(tr) ∧ φ
2
(tr)
arestraightforward.
φ(tr) = ∀LS
i
(tr).ς F (tr)
. Ifφ(tr)
holds, thismeansthat forall(θ, i, p)) ∈ LS
i,p
(tr)
,[[F (tr)[θ/ς]]] = 1
. Let(θ
′
, i, p) ∈ LS
i,p
(tr)
. We onsider[[F (tr)[θ
′
/ς]]]
. Sin e
tr ∈ Exec(Π)
impliestr ∈ Exec(Π)
(Lemma2), wehave(θ
′
, i, p) ∈ LS
i,p
(tr)
. Byindu tionhypothesis,[[F (tr)[θ
′
/ς]]] = 1
impliesthat[[F (tr)[θ
′
/ς]]] = 1
. It followsthat∀(θ
′
, i, p) ∈ LS
i,p
(tr) [[F (tr)[θ
′
/ς]]] = 1.
Thus,φ(tr)
holds.
φ(tr) = ∃LS
i
(tr).ς F (tr)
. Ifφ(tr)
holds, this means that there exists(θ, i, p)) ∈ LS
i,p
(tr)
, su h that[[F (tr)[θ/ς]]] = 1
.Bydenition of the mappingfun tion,there exists
(θ
′
, i, p) ∈ LS
i,p
(tr)
su h thatθ
′
= θ
. Byindu tion hypothesis,
[[F (tr)[θ
′
/ς]]] = 1
. Thusthereexists
θ
′
,su hthat
[[F (tr)[θ
′
/ς]]] = 1
5 DISCUSSION
We on ludewithabriefdis ussionoftwointerestingaspe tsofourresult. First,asmentionedinthe introdu -tion, theonlypropertyneeded forourmain theoremto holdis thattheunderlying dedu tionsystemsatises the onditionin Lemma 1, that is
S ⊢
l
m ⇒ S ⊢ m
. Infa t,an interestingresultwould be to proveamore abstra t andmodularversionofourtheorem.
Se ondly, anaturalquestioniswhether the onverseof ourmain theoremholds. Weprovethat thisis not the ase. Morepre isely,weshowthat thereexists aproto ol
Π
andapropertyφ
su hthatΠ |= φ
butΠ 6|= φ
. LetΠ
betheproto oldened in Example3. Considerase uritypropertyφ
2
that statesonthe ontrarythat wheneverA
andB
agreeonthenon eX
1
A
1
thenB
should havere eivedtwodistin t iphertexts. Formally:φ
2
(tr) = ∀LS
1,2
(tr).ς ∀LS
2,2
(tr).ς
′
N C(tr, ς(A
1
)) ∧ N C(tr, ς(A
2
)) ∧ (ς(X
A
1
1
) = ς
′
(X
1
A
1
)) → (ς
′
(C
1
A
2
) 6= ς
′
(C
2
A
2
))
whereC
1
A
2
andC
2
A
2
arevariablesofsort iphertext.Thisproperty learlydoesnotholdforanyhonestexe utionoftheunlabeledproto olsin e
A
alwayssends twi ethesame iphertext,andthusΠ 6|= φ
2
. Ontheotherhandhowever,one anshowthatthispropertyholds forlabeledproto olssin e,ifA
andB
arehonestagentsandagreeonX
1
A
1
,itmeansthatthemessagere eived byB
hasbeenemittedbyA
and thus ontainstwodistin t iphertexts. Thus,Π |= φ
2
. We on ludethat,in general,Π |= φ
doesnotimplyΠ |= φ
.Referen es
[AbadiandJürjens,2001℄ Abadi,M.andJürjens,J.(2001).Formaleavesdroppingandits omputationalinterpretation. InPro .of Theoreti al Aspe ts of Computer Software (TACS 2001), volume 2215 ofLNCS, pages 8294. Springer-Verlag.
[Armandoetal.,2005℄ Armando,A.,Basin,D.,Boi hut,Y.,Chevalier,Y.,Compagna,L.,Cuellar,J.,HankesDrielsma, P.,Héam,P.-C.,Kou hnarenko,O.,Mantovani,J.,Mödersheim,S., vonOheimb,D.,Rusinowit h,M., Santiago, J., Turuani,M.,Viganò,L.,andVigneron,L.(2005).TheAVISPAToolfortheautomatedvalidationofinternetse urity proto olsandappli ations.In17thInternationalConferen eonComputerAidedVeri ation,CAV'2005,volume3576 ofLNCS,pages281285.Springer.
[Blan het,2001℄ Blan het,B.(2001). Ane ient ryptographi proto olverierbasedonprologrules. InPro .ofthe 14thComputer Se urityFoundations Workshop(CSFW'01).
[CortierandWarins hi,2005℄ Cortier, V. and Warins hi, B. (2005). Computationally Sound, Automated Proofs for Se urityProto ols. InPro .14thEuropeanSymposiumonProgramming(ESOP'05),volume3444ofLe tureNotesin ComputerS ien e,pages157171,Edinburgh,U.K.Springer.
[GoldwasserandMi ali,1984℄ Goldwasser,S.andMi ali,S.(1984).Probabilisti en ryption.J.ofComputerandSystem S ien es,28:270299.
[Herzog, 2004℄ Herzog,J.C.(2004). ComputationalSoundnessforStandardAsumptionsof FormalCryptography. PhD thesis,Massa husetts InstituteofTe hnology.
[Lowe,1996℄ Lowe,G.(1996). BreakingandxingtheNeedham-S hroederpubli -keyproto olusingFDR.InPro .of Toolsandalgoritmsforthe onstru tionandanalysisfofsystems(TACAS'96),volume1055ofLNCS,pages147166. Springer-Verlag.
[Lowe,1997a℄ Lowe,G.(1997a). Casper: A ompiler forthe analysisofse urityproto ols. InPro .of 10thComputer Se urityFoundations Workshop(CSFW'97).IEEEComputerSo ietyPress.
[Lowe,1997b℄ Lowe,G.(1997b). Ahierar hyofauthenti ationspe i ations. InPro . ofthe 10thComputer Se urity FoundationsWorkshop(CSFW'97).IEEEComputerSo ietyPress.
[Lowe,2004℄ Lowe,G.(2004). Analysingproto olssubje ttoguessingatta ks.Journalof ComputerSe urity,12(1). [Mi ian ioandWarins hi,2004℄ Mi ian io,D.andWarins hi,B.(2004). Soundnessofformalen ryptioninthe
pres-en eofa tiveadversaries. InTheory ofCryptographyConferen e(TCC2004),pages133151,Cambridge,MA,USA. Springer-Verlag.
[Rusinowit handTuruani,2001℄ Rusinowit h, M. and Turuani, M. (2001). Proto ol inse urity withnite numberof sessionsisNP- omplete. InPro .of the14thComputerSe urityFoundations Workshop(CSFW'01),pages174190. IEEEComputerSo ietyPress.
[Song,1999℄ Song,D.X. (1999). Athena: A newe ientautomati he kerfor se urity proto olanalysis. InPro .of the12thComputer Se urityFoundations Workshop(CSFW'99).IEEEComputerSo ietyPress.