, Mobile Values, New Names, and Secure Communication, 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'01, pp.104-115, 2001.
DOI : 10.1145/373243.360213
URL : https://hal.archives-ouvertes.fr/hal-01423924
, Private authentication, Theoretical Computer Science, vol.322, issue.3, pp.427-476, 2004.
DOI : 10.1016/j.tcs.2003.12.023
URL : http://cs.ucsb.edu/~ravenben/papers/prelims/logicofauth.pdf
, Helios: web-based open-audit voting, 17th conference on Security symposium, pp.335-348, 2008.
, Analysing Unlinkability and Anonymity Using the Applied Pi Calculus, 2010 23rd IEEE Computer Security Foundations Symposium
DOI : 10.1109/CSF.2010.15
URL : http://www.cs.bham.ac.uk/%7Etpc/Papers/csf10.pdf
, The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications, 17th International Conference on Computer Aided Verification, CAV'2005. LNCS, pp.281-285
DOI : 10.1007/11513988_27
URL : https://hal.archives-ouvertes.fr/inria-00000408
, Union, intersection and refinement types and reasoning about type disjointness for secure protocol implementations, Journal of Computer Security, vol.22, issue.2, pp.301-353, 2014.
DOI : 10.3233/JCS-130493
URL : https://hal.archives-ouvertes.fr/hal-01102192
, Automated Verification of Remote Electronic Voting Protocols in the Applied Pi-Calculus, 2008 21st IEEE Computer Security Foundations Symposium, pp.195-20908, 2008.
DOI : 10.1109/CSF.2008.26
, Zero-Knowledge in the Applied Pi-calculus and Automated Verification of the Direct Anonymous Attestation Protocol, 2008 IEEE Symposium on Security and Privacy (sp 2008), pp.202-21508, 2008.
DOI : 10.1109/SP.2008.23
, Partial order reduction for security protocols, Proc. 26th International Conference on Concurrency Theory (CONCUR'15). LIPIcs, pp.497-510, 2015.
, Automated Symbolic Proofs of Observational Equivalence, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS '15, pp.1144-1155, 2015.
DOI : 10.1007/978-3-540-79966-5_1
URL : https://hal.archives-ouvertes.fr/hal-01337409
, Refinement types for secure implementations, ACM Transactions on Programming Languages and Systems, vol.33, issue.2, pp.1-845, 2011.
DOI : 10.1145/1890028.1890031
URL : https://hal.archives-ouvertes.fr/hal-01294973
, An efficient cryptographic protocol verifier based on prolog rules, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001., pp.82-96, 2001.
DOI : 10.1109/CSFW.2001.930138
URL : http://www.mpi-sb.mpg.de/~blanchet/publications/./BlanchetCSFW01.ps.gz
, Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif, Foundations and Trends?? in Privacy and Security, vol.1, issue.1-2, pp.1-135, 2016.
DOI : 10.1561/3300000004
URL : https://hal.archives-ouvertes.fr/hal-01423760
, Automated verification of selected equivalences for security protocols, The Journal of Logic and Algebraic Programming, vol.75, issue.1, pp.3-51, 2008.
DOI : 10.1016/j.jlap.2007.06.002
, Resource-Aware Authorization Policies for Statically Typed Cryptographic Protocols, 2011 IEEE 24th Computer Security Foundations Symposium, pp.83-98, 2011.
DOI : 10.1109/CSF.2011.13
, Logical Foundations of Secure Resource Management in Protocol Implementations, 2nd International Conference on Principles of Security and Trust, pp.105-125, 2013.
DOI : 10.1007/978-3-642-36830-1_6
, Affine Refinement Types for Secure Distributed Programming, ACM Transactions on Programming Languages and Systems, vol.37, issue.4, pp.1-1166, 2015.
DOI : 10.1007/978-3-642-11957-6_29
URL : https://iris.unive.it/bitstream/10278/3661939/1/toplas15.pdf
, Authenticity by tagging and typing, Proceedings of the 2004 ACM workshop on Formal methods in security engineering , FMSE '04, pp.1-12, 2004.
DOI : 10.1145/1029133.1029135
, Analysis of Typed Analyses of Authentication Protocols, 18th IEEE Computer Security Foundations Workshop (CSFW'05), 2005.
DOI : 10.1109/CSFW.2005.8
, Dynamic types for authentication*, Journal of Computer Security, vol.15, issue.6, pp.563-617, 2007.
DOI : 10.3233/JCS-2007-15602
, Automated verification of equivalence properties of cryptographic protocols, Programming Languages and Systems ?Proceedings of the 21th European Symposium on Programming (ESOP'12). LNCS, pp.108-127, 2012.
URL : https://hal.archives-ouvertes.fr/inria-00632564
, APTE: An Algorithm for Proving Trace Equivalence, Proceedings of the 20th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'14). LNCS, pp.587-592, 2014.
DOI : 10.1007/978-3-642-54862-8_50
URL : http://www.loria.fr/%7Echevalvi/files/Cheval-tacas14.pdf
, Deciding equivalence-based properties using constraint solving, Theoretical Computer Science, vol.492, pp.1-39, 2013.
DOI : 10.1016/j.tcs.2013.04.016
URL : https://hal.archives-ouvertes.fr/hal-00881060
, Lengths May Break Privacy ??? Or How to Check for Equivalences with Length, 25th International Conference on Computer Aided Verification (CAV'13). LNCS, pp.708-723, 2013.
DOI : 10.1007/978-3-642-39799-8_50
URL : https://hal.archives-ouvertes.fr/hal-00881065
, SAT-Equiv: An Efficient Tool for Equivalence Properties, 2017 IEEE 30th Computer Security Foundations Symposium (CSF), 2017.
DOI : 10.1109/CSF.2017.15
URL : https://hal.archives-ouvertes.fr/hal-01624274
, A Type System for Privacy Properties, Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security , CCS '17, pp.409-423, 2017.
DOI : 10.1145/2908080.2908092
URL : https://hal.archives-ouvertes.fr/hal-01626109
, Attacking and fixing Helios: An analysis of ballot secrecy, Journal of Computer Security, vol.21, issue.1, pp.89-148, 2013.
DOI : 10.3233/JCS-2012-0458
URL : https://hal.archives-ouvertes.fr/inria-00638556
, The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols, Computer Aided Verification, 20th International Conference Proc. LNCS, pp.414-418, 2008.
DOI : 10.1007/978-3-540-70545-1_38
, Automating open bisimulation checking for the spi-calculus, IEEE Computer Security Foundations Symposium, 2010.
, Verifying privacy-type properties of electronic voting protocols, Journal of Computer Security, vol.17, issue.4, pp.435-487, 2009.
DOI : 10.3233/JCS-2009-0340
, Differential Privacy by Typing in Security Protocols, 2013 IEEE 26th Computer Security Foundations Symposium, 2013.
DOI : 10.1109/CSF.2013.25
, A rewriting-based inference system for the NRL Protocol Analyzer and its meta-logical properties, Theoretical Computer Science, vol.367, issue.1-2, pp.1-2, 2006.
DOI : 10.1016/j.tcs.2006.08.035
, Types for Security Protocols, Cryptology and Information Security Series, pp.143-181, 2011.
DOI : 10.4204/EPTCS.7.0.1
URL : http://www.lbs.cs.uni-saarland.de/resources/ios2010.pdf
, Authenticity by typing for security protocols, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001., pp.451-519, 2003.
DOI : 10.1109/CSFW.2001.930143
URL : http://research.microsoft.com/~adg/Publications/MSR-TR-2001-49.ps
, The TAMARIN Prover for the Symbolic Analysis of Security Protocols, Computer Aided Verification, 25th International Conference, CAV 2013 Proc. LNCS, pp.696-701, 2013.
DOI : 10.1007/978-3-642-39799-8_48
, A Formal Definition of Protocol Indistinguishability and Its Verification Using Maude-NPA, STM 2014. pp. 162?177 the second point implies that R(? ? LL ? ? l (c ?,? )) ?= R (? ? LL ? ? l (c ?,? )). Similarly, R(? ? LL ? ? r (c ?,? )) ?= R (? ? LL ? ? r (c ?,? )), and the claim holds, 2014.
DOI : 10.1007/978-3-319-11851-2_11
, ?= enc(M, k), where M = R(? ? LL ? ? l (c ?,? )) ?. Similarly, there exists k ? K such that K(? ? LL ?? r (c ?,? )) ?= k and S(? ? LL ?? r (c ?,? )) ?= enc(N, k ), where N = R(? ? LL ? ? r (c ?,? )) ?. In addition, by Lemma 37, there exists c such that ? ? ? LL ?? l (c ?,? ) ? ? ? LL ?? r (c ?,? ) : LL ? c, Thus by Lemma 23, there exists c such that ? K(? ? LL ? ? l (c ?,? )) ?? K(? ? LL ? ? r (c ?,? )) ?: LL ? c , which is to say ? k ? k : LL ? c . Hence by Lemma 20 and by well-formedness of ? , k = k and ? (k, k) <: key LL (T ) for some type T
, We have already shown that ? (k, k) <: key LL (T ) In addition, It is then clear that either, p.2
, Since S (? ? LL ? ? l (c ?,? )) = enc(M, k), we have S (? ? LL ? ? l, and similarly for ? r (c ?,? ). Moreover, S being a subterm of S itd also satisfies the conditions on the domains, and thus the property holds with R = S
, (c ?,? )) ?? = ?, we have K(? ? LL ? ? l (c ?,? )) ?= vk(k) for some, ?= sign where M = R(? ? LL ? ? l (c ?,? )) ?
, ?,? )) ?= vk(k ) and S(? ? LL ? ? r (c ?,? )) ?= sign, where N = R(? ? LL ? ? r (c ?,? )) ?
, ?= sign(M, k) = ?, by the induction hypothesis, there exists S such that vars(S ) ? vars, ?= sign(M, k), and S (? ? LL ? ? r (c ?,? )) = S(? ? LL ? ? r (c ?,? )) ?= sign(N, k)
, it is clear from the definition of ? that either S = x for some x ? AX , or S = sign ? In the first case, we therefore have sign(M, k) ? sign(N, k ) ? c ?,? . In addition, by Lemma 37, there exists c ? c ?,? such that ? ? ? LL ? ? l (c ?,? ) ? ? ? LL ? ? r (c ?,? ) : LL ? c . Thus there exists c ? c such that ? sign(M, k) ? sign(N, k ) : LL ? c . Hence by Lemma 18, there exists c ? c ? c such that ? M ? N : LL ? c . Moreover M , N are ground, since by assumption ? l (c ?,? ) and ? r (c ?,? ) restricted to vars(R) are ground, Therefore, by Lemma 26, there exists a recipe R without destructors such that M = R (? ? LL ? ? l (c )) and N = R (? ? LL ? ? r (c )). Since c ? c ?,? , this proves the claim for this case
, Since S (? ? LL ? ? l (c ?,? )) = sign(M, k), we have S (? ? LL ? ? l, ? In the second case and similarly for ? r (c ?,? ). Moreover, S being a subterm of S it also satisfies the conditions on the domains, and thus the property holds with R = S
, 1 (S) for some recipe S then since R(? ? LL ? ? l (c ?,? )) ?? = ?, we have S(? ? LL ? ? l
, it is clear from the definition of ? that either S = x for some x ? AX , or S = S 1 , S 2 for some S 1 , S 2 . The first case is impossible, since by Lemma 35, step2 ? (c ?,? ) = true, and thus c ?,? does not contain pairs In the second case, there exist S 1 , S 2 such that S = S 1 , S 2 . Since S (? ? LL ? ? l (c ?,? )) = M 1 , M 2 , we have S 1 (? ? LL ? ? l (c ?,? )) = M 1, Hence R(? ? LL ? ? l (c ?,? )) ?= M 1 = S 1 (? ? LL ? ? l (c ?,? )), and similarly for ? r (c ?,? ). Moreover, S 1 being a subterm of S it also satisfies the conditions on the domains, and thus the property holds with R = S 1
, S) for some S: this case is similar to the ? 1 case
, For all term t and substitution ? containing only messages, if t ?? = ?, then (t?) ?= (t ?)?
, For all ground ?, ? , for all recipe R such that ?
, c)), if R(? ? LL ? ? l (c ?,? )) = (? ? LL ? ? l (c ?,? ))(x) then R is a variable y ? dom(? ? LL ? ? l (c)), or
, We only detail the proof for ? l (c ?,? ), as the proof for ? r (c ?,? ) is similar. We distinguish several cases for R
, or sign(S, K) for some recipes S, K: these two cases are similar, we only detail the encryption case. (? ? LL ? ? l (c ?,? ))(x) is then an encrypted message, step2 ? (c ?,? ) = true. Hence there exist k, k ? K and T such that K(? ? LL ? ? l (c ?,? )) = k and ? (k, k ) <: key HH (T )
, the head symbol of R cannot be ·, ··, dec, adec, checksign, ? 1 , ? 2 since step2 ? (c ?,? ) = true by Lemma 35
, For all ground ?, ? , for all recipes R, S such that ? ?? ? ? . ?c ? ? c ?
, By assumption, in that case we also have S(? ? LL ? ? l (c ?,? )) ?= ?, and thus S(? ? LL ? ? r (c ?,? )) ?= ?, and the claim holds. Let us now assume that R(? ? LL ? ? l (c ?,? )) ?? = ?, i.e., by assumption, that S(? ? LL ? ? l (c ?,? )) ?? = ?. We then have R(? ? LL ? ? r (c ?,? )) ?? = ? and S(? ? LL ? ? r (c ?,? )) ?? = ?
, Let us denote R = x. By Lemma 37, there exists c x such that ? (? ? LL ? ? l (c ?,? ))(x) ? (? ? LL ? ? r (c ?,? ))(x), we have (? ? LL ? ? r (c ?,? ))(x) = S (? ? LL ? ? l (c ?,? )), i.e. R (? ? LL ? ? r (? c)) = S (? ? LL ? ? r (? c))
, We can then prove Indeed: ? if x, y ? dom(? ? LL ), this follows from the definition of ? ? LL . ? if x ? dom(? ? LL ) and y ? dom(? l (? c ?,? )): then by definition of ? ? LL , R (? ? LL ? ? l (c ?,? )) = ? ? LL (x) is a nonce, key, public key, or verification key. Hence ? l (c ?,? )(y) is also a nonce, key, public key or verification key. This is not possible, as by Lemma 35, step2 ? (c ?,? ) = true. ? if x, y ? dom(? l (c ?,? )): then there exist M ? M ? c, N ? N ? c such that ? l (c ?,? )(x) = M ?, ? r (c ?,? )(x) = M ? , ? l (c ?,? )(y) = N ?, ? r (c ?,? )(y) = N ?, Since M ? = N ?, M , N are unifiableM ) ? vars(N ) | ? (x) = LL ? µ(x) ? N is a nonce}. By step3 ? (c), we have M ? = N ?
, such that ? ?c ? ? c ?, ), the frames ? ? LL ? ? l (c ?,? ) and ? ? LL ? ? r (c ?,? ) are statically equivalent
, This is a direct consequence of Lemma 41, by unfolding the definition of static equivalence