M. Abadi and V. Cortier, Deciding knowledge in security protocols under equational theories, Theoretical Computer Science, vol.387, issue.12, pp.2-32, 2006.
URL : https://hal.archives-ouvertes.fr/inria-00000554

M. Abadi and C. Fournet, Mobile values, new names, and secure communication, Proc. 28th ACM Symposium on Principles of Programming Languages (POPL'01), 2001.
URL : https://hal.archives-ouvertes.fr/hal-01423924

M. Abadi and C. Fournet, Private authentication, Theoretical Computer Science, vol.322, issue.3, pp.427-476, 2004.
DOI : 10.1016/j.tcs.2003.12.023

M. Abadi and A. D. Gordon, A calculus for cryptographic protocols, Proceedings of the 4th ACM conference on Computer and communications security, CCS '97, pp.1-70, 1999.
DOI : 10.1145/266420.266432

R. Affeldt and H. Comon-Lundh, Verification of security protocols with a bounded number of sessions based on resolution for rigid variables, State-of-the-Art Survey, Formal to Practical Security, pp.1-20, 2009.

S. Anantharaman, P. Narendran, and M. Rusinowitch, Intruders with Caps, Proc. 18th International Conference on Term Rewriting and Applications (RTA'07), 2007.
DOI : 10.1007/978-3-540-73449-9_4

URL : https://hal.archives-ouvertes.fr/hal-00144178

M. Arapinis, T. Chothia, E. Ritter, and M. D. Ryan, Analysing Unlinkability and Anonymity Using the Applied Pi Calculus, 2010 23rd IEEE Computer Security Foundations Symposium, pp.107-121, 2010.
DOI : 10.1109/CSF.2010.15

M. Arapinis, V. Cortier, S. Kremer, and M. D. Ryan, Practical Everlasting Privacy, Proc. 2nd Conference on Principles of Security and Trust (POST'13), pp.21-40, 2013.
DOI : 10.1007/978-3-642-36830-1_2

URL : https://hal.archives-ouvertes.fr/hal-00878630

A. Armando, D. A. Basin, Y. Boichut, Y. Chevalier, L. Compagna et al., The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications, Proc. 17th International Conference on Computer Aided Verification (CAV'05), Lecture Notes in Computer Science, pp.281-285, 2005.
DOI : 10.1007/11513988_27

URL : https://hal.archives-ouvertes.fr/inria-00000408

M. Arnaud, V. Cortier, and S. Delaune, Combining Algorithms for Deciding Knowledge in Security Protocols, Proc. 6th International Symposium on Frontiers of Combining Systems (FroCoS'07), pp.103-117, 2007.
DOI : 10.1007/978-3-540-74621-8_7

URL : https://hal.archives-ouvertes.fr/inria-00129418

F. Baader and T. Nipkow, Term rewriting and all that, 1998.

F. Baader and W. Snyder, Unification theory, In Handbook of Automated Reasoning, volume I, chapter 8, pp.445-532, 2001.

M. Backes, C. Hritcu, and M. Maffei, Automated Verification of Remote Electronic Voting Protocols in the Applied Pi-Calculus, 2008 21st IEEE Computer Security Foundations Symposium, 2008.
DOI : 10.1109/CSF.2008.26

M. Baudet, Deciding security of protocols against off-line guessing attacks, Proceedings of the 12th ACM conference on Computer and communications security, CCS '05, 2005.
DOI : 10.1145/1102120.1102125

M. Baudet, V. Cortier, and S. Delaune, YAPA, Proc. 20th International Conference on Rewriting Techniques and Applications (RTA'09), pp.148-163, 2009.
DOI : 10.1145/2422085.2422089

URL : https://hal.archives-ouvertes.fr/inria-00426624

S. M. Bellovin and M. Merritt, Encrypted key exchange: Password-based protocols secure against dictionary attacks, Symposium on Security and Privacy (S&P'92), pp.72-84, 1992.

B. Blanchet, An efficient cryptographic protocol verifier based on Prolog rules, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001, pp.82-96, 2001.
DOI : 10.1109/CSFW.2001.930138

B. Blanchet, Automatic proof of strong secrecy for security protocols, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004, pp.86-100, 2004.
DOI : 10.1109/SECPRI.2004.1301317

B. Blanchet, M. Abadi, and C. Fournet, Automated Verification of Selected Equivalences for Security Protocols, 20th Annual IEEE Symposium on Logic in Computer Science (LICS'05), pp.331-340, 2005.
DOI : 10.1109/LICS.2005.8

J. Borgström, Equivalences and Calculi for Formal Verification of Cryptographic Protocols, 2008.

J. Borgström, S. Briais, and U. Nestmann, Symbolic Bisimulation in the Spi Calculus, Proc. 15th Int. Conference on Concurrency Theory, pp.161-176, 2004.
DOI : 10.1007/3-540-58179-0_73

M. Bruso, K. Chatzikokolakis, and J. Hartog, Analysing unlinkability and anonymity using the applied pi calculus, Proc. 23rd Computer Security Foundations Symposium (CSF'10), pp.107-121

R. Chadha and S. Kremer, Automated Verification of Equivalence Properties of Cryptographic Protocols, 21st European Symposium on Programming, ESOP 2012, pp.108-127, 2012.
DOI : 10.1007/978-3-642-28869-2_6

URL : https://hal.archives-ouvertes.fr/inria-00632564

V. Cheval, H. Comon-Lundh, and S. Delaune, Automating Security Analysis: Symbolic Equivalence of Constraint Systems, Proc. International Joint Conference on Automated Reasoning (IJCAR'10), 2010.
DOI : 10.1007/978-3-642-14203-1_35

V. Cheval, H. Comon-Lundh, and S. Delaune, Trace equivalence decision, Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, 2011.
DOI : 10.1145/2046707.2046744

Y. Chevalier and M. Rusinowitch, Decidability of Equivalence of Symbolic Derivations, Journal of Automated Reasoning, vol.17, issue.3, 2010.
DOI : 10.1007/s10817-010-9199-5

URL : https://hal.archives-ouvertes.fr/inria-00527630

T. Chothia, S. O. Pang, and M. T. Dashti, A Framework for Automatically Checking Anonymity with μCRL, 2nd Symposium on Trustworthy Global Computing, pp.301-318, 2007.
DOI : 10.1007/978-3-540-75336-0_19

Ş. Ciobâcă, Computing finite variants for subterm convergent rewrite systems, 2011.

Ş. Ciobâcă, S. Delaune, and S. Kremer, Computing knowledge in security protocols under convergent equational theories, Proc. 22nd International Conference on Automated Deduction (CADE'09), pp.355-370, 2009.

Ş. Ciobâcă, S. Delaune, and S. Kremer, Computing knowledge in security protocols under convergent equational theories, Journal of Automated Reasoning, 2011.

H. Comon-Lundh and S. Delaune, The Finite Variant Property: How to Get Rid of Some Algebraic Properties, Proceedings of the 16th International Conference on Rewriting Techniques and Applications (RTA'05), pp.294-307, 2005.
DOI : 10.1007/978-3-540-32033-3_22

V. Cortier and S. Delaune, Deciding Knowledge in Security Protocols for Monoidal Equational Theories, Proc. 14th Int. Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR'07), LNAI, 2007.
DOI : 10.1007/978-3-540-75560-9_16

URL : https://hal.archives-ouvertes.fr/inria-00181620

V. Cortier and S. Delaune, A Method for Proving Observational Equivalence, 2009 22nd IEEE Computer Security Foundations Symposium, pp.266-276, 2009.
DOI : 10.1109/CSF.2009.9

URL : https://hal.archives-ouvertes.fr/inria-00426622

C. J. F. Cremers, The Scyther Tool: Verification, falsification, and analysis of security protocols, Proc. 20th International Conference on Computer Aided Verification, pp.414-418, 2008.

M. Dahl, S. Delaune, and G. Steel, Formal Analysis of Privacy for Vehicular Mix-Zones, Proc. 15th European Symposium on Research in Computer Security (ESORICS'10), pp.55-70, 2010.
DOI : 10.1007/978-3-642-15497-3_4

M. Dahl, S. Delaune, and G. Steel, Formal Analysis of Privacy for Anonymous Location Based Services, Proc. Workshop on Theory of Security and Applications (TOSCA'11), 2011.
DOI : 10.1007/978-3-642-27375-9_6

S. Delaune, S. Kremer, and O. Pereira, Simulation based security in the applied pi calculus, Proceedings of the 29th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'09), volume 4 of Leibniz International Proceedings in Informatics, Leibniz-Zentrum für Informatik, pp.169-180, 2009.

S. Delaune, S. Kremer, and M. D. Ryan, Symbolic bisimulation for the applied pi calculus, Journal of Computer Security, 2009.

S. Delaune, S. Kremer, and M. D. Ryan, Verifying privacy-type properties of electronic voting protocols, Journal of Computer Security, vol.17, issue.4, pp.435-487, 2009.
DOI : 10.3233/JCS-2009-0340

S. Delaune, M. D. Ryan, and B. Smyth, Automatic Verification of Privacy Properties in the Applied pi Calculus, Proceedings of the 2nd Joint iTrust and PST Conferences on Privacy, Trust Management and Security (IFIPTM'08), volume 263 of IFIP Conference Proceedings, pp.263-278, 2008.
DOI : 10.1007/978-0-387-09428-1_17

D. Dolev and A. Yao, On the security of public key protocols, Proc. of the 22nd Symp. on Foundations of Computer Science, pp.350-357, 1981.

L. Durante, R. Sisto, and A. Valenzano, Automatic testing equivalence verification of spi calculus specifications, ACM Transactions on Software Engineering and Methodology, vol.12, issue.2, pp.222-284, 2003.
DOI : 10.1145/941566.941570

S. Escobar, C. Meadows, and J. Meseguer, Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties, Foundations of Security Analysis and Design V, pp.1-50, 2009.
DOI : 10.1007/s10990-007-9000-6

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.226.3197

S. Escobar, R. Sasse, and J. Meseguer, Folding variant narrowing and optimal variant termination, The Journal of Logic and Algebraic Programming, vol.81, issue.7-8, pp.898-928, 2012.
DOI : 10.1016/j.jlap.2012.01.002

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.226.3740

A. Fujioka, T. Okamoto, and K. Ohta, A practical secret voting scheme for large scale elections, Advances in Cryptology - AUSCRYPT '92, pp.244-251
DOI : 10.1007/3-540-57220-1_66

J. Goubault-Larrecq, Deciding by resolution, Information Processing Letters, vol.95, issue.3, pp.401-408, 2005.
DOI : 10.1016/j.ipl.2005.04.007

H. Hüttel, Deciding framed bisimilarity, Proc. 4th International Workshop on Verification of Infinite-State Systems (INFINITY'02), pp.1-20, 2002.

S. Kremer and M. D. Ryan, Analysis of an Electronic Voting Protocol in the Applied Pi Calculus, 14th European Symposium on Programming (ESOP'05), pp.186-200, 2005.
DOI : 10.1007/978-3-540-31987-0_14

J. Liu and H. Lin, A Complete Symbolic Bisimulation for Full Applied Pi Calculus, Proc. 36th Conference on Current Trends in Theory and Practice of Computer Science (SOFSEM'10), pp.552-563, 2010.
DOI : 10.1007/978-3-642-11266-9_46

G. Lowe, Breaking and fixing the Needham-Schroeder Public-Key Protocol using FDR, Tools and Algorithms for the Construction and Analysis of Systems (TACAS'96), pp.147-166, 1996.
DOI : 10.1007/3-540-61042-1_43

P. Narendran, F. Pfenning, and R. Statman, Abstract, The Journal of Symbolic Logic, vol.32, issue.02, pp.636-647, 1997.
DOI : 10.1007/BF01084396

T. Okamoto, Receipt-free electronic voting schemes for large scale elections, Proc. 5th Int. Security Protocols Workshop, 1997.
DOI : 10.1007/BFb0028157

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.30.287

S. Santiago, S. Escobar, C. Meadows, and J. Meseguer, A Formal Definition of Protocol Indistinguishability and Its Verification Using Maude-NPA, Proc. 10th International Workshop on Security and Trust Management (STM'14), pp.162-177, 2014.
DOI : 10.1007/978-3-319-11851-2_11

A. Tiu and J. Dawson, Automating Open Bisimulation Checking for the Spi Calculus, 2010 23rd IEEE Computer Security Foundations Symposium, pp.307-321, 2010.
DOI : 10.1109/CSF.2010.28

C. Weidenbach, Towards an Automatic Analysis of Security Protocols in First-Order Logic, Proc. 16th International Conference on Automated Deduction (CADE'99), pp.314-328, 1999.
DOI : 10.1007/3-540-48660-7_29

?. Let-u and I. St, Thus there exists f ? F ? E such that u ? st(f ) By Lemma 26, we know that vars(u) ? vars(w(f )). By construction of ? and ?, w?? = w? ? implies that for all x ? vars(w(f )), x?? = x? ? and so u?? = u? ? . We do a similar proof to show that for

. Lastly, and img(?) ? (vars(w) ? vars(IPC(S))) = ? directly allows us to conclude that ? completes (w, ? )

N. Base-case and . |dom, |: In such a case, since vars(?) ? vars(IPC(S))?vars(w), we deduce that vars(img

?. Moreover, We first show (w, ?) is maximal 1. (w 0 , ?) is maximal for ? in S. 2. w = w 0 ?? 3. for all x ? dom(?) vars(w 0 ), vars(x?) ? vars(t 1 , . . . , t n ). 4. for all x ? dom(?) ? vars(w 0 ), x? ? X , x? ? vars(t, t 1 , . . . , t n ) and x? occurs only once in w. 5. for all x ? dom(?), x? ? X implies that either x? ? st(t 1 , . . . , t n ) or there exists T such that k w (T, x?) ? k w1 (X 1 , t 1 ), . . . , k wn (X n , t n ) ? conseq

R. Rename, ?. {1, and .. .. , We prove the result on g with (w 0 , ?) and ?. By hypothesis on f , we know that g verifies properties 1 and 2. Moreover, since t i = t j , we also know that vars(t 1 Therefore, g verifies properties 3 and 4. Let x ? dom(?) such that x? ? X . By hypothesis on f , we know that either x? ? st(t 1 , . . . , t n ) or there exists T such that k w (T, x?) ? k w1 (X 1 , t 1 ), . . . , k wn (X n , t n ) ? conseq(K solved ), the former case, we directly have that x? ? st(t 1 , . . . , t j?1 , t j+1 , . . . , t n ) since t i = t j . In the later case, a simple induction on the number of rules applied 3. there exist y ? dom(?) and r ? st(y?) such that r? = x? and y? ? X : By Property f.5, we know that either y? ? st(t 1 , . . . , t n ) or there exists T such that k w (T, y?) ? k w1 (X 1 , t 1 ), . . . , k wn (X n , t n ) ? conseq, pp.1-1

?. {1, ?. {1, .. .. , ?. {1, and ?. {1, n}. By Property f.6.a, we have for all , n}, t i is well formed in f w.r.t. (w 0 , ?) and ?. Hence, there exists u 1 , . . . , u k ? st IS (S, ? 0 ), i 1 , n} and a context C built on function symbols such that t i0 = C[t i1, C, there exists T such that k w (T, t i0 | p ) ? k w1 (X 1 , t 1 ), . . . , k wn (X n , t n ) ? conseq
URL : https://hal.archives-ouvertes.fr/in2p3-00522368

?. {1, .. .. , ?. {1, and ?. {1, n}, t i is well formed in f w.r.t. (w 0 , ?) and ? (Prop f.6.a), we obtain that there exist u 1 , . . . , u k ? st IS (S, ? 0 ), i 1 , n} and a context C built on function symbols such that y? = C[t i1, C, there exists T such that k w (T, y?| p ) ? k w1 (X 1 , t 1 ), . . . , k wn (X n , t n ) ? conseq

. .. There-exist-y-?-dom, ? st(y? ) such that r? = x? and y? ? X : ? If the Reachability test fails, we have that r l1,...,ln ? {k wi (X i , x i )} i?{1, we have that there exists T , ? such that

M. , .. .. Mn, and =. =====-?, T , ?) we have (R? = R ?)?. By Theorem 3, we have however that that there exists T , ? such that

=. Li, and (R = R )? i and 1. either for all U ? P, V we have