Deciding knowledge in security protocols under equational theories, Theoretical Computer Science, vol.387, issue.12, pp.2-32, 2006. ,
URL : https://hal.archives-ouvertes.fr/inria-00000554
Mobile values, new names, and secure communication, Proc. 28th ACM Symposium on Principles of Programming Languages (POPL'01, 2001. ,
URL : https://hal.archives-ouvertes.fr/hal-01423924
Private authentication, Theoretical Computer Science, vol.322, issue.3, pp.427-476, 2004. ,
DOI : 10.1016/j.tcs.2003.12.023
A calculus for cryptographic protocols, Proceedings of the 4th ACM conference on Computer and communications security , CCS '97, pp.1-70, 1999. ,
DOI : 10.1145/266420.266432
Verification of security protocols with a bounded number of sessions based on resolution for rigid variables State-of-the-Art Survey, Formal to Practical Security, pp.1-20, 2009. ,
Intruders with Caps, Proc. 18th International Conference on Term Rewriting and Applications (RTA'07), 2007. ,
DOI : 10.1007/978-3-540-73449-9_4
URL : https://hal.archives-ouvertes.fr/hal-00144178
Analysing Unlinkability and Anonymity Using the Applied Pi Calculus, 2010 23rd IEEE Computer Security Foundations Symposium, pp.107-121, 2010. ,
DOI : 10.1109/CSF.2010.15
Practical Everlasting Privacy, Proc. 2nd Conference on Principles of Security and Trust (POST'13), pp.21-40, 2013. ,
DOI : 10.1007/978-3-642-36830-1_2
URL : https://hal.archives-ouvertes.fr/hal-00878630
The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications, Proc. 17th International Conference on Computer Aided Verification (CAV'05), Lecture Notes in Computer Science, pp.281-285, 2005. ,
DOI : 10.1007/11513988_27
URL : https://hal.archives-ouvertes.fr/inria-00000408
Combining Algorithms for Deciding Knowledge in Security Protocols, Proc. 6th International Symposium on Frontiers of Combining Systems (FroCoS'07), pp.103-117, 2007. ,
DOI : 10.1007/978-3-540-74621-8_7
URL : https://hal.archives-ouvertes.fr/inria-00129418
Term rewriting and all that, 1998. ,
Unification theory In Handbook of Automated Reasoning, volume I, chapter 8, pp.445-532, 2001. ,
Automated Verification of Remote Electronic Voting Protocols in the Applied Pi-Calculus, 2008 21st IEEE Computer Security Foundations Symposium, 2008. ,
DOI : 10.1109/CSF.2008.26
Deciding security of protocols against off-line guessing attacks, Proceedings of the 12th ACM conference on Computer and communications security , CCS '05, 2005. ,
DOI : 10.1145/1102120.1102125
YAPA, Proc. 20th International Conference on Rewriting Techniques and Applications (RTA'09), pp.148-163, 2009. ,
DOI : 10.1145/2422085.2422089
URL : https://hal.archives-ouvertes.fr/inria-00426624
Encrypted key exchange: Password-based protocols secure against dictionary attacks, Symposium on Security and Privacy (S&P'92), pp.72-84, 1992. ,
An efficient cryptographic protocol verifier based on prolog rules, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001., pp.82-96, 2001. ,
DOI : 10.1109/CSFW.2001.930138
Automatic proof of strong secrecy for security protocols, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004, pp.86-100, 2004. ,
DOI : 10.1109/SECPRI.2004.1301317
Automated Verification of Selected Equivalences for Security Protocols, 20th Annual IEEE Symposium on Logic in Computer Science (LICS' 05), pp.331-340, 2005. ,
DOI : 10.1109/LICS.2005.8
Equivalences and Calculi for Formal Verifiation of Cryptographic Protocols, 2008. ,
Symbolic Bisimulation in the Spi Calculus, Proc. 15th Int. Conference on Concurrency Theory, pp.161-176, 2004. ,
DOI : 10.1007/3-540-58179-0_73
Analysing unlinkability and anonymity using the applied pi calculus, Proc. 23rd Computer Security Foundations Symposium (CSF'10), pp.107-121 ,
Automated Verification of Equivalence Properties of Cryptographic Protocols, 21st European Symposium on Programming, ESOP 2012, pp.108-127, 2012. ,
DOI : 10.1007/978-3-642-28869-2_6
URL : https://hal.archives-ouvertes.fr/inria-00632564
Automating Security Analysis: Symbolic Equivalence of Constraint Systems, Proc. International Joint Conference on Automated Reasoning (IJCAR'10), 2010. ,
DOI : 10.1007/978-3-642-14203-1_35
Trace equivalence decision, Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, 2011. ,
DOI : 10.1145/2046707.2046744
Decidability of Equivalence of Symbolic Derivations, Journal of Automated Reasoning, vol.17, issue.3, 2010. ,
DOI : 10.1007/s10817-010-9199-5
URL : https://hal.archives-ouvertes.fr/inria-00527630
A Framework for Automatically Checking Anonymity with ??CRL, 2nd Symposium on Trustworthy Global Computing, pp.301-318, 2007. ,
DOI : 10.1007/978-3-540-75336-0_19
Computing finite variants for subterm convergent rewrite systems, 2011. ,
Computing knowledge in security protocols under convergent equational theories, Proc. 22nd International Conference on Automated Deduction (CADE'09), pp.355-370, 2009. ,
Computing knowledge in security protocols under convergent equational theories, Journal of Automated Reasoning, 2011. ,
The Finite Variant Property: How to Get Rid of Some Algebraic Properties, Proceedings of the 16th International Conference on Rewriting Techniques and Applications (RTA'05), pp.294-307, 2005. ,
DOI : 10.1007/978-3-540-32033-3_22
Deciding Knowledge in Security Protocols for Monoidal Equational Theories, Proc. 14th Int. Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR'07), LNAI, 2007. ,
DOI : 10.1007/978-3-540-75560-9_16
URL : https://hal.archives-ouvertes.fr/inria-00181620
A Method for Proving Observational Equivalence, 2009 22nd IEEE Computer Security Foundations Symposium, pp.266-276, 2009. ,
DOI : 10.1109/CSF.2009.9
URL : https://hal.archives-ouvertes.fr/inria-00426622
The Scyther Tool: Verification, falsification, and analysis of security protocols, Proc. 20th International Conference on Computer Aided Verification, pp.414-418, 2008. ,
Formal Analysis of Privacy for Vehicular Mix-Zones, Proc. 15th European Symposium on Research in Computer Security (ESORICS'10), pp.55-70, 2010. ,
DOI : 10.1007/978-3-642-15497-3_4
Formal Analysis of Privacy for Anonymous Location Based Services, Proc. Workshop on Theory of Security and Applications (TOSCA'11), 2011. ,
DOI : 10.1007/978-3-642-27375-9_6
Simulation based security in the applied pi calculus, Proceedings of the 29th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'09), volume 4 of Leibniz International Proceedings in Informatics Leibniz-Zentrum für Informatik, pp.169-180, 2009. ,
Symbolic bisimulation for the applied pi calculus, Journal of Computer Security, 2009. ,
Verifying privacy-type properties of electronic voting protocols, Journal of Computer Security, vol.17, issue.4, pp.435-487, 2009. ,
DOI : 10.3233/JCS-2009-0340
Automatic Verification of Privacy Properties in the Applied pi Calculus, Proceedings of the 2nd Joint iTrust and PST Conferences on Privacy, Trust Management and Security (IFIPTM'08), volume 263 of IFIP Conference Proceedings, pp.263-278, 2008. ,
DOI : 10.1007/978-0-387-09428-1_17
On the security of public key protocols, Proc. of the 22nd Symp. on Foundations of Computer Science, pp.350-357, 1981. ,
Automatic testing equivalence verification of spi calculus specifications, ACM Transactions on Software Engineering and Methodology, vol.12, issue.2, pp.222-284, 2003. ,
DOI : 10.1145/941566.941570
Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties, Foundations of Security Analysis and Design V, pp.1-50, 2009. ,
DOI : 10.1007/s10990-007-9000-6
URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.226.3197
Folding variant narrowing and optimal variant termination, The Journal of Logic and Algebraic Programming, vol.81, issue.7-8, pp.898-928, 2012. ,
DOI : 10.1016/j.jlap.2012.01.002
URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.226.3740
A practical secret voting scheme for large scale elections, Advances in Cryptology ? AUSCRYPT '92, pp.244-251 ,
DOI : 10.1007/3-540-57220-1_66
Deciding by resolution, Information Processing Letters, vol.95, issue.3, pp.401-408, 2005. ,
DOI : 10.1016/j.ipl.2005.04.007
Deciding framed bisimilarity, Proc. 4th International Workshop on Verification of Infinite-State Systems (INFINITY'02), pp.1-20, 2002. ,
Analysis of an Electronic Voting Protocol in the Applied Pi Calculus, 14th European Symposium on Programming (ESOP'05), pp.186-200, 2005. ,
DOI : 10.1007/978-3-540-31987-0_14
A Complete Symbolic Bisimulation for Full Applied Pi Calculus, Proc. 36th Conference on Current Trends in Theory and Practice of Computer Science (SOFSEM'10), pp.552-563, 2010. ,
DOI : 10.1007/978-3-642-11266-9_46
Breaking and fixing the Needham-Schroeder Public-Key Protocol using FDR, Tools and Algorithms for the Construction and Analysis of Systems (TACAS'96), pp.147-166, 1996. ,
DOI : 10.1007/3-540-61042-1_43
Abstract, The Journal of Symbolic Logic, vol.32, issue.02, pp.636-647, 1997. ,
DOI : 10.1007/BF01084396
Receipt-free electronic voting schemes for large scale elections, Proc. 5th Int. Security Protocols Workshop, 1997. ,
DOI : 10.1007/BFb0028157
URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.30.287
A Formal Definition of Protocol Indistinguishability and Its Verification Using Maude-NPA, Proc. 10th International Workshop on Security and Trust Management (STM'14), pp.162-177, 2014. ,
DOI : 10.1007/978-3-319-11851-2_11
Automating Open Bisimulation Checking for the Spi Calculus, 2010 23rd IEEE Computer Security Foundations Symposium, pp.307-321, 2010. ,
DOI : 10.1109/CSF.2010.28
Towards an Automatic Analysis of Security Protocols in First-Order Logic, Proc. 16th International Conference on Automated Deduction (CADE'99), pp.314-328, 1999. ,
DOI : 10.1007/3-540-48660-7_29
Thus there exists f ? F ? E such that u ? st(f ) By Lemma 26, we know that vars(u) ? vars(w(f )). By construction of ? and ?, w?? = w? ? implies that for all x ? vars(w(f )), x?? = x? ? and so u?? = u? ? . We do a similar proof to show that for ,
and img(?) ? (vars(w) ? vars(IPC(S))) = ? directly allows us to conclude that ? completes (w, ? ) ,
|: In such a case, since vars(?) ? vars(IPC(S))?vars(w), we deduce that vars(img ,
We first show (w, ?) is maximal 1. (w 0 , ?) is maximal for ? in S. 2. w = w 0 ?? 3. for all x ? dom(?) vars(w 0 ), vars(x?) ? vars(t 1 , . . . , t n ). 4. for all x ? dom(?) ? vars(w 0 ), x? ? X , x? ? vars(t, t 1 , . . . , t n ) and x? occurs only once in w. 5. for all x ? dom(?), x? ? X implies that either x? ? st(t 1 , . . . , t n ) or there exists T such that k w (T, x?) ? k w1 (X 1 , t 1 ), . . . , k wn (X n , t n ) ? conseq ,
We prove the result on g with (w 0 , ?) and ?. By hypothesis on f , we know that g verifies properties 1 and 2. Moreover, since t i = t j , we also know that vars(t 1 Therefore, g verifies properties 3 and 4. Let x ? dom(?) such that x? ? X . By hypothesis on f , we know that either x? ? st(t 1 , . . . , t n ) or there exists T such that k w (T, x?) ? k w1 (X 1 , t 1 ), . . . , k wn (X n , t n ) ? conseq(K solved ), the former case, we directly have that x? ? st(t 1 , . . . , t j?1 , t j+1 , . . . , t n ) since t i = t j . In the later case, a simple induction on the number of rules applied 3. there exist y ? dom(?) and r ? st(y?) such that r? = x? and y? ? X : By Property f.5, we know that either y? ? st(t 1 , . . . , t n ) or there exists T such that k w (T, y?) ? k w1 (X 1 , t 1 ), . . . , k wn (X n , t n ) ? conseq, pp.1-1 ,
n}. By Property f.6.a, we have for all , n}, t i is well formed in f w.r.t. (w 0 , ?) and ?. Hence, there exists u 1 , . . . , u k ? st IS (S, ? 0 ), i 1 , n} and a context C built on function symbols such that t i0 = C[t i1, C, there exists T such that k w (T, t i0 | p ) ? k w1 (X 1 , t 1 ), . . . , k wn (X n , t n ) ? conseq ,
URL : https://hal.archives-ouvertes.fr/in2p3-00522368
n}, t i is well formed in f w.r.t. (w 0 , ?) and ? (Prop f.6.a), we obtain that there exist u 1 , . . . , u k ? st IS (S, ? 0 ), i 1 , n} and a context C built on function symbols such that y? = C[t i1, C, there exists T such that k w (T, y?| p ) ? k w1 (X 1 , t 1 ), . . . , k wn (X n , t n ) ? conseq ,
? st(y? ) such that r? = x? and y? ? X : ? If the Reachability test fails, we have that r l1,...,ln ? {k wi (X i , x i )} i?{1, we have that there exists T , ? such that ,
T , ?) we have (R? = R ?)?. By Theorem 3, we have however that that there exists T , ? such that ,
and (R = R )? i and 1. either for all U ? P, V we have ,