Relating Two Standard Notions of Secrecy

  • Véronique Cortier
  • Michaël Rusinowitch
  • Eugen Zălinescu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4207)


Two styles of definitions are usually considered to express that a security protocol preserves the confidentiality of a data s. Reachability-based secrecy means that s should never be disclosed while equivalence-based secrecy states that two executions of a protocol with distinct instances for s should be indistinguishable to an attacker. Although the second formulation ensures a higher level of security and is closer to cryptographic notions of secrecy, decidability results and automatic tools have mainly focused on the first definition so far.

This paper initiates a systematic investigation of situations where syntactic secrecy entails strong secrecy. We show that in the passive case, reachability-based secrecy actually implies equivalence-based secrecy for signatures, symmetric and asymmetric encryption provided that the primitives are probabilistic. For active adversaries in the case of symmetric encryption, we provide sufficient (and rather tight) conditions on the protocol for this implication to hold.


Security Protocol Parallel Composition Extended Process Cryptographic Protocol Standard Notion 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: 28th Symp. on Principles of Programming Languages (POPL 2001). ACM Press, New York (2001)Google Scholar
  2. 2.
    Abadi, M., Gordon, A.D.: A calculus for cryptographic protocols: The spi calculus. In: 4th Conf. on Computer and Communications Security (CCS 1997), pp. 36–47. ACM Press, New York (1997)CrossRefGoogle Scholar
  3. 3.
    Amadio, R., Lugiez, D.: On the reachability problem in cryptographic protocols. In: Palamidessi, C. (ed.) CONCUR 2000. LNCS, vol. 1877. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    The AVISPA Project,
  5. 5.
    Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Computer Security Foundations Workshop (CSFW 2001), pp. 82–96. IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  6. 6.
    Blanchet, B.: Automatic Proof of Strong Secrecy for Security Protocols. In: IEEE Symposium on Security and Privacy (SP 2004), pp. 86–100 (2004)Google Scholar
  7. 7.
    Blanchet, B., Podelski, A.: Verification of cryptographic protocols: Tagging enforces termination. In: Gordon, A.D. (ed.) FOSSACS 2003. LNCS, vol. 2620, pp. 136–152. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Borgström, J., Briais, S., Nestmann, U.: Symbolic bisimulation in the SPI calculus. In: Gardner, P., Yoshida, N. (eds.) CONCUR 2004. LNCS, vol. 3170, pp. 161–176. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  9. 9.
    Bozga, L., Lakhnech, Y., Périn, M.: HERMES: An automatic tool for verification of secrecy in security protocols. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 219–222. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Comon-Lundh, H., Cortier, V.: New decidability results for fragments of first-order logic and application to cryptographic protocols. In: Nieuwenhuis, R. (ed.) RTA 2003. LNCS, vol. 2706, pp. 148–164. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Cortier, V., Warinschi, B.: Computationally Sound, Automated Proofs for Security Protocols. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 157–171. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  12. 12.
    Denker, G., Millen, J., Rueß, H.: The CAPSL Integrated Protocol Environment. Technical Report SRI-CSL-2000-02, SRI International, Menlo Park, CA (2000)Google Scholar
  13. 13.
    Durgin, N., Lincoln, P., Mitchell, J., Scedrov, A.: Undecidability of bounded security protocols. In: Workshop on Formal Methods and Security Protocols (1999)Google Scholar
  14. 14.
    Hüttel, H.: Deciding framed bisimilarity. In: INFINITY 2002 (August 2002)Google Scholar
  15. 15.
    Paulson, L.C.: Relations between secrets: Two formal analyses of the Yahalom protocol. Journal of Computer Security 9(3), 197–216 (2001)MathSciNetGoogle Scholar
  16. 16.
    Ramanujam, R., Suresh, S.P.: Tagging makes secrecy decidable with unbounded nonces as well. In: Pandya, P.K., Radhakrishnan, J. (eds.) FSTTCS 2003. LNCS, vol. 2914, pp. 363–374. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  17. 17.
    Rusinowitch, M., Turuani, M.: Protocol Insecurity with Finite Number of Sessions and Composed Keys is NP-complete. Theoretical Computer Science 299, 451–475 (2003)MATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Zalinescu, E., Cortier, V., Rusinowitch, M.: Relating two standard notions of secrecy. Research Report 5908, INRIA (April 2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Véronique Cortier
    • 1
  • Michaël Rusinowitch
    • 1
  • Eugen Zălinescu
    • 1
  1. 1.Loria, UMR 7503 & INRIA Lorraine projet Cassis & CNRSFrance

Personalised recommendations