Security Protocol Verification: Symbolic and Computational Models

  • Bruno Blanchet
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7215)


Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.


Security Protocol Security Property Computer Security Symbolic Model Horn Clause 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Abadi, M.: Secrecy by typing in security protocols. Journal of the ACM 46(5), 749–786 (1999)MathSciNetzbMATHGoogle Scholar
  2. 2.
    Abadi, M., Blanchet, B.: Analyzing security protocols with secrecy types and logic programs. Journal of the ACM 52(1), 102–146 (2005)MathSciNetzbMATHGoogle Scholar
  3. 3.
    Abadi, M., Blanchet, B.: Computer-assisted verification of a protocol for certified email. Science of Computer Programming 58(1-2), 3–27 (2005)MathSciNetzbMATHGoogle Scholar
  4. 4.
    Abadi, M., Blanchet, B., Fournet, C.: Just Fast Keying in the pi calculus. ACM TISSEC 10(3), 1–59 (2007)Google Scholar
  5. 5.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: POPL 2001, pp. 104–115. ACM, New York (2001)Google Scholar
  6. 6.
    Abadi, M., Gordon, A.D.: A bisimulation method for cryptographic protocols. Nordic Journal of Computing 5(4), 267–303 (1998)MathSciNetzbMATHGoogle Scholar
  7. 7.
    Abadi, M., Gordon, A.D.: A calculus for cryptographic protocols: The spi calculus. Information and Computation 148(1), 1–70 (1999)MathSciNetzbMATHGoogle Scholar
  8. 8.
    Abadi, M., Rogaway, P.: Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology 15(2), 103–127 (2002)MathSciNetzbMATHGoogle Scholar
  9. 9.
    Abdalla, M., Fouque, P.A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. IEE Proceedings Information Security 153(1), 27–39 (2006)Google Scholar
  10. 10.
    Adão, P., Bana, G., Herzog, J., Scedrov, A.: Soundness of Formal Encryption in the Presence of Key-Cycles. In: de Capitani di Vimercati, S., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 374–396. Springer, Heidelberg (2005)Google Scholar
  11. 11.
    Affeldt, R., Nowak, D., Yamada, K.: Certifying assembly with formal cryptographic proofs: the case of BBS. In: AVoCS 2009. Electronic Communications of the EASST, vol. 23. EASST (2009)Google Scholar
  12. 12.
    Aizatulin, M., Gordon, A.D., Jürjens, J.: Extracting and verifying cryptographic models from C protocol code by symbolic execution. In: CCS 2011, pp. 331–340. ACM, New York (2011)Google Scholar
  13. 13.
    Allamigeon, X., Blanchet, B.: Reconstruction of attacks against cryptographic protocols. In: CSFW 2005, pp. 140–154. IEEE, Los Alamitos (2005)Google Scholar
  14. 14.
    Arapinis, M., Duflot, M.: Bounding Messages for Free in Security Protocols. In: Arvind, V., Prasad, S. (eds.) FSTTCS 2007. LNCS, vol. 4855, pp. 376–387. Springer, Heidelberg (2007)Google Scholar
  15. 15.
    Arapinis, M., Ritter, E., Ryan, M.D.: StatVerif: Verification of stateful processes. In: CSF 2011, pp. 33–47. IEEE, Los Alamitos (2011)Google Scholar
  16. 16.
    Armando, A., Compagna, L., Ganty, P.: SAT-Based Model-Checking of Security Protocols Using Planning Graph Analysis. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 875–893. Springer, Heidelberg (2003)Google Scholar
  17. 17.
    Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma, P.H., Heám, P.C., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)Google Scholar
  18. 18.
    Bachmair, L., Ganzinger, H.: Resolution theorem proving. In: Handbook of Automated Reasoning, vol. 1, ch. 2, pp. 19–100. North-Holland (2001)Google Scholar
  19. 19.
    Backes, M., Cortesi, A., Maffei, M.: Causality-based abstraction of multiplicity in security protocols. In: CSF 2007, pp. 355–369. IEEE, Los Alamitos (2007)Google Scholar
  20. 20.
    Backes, M., Hofheinz, D., Unruh, D.: CoSP: A general framework for computational soundness proofs. In: CCS 2009, pp. 66–78. ACM, New York (2009)Google Scholar
  21. 21.
    Backes, M., Hritcu, C., Maffei, M.: Automated verification of remote electronic voting protocols in the applied pi-calculus. In: CSF 2008, pp. 195–209. IEEE, Los Alamitos (2008)Google Scholar
  22. 22.
    Backes, M., Laud, P.: Computationally sound secrecy proofs by mechanized flow analysis. In: CCS 2006, pp. 370–379. ACM, New York (2006)Google Scholar
  23. 23.
    Backes, M., Maffei, M., Unruh, D.: Zero-knowledge in the applied pi-calculus and automated verification of the direct anonymous attestation protocol. In: IEEE Symposium on Security and Privacy, pp. 202–215. IEEE, Los Alamitos (2008)Google Scholar
  24. 24.
    Backes, M., Maffei, M., Unruh, D.: Computationally sound verification of source code. In: CCS 2010, pp. 387–398. ACM, New York (2010)Google Scholar
  25. 25.
    Backes, M., Pfitzmann, B.: Symmetric encryption in a simulatable Dolev-Yao style cryptographic library. In: CSFW 2004, pp. 204–218. IEEE, Los Alamitos (2004)Google Scholar
  26. 26.
    Backes, M., Pfitzmann, B.: Relating symbolic and cryptographic secrecy. IEEE Transactions on Dependable and Secure Computing 2(2), 109–123 (2005)Google Scholar
  27. 27.
    Backes, M., Pfitzmann, B., Waidner, M.: A composable cryptographic library with nested operations. In: CCS 2003, pp. 220–230. ACM, New York (2003)Google Scholar
  28. 28.
    Backes, M., Pfiztmann, B., Scedrov, A.: Key-dependent message security under active attacks—BRSIM/UC soundness of symbolic encryption with key cycles. In: CSF 2007, pp. 112–124. IEEE, Los Alamitos (2007)Google Scholar
  29. 29.
    Backes, M., Unruh, D.: Computational soundness of symbolic zero-knowledge proofs against active attackers. In: CSF 2008, pp. 255–269. IEEE, Los Alamitos (2008)Google Scholar
  30. 30.
    Barthe, G., Daubignard, M., Kapron, B., Lakhnech, Y.: Computational indistinguishability logic. In: CCS 2010, pp. 375–386. ACM, New York (2010)Google Scholar
  31. 31.
    Barthe, G., Grégoire, B., Lakhnech, Y., Zanella Béguelin, S.: Beyond Provable Security Verifiable IND-CCA Security of OAEP. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 180–196. Springer, Heidelberg (2011)Google Scholar
  32. 32.
    Barthe, G., Grégoire, B., Heraud, S., Zanella Béguelin, S.: Formal Certification of ElGamal Encryption. A Gentle Introduction to CertiCrypt. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 1–19. Springer, Heidelberg (2009)Google Scholar
  33. 33.
    Barthe, G., Grégoire, B., Heraud, S., Béguelin, S.Z.: Computer-Aided Security Proofs for the Working Cryptographer. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 71–90. Springer, Heidelberg (2011)Google Scholar
  34. 34.
    Barthe, G., Grégoire, B., Zanella, S.: Formal certification of code-based cryptographic proofs. In: POPL 2009, pp. 90–101. ACM, New York (2009)Google Scholar
  35. 35.
    Basin, D., Mödersheim, S., Viganò, L.: An On-the-Fly Model-Checker for Security Protocol Analysis. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 253–270. Springer, Heidelberg (2003)Google Scholar
  36. 36.
    Baudet, M.: Sécurité des protocoles cryptographiques: aspects logiques et calculatoires. Ph.D. thesis, Ecole Normale Supérieure de Cachan (2007)Google Scholar
  37. 37.
    Béguelin, S.Z., Barthe, G., Heraud, S., Grégoire, B., Hedin, D.: A machine-checked formalization of sigma-protocols. In: CSF 2010, pp. 246–260. IEEE, Los Alamitos (2010)Google Scholar
  38. 38.
    Béguelin, S.Z., Grégoire, B., Barthe, G., Olmedo, F.: Formally certifying the security of digital signature schemes. In: IEEE Symposium on Security and Privacy, pp. 237–250. IEEE, Los Alamitos (2009)Google Scholar
  39. 39.
    Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: FOCS 1997, pp. 394–403. IEEE, Los Alamitos (1997)Google Scholar
  40. 40.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated Key Exchange Secure against Dictionary Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)Google Scholar
  41. 41.
    Bellare, M., Rogaway, P.: Entity Authentication and Key Distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)Google Scholar
  42. 42.
    Bellare, M., Rogaway, P.: The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)Google Scholar
  43. 43.
    Bengtson, J., Bhargavan, K., Fournet, C., Gordon, A., Maffeis, S.: Refinement types for secure implementations. ACM TOPLAS 33(2) (2011)Google Scholar
  44. 44.
    Bhargavan, K., Corin, R., Fournet, C., Zălinescu, E.: Cryptographically verified implementations for TLS. In: CCS 2008, pp. 459–468. ACM, New York (2008)Google Scholar
  45. 45.
    Bhargavan, K., Fournet, C., Gordon, A.: Modular verification of security protocol code by typing. In: POPL 2010, pp. 445–456. ACM, New York (2010)Google Scholar
  46. 46.
    Bhargavan, K., Fournet, C., Gordon, A., Tse, S.: Verified interoperable implementations of security protocols. ACM TOPLAS 31(1) (2008)Google Scholar
  47. 47.
    Bhargavan, K., Fournet, C., Gordon, A.D., Pucella, R.: TulaFale: A Security Tool for Web Services. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2003. LNCS, vol. 3188, pp. 197–222. Springer, Heidelberg (2004)Google Scholar
  48. 48.
    Blanchet, B.: Automatic verification of cryptographic protocols: A logic programming approach. In: PPDP 2003, pp. 1–3. ACM, New York (2003)Google Scholar
  49. 49.
    Blanchet, B.: Automatic proof of strong secrecy for security protocols. In: IEEE Symposium on Security and Privacy, pp. 86–100. IEEE, Los Alamitos (2004)Google Scholar
  50. 50.
    Blanchet, B.: Security protocols: From linear to classical logic by abstract interpretation. Information Processing Letters 95(5), 473–479 (2005)MathSciNetzbMATHGoogle Scholar
  51. 51.
    Blanchet, B.: Computationally sound mechanized proofs of correspondence assertions. In: CSF 2007, pp. 97–111. IEEE, Los Alamitos (2007)Google Scholar
  52. 52.
    Blanchet, B.: A computationally sound mechanized prover for security protocols. IEEE Transactions on Dependable and Secure Computing 5(4), 193–207 (2008)Google Scholar
  53. 53.
    Blanchet, B.: Automatic verification of correspondences for security protocols. Journal of Computer Security 17(4), 363–434 (2009)Google Scholar
  54. 54.
    Blanchet, B.: Using Horn clauses for analyzing security protocols. In: Cortier, V., Kremer, S. (eds.) Formal Models and Techniques for Analyzing Security Protocols. Cryptology and Information Security Series, vol. 5, pp. 86–111. IOS Press, Amsterdam (2011)Google Scholar
  55. 55.
    Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. Journal of Logic and Algebraic Programming 75(1), 3–51 (2008)MathSciNetzbMATHGoogle Scholar
  56. 56.
    Blanchet, B., Chaudhuri, A.: Automated formal analysis of a protocol for secure file sharing on untrusted storage. In: IEEE Symposium on Security and Privacy, pp. 417–431. IEEE, Los Alamitos (2008)Google Scholar
  57. 57.
    Blanchet, B., Jaggard, A.D., Scedrov, A., Tsay, J.K.: Computationally sound mechanized proofs for basic and public-key Kerberos. In: ASIACCS 2008, pp. 87–99. ACM, New York (2008)Google Scholar
  58. 58.
    Blanchet, B., Podelski, A.: Verification of cryptographic protocols: Tagging enforces termination. Theoretical Computer Science 333(1-2), 67–90 (2005)MathSciNetzbMATHGoogle Scholar
  59. 59.
    Blanchet, B., Pointcheval, D.: Automated Security Proofs with Sequences of Games. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 537–554. Springer, Heidelberg (2006)Google Scholar
  60. 60.
    Bodei, C., Buchholtz, M., Degano, P., Nielson, F., Nielson, H.R.: Automatic validation of protocol narration. In: CSFW 2003, pp. 126–140. IEEE, Los Alamitos (2003)Google Scholar
  61. 61.
    Bodei, C., Buchholtz, M., Degano, P., Nielson, F., Nielson, H.R.: Static validation of security protocols. Journal of Computer Security 13(3), 347–390 (2005)Google Scholar
  62. 62.
    Bodei, C., Degano, P., Nielson, F., Nielson, H.R.: Flow logic for Dolev-Yao secrecy in cryptographic processes. Future Generation Comp. Syst. 18(6), 747–756 (2002)zbMATHGoogle Scholar
  63. 63.
    Boichut, Y., Kosmatov, N., Vigneron, L.: Validation of Prouvé protocols using the automatic tool TA4SP. In: TFIT 2006, pp. 467–480 (2006)Google Scholar
  64. 64.
    Bolignano, D.: Towards a Mechanization of Cryptographic Protocol Verification. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
  65. 65.
    Borgström, J., Briais, S., Nestmann, U.: Symbolic Bisimulation in the Spi Calculus. In: Gardner, P., Yoshida, N. (eds.) CONCUR 2004. LNCS, vol. 3170, pp. 161–176. Springer, Heidelberg (2004)Google Scholar
  66. 66.
    Bozga, L., Lakhnech, Y., Périn, M.: Pattern-based abstraction for verifying secrecy in protocols. International Journal on Software Tools for Technology Transfer (STTT) 8(1), 57–76 (2006)Google Scholar
  67. 67.
    Broadfoot, P.J., Roscoe, A.W.: Embedding agents within the intruder to detect parallel attacks. Journal of Computer Security 12(3/4), 379–408 (2004)Google Scholar
  68. 68.
    Broadfoot, P., Lowe, G., Roscoe, B.: Automating Data Independence. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 175–190. Springer, Heidelberg (2000)Google Scholar
  69. 69.
    Brusó, M., Chatzikokolakis, K., den Hartog, J.: Formal verification of privacy for RFID systems. In: CSF 2010, pp. 75–88. IEEE, Los Alamitos (2010)Google Scholar
  70. 70.
    Burrows, M., Abadi, M., Needham, R.: A logic of authentication. Proceedings of the Royal Society of London A 426(1871), 233–271 (1989)MathSciNetzbMATHGoogle Scholar
  71. 71.
    Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: FOCS 2001, pp. 136–145. IEEE, Los Alamitos (2001)Google Scholar
  72. 72.
    Canetti, R., Herzog, J.: Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 380–403. Springer, Heidelberg (2006)Google Scholar
  73. 73.
    Cervesato, I., Durgin, N., Lincoln, P., Mitchell, J., Scedrov, A.: A meta-notation for protocol analysis. In: CSFW 1999, pp. 55–69. IEEE, Los Alamitos (1999)Google Scholar
  74. 74.
    Chaki, S., Datta, A.: ASPIER: An automated framework for verifying security protocol implementations. In: CSF 2009, pp. 172–185. IEEE, Los Alamitos (2009)Google Scholar
  75. 75.
    Chen, L., Ryan, M.: Attack, Solution and Verification for Shared Authorisation Data in TCG TPM. In: Degano, P., Guttman, J.D. (eds.) FAST 2009. LNCS, vol. 5983, pp. 201–216. Springer, Heidelberg (2010)Google Scholar
  76. 76.
    Cheval, V., Comon-Lundh, H., Delaune, S.: Automating Security Analysis: Symbolic Equivalence of Constraint Systems. In: Giesl, J., Hähnle, R. (eds.) IJCAR 2010. LNCS (LNAI), vol. 6173, pp. 412–426. Springer, Heidelberg (2010)Google Scholar
  77. 77.
    Cheval, V., Comon-Lundh, H., Delaune, S.: Trace equivalence decision: Negative tests and non-determinism. In: CCS 2011, pp. 321–330. ACM, New York (2011)Google Scholar
  78. 78.
    Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: Deciding the Security of Protocols with Diffie-Hellman Exponentiation and Products in Exponents. In: Pandya, P.K., Radhakrishnan, J. (eds.) FSTTCS 2003. LNCS, vol. 2914, pp. 124–135. Springer, Heidelberg (2003)Google Scholar
  79. 79.
    Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: An NP decision procedure for protocol insecurity with XOR. In: LICS 2003, pp. 261–270. IEEE, Los Alamitos (2003)Google Scholar
  80. 80.
    Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: An NP decision procedure for protocol insecurity with XOR. Theoretical Computer Science 338(1-3), 247–274 (2005)MathSciNetzbMATHGoogle Scholar
  81. 81.
    Chevalier, Y., Vigneron, L.: A tool for lazy verification of security protocols. In: ASE 2001, pp. 373–376. IEEE, Los Alamitos (2001)Google Scholar
  82. 82.
    Ciobâcă, Ş.: Automated Verification of Security Protocols with Appplications to Electronic Voting. Ph.D. thesis, ENS Cachan (2011)Google Scholar
  83. 83.
    Comon, H., Cortier, V.: Tree automata with one memory, set constraints and cryptographic protocols. Theoretical Computer Science 331(1), 143–214 (2005)MathSciNetzbMATHGoogle Scholar
  84. 84.
    Comon-Lundh, H., Cortier, V.: New Decidability Results for Fragments of First-Order Logic and Application to Cryptographic Protocols. In: Nieuwenhuis, R. (ed.) RTA 2003. LNCS, vol. 2706, pp. 148–164. Springer, Heidelberg (2003)Google Scholar
  85. 85.
    Comon-Lundh, H., Cortier, V.: Security properties: two agents are sufficient. Science of Computer Programming 50(1-3), 51–71 (2004)MathSciNetzbMATHGoogle Scholar
  86. 86.
    Comon-Lundh, H., Cortier, V.: Computational soundness of observational equivalence. In: CCS 2008, pp. 109–118. ACM, New York (2008)Google Scholar
  87. 87.
    Comon-Lundh, H., Shmatikov, V.: Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In: LICS 2003, pp. 271–280. IEEE, Los Alamitos (2003)Google Scholar
  88. 88.
    Cortier, V., Delaune, S.: A method for proving observational equivalence. In: CSF 2009, pp. 266–276. IEEE, Los Alamitos (2009)Google Scholar
  89. 89.
    Cortier, V., Hördegen, H., Warinschi, B.: Explicit randomness is not necessary when modeling probabilistic encryption. In: Dima, C., Minea, M., Tiplea, F. (eds.) ICS 2006. ENTCS, vol. 186, pp. 49–65. Elsevier, Amsterdam (2006)Google Scholar
  90. 90.
    Cortier, V., Kremer, S., Küsters, R., Warinschi, B.: Computationally Sound Symbolic Secrecy in the Presence of Hash Functions. In: Arun-Kumar, S., Garg, N. (eds.) FSTTCS 2006. LNCS, vol. 4337, pp. 176–187. Springer, Heidelberg (2006)Google Scholar
  91. 91.
    Cortier, V., Kremer, S., Warinschi, B.: A survey of symbolic methods in computational analysis of cryptographic systems. Journal of Automated Reasoning 46(3-4), 225–259 (2011)MathSciNetzbMATHGoogle Scholar
  92. 92.
    Cortier, V., Rusinowitch, M., Zălinescu, E.: Relating two standard notions of secrecy. Logical Methods in Computer Science 3(3) (2007)Google Scholar
  93. 93.
    Cortier, V., Warinschi, B.: Computationally Sound, Automated Proofs for Security Protocols. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 157–171. Springer, Heidelberg (2005)Google Scholar
  94. 94.
    Cortier, V., Warinschi, B.: A composable computational soundness notion. In: CCS 2011, pp. 63–74. ACM, New York (2011)Google Scholar
  95. 95.
    Cortier, V., Zălinescu, E.: Deciding Key Cycles for Security Protocols. In: Hermann, M., Voronkov, A. (eds.) LPAR 2006. LNCS (LNAI), vol. 4246, pp. 317–331. Springer, Heidelberg (2006)Google Scholar
  96. 96.
    Courant, J., Daubignard, M., Ene, C., Lafourcade, P., Lakhnech, Y.: Towards automated proofs for asymmetric encryption schemes in the random oracle model. In: CCS 2008, pp. 371–380. ACM, New York (2008)Google Scholar
  97. 97.
    Courant, J., Daubignard, M., Ene, C., Lafourcade, P., Lakhnech, Y.: Automated Proofs for Asymmetric Encryption. In: Dams, D., Hannemann, U., Steffen, M. (eds.) de Roever Festschrift. LNCS, vol. 5930, pp. 300–321. Springer, Heidelberg (2010)Google Scholar
  98. 98.
    Courant, J., Ene, C., Lakhnech, Y.: Computationally Sound Typing for Non-interference: The Case of Deterministic Encryption. In: Arvind, V., Prasad, S. (eds.) FSTTCS 2007. LNCS, vol. 4855, pp. 364–375. Springer, Heidelberg (2007)Google Scholar
  99. 99.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: POPL 1979, pp. 269–282. ACM, New York (1979)Google Scholar
  100. 100.
    Cremers, C.J.F.: Scyther - Semantics and Verification of Security Protocols. Ph.D. thesis, Eindhoven University of Technology (2006)Google Scholar
  101. 101.
    Datta, A., Derek, A., Mitchell, J.C., Pavlovic, D.: A derivation system and compositional logic for security protocols. Journal of Computer Security 13(3), 423–482 (2005)Google Scholar
  102. 102.
    Datta, A., Derek, A., Mitchell, J.C., Turuani, M.: Probabilistic Polynomial-Time Semantics for a Protocol Security Logic. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 16–29. Springer, Heidelberg (2005)Google Scholar
  103. 103.
    Datta, A., Derek, A., Mitchell, J.C., Warinschi, B.: Computationally sound compositional logic for key exchange protocols. In: CSFW 2006, pp. 321–334. IEEE, Los Alamitos (2006)Google Scholar
  104. 104.
    Delaune, S., Kremer, S., Ryan, M.D.: Symbolic Bisimulation for the Applied Pi Calculus. In: Arvind, V., Prasad, S. (eds.) FSTTCS 2007. LNCS, vol. 4855, pp. 133–145. Springer, Heidelberg (2007)Google Scholar
  105. 105.
    Delaune, S., Kremer, S., Ryan, M.D.: Verifying privacy-type properties of electronic voting protocols. Journal of Computer Security 17(4), 435–487 (2009)Google Scholar
  106. 106.
    Delaune, S., Kremer, S., Ryan, M.D., Steel, G.: Formal analysis of protocols based on TPM state registers. In: CSF 2011, pp. 66–82. IEEE, Los Alamitos (2011)Google Scholar
  107. 107.
    Denker, G., Meseguer, J., Talcott, C.: Protocol specification and analysis in Maude. In: FMSP 1998 (1998)Google Scholar
  108. 108.
    Denker, G., Millen, J.: CAPSL integrated protocol environment. In: DISCEX 2000, pp. 207–221. IEEE, Los Alamitos (2000)Google Scholar
  109. 109.
    Denning, D.E., Sacco, G.M.: Timestamps in key distribution protocols. Commun. ACM 24(8), 533–536 (1981)Google Scholar
  110. 110.
    Dierks, T., Rescorla, E.: RFC 4346: The Transport Layer Security (TLS) protocol, version 1.1 (2006),
  111. 111.
    Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Transactions on Information Theory IT-29(12), 198–208 (1983)MathSciNetGoogle Scholar
  112. 112.
    Dupressoir, F., Gordon, A.D., Jürjens, J., Naumann, D.A.: Guiding a general-purpose C verifier to prove cryptographic protocols. In: CSF 2011, pp. 3–17. IEEE, Los Alamitos (2011)Google Scholar
  113. 113.
    Durante, L., Sisto, R., Valenzano, A.: Automatic testing equivalence verification of spi calculus specifications. ACM TOSEM 12(2), 222–284 (2003)Google Scholar
  114. 114.
    Durgin, N.A., Lincoln, P.D., Mitchell, J.C., Scedrov, A.: Undecidability of bounded security protocols. In: FMSP 1999 (1999)Google Scholar
  115. 115.
    Durgin, N., Lincoln, P., Mitchell, J.C., Scedrov, A.: Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security 12(2), 247–311 (2004)Google Scholar
  116. 116.
    Durgin, N., Mitchell, J.C., Pavlovic, D.: A compositional logic for proving security properties of protocols. Journal of Computer Security 11(4), 677–721 (2003)Google Scholar
  117. 117.
    Escobar, S., Meadows, C., Meseguer, J.: A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theoretical Computer Science 367(1-2), 162–202 (2006)MathSciNetzbMATHGoogle Scholar
  118. 118.
    Fábrega, F.J.T., Herzog, J.C., Guttman, J.D.: Strand spaces: Proving security protocols correct. Journal of Computer Security 7(2/3), 191–230 (1999)Google Scholar
  119. 119.
    Feret, J.: Analysis of mobile systems by abstract interpretation. Ph.D. thesis, École Polytechnique (2005)Google Scholar
  120. 120.
    Fournet, C., Kohlweiss, M.: Modular cryptographic verification by typing. In: FCC 2011 (2011)Google Scholar
  121. 121.
  122. 122.
    Galindo, D., Garcia, F.D., van Rossum, P.: Computational Soundness of Non-Malleable Commitments. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 361–376. Springer, Heidelberg (2008)Google Scholar
  123. 123.
    Genet, T., Klay, F.: Rewriting for Cryptographic Protocol Verification. In: McAllester, D. (ed.) CADE 2000. LNCS, vol. 1831, pp. 271–290. Springer, Heidelberg (2000)Google Scholar
  124. 124.
    Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984)MathSciNetzbMATHGoogle Scholar
  125. 125.
    Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptative chosen-message attacks. SIAM Journal of Computing 17(2), 281–308 (1988)MathSciNetzbMATHGoogle Scholar
  126. 126.
    Gordon, A.D., Jeffrey, A.: Typing One-to-One and One-to-Many Correspondences in Security Protocols. In: Okada, M., Babu, C.S., Scedrov, A., Tokuda, H. (eds.) ISSS 2002. LNCS, vol. 2609, pp. 263–282. Springer, Heidelberg (2003)Google Scholar
  127. 127.
    Gordon, A., Jeffrey, A.: Authenticity by typing for security protocols. Journal of Computer Security 11(4), 451–521 (2003)Google Scholar
  128. 128.
    Gordon, A., Jeffrey, A.: Types and effects for asymmetric cryptographic protocols. Journal of Computer Security 12(3/4), 435–484 (2004)Google Scholar
  129. 129.
    Goubault-Larrecq, J.: A Method for Automatic Cryptographic Protocol Verification (Extended Abstract). In: Rolim, J.D.P. (ed.) IPDPS 2000 Workshops. LNCS, vol. 1800, pp. 977–984. Springer, Heidelberg (2000)Google Scholar
  130. 130.
    Goubault-Larrecq, J.: Deciding \({\cal H}_1\) by resolution. Information Processing Letters 95(3), 401–408 (2005)MathSciNetzbMATHGoogle Scholar
  131. 131.
    Goubault-Larrecq, J., Parrennes, F.: Cryptographic Protocol Analysis on Real C Code. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 363–379. Springer, Heidelberg (2005)Google Scholar
  132. 132.
    Halevi, S.: A plausible approach to computer-aided cryptographic proofs. Cryptology ePrint Archive, Report 2005/181 (2005),
  133. 133.
    Heather, J., Lowe, G., Schneider, S.: How to prevent type flaw attacks on security protocols. In: CSFW 2000, pp. 255–268. IEEE, Los Alamitos (2000)Google Scholar
  134. 134.
    Heather, J., Schneider, S.: A decision procedure for the existence of a rank function. Journal of Computer Security 13(2), 317–344 (2005)Google Scholar
  135. 135.
    Hüttel, H.: Deciding framed bisimilarity. In: INFINITY 2002, pp. 1–20 (2002)Google Scholar
  136. 136.
    Janvier, R., Lakhnech, Y., Mazaré, L.: Completing the Picture: Soundness of Formal Encryption in the Presence of Active Adversaries. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 172–185. Springer, Heidelberg (2005)Google Scholar
  137. 137.
    Janvier, R., Lakhnech, Y., Mazaré, L.: Relating the symbolic and computational models of security protocols using hashes. In: Degano, P., Küsters, R., Viganò, L., Zdancewic, S. (eds.) FCS-ARSPA 2006, pp. 67–89 (2006)Google Scholar
  138. 138.
    Jürjens, J.: Security analysis of crypto-based Java programs using automated theorem provers. In: ASE 2006, pp. 167–176. IEEE, Los Alamitos (2006)Google Scholar
  139. 139.
    Kremer, S., Ryan, M.D.: Analysis of an Electronic Voting Protocol in the Applied Pi Calculus. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 186–200. Springer, Heidelberg (2005)Google Scholar
  140. 140.
    Küsters, R., Truderung, T.: Reducing protocol analysis with XOR to the XOR-free case in the Horn theory based approach. In: CCS 2008, pp. 129–138. ACM, New York (2008)Google Scholar
  141. 141.
    Küsters, R., Truderung, T.: Using ProVerif to analyze protocols with Diffie-Hellman exponentiation. In: CSF 2009, pp. 157–171. IEEE, Los Alamitos (2009)Google Scholar
  142. 142.
    Laud, P.: Handling Encryption in an Analysis for Secure Information Flow. In: Degano, P. (ed.) ESOP 2003. LNCS, vol. 2618, pp. 159–173. Springer, Heidelberg (2003)Google Scholar
  143. 143.
    Laud, P.: Symmetric encryption in automatic analyses for confidentiality against active adversaries. In: IEEE Symposium on Security and Privacy, pp. 71–85. IEEE, Los Alamitos (2004)Google Scholar
  144. 144.
    Laud, P.: Secrecy types for a simulatable cryptographic library. In: CCS 2005, pp. 26–35. ACM, New York (2005)Google Scholar
  145. 145.
    Laud, P., Tšahhirov, I.: A User Interface for a Game-Based Protocol Verification Tool. In: Degano, P., Guttman, J. (eds.) FAST 2009. LNCS, vol. 5983, pp. 263–278. Springer, Heidelberg (2010)Google Scholar
  146. 146.
    Laud, P., Vene, V.: A Type System for Computationally Secure Information Flow. In: Liśkiewicz, M., Reischuk, R. (eds.) FCT 2005. LNCS, vol. 3623, pp. 365–377. Springer, Heidelberg (2005)Google Scholar
  147. 147.
    Liu, J., Lin, H.: A Complete Symbolic Bisimulation for Full Applied Pi Calculus. In: van Leeuwen, J., Muscholl, A., Peleg, D., Pokorný, J., Rumpe, B. (eds.) SOFSEM 2010. LNCS, vol. 5901, pp. 552–563. Springer, Heidelberg (2010)Google Scholar
  148. 148.
    Lowe, G.: Breaking and Fixing the Needham-Schroeder Public-Key Protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)Google Scholar
  149. 149.
    Lowe, G.: A hierarchy of authentication specifications. In: CSFW 1997, pp. 31–43. IEEE, Los Alamitos (1997)Google Scholar
  150. 150.
    Lux, K.D., May, M.J., Bhattad, N.L., Gunter, C.A.: WSEmail: Secure internet messaging based on web services. In: ICWS 2005, pp. 75–82. IEEE, Los Alamitos (2005)Google Scholar
  151. 151.
    Meadows, C.A.: The NRL protocol analyzer: An overview. Journal of Logic Programming 26(2), 113–131 (1996)zbMATHGoogle Scholar
  152. 152.
    Micciancio, D., Warinschi, B.: Soundness of Formal Encryption in the Presence of Active Adversaries. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 133–151. Springer, Heidelberg (2004)Google Scholar
  153. 153.
    Milicia, G.: χ-spaces: Programming security protocols. In: NWPT 2002 (2002)Google Scholar
  154. 154.
    Millen, J.: A necessarily parallel attack. In: FMSP 1999 (1999)Google Scholar
  155. 155.
    Millen, J., Shmatikov, V.: Constraint solving for bounded-process cryptographic protocol analysis. In: CCS 2001, pp. 166–175. ACM, New York (2001)Google Scholar
  156. 156.
    Millen, J.K.: The Interrogator model. In: IEEE Symposium on Security and Privacy, pp. 251–260. IEEE, Los Alamitos (1995)Google Scholar
  157. 157.
    Millen, J.K., Clark, S.C., Freedman, S.B.: The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering SE-13(2), 274–288 (1987)Google Scholar
  158. 158.
    Milner, R.: Communicating and mobile systems: the π-calculus. Cambridge University Press (1999)Google Scholar
  159. 159.
    Mitchell, J.C., Mitchell, M., Stern, U.: Automated analysis of cryptographic protocols using Murϕ. In: IEEE Symposium on Security and Privacy, pp. 141–151. IEEE, Los Alamitos (1997)Google Scholar
  160. 160.
    Monniaux, D.: Abstracting cryptographic protocols with tree automata. Science of Computer Programming 47(2-3), 177–202 (2003)MathSciNetzbMATHGoogle Scholar
  161. 161.
    Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978)zbMATHGoogle Scholar
  162. 162.
    Nowak, D.: A Framework for Game-Based Security Proofs. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 319–333. Springer, Heidelberg (2007)Google Scholar
  163. 163.
    Nowak, D.: On Formal Verification of Arithmetic-Based Cryptographic Primitives. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 368–382. Springer, Heidelberg (2009)Google Scholar
  164. 164.
    O’Shea, N.: Using Elyjah to analyse Java implementations of cryptographic protocols. In: FCS-ARSPA-WITS 2008 (2008)Google Scholar
  165. 165.
    Paulson, L.C.: The inductive approach to verifying cryptographic protocols. Journal of Computer Security 6(1-2), 85–128 (1998)Google Scholar
  166. 166.
    Pironti, A., Sisto, R.: Provably correct Java implementations of spi calculus security protocols specifications. Computers and Security 29(3), 302–314 (2010)Google Scholar
  167. 167.
    Poll, E., Schubert, A.: Verifying an implementation of SSH. In: WITS 2007 (2007)Google Scholar
  168. 168.
    Pozza, D., Sisto, R., Durante, L.: Spi2Java: Automatic cryptographic protocol Java code generation from spi calculus. In: AINA 2004, vol. 1, pp. 400–405. IEEE, Los Alamitos (2004)Google Scholar
  169. 169.
    Sarukkai, S., Suresh, S.P.: Tagging Makes Secrecy Decidable with Unbounded Nonces as Well. In: Pandya, P.K., Radhakrishnan, J. (eds.) FSTTCS 2003. LNCS, vol. 2914, pp. 363–374. Springer, Heidelberg (2003)Google Scholar
  170. 170.
    Roscoe, A.W., Broadfoot, P.J.: Proving security protocols with model checkers by data independence techniques. Journal of Computer Security 7(2, 3), 147–190 (1999)Google Scholar
  171. 171.
    Rusinowitch, M., Turuani, M.: Protocol insecurity with finite number of sessions is NP-complete. Theoretical Computer Science 299(1-3), 451–475 (2003)MathSciNetzbMATHGoogle Scholar
  172. 172.
    Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332 (2004),
  173. 173.
    Smith, G., Alpízar, R.: Secure information flow with random assignment and encryption. In: FMSE 2006, pp. 33–43 (2006)Google Scholar
  174. 174.
    Song, D., Perrig, A., Phan, D.: AGVI - Automatic Generation, Verification, and Implementation of Security Protocols. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 241–245. Springer, Heidelberg (2001)Google Scholar
  175. 175.
    Song, D.X., Berezin, S., Perrig, A.: Athena: a novel approach to efficient automatic security protocol analysis. Journal of Computer Security 9(1/2), 47–74 (2001)Google Scholar
  176. 176.
    Sprenger, C., Backes, M., Basin, D., Pfitzmann, B., Waidner, M.: Cryptographically sound theorem proving. In: CSFW 2006, pp. 153–166. IEEE, Los Alamitos (2006)Google Scholar
  177. 177.
    Swamy, N., Chen, J., Fournet, C., Strub, P.Y., Bharagavan, K., Yang, J.: Secure distributed programming with value-dependent types. In: Chakravarty, M.M.T., Hu, Z., Danvy, O. (eds.) ICFP 2011, pp. 266–278. ACM, New York (2011)Google Scholar
  178. 178.
    Tšahhirov, I., Laud, P.: Application of Dependency Graphs to Security Protocol Analysis. In: Barthe, G., Fournet, C. (eds.) TGC 2007. LNCS, vol. 4912, pp. 294–311. Springer, Heidelberg (2008)Google Scholar
  179. 179.
    Weidenbach, C.: Towards an Automatic Analysis of Security Protocols in First-Order Logic. In: Ganzinger, H. (ed.) CADE 1999. LNCS (LNAI), vol. 1632, pp. 314–328. Springer, Heidelberg (1999)Google Scholar
  180. 180.
    Woo, T.Y.C., Lam, S.S.: A semantic model for authentication protocols. In: IEEE Symposium on Security and Privacy, pp. 178–194. IEEE, Los Alamitos (1993)Google Scholar
  181. 181.
    Yao, A.C.: Theory and applications of trapdoor functions. In: FOCS 1982, pp. 80–91. IEEE, Los Alamitos (1982)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Bruno Blanchet
    • 1
  1. 1.INRIA, École Normale Supérieure, CNRSParisFrance

Personalised recommendations