Proofs of security protocols revisited

Guillaume Scerri 1, 2
2 CASSIS - Combination of approaches to the security of infinite states systems
FEMTO-ST - Franche-Comté Électronique Mécanique, Thermique et Optique - Sciences et Technologies (UMR 6174), Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods
Abstract : With the rise of the Internet, the use of cryptographic protocols became ubiquitous. Considering the criticality and complexity of these protocols, there is an important need for formal verification. In order to obtain formal proofs of cryptographic protocols, two main attacker models have been developed: the symbolic model and the computational model. The symbolic model defines the attacker's capabilities as a fixed set of rules. On the other hand, the computational model describes only the attacker's limitations by stating that it may not break some hard problems. While the former is quite abstract and convenient for automating proofs, the latter offers much stronger guarantees. There is a gap between the guarantees offered by these two models due to the fact that the symbolic model defines what the adversary may do while the computational model describes what it may not do. Since Abadi and Rogaway in 2000, a lot of results have aimed at bridging this gap, in order to have symbolic proofs yielding computational guarantees. They however all come at the cost of very strong and often unrealistic hypotheses, due to the fact that attacker capabilities are defined in a fundamentally different way in the two models. In order to overcome this problem, in 2012 Bana and Comon devised a new symbolic model in which the attacker's limitations are axiomatised. Proving security in this new model amounts to checking – for every trace of the protocol – the unsatisfiability of a set of formulae corresponding to the trace, together with the negation of the security property and some axioms representing the attacker's limitations. In addition, provided that the computational semantics of the axioms follows from the cryptographic hypotheses, proving security in this symbolic model yields security in the computational model.
The possibility of automating proofs in this model (and finding axioms general enough to prove a large class of protocols) was left open in the original paper from Bana and Comon. In this thesis we provide an efficient decision procedure for a general class of axioms. In addition we propose a tool (SCARY) implementing this decision procedure. Experimental results of our tool show that the axioms we designed for modelling security of encryption are general enough to prove a large class of protocols.

Cited literature [43 references]
Contributor : Guillaume Scerri
Submitted on : Wednesday, March 18, 2015 - 2:37:44 PM
Last modification on : Tuesday, December 18, 2018 - 4:38:25 PM
Long-term archiving on : Monday, April 17, 2017 - 6:36:36 PM



  • HAL Id : tel-01133067, version 1


Guillaume Scerri. Proofs of security protocols revisited. Cryptography and Security [cs.CR]. Ecole Normale Supérieure de Cachan, 2015. English. ⟨NNT : ENSC-2015-no 561⟩. ⟨tel-01133067⟩


