@incollection{jgl-encyc06,
author = {Goubault{-}Larrecq, Jean},
title = {Preuve et v{\'e}rification pour la s{\'e}curit{\'e}
et la s{\^u}ret{\'e}},
booktitle = {Encyclop{\'e}die de l'informatique et des syst{\`e}mes
d'information},
editor = {Akoka, Jacky and Comyn-Wattiau, Isabelle},
pages = {683--703},
publisher = {Vuibert},
year = 2006,
month = dec,
chapter = {I.6},
url = {http://www.vuibert.com/livre12401.html},
abstract = {La s\^uret\'e, comme la s\'ecurit\'e, \'enonce qu'un mal n'arrive
jamais.  Le but de cet article est de d\'efinir la notion de propri\'et\'e
de s\^uret\'e, et d'en d\'ecrire quelques techniques de v\'erification et de
preuve~: model-checking, interpr\'etation abstraite notamment.  Apr\`es
avoir remarqu\'e qu'il n'y avait pas de s\'ecurit\'e sans s\^uret\'e, il est
expliqu\'e que l'analyse de s\'ecurit\'e d'un syst\`eme repose sur un
mod\`ele, des hypoth\`eses, des propri\'et\'es \`a v\'erifier, et une
architecture de s\'ecurit\'e.  Finalement, il est donn\'e un aper\c{c}u de
quelques mod\`eles et m\'ethodes de preuve de protocoles
cryptographiques.}
}

@inproceedings{BJ-secret06,
month = jul,
year = 2006,
editor = {Fern{\'a}ndez, Maribel and Kirchner, Claude},
acronym = {{SecReT}'06},
booktitle = {{P}reliminary {P}roceedings of the 1st
{I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
({SecReT}'06)},
author = {Bouhoula, Adel and Jacquemard, Florent},
title = {Security Protocols Verification with Implicit Induction and
Explicit Destructors},
pages = {37--44},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-secret06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-secret06.pdf},
abstract = {We present a new method for automatic implicit induction theorem
proving, and its application for the verification of a key distribution
cryptographic protocol. The~method can handle axioms between constructor
terms, a~feature generally not supported by other induction procedures. We~use
such axioms in order to specify explicit destructors representing
cryptographic operators.}
}

@inproceedings{BC-asian06,
month = jan,
year = 2008,
volume = 4435,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Okada, Mitsu and Satoh, Ichiro},
acronym = {{ASIAN}'06},
booktitle = {{R}evised {S}elected {P}apers of the 11th {A}sian
{C}omputing {S}cience {C}onference
({ASIAN}'06)},
author = {Bernat, Vincent and Comon{-}Lundh, Hubert},
title = {Normal proofs in intruder theories},
pages = {151--166},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BC-asian06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BC-asian06.pdf},
doi = {10.1007/978-3-540-77505-8_12},
abstract = {Given an arbitrary intruder deduction capability, modeled as an
inference system~$\mathcal{S}$ and a protocol, we show how to
compute an inference system~$\widehat{\mathcal{S}}$ such that
the security problem for an unbounded number of sessions is
equivalent to the deducibility of some message
in~$\widehat{\mathcal{S}}$. Then, assuming that
$\mathcal{S}$~has some subformula property, we lift such a
property to~$\widehat{\mathcal{S}}$, thanks to a proof
normalisation theorem. In~general, for an unbounded number of
sessions, this provides with a complete deduction strategy. In
case of a bounded number of sessions, our theorem implies that
the security problem is co-NP-complete. As an instance of our
result we get a decision algorithm for the theory of
blind-signatures, which, to our knowledge, was not known
before.}
}

@inproceedings{LNZ-asian06,
month = jan,
year = 2008,
volume = 4435,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Okada, Mitsu and Satoh, Ichiro},
acronym = {{ASIAN}'06},
booktitle = {{R}evised {S}elected {P}apers of the 11th {A}sian
{C}omputing {S}cience {C}onference
({ASIAN}'06)},
author = {Lasota, S{\l}awomir and Nowak, David and Yu, Zhang},
title = {On completeness of logical relations for monadic types},
pages = {223--230},
nmnote = {autc parce que c'est un short paper, pas ant pour Zhang Yu},
doi = {10.1007/978-3-540-77505-8_17},
abstract = {Software security can be ensured by specifying and verifying
security properties of software using formal methods with
strong theoretical bases. In~particular, programs can be
modeled in the framework of lambda-calculi, and interesting
properties can be expressed formally by contextual
equivalence (a.k.a.~observational equivalence). Furthermore,
imperative features, which exist in most real-life software,
can be nicely expressed in the so-called computational
lambda-calculus. Contextual equivalence is difficult to
prove directly, but we can often use logical relations as a
tool to establish it in lambda-calculi. We~have already
defined logical relations for the computational
lambda-calculus in previous work. We~devote this paper to
the study of their completeness w.r.t.~contextual
equivalence in the computational lambda-calculus.}
}

@inproceedings{abw-fossacs2006,
month = mar,
year = 2006,
volume = 3921,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Aceto, Luca and Ing{\'o}lfsd{\'o}ttir, Anna},
acronym = {{FoSSaCS}'06},
booktitle = {{P}roceedings of the 9th {I}nternational
{C}onference on {F}oundations of {S}oftware {S}cience
and {C}omputation {S}tructures
({FoSSaCS}'06)},
author = {Abadi, Mart{\'\i}n and Baudet, Mathieu and
Warinschi, Bogdan},
title = {Guessing Attacks and the Computational Soundness of
Static Equivalence},
pages = {398--412},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABW_Fossacs06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABW_Fossacs06.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/ABW_Fossacs06.ps},
doi = {10.1007/11690634_27},
abstract = {The indistinguishability of two pieces of
data (or two lists of pieces of data) can be
represented formally in terms of a relation called
static equivalence. Static equivalence depends on an
underlying equational theory. The choice of an
inappropriate equational theory can lead to overly
pessimistic or overly optimistic notions of
indistinguishability, and in turn to security criteria
that require protection against impossible attacks
or ---worse yet--- that ignore feasible ones.  In this
paper, we define and justify an equational theory for
standard, fundamental cryptographic operations. This
equational theory yields a notion of static equivalence
that implies computational indistinguishability. Static
equivalence remains liberal enough for use in
applications. In particular, we develop and analyze a
principled formal account of guessing attacks in terms
of static equivalence.}
}

@inproceedings{edos2006wsl,
month = apr,
year = 2006,
editor = {Berger, Olivier},
acronym = {{IWFS}'06},
booktitle = {{P}roceedings of the {I}nternational
{W}orkshop on {F}ree {S}oftware
({IWFS}'06)},
author = {Boender, Jaap and Di Cosmo, Roberto and Durak, Berke and Leroy, Xavier
and Mancinelli, Fabio and Morgado, Mario and Pinheiro, David and
Treinen, Ralf and  Trezentos, Paulo and Vouillon, J{\'e}r{\^o}me},
title = {News from the {EDOS} project: improving the maintenance of free
software distributions},
pages = {199--207},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/wsl06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/wsl06.pdf},
abstract = {The EDOS research project aims
at contributing to the quality assurance of free software
distributions. This is a major technical and engineering
challenge, due to the size and complexity of these
distributions (tens of thousands of software packages). We
present here some of the challenges that we have tackled so
available to the community as an outcome of the first year
of work. }
}

@inproceedings{edos2006ase,
month = sep,
year = 2006,
publisher = {{IEEE} Computer Society Press},
acronym = {{ASE}'06},
booktitle = {{P}roceedings of the 21st {IEEE}/{ACM} {I}nternational
{C}onference on {A}utomated {S}oftware {E}ngineering
({ASE}'06)},
author = {Mancinelli, Fabio and Boender, Jaap and Di Cosmo, Roberto and
Vouillon, J{\'e}r{\^o}me and Durak, Berke and Leroy, Xavier
and Treinen, Ralf},
title = {Managing the Complexity of Large Free and Open Source
Package-Based Software Distributions},
pages = {199--208},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/edos-ase06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/edos-ase06.pdf},
doi = {10.1109/ASE.2006.49},
abstract = {in many strategic contexts of the information technology society has drawn the
attention on the issues regarding how to handle the complexity of assembling
and managing a huge number of (packaged) components in a consistent and
effective~way. FOSS~distributions (and~in particular GNU\slash Linux-based~ones)
have always provided tools for managing the tasks of installing, removing and
provide a (not always effective) way to handle these tasks on the client side,
there is still a lack of tools that could help the distribution editors to
maintain, on the server side, large and high-quality distributions. In~this
paper we present our research whose main goal is to fill this gap: we~show our
approach, the tools we have developed and their application with experimental
results. Our~contribution provides an effective and automatic way to support
distribution editors in handling those issues that were, until now, mostly},
nmnote = {abstract text is truncated in this copy (beginning, middle and end missing)}
}

@inproceedings{CKKW-fsttcs2006,
month = dec,
year = 2006,
volume = 4337,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Garg, Naveen and Arun-Kumar, S.},
acronym = {{FSTTCS}'06},
booktitle = {{P}roceedings of the 26th {C}onference on
{F}oundations of {S}oftware {T}echnology and
{T}heoretical {C}omputer {S}cience
({FSTTCS}'06)},
author = {Cortier, V{\'e}ronique and Kremer, Steve and
K{\"u}sters, Ralf and Warinschi, Bogdan},
title = {Computationally Sound Symbolic Secrecy in the Presence of Hash Functions},
pages = {176--187},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CKKW-fsttcs06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CKKW-fsttcs06.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CKKW-fsttcs06.ps},
doi = {10.1007/11944836_18},
abstract = {The standard symbolic, deducibility-based notions of secrecy are
in general insufficient from a cryptographic point of view, especially in
presence of hash functions. In~this paper we devise and motivate a more
appropriate secrecy criterion which exactly captures a standard cryptographic
notion of secrecy for protocols involving public-key encryption and hash
functions: protocols that satisfy it are computationally secure while any
violation of our criterion directly leads to an attack. Furthermore, we prove
that our criterion is decidable via an NP decision procedure. Our~results hold
for standard security notions for encryption and hash functions modeled as
random oracles.}
}

@article{CDL05-survey,
publisher = {{IOS} Press},
journal = {Journal of Computer Security},
author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie and Lafourcade, Pascal},
title = {A Survey of Algebraic Properties Used in Cryptographic
Protocols},
year = {2006},
volume = 14,
number = 1,
pages = {1--43},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/surveyCDL.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/surveyCDL.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/surveyCDL.ps},
abstract = {Cryptographic protocols are
successfully analyzed using formal methods.
However, formal approaches usually consider the
encryption schemes as black boxes and assume that
an adversary cannot learn anything from an
encrypted message except if he has the key. Such an
assumption is too strong in general since some
attacks exploit in a clever way the interaction
between protocol rules and properties of
cryptographic operators. Moreover, the executability of some
protocols relies explicitly on some algebraic
properties of cryptographic primitives such as
commutative encryption. We give a list of some
relevant algebraic properties of cryptographic
operators, and for each of them, we provide
examples of protocols or attacks using these
properties. We also give an overview of the
existing methods in formal approaches for analyzing
cryptographic protocols.}
}

@article{delaune-tcs06,
publisher = {Elsevier Science Publishers},
journal = {Theoretical Computer Science},
author = {Delaune, St{\'e}phanie},
title = {An Undecidability Result for~{\textsf{\MakeUppercase{AG}h}}},
volume = 368,
number = {1--2},
pages = {161--167},
year = 2006,
month = dec,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/delaune-tcs06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/delaune-tcs06.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/delaune-tcs06.ps},
doi = {10.1016/j.tcs.2006.08.018},
abstract = {We present an undecidability result for
the verification of security protocols. Since the
\emph{perfect cryptography assumption} is unrealistic
for cryptographic primitives with visible algebraic
properties, several recent works relax this assumption,
allowing the intruder to exploit these properties. We
are interested in the \emph{Abelian groups} theory in
combination with the homomorphism axiom. We show that
satisfiability of symbolic deducibility constraints
is undecidable, obtaining in this way the first
undecidability result concerning a theory for which
unification is known to be decidable~[F.~Baader, Unification
in commutative theories, Hilbert's basis theorem, and
Gr{\"o}bner
bases, J.~ACM~40(3) (1993)~477--503].}
}

@inproceedings{DKR-wote06,
month = jun,
year = 2006,
acronym = {{WOTE}'06},
booktitle = {{P}roceedings of the {IAVoSS} {W}orkshop {O}n {T}rustworthy {E}lections
({WOTE}'06)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and
Ryan, Mark D.},
title = {Verifying Properties of Electronic Voting Protocols},
pages = {45--52},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-wote06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-wote06.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DKR-wote06.ps},
abstract = {In this paper we report on some recent work to formally specify
and verify electronic voting protocols. In particular, we use the formalism of
the applied pi calculus: the applied pi calculus is a formal language
similar to the pi calculus but with useful extensions for modelling
cryptographic protocols. We model several important properties, namely
fairness, eligibility, privacy, receipt-freeness and coercion-resistance.
Verification of these properties is illustrated on two case studies and has
been partially automated using Blanchet's ProVerif tool.}
}

@inproceedings{DKR-csfw06,
month = jul,
year = 2006,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSFW}'06},
booktitle = {{P}roceedings of the
19th {IEEE} {C}omputer {S}ecurity {F}oundations
{W}orkshop ({CSFW}'06)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and
Ryan, Mark D.},
title = {Coercion-Resistance and Receipt-Freeness in
Electronic Voting},
pages = {28--39},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csfw06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csfw06.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DKR-csfw06.ps},
doi = {10.1109/CSFW.2006.8},
abstract = {In this paper we formally study
important properties of electronic voting protocols.
In particular we are interested in
coercion-resistance and receipt-freeness.
Intuitively, an election protocol is
coercion-resistant if a voter $A$ cannot prove to a
potential coercer~$C$ that she voted in a particular
way.  We assume that $A$ cooperates with~$C$ in an
interactive way. Receipt-freeness is a weaker
property, for which we assume that $A$ and~$C$
cannot interact during the protocol, but $A$ later
provides evidence (the receipt) of how she voted.
While receipt-freeness can be expressed using
observational equivalence from the applied pi
calculus, we need to introduce a new relation to
capture coercion-resistance. Our formalization of
coercion-resistance and receipt-freeness are quite
different. Nevertheless, we show in accordance with
intuition that coercion-resistance implies
receipt-freeness, which implies privacy, the basic
anonymity property of voting protocols, as defined
in previous work. Finally we illustrate the
definitions on a simplified version of the
Lee~\emph{et~al.}\ voting protocol.}
}

@inproceedings{DLLT-ICALP2006,
month = jul,
year = 2006,
volume = 4052,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Bugliesi, Michele and Preneel, Bart and Sassone, Vladimiro and Wegener, Ingo},
acronym = {{ICALP}'06},
booktitle = {{P}roceedings of the 33rd {I}nternational
{C}olloquium on {A}utomata, {L}anguages and
{P}rogramming ({ICALP}'06)~--- {P}art~{II}},
author = {Delaune, St{\'e}phanie and Lafourcade, Pascal and
Lugiez, Denis and Treinen, Ralf},
title = {Symbolic Protocol Analysis in Presence of a Homomorphism
Operator and {\emph{Exclusive~Or}}},
pages = {132--143},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-icalp06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-icalp06.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DLLT-icalp06.ps},
doi = {10.1007/11787006_12},
abstract = {Security of a cryptographic
protocol for a bounded number of sessions is
usually expressed as a symbolic trace
reachability problem. We show that symbolic
trace reachability for well-defined protocols
is decidable in presence of the exclusive or
theory in combination with the homomorphism
axiom. These theories allow us to model basic
properties of important cryptographic
operators. This trace reachability problem
can be expressed as a system of symbolic
deducibility constraints for a certain
inference system describing the capabilities
of the attacker. One main step of our proof
consists in reducing deducibility constraints
to constraints for deducibility in one step
of the inference system. This constraint
system, in turn, can be expressed as a system
of quadratic equations of a particular form
over $\mathbb{Z}/2\mathbb{Z}[h]$, the ring
of polynomials in one indeterminate over the
finite field $\mathbb{Z}/2\mathbb{Z}$. We
show that satisfiability of such systems is
decidable. }
}

@proceedings{CK-fcc2006,
editor = {Cortier, V{\'e}ronique and Kremer, Steve},
booktitle = {{P}roceedings of the 2nd {W}orkshop on {F}ormal and
{C}omputational {C}ryptography ({FCC}'06)},
title = {{P}roceedings of the 2nd {W}orkshop on {F}ormal and
{C}omputational {C}ryptography ({FCC}'06)},
year = 2006,
month = jul,
url = {http://hal.inria.fr/FCC2006/}
}

@article{CKS-jar2005,
publisher = {Springer},
journal = {Journal of Automated Reasoning},
author = {Chadha, Rohit and Kremer, Steve and Scedrov, Andre},
title = {Formal Analysis of Multi-Party Contract Signing},
volume = 36,
number = {1--2},
pages = {39--83},
year = 2006,
month = jan,
nmnote = {Special Issue on Automated Reasoning for Security Protocol Analysis},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/mpcs-CKS.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/mpcs-CKS.pdf},
doi = {10.1007/s10817-005-9019-5},
abstract = {We analyze the multi-party contract-signing protocols
of Garay and MacKenzie (GM) and of Baum and Waidner
(BW). We use a finite-state tool, {\scshape Mocha},
which allows specification of protocol properties in
a branching-time temporal logic with game semantics.
While our analysis does not reveal any errors in the
BW protocol, in the GM protocol we discover serious
problems with fairness for four signers and an
oversight regarding abuse-freeness for three signers.
We propose a complete revision of the GM subprotocols
in order to restore fairness.}
}

@article{dj-jar05,
publisher = {Springer},
journal = {Journal of Automated Reasoning},
author = {Delaune, St{\'e}phanie and Jacquemard, Florent},
title = {Decision Procedures for the Security of
Protocols with Probabilistic Encryption against
Offline Dictionary Attacks},
volume = 36,
number = {1--2},
year = 2006,
month = jan,
pages = {85--124},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DJ-jar05.ps},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DJ-jar05.ps},
doi = {10.1007/s10817-005-9017-7},
abstract = {We consider the problem of formal
automatic verification of cryptographic protocols
when some data, like poorly chosen passwords, can
be guessed by dictionary attacks. First, we define
a theory of these attacks and propose an inference
system modeling the deduction capabilities of an
intruder. This system extends a set of well
studied deduction rules for symmetric and public
key encryption often called Dolev-Yao rules with
the introduction of a probabilistic encryption
operator and guessing abilities for the intruder.
Then, we show that the intruder deduction problem
in this extended model is decidable in~PTIME. The
proof is based on a locality lemma for our
inference system. This first result yields an
NP decision procedure for the protocol insecurity
problem in presence of a passive intruder. In the
active case, the same problem is proved to be
NP-complete: we give a procedure for
simultaneously solving symbolic constraints with
variables which represent intruder deductions. We
illustrate the procedure with examples of
published protocols and compare our model to other
recent formal definitions of dictionary attacks.}
}

@article{SD-ipl05,
publisher = {Elsevier Science Publishers},
journal = {Information Processing Letters},
author = {Delaune, St{\'e}phanie},
title = {Easy Intruder Deduction Problems with Homomorphisms},
volume = 97,
number = 6,
pages = {213--218},
month = mar,
year = 2006,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SD-ipl05.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SD-ipl05.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/SD-ipl05.ps},
doi = {10.1016/j.ipl.2005.11.008},
abstract = {We present complexity results for
the verification of security protocols. Since
the perfect cryptography assumption is
unrealistic for cryptographic primitives with
visible algebraic properties, we extend the
classical \emph{Dolev-Yao} model by permitting
the intruder to exploit these properties. More
precisely, we are interested in theories such
as \emph{Exclusive or} and \emph{Abelian
groups} in combination with the homomorphism
axiom. We show that the intruder deduction
problem is in PTIME in both cases, improving
the EXPTIME complexity results presented},
nmnote = {abstract text is truncated in this copy (end of last sentence missing)}
}

@inproceedings{JRV-ijcar06,
month = aug,
year = 2006,
volume = 4130,
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer-Verlag},
editor = {Furbach, Ulrich and Shankar, Natarajan},
acronym = {{IJCAR}'06},
booktitle = {{P}roceedings of the 3rd {I}nternational {J}oint
{C}onference on {A}utomated {R}easoning
({IJCAR}'06)},
author = {Jacquemard, Florent and Rusinowitch, Micha{\"e}l
and Vigneron, Laurent},
title = {Tree automata with equality constraints modulo equational
theories},
pages = {557--571},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2006-07.pdf},
doi = {10.1007/11814771_45},
abstract = {This paper presents new classes
of tree automata combining automata with
equality test and automata modulo equational
theories. We believe that this class has a
good potential for application in
\emph{e.g.}~software verification. These tree
automata are obtained by extending the
standard Horn clause representations with
equational conditions and rewrite systems.
We show in particular that a generalized
membership problem (extending the emptiness
problem) is decidable by proving that the
saturation of tree automata presentations
with suitable paramodulation strategies
terminates. Alternatively our results can be
viewed as new decidable classes of
first-order formula.}
}

@inproceedings{Laf-secret06,
month = jul,
year = 2007,
number = 4,
volume = 171,
series = {Electronic Notes in Theoretical Computer Science},
publisher = {Elsevier Science Publishers},
editor = {Fern{\'a}ndez, Maribel and Kirchner, Claude},
acronym = {{SecReT}'06},
booktitle = {{P}roceedings of the 1st
{I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
({SecReT}'06)},
author = {Lafourcade, Pascal},
title = {Intruder Deduction for the Equational Theory of
{\emph{Exclusive-or}}
with Commutative and Distributive Encryption},
pages = {37--57},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Laf-secret06-long.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Laf-secret06-long.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/Laf-secret06-long.ps},
nomorelongpdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/
rr-lsv-2005-21.pdf},
nomorelongps = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/
rr-lsv-2005-21.ps},
nomorelongpsgz = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PSGZ/
rr-lsv-2005-21.ps.gz},
doi = {10.1016/j.entcs.2007.02.054},
abstract = {The first step in the verification of cryptographic protocols is
to decide the intruder deduction problem, that is the vulnerability to a
so-called passive attacker. We~extend the Dolev-Yao model in order to
model this problem in presence of the equational theory of a commutative
encryption operator which distributes over the \emph{exclusive-or}
operator. The~interaction between the commutative distributive law of the
encryption and \emph{exclusive-or} offers more possibilities to decrypt an
encrypted message than in the non-commutative case, which implies a more
careful analysis of the proof system. We~prove decidability of the
intruder deduction problem for a commutative encryption which distributes
over \emph{exclusive-or} with a DOUBLE-EXPTIME procedure. And~we obtain
that this problem is EXPSPACE-hard in the binary case.}
}

@inproceedings{LLT-unif2006,
month = aug,
year = 2006,
editor = {Levy, Jordi},
acronym = {{UNIF}'06},
booktitle = {{P}roceedings of the 20th {I}nternational
{W}orkshop on {U}nification
({UNIF}'06)},
author = {Lafourcade, Pascal and Lugiez, Denis and Treinen, Ralf},
title = {{ACUNh}: Unification and Disunification Using Automata Theory},
pages = {6--20},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-unif06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-unif06.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/LLT-unif06.ps},
abstract = {We show several results about unification problems in the
equational theory~ACUNh consisting of the theory of exclusive or with one
homomorphism. These results are shown using only techniques of automata and
combinations of unification problems. We~show how to construct a most-general
unifier for ACUNh-unification problems with constants using automata. We also
prove that the first-order theory of ground terms modulo~ACUNh is decidable if
the signature does not contain free non-constant function symbols, and that
the existential fragment is decidable in the general case. Furthermore, we
show a technical result about the set of most-general unifiers obtained for
general unification problems.}
}

@inproceedings{BJ-unif2006,
month = aug,
year = 2006,
editor = {Levy, Jordi},
acronym = {{UNIF}'06},
booktitle = {{P}roceedings of the 20th {I}nternational
{W}orkshop on {U}nification
({UNIF}'06)},
author = {Bouhoula, Adel and Jacquemard, Florent},
title = {Automating Sufficient Completeness Check for Conditional
and Constrained~{TRS}},
nopages = {},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-unif06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-unif06.pdf},
abstract = {We present a procedure for checking sufficient completeness for
conditional and constrained term rewriting systems containing axioms for
constructors which may be constrained (by~e.g.~equalities, disequalities,
ordering, membership...). Such axioms make it possible to specify complex data structures
like e.g.~sets, sorted lists or powerlists. Our approach is integrated in a
framework for inductive theorem proving based on tree grammars with
constraints, a formalism which permits an exact representation of languages of
ground constructor terms in normal form. The key technique used in the
procedure is a generalized form of narrowing where, given a term, instead of
unifying it with left members of rewrite rules, we instantiate it, at selected
variables, following the productions of a constrained tree grammar, and test
whether it can be rewritten. Our~procedure is sound and complete and has been
successfully applied to several examples, yielding very natural proofs and, in
case of negative answer, a counterexample suggesting how to complete the
specification. Moreover, it is a decision procedure when the TRS is
unconditional but constrained, for a large class of constrained constructor
axioms.}
}

@inproceedings{MOJ-aisc2006,
month = sep,
year = 2006,
volume = 4120,
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer},
editor = {Calmet, Jacques and Ida, Tetsuo and Wang, Dongming},
acronym = {{AISC}'06},
booktitle = {{P}roceedings of the 8th {I}nternational {C}onference
on {A}rtificial {I}ntelligence and {S}ymbolic {C}omputation
({AISC}'06)},
author = {Mitsuhashi, Ichiro and Oyamaguchi, Michio and Jacquemard, Florent},
title = {The Confluence Problem for Flat~{TRSs}},
pages = {68--81},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/MOJ-aisc06.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/MOJ-aisc06.pdf},
doi = {10.1007/11856290_8},
abstract = {We prove that the properties of reachability, joinability and
confluence are undecidable for flat~TRSs. Here, a~TRS is flat if the heights
of the left and right-hand sides of each rewrite rule are at most one.}
}

@phdthesis{THESE-bernat06,
author = {Bernat, Vincent},
title = {Th{\'e}ories de l'intrus pour la v{\'e}rification
des protocoles cryptographiques},
year = 2006,
month = jun,
type = {Th{\`e}se de doctorat},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-bernat.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-bernat.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-bernat.ps}
}

@phdthesis{THESE-delaune06,
author = {Delaune, St{\'e}phanie},
title = {V{\'e}rification des protocoles cryptographiques
et propri{\'e}t{\'e}s alg{\'e}briques},
year = 2006,
month = jun,
type = {Th{\`e}se de doctorat},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-delaune.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-delaune.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-delaune.ps},
abstract = {Cryptographic protocols are small concurrent programs designed
to guarantee the security of exchanges between participants using non-secure
medium. Establishing the correctness of these protocols is crucial given the
increasing number of applications, such as electronic commerce, that exchange
information on the Internet. Unfortunately, the existence of cryptographic
primitives such as encryption is not sufficient to ensure security. The
security of exchanges is ensured by cryptographic protocols which are
notoriously error-prone.\par
The formal verification of cryptographic protocols is a difficult problem that
can be seen as a particular model-checking problem in a hostile environment.
To verify such protocols, a line of research consists in considering
encryption as a black box and assuming that an adversary can't learn anything
from an encrypted message except if he has the key. This is called the
\emph{perfect cryptography} assumption. Many results have been obtained under
this assumption, but such an assumption is too strong in general. Some attacks
exploit in a clever way the interaction between protocol rules and properties
of cryptographic operators. \par
In this thesis, we relax the perfect cryptography assumption by taking into
account some algebraic properties of cryptographic primitives. We give
decision procedures for the security problem in presence of several algebraic
operators.}
}

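@phdthesis{THESE-lafourcade06,
author = {Lafourcade, Pascal},
nmnote = {author field was missing; name taken from the entry key -- confirm},
title = {V{\'e}rification des protocoles cryptographiques
en pr{\'e}sence de th{\'e}ories {\'e}quationnelles},
year = 2006,
month = sep,
type = {Th{\`e}se de doctorat},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
note = {209~pages},
abstract = {The rise of the internet of new technologies has reinforced the
key role of computer science in communication technology. The recent progress
in these technologies has brought a dramatic change in the ways how we
communicate and consume. All these communication activities are subject to
complex communication protocols that a user does not control completely. Users
of communication protocols require that their communications are {"}secure{"}.
The developers of these communication protocols aim to secure communications
in a hostile environment by cryptographic means. Such an environment consists
of a dishonest communication participant, called an {"}intruder{"} or
{"}attacker{"}... We suppose that the intruder controls the network on which
the messages are exchanged.\par
The verification of a cryptographic protocol either ensures that no attack is
possible against the execution of the protocol in presence of a certain
intruder, or otherwise exhibits an attack. One important assumption in the
verification of cryptographic protocols is the so-called {"}perfect
cryptography assumption{"}, which states that the only way to obtain knowledge
about an encrypted message is to know its decryption key. This hypothesis is
not sufficient to guarantee security in reality. It is possible that certain
properties used in the protocol allow the intruder to obtain some
information.\par
One way to weaken this perfect cryptography assumption is to take into account
in the model certain algebraic properties. We develop a formal approach for
verifying the so-called secrecy property of cryptographic protocols in the
presence of equational theories and of homomorphism.}
}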

@mastersthesis{bursuc-master,
  author = {Bursuc, Sergiu},
  title  = {Contraintes de d{\'e}ductibilit{\'e} modulo
Associativit{\'e}-Commutativit{\'e}},
  type   = {Rapport de {M}aster},
  school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
  year   = 2006,
  month  = sep,
  url    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bursuc-M2.pdf},
  pdf    = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bursuc-M2.pdf}
}

@techreport{LSV:06:13,
  author      = {Olivain, Julien and Goubault{-}Larrecq, Jean},
  title       = {Detecting Subverted Cryptographic Protocols by Entropy Checking},
  type        = {Research Report},
  number      = {LSV-06-13},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
  year        = 2006,
  month       = jun,
  note        = {19~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2006-13.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2006-13.pdf},
  abstract    = {What happens when your implementation of SSL or some other
cryptographic protocol is subverted through a buffer overflow
attack?  You have been hacked, right.  Unfortunately, you may be
unaware of~it: since normal traffic is encrypted, most IDSs cannot
monitor~it.  We propose a simple, yet efficient technique to detect
such attacks, by computing the entropy of the flow and comparing it
against known thresholds.  This was implemented in the Net-Entropy
sensor.}
}

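@inproceedings{Gou-fossacs08b,
month = mar # {-} # apr,
year = 2008,
volume = 4962,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
acronym = {{FoSSaCS}'08},
booktitle = {{P}roceedings of the 11th {I}nternational
{C}onference on {F}oundations of {S}oftware {S}cience
and {C}omputation {S}tructures
({FoSSaCS}'08)},
author = {Goubault{-}Larrecq, Jean},
title = {Simulation Hemi-Metrics Between Infinite-State Stochastic Games},
pages = {50--65},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-34.pdf},
doi = {10.1007/978-3-540-78499-9_5},
abstract = {We investigate simulation hemi-metrics between certain forms
of turn-based $$2\frac{1}{2}$$-player games played on infinite
topological spaces. They have the desirable property of bounding the
difference in payoffs obtained by starting from one state or another.
All
constructions are described as the special case of a unique one, which we
call the Hutchinson hemi-metric on various spaces of continuous
previsions. We show a directed form of the Kantorovich-Rubinstein theorem,
stating that the Hutchinson hemi-metric on spaces of continuous
probability valuations coincides with a notion of trans-shipment
hemi-metric. We also identify the class of so-called sym-compact spaces as
the right class of topological spaces, where the theory works out as
nicely as possible.}
}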

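@inproceedings{Gou-fossacs08a,
month = mar # {-} # apr,
year = 2008,
volume = 4962,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
acronym = {{FoSSaCS}'08},
booktitle = {{P}roceedings of the 11th {I}nternational
{C}onference on {F}oundations of {S}oftware {S}cience
and {C}omputation {S}tructures
({FoSSaCS}'08)},
author = {Goubault{-}Larrecq, Jean},
title = {Prevision Domains and Convex Powercones},
pages = {318--333},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-33.pdf},
doi = {10.1007/978-3-540-78499-9_23},
abstract = {Two recent semantic families of models for mixed
probabilistic and non-deterministic choice over a space~$$X$$ are the
convex powercone models, due independently to Mislove, and to Tix,
Keimel, and Plotkin, and the continuous prevision model of the
author. We show that, up to some minor details, these models are
isomorphic whenever $$X$$ is a continuous, coherent cpo, and whether
the particular brand of non-determinism we focus on is demonic,
angelic, or chaotic. The construction also exhibits domains of
continuous previsions as retracts of well-known continuous cpos,
providing simple bases for the various continuous cpos of continuous
previsions. This has practical relevance to computing approximations
of operations on previsions.}
}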

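@inproceedings{Kremer-tgc07,
year = 2008,
volume = 4912,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Barthe, Gilles and Fournet, C{\'e}dric},
acronym = {{TGC}'07},
booktitle = {{R}evised {S}elected {P}apers from the 3rd {S}ymposium on {T}rustworthy {G}lobal
{C}omputing ({TGC}'07)},
author = {Kremer, Steve},
title = {Computational soundness of equational theories (Tutorial)},
pages = {363--382},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Kremer-tgc07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Kremer-tgc07.pdf},
doi = {10.1007/978-3-540-78663-4},
nmnote = {abstract appears truncated after "cryptographic models for"; doi is the
volume-level DOI rather than the chapter DOI -- check both against the source},
abstract = {We study the link between formal and cryptographic models for
first describe the seminal result by Abadi and Rogaway and shortly discuss
some of its extensions. Then we describe a general model for reasoning
about the soundness of implementations of equational theories. We
illustrate this model on several examples of computationally sound
implementations of equational theories.}
}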

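@article{JRV-jlap07,
publisher = {Elsevier Science Publishers},
journal = {Journal of Logic and Algebraic Programming},
author = {Jacquemard, Florent and Rusinowitch, Micha{\"e}l and Vigneron, Laurent},
title = {Tree automata with equality constraints modulo equational
theories},
year = 2008,
month = apr,
volume = 75,
number = 2,
pages = {182--208},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JRV-jlap08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JRV-jlap08.pdf},
doi = {10.1016/j.jlap.2007.10.006},
abstract = {This paper presents new classes of tree automata combining
automata with equality test and automata modulo equational theories.
We believe that these classes have a good potential for application in
\emph{e.g.} software verification. These tree automata are obtained by
extending the standard Horn clause representations with equational
conditions and rewrite systems. We~show in particular that a
generalized membership problem (extending the emptiness problem) is
decidable by proving that the saturation of tree automata
presentations with suitable paramodulation strategies terminates.
Alternatively our results can be viewed as new decidable classes of
first-order formula.}
}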

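@inproceedings{BJ-arspa07,
month = jul,
year = 2007,
editor = {Degano, Pierpaolo and K{\"u}sters, Ralf and Vigan{\o}, Luca and
Zdancewic, Steve},
acronym = {{FCS-ARSPA}'07},
booktitle = {{P}roceedings of the {J}oint {W}orkshop on {F}oundations of
{C}omputer {S}ecurity  and {A}utomated {R}easoning
for {S}ecurity {P}rotocol {A}nalysis ({FCS-ARSPA}'07)},
author = {Bouhoula, Adel and Jacquemard, Florent},
title = {Verifying Regular Trace Properties of Security Protocols
with Explicit Destructors and Implicit Induction},
pages = {27--44},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-arspa07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-arspa07.pdf},
abstract = {We present a procedure for the verification of
cryptographic protocols based on a new method for automatic implicit
induction theorem proving for specifications made of conditional and
constrained rewrite rules. The~method handles axioms between constructor
terms which are used to introduce explicit destructor symbols for the
specification of cryptographic operators. Moreover, it can deal with
non-confluent rewrite systems. This is required in the context of the
verification of security protocols because of the non-deterministic
behavior of attackers. Our~induction method makes an intensive use of
constrained tree grammars, which are used in proofs both as induction
schemes and as oracles for checking validity and redundancy criteria by
reduction to an emptiness problem. The grammars make possible the
development of a generic framework for the specification and verification
of protocols, where the specifications can be parametrized with (possibly
infinite) regular sets of user names or attacker's initial knowledge and
complex security properties can be expressed, referring to some fixed
regular sets of bad traces representing potential vulnerabilities.
We present some case studies giving very promising results, for the detection
of attacks (our~procedure is complete for refutation), and also for the
validation of protocols.}
}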

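@inproceedings{Bur-nordsec07,
month = oct,
year = 2007,
editor = {Erlingsson, {\'U}lfar and Sabelfeld, Andrei},
acronym = {{NordSec}'07},
booktitle = {{P}roceedings of the 12th {N}ordic {W}orkshop on {S}ecure {IT}
{S}ystems ({NordSec}'07)},
author = {Bursztein, Elie},
title = {[TITLE TRUNCATED IN SOURCE] translation},
nmnote = {the title field was corrupted in the source file (only the trailing
word "translation" survived, leaving an unparsable entry) -- restore the full title},
nopages = {},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-nordsec07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-nordsec07.pdf},
abstract = { In this paper we introduce a new technique to count the number
of host behind a~NAT. This technique based on TCP timestamp option, work
with Linux and BSD system and therefore is complementary to the previous
one base on IPID than does not work for those systems. Our~implementation
demonstrates the practicability of this method.}
}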

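@techreport{Prouve:rap10,
author = {Delaune, St{\'e}phanie and Klay, Francis},
title = {Synth{\`e}se des exp{\'e}rimentations},
institution = {projet RNTL PROUV{\'E}},
month = may,
year = 2007,
type = {Technical Report},
number = 10,
note = {10~pages},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap10.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap10.pdf},
abstract = {Dans ce document nous pr{\'e}sentons une synth{\`e}se des deux
cas d'{\'e}tude trait{\'e}s durant le projet. Rappelons qu'il s'agit d'une
part d'un protocole de commerce {\'e}lectronique et d'autre part d'un
protocole de vote. Pour chacun de ces protocoles, nous analysons les
r{\'e}sultats obtenus afin de d{\'e}gager l'apport des travaux issus du
projet et les aspects qui n'ont pas pu etre compl{\`e}tement trait{\'e}s.
Compte tenu des enseignements tir{\'e}s, dans la derni{\`e}re partie nous
mettons en perspectives les axes de recherches envisageables pour traiter
compl{\`e}tement des protocoles aussi complexes que celui du vote
{\'e}lectronique.}
}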

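@techreport{Prouve:rap9,
author = {Klay, Francis and Bozga, Liana and Lakhnech, Yassine and
Mazar{\'e}, Laurent and Delaune, St{\'e}phanie and
Kremer, Steve},
title = {Retour d'exp{\'e}rience sur la validation du vote {\'e}lectronique},
institution = {projet RNTL PROUV{\'E}},
month = nov,
year = 2006,
type = {Technical Report},
number = 9,
note = {47~pages},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap9.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap9.pdf},
abstract = {Dans ce rapport, nous pr{\'e}sentons le travail de
v{\'e}rification qui a {\'e}t{\'e} r{\'e}alis{\'e} sur le protocole de
vote {\'e}lectronique que nous avons introduit et formalis{\'e} dans le
rapport RNTL Prouv{\'e} num{\'e}ro~$$6$$. Ce protocole a {\'e}t{\'e} mis au
point par J.~Traor{\'e}, ing{\'e}nieur de recherche chez France
T{\'e}l{\'e}com. Il est bas{\'e} sur le m{\'e}canisme de signature en
aveugle et peut {\^e}tre consid{\'e}r{\'e} comme un d{\'e}riv{\'e} du
protocole de Fujioka, Okamoto et~Ohta.\par
La formalisation de ce protocole {\`a} mis en {\'e}vidence une grande
complexit{\'e} due en particulier aux structures de donn{\'e}es et aux
primitives cryptographiques manipul{\'e}es. D'un autre c{\^o}t{\'e} ce
travail a {\'e}galement r{\'e}v{\'e}l{\'e} que les propri{\'e}t{\'e}s de
s{\^u}ret{\'e} {\`a} garantir sont particuli{\`e}rement subtiles.
Ce~document pr{\'e}sente les r{\'e}sultats qui ont {\'e}t{\'e} obtenus
lors de la v{\'e}rification de ce protocole. En particulier nous montrons
que certaines propri{\'e}t{\'e}s de s{\^u}ret{\'e} ont pu {\^e}tre
prouv{\'e}es automatiquement alors que pour d'autres une preuve manuelle
s'est av{\'e}r{\'e}e n{\'e}cessaire.}
}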

@techreport{LSV:07:31,
  author      = {Jacquemard, Florent and Rusinowitch, Micha{\"e}l},
  title       = {Rewrite Closure of {H}edge-Automata Languages},
  type        = {Research Report},
  number      = {LSV-07-31},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
  year        = 2007,
  month       = oct,
  note        = {22~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-31.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-31.pdf},
  abstract    = {We investigate some preservation properties for classes of
regular languages of unranked ordered terms under an appropriate
generalization of term rewriting subsuming both standard term rewriting
and word rewriting.\par
The considered classes include languages of hedge automata (HA) and some
extension (called CF-HA) with context-free languages in transitions,
instead of regular languages. In~particular, we~show, with a HA completion
procedure, that the set of unranked terms reachable from a given HA
language, using a so called inverse context-free rewrite system, is an HA
language. Moreover, we~prove, using different techniques, the closure of
CF-HA languages with respect to context-free rewrite systems, the
symmetric case of the above rewrite systems. As~a consequence,
the~problems of ground reachability and regular hedge model checking are
decidable in both cases. We~give several several counter examples showing
that we cannot relax the restrictions.}
}

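@mastersthesis{vacher-master,
author = {Vacher, Camille},
title = {Accessibilit{\'e} inverse dans les automates d'arbres {\`a}
m{\'e}moire d'ordre sup{\'e}rieur},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = 2007,
month = sep,
oldurl = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vacher-m2.pdf},
oldpdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vacher-m2.pdf},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-35.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-35.pdf}
}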

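@inproceedings{CL-avocs07,
month = sep,
year = 2007,
editor = {Goldsmith, Michael and Roscoe, Bill},
acronym = {{AVoCS}'07},
booktitle = {{P}re-proceedings of the 7th {I}nternational
{W}orkshop on {A}utomated {V}erification
of {C}ritical {S}ystems
({AVoCS}'07)},
author = {Cremers, Cas and Lafourcade, Pascal},
title = {Comparing State Spaces in Automatic Security Protocol Verification},
nmnote = {Pas paru dans les proceedings ENTCS},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-avocs07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-avocs07.pdf},
abstract = {Many tools exist for automatic security protocol verification,
and most of them have their own particular language for specifying
protocols and properties. Several protocol specification models and
security properties have been already formally related to each other.
However, there is a further difference between verification tools, which
has not been investigated in depth before: the~explored state space. Some
tools explore all possible behaviors, whereas others explore strict
subsets, often by using so-called scenarios. Ignoring such differences can
lead to wrong interpretations of the output of a tool. We~relate the
explored state spaces to each other and find previously unreported
differences between the various approaches. We~apply our study of state
space relations in a performance comparison of several well-known
automatic tools for security protocol verification. We~model a set of
protocols and their properties as homogeneous as possible for each tool.
We~analyze the performance of the tools over comparable state spaces. This
work allows us for the first time to compare these automatic tools fairly,
i.e.,~using the same protocol description and exploring the same state
space. We~also propose some explanations for our experimental results,
leading to a better understanding of the tools.}
}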

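@inproceedings{BG-asian07,
month = dec,
year = 2007,
volume = 4846,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Cervesato, Iliano},
acronym = {{ASIAN}'07},
booktitle = {{P}roceedings of the 12th {A}sian
{C}omputing {S}cience {C}onference
({ASIAN}'07)},
author = {Bursztein, Elie and Goubault{-}Larrecq, Jean},
title = {A Logical Framework for Evaluating Network Resilience Against
Faults and Attacks},
pages = {212--227},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BGL-asian07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BGL-asian07.pdf},
doi = {10.1007/978-3-540-76929-3_20},
abstract = {We present a logic-based framework to evaluate the resilience of
computer networks in the face of incidents, i.e., attacks
from malicious intruders as well as random faults. Our model
uses a two-layered presentation of dependencies between
files and services, and of timed games to represent not just
incidents, but also the dynamic responses from
administrators and their respective delays. We demonstrate
that a variant TATL$$\Diamond$$ of timed alternating-time temporal
logic is a convenient language to express several desirable
properties of networks, including several forms of
survivability. We illustrate this on a simple redundant Web
service architecture, and show that checking such timed
games against the so-called TATL$$\Diamond$$ variant of the timed
alternating time temporal logic TATL is EXPTIME-complete.}
}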

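@inproceedings{GPT-aplas07,
month = nov # {-} # dec,
year = 2007,
volume = 4807,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Shao, Zhong},
acronym = {{APLAS}'07},
booktitle = {{P}roceedings of the 5th {A}sian {S}ymposium
on {P}rogramming {L}anguages and {S}ystems
({APLAS}'07)},
author = {Goubault{-}Larrecq, Jean and Palamidessi, Catuscia and
Troina, Angelo},
title = {A Probabilistic Applied Pi-Calculus},
pages = {175--290},
nmnote = {page range 175-290 (over a hundred pages) looks implausible for a
conference paper -- check the end page against the proceedings},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GPT-aplas07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GPT-aplas07.pdf},
doi = {10.1007/978-3-540-76637-7_12},
abstract = {We propose an extension of the Applied Pi-calculus by
introducing nondeterministic and probabilistic choice operators. The
semantics of the resulting model, in which probability and nondeterminism
are combined, is given by Segala's Probabilistic Automata driven by
schedulers which resolve the nondeterministic choice among the probability
distributions over target states. Notions of static and observational
equivalence are given for the enriched calculus. In order to model the
possible interaction of a process with its surrounding environment a
labeled semantics is given together with a notion of weak bisimulation
which is shown to coincide with the observational equivalence. Finally, we
prove that results in the probabilistic framework are preserved in a
purely nondeterministic setting.}
}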

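@inproceedings{CDD-fsttcs07,
month = dec,
year = 2007,
volume = 4855,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Arvind, V. and Prasad, Sanjiva},
acronym = {{FSTTCS}'07},
booktitle = {{P}roceedings of the 27th {C}onference on
{F}oundations of {S}oftware {T}echnology and
{T}heoretical {C}omputer {S}cience
({FSTTCS}'07)},
author = {Cortier, V{\'e}ronique and Delaitre, J{\'e}r{\'e}mie and
Delaune, St{\'e}phanie},
title = {Safely Composing Security Protocols},
pages = {352--363},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDD-fsttcs07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDD-fsttcs07.pdf},
doi = {10.1007/978-3-540-77050-3_29},
abstract = {Security protocols are small programs that are executed in
hostile environments. Many results and tools have been developed to
formally analyze the security of a protocol in the presence of active
attackers that may block, intercept and send new messages. However even
when a protocol has been proved secure, there is absolutely no guarantee
if the protocol is executed in an environment where other protocols,
possibly sharing some common identities and keys like public keys or
long-term symmetric keys, are executed.\par
In this paper, we show that security of protocols can be easily composed.
More precisely, we show that whenever a protocol is secure, it remains
secure even in an environment where arbitrary protocols are executed,
provided each encryption contains some tag identifying each protocol, like
e.g.~the name of the protocol.}
}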

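@inproceedings{DKR-fsttcs07,
month = dec,
year = 2007,
volume = 4855,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Arvind, V. and Prasad, Sanjiva},
acronym = {{FSTTCS}'07},
booktitle = {{P}roceedings of the 27th {C}onference on
{F}oundations of {S}oftware {T}echnology and
{T}heoretical {C}omputer {S}cience
({FSTTCS}'07)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
title = {Symbolic Bisimulation for the Applied Pi-Calculus},
pages = {133--145},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-fsttcs07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-fsttcs07.pdf},
doi = {10.1007/978-3-540-77050-3_11},
abstract = {We propose a symbolic semantics for the finite applied pi
calculus, which is a variant of the pi calculus with extensions for
modelling cryptgraphic protocols. By~treating inputs symbolically, our
semantics avoids potentially infinite branching of execution trees due to
inputs from the environment. Correctness is maintained by associating with
each process a set of constraints on symbolic terms. Based on the
semantics, we~define a sound symbolic labelled bisimulation relation.
This~is an important step towards automation of observational equivalence
for the finite applied pi calculus, \emph{e.g.}, for verification of
anonymity or strong secrecy properties of protocols with a bounded number
of sessions.}
}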

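@inproceedings{DLL-lpar07,
month = oct,
year = 2007,
volume = 4790,
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer},
editor = {Dershowitz, Nachum and Voronkov, Andrei},
acronym = {{LPAR}'07},
booktitle = {{P}roceedings of the 14th {I}nternational
{C}onference on {L}ogic for {P}rogramming,
{A}rtificial {I}ntelligence, and {R}easoning
({LPAR}'07)},
author = {Delaune, St{\'e}phanie and Lin, Hai and Lynch, {\relax Ch}ristopher},
title = {Protocol verification via rigid{\slash}flexible resolution},
pages = {242--256},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLL-lpar07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLL-lpar07.pdf},
doi = {10.1007/978-3-540-75560-9_19},
abstract = {In this paper we propose a decision procedure,
i.e., an~inference system for clauses containing rigid and
flexible variables. Rigid variables are only allowed to have
one instantiation, whereas flexible variables are allowed as
many instantiations as desired. We~assume a set of clauses
containing only rigid variables together with a set of clauses
containing only flexible variables. When the flexible clauses
fall into a particular class, we propose an inference system
based on ordered resolution that is sound and complete and for
which the inference procedure will halt.\par
An interest in this form of problem is for cryptographic
protocol verification for a bounded number of protocol
instances. Our class allows us to obtain a generic decidability
result for a large class of cryptographic protocols that may
use for instance~CBC (Cipher Block Chaining) encryption and
blind signature. }
}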

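@inproceedings{CD-lpar07,
month = oct,
year = 2007,
volume = 4790,
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer},
editor = {Dershowitz, Nachum and Voronkov, Andrei},
acronym = {{LPAR}'07},
booktitle = {{P}roceedings of the 14th {I}nternational
{C}onference on {L}ogic for {P}rogramming,
{A}rtificial {I}ntelligence, and {R}easoning
({LPAR}'07)},
author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {Deciding Knowledge in Security Protocols for
Monoidal Equational Theories},
pages = {196--210},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-lpar07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-lpar07.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CD-lpar07.ps},
doi = {10.1007/978-3-540-75560-9_16},
abstract = {In formal approaches, messages sent over a
network are usually modeled by terms together with an
equational theory, axiomatizing the properties of the
cryptographic functions (encryption, exclusive or,~...).
The~analysis of cryptographic protocols requires a
precise understanding of the attacker knowledge. Two
standard notions are usually used: deducibility and
indistinguishability. Only few results have been obtained
(in~an ad-hoc~way) for equational theories with
associative and commutative properties, especially in the
case of static equivalence. The~main contribution of this
paper is to propose a general setting for solving
deducibility and indistinguishability for an important
class (called monoidal) of these theories. Our~setting
relies on the correspondence between a monoidal
theory~{$$E$$} and a semiring~{$$S_E$$} which allows us
to give an algebraic characterization of the deducibility
and indistinguishability problems. As~a consequence we
recover easily existing decidability results and obtain
several new ones.}
}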

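@article{DLLT-IC07,
publisher = {Elsevier Science Publishers},
journal = {Information and Computation},
author = {Delaune, St{\'e}phanie and Lafourcade, Pascal and
Lugiez, Denis and Treinen, Ralf},
title = {Symbolic protocol analysis for monoidal equational theories},
pages = {312--351},
volume = 206,
number = {2--4},
year = 2008,
month = feb # {-} # apr,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-ic07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-ic07.pdf},
doi = {10.1016/j.ic.2007.07.005},
nmnote = {abstract appears truncated after "unification in the monoidal" -- check
against the source},
abstract = {We are interested in the design of
automated procedures for analyzing the (in)security of
cryptographic protocols in the Dolev-Yao model for a
bounded number of sessions when we take into account some
algebraic properties satisfied by the operators involved
in the protocol. This~leads to a more realistic model
than what we get under the perfect cryptography
assumption, but it implies that protocol analysis deals
with terms modulo some equational theory instead of terms
in a free algebra. The main goal of this paper is to set
up a general approach that works for a whole class of
monoidal theories which contains many of the specific
cases that have been considered so far in an ad-hoc way
(e.g.~exclusive~or, Abelian groups, exclusive or in
combination with the homomorphism axiom). We~follow a
classical schema for cryptographic protocol analysis
which proves first a locality result and then reduces the
insecurity problem to a symbolic constraint solving
problem. This approach strongly relies on the
correspondence between a monoidal theory~{$$E$$} and a
semiring~{$$S_E$$} which we use to deal with the symbolic
constraints. We~show that the well-defined symbolic
constraints that are generated by reasonable protocols
can be solved provided that unification in the monoidal
The~resolution process boils down to solving particular
quadratic Diophantine equations that are reduced to
linear Diophantine equations, thanks to linear algebra
results and the well-definedness of the problem. Examples
of theories that do not satisfy our additional properties
appear to be undecidable, which suggests that our
characterization is reasonably tight.}
}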

@proceedings{secret2007-pre,
  editor    = {Nesi, Monica and Treinen, Ralf},
  title     = {{P}reliminary {P}roceedings of the 2nd
{I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
({SecReT}'07)},
  booktitle = {{P}reliminary {P}roceedings of the 2nd
{I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
({SecReT}'07)},
  year      = 2007,
  month     = jul
}

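@inproceedings{BCD-jouannaud,
month = jun,
year = 2007,
volume = 4600,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
acronym = {{R}ewriting, {C}omputation and {P}roof},
booktitle = {{R}ewriting, {C}omputation and {P}roof~--- {E}ssays {D}edicated to
{J}ean-{P}ierre {J}ouannaud on the {O}ccasion of his 60th {B}irthday},
editor = {Comon{-}Lundh, Hubert and Kirchner, Claude and Kirchner,
H{\'e}l{\`e}ne},
author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert and Delaune,
St{\'e}phanie},
title = {Deducibility Constraints, Equational Theory and Electronic Money},
pages = {196--212},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-jpj07.ps},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-jpj07.ps},
doi = {10.1007/978-3-540-73147-4_10},
abstract = {The starting point of this work is a case study (from France
T\'el\'ecom) of an electronic purse protocol. The~goal was to prove that
the protocol is secure or that there is an attack. Modeling the protocol
requires algebraic properties of a fragment of arithmetic, typically
containing modular exponentiation. The~usual equational theories described
in papers on security protocols are too weak: the~protocol cannot even be
executed in these models. We~consider here an equational theory which is
powerful enough for the protocol to be executed, and for which unification
is still decidable.\par
Our main result is the decidability of the so-called intruder deduction
problem, i.e.,~security in presence of a passive attacker, taking the
algebraic properties into account. Our~equational theory is a combination
of several equational theories over non-disjoint signatures.}
}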

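@proceedings{CLKK-jouannaud07,
editor = {Comon{-}Lundh, Hubert and Kirchner, Claude and Kirchner,
H{\'e}l{\`e}ne},
booktitle = {Rewriting, Computation and Proof~--- Essays Dedicated to
Jean-Pierre Jouannaud on the Occasion of his 60th Birthday},
title = {Rewriting, Computation and Proof~--- Essays Dedicated to
Jean-Pierre Jouannaud on the Occasion of his 60th Birthday},
publisher = {Springer},
series = {Lecture Notes in Computer Science},
volume = 4600,
year = 2007,
month = jun,
doi = {10.1007/978-3-540-73147-4},
isbn = {978-3-540-73146-7}
}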

@techreport{LSV:07:20,
author = {Bresciani, Riccardo},
title = {The {ZRTP} Protocol~--- Security Considerations},
institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
year = 2007,
month = may,
type = {Research Report},
number = {LSV-07-20},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-20.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-20.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/rr-lsv-2007-20.ps},
note = {23~pages},
abstract = {ZRTP is a draft key agreement protocol by Phil~Zimmermann,
which relies on a Diffie-Hellman exchange to generate SRTP session
parameters, providing confidentiality and protecting against
\emph{Man-in-the-Middle} attacks even without a public key infrastructure or
endpoint certificates. This is an analysis of the protocol performed with
AVISPA and ProVerif, which tests security properties of ZRTP; in~order to
perform the analysis, the protocol has been modeled in HLPSL (for~AVISPA)
and in the applied $$\pi$$-calculus (for~ProVerif). An improvement to gain
some extra resistance against \emph{Man-in-the-Middle} attacks is also proposed.}
}

@inproceedings{ACD-frocos07,
month = sep,
year = 2007,
volume = 4720,
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer},
editor = {Wolter, Franck},
acronym = {{FroCoS}'07},
booktitle = {{P}roceedings of the 6th {I}nternational {S}ymposium on {F}rontiers of
{C}ombining {S}ystems ({FroCoS}'07)},
author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune,
St{\'e}phanie},
title = {Combining Algorithms for Deciding Knowledge in Security
Protocols},
pages = {103-117},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-frocos07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-frocos07.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/ACD-frocos07.ps},
doi = {10.1007/978-3-540-74621-8_7},
abstract = {In formal approaches, messages sent over a network are
usually modeled by terms together with an equational theory,
axiomatizing the properties of the cryptographic functions
(encryption, exclusive or,~...). The analysis of
cryptographic protocols requires a precise understanding of
the attacker knowledge. Two standard notions are usually
used: deducibility and indistinguishability. Those notions
are well-studied and a lot of decidability results already
exist to deal with a variety of equational theories.\par
We~show that decidability results can be easily combined for
any disjoint equational theories: if the deducibility and
indistinguishability relations are decidable for two
disjoint theories, they are also decidable for their union.
As~an application, new decidability results can be obtained
using this combination theorem.}
}

@inproceedings{KM-esorics07,
month = sep,
year = 2007,
volume = 4734,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Biskup, Joachim and Lopez, Javier},
acronym = {{ESORICS}'07},
booktitle = {{P}roceedings of the 12th {E}uropean {S}ymposium on
{R}esearch in {C}omputer {S}ecurity ({ESORICS}'07)},
author = {Kremer, Steve and Mazar{\'e}, Laurent},
title = {Adaptive Soundness of Static Equivalence},
pages = {610-625},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-esorics07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-esorics07.pdf},
doi = {10.1007/978-3-540-74835-9_40},
abstract = {We define a framework to reason about implementations of
equational theories in the presence of an adaptive adversary. We
particularly focus on soundness of static equivalence. We illustrate our
framework on several equational theories: symmetric encryption, XOR,
modular exponentiation and also joint theories of encryption and modular
exponentiation. This last example relies on a combination result for
reusing proofs for the separate theories. Finally, we~define a model for
symbolic analysis of dynamic group key exchange protocols, and show its
computational soundness.}
}

@inproceedings{Gou-csl07,
month = sep,
year = 2007,
volume = 4646,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Duparc, Jacques and Henzinger, {\relax Th}omas A.},
acronym = {{CSL}'07},
booktitle = {{P}roceedings of the 16th {A}nnual {EACSL} {C}onference on
{C}omputer {S}cience {L}ogic ({CSL}'07)},
author = {Goubault{-}Larrecq, Jean},
title = {Continuous Previsions},
pages = {542-557},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-csl07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-csl07.pdf},
doi = {10.1007/978-3-540-74915-8_40},
abstract = {We define strong monads of continuous (lower, upper) previsions,
and of forks, modeling both probabilistic and non-deterministic choice.
This is an elegant alternative to recent proposals by Mislove, Tix,
Keimel, and Plotkin. We show that our monads are sound and complete, in
the sense that they model exactly the interaction between probabilistic
and (demonic, angelic, chaotic) choice.}
}

@techreport{DGA:rap3,
title = {Rapport final d'activit{\'e} {\a}~{$$11$$}~mois, contrat~{CNRS/DGA}
r{\'e}f{\'e}rence~: 06~60~019~00~470~75~01
<<~{U}tilisation et exploitation des th{\'e}ories {\'e}quationnelles
dans l'analyse des protocoles cryptographiques~>>},
type = {Contract Report},
institution = {DGA},
year = {2007},
month = oct,
note = {6~pages},
url = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap3.ps},
ps = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap3.ps}
}

@techreport{DGA:rap2,
title = {Rapport d'activit{\'e}s {\a}~{$$6$$}~mois, contrat~{CNRS/DGA}
r{\'e}f{\'e}rence~: 06~60~019~00~470~75~01
<<~{U}tilisation et exploitation des th{\'e}ories {\'e}quationnelles
dans l'analyse des protocoles cryptographiques~>>},
type = {Contract Report},
institution = {DGA},
year = {2007},
month = apr,
note = {5~pages},
url = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap2.ps},
ps = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap2.ps}
}

@techreport{DGA:rap1,
title = {Rapport d'activit{\'e}s {\a}~{$$3$$}~mois, contrat~{CNRS/DGA}
r{\'e}f{\'e}rence~: 06~60~019~00~470~75~01
<<~{U}tilisation et exploitation des th{\'e}ories {\'e}quationnelles
dans l'analyse des protocoles cryptographiques~>>},
type = {Contract Report},
institution = {DGA},
year = {2007},
month = jan,
note = {3~pages},
url = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap1.ps},
ps = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap1.ps}
}

@inproceedings{JGL-icalp07,
month = jul,
year = 2007,
volume = 4596,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Arge, Lars and Cachin, {\relax Ch}ristian and Jurdzi{\'n}ski, Tomasz
and Tarlecki, Andrzej},
acronym = {{ICALP}'07},
booktitle = {{P}roceedings of the 34th {I}nternational
{C}olloquium on {A}utomata, {L}anguages and
{P}rogramming ({ICALP}'07)},
author = {Goubault{-}Larrecq, Jean},
title = {Continuous Capacities on Continuous State Spaces},
pages = {764-776},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-icalp07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-icalp07.pdf},
doi = {10.1007/978-3-540-73420-8_66},
abstract = {We propose axiomatizing some stochastic games, in a
continuous state
space setting, using continuous belief functions, resp.
plausibilities, instead of measures.  Then, stochastic games are
just variations on continuous Markov chains.  We argue that drawing
at random along a belief function is the same as letting the
probabilistic player~$$P$$ play first, then letting the
non-deterministic player~$$C$$ play demonically.  The same
holds for an angelic~$$C$$, using plausibilities instead.
We then define a simple modal logic, and characterize simulation in
terms of formulae of this logic.  Finally, we show that (discounted)
payoffs are defined and unique, where in the demonic case,
$$P$$~maximizes payoff, while $$C$$~minimizes it.}
}

@inproceedings{CDS-csf07,
month = jul,
year = 2007,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'07},
booktitle = {{P}roceedings of the
20th {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'07)},
author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie and Steel, Graham},
title = {A Formal Theory of Key Conjuring},
pages = {79-93},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDS-csf07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDS-csf07.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CDS-csf07.ps},
doi = {10.1109/CSF.2007.5},
abstract = {We describe a formalism for \emph{key conjuring}, the process by
which an attacker obtains an unknown, encrypted key by repeatedly calling
a cryptographic API function with random values in place of keys. This
technique has been used to attack the security APIs of several Hardware
Security Modules~(HSMs), which are widely deployed in the ATM (cash
machine) network. We~propose a formalism for detecting computationally
feasible key conjuring operations, incorporated into a Dolev-Yao style
model of the security~API. We~show that security in the presence of key
conjuring operations is decidable for a particular class of~APIs, which
includes the key management~API of IBM's Common Cryptographic
Architecture~(CCA).}
}

@inproceedings{Gou-lics07,
month = jul,
year = 2007,
publisher = {{IEEE} Computer Society Press},
acronym = {{LICS}'07},
booktitle = {{P}roceedings of the 22nd
{A}nnual {IEEE} {S}ymposium on
{L}ogic in {C}omputer {S}cience
({LICS}'07)},
author = {Goubault{-}Larrecq, Jean},
title = {On {N}oetherian Spaces},
pages = {453-462},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-lics07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-lics07.pdf},
doi = {10.1109/LICS.2007.34},
abstract = {A topological space is Noetherian iff every open is compact.
Our~starting point is that this notion generalizes that of
well-quasi order, in the sense that an Alexandroff-discrete space is
Noetherian iff its specialization quasi-ordering is well.  For~more
general spaces, this opens the way to verifying infinite transition
systems based on non-well quasi ordered sets, but where the preimage
operator satisfies an additional continuity assumption.  The
technical development rests heavily on techniques arising from
topology and domain theory, including sobriety and the de Groot dual
of a stably compact space.  We~show that the category Nthr of
Noetherian spaces is finitely complete and finitely cocomplete.
Finally, we note that if $$X$$~is a Noetherian space, then the set of
all (even infinite) subsets of~$$X$$ is again Noetherian, a~result
that fails for well-quasi orders.}
}

@techreport{LSV:07:10,
author = {Bouhoula, Adel and Jacquemard, Florent},
title = {Tree Automata, Implicit Induction and Explicit Destructors for
Security Protocol Verification},
institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
year = 2007,
month = feb,
type = {Research Report},
number = {LSV-07-10},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-10.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-10.pdf},
note = {21~pages},
abstract = {We present a new method for automatic implicit induction theorem
proving, and its application for the verification of cryptographic
protocols. The~method is based on constrained tree grammars and handles
non-confluent rewrite systems which are required in the context of the
verification of security protocols because of the non-deterministic
behavior of attackers. It~also handles axioms between constructor terms
which allows us to specify explicit destructors representing cryptographic
operators. Constrained tree grammars are used in our procedure both as
induction schemes and as oracles for checking validity and redundancy by
reduction to an emptiness problem. They also make it possible to characterize
security failures of cryptographic protocols as sets of execution traces
corresponding to an attack. This~way, we obtain a generic framework for
the verification of protocols, in~which we can verify reachability
properties like confidentiality, but also more complex properties like
authentication. We present three case studies which gave very promising
results.}
}

@techreport{KL-eth07,
author = {Ksi{\k e}{\. z}opolski, Bogdan and Lafourcade, Pascal},
title = {Attack and Revision of an Electronic Auction Protocol using~{OFMC}},
institution = {Department of Computer Science, ETH Zurich, Switzerland},
year = 2007,
month = feb,
type = {Technical Report},
number = {549},
note = {13~pages},
nmnote = {on peut pas dire que ce soit un papier du labo... Si en fait,
car Pascal etait la-bas sur un contrat gere par le LSV},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KL-eth549.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KL-eth549.pdf},
abstract = {In the article we show an attack on the cryptographic protocol
of electronic auction with extended requirements
[Ksiezopolski and Kotulski, \textit{Cryptographic protocol
for electronic auctions with extended requirements},~2004].
The found attack consists of authentication breach and
secret retrieval. It~is a kind of {"}man-in-the-middle
attack{"}. The intruder impersonates an agent and learns some
secret information. We have discovered this flaw using OFMC,
an automatic tool for cryptographic protocol verification.
After a description of this attack, we propose a new version
of the e-auction protocol. We also check with OFMC the
secrecy for the new protocol and give an informal proof of
the other properties that this new e-auction protocol has to
guarantee.}
}

@inproceedings{Maz-wits07,
month = mar,
year = 2007,
editor = {Focardi, Riccardo},
acronym = {{WITS}'07},
booktitle = {{P}reliminary {P}roceedings of the 7th {I}nternational {W}orkshop
on {I}ssues in the {T}heory of {S}ecurity ({WITS}'07)},
author = {Mazar{\'e}, Laurent},
title = {Computationally Sound Analysis of Protocols using Bilinear Pairings},
pages = {6-21},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Maz-wits07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Maz-wits07.pdf},
abstract = {In this paper, we introduce a symbolic model to analyse
protocols that use a bilinear pairing between two cyclic groups. This
model consists of an extension of the Abadi-Rogaway logic and we prove
that the logic is still computationally sound: symbolic
indistinguishability implies computational indistinguishability provided
that the Bilinear Decisional Diffie-Hellman assumption is verified and
that the encryption scheme is IND-CPA secure. We~illustrate our results on
classical protocols using bilinear pairing like Joux's tripartite
Diffie-Hellman protocol or the TAK-2 and TAK-3 protocols.}
}

@techreport{LSV:07:03,
author = {Goubault{-}Larrecq, Jean},
title = {Believe It Or Not, {GOI}~is a Model of Classical Linear Logic},
institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
year = 2007,
month = jan,
type = {Research Report},
number = {LSV-07-03},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-03.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-03.pdf},
note = {18~pages},
othernote = {a draft of the longer version of this report is available at
http://www.lsv.ens-cachan.fr/~goubault/isg.pdf},
abstract = {We introduce the Danos-R\'egnier category $$\mathcal{DR}(M)$$ of a linear
inverse monoid~$$M$$, a categorical description of geometries of
interaction~(GOI).  The usual setting for GOI is that of a weakly
Cantorian linear inverse monoid.  It is well-known that GOI is
perfectly suited to describe the multiplicative fragment of linear
logic, and indeed $$\mathcal{DR}(M)$$ will be a $$*$$-autonomous category in this
case.  It is also well-known that the categorical interpretation of
the other linear connectives conflicts with GOI interpretations.  We
make this precise, and show that $$\mathcal{DR}(M)$$ has no terminal object, no
cartesian product, and no exponential---whatever $$M$$ is, unless $$M$$
is trivial.  However, a form of coherence completion of~$$\mathcal{DR}(M)$$ \a
la Hu-Joyal provides a model of full classical linear logic, as soon
as $$M$$ is weakly Cantorian.}
}

@phdthesis{THESE-baudet07,
author = {Baudet, Mathieu},
title = {S{\'e}curit{\'e} des protocoles cryptographiques~:
aspects logiques et calculatoires},
year = 2007,
month = jan,
type = {Th{\e}se de doctorat},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-baudet.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-baudet.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-baudet.ps},
abstract = {This thesis is dedicated to the automatic verification of
cryptographic protocols in the logical and computational settings. \par
The~first part concerns the security of protocols in the logical
({"}formal{"}) framework. To~begin with, we show how to specify various
security properties of protocols in a concurrent language, and how to
analyze them automatically for a bounded number of sessions.
The~properties under consideration include notably simple secrecy,
authentication and resistance to dictionary attacks. \par
The~second part deals with the computational soundness of logical models.
The~main question here is to what extent the fact that no logical attack
exists on a protocol implies that it is provably secure in the usual
cryptographic model (called the computational model). We~concentrate on
static equivalence, applied notably to several kinds of encryption and
data vulnerable to dictionary attacks (such as passwords). We~show that
under simple conditions, any (logical) proof of static equivalence between
two messages implies their (computational) indistinguishability. This
entails computational soundness in the passive case for the notion of
dictionary attacks developed in the first part.}
}

@article{VG-icomp2007,
publisher = {Elsevier Science Publishers},
journal = {Information and Computation},
author = {Verma, Kumar N. and Goubault{-}Larrecq, Jean},
title = {Alternating Two-Way {AC}-Tree Automata},
pages = {817-869},
year = {2007},
month = jun,
volume = 205,
number = 6,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/VG-icomp07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/VG-icomp07.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/VG-icomp07.ps},
doi = {10.1016/j.ic.2006.12.006},
abstract = {We explore the notion of alternating two-way tree automata
modulo the theory of finitely many associative-commutative
(AC) symbols. This was prompted by questions arising in
cryptographic protocol verification, in~particular in
modeling group key agreement schemes based on
Diffie-Hellman-like functions, where the emptiness question
for intersections of such automata is fundamental. This also
has independent interest. We~show that the use of general
push clauses, or of alternation, leads to undecidability,
already in the case of one AC symbol, with only functions of
arity zero. On~the other hand, emptiness is decidable in the
general case of several function symbols, including several
AC symbols, provided push clauses are unconditional and
intersection clauses are final. This class of automata is
also shown to be closed under intersection.}
}

@inproceedings{CJP-fossacs07,
month = mar,
year = 2007,
volume = 4423,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Seidl, Helmut},
acronym = {{FoSSaCS}'07},
booktitle = {{P}roceedings of the 10th {I}nternational
{C}onference on {F}oundations of {S}oftware {S}cience
and {C}omputation {S}tructures
({FoSSaCS}'07)},
author = {Comon{-}Lundh, Hubert and Jacquemard, Florent and
Perrin, Nicolas},
title = {Tree Automata with Memory, Visibility and Structural
Constraints},
pages = {168-182},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-fossacs07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-fossacs07.pdf},
doi = {10.1007/978-3-540-71389-0_13},
abstract = {Tree automata with one memory have been introduced in~2001. They
generalize both pushdown (word) automata and the tree automata with
constraints of equality between brothers of Bogaert and Tison. Though it has a
decidable emptiness problem, the main weakness of this model is its lack of
good closure properties. We~propose a generalization of the visibly pushdown
automata of Alur and Madhusudan to a family of tree recognizers which carry
along their (bottom-up) computation an auxiliary unbounded memory with a tree
structure (instead of a symbol stack). In~other words, these recognizers,
called visibly Tree Automata with Memory~(VTAM) define a subclass of tree
automata with one memory enjoying Boolean closure properties. We show in
particular that they can be determinized and the problems like emptiness,
inclusion and universality are decidable for~VTAM. Moreover, we propose an
extension of VTAM whose transitions may be constrained by structural equality
and disequality tests between memories, and show that this extension preserves
the good closure and decidability properties. }
}

@inproceedings{BCD-stacs2007,
month = feb,
year = 2007,
volume = 4393,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Thomas, Wolfgang and Weil, Pascal},
acronym = {{STACS}'07},
booktitle = {{P}roceedings of the 24th {A}nnual
{S}ymposium on {T}heoretical {A}spects of
{C}omputer {S}cience
({STACS}'07)},
author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert and Delaune,
St{\'e}phanie},
title = {Associative-Commutative Deducibility Constraints},
pages = {634-645},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-stacs07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-stacs07.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-stacs07.ps},
doi = {10.1007/978-3-540-70918-3_54},
abstract = {We consider deducibility constraints, which are equivalent to
particular Diophantine systems, arising in the automatic verification of
security protocols, in presence of associative and commutative symbols. We
show that deciding such Diophantine systems is, in general, undecidable. Then,
we consider a simple subclass, which we show decidable. Though the solutions
of these problems are not necessarily semi-linear sets, we show that there are
(computable) semi-linear sets whose minimal solutions are not too far from the
minimal solutions of the system. Finally, we consider a small variant of the
problem, for which there is a much simpler decision algorithm. }
}

@article{Baudet05jalc,
journal = {Journal of Automata, Languages and Combinatorics},
author = {Baudet, Mathieu},
title = {Random Polynomial-Time Attacks and {D}olev-{Y}ao Models},
year = 2006,
volume = 11,
number = 1,
pages = {7-21},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bau05-jalc.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bau05-jalc.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/Bau05-jalc.ps},
abstract = {In this paper we present an extension of
Dolev-Yao models for security protocols with a notion
of random polynomial-time (Las Vegas) computability.
First we notice that Dolev-Yao models can be seen as
transition systems, possibly infinite. We then extend
these transition systems with computation times and
probabilities. The extended models can account for
normal Dolev-Yao transitions as well as nonstandard
operations such as inverting a one-way function. Our
main contribution consists of showing that under
reasonable assumptions the extended models are
equivalent to standard Dolev-Yao models as far as
(safety) security properties are concerned.}
}

@article{LLT-icomp07,
publisher = {Elsevier Science Publishers},
journal = {Information and Computation},
author = {Lafourcade, Pascal and Lugiez, Denis and Treinen, Ralf},
title = {Intruder Deduction for the Equational Theory of {A}belian Groups with
Distributive Encryption},
year = 2007,
volume = 205,
number = 4,
pages = {581-623},
month = apr,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-icomp07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-icomp07.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/LLT-icomp07.ps},
doi = {10.1016/j.ic.2006.10.008},
abstract = {Cryptographic protocols are small programs which involve a high
level of concurrency and which are difficult to analyze by hand. The~most
successful methods to verify such protocols are based on rewriting
techniques and automated deduction in order to implement or mimic the
process calculus describing the execution of a protocol. We~are interested
in the intruder deduction problem, that is vulnerability to passive attacks
in presence of equational theories which model the protocol specification
and properties of the cryptographic operators.\par
In the present paper we consider the case where the encryption distributes
over the operator of an Abelian group or over an exclusive-or
operator. We~prove decidability of the intruder deduction problem in both
cases. We~obtain a PTIME decision procedure in a restricted case, the
so-called binary case.\par
These decision procedures are based on a careful analysis of the proof
system modeling the deductive power of the intruder, taking into account the
algebraic properties of the equational theories under consideration.
The~analysis of the deduction rules interacting with the equational theory
relies on the manipulation of $$\mathbb{Z}$$-modules in the general case,
and on results from prefix rewriting in the binary case.}
}

@book{TATA07,
author = {Comon{-}Lundh, Hubert and Dauchet, Max and Gilleron, R{\'e}mi  and
L{\"o}ding, Christof and Jacquemard, Florent and
Lugiez, Denis and Tison, Sophie and  Tommasi, Marc},
title = {Tree Automata Techniques and Applications},
year = 2007,
month = nov,
url = {http://www.grappa.univ-lille3.fr/tata/},
nmhowpublished = {Available on: \url{http://www.grappa.univ-lille3.fr/tata}},
nmnote = {release October, 12th 2007}
}

@inproceedings{HCL-fsttcs08,
month = dec,
year = 2008,
volume = 2,
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Hariharan, Ramesh and Mukund, Madhavan and Vinay, V.},
acronym = {{FSTTCS}'08},
booktitle = {{P}roceedings of the 28th {C}onference on
{F}oundations of {S}oftware {T}echnology and
{T}heoretical {C}omputer {S}cience
({FSTTCS}'08)},
author = {Comon{-}Lundh, Hubert},
title = {About Models of Security Protocols},
nopages = {},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-fsttcs08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-fsttcs08.pdf},
abstract = {In this paper, mostly consisting of definitions, we~revisit the
models of security protocols: we~show that the symbolic and the
computational models (as~well as others) are instances of a same generic
model. Our definitions are also parametrized by the security primitives,
the notion of attacker and, to some extent, the process calculus.}
}

@article{GLLN-mscs08,
publisher = {Cambridge University Press},
journal = {Mathematical Structures in Computer Science},
author = {Goubault{-}Larrecq, Jean and Lasota, S{\l}awomir
and Nowak, David},
title = {Logical Relations for Monadic Types},
volume = 18,
number = 6,
pages = {1169-1217},
month = dec,
year = 2008,
note = {81~pages},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GLLN-arxiv05.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GLLN-arxiv05.pdf},
doi = {10.1017/S0960129508007172},
abstract = {Logical relations and their generalisations are a fundamental
tool in proving properties of lambda calculi, for example,
for yielding sound principles for observational equivalence.
We propose a natural notion of logical relations that is
able to deal with the monadic types of Moggi's computational
lambda calculus. The treatment is categorical, and is based
on notions of subsconing, mono factorisation systems and
monad morphisms. Our approach has a number of interesting
applications, including cases for lambda calculi with
non-determinism (where being in a logical relation means
being bisimilar), dynamic name creation and probabilistic
systems.}
}

@phdthesis{bursztein-these2008,
author = {Bursztein, Elie},
title = {Anticipation games. Th{\'e}orie des jeux appliqu{\'e}s {\a} la
s{\'e}curit{\'e} r{\'e}seau},
year = 2008,
month = nov,
type = {Th{\e}se de doctorat},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-EB08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-EB08.pdf},
futureslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/
these-AS07-slides.pdf}
}

@phdthesis{arapinis-these2008,
author = {Arapinis, Myrto},
title = {S{\'e}curit{\'e} des protocoles cryptographiques~:
d{\'e}cidabilit{\'e} et r{\'e}sultats de r{\'e}duction},
year = 2008,
month = nov,
type = {Th{\e}se de doctorat},
school = {Universit{\'e} Paris~12, Cr{\'e}teil, France},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-MA07.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-MA07.pdf},
futureslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/
these-FC07-slides.pdf}
}

@article{CD-fmsd08,
publisher = {Springer},
journal = {Formal Methods in System Design},
author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {Safely Composing Security Protocols},
volume = 34,
number = 1,
pages = {1-36},
month = feb,
year = 2009,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-fmsd08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-fmsd08.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CD-fmsd08.ps},
doi = {10.1007/s10703-008-0059-4},
abstract = {Security protocols are small programs that are executed in
hostile environments. Many results and tools have been developed to
formally analyze the security of a protocol in the presence of an active
attacker that may block, intercept and send new messages. However even
when a protocol has been proved secure, there is absolutely no guarantee
if the protocol is executed in an environment where other protocols are
executed, possibly sharing some common keys like public keys or long-term
symmetric keys.\par
In this paper, we show that security of protocols can be easily composed.
More precisely, we show that whenever a protocol is secure, it remains
secure even in an environment where arbitrary protocols satisfying a
reasonable (syntactic) condition are executed. This result holds for a
large class of security properties that encompasses secrecy and various
formulations of authentication.}
}

@misc{PhS-AV2008,
author = {Schnoebelen, {\relax Ph}ilippe},
title = {The Complexity of Lossy Channel Systems},
year = 2008,
month = aug,
noslides = {},
howpublished = {Invited talk, Workshop {A}utomata and {V}erification
({AV}'08), Mons, Belgium}
}

@inproceedings{EB-fast08,
month = apr,
year = 2009,
volume = 5491,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Degano, Pierpaolo and Guttman,  Joshua and
Martinelli, Fabio},
acronym = {{FAST}'08},
booktitle = {{R}evised {S}elected {P}apers of the 5th {I}nternational {W}orkshop on
{F}ormal {A}spects in {S}ecurity and {T}rust ({FAST}'08)},
author = {Bursztein, Elie},
title = {Extending Anticipation Games with Location, Penalty and
Timeline},
pages = {272-286},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/eb-fast08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/eb-fast08.pdf},
doi = {10.1007/978-3-642-01465-9_18},
abstract = {Over the last few years, attack graphs have become a well
recognized tool to analyze and model complex network attacks. The most
advanced evolution of attack graphs, called anticipation games, is based
on game theory. However, even if anticipation games allow one to model time,
collateral effects and player interactions with the network, there are
still key aspects of network security that cannot be modeled in this
framework. These aspects are network cooperation to fight unknown attacks,
the cost of an attack based on its duration, and the introduction of new
attacks over time. In this paper we address these needs by introducing
a three-fold extension to anticipation games. We prove that this extension
does not change the complexity of the framework. We illustrate the
usefulness of this extension by presenting how it can be used to find a
honeynet-based defense strategy against 0-day attacks. Finally, we have
implemented this extension into a prototype, to show that it can be used
to analyze the security of large networks.}
}

@inproceedings{CLC-ccs08,
month = oct,
year = 2008,
publisher = {ACM Press},
acronym = {{CCS}'08},
booktitle = {{P}roceedings of the 15th {ACM} {C}onference
on {C}omputer and {C}ommunications {S}ecurity
({CCS}'08)},
author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique},
title = {Computational Soundness of Observational Equivalence},
pages = {109-118},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CLC-ccs08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CLC-ccs08.pdf},
doi = {10.1145/1455770.1455786},
abstract = {Many security properties are naturally expressed as
indistinguishability between two versions of a protocol. In
this paper, we show that computational proofs of
indistinguishability can be considerably simplified, for a
class of processes that covers most existing protocols. More
precisely, we show a soundness theorem, following the line
of research launched by Abadi and Rogaway in~2000:
computational indistinguishability in presence of an active
attacker is implied by the observational equivalence of the
corresponding symbolic processes. We prove our result for
symmetric encryption, but the same techniques can be applied
to other security primitives such as signatures and
public-key encryption. The proof requires the introduction
of new concepts, which are general and can be reused in
other settings.}
}

@mastersthesis{ciobaca-master,
author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan},
title = {Verification of anonymity properties in e-voting protocols},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2008},
month = sep,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-ciobaca.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-ciobaca.pdf}
}

@inproceedings{ADK-lpar08,
month = nov,
year = 2008,
volume = {5330},
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer},
editor = {Cervesato, Iliano and Veith, Helmut and Voronkov, Andrei},
acronym = {{LPAR}'08},
booktitle = {{P}roceedings of the 15th {I}nternational
{C}onference on {L}ogic for {P}rogramming,
{A}rtificial {I}ntelligence, and {R}easoning
({LPAR}'08)},
author = {Arapinis, Myrto and Delaune, St{\'e}phanie and Kremer, Steve},
title = {From One Session to Many: Dynamic Tags for Security Protocols},
pages = {128-142},
doi = {10.1007/978-3-540-89439-1_9},
abstract = {The design and verification of cryptographic
protocols is a notoriously difficult task, even in abstract
Dolev-Yao models. This is mainly due to several sources of
unboundedness (size of messages, number of sessions,~...).
In~this paper, we~present a transformation which maps a protocol
that is secure for a single session to a protocol that is secure
for an unbounded number of sessions. The~transformation is
surprisingly simple, computationally light and works for
arbitrary protocols that rely on usual cryptographic primitives,
such as symmetric and asymmetric encryption as well as digital
signatures. Our~result provides an effective strategy to design
secure protocols: (i)~design a protocol intended to be secure
for one session (this can be verified with existing automated
tools); (ii)~apply our transformation and obtain a protocol
which is secure for an unbounded number of sessions.
A~side-effect of this result is that we characterize a class of
protocols for which secrecy for an unbounded number of sessions
is decidable.}
}

@inproceedings{HCL-ijcar08,
month = aug,
year = 2008,
volume = {5195},
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer-Verlag},
editor = {Armando, Alessandro and Baumgartner, Peter and
Dowek, Gilles},
acronym = {{IJCAR}'08},
booktitle = {{P}roceedings of the 4th {I}nternational {J}oint
{C}onference on {A}utomated {R}easoning
({IJCAR}'08)},
author = {Comon{-}Lundh, Hubert},
title = {Challenges in the Automated Verification of Security
Protocols},
pages = {396-409},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-ijcar08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-ijcar08.pdf},
doi = {10.1007/978-3-540-71070-7_34},
abstract = {The application area of security protocols raises several
problems that are relevant to automated deduction. We
describe in this note some of these challenges.}
}

@article{DKR-jcs08,
publisher = {{IOS} Press},
journal = {Journal of Computer Security},
author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
title = {Verifying Privacy-type Properties of Electronic Voting
Protocols},
volume = 17,
number = 4,
month = jul,
year = 2009,
pages = {435-487},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs08.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DKR-jcs08.ps},
doi = {10.3233/JCS-2009-0340},
abstract = {Electronic voting promises the possibility of a convenient,
efficient and secure facility for recording and tallying votes in an
election. Recently highlighted inadequacies of implemented systems have
demonstrated the importance of formally verifying the underlying voting
protocols. We study three privacy-type properties of electronic voting
protocols: in increasing order of strength, they are vote-privacy,
receipt-freeness, and coercion-resistance.\par
We use the applied pi calculus, a formalism well adapted to modelling such
protocols, which has the advantages of being based on well-understood
concepts. The privacy-type properties are expressed using observational
equivalence and we show in accordance with intuition that
coercion-resistance implies receipt-freeness, which implies vote-privacy.\par
We illustrate our definitions on three electronic voting protocols from
the literature. Ideally, these three properties should hold even if the
election officials are corrupt. However, protocols that were designed to
satisfy receipt-freeness or coercion-resistance may not do so in the
presence of corrupt officials. Our model and definitions allow us to
specify and easily change which authorities are supposed to be
trustworthy.}
}

@inproceedings{Bur-atva08,
month = oct,
year = {2008},
volume = 5311,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Cha, Sungdeok and Choi, Jin-Young and Kim, Moonzoo
and Lee, Insup and Viswanathan, Mahesh},
acronym = {{ATVA}'08},
booktitle = {{P}roceedings of the 6th {I}nternational
{S}ymposium on {A}utomated {T}echnology
for {V}erification and {A}nalysis
({ATVA}'08)},
author = {Bursztein, Elie},
title = {Net{Q}i: A~Model Checker for Anticipation Game},
pages = {246-251},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-atva08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-atva08.pdf},
doi = {10.1007/978-3-540-88387-6_22},
abstract = {NetQi is a freely available model-checker designed to analyze
network incidents such as intrusion. This tool is an implementation of the
anticipation game framework, a variant of timed games tailored for network
analysis. The main purpose of NetQi is to find, given a network initial
state and a set of rules, the best strategy that fulfills player
objectives by model-checking the anticipation game and comparing the
outcome of each play that fulfills strategy constraints. For instance, it
can be used to find the best patching strategy. NetQi has been
successfully used to analyze service failure due to hardware, network
intrusion, worms and multiple-site intrusion defense cooperation.}
}

@techreport{LSV:08:18,
author = {Goubault{-}Larrecq, Jean},
title = {A Cone-Theoretic {K}rein-{M}ilman Theorem},
institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
year = 2008,
month = jun,
type = {Research Report},
number = {LSV-08-18},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-18.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-18.pdf},
note = {8~pages},
abstract = {We prove the following analogue of the Krein-Milman
Theorem: in any locally convex $$T_{0}$$ topological cone, every
convex compact saturated subset is the compact saturated convex hull
of its extreme points.}
}

@article{CJP-lmcs08,
journal = {Logical Methods in Computer Science},
author = {Comon{-}Lundh, Hubert and Jacquemard, Florent and Perrin, Nicolas},
title = {Visibly Tree Automata with Memory and Constraints},
year = 2008,
month = jun,
volume = 4,
number = {2\string:8},
nopages = {},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-lmcs08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-lmcs08.pdf},
doi = {10.2168/LMCS-4(2:8)2008},
abstract = {Tree automata with one memory have been introduced in~2001. They
generalize both pushdown (word) automata and the tree automata with
constraints of equality between brothers of Bogaert and Tison. Though it
has a decidable emptiness problem, the main weakness of this model is its
lack of good closure properties.\par
We propose a generalization of the visibly pushdown automata of Alur
and~Madhusudan to a family of tree recognizers which carry along their
(bottom-up) computation an auxiliary unbounded memory with a tree
structure (instead of a symbol stack). In~other words, these recognizers,
called Visibly Tree Automata with Memory~(VTAM) define a subclass of tree
automata with one memory enjoying Boolean closure properties. We~show in
particular that they can be determinized and the problems like emptiness,
membership, inclusion and universality are decidable for VTAM. Moreover,
we propose several extensions of VTAM whose transitions may be constrained
by different kinds of tests between memories and also constraints
\emph{{\a}~la} Bogaert and~Tison. We~show that some of these classes of
constrained VTAM keep the good closure and decidability properties, and we
demonstrate their expressiveness with relevant examples of tree
languages.}
}

@inproceedings{KMT-ijcar08,
month = aug,
year = 2008,
volume = {5195},
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer-Verlag},
editor = {Armando, Alessandro and Baumgartner, Peter and
Dowek, Gilles},
acronym = {{IJCAR}'08},
booktitle = {{P}roceedings of the 4th {I}nternational {J}oint
{C}onference on {A}utomated {R}easoning
({IJCAR}'08)},
author = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
title = {Proving Group Protocols Secure Against Eavesdroppers},
pages = {116-131},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-ijcar08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-ijcar08.pdf},
doi = {10.1007/978-3-540-71070-7_9},
abstract = {Security protocols are small programs
designed to ensure properties such as secrecy of messages
or authentication of parties in a hostile environment. In
this paper we investigate automated verification of a
particular type of security protocols, called \emph{group
protocols}, in the presence of an eavesdropper, i.e., a
passive attacker. The specificity of group protocols is
that the number of participants is not bounded.\par
Our approach consists in representing an infinite set of
messages exchanged during an unbounded number of sessions,
one session for each possible number of participants, as
well as the infinite set of associated secrets. We use
so-called visibly tree automata with memory and structural
constraints (introduced recently by Comon-Lundh
\textit{et~al.})  to represent over-approximations of these
two sets. We~identify restrictions on the specification of
protocols which allow us to reduce the attacker
capabilities guaranteeing that the above mentioned class of
automata is closed under the application of the remaining
attacker rules. The class of protocols respecting these
restrictions is large enough to cover several existing
protocols, such as the GDH family, GKE, and others.}
}

@proceedings{CKR-dagstuhl07,
editor = {Chen, Liqun and Kremer, Steve and Ryan, Mark D.},
booktitle = {Formal Protocol Verification Applied},
title = {Formal Protocol Verification Applied},
year = 2008,
series = {Dagstuhl Seminar Proceedings},
volume = {07421},
url = {http://drops.dagstuhl.de/portals/index.php?semnr=07421}
}

@inproceedings{JGL:badweeds,
month = mar,
year = 2008,
volume = 5289,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Leucker, Martin},
acronym = {{RV}'08},
booktitle = {{P}roceedings of the 8th {W}orkshop on {R}untime {V}erification ({RV}'08)},
author = {Goubault{-}Larrecq, Jean and Olivain, Julien},
title = {A Smell of Orchids},
pages = {1-20},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/go-rv08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/go-rv08.pdf},
doi = {10.1007/978-3-540-89247-2_1},
abstract = {Orchids is an intrusion detection tool based on techniques for
fast, on-line model-checking. Orchids detects complex, correlated strands
of events with very low overhead in practice, although its detection
algorithm has worst-case exponential time complexity.\par
The purpose of this paper is twofold. First, we explain the salient
features of the basic model-checking algorithm in an intuitive way, as a
form of dynamically-spawned monitors. One distinctive feature of the
Orchids algorithm is that fresh monitors need to be spawned at a possibly
alarming rate.\par
The second goal of this paper is therefore to explain how we tame the
complexity of the procedure, using abstract interpretation techniques to
safely kill useless monitors. This includes monitors which will provably
detect nothing, but also monitors that are subsumed by others, in the
sense that they will definitely fail the so-called shortest run criterion.
We take the opportunity to show how the Orchids algorithm maintains its
monitors sorted in such a way that the subsumption operation is effected
with no overhead, and we correct a small, but definitely annoying bug in
its core algorithm, as it was published in~2001.}
}

@inproceedings{JGL-csf08,
month = jun,
year = 2008,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'08},
booktitle = {{P}roceedings of the
21st {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'08)},
author = {Goubault{-}Larrecq, Jean},
title = {Towards Producing Formally Checkable Security Proofs, Automatically},
pages = {224-238},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-15.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-15.pdf},
doi = {10.1109/CSF.2008.21},
abstract = {First-order logic models of security for cryptographic protocols,
based on variants of the Dolev-Yao model, are now well-established
tools.  Given that we have checked a given security protocol~$$\pi$$
using a given first-order prover, how hard is it to extract a
formally checkable proof of~it, as~required in, e.g., common
criteria at evaluation level~$$7$$?  We~demonstrate that this is
surprisingly hard: the problem is non-recursive in general.
On~the practical side, we show how we can extract finite models~$$\mathcal{M}$$
from a set~$$\mathcal{S}$$ of clauses representing~$$\pi$$,
automatically, in two ways.  We~then define a model-checker
testing $$\mathcal{M} \models \mathcal{S}$$, and show how we can instrument it
to output a formally checkable proof, e.g., in~Coq.  This was
implemented in the \texttt{h1} tool suite.  Experience on a number of
protocols shows that this is practical.}
}

@inproceedings{DKR-csf08,
month = jun,
year = 2008,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'08},
booktitle = {{P}roceedings of the
21st {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'08)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and
Ryan, Mark D.},
title = {Composition of Password-based Protocols},
pages = {239-251},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csf08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csf08.pdf},
doi = {10.1109/CSF.2008.6},
abstract = {We investigate the composition of protocols that share a common
secret.  This situation arises when users employ the same password
on different services.  More precisely we study whether resistance
against guessing attacks composes when the same password is used.
We model guessing attacks using a common definition based on static
equivalence in a cryptographic process calculus close to the applied
pi calculus. We show that resistance against guessing attacks
composes in the presence of a passive attacker. However, composition
does not preserve resistance against guessing attacks for an active
attacker. We therefore propose a simple syntactic criterion under
which we show this composition to hold. Finally, we present a
protocol transformation that ensures this syntactic criterion and
preserves resistance against guessing attacks.}
}

@inproceedings{DKS-csf08,
month = jun,
year = 2008,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'08},
booktitle = {{P}roceedings of the
21st {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'08)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and
Steel, Graham},
title = {Formal Analysis of {PKCS}\#11},
pages = {331-344},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-csf08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-csf08.pdf},
doi = {10.1109/CSF.2008.16},
abstract = {PKCS\#11 defines an API for cryptographic devices that has
been widely adopted in industry. However, it~has been shown to be
vulnerable to a variety of attacks that could, for example, compromise
the sensitive keys stored on the device. In~this paper, we~set out a
formal model of the operation of the API, which differs from previous
security API models notably in that it accounts for non-monotonic
mutable global state. We~give decidability results for our formalism,
and describe an implementation of the resulting decision procedure
using a model checker. We~report some new attacks and prove the safety
of some configurations of the API in our model.}
}

@inproceedings{DKS-TFIT2008,
month = mar,
year = 2008,
editor = {Kuo, Tei-Wei and Cruz-Lara, Samuel},
acronym = {{TFIT}'08},
booktitle = {{P}roceedings of the 4th {T}aiwanese-{F}rench
{C}onference on {I}nformation {T}echnology ({TFIT}'08)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and
Steel, Graham},
title = {Formal Analysis of {PKCS}\#11},
pages = {267-278},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-tfit08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-tfit08.pdf},
abstract = {PKCS\#11 defines an API for cryptographic devices that has been
widely adopted in industry. However, it~has been shown to be vulnerable to
a variety of attacks that could, for~example, compromise the sensitive
keys stored on the device. In~this paper, we~set out a formal model of the
operation of the API, which differs from previous security API models
notably in that it accounts for non-monotonic mutable global state. We
give decidability results for our formalism, and describe an
implementation of the resulting decision procedure using a model checker.
We report some new attacks and prove the safety of some configurations of
the API in our model.}
}

@inproceedings{DRS-ifiptm08,
month = jun,
year = 2008,
volume = 263,
series = {IFIP Conference Proceedings},
publisher = {Springer},
editor = {Karabulut, Yuecel and Mitchell, John and Herrmann, Peter and
Jensen, Christian Damsgaard},
acronym = {IFIPTM'08},
booktitle = {{P}roceedings of the 2nd {J}oint i{T}rust and {PST}
{C}onferences on {P}rivacy, {T}rust {M}anagement and
{S}ecurity (IFIPTM'08)},
author = {Delaune, St{\'e}phanie and Ryan, Mark D. and Smyth, Ben},
title = {Automatic verification of privacy properties in the applied pi-calculus},
pages = {263-278},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DRS-ifiptm08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DRS-ifiptm08.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DRS-ifiptm08.ps},
abstract = {We develop a formal method verification technique for
cryptographic protocols. We~focus on proving observational equivalences of
the kind $$P \sim Q$$, where the processes $$P$$ and~$$Q$$ have the same
structure and differ only in the choice of terms. The calculus of
ProVerif, a variant of the applied pi-calculus, makes some progress in
this direction. We~expand the scope of ProVerif, to provide reasoning
about further equivalences. We~also provide an extension which allows
modelling of protocols which require global synchronisation. Finally we
develop an algorithm to enable automated reasoning.\par
We demonstrate the practicality of our work with two case studies.}
}

@inproceedings{Bur-wistp08,
month = may,
year = 2008,
volume = 5019,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Onieva, Jose A. and Sauveron, Damien and
Chaumette, Serge  and Gollmann, Dieter and
Markantonakis, Konstantinos},
acronym = {{WISTP}'08},
booktitle = {{P}roceedings of the
2nd {I}nternational {W}orkshop
on {I}nformation {S}ecurity {T}heory and {P}ractices
({WISTP}'08)},
author = {Bursztein, Elie},
title = {Probabilistic Protocol Identification for Hard to Classify Protocol},
pages = {49-63},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-wistp08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-wistp08.pdf},
doi = {10.1007/978-3-540-79966-5_4},
note = {Best paper award},
abstract = {With the growing use of protocol obfuscation techniques,
protocol identification for QoS enforcement, traffic prohibition, and
intrusion detection has become a complex task. This paper addresses this
issue with a probabilistic identification analysis that combines multiple
advanced identification techniques and returns an ordered list of probable
protocols. It~combines a payload analysis with a classifier based on
several discriminators, including packet entropy and size. We~show with
its implementation that it overcomes the limitations of traditional
port-based protocol identification when dealing with hard-to-classify
protocols such as peer-to-peer protocols. We also detail how it deals with
tunneled sessions and covert channels.}
}

@techreport{LSV:08:02,
author = {Bursztein, Elie},
title = {Network Administrator and Intruder Strategies},
institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
year = 2008,
month = feb,
type = {Research Report},
number = {LSV-08-02},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-02.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-02.pdf},
note = {23~pages},
abstract = {The anticipation game framework is an
extension of attack graphs based on game theory. It
is used to anticipate and analyze intruder and
administrator interactions with the network. In this
paper we extend this framework with cost and reward
in order to analyze and find player strategies.
Additionally, this extension allows one to take into
account the financial aspect of network security in
the analysis. Intuitively, a strategy is the best
succession of actions that the administrator or the
intruder can perform to achieve his objectives.
Player objectives range from patching the network
efficiently to compromising the most valuable
network assets. We prove that finding the optimal
strategy is decidable and only requires linear
memory space. Finally, we show that finding strategies
can be done in practice by evaluating the
performance of our analyzer, called NetQi.}
}

@misc{hcl:lecture07,
author = {Comon{-}Lundh, Hubert},
title = {Soundness of abstract cryptography},
oldhowpublished = {Lecture notes, part 1.
Available at \url{http://staff.aist.go.jp/h.comon-lundh/}},
year = {2007},
note = {Course notes (part~1), Symposium on Cryptography and
Information Security (SCIS2008), Tokai, Japan},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-sac08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-sac08.pdf}
}

@article{PPSLBCH-commag08,
publisher = {{IEEE} Communications Society},
journal = {IEEE Communications Magazine},
author = {Papadimitratos, Panos and Poturalski, Marcin and Schaller,
Patrick and Lafourcade, Pascal and Basin, David and
{\v{C}}apkun, Srdjan and Hubaux, Jean-Pierre},
title = {Secure Neighborhood Discovery: A~Fundamental
Element for Mobile Ad Hoc Networking},
year = 2008,
month = feb,
volume = 46,
number = 2,
pages = {132-139},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/PPSLBCH-commag08.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/PPSLBCH-commag08.pdf},
doi = {10.1109/MCOM.2008.4473095},
abstract = {Pervasive computing systems will likely be deployed in the near
future, with the proliferation of wireless devices and the emergence of ad
hoc networking as key enablers. Coping with mobility and the volatility of
wireless communications in such systems is critical. Neighborhood
Discovery~(ND), namely, the discovery of devices directly reachable for
communication or in physical proximity, becomes a fundamental requirement
and a building block for various applications. However, the very nature of
wireless mobile networks makes it easy to abuse ND and thereby compromise
the overlying protocols and applications. Thus, providing methods to
mitigate this vulnerability and secure ND is crucial. In~this article
we~focus on this problem and provide definitions of neighborhood types and
ND protocol properties, as well as a broad classification of attacks. Our
ND literature survey reveals that securing ND is indeed a difficult and
largely open problem. Moreover, given the severity of the problem, we
advocate the need to formally model neighborhood and to analyze ND
schemes.}
}

@unpublished{JLC-rc,
author = {Carr{\'e}, Jean-Loup},
title = {R{\'e}{\'e}criture, confluence},
year = {2007},
month = dec,
note = {Course notes, {P}r{\'e}paration {\a} l'agr{\'e}gation,
ENS Cachan, France}
}

@misc{pronobis-final,
author = {ARC ProNoBis},
title = {ProNoBis: Probability and Nondeterminism, Bisimulations and
Security~-- {R}apport Final},
year = 2007,
month = oct,
type = {Contract Report},
nonote = {78~slides},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/pronobis-final.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/pronobis-final.pdf}
}

@misc{netanalyser-v0.7.5,
author = {Bursztein, Elie},
title = {NetAnalyzer~v0.7.5},
year = {2008},
month = jan,
nohowpublished = {Available at .... },
note = {Written in~C and Perl (about 25000 lines)},
note-fr = {\'Ecrit en~C et en Perl (environ 25000 lignes)}
}

@misc{netqi-v1,
author = {Bursztein, Elie},
title = {NetQi~v1rc1},
year = {2007},
month = dec,
howpublished = {Available at \url{http://www.netqi.org/}},
note = {Written in~C and Java (about 10000 lines)},
note-fr = {\'Ecrit en~C et en Java (environ 10000 lignes)},
url = {http://www.netqi.org}
}

@phdthesis{mercier-phd2009,
author = {Mercier, Antoine},
title = {Contributions {\a} l'analyse automatique des protocoles
cryptographiques en pr{\'e}sence de propri{\'e}t{\'e}s
alg{\'e}briques : protocoles de groupe, {\'e}quivalence
statique},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\e}se de doctorat},
year = 2009,
month = dec,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/AM-these09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/AM-these09.pdf}
}

@phdthesis{bursuc-phd2009,
author = {Bursuc, Sergiu},
title = {Contraintes de d{\'e}ductibilit{\'e} dans une alg{\e}bre
quotient: r{\'e}duction de mod{\e}les et applications {\a}
la s{\'e}curit{\'e}},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\e}se de doctorat},
year = 2009,
month = dec,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/SB-these09.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/SB-these09.pdf}
}

@article{JGL-mscs09,
publisher = {Cambridge University Press},
journal = {Mathematical Structures in Computer Science},
author = {Goubault{-}Larrecq, Jean},
title = {{D}e~{G}root Duality and Models of Choice: Angels, Demons, and Nature},
volume = {20},
number = 2,
pages = {169-237},
month = apr,
year = 2010,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-mscs09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-mscs09.pdf},
doi = {10.1017/S0960129509990363},
abstract = {We introduce convex-concave duality for various models of
non-deterministic choice, probabilistic choice, and the two of them
together. This complements the well-known duality of stably compact spaces
in a pleasing way: convex-concave duality swaps angelic and demonic
choice, and leaves probabilistic choice invariant.}
}

@inproceedings{JGL-asian09,
month = dec,
year = 2009,
volume = 5913,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Datta, Anupam},
acronym = {{ASIAN}'09},
booktitle = {{P}roceedings of the 13th {A}sian
{C}omputing {S}cience {C}onference
({ASIAN}'09)},
author = {Goubault{-}Larrecq, Jean},
title = {{\textquotedbl}{L}ogic Wins!{\textquotedbl}},
pages = {1-16},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-asian09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-asian09.pdf},
doi = {10.1007/978-3-642-10622-4_1},
abstract = {Clever algorithm design is sometimes superseded by simple
encodings into logic. We apply this motto to a few case studies in the
formal verification of security properties. In particular, we examine
confidentiality objectives in hardware circuit descriptions written in
VHDL.}
}

@inproceedings{SRKK-wissec09,
month = nov,
year = 2009,
editor = {Pereira, Olivier and Quisquater, Jean-Jacques and
Standaert, Fran\c{c}ois-Xavier},
acronym = {{WISSEC}'09},
booktitle = {{P}roceedings of the 4th {B}enelux {W}orkshop on
{I}nformation and {S}ystem {S}ecurity ({WISSEC}'09)},
author = {Smyth, Ben and Ryan, Mark D. and Kremer, Steve and
Kourjieh, Mounira},
title = {Election verifiability in electronic voting protocols
(Preliminary version)},
nopages = {},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SRKK-wissec09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SRKK-wissec09.pdf},
abstract = {We~present a symbolic definition of election verifiability for
electronic voting protocols. Our definition is given in terms of
reachability assertions in the applied pi calculus and is amenable to
automated reasoning using the tool ProVerif. The~definition distinguishes
three aspects of verifiability, which we call individual, universal, and
eligibility verifiability. It also allows us to determine precisely what
aspects of the system are required to be trusted. We demonstrate our
formalism by analysing the protocols due to Fujioka, Okamoto \&~Ohta and
Juels, Catalano \&~Jakobsson; the~latter of which has been implemented by
Clarkson, Chong \&~Myers. }
}

@inproceedings{CCD-secco09,
month = oct,
year = 2009,
editor = {Boreale, Michele and Kremer, Steve},
acronym = {{SecCo}'09},
booktitle = {{P}reliminary {P}roceedings of the 7th {I}nternational
{W}orkshop on {S}ecurity {I}ssues in
{C}oordination {M}odels, {L}anguages and
{S}ystems ({SecCo}'09)},
author = {Cheval, Vincent and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
title = {A~decision procedure for proving observational equivalence},
nmnote = {did not appear in postproceedings EPTCS7},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCD-secco09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCD-secco09.pdf}
}

@proceedings{BK-secco2009,
title = {{P}roceedings of the 7th {I}nternational {W}orkshop on
{S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'09)},
booktitle = {{P}roceedings of the 7th {I}nternational {W}orkshop on
{S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'09)},
acronym = {{S}ec{C}o'09},
editor = {Boreale, Michele and Kremer, Steve},
doi = {10.4204/EPTCS.7},
url = {http://eptcs.web.cse.unsw.edu.au/content.cgi?SECCO2009},
series = {Electronic Proceedings in Theoretical Computer Science},
volume = 7,
year = 2009,
month = aug,
}

@mastersthesis{cheval-master,
author = {Cheval, Vincent},
title = {Algorithme de d{\'e}cision de l'{\'e}quivalence symbolique de
syst{\`e}mes de contraintes},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2009},
month = sep,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-cheval.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-cheval.pdf}
}

@inproceedings{DKP-fsttcs09,
month = dec,
year = 2009,
volume = 4,
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Kannan, Ravi and Narayan Kumar, K.},
acronym = {{FSTTCS}'09},
booktitle = {{P}roceedings of the 29th {C}onference on
{F}oundations of {S}oftware {T}echnology and
{T}heoretical {C}omputer {S}cience
({FSTTCS}'09)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and Pereira,
Olivier},
title = {Simulation based security in the applied pi calculus},
pages = {169-180},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-fsttcs09.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-fsttcs09.pdf},
doi = {10.4230/LIPIcs.FSTTCS.2009.2316},
abstract = {We present a symbolic framework for refinement and composition
of security protocols. The framework uses the notion of ideal
functionalities. These are abstract systems which are secure by
construction and which can be combined into larger systems. They can be
separately refined in order to obtain concrete protocols implementing
them. Our work builds on ideas from computational models such as the
universally composable security and reactive simulatability frameworks.
The underlying language we use is the applied pi calculus which is a
general language for specifying security protocols. In our framework we
can express the different standard flavours of simulation-based security
which happen to all coincide. We illustrate our framework on an
authentication functionality which can be realized using the
Needham-Schroeder-Lowe protocol. For this we need to define an ideal
functionality for asymmetric encryption and its realization. We also show
a joint state result for this functionality which allows composition (even
though the same key material is reused) using a tagging mechanism.}
}

@inproceedings{FLS-nordsec09,
month = oct,
year = 2009,
volume = 5838,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {J{\o}sang, Audun and Maseng, Torleiv and Knapskog, Svein Johan},
acronym = {{NordSec}'09},
booktitle = {{P}roceedings of the 14th {N}ordic {W}orkshop on {S}ecure {IT}
{S}ystems ({NordSec}'09)},
author = {Focardi, Riccardo and Luccio, Flaminia L. and
Steel, Graham},
title = {Blunting Differential Attacks on {PIN} Processing {API}s},
pages = {88-103},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FLS-nordsec09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FLS-nordsec09.pdf},
doi = {10.1007/978-3-642-04766-4_7},
abstract = {We~propose a countermeasure for a class of known attacks on the
PIN processing API used in the ATM (cash machine) network. This API
controls access to the tamper-resistant Hardware Security Modules where
PIN encryption, decryption and verification takes place. The~attacks are
differential attacks, whereby an attacker gains information about the
plaintext values of encrypted customer PINs by making changes to the
non-confidential inputs to a command. Our~proposed fix adds an integrity
check to the parameters passed to the command. It~is novel in that it
involves very little change to the existing ATM network infrastructure.}
}

@inproceedings{KMT-asian09,
month = dec,
year = 2009,
volume = 5913,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Datta, Anupam},
acronym = {{ASIAN}'09},
booktitle = {{P}roceedings of the 13th {A}sian
{C}omputing {S}cience {C}onference
({ASIAN}'09)},
author = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
title = {Reducing Equational Theories for the Decision of Static
Equivalence},
pages = {94-108},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-asian09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-asian09.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/KMT-asian09.ps},
doi = {10.1007/978-3-642-10622-4_8},
abstract = {Static equivalence is a well established notion of
indistinguishability of sequences of terms which is useful in the symbolic
analysis of cryptographic protocols. Static equivalence modulo equational
theories allows a more accurate representation of cryptographic primitives
by modelling properties of operators by equational axioms. We develop a
method that allows in some cases to simplify the task of deciding static
equivalence in a multi-sorted setting, by removing a symbol from the term
signature and reducing the problem to several simpler equational theories.
We illustrate our technique at hand of bilinear pairings.}
}

@article{DKS-jcs09,
publisher = {{IOS} Press},
journal = {Journal of Computer Security},
author = {Delaune, St{\'e}phanie and Kremer, Steve and Steel, Graham},
title = {Formal Analysis of {PKCS\#11} and Proprietary Extensions},
volume = 18,
number = 6,
pages = {1211-1245},
year = 2010,
month = nov,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-jcs09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-jcs09.pdf},
doi = {10.3233/JCS-2009-0394},
abstract = {PKCS\#11 defines an API for cryptographic devices that has been
widely adopted in industry. However, it has been shown to be vulnerable to
a variety of attacks that could, for example, compromise the sensitive
keys stored on the device. In this paper, we set out a formal model of the
operation of the API, which differs from previous security API models
notably in that it accounts for non-monotonic mutable global state. We
give decidability results for our formalism, and describe an
implementation of the resulting decision procedure using the model checker
NuSMV. We report some new attacks and prove the safety of some
configurations of the API in our model. We also analyse proprietary
extensions proposed by nCipher (Thales) and Eracom (Safenet), designed to},
internal-note = {abstract truncated in source; closing brace restored}
}

@techreport{LSV:09:15,
author = {H{\'e}am, Pierre-Cyrille and Nicaud, Cyril},
title = {Seed: an Easy-to-Use Random Generator of Recursive Data Structures for Testing},
institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
year = {2009},
month = jul,
type = {Research Report},
number = {LSV-09-15},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-15.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-15.pdf},
note = {16~pages},
abstract = {Random testing represents a simple and tractable way for software
assessment. This paper presents the Seed tool dedicated to the
uniform random generation of recursive data structures as labelled
trees or logical formulas.  We show how Seed can be used in several
testing contexts, from model based testing to performance
testing. Generated data structures are defined by grammar-like rules,
given in an XML format, multiplying Seed possible applications.
Seed is based on combinatorial techniques, and can generate uniformly
at random $$k$$~structures of size~$$n$$ with a
time complexity in $$O(n^{2}+ kn\cdot \log(n))$$. Finally, Seed is available as a free
java application and a great effort has been made to make it
easy-to-use.}
}

@inproceedings{BCLD-asian09,
month = dec,
year = 2009,
volume = 5913,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Datta, Anupam},
acronym = {{ASIAN}'09},
booktitle = {{P}roceedings of the 13th {A}sian
{C}omputing {S}cience {C}onference
({ASIAN}'09)},
author = {Bursuc, Sergiu and Delaune, St{\'e}phanie and Comon{-}Lundh,
Hubert},
title = {Deducibility constraints},
pages = {24-38},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-asian09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-asian09.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-asian09.ps},
doi = {10.1007/978-3-642-10622-4_3},
abstract = {In their work on tractable deduction systems, D.~McAllester and
later D.~Basin and H.~Ganzinger have identified a property of inference
systems (the~locality property) that ensures the tractability of the
\textit{Entscheidungsproblem}.\par
On~the other hand, deducibility constraints are sequences of deduction
problems in which some parts (formulas) are unknown. The~problem is to
decide their satisfiability and to represent the set of all possible
solutions. Such constraints have also been used for deciding some security
properties of cryptographic protocols.\par
In this paper we show that local inference systems (actually a slight
modification of such systems) yield not only a tractable deduction
problem, but also decidable deducibility constraints. Our algorithm not
only allows to decide the existence of a solution, but also gives a
representation of all solutions.}
}

@incollection{ACL-fps09,
month = may,
year = 2009,
volume = 5458,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
noacronym = {},
booktitle = {{F}ormal to {P}ractical {S}ecurity},
editor = {Cortier, V{\'e}ronique and Kirchner, Claude and Okada, Mitsuhiro and Sakurada, Hideki},
author = {Affeldt, Reynald and Comon{-}Lundh, Hubert},
title = {Verification of Security Protocols with a Bounded Number of
Sessions Based on Resolution for Rigid Variables},
pages = {1-20},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACL-fps09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACL-fps09.pdf},
doi = {10.1007/978-3-642-02002-5_1},
abstract = {First-order logic resolution is a standard way to automate the
verification of security protocols. However, it sometimes fails to produce
security proofs for secure protocols because of the detection of false
attacks. For the verification of a bounded number of sessions, false
attacks can be avoided by introducing rigid variables. Unfortunately, this
yields complicated resolution procedures. We show here that there is a
simple translation of the security problem for a bounded number of
sessions into first-order logic, that does not introduce false attacks.
This is shown by translating clauses involving rigid variables into
classical first-order clauses, while preserving satisfiability. We
illustrate this approach by giving a complete and terminating strategy for
a first-order logic fragment resulting from the above translation, that
yields a decision procedure for a bounded number of sessions.}
}

@inproceedings{ABC-cav09,
month = jun # {-} # jul,
year = 2009,
volume = 5643,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Bouajjani, Ahmad and Maler, Oded},
acronym = {{CAV}'09},
booktitle = {{P}roceedings of the 21st
{I}nternational {C}onference on
{C}omputer {A}ided {V}erification
({CAV}'09)},
author = {Abadi, Mart{\'\i}n and Blanchet, Bruno and Comon{-}Lundh,
Hubert},
title = {Models and Proofs of Protocol Security: A~Progress Report},
pages = {35-49},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABC-cav09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABC-cav09.pdf},
doi = {10.1007/978-3-642-02658-4_5},
abstract = {This paper discusses progress in the verification of security
protocols. Focusing on a small, classic example, it stresses
the use of program-like representations of protocols, and
their automatic analysis in symbolic and computational
models.}
}

@inproceedings{CFLS-esorics09,
month = sep,
year = 2009,
volume = 5789,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Backes, Michael and Ning, Peng},
acronym = {{ESORICS}'09},
booktitle = {{P}roceedings of the 14th {E}uropean {S}ymposium on
{R}esearch in {C}omputer {S}ecurity ({ESORICS}'09)},
author = {Centenaro, Matteo and Focardi, Riccardo and
Luccio, Flaminia L. and Steel, Graham},
title = {Type-based Analysis of {PIN} Processing {API}s},
pages = {53-68},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CFLS-esorics09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CFLS-esorics09.pdf},
doi = {10.1007/978-3-642-04444-1_4},
abstract = {We examine some known attacks on the PIN verification framework,
based on weaknesses of the security API for the tamper-resistant Hardware
Security Modules used in the network. We specify this API in an imperative
language with cryptographic primitives, and show how its flaws are
captured by a notion of robustness that extends the one of Myers,
Sabelfeld and Zdancewic to our cryptographic setting. We~propose an
improved API, give an extended type system for assuring integrity and for
preserving confidentiality via randomized and non-randomized encryptions,
and show our new API to be type-checkable.}
}

@inproceedings{CS-esorics09,
month = sep,
year = 2009,
volume = 5789,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Backes, Michael and Ning, Peng},
acronym = {{ESORICS}'09},
booktitle = {{P}roceedings of the 14th {E}uropean {S}ymposium on
{R}esearch in {C}omputer {S}ecurity ({ESORICS}'09)},
author = {Cortier, V{\'e}ronique and Steel, Graham},
title = {A~generic security {API} for symmetric key management on
cryptographic devices},
pages = {605-620},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CS-esorics09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CS-esorics09.pdf},
doi = {10.1007/978-3-642-04444-1_37},
abstract = {Security APIs are used to define the boundary between trusted
and untrusted code. The security properties of existing APIs are not
always clear. In~this paper, we~give a new generic API for managing
symmetric keys on a trusted cryptographic device. We state and prove
security properties for our API. In~particular, our API offers a high
level of security even when the host machine is controlled by an attacker.
Our API is generic in the sense that it can implement a wide variety of
(symmetric~key) protocols. As a proof of concept, we give an algorithm for
automatically instantiating the API commands for a given key management
protocol. We demonstrate the algorithm on a set of key establishment
protocols from the Clark-Jacob suite.}
}

@inproceedings{KAS-arspawits09,
month = aug,
year = 2009,
volume = 5511,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Degano, Pierpaolo and Vigan{\o}, Luca},
acronym = {{ARSPA-WITS}'09},
booktitle = {{R}evised {S}elected {P}apers of the {J}oint {W}orkshop
on {A}utomated {R}easoning for {S}ecurity {P}rotocol {A}nalysis and
{I}ssues in the {T}heory of {S}ecurity ({ARSPA-WITS}'09)},
author = {Keighren, Gavin and Aspinall, David and Steel, Graham},
title = {Towards a Type System for Security {API}s},
pages = {173-192},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KAS-arspawits09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KAS-arspawits09.pdf},
doi = {10.1007/978-3-642-03459-6_12},
abstract = {Security API analysis typically only considers a subset of an
API's functions, with results bounded by the number of function calls.
Furthermore, attacks involving partial leakage of sensitive information
are usually not covered. Type-based static analysis has the potential to
alleviate these shortcomings. To that end, we present a type system for
secure information flow based upon the one of Volpano, Smith and Irvine,
extended with types for cryptographic keys and ciphertext similar to those
in Sumii and Pierce. In~contrast to some other type systems, the
encryption and decryption of keys does not require special treatment. We
show that a well-typed sequence of commands is non-interferent, based upon
a definition of indistinguishability where, in certain circumstances, the
adversary can distinguish between ciphertexts that correspond to encrypted
public data.}
}

@inproceedings{FS-arspawits09,
month = aug,
year = 2009,
volume = 5511,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Degano, Pierpaolo and Vigan{\o}, Luca},
acronym = {{ARSPA-WITS}'09},
booktitle = {{R}evised {S}elected {P}apers of the {J}oint {W}orkshop
on {A}utomated {R}easoning for {S}ecurity {P}rotocol {A}nalysis and
{I}ssues in the {T}heory of {S}ecurity ({ARSPA-WITS}'09)},
author = {Fr{\"o}schle, Sibylle and Steel, Graham},
title = {Analysing {PKCS}\#11 Key Management {API}s with Unbounded
Fresh Data},
pages = {92-106},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FS-arspawits09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FS-arspawits09.pdf},
doi = {10.1007/978-3-642-03459-6_7},
abstract = {We extend Delaune, Kremer and Steel's framework for analysis of
PKCS\#11-based APIs from bounded to unbounded fresh data. We achieve this
by: formally defining the notion of an \emph{attribute policy}; showing
that a well-designed API should have a certain class of policy we call
\emph{complete}; showing that APIs with complete policies may be safely
abstracted to APIs where the attributes are fixed; and proving that these
\emph{static} APIs can be analysed in a small bounded model such that
security properties will hold for the unbounded case. We automate analysis
in our framework using the SAT-based security protocol model checker
SATMC. We show that a symmetric key management subset of the Eracom
PKCS\#11 API, used in their ProtectServer product, preserves the secrecy of
sensitive keys for unbounded numbers of fresh keys and \emph{handles},
i.e.~pointers to keys. We also show that this API is not robust: if~an
encryption key is lost to the intruder, SATMC finds an attack whereby all
the keys may be compromised.}
}

@inproceedings{CDK-secret09,
address = {Port Jefferson, New~York, USA},
month = jul,
year = 2009,
editor = {Comon{-}Lundh, Hubert and Meadows, Catherine},
acronym = {{SecReT}'09},
booktitle = {{P}reliminary {P}roceedings of the 4th
{I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
({SecReT}'09)},
author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune, St{\'e}phanie and
Kremer, Steve},
title = {Computing knowledge in security protocols under convergent
equational theories},
pages = {47-58},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDK-secret09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDK-secret09.pdf},
abstract = {We propose a procedure for the intruder deduction problem and
for the static equivalence problem, in the case where cryptographic
primitives are modeled by a convergent equational theory. Our~procedure
terminates on a wide range of equational theories. In~particular,
we~obtain a new decidability result for a theory of trapdoor commitment
that we encountered in the study of e-voting protocols. We~also provide a
prototype implementation.}
}

@inproceedings{ACD-secret09,
address = {Port Jefferson, New~York, USA},
month = jul,
year = 2009,
editor = {Comon{-}Lundh, Hubert and Meadows, Catherine},
acronym = {{SecReT}'09},
booktitle = {{P}reliminary {P}roceedings of the 4th
{I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
({SecReT}'09)},
author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and
Delaune, St{\'e}phanie},
title = {Modeling and Verifying Ad Hoc Routing Protocol},
pages = {33-46},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-secret09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-secret09.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/ACD-secret09.ps},
abstract = {Mobile ad hoc networks consist of mobile wireless devices which
autonomously organize their infrastructure. In~such a network, a~central
issue, ensured by routing protocols, is to find a route from one device to
another. Those protocols use cryptographic mechanisms in order to prevent
a malicious node from compromising the discovered route.\par
We present a calculus for modeling and reasoning about security protocols,
including in particular secured routing protocols. Our calculus extends
standard symbolic models to take into account the characteristics of
routing protocols and to model wireless communication in a more accurate
way. Then, by using constraint solving techniques, we propose a decision
procedure for analyzing routing protocols for a bounded number of sessions
and for a fixed network topology. We~demonstrate the usage and usefulness
of our approach by analyzing the protocol SRP applied to~DSR.}
}

@inproceedings{KMT-secret09,
address = {Port Jefferson, New~York, USA},
month = jul,
year = 2009,
editor = {Comon{-}Lundh, Hubert and Meadows, Catherine},
acronym = {{SecReT}'09},
booktitle = {{P}reliminary {P}roceedings of the 4th
{I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
({SecReT}'09)},
author = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
title = {Reducing Equational Theories for the Decision of Static
Equivalence (Preliminary Version)},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-secret09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-secret09.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/KMT-secret09.ps},
abstract = {Static equivalence is a well established notion of
indistinguishability of sequences of terms which is useful in the symbolic
analysis of cryptographic protocols. Static equivalence modulo equational
theories allows a more accurate representation of cryptographic primitives
by modelling properties of operators by equational axioms. We develop a
method that allows in some cases to simplify the task of deciding static
equivalence in a multi-sorted setting, by removing a symbol from the term
signature and reducing the problem to several simpler equational theories.
We illustrate our technique at hand of bilinear pairings.}
}

@techreport{LSV:09:09,
author = {Goubault{-}Larrecq, Jean},
title = {On a Generalization of a Result by {V}alk and {J}antzen},
institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
year = {2009},
month = may,
type = {Research Report},
number = {LSV-09-09},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-09.pdf},
note = {18~pages},
abstract = {We~show that, under mild assumptions on the effective, well
quasi-ordered set~$$X$$, one~can compute a finite basis of an
upward-closed subset~$$U$$ of~$$X$$ if and only if one can decide whether
$$U \cap \downarrow z$$ is empty for every $$z \in \widehat{X}$$. Here
$$\widehat{X}$$ is the completion of $$X$$ as defined in Finkel and
Goubault-Larrecq, {\em Forward Analysis for WSTS, Part~{I:} Completions},
STACS'09, pages 433-444, 2009. This generalizes a useful result proved by
Valk and Jantzen in~1985, which is the case $$X = \mathbb{N}^k$$.}
}

@inproceedings{CDK-cade09,
month = aug,
year = 2009,
volume = {5663},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Schmidt, Renate},
booktitle = {{P}roceedings of the 22nd {I}nternational
{C}onference on {A}utomated {D}eduction ({CADE}'09)},
author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune, St{\'e}phanie and
Kremer, Steve},
title = {Computing knowledge in security protocols under convergent
equational theories},
pages = {355-370},
doi = {10.1007/978-3-642-02959-2_27},
abstract = {In the symbolic analysis of security protocols, two classical
notions of knowledge, deducibility and indistinguishability, yield
corresponding decision problems. We~propose a procedure for both problems
under arbitrary convergent equational theories. Our~procedure terminates
on a wide range of equational theories. In~particular, we~obtain a new
decidability result for a theory we encountered when studying electronic
voting protocols. We~also provide a prototype implementation.}
}

@article{goubault-jcs09,
publisher = {{IOS} Press},
journal = {Journal of Computer Security},
author = {Goubault{-}Larrecq, Jean},
title = {Finite Models for Formal Security Proofs},
volume = 18,
number = 6,
pages = {1247-1299},
year = 2010,
month = nov,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-jcs09.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-jcs09.pdf},
doi = {10.3233/JCS-2009-0395},
abstract = {First-order logic models of security for cryptographic
protocols, based on variants of the Dolev-Yao model, are now
well-established tools. Given that we have checked a given security
protocol using a given first-order prover, how hard is it to extract a
formally checkable proof of it, as required in, \textit{e.g.}, common
criteria at the highest evaluation level~(EAL7)? We~demonstrate that this
is surprisingly hard in the general case: the problem is non-recursive.
Nonetheless, we show that we can instead extract finite
models~$$\mathcal{M}$$ from a set~$$S$$ of clauses representing~$$\pi$$,
automatically, and give two ways of doing~so. We~then define a
model-checker testing $$\mathcal{M} \models S$$, and show how we can
instrument it to output a formally checkable proof, \textit{e.g.}, in~Coq.
Experience on a number of protocols shows that this is practical, and that
even complex (secure) protocols modulo equational theories have small
finite models, making our approach suitable.}
}

@inproceedings{FGL-icalp09,
month = jul,
year = 2009,
volume = 5556,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Albers, Susanne and Marchetti-Spaccamela, Alberto and
Matias, Yossi and Thomas, Wolfgang},
acronym = {{ICALP}'09},
booktitle = {{P}roceedings of the 36th {I}nternational
{C}olloquium on {A}utomata, {L}anguages and
{P}rogramming ({ICALP}'09)},
author = {Finkel, Alain and Goubault{-}Larrecq, Jean},
title = {Forward Analysis for {WSTS}, Part~{II}: Complete {WSTS}},
pages = {188-199},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-icalp09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-icalp09.pdf},
doi = {10.1007/978-3-642-02930-1_16},
abstract = {We~describe a simple, conceptual forward analysis procedure for
$$\infty$$-complete WSTS~$$\mathcal{S}$$. This computes the \emph{clover}
of a state~$$s_0$$, \textit{i.e.}, a~finite description of the closure of
the cover of~$$s_0$$. When $$\mathcal{S}$$ is the completion of a
WSTS~$$\mathcal{X}$$, the clover in~$$\mathcal{S}$$ is a finite
description of the cover in~$$\mathcal{X}$$. We~show that this applies
exactly when $$\mathcal{X}$$ is an $$\omega^2$$-WSTS, a~new robust class
of WSTS. We~show that our procedure terminates in more cases than the
generalized Karp-Miller procedure on extensions of Petri nets. We
characterize the WSTS where our procedure terminates as those that are
\emph{clover-flattable}. Finally, we~apply this to well-structured counter
systems.}
}

@inproceedings{CD-csf09,
address = {Port Jefferson, New York, USA},
month = jul,
year = 2009,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'09},
booktitle = {{P}roceedings of the
22nd {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'09)},
author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {A~method for proving observational equivalence},
pages = {266-276},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-csf09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-csf09.pdf},
doi = {10.1109/CSF.2009.9},
abstract = {Formal methods have proved their usefulness for analyzing the
security of protocols. Most existing results focus on trace properties
like secrecy or authentication. There are however several security
properties, which cannot be defined (or cannot be naturally defined) as
trace properties and require the notion of \emph{observational
equivalence}. Typical examples are anonymity, privacy related properties
or statements closer to security properties used in cryptography.\par
In this paper, we consider the applied pi calculus and we show that for
\emph{determinate} processes, observational equivalence actually coincides
with trace equivalence, a notion simpler to reason with. We~exhibit a
large class of determinate processes, called \emph{simple processes}, that
capture most existing protocols and cryptographic primitives. Then, for
simple processes without replication, we~reduce the decidability of trace
equivalence to deciding an equivalence relation introduced by M.~Baudet.
Altogether, this yields the first decidability result of observational
equivalence for a general class of equational theories.}
}

@inproceedings{CDK-forte09,
month = jun,
year = 2009,
volume = {5522},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Lee, David and Lopes, Ant{\'o}nia and Poetzsch-Heffter, Arnd},
acronym = {{FMOODS/FORTE}'09},
booktitle = {{P}roceedings of {IFIP} {I}nternational {C}onference on {F}ormal
{T}echniques for {D}istributed {S}ystems ({FMOODS/FORTE}'09)},
author = {Chadha, Rohit and Delaune, St{\'e}phanie and
Kremer, Steve},
title = {Epistemic Logic for the Applied Pi Calculus},
pages = {182-197},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/cdk-forte09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/cdk-forte09.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/cdk-forte09.ps},
doi = {10.1007/978-3-642-02138-1_12},
abstract = {We propose an epistemic logic for the applied pi calculus, which
is a variant of the pi calculus with extensions for modeling cryptographic
protocols. In such a calculus, the security guarantees are usually stated
as equivalences. While process calculi provide a natural means to describe
the protocols themselves, epistemic logics are often better suited for
expressing certain security properties such as secrecy and anonymity.\par
We intend to bridge the gap between these two approaches: using the set of
traces generated by a process as models, we define a logic which has
constructs for reasoning about both intruder's epistemic knowledge and the
set of messages in possession of the intruder. As an example we consider
two formalizations of privacy in electronic voting and study the
relationship between them.}
}

@inproceedings{BCL-rta09,
month = jun # {-} # jul,
year = 2009,
volume = 5595,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Treinen, Ralf},
acronym = {{RTA}'09},
booktitle = {{P}roceedings of the 20th {I}nternational
{C}onference on {R}ewriting {T}echniques
and {A}pplications
({RTA}'09)},
author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert},
title = {Protocol security and algebraic properties: decision results
for a bounded number of sessions},
pages = {133-147},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCL-rta09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCL-rta09.pdf},
doi = {10.1007/978-3-642-02348-4_10},
abstract = {We consider the problem of deciding the security of
cryptographic protocols for a bounded number of sessions, taking into
account some algebraic properties of the security primitives, for instance
Abelian group properties. We propose a general method for deriving
decision algorithms, splitting the task into 4 properties of the rewriting
system describing the intruder capabilities: locality, conservativity,
finite variant property and decidability of one-step deducibility
constraints. We illustrate this method on a non trivial example, combining
several Abelian Group properties, exponentiation and a homomorphism,
showing a decidability result for this combination. }
}

@inproceedings{BCD-rta09,
month = jun # {-} # jul,
year = 2009,
volume = 5595,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Treinen, Ralf},
acronym = {{RTA}'09},
booktitle = {{P}roceedings of the 20th {I}nternational
{C}onference on {R}ewriting {T}echniques
and {A}pplications
({RTA}'09)},
author = {Baudet, Mathieu and Cortier, V{\'e}ronique and Delaune,
St{\'e}phanie},
title = {{YAPA}: A~generic tool for computing intruder knowledge},
pages = {148-163},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-rta09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-rta09.pdf},
doi = {10.1007/978-3-642-02348-4_11},
abstract = {Reasoning about the knowledge of an attacker is a necessary step
in many formal analyses of security protocols. In the framework of the
applied pi calculus, as in similar languages based on equational logics,
knowledge is typically expressed by two relations: deducibility and static
equivalence. Several decision procedures have been proposed for these
relations under a variety of equational theories. However, each theory has
its particular algorithm, and none has been implemented so~far.\par
We provide a generic procedure for deducibility and static equivalence
that takes as input any convergent rewrite system. We show that our
algorithm covers all the existing decision procedures for convergent
theories. We also provide an efficient implementation, and compare it
briefly with the more general tool ProVerif.}
}

@techreport{LSV:09:02,
author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert},
title = {Protocols, insecurity decision and combination of equational theories},
institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
year = {2009},
month = feb,
type = {Research Report},
number = {LSV-09-02},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-02.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-02.pdf},
note = {43~pages},
abstract = {We consider the problem of finding attacks for a bounded number
of sessions of security protocols. We~contribute to this field, showing
how to decompose the problem into pieces for a class of equational
theories, which includes the hierarchical combinations, as well as
non-hierarchical ones. We apply this result to an electronic purse case
study: we~show the decidability in co-NP of the insecurity problem for a
complex equational theory mixing three Abelian groups, exponentiation and
homomorphism properties.\par
The main technical contributions rely on equational logic, term rewriting
and combination of theories.}
}

@article{CCZ-tocl08,
publisher = {ACM Press},
journal = {ACM Transactions on Computational Logic},
author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique and
Z{\u{a}}linescu, Eugen},
title = {Deciding security properties for cryptographic
protocols. Application to key cycles},
volume = 11,
number = 2,
nopages = {},
month = jan,
year = 2010,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCZ-tocl09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCZ-tocl09.pdf},
doi = {10.1145/1656242.1656244},
abstract = {There is a large amount of work dedicated to the formal
verification of security protocols. In~this paper, we~revisit and extend
the NP-complete decision procedure for a bounded number of sessions. We
use a, now standard, deducibility constraint formalism for modeling
security protocols. Our~first contribution is to give a simple set of
constraint simplification rules, that allows to reduce any deducibility
constraint to a set of solved forms, representing all solutions (within
the bound on sessions).\par
As a consequence, we prove that deciding the existence of key cycles is
NP-complete for a bounded number of sessions. The problem of key-cycles
has been put forward by recent works relating computational and symbolic
models. The so-called soundness of the symbolic model requires indeed that
no key cycle (\textit{e.g.},~enc$$(k, k)$$) ever occurs in the
execution of the protocol. Otherwise, stronger security assumptions (such
as KDM-security) are required.\par
We show that our decision procedure can also be applied to prove again the
decidability of authentication-like properties and the decidability of a
significant fragment of protocols with timestamps.}
}

@inproceedings{JKV-lata09,
month = apr,
year = 2009,
volume = 5457,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Dediu, Adrian Horia and Mihai Ionescu, Armand and Mart{\'\i}n-Vide, Carlos},
acronym = {{LATA}'09},
booktitle = {{P}roceedings of the 3rd {I}nternational {C}onference on {L}anguage
and {A}utomata {T}heory and {A}pplications ({LATA}'09)},
author = {Jacquemard, Florent and Klay, Francis and Vacher, Camille},
title = {Rigid Tree Automata},
pages = {446-457},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-lata09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-lata09.pdf},
doi = {10.1007/978-3-642-00982-2_38},
abstract = {We introduce the class of Rigid Tree Automata (RTA), an
extension of standard bottom-up automata on ranked trees with
distinguished states called rigid. Rigid states define a restriction on
the computation of RTA on trees: RTA can test for equality in subtrees
reaching the same rigid state. RTA are able to perform local and global
tests of equality between subtrees, non-linear tree pattern matching, and
restricted disequality tests as well. Properties like determinism, pumping
lemma, boolean closure, and several decision problems are studied in
detail. In particular, the emptiness problem is shown decidable in linear
time for RTA whereas membership of a given tree to the language of a given
RTA is NP-complete. Our main result is the decidability of whether a given
tree belongs to the rewrite closure of a RTA language under a restricted
family of term rewriting systems, whereas this closure is not a RTA
language. This result, one of the first on rewrite closure of languages of
tree automata with constraints, is enabling the extension of model
checking procedures based on finite tree automata techniques. Finally, a
comparison of RTA with several classes of tree automata with local and
global equality tests, and with dag automata is also provided.}
}

@proceedings{KP-secco2008,
title = {{P}roceedings of the 6th {I}nternational {W}orkshop on
{S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'08)},
booktitle = {{P}roceedings of the 6th {I}nternational {W}orkshop on
{S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'08)},
editor = {Kremer, Steve and Panangaden, Prakash},
publisher = {Elsevier Science Publishers},
doi = {10.1016/j.entcs.2009.07.077},
url = {http://www.sciencedirect.com/science/journal/15710661/242/3},
series = {Electronic Notes in Theoretical Computer Science},
volume = 242,
number = 3,
year = 2009,
month = aug,
}

@article{BCK-IC09,
publisher = {Elsevier Science Publishers},
journal = {Information and Computation},
author = {Baudet, Mathieu and Cortier, V{\'e}ronique and Kremer, Steve},
title = {Computationally Sound Implementations of Equational Theories},
year = {2009},
month = apr,
volume = 207,
number = 4,
pages = {496-520},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCK-ic09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCK-ic09.pdf},
doi = {10.1016/j.ic.2008.12.005},
abstract = {In~this paper we study the link between formal and cryptographic
models for security protocols in the presence of passive adversaries.
In~contrast to other works, we~do not consider a fixed set of primitives
but aim at results for arbitrary equational theories. We~define a
framework for comparing a cryptographic implementation and its
idealization with respect to various security notions. In~particular, we
concentrate on the computational soundness of static equivalence, a
standard tool in cryptographic pi calculi. We~present a soundness
criterion, which for many theories is not only sufficient but also
necessary. Finally, to~illustrate our framework, we~establish the
soundness of static equivalence for the exclusive OR and a theory of
ciphers and lists.}
}

@article{KM-jcs09,
publisher = {{IOS} Press},
journal = {Journal of Computer Security},
author = {Kremer, Steve and Mazar{\'e}, Laurent},
title = {Computationally Sound Analysis of Protocols using
Bilinear Pairings},
year = 2010,
month = nov,
volume = 18,
number = 6,
pages = {999-1033},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-jcs09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-jcs09.pdf},
doi = {10.3233/JCS-2009-0388},
abstract = {In this paper, we introduce a symbolic model to analyse
protocols that use a bilinear pairing between two cyclic groups. This
model consists in an extension of the Abadi-Rogaway logic and we prove
that the logic is still computationally sound: symbolic
indistinguishability implies computational indistinguishability provided
that the Bilinear Decisional Diffie-Hellman assumption holds and that the
encryption scheme is \textsf{IND-CPA} secure. We~illustrate our results on
classical protocols using bilinear pairing like Joux tripartite
Diffie-Hellman protocol or the TAK-2 and TAK-3 protocols. We also
investigate the security of a newly designed variant of the
Burmester-Desmedt protocol using bilinear pairings. More precisely, we
show for each of these protocols that the generated key is
indistinguishable from a random element.}
}

@article{DKR-jcs09,
publisher = {{IOS} Press},
journal = {Journal of Computer Security},
author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
title = {Symbolic bisimulation for the applied pi~calculus},
year = 2010,
month = mar,
volume = 18,
number = 2,
pages = {317-377},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs09.pdf},
doi = {10.3233/JCS-2010-0363},
abstract = {We propose a symbolic semantics for the finite applied
pi~calculus. The~applied pi calculus is a variant of the pi~calculus with
extensions for modelling cryptographic protocols. By~treating inputs
symbolically, our semantics avoids potentially infinite branching of
execution trees due to inputs from the environment. Correctness is
maintained by associating with each process a set of constraints on terms.
We~define a symbolic labelled bisimulation relation, which is shown to be
sound but not complete with respect to standard bisimulation. We explore
the lack of completeness and demonstrate that the symbolic bisimulation
relation is sufficient for many practical examples. This~work is an
important step towards automation of observational equivalence for the
finite applied pi calculus, \textit{e.g.}~for verification of anonymity or
strong secrecy properties.}
}

@inproceedings{FGL-stacs2009,
month = feb,
year = 2009,
volume = 3,
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Albers, Susanne and Marion, Jean-Yves},
acronym = {{STACS}'09},
booktitle = {{P}roceedings of the 26th {A}nnual
{S}ymposium on {T}heoretical {A}spects of
{C}omputer {S}cience
({STACS}'09)},
author = {Finkel, Alain and Goubault{-}Larrecq, Jean},
title = {Forward Analysis for~{WSTS}, Part~{I}: Completions},
pages = {433-444},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-stacs2009.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-stacs2009.pdf},
abstract = {Well-structured transition systems provide the right foundation
to compute a finite basis of the set of predecessors of the upward closure
of a state. The~dual problem, to compute a finite representation of the
set of successors of the downward closure of a state, is~harder: Until
now, the theoretical framework for manipulating downward-closed sets was
missing. We~answer this problem, using insights from domain theory (dcpos
and ideal completions), from topology (sobrifications), and shed new light
on the notion of adequate domains of limits.}
}

@article{JKV-icomp10,
publisher = {Elsevier Science Publishers},
journal = {Information and Computation},
author = {Jacquemard, Florent and Klay, Francis and Vacher, Camille},
title = {Rigid Tree Automata},
volume = {209},
number = 3,
pages = {486-512},
year = 2011,
month = mar,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-icomp11.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-icomp11.pdf},
doi = {10.1016/j.ic.2010.11.015},
abstract = {We introduce the class of Rigid Tree Automata (RTA), an
extension of standard bottom-up automata on ranked trees with
distinguished states called rigid. Rigid states define a restriction on
the computation of RTA on trees: RTA can test for equality in subtrees
reaching the same rigid state. RTA are able to perform local and global
tests of equality between subtrees, non-linear tree pattern matching, and
restricted disequality tests as well. Properties like determinism, pumping
lemma, boolean closure, and several decision problems are studied in
detail. In particular, the emptiness problem is shown decidable in linear
time for RTA whereas membership of a given tree to the language of a given
RTA is NP-complete. Our main result is the decidability of whether a given
tree belongs to the rewrite closure of a RTA language under a restricted
family of term rewriting systems, whereas this closure is not a RTA
language. This result, one of the first on rewrite closure of languages of
tree automata with constraints, is enabling the extension of model
checking procedures based on finite tree automata techniques. Finally, a
comparison of RTA with several classes of tree automata with local and
global equality tests, and with dag automata is also provided.}
}

@inproceedings{CSV-vmcai11,
month = jan,
year = 2011,
volume = 6538,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Jhala, Ranjit and Schmidt, David},
acronym = {{VMCAI}'11},
booktitle = {{P}roceedings of the 12th {I}nternational {C}onference on
{V}erification, {M}odel {C}hecking and {A}bstract {I}nterpretation
({VMCAI}'11)},
title = {Probabilistic {B}{\"u}chi automata with non-extremal acceptance
thresholds},
pages = {103-117},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-vmcai11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-vmcai11.pdf},
doi = {10.1007/978-3-642-18275-4_9},
abstract = {This paper investigates the power of Probabilistic
B{\"u}chi Automata~(PBA) when the threshold probability of acceptance is
non-extremal, i.e., is a value strictly between 0 and 1. Many practical
randomized algorithms are designed to work under non-extremal threshold
probabilities and thus it is important to study the power of PBAs for such
cases.\par
The paper presents a number of surprising expressiveness and decidability
results for PBAs when the threshold probability is non-extremal. Some of
these results sharply contrast with the results for extremal threshold
probabilities. The paper also presents results for Hierarchical PBAs and
for an interesting subclass of them called simple PBAs.}
}

@inproceedings{steel-escar09,
month = nov,
year = 2009,
editor = {Paar, Christof and Wollinger, Thomas},
acronym = {{ESCAR}'09},
booktitle = {{P}roceedings of the 7th
{C}onference on {E}mbedded {S}ecurity in {C}ars
({ESCAR}'09)},
author = {Steel, Graham},
title = {Towards a Formal Analysis of the {S}e{V}e{C}o{M}~{API}},
nopages = {},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-escar09.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-escar09.pdf}
}

@inproceedings{steel-fcc09,
address = {Port Jefferson, New York, USA},
month = jul,
year = 2009,
editor = {K{\"u}sters, Ralf},
acronym = {{FCC}'09},
booktitle = {{P}roceedings of the 5th {W}orkshop on {F}ormal and
{C}omputational {C}ryptography ({FCC}'09)},
author = {Steel, Graham},
title = {Computational Soundness for {API}s},
nopages = {},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-fcc09.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-fcc09.pdf}
}

@inproceedings{SC-fcc07,
month = jul,
year = 2007,
editor = {Backes, Michael and Lakhnech, Yassine},
acronym = {{FCC}'07},
booktitle = {{P}roceedings of the 3rd {W}orkshop on {F}ormal and
{C}omputational {C}ryptography ({FCC}'07)},
author = {Steel, Graham and Courant, Judica{\"e}l},
title = {A formal model for detecting parallel key search attacks},
nopages = {},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-fcc07.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-fcc07.pdf}
}

@mastersthesis{scerri-master,
author = {Scerri, Guillaume},
title = {Mod{\'e}lisation des cl{\'e}s de l'intrus},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2010},
month = sep,
nmnote = {Hubert prefere ne pas diffuser le rapport, et prepare une version 'conf'}
}

@article{LMT-tcs10,
publisher = {Elsevier Science Publishers},
journal = {Theoretical Computer Science},
author = {Lanotte, Ruggero and Maggiolo{-}Schettini, Andrea and Troina, Angelo},
title = {Weak bisimulation for Probabilistic Timed Automata},
volume = 411,
number = 50,
year = 2010,
month = nov,
pages = {4291-4322},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/LMT-tcs10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/LMT-tcs10.pdf},
doi = {10.1016/j.tcs.2010.09.003},
abstract = {We are interested in describing timed systems that exhibit
probabilistic behaviour. To this purpose, we consider a
model of Probabilistic Timed Automata and introduce a
concept of weak bisimulation for these automata, together
with an algorithm to decide it. The weak bisimulation
relation is shown to be preserved when either time, or
probability is abstracted away. As an application, we use
weak bisimulation for Probabilistic Timed Automata to model
and analyze a timing attack on the dining cryptographers protocol.}
}

@article{CD-jar10,
publisher = {Springer},
journal = {Journal of Automated Reasoning},
author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {Decidability and combination results for two notions of
knowledge in security protocols},
volume = 48,
number = {4},
pages = {441-487},
month = apr,
year = 2012,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-jar10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-jar10.pdf},
doi = {10.1007/s10817-010-9208-8},
abstract = {In formal approaches, messages sent over a network are usually
modeled by terms together with an equational theory, axiomatizing the
properties of the cryptographic functions (encryption, exclusive~or,~...).
The analysis of cryptographic protocols requires a precise understanding
of the attacker knowledge. Two standard notions are usually considered:
deducibility and indistinguishability. Those notions are well-studied and
several decidability results already exist to deal with a variety of
equational theories. Most of the existing results are dedicated to
specific equational theories and only few results, especially in the case
of indistinguishability, have been obtained for equational theories with
associative and commutative properties~(AC).\par
In this paper, we show that existing decidability results can be easily
combined for any disjoint equational theories: if the deducibility and
indistinguishability relations are decidable for two disjoint theories,
they are also decidable for their union. We also propose a general setting
for solving deducibility and indistinguishability for an important class
(called \emph{monoidal}) of equational theories involving AC operators.\par
As a consequence of these two results, new decidability and complexity
results can be obtained for many relevant equational theories.}
}

@inproceedings{BGGLP-scan10,
month = sep,
year = 2010,
noeditor = {},
acronym = {SCAN'10},
booktitle = {{P}roceedings of the 14th {GAMM}-{IMACS} {I}nternational
{S}ymposium on {S}cientific {C}omputing, {C}omputer
{A}rithmetic and {V}alidated {N}umerics ({SCAN}'10)},
author = {Bouissou, Olivier and Goubault, {\'E}ric and
Goubault{-}Larrecq, Jean and Putot, Sylvie},
title = {A Generalization of {P}-boxes to Affine Arithmetic, and Applications to
Static Analysis of Programs},
nopages = {}
}

@article{GLK-mscs10,
publisher = {Cambridge University Press},
journal = {Mathematical Structures in Computer Science},
author = {Goubault{-}Larrecq, Jean and Keimel, Klaus},
title = {{C}hoquet-{K}endall-{M}atheron Theorems for Non-{H}ausdorff
Spaces},
volume = 21,
number = 3,
pages = {511-561},
month = jun,
year = 2011,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLK-mscs10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLK-mscs10.pdf},
doi = {10.1017/S0960129510000617},
abstract = {We establish Choquet-Kendall-Matheron theorems on non-Hausdorff
topological spaces. This typical result of random set theory is profitably
recast in purely topological terms, using intuitions and tools from domain
theory. We obtain three variants of the theorem, each one characterizing
distributions, in the form of continuous valuations, over relevant
powerdomains of demonic, resp. angelic, resp. erratic non-determinism.}
}

@inproceedings{CSV-fsttcs10,
month = dec,
year = 2010,
volume = 8,
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Lodaya, Kamal and Mahajan, Meena},
acronym = {{FSTTCS}'10},
booktitle = {{P}roceedings of the 30th {C}onference on
{F}oundations of {S}oftware {T}echnology and
{T}heoretical {C}omputer {S}cience
({FSTTCS}'10)},
title = {Model Checking Concurrent Programs with Nondeterminism and Randomization},
pages = {364-375},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-fsttcs10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-fsttcs10.pdf},
doi = {10.4230/LIPIcs.FSTTCS.2010.364},
abstract = {For concurrent probabilistic programs having process-level
nondeterminism, it is often necessary to restrict the class of schedulers
that resolve nondeterminism to obtain sound and precise model checking
algorithms. In this paper, we introduce two classes of schedulers called
\emph{view consistent} and \emph{locally Markovian} schedulers and
consider the model checking problem of concurrent, probabilistic programs
under these alternate semantics. Specifically, given a B{\"u}chi
automaton~$$\textsf{Spec}$$, a~threshold~$$x\in[0,1]$$, and a concurrent
program~$$\mathbb{P}$$, the model checking problem asks if the measure of
computations of~$$\mathbb{P}$$ that satisfy~$$\textsf{Spec}$$ is at
least~$$x$$, under all view consistent (or locally Markovian) schedulers.
We give precise complexity results for the model checking problem (for
different classes of B{\"u}chi automata specifications) and contrast it
with the complexity under the standard semantics that considers all
schedulers. }
}

@inproceedings{DKRS-fast10,
month = sep,
year = 2010,
volume = 6561,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Degano, Pierpaolo and Etalle, Sandro and Guttman, Joshua},
acronym = {{FAST}'10},
booktitle = {{R}evised {S}elected {P}apers of the 7th {I}nternational {W}orkshop on
{F}ormal {A}spects in {S}ecurity and {T}rust ({FAST}'10)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D. and
Steel, Graham},
title = {A~Formal Analysis of Authentication in the {TPM}},
pages = {111-125},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-fast10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-fast10.pdf},
ps = {DKRS-fast10.ps},
doi = {10.1007/978-3-642-19751-2_8},
abstract = {The Trusted Platform Module~(TPM) is a hardware chip designed to
enable computers to achieve a greater level of security than is possible
in software alone. To this end, the TPM provides a way to store
cryptographic keys and other sensitive data in its shielded memory.
Through its API, one can use those keys to achieve some security goals.
The TPM is a complex security component, whose specification consists of
more than $$700$$~pages.\par
We model a collection of four TPM commands, and we identify and formalise
their security properties. Using the tool ProVerif, we rediscover some
known attacks and some new variations on them. We propose modifications to
the API and verify our properties for the modified API.}
}

@inproceedings{DKRS-secco10,
month = aug,
year = 2010,
editor = {Cortier, V{\'e}ronique and Chatzikokolakis, Kostas},
acronym = {{SecCo}'10},
booktitle = {{P}reliminary {P}roceedings of the 8th {I}nternational
{W}orkshop on {S}ecurity {I}ssues in
{C}oordination {M}odels, {L}anguages and
{S}ystems ({SecCo}'10)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D. and
Steel, Graham},
title = {A~Formal Analysis of Authentication in the~{TPM} (short paper)},
nopages = {},
nmnote = {did not appear in postproc. EPTCS 51},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-secco10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-secco10.pdf},
ps = {DKRS-secco10.ps}
}

@article{bwa-jcs10,
publisher = {{IOS} Press},
journal = {Journal of Computer Security},
author = {Baudet, Mathieu and Warinschi, Bogdan},
title = {Guessing Attacks and the Computational Soundness of Static
Equivalence},
volume = 18,
number = 5,
pages = {909-968},
month = sep,
year = 2010,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/bwa-jcs10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/bwa-jcs10.pdf},
doi = {10.3233/JCS-2009-0386},
abstract = {The indistinguishability of two pieces of data (or two lists of
pieces of data) can be represented formally in terms of a relation called
static equivalence. Static equivalence depends on an underlying equational
theory. The choice of an inappropriate equational theory can lead to
overly pessimistic or overly optimistic notions of indistinguishability,
and in turn to security criteria that require protection against
impossible attacks or---worse yet---that ignore feasible ones. In this
paper, we define and justify an equational theory for standard,
fundamental cryptographic operations. This equational theory yields a
notion of static equivalence that implies computational
indistinguishability. Static equivalence remains liberal enough for use in
applications. In particular, we develop and analyze a principled formal
account of guessing attacks in terms of static equivalence.}
}

@inproceedings{bgl-setop10,
month = sep,
year = 2010,
volume = 6514,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Cavalli, Ana and Leneutre, Jean},
acronym = {{DPM}{{\slash}}{SETOP}'10},
booktitle = {{R}evised {S}elected {P}apers of the 5th {I}nternational {W}orkshop
on {D}ata {P}rivacy {M}anagement and {A}utonomous
{S}pontaneous {S}ecurity ({DPM}'10) and 3rd {I}nternational
{W}orkshop on {A}utonomous
and {S}pontaneous {S}ecurity ({SETOP}'10)},
author = {Benzina, Hedi and Goubault{-}Larrecq, Jean},
title = {Some Ideas on Virtualized Systems Security, and Monitors},
pages = {244-258},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/bgl-setop10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/bgl-setop10.pdf},
doi = {10.1007/978-3-642-19348-4_18},
abstract = {Virtualized systems such as Xen, VirtualBox, VMWare or QEmu have
been proposed to increase the level of security achievable on personal
computers. On the other hand, such virtualized systems are now targets for
attacks. We propose an intrusion detection architecture for virtualized
systems, and discuss some of the security issues that arise. We argue that
a weak spot of such systems is domain zero administration, which is left
entirely under the administrator's responsibility, and is in particular
vulnerable to trojans. To~avert some of the risks, we~propose to install a
role-based access control model with possible role delegation, and to
describe all undesired activity flows through simple temporal formulas. We
show how the latter are compiled into Orchids rules, via a fragment of
linear temporal logic, through a generalization of the so-called history
variable mechanism.}
}

@phdthesis{carre-phd2010,
author = {Carr{\'e}, Jean-Loup},
title = {Analyse statique de programmes multi-thread pour l'embarqu{\'e}},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\e}se de doctorat},
year = 2010,
month = jul,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/carre-these10.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/carre-these10.pdf}
}

@article{KMT-jar10,
publisher = {Springer},
journal = {Journal of Automated Reasoning},
author = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
title = {Reducing Equational Theories for the Decision of Static
Equivalence},
year = 2012,
month = feb,
pages = {197-217},
number = 2,
volume = 48,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/KMT-jar10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KMT-jar10.pdf},
doi = {10.1007/s10817-010-9203-0},
abstract = {Static equivalence is a well established notion of
indistinguishability of sequences of terms which is useful in the symbolic
analysis of cryptographic protocols. Static equivalence modulo equational
theories allows for a more accurate representation of cryptographic
primitives by modelling properties of operators by equational axioms. We
develop a method that allows us in some cases to simplify the task of
deciding static equivalence in a multi-sorted setting, by removing a
symbol from the term signature and reducing the problem to several simpler
equational theories. We illustrate our technique at hand of bilinear
pairings.}
}

@article{CDK-jar10,
publisher = {Springer},
journal = {Journal of Automated Reasoning},
author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune, St{\'e}phanie
and Kremer, Steve},
title = {Computing knowledge in security protocols under convergent
equational theories},
year = 2012,
month = feb,
pages = {219-262},
number = 2,
volume = 48,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-jar10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-jar10.pdf},
doi = {10.1007/s10817-010-9197-7},
abstract = {The analysis of security protocols requires reasoning about the
knowledge an attacker acquires by eavesdropping on network traffic. In
formal approaches, the messages exchanged over the network are modeled by
a term algebra equipped with an equational theory axiomatizing the
properties of the cryptographic primitives (e.g. encryption, signature).
In this context, two classical notions of knowledge, deducibility and
indistinguishability, yield corresponding decision problems.\par
We propose a procedure for both problems under arbitrary convergent
equational theories. Since the underlying problems are undecidable we
cannot guarantee termination. Nevertheless, our procedure terminates on a
wide range of equational theories. In particular, we obtain a new
decidability result for a theory we encountered when studying electronic
voting protocols. We also provide a prototype implementation.}
}

@inproceedings{BCFS-ccs10,
month = oct,
year = 2010,
publisher = {ACM Press},
acronym = {{CCS}'10},
booktitle = {{P}roceedings of the 17th {ACM} {C}onference
on {C}omputer and {C}ommunications {S}ecurity
({CCS}'10)},
author = {Bortolozzo, Matteo and Centenaro, Matteo and Focardi,
Riccardo and Steel, Graham},
title = {Attacking and Fixing {PKCS}\#11 Security Tokens},
pages = {260-269},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCFS-ccs10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCFS-ccs10.pdf},
doi = {10.1145/1866307.1866337},
abstract = {We show how to extract sensitive cryptographic keys from a
variety of commercially available tamper resistant cryptographic security
tokens, exploiting vulnerabilities in their RSA PKCS\#11 based APIs. The
attacks are performed by Tookan, an automated tool we have developed,
which reverse-engineers the particular token in use to deduce its
functionality, constructs a model of its API for a model checker, and then
executes any attack trace found by the model checker directly on the
token. We describe the operation of Tookan and give results of testing the
tool on 17 commercially available tokens: 9~were vulnerable to attack,
while the other 8 had severely restricted functionality. One of the
attacks found by the model checker has not previously appeared in the
literature. We show how Tookan may be used to verify patches to insecure
devices, and give a secure configuration that we have implemented in a
patch to a software token simulator. This is the first such configuration
to appear in the literature that does not require any new cryptographic
mechanisms to be added to the standard. We comment on lessons for future
key management APIs.}
}

@article{CKW-jar2010,
publisher = {Springer},
journal = {Journal of Automated Reasoning},
author = {Cortier, V{\'e}ronique and Kremer, Steve and  Warinschi, Bogdan},
title = {A~Survey of Symbolic Methods in Computational Analysis of
Cryptographic Systems},
year = 2010,
month = apr,
pages = {225-259},
number = {3-4},
volume = {46},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CKW-jar10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CKW-jar10.pdf},
doi = {10.1007/s10817-010-9187-9},
abstract = {Since the 1980s, two approaches have been developed for
analyzing security protocols. One of the approaches relies on a
computational model that considers issues of complexity and probability.
This approach captures a strong notion of security, guaranteed against all
probabilistic polynomial-time attacks. The other approach relies on a
symbolic model of protocol executions in which cryptographic primitives
are treated as black boxes. Since the seminal work of Dolev and Yao, it
has been realized that this latter approach enables significantly simpler
and often automated proofs. However, the guarantees that it offers with
respect to the more detailed computational models have been quite
unclear.\par
For more than twenty years the two approaches have coexisted but evolved
mostly independently. Recently, significant research efforts attempt to
develop paradigms for cryptographic systems analysis that combine the
best of both worlds. There are two broad directions that have been
followed. Computational soundness aims to establish sufficient conditions
under which results obtained using symbolic models imply security under
computational models. The direct approach aims to apply the principles and
the techniques developed in the context of symbolic models directly to
computational ones.\par
In this paper we survey existing results along both of these directions.
Our goal is to provide a rather complete summary that could act as a quick
reference for researchers who want to contribute to the field, want to
make use of existing results, or just want to get a better picture of what
}
}

@inproceedings{KRS-esorics10,
month = sep,
year = 2010,
volume = {6345},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Gritzalis, Dimitris and Preneel, Bart},
acronym = {{ESORICS}'10},
booktitle = {{P}roceedings of the 15th {E}uropean {S}ymposium on
{R}esearch in {C}omputer {S}ecurity ({ESORICS}'10)},
author = {Kremer, Steve and Ryan, Mark D. and  Smyth, Ben},
title = {Election verifiability in electronic voting protocols},
pages = {389-404},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/KRS-esorics10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KRS-esorics10.pdf},
doi = {10.1007/978-3-642-15497-3_24},
abstract = {We present a formal, symbolic definition of election
verifiability for electronic voting protocols in the context of the
applied pi calculus. Our definition is given in terms of boolean tests
which can be performed on the data produced by an election. The definition
distinguishes three aspects of verifiability: individual, universal and
eligibility verifiability. It also allows us to determine precisely which
aspects of the system's hardware and software must be trusted for the
purpose of election verifiability. In contrast with earlier work our
definition is compatible with a large class of electronic voting schemes,
including those based on blind signatures, homomorphic encryption and
mixnets. We demonstrate the applicability of our formalism by analysing
three protocols: FOO, Helios~2.0, and Civitas (the latter two have been
deployed).}
}

@inproceedings{DDS-esorics10,
month = sep,
year = 2010,
volume = {6345},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Gritzalis, Dimitris and Preneel, Bart},
acronym = {{ESORICS}'10},
booktitle = {{P}roceedings of the 15th {E}uropean {S}ymposium on
{R}esearch in {C}omputer {S}ecurity ({ESORICS}'10)},
author = {Dahl, Morten and Delaune, St{\'e}phanie and Steel, Graham},
title = {Formal Analysis of Privacy for Vehicular Mix-Zones},
pages = {55-70},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-esorics10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-esorics10.pdf},
ps = {DDS-esorics10.ps},
doi = {10.1007/978-3-642-15497-3_4},
abstract = {Safety critical applications for recently proposed vehicle to
vehicle ad-hoc networks~(VANETs) rely on a beacon signal, which poses a
threat to privacy since it could allow a vehicle to be tracked. Mix-zones,
where vehicles encrypt their transmissions and then change their
identifiers, have been proposed as a solution to this problem. \par
In this work, we~describe a formal analysis of mix-zones. We~model a
mix-zone and propose a formal definition of privacy for such a zone.
We~give a set of necessary conditions for any mix-zone protocol to preserve
privacy. We~analyse, using the tool ProVerif, a~particular proposal for key
distribution in mix-zones, the CMIX protocol. We~report attacks on privacy
and we propose a fix.}
}

@inproceedings{DDS-fcsprivmod10,
month = jul,
year = 2010,
editor = {Cortier, V{\'e}ronique and Ryan, Mark D. and
Shmatikov, Vitaly},
acronym = {{FCS-PrivMod}'10},
booktitle = {{P}roceedings of the {W}orkshop on {F}oundations of {S}ecurity
and {P}rivacy ({FCS-PrivMod}'10)},
author = {Dahl, Morten and Delaune, St{\'e}phanie and Steel, Graham},
title = {Formal Analysis of Privacy for Vehicular Mix-Zones},
pages = {55-70},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-10.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-10.pdf},
ps = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/rr-lsv-2010-10.ps},
doi = {10.1007/978-3-642-15497-3_4},
abstract = {Safety critical applications for recently proposed vehicle to
vehicle ad-hoc networks (VANETs) rely on a beacon signal, which poses a
threat to privacy since it could allow a vehicle to be tracked. Mix-zones,
where vehicles encrypt their transmissions and then change their
identifiers, have been proposed as a solution to this problem.\par
In this work, we describe a formal analysis of mix-zones. We model a
mix-zone and propose a formal definition of privacy for such a zone. We
give a set of necessary conditions for any mix-zone protocol to preserve
privacy. We analyse, using the tool ProVerif, a particular proposal for
key distribution in mix-zones, the CMIX protocol. We report attacks on
privacy and we propose a fix.}
}

@incollection{DKR-lncs6000,
month = may,
year = 2010,
volume = 6000,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
noacronym = {},
booktitle = {{T}owards {T}rustworthy {E}lections -- {N}ew {D}irections in
{E}lectronic {V}oting},
editor = {Chaum, David and Jakobsson, Markus and Rivest, Ronald L. and
Ryan, Peter Y. A. and Benaloh, Josh and Kuty{\l}owski, Miros{\l}aw},
author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
title = {Verifying Privacy-Type Properties of Electronic Voting
Protocols: A~Taster},
pages = {289-309},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKR-lncs6000.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKR-lncs6000.pdf},
doi = {10.1007/978-3-642-12980-3_18},
abstract = {While electronic elections promise the possibility of
convenient, efficient and secure facilities for recording and tallying
formal methods to the validation of electronic voting protocols.\par
In this paper we report on some of our recent efforts in using the applied
pi calculus to model and analyse properties of electronic elections. We
particularly focus on anonymity properties, namely vote-privacy and
receipt-freeness. These properties are expressed using observational
equivalence and we show in accordance with intuition that receipt-freeness
implies vote-privacy.\par
We illustrate our definitions on two electronic voting protocols from the
literature. Ideally, these properties should hold even if the election
officials are corrupt. However, protocols that were designed to satisfy
privacy or receipt-freeness may not do so in the presence of corrupt
officials. Our model and definitions allow us to specify and easily change
which authorities are supposed to be trustworthy.}
}

@inproceedings{CCD-ijcar10,
month = jul,
year = 2010,
volume = {6173},
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer-Verlag},
editor = {Giesl, J{\"u}rgen and H{\"a}hnle, Reiner},
acronym = {{IJCAR}'10},
booktitle = {{P}roceedings of the 5th {I}nternational {J}oint
{C}onference on {A}utomated {R}easoning
({IJCAR}'10)},
author = {Cheval, Vincent and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
title = {Automating security analysis: symbolic equivalence of
constraint systems},
pages = {412-426},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ijcar10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ijcar10.pdf},
doi = {10.1007/978-3-642-14203-1_35},
abstract = {We consider security properties of cryptographic protocols, that
are either trace properties (such as confidentiality or authenticity) or
equivalence properties (such as anonymity or strong secrecy).\par
Infinite sets of possible traces are symbolically represented using
\emph{deducibility constraints}. We give a new algorithm that decides the
trace equivalence for the traces that are represented using such
constraints, in the case of signatures, symmetric and asymmetric
encryptions. Our algorithm is implemented and performs well on typical
benchmarks. This is the first implemented algorithm, deciding symbolic
trace equivalence.}
}

@inproceedings{JGL-icalp10,
month = jul,
year = 2010,
volume = 6199,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Abramsky, Samson and Meyer{ }auf{ }der{ }Heide, Friedhelm
and Spirakis, Paul},
acronym = {{ICALP}'10},
booktitle = {{P}roceedings of the 37th {I}nternational
{C}olloquium on {A}utomata, {L}anguages and
{P}rogramming ({ICALP}'10)~-- {P}art~{II}},
author = {Goubault{-}Larrecq, Jean},
title = {Noetherian Spaces in Verification},
pages = {2-21},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-icalp10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-icalp10.pdf},
doi = {10.1007/978-3-642-14162-1_2},
abstract = {Noetherian spaces are a topological concept that generalizes
well quasiorderings. We explore applications to infinite-state
verification problems, and show how this stimulated the search for
infinite procedures \a la Karp-Miller.}
}

@inproceedings{CC-csf10,
month = jul,
year = 2010,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'10},
booktitle = {{P}roceedings of the
23rd {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'10)},
author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Cortier, V{\'e}ronique},
title = {Protocol composition for arbitrary primitives},
pages = {322-336},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-09.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-09.pdf},
doi = {10.1109/CSF.2010.29},
abstract = {We study the composition of security protocols when protocols
share secrets such as keys. We show (in a Dolev-Yao model)
that if two protocols use disjoint cryptographic primitives,
their composition is secure if the individual protocols are
secure, even if they share data. Our result holds for any
cryptographic primitives that can be modeled using
equational theories, such as encryption, signature, MAC,
exclusive-or, and Diffie-Hellman. Our main result transforms
any attack trace of the combined protocol into an attack
trace of one of the individual protocols. This allows
various ways of combining protocols such as sequentially or
in parallel, possibly with inner replications. As an
application, we show that a protocol using preestablished
keys may use any (secure) key-exchange protocol without
jeopardizing its security, provided that they do not use the
same primitives. This allows us, for example, to securely
compose a Diffie-Hellman key exchange protocol with any
other protocol using the exchanged key, provided that the
second protocol does not use the Diffie-Hellman primitives.
We also explore tagging, which is a way of forcing the
disjointness of two protocols that share cryptographic
primitives. We explain why composing protocols which use
tagged cryptographic primitives like encryption and hash
functions is secure by reducing this problem to the previous
one.}
}

@inproceedings{ACD-csf10,
month = jul,
year = 2010,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'10},
booktitle = {{P}roceedings of the
23rd {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'10)},
author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {Modeling and Verifying Ad Hoc Routing Protocols},
pages = {59-74},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf10.pdf},
doi = {10.1109/CSF.2010.12},
abstract = {Mobile ad hoc networks consist of mobile wireless devices which
autonomously organize their infrastructure. In such networks, a central
issue, ensured by routing protocols, is to find a route from one device to
another. Those protocols use cryptographic mechanisms in order to prevent
malicious nodes from compromising the discovered route.\par
Our contribution is twofold. We first propose a calculus for modeling and
reasoning about security protocols, including in particular secured
routing protocols. Our calculus extends standard symbolic models to take
into account the characteristics of routing protocols and to model
wireless communication in a more accurate way. Our second main
contribution is a decision procedure for analyzing routing protocols for
any network topology. By using constraint solving techniques, we show that
it is possible to automatically discover (in NPTIME) whether there exists
a network topology that would allow malicious nodes to mount an attack
against the protocol, for a bounded number of sessions. We also provide a
decision procedure for detecting attacks in case the network topology is
given a priori. We demonstrate the usage and usefulness of our approach by
analyzing the protocol \textsf{SRP} applied to~\textsf{DSR}.}
}

@inproceedings{JGL-lics10,
month = jul,
year = 2010,
publisher = {{IEEE} Computer Society Press},
acronym = {{LICS}'10},
booktitle = {{P}roceedings of the 25th
{A}nnual {IEEE} {S}ymposium on
{L}ogic in {C}omputer {S}cience
({LICS}'10)},
author = {Goubault{-}Larrecq, Jean},
title = {{{$$\omega$$}}{\textbf{\MakeUppercase{QRB}}}-Domains and the
Probabilistic Powerdomain},
pages = {352-361},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lics10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lics10.pdf},
doi = {10.1109/LICS.2010.50},
abstract = {Is there any cartesian-closed category of continuous domains
that would be closed under Jones and Plotkin's probabilistic powerdomain
construction? This is a major open problem in the area of denotational
semantics of probabilistic higher-order languages. We relax the question,
and look for quasi-continuous dcpos instead. We introduce a natural class
of such quasi-continuous dcpos, the $$\omega\textbf{QRB}$$-domains. We
show that they form a category $$\omega\textbf{QRB}$$ with pleasing
properties: $$\omega\textbf{QRB}$$ is closed under the probabilistic
powerdomain functor, has all finite products, all bilimits, and is stable
under retracts, and even under so-called quasiretracts. But...
$$\omega\textbf{QRB}$$ is not cartesian closed.}
}

@inproceedings{SRKK-arspawits10,
month = oct,
year = 2010,
volume = 6186,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Armando, Alessandro and Lowe, Gavin},
acronym = {{ARSPA-WITS}'10},
booktitle = {{P}roceedings of the {J}oint {W}orkshop
on {A}utomated {R}easoning for {S}ecurity {P}rotocol {A}nalysis and
{I}ssues in the {T}heory of {S}ecurity ({ARSPA-WITS}'10)},
author = {Smyth, Ben and Ryan, Mark D. and Kremer, Steve and
Kourjieh, Mounira},
title = {Towards automatic analysis of election verifiability properties},
pages = {146-163},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/SRKK-arspawits10.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/SRKK-arspawits10.pdf},
doi = {10.1007/978-3-642-16074-5_11},
abstract = {We present a symbolic definition that captures some
cases of election verifiability for electronic voting protocols. Our
definition is given in terms of reachability assertions in the applied pi
calculus and is amenable to automated reasoning using the software tool
ProVerif. The definition distinguishes three aspects of verifiability,
which we call individual, universal, and eligibility verifiability. We
demonstrate the applicability of our formalism by analysing the protocols
due to Fujioka, Okamoto~\& Ohta and a variant of the one by Juels,
Catalano~\& Jakobsson (implemented as Civitas by Clarkson, Chong~\& Myers).}
}

@misc{avote-D21,
nocontributor = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune,
St{\'e}phanie and Kremer, Steve},
author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Cortier, V{\'e}ronique},
title = {Algorithmes pour l'{\'e}quivalence statique},
year = 2009,
month = sep,
type = {Contract Report},
howpublished = {Deliverable AVOTE~2.1 (ANR-07-SESU-002)},
note = {17~pages},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/avote-d21.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/avote-d21.pdf}
}

@misc{JGL-tacl11,
author = {Goubault{-}Larrecq, Jean},
title = {A Few Pearls in the Theory of Quasi-Metric Spaces},
year = {2011},
month = jul,
howpublished = {Invited talk, Fifth International Conference on Topology,
Algebra, and Categories in Logic (TACL'11), Marseilles,
France, July~2011}
}

@article{FG-lmcs12,
journal = {Logical Methods in Computer Science},
author = {Finkel, Alain and Goubault{-}Larrecq, Jean},
title = {Forward Analysis for {WSTS}, Part~{II}: Complete {WSTS}},
year = 2012,
month = sep,
volume = 8,
number = {3:28},
nopages = {},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/FG-lmcs12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/FG-lmcs12.pdf},
doi = {10.2168/LMCS-8(3:28)2012},
abstract = {We describe a simple, conceptual forward analysis procedure for
$$\infty$$-complete WSTS~$$\mathfrak{S}$$. This computes the so-called
\emph{clover} of a state. When $$\mathfrak{S}$$ is the completion of a
WSTS~$$\mathfrak{X}$$, the clover in~$$\mathfrak{S}$$ is a finite
description of the downward closure of the reachability set. We show
that such completions are $$\infty$$-complete exactly when
$$\mathfrak{X}$$ is an $$\omega^2$$-WSTS, a~new robust class of WSTS.
We show that our procedure terminates in more cases than the
generalized Karp-Miller procedure on extensions of Petri nets and on
lossy channel systems. We characterize the WSTS where our procedure
terminates as those that are \emph{clover-flattable}. Finally, we
apply this to well-structured counter systems.}
}

@article{JGL-lmcs12,
journal = {Logical Methods in Computer Science},
author = {Goubault{-}Larrecq, Jean},
title = {{QRB}-Domains and the Probabilistic Powerdomain},
year = 2012,
volume = 8,
number = {1:14},
nopages = {},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lmcs12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lmcs12.pdf},
doi = {10.2168/LMCS-8(1:14)2012},
abstract = {Is there any Cartesian-closed category of continuous
domains that would be closed under Jones and Plotkin's
probabilistic powerdomain construction?  This is a major open
problem in the area of denotational semantics of probabilistic
higher-order languages.  We relax the question, and look for
quasi-continuous dcpos instead.  We introduce a natural class of such
quasi-continuous dcpos, the
omega-QRB-domains.  We show that they form a category omega-QRB
with pleasing properties: omega-QRB is closed under the
probabilistic powerdomain functor, under finite products, under
taking bilimits of expanding sequences, under retracts, and
even under so-called quasi-retracts.  But... omega-QRB is
not Cartesian closed.  We conclude by showing that the QRB
domains are just one half of an FS-domain, merely lacking
control.}
}

@article{BGGLP-comp11,
publisher = {Springer},
journal = {Computing},
author = {Bouissou, Olivier and Goubault, {\'E}ric and
Goubault{-}Larrecq, Jean and Putot, Sylvie},
title = {A Generalization of {P}-boxes to Affine Arithmetic, and Applications to
Static Analysis of Programs},
year = 2012,
month = mar,
volume = 94,
number = {2-4},
pages = {189-201},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BGGLP-comp11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BGGLP-comp11.pdf},
doi = {10.1007/s00607-011-0182-8},
abstract = {We often need to deal with information that contains
both interval and probabilistic uncertainties. P-boxes and
Dempster-Shafer structures are models that unify both kinds of
information, but they suffer from the main defect of intervals,
the wrapping effect. We present here a new arithmetic that
mixes, in a  guaranteed manner, interval uncertainty with
probabilities, while using some information about variable
dependencies, hence limiting the loss from not accounting for
correlations.  This increases the precision of the result and
decreases the computation time compared to standard p-box
arithmetic.}
}

@inproceedings{BC-post12,
month = mar,
year = 2012,
volume = {7215},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Degano, Pierpaolo and Guttman, Joshua D.},
acronym = {{POST}'12},
booktitle = {{P}roceedings of the 1st {I}nternational {C}onference on
{P}rinciples of {S}ecurity and {T}rust
({POST}'12)},
author = {Bana, Gergei and Comon{-}Lundh, Hubert},
title = {Towards Unconditional Soundness: Computationally Complete Symbolic Attacker},
pages = {189-208},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-post12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-post12.pdf},
doi = {10.1007/978-3-642-28641-4_11},
abstract = {We consider the question of the adequacy of symbolic models
versus computational models for the verification of security protocols. We
neither try to include properties in the symbolic model that reflect the
properties of the computational primitives nor add computational
requirements that enforce the soundness of the symbolic model. We propose
in this paper a different approach: everything is possible in the symbolic
model, unless it contradicts a computational assumption. In this way, we
obtain unconditional soundness almost by construction. And we do not need
to assume the absence of dynamic corruption or the absence of key-cycles,
which are examples of hypotheses that are always used in related works. We
set the basic framework, for arbitrary cryptographic primitives and
arbitrary protocols, however for trace security properties only.}
}

@inproceedings{CCS-post12,
month = mar,
year = 2012,
volume = {7215},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Degano, Pierpaolo and Guttman, Joshua D.},
acronym = {{POST}'12},
booktitle = {{P}roceedings of the 1st {I}nternational {C}onference on
{P}rinciples of {S}ecurity and {T}rust
({POST}'12)},
author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique and Scerri, Guillaume},
title = {Security proof with dishonest keys},
pages = {149-168},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCS-post12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCS-post12.pdf},
doi = {10.1007/978-3-642-28641-4_9},
abstract = {Symbolic and computational models are the two families of models
for rigorously analysing security protocols. Symbolic models are abstract
but offer a high level of automation while computational models are more
precise but security proofs can be tedious. Since the seminal work of Abadi
and Rogaway, a new direction of research aims at reconciling the two views
and many soundness results establish that symbolic models are actually
sound w.r.t. computational models.\par
This is however not true for the prominent case of encryption. Indeed, all
existing soundness results assume that the adversary only uses honestly
generated keys. While this assumption is acceptable in the case of
asymmetric encryption, it is clearly unrealistic for symmetric encryption.
In this paper, we provide several examples of attacks that do not
show up in the classical Dolev-Yao model, and that do not break the
IND-CPA nor INT-CTXT properties of the encryption scheme.\par
Our main contribution is to show the first soundness result for symmetric
encryption and arbitrary adversaries. We consider arbitrary
indistinguishability properties and an unbounded number of sessions. This
result relies on an extension of the symbolic model, while keeping
standard security assumptions: IND-CPA and INT-CTXT for the encryption
scheme.}
}

@inproceedings{CDD-post12,
month = mar,
year = 2012,
volume = {7215},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Degano, Pierpaolo and Guttman, Joshua D.},
acronym = {{POST}'12},
booktitle = {{P}roceedings of the 1st {I}nternational {C}onference on
{P}rinciples of {S}ecurity and {T}rust
({POST}'12)},
author = {Cortier, V{\'e}ronique and Degrieck, Jan and Delaune, St{\'e}phanie},
title = {Analysing routing protocols: four nodes topologies are sufficient},
pages = {30-50},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post12.pdf},
doi = {10.1007/978-3-642-28641-4_3},
abstract = {Routing protocols aim at establishing a route between nodes on a
network. Secured versions of routing protocols have been proposed in order
to provide more guarantees on the resulting routes. Formal methods have
proved their usefulness when analysing standard security protocols such as
confidentiality or authentication protocols. However, existing results and
tools do not apply to routing protocols. This is due in particular to the
fact that all possible topologies (infinitely many) have to be considered.\par
In this paper, we propose a simple reduction result: when looking for
attacks on properties such as the validity of the route, it is sufficient
to consider topologies with only four nodes, resulting in a number of just
five distinct topologies to consider. As an application, we analyse the
SRP applied to DSR and the SDMSR protocols using the ProVerif tool.}
}

@techreport{LSV-11-24,
author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {Modeling and Verifying Ad~Hoc Routing Protocols},
institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
year = {2011},
month = dec,
type = {Research Report},
number = {LSV-11-24},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2011-24.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2011-24.pdf},
versions = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2011-24-v1.pdf, 20111220},
note = {66~pages},
abstract = {Mobile ad hoc networks consist of mobile wireless devices which
autonomously organize their infrastructure. In such networks, a central
issue, ensured by routing protocols, is to find a route from one device to
another. Those protocols use cryptographic mechanisms in order to prevent
malicious nodes from compromising the discovered route.\par
Our contribution is twofold. We first propose a calculus for modeling and
reasoning about security protocols, including in particular secured
routing protocols. Our calculus extends standard symbolic models to take
into account the characteristics of routing protocols and to model
wireless communication in a more accurate way. Our second main
contribution is a decision procedure for analyzing routing protocols for
any network topology. By using constraint solving techniques, we show that
it is possible to automatically discover (in~NPTIME) whether there exists
a network topology that would allow malicious nodes to mount an attack
against the protocol, for a bounded number of sessions. We also provide a
decision procedure for detecting attacks in case the network topology is
given a priori. We demonstrate the usage and usefulness of our approach by
analyzing protocols of the literature, such as SRP applied to DSR and
SDMSR.}
}

@inproceedings{CMV-tacas12,
month = mar,
year = 2012,
volume = {7214},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Flanagan, Cormac and K{\"o}nig, Barbara},
acronym = {{TACAS}'12},
booktitle = {{P}roceedings of the 18th {I}nternational
{C}onference on {T}ools and {A}lgorithms for
{C}onstruction and {A}nalysis of {S}ystems
({TACAS}'12)},
title = {Reachability under Contextual Locking},
pages = {437-450},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CMV-tacas12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CMV-tacas12.pdf},
doi = {10.1007/978-3-642-28756-5_30},
abstract = {The pairwise reachability problem for a multi-threaded program
simultaneously reached in an execution of the program. The problem is
important for static analysis and is used to detect statements that are
concurrently enabled. This problem is in general undecidable even when
data is abstracted and when the threads (with recursion) synchronize only
using a finite set of locks. Popular programming paradigms that limit the
lock usage patterns have been identified under which the pairwise
reachability problem becomes decidable. In this paper, we consider a new
natural programming paradigm, called contextual locking, which ties the
lock usage to calling patterns in each thread: we assume that locks are
released in the same context that they were acquired and that every lock
acquired by a thread in a procedure call is released before the procedure
returns. Our main result is that the pairwise reachability problem is
polynomial-time decidable for this new programming paradigm as well.}
}

@phdthesis{arnaud-phd2011,
author = {Arnaud, Mathilde},
title = {Formal verification of secured routing protocols},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\e}se de doctorat},
year = 2011,
month = dec,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/arnaud-these11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/arnaud-these11.pdf}
}

@phdthesis{ciobaca-phd2011,
author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan},
title = {Automated Verification of Security Protocols
with Applications to Electronic Voting},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\e}se de doctorat},
year = 2011,
month = dec,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/ciobaca-these11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ciobaca-these11.pdf}
}

@article{BCJST-ijis11,
publisher = {Springer},
journal = {International Journal of Information Security},
author = {Backes, Michael and Cervesato, Iliano and Jaggard, Aaron and
Scedrov, Andre and Tsay, Joe-Kai},
title = {Cryptographically sound security proofs for basic and public-key
{K}erberos},
pages = {107-134},
volume = {10},
number = {2},
year = {2011},
month = jun,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCJST-ijis11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCJST-ijis11.pdf},
doi = {10.1007/s10207-011-0125-6}
}

@inproceedings{ILV-imacc11,
month = dec,
year = 2011,
volume = {7089},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Chen, Liqun},
acronym = {{IMACC}'11},
booktitle = {{P}roceedings of the 13th {IMA} {I}nternational {C}onference
on {C}ryptography and {C}oding
({IMACC}'11)},
author = {Izabach{\e}ne, Malika and Libert, Beno{\^\i}t and
Vergnaud, Damien},
title = {Block-wise {P}-Signatures and Non-Interactive Anonymous
Credentials with Efficient Attributes},
pages = {431-450},
doi = {10.1007/978-3-642-25516-8_26},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/ILV-imacc11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ILV-imacc11.pdf},
abstract = {Anonymous credentials are protocols in which users obtain
certificates from organizations and subsequently demonstrate their
possession in such a way that transactions carried out by the same user
cannot be linked. We present an anonymous credential scheme with
non-interactive proofs of credential possession where credentials are
associated with a number of attributes. Following recent results of
Camenisch and Gro\ss{} (CCS~2008), the proof simultaneously convinces the
verifier that certified attributes satisfy a certain predicate. Our
construction relies on a new kind of P-signature, termed \emph{block-wise
P-signature}, that allows a user to obtain a signature on a committed
vector of messages and makes it possible to generate a short witness that
serves as a proof that the signed vector satisfies the predicate.
A~non-interactive anonymous credential is obtained by combining our
\emph{block-wise} P-signature scheme with the Groth-Sahai proof system. It
allows efficiently proving possession of a credential while simultaneously
demonstrating that underlying attributes satisfy a predicate corresponding
to the evaluation of inner products (and therefore disjunctions or
polynomial evaluations). The security of our scheme is proved in the
standard model under non-interactive assumptions.}
}

@book{LPS-book11,
author = {Luccio, Fabrizio and Pagli, Linda and Steel, Graham},
title = {Mathematical and Algorithmic Foundations of the Internet},
publisher = {CRC Press},
year = 2011,
month = jul,
url = {https://www.crcpress.com/9781439831380}
}

@incollection{steel-crypt2011,
author = {Steel, Graham},
title = {Formal Analysis of Security~{API}s},
booktitle = {Encyclopedia of Cryptography and Security},
edition = {2nd},
editor = {van Tilborg, Henk C. A. and Jajodia, Sushil},
year = {2011},
pages = {492--494},
publisher = {Springer},
doi = {10.1007/978-1-4419-5906-5_873}
}

@article{CSV-lmcs11,
internal-note = {required author field is missing from this entry; complete it before citing},
journal = {Logical Methods in Computer Science},
title = {Power of Randomization in Automata on Infinite Strings},
year = {2011},
month = sep,
volume = {7},
number = {3:22},
nopages = {},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-lmcs11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-lmcs11.pdf},
doi = {10.2168/LMCS-7(3:22)2011},
abstract = {Probabilistic B{\"u}chi Automata~(PBA) are randomized,
finite state automata that process input strings of
infinite length. Based on the threshold chosen for
the acceptance probability, different classes of
languages can be defined. In this paper, we present
a number of results that clarify the power of such
machines and properties of the languages they
define. The broad themes we focus on are as
follows. We present results on the decidability and
precise complexity of the emptiness, universality
and language containment problems for such machines,
thus answering questions central to the use of these
models in formal verification. Next, we characterize
the languages recognized by PBAs topologically,
demonstrating that though general PBAs can recognize
languages that are not regular, topologically the
languages are as simple as $$\omega$$-regular
languages. Finally, we introduce Hierarchical PBAs,
which are syntactically restricted forms of PBAs
that are tractable and capture exactly the class of
$$\omega$$-regular languages.}
}

@mastersthesis{pasaila-master,
author = {Pasail{\u{a}}, Daniel},
title = {Verifying equivalence properties of security protocols},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2011},
month = sep,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/dp11-m2.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/dp11-m2.pdf}
}

@mastersthesis{degriek-master,
author = {Degrieck, Jan},
title = {R{\'e}duction de graphes pour l'analyse de protocoles de routage
s{\'e}curis{\'e}s},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2011},
month = sep,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/jd11-m2.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/jd11-m2.pdf}
}

@inproceedings{CDK-fsttcs11,
month = dec,
year = 2011,
volume = 13,
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Chakraborty, Supratik and Kumar, Amit},
acronym = {{FSTTCS}'11},
booktitle = {{P}roceedings of the 31st {C}onference on
{F}oundations of {S}oftware {T}echnology and
{T}heoretical {C}omputer {S}cience
({FSTTCS}'11)},
author = {Chevalier, C{\'e}line and Delaune, St{\'e}phanie and Kremer, Steve},
title = {Transforming Password Protocols to Compose},
pages = {204--216},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-fsttcs11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-fsttcs11.pdf},
doi = {10.4230/LIPIcs.FSTTCS.2011.204},
abstract = {Formal, symbolic techniques are extremely useful for modelling
and analysing security protocols. They improved our understanding of
security protocols, allowed to discover flaws, and also provide support for
protocol design. However, such analyses usually consider that the protocol
is executed in isolation or assume a bounded number of protocol sessions.
Hence, no security guarantee is provided when the protocol is executed in a
more complex environment.\par
In this paper, we study whether password protocols can be safely composed,
even when a same password is reused. More precisely, we present a
transformation which maps a password protocol that is secure for a single
protocol session (a~decidable problem) to a protocol that is secure for an
unbounded number of sessions. Our result provides an effective strategy to
design secure password protocols: (i)~design a protocol intended to be
secure for one protocol session; (ii)~apply our transformation and obtain a
protocol which is secure for an unbounded number of sessions. Our technique
also applies to compose different password protocols allowing us to obtain
both inter-protocol and inter-session composition.}
}

@incollection{FLS-fosad11,
month = sep,
year = 2011,
volume = 6858,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Aldini, Alessandro and Gorrieri, Roberto},
booktitle = {{F}oundations of {S}ecurity {A}nalysis and {D}esign~-- {FOSAD}},
author = {Focardi, Riccardo and Luccio, Flaminia L. and Steel, Graham},
title = {An Introduction to Security {API} Analysis},
pages = {35--65},
doi = {10.1007/978-3-642-23082-0_2},
abstract = {A~security API is an Application Program Interface that allows
untrusted code to access sensitive resources in a secure way. Examples of
security APIs include the interface between the tamper-resistant chip on a
smartcard (trusted) and the card reader (untrusted), the~interface between
a~cryptographic Hardware Security Module, or~HSM (trusted) and the client
machine (untrusted), and the Google maps API (an~interface between a
server, trusted by Google, and the rest of the Internet).}
}

@inproceedings{CCD-ccs11,
month = oct,
year = 2011,
publisher = {ACM Press},
editor = {Chen, Yan and Danezis, George and Shmatikov, Vitaly},
acronym = {{CCS}'11},
booktitle = {{P}roceedings of the 18th {ACM} {C}onference
on {C}omputer and {C}ommunications {S}ecurity
({CCS}'11)},
author = {Cheval, Vincent and Comon{-}Lundh, Hubert and
Delaune, St{\'e}phanie},
title = {Trace Equivalence Decision: Negative Tests and Non-determinism},
pages = {321--330},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ccs11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ccs11.pdf},
doi = {10.1145/2046707.2046744},
abstract = {We consider security properties of cryptographic protocols that
can be modeled using the notion of trace equivalence. The notion of
equivalence is crucial when specifying privacy-type properties, like
In this paper, we give a calculus that is close to the applied pi calculus
and that allows one to capture most existing protocols that rely on
classical cryptographic primitives. First, we propose a symbolic semantics
for our calculus relying on constraint systems to represent infinite sets
of possible traces, and we reduce the decidability of trace equivalence to
deciding a notion of symbolic equivalence between sets of constraint
systems. Second, we develop an algorithm allowing us to decide whether two
sets of constraint systems are in symbolic equivalence or not. Altogether,
this yields the first decidability result of trace equivalence for a
general class of processes that may involve else branches and\slash or private
channels (for a bounded number of sessions).}
}

@inproceedings{SC-unif11,
month = jul,
year = 2011,
acronym = {{UNIF}'11},
booktitle = {{P}roceedings of the 25th {I}nternational
{W}orkshop on {U}nification
({UNIF}'11)},
author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan},
title = {Computing finite variants for subterm convergent rewrite systems},
nopages = {},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-unif11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-unif11.pdf},
abstract = {Driven by an application in the verification of security
protocols, we introduce the strong finite variant property, an extension
of the finite variant property, and we show that subterm convergent
rewrite systems enjoy the strong finite variant property modulo the empty
equational theory.\par
We argue that the strong finite variant property is more natural and more
useful in practice than the finite variant property. We also compare the
two properties and we provide a prototype implementation of an algorithm
that computes a finite strongly complete set of variants for any term t
with respect to a subterm convergent rewrite system.}
}

@inproceedings{CKVAK-qest11,
month = sep,
year = 2011,
publisher = {{IEEE} Computer Society Press},
acronym = {{QEST}'11},
booktitle = {{P}roceedings of the 8th {I}nternational
{C}onference on {Q}uantitative
{E}valuation of {S}ystems
({QEST}'11)},
author = {Chadha, Rohit and Korthikranthi, Vijay and Viswanathan,
Mahesh and Agha, Gul and Kwon, Youngmin},
title = {Model Checking {MDP}s with a Unique Compact Invariant Set of
Distributions},
pages = {121--130},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CKVAK-qest11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CKVAK-qest11.pdf},
doi = {10.1109/QEST.2011.22},
abstract = {The semantics of Markov Decision Processes (MDPs), when viewed
as transformers of probability distributions, can be described as a labeled
transition system over the probability distributions over the states of
the MDP. The MDP can be seen as defining a set of executions, where each
execution is a sequence of probability distributions. Reasoning about
sequences of distributions allows one to express properties not
expressible in logics like PCTL; examples include expressing bounds on
transient rewards and expected values of random variables, as well as
comparing the probability of being in one set of states at a given time
with another set of states. With respect to such a semantics, the problem
of checking that the MDP never reaches a bad distribution is undecidable.
In this paper, we identify a special class of MDPs called
\emph{semi-regular} MDPs that have a unique non-empty, compact, invariant
set of distributions, for which we show that checking any
$$\omega$$-regular property is decidable. Our decidability result also
implies that for semi-regular probabilistic finite automata with isolated
cut-points, the emptiness problem is decidable.}
}

@inproceedings{benzina-iccans11,
month = may,
year = 2011,
noeditor = {},
acronym = {{ICCANS}'11},
booktitle = {{P}roceedings of the {I}nternational {C}onference on {C}omputer {A}pplications
and {N}etwork {S}ecurity ({ICCANS}'11)},
author = {Benzina, Hedi},
title = {Logic in Virtualized Systems},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iccans11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iccans11.pdf},
abstract = {As virtualized systems grow in complexity, they are
increasingly vulnerable to denial-of-service (DoS)
attacks involving resource exhaustion. A malicious
exhausting CPU time or stack space and making the
whole system unavailable. Virtualized systems such
as Xen or VirtualBox have been proposed to increase
the level of security on computers. On the other
hand, such virtualized systems are now targets for
attacks. The weak spot of such systems is domain
zero administration, which is left entirely under
the administrator's responsibility, and is in
particular vulnerable to attacks.  \par
We propose to let
the administrator write and deploy security policies
and rely on RuleGen, a policy compiler, and Orchids'
fast, real-time monitoring engine to raise alerts in
case any policy violation, expressed in a fragment
of linear temporal logic, is detected. This approach
has shown its efficiency against real DoS exploits.
}
}

@incollection{CDM-fmtasp11,
author = {Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie and Millen, Jonathan K.},
title = {Constraint solving techniques and enriching the model with
equational theories},
booktitle = {Formal Models and Techniques for Analyzing Security Protocols},
editor = {Cortier, V{\'e}ronique and Kremer, Steve},
series = {Cryptology and Information Security Series},
volume = 5,
publisher = {{IOS} Press},
nochapter = {},
pages = {35--61},
year = 2011,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDM-fmtasp11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDM-fmtasp11.pdf},
abstract = {Derivability constraints represent in a symbolic way the
infinite set of possible executions of a finite protocol, in presence of
an arbitrary active attacker. Solving a derivability constraint consists
in computing a simplified representation of such executions, which is
amenable to the verification of any (trace) security property. Our goal is
to explain this method on a non-trivial combination of primitives.\par
In this chapter we explain how to model the protocol executions using
derivability constraints, and how such constraints are interpreted,
depending on the cryptographic primitives and the assumed attacker
capabilities. Such capabilities are represented as a deduction system that
has some specific properties. We choose as an example the combination of
exclusive-or, symmetric encryption{\slash}decryption and pairing{\slash}unpairing. We
explain the properties of the deduction system in this case and give a
complete and terminating set of rules that solves derivability
constraints. A similar set of rules has been already published for the
classical Dolev-Yao attacker, but it is a new result for the combination
of primitives that we consider. This allows to decide trace security
properties for this combination of primitives and arbitrary finite
protocols.}
}

@inproceedings{ACD-cade11,
month = jul,
year = 2011,
volume = {6803},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Bj{\o}rner, Nikolaj and Sofronie-Stokkermans, Viorica},
booktitle = {{P}roceedings of the 23rd {I}nternational
{C}onference on {A}utomated {D}eduction},
author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune,
St{\'e}phanie},
title = {Deciding security for protocols with recursive tests},
pages = {49--63},
doi = {10.1007/978-3-642-22438-6_6},
abstract = {Security protocols aim at securing communications over public
networks. Their design is notoriously difficult and error-prone. Formal
methods have shown their usefulness for providing a careful security
analysis in the case of standard authentication and confidentiality
protocols. However, most current techniques do not apply to protocols that
perform recursive computation e.g. on a list of messages received from the
network.\par
While considering general recursive input{\slash}output actions very quickly
yields undecidability, we focus on protocols that perform recursive tests
on received messages but output messages that depend on the inputs in a
standard way. This is in particular the case of secured routing protocols,
distributed right delegation or PKI certification paths. We provide NPTIME
decision procedures for protocols with recursive tests and for a bounded
number of sessions. We also revisit constraint system solving, providing a
complete symbolic representation of the attacker knowledge.}
}

@inproceedings{KSW-csf11,
month = jun,
year = 2011,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'11},
booktitle = {{P}roceedings of the
24th {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'11)},
author = {Kremer, Steve and Steel, Graham and Warinschi, Bogdan},
title = {Security for Key Management Interfaces},
pages = {266--280},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/KSW-csf11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KSW-csf11.pdf},
nolongps = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/
rr-lsv-2011-07.ps},
nolongpsgz = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PSGZ/
rr-lsv-2011-07.ps.gz},
doi = {10.1109/CSF.2011.25},
abstract = {We propose a much-needed formal definition of security
for cryptographic key management APIs. The
advantages of our definition are that it is general,
intuitive, and applicable to security proofs in both
symbolic and computational models of
cryptography. Our definition relies on an idealized
API which allows only the most essential functions
for generating, exporting and importing keys, and
takes into account dynamic corruption of keys.
Based on this we can define the security of more
expressive APIs which support richer
functionality. We illustrate our approach by showing
the security of APIs both in symbolic and
computational models.}
}

@inproceedings{DKRS-csf11,
month = jun,
year = 2011,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'11},
booktitle = {{P}roceedings of the
24th {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'11)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D. and
Steel, Graham},
title = {Formal analysis of protocols based on {TPM} state registers},
pages = {66--82},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-csf11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-csf11.pdf},
doi = {10.1109/CSF.2011.12},
abstract = {We~present a Horn-clause-based framework for analysing security
protocols that use platform configuration registers~(PCRs), which are
registers for maintaining state inside the Trusted Platform Module~(TPM).
In~our model, the~PCR state space is unbounded, and our experience shows
that a na{\"i}ve analysis using ProVerif or SPASS does not terminate. To
address this, we extract a set of instances of the Horn clauses of our
model, for which ProVerif does terminate on our examples. We~prove the
soundness of this extraction process: no~attacks are lost, that~is, any
query derivable in the more general set of clauses is also derivable from
the extracted instances. The~effectiveness of our framework is
demonstrated in two case studies: a~simplified version of Microsoft
Bitlocker, and a digital envelope protocol that allows a user to choose
whether to perform a decryption, or to verifiably renounce the ability to
perform the decryption.}
}

@inproceedings{CLC-stacs11,
month = mar,
year = 2011,
volume = 9,
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {D{\"u}rr, Christoph and Schwentick, {\relax Th}omas},
acronym = {{STACS}'11},
booktitle = {{P}roceedings of the 28th {A}nnual
{S}ymposium on {T}heoretical {A}spects of
{C}omputer {S}cience
({STACS}'11)},
author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique},
title = {How to prove security of communication protocols?
A~discussion on the soundness of formal models w.r.t. computational ones},
pages = {29--44},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CLC-stacs11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CLC-stacs11.pdf},
doi = {10.4230/LIPIcs.STACS.2011.29},
abstract = {Security protocols are short programs that aim at
securing communication over a public network. Their
design is known to be error-prone with flaws found
years later. That is why they deserve a careful
security analysis, with rigorous proofs. Two main
lines of research have been (independently)
developed to analyse the security of protocols. On
the one hand, formal methods provide with symbolic
models and often automatic proofs. On the other
hand, cryptographic models propose a tighter
modeling but proofs are more difficult to write and
to check. An approach developed during the last
decade consists in bridging the two approaches,
showing that symbolic models are sound
w.r.t. symbolic ones, yielding strong security
guarantees using automatic tools. These results have
been developed for several cryptographic primitives
(e.g. symmetric and asymmetric encryption,
signatures, hash) and security properties. While
proving soundness of symbolic models is a very
promising approach, several technical details are
often not satisfactory. Focusing on symmetric
encryption, we describe the difficulties and
limitations of the available results.}
}

@phdthesis{kremer-HDR11,
author = {Kremer, Steve},
title = {Modelling and analyzing security protocols in cryptographic process calculi},
year = 2011,
month = mar,
type = {M{\'e}moire d'habilitation},
school = {{\'E}cole Normale Sup{\'e}rieure de Cachan, France},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SK.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SK.pdf},
noslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/}
}

@phdthesis{steel-HDR11,
author = {Steel, Graham},
title = {Formal Analysis of Security {API}s},
year = 2011,
month = mar,
type = {M{\'e}moire d'habilitation},
school = {{\'E}cole Normale Sup{\'e}rieure de Cachan, France},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-GS.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-GS.pdf},
noslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/}
}

@phdthesis{delaune-HDR11,
author = {Delaune, St{\'e}phanie},
title = {Verification of security protocols: from confidentiality to privacy},
year = 2011,
month = mar,
type = {M{\'e}moire d'habilitation},
school = {{\'E}cole Normale Sup{\'e}rieure de Cachan, France},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SD.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SD.pdf},
abstract = {Security is a very old concern, which until quite recently was
mostly of interest for military purposes. The deployment of electronic
commerce changes this drastically. The security of exchanges is ensured by
cryptographic protocols which are notoriously error prone. The formal
verification of cryptographic protocols is a difficult problem that can be
seen as a particular model-checking problem in a hostile environment.
Many results and tools have been developed to automatically verify
cryptographic protocols.\par
Recently, new types of applications have emerged, in order to face new
technological and societal challenges, e.g. electronic voting protocols,
secure routing protocols for mobile ad hoc networks,~... These
applications involve some features that are not taken into account by the
existing verification tools, e.g. complex cryptographic primitives,
privacy-type security properties,~... This prevents us from modelling
these protocols in an accurate way. Moreover, protocols are often analysed
in isolation, and this is well known not to be sufficient. In this thesis,
we use formal methods to study these aspects concerning the verification
of cryptographic protocols.}
}

@inproceedings{ACGP-rsa11,
address = {San Francisco, California, USA},
month = feb,
year = 2011,
volume = 6558,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Kiayias, Aggelos},
acronym = {{CT-RSA}'11},
booktitle = {{P}roceedings of the {C}ryptographers' {T}rack at the {RSA}
{C}onference 2011 ({CT-RSA}'11)},
author = {Abdalla, Michel and Chevalier, C{\'e}line and Granboulan, Louis and
Pointcheval, David},
title = {Contributory Password-Authenticated Group Key Exchange with
Join Capability},
pages = {142--160},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACGP-rsa11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACGP-rsa11.pdf},
doi = {10.1007/978-3-642-19074-2_11},
abstract = {Password-based authenticated group key exchange allows any group
of users in possession of a low-entropy secret key to establish a common
session key even in the presence of adversaries. In this paper, we propose
a new generic construction of password-authenticated group key exchange
protocol from any two-party password-authenticated key exchange with
explicit authentication. Our new construction has several advantages when
compared to existing solutions. First, our construction only assumes a
common reference string and does not rely on any idealized models. Second,
our scheme enjoys a simple and intuitive security proof in the universally
composable framework and is optimal in the sense that it allows at most
one password test per user instance. Third, our scheme also achieves a
strong notion of security against insiders in that the adversary cannot
bias the distribution of the session key as long as one of the players
involved in the protocol is honest. Finally, we show how to easily extend
our protocol to the dynamic case in a way that the costs of establishing a
common key between two existing groups is significantly smaller than
computing a common key from scratch.}
}

@inproceedings{GLV-lics2011,
month = jun,
year = 2011,
publisher = {{IEEE} Computer Society Press},
acronym = {{LICS}'11},
booktitle = {{P}roceedings of the 26th
{A}nnual {IEEE} {S}ymposium on
{L}ogic in {C}omputer {S}cience
({LICS}'11)},
author = {Goubault{-}Larrecq, Jean and Varacca, Daniele},
title = {Continuous Random Variables},
pages = {97--106},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLV-lics2011.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLV-lics2011.pdf},
corrigendumpdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLV-lics2011-errata.pdf},
doi = {10.1109/LICS.2011.23},
abstract = {We introduce the domain of continuous random variables (CRV)
over a domain, as an alternative to Jones and Plotkin's probabilistic
powerdomain. While no known Cartesian-closed category is stable under the
latter, we show that the so-called thin (uniform) CRVs define a strong
monad on the Cartesian-closed category of bc-domains. We also characterize
their inequational theory, as (fair-)coin algebras. We apply this to solve
a recent problem posed by M. Escard{\'o}: testing is semi-decidable for
EPCF terms. CRVs arose from the study of the second author's (layered)
Hoare indexed valuations, and we also make the connection apparent.}
}

@book{CK-ios2011,
editor = {Cortier, V{\'e}ronique and Kremer, Steve},
title = {Formal Models and Techniques for Analyzing Security Protocols},
publisher = {{IOS} Press},
year = {2011},
series = {Cryptology and Information Security Series},
volume = 5,
}

@inproceedings{DDS-tosca11,
month = jan,
year = 2012,
volume = 6993,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {M{\"o}dersheim, Sebastian A. and Palamidessi, Catuscia},
acronym = {{TOSCA}'11},
booktitle = {{R}evised {S}elected {P}apers of the {W}orkshop on {T}heory of {S}ecurity and
{A}pplications ({TOSCA}'11)},
author = {Dahl, Morten and Delaune, St{\'e}phanie and Steel, Graham},
title = {Formal Analysis of Privacy for Anonymous Location Based Services},
pages = {98--112},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-tosca11.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-tosca11.pdf},
doi = {10.1007/978-3-642-27375-9_6},
abstract = {We propose a framework for formal analysis of privacy in
location based services such as anonymous electronic toll collection. We
give a formal definition of privacy, and apply it to the VPriv scheme for
vehicular services. We analyse the resulting model using the ProVerif
tool, concluding that our privacy property holds only if certain
conditions are met by the implementation. Our analysis includes some novel
features such as the formal modelling of privacy for a protocol that
relies on interactive zero-knowledge proofs of knowledge and list
permutations. }
}

@article{JGL-jyg10,
publisher = {Elsevier Science Publishers},
journal = {Theoretical Computer Science},
author = {Goubault{-}Larrecq, Jean},
title = {Musings Around the Geometry of Interaction, and Coherence},
volume = 412,
number = 20,
pages = {1998--2014},
year = 2011,
month = apr,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/jgl-jyg10.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/jgl-jyg10.pdf},
doi = {10.1016/j.tcs.2010.12.023},
abstract = {We introduce the Danos-R{\'e}gnier category $$\mathcal{DR}(M)$$
of a linear inverse monoid~$$M$$, as~a categorical description of
geometries of interaction~(GOI) inspired from the weight algebra. The
natural setting for GOI is that of a so-called weakly Cantorian linear
inverse monoid, in which case $$\mathcal{DR}(M)$$ is a kind of symmetrized
version of the classical Abramsky-Haghverdi-Scott construction of a weak
linear category from a GOI situation. It is well-known that GOI is
perfectly suited to describe the multiplicative fragment of linear logic,
and indeed $$\mathcal{DR}(M)$$ will be a $$\star$$-autonomous category in
this case. It is also well-known that the categorical interpretation of
the other linear connectives conflicts with GOI interpretations. We make
this precise, and show that $$\mathcal{DR}(M)$$ has no terminal object, no
cartesian product of any two objects, and no exponential---whatever
$$M$$~is, unless $$M$$~is trivial. However, a form of coherence completion
of $$\mathcal{DR}(M)$$ \textit{{\a} la} Hu-Joyal (which for additives
resembles a layered approach \textit{{\a} la} Hughes-van Glabbeek),
provides a model of full classical linear logic, as soon as $$M$$ is
weakly Cantorian. One finally notes that Girard's notion of \emph{coherence} is
pervasive, and instrumental in every aspect of this work.}
}

@inproceedings{CU-fsttcs12,
month = dec,
year = 2012,
volume = 18,
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {D'Souza, Deepak and Radhakrishnan, Jaikumar and Telikepalli, Kavitha},
acronym = {{FSTTCS}'12},
booktitle = {{P}roceedings of the 32nd {C}onference on
{F}oundations of {S}oftware {T}echnology and
{T}heoretical {C}omputer {S}cience
({FSTTCS}'12)},
author = {Chadha, Rohit and Ummels, Michael},
title = {The complexity of quantitative information flow in recursive
programs},
pages = {534--545},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-15.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-15.pdf},
doi = {10.4230/LIPIcs.FSTTCS.2012.534},
abstract = {Information-theoretic measures based upon mutual information can
be employed to quantify the information that an \emph{execution} of a
program reveals about its \emph{secret inputs}. The \emph{information
leakage bounding problem} asks whether the information leaked by a program
does not exceed a certain amount. We consider this problem for two
scenarios: a)~the \emph{outputs} of the program are revealed, and b)~the
\emph{timing} (measured in the number of execution steps) of the program
is revealed. For both scenarios, we establish complexity results in the
context of deterministic boolean programs, both for programs with and
without recursion. In particular, we prove that for recursive programs the
information leakage bounding problem is no harder than checking
reachability.}
}

@inproceedings{CB-post13,
month = mar,
year = 2013,
volume = {7796},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Basin, David and Mitchell, John},
acronym = {{POST}'13},
booktitle = {{P}roceedings of the 2nd {I}nternational {C}onference on
{P}rinciples of {S}ecurity and {T}rust
({POST}'13)},
author = {Cheval, Vincent and Blanchet, Bruno},
title = {Proving More Observational Equivalences with ProVerif},
pages = {226--246},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CB-post13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CB-post13.pdf},
doi = {10.1007/978-3-642-36830-1_12},
abstract = {This paper presents an extension of the automatic protocol
verifier ProVerif in order to prove more observational
equivalences. ProVerif can prove observational equivalence
between processes that have the same structure but differ by
the messages they contain. In order to extend the class of
equivalences that ProVerif handles, we extend the language
of terms by defining more functions (destructors) by rewrite
rules. In particular, we allow rewrite rules with
inequalities as side-conditions, so that we can express
tests {"}if then else{"} inside terms. Finally,
we provide an automatic procedure that translates a process
into an equivalent process that performs as many actions as
possible inside terms, to allow ProVerif to prove the
desired equivalence. These extensions have been implemented
in ProVerif and allow us to automatically prove anonymity in
the private authentication protocol by Abadi and Fournet.}
}

@inproceedings{CD-post13,
month = mar,
year = 2013,
volume = {7796},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Basin,  David  and Mitchell, John},
acronym = {{POST}'13},
booktitle = {{P}roceedings of the 2nd {I}nternational {C}onference on
{P}rinciples of {S}ecurity and {T}rust
({POST}'13)},
author = {Chr{\'e}tien, R{\'e}my and Delaune, St{\'e}phanie},
title = {Formal analysis of privacy for routing protocols in mobile ad~hoc networks},
pages = {1-20},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-post13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-post13.pdf},
doi = {10.1007/978-3-642-36830-1_1},
abstract = {Routing protocols aim at establishing a route between
distant nodes in ad hoc networks. Secured versions
of routing protocols have been proposed to provide
more guarantees on the resulting routes, and some of
them have been designed to protect the privacy of
the users. In this paper, we propose a framework for
analysing privacy-type properties for routing
protocols. We use a variant of the applied-pi
calculus as our basic modelling formalism.  More
precisely, using the notion of equivalence between
traces, we formalise three security properties
related to privacy, namely indistinguishability,
unlinkability, and anonymity. We study the
relationship between these definitions and we
illustrate them using two versions of the ANODR
routing protocol.}
}

@phdthesis{benzina-phd2012,
author = {Benzina, Hedi},
title = {Enforcing Virtualized Systems Security},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\`e}se de doctorat},
year = 2012,
month = dec,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-these12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-these12.pdf}
}

@mastersthesis{m2-chretien,
author = {Chr{\'e}tien, R{\'e}my},
title = {Trace equivalence of protocols for an unbounded number of sessions},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2012},
month = sep,
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-22.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-22.pdf},
note = {30~pages},
abstract = {The problem of deciding reachability for cryptographic protocols
has been thoroughly studied for an unbounded number of sessions and proven
to be undecidable in general. Nevertheless some fragments were shown to be
decidable, either by tagging or by restricting the number of blind-copies.
On the other hand, trace equivalence has only been proven to be decidable
for a bounded number of sessions. The objective of this talk is to provide
the first results of decidability of trace equivalence for an unbounded
number of sessions by lifting the approach followed by Comon-Lundh and
Cortier to trace equivalence.\par
Trace equivalence for a first class of protocols was shown undecidable
under scarce restrictions: one variable and symmetric encryption are indeed
enough. Consequently, we restrained our class of protocols a step further
by making the protocols deterministic in some sense and preventing it from
disclosing secret keys. This tighter class of protocols was then shown to
be decidable after reduction to an equivalence between deterministic
pushdown automata.}
}

@phdthesis{cheval-phd2012,
author = {Cheval, Vincent},
title = {Automatic verification of cryptographic protocols: privacy-type properties},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\`e}se de doctorat},
year = 2012,
month = dec,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/cheval-these12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/cheval-these12.pdf}
}

@techreport{AGL-arxiv12,
author = {Adj{\'e}, Assal{\'e} and Goubault{-}Larrecq, Jean},
title = {Concrete Semantics of Programs with Non-Deterministic and
Random Inputs},
year = {2012},
month = oct,
type = {Research Report},
institution = {Computing Research Repository},
number = {cs.LO/1210.2605},
url = {http://arxiv.org/abs/1210.2605},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/AGL-arxiv12.pdf},
originalpdf = {http://arxiv.org/pdf/1210.2605},
note = {19~pages},
abstract = {This document gives semantics to programs written in a C-like
programming language, featuring interactions with an external environment
with noisy and imprecise data.}
}

@inproceedings{KS-stm12,
month = sep,
year = 2012,
volume = 7783,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {J{\o}sang, Audun and Samarati, Pierangela and Petrocchi, Marinella},
acronym = {{STM}'12},
booktitle = {{R}evised {S}elected {P}apers of the 8th {W}orkshop
on {S}ecurity and {T}rust {M}anagement
({STM}'12)},
author = {K{\"u}nnemann, Robert and Steel, Graham},
title = {{Y}ubi{S}ecure? Formal Security Analysis Results for the
{Y}ubikey and {Y}ubi{HSM}},
pages = {257-272},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/KS-stm12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KS-stm12.pdf},
doi = {10.1007/978-3-642-38004-4_17},
abstract = {The Yubikey is a small hardware device designed to authenticate
a user against network-based services. Despite its widespread adoption
(over a million devices have been shipped by Yubico to more than 20~000
customers including Google and Microsoft), the Yubikey protocols have
received relatively little security analysis in the academic literature.
In the first part of this paper, we give a formal model for the operation
of the Yubikey one-time password (OTP) protocol. We prove security
properties of the protocol for an unbounded number of fresh OTPs using a
protocol analysis tool, tamarin.\par
In the second part of the paper, we analyze the security of the protocol
with respect to an adversary that has temporary access to the
authentication server. To address this scenario, Yubico offers a small
Hardware Security Module (HSM) called the YubiHSM, intended to protect
keys even in the event of server compromise. We show that if the same
YubiHSM configuration is used both to set up Yubikeys and run the
authentication protocol, then there is inevitably an attack that leaks all
of the keys to the attacker. Our discovery of this attack led to a Yubico
security advisory in February 2012. For the case where separate servers
are used for the two tasks, we give a configuration for which we can show,
using the same verification tool, that an adversary who can compromise the
server running the Yubikey protocol, but not the server used to set up new
Yubikeys, cannot obtain the keys used to produce one-time passwords.}
}

@inproceedings{BFKSST-crypto12,
address = {Santa Barbara, California, USA},
month = aug,
year = 2012,
volume = 7417,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Safavi-Naini, Reihaneh and Canetti, Ran},
acronym = {{CRYPTO}'12},
booktitle = {{P}roceedings of the 32nd {A}nnual {I}nternational
{C}ryptology {C}onference ({CRYPTO}'12)},
author = {Bardou, Romain and Focardi, Riccardo and Kawamoto, Yusuke and
Simionato, Lorenzo and Steel, Graham and Tsay, Joe-Kai},
title = {Efficient Padding Oracle Attacks on Cryptographic Hardware},
pages = {608-625},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BFKSST-crypto12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BFKSST-crypto12.pdf},
doi = {10.1007/978-3-642-32009-5_36},
abstract = {We show how to exploit the encrypted key import functions of a
variety of different cryptographic devices to reveal the imported key. The
attacks are padding oracle attacks, where error messages resulting from
incorrectly padded plaintexts are used as a side channel. In the
asymmetric encryption case, we modify and improve Bleichenbacher's attack
on RSA PKCS\#1v1.5 padding, giving new cryptanalysis that allows us to
carry out the 'million message attack' in a mean of 49 000 and median of
14 500 oracle calls in the case of cracking an unknown valid ciphertext
under a 1024 bit key (the original algorithm takes a mean of 215 000 and a
median of 163 000 in the same case). We show how implementation details of
certain devices admit an attack that requires only 9 400 operations on
average (3 800 median). For the symmetric case, we adapt Vaudenay's CBC
attack, which is already highly efficient. We demonstrate the
vulnerabilities on a number of commercially available cryptographic
devices, including security tokens, smartcards and the Estonian electronic
ID card. The attacks are efficient enough to be practical: we give timing
details for all the devices found to be vulnerable, showing how our
optimisations make a qualitative difference to the practicality of the
attack. We give mathematical analysis of the effectiveness of the attacks,
extensive empirical results, and a discussion of countermeasures.}
}

@article{AGG-lmcs12,
journal = {Logical Methods in Computer Science},
author = {Adj{\'e}, Assal{\'e} and Gaubert, St{\'e}phane and Goubault,
{\'E}ric},
title = {Coupling policy iteration with semi-definite relaxation to compute
accurate numerical invariants in static analysis},
year = 2012,
month = jan,
volume = {8},
number = {1:1},
nopages = {},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/AGG-lmcs12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/AGG-lmcs12.pdf},
doi = {10.2168/LMCS-8(1:01)2012},
abstract = {We introduce a new domain for finding precise numerical
invariants of programs by abstract interpretation. This domain, which
consists of level sets of non-linear functions, generalizes the domain of
linear {"}templates{"} introduced by Manna, Sankaranarayanan, and Sipma.
In the case of quadratic templates, we use Shor's semi-definite relaxation
to derive computable yet precise abstractions of semantic functionals, and
we show that the abstract fixpoint equation can be solved accurately by
coupling policy iteration and semi-definite programming. We demonstrate
the interest of our approach on a series of examples (filters, integration
schemes) including a degenerate one (symplectic scheme).}
}

@inproceedings{IL-pairing12,
month = may,
year = 2012,
volume = 7708,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Abdalla, Michel and Lange, Tanja},
acronym = {{PAIRING}'12},
booktitle = {{P}roceedings of the 5th {I}nternational
{C}onference on {P}airing-Based {C}ryptography
({PAIRING}'12)},
author = {Izabach{\`e}ne, Malika and Libert, Beno{\^\i}t},
title = {Divisible E-Cash in the Standard Model},
pages = {314-332},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/IL-pairing12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/IL-pairing12.pdf},
doi = {10.1007/978-3-642-36334-4_20},
abstract = {Off-line e-cash systems are the digital analogue of regular
cash. One of the main desirable properties is anonymity: spending a coin
should not reveal the identity of the spender and, at the same time, users
should not be able to double-spend coins without being detected. Compact
e-cash systems make it possible to store a wallet of $$O(2^{L})$$ coins
using $$O(L + \lambda)$$ bits, where $$\lambda$$ is the security
parameter. They are called \emph{divisible} whenever the user has the
flexibility of spending an amount of~$$2^{\ell}$$, for some $$\ell\leq L$$, more efficiently than by repeatedly spending individual coins. This
paper presents the first construction of divisible e-cash in the standard
model (i.e., without the random oracle heuristic). The scheme allows a
user to obtain a wallet of~$$2^{L}$$ coins by running a withdrawal
protocol with the bank. Our construction is built on the traditional
binary tree approach, where the wallet is organized in such a way that the
monetary value of a coin depends on how deep the coin is in the tree.}
}

@inproceedings{benzina-dictap12,
month = may,
year = 2012,
publisher = {{IEEE} Computer Society Press},
acronym = {{DICTAP}'12},
booktitle = {{P}roceedings of the 2nd {I}nternational {C}onference on {D}igital
{I}nformation and {C}ommunication {T}echnology and its
{A}pplication ({DICTAP}'12)},
author = {Benzina, Hedi},
title = {Towards Designing Secure Virtualized Systems},
pages = {250-255},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/HB-dictap12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/HB-dictap12.pdf},
doi = {10.1109/DICTAP.2012.6215385},
abstract = {Virtual machine technology is rapidly gaining acceptance as a
fundamental building block in enterprise data centers. It is most known
for improving efficiency and ease of management. However, it also provides
a compelling approach to enhancing system security, offering new ways to
rearchitect today's systems and opening the door for a wide range of future
security technologies. While this technology is meant to enhance the
security of computer systems, some recent attacks show that virtual
machine technology has many weaknesses and becomes exposed to many
security threats. In this paper we present some of these threats and show
how we protect these systems through intrusion detection and security
policies mechanisms.}
}

@inproceedings{ACD-csf12,
month = jun,
year = 2012,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'12},
booktitle = {{P}roceedings of the
25th {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'12)},
author = {Arapinis, Myrto and Cheval, Vincent and Delaune, St{\'e}phanie},
title = {Verifying privacy-type properties in a modular way},
pages = {95-109},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf12.pdf},
doi = {10.1109/CSF.2012.16},
abstract = {Formal methods have proved their usefulness for analysing the
security of protocols. In this setting, privacy-type security properties
(e.g. vote-privacy, anonymity, unlinkability) that play an important role
in many modern applications are formalised using a notion of
equivalence.\par
In this paper, we study the notion of trace equivalence and we show how to
establish such an equivalence relation in a modular way. It is well-known
that composition works well when the processes do not share secrets.
However, there is no result allowing us to compose processes that rely on
some shared secrets such as long term keys. We show that composition works
even when the processes share secrets provided that they satisfy some
reasonable conditions. Our composition result allows us to prove various
equivalence-based properties in a modular way, and works in a quite
general setting. In particular, we consider arbitrary cryptographic
primitives and processes that use non-trivial else branches.\par
As an example, we consider the ICAO e-passport standard, and we show how
the privacy guarantees of the whole application can be derived from the
privacy guarantees of its sub-protocols.}
}

@inproceedings{benzina-iscc12,
month = jul,
year = 2012,
publisher = {{IEEE} Computer Society Press},
noeditor = {},
acronym = {{ISCC}'12},
booktitle = {{P}roceedings of the 17th {IEEE} {S}ymposium on {C}omputers and
{C}ommunications ({ISCC}'12)},
author = {Benzina, Hedi},
title = {A~Network Policy Model for Virtualized Systems},
pages = {680-683},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iscc12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iscc12.pdf},
doi = {10.1109/ISCC.2012.6249376},
abstract = {Modern hypervisors offer the ability to build virtual networks
between virtual machines. These networks are very useful in both personal
and professional activities since they offer the same opportunities as
physical networks, but in a much lower cost in terms of hardware and time.
On the other hand, these networks are facing many security threats due to
the absence of rigorous security policies that protect the sensitive
resources of the network. In this paper, we propose a multilevel security
policy model for these networks; this policy covers not only network
operations, but also operations related to the management of the virtual
architecture.}
}

@inproceedings{DKP-ijcar12,
month = jun,
year = 2012,
volume = {7364},
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer-Verlag},
editor = {Gramlich, Bernhard and Miller, Dale and Sattler, Uli},
acronym = {{IJCAR}'12},
booktitle = {{P}roceedings of the 6th {I}nternational {J}oint
{C}onference on {A}utomated {R}easoning
({IJCAR}'12)},
author = {Delaune, St{\'e}phanie and Kremer, Steve and Pasail{\u{a}}, Daniel},
title = {Security protocols, constraint systems, and
group theories},
pages = {164-178},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-ijcar12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-ijcar12.pdf},
doi = {10.1007/978-3-642-31365-3_15},
abstract = {When formally analyzing security protocols it is often
important to express properties in terms of an
observational equivalence between
protocols. It has been shown that this problem
amounts to deciding the equivalence of two
constraint systems, i.e., whether they have the same
set of solutions. In this paper we study this
equivalence problem when cryptographic primitives
are modeled using a group equational theory, a
special case of monoidal equational theories. The
results strongly rely on the isomorphism between
group theories and rings. This allows us to reduce
the problem under study to the problem of solving
systems of equations over rings.\par We provide
several new decidability and complexity results,
notably for equational theories which have
applications in security protocols, such as
exclusive or and Abelian groups which may
additionally be equipped with a homomorphism.}
}

@article{BCD-tocl12,
publisher = {ACM Press},
journal = {ACM Transactions on Computational Logic},
author = {Baudet, Mathieu and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {{YAPA}: A~generic tool for computing intruder knowledge},
year = 2013,
month = feb,
nopages = {},
number = {1:4},
volume = 14,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-tocl12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-tocl12.pdf},
doi = {10.1145/2422085.2422089},
abstract = {Reasoning about the knowledge of an attacker is a
necessary step in many formal analyses of security
protocols. In the framework of the applied pi
calculus, as in similar languages based on
equational logics, knowledge is typically expressed
by two relations: deducibility and static
equivalence. Several decision procedures have been
proposed for these relations under a variety of
equational theories. However, each theory has its
particular algorithm, and none has been implemented
so far.  \par We provide a generic procedure for
deducibility and static equivalence that takes as
input any convergent rewrite system.  We show that
our algorithm covers most of the existing decision
procedures for convergent theories. We also provide
an efficient implementation, and compare it briefly
with the tools ProVerif and KiSs.}
}

@book{JGL-topology,
author = {Goubault{-}Larrecq, Jean},
title = {Non-{H}ausdorff Topology and Domain Theory---Selected Topics
in Point-Set Topology},
publisher = {Cambridge University Press},
series = {New Mathematical Monographs},
volume = {22},
year = {2013},
month = mar,
url = {http://www.cambridge.org/9781107034136},
isbn = {9781107034136}
}

@inproceedings{CCK-esop12,
month = mar,
year = 2012,
volume = {7211},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Seidl, Helmut},
acronym = {{ESOP}'12},
booktitle = {{P}rogramming {L}anguages and {S}ystems~---
{P}roceedings of the 22nd
{E}uropean {S}ymposium on {P}rogramming
({ESOP}'12)},
author = {Chadha, Rohit and Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Kremer, Steve},
title = {Automated verification of equivalence properties of
cryptographic protocols},
pages = {108-127},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCK-esop12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCK-esop12.pdf},
doi = {10.1007/978-3-642-28869-2_6},
abstract = {Indistinguishability properties are essential in formal
verification of cryptographic protocols. They are needed to model
anonymity properties, strong versions of confidentiality and resistance to
offline guessing attacks, and can be conveniently modeled using process
equivalences. We present a novel procedure to verify equivalence
properties for a bounded number of sessions. Our procedure is able to verify
trace equivalence for determinate cryptographic protocols. On determinate
protocols, trace equivalence coincides with observational equivalence
which can therefore be automatically verified for such processes. When
protocols are not determinate our procedure can be used for both under-
and over-approximations of trace equivalence, which proved successful on
examples. The procedure can handle a large set of cryptographic
primitives, namely those which can be modeled by an optimally reducing
convergent rewrite system. Although we were unable to prove its
termination, it has been implemented in a prototype tool and has been
effectively tested on examples, some of which were outside the scope of
existing tools.}
}

@article{CD-pourlascience13,
publisher = {Belin},
journal = {Pour La Science},
author = {Chr{\'e}tien, R{\'e}my and Delaune, St{\'e}phanie},
title = {La protection des informations sensibles},
volume = {433},
month = nov,
year = 2013,
pages = {70-77},
url = {http://www.pourlascience.fr/ewb_pages/a/article-la-protection-des-informations-sensibles-32228.php}
}

@techreport{rr-lsv-13-13,
author = {Hirschi, Lucca},
title = {R{\'e}duction d'entrelacements pour l'{\'e}quivalence de traces},
institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
year = {2013},
month = sep,
type = {Research Report},
number = {LSV-13-13},
url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2013-13.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2013-13.pdf},
versions = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2013-13-v1.pdf, 20130910},
note = {22~pages},
abstract = {La trace \'equivalence permet notamment de mod\'eliser l'anonymat de
protocoles cryptographiques. Cette propri\'et\'e est d\'ecidable pour de
nombreuses classes de protocoles et quelques outils permettent de la
prouver automatiquement. Mais malheureusement, tous ces outils sont tr\`es
lents et peu de protocoles r\'eellement int\'eressants peuvent \^etre analys\'es
dans un temps raisonnable. Ces outils doivent r\'ealiser un parcours
exhaustif des traces (symboliques) possibles. Mais le parall\`ele introduit
de nombreux entrelacements dont un grand nombre sont peu pertinents. Cette
explosion combinatoire est une des causes de cette inefficacit\'e.\par
Une optimisation dont l'id\'ee est emprunt\'ee \`a la POR (Partial Order
Reduction) permet de r\'eduire significativement l'espace de recherche en
reconnaissant certaines redondances entre les traces. Elle a \'et\'e
d\'evelopp\'ee dans le cas des propri\'et\'es d'accessibilit\'e.
L'objectif est de l'adapter au cas de l'\'equivalence, de l'automatiser,
d'augmenter son champ d'action et de l'introduire dans un outil
existant.}
}

@inproceedings{JGL-mfcs13,
month = aug,
year = 2013,
volume = {8087},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Chatterjee, Krishnendu and Sgall, Ji{\v{r}}{\'\i}},
acronym = {{MFCS}'13},
booktitle = {{P}roceedings of the 38th
{I}nternational {S}ymposium on
{M}athematical {F}oundations of
{C}omputer {S}cience
({MFCS}'13)},
author = {Goubault{-}Larrecq, Jean},
title = {A Constructive Proof of the Topological {K}ruskal Theorem},
pages = {22-41},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mfcs13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mfcs13.pdf},
doi = {10.1007/978-3-642-40313-2_3},
abstract = {We give a constructive proof of Kruskal's Tree
Theorem---precisely, of a topological extension of~it. The proof is in the
style of a constructive proof of Higman's Lemma due to Murthy and
Russell~(1990), and illuminates the role of regular expressions there. In
the process, we discover an extension of Dershowitz' recursive path
ordering to a form of cyclic terms which we call $$\mu$$-terms. This all came
from recent research on Noetherian spaces, and serves as a teaser for
their theory.}
}

@article{CCD-tcs13,
publisher = {Elsevier Science Publishers},
journal = {Theoretical Computer Science},
author = {Cheval, Vincent and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {Deciding equivalence-based properties using constraint solving},
year = {2013},
month = jun,
volume = {492},
pages = {1-39},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tcs13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tcs13.pdf},
doi = {10.1016/j.tcs.2013.04.016},
abstract = {Formal methods have proved their usefulness for analyzing the
security of protocols. Most existing results focus on trace properties
like secrecy or authentication. There are however several security
properties, which cannot be defined (or cannot be naturally defined) as
trace properties and require a notion of behavioural equivalence. Typical
examples are anonymity, privacy related properties or statements closer to
security properties used in cryptography.\par
In this paper, we consider three notions of equivalence defined in the
applied pi calculus: observational equivalence, may-testing equivalence,
and trace equivalence. First, we study the relationship between these
three notions. We show that for determinate processes, observational
equivalence actually coincides with trace equivalence, a notion simpler to
reason with. We exhibit a large class of determinate processes, called
simple processes, that capture most existing protocols and cryptographic
primitives. While trace equivalence and may-testing equivalence seem very
similar, we show that may-testing equivalence is actually strictly
stronger than trace equivalence. We prove that the two notions coincide
for image-finite processes, such as processes without replication.\par
Second, we reduce the decidability of trace equivalence (for finite
processes) to deciding symbolic equivalence between sets of constraint
systems. For simple processes without replication and with trivial else
branches, it turns out that it is actually sufficient to decide symbolic
equivalence between pairs of positive constraint systems. Thanks to this
reduction and relying on a result first proved by M. Baudet, this yields
the first decidability result of observational equivalence for a general
class of equational theories (for processes without else branch nor
replication). Moreover, based on another decidability result for deciding
equivalence between sets of constraint systems, we get decidability of
trace equivalence for processes with else branch for standard
primitives.}
}

@inproceedings{CCS-cade2013,
address = {Lake Placid, New~York, USA},
month = jun,
year = 2013,
volume = 7898,
series = {Lecture Notes in Artificial Intelligence},
publisher = {Springer},
editor = {Bonacina, Maria Paola},
acronym = {{CADE}'13},
booktitle = {{P}roceedings of the 24th {I}nternational
{C}onference on {A}utomated {D}eduction
({CADE}'13)},
author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique and
Scerri,  Guillaume},
title = {Tractable inference systems: an extension with a
deducibility predicate},
pages = {91-108},
doi = {10.1007/978-3-642-38574-2_6},
abstract = {The main contribution of the paper is a PTIME decision procedure
for the satisfiability problem in a class of first-order Horn clauses. Our
result is an extension of the tractable classes of Horn clauses of Basin &
Ganzinger in several respects. For instance, our clauses may contain
atomic formulas $$S \vdash t$$ where $$\vdash$$ is a predicate symbol and
$$S$$ is a finite set of terms instead of a term. $$\vdash$$~is used to
represent any possible computation of an attacker, given a set of
messages~$$S$$. The class of clauses that we consider encompasses the
clauses designed by Bana~\& Comon-Lundh for security proofs of protocols
in a computational model. \par
Because of the (variadic) $$\vdash$$ predicate symbol, we cannot use
ordered resolution strategies only, as in Basin~\& Ganzinger: given $$S \vdash t$$, we must avoid computing $$S' \vdash t$$ for all subsets $$S'$$
of~$$S$$. Instead, we design PTIME entailment procedures for increasingly
expressive fragments, such procedures being used as oracles for the next
fragment. \par
Finally, we obtain a PTIME procedure for arbitrary ground clauses and
saturated Horn clauses (as in Basin~\& Ganzinger), together with a
particular class of (non saturated) Horn clauses with the $$\vdash$$
predicate and constraints (which are necessary to cover the
application).}
}

@inproceedings{KKS-esorics13,
month = sep,
year = 2013,
volume = {8134},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Crampton, Jason and Jajodia, Sushil and Mayes, Keith},
acronym = {{ESORICS}'13},
booktitle = {{P}roceedings of the 18th {E}uropean {S}ymposium on
{R}esearch in {C}omputer {S}ecurity ({ESORICS}'13)},
author = {Kremer, Steve and K{\"u}nnemann, Robert and Steel, Graham},
title = {Universally Composable Key-Management},
pages = {327-344},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/KKS-esorics13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KKS-esorics13.pdf},
doi = {10.1007/978-3-642-40203-6_19},
abstract = {We present the first universally composable key-management
functionality, formalized in the GNUC framework by Hofheinz and Shoup. It
allows the enforcement of a wide range of security policies and can be
extended by diverse key usage operations with no need to repeat the
security proof. We illustrate its use by proving an implementation of a
security token secure with respect to arbitrary key-usage operations and
explore a proof technique that allows the storage of cryptographic keys
externally, a novel development in simulation-based security frameworks.}
}

@inproceedings{CCD-icalp13,
month = jul,
year = 2013,
volume = {7966},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Fomin, Fedor V. and Freivalds, R{\=u}si{\c{n}}{\v{s}}
and Kwiatkowska, Marta and Peleg, David},
acronym = {{ICALP}'13},
booktitle = {{P}roceedings of the 40th {I}nternational
{C}olloquium on {A}utomata, {L}anguages and
{P}rogramming ({ICALP}'13)~-- {P}art~{II}},
author = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {From security protocols to pushdown automata},
pages = {137-149},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-icalp13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-icalp13.pdf},
doi = {10.1007/978-3-642-39212-2_15},
abstract = {Formal methods have been very successful in analyzing
security protocols for reachability properties such as secrecy or
authentication. In contrast, there are very few results for
equivalence-based properties, crucial for studying
e.g. privacy-like properties such as anonymity or vote
secrecy.\par
We study the problem of checking equivalence of security protocols
for an unbounded number of sessions. Since replication leads very
quickly to undecidability (even in the simple case of secrecy), we
focus on a limited fragment of protocols (standard primitives but
pairs, one variable per protocol's rules) for which the secrecy
preservation problem is known to be decidable. Surprisingly, this
fragment turns out to be undecidable for equivalence. Then,
restricting our attention to deterministic protocols, we propose
the first decidability result for checking equivalence of
protocols for an unbounded number of sessions. This result is
obtained through a characterization of equivalence of protocols in
terms of equality of languages of (generalized, real-time)
deterministic pushdown automata.}
}

@inproceedings{ABGGP-vstte13,
year = 2014,
volume = 8164,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Cohen, Ernie and Rybalchenko, Andrey},
acronym = {{VSTTE}'13},
booktitle = {{R}evised {S}elected {P}apers of the
5th {IFIP} {TC2}\slash{WG2.3} {C}onference {V}erified
{S}oftware---{T}heories, {T}ools, and {E}xperiments
({VSTTE}'13)},
author = {Adj{\'e}, Assal{\'e} and Bouissou, Olivier and
Goubault{-}Larrecq, Jean and
Goubault, {\'E}ric and Putot, Sylvie},
title = {Static Analysis of Programs with Imprecise Probabilistic Inputs},
pages = {22-47},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/ABGGP-vstte13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ABGGP-vstte13.pdf},
doi = {10.1007/978-3-642-54108-7},
abstract = {Having a precise yet sound abstraction of the inputs of
numerical programs is important to analyze their behavior. For many
programs, these inputs are probabilistic, but the actual distribution used
is only partially known. We present a static analysis framework for
reasoning about programs with inputs given as imprecise probabilities: we
define a collecting semantics based on the notion of previsions and an
abstract semantics based on an extension of Dempster-Shafer structures. We
prove the correctness of our approach and show on some realistic examples
the kind of invariants we are able to infer.}
}

@inproceedings{CCP-cav13,
month = jul,
year = 2013,
volume = {8044},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Sharygina, Natasha and Veith, Helmut},
acronym = {{CAV}'13},
booktitle = {{P}roceedings of the 25th
{I}nternational {C}onference on
{C}omputer {A}ided {V}erification
({CAV}'13)},
author = {Cheval, Vincent and Cortier, V{\'e}ronique and Plet, Antoine},
title = {Lengths may break privacy~---or~how to check for
equivalences with length},
pages = {708-723},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCP-cav13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCP-cav13.pdf},
doi = {10.1007/978-3-642-39799-8_50},
abstract = {Security protocols have been successfully analyzed using
symbolic models, where messages are represented by terms and protocols by
processes. Privacy properties like anonymity or untraceability are
typically expressed as equivalence between processes. While some decision
procedures have been proposed for automatically deciding process
equivalence, all existing approaches abstract away the information an
attacker may get when observing the length of messages.\par In this paper, we
study process equivalence with length tests. We first show that, in the
static case, almost all existing decidability results (for static
equivalence) can be extended to cope with length tests. In the active
case, we prove decidability of trace equivalence with length tests, for a
bounded number of sessions and for standard primitives. Our result relies
on a previous decidability result from Cheval~\emph{et~al.} (without
length tests). Our procedure has been implemented and we have discovered a
new flaw against privacy in the biometric passport protocol.}
}

@article{CDKR-fmsd13,
publisher = {Springer},
journal = {Formal Methods in System Design},
author = {Chevalier, C{\'e}line and Delaune, St{\'e}phanie and
Kremer, Steve and Ryan, Mark D.},
title = {Composition of Password-based Protocols},
volume = {43},
number = {3},
pages = {369-413},
month = dec,
year = 2013,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDKR-fmsd13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDKR-fmsd13.pdf},
doi = {10.1007/s10703-013-0184-6},
abstract = {Formal and symbolic techniques are extremely useful for
modelling and analysing security protocols. They have helped to improve
our understanding of such protocols, allowed us to discover flaws, and
they also provide support for protocol design. However, such analyses
usually consider that the protocol is executed in isolation or assume a
bounded number of protocol sessions. Hence, no security guarantee is
provided when the protocol is executed in a more complex environment.\par
In this paper, we study whether password protocols can be safely composed,
even when a same password is reused. More precisely, we present a
transformation which maps a password protocol that is secure for a single
protocol session (a~decidable problem) to a protocol that is secure for an
unbounded number of sessions. Our result provides an effective strategy to
design secure password protocols: (i)~design a protocol intended to be
secure for one protocol session; (ii)~apply our transformation and obtain
a protocol which is secure for an unbounded number of sessions. Our
technique also applies to compose different password protocols allowing us
to obtain both inter-protocol and inter-session composition.}
}

@incollection{GLJ-hg13,
month = jan,
year = 2013,
volume = 7797,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
noacronym = {},
booktitle = {Programming Logics~-- Essays in Memory of {H}arald {G}anzinger},
editor = {Voronkov, Andrei and Weidenbach, Christoph},
author = {Goubault{-}Larrecq, Jean and Jouannaud, Jean-Pierre},
title = {The Blossom of Finite Semantic Trees},
pages = {90-122},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-hg13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-hg13.pdf}
}

@mastersthesis{m2-lefaucheux,
author = {Lefaucheux, Engel},
title = {D{\'e}tection de fautes dans les syst{\e}mes probabilistes},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2014},
month = sep,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-lefaucheux.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-lefaucheux.pdf},
note = {35~pages}
}

@mastersthesis{m2-dubut,
author = {Dubut, J{\'e}r{\'e}my},
title = {{H}omologie dirig{\'e}e},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2014},
month = sep,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dubut.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dubut.pdf},
note = {35~pages}
}

@inproceedings{BC-ccs14,
month = nov,
year = 2014,
publisher = {ACM Press},
editor = {Ahn, Gail-Joon and Yung, Moti and Li, Ninghui},
acronym = {{CCS}'14},
booktitle = {{P}roceedings of the 21st {ACM} {C}onference
on {C}omputer and {C}ommunications {S}ecurity
({CCS}'14)},
author = {Bana, Gergei and Comon{-}Lundh, Hubert},
title = {A~Computationally Complete Symbolic Attacker for
Equivalence Properties},
pages = {609-620},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-ccs14.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-ccs14.pdf},
doi = {10.1145/2660267.2660276},
abstract = {We consider the problem of computational indistinguishability of
protocols. We design a symbolic model, amenable to automated deduction,
such that a successful inconsistency proof implies computational
indistinguishability. Conversely, symbolic models of distinguishability
provide clues for likely computational attacks. We follow the idea we
introduced earlier for reachability properties, axiomatizing what an
attacker cannot violate. This results in a computationally complete symbolic
attacker, and ensures unconditional computational soundness for the
symbolic analysis. We present a small library of computationally sound,
modular axioms, and test our technique on an example protocol. Despite
additional difficulties stemming from the equivalence properties, the
models and the soundness proofs turn out to be simpler than they were for
reachability properties.}
}

@inproceedings{GLJ-mfps30,
month = jun,
year = 2014,
volume = 308,
series = {Electronic Notes in Theoretical Computer Science},
publisher = {Elsevier Science Publishers},
editor = {Jacobs, Bart and Silva, Alexandra and Staton, Sam},
acronym = {{MFPS}'14},
booktitle = {{P}roceedings of the 30th {C}onference on
{M}athematical {F}oundations of {P}rogramming
{S}emantics ({MFPS}'14)},
author = {Goubault{-}Larrecq, Jean and Jung, Achim},
title = {{QRB}, {QFS}, and the Probabilistic Powerdomain},
pages = {167-182},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-mfps14.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-mfps14.pdf},
doi = {10.1016/j.entcs.2014.10.010},
abstract = {We show that the first author's QRB-domains coincide with Li and
Xu's QFS-domains, and also with Lawson-compact quasi-continuous dcpos,
with stably-compact locally finitary compact spaces, with sober
QFS-spaces, and with sober QRB-spaces. The first three coincidences were
discovered independently by Lawson and~Xi. The equivalence with sober
QFS-spaces is then applied to give a novel, direct proof that the
probabilistic powerdomain of a QRB-domain is a QRB-domain. This improves
upon a previous, similar result, which was limited to pointed,
second-countable QRB-domains.}
}

@article{jgl-jlap14,
publisher = {Elsevier Science Publishers},
journal = {Journal of Logic and Algebraic Methods in Programming},
author = {Goubault{-}Larrecq, Jean},
title = {Full Abstraction for Non-Deterministic and Probabilistic
Extensions of {PCF}~{I}: the~Angelic Cases},
volume = 84,
number = 1,
year = 2015,
month = jan,
pages = {155-184},
opteditor = {Berger, Ulrich},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/jgl-jlap14.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/jgl-jlap14.pdf},
doi = {10.1016/j.jlamp.2014.09.003},
abstract = {We examine several extensions and variants of Plotkin's
language~PCF, including non-deterministic and probabilistic choice
constructs. For~each, we give an operational and a denotational semantics,
and compare them. In each case, we show soundness and computational
adequacy: the two semantics compute the same values at ground types.
Beyond this, we establish full abstraction (the~observational preorder
coincides with the denotational preorder) in a number of cases. In~the
probabilistic cases, this requires the addition of so-called statistical
termination testers to the language.}
}

@article{CD-interstices14,
publisher = {INRIA},
journal = {Interstices},
author = {Chr{\'e}tien, R{\'e}my and Delaune, St{\'e}phanie},
title = {Le~bitcoin, une monnaie $$100\%$$ num{\'e}rique},
month = sep,
year = {2014},
url = {https://interstices.info/jcms/ni_78681/le-bitcoin-une-monnaie-100-numerique},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-interstices14.pdf}
}

@inproceedings{CDR-tgc14,
month = dec,
year = 2014,
volume = {8902},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Maffei, Matteo and Tuosto, Emilio},
acronym = {{TGC}'14},
booktitle = {{R}evised {S}elected {P}apers of the 9th {S}ymposium on {T}rustworthy {G}lobal
{C}omputing ({TGC}'14)},
author = {Cheval, Vincent and Delaune, St{\'e}phanie and Ryan, Mark
D.},
title = {Tests for establishing security properties},
pages = {82-96},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDR-tgc14.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDR-tgc14.pdf},
doi = {10.1007/978-3-662-45917-1_6},
abstract = {Ensuring strong security properties in some cases requires
participants to carry out tests during the execution of a protocol.
A~classical example is electronic voting: participants are required to
verify the presence of their ballots on a bulletin board, and to verify
the computation of the election outcome. The notion of certificate
transparency is another example, in which participants in the protocol are
required to perform tests to verify the integrity of a certificate log.\par
We present a framework for modelling systems with such {"}testable
properties{"}, using the applied pi calculus. We model the tests that are
made by participants in order to obtain the security properties.
Underlying our work is an attacker model called {"}malicious but cautious{"},
which lies in between the Dolev-Yao model and the {"}honest but curious{"}
model. The malicious-but-cautious model is appropriate for cloud computing
providers that are potentially malicious but are assumed to be cautious
about launching attacks that might cause user tests to fail.}
}

@inproceedings{GLS-pp14,
year = 2014,
volume = 8464,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {van Breugel, Franck and Kashefi, Elham and Palamidessi,
Catuscia and Rutten, Jan},
booktitle = {Horizons of the Mind. A~Tribute to Prakash Panangaden},
author = {Goubault{-}Larrecq, Jean and Segala, Roberto},
title = {Random Measurable Selections},
pages = {343-362},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLS-pp14.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLS-pp14.pdf},
doi = {10.1007/978-3-319-06880-0_18},
abstract = {We make the first steps towards showing a general {"}randomness
for free{"} theorem for stochastic automata. The goal of such theorems is
to replace randomized schedulers by averages of pure schedulers. Here, we
explore the case of measurable multifunctions and their measurable
selections. This involves constructing probability measures on the
measurable space of measurable selections of a given measurable
multifunction, which seems to be a fairly novel problem. We then extend
this to the case of IT automata, namely, non-deterministic (infinite)
automata with a history-dependent transition relation. Throughout, we
strive to make our assumptions minimal.}
}

@article{ADK-lmcs14,
journal = {Logical Methods in Computer Science},
author = {Arapinis, Myrto and Delaune, St{\'e}phanie and Kremer, Steve},
title = {Dynamic Tags for Security Protocols},
volume = 10,
number = {2:11},
nopages = {},
month = jun,
year = 2014,
doi = {10.2168/LMCS-10(2:11)2014},
abstract = {The design and verification of cryptographic protocols is a
notoriously difficult task, even in symbolic models which take an abstract
view of cryptography. This is mainly due to the fact that protocols may
interact with an arbitrary attacker which yields a verification problem
that has several sources of unboundedness (size of messages, number of
sessions, etc.). In this paper, we characterize a class of protocols for
which deciding security for an unbounded number of sessions is decidable.
More precisely, we present a simple transformation which maps a protocol
that is secure for a bounded number of protocol sessions (a~decidable
problem) to a protocol that is secure for an unbounded number of sessions.
The precise number of sessions that need to be considered is a function of
the security property and we show that for several classical security
properties a single session is sufficient. Therefore, in many cases our
results yield a design strategy for security protocols: (i)~design a
protocol intended to be secure for a {single session}; and (ii)~apply our
transformation to obtain a protocol which is secure for an unbounded
number of sessions.}
}

@inproceedings{CCD-concur14,
month = sep,
year = 2014,
volume = 8704,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Baldan, Paolo and Gorla, Daniele},
acronym = {{CONCUR}'14},
booktitle = {{P}roceedings of the 25th
{I}nternational {C}onference on
{C}oncurrency {T}heory
({CONCUR}'14)},
author = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {Typing messages for free in security protocols:
the~case of equivalence properties},
pages = {372-386},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-concur14.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-concur14.pdf},
doi = {10.1007/978-3-662-44584-6_26},
abstract = {Privacy properties such as untraceability, vote secrecy, or
anonymity are typically expressed as behavioural equivalence in a process
algebra that models security protocols. In this paper, we study how to
decide one particular relation, namely trace equivalence, for an unbounded
number of sessions.\par
Our first main contribution is to reduce the search space for attacks.
Specifically, we show that if there is an attack then there is one that is
well-typed. Our result holds for a large class of typing systems and a
large class of determinate security protocols. Assuming finitely many
nonces and keys, we can derive from this result that trace equivalence is
decidable for an unbounded number of sessions for a class of tagged
protocols, yielding one of the first decidability results for the
unbounded case. As an intermediate result, we also provide a novel
decision procedure in the case of a bounded number of sessions.}
}

@incollection{CD-nato12,
author = {Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
title = {Formal Security Proofs},
booktitle = {Software Safety and Security},
pages = {26-63},
editor = {Nipkow, Tobias and Grumberg, Orna and Hauptmann, Benedikt},
series = {NATO Science for Peace and Security Series~-- D:~Information and
Communication Security},
volume = {33},
publisher = {{IOS} Press},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-nato12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-nato12.pdf},
year = 2012,
month = may
}

@inproceedings{CLHKS-ispec12,
year = 2012,
month = apr,
volume = 7232,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Ryan, Mark D. and Smyth,  Ben and Wang, Guilin},
acronym = {{ISPEC}'12},
booktitle = {{P}roceedings of the 8th {I}nternational {C}onference on
{I}nformation {S}ecurity {P}ractice and {E}xperience
({ISPEC}'12)},
author = {Comon{-}Lundh, Hubert and Hagiya, Masami and Kawamoto, Yusuke and
Sakurada, Hideki},
title = {Computational Soundness of Indistinguishability
Properties without Computable Parsing},
pages = {63-79},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CHKS-ispec12.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CHKS-ispec12.pdf},
doi = {10.1007/978-3-642-29101-2_5},
abstract = {We provide a symbolic model for protocols using public-key
encryption and hash function, and prove that this model is computationally
sound: if there is an attack in the computational world, then there is an
attack in the symbolic (abstract) model. Our original contribution is that
we deal with the security properties, such as anonymity, which cannot be
described using a single execution trace, while considering an unbounded
number of sessions of the protocols in the presence of active and adaptive
adversaries. Our soundness proof is different from all existing studies in
that it does not require a computable parsing function from bit strings to
terms. This allows us to deal with more cryptographic primitives, such as
a preimage-resistant and collision-resistant hash function whose input may
have different lengths.}
}

@inproceedings{BDH-post14,
month = apr,
year = 2014,
volume = {8414},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Abadi, Mart{\'\i}n and Kremer, Steve},
acronym = {{POST}'14},
booktitle = {{P}roceedings of the 3rd {I}nternational {C}onference on
{P}rinciples of {S}ecurity and {T}rust
({POST}'14)},
author = {Baelde, David and Delaune, St{\'e}phanie and Hirschi, Lucca},
title = {A~reduced semantics for deciding trace equivalence using constraint systems},
pages = {1-21},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-post14.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-post14.pdf},
doi = {10.1007/978-3-642-54792-8_1},
abstract = {Many privacy-type properties of security protocols can be
modelled using trace equivalence properties in suitable process algebras.
It has been shown that such properties can be decided for interesting
classes of finite processes (i.e.,~without replication) by means of symbolic
execution and constraint solving. However, this does not suffice to obtain
practical tools. Current prototypes suffer from a classical combinatorial
explosion problem caused by the exploration of many interleavings in the
behaviour of processes. M{\"o}dersheim et~al. have tackled this problem for
reachability properties using partial order reduction techniques. We
revisit their work, generalize it and adapt it for equivalence checking.
We obtain an optimization in the form of a reduced symbolic semantics that
eliminates redundant interleavings on the fly.}
}

@article{ACD-icomp13,
publisher = {Elsevier Science Publishers},
journal = {Information and Computation},
author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {Modeling and Verifying Ad~Hoc Routing Protocols},
volume = 238,
pages = {30-67},
month = nov,
year = 2014,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-icomp13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-icomp13.pdf},
doi = {10.1016/j.ic.2014.07.004},
abstract = {Mobile ad hoc networks consist of mobile wireless devices which
autonomously organize their infrastructure. In such networks, a central
issue, ensured by routing protocols, is to find a route from one device to
another. Those protocols use cryptographic mechanisms in order to prevent
malicious nodes from compromising the discovered route.\par
Our contribution is twofold. We first propose a calculus for modeling and
reasoning about security protocols, including in particular secured
routing protocols. Our calculus extends standard symbolic models to take
into account the characteristics of routing protocols and to model
wireless communication in a more accurate way. Our second main
contribution is a decision procedure for analyzing routing protocols for
any network topology. By using constraint solving techniques, we show that
it is possible to automatically discover (in~NPTIME) whether there exists
a network topology that would allow malicious nodes to mount an attack
against the protocol, for a bounded number of sessions. We also provide a
decision procedure for detecting attacks in case the network topology is
given a priori. We demonstrate the usage and usefulness of our approach by
analyzing protocols of the literature, such as SRP applied to DSR and
SDMSR.}
}

@article{GL-acs13,
publisher = {Springer},
journal = {Applied Categorical Structures},
author = {Goubault{-}Larrecq, Jean},
title = {Exponentiable streams and prestreams},
volume = {22},
number = {3},
year = 2014,
month = jun,
pages = {515-549},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13.pdf},
corrigendumpdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13-erratum.pdf},
doi = {10.1007/s10485-013-9315-x},
note = {Errata 1: \url{http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13-erratum.pdf};
Errata 2: \url{http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13-erratum2.pdf}},
abstract = {Inspired by a construction of Escard{\'o}, Lawson, and Simpson,
we give a general construction of $$\mathcal C$$-generated objects in a
topological construct. When $$\mathcal C$$ consists of exponentiable
objects, the resulting category is Cartesian-closed. This generalizes the
familiar construction of compactly-generated spaces, and we apply this to
Krishnan's categories of streams and prestreams, as well as to Haucourt
streams. For that, we need to identify the exponentiable objects in these
categories: for prestreams, we show that these are the preordered
core-compact topological spaces, and for streams, these are the
core-compact streams.}
}

@article{GL-mscs13,
publisher = {Cambridge University Press},
journal = {Mathematical Structures in Computer Science},
author = {Goubault{-}Larrecq, Jean},
title = {A~short proof of the {S}chr{\"o}der-{S}impson theorem},
volume = 25,
number = 1,
year = 2015,
month = jan,
pages = {1-5},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-mscs13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-mscs13.pdf},
doi = {10.1017/S0960129513000467},
abstract = {We give a short and elementary proof of the
Schr{\"o}der-Simpson Theorem, which states that the space of all
continuous maps from a given space~$$X$$ to the non-negative reals with their
Scott topology is the cone-theoretic dual of the probabilistic powerdomain
on~$$X$$.}
}

@article{BCD-icomp13,
publisher = {Elsevier Science Publishers},
journal = {Information and Computation},
author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert and Delaune,
St{\'e}phanie},
title = {Deducibility constraints and blind signatures},
year = {2014},
month = nov,
volume = 238,
pages = {106-127},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-icomp13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-icomp13.pdf},
nonote = {32~pages},
doi = {10.1016/j.ic.2014.07.006},
abstract = {Deducibility constraints represent in a symbolic way the
infinite set of possible executions of a finite protocol. Solving a
deducibility constraint amounts to finding all possible ways of filling
the gaps in a proof. For finite local inference systems, there is an
algorithm that reduces any deducibility constraint to a finite set of
solved forms. This allows one to decide any trace security property of
cryptographic protocols.\par
We investigate here the case of infinite local inference systems, through
the case study of blind signatures. We show that, in this case again, any
deducibility constraint can be reduced to finitely many solved forms
(hence we can decide trace security properties). We sketch also another
example to which the same method can be applied.}
}

@mastersthesis{m2-dallon,
author = {Dallon, Antoine},
title = {Verification of Cryptographic Protocols: a bound on the number
of agents},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2015},
month = sep,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dallon.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dallon.pdf},
note = {38~pages}
}

@article{CCD-tocl15,
publisher = {ACM Press},
journal = {ACM Transactions on Computational Logic},
author = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {From security protocols to pushdown automata},
volume = {17},
number = {1:3},
nopages = {},
year = 2015,
month = sep,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tocl15.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tocl15.pdf},
doi = {10.1145/2811262},
abstract = {Formal methods have been very successful in analyzing security
protocols for reachability properties such as secrecy or authentication.
In contrast, there are very few results for equivalence-based properties,
crucial for studying e.g. privacy-like properties such as anonymity or
vote secrecy.\par
We study the problem of checking equivalence of security protocols for an
unbounded number of sessions. Since replication leads very quickly to
undecidability (even in the simple case of secrecy), we focus on a limited
fragment of protocols (standard primitives but pairs, one variable per
protocol's rules) for which the secrecy preservation problem is known to
be decidable. Surprisingly, this fragment turns out to be undecidable for
equivalence. Then, restricting our attention to deterministic protocols,
we propose the first decidability result for checking equivalence of
protocols for an unbounded number of sessions. This result is obtained
through a characterization of equivalence of protocols in terms of
equality of languages of (generalized, real-time) deterministic pushdown
automata. We further show that checking for equivalence of protocols is
actually equivalent to checking for equivalence of generalized, real-time
deterministic pushdown automata.\par
Very recently, the algorithm for checking for equivalence of deterministic
pushdown automata has been implemented. We have implemented our
translation from protocols to pushdown automata, yielding the first tool
that decides equivalence of (some class of) protocols, for an unbounded
number of sessions. As an application, we have analyzed some protocols of
the literature including a simplified version of the basic access control
(BAC) protocol used in biometric passports.}
}

@inproceedings{CCD-esorics15,
month = sep,
year = 2015,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Ryan, Peter and Weippl, Edgar},
acronym = {{ESORICS}'15},
booktitle = {{P}roceedings of the 20th {E}uropean {S}ymposium on
{R}esearch in {C}omputer {S}ecurity ({ESORICS}'15)},
author = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
title = {Checking trace equivalence: How to get rid of nonces?},
pages = {230-251},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-esorics15.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-esorics15.pdf},
doi = {10.1007/978-3-319-24177-7_12},
abstract = {Security protocols can be successfully analysed using formal
methods. When proving security in symbolic settings for an unbounded
number of sessions, a typical technique consists in abstracting away fresh
nonces and keys by a bounded set of constants. While this abstraction is
clearly sound in the context of secrecy properties (for protocols without
else branches), this is no longer the case for equivalence properties.\par
In this paper, we study how to soundly get rid of nonces in the context of
equivalence properties. We show that nonces can be replaced by constants
provided that each nonce is associated to two constants (instead of
typically one constant for secrecy properties). Our result holds for
deterministic (simple) protocols and a large class of primitives that
includes e.g. standard primitives, blind signatures, and zero-knowledge
proofs.}
}

@article{BCGMNTW-jfr14,
publisher = {University of Bologna},
journal = {Journal of Formalized Reasoning},
author = {Baelde, David and Chaudhuri, Kaustuv and Gacek, Andrew and
Miller, Dale and Nadathur, Gopalan and Tiu, Alwen and Wang,
Yuting},
title = {Abella: A~System for Reasoning about Relational Specifications},
volume = {7},
number = {2},
year = {2014},
pages = {1-89},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCGMNTW-jfr14.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCGMNTW-jfr14.pdf},
doi = {10.6092/issn.1972-5787/4650},
abstract = {The Abella interactive theorem prover is based on an
intuitionistic logic that allows for inductive and co-inductive reasoning
over relations. Abella supports the $$\lambda$$-tree approach to treating
syntax containing binders: it~allows simply typed $$\lambda$$-terms to be
used to represent such syntax and it provides higher-order (pattern)
unification, the $$\nabla$$ quantifier, and nominal constants for
reasoning about these representations. As such, it is a suitable vehicle
for formalizing the meta-theory of formal systems such as logics and
programming languages. This tutorial exposes Abella incrementally,
starting with its capabilities at a first-order logic level and gradually
presenting more sophisticated features, ending with the support it offers
to the \emph{two-level logic approach} to meta-theoretic reasoning. Along
the way, we show how Abella can be used to prove theorems involving natural
numbers, lists, and automata, as well as involving typed and untyped
$$\lambda$$-calculi and the $$\pi$$-calculus.}
}

@inproceedings{BDS-csl15,
month = sep,
year = 2015,
volume = {41},
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Kreutzer, Stephan},
acronym = {{CSL}'15},
booktitle = {{P}roceedings of the 24th {A}nnual {EACSL} {C}onference on
{C}omputer {S}cience {L}ogic ({CSL}'15)},
author = {Baelde, David and Doumane, Amina and Saurin, Alexis},
title = {Least and Greatest Fixed Points in Ludics},
pages = {549-566},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BDS-csl15.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BDS-csl15.pdf},
doi = {10.4230/LIPIcs.CSL.2015.549},
abstract = {Various logics have been introduced in order to reason over
(co)inductive specifications and, through the Curry-Howard correspondence,
to study computation over inductive and coinductive data. The logic mu-MALL
is one of those logics, extending multiplicative and additive linear logic
with least and greatest fixed point operators.\par
In this paper, we investigate the semantics of mu-MALL proofs in
(computational) ludics. This framework is built around the notion of
design, which can be seen as an analogue of the strategies of game
semantics. The infinitary nature of designs makes them particularly well
suited for representing computations over infinite data.\par
We provide mu-MALL with a denotational semantics, interpreting proofs by
designs and formulas by particular sets of designs called behaviours. Then
we prove a completeness result for the class of {"}essentially finite
designs{"}, which are those designs performing a finite computation followed
by a copycat. On the way to completeness, we investigate semantic
inclusion, proving its decidability (given two formulas, we can decide
whether the semantics of one is included in the other's) and completeness
(if semantic inclusion holds, the corresponding implication is provable in
mu-MALL).}
}

@inproceedings{BDH-concur15,
month = sep,
year = 2015,
volume = {42},
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Aceto, Luca and de Frutos-Escrig, David},
acronym = {{CONCUR}'15},
booktitle = {{P}roceedings of the 26th
{I}nternational {C}onference on
{C}oncurrency {T}heory
({CONCUR}'15)},
author = {Baelde, David and Delaune, St{\'e}phanie and Hirschi,
Lucca},
title = {Partial Order Reduction for Security Protocols},
pages = {497-510},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-concur15.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-concur15.pdf},
doi = {10.4230/LIPIcs.CONCUR.2015.497},
abstract = {Security protocols are concurrent processes that communicate
using cryptography with the aim of achieving various security properties.
Recent work on their formal verification has brought procedures and tools
for deciding trace equivalence properties (\textit{e.g.},~anonymity,
unlinkability, vote secrecy) for a bounded number of sessions. However,
these procedures are based on a naive symbolic exploration of all traces
of the considered processes which, unsurprisingly, greatly limits the
scalability and practical impact of the verification tools.\par
In this paper, we mitigate this difficulty by developing partial order
reduction techniques for the verification of security protocols. We
provide reduced transition systems that optimally eliminate redundant
traces, and which are adequate for model-checking trace equivalence
properties of protocols by means of symbolic execution. We have
implemented our reductions in the tool \textsf{Apte}, and demonstrated
that it achieves the expected speedup on various protocols.}
}

@inproceedings{CCD-csf15,
month = jul,
year = 2015,
publisher = {{IEEE} Computer Society Press},
acronym = {{CSF}'15},
booktitle = {{P}roceedings of the
28th {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'15)},
author = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and
Delaune, St{\'e}phanie},
title = {Decidability of trace equivalence for protocols with nonces},
pages = {170-184},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-csf15.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-csf15.pdf},
doi = {10.1109/CSF.2015.19},
abstract = {Privacy properties such as anonymity, unlinkability, or vote
secrecy are typically expressed as equivalence properties.\par
In this paper, we provide the first decidability result for trace
equivalence of security protocols, for an unbounded number of sessions and
unlimited fresh nonces. Our class encompasses most symmetric key protocols
of the literature, in their tagged variant.}
}

@inproceedings{DGGL-icalp15,
month = jul,
year = 2015,
volume = {9135},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Halld{\'o}rsson, Magnus M. and Iwama, Kazuo and Kobayashi,
Naoki and Speckmann, Bettina},
acronym = {{ICALP}'15},
booktitle = {{P}roceedings of the 42nd {I}nternational
{C}olloquium on {A}utomata, {L}anguages and
{P}rogramming ({ICALP}'15)~-- {P}art~{II}},
author = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and
Goubault{-}Larrecq, Jean},
title = {Natural Homology},
pages = {171-183},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-icalp15.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-icalp15.pdf},
doi = {10.1007/978-3-662-47666-6_14},
abstract = {We propose a notion of homology for directed algebraic topology,
based on so-called natural systems of abelian groups, and which we call
natural homology. Contrarily to previous proposals, and as we show,
natural homology has many desirable properties: it~is invariant under
isomorphisms of directed spaces, it is invariant under refinement
(subdivision), and it is computable on cubical complexes.}
}

@inproceedings{ACD-post15,
month = apr,
year = 2015,
volume = {9036},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Focardi, Riccardo and Myers, Andrew},
acronym = {{POST}'15},
booktitle = {{P}roceedings of the 4th {I}nternational {C}onference on
{P}rinciples of {S}ecurity and {T}rust
({POST}'15)},
author = {Arapinis, Myrto and Cheval, Vincent and Delaune, St{\'e}phanie},
title = {Composing security protocols: from confidentiality to privacy},
pages = {324-343},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-post15.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-post15.pdf},
doi = {10.1007/978-3-662-46666-7_17},
abstract = {Security protocols are used in many of our daily-life
applications, and our privacy largely depends on their design. Formal
verification techniques have proved their usefulness to analyse these
protocols, but they become so complex that modular techniques have to be
developed. We propose several results to safely compose security
protocols. We consider arbitrary primitives modeled using an equational
theory, and a rich process algebra close to the applied pi calculus.\par
Relying on these composition results, we derive some security properties
on a protocol from the security analysis performed on each of its
sub-protocols individually. We consider parallel composition and the case
of key-exchange protocols. Our results apply to deal with confidentiality
but also privacy-type properties (e.g. anonymity) expressed using a notion
of equivalence. We illustrate the usefulness of our composition results on
protocols from the 3G phone application and electronic passport.}
}

@phdthesis{scerri-phd15,
author = {Scerri, Guillaume},
title = {Proofs of security protocols revisited},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\e}se de doctorat},
year = 2015,
month = jan,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/scerri-phd15.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/scerri-phd15.pdf}
}

@article{AFG-sif15,
publisher = {SIF},
journal = {1024~-- Bulletin de la soci{\'e}t{\'e} informatique de France},
author = {Abiteboul, Serge and Fribourg, Laurent and
Goubault{-}Larrecq, Jean},
title = {{G}{\'e}rard {B}erry~: un~informaticien m{\'e}daille d'or du {CNRS}~2014},
volume = 4,
pages = {139-142},
month = oct,
year = 2014,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/AFG-sif15.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/AFG-sif15.pdf},
abstract = {C'est un chercheur en informatique qui vient de recevoir la
m{\'e}daille d'or du CNRS, la plus haute distinction scientifique fran{\c c}aise
toutes disciplines confondues. Les informaticiens sont rares {\a}
avoir {\'e}t{\'e} ainsi honor{\'e}s : ce n'est que la seconde fois
apr{\e}s Jacques Stern en~2006.}
}

@inproceedings{GLO-fps13,
month = oct,
year = 2013,
volume = 8352,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Danger, Jean-Luc and Debbabi, Mourad and Marion, Jean-Yves and
Garcia{-}Alfaro, Joaquin and Zincir{-}Heywood, Nur},
acronym = {{FPS}'13},
booktitle = {{R}evised {S}elected {P}apers of the 6th {I}nternational {S}ymposium on
{F}oundations and {P}ractice of {S}ecurity ({FPS}'13)},
author = {Goubault{-}Larrecq, Jean and Olivain, Julien},
title = {On~the Efficiency of Mathematics in Intrusion
Detection: The {NetEntropy} Case},
pages = {3-16},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLO-fps13.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLO-fps13.pdf},
doi = {10.1007/978-3-319-05302-8_1},
abstract = {NetEntropy is a plugin to the Orchids intrusion detection tool
that is originally meant to detect some subtle attacks on implementations
of cryptographic protocols such as {SSL\slash TLS}. NetEntropy compares
the sample entropy of a data stream to a known profile, and flags any
significant variation. Our point is to stress the \emph{mathematics} behind
NetEntropy: the reason of the rather incredible precision of NetEntropy is
to be found in theorems due to Paninski and Moddemeijer.}
}

@mastersthesis{m2-jacomme,
author = {Jacomme, Charlie},
title = {Automated applications of Cryptographic Assumptions},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2016},
month = sep,
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-jacomme.pdf}
}

@article{DH-jlamp16,
publisher = {Elsevier Science Publishers},
journal = {Journal of Logic and Algebraic Methods in Programming},
author = {Delaune, St{\'e}phanie and Hirschi, Lucca},
title = {A survey of symbolic methods for establishing equivalence-based properties in cryptographic protocols},
volume = {87},
year = {2016},
pages = {127-144},
url = {http://www.sciencedirect.com/science/article/pii/S235222081630133X},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DH-jlamp16.pdf},
doi = {10.1016/j.jlamp.2016.10.005},
note = {To~appear},
abstract = {Cryptographic protocols aim at securing communications over insecure networks such as the Internet, where dishonest users may listen to communications and interfere with them. A secure communication has a different meaning depending on the underlying application. It ranges from the confidentiality of data to e.g. verifiability in electronic voting systems. Another example of a security notion is privacy. Formal symbolic models have proved their usefulness for analysing the security of protocols. Until quite recently, most results focused on trace properties like confidentiality or authentication. There are, however, several security properties which cannot be defined (or cannot be naturally defined) as trace properties and require a notion of behavioural equivalence. Typical examples are anonymity and privacy-related properties. During the last decade, several results and verification tools have been developed to analyse equivalence-based security properties. We propose here a synthesis of decidability and undecidability results for equivalence-based security properties. Moreover, we give an overview of existing verification tools that may be used to verify equivalence-based security properties.}
}

@article{GLSSW-dagrep16,
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
journal = {Dagstuhl Reports},
author = {Goubault{-}Larrecq, Jean and Seisenberger, Monika and Selivanov, Victor and Weiermann, Andreas},
title = {Well {Q}uasi-{O}rders in {C}omputer {S}cience ({D}agstuhl {S}eminar
16031)},
year = 2016,
month = jan,
volume = {6},
number = {1},
pages = {69-98},
url = {http://dx.doi.org/10.4230/DagRep.6.1.69},
pdf = {http://dx.doi.org/10.4230/DagRep.6.1.69},
doi = {10.4230/DagRep.6.1.69},
abstract = {This report documents the program and the outcomes of Dagstuhl Seminar 16031 {"}Well Quasi{-}Orders in Computer
Science{"}, the first seminar devoted to the multiple and deep interactions between the theory of Well quasi{-}orders
(known as the Wqo{-}Theory) and several fields of Computer Science (Verification and Termination of Infinite-State Systems,
Automata and Formal Languages, Term Rewriting and Proof Theory, topological complexity of computational problems on continuous
functions). Wqo{-}Theory is a highly developed part of Combinatorics with ever-growing number of applications in Mathematics and
Computer Science, and Well quasi-orders are going to become an important unifying concept of Theoretical Computer Science.
In this seminar, we brought together several communities from Computer Science and Mathematics in order to facilitate the
knowledge transfer between Mathematicians and Computer Scientists as well as between established and younger researchers and thus
to push forward the interaction between Wqo{-}Theory and Computer Science.}
}

@inproceedings{GLL-rv16,
volume = 10012,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
acronym = {{RV}'16},
booktitle = {{P}roceedings of the 16th {C}onference on {R}untime {V}erification ({RV}'16)},
author = {Goubault{-}Larrecq, Jean and Lachance, Jean{-}Philippe},
title = {On the {C}omplexity of {M}onitoring {O}rchids {S}ignatures},
year = 2016,
month = sep,
pages = {169-164},
doi = {10.1007/978-3-319-46982-9_11},
abstract = {Modern monitoring tools such as our intrusion detection tool Orchids work by firing new monitor instances dynamically. Given an Orchids signature (a.k.a. a rule, a specification), what is the complexity of checking that specification, that signature? In other words, let $$f(n)$$ be the maximum number of monitor instances that can be fired on a sequence of $$n$$ events: we design an algorithm that decides whether $$f(n)$$ is asymptotically exponential or polynomial, and in the latter case returns an exponent $$d$$ such that $$f(n)=\Theta(n^d)$$. Ultimately, the problem reduces to the following mathematical question, which may have other uses in other domains: given a system of recurrence equations described using the operators $$+$$ and $$\max$$, and defining integer sequences $$u_n$$, what is the asymptotic behavior of $$u_n$$ as $$n$$ tends to infinity? We show that, under simple assumptions, $$u_n$$ is either exponential or polynomial, and that this can be decided, and the exponent computed, using a simple modification of Tarjan's strongly connected components algorithm, in linear time.}
}

@misc{vip-D42,
author = {Delaune, St{\'e}phanie and Gazeau, Ivan},
howpublished = {Deliverable VIP~4.2 (ANR-11-JS02-0006)},
month = jun,
note = {5~pages},
type = {Contract Report},
title = {Combination issues},
year = {2016},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d42.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d42.pdf}
}

@misc{vip-D22,
author = {Delaune, St{\'e}phanie and Gazeau, Ivan},
howpublished = {Deliverable VIP~2.2 (ANR-11-JS02-0006)},
month = jun,
note = {8~pages},
type = {Contract Report},
title = {Results on the case studies},
year = {2016},
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d22.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d22.pdf}
}

@inproceedings{DGGL-csl16,
month = sep,
year = 2016,
volume = {62},
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Regnier, Laurent and Talbot, Jean-Marc},
acronym = {{CSL}'16},
booktitle = {{P}roceedings of the 25th {A}nnual {EACSL} {C}onference on
{C}omputer {S}cience {L}ogic ({CSL}'16)},
author = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and
Goubault{-}Larrecq, Jean},
title = {The Directed Homotopy Hypothesis},
pages = {9:1-9:16},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DBS-csl16.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DBS-csl16.pdf},
doi = {10.4230/LIPIcs.CSL.2016.9},
abstract = {The homotopy hypothesis was originally stated by Grothendieck: topological spaces should be {"}equivalent{"} to (weak) infinite-groupoids, which give algebraic representatives of homotopy types. Much later, several authors developed geometrizations of computational models, e.g., for rewriting, distributed systems, (homotopy) type theory etc. But an essential feature in the work set up in concurrency theory, is that time should be considered irreversible, giving rise to the field of directed algebraic topology. Following the path proposed by Porter, we state here a directed homotopy hypothesis: Grandis' directed topological spaces should be {"}equivalent{"} to a weak form of topologically enriched categories, still very close to (infinite,1)-categories. We develop, as in ordinary algebraic topology, a directed homotopy equivalence and a weak equivalence, and show invariance of a form of directed homology.}
}

@inproceedings{DBS-csl16,
month = sep,
year = 2016,
volume = {62},
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Regnier, Laurent and Talbot, Jean-Marc},
acronym = {{CSL}'16},
booktitle = {{P}roceedings of the 25th {A}nnual {EACSL} {C}onference on
{C}omputer {S}cience {L}ogic ({CSL}'16)},
author = {Doumane, Amina and Baelde, David and Saurin, Alexis},
title = {Infinitary proof theory: the multiplicative additive case},
pages = {42:1-42:17},
doi = {10.4230/LIPIcs.CSL.2016.42},
abstract = {Infinitary and regular proofs are commonly used in fixed point logics. Being natural intermediate devices between semantics and traditional finitary proof systems, they are commonly found in completeness arguments, automated deduction, verification, etc. However, their proof theory is surprisingly underdeveloped. In particular, very little is known about the computational behavior of such proofs through cut elimination. Taking such aspects into account has unlocked rich developments at the intersection of proof theory and programming language theory. One would hope that extending this to infinitary calculi would lead, e.g., to a better understanding of recursion and corecursion in programming languages. Structural proof theory is notably based on two fundamental properties of a proof system: cut elimination and focalization. The first one is only known to hold for restricted (purely additive) infinitary calculi, thanks to the work of Santocanale and Fortier; the second one has never been studied in infinitary systems. In this paper, we consider the infinitary proof system muMALLi for multiplicative and additive linear logic extended with least and greatest fixed points, and prove these two key results. We thus establish muMALLi as a satisfying computational proof system in itself, rather than just an intermediate device in the study of finitary proof systems.}
}

@inproceedings{BLS-hal15,
month = sep,
year = 2016,
volume = {62},
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Regnier, Laurent and Talbot, Jean-Marc},
acronym = {{CSL}'16},
booktitle = {{P}roceedings of the 25th {A}nnual {EACSL} {C}onference on
{C}omputer {S}cience {L}ogic ({CSL}'16)},
author = {Baelde, David and Lunel, Simon and Schmitz, Sylvain},
title = {A~Sequent Calculus for a Modal Logic on Finite Data
Trees},
pages = {32:1-32:16},
url = {https://hal.inria.fr/hal-01191172},
doi = {10.4230/LIPIcs.CSL.2016.32},
abstract = {We investigate the proof theory of a modal fragment of XPath
equipped with data (in)equality tests over finite data
trees, i.e. over finite unranked trees where nodes are
labelled with both a symbol from a finite alphabet and a
single data value from an infinite domain.  We present a
sound and complete sequent calculus for this logic, which
yields the optimal PSPACE complexity bound for its validity
problem.}
}

@inproceedings{DGGL-concur16,
month = aug,
year = 2016,
volume = {59},
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
acronym = {{CONCUR}'16},
booktitle = {{P}roceedings of the 27th
{I}nternational {C}onference on
{C}oncurrency {T}heory
({CONCUR}'16)},
author = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and Goubault{-}Larrecq, Jean},
title = {Bisimulations and unfolding in {{$$\mathcal{P}$$}}-accessible categorical models},
pages = {25:1-25:14},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-concur16.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-concur16.pdf},
doi = {10.4230/LIPIcs.CONCUR.2016.25},
abstract = {We propose a categorical framework for bisimulations and
unfoldings that unifies the classical approach from Joyal
\emph{et~al.} via open maps and unfoldings. This is based on a
notion of categories accessible with respect to a subcategory of
path shapes, i.e., for which one can define a nice notion of trees
as glueings of paths. We show that transition systems and presheaf
models are instances of our framework. We also prove that in our
framework, several notions of bisimulation coincide, in particular
an {"}operational~one{"} akin to the standard definition in
transition systems. Also, our notion of accessibility is preserved
by coreflections. This also leads us to a notion of unfolding that
behaves well in the accessible case: it~is a right adjoint and is a
universal covering, i.e., it is initial among the morphisms that
have the unique lifting property with respect to path shapes. As an
application, we prove that the universal covering of a groupoid, a
standard construction in algebraic topology, is an unfolding, when
the category of path shapes is well chosen.}
}

@article{DGG-acs16,
publisher = {Springer},
journal = {Applied Categorical Structures},
author = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and
Goubault{-}Larrecq, Jean},
title = {Directed homology theories and {E}ilenberg-{S}teenrod
axioms},
year = 2017,
month = oct,
volume = {25},
number = {5},
pages = {775-807},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/DGG-acs16.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DGG-acs16.pdf},
doi = {10.1007/s10485-016-9438-y},
abstract = {In this paper, we define and study a homology theory, that
we call {"}natural homology{"}, which associates a natural system of
abelian groups to every space in a large class of directed spaces
and precubical sets. We show that this homology theory enjoys many
important properties, as an invariant for directed homotopy. Among
its properties, we show that subdivided precubical sets have the
same homology type as the original ones; similarly, the natural
homology of a precubical set is of the same type as the natural
homology of its geometric realization. By same type we mean
equivalent up to some form of bisimulation, that we define using the
notion of open map. Last but not least, natural homology, for the
class of spaces we consider, exhibits very important properties such
as Hurewicz theorems, and most of Eilenberg-Steenrod axioms, in
particular the dimension, homotopy, additivity and exactness axioms.
This last axiom is studied in a general framework of (generalized)
exact sequences.}
}

@inproceedings{GLS-icalp16,
month = jul,
year = 2016,
volume = {55},
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Chatzigiannakis, Ioannis and Mitzenmacher,
Michael and Rabani, Yuval and Sangiorgi, Davide},
acronym = {{ICALP}'16},
booktitle = {{P}roceedings of the 43rd {I}nternational
{C}olloquium on {A}utomata, {L}anguages and
{P}rogramming ({ICALP}'16)},
author = {Goubault{-}Larrecq, Jean and Schmitz, Sylvain},
title = {Deciding Piecewise Testable Separability for Regular
Tree Languages},
pages = {97:1-97:15},
url = {https://hal.inria.fr/hal-01276119/},
optpdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLS-icalp16.pdf},
doi = {10.4230/LIPIcs.ICALP.2016.97},
abstract = {The piecewise testable separability problem asks, given
two input languages, whether there exists a piecewise testable
language that contains the first input language and is disjoint from
the second. We prove a general characterisation of piecewise
testable separability on languages in a well-quasi-order, in terms
of ideals of the ordering. This subsumes the known characterisations
in the case of finite words. In the case of finite ranked trees
ordered by homeomorphic embedding, we show using effective
representations for tree ideals that it entails the decidability of
piecewise testable separability when the input languages are
regular. A~final byproduct is a new proof of the decidability of
whether an input regular language of ranked trees is piecewise
testable, which was first shown in the unranked case by Boja{\'n}czyk,
Segoufin, and Straubing (Log.~Meth. in Comput.~Sci.,~8(3:26),
2012).}
}

@inproceedings{DBHS-lics16,
address = {New York City, USA},
month = jul,
year = 2016,
publisher = {ACM Press},
editor = {Grohe, Martin and Koskinen, Eric and Shankar, Natarajan},
acronym = {{LICS}'16},
booktitle = {{P}roceedings of the 31st {A}nnual {ACM\slash
IEEE} {S}ymposium on {L}ogic {I}n {C}omputer {S}cience ({LICS}'16)},
author = {Doumane, Amina and Baelde, David and Hirschi, Lucca and
Saurin, Alexis},
title = {Towards Completeness via Proof Search in the Linear
Time {{$$\mu$$}}-calculus},
pages = {377-386},
url = {https://hal.archives-ouvertes.fr/hal-01275289/},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DBHS-lics16.pdf},
doi = {10.1145/2933575.2933598},
abstract = {Modal $$\mu$$-calculus is one of the central
languages of logic and verification, whose study
involves notoriously complex objects: automata over
infinite structures on the model-theoretical side;
infinite proofs and proofs by (co)induction on the
proof-theoretical side.  Nevertheless,
axiomatizations have been given for both linear and
branching time $$\mu$$-calculi, with quite involved
completeness arguments.  We come back to this
central problem, considering it from a proof search
viewpoint, and provide some new completeness
arguments in the linear time $$\mu$$-calculus.  Our
results only deal with restricted classes of
formulas that closely correspond to
(non-alternating) $$\omega$$-automata but, compared
to earlier proofs, our completeness arguments are
direct and constructive.  We first consider a
natural circular proof system based on sequent
calculus, and show that it is complete for
inclusions of parity automata directly expressed as
formulas, making use of Safra's construction
directly in proof search.  We then consider the
corresponding finitary proof system, featuring
(co)induction rules, and provide a partial
translation result from circular to finitary
proofs. This yields completeness of the finitary
proof system for inclusions of sufficiently
deterministic parity automata, and finally for
arbitrary B{\"u}chi automata.}
}

@inproceedings{HBD-sp16,
address = {San Jose, California, USA},
month = may,
year = 2016,
publisher = {IEEECSP},
editor = {Locasto, Michael and Shmatikov, Vitaly and Erlingsson, {\'U}lfar},
acronym = {{S\&P}'16},
booktitle = {{P}roceedings of the 37th {IEEE} {S}ymposium
on {S}ecurity and {P}rivacy ({S\&P}'16)},
author = {Hirschi, Lucca and Baelde, David and Delaune, St{\'e}phanie},
title = {A~method for verifying privacy-type properties:
the~unbounded case},
pages = {564-581},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/HBD-sp16.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/HBD-sp16.pdf},
doi = {10.1109/SP.2016.40},
abstract = {In~this paper, we~consider the problem of verifying
anonymity and unlinkability in the symbolic model, where protocols
are represented as processes in a variant of the applied pi calculus
notably used in the Proverif tool. Existing tools and techniques do
not allow one to verify directly these properties, expressed as
behavioral equivalences. We propose a different approach: we design
two conditions on protocols which are sufficient to ensure anonymity
and unlinkability, and which can then be effectively checked
automatically using Proverif. Our two conditions correspond to two
control-flow leaks.\par
This theoretical result is general enough to apply to a wide class
of protocols. In particular, we apply our techniques to provide the
first formal security proof of the BAC protocol (e-passport). Our
work has also led to the discovery of new attacks, including one on
the LAK protocol (RFID authentication) which was previously claimed
to be unlinkable (in~a weak sense) and one on the PACE protocol
(e-passport).}
}

@comment{{B-arxiv16,
author =		Bollig, Benedikt,
affiliation = 	aff-LSVmexico,
title =    		One-Counter Automata with Counter Visibility,
institution = 	Computing Research Repository,
number =    		1602.05940,
month = 		feb,
nmonth =     		2,
year = 		2016,
type = 		RR,
axeLSV = 		mexico,
NOcontrat = 		"",

url =			http://arxiv.org/abs/1602.05940,
PDF =			"http://www.lsv.fr/Publis/PAPERS/PDF/B-arxiv16.pdf",
lsvdate-new =  	20160222,
lsvdate-upd =  	20160222,
lsvdate-pub =  	20160222,
lsv-category = 	"rapl",
wwwpublic =    	"public and ccsb",
note = 		18~pages,

abstract = "In a one-counter automaton (OCA), one can read a letter
from some finite alphabet, increment and decrement the counter by
one, or test it for zero. It is well-known that universality and
language inclusion for OCAs are undecidable. We consider here OCAs
with counter visibility: Whenever the automaton produces a letter,
it outputs the current counter value along with~it. Hence, its
language is now a set of words over an infinite alphabet. We show
that universality and inclusion for that model are in PSPACE, thus
no harder than the corresponding problems for finite automata, which
can actually be considered as a special case. In fact, we show that
OCAs with counter visibility are effectively determinizable and
closed under all boolean operations. As~a~strict generalization, we
subsequently extend our model by registers. The general nonemptiness
problem being undecidable, we impose a bound on the number of
register comparisons and show that the corresponding nonemptiness
problem is NP-complete.",
}}

@misc{vip-D32,
author = {Baelde, David and Delaune, St{\'e}phanie and Kremer, Steve},
title = {Decision procedures for equivalence based properties (part~{II})},
howpublished = {Deliverable VIP~3.2 (ANR-11-JS02-0006)},
month = sep,
year = {2015},
note = {9~pages},
type = {Contract Report},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d32.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d32.pdf}
}

@misc{vip-D41,
author = {Delaune, St{\'e}phanie and Kremer, Steve},
title = {Composition results for equivalence-based security properties},
howpublished = {Deliverable VIP~3.1 (ANR-11-JS02-0006)},
month = sep,
year = {2015},
note = {6~pages},
type = {Contract Report},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d41.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d41.pdf}
}

@phdthesis{rc-phd2016,
author = {Chr{\'e}tien, R{\'e}my},
title = {Analyse automatique de propri{\'e}t{\'e}s d'{\'e}quivalence pour
les protocoles cryptographiques},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\e}se de doctorat},
year = 2016,
month = jan,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/rc-phd16.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/rc-phd16.pdf}
}

@inproceedings{CDD-post16,
month = apr,
year = 2016,
volume = {9635},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Piessens, Frank and Vigan{\'o}, Luca},
acronym = {{POST}'16},
booktitle = {{P}roceedings of the 5th {I}nternational {C}onference on
{P}rinciples of {S}ecurity and {T}rust
({POST}'16)},
author = {Cortier, V{\'e}ronique and Dallon, Antoine and
Delaune, St{\'e}phanie},
title = {Bounding the number of agents, for equivalence~too},
pages = {211-232},
url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post16.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post16.pdf},
doi = {10.1007/978-3-662-49635-0_11},
abstract = {Bounding the number of agents is a current practice when
modeling a protocol. In~2003, it has been shown that one honest agent and
one dishonest agent are indeed sufficient to find all possible attacks,
for secrecy properties. This is no longer the case for equivalence
properties, crucial to express many properties such as vote privacy or
untraceability.\par
In this paper, we show that it is sufficient to consider two honest agents
and two dishonest agents for equivalence properties, for deterministic
processes with standard primitives and without else branches. More
generally, we show how to bound the number of agents for arbitrary
constructor theories and for protocols with simple else branches. We show
that our hypotheses are tight, providing counter-examples for non
action-deterministic processes, non-constructor theories, or protocols with
complex else branches.}
}

@article{JGL-mscs16,
publisher = {Cambridge University Press},
journal = {Mathematical Structures in Computer Science},
author = {Goubault{-}Larrecq, Jean},
title = {Isomorphism theorems between models of mixed choice},
volume = {27},
number = {6},
pages = {1032-1067},
month = sep,
year = 2017,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mscs16.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mscs16.pdf},
doi = {10.1017/S0960129515000547},
abstract = {We relate the so-called powercone models of mixed
non-deterministic and probabilistic choice proposed by Tix, Keimel,
Plotkin, Mislove, Ouaknine, Worrell, Morgan, and McIver, to our own models
of previsions. Under suitable topological assumptions, we show that they
are isomorphic. We rely on Keimel's cone-theoretic variants of the
classical Hahn-Banach separation theorems, using functional analytic
methods, and on the Schr{\"o}der-Simpson Theorem.}
}

@inproceedings{D-lics17,
month = jun,
publisher = {{IEEE} Press},
editor = {Ouaknine, Jo{\"e}l},
acronym = {{LICS}'17},
booktitle = {{P}roceedings of the 32nd {A}nnual {ACM\slash
IEEE} {S}ymposium on {L}ogic {I}n {C}omputer {S}cience ({LICS}'17)},
author = {Doumane, Amina},
title = {Constructive completeness for the linear-time {$$\mu$$}-calculus},
pages = {1-12},
year = {2017},
doi = {10.1109/LICS.2017.8005075},
abstract = {Modal $$\mu$$-calculus is one of the central logics for verification. In his seminal paper, Kozen proposed an axiomatization for this logic, which was proved to be complete, 13 years later, by Kaivola for the linear-time case and by Walukiewicz for the branching-time one. These proofs are based on complex, non-constructive arguments, yielding no reasonable algorithm to construct proofs for valid formulas. The problematic of constructiveness becomes central when we consider proofs as certificates, supporting the answers of verification tools. In our paper, we provide a new completeness argument for the linear-time $$\mu$$-calculus which is constructive, i.e. it builds a proof for every valid formula. To achieve this, we decompose this difficult problem into several easier ones, taking advantage of the correspondence between the $$\mu$$-calculus and automata theory. More precisely, we lift the well-known automata transformations (non-determinization for instance) to the logical level. To solve each of these smaller problems, we perform first a proof-search in a circular proof system, then we transform the obtained circular proofs into proofs of Kozen's axiomatization.}
}

@article{JGL-minimax17,
publisher = {Heldermann Verlag},
journal = {Minimax Theory and its Applications},
author = {Goubault{-}Larrecq, Jean},
title = {A Non-{H}ausdorff Minimax Theorem},
volume = {3},
number = {1},
year = {2017},
pages = {73-80}
}

@techreport{CDD-hal17,
author = {Cortier, V{\'e}ronique and Dallon, Antoine and Delaune, St{\'e}phanie},
institution = {HAL},
month = oct,
number = {hal-01615265},
type = {Research Report},
title = {A typing result for trace inclusion (for pair and symmetric encryption only)},
year = {2017},
url = {https://hal.archives-ouvertes.fr/hal-01615265},
pdf = {https://hal.archives-ouvertes.fr/hal-01615265/document},
abstract = {Privacy-type properties such as vote secrecy, anonymity, or untraceability are typically expressed using the notion of trace equivalence in a process algebra that models security protocols. In this paper, we propose some results to reduce the search space when we are looking for an attack regarding trace equivalence. Our work is strongly inspired by [10], which establishes that, if there is a witness of trace non-equivalence, then there is one that is well-typed.\par
Our main contribution is to establish a similar result for trace inclusion. Our motivation is twofold: first, this small attack property is needed for proving soundness of the tool SatEquiv [13]. Second, we revisit the proof in order to simplify it. Specifically, we show two results. First, if there is a witness of non-inclusion then there is one that is well-typed. We establish this result by providing a decision procedure for trace inclusion similar to the one proposed in [10] for trace equivalence. We also show that we can reduce the search space when considering the notion of static inclusion. Actually, if there is a witness of static non-inclusion there is one of a specific shape.\par
Even if our setting slightly differs from the one considered in [10], our proofs essentially follow the same ideas as the existing proof for trace equivalence. Nevertheless, we hope that this proof will be easier to extend to other primitives such as asymmetric encryption or signatures.}
}

@article{GLL-fmsd17,
publisher = {Springer},
journal = {Formal Methods in System Design},
author = {Goubault{-}Larrecq, Jean and Lachance, Jean-Philippe},
title = {On the Complexity of Monitoring {O}rchids Signatures, and Recurrence Equations},
volume = {53},
number = {1},
year = {2018},
month = aug,
pages = {6-32},
doi = {10.1007/s10703-017-0303-x},
url = {https://doi.org/10.1007/s10703-017-0303-x},
abstract = {Modern monitoring tools such as our intrusion detection tool Orchids work by firing new monitor instances dynamically. Given an Orchids signature (a.k.a. a rule, a specification), what is the complexity of checking that specification, that signature? In other words, let $$f(n)$$ be the maximum number of monitor instances that can be fired on a sequence of $$n$$ events: we design an algorithm that decides whether $$f(n)$$ is asymptotically exponential or polynomial, and in the latter case returns an exponent $$d$$ such that $$f(n)=\Theta(n^d)$$. Ultimately, the problem reduces to the following mathematical question, which may have other uses in other domains: given a system of recurrence equations described using the operators $$+$$ and $$\max$$, and defining integer sequences $$u_n$$, what is the asymptotic behavior of $$u_n$$ as $$n$$ tends to infinity? We show that, under simple assumptions, $$u_n$$ is either exponential or polynomial, and that this can be decided, and the exponent computed, using a simple modification of Tarjan's strongly connected components algorithm, in linear time.},
note = {Special issue of RV'16}
}

@article{GLN-lmcs17,
journal = {Logical Methods in Computer Science},
author = {Goubault{-}Larrecq, Jean and Ng, Kok Min},
title = {A Few Notes on Formal Balls},
volume = {13},
number = {4},
year = {2017},
month = nov,
pages = {1-34},
doi = {10.23638/LMCS-13(4:18)2017},
url = {https://lmcs.episciences.org/4100},
pdf = {https://lmcs.episciences.org/4100/pdf},
note = {Special Issue of the Domains XII Workshop}
}

@article{BCMW-fi17,
publisher = {{IOS} Press},
journal = {Fundamenta Informaticae},
author = {David Baelde and Arnaud Carayol and Ralph Matthes and Igor Walukiewicz},
title = {Preface: Special Issue of {Fixed Points in Computer Science} ({FICS}'13)},
volume = {150},
number = {3-4},
pages = {i-ii},
year = {2017},
url = {https://doi.org/10.3233/FI-2017-1468},
doi = {10.3233/FI-2017-1468}
}

@inproceedings{BDGK-csf17,
address = {Santa Barbara, California, USA},
month = aug,
publisher = {{IEEE} Computer Society Press},
editor = {K{\"o}pf, Boris and Chong, Steve},
acronym = {{CSF}'17},
booktitle = {{P}roceedings of the
30th {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'17)},
author = {Baelde, David and Delaune, St{\'e}phanie and Gazeau, Ivan and Kremer, Steve},
title = {Symbolic Verification of Privacy-Type Properties for Security Protocols with {XOR}},
pages = {234-248},
year = {2017},
doi = {10.1109/CSF.2017.22},
pdf = {https://hal.inria.fr/hal-01533694/document},
url = {https://hal.inria.fr/hal-01533694},
abstract = {In symbolic verification of security protocols, process equivalences have recently been used extensively to model strong secrecy, anonymity and unlinkability properties. However, tool support for automated analysis of equivalence properties is limited compared to trace properties, e.g., modeling authentication and weak notions of secrecy. In this paper, we present a novel procedure for verifying equivalences on finite processes, i.e., without replication, for protocols that rely on various cryptographic primitives including exclusive or (xor). We have implemented our procedure in the tool AKISS, and successfully used it on several case studies that are outside the scope of existing tools, e.g., unlinkability on various RFID protocols, and resistance against guessing attacks on protocols that use xor.}
}

@inproceedings{CDD-csf17,
address = {Santa Barbara, California, USA},
month = aug,
publisher = {{IEEE} Computer Society Press},
editor = {K{\"o}pf, Boris and Chong, Steve},
acronym = {{CSF}'17},
booktitle = {{P}roceedings of the
30th {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'17)},
author = {Cortier, V{\'e}ronique and Dallon, Antoine and Delaune, St{\'e}phanie},
title = {{SAT-Equiv}: An Efficient Tool for Equivalence Properties},
pages = {481-494},
year = {2017},
doi = {10.1109/CSF.2017.15},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-csf17.pdf},
url = {http://ieeexplore.ieee.org/document/8049740/},
abstract = {Automatic tools based on symbolic models have been successful in analyzing security protocols. Such tools are particularly adapted for trace properties (e.g. secrecy or authentication), while they often fail to analyse equivalence properties. Equivalence properties can express a variety of security properties, including in particular privacy properties (vote privacy, anonymity, untraceability). Several decision procedures have already been proposed but the resulting tools are rather inefficient. In this paper, we propose a novel algorithm, based on graph planning and SAT-solving, which significantly improves the efficiency of the analysis of equivalence properties. The resulting implementation, SAT-Equiv, can analyze several sessions where most tools have to stop after one or two sessions.}
}

@mastersthesis{m2-hirschi,
author = {Hirschi, Lucca},
title = {Reduction of interleavings for trace equivalence checking of security protocols},
school = {{M}aster {P}arisien de {R}echerche en
{I}nformatique, Paris, France},
type = {Rapport de {M}aster},
year = {2013},
month = aug
}

@phdthesis{doumane-phd2017,
author = {Doumane, Amina},
title = {On the infinitary proof theory of logics with fixed points},
school = {Universit{\'e} Paris-Diderot, Paris, France},
type = {Th{\`e}se de doctorat},
year = 2017,
month = jun,
url = {https://www.irif.fr/~doumane/these.pdf},
pdf = {https://www.irif.fr/~doumane/these.pdf}
}

@inproceedings{BFG-fsttcs17,
month = dec,
year = 2017,
volume = {93},
series = {Leibniz International Proceedings in Informatics},
publisher = {Leibniz-Zentrum f{\"u}r Informatik},
editor = {Satya Lokam and R. Ramanujam},
acronym = {{FSTTCS}'17},
booktitle = {{P}roceedings of the 37th {C}onference on
{F}oundations of {S}oftware {T}echnology and
{T}heoretical {C}omputer {S}cience
({FSTTCS}'17)},
author = {Michael Blondin and Alain Finkel and Jean Goubault{-}Larrecq},
title = {Forward Analysis for {WSTS}, {Part III}: {Karp-Miller} Trees},
pages = {16:1-16:15},
url = {https://hal.archives-ouvertes.fr/hal-01736704/},
pdf = {http://drops.dagstuhl.de/opus/volltexte/2018/8403/pdf/LIPIcs-FSTTCS-2017-16.pdf},
doi = {10.4230/LIPIcs.FSTTCS.2017.16},
abstract = {This paper is a sequel of ``Forward Analysis for WSTS, Part I: Completions'' [STACS 2009, LZI Intl. Proc. in Informatics 3, 433-444] and ``Forward Analysis for WSTS, Part II: Complete WSTS'' [Logical Methods in Computer Science 8(3), 2012]. In these two papers, we provided a framework to conduct forward reachability analyses of WSTS, using finite representations of downwards-closed sets. We further develop this framework to obtain a generic Karp-Miller algorithm for the new class of very-WSTS. This allows us to show that coverability sets of very-WSTS can be computed as their finite ideal decompositions. Under natural assumptions on positive sequences, we also show that LTL model checking for very-WSTS is decidable. The termination of our procedure rests on a new notion of acceleration levels, which we study. We characterize those domains that allow for only finitely many accelerations, based on ordinal ranks.}
}

@phdthesis{dubut-phd2017,
author = {Dubut, J{\'e}r{\'e}my},
title = {Directed homotopic and homologic theories for geometric models of true concurrency},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\`e}se de doctorat},
year = 2017,
month = sep,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/dubut-phd17.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/dubut-phd17.pdf}
}

@article{BDH-lmcs17,
journal = {Logical Methods in Computer Science},
author = {Baelde, David and Delaune, St{\'e}phanie and Hirschi, Lucca},
title = {{A Reduced Semantics for Deciding Trace Equivalence}},
volume = {13},
number = {2:8},
year = {2017},
pages = {1-48},
doi = {10.23638/LMCS-13(2:8)2017},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-lmcs17.pdf},
url = {https://lmcs.episciences.org/3703},
abstract = {Many privacy-type properties of security protocols can be modelled using trace equivalence properties in suitable process algebras. It has been shown that such properties can be decided for interesting classes of finite processes (i.e. without replication) by means of symbolic execution and constraint solving. However, this does not suffice to obtain practical tools. Current prototypes suffer from a classical combinatorial explosion problem caused by the exploration of many interleavings in the behaviour of processes. M{\"o}dersheim et al. [40] have tackled this problem for reachability properties using partial order reduction techniques. We revisit their work, generalize it and adapt it for equivalence checking. We obtain an optimisation in the form of a reduced symbolic semantics that eliminates redundant interleavings on the fly. The obtained partial order reduction technique has been integrated in a tool called Apte. We conducted complete benchmarks showing dramatic improvements.}
}

@phdthesis{hirschi-phd2017,
author = {Hirschi, Lucca},
title = {{Automated Verification of Privacy in Security Protocols: Back and Forth Between Theory \& Practice}},
school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
ENS Cachan, France},
type = {Th{\`e}se de doctorat},
year = 2017,
month = apr,
url = {http://www.lsv.fr/Publis/PAPERS/PDF/hirschi-phd17.pdf},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/hirschi-phd17.pdf}
}

@inproceedings{CK-csf17,
address = {Santa Barbara, California, USA},
month = aug,
publisher = {{IEEE} Computer Society Press},
editor = {K{\"o}pf, Boris and Chong, Steve},
acronym = {{CSF}'17},
booktitle = {{P}roceedings of the
30th {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'17)},
author = {Comon, Hubert and Koutsos, Adrien},
title = {Formal Computational Unlinkability Proofs of RFID Protocols},
pages = {100-114},
year = {2017},
doi = {10.1109/CSF.2017.9},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CK-csf17.pdf},
url = {http://ieeexplore.ieee.org/document/8049714/},
abstract = {We set up a framework for the formal proofs of
RFID protocols in the computational model. We rely on the
so-called computationally complete symbolic attacker model. Our
contributions are:
1) To design (and prove sound) axioms reflecting the properties
of hash functions (Collision-Resistance, PRF).
2) To formalize computational unlinkability in the model.
3) To illustrate the method, providing the first formal proofs
of unlinkability of RFID protocols, in the computational
model.}
}

@inproceedings{CGKM-csf17,
address = {Santa Barbara, California, USA},
month = aug,
publisher = {{IEEE} Computer Society Press},
editor = {K{\"o}pf, Boris and Chong, Steve},
acronym = {{CSF}'17},
booktitle = {{P}roceedings of the
30th {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'17)},
author = {Calzavara, Stefano and Grishchenko, Ilya and Koutsos, Adrien and Maffei, Matteo},
title = {A Sound Flow-Sensitive Heap Abstraction for the Static Analysis of Android Applications},
pages = {22-36},
year = {2017},
doi = {10.1109/CSF.2017.19},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CGKM-csf17.pdf},
url = {http://ieeexplore.ieee.org/document/8049649/},
abstract = {The present paper proposes the first static analysis
for Android applications which is both flow-sensitive on the heap
abstraction and provably sound with respect to a rich formal
model of the Android platform. We formulate the analysis as a
set of Horn clauses defining a sound over-approximation of the
semantics of the Android application to analyse, borrowing ideas
from recency abstraction and extending them to our concurrent
setting. Moreover, we implement the analysis in HornDroid, a
state-of-the-art information flow analyser for Android applications.
Our extension allows HornDroid to perform strong updates
on heap-allocated data structures, thus significantly increasing its
precision, without sacrificing its soundness guarantees. We test
our implementation on DroidBench, a popular benchmark of
Android applications developed by the research community, and
we show that our changes to HornDroid lead to an improvement
in the precision of the tool, while having only a moderate cost in
terms of efficiency. Finally, we assess the scalability of our tool
to the analysis of real applications.}
}

@article{KV-jcss17,
publisher = {Elsevier Science Publishers},
journal = {Journal of Computer and System Sciences},
author = {Koutsos, Adrien and Vianu, Victor},
title = {{Process-centric views of data-driven business artifacts}},
volume = {86},
number = {1},
year = {2017},
pages = {82-107},
doi = {10.1016/j.jcss.2016.11.012},
month = jun,
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KV-jcss17.pdf},
url = {http://dx.doi.org/10.1016/j.jcss.2016.11.012},
abstract = {Declarative, data-aware workflow models are becoming increasingly pervasive. While these have numerous benefits, classical process-centric specifications retain certain advantages. Workflow designers are used to development tools such as BPMN or UML diagrams, that focus on control flow. Views describing valid sequences of tasks are also useful to provide stakeholders with high-level descriptions of the workflow, stripped of the accompanying data. In this paper we study the problem of recovering process-centric views from declarative, data-aware workflow specifications in a variant of IBM's business artifact model. We focus on the simplest process-centric views, specified by finite-state transition systems, describing regular languages. The results characterize when process-centric views of artifact systems are regular, using both linear and branching-time semantics. We also study the impact of data dependencies on regularity of the views. As a side effect, we obtain several new results on verification of business artifacts, including a decidability result for branching-time properties.}
}

@inproceedings{OBH-most17,
address = {San Jose, CA, USA},
month = may,
editor = {Chen, Hao and Koved, Larry},
booktitle = {{P}roceedings of Mobile Security Technologies (MoST'17), held as part of the {IEEE} Computer Society Security and Privacy Workshops},
author = {{O'Hanlon}, Piers and Borgaonkar, Ravishankar and Hirschi, Lucca},
title = {Mobile subscriber WiFi privacy},
todopages = {252-261},
year = {2017},
tododoi = {},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/OBH-most17.pdf},
abstract = {This paper investigates and analyses the insufficient protections afforded to mobile identities when using today's operator backed WiFi services. Specifically we detail a range of attacks, on a set of widely deployed authentication protocols, that enable a malicious user to obtain and track a user's International Mobile Subscriber Identity (IMSI) over WiFi. These attacks are possible due to a lack of sufficient privacy protection measures, which are exacerbated by preconfigured device profiles. We provide a formal analysis of the protocols involved, examine their associated configuration profiles, and document our experiences with reporting the issues to the relevant stakeholders. We detail a range of potential countermeasures to tackle these issues to ensure that privacy is better protected in the future.}
}

@misc{JGL:pls16,
author = {Goubault{-}Larrecq, Jean},
howpublished = {Encart dans l'article ``S'adapter {\`a} la cyberguerre'', de Karen Elazari, Pour La Science 459},
month = jan,
title = {Les m{\'e}thodes formelles: l'autre arme de la cybers{\'e}curit{\'e}},
year = {2016},
pages = {50-55}
}

@misc{JGL:stc16,
author = {Goubault{-}Larrecq, Jean},
howpublished = {Invited talk (plenary speaker), Summer Topology Conference, Leicester, UK},
month = aug,
title = {A few things on Noetherian spaces},
year = {2016}
}

@misc{JGL:gs16,
author = {Goubault{-}Larrecq, Jean},
howpublished = {Invited talk, Galway Symposium, Leicester, UK},
month = aug,
title = {An introduction to asymmetric topology and domain theory: why, what, and how},
year = {2016}
}

@misc{JGL:dom15,
author = {Goubault{-}Larrecq, Jean},
howpublished = {Invited talk, Domains XII workshop, Cork, Ireland},
month = aug,
title = {Formal balls},
year = {2015}
}

@misc{JGL:lls14,
author = {Goubault{-}Larrecq, Jean},
howpublished = {Matinale de l'innovation Logiciels Libres et S{\'e}curit{\'e}, Paris, France},
month = dec,
title = {D{\'e}tection d'intrusions avec {OrchIDS}},
year = {2014}
}

@misc{JGL:ccc14,
author = {Goubault{-}Larrecq, Jean},
howpublished = {Invited talk, Continuity, Computability, Constructivity workshop (CCC), Ljubljana, Slovenia},
month = sep,
title = {Noetherian spaces},
year = {2014}
}

@misc{JGL:cps14,
author = {Goubault{-}Larrecq, Jean},
howpublished = {CPS Summer School, Grenoble, France},
month = jul,
title = {{OrchIDS}: on the value of rigor in intrusion detection},
year = {2014}
}

@misc{JGL:stc13,
author = {Goubault{-}Larrecq, Jean},
howpublished = {Invited talk (semi-plenary speaker), Summer Topology Conference, North Bay, Ontario, CA},
month = jul,
title = {A few pearls in the theory of quasi-metric spaces},
year = {2013}
}

@misc{JGL:dga13,
author = {Goubault{-}Larrecq, Jean},
howpublished = {S{\'e}minaire DGA Innosciences. DGA, Bagneux},
month = jun,
title = {{OrchIDS}, ou : de l'importance de la s{\'e}mantique},
year = {2013}
}

@misc{JGL:at13,
author = {Goubault{-}Larrecq, Jean},
howpublished = {Invited talk, Workshop on Asymmetric Topology, Summer Topology Conference, North Bay, Ontario, CA},
month = jul,
title = {A short proof of the {Schr{\"o}der-Simpson} theorem},
year = {2013}
}

@misc{JGL:dm16,
author = {Goubault{-}Larrecq, Jean},
howpublished = {Invited talk, Dale Miller Festschrift, Paris Diderot University, Paris},
month = dec,
title = {A semantics for {{$$\nabla$$}}},
year = {2016}
}

@misc{GSHM:dga-inria16,
author = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Hulin-Hubard, Francis and Majorczyk, Fr{\'e}d{\'e}ric},
howpublished = {Rapport final et fourniture 4 du contrat DGA-INRIA Orchids},
month = may,
title = {Etat final des travaux engag{\'e}s sur {Orchids}},
year = {2016}
}

@misc{GM:dga-inria16,
author = {Goubault-Larrecq, Jean and Majorczyk, Fr{\'e}d{\'e}ric},
howpublished = {Fourniture 3 du contrat DGA-INRIA Orchids},
month = may,
title = {G{\'e}n{\'e}ration de signatures pour le suivi de flux d'informations},
year = {2016}
}

@misc{GSM:dga-inria15,
author = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Majorczyk, Fr{\'e}d{\'e}ric},
howpublished = {Rapport interm{\'e}diaire du contrat DGA-INRIA Orchids},
month = may,
title = {Etat d'avancement interm{\'e}diaire des travaux engag{\'e}s sur {OrchIDS}},
year = {2015}
}

@misc{GSM:dga-inria-2-14,
author = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Majorczyk, Fr{\'e}d{\'e}ric},
howpublished = {Fourniture 2 du contrat DGA-INRIA Orchids},
month = may,
title = {Techniques et m{\'e}thodes de g{\'e}n{\'e}ration de signatures pour la d{\'e}tection d'intrusions},
year = {2014}
}

@misc{GSM:dga-inria-1-14,
author = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Majorczyk, Fr{\'e}d{\'e}ric},
howpublished = {Fourniture 1 du contrat DGA-INRIA Orchids},
month = may,
title = {Politiques de s{\'e}curit{\'e} syst{\`e}me},
year = {2014}
}

@misc{AG:anr-cpp12,
author = {Adj{\'e}, Assal{\'e} and Goubault-Larrecq, Jean},
howpublished = {Fourniture du projet ANR CPP (Confidence, Proofs, and Probabilities), WP 2, version 1},
month = oct,
title = {Concrete semantics of programs with non-deterministic and random inputs},
year = {2012},
url = {http://arxiv.org/abs/1210.2605}
}

@misc{GL:ARC-ProNoBis-16,
author = {Goubault-Larrecq, Jean},
howpublished = {Rapport final ARC ProNoBis},
month = oct,
title = {{Pronobis: Probability and nondeterminism,
bisimulations and security}},
year = {2007}
}

@phdthesis{dallon-phd2018,
author = {Dallon, Antoine},
title = {{Verification of indistinguishability properties in cryptographic protocols} -- {Small attacks and efficient decision with SAT-Equiv}},
school = {{\'E}cole Normale Sup{\'e}rieure Paris-Saclay, France},
type = {Th{\`e}se de doctorat},
year = 2018,
month = nov,
url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/dallon-phd18.pdf},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/dallon-phd18.pdf}
}

@inproceedings{BDH-esorics18,
month = sep,
year = 2018,
volume = {11098},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Javier L{\'{o}}pez and
Jianying Zhou and
Miguel Soriano},
acronym = {{ESORICS}'18},
booktitle = {{P}roceedings of the 23rd {E}uropean {S}ymposium on
{R}esearch in {C}omputer {S}ecurity ({ESORICS}'18)},
author = {David Baelde and St{\'e}phanie Delaune and Lucca Hirschi},
title = {{POR} for Security Protocol Equivalences - Beyond Action-Determinism},
pages = {385-405},
url = {https://arxiv.org/abs/1804.03650},
doi = {10.1007/978-3-319-99073-6\_19},
abstract = {Formal methods have proved effective to automatically analyse protocols. Recently, much research has focused on verifying trace equivalence on protocols, which is notably used to model interesting privacy properties such as anonymity or unlinkability. Several tools for checking trace equivalence rely on a naive and expensive exploration of all interleavings of concurrent actions, which calls for partial-order reduction (POR) techniques. In this paper, we present the first POR technique for protocol equivalences that does not rely on an action-determinism assumption: we recast trace equivalence as a reachability problem, to which persistent and sleep set techniques can be applied, and we show how to effectively apply these results in the context of symbolic execution. We report on a prototype implementation, improving the tool DeepSec.}
}

@inproceedings{CDD-esorics18,
month = sep,
year = 2018,
volume = {11098},
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {Javier L{\'{o}}pez and
Jianying Zhou and
Miguel Soriano},
acronym = {{ESORICS}'18},
booktitle = {{P}roceedings of the 23rd {E}uropean {S}ymposium on
{R}esearch in {C}omputer {S}ecurity ({ESORICS}'18)},
author = {V{\'e}ronique Cortier and Antoine Dallon and St{\'e}phanie Delaune},
title = {Efficiently Deciding Equivalence for Standard Primitives and Phases},
pages = {491-511},
url = {https://hal.archives-ouvertes.fr/hal-01819366},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-esorics18.pdf},
doi = {10.1007/978-3-319-99073-6\_24},
abstract = {Privacy properties like anonymity or untraceability are now
well identified, desirable goals of many security protocols. Such properties
are typically stated as equivalence properties. However, automatically
checking equivalence of protocols often yields efficiency issues.\par
We propose an efficient algorithm, based on graph planning and SAT-solving.
It can decide equivalence for a bounded number of sessions, for
protocols with standard cryptographic primitives and phases (often necessary
to specify privacy properties), provided protocols are well-typed,
that is, encrypted messages cannot be confused. The resulting implementation,
SAT-Equiv, demonstrates a significant speed-up w.r.t. other
existing tools that decide equivalence, covering typically more than 100
sessions. Combined with a previous result, SAT-Equiv can now be used to
prove security, for some protocols, for an unbounded number of sessions.}
}

@inproceedings{JK-ccs18,
month = oct,
publisher = {ACM Press},
editor = {Backes, Michael and Wang, XiaoFeng},
acronym = {{CCS}'18},
booktitle = {{P}roceedings of the 25th {ACM} {C}onference
on {C}omputer and {C}ommunications {S}ecurity
({CCS}'18)},
author = {Barthe, Gilles and Fan, Xiong and Gancher, Joshua and Gr{\'e}goire, Benjamin and Jacomme, Charlie and Shi, Elaine},
title = {Symbolic Proofs for Lattice-Based Cryptography},
pages = {538-555},
year = {2018},
pdf = {https://eprint.iacr.org/2018/765.pdf},
url = {https://dl.acm.org/citation.cfm?doid=3243734.3243825}
}

@inproceedings{BLS-pods19,
month = jun # {-} # jul,
publisher = {ACM Press},
editor = {Christoph Koch},
acronym = {{PODS}'19},
booktitle = {{P}roceedings of the 38th {A}nnual
{ACM} {SIGACT}-{SIGMOD}-{SIGART} {S}ymposium
on {P}rinciples of {D}atabase {S}ystems
({PODS}'19)},
author = {Baelde, David and Lick, Anthony and Schmitz, Sylvain},
title = {Decidable {XP}ath Fragments in the Real World},
pages = {285-302},
year = 2019,
doi = {10.1145/3294052.3319685},
url = {https://hal.inria.fr/hal-01852475},
abstract = {XPath is arguably the most popular query language for selecting elements in XML documents.  Besides query evaluation, query satisfiability and containment are the main computational problems for XPath; they are useful, for instance, to detect dead code or validate query optimisations.  These problems are undecidable in general, but several fragments have been identified over time for which satisfiability (or query containment) is decidable: CoreXPath 1.0 and 2.0 without so-called data joins, fragments with data joins but limited navigation, etc.  However, these fragments are often given in a simplified syntax, and sometimes wrt. a simplified XPath semantics.  Moreover, they have been studied mostly with theoretical motivations, with little consideration for the practically relevant features of XPath.  To investigate the practical impact of these theoretical fragments, we design a benchmark compiling thousands of real-world XPath queries extracted from open-source projects.  These queries are then matched against syntactic fragments from the literature.  We investigate how to extend these fragments with seldom-considered features such as free variables, data tests, data joins, and the last() and id() functions, for which we provide both undecidability and decidability results.  We analyse the coverage of the original and extended fragments, and further provide a glimpse at which other practically-motivated features might be worth investigating in the future.}
}

@inproceedings{BLS-aiml18,
month = aug,
year = 2018,
publisher = {College Publications},
editor = {Guram Bezhanishvili and Giovanna D'Agostino and
George Metcalfe and Thomas Studer},
acronym = {{AiML}'18},
booktitle = {{P}roceedings of the 10th
{C}onference on {A}dvances in {M}odal {L}ogics
({AiML}'18)},
author = {Baelde, David and Lick, Anthony and Schmitz, Sylvain},
title = {A Hypersequent Calculus with Clusters for Linear Frames},
pages = {36-55},
url = {https://hal.inria.fr/hal-01756126},
abstract = {The logic Kt4.3 is the basic modal logic of linear frames. Along with its extensions, it is found at the core of linear-time temporal logics and logics on words.  In this paper, we consider the problem of designing proof systems for these logics, in such a way that proof search yields decision procedures for validity with an optimal complexity---coNP in this case.  In earlier work, Indrzejczak has proposed an ordered hypersequent calculus that is sound and complete for Kt4.3 but does not yield any decision procedure.  We refine his approach, using a hypersequent structure that corresponds to weak rather than strict total orders, and using annotations that reflect the model-theoretic insights given by small models for Kt4.3.  We obtain a sound and complete calculus with an associated coNP proof search algorithm.  These results extend naturally to the cases of unbounded and dense frames, and to the complexity of the two-variable fragment of first-order logic over total orders.}
}

@article{JGL-mscs18,
publisher = {Cambridge University Press},
journal = {Mathematical Structures in Computer Science},
author = {Goubault{-}Larrecq, Jean},
title = {A semantics for nabla},
pages = {1-25},
year = {2018},
doi = {10.1017/S0960129518000063},
url = {https://www.cambridge.org/core/journals/mathematical-structures-in-computer-science/article/semantics-for-nabla/A3337AB54DC58CBDDEC78116F4390777},
note = {To appear}
}

@inproceedings{JKS-eurosp17,
month = apr,
publisher = {{IEEE} Press},
editor = {Andrei Sabelfeld and Matthew Smith},
acronym = {{EuroS\&P}'17},
booktitle = {{P}roceedings of the 2nd IEEE European Symposium on
Security and Privacy ({EuroS\&P}'17)},
author = {Jacomme, Charlie and Kremer, Steve and Scerri, Guillaume},
title = {Symbolic Models for Isolated Execution Environments},
pages = {530-545},
year = {2017},
doi = {10.1109/EuroSP.2017.16},
url = {https://ieeexplore.ieee.org/document/7962001/},
abstract = {Isolated Execution Environments (IEEs), such as ARM
TrustZone and Intel SGX, offer the possibility to
execute sensitive code in isolation from other
malicious programs, running on the same machine, or
a potentially corrupted OS. A key feature of IEEs is
the ability to produce reports binding
cryptographically a message to the program that
produced it, typically ensuring that this message is
the result of the given program running on an
IEE. We present a symbolic model for specifying and
verifying applications that make use of such
features. For this we introduce the S{$$\ell$$}APIC
process calculus, that allows to reason about
reports issued at given locations. We also provide
tool support, extending the SAPIC/TAMARIN toolchain
and demonstrate the applicability of our framework
on several examples implementing secure outsourced
computation (SOC), a secure licensing protocol and a
one-time password protocol that all rely on such
IEEs.}
}

@inproceedings{JK-csf18,
month = jul,
publisher = {{IEEE} Computer Society Press},
editor = {Chong, Steve and Delaune, St{\'e}phanie},
acronym = {{CSF}'18},
booktitle = {{P}roceedings of the
31st {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'18)},
author = {Jacomme, Charlie and Kremer, Steve},
title = {An extensive formal analysis of multi-factor authentication protocols},
pages = {1-15},
year = {2018},
doi = {10.1109/CSF.2018.00008},
pdf = {https://easychair.org/publications/preprint/m89p},
url = {https://ieeexplore.ieee.org/document/8429292/},
abstract = {Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms used in so-called multi-factor authentication protocols. In this paper we define a detailed threat model for this kind of protocol: while in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that computers may be infected by different kinds of malware, that attackers could perform phishing, and that humans may omit some actions.  We formalize this model in the applied pi calculus and perform an extensive analysis and comparison of several widely used protocols---variants of Google 2-step and FIDO's U2F. The analysis is completely automated, generating systematically all combinations of threat scenarios for each of the protocols and using the ProVerif tool for automated protocol analysis. Our analysis highlights weaknesses and strengths of the different protocols, and allows us to suggest several small modifications of the existing protocols which are easy to implement, yet improve their security in several threat scenarios.}
}

@article{CCD-ic17,
publisher = {Elsevier Science Publishers},
journal = {Information and Computation},
author = {Vincent Cheval and Hubert Comon{-}Lundh and St{\'e}phanie Delaune},
title = {A procedure for deciding symbolic equivalence between sets of constraint systems},
volume = {255},
year = {2017},
pages = {94-125},
doi = {10.1016/j.ic.2017.05.004},
url = {https://www.sciencedirect.com/science/article/pii/S0890540117300949},
abstract = {We consider security properties of cryptographic protocols that can be modelled using trace equivalence, a crucial notion when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability. Infinite sets of possible traces are symbolically represented using deducibility constraints. We describe an algorithm that decides trace equivalence for protocols that use standard primitives and that can be represented using such constraints. More precisely, we consider symbolic equivalence between sets of constraint systems, and we also consider disequations. Considering sets and disequations is actually crucial to decide trace equivalence for processes that may involve else branches and/or private channels (for a bounded number of sessions). Our algorithm for deciding symbolic equivalence between sets of constraint systems is implemented and performs well in practice. Unfortunately, it does not scale up well for deciding trace equivalence between processes. This is, however, the first implemented algorithm deciding trace equivalence on such a large class of processes.}
}

@article{HGJX-lmcs18,
journal = {Logical Methods in Computer Science},
author = {Ho, Weng Kin and Goubault-Larrecq, Jean and Jung, Achim and Xi, Xiaoyong},
title = {The {Ho-Zhao} Problem},
volume = {14},
number = {1},
year = {2018},
month = jan,
pages = {1-19},
doi = {10.23638/LMCS-14(1:7)2018},
url = {https://lmcs.episciences.org/4218},
pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/HGJX-lmcs18.pdf}
}

@inproceedings{JGL-lncs11760,
volume = 11760,
series = {Lecture Notes in Computer Science},
publisher = {Springer},
editor = {M{\'a}rio S. Alvim and Kostas Chatzikokolakis and Carlos Olarte and Franck Valencia},
acronym = {{The Art of Modelling Computational Systems: A Journey from Logic and Concurrency to Security and Privacy}},
booktitle = {The Art of Modelling Computational Systems: A Journey from Logic and Concurrency to Security and Privacy---Essays Dedicated to Catuscia Palamidessi on the Occasion of Her 60th Birthday},
author = {Goubault{-}Larrecq, Jean},
title = {Fooling the Parallel or Tester with Probability $8/27$},
pages = {313--328},
year = 2019,
note = {Updated version on arXiv:1903.12653},
url = {https://arxiv.org/abs/1903.12653},
abstract = {It is well-known that the higher-order language PCF is not fully abstract: there is a program---the so-called parallel or tester, meant to test whether its input behaves as a parallel or---which never terminates on any input, operationally, but is denotationally non-trivial. We explore a probabilistic variant of PCF, and ask whether the parallel or tester exhibits a similar behavior there. The answer is no: operationally, one can feed the parallel or tester an input that will fool it into thinking it is a parallel or. We show that the largest probability of success of such would-be parallel ors is exactly $8/27$. The bound is reached by a very simple probabilistic program. The difficult part is to show that that bound cannot be exceeded.}
}

@inproceedings{DGJL-isdt19,
month = jun,
volume = 345,
series = {Electronic Notes in Theoretical Computer Science},
publisher = {Elsevier Science Publishers},
editor = {Jung, Achim and Li, Qingguo and Xu, Luoshan and Zhang, Guo-Qiang},
acronym = {{ISDT}'19},
booktitle = {{P}roceedings of the {I}nternational {S}ymposium on {D}omain {T}heory ({ISDT}'19)},
author = {de Brecht, Matthew and Goubault{-}Larrecq, Jean and Jia, Xiaodong and Lyu, Zhenchao},
title = {Domain-complete and LCS-complete Spaces},
pages = {3-35},
doi = {10.1016/j.entcs.2019.07.014},
year = 2019
}

@inproceedings{GJ-isdt19,
month = jun,
volume = 345,
series = {Electronic Notes in Theoretical Computer Science},
publisher = {Elsevier Science Publishers},
editor = {Jung, Achim and Li, Qingguo and Xu, Luoshan and Zhang, Guo-Qiang},
acronym = {{ISDT}'19},
booktitle = {{P}roceedings of the {I}nternational {S}ymposium on {D}omain {T}heory ({ISDT}'19)},
author = {Goubault{-}Larrecq, Jean and Jia, Xiaodong},
title = {Algebras of the Extended Probabilistic Powerdomain Monad},
pages = {37-61},
doi = {10.1016/j.entcs.2019.07.015},
year = 2019
}

@article{GM-hjm19,
publisher = {University of Houston},
journal = {Houston Journal of Mathematics},
author = {Goubault{-}Larrecq, Jean and Mynard, Fr{\'e}d{\'e}ric},
title = {Convergence without Points},
year = 2019,
note = {To appear}
}

@inproceedings{K-csf19,
month = jul,
publisher = {{IEEE} Computer Society Press},
editor = {Delaune, St{\'e}phanie and Jia, Limin},
acronym = {{CSF}'19},
booktitle = {{P}roceedings of the
31st {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'19)},
title = {Decidability of a Sound Set of Inference Rules for Computational Indistinguishability},
pages = {48-61},
year = 2019,
doi = {10.1109/CSF.2019.00011},
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/K-csf19.pdf},
abstract = {Computational indistinguishability is a key property in cryptography and verification of security protocols. Current tools for proving it rely on cryptographic game transformations. We follow Bana and Comon's approach, axiomatizing what an adversary cannot distinguish. We prove the decidability of a set of first-order axioms which are computationally sound, though incomplete, for protocols with a bounded number of sessions whose security is based on an IND-CCA$_2$ encryption scheme. Alternatively, our result can be viewed as the decidability of a family of cryptographic game transformations. Our proof relies on term rewriting and automated deduction techniques.}
}

@inproceedings{K-eurosp19,
month = jun,
publisher = {{IEEE} Press},
editor = {Frank Piessens and Frank Stajano},
acronym = {{EuroS\&P}'19},
booktitle = {{P}roceedings of the 4th IEEE European Symposium on
Security and Privacy ({EuroS\&P}'19)},
title = {The {5G-AKA} Authentication Protocol Privacy},
pages = {464-479},
year = 2019,
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/K-eurosp19.pdf},
doi = {10.1109/EuroSP.2019.00041},
abstract = {We study the 5G-AKA authentication protocol described in the 5G mobile communication standards. This version of AKA tries to achieve better privacy than the 3G and 4G versions through the use of asymmetric randomized encryption. Nonetheless, we show that except for the IMSI-catcher attack, all known attacks against 5G-AKA privacy still apply. Next, we modify the 5G-AKA protocol to prevent these attacks, while satisfying 5G-AKA efficiency constraints as much as possible. We then formally prove that our protocol is $\sigma$-unlinkable. This is a new security notion, which allows for a fine-grained quantification of a protocol's privacy. Our security proof is carried out in the Bana-Comon indistinguishability logic. We also prove mutual authentication as a secondary result.}
}

@article{JGL-topa19,
publisher = {Elsevier Science Publishers},
journal = {Topology and its Applications},
author = {Goubault{-}Larrecq, Jean},
year = 2019,
note = {To appear},
doi = {10.1016/j.topol.2019.06.044},
url = {http://www.sciencedirect.com/science/article/pii/S0166864119302160},
abstract = {The formal ball construction B is a central tool of
quasi-metric space theory. We show that it induces monads on certain
natural categories of quasi-metric spaces, with 1-Lipschitz maps as
morphisms, or with 1-Lipschitz continuous maps as morphisms. Those are
left Kock-Z{\"o}berlein monads, and that allows us to characterize their
algebras exactly. As an application, we study so-called Lipschitz
regular spaces, a natural class of spaces that contain all standard
algebraic quasi-metric spaces with relatively compact balls, in
particular all metric spaces whose closed balls are compact. There are
other Lipschitz regular spaces, as we show, and notably all B-algebras.
That includes all spaces of formal balls, with their $d^+$-Scott topology.
The value of Lipschitz regularity is that, for a Lipschitz regular
standard quasi-metric space $X,d$, the space $LX$ of lower semicontinuous
maps from X to the extended non-negative reals, with the Scott topology,
retracts onto each of the spaces $L_\alpha(X,d)$ of $\alpha$-Lipschitz
continuous maps, and that the subspace topology on the latter coincides
with the Scott topology.}
}

@article{HBD-jcs19,
publisher = {{IOS} Press},
journal = {Journal of Computer Security},
author = {Hirschi, Lucca and Baelde, David and Delaune, St{\'e}phanie},
title = {A method for unbounded verification of privacy-type properties},
volume = {27},
number = {3},
pages = {277-342},
year = 2019,
pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HBD-jcs19.pdf},
doi = {10.3233/JCS-171070},
url = {https://content.iospress.com/articles/journal-of-computer-security/jcs171070}
}

@inproceedings{BGJKS-csf19,
month = jul,
publisher = {{IEEE} Computer Society Press},
editor = {Delaune, St{\'e}phanie and Jia, Limin},
acronym = {{CSF}'19},
booktitle = {{P}roceedings of the
31st {IEEE} {C}omputer {S}ecurity {F}oundations
{S}ymposium ({CSF}'19)},
author = {Barthe, Gilles and Gr{\'e}goire, Benjamin and Jacomme, Charlie and Kremer, Steve and Strub, Pierre-Yves},
title = {Symbolic methods in computational cryptography proofs},
pages = {136-151},
year = 2019,
doi = {10.1109/CSF.2019.00017},
pdf = {https://hal.inria.fr/hal-02117794/document},
url = {https://hal.inria.fr/hal-02117794},
abstract = {Code-based game-playing is a popular methodology for proving security of cryptographic constructions and side-channel countermeasures. This methodology relies on treating cryptographic proofs as an instance of relational program verification (between probabilistic programs), and decomposing the latter into a series of elementary relational program verification steps. In this paper, we develop principled methods for proving such elementary steps for probabilistic programs that operate over finite fields and related algebraic structures. We focus on three essential properties: program equivalence, information flow, and uniformity. We give characterizations of these properties based on deducibility and other notions from symbolic cryptography. We use (sometimes improve) tools from symbolic cryptography to obtain decision procedures or sound proof methods for program equivalence, information flow, and uniformity. Finally, we evaluate our approach using examples drawn from provable security and from side-channel analysis---for the latter, we focus on the masking countermeasure against differential power analysis. A partial implementation of our approach is integrated in EasyCrypt, a proof assistant for provable security, and in MaskVerif, a fully automated prover for masked implementations.}
}

@inproceedings{JGL-lics19,
month = jun,
publisher = {{IEEE} Press},
editor = {Bouyer, Patricia},
acronym = {{LICS}'19},
booktitle = {{P}roceedings of the 34th {A}nnual {ACM\slash
IEEE} {S}ymposium on {L}ogic {I}n {C}omputer {S}cience ({LICS}'19)},
author = {Goubault{-}Larrecq, Jean},
title = {A Probabilistic and Non-Deterministic Call-by-Push-Value Language},
pages = {1-13},
year = 2019,
doi = {10.1109/LICS.2019.8785809},
abstract = {There is no known way of giving a domain-theoretic semantics to higher-order probabilistic languages, in such a way that the involved domains are continuous or quasi-continuous. We argue that the problem naturally disappears for languages with two kinds of types, where one kind is interpreted in a Cartesian-closed category of continuous dcpos, and the other is interpreted in a category that is closed under the probabilistic powerdomain functor. Such a setting is provided by Paul B. Levy's call-by-push-value paradigm. Following this insight, we define a call-by-push-value language, with probabilistic choice sitting inside the value types, and where conversion from a value type to a computation type involves demonic non-determinism. We give both a domain-theoretic semantics and an operational semantics for the resulting language, and we show that they are sound and adequate. With the addition of statistical termination testers and parallel if, we show that the language is even fully abstract---and those two primitives are required for that.}
}


This file was generated by bibtex2html 1.98.