@incollection{jgl-encyc06,
  author = {Goubault{-}Larrecq, Jean},
  title = {Preuve et v{\'e}rification pour la s{\'e}curit{\'e} 
	  et la s{\^u}ret{\'e}},
  booktitle = {Encyclop{\'e}die de l'informatique et des syst{\`e}mes 
	  d'information},
  editor = {Akoka, Jacky and Comyn-Wattiau, Isabelle},
  pages = {683--703},
  publisher = {Vuibert},
  year = 2006,
  month = dec,
  chapter = {I.6},
  url = {http://www.vuibert.com/livre12401.html},
  abstract = {La s\^uret\'e, comme la s\'ecurit\'e, \'enonce qu'un mal n'arrive
  jamais.  Le but de cet article est de d\'efinir la notion de propri\'et\'e
  de s\^uret\'e, et d'en d\'ecrire quelques techniques de v\'erification et de
  preuve~: model-checking, interpr\'etation abstraite notamment.  Apr\`es
  avoir remarqu\'e qu'il n'y avait pas de s\'ecurit\'e sans s\^uret\'e, il est
  expliqu\'e que l'analyse de s\'ecurit\'e d'un syst\`eme repose sur un
  mod\`ele, des hypoth\`eses, des propri\'et\'es \`a v\'erifier, et une
  architecture de s\'ecurit\'e.  Finalement, il est donn\'e un aper\c{c}u de
  quelques mod\`eles et m\'ethodes de preuve de protocoles
  cryptographiques.}
}
@inproceedings{BJ-secret06,
  address = {Venice, Italy},
  month = jul,
  year = 2006,
  editor = {Fern{\'a}ndez, Maribel and Kirchner, Claude},
  acronym = {{SecReT}'06},
  booktitle = {{P}reliminary {P}roceedings of the 1st 
           {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
           ({SecReT}'06)},
  author = {Bouhoula, Adel and Jacquemard, Florent},
  title = {Security Protocols Verification with Implicit Induction and 
		  Explicit Destructors},
  pages = {37--44},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-secret06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-secret06.pdf},
  abstract = {We present a new method for automatic implicit induction theorem
proving, and its application for the verification of a key distribution
cryptographic protocol. The~method can handle axioms between constructor
terms, a~feature generally not supported by other induction procedures. We~use
such axioms in order to specify explicit destructors representing
cryptographic operators.}
}
@inproceedings{BC-asian06,
  address = {Tokyo, Japan},
  month = jan,
  year = 2008,
  volume = 4435,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Okada, Mitsu and Satoh, Ichiro},
  acronym = {{ASIAN}'06},
  booktitle = {{R}evised {S}elected {P}apers of the 11th {A}sian
               {C}omputing {S}cience {C}onference
               ({ASIAN}'06)},
  author = {Bernat, Vincent and Comon{-}Lundh, Hubert},
  title = {Normal proofs in intruder theories},
  pages = {151--166},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BC-asian06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BC-asian06.pdf},
  doi = {10.1007/978-3-540-77505-8_12},
  abstract = {Given an arbitrary intruder deduction capability, modeled as an
              inference system~\(\mathcal{S}\) and a protocol, we show how to
              compute an inference system~\(\widehat{\mathcal{S}}\) such that
              the security problem for an unbounded number of sessions is
              equivalent to the deducibility of some message
              in~\(\widehat{\mathcal{S}}\). Then, assuming that
              \(\mathcal{S}\)~has some subformula property, we lift such a
              property to~\(\widehat{\mathcal{S}}\), thanks to a proof
              normalisation theorem. In~general, for an unbounded number of
              sessions, this provides a complete deduction strategy. In
              case of a bounded number of sessions, our theorem implies that
              the security problem is co-NP-complete. As an instance of our
              result we get a decision algorithm for the theory of
              blind-signatures, which, to our knowledge, was not known
              before.}
}
@inproceedings{LNZ-asian06,
  address = {Tokyo, Japan},
  month = jan,
  year = 2008,
  volume = 4435,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Okada, Mitsu and Satoh, Ichiro},
  acronym = {{ASIAN}'06},
  booktitle = {{R}evised {S}elected {P}apers of the 11th {A}sian
               {C}omputing {S}cience {C}onference
               ({ASIAN}'06)},
  author = {Lasota, S{\l}awomir and Nowak, David and Yu, Zhang},
  title = {On completeness of logical relations for monadic types},
  pages = {223--230},
  nmnote = {autc parce que c'est un short paper, pas ant pour Zhang Yu},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LNZ-monad-complete.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LNZ-monad-complete.pdf},
  doi = {10.1007/978-3-540-77505-8_17},
  abstract = {Software security can be ensured by specifying and verifying
                  security properties of software using formal methods with
                  strong theoretical bases. In~particular, programs can be
                  modeled in the framework of lambda-calculi, and interesting
                  properties can be expressed formally by contextual
                  equivalence (a.k.a.~observational equivalence). Furthermore,
                  imperative features, which exist in most real-life software,
                  can be nicely expressed in the so-called computational
                  lambda-calculus. Contextual equivalence is difficult to
                  prove directly, but we can often use logical relations as a
                  tool to establish it in lambda-calculi. We~have already
                  defined logical relations for the computational
                  lambda-calculus in previous work. We~devote this paper to
                  the study of their completeness w.r.t.~contextual
                  equivalence in the computational lambda-calculus.}
}
@inproceedings{abw-fossacs2006,
  address = {Vienna, Austria},
  month = mar,
  year = 2006,
  volume = 3921,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Aceto, Luca and Ing{\'o}lfsd{\'o}ttir, Anna},
  acronym = {{FoSSaCS}'06},
  booktitle = {{P}roceedings of the 9th {I}nternational
               {C}onference on {F}oundations of {S}oftware {S}cience
               and {C}omputation {S}tructures
               ({FoSSaCS}'06)},
  author = {Abadi, Mart{\'\i}n and Baudet, Mathieu and 
		Warinschi, Bogdan},
  title = {Guessing Attacks and the Computational Soundness of 
		Static Equivalence},
  pages = {398--412},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABW_Fossacs06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABW_Fossacs06.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/ABW_Fossacs06.ps},
  doi = {10.1007/11690634_27},
  abstract = {The indistinguishability of two pieces of 
	data (or two lists of pieces of data) can be 
	represented formally in terms of a relation called 
	static equivalence. Static equivalence depends on an 
	underlying equational theory. The choice of an 
	inappropriate equational theory can lead to overly 
	pessimistic or overly optimistic notions of 
	indistinguishability, and in turn to security criteria 
	that require protection against impossible attacks 
	or ---worse yet--- that ignore feasible ones.  In this 
	paper, we define and justify an equational theory for 
	standard, fundamental cryptographic operations. This 
	equational theory yields a notion of static equivalence 
	that implies computational indistinguishability. Static 
	equivalence remains liberal enough for use in 
	applications. In particular, we develop and analyze a 
	principled formal account of guessing attacks in terms 
	of static equivalence.}
}
@inproceedings{edos2006wsl,
  address = {Porto Alegre, Brazil},
  month = apr,
  year = 2006,
  editor = {Berger, Olivier},
  acronym = {{IWFS}'06},
  booktitle = {{P}roceedings of the {I}nternational
           {W}orkshop on {F}ree {S}oftware
           ({IWFS}'06)},
  author = {Boender, Jaap and Di Cosmo, Roberto and Durak, Berke and Leroy, Xavier
            and Mancinelli, Fabio and Morgado, Mario and Pinheiro, David and
	   Treinen, Ralf and  Trezentos, Paulo and Vouillon, J{\'e}r{\^o}me},
  title = {News from the {EDOS} project: improving the maintenance of free
               software distributions},
  pages = {199--207},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/wsl06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/wsl06.pdf},
  abstract = {The EDOS research project aims 
	at contributing to the quality assurance of free software 
	distributions. This is a major technical and engineering 
	challenge, due to the size and complexity of these 
	distributions (tens of thousands of software packages). We 
	present here some of the challenges that we have tackled so 
	far, and some of the advanced tools that are already 
	available to the community as an outcome of the first year 
	of work. }
}
@inproceedings{edos2006ase,
  address = {Tokyo, Japan},
  month = sep,
  year = 2006,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{ASE}'06},
  booktitle = {{P}roceedings of the 21st {IEEE}/{ACM} {I}nternational
           {C}onference on {A}utomated {S}oftware {E}ngineering
           ({ASE}'06)},
  author = {Mancinelli, Fabio and Boender, Jaap and Di Cosmo, Roberto and
            Vouillon, J{\'e}r{\^o}me and Durak, Berke and Leroy, Xavier 
	    and Treinen, Ralf},
  title = {Managing the Complexity of Large Free and Open Source
           Package-Based Software Distributions},
  pages = {199--208},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/edos-ase06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/edos-ase06.pdf},
  doi = {10.1109/ASE.2006.49},
  abstract = {The widespread adoption of Free and Open Source Software~(FOSS)
in many strategic contexts of the information technology society has drawn the
attention on the issues regarding how to handle the complexity of assembling
and managing a huge number of (packaged) components in a consistent and
effective~way. FOSS~distributions (and~in particular GNU\slash Linux-based~ones)
have always provided tools for managing the tasks of installing, removing and
upgrading the (packaged) components they were made~of. While these tools
provide a (not always effective) way to handle these tasks on the client side,
there is still a lack of tools that could help the distribution editors to
maintain, on the server side, large and high-quality distributions. In~this
paper we present our research whose main goal is to fill this gap: we~show our
approach, the tools we have developed and their application with experimental
results. Our~contribution provides an effective and automatic way to support
distribution editors in handling those issues that were, until now, mostly
addressed using ad-hoc tools and manual techniques.}
}
@inproceedings{CKKW-fsttcs2006,
  address = {Kolkata, India},
  month = dec,
  year = 2006,
  volume = 4337,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Garg, Naveen and Arun-Kumar, S.},
  acronym = {{FSTTCS}'06},
  booktitle = {{P}roceedings of the 26th {C}onference on
               {F}oundations of {S}oftware {T}echnology and
               {T}heoretical {C}omputer {S}cience
               ({FSTTCS}'06)},
  author = {Cortier, V{\'e}ronique and Kremer, Steve and 
		 K{\"u}sters, Ralf and Warinschi, Bogdan},
  title = {Computationally Sound Symbolic Secrecy in the Presence of Hash Functions},
  pages = {176--187},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CKKW-fsttcs06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CKKW-fsttcs06.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CKKW-fsttcs06.ps},
  doi = {10.1007/11944836_18},
  abstract = {The standard symbolic, deducibility-based notions of secrecy are
in general insufficient from a cryptographic point of view, especially in
presence of hash functions. In~this paper we devise and motivate a more
appropriate secrecy criterion which exactly captures a standard cryptographic
notion of secrecy for protocols involving public-key encryption and hash
functions: protocols that satisfy it are computationally secure while any
violation of our criterion directly leads to an attack. Furthermore, we prove
that our criterion is decidable via an NP decision procedure. Our~results hold
for standard security notions for encryption and hash functions modeled as
random oracles.}
}
@article{CDL05-survey,
  publisher = {{IOS} Press},
  journal = {Journal of Computer Security},
  author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie
                 and Lafourcade, Pascal},
  title = {A Survey of Algebraic Properties Used in Cryptographic
                 Protocols},
  year = {2006},
  volume = 14,
  number = 1,
  pages = {1--43},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/surveyCDL.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/surveyCDL.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/surveyCDL.ps},
  abstract = {Cryptographic protocols are 
	successfully analyzed using formal methods. 
	However, formal approaches usually consider the 
	encryption schemes as black boxes and assume that 
	an adversary cannot learn anything from an 
	encrypted message except if he has the key. Such an 
	assumption is too strong in general since some 
	attacks exploit in a clever way the interaction 
	between protocol rules and properties of 
	cryptographic operators. Moreover, the executability of some 
	protocols relies explicitly on some algebraic 
	properties of cryptographic primitives such as 
	commutative encryption. We give a list of some 
	relevant algebraic properties of cryptographic 
	operators, and for each of them, we provide 
	examples of protocols or attacks using these 
	properties. We also give an overview of the 
	existing methods in formal approaches for analyzing 
	cryptographic protocols.}
}
@article{delaune-tcs06,
  publisher = {Elsevier Science Publishers},
  journal = {Theoretical Computer Science},
  author = {Delaune, St{\'e}phanie},
  title = {An Undecidability Result for~{\textsf{\MakeUppercase{AG}h}}},
  volume = 368,
  number = {1--2},
  pages = {161--167},
  year = 2006,
  month = dec,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/delaune-tcs06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/delaune-tcs06.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/delaune-tcs06.ps},
  doi = {10.1016/j.tcs.2006.08.018},
  abstract = {We present an undecidability result for 
	the verification of security protocols. Since the 
	\emph{perfect cryptography assumption} is unrealistic 
	for cryptographic primitives with visible algebraic 
	properties, several recent works relax this assumption, 
	allowing the intruder to exploit these properties. We 
	are interested in the \emph{Abelian groups} theory in 
	combination with the homomorphism axiom. We show that 
	satisfiability of symbolic deducibility constraints 
	is undecidable, obtaining in this way the first 
	undecidability result concerning a theory for which 
	unification is known to be decidable~[F.~Baader, Unification 
        in commutative theories, Hilbert's basis theorem, and 
        Gr{\"{o}}bner 
        bases, J.~ACM~40(3) (1993)~477--503].}
}
@inproceedings{DKR-wote06,
  address = {Cambridge, UK},
  month = jun,
  year = 2006,
  acronym = {{WOTE}'06},
  booktitle = {{P}roceedings of the {IAVoSS} {W}orkshop {O}n {T}rustworthy {E}lections
               ({WOTE}'06)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and 
		 Ryan, Mark D.},
  title = {Verifying Properties of Electronic Voting Protocols},
  pages = {45--52},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-wote06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-wote06.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DKR-wote06.ps},
  abstract = {In this paper we report on some recent work to formally specify
and verify electronic voting protocols. In particular, we use the formalism of
the applied pi calculus: the applied pi calculus is a formal language
similar to the pi calculus but with useful extensions for modelling
cryptographic protocols. We model several important properties, namely
fairness, eligibility, privacy, receipt-freeness and coercion-resistance.
Verification of these properties is illustrated on two case studies and has
been partially automated using Blanchet's ProVerif tool.}
}
@inproceedings{DKR-csfw06,
  address = {Venice, Italy},
  month = jul,
  year = 2006,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSFW}'06},
  booktitle = {{P}roceedings of the 
               19th {IEEE} {C}omputer {S}ecurity {F}oundations
               {W}orkshop ({CSFW}'06)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and 
		 Ryan, Mark D.},
  title = {Coercion-Resistance and Receipt-Freeness in
		Electronic Voting},
  pages = {28--39},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csfw06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csfw06.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DKR-csfw06.ps},
  doi = {10.1109/CSFW.2006.8},
  abstract = {In this paper we formally study 
	important properties of electronic voting protocols. 
	In particular we are interested in 
	coercion-resistance and receipt-freeness. 
	Intuitively, an election protocol is 
	coercion-resistant if a voter \(A\) cannot prove to a 
	potential coercer~\(C\) that she voted in a particular 
	way.  We assume that \(A\) cooperates with~\(C\) in an 
	interactive way. Receipt-freeness is a weaker 
	property, for which we assume that \(A\) and~\(C\) 
	cannot interact during the protocol, but \(A\) later 
	provides evidence (the receipt) of how she voted. 
	While receipt-freeness can be expressed using 
	observational equivalence from the applied pi 
	calculus, we need to introduce a new relation to 
	capture coercion-resistance. Our formalization of 
	coercion-resistance and receipt-freeness are quite 
	different. Nevertheless, we show in accordance with 
	intuition that coercion-resistance implies 
	receipt-freeness, which implies privacy, the basic 
	anonymity property of voting protocols, as defined 
	in previous work. Finally we illustrate the 
	definitions on a simplified version of the 
	Lee~\emph{et~al.}\ voting protocol.}
}
@inproceedings{DLLT-ICALP2006,
  address = {Venice, Italy},
  month = jul,
  year = 2006,
  volume = 4052,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Bugliesi, Michele and Preneel, Bart and Sassone, Vladimiro and Wegener, Ingo},
  acronym = {{ICALP}'06},
  booktitle = {{P}roceedings of the 33rd {I}nternational 
               {C}olloquium on {A}utomata, {L}anguages and 
               {P}rogramming ({ICALP}'06)~--- {P}art~{II}},
  author = {Delaune, St{\'e}phanie and Lafourcade, Pascal and 
		Lugiez, Denis and Treinen, Ralf},
  title = {Symbolic Protocol Analysis in Presence of a Homomorphism 
		Operator and {\emph{Exclusive~Or}}},
  pages = {132--143},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-icalp06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-icalp06.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DLLT-icalp06.ps},
  doi = {10.1007/11787006_12},
  abstract = {Security of a cryptographic 
	protocol for a bounded number of sessions is 
	usually expressed as a symbolic trace 
	reachability problem. We show that symbolic 
	trace reachability for well-defined protocols 
	is decidable in presence of the exclusive or 
	theory in combination with the homomorphism 
	axiom. These theories allow us to model basic 
	properties of important cryptographic 
	operators. This trace reachability problem 
	can be expressed as a system of symbolic 
	deducibility constraints for a certain 
	inference system describing the capabilities 
	of the attacker. One main step of our proof 
	consists in reducing deducibility constraints 
	to constraints for deducibility in one step 
	of the inference system. This constraint 
	system, in turn, can be expressed as a system 
	of quadratic equations of a particular form 
	over \(\mathbb{Z}/2\mathbb{Z}[h]\), the ring 
	of polynomials in one indeterminate over the 
	finite field \(\mathbb{Z}/2\mathbb{Z}\). We 
	show that satisfiability of such systems is 
	decidable. }
}
@proceedings{CK-fcc2006,
  editor = {Cortier, V{\'e}ronique and Kremer, Steve},
  booktitle = {{P}roceedings of the 2nd {W}orkshop on {F}ormal and
		 {C}omputational {C}ryptography ({FCC}'06)},
  title = {{P}roceedings of the 2nd {W}orkshop on {F}ormal and
		 {C}omputational {C}ryptography ({FCC}'06)},
  address = {Venice, Italy},
  year = 2006,
  month = jul,
  url = {http://hal.inria.fr/FCC2006/}
}
@article{CKS-jar2005,
  publisher = {Springer},
  journal = {Journal of Automated Reasoning},
  author = {Chadha, Rohit and Kremer, Steve and Scedrov, Andre},
  title = {Formal Analysis of Multi-Party Contract Signing},
  volume = 36,
  number = {1--2},
  pages = {39--83},
  year = 2006,
  month = jan,
  nmnote = {Special Issue on Automated Reasoning for Security Protocol Analysis},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/mpcs-CKS.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/mpcs-CKS.pdf},
  doi = {10.1007/s10817-005-9019-5},
  abstract = {We analyze the multi-party contract-signing protocols
   of Garay and MacKenzie (GM) and of Baum and Waidner
   (BW). We use a finite-state tool, {\scshape Mocha},
   which allows specification of protocol properties in
   a branching-time temporal logic with game semantics.
   While our analysis does not reveal any errors in the
   BW protocol, in the GM protocol we discover serious
   problems with fairness for four signers and an
   oversight regarding abuse-freeness for three signers.
   We propose a complete revision of the GM subprotocols
   in order to restore fairness.}
}
@article{dj-jar05,
  publisher = {Springer},
  journal = {Journal of Automated Reasoning},
  author = {Delaune, St{\'e}phanie and Jacquemard, Florent},
  title = {Decision Procedures for the Security of
		Protocols with Probabilistic Encryption against 
		Offline Dictionary Attacks},
  volume = 36,
  number = {1--2},
  year = 2006,
  month = jan,
  pages = {85--124},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DJ-jar05.ps},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DJ-jar05.ps},
  doi = {10.1007/s10817-005-9017-7},
  abstract = {We consider the problem of formal 
	automatic verification of cryptographic protocols 
	when some data, like poorly chosen passwords, can 
	be guessed by dictionary attacks. First, we define 
	a theory of these attacks and propose an inference 
	system modeling the deduction capabilities of an 
	intruder. This system extends a set of well 
	studied deduction rules for symmetric and public 
	key encryption often called Dolev-Yao rules with 
	the introduction of a probabilistic encryption 
	operator and guessing abilities for the intruder. 
	Then, we show that the intruder deduction problem 
	in this extended model is decidable in~PTIME. The 
	proof is based on a locality lemma for our 
	inference system. This first result yields an 
	NP decision procedure for the protocol insecurity 
	problem in presence of a passive intruder. In the 
	active case, the same problem is proved to be 
	NP-complete: we give a procedure for 
	simultaneously solving symbolic constraints with 
	variables which represent intruder deductions. We 
	illustrate the procedure with examples of 
	published protocols and compare our model to other 
	recent formal definitions of dictionary attacks.}
}
@article{SD-ipl05,
  publisher = {Elsevier Science Publishers},
  journal = {Information Processing Letters},
  author = {Delaune, St{\'e}phanie},
  title = {Easy Intruder Deduction Problems with Homomorphisms},
  volume = 97,
  number = 6,
  pages = {213--218},
  month = mar,
  year = 2006,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SD-ipl05.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SD-ipl05.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/SD-ipl05.ps},
  doi = {10.1016/j.ipl.2005.11.008},
  abstract = {We present complexity results for 
	the verification of security protocols. Since 
	the perfect cryptography assumption is 
	unrealistic for cryptographic primitives with 
	visible algebraic properties, we extend the 
	classical \emph{Dolev-Yao} model by permitting 
	the intruder to exploit these properties. More 
	precisely, we are interested in theories such 
	as \emph{Exclusive or} and \emph{Abelian 
	groups} in combination with the homomorphism 
	axiom. We show that the intruder deduction 
	problem is in PTIME in both cases, improving 
	the EXPTIME complexity results presented 
	in~(Lafourcade, Lugiez, Treinen,~2005).}
}
@inproceedings{JRV-ijcar06,
  address = {Seattle, Washington, USA},
  month = aug,
  year = 2006,
  volume = 4130,
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer-Verlag},
  editor = {Furbach, Ulrich and Shankar, Natarajan},
  acronym = {{IJCAR}'06},
  booktitle = {{P}roceedings of the 3rd {I}nternational {J}oint
           {C}onference on {A}utomated {R}easoning
           ({IJCAR}'06)},
  author = {Jacquemard, Florent and Rusinowitch, Micha{\"e}l
            and Vigneron, Laurent},
  title = {Tree automata with equality constraints modulo equational
                theories},
  pages = {557--571},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2006-07.pdf},
  doi = {10.1007/11814771_45},
  abstract = {This paper presents new classes
        of tree automata combining automata with
        equality test and automata modulo equational
        theories. We believe that this class has a
        good potential for application in
        \emph{e.g.}~software verification. These tree
        automata are obtained by extending the
        standard Horn clause representations with
        equational conditions and rewrite systems.
        We show in particular that a generalized
        membership problem (extending the emptiness
        problem) is decidable by proving that the
        saturation of tree automata presentations
        with suitable paramodulation strategies
        terminates. Alternatively our results can be
        viewed as new decidable classes of
        first-order formula.}
}
@inproceedings{Laf-secret06,
  address = {Venice, Italy},
  month = jul,
  year = 2007,
  number = 4,
  volume = 171,
  series = {Electronic Notes in Theoretical Computer Science},
  publisher = {Elsevier Science Publishers},
  editor = {Fern{\'a}ndez, Maribel and Kirchner, Claude},
  acronym = {{SecReT}'06},
  booktitle = {{P}roceedings of the 1st 
           {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
           ({SecReT}'06)},
  author = {Lafourcade, Pascal},
  title = {Intruder Deduction for the Equational Theory of 
                {\emph{Exclusive-or}}
                with Commutative and Distributive Encryption},
  pages = {37--57},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Laf-secret06-long.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Laf-secret06-long.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/Laf-secret06-long.ps},
  nomorelongpdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/
        rr-lsv-2005-21.pdf},
  nomorelongps = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/
        rr-lsv-2005-21.ps},
  nomorelongpsgz = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PSGZ/
        rr-lsv-2005-21.ps.gz},
  doi = {10.1016/j.entcs.2007.02.054},
  abstract = {The first step in the verification of cryptographic protocols is
    to decide the intruder deduction problem, that is the vulnerability to a
    so-called passive attacker. We~extend the Dolev-Yao model in order to
    model this problem in presence of the equational theory of a commutative
    encryption operator which distributes over the \emph{exclusive-or}
    operator. The~interaction between the commutative distributive law of the
    encryption and \emph{exclusive-or} offers more possibilities to decrypt an
    encrypted message than in the non-commutative case, which imply a more
    careful analysis of the proof system. We~prove decidability of the
    intruder deduction problem for a commutative encryption which distributes
    over \emph{exclusive-or} with a DOUBLE-EXPTIME procedure. And~we obtain
    that this problem is EXPSPACE-hard in the binary case.}
}
@inproceedings{LLT-unif2006,
  address = {Seattle, Washington, USA},
  month = aug,
  year = 2006,
  editor = {Levy, Jordi},
  acronym = {{UNIF}'06},
  booktitle = {{P}roceedings of the 20th {I}nternational
               {W}orkshop on {U}nification
               ({UNIF}'06)},
  author = {Lafourcade, Pascal and Lugiez, Denis and Treinen, Ralf},
  title = {{ACUNh}: Unification and Disunification Using Automata Theory},
  pages = {6--20},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-unif06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-unif06.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/LLT-unif06.ps},
  abstract = {We show several results about unification problems in the
equational theory~ACUNh consisting of the theory of exclusive or with one
homomorphism. These results are shown using only techniques of automata and
combinations of unification problems. We~show how to construct a most-general
unifier for ACUNh-unification problems with constants using automata. We also
prove that the first-order theory of ground terms modulo~ACUNh is decidable if
the signature does not contain free non-constant function symbols, and that
the existential fragment is decidable in the general case. Furthermore, we
show a technical result about the set of most-general unifiers obtained for
general unification problems.}
}
@inproceedings{BJ-unif2006,
  address = {Seattle, Washington, USA},
  month = aug,
  year = 2006,
  editor = {Levy, Jordi},
  acronym = {{UNIF}'06},
  booktitle = {{P}roceedings of the 20th {I}nternational
               {W}orkshop on {U}nification
               ({UNIF}'06)},
  author = {Bouhoula, Adel and Jacquemard, Florent},
  title = {Automating Sufficient Completeness Check for Conditional 
                and Constrained~{TRS}},
  nopages = {},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-unif06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-unif06.pdf},
  abstract = {We present a procedure for checking sufficient completeness for
conditional and constrained term rewriting systems containing axioms for
constructors which may be constrained (by~e.g.~equalities, disequalities,
ordering, membership...). Such axioms make it possible to specify complex data structures
like e.g.~sets, sorted lists or powerlists. Our approach is integrated in a
framework for inductive theorem proving based on tree grammars with
constraints, a formalism which permits an exact representation of languages of
ground constructor terms in normal form. The key technique used in the
procedure is a generalized form of narrowing where, given a term, instead of
unifying it with left members of rewrite rules, we instantiate it, at selected
variables, following the productions of a constrained tree grammar, and test
whether it can be rewritten. Our~procedure is sound and complete and has been
successfully applied to several examples, yielding very natural proofs and, in
case of negative answer, a counterexample suggesting how to complete the
specification. Moreover, it is a decision procedure when the TRS is
unconditional but constrained, for a large class of constrained constructor
axioms.}
}
@inproceedings{MOJ-aisc2006,
  address = {Beijing, China},
  month = sep,
  year = 2006,
  volume = 4120,
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer},
  editor = {Calmet, Jacques and Ida, Tetsuo and Wang, Dongming},
  acronym = {{AISC}'06},
  booktitle = {{P}roceedings of the 8th {I}nternational {C}onference
           on {A}rtificial {I}ntelligence and {S}ymbolic {C}omputation
           ({AISC}'06)},
  author = {Mitsuhashi, Ichiro and Oyamaguchi, Michio and Jacquemard, Florent},
  title = {The Confluence Problem for Flat~{TRSs}},
  pages = {68-81},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/MOJ-aisc06.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/MOJ-aisc06.pdf},
  doi = {10.1007/11856290_8},
  abstract = {We prove that the properties of reachability, joinability and
confluence are undecidable for flat~TRSs. Here, a~TRS is flat if the heights
of the left and right-hand sides of each rewrite rule are at most one.}
}
@phdthesis{THESE-bernat06,
  author = {Bernat, Vincent},
  title = {Th{\'e}ories de l'intrus pour la v{\'e}rification 
                 des protocoles cryptographiques},
  year = 2006,
  month = jun,
  type = {Th{\`e}se de doctorat},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-bernat.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-bernat.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-bernat.ps}
}
@phdthesis{THESE-delaune06,
  author = {Delaune, St{\'e}phanie},
  title = {V{\'e}rification des protocoles cryptographiques 
                 et propri{\'e}t{\'e}s alg{\'e}briques},
  year = 2006,
  month = jun,
  type = {Th{\`e}se de doctorat},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-delaune.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-delaune.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-delaune.ps},
  abstract = {Cryptographic protocols are small concurrent programs designed
to guarantee the security of exchanges between participants using non-secure
medium. Establishing the correctness of these protocols is crucial given the
increasing number of applications, such as electronic commerce, that exchange
information on the Internet. Unfortunately, the existence of cryptographic
primitives such as encryption is not sufficient to ensure security. The
security of exchanges is ensured by cryptographic protocols which are
notoriously error-prone.\par
The formal verification of cryptographic protocols is a difficult problem that
can be seen as a particular model-checking problem in an hostile environment.
To verify such protocols, a line of research consists in considering
encryption as a black box and assuming that an adversary can't learn anything
from an encrypted message except if he has the key. This is called the
\emph{perfect cryptography} assumption. Many results have been obtained under
this assumption, but such an assumption is too strong in general. Some attacks
exploit in a clever way the interaction between protocol rules and properties
of cryptographic operators. \par
In this thesis, we relax the perfect cryptography assumption by taking into
account some algebraic properties of cryptographic primitives. We give
decision procedures for the security problem in presence of several algebraic
operators.}
}
@phdthesis{THESE-lafourcade06,
  author = {Lafourcade, Pascal},
  title = {V{\'e}rification des protocoles cryptographiques 
                 en pr{\'e}sence de th{\'e}ories {\'e}quationnelles},
  year = 2006,
  month = sep,
  type = {Th{\`e}se de doctorat},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-lafourcade.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-lafourcade.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-lafourcade.ps},
  note = {209~pages},
  abstract = {The rise of the Internet and of new technologies has reinforced the
key role of computer science in communication technology. The recent progress
in these technologies has brought a dramatic change in the ways in which we
communicate and consume. All these communication activities are subject to
complex communication protocols that a user does not control completely. Users
of communication protocols require that their communications are {"}secure{"}.
The developers of these communication protocols aim to secure communications
in a hostile environment by cryptographic means. Such an environment consists
of a dishonest communication participant, called an {"}intruder{"} or
{"}attacker{"}... We suppose that the intruder controls the network on which
the messages are exchanged.\par
The verification of a cryptographic protocol either ensures that no attack is
possible against the execution of the protocol in presence of a certain
intruder, or otherwise exhibits an attack. One important assumption in the
verification of cryptographic protocols is the so-called {"}perfect
cryptography assumption{"}, which states that the only way to obtain knowledge
about an encrypted message is to know its decryption key. This hypothesis is
not sufficient to guarantee security in reality. It is possible that certain
properties used in the protocol allow the intruder to obtain some
information.\par
One way to weaken this perfect cryptography assumption is to take into account
in the model certain algebraic properties. We develop a formal approach for
verifying the so-called secrecy property of cryptographic protocols in the
presence of equational theories and of homomorphism.}
}
@mastersthesis{bursuc-master,
  author = {Bursuc, Sergiu},
  title = {Contraintes de d{\'e}ductibilit{\'e} modulo
                 Associativit{\'e}-Commutativit{\'e}},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  month = sep,
  year = 2006,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bursuc-M2.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bursuc-M2.pdf}
}
@techreport{LSV:06:13,
  author = {Olivain, Julien and Goubault{-}Larrecq, Jean},
  title = {Detecting Subverted Cryptographic Protocols by Entropy Checking},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = 2006,
  month = jun,
  type = {Research Report},
  number = {LSV-06-13},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2006-13.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2006-13.pdf},
  note = {19~pages},
  abstract = {What happens when your implementation of SSL or some other
  cryptographic protocol is subverted through a buffer overflow
  attack?  You have been hacked, right.  Unfortunately, you may be
  unaware of~it: since normal traffic is encrypted, most IDSs cannot
  monitor~it.  We propose a simple, yet efficient technique to detect
  such attacks, by computing the entropy of the flow and comparing it
  against known thresholds.  This was implemented in the Net-Entropy
  sensor.}
}
@inproceedings{Gou-fossacs08b,
  address = {Budapest, Hungary},
  month = mar # {-} # apr,
  year = 2008,
  volume = 4962,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Amadio, Roberto},
  acronym = {{FoSSaCS}'08},
  booktitle = {{P}roceedings of the 11th {I}nternational
               {C}onference on {F}oundations of {S}oftware {S}cience
               and {C}omputation {S}tructures
               ({FoSSaCS}'08)},
  author = {Goubault{-}Larrecq, Jean},
  title = {Simulation Hemi-Metrics Between Infinite-State Stochastic Games},
  pages = {50-65},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-34.pdf},
  doi = {10.1007/978-3-540-78499-9_5},
  abstract = {We investigate simulation hemi-metrics between certain forms
    of turn-based \(2\frac{1}{2}\)-player games played on infinite 
    topological spaces. They have the desirable property of bounding the
    difference in payoffs obtained by starting from one state or another. 
    All 
    constructions are described as the special case of a unique one, which we 
    call the Hutchinson hemi-metric on various spaces of continuous 
    previsions. We show a directed form of the Kantorovich-Rubinstein theorem, 
    stating that the Hutchinson hemi-metric on spaces of continuous 
    probability valuations coincides with a notion of trans-shipment 
    hemi-metric. We also identify the class of so-called sym-compact spaces as 
    the right class of topological spaces, where the theory works out as 
    nicely as possible.}
}
@inproceedings{Gou-fossacs08a,
  address = {Budapest, Hungary},
  month = mar # {-} # apr,
  year = 2008,
  volume = 4962,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Amadio, Roberto},
  acronym = {{FoSSaCS}'08},
  booktitle = {{P}roceedings of the 11th {I}nternational
               {C}onference on {F}oundations of {S}oftware {S}cience
               and {C}omputation {S}tructures
               ({FoSSaCS}'08)},
  author = {Goubault{-}Larrecq, Jean},
  title = {Prevision Domains and Convex Powercones},
  pages = {318-333},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-33.pdf},
  doi = {10.1007/978-3-540-78499-9_23},
  abstract = {Two recent semantic families of models for mixed 
probabilistic and non-deterministic choice over a space~\(X\) are the 
convex powercone models, due independently to Mislove, and to Tix, 
Keimel, and Plotkin, and the continuous prevision model of the 
author. We show that, up to some minor details, these models are 
isomorphic whenever \(X\) is a continuous, coherent cpo, and whether 
the particular brand of non-determinism we focus on is demonic, 
angelic, or chaotic. The construction also exhibits domains of 
continuous previsions as retracts of well-known continuous cpos, 
providing simple bases for the various continuous cpos of continuous 
previsions. This has practical relevance to computing approximations 
of operations on previsions.}
}
@inproceedings{Kremer-tgc07,
  address = {Sophia-Antipolis, France},
  year = 2008,
  volume = 4912,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Barthe, Gilles and Fournet, C{\'e}dric},
  acronym = {{TGC}'07},
  booktitle = {{R}evised {S}elected {P}apers from the 3rd {S}ymposium on {T}rustworthy {G}lobal 
	   {C}omputing ({TGC}'07)},
  author = {Kremer, Steve},
  title = {Computational soundness of equational theories (Tutorial)},
  pages = {363-382},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Kremer-tgc07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Kremer-tgc07.pdf},
  doi = {10.1007/978-3-540-78663-4},
  abstract = {We study the link between formal and cryptographic models for
    security protocols in the presence of passive and adaptive adversaries. We
    first describe the seminal result by Abadi and Rogaway and shortly discuss
    some of its extensions. Then we describe a general model for reasoning
    about the soundness of implementations of equational theories. We
    illustrate this model on several examples of computationally sound
    implementations of equational theories.}
}
@article{JRV-jlap07,
  publisher = {Elsevier Science Publishers},
  journal = {Journal of Logic and Algebraic Programming},
  author = {Jacquemard, Florent and Rusinowitch, Micha{\"e}l and Vigneron, Laurent},
  title = {Tree automata with equality constraints modulo equational
		  theories},
  year = 2008,
  month = apr,
  volume = 75,
  number = 2,
  pages = {182-208},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JRV-jlap08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JRV-jlap08.pdf},
  doi = {10.1016/j.jlap.2007.10.006},
  abstract = {This paper presents new classes of tree automata combining 
    automata with equality test and automata modulo equational theories. 
    We believe that these classes have a good potential for application in 
    \emph{e.g.} software verification. These tree automata are obtained by 
    extending the standard Horn clause representations with equational 
    conditions and rewrite systems. We~show in particular that a 
    generalized membership problem (extending the emptiness problem) is 
    decidable by proving that the saturation of tree automata 
    presentations with suitable paramodulation strategies terminates. 
    Alternatively our results can be viewed as new decidable classes of 
    first-order formula.}
}
@inproceedings{BJ-arspa07,
  address = {Wroc{\l}aw, Poland},
  month = jul,
  year = 2007,
  editor = {Degano, Pierpaolo and K{\"u}sters, Ralf and Vigan{\`o}, Luca and
                  Zdancewic, Steve},
  acronym = {{FCS-ARSPA}'07},
  booktitle = {{P}roceedings of the {J}oint {W}orkshop on {F}oundations of
                  {C}omputer {S}ecurity  and {A}utomated {R}easoning 
		  for {S}ecurity {P}rotocol {A}nalysis ({FCS-ARSPA}'07)},
  author = {Bouhoula, Adel and Jacquemard, Florent},
  title = {Verifying Regular Trace Properties of Security Protocols
		  with Explicit Destructors and Implicit Induction},
  pages = {27-44},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-arspa07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BJ-arspa07.pdf},
  abstract = {We present a procedure for the verification of
    cryptographic protocols based on a new method for automatic implicit
    induction theorem proving for specifications made of conditional and
    constrained rewrite rules. The~method handles axioms between constructor
    terms which are used to introduce explicit destructor symbols for the
    specification of cryptographic operators. Moreover, it can deal with
    non-confluent rewrite systems. This is required in the context of the
    verification of security protocols because of the non-deterministic
    behavior of attackers. Our~induction method makes an intensive use of
    constrained tree grammars, which are used in proofs both as induction
    schemes and as oracles for checking validity and redundancy criteria by
    reduction to an emptiness problem. The grammars make possible the
    development of a generic framework for the specification and verification
    of protocols, where the specifications can be parametrized with (possibly
    infinite) regular sets of user names or attacker's initial knowledge and
    complex security properties can be expressed, referring to some fixed
    regular sets of bad traces representing potential vulnerabilities. 
    We present some case studies giving very promising results, for the detection
    of attacks (our~procedure is complete for refutation), and also for the
    validation of protocols.}
}
@inproceedings{Bur-nordsec07,
  address = {Reykjavik, Iceland},
  month = oct,
  year = 2007,
  editor = {Erlingsson, {\'U}lfar and Sabelfeld, Andrei},
  acronym = {{NordSec}'07},
  booktitle = {{P}roceedings of the 12th {N}ordic {W}orkshop on {S}ecure {IT}
                  {S}ystems ({NordSec}'07)},
  author = {Bursztein, Elie},
  title = {Time has something to tell us about network address
                  translation},
  nopages = {},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-nordsec07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-nordsec07.pdf},
  abstract = {In this paper we introduce a new technique to count the number
    of hosts behind a~NAT. This technique, based on the TCP timestamp option,
    works with Linux and BSD systems and is therefore complementary to the
    previous one, based on the IP~ID, which does not work for those systems.
    Our~implementation demonstrates the practicability of this method.}
}
@techreport{Prouve:rap10,
  author = {Delaune, St{\'e}phanie and Klay, Francis},
  title = {Synth{\`e}se des exp{\'e}rimentations},
  institution = {projet RNTL PROUV{\'E}},
  month = may,
  year = 2007,
  type = {Technical Report},
  number = 10,
  note = {10~pages},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap10.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap10.pdf},
  abstract = {Dans ce document nous pr{\'e}sentons une synth{\`e}se des deux
    cas d'{\'e}tude trait{\'e}s durant le projet. Rappelons qu'il s'agit d'une
    part d'un protocole de commerce {\'e}lectronique et d'autre part d'un
    protocole de vote. Pour chacun de ces protocoles, nous analysons les
    r{\'e}sultats obtenus afin de d{\'e}gager l'apport des travaux issus du
    projet et les aspects qui n'ont pas pu {\^e}tre compl{\`e}tement trait{\'e}s.
    Compte tenu des enseignements tir{\'e}s, dans la derni{\`e}re partie nous
    mettons en perspectives les axes de recherches envisageables pour traiter
    compl{\`e}tement des protocoles aussi complexes que celui du vote
    {\'e}lectronique.}
}
@techreport{Prouve:rap9,
  author = {Klay, Francis and Bozga, Liana and Lakhnech, Yassine and
		 Mazar{\'e}, Laurent and Delaune, St{\'e}phanie and 
		 Kremer, Steve},
  title = {Retour d'exp{\'e}rience sur la validation du vote {\'e}lectronique},
  institution = {projet RNTL PROUV{\'E}},
  month = nov,
  year = 2006,
  type = {Technical Report},
  number = 9,
  note = {47~pages},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap9.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/prouve-rap9.pdf},
  abstract = {Dans ce rapport, nous pr{\'e}sentons le travail de
    v{\'e}rification qui a {\'e}t{\'e} r{\'e}alis{\'e} sur le protocole de
    vote {\'e}lectronique que nous avons introduit et formalis{\'e} dans le
    rapport RNTL Prouv{\'e} num{\'e}ro~\(6\). Ce protocole a {\'e}t{\'e} mis au
    point par J.~Traor{\'e}, ing{\'e}nieur de recherche chez France
    T{\'e}l{\'e}com. Il est bas{\'e} sur le m{\'e}canisme de signature en
    aveugle et peut {\^e}tre consid{\'e}r{\'e} comme un d{\'e}riv{\'e} du
    protocole de Fujioka, Okamoto et~Ohta.\par
    La formalisation de ce protocole a mis en {\'e}vidence une grande
    complexit{\'e} due en particulier aux structures de donn{\'e}es et aux
    primitives cryptographiques manipul{\'e}es. D'un autre c{\^o}t{\'e} ce
    travail a {\'e}galement r{\'e}v{\'e}l{\'e} que les propri{\'e}t{\'e}s de
    s{\^u}ret{\'e} {\`a} garantir sont particuli{\`e}rement subtiles.
    Ce~document pr{\'e}sente les r{\'e}sultats qui ont {\'e}t{\'e} obtenus
    lors de la v{\'e}rification de ce protocole. En particulier nous montrons
    que certaines propri{\'e}t{\'e}s de s{\^u}ret{\'e} ont pu {\^e}tre
    prouv{\'e}es automatiquement alors que pour d'autres une preuve manuelle
    s'est av{\'e}r{\'e}e n{\'e}cessaire.}
}
@techreport{LSV:07:31,
  author = {Jacquemard, Florent and Rusinowitch, Micha{\"e}l},
  title = {Rewrite Closure of {H}edge-Automata Languages},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = 2007,
  month = oct,
  type = {Research Report},
  number = {LSV-07-31},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-31.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-31.pdf},
  note = {22~pages},
  abstract = {We investigate some preservation properties for classes of
    regular languages of unranked ordered terms under an appropriate
    generalization of term rewriting subsuming both standard term rewriting
    and word rewriting.\par
    The considered classes include languages of hedge automata (HA) and some
    extension (called CF-HA) with context-free languages in transitions,
    instead of regular languages. In~particular, we~show, with a HA completion
    procedure, that the set of unranked terms reachable from a given HA
    language, using a so called inverse context-free rewrite system, is an HA
    language. Moreover, we~prove, using different techniques, the closure of
    CF-HA languages with respect to context-free rewrite systems, the
    symmetric case of the above rewrite systems. As~a consequence,
    the~problems of ground reachability and regular hedge model checking are
    decidable in both cases. We~give several counter examples showing
    that we cannot relax the restrictions.}
}
@mastersthesis{vacher-master,
  author = {Vacher, Camille},
  title = {Accessibilit{\'e} inverse dans les automates d'arbres {\`a}
	 	 m{\'e}moire d'ordre sup{\'e}rieur},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = 2007,
  month = sep,
  oldurl = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vacher-m2.pdf},
  oldpdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vacher-m2.pdf},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-35.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-35.pdf}
}
@inproceedings{CL-avocs07,
  address = {Oxford, UK},
  month = sep,
  year = {2007},
  editor = {Goldsmith, Michael and Roscoe, Bill},
  acronym = {{AVoCS}'07},
  booktitle = {{P}re-proceedings of the 7th {I}nternational
               {W}orkshop on {A}utomated {V}erification
               of {C}ritical {S}ystems
               ({AVoCS}'07)},
  author = {Cremers, Cas and Lafourcade, Pascal},
  title = {Comparing State Spaces in Automatic Security Protocol Verification},
  nmnote = {Pas paru dans les proceedings ENTCS},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-avocs07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-avocs07.pdf},
  abstract = {Many tools exist for automatic security protocol verification,
    and most of them have their own particular language for specifying
    protocols and properties. Several protocol specification models and
    security properties have been already formally related to each other.
    However, there is a further difference between verification tools, which
    has not been investigated in depth before: the~explored state space. Some
    tools explore all possible behaviors, whereas others explore strict
    subsets, often by using so-called scenarios. Ignoring such differences can
    lead to wrong interpretations of the output of a tool. We~relate the
    explored state spaces to each other and find previously unreported
    differences between the various approaches. We~apply our study of state
    space relations in a performance comparison of several well-known
    automatic tools for security protocol verification. We~model a set of
    protocols and their properties as homogeneously as possible for each tool.
    We~analyze the performance of the tools over comparable state spaces. This
    work allows us for the first time to compare these automatic tools fairly,
    i.e.,~using the same protocol description and exploring the same state
    space. We~also propose some explanations for our experimental results,
    leading to a better understanding of the tools.}
}
@inproceedings{BG-asian07,
  address = {Doha, Qatar},
  month = dec,
  year = 2007,
  volume = 4846,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Cervesato, Iliano},
  acronym = {{ASIAN}'07},
  booktitle = {{P}roceedings of the 12th {A}sian
               {C}omputing {S}cience {C}onference
               ({ASIAN}'07)},
  author = {Bursztein, Elie and Goubault{-}Larrecq, Jean},
  title = {A Logical Framework for Evaluating Network Resilience Against
                  Faults and Attacks},
  pages = {212-227},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BGL-asian07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BGL-asian07.pdf},
  doi = {10.1007/978-3-540-76929-3_20},
  abstract = {We present a logic-based framework to evaluate the resilience of
                  computer networks in the face of incidents, i.e., attacks
                  from malicious intruders as well as random faults. Our model
                  uses a two-layered presentation of dependencies between
                  files and services, and of timed games to represent not just
                  incidents, but also the dynamic responses from
                  administrators and their respective delays. We demonstrate
                  that a variant TATL\(\Diamond\) of timed alternating-time temporal
                  logic is a convenient language to express several desirable
                  properties of networks, including several forms of
                  survivability. We illustrate this on a simple redundant Web
                  service architecture, and show that checking such timed
                  games against the so-called TATL\(\Diamond\) variant of the timed
                  alternating time temporal logic TATL is EXPTIME-complete.}
}
@inproceedings{GPT-aplas07,
  address = {Singapore},
  month = nov # {-} # dec,
  year = 2007,
  volume = 4807,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Shao, Zhong},
  acronym = {{APLAS}'07},
  booktitle = {{P}roceedings of the 5th {A}sian {S}ymposium
               on {P}rogramming {L}anguages and {S}ystems
               ({APLAS}'07)},
  author = {Goubault{-}Larrecq, Jean and Palamidessi, Catuscia and
                  Troina, Angelo},
  title = {A Probabilistic Applied Pi-Calculus},
  pages = {175-190},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GPT-aplas07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GPT-aplas07.pdf},
  doi = {10.1007/978-3-540-76637-7_12},
  abstract = {We propose an extension of the Applied Pi-calculus by
    introducing nondeterministic and probabilistic choice operators. The
    semantics of the resulting model, in which probability and nondeterminism
    are combined, is given by Segala's Probabilistic Automata driven by
    schedulers which resolve the nondeterministic choice among the probability
    distributions over target states. Notions of static and observational
    equivalence are given for the enriched calculus. In order to model the
    possible interaction of a process with its surrounding environment a
    labeled semantics is given together with a notion of weak bisimulation
    which is shown to coincide with the observational equivalence. Finally, we
    prove that results in the probabilistic framework are preserved in a
    purely nondeterministic setting.}
}
@inproceedings{CDD-fsttcs07,
  address = {New~Delhi, India},
  month = dec,
  year = 2007,
  volume = 4855,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Arvind, V. and Prasad, Sanjiva},
  acronym = {{FSTTCS}'07},
  booktitle = {{P}roceedings of the 27th {C}onference on
               {F}oundations of {S}oftware {T}echnology and
               {T}heoretical {C}omputer {S}cience
               ({FSTTCS}'07)},
  author = {Cortier, V{\'e}ronique and Delaitre, J{\'e}r{\'e}mie and
                  Delaune, St{\'e}phanie},
  title = {Safely Composing Security Protocols},
  pages = {352-363},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDD-fsttcs07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDD-fsttcs07.pdf},
  addendumpdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDD-fsttcs07-addendum.pdf},
  doi = {10.1007/978-3-540-77050-3_29},
  abstract = {Security protocols are small programs that are executed in
    hostile environments. Many results and tools have been developed to
    formally analyze the security of a protocol in the presence of active
    attackers that may block, intercept and send new messages. However even
    when a protocol has been proved secure, there is absolutely no guarantee
    if the protocol is executed in an environment where other protocols,
    possibly sharing some common identities and keys like public keys or
    long-term symmetric keys, are executed.\par
    In this paper, we show that security of protocols can be easily composed.
    More precisely, we show that whenever a protocol is secure, it remains
    secure even in an environment where arbitrary protocols are executed,
    provided each encryption contains some tag identifying each protocol, like
    e.g.~the name of the protocol.}
}
@inproceedings{DKR-fsttcs07,
  address = {New~Delhi, India},
  month = dec,
  year = 2007,
  volume = 4855,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Arvind, V. and Prasad, Sanjiva},
  acronym = {{FSTTCS}'07},
  booktitle = {{P}roceedings of the 27th {C}onference on
               {F}oundations of {S}oftware {T}echnology and
               {T}heoretical {C}omputer {S}cience
               ({FSTTCS}'07)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title = {Symbolic Bisimulation for the Applied Pi-Calculus},
  pages = {133-145},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-fsttcs07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-fsttcs07.pdf},
  doi = {10.1007/978-3-540-77050-3_11},
  abstract = {We propose a symbolic semantics for the finite applied pi
    calculus, which is a variant of the pi calculus with extensions for
    modelling cryptographic protocols. By~treating inputs symbolically, our
    semantics avoids potentially infinite branching of execution trees due to
    inputs from the environment. Correctness is maintained by associating with
    each process a set of constraints on symbolic terms. Based on the
    semantics, we~define a sound symbolic labelled bisimulation relation.
    This~is an important step towards automation of observational equivalence
    for the finite applied pi calculus, \emph{e.g.}, for verification of
    anonymity or strong secrecy properties of protocols with a bounded number
    of sessions.}
}
@inproceedings{DLL-lpar07,
  address = {Yerevan, Armenia},
  month = oct,
  year = 2007,
  volume = 4790,
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer},
  editor = {Dershowitz, Nachum and Voronkov, Andrei},
  acronym = {{LPAR}'07},
  booktitle = {{P}roceedings of the 14th {I}nternational
               {C}onference on {L}ogic for {P}rogramming,
               {A}rtificial {I}ntelligence, and {R}easoning
               ({LPAR}'07)},
  author = {Delaune, St{\'e}phanie and Lin, Hai and Lynch, {\relax Ch}ristopher},
  title = {Protocol verification via rigid{\slash}flexible resolution},
  pages = {242-256},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLL-lpar07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLL-lpar07.pdf},
  doi = {10.1007/978-3-540-75560-9_19},
  abstract = {In this paper we propose a decision procedure, 
	i.e., an~inference system for clauses containing rigid and 
	flexible variables. Rigid variables are only allowed to have 
	one instantiation, whereas flexible variables are allowed as 
	many instantiations as desired. We~assume a set of clauses 
	containing only rigid variables together with a set of clauses 
	containing only flexible variables. When the flexible clauses 
	fall into a particular class, we propose an inference system 
	based on ordered resolution that is sound and complete and for 
	which the inference procedure will halt.\par
	    An interest in this form of problem is for cryptographic 
	protocol verification for a bounded number of protocol 
	instances. Our class allows us to obtain a generic decidability 
	result for a large class of cryptographic protocols that may 
	use for instance~CBC (Cipher Block Chaining) encryption and 
	blind signature. }
}
@inproceedings{CD-lpar07,
  address = {Yerevan, Armenia},
  month = oct,
  year = 2007,
  volume = 4790,
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer},
  editor = {Dershowitz, Nachum and Voronkov, Andrei},
  acronym = {{LPAR}'07},
  booktitle = {{P}roceedings of the 14th {I}nternational
               {C}onference on {L}ogic for {P}rogramming,
               {A}rtificial {I}ntelligence, and {R}easoning
               ({LPAR}'07)},
  author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {Deciding Knowledge in Security Protocols for 
		 Monoidal Equational Theories},
  pages = {196-210},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-lpar07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-lpar07.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CD-lpar07.ps},
  doi = {10.1007/978-3-540-75560-9_16},
  abstract = {In formal approaches, messages sent over a 
	network are usually modeled by terms together with an 
	equational theory, axiomatizing the properties of the 
	cryptographic functions (encryption, exclusive or,~...). 
	The~analysis of cryptographic protocols requires a 
	precise understanding of the attacker knowledge. Two 
	standard notions are usually used: deducibility and 
	indistinguishability. Only few results have been obtained 
	(in~an ad-hoc~way) for equational theories with 
	associative and commutative properties, especially in the 
	case of static equivalence. The~main contribution of this 
	paper is to propose a general setting for solving 
	deducibility and indistinguishability for an important 
	class (called monoidal) of these theories. Our~setting 
	relies on the correspondence between a monoidal 
	theory~{\(E\)} and a semiring~{\(S_E\)} which allows us 
	to give an algebraic characterization of the deducibility 
	and indistinguishability problems. As~a consequence we 
	recover easily existing decidability results and obtain 
	several new ones.}
}
@article{DLLT-IC07,
  publisher = {Elsevier Science Publishers},
  journal = {Information and Computation},
  author = {Delaune, St{\'e}phanie and Lafourcade, Pascal and 
		 Lugiez, Denis and Treinen, Ralf},
  title = {Symbolic protocol analysis for monoidal equational theories},
  pages = {312-351},
  volume = 206,
  number = {2-4},
  year = 2008,
  month = feb # {-} # apr,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-ic07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-ic07.pdf},
  doi = {10.1016/j.ic.2007.07.005},
  abstract = {We are interested in the design of 
	automated procedures for analyzing the (in)security of 
	cryptographic protocols in the Dolev-Yao model for a 
	bounded number of sessions when we take into account some 
	algebraic properties satisfied by the operators involved 
	in the protocol. This~leads to a more realistic model 
	than what we get under the perfect cryptography 
	assumption, but it implies that protocol analysis deals 
	with terms modulo some equational theory instead of terms 
	in a free algebra. The main goal of this paper is to set 
	up a general approach that works for a whole class of 
	monoidal theories which contains many of the specific 
	cases that have been considered so far in an ad-hoc way 
	(e.g.~exclusive~or, Abelian groups, exclusive or in 
	combination with the homomorphism axiom). We~follow a 
	classical schema for cryptographic protocol analysis 
	which proves first a locality result and then reduces the 
	insecurity problem to a symbolic constraint solving 
	problem. This approach strongly relies on the 
	correspondence between a monoidal theory~{\(E\)} and a 
	semiring~{\(S_E\)} which we use to deal with the symbolic 
	constraints. We~show that the well-defined symbolic 
	constraints that are generated by reasonable protocols 
	can be solved provided that unification in the monoidal 
	theory satisfies some additional properties. 
	The~resolution process boils down to solving particular 
	quadratic Diophantine equations that are reduced to 
	linear Diophantine equations, thanks to linear algebra 
	results and the well-definedness of the problem. Examples 
	of theories that do not satisfy our additional properties 
	appear to be undecidable, which suggests that our 
	characterization is reasonably tight.}
}
@proceedings{secret2007-pre,
  title = {{P}reliminary {P}roceedings of the 2nd 
           {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
           ({SecReT}'07)},
  booktitle = {{P}reliminary {P}roceedings of the 2nd 
           {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
           ({SecReT}'07)},
  editor = {Nesi, Monica and Treinen, Ralf},
  year = 2007,
  month = jul,
  address = {Paris, France}
}
@inproceedings{BCD-jouannaud,
  address = {Cachan, France},
  month = jun,
  year = 2007,
  volume = 4600,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  acronym = {{R}ewriting, {C}omputation and {P}roof},
  booktitle = {{R}ewriting, {C}omputation and {P}roof~--- {E}ssays {D}edicated to
                  {J}ean-{P}ierre {J}ouannaud on the {O}ccasion of his 60th {B}irthday},
  editor = {Comon{-}Lundh, Hubert and Kirchner, Claude and Kirchner,
                  H{\'e}l{\`e}ne},
  author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert and Delaune,
                  St{\'e}phanie},
  title = {Deducibility Constraints, Equational Theory and Electronic Money},
  pages = {196-212},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-jpj07.ps},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-jpj07.ps},
  doi = {10.1007/978-3-540-73147-4_10},
  abstract = {The starting point of this work is a case study (from France
    T\'el\'ecom) of an electronic purse protocol. The~goal was to prove that
    the protocol is secure or that there is an attack. Modeling the protocol
    requires algebraic properties of a fragment of arithmetic, typically
    containing modular exponentiation. The~usual equational theories described
    in papers on security protocols are too weak: the~protocol cannot even be
    executed in these models. We~consider here an equational theory which is
    powerful enough for the protocol to be executed, and for which unification
    is still decidable.\par
    Our main result is the decidability of the so-called intruder deduction
    problem, i.e.,~security in presence of a passive attacker, taking the
    algebraic properties into account. Our~equational theory is a combination
    of several equational theories over non-disjoint signatures.}
}
@proceedings{CLKK-jouannaud07,
  editor = {Comon{-}Lundh, Hubert and Kirchner, Claude and Kirchner,
                  H{\'e}l{\`e}ne},
  booktitle = {Rewriting, Computation and Proof~--- Essays Dedicated to
                  Jean-Pierre Jouannaud on the Occasion of his 60th Birthday},
  title = {Rewriting, Computation and Proof~--- Essays Dedicated to
                  Jean-Pierre Jouannaud on the Occasion of his 60th Birthday},
  publisher = {Springer},
  series = {Lecture Notes in Computer Science},
  volume = 4600,
  year = 2007,
  month = jun,
  address = {Cachan, France},
  url = {http://www.springerlink.com/content/p0p40764x486/},
  doi = {10.1007/978-3-540-73147-4},
  isbn = {978-3-540-73146-7}
}
@techreport{LSV:07:20,
  author = {Bresciani, Riccardo},
  title = {The {ZRTP} Protocol~--- Security Considerations},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = 2007,
  month = may,
  type = {Research Report},
  number = {LSV-07-20},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-20.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-20.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/rr-lsv-2007-20.ps},
  note = {23~pages},
  abstract = {ZRTP is a draft of a key agreement protocol by Phil~Zimmermann,
    which relies on a Diffie-Hellman exchange to generate SRTP session
    parameters, providing confidentiality and protecting against
    \emph{Man-in-the-Middle} attacks even without a public key infrastructure or
    endpoint certificates. This is an analysis of the protocol performed with
    AVISPA and ProVerif, which tests security properties of ZRTP; in~order to
    perform the analysis, the protocol has been modeled in HLPSL (for~AVISPA)
    and in the applied \(\pi\)-calculus (for~ProVerif). An improvement to gather
    some extra resistance against \emph{Man-in-the-Middle} attacks is also proposed.}
}
@inproceedings{ACD-frocos07,
  address = {Liverpool, UK},
  month = sep,
  year = 2007,
  volume = 4720,
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer},
  editor = {Wolter, Franck},
  acronym = {{FroCoS}'07},
  booktitle = {{P}roceedings of the 6th {I}nternational {S}ymposium on {F}rontiers of
                  {C}ombining {S}ystems ({FroCoS}'07)},
  author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune,
                  St{\'e}phanie},
  title = {Combining algorithms for deciding knowledge in security
                  protocols},
  pages = {103-117},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-frocos07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-frocos07.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/ACD-frocos07.ps},
  doi = {10.1007/978-3-540-74621-8_7},
  abstract = {In formal approaches, messages sent over a network are
                  usually modeled by terms together with an equational theory,
                  axiomatizing the properties of the cryptographic functions
                  (encryption, exclusive or,~...). The analysis of
                  cryptographic protocols requires a precise understanding of
                  the attacker knowledge. Two standard notions are usually
                  used: deducibility and indistinguishability. Those notions
                  are well-studied and a lot of decidability results already
                  exist to deal with a variety of equational theories.\par
                  We~show that decidability results can be easily combined for
                  any disjoint equational theories: if the deducibility and
                  indistinguishability relations are decidable for two
                  disjoint theories, they are also decidable for their union.
                  As~an application, new decidability results can be obtained
                  using this combination theorem.}
}
@inproceedings{KM-esorics07,
  address = {Dresden, Germany},
  month = sep,
  year = 2007,
  volume = 4734,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Biskup, Joachim and Lopez, Javier},
  acronym = {{ESORICS}'07},
  booktitle = {{P}roceedings of the 12th {E}uropean {S}ymposium on
		{R}esearch in {C}omputer {S}ecurity ({ESORICS}'07)},
  author = {Kremer, Steve and Mazar{\'e}, Laurent},
  title = {Adaptive Soundness of Static Equivalence},
  pages = {610-625},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-esorics07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-esorics07.pdf},
  doi = {10.1007/978-3-540-74835-9_40},
  abstract = {We define a framework to reason about implementations of 
   equational theories in the presence of an adaptive adversary. We 
   particularly focus on soundness of static equivalence. We illustrate our 
   framework on several equational theories: symmetric encryption, XOR, 
   modular exponentiation and also joint theories of encryption and modular 
   exponentiation. This last example relies on a combination result for 
   reusing proofs for the separate theories. Finally, we~define a model for 
   symbolic analysis of dynamic group key exchange protocols, and show its 
   computational soundness.}
}
@inproceedings{Gou-csl07,
  address = {Lausanne, Switzerland},
  month = sep,
  year = 2007,
  volume = 4646,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Duparc, Jacques and Henzinger, {\relax Th}omas A.},
  acronym = {{CSL}'07},
  booktitle = {{P}roceedings of the 16th {A}nnual {EACSL} {C}onference on
                  {C}omputer {S}cience {L}ogic ({CSL}'07)},
  author = {Goubault{-}Larrecq, Jean},
  title = {Continuous Previsions},
  pages = {542-557},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-csl07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-csl07.pdf},
  doi = {10.1007/978-3-540-74915-8_40},
  abstract = {We define strong monads of continuous (lower, upper) previsions,
    and of forks, modeling both probabilistic and non-deterministic choice.
    This is an elegant alternative to recent proposals by Mislove, Tix,
    Keimel, and Plotkin. We show that our monads are sound and complete, in
    the sense that they model exactly the interaction between probabilistic
    and (demonic, angelic, chaotic) choice.}
}
@techreport{DGA:rap3,
  author = {Lafourcade, Pascal},
  title = {Rapport final d'activit{\'e} {\`a}~{\(11\)}~mois, contrat~{CNRS/DGA} 
         r{\'e}f{\'e}rence~: 06~60~019~00~470~75~01
         <<~{U}tilisation et exploitation des th{\'e}ories {\'e}quationnelles 
	    dans l'analyse des protocoles cryptographiques~>>},
  type = {Contract Report},
  institution = {DGA},
  year = {2007},
  month = oct,
  note = {6~pages},
  url = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap3.ps},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap3.ps}
}
@techreport{DGA:rap2,
  author = {Lafourcade, Pascal},
  title = {Rapport d'activit{\'e}s {\`a}~{\(6\)}~mois, contrat~{CNRS/DGA} 
         r{\'e}f{\'e}rence~: 06~60~019~00~470~75~01
         <<~{U}tilisation et exploitation des th{\'e}ories {\'e}quationnelles 
	    dans l'analyse des protocoles cryptographiques~>>},
  type = {Contract Report},
  institution = {DGA},
  year = {2007},
  month = apr,
  note = {5~pages},
  url = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap2.ps},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap2.ps}
}
@techreport{DGA:rap1,
  author = {Lafourcade, Pascal},
  title = {Rapport d'activit{\'e}s {\`a}~{\(3\)}~mois, contrat~{CNRS/DGA} 
         r{\'e}f{\'e}rence~: 06~60~019~00~470~75~01
         <<~{U}tilisation et exploitation des th{\'e}ories {\'e}quationnelles 
	    dans l'analyse des protocoles cryptographiques~>>},
  type = {Contract Report},
  institution = {DGA},
  year = {2007},
  month = jan,
  note = {3~pages},
  url = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap1.ps},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PS/DGA-rap1.ps}
}
@inproceedings{JGL-icalp07,
  address = {Wroc{\l}aw, Poland},
  month = jul,
  year = 2007,
  volume = 4596,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Arge, Lars and Cachin, {\relax Ch}ristian and Jurdzi{\'n}ski, Tomasz
	 	and Tarlecki, Andrzej},
  acronym = {{ICALP}'07},
  booktitle = {{P}roceedings of the 34th {I}nternational 
               {C}olloquium on {A}utomata, {L}anguages and 
               {P}rogramming ({ICALP}'07)},
  author = {Goubault{-}Larrecq, Jean},
  title = {Continuous Capacities on Continuous State Spaces},
  pages = {764-776},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-icalp07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-icalp07.pdf},
  doi = {10.1007/978-3-540-73420-8_66},
  abstract = {We propose axiomatizing some stochastic games, in a
    continuous state
    space setting, using continuous belief functions, resp.
    plausibilities, instead of measures.  Then, stochastic games are
    just variations on continuous Markov chains.  We argue that drawing
    at random along a belief function is the same as letting the
    probabilistic player~\(P\) play first, then letting the
    non-deterministic player~\(C\) play demonically.  The same
    holds for an angelic~\(C\), using plausibilities instead.
    We then define a simple modal logic, and characterize simulation in
    terms of formulae of this logic.  Finally, we show that (discounted)
    payoffs are defined and unique, where in the demonic case, 
    \(P\)~maximizes payoff, while \(C\)~minimizes it.}
}
@inproceedings{CDS-csf07,
  address = {Venice, Italy},
  month = jul,
  year = 2007,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'07},
  booktitle = {{P}roceedings of the 
               20th {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'07)},
  author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie and Steel, Graham},
  title = {A Formal Theory of Key Conjuring},
  pages = {79-93},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDS-csf07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDS-csf07.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CDS-csf07.ps},
  doi = {10.1109/CSF.2007.5},
  abstract = {We describe a formalism for \emph{key conjuring}, the process by
    which an attacker obtains an unknown, encrypted key by repeatedly calling
    a cryptographic API function with random values in place of keys. This
    technique has been used to attack the security APIs of several Hardware
    Security Modules~(HSMs), which are widely deployed in the ATM (cash
    machine) network. We~propose a formalism for detecting computationally
    feasible key conjuring operations, incorporated into a Dolev-Yao style
    model of the security~API. We~show that security in the presence of key
    conjuring operations is decidable for a particular class of~APIs, which
    includes the key management~API of IBM's Common Cryptographic
    Architecture~(CCA).}
}
@inproceedings{Gou-lics07,
  address = {Wroc{\l}aw, Poland},
  month = jul,
  year = 2007,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{LICS}'07},
  booktitle = {{P}roceedings of the 22nd
               {A}nnual {IEEE} {S}ymposium on
               {L}ogic in {C}omputer {S}cience
               ({LICS}'07)},
  author = {Goubault{-}Larrecq, Jean},
  title = {On {N}oetherian Spaces},
  pages = {453-462},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-lics07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-lics07.pdf},
  doi = {10.1109/LICS.2007.34},
  abstract = {A topological space is Noetherian iff every open is compact.
  Our~starting point is that this notion generalizes that of
  well-quasi order, in the sense that an Alexandroff-discrete space is
  Noetherian iff its specialization quasi-ordering is well.  For~more
  general spaces, this opens the way to verifying infinite transition
  systems based on non-well quasi ordered sets, but where the preimage
  operator satisfies an additional continuity assumption.  The
  technical development rests heavily on techniques arising from
  topology and domain theory, including sobriety and the de Groot dual
  of a stably compact space.  We~show that the category Nthr of
  Noetherian spaces is finitely complete and finitely cocomplete.
  Finally, we note that if \(X\)~is a Noetherian space, then the set of
  all (even infinite) subsets of~\(X\) is again Noetherian, a~result
  that fails for well-quasi orders.}
}
@techreport{LSV:07:10,
  author = {Bouhoula, Adel and Jacquemard, Florent},
  title = {Tree Automata, Implicit Induction and Explicit Destructors for 
	    Security Protocol Verification},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = 2007,
  month = feb,
  type = {Research Report},
  number = {LSV-07-10},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-10.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-10.pdf},
  note = {21~pages},
  abstract = {We present a new method for automatic implicit induction theorem
    proving, and its application for the verification of cryptographic
    protocols. The~method is based on constrained tree grammars and handles
    non-confluent rewrite systems which are required in the context of the
    verification of security protocols because of the non-deterministic
    behavior of attackers. It~also handles axioms between constructor terms
    which allows us to specify explicit destructors representing cryptographic
    operators. Constrained tree grammars are used in our procedure both as
    induction schemes and as oracles for checking validity and redundancy by
    reduction to an emptiness problem. They also allow us to characterize
    security failure of cryptographic protocols as sets of execution traces
    corresponding to an attack. This~way, we obtain a generic framework for
    the verification of protocols, in~which we can verify reachability
    properties like confidentiality, but also more complex properties like
    authentication. We present three case studies which gave very promising
    results.}
}
@techreport{KL-eth07,
  author = {Ksi{\k e}{\. z}opolski, Bogdan and Lafourcade, Pascal},
  title = {Attack and Revision of an Electronic Auction Protocol using~{OFMC}},
  institution = {Department of Computer Science, ETH Zurich, Switzerland},
  year = 2007,
  month = feb,
  type = {Technical Report},
  number = {549},
  note = {13~pages},
  nmnote = {on peut pas dire que ce soit un papier du labo... Si en fait,
                  car Pascal etait la-bas sur un contrat gere par le LSV},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KL-eth549.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KL-eth549.pdf},
  abstract = {In the article we show an attack on the cryptographic protocol
                  of electronic auction with extended requirements
                  [Ksiezopolski and Kotulski, \textit{Cryptographic protocol
                  for electronic auctions with extended requirements},~2004].
                  The found attack consists of authentication breach and
                  secret retrieval. It~is a kind of {"}man-in-the-middle
                  attack{"}. The intruder impersonates an agent and learns some
                  secret information. We have discovered this flaw using OFMC,
                  an automatic tool for cryptographic protocol verification.
                  After a description of this attack, we propose a new version
                  of the e-auction protocol. We also check with OFMC the
                  secrecy for the new protocol and give an informal proof of
                  the other properties that this new e-auction protocol has to
                  guarantee.}
}
@inproceedings{Maz-wits07,
  address = {Braga, Portugal},
  month = mar,
  year = 2007,
  editor = {Focardi, Riccardo},
  acronym = {{WITS}'07},
  booktitle = {{P}reliminary {P}roceedings of the 7th {I}nternational {W}orkshop 
           on {I}ssues in the {T}heory of {S}ecurity ({WITS}'07)},
  author = {Mazar{\'e}, Laurent},
  title = {Computationally Sound Analysis of Protocols using Bilinear Pairings},
  pages = {6-21},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Maz-wits07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Maz-wits07.pdf},
  abstract = {In this paper, we introduce a symbolic model to analyse
    protocols that use a bilinear pairing between two cyclic groups. This
    model consists in an extension of the Abadi-Rogaway logic and we prove
    that the logic is still computationally sound: symbolic
    indistinguishability implies computational indistinguishability provided
    that the Bilinear Decisional Diffie-Hellman assumption is verified and
    that the encryption scheme is IND-CPA secure. We~illustrate our results on
    classical protocols using bilinear pairing like Joux tripartite
    Diffie-Hellman protocol or the TAK-2 and TAK-3 protocols.}
}
@techreport{LSV:07:03,
  author = {Goubault{-}Larrecq, Jean},
  title = {Believe It Or Not, {GOI}~is a Model of Classical Linear Logic},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = 2007,
  month = jan,
  type = {Research Report},
  number = {LSV-07-03},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-03.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2007-03.pdf},
  note = {18~pages},
  othernote = {a draft of the longer version of this report is available at 
          http://www.lsv.ens-cachan.fr/~goubault/isg.pdf},
  abstract = {We introduce the Danos-R\'egnier category \(\mathcal{DR}(M)\) of a linear
  inverse monoid~\(M\), a categorical description of geometries of
  interaction~(GOI).  The usual setting for GOI is that of a weakly
  Cantorian linear inverse monoid.  It is well-known that GOI is
  perfectly suited to describe the multiplicative fragment of linear
  logic, and indeed \(\mathcal{DR}(M)\) will be a \(*\)-autonomous category in this
  case.  It is also well-known that the categorical interpretation of
  the other linear connectives conflicts with GOI interpretations.  We
  make this precise, and show that \(\mathcal{DR}(M)\) has no terminal object, no
  cartesian product, and no exponential---whatever \(M\) is, unless \(M\)
  is trivial.  However, a form of coherence completion of~\(\mathcal{DR}(M)\) \`a
  la Hu-Joyal provides a model of full classical linear logic, as soon
  as \(M\) is weakly Cantorian.}
}
@phdthesis{THESE-baudet07,
  author = {Baudet, Mathieu},
  title = {S{\'e}curit{\'e} des protocoles cryptographiques~: 
	 	  aspects logiques et calculatoires},
  year = 2007,
  month = jan,
  type = {Th{\`e}se de doctorat},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-baudet.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-baudet.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/these-baudet.ps},
  abstract = {This thesis is dedicated to the automatic verification of
    cryptographic protocols in the logical and computational settings. \par
    The~first part concerns the security of protocols in the logical
    ({"}formal{"}) framework. To~begin with, we show how to specify various
    security properties of protocols in a concurrent language, and how to
    analyze them automatically for a bounded number of sessions.
    The~properties under consideration include notably simple secrecy,
    authentication and resistance to dictionary attacks. \par
    The~second part deals with the computational soundness of logical models.
    The~main question here is to what extent the fact that no logical attack
    exists on a protocol implies that it is provably secure in the usual
    cryptographic model (called the computational model). We~concentrate on
    static equivalence, applied notably to several kinds of encryption and
    data vulnerable to dictionary attacks (such as passwords). We~show that
    under simple conditions, any (logical) proof of static equivalence between
    two messages implies their (computational) indistinguishability. This
    entails computational soundness in the passive case for the notion of
    dictionary attacks developed in the first part.}
}
@article{VG-icomp2007,
  publisher = {Elsevier Science Publishers},
  journal = {Information and Computation},
  author = {Verma, Kumar N. and Goubault{-}Larrecq, Jean},
  title = {Alternating Two-Way {AC}-Tree Automata},
  pages = {817-869},
  year = {2007},
  month = jun,
  volume = 205,
  number = 6,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/VG-icomp07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/VG-icomp07.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/VG-icomp07.ps},
  doi = {10.1016/j.ic.2006.12.006},
  abstract = {We explore the notion of alternating two-way tree automata
                  modulo the theory of finitely many associative-commutative
                  (AC) symbols. This was prompted by questions arising in
                  cryptographic protocol verification, in~particular in
                  modeling group key agreement schemes based on
                  Diffie-Hellman-like functions, where the emptiness question
                  for intersections of such automata is fundamental. This also
                  has independent interest. We~show that the use of general
                  push clauses, or of alternation, leads to undecidability,
                  already in the case of one AC symbol, with only functions of
                  arity zero. On~the other hand, emptiness is decidable in the
                  general case of several function symbols, including several
                  AC symbols, provided push clauses are unconditional and
                  intersection clauses are final. This class of automata is
                  also shown to be closed under intersection.}
}
@inproceedings{CJP-fossacs07,
  address = {Braga, Portugal},
  month = mar,
  year = 2007,
  volume = 4423,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Seidl, Helmut},
  acronym = {{FoSSaCS}'07},
  booktitle = {{P}roceedings of the 10th {I}nternational
               {C}onference on {F}oundations of {S}oftware {S}cience
               and {C}omputation {S}tructures
               ({FoSSaCS}'07)},
  author = {Comon{-}Lundh, Hubert and Jacquemard, Florent and
		  Perrin, Nicolas},
  title = {Tree Automata with Memory, Visibility and Structural 
		  Constraints},
  pages = {168-182},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-fossacs07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-fossacs07.pdf},
  doi = {10.1007/978-3-540-71389-0_13},
  abstract = {Tree automata with one memory have been introduced in~2001. They
generalize both pushdown (word) automata and the tree automata with
constraints of equality between brothers of Bogaert and Tison. Though it has a
decidable emptiness problem, the main weakness of this model is its lack of
good closure properties. We~propose a generalization of the visibly pushdown
automata of Alur and Madhusudan to a family of tree recognizers which carry
along their (bottom-up) computation an auxiliary unbounded memory with a tree
structure (instead of a symbol stack). In~other words, these recognizers,
called visibly Tree Automata with Memory~(VTAM) define a subclass of tree
automata with one memory enjoying Boolean closure properties. We show in
particular that they can be determinized and the problems like emptiness,
inclusion and universality are decidable for~VTAM. Moreover, we propose an
extension of VTAM whose transitions may be constrained by structural equality
and disequality tests between memories, and show that this extension preserves
the good closure and decidability properties. }
}
@inproceedings{BCD-stacs2007,
  address = {Aachen, Germany},
  month = feb,
  year = 2007,
  volume = 4393,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Thomas, Wolfgang and Weil, Pascal},
  acronym = {{STACS}'07},
  booktitle = {{P}roceedings of the 24th {A}nnual
               {S}ymposium on {T}heoretical {A}spects of
               {C}omputer {S}cience
               ({STACS}'07)},
  author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert and Delaune,
                  St{\'e}phanie},
  title = {Associative-Commutative Deducibility Constraints},
  pages = {634-645},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-stacs07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-stacs07.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-stacs07.ps},
  doi = {10.1007/978-3-540-70918-3_54},
  abstract = {We consider deducibility constraints, which are equivalent to
  particular Diophantine systems, arising in the automatic verification of
  security protocols, in presence of associative and commutative symbols. We
  show that deciding such Diophantine systems is, in general, undecidable. Then,
  we consider a simple subclass, which we show decidable. Though the solutions
  of these problems are not necessarily semi-linear sets, we show that there are
  (computable) semi-linear sets whose minimal solutions are not too far from the
  minimal solutions of the system. Finally, we consider a small variant of the
  problem, for which there is a much simpler decision algorithm. }
}
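@article{Baudet05jalc,
  journal = {Journal of Automata, Languages and Combinatorics},
  author = {Baudet, Mathieu},
  title = {Random Polynomial-Time Attacks and {D}olev-{Y}ao Models},
  year = 2006,
  volume = 11,
  number = 1,
  pages = {7--21},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bau05-jalc.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bau05-jalc.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/Bau05-jalc.ps},
  internal-note = {The key and file names say 05 while the issue is dated 2006;
                   the key is kept unchanged so existing citations keep resolving},
  abstract = {In this paper we present an extension of 
	Dolev-Yao models for security protocols with a notion 
	of random polynomial-time (Las Vegas) computability. 
	First we notice that Dolev-Yao models can be seen as 
	transition systems, possibly infinite. We then extend 
	these transition systems with computation times and 
	probabilities. The extended models can account for 
	normal Dolev-Yao transitions as well as nonstandard 
	operations such as inverting a one-way function. Our 
	main contribution consists of showing that under 
	reasonable assumptions the extended models are 
	equivalent to standard Dolev-Yao models as far as 
	(safety) security properties are concerned.}
}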
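@article{LLT-icomp07,
  publisher = {Elsevier Science Publishers},
  journal = {Information and Computation},
  author = {Lafourcade, Pascal and Lugiez, Denis and Treinen, Ralf},
  title = {Intruder Deduction for the Equational Theory of {A}belian Groups with 
                  Distributive Encryption},
  year = 2007,
  volume = 205,
  number = 4,
  pages = {581--623},
  month = apr,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-icomp07.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/LLT-icomp07.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/LLT-icomp07.ps},
  doi = {10.1016/j.ic.2006.10.008},
  abstract = {Cryptographic protocols are small programs which involve a high
  level of concurrency and which are difficult to analyze by hand. The~most
  successful methods to verify such protocols are based on rewriting
  techniques and automated deduction in order to implement or mimic the
  process calculus describing the execution of a protocol. We~are interested
  in the intruder deduction problem, that is vulnerability to passive attacks
  in presence of equational theories which model the protocol specification
  and properties of the cryptographic operators.\par
  In the present paper we consider the case where the encryption distributes
  over the operator of an Abelian group or over an exclusive-or 
  operator. We~prove decidability of the intruder deduction problem in both 
  cases. We~obtain a PTIME decision procedure in a restricted case, the  
  so-called binary case.\par
  These decision procedures are based on a careful analysis of the proof
  system modeling the deductive power of the intruder, taking into account the
  algebraic properties of the equational theories under consideration.
  The~analysis of the deduction rules interacting with the equational theory
  relies on the manipulation of \(\mathbb{Z}\)-modules in the general case,
  and on results from prefix rewriting in the binary case.}
}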
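@book{TATA07,
  author = {Comon{-}Lundh, Hubert and Dauchet, Max and Gilleron, R{\'e}mi and
                L{\"o}ding, Christof and Jacquemard, Florent and 
		Lugiez, Denis and Tison, Sophie and Tommasi, Marc},
  title = {Tree Automata Techniques and Applications},
  year = 2007,
  month = nov,
  url = {http://www.grappa.univ-lille3.fr/tata/},
  nmhowpublished = {Available on: \url{http://www.grappa.univ-lille3.fr/tata}},
  nmnote = {release October, 12th 2007},
  internal-note = {Self-published online, so the publisher field required by
                   @book is absent and BibTeX will warn; the nm-prefixed
                   fields are deliberately disabled copies kept for reference}
}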
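@inproceedings{HCL-fsttcs08,
  address = {Bangalore, India},
  month = dec,
  year = 2008,
  volume = 2,
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Hariharan, Ramesh and Mukund, Madhavan and Vinay, V.},
  acronym = {{FSTTCS}'08},
  booktitle = {{P}roceedings of the 28th {C}onference on
               {F}oundations of {S}oftware {T}echnology and
               {T}heoretical {C}omputer {S}cience
               ({FSTTCS}'08)},
  author = {Comon{-}Lundh, Hubert},
  title = {About Models of Security Protocols},
  nopages = {},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-fsttcs08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-fsttcs08.pdf},
  abstract = {In this paper, mostly consisting of definitions, we~revisit the
    models of security protocols: we~show that the symbolic and the
    computational models (as~well as others) are instances of a same generic
    model. Our definitions are also parametrized by the security primitives,
    the notion of attacker and, to some extent, the process calculus.}
}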
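@article{GLLN-mscs08,
  publisher = {Cambridge University Press},
  journal = {Mathematical Structures in Computer Science},
  author = {Goubault{-}Larrecq, Jean and Lasota, S{\l}awomir
                  and Nowak, David},
  title = {Logical Relations for Monadic Types},
  volume = 18,
  number = 6,
  pages = {1169--1217},
  month = dec,
  year = 2008,
  note = {81~pages},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GLLN-arxiv05.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/GLLN-arxiv05.pdf},
  doi = {10.1017/S0960129508007172},
  abstract = {Logical relations and their generalisations are a fundamental
                  tool in proving properties of lambda calculi, for example,
                  for yielding sound principles for observational equivalence.
                  We propose a natural notion of logical relations that is
                  able to deal with the monadic types of Moggi's computational
                  lambda calculus. The treatment is categorical, and is based
                  on notions of subsconing, mono factorisation systems and
                  monad morphisms. Our approach has a number of interesting
                  applications, including cases for lambda calculi with
                  non-determinism (where being in a logical relation means
                  being bisimilar), dynamic name creation and probabilistic
                  systems.}
}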
@phdthesis{bursztein-these2008,
  author       = {Bursztein, Elie},
  title        = {Anticipation games. Th{\'e}orie des jeux appliqu{\'e}s {\`a} la 
  		s{\'e}curit{\'e} r{\'e}seau},
  type         = {Th{\`e}se de doctorat},
  school       = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year         = 2008,
  month        = nov,
  url          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-EB08.pdf},
  pdf          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-EB08.pdf},
  futureslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/
                these-AS07-slides.pdf}
}
@phdthesis{arapinis-these2008,
  author       = {Arapinis, Myrto},
  title        = {S{\'e}curit{\'e} des protocoles cryptographiques~:
                  d{\'e}cidabilit{\'e} et r{\'e}sultats de r{\'e}duction},
  type         = {Th{\`e}se de doctorat},
  school       = {Universit{\'e} Paris~12, Cr{\'e}teil, France},
  year         = 2008,
  month        = nov,
  url          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-MA07.pdf},
  pdf          = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/these-MA07.pdf},
  futureslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/
                these-FC07-slides.pdf}
}
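@article{CD-fmsd08,
  publisher = {Springer},
  journal = {Formal Methods in System Design},
  author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {Safely Composing Security Protocols},
  volume = 34,
  number = 1,
  pages = {1--36},
  month = feb,
  year = 2009,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-fmsd08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-fmsd08.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/CD-fmsd08.ps},
  doi = {10.1007/s10703-008-0059-4},
  abstract = {Security protocols are small programs that are executed in
    hostile environments. Many results and tools have been developed to
    formally analyze the security of a protocol in the presence of an active
    attacker that may block, intercept and send new messages. However even
    when a protocol has been proved secure, there is absolutely no guarantee
    if the protocol is executed in an environment where other protocols are
    executed, possibly sharing some common keys like public keys or long-term
    symmetric keys.\par
    In this paper, we show that security of protocols can be easily composed.
    More precisely, we show that whenever a protocol is secure, it remains
    secure even in an environment where arbitrary protocols satisfying a
    reasonable (syntactic) condition are executed. This result holds for a
    large class of security properties that encompasses secrecy and various
    formulations of authentication.}
}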
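@misc{PhS-AV2008,
  author = {Schnoebelen, {\relax Ph}ilippe},
  title = {The Complexity of Lossy Channel Systems},
  year = 2008,
  month = aug,
  noslides = {},
  howpublished = {Invited talk, Workshop {A}utomata and {V}erification
                  ({AV}'08), Mons, Belgium}
}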
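@inproceedings{EB-fast08,
  address = {Malaga, Spain},
  month = apr,
  year = 2009,
  volume = 5491,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Degano, Pierpaolo and Guttman, Joshua and 
		Martinelli, Fabio},
  acronym = {{FAST}'08},
  booktitle = {{R}evised {S}elected {P}apers of the 5th {I}nternational {W}orkshop on 
	   {F}ormal {A}spects in {S}ecurity and {T}rust ({FAST}'08)},
  author = {Bursztein, Elie},
  title = {Extending Anticipation Games with Location, Penalty and
        Timeline},
  pages = {272--286},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/eb-fast08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/eb-fast08.pdf},
  doi = {10.1007/978-3-642-01465-9_18},
  abstract = {Over the last few years, attack graphs have become a well
    recognized tool to analyze and model complex network attack. The most
    advanced evolution of attack graphs, called anticipation games, is based
    on game theory. However even if anticipation games allow to model time,
    collateral effects and player interactions with the network, there is
    still key aspects of the network security that cannot be modeled in this
    framework. These aspects are network cooperation to fight unknown attack,
    the cost of attack based on its duration and the introduction of new
    attack over the time. In this paper we address these needs, by introducing
    a three-fold extension to anticipation games. We prove that this extension
    does not change the complexity of the framework. We illustrate the
    usefulness of this extension by presenting how it can be used to find a
    defense strategy against 0 days that use a honey net. Finally, we have
    implemented this extension into a prototype, to show that it can be used
    to analyze large networks security.}
}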
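@inproceedings{CLC-ccs08,
  address = {Alexandria, Virginia, USA},
  month = oct,
  year = 2008,
  publisher = {ACM Press},
  acronym = {{CCS}'08},
  booktitle = {{P}roceedings of the 15th {ACM} {C}onference
               on {C}omputer and {C}ommunications {S}ecurity
               ({CCS}'08)},
  author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique},
  title = {Computational Soundness of Observational Equivalence},
  pages = {109--118},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CLC-ccs08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CLC-ccs08.pdf},
  doi = {10.1145/1455770.1455786},
  abstract = {Many security properties are naturally expressed as
                  indistinguishability between two versions of a protocol. In
                  this paper, we show that computational proofs of
                  indistinguishability can be considerably simplified, for a
                  class of processes that covers most existing protocols. More
                  precisely, we show a soundness theorem, following the line
                  of research launched by Abadi and Rogaway in~2000:
                  computational indistinguishability in presence of an active
                  attacker is implied by the observational equivalence of the
                  corresponding symbolic processes. We prove our result for
                  symmetric encryption, but the same techniques can be applied
                  to other security primitives such as signatures and
                  public-key encryption. The proof requires the introduction
                  of new concepts, which are general and can be reused in
                  other settings.}
}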
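@mastersthesis{ciobaca-master,
  author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan},
  title = {Verification of Anonymity Properties in E-Voting Protocols},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = 2008,
  month = sep,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-ciobaca.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-ciobaca.pdf}
}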
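@inproceedings{ADK-lpar08,
  address = {Doha, Qatar},
  month = nov,
  year = 2008,
  volume = 5330,
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer},
  editor = {Cervesato, Iliano and Veith, Helmut and Voronkov, Andrei},
  acronym = {{LPAR}'08},
  booktitle = {{P}roceedings of the 15th {I}nternational
               {C}onference on {L}ogic for {P}rogramming,
               {A}rtificial {I}ntelligence, and {R}easoning
               ({LPAR}'08)},
  author = {Arapinis, Myrto and Delaune, St{\'e}phanie and Kremer, Steve},
  title = {From One Session to Many: Dynamic Tags for Security Protocols},
  pages = {128--142},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ADK-lpar08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ADK-lpar08.pdf},
  doi = {10.1007/978-3-540-89439-1_9},
  abstract = {The design and verification of cryptographic 
	protocols is a notoriously difficult task, even in abstract 
	Dolev-Yao models. This is mainly due to several sources of 
	unboundedness (size of messages, number of sessions,~...). 
	In~this paper, we~present a transformation which maps a protocol 
	that is secure for a single session to a protocol that is secure 
	for an unbounded number of sessions. The~transformation is 
	surprisingly simple, computationally light and works for 
	arbitrary protocols that rely on usual cryptographic primitives, 
	such as symmetric and asymmetric encryption as well as digital 
	signatures. Our~result provides an effective strategy to design 
	secure protocols: (i)~design a protocol intended to be secure 
	for one session (this can be verified with existing automated 
	tools); (ii)~apply our transformation and obtain a protocol 
	which is secure for an unbounded number of sessions. 
	A~side-effect of this result is that we characterize a class of 
	protocols for which secrecy for an unbounded number of sessions 
	is decidable.}
}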
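@inproceedings{HCL-ijcar08,
  address = {Sydney, Australia},
  month = aug,
  year = 2008,
  volume = 5195,
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer},
  editor = {Armando, Alessandro and Baumgartner, Peter and 
		Dowek, Gilles},
  acronym = {{IJCAR}'08},
  booktitle = {{P}roceedings of the 4th {I}nternational {J}oint
           {C}onference on {A}utomated {R}easoning
           ({IJCAR}'08)},
  author = {Comon{-}Lundh, Hubert},
  title = {Challenges in the Automated Verification of Security
                  Protocols},
  pages = {396--409},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-ijcar08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HCL-ijcar08.pdf},
  doi = {10.1007/978-3-540-71070-7_34},
  abstract = {The application area of security protocols raises several
                  problems that are relevant to automated deduction. We
                  describe in this note some of these challenges.}
}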
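@article{DKR-jcs08,
  publisher = {{IOS} Press},
  journal = {Journal of Computer Security},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title = {Verifying Privacy-type Properties of Electronic Voting 
		 Protocols},
  volume = 17,
  number = 4,
  month = jul,
  year = 2009,
  pages = {435--487},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs08.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DKR-jcs08.ps},
  doi = {10.3233/JCS-2009-0340},
  abstract = {Electronic voting promises the possibility of a convenient,
    efficient and secure facility for recording and tallying votes in an
    election. Recently highlighted inadequacies of implemented systems have
    demonstrated the importance of formally verifying the underlying voting
    protocols. We study three privacy-type properties of electronic voting
    protocols: in increasing order of strength, they are vote-privacy,
    receipt-freeness, and coercion-resistance.\par
    We use the applied pi calculus, a formalism well adapted to modelling such
    protocols, which has the advantages of being based on well-understood
    concepts. The privacy-type properties are expressed using observational
    equivalence and we show in accordance with intuition that
    coercion-resistance implies receipt-freeness, which implies vote-privacy.\par
    We illustrate our definitions on three electronic voting protocols from
    the literature. Ideally, these three properties should hold even if the
    election officials are corrupt. However, protocols that were designed to
    satisfy receipt-freeness or coercion-resistance may not do so in the
    presence of corrupt officials. Our model and definitions allow us to
    specify and easily change which authorities are supposed to be
    trustworthy.}
}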
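@inproceedings{Bur-atva08,
  address = {Seoul, Korea},
  month = oct,
  year = 2008,
  volume = 5311,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Cha, Sungdeok and Choi, Jin-Young and Kim, Moonzoo 
		and Lee, Insup and Viswanathan, Mahesh},
  acronym = {{ATVA}'08},
  booktitle = {{P}roceedings of the 6th {I}nternational
               {S}ymposium on {A}utomated {T}echnology
               for {V}erification and {A}nalysis
               ({ATVA}'08)},
  author = {Bursztein, Elie},
  title = {Net{Q}i: A~Model Checker for Anticipation Game},
  pages = {246--251},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-atva08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-atva08.pdf},
  doi = {10.1007/978-3-540-88387-6_22},
  abstract = {NetQi is a freely available model-checker designed to analyze
    network incidents such as intrusion. This tool is an implementation of the
    anticipation game framework, a variant of timed game tailored for network
    analysis. The main purpose of NetQi is to find, given a network initial
    state and a set of rules, the best strategy that fulfills player
    objectives by model-checking the anticipation game and comparing the
    outcome of each play that fulfills strategy constraints. For instance, it
    can be used to find the best patching strategy. NetQi has been
    successfully used to analyze service failure due to hardware, network
    intrusion, worms and multiple-site intrusion defense cooperation.}
}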
@techreport{LSV:08:18,
  author      = {Goubault{-}Larrecq, Jean},
  title       = {A Cone-Theoretic {K}rein-{M}ilman Theorem},
  type        = {Research Report},
  number      = {LSV-08-18},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  month       = jun,
  year        = 2008,
  note        = {8~pages},
  url         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-18.pdf},
  pdf         = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-18.pdf},
  abstract    = {We prove the following analogue of the Krein-Milman 
    Theorem: in any locally convex \(T_{0}\) topological cone, every 
    convex compact saturated subset is the compact saturated convex hull 
    of its extreme points.}
}
@article{CJP-lmcs08,
  author   = {Comon{-}Lundh, Hubert and Jacquemard, Florent and Perrin, Nicolas},
  title    = {Visibly Tree Automata with Memory and Constraints},
  journal  = {Logical Methods in Computer Science},
  volume   = 4,
  number   = {2\string:8},
  nopages  = {},
  month    = jun,
  year     = 2008,
  doi      = {10.2168/LMCS-4(2:8)2008},
  url      = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-lmcs08.pdf},
  pdf      = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CJP-lmcs08.pdf},
  abstract = {Tree automata with one memory have been introduced in~2001. They
    generalize both pushdown (word) automata and the tree automata with
    constraints of equality between brothers of Bogaert and Tison. Though it
    has a decidable emptiness problem, the main weakness of this model is its
    lack of good closure properties.\par
    We propose a generalization of the visibly pushdown automata of Alur 
    and~Madhusudan to a family of tree recognizers which carry along their
    (bottom-up) computation an auxiliary unbounded memory with a tree
    structure (instead of a symbol stack). In~other words, these recognizers,
    called Visibly Tree Automata with Memory~(VTAM) define a subclass of tree
    automata with one memory enjoying Boolean closure properties. We~show in
    particular that they can be determinized and the problems like emptiness,
    membership, inclusion and universality are decidable for VTAM. Moreover,
    we propose several extensions of VTAM whose transitions may be constrained
    by different kinds of tests between memories and also constraints
    \emph{{\`a}~la} Bogaert and~Tison. We~show that some of these classes of
    constrained VTAM keep the good closure and decidability properties, and we
    demonstrate their expressiveness with relevant examples of tree
    languages.}
}
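@inproceedings{KMT-ijcar08,
  address = {Sydney, Australia},
  month = aug,
  year = 2008,
  volume = 5195,
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer},
  editor = {Armando, Alessandro and Baumgartner, Peter and 
		Dowek, Gilles},
  acronym = {{IJCAR}'08},
  booktitle = {{P}roceedings of the 4th {I}nternational {J}oint
           {C}onference on {A}utomated {R}easoning
           ({IJCAR}'08)},
  author = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
  title = {Proving Group Protocols Secure Against Eavesdroppers},
  pages = {116--131},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-ijcar08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-ijcar08.pdf},
  doi = {10.1007/978-3-540-71070-7_9},
  abstract = {Security protocols are small programs 
	designed to ensure properties such as secrecy of messages 
	or authentication of parties in a hostile environment. In 
	this paper we investigate automated verification of a 
	particular type of security protocols, called \emph{group 
	protocols}, in the presence of an eavesdropper, i.e., a 
	passive attacker. The specificity of group protocols is 
	that the number of participants is not bounded.\par
	Our approach consists in representing an infinite set of 
	messages exchanged during an unbounded number of sessions, 
	one session for each possible number of participants, as 
	well as the infinite set of associated secrets. We use 
	so-called visibly tree automata with memory and structural 
	constraints (introduced recently by Comon-Lundh 
	\textit{et~al.})  to represent over-approximations of these 
	two sets. We~identify restrictions on the specification of 
	protocols which allow us to reduce the attacker 
	capabilities guaranteeing that the above mentioned class of 
	automata is closed under the application of the remaining 
	attacker rules. The class of protocols respecting these 
	restrictions is large enough to cover several existing 
	protocols, such as the GDH family, GKE, and others.}
}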
@proceedings{CKR-dagstuhl07,
  title     = {Formal Protocol Verification Applied},
  booktitle = {Formal Protocol Verification Applied},
  editor    = {Chen, Liqun and Kremer, Steve and Ryan, Mark D.},
  series    = {Dagstuhl Seminar Proceedings},
  volume    = {07421},
  address   = {Dagstuhl, Germany},
  year      = 2008,
  url       = {http://drops.dagstuhl.de/portals/index.php?semnr=07421}
}
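@inproceedings{JGL:badweeds,
  address = {Budapest, Hungary},
  month = mar,
  year = 2008,
  volume = 5289,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Leucker, Martin},
  acronym = {{RV}'08},
  booktitle = {{P}roceedings of the 8th {W}orkshop on {R}untime {V}erification ({RV}'08)},
  author = {Goubault{-}Larrecq, Jean and Olivain, Julien},
  title = {A Smell of Orchids},
  pages = {1--20},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/go-rv08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/go-rv08.pdf},
  doi = {10.1007/978-3-540-89247-2_1},
  abstract = {Orchids is an intrusion detection tool based on techniques for
    fast, on-line model-checking. Orchids detects complex, correlated strands
    of events with very low overhead in practice, although its detection
    algorithm has worst-case exponential time complexity.\par
    The purpose of this paper is twofold. First, we explain the salient
    features of the basic model-checking algorithm in an intuitive way, as a
    form of dynamically-spawned monitors. One distinctive feature of the
    Orchids algorithm is that fresh monitors need to be spawned at a
    possibly alarming rate.\par
    The second goal of this paper is therefore to explain how we tame the
    complexity of the procedure, using abstract interpretation techniques to
    safely kill useless monitors. This includes monitors which will provably
    detect nothing, but also monitors that are subsumed by others, in the
    sense that they will definitely fail the so-called shortest run criterion.
    We take the opportunity to show how the Orchids algorithm maintains its
    monitors sorted in such a way that the subsumption operation is effected
    with no overhead, and we correct a small, but definitely annoying bug in
    its core algorithm, as it was published in~2001.}
}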
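@inproceedings{JGL-csf08,
  address = {Pittsburgh, Pennsylvania, USA},
  month = jun,
  year = 2008,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'08},
  booktitle = {{P}roceedings of the 
               21st {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'08)},
  author = {Goubault{-}Larrecq, Jean},
  title = {Towards Producing Formally Checkable Security Proofs, Automatically},
  pages = {224--238},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-15.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-15.pdf},
  doi = {10.1109/CSF.2008.21},
  abstract = {First-order logic models of security for cryptographic protocols,
    based on variants of the Dolev-Yao model, are now well-established
    tools.  Given that we have checked a given security protocol~\(\pi\)
    using a given first-order prover, how hard is it to extract a
    formally checkable proof of~it, as~required in, e.g., common
    criteria at evaluation level~\(7\)?  We~demonstrate that this is
    surprisingly hard: the problem is non-recursive in general. 
    On~the practical side, we show how we can extract finite models~\(\mathcal{M}\)
    from a set~\(\mathcal{S}\) of clauses representing~\(\pi\),
    automatically, in two ways.  We~then define a model-checker
    testing \(\mathcal{M} \models \mathcal{S}\), and show how we can instrument it
    to output a formally checkable proof, e.g., in~Coq.  This was
    implemented in the \texttt{h1} tool suite.  Experience on a number of
    protocols shows that this is practical.}
}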
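@inproceedings{DKR-csf08,
  address = {Pittsburgh, Pennsylvania, USA},
  month = jun,
  year = 2008,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'08},
  booktitle = {{P}roceedings of the 
               21st {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'08)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and
		  Ryan, Mark D.},
  title = {Composition of Password-based Protocols},
  pages = {239--251},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csf08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-csf08.pdf},
  doi = {10.1109/CSF.2008.6},
  abstract = {We investigate the composition of protocols that share a common
  secret.  This situation arises when users employ the same password
  on different services.  More precisely we study whether resistance
  against guessing attacks composes when the same password is used.
  We model guessing attacks using a common definition based on static
  equivalence in a cryptographic process calculus close to the applied
  pi calculus. We show that resistance against guessing attacks
  composes in the presence of a passive attacker. However, composition
  does not preserve resistance against guessing attacks for an active
  attacker. We therefore propose a simple syntactic criterion under
  which we show this composition to hold. Finally, we present a
  protocol transformation that ensures this syntactic criterion and
  preserves resistance against guessing attacks.}
}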
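@inproceedings{DKS-csf08,
  address = {Pittsburgh, Pennsylvania, USA},
  month = jun,
  year = 2008,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'08},
  booktitle = {{P}roceedings of the 
               21st {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'08)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and
		  Steel, Graham},
  title = {Formal Analysis of {PKCS}\#11},
  pages = {331--344},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-csf08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-csf08.pdf},
  doi = {10.1109/CSF.2008.16},
  abstract = {PKCS\#11 defines an API for cryptographic devices that has 
    been widely adopted in industry. However, it~has been shown to be 
    vulnerable to a variety of attacks that could, for example, compromise 
    the sensitive keys stored on the device. In~this paper, we~set out a 
    formal model of the operation of the API, which differs from previous 
    security API models notably in that it accounts for non-monotonic 
    mutable global state. We~give decidability results for our formalism, 
    and describe an implementation of the resulting decision procedure 
    using a model checker. We~report some new attacks and prove the safety 
    of some configurations of the API in our model.}
}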
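@inproceedings{DKS-TFIT2008,
  address = {Taipei, Taiwan},
  month = mar,
  year = 2008,
  editor = {Kuo, Tei-Wei and Cruz-Lara, Samuel},
  acronym = {{TFIT}'08},
  booktitle = {{P}roceedings of the 4th {T}aiwanese-{F}rench
	   {C}onference on {I}nformation {T}echnology ({TFIT}'08)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and
                 Steel, Graham},
  title = {Formal Analysis of {PKCS}\#11},
  pages = {267--278},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-tfit08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-tfit08.pdf},
  abstract = {PKCS\#11 defines an API for cryptographic devices that has been
    widely adopted in industry. However, it~has been shown to be vulnerable to
    a variety of attacks that could, for~example, compromise the sensitive
    keys stored on the device. In~this paper, we~set out a formal model of the
    operation of the API, which differs from previous security API models
    notably in that it accounts for non-monotonic mutable global state. We
    give decidability results for our formalism, and describe an
    implementation of the resulting decision procedure using a model checker.
    We report some new attacks and prove the safety of some configurations of
    the API in our model.}
}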
@inproceedings{DRS-ifiptm08,
  address = {Trondheim, Norway},
  month = jun,
  year = 2008,
  volume = 263,
  series = {IFIP Conference Proceedings},
  publisher = {Springer},
  editor = {Karabulut, Yuecel and Mitchell, John and Herrmann, Peter and 
  		Jensen, Christian Damsgaard},
  acronym = {IFIPTM'08},
  booktitle = {{P}roceedings of the 2nd {J}oint i{T}rust and {PST}
                  {C}onferences on {P}rivacy, {T}rust {M}anagement and
                  {S}ecurity (IFIPTM'08)},
  author = {Delaune, St{\'e}phanie and Ryan, Mark D. and Smyth, Ben},
  title = {Automatic verification of privacy properties in the applied pi-calculus},
  pages = {263-278},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DRS-ifiptm08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DRS-ifiptm08.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/DRS-ifiptm08.ps},
  abstract = {We develop a formal method verification technique for
    cryptographic protocols. We~focus on proving observational equivalences of
    the kind \(P \sim Q\), where the processes \(P\) and~\(Q\) have the same
    structure and differ only in the choice of terms. The calculus of
    ProVerif, a variant of the applied pi-calculus, makes some progress in
    this direction. We~expand the scope of ProVerif, to provide reasoning
    about further equivalences. We~also provide an extension which allows
    modelling of protocols which require global synchronisation. Finally we
    develop an algorithm to enable automated reasoning.\par
    We demonstrate the practicality of our work with two case studies.}
}
@inproceedings{Bur-wistp08,
  address = {Sevilla, Spain},
  month = may,
  year = 2008,
  volume = 5019,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Onieva, Jose A. and Sauveron, Damien and
		Chaumette, Serge  and Gollmann, Dieter and
		Markantonakis, Konstantinos},
  acronym = {{WISTP}'08},
  booktitle = {{P}roceedings of the 
           2nd {I}nternational {W}orkshop 
	   on {I}nformation {S}ecurity {T}heory and {P}ractices
           ({WISTP}'08)},
  author = {Bursztein, Elie},
  title = {Probabilistic Protocol Identification for Hard to Classify Protocol},
  pages = {49-63},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-wistp08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/Bur-wistp08.pdf},
  doi = {10.1007/978-3-540-79966-5_4},
  note = {Best paper award},
  abstract = {With the growing use of protocol obfuscation techniques,
    protocol identification for QoS enforcement, traffic prohibition, and
    intrusion detection has become a complex task. This paper addresses this
    issue with a probabilistic identification analysis that combines multiple
    advanced identification techniques and returns an ordered list of probable
    protocols. It~combines a payload analysis with a classifier based on
    several discriminators, including packet entropy and size. We~show with
    its implementation that it overcomes the limitations of traditional
    port-based protocol identification when dealing with hard-to-classify
    protocols such as peer-to-peer protocols. We also detail how it deals with
    tunneled sessions and covert channels.}
}
@techreport{LSV:08:02,
  author = {Bursztein, Elie},
  title = {Network Administrator and Intruder Strategies},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = 2008,
  month = feb,
  type = {Research Report},
  number = {LSV-08-02},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-02.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2008-02.pdf},
  note = {23~pages},
  abstract = {The anticipation game framework is an 
	extension of attack graphs based on game theory. It 
	is used to anticipate and analyze intruder and 
	administrator interactions with the network. In this 
	paper we extend this framework with costs and rewards 
	in order to analyze and find player strategies. 
	Additionally, this extension makes it possible to take 
	the financial aspect of network security into account 
	in the analysis. Intuitively, a strategy is the best 
	succession of actions that the administrator or the 
	intruder can perform to achieve his objectives. 
	Player objectives range from patching the network 
	efficiently to compromising the most valuable 
	network assets. We prove that finding the optimal 
	strategy is decidable and only requires linear 
	memory space. Finally, we show that finding a strategy 
	can be done in practice by evaluating the 
	performance of our analyzer, NetQi.}
}
@misc{hcl:lecture07,
  author = {Comon{-}Lundh, Hubert},
  title = {Soundness of abstract cryptography},
  oldhowpublished = {Lecture notes, part 1. 
         Available at \url{http://staff.aist.go.jp/h.comon-lundh/}},
  year = {2007},
  note = {Course notes (part~1), Symposium on Cryptography and
                  Information Security (SCIS2008), Tokai, Japan},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-sac08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CL-sac08.pdf}
}
@article{PPSLBCH-commag08,
  publisher = {{IEEE} Communications Society},
  journal = {IEEE Communications Magazine},
  author = {Papadimitratos, Panos and Poturalski, Marcin and Schaller,
                  Patrick and Lafourcade, Pascal and Basin, David and
		  {\v{C}}apkun, Srdjan and Hubaux, Jean-Pierre},
  title = {Secure Neighborhood Discovery: A~Fundamental
		 Element for Mobile Ad Hoc Networking},
  year = 2008,
  month = feb,
  volume = 46,
  number = 2,
  pages = {132-139},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/PPSLBCH-commag08.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/PPSLBCH-commag08.pdf},
  doi = {10.1109/MCOM.2008.4473095},
  abstract = {Pervasive computing systems will likely be deployed in the near
    future, with the proliferation of wireless devices and the emergence of ad
    hoc networking as key enablers. Coping with mobility and the volatility of
    wireless communications in such systems is critical. Neighborhood
    Discovery~(ND), namely, the discovery of devices directly reachable for
    communication or in physical proximity, becomes a fundamental requirement
    and a building block for various applications. However, the very nature of
    wireless mobile networks makes it easy to abuse ND and thereby compromise
    the overlying protocols and applications. Thus, providing methods to
    mitigate this vulnerability and to secure ND is crucial. In~this article,
    we~focus on this problem and provide definitions of neighborhood types and
    ND protocol properties, as well as a broad classification of attacks. Our
    ND literature survey reveals that securing ND is indeed a difficult and
    largely open problem. Moreover, given the severity of the problem, we
    advocate the need to formally model neighborhood and to analyze ND
    schemes.}
}
@unpublished{JLC-rc,
  author = {Carr{\'e}, Jean-Loup},
  title = {R{\'e}{\'e}criture, confluence},
  year = {2007},
  month = dec,
  note = {Course notes, {P}r{\'e}paration {\`a} l'agr{\'e}gation, 
	 ENS Cachan, France}
}
@misc{pronobis-final,
  author = {ARC ProNoBis},
  title = {ProNoBis: Probability and Nondeterminism, Bisimulations and
                  Security~-- {R}apport Final},
  year = 2007,
  month = oct,
  type = {Contract Report},
  nonote = {78~slides},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/pronobis-final.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/pronobis-final.pdf}
}
@misc{netanalyser-v0.7.5,
  author = {Bursztein, Elie},
  title = {NetAnalyzer~v0.7.5},
  year = {2008},
  month = jan,
  nohowpublished = {Available at .... },
  note = {Written in~C and Perl (about 25000 lines)},
  note-fr = {\'Ecrit en~C et en Perl (environ 25000 lignes)}
}
@misc{netqi-v1,
  author = {Bursztein, Elie},
  title = {NetQi~v1rc1},
  year = {2007},
  month = dec,
  howpublished = {Available at \url{http://www.netqi.org/}},
  note = {Written in~C and Java (about 10000 lines)},
  note-fr = {\'Ecrit en~C et en Java (environ 10000 lignes)},
  url = {http://www.netqi.org}
}
@phdthesis{mercier-phd2009,
  author = {Mercier, Antoine},
  title = {Contributions {\`a} l'analyse automatique des protocoles
                  cryptographiques en pr{\'e}sence de propri{\'e}t{\'e}s
                  alg{\'e}briques : protocoles de groupe, {\'e}quivalence
                  statique},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2009,
  month = dec,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/AM-these09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/AM-these09.pdf}
}
@phdthesis{bursuc-phd2009,
  author = {Bursuc, Sergiu},
  title = {Contraintes de d{\'e}ductibilit{\'e} dans une alg{\`e}bre
                  quotient: r{\'e}duction de mod{\`e}les et applications {\`a}
                  la s{\'e}curit{\'e}},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2009,
  month = dec,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/SB-these09.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/SB-these09.pdf}
}
@article{JGL-mscs09,
  publisher = {Cambridge University Press},
  journal = {Mathematical Structures in Computer Science},
  author = {Goubault{-}Larrecq, Jean},
  title = {{D}e~{G}root Duality and Models of Choice: Angels, Demons, and Nature},
  volume = {20},
  number = 2,
  pages = {169-237},
  month = apr,
  year = 2010,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-mscs09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-mscs09.pdf},
  doi = {10.1017/S0960129509990363},
  abstract = {We introduce convex-concave duality for various models of
    non-deterministic choice, probabilistic choice, and the two of them
    together. This complements the well-known duality of stably compact spaces
    in a pleasing way: convex-concave duality swaps angelic and demonic
    choice, and leaves probabilistic choice invariant.}
}
@inproceedings{JGL-asian09,
  address = {Seoul, Korea},
  month = dec,
  year = 2009,
  volume = 5913,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Datta, Anupam},
  acronym = {{ASIAN}'09},
  booktitle = {{P}roceedings of the 13th {A}sian
               {C}omputing {S}cience {C}onference
               ({ASIAN}'09)},
  author = {Goubault{-}Larrecq, Jean},
  title = {{\textquotedbl}{L}ogic Wins!{\textquotedbl}},
  pages = {1-16},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-asian09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JGL-asian09.pdf},
  doi = {10.1007/978-3-642-10622-4_1},
  abstract = {Clever algorithm design is sometimes superseded by simple
    encodings into logic. We apply this motto to a few case studies in the
    formal verification of security properties. In particular, we examine
    confidentiality objectives in hardware circuit descriptions written in
    VHDL.}
}
@inproceedings{SRKK-wissec09,
  address = {Louvain-la-Neuve, Belgium},
  month = nov,
  year = 2009,
  editor = {Pereira, Olivier and Quisquater, Jean-Jacques and
		Standaert, Fran\c{c}ois-Xavier},
  acronym = {{WISSEC}'09},
  booktitle = {{P}roceedings of the 4th {B}enelux {W}orkshop on
		{I}nformation and {S}ystem {S}ecurity ({WISSEC}'09)},
  author = {Smyth, Ben and Ryan, Mark D. and Kremer, Steve and
		   Kourjieh, Mounira},
  title = {Election verifiability in electronic voting protocols
		  (Preliminary version)},
  nopages = {},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SRKK-wissec09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/SRKK-wissec09.pdf},
  abstract = {We~present a symbolic definition of election verifiability for
    electronic voting protocols. Our definition is given in terms of
    reachability assertions in the applied pi calculus and is amenable to
    automated reasoning using the tool ProVerif. The~definition distinguishes
    three aspects of verifiability, which we call individual, universal, and
    eligibility verifiability. It also allows us to determine precisely what
    aspects of the system are required to be trusted. We demonstrate our
    formalism by analysing the protocols due to Fujioka, Okamoto \&~Ohta and
    Juels, Catalano \&~Jakobsson; the~latter of which has been implemented by
    Clarkson, Chong \&~Myers. }
}
@inproceedings{CCD-secco09,
  address = {Bologna, Italy},
  month = oct,
  year = 2009,
  editor = {Boreale, Michele and Kremer, Steve},
  acronym = {{SecCo}'09},
  booktitle = {{P}reliminary {P}roceedings of the 7th {I}nternational
               {W}orkshop on {S}ecurity {I}ssues in
               {C}oordination {M}odels, {L}anguages and
               {S}ystems ({SecCo}'09)},
  author = {Cheval, Vincent and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
  title = {A~decision procedure for proving observational equivalence},
  nmnote = {did not appear in postproceedings EPTCS7},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCD-secco09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCD-secco09.pdf}
}
@proceedings{BK-secco2009,
  title = {{P}roceedings of the 7th {I}nternational {W}orkshop on
	  {S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'09)},
  booktitle = {{P}roceedings of the 7th {I}nternational {W}orkshop on
	  {S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'09)},
  acronym = {{S}ec{C}o'09},
  editor = {Boreale, Michele and Kremer, Steve},
  doi = {10.4204/EPTCS.7},
  url = {http://eptcs.web.cse.unsw.edu.au/content.cgi?SECCO2009},
  series = {Electronic Proceedings in Theoretical Computer Science},
  volume = 7,
  year = 2009,
  month = aug,
  address = {Bologna, Italy}
}
@mastersthesis{cheval-master,
  author = {Cheval, Vincent},
  title = {Algorithme de d{\'e}cision de l'{\'e}quivalence symbolique de
                  syst{\`e}mes de contraintes},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = {2009},
  month = sep,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-cheval.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/master-cheval.pdf}
}
@inproceedings{DKP-fsttcs09,
  address = {Kanpur, India},
  month = dec,
  year = 2009,
  volume = 4,
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Kannan, Ravi and Narayan Kumar, K.},
  acronym = {{FSTTCS}'09},
  booktitle = {{P}roceedings of the 29th {C}onference on
               {F}oundations of {S}oftware {T}echnology and
               {T}heoretical {C}omputer {S}cience
               ({FSTTCS}'09)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and Pereira,
                 Olivier},
  title = {Simulation based security in the applied pi calculus},
  pages = {169-180},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-fsttcs09.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-fsttcs09.pdf},
  doi = {10.4230/LIPIcs.FSTTCS.2009.2316},
  abstract = {We present a symbolic framework for refinement and composition
    of security protocols. The framework uses the notion of ideal
    functionalities. These are abstract systems which are secure by
    construction and which can be combined into larger systems. They can be
    separately refined in order to obtain concrete protocols implementing
    them. Our work builds on ideas from computational models such as the
    universally composable security and reactive simulatability frameworks.
    The underlying language we use is the applied pi calculus which is a
    general language for specifying security protocols. In our framework we
    can express the different standard flavours of simulation-based security
    which happen to all coincide. We illustrate our framework on an
    authentication functionality which can be realized using the
    Needham-Schroeder-Lowe protocol. For this we need to define an ideal
    functionality for asymmetric encryption and its realization. We also show
    a joint state result for this functionality which allows composition (even
    though the same key material is reused) using a tagging mechanism.}
}
@inproceedings{FLS-nordsec09,
  address = {Oslo, Norway},
  month = oct,
  year = 2009,
  volume = 5838,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {J{\o}sang, Audun and Maseng, Torleiv and Knapskog, Svein Johan},
  acronym = {{NordSec}'09},
  booktitle = {{P}roceedings of the 14th {N}ordic {W}orkshop on {S}ecure {IT}
                  {S}ystems ({NordSec}'09)},
  author = {Focardi, Riccardo and Luccio, Flaminia L. and
		 Steel, Graham},
  title = {Blunting Differential Attacks on {PIN} Processing {API}s},
  pages = {88-103},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FLS-nordsec09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FLS-nordsec09.pdf},
  doi = {10.1007/978-3-642-04766-4_7},
  abstract = {We~propose a countermeasure for a class of known attacks on the
    PIN processing API used in the ATM (cash machine) network. This API
    controls access to the tamper-resistant Hardware Security Modules where
    PIN encryption, decryption and verification take place. The~attacks are
    differential attacks, whereby an attacker gains information about the
    plaintext values of encrypted customer PINs by making changes to the
    non-confidential inputs to a command. Our~proposed fix adds an integrity
    check to the parameters passed to the command. It~is novel in that it
    involves very little change to the existing ATM network infrastructure.}
}
@inproceedings{KMT-asian09,
  address = {Seoul, Korea},
  month = dec,
  year = 2009,
  volume = 5913,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Datta, Anupam},
  acronym = {{ASIAN}'09},
  booktitle = {{P}roceedings of the 13th {A}sian
               {C}omputing {S}cience {C}onference
               ({ASIAN}'09)},
  author = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
  title = {Reducing Equational Theories for the Decision of Static
                  Equivalence},
  pages = {94-108},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-asian09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-asian09.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/KMT-asian09.ps},
  doi = {10.1007/978-3-642-10622-4_8},
  abstract = {Static equivalence is a well established notion of
    indistinguishability of sequences of terms which is useful in the symbolic
    analysis of cryptographic protocols. Static equivalence modulo equational
    theories allows a more accurate representation of cryptographic primitives
    by modelling properties of operators by equational axioms. We develop a
    method that allows in some cases to simplify the task of deciding static
    equivalence in a multi-sorted setting, by removing a symbol from the term
    signature and reducing the problem to several simpler equational theories.
    We illustrate our technique on the example of bilinear pairings.}
}
@article{DKS-jcs09,
  publisher = {{IOS} Press},
  journal = {Journal of Computer Security},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and Steel, Graham},
  title = {Formal Analysis of {PKCS\#11} and Proprietary Extensions},
  volume = 18,
  number = 6,
  pages = {1211-1245},
  year = 2010,
  month = nov,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-jcs09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKS-jcs09.pdf},
  doi = {10.3233/JCS-2009-0394},
  abstract = {PKCS\#11 defines an API for cryptographic devices that has been
    widely adopted in industry. However, it has been shown to be vulnerable to
    a variety of attacks that could, for example, compromise the sensitive
    keys stored on the device. In this paper, we set out a formal model of the
    operation of the API, which differs from previous security API models
    notably in that it accounts for non-monotonic mutable global state. We
    give decidability results for our formalism, and describe an
    implementation of the resulting decision procedure using the model checker
    NuSMV. We report some new attacks and prove the safety of some
    configurations of the API in our model. We also analyse proprietary
    extensions proposed by nCipher (Thales) and Eracom (Safenet), designed to
    address the shortcomings of PKCS\#11.}
}
@techreport{LSV:09:15,
  author = {H{\'e}am, Pierre-Cyrille and Nicaud, Cyril},
  title = {Seed: an Easy-to-Use Random Generator of Recursive Data Structures for Testing},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = {2009},
  month = jul,
  type = {Research Report},
  number = {LSV-09-15},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-15.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-15.pdf},
  note = {16~pages},
  abstract = {Random testing represents a simple and tractable way for software
 assessment. This paper presents the Seed tool dedicated to the
 uniform random generation of recursive data structures as labelled
 trees or logical formulas.  We show how Seed can be used in several
 testing contexts, from model based testing to performance
 testing. Generated data structures are defined by grammar-like rules,
 given in an XML format, which multiplies Seed's possible applications.
 Seed is based on combinatorial techniques, and can generate uniformly
 at random \(k\)~structures of size~\(n\) with a
 time complexity in \(O(n^{2}+ kn\cdot \log(n))\). Finally, Seed is available as a free
 Java application and a great effort has been made to make it
 easy-to-use.}
}
@inproceedings{BCLD-asian09,
  address = {Seoul, Korea},
  month = dec,
  year = 2009,
  volume = 5913,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Datta, Anupam},
  acronym = {{ASIAN}'09},
  booktitle = {{P}roceedings of the 13th {A}sian
               {C}omputing {S}cience {C}onference
               ({ASIAN}'09)},
  author = {Bursuc, Sergiu and Delaune, St{\'e}phanie and Comon{-}Lundh,
                  Hubert},
  title = {Deducibility constraints},
  pages = {24-38},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-asian09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-asian09.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/BCD-asian09.ps},
  doi = {10.1007/978-3-642-10622-4_3},
  abstract = {In their work on tractable deduction systems, D.~McAllester and
    later D.~Basin and H.~Ganzinger have identified a property of inference
    systems (the~locality property) that ensures the tractability of the
    \textit{Entscheidungsproblem}.\par
    On~the other hand, deducibility constraints are sequences of deduction
    problems in which some parts (formulas) are unknown. The~problem is to
    decide their satisfiability and to represent the set of all possible
    solutions. Such constraints have also been used for deciding some security
    properties of cryptographic protocols.\par
    In this paper we show that local inference systems (actually a slight
    modification of such systems) yield not only a tractable deduction
    problem, but also decidable deducibility constraints. Our algorithm not
    only allows to decide the existence of a solution, but also gives a
    representation of all solutions.}
}
@incollection{ACL-fps09,
  noaddress = {},
  month = may,
  year = 2009,
  volume = 5458,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  noacronym = {},
  booktitle = {{F}ormal to {P}ractical {S}ecurity},
  editor = {Cortier, V{\'e}ronique and Kirchner, Claude and
		 Okada, Mitsuhiro and Sakurada, Hideki},
  author = {Affeldt, Reynald and Comon{-}Lundh, Hubert},
  title = {Verification of Security Protocols with a Bounded Number of
                  Sessions Based on Resolution for Rigid Variables},
  pages = {1-20},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACL-fps09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACL-fps09.pdf},
  doi = {10.1007/978-3-642-02002-5_1},
  abstract = {First-order logic resolution is a standard way to automate the
    verification of security protocols. However, it sometimes fails to produce
    security proofs for secure protocols because of the detection of false
    attacks. For the verification of a bounded number of sessions, false
    attacks can be avoided by introducing rigid variables. Unfortunately, this
    yields complicated resolution procedures. We show here that there is a
    simple translation of the security problem for a bounded number of
    sessions into first-order logic, that does not introduce false attacks.
    This is shown by translating clauses involving rigid variables into
    classical first-order clauses, while preserving satisfiability. We
    illustrate this approach by giving a complete and terminating strategy for
    a first-order logic fragment resulting from the above translation, that
    yields a decision procedure for a bounded number of sessions.}
}
@inproceedings{ABC-cav09,
  address = {Grenoble, France},
  month = jun # {-} # jul,
  year = 2009,
  volume = 5643,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Bouajjani, Ahmad and Maler, Oded},
  acronym = {{CAV}'09},
  booktitle = {{P}roceedings of the 21st
               {I}nternational {C}onference on 
               {C}omputer {A}ided {V}erification
               ({CAV}'09)},
  author = {Abadi, Mart{\'\i}n and Blanchet, Bruno and Comon{-}Lundh,
                  Hubert},
  title = {Models and Proofs of Protocol Security: A~Progress Report},
  pages = {35-49},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABC-cav09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ABC-cav09.pdf},
  doi = {10.1007/978-3-642-02658-4_5},
  abstract = {This paper discusses progress in the verification of security
                  protocols. Focusing on a small, classic example, it stresses
                  the use of program-like representations of protocols, and
                  their automatic analysis in symbolic and computational
                  models.}
}
@inproceedings{CFLS-esorics09,
  address = {Saint~Malo, France},
  month = sep,
  year = 2009,
  volume = 5789,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Backes, Michael and Ning, Peng},
  acronym = {{ESORICS}'09},
  booktitle = {{P}roceedings of the 14th {E}uropean {S}ymposium on
		{R}esearch in {C}omputer {S}ecurity ({ESORICS}'09)},
  author = {Centenaro, Matteo and Focardi, Riccardo and 
		 Luccio, Flaminia L. and Steel, Graham},
  title = {Type-based Analysis of {PIN} Processing {API}s},
  pages = {53-68},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CFLS-esorics09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CFLS-esorics09.pdf},
  doi = {10.1007/978-3-642-04444-1_4},
  abstract = {We examine some known attacks on the PIN verification framework,
    based on weaknesses of the security API for the tamper-resistant Hardware
    Security Modules used in the network. We specify this API in an imperative
    language with cryptographic primitives, and show how its flaws are
    captured by a notion of robustness that extends the one of Myers,
    Sabelfeld and Zdancewic to our cryptographic setting. We~propose an
    improved API, give an extended type system for assuring integrity and for
    preserving confidentiality via randomized and non-randomized encryptions,
    and show our new API to be type-checkable.}
}
@inproceedings{CS-esorics09,
  address = {Saint~Malo, France},
  month = sep,
  year = 2009,
  volume = 5789,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Backes, Michael and Ning, Peng},
  acronym = {{ESORICS}'09},
  booktitle = {{P}roceedings of the 14th {E}uropean {S}ymposium on
		{R}esearch in {C}omputer {S}ecurity ({ESORICS}'09)},
  author = {Cortier, V{\'e}ronique and Steel, Graham},
  title = {A~generic security {API} for symmetric key management on
                  cryptographic devices},
  pages = {605-620},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CS-esorics09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CS-esorics09.pdf},
  doi = {10.1007/978-3-642-04444-1_37},
  abstract = {Security APIs are used to define the boundary between trusted
    and untrusted code. The security properties of existing APIs are not
    always clear. In~this paper, we~give a new generic API for managing
    symmetric keys on a trusted cryptographic device. We state and prove
    security properties for our API. In~particular, our API offers a high
    level of security even when the host machine is controlled by an attacker.
    Our API is generic in the sense that it can implement a wide variety of
    (symmetric~key) protocols. As a proof of concept, we give an algorithm for
    automatically instantiating the API commands for a given key management
    protocol. We demonstrate the algorithm on a set of key establishment
    protocols from the Clark-Jacob suite.}
}
@inproceedings{KAS-arspawits09,
  address = {York, UK},
  month = aug,
  year = 2009,
  volume = 5511,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Degano, Pierpaolo and Vigan{\`o}, Luca},
  acronym = {{ARSPA-WITS}'09},
  booktitle = {{R}evised {S}elected {P}apers of the {J}oint {W}orkshop
	   on {A}utomated {R}easoning for {S}ecurity {P}rotocol {A}nalysis and
           {I}ssues in the {T}heory of {S}ecurity ({ARSPA-WITS}'09)},
  author = {Keighren, Gavin and Aspinall, David and Steel, Graham},
  title = {Towards a Type System for Security {API}s},
  pages = {173-192},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KAS-arspawits09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KAS-arspawits09.pdf},
  doi = {10.1007/978-3-642-03459-6_12},
  abstract = {Security API analysis typically only considers a subset of an
    API's functions, with results bounded by the number of function calls.
    Furthermore, attacks involving partial leakage of sensitive information
    are usually not covered. Type-based static analysis has the potential to
    alleviate these shortcomings. To that end, we present a type system for
    secure information flow based upon the one of Volpano, Smith and Irvine,
    extended with types for cryptographic keys and ciphertext similar to those
    in Sumii and Pierce. In~contrast to some other type systems, the
    encryption and decryption of keys does not require special treatment. We
    show that a well-typed sequence of commands is non-interferent, based upon
    a definition of indistinguishability where, in certain circumstances, the
    adversary can distinguish between ciphertexts that correspond to encrypted
    public data.}
}
@inproceedings{FS-arspawits09,
  address = {York, UK},
  month = aug,
  year = 2009,
  volume = 5511,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Degano, Pierpaolo and Vigan{\`o}, Luca},
  acronym = {{ARSPA-WITS}'09},
  booktitle = {{R}evised {S}elected {P}apers of the {J}oint {W}orkshop
	   on {A}utomated {R}easoning for {S}ecurity {P}rotocol {A}nalysis and
           {I}ssues in the {T}heory of {S}ecurity ({ARSPA-WITS}'09)},
  author = {Fr{\"o}schle, Sibylle and Steel, Graham},
  title = {Analysing {PKCS}\#11 Key Management {API}s with Unbounded
                  Fresh Data},
  pages = {92-106},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FS-arspawits09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FS-arspawits09.pdf},
  doi = {10.1007/978-3-642-03459-6_7},
  abstract = {We extend Delaune, Kremer and Steel's framework for analysis of
    PKCS#11-based APIs from bounded to unbounded fresh data. We achieve this
    by: formally defining the notion of an \emph{attribute policy}; showing
    that a well-designed API should have a certain class of policy we call
    \emph{complete}; showing that APIs with complete policies may be safely
    abstracted to APIs where the attributes are fixed; and proving that these
    \emph{static} APIs can be analysed in a small bounded model such that
    security properties will hold for the unbounded case. We automate analysis
    in our framework using the SAT-based security protocol model checker
    SATMC. We show that a symmetric key management subset of the Eracom
    PKCS#11 API, used in their ProtectServer product, preserves the secrecy of
    sensitive keys for unbounded numbers of fresh keys and \emph{handles},
    i.e.~pointers to keys. We also show that this API is not robust: if~an
    encryption key is lost to the intruder, SATMC finds an attack whereby all
    the keys may be compromised.}
}
@inproceedings{CDK-secret09,
  address = {Port Jefferson, New~York, USA},
  month = jul,
  year = 2009,
  editor = {Comon{-}Lundh, Hubert and Meadows, Catherine},
  acronym = {{SecReT}'09},
  booktitle = {{P}reliminary {P}roceedings of the 4th 
           {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
           ({SecReT}'09)},
  author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune, St{\'e}phanie and
		 Kremer, Steve},
  title = {Computing knowledge in security protocols under convergent
                  equational theories},
  pages = {47-58},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDK-secret09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDK-secret09.pdf},
  abstract = {We propose a procedure for the intruder deduction problem and
    for the static equivalence problem, in the case where cryptographic
    primitives are modeled by a convergent equational theory. Our~procedure
    terminates on a wide range of equational theories. In~particular,
    we~obtain a new decidability result for a theory of trapdoor commitment
    that we encountered in the study of e-voting protocols. We~also provide a
    prototype implementation.}
}
@inproceedings{ACD-secret09,
  address = {Port Jefferson, New~York, USA},
  month = jul,
  year = 2009,
  editor = {Comon{-}Lundh, Hubert and Meadows, Catherine},
  acronym = {{SecReT}'09},
  booktitle = {{P}reliminary {P}roceedings of the 4th 
           {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
           ({SecReT}'09)},
  author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and
		Delaune, St{\'e}phanie},
  title = {Modeling and Verifying Ad Hoc Routing Protocol},
  pages = {33-46},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-secret09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/ACD-secret09.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/ACD-secret09.ps},
  abstract = {Mobile ad hoc networks consist of mobile wireless devices which
    autonomously organize their infrastructure. In~such a network, a~central
    issue, ensured by routing protocols, is to find a route from one device to
    another. Those protocols use cryptographic mechanisms in order to prevent
    a malicious node from compromising the discovered route.\par
    We present a calculus for modeling and reasoning about security protocols,
    including in particular secured routing protocols. Our calculus extends
    standard symbolic models to take into account the characteristics of
    routing protocols and to model wireless communication in a more accurate
    way. Then, by using constraint solving techniques, we propose a decision
    procedure for analyzing routing protocols for a bounded number of sessions
    and for a fixed network topology. We~demonstrate the usage and usefulness
    of our approach by analyzing the protocol SRP applied to~DSR.}
}
@inproceedings{KMT-secret09,
  address = {Port Jefferson, New~York, USA},
  month = jul,
  year = 2009,
  editor = {Comon{-}Lundh, Hubert and Meadows, Catherine},
  acronym = {{SecReT}'09},
  booktitle = {{P}reliminary {P}roceedings of the 4th 
           {I}nternational {W}orkshop on {S}ecurity and {R}ewriting {T}echniques
           ({SecReT}'09)},
  author = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
  title = {Reducing Equational Theories for the Decision of Static
                  Equivalence (Preliminary Version)},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-secret09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KMT-secret09.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/KMT-secret09.ps},
  abstract = {Static equivalence is a well established notion of
    indistinguishability of sequences of terms which is useful in the symbolic
    analysis of cryptographic protocols. Static equivalence modulo equational
    theories allows a more accurate representation of cryptographic primitives
    by modelling properties of operators by equational axioms. We develop a
    method that, in some cases, simplifies the task of deciding static
    equivalence in a multi-sorted setting, by removing a symbol from the term
    signature and reducing the problem to several simpler equational theories.
    We illustrate our technique on the example of bilinear pairings.}
}
@techreport{LSV:09:09,
  author = {Goubault{-}Larrecq, Jean},
  title = {On a Generalization of a Result by {V}alk and {J}antzen},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = {2009},
  month = may,
  type = {Research Report},
  number = {LSV-09-09},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-09.pdf},
  note = {18~pages},
  abstract = {We~show that, under mild assumptions on the effective, well
    quasi-ordered set~\(X\), one~can compute a finite basis of an
    upward-closed subset~\(U\) of~\(X\) if and only if one can decide whether
    \(U \cap \downarrow z\) is empty for every \(z \in \widehat{X}\). Here
    \(\widehat{X}\) is the completion of \(X\) as defined in Finkel and
    Goubault-Larrecq, {\em Forward Analysis for WSTS, Part~{I:} Completions},
    STACS'09, pages 433-444, 2009. This generalizes a useful result proved by
    Valk and Jantzen in~1985, which is the case \(X = \mathbb{N}^k\).}
}
@inproceedings{CDK-cade09,
  address = {Montreal, Canada},
  month = aug,
  year = 2009,
  volume = {5663},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Schmidt, Renate},
  acronym = {{CADE}'09},
  booktitle = {{P}roceedings of the 22nd {I}nternational 
               {C}onference on {A}utomated {D}eduction
               ({CADE}'09)},
  author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune, St{\'e}phanie and 
		Kremer, Steve},
  title = {Computing knowledge in security protocols under convergent
		 equational theories},
  pages = {355-370},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDK-cade09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CDK-cade09.pdf},
  doi = {10.1007/978-3-642-02959-2_27},
  abstract = {In the symbolic analysis of security protocols, two classical
    notions of knowledge, deducibility and indistinguishability, yield
    corresponding decision problems. We~propose a procedure for both problems
    under arbitrary convergent equational theories. Our~procedure terminates
    on a wide range of equational theories. In~particular, we~obtain a new
    decidability result for a theory we encountered when studying electronic
    voting protocols. We~also provide a prototype implementation.}
}
@article{goubault-jcs09,
  publisher = {{IOS} Press},
  journal = {Journal of Computer Security},
  author = {Goubault{-}Larrecq, Jean},
  title = {Finite Models for Formal Security Proofs},
  volume = 18,
  number = 6,
  pages = {1247-1299},
  year = 2010,
  month = nov,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-jcs09.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-jcs09.pdf},
  doi = {10.3233/JCS-2009-0395},
  abstract = {First-order logic models of security for cryptographic
    protocols, based on variants of the Dolev-Yao model, are now
    well-established tools. Given that we have checked a given security
    protocol using a given first-order prover, how hard is it to extract a
    formally checkable proof of it, as required in, \textit{e.g.}, common
    criteria at the highest evaluation level~(EAL7)? We~demonstrate that this
    is surprisingly hard in the general case: the problem is non-recursive.
    Nonetheless, we show that we can instead extract finite
    models~\(\mathcal{M}\) from a set~\(S\) of clauses representing the protocol~\(\pi\),
    automatically, and give two ways of doing~so. We~then define a
    model-checker testing \(\mathcal{M} \models S\), and show how we can
    instrument it to output a formally checkable proof, \textit{e.g.}, in~Coq.
    Experience on a number of protocols shows that this is practical, and that
    even complex (secure) protocols modulo equational theories have small
    finite models, making our approach suitable.}
}
@inproceedings{FGL-icalp09,
  address = {Rhodes, Greece},
  month = jul,
  year = 2009,
  volume = 5556,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Albers, Susanne and Marchetti-Spaccamela, Alberto and 
                  Matias, Yossi and Thomas, Wolfgang},
  acronym = {{ICALP}'09},
  booktitle = {{P}roceedings of the 36th {I}nternational 
               {C}olloquium on {A}utomata, {L}anguages and 
               {P}rogramming ({ICALP}'09)},
  author = {Finkel, Alain and Goubault{-}Larrecq, Jean},
  title = {Forward Analysis for {WSTS}, Part~{II}: Complete {WSTS}},
  pages = {188-199},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-icalp09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-icalp09.pdf},
  doi = {10.1007/978-3-642-02930-1_16},
  abstract = {We~describe a simple, conceptual forward analysis procedure for
    \(\infty\)-complete WSTS~\(\mathcal{S}\). This computes the \emph{clover}
    of a state~\(s_0\), \textit{i.e.}, a~finite description of the closure of
    the cover of~\(s_0\). When \(\mathcal{S}\) is the completion of a
    WSTS~\(\mathcal{X}\), the clover in~\(\mathcal{S}\) is a finite
    description of the cover in~\(\mathcal{X}\). We~show that this applies
    exactly when \(\mathcal{X}\) is an \(\omega^2\)-WSTS, a~new robust class
    of WSTS. We~show that our procedure terminates in more cases than the
    generalized Karp-Miller procedure on extensions of Petri nets. We
    characterize the WSTS where our procedure terminates as those that are
    \emph{clover-flattable}. Finally, we~apply this to well-structured counter
    systems.}
}
@inproceedings{CD-csf09,
  address = {Port Jefferson, New York, USA},
  month = jul,
  year = 2009,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'09},
  booktitle = {{P}roceedings of the 
               22nd {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'09)},
  author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {A~method for proving observational equivalence},
  pages = {266-276},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-csf09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CD-csf09.pdf},
  doi = {10.1109/CSF.2009.9},
  abstract = {Formal methods have proved their usefulness for analyzing the
    security of protocols. Most existing results focus on trace properties
    like secrecy or authentication. There are however several security
    properties, which cannot be defined (or cannot be naturally defined) as
    trace properties and require the notion of \emph{observational
    equivalence}. Typical examples are anonymity, privacy related properties
    or statements closer to security properties used in cryptography.\par
    In this paper, we consider the applied pi calculus and we show that for
    \emph{determinate} processes, observational equivalence actually coincides
    with trace equivalence, a notion simpler to reason with. We~exhibit a
    large class of determinate processes, called \emph{simple processes}, that
    capture most existing protocols and cryptographic primitives. Then, for
    simple processes without replication, we~reduce the decidability of trace
    equivalence to deciding an equivalence relation introduced by M.~Baudet.
    Altogether, this yields the first decidability result of observational
    equivalence for a general class of equational theories.}
}
@inproceedings{CDK-forte09,
  address = {Lisbon, Portugal},
  month = jun,
  year = 2009,
  volume = {5522},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Lee, David and Lopes, Ant{\'o}nia and Poetzsch-Heffter, Arnd},
  acronym = {{FMOODS/FORTE}'09},
  booktitle = {{P}roceedings of {IFIP} {I}nternational {C}onference on {F}ormal
                  {T}echniques for {D}istributed {S}ystems ({FMOODS/FORTE}'09)},
  author = {Chadha, Rohit and Delaune, St{\'e}phanie and 
		Kremer, Steve},
  title = {Epistemic Logic for the Applied Pi Calculus},
  pages = {182-197},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/cdk-forte09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/cdk-forte09.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PS/cdk-forte09.ps},
  doi = {10.1007/978-3-642-02138-1_12},
  abstract = {We propose an epistemic logic for the applied pi calculus, which
    is a variant of the pi calculus with extensions for modeling cryptographic
    protocols. In such a calculus, the security guarantees are usually stated
    as equivalences. While process calculi provide a natural means to describe
    the protocols themselves, epistemic logics are often better suited for
    expressing certain security properties such as secrecy and anonymity.\par
    We intend to bridge the gap between these two approaches: using the set of
    traces generated by a process as models, we define a logic which has
    constructs for reasoning about both intruder's epistemic knowledge and the
    set of messages in possession of the intruder. As an example we consider
    two formalizations of privacy in electronic voting and study the
    relationship between them.}
}
@inproceedings{BCL-rta09,
  address = {Bras{\'\i}lia, Brazil},
  month = jun # {-} # jul,
  year = 2009,
  volume = 5595,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Treinen, Ralf},
  acronym = {{RTA}'09},
  booktitle = {{P}roceedings of the 20th {I}nternational
               {C}onference on {R}ewriting {T}echniques
               and {A}pplications
               ({RTA}'09)},
  author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert},
  title = {Protocol security and algebraic properties: decision results
                  for a bounded number of sessions},
  pages = {133-147},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCL-rta09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCL-rta09.pdf},
  doi = {10.1007/978-3-642-02348-4_10},
  abstract = {We consider the problem of deciding the security of
    cryptographic protocols for a bounded number of sessions, taking into
    account some algebraic properties of the security primitives, for instance
    Abelian group properties. We propose a general method for deriving
    decision algorithms, splitting the task into 4 properties of the rewriting
    system describing the intruder capabilities: locality, conservativity,
    finite variant property and decidability of one-step deducibility
    constraints. We illustrate this method on a non-trivial example, combining
    several Abelian group properties, exponentiation and a homomorphism,
    showing a decidability result for this combination.}
}
@inproceedings{BCD-rta09,
  address = {Bras{\'\i}lia, Brazil},
  month = jun # {-} # jul,
  year = 2009,
  volume = 5595,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Treinen, Ralf},
  acronym = {{RTA}'09},
  booktitle = {{P}roceedings of the 20th {I}nternational
               {C}onference on {R}ewriting {T}echniques
               and {A}pplications
               ({RTA}'09)},
  author = {Baudet, Mathieu and Cortier, V{\'e}ronique and Delaune,
                  St{\'e}phanie},
  title = {{YAPA}: A~generic tool for computing intruder knowledge},
  pages = {148-163},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-rta09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCD-rta09.pdf},
  doi = {10.1007/978-3-642-02348-4_11},
  abstract = {Reasoning about the knowledge of an attacker is a necessary step
    in many formal analyses of security protocols. In the framework of the
    applied pi calculus, as in similar languages based on equational logics,
    knowledge is typically expressed by two relations: deducibility and static
    equivalence. Several decision procedures have been proposed for these
    relations under a variety of equational theories. However, each theory has
    its particular algorithm, and none has been implemented so~far.\par
    We provide a generic procedure for deducibility and static equivalence
    that takes as input any convergent rewrite system. We show that our
    algorithm covers all the existing decision procedures for convergent
    theories. We also provide an efficient implementation, and compare it
    briefly with the more general tool ProVerif.}
}
@techreport{LSV:09:02,
  author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert},
  title = {Protocols, insecurity decision and combination of equational theories},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = {2009},
  month = feb,
  type = {Research Report},
  number = {LSV-09-02},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-02.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2009-02.pdf},
  note = {43~pages},
  abstract = {We consider the problem of finding attacks for a bounded number
    of sessions of security protocols. We~contribute to this field, showing
    how to decompose the problem into pieces for a class of equational
    theories, which includes the hierarchical combinations, as well as
    non-hierarchical ones. We apply this result to an electronic purse case
    study: we~show the decidability in co-NP of the insecurity problem for a
    complex equational theory mixing three Abelian groups, exponentiation and
    homomorphism properties.\par
    The main technical contributions rely on equational logic, term rewriting
    and combination of theories.}
}
@article{CCZ-tocl08,
  publisher = {ACM Press},
  journal = {ACM Transactions on Computational Logic},
  author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique and        
		Z{\u{a}}linescu, Eugen},
  title = {Deciding security properties for cryptographic
		 protocols. Application to key cycles},
  volume = 11,
  number = 2,
  nopages = {},
  month = jan,
  year = 2010,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCZ-tocl09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/CCZ-tocl09.pdf},
  doi = {10.1145/1656242.1656244},
  abstract = {There is a large amount of work dedicated to the formal
    verification of security protocols. In~this paper, we~revisit and extend
    the NP-complete decision procedure for a bounded number of sessions. We
    use a, now standard, deducibility constraint formalism for modeling
    security protocols. Our~first contribution is to give a simple set of
    constraint simplification rules that allows any deducibility
    constraint to be reduced to a set of solved forms, representing all solutions (within
    the bound on sessions).\par
    As a consequence, we prove that deciding the existence of key cycles is
    NP-complete for a bounded number of sessions. The problem of key-cycles
    has been put forward by recent works relating computational and symbolic
    models. The so-called soundness of the symbolic model requires indeed that
    no key cycle (\textit{e.g.},~enc\((k, k)\)) ever occurs in the
    execution of the protocol. Otherwise, stronger security assumptions (such
    as KDM-security) are required.\par
    We show that our decision procedure can also be applied to prove again the
    decidability of authentication-like properties and the decidability of a
    significant fragment of protocols with timestamps.}
}
@inproceedings{JKV-lata09,
  address = {Tarragona, Spain},
  month = apr,
  year = 2009,
  volume = 5457,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Dediu, Adrian Horia and Mihai Ionescu, Armand and Mart{\'\i}n-Vide, Carlos},
  acronym = {{LATA}'09},
  booktitle = {{P}roceedings of the 3rd {I}nternational {C}onference on {L}anguage 
	    and {A}utomata {T}heory and {A}pplications ({LATA}'09)},
  author = {Jacquemard, Florent and Klay, Francis and Vacher, Camille},
  title = {Rigid Tree Automata},
  pages = {446-457},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-lata09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-lata09.pdf},
  doi = {10.1007/978-3-642-00982-2_38},
  abstract = {We introduce the class of Rigid Tree Automata (RTA), an
    extension of standard bottom-up automata on ranked trees with
    distinguished states called rigid. Rigid states define a restriction on
    the computation of RTA on trees: RTA can test for equality in subtrees
    reaching the same rigid state. RTA are able to perform local and global
    tests of equality between subtrees, non-linear tree pattern matching, and
    restricted disequality tests as well. Properties like determinism, pumping
    lemma, boolean closure, and several decision problems are studied in
    detail. In particular, the emptiness problem is shown decidable in linear
    time for RTA whereas membership of a given tree to the language of a given
    RTA is NP-complete. Our main result is the decidability of whether a given
    tree belongs to the rewrite closure of a RTA language under a restricted
    family of term rewriting systems, whereas this closure is not a RTA
    language. This result, one of the first on rewrite closure of languages of
    tree automata with constraints, enables the extension of model
    checking procedures based on finite tree automata techniques. Finally, a
    comparison of RTA with several classes of tree automata with local and
    global equality tests, and with dag automata is also provided.}
}
@proceedings{KP-secco2008,
  title = {{P}roceedings of the 6th {I}nternational {W}orkshop on
	  {S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'08)},
  booktitle = {{P}roceedings of the 6th {I}nternational {W}orkshop on
	  {S}ecurity {I}ssues in {C}oncurrency ({S}ec{C}o'08)},
  editor = {Kremer, Steve and Panangaden, Prakash},
  publisher = {Elsevier Science Publishers},
  doi = {10.1016/j.entcs.2009.07.077},
  url = {http://www.sciencedirect.com/science/journal/15710661/242/3},
  series = {Electronic Notes in Theoretical Computer Science},
  volume = 242,
  number = 3,
  year = 2009,
  month = aug,
  address = {Toronto, Canada}
}
@article{BCK-IC09,
  publisher = {Elsevier Science Publishers},
  journal = {Information and Computation},
  author = {Baudet, Mathieu and Cortier, V{\'e}ronique and Kremer, Steve},
  title = {Computationally Sound Implementations of Equational Theories
		 against Passive Adversaries},
  year = {2009},
  month = apr,
  volume = 207,
  number = 4,
  pages = {496-520},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCK-ic09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/BCK-ic09.pdf},
  doi = {10.1016/j.ic.2008.12.005},
  abstract = {In~this paper we study the link between formal and cryptographic
    models for security protocols in the presence of passive adversaries.
    In~contrast to other works, we~do not consider a fixed set of primitives
    but aim at results for arbitrary equational theories. We~define a
    framework for comparing a cryptographic implementation and its
    idealization with respect to various security notions. In~particular, we
    concentrate on the computational soundness of static equivalence, a
    standard tool in cryptographic pi calculi. We~present a soundness
    criterion, which for many theories is not only sufficient but also
    necessary. Finally, to~illustrate our framework, we~establish the
    soundness of static equivalence for the exclusive OR and a theory of
    ciphers and lists.}
}
@article{KM-jcs09,
  publisher = {{IOS} Press},
  journal = {Journal of Computer Security},
  author = {Kremer, Steve and Mazar{\'e}, Laurent},
  title = {Computationally Sound Analysis of Protocols using
		Bilinear Pairings},
  year = 2010,
  month = nov,
  volume = 18,
  number = 6,
  pages = {999-1033},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-jcs09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/KM-jcs09.pdf},
  doi = {10.3233/JCS-2009-0388},
  abstract = {In this paper, we introduce a symbolic model to analyse
    protocols that use a bilinear pairing between two cyclic groups. This
    model consists in an extension of the Abadi-Rogaway logic and we prove
    that the logic is still computationally sound: symbolic
    indistinguishability implies computational indistinguishability provided
    that the Bilinear Decisional Diffie-Hellman assumption holds and that the
    encryption scheme is \textsf{IND-CPA} secure. We~illustrate our results on
    classical protocols using bilinear pairing like Joux tripartite
    Diffie-Hellman protocol or the TAK-2 and TAK-3 protocols. We also
    investigate the security of a newly designed variant of the
    Burmester-Desmedt protocol using bilinear pairings. More precisely, we
    show for each of these protocols that the generated key is
    indistinguishable from a random element.}
}
@article{DKR-jcs09,
  publisher = {{IOS} Press},
  journal = {Journal of Computer Security},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title = {Symbolic bisimulation for the applied pi~calculus},
  year = 2010,
  month = mar,
  volume = 18,
  number = 2,
  pages = {317-377},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs09.pdf},
  doi = {10.3233/JCS-2010-0363},
  abstract = {We propose a symbolic semantics for the finite applied
    pi~calculus. The~applied pi calculus is a variant of the pi~calculus with
    extensions for modelling cryptographic protocols. By~treating inputs
    symbolically, our semantics avoids potentially infinite branching of
    execution trees due to inputs from the environment. Correctness is
    maintained by associating with each process a set of constraints on terms.
    We~define a symbolic labelled bisimulation relation, which is shown to be
    sound but not complete with respect to standard bisimulation. We explore
    the lack of completeness and demonstrate that the symbolic bisimulation
    relation is sufficient for many practical examples. This~work is an
    important step towards automation of observational equivalence for the
    finite applied pi calculus, \textit{e.g.}~for verification of anonymity or
    strong secrecy properties.}
}
@inproceedings{FGL-stacs2009,
  address = {Freiburg, Germany},
  month = feb,
  year = 2009,
  volume = 3,
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Albers, Susanne and Marion, Jean-Yves},
  acronym = {{STACS}'09},
  booktitle = {{P}roceedings of the 26th {A}nnual
               {S}ymposium on {T}heoretical {A}spects of
               {C}omputer {S}cience
               ({STACS}'09)},
  author = {Finkel, Alain and Goubault{-}Larrecq, Jean},
  title = {Forward Analysis for~{WSTS}, Part~{I}: Completions},
  pages = {433-444},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-stacs2009.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/FGL-stacs2009.pdf},
  abstract = {Well-structured transition systems provide the right foundation
    to compute a finite basis of the set of predecessors of the upward closure
    of a state. The~dual problem, to compute a finite representation of the
    set of successors of the downward closure of a state, is~harder: Until
    now, the theoretical framework for manipulating downward-closed sets was
    missing. We~answer this problem, using insights from domain theory (dcpos
    and ideal completions), from topology (sobrifications), and shed new light
    on the notion of adequate domains of limits.}
}
@article{JKV-icomp10,
  publisher = {Elsevier Science Publishers},
  journal = {Information and Computation},
  author = {Jacquemard, Florent and Klay, Francis and Vacher, Camille},
  title = {Rigid Tree Automata},
  volume = {209},
  number = 3,
  pages = {486-512},
  year = 2011,
  month = mar,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-icomp11.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/JKV-icomp11.pdf},
  doi = {10.1016/j.ic.2010.11.015},
  abstract = {We introduce the class of Rigid Tree Automata (RTA), an
    extension of standard bottom-up automata on ranked trees with
    distinguished states called rigid. Rigid states define a restriction on
    the computation of RTA on trees: RTA can test for equality in subtrees
    reaching the same rigid state. RTA are able to perform local and global
    tests of equality between subtrees, non-linear tree pattern matching, and
    restricted disequality tests as well. Properties like determinism, pumping
    lemma, boolean closure, and several decision problems are studied in
    detail. In particular, the emptiness problem is shown decidable in linear
    time for RTA whereas membership of a given tree to the language of a given
    RTA is NP-complete. Our main result is the decidability of whether a given
    tree belongs to the rewrite closure of a RTA language under a restricted
    family of term rewriting systems, whereas this closure is not a RTA
    language. This result, one of the first on rewrite closure of languages of
    tree automata with constraints, enables the extension of model
    checking procedures based on finite tree automata techniques. Finally, a
    comparison of RTA with several classes of tree automata with local and
    global equality tests, and with dag automata is also provided.}
}
@inproceedings{CSV-vmcai11,
  address = {Austin, Texas, USA},
  month = jan,
  year = 2011,
  volume = 6538,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Jhala, Ranjit and Schmidt, David},
  acronym = {{VMCAI}'11},
  booktitle = {{P}roceedings of the 12th {I}nternational {C}onference on
   	       {V}erification, {M}odel {C}hecking and {A}bstract {I}nterpretation
	       ({VMCAI}'11)},
  author = {Chadha, Rohit and Sistla, A. Prasad and Viswanathan, Mahesh},
  title = {Probabilistic {B}{\"u}chi automata with non-extremal acceptance
                  thresholds},
  pages = {103-117},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-vmcai11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-vmcai11.pdf},
  doi = {10.1007/978-3-642-18275-4_9},
  abstract = {This paper investigates the power of Probabilistic
    B{\"u}chi Automata~(PBA) when the threshold probability of acceptance is
    non-extremal, i.e., is a value strictly between 0 and 1. Many practical
    randomized algorithms are designed to work under non-extremal threshold
    probabilities and thus it is important to study power of PBAs for such
    cases.\par
    The paper presents a number of surprising expressiveness and decidability
    results for PBAs when the threshold probability is non-extremal. Some of
    these results sharply contrast with the results for extremal threshold
    probabilities. The paper also presents results for Hierarchical PBAs and
    for an interesting subclass of them called simple PBAs.}
}
@inproceedings{steel-escar09,
  address = {D{\"u}sseldorf, Germany},
  month = nov,
  year = 2009,
  editor = {Paar, Christof and Wollinger, Thomas},
  acronym = {{ESCAR}'09},
  booktitle = {{P}roceedings of the 7th 
           {C}onference on {E}mbedded {S}ecurity in {C}ars
           ({ESCAR}'09)},
  author = {Steel, Graham},
  title = {Towards a Formal Analysis of the {S}e{V}e{C}o{M}~{API}},
  nopages = {},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-escar09.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-escar09.pdf}
}
@inproceedings{steel-fcc09,
  address = {Port Jefferson, New York, USA},
  month = jul,
  year = 2009,
  editor = {K{\"u}sters, Ralf},
  acronym = {{FCC}'09},
  booktitle = {{P}roceedings of the 5th {W}orkshop on {F}ormal and
		 {C}omputational {C}ryptography ({FCC}'09)},
  author = {Steel, Graham},
  title = {Computational Soundness for {API}s},
  nopages = {},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-fcc09.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/steel-fcc09.pdf}
}
@inproceedings{SC-fcc07,
  address = {Venice, Italy},
  month = jul,
  year = 2007,
  editor = {Backes, Michael and Lakhnech, Yassine},
  acronym = {{FCC}'07},
  booktitle = {{P}roceedings of the 3rd {W}orkshop on {F}ormal and
		 {C}omputational {C}ryptography ({FCC}'07)},
  author = {Steel, Graham and Courant, Judica{\"e}l},
  title = {A formal model for detecting parallel key search attacks},
  nopages = {},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-fcc07.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-fcc07.pdf}
}
@mastersthesis{scerri-master,
  author = {Scerri, Guillaume},
  title = {Mod{\'e}lisation des cl{\'e}s de l'intrus},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = {2010},
  month = sep,
  nmnote = {Hubert prefere ne pas diffuser le rapport, et prepare une version 'conf'}
}
@article{LMT-tcs10,
  publisher = {Elsevier Science Publishers},
  journal = {Theoretical Computer Science},
  author = {Lanotte, Ruggero and Maggiolo{-}Schettini, Andrea and Troina, Angelo},
  title = {Weak bisimulation for Probabilistic Timed Automata?},
  volume = 411,
  number = 50,
  year = 2010,
  month = nov,
  pages = {4291-4322},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/LMT-tcs10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/LMT-tcs10.pdf},
  doi = {10.1016/j.tcs.2010.09.003},
  abstract = {We are interested in describing timed systems that exhibit
                  probabilistic behaviour. To this purpose, we consider a
                  model of Probabilistic Timed Automata and introduce a
                  concept of weak bisimulation for these automata, together
                  with an algorithm to decide it. The weak bisimulation
                  relation is shown to be preserved when either time, or
                  probability is abstracted away. As an application, we use
                  weak bisimulation for Probabilistic Timed Automata to model
                  and analyze a timing attack on the dining cryptographers protocol.}
}
@article{CD-jar10,
  publisher = {Springer},
  journal = {Journal of Automated Reasoning},
  author = {Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {Decidability and combination results for two notions of
		  knowledge in security protocols},
  volume = 48,
  number = {4},
  pages = {441-487},
  month = apr,
  year = 2012,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-jar10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-jar10.pdf},
  doi = {10.1007/s10817-010-9208-8},
  abstract = {In formal approaches, messages sent over a network are usually
    modeled by terms together with an equational theory, axiomatizing the
    properties of the cryptographic functions (encryption, exclusive~or,~...).
    The analysis of cryptographic protocols requires a precise understanding
    of the attacker knowledge. Two standard notions are usually considered:
    deducibility and indistinguishability. Those notions are well-studied and
    several decidability results already exist to deal with a variety of
    equational theories. Most of the existing results are dedicated to
    specific equational theories and only few results, especially in the case
    of indistinguishability, have been obtained for equational theories with
    associative and commutative properties~(AC).\par
    In this paper, we show that existing decidability results can be easily
    combined for any disjoint equational theories: if the deducibility and
    indistinguishability relations are decidable for two disjoint theories,
    they are also decidable for their union. We also propose a general setting
    for solving deducibility and indistinguishability for an important class
    (called \emph{monoidal}) of equational theories involving AC operators.\par
    As a consequence of these two results, new decidability and complexity
    results can be obtained for many relevant equational theories.}
}
@inproceedings{BGGLP-scan10,
  address = {Lyon, France},
  month = sep,
  year = 2010,
  noeditor = {},
  acronym = {SCAN'10},
  booktitle = {{P}roceedings of the 14th {GAMM}-{IMACS} {I}nternational
                  {S}ymposium on {S}cientific {C}omputing, {C}omputer 
		  {A}rithmetic and {V}alidated {N}umerics ({SCAN}'10)},
  author = {Bouissou, Olivier and Goubault, {\'E}ric and
                  Goubault{-}Larrecq, Jean and Putot, Sylvie},
  title = {A Generalization of {P}-boxes to Affine Arithmetic, and Applications to
  		 Static Analysis of Programs},
  nopages = {}
}
@article{GLK-mscs10,
  publisher = {Cambridge University Press},
  journal = {Mathematical Structures in Computer Science},
  author = {Goubault{-}Larrecq, Jean and Keimel, Klaus},
  title = {{C}hoquet-{K}endall-{M}atheron Theorems for Non-{H}ausdorff
                  Spaces},
  volume = 21,
  number = 3,
  pages = {511-561},
  month = jun,
  year = 2011,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLK-mscs10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLK-mscs10.pdf},
  doi = {10.1017/S0960129510000617},
  abstract = {We establish Choquet-Kendall-Matheron theorems on non-Hausdorff
    topological spaces. This typical result of random set theory is profitably
    recast in purely topological terms, using intuitions and tools from domain
    theory. We obtain three variants of the theorem, each one characterizing
    distributions, in the form of continuous valuations, over relevant
    powerdomains of demonic, resp. angelic, resp. erratic non-determinism.}
}
@inproceedings{CSV-fsttcs10,
  address = {Chennai, India},
  month = dec,
  year = 2010,
  volume = 8,
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Lodaya, Kamal and Mahajan, Meena},
  acronym = {{FSTTCS}'10},
  booktitle = {{P}roceedings of the 30th {C}onference on
               {F}oundations of {S}oftware {T}echnology and
               {T}heoretical {C}omputer {S}cience
               ({FSTTCS}'10)},
  author = {Chadha, Rohit and Sistla, A. Prasad and Viswanathan, Mahesh},
  title = {Model Checking Concurrent Programs with Nondeterminism and Randomization},
  pages = {364-375},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-fsttcs10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-fsttcs10.pdf},
  doi = {10.4230/LIPIcs.FSTTCS.2010.364},
  abstract = {For concurrent probabilistic programs having process-level
    nondeterminism, it is often necessary to restrict the class of schedulers
    that resolve nondeterminism to obtain sound and precise model checking
    algorithms. In this paper, we introduce two classes of schedulers called
    \emph{view consistent} and \emph{locally Markovian} schedulers and
    consider the model checking problem of concurrent, probabilistic programs
    under these alternate semantics. Specifically, given a B{\"u}chi
    automaton~\(\textsf{Spec}\), a~threshold~\(x\in[0,1]\), and a concurrent
    program~\(\mathbb{P}\), the model checking problem asks if the measure of
    computations of~\(\mathbb{P}\) that satisfy~\(\textsf{Spec}\) is at
    least~\(x\), under all view consistent (or locally Markovian) schedulers.
    We give precise complexity results for the model checking problem (for
    different classes of B{\"u}chi automata specifications) and contrast it
    with the complexity under the standard semantics that considers all
    schedulers. }
}
@inproceedings{DKRS-fast10,
  address = {Pisa, Italy},
  month = sep,
  year = 2010,
  volume = 6561,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Degano, Pierpaolo and Etalle, Sandro and Guttman, Joshua},
  acronym = {{FAST}'10},
  booktitle = {{R}evised {S}elected {P}apers of the 7th {I}nternational {W}orkshop on 
	   {F}ormal {A}spects in {S}ecurity and {T}rust ({FAST}'10)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D. and
                  Steel, Graham},
  title = {A~Formal Analysis of Authentication in the {TPM}},
  pages = {111-125},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-fast10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-fast10.pdf},
  ps = {DKRS-fast10.ps},
  doi = {10.1007/978-3-642-19751-2_8},
  abstract = {The Trusted Platform Module~(TPM) is a hardware chip designed to
    enable computers to achieve a greater level of security than is possible
    in software alone. To this end, the TPM provides a way to store
    cryptographic keys and other sensitive data in its shielded memory.
    Through its API, one can use those keys to achieve some security goals.
    The TPM is a complex security component, whose specification consists of
    more than \(700\)~pages.\par
    We model a collection of four TPM commands, and we identify and formalise
    their security properties. Using the tool ProVerif, we rediscover some
    known attacks and some new variations on them. We propose modifications to
    the API and verify our properties for the modified API.}
}
@inproceedings{DKRS-secco10,
  address = {Paris, France},
  month = aug,
  year = 2010,
  editor = {Cortier, V{\'e}ronique and Chatzikokolakis, Kostas},
  acronym = {{SecCo}'10},
  booktitle = {{P}reliminary {P}roceedings of the 8th {I}nternational
               {W}orkshop on {S}ecurity {I}ssues in
               {C}oordination {M}odels, {L}anguages and
               {S}ystems ({SecCo}'10)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D. and
                  Steel, Graham},
  title = {A~Formal Analysis of Authentication in the~{TPM} (short paper)},
  nopages = {},
  nmnote = {did not appear in postproc. EPTCS 51},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-secco10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-secco10.pdf},
  ps = {DKRS-secco10.ps}
}
@article{bwa-jcs10,
  publisher = {{IOS} Press},
  journal = {Journal of Computer Security},
  author = {Baudet, Mathieu and Warinschi,
                  Bogdan and Abadi, Mart{\'\i}n},
  title = {Guessing Attacks and the Computational Soundness of Static
                  Equivalence},
  volume = 18,
  number = 5,
  pages = {909-968},
  month = sep,
  year = 2010,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/bwa-jcs10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/bwa-jcs10.pdf},
  doi = {10.3233/JCS-2009-0386},
  abstract = {The indistinguishability of two pieces of data (or two lists of
    pieces of data) can be represented formally in terms of a relation called
    static equivalence. Static equivalence depends on an underlying equational
    theory. The choice of an inappropriate equational theory can lead to
    overly pessimistic or overly optimistic notions of indistinguishability,
    and in turn to security criteria that require protection against
    impossible attacks or---worse yet---that ignore feasible ones. In this
    paper, we define and justify an equational theory for standard,
    fundamental cryptographic operations. This equational theory yields a
    notion of static equivalence that implies computational
    indistinguishability. Static equivalence remains liberal enough for use in
    applications. In particular, we develop and analyze a principled formal
    account of guessing attacks in terms of static equivalence.}
}
@inproceedings{bgl-setop10,
  address = {Athens, Greece},
  month = sep,
  year = 2010,
  volume = 6514,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Cavalli, Ana and Leneutre, Jean},
  acronym = {{DPM}{{\slash}}{SETOP}'10},
  booktitle = {{R}evised {S}elected {P}apers of the 5th {I}nternational {W}orkshop
                  on {D}ata {P}rivacy {M}anagement and {A}utonomous
                  {S}pontaneous {S}ecurity ({DPM}'10) and 3rd {I}nternational 
 		  {W}orkshop on {A}utonomous
                  and {S}pontaneous {S}ecurity ({SETOP}'10)},
  author = {Benzina, Hedi and Goubault{-}Larrecq, Jean},
  title = {Some Ideas on Virtualized Systems Security, and Monitors},
  pages = {244-258},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/bgl-setop10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/bgl-setop10.pdf},
  doi = {10.1007/978-3-642-19348-4_18},
  abstract = {Virtualized systems such as Xen, VirtualBox, VMWare or QEmu have
    been proposed to increase the level of security achievable on personal
    computers. On the other hand, such virtualized systems are now targets for
    attacks. We propose an intrusion detection architecture for virtualized
    systems, and discuss some of the security issues that arise. We argue that
    a weak spot of such systems is domain zero administration, which is left
    entirely under the administrator's responsibility, and is in particular
    vulnerable to trojans. To~avert some of the risks, we~propose to install a
    role-based access control model with possible role delegation, and to
    describe all undesired activity flows through simple temporal formulas. We
    show how the latter are compiled into Orchids rules, via a fragment of
    linear temporal logic, through a generalization of the so-called history
    variable mechanism.}
}
@phdthesis{carre-phd2010,
  author = {Carr{\'e}, Jean-Loup},
  title = {Analyse statique de programmes multi-thread pour l'embarqu{\'e}},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2010,
  month = jul,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/carre-these10.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/carre-these10.pdf}
}
@article{KMT-jar10,
  publisher = {Springer},
  journal = {Journal of Automated Reasoning},
  author = {Kremer, Steve and Mercier, Antoine and Treinen, Ralf},
  title = {Reducing Equational Theories for the Decision of Static
  		 Equivalence},
  year = 2012,
  month = feb,
  pages = {197-217},
  number = 2,
  volume = 48,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/KMT-jar10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KMT-jar10.pdf},
  doi = {10.1007/s10817-010-9203-0},
  abstract = {Static equivalence is a well established notion of
    indistinguishability of sequences of terms which is useful in the symbolic
    analysis of cryptographic protocols. Static equivalence modulo equational
    theories allows for a more accurate representation of cryptographic
    primitives by modelling properties of operators by equational axioms. We
    develop a method that allows us in some cases to simplify the task of
    deciding static equivalence in a multi-sorted setting, by removing a
    symbol from the term signature and reducing the problem to several simpler
    equational theories. We illustrate our technique at hand of bilinear
    pairings.}
}
@article{CDK-jar10,
  publisher = {Springer},
  journal = {Journal of Automated Reasoning},
  author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune, St{\'e}phanie
  	 	and Kremer, Steve},
  title = {Computing knowledge in security protocols under convergent
  		equational theories},
  year = 2012,
  month = feb,
  pages = {219-262},
  number = 2,
  volume = 48,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-jar10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-jar10.pdf},
  doi = {10.1007/s10817-010-9197-7},
  abstract = {The analysis of security protocols requires reasoning about the
    knowledge an attacker acquires by eavesdropping on network traffic. In
    formal approaches, the messages exchanged over the network are modeled by
    a term algebra equipped with an equational theory axiomatizing the
    properties of the cryptographic primitives (e.g. encryption, signature).
    In this context, two classical notions of knowledge, deducibility and
    indistinguishability, yield corresponding decision problems.\par
    We propose a procedure for both problems under arbitrary convergent
    equational theories. Since the underlying problems are undecidable we
    cannot guarantee termination. Nevertheless, our procedure terminates on a
    wide range of equational theories. In particular, we obtain a new
    decidability result for a theory we encountered when studying electronic
    voting protocols. We also provide a prototype implementation.}
}
@inproceedings{BCFS-ccs10,
  address = {Chicago, Illinois, USA},
  month = oct,
  year = 2010,
  publisher = {ACM Press},
  acronym = {{CCS}'10},
  booktitle = {{P}roceedings of the 17th {ACM} {C}onference
               on {C}omputer and {C}ommunications {S}ecurity
               ({CCS}'10)},
  author = {Bortolozzo, Matteo and Centenaro, Matteo and Focardi,
                  Riccardo and Steel, Graham},
  title = {Attacking and Fixing {PKCS}\#11 Security Tokens},
  pages = {260-269},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCFS-ccs10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCFS-ccs10.pdf},
  doi = {10.1145/1866307.1866337},
  abstract = {We show how to extract sensitive cryptographic keys from a
    variety of commercially available tamper resistant cryptographic security
    tokens, exploiting vulnerabilities in their RSA PKCS\#11 based APIs. The
    attacks are performed by Tookan, an automated tool we have developed,
    which reverse-engineers the particular token in use to deduce its
    functionality, constructs a model of its API for a model checker, and then
    executes any attack trace found by the model checker directly on the
    token. We describe the operation of Tookan and give results of testing the
    tool on 17 commercially available tokens: 9~were vulnerable to attack,
    while the other 8 had severely restricted functionality. One of the
    attacks found by the model checker has not previously appeared in the
    literature. We show how Tookan may be used to verify patches to insecure
    devices, and give a secure configuration that we have implemented in a
    patch to a software token simulator. This is the first such configuration
    to appear in the literature that does not require any new cryptographic
    mechanisms to be added to the standard. We comment on lessons for future
    key management APIs.}
}
@article{CKW-jar2010,
  publisher = {Springer},
  journal = {Journal of Automated Reasoning},
  author = {Cortier, V{\'e}ronique and Kremer, Steve and  Warinschi, Bogdan},
  title = {A~Survey of Symbolic Methods in Computational Analysis of
  	    Cryptographic Systems},
  year = 2010,
  month = apr,
  pages = {225-259},
  number = {3-4},
  volume = {46},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CKW-jar10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CKW-jar10.pdf},
  doi = {10.1007/s10817-010-9187-9},
  abstract = {Since the 1980s, two approaches have been developed for
    analyzing security protocols. One of the approaches relies on a
    computational model that considers issues of complexity and probability.
    This approach captures a strong notion of security, guaranteed against all
    probabilistic polynomial-time attacks. The other approach relies on a
    symbolic model of protocol executions in which cryptographic primitives
    are treated as black boxes. Since the seminal work of Dolev and Yao, it
    has been realized that this latter approach enables significantly simpler
    and often automated proofs. However, the guarantees that it offers with
    respect to the more detailed computational models have been quite
    unclear.\par 
    For more than twenty years the two approaches have coexisted but evolved
    mostly independently. Recently, significant research efforts attempt to
    develop paradigms for cryptographic systems analysis that combines the
    best of both worlds. There are two broad directions that have been
    followed. Computational soundness aims to establish sufficient conditions
    under which results obtained using symbolic models imply security under
    computational models. The direct approach aims to apply the principles and
    the techniques developed in the context of symbolic models directly to
    computational ones.\par
    In this paper we survey existing results along both of these directions.
    Our goal is to provide a rather complete summary that could act as a quick
    reference for researchers who want to contribute to the field, want to
    make use of existing results, or just want to get a better picture of what
    results already exist.}
}
@inproceedings{KRS-esorics10,
  address = {Athens, Greece},
  month = sep,
  year = 2010,
  volume = {6345},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Gritzalis, Dimitris and Preneel, Bart},
  acronym = {{ESORICS}'10},
  booktitle = {{P}roceedings of the 15th {E}uropean {S}ymposium on
		{R}esearch in {C}omputer {S}ecurity ({ESORICS}'10)},
  author = {Kremer, Steve and Ryan, Mark D. and  Smyth, Ben},
  title = {Election verifiability in electronic voting protocols},
  pages = {389-404},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/KRS-esorics10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KRS-esorics10.pdf},
  doi = {10.1007/978-3-642-15497-3_24},
  abstract = {We present a formal, symbolic definition of election
    verifiability for electronic voting protocols in the context of the
    applied pi calculus. Our definition is given in terms of boolean tests
    which can be performed on the data produced by an election. The definition
    distinguishes three aspects of verifiability: individual, universal and
    eligibility verifiability. It also allows us to determine precisely which
    aspects of the system's hardware and software must be trusted for the
    purpose of election verifiability. In contrast with earlier work our
    definition is compatible with a large class of electronic voting schemes,
    including those based on blind signatures, homomorphic encryption and
    mixnets. We demonstrate the applicability of our formalism by analysing
    three protocols: FOO, Helios~2.0, and Civitas (the latter two have been
    deployed).}
}
@inproceedings{DDS-esorics10,
  address = {Athens, Greece},
  month = sep,
  year = 2010,
  volume = {6345},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Gritzalis, Dimitris and Preneel, Bart},
  acronym = {{ESORICS}'10},
  booktitle = {{P}roceedings of the 15th {E}uropean {S}ymposium on
		{R}esearch in {C}omputer {S}ecurity ({ESORICS}'10)},
  author = {Dahl, Morten and Delaune, St{\'e}phanie and Steel, Graham},
  title = {Formal Analysis of Privacy for Vehicular Mix-Zones},
  pages = {55-70},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-esorics10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-esorics10.pdf},
  ps = {DDS-esorics10.ps},
  doi = {10.1007/978-3-642-15497-3_4},
  abstract = {Safety critical applications for recently proposed vehicle to
   vehicle ad-hoc networks~(VANETs) rely on a beacon signal, which poses a
   threat to privacy since it could allow a vehicle to be tracked. Mix-zones,
   where vehicles encrypt their transmissions and then change their
   identifiers, have been proposed as a solution to this problem. \par 
   In this work, we~describe a formal analysis of mix-zones. We~model a
   mix-zone and propose a formal definition of privacy for such a zone.
   We~give a set of necessary conditions for any mix-zone protocol to preserve
   privacy. We~analyse, using the tool ProVerif, a~particular proposal for key
   distribution in mix-zones, the CMIX protocol. We~report attacks on privacy
   and we propose a fix.}
}
@inproceedings{DDS-fcsprivmod10,
  address = {Edinburgh, Scotland, UK},
  month = jul,
  year = 2010,
  editor = {Cortier, V{\'e}ronique and Ryan, Mark D. and
		Shmatikov, Vitaly},
  acronym = {{FCS-PrivMod}'10},
  booktitle = {{P}roceedings of the {W}orkshop on {F}oundations of {S}ecurity 
		and {P}rivacy ({FCS-PrivMod}'10)},
  author = {Dahl, Morten and Delaune, St{\'e}phanie and Steel, Graham},
  title = {Formal Analysis of Privacy for Vehicular Mix-Zones},
  pages = {55-70},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-10.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-10.pdf},
  ps = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/
        rr-lsv-2010-10.ps},
  doi = {10.1007/978-3-642-15497-3_4},
  abstract = {Safety critical applications for recently proposed vehicle to
    vehicle ad-hoc networks (VANETs) rely on a beacon signal, which poses a
    threat to privacy since it could allow a vehicle to be tracked. Mix-zones,
    where vehicles encrypt their transmissions and then change their
    identifiers, have been proposed as a solution to this problem.\par
    In this work, we describe a formal analysis of mix-zones. We model a
    mix-zone and propose a formal definition of privacy for such a zone. We
    give a set of necessary conditions for any mix-zone protocol to preserve
    privacy. We analyse, using the tool ProVerif, a particular proposal for
    key distribution in mix-zones, the CMIX protocol. We report attacks on
    privacy and we propose a fix.}
}
@incollection{DKR-lncs6000,
  noaddress = {},
  month = may,
  year = 2010,
  volume = 6000,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  noacronym = {},
  booktitle = {{T}owards {T}rustworthy {E}lections -- {N}ew {D}irections in
                  {E}lectronic {V}oting},
  editor = {Chaum, David and Jakobsson, Markus and Rivest, Ronald L. and
                  Ryan, Peter Y. A. and Benaloh, Josh and Kuty{\l}owski, Miros{\l}aw
                  and Adida, Ben},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D.},
  title = {Verifying Privacy-Type Properties of Electronic Voting
                  Protocols: A~Taster},
  pages = {289-309},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKR-lncs6000.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKR-lncs6000.pdf},
  doi = {10.1007/978-3-642-12980-3_18},
  abstract = {While electronic elections promise the possibility of
    convenient, efficient and secure facilities for recording and tallying
    votes, recent studies have highlighted inadequacies in implemented
    systems. These inadequacies provide additional motivation for applying
    formal methods to the validation of electronic voting protocols.\par
    In this paper we report on some of our recent efforts in using the applied
    pi calculus to model and analyse properties of electronic elections. We
    particularly focus on anonymity properties, namely vote-privacy and
    receipt-freeness. These properties are expressed using observational
    equivalence and we show in accordance with intuition that receipt-freeness
    implies vote-privacy.\par
    We illustrate our definitions on two electronic voting protocols from the
    literature. Ideally, these properties should hold even if the election
    officials are corrupt. However, protocols that were designed to satisfy
    privacy or receipt-freeness may not do so in the presence of corrupt
    officials. Our model and definitions allow us to specify and easily change
    which authorities are supposed to be trustworthy.}
}
@inproceedings{CCD-ijcar10,
  address = {Edinburgh, Scotland, UK},
  month = jul,
  year = 2010,
  volume = {6173},
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer-Verlag},
  editor = {Giesl, J{\"u}rgen and H{\"a}hnle, Reiner},
  acronym = {{IJCAR}'10},
  booktitle = {{P}roceedings of the 5th {I}nternational {J}oint
           {C}onference on {A}utomated {R}easoning
           ({IJCAR}'10)},
  author = {Cheval, Vincent and Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
  title = {Automating security analysis: symbolic equivalence of
                  constraint systems},
  pages = {412-426},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ijcar10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ijcar10.pdf},
  doi = {10.1007/978-3-642-14203-1_35},
  abstract = {We consider security properties of cryptographic protocols, that
    are either trace properties (such as confidentiality or authenticity) or
    equivalence properties (such as anonymity or strong secrecy).\par
    Infinite sets of possible traces are symbolically represented using
    \emph{deducibility constraints}. We give a new algorithm that decides the
    trace equivalence for the traces that are represented using such
    constraints, in the case of signatures, symmetric and asymmetric
    encryptions. Our algorithm is implemented and performs well on typical
    benchmarks. This is the first implemented algorithm, deciding symbolic
    trace equivalence.}
}
@inproceedings{JGL-icalp10,
  address = {Bordeaux, France},
  month = jul,
  year = 2010,
  volume = 6199,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Abramsky, Samson and Meyer{ }auf{ }der{ }Heide, Friedhelm
  	    and Spirakis, Paul},
  acronym = {{ICALP}'10},
  booktitle = {{P}roceedings of the 37th {I}nternational 
               {C}olloquium on {A}utomata, {L}anguages and 
               {P}rogramming ({ICALP}'10)~-- {P}art~{II}},
  author = {Goubault{-}Larrecq, Jean},
  title = {Noetherian Spaces in Verification},
  pages = {2-21},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-icalp10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-icalp10.pdf},
  doi = {10.1007/978-3-642-14162-1_2},
  abstract = {Noetherian spaces are a topological concept that generalizes
    well quasiorderings. We explore applications to infinite-state
    verification problems, and show how this stimulated the search for
    infinite procedures \`a la Karp-Miller.}
}
@inproceedings{CC-csf10,
  address = {Edinburgh, Scotland, UK},
  month = jul,
  year = 2010,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'10},
  booktitle = {{P}roceedings of the 
               23rd {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'10)},
  author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Cortier, V{\'e}ronique},
  title = {Protocol composition for arbitrary primitives},
  pages = {322-336},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-09.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2010-09.pdf},
  doi = {10.1109/CSF.2010.29},
  abstract = {We study the composition of security protocols when protocols
                  share secrets such as keys. We show (in a Dolev-Yao model)
                  that if two protocols use disjoint cryptographic primitives,
                  their composition is secure if the individual protocols are
                  secure, even if they share data. Our result holds for any
                  cryptographic primitives that can be modeled using
                  equational theories, such as encryption, signature, MAC,
                  exclusive-or, and Diffie-Hellman. Our main result transforms
                  any attack trace of the combined protocol into an attack
                  trace of one of the individual protocols. This allows
                  various ways of combining protocols such as sequentially or
                  in parallel, possibly with inner replications. As an
                  application, we show that a protocol using preestablished
                  keys may use any (secure) key-exchange protocol without
                  jeopardizing its security, provided that they do not use the
                  same primitives. This allows us, for example, to securely
                  compose a Diffie-Hellman key exchange protocol with any
                  other protocol using the exchanged key, provided that the
                  second protocol does not use the Diffie-Hellman primitives.
                  We also explore tagging, which is a way of forcing the
                  disjointness of two protocols that share cryptographic
                  primitives. We explain why composing protocols which use
                  tagged cryptographic primitives like encryption and hash
                  functions is secure by reducing this problem to the previous
                  one.}
}
@inproceedings{ACD-csf10,
  address = {Edinburgh, Scotland, UK},
  month = jul,
  year = 2010,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'10},
  booktitle = {{P}roceedings of the 
               23rd {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'10)},
  author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {Modeling and Verifying Ad Hoc Routing Protocols},
  pages = {59-74},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf10.pdf},
  doi = {10.1109/CSF.2010.12},
  abstract = {Mobile ad hoc networks consist of mobile wireless devices which
    autonomously organize their infrastructure. In such networks, a central
    issue, ensured by routing protocols, is to find a route from one device to
    another. Those protocols use cryptographic mechanisms in order to prevent
    malicious nodes from compromising the discovered route.\par
    Our contribution is twofold. We first propose a calculus for modeling and
    reasoning about security protocols, including in particular secured
    routing protocols. Our calculus extends standard symbolic models to take
    into account the characteristics of routing protocols and to model
    wireless communication in a more accurate way. Our second main
    contribution is a decision procedure for analyzing routing protocols for
    any network topology. By using constraint solving techniques, we show that
    it is possible to automatically discover (in NPTIME) whether there exists
    a network topology that would allow malicious nodes to mount an attack
    against the protocol, for a bounded number of sessions. We also provide a
    decision procedure for detecting attacks in case the network topology is
    given a priori. We demonstrate the usage and usefulness of our approach by
    analyzing the protocol \textsf{SRP} applied to~\textsf{DSR}.}
}
@inproceedings{JGL-lics10,
  address = {Edinburgh, Scotland, UK},
  month = jul,
  year = 2010,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{LICS}'10},
  booktitle = {{P}roceedings of the 25th
               {A}nnual {IEEE} {S}ymposium on
               {L}ogic in {C}omputer {S}cience
               ({LICS}'10)},
  author = {Goubault{-}Larrecq, Jean},
  title = {{{\(\omega\)}}{\textbf{\MakeUppercase{QRB}}}-Domains and the
                  Probabilistic Powerdomain},
  pages = {352-361},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lics10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lics10.pdf},
  doi = {10.1109/LICS.2010.50},
  abstract = {Is there any cartesian-closed category of continuous domains
    that would be closed under Jones and Plotkin's probabilistic powerdomain
    construction? This is a major open problem in the area of denotational
    semantics of probabilistic higher-order languages. We relax the question,
    and look for quasi-continuous dcpos instead. We introduce a natural class
    of such quasi-continuous dcpos, the \(\omega\textbf{QRB}\)-domains. We
    show that they form a category \(\omega\textbf{QRB}\) with pleasing
    properties: \(\omega\textbf{QRB}\) is closed under the probabilistic
    powerdomain functor, has all finite products, all bilimits, and is stable
    under retracts, and even under so-called quasiretracts. But...
    \(\omega\textbf{QRB}\) is not cartesian closed.}
}
@inproceedings{SRKK-arspawits10,
  address = {Paphos, Cyprus},
  month = oct,
  year = 2010,
  volume = 6186,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Armando, Alessandro and Lowe, Gavin},
  acronym = {{ARSPA-WITS}'10},
  booktitle = {{P}roceedings of the {J}oint {W}orkshop
	   on {A}utomated {R}easoning for {S}ecurity {P}rotocol {A}nalysis and
           {I}ssues in the {T}heory of {S}ecurity ({ARSPA-WITS}'10)},
  author = {Smyth, Ben and Ryan, Mark D. and Kremer, Steve and 
		  Kourjieh, Mounira},
  title = {Towards automatic analysis of election verifiability properties},
  pages = {146-163},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/SRKK-arspawits10.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/SRKK-arspawits10.pdf},
  doi = {10.1007/978-3-642-16074-5_11},
  abstract = {We present a symbolic definition that captures some
    cases of election verifiability for electronic voting protocols. Our
    definition is given in terms of reachability assertions in the applied pi
    calculus and is amenable to automated reasoning using the software tool
    ProVerif. The definition distinguishes three aspects of verifiability,
    which we call individual, universal, and eligibility verifiability. We
    demonstrate the applicability of our formalism by analysing the protocols
    due to Fujioka, Okamoto~\& Ohta and a variant of the one by Juels,
    Catalano~\& Jakobsson (implemented as Civitas by Clarkson, Chong~\& Myers).}
}
@misc{avote-D21,
  nocontributor = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Delaune,
                  St{\'e}phanie and Kremer, Steve},
  author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Cortier, V{\'e}ronique},
  title = {Algorithmes pour l'{\'e}quivalence statique},
  year = 2009,
  month = sep,
  type = {Contract Report},
  howpublished = {Deliverable AVOTE~2.1 (ANR-07-SESU-002)},
  note = {17~pages},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/avote-d21.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/avote-d21.pdf}
}
@misc{JGL-tacl11,
  author = {Goubault{-}Larrecq, Jean},
  title = {A Few Pearls in the Theory of Quasi-Metric Spaces},
  year = {2011},
  month = jul,
  howpublished = {Invited talk, Fifth International Conference on Topology,
                  Algebra, and Categories in Logic (TACL'11), Marseilles,
                  France, July~2011}
}
@article{FG-lmcs12,
  journal = {Logical Methods in Computer Science},
  author = {Finkel, Alain and Goubault{-}Larrecq, Jean},
  title = {Forward Analysis for {WSTS}, Part~{II}: Complete {WSTS}},
  year = 2012,
  month = sep,
  volume = 8,
  number = {3:28},
  nopages = {},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/FG-lmcs12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/FG-lmcs12.pdf},
  doi = {10.2168/LMCS-8(3:28)2012},
  abstract = {We describe a simple, conceptual forward analysis procedure for
        \(\infty\)-complete WSTS~\(\mathfrak{S}\). This computes the so-called
        \emph{clover} of a state. When \(\mathfrak{S}\) is the completion of a
        WSTS~\(\mathfrak{X}\), the clover in~\(\mathfrak{S}\) is a finite
        description of the downward closure of the reachability set. We show
        that such completions are infinity-complete exactly when
        \(\mathfrak{X}\) is an \(\omega^2\)-WSTS, a~new robust class of WSTS.
        We show that our procedure terminates in more cases than the
        generalized Karp-Miller procedure on extensions of Petri nets and on
        lossy channel systems. We characterize the WSTS where our procedure
        terminates as those that are \emph{clover-flattable}. Finally, we
        apply this to well-structured counter systems.}
}
@article{JGL-lmcs12,
  journal = {Logical Methods in Computer Science},
  author = {Goubault{-}Larrecq, Jean},
  title = {{QRB}-Domains and the Probabilistic Powerdomain},
  year = 2012,
  volume = 8,
  number = {1:14},
  nopages = {},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lmcs12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-lmcs12.pdf},
  doi = {10.2168/LMCS-8(1:14)2012},
  abstract = {Is there any Cartesian-closed category of continuous
        domains that would be closed under Jones and Plotkin's
        probabilistic powerdomain construction?  This is a major open
        problem in the area of denotational semantics of probabilistic
        higher-order languages.  We relax the question, and look for
        quasi-continuous dcpos instead.\par
        We introduce a natural class of such quasi-continuous dcpos, the
        omega-QRB-domains.  We show that they form a category omega-QRB
        with pleasing properties: omega-QRB is closed under the
        probabilistic powerdomain functor, under finite products, under
        taking bilimits of expanding sequences, under retracts, and
        even under so-called quasi-retracts.  But... omega-QRB is
        not Cartesian closed.  We conclude by showing that the QRB
        domains are just one half of an FS-domain, merely lacking
        control.}
}
@article{BGGLP-comp11,
  publisher = {Springer},
  journal = {Computing},
  author = {Bouissou, Olivier and Goubault, {\'E}ric and
                  Goubault{-}Larrecq, Jean and Putot, Sylvie},
  title = {A Generalization of {P}-boxes to Affine Arithmetic, and Applications to
  		 Static Analysis of Programs},
  year = 2012,
  month = mar,
  volume = 94,
  number = {2-4},
  pages = {189-201},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BGGLP-comp11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BGGLP-comp11.pdf},
  doi = {10.1007/s00607-011-0182-8},
  abstract = {We often need to deal with information that contains
        both interval and probabilistic uncertainties. P-boxes and
        Dempster-Shafer structures are models that unify both kinds of
        information, but they suffer from the main defect of intervals,
        the wrapping effect. We present here a new arithmetic that
        mixes, in a guaranteed manner, interval uncertainty with
        probabilities, while using some information about variable
        dependencies, hence limiting the loss from not accounting for
        correlations.  This increases the precision of the result and
        decreases the computation time compared to standard p-box
        arithmetic.}
}
@inproceedings{BC-post12,
  address = {Tallinn, Estonia},
  month = mar,
  year = 2012,
  volume = {7215},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Degano, Pierpaolo and Guttman, Joshua D.},
  acronym = {{POST}'12},
  booktitle = {{P}roceedings of the 1st {I}nternational {C}onference on
  	   {P}rinciples of {S}ecurity and {T}rust 
           ({POST}'12)},
  author = {Bana, Gergei and Comon{-}Lundh, Hubert},
  title = {Towards Unconditional Soundness: Computationally Complete Symbolic Attacker},
  pages = {189-208},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-post12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-post12.pdf},
  doi = {10.1007/978-3-642-28641-4_11},
  abstract = {We consider the question of the adequacy of symbolic models
    versus computational models for the verification of security protocols. We
    neither try to include properties in the symbolic model that reflect the
    properties of the computational primitives nor add computational
    requirements that enforce the soundness of the symbolic model. We propose
    in this paper a different approach: everything is possible in the symbolic
    model, unless it contradicts a computational assumption. In this way, we
    obtain unconditional soundness almost by construction. And we do not need
    to assume the absence of dynamic corruption or the absence of key-cycles,
    which are examples of hypotheses that are always used in related works. We
    set the basic framework, for arbitrary cryptographic primitives and
    arbitrary protocols, however for trace security properties only.}
}
@inproceedings{CCS-post12,
  address = {Tallinn, Estonia},
  month = mar,
  year = 2012,
  volume = {7215},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Degano, Pierpaolo and Guttman, Joshua D.},
  acronym = {{POST}'12},
  booktitle = {{P}roceedings of the 1st {I}nternational {C}onference on
  	   {P}rinciples of {S}ecurity and {T}rust 
           ({POST}'12)},
  author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique and Scerri, Guillaume},
  title = {Security proof with dishonest keys},
  pages = {149-168},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCS-post12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCS-post12.pdf},
  doi = {10.1007/978-3-642-28641-4_9},
  abstract = {Symbolic and computational models are the two families of models
    for rigorously analysing security protocols. Symbolic models are abstract
    but offer a high level of automation while computational models are more
    precise but security proofs can be tedious. Since the seminal work of Abadi
    and Rogaway, a new direction of research aims at reconciling the two views
    and many soundness results establish that symbolic models are actually
    sound w.r.t. computational models.\par
    This is however not true for the prominent case of encryption. Indeed, all
    existing soundness results assume that the adversary only uses honestly
    generated keys. While this assumption is acceptable in the case of
    asymmetric encryption, it is clearly unrealistic for symmetric encryption.
    In this paper, we provide several examples of attacks that do not
    show up in the classical Dolev-Yao model, and that break neither the
    IND-CPA nor the INT-CTXT property of the encryption scheme.\par
    Our main contribution is to show the first soundness result for symmetric
    encryption and arbitrary adversaries. We consider arbitrary
    indistinguishability properties and an unbounded number of sessions. This
    result relies on an extension of the symbolic model, while keeping
    standard security assumptions: IND-CPA and INT-CTXT for the encryption
    scheme.}
}
@inproceedings{CDD-post12,
  address = {Tallinn, Estonia},
  month = mar,
  year = 2012,
  volume = {7215},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Degano, Pierpaolo and Guttman, Joshua D.},
  acronym = {{POST}'12},
  booktitle = {{P}roceedings of the 1st {I}nternational {C}onference on
  	   {P}rinciples of {S}ecurity and {T}rust 
           ({POST}'12)},
  author = {Cortier, V{\'e}ronique and Degrieck, Jan and Delaune, St{\'e}phanie},
  title = {Analysing routing protocols: four nodes topologies are sufficient},
  pages = {30-50},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post12.pdf},
  doi = {10.1007/978-3-642-28641-4_3},
  abstract = {Routing protocols aim at establishing a route between nodes on a
    network. Secured versions of routing protocols have been proposed in order
    to provide more guarantees on the resulting routes. Formal methods have
    proved their usefulness when analysing standard security protocols such as
    confidentiality or authentication protocols. However, existing results and
    tools do not apply to routing protocols. This is due in particular to the
    fact that all possible topologies (infinitely many) have to be considered.\par
    In this paper, we propose a simple reduction result: when looking for
    attacks on properties such as the validity of the route, it is sufficient
    to consider topologies with only four nodes, resulting in a number of just
    five distinct topologies to consider. As an application, we analyse the
    SRP applied to DSR and the SDMSR protocols using the ProVerif tool.}
}
@techreport{LSV-11-24,
  author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {Modeling and Verifying Ad~Hoc Routing Protocols},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = {2011},
  month = dec,
  type = {Research Report},
  number = {LSV-11-24},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2011-24.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2011-24.pdf},
  versions = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2011-24-v1.pdf, 20111220},
  note = {66~pages},
  abstract = {Mobile ad hoc networks consist of mobile wireless devices which
    autonomously organize their infrastructure. In such networks, a central
    issue, ensured by routing protocols, is to find a route from one device to
    another. Those protocols use cryptographic mechanisms in order to prevent
    malicious nodes from compromising the discovered route.\par
    Our contribution is twofold. We first propose a calculus for modeling and
    reasoning about security protocols, including in particular secured
    routing protocols. Our calculus extends standard symbolic models to take
    into account the characteristics of routing protocols and to model
    wireless communication in a more accurate way. Our second main
    contribution is a decision procedure for analyzing routing protocols for
    any network topology. By using constraint solving techniques, we show that
    it is possible to automatically discover (in~NPTIME) whether there exists
    a network topology that would allow malicious nodes to mount an attack
    against the protocol, for a bounded number of sessions. We also provide a
    decision procedure for detecting attacks in case the network topology is
    given a priori. We demonstrate the usage and usefulness of our approach by
    analyzing protocols of the literature, such as SRP applied to DSR and
    SDMSR.}
}
@inproceedings{CMV-tacas12,
  address = {Tallinn, Estonia},
  month = mar,
  year = 2012,
  volume = {7214},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Flanagan, Cormac and K{\"o}nig, Barbara},
  acronym = {{TACAS}'12},
  booktitle = {{P}roceedings of the 18th {I}nternational 
               {C}onference on {T}ools and {A}lgorithms for
               {C}onstruction and {A}nalysis of {S}ystems
               ({TACAS}'12)},
  author = {Chadha, Rohit and Madhusudan, P. and Viswanathan, Mahesh},
  title = {Reachability under Contextual Locking},
  pages = {437-450},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CMV-tacas12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CMV-tacas12.pdf},
  doi = {10.1007/978-3-642-28756-5_30},
  abstract = {The pairwise reachability problem for a multi-threaded program
    asks, given control locations in two threads, whether they can be
    simultaneously reached in an execution of the program. The problem is
    important for static analysis and is used to detect statements that are
    concurrently enabled. This problem is in general undecidable even when
    data is abstracted and when the threads (with recursion) synchronize only
    using a finite set of locks. Popular programming paradigms that limit the
    lock usage patterns have been identified under which the pairwise
    reachability problem becomes decidable. In this paper, we consider a new
    natural programming paradigm, called contextual locking, which ties the
    lock usage to calling patterns in each thread: we assume that locks are
    released in the same context that they were acquired and that every lock
    acquired by a thread in a procedure call is released before the procedure
    returns. Our main result is that the pairwise reachability problem is
    polynomial-time decidable for this new programming paradigm as well.}
}
@phdthesis{arnaud-phd2011,
  author = {Arnaud, Mathilde},
  title = {Formal verification of secured routing protocols},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2011,
  month = dec,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/arnaud-these11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/arnaud-these11.pdf}
}
@phdthesis{ciobaca-phd2011,
  author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan},
  title = {Automated Verification of Security Protocols 
	    with Applications to Electronic Voting},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2011,
  month = dec,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/ciobaca-these11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ciobaca-these11.pdf}
}
@article{BCJST-ijis11,
  publisher = {Springer},
  journal = {International Journal on Information Security},
  author = {Backes, Michael and Cervesato, Iliano and Jaggard, Aaron and
   	  	 Scedrov, Andre and Tsay, Joe-Kai},
  title = {Cryptographically sound security proofs for basic and public-key
   	 	 {K}erberos},
  pages = {107-134},
  volume = {10},
  number = {2},
  year = {2011},
  month = jun,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCJST-ijis11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCJST-ijis11.pdf},
  doi = {10.1007/s10207-011-0125-6}
}
@inproceedings{ILV-imacc11,
  address = {Oxford, UK},
  month = dec,
  year = 2011,
  volume = {7089},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Chen, Liqun},
  acronym = {{IMACC}'11},
  booktitle = {{P}roceedings of the 13th {IMA} {I}nternational {C}onference
  	   on {C}ryptography and {C}oding
           ({IMACC}'11)},
  author = {Izabach{\`e}ne, Malika and Libert, Beno{\^\i}t and
  	 	 Vergnaud, Damien},
  title = {Block-wise {P}-Signatures and Non-Interactive Anonymous
                 Credentials with Efficient Attributes},
  pages = {431-450},
  doi = {10.1007/978-3-642-25516-8_26},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/ILV-imacc11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ILV-imacc11.pdf},
  abstract = {Anonymous credentials are protocols in which users obtain
    certificates from organizations and subsequently demonstrate their
    possession in such a way that transactions carried out by the same user
    cannot be linked. We present an anonymous credential scheme with
    non-interactive proofs of credential possession where credentials are
    associated with a number of attributes. Following recent results of
    Camenisch and Gro\ss{} (CCS~2008), the proof simultaneously convinces the
    verifier that certified attributes satisfy a certain predicate. Our
    construction relies on a new kind of P-signature, termed \emph{block-wise
    P-signature}, that allows a user to obtain a signature on a committed
    vector of messages and makes it possible to generate a short witness that
    serves as a proof that the signed vector satisfies the predicate.
    A~non-interactive anonymous credential is obtained by combining our
    \emph{block-wise} P-signature scheme with the Groth-Sahai proof system. It
    allows efficiently proving possession of a credential while simultaneously
    demonstrating that underlying attributes satisfy a predicate corresponding
    to the evaluation of inner products (and therefore disjunctions or
    polynomial evaluations). The security of our scheme is proved in the
    standard model under non-interactive assumptions.}
}
@book{LPS-book11,
  author = {Luccio, Fabrizio and Pagli, Linda and Steel, Graham},
  title = {Mathematical and Algorithmic Foundations of the Internet},
  publisher = {CRC Press},
  year = 2011,
  month = jul,
  url = {https://www.crcpress.com/9781439831380}
}
@incollection{steel-crypt2011,
  author = {Steel, Graham},
  title = {Formal Analysis of Security~{API}s},
  booktitle = {Encyclopedia of Cryptography and Security},
  edition = {2nd},
  editor = {van Tilborg, Henk C. A. and Jajodia, Sushil},
  year = {2011},
  pages = {492-494},
  publisher = {Springer},
  doi = {10.1007/978-1-4419-5906-5_873}
}
@article{CSV-lmcs11,
  journal = {Logical Methods in Computer Science},
  author = {Chadha, Rohit and Sistla, A. Prasad and Viswanathan, Mahesh},
  title = {Power of Randomization in Automata on Infinite Strings},
  year = {2011},
  month = sep,
  volume = {7},
  number = {3:22},
  nopages = {},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-lmcs11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CSV-lmcs11.pdf},
  doi = {10.2168/LMCS-7(3:22)2011},
  abstract = {Probabilistic B{\"u}chi Automata~(PBA) are randomized,
                  finite state automata that process input strings of
                  infinite length. Based on the threshold chosen for
                  the acceptance probability, different classes of
                  languages can be defined. In this paper, we present
                  a number of results that clarify the power of such
                  machines and properties of the languages they
                  define. The broad themes we focus on are as
                  follows. We present results on the decidability and
                  precise complexity of the emptiness, universality
                  and language containment problems for such machines,
                  thus answering questions central to the use of these
                  models in formal verification. Next, we characterize
                  the languages recognized by PBAs topologically,
                  demonstrating that though general PBAs can recognize
                  languages that are not regular, topologically the
                  languages are as simple as \(\omega\)-regular
                  languages. Finally, we introduce Hierarchical PBAs,
                  which are syntactically restricted forms of PBAs
                  that are tractable and capture exactly the class of
                  \(\omega\)-regular languages.}
}
@mastersthesis{pasaila-master,
  author = {Pasail{\u{a}}, Daniel},
  title = {Verifying equivalence properties of security protocols},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = {2011},
  month = sep,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/dp11-m2.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/dp11-m2.pdf}
}
@mastersthesis{degriek-master,
  author = {Degrieck, Jan},
  title = {R{\'e}duction de graphes pour l'analyse de protocoles de routage
  		s{\'e}curis{\'e}s},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = {2011},
  month = sep,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/jd11-m2.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/jd11-m2.pdf}
}
@inproceedings{CDK-fsttcs11,
  address = {Mumbai, India},
  month = dec,
  year = 2011,
  volume = 13,
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Chakraborty, Supratik and Kumar, Amit},
  acronym = {{FSTTCS}'11},
  booktitle = {{P}roceedings of the 31st {C}onference on
               {F}oundations of {S}oftware {T}echnology and
               {T}heoretical {C}omputer {S}cience
               ({FSTTCS}'11)},
  author = {Chevalier, C{\'e}line and Delaune, St{\'e}phanie and Kremer, Steve},
  title = {Transforming Password Protocols to Compose},
  pages = {204-216},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-fsttcs11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDK-fsttcs11.pdf},
  doi = {10.4230/LIPIcs.FSTTCS.2011.204},
  abstract = {Formal, symbolic techniques are extremely useful for modelling
  and analysing security protocols. They improved our understanding of
  security protocols, allowed flaws to be discovered, and also provide support for
  protocol design. However, such analyses usually consider that the protocol
  is executed in isolation or assume a bounded number of protocol sessions.
  Hence, no security guarantee is provided when the protocol is executed in a
  more complex environment.\par
  In this paper, we study whether password protocols can be safely composed,
  even when the same password is reused. More precisely, we present a
  transformation which maps a password protocol that is secure for a single
  protocol session (a~decidable problem) to a protocol that is secure for an
  unbounded number of sessions. Our result provides an effective strategy to
  design secure password protocols: (i)~design a protocol intended to be
  secure for one protocol session; (ii)~apply our transformation and obtain a
  protocol which is secure for an unbounded number of sessions. Our technique
  also applies to compose different password protocols allowing us to obtain
  both inter-protocol and inter-session composition.}
}
@incollection{FLS-fosad11,
  noaddress = {},
  month = sep,
  year = 2011,
  volume = 6858,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Aldini, Alessandro and Gorrieri, Roberto},
  acronym = {{FOSAD}'{VI}},
  booktitle = {{F}oundations of {S}ecurity {A}nalysis and {D}esign~-- {FOSAD}
                  {T}utorial {L}ectures ({FOSAD}'{VI})},
  author = {Focardi, Riccardo and Luccio, Flaminia L. and Steel, Graham},
  title = {An Introduction to Security {API} Analysis},
  pages = {35-65},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/FLS-fosad11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/FLS-fosad11.pdf},
  doi = {10.1007/978-3-642-23082-0_2},
  abstract = {A~security API is an Application Program Interface that allows
    untrusted code to access sensitive resources in a secure way. Examples of
    security APIs include the interface between the tamper-resistant chip on a
    smartcard (trusted) and the card reader (untrusted), the~interface between
    a~cryptographic Hardware Security Module, or~HSM (trusted) and the client
    machine (untrusted), and the Google maps API (an~interface between a
    server, trusted by Google, and the rest of the Internet).}
}
@inproceedings{CCD-ccs11,
  address = {Chicago, Illinois, USA},
  month = oct,
  year = 2011,
  publisher = {ACM Press},
  editor = {Chen, Yan and Danezis, George and Shmatikov, Vitaly},
  acronym = {{CCS}'11},
  booktitle = {{P}roceedings of the 18th {ACM} {C}onference
               on {C}omputer and {C}ommunications {S}ecurity
               ({CCS}'11)},
  author = {Cheval, Vincent and Comon{-}Lundh, Hubert and 
   	    	Delaune, St{\'e}phanie},
  title = {Trace Equivalence Decision: Negative Tests and Non-determinism},
  pages = {321--330},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ccs11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-ccs11.pdf},
  doi = {10.1145/2046707.2046744},
  abstract = {We consider security properties of cryptographic protocols that
    can be modeled using the notion of trace equivalence. The notion of
    equivalence is crucial when specifying privacy-type properties, like
    anonymity, vote-privacy, and unlinkability.\par
    In this paper, we give a calculus that is close to the applied pi calculus
    and that allows one to capture most existing protocols that rely on
    classical cryptographic primitives. First, we propose a symbolic semantics
    for our calculus relying on constraint systems to represent infinite sets
    of possible traces, and we reduce the decidability of trace equivalence to
    deciding a notion of symbolic equivalence between sets of constraint
    systems. Second, we develop an algorithm allowing us to decide whether two
    sets of constraint systems are in symbolic equivalence or not. Altogether,
    this yields the first decidability result of trace equivalence for a
    general class of processes that may involve else branches and\slash or private
    channels (for a bounded number of sessions).}
}
@inproceedings{SC-unif11,
  address = {Wroc{\l}aw, Poland},
  month = jul,
  year = 2011,
  editor = {Baader, Franz},
  acronym = {{UNIF}'11},
  booktitle = {{P}roceedings of the 25th {I}nternational
               {W}orkshop on {U}nification
               ({UNIF}'11)},
  author = {Ciob{\^a}c{\u{a}}, {\c{S}}tefan},
  title = {Computing finite variants for subterm convergent rewrite systems},
  nopages = {},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-unif11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/SC-unif11.pdf},
  abstract = {Driven by an application in the verification of security
    protocols, we introduce the strong finite variant property, an extension
    of the finite variant property, and we show that subterm convergent
    rewrite systems enjoy the strong finite variant property modulo the empty
    equational theory.\par
    We argue that the strong finite variant property is more natural and more
    useful in practice than the finite variant property. We also compare the
    two properties and we provide a prototype implementation of an algorithm
    that computes a finite strongly complete set of variants for any term t
    with respect to a subterm convergent rewrite system.}
}
@inproceedings{CKVAK-qest11,
  address = {Aachen, Germany},
  month = sep,
  year = 2011,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{QEST}'11},
  booktitle = {{P}roceedings of the 8th {I}nternational
               {C}onference on {Q}uantitative 
               {E}valuation of {S}ystems
               ({QEST}'11)},
  author = {Chadha, Rohit and Korthikranthi, Vijay and Viswanathan,
                  Mahesh and Agha, Gul and Kwon, Youngmin},
  title = {Model Checking {MDP}s with a Unique Compact Invariant Set of
                  Distributions},
  pages = {121--130},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CKVAK-qest11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CKVAK-qest11.pdf},
  doi = {10.1109/QEST.2011.22},
  abstract = {The semantics of Markov Decision Processes (MDPs), when viewed
    as transformers of probability distributions, can be described as a labeled
    transition system over the probability distributions over the states of
    the MDP. The MDP can be seen as defining a set of executions, where each
    execution is a sequence of probability distributions. Reasoning about
    sequences of distributions allows one to express properties not
    expressible in logics like PCTL; examples include expressing bounds on
    transient rewards and expected values of random variables, as well as
    comparing the probability of being in one set of states at a given time
    with another set of states. With respect to such a semantics, the problem
    of checking that the MDP never reaches a bad distribution is undecidable.
    In this paper, we identify a special class of MDPs called
    \emph{semi-regular} MDPs that have a unique non-empty, compact, invariant
    set of distributions, for which we show that checking any
    \(\omega\)-regular property is decidable. Our decidability result also
    implies that for semi-regular probabilistic finite automata with isolated
    cut-points, the emptiness problem is decidable.}
}
@inproceedings{benzina-iccans11,
  address = {Republic of Maldives},
  month = may,
  year = 2011,
  noeditor = {},
  acronym = {{ICCANS}'11},
  booktitle = {{P}roceedings of the {I}nternational {C}onference on {C}omputer {A}pplications 
            and {N}etwork {S}ecurity ({ICCANS}'11)},
  author = {Benzina, Hedi},
  title = {Logic in Virtualized Systems},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iccans11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iccans11.pdf},
  abstract = {As virtualized systems grow in complexity, they are
                  increasingly vulnerable to denial-of-service (DoS)
                  attacks involving resource exhaustion. A malicious
                  driver downloaded and installed by the system
                  administrator can trigger high-complexity behavior
                  exhausting CPU time or stack space and making the
                  whole system unavailable. Virtualized systems such
                  as Xen or VirtualBox have been proposed to increase
                  the level of security on computers. On the other
                  hand, such virtualized systems are now targets for
                  attacks. The weak spot of such systems is domain
                  zero administration, which is left entirely under
                  the administrator's responsibility, and is in
                  particular vulnerable to attacks.  \par
                  We propose to let
                  the administrator write and deploy security policies
                  and rely on RuleGen, a policy compiler, and Orchids'
                  fast, real-time monitoring engine to raise alerts in
                  case any policy violation, expressed in a fragment
                  of linear temporal logic, is detected. This approach
                  has shown its efficiency against real DoS exploits.
                  }
}
@incollection{CDM-fmtasp11,
  author = {Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie and Millen, Jonathan K.},
  title = {Constraint solving techniques and enriching the model with
  		equational theories},
  booktitle = {Formal Models and Techniques for Analyzing Security Protocols},
  editor = {Cortier, V{\'e}ronique and Kremer, Steve},
  series = {Cryptology and Information Security Series},
  volume = 5,
  publisher = {{IOS} Press},
  nochapter = {},
  pages = {35--61},
  year = 2011,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDM-fmtasp11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDM-fmtasp11.pdf},
  abstract = {Derivability constraints represent in a symbolic way the
    infinite set of possible executions of a finite protocol, in presence of
    an arbitrary active attacker. Solving a derivability constraint consists
    in computing a simplified representation of such executions, which is
    amenable to the verification of any (trace) security property. Our goal is
    to explain this method on a non-trivial combination of primitives.\par
    In this chapter we explain how to model the protocol executions using
    derivability constraints, and how such constraints are interpreted,
    depending on the cryptographic primitives and the assumed attacker
    capabilities. Such capabilities are represented as a deduction system that
    has some specific properties. We choose as an example the combination of
    exclusive-or, symmetric encryption{\slash}decryption and pairing{\slash}unpairing. We
    explain the properties of the deduction system in this case and give a
    complete and terminating set of rules that solves derivability
    constraints. A similar set of rules has been already published for the
    classical Dolev-Yao attacker, but it is a new result for the combination
    of primitives that we consider. This allows one to decide trace security
    properties for this combination of primitives and arbitrary finite
    protocols.}
}
@inproceedings{ACD-cade11,
  address = {Wroc{\l}aw, Poland},
  month = jul,
  year = 2011,
  volume = {6803},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Bj{\o}rner, Nikolaj and Sofronie-Stokkermans, Viorica},
  acronym = {{CADE}'11},
  booktitle = {{P}roceedings of the 23rd {I}nternational 
               {C}onference on {A}utomated {D}eduction
               ({CADE}'11)},
  author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune,
  	 	St{\'e}phanie},
  title = {Deciding security for protocols with recursive tests},
  pages = {49--63},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-cade11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-cade11.pdf},
  doi = {10.1007/978-3-642-22438-6_6},
  abstract = {Security protocols aim at securing communications over public
    networks. Their design is notoriously difficult and error-prone. Formal
    methods have shown their usefulness for providing a careful security
    analysis in the case of standard authentication and confidentiality
    protocols. However, most current techniques do not apply to protocols that
    perform recursive computation e.g. on a list of messages received from the
    network.\par
    While considering general recursive input{\slash}output actions very quickly
    yields undecidability, we focus on protocols that perform recursive tests
    on received messages but output messages that depend on the inputs in a
    standard way. This is in particular the case of secured routing protocols,
    distributed right delegation or PKI certification paths. We provide NPTIME
    decision procedures for protocols with recursive tests and for a bounded
    number of sessions. We also revisit constraint system solving, providing a
    complete symbolic representation of the attacker knowledge.}
}
@inproceedings{KSW-csf11,
  address = {Cernay-la-Ville, France},
  month = jun,
  year = 2011,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'11},
  booktitle = {{P}roceedings of the 
               24th {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'11)},
  author = {Kremer, Steve and Steel, Graham and Warinschi, Bogdan},
  title = {Security for Key Management Interfaces},
  pages = {266--280},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/KSW-csf11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KSW-csf11.pdf},
  nolongps = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PS/
        rr-lsv-2011-07.ps},
  nolongpsgz = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PSGZ/
        rr-lsv-2011-07.ps.gz},
  doi = {10.1109/CSF.2011.25},
  abstract = {We propose a much-needed formal definition of security
                  for cryptographic key management APIs. The
                  advantages of our definition are that it is general,
                  intuitive, and applicable to security proofs in both
                  symbolic and computational models of
                  cryptography. Our definition relies on an idealized
                  API which allows only the most essential functions
                  for generating, exporting and importing keys, and
                  takes into account dynamic corruption of keys.
                  Based on this we can define the security of more
                  expressive APIs which support richer
                  functionality. We illustrate our approach by showing
                  the security of APIs both in symbolic and
                  computational models.}
}
@inproceedings{DKRS-csf11,
  address = {Cernay-la-Ville, France},
  month = jun,
  year = 2011,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'11},
  booktitle = {{P}roceedings of the 
               24th {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'11)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and Ryan, Mark D. and
  	 	Steel, Graham},
  title = {Formal analysis of protocols based on {TPM} state registers},
  pages = {66--82},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-csf11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKRS-csf11.pdf},
  doi = {10.1109/CSF.2011.12},
  abstract = {We~present a Horn-clause-based framework for analysing security
    protocols that use platform configuration registers~(PCRs), which are
    registers for maintaining state inside the Trusted Platform Module~(TPM).
    In~our model, the~PCR state space is unbounded, and our experience shows
    that a na{\"i}ve analysis using ProVerif or SPASS does not terminate. To
    address this, we extract a set of instances of the Horn clauses of our
    model, for which ProVerif does terminate on our examples. We~prove the
    soundness of this extraction process: no~attacks are lost, that~is, any
    query derivable in the more general set of clauses is also derivable from
    the extracted instances. The~effectiveness of our framework is
    demonstrated in two case studies: a~simplified version of Microsoft
    Bitlocker, and a digital envelope protocol that allows a user to choose
    whether to perform a decryption, or to verifiably renounce the ability to
    perform the decryption.}
}
@inproceedings{CLC-stacs11,
  address = {Dortmund, Germany},
  month = mar,
  year = 2011,
  volume = 9,
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {D{\"u}rr, Christoph and Schwentick, {\relax Th}omas},
  acronym = {{STACS}'11},
  booktitle = {{P}roceedings of the 28th {A}nnual
               {S}ymposium on {T}heoretical {A}spects of
               {C}omputer {S}cience
               ({STACS}'11)},
  author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique},
  title = {How to prove security of communication protocols? 
                   A~discussion on the soundness of formal models w.r.t. computational ones},
  pages = {29--44},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CLC-stacs11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CLC-stacs11.pdf},
  doi = {10.4230/LIPIcs.STACS.2011.29},
  abstract = {Security protocols are short programs that aim at
                  securing communication over a public network. Their
                  design is known to be error-prone with flaws found
                  years later. That is why they deserve a careful
                  security analysis, with rigorous proofs. Two main
                  lines of research have been (independently)
                  developed to analyse the security of protocols. On
                  the one hand, formal methods provide symbolic
                  models and often automatic proofs. On the other
                  hand, cryptographic models propose a tighter
                  modeling but proofs are more difficult to write and
                  to check. An approach developed during the last
                  decade consists in bridging the two approaches,
                  showing that symbolic models are sound
                  w.r.t. symbolic ones, yielding strong security
                  guarantees using automatic tools. These results have
                  been developed for several cryptographic primitives
                  (e.g. symmetric and asymmetric encryption,
                  signatures, hash) and security properties. While
                  proving soundness of symbolic models is a very
                  promising approach, several technical details are
                  often not satisfactory. Focusing on symmetric
                  encryption, we describe the difficulties and
                  limitations of the available results.}
}
@phdthesis{kremer-HDR11,
  author = {Kremer, Steve},
  title = {Modelling and analyzing security protocols in cryptographic process calculi},
  year = 2011,
  month = mar,
  type = {M{\'e}moire d'habilitation},
  school = {{\'E}cole Normale Sup{\'e}rieure de Cachan, France},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SK.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SK.pdf},
  noslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/}
}
@phdthesis{steel-HDR11,
  author = {Steel, Graham},
  title = {Formal Analysis of Security {API}s},
  year = 2011,
  month = mar,
  type = {M{\'e}moire d'habilitation},
  school = {{\'E}cole Normale Sup{\'e}rieure de Cachan, France},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-GS.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-GS.pdf},
  noslides = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/SLIDES/}
}
@phdthesis{delaune-HDR11,
  author = {Delaune, St{\'e}phanie},
  title = {Verification of security protocols: from confidentiality to privacy},
  year = 2011,
  month = mar,
  type = {M{\'e}moire d'habilitation},
  school = {{\'E}cole Normale Sup{\'e}rieure de Cachan, France},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SD.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/hdr-SD.pdf},
  abstract = {Security is a very old concern, which until quite recently was
    mostly of interest for military purposes. The deployment of electronic
    commerce changes this drastically. The security of exchanges is ensured by
    cryptographic protocols which are notoriously error prone. The formal
    verification of cryptographic protocols is a difficult problem that can be
    seen as a particular model-checking problem in a hostile environment.
    Many results and tools have been developed to automatically verify
    cryptographic protocols.\par
    Recently, new types of applications have emerged, in order to face new
    technological and societal challenges, e.g. electronic voting protocols,
    secure routing protocols for mobile ad hoc networks,~... These
    applications involve some features that are not taken into account by the
    existing verification tools, e.g. complex cryptographic primitives,
    privacy-type security properties,~... This prevents us from modelling
    these protocols in an accurate way. Moreover, protocols are often analysed
    in isolation and this is well-known to be not sufficient. In this thesis,
    we use formal methods to study these aspects concerning the verification
    of cryptographic protocols.}
}
@inproceedings{ACGP-rsa11,
  address = {San Francisco, California, USA},
  month = feb,
  year = 2011,
  volume = 6558,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Kiayias, Aggelos},
  acronym = {{CT-RSA}'11},
  booktitle = {{P}roceedings of the {C}ryptographers' {T}rack at the {RSA}
                  {C}onference 2011 ({CT-RSA}'11)},
  author = {Abdalla, Michel and Chevalier, C{\'e}line and Granboulan, Louis and
            Pointcheval, David},
  title = {Contributory Password-Authenticated Group Key Exchange with
        Join Capability},
  pages = {142--160},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACGP-rsa11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACGP-rsa11.pdf},
  doi = {10.1007/978-3-642-19074-2_11},
  abstract = {Password-based authenticated group key exchange allows any group
    of users in possession of a low-entropy secret key to establish a common
    session key even in the presence of adversaries. In this paper, we propose
    a new generic construction of password-authenticated group key exchange
    protocol from any two-party password-authenticated key exchange with
    explicit authentication. Our new construction has several advantages when
    compared to existing solutions. First, our construction only assumes a
    common reference string and does not rely on any idealized models. Second,
    our scheme enjoys a simple and intuitive security proof in the universally
    composable framework and is optimal in the sense that it allows at most
    one password test per user instance. Third, our scheme also achieves a
    strong notion of security against insiders in that the adversary cannot
    bias the distribution of the session key as long as one of the players
    involved in the protocol is honest. Finally, we show how to easily extend
    our protocol to the dynamic case in a way that the costs of establishing a
    common key between two existing groups is significantly smaller than
    computing a common key from scratch.}
}
@inproceedings{GLV-lics2011,
  address = {Toronto, Canada},
  month = jun,
  year = 2011,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{LICS}'11},
  booktitle = {{P}roceedings of the 26th
               {A}nnual {IEEE} {S}ymposium on
               {L}ogic in {C}omputer {S}cience
               ({LICS}'11)},
  author = {Goubault{-}Larrecq, Jean and Varacca, Daniele},
  title = {Continuous Random Variables},
  pages = {97--106},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLV-lics2011.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLV-lics2011.pdf},
  corrigendumpdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLV-lics2011-errata.pdf},
  doi = {10.1109/LICS.2011.23},
  abstract = {We introduce the domain of continuous random variables (CRV)
    over a domain, as an alternative to Jones and Plotkin's probabilistic
    powerdomain. While no known Cartesian-closed category is stable under the
    latter, we show that the so-called thin (uniform) CRVs define a strong
    monad on the Cartesian-closed category of bc-domains. We also characterize
    their inequational theory, as (fair-)coin algebras. We apply this to solve
    a recent problem posed by M. Escard{\'o}: testing is semi-decidable for
    EPCF terms. CRVs arose from the study of the second author's (layered)
    Hoare indexed valuations, and we also make the connection apparent.}
}
@book{CK-ios2011,
  editor = {Cortier, V{\'e}ronique and Kremer, Steve},
  title = {Formal Models and Techniques for Analyzing Security Protocols},
  publisher = {{IOS} Press},
  year = {2011},
  series = {Cryptology and Information Security Series},
  volume = 5,
  url = {http://www.iospress.nl/loadtop/load.php?isbn=9781607507130}
}
@inproceedings{DDS-tosca11,
  address = {Saarbr{\"u}cken, Germany},
  month = jan,
  year = 2012,
  volume = 6993,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {M{\"o}dersheim, Sebastian A. and Palamidessi, Catuscia},
  acronym = {{TOSCA}'11},
  booktitle = {{R}evised {S}elected {P}apers of the {W}orkshop on {T}heory of {S}ecurity and
                  {A}pplications ({TOSCA}'11)},
  author = {Dahl, Morten and Delaune, St{\'e}phanie and Steel, Graham},
  title = {Formal Analysis of Privacy for Anonymous Location Based Services},
  pages = {98--112},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-tosca11.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DDS-tosca11.pdf},
  doi = {10.1007/978-3-642-27375-9_6},
  abstract = {We propose a framework for formal analysis of privacy in
    location based services such as anonymous electronic toll collection. We
    give a formal definition of privacy, and apply it to the VPriv scheme for
    vehicular services. We analyse the resulting model using the ProVerif
    tool, concluding that our privacy property holds only if certain
    conditions are met by the implementation. Our analysis includes some novel
    features such as the formal modelling of privacy for a protocol that
    relies on interactive zero-knowledge proofs of knowledge and list
    permutations. }
}
@article{JGL-jyg10,
  publisher = {Elsevier Science Publishers},
  journal = {Theoretical Computer Science},
  author = {Goubault{-}Larrecq, Jean},
  title = {Musings Around the Geometry of Interaction, and Coherence},
  volume = 412,
  number = 20,
  pages = {1998--2014},
  year = 2011,
  month = apr,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/jgl-jyg10.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/jgl-jyg10.pdf},
  doi = {10.1016/j.tcs.2010.12.023},
  abstract = {We introduce the Danos-R{\'e}gnier category \(\mathcal{DR}(M)\)
    of a linear inverse monoid~\(M\), as~a categorical description of
    geometries of interaction~(GOI) inspired from the weight algebra. The
    natural setting for GOI is that of a so-called weakly Cantorian linear
    inverse monoid, in which case \(\mathcal{DR}(M)\) is a kind of symmetrized
    version of the classical Abramsky-Haghverdi-Scott construction of a weak
    linear category from a GOI situation. It is well-known that GOI is
    perfectly suited to describe the multiplicative fragment of linear logic,
    and indeed \(\mathcal{DR}(M)\) will be a \(\star\)-autonomous category in
    this case. It is also well-known that the categorical interpretation of
    the other linear connectives conflicts with GOI interpretations. We make
    this precise, and show that \(\mathcal{DR}(M)\) has no terminal object, no
    cartesian product of any two objects, and no exponential---whatever
    \(M\)~is, unless \(M\)~is trivial. However, a form of coherence completion
    of \(\mathcal{DR}(M)\) \textit{{\`a} la} Hu-Joyal (which for additives
    resembles a layered approach \textit{{\`a} la} Hughes-van Glabbeek),
    provides a model of full classical linear logic, as soon as \(M\) is
    weakly Cantorian. One finally notes that Girard's notion of \emph{coherence} is
    pervasive, and instrumental in every aspect of this work.}
}
@inproceedings{CU-fsttcs12,
  address = {Hyderabad, India},
  month = dec,
  year = 2012,
  volume = 18,
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {D'Souza, Deepak and Radhakrishnan, Jaikumar and Telikepalli, Kavitha},
  acronym = {{FSTTCS}'12},
  booktitle = {{P}roceedings of the 32nd {C}onference on
               {F}oundations of {S}oftware {T}echnology and
               {T}heoretical {C}omputer {S}cience
               ({FSTTCS}'12)},
  author = {Chadha, Rohit and Ummels, Michael},
  title = {The complexity of quantitative information flow in recursive
                  programs},
  pages = {534--545},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-15.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-15.pdf},
  doi = {10.4230/LIPIcs.FSTTCS.2012.534},
  abstract = {Information-theoretic measures based upon mutual information can
    be employed to quantify the information that an \emph{execution} of a
    program reveals about its \emph{secret inputs}. The \emph{information
    leakage bounding problem} asks whether the information leaked by a program
    does not exceed a certain amount. We consider this problem for two
    scenarios: a)~the \emph{outputs} of the program are revealed, and b)~the
    \emph{timing} (measured in the number of execution steps) of the program
    is revealed. For both scenarios, we establish complexity results in the
    context of deterministic boolean programs, both for programs with and
    without recursion. In particular, we prove that for recursive programs the
    information leakage bounding problem is no harder than checking
    reachability.}
}
@inproceedings{CB-post13,
  address = {Rome, Italy},
  month = mar,
  year = 2013,
  volume = {7796},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Basin,  David  and Mitchell, John},
  acronym = {{POST}'13},
  booktitle = {{P}roceedings of the 2nd {I}nternational {C}onference on
  	   {P}rinciples of {S}ecurity and {T}rust 
           ({POST}'13)},
  author = {Cheval, Vincent and Blanchet, Bruno},
  title = {Proving More Observational Equivalences with ProVerif},
  pages = {226--246},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CB-post13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CB-post13.pdf},
  doi = {10.1007/978-3-642-36830-1_12},
  abstract = {This paper presents an extension of the automatic protocol
                  verifier ProVerif in order to prove more observational
                  equivalences. ProVerif can prove observational equivalence
                  between processes that have the same structure but differ by
                  the messages they contain. In order to extend the class of
                  equivalences that ProVerif handles, we extend the language
                  of terms by defining more functions (destructors) by rewrite
                  rules. In particular, we allow rewrite rules with
                  inequalities as side-conditions, so that we can express
                  tests {"}if then else{"} inside terms. Finally,
                  we provide an automatic procedure that translates a process
                  into an equivalent process that performs as many actions as
                  possible inside terms, to allow ProVerif to prove the
                  desired equivalence. These extensions have been implemented
                  in ProVerif and allow us to automatically prove anonymity in
                  the private authentication protocol by Abadi and Fournet.}
}
@inproceedings{CD-post13,
  address = {Rome, Italy},
  month = mar,
  year = 2013,
  volume = {7796},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Basin,  David  and Mitchell, John},
  acronym = {{POST}'13},
  booktitle = {{P}roceedings of the 2nd {I}nternational {C}onference on
  	   {P}rinciples of {S}ecurity and {T}rust 
           ({POST}'13)},
  author = {Chr{\'e}tien, R{\'e}my and Delaune, St{\'e}phanie},
  title = {Formal analysis of privacy for routing protocols in mobile ad~hoc networks},
  pages = {1--20},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-post13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-post13.pdf},
  doi = {10.1007/978-3-642-36830-1_1},
  abstract = {Routing protocols aim at establishing a route between
                  distant nodes in ad hoc networks. Secured versions
                  of routing protocols have been proposed to provide
                  more guarantees on the resulting routes, and some of
                  them have been designed to protect the privacy of
                  the users. In this paper, we propose a framework for
                  analysing privacy-type properties for routing
                  protocols. We use a variant of the applied-pi
                  calculus as our basic modelling formalism.  More
                  precisely, using the notion of equivalence between
                  traces, we formalise three security properties
                  related to privacy, namely indistinguishability,
                  unlinkability, and anonymity. We study the
                  relationship between these definitions and we
                  illustrate them using two versions of the ANODR
                  routing protocol.}
}
@phdthesis{benzina-phd2012,
  author = {Benzina, Hedi},
  title = {Enforcing Virtualized Systems Security},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2012,
  month = dec,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-these12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-these12.pdf}
}
@mastersthesis{m2-chretien,
  author = {Chr{\'e}tien, R{\'e}my},
  title = {Trace equivalence of protocols for an unbounded number of sessions},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = {2012},
  month = sep,
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-22.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2012-22.pdf},
  note = {30~pages},
  abstract = {The problem of deciding reachability for cryptographic protocols
    has been thoroughly studied for an unbounded number of sessions and proven
    to be undecidable in general. Nevertheless some fragments were shown to be
    decidable, either by tagging or by restricting the number of blind-copies.
    On the other hand, trace equivalence has only been proven to be decidable
    for a bounded number of sessions. The objective of this talk is to provide
    the first results of decidability of trace equivalence for an unbounded
    number of sessions by lifting the approach followed by Comon-Lundh and
    Cortier to trace equivalence.\par
    Trace equivalence for a first class of protocols was shown undecidable
    under scarce restrictions: one variable and symmetric encryption are indeed
    enough. Consequently, we restrained our class of protocols a step further
    by making the protocols deterministic in some sense and preventing them from
    disclosing secret keys. This tighter class of protocols was then shown to
    be decidable after reduction to an equivalence between deterministic
    pushdown automata.}
}
@phdthesis{cheval-phd2012,
  author = {Cheval, Vincent},
  title = {Automatic verification of cryptographic protocols: privacy-type properties},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2012,
  month = dec,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/cheval-these12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/cheval-these12.pdf}
}
@techreport{AGL-arxiv12,
  author = {Adj{\'e}, Assal{\'e} and Goubault{-}Larrecq, Jean},
  title = {Concrete Semantics of Programs with Non-Deterministic and
                  Random Inputs},
  year = {2012},
  month = oct,
  type = {Research Report},
  institution = {Computing Research Repository},
  number = {cs.LO/1210.2605},
  url = {http://arxiv.org/abs/1210.2605},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/AGL-arxiv12.pdf},
  originalpdf = {http://arxiv.org/pdf/1210.2605},
  note = {19~pages},
  abstract = {This document gives semantics to programs written in a C-like
    programming language, featuring interactions with an external environment
    with noisy and imprecise data.}
}
@inproceedings{KS-stm12,
  address = {Pisa, Italy},
  month = sep,
  year = 2012,
  volume = 7783,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {J{\o}sang, Audun and Samarati, Pierangela and Petrocchi, Marinella},
  acronym = {{STM}'12},
  booktitle = {{R}evised {S}elected {P}apers of the 8th {W}orkshop
           on {S}ecurity and {T}rust {M}anagement
           ({STM}'12)},
  author = {K{\"u}nnemann, Robert and Steel, Graham},
  title = {{Y}ubi{S}ecure? Formal Security Analysis Results for the
  	  		   {Y}ubikey and {Y}ubi{HSM}},
  pages = {257-272},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/KS-stm12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KS-stm12.pdf},
  doi = {10.1007/978-3-642-38004-4_17},
  abstract = {The Yubikey is a small hardware device designed to authenticate
    a user against network-based services. Despite its widespread adoption
    (over a million devices have been shipped by Yubico to more than 20~000
    customers including Google and Microsoft), the Yubikey protocols have
    received relatively little security analysis in the academic literature.
    In the first part of this paper, we give a formal model for the operation
    of the Yubikey one-time password (OTP) protocol. We prove security
    properties of the protocol for an unbounded number of fresh OTPs using a
    protocol analysis tool, tamarin.\par
    In the second part of the paper, we analyze the security of the protocol
    with respect to an adversary that has temporary access to the
    authentication server. To address this scenario, Yubico offers a small
    Hardware Security Module (HSM) called the YubiHSM, intended to protect
    keys even in the event of server compromise. We show if the same YubiHSM
    configuration is used both to set up Yubikeys and run the authentication
    protocol, then there is inevitably an attack that leaks all of the keys to
    the attacker. Our discovery of this attack led to a Yubico security
    advisory in February 2012. For the case where separate servers are used
    for the two tasks, we give a configuration for which we can show using the
    same verification tool that if an adversary that can compromise the server
    running the Yubikey-protocol, but not the server used to set up new
    Yubikeys, then he cannot obtain the keys used to produce one-time
    passwords.}
}
@inproceedings{BFKSST-crypto12,
  address = {Santa Barbara, California, USA},
  month = aug,
  year = 2012,
  volume = 7417,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Safavi-Naini, Reihaneh and Canetti, Ran},
  acronym = {{CRYPTO}'12},
  booktitle = {{P}roceedings of the 32nd {A}nnual {I}nternational 
		  {C}ryptology {C}onference ({CRYPTO}'12)},
  author = {Bardou, Romain and Focardi, Riccardo and Kawamoto, Yusuke and
                  Simionato, Lorenzo and Steel, Graham and Tsay, Joe-Kai},
  title = {Efficient Padding Oracle Attacks on Cryptographic Hardware},
  pages = {608-625},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BFKSST-crypto12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BFKSST-crypto12.pdf},
  doi = {10.1007/978-3-642-32009-5_36},
  abstract = {We show how to exploit the encrypted key import functions of a
    variety of different cryptographic devices to reveal the imported key. The
    attacks are padding oracle attacks, where error messages resulting from
    incorrectly padded plaintexts are used as a side channel. In the
    asymmetric encryption case, we modify and improve Bleichenbacher's attack
    on RSA PKCS\#1v1.5 padding, giving new cryptanalysis that allows us to
    carry out the 'million message attack' in a mean of 49 000 and median of
    14 500 oracle calls in the case of cracking an unknown valid ciphertext
    under a 1024 bit key (the original algorithm takes a mean of 215 000 and a
    median of 163 000 in the same case). We show how implementation details of
    certain devices admit an attack that requires only 9 400 operations on
    average (3 800 median). For the symmetric case, we adapt Vaudenay's CBC
    attack, which is already highly efficient. We demonstrate the
    vulnerabilities on a number of commercially available cryptographic
    devices, including security tokens, smartcards and the Estonian electronic
    ID card. The attacks are efficient enough to be practical: we give timing
    details for all the devices found to be vulnerable, showing how our
    optimisations make a qualitative difference to the practicality of the
    attack. We give mathematical analysis of the effectiveness of the attacks,
    extensive empirical results, and a discussion of countermeasures.}
}
@article{AGG-lmcs12,
  journal = {Logical Methods in Computer Science},
  author = {Adj{\'e}, Assal{\'e} and Gaubert, St{\'e}phane and Goubault,
                  {\'E}ric},
  title = {Coupling policy iteration with semi-definite relaxation to compute
                  accurate numerical invariants in static analysis},
  year = 2012,
  month = jan,
  volume = {8},
  number = {1:1},
  nopages = {},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/AGG-lmcs12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/AGG-lmcs12.pdf},
  doi = {10.2168/LMCS-8(1:01)2012},
  abstract = {We introduce a new domain for finding precise numerical
    invariants of programs by abstract interpretation. This domain, which
    consists of level sets of non-linear functions, generalizes the domain of
    linear {"}templates{"} introduced by Manna, Sankaranarayanan, and Sipma.
    In the case of quadratic templates, we use Shor's semi-definite relaxation
    to derive computable yet precise abstractions of semantic functionals, and
    we show that the abstract fixpoint equation can be solved accurately by
    coupling policy iteration and semi-definite programming. We demonstrate
    the interest of our approach on a series of examples (filters, integration
    schemes) including a degenerate one (symplectic scheme).}
}
@inproceedings{IL-pairing12,
  address = {Cologne, Germany},
  month = may,
  year = 2012,
  volume = 7708,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Abdalla, Michel and Lange, Tanja},
  acronym = {{PAIRING}'12},
  booktitle = {{P}roceedings of the 5th {I}nternational
           {C}onference on {P}airing-Based {C}ryptography
	   ({PAIRING}'12)},
  author = {Izabach{\`e}ne, Malika and Libert, Beno{\^\i}t},
  title = {Divisible E-Cash in the Standard Model},
  pages = {314-332},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/IL-pairing12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/IL-pairing12.pdf},
  doi = {10.1007/978-3-642-36334-4_20},
  abstract = {Off-line e-cash systems are the digital analogue of regular
    cash. One of the main desirable properties is anonymity: spending a coin
    should not reveal the identity of the spender and, at the same time, users
    should not be able to double-spend coins without being detected. Compact
    e-cash systems make it possible to store a wallet of \(O(2^{L})\) coins
    using \(O(L + \lambda)\) bits, where \(\lambda\) is the security
    parameter. They are called \emph{divisible} whenever the user has the
    flexibility of spending an amount of~\(2^{\ell}\), for some \(\ell\leq
    L\), more efficiently than by repeatedly spending individual coins. This
    paper presents the first construction of divisible e-cash in the standard
    model (i.e., without the random oracle heuristic). The scheme allows a
    user to obtain a wallet of~\(2^{L}\) coins by running a withdrawal
    protocol with the bank. Our construction is built on the traditional
    binary tree approach, where the wallet is organized in such a way that the
    monetary value of a coin depends on how deep the coin is in the tree.}
}
@inproceedings{benzina-dictap12,
  address = {Bangkok, Thailand},
  month = may,
  year = 2012,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{DICTAP}'12},
  booktitle = {{P}roceedings of the 2nd {I}nternational {C}onference on {D}igital 
  	    {I}nformation and {C}ommunication {T}echnology and its
                  {A}pplication ({DICTAP}'12)},
  author = {Benzina, Hedi},
  title = {Towards Designing Secure Virtualized Systems},
  pages = {250-255},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/HB-dictap12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/HB-dictap12.pdf},
  doi = {10.1109/DICTAP.2012.6215385},
  abstract = {Virtual machine technology is rapidly gaining acceptance as a
    fundamental building block in enterprise data centers. It is most known
    for improving efficiency and ease of management. However, it also provides
    a compelling approach to enhancing system security, offering new ways to
    rearchitect today's systems and opening the door for a wide range of future
    security technologies. While this technology is meant to enhance the
    security of computer systems, some recent attacks show that virtual
    machine technology has many weaknesses and becomes exposed to many
    security threats. In this paper we present some of these threats and show
    how we protect these systems through intrusion detection and security
    policies mechanisms.}
}
@inproceedings{ACD-csf12,
  address = {Cambridge Massachusetts, USA},
  month = jun,
  year = 2012,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'12},
  booktitle = {{P}roceedings of the 
               25th {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'12)},
  author = {Arapinis, Myrto and Cheval, Vincent and Delaune, St{\'e}phanie},
  title = {Verifying privacy-type properties in a modular way},
  pages = {95-109},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-csf12.pdf},
  doi = {10.1109/CSF.2012.16},
  abstract = {Formal methods have proved their usefulness for analysing the
    security of protocols. In this setting, privacy-type security properties
    (e.g. vote-privacy, anonymity, unlinkability) that play an important role
    in many modern applications are formalised using a notion of
    equivalence.\par
    In this paper, we study the notion of trace equivalence and we show how to
    establish such an equivalence relation in a modular way. It is well-known
    that composition works well when the processes do not share secrets.
    However, there is no result allowing us to compose processes that rely on
    some shared secrets such as long term keys. We show that composition works
    even when the processes share secrets provided that they satisfy some
    reasonable conditions. Our composition result allows us to prove various
    equivalence-based properties in a modular way, and works in a quite
    general setting. In particular, we consider arbitrary cryptographic
    primitives and processes that use non-trivial else branches.\par
    As an example, we consider the ICAO e-passport standard, and we show how
    the privacy guarantees of the whole application can be derived from the
    privacy guarantees of its sub-protocols.}
}
@inproceedings{benzina-iscc12,
  address = {Nev{\c{s}}ehir, Turkey},
  month = jul,
  year = 2012,
  publisher = {{IEEE} Computer Society Press},
  noeditor = {},
  acronym = {{ISCC}'12},
  booktitle = {{P}roceedings of the 17th {IEEE} {S}ymposium on {C}omputers and
		{C}ommunications ({ISCC}'12)},
  author = {Benzina, Hedi},
  title = {A~Network Policy Model for Virtualized Systems},
  pages = {680-683},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iscc12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/benzina-iscc12.pdf},
  doi = {10.1109/ISCC.2012.6249376},
  abstract = {Modern hypervisors offer the ability to build virtual networks
    between virtual machines. These networks are very useful in both personal
    and professional activities since they offer the same opportunities as
    physical networks, but in a much lower cost in terms of hardware and time.
    On the other hand, these networks are facing many security threats due to
    the absence of rigorous security policies that protect the sensitive
    resources of the network. In this paper, we propose a multilevel security
    policy model for these networks; this policy covers not only network
    operations, but also operations related to the management of the virtual
    architecture.}
}
@inproceedings{DKP-ijcar12,
  address = {Manchester, UK},
  month = jun,
  year = 2012,
  volume = {7364},
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer-Verlag},
  editor = {Gramlich, Bernhard and Miller, Dale and Sattler, Uli},
  acronym = {{IJCAR}'12},
  booktitle = {{P}roceedings of the 6th {I}nternational {J}oint
           {C}onference on {A}utomated {R}easoning
           ({IJCAR}'12)},
  author = {Delaune, St{\'e}phanie and Kremer, Steve and Pasail{\u{a}}, Daniel},
  title = {Security protocols, constraint systems, and
               group theories},
  pages = {164-178},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-ijcar12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DKP-ijcar12.pdf},
  doi = {10.1007/978-3-642-31365-3_15},
  abstract = {When formally analyzing security protocols it is often
                  important to express properties in terms of an
                  adversary's inability to distinguish two
                  protocols. It has been shown that this problem
                  amounts to deciding the equivalence of two
                  constraint systems, i.e., whether they have the same
                  set of solutions. In this paper we study this
                  equivalence problem when cryptographic primitives
                  are modeled using a group equational theory, a
                  special case of monoidal equational theories. The
                  results strongly rely on the isomorphism between
                  group theories and rings. This allows us to reduce
                  the problem under study to the problem of solving
                  systems of equations over rings.\par We provide
                  several new decidability and complexity results,
                  notably for equational theories which have
                  applications in security protocols, such as
                  exclusive or and Abelian groups which may
                  additionally admit a unary, homomorphic symbol.}
}
@article{BCD-tocl12,
  publisher = {ACM Press},
  journal = {ACM Transactions on Computational Logic},
  author = {Baudet, Mathieu and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {{YAPA}: A~generic tool for computing intruder knowledge},
  year = 2013,
  month = feb,
  nopages = {},
  number = {1:4},
  volume = 14,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-tocl12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-tocl12.pdf},
  doi = {10.1145/2422085.2422089},
  abstract = {Reasoning about the knowledge of an attacker is a
                  necessary step in many formal analyses of security
                  protocols. In the framework of the applied pi
                  calculus, as in similar languages based on
                  equational logics, knowledge is typically expressed
                  by two relations: deducibility and static
                  equivalence. Several decision procedures have been
                  proposed for these relations under a variety of
                  equational theories. However, each theory has its
                  particular algorithm, and none has been implemented
                  so far.  \par We provide a generic procedure for
                  deducibility and static equivalence that takes as
                  input any convergent rewrite system.  We show that
                  our algorithm covers most of the existing decision
                  procedures for convergent theories. We also provide
                  an efficient implementation, and compare it briefly
                  with the tools ProVerif and KiSs.}
}
@book{JGL-topology,
  author = {Goubault{-}Larrecq, Jean},
  title = {Non-{H}ausdorff Topology and Domain Theory---Selected Topics
                  in Point-Set Topology},
  publisher = {Cambridge University Press},
  series = {New Mathematical Monographs},
  volume = {22},
  year = {2013},
  month = mar,
  url = {http://www.cambridge.org/9781107034136},
  isbn = {9781107034136}
}
@inproceedings{CCK-esop12,
  address = {Tallinn, Estonia},
  month = mar,
  year = 2012,
  volume = {7211},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Seidl, Helmut},
  acronym = {{ESOP}'12},
  booktitle = {{P}rogramming {L}anguages and {S}ystems~---
               {P}roceedings of the 22nd
               {E}uropean {S}ymposium on {P}rogramming
               ({ESOP}'12)},
  author = {Chadha, Rohit and Ciob{\^a}c{\u{a}}, {\c{S}}tefan and Kremer, Steve},
  title = {Automated verification of equivalence properties of
                  cryptographic protocols},
  pages = {108-127},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCK-esop12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCK-esop12.pdf},
  doi = {10.1007/978-3-642-28869-2_6},
  abstract = {Indistinguishability properties are essential in formal
    verification of cryptographic protocols. They are needed to model
    anonymity properties, strong versions of confidentiality and resistance to
    offline guessing attacks, and can be conveniently modeled using process
    equivalences. We present a novel procedure to verify equivalence
    properties for bounded number of sessions. Our procedure is able to verify
    trace equivalence for determinate cryptographic protocols. On determinate
    protocols, trace equivalence coincides with observational equivalence
    which can therefore be automatically verified for such processes. When
    protocols are not determinate our procedure can be used for both under-
    and over-approximations of trace equivalence, which proved successful on
    examples. The procedure can handle a large set of cryptographic
    primitives, namely those which can be modeled by an optimally reducing
    convergent rewrite system. Although we were unable to prove its
    termination, it has been implemented in a prototype tool and has been
    effectively tested on examples, some of which were outside the scope of
    existing tools.}
}
@article{CD-pourlascience13,
  publisher = {Belin},
  journal = {Pour La Science},
  author = {Chr{\'e}tien, R{\'e}my and Delaune, St{\'e}phanie},
  title = {La protection des informations sensibles},
  volume = {433},
  month = nov,
  year = 2013,
  pages = {70-77},
  url = {http://www.pourlascience.fr/ewb_pages/a/article-la-protection-des-informations-sensibles-32228.php}
}
@techreport{rr-lsv-13-13,
  author = {Hirschi, Lucca},
  title = {R{\'e}duction d'entrelacements pour l'{\'e}quivalence de traces},
  institution = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  year = {2013},
  month = sep,
  type = {Research Report},
  number = {LSV-13-13},
  url = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2013-13.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2013-13.pdf},
  versions = {http://www.lsv.fr/Publis/PAPERS/PDF/rr-lsv-2013-13-v1.pdf, 20130910},
  note = {22~pages},
  abstract = {La trace \'equivalence permet notamment de mod\'eliser l'anonymat de
    protocoles cryptographiques. Cette propri\'et\'e est d\'ecidable pour de
    nombreuses classes de protocoles et quelques outils permettent de la
    prouver automatiquement. Mais malheureusement, tous ces outils sont tr\`es
    lents et peu de protocoles r\'eellement int\'eressants peuvent \^etre analys\'es
    dans un temps raisonnable. Ces outils doivent r\'ealiser un parcours
    exhaustif des traces (symboliques) possibles. Mais le parall\`ele introduit
    de nombreux entrelacements dont un grand nombre sont peu pertinents. Cette
    explosion combinatoire est une des causes de cette inefficacit\'e.\par
    Une optimisation dont l'id\'ee est emprunt\'ee \`a la POR (Partial Order
    Reduction) permet de r\'eduire significativement l'espace de recherche en
    reconnaissant certaines redondances entre les traces. Elle a \'et\'e
    d\'evelopp\'ee dans le cas des propri\'et\'es d'accessibilit\'e.
    L'objectif est de l'adapter au cas de l'\'equivalence, de l'automatiser,
    d'augmenter son champ d'action et de l'introduire dans un outil
    existant.}
}
@inproceedings{JGL-mfcs13,
  address = {Klosterneuburg, Austria},
  month = aug,
  year = 2013,
  volume = {8087},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Chatterjee, Krishnendu and Sgall, Ji{\v{r}}{\'\i}},
  acronym = {{MFCS}'13},
  booktitle = {{P}roceedings of the 38th
               {I}nternational {S}ymposium on
               {M}athematical {F}oundations of 
               {C}omputer {S}cience
               ({MFCS}'13)},
  author = {Goubault{-}Larrecq, Jean},
  title = {A Constructive Proof of the Topological {K}ruskal Theorem},
  pages = {22-41},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mfcs13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mfcs13.pdf},
  doi = {10.1007/978-3-642-40313-2_3},
  abstract = {We give a constructive proof of Kruskal's Tree
    Theorem---precisely, of a topological extension of~it. The proof is in the
    style of a constructive proof of Higman's Lemma due to Murthy and
    Russell~(1990), and illuminates the role of regular expressions there. In
    the process, we discover an extension of Dershowitz' recursive path
    ordering to a form of cyclic terms which we call \(\mu\)-terms. This all came
    from recent research on Noetherian spaces, and serves as a teaser for
    their theory.}
}
@article{CCD-tcs13,
  publisher = {Elsevier Science Publishers},
  journal = {Theoretical Computer Science},
  author = {Cheval, Vincent and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {Deciding equivalence-based properties using constraint solving},
  year = {2013},
  month = jun,
  volume = {492},
  pages = {1-39},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tcs13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tcs13.pdf},
  doi = {10.1016/j.tcs.2013.04.016},
  abstract = {Formal methods have proved their usefulness for analyzing the
    security of protocols. Most existing results focus on trace properties
    like secrecy or authentication. There are however several security
    properties, which cannot be defined (or cannot be naturally defined) as
    trace properties and require a notion of behavioural equivalence. Typical
    examples are anonymity, privacy related properties or statements closer to
    security properties used in cryptography.\par
    In this paper, we consider three notions of equivalence defined in the
    applied pi calculus: observational equivalence, may-testing equivalence,
    and trace equivalence. First, we study the relationship between these
    three notions. We show that for determinate processes, observational
    equivalence actually coincides with trace equivalence, a notion simpler to
    reason with. We exhibit a large class of determinate processes, called
    simple processes, that capture most existing protocols and cryptographic
    primitives. While trace equivalence and may-testing equivalence seem very
    similar, we show that may-testing equivalence is actually strictly
    stronger than trace equivalence. We prove that the two notions coincide
    for image-finite processes, such as processes without replication.\par
    Second, we reduce the decidability of trace equivalence (for finite
    processes) to deciding symbolic equivalence between sets of constraint
    systems. For simple processes without replication and with trivial else
    branches, it turns out that it is actually sufficient to decide symbolic
    equivalence between pairs of positive constraint systems. Thanks to this
    reduction and relying on a result first proved by M. Baudet, this yields
    the first decidability result of observational equivalence for a general
    class of equational theories (for processes without else branch nor
    replication). Moreover, based on another decidability result for deciding
    equivalence between sets of constraint systems, we get decidability of
    trace equivalence for processes with else branch for standard
    primitives.}
}
@inproceedings{CCS-cade2013,
  address = {Lake Placid, New~York, USA},
  month = jun,
  year = 2013,
  volume = 7898,
  series = {Lecture Notes in Artificial Intelligence},
  publisher = {Springer},
  editor = {Bonacina, Maria Paola},
  acronym = {{CADE}'13},
  booktitle = {{P}roceedings of the 24th {I}nternational 
               {C}onference on {A}utomated {D}eduction
               ({CADE}'13)},
  author = {Comon{-}Lundh, Hubert and Cortier, V{\'e}ronique and
  	 	  Scerri, Guillaume},
  title = {Tractable inference systems: an extension with a
  		  deducibility predicate},
  pages = {91-108},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCS-cade2013.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCS-cade2013.pdf},
  doi = {10.1007/978-3-642-38574-2_6},
  abstract = {The main contribution of the paper is a PTIME decision procedure
    for the satisfiability problem in a class of first-order Horn clauses. Our
    result is an extension of the tractable classes of Horn clauses of Basin~\&
    Ganzinger in several respects. For instance, our clauses may contain
    atomic formulas \(S \vdash t\) where \(\vdash\) is a predicate symbol and
    \(S\) is a finite set of terms instead of a term. \(\vdash\)~is used to
    represent any possible computation of an attacker, given a set of
    messages~\(S\). The class of clauses that we consider encompasses the
    clauses designed by Bana~\& Comon-Lundh for security proofs of protocols
    in a computational model. \par
    Because of the (variadic) \(\vdash\) predicate symbol, we cannot use
    ordered resolution strategies only, as in Basin~\& Ganzinger: given \(S
    \vdash t\), we must avoid computing \(S' \vdash t\) for all subsets \(S'\)
    of~\(S\). Instead, we design PTIME entailment procedures for increasingly
    expressive fragments, such procedures being used as oracles for the next
    fragment. \par
    Finally, we obtain a PTIME procedure for arbitrary ground clauses and
    saturated Horn clauses (as in Basin~\& Ganzinger), together with a
    particular class of (non saturated) Horn clauses with the \(\vdash\)
    predicate and constraints (which are necessary to cover the
    application).}
}
@inproceedings{KKS-esorics13,
  address = {Egham, U.K.},
  month = sep,
  year = 2013,
  volume = {8134},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Crampton, Jason and Jajodia, Sushil and Mayes, Keith},
  acronym = {{ESORICS}'13},
  booktitle = {{P}roceedings of the 18th {E}uropean {S}ymposium on
		{R}esearch in {C}omputer {S}ecurity ({ESORICS}'13)},
  author = {Kremer, Steve and K{\"u}nnemann, Robert and Steel, Graham},
  title = {Universally Composable Key-Management},
  pages = {327-344},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/KKS-esorics13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KKS-esorics13.pdf},
  doi = {10.1007/978-3-642-40203-6_19},
  abstract = {We present the first universally composable key-management
    functionality, formalized in the GNUC framework by Hofheinz and Shoup. It
    allows the enforcement of a wide range of security policies and can be
    extended by diverse key usage operations with no need to repeat the
    security proof. We illustrate its use by proving an implementation of a
    security token secure with respect to arbitrary key-usage operations and
    explore a proof technique that allows the storage of cryptographic keys
    externally, a novel development in simulation-based security frameworks.}
}
@inproceedings{CCD-icalp13,
  address = {Riga, Latvia},
  month = jul,
  year = 2013,
  volume = {7966},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Fomin, Fedor V. and Freivalds, R{\=u}si{\c{n}}{\v{s}} 
  	 	and Kwiatkowska, Marta and Peleg, David},
  acronym = {{ICALP}'13},
  booktitle = {{P}roceedings of the 40th {I}nternational 
               {C}olloquium on {A}utomata, {L}anguages and 
               {P}rogramming ({ICALP}'13)~-- {P}art~{II}},
  author = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {From security protocols to pushdown automata},
  pages = {137-149},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-icalp13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-icalp13.pdf},
  doi = {10.1007/978-3-642-39212-2_15},
  abstract = {Formal methods have been very successful in analyzing
    security protocols for reachability properties such as secrecy or
    authentication. In contrast, there are very few results for
    equivalence-based properties, crucial for studying
    e.g. privacy-like properties such as anonymity or vote
    secrecy.\par 
    We study the problem of checking equivalence of security protocols
    for an unbounded number of sessions. Since replication leads very
    quickly to undecidability (even in the simple case of secrecy), we
    focus on a limited fragment of protocols (standard primitives but
    pairs, one variable per protocol's rules) for which the secrecy
    preservation problem is known to be decidable. Surprisingly, this
    fragment turns out to be undecidable for equivalence. Then,
    restricting our attention to deterministic protocols, we propose
    the first decidability result for checking equivalence of
    protocols for an unbounded number of sessions. This result is
    obtained through a characterization of equivalence of protocols in
    terms of equality of languages of (generalized, real-time)
    deterministic pushdown automata.}
}
@inproceedings{ABGGP-vstte13,
  address = {Atherton, California, USA},
  year = 2014,
  volume = 8164,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Cohen, Ernie and Rybalchenko, Andrey},
  acronym = {{VSTTE}'13},
  booktitle = {{R}evised {S}elected {P}apers of the
	   5th {IFIP} {TC2}\slash{WG2.3} {C}onference {V}erified
                  {S}oftware---{T}heories, {T}ools, and {E}xperiments
                  ({VSTTE}'13)},
  author = {Adj{\'e}, Assal{\'e} and Bouissou, Olivier and
                  Goubault{-}Larrecq, Jean and
                 Goubault, {\'E}ric and Putot, Sylvie},
  title = {Static Analysis of Programs with Imprecise Probabilistic Inputs},
  pages = {22-47},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/ABGGP-vstte13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ABGGP-vstte13.pdf},
  doi = {10.1007/978-3-642-54108-7},
  abstract = {Having a precise yet sound abstraction of the inputs of
    numerical programs is important to analyze their behavior. For many
    programs, these inputs are probabilistic, but the actual distribution used
    is only partially known. We present a static analysis framework for
    reasoning about programs with inputs given as imprecise probabilities: we
    define a collecting semantics based on the notion of previsions and an
    abstract semantics based on an extension of Dempster-Shafer structures. We
    prove the correctness of our approach and show on some realistic examples
    the kind of invariants we are able to infer.}
}
@inproceedings{CCP-cav13,
  address = {Saint Petersburg, Russia},
  month = jul,
  year = 2013,
  volume = {8044},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Sharygina, Natasha and Veith, Helmut},
  acronym = {{CAV}'13},
  booktitle = {{P}roceedings of the 25th
               {I}nternational {C}onference on 
               {C}omputer {A}ided {V}erification
               ({CAV}'13)},
  author = {Cheval, Vincent and Cortier, V{\'e}ronique and Plet, Antoine},
  title = {Lengths may break privacy~---or~how to check for
                  equivalences with length},
  pages = {708-723},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCP-cav13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCP-cav13.pdf},
  doi = {10.1007/978-3-642-39799-8_50},
  abstract = {Security protocols have been successfully analyzed using
    symbolic models, where messages are represented by terms and protocols by
    processes. Privacy properties like anonymity or untraceability are
    typically expressed as equivalence between processes. While some decision
    procedures have been proposed for automatically deciding process
    equivalence, all existing approaches abstract away the information an
    attacker may get when observing the length of messages.\par In this paper, we
    study process equivalence with length tests. We first show that, in the
    static case, almost all existing decidability results (for static
    equivalence) can be extended to cope with length tests. In the active
    case, we prove decidability of trace equivalence with length tests, for a
    bounded number of sessions and for standard primitives. Our result relies
    on a previous decidability result from Cheval~\emph{et~al.} (without
    length tests). Our procedure has been implemented and we have discovered a
    new flaw against privacy in the biometric passport protocol.}
}
@article{CDKR-fmsd13,
  publisher = {Springer},
  journal = {Formal Methods in System Design},
  author = {Chevalier, C{\'e}line and Delaune, St{\'e}phanie and 
  	    Kremer, Steve and Ryan, Mark D.},
  title = {Composition of Password-based Protocols},
  volume = {43},
  number = {3},
  pages = {369-413},
  month = dec,
  year = 2013,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDKR-fmsd13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDKR-fmsd13.pdf},
  doi = {10.1007/s10703-013-0184-6},
  abstract = {Formal and symbolic techniques are extremely useful for
    modelling and analysing security protocols. They have helped to improve
    our understanding of such protocols, allowed us to discover flaws, and
    they also provide support for protocol design. However, such analyses
    usually consider that the protocol is executed in isolation or assume a
    bounded number of protocol sessions. Hence, no security guarantee is
    provided when the protocol is executed in a more complex environment.\par
    In this paper, we study whether password protocols can be safely composed,
    even when a same password is reused. More precisely, we present a
    transformation which maps a password protocol that is secure for a single
    protocol session (a~decidable problem) to a protocol that is secure for an
    unbounded number of sessions. Our result provides an effective strategy to
    design secure password protocols: (i)~design a protocol intended to be
    secure for one protocol session; (ii)~apply our transformation and obtain
    a protocol which is secure for an unbounded number of sessions. Our
    technique also applies to compose different password protocols allowing us
    to obtain both inter-protocol and inter-session composition.}
}
@incollection{GLJ-hg13,
  noaddress = {},
  month = jan,
  year = 2013,
  volume = 7797,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  noacronym = {},
  booktitle = {Programming Logics~-- Essays in Memory of {H}arald {G}anzinger},
  editor = {Voronkov, Andrei and Weidenbach, Christoph},
  author = {Goubault{-}Larrecq, Jean and Jouannaud, Jean-Pierre},
  title = {The Blossom of Finite Semantic Trees},
  pages = {90-122},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-hg13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-hg13.pdf}
}
@mastersthesis{m2-lefaucheux,
  author = {Lefaucheux, Engel},
  title = {D{\'e}tection de fautes dans les syst{\`e}mes probabilistes},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = {2014},
  month = sep,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-lefaucheux.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-lefaucheux.pdf},
  note = {35~pages}
}
@mastersthesis{m2-dubut,
  author = {Dubut, J{\'e}r{\'e}my},
  title = {{H}omologie dirig{\'e}e},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = {2014},
  month = sep,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dubut.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dubut.pdf},
  note = {35~pages}
}
@inproceedings{BC-ccs14,
  address = {Scottsdale, Arizona, USA},
  month = nov,
  year = 2014,
  publisher = {ACM Press},
  editor = {Ahn, Gail-Joon and Yung, Moti and Li, Ninghui},
  acronym = {{CCS}'14},
  booktitle = {{P}roceedings of the 21st {ACM} {C}onference
               on {C}omputer and {C}ommunications {S}ecurity
               ({CCS}'14)},
  author = {Bana, Gergei and Comon{-}Lundh, Hubert},
  title = {A~Computationally Complete Symbolic Attacker for
                  Equivalence Properties},
  pages = {609-620},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-ccs14.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BC-ccs14.pdf},
  doi = {10.1145/2660267.2660276},
  abstract = {We consider the problem of computational indistinguishability of
    protocols. We design a symbolic model, amenable to automated deduction,
    such that a successful inconsistency proof implies computational
    indistinguishability. Conversely, symbolic models of distinguishability
    provide clues for likely computational attacks. We follow the idea we
    introduced earlier for reachability properties, axiomatizing what an
    attacker cannot violate. This results in a computationally complete symbolic
    attacker, and ensures unconditional computational soundness for the
    symbolic analysis. We present a small library of computationally sound,
    modular axioms, and test our technique on an example protocol. Despite
    additional difficulties stemming from the equivalence properties, the
    models and the soundness proofs turn out to be simpler than they were for
    reachability properties.}
}
@inproceedings{GLJ-mfps30,
  address = {Ithaca, New~York, USA},
  month = jun,
  year = 2014,
  volume = 308,
  series = {Electronic Notes in Theoretical Computer Science},
  publisher = {Elsevier Science Publishers},
  editor = {Jacobs, Bart and Silva, Alexandra and Staton, Sam},
  acronym = {{MFPS}'14},
  booktitle = {{P}roceedings of the 30th {C}onference on 
	{M}athematical {F}oundations of {P}rogramming 
	{S}emantics ({MFPS}'14)},
  author = {Goubault{-}Larrecq, Jean and Jung, Achim},
  title = {{QRB}, {QFS}, and the Probabilistic Powerdomain},
  pages = {167-182},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-mfps14.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLJ-mfps14.pdf},
  doi = {10.1016/j.entcs.2014.10.010},
  abstract = {We show that the first author's QRB-domains coincide with Li and
    Xu's QFS-domains, and also with Lawson-compact quasi-continuous dcpos,
    with stably-compact locally finitary compact spaces, with sober
    QFS-spaces, and with sober QRB-spaces. The first three coincidences were
    discovered independently by Lawson and~Xi. The equivalence with sober
    QFS-spaces is then applied to give a novel, direct proof that the
    probabilistic powerdomain of a QRB-domain is a QRB-domain. This improves
    upon a previous, similar result, which was limited to pointed,
    second-countable QRB-domains.}
}
@article{jgl-jlap14,
  publisher = {Elsevier Science Publishers},
  journal = {Journal of Logic and Algebraic Methods in Programming},
  author = {Goubault{-}Larrecq, Jean},
  title = {Full Abstraction for Non-Deterministic and Probabilistic
  		 Extensions of {PCF}~{I}: the~Angelic Cases},
  volume = 84,
  number = 1,
  year = 2015,
  month = jan,
  pages = {155-184},
  opteditor = {Berger, Ulrich},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/jgl-jlap14.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/jgl-jlap14.pdf},
  doi = {10.1016/j.jlamp.2014.09.003},
  abstract = {We examine several extensions and variants of Plotkin's
    language~PCF, including non-deterministic and probabilistic choice
    constructs. For~each, we give an operational and a denotational semantics,
    and compare them. In each case, we show soundness and computational
    adequacy: the two semantics compute the same values at ground types.
    Beyond this, we establish full abstraction (the~observational preorder
    coincides with the denotational preorder) in a number of cases. In~the
    probabilistic cases, this requires the addition of so-called statistical
    termination testers to the language.}
}
@article{CD-interstices14,
  publisher = {INRIA},
  journal = {Interstices},
  author = {Chr{\'e}tien, R{\'e}my and Delaune, St{\'e}phanie},
  title = {Le~bitcoin, une monnaie \(100\%\) num{\'e}rique},
  month = sep,
  year = {2014},
  url = {https://interstices.info/jcms/ni_78681/le-bitcoin-une-monnaie-100-numerique},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-interstices14.pdf}
}
@inproceedings{CDR-tgc14,
  address = {Rome, Italy},
  month = dec,
  year = 2014,
  volume = {8902},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Maffei, Matteo and Tuosto, Emilio},
  acronym = {{TGC}'14},
  booktitle = {{R}evised {S}elected {P}apers of the 9th {S}ymposium on {T}rustworthy {G}lobal 
	   {C}omputing ({TGC}'14)},
  author = {Cheval, Vincent and Delaune, St{\'e}phanie and Ryan, Mark
                  D.},
  title = {Tests for establishing security properties},
  pages = {82-96},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDR-tgc14.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDR-tgc14.pdf},
  doi = {10.1007/978-3-662-45917-1_6},
  abstract = {Ensuring strong security properties in some cases requires
    participants to carry out tests during the execution of a protocol.
    A~classical example is electronic voting: participants are required to
    verify the presence of their ballots on a bulletin board, and to verify
    the computation of the election outcome. The notion of certificate
    transparency is another example, in which participants in the protocol are
    required to perform tests to verify the integrity of a certificate log.\par
    We present a framework for modelling systems with such `testable
    properties', using the applied pi calculus. We model the tests that are
    made by participants in order to obtain the security properties.
    Underlying our work is an attacker model called {"}malicious but cautious{"},
    which lies in between the Dolev-Yao model and the {"}honest but curious{"}
    model. The malicious-but-cautious model is appropriate for cloud computing
    providers that are potentially malicious but are assumed to be cautious
    about launching attacks that might cause user tests to fail.}
}
@inproceedings{GLS-pp14,
  year = 2014,
  volume = 8464,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {van Breugel, Franck and Kashefi, Elham and Palamidessi,
                  Catuscia and Rutten, Jan},
  booktitle = {Horizons of the Mind. A~Tribute to Prakash Panangaden},
  author = {Goubault{-}Larrecq, Jean and Segala, Roberto},
  title = {Random Measurable Selections},
  pages = {343-362},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLS-pp14.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLS-pp14.pdf},
  doi = {10.1007/978-3-319-06880-0_18},
  abstract = {We make the first steps towards showing a general {"}randomness
    for free{"} theorem for stochastic automata. The goal of such theorems is
    to replace randomized schedulers by averages of pure schedulers. Here, we
    explore the case of measurable multifunctions and their measurable
    selections. This involves constructing probability measures on the
    measurable space of measurable selections of a given measurable
    multifunction, which seems to be a fairly novel problem. We then extend
    this to the case of IT automata, namely, non-deterministic (infinite)
    automata with a history-dependent transition relation. Throughout, we
    strive to make our assumptions minimal.}
}
@article{ADK-lmcs14,
  journal = {Logical Methods in Computer Science},
  author = {Arapinis, Myrto and Delaune, St{\'e}phanie and Kremer, Steve},
  title = {Dynamic Tags for Security Protocols},
  volume = 10,
  number = {2:11},
  nopages = {},
  month = jun,
  year = 2014,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/ADK-lmcs14.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ADK-lmcs14.pdf},
  doi = {10.2168/LMCS-10(2:11)2014},
  abstract = {The design and verification of cryptographic protocols is a
    notoriously difficult task, even in symbolic models which take an abstract
    view of cryptography. This is mainly due to the fact that protocols may
    interact with an arbitrary attacker which yields a verification problem
    that has several sources of unboundedness (size of messages, number of
    sessions, etc.). In this paper, we characterize a class of protocols for
    which deciding security for an unbounded number of sessions is decidable.
    More precisely, we present a simple transformation which maps a protocol
    that is secure for a bounded number of protocol sessions (a~decidable
    problem) to a protocol that is secure for an unbounded number of sessions.
    The precise number of sessions that need to be considered is a function of
    the security property and we show that for several classical security
    properties a single session is sufficient. Therefore, in many cases our
    results yield a design strategy for security protocols: (i)~design a
    protocol intended to be secure for a {single session}; and (ii)~apply our
    transformation to obtain a protocol which is secure for an unbounded
    number of sessions.}
}
@inproceedings{CCD-concur14,
  address = {Rome, Italy},
  month = sep,
  year = 2014,
  volume = 8704,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Baldan, Paolo and Gorla, Daniele},
  acronym = {{CONCUR}'14},
  booktitle = {{P}roceedings of the 25th
               {I}nternational {C}onference on
               {C}oncurrency {T}heory
               ({CONCUR}'14)},
  author = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {Typing messages for free in security protocols: 
                 the~case of equivalence properties},
  pages = {372-386},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-concur14.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-concur14.pdf},
  doi = {10.1007/978-3-662-44584-6_26},
  abstract = {Privacy properties such as untraceability, vote secrecy, or
    anonymity are typically expressed as behavioural equivalence in a process
    algebra that models security protocols. In this paper, we study how to
    decide one particular relation, namely trace equivalence, for an unbounded
    number of sessions.\par
    Our first main contribution is to reduce the search space for attacks.
    Specifically, we show that if there is an attack then there is one that is
    well-typed. Our result holds for a large class of typing systems and a
    large class of determinate security protocols. Assuming finitely many
    nonces and keys, we can derive from this result that trace equivalence is
    decidable for an unbounded number of sessions for a class of tagged
    protocols, yielding one of the first decidability results for the
    unbounded case. As an intermediate result, we also provide a novel
    decision procedure in the case of a bounded number of sessions.}
}
@incollection{CD-nato12,
  author = {Comon{-}Lundh, Hubert and Delaune, St{\'e}phanie},
  title = {Formal Security Proofs},
  booktitle = {Software Safety and Security},
  pages = {26-63},
  editor = {Nipkow, Tobias and Grumberg, Orna and Hauptmann, Benedikt},
  series = {NATO Science for Peace and Security Series~-- D:~Information and
  	     	      Communication Security},
  volume = {33},
  publisher = {{IOS} Press},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-nato12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CD-nato12.pdf},
  year = 2012,
  month = may
}
@inproceedings{CLHKS-ispec12,
  address = {Hangzhou, China},
  year = 2012,
  month = apr,
  volume = 7232,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Ryan, Mark D. and Smyth,  Ben and Wang, Guilin},
  acronym = {{ISPEC}'12},
  booktitle = {{P}roceedings of the 8th {I}nternational {C}onference on
                  {I}nformation {S}ecurity {P}ractice and {E}xperience
                  ({ISPEC}'12)},
  author = {Comon{-}Lundh, Hubert and Hagiya, Masami and Kawamoto, Yusuke
                  and Sakurada, Hideki},
  title = {Computational Soundness of Indistinguishability
                  Properties without Computable Parsing},
  pages = {63-79},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CHKS-ispec12.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CHKS-ispec12.pdf},
  doi = {10.1007/978-3-642-29101-2_5},
  abstract = {We provide a symbolic model for protocols using public-key
    encryption and hash function, and prove that this model is computationally
    sound: if there is an attack in the computational world, then there is an
    attack in the symbolic (abstract) model. Our original contribution is that
    we deal with the security properties, such as anonymity, which cannot be
    described using a single execution trace, while considering an unbounded
    number of sessions of the protocols in the presence of active and adaptive
    adversaries. Our soundness proof is different from all existing studies in
    that it does not require a computable parsing function from bit strings to
    terms. This allows us to deal with more cryptographic primitives, such as
    a preimage-resistant and collision-resistant hash function whose input may
    have different lengths.}
}
@inproceedings{BDH-post14,
  address = {Grenoble, France},
  month = apr,
  year = 2014,
  volume = {8414},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Abadi, Mart{\'\i}n and Kremer, Steve},
  acronym = {{POST}'14},
  booktitle = {{P}roceedings of the 3rd {I}nternational {C}onference on
  	   {P}rinciples of {S}ecurity and {T}rust 
           ({POST}'14)},
  author = {Baelde, David and Delaune, St{\'e}phanie and Hirschi, Lucca},
  title = {A~reduced semantics for deciding trace equivalence using constraint systems},
  pages = {1-21},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-post14.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-post14.pdf},
  doi = {10.1007/978-3-642-54792-8_1},
  abstract = {Many privacy-type properties of security protocols can be
    modelled using trace equivalence properties in suitable process algebras.
    It has been shown that such properties can be decided for interesting
    classes of finite processes (i.e.,~without replication) by means of symbolic
    execution and constraint solving. However, this does not suffice to obtain
    practical tools. Current prototypes suffer from a classical combinatorial
    explosion problem caused by the exploration of many interleavings in the
    behaviour of processes. Modersheim et~al. have tackled this problem for
    reachability properties using partial order reduction techniques. We
    revisit their work, generalize it and adapt it for equivalence checking.
    We obtain an optimization in the form of a reduced symbolic semantics that
    eliminates redundant interleavings on the fly.}
}
@article{ACD-icomp13,
  publisher = {Elsevier Science Publishers},
  journal = {Information and Computation},
  author = {Arnaud, Mathilde and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {Modeling and Verifying Ad~Hoc Routing Protocols},
  volume = 238,
  pages = {30-67},
  month = nov,
  year = 2014,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-icomp13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-icomp13.pdf},
  doi = {10.1016/j.ic.2014.07.004},
  abstract = {Mobile ad hoc networks consist of mobile wireless devices which
    autonomously organize their infrastructure. In such networks, a central
    issue, ensured by routing protocols, is to find a route from one device to
    another. Those protocols use cryptographic mechanisms in order to prevent
    malicious nodes from compromising the discovered route.\par
    Our contribution is twofold. We first propose a calculus for modeling and
    reasoning about security protocols, including in particular secured
    routing protocols. Our calculus extends standard symbolic models to take
    into account the characteristics of routing protocols and to model
    wireless communication in a more accurate way. Our second main
    contribution is a decision procedure for analyzing routing protocols for
    any network topology. By using constraint solving techniques, we show that
    it is possible to automatically discover (in~NPTIME) whether there exists
    a network topology that would allow malicious nodes to mount an attack
    against the protocol, for a bounded number of sessions. We also provide a
    decision procedure for detecting attacks in case the network topology is
    given a priori. We demonstrate the usage and usefulness of our approach by
    analyzing protocols of the literature, such as SRP applied to DSR and
    SDMSR.}
}
@article{GL-acs13,
  publisher = {Springer},
  journal = {Applied Categorical Structures},
  author = {Goubault{-}Larrecq, Jean},
  title = {Exponentiable streams and prestreams},
  volume = {22},
  number = {3},
  year = 2014,
  month = jun,
  pages = {515-549},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13.pdf},
  corrigendumpdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13-erratum.pdf},
  doi = {10.1007/s10485-013-9315-x},
  note = {Errata 1: \url{http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13-erratum.pdf};
           Errata 2: \url{http://www.lsv.fr/Publis/PAPERS/PDF/GL-acs13-erratum2.pdf}},
  abstract = {Inspired by a construction of Escard{\'o}, Lawson, and Simpson,
    we give a general construction of \(\mathcal C\)-generated objects in a
    topological construct. When \(\mathcal C\) consists of exponentiable
    objects, the resulting category is Cartesian-closed. This generalizes the
    familiar construction of compactly-generated spaces, and we apply this to
    Krishnan's categories of streams and prestreams, as well as to Haucourt
    streams. For that, we need to identify the exponentiable objects in these
    categories: for prestreams, we show that these are the preordered
    core-compact topological spaces, and for streams, these are the
    core-compact streams.}
}
@article{GL-mscs13,
  publisher = {Cambridge University Press},
  journal = {Mathematical Structures in Computer Science},
  author = {Goubault{-}Larrecq, Jean},
  title = {A~short proof of the {S}chr{\"o}der-{S}impson theorem},
  volume = 25,
  number = 1,
  year = 2015,
  month = jan,
  pages = {1-5},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-mscs13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GL-mscs13.pdf},
  doi = {10.1017/S0960129513000467},
  abstract = {We give a short and elementary proof of the
    Schr{\"o}der-Simpson Theorem, which states that the space of all
    continuous maps from a given space~\(X\) to the non-negative reals with their
    Scott topology is the cone-theoretic dual of the probabilistic powerdomain
    on~\(X\).}
}
@article{BCD-icomp13,
  publisher = {Elsevier Science Publishers},
  journal = {Information and Computation},
  author = {Bursuc, Sergiu and Comon{-}Lundh, Hubert and Delaune,
                  St{\'e}phanie},
  title = {Deducibility constraints and blind signatures},
  year = {2014},
  month = nov,
  volume = 238,
  pages = {106-127},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-icomp13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCD-icomp13.pdf},
  nonote = {32~pages},
  doi = {10.1016/j.ic.2014.07.006},
  abstract = {Deducibility constraints represent in a symbolic way the
    infinite set of possible executions of a finite protocol. Solving a
    deducibility constraint amounts to finding all possible ways of filling
    the gaps in a proof. For finite local inference systems, there is an
    algorithm that reduces any deducibility constraint to a finite set of
    solved forms. This allows one to decide any trace security property of
    cryptographic protocols.\par
    We investigate here the case of infinite local inference systems, through
    the case study of blind signatures. We show that, in this case again, any
    deducibility constraint can be reduced to finitely many solved forms
    (hence we can decide trace security properties). We sketch also another
    example to which the same method can be applied.}
}
@mastersthesis{m2-dallon,
  author = {Dallon, Antoine},
  title = {Verification of Cryptographic Protocols: a bound on the number
of agents},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = {2015},
  month = sep,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dallon.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-dallon.pdf},
  note = {38~pages}
}
@article{CCD-tocl15,
  publisher = {ACM Press},
  journal = {ACM Transactions on Computational Logic},
  author = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {From security protocols to pushdown automata},
  volume = {17},
  number = {1:3},
  nopages = {},
  year = 2015,
  month = sep,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tocl15.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-tocl15.pdf},
  doi = {10.1145/2811262},
  abstract = {Formal methods have been very successful in analyzing security
    protocols for reachability properties such as secrecy or authentication.
    In contrast, there are very few results for equivalence-based properties,
    crucial for studying e.g. privacy-like properties such as anonymity or
    vote secrecy.\par
    We study the problem of checking equivalence of security protocols for an
    unbounded number of sessions. Since replication leads very quickly to
    undecidability (even in the simple case of secrecy), we focus on a limited
    fragment of protocols (standard primitives but pairs, one variable per
    protocol's rules) for which the secrecy preservation problem is known to
    be decidable. Surprisingly, this fragment turns out to be undecidable for
    equivalence. Then, restricting our attention to deterministic protocols,
    we propose the first decidability result for checking equivalence of
    protocols for an unbounded number of sessions. This result is obtained
    through a characterization of equivalence of protocols in terms of
    equality of languages of (generalized, real-time) deterministic pushdown
    automata. We further show that checking for equivalence of protocols is
    actually equivalent to checking for equivalence of generalized, real-time
    deterministic pushdown automata.\par
    Very recently, the algorithm for checking for equivalence of deterministic
    pushdown automata has been implemented. We have implemented our
    translation from protocols to pushdown automata, yielding the first tool
    that decides equivalence of (some class of) protocols, for an unbounded
    number of sessions. As an application, we have analyzed some protocols of
    the literature including a simplified version of the basic access control
    (BAC) protocol used in biometric passports.}
}
@inproceedings{CCD-esorics15,
  address = {Vienna, Austria},
  month = sep,
  year = 2015,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Ryan, Peter and Weippl, Edgar},
  acronym = {{ESORICS}'15},
  booktitle = {{P}roceedings of the 20th {E}uropean {S}ymposium on
		 {R}esearch in {C}omputer {S}ecurity ({ESORICS}'15)},
  author = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and Delaune, St{\'e}phanie},
  title = {Checking trace equivalence: How to get rid of nonces?},
  pages = {230-251},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-esorics15.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-esorics15.pdf},
  doi = {10.1007/978-3-319-24177-7_12},
  abstract = {Security protocols can be successfully analysed using formal
    methods. When proving security in symbolic settings for an unbounded
    number of sessions, a typical technique consists in abstracting away fresh
    nonces and keys by a bounded set of constants. While this abstraction is
    clearly sound in the context of secrecy properties (for protocols without
    else branches), this is no longer the case for equivalence properties.\par
    In this paper, we study how to soundly get rid of nonces in the context of
    equivalence properties. We show that nonces can be replaced by constants
    provided that each nonce is associated to two constants (instead of
    typically one constant for secrecy properties). Our result holds for
    deterministic (simple) protocols and a large class of primitives that
    includes e.g. standard primitives, blind signatures, and zero-knowledge
    proofs.}
}
@article{BCGMNTW-jfr14,
  publisher = {University of Bologna},
  journal = {Journal of Formalized Reasoning},
  author = {Baelde, David and Chaudhuri, Kaustuv and Gacek, Andrew and
                  Miller, Dale and Nadathur, Gopalan and Tiu, Alwen and Wang,
                  Yuting},
  title = {Abella: A~System for Reasoning about Relational Specifications},
  volume = {7},
  number = {2},
  year = {2014},
  pages = {1--89},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BCGMNTW-jfr14.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BCGMNTW-jfr14.pdf},
  doi = {10.6092/issn.1972-5787/4650},
  abstract = {The Abella interactive theorem prover is based on an
    intuitionistic logic that allows for inductive and co-inductive reasoning
    over relations. Abella supports the \(\lambda\)-tree approach to treating
    syntax containing binders: it~allows simply typed \(\lambda\)-terms to be
    used to represent such syntax and it provides higher-order (pattern)
    unification, the \(\nabla\) quantifier, and nominal constants for
    reasoning about these representations. As such, it is a suitable vehicle
    for formalizing the meta-theory of formal systems such as logics and
    programming languages. This tutorial exposes Abella incrementally,
    starting with its capabilities at a first-order logic level and gradually
    presenting more sophisticated features, ending with the support it offers
    to the \emph{two-level logic approach} to meta-theoretic reasoning. Along
    the way, we show how Abella can be used prove theorems involving natural
    numbers, lists, and automata, as well as involving typed and untyped
    \(\lambda\)-calculi and the \(\pi\)-calculus.}
}
@inproceedings{BDS-csl15,
  address = {Berlin, Germany},
  month = sep,
  year = 2015,
  volume = {41},
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Kreuzer, Stephan},
  acronym = {{CSL}'15},
  booktitle = {{P}roceedings of the 24th {A}nnual {EACSL} {C}onference on
                  {C}omputer {S}cience {L}ogic ({CSL}'15)},
  author = {Baelde, David and Doumane, Amina and Saurin, Alexis},
  title = {Least and Greatest Fixed Points in Ludics},
  pages = {549--566},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BDS-csl15.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BDS-csl15.pdf},
  doi = {10.4230/LIPIcs.CSL.2015.549},
  abstract = {Various logics have been introduced in order to reason over
   (co)inductive specifications and, through the Curry-Howard correspondence,
   to study computation over inductive and coinductive data. The logic mu-MALL
   is one of those logics, extending multiplicative and additive linear logic
   with least and greatest fixed point operators.\par
   In this paper, we investigate the semantics of mu-MALL proofs in
   (computational) ludics. This framework is built around the notion of
   design, which can be seen as an analogue of the strategies of game
   semantics. The infinitary nature of designs makes them particularly well
   suited for representing computations over infinite data.\par
   We provide mu-MALL with a denotational semantics, interpreting proofs by
   designs and formulas by particular sets of designs called behaviours. Then
   we prove a completeness result for the class of {"}essentially finite
   designs{"}, which are those designs performing a finite computation followed
   by a copycat. On the way to completeness, we investigate semantic
   inclusion, proving its decidability (given two formulas, we can decide
   whether the semantics of one is included in the other's) and completeness
   (if semantic inclusion holds, the corresponding implication is provable in
   mu-MALL).}
}
@inproceedings{BDH-concur15,
  address = {Madrid, Spain},
  month = sep,
  year = 2015,
  volume = {42},
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Aceto, Luca and de Frutos-Escrig, David},
  acronym = {{CONCUR}'15},
  booktitle = {{P}roceedings of the 26th
               {I}nternational {C}onference on
               {C}oncurrency {T}heory
               ({CONCUR}'15)},
  author = {Baelde, David and Delaune, St{\'e}phanie and Hirschi,
                  Lucca},
  title = {Partial Order Reduction for Security Protocols},
  pages = {497--510},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-concur15.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-concur15.pdf},
  doi = {10.4230/LIPIcs.CONCUR.2015.497},
  abstract = {Security protocols are concurrent processes that communicate
    using cryptography with the aim of achieving various security properties.
    Recent work on their formal verification has brought procedures and tools
    for deciding trace equivalence properties (\textit{e.g.},~anonymity,
    unlinkability, vote secrecy) for a bounded number of sessions. However,
    these procedures are based on a naive symbolic exploration of all traces
    of the considered processes which, unsurprisingly, greatly limits the
    scalability and practical impact of the verification tools.\par
    In this paper, we mitigate this difficulty by developing partial order
    reduction techniques for the verification of security protocols. We
    provide reduced transition systems that optimally eliminate redundant
    traces, and which are adequate for model-checking trace equivalence
    properties of protocols by means of symbolic execution. We have
    implemented our reductions in the tool \textsf{Apte}, and demonstrated
    that it achieves the expected speedup on various protocols.}
}
@inproceedings{CCD-csf15,
  address = {Verona, Italy},
  month = jul,
  year = 2015,
  publisher = {{IEEE} Computer Society Press},
  acronym = {{CSF}'15},
  booktitle = {{P}roceedings of the 
               28th {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'15)},
  author = {Chr{\'e}tien, R{\'e}my and Cortier, V{\'e}ronique and
                  Delaune, St{\'e}phanie},
  title = {Decidability of trace equivalence for protocols with nonces},
  pages = {170--184},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-csf15.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CCD-csf15.pdf},
  doi = {10.1109/CSF.2015.19},
  abstract = {Privacy properties such as anonymity, unlinkability, or vote
    secrecy are typically expressed as equivalence properties.\par
    In this paper, we provide the first decidability result for trace
    equivalence of security protocols, for an unbounded number of sessions and
    unlimited fresh nonces. Our class encompasses most symmetric key protocols
    of the literature, in their tagged variant.}
}
@inproceedings{DGGL-icalp15,
  address = {Kyoto, Japan},
  month = jul,
  year = 2015,
  volume = {9135},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Halld{\'o}rsson, Magnus M. and Iwama, Kazuo and Kobayashi,
                  Naoki and Speckmann, Bettina},
  acronym = {{ICALP}'15},
  booktitle = {{P}roceedings of the 42nd {I}nternational 
               {C}olloquium on {A}utomata, {L}anguages and 
               {P}rogramming ({ICALP}'15)~-- {P}art~{II}},
  author = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and
                  Goubault{-}Larrecq, Jean},
  title = {Natural Homology},
  pages = {171--183},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-icalp15.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-icalp15.pdf},
  doi = {10.1007/978-3-662-47666-6_14},
  abstract = {We propose a notion of homology for directed algebraic topology,
    based on so-called natural systems of abelian groups, and which we call
    natural homology. Contrarily to previous proposals, and as we show,
    natural homology has many desirable properties: it~is invariant under
    isomorphisms of directed spaces, it is invariant under refinement
    (subdivision), and it is computable on cubical complexes.}
}
@inproceedings{ACD-post15,
  address = {London, UK},
  month = apr,
  year = 2015,
  volume = {9036},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Focardi, Riccardo and Myers, Andrew},
  acronym = {{POST}'15},
  booktitle = {{P}roceedings of the 4th {I}nternational {C}onference on
  	   {P}rinciples of {S}ecurity and {T}rust 
           ({POST}'15)},
  author = {Arapinis, Myrto and Cheval, Vincent and Delaune, St{\'e}phanie},
  title = {Composing security protocols: from confidentiality to privacy},
  pages = {324--343},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-post15.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/ACD-post15.pdf},
  doi = {10.1007/978-3-662-46666-7_17},
  abstract = {Security protocols are used in many of our daily-life
    applications, and our privacy largely depends on their design. Formal
    verification techniques have proved their usefulness to analyse these
    protocols, but they become so complex that modular techniques have to be
    developed. We propose several results to safely compose security
    protocols. We consider arbitrary primitives modeled using an equational
    theory, and a rich process algebra close to the applied pi calculus.\par
    Relying on these composition results, we derive some security properties
    on a protocol from the security analysis performed on each of its
    sub-protocols individually. We consider parallel composition and the case
    of key-exchange protocols. Our results apply to deal with confidentiality
    but also privacy-type properties (e.g. anonymity) expressed using a notion
    of equivalence. We illustrate the usefulness of our composition results on
    protocols from the 3G phone application and electronic passport.}
}
@phdthesis{scerri-phd15,
  author = {Scerri, Guillaume},
  title = {Proofs of security protocols revisited},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2015,
  month = jan,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/scerri-phd15.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/scerri-phd15.pdf}
}
@article{AFG-sif15,
  publisher = {SIF},
  journal = {1024~-- Bulletin de la soci{\'e}t{\'e} informatique de France},
  author = {Abiteboul, Serge and Fribourg, Laurent and
                  Goubault{-}Larrecq, Jean},
  title = {{G}{\'e}rard {B}erry~: un~informaticien m{\'e}daille d'or du {CNRS}~2014},
  volume = 4,
  pages = {139--142},
  month = oct,
  year = 2014,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/AFG-sif15.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/AFG-sif15.pdf},
  abstract = {C'est un chercheur en informatique qui vient de recevoir la
    m{\'e}daille d'or du CNRS, la plus haute distinction scientifique
    fran{\c c}aise toutes disciplines confondues. Les informaticiens sont rares {\`a}
    avoir {\'e}t{\'e} ainsi honor{\'e}s : ce n'est que la seconde fois
    apr{\`e}s Jacques Stern en~2006.}
}
@inproceedings{GLO-fps13,
  address = {La Rochelle, France},
  month = oct,
  year = 2013,
  volume = 8352,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Danger, Jean-Luc and Debbabi, Mourad and Marion, Jean-Yves and
                  Garcia{-}Alfaro, Joaquin and Zincir{-}Heywood, Nur},
  acronym = {{FPS}'13},
  booktitle = {{R}evised {S}elected {P}apers of the 6th {I}nternational {S}ymposium on
	   {F}oundations and {P}ractice of {S}ecurity ({FPS}'13)},
  author = {Goubault{-}Larrecq, Jean and Olivain, Julien},
  title = {On~the Efficiency of Mathematics in Intrusion
                  	 Detection: The {NetEntropy} Case},
  pages = {3--16},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/GLO-fps13.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLO-fps13.pdf},
  doi = {10.1007/978-3-319-05302-8_1},
  abstract = {NetEntropy is a plugin to the Orchids intrusion detection tool
    that is originally meant to detect some subtle attacks on implementations
    of cryptographic protocols such as {SSL\slash TLS}. NetEntropy compares
    the sample entropy of a data stream to a known profile, and flags any
    significant variation. Our point is to stress the \emph{mathematics} behind
    NetEntropy: the reason of the rather incredible precision of NetEntropy is
    to be found in theorems due to Paninski and Moddemeijer.}
}
@mastersthesis{m2-jacomme,
  author = {Jacomme, Charlie},
  title = {Automated applications of Cryptographic Assumptions},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = {2016},
  month = sep,
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/m2-jacomme.pdf}
}
@article{DH-jlamp16,
  publisher = {Elsevier Science Publishers},
  journal = {Journal of Logic and Algebraic Methods in Programming},
  author = {Delaune, St{\'e}phanie and Hirschi, Lucca},
  title = {A survey of symbolic methods for establishing equivalence-based properties in cryptographic protocols},
  volume = {87},
  year = {2016},
  pages = {127--144},
  url = {http://www.sciencedirect.com/science/article/pii/S235222081630133X},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DH-jlamp16.pdf},
  doi = {10.1016/j.jlamp.2016.10.005},
  note = {To~appear},
  abstract = {Cryptographic protocols aim at securing communications over insecure networks such as the Internet, where dishonest users may listen to communications and interfere with them. A secure communication has a different meaning depending on the underlying application. It ranges from the confidentiality of a data to e.g. verifiability in electronic voting systems. Another example of a security notion is privacy. Formal symbolic models have proved their usefulness for analysing the security of protocols. Until quite recently, most results focused on trace properties like confidentiality or authentication. There are however several security properties, which cannot be defined (or cannot be naturally defined) as trace properties and require a notion of behavioural equivalence. Typical examples are anonymity, and privacy related properties. During the last decade, several results and verification tools have been developed to analyse equivalence-based security properties. We propose here a synthesis of decidability and undecidability results for equivalence-based security properties. Moreover, we give an overview of existing verification tools that may be used to verify equivalence-based security properties.}
}
@article{GLSSW-dagrep16,
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  journal = {Dagstuhl Reports},
  author = {Goubault{-}Larrecq, Jean and Seisenberger, Monika and Selivanov, Victor and Weiermann, Andreas},
  title = {Well {Q}uasi-{O}rders in {C}omputer {S}cience ({D}agstuhl {S}eminar
16031)},
  year = 2016,
  month = jan,
  volume = {6},
  number = {1},
  pages = {69--98},
  url = {http://dx.doi.org/10.4230/DagRep.6.1.69},
  pdf = {http://dx.doi.org/10.4230/DagRep.6.1.69},
  doi = {10.4230/DagRep.6.1.69},
  abstract = {This report documents the program and the outcomes of Dagstuhl Seminar 16031 {"}Well Quasi{-}Orders in Computer 
Science{"}, the first seminar devoted to the multiple and deep interactions between the theory of Well quasi{-}orders 
(known as the Wqo{-}Theory) and several fields of Computer Science (Verification and Termination of Infinite-State Systems, 
Automata and Formal Languages, Term Rewriting and Proof Theory, topological complexity of computational problems on continuous 
functions). Wqo{-}Theory is a highly developed part of Combinatorics with ever-growing number of applications in Mathematics and 
Computer Science, and Well quasi-orders are going to become an important unifying concept of Theoretical Computer Science. 
In this seminar, we brought together several communities from Computer Science and Mathematics in order to facilitate the 
knowledge transfer between Mathematicians and Computer Scientists as well as between established and younger researchers and thus 
to push forward the interaction between Wqo{-}Theory and Computer Science.}
}
@inproceedings{GLL-rv16,
  address = {Madrid, Spain},
  volume = 10012,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  opteditor = {Madrid, Spain},
  internal-note = {editor field held a copy of the address; editor names still to be entered},
  acronym = {{RV}'16},
  booktitle = {{P}roceedings of the 16th {C}onference on {R}untime {V}erification ({RV}'16)},
  author = {Goubault{-}Larrecq, Jean and Lachance, Jean{-}Philippe},
  title = {On the {C}omplexity of {M}onitoring {O}rchids {S}ignatures},
  year = 2016,
  month = sep,
  pages = {169--164},
  internal-note = {end page 164 precedes start page 169; page range to be checked},
  opturl = {http://link.springer.com/chapter/10.1007%2F978-3-319-46982-9_11},
  optpdf = {http://link.springer.com/chapter/10.1007%2F978-3-319-46982-9_11},
  doi = {10.1007/978-3-319-46982-9_11},
  abstract = {Modern monitoring tools such as our intrusion detection tool Orchids work by firing new monitor instances dynamically. Given an Orchids signature (a.k.a. a rule, a specification), what is the complexity of checking that specification, that signature? In other words, let \(f(n)\) be the maximum number of monitor instances that can be fired on a sequence of \(n\) events: we design an algorithm that decides whether \(f(n)\) is asymptotically exponential or polynomial, and in the latter case returns an exponent \(d\) such that \(f(n)=\Theta(n^d)\). Ultimately, the problem reduces to the following mathematical question, which may have other uses in other domains: given a system of recurrence equations described using the operators \(+\) and \(\max\), and defining integer sequences \(u_n\), what is the asymptotic behavior of \(u_n\) as \(n\) tends to infinity? We show that, under simple assumptions, \(u_n\) is either exponential or polynomial, and that this can be decided, and the exponent computed, using a simple modification of Tarjan's strongly connected components algorithm, in linear time.}
}
@misc{vip-D42,
  author = {Delaune, St{\'e}phanie and Gazeau, Ivan},
  howpublished = {Deliverable VIP~4.2 (ANR-11-JS02-0006)},
  month = jun,
  note = {5~pages},
  type = {Contract Report},
  title = {Combination issues},
  year = {2016},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d42.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d42.pdf}
}
@misc{vip-D22,
  author = {Delaune, St{\'e}phanie and Gazeau, Ivan},
  howpublished = {Deliverable VIP~2.2 (ANR-11-JS02-0006)},
  month = jun,
  note = {8~pages},
  type = {Contract Report},
  title = {Results on the case studies},
  year = {2016},
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d22.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/vip-d22.pdf}
}
@inproceedings{DGGL-csl16,
  address = {Marseille, France},
  month = sep,
  year = 2016,
  volume = {62},
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Regnier, Laurent and Talbot, Jean-Marc},
  acronym = {{CSL}'16},
  booktitle = {{P}roceedings of the 25th {A}nnual {EACSL} {C}onference on
                  {C}omputer {S}cience {L}ogic ({CSL}'16)},
  author = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and
                  Goubault{-}Larrecq, Jean},
  title = {The Directed Homotopy Hypothesis},
  pages = {9:1--9:16},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DBS-csl16.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DBS-csl16.pdf},
  internal-note = {url and pdf name DBS-csl16.pdf, which does not match this entry's key DGGL-csl16; link to be checked},
  doi = {10.4230/LIPIcs.CSL.2016.9},
  abstract = {The homotopy hypothesis was originally stated by Grothendieck: topological spaces should be {"}equivalent{"} to (weak) infinite-groupoids, which give algebraic representatives of homotopy types. Much later, several authors developed geometrizations of computational models, e.g., for rewriting, distributed systems, (homotopy) type theory etc. But an essential feature in the work set up in concurrency theory, is that time should be considered irreversible, giving rise to the field of directed algebraic topology. Following the path proposed by Porter, we state here a directed homotopy hypothesis: Grandis' directed topological spaces should be {"}equivalent{"} to a weak form of topologically enriched categories, still very close to (infinite,1)-categories. We develop, as in ordinary algebraic topology, a directed homotopy equivalence and a weak equivalence, and show invariance of a form of directed homology.}
}
@inproceedings{DBS-csl16,
  address = {Marseille, France},
  month = sep,
  year = 2016,
  volume = {62},
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Regnier, Laurent and Talbot, Jean-Marc},
  acronym = {{CSL}'16},
  booktitle = {{P}roceedings of the 25th {A}nnual {EACSL} {C}onference on
                  {C}omputer {S}cience {L}ogic ({CSL}'16)},
  author = {Doumane, Amina and Baelde, David and Saurin, Alexis},
  title = {Infinitary proof theory: the multiplicative additive case},
  pages = {42:1--42:17},
  doi = {10.4230/LIPIcs.CSL.2016.42},
  abstract = {Infinitary and regular proofs are commonly used in fixed point logics. Being natural intermediate devices between semantics and traditional finitary proof systems, they are commonly found in completeness arguments, automated deduction, verification, etc. However, their proof theory is surprisingly underdeveloped. In particular, very little is known about the computational behavior of such proofs through cut elimination. Taking such aspects into account has unlocked rich developments at the intersection of proof theory and programming language theory. One would hope that extending this to infinitary calculi would lead, e.g., to a better understanding of recursion and corecursion in programming languages. Structural proof theory is notably based on two fundamental properties of a proof system: cut elimination and focalization. The first one is only known to hold for restricted (purely additive) infinitary calculi, thanks to the work of Santocanale and Fortier; the second one has never been studied in infinitary systems. In this paper, we consider the infinitary proof system muMALLi for multiplicative and additive linear logic extended with least and greatest fixed points, and prove these two key results. We thus establish muMALLi as a satisfying computational proof system in itself, rather than just an intermediate device in the study of finitary proof systems.}
}
@inproceedings{BLS-hal15,
  address = {Marseille, France},
  month = sep,
  year = 2016,
  volume = {62},
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Regnier, Laurent and Talbot, Jean-Marc},
  acronym = {{CSL}'16},
  booktitle = {{P}roceedings of the 25th {A}nnual {EACSL} {C}onference on
                  {C}omputer {S}cience {L}ogic ({CSL}'16)},
  author = {Baelde, David and Lunel, Simon and Schmitz, Sylvain},
  title = {A~Sequent Calculus for a Modal Logic on Finite Data
                  Trees},
  pages = {32:1--32:16},
  url = {https://hal.inria.fr/hal-01191172},
  doi = {10.4230/LIPIcs.CSL.2016.32},
  abstract = {We investigate the proof theory of a modal fragment of XPath
                  equipped with data (in)equality tests over finite data
                  trees, i.e. over finite unranked trees where nodes are
                  labelled with both a symbol from a finite alphabet and a
                  single data value from an infinite domain.  We present a
                  sound and complete sequent calculus for this logic, which
                  yields the optimal PSPACE complexity bound for its validity
                  problem.}
}
@inproceedings{DGGL-concur16,
  address = {Qu{\'e}bec City, Canada},
  month = aug,
  year = 2016,
  volume = {59},
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Desharnais, Jos{\'e}e and Jagadeesan, Radha},
  acronym = {{CONCUR}'16},
  booktitle = {{P}roceedings of the 27th
               {I}nternational {C}onference on
               {C}oncurrency {T}heory
               ({CONCUR}'16)},
  author = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and Goubault{-}Larrecq, Jean},
  title = {Bisimulations and unfolding in {{\(\mathcal{P}\)}}-accessible categorical models},
  pages = {25:1--25:14},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-concur16.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DGGL-concur16.pdf},
  doi = {10.4230/LIPIcs.CONCUR.2016.25},
  abstract = {We propose a categorical framework for bisimulations and
    unfoldings that unifies the classical approach from Joyal
    \emph{et~al.} via open maps and unfoldings. This is based on a
    notion of categories accessible with respect to a subcategory of
    path shapes, i.e., for which one can define a nice notion of trees
    as glueings of paths. We show that transition systems and presheaf
    models are instances of our framework. We also prove that in our
    framework, several notions of bisimulation coincide, in particular
    an {"}operational~one{"} akin to the standard definition in
    transition systems. Also, our notion of accessibility is preserved
    by coreflections. This also leads us to a notion of unfolding that
    behaves well in the accessible case: it~is a right adjoint and is a
    universal covering, i.e., it is initial among the morphisms that
    have the unique lifting property with respect to path shapes. As an
    application, we prove that the universal covering of a groupoid, a
    standard construction in algebraic topology, is an unfolding, when
    the category of path shapes is well chosen.}
}
@article{DGG-acs16,
  publisher = {Springer},
  journal = {Applied Categorical Structures},
  author = {Dubut, J{\'e}r{\'e}my and Goubault, {\'E}ric and
                  Goubault{-}Larrecq, Jean},
  title = {Directed homology theories and {E}ilenberg-{S}teenrod
                  axioms},
  year = 2017,
  month = oct,
  volume = {25},
  number = {5},
  pages = {775--807},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/DGG-acs16.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DGG-acs16.pdf},
  doi = {10.1007/s10485-016-9438-y},
  abstract = {In this paper, we define and study a homology theory, that
    we call {"}natural homology{"}, which associates a natural system of
    abelian groups to every space in a large class of directed spaces
    and precubical sets. We show that this homology theory enjoys many
    important properties, as an invariant for directed homotopy. Among
    its properties, we show that subdivided precubical sets have the
    same homology type as the original ones ; similarly, the natural
    homology of a precubical set is of the same type as the natural
    homology of its geometric realization. By same type we mean
    equivalent up to some form of bisimulation, that we define using the
    notion of open map. Last but not least, natural homology, for the
    class of spaces we consider, exhibits very important properties such
    as Hurewicz theorems, and most of Eilenberg-Steenrod axioms, in
    particular the dimension, homotopy, additivity and exactness axioms.
    This last axiom is studied in a general framework of (generalized)
    exact sequences.}
}
@inproceedings{GLS-icalp16,
  address = {Rome, Italy},
  month = jul,
  year = 2016,
  volume = {55},
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Chatzigiannakis, Ioannis and Mitzenmacher,
                  Michael and Rabani, Yuval and Sangiorgi, Davide},
  acronym = {{ICALP}'16},
  booktitle = {{P}roceedings of the 43rd {I}nternational 
               {C}olloquium on {A}utomata, {L}anguages and 
               {P}rogramming ({ICALP}'16)},
  author = {Goubault{-}Larrecq, Jean and Schmitz, Sylvain},
  title = {Deciding Piecewise Testable Separability for Regular
                  Tree Languages},
  pages = {97:1--97:15},
  url = {https://hal.inria.fr/hal-01276119/},
  optpdf = {http://www.lsv.fr/Publis/PAPERS/PDF/GLS-icalp16.pdf},
  doi = {10.4230/LIPIcs.ICALP.2016.97},
  abstract = {The piecewise testable separability problem asks, given
    two input languages, whether there exists a piecewise testable
    language that contains the first input language and is disjoint from
    the second. We prove a general characterisation of piecewise
    testable separability on languages in a well-quasi-order, in terms
    of ideals of the ordering. This subsumes the known characterisations
    in the case of finite words. In the case of finite ranked trees
    ordered by homeomorphic embedding, we show using effective
    representations for tree ideals that it entails the decidability of
    piecewise testable separability when the input languages are
    regular. A~final byproduct is a new proof of the decidability of
    whether an input regular language of ranked trees is piecewise
    testable, which was first shown in the unranked case by Boja{\'n}czyk,
    Segoufin, and Straubing (Log.~Meth. in Comput.~Sci.,~8(3:26),
    2012).}
}
@inproceedings{DBHS-lics16,
  address = {New York City, USA},
  month = jul,
  year = 2016,
  publisher = {ACM Press},
  editor = {Grohe, Martin and Koskinen, Eric and Shankar, Natarajan},
  acronym = {{LICS}'16},
  booktitle = {{P}roceedings of the 31st {A}nnual {ACM\slash
            IEEE} {S}ymposium on {L}ogic {I}n {C}omputer {S}cience ({LICS}'16)},
  author = {Doumane, Amina and Baelde, David and Hirschi, Lucca and
                  Saurin, Alexis},
  title = {Towards Completeness via Proof Search in the Linear
                  Time {{\(\mu\)}}-calculus},
  pages = {377--386},
  url = {https://hal.archives-ouvertes.fr/hal-01275289/},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/DBHS-lics16.pdf},
  doi = {10.1145/2933575.2933598},
  abstract = {Modal \(\mu\)-calculus is one of the central
                  languages of logic and verification, whose study
                  involves notoriously complex objects: automata over
                  infinite structures on the model-theoretical side;
                  infinite proofs and proofs by (co)induction on the
                  proof-theoretical side.  Nevertheless,
                  axiomatizations have been given for both linear and
                  branching time \(\mu\)-calculi, with quite involved
                  completeness arguments.  We come back to this
                  central problem, considering it from a proof search
                  viewpoint, and provide some new completeness
                  arguments in the linear time \(\mu\)-calculus.  Our
                  results only deal with restricted classes of
                  formulas that closely correspond to
                  (non-alternating) \(\omega\)-automata but, compared
                  to earlier proofs, our completeness arguments are
                  direct and constructive.  We first consider a
                  natural circular proof system based on sequent
                  calculus, and show that it is complete for
                  inclusions of parity automata directly expressed as
                  formulas, making use of Safra's construction
                  directly in proof search.  We then consider the
                  corresponding finitary proof system, featuring
                  (co)induction rules, and provide a partial
                  translation result from circular to finitary
                  proofs. This yields completeness of the finitary
                  proof system for inclusions of sufficiently
                  deterministic parity automata, and finally for
                  arbitrary B{\"u}chi automata.}
}
@inproceedings{HBD-sp16,
  address = {San Jose, California, USA},
  month = may,
  year = 2016,
  publisher = {IEEECSP},
  editor = {Locasto, Michael and Shmatikov, Vitaly and Erlingsson, {\'U}lfar},
  acronym = {{S\&P}'16},
  booktitle = {{P}roceedings of the 37th {IEEE} {S}ymposium
           on {S}ecurity and {P}rivacy ({S\&P}'16)},
  author = {Hirschi, Lucca and Baelde, David and Delaune, St{\'e}phanie},
  title = {A~method for verifying privacy-type properties:
                  the~unbounded case},
  pages = {564-581},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/HBD-sp16.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/HBD-sp16.pdf},
  doi = {10.1109/SP.2016.40},
  abstract = {In~this paper, we~consider the problem of verifying
    anonymity and unlinkability in the symbolic model, where protocols
    are represented as processes in a variant of the applied pi calculus
    notably used in the Proverif tool. Existing tools and techniques do
    not allow one to directly verify these properties, expressed as
    behavioral equivalences. We propose a different approach: we design
    two conditions on protocols which are sufficient to ensure anonymity
    and unlinkability, and which can then be effectively checked
    automatically using Proverif. Our two conditions correspond to two
    broad classes of attacks on unlinkability, corresponding to data and
    control-flow leaks.\par
    This theoretical result is general enough to apply to a wide class
    of protocols. In particular, we apply our techniques to provide the
    first formal security proof of the BAC protocol (e-passport). Our
    work has also led to the discovery of new attacks, including one on
    the LAK protocol (RFID authentication) which was previously claimed
    to be unlinkable (in~a weak sense) and one on the PACE protocol
    (e-passport).}
}
@comment{{B-arxiv16,
  author =		Bollig, Benedikt, 
  affiliation = 	aff-LSVmexico,
  title =    		One-Counter Automata with Counter Visibility, 
  institution = 	Computing Research Repository, 
  number =    		1602.05940, 
  month = 		feb, 
  nmonth =     		2,
  year = 		2016, 
  type = 		RR, 
  axeLSV = 		mexico,
  NOcontrat = 		"",
  
  url =			http://arxiv.org/abs/1602.05940, 
  PDF =			"http://www.lsv.fr/Publis/PAPERS/PDF/B-arxiv16.pdf",
  lsvdate-new =  	20160222,
  lsvdate-upd =  	20160222,
  lsvdate-pub =  	20160222,
  lsv-category = 	"rapl",
  wwwpublic =    	"public and ccsb",
  note = 		18~pages, 

  abstract = "In a one-counter automaton (OCA), one can read a letter
    from some finite alphabet, increment and decrement the counter by
    one, or test it for zero. It is well-known that universality and
    language inclusion for OCAs are undecidable. We consider here OCAs
    with counter visibility: Whenever the automaton produces a letter,
    it outputs the current counter value along with~it. Hence, its
    language is now a set of words over an infinite alphabet. We show
    that universality and inclusion for that model are in PSPACE, thus
    no harder than the corresponding problems for finite automata, which
    can actually be considered as a special case. In fact, we show that
    OCAs with counter visibility are effectively determinizable and
    closed under all boolean operations. As~a~strict generalization, we
    subsequently extend our model by registers. The general nonemptiness
    problem being undecidable, we impose a bound on the number of
    register comparisons and show that the corresponding nonemptiness
    problem is NP-complete.",
}}
@misc{vip-D32,
  author = {Baelde, David and Delaune, St{\'e}phanie and Kremer, Steve},
  title = {Decision procedures for equivalence based properties (part~{II})},
  howpublished = {Deliverable VIP~3.2 (ANR-11-JS02-0006)},
  month = sep,
  year = {2015},
  note = {9~pages},
  type = {Contract Report},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d32.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d32.pdf}
}
@misc{vip-D41,
  author = {Delaune, St{\'e}phanie and Kremer, Steve},
  title = {Composition results for equivalence-based security properties},
  howpublished = {Deliverable VIP~3.1 (ANR-11-JS02-0006)},
  month = sep,
  year = {2015},
  note = {6~pages},
  type = {Contract Report},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d41.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/vip-d41.pdf}
}
@phdthesis{rc-phd2016,
  author = {Chr{\'e}tien, R{\'e}my},
  title = {Analyse automatique de propri{\'e}t{\'e}s d'{\'e}quivalence pour
                  les protocoles cryptographiques},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2016,
  month = jan,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/rc-phd16.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/rc-phd16.pdf}
}
@inproceedings{CDD-post16,
  address = {Eindhoven, The~Netherlands},
  month = apr,
  year = 2016,
  volume = { 9635},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Piessens, Frank and Vigan{\'o}, Luca},
  acronym = {{POST}'16},
  booktitle = {{P}roceedings of the 5th {I}nternational {C}onference on
  	   {P}rinciples of {S}ecurity and {T}rust 
           ({POST}'16)},
  author = {Cortier, V{\'e}ronique and Dallon, Antoine and
                   Delaune, St{\'e}phanie},
  title = {Bounding the number of agents, for equivalence~too},
  pages = {211-232},
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post16.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-post16.pdf},
  doi = {10.1007/978-3-662-49635-0_11},
  abstract = {Bounding the number of agents is a common practice when
    modeling a protocol. In~2003, it was shown that one honest agent and
    one dishonest agent are indeed sufficient to find all possible attacks,
    for secrecy properties. This is no longer the case for equivalence
    properties, crucial to express many properties such as vote privacy or
    untraceability.\par
    In this paper, we show that it is sufficient to consider two honest agents
    and two dishonest agents for equivalence properties, for deterministic
    processes with standard primitives and without else branches. More
    generally, we show how to bound the number of agents for arbitrary
    constructor theories and for protocols with simple else branches. We show
    that our hypotheses are tight, providing counter-examples for
    non-action-deterministic processes, non-constructor theories, or protocols with
    complex else branches.}
}
@article{JGL-mscs16,
  publisher = {Cambridge University Press},
  journal = {Mathematical Structures in Computer Science},
  author = {Goubault{-}Larrecq, Jean},
  title = {Isomorphism theorems between models of mixed choice},
  volume = {27},
  number = {6},
  pages = {1032-1067},
  month = sep,
  year = 2017,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mscs16.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/JGL-mscs16.pdf},
  doi = {10.1017/S0960129515000547},
  abstract = {We relate the so-called powercone models of mixed
    non-deterministic and probabilistic choice proposed by Tix, Keimel,
    Plotkin, Mislove, Ouaknine, Worrell, Morgan, and McIver, to our own models
    of previsions. Under suitable topological assumptions, we show that they
    are isomorphic. We rely on Keimel's cone-theoretic variants of the
    classical Hahn-Banach separation theorems, using functional analytic
    methods, and on the Schr{\"o}der-Simpson Theorem.}
}
@inproceedings{D-lics17,
  address = {Reykjavik, Iceland},
  month = jun,
  publisher = {{IEEE} Press},
  editor = {Ouaknine, Jo{\"e}l},
  acronym = {{LICS}'17},
  booktitle = {{P}roceedings of the 32nd {A}nnual {ACM\slash
            IEEE} {S}ymposium on {L}ogic {I}n {C}omputer {S}cience ({LICS}'17)},
  author = {Doumane, Amina},
  title = {Constructive completeness for the linear-time {\(\mu\)}-calculus},
  pages = {1-12},
  year = {2017},
  doi = {10.1109/LICS.2017.8005075},
  abstract = {Modal \(\mu\)-calculus is one of the central logics for verification. In his seminal paper, Kozen proposed an axiomatization for this logic, which was proved to be complete, 13 years later, by Kaivola for the linear-time case and by Walukiewicz for the branching-time one. These proofs are based on complex, non-constructive arguments, yielding no reasonable algorithm to construct proofs for valid formulas. The question of constructiveness becomes central when we consider proofs as certificates, supporting the answers of verification tools. In our paper, we provide a new completeness argument for the linear-time \(\mu\)-calculus which is constructive, i.e. it builds a proof for every valid formula. To achieve this, we decompose this difficult problem into several easier ones, taking advantage of the correspondence between the \(\mu\)-calculus and automata theory. More precisely, we lift the well-known automata transformations (non-determinization for instance) to the logical level. To solve each of these smaller problems, we perform first a proof-search in a circular proof system, then we transform the obtained circular proofs into proofs of Kozen's axiomatization.}
}
@article{JGL-minimax17,
  publisher = {Heldermann Verlag},
  journal = {Minimax Theory and its Applications},
  author = {Goubault{-}Larrecq, Jean},
  title = {A Non-{H}ausdorff Minimax Theorem},
  volume = {3},
  number = {1},
  year = {2017},
  pages = {73-80}
}
@techreport{CDD-hal17,
  author = {Cortier, V{\'e}ronique and Dallon, Antoine and Delaune, St{\'e}phanie},
  institution = {HAL},
  month = oct,
  number = {hal-01615265},
  type = {Research Report},
  title = {A typing result for trace inclusion (for pair and symmetric encryption only)},
  year = {2017},
  url = {https://hal.archives-ouvertes.fr/hal-01615265},
  pdf = {https://hal.archives-ouvertes.fr/hal-01615265/document},
  abstract = {Privacy-type properties such as vote secrecy, anonymity, or untraceability are typically expressed using the notion of trace equivalence in a process algebra that models security protocols. In this paper, we propose some results to reduce the search space when we are looking for an attack regarding trace equivalence. Our work is strongly inspired by [10], which establishes that, if there is a witness of non trace equivalence, then there is one that is well-typed.\par
Our main contribution is to establish a similar result for trace inclusion. Our motivation is twofold: first, this small attack property is needed for proving soundness of the tool SatEquiv [13]. Second, we revisit the proof in order to simplify it. Specifically, we show two results. First, if there is a witness of non-inclusion then there is one that is well-typed. We establish this result by providing a decision procedure for trace inclusion similar to the one proposed in [10] for trace equivalence. We also show that we can reduce the search space when considering the notion of static inclusion. Actually, if there is a witness of static non-inclusion there is one of a specific shape.\par
Even if our setting slightly differs from the one considered in [10], our proofs essentially follow the same ideas as the existing proof for trace equivalence. Nevertheless, we hope that this proof will be easier to extend to other primitives such as asymmetric encryption or signatures.}
}
@article{GLL-fmsd17,
  publisher = {Springer},
  journal = {Formal Methods in System Design},
  author = {Goubault{-}Larrecq, Jean and Lachance, Jean-Philippe},
  title = {On the Complexity of Monitoring {O}rchids Signatures, and Recurrence Equations},
  volume = {53},
  number = {1},
  year = {2018},
  month = aug,
  pages = {6-32},
  doi = {10.1007/s10703-017-0303-x},
  url = {https://doi.org/10.1007/s10703-017-0303-x},
  abstract = {Modern monitoring tools such as our intrusion detection tool Orchids work by firing new monitor instances dynamically. Given an Orchids signature (a.k.a. a rule, a specification), what is the complexity of checking that specification, that signature? In other words, let \(f(n)\) be the maximum number of monitor instances that can be fired on a sequence of \(n\) events: we design an algorithm that decides whether \(f(n)\) is asymptotically exponential or polynomial, and in the latter case returns an exponent \(d\) such that \(f(n)=\Theta(n^d)\). Ultimately, the problem reduces to the following mathematical question, which may have other uses in other domains: given a system of recurrence equations described using the operators \(+\) and \(\max\), and defining integer sequences \(u_n\), what is the asymptotic behavior of \(u_n\) as \(n\) tends to infinity? We show that, under simple assumptions, \(u_n\) is either exponential or polynomial, and that this can be decided, and the exponent computed, using a simple modification of Tarjan's strongly connected components algorithm, in linear time.},
  note = {Special issue of RV'16}
}
@article{GLN-lmcs17,
  journal = {Logical Methods in Computer Science},
  author = {Goubault{-}Larrecq, Jean and Ng, Kok Min},
  title = {A Few Notes on Formal Balls},
  volume = {13},
  number = {4},
  year = {2017},
  month = nov,
  pages = {1-34},
  doi = {10.23638/LMCS-13(4:18)2017},
  url = {https://lmcs.episciences.org/4100},
  pdf = {https://lmcs.episciences.org/4100/pdf},
  note = {Special Issue of the Domains XII Workshop}
}
@article{BCMW-fi17,
  publisher = {{IOS} Press},
  journal = {Fundamenta Informaticae},
  author = {David Baelde and Arnaud Carayol and Ralph Matthes and Igor Walukiewicz},
  title = {Preface: Special Issue of {Fixed Points in Computer Science} ({FICS}'13)},
  volume = {150},
  number = {3-4},
  pages = {i-ii},
  year = {2017},
  url = {https://doi.org/10.3233/FI-2017-1468},
  doi = {10.3233/FI-2017-1468}
}
@inproceedings{BDGK-csf17,
  address = {Santa Barbara, California, USA},
  month = aug,
  publisher = {{IEEE} Computer Society Press},
  editor = {K{\"o}pf, Boris and Chong, Steve},
  acronym = {{CSF}'17},
  booktitle = {{P}roceedings of the 
               30th {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'17)},
  author = {Baelde, David and Delaune, St{\'e}phanie and Gazeau, Ivan and Kremer, Steve},
  title = {Symbolic Verification of Privacy-Type Properties for Security Protocols with {XOR}},
  pages = {234-248},
  year = {2017},
  doi = {10.1109/CSF.2017.22},
  pdf = {https://hal.inria.fr/hal-01533694/document},
  url = {https://hal.inria.fr/hal-01533694},
  abstract = {In symbolic verification of security protocols, process equivalences have recently been used extensively to model strong secrecy, anonymity and unlinkability properties. However, tool support for automated analysis of equivalence properties is limited compared to trace properties, e.g., modeling authentication and weak notions of secrecy. In this paper, we present a novel procedure for verifying equivalences on finite processes, i.e., without replication, for protocols that rely on various cryptographic primitives including exclusive or (xor). We have implemented our procedure in the tool AKISS, and successfully used it on several case studies that are outside the scope of existing tools, e.g., unlinkability on various RFID protocols, and resistance against guessing attacks on protocols that use xor.}
}
@inproceedings{CDD-csf17,
  address = {Santa Barbara, California, USA},
  month = aug,
  publisher = {{IEEE} Computer Society Press},
  editor = {K{\"o}pf, Boris and Chong, Steve},
  acronym = {{CSF}'17},
  booktitle = {{P}roceedings of the 
               30th {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'17)},
  author = {Cortier, V{\'e}ronique and Dallon, Antoine and Delaune, St{\'e}phanie},
  title = {{SAT-Equiv}: An Efficient Tool for Equivalence Properties},
  pages = {481-494},
  year = {2017},
  doi = {10.1109/CSF.2017.15},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-csf17.pdf},
  url = {http://ieeexplore.ieee.org/document/8049740/},
  abstract = {Automatic tools based on symbolic models have been successful in analyzing security protocols. Such tools are well suited to trace properties (e.g. secrecy or authentication), while they often fail to analyse equivalence properties. Equivalence properties can express a variety of security properties, including in particular privacy properties (vote privacy, anonymity, untraceability). Several decision procedures have already been proposed but the resulting tools are rather inefficient. In this paper, we propose a novel algorithm, based on graph planning and SAT-solving, which significantly improves the efficiency of the analysis of equivalence properties. The resulting implementation, SAT-Equiv, can analyze several sessions where most tools have to stop after one or two sessions.}
}
@mastersthesis{m2-hirschi,
  author = {Hirschi, Lucca},
  title = {Reduction of interleavings for trace equivalence checking of security protocols},
  school = {{M}aster {P}arisien de {R}echerche en 
	{I}nformatique, Paris, France},
  type = {Rapport de {M}aster},
  year = {2013},
  month = aug
}
@phdthesis{doumane-phd2017,
  author = {Doumane, Amina},
  title = {On the infinitary proof theory of logics with fixed points},
  school = {Universit{\'e} Paris-Diderot, Paris, France},
  type = {Th{\`e}se de doctorat},
  year = 2017,
  month = jun,
  url = {https://www.irif.fr/~doumane/these.pdf},
  pdf = {https://www.irif.fr/~doumane/these.pdf}
}
@inproceedings{BFG-fsttcs17,
  address = {Kanpur, India},
  month = dec,
  year = 2017,
  volume = {93},
  series = {Leibniz International Proceedings in Informatics},
  publisher = {Leibniz-Zentrum f{\"u}r Informatik},
  editor = {Satya Lokam and R. Ramanujam},
  acronym = {{FSTTCS}'17},
  booktitle = {{P}roceedings of the 37th {C}onference on
               {F}oundations of {S}oftware {T}echnology and
               {T}heoretical {C}omputer {S}cience
               ({FSTTCS}'17)},
  author = {Michael Blondin and Alain Finkel and Jean Goubault{-}Larrecq},
  title = {Forward Analysis for {WSTS}, {Part III}: {Karp-Miller} Trees},
  pages = {16:1-16:15},
  url = {https://hal.archives-ouvertes.fr/hal-01736704/},
  pdf = {http://drops.dagstuhl.de/opus/volltexte/2018/8403/pdf/LIPIcs-FSTTCS-2017-16.pdf},
  doi = {10.4230/LIPIcs.FSTTCS.2017.16},
  abstract = {This paper is a sequel of ``Forward Analysis for WSTS, Part I: Completions'' [STACS 2009, LZI Intl. Proc. in Informatics 3, 433-444] and ``Forward Analysis for WSTS, Part II: Complete WSTS'' [Logical Methods in Computer Science 8(3), 2012]. In these two papers, we provided a framework to conduct forward reachability analyses of WSTS, using finite representations of downwards-closed sets. We further develop this framework to obtain a generic Karp-Miller algorithm for the new class of very-WSTS. This allows us to show that coverability sets of very-WSTS can be computed as their finite ideal decompositions. Under natural assumptions on positive sequences, we also show that LTL model checking for very-WSTS is decidable. The termination of our procedure rests on a new notion of acceleration levels, which we study. We characterize those domains that allow for only finitely many accelerations, based on ordinal ranks.}
}
@phdthesis{dubut-phd2017,
  author = {Dubut, J{\'e}r{\'e}my},
  title = {Directed homotopic and homologic theories for geometric models of true concurrency},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2017,
  month = sep,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/dubut-phd17.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/dubut-phd17.pdf}
}
@article{BDH-lmcs17,
  journal = {Logical Methods in Computer Science},
  author = {Baelde, David and Delaune, St{\'e}phanie and Hirschi, Lucca},
  title = {{A Reduced Semantics for Deciding Trace Equivalence}},
  volume = {13},
  number = {2:8},
  year = {2017},
  pages = {1-48},
  doi = {10.23638/LMCS-13(2:8)2017},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/BDH-lmcs17.pdf},
  url = {https://lmcs.episciences.org/3703},
  abstract = {Many privacy-type properties of security protocols can be modelled using trace equivalence properties in suitable process algebras. It has been shown that such properties can be decided for interesting classes of finite processes (i.e. without replication) by means of symbolic execution and constraint solving. However, this does not suffice to obtain practical tools. Current prototypes suffer from a classical combinatorial explosion problem caused by the exploration of many interleavings in the behaviour of processes. M{\"o}dersheim et al. [40] have tackled this problem for reachability properties using partial order reduction techniques. We revisit their work, generalize it and adapt it for equivalence checking. We obtain an optimisation in the form of a reduced symbolic semantics that eliminates redundant interleavings on the fly. The obtained partial order reduction technique has been integrated in a tool called Apte. We conducted complete benchmarks showing dramatic improvements.}
}
@phdthesis{hirschi-phd2017,
  author = {Hirschi, Lucca},
  title = {{Automated Verification of Privacy in Security Protocols: Back and Forth Between Theory \& Practice}},
  school = {Laboratoire Sp{\'e}cification et V{\'e}rification,
               ENS Cachan, France},
  type = {Th{\`e}se de doctorat},
  year = 2017,
  month = apr,
  url = {http://www.lsv.fr/Publis/PAPERS/PDF/hirschi-phd17.pdf},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/hirschi-phd17.pdf}
}
@inproceedings{CK-csf17,
  address = {Santa Barbara, California, USA},
  month = aug,
  publisher = {{IEEE} Computer Society Press},
  editor = {K{\"o}pf, Boris and Chong, Steve},
  acronym = {{CSF}'17},
  booktitle = {{P}roceedings of the 
               30th {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'17)},
  author = {Comon, Hubert and Koutsos, Adrien},
  title = {Formal Computational Unlinkability Proofs of RFID Protocols},
  pages = {100-114},
  year = {2017},
  doi = {10.1109/CSF.2017.9},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CK-csf17.pdf},
  url = {http://ieeexplore.ieee.org/document/8049714/},
  abstract = {We set up a framework for the formal proofs of
RFID protocols in the computational model. We rely on the
so-called computationally complete symbolic attacker model. Our
contributions are:
1) To design (and prove sound) axioms reflecting the properties
of hash functions (Collision-Resistance, PRF).
2) To formalize computational unlinkability in the model.
3) To illustrate the method, providing the first formal proofs
of unlinkability of RFID protocols, in the computational
model.}
}
@inproceedings{CGKM-csf17,
  address = {Santa Barbara, California, USA},
  month = aug,
  publisher = {{IEEE} Computer Society Press},
  editor = {K{\"o}pf, Boris and Chong, Steve},
  acronym = {{CSF}'17},
  booktitle = {{P}roceedings of the 
               30th {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'17)},
  author = {Calzavara, Stefano and Grishchenko, Ilya and Koutsos, Adrien and Maffei, Matteo},
  title = {A Sound Flow-Sensitive Heap Abstraction for the Static Analysis of Android Applications},
  pages = {22-36},
  year = {2017},
  doi = {10.1109/CSF.2017.19},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CGKM-csf17.pdf},
  url = {http://ieeexplore.ieee.org/document/8049649/},
  abstract = {The present paper proposes the first static analysis
for Android applications which is both flow-sensitive on the heap
abstraction and provably sound with respect to a rich formal
model of the Android platform. We formulate the analysis as a
set of Horn clauses defining a sound over-approximation of the
semantics of the Android application to analyse, borrowing ideas
from recency abstraction and extending them to our concurrent
setting. Moreover, we implement the analysis in HornDroid, a
state-of-the-art information flow analyser for Android applications.
Our extension allows HornDroid to perform strong updates
on heap-allocated data structures, thus significantly increasing its
precision, without sacrificing its soundness guarantees. We test
our implementation on DroidBench, a popular benchmark of
Android applications developed by the research community, and
we show that our changes to HornDroid lead to an improvement
in the precision of the tool, while having only a moderate cost in
terms of efficiency. Finally, we assess the scalability of our tool
to the analysis of real applications.}
}
@article{KV-jcss17,
  publisher = {Elsevier Science Publishers},
  journal = {Journal of Computer and System Sciences},
  author = {Koutsos, Adrien and Vianu, Victor},
  title = {{Process-centric views of data-driven business artifacts}},
  volume = {86},
  number = {1},
  year = {2017},
  pages = {82-107},
  doi = {10.1016/j.jcss.2016.11.012},
  month = jun,
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/KV-jcss17.pdf},
  url = {http://dx.doi.org/10.1016/j.jcss.2016.11.012},
  abstract = {Declarative, data-aware workflow models are becoming increasingly pervasive. While these have numerous benefits, classical process-centric specifications retain certain advantages. Workflow designers are used to development tools such as BPMN or UML diagrams, that focus on control flow. Views describing valid sequences of tasks are also useful to provide stakeholders with high-level descriptions of the workflow, stripped of the accompanying data. In this paper we study the problem of recovering process-centric views from declarative, data-aware workflow specifications in a variant of IBM's business artifact model. We focus on the simplest process-centric views, specified by finite-state transition systems, describing regular languages. The results characterize when process-centric views of artifact systems are regular, using both linear and branching-time semantics. We also study the impact of data dependencies on regularity of the views. As a side effect, we obtain several new results on verification of business artifacts, including a decidability result for branching-time properties.}
}
@inproceedings{OBH-most17,
  address = {San Jose, CA, USA},
  month = may,
  editor = {Chen, Hao and Koved, Larry},
  booktitle = {{P}roceedings of Mobile Security Technologies (MoST'17), held as part of the {IEEE} Computer Society Security and Privacy Workshops},
  author = {{O'Hanlon}, Piers and Borgaonkar, Ravishankar and Hirschi, Lucca},
  title = {Mobile subscriber WiFi privacy},
  todopages = {252-261},
  year = {2017},
  tododoi = {},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/OBH-most17.pdf},
  abstract = {This paper investigates and analyses the insufficient protections afforded to mobile identities when using today's operator backed WiFi services. Specifically we detail a range of attacks, on a set of widely deployed authentication protocols, that enable a malicious user to obtain and track a user's International Mobile Subscriber Identity (IMSI) over WiFi. These attacks are possible due to a lack of sufficient privacy protection measures, which are exacerbated by preconfigured device profiles. We provide a formal analysis of the protocols involved, examine their associated configuration profiles, and document our experiences with reporting the issues to the relevant stakeholders. We detail a range of potential countermeasures to tackle these issues to ensure that privacy is better protected in the future.}
}
@misc{JGL:pls16,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {Encart dans l'article ``S'adapter {\`a} la cyberguerre'', de Karen Elazari, Pour La Science 459},
  month = jan,
  title = {Les m{\'e}thodes formelles: l'autre arme de la cybers{\'e}curit{\'e}},
  year = {2016},
  pages = {50-55}
}
@misc{JGL:stc16,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {Invited talk (plenary speaker), Summer Topology Conference, Leicester, UK},
  month = aug,
  title = {A few things on Noetherian spaces},
  year = {2016}
}
@misc{JGL:gs16,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {Invited talk, Galway Symposium, Leicester, UK},
  month = aug,
  title = {An introduction to asymmetric topology and domain theory: why, what, and how},
  year = {2016}
}
@misc{JGL:dom15,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {Invited talk, Domains XII workshop, Cork, Ireland},
  month = aug,
  title = {Formal balls},
  year = {2015}
}
@misc{JGL:lls14,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {Matinale de l'innovation Logiciels Libres et S{\'e}curit{\'e}, Paris, France},
  month = dec,
  title = {D{\'e}tection d'intrusions avec {OrchIDS}},
  year = {2014}
}
@misc{JGL:ccc14,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {Invited talk, Continuity, Computability, Constructivity workshop (CCC), Ljubljana, Slovenia},
  month = sep,
  title = {Noetherian spaces},
  year = {2014}
}
@misc{JGL:cps14,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {CPS Summer School, Grenoble, France},
  month = jul,
  title = {{OrchIDS}: on the value of rigor in intrusion detection},
  year = {2014}
}
@misc{JGL:stc13,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {Invited talk (semi-plenary speaker), Summer Topology Conference, North Bay, Ontario, CA},
  month = jul,
  title = {A few pearls in the theory of quasi-metric spaces},
  year = {2013}
}
@misc{JGL:dga13,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {S{\'e}minaire DGA Innosciences. DGA, Bagneux},
  month = jun,
  title = {{OrchIDS}, ou : de l'importance de la s{\'e}mantique},
  year = {2013}
}
@misc{JGL:at13,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {Invited talk, Workshop on Asymmetric Topology, Summer Topology Conference, North Bay, Ontario, CA},
  month = jul,
  title = {A short proof of the {Schr{\"o}der-Simpson} theorem},
  year = {2013}
}
@misc{JGL:dm16,
  author = {Goubault{-}Larrecq, Jean},
  howpublished = {Invited talk, Dale Miller Festschrift, Paris Diderot University, Paris},
  month = dec,
  title = {A semantics for {{\(\nabla\)}}},
  year = {2016}
}
@misc{GSHM:dga-inria16,
  author = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Hulin-Hubard, Francis and Majorczyk, Fr{\'e}d{\'e}ric},
  howpublished = {Rapport final et fourniture 4 du contrat DGA-INRIA Orchids},
  month = may,
  title = {{\'E}tat final des travaux engag{\'e}s sur {Orchids}},
  year = {2016}
}
@misc{GM:dga-inria16,
  author = {Goubault-Larrecq, Jean and Majorczyk, Fr{\'e}d{\'e}ric},
  howpublished = {Fourniture 3 du contrat DGA-INRIA Orchids},
  month = may,
  title = {G{\'e}n{\'e}ration de signatures pour le suivi de flux d'informations},
  year = {2016}
}
@misc{GSM:dga-inria15,
  author = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Majorczyk, Fr{\'e}d{\'e}ric},
  howpublished = {Rapport interm{\'e}diaire du contrat DGA-INRIA Orchids},
  month = may,
  title = {{\'E}tat d'avancement interm{\'e}diaire des travaux engag{\'e}s sur {OrchIDS}},
  year = {2015}
}
@misc{GSM:dga-inria-2-14,
  author = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Majorczyk, Fr{\'e}d{\'e}ric},
  howpublished = {Fourniture 2 du contrat DGA-INRIA Orchids},
  month = may,
  title = {Techniques et m{\'e}thodes de g{\'e}n{\'e}ration de signatures pour la d{\'e}tection d'intrusions},
  year = {2014}
}
@misc{GSM:dga-inria-1-14,
  author = {Goubault-Larrecq, Jean and Sentucq, Pierre-Arnaud and Majorczyk, Fr{\'e}d{\'e}ric},
  howpublished = {Fourniture 1 du contrat DGA-INRIA Orchids},
  month = may,
  title = {Politiques de s{\'e}curit{\'e} syst{\`e}me},
  year = {2014}
}
@misc{AG:anr-cpp12,
  author = {Adj{\'e}, Assal{\'e} and Goubault-Larrecq, Jean},
  howpublished = {Fourniture du projet ANR CPP (Confidence, Proofs, and Probabilities), WP 2, version 1},
  month = oct,
  title = {Concrete semantics of programs with non-deterministic and random inputs},
  year = {2012},
  url = {http://arxiv.org/abs/1210.2605}
}
@misc{GL:ARC-ProNoBis-16,
  author = {Goubault-Larrecq, Jean},
  howpublished = {Rapport final ARC ProNoBis},
  month = oct,
  title = {{ProNoBis}: Probability and nondeterminism,
bisimulations and security},
  year = {2007}
}
@phdthesis{dallon-phd2018,
  author = {Dallon, Antoine},
  title = {Verification of indistinguishability properties in cryptographic protocols -- Small attacks and efficient decision with {SAT-Equiv}},
  school = {{\'E}cole Normale Sup{\'e}rieure Paris-Saclay, France},
  type = {Th{\`e}se de doctorat},
  year = 2018,
  month = nov,
  url = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/dallon-phd18.pdf},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/dallon-phd18.pdf}
}
@inproceedings{BDH-esorics18,
  address = {Barcelona, Spain},
  month = sep,
  year = 2018,
  volume = {11098},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Javier L{\'{o}}pez and
               Jianying Zhou and
               Miguel Soriano},
  acronym = {{ESORICS}'18},
  booktitle = {{P}roceedings of the 23rd {E}uropean {S}ymposium on
		 {R}esearch in {C}omputer {S}ecurity ({ESORICS}'18)},
  author = {David Baelde and St{\'e}phanie Delaune and Lucca Hirschi},
  title = {{POR} for Security Protocol Equivalences - Beyond Action-Determinism},
  pages = {385-405},
  url = {https://arxiv.org/abs/1804.03650},
  doi = {10.1007/978-3-319-99073-6\_19},
  abstract = {Formal methods have proved effective to automatically analyse protocols. Recently, much research has focused on verifying trace equivalence on protocols, which is notably used to model interesting privacy properties such as anonymity or unlinkability. Several tools for checking trace equivalence rely on a naive and expensive exploration of all interleavings of concurrent actions, which calls for partial-order reduction (POR) techniques. In this paper, we present the first POR technique for protocol equivalences that does not rely on an action-determinism assumption: we recast trace equivalence as a reachability problem, to which persistent and sleep set techniques can be applied, and we show how to effectively apply these results in the context of symbolic execution. We report on a prototype implementation, improving the tool DeepSec.}
}
@inproceedings{CDD-esorics18,
  address = {Barcelona, Spain},
  month = sep,
  year = 2018,
  volume = {11098},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {Javier L{\'{o}}pez and
               Jianying Zhou and
               Miguel Soriano},
  acronym = {{ESORICS}'18},
  booktitle = {{P}roceedings of the 23rd {E}uropean {S}ymposium on
		 {R}esearch in {C}omputer {S}ecurity ({ESORICS}'18)},
  author = {V{\'e}ronique Cortier and Antoine Dallon and St{\'e}phanie Delaune},
  title = {Efficiently Deciding Equivalence for Standard Primitives and Phases},
  pages = {491-511},
  url = {https://hal.archives-ouvertes.fr/hal-01819366},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/CDD-esorics18.pdf},
  doi = {10.1007/978-3-319-99073-6\_24},
  abstract = {Privacy properties like anonymity or untraceability are now
well identified, desirable goals of many security protocols. Such properties
are typically stated as equivalence properties. However, automatically
checking equivalence of protocols often yields efficiency issues.\par
We propose an efficient algorithm, based on graph planning and SAT solving.
It can decide equivalence for a bounded number of sessions, for
protocols with standard cryptographic primitives and phases (often necessary
to specify privacy properties), provided protocols are well-typed,
that is encrypted messages cannot be confused. The resulting implementation,
SAT-Equiv, demonstrates a significant speed-up w.r.t. other
existing tools that decide equivalence, covering typically more than 100
sessions. Combined with a previous result, SAT-Equiv can now be used to
prove security, for some protocols, for an unbounded number of sessions.}
}
@inproceedings{JK-ccs18,
  address = {Toronto, Canada},
  month = oct,
  publisher = {ACM Press},
  editor = {Backes, Michael and Wang, XiaoFeng},
  acronym = {{CCS}'18},
  booktitle = {{P}roceedings of the 25th {ACM} {C}onference
               on {C}omputer and {C}ommunications {S}ecurity
               ({CCS}'18)},
  author = {Barthe, Gilles and Fan, Xiong and Gancher, Joshua and Gr{\'e}goire, Benjamin and Jacomme, Charlie and Shi, Elaine},
  title = {Symbolic Proofs for Lattice-Based Cryptography},
  pages = {538-555},
  year = {2018},
  pdf = {https://eprint.iacr.org/2018/765.pdf},
  url = {https://dl.acm.org/citation.cfm?doid=3243734.3243825}
}
@inproceedings{BLS-pods19,
  address = {Amsterdam, Netherlands},
  month = jun # {-} # jul,
  publisher = {ACM Press},
  editor = {Christoph Koch},
  acronym = {{PODS}'19},
  booktitle = {{P}roceedings of the 38th {A}nnual 
	  {ACM} {SIGACT}-{SIGMOD}-{SIGART} {S}ymposium 
	  on {P}rinciples of {D}atabase {S}ystems
	  ({PODS}'19)},
  author = {Baelde, David and Lick, Anthony and Schmitz, Sylvain},
  title = {Decidable {XP}ath Fragments in the Real World},
  pages = {285-302},
  year = 2019,
  doi = {10.1145/3294052.3319685},
  url = {https://hal.inria.fr/hal-01852475},
  abstract = {XPath is arguably the most popular query language for selecting elements in XML documents.  Besides query evaluation, query satisfiability and containment are the main computational problems for XPath; they are useful, for instance, to detect dead code or validate query optimisations.  These problems are undecidable in general, but several fragments have been identified over time for which satisfiability (or query containment) is decidable: CoreXPath 1.0 and 2.0 without so-called data joins, fragments with data joins but limited navigation, etc.  However, these fragments are often given in a simplified syntax, and sometimes wrt. a simplified XPath semantics.  Moreover, they have been studied mostly with theoretical motivations, with little consideration for the practically relevant features of XPath.  To investigate the practical impact of these theoretical fragments, we design a benchmark compiling thousands of real-world XPath queries extracted from open-source projects.  These queries are then matched against syntactic fragments from the literature.  We investigate how to extend these fragments with seldom-considered features such as free variables, data tests, data joins, and the last() and id() functions, for which we provide both undecidability and decidability results.  We analyse the coverage of the original and extended fragments, and further provide a glimpse at which other practically-motivated features might be worth investigating in the future.}
}
@inproceedings{BLS-aiml18,
  address = {Bern, Switzerland},
  month = aug,
  year = 2018,
  publisher = {College Publications},
  editor = {Guram Bezhanishvili and Giovanna D'Agostino and
                  George Metcalfe and Thomas Studer},
  acronym = {{AiML}'18},
  booktitle = {{P}roceedings of the 10th
           {C}onference on {A}dvances in {M}odal {L}ogics
           ({AiML}'18)},
  author = {Baelde, David and Lick, Anthony and Schmitz, Sylvain},
  title = {A Hypersequent Calculus with Clusters for Linear Frames},
  pages = {36-55},
  url = {https://hal.inria.fr/hal-01756126},
  abstract = {The logic Kt4.3 is the basic modal logic of linear frames. Along with its extensions, it is found at the core of linear-time temporal logics and logics on words.  In this paper, we consider the problem of designing proof systems for these logics, in such a way that proof search yields decision procedures for validity with an optimal complexity---coNP in this case.  In earlier work, Indrzejczak has proposed an ordered hypersequent calculus that is sound and complete for Kt4.3 but does not yield any decision procedure.  We refine his approach, using a hypersequent structure that corresponds to weak rather than strict total orders, and using annotations that reflect the model-theoretic insights given by small models for Kt4.3.  We obtain a sound and complete calculus with an associated coNP proof search algorithm.  These results extend naturally to the cases of unbounded and dense frames, and to the complexity of the two-variable fragment of first-order logic over total orders.}
}
@article{JGL-mscs18,
  publisher = {Cambridge University Press},
  journal = {Mathematical Structures in Computer Science},
  author = {Goubault{-}Larrecq, Jean},
  title = {A semantics for nabla},
  pages = {1-25},
  year = {2018},
  doi = {10.1017/S0960129518000063},
  url = {https://www.cambridge.org/core/journals/mathematical-structures-in-computer-science/article/semantics-for-nabla/A3337AB54DC58CBDDEC78116F4390777},
  note = {To appear}
}
@inproceedings{JKS-eurosp17,
  address = {Paris, France},
  month = apr,
  publisher = {{IEEE} Press},
  editor = {Andrei Sabelfeld and Matthew Smith},
  acronym = {{EuroS\&P}'17},
  booktitle = {{P}roceedings of the 2nd IEEE European Symposium on
                 Security and Privacy ({EuroS\&P}'17)},
  author = {Jacomme, Charlie and Kremer, Steve and Scerri, Guillaume},
  title = {Symbolic Models for Isolated Execution Environments},
  pages = {530-545},
  year = {2017},
  doi = {10.1109/EuroSP.2017.16},
  url = {https://ieeexplore.ieee.org/document/7962001/},
  abstract = {Isolated Execution Environments (IEEs), such as ARM
                 TrustZone and Intel SGX, offer the possibility to
                 execute sensitive code in isolation from other
                 malicious programs, running on the same machine, or
                 a potentially corrupted OS. A key feature of IEEs is
                 the ability to produce reports binding
                 cryptographically a message to the program that
                 produced it, typically ensuring that this message is
                 the result of the given program running on an
                 IEE. We present a symbolic model for specifying and
                 verifying applications that make use of such
                 features. For this we introduce the S{\(\ell\)}APIC
                 process calculus, that allows to reason about
                 reports issued at given locations. We also provide
                 tool support, extending the SAPIC/TAMARIN toolchain
                 and demonstrate the applicability of our framework
                 on several examples implementing secure outsourced
                 computation (SOC), a secure licensing protocol and a
                 one-time password protocol that all rely on such
                 IEEs.}
}
@inproceedings{JK-csf18,
  address = {Oxford, UK},
  month = jul,
  publisher = {{IEEE} Computer Society Press},
  editor = {Chong, Steve and Delaune, St{\'e}phanie},
  acronym = {{CSF}'18},
  booktitle = {{P}roceedings of the 
               31st {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'18)},
  author = {Jacomme, Charlie and Kremer, Steve},
  title = {An extensive formal analysis of multi-factor authentication protocols},
  pages = {1-15},
  year = {2018},
  doi = {10.1109/CSF.2018.00008},
  pdf = {https://easychair.org/publications/preprint/m89p},
  url = {https://ieeexplore.ieee.org/document/8429292/},
  abstract = {Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms used in so-called multi-factor authentication protocols. In this paper we define a detailed threat model for this kind of protocol: while in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that computers may be infected by different kinds of malware, that attackers could perform phishing, and that humans may omit some actions.  We formalize this model in the applied pi calculus and perform an extensive analysis and comparison of several widely used protocols---variants of Google 2-step and FIDO's U2F. The analysis is completely automated, generating systematically all combinations of threat scenarios for each of the protocols and using the ProVerif tool for automated protocol analysis. Our analysis highlights weaknesses and strengths of the different protocols, and allows us to suggest several small modifications of the existing protocols which are easy to implement, yet improve their security in several threat scenarios.}
}
@article{CCD-ic17,
  publisher = {Elsevier Science Publishers},
  journal = {Information and Computation},
  author = {Vincent Cheval and Hubert Comon{-}Lundh and St{\'e}phanie Delaune},
  title = {A procedure for deciding symbolic equivalence between sets of constraint systems},
  volume = {255},
  year = {2017},
  pages = {94-125},
  doi = {10.1016/j.ic.2017.05.004},
  url = {https://www.sciencedirect.com/science/article/pii/S0890540117300949},
  abstract = {We consider security properties of cryptographic protocols that can be modelled using trace equivalence, a crucial notion when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability. Infinite sets of possible traces are symbolically represented using deducibility constraints. We describe an algorithm that decides trace equivalence for protocols that use standard primitives and that can be represented using such constraints. More precisely, we consider symbolic equivalence between sets of constraint systems, and we also consider disequations. Considering sets and disequations is actually crucial to decide trace equivalence for processes that may involve else branches and/or private channels (for a bounded number of sessions). Our algorithm for deciding symbolic equivalence between sets of constraint systems is implemented and performs well in practice. Unfortunately, it does not scale up well for deciding trace equivalence between processes. This is however the first implemented algorithm deciding trace equivalence on such a large class of processes.}
}
@article{HGJX-lmcs18,
  journal = {Logical Methods in Computer Science},
  author = {Ho, Weng Kin and Goubault-Larrecq, Jean and Jung, Achim and Xi, Xiaoyong},
  title = {The {Ho-Zhao} Problem},
  volume = {14},
  number = {1},
  year = {2018},
  month = jan,
  pages = {1-19},
  doi = {10.23638/LMCS-14(1:7)2018},
  url = {https://lmcs.episciences.org/4218},
  pdf = {http://www.lsv.fr/Publis/PAPERS/PDF/HGJX-lmcs18.pdf}
}
@inproceedings{JGL-lncs11760,
  volume = 11760,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  editor = {M{\'a}rio S. Alvim and Kostas Chatzikokolakis and Carlos Olarte and Franck Valencia},
  acronym = {{The Art of Modelling Computational Systems: A Journey from Logic and Concurrency to Security and Privacy}},
  booktitle = {The Art of Modelling Computational Systems: A Journey from Logic and Concurrency to Security and Privacy---Essays Dedicated to Catuscia Palamidessi on the Occasion of Her 60th Birthday},
  author = {Goubault{-}Larrecq, Jean},
  title = {Fooling the Parallel or Tester with Probability $8/27$},
  pages = {313--328},
  year = 2019,
  note = {Updated version on arXiv:1903.12653},
  url = {https://arxiv.org/abs/1903.12653},
  abstract = {It is well-known that the higher-order language PCF is not fully abstract: there is a program - the so-called parallel or tester, meant to test whether its input behaves as a parallel or - which never terminates on any input, operationally, but is denotationally non-trivial. We explore a probabilistic variant of PCF, and ask whether the parallel or tester exhibits a similar behavior there. The answer is no: operationally, one can feed the parallel or tester an input that will fool it into thinking it is a parallel or. We show that the largest probability of success of such would-be parallel ors is exactly 8/27. The bound is reached by a very simple probabilistic program. The difficult part is to show that that bound cannot be exceeded.}
}
@inproceedings{DGJL-isdt19,
  address = {Yangzhou, China},
  month = jun,
  volume = 345,
  series = {Electronic Notes in Theoretical Computer Science},
  publisher = {Elsevier Science Publishers},
  editor = {Jung, Achim and Li, Qingguo and Xu, Luoshan and Zhang, Guo-Qiang},
  acronym = {{ISDT}'19},
  booktitle = {{P}roceedings of the {I}nternational {S}ymposium on {D}omain {T}heory ({ISDT}'19)},
  author = {de Brecht, Matthew and Goubault{-}Larrecq, Jean and Jia, Xiaodong and Lyu, Zhenchao},
  title = {Domain-complete and LCS-complete Spaces},
  pages = {3-35},
  doi = {10.1016/j.entcs.2019.07.014},
  year = 2019
}
@inproceedings{GJ-isdt19,
  address = {Yangzhou, China},
  month = jun,
  volume = 345,
  series = {Electronic Notes in Theoretical Computer Science},
  publisher = {Elsevier Science Publishers},
  editor = {Jung, Achim and Li, Qingguo and Xu, Luoshan and Zhang, Guo-Qiang},
  acronym = {{ISDT}'19},
  booktitle = {{P}roceedings of the {I}nternational {S}ymposium on {D}omain {T}heory ({ISDT}'19)},
  author = {Goubault{-}Larrecq, Jean and Jia, Xiaodong},
  title = {Algebras of the Extended Probabilistic Powerdomain Monad},
  pages = {37-61},
  doi = {10.1016/j.entcs.2019.07.015},
  year = 2019
}
@article{GM-hjm19,
  publisher = {University of Houston},
  journal = {Houston Journal of Mathematics},
  author = {Goubault{-}Larrecq, Jean and Mynard, Fr{\'e}d{\'e}ric},
  title = {Convergence without Points},
  year = 2019,
  note = {To appear}
}
@inproceedings{K-csf19,
  address = {Hoboken, NJ, USA},
  month = jul,
  publisher = {{IEEE} Computer Society Press},
  editor = {Delaune, St{\'e}phanie and Jia, Limin},
  acronym = {{CSF}'19},
  booktitle = {{P}roceedings of the 
               32nd {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'19)},
  author = {Adrien Koutsos},
  title = {Decidability of a Sound Set of Inference Rules for Computational Indistinguishability},
  pages = {48-61},
  year = 2019,
  doi = {10.1109/CSF.2019.00011},
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/K-csf19.pdf},
  abstract = {Computational indistinguishability is a key property in cryptography and verification of security protocols. Current tools for proving it rely on cryptographic game transformations. We follow Bana and Comon's approach, axiomatizing what an adversary cannot distinguish. We prove the decidability of a set of first-order axioms which are computationally sound, though incomplete, for protocols with a bounded number of sessions whose security is based on an IND-CCA$_2$ encryption scheme. Alternatively, our result can be viewed as the decidability of a family of cryptographic game transformations. Our proof relies on term rewriting and automated deduction techniques.}
}
@inproceedings{K-eurosp19,
  address = {Stockholm, Sweden},
  month = jun,
  publisher = {{IEEE} Press},
  editor = {Frank Piessens and Frank Stajano},
  acronym = {{EuroS\&P}'19},
  booktitle = {{P}roceedings of the 4th IEEE European Symposium on
                 Security and Privacy ({EuroS\&P}'19)},
  author = {Adrien Koutsos},
  title = {The {5G-AKA} Authentication Protocol Privacy},
  pages = {464-479},
  year = 2019,
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/K-eurosp19.pdf},
  doi = {10.1109/EuroSP.2019.00041},
  abstract = {We study the 5G-AKA authentication protocol described in the 5G mobile communication standards. This version of AKA tries to achieve better privacy than the 3G and 4G versions through the use of asymmetric randomized encryption. Nonetheless, we show that except for the IMSI-catcher attack, all known attacks against 5G-AKA privacy still apply. Next, we modify the 5G-AKA protocol to prevent these attacks, while satisfying 5G-AKA efficiency constraints as much as possible. We then formally prove that our protocol is $\sigma$-unlinkable. This is a new security notion, which allows for a fine-grained quantification of a protocol's privacy. Our security proof is carried out in the Bana-Comon indistinguishability logic. We also prove mutual authentication as a secondary result.}
}
@article{JGL-topa19,
  publisher = {Elsevier Science Publishers},
  journal = {Topology and its Applications},
  author = {Goubault{-}Larrecq, Jean},
  title = {Formal Ball Monads},
  year = 2019,
  note = {To appear},
  doi = {10.1016/j.topol.2019.06.044},
  url = {http://www.sciencedirect.com/science/article/pii/S0166864119302160},
  abstract = {The formal ball construction B is a central tool of
quasi-metric space theory. We show that it induces monads on certain
natural categories of quasi-metric spaces, with 1-Lipschitz maps as
morphisms, or with 1-Lipschitz continuous maps as morphisms. Those are
left Kock-Z{\"o}berlein monads, and that allows us to characterize their
algebras exactly. As an application, we study so-called Lipschitz
regular spaces, a natural class of spaces that contain all standard
algebraic quasi-metric spaces with relatively compact balls, in
particular all metric spaces whose closed balls are compact. There are
other Lipschitz regular spaces, as we show, and notably all B-algebras.
That includes all spaces of formal balls, with their d+-Scott topology.
The value of Lipschitz regularity is that, for a Lipschitz regular
standard quasi-metric space X,d, the space LX of lower semicontinuous
maps from X to the extended non-negative reals, with the Scott topology,
retracts onto each of the spaces L_alpha(X,d) of alpha-Lipschitz
continuous maps, and that the subspace topology on the latter coincides
with the Scott topology.}
}
@article{HBD-jcs19,
  publisher = {{IOS} Press},
  journal = {Journal of Computer Security},
  author = {Hirschi, Lucca and Baelde, David and Delaune, St{\'e}phanie},
  title = {A method for unbounded verification of privacy-type properties},
  volume = {27},
  number = {3},
  pages = {277-342},
  year = 2019,
  pdf = {http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/HBD-jcs19.pdf},
  doi = {10.3233/JCS-171070},
  url = {https://content.iospress.com/articles/journal-of-computer-security/jcs171070}
}
@inproceedings{BGJKS-csf19,
  address = {Hoboken, NJ, USA},
  month = jul,
  publisher = {{IEEE} Computer Society Press},
  editor = {Delaune, St{\'e}phanie and Jia, Limin},
  acronym = {{CSF}'19},
  booktitle = {{P}roceedings of the 
               32nd {IEEE} {C}omputer {S}ecurity {F}oundations
               {S}ymposium ({CSF}'19)},
  author = {Barthe, Gilles and Gr{\'e}goire, Benjamin and Jacomme, Charlie and Kremer, Steve and Strub, Pierre-Yves},
  title = {Symbolic methods in computational cryptography proofs},
  pages = {136-151},
  year = 2019,
  doi = {10.1109/CSF.2019.00017},
  pdf = {https://hal.inria.fr/hal-02117794/document},
  url = {https://hal.inria.fr/hal-02117794},
  abstract = {Code-based game-playing is a popular methodology for proving security of cryptographic constructions and side-channel countermeasures. This methodology relies on treating cryptographic proofs as an instance of relational program verification (between probabilistic programs), and decomposing the latter into a series of elementary relational program verification steps. In this paper, we develop principled methods for proving such elementary steps for probabilistic programs that operate over finite fields and related algebraic structures. We focus on three essential properties: program equivalence, information flow, and uniformity. We give characterizations of these properties based on deducibility and other notions from symbolic cryptography. We use (sometimes improve) tools from symbolic cryptography to obtain decision procedures or sound proof methods for program equivalence, information flow, and uniformity. Finally, we evaluate our approach using examples drawn from provable security and from side-channel analysis---for the latter, we focus on the masking countermeasure against differential power analysis. A partial implementation of our approach is integrated in EASYCRYPT, a proof assistant for provable security, and in MASKVERIF, a fully automated prover for masked implementations.}
}
@inproceedings{JGL-lics19,
  address = {Vancouver, Canada},
  month = jun,
  publisher = {{IEEE} Press},
  editor = {Bouyer, Patricia},
  acronym = {{LICS}'19},
  booktitle = {{P}roceedings of the 34th {A}nnual {ACM\slash
            IEEE} {S}ymposium on {L}ogic {I}n {C}omputer {S}cience ({LICS}'19)},
  author = {Goubault{-}Larrecq, Jean},
  title = {A Probabilistic and Non-Deterministic Call-by-Push-Value Language},
  pages = {1-13},
  year = 2019,
  doi = {10.1109/LICS.2019.8785809},
  abstract = {There is no known way of giving a domain-theoretic semantics to higher-order probabilistic languages, in such a way that the involved domains are continuous or quasi-continuous. We argue that the problem naturally disappears for languages with two kinds of types, where one kind is interpreted in a Cartesian-closed category of continuous dcpos, and the other is interpreted in a category that is closed under the probabilistic powerdomain functor. Such a setting is provided by Paul B. Levy's call-by-push-value paradigm. Following this insight, we define a call-by-push-value language, with probabilistic choice sitting inside the value types, and where conversion from a value type to a computation type involves demonic non-determinism. We give both a domain-theoretic semantics and an operational semantics for the resulting language, and we show that they are sound and adequate. With the addition of statistical termination testers and parallel if, we show that the language is even fully abstract---and those two primitives are required for that.}
}

This file was generated by bibtex2html 1.98.