On Communication Models When Verifying Equivalence Properties

  • Kushal Babel
  • Vincent ChevalEmail author
  • Steve KremerEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10204)


Symbolic models for security protocol verification, following the seminal ideas of Dolev and Yao, come in many flavors, even though they share the same ideas. A common assumption is that the attacker has complete control over the network: he can therefore intercept any message. Depending on the precise model this may be reflected either by the fact that any protocol output is directly routed to the adversary, or communications may be among any two participants, including the attacker — the scheduling between which exact parties the communication happens is left to the attacker. These two models may seem equivalent at first glance and, depending on the verification tools, either one or the other semantics is implemented. We show that, unsurprisingly, they indeed coincide for reachability properties. However, when we consider indistinguishability properties, we prove that these two semantics are incomparable. We also introduce a new semantics, where internal communications are allowed but messages are always eavesdropped by the attacker. We show that this new semantics yields strictly stronger equivalence relations. We also identify two subclasses of protocols for which the three semantics coincide. Finally, we implemented verification of trace equivalence for each of these semantics in the APTE tool and compare their performances on several classical examples.


Function Symbol Operational Semantic Authentication Protocol Extended Process Classical Semantic 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank Catherine Meadows and Stéphanie Delaune for interesting discussions, as well as the anonymous reviewers for their comments. This work has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program (grant agreement No 645865-SPOOC) and the ANR project SEQUOIA ANR-14-CE28-0030-01.


  1. 1.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Nielson, H.R.: 28th Symposium on Principles of Programming Languages (POPL 2001), pp. 104–115. ACM, London, January 2001Google Scholar
  2. 2.
    Abadi, M., Fournet, C.: Private authentication. Theor. Comput. Sci. 322(3), 427–476 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Abadi, M., Gordon, A.D.: A calculus for cryptographic protocols: the spi calculus. Inf. Comput. 148(1), 1–70 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Arapinis, M., Cheval, V., Delaune, S.: Verifying privacy-type properties in a modular way. In: Cortier, V., Zdancewic, S. (eds.) Proceedings of the 25th IEEE Computer Security Foundations Symposium (CSF 2012), pp. 95–109. IEEE Computer Society Press, Cambridge, June 2012Google Scholar
  5. 5.
    Arapinis, M., Chothia, T., Ritter, E., Ryan, M.: Analysing unlinkability and anonymity using the applied pi calculus. In: Proceedings of 23rd Computer Security Foundations Symposium (CSF 2010), pp. 107–121. IEEE Computer Society Press (2010)Google Scholar
  6. 6.
    Armando, A., et al.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005). doi: 10.1007/11513988_27 CrossRefGoogle Scholar
  7. 7.
    Babel, K., Cheval, V., Kremer, S.: On communication models when verifying equivalence properties. Technical report, HAL (2017)Google Scholar
  8. 8.
    Blanchet, B.: Automatic verification of correspondences for security protocols. J. Comput. Secur. 17(4), 363–434 (2009)CrossRefGoogle Scholar
  9. 9.
    Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. J. Logic Algebraic Program. 75(1), 3–51 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Chadha, R., Cheval, V., Ciobâcă, Ş., Kremer, S.: Automated verification of equivalence properties of cryptographic protocol. ACM Trans. Comput. Logic 17, 23 (2016)MathSciNetCrossRefGoogle Scholar
  11. 11.
    Cheval, V., Comon-Lundh, H., Delaune, S.: Trace equivalence decision: negative tests and non-determinism. In: Proceedings of 18th ACM Conference on Computer and Communications Security (CCS 2011), ACM, October 2011Google Scholar
  12. 12.
    Cheval, V., Cortier, V., Delaune, S.: Deciding equivalence-based properties using constraint solving. Theor. Comput. Sci. 492, 1–39 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Cremers, C.J.F.: The scyther tool: verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-70545-1_38 CrossRefGoogle Scholar
  14. 14.
    Delaune, S., Kremer, S., Ryan, M.D.: Verifying privacy-type properties of electronic voting protocols. J. Comput. Secur. 17(4), 435–487 (2009)CrossRefzbMATHGoogle Scholar
  15. 15.
    Dong, N., Jonker, H., Pang, J.: Analysis of a receipt-free auction protocol in the applied pi calculus. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 223–238. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19751-2_15 CrossRefGoogle Scholar
  16. 16.
    Force, P.T.: PKI for machine readable travel documents offering ICC read-only access. Technical report, International Civil Aviation Organization (2004)Google Scholar
  17. 17.
    Millen, J.K., Shmatikov, V.: Constraint solving for bounded-process cryptographic protocol analysis. In: Proceedings of 8th Conference on Computer and Communications Security, pp. 166–175. ACM Press (2001)Google Scholar
  18. 18.
    Paulson, L.C.: The inductive approach to verifying cryptographic protocols. J. Comput. Secur. 6(1/2), 85–128 (1998)CrossRefGoogle Scholar
  19. 19.
    Ryan, P., Schneider, S., Goldsmith, M., Lowe, G., Roscoe, A.: Modelling and Analysis of Security Protocols. Addison Wesley, Boston (2000)Google Scholar
  20. 20.
    Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-39799-8_48 CrossRefGoogle Scholar
  21. 21.
    Fabrega, T.H., Javier, F., Herzog, J.C., Guttman, J.D.: Strand spaces: proving security protocols correct. J. Comput. Secur. 7(2/3), 191–230 (1999)CrossRefGoogle Scholar
  22. 22.
    Tiu, A., Dawson, J.E.: Automating open bisimulation checking for the spi calculus. In: Proceedings of 23rd Computer Security Foundations Symposium (CSF 2010), pp. 307–321. IEEE Computer Society (2010)Google Scholar

Copyright information

© Springer-Verlag GmbH Germany 2017

Authors and Affiliations

  1. 1.IIT BombayMumbaiIndia
  2. 2.LORIA, Inria Nancy & CNRS & Université de LorraineNancyFrance

Personalised recommendations