ENSURING THE CORRECTNESS OF CRYPTOGRAPHIC PROTOCOLS WITH RESPECT TO SECRECY
Hanane Houmani and Mohamed Mejri
LSFM Research Group, Computer Science Department, Laval University, Quebec, Canada
Keywords: Secure communications, Cryptographic protocols, Secrecy, Formal verification, Sufficient conditions.
Abstract: This paper gives sufficient conditions that ensure the secrecy property of cryptographic protocols that share session keys. More precisely, it proves that if, within a protocol, agents neither decrease nor increase the security level of components, then the protocol respects the secrecy property. This sufficient condition holds even when the context of verification changes (message algebra, intruder capacities or cryptographic assumptions). To verify the condition we use the notion of interpretation functions. An interpretation function is a safe way for an agent to appropriately estimate the security level of the message components he receives, so that he can handle them correctly.
1 INTRODUCTION
The verification of cryptographic protocols is paramount, since they are used to secure our communications and transactions. However, the verification of the security of cryptographic protocols is undecidable in general (see (Comon and Shmatikov, 2002; Comon-Lundh and Cortier, 2003a)). Therefore, researchers have proposed a large variety of methods and tools that can help to find attacks or to prove the security of some classes of these protocols. A general survey of the most used approaches related to the verification of cryptographic protocols can be found in (Boreale and Gorla, 2002; Meadows, 2003; Sabelfeld and Myers, 2003).
Due to the complexity of the problem, almost all existing approaches try to simplify it by making some restrictions on cryptographic primitives, like the perfect encryption assumption. However, protocols may contain flaws outside the considered assumptions. For example, in (Paulson, 1997), L. Paulson proved that the Bull protocol preserves secrecy using an intruder model that does not take into account any algebraic property of cryptographic primitives. However, he also showed that attacks are possible on this protocol if some algebraic properties of exponentiation or exclusive-or are considered. Since then, many researchers (Chevalier et al., 2003; Comon-Lundh and Cortier, 2003b; Goubault-Larrecq, 2005; Jacquemard et al., 2000; Abadi and Cortier, 2006; Shmatikov, 2004; Turuani, 2003) have been studying the security of cryptographic protocols under equational theories (sets of algebraic properties).
In (Houmani and Mejri, 2007a; Houmani and Mejri, 2007b; Houmani and Mejri, 2008), we gathered the assumptions, restrictions and algebraic properties that can be made on cryptographic protocols into what we called a context of verification. More specifically, a context of verification is basically the specification of the message algebra and the capacities of the intruder (including a set of equational theories). This representation allowed us to give sufficient conditions that are independent from any specific context of verification (a specific class of messages, a specific capacity of the intruder, or a specific class of equational theories) and that guarantee the secrecy property of any protocol that respects them. Intuitively, these sufficient conditions state that agents should not decrease the security level of message components when they send them over the network. Protocols that respect this condition were called Increasing Protocols.
Houmani H. and Mejri M. (2008). ENSURING THE CORRECTNESS OF CRYPTOGRAPHIC PROTOCOLS WITH RESPECT TO SECRECY. In Proceedings of the International Conference on Security and Cryptography, pages 184-189. DOI: 10.5220/0001927401840189. Copyright © SciTePress.
However, if the analyzed protocol uses a temporary key (session key), we will not be able to prove that it respects the secrecy property even if it does. This is because the sufficient conditions check whether agents decrease the security level of a message without caring about the exact values of these security levels. Suppose for instance that an agent has received the message $\{k\}_{k_{ab}}$; from that message we can safely approximate the security level of $k$ by saying that it is less than the security level of $k_{ab}$. However, to send a message $\{\alpha\}_k$ over the network, it is not sufficient to know a lower bound for the security level of $k$: we also need an upper bound, and ideally the exact value of this security level, so that we can know whether $\alpha$ is correctly protected when sent inside $\{\alpha\}_k$. Therefore, to ensure that a protocol does not leak secret information, we need to ensure that each agent protects the components he sends according to their security types (a public key cannot protect secret information, for example). More precisely, to guarantee the secrecy property of a protocol it is sufficient to restrict each agent so that he neither decreases nor increases the security levels of the components he sends. Protocols that respect this condition are called, in this paper, Coherent Protocols.
However, we first need a way to safely communicate the security level of each component sent over the network. In fact, an agent cannot appropriately protect a component (especially a received and previously unknown one) if he is not able to deduce its security level. For this purpose, we use what we call an interpretation function. The role of this function is to allow each agent involved in the protocol to deduce in a safe way the security level of each received component. Once the interpretation function is defined, it is enough to restrict each agent so that he neither decreases nor increases the security levels of sent components to guarantee that the protocol is correct with respect to the secrecy property.
The remainder of this paper is organized as follows. Section 2 gives the definition of a context of verification, together with the definition of some basic terms used within this paper. Section 3 gives a formal definition of the secrecy property. Section 4 introduces the proposed conditions and proves that they are sufficient to ensure the secrecy property of cryptographic protocols. Section 5 shows how to put these conditions into practice on a concrete example. Finally, Section 6 provides some concluding remarks.
2 BASIC DEFINITIONS
Basically, this section gives the definition of a context of verification already introduced in (Houmani and Mejri, 2007b; Houmani and Mejri, 2007a). It also gives the definition of a set of messages and the definition of the intruder capacities.
Context of Verification. Parameters like the structure of the messages exchanged during the protocol, the intruder capacities or the algebraic properties of cryptographic primitives can affect the class of protocols that an approach can analyze. We therefore found it interesting to gather them in what we call a context of verification. A context of verification has the following form: $\mathcal{C} = \langle \mathcal{N}, \Sigma, \mathcal{E}, \mathcal{K}, \mathcal{L}, \ulcorner\cdot\urcorner \rangle$, where:
The Names $\mathcal{N}$ is the set of names (nonces, keys, etc.). For instance, let $\mathcal{N}_0$ be the set of names given by the following BNF grammar:
    n ::= $A$          (Principal Identifier)
        | $N_a$        (Nonce)
        | $k_{ab}$     (Shared key)
The Signature $\Sigma$ contains all function symbols (encryption and pair symbols, for example). For instance, let $\Sigma_0$ be the signature defined as follows: $\Sigma_0 = \{enc, dec, pair, fst, snd\}$. As usual we write $\langle x, y \rangle$ instead of $pair(x, y)$.
The Equational Theory $\mathcal{E}$ is the equational theory that represents the algebraic properties of the function symbols (commutativity of the pair symbol, for example). For instance, let $\mathcal{E}_0$ be the equational theory that contains the following equations:
    $dec(enc(x, y), y) = x$
    $fst(pair(x, y)) = x$
    $snd(pair(x, y)) = y$
The Intruder Knowledge $\mathcal{K}$ is the set of initial knowledge of the intruder. For instance, let $\mathcal{K}_0$ be the intruder knowledge that contains the shared keys $k_{ia}$, $k_{ib}$, etc., a public key $k_i$, a private key $k_i^{-1}$, and an infinite set of fresh values such as session keys, nonces and timestamps.
The Lattice of Security $\mathcal{L}$ is a lattice that contains security levels (types). For example, the poset $(\{classified, secret, topSecret\}, \sqsubseteq)$ where $classified \sqsubseteq secret \sqsubseteq topSecret$ defines a simple security lattice. Another interesting security lattice is the one defined by the powerset of agent identities, i.e. $2^{\mathcal{I}}$. Within this lattice the security level of a component is the set of identities of the agents allowed to know the value of this component. In the sequel, we denote this powerset lattice by $\mathcal{L}_0$.
The Typed Environment $\ulcorner\cdot\urcorner$ is a partial function that assigns to atomic messages their real security levels (types). This allows us to know the security level of the components initially known by each agent. For instance, let $\ulcorner\cdot\urcorner_0$ be a typed environment that assigns to a message $\alpha$ the set of identities of the agents that may know $\alpha$. For example, $\ulcorner k_{ab} \urcorner_0 = \{A, B\}$.
Messages. Given a context of verification $\mathcal{C}$, a set of messages $\mathcal{M}$ can be defined (this definition is inspired from (Abadi and Cortier, 2006)) by the following BNF grammar:
    m ::= $N$                      (Name)
        | $X$                      (Variable)
        | $f(m_1, \ldots, m_n)$    (Function application)
Notice that the set of messages involved in the verification context will be denoted, in what follows, by $\mathcal{M}$, and $\mathcal{A}(M)$ denotes the set of atomic components (nonces, keys and principal identifiers) in $M$.
Intruder. Given a context of verification $\mathcal{C} = \langle \mathcal{N}, \Sigma, \mathcal{E}, \mathcal{K}, \mathcal{L}, \ulcorner\cdot\urcorner \rangle$ and a set of messages $M$ that represents the information available to an intruder, the message $m$ can be deduced by the intruder from $M$ in the context $\mathcal{C}$, written $M \models_{\mathcal{C}} m$, if $m$ can be obtained by using the rules of Table 1.
Table 1: Generic capacities of the intruder.
    (Init)  $\dfrac{}{M \models_{\mathcal{C}} m} \; [m \in M \cup \mathcal{K}_I]$
    (Eq)    $\dfrac{M \models_{\mathcal{C}} m_1 \qquad m_1 =_{\mathcal{C}} m_2}{M \models_{\mathcal{C}} m_2}$
    (Op)    $\dfrac{M \models_{\mathcal{C}} m_1, \; \ldots, \; M \models_{\mathcal{C}} m_n}{M \models_{\mathcal{C}} f(m_1, \ldots, m_n)} \; [f \in \Sigma]$
Given a context of verification $\mathcal{C} = \langle \mathcal{N}, \Sigma, \mathcal{E}, \mathcal{K}, \mathcal{L}, \ulcorner\cdot\urcorner \rangle$, we write $m_1 =_{\mathcal{C}} m_2$ if and only if $m_1 =_{\mathcal{E}} m_2$, where $m_1 =_{\mathcal{E}} m_2$ means that the messages $m_1$ and $m_2$ are equal under the equational theory $\mathcal{E}$.
Protocol. Basically, a protocol is specified by a sequence of communication steps given in the standard notation. More precisely, a protocol $p$ has to respect the following BNF grammar:
    p ::= $\langle i : A \rightarrow B : m \rangle$ | $p \,.\, p$
The statement $\langle i : A \rightarrow B : m \rangle$ denotes the transmission of a message $m$ from the principal $A$ to the principal $B$ in step $i$. Let $p_0$ be a variant of the Woo and Lam (Woo and Lam, 1994) authentication protocol. This variant, given in Table 2, aims to distribute a new key that will be shared between two agents $A$ and $B$.
Table 2: Example of a protocol.
    $p_0 = \langle 1, A \rightarrow B : A \rangle .$
          $\langle 2, B \rightarrow S : \{N_b, A, k_{ab}\}_{k_{bs}} \rangle .$
          $\langle 3, S \rightarrow A : \{N_b, B, k_{ab}\}_{k_{as}} \rangle .$
          $\langle 4, A \rightarrow B : \{N_b, s_{ab}\}_{k_{ab}} \rangle$
In this paper, we denote by $[\![p]\!]$ all valid traces (executions) of a protocol $p$. Also, we denote by $R_G(p)$ the role-based specification (Debbabi et al., 1997; Houmani and Mejri, 2007b) of $p$, which is a set of generalized roles. A generalized role is a protocol abstraction where the emphasis is put on a particular principal and where all the unknown messages are replaced by variables. A session identifier $i$ is added as an exponent to each fresh message to reflect the fact that these components change their values from one run to another. Basically, a generalized role reflects how a particular agent perceives the exchanged messages. For instance, the role-based specification of the protocol described in Table 2, $R_G(p_0)$, is $\{A^1_G, A^2_G, B^1_G, B^2_G, B^3_G, S^1_G\}$ (see Table 3).
Table 3: Example of a role-based specification.
    $A^1_G = \langle i.1, A \rightarrow I(B) : A \rangle$
    $A^2_G = \langle i.1, A \rightarrow I(B) : A \rangle .$
            $\langle i.3, I(S) \rightarrow A : \{X_1, B, X_2\}_{k_{as}} \rangle .$
            $\langle i.4, A \rightarrow I(B) : \{X_1, s_{ab}\}_{X_2} \rangle$
    $B^1_G = \langle i.1, I(A) \rightarrow B : A \rangle .$
            $\langle i.2, B \rightarrow I(S) : \{N_b, A, k_{ab}\}_{k_{bs}} \rangle$
    $B^2_G = \langle i.1, I(A) \rightarrow B : A \rangle .$
            $\langle i.2, B \rightarrow I(S) : \{N_b, A, k_{ab}\}_{k_{bs}} \rangle .$
            $\langle i.4, I(A) \rightarrow B : \{N_b, Y_1\}_{k_{ab}} \rangle$
    $S^1_G = \langle i.2, I(A) \rightarrow S : \{U, A, V\}_{k_{bs}} \rangle .$
            $\langle i.3, S \rightarrow I(A) : \{U, B, V\}_{k_{as}} \rangle$
SECRYPT 2008 - International Conference on Security and Cryptography
3 SECRECY PROPERTY
Intuitively, a protocol keeps a component $m$ secret if it has no valid trace that decreases the security level of $m$. More precisely, the formal definition of the secrecy property given hereafter states that the intruder cannot learn from any valid trace more than what he is eligible to know. We suppose that if an agent (including the intruder) knows a message with a security level $\tau$, then he is also eligible to know all messages having a security level lower than $\tau$¹.
Definition 1 (Secrecy Property). Let $p$ be a protocol and $\mathcal{C} = \langle \mathcal{N}, \Sigma, \mathcal{E}, \mathcal{K}, \mathcal{L}, \ulcorner\cdot\urcorner \rangle$ a verification context. The protocol $p$ is $\mathcal{C}$-correct with respect to the secrecy property if:
    $\forall \alpha \in \mathcal{A}(\mathcal{M}) \cdot [\![p]\!] \models_{\mathcal{C}} \alpha \Rightarrow \ulcorner\mathcal{K}\urcorner \sqsupseteq \ulcorner\alpha\urcorner$
where $\sqsubseteq$ is the order of the security lattice given in $\mathcal{C}$ and the notation $\ulcorner\mathcal{K}\urcorner \sqsupseteq \ulcorner\alpha\urcorner$ is an abbreviation of $\exists \beta \in \mathcal{K} \cdot \ulcorner\beta\urcorner \sqsupseteq \ulcorner\alpha\urcorner$. Notice that this abbreviation will be used throughout the rest of this paper.
¹ Notice that it is always possible to define a security lattice that reflects our needs and which is coherent with this hypothesis.
4 MAIN RESULT
Now, it is time to give the sufficient conditions that guarantee the correctness of a cryptographic protocol with respect to the secrecy property. Informally, these conditions state that honest agents should never decrease or increase the security level of any atomic message. However, to reach this goal, the principals involved in the protocol need a "safe" way to compute the security level of a component received within a message during the protocol execution. By a "safe" way, we mean that the computed security level can never be misled by the intruder. To this end, we introduce what we call a safe interpretation function, which allows the security level of components sent and received within messages to be computed safely. Formally:
Definition 2 (Safe Interpretation Function). Let $\mathcal{C} = \langle \mathcal{N}, \Sigma, \mathcal{E}, \mathcal{K}, \mathcal{L}, \ulcorner\cdot\urcorner \rangle$ be a context of verification. A function $F$ from $\mathcal{A}(\mathcal{M}) \times 2^{\mathcal{M}}$ to $\mathcal{L}$ is called a $\mathcal{C}$-safe interpretation function if the following conditions hold:
1. $F$ is well formed, i.e.:
    $F(\alpha, \{\alpha\}) = \bot$ and $F(\alpha, M_1 \cup M_2) = F(\alpha, M_1) \sqcap F(\alpha, M_2)$ and $F(\alpha, M) = \top$ where $\alpha \notin \mathcal{A}(M)$
2. $F$ is $\mathcal{C}$-full-invariant by substitution, i.e.: for all $M_1$ and $M_2$, two sets of messages in $2^{\mathcal{M}}$, such that $\forall \alpha \in \mathcal{A}(M_1) \cdot F(\alpha, M_1) = F(\alpha, M_2)$, we have for every $\sigma \in \Gamma$ that:
    $\forall \alpha \in \mathcal{A}(M_1) \cdot F(\alpha, M_1\sigma) = F(\alpha, M_2\sigma)$
where $\Gamma$ is the set of possible substitutions from $\mathcal{X}$ to closed messages in $\mathcal{M}$.
3. $F$ is $\mathcal{C}$-full-invariant by intruder, i.e.: $\forall M \subseteq \mathcal{M}$, $\forall \alpha \in \mathcal{A}(M)$ such that $F(\alpha, M) \sqsupseteq \ulcorner\alpha\urcorner$, and $\forall m \in \mathcal{M}$ such that $M \models_{\mathcal{C}} m$, we have for every $\alpha$ in $\mathcal{A}(m)$ that:
    $(F(\alpha, m) = F(\alpha, M)) \vee (\ulcorner\mathcal{K}\urcorner \sqsupseteq \ulcorner\alpha\urcorner)$
Let $\mathcal{C}_0 = \langle \mathcal{N}_0, \Sigma_0, \mathcal{E}_0, \mathcal{K}_0, \mathcal{L}_0, \ulcorner\cdot\urcorner_0 \rangle$ be the context of verification whose elements are those given as examples in Section 2. An example of a safe interpretation function is the function $F_0$ that attributes to a message a security level according to the keys that encrypt it and the agent identities that are its neighbours. For instance, $F_0(k_{ab}, \{A, \{B, N_b, k_{ab}\}_{k_{as}}\}_{k_{bs}}) = \{B\} \sqcap \ulcorner k_{as} \urcorner_0 = \{A, S, B\}$. This function is called the DEKAN function and it is proved in (Houmani and Mejri, 2007a) to be $\mathcal{C}_0$-safe.
The sufficient condition stating that the agents of a protocol should neither decrease nor increase the security level of messages when they send them over the network can be formalized as follows:
Definition 3 (Coherent Protocol). Let $\mathcal{C} = \langle \mathcal{N}, \Sigma, \mathcal{E}, \mathcal{K}, \mathcal{L}, \ulcorner\cdot\urcorner \rangle$ be a verification context, $F$ a $\mathcal{C}$-interpretation function and $p$ a protocol. The protocol $p$ is said to be $F$-coherent if:
    $\forall r \in R_G(p), \; \forall \alpha \in \mathcal{A}(r^+) \cdot F(\alpha, r^+) = \ulcorner\alpha\urcorner \sqcap F(\alpha, r^-)$
where $r^+$ is the set containing the messages sent during the last step of $r$ and $r^-$ contains the set of messages received by the honest agent in $r$.
Now, the main theorem can be formalized as follows:
Theorem 4. Let $p$ be a protocol, $\mathcal{C}$ a verification context and $F$ a $\mathcal{C}$-interpretation function. If $F$ is $\mathcal{C}$-safe and $p$ is $F$-coherent, then $p$ is $\mathcal{C}$-correct with respect to the secrecy property.
Proof. The proof is almost similar to the ones in (Houmani and Mejri, 2007a). The intuition behind our proof is as follows: since the protocol is $F$-coherent and $F$ is full-invariant by substitution, the valid traces of the protocol, which are interleavings of substituted generalized roles of the protocol, are also $F$-coherent. This means that all the sent messages are encrypted with keys having an appropriate level of security. Furthermore, since $F$ is invariant by intruder manipulation, it follows that the intruder can never deduce, from appropriately protected messages, an inappropriately protected component. Hence, the intruder can never learn from the protocol what he is not eligible to know.
5 CASE STUDY
According to Theorem 4, the first step of the verification is to define a safe interpretation function. To that end, we consider the DEKAN function $F_0$, which is a safe interpretation function (see (Houmani and Mejri, 2007a)) that selects the direct encrypting keys and the neighbours of a message and then interprets the selected elements to deduce the security level of that message. For instance, we have:
    $F_0(\alpha, \{A, B, \alpha\}_{k_{as}}) = \{A, B, S\}$
By using the DEKAN safe interpretation function $F_0$ and Theorem 4, we will try to prove that $p$ (the version of the Woo and Lam protocol given in Table 2) is $\mathcal{C}_0$-correct with respect to the secrecy property. To this end, we only need to prove that the protocol is $F_0$-coherent, i.e., for each generalized role $r$ in Table 3, we have:
    $\forall \alpha \in \mathcal{A}(r^+) \cdot F_0(\alpha, r^+) = \ulcorner\alpha\urcorner \sqcap F_0(\alpha, r^-)$
For the role $A^1_G$, since $\ulcorner A \urcorner = \bot$ and $F_0$ is well-defined ($F_0(A, A) = \bot$), the role $A^1_G$ is $F_0$-coherent:
    $F_0(A, A) = \ulcorner A \urcorner \sqcap F_0(A, A)$
For the role $A^2_G$, since:
    $\ulcorner s^i_{ab} \urcorner = \{A, B, S\}$
    $F_0(X_1, \{X_1, B, X_2\}_{k_{as}}) = \{A, B, S\}$
    $F_0(X_1, \{X_1, S, s^i_{ab}\}_{X_2}) = \{A, B, S\}$
    $F_0(s^i_{ab}, \{X_1, S, s^i_{ab}\}_{X_2}) = \{A, B, S\}$
the role $A^2_G$ is $F_0$-coherent. Indeed, we have:
    $F_0(X_1, \{X_1, S, s^i_{ab}\}_{X_2}) = \ulcorner X_1 \urcorner \sqcap F_0(X_1, \{X_1, B, X_2\}_{k_{as}})$
    $F_0(s^i_{ab}, \{X_1, S, s^i_{ab}\}_{X_2}) = \ulcorner s^i_{ab} \urcorner \sqcap F_0(s^i_{ab}, \{X_1, B, X_2\}_{k_{as}})$
For the role $B^1_G$, since:
    $\ulcorner A \urcorner = \bot$
    $F_0(k^i_{ab}, \{N^i_b, A, k^i_{ab}\}_{k_{bs}}) = \{A, B, S\}$
    $F_0(N^i_b, \{N^i_b, A, k^i_{ab}\}_{k_{bs}}) = \{A, B, S\}$
    $\ulcorner k^i_{ab} \urcorner = \ulcorner N^i_b \urcorner = \{A, B, S\}$
and since $F_0$ is well-defined ($F_0(A, A) = \bot$, $F_0(N^i_b, A) = \top$), the role $B^1_G$ is $F_0$-coherent. Indeed, we have:
    $F_0(N^i_b, \{N^i_b, A, k^i_{ab}\}_{k_{bs}}) = \ulcorner N^i_b \urcorner \sqcap F_0(N^i_b, A)$
For the role $B^2_G$, since:
    $\ulcorner A \urcorner = \bot$
    $F_0(k^i_{ab}, \{N^i_b, A, k^i_{ab}\}_{k_{bs}}) = \{A, B, S\}$
    $F_0(N^i_b, \{N^i_b, A, k^i_{ab}\}_{k_{bs}}) = \{A, B, S\}$
    $\ulcorner k^i_{ab} \urcorner = \ulcorner N^i_b \urcorner = \{A, B, S\}$
and since $F_0$ is well-defined ($F_0(A, A) = \bot$, $F_0(N^i_b, A) = \top$), the role $B^2_G$ is $F_0$-coherent. Indeed, we have:
    $F_0(N^i_b, \{N^i_b, A, k^i_{ab}\}_{k_{bs}}) = \ulcorner N^i_b \urcorner \sqcap F_0(N^i_b, A)$
For the role $S^1_G$, since:
    $F_0(U, \{U, A, V\}_{k_{bs}}) = \{A, B, S\}$
    $F_0(V, \{U, A, V\}_{k_{bs}}) = \{A, B, S\}$
    $F_0(U, \{U, B, V\}_{k_{as}}) = \{A, B, S\}$
    $F_0(V, \{U, B, V\}_{k_{as}}) = \{A, B, S\}$
and since $\ulcorner U \urcorner = \ulcorner V \urcorner = \top$, the role $S^1_G$ is $F_0$-coherent. Indeed, we have:
    $F_0(U, \{U, B, V\}_{k_{as}}) = \ulcorner U \urcorner \sqcap F_0(U, \{U, A, V\}_{k_{bs}})$
    $F_0(V, \{U, B, V\}_{k_{as}}) = \ulcorner V \urcorner \sqcap F_0(V, \{U, A, V\}_{k_{bs}})$
Therefore, this protocol is $F_0$-coherent and so $\mathcal{C}_0$-correct with respect to the secrecy property.
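The computation of this section carried out in code, as an added example that is not part of the paper: a DEKAN-style $F_0$ over the message algebra of $\Sigma_0$ and the coherence check of Definition 3 run on the roles of Table 3, plus a constructed non-coherent variant that the check rejects. It assumes that a variable key is rated from the messages in which the agent received it, that public atoms ($\ulcorner\alpha\urcorner = \bot$) are not checked, and it introduces a constructed key kai shared with the intruder.

```python
# DEKAN-style interpretation function F0 and the F-coherence check of Definition 3, run over
# the generalized roles of Table 3.  Lattice L0 = 2^I ordered by reverse inclusion: a larger
# set of allowed agents is a lower level, meet is union, bottom is "everyone", top is the empty set.
IDENTITIES = frozenset({"A", "B", "S", "I"})        # "I" is the intruder (constructed)
BOTTOM, TOP = IDENTITIES, frozenset()
meet = frozenset.union

# Typed environment of Table 2.  Variables (X1, X2, Y1, U, V) are outside its domain and get TOP,
# as in Section 5.  "kai" is a constructed key shared with the intruder for the counterexample.
TYPES = {"A": BOTTOM, "B": BOTTOM, "S": BOTTOM,
         "kas": frozenset({"A", "S"}), "kbs": frozenset({"B", "S"}), "kai": frozenset({"A", "I"}),
         "Nb": frozenset("ABS"), "kab": frozenset("ABS"), "sab": frozenset("ABS")}

# Message algebra: an atom is a str, enc(m, k) = {m}_k, tup(...) = <m1, ..., mn>.
def enc(m, k): return ("enc", m, k)
def tup(*ms): return ("tup", *ms)

def atoms(m):
    """Atomic components in plaintext position (encrypting keys are rated by key_level)."""
    if isinstance(m, str): return {m}
    if m[0] == "enc": return atoms(m[1])
    return set().union(*(atoms(x) for x in m[1:]))

def key_level(k, received):
    # Assumption: a variable key (X2 in role A2) is rated by the messages the agent
    # received it in, which reproduces the page's F0(X1, {X1, s_ab}_X2) = {A, B, S}.
    return TYPES[k] if k in TYPES else dekan(k, received, received)

def dekan_one(alpha, m, key, received):
    """Level of alpha inside one message m whose direct encrypting key is key (None = clear)."""
    if isinstance(m, str):
        if m != alpha: return TOP
        return BOTTOM if key is None else key_level(key, received)
    if m[0] == "enc":
        return dekan_one(alpha, m[1], m[2], received)
    level = TOP
    for x in m[1:]:
        if x == alpha:  # the identities sitting next to alpha are its neighbours
            ids = frozenset(y for y in m[1:] if isinstance(y, str) and y in IDENTITIES and y != alpha)
            level = meet(level, meet(ids, BOTTOM if key is None else key_level(key, received)))
        elif not isinstance(x, str):
            level = meet(level, dekan_one(alpha, x, key, received))
    return level

def dekan(alpha, messages, received):
    """F0(alpha, M): meet over the messages of M (well-formedness); TOP if alpha is absent."""
    level = TOP
    for m in messages:
        level = meet(level, dekan_one(alpha, m, None, received))
    return level

def coherent(role, sent, received):
    """Definition 3 for one role: F0(a, r+) = ⌜a⌝ ⊓ F0(a, r-) for every atom a of r+.
    Public atoms (⌜a⌝ = ⊥, the principal identifiers) are not checked, as in Section 5."""
    failures = []
    for a in sorted(atoms(tup(*sent))):
        real = TYPES.get(a, TOP)
        if real == BOTTOM: continue
        lhs, rhs = dekan(a, sent, received), meet(real, dekan(a, received, received))
        if lhs != rhs: failures.append((role, a, set(lhs), set(rhs)))
    return failures

# Table 3 roles as (messages sent by the honest agent, messages it received).
ROLES = {"A1": (["A"], []),
         "A2": (["A", enc(tup("X1", "sab"), "X2")], [enc(tup("X1", "B", "X2"), "kas")]),
         "B1": ([enc(tup("Nb", "A", "kab"), "kbs")], ["A"]),
         "B2": ([enc(tup("Nb", "A", "kab"), "kbs")], ["A", enc(tup("Nb", "Y1"), "kab")]),
         "S1": ([enc(tup("U", "B", "V"), "kas")], [enc(tup("U", "A", "V"), "kbs")])}
# Constructed variant: A sends the session secret under the key it shares with the intruder.
LEAKY = {"A2'": (["A", enc(tup("X1", "sab"), "kai")], [enc(tup("X1", "B", "X2"), "kas")])}

def check(roles):
    """All coherence violations of a role-based specification; [] means F0-coherent."""
    return [f for role, (sent, recv) in roles.items() for f in coherent(role, sent, recv)]
```

`check(ROLES)` returns an empty list, while `check(LEAKY)` reports that X1 and s_ab are rated {A, I} when sent, against the {A, B, S} required by the right-hand side of Definition 3.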
6 CONCLUSIONS
In this paper, we have extended the result obtained in our previous works (Houmani and Mejri, 2007a; Houmani and Mejri, 2007b; Houmani and Mejri, 2008) to deal with protocols that use temporary keys (also called session keys). The main idea is that agents always include, implicitly or explicitly, within the messages the exact security levels of components, so that this information can never be manipulated by an intruder.
According to the main result of this paper, the first step of the verification of the secrecy property is to find a safe interpretation function, and this is the delicate part of the approach. That is why we have proposed in (Houmani and Mejri, 2007a; Houmani and Mejri, 2007b; Houmani and Mejri, 2008) some guidelines for defining examples of such functions. As future work, we would like to extend these guidelines to obtain more safe interpretation functions and so to handle more cryptographic protocols.
REFERENCES
Abadi, M. and Cortier, V. (2006). Deciding knowledge in security protocols under equational theories. Theor. Comput. Sci., 367(1):2–32.
Boreale, M. and Gorla, D. (2002). Process calculi and the verification of security properties. Journal of Telecommunication and Information Technology, Special Issue on Cryptographic Protocol Verification, (4/02):28–40.
Chevalier, Y., Küsters, R., Rusinowitch, M., and Turuani, M. (2003). An NP decision procedure for protocol insecurity with XOR. In LICS '03, volume 25. IEEE Computer Society Press.
Comon, H. and Shmatikov, V. (2002). Is it possible to decide whether a cryptographic protocol is secure or not? Journal of Telecommunications and Information Technology.
Comon-Lundh, H. and Cortier, V. (2003a). New decidability results for fragments of first-order logic and application to cryptographic protocols. In RTA, pages 148–164.
Comon-Lundh, H. and Cortier, V. (2003b). New Decidability Results for Fragments of First-Order Logic and Application to Cryptographic Protocols, volume 2706 of Lecture Notes in Computer Science. Springer Berlin / Heidelberg.
Debbabi, M., Mejri, M., Tawbi, N., and Yahmadi, I. (1997). From Protocol Specifications to Flaws and Attack Scenarios: An Automatic and Formal Algorithm. In Proceedings of the Second International Workshop on Enterprise Security, Massachusetts Institute of Technology (MIT), Cambridge, Massachusetts, USA. IEEE Press.
Goubault-Larrecq, J. (2005). Deciding H1 by resolution. Inf. Process. Lett., 95(3):401–408.
Houmani, H. and Mejri, M. (2007a). Practical and universal interpretation functions for secrecy. In International Conference on Security and Cryptography: Secrypt, Barcelona, Spain.
Houmani, H. and Mejri, M. (2007b). Secrecy by interpretation functions. Journal of Knowledge-Based Systems, 20(7):617–635.
Houmani, H. and Mejri, M. (2008). Sufficient conditions for secrecy under equational theories. In The 2nd International Conference on Information Security and Assurance, Busan, Korea. IEEE CS.
Jacquemard, F., Rusinowitch, M., and Vigneron, L. (2000). Compiling and verifying security protocols. In Logic Programming and Automated Reasoning, pages 131–160.
Meadows, C. (2003). What makes a cryptographic protocol secure? The evolution of requirements specification in formal cryptographic protocol analysis. In Proceedings of ESOP 03. Springer-Verlag.
Paulson, L. C. (1997). Mechanized proofs for a recursive authentication protocol. In 10th Computer Security Foundations Workshop, pages 84–95. IEEE Computer Society Press.
Sabelfeld, A. and Myers, A. (2003). Language-based information-flow security.
Shmatikov, V. (2004). NP Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation, volume 2986 of Lecture Notes in Computer Science. Springer Berlin / Heidelberg.
Turuani, M. (2003). Sécurité des protocoles cryptographiques : décidabilité et complexité. PhD thesis, Université Henri Poincaré, Nancy.
Woo, T. Y. C. and Lam, S. S. (1994). A Lesson on Authentication Protocol Design. Operating Systems Review, pages 24–37.