We look at a new way of specifying and verifying cryptographic protocols using the Coalgebraic Class Specification Language. Protocols are specified into CCSL (with temporal operators for “free”) and translated by the CCSL compiler into theories for the theorem prover PVS. Within PVS, the desired security conditions can then be (dis)proved. In addition, we are interested in using assumptions wh...

In this paper we attempt to formally study two very intuitive physical models: sealed envelopes and locked boxes, often used as illustrations for common cryptographic operations. We relax the security properties usually required from locked boxes (such as in bit-commitment protocols) and require only that a broken lock or torn envelope be identifiable to the original sender. Unlike the complete...

Modeling is a popular way of representing the behavior of a system. A very useful type of model in computing is an abstract state machine which describes transitions over first order structures. The general purpose model-based testing tool SpecExplorer (used within Microsoft, also available externally) uses such a model, written in AsmL or Spec#, to perform a search that checks that all reachab...

Fail-stop cryptographic protocols are characterized by the property that they terminate when an active attack is detected, rather than releasing information valuable to the attacker. Since such a construction forces attacks (other than denial-of-service) to be passive, the protocol designer's concerns can be restricted to passive attacks and malicious insiders. A signi cant advantage of such pr...

A group is a mathematical structure 〈G; ∗〉 consisting of a non-empty set G and a binary operation ∗ : G×G→ G and satisfying the following axioms: (A1) The operation ∗ is associative, i.e., for any x, y, z ∈ G, x ∗ (y ∗ z) = (x ∗ y) ∗ z. (A2) There exists a neutral element e for ∗, i.e., x ∗ e = e ∗ x = x for all x ∈ G. (A3) Every element x ∈ G has an inverse x̂, i.e., x ∗ x̂ = x̂ ∗ x = e. If ∗ is ...

In the veriication of cryptographic protocols along the approach of the logic for authentication by Burrows, Abadi, and Needham, it is possible to write a speciica-tion which does not faithfully represent the real world situation. Such a speciication, though impossible or unreasonable to implement, can go undetected and be veriied to be correct. It can also lead to logical statements that do no...

We present public-key cryptographic protocols for key exchange, digital signatures, and encryption whose security is based on the presumed intractability of solving the principal ideal problem, or equivalently, the distance problem, in the real model of a hyperelliptic curve. Our protocols represent a significant improvement over existing protocols using real hyperelliptic curves. Theoretical a...

We describe a method for enumerating all essentially different executions possible for a cryptographic protocol. We call them the shapes of the protocol. Naturally occurring protocols have only finitely many, indeed very few shapes. Authentication and secrecy properties are easy to determine from them, as are attacks and anomalies. cpsa, our Cryptographic Protocol Shape Analyzer, implements the...

Attacks on Cryptographic Hashes in Internet Protocols Status of This Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Abstract Recent announcements of better-than-expected collision attacks in popular hash algorithms have caused some people to question whether common Internet protocols n...

A t-out-of-n secret-sharing scheme allows an honest dealer D to distribute a secret s among n players, such that any subset of t players has no information about s, but every set of t + 1 players can collaboratively reconstruct the secret. The most famous secret-sharing scheme is Shamir’s Sharing Scheme [Sha79] (cf. Section 8.1.2). It uses polynomials to obtain the desired properties. Before pr...