No file available
To read the file of this research,
you can request a copy directly from the authors.
Cryptis: Cryptographic Reasoning in Separation Logic
Preprints and early-stage research may not have been peer reviewed yet.
Abstract
We introduce Cryptis, an extension of the Iris separation logic that can be used to verify cryptographic components using the symbolic model of cryptography. The combination of separation logic and cryptographic reasoning allows us to prove the correctness of a protocol and later reuse this result to verify larger systems that rely on the protocol. To make this integration possible, we propose novel specifications for authentication protocols that allow agents in a network to agree on the use of system resources. We evaluate our approach by verifying various authentication protocols and a key-value store server that uses these authentication protocols to connect to clients. Our results are formalized in Coq.
ResearchGate has not been able to resolve any citations for this publication.
Probabilistic independence is a useful concept for describing the result of random sampling—a basic operation in all probabilistic languages—and for reasoning about groups of random variables. Nevertheless, existing verification methods handle independence poorly, if at all. We propose a probabili stic separation logic PSL, where separation models probabilistic independence. We first give a new, probabilistic model of the logic of bunched implications (BI). We then build a program logic based on these assertions, and prove soundness of the proof system. We demonstrate our logic by verifying information-theoretic security of cryptographic constructions for several well-known tasks, including private information retrieval, oblivious transfer, secure multi-party addition, and simple oblivious RAM. Our proofs reason purely in terms of high-level properties, like independence and uniformity.
Message passing is a useful abstraction to implement concurrent programs. For real-world systems, however, it is often combined with other programming and concurrency paradigms, such as higher-order functions, mutable state, shared-memory concurrency, and locks. We present Actris: a logic for proving functional correctness of programs that use a combination of the aforementioned features. Actris combines the power of modern concurrent separation logics with a first-class protocol mechanism—based on session types—for reasoning about message passing in the presence of other concurrency paradigms. We show that Actris provides a suitable level of abstraction by proving functional correctness of a variety of examples, including a distributed merge sort, a distributed load-balancing mapper, and a variant of the map-reduce model, using relatively simple specifications. Soundness of Actris is proved using a model of its protocol mechanism in the Iris framework. We mechanised the theory of Actris, together with tactics for symbolic execution of programs, as well as all examples in the paper, in the Coq proof assistant.
Iris is a framework for higher-order concurrent separation logic, which has been implemented in the Coq proof assistant and deployed very effectively in a wide variety of verification projects. Iris was designed with the express goal of simplifying and consolidating the foundations of modern separation logics, but it has evolved over time, and the design and semantic foundations of Iris itself have yet to be fully written down and explained together properly in one place. Here, we attempt to fill this gap, presenting a reasonably complete picture of the latest version of Iris (version 3.1), from first principles and in one coherent narrative.
Distributed systems play a crucial role in modern infrastructure, but are notoriously difficult to implement correctly. This difficulty arises from two main challenges: (a) correctly implementing core system components (e.g., two-phase commit), so all their internal invariants hold, and (b) correctly composing standalone system components into functioning trustworthy applications (e.g., persistent storage built on top of a two-phase commit instance). Recent work has developed several approaches for addressing (a) by means of mechanically verifying implementations of core distributed components, but no methodology exists to address (b) by composing such verified components into larger verified applications. As a result, expensive verification efforts for key system components are not easily reusable, which hinders further verification efforts.
In this paper, we present Disel, the first framework for implementation and compositional verification of distributed systems and their clients, all within the mechanized, foundational context of the Coq proof assistant. In Disel, users implement distributed systems using a domain specific language shallowly embedded in Coq and providing both high-level programming constructs as well as low-level communication primitives. Components of composite systems are specified in Disel as protocols, which capture system-specific logic and disentangle system definitions from implementation details. By virtue of Disel's dependent type system, well-typed implementations always satisfy their protocols' invariants and never go wrong, allowing users to verify system implementations interactively using Disel's Hoare-style program logic, which extends state-of-the-art techniques for concurrency verification to the distributed setting. By virtue of the substitution principle and frame rule provided by Disel's logic, system components can be composed leading to modular, reusable verified distributed systems.
We describe Disel, illustrate its use with a series of examples, outline its logic and metatheory, and report on our experience using it as a framework for implementing, specifying, and verifying distributed systems.
Formal methods have proved their usefulness for analysing the security of protocols. In this setting, privacy-type security properties (e.g. vote-privacy, anonymity, unlink ability) that play an important role in many modern applications are formalised using a notion of equivalence. In this paper, we study the notion of trace equivalence and we show how to establish such an equivalence relation in a modular way. It is well-known that composition works well when the processes do not share secrets. However, there is no result allowing us to compose processes that rely on some shared secrets such as long term keys. We show that composition works even when the processes share secrets provided that they satisfy some reasonable conditions. Our composition result allows us to prove various equivalence-based properties in a modular way, and works in a quite general setting. In particular, we consider arbitrary cryptographic primitives and processes that use non-trivial else branches. As an example, we consider the ICAO e-passport standard, and we show how the privacy guarantees of the whole application can be derived from the privacy guarantees of its sub-protocols.
Formal methods have been proved successful in analyzing different kinds of security protocols. They typically formalize and study the security guarantees provided by cryptographic protocols, when executed by a (possibly unbounded) number of different participants. A key problem in applying formal methods to cryptographic protocols, is the study of multi-protocol systems, where different protocols are concurrently executed. This scenario is particularly interesting in a global computing setting, where several different security services coexist and are possibly combined together. In this paper, we discuss how the tagging mechanism presented in [M. Bugliesi, R. Focardi, and M. Maffei. Compositional analysis of authentication protocols. In Proceedings of European Symposium on Programming (ESOP 2004), volume 2986 of Lecture Notes in Computer Science, pages 140–154. Springer-Verlag, 2004, M. Bugliesi, R.Focardi, and M.Maffei. A theory of types and effects for authentication. In ACM Proceedings of Formal Methods for Security Engineering: from Theory to Practice (FMSE 2004), pages 1–12. ACM Press, October 2004] addresses this issue.
We propose a type and effect system for authentication protocols built upon a tagging scheme that formalizes the intended semantics of ciphertexts. The main result is that the validation of each component in isolation is provably sound and fully compositional: if all the protocol participants are independently validated, then the protocol as a whole guarantees authentication in the presence of Dolev-Yao intruders. The highly compositional nature of the analysis makes it suitable for multi-protocol systems, where different protocols might be executed concurrently.
We propose a new method to check authenticity properties of cryptographic protocols. First, code up the protocol in the spi-calculus of Abadi and Gordon. Second, specify authenticity properties by annotating the code with correspondence assertions in the style of Woo and Lam. Third, figure out types for the keys, nonces, and messages of the protocol. Fourth, check that the spi-calculus code is welltyped according to a novel type and effect system presented in this paper. Our main theorem guarantees that any welltyped protocol is robustly safe, that is, its correspondence assertions are true in the presence of any opponent expressible in spi.
Protocol Composition Logic (PCL) is a logic for proving authentication and secrecy properties of network protocols. This chapter presents the central concepts of PCL, including a protocol programming language, the semantics of protocol execution in the presence of a network attacker, the syntax and semantics of PCL assertions, and axioms and proof rules for proving authentication properties. The presentation draws on a logical framework enhanced with subtyping, setting the stage for mechanizing PCL proofs. and gives a new presentation of PCL semantics involving honest and unconstrained principals. Other papers on PCL provide additional axioms, proof rules, and case studies of standardized protocols in common use.
We present Lilac, a separation logic for reasoning about probabilistic programs where separating conjunction captures probabilistic independence. Inspired by an analogy with mutable state where sampling corresponds to dynamic allocation, we show how probability spaces over a fixed, ambient sample space appear to be the natural analogue of heap fragments, and present a new combining operation on them such that probability spaces behave like heaps and measurability of random variables behaves like ownership. This combining operation forms the basis for our model of separation, and produces a logic with many pleasant properties. In particular, Lilac has a frame rule identical to the ordinary one, and naturally accommodates advanced features like continuous random variables and reasoning about quantitative properties of programs. Then we propose a new modality based on disintegration theory for reasoning about conditional probability. We show how the resulting modal logic validates examples from prior work, and give a formal verification of an intricate weighted sampling algorithm whose correctness depends crucially on conditional independence structure.
Formal reasoning about hashing-based probabilistic data structures often requires reasoning about random variables where when one variable gets larger (such as the number of elements hashed into one bucket), the others tend to be smaller (like the number of elements hashed into the other buckets). This is an example of negative dependence , a generalization of probabilistic independence that has recently found interesting applications in algorithm design and machine learning. Despite the usefulness of negative dependence for the analyses of probabilistic data structures, existing verification methods cannot establish this property for randomized programs.
To fill this gap, we design LINA, a probabilistic separation logic for reasoning about negative dependence. Following recent works on probabilistic separation logic using separating conjunction to reason about the probabilistic independence of random variables, we use separating conjunction to reason about negative dependence. Our assertion logic features two separating conjunctions, one for independence and one for negative dependence. We generalize the logic of bunched implications (BI) to support multiple separating conjunctions, and provide a sound and complete proof system. Notably, the semantics for separating conjunction relies on a non-deterministic , rather than partial, operation for combining resources. By drawing on closure properties for negative dependence, our program logic supports a Frame-like rule for negative dependence and monotone operations. We demonstrate how LINA can verify probabilistic properties of hash-based data structures and balls-into-bins processes.
Steel is a language for developing and proving concurrent programs embedded in F ⋆ , a dependently typed programming language and proof assistant. Based on SteelCore, a concurrent separation logic (CSL) formalized in F ⋆ , our work focuses on exposing the proof rules of the logic in a form that enables programs and proofs to be effectively co-developed.
Our main contributions include a new formulation of a Hoare logic of quintuples involving both separation logic and first-order logic, enabling efficient verification condition (VC) generation and proof discharge using a combination of tactics and SMT solving. We relate the VCs produced by our quintuple system to solving a system of associativity-commutativity (AC) unification constraints and develop tactics to (partially) solve these constraints using AC-matching modulo SMT-dischargeable equations.
Our system is fully mechanized and implemented in F ⋆ . We evaluate it by developing several verified programs and libraries, including various sequential and concurrent linked data structures, proof libraries, and a library for 2-party session types. Our experience leads us to conclude that our system enables a mixture of automated and interactive proof, making it productive to build programs foundationally verified against a highly expressive, state-of-the-art CSL.
Concurrent Separation Logic (CSL) was originally advanced in papers of the authors published in Theoretical Computer Science for John Reynolds's 70th Birthday Festschrift (2007). Preliminary versions appeared as invited papers in the CONCUR'04 conference proceedings. Foundational work leading to these papers began in 2002. Since then there have been significant developments stemming from CSL, both in theoretical and practical research. In this retrospective paper we describe the main ideas that underpin CSL, placing these ideas into historical context by summarizing the prevailing tendencies in concurrency verification and programming language semantics when the logic was being invented in 2002-2003. We end with a snapshot of the state-of-the-art as of 2016. Along the way we describe some of the main developments in the intervening period, and we attempt to classify the work that has been done, along broad lines. While we do not intend an exhaustive survey, we do hope to provide some general perspective on what has been achieved in the field, what remains to be done, and directions for future work.
Much recent research has been devoted to modeling effects within type theory. Building on this work, we observe that effectful type theories can provide a foundation on which to build semantics for more complex programming constructs and program logics, extending the reasoning principles that apply within the host effectful type theory itself.
Concretely, our main contribution is a semantics for concurrent separation logic (CSL) within the F ⋆ proof assistant in a manner that enables dependently typed, effectful F ⋆ programs to make use of concurrency and to be specified and verified using a full-featured, extensible CSL. In contrast to prior approaches, we directly derive the partial-correctness Hoare rules for CSL from the denotation of computations in the effectful semantics of non-deterministically interleaved atomic actions.
Demonstrating the flexibility of our semantics, we build generic, verified libraries that support various concurrency constructs, ranging from dynamically allocated, storable spin locks, to protocol-indexed channels. We conclude that our effectful semantics provides a simple yet expressive basis on which to layer domain-specific languages and logics for verified, concurrent programming.
We present ReLoC: a logic for proving refinements of programs in a language with higher-order state, fine-grained concurrency, polymorphism and recursive types. The core of our logic is a judgement e ⪯ e': τ, which expresses that a program e refines a program e' at type τ. In contrast to earlier work on refinements for languages with higher-order state and concurrency, ReLoC provides type- and structure-directed rules for manipulating this judgement, whereas previously, such proofs were carried out by unfolding the judgement into its definition in the model. These more abstract proof rules make it simpler to carry out refinement proofs.
Moreover, we introduce logically atomic relational specifications: a novel approach for relational specifications for compound expressions that take effect at a single instant in time. We demonstrate how to formalise and prove such relational specifications in ReLoC, allowing for more modular proofs.
ReLoC is built on top of the expressive concurrent separation logic Iris, allowing us to leverage features of Iris such as invariants and ghost state. We provide a mechanisation of our logic in Coq, which does not just contain a proof of soundness, but also tactics for interactively carrying out refinements proofs. We have used these tactics to mechanise several examples, which demonstrates the practicality and modularity of our logic.
When using a proof assistant to reason in an embedded logic -- like separation logic -- one cannot benefit from the proof contexts and basic tactics of the proof assistant. This results in proofs that are at a too low level of abstraction because they are cluttered with bookkeeping code related to manipulating the object logic.
In this paper, we introduce a so-called proof mode that extends the Coq proof assistant with (spatial and non-spatial) named proof contexts for the object logic. We show that thanks to these contexts we can implement high-level tactics for introduction and elimination of the connectives of the object logic, and thereby make reasoning in the embedded logic as seamless as reasoning in the meta logic of the proof assistant. We apply our method to Iris: a state of the art higher-order impredicative concurrent separation logic.
We show that our method is very general, and is not just limited to program verification. We demonstrate its generality by formalizing correctness proofs of fine-grained concurrent algorithms, derived constructs of the Iris logic, and a unary and binary logical relation for a language with concurrency, higher-order store, polymorphism, and recursive types. This is the first formalization of a binary logical relation for such an expressive language. We also show how to use the logical relation to prove contextual refinement of fine-grained concurrent algorithms.
We present a new type system for verifying the security of reference implementations of cryptographic protocols written in a core functional programming language. The type system combines prior work on refinement types, with union, intersection, and polymorphic types, and with the novel ability to reason statically about the disjointness of types. The increased expressivity enables the analysis of important protocol classes that were previously out of scope for the type-based analyses of reference protocol implementations. In particular, our types can statically characterize: i more usages of asymmetric cryptography, such as signatures of private data and encryptions of authenticated data; ii authenticity and integrity properties achieved by showing knowledge of secret data; iii applications based on zero-knowledge proofs. The type system comes with a mechanized proof of correctness and an efficient type-checker.
We define , an untyped call-by-value λ-calculus with primitives for protecting abstract data by sealing, and develop a bisimulation proof method that is sound and complete with respect to contextual equivalence. This provides a formal basis for reasoning about data abstraction in open, dynamic settings where static techniques such as type abstraction and logical relations are not applicable.
We present a trace semantics for a language of parallel programs which share access to mutable data. We introduce a resource-sensitive logic for partial correctness, based on a recent proposal of O’Hearn, adapting separation logic to the concurrent setting. The logic allows proofs of parallel programs in which “ownership” of critical data, such as the right to access, update or deallocate a pointer, is transferred dynamically between concurrent processes. We prove soundness of the logic, using a novel “local” interpretation of traces which allows accurate reasoning about ownership. We show that every provable program is race-free.
Automatic security protocol analysis is currently feasible only for small protocols. Since larger protocols quite often are composed of many small protocols, compositional analysis is an attractive, but non-trivial approach.We have developed a framework for compositional analysis of a large class of security protocols. The framework is intended to facilitate automatic as well as manual verification of large structured security protocols. Our approach is to verify properties of component protocols in a multi-protocol environment, then deduce properties about the composed protocol. To reduce the complexity of multi-protocol verification, we introduce a notion of protocol independence and prove a number of theorems that enable analysis of independent component protocols in isolation.To illustrate the applicability of our framework to real-world protocols, we study a key establishment sequence in WiMAX consisting of three subprotocols. Except for a small amount of trivial reasoning, the analysis is done using automatic tools.
Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.
A language for parallel programming, with a primitive construct for synchronization and mutual exclusion, is presented. Hoare's deductive system for proving partial correctness of sequential programs is extended to include the parallelism described by the language. The proof method lends insight into how one should understand and present parallel programs. Examples are given using several of the standard problems in the literature. Methods for proving termination and the absence of deadlock are also given.
The theory of relational parametricity and its logical relations proof technique are powerful tools for reasoning about information hiding in the polymorphic λ-calculus. We investigate the application of these tools in the security domain by defining a cryptographic λ-calculus - an extension of the standard simply typed λ-calculus with primitives for encryption, decryption, and key generation - and introducing syntactic logical relations (in the style of Pitts and Birkedal-Harper) for this calculus that can be used to prove behavioral equivalences between programs that use encryption.We illustrate the framework by encoding some simple security protocols, including the Needham-Schroeder public-key protocol. We give a natural account of the well-known attack on the original protocol and a straightforward proof that the improved variant of the protocol is secure.
We study the composition of security protocols when protocols share secrets such as keys. We show (in a Dolev-Yao model) that if two protocols use disjoint cryptographic primitives, their composition is secure if the individual protocols are secure, even if they share data. Our result holds for any cryptographic primitives that can be modeled using equational theories, such as encryption, signature, MAC, exclusive-or, and Diffie-Hellman. Our main result transforms any attack trace of the combined protocol into an attack trace of one of the individual protocols. This allows various ways of combining protocols such as sequentially or in parallel, possibly with inner replications. As an application, we show that a protocol using preestablished keys may use any (secure) key-exchange protocol without jeopardizing its security, provided that they do not use the same primitives. This allows us, for example, to securely compose a Diffie-Hellman key exchange protocol with any other protocol using the exchanged key, provided that the second protocol does not use the Diffie-Hellman primitives. We also explore tagging, which is a way of forcing the disjointness of two protocols that share cryptographic primitives We explain why composing protocols which use tagged cryptographic primitives like encryption and hash functions is secure by reducing this problem to the previous one.
In joint work with Peter O'Hearn and others, based on early ideas of Burstall, we have developed an extension of Hoare logic that permits reasoning about low-level imperative programs that use shared mutable data structure. The simple imperative programming language is extended with commands (not expressions) for accessing and modifying shared structures, and for explicit allocation and deallocation of storage. Assertions are extended by introducing a "separating conjunction" that asserts that its subformulas hold for disjoint parts of the heap, and a closely related "separating implication". Coupled with the inductive definition of predicates on abstract data structures, this extension permits the concise and flexible description of structures with controlled sharing. In this paper, we survey the current development of this program logic, including extensions that permit unrestricted address arithmetic, dynamically allocated arrays, and recursive procedures. We also discuss promising future directions.
Many security protocols have the aim of authenticating one agent
to another. Yet there is no clear consensus in the academic literature
about precisely what “authentication” means. We suggest that
the appropriate authentication requirement will depend upon the use to
which the protocol is put, and identify several possible definitions of
“authentication”. We formalize each definition using the
process algebra CSP, use this formalism to study their relative
strengths, and show how the model checker FDR can be used to test
whether a system running the protocol meets such a specification
In this paper we show how a resource-oriented logic, separation logic, can be used to reason about the usage of resources in concurrent programs.
Composing Security Protocols: From Confidentiality to Privacy
- Myrto Arapinis
- Vincent Cheval
- Stéphanie Delaune
Myrto Arapinis, Vincent Cheval, and Stéphanie Delaune. "Composing Security Protocols:
From Confidentiality to Privacy". In: Principles of Security and Trust -4th International Conference, POST 2015, Held as Part of the European Joint Conferences on Theory and Practice of
Software, ETAPS 2015, London, UK, April 11-18, 2015, Proceedings. Ed. by Riccardo Focardi and
Andrew C. Myers. Vol. 9036. Lecture Notes in Computer Science. Springer, 2015, pp. 324-343.
: 10.1007/978-3-662-46666-7\_17.
: https://doi.org/10.1007/978-3-662-46666-7%5C_17.
Union and Intersection Types for Secure Protocol Implementations
- Michael Backes
- Catalin Hritcu
- Matteo Maffei
Michael Backes, Catalin Hritcu, and Matteo Maffei. "Union and Intersection Types for Secure
Protocol Implementations". In: Theory of Security and Applications -Joint Workshop, TOSCA
2011, Saarbrücken, Germany, March 31 -April 1, 2011, Revised Selected Papers. Ed. by Sebastian Mödersheim and Catuscia Palamidessi. Vol. 6993. Lecture Notes in Computer Science.
Springer, 2011, pp. 1-28.
: 10.1007/978-3-642-27375-9\_1.
: https://doi.org/10.1007/978-3-642-273
SoK: Computer-Aided Cryptography
- Manuel Barbosa
Manuel Barbosa et al. "SoK: Computer-Aided Cryptography". In: IACR Cryptol. ePrint Arch.
2019 (2019), p. 1393.
: https://eprint.iacr.org/2019/1393.
EasyCrypt: A Tutorial
- Gilles Barthe
Gilles Barthe et al. "EasyCrypt: A Tutorial". In: Foundations of Security Analysis and Design
VII -FOSAD 2012/2013 Tutorial Lectures. Ed. by Alessandro Aldini, Javier López, and Fabio
Martinelli. Vol. 8604. Lecture Notes in Computer Science. Springer, 2013, pp. 146-166.
:
10.1007/978-3-319-10082-1\_6.
: https://doi.org/10.1007/978-3-319-10082-1%5C_6.
Layered Symbolic Security Analysis in DY ★
- Karthikeyan Bhargavan
Karthikeyan Bhargavan et al. "Layered Symbolic Security Analysis in DY ★ ". In: Computer
Security -ESORICS 2023 -28th European Symposium on Research in Computer Security, The
Hague, The Netherlands, September 25-29, 2023, Proceedings, Part III. Ed. by Gene Tsudik et al.
Vol. 14346. Lecture Notes in Computer Science. Springer, 2023, pp. 3-21.
: 10.1007/978-3-031-51479-1
: https://doi.org/10.1007/978-3-031-51479-1%5C_1.
Compositional Analysis of Authentication Protocols
- Michele Bugliesi
- Riccardo Focardi
- Matteo Maffei
Michele Bugliesi, Riccardo Focardi, and Matteo Maffei. "Compositional Analysis of Authentication Protocols". In: Programming Languages and Systems, 13th European Symposium on
Programming, ESOP 2004, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2004, Barcelona, Spain, March 29 -April 2, 2004, Proceedings. Ed. by
David A. Schmidt. Vol. 2986. Lecture Notes in Computer Science. Springer, 2004, pp. 140-154.
: 10.1007/978-3-540-24725-8\_11.
: https://doi.org/10.1007/978-3-540-24725-8%5C_11.
A Logic of Authentication
- Michael Burrows
- Martín Abadi
- Roger M Needham
Michael Burrows, Martín Abadi, and Roger M. Needham. "A Logic of Authentication". In:
ACM Trans. Comput. Syst. 8.1 (1990), pp. 18-36.
: 10.1145/77648.77649.
: https://doi.org/10.1145/77
Pragmatic Quotient Types in Coq
- Cyril Cohen
Cyril Cohen. "Pragmatic Quotient Types in Coq". In: Interactive Theorem Proving -4th International Conference, ITP 2013, Rennes, France, July 22-26, 2013. Proceedings. Ed. by Sandrine Blazy, Christine Paulin-Mohring, and David Pichardie. Vol. 7998. Lecture Notes in
Computer Science. Springer, 2013, pp. 213-228.
: 10.1007/978-3-642-39634-2\_17.
:
https://doi.org/10.1007/978-3-642-39634-2%5C_17.
OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks
- Stanislaw Jarecki
- Hugo Krawczyk
- Jiayu Xu
Stanislaw Jarecki, Hugo Krawczyk, and Jiayu Xu. "OPAQUE: An Asymmetric PAKE Protocol
Secure Against Pre-Computation Attacks". In: IACR Cryptol. ePrint Arch. (2018), p. 163.
:
http://eprint.iacr.org/2018/163.
The Essence of Higher-Order Concurrent Separation Logic
- Robbert Krebbers
Robbert Krebbers et al. "The Essence of Higher-Order Concurrent Separation Logic". In: Programming Languages and Systems -26th European Symposium on Programming, ESOP 2017,
Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017,
Uppsala, Sweden, April 22-29, 2017, Proceedings. Ed. by Hongseok Yang. Vol. 10201. Lecture
Notes in Computer Science. Springer, 2017, pp. 696-723.
: 10.1007/978-3-662-54434-1\_26.
: https://doi.org/10.1007/978-3-662-54434-1%5C_26.
Aneris: A Mechanised Logic for Modular Reasoning about Distributed Systems
- Morten Krogh-Jespersen
Morten Krogh-Jespersen et al. "Aneris: A Mechanised Logic for Modular Reasoning about
Distributed Systems". In: Programming Languages and Systems -29th European Symposium
on Programming, ESOP 2020, Held as Part of the European Joint Conferences on Theory and
Practice of Software, ETAPS 2020, Dublin, Ireland, April 25-30, 2020, Proceedings. Ed. by Peter
Müller. Vol. 12075. Lecture Notes in Computer Science. Springer, 2020, pp. 336-365.
:
10.1007/978-3-030-44914-8\_13.
: https://doi.org/10.1007/978-3-030-44914-8%5C_13.
The TAMARIN Prover for the Symbolic Analysis of Security Protocols
- Simon Meier
Simon Meier et al. "The TAMARIN Prover for the Symbolic Analysis of Security Protocols".
In: Computer Aided Verification -25th International Conference, CAV 2013, Saint Petersburg,
Russia, July 13-19, 2013. Proceedings. Ed. by Natasha Sharygina and Helmut Veith. Vol. 8044.
Lecture Notes in Computer Science. Springer, 2013, pp. 696-701.
: 10.1007/978-3-642-39799-8\_48.
: https://doi.org/10.1007/978-3-642-39799-8%5C_48.
Formalizing Algorithmic Bounds in the Query Model in EasyCrypt
- Alley Stoughton
Alley Stoughton et al. "Formalizing Algorithmic Bounds in the Query Model in EasyCrypt".
In: 13th International Conference on Interactive Theorem Proving, ITP 2022, August 7-10, 2022,
Haifa, Israel. Ed. by June Andronick and Leonardo de Moura. Vol. 237. LIPIcs. Schloss Dagstuhl
-Leibniz-Zentrum für Informatik, 2022, 30:1-30:21.
: 10.4230/LIPIcs.ITP.2022.30.
:
https://doi.org/10.4230/LIPIcs.ITP.2022.30.