## Relating two standard notions of secrecy

** Relating two standard notions of secrecy**. V. Cortier, M. Rusinowitch, and E. Zalinescu. In * Proceedings of 20th Int. Conference on Computer Science Logic
(CSL'06)*, pp. 303–318, Lecture Notes in Computer Science 4207, Springer, Szeged, Hungary, September 2006.

### Download

### Abstract

Two styles of definitions are usually considered to express
that a security protocol preserves the confidentiality of a data s.
Reachability-based secrecy means that s should never be disclosed while
equivalence-based secrecy states that two executions of a protocol with
distinct instances for s should be indistinguishable to an attacker.
Although the second formulation ensures a higher level of security and is
closer to cryptographic notions of secrecy, decidability results and
automatic tools have mainly focused on the first definition so far.

This paper initiates a systematic investigation of situations where
syntactic secrecy entails strong secrecy. We show that in the passive
case, reachability-based secrecy actually implies equivalence-based
secrecy for signatures, symmetric and asymmetric encryption provided that
the primitives are probabilistic. For active adversaries in the case of
symmetric encryption, we provide sufficient (and rather tight) conditions
on the protocol for this implication to hold.

### BibTeX

@INPROCEEDINGS{CortierRZ-CSL06, AUTHOR = {Cortier, V. and Rusinowitch, M. and Zalinescu, E.}, TITLE = {Relating two standard notions of secrecy}, BOOKTITLE = {{Proceedings of 20th Int. Conference on Computer Science Logic (CSL'06)}}, EDITOR = {Zoltan Esik}, ADDRESS = {Szeged, Hungary}, MONTH = {September}, PAGES = {303-318}, PUBLISHER = {Springer}, SERIES = {Lecture Notes in Computer Science}, VOLUME = {4207}, YEAR = {2006}, abstract = {Two styles of definitions are usually considered to express that a security protocol preserves the confidentiality of a data s. Reachability-based secrecy means that s should never be disclosed while equivalence-based secrecy states that two executions of a protocol with distinct instances for s should be indistinguishable to an attacker. Although the second formulation ensures a higher level of security and is closer to cryptographic notions of secrecy, decidability results and automatic tools have mainly focused on the first definition so far. \par This paper initiates a systematic investigation of situations where syntactic secrecy entails strong secrecy. We show that in the passive case, reachability-based secrecy actually implies equivalence-based secrecy for signatures, symmetric and asymmetric encryption provided that the primitives are probabilistic. For active adversaries in the case of symmetric encryption, we provide sufficient (and rather tight) conditions on the protocol for this implication to hold.}, doi = {10.1007/11874683_20}, }